Bug fixes - April 27th 2026 (#907)

* fix: clean up dangling FK references before deleting a user Resolves FOREIGN KEY constraint failed (500) on DELETE /api/admin/users/:id and DELETE /api/auth/me when the target user had rows in trip_members.invited_by, share_tokens.created_by, budget_items.paid_by_user_id, journeys.user_id, journey_entries.author_id, journey_contributors.user_id, or journey_share_tokens.created_by — none of which had ON DELETE clauses. Introduces deleteUserCompletely() in userCleanupService.ts which wraps all cleanup and the final DELETE FROM users in a single transaction. Both adminService.deleteUser and authService.deleteAccount now call it instead of the bare DELETE. Tests ADMIN-005b and AUTH-040 cover all reference types including notification sender/recipient and notice dismissals. * test: extend FK deletion tests to cover journeys, files, and photos ADMIN-005b and AUTH-040 now also seed and assert: - owned journey with entries (cascade-deleted via journeys.user_id cleanup) - trip_files.uploaded_by (SET NULL — file survives, attribution cleared) - trek_photos.owner_id (SET NULL — photo record survives, owner cleared) - trip_photos.user_id (CASCADE — photo association removed) * test: extend user deletion tests to cover all FK relationships ADMIN-005b and AUTH-040 now seed and assert every user FK relationship: CASCADE (row deleted): trips, trip_members, tags, mcp_tokens, oauth_tokens, oauth_consents, vacay_plans, vacay_plan_members, bucket_list, visited_countries, visited_regions, packing_templates, invite_tokens, collab_notes, settings, password_reset_tokens, notification_channel_preferences SET NULL (row survives, column nulled): categories, todo_items.assigned_user_id, packing_bags, audit_log Caught and fixed: notification_preferences was dropped in migration 72; correct table is notification_channel_preferences. * fix: preserve URL hash and OIDC redirect target through login flow - Include location.hash in redirect param at all three producer sites (ProtectedRoute, axios 401 interceptor, OAuthAuthorizePage) so hash fragments survive the login bounce - Stash redirectTarget in sessionStorage before any OIDC provider redirect and restore it after the code exchange, since the IdP strips the original ?redirect= param during the roundtrip - Clear sessionStorage on OIDC error to avoid stale state - Add tests covering sessionStorage stash on mount, navigate to saved redirect after OIDC exchange, fallback to /dashboard, and cleanup on error * fix: use day position instead of ID for accommodation date range clamping Math.min/Math.max over raw day IDs breaks the start/end picker when a trip's day IDs are non-monotonic relative to day_number (normal after repeated generateDays extend/shrink cycles). Replaced with findIndex lookups so clamping is always based on positional order. Closes #889 * fix: normalize env var comparisons to be case-insensitive All NODE_ENV, DEMO_MODE, OIDC_ONLY, FORCE_HTTPS, COOKIE_SECURE, and ALLOW_INTERNAL_NETWORK checks now use .toLowerCase() so values like 'Production' or 'True' behave identically to their lowercase forms. Also adds APP_VERSION to the startup banner. * fix: delete surplus days when shortening a trip When shrinking a trip's date range, surplus days are now deleted along with their assignments, notes, and accommodations (cascade). Places remain in the trip pool; reservations keep their day reference nulled by the existing ON DELETE SET NULL constraint (issue #909). Updates TRIP-SVC-011 to reflect the new behaviour; adds TRIP-SVC-016 as a regression test for the empty-day case. * fix: auto-backup retention deletes itself and manual backups on Docker Two bugs in cleanupOldBackups: 1. Filter was .endsWith('.zip') — swept manual backup-*.zip files too. Now restricted to auto-backup-* prefix. 2. Age was derived from stat.birthtimeMs, which is 0 on overlayfs (Docker default), making every backup appear epoch-old and get deleted immediately. Age is now parsed from the filename timestamp and falls back to mtimeMs (reliable on overlayfs). Also converts inline require('./services/auditLog') calls to a static import throughout scheduler.ts, and adds 8 unit tests covering the fixed retention logic including the overlayfs regression case. * test: update TRIP-024 to match delete behavior on trip shrink * feat: add bypass-branch-check label to skip branch enforcement
2026-06-19 13:21:46 +00:00 · 2026-04-28 05:17:20 +02:00
parent ca832e8d88
commit 1f5deeba6c
32 changed files with 937 additions and 106 deletions
@@ -41,7 +41,7 @@ import { createApp } from '../../src/app';
 import { createTables } from '../../src/db/schema';
 import { runMigrations } from '../../src/db/migrations';
 import { resetTestDb } from '../helpers/test-db';
-import { createUser, createAdmin, createInviteToken } from '../helpers/factories';
+import { createUser, createAdmin, createInviteToken, createTrip, createBudgetItem, createJourney, createJourneyEntry, addJourneyContributor, addTripPhoto, createCategory, createTag, createTodoItem, createMcpToken, createBucketListItem, createVisitedCountry, createCollabNote, addTripMember } from '../helpers/factories';
 import { authCookie } from '../helpers/auth';
 import { loginAttempts, mfaAttempts } from '../../src/routes/auth';

@@ -148,6 +148,216 @@ describe('Admin user management', () => {
    expect(deleted).toBeUndefined();
  });

