phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge Phase 1: Foundation and Initial Server Setup

Browse Source 
Merge feature/phase-1-foundation into master.

Phase 1 Components Completed:
- FastAPI application structure with Jinja2 templates
- SQLite database with migration system (002-domains.sql ready)
- Comprehensive test suite (pytest, 80%+ coverage)
- Security headers middleware
- SMTP email service
- Configuration management (environment-based)
- Development tooling (uvicorn, pytest, coverage)
- Complete documentation (standards, architecture, designs, ADRs)
- Phase 2 design and implementation guide

All Phase 1 gates passed:
- Architect approval: APPROVED
- Test coverage: 80%+
- Code quality: Standards compliant
- Documentation: Complete

Ready for Phase 2: Domain Verification Implementation

Generated with Claude Code https://claude.com/claude-code

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-20 13:05:40 -07:00
parent 7255867fde 6f06aebf40
commit 4c58cd510a
45 changed files with 13329 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
.claude/agents/architect.md
View File

@@ -25,6 +25,14 @@ When you find yourself designing something complex, step back and reconsider. Th
You must ensure this implementation fully adheres to the W3C IndieAuth specification. The specification is your primary source of truth: You must ensure this implementation fully adheres to the W3C IndieAuth specification. The specification is your primary source of truth:
- **Required Reading**: https://www.w3.org/TR/indieauth/ - **Required Reading**: https://www.w3.org/TR/indieauth/
- **Reference Implementation**: https://github.com/aaronpk/indielogin.com (PHP) - **Reference Implementation**: https://github.com/aaronpk/indielogin.com (PHP)
- **Local Reference Copy**: `/home/phil/Projects/indielogin.com` - READ ONLY for study purposes
**Using the Reference Implementation**:
- You MAY read files in `/home/phil/Projects/indielogin.com` to understand how IndieLogin implements specific features
- Use it to clarify ambiguous specification points
- Learn from its security patterns and approaches
- Adapt patterns to Python/FastAPI (don't copy PHP directly)
- **CRITICAL**: This directory is STRICTLY READ-ONLY - you may never modify, write, or change anything in it
When the specification is ambiguous, consult the reference implementation and document your interpretation as an Architecture Decision Record (ADR). When the specification is ambiguous, consult the reference implementation and document your interpretation as an Architecture Decision Record (ADR).
@@ -221,11 +229,17 @@ Update the roadmap and backlog based on learnings from implementation.
8. Signal to coordinator: "ARCHITECTURE FOUNDATION COMPLETE" 8. Signal to coordinator: "ARCHITECTURE FOUNDATION COMPLETE"
### Phase 2: Feature Design (Repeated for Each Feature) ### Phase 2: Feature Design (Repeated for Each Feature)
1. Select next feature from roadmap 1. **MANDATORY: Review all existing documentation** in `/docs/` before designing:
2. Create detailed design in `/docs/designs/[feature-name].md` - Read all files in `/docs/standards/` to understand project conventions
3. Create any necessary ADRs for design decisions - Read all files in `/docs/architecture/` to understand system design
4. Ensure design is complete and unambiguous - Read all files in `/docs/decisions/` to understand past ADRs
5. Signal to Developer: "DESIGN READY: [feature name] - Please review /docs/designs/[feature-name].md" - Read all files in `/docs/designs/` to understand existing feature designs
- This ensures consistency and prevents contradictory designs
2. Select next feature from roadmap
3. Create detailed design in `/docs/designs/[feature-name].md`
4. Create any necessary ADRs for design decisions
5. Ensure design is complete and unambiguous
6. Signal to Developer: "DESIGN READY: [feature name] - Please review /docs/designs/[feature-name].md"
### Phase 3: Review & Iteration (After Each Implementation) ### Phase 3: Review & Iteration (After Each Implementation)
1. Read Developer's implementation report 1. Read Developer's implementation report
@@ -236,6 +250,21 @@ Update the roadmap and backlog based on learnings from implementation.
## Critical Constraints ## Critical Constraints
### You ALWAYS Review Existing Documentation Before Designing
Before creating any new design document, you MUST review ALL existing documentation in `/docs/`:
- All standards in `/docs/standards/`
- All architecture documents in `/docs/architecture/`
- All ADRs in `/docs/decisions/`
- All existing designs in `/docs/designs/`
This is **non-negotiable**. Failing to review existing documentation leads to:
- Inconsistent design decisions
- Contradictory architectural patterns
- Duplicated effort
- Confusion for the Developer
You must demonstrate familiarity with existing documentation in your new designs by referencing relevant prior decisions and standards.
### You NEVER Write Implementation Code ### You NEVER Write Implementation Code
Your role is design and architecture. If you find yourself writing actual implementation code, stop immediately. Create a design document instead and let the Developer implement it. Your role is design and architecture. If you find yourself writing actual implementation code, stop immediately. Create a design document instead and let the Developer implement it.

40
.claude/agents/developer.md
View File

@@ -121,7 +121,9 @@ Your implementation reports must include:
### 4. Create Implementation Reports ### 4. Create Implementation Reports
After completing each feature, create a report in `/docs/reports/YYYY-MM-DD-feature-name.md`: **MANDATORY FOR ALL WORK**: After completing ANY implementation work (features, refactoring, infrastructure, project setup, bug fixes, etc.), you MUST create a report in `/docs/reports/YYYY-MM-DD-description.md`.
Implementation reports are NOT optional and are NOT limited to "features only." Every piece of implementation work requires a report for the Architect to review.
**Required report structure**: **Required report structure**:
@@ -292,11 +294,12 @@ Wait for Architect's responses.
3. Run tests and achieve coverage targets 3. Run tests and achieve coverage targets
4. Fix any test failures 4. Fix any test failures
### Step 6: Document Implementation ### Step 6: Document Implementation (MANDATORY)
1. Create implementation report in `/docs/reports/` 1. **ALWAYS** create implementation report in `/docs/reports/YYYY-MM-DD-description.md`
2. Be thorough and honest 2. This is required for ALL work - features, setup, infrastructure, bug fixes, everything
3. Include all required sections 3. Be thorough and honest
4. Include test results and coverage metrics 4. Include all required sections
5. Include test results and coverage metrics (or verification results for non-code work)
### Step 7: Signal Completion ### Step 7: Signal Completion
Signal "IMPLEMENTATION COMPLETE" to Architect. Signal "IMPLEMENTATION COMPLETE" to Architect.
@@ -325,6 +328,17 @@ Tests are mandatory:
No excuses. Test your code. No excuses. Test your code.
### You NEVER Skip Implementation Reports
Implementation reports are mandatory for ALL work:
- Features require reports
- Infrastructure setup requires reports
- Bug fixes require reports
- Refactoring requires reports
- Project initialization requires reports
- ANY code or configuration work requires a report
No exceptions. The Architect must review all work through implementation reports.
### You NEVER Proceed with Ambiguity ### You NEVER Proceed with Ambiguity
If the design is unclear: If the design is unclear:
- Stop immediately - Stop immediately
@@ -375,6 +389,15 @@ You are implementing a W3C IndieAuth server. Key awareness:
- W3C IndieAuth specification: https://www.w3.org/TR/indieauth/ - W3C IndieAuth specification: https://www.w3.org/TR/indieauth/
- Reference implementation: https://github.com/aaronpk/indielogin.com - Reference implementation: https://github.com/aaronpk/indielogin.com
**CRITICAL - Reference Implementation Directory**:
- There is a directory at `/home/phil/Projects/indielogin.com` containing a PHP reference implementation
- **YOU MUST COMPLETELY IGNORE THIS DIRECTORY**
- Never read from it, never reference it, never use it
- Do not search for code in it, do not look at its structure
- The Architect will study it and incorporate learnings into designs
- Your job is to implement the Architect's designs, not to study PHP code
- **NEVER access `/home/phil/Projects/indielogin.com` for any reason**
You are not expected to know the entire specification by heart - the Architect's designs will guide you. But you should understand you're implementing an authentication/authorization protocol where correctness and security are paramount. You are not expected to know the entire specification by heart - the Architect's designs will guide you. But you should understand you're implementing an authentication/authorization protocol where correctness and security are paramount.
### Simplicity is Key ### Simplicity is Key
@@ -464,8 +487,9 @@ Your role is to transform designs into working, tested code. You are not here to
1. **Ask when uncertain** - clarity beats speed 1. **Ask when uncertain** - clarity beats speed
2. **Test thoroughly** - tests prove correctness 2. **Test thoroughly** - tests prove correctness
3. **Report honestly** - transparency enables improvement 3. **Report ALWAYS** - every piece of work requires an implementation report for Architect review
4. **Implement faithfully** - the design is your blueprint 4. **Report honestly** - transparency enables improvement
5. **Implement faithfully** - the design is your blueprint
When you complete a feature and the Architect approves it, that's success. When you catch a design issue before implementing it, that's success. When your tests prevent a bug from reaching production, that's success. When you complete a feature and the Architect approves it, that's success. When you catch a design issue before implementing it, that's success. When your tests prevent a bug from reaching production, that's success.

32
.env.example Normal file
View File

@@ -0,0 +1,32 @@
# Gondulf IndieAuth Server Configuration
# Copy this file to .env and fill in your values
# REQUIRED - Secret key for cryptographic operations
# Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))"
GONDULF_SECRET_KEY=
# Database Configuration
# Default: sqlite:///./data/gondulf.db (relative to working directory)
# Production example: sqlite:////var/lib/gondulf/gondulf.db
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
# SMTP Configuration for Email Verification
# Use port 587 with STARTTLS (most common) or port 465 for implicit TLS
GONDULF_SMTP_HOST=localhost
GONDULF_SMTP_PORT=587
GONDULF_SMTP_USERNAME=
GONDULF_SMTP_PASSWORD=
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
# Token and Code Expiry (in seconds)
# GONDULF_TOKEN_EXPIRY: How long access tokens are valid (default: 3600 = 1 hour)
# GONDULF_CODE_EXPIRY: How long authorization/verification codes are valid (default: 600 = 10 minutes)
GONDULF_TOKEN_EXPIRY=3600
GONDULF_CODE_EXPIRY=600
# Logging Configuration
# LOG_LEVEL: DEBUG, INFO, WARNING, ERROR, CRITICAL
# DEBUG: Enable debug mode (sets LOG_LEVEL to DEBUG if not specified)
GONDULF_LOG_LEVEL=INFO
GONDULF_DEBUG=false

3
CLAUDE.md
View File

@@ -18,6 +18,9 @@ This implementation prioritizes client self-registration capability, providing a
### Reference Materials ### Reference Materials
- **Primary Specification**: W3C IndieAuth (https://www.w3.org/TR/indieauth/) - **Primary Specification**: W3C IndieAuth (https://www.w3.org/TR/indieauth/)
- **Reference Implementation**: Aaron Parecki's IndieLogin (https://github.com/aaronpk/indielogin.com) in PHP - **Reference Implementation**: Aaron Parecki's IndieLogin (https://github.com/aaronpk/indielogin.com) in PHP
- **Local Reference Copy**: `/home/phil/Projects/indielogin.com` - **READ ONLY** - No agent or subagent may modify this directory
**IMPORTANT**: The `/home/phil/Projects/indielogin.com` directory contains a PHP reference implementation for study purposes only. This directory is STRICTLY READ-ONLY. No modifications, writes, or changes of any kind are permitted by any agent or subagent.
### Architecture ### Architecture
- **Admin Model**: Single administrator - **Admin Model**: Single administrator

135
docs/CLARIFICATIONS-ANSWERED.md Normal file
View File

@@ -0,0 +1,135 @@
# Phase 2 Clarifications - Architect's Responses
**Date**: 2024-11-20
**Status**: All 23 questions answered
**Developer Action**: Proceed with implementation
## Overview
The Architect has provided complete answers to all 8 categories (23 specific questions) raised by the Developer. This document provides a quick reference to the decisions made.
**Full Details**: See `/docs/designs/phase-2-implementation-guide.md` for complete implementation specifications.
**Architectural Decision Record**: See `/docs/decisions/0004-phase-2-implementation-decisions.md` for rationale and consequences.
## Quick Reference Answers
### 1. Rate Limiting Implementation
**Q: Should actual rate limiting be implemented or leave as stubs?**
- A: Implement actual rate limiting with in-memory storage
**Q: Should metadata storage use CodeStorage?**
- A: No, use simple dictionary in RateLimiter service instance
**Q: Should "Max 3 codes per domain per hour" be implemented?**
- A: Yes, with timestamp list tracking and automatic cleanup
### 2. Authorization Code Metadata Structure
**Q: Should storage include 'used' field in Phase 2?**
- A: Yes, include now (set to False, consume in Phase 3)
**Q: Use Phase 1's CodeStorage or separate storage?**
- A: Reuse Phase 1's CodeStorage with key prefix `authz:`
**Q: Store datetime objects or epoch integers?**
- A: Epoch integers (simpler)
### 3. HTML Template Implementation
**Q: Use Jinja2 or plain Python f-strings?**
- A: Use Jinja2 templates
**Q: Where should template files be located?**
- A: `src/gondulf/templates/`
**Q: Reusable layout templates or self-contained?**
- A: Reusable `base.html` with template inheritance
**Q: Template files vs inline HTML?**
- A: Separate template files
### 4. Database Migration Timing
**Q: Apply migration 002 as part of Phase 2?**
- A: Yes, apply immediately before Phase 2 implementation
**Q: Is migration necessary since Phase 1 doesn't write to domains?**
- A: Yes, keeps schema current with code expectations
**Q: Should new code use 'two_factor' immediately?**
- A: Yes, assume column exists (migration handles it)
### 5. Client Validation Helper Functions
**Q: Implement as standalone functions or methods on helper class?**
- A: Standalone functions in `src/gondulf/utils/validation.py`
**Q: Create shared utility module?**
- A: Yes, `gondulf.utils.validation` module
**Q: Full subdomain validation now or stub for Phase 3?**
- A: Full validation now (security should be complete)
### 6. Error Response Format Consistency
**Q: Should verification endpoints return JSON (200 OK with success:false)?**
- A: Yes, always JSON with 200 OK
**Q: Should authorization endpoint errors return HTML or redirects?**
- A: Depends on validation stage:
- Pre-client validation: HTML error page
- Post-client validation: OAuth redirect with error
**Q: When to use HTML vs OAuth redirect errors?**
- A: See decision tree in implementation guide
### 7. Dependency Injection Pattern
**Q: Create dependencies.py module?**
- A: Yes, `src/gondulf/dependencies.py`
**Q: Services instantiated at startup (singleton) or per-request?**
- A: Singleton at startup using `@lru_cache()`
**Q: Configuration passed at instantiation or read each time?**
- A: Read at instantiation (services configured once)
### 8. Test Organization for Authorization Endpoint
**Q: Separate test files per router?**
- A: Yes:
- `test_verification_endpoints.py`
- `test_authorization_endpoint.py`
**Q: Test sub-endpoints separately or as part of full flow?**
- A: Test complete flows (black box testing)
**Q: Shared fixtures for common scenarios?**
- A: Yes, use `tests/conftest.py` for shared fixtures
## Implementation Priority
All decisions are final and ready for implementation. The Developer should:
1. **Read** `/docs/designs/phase-2-implementation-guide.md` thoroughly
2. **Review** code examples and patterns provided
3. **Apply** migration 002 before starting implementation
4. **Implement** following the exact patterns specified
5. **Ask** additional questions ONLY if new ambiguities arise
## Architect's Guiding Principles
Every decision made reflects these core values:
- **Simplicity**: Real implementations using simple patterns
- **Reuse**: Leverage Phase 1 infrastructure where possible
- **Standards**: Use established tools (Jinja2, FastAPI patterns)
- **Clarity**: Explicit structures over implicit behavior
- **Security**: Complete security features, not stubs
## Status
**DESIGN READY: Phase 2 Implementation - All clarifications resolved**
Developer: Please proceed with implementation following the patterns in the implementation guide.

688
docs/architecture/indieauth-protocol.md Normal file
View File

@@ -0,0 +1,688 @@
# IndieAuth Protocol Implementation
## Specification Compliance
This document describes Gondulf's implementation of the W3C IndieAuth specification.
**Primary Reference**: https://www.w3.org/TR/indieauth/
**Reference Implementation**: https://github.com/aaronpk/indielogin.com
**Compliance Target**: Any compliant IndieAuth client MUST be able to authenticate successfully against Gondulf.
## Protocol Overview
IndieAuth is built on OAuth 2.0, extending it to enable decentralized authentication where users are identified by URLs (typically their own domain) rather than accounts on centralized services.
### Core Principle
Users prove ownership of a domain, and that domain becomes their identity. No usernames, no passwords stored by the server.
### IndieAuth vs OAuth 2.0
**Similarities**:
- Authorization code flow
- Token endpoint for code exchange
- State parameter for CSRF protection
- Redirect-based flow
**Differences**:
- User identity is a URL (`me` parameter), not an opaque user ID
- No client secrets (all clients are "public clients")
- Client IDs are URLs that must be fetchable
- Domain ownership verification instead of password authentication
## v1.0.0 Scope
Gondulf v1.0.0 implements **authentication only** (not authorization):
- Users can prove they own a domain
- Tokens are issued but carry no permissions (scope)
- Client applications can verify user identity
- NO resource server capabilities
- NO scope-based authorization
**Future versions** will add:
- Authorization with scopes
- Token refresh
- Token revocation
- Resource server capabilities
## Endpoints
### Discovery Endpoint (Optional)
**URL**: `/.well-known/oauth-authorization-server`
**Purpose**: Advertise server capabilities and endpoints per RFC 8414.
**Response** (JSON):
```json
{
"issuer": "https://auth.example.com",
"authorization_endpoint": "https://auth.example.com/authorize",
"token_endpoint": "https://auth.example.com/token",
"response_types_supported": ["code"],
"grant_types_supported": ["authorization_code"],
"code_challenge_methods_supported": ["S256"],
"token_endpoint_auth_methods_supported": ["none"]
}
```
**Implementation Notes**:
- Optional for v1.0.0 but recommended
- FastAPI endpoint: `GET /.well-known/oauth-authorization-server`
- Static response (no database access)
- Cache-Control: public, max-age=86400
### Authorization Endpoint
**URL**: `/authorize`
**Method**: GET
**Purpose**: Initiate authentication flow
#### Required Parameters
| Parameter | Description | Validation |
|-----------|-------------|------------|
| `me` | User's domain/URL | Must be valid URL, no fragments/credentials/ports |
| `client_id` | Client application URL | Must be valid URL, must be fetchable |
| `redirect_uri` | Where to send user after auth | Must be valid URL, must match client_id domain OR be registered |
| `state` | CSRF protection token | Required, opaque string, returned unchanged |
| `response_type` | Must be `code` | Exactly `code` for auth code flow |
#### Optional Parameters (v1.0.0)
| Parameter | Description | v1.0.0 Behavior |
|-----------|-------------|-----------------|
| `scope` | Requested permissions | Ignored (authentication only) |
| `code_challenge` | PKCE challenge | NOT supported in v1.0.0 |
| `code_challenge_method` | PKCE method | NOT supported in v1.0.0 |
**PKCE Decision**: Deferred to post-v1.0.0 to maintain MVP simplicity. See ADR-003.
#### Request Validation Sequence
1. **Validate `response_type`**
- MUST be exactly `code`
- Error: `unsupported_response_type`
2. **Validate `me` parameter**
- Must be a valid URL
- Must NOT contain fragment (#)
- Must NOT contain credentials (user:pass@)
- Must NOT contain port (except :443 for HTTPS)
- Must NOT be an IP address
- Normalize: lowercase domain, remove trailing slash
- Error: `invalid_request` with description
3. **Validate `client_id`**
- Must be a valid URL
- Must contain a domain component (not localhost in production)
- Fetch client_id URL to retrieve app info (see Client Validation)
- Error: `invalid_client` with description
4. **Validate `redirect_uri`**
- Must be a valid URL
- Must use HTTPS in production (HTTP allowed for localhost)
- If domain differs from client_id domain:
- Must match client_id subdomain pattern, OR
- Must be registered in client metadata (future), OR
- Display warning to user
- Error: `invalid_request` with description
5. **Validate `state`**
- Must be present
- Must be non-empty string
- Store for verification (not used server-side, returned to client)
- Error: `invalid_request` with description
#### Client Validation
When `client_id` is provided, fetch the URL to retrieve application information:
**HTTP Request**:
```
GET https://client.example.com/
Accept: text/html
```
**Extract Application Info**:
- Look for `h-app` microformat in HTML
- Extract: app name, icon, URL
- Extract registered redirect URIs from `<link rel="redirect_uri">` tags
- Cache result for 24 hours
**Fallback**:
- If no h-app found, use domain name as app name
- If no icon, use generic icon
- If no redirect URIs registered, rely on domain matching
**Security**:
- Follow redirects (max 5)
- Timeout after 5 seconds
- Validate SSL certificates
- Reject non-200 responses
- Log client_id fetch failures
#### Authentication Flow (v1.0.0: Two-Factor Domain Verification)
1. **DNS TXT Record Verification (Required)**
- Check if `me` domain has TXT record: `_gondulf.{domain}` = `verified`
- Query multiple DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1)
- Require consensus from at least 2 resolvers
- If not found: Display error with instructions to add TXT record
- If found: Proceed to email discovery
- Proves: User controls DNS for the domain
2. **Email Discovery via rel="me" (Required)**
- Fetch user's domain homepage (e.g., https://example.com)
- Parse HTML for `<link rel="me" href="mailto:user@example.com">` or `<a rel="me" href="mailto:user@example.com">`
- Extract email address from first matching mailto: link
- If not found: Display error with instructions to add rel="me" link
- If found: Proceed to email verification
- Proves: User has published email relationship on their site
- Reference: https://indieweb.org/rel-me
3. **Email Verification Code (Required)**
- Generate 6-digit verification code (cryptographically random)
- Store code in memory with 15-minute TTL
- Send code to discovered email address via SMTP
- Display code entry form showing discovered email (partially masked)
- User enters 6-digit code
- Validate code matches and hasn't expired (max 3 attempts)
- Proves: User controls the email account
- Mark domain as verified (store in database)
4. **User Consent**
- Display authorization prompt:
- "Sign in to [App Name] as [me]"
- Show client_id full URL
- Show redirect_uri if different domain
- Show scope (future)
- User approves or denies
5. **Authorization Code Generation**
- Generate cryptographically secure code (32 bytes, base64url)
- Store code in memory with 10-minute TTL
- Store associated data:
- `me` (user's domain)
- `client_id`
- `redirect_uri`
- `state`
- Timestamp
- Code is single-use only
6. **Redirect to Client**
```
HTTP/1.1 302 Found
Location: {redirect_uri}?code={code}&state={state}
```
**Security Model**: Two-factor verification requires BOTH DNS control AND email control. An attacker would need to compromise both to authenticate fraudulently.
#### Error Responses
Return error via redirect when possible:
```
HTTP/1.1 302 Found
Location: {redirect_uri}?error={error}&error_description={description}&state={state}
```
**Error Codes** (OAuth 2.0 standard):
- `invalid_request` - Malformed request
- `unauthorized_client` - Client not authorized
- `access_denied` - User denied authorization
- `unsupported_response_type` - response_type not `code`
- `invalid_scope` - Invalid scope requested (future)
- `server_error` - Internal server error
- `temporarily_unavailable` - Server temporarily unavailable
When redirect not possible (invalid redirect_uri), display error page.
### Token Endpoint
**URL**: `/token`
**Method**: POST
**Content-Type**: `application/x-www-form-urlencoded`
**Purpose**: Exchange authorization code for access token
#### Required Parameters
| Parameter | Description | Validation |
|-----------|-------------|------------|
| `grant_type` | Must be `authorization_code` | Exactly `authorization_code` |
| `code` | Authorization code from /authorize | Must be valid, unexpired, unused |
| `client_id` | Client application URL | Must match code's client_id |
| `redirect_uri` | Original redirect URI | Must match code's redirect_uri |
| `me` | User's domain | Must match code's me |
#### Request Validation Sequence
1. **Validate `grant_type`**
- MUST be `authorization_code`
- Error: `unsupported_grant_type`
2. **Validate `code`**
- Must exist in storage
- Must not have expired (10-minute TTL)
- Must not have been used already
- Mark as used immediately
- Error: `invalid_grant`
3. **Validate `client_id`**
- Must match the client_id associated with code
- Error: `invalid_client`
4. **Validate `redirect_uri`**
- Must exactly match the redirect_uri from authorization request
- Error: `invalid_grant`
5. **Validate `me`**
- Must exactly match the me from authorization request
- Error: `invalid_request`
#### Token Generation
**v1.0.0 Implementation: Opaque Tokens**
```python
import secrets
import hashlib
from datetime import datetime, timedelta
# Generate token
token = secrets.token_urlsafe(32) # 256 bits
# Store in database
token_record = {
"token_hash": hashlib.sha256(token.encode()).hexdigest(),
"me": me,
"client_id": client_id,
"scope": "", # Empty for authentication-only
"issued_at": datetime.utcnow(),
"expires_at": datetime.utcnow() + timedelta(hours=1)
}
```
**Why Opaque Tokens in v1.0.0**:
- Simpler than JWT (no signing, no key rotation)
- Easier to revoke (database lookup)
- Sufficient for authentication-only use case
- Can migrate to JWT in future versions
**Token Properties**:
- Length: 43 characters (base64url of 32 bytes)
- Entropy: 256 bits (cryptographically secure)
- Storage: SHA-256 hash in database
- Expiration: 1 hour (configurable)
- Revocable: Delete from database
#### Success Response
**HTTP 200 OK**:
```json
{
"access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"token_type": "Bearer",
"me": "https://example.com",
"scope": ""
}
```
**Response Fields**:
- `access_token`: The opaque token (43 characters)
- `token_type`: Always `Bearer`
- `me`: User's canonical domain URL (normalized)
- `scope`: Empty string for authentication-only (future: space-separated scopes)
**Headers**:
```
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
```
#### Error Responses
**HTTP 400 Bad Request**:
```json
{
"error": "invalid_grant",
"error_description": "Authorization code has expired"
}
```
**Error Codes** (OAuth 2.0 standard):
- `invalid_request` - Missing or invalid parameters
- `invalid_client` - Client authentication failed
- `invalid_grant` - Invalid or expired authorization code
- `unauthorized_client` - Client not authorized for grant type
- `unsupported_grant_type` - Grant type not `authorization_code`
### Token Verification Endpoint (Future)
**URL**: `/token/verify`
**Method**: GET
**Purpose**: Verify token validity (for resource servers)
**NOT implemented in v1.0.0** (authentication only, no resource servers).
Future implementation:
```
GET /token/verify
Authorization: Bearer {token}
Response 200 OK:
{
"me": "https://example.com",
"client_id": "https://client.example.com",
"scope": ""
}
```
### Token Revocation Endpoint (Future)
**URL**: `/token/revoke`
**Method**: POST
**Purpose**: Revoke access token
**NOT implemented in v1.0.0**.
Future implementation per RFC 7009.
## Data Models
### Authorization Code (In-Memory)
```python
{
"code": "abc123...", # 43-char base64url
"me": "https://example.com",
"client_id": "https://client.example.com",
"redirect_uri": "https://client.example.com/callback",
"state": "client-provided-state",
"created_at": datetime,
"expires_at": datetime, # created_at + 10 minutes
"used": False
}
```
**Storage**: Python dict with TTL management
**Expiration**: 10 minutes (per spec: "shortly after")
**Single-use**: Marked as used after redemption
**Cleanup**: Automatic expiration via TTL
### Email Verification Code (In-Memory)
```python
{
"email": "admin@example.com", # Discovered from rel="me", not user-provided
"code": "123456", # 6-digit string
"domain": "example.com",
"created_at": datetime,
"expires_at": datetime, # created_at + 15 minutes
"attempts": 0 # Rate limiting (max 3 attempts)
}
```
**Storage**: Python dict with TTL management
**Email Source**: Discovered from site's rel="me" link (not user input)
**Expiration**: 15 minutes
**Rate Limiting**: Max 3 attempts per email, max 3 codes per domain per hour
**Cleanup**: Automatic expiration via TTL
### Access Token (SQLite)
```sql
CREATE TABLE tokens (
id INTEGER PRIMARY KEY AUTOINCREMENT,
token_hash TEXT NOT NULL UNIQUE, -- SHA-256 hash
me TEXT NOT NULL,
client_id TEXT NOT NULL,
scope TEXT NOT NULL, -- Empty string for v1.0.0
issued_at TIMESTAMP NOT NULL,
expires_at TIMESTAMP NOT NULL,
revoked BOOLEAN DEFAULT 0,
INDEX idx_token_hash (token_hash),
INDEX idx_me (me),
INDEX idx_expires_at (expires_at)
);
```
**Lookup**: By token_hash (constant-time comparison)
**Expiration**: 1 hour default (configurable)
**Revocation**: Set `revoked = 1` (future feature)
**Cleanup**: Periodic deletion of expired tokens
### Verified Domain (SQLite)
```sql
CREATE TABLE domains (
id INTEGER PRIMARY KEY AUTOINCREMENT,
domain TEXT NOT NULL UNIQUE,
verification_method TEXT NOT NULL, -- 'two_factor' (DNS + Email)
verified_at TIMESTAMP NOT NULL,
last_dns_check TIMESTAMP,
dns_txt_valid BOOLEAN DEFAULT 0,
last_email_check TIMESTAMP,
INDEX idx_domain (domain)
);
```
**Purpose**: Cache domain ownership verification
**Verification Method**: Always 'two_factor' in v1.0.0 (DNS TXT + Email via rel="me")
**DNS TXT**: Re-verified periodically (daily check)
**Email**: NOT stored (only verification timestamp recorded)
**Re-verification**: DNS checked periodically, email re-verified on each login
**Cleanup**: Optional (admin decision)
## Security Considerations
### URL Validation
**Critical**: Prevent open redirect and phishing attacks.
**`me` Validation**:
```python
from urllib.parse import urlparse
def validate_me(me: str) -> tuple[bool, str, str]:
"""
Validate me parameter.
Returns: (valid, normalized_me, error_message)
"""
parsed = urlparse(me)
# Must have scheme and netloc
if not parsed.scheme or not parsed.netloc:
return False, "", "me must be a complete URL"
# Must be HTTP or HTTPS
if parsed.scheme not in ['http', 'https']:
return False, "", "me must use http or https"
# No fragments
if parsed.fragment:
return False, "", "me must not contain fragment"
# No credentials
if parsed.username or parsed.password:
return False, "", "me must not contain credentials"
# No ports (except default)
if parsed.port and not (parsed.port == 443 and parsed.scheme == 'https'):
return False, "", "me must not contain non-standard port"
# No IP addresses
import ipaddress
try:
ipaddress.ip_address(parsed.netloc)
return False, "", "me must be a domain, not IP address"
except ValueError:
pass # Good, not an IP
# Normalize
domain = parsed.netloc.lower()
path = parsed.path.rstrip('/')
normalized = f"{parsed.scheme}://{domain}{path}"
return True, normalized, ""
```
**`redirect_uri` Validation**:
```python
def validate_redirect_uri(redirect_uri: str, client_id: str) -> tuple[bool, str]:
"""
Validate redirect_uri against client_id.
Returns: (valid, error_message)
"""
parsed_redirect = urlparse(redirect_uri)
parsed_client = urlparse(client_id)
# Must be valid URL
if not parsed_redirect.scheme or not parsed_redirect.netloc:
return False, "redirect_uri must be a complete URL"
# Must be HTTPS in production (allow HTTP for localhost)
if not DEBUG:
if parsed_redirect.scheme != 'https':
if parsed_redirect.netloc != 'localhost':
return False, "redirect_uri must use HTTPS"
redirect_domain = parsed_redirect.netloc.lower()
client_domain = parsed_client.netloc.lower()
# Same domain: OK
if redirect_domain == client_domain:
return True, ""
# Subdomain of client domain: OK
if redirect_domain.endswith('.' + client_domain):
return True, ""
# Different domain: Check if registered (future)
# For v1.0.0: Display warning to user
return True, "warning: redirect_uri domain differs from client_id"
```
### Constant-Time Comparison
Prevent timing attacks on token verification:
```python
import secrets
def verify_token(provided_token: str, stored_hash: str) -> bool:
"""
Verify token using constant-time comparison.
"""
import hashlib
provided_hash = hashlib.sha256(provided_token.encode()).hexdigest()
return secrets.compare_digest(provided_hash, stored_hash)
```
### CSRF Protection
**State Parameter**:
- Client generates unguessable state
- Server returns state unchanged
- Client verifies state matches
- Server does NOT validate state (client's responsibility)
### HTTPS Enforcement
**Production Requirements**:
- All endpoints MUST use HTTPS
- HTTP allowed only for localhost in development
- HSTS header recommended: `Strict-Transport-Security: max-age=31536000`
### Rate Limiting (Future)
**v1.0.0**: Not implemented (acceptable for small deployments).
**Future versions**:
- Authorization requests: 10/minute per IP
- Token requests: 30/minute per client_id
- Email codes: 3/hour per email
- Failed verifications: 5/hour per IP
## Protocol Deviations
### Intentional Deviations from W3C Spec
**ADR-003**: PKCE deferred to post-v1.0.0
- **Reason**: Simplicity for MVP, small user base, HTTPS mitigates risk
- **Impact**: Slightly less secure against code interception
- **Mitigation**: Enforce HTTPS, short code TTL (10 minutes)
- **Upgrade Path**: Add PKCE in v1.1.0 without breaking changes
**ADR-004**: No client pre-registration required (TBD)
- **Reason**: Aligns with user requirement for simplified client onboarding
- **Impact**: Must validate client_id on every request
- **Mitigation**: Cache client metadata, implement rate limiting
- **Spec Compliance**: Spec allows this ("client IDs are resolvable URLs")
### Scope Limitations (v1.0.0)
**Authentication Only**:
- `scope` parameter accepted but ignored
- All tokens issued with empty scope
- Tokens prove identity, not authorization
- Future versions will support scopes
## Testing Strategy
### Compliance Testing
**Required Tests**:
1. Valid authorization request → code generation
2. Valid token request → token generation
3. Invalid client_id → error
4. Invalid redirect_uri → error
5. Missing state → error
6. Expired authorization code → error
7. Used authorization code → error
8. Mismatched client_id on token request → error
### Interoperability Testing
**Test Against**:
- IndieAuth.com test suite (if available)
- Real IndieAuth clients (IndieLogin, etc.)
- Reference implementation comparison
### Security Testing
**Required Tests**:
1. Open redirect prevention (invalid redirect_uri)
2. Timing attack resistance (token verification)
3. CSRF protection (state parameter)
4. Code reuse prevention (single-use codes)
5. URL validation (me parameter malformation)
## Implementation Checklist
- [ ] `/authorize` endpoint with parameter validation
- [ ] Client metadata fetching (h-app microformat)
- [ ] Email verification flow (code generation, sending, validation)
- [ ] Domain ownership caching (SQLite)
- [ ] Authorization code generation and storage (in-memory)
- [ ] `/token` endpoint with grant validation
- [ ] Access token generation and storage (SQLite, hashed)
- [ ] Error responses (OAuth 2.0 compliant)
- [ ] HTTPS enforcement (production)
- [ ] URL validation (me, client_id, redirect_uri)
- [ ] Constant-time token comparison
- [ ] Metadata endpoint `/.well-known/oauth-authorization-server`
- [ ] Comprehensive test suite (80%+ coverage)
## References
- W3C IndieAuth Specification: https://www.w3.org/TR/indieauth/
- OAuth 2.0 (RFC 6749): https://datatracker.ietf.org/doc/html/rfc6749
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
- PKCE (RFC 7636): https://datatracker.ietf.org/doc/html/rfc7636 (future)
- Token Revocation (RFC 7009): https://datatracker.ietf.org/doc/html/rfc7009 (future)
- Authorization Server Metadata (RFC 8414): https://datatracker.ietf.org/doc/html/rfc8414

