diff --git a/docs/keycloak/delete-unverified-accounts.md b/docs/keycloak/delete-unverified-accounts.md new file mode 100644 index 00000000..031abc08 --- /dev/null +++ b/docs/keycloak/delete-unverified-accounts.md 
@@ -0,0 +1,82 @@ +# Delete accounts without verified email address + +### Keycloak + +Required: + +- auth.pub.solar admin-cli service user credentials +- SSH access to host nachtigall + +``` +ssh barkeeper@nachtigall.wg.pub.solar +``` + +Credentials for the following command are in keepass. + +Create keycloak config/credentials file at `/tmp/kcadm.config`: + +``` +sudo --user keycloak kcadm.sh config credentials \ + --config /tmp/kcadm.config \ + --server https://auth.pub.solar \ + --realm pub.solar \ + --client admin-cli +``` + +Get list of accounts without a verified email address: + +``` +sudo --user keycloak kcadm.sh get \ + --config /tmp/kcadm.config \ + users \ + --realm pub.solar \ + --query emailVerified=false \ + > /tmp/keycloak-unverified-accounts +``` + +Review list of accounts, especially check `createdTimestamp` if any accounts +were created in the past 2 days. If so, delete those from the +`/tmp/keycloak-unverified-accounts` file. + +``` +createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) ) + +# timestamps are in nanoseconds since epoch, so we need to strip the last three digits +for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done + +vim /tmp/keycloak-unverified-accounts +``` + +Check how many accounts are going to be deleted: + +``` +jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l +``` + +``` +jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids +``` + +Final check before deletion (dry-run): + +``` +for id in $(cat /tmp/keycloak-unverified-account-ids) + do + echo sudo --user keycloak kcadm.sh delete \ + --config /tmp/kcadm.config \ + users/$id \ + --realm pub.solar + done +``` + +THIS WILL DELETE ACCOUNTS: + +``` +for id in $(cat /tmp/keycloak-unverified-account-ids) + do + sudo --user keycloak kcadm.sh delete \ + --config /tmp/kcadm.config \ + users/$id \ + --realm pub.solar + done +```
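Review bot: The procedure writes the admin-cli session to the fixed path `/tmp/kcadm.config` in the `kcadm.sh config credentials` step and never removes it, nor `/tmp/keycloak-unverified-accounts` or `/tmp/keycloak-unverified-account-ids`, so admin credentials material and a dump of user records stay behind in shared `/tmp` on nachtigall after the run. The `> /tmp/keycloak-unverified-accounts` redirect is also performed by the invoking shell rather than by the keycloak user, so that file gets the operator's default umask. Suggest using a private directory with restrictive permissions instead of fixed names in `/tmp`, and adding a final step that deletes the config and both list files. In the timestamp block, the comment says "nanoseconds since epoch", but stripping three digits to feed `date --date="@..."` only yields seconds if the value is in milliseconds, which is what Keycloak's `createdTimestamp` is; please correct the comment. The "past 2 days" check depends on reading dates by eye and hand-editing JSON in vim right before an irreversible delete; a jq filter on `createdTimestamp` that writes the reduced list would make the exclusion reproducible and reviewable. Minor: the first jq call goes through `nix run nixpkgs#jq --` while the later two call bare `jq`, the second of those has no sentence explaining it, and `users/$id` and `${createdTimestamps[@]}` are unquoted.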