+  it('ADMIN-005b — DELETE /admin/users/:id succeeds when user has FK references', async () => {
+    const { user: admin } = createAdmin(testDb);
+    const { user: target } = createUser(testDb);
+    const { user: otherUser } = createUser(testDb);
+    const { user: thirdUser } = createUser(testDb);
+
+    // trip_members.invited_by: target invited thirdUser to otherUser's trip
+    // (trip survives deletion; only invited_by should become NULL)
+    const otherTrip = createTrip(testDb, otherUser.id);
+    testDb.prepare('INSERT INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)').run(otherTrip.id, thirdUser.id, target.id);
+
+    // share_tokens.created_by: target created a share token for otherUser's trip
+    testDb.prepare("INSERT INTO share_tokens (trip_id, token, created_by) VALUES (?, 'tok-admin-test', ?)").run(otherTrip.id, target.id);
+
+    // budget_items.paid_by_user_id: target paid for an expense on otherUser's trip
+    const budgetItem = createBudgetItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE budget_items SET paid_by_user_id = ? WHERE id = ?').run(target.id, budgetItem.id);
+
+    // journey_contributors: target is a contributor on otherUser's journey
+    const otherJourney = createJourney(testDb, otherUser.id);
+    addJourneyContributor(testDb, otherJourney.id, target.id);
+
+    // journey_entries: target authored an entry on otherUser's journey
+    createJourneyEntry(testDb, otherJourney.id, target.id);
+
+    // journey_share_tokens: target created a share token for otherUser's journey
+    testDb.prepare("INSERT INTO journey_share_tokens (journey_id, token, created_by) VALUES (?, 'jst-admin-test', ?)").run(otherJourney.id, target.id);
+
+    // notifications.sender_id (SET NULL): target sent a notification to otherUser
+    const sentNotif = testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, target.id, otherUser.id);
+    // notifications.recipient_id (CASCADE): otherUser sent a notification to target
+    testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, otherUser.id, target.id);
+
+    // user_notice_dismissals (CASCADE): target dismissed a notice
+    testDb.prepare(
+      "INSERT INTO user_notice_dismissals (user_id, notice_id, dismissed_at) VALUES (?, 'test-notice', ?)"
+    ).run(target.id, Date.now());
+
+    // owned journey: target owns a journey with an entry (cascade-deletes on journey deletion)
+    const ownedJourney = createJourney(testDb, target.id);
+    createJourneyEntry(testDb, ownedJourney.id, target.id);
+
+    // trip_files.uploaded_by (SET NULL): target uploaded a file to otherUser's trip
+    const fileRow = testDb.prepare(
+      "INSERT INTO trip_files (trip_id, filename, original_name, uploaded_by) VALUES (?, 'f.pdf', 'file.pdf', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // trek_photos.owner_id (SET NULL): target owns a photo in the central registry
+    const trekPhotoRow = testDb.prepare(
+      "INSERT INTO trek_photos (provider, asset_id, owner_id) VALUES ('immich', 'asset-admin-test', ?)"
+    ).run(target.id);
+
+    // trip_photos.user_id (CASCADE): target added a photo to otherUser's trip
+    addTripPhoto(testDb, otherTrip.id, target.id, 'asset-tp-admin', 'immich');
+
+    // trips.user_id (CASCADE): target owns a trip
+    const ownedTrip = createTrip(testDb, target.id);
+
+    // trip_members.user_id (CASCADE): target is a member of otherUser's trip
+    addTripMember(testDb, otherTrip.id, target.id);
+
+    // categories.user_id (SET NULL): target created a category
+    const userCategory = createCategory(testDb, { user_id: target.id });
+
+    // tags.user_id (CASCADE): target created a tag
+    const userTag = createTag(testDb, target.id);
+
+    // todo_items.assigned_user_id (SET NULL): target is assigned to a todo on otherUser's trip
+    const todoItem = createTodoItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE todo_items SET assigned_user_id = ? WHERE id = ?').run(target.id, todoItem.id);
+
+    // packing_bags.user_id (SET NULL): target owns a packing bag on otherUser's trip
+    const packBagRow = testDb.prepare(
+      "INSERT INTO packing_bags (trip_id, name, color, user_id) VALUES (?, 'Bag', '#ff0000', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // mcp_tokens.user_id (CASCADE): target has an MCP API token
+    createMcpToken(testDb, target.id);
+
+    // oauth_tokens/consents.user_id (CASCADE): target has tokens from otherUser's OAuth client
+    testDb.prepare(
+      "INSERT INTO oauth_clients (id, user_id, name, client_id, client_secret_hash) VALUES ('cl-admin-test', ?, 'App', 'cid-admin-test', 'h')"
+    ).run(otherUser.id);
+    testDb.prepare(
+      "INSERT INTO oauth_tokens (client_id, user_id, access_token_hash, refresh_token_hash, access_token_expires_at, refresh_token_expires_at) VALUES ('cid-admin-test', ?, 'ath-admin', 'rth-admin', datetime('now','+1 hour'), datetime('now','+30 days'))"
+    ).run(target.id);
+    testDb.prepare(
+      "INSERT INTO oauth_consents (client_id, user_id) VALUES ('cid-admin-test', ?)"
+    ).run(target.id);
+
+    // vacay_plans.owner_id (CASCADE): target owns a vacation plan
+    const vacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(target.id);
+
+    // vacay_plan_members.user_id (CASCADE): target is a member of otherUser's vacay plan
+    const otherVacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(otherUser.id);
+    testDb.prepare("INSERT INTO vacay_plan_members (plan_id, user_id) VALUES (?, ?)").run(otherVacayPlanRow.lastInsertRowid, target.id);
+
+    // bucket_list.user_id (CASCADE): target has a bucket list item
+    createBucketListItem(testDb, target.id);
+
+    // visited_countries.user_id (CASCADE): target has visited a country
+    createVisitedCountry(testDb, target.id, 'JP');
+
+    // visited_regions.user_id (CASCADE): target has visited a region
+    testDb.prepare(
+      "INSERT INTO visited_regions (user_id, region_code, region_name, country_code) VALUES (?, 'JP-13', 'Tokyo', 'JP')"
+    ).run(target.id);
+
+    // packing_templates.created_by (CASCADE): target created a packing template
+    const packTemplateRow = testDb.prepare(
+      "INSERT INTO packing_templates (name, created_by) VALUES ('My Template', ?)"
+    ).run(target.id);
+
+    // invite_tokens.created_by (CASCADE): target created an invite token
+    createInviteToken(testDb, { created_by: target.id });
+
+    // collab_notes.user_id (CASCADE): target authored a collab note on otherUser's trip
+    createCollabNote(testDb, otherTrip.id, target.id);
+
+    // settings.user_id (CASCADE): target has a user setting
