---
issue: "006"
title: "Frontend deleteAccount action calls DELETE /user/profile which does not exist"
severity: critical
domain: auth
labels: [frontend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 Frontend deleteAccount action calls DELETE /user/profile which does not exist

**Severity:** critical
**Domain:** auth
**Labels:** frontend, bug

## Description

`frontend/src/actions/account.ts` (line ~144) calls:

```ts
axiosInstance.delete(endpoints.users.profile) // resolves to DELETE /user/profile
```

There is no `DELETE` handler on `/user/profile` in the backend. The actual soft-delete endpoint is:

```
DELETE /api/auth/account
```

which requires a `password` field in the request body and runs `deleteAccountValidation`.

**Result:** Account deletion silently 404s from every UI path. Users cannot delete their accounts.

## Current Behavior

Clicking the delete account button in the dashboard sends `DELETE /user/profile` → 404. The account is not deleted.

## Expected Behavior

The action should send `DELETE /api/auth/account` with `{ password }` in the body. On success, the account status is set to `'deleted'` (soft delete) in MongoDB.

## Affected Files

- `frontend/src/actions/account.ts` — `deleteAccount` function
- `frontend/src/lib/axios.ts` — `endpoints.users.profile` key used for the path

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding C3
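
The request described under Expected Behavior, sketched as an added example (not the project's code). `HttpClient`, `ACCOUNT_DELETE_PATH`, `buildDeleteAccountRequest` and `makeRecordingClient` are hypothetical names, and the client is assumed to reject on non-2xx responses as axios does by default.

```typescript
// Added example, not the project's code. HttpClient mirrors the
// shape of axios's `delete(url, config)`; the app would pass axiosInstance.
interface DeleteConfig { data?: unknown }
interface HttpResponse { status: number }
interface HttpClient {
  delete(url: string, config?: DeleteConfig): Promise<HttpResponse>;
}
type RecordedCall = { url: string; config: DeleteConfig | undefined };

// Path as stated in the issue. Assumption: the client's base URL
// does not already contain the /api prefix.
const ACCOUNT_DELETE_PATH = "/api/auth/account";

// Build the request separately so it can be checked without a network call.
function buildDeleteAccountRequest(password: string): { url: string; config: { data: { password: string } } } {
  if (password.length === 0) {
    // The backend requires a password; fail before sending anything.
    throw new Error("password is required to delete the account");
  }
  // An axios-style DELETE carries its body in `config.data`, not as a second positional argument.
  return { url: ACCOUNT_DELETE_PATH, config: { data: { password } } };
}

async function deleteAccount(client: HttpClient, password: string): Promise<void> {
  const { url, config } = buildDeleteAccountRequest(password);
  // No try/catch here: a 404 or a validation failure rejects and reaches the caller.
  await client.delete(url, config);
}

// Constructed fake client that records calls, for exercising the action offline.
function makeRecordingClient(): { client: HttpClient; calls: RecordedCall[] } {
  const calls: RecordedCall[] = [];
  const client: HttpClient = {
    delete(url, config) {
      calls.push({ url, config });
      return Promise.resolve({ status: 200 });
    },
  };
  return { client, calls };
}
```

A test that pins the recorded URL and body, as `makeRecordingClient` allows, would fail if the action ever points back at `endpoints.users.profile`.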