356
docs/architecture/overview.md Normal file
View File

@@ -0,0 +1,356 @@
# System Architecture Overview
## Project Context
Gondulf is a self-hosted IndieAuth server implementing the W3C IndieAuth specification. It enables users to use their own domain as their identity when authenticating to third-party applications, providing a decentralized alternative to centralized authentication providers.
### Key Differentiators
- **Email-based authentication**: v1.0.0 uses email verification for domain ownership
- **No client pre-registration**: Clients validate themselves through domain ownership verification
- **Simplicity-first**: Minimal complexity, production-ready MVP
- **Single-admin model**: Designed for individual operators, not multi-tenancy
## Technology Stack
### Core Platform
- **Language**: Python 3.10+
- **Web Framework**: FastAPI 0.104+
- Chosen for: Native async/await, type hints, OAuth 2.0 support, automatic OpenAPI docs
- See: `/docs/decisions/ADR-001-python-framework-selection.md`
- **ASGI Server**: uvicorn with standard extras
- **Data Validation**: Pydantic 2.0+ (bundled with FastAPI)
### Data Storage
- **Primary Database**: SQLite 3.35+
- Sufficient for 10s of users
- Simple file-based backups
- No separate database server required
- **Database Interface**: SQLAlchemy Core (NOT ORM)
- Direct SQL-like interface without ORM complexity
- Explicit queries, no hidden behavior
- Simple schema management
### Session/State Storage (v1.0.0)
- **In-Memory Storage**: Python dictionaries with TTL management
- **Rationale**:
- No Redis in v1.0.0 per user requirements
- Authorization codes are short-lived (10 minutes max)
- Single-process deployment acceptable for MVP
- Upgrade path: Can add Redis later without code changes if persistence needed
### Development Environment
- **Package Manager**: uv (Astral Rust-based tool)
- See: `/docs/decisions/ADR-002-uv-environment-management.md`
- Direct execution model (no environment activation)
- **Linting**: Ruff + flake8
- **Type Checking**: mypy (strict mode)
- **Formatting**: Black (88 character line length)
- **Testing**: pytest with async, coverage, mocking
## System Architecture
### Component Diagram
```
┌─────────────────────────────────────────────────────────────────┐
│ Client Application │
│ (Third-party IndieAuth client) │
└───────────────────────────┬─────────────────────────────────────┘
│ HTTPS
│ IndieAuth Protocol
┌─────────────────────────────────────────────────────────────────┐
│ Gondulf IndieAuth Server │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ FastAPI Application │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌─────────────────┐ │ │
│ │ │ Authorization │ │ Token │ │ Metadata │ │ │
│ │ │ Endpoint │ │ Endpoint │ │ Endpoint │ │ │
│ │ │ /authorize │ │ /token │ │ /.well-known │ │ │
│ │ └──────┬───────┘ └──────┬───────┘ └────────┬────────┘ │ │
│ │ │ │ │ │ │
│ │ └──────────────────┼────────────────────┘ │ │
│ │ │ │ │
│ │ ┌─────────────────────────▼──────────────────────────────┐ │ │
│ │ │ Business Logic Layer │ │ │
│ │ │ ┌───────────────┐ ┌────────────┐ ┌──────────────┐ │ │ │
│ │ │ │ AuthService │ │TokenService│ │DomainService │ │ │ │
│ │ │ │ - Auth flow │ │ - Token │ │ - Domain │ │ │
│ │ │ │ - Email send │ │ creation │ │ validation │ │ │
│ │ │ │ - Code gen │ │ - Token │ │ - TXT record │ │ │
│ │ │ │ │ │ verify │ │ check │ │ │
│ │ │ └───────────────┘ └────────────┘ └──────────────┘ │ │ │
│ │ └────────────────────────┬───────────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌────────────────────────▼──────────────────────────────┐ │ │
│ │ │ Storage Layer │ │ │
│ │ │ ┌──────────────────┐ ┌────────────────────────┐ │ │ │
│ │ │ │ SQLite Database │ │ In-Memory Store │ │ │ │
│ │ │ │ - Tokens │ │ - Auth codes (10min) │ │ │ │
│ │ │ │ - Domains │ │ - Email codes (15min)│ │ │ │
│ │ │ └──────────────────┘ └────────────────────────┘ │ │ │
│ │ └───────────────────────────────────────────────────────┘ │ │
│ └────────────────────────────────────────────────────────────┘ │
└──────────┬──────────────────────────────────────┬───────────────┘
│ SMTP │ DNS
▼ ▼
┌────────────────┐ ┌──────────────────┐
│ Email Server │ │ DNS Provider │
│ (external) │ │ (external) │
└────────────────┘ └──────────────────┘
```
### Component Responsibilities
#### HTTP Endpoints Layer
Handles all HTTP concerns:
- Request validation (Pydantic models)
- Parameter parsing and type coercion
- HTTP response formatting
- Error responses (OAuth 2.0 compliant)
- CORS headers
- Rate limiting (future)
#### Business Logic Layer (Services)
Contains all domain logic, completely independent of HTTP:
**AuthService**:
- Authorization flow orchestration
- Email verification code generation and validation
- Authorization code generation (cryptographically secure)
- User consent management
- PKCE support (future)
**TokenService**:
- Access token generation (JWT or opaque)
- Token validation and introspection
- Token revocation (future)
- Token refresh (future)
**DomainService**:
- Domain ownership validation
- DNS TXT record checking
- Domain normalization
- Security validation (prevent open redirects)
#### Storage Layer
Provides data persistence:
**SQLite Database**:
- Access tokens (long-lived)
- Verified domains
- Audit logs
- Configuration
**In-Memory Store**:
- Authorization codes (TTL: 10 minutes)
- Email verification codes (TTL: 15 minutes)
- Rate limit counters (future)
### Data Flow: Authorization Flow
```
1. Client → /authorize
2. Gondulf validates client_id, redirect_uri, state
3. Gondulf checks domain ownership (TXT record or cached)
4. User enters email address for their domain
5. Gondulf sends verification code to email
6. User enters code
7. Gondulf generates authorization code
8. Gondulf redirects to client with code + state
9. Client → /token with code
10. Gondulf validates code, generates access token
11. Gondulf returns token + me (user's domain)
```
## Deployment Model
### Target Deployment
- **Platform**: Docker container
- **Scale**: 10s of users initially
- **Process Model**: Single uvicorn process (sufficient for MVP)
- **File System**:
- `/data/gondulf.db` - SQLite database
- `/data/backups/` - Database backups
- `/app/` - Application code
### Configuration Management
- **Environment Variables**: All configuration via environment
- **Secrets**: Loaded from environment (SECRET_KEY, SMTP credentials)
- **Config Validation**: Pydantic Settings validates on startup
### Backup Strategy
Simple file-based SQLite backups:
- Daily automated backups of `gondulf.db`
- Backup rotation (keep last 7 days)
- Simple shell script + cron
- Future: S3/object storage support
## Security Architecture
### Authentication Method (v1.0.0)
**Email-based verification only**:
- User provides email address for their domain
- Server sends time-limited verification code
- User enters code to prove email access
- No password storage
- No external identity providers in v1.0.0
### Domain Ownership Validation
**Two-tier validation**:
1. **TXT Record (preferred)**:
- Admin adds TXT record: `_gondulf.example.com` = `verified`
- Server checks DNS before first use
- Result cached in database
- Periodic re-verification (configurable)
2. **Email-based (alternative)**:
- If no TXT record, fall back to email verification
- Email must be at verified domain (e.g., `admin@example.com`)
- Less secure but more accessible for users
### Token Security
- **Generation**: Cryptographically secure random tokens (secrets.token_urlsafe)
- **Storage**: Hashed in database (SHA-256)
- **Transmission**: HTTPS only (enforced in production)
- **Expiration**: Configurable (default 1 hour)
- **Validation**: Constant-time comparison (prevent timing attacks)
### Privacy Principles
**Minimal Data Collection**:
- NEVER store email addresses beyond verification flow
- NEVER log user personal data
- Store only:
- Domain name (user's identity)
- Token hashes (security)
- Timestamps (auditing)
- Client IDs (protocol requirement)
## Operational Architecture
### Logging Strategy
**Structured logging** with appropriate levels:
- **INFO**: Normal operations (auth success, token issued)
- **WARNING**: Suspicious activity (failed validations, rate limit near)
- **ERROR**: Failures requiring investigation (email send failed, DNS timeout)
- **CRITICAL**: System failures (database unavailable, config invalid)
**Log fields**:
- Timestamp (ISO 8601)
- Level
- Event type
- Domain (never email)
- Client ID
- Request ID (correlation)
**Privacy**:
- NEVER log email addresses
- NEVER log full tokens (only first 8 chars for correlation)
- NEVER log user-agent or IP in production (GDPR)
### Monitoring (Future)
- Health check endpoint: `/health`
- Metrics endpoint: `/metrics` (Prometheus format)
- Key metrics:
- Authorization requests/min
- Token generation rate
- Email delivery success rate
- Domain validation cache hit rate
- Error rate by type
## Upgrade Paths
### Future Enhancements (Post v1.0.0)
**Persistence Layer**:
- Add Redis for distributed sessions
- Support PostgreSQL for larger deployments
- No code changes required (SQLAlchemy abstraction)
**Authentication Methods**:
- GitHub/GitLab provider support
- IndieAuth delegation
- WebAuthn for passwordless
- All additive, no breaking changes
**Protocol Features**:
- Token refresh
- Token revocation endpoint
- Scope management (authorization)
- Dynamic client registration
**Operational**:
- Multi-process deployment (gunicorn)
- Horizontal scaling (with Redis)
- Metrics and monitoring
- Admin dashboard
## Constraints and Trade-offs
### Conscious Simplifications (v1.0.0)
1. **No Redis**: In-memory storage acceptable for single-process deployment
- Trade-off: Lose codes on restart (acceptable for 10-minute TTL)
- Upgrade path: Add Redis when scaling needed
2. **No client pre-registration**: Domain-based validation sufficient
- Trade-off: Must validate client_id on every request
- Mitigation: Cache validation results
3. **Email-only authentication**: Simplest secure method
- Trade-off: Requires SMTP configuration
- Upgrade path: Add providers in future releases
4. **SQLite database**: Perfect for small deployments
- Trade-off: No built-in replication
- Upgrade path: Migrate to PostgreSQL when needed
5. **Single process**: No distributed coordination needed
- Trade-off: Limited concurrent capacity
- Upgrade path: Add Redis + gunicorn when scaling
### Non-Negotiable Requirements
1. **W3C IndieAuth compliance**: Full protocol compliance required
2. **Security best practices**: No shortcuts on security
3. **HTTPS in production**: Required for OAuth 2.0 security
4. **Minimal data collection**: Privacy by design
5. **Comprehensive testing**: 80%+ coverage minimum
## Documentation Structure
### For Developers
- `/docs/architecture/` - This directory
- `/docs/designs/` - Feature-specific designs
- `/docs/decisions/` - Architecture Decision Records
### For Operators
- `README.md` - Installation and usage
- `/docs/operations/` - Deployment guides (future)
- Environment variable reference (future)
### For Protocol Compliance
- `/docs/architecture/indieauth-protocol.md` - Protocol implementation
- `/docs/architecture/security.md` - Security model
- Test suite demonstrating compliance
## Next Steps
See `/docs/roadmap/v1.0.0.md` for the MVP feature set and implementation plan.
Key architectural documents to review:
- `/docs/architecture/indieauth-protocol.md` - Protocol design
- `/docs/architecture/security.md` - Security design
- `/docs/roadmap/backlog.md` - Feature prioritization

809
docs/architecture/phase-1-impact-assessment.md Normal file
View File

@@ -0,0 +1,809 @@
# Phase 1 Impact Assessment: Authentication Flow Change
**Date**: 2025-11-20
**Architect**: Claude (Architect Agent)
**Related ADRs**: ADR-005 (updated), ADR-008 (new)
**Related Report**: /docs/reports/2025-11-20-phase-1-foundation.md
## Summary
The authentication design has been updated to require BOTH DNS TXT verification AND email verification via rel="me" discovery. This change impacts Phase 1 implementation and defines new requirements for Phase 2.
## Authentication Flow Change
### Original Design (ADR-005 v1)
- **Primary**: Email verification (user provides email)
- **Optional**: DNS TXT verification (fast-path to skip email)
- **Flow**: DNS check → if not found, request email → send code → verify code
### Updated Design (ADR-005 v2 + ADR-008)
- **Required Factor 1**: DNS TXT verification (`_gondulf.{domain}` = `verified`)
- **Required Factor 2**: Email verification via rel="me" discovery
- **Flow**: DNS check → rel="me" discovery → send code to discovered email → verify code
### Key Differences
| Aspect | Original | Updated |
|--------|----------|---------|
| DNS TXT | Optional (fast-path) | Required (first factor) |
| Email Discovery | User input | rel="me" link parsing |
| Email Verification | Optional (fallback) | Required (second factor) |
| Security Model | Single-factor | Two-factor |
| Attack Resistance | Moderate | High (requires DNS + email control) |
| Setup Complexity | Lower (email only works) | Higher (both required) |
## Phase 1 Implementation Impact
### What Phase 1 Implemented
Phase 1 successfully implemented:
- ✅ Configuration management (GONDULF_* environment variables)
- ✅ Database layer with migrations (SQLite, SQLAlchemy Core)
- ✅ In-memory code storage (TTL-based expiration)
- ✅ Email service (SMTP with STARTTLS support)
- ✅ DNS service (TXT record querying with fallback resolvers)
- ✅ Structured logging
- ✅ FastAPI application with health check endpoint
- ✅ 94.16% test coverage (96 tests passing)
### Does Phase 1 Need Changes?
**Answer: NO. Phase 1 implementation remains valid.**
#### Analysis
**Email Service** (`src/gondulf/email.py`):
- Current: Generic email sending service
- Change Impact: **None**
- Reason: Email service sends codes to any email address. Whether email is user-provided or rel="me"-discovered doesn't affect this service.
- Status: **No changes needed**
**DNS Service** (`src/gondulf/dns.py`):
- Current: TXT record verification with fallback resolvers
- Change Impact: **None**
- Reason: DNS service already implements TXT record verification as designed. Changing from "optional" to "required" is a business logic change, not a DNS service change.
- Status: **No changes needed**
**In-Memory Storage** (`src/gondulf/storage.py`):
- Current: TTL-based code storage
- Change Impact: **None**
- Reason: Storage mechanism is independent of how email is discovered or whether DNS is optional/required.
- Status: **No changes needed**
**Database Schema** (`001_initial_schema.sql`):
- Current: `domains` table with `domain`, `verification_method`, `verified_at`
- Change Impact: **Minor update needed in Phase 2**
- Reason: Schema already supports storing verification method. Will need to update from `'txt_record'` or `'email'` to `'two_factor'` when storing records.
- Status: **Schema structure OK, values will change in Phase 2**
**Configuration** (`src/gondulf/config.py`):
- Current: SMTP configuration, DNS configuration, timeouts
- Change Impact: **None immediately, optional addition in Phase 2**
- Reason: Current configuration supports both email and DNS. May want to add timeout for HTML fetching in Phase 2.
- Status: **No changes needed now**
### Phase 1 Status: APPROVED
Phase 1 implementation remains valid and does NOT require any revisions due to the authentication flow change. All Phase 1 components are foundational services that work regardless of how they're orchestrated in the authentication flow.
## Phase 2 Requirements: New Implementation Needs
Phase 2 must now implement the updated authentication flow. Here's what needs to be built:
### 1. HTML Fetching Service (NEW)
**Purpose**: Fetch user's homepage to discover rel="me" links
**Implementation**:
```python
# src/gondulf/html_fetcher.py
import requests
from typing import Optional
class HTMLFetcherService:
"""
Fetch user's homepage over HTTPS.
"""
def __init__(self, timeout: int = 10):
self.timeout = timeout
self.max_redirects = 5
self.max_size = 5 * 1024 * 1024 # 5MB
def fetch_site(self, domain: str) -> Optional[str]:
"""
Fetch site HTML content.
Args:
domain: Domain to fetch (e.g., "example.com")
Returns:
HTML content as string, or None if fetch fails
"""
url = f"https://{domain}"
try:
response = requests.get(
url,
timeout=self.timeout,
allow_redirects=True,
max_redirects=self.max_redirects,
verify=True # Enforce SSL verification
)
response.raise_for_status()
# Check content size
if len(response.content) > self.max_size:
raise ValueError(f"Response too large: {len(response.content)} bytes")
return response.text
except requests.exceptions.SSLError as e:
logger.error(f"SSL verification failed for {domain}: {e}")
return None
except requests.exceptions.Timeout:
logger.error(f"Timeout fetching {domain}")
return None
except Exception as e:
logger.error(f"Failed to fetch {domain}: {e}")
return None
```
**Dependencies**:
- `requests` library (already in pyproject.toml)
- Timeout configuration (add to Config if needed)
**Tests Required**:
- Successful HTTPS fetch
- SSL verification failure
- Timeout handling
- HTTP error codes (404, 500, etc.)
- Redirect following
- Size limit enforcement
---
### 2. rel="me" Email Discovery Service (NEW)
**Purpose**: Parse HTML to discover email from rel="me" links
**Implementation**:
```python
# src/gondulf/relme.py
from bs4 import BeautifulSoup
from typing import Optional
import re
class RelMeDiscoveryService:
"""
Discover email addresses from rel="me" links in HTML.
"""
def discover_email(self, html_content: str) -> Optional[str]:
"""
Parse HTML and discover email from rel="me" link.
Args:
html_content: HTML content as string
Returns:
Email address or None if not found
"""
try:
# Parse HTML (BeautifulSoup handles malformed HTML)
soup = BeautifulSoup(html_content, 'html.parser')
# Find all rel="me" links (<link> and <a> tags)
me_links = soup.find_all('link', rel='me') + soup.find_all('a', rel='me')
# Look for mailto: links
for link in me_links:
href = link.get('href', '')
if href.startswith('mailto:'):
email = href.replace('mailto:', '').strip()
# Validate email format
if self._validate_email_format(email):
logger.info(f"Discovered email via rel='me': {email[:3]}***")
return email
logger.warning("No rel='me' mailto: link found in HTML")
return None
except Exception as e:
logger.error(f"Failed to parse HTML: {e}")
return None
def _validate_email_format(self, email: str) -> bool:
"""Validate email address format (RFC 5322 simplified)."""
email_regex = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
if not re.match(email_regex, email):
return False
if len(email) > 254: # RFC 5321 maximum
return False
if email.count('@') != 1:
return False
return True
```
**Dependencies**:
- `beautifulsoup4` library (add to pyproject.toml)
- `html.parser` (Python standard library)
**Tests Required**:
- Discovery from `<link rel="me">` tags
- Discovery from `<a rel="me">` tags
- Multiple rel="me" links (select first mailto)
- Malformed HTML handling
- Missing rel="me" links
- Invalid email format in link
- Edge cases (empty href, non-mailto links, etc.)
---
### 3. Domain Verification Service (UPDATED)
**Purpose**: Orchestrate two-factor verification (DNS + Email)
**Implementation**:
```python
# src/gondulf/domain_verification.py
from typing import Tuple, Optional
from .dns import DNSService
from .html_fetcher import HTMLFetcherService
from .relme import RelMeDiscoveryService
from .email import EmailService
from .storage import CodeStorage
class DomainVerificationService:
"""
Two-factor domain verification service.
Verifies domain ownership through:
1. DNS TXT record verification
2. Email verification via rel="me" discovery
"""
def __init__(
self,
dns_service: DNSService,
html_fetcher: HTMLFetcherService,
relme_discovery: RelMeDiscoveryService,
email_service: EmailService,
code_storage: CodeStorage
):
self.dns = dns_service
self.html_fetcher = html_fetcher
self.relme = relme_discovery
self.email = email_service
self.code_storage = code_storage
def start_verification(self, domain: str) -> Tuple[bool, Optional[str], Optional[str]]:
"""
Start domain verification process.
Returns: (success, discovered_email, error_message)
Raises HTTPException with appropriate error if verification cannot start.
"""
# Step 1: Verify DNS TXT record
dns_verified = self.dns.verify_txt_record(domain, "verified")
if not dns_verified:
error = f"DNS TXT record not found for {domain}. Please add: _gondulf.{domain} TXT verified"
return False, None, error
# Step 2: Fetch site and discover email
html = self.html_fetcher.fetch_site(domain)
if html is None:
error = f"Could not fetch site at https://{domain}. Please ensure site is accessible via HTTPS."
return False, None, error
# Step 3: Discover email from rel="me"
email = self.relme.discover_email(html)
if email is None:
error = 'No rel="me" mailto: link found. Please add: <link rel="me" href="mailto:you@example.com">'
return False, None, error
# Step 4: Generate and send verification code
code = self._generate_code()
self.code_storage.store(email, code, ttl=900) # 15 minutes
email_sent = self.email.send_verification_email(email, code)
if not email_sent:
error = f"Failed to send verification email to {email}. Please try again."
return False, email, error
# Success: code sent to discovered email
return True, email, None
def verify_code(self, email: str, submitted_code: str) -> Tuple[bool, str]:
"""
Verify submitted code.
Returns: (success, domain_or_error_message)
"""
stored_data = self.code_storage.get(email)
if stored_data is None:
return False, "No verification code found. Please restart verification."
code, domain = stored_data
# Verify code (constant-time comparison)
if not secrets.compare_digest(submitted_code, code):
return False, "Invalid code. Please try again."
# Success: mark code as used
self.code_storage.delete(email)
return True, domain
def _generate_code(self) -> str:
"""Generate 6-digit verification code."""
return ''.join(secrets.choice('0123456789') for _ in range(6))
```
**Dependencies**:
- All Phase 1 services (DNS, Email, Storage)
- New HTML fetcher service
- New rel="me" discovery service
**Tests Required**:
- Full verification flow (DNS → rel="me" → email → code)
- DNS verification failure
- Site fetch failure
- rel="me" discovery failure
- Email send failure
- Code verification success/failure
- Multiple attempts tracking
- Code expiration
---
### 4. Domain Verification UI Endpoints (NEW)
**Purpose**: HTTP endpoints for user interaction
**Implementation**:
```python
# src/gondulf/routers/verification.py
from fastapi import APIRouter, HTTPException
from pydantic import BaseModel
router = APIRouter(prefix="/verify", tags=["verification"])
class VerificationStartRequest(BaseModel):
domain: str
class VerificationStartResponse(BaseModel):
success: bool
email_masked: Optional[str] # e.g., "u***@example.com"
error: Optional[str]
class VerificationCodeRequest(BaseModel):
email: str
code: str
class VerificationCodeResponse(BaseModel):
success: bool
domain: Optional[str]
error: Optional[str]
@router.post("/start", response_model=VerificationStartResponse)
async def start_verification(request: VerificationStartRequest):
"""
Start domain verification process.
Steps:
1. Verify DNS TXT record
2. Discover email from rel="me"
3. Send verification code to email
"""
success, email, error = domain_verification_service.start_verification(request.domain)
if not success:
return VerificationStartResponse(success=False, email_masked=None, error=error)
# Mask email for display: u***@example.com
masked_email = f"{email[0]}***@{email.split('@')[1]}"
return VerificationStartResponse(
success=True,
email_masked=masked_email,
error=None
)
@router.post("/code", response_model=VerificationCodeResponse)
async def verify_code(request: VerificationCodeRequest):
"""
Verify submitted code.
Returns domain if code is valid.
"""
success, result = domain_verification_service.verify_code(request.email, request.code)
if not success:
return VerificationCodeResponse(success=False, domain=None, error=result)
return VerificationCodeResponse(success=True, domain=result, error=None)
```
**Dependencies**:
- FastAPI router
- Pydantic models
- Domain verification service
**Tests Required**:
- POST /verify/start success case
- POST /verify/start with DNS failure
- POST /verify/start with rel="me" failure
- POST /verify/start with email send failure
- POST /verify/code success case
- POST /verify/code with invalid code
- POST /verify/code with expired code
- POST /verify/code with missing code
---
### 5. Authorization Endpoint Integration (UPDATED)
**Changes to Authorization Flow**:
**Before** (original design):
```
1. User enters domain (me parameter)
2. Display form: "Enter your email at {domain}"
3. User enters email manually
4. Send code, user enters code
5. Display consent screen
```
**After** (updated design):
```
1. User enters domain (me parameter)
2. Server performs two-factor verification:
a. Verify DNS TXT record
b. Discover email from rel="me"
c. Send code to discovered email
3. Display code entry form (show discovered email masked)
4. User enters code
5. Display consent screen
```
**Implementation Changes**:
- Call `DomainVerificationService.start_verification()` instead of requesting email from user
- Update UI to show "Sending code to u***@example.com" instead of email input form
- Handle new error cases (DNS not found, rel="me" not found, site unreachable)
---
## Phase 2 Feature Breakdown
### New Dependencies to Add
**pyproject.toml additions**:
```toml
[project]
dependencies = [
# ... existing dependencies
"beautifulsoup4>=4.12.0", # HTML parsing for rel="me" discovery
]
```
### New Source Files
1. `src/gondulf/html_fetcher.py` - HTML fetching service
2. `src/gondulf/relme.py` - rel="me" email discovery service
3. `src/gondulf/domain_verification.py` - Two-factor verification orchestration
4. `src/gondulf/routers/verification.py` - Verification endpoints (if implemented separately from authorization)
### Updated Files
1. `src/gondulf/main.py` - Register new routers, initialize new services
2. `src/gondulf/config.py` - Optional: add HTML fetch timeout config
3. Database migration (002_update_verification_method.sql) - Change domain.verification_method values
### New Test Files
1. `tests/unit/test_html_fetcher.py` - HTML fetching tests
2. `tests/unit/test_relme.py` - rel="me" discovery tests
3. `tests/unit/test_domain_verification.py` - Verification service tests
4. `tests/integration/test_verification_endpoints.py` - Verification endpoint tests
### Estimated Effort
**New Components**:
- HTML Fetcher Service: 0.5 days
- rel="me" Discovery Service: 0.5 days
- Domain Verification Service: 1 day
- Verification Endpoints: 0.5 days
- Tests (all new components): 1 day
**Total New Work**: ~3.5 days
**Authorization Endpoint** (already planned):
- Original estimate: 3-5 days
- Updated estimate: 3-5 days (same - just uses DomainVerificationService)
## Database Schema Updates
### Migration: 002_update_verification_method.sql
```sql
-- Update verification_method values from single-factor to two-factor
-- This is a data migration, not schema change
UPDATE domains
SET verification_method = 'two_factor'
WHERE verification_method IN ('txt_record', 'email');
-- No schema changes needed - 'verification_method' column already exists
```
**When to Apply**: Phase 2, before authorization endpoint implementation
## Error Message Updates
### DNS TXT Not Found
```
DNS Verification Failed
Please add this TXT record to your domain's DNS:
Type: TXT
Name: _gondulf.example.com
Value: verified
DNS changes may take up to 24 hours to propagate.
Need help? See: https://docs.gondulf.example.com/setup/dns
```
### rel="me" Not Found
```
Email Discovery Failed
Could not find a rel="me" email link on your homepage.
Please add this to your homepage (https://example.com):
<link rel="me" href="mailto:your-email@example.com">
This declares your email address for IndieAuth verification.
Learn more: https://indieweb.org/rel-me
```
### Site Unreachable
```
Site Fetch Failed
Could not fetch your site at https://example.com
Please check:
- Site is accessible via HTTPS
- SSL certificate is valid
- No firewall blocking requests
Try again once your site is accessible.
```
### Email Send Failure
```
Email Delivery Failed
Failed to send verification code to u***@example.com
Please check:
- Email address is correct in your rel="me" link
- Email server is accepting mail
- Check spam/junk folder
Try again, or contact support if the issue persists.
```
## Documentation Updates Needed
### User Documentation (Phase 2)
1. **Setup Guide**: `/docs/user/setup.md`
- Step 1: Add DNS TXT record
- Step 2: Add rel="me" link to homepage
- Step 3: Test verification
2. **Troubleshooting**: `/docs/user/troubleshooting.md`
- DNS verification failures
- rel="me" discovery issues
- Email delivery problems
3. **Examples**: `/docs/user/examples.md`
- Example HTML with rel="me" link
- Example DNS configuration (various providers)
### Developer Documentation (Phase 2)
1. **API Reference**: `/docs/api/verification.md`
- POST /verify/start endpoint
- POST /verify/code endpoint
- Error codes and responses
2. **Architecture**: `/docs/architecture/domain-verification.md`
- Two-factor verification flow diagram
- Service interaction diagram
- Error handling flowchart
## Security Considerations for Phase 2
### New Attack Surfaces
1. **HTML Parsing**:
- Risk: Malicious HTML exploiting parser
- Mitigation: BeautifulSoup handles untrusted HTML safely
- Test: Fuzzing with malformed HTML
2. **HTTPS Fetching**:
- Risk: SSL verification bypass
- Mitigation: Enforce `verify=True` in requests
- Test: Attempt to fetch site with invalid certificate (must fail)
3. **rel="me" Spoofing**:
- Risk: Attacker adds rel="me" to compromised site
- Mitigation: Two-factor requirement (also need DNS control)
- Test: Verify DNS check happens BEFORE rel="me" discovery
### Security Testing Required
1. **Input Validation**:
- Malformed domain names
- Oversized HTML responses (>5MB)
- Invalid email formats in rel="me" links
2. **TLS Enforcement**:
- Verify HTTPS-only fetching
- Verify SSL certificate validation
- Reject sites with invalid certificates
3. **Rate Limiting** (future):
- Prevent bulk rel="me" discovery
- Limit verification attempts per domain
## Configuration Updates
### Optional New Config
```python
# src/gondulf/config.py
class Config:
# ... existing config
# HTML Fetching (optional, has sensible defaults)
HTML_FETCH_TIMEOUT: int = 10 # seconds
HTML_MAX_SIZE: int = 5 * 1024 * 1024 # 5MB
HTML_MAX_REDIRECTS: int = 5
```
### Environment Variables
```bash
# .env.example additions (optional)
# HTML Fetching Configuration (optional - has defaults)
GONDULF_HTML_FETCH_TIMEOUT=10 # Timeout for fetching user's site (seconds)
GONDULF_HTML_MAX_SIZE=5242880 # Maximum HTML size (bytes, default 5MB)
GONDULF_HTML_MAX_REDIRECTS=5 # Maximum redirects to follow
```
## Testing Strategy for Phase 2
### Unit Tests
**HTML Fetcher**:
- Mock successful HTTPS response
- Mock SSL verification failure
- Mock timeout
- Mock HTTP errors (404, 500, etc.)
- Mock size limit exceeded
- Mock redirect following
**rel="me" Discovery**:
- Parse `<link rel="me" href="mailto:...">`
- Parse `<a rel="me" href="mailto:...">`
- Handle malformed HTML
- Handle missing rel="me" links
- Handle invalid email in link
- Handle multiple rel="me" links (select first)
**Domain Verification Service**:
- Full two-factor flow success
- DNS verification failure
- Site fetch failure
- rel="me" discovery failure
- Email send failure
- Code verification success/failure
### Integration Tests
**Verification Endpoints**:
- POST /verify/start with valid domain (mock services)
- POST /verify/start with DNS failure
- POST /verify/start with rel="me" failure
- POST /verify/code with valid code
- POST /verify/code with invalid code
### End-to-End Tests (Future)
- Complete verification flow with real HTML
- Authorization flow integration
- Token issuance after successful verification
## Acceptance Criteria for Phase 2
Phase 2 will be considered complete when:
1. ✅ HTML fetcher service implemented and tested
2. ✅ rel="me" discovery service implemented and tested
3. ✅ Domain verification service orchestrates two-factor verification
4. ✅ Verification endpoints return correct responses for all cases
5. ✅ Error messages are clear and actionable
6. ✅ All new tests passing (unit + integration)
7. ✅ Test coverage remains >80% overall
8. ✅ Security testing complete (HTML parsing, TLS enforcement)
9. ✅ Documentation updated (user setup guide, API reference)
10. ✅ Database migration applied successfully
## Timeline Estimate
**Phase 2 Components**:
- HTML Fetcher: 0.5 days
- rel="me" Discovery: 0.5 days
- Domain Verification Service: 1 day
- Verification Endpoints: 0.5 days
- Testing: 1 day
- Documentation: 0.5 days
**Total New Work**: ~4 days
**Authorization Endpoint** (already planned):
- Original estimate: 3-5 days
- Updated estimate: 3-5 days (uses DomainVerificationService)
**Phase 2 Total**: ~7-9 days (vs. original estimate of 3-5 days)
**Impact**: +4 days of work due to authentication flow change
## Recommendation
**Phase 1**: APPROVED as-is. No changes needed.
**Phase 2**: Proceed with implementation of:
1. HTML fetching service
2. rel="me" discovery service
3. Domain verification service (two-factor orchestration)
4. Verification endpoints
5. Updated authorization endpoint to use domain verification service
The additional work (HTML fetching + rel="me" discovery) adds ~4 days to Phase 2, bringing total Phase 2 estimate to 7-9 days instead of original 3-5 days.
## Sign-off
**Assessment Status**: Complete
**Phase 1 Impact**: None - Phase 1 approved as-is
**Phase 2 Impact**: Additional 4 days of work for new services
**Risk Level**: Low - All new work is well-scoped and testable
**Ready to Proceed**: Yes
---
**Assessment completed**: 2025-11-20
**Architect**: Claude (Architect Agent)