+    testDb.prepare("INSERT INTO settings (user_id, key, value) VALUES (?, 'theme', 'dark')").run(target.id);
+
+    // password_reset_tokens.user_id (CASCADE): target has a pending password reset
+    testDb.prepare(
+      "INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, 'prt-hash-admin', datetime('now','+1 hour'))"
+    ).run(target.id);
+
+    // audit_log.user_id (SET NULL): target performed an audited action
+    const auditRow = testDb.prepare(
+      "INSERT INTO audit_log (user_id, action, ip) VALUES (?, 'test.action', '127.0.0.1')"
+    ).run(target.id);
+
+    // notification_channel_preferences.user_id (CASCADE): target has notification preferences
+    testDb.prepare("INSERT OR IGNORE INTO notification_channel_preferences (user_id, event_type, channel) VALUES (?, 'trip_invite', 'email')").run(target.id);
+
+    const res = await request(app)
+      .delete(`/api/admin/users/${target.id}`)
+      .set('Cookie', authCookie(admin.id));
+    expect(res.status).toBe(200);
+    expect(res.body.success).toBe(true);
+
+    expect(testDb.prepare('SELECT id FROM users WHERE id = ?').get(target.id)).toBeUndefined();
+    // trip_members row survives but invited_by is now NULL
+    expect((testDb.prepare('SELECT invited_by FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, thirdUser.id) as any).invited_by).toBeNull();
+    expect(testDb.prepare('SELECT id FROM share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    expect((testDb.prepare('SELECT paid_by_user_id FROM budget_items WHERE id = ?').get(budgetItem.id) as any).paid_by_user_id).toBeNull();
+    expect(testDb.prepare('SELECT user_id FROM journey_contributors WHERE journey_id = ? AND user_id = ?').get(otherJourney.id, target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE author_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // sent notification survives but sender_id becomes NULL
+    expect((testDb.prepare('SELECT sender_id FROM notifications WHERE id = ?').get(sentNotif.lastInsertRowid) as any).sender_id).toBeNull();
+    // received notification is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM notifications WHERE recipient_id = ?').get(target.id)).toBeUndefined();
+    // notice dismissals are cascade-deleted
+    expect(testDb.prepare("SELECT user_id FROM user_notice_dismissals WHERE user_id = ? AND notice_id = 'test-notice'").get(target.id)).toBeUndefined();
+    // owned journey and its entries are cascade-deleted
+    expect(testDb.prepare('SELECT id FROM journeys WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE journey_id = ?').get(ownedJourney.id)).toBeUndefined();
+    // uploaded file survives but uploaded_by is now NULL
+    expect((testDb.prepare('SELECT uploaded_by FROM trip_files WHERE id = ?').get(fileRow.lastInsertRowid) as any).uploaded_by).toBeNull();
+    // trek_photos row survives but owner_id is now NULL
+    expect((testDb.prepare('SELECT owner_id FROM trek_photos WHERE id = ?').get(trekPhotoRow.lastInsertRowid) as any).owner_id).toBeNull();
+    // trip_photos row for target is cascade-deleted
+    expect(testDb.prepare("SELECT id FROM trip_photos WHERE trip_id = ? AND user_id = ?").get(otherTrip.id, target.id)).toBeUndefined();
+    // owned trip is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM trips WHERE id = ?').get(ownedTrip.id)).toBeUndefined();
+    // trip membership on others' trips is removed
+    expect(testDb.prepare('SELECT id FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, target.id)).toBeUndefined();
+    // category survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM categories WHERE id = ?').get(userCategory.id) as any).user_id).toBeNull();
+    // tag is deleted
+    expect(testDb.prepare('SELECT id FROM tags WHERE id = ?').get(userTag.id)).toBeUndefined();
+    // todo assigned_user_id is NULL
+    expect((testDb.prepare('SELECT assigned_user_id FROM todo_items WHERE id = ?').get(todoItem.id) as any).assigned_user_id).toBeNull();
+    // packing bag survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM packing_bags WHERE id = ?').get(packBagRow.lastInsertRowid) as any).user_id).toBeNull();
+    // MCP tokens are deleted
+    expect(testDb.prepare('SELECT id FROM mcp_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // OAuth tokens and consents are deleted
+    expect(testDb.prepare('SELECT id FROM oauth_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM oauth_consents WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // owned vacay plan is deleted
+    expect(testDb.prepare('SELECT id FROM vacay_plans WHERE id = ?').get(vacayPlanRow.lastInsertRowid)).toBeUndefined();
+    // vacay plan membership on others' plans is removed
+    expect(testDb.prepare('SELECT id FROM vacay_plan_members WHERE plan_id = ? AND user_id = ?').get(otherVacayPlanRow.lastInsertRowid, target.id)).toBeUndefined();
+    // bucket list items are deleted
+    expect(testDb.prepare('SELECT id FROM bucket_list WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // travel history is deleted
+    expect(testDb.prepare('SELECT user_id FROM visited_countries WHERE user_id = ? AND country_code = ?').get(target.id, 'JP')).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM visited_regions WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // packing template is deleted
+    expect(testDb.prepare('SELECT id FROM packing_templates WHERE id = ?').get(packTemplateRow.lastInsertRowid)).toBeUndefined();
+    // invite tokens created by target are deleted
+    expect(testDb.prepare('SELECT id FROM invite_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // collab content is deleted
+    expect(testDb.prepare('SELECT id FROM collab_notes WHERE user_id = ? AND trip_id = ?').get(target.id, otherTrip.id)).toBeUndefined();
+    // user settings are deleted
+    expect(testDb.prepare("SELECT id FROM settings WHERE user_id = ?").get(target.id)).toBeUndefined();
+    // password reset tokens are deleted
+    expect(testDb.prepare('SELECT id FROM password_reset_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // audit log entry survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM audit_log WHERE id = ?').get(auditRow.lastInsertRowid) as any).user_id).toBeNull();
+    // notification channel preferences are deleted
+    expect(testDb.prepare("SELECT user_id FROM notification_channel_preferences WHERE user_id = ? AND event_type = 'trip_invite'").get(target.id)).toBeUndefined();
+  });
+
  it('ADMIN-006 — admin cannot delete their own account', async () => {
    const { user: admin } = createAdmin(testDb);

