GearBox/.planning/milestones/v2.2-phases/28-profile-and-logto-integration/28-VERIFICATION.md
Jean-Luc Makiola 2853477a75
chore: archive v2.2 User Experience Polish milestone
Phases 28-31 archived to milestones/v2.2-phases/
Requirements and roadmap snapshots archived to milestones/

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 16:00:35 +02:00


| phase | status | verified | score |
| --- | --- | --- | --- |
| 28 | human_needed | 2026-04-12 | 8/11 |

Phase 28: Profile & Logto Integration - Verification

Phase Goal

Users have a working profile page with account management powered by Logto, branded login screens, and email verification.

Must-Haves Verification

Plan 01: Logto Management API Client & Account Routes

| # | Must-Have | Status | Evidence |
| --- | --- | --- | --- |
| 1 | Logto Management API client acquires and caches M2M access tokens | ✓ PASS | `src/server/services/logto.service.ts` contains `getAccessToken()` with TTL caching; 12 unit tests pass |
| 2 | Password change endpoint verifies current password before setting new one | ✓ PASS | `src/server/routes/account.ts` calls `verifyPassword()` before `updatePassword()` |
| 3 | Email change endpoint updates primary email on Logto user record | ✓ PASS | `POST /api/account/email` calls `logtoClient.updateEmail()` |
| 4 | Account deletion endpoint removes user from both GearBox DB and Logto | ✓ PASS | Transaction deletes DB data, then calls `logtoClient.deleteUser()` |
| 5 | All account management endpoints require authentication | ✓ PASS | `app.use("*", requireAuth)` in `account.ts` |

Plan 02: Profile Page & Settings Separation

| # | Must-Have | Status | Evidence |
| --- | --- | --- | --- |
| 6 | `/profile` route renders profile info, account info, security, and danger zone sections | ✓ PASS | `src/client/routes/profile.tsx` has all four sections |
| 7 | `/settings` no longer contains ProfileSection | ✓ PASS | `grep -c "ProfileSection" src/client/routes/settings.tsx` returns 0 |
| 8 | Profile page shows email from auth session and member-since date | ✓ PASS | AccountInfoSection renders email and formatted `createdAt` |

Plan 03: Navigation, /me Extension, Logto Configuration

| # | Must-Have | Status | Evidence |
| --- | --- | --- | --- |
| 9 | Navigation includes link to `/profile` page | ✓ PASS | `UserMenu.tsx` contains `<Link to="/profile">` |
| 10 | `/me` endpoint returns `createdAt` field | ✓ PASS | `auth.ts` queries full user record, returns `createdAt: fullUser?.createdAt?.toISOString()` |
| 11 | Logto sign-in page shows GearBox branding | PENDING | Requires manual Logto Console configuration |

Automated Checks

bun test tests/services/logto.service.test.ts  → 12/12 pass
bun run lint                                    → 0 errors
grep "accountRoutes" src/server/index.ts        → found
grep "requireAuth" src/server/routes/account.ts → found
grep "ProfileSection" src/client/routes/settings.tsx → not found (correct)

Human Verification Required

The following items require manual verification after Logto Console configuration:

  1. D-07: Visit /login — verify GearBox branding (logo, colors) appears on Logto sign-in page
  2. D-08: Verify auth.gearbox.de resolves to Logto (if custom domain configured)
  3. D-09: Verify Google and GitHub social sign-in buttons appear on login page
  4. D-10: Create new account — verify email verification is required
  5. D-11: Try weak password at signup — verify policy enforcement (8+ chars, mixed case, number)
  6. Profile page: Navigate to /profile — verify all four sections render with correct data
  7. Password change: Change password using the Security section — verify success/error flows
  8. Email change: Change email using the Account section — verify update reflects
  9. Settings page: Visit /settings — verify ProfileSection is gone, only app preferences remain

Decision Coverage

| Decision | Implemented | Notes |
| --- | --- | --- |
| D-01 | | Profile at /profile, settings keeps only app preferences |
| D-02 | | Profile shows displayName, bio, avatar, email, member-since |
| D-03 | | No gear stats on profile page |
| D-04 | | All account management proxied through GearBox backend |
| D-05 | | Three actions: change password, change email, delete account |
| D-06 | | Deletion anonymizes public setups to "Deleted User" sentinel |
| D-07 | PENDING | Requires Logto Console CSS/branding configuration |
| D-08 | PENDING | Requires DNS/reverse proxy configuration |
| D-09 | PENDING | Requires Logto Console social connector setup |
| D-10 | PENDING | Requires Logto Console sign-up configuration |
| D-11 | PENDING | Requires Logto Console password policy configuration |

Summary

Code implementation is complete (8/11 must-haves verified). Remaining 3 items are Logto Console configuration tasks that require manual human action. No code gaps found.