Secure account-deletion scheme for users registered via Google/Facebook, and a question about OWASP guidance
Great question! Handling account deletion securely for OAuth-based users (Google/Facebook) needs a slightly different approach than password-based accounts, but there are solid best practices to follow—including alignment with OWASP guidelines. Let’s break this down:
Recommended Security Schemes for Google/Facebook Registered Users
- Re-authenticate via OAuth provider: This is the gold standard. When a user requests to delete their account, prompt them to re-login through Google/Facebook’s OAuth flow. Since they’re already familiar with this process, it’s seamless, and it ensures only the legitimate account holder (who has access to the Google/Facebook account) can proceed. This avoids risks from shared devices or stale sessions.
- Send a one-time verification token to a linked contact: If your app collects and verifies a user’s email/phone number during OAuth registration, send a short-lived token (or a link containing the token) to this verified contact. The user must enter the token or click the link to confirm deletion. This mirrors the password-reset flow you already use, creating a consistent UX for your users.
- Session-based secondary confirmation (with caveats): If the user is currently logged in, you can add a secondary confirmation step (e.g., asking them to confirm their registered email address or a unique account detail) before proceeding. Note that this is less secure than the above options, as it’s vulnerable to social engineering if the detail is easily guessable.
OWASP Guidelines Relevant to This Scenario
OWASP’s Authentication Verification and Account Protection guidelines emphasize these key points for sensitive actions like account deletion:
- Always require re-authentication for high-risk operations: Regardless of the login method, sensitive actions (deletion, changing credentials, etc.) should never rely solely on an active session. Re-authentication mitigates risks from session hijacking or unattended logged-in devices.
- For OAuth users, prefer re-authentication via the provider: OWASP recommends leveraging the OAuth provider’s built-in security (like 2FA if enabled on the user’s Google/Facebook account) instead of rolling your own verification scheme when possible.
- Token-based verification must be secure: If using token links, ensure tokens are cryptographically random, short-lived, single-use, and tied explicitly to the deletion operation (not reusable for other actions).
Is a 1-Hour Expiry Token Link Secure?
Yes, a 1-hour expiry token link can be secure if you follow these safeguards:
- Use a cryptographically strong token: Generate a long, random string (at least 32 characters) using a secure random number generator—avoid using predictable values like hashed user IDs or email addresses.
- Restrict the token to account deletion only: The token should only validate the deletion request, not grant access to other account functions.
- Enforce single-use: Once the token is used (or the deletion is confirmed), invalidate it immediately so it can’t be reused.
- Transmit over HTTPS: Always send the link via HTTPS to prevent interception.
- Add a final confirmation step: After the user clicks the link, prompt them to explicitly confirm deletion (e.g., “Are you sure you want to permanently delete your account?”) to avoid accidental deletions from misclicked links.
In short, re-authenticating via the OAuth provider is the most secure option, but a well-implemented 1-hour token link is a strong alternative if that’s not feasible for your UX.
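The token safeguards listed above (cryptographically random, bound to the deletion action only, single-use, 1-hour expiry, with a separate explicit confirmation after the link is clicked) are straightforward to implement together. The following is an added example, not code from the original answer: an in-memory token store standing in for a database table, with a `check` call that the link's GET handler uses to validate the token without consuming it (so the confirmation page can be shown) and that the confirmation POST handler calls with `consume=True` to spend it. The names `DeletionTokenStore`, `PURPOSE_DELETE` and the `example.invalid` link base are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600            # 1-hour expiry, as discussed in the answer
PURPOSE_DELETE = "account_deletion"  # hypothetical purpose label; tokens are bound to it


@dataclass
class TokenRecord:
    user_id: str
    purpose: str
    expires_at: float
    used: bool = False


class DeletionTokenStore:
    """Hypothetical in-memory stand-in for a persistent table of pending tokens."""

    def __init__(self) -> None:
        # Keyed by the SHA-256 of the token: a leaked table cannot be replayed.
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a deletion token for user_id and return the raw token to email."""
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG -> 43-character URL-safe string
        # (comfortably above the 32-character minimum the answer recommends).
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = TokenRecord(
            user_id=user_id,
            purpose=PURPOSE_DELETE,
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return token

    def check(
        self,
        token: str,
        purpose: str,
        now: Optional[float] = None,
        consume: bool = False,
    ) -> Tuple[bool, str, Optional[str]]:
        """Validate a token for `purpose`; returns (ok, reason, user_id).

        consume=False: validate only (GET of the link, before the explicit
        "Are you sure?" page).  consume=True: spend the token (POST confirm).
        """
        now = time.time() if now is None else now
        rec = self._records.get(self._hash(token))
        if rec is None:
            return False, "unknown token", None
        # Scoped to the deletion action: a deletion token is useless elsewhere.
        if rec.purpose != purpose:
            return False, "token not valid for this action", None
        if rec.used:
            return False, "token already used", None
        if now > rec.expires_at:
            return False, "token expired", None
        if consume:
            rec.used = True  # single-use: invalidated the moment it is spent
        return True, "ok", rec.user_id


def deletion_link(token: str) -> str:
    """Build the HTTPS confirmation link (hypothetical host, for illustration)."""
    return "https://example.invalid/account/delete/confirm?token=" + token


if __name__ == "__main__":
    store = DeletionTokenStore()
    raw = store.issue("user-42")
    print("email this link:", deletion_link(raw))
    print("GET  /confirm  ->", store.check(raw, PURPOSE_DELETE))
    print("POST /confirm  ->", store.check(raw, PURPOSE_DELETE, consume=True))
    print("replay attempt ->", store.check(raw, PURPOSE_DELETE, consume=True))
```

Two design points worth noting: the raw token never touches storage, only its hash, so a database read does not hand out live links; and the deletion itself happens only after `check(..., consume=True)` succeeds on the POST, which is what keeps a mail client's link prefetch or a misclick from deleting the account.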
The question this answer addresses comes from Stack Exchange; the question's author is william.