@@ -52,7 +52,7 @@ import { createApp } from '../../src/app';
 import { createTables } from '../../src/db/schema';
 import { runMigrations } from '../../src/db/migrations';
 import { resetTestDb } from '../helpers/test-db';
-import { createUser, createAdmin, createUserWithMfa, createInviteToken } from '../helpers/factories';
+import { createUser, createAdmin, createUserWithMfa, createInviteToken, createTrip, createBudgetItem, createJourney, createJourneyEntry, addJourneyContributor, addTripPhoto, createCategory, createTag, createTodoItem, createMcpToken, createBucketListItem, createVisitedCountry, createCollabNote, addTripMember } from '../helpers/factories';
 import { authCookie, authHeader } from '../helpers/auth';
 import { loginAttempts, mfaAttempts } from '../../src/routes/auth';

@@ -509,6 +509,225 @@ describe('Extended auth scenarios', () => {
  });
 });

+// ─────────────────────────────────────────────────────────────────────────────
+// Account deletion
+// ─────────────────────────────────────────────────────────────────────────────
+
+describe('Account deletion', () => {
+  it('AUTH-040 — DELETE /auth/me succeeds when user has FK references', async () => {
+    const { user: admin } = createAdmin(testDb);
+    const { user: target } = createUser(testDb);
+    const { user: otherUser } = createUser(testDb);
+    const { user: thirdUser } = createUser(testDb);
+
+    // trip_members.invited_by: target invited thirdUser to otherUser's trip
+    // (trip survives deletion; only invited_by should become NULL)
+    const otherTrip = createTrip(testDb, otherUser.id);
+    testDb.prepare('INSERT INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)').run(otherTrip.id, thirdUser.id, target.id);
+
+    // share_tokens.created_by: target created a share token for otherUser's trip
+    testDb.prepare("INSERT INTO share_tokens (trip_id, token, created_by) VALUES (?, 'tok-auth-test', ?)").run(otherTrip.id, target.id);
+
+    // budget_items.paid_by_user_id: target paid for an expense on otherUser's trip
+    const budgetItem = createBudgetItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE budget_items SET paid_by_user_id = ? WHERE id = ?').run(target.id, budgetItem.id);
+
+    // journey_contributors: target is a contributor on otherUser's journey
+    const otherJourney = createJourney(testDb, otherUser.id);
+    addJourneyContributor(testDb, otherJourney.id, target.id);
+
+    // journey_entries: target authored an entry on otherUser's journey
+    createJourneyEntry(testDb, otherJourney.id, target.id);
+
+    // journey_share_tokens: target created a share token for otherUser's journey
+    testDb.prepare("INSERT INTO journey_share_tokens (journey_id, token, created_by) VALUES (?, 'jst-auth-test', ?)").run(otherJourney.id, target.id);
+
+    // notifications.sender_id (SET NULL): target sent a notification to otherUser
+    const sentNotif = testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, target.id, otherUser.id);
+    // notifications.recipient_id (CASCADE): otherUser sent a notification to target
+    testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, otherUser.id, target.id);
+
+    // user_notice_dismissals (CASCADE): target dismissed a notice
+    testDb.prepare(
+      "INSERT INTO user_notice_dismissals (user_id, notice_id, dismissed_at) VALUES (?, 'test-notice', ?)"
+    ).run(target.id, Date.now());
+
+    // owned journey: target owns a journey with an entry (cascade-deletes on journey deletion)
+    const ownedJourney = createJourney(testDb, target.id);
+    createJourneyEntry(testDb, ownedJourney.id, target.id);
+
+    // trip_files.uploaded_by (SET NULL): target uploaded a file to otherUser's trip
+    const fileRow = testDb.prepare(
+      "INSERT INTO trip_files (trip_id, filename, original_name, uploaded_by) VALUES (?, 'f.pdf', 'file.pdf', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // trek_photos.owner_id (SET NULL): target owns a photo in the central registry
+    const trekPhotoRow = testDb.prepare(
+      "INSERT INTO trek_photos (provider, asset_id, owner_id) VALUES ('immich', 'asset-auth-test', ?)"
+    ).run(target.id);
+
+    // trip_photos.user_id (CASCADE): target added a photo to otherUser's trip
+    addTripPhoto(testDb, otherTrip.id, target.id, 'asset-tp-auth', 'immich');
+
+    // trips.user_id (CASCADE): target owns a trip
+    const ownedTrip = createTrip(testDb, target.id);
+
+    // trip_members.user_id (CASCADE): target is a member of otherUser's trip
+    addTripMember(testDb, otherTrip.id, target.id);
+
+    // categories.user_id (SET NULL): target created a category
+    const userCategory = createCategory(testDb, { user_id: target.id });
+
+    // tags.user_id (CASCADE): target created a tag
+    const userTag = createTag(testDb, target.id);
+