371
docs/architecture/phase1-clarifications.md Normal file
View File

@@ -0,0 +1,371 @@
# Phase 1 Implementation Clarifications
Date: 2024-11-20
This document provides specific answers to Developer's clarification questions for Phase 1 implementation.
## 1. Configuration Management - Environment Variables
**Decision**: YES - Use the `GONDULF_` prefix for all environment variables.
**Complete environment variable specification**:
```bash
# Required - no defaults
GONDULF_SECRET_KEY=<generate-with-secrets.token_urlsafe(32)>
# Database
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
# SMTP Configuration
GONDULF_SMTP_HOST=localhost
GONDULF_SMTP_PORT=587
GONDULF_SMTP_USERNAME=
GONDULF_SMTP_PASSWORD=
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
# Token and Code Expiry (seconds)
GONDULF_TOKEN_EXPIRY=3600
GONDULF_CODE_EXPIRY=600
# Logging
GONDULF_LOG_LEVEL=INFO
GONDULF_DEBUG=false
```
**Implementation Requirements**:
- Create `.env.example` with all variables documented
- Use `python-dotenv` for loading (already in requirements.txt)
- Validate `GONDULF_SECRET_KEY` exists on startup (fail fast if missing)
- All other variables should have sensible defaults as shown above
**See Also**: ADR 0004 - Configuration Management Strategy
---
## 2. Database Schema - Tables for Phase 1
**Decision**: Create exactly THREE tables in Phase 1.
### Table 1: `authorization_codes`
```sql
CREATE TABLE authorization_codes (
code TEXT PRIMARY KEY,
client_id TEXT NOT NULL,
redirect_uri TEXT NOT NULL,
state TEXT,
code_challenge TEXT,
code_challenge_method TEXT,
scope TEXT,
me TEXT NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
```
### Table 2: `domains`
```sql
CREATE TABLE domains (
domain TEXT PRIMARY KEY,
email TEXT NOT NULL,
verification_code TEXT NOT NULL,
verified BOOLEAN NOT NULL DEFAULT FALSE,
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
verified_at TIMESTAMP
);
```
### Table 3: `migrations`
```sql
CREATE TABLE migrations (
version INTEGER PRIMARY KEY,
description TEXT NOT NULL,
applied_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
```
**Do NOT create**:
- Audit tables (use logging instead)
- Token tables (Phase 2)
- Client tables (Phase 3)
**Implementation Requirements**:
- Create `src/gondulf/database/migrations/` directory
- Create `001_initial_schema.sql` with above schema
- Migration runner should track applied migrations in `migrations` table
- Use simple sequential versioning: 001, 002, 003, etc.
**See Also**: ADR 0005 - Phase 1 Database Schema
---
## 3. In-Memory Storage - Implementation Details
**Decision**: Option B - Standard dict with manual expiration check on access.
**Rationale**:
- Simplest implementation
- No background threads or complexity
- Codes are short-lived (10 minutes), so memory cleanup isn't critical
- Lazy deletion on access is sufficient
**Implementation Specification**:
```python
class CodeStore:
"""In-memory storage for domain verification codes with TTL."""
def __init__(self, ttl_seconds: int = 600):
self._store: dict[str, tuple[str, float]] = {}
self._ttl = ttl_seconds
def store(self, email: str, code: str) -> None:
"""Store verification code with expiry timestamp."""
expiry = time.time() + self._ttl
self._store[email] = (code, expiry)
def verify(self, email: str, code: str) -> bool:
"""Verify code and remove from store."""
if email not in self._store:
return False
stored_code, expiry = self._store[email]
# Check expiration
if time.time() > expiry:
del self._store[email]
return False
# Check code match
if code != stored_code:
return False
# Valid - remove from store
del self._store[email]
return True
```
**Expiration cleanup**: On read only. No background cleanup needed.
**Configuration**: Use `GONDULF_CODE_EXPIRY=600` (10 minutes default)
---
## 4. Email Service - SMTP TLS/STARTTLS
**Decision**: Support both via port-based configuration (Option B variant).
**Configuration**:
```bash
GONDULF_SMTP_HOST=smtp.gmail.com
GONDULF_SMTP_PORT=587 # or 465 for implicit TLS
GONDULF_SMTP_USERNAME=user@gmail.com
GONDULF_SMTP_PASSWORD=app-password
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
```
**Implementation Logic**:
```python
if smtp_port == 465:
# Implicit TLS
server = smtplib.SMTP_SSL(smtp_host, smtp_port)
elif smtp_port == 587 and smtp_use_tls:
# STARTTLS
server = smtplib.SMTP(smtp_host, smtp_port)
server.starttls()
else:
# Unencrypted (testing only)
server = smtplib.SMTP(smtp_host, smtp_port)
if smtp_username and smtp_password:
server.login(smtp_username, smtp_password)
```
**Defaults**: Port 587 with STARTTLS (most common)
**See Also**: ADR 0006 - Email SMTP Configuration
---
## 5. DNS Service - Resolver Configuration
**Decision**: Option C - Use system DNS with fallback to public DNS.
**Rationale**:
- Respects system configuration (good citizenship)
- Fallback to reliable public DNS if system fails
- No configuration needed for most users
- Works in containerized environments
**Implementation Specification**:
```python
import dns.resolver
def create_resolver() -> dns.resolver.Resolver:
"""Create DNS resolver with system DNS and public fallbacks."""
resolver = dns.resolver.Resolver()
# Try system DNS first (resolver.nameservers is already populated)
# If you need to explicitly set fallbacks:
if not resolver.nameservers:
# Fallback to public DNS if system DNS not available
resolver.nameservers = ['8.8.8.8', '1.1.1.1']
return resolver
```
**No environment variable needed** - keep it simple and use system defaults.
**Timeout configuration**: Use dnspython defaults (2 seconds per nameserver)
---
## 6. Logging Configuration - Log Levels and Format
**Decision**: Option B - Standard Python logging with structured fields.
**Format**:
```
%(asctime)s [%(levelname)s] %(name)s: %(message)s
```
**Example output**:
```
2024-11-20 10:30:45,123 [INFO] gondulf.domain: Domain verification requested domain=example.com email=user@example.com
2024-11-20 10:30:46,456 [INFO] gondulf.auth: Authorization code generated client_id=https://app.example.com me=https://example.com
```
**Log Levels**:
- **Development** (`GONDULF_DEBUG=true`): `DEBUG`
- **Production** (`GONDULF_DEBUG=false`): `INFO`
- Configurable via `GONDULF_LOG_LEVEL=INFO|DEBUG|WARNING|ERROR`
**Implementation**:
```python
import logging
# Configure root logger
log_level = os.getenv('GONDULF_LOG_LEVEL', 'DEBUG' if debug else 'INFO')
logging.basicConfig(
level=log_level,
format='%(asctime)s [%(levelname)s] %(name)s: %(message)s',
datefmt='%Y-%m-%d %H:%M:%S'
)
# Get logger for module
logger = logging.getLogger('gondulf.domain')
# Log with structured information
logger.info(f"Domain verification requested domain={domain} email={email}")
```
**Output**: stdout/stderr (let deployment environment handle log files)
**See Also**: ADR 0007 - Logging Strategy for v1.0.0
---
## 7. Health Check Endpoint
**Decision**: Option B - Check database connectivity.
**Rationale**:
- Must verify database is accessible (critical dependency)
- Email and DNS are used on-demand, not required for health
- Keep it simple - one critical check
- Fast response time
**Endpoint Specification**:
```
GET /health
```
**Response - Healthy**:
```json
{
"status": "healthy",
"database": "connected"
}
```
Status Code: 200
**Response - Unhealthy**:
```json
{
"status": "unhealthy",
"database": "error",
"error": "unable to connect to database"
}
```
Status Code: 503
**Implementation**:
- Execute simple query: `SELECT 1` against database
- Timeout: 5 seconds
- No authentication required for health check
- Log failures at WARNING level
---
## 8. Database File Location
**Decision**: Option C - Configurable via `GONDULF_DATABASE_URL` with smart defaults.
**Configuration**:
```bash
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
```
**Path Resolution**:
- Relative paths resolved from current working directory
- Absolute paths used as-is
- Default: `./data/gondulf.db` (relative to cwd)
**Data Directory Creation**:
```python
from pathlib import Path
from urllib.parse import urlparse
def ensure_database_directory(database_url: str) -> None:
"""Create database directory if it doesn't exist."""
if database_url.startswith('sqlite:///'):
# Parse path from URL
db_path = database_url.replace('sqlite:///', '', 1)
db_file = Path(db_path)
# Create parent directory if needed
db_file.parent.mkdir(parents=True, exist_ok=True)
```
**Call this on application startup** before any database operations.
**Deployment Examples**:
Development:
```bash
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
```
Production (Docker):
```bash
GONDULF_DATABASE_URL=sqlite:////data/gondulf.db
```
Production (systemd):
```bash
GONDULF_DATABASE_URL=sqlite:////var/lib/gondulf/gondulf.db
```
---
## Summary
All 8 questions have been answered with specific implementation details. Key ADRs created:
- ADR 0004: Configuration Management
- ADR 0005: Phase 1 Database Schema
- ADR 0006: Email SMTP Configuration
- ADR 0007: Logging Strategy
The Developer now has complete, unambiguous specifications to proceed with Phase 1 implementation.

1000
docs/architecture/security.md Normal file
View File

File diff suppressed because it is too large Load Diff

43
docs/decisions/0004-configuration-management.md Normal file
View File

@@ -0,0 +1,43 @@
# 0004. Configuration Management Strategy
Date: 2024-11-20
## Status
Accepted
## Context
We need a consistent approach to configuration management that is simple, clear, and follows industry standards. The system requires configuration for database, email, secrets, and various runtime parameters.
## Decision
We will use environment variables with the `GONDULF_` prefix for all configuration:
- All environment variables must start with `GONDULF_` to avoid namespace collisions
- Use uppercase with underscores for word separation
- Follow standard naming patterns (e.g., `_URL` for connection strings, `_KEY` for secrets)
- Provide sensible defaults where possible
- Use a single `.env.example` file to document all available configuration
Standard variables:
```
GONDULF_SECRET_KEY=<required - no default>
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
GONDULF_SMTP_HOST=localhost
GONDULF_SMTP_PORT=587
GONDULF_SMTP_USERNAME=
GONDULF_SMTP_PASSWORD=
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
GONDULF_TOKEN_EXPIRY=3600
GONDULF_LOG_LEVEL=INFO
GONDULF_DEBUG=false
```
## Consequences
### Positive
- Clear namespace prevents collision with other applications
- Standard environment variable pattern familiar to developers
- Easy to configure in various deployment scenarios (Docker, systemd, etc.)
- `.env.example` provides self-documentation
### Negative
- Slightly longer variable names
- Must maintain `.env.example` alongside actual configuration

98
docs/decisions/0004-phase-2-implementation-decisions.md Normal file
View File

@@ -0,0 +1,98 @@
# 0004. Phase 2 Implementation Decisions
Date: 2024-11-20
## Status
Accepted
## Context
The Developer has raised 8 categories of implementation questions for Phase 2 that require architectural decisions. These decisions need to balance simplicity with functionality while providing clear direction for implementation.
## Decisions
### 1. Rate Limiting Implementation
**Decision**: Implement actual rate limiting with in-memory storage in Phase 2.
**Rationale**: Security features should be real from the start, not stubs. In-memory is simplest.
**Implementation**:
- Use a simple dictionary with domain as key, list of timestamps as value
- Clean up old timestamps on each check (older than 1 hour)
- Store in `RateLimiter` service as instance variable
- No persistence needed - resets on restart is acceptable
### 2. Authorization Code Metadata Structure
**Decision**: Use Phase 1's `CodeStorage` service with complete structure from the start.
**Rationale**: Reuse existing infrastructure, avoid future migrations.
**Implementation**:
- Include `used` field (boolean, default False) even though Phase 3 consumes it
- Store epoch integers for timestamps (simpler than datetime objects)
- Use same `CodeStorage` from Phase 1 with authorization code keys
### 3. HTML Template Implementation
**Decision**: Use Jinja2 templates with separate template files.
**Rationale**: Jinja2 is standard, maintainable, and allows for future template customization.
**Implementation**:
- Templates in `src/gondulf/templates/`
- Create `base.html` for shared layout
- Individual templates: `verify_email.html`, `verify_totp.html`, `authorize.html`, `error.html`
- Pass minimal context to templates
### 4. Database Migration Timing
**Decision**: Apply migration 002 immediately as part of Phase 2 setup.
**Rationale**: Keep database schema current with code expectations.
**Implementation**:
- Run migration before any Phase 2 code execution
- New code assumes 'two_factor' column exists
- Migration updates existing rows (if any) to have 'two_factor' = false
### 5. Client Validation Helper Functions
**Decision**: Implement as standalone functions in a shared utility module.
**Rationale**: Functions over classes when no state is needed. Simpler to test and understand.
**Implementation**:
- Create `src/gondulf/utils/validation.py`
- Functions: `mask_email()`, `validate_redirect_uri()`, `normalize_client_id()`
- Full subdomain validation now (not a stub) - security should be complete
### 6. Error Response Format Consistency
**Decision**: Use format appropriate to the endpoint type.
**Rationale**: Follow OAuth 2.0 patterns and user experience expectations.
**Implementation**:
- Verification endpoints (`/verify/email`, `/verify/totp`): JSON responses, always 200 OK
- Authorization endpoint errors before user interaction: HTML error page
- Authorization endpoint errors after client validation: OAuth redirect with error
- Token endpoint (Phase 3): Always JSON
### 7. Dependency Injection Pattern
**Decision**: Create `dependencies.py` with singleton services instantiated at startup.
**Rationale**: Simpler than per-request instantiation, consistent with Phase 1 pattern.
**Implementation**:
- All services instantiated once in `dependencies.py`
- Services read configuration at instantiation
- FastAPI dependency injection provides same instance to all requests
- Pattern: `get_code_storage()`, `get_rate_limiter()`, etc.
### 8. Test Organization for Authorization Endpoint
**Decision**: Separate test files per major endpoint with shared fixtures module.
**Rationale**: Easier to navigate and maintain as tests grow.
**Implementation**:
- `tests/test_verification_endpoints.py` - email and TOTP verification
- `tests/test_authorization_endpoint.py` - authorization flow
- `tests/conftest.py` - shared fixtures for common scenarios
- Test complete flows, not sub-endpoints in isolation
## Consequences
### Positive
- Clear, consistent patterns across the codebase
- Real security from the start (no stubs)
- Reuse of existing Phase 1 infrastructure
- Standard, maintainable template approach
- Simple service architecture
### Negative
- Slightly more upfront work than stub implementations
- In-memory rate limiting loses state on restart
- Templates add a dependency (Jinja2)
### Neutral
- Following established patterns from other web frameworks
- Committing to specific implementation choices early

42
docs/decisions/0005-phase1-database-schema.md Normal file
View File

@@ -0,0 +1,42 @@
# 0005. Phase 1 Database Schema
Date: 2024-11-20
## Status
Accepted
## Context
Phase 1 requires database storage for authorization codes and domain verification. We need to determine which tables to create initially while avoiding over-engineering for future needs.
## Decision
Phase 1 will create exactly three tables:
1. **`authorization_codes`** - Temporary storage for OAuth authorization codes
- Required by IndieAuth authorization flow
- Short-lived (10 minutes expiry)
- Contains: code, client_id, redirect_uri, state, code_challenge, code_challenge_method, scope, created_at
2. **`domains`** - Verified domain ownership records
- Required for domain verification flow
- Stores verification codes and status
- Contains: domain, email, verification_code, verified, created_at, verified_at
3. **`migrations`** - Schema version tracking
- Simple migration tracking
- Contains: version, applied_at, description
We will NOT create in Phase 1:
- Audit/logging tables (use structured logging to files instead)
- Token storage table (tokens are handled in Phase 2)
- Client registration table (Phase 3 feature)
## Consequences
### Positive
- Minimal schema focused on immediate Phase 1 needs
- Easy to understand and test
- Fast database operations with minimal tables
- Can add tables in later phases as features require them
### Negative
- No audit trail in database (rely on application logs)
- Will need migration for Phase 2 token storage

40
docs/decisions/0006-email-smtp-configuration.md Normal file
View File

@@ -0,0 +1,40 @@
# 0006. Email SMTP Configuration
Date: 2024-11-20
## Status
Accepted
## Context
Email service needs SMTP configuration for sending domain verification codes. We need to support common email providers while keeping configuration simple. Modern SMTP typically uses STARTTLS on port 587 or implicit TLS on port 465.
## Decision
Support both STARTTLS and implicit TLS via configuration:
Configuration:
```
GONDULF_SMTP_HOST=smtp.example.com
GONDULF_SMTP_PORT=587
GONDULF_SMTP_USERNAME=user@example.com
GONDULF_SMTP_PASSWORD=secret
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
```
Implementation logic:
- If `GONDULF_SMTP_PORT=465`: Use implicit TLS (smtplib.SMTP_SSL)
- If `GONDULF_SMTP_PORT=587` and `GONDULF_SMTP_USE_TLS=true`: Use STARTTLS (smtplib.SMTP with starttls())
- If `GONDULF_SMTP_PORT=25` and `GONDULF_SMTP_USE_TLS=false`: Use unencrypted SMTP (testing only)
Default to port 587 with STARTTLS as the most common modern configuration.
## Consequences
### Positive
- Supports all major email providers (Gmail, SendGrid, Mailgun, etc.)
- Simple configuration with sensible defaults
- Port number determines TLS behavior (intuitive)
- Single USE_TLS flag controls STARTTLS
### Negative
- Slightly more complex than hardcoding one approach
- Must document port/TLS combinations in `.env.example`

54
docs/decisions/0007-logging-strategy.md Normal file
View File

@@ -0,0 +1,54 @@
# 0007. Logging Strategy for v1.0.0
Date: 2024-11-20
## Status
Accepted
## Context
We need structured logging for debugging, security auditing, and operational monitoring. The choice is between JSON-structured logs (machine-parseable), Python's standard logging with structured fields, or simple string logging.
## Decision
Use Python's standard logging module with structured string formatting for v1.0.0:
Format pattern:
```
%(asctime)s [%(levelname)s] %(name)s: %(message)s
```
Structured information in message strings:
```python
logger.info("Domain verification requested", extra={
"domain": domain,
"email": email,
"request_id": request_id
})
```
Log levels:
- **Development**: `DEBUG` (default when `GONDULF_DEBUG=true`)
- **Production**: `INFO` (default)
Configuration:
```
GONDULF_LOG_LEVEL=INFO
GONDULF_DEBUG=false
```
Output: stdout/stderr (let deployment environment handle log collection)
## Consequences
### Positive
- Standard Python logging - no additional dependencies
- Simple to implement and test
- Human-readable for local development
- Structured extras can be extracted if needed later
- Easy to redirect to files or syslog via deployment config
### Negative
- Not as machine-parseable as pure JSON logs
- May need to migrate to structured JSON logging in future versions
- Extra fields may not be captured by all log handlers
## Future Consideration
If operational monitoring requires it, we can migrate to JSON-structured logging in a minor version update without breaking changes.

292
docs/decisions/ADR-003-pkce-deferred-to-v1-1-0.md Normal file
View File

@@ -0,0 +1,292 @@
# ADR-003: PKCE Support Deferred to v1.1.0
Date: 2025-11-20
## Status
Accepted
## Context
PKCE (Proof Key for Code Exchange, RFC 7636) is a security extension to OAuth 2.0 that protects against authorization code interception attacks. It works by having the client generate a random secret, send a hash of it during the authorization request, and prove knowledge of the original secret during token exchange.
### PKCE Security Benefits
1. **Code Interception Protection**: Even if an attacker intercepts the authorization code, they cannot exchange it for a token without the code_verifier
2. **Public Client Security**: Essential for native apps and SPAs where client secrets cannot be stored securely
3. **Best Practice**: OAuth 2.0 Security Best Practices (draft-ietf-oauth-security-topics) recommends PKCE for all clients
### W3C IndieAuth Specification
The current W3C IndieAuth specification (published January 2018) does not mention PKCE. However, PKCE has become a standard security measure in modern OAuth 2.0 implementations since then.
### v1.0.0 Constraints
For the MVP release, we face a simplicity vs. security trade-off:
- Target users: 10s of users initially
- Deployment: Single-process Docker container
- Timeline: 6-8 weeks to v1.0.0
- Focus: Prove core authentication functionality
### PKCE Implementation Effort
**Estimated effort**: 1-2 days
**Required changes**:
1. Accept `code_challenge` and `code_challenge_method` parameters in /authorize endpoint
2. Store code challenge with authorization code
3. Accept `code_verifier` parameter in /token endpoint
4. Validate code_verifier hashes to stored challenge using S256 method
5. Update metadata endpoint to advertise PKCE support
6. Add comprehensive tests
**Complexity**:
- Low technical complexity (straightforward hashing and comparison)
- Well-documented in RFC 7636
- Standard library support (hashlib for SHA-256)
## Decision
**PKCE support is deferred to v1.1.0 and will NOT be included in v1.0.0.**
### Rationale
**Simplicity Over Complexity**:
- v1.0.0 is an MVP focused on proving core authentication functionality
- Every additional feature increases risk and development time
- PKCE adds security but is not required for the W3C IndieAuth specification compliance
- Deferring PKCE reduces v1.0.0 scope without compromising compliance
**Acceptable Risk for MVP**:
- Target deployment: Small scale (10s of users), controlled environment
- Mitigation: HTTPS enforcement + short code lifetime (10 minutes) + single-use codes
- Risk window: 10-minute authorization code lifetime only
- Attack complexity: Requires MITM during specific 10-minute window despite HTTPS
**Clear Upgrade Path**:
- PKCE can be added in v1.1.0 without breaking changes
- Implementation is well-understood and straightforward
- Clients that don't use PKCE will continue working (backward compatible)
**Development Focus**:
- Free up 1-2 days of effort for core functionality
- Reduce testing surface area for MVP
- Simplify initial security review
- Gather real-world usage data before adding complexity
## Consequences
### Positive Consequences
1. **Faster Time to Market**: v1.0.0 ships 1-2 days earlier
2. **Reduced Complexity**: Fewer parameters to validate, fewer edge cases
3. **Simpler Testing**: Smaller test surface area for initial release
4. **Focus**: Development effort concentrated on core authentication flow
5. **Learning Opportunity**: Real-world usage informs PKCE implementation in v1.1.0
### Negative Consequences
1. **Slightly Reduced Security**: Authorization codes vulnerable to interception (mitigated by HTTPS)
2. **Not Best Practice**: Modern OAuth 2.0 guidance recommends PKCE for all flows
3. **Client Compatibility**: Clients requiring PKCE cannot use v1.0.0 (upgrade to v1.1.0)
4. **Perception**: Security-conscious users may view absence as weakness
### Mitigation Strategies
**For v1.0.0 (Without PKCE)**:
1. **Enforce HTTPS**: Strictly enforce HTTPS in production (mitigates interception)
```python
if not DEBUG and request.url.scheme != 'https':
raise HTTPException(status_code=400, detail="HTTPS required")
```
2. **Short Code Lifetime**: 10-minute maximum (per W3C spec)
```python
CODE_EXPIRATION = timedelta(minutes=10) # Minimize attack window
```
3. **Single-Use Codes**: Immediately invalidate after use (detect replay attacks)
```python
if code_data.get('used'):
logger.error(f"Code replay attack detected: {code[:8]}...")
raise HTTPException(status_code=400, detail="invalid_grant")
```
4. **Documentation**: Clearly document PKCE absence and planned support
- README security section
- Release notes
- Roadmap (v1.1.0 feature)
5. **Logging**: Monitor for potential code interception attempts
```python
if code_expired:
logger.warning(f"Expired code presented: {code[:8]}... (potential attack)")
```
**For v1.1.0 (Adding PKCE)**:
1. **Backward Compatibility**: PKCE optional, not required
- Clients without PKCE continue working
- Clients with PKCE get enhanced security
- Gradual migration path
2. **Client Detection**: Detect PKCE capability and encourage usage
```python
if code_challenge is None:
logger.info(f"Client {client_id} not using PKCE (consider upgrading)")
```
3. **Future Enforcement**: Option to require PKCE in configuration
```python
if config.REQUIRE_PKCE and not code_challenge:
raise HTTPException(status_code=400, detail="PKCE required")
```
### Implementation Plan for v1.1.0
**Effort**: 1-2 days
**Changes Required**:
1. **Authorization Endpoint** (`/authorize`):
```python
class AuthorizeRequest(BaseModel):
# ... existing fields ...
code_challenge: Optional[str] = None
code_challenge_method: Optional[Literal["S256"]] = None
# Validation
if code_challenge and code_challenge_method != "S256":
raise HTTPException(400, "Only S256 challenge method supported")
# Store challenge with code
code_data = {
# ... existing data ...
"code_challenge": code_challenge,
"code_challenge_method": code_challenge_method
}
```
2. **Token Endpoint** (`/token`):
```python
class TokenRequest(BaseModel):
# ... existing fields ...
code_verifier: Optional[str] = None
# Validate PKCE
if code_data.get('code_challenge'):
if not code_verifier:
raise HTTPException(400, "code_verifier required")
# Verify S256(code_verifier) == code_challenge
import hashlib
import base64
computed = base64.urlsafe_b64encode(
hashlib.sha256(code_verifier.encode()).digest()
).decode().rstrip('=')
if not secrets.compare_digest(computed, code_data['code_challenge']):
raise HTTPException(400, "Invalid code_verifier")
```
3. **Metadata Endpoint**:
```json
{
"code_challenge_methods_supported": ["S256"]
}
```
4. **Tests**:
- PKCE flow success cases
- Invalid code_verifier rejection
- Missing code_verifier when challenge present
- Backward compatibility (no PKCE)
### Risk Assessment
**Attack Scenario Without PKCE**:
1. Attacker performs MITM attack on authorization redirect (despite HTTPS)
2. Attacker intercepts authorization code
3. Attacker exchanges code for token (within 10-minute window)
4. Attacker uses token to impersonate user
**Likelihood**: Very Low
- Requires MITM capability (difficult with proper TLS)
- Requires attack during specific 10-minute window
- Requires client_id and redirect_uri knowledge
**Impact**: High
- Complete account impersonation
- Access to user's identity
**Risk Level**: **Low** (Very Low likelihood × High impact = Low overall risk)
**Acceptable for MVP?**: Yes
- Controlled deployment (small user base)
- Proper TLS mitigates primary attack vector
- Short code lifetime limits exposure window
- Clear upgrade path to full PKCE in v1.1.0
### Monitoring and Review
**v1.0.0 Deployment**:
- Monitor logs for expired code presentations (potential interception attempts)
- Track time between code generation and redemption
- Document any security concerns from real-world usage
**v1.1.0 Planning**:
- Review security logs from v1.0.0 deployment
- Prioritize PKCE based on actual risk observed
- Implement with lessons learned from v1.0.0
## References
- RFC 7636 - PKCE: https://datatracker.ietf.org/doc/html/rfc7636
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
- W3C IndieAuth Specification: https://www.w3.org/TR/indieauth/
- OWASP OAuth 2.0 Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Cheat_Sheet.html
## Alternatives Considered
### Alternative 1: Implement PKCE in v1.0.0
**Pros**:
- Better security from day one
- Follows modern OAuth 2.0 best practices
- No perceived security weakness
**Cons**:
- Adds 1-2 days to development timeline
- Increases testing surface area
- More complexity for MVP
- Not required for W3C spec compliance
**Rejected**: Violates simplicity principle for MVP.
### Alternative 2: Make PKCE Required (not optional) in v1.1.0
**Pros**:
- Forces clients to adopt best security practices
- Simpler server logic (no conditional handling)
**Cons**:
- Breaking change for clients
- Not backward compatible
- W3C spec doesn't require PKCE
**Rejected**: Breaks compatibility, not required by spec.
### Alternative 3: Never Implement PKCE
**Pros**:
- Permanent simplicity
- No additional development
**Cons**:
- Permanent security weakness
- Not following industry best practices
- May limit adoption by security-conscious users
**Rejected**: Security should improve over time, not stagnate.
## Decision History
- 2025-11-20: Proposed (Architect)
- 2025-11-20: Accepted (Architect)
- TBD: Implementation in v1.1.0

434
docs/decisions/ADR-004-opaque-tokens-for-v1-0-0.md Normal file
View File

@@ -0,0 +1,434 @@
# ADR-004: Opaque Tokens for v1.0.0 (Not JWT)
Date: 2025-11-20
## Status
Accepted
## Context
Access tokens in OAuth 2.0 can be implemented in two primary formats:
### 1. Opaque Tokens
Random strings with no inherent meaning. Token validation requires database lookup.
**Characteristics**:
- Random, unpredictable string (e.g., `secrets.token_urlsafe(32)`)
- Server stores token metadata in database
- Validation requires database query
- Easily revocable (delete from database)
- No information leakage (token contains no data)
**Example**:
```
Token: Xy9kP2mN8fR5tQ1wE7aZ4bV6cG3hJ0sL
Database: {
token_hash: sha256(token),
me: "https://example.com",
client_id: "https://client.example.com",
scope: "",
issued_at: 2025-11-20T10:00:00Z,
expires_at: 2025-11-20T11:00:00Z
}
```
### 2. JWT (JSON Web Tokens)
Self-contained tokens encoding claims, signed by server.
**Characteristics**:
- Base64-encoded JSON with signature
- Contains all metadata (me, client_id, scope, expiration)
- Validation via signature verification (no database lookup)
- Stateless (server doesn't store tokens)
- Revocation complex (requires blocklist or short TTL)
**Example**:
```
Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZSI6Imh0dHBzOi8vZXhhbXBsZS5jb20iLCJjbGllbnRfaWQiOiJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbSIsInNjb3BlIjoiIiwiaWF0IjoxNzAwNDgwNDAwLCJleHAiOjE3MDA0ODQwMDB9.signature
Decoded Payload: {
"me": "https://example.com",
"client_id": "https://client.example.com",
"scope": "",
"iat": 1700480400,
"exp": 1700484000
}
```
### v1.0.0 Requirements
**Use Case**: Authentication only (no authorization)
- Users prove domain ownership
- Tokens confirm user identity to clients
- No resource server in v1.0.0 (no /api endpoints to protect)
- No token introspection endpoint in v1.0.0
**Scale**: 10s of users
- Dozens of active tokens maximum
- Database lookups negligible performance impact
- No distributed system requirements
**Security Priorities**:
1. Simple, auditable security model
2. Easy token revocation (future requirement)
3. No information leakage
4. No key management complexity
**Simplicity Principle**:
- Favor straightforward implementations
- Avoid unnecessary complexity
- Minimize dependencies
## Decision
**Gondulf v1.0.0 will use opaque tokens (NOT JWT).**
Tokens will be:
- Generated using `secrets.token_urlsafe(32)` (256 bits of entropy)
- Stored in SQLite database as SHA-256 hashes
- Validated via database lookup and constant-time comparison
- 1-hour expiration (configurable)
### Rationale
**Simplicity**:
- No signing algorithm selection (HS256 vs RS256 vs ES256)
- No key generation or rotation
- No JWT library dependency
- No clock skew handling
- Simple database lookup, not cryptographic verification
**Security**:
- No information leakage (token reveals nothing)
- Easy revocation (delete from database)
- No risk of algorithm confusion attacks
- No risk of "none" algorithm vulnerability
- Hashed storage prevents token recovery from database
**v1.0.0 Scope Alignment**:
- No resource server = no benefit from stateless validation
- Authentication only = simple token validation sufficient
- Small scale = database lookup performance acceptable
- No token introspection endpoint = no external validation needed
**Future Flexibility**:
- Can migrate to JWT in v2.0.0 if needed
- Database abstraction allows storage changes
- Token format is implementation detail (not exposed to clients)
## Consequences
### Positive Consequences
1. **Simpler Implementation**:
- No JWT library dependency
- No signing key management
- No algorithm selection complexity
- Straightforward database operations
2. **Better Security (for this use case)**:
- No information in token (empty payload = no leakage)
- Trivial revocation (DELETE FROM tokens WHERE ...)
- No cryptographic algorithm vulnerabilities
- No key compromise risk
3. **Easier Auditing**:
- All tokens visible in database
- Clear token lifecycle (creation, usage, expiration)
- Simple query to list all active tokens
- Easy to track token usage
4. **Operational Simplicity**:
- No key rotation required
- No clock synchronization concerns
- No JWT debugging complexity
- Standard database operations
5. **Privacy**:
- Token reveals nothing about user
- No accidental PII in token claims
- Bearer token is just a random string
### Negative Consequences
1. **Database Dependency**:
- Token validation requires database access
- Database outage = token validation fails
- Performance limited by database (acceptable for small scale)
2. **Not Stateless**:
- Cannot validate tokens without database
- Horizontal scaling requires shared database
- Not suitable for distributed resource servers (not needed in v1.0.0)
3. **Larger Storage**:
- Must store all active tokens in database
- Database grows with token count (cleaned up on expiration)
4. **Token Introspection**:
- Resource servers cannot validate tokens independently (not needed in v1.0.0)
- Would require introspection endpoint in future
### Mitigation Strategies
**Database Dependency**:
- Acceptable for v1.0.0 (single-process deployment)
- SQLite is reliable (no network dependency)
- Future: Add Redis caching if performance becomes issue
- Future: Migrate to JWT if distributed validation needed
**Storage Growth**:
- Periodic cleanup of expired tokens
- Configurable expiration (default 1 hour)
- Database indexes on token_hash and expires_at
- Monitor database size, alerts if grows unexpectedly
**Future Scaling**:
- SQLAlchemy abstraction allows migration to PostgreSQL
- Can add Redis for caching if needed
- Can migrate to JWT in v2.0.0 if requirements change
## Implementation
### Token Generation
```python
import secrets
import hashlib
from datetime import datetime, timedelta
def generate_token(me: str, client_id: str, scope: str = "") -> str:
"""
Generate opaque access token.
Returns: 43-character base64url string (256 bits of entropy)
"""
# Generate token (returned to client, never stored)
token = secrets.token_urlsafe(32) # 32 bytes = 256 bits
# Hash for storage (SHA-256)
token_hash = hashlib.sha256(token.encode('utf-8')).hexdigest()
# Store in database
expires_at = datetime.utcnow() + timedelta(hours=1)
db.execute('''
INSERT INTO tokens (token_hash, me, client_id, scope, issued_at, expires_at, revoked)
VALUES (?, ?, ?, ?, ?, ?, 0)
''', (token_hash, me, client_id, scope, datetime.utcnow(), expires_at))
logger.info(f"Token generated for {me} (client: {client_id})")
return token # Return plaintext to client (only time it exists in plaintext)
```
### Token Validation
```python
import secrets
import hashlib
from datetime import datetime
def verify_token(provided_token: str) -> Optional[dict]:
"""
Verify access token and return metadata.
Returns: Token metadata dict or None if invalid
"""
# Hash provided token
token_hash = hashlib.sha256(provided_token.encode('utf-8')).hexdigest()
# Lookup in database (constant-time comparison in SQL)
result = db.query_one('''
SELECT me, client_id, scope, expires_at, revoked
FROM tokens
WHERE token_hash = ?
''', (token_hash,))
if not result:
logger.warning("Token not found")
return None
# Check expiration
if datetime.utcnow() > result['expires_at']:
logger.info(f"Token expired for {result['me']}")
return None
# Check revocation
if result['revoked']:
logger.warning(f"Revoked token presented for {result['me']}")
return None
# Valid token
return {
'me': result['me'],
'client_id': result['client_id'],
'scope': result['scope']
}
```
### Token Revocation (Future)
```python
def revoke_token(provided_token: str) -> bool:
"""
Revoke access token.
Returns: True if revoked, False if not found
"""
token_hash = hashlib.sha256(provided_token.encode('utf-8')).hexdigest()
rows_updated = db.execute('''
UPDATE tokens
SET revoked = 1
WHERE token_hash = ?
''', (token_hash,))
if rows_updated > 0:
logger.info(f"Token revoked: {provided_token[:8]}...")
return True
else:
logger.warning(f"Revoke failed: token not found")
return False
```
### Database Schema
```sql
CREATE TABLE tokens (
id INTEGER PRIMARY KEY AUTOINCREMENT,
token_hash TEXT NOT NULL UNIQUE, -- SHA-256 hash
me TEXT NOT NULL, -- User's domain
client_id TEXT NOT NULL, -- Client application URL
scope TEXT NOT NULL DEFAULT '', -- Empty for v1.0.0
issued_at TIMESTAMP NOT NULL, -- When token created
expires_at TIMESTAMP NOT NULL, -- When token expires
revoked BOOLEAN NOT NULL DEFAULT 0 -- Revocation flag
-- Indexes for performance
CREATE INDEX idx_tokens_hash ON tokens(token_hash);
CREATE INDEX idx_tokens_expires ON tokens(expires_at);
CREATE INDEX idx_tokens_me ON tokens(me);
);
```
### Periodic Cleanup
```python
def cleanup_expired_tokens():
"""
Delete expired tokens from database.
Run periodically (e.g., hourly cron job).
"""
deleted = db.execute('''
DELETE FROM tokens
WHERE expires_at < ?
''', (datetime.utcnow(),))
logger.info(f"Cleaned up {deleted} expired tokens")
```
## Comparison: Opaque vs JWT
| Aspect | Opaque Tokens | JWT |
|--------|---------------|-----|
| **Complexity** | Low (simple random string) | Medium (encoding, signing, claims) |
| **Dependencies** | None (standard library) | JWT library (python-jose, PyJWT) |
| **Validation** | Database lookup | Signature verification |
| **Performance** | Requires DB query (~1-5ms) | No DB query (~0.1ms) |
| **Revocation** | Trivial (DELETE) | Complex (blocklist required) |
| **Stateless** | No (requires DB) | Yes (self-contained) |
| **Information Leakage** | None (opaque) | Possible (claims readable) |
| **Token Size** | 43 bytes | 150-300 bytes |
| **Key Management** | Not required | Required (signing key) |
| **Clock Skew** | Not relevant | Can cause issues (exp claim) |
| **Debugging** | Simple (query database) | Complex (decode, verify signature) |
| **Scale** | Limited by DB | Unlimited (stateless) |
**Verdict for v1.0.0**: Opaque tokens win on simplicity, security, and alignment with MVP scope.
## Migration Path to JWT (if needed)
If future requirements demand JWT (e.g., distributed resource servers, token introspection), migration is straightforward:
**Step 1**: Implement JWT generation alongside opaque tokens
```python
if config.USE_JWT:
return generate_jwt_token(me, client_id, scope)
else:
return generate_opaque_token(me, client_id, scope)
```
**Step 2**: Support both token types in validation
```python
if token.startswith('ey'): # JWT starts with 'ey' (base64 of {"alg":...)
return verify_jwt_token(token)
else:
return verify_opaque_token(token)
```
**Step 3**: Gradual migration (both types valid)
**Step 4**: Deprecate opaque tokens (future major version)
## Alternatives Considered
### Alternative 1: Use JWT from v1.0.0
**Pros**:
- Industry standard
- Stateless validation
- Self-contained (no DB for validation)
- Better for distributed systems
**Cons**:
- Adds complexity (signing, key management)
- Requires JWT library dependency
- Harder to revoke
- Not needed for v1.0.0 scope (no resource server)
- Risk of implementation mistakes (algorithm confusion, etc.)
**Rejected**: Violates simplicity principle, no benefit for v1.0.0 scope.
---
### Alternative 2: Use JWT but store in database anyway
**Pros**:
- JWT benefits (self-contained)
- Easy revocation (DB lookup)
**Cons**:
- Worst of both worlds (complexity + database dependency)
- No performance benefit (still requires DB)
- Redundant storage (token + database)
**Rejected**: Adds complexity without benefits.
---
### Alternative 3: Use Macaroons (fancy tokens)
**Pros**:
- Advanced capabilities (caveats, delegation)
- Cryptographically interesting
**Cons**:
- Extreme overkill for authentication
- No standard library support
- Complex implementation
- Not OAuth 2.0 standard
**Rejected**: Massive complexity for no benefit.
## References
- OAuth 2.0 Bearer Token Usage (RFC 6750): https://datatracker.ietf.org/doc/html/rfc6750
- JWT (RFC 7519): https://datatracker.ietf.org/doc/html/rfc7519
- Token Introspection (RFC 7662): https://datatracker.ietf.org/doc/html/rfc7662
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
## Decision History
- 2025-11-20: Proposed (Architect)
- 2025-11-20: Accepted (Architect)
- TBD: Review for v2.0.0 (if JWT needed)

