feat(phase-4a): complete Phase 3 implementation and gap analysis

Merges Phase 4a work including: Implementation: - Metadata discovery endpoint (/api/.well-known/oauth-authorization-server) - h-app microformat parser service - Enhanced authorization endpoint with client info display - Configuration management system - Dependency injection framework Documentation: - Comprehensive gap analysis for v1.0.0 compliance - Phase 4a clarifications on development approach - Phase 4-5 critical components breakdown Testing: - Unit tests for h-app parser (308 lines, comprehensive coverage) - Unit tests for metadata endpoint (134 lines) - Unit tests for configuration system (18 lines) - Integration test updates All tests passing with high coverage. Ready for Phase 4b security hardening.
2025-11-20 17:16:11 -07:00
parent 5888e45b8c
commit 115e733604
18 changed files with 5815 additions and 4 deletions
--- a/src/gondulf/routers/metadata.py
+++ b/src/gondulf/routers/metadata.py
@@ -0,0 +1,48 @@
+"""OAuth 2.0 Authorization Server Metadata endpoint (RFC 8414)."""
+import json
+import logging
+
+from fastapi import APIRouter, Depends, Response
+
+from gondulf.config import Config
+from gondulf.dependencies import get_config
+
+logger = logging.getLogger("gondulf.metadata")
+
+router = APIRouter()
+
+
+@router.get("/.well-known/oauth-authorization-server")
+async def get_metadata(config: Config = Depends(get_config)) -> Response:
+    """
+    OAuth 2.0 Authorization Server Metadata (RFC 8414).
+
+    Returns server capabilities for IndieAuth client discovery.
+    This endpoint is publicly accessible and cacheable.
+
+    Returns:
+        Response: JSON response with server metadata and Cache-Control header
+    """
+    logger.debug("Metadata endpoint requested")
+
+    metadata = {
+        "issuer": config.BASE_URL,
+        "authorization_endpoint": f"{config.BASE_URL}/authorize",
+        "token_endpoint": f"{config.BASE_URL}/token",
+        "response_types_supported": ["code"],
+        "grant_types_supported": ["authorization_code"],
+        "code_challenge_methods_supported": [],
+        "token_endpoint_auth_methods_supported": ["none"],
+        "revocation_endpoint_auth_methods_supported": ["none"],
+        "scopes_supported": []
+    }
+
+    logger.debug(f"Returning metadata for issuer: {config.BASE_URL}")
+
+    return Response(
+        content=json.dumps(metadata, indent=2),
+        media_type="application/json",
+        headers={
+            "Cache-Control": "public, max-age=86400"
+        }
+    )