+    // todo_items.assigned_user_id (SET NULL): target is assigned to a todo on otherUser's trip
+    const todoItem = createTodoItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE todo_items SET assigned_user_id = ? WHERE id = ?').run(target.id, todoItem.id);
+
+    // packing_bags.user_id (SET NULL): target owns a packing bag on otherUser's trip
+    const packBagRow = testDb.prepare(
+      "INSERT INTO packing_bags (trip_id, name, color, user_id) VALUES (?, 'Bag', '#ff0000', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // mcp_tokens.user_id (CASCADE): target has an MCP API token
+    createMcpToken(testDb, target.id);
+
+    // oauth_tokens/consents.user_id (CASCADE): target has tokens from otherUser's OAuth client
+    testDb.prepare(
+      "INSERT INTO oauth_clients (id, user_id, name, client_id, client_secret_hash) VALUES ('cl-auth-test', ?, 'App', 'cid-auth-test', 'h')"
+    ).run(otherUser.id);
+    testDb.prepare(
+      "INSERT INTO oauth_tokens (client_id, user_id, access_token_hash, refresh_token_hash, access_token_expires_at, refresh_token_expires_at) VALUES ('cid-auth-test', ?, 'ath-auth', 'rth-auth', datetime('now','+1 hour'), datetime('now','+30 days'))"
+    ).run(target.id);
+    testDb.prepare(
+      "INSERT INTO oauth_consents (client_id, user_id) VALUES ('cid-auth-test', ?)"
+    ).run(target.id);
+
+    // vacay_plans.owner_id (CASCADE): target owns a vacation plan
+    const vacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(target.id);
+
+    // vacay_plan_members.user_id (CASCADE): target is a member of otherUser's vacay plan
+    const otherVacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(otherUser.id);
+    testDb.prepare("INSERT INTO vacay_plan_members (plan_id, user_id) VALUES (?, ?)").run(otherVacayPlanRow.lastInsertRowid, target.id);
+
+    // bucket_list.user_id (CASCADE): target has a bucket list item
+    createBucketListItem(testDb, target.id);
+
+    // visited_countries.user_id (CASCADE): target has visited a country
+    createVisitedCountry(testDb, target.id, 'JP');
+
+    // visited_regions.user_id (CASCADE): target has visited a region
+    testDb.prepare(
+      "INSERT INTO visited_regions (user_id, region_code, region_name, country_code) VALUES (?, 'JP-13', 'Tokyo', 'JP')"
+    ).run(target.id);
+
+    // packing_templates.created_by (CASCADE): target created a packing template
+    const packTemplateRow = testDb.prepare(
+      "INSERT INTO packing_templates (name, created_by) VALUES ('My Template', ?)"
+    ).run(target.id);
+
+    // invite_tokens.created_by (CASCADE): target created an invite token
+    createInviteToken(testDb, { created_by: target.id });
+
+    // collab_notes.user_id (CASCADE): target authored a collab note on otherUser's trip
+    createCollabNote(testDb, otherTrip.id, target.id);
+
+    // settings.user_id (CASCADE): target has a user setting
+    testDb.prepare("INSERT INTO settings (user_id, key, value) VALUES (?, 'theme', 'dark')").run(target.id);
+
+    // password_reset_tokens.user_id (CASCADE): target has a pending password reset
+    testDb.prepare(
+      "INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, 'prt-hash-auth', datetime('now','+1 hour'))"
+    ).run(target.id);
+
+    // audit_log.user_id (SET NULL): target performed an audited action
+    const auditRow = testDb.prepare(
+      "INSERT INTO audit_log (user_id, action, ip) VALUES (?, 'test.action', '127.0.0.1')"
+    ).run(target.id);
+
+    // notification_channel_preferences.user_id (CASCADE): target has notification preferences
+    testDb.prepare("INSERT OR IGNORE INTO notification_channel_preferences (user_id, event_type, channel) VALUES (?, 'trip_invite', 'email')").run(target.id);
+
+    // admin exists to ensure target (non-admin user) passes the last-admin guard
+    void admin;
+
+    const res = await request(app)
+      .delete('/api/auth/me')
+      .set('Cookie', authCookie(target.id));
+    expect(res.status).toBe(200);
+    expect(res.body.success).toBe(true);
+
+    expect(testDb.prepare('SELECT id FROM users WHERE id = ?').get(target.id)).toBeUndefined();
+    // trip_members row survives but invited_by is now NULL
+    expect((testDb.prepare('SELECT invited_by FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, thirdUser.id) as any).invited_by).toBeNull();
+    expect(testDb.prepare('SELECT id FROM share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    expect((testDb.prepare('SELECT paid_by_user_id FROM budget_items WHERE id = ?').get(budgetItem.id) as any).paid_by_user_id).toBeNull();
+    expect(testDb.prepare('SELECT user_id FROM journey_contributors WHERE journey_id = ? AND user_id = ?').get(otherJourney.id, target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE author_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // sent notification survives but sender_id becomes NULL