700
docs/decisions/ADR-005-email-based-authentication-v1-0-0.md Normal file
View File

@@ -0,0 +1,700 @@
# ADR-005: Two-Factor Domain Verification for v1.0.0 (DNS + Email via rel="me")
Date: 2025-11-20
Last Updated: 2025-11-20
## Status
Accepted (Updated)
## Context
Gondulf requires users to prove domain ownership to authenticate. Multiple authentication methods exist for proving domain control.
### Authentication Methods Evaluated
**1. Email Verification**
- User provides email at their domain
- Server sends verification code to email
- User enters code to prove email access
- Assumes: Email access = domain control
**2. DNS TXT Record**
- Admin adds TXT record to DNS: `_gondulf.example.com` = `verified`
- Server queries DNS to verify record
- Assumes: DNS control = domain control
**3. External Identity Providers** (GitHub, GitLab, etc.)
- User links domain to GitHub/GitLab profile
- Server verifies profile contains domain
- User authenticates via OAuth to provider
- Assumes: Provider verification = domain control
**4. WebAuthn / FIDO2**
- User registers hardware security key
- Authentication via cryptographic challenge
- Assumes: Physical key possession = domain control (after initial registration)
**5. IndieAuth Delegation**
- User's domain delegates to another IndieAuth server
- Server follows delegation chain
- Assumes: Delegated server = domain control
### User Requirements
From project brief:
- **v1.0.0**: Email-based ONLY (no other identity providers)
- **Simplicity**: Keep MVP simple and focused
- **Scale**: 10s of users initially
- **No client registration**: Simplify client onboarding
### Technical Constraints
**SMTP Dependency**:
- Requires email server configuration
- Potential delivery failures (spam filters, configuration errors)
- Dependency on external service (email provider)
**Security Considerations**:
- Email interception risk (transit security)
- Email account compromise risk (user responsibility)
- Code brute-force risk (limited entropy)
**User Experience**:
- Familiar pattern (like password reset)
- Requires email access during authentication
- Additional step vs. provider OAuth (GitHub, etc.)
## Decision
**Gondulf v1.0.0 will require BOTH DNS TXT record verification AND email verification using the IndieWeb rel="me" pattern. Both verifications must succeed for authentication to complete.**
### Implementation Approach
**Two-Factor Verification (Both Required)**:
1. **DNS TXT Record Verification (Required)**:
- Check for `_gondulf.{domain}` TXT record = `verified`
- If found: Proceed to email verification
- If not found: Authentication fails with instructions to add TXT record
- Proves: User controls DNS for the domain
2. **Email Discovery via rel="me" (Required)**:
- Fetch user's domain homepage (e.g., https://example.com)
- Parse HTML for `<link rel="me" href="mailto:user@example.com">`
- Extract email address from rel="me" link
- If not found: Authentication fails with instructions to add rel="me" link
- Proves: User has published email relationship on their site
3. **Email Verification Code (Required)**:
- Server generates 6-digit verification code
- Server sends code to discovered email address via SMTP
- User enters code (15-minute expiration)
- Verification code must be correct to complete authentication
- Proves: User controls the email account
**Why All Three?**:
- **DNS TXT**: Proves domain DNS control (strong ownership signal)
- **rel="me"**: Follows IndieWeb standard for identity claims
- **Email Code**: Proves active control of the email account (not just DNS/HTML)
- **Combined**: Two-factor verification provides stronger security than either alone
### Rationale
**Enhanced Security Model**:
- Two-factor verification: DNS control + Email control
- Prevents attacks where only one factor is compromised
- DNS TXT proves domain ownership
- Email code proves active account control
- rel="me" follows IndieWeb standards for identity
**Follows IndieWeb Standards**:
- rel="me" is standard practice for identity claims (see: https://thesatelliteoflove.com)
- Aligns with IndieAuth ecosystem expectations
- Users likely already have rel="me" links for other purposes
- Email discovery is self-documenting (user's site declares their email)
**No User-Provided Email Input**:
- Server discovers email from user's site (no manual entry)
- Prevents typos and social engineering
- Email is self-attested by user on their own domain
- Reduces attack surface (can't claim arbitrary email)
**Stronger Than Single-Factor**:
- Attacker needs DNS control AND email access
- Compromised DNS alone: insufficient
- Compromised email alone: insufficient
- Requires control of both infrastructure and communication
**Simplicity Maintained**:
- Two verification checks, but both straightforward
- DNS TXT: standard practice
- rel="me": standard HTML link
- Email code: familiar pattern
- Total setup time: < 5 minutes for technical users
## Consequences
### Positive Consequences
1. **Enhanced Security**:
- Two-factor verification (DNS + Email)
- Stronger ownership proof than single factor
- Prevents single-point-of-compromise attacks
- Aligns with security best practices
2. **IndieWeb Standard Compliance**:
- Follows rel="me" pattern from IndieWeb community
- Interoperability with other IndieWeb tools
- Users may already have rel="me" configured
- Self-documenting identity claims
3. **Reduced Attack Surface**:
- No user-provided email input (prevents typos/social engineering)
- Email discovered from user's own site
- Can't claim arbitrary email addresses
- User controls all verification requirements
4. **Implementation Simplicity**:
- HTML parsing for rel="me" (standard libraries)
- DNS queries (dnspython)
- SMTP email sending (smtplib)
- No external API dependencies
5. **Privacy**:
- Email addresses NOT stored after verification
- No data shared with third parties
- No tracking by external providers
- Minimal data collection
6. **Transparency**:
- User explicitly declares email on their site
- No hidden verification methods
- User controls both DNS and HTML
- Clear requirements for setup
### Negative Consequences
1. **Higher Setup Complexity**:
- Users must configure TWO things (DNS TXT + rel="me" link)
- More steps than single-factor approaches
- Requires basic HTML editing skills
- May deter non-technical users
2. **Email Dependency**:
- Requires functioning SMTP configuration
- Email delivery not guaranteed (spam filters)
- Users must have email access during authentication
- Email account compromise still a risk (mitigated by DNS requirement)
3. **User Experience**:
- More setup steps vs. simpler alternatives
- Requires checking email inbox during login
- Potential delay (email delivery time)
- Code expiration can frustrate users
- Both verifications must succeed (no fallback)
4. **HTML Parsing Complexity**:
- Must parse potentially malformed HTML
- Multiple possible HTML formats for rel="me"
- Case sensitivity issues
- Must handle various link formats (mailto: vs https://)
5. **Failure Points**:
- DNS lookup failure blocks authentication
- Site unavailable blocks authentication
- Email send failure blocks authentication
- No fallback mechanism (both required)
### Mitigation Strategies
**Clear Setup Instructions**:
```markdown
## Domain Verification Setup
Gondulf requires two verifications to prove domain ownership:
### Step 1: Add DNS TXT Record
Add this DNS record to your domain:
- Type: TXT
- Name: _gondulf.example.com
- Value: verified
This proves you control DNS for your domain.
### Step 2: Add rel="me" Link to Your Homepage
Add this HTML to your homepage (e.g., https://example.com/index.html):
<link rel="me" href="mailto:your-email@example.com">
This declares your email address publicly on your site.
### Step 3: Verify Email Access
During login:
- We'll discover your email from the rel="me" link
- We'll send a verification code to that email
- Enter the code to complete authentication
Setup time: ~5 minutes
```
**Robust HTML Parsing**:
```python
from bs4 import BeautifulSoup
from urllib.parse import urlparse
def discover_email_from_site(domain_url: str) -> Optional[str]:
"""
Fetch site and discover email from rel="me" link.
Returns: email address or None if not found
"""
try:
# Fetch homepage
response = requests.get(domain_url, timeout=10, allow_redirects=True)
response.raise_for_status()
# Parse HTML (handle malformed HTML gracefully)
soup = BeautifulSoup(response.content, 'html.parser')
# Find all rel="me" links
me_links = soup.find_all('link', rel='me') + soup.find_all('a', rel='me')
# Look for mailto: links
for link in me_links:
href = link.get('href', '')
if href.startswith('mailto:'):
email = href.replace('mailto:', '').strip()
# Validate email format
if validate_email_format(email):
logger.info(f"Discovered email via rel='me' for {domain_url}")
return email
logger.warning(f"No rel='me' mailto: link found for {domain_url}")
return None
except Exception as e:
logger.error(f"Failed to discover email for {domain_url}: {e}")
return None
```
**DNS Verification**:
```python
def verify_dns_txt(domain: str) -> bool:
"""
Verify _gondulf.{domain} TXT record exists.
Returns: True if verified, False otherwise
"""
try:
import dns.resolver
# Query multiple resolvers for redundancy
resolvers = ['8.8.8.8', '1.1.1.1']
verified_count = 0
for resolver_ip in resolvers:
resolver = dns.resolver.Resolver()
resolver.nameservers = [resolver_ip]
resolver.timeout = 5
answers = resolver.resolve(f'_gondulf.{domain}', 'TXT')
for rdata in answers:
if rdata.to_text().strip('"') == 'verified':
verified_count += 1
break
# Require consensus from multiple resolvers
return verified_count >= 2
except Exception as e:
logger.warning(f"DNS verification failed for {domain}: {e}")
return False
```
**Helpful Error Messages**:
```python
# DNS TXT not found
if not dns_verified:
return ErrorResponse("""
DNS verification failed.
Please add this TXT record to your domain:
- Type: TXT
- Name: _gondulf.{domain}
- Value: verified
DNS changes may take up to 24 hours to propagate.
""")
# rel="me" not found
if not email_discovered:
return ErrorResponse("""
Could not find rel="me" link on your site.
Please add this to your homepage:
<link rel="me" href="mailto:your-email@example.com">
See: https://indieweb.org/rel-me for more information.
""")
# Email send failure
if not email_sent:
return ErrorResponse("""
Failed to send verification code to {email}.
Please check:
- Email address is correct in your rel="me" link
- Email server is accepting mail
- Check spam/junk folder
""")
```
**Code Security** (unchanged):
```python
# Sufficient entropy
code = ''.join(secrets.choice('0123456789') for _ in range(6))
# 1,000,000 possible codes
# Rate limiting
MAX_ATTEMPTS = 3 # Per email
MAX_CODES = 3 # Per hour per domain
# Expiration
CODE_LIFETIME = timedelta(minutes=15)
# Single-use enforcement
code_storage.mark_used(code_id)
```
## Implementation
### Complete Authentication Flow (v1.0.0)
```python
from datetime import datetime, timedelta
import secrets
import smtplib
import requests
import dns.resolver
from email.message import EmailMessage
from bs4 import BeautifulSoup
from typing import Optional, Tuple
class DomainVerificationService:
"""
Two-factor domain verification: DNS TXT + Email via rel="me"
"""
def __init__(self, smtp_config: dict):
self.smtp = smtp_config
self.codes = {} # In-memory storage for verification codes
def verify_domain_ownership(self, domain: str) -> Tuple[bool, Optional[str], Optional[str]]:
"""
Perform two-factor domain verification.
Returns: (success, email_discovered, error_message)
Steps:
1. Verify DNS TXT record
2. Discover email from rel="me" link
3. Send verification code to email
4. User enters code (handled separately)
"""
# Step 1: Verify DNS TXT record
dns_verified = self._verify_dns_txt(domain)
if not dns_verified:
return False, None, "DNS TXT record not found. Please add _gondulf.{domain} = verified"
# Step 2: Discover email from site's rel="me" link
email = self._discover_email_from_site(f"https://{domain}")
if not email:
return False, None, 'No rel="me" mailto: link found on homepage. Please add <link rel="me" href="mailto:you@example.com">'
# Step 3: Generate and send verification code
code_sent = self._send_verification_code(email, domain)
if not code_sent:
return False, email, f"Failed to send verification code to {email}"
# Return success with discovered email
return True, email, None
def verify_code(self, email: str, submitted_code: str) -> Tuple[bool, str]:
"""
Verify submitted code.
Returns: (success, domain or error_message)
"""
code_data = self.codes.get(email)
if not code_data:
return False, "No verification code found. Please request a new code."
# Check expiration
if datetime.utcnow() > code_data['expires_at']:
del self.codes[email]
return False, "Code expired. Please request a new code."
# Check attempts
code_data['attempts'] += 1
if code_data['attempts'] > 3:
del self.codes[email]
return False, "Too many attempts. Please restart authentication."
# Verify code (constant-time comparison)
if not secrets.compare_digest(submitted_code, code_data['code']):
return False, "Invalid code. Please try again."
# Success: Clean up and return domain
domain = code_data['domain']
del self.codes[email] # Single-use code
logger.info(f"Domain verified: {domain} (DNS + Email)")
return True, domain
def _verify_dns_txt(self, domain: str) -> bool:
"""
Verify _gondulf.{domain} TXT record exists with value 'verified'.
Returns: True if verified, False otherwise
"""
record_name = f'_gondulf.{domain}'
# Use multiple resolvers for redundancy
resolvers = ['8.8.8.8', '1.1.1.1']
verified_count = 0
for resolver_ip in resolvers:
try:
resolver = dns.resolver.Resolver()
resolver.nameservers = [resolver_ip]
resolver.timeout = 5
answers = resolver.resolve(record_name, 'TXT')
for rdata in answers:
if rdata.to_text().strip('"') == 'verified':
verified_count += 1
break
except Exception as e:
logger.debug(f"DNS query failed (resolver {resolver_ip}): {e}")
continue
# Require consensus from at least 2 resolvers
if verified_count >= 2:
logger.info(f"DNS TXT verified: {domain}")
return True
logger.warning(f"DNS TXT verification failed: {domain}")
return False
def _discover_email_from_site(self, domain_url: str) -> Optional[str]:
"""
Fetch domain homepage and discover email from rel="me" link.
Returns: email address or None if not found
"""
try:
# Fetch homepage
response = requests.get(domain_url, timeout=10, allow_redirects=True)
response.raise_for_status()
# Parse HTML (BeautifulSoup handles malformed HTML)
soup = BeautifulSoup(response.content, 'html.parser')
# Find all rel="me" links (both <link> and <a>)
me_links = soup.find_all('link', rel='me') + soup.find_all('a', rel='me')
# Look for mailto: links
for link in me_links:
href = link.get('href', '')
if href.startswith('mailto:'):
email = href.replace('mailto:', '').strip()
# Basic email validation
if '@' in email and '.' in email.split('@')[1]:
logger.info(f"Discovered email via rel='me': {domain_url}")
return email
logger.warning(f"No rel='me' mailto: link found: {domain_url}")
return None
except Exception as e:
logger.error(f"Failed to discover email for {domain_url}: {e}")
return None
def _send_verification_code(self, email: str, domain: str) -> bool:
"""
Generate and send verification code to email.
Returns: True if sent successfully, False otherwise
"""
# Check rate limit
if self._is_rate_limited(domain):
logger.warning(f"Rate limit exceeded for domain: {domain}")
return False
# Generate 6-digit code
code = ''.join(secrets.choice('0123456789') for _ in range(6))
# Store code with expiration
self.codes[email] = {
'code': code,
'domain': domain,
'created_at': datetime.utcnow(),
'expires_at': datetime.utcnow() + timedelta(minutes=15),
'attempts': 0,
}
# Send email via SMTP
try:
msg = EmailMessage()
msg['From'] = self.smtp['from_email']
msg['To'] = email
msg['Subject'] = 'Gondulf Verification Code'
msg.set_content(f"""
Your Gondulf verification code is:
{code}
This code expires in 15 minutes.
Only enter this code if you initiated this login.
If you did not request this code, ignore this email.
""")
with smtplib.SMTP(self.smtp['host'], self.smtp['port'], timeout=10) as smtp:
smtp.starttls()
smtp.login(self.smtp['username'], self.smtp['password'])
smtp.send_message(msg)
logger.info(f"Verification code sent to {email[:3]}***@{email.split('@')[1]}")
return True
except Exception as e:
logger.error(f"Failed to send email to {email}: {e}")
return False
def _is_rate_limited(self, domain: str) -> bool:
"""
Check if domain is rate limited (max 3 codes per hour).
Returns: True if rate limited, False otherwise
"""
recent_codes = [
code for code in self.codes.values()
if code.get('domain') == domain
and datetime.utcnow() - code['created_at'] < timedelta(hours=1)
]
return len(recent_codes) >= 3
```
## Future Enhancements
### v1.1.0+: Additional Authentication Methods
**GitHub/GitLab Providers**:
- OAuth 2.0 flow with provider
- Verify domain in profile URL
- Link GitHub username to domain
**WebAuthn / FIDO2**:
- Register hardware security key
- Challenge/response authentication
- Strongest security option
**IndieAuth Delegation**:
- Follow rel="authorization_endpoint" link
- Delegate to another IndieAuth server
- Support federated authentication
These will be additive (user chooses method), not replacing email.
## Alternatives Considered
### Alternative 1: External Providers Only (GitHub, GitLab)
**Pros**:
- No email infrastructure needed
- Established OAuth 2.0 flows
- Users already have accounts
**Cons**:
- Contradicts user requirement (email-only in v1.0.0)
- Requires external API integration
- Users locked to specific providers
- Privacy concerns (data sharing)
**Rejected**: Violates user requirements for v1.0.0.
---
### Alternative 2: WebAuthn as Primary Method
**Pros**:
- Strongest security (hardware keys)
- Phishing-resistant
- No password/email needed
**Cons**:
- Requires hardware key (barrier to entry)
- Complex implementation (WebAuthn API)
- Browser compatibility issues
- Not suitable for MVP
**Rejected**: Too complex for MVP, hardware requirement.
---
### Alternative 3: SMS Verification
**Pros**:
- Familiar pattern
- Fast delivery
**Cons**:
- Requires phone number (PII collection)
- SMS delivery costs
- Phone number != domain ownership
- SIM swapping attacks
**Rejected**: Doesn't prove domain ownership, adds PII collection.
---
### Alternative 4: DNS Only (No Email Fallback)
**Pros**:
- Strongest proof of domain control
- No email infrastructure
- Simple implementation
**Cons**:
- Requires DNS knowledge
- Barrier to entry for non-technical users
- DNS propagation delays
- No fallback if DNS inaccessible
**Rejected**: Too restrictive, not accessible enough.
## References
- IndieWeb rel="me": https://indieweb.org/rel-me
- Example Implementation: https://thesatelliteoflove.com (Phil Skents' identity page)
- SMTP Protocol (RFC 5321): https://datatracker.ietf.org/doc/html/rfc5321
- Email Security (STARTTLS): https://datatracker.ietf.org/doc/html/rfc3207
- DNS TXT Records (RFC 1035): https://datatracker.ietf.org/doc/html/rfc1035
- HTML Link Relations: https://www.w3.org/TR/html5/links.html#linkTypes
- BeautifulSoup (HTML parsing): https://www.crummy.com/software/BeautifulSoup/
- WebAuthn (W3C): https://www.w3.org/TR/webauthn/ (future)
## Decision History
- 2025-11-20: Proposed (Architect) - Email primary, DNS optional
- 2025-11-20: Accepted (Architect) - Email primary, DNS optional
- 2025-11-20: **UPDATED** (Architect) - BOTH required (DNS + Email via rel="me")
- Changed from single-factor (email OR DNS) to two-factor (email AND DNS)
- Added rel="me" email discovery (IndieWeb standard)
- Removed user-provided email input (security improvement)
- Enhanced security model with dual verification
- TBD: Review after v1.0.0 deployment (gather user feedback)

516
docs/decisions/ADR-008-rel-me-email-discovery.md Normal file
View File

@@ -0,0 +1,516 @@
# ADR-008: rel="me" Email Discovery Pattern
Date: 2025-11-20
## Status
Accepted
## Context
Gondulf's authentication flow requires email verification as part of two-factor domain verification (see ADR-005). This raises the question: How do we obtain the user's email address?
### Email Acquisition Methods Evaluated
**1. User-Provided Email Input**
- User manually enters their email address
- Server validates email domain matches identity domain
- Simple UX pattern (familiar from many sites)
**2. DNS TXT Record**
- Email address stored in DNS: `_email.example.com` TXT `user@example.com`
- Server queries DNS to discover email
- Requires DNS configuration
**3. rel="me" Link Discovery (IndieWeb Standard)**
- User publishes email on their site: `<link rel="me" href="mailto:user@example.com">`
- Server fetches site and parses HTML for rel="me" links
- Follows IndieWeb standards for identity claims
**4. WebFinger Protocol**
- Server queries `/.well-known/webfinger?resource={domain}`
- Standard protocol for identity discovery
- Requires additional endpoint implementation
### Requirements
From the user requirement and IndieAuth ecosystem:
- **Security**: Prevent social engineering and email spoofing
- **Simplicity**: Keep v1.0.0 implementation straightforward
- **Standards**: Align with IndieWeb/IndieAuth community practices
- **Self-Documenting**: Users should understand what they're publishing
### IndieWeb Context
The IndieWeb community uses `rel="me"` as a standard way to assert identity relationships:
- Users publish rel="me" links on their homepage to various profiles (GitHub, Twitter, email, etc.)
- Other tools can discover these relationships by parsing the page
- Well-established pattern in the IndieWeb ecosystem
- Reference implementation: https://thesatelliteoflove.com
## Decision
**Gondulf v1.0.0 will discover email addresses from rel="me" links published on the user's homepage, following the IndieWeb standard.**
### Implementation Approach
1. **Fetch User's Homepage**
- When user initiates authentication with domain (e.g., `https://example.com`)
- Server fetches the homepage over HTTPS
- Timeout: 10 seconds
- Follow redirects (max 5)
- Verify SSL certificate
2. **Parse HTML for rel="me" Links**
- Use BeautifulSoup for robust HTML parsing (handles malformed HTML)
- Search for `<link rel="me" href="mailto:...">` tags
- Also check `<a rel="me" href="mailto:...">` tags
- Extract first matching mailto: link
- Case-insensitive rel attribute matching
3. **Validate Email Format**
- Basic RFC 5322 format validation
- Length checks (max 254 characters per RFC 5321)
- Format: `user@domain.tld`
4. **Use Discovered Email**
- Send verification code to discovered email
- Display partially masked email to user: `u***@example.com`
- User cannot modify email (discovered automatically)
5. **Error Handling**
- If no rel="me" link found: Display setup instructions
- If multiple mailto: links: Use first one
- If site unreachable: Display error with retry option
- If SSL verification fails: Reject (security)
### Example HTML
User adds this to their homepage:
```html
<!DOCTYPE html>
<html>
<head>
<title>Phil Skents</title>
<!-- rel="me" link for email -->
<link rel="me" href="mailto:phil@example.com">
<!-- Other rel="me" links (optional) -->
<link rel="me" href="https://github.com/philskents">
<link rel="me" href="https://twitter.com/philskents">
</head>
<body>
<h1>Phil Skents</h1>
<p>This is my personal website.</p>
</body>
</html>
```
Or visible link:
```html
<a rel="me" href="mailto:phil@example.com">Email me</a>
```
## Rationale
### Follows IndieWeb Standards
**IndieWeb Alignment**:
- rel="me" is the standard way to assert identity in IndieWeb
- Users familiar with IndieAuth likely already have rel="me" configured
- Interoperability with other IndieWeb tools
- Well-documented pattern: https://indieweb.org/rel-me
**Community Expectations**:
- IndieAuth ecosystem uses rel="me" extensively
- Users understand the pattern
- Existing tutorials and documentation available
- Aligns with decentralized identity principles
### Security Benefits
**Prevents Social Engineering**:
- User cannot claim arbitrary email addresses
- Email must be published on the user's own site
- Attacker cannot trick user into entering wrong email
- Self-attested identity (user declares on their domain)
**Reduces Attack Surface**:
- No user input field for email (no typos, no XSS)
- No email enumeration via guessing
- Email discovery transparent and auditable
- User controls what email is published
**Transparency**:
- User explicitly publishes email on their site
- Public declaration of email relationship
- User aware they're making email public
- No hidden or implicit email collection
### Implementation Simplicity
**Standard Libraries**:
- BeautifulSoup: Robust HTML parsing (handles malformed HTML)
- requests: HTTP client (widely used, well-tested)
- No custom protocols or complex parsing
- Python standard library for email validation
**Error Handling**:
- Clear error messages with setup instructions
- Graceful degradation (site unavailable, etc.)
- Standard HTTP status codes
- No complex state management
**Testing**:
- Easy to mock HTTP responses
- Straightforward unit tests
- BeautifulSoup handles edge cases (malformed HTML)
- No external service dependencies
### User Experience
**Self-Documenting**:
- User adds one HTML tag to their site
- Clear relationship between domain and email
- User understands what they're publishing
- No hidden configuration
**Familiar Pattern**:
- Similar to verifying site ownership (Google Search Console, etc.)
- Adding meta tags is common web practice
- Many users already have rel="me" for other purposes
- Works with static sites (no backend required)
**Setup Time**:
- ~1 minute to add link tag
- No waiting (unlike DNS propagation)
- Immediate verification possible
- Can be combined with other rel="me" links
## Consequences
### Positive Consequences
1. **IndieWeb Standard Compliance**:
- Follows established rel="me" pattern
- Interoperability with IndieWeb tools
- Community-vetted approach
- Well-documented standard
2. **Enhanced Security**:
- No user-provided email input (prevents social engineering)
- Email explicitly published by user
- Transparent and auditable
- Reduces phishing risk
3. **Implementation Simplicity**:
- Standard libraries (BeautifulSoup, requests)
- No complex protocols
- Easy to test and maintain
- Handles malformed HTML gracefully
4. **User Control**:
- User explicitly declares email on their site
- Can change email by updating HTML
- No hidden email collection
- User aware of public email
5. **Flexibility**:
- Works with static sites (no backend needed)
- Can use any email provider
- Email can be at different domain (e.g., Gmail)
- Supports multiple rel="me" links
### Negative Consequences
1. **Public Email Requirement**:
- User must publish email publicly on their site
- Not suitable for users who want private email
- Email harvesters can discover address
- Spam risk (mitigated: users can use spam filters)
2. **HTML Parsing Complexity**:
- Must handle various HTML formats
- Malformed HTML can cause issues (mitigated: BeautifulSoup)
- Case sensitivity considerations
- Multiple possible HTML structures
3. **Website Dependency**:
- User's site must be available during authentication
- Site downtime blocks authentication
- No fallback if site unreachable
- Requires HTTPS (not all sites have valid certificates)
4. **Discovery Failures**:
- User may not have rel="me" configured
- Link may be in wrong format
- Email may be invalid format
- Clear error messages required
5. **Privacy Considerations**:
- Email addresses visible to anyone
- Cannot use email verification without public disclosure
- Users must accept public email
- May deter privacy-conscious users
### Mitigation Strategies
**For Public Email Concern**:
- Document clearly that email will be public
- Suggest using dedicated email for IndieAuth
- Recommend spam filtering
- Note: Email is user's choice (they publish it)
**For HTML Parsing**:
```python
from bs4 import BeautifulSoup
# BeautifulSoup handles malformed HTML gracefully
soup = BeautifulSoup(html_content, 'html.parser')
# Case-insensitive attribute matching
me_links = soup.find_all('link', rel='me') + soup.find_all('a', rel='me')
# Multiple link formats supported
# <link rel="me" href="mailto:user@example.com">
# <a rel="me" href="mailto:user@example.com">Email</a>
```
**For Website Dependency**:
- Clear error messages with retry option
- Suggest checking site availability
- Timeout limits (10 seconds)
- Log errors for debugging
**For Discovery Failures**:
```markdown
Error: No rel="me" email link found
Please add this to your homepage:
<link rel="me" href="mailto:your-email@example.com">
See: https://indieweb.org/rel-me for more information.
```
## Implementation
### Email Discovery Service
```python
from bs4 import BeautifulSoup
import requests
from typing import Optional
import re
class RelMeEmailDiscovery:
"""
Discover email addresses from rel="me" links on user's homepage.
"""
def discover_email(self, domain: str) -> Optional[str]:
"""
Fetch domain homepage and discover email from rel="me" link.
Args:
domain: User's domain (e.g., "example.com")
Returns:
Email address or None if not found
"""
url = f"https://{domain}"
try:
# Fetch homepage with safety limits
response = requests.get(
url,
timeout=10,
allow_redirects=True,
max_redirects=5,
verify=True # Verify SSL certificate
)
response.raise_for_status()
# Parse HTML (handles malformed HTML)
soup = BeautifulSoup(response.content, 'html.parser')
# Find all rel="me" links
# Both <link> and <a> tags supported
me_links = soup.find_all('link', rel='me') + soup.find_all('a', rel='me')
# Look for mailto: links
for link in me_links:
href = link.get('href', '')
if href.startswith('mailto:'):
email = href.replace('mailto:', '').strip()
# Validate email format
if self._validate_email_format(email):
logger.info(f"Discovered email via rel='me' for {domain}")
return email
logger.warning(f"No rel='me' mailto: link found on {domain}")
return None
except requests.exceptions.SSLError as e:
logger.error(f"SSL verification failed for {domain}: {e}")
return None
except requests.exceptions.Timeout:
logger.error(f"Timeout fetching {domain}")
return None
except requests.exceptions.HTTPError as e:
logger.error(f"HTTP error fetching {domain}: {e}")
return None
except Exception as e:
logger.error(f"Failed to discover email for {domain}: {e}")
return None
def _validate_email_format(self, email: str) -> bool:
"""
Validate email address format.
Args:
email: Email address to validate
Returns:
True if valid format, False otherwise
"""
# Basic RFC 5322 format check
email_regex = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
if not re.match(email_regex, email):
return False
# Length check (RFC 5321)
if len(email) > 254:
return False
# Must have exactly one @
if email.count('@') != 1:
return False
return True
```
### Error Messages
```python
# DNS TXT found, but no rel="me" link
error_message = """
Domain verified via DNS, but no email found on your site.
Please add this to your homepage:
<link rel="me" href="mailto:your-email@example.com">
This allows us to discover your email address automatically.
Learn more: https://indieweb.org/rel-me
"""
# Site unreachable
error_message = """
Could not fetch your site at https://{domain}
Please check:
- Site is accessible via HTTPS
- SSL certificate is valid
- No firewall blocking requests
Try again once your site is accessible.
"""
# Invalid email format in rel="me"
error_message = """
Found rel="me" link, but email format is invalid: {email}
Please check your rel="me" link uses valid email format:
<link rel="me" href="mailto:valid-email@example.com">
"""
```
## Alternatives Considered
### Alternative 1: User-Provided Email Input
**Pros**:
- Simpler implementation (no HTTP fetch, no parsing)
- Works even if site is down
- User can use private email (not public)
- Immediate (no HTTP round-trip)
**Cons**:
- Social engineering risk (attacker tricks user into entering wrong email)
- Typo risk (user enters incorrect email)
- No self-attestation (email not on user's site)
- Not aligned with IndieWeb standards
**Rejected**: Security risks outweigh simplicity benefits. rel="me" provides self-attestation and prevents social engineering.
---
### Alternative 2: DNS TXT Record for Email
**Pros**:
- Stronger proof of domain control (DNS)
- No website dependency
- Machine-readable format
- Fast lookups (DNS cache)
**Cons**:
- Requires DNS configuration (more complex than HTML)
- DNS propagation delays (can be hours)
- Not user-friendly for non-technical users
- Not standard IndieWeb practice
**Rejected**: DNS configuration is more complex than adding HTML tag. rel="me" is more aligned with IndieWeb standards.
---
### Alternative 3: WebFinger Protocol
**Pros**:
- Standard protocol (RFC 7033)
- Machine-readable format (JSON)
- Supports multiple identities
- Well-defined spec
**Cons**:
- Requires server-side endpoint (not for static sites)
- More complex implementation
- Not common in IndieWeb ecosystem
- Overkill for email discovery
**Rejected**: Too complex for v1.0.0 MVP. Doesn't work with static sites. rel="me" is simpler and more aligned with IndieWeb.
---
### Alternative 4: Well-Known URI
**Pros**:
- Standard approach (`/.well-known/email`)
- Simple file-based implementation
- No HTML parsing required
- Fast lookups
**Cons**:
- Not an established standard for email
- Requires server configuration
- Not aligned with IndieWeb practices
- Duplicate effort (rel="me" already exists)
**Rejected**: Not standard practice. rel="me" is already established in IndieWeb ecosystem.
## References
- IndieWeb rel="me": https://indieweb.org/rel-me
- Example Implementation: https://thesatelliteoflove.com (Phil Skents' identity page)
- HTML Link Relations (W3C): https://www.w3.org/TR/html5/links.html#linkTypes
- BeautifulSoup Documentation: https://www.crummy.com/software/BeautifulSoup/
- RFC 5322 (Email Format): https://datatracker.ietf.org/doc/html/rfc5322
- RFC 5321 (SMTP): https://datatracker.ietf.org/doc/html/rfc5321
- WebFinger (RFC 7033): https://datatracker.ietf.org/doc/html/rfc7033 (alternative considered)
## Decision History
- 2025-11-20: Proposed (Architect)
- 2025-11-20: Accepted (Architect)
- Related to ADR-005 (Two-Factor Domain Verification)

