From 86cda618a99996b0b130370eae5eb13e1925f935 Mon Sep 17 00:00:00 2001
From: Ean Milligan
Date: Fri, 10 Apr 2026 15:19:29 -0400
Subject: [PATCH] add perm-delete api
---
 README.md | 1 +
 mod.ts | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/README.md b/README.md
index 4ee9ff4..750de92 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ The API will be a combination API and basic SSR. Check out the [Bruno](https://
 - /api/move/[planId] - API Page: **PUT** to change what folder a plan is in while keeping same data, name, and id, requires **PIN** and name
 - /api/undelete/[planId] - API Page: **PUT** to unmark plan as deleted, requires **PIN**
 - /api/delete/[planId] - API Page: **DELETE** to mark plan as deleted, requires **PIN**
+- /api/perm-delete/[planId] - API Page: **DELETE** to truly delete the plan, requires **PIN** and plan to be marked as deleted
 - /api/auth - API Page: **POST** to check if you are who you say you are, requires username and **PIN**, returns userId and boolean of if email was set
 - /api/enroll - API Page: **POST** to create new user, requires username and **PIN** (optionally email), returns userId
 - /api/unenroll - API Page: **DELETE** to get rid of user and all of their plans, requires username and **PIN** (and deletion-confirmation-code if email present)
diff --git a/mod.ts b/mod.ts
index 628767b..450f94e 100644
--- a/mod.ts
+++ b/mod.ts
@@ -286,6 +286,21 @@ Deno.serve({ port: config.api.port }, async (req) => {
 });
 if (failed) return genericResponse(STATUS_CODE.InternalServerError, "Couldn't update DB.");
 return genericResponse(STATUS_CODE.OK, 'Plan deleted.');
+ } else if (path.startsWith('/perm-delete/')) {
+ const planId = path.replace('/perm-delete/', '');
+ const planMatch = await dbClient.query('SELECT ownerId, deleted FROM plans WHERE id = ?', [planId]).catch(() => {
+ failed = true;
+ });
+ if (failed) return genericResponse(STATUS_CODE.InternalServerError, "Couldn't read DB.");
+ if (!planMatch.length) return genericResponse(STATUS_CODE.NotFound, 'Plan ID does not exist.');
+ if (planMatch[0].ownerId !== id) return genericResponse(STATUS_CODE.Forbidden, "You don't own this plan.");
+ if (!planMatch[0].deleted) return genericResponse(STATUS_CODE.Forbidden, 'Plan must be marked as deleted to perm delete.');
+
+ await dbClient.execute('DELETE FROM plans WHERE id = ? AND deleted = 1', [planId]).catch(() => {
+ failed = true;
+ });
+ if (failed) return genericResponse(STATUS_CODE.InternalServerError, "Couldn't update DB.");
+ return genericResponse(STATUS_CODE.OK, 'Plan deleted.');
 }
 break;
 }
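Review bot: The `DELETE` in the new `/perm-delete/` branch relies on the earlier `SELECT` for the ownership check and never looks at how many rows it removed, so the authorization is not enforced by the destructive statement itself, and an undelete landing between the two queries would still return `'Plan deleted.'` with status OK although no row was removed. Binding the owner in the statement closes that gap: `await dbClient.execute('DELETE FROM plans WHERE id = ? AND ownerId = ? AND deleted = 1', [planId, id])`, and if the client's execute result exposes an affected-row count, a zero count should produce a non-OK response instead of the success message. Because this operation is irreversible, both `.catch(() => { failed = true; })` handlers should also log the caught error, and a successful permanent delete is worth an audit log line carrying the user id and plan id. The enclosing `Deno.serve` handler and the branch chain start outside this hunk, so the meaning of `id` as the authenticated user and the initial state of `failed` are inferred from how the visible lines use them.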