GearBox/.planning/phases/28-profile-and-logto-integration/28-01-SUMMARY.md

phase: 28-profile-and-logto-integration
plan: 01
subsystem: server
tags: logto, account-management, auth
key-files:
  created:
    src/server/services/logto.service.ts
    src/server/routes/account.ts
    tests/services/logto.service.test.ts
  modified:
    src/server/index.ts
    src/shared/schemas.ts
    src/shared/types.ts
metrics:
  tasks: 2/2
  commits: 2
  files-changed: 6

Plan 28-01 Summary: Logto Management API Client & Account Routes

What Was Built

  1. LogtoManagementClient (src/server/services/logto.service.ts) — M2M token-based client for Logto Management API with automatic token caching and refresh. Methods: getUser, verifyPassword, updatePassword, hasPassword, updateEmail, deleteUser.

  2. Account management routes (src/server/routes/account.ts) — Four endpoints:

    • POST /api/account/password — Change password (verifies current first)
    • POST /api/account/email — Change email
    • GET /api/account/has-password — Check if user has password
    • POST /api/account/delete — Delete account with public setup anonymization
  3. Zod schemas added to src/shared/schemas.ts: changePasswordSchema, changeEmailSchema, deleteAccountSchema

  4. 12 unit tests covering all LogtoManagementClient methods and token caching behavior

Commits

# Hash Description
1 fcd8279 feat(28-01): create Logto Management API client service with M2M auth
2 e8207a3 feat(28-01): add account management routes for password, email, and deletion

Deviations

None — implemented as planned.

Self-Check: PASSED

  • LogtoManagementClient has all required methods
  • Token caching works with 60s buffer before expiry
  • Password change verifies current password first (T-28-03)
  • Account deletion creates sentinel user and anonymizes public setups (D-06)
  • All routes use requireAuth middleware (T-28-05)
  • Deletion requires "DELETE" confirmation (T-28-04)
  • Routes registered in index.ts
  • All tests pass
  • Lint passes
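
The token caching listed under What Was Built and the 60s-buffer item in the self-check, as an added example that is not code from the GearBox repository or from Logto. The class name M2MTokenCache, the injected fetcher and clock, and the sharing of one in-flight refresh among concurrent callers are assumptions; the summary itself states only caching, refresh and the 60s buffer.

```typescript
// Added example with hypothetical names; not GearBox's or Logto's code.
type TokenResponse = { access_token: string; expires_in: number }; // expires_in: seconds
type TokenFetcher = () => Promise<TokenResponse>;
const EXPIRY_BUFFER_MS = 60_000; // the 60s buffer before expiry

class M2MTokenCache {
  private token: string | null = null;
  private expiresAtMs = 0;
  private inFlight: Promise<string> | null = null;
  private fetchToken: TokenFetcher;
  private now: () => number;
  constructor(fetchToken: TokenFetcher, now: () => number = Date.now) {
    this.fetchToken = fetchToken;
    this.now = now;
  }
  // Usable only while the token outlives the buffer, so no request leaves with a token about to expire.
  isFresh(): boolean {
    return this.token !== null && this.now() < this.expiresAtMs - EXPIRY_BUFFER_MS;
  }
  async getToken(): Promise<string> {
    if (this.token !== null && this.isFresh()) return this.token;
    // Concurrent callers share one refresh instead of each hitting the token endpoint.
    if (this.inFlight === null) {
      this.inFlight = this.refresh().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }
  private async refresh(): Promise<string> {
    const requestedAt = this.now(); // count lifetime from the request, not the response
    const res = await this.fetchToken();
    if (!res.access_token || !(res.expires_in > 0)) {
      throw new Error("token endpoint returned an unusable response"); // never cached
    }
    this.token = res.access_token;
    this.expiresAtMs = requestedAt + res.expires_in * 1000;
    return res.access_token;
  }
}

// Constructed scenario: fake clock and fake token endpoint issuing 3600s tokens.
async function demoTokenCache(): Promise<{ fetches: number; tokens: string[] }> {
  let clock = 0;
  let fetches = 0;
  const endpoint: TokenFetcher = async () => ({ access_token: `tok-${++fetches}`, expires_in: 3600 });
  const cache = new M2MTokenCache(endpoint, () => clock);
  const tokens: string[] = await Promise.all([cache.getToken(), cache.getToken()]); // one fetch
  clock = 3_539_000; tokens.push(await cache.getToken()); // 61s left: served from cache
  clock = 3_541_000; tokens.push(await cache.getToken()); // 59s left: refreshed
  return { fetches, tokens };
}
```

Injecting the clock is what lets a unit test pin the behaviour on either side of the 60s boundary without waiting for a real token to age.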