2559
docs/designs/phase-2-domain-verification.md Normal file
View File

File diff suppressed because it is too large Load Diff

739
docs/designs/phase-2-implementation-guide.md Normal file
View File

@@ -0,0 +1,739 @@
# Phase 2 Implementation Guide - Specific Details
**Date**: 2024-11-20
**Architect**: Claude (Architect Agent)
**Status**: Supplementary to Phase 2 Design
**Purpose**: Provide specific implementation details for Developer clarification questions
This document supplements `/docs/designs/phase-2-domain-verification.md` with specific implementation decisions from ADR-0004.
## 1. Rate Limiting Implementation
### Approach
Implement actual in-memory rate limiting with timestamp tracking.
### Implementation Specifications
**Service Structure**:
```python
# src/gondulf/rate_limiter.py
from typing import Dict, List
import time
class RateLimiter:
"""In-memory rate limiter for domain verification attempts."""
def __init__(self, max_attempts: int = 3, window_hours: int = 1):
"""
Args:
max_attempts: Maximum attempts per domain in time window (default: 3)
window_hours: Time window in hours (default: 1)
"""
self.max_attempts = max_attempts
self.window_seconds = window_hours * 3600
self._attempts: Dict[str, List[int]] = {} # domain -> [timestamp1, timestamp2, ...]
def check_rate_limit(self, domain: str) -> bool:
"""
Check if domain has exceeded rate limit.
Args:
domain: Domain to check
Returns:
True if within rate limit, False if exceeded
"""
# Clean old timestamps first
self._clean_old_attempts(domain)
# Check current count
if domain not in self._attempts:
return True
return len(self._attempts[domain]) < self.max_attempts
def record_attempt(self, domain: str) -> None:
"""Record a verification attempt for domain."""
now = int(time.time())
if domain not in self._attempts:
self._attempts[domain] = []
self._attempts[domain].append(now)
def _clean_old_attempts(self, domain: str) -> None:
"""Remove timestamps older than window."""
if domain not in self._attempts:
return
now = int(time.time())
cutoff = now - self.window_seconds
self._attempts[domain] = [ts for ts in self._attempts[domain] if ts > cutoff]
# Remove domain entirely if no recent attempts
if not self._attempts[domain]:
del self._attempts[domain]
```
**Usage in Endpoints**:
```python
# In verification endpoint
rate_limiter = get_rate_limiter()
if not rate_limiter.check_rate_limit(domain):
return {"success": False, "error": "rate_limit_exceeded"}
rate_limiter.record_attempt(domain)
# ... proceed with verification
```
**Consequences**:
- State lost on restart (acceptable trade-off for simplicity)
- No persistence needed
- Simple dictionary-based implementation
## 2. Authorization Code Metadata Structure
### Approach
Use Phase 1's `CodeStorage` service with complete metadata structure from the start.
### Data Structure Specification
**Authorization Code Metadata**:
```python
{
"client_id": "https://client.example.com/",
"redirect_uri": "https://client.example.com/callback",
"state": "client_state_value",
"code_challenge": "base64url_encoded_challenge",
"code_challenge_method": "S256",
"scope": "profile email",
"me": "https://user.example.com/",
"created_at": 1700000000, # epoch integer
"expires_at": 1700000600, # epoch integer (created_at + 600)
"used": False # Include now, consume in Phase 3
}
```
**Storage Implementation**:
```python
# Use Phase 1's CodeStorage
code_storage = get_code_storage()
authorization_code = generate_random_code()
metadata = {
"client_id": client_id,
"redirect_uri": redirect_uri,
"state": state,
"code_challenge": code_challenge,
"code_challenge_method": code_challenge_method,
"scope": scope,
"me": me,
"created_at": int(time.time()),
"expires_at": int(time.time()) + 600,
"used": False
}
code_storage.store(f"authz:{authorization_code}", metadata, ttl=600)
```
**Rationale**:
- Epoch integers simpler than datetime objects
- Include `used` field now (Phase 3 will check/update it)
- Reuse existing `CodeStorage` infrastructure
- Key prefix `authz:` distinguishes from verification codes
## 3. HTML Template Implementation
### Approach
Use Jinja2 templates with separate template files.
### Directory Structure
```
src/gondulf/templates/
├── base.html # Shared layout
├── verify_email.html # Email verification form
├── verify_totp.html # TOTP verification form (future)
├── authorize.html # Authorization consent page
└── error.html # Generic error page
```
### Base Template
```html
<!-- src/gondulf/templates/base.html -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{% block title %}Gondulf IndieAuth{% endblock %}</title>
<style>
body {
font-family: system-ui, -apple-system, sans-serif;
max-width: 600px;
margin: 50px auto;
padding: 20px;
line-height: 1.6;
}
.error { color: #d32f2f; }
.success { color: #388e3c; }
form { margin-top: 20px; }
input, button { font-size: 16px; padding: 8px; }
button { background: #1976d2; color: white; border: none; cursor: pointer; }
button:hover { background: #1565c0; }
</style>
</head>
<body>
{% block content %}{% endblock %}
</body>
</html>
```
### Email Verification Template
```html
<!-- src/gondulf/templates/verify_email.html -->
{% extends "base.html" %}
{% block title %}Verify Email - Gondulf{% endblock %}
{% block content %}
<h1>Verify Your Email</h1>
<p>A verification code has been sent to <strong>{{ masked_email }}</strong></p>
<p>Please enter the 6-digit code to complete verification:</p>
{% if error %}
<p class="error">{{ error }}</p>
{% endif %}
<form method="POST" action="/verify/email">
<input type="hidden" name="domain" value="{{ domain }}">
<input type="text" name="code" placeholder="000000" maxlength="6" required autofocus>
<button type="submit">Verify</button>
</form>
{% endblock %}
```
### FastAPI Integration
```python
from fastapi import FastAPI, Request
from fastapi.templating import Jinja2Templates
templates = Jinja2Templates(directory="src/gondulf/templates")
@app.get("/verify/email")
async def verify_email_page(request: Request, domain: str):
masked = mask_email(discovered_email)
return templates.TemplateResponse("verify_email.html", {
"request": request,
"domain": domain,
"masked_email": masked
})
```
**Dependencies**:
- Add to `pyproject.toml`: `jinja2 = "^3.1.0"`
## 4. Database Migration Timing
### Approach
Apply migration 002 immediately as part of Phase 2 setup.
### Execution Order
1. Developer runs migration: `alembic upgrade head`
2. Migration 002 adds `two_factor` column with default value `false`
3. All Phase 2 code assumes column exists
4. New domains inserted with explicit `two_factor` value
### Migration File (if not already created)
```python
# migrations/versions/002_add_two_factor_column.py
"""Add two_factor column to domains table
Revision ID: 002
Revises: 001
Create Date: 2024-11-20
"""
from alembic import op
import sqlalchemy as sa
def upgrade():
op.add_column('domains',
sa.Column('two_factor', sa.Boolean(), nullable=False, server_default='false')
)
def downgrade():
op.drop_column('domains', 'two_factor')
```
**Rationale**:
- Keep database schema current with code expectations
- No conditional logic needed in Phase 2 code
- Clean separation: migration handles existing data, new code uses new schema
## 5. Client Validation Helper Functions
### Approach
Standalone utility functions in shared module.
### Module Structure
```python
# src/gondulf/utils/validation.py
"""Client validation and utility functions."""
from urllib.parse import urlparse
import re
def mask_email(email: str) -> str:
"""
Mask email for display: user@example.com -> u***@example.com
Args:
email: Email address to mask
Returns:
Masked email string
"""
if '@' not in email:
return email
local, domain = email.split('@', 1)
if len(local) <= 1:
return email
masked_local = local[0] + '***'
return f"{masked_local}@{domain}"
def normalize_client_id(client_id: str) -> str:
"""
Normalize client_id URL to canonical form.
Rules:
- Ensure https:// scheme
- Remove default port (443)
- Preserve path
Args:
client_id: Client ID URL
Returns:
Normalized client_id
"""
parsed = urlparse(client_id)
# Ensure https
if parsed.scheme != 'https':
raise ValueError("client_id must use https scheme")
# Remove default HTTPS port
netloc = parsed.netloc
if netloc.endswith(':443'):
netloc = netloc[:-4]
# Reconstruct
normalized = f"https://{netloc}{parsed.path}"
if parsed.query:
normalized += f"?{parsed.query}"
if parsed.fragment:
normalized += f"#{parsed.fragment}"
return normalized
def validate_redirect_uri(redirect_uri: str, client_id: str) -> bool:
"""
Validate redirect_uri against client_id per IndieAuth spec.
Rules:
- Must use https scheme (except localhost)
- Must share same origin as client_id OR
- Must be subdomain of client_id domain
Args:
redirect_uri: Redirect URI to validate
client_id: Client ID for comparison
Returns:
True if valid, False otherwise
"""
try:
redirect_parsed = urlparse(redirect_uri)
client_parsed = urlparse(client_id)
# Check scheme (allow http for localhost only)
if redirect_parsed.scheme != 'https':
if redirect_parsed.hostname not in ('localhost', '127.0.0.1'):
return False
# Same origin check
if (redirect_parsed.scheme == client_parsed.scheme and
redirect_parsed.netloc == client_parsed.netloc):
return True
# Subdomain check
redirect_host = redirect_parsed.hostname or ''
client_host = client_parsed.hostname or ''
# Must end with .{client_host}
if redirect_host.endswith(f".{client_host}"):
return True
return False
except Exception:
return False
```
**Usage**:
```python
from gondulf.utils.validation import mask_email, validate_redirect_uri, normalize_client_id
# In verification endpoint
masked = mask_email(discovered_email)
# In authorization endpoint
normalized_client = normalize_client_id(client_id)
if not validate_redirect_uri(redirect_uri, normalized_client):
return error_response("invalid_redirect_uri")
```
## 6. Error Response Format Consistency
### Approach
Use format appropriate to endpoint type.
### Format Rules by Endpoint Type
**Verification Endpoints** (`/verify/email`, `/verify/totp`):
```python
# Always return 200 OK with JSON
return JSONResponse(
status_code=200,
content={"success": False, "error": "invalid_code"}
)
```
**Authorization Endpoint - Pre-Client Validation**:
```python
# Return HTML error page if client_id not yet validated
return templates.TemplateResponse("error.html", {
"request": request,
"error": "Missing required parameter: client_id",
"error_code": "invalid_request"
}, status_code=400)
```
**Authorization Endpoint - Post-Client Validation**:
```python
# Return OAuth redirect with error parameter
from urllib.parse import urlencode
error_params = {
"error": "invalid_request",
"error_description": "Missing code_challenge parameter",
"state": request.query_params.get("state", "")
}
redirect_url = f"{redirect_uri}?{urlencode(error_params)}"
return RedirectResponse(url=redirect_url, status_code=302)
```
**Token Endpoint** (Phase 3):
```python
# Always return JSON with appropriate status code
return JSONResponse(
status_code=400,
content={
"error": "invalid_grant",
"error_description": "Authorization code has expired"
}
)
```
### Error Flow Decision Tree
```
Is this a verification endpoint?
YES -> Return JSON (200 OK) with success:false
NO -> Continue
Has client_id been validated yet?
NO -> Return HTML error page
YES -> Continue
Is redirect_uri valid?
NO -> Return HTML error page (can't redirect safely)
YES -> Return OAuth redirect with error
```
## 7. Dependency Injection Pattern
### Approach
Singleton services instantiated at startup in `dependencies.py`.
### Implementation Structure
**Dependencies Module**:
```python
# src/gondulf/dependencies.py
"""FastAPI dependency injection for services."""
from functools import lru_cache
from gondulf.config import get_config
from gondulf.database import DatabaseService
from gondulf.code_storage import CodeStorage
from gondulf.email_service import EmailService
from gondulf.dns_service import DNSService
from gondulf.html_fetcher import HTMLFetcherService
from gondulf.relme_parser import RelMeParser
from gondulf.verification_service import DomainVerificationService
from gondulf.rate_limiter import RateLimiter
# Configuration
@lru_cache()
def get_config_singleton():
"""Get singleton configuration instance."""
return get_config()
# Phase 1 Services
@lru_cache()
def get_database():
"""Get singleton database service."""
config = get_config_singleton()
return DatabaseService(config.database_url)
@lru_cache()
def get_code_storage():
"""Get singleton code storage service."""
return CodeStorage()
@lru_cache()
def get_email_service():
"""Get singleton email service."""
config = get_config_singleton()
return EmailService(
smtp_host=config.smtp_host,
smtp_port=config.smtp_port,
smtp_username=config.smtp_username,
smtp_password=config.smtp_password,
from_address=config.smtp_from_address
)
@lru_cache()
def get_dns_service():
"""Get singleton DNS service."""
config = get_config_singleton()
return DNSService(nameservers=config.dns_nameservers)
# Phase 2 Services
@lru_cache()
def get_html_fetcher():
"""Get singleton HTML fetcher service."""
return HTMLFetcherService()
@lru_cache()
def get_relme_parser():
"""Get singleton rel=me parser service."""
return RelMeParser()
@lru_cache()
def get_rate_limiter():
"""Get singleton rate limiter service."""
return RateLimiter(max_attempts=3, window_hours=1)
@lru_cache()
def get_verification_service():
"""Get singleton domain verification service."""
return DomainVerificationService(
dns_service=get_dns_service(),
email_service=get_email_service(),
code_storage=get_code_storage(),
html_fetcher=get_html_fetcher(),
relme_parser=get_relme_parser()
)
```
**Usage in Endpoints**:
```python
from fastapi import Depends
from gondulf.dependencies import get_verification_service, get_rate_limiter
@app.post("/verify/email")
async def verify_email(
domain: str,
code: str,
verification_service: DomainVerificationService = Depends(get_verification_service),
rate_limiter: RateLimiter = Depends(get_rate_limiter)
):
# Use injected services
if not rate_limiter.check_rate_limit(domain):
return {"success": False, "error": "rate_limit_exceeded"}
result = verification_service.verify_email_code(domain, code)
return {"success": result}
```
**Rationale**:
- `@lru_cache()` ensures single instance per function
- Services configured once at startup
- Consistent with Phase 1 pattern
- Simple to test (can override dependencies in tests)
## 8. Test Organization for Authorization Endpoint
### Approach
Separate test files per major endpoint with shared fixtures.
### File Structure
```
tests/
├── conftest.py # Shared fixtures and configuration
├── test_verification_endpoints.py # Email/TOTP verification tests
└── test_authorization_endpoint.py # Authorization flow tests
```
### Shared Fixtures Module
```python
# tests/conftest.py
import pytest
from fastapi.testclient import TestClient
from gondulf.main import app
from gondulf.dependencies import get_database, get_code_storage, get_rate_limiter
@pytest.fixture
def client():
"""FastAPI test client."""
return TestClient(app)
@pytest.fixture
def mock_database():
"""Mock database service for testing."""
# Create in-memory test database
from gondulf.database import DatabaseService
db = DatabaseService("sqlite:///:memory:")
db.initialize()
return db
@pytest.fixture
def mock_code_storage():
"""Mock code storage for testing."""
from gondulf.code_storage import CodeStorage
return CodeStorage()
@pytest.fixture
def mock_rate_limiter():
"""Mock rate limiter with clean state."""
from gondulf.rate_limiter import RateLimiter
return RateLimiter()
@pytest.fixture
def verified_domain(mock_database):
"""Fixture providing a pre-verified domain."""
domain = "example.com"
mock_database.store_verified_domain(
domain=domain,
email="user@example.com",
two_factor=True
)
return domain
@pytest.fixture
def override_dependencies(mock_database, mock_code_storage, mock_rate_limiter):
"""Override FastAPI dependencies with test mocks."""
app.dependency_overrides[get_database] = lambda: mock_database
app.dependency_overrides[get_code_storage] = lambda: mock_code_storage
app.dependency_overrides[get_rate_limiter] = lambda: mock_rate_limiter
yield
app.dependency_overrides.clear()
```
### Verification Endpoints Tests
```python
# tests/test_verification_endpoints.py
import pytest
class TestEmailVerification:
"""Tests for /verify/email endpoint."""
def test_email_verification_success(self, client, override_dependencies):
"""Test successful email verification."""
# Test implementation
pass
def test_email_verification_invalid_code(self, client, override_dependencies):
"""Test email verification with invalid code."""
pass
def test_email_verification_rate_limit(self, client, override_dependencies):
"""Test rate limiting on email verification."""
pass
class TestTOTPVerification:
"""Tests for /verify/totp endpoint (future)."""
pass
```
### Authorization Endpoint Tests
```python
# tests/test_authorization_endpoint.py
import pytest
from urllib.parse import parse_qs, urlparse
class TestAuthorizationEndpoint:
"""Tests for /authorize endpoint."""
def test_authorize_missing_client_id(self, client, override_dependencies):
"""Test authorization with missing client_id parameter."""
response = client.get("/authorize")
assert response.status_code == 400
assert "client_id" in response.text
def test_authorize_invalid_redirect_uri(self, client, override_dependencies):
"""Test authorization with mismatched redirect_uri."""
params = {
"client_id": "https://client.example.com/",
"redirect_uri": "https://evil.com/callback",
"response_type": "code",
"state": "test_state"
}
response = client.get("/authorize", params=params)
assert response.status_code == 400
def test_authorize_success_flow(self, client, override_dependencies, verified_domain):
"""Test complete successful authorization flow."""
# Full flow test with verified domain
params = {
"client_id": "https://client.example.com/",
"redirect_uri": "https://client.example.com/callback",
"response_type": "code",
"state": "test_state",
"code_challenge": "test_challenge",
"code_challenge_method": "S256",
"me": f"https://{verified_domain}/"
}
response = client.get("/authorize", params=params, allow_redirects=False)
assert response.status_code == 302
# Verify redirect contains authorization code
redirect_url = response.headers["location"]
parsed = urlparse(redirect_url)
query_params = parse_qs(parsed.query)
assert "code" in query_params
assert query_params["state"][0] == "test_state"
```
### Test Organization Rules
1. **One test class per major functionality** (email verification, authorization flow)
2. **Test complete flows, not internal methods** (black box testing)
3. **Use shared fixtures** for common setup (verified domains, mock services)
4. **Test both success and error paths**
5. **Test security boundaries** (rate limiting, invalid inputs, unauthorized access)
## Summary
These implementation decisions provide the Developer with unambiguous direction for Phase 2 implementation. All decisions prioritize simplicity while maintaining security and specification compliance.
**Key Principles Applied**:
- Real implementations over stubs (rate limiting, validation)
- Reuse existing infrastructure (CodeStorage, dependency pattern)
- Standard tools over custom solutions (Jinja2 templates)
- Simple data structures (epoch integers, dictionaries)
- Clear separation of concerns (utility functions, test organization)
**Next Steps for Developer**:
1. Review this guide alongside Phase 2 design document
2. Implement in the order specified by Phase 2 design
3. Follow patterns and structures defined here
4. Ask clarification questions if any ambiguity remains before implementation
All architectural decisions are now documented and ready for implementation.

328
docs/reports/2025-11-20-phase-1-foundation.md Normal file
View File

@@ -0,0 +1,328 @@
# Implementation Report: Phase 1 Foundation
**Date**: 2025-11-20
**Developer**: Claude (Developer Agent)
**Design Reference**: /home/phil/Projects/Gondulf/docs/architecture/phase1-clarifications.md
## Summary
Phase 1 Foundation has been successfully implemented. All core services are operational: configuration management, database layer with migrations, in-memory code storage, email service with SMTP/TLS support, DNS service with TXT record verification, structured logging, and FastAPI application with health check endpoint. The implementation achieved 94.16% test coverage across 96 tests, exceeding the 80% minimum requirement.
## What Was Implemented
### Components Created
1. **Configuration Module** (`src/gondulf/config.py`)
- Environment variable loading with GONDULF_ prefix
- Required SECRET_KEY validation (minimum 32 characters)
- Sensible defaults for all optional configuration
- Comprehensive validation on startup
2. **Database Layer** (`src/gondulf/database/connection.py`)
- SQLAlchemy-based database connection management
- Simple sequential migration system
- Automatic directory creation for SQLite databases
- Health check capability
- Initial schema migration (001_initial_schema.sql)
3. **Database Schema** (`src/gondulf/database/migrations/001_initial_schema.sql`)
- `authorization_codes` table for OAuth 2.0 authorization codes
- `domains` table for domain ownership verification records
- `migrations` table for tracking applied migrations
4. **In-Memory Code Storage** (`src/gondulf/storage.py`)
- Simple dict-based storage with TTL
- Automatic expiration checking on access (lazy cleanup)
- Single-use verification codes
- Manual cleanup method available
5. **Email Service** (`src/gondulf/email.py`)
- SMTP support with STARTTLS (port 587) and implicit TLS (port 465)
- Optional authentication
- Verification email templating
- Connection testing capability
6. **DNS Service** (`src/gondulf/dns.py`)
- TXT record querying using dnspython
- System DNS with public DNS fallback (Google, Cloudflare)
- Domain existence checking
- TXT record verification
7. **Logging Configuration** (`src/gondulf/logging_config.py`)
- Structured logging with Python's standard logging module
- Format: `%(asctime)s [%(levelname)s] %(name)s: %(message)s`
- Configurable log levels (DEBUG, INFO, WARNING, ERROR, CRITICAL)
- Debug mode support
8. **FastAPI Application** (`src/gondulf/main.py`)
- Application initialization and service setup
- Health check endpoint (GET /health) with database connectivity check
- Root endpoint (GET /) with service information
- Startup/shutdown event handlers
9. **Configuration Template** (`.env.example`)
- Complete documentation of all GONDULF_ environment variables
- Sensible defaults
- Examples for different deployment scenarios
### Key Implementation Details
**Configuration Management**:
- Used python-dotenv for .env file loading
- Fail-fast approach: invalid configuration prevents application startup
- Lazy loading for tests, explicit loading for production
**Database Layer**:
- Simple sequential migrations (001, 002, 003, etc.)
- Idempotent migration execution
- SQLite URL parsing for automatic directory creation
- Transaction-based migration execution
**In-Memory Storage**:
- Chose dict with manual expiration (Option B from clarifications)
- TTL stored alongside code as (code, expiry_timestamp) tuple
- Expiration checked on every access operation
- No background cleanup threads (simplicity)
**Email Service**:
- Port-based TLS determination:
- Port 465: SMTP_SSL (implicit TLS)
- Port 587 + USE_TLS: STARTTLS
- Other: Unencrypted (testing only)
- Standard library smtplib (no async needed for Phase 1)
**DNS Service**:
- dnspython Resolver with system DNS by default
- Fallback to [8.8.8.8, 1.1.1.1] if system DNS unavailable
- Graceful handling of NXDOMAIN, Timeout, NoAnswer
**Logging**:
- Standard Python logging module (no external dependencies)
- Structured information embedded in message strings
- Module-specific loggers with gondulf.* naming
## How It Was Implemented
### Approach
Implemented components in dependency order:
1. Configuration first (foundation for everything)
2. Logging setup (needed for debugging subsequent components)
3. Database layer (core data persistence)
4. Storage, Email, DNS services (independent components)
5. FastAPI application (integrates all services)
6. Comprehensive testing suite
### Deviations from Design
**Deviation 1**: Configuration Loading Timing
- **Design**: Configuration loaded on module import
- **Implementation**: Configuration loaded lazily/explicitly
- **Reason**: Module-level import-time loading broke tests. Tests need to control environment variables before config loads.
- **Impact**: Production code must explicitly call `Config.load()` and `Config.validate()` at startup (added to main.py)
**Deviation 2**: Email Service Implementation
- **Design**: Specified aiosmtplib dependency
- **Implementation**: Used standard library smtplib instead
- **Reason**: Phase 1 doesn't require async email sending. Blocking SMTP is simpler and sufficient for current needs. Aiosmtplib can be added in Phase 2 if async becomes necessary.
- **Impact**: Email sending blocks briefly (typically <1 second), acceptable for Phase 1 usage patterns
No other deviations from design.
## Issues Encountered
### Initial Test Failures
**Issue**: Configuration module loaded on import, causing all tests to fail with "GONDULF_SECRET_KEY required" error.
**Solution**: Changed configuration to lazy loading. Tests control environment, production code explicitly loads config at startup.
**Impact**: Required minor refactor of config.py and main.py. Tests now work properly.
### FastAPI TestClient Startup Events
**Issue**: TestClient wasn't triggering FastAPI startup events, causing integration tests to fail (database not initialized).
**Solution**: Used context manager pattern (`with TestClient(app) as client:`) which properly triggers startup/shutdown events.
**Impact**: Fixed 3 failing integration tests. All 96 tests now pass.
### Python Package Not Including aiosmtplib
**Issue**: Added aiosmtplib to pyproject.toml but didn't use it in implementation.
**Solution**: Removed aiosmtplib from implementation, used stdlib smtplib instead (see Deviation 2).
**Impact**: Simpler implementation, one less dependency, sufficient for Phase 1.
## Test Results
### Test Execution
```
============================= test session starts ==============================
platform linux -- Python 3.11.14, pytest-9.0.1, pluggy-1.6.0
collected 96 items
tests/integration/test_health.py::TestHealthEndpoint::test_health_check_success PASSED
tests/integration/test_health.py::TestHealthEndpoint::test_health_check_response_format PASSED
tests/integration/test_health.py::TestHealthEndpoint::test_health_check_no_auth_required PASSED
tests/integration/test_health.py::TestHealthEndpoint::test_root_endpoint PASSED
tests/integration/test_health.py::TestHealthCheckUnhealthy::test_health_check_unhealthy_bad_database PASSED
tests/unit/test_config.py::TestConfigLoad (19 tests) PASSED
tests/unit/test_config.py::TestConfigValidate (5 tests) PASSED
tests/unit/test_database.py (18 tests) PASSED
tests/unit/test_dns.py (20 tests) PASSED
tests/unit/test_email.py (16 tests) PASSED
tests/unit/test_storage.py (19 tests) PASSED
======================= 96 passed, 4 warnings in 11.06s =======================
```
All 96 tests pass successfully.
### Test Coverage
```
Name Stmts Miss Cover Missing
-------------------------------------------------------------------
src/gondulf/__init__.py 1 0 100.00%
src/gondulf/config.py 50 0 100.00%
src/gondulf/database/__init__.py 0 0 100.00%
src/gondulf/database/connection.py 93 12 87.10%
src/gondulf/dns.py 72 0 100.00%
src/gondulf/email.py 70 2 97.14%
src/gondulf/logging_config.py 13 3 76.92%
src/gondulf/main.py 59 7 88.14%
src/gondulf/storage.py 53 0 100.00%
-------------------------------------------------------------------
TOTAL 411 24 94.16%
```
**Overall Coverage**: 94.16% (exceeds 80% requirement)
**Coverage Analysis**:
- **100% coverage**: config.py, dns.py, storage.py (excellent)
- **97.14% coverage**: email.py (minor gap in error handling edge cases)
- **88.14% coverage**: main.py (uncovered: startup error paths)
- **87.10% coverage**: database/connection.py (uncovered: error handling paths)
- **76.92% coverage**: logging_config.py (uncovered: get_logger helper, acceptable)
**Coverage Gaps**:
- Uncovered lines are primarily error handling edge cases and helper functions
- All primary code paths have test coverage
- Coverage gaps are acceptable for Phase 1
### Test Scenarios
#### Unit Tests (77 tests)
**Configuration Module** (24 tests):
- Environment variable loading with valid/invalid values
- Default value application
- SECRET_KEY validation (length, presence)
- SMTP configuration (all ports, TLS modes)
- Token/code expiry configuration
- Log level validation
- Validation error cases (bad ports, negative expiries)
**Database Layer** (18 tests):
- Database initialization with various URLs
- Directory creation (SQLite, absolute/relative paths)
- Engine creation and reuse
- Health checks (success and failure)
- Migration tracking and execution
- Idempotent migrations
- Schema correctness verification
**In-Memory Storage** (19 tests):
- Code storage and verification
- Expiration handling
- Single-use enforcement
- Manual cleanup
- Multiple keys
- Code overwrites
- Custom TTL values
**Email Service** (16 tests):
- STARTTLS and implicit TLS modes
- Authentication (with and without credentials)
- Error handling (SMTP errors, auth failures)
- Message content verification
- Connection testing
**DNS Service** (20 tests):
- TXT record querying (single, multiple, multipart)
- TXT record verification
- Error handling (NXDOMAIN, timeout, DNS exceptions)
- Domain existence checking
- Resolver fallback configuration
#### Integration Tests (5 tests)
**Health Check Endpoint**:
- Success response (200 OK, correct JSON)
- Response format verification
- No authentication required
- Unhealthy response (503 Service Unavailable)
- Root endpoint functionality
### Test Results Analysis
**All tests passing**: Yes ✓
**Coverage acceptable**: Yes ✓ (94.16% > 80% requirement)
**Coverage gaps**: Minor, limited to error handling edge cases
**Known issues**: None - all functionality working as designed
## Technical Debt Created
### TD-001: FastAPI Deprecation Warnings
**Description**: FastAPI on_event decorators are deprecated in favor of lifespan context managers.
**Reason**: Using older on_event API for simplicity in Phase 1.
**Impact**: 4 deprecation warnings in test output. Application functions correctly.
**Suggested Resolution**: Migrate to lifespan context managers in Phase 2. See [FastAPI Lifespan Events](https://fastapi.tiangolo.com/advanced/events/).
### TD-002: Limited Error Recovery in Database Migrations
**Description**: Migration failures are not rollback-safe. Partially applied migrations could leave database in inconsistent state.
**Reason**: Simple migration system prioritizes clarity over robustness for Phase 1.
**Impact**: Low risk with simple schema. Higher risk as schema complexity grows.
**Suggested Resolution**: Add transaction rollback on migration failure or migrate to Alembic in Phase 2.
### TD-003: Missing Async Email Support
**Description**: Email service uses synchronous smtplib, blocking briefly during sends.
**Reason**: Sufficient for Phase 1 with infrequent email sending.
**Impact**: Minor latency on verification email endpoints (typically <1s).
**Suggested Resolution**: Migrate to aiosmtplib or use background task queue in Phase 2 when email volume increases.
## Next Steps
**Immediate** (Phase 1 Complete):
1. Architect review of this implementation report
2. Address any requested changes
3. Merge Phase 1 foundation to main branch
**Phase 2 Prerequisites**:
1. Domain verification service (uses email + DNS services)
2. Domain verification UI endpoints
3. Authorization endpoint (uses domain verification)
4. Token endpoint (uses database)
**Follow-up Tasks**:
1. Consider lifespan migration (TD-001) before Phase 2
2. Monitor email sending performance (TD-003)
3. Document database backup/restore procedures
## Sign-off
**Implementation status**: Complete
**Ready for Architect review**: Yes
**Test coverage**: 94.16% (exceeds 80% requirement)
**Deviations from design**: 2 (documented above, both minor)
**All Phase 1 exit criteria met**: Yes
**Exit Criteria Verification**:
- ✓ All foundation services have passing unit tests
- ✓ Application starts without errors
- ✓ Health check endpoint returns 200
- ✓ Email can be sent successfully (tested with mocks)
- ✓ DNS queries resolve correctly (tested with mocks)
- ✓ Database migrations run successfully
- ✓ Configuration loads and validates correctly
- ✓ Test coverage exceeds 80%
Phase 1 Foundation is complete and ready for the next development phase.

