bug: Social Connection Identity Linking API Inconsistency

[suin]

Describe the bug

The API endpoint for linking social identities shows inconsistencies between documentation and implementation:

1. Documentation specifies PATCH /api/my-account/identities
2. API returns Allow: POST header and 405 Method Not Allowed for PATCH
3. Using POST method results in 401 Unauthorized with verification_record.permission_denied

This makes it impossible to complete the social connection linking flow.

Expected behavior

Either:

• The API should accept PATCH method as documented, or
• POST method should work properly if that's the intended design

How to reproduce?

1. Request authorization URL:

POST /api/verifications/social
Authorization: Bearer <token>

{
  "connectorId": "github",
  "redirectUri": "http://localhost:3000/callback/github",
  "state": "asdfassdfafasd"
}

→ Returns 201 with verification record ID

2. Complete GitHub OAuth flow and receive callback code

3. Verify the social connection:

POST /api/verifications/social/verify
Authorization: Bearer <token>
{
  "connectorData": {
    "code": "<auth_code>",
    "state": "asdfassdfafasd"
  },
  "verificationRecordId": "<record_id>"
}

→ Returns 200 OK

4. Try to link identity with PATCH (as per documentation):

PATCH /api/my-account/identities
Authorization: Bearer <token>
logto-verification-id: <record_id>
{
  "newIdentifierVerificationRecordId": "<record_id>"
}

→ Returns 405 Method Not Allowed

5. Try with POST (as suggested by Allow header):

POST /api/my-account/identities
Authorization: Bearer <token>
logto-verification-id: <record_id>
{
  "newIdentifierVerificationRecordId": "<record_id>"
}

→ Returns 401 Unauthorized (verification_record.permission_denied)

Context

• Self-hosted, Logto version = v1.23.0
  • Container (Docker image)