feat: Implement all authentication compliance phases

src/lib/identityService.ts

@@ -223,6 +223,76 @@ export async function connectIdentity(
   }
 }
 
+/**
+ * Link an OAuth identity to the logged-in user's account (Manual Linking)
+ * Requires user to be authenticated
+ */
+export async function linkOAuthIdentity(
+  provider: OAuthProvider
+): Promise<IdentityOperationResult> {
+  try {
+    const { data, error } = await supabase.auth.linkIdentity({ 
+      provider 
+    });
+    
+    if (error) throw error;
+    
+    // Log audit event
+    const { data: { user } } = await supabase.auth.getUser();
+    if (user) {
+      await logIdentityChange(user.id, 'identity_linked', { 
+        provider,
+        method: 'manual',
+        timestamp: new Date().toISOString()
+      });
+    }
+    
+    return { success: true };
+  } catch (error) {
+    const errorMsg = getErrorMessage(error);
+    logger.error('Failed to link identity', {
+      action: 'identity_link',
+      provider,
+      error: errorMsg
+    });
+    return {
+      success: false,
+      error: errorMsg
+    };
+  }
+}
+
+/**
+ * Log when automatic identity linking occurs
+ * Called internally when Supabase automatically links identities
+ */
+export async function logAutomaticIdentityLinking(
+  userId: string,
+  provider: OAuthProvider,
+  email: string
+): Promise<void> {
+  try {
+    await logIdentityChange(userId, 'identity_auto_linked', {
+      provider,
+      email,
+      method: 'automatic',
+      timestamp: new Date().toISOString()
+    });
+    
+    logger.info('Automatic identity linking logged', {
+      userId,
+      provider,
+      action: 'identity_auto_linked'
+    });
+  } catch (error) {
+    logger.error('Failed to log automatic identity linking', {
+      userId,
+      provider,
+      error: getErrorMessage(error)
+    });
+  }
+}
+
 
 /**
  * Add password authentication to an OAuth-only account