Routes using withAuth were creating new unauthenticated PocketBase
clients, causing 404 errors when trying to update records. Modified
withAuth to pass the authenticated pb client to handlers so they can
use it for database operations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added three Garmin API endpoints for token management:
- POST /api/garmin/tokens: Accepts oauth1, oauth2, expires_at;
encrypts tokens using AES-256-GCM; stores in user record;
returns daysUntilExpiry
- DELETE /api/garmin/tokens: Clears encrypted tokens from user
record and sets garminConnected to false
- GET /api/garmin/status: Returns connection status, days until
expiry, expired flag, and warning level (critical ≤7 days,
warning 8-14 days)
All endpoints use withAuth() middleware for authentication.
Added 26 tests covering encryption, validation, auth, and
warning level thresholds.
Also added pb_data/ to .gitignore for PocketBase data.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
