Phase 2: Automated IDP Deletion and Email Re-assignment #479

@JoseSzycho

Description

Problem: We need a robust API endpoint to handle IDP deletion that maintains account integrity by ensuring every user always has a verified email address attached to their profile.

Requirement:
Create a deletion API that performs the following logic:

  1. Automatic Update: If the IDP being deleted is the source of the user's primary email, the system must automatically update the user's email to match a remaining valid UserIdentity.
  2. Validation & Constraints:
    • The GitHub Edge Case: Some IDPs (specifically GitHub) may not provide a public or valid email address.
    • Safety Check: The API must block the deletion if it would leave the user with no valid email address.
    • Final Identity Protection: Do not allow the user to delete their last IDP link that contains a valid email address.

Warning

Warning Message for Users:
"Deleting this Identity Provider requires two steps:

  1. You must first update your account email address to match one of your other linked identities.
  2. Once your email is updated, you may proceed with the deletion of this provider."

The best approach for this implementation is likely a reconciler loop. Because we need to guarantee that both steps happen and that the system reaches a consistent state, a standard synchronous API is insufficient.
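
The deletion rules in the requirement above, sketched as a pure decision function that an API handler or reconciler could call. This is an added example, not code from the project; the `UserIdentity` fields, `DeletionPlan`, `plan_idp_deletion`, and the definition of a valid email (non-empty and verified by the IDP) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class UserIdentity:  # hypothetical shape, not the project's model
    provider: str
    email: Optional[str]  # None when the IDP exposes no email (GitHub edge case)
    email_verified: bool = False

    @property
    def has_valid_email(self) -> bool:
        # Assumption: "valid" means non-empty and verified by the IDP.
        return bool(self.email) and self.email_verified


@dataclass(frozen=True)
class DeletionPlan:
    allowed: bool
    new_primary_email: Optional[str]  # set only when the primary must change
    reason: str


def plan_idp_deletion(primary_email: str, identities: List[UserIdentity],
                      provider: str) -> DeletionPlan:
    target = next((i for i in identities if i.provider == provider), None)
    if target is None:
        return DeletionPlan(False, None, "identity not linked")
    remaining = [i for i in identities if i is not target and i.has_valid_email]
    # Final identity protection / safety check: never remove the last valid email.
    if target.has_valid_email and not remaining:
        return DeletionPlan(False, None, "last identity with a valid email")
    primary = primary_email.lower()
    if target.has_valid_email and target.email.lower() == primary:
        # Automatic update, unless another linked identity already backs the primary.
        if not any(i.email.lower() == primary for i in remaining):
            return DeletionPlan(True, remaining[0].email, "primary email re-assigned")
    return DeletionPlan(True, None, "primary email unchanged")


# Constructed sample data.
SAMPLE = [
    UserIdentity("google", "alice@example.com", True),
    UserIdentity("github", None),
    UserIdentity("gitlab", "alice@corp.example", True),
]
```

Because the function has no side effects, the same plan can be recomputed on every reconcile pass until the stored primary email and the identity list agree with it.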