+    expect((testDb.prepare('SELECT sender_id FROM notifications WHERE id = ?').get(sentNotif.lastInsertRowid) as any).sender_id).toBeNull();
+    // received notification is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM notifications WHERE recipient_id = ?').get(target.id)).toBeUndefined();
+    // notice dismissals are cascade-deleted
+    expect(testDb.prepare("SELECT user_id FROM user_notice_dismissals WHERE user_id = ? AND notice_id = 'test-notice'").get(target.id)).toBeUndefined();
+    // owned journey and its entries are cascade-deleted
+    expect(testDb.prepare('SELECT id FROM journeys WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE journey_id = ?').get(ownedJourney.id)).toBeUndefined();
+    // uploaded file survives but uploaded_by is now NULL
+    expect((testDb.prepare('SELECT uploaded_by FROM trip_files WHERE id = ?').get(fileRow.lastInsertRowid) as any).uploaded_by).toBeNull();
+    // trek_photos row survives but owner_id is now NULL
+    expect((testDb.prepare('SELECT owner_id FROM trek_photos WHERE id = ?').get(trekPhotoRow.lastInsertRowid) as any).owner_id).toBeNull();
+    // trip_photos row for target is cascade-deleted
+    expect(testDb.prepare("SELECT id FROM trip_photos WHERE trip_id = ? AND user_id = ?").get(otherTrip.id, target.id)).toBeUndefined();
+    // owned trip is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM trips WHERE id = ?').get(ownedTrip.id)).toBeUndefined();
+    // trip membership on others' trips is removed
+    expect(testDb.prepare('SELECT id FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, target.id)).toBeUndefined();
+    // category survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM categories WHERE id = ?').get(userCategory.id) as any).user_id).toBeNull();
+    // tag is deleted
+    expect(testDb.prepare('SELECT id FROM tags WHERE id = ?').get(userTag.id)).toBeUndefined();
+    // todo assigned_user_id is NULL
+    expect((testDb.prepare('SELECT assigned_user_id FROM todo_items WHERE id = ?').get(todoItem.id) as any).assigned_user_id).toBeNull();
+    // packing bag survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM packing_bags WHERE id = ?').get(packBagRow.lastInsertRowid) as any).user_id).toBeNull();
+    // MCP tokens are deleted
+    expect(testDb.prepare('SELECT id FROM mcp_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // OAuth tokens and consents are deleted
+    expect(testDb.prepare('SELECT id FROM oauth_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM oauth_consents WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // owned vacay plan is deleted
+    expect(testDb.prepare('SELECT id FROM vacay_plans WHERE id = ?').get(vacayPlanRow.lastInsertRowid)).toBeUndefined();
+    // vacay plan membership on others' plans is removed
+    expect(testDb.prepare('SELECT id FROM vacay_plan_members WHERE plan_id = ? AND user_id = ?').get(otherVacayPlanRow.lastInsertRowid, target.id)).toBeUndefined();
+    // bucket list items are deleted
+    expect(testDb.prepare('SELECT id FROM bucket_list WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // travel history is deleted
+    expect(testDb.prepare('SELECT user_id FROM visited_countries WHERE user_id = ? AND country_code = ?').get(target.id, 'JP')).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM visited_regions WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // packing template is deleted
+    expect(testDb.prepare('SELECT id FROM packing_templates WHERE id = ?').get(packTemplateRow.lastInsertRowid)).toBeUndefined();
+    // invite tokens created by target are deleted
+    expect(testDb.prepare('SELECT id FROM invite_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // collab content is deleted
+    expect(testDb.prepare('SELECT id FROM collab_notes WHERE user_id = ? AND trip_id = ?').get(target.id, otherTrip.id)).toBeUndefined();
+    // user settings are deleted
+    expect(testDb.prepare("SELECT id FROM settings WHERE user_id = ?").get(target.id)).toBeUndefined();
+    // password reset tokens are deleted
+    expect(testDb.prepare('SELECT id FROM password_reset_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // audit log entry survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM audit_log WHERE id = ?').get(auditRow.lastInsertRowid) as any).user_id).toBeNull();
+    // notification channel preferences are deleted
+    expect(testDb.prepare("SELECT user_id FROM notification_channel_preferences WHERE user_id = ? AND event_type = 'trip_invite'").get(target.id)).toBeUndefined();
+  });
+});
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Rate limiting (AUTH-004, AUTH-018) — placed last
 // ─────────────────────────────────────────────────────────────────────────────
@@ -463,7 +463,7 @@ describe('Update trip', () => {
    expect(notesAfter!.day_id).toBe(daysAfter[1].id);
  });

