What are your preferred methods to offer account deletion?

Building on this GH discussion on nextauth:
https://github.com/nextauthjs/next-auth/discussions/3935

Do you currently add your own with CSRF etc.? Would be curious to know if anyone here has some strong opinions on that.

GitHub

Add delete account API endpoint · Discussion #3935 · nextauthjs/nex...

There should be an endpoint at /api/auth/delete that deletes a user, all sessions and all account entries associated with that user. Like the signout endpoint, it should require a POST request with...

Samathingamajig•10/3/22, 3:32 PM

i havent built anything that is public for people to be able to delete their accounts.

i know that there's some EU law about being able to delete your accounts though, so if you operate there you need to have that option

having it be built into nextauth seems weird, if it does come to exist it should have an easy way to opt-out, because of potential things like if you want to

Require 2fa before deleting account
Disable the account, but wait "x" days before actually deleting everything
Delete all other related user data (EU laws require deleted accounts to have all user data related to that account deleted, i believe)