infra/docs/keycloak/delete-unverified-accounts.md

# Delete accounts without verified email address

### Keycloak

Required:

- auth.pub.solar admin-cli service user credentials
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)

Run following after SSH'ing to `nachtigall`.

Credentials for the following command are in keepass. Create a keycloak
config/credentials file at `/tmp/kcadm.config`:

```
sudo --user keycloak kcadm.sh config credentials \
  --config /tmp/kcadm.config \
  --server https://auth.pub.solar \
  --realm pub.solar \
  --client admin-cli
```

Get list of accounts without a verified email address:

```
sudo --user keycloak kcadm.sh get \
  --config /tmp/kcadm.config \
  users \
  --realm pub.solar \
  --query emailVerified=false \
  > /tmp/keycloak-unverified-accounts
```

Review list of accounts, especially check `createdTimestamp` if any accounts
were created in the past 2 days. If so, delete those from the
`/tmp/keycloak-unverified-accounts` file.

```
createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )

# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done

vim /tmp/keycloak-unverified-accounts
```

Check how many accounts are going to be deleted:

```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
```

```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
```

Final check before deletion (dry-run):

```
for id in $(cat /tmp/keycloak-unverified-account-ids)
  do
    echo sudo --user keycloak kcadm.sh delete \
      --config /tmp/kcadm.config \
      users/$id \
      --realm pub.solar
  done
```

THIS WILL DELETE ACCOUNTS:

```
for id in $(cat /tmp/keycloak-unverified-account-ids)
  do
    sudo --user keycloak kcadm.sh delete \
      --config /tmp/kcadm.config \
      users/$id \
      --realm pub.solar
  done
```