feat(phase-4a): complete Phase 3 implementation and gap analysis

Merges Phase 4a work including: Implementation: - Metadata discovery endpoint (/api/.well-known/oauth-authorization-server) - h-app microformat parser service - Enhanced authorization endpoint with client info display - Configuration management system - Dependency injection framework Documentation: - Comprehensive gap analysis for v1.0.0 compliance - Phase 4a clarifications on development approach - Phase 4-5 critical components breakdown Testing: - Unit tests for h-app parser (308 lines, comprehensive coverage) - Unit tests for metadata endpoint (134 lines) - Unit tests for configuration system (18 lines) - Integration test updates All tests passing with high coverage. Ready for Phase 4b security hardening.
2025-11-20 17:16:11 -07:00
parent 5888e45b8c
commit 115e733604
18 changed files with 5815 additions and 4 deletions
--- a/src/gondulf/config.py
+++ b/src/gondulf/config.py
@@ -24,6 +24,7 @@ class Config:

    # Required settings - no defaults
    SECRET_KEY: str
+    BASE_URL: str

    # Database
    DATABASE_URL: str
@@ -69,6 +70,16 @@ class Config:
            )
        cls.SECRET_KEY = secret_key

+        # Required - BASE_URL must exist for OAuth metadata
+        base_url = os.getenv("GONDULF_BASE_URL")
+        if not base_url:
+            raise ConfigurationError(
+                "GONDULF_BASE_URL is required for OAuth 2.0 metadata endpoint. "
+                "Examples: https://auth.example.com or http://localhost:8000 (development only)"
+            )
+        # Normalize: remove trailing slash if present
+        cls.BASE_URL = base_url.rstrip("/")
+
        # Database - with sensible default
        cls.DATABASE_URL = os.getenv(
            "GONDULF_DATABASE_URL", "sqlite:///./data/gondulf.db"
@@ -110,6 +121,21 @@ class Config:

        Performs additional validation beyond initial loading.
        """
+        # Validate BASE_URL is a valid URL
+        if not cls.BASE_URL.startswith(("http://", "https://")):
+            raise ConfigurationError(
+                "GONDULF_BASE_URL must start with http:// or https://"
+            )
+
+        # Warn if using http:// in production-like settings
+        if cls.BASE_URL.startswith("http://") and "localhost" not in cls.BASE_URL:
+            import warnings
+            warnings.warn(
+                "GONDULF_BASE_URL uses http:// for non-localhost domain. "
+                "HTTPS is required for production IndieAuth servers.",
+                UserWarning
+            )
+
        # Validate SMTP port is reasonable
        if cls.SMTP_PORT < 1 or cls.SMTP_PORT > 65535:
            raise ConfigurationError(