Migrate player auth API to new router

[tudddorrr]

No description provided.

[codecov]

Codecov Report

❌ Patch coverage is 99.69388% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 98.53%. Comparing base (20f800c) to head (976d9a9).
⚠️ Report is 2 commits behind head on develop.

Files with missing lines	Patch %	Lines
src/routes/api/player-auth/register.ts	97.84%	2 Missing ⚠️
src/routes/api/player-auth/login.ts	98.68%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop     #812      +/-   ##
===========================================
- Coverage    98.53%   98.53%   -0.01%     
===========================================
  Files          359      369      +10     
  Lines        18840    18850      +10     
  Branches      1764     1766       +2     
===========================================
+ Hits         18564    18573       +9     
- Misses         268      269       +1     
  Partials         8        8              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Code Review - PR #812: Migrate player auth API to new router

Overall, this is a well-executed migration following the documented patterns in CLAUDE.md. The code is well-organized with proper separation of concerns. I found one legitimate improvement opportunity:

---

🟡 Code Quality

Email validation happens in handlers instead of schemas

Currently, email format validation uses emailRegex.test() in handlers (after request parsing), but Zod schemas accept emails as plain strings. This means:

• Invalid emails pass validation and reach handler logic
• Error responses happen later in execution flow
• Validation logic is split between schema and handler

Files affected:

• register.ts (lines 65-74)
• change-email.ts (lines 75-90)
• toggle-verification.ts (lines 76-94)

Suggested fix:

// Instead of:
email: z.string().optional().meta({ description: "..." })

// Use:
email: z.string().email().optional().meta({ description: "..." })

This would make validation fail earlier and centralize all validation in schemas (following best practices). However, note that this was migrated as-is from the old service, so it's not a regression - just an opportunity for improvement.

---

✅ Everything Else Looks Good

What I verified:

• ✅ Middleware ordering follows CLAUDE.md (scopes first, then resource loading)
• ✅ Type safety with proper context types
• ✅ Password reset code checks !aliasId before using it (line 40 in reset-password.ts) - no race condition
• ✅ All routes have comprehensive test coverage
• ✅ Tests verify INVALID_EMAIL error codes work correctly
• ✅ Documentation properly configured with docsKey and individual route docs
• ✅ Validation schemas include .meta() descriptions
• ✅ Error handling is consistent with proper error codes

No issues found in: security, performance, or test coverage.