feat(api+client): linked-identities panel on the account screen #216
Context

The Universal client's Account screen (apps/client/app/(app)/account.tsx) ports the Personal Access Tokens panel but omits the OAuth identity-link/unlink panel the previous Next.js PWA shipped. There is no /api/account/identities endpoint and no UI for users to see which providers are linked, link a new provider, or unlink one with the safety guard that the last sign-in method cannot be removed.

The PWA had this via apps/api/app/(app)/account/page.tsx + unlink-action.ts (since deleted by #185) calling LocalIdentitiesRepository and OauthIdentitiesRepository directly from a server component. The universal client must do it through an API endpoint.

Source

apps/client/app/(app)/account.tsx lines 31-34:

apps/api/app/(app)/account/page.tsx and unlink-action.ts (deleted in PR #209 / #185) are the historical reference for the unlink behaviour, including the "do not strand the user without a sign-in method" check.

Scope

- GET /api/account/identities returning { local: { email } | null, oauth: [{ id, provider, email }] } scoped to the authenticated user.
- DELETE /api/account/identities/oauth/:id enforcing the "last sign-in method" check from unlink-action.ts: refuse if removing the identity would leave the user with zero sign-in methods.
- /api/auth/oauth/start?provider=...&intent=link (the start route already supports the linking intent).
- @carol/api-client hooks: useAccountIdentities, useUnlinkAccountIdentity.
- apps/client/app/(app)/account.tsx next to the existing PATs panel: signed-in identity (already shown) → linked providers → connectable providers.
- react-i18next; tokens via useTheme().

Acceptance criteria

- GET /api/account/identities returns the per-user list; cross-user reads 404.
- DELETE /api/account/identities/oauth/:id enforces the last-method check and returns 409 last_sign_in_method on refusal.

Composes with
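
The two acceptance criteria above as an added TypeScript sketch, not code from this repository. The in-memory store, the function names, the 204 success status and the 404 on a cross-user DELETE are assumptions; the response shape and `409 last_sign_in_method` come from the issue.

```typescript
// Constructed in-memory stand-in for the repositories; all names are hypothetical.
type Oauth = { id: string; userId: string; provider: string; email: string };
type Store = { local: { userId: string; email: string }[]; oauth: Oauth[] };
type UnlinkResult =
  | { status: 204 }
  | { status: 404; error: "not_found" }
  | { status: 409; error: "last_sign_in_method" };

// GET /api/account/identities: keyed only on the session's user id, so there
// is no request parameter that could select another user's rows.
function listIdentities(store: Store, sessionUserId: string) {
  const local = store.local.find((l) => l.userId === sessionUserId);
  return {
    local: local ? { email: local.email } : null,
    oauth: store.oauth
      .filter((o) => o.userId === sessionUserId)
      .map(({ id, provider, email }) => ({ id, provider, email })),
  };
}

// DELETE /api/account/identities/oauth/:id
function unlinkOauthIdentity(store: Store, sessionUserId: string, id: string): UnlinkResult {
  // Ownership is part of the lookup: another user's identity id looks the same
  // as a nonexistent one (404 here is an assumption mirroring the GET rule).
  const mine = store.oauth.filter((o) => o.userId === sessionUserId);
  const target = mine.find((o) => o.id === id);
  if (!target) return { status: 404, error: "not_found" };

  // Sign-in methods left after removal: local identity plus other OAuth links.
  const hasLocal = store.local.some((l) => l.userId === sessionUserId);
  if (!hasLocal && mine.length === 1) return { status: 409, error: "last_sign_in_method" };

  // Against a real database, run the count and the delete in one transaction;
  // otherwise two concurrent unlinks can both pass the check.
  store.oauth = store.oauth.filter((o) => o !== target);
  return { status: 204 };
}

// Constructed sample: alice has a local login and one provider, bob has two providers only.
function sampleStore(): Store {
  return {
    local: [{ userId: "alice", email: "alice@example.test" }],
    oauth: [
      { id: "o1", userId: "alice", provider: "github", email: "alice@example.test" },
      { id: "o2", userId: "bob", provider: "google", email: "bob@example.test" },
      { id: "o3", userId: "bob", provider: "github", email: "bob@example.test" },
    ],
  };
}
```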