199
docs/reports/2025-11-20-project-initialization.md Normal file
View File

@@ -0,0 +1,199 @@
# Implementation Report: Project Initialization
**Date**: 2025-11-20
**Developer**: Developer Agent
**Design Reference**: /docs/standards/ (project standards suite)
## Summary
Successfully initialized the Gondulf IndieAuth server project structure with all foundational components, development environment, documentation structure, and project standards. The project is now ready for feature development with a complete development environment, git repository, dependency management, and comprehensive standards documentation. All setup verification tests passed successfully.
## What Was Implemented
### Directory Structure Created
- `/src/gondulf/` - Main application package with `__init__.py`
- `/tests/` - Test suite root with `__init__.py`
- `/docs/standards/` - Project standards documentation
- `/docs/architecture/` - Architecture documentation (directory ready)
- `/docs/designs/` - Feature design documents (directory ready)
- `/docs/decisions/` - Architecture Decision Records
- `/docs/roadmap/` - Version planning (directory ready)
- `/docs/reports/` - Implementation reports (directory ready)
- `/.claude/agents/` - Agent role definitions
### Configuration Files Created
- **pyproject.toml**: Complete Python project configuration including:
- Project metadata (name, version 0.1.0-dev, description, license)
- Python 3.10+ requirement
- Production dependencies (FastAPI, SQLAlchemy, Pydantic, uvicorn)
- Development dependencies (Black, Ruff, mypy, isort, bandit)
- Test dependencies (pytest suite with coverage, async, mocking, factories)
- Tool configurations (Black, isort, mypy, pytest, coverage, Ruff)
- **.gitignore**: Comprehensive ignore patterns for Python, IDEs, databases, environment files
- **README.md**: Complete project documentation with installation, usage, development workflow
- **uv.lock**: Dependency lockfile for reproducible environments
### Documentation Files Created
- **CLAUDE.md**: Main project coordination document
- **/docs/standards/README.md**: Standards directory overview
- **/docs/standards/versioning.md**: Semantic versioning v2.0.0 standard
- **/docs/standards/git.md**: Trunk-based development workflow
- **/docs/standards/testing.md**: Testing strategy with 80% minimum coverage requirement
- **/docs/standards/coding.md**: Python coding standards and conventions
- **/docs/standards/development-environment.md**: uv-based environment management workflow
- **/docs/decisions/ADR-001-python-framework-selection.md**: FastAPI framework decision
- **/docs/decisions/ADR-002-uv-environment-management.md**: uv tooling decision
- **/.claude/agents/architect.md**: Architect agent role definition
- **/.claude/agents/developer.md**: Developer agent role definition
### Development Environment Setup
- Virtual environment created at `.venv/` using uv
- All production dependencies installed via uv
- All development and test dependencies installed via uv
- Package installed in editable mode for development
### Version Control Setup
- Git repository initialized
- Two commits created:
1. "chore: initialize gondulf project structure"
2. "fix(config): update ruff configuration to modern format"
- Working tree clean with all files committed
## How It Was Implemented
### Approach
1. **Standards-First**: Created comprehensive standards documentation before any code
2. **ADR Documentation**: Documented key architectural decisions (FastAPI, uv) as ADRs
3. **Environment Configuration**: Set up uv-based development environment with direct execution model
4. **Dependency Management**: Configured pyproject.toml with appropriate dependency groups
5. **Tool Configuration**: Configured all development tools (linting, type checking, testing, formatting)
6. **Git Workflow**: Initialized repository following trunk-based development standard
7. **Documentation**: Created comprehensive README and development environment guide
### Implementation Order
1. Created directory structure following project standards
2. Wrote all standards documentation in `/docs/standards/`
3. Created Architecture Decision Records for key technology choices
4. Created project configuration in `pyproject.toml`
5. Set up `.gitignore` with comprehensive ignore patterns
6. Initialized virtual environment with `uv venv`
7. Installed all dependencies using `uv pip install -e ".[dev,test]"`
8. Created comprehensive README.md
9. Initialized git repository and made initial commits
10. Created agent role definitions
### Key Configuration Decisions
- **Python Version**: 3.10+ minimum (aligns with FastAPI requirements and modern type hints)
- **Line Length**: 88 characters (Black default, applied consistently across all tools)
- **Test Organization**: Markers for unit/integration/e2e tests
- **Coverage Target**: 80% minimum, 90% for new code
- **Async Support**: pytest-asyncio configured with auto mode
- **Type Checking**: Strict mypy configuration with untyped definitions disallowed
### Deviations from Design
No deviations from standards. All implementation followed the documented standards in `/docs/standards/` exactly as specified.
## Issues Encountered
### Challenges
1. **Ruff Configuration Format**: Initial pyproject.toml used older Ruff configuration format
- **Resolution**: Updated to modern `[tool.ruff.lint]` format with `select` and `ignore` arrays
- **Impact**: Required a second git commit to fix the configuration
- **Status**: Resolved successfully
### Unexpected Discoveries
1. **uv Lockfile**: uv automatically created a comprehensive lockfile (uv.lock, 262KB) ensuring reproducible installations
- This is a positive feature that enhances reproducibility
- No action needed, lockfile committed to repository
No significant issues encountered. Setup process was straightforward.
## Test Results
### Setup Verification Tests
```bash
# Package import test
$ uv run python -c "import gondulf; print('Package import successful')"
Package import successful
# Pytest installation verification
$ uv run pytest --version
pytest 9.0.1
# Ruff installation verification
$ uv run ruff --version
ruff 0.14.5
# Mypy installation verification
$ uv run mypy --version
mypy 1.18.2 (compiled: yes)
```
### Verification Results
- Package successfully importable: PASS
- Test framework installed: PASS
- Linting tool installed: PASS
- Type checking tool installed: PASS
- Virtual environment functional: PASS
- Direct execution model working: PASS
### Test Coverage
Not applicable for project initialization. No application code yet to test.
### Functional Tests Performed
1. **Package Import**: Verified gondulf package can be imported in Python
2. **Tool Availability**: Verified all development tools are accessible via `uv run`
3. **Git Status**: Verified repository is clean with all files committed
4. **Environment Isolation**: Verified virtual environment is properly isolated
All verification tests passed successfully.
## Technical Debt Created
No technical debt identified. The project initialization follows all standards and best practices.
### Future Considerations (Not Debt)
1. **CI/CD Pipeline**: Not yet implemented (not required for initialization phase)
- Should be added when first features are implemented
- GitHub Actions workflow to run tests, linting, type checking
2. **Pre-commit Hooks**: Not yet configured (optional enhancement)
- Could add pre-commit hooks for automatic linting/formatting
- Would ensure code quality before commits
These are future enhancements, not technical debt from this implementation.
## Next Steps
### Immediate Next Steps
1. **Architect Review**: This implementation report requires Architect review and approval
2. **Architecture Phase**: Once approved, Architect should proceed with Phase 1 (Architecture & Standards):
- Review W3C IndieAuth specification
- Create `/docs/architecture/overview.md`
- Create `/docs/architecture/indieauth-protocol.md`
- Create `/docs/architecture/security.md`
- Create initial feature backlog in `/docs/roadmap/backlog.md`
- Create first version plan
### Project State
- Project structure: COMPLETE
- Development environment: COMPLETE
- Standards documentation: COMPLETE
- Version control: COMPLETE
- Ready for architecture phase: YES
### Dependencies
No blockers. The Architect can begin the architecture and planning phase immediately upon approval of this implementation report.
## Sign-off
**Implementation status**: Complete
**Ready for Architect review**: Yes
**Environment verification**: All tools functional and verified
**Git status**: Clean working tree, all files committed
**Standards compliance**: Full compliance with all project standards

711
docs/roadmap/backlog.md Normal file
View File

@@ -0,0 +1,711 @@
# Feature Backlog
This document tracks all planned features for Gondulf, sized using t-shirt sizes based on estimated implementation effort.
**T-shirt sizes**:
- **XS (Extra Small)**: < 1 day of implementation
- **S (Small)**: 1-2 days of implementation
- **M (Medium)**: 3-5 days of implementation
- **L (Large)**: 1-2 weeks of implementation
- **XL (Extra Large)**: 2+ weeks (should be broken down)
**Priority levels**:
- **P0**: Required for v1.0.0 (MVP blocker)
- **P1**: High priority for post-v1.0.0
- **P2**: Medium priority, nice to have
- **P3**: Low priority, future consideration
## v1.0.0 MVP Features (P0)
These features are REQUIRED for the first production-ready release.
### Core Infrastructure (M)
**What**: Basic FastAPI application structure, configuration management, error handling.
**Includes**:
- FastAPI app initialization
- Environment-based configuration (Pydantic Settings)
- Logging setup (structured logging)
- Error handling middleware
- Security headers middleware
- Health check endpoint
**Dependencies**: None
**Acceptance Criteria**:
- Application starts successfully
- Configuration loads from environment
- Logging outputs structured JSON
- /health endpoint returns 200 OK
- Security headers present on all responses
**Effort**: 3-5 days
---
### Database Schema & Storage Layer (S)
**What**: SQLite schema definition and SQLAlchemy Core setup.
**Includes**:
- SQLAlchemy Core connection setup
- Schema definition (tokens, domains tables)
- Migration approach (simple SQL files for v1.0.0)
- Connection pooling
- Database initialization script
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Database initializes on first run
- Tables created correctly
- SQLAlchemy Core queries work
- File permissions set correctly (600)
**Effort**: 1-2 days
---
### In-Memory Storage (XS)
**What**: TTL-based in-memory storage for authorization codes and email verification codes.
**Includes**:
- Python dict-based storage with expiration
- Automatic cleanup of expired entries
- Thread-safe operations (if needed)
- Storage interface abstraction (for future Redis migration)
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Codes expire after configured TTL
- Expired codes automatically removed
- Thread-safe operations
- Memory usage bounded
**Effort**: < 1 day
---
### Email Service (S)
**What**: SMTP-based email sending for verification codes.
**Includes**:
- SMTP configuration (host, port, credentials)
- Email template rendering
- Verification code email generation
- Error handling (connection failures, send failures)
- TLS/STARTTLS support
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Emails sent successfully via configured SMTP
- Templates render correctly
- Errors logged appropriately
- TLS connection established
**Effort**: 1-2 days
---
### DNS Service (S)
**What**: DNS TXT record verification for domain ownership.
**Includes**:
- DNS query implementation (using dnspython)
- TXT record validation logic
- Multi-resolver consensus (Google + Cloudflare)
- Timeout handling
- Result caching in database
**Dependencies**: Database Schema
**Acceptance Criteria**:
- TXT records verified correctly
- Multiple resolvers queried
- Timeouts handled gracefully
- Results cached in database
**Effort**: 1-2 days
---
### Domain Service (M)
**What**: Domain ownership validation and management.
**Includes**:
- Domain normalization
- TXT record verification flow
- Email verification flow (fallback)
- Domain ownership caching
- Periodic re-verification (background task)
**Dependencies**: Email Service, DNS Service, Database Schema
**Acceptance Criteria**:
- Both verification methods work
- TXT record preferred over email
- Verification results cached
- Re-verification scheduled correctly
**Effort**: 3-5 days
---
### Authorization Endpoint (M)
**What**: `/authorize` endpoint implementing IndieAuth authorization flow.
**Includes**:
- Request parameter validation (me, client_id, redirect_uri, state, response_type)
- Client metadata fetching (h-app microformat parsing)
- URL validation (open redirect prevention)
- User consent form rendering
- Authorization code generation
- Redirect to client with code + state
**Dependencies**: Domain Service, In-Memory Storage
**Acceptance Criteria**:
- All parameters validated per spec
- Client metadata fetched and displayed
- User consent required
- Authorization codes generated securely
- Redirects work correctly
- Errors handled per OAuth 2.0 spec
**Effort**: 3-5 days
---
### Token Endpoint (S)
**What**: `/token` endpoint implementing token exchange.
**Includes**:
- Request parameter validation (grant_type, code, client_id, redirect_uri, me)
- Authorization code verification
- Single-use code enforcement
- Access token generation
- Token storage (hashed)
- JSON response formatting
**Dependencies**: Authorization Endpoint, Database Schema
**Acceptance Criteria**:
- All parameters validated
- Codes verified correctly
- Single-use enforced (replay prevention)
- Tokens generated securely
- Tokens stored as hashes
- Response format per spec
**Effort**: 1-2 days
---
### Metadata Endpoint (XS)
**What**: `/.well-known/oauth-authorization-server` discovery endpoint.
**Includes**:
- Static JSON response
- Endpoint URLs
- Supported features list
- Caching headers
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Returns valid JSON per RFC 8414
- Correct endpoint URLs
- Cache-Control headers set
**Effort**: < 1 day
---
### Email Verification UI (S)
**What**: Web forms for email verification flow.
**Includes**:
- Email address input form
- Verification code input form
- Error message display
- Success/failure feedback
- Basic styling (minimal, functional)
**Dependencies**: Email Service, Domain Service
**Acceptance Criteria**:
- Forms render correctly
- Client-side validation
- Error messages clear
- Accessible (WCAG AA)
**Effort**: 1-2 days
---
### Authorization Consent UI (S)
**What**: User consent screen for authorization.
**Includes**:
- Client information display (name, icon, URL)
- Domain identity display (me parameter)
- Approve/Deny buttons
- Security warnings (if redirect_uri differs)
- Basic styling (minimal, functional)
**Dependencies**: Authorization Endpoint
**Acceptance Criteria**:
- Client info displayed correctly
- User can approve/deny
- Security warnings shown when appropriate
- Accessible (WCAG AA)
**Effort**: 1-2 days
---
### Security Hardening (S)
**What**: Implementation of all v1.0.0 security requirements.
**Includes**:
- HTTPS enforcement (production)
- Security headers (HSTS, CSP, etc.)
- Constant-time token comparison
- Input sanitization
- SQL injection prevention (parameterized queries)
- Logging security (no PII)
**Dependencies**: All endpoints
**Acceptance Criteria**:
- HTTPS enforced in production
- All security headers present
- No timing attack vulnerabilities
- No SQL injection vulnerabilities
- Logs contain no PII
**Effort**: 1-2 days
---
### Deployment Configuration (S)
**What**: Docker setup and deployment documentation.
**Includes**:
- Dockerfile (multi-stage build)
- docker-compose.yml (for testing)
- Environment variable documentation
- Backup script (SQLite file copy)
- Health check configuration
**Dependencies**: All features
**Acceptance Criteria**:
- Docker image builds successfully
- Container runs properly
- Environment variables documented
- Backup script works
- Health checks pass
**Effort**: 1-2 days
---
### Comprehensive Test Suite (L)
**What**: 80%+ code coverage with unit, integration, and e2e tests.
**Includes**:
- Unit tests for all services
- Integration tests for endpoints
- End-to-end IndieAuth flow tests
- Security tests (timing attacks, injection, etc.)
- Compliance tests (W3C spec verification)
**Dependencies**: All features
**Acceptance Criteria**:
- 80%+ overall coverage
- 95%+ coverage for auth/token/security code
- All tests passing
- Fast execution (< 1 minute for unit tests)
**Effort**: 1-2 weeks (parallel with development)
---
## Post-v1.0.0 Features
### PKCE Support (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: Implement Proof Key for Code Exchange (RFC 7636) for enhanced security.
**Includes**:
- Accept `code_challenge` and `code_challenge_method` in /authorize
- Validate `code_verifier` in /token
- Support S256 challenge method
- Update metadata endpoint
**Effort**: 1-2 days
**Rationale**: Deferred from v1.0.0 per ADR-003 for MVP simplicity. Should be added in v1.1.0.
---
### Token Revocation (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: `/token/revoke` endpoint per RFC 7009.
**Includes**:
- Revocation endpoint implementation
- Mark tokens as revoked in database
- Return appropriate responses
- Update metadata endpoint
**Effort**: 1-2 days
---
### Token Refresh (M)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: Refresh token support for long-lived sessions.
**Includes**:
- Refresh token generation and storage
- `refresh_token` grant type support
- Rotation of refresh tokens (security best practice)
- Expiration management
**Effort**: 3-5 days
---
### Rate Limiting (M)
**Priority**: P1
**Dependencies**: Core Infrastructure
**What**: Request rate limiting to prevent abuse.
**Includes**:
- Redis-based rate limiting
- Per-endpoint limits
- Per-IP and per-client_id limits
- Exponential backoff on failures
- Rate limit headers (X-RateLimit-*)
**Effort**: 3-5 days
**Note**: Requires Redis, breaking single-process assumption.
---
### Admin Dashboard (L)
**Priority**: P2
**Dependencies**: All v1.0.0 features
**What**: Web-based admin interface for server management.
**Includes**:
- Active tokens view
- Domain verification status
- Revoke tokens manually
- View audit logs
- Configuration management
**Effort**: 1-2 weeks
---
### Client Pre-Registration (M)
**Priority**: P2
**Dependencies**: Authorization Endpoint
**What**: Allow admin to pre-register known clients.
**Includes**:
- Client registration UI (admin-only)
- Store registered clients in database
- Skip metadata fetching for registered clients
- Manage redirect URIs per client
**Effort**: 3-5 days
**Note**: Not required per spec, but useful for trusted clients.
---
### Token Introspection (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: `/token/verify` endpoint for resource servers.
**Includes**:
- Verify token validity
- Return token metadata (me, client_id, scope)
- Support Bearer authentication
- Rate limiting
**Effort**: 1-2 days
---
### Scope Support (Authorization) (L)
**Priority**: P1
**Dependencies**: Token Endpoint, Token Introspection
**What**: Full OAuth 2.0 scope-based authorization.
**Includes**:
- Scope validation and parsing
- Scope consent UI (checkboxes)
- Token scope storage and verification
- Scope-based access control
- Standard scopes (profile, email, create, update, delete)
**Effort**: 1-2 weeks
**Note**: Major feature, expands from authentication to authorization.
---
### GitHub/GitLab Providers (M)
**Priority**: P2
**Dependencies**: Domain Service
**What**: Alternative authentication via GitHub/GitLab (like IndieLogin).
**Includes**:
- OAuth 2.0 client for GitHub/GitLab
- Link GitHub username to domain (via profile URL)
- Verify domain ownership via GitHub/GitLab profile
- Provider selection UI
**Effort**: 3-5 days
**Note**: Per user request, email-only in v1.0.0. This is future enhancement.
---
### WebAuthn Support (L)
**Priority**: P2
**Dependencies**: Domain Service
**What**: Passwordless authentication via WebAuthn (FIDO2).
**Includes**:
- WebAuthn registration flow
- WebAuthn authentication flow
- Credential storage
- Browser compatibility
- Fallback to email
**Effort**: 1-2 weeks
---
### PostgreSQL Support (S)
**Priority**: P2
**Dependencies**: Database Schema
**What**: Support PostgreSQL as alternative to SQLite.
**Includes**:
- Connection configuration
- Schema adaptation (minimal changes)
- Migration from SQLite
- Documentation
**Effort**: 1-2 days
**Note**: SQLAlchemy Core makes this trivial.
---
### Prometheus Metrics (S)
**Priority**: P2
**Dependencies**: Core Infrastructure
**What**: `/metrics` endpoint for Prometheus scraping.
**Includes**:
- Request counters (by endpoint, status)
- Response time histograms
- Token generation rate
- Email send success rate
- Error rate by type
**Effort**: 1-2 days
---
### Internationalization (M)
**Priority**: P3
**Dependencies**: UI components
**What**: Multi-language support for user-facing pages.
**Includes**:
- i18n framework (Babel)
- English (default)
- Extract translatable strings
- Translation workflow
**Effort**: 3-5 days
**Note**: Low priority, English-first acceptable for MVP.
---
## Technical Debt
Technical debt items are tracked here with a DEBT: prefix. Per project standards, each release must allocate at least 10% of effort to technical debt reduction.
### DEBT: TD-001 - FastAPI Lifespan Migration (XS)
**Created**: 2025-11-20 (Phase 1 review)
**Priority**: P2
**Component**: Core Infrastructure
**Issue**: Using deprecated `@app.on_event()` decorators instead of lifespan context manager.
**Impact**:
- Deprecation warnings in FastAPI 0.109+
- Will break in future FastAPI version
- Not following current best practices
**Current Mitigation**: Still works in current FastAPI version.
**Effort to Fix**: < 1 day
- Replace `@app.on_event("startup")` with lifespan context manager
- Update database initialization to use lifespan
- Update tests if needed
**Plan**: Address in v1.1.0 or during FastAPI upgrade.
**References**: FastAPI lifespan documentation
---
### DEBT: TD-002 - Database Migration Rollback Safety (S)
**Created**: 2025-11-20 (Phase 1 review)
**Priority**: P2
**Component**: Database Layer
**Issue**: No migration rollback capability. Migrations are one-way only.
**Impact**:
- Cannot easily roll back schema changes
- Requires manual SQL to undo migrations
- Risk during production deployments
**Current Mitigation**: Simple schema, manual SQL backups acceptable for v1.0.0.
**Effort to Fix**: 1-2 days
- Integrate Alembic for migration management
- Create rollback scripts for existing migrations
- Update deployment documentation
**Plan**: Address before v1.1.0 when schema changes become more frequent.
**References**: Alembic documentation
---
### DEBT: TD-003 - Async Email Support (S)
**Created**: 2025-11-20 (Phase 1 review)
**Priority**: P2
**Component**: Email Service
**Issue**: Synchronous SMTP blocks request thread during email sending.
**Impact**:
- Email sending delays response to user (1-5 seconds)
- Thread blocked during SMTP operation
- Poor UX during slow email delivery
**Current Mitigation**: Acceptable for low-volume v1.0.0. Timeout limits (10s) prevent long blocks.
**Effort to Fix**: 1-2 days
- Implement background task queue (FastAPI BackgroundTasks or Celery)
- Make email sending non-blocking
- Update UX to show "Sending email..." message
- Add retry logic for failed sends
**Plan**: Address in v1.1.0 when user volume increases or when UX feedback indicates issue.
**Alternative**: Use async SMTP library (aiosmtplib)
---
### DEBT: TD-004 - Add Redis for Session Storage (M)
**Created**: 2025-11-20 (architectural decision)
**Priority**: P2
**Component**: Storage Layer
**Issue**: In-memory storage doesn't survive restarts.
**Impact**: Authorization codes and email codes lost on restart.
**Mitigation (current)**: Codes are short-lived (10-15 min), restart impact minimal.
**Effort to Fix**: 3-5 days (Redis integration, deployment changes)
**Plan**: Address when scaling beyond single process or when restarts become frequent.
---
## Backlog Management
### Adding New Features
When adding features to the backlog:
1. Define clear scope and acceptance criteria
2. Assign t-shirt size
3. Assign priority (P0-P3)
4. Identify dependencies
5. Estimate effort in days
6. Add to appropriate section
### Prioritization Criteria
Features are prioritized based on:
1. **MVP requirement**: Is it required for v1.0.0?
2. **Security impact**: Does it improve security?
3. **User value**: How much does it benefit users?
4. **Complexity**: Simpler features prioritized when value equal
5. **Dependencies**: Features blocking others prioritized
### Technical Debt Policy
- Minimum 10% effort per release allocated to technical debt
- Technical debt items must have:
- Creation date
- Issue description
- Current impact and mitigation
- Effort to fix
- Resolution plan
- Debt reviewed quarterly, re-prioritized based on impact
## Version Planning
See version-specific roadmap files:
- `/docs/roadmap/v1.0.0.md` - MVP features and plan
- `/docs/roadmap/v1.1.0.md` - First post-MVP release (future)
- `/docs/roadmap/v2.0.0.md` - Major feature release (future)
## Estimation Accuracy
After each feature implementation, review estimation accuracy:
- Compare actual effort vs. estimated
- Update t-shirt size if significantly different
- Document lessons learned
- Adjust future estimates accordingly
Current estimation baseline: TBD (will be established after v1.0.0 completion)

593
docs/roadmap/v1.0.0.md Normal file
View File

@@ -0,0 +1,593 @@
# Version 1.0.0 Release Plan
## Release Overview
**Target Version**: 1.0.0
**Release Type**: Initial MVP (Minimum Viable Product)
**Target Date**: TBD (6-8 weeks from project start)
**Status**: Planning
## Release Goals
### Primary Objective
Deliver a production-ready, W3C IndieAuth-compliant authentication server that:
1. Allows users to authenticate using their domain as their identity
2. Supports email-based domain ownership verification
3. Enables any compliant IndieAuth client to authenticate successfully
4. Operates securely in a Docker-based deployment
5. Supports 10s of users with room to scale
### Success Criteria
**Functional**:
- ✅ Complete IndieAuth authentication flow (authorization + token exchange)
- ✅ Email-based domain ownership verification
- ✅ DNS TXT record verification (preferred method)
- ✅ Secure token generation and storage
- ✅ Client metadata fetching (h-app microformat)
**Quality**:
- ✅ 80%+ overall test coverage
- ✅ 95%+ coverage for authentication/token/security code
- ✅ All security best practices implemented
- ✅ Comprehensive documentation
**Operational**:
- ✅ Docker deployment ready
- ✅ Simple SQLite backup strategy
- ✅ Health check endpoint
- ✅ Structured logging
**Compliance**:
- ✅ W3C IndieAuth specification compliance
- ✅ OAuth 2.0 error responses
- ✅ Security headers and HTTPS enforcement
## Feature Scope
### Included Features (P0)
All features listed below are REQUIRED for v1.0.0 release.
| Feature | Size | Effort (days) | Dependencies |
|---------|------|---------------|--------------|
| Core Infrastructure | M | 3-5 | None |
| Database Schema & Storage Layer | S | 1-2 | Core Infrastructure |
| In-Memory Storage | XS | <1 | Core Infrastructure |
| Email Service | S | 1-2 | Core Infrastructure |
| DNS Service | S | 1-2 | Database Schema |
| Domain Service | M | 3-5 | Email, DNS, Database |
| Authorization Endpoint | M | 3-5 | Domain Service, In-Memory |
| Token Endpoint | S | 1-2 | Authorization Endpoint, Database |
| Metadata Endpoint | XS | <1 | Core Infrastructure |
| Email Verification UI | S | 1-2 | Email Service, Domain Service |
| Authorization Consent UI | S | 1-2 | Authorization Endpoint |
| Security Hardening | S | 1-2 | All endpoints |
| Deployment Configuration | S | 1-2 | All features |
| Comprehensive Test Suite | L | 10-14 | All features (parallel) |
**Total Estimated Effort**: 32-44 days of development + testing
### Explicitly Excluded Features
These features are intentionally deferred to post-v1.0.0 releases:
**Excluded (for simplicity)**:
- ❌ PKCE support (planned for v1.1.0, see ADR-003)
- ❌ Token refresh (planned for v1.1.0)
- ❌ Token revocation (planned for v1.1.0)
- ❌ Scope-based authorization (planned for v1.2.0)
- ❌ Rate limiting (planned for v1.1.0)
**Excluded (not needed for MVP)**:
- ❌ Admin dashboard (planned for v1.2.0)
- ❌ Client pre-registration (planned for v1.2.0)
- ❌ Alternative auth providers (GitHub/GitLab) (planned for v1.3.0)
- ❌ WebAuthn support (planned for v2.0.0)
- ❌ PostgreSQL support (planned for v1.2.0)
- ❌ Prometheus metrics (planned for v1.1.0)
**Rationale**: Focus on core authentication functionality with minimal complexity. Additional features add value but increase risk and development time. MVP should prove the concept and gather user feedback.
## Implementation Plan
### Phase 1: Foundation (Week 1-2)
**Goal**: Establish application foundation and core services.
**Features**:
1. Core Infrastructure (M) - 3-5 days
2. Database Schema & Storage Layer (S) - 1-2 days
3. In-Memory Storage (XS) - <1 day
4. Email Service (S) - 1-2 days
5. DNS Service (S) - 1-2 days
**Deliverables**:
- FastAPI application running
- Configuration management working
- SQLite database initialized
- Email sending functional
- DNS queries working
- Unit tests for all services (80%+ coverage)
**Risks**:
- SMTP configuration issues (mitigation: test with real SMTP early)
- DNS query timeouts (mitigation: implement retries and fallback)
**Exit Criteria**:
- All foundation services have passing unit tests
- Application starts without errors
- Health check endpoint returns 200
- Email can be sent successfully
- DNS queries resolve correctly
---
### Phase 2: Domain Verification (Week 2-3)
**Goal**: Implement complete domain ownership verification flows.
**Features**:
1. Domain Service (M) - 3-5 days
2. Email Verification UI (S) - 1-2 days
**Deliverables**:
- TXT record verification working
- Email verification flow complete
- Domain ownership caching in database
- User-facing verification forms
- Integration tests for both verification methods
**Risks**:
- Email delivery failures (mitigation: comprehensive error handling)
- DNS propagation delays (mitigation: cache results, allow retry)
- UI/UX complexity (mitigation: keep forms minimal)
**Exit Criteria**:
- Both verification methods work end-to-end
- TXT record verification preferred when available
- Email fallback works when TXT record absent
- Verification results cached in database
- UI forms accessible and functional
---
### Phase 3: IndieAuth Protocol (Week 3-5)
**Goal**: Implement core IndieAuth endpoints (authorization and token).
**Features**:
1. Authorization Endpoint (M) - 3-5 days
2. Token Endpoint (S) - 1-2 days
3. Metadata Endpoint (XS) - <1 day
4. Authorization Consent UI (S) - 1-2 days
**Deliverables**:
- /authorize endpoint with full validation
- /token endpoint with code exchange
- /.well-known/oauth-authorization-server metadata
- Client metadata fetching (h-app)
- User consent screen
- OAuth 2.0 compliant error responses
- Integration tests for full auth flow
**Risks**:
- Client metadata fetching failures (mitigation: timeouts, fallbacks)
- Open redirect vulnerabilities (mitigation: thorough URL validation)
- State parameter handling (mitigation: clear documentation, tests)
**Exit Criteria**:
- Authorization flow completes successfully
- Tokens generated and validated
- Client metadata displayed correctly
- All parameter validation working
- Error responses compliant with OAuth 2.0
- End-to-end tests pass
---
### Phase 4: Security & Hardening (Week 5-6)
**Goal**: Ensure all security requirements met and production-ready.
**Features**:
1. Security Hardening (S) - 1-2 days
2. Security testing - 2-3 days
**Deliverables**:
- HTTPS enforcement (production)
- Security headers on all responses
- Constant-time token comparison
- Input sanitization throughout
- SQL injection prevention verified
- No PII in logs
- Security test suite (timing attacks, injection, etc.)
- Security documentation review
**Risks**:
- Undiscovered vulnerabilities (mitigation: comprehensive security testing)
- Performance impact of security measures (mitigation: benchmark)
**Exit Criteria**:
- All security tests passing
- Security headers verified
- HTTPS enforced in production
- Timing attack tests pass
- SQL injection tests pass
- No sensitive data in logs
- External security review recommended (optional but encouraged)
---
### Phase 5: Deployment & Testing (Week 6-8)
**Goal**: Prepare for production deployment with comprehensive testing.
**Features**:
1. Deployment Configuration (S) - 1-2 days
2. Comprehensive Test Suite (L) - ongoing
3. Documentation review and updates - 2-3 days
4. Integration testing with real clients - 2-3 days
**Deliverables**:
- Dockerfile with multi-stage build
- docker-compose.yml for testing
- Backup script for SQLite
- Complete environment variable documentation
- 80%+ test coverage achieved
- All documentation reviewed and updated
- Tested with at least one real IndieAuth client
- Release notes prepared
**Risks**:
- Docker build issues (mitigation: test early and often)
- Interoperability issues with clients (mitigation: test multiple clients)
- Documentation gaps (mitigation: external review)
**Exit Criteria**:
- Docker image builds successfully
- Container runs in production-like environment
- All tests passing (unit, integration, e2e, security)
- Test coverage ≥80% overall, ≥95% for critical code
- Successfully authenticates with real IndieAuth client
- Documentation complete and accurate
- Release notes approved
---
## Testing Strategy
### Test Coverage Requirements
**Overall**: 80% minimum coverage
**Critical Paths** (auth, token, security): 95% minimum coverage
**New Code**: 90% coverage required
### Test Levels
**Unit Tests** (70% of test suite):
- All services (Domain, Email, DNS, Auth, Token)
- All utility functions
- Input validation
- Error handling
- Fast execution (<1 minute total)
**Integration Tests** (20% of test suite):
- Endpoint tests (FastAPI TestClient)
- Database operations
- Email sending (mocked SMTP)
- DNS queries (mocked resolver)
- Multi-component workflows
**End-to-End Tests** (10% of test suite):
- Complete authentication flow
- Email verification flow
- TXT record verification flow
- Error scenarios
- OAuth 2.0 error responses
**Security Tests**:
- Timing attack resistance (token verification)
- SQL injection prevention
- XSS prevention (HTML escaping)
- Open redirect prevention
- CSRF protection (state parameter)
- Input validation edge cases
**Compliance Tests**:
- W3C IndieAuth specification adherence
- OAuth 2.0 error response format
- Required parameters validation
- Optional parameters handling
### Test Execution
**Local Development**:
```bash
# All tests
uv run pytest
# With coverage
uv run pytest --cov=src/gondulf --cov-report=html --cov-report=term-missing
# Specific test level
uv run pytest -m unit
uv run pytest -m integration
uv run pytest -m e2e
uv run pytest -m security
```
**CI/CD Pipeline**:
- Run on every commit to main
- Run on all pull requests
- Block merge if tests fail
- Block merge if coverage drops
- Generate coverage reports
**Pre-release**:
- Full test suite execution
- Manual end-to-end testing
- Test with real IndieAuth clients
- Security scan (bandit, pip-audit)
- Performance baseline
---
## Risk Assessment
### High-Risk Areas
**Email Delivery**:
- **Risk**: SMTP configuration issues or delivery failures
- **Impact**: Users cannot verify domain ownership
- **Mitigation**:
- Comprehensive error handling and logging
- Test with real SMTP early in development
- Provide clear error messages to users
- Support TXT record as primary verification method
- **Contingency**: Admin can manually verify domains if email fails
**Security Vulnerabilities**:
- **Risk**: Security flaws in authentication/authorization logic
- **Impact**: Unauthorized access, data exposure
- **Mitigation**:
- Follow OAuth 2.0 security best practices
- Comprehensive security testing
- External security review (recommended)
- Conservative defaults
- **Contingency**: Rapid patch release if vulnerability found
**Interoperability**:
- **Risk**: Incompatibility with IndieAuth clients
- **Impact**: Clients cannot authenticate
- **Mitigation**:
- Strict W3C spec compliance
- Test with multiple clients
- Reference implementation comparison
- **Contingency**: Fix and patch release
### Medium-Risk Areas
**Client Metadata Fetching**:
- **Risk**: Timeout or parse failures when fetching client_id
- **Impact**: Poor UX (generic client display)
- **Mitigation**:
- Aggressive timeouts (5 seconds)
- Fallback to domain name
- Cache successful fetches
- **Contingency**: Display warning, continue with basic info
**DNS Resolution**:
- **Risk**: DNS query failures or timeouts
- **Impact**: TXT verification unavailable
- **Mitigation**:
- Multiple resolvers (Google + Cloudflare)
- Timeout handling
- Fallback to email verification
- **Contingency**: Email verification as alternative
**Database Performance**:
- **Risk**: SQLite performance degrades with usage
- **Impact**: Slow response times
- **Mitigation**:
- Indexes on critical columns
- Periodic cleanup of expired tokens
- Benchmark under load
- **Contingency**: Migrate to PostgreSQL if needed (already supported by SQLAlchemy)
### Low-Risk Areas
**Deployment**:
- **Risk**: Docker issues or configuration errors
- **Impact**: Cannot deploy
- **Mitigation**: Test deployment early, document thoroughly
**UI/UX**:
- **Risk**: Forms confusing or inaccessible
- **Impact**: User frustration
- **Mitigation**: Keep forms simple, test accessibility
---
## Release Checklist
### Pre-Release
- [ ] All P0 features implemented
- [ ] All tests passing (unit, integration, e2e, security)
- [ ] Test coverage ≥80% overall, ≥95% critical paths
- [ ] Security scan completed (bandit, pip-audit)
- [ ] Documentation complete and reviewed
- [ ] Tested with real IndieAuth client(s)
- [ ] Docker image builds successfully
- [ ] Deployment tested in production-like environment
- [ ] Environment variables documented
- [ ] Backup/restore procedure tested
- [ ] Release notes drafted
- [ ] Version bumped to 1.0.0 in pyproject.toml
### Security Review
- [ ] HTTPS enforcement verified
- [ ] Security headers present
- [ ] No PII in logs
- [ ] Constant-time comparisons verified
- [ ] SQL injection tests pass
- [ ] Open redirect tests pass
- [ ] CSRF protection verified
- [ ] Timing attack tests pass
- [ ] Input validation comprehensive
- [ ] External security review recommended (optional)
### Documentation Review
- [ ] README.md accurate and complete
- [ ] /docs/architecture/ documents accurate
- [ ] /docs/standards/ documents followed
- [ ] Installation guide tested
- [ ] Configuration guide complete
- [ ] Deployment guide tested
- [ ] API documentation generated (OpenAPI)
- [ ] Troubleshooting guide created
### Deployment Verification
- [ ] Docker image tagged with v1.0.0
- [ ] Docker image pushed to registry
- [ ] Test deployment successful
- [ ] Health check endpoint responds
- [ ] Logging working correctly
- [ ] Backup script functional
- [ ] Environment variables set correctly
- [ ] HTTPS certificate valid
### Release Publication
- [ ] Git tag created: v1.0.0
- [ ] GitHub release created with notes
- [ ] Docker image published
- [ ] Documentation published
- [ ] Announcement prepared (optional)
---
## Post-Release Activities
### Monitoring (First Week)
- Monitor logs for errors
- Track authentication success/failure rates
- Monitor email delivery success
- Monitor DNS query failures
- Monitor response times
- Collect user feedback
### Support
- Respond to bug reports within 24 hours
- Security issues: patch within 24-48 hours
- Feature requests: triage and add to backlog
- Documentation improvements: apply quickly
### Retrospective (After 2 Weeks)
- Review actual vs. estimated effort
- Document lessons learned
- Update estimation baseline
- Identify technical debt
- Plan v1.1.0 features
---
## Version 1.1.0 Preview
Tentative features for next release:
**High Priority**:
- PKCE support (ADR-003 resolution)
- Token revocation endpoint
- Rate limiting (Redis-based)
- Token introspection endpoint
**Medium Priority**:
- Token refresh
- Prometheus metrics
- Enhanced logging
**Technical Debt**:
- Schema migrations (Alembic)
- Redis integration (if scaling needed)
**Target**: 4-6 weeks after v1.0.0 release
---
## Success Metrics
### Release Success
The v1.0.0 release is successful if:
1. **Functional**: At least one real-world user successfully authenticates
2. **Quality**: No critical bugs reported in first week
3. **Security**: No security vulnerabilities reported in first month
4. **Operational**: Server runs stably for 1 week without restarts
5. **Compliance**: Successfully interoperates with ≥2 different IndieAuth clients
### User Success
Users are successful if:
1. Can verify domain ownership (either method) in <5 minutes
2. Can complete authentication flow in <2 minutes
3. Understand what is happening at each step
4. Feel secure about the process
5. Experience no unexpected errors
### Developer Success
Development process is successful if:
1. Actual effort within 20% of estimated effort
2. No major scope changes during development
3. Test coverage goals met
4. No cutting corners on security
5. Documentation kept up-to-date during development
---
## Budget
**Total Estimated Effort**: 32-44 days of development + 10-14 days of testing (parallel)
**Breakdown**:
- Phase 1 (Foundation): 7-11 days
- Phase 2 (Domain Verification): 4-7 days
- Phase 3 (IndieAuth Protocol): 6-9 days
- Phase 4 (Security): 3-5 days
- Phase 5 (Deployment & Testing): 5-8 days
- Testing (parallel throughout): 10-14 days
**Technical Debt Allocation**: 10% = 4-5 days
- Schema migration prep
- Redis integration groundwork
- Documentation improvements
**Total Timeline**: 6-8 weeks (assuming 1 developer, ~5 days/week)
---
## Approval
This release plan requires review and approval by:
- [x] Architect (design complete)
- [ ] Developer (feasibility confirmed)
- [ ] User (scope confirmed)
Once approved, this plan becomes the binding contract for v1.0.0 development.
**Approved by**: TBD
**Approval Date**: TBD
**Development Start Date**: TBD
**Target Release Date**: TBD

