Description
Is your feature request related to a problem? Please describe.
Currently, there is no endpoint in the FastAPI implementation to deactivate a user account. In the NestJS version, an admin can deactivate a user to restrict access.
Problem:
Admins cannot suspend or deactivate a user’s account.
There is no API control to revoke user access without deleting the account.
Security risk: If a user is found violating policies, the only way to stop them is deleting their account, which is not ideal.
Describe the solution you'd like.
A FastAPI route handler should be implemented to allow an admin to deactivate a user.
✅ PATCH request: PATCH /api/v1/users/deactivate
✅ Requires admin authentication (protected route)
✅ Updates the user’s status in the database (active → deactivated)
✅ Sends an email notification informing the user of the deactivation
✅ Standardized API response format following HNG guidelines
Expected API Response (Success):
{
"status": "success",
"status_code": 200,
"message": "User account deactivated successfully",
"data": {}
}
Expected API Response (User Already Deactivated):
{
"status": "error",
"status_code": 400,
"message": "User is already deactivated",
"data": {}
}
Describe alternatives you've considered.
Soft Delete Instead of Deactivation
The user’s account could be marked as "soft deleted" rather than deactivated.
However, this might cause inconsistencies when checking if an account is still accessible.
Role-Based Restriction Instead of Status Change
Instead of setting status: "deactivated", we could change the user’s role to "suspended".
This would require extra role checks across the application, increasing complexity.
Admin Dashboard UI Instead of API
Allow admins to manually deactivate users from an admin panel instead of an API call.
This is not scalable for automated actions or integrations.
👉 The best approach is implementing the API endpoint for deactivation.
Additional Context
✅ Security & Compliance: Prevents unauthorized access when needed.
✅ Uniformity: Ensures FastAPI follows the same features as NestJS.
✅ Testing & Reliability: Covers all edge cases (e.g., already deactivated users, invalid requests).
Tasks to Complete
Create an endpoint (PATCH /api/v1/users/deactivate).
Validate admin authentication before allowing deactivation.
Modify the database model to track is_active: false.
Send an email notification to inform the user.
Write unit tests for deactivation logic.
Ensure all API responses follow the standard format.
Testing
✅ Unit Tests
Verify the user’s account status updates to deactivated.
Ensure authentication and authorization checks work properly.
Test for edge cases:
Deactivating an already deactivated user.
Deactivating a non-existent user.
Deactivating without proper authentication.
✅ Integration Tests
Simulate a PATCH request and check if the database updates correctly.
Ensure the API follows the correct response format.
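As an added illustration of the tasks and test cases above (not code from the project), here is the deactivation logic as framework-independent Python that a FastAPI route handler for PATCH /api/v1/users/deactivate would call once the bearer token has been decoded to a caller id. The User fields, the in-memory dict standing in for the database table, and the notify callback are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class User:
    """Constructed stand-in for the ORM user model; field names are assumptions."""
    id: str
    email: str
    is_active: bool = True
    is_superadmin: bool = False


def standard_response(status: str, status_code: int, message: str) -> dict:
    """The one envelope every outcome uses, so clients never parse two shapes."""
    return {"status": status, "status_code": status_code, "message": message, "data": {}}


def authenticate(users: Dict[str, User], caller_id: Optional[str]) -> Optional[User]:
    """Resolve the bearer token's subject. A deactivated account never authenticates:
    that is what makes deactivation revoke access without deleting the row."""
    caller = users.get(caller_id) if caller_id else None
    return caller if caller is not None and caller.is_active else None


def deactivate_user(users: Dict[str, User], caller_id: Optional[str], user_id: str,
                    notify: Callable[[User], None]) -> dict:
    """Service logic behind PATCH /api/v1/users/deactivate with body {"user_id": ...}."""
    try:
        # Authorization is checked before the target lookup, so a non-admin caller
        # always gets 401 and cannot learn from 400/404 which user ids exist.
        caller = authenticate(users, caller_id)
        if caller is None or not caller.is_superadmin:
            return standard_response("error", 401, "Could not validate admin credentials")
        target = users.get(user_id)
        if target is None:
            return standard_response("error", 404, "User not found")
        if not target.is_active:
            return standard_response("error", 400, "User is already deactivated")
        target.is_active = False  # real handler: set the column and commit the session
        try:
            notify(target)  # a failed email must not undo the access revocation; log it
        except Exception:
            pass
        return standard_response("success", 200, "User account deactivated successfully")
    except Exception:
        return standard_response("error", 500, "An unexpected error occurred.")
```

Because authenticate() rejects inactive accounts, a deactivated admin loses the ability to call this endpoint too, which the tests in a real suite should cover alongside the three edge cases listed above.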
Example API Request (With Auth Token)
curl -X PATCH {rootdomain}/api/v1/users/deactivate \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "user_id": "12345" }'
Example API Responses
✅ Success Response:
{
"status": "success",
"status_code": 200,
"message": "User account deactivated successfully",
"data": {}
}
❌ User Already Deactivated:
{
"status": "error",
"status_code": 400,
"message": "User is already deactivated",
"data": {}
}
❌ Unauthorized Access (Invalid Token):
{
"status": "error",
"status_code": 401,
"message": "Could not validate admin credentials",
"data": {}
}
❌ User Not Found:
{
"status": "error",
"status_code": 404,
"message": "User not found",
"data": {}
}
❌ Server Error:
{
"status": "error",
"status_code": 500,
"message": "An unexpected error occurred.",
"data": {}
}