feat: Implement API to GDPR delete users

[Janis4411]

This PR introduces a possible way to GDPR delete users via a API.

If we delete a user on openHPI we also have to delete the user on codeocean. Previously this was handled via a rake task that has to be triggered manually.

Part of SODEV-2997

[codecov]

Codecov Report

❌ Patch coverage is 73.68421% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.35%. Comparing base (7876111) to head (29ef0d1).

Files with missing lines	Patch %	Lines
app/controllers/api/internal/users_controller.rb	75.00%	2 Missing ⚠️
lib/tasks/gdpr_delete.rake	0.00%	2 Missing ⚠️
app/controllers/api/api_controller.rb	85.71%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3224      +/-   ##
==========================================
+ Coverage   70.33%   70.35%   +0.01%     
==========================================
  Files         214      216       +2     
  Lines        6839     6857      +18     
==========================================
+ Hits         4810     4824      +14     
- Misses       2029     2033       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arkirchner]

I think it is better to blow up if the update did not work. soft_delete does not need a !. The ! indicates a volatile version of a method. Since we do not implement two versions of this method, we should not use !.

Suggested change

	def soft_delete!
	update(name: 'Deleted User', email: nil)
	def soft_delete
	update!(name: 'Deleted User', email: nil)

[arkirchner]

Maybe we can add a new column deleted_at and add a timestamp when the user was deleted. This is good for debugging.

[Janis4411]

Is the updated_at not serving the pretty much same purpose? Once a ExternalUser is updated with (name: 'Deleted User', email: nil) it won't be updated again, right?

[arkirchner]

It might be. The username Deleted User could be used by a user. No email could be a side effect from some bug. The deleted_at just makes it clearer and is a common practice for soft deletions.

[Janis4411]

I added the deleted_at column and update it now in the soft_delete method.

[sentry]

Bug: ActiveSupport::SecurityUtils.secure_compare will raise a NoMethodError if the OPENHPI_API_TOKEN environment variable is not set, as ENV.fetch will return nil.
_{Severity: HIGH}

Suggested Fix

Ensure the value passed to secure_compare is a string. Either convert the result of ENV.fetch to a string using .to_s, like ENV.fetch('OPENHPI_API_TOKEN', nil).to_s, or provide an empty string as the default value to fetch, like ENV.fetch('OPENHPI_API_TOKEN', '').

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: app/controllers/api/api_controller.rb#L10-L13

Potential issue: The `authenticate` method uses
`ActiveSupport::SecurityUtils.secure_compare` to validate an API token. The second
argument to this function is `ENV.fetch('OPENHPI_API_TOKEN', nil)`. If the
`OPENHPI_API_TOKEN` environment variable is not set, for example due to a deployment
misconfiguration, `ENV.fetch` will return `nil`. The `secure_compare` function then
attempts to call `.bytesize` on this `nil` value, which raises a `NoMethodError`. This
causes the request to fail with a 500 Internal Server Error instead of gracefully
returning a 401 Unauthorized status as intended.