Add player self service routes for deletion

[tudddorrr]

No description provided.

[codecov]

Codecov Report

❌ Patch coverage is 98.38710% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 97.10%. Comparing base (a41daf7) to head (7e3fac9).
⚠️ Report is 4 commits behind head on develop.

Files with missing lines	Patch %	Lines
src/lib/auth/jwt.ts	66.66%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop     #877      +/-   ##
===========================================
+ Coverage    97.07%   97.10%   +0.02%     
===========================================
  Files          390      397       +7     
  Lines         6184     6243      +59     
  Branches       795      806      +11     
===========================================
+ Hits          6003     6062      +59     
- Misses          94       95       +1     
+ Partials        87       86       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

PR Review: Add player self service routes for deletion

Overall this is a well-structured PR. The refactoring of handlers into standalone functions (loginHandler, verifyHandler, deleteHandler, performDelete) is clean and the test coverage is solid.

---

Potential Bugs

loginHandler swaps graceful 401 for a hard crash on missing auth

In src/routes/api/player-auth/login.ts (around line 501), the original login route had:

if (!alias.player.auth) return handleFailedLogin(ctx)

The new shared loginHandler replaces this with:

assert(alias.player.auth)

If alias.player.auth is null - which should not happen for Talo aliases but could through data inconsistency - this throws a Node.js AssertionError resulting in a 500 instead of a 401. Since the handler is now shared across both the API route and the new public routes, the impact surface is wider. Should be a guarded return:

if (!alias.player.auth) {
  return { status: 401, body: { message: 'Incorrect identifier or password', errorCode: 'INVALID_CREDENTIALS' } }
}

---

Minor

Sqids instance allocated on every call

Game.getToken() and Game.fromToken() both call new Sqids({ minLength: 8 }) on every invocation. The object is stateless so results are correct, but a module-level constant avoids the allocation on every token encode/decode:

const sqids = new Sqids({ minLength: 8 })

---

Security

No issues found. The public session JWT uses a distinct audience (player-public), expires in 5 minutes, and the rate limit of 10 req/period on /public/players is appropriate given bcrypt in the login path. The delete-without-password design (session token substitutes for password re-confirmation) is consistent with the intended short-lived GDPR-style flow.

Test Coverage

No issues found. Cross-game isolation, rollback on ClickHouse failure, invalid tokens, and missing auth cases are all well covered.