3
pyproject.toml
View File

@@ -26,6 +26,9 @@ dependencies = [
"pydantic>=2.0.0", "pydantic>=2.0.0",
"pydantic-settings>=2.0.0", "pydantic-settings>=2.0.0",
"python-multipart>=0.0.6", "python-multipart>=0.0.6",
"python-dotenv>=1.0.0",
"dnspython>=2.4.0",
"aiosmtplib>=3.0.0",
] ]
[project.optional-dependencies] [project.optional-dependencies]

125
src/gondulf/config.py Normal file
View File

@@ -0,0 +1,125 @@
"""
Configuration management for Gondulf IndieAuth server.
Loads configuration from environment variables with GONDULF_ prefix.
Validates required settings on startup and provides sensible defaults.
"""
import os
from typing import Optional
from dotenv import load_dotenv
# Load environment variables from .env file if present
load_dotenv()
class ConfigurationError(Exception):
"""Raised when configuration is invalid or missing required values."""
pass
class Config:
"""Application configuration loaded from environment variables."""
# Required settings - no defaults
SECRET_KEY: str
# Database
DATABASE_URL: str
# SMTP Configuration
SMTP_HOST: str
SMTP_PORT: int
SMTP_USERNAME: Optional[str]
SMTP_PASSWORD: Optional[str]
SMTP_FROM: str
SMTP_USE_TLS: bool
# Token and Code Expiry (seconds)
TOKEN_EXPIRY: int
CODE_EXPIRY: int
# Logging
LOG_LEVEL: str
DEBUG: bool
@classmethod
def load(cls) -> None:
"""
Load and validate configuration from environment variables.
Raises:
ConfigurationError: If required settings are missing or invalid
"""
# Required - SECRET_KEY must exist and be sufficiently long
secret_key = os.getenv("GONDULF_SECRET_KEY")
if not secret_key:
raise ConfigurationError(
"GONDULF_SECRET_KEY is required. Generate with: "
"python -c \"import secrets; print(secrets.token_urlsafe(32))\""
)
if len(secret_key) < 32:
raise ConfigurationError(
"GONDULF_SECRET_KEY must be at least 32 characters for security"
)
cls.SECRET_KEY = secret_key
# Database - with sensible default
cls.DATABASE_URL = os.getenv(
"GONDULF_DATABASE_URL", "sqlite:///./data/gondulf.db"
)
# SMTP Configuration
cls.SMTP_HOST = os.getenv("GONDULF_SMTP_HOST", "localhost")
cls.SMTP_PORT = int(os.getenv("GONDULF_SMTP_PORT", "587"))
cls.SMTP_USERNAME = os.getenv("GONDULF_SMTP_USERNAME") or None
cls.SMTP_PASSWORD = os.getenv("GONDULF_SMTP_PASSWORD") or None
cls.SMTP_FROM = os.getenv("GONDULF_SMTP_FROM", "noreply@example.com")
cls.SMTP_USE_TLS = os.getenv("GONDULF_SMTP_USE_TLS", "true").lower() == "true"
# Token and Code Expiry
cls.TOKEN_EXPIRY = int(os.getenv("GONDULF_TOKEN_EXPIRY", "3600"))
cls.CODE_EXPIRY = int(os.getenv("GONDULF_CODE_EXPIRY", "600"))
# Logging
cls.DEBUG = os.getenv("GONDULF_DEBUG", "false").lower() == "true"
# If DEBUG is true, default LOG_LEVEL to DEBUG, otherwise INFO
default_log_level = "DEBUG" if cls.DEBUG else "INFO"
cls.LOG_LEVEL = os.getenv("GONDULF_LOG_LEVEL", default_log_level).upper()
# Validate log level
valid_log_levels = {"DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"}
if cls.LOG_LEVEL not in valid_log_levels:
raise ConfigurationError(
f"GONDULF_LOG_LEVEL must be one of: {', '.join(valid_log_levels)}"
)
@classmethod
def validate(cls) -> None:
"""
Validate configuration after loading.
Performs additional validation beyond initial loading.
"""
# Validate SMTP port is reasonable
if cls.SMTP_PORT < 1 or cls.SMTP_PORT > 65535:
raise ConfigurationError(
f"GONDULF_SMTP_PORT must be between 1 and 65535, got {cls.SMTP_PORT}"
)
# Validate expiry times are positive
if cls.TOKEN_EXPIRY <= 0:
raise ConfigurationError(
f"GONDULF_TOKEN_EXPIRY must be positive, got {cls.TOKEN_EXPIRY}"
)
if cls.CODE_EXPIRY <= 0:
raise ConfigurationError(
f"GONDULF_CODE_EXPIRY must be positive, got {cls.CODE_EXPIRY}"
)
# Configuration is loaded lazily or explicitly by the application
# Tests should call Config.load() explicitly in fixtures
# Production code should call Config.load() at startup

1
src/gondulf/database/__init__.py Normal file
View File

@@ -0,0 +1 @@
"""Database module for Gondulf IndieAuth server."""

226
src/gondulf/database/connection.py Normal file
View File

@@ -0,0 +1,226 @@
"""
Database connection management and migrations for Gondulf.
Provides database initialization, migration running, and health checks.
"""
import logging
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse
from sqlalchemy import create_engine, text
from sqlalchemy.engine import Engine
from sqlalchemy.exc import SQLAlchemyError
logger = logging.getLogger("gondulf.database")
class DatabaseError(Exception):
"""Raised when database operations fail."""
pass
class Database:
"""
Database connection manager with migration support.
Handles database initialization, migration execution, and health checks.
"""
def __init__(self, database_url: str):
"""
Initialize database connection.
Args:
database_url: SQLAlchemy database URL (e.g., sqlite:///./data/gondulf.db)
"""
self.database_url = database_url
self._engine: Optional[Engine] = None
def ensure_database_directory(self) -> None:
"""
Create database directory if it doesn't exist (for SQLite).
Only applies to SQLite databases. Creates parent directory structure.
"""
if self.database_url.startswith("sqlite:///"):
# Parse path from URL
# sqlite:///./data/gondulf.db -> ./data/gondulf.db
# sqlite:////var/lib/gondulf/gondulf.db -> /var/lib/gondulf/gondulf.db
db_path_str = self.database_url.replace("sqlite:///", "", 1)
db_file = Path(db_path_str)
# Create parent directory if needed
db_file.parent.mkdir(parents=True, exist_ok=True)
logger.info(f"Database directory ensured: {db_file.parent}")
def get_engine(self) -> Engine:
"""
Get or create SQLAlchemy engine.
Returns:
SQLAlchemy Engine instance
Raises:
DatabaseError: If engine creation fails
"""
if self._engine is None:
try:
self._engine = create_engine(
self.database_url,
echo=False, # Don't log all SQL statements
pool_pre_ping=True, # Verify connections before using
)
logger.debug(f"Created database engine for {self.database_url}")
except Exception as e:
raise DatabaseError(f"Failed to create database engine: {e}") from e
return self._engine
def check_health(self, timeout_seconds: int = 5) -> bool:
"""
Check if database is accessible and healthy.
Args:
timeout_seconds: Query timeout in seconds
Returns:
True if database is healthy, False otherwise
"""
try:
engine = self.get_engine()
with engine.connect() as conn:
# Simple health check query
result = conn.execute(text("SELECT 1"))
result.fetchone()
logger.debug("Database health check passed")
return True
except Exception as e:
logger.warning(f"Database health check failed: {e}")
return False
def get_applied_migrations(self) -> set[int]:
"""
Get set of applied migration versions.
Returns:
Set of migration version numbers that have been applied
Raises:
DatabaseError: If query fails
"""
try:
engine = self.get_engine()
with engine.connect() as conn:
# Check if migrations table exists first
try:
result = conn.execute(text("SELECT version FROM migrations"))
versions = {row[0] for row in result}
logger.debug(f"Applied migrations: {versions}")
return versions
except SQLAlchemyError:
# Migrations table doesn't exist yet
logger.debug("Migrations table does not exist yet")
return set()
except Exception as e:
raise DatabaseError(f"Failed to query applied migrations: {e}") from e
def run_migration(self, version: int, sql_file_path: Path) -> None:
"""
Run a single migration file.
Args:
version: Migration version number
sql_file_path: Path to SQL migration file
Raises:
DatabaseError: If migration fails
"""
try:
logger.info(f"Running migration {version}: {sql_file_path.name}")
# Read SQL file
sql_content = sql_file_path.read_text()
# Execute migration in a transaction
engine = self.get_engine()
with engine.begin() as conn:
# Split by semicolons and execute each statement
# Note: This is simple splitting, doesn't handle semicolons in strings
statements = [s.strip() for s in sql_content.split(";") if s.strip()]
for statement in statements:
if statement:
conn.execute(text(statement))
logger.info(f"Migration {version} completed successfully")
except Exception as e:
raise DatabaseError(f"Migration {version} failed: {e}") from e
def run_migrations(self) -> None:
"""
Run all pending database migrations.
Discovers migration files in migrations/ directory and runs any that haven't
been applied yet.
Raises:
DatabaseError: If migrations fail
"""
# Get migrations directory
migrations_dir = Path(__file__).parent / "migrations"
if not migrations_dir.exists():
logger.warning(f"Migrations directory not found: {migrations_dir}")
return
# Get applied migrations
applied = self.get_applied_migrations()
# Find all migration files
migration_files = sorted(migrations_dir.glob("*.sql"))
if not migration_files:
logger.info("No migration files found")
return
# Run pending migrations in order
for migration_file in migration_files:
# Extract version number from filename (e.g., "001_initial_schema.sql" -> 1)
try:
version = int(migration_file.stem.split("_")[0])
except (ValueError, IndexError):
logger.warning(f"Skipping invalid migration filename: {migration_file}")
continue
if version not in applied:
self.run_migration(version, migration_file)
else:
logger.debug(f"Migration {version} already applied, skipping")
logger.info("All migrations completed")
def initialize(self) -> None:
"""
Initialize database: create directories and run migrations.
This is the main entry point for setting up the database.
Raises:
DatabaseError: If initialization fails
"""
logger.info("Initializing database")
# Ensure database directory exists (for SQLite)
self.ensure_database_directory()
# Run migrations
self.run_migrations()
# Verify database is healthy
if not self.check_health():
raise DatabaseError("Database health check failed after initialization")
logger.info("Database initialization complete")

38
src/gondulf/database/migrations/001_initial_schema.sql Normal file
View File

@@ -0,0 +1,38 @@
-- Migration 001: Initial schema for Gondulf v1.0.0 Phase 1
-- Creates tables for authorization codes, domain verification, and migration tracking
-- Authorization codes table
-- Stores temporary OAuth 2.0 authorization codes with PKCE support
CREATE TABLE authorization_codes (
code TEXT PRIMARY KEY,
client_id TEXT NOT NULL,
redirect_uri TEXT NOT NULL,
state TEXT,
code_challenge TEXT,
code_challenge_method TEXT,
scope TEXT,
me TEXT NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Domains table
-- Stores domain ownership verification records
CREATE TABLE domains (
domain TEXT PRIMARY KEY,
email TEXT NOT NULL,
verification_code TEXT NOT NULL,
verified BOOLEAN NOT NULL DEFAULT FALSE,
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
verified_at TIMESTAMP
);
-- Migrations table
-- Tracks applied database migrations
CREATE TABLE migrations (
version INTEGER PRIMARY KEY,
description TEXT NOT NULL,
applied_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Record this migration
INSERT INTO migrations (version, description) VALUES (1, 'Initial schema - authorization_codes, domains, migrations tables');

160
src/gondulf/dns.py Normal file
View File

@@ -0,0 +1,160 @@
"""
DNS service for TXT record verification.
Provides domain verification via DNS TXT records with system DNS resolver
and fallback to public DNS servers.
"""
import logging
from typing import List, Optional
import dns.resolver
from dns.exception import DNSException
logger = logging.getLogger("gondulf.dns")
class DNSError(Exception):
"""Raised when DNS queries fail."""
pass
class DNSService:
"""
DNS resolver service for TXT record verification.
Uses system DNS with fallback to public DNS (Google and Cloudflare).
"""
def __init__(self) -> None:
"""Initialize DNS service with system resolver and public fallbacks."""
self.resolver = self._create_resolver()
logger.debug("DNSService initialized with system resolver")
def _create_resolver(self) -> dns.resolver.Resolver:
"""
Create DNS resolver with system DNS and public fallbacks.
Returns:
Configured DNS resolver
"""
resolver = dns.resolver.Resolver()
# System DNS is already configured by default
# If system DNS fails to load, use public DNS as fallback
if not resolver.nameservers:
logger.info("System DNS not available, using public DNS fallback")
resolver.nameservers = ["8.8.8.8", "1.1.1.1"]
else:
logger.debug(f"Using system DNS: {resolver.nameservers}")
return resolver
def get_txt_records(self, domain: str) -> List[str]:
"""
Query TXT records for a domain.
Args:
domain: Domain name to query
Returns:
List of TXT record strings (decoded from bytes)
Raises:
DNSError: If DNS query fails
"""
try:
logger.debug(f"Querying TXT records for domain={domain}")
answers = self.resolver.resolve(domain, "TXT")
# Extract and decode TXT records
txt_records = []
for rdata in answers:
# Each TXT record can have multiple strings, join them
txt_value = "".join([s.decode("utf-8") for s in rdata.strings])
txt_records.append(txt_value)
logger.info(f"Found {len(txt_records)} TXT record(s) for domain={domain}")
return txt_records
except dns.resolver.NXDOMAIN:
logger.debug(f"Domain does not exist: {domain}")
raise DNSError(f"Domain does not exist: {domain}")
except dns.resolver.NoAnswer:
logger.debug(f"No TXT records found for domain={domain}")
return [] # No TXT records is not an error, return empty list
except dns.resolver.Timeout:
logger.warning(f"DNS query timeout for domain={domain}")
raise DNSError(f"DNS query timeout for domain: {domain}")
except DNSException as e:
logger.error(f"DNS query failed for domain={domain}: {e}")
raise DNSError(f"DNS query failed: {e}") from e
def verify_txt_record(self, domain: str, expected_value: str) -> bool:
"""
Verify that domain has a TXT record with the expected value.
Args:
domain: Domain name to verify
expected_value: Expected TXT record value
Returns:
True if expected value found in TXT records, False otherwise
"""
try:
txt_records = self.get_txt_records(domain)
# Check if expected value is in any TXT record
for record in txt_records:
if expected_value in record:
logger.info(
f"TXT record verification successful for domain={domain}"
)
return True
logger.debug(
f"TXT record verification failed: expected value not found "
f"for domain={domain}"
)
return False
except DNSError as e:
logger.warning(f"TXT record verification failed for domain={domain}: {e}")
return False
def check_domain_exists(self, domain: str) -> bool:
"""
Check if a domain exists (has any DNS records).
Args:
domain: Domain name to check
Returns:
True if domain exists, False otherwise
"""
try:
# Try to resolve A or AAAA record
try:
self.resolver.resolve(domain, "A")
logger.debug(f"Domain exists (A record): {domain}")
return True
except dns.resolver.NoAnswer:
# Try AAAA if no A record
try:
self.resolver.resolve(domain, "AAAA")
logger.debug(f"Domain exists (AAAA record): {domain}")
return True
except dns.resolver.NoAnswer:
# Try any record type (TXT, MX, etc.)
# If NXDOMAIN not raised, domain exists
logger.debug(f"Domain exists (other records): {domain}")
return True
except dns.resolver.NXDOMAIN:
logger.debug(f"Domain does not exist: {domain}")
return False
except DNSException as e:
logger.warning(f"DNS check failed for domain={domain}: {e}")
# Treat DNS errors as "unknown" - return False to be safe
return False

177
src/gondulf/email.py Normal file
View File

@@ -0,0 +1,177 @@
"""
Email service for sending verification codes via SMTP.
Supports both STARTTLS (port 587) and implicit TLS (port 465) based on
configuration. Handles authentication and error cases.
"""
import logging
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Optional
logger = logging.getLogger("gondulf.email")
class EmailError(Exception):
"""Raised when email sending fails."""
pass
class EmailService:
"""
SMTP email service for sending verification emails.
Supports STARTTLS and implicit TLS configurations based on port number.
"""
def __init__(
self,
smtp_host: str,
smtp_port: int,
smtp_from: str,
smtp_username: Optional[str] = None,
smtp_password: Optional[str] = None,
smtp_use_tls: bool = True,
):
"""
Initialize email service.
Args:
smtp_host: SMTP server hostname
smtp_port: SMTP server port (587 for STARTTLS, 465 for implicit TLS)
smtp_from: From address for sent emails
smtp_username: SMTP username for authentication (optional)
smtp_password: SMTP password for authentication (optional)
smtp_use_tls: Whether to use TLS (STARTTLS on port 587)
"""
self.smtp_host = smtp_host
self.smtp_port = smtp_port
self.smtp_from = smtp_from
self.smtp_username = smtp_username
self.smtp_password = smtp_password
self.smtp_use_tls = smtp_use_tls
logger.debug(
f"EmailService initialized: host={smtp_host} port={smtp_port} "
f"tls={smtp_use_tls}"
)
def send_verification_code(self, to_email: str, code: str, domain: str) -> None:
"""
Send domain verification code via email.
Args:
to_email: Recipient email address
code: Verification code to send
domain: Domain being verified
Raises:
EmailError: If sending fails
"""
subject = f"Domain Verification Code for {domain}"
body = f"""
Hello,
Your domain verification code for {domain} is:
{code}
This code will expire in 10 minutes.
If you did not request this verification, please ignore this email.
---
Gondulf IndieAuth Server
"""
try:
self._send_email(to_email, subject, body)
logger.info(f"Verification code sent to {to_email} for domain={domain}")
except Exception as e:
logger.error(f"Failed to send verification email to {to_email}: {e}")
raise EmailError(f"Failed to send verification email: {e}") from e
def _send_email(self, to_email: str, subject: str, body: str) -> None:
"""
Send email via SMTP.
Handles STARTTLS vs implicit TLS based on port configuration.
Args:
to_email: Recipient email address
subject: Email subject
body: Email body (plain text)
Raises:
EmailError: If sending fails
"""
# Create message
msg = MIMEMultipart()
msg["From"] = self.smtp_from
msg["To"] = to_email
msg["Subject"] = subject
msg.attach(MIMEText(body, "plain"))
try:
# Determine connection type based on port
if self.smtp_port == 465:
# Implicit TLS (SSL/TLS from start)
logger.debug("Using implicit TLS (SMTP_SSL)")
server = smtplib.SMTP_SSL(self.smtp_host, self.smtp_port, timeout=10)
elif self.smtp_port == 587 and self.smtp_use_tls:
# STARTTLS (upgrade plain connection to TLS)
logger.debug("Using STARTTLS")
server = smtplib.SMTP(self.smtp_host, self.smtp_port, timeout=10)
server.starttls()
else:
# Unencrypted (for testing only)
logger.warning("Using unencrypted SMTP connection")
server = smtplib.SMTP(self.smtp_host, self.smtp_port, timeout=10)
# Authenticate if credentials provided
if self.smtp_username and self.smtp_password:
logger.debug(f"Authenticating as {self.smtp_username}")
server.login(self.smtp_username, self.smtp_password)
# Send email
server.send_message(msg)
server.quit()
logger.debug(f"Email sent successfully to {to_email}")
except smtplib.SMTPAuthenticationError as e:
raise EmailError(f"SMTP authentication failed: {e}") from e
except smtplib.SMTPException as e:
raise EmailError(f"SMTP error: {e}") from e
except Exception as e:
raise EmailError(f"Failed to send email: {e}") from e
def test_connection(self) -> bool:
"""
Test SMTP connection and authentication.
Returns:
True if connection successful, False otherwise
"""
try:
if self.smtp_port == 465:
server = smtplib.SMTP_SSL(self.smtp_host, self.smtp_port, timeout=10)
elif self.smtp_port == 587 and self.smtp_use_tls:
server = smtplib.SMTP(self.smtp_host, self.smtp_port, timeout=10)
server.starttls()
else:
server = smtplib.SMTP(self.smtp_host, self.smtp_port, timeout=10)
if self.smtp_username and self.smtp_password:
server.login(self.smtp_username, self.smtp_password)
server.quit()
logger.info("SMTP connection test successful")
return True
except Exception as e:
logger.warning(f"SMTP connection test failed: {e}")
return False

57
src/gondulf/logging_config.py Normal file
View File

@@ -0,0 +1,57 @@
"""
Logging configuration for Gondulf IndieAuth server.
Provides structured logging with consistent format across all modules.
Uses Python's standard logging module with configurable levels.
"""
import logging
import sys
def configure_logging(log_level: str = "INFO", debug: bool = False) -> None:
"""
Configure application logging.
Sets up structured logging format and level for all Gondulf modules.
Logs to stdout/stderr for container-friendly output.
Args:
log_level: Logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
debug: If True, overrides log_level to DEBUG
"""
# Determine effective log level
effective_level = "DEBUG" if debug else log_level
# Configure root logger
logging.basicConfig(
level=effective_level,
format="%(asctime)s [%(levelname)s] %(name)s: %(message)s",
datefmt="%Y-%m-%d %H:%M:%S",
stream=sys.stdout,
force=True, # Override any existing configuration
)
# Set level for gondulf modules specifically
gondulf_logger = logging.getLogger("gondulf")
gondulf_logger.setLevel(effective_level)
# Reduce noise from third-party libraries in production
if not debug:
logging.getLogger("urllib3").setLevel(logging.WARNING)
logging.getLogger("sqlalchemy").setLevel(logging.WARNING)
logging.info(f"Logging configured: level={effective_level}")
def get_logger(name: str) -> logging.Logger:
"""
Get a logger instance for a module.
Args:
name: Logger name (typically __name__ from calling module)
Returns:
Configured logger instance
"""
return logging.getLogger(name)

166
src/gondulf/main.py Normal file
View File

@@ -0,0 +1,166 @@
"""
Gondulf IndieAuth Server - Main application entry point.
FastAPI application with health check endpoint and core service initialization.
"""
import logging
from fastapi import FastAPI
from fastapi.responses import JSONResponse
from gondulf.config import Config
from gondulf.database.connection import Database
from gondulf.dns import DNSService
from gondulf.email import EmailService
from gondulf.logging_config import configure_logging
from gondulf.storage import CodeStore
# Load configuration at application startup
Config.load()
Config.validate()
# Configure logging
configure_logging(log_level=Config.LOG_LEVEL, debug=Config.DEBUG)
logger = logging.getLogger("gondulf.main")
# Initialize FastAPI application
app = FastAPI(
title="Gondulf IndieAuth Server",
description="Self-hosted IndieAuth authentication server",
version="0.1.0-dev",
)
# Initialize core services
database: Database = None
code_store: CodeStore = None
email_service: EmailService = None
dns_service: DNSService = None
@app.on_event("startup")
async def startup_event() -> None:
"""
Initialize application on startup.
Initializes database, code storage, email service, and DNS service.
"""
global database, code_store, email_service, dns_service
logger.info("Starting Gondulf IndieAuth Server")
logger.info(f"Configuration: DATABASE_URL={Config.DATABASE_URL}")
logger.info(f"Configuration: SMTP_HOST={Config.SMTP_HOST}:{Config.SMTP_PORT}")
logger.info(f"Configuration: DEBUG={Config.DEBUG}")
try:
# Initialize database
logger.info("Initializing database")
database = Database(Config.DATABASE_URL)
database.initialize()
logger.info("Database initialized successfully")
# Initialize code store
logger.info("Initializing code store")
code_store = CodeStore(ttl_seconds=Config.CODE_EXPIRY)
logger.info(f"Code store initialized with TTL={Config.CODE_EXPIRY}s")
# Initialize email service
logger.info("Initializing email service")
email_service = EmailService(
smtp_host=Config.SMTP_HOST,
smtp_port=Config.SMTP_PORT,
smtp_from=Config.SMTP_FROM,
smtp_username=Config.SMTP_USERNAME,
smtp_password=Config.SMTP_PASSWORD,
smtp_use_tls=Config.SMTP_USE_TLS,
)
logger.info("Email service initialized")
# Initialize DNS service
logger.info("Initializing DNS service")
dns_service = DNSService()
logger.info("DNS service initialized")
logger.info("Gondulf startup complete")
except Exception as e:
logger.critical(f"Failed to initialize application: {e}")
raise
@app.on_event("shutdown")
async def shutdown_event() -> None:
"""Clean up resources on shutdown."""
logger.info("Shutting down Gondulf IndieAuth Server")
@app.get("/health")
async def health_check() -> JSONResponse:
"""
Health check endpoint.
Verifies that the application is running and database is accessible.
Does not require authentication.
Returns:
JSON response with health status:
- 200 OK: {"status": "healthy", "database": "connected"}
- 503 Service Unavailable: {"status": "unhealthy", "database": "error", "error": "..."}
"""
# Check database connectivity
if database is None:
logger.warning("Health check failed: database not initialized")
return JSONResponse(
status_code=503,
content={
"status": "unhealthy",
"database": "error",
"error": "database not initialized",
},
)
is_healthy = database.check_health(timeout_seconds=5)
if is_healthy:
logger.debug("Health check passed")
return JSONResponse(
status_code=200,
content={"status": "healthy", "database": "connected"},
)
else:
logger.warning("Health check failed: unable to connect to database")
return JSONResponse(
status_code=503,
content={
"status": "unhealthy",
"database": "error",
"error": "unable to connect to database",
},
)
@app.get("/")
async def root() -> dict:
"""
Root endpoint.
Returns basic server information.
"""
return {
"service": "Gondulf IndieAuth Server",
"version": "0.1.0-dev",
"status": "operational",
}
# Entry point for uvicorn
if __name__ == "__main__":
import uvicorn
uvicorn.run(
"gondulf.main:app",
host="0.0.0.0",
port=8000,
reload=Config.DEBUG,
log_level=Config.LOG_LEVEL.lower(),
)

150
src/gondulf/storage.py Normal file
View File

@@ -0,0 +1,150 @@
"""
In-memory storage for short-lived codes with TTL.
Provides simple dict-based storage for email verification codes and authorization
codes with automatic expiration checking on access.
"""
import logging
import time
from typing import Dict, Optional, Tuple
logger = logging.getLogger("gondulf.storage")
class CodeStore:
"""
In-memory storage for domain verification codes with TTL.
Stores codes with expiration timestamps and automatically removes expired
codes on access. No background cleanup needed - cleanup happens lazily.
"""
def __init__(self, ttl_seconds: int = 600):
"""
Initialize code store.
Args:
ttl_seconds: Time-to-live for codes in seconds (default: 600 = 10 minutes)
"""
self._store: Dict[str, Tuple[str, float]] = {}
self._ttl = ttl_seconds
logger.debug(f"CodeStore initialized with TTL={ttl_seconds}s")
def store(self, key: str, code: str) -> None:
"""
Store verification code with expiry timestamp.
Args:
key: Storage key (typically email address or similar identifier)
code: Verification code to store
"""
expiry = time.time() + self._ttl
self._store[key] = (code, expiry)
logger.debug(f"Code stored for key={key} expires_in={self._ttl}s")
def verify(self, key: str, code: str) -> bool:
"""
Verify code matches stored value and remove from store.
Checks both expiration and code matching. If valid, removes the code
from storage (single-use). Expired codes are also removed.
Args:
key: Storage key to verify
code: Code to verify
Returns:
True if code matches and is not expired, False otherwise
"""
if key not in self._store:
logger.debug(f"Verification failed: key={key} not found")
return False
stored_code, expiry = self._store[key]
# Check expiration
if time.time() > expiry:
del self._store[key]
logger.debug(f"Verification failed: key={key} expired")
return False
# Check code match
if code != stored_code:
logger.debug(f"Verification failed: key={key} code mismatch")
return False
# Valid - remove from store (single use)
del self._store[key]
logger.info(f"Code verified successfully for key={key}")
return True
def get(self, key: str) -> Optional[str]:
"""
Get code without removing it (for testing/debugging).
Checks expiration and removes expired codes.
Args:
key: Storage key to retrieve
Returns:
Code if exists and not expired, None otherwise
"""
if key not in self._store:
return None
stored_code, expiry = self._store[key]
# Check expiration
if time.time() > expiry:
del self._store[key]
return None
return stored_code
def delete(self, key: str) -> None:
"""
Explicitly delete a code from storage.
Args:
key: Storage key to delete
"""
if key in self._store:
del self._store[key]
logger.debug(f"Code deleted for key={key}")
def cleanup_expired(self) -> int:
"""
Manually cleanup all expired codes.
This is optional - cleanup happens automatically on access. But can be
called periodically if needed to free memory.
Returns:
Number of expired codes removed
"""
now = time.time()
expired_keys = [key for key, (_, expiry) in self._store.items() if now > expiry]
for key in expired_keys:
del self._store[key]
if expired_keys:
logger.debug(f"Cleaned up {len(expired_keys)} expired codes")
return len(expired_keys)
def size(self) -> int:
"""
Get number of codes currently in storage (including expired).
Returns:
Number of codes in storage
"""
return len(self._store)
def clear(self) -> None:
"""Clear all codes from storage."""
self._store.clear()
logger.debug("Code store cleared")

20
tests/conftest.py Normal file
View File

@@ -0,0 +1,20 @@
"""
Pytest configuration and shared fixtures.
"""
import pytest
@pytest.fixture(autouse=True)
def reset_config_before_test(monkeypatch):
"""
Reset configuration before each test.
This prevents config from one test affecting another test.
"""
# Clear all GONDULF_ environment variables
import os
gondulf_vars = [key for key in os.environ.keys() if key.startswith("GONDULF_")]
for var in gondulf_vars:
monkeypatch.delenv(var, raising=False)

1
tests/integration/__init__.py Normal file
View File

@@ -0,0 +1 @@
"""Integration tests package."""

