Account Security Reference

Password management

  • frontend/src/pages/applications/Users/settings/SecurityTab.js:99 submits a POST /auth/reset-password request carrying the current password plus the new/confirm values.
  • Formik validation enforces strength rules client-side; backend validation in backend/r/auth_all.js:273 repeats the same constraints before authController.resetPassword updates credentials.

Deactivation & deletion

  • frontend/src/pages/applications/Users/settings/DeactivateUser.js:25 invokes POST /u/deactusr to suspend the account while preserving data.
  • frontend/src/pages/applications/Users/settings/DeleteUser.js:53 starts deletion with POST /u/delusrp (preflight) and confirms via POST /u/delusr once the emailed key is provided.
  • Routes are registered in backend/r/users.js:226 (/u/deactusr), :247 (/u/delusrp) and :252 (/u/delusr), each debounced to avoid accidental double submissions.

Logout & revoke

  • The auth action userLogout clears tokens locally and calls POST /auth/logout (see backend/r/auth_all.js:311) to revoke refresh tokens server-side.
  • Deactivation and deletion both trigger the logout sequence to ensure stale sessions cannot persist.

Notification hygiene

  • Before closing an account the UI prompts the user to review pending testimonies and club responsibilities, reducing orphaned moderation tasks.
  • Admin escalations rely on the activity log; security actions append entries so support can audit the timeline if needed.

Error handling

  • All security forms share the same snackbar pattern: success responses show green notices, while API errors bubble up the msg field returned by the controller for precise feedback.
  • The deletion flow prevents submission until a valid confirmation key is entered, minimising accidental account loss.