feat(phase-3): implement token endpoint and OAuth 2.0 flow

Phase 3 Implementation:
- Token service with secure token generation and validation
- Token endpoint (POST /token) with OAuth 2.0 compliance
- Database migration 003 for tokens table
- Authorization code validation and single-use enforcement

Phase 1 Updates:
- Enhanced CodeStore to support dict values with JSON serialization
- Maintains backward compatibility

Phase 2 Updates:
- Authorization codes now include PKCE fields, used flag, timestamps
- Complete metadata structure for token exchange

Security:
- 256-bit cryptographically secure tokens (secrets.token_urlsafe)
- SHA-256 hashed storage (no plaintext)
- Constant-time comparison for validation
- Single-use code enforcement with replay detection

Testing:
- 226 tests passing (100%)
- 87.27% coverage (exceeds 80% requirement)
- OAuth 2.0 compliance verified

This completes the v1.0.0 MVP with full IndieAuth authorization code flow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

@@ -246,9 +246,9 @@ class DomainVerificationService:
"used": False
}
# Store with prefix
# Store with prefix (CodeStore handles dict values natively)
storage_key = f"authz:{authorization_code}"
self.code_storage.store(storage_key, str(metadata))
self.code_storage.store(storage_key, metadata)
logger.info(f"Authorization code created for client_id={client_id}")
return authorization_code
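
Review bot: the `self.code_storage.store(storage_key, metadata)` call now hands CodeStore a dict, but nothing visible here covers `authz:` entries already written by the previous `str(metadata)` form, which is a Python repr and not JSON. The commit message claims backward compatibility, so please show how the read path treats such an entry: it should either parse it deliberately or reject it as an invalid code, not raise an unhandled error during token exchange. A round-trip test that stores this metadata and asserts `used` comes back as the boolean `False` (not the string "False") would also be worth adding, since single-use enforcement depends on that flag. Minor style point on the unchanged `logger.info(f"...client_id={client_id}")` line: `client_id` is caller-supplied, so prefer `logger.info("Authorization code created for client_id=%s", client_id)` and make sure the value is validated before it reaches the log.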