Feat: soft delete account with 30 days grace period #653

Open. patilmanasvi wants to merge 13 commits into Shivayan09:main from patilmanasvi:feat/soft-delete-account

@patilmanasvi (Contributor) commented May 27, 2026

Related Issue

Closes #607

Overview

This PR adds an Instagram-style account deletion system where accounts are first deactivated for 30 days before being permanently deleted.

Users can restore their account anytime during the grace period simply by logging back in.

Type of Change

  • UI enhancement
  • Feature improvement
  • Bug fix
  • Documentation update

Changes Made

Backend

  • Added isDeactivated and deletionScheduledAt to User model
  • Added:
    • scheduleAccountDeletion
    • cancelAccountDeletion
  • Auto-reactivate account on login
  • Hide deactivated accounts from search/profile lookups
  • Added daily cron job for permanent deletion after 30 days

Frontend

  • Added DeactivateAccountModal
  • Added Danger Zone section in Profile Settings
  • Added type-to-confirm (DELETE) safety input
  • Added reactivation success toast on login

Testing

  • Deactivate account from Settings → Danger Zone
  • Verify logout after deletion request
  • Login again to restore account
  • Confirm deactivated accounts are hidden from search/profile
  • Test cron job by setting deletionScheduledAt to a past date

Checklist

  • Code runs successfully
  • Changes tested locally
  • No console errors
  • Follows existing project structure
  • DCO sign-off

vercel Bot (Contributor) commented May 27, 2026

@patilmanasvi is attempting to deploy a commit to the Shivayan's projects Team on Vercel.

A member of the Team first needs to authorize it.

@patilmanasvi patilmanasvi marked this pull request as ready for review May 27, 2026 21:31

@patilmanasvi (Contributor Author) commented

@Shivayan09 kindly check

@Shivayan09 (Owner) left a comment

  • The server crashes in localhost, so there are errors in server
  • You replaced the normal "Logged in successfully" text with "Welcome back, account not deleted" which then shows the 2nd text even on normal login
  • You pushed the changes of "save as draft" issue here as well, which mixes 2 PRs. So please revert the changes of that issue
  • Account deletion is fine, but it leaves behind orphaned account related data like likes, comments and more, so clean those up as well

@patilmanasvi (Contributor Author) commented

Will submit changes by eod

@patilmanasvi patilmanasvi force-pushed the feat/soft-delete-account branch from be4f12b to 869dc79 Compare May 28, 2026 16:30
…tend only

Signed-off-by: patilmanasvi <manasvipatil2286@gmail.com>
…hard delete

Signed-off-by: patilmanasvi <manasvipatil2286@gmail.com>
Signed-off-by: patilmanasvi <manasvipatil2286@gmail.com>

@patilmanasvi (Contributor Author) commented

@Shivayan09 kindly check. The changes are done.

@patilmanasvi patilmanasvi requested a review from Shivayan09 May 28, 2026 21:40

@Shivayan09 (Owner) commented

@patilmanasvi Your branch has merge conflicts, kindly pull the recent-most code from main branch and resolve the conflicts (Don't remove/overwrite any existing functionality as well)

@Shivayan09 (Owner) left a comment

Feature is close, but a few fixes are still needed before this is safe to merge:

  • Enforce isDeactivated in authMiddleware so deactivated users cannot keep using protected endpoints.
  • Finish the hard-delete job: delete Comment docs, remove follows/bookmarks/likes tied to the user, and clean up schema-accurate relations only.
  • Add a server-side cutoff for reactivation so accounts can only be restored within the 30-day grace period, not indefinitely.
  • Add tests for deactivation, reactivation, and the scheduled deletion path.

A couple of changes look out of scope / unnecessary for this feature:

  • getUserProfile now selects followers and followRequests, but those fields aren’t part of the User schema.
  • If possible, keep the PR focused on account lifecycle changes only and avoid unrelated cleanup unless it’s required for the flow.
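
An added sketch of the first and third review points above (the `isDeactivated` check in auth middleware and the server-side reactivation cutoff); it is not code from this PR or the project. It assumes Express-style middleware and that `deletionScheduledAt` holds the instant permanent deletion becomes due; `requireActiveAccount`, `reactivateOnLogin`, `loadUser` and `req.userId` are hypothetical names.

```javascript
// Added example, not the PR's code. The field names isDeactivated and
// deletionScheduledAt come from the PR description; all other names are hypothetical.

// Express-style middleware factory. `loadUser` is a hypothetical async lookup
// by the user id taken from an already-verified session token.
function requireActiveAccount(loadUser) {
  return async (req, res, next) => {
    const user = await loadUser(req.userId);
    if (!user) return res.status(401).json({ message: "Unauthorized" });
    // Re-check account state on every request: a token issued before
    // deactivation is still valid afterwards unless this check exists.
    if (user.isDeactivated) {
      return res.status(403).json({ message: "Account is deactivated" });
    }
    req.user = user;
    return next();
  };
}

// Login-time decision. Assumption: deletionScheduledAt is the time at which
// permanent deletion is due (deactivation time + 30 days).
function reactivateOnLogin(user, now = new Date()) {
  if (!user.isDeactivated) return { allowed: true, reactivated: false };
  const due = user.deletionScheduledAt ? new Date(user.deletionScheduledAt) : null;
  // Fail closed: a missing or invalid date, or an expired grace period, means
  // no restore, even if the cron job has not removed the record yet.
  if (!due || Number.isNaN(due.getTime()) || now >= due) {
    return { allowed: false, reactivated: false };
  }
  user.isDeactivated = false;
  user.deletionScheduledAt = null;
  return { allowed: true, reactivated: true };
}
```

The `reactivated` flag lets the login handler return the reactivation message only when an account was actually restored, and the normal success message otherwise.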


Development

Successfully merging this pull request may close these issues.

feat: Soft-delete account with 30-day grace period