---
phase: 28-profile-and-logto-integration
plan: 01
subsystem: server
tags: [logto, account-management, auth]
key-files:
  created:
    - src/server/services/logto.service.ts
    - src/server/routes/account.ts
    - tests/services/logto.service.test.ts
  modified:
    - src/server/index.ts
    - src/shared/schemas.ts
    - src/shared/types.ts
metrics:
  tasks: 2/2
  commits: 2
  files-changed: 6
---

# Plan 28-01 Summary: Logto Management API Client & Account Routes

## What Was Built

1. **LogtoManagementClient** (`src/server/services/logto.service.ts`) — M2M token-based client for the Logto Management API with automatic token caching and refresh. Methods: getUser, verifyPassword, updatePassword, hasPassword, updateEmail, deleteUser.
2. **Account management routes** (`src/server/routes/account.ts`) — Four endpoints:
   - `POST /api/account/password` — Change password (verifies current password first)
   - `POST /api/account/email` — Change email
   - `GET /api/account/has-password` — Check whether the user has a password
   - `POST /api/account/delete` — Delete account with public setup anonymization
3. **Zod schemas** added to `src/shared/schemas.ts`: changePasswordSchema, changeEmailSchema, deleteAccountSchema
4. **12 unit tests** covering all LogtoManagementClient methods and token caching behavior

## Commits

| # | Hash | Description |
|---|------|-------------|
| 1 | fcd8279 | feat(28-01): create Logto Management API client service with M2M auth |
| 2 | e8207a3 | feat(28-01): add account management routes for password, email, and deletion |

## Deviations

None — implemented as planned.

## Self-Check: PASSED

- [x] LogtoManagementClient has all required methods
- [x] Token caching works with 60s buffer before expiry
- [x] Password change verifies current password first (T-28-03)
- [x] Account deletion creates sentinel user and anonymizes public setups (D-06)
- [x] All routes use requireAuth middleware (T-28-05)
- [x] Deletion requires "DELETE" confirmation (T-28-04)
- [x] Routes registered in index.ts
- [x] All tests pass
- [x] Lint passes
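The token-caching behavior described under "What Was Built" and checked above ("60s buffer before expiry") is illustrated by the following added example, which is not the project's `logto.service.ts`: the client-credentials exchange against Logto's token endpoint is assumed to sit behind the injected `fetchToken`, and the clock is injectable so the expiry window can be exercised without waiting.

```typescript
// Added illustration (not the project's code): an M2M access-token cache that
// treats a token as expired 60 s early, so no Management API call is made with
// a token that may lapse mid-flight. Concurrent callers share one refresh.
export type TokenResponse = { access_token: string; expires_in: number };
export type TokenFetcher = () => Promise<TokenResponse>;

export const REFRESH_BUFFER_MS = 60000;

export class M2MTokenCache {
  private token: string | null = null;
  private expiresAt = 0;                            // epoch ms
  private inflight: Promise<string> | null = null;  // refresh in progress, if any
  refreshCount = 0;                                 // how many tokens were fetched

  constructor(
    private readonly fetchToken: TokenFetcher,   // assumed: client-credentials call
    private readonly now: () => number = Date.now,
  ) {}

  // A cached token is usable only while more than REFRESH_BUFFER_MS remains.
  isFresh(): boolean {
    return this.token !== null && this.now() + REFRESH_BUFFER_MS < this.expiresAt;
  }

  async getToken(): Promise<string> {
    if (this.isFresh()) return this.token as string;
    if (this.inflight) return this.inflight;        // join the running refresh
    this.inflight = this.refresh();
    try { return await this.inflight; } finally { this.inflight = null; }
  }

  private async refresh(): Promise<string> {
    const res = await this.fetchToken();
    // Never cache an empty or already-expired credential.
    if (!res.access_token || !(res.expires_in > 0)) {
      throw new Error("token endpoint returned no usable access token");
    }
    this.token = res.access_token;
    this.expiresAt = this.now() + res.expires_in * 1000;
    this.refreshCount += 1;
    return this.token;
  }
}

// Constructed stand-in for the token endpoint (no network): tok1, tok2, ...
export function fakeFetcher(lifetimeSec: number): TokenFetcher {
  let n = 0;
  return async () => ({ access_token: `tok${++n}`, expires_in: lifetimeSec });
}
```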