-  it('TRIP-024 — Shrinking trip date range keeps overflow days as dateless with content intact', async () => {
+  it('TRIP-024 — Shrinking trip date range deletes overflow days and their content', async () => {
    const { user } = createUser(testDb);
    const trip = createTrip(testDb, user.id, { start_date: '2026-09-01', end_date: '2026-09-05' });

@@ -481,13 +481,12 @@ describe('Update trip', () => {
    expect(res.status).toBe(200);

    const daysAfter = testDb.prepare('SELECT * FROM days WHERE trip_id = ? ORDER BY day_number').all(trip.id) as { id: number; date: string | null }[];
-    expect(daysAfter).toHaveLength(5);
-    expect(daysAfter.filter(d => d.date !== null)).toHaveLength(3);
-    expect(daysAfter.filter(d => d.date === null)).toHaveLength(2);
+    expect(daysAfter).toHaveLength(3);
+    expect(daysAfter.every(d => d.date !== null)).toBe(true);

-    // Overflow assignments survived
+    // Overflow days and their assignments deleted
    const all = testDb.prepare('SELECT * FROM day_assignments WHERE id IN (?, ?)').all(a4.id, a5.id) as { id: number }[];
-    expect(all).toHaveLength(2);
+    expect(all).toHaveLength(0);
  });
 });

@@ -1,4 +1,4 @@
-import { describe, it, expect, vi } from 'vitest';
+import { describe, it, expect, vi, beforeEach } from 'vitest';

 // Prevent node-cron from scheduling anything at import time
 vi.mock('node-cron', () => ({
@@ -17,6 +17,7 @@ vi.mock('node:fs', () => ({
    writeFileSync: vi.fn(),
    readdirSync: vi.fn(() => []),
    statSync: vi.fn(() => ({ mtime: new Date(), size: 0 })),
+    unlinkSync: vi.fn(),
    createWriteStream: vi.fn(() => ({ on: vi.fn(), pipe: vi.fn() })),
  },
  existsSync: vi.fn(() => false),
@@ -25,14 +26,20 @@ vi.mock('node:fs', () => ({
  writeFileSync: vi.fn(),
  readdirSync: vi.fn(() => []),
  statSync: vi.fn(() => ({ mtime: new Date(), size: 0 })),
+  unlinkSync: vi.fn(),
  createWriteStream: vi.fn(() => ({ on: vi.fn(), pipe: vi.fn() })),
 }));
 vi.mock('../../../src/db/database', () => ({
  db: { prepare: () => ({ all: vi.fn(() => []), get: vi.fn(), run: vi.fn() }) },
 }));
 vi.mock('../../../src/config', () => ({ JWT_SECRET: 'test-secret', ENCRYPTION_KEY: '0'.repeat(64) }));
+vi.mock('../../src/services/auditLog', () => ({
+  logInfo: vi.fn(),
+  logError: vi.fn(),
+}));

-import { buildCronExpression } from '../../src/scheduler';
+import fs from 'node:fs';
+import { buildCronExpression, cleanupOldBackups } from '../../src/scheduler';

