fix: improve user deletion process and session handling

src/models/index.js

@@ -143,8 +143,11 @@ const Users = {
   },
 
   deleteUser(userId) {
-    db.prepare('UPDATE users SET display_name = ?, password_hash = ?, is_admin = 0, is_organizer = 0 WHERE id = ?')
+    // get username from userId before scrambling
-      .run('[deleted]', '', userId);
+    const user = this.findById(userId);
+    const scrambled = `_deleted_${user.username}_${Date.now()}`;
+    db.prepare('UPDATE users SET username = ?, display_name = ?, password_hash = ?, is_admin = 0, is_organizer = 0 WHERE id = ?')
+      .run(scrambled, '[deleted]', '', userId);
     db.prepare('UPDATE password_reset_tokens SET used = 1 WHERE user_id = ?').run(userId);
     db.prepare("DELETE FROM sessions WHERE sess LIKE ?").run('%"userId":' + userId + '%');
   }

src/routes/admin.js

@@ -186,7 +186,7 @@ router.post('/users/:id/delete', requireAdmin, (req, res) => {
   }
 
   Users.deleteUser(userId);
-  req.session.flash = { type: 'success', message: `Account "${user.username}" has been deleted.` };
+  req.session.flash = { type: 'success', message: `Account "${user.display_name || user.username}" has been deleted.` };
   res.redirect('/admin');
 });
 

src/routes/hunts.js

@@ -167,8 +167,9 @@ router.post('/player/:username/delete', requireAuth, (req, res) => {
   }
 
   Users.deleteUser(user.id);
-  req.session.destroy();
+  req.session.destroy(() => {
-  res.redirect('/');
+    res.redirect('/');
+  });
 });
 
 // ─── Browse all hunts ─────────────────────────────────────