 interface BackupSettings {
  enabled: boolean;
@@ -130,3 +137,82 @@ describe('buildCronExpression', () => {
    });
  });
 });
+
+describe('cleanupOldBackups', () => {
+  const DAY = 24 * 60 * 60 * 1000;
+  const NOW = new Date('2026-04-27T02:00:00Z').getTime();
+
+  function isoFilename(daysAgo: number, prefix: 'auto-backup' | 'backup' = 'auto-backup'): string {
+    const d = new Date(NOW - daysAgo * DAY);
+    const stamp = d.toISOString().replace(/[:.]/g, '-').slice(0, 19);
+    return `${prefix}-${stamp}.zip`;
+  }
+
+  beforeEach(() => {
+    vi.mocked(fs.readdirSync).mockReset();
+    vi.mocked(fs.statSync).mockReset();
+    vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>).mockReset();
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ mtime: new Date(), mtimeMs: NOW, birthtimeMs: NOW, size: 0 });
+  });
+
+  it('never deletes manual backup-*.zip files regardless of age', () => {
+    const manual = isoFilename(365 * 5, 'backup');
+    const auto = isoFilename(0);
+    vi.mocked(fs.readdirSync).mockReturnValue([manual, auto] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    const deleted = (vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).mock.calls.map((c: unknown[]) => c[0] as string);
+    expect(deleted.some((p: string) => p.includes(manual))).toBe(false);
+  });
+
+  it('keeps auto-backups newer than retention', () => {
+    const recent = isoFilename(3);
+    vi.mocked(fs.readdirSync).mockReturnValue([recent] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
+  });
+
+  it('deletes auto-backups older than retention', () => {
+    const old = isoFilename(30);
+    vi.mocked(fs.readdirSync).mockReturnValue([old] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).toHaveBeenCalledOnce();
+    const [calledPath] = (vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).mock.calls[0] as string[];
+    expect(calledPath).toContain(old);
+  });
+
+  it('overlayfs regression: birthtimeMs=0 does not delete a same-day backup', () => {
+    const fresh = isoFilename(0);
+    vi.mocked(fs.readdirSync).mockReturnValue([fresh] as unknown as string[]);
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ birthtimeMs: 0, mtimeMs: NOW, mtime: new Date(NOW), size: 100 });
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
+  });
+
+  it('malformed filename falls back to mtimeMs: keeps recent file', () => {
+    vi.mocked(fs.readdirSync).mockReturnValue(['auto-backup-garbage.zip'] as unknown as string[]);
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ birthtimeMs: 0, mtimeMs: NOW - 1 * DAY, mtime: new Date(NOW - 1 * DAY), size: 0 });
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
+  });
+
+  it('malformed filename falls back to mtimeMs: deletes stale file', () => {
+    vi.mocked(fs.readdirSync).mockReturnValue(['auto-backup-garbage.zip'] as unknown as string[]);
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ birthtimeMs: 0, mtimeMs: NOW - 30 * DAY, mtime: new Date(NOW - 30 * DAY), size: 0 });
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).toHaveBeenCalledOnce();
+  });
+
+  it('ignores non-zip files and does not crash', () => {
+    const old = isoFilename(30);
+    vi.mocked(fs.readdirSync).mockReturnValue([old, 'notes.txt'] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    const calls = (vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).mock.calls as string[][];
+    expect(calls.every(([p]: string[]) => !p.includes('notes.txt'))).toBe(true);
+    expect(calls.length).toBe(1);
+  });
+
+  it('swallows readdirSync errors without throwing', () => {
+    vi.mocked(fs.readdirSync).mockImplementation(() => { throw new Error('ENOENT'); });
+    expect(() => cleanupOldBackups(7, NOW)).not.toThrow();
+  });
+});
@@ -96,33 +96,37 @@ describe('generateDays', () => {
    expect(getNotes(day2.id)[0].id).toBe(note.id);
  });

-  it('TRIP-SVC-011: shrinking range converts overflow days to dateless, preserves their assignments', () => {
+  it('TRIP-SVC-011: shrinking range deletes overflow days and their assignments (issue #909)', () => {
    const { user } = createUser(testDb);
    const trip = createTrip(testDb, user.id, { start_date: '2025-07-01', end_date: '2025-07-05' });
    const daysBefore = getDays(trip.id);
    expect(daysBefore).toHaveLength(5);

    const place = createPlace(testDb, trip.id);
-    // Assign places to days 4 and 5 (will become overflow)
-    const a4 = createDayAssignment(testDb, daysBefore[3].id, place.id);
-    const a5 = createDayAssignment(testDb, daysBefore[4].id, place.id);
+    createDayAssignment(testDb, daysBefore[3].id, place.id);
+    createDayAssignment(testDb, daysBefore[4].id, place.id);

-    // Shrink from 5 to 3 days
+    // Shrink from 5 to 3 days — surplus days and their content are removed
    generateDays(trip.id, '2025-07-01', '2025-07-03');

    const daysAfter = getDays(trip.id);
-    expect(daysAfter).toHaveLength(5); // no rows deleted
+    expect(daysAfter).toHaveLength(3);
+    expect(daysAfter.map(d => d.date)).toEqual(['2025-07-01', '2025-07-02', '2025-07-03']);
+  });

-    const dated = daysAfter.filter(d => d.date !== null);
-    const dateless = daysAfter.filter(d => d.date === null);
-    expect(dated).toHaveLength(3);
-    expect(dateless).toHaveLength(2);
+  it('TRIP-SVC-016: shrinking range deletes empty overflow days (issue #909)', () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id, { start_date: '2025-07-01', end_date: '2025-07-07' });
+    expect(getDays(trip.id)).toHaveLength(7);

-    // Overflow days still have their assignments
-    expect(getAssignments(dateless[0].id)).toHaveLength(1);
-    expect(getAssignments(dateless[0].id)[0].id).toBe(a4.id);
-    expect(getAssignments(dateless[1].id)).toHaveLength(1);
-    expect(getAssignments(dateless[1].id)[0].id).toBe(a5.id);
+    // Shrink 7 → 5; days 6 and 7 have no content
+    generateDays(trip.id, '2025-07-01', '2025-07-05');
+
+    const daysAfter = getDays(trip.id);
+    expect(daysAfter).toHaveLength(5);
+    expect(daysAfter.map(d => d.date)).toEqual([
+      '2025-07-01', '2025-07-02', '2025-07-03', '2025-07-04', '2025-07-05',
+    ]);
  });

  it('TRIP-SVC-012: growing range keeps existing day content and appends new empty days', () => {