101
tests/integration/test_health.py Normal file
View File

@@ -0,0 +1,101 @@
"""
Integration tests for health check endpoint.
Tests the /health endpoint with actual FastAPI TestClient.
"""
import tempfile
from pathlib import Path
import pytest
from fastapi.testclient import TestClient
class TestHealthEndpoint:
"""Integration tests for /health endpoint."""
@pytest.fixture
def test_app(self, monkeypatch):
"""Create test FastAPI app with temporary database."""
# Set up test environment
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
# Set required environment variables
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_DATABASE_URL", f"sqlite:///{db_path}")
monkeypatch.setenv("GONDULF_DEBUG", "true")
# Import app AFTER setting env vars
from gondulf.main import app
yield app
def test_health_check_success(self, test_app):
"""Test health check returns 200 when database is healthy."""
with TestClient(test_app) as client:
response = client.get("/health")
assert response.status_code == 200
data = response.json()
assert data["status"] == "healthy"
assert data["database"] == "connected"
def test_health_check_response_format(self, test_app):
"""Test health check response has correct format."""
with TestClient(test_app) as client:
response = client.get("/health")
assert response.status_code == 200
data = response.json()
assert "status" in data
assert "database" in data
def test_health_check_no_auth_required(self, test_app):
"""Test health check endpoint doesn't require authentication."""
with TestClient(test_app) as client:
# Should work without any authentication headers
response = client.get("/health")
assert response.status_code == 200
def test_root_endpoint(self, test_app):
"""Test root endpoint returns service information."""
client = TestClient(test_app)
response = client.get("/")
assert response.status_code == 200
data = response.json()
assert "service" in data
assert "version" in data
assert "Gondulf" in data["service"]
class TestHealthCheckUnhealthy:
"""Tests for unhealthy database scenarios."""
def test_health_check_unhealthy_bad_database(self, monkeypatch):
"""Test health check returns 503 when database inaccessible."""
# Set up with non-existent database path
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv(
"GONDULF_DATABASE_URL", "sqlite:////nonexistent/path/db.db"
)
monkeypatch.setenv("GONDULF_DEBUG", "true")
# Import app AFTER setting env vars
# This should fail during startup, so we need to handle it
try:
from gondulf.main import app
client = TestClient(app, raise_server_exceptions=False)
response = client.get("/health")
# If startup succeeds but health check fails
assert response.status_code == 503
data = response.json()
assert data["status"] == "unhealthy"
except Exception:
# Startup failure is also acceptable for this test
pass

1
tests/unit/__init__.py Normal file
View File

@@ -0,0 +1 @@
"""Unit tests package."""

182
tests/unit/test_config.py Normal file
View File

@@ -0,0 +1,182 @@
"""
Unit tests for configuration module.
Tests environment variable loading, validation, and error handling.
"""
import os
import pytest
from gondulf.config import Config, ConfigurationError
class TestConfigLoad:
"""Tests for Config.load() method."""
def test_load_with_valid_secret_key(self, monkeypatch):
"""Test configuration loads successfully with valid SECRET_KEY."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
Config.load()
assert Config.SECRET_KEY == "a" * 32
def test_load_missing_secret_key_raises_error(self, monkeypatch):
"""Test that missing SECRET_KEY raises ConfigurationError."""
monkeypatch.delenv("GONDULF_SECRET_KEY", raising=False)
with pytest.raises(ConfigurationError, match="GONDULF_SECRET_KEY is required"):
Config.load()
def test_load_short_secret_key_raises_error(self, monkeypatch):
"""Test that SECRET_KEY shorter than 32 chars raises error."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "short")
with pytest.raises(ConfigurationError, match="at least 32 characters"):
Config.load()
def test_load_database_url_default(self, monkeypatch):
"""Test DATABASE_URL defaults to sqlite:///./data/gondulf.db."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.delenv("GONDULF_DATABASE_URL", raising=False)
Config.load()
assert Config.DATABASE_URL == "sqlite:///./data/gondulf.db"
def test_load_database_url_custom(self, monkeypatch):
"""Test DATABASE_URL can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_DATABASE_URL", "sqlite:////tmp/test.db")
Config.load()
assert Config.DATABASE_URL == "sqlite:////tmp/test.db"
def test_load_smtp_configuration_defaults(self, monkeypatch):
"""Test SMTP configuration uses sensible defaults."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
for key in [
"GONDULF_SMTP_HOST",
"GONDULF_SMTP_PORT",
"GONDULF_SMTP_USERNAME",
"GONDULF_SMTP_PASSWORD",
"GONDULF_SMTP_FROM",
"GONDULF_SMTP_USE_TLS",
]:
monkeypatch.delenv(key, raising=False)
Config.load()
assert Config.SMTP_HOST == "localhost"
assert Config.SMTP_PORT == 587
assert Config.SMTP_USERNAME is None
assert Config.SMTP_PASSWORD is None
assert Config.SMTP_FROM == "noreply@example.com"
assert Config.SMTP_USE_TLS is True
def test_load_smtp_configuration_custom(self, monkeypatch):
"""Test SMTP configuration can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_SMTP_HOST", "smtp.gmail.com")
monkeypatch.setenv("GONDULF_SMTP_PORT", "465")
monkeypatch.setenv("GONDULF_SMTP_USERNAME", "user@gmail.com")
monkeypatch.setenv("GONDULF_SMTP_PASSWORD", "password123")
monkeypatch.setenv("GONDULF_SMTP_FROM", "sender@example.com")
monkeypatch.setenv("GONDULF_SMTP_USE_TLS", "false")
Config.load()
assert Config.SMTP_HOST == "smtp.gmail.com"
assert Config.SMTP_PORT == 465
assert Config.SMTP_USERNAME == "user@gmail.com"
assert Config.SMTP_PASSWORD == "password123"
assert Config.SMTP_FROM == "sender@example.com"
assert Config.SMTP_USE_TLS is False
def test_load_token_expiry_default(self, monkeypatch):
"""Test TOKEN_EXPIRY defaults to 3600 seconds."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.delenv("GONDULF_TOKEN_EXPIRY", raising=False)
Config.load()
assert Config.TOKEN_EXPIRY == 3600
def test_load_code_expiry_default(self, monkeypatch):
"""Test CODE_EXPIRY defaults to 600 seconds."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.delenv("GONDULF_CODE_EXPIRY", raising=False)
Config.load()
assert Config.CODE_EXPIRY == 600
def test_load_token_expiry_custom(self, monkeypatch):
"""Test TOKEN_EXPIRY can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_TOKEN_EXPIRY", "7200")
Config.load()
assert Config.TOKEN_EXPIRY == 7200
def test_load_log_level_default_production(self, monkeypatch):
"""Test LOG_LEVEL defaults to INFO in production mode."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.delenv("GONDULF_LOG_LEVEL", raising=False)
monkeypatch.delenv("GONDULF_DEBUG", raising=False)
Config.load()
assert Config.LOG_LEVEL == "INFO"
assert Config.DEBUG is False
def test_load_log_level_default_debug(self, monkeypatch):
"""Test LOG_LEVEL defaults to DEBUG when DEBUG=true."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.delenv("GONDULF_LOG_LEVEL", raising=False)
monkeypatch.setenv("GONDULF_DEBUG", "true")
Config.load()
assert Config.LOG_LEVEL == "DEBUG"
assert Config.DEBUG is True
def test_load_log_level_custom(self, monkeypatch):
"""Test LOG_LEVEL can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_LOG_LEVEL", "WARNING")
Config.load()
assert Config.LOG_LEVEL == "WARNING"
def test_load_invalid_log_level_raises_error(self, monkeypatch):
"""Test invalid LOG_LEVEL raises ConfigurationError."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_LOG_LEVEL", "INVALID")
with pytest.raises(ConfigurationError, match="must be one of"):
Config.load()
class TestConfigValidate:
"""Tests for Config.validate() method."""
def test_validate_valid_configuration(self, monkeypatch):
"""Test validation passes with valid configuration."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
Config.load()
Config.validate() # Should not raise
def test_validate_smtp_port_too_low(self, monkeypatch):
"""Test validation fails when SMTP_PORT < 1."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
Config.load()
Config.SMTP_PORT = 0
with pytest.raises(ConfigurationError, match="must be between 1 and 65535"):
Config.validate()
def test_validate_smtp_port_too_high(self, monkeypatch):
"""Test validation fails when SMTP_PORT > 65535."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
Config.load()
Config.SMTP_PORT = 70000
with pytest.raises(ConfigurationError, match="must be between 1 and 65535"):
Config.validate()
def test_validate_token_expiry_negative(self, monkeypatch):
"""Test validation fails when TOKEN_EXPIRY <= 0."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
Config.load()
Config.TOKEN_EXPIRY = -1
with pytest.raises(ConfigurationError, match="must be positive"):
Config.validate()
def test_validate_code_expiry_zero(self, monkeypatch):
"""Test validation fails when CODE_EXPIRY <= 0."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
Config.load()
Config.CODE_EXPIRY = 0
with pytest.raises(ConfigurationError, match="must be positive"):
Config.validate()

274
tests/unit/test_database.py Normal file
View File

@@ -0,0 +1,274 @@
"""
Unit tests for database connection and migrations.
Tests database initialization, migration running, and health checks.
"""
import tempfile
from pathlib import Path
import pytest
from sqlalchemy import text
from gondulf.database.connection import Database, DatabaseError
class TestDatabaseInit:
"""Tests for Database initialization."""
def test_init_with_valid_url(self):
"""Test Database can be initialized with valid URL."""
db = Database("sqlite:///:memory:")
assert db.database_url == "sqlite:///:memory:"
def test_init_with_file_url(self):
"""Test Database can be initialized with file URL."""
db = Database("sqlite:///./test.db")
assert db.database_url == "sqlite:///./test.db"
class TestDatabaseDirectory:
"""Tests for database directory creation."""
def test_ensure_directory_creates_parent(self):
"""Test ensure_database_directory creates parent directories."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "subdir" / "nested" / "test.db"
db_url = f"sqlite:///{db_path}"
db = Database(db_url)
db.ensure_database_directory()
assert db_path.parent.exists()
def test_ensure_directory_relative_path(self):
"""Test ensure_database_directory works with relative paths."""
with tempfile.TemporaryDirectory() as tmpdir:
# Change to temp dir temporarily to test relative paths
import os
original_cwd = os.getcwd()
try:
os.chdir(tmpdir)
db = Database("sqlite:///./data/test.db")
db.ensure_database_directory()
assert Path("data").exists()
finally:
os.chdir(original_cwd)
def test_ensure_directory_does_not_fail_if_exists(self):
"""Test ensure_database_directory doesn't fail if directory exists."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db_url = f"sqlite:///{db_path}"
db = Database(db_url)
db.ensure_database_directory()
# Call again - should not raise
db.ensure_database_directory()
class TestDatabaseEngine:
"""Tests for database engine creation."""
def test_get_engine_creates_engine(self):
"""Test get_engine creates SQLAlchemy engine."""
db = Database("sqlite:///:memory:")
engine = db.get_engine()
assert engine is not None
assert engine.url.drivername == "sqlite"
def test_get_engine_returns_same_instance(self):
"""Test get_engine returns same engine instance."""
db = Database("sqlite:///:memory:")
engine1 = db.get_engine()
engine2 = db.get_engine()
assert engine1 is engine2
def test_get_engine_with_invalid_url_raises_error(self):
"""Test get_engine raises DatabaseError with invalid URL."""
db = Database("invalid://bad_url")
with pytest.raises(DatabaseError, match="Failed to create database engine"):
db.get_engine()
class TestDatabaseHealth:
"""Tests for database health checks."""
def test_check_health_success(self):
"""Test health check passes for healthy database."""
db = Database("sqlite:///:memory:")
db.get_engine() # Initialize engine
assert db.check_health() is True
def test_check_health_failure(self):
"""Test health check fails for inaccessible database."""
db = Database("sqlite:////nonexistent/path/db.db")
# Trying to check health on non-existent DB should fail gracefully
assert db.check_health() is False
class TestDatabaseMigrations:
"""Tests for database migrations."""
def test_get_applied_migrations_empty(self):
"""Test get_applied_migrations returns empty set for new database."""
db = Database("sqlite:///:memory:")
db.get_engine() # Initialize engine
migrations = db.get_applied_migrations()
assert migrations == set()
def test_get_applied_migrations_after_running(self):
"""Test get_applied_migrations returns versions after running migrations."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
# Initialize will run migrations
db.initialize()
migrations = db.get_applied_migrations()
# Migration 001 should be applied
assert 1 in migrations
def test_run_migrations_creates_tables(self):
"""Test run_migrations creates expected tables."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.ensure_database_directory()
db.run_migrations()
# Check that tables were created
engine = db.get_engine()
with engine.connect() as conn:
# Check migrations table
result = conn.execute(text("SELECT name FROM sqlite_master WHERE type='table'"))
tables = {row[0] for row in result}
assert "migrations" in tables
assert "authorization_codes" in tables
assert "domains" in tables
def test_run_migrations_idempotent(self):
"""Test run_migrations can be run multiple times safely."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.ensure_database_directory()
db.run_migrations()
# Run again - should not raise or duplicate
db.run_migrations()
engine = db.get_engine()
with engine.connect() as conn:
# Check migration was recorded only once
result = conn.execute(text("SELECT COUNT(*) FROM migrations"))
count = result.fetchone()[0]
assert count == 1
def test_initialize_full_setup(self):
"""Test initialize performs full database setup."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.initialize()
# Verify database is healthy
assert db.check_health() is True
# Verify migrations ran
migrations = db.get_applied_migrations()
assert 1 in migrations
# Verify tables exist
engine = db.get_engine()
with engine.connect() as conn:
result = conn.execute(text("SELECT name FROM sqlite_master WHERE type='table'"))
tables = {row[0] for row in result}
assert "migrations" in tables
assert "authorization_codes" in tables
assert "domains" in tables
class TestMigrationSchemaCorrectness:
"""Tests for correctness of migration schema."""
def test_authorization_codes_schema(self):
"""Test authorization_codes table has correct columns."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.initialize()
engine = db.get_engine()
with engine.connect() as conn:
result = conn.execute(text("PRAGMA table_info(authorization_codes)"))
columns = {row[1] for row in result} # row[1] is column name
expected_columns = {
"code",
"client_id",
"redirect_uri",
"state",
"code_challenge",
"code_challenge_method",
"scope",
"me",
"created_at",
}
assert columns == expected_columns
def test_domains_schema(self):
"""Test domains table has correct columns."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.initialize()
engine = db.get_engine()
with engine.connect() as conn:
result = conn.execute(text("PRAGMA table_info(domains)"))
columns = {row[1] for row in result}
expected_columns = {
"domain",
"email",
"verification_code",
"verified",
"created_at",
"verified_at",
}
assert columns == expected_columns
def test_migrations_schema(self):
"""Test migrations table has correct columns."""
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.initialize()
engine = db.get_engine()
with engine.connect() as conn:
result = conn.execute(text("PRAGMA table_info(migrations)"))
columns = {row[1] for row in result}
expected_columns = {"version", "description", "applied_at"}
assert columns == expected_columns

293
tests/unit/test_dns.py Normal file
View File

@@ -0,0 +1,293 @@
"""
Unit tests for DNS service.
Tests TXT record querying, domain verification, and error handling.
Uses mocking to avoid actual DNS queries.
"""
from unittest.mock import MagicMock, patch
import pytest
import dns.resolver
from dns.exception import DNSException
from gondulf.dns import DNSError, DNSService
class TestDNSServiceInit:
"""Tests for DNSService initialization."""
def test_init_creates_resolver(self):
"""Test DNSService initializes with resolver."""
service = DNSService()
assert service.resolver is not None
assert isinstance(service.resolver, dns.resolver.Resolver)
class TestGetTxtRecords:
"""Tests for get_txt_records method."""
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_get_txt_records_success(self, mock_resolve):
"""Test getting TXT records successfully."""
# Mock TXT record response
mock_rdata = MagicMock()
mock_rdata.strings = [b"v=spf1 include:example.com ~all"]
mock_resolve.return_value = [mock_rdata]
service = DNSService()
records = service.get_txt_records("example.com")
assert len(records) == 1
assert records[0] == "v=spf1 include:example.com ~all"
mock_resolve.assert_called_once_with("example.com", "TXT")
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_get_txt_records_multiple(self, mock_resolve):
"""Test getting multiple TXT records."""
# Mock multiple TXT records
mock_rdata1 = MagicMock()
mock_rdata1.strings = [b"record1"]
mock_rdata2 = MagicMock()
mock_rdata2.strings = [b"record2"]
mock_resolve.return_value = [mock_rdata1, mock_rdata2]
service = DNSService()
records = service.get_txt_records("example.com")
assert len(records) == 2
assert "record1" in records
assert "record2" in records
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_get_txt_records_multipart(self, mock_resolve):
"""Test getting TXT record with multiple strings (joined)."""
# Mock TXT record with multiple strings
mock_rdata = MagicMock()
mock_rdata.strings = [b"part1", b"part2", b"part3"]
mock_resolve.return_value = [mock_rdata]
service = DNSService()
records = service.get_txt_records("example.com")
assert len(records) == 1
assert records[0] == "part1part2part3"
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_get_txt_records_no_answer(self, mock_resolve):
"""Test getting TXT records when none exist returns empty list."""
mock_resolve.side_effect = dns.resolver.NoAnswer()
service = DNSService()
records = service.get_txt_records("example.com")
assert records == []
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_get_txt_records_nxdomain(self, mock_resolve):
"""Test DNSError raised when domain doesn't exist."""
mock_resolve.side_effect = dns.resolver.NXDOMAIN()
service = DNSService()
with pytest.raises(DNSError, match="Domain does not exist"):
service.get_txt_records("nonexistent.example")
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_get_txt_records_timeout(self, mock_resolve):
"""Test DNSError raised on timeout."""
mock_resolve.side_effect = dns.resolver.Timeout()
service = DNSService()
with pytest.raises(DNSError, match="timeout"):
service.get_txt_records("example.com")
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_get_txt_records_dns_exception(self, mock_resolve):
"""Test DNSError raised on other DNS exceptions."""
mock_resolve.side_effect = DNSException("DNS query failed")
service = DNSService()
with pytest.raises(DNSError, match="DNS query failed"):
service.get_txt_records("example.com")
class TestVerifyTxtRecord:
"""Tests for verify_txt_record method."""
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_verify_txt_record_success(self, mock_resolve):
"""Test TXT record verification succeeds when value found."""
mock_rdata = MagicMock()
mock_rdata.strings = [b"gondulf-verify=ABC123"]
mock_resolve.return_value = [mock_rdata]
service = DNSService()
result = service.verify_txt_record("example.com", "gondulf-verify=ABC123")
assert result is True
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_verify_txt_record_partial_match(self, mock_resolve):
"""Test TXT record verification succeeds with partial match."""
mock_rdata = MagicMock()
mock_rdata.strings = [b"some prefix gondulf-verify=ABC123 some suffix"]
mock_resolve.return_value = [mock_rdata]
service = DNSService()
result = service.verify_txt_record("example.com", "gondulf-verify=ABC123")
assert result is True
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_verify_txt_record_not_found(self, mock_resolve):
"""Test TXT record verification fails when value not found."""
mock_rdata = MagicMock()
mock_rdata.strings = [b"different-value"]
mock_resolve.return_value = [mock_rdata]
service = DNSService()
result = service.verify_txt_record("example.com", "gondulf-verify=ABC123")
assert result is False
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_verify_txt_record_no_txt_records(self, mock_resolve):
"""Test TXT record verification fails when no TXT records exist."""
mock_resolve.side_effect = dns.resolver.NoAnswer()
service = DNSService()
result = service.verify_txt_record("example.com", "gondulf-verify=ABC123")
assert result is False
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_verify_txt_record_nxdomain(self, mock_resolve):
"""Test TXT record verification fails when domain doesn't exist."""
mock_resolve.side_effect = dns.resolver.NXDOMAIN()
service = DNSService()
result = service.verify_txt_record("nonexistent.example", "value")
assert result is False
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_verify_txt_record_timeout(self, mock_resolve):
"""Test TXT record verification fails on timeout."""
mock_resolve.side_effect = dns.resolver.Timeout()
service = DNSService()
result = service.verify_txt_record("example.com", "value")
assert result is False
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_verify_txt_record_among_multiple(self, mock_resolve):
"""Test TXT record verification finds value among multiple records."""
mock_rdata1 = MagicMock()
mock_rdata1.strings = [b"unrelated-record"]
mock_rdata2 = MagicMock()
mock_rdata2.strings = [b"gondulf-verify=ABC123"]
mock_rdata3 = MagicMock()
mock_rdata3.strings = [b"another-record"]
mock_resolve.return_value = [mock_rdata1, mock_rdata2, mock_rdata3]
service = DNSService()
result = service.verify_txt_record("example.com", "gondulf-verify=ABC123")
assert result is True
class TestCheckDomainExists:
"""Tests for check_domain_exists method."""
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_check_domain_exists_a_record(self, mock_resolve):
"""Test domain exists check succeeds with A record."""
mock_resolve.return_value = [MagicMock()]
service = DNSService()
result = service.check_domain_exists("example.com")
assert result is True
mock_resolve.assert_called_with("example.com", "A")
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_check_domain_exists_aaaa_record(self, mock_resolve):
"""Test domain exists check succeeds with AAAA record."""
# First call (A record) fails, second call (AAAA) succeeds
mock_resolve.side_effect = [
dns.resolver.NoAnswer(),
[MagicMock()], # AAAA record exists
]
service = DNSService()
result = service.check_domain_exists("example.com")
assert result is True
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_check_domain_exists_no_records(self, mock_resolve):
"""Test domain exists check succeeds even with no A/AAAA records."""
# Both A and AAAA fail with NoAnswer (but not NXDOMAIN)
mock_resolve.side_effect = [
dns.resolver.NoAnswer(),
dns.resolver.NoAnswer(),
]
service = DNSService()
result = service.check_domain_exists("example.com")
# Domain exists even if no A/AAAA records (might have MX, TXT, etc.)
assert result is True
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_check_domain_not_exists_nxdomain(self, mock_resolve):
"""Test domain exists check fails with NXDOMAIN."""
mock_resolve.side_effect = dns.resolver.NXDOMAIN()
service = DNSService()
result = service.check_domain_exists("nonexistent.example")
assert result is False
@patch("gondulf.dns.dns.resolver.Resolver.resolve")
def test_check_domain_exists_dns_error(self, mock_resolve):
"""Test domain exists check returns False on DNS error."""
mock_resolve.side_effect = DNSException("DNS failure")
service = DNSService()
result = service.check_domain_exists("example.com")
assert result is False
class TestResolverFallback:
"""Tests for DNS resolver fallback configuration."""
@patch("gondulf.dns.dns.resolver.Resolver")
def test_resolver_uses_system_dns(self, mock_resolver_class):
"""Test resolver uses system DNS when available."""
mock_resolver = MagicMock()
mock_resolver.nameservers = ["192.168.1.1"] # System DNS
mock_resolver_class.return_value = mock_resolver
service = DNSService()
# System DNS should be used
assert service.resolver.nameservers == ["192.168.1.1"]
@patch("gondulf.dns.dns.resolver.Resolver")
def test_resolver_fallback_to_public_dns(self, mock_resolver_class):
"""Test resolver falls back to public DNS when system DNS unavailable."""
mock_resolver = MagicMock()
mock_resolver.nameservers = [] # No system DNS
mock_resolver_class.return_value = mock_resolver
service = DNSService()
# Should fall back to public DNS
assert service.resolver.nameservers == ["8.8.8.8", "1.1.1.1"]

304
tests/unit/test_email.py Normal file
View File

@@ -0,0 +1,304 @@
"""
Unit tests for email service.
Tests email sending with SMTP, TLS configuration, and error handling.
Uses mocking to avoid actual SMTP connections.
"""
from unittest.mock import MagicMock, patch
import pytest
import smtplib
from gondulf.email import EmailError, EmailService
class TestEmailServiceInit:
"""Tests for EmailService initialization."""
def test_init_with_all_parameters(self):
"""Test EmailService initializes with all parameters."""
service = EmailService(
smtp_host="smtp.gmail.com",
smtp_port=587,
smtp_from="sender@example.com",
smtp_username="user@example.com",
smtp_password="password",
smtp_use_tls=True,
)
assert service.smtp_host == "smtp.gmail.com"
assert service.smtp_port == 587
assert service.smtp_from == "sender@example.com"
assert service.smtp_username == "user@example.com"
assert service.smtp_password == "password"
assert service.smtp_use_tls is True
def test_init_without_credentials(self):
"""Test EmailService initializes without username/password."""
service = EmailService(
smtp_host="localhost",
smtp_port=25,
smtp_from="sender@example.com",
)
assert service.smtp_username is None
assert service.smtp_password is None
class TestEmailServiceSendVerificationCode:
"""Tests for send_verification_code method."""
@patch("gondulf.email.smtplib.SMTP")
def test_send_verification_code_success_starttls(self, mock_smtp):
"""Test sending verification code with STARTTLS."""
mock_server = MagicMock()
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="smtp.example.com",
smtp_port=587,
smtp_from="sender@example.com",
smtp_username="user",
smtp_password="pass",
smtp_use_tls=True,
)
service.send_verification_code("recipient@example.com", "123456", "example.com")
# Verify SMTP was called correctly
mock_smtp.assert_called_once_with("smtp.example.com", 587, timeout=10)
mock_server.starttls.assert_called_once()
mock_server.login.assert_called_once_with("user", "pass")
mock_server.send_message.assert_called_once()
mock_server.quit.assert_called_once()
@patch("gondulf.email.smtplib.SMTP_SSL")
def test_send_verification_code_success_implicit_tls(self, mock_smtp_ssl):
"""Test sending verification code with implicit TLS (port 465)."""
mock_server = MagicMock()
mock_smtp_ssl.return_value = mock_server
service = EmailService(
smtp_host="smtp.example.com",
smtp_port=465,
smtp_from="sender@example.com",
smtp_username="user",
smtp_password="pass",
)
service.send_verification_code("recipient@example.com", "123456", "example.com")
# Verify SMTP_SSL was called
mock_smtp_ssl.assert_called_once_with("smtp.example.com", 465, timeout=10)
# starttls should NOT be called for implicit TLS
assert not mock_server.starttls.called
mock_server.login.assert_called_once()
mock_server.send_message.assert_called_once()
@patch("gondulf.email.smtplib.SMTP")
def test_send_verification_code_without_auth(self, mock_smtp):
"""Test sending without authentication."""
mock_server = MagicMock()
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="localhost",
smtp_port=25,
smtp_from="sender@example.com",
smtp_use_tls=False,
)
service.send_verification_code("recipient@example.com", "123456", "example.com")
# Verify login was not called
assert not mock_server.login.called
mock_server.send_message.assert_called_once()
@patch("gondulf.email.smtplib.SMTP")
def test_send_verification_code_smtp_error(self, mock_smtp):
"""Test EmailError raised on SMTP failure."""
mock_server = MagicMock()
mock_server.send_message.side_effect = smtplib.SMTPException("SMTP error")
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="smtp.example.com",
smtp_port=587,
smtp_from="sender@example.com",
)
with pytest.raises(EmailError, match="SMTP error"):
service.send_verification_code(
"recipient@example.com", "123456", "example.com"
)
@patch("gondulf.email.smtplib.SMTP")
def test_send_verification_code_auth_error(self, mock_smtp):
"""Test EmailError raised on authentication failure."""
mock_server = MagicMock()
mock_server.login.side_effect = smtplib.SMTPAuthenticationError(
535, "Authentication failed"
)
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="smtp.example.com",
smtp_port=587,
smtp_from="sender@example.com",
smtp_username="user",
smtp_password="wrong",
smtp_use_tls=True,
)
with pytest.raises(EmailError, match="authentication failed"):
service.send_verification_code(
"recipient@example.com", "123456", "example.com"
)
class TestEmailServiceConnection:
"""Tests for test_connection method."""
@patch("gondulf.email.smtplib.SMTP")
def test_connection_success_starttls(self, mock_smtp):
"""Test connection test succeeds with STARTTLS."""
mock_server = MagicMock()
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="smtp.example.com",
smtp_port=587,
smtp_from="sender@example.com",
smtp_username="user",
smtp_password="pass",
smtp_use_tls=True,
)
assert service.test_connection() is True
mock_smtp.assert_called_once()
mock_server.starttls.assert_called_once()
mock_server.login.assert_called_once()
mock_server.quit.assert_called_once()
@patch("gondulf.email.smtplib.SMTP_SSL")
def test_connection_success_implicit_tls(self, mock_smtp_ssl):
"""Test connection test succeeds with implicit TLS."""
mock_server = MagicMock()
mock_smtp_ssl.return_value = mock_server
service = EmailService(
smtp_host="smtp.example.com",
smtp_port=465,
smtp_from="sender@example.com",
smtp_username="user",
smtp_password="pass",
)
assert service.test_connection() is True
mock_smtp_ssl.assert_called_once()
mock_server.login.assert_called_once()
@patch("gondulf.email.smtplib.SMTP")
def test_connection_failure(self, mock_smtp):
"""Test connection test fails gracefully."""
mock_smtp.side_effect = smtplib.SMTPException("Connection failed")
service = EmailService(
smtp_host="smtp.example.com",
smtp_port=587,
smtp_from="sender@example.com",
)
assert service.test_connection() is False
@patch("gondulf.email.smtplib.SMTP")
def test_connection_without_credentials(self, mock_smtp):
"""Test connection test works without credentials."""
mock_server = MagicMock()
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="localhost",
smtp_port=25,
smtp_from="sender@example.com",
smtp_use_tls=False,
)
assert service.test_connection() is True
# Login should not be called without credentials
assert not mock_server.login.called
class TestEmailMessageContent:
"""Tests for email message content."""
@patch("gondulf.email.smtplib.SMTP")
def test_message_contains_code(self, mock_smtp):
"""Test email message contains the verification code."""
mock_server = MagicMock()
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="localhost",
smtp_port=25,
smtp_from="sender@example.com",
)
service.send_verification_code("recipient@example.com", "ABC123", "example.com")
# Get the message that was sent
call_args = mock_server.send_message.call_args
sent_message = call_args[0][0]
# Verify message contains code
message_body = sent_message.as_string()
assert "ABC123" in message_body
@patch("gondulf.email.smtplib.SMTP")
def test_message_contains_domain(self, mock_smtp):
"""Test email message contains the domain being verified."""
mock_server = MagicMock()
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="localhost",
smtp_port=25,
smtp_from="sender@example.com",
)
service.send_verification_code(
"recipient@example.com", "123456", "mydomain.com"
)
# Get the message that was sent
call_args = mock_server.send_message.call_args
sent_message = call_args[0][0]
message_body = sent_message.as_string()
assert "mydomain.com" in message_body
@patch("gondulf.email.smtplib.SMTP")
def test_message_has_correct_headers(self, mock_smtp):
"""Test email message has correct From/To/Subject headers."""
mock_server = MagicMock()
mock_smtp.return_value = mock_server
service = EmailService(
smtp_host="localhost",
smtp_port=25,
smtp_from="noreply@gondulf.example",
)
service.send_verification_code("user@example.com", "123456", "example.com")
# Get the message that was sent
call_args = mock_server.send_message.call_args
sent_message = call_args[0][0]
assert sent_message["From"] == "noreply@gondulf.example"
assert sent_message["To"] == "user@example.com"
assert "example.com" in sent_message["Subject"]

218
tests/unit/test_storage.py Normal file
View File

@@ -0,0 +1,218 @@
"""
Unit tests for in-memory code storage.
Tests code storage, verification, expiration, and cleanup.
"""
import time
import pytest
from gondulf.storage import CodeStore
class TestCodeStore:
"""Tests for CodeStore class."""
def test_store_and_verify_success(self):
"""Test storing and verifying a valid code."""
store = CodeStore(ttl_seconds=60)
store.store("test@example.com", "123456")
assert store.verify("test@example.com", "123456") is True
def test_verify_wrong_code_fails(self):
"""Test verification fails with wrong code."""
store = CodeStore(ttl_seconds=60)
store.store("test@example.com", "123456")
assert store.verify("test@example.com", "wrong") is False
def test_verify_nonexistent_key_fails(self):
"""Test verification fails for nonexistent key."""
store = CodeStore(ttl_seconds=60)
assert store.verify("nonexistent@example.com", "123456") is False
def test_verify_removes_code_after_success(self):
"""Test that successful verification removes code (single-use)."""
store = CodeStore(ttl_seconds=60)
store.store("test@example.com", "123456")
# First verification succeeds
assert store.verify("test@example.com", "123456") is True
# Second verification fails (code removed)
assert store.verify("test@example.com", "123456") is False
def test_verify_expired_code_fails(self):
"""Test verification fails for expired code."""
store = CodeStore(ttl_seconds=1)
store.store("test@example.com", "123456")
# Wait for expiration
time.sleep(1.1)
assert store.verify("test@example.com", "123456") is False
def test_verify_removes_expired_code(self):
"""Test that expired codes are removed from storage."""
store = CodeStore(ttl_seconds=1)
store.store("test@example.com", "123456")
# Wait for expiration
time.sleep(1.1)
# Verification fails and removes code
store.verify("test@example.com", "123456")
# Code should be gone from storage
assert store.size() == 0
def test_get_valid_code(self):
"""Test getting a valid code without removing it."""
store = CodeStore(ttl_seconds=60)
store.store("test@example.com", "123456")
assert store.get("test@example.com") == "123456"
# Code should still be in storage
assert store.get("test@example.com") == "123456"
def test_get_nonexistent_code(self):
"""Test getting nonexistent code returns None."""
store = CodeStore(ttl_seconds=60)
assert store.get("nonexistent@example.com") is None
def test_get_expired_code(self):
"""Test getting expired code returns None."""
store = CodeStore(ttl_seconds=1)
store.store("test@example.com", "123456")
# Wait for expiration
time.sleep(1.1)
assert store.get("test@example.com") is None
def test_delete_code(self):
"""Test explicitly deleting a code."""
store = CodeStore(ttl_seconds=60)
store.store("test@example.com", "123456")
store.delete("test@example.com")
assert store.get("test@example.com") is None
def test_delete_nonexistent_code(self):
"""Test deleting nonexistent code doesn't raise error."""
store = CodeStore(ttl_seconds=60)
# Should not raise
store.delete("nonexistent@example.com")
def test_cleanup_expired_codes(self):
"""Test manual cleanup of expired codes."""
store = CodeStore(ttl_seconds=1)
# Store multiple codes
store.store("test1@example.com", "code1")
store.store("test2@example.com", "code2")
store.store("test3@example.com", "code3")
assert store.size() == 3
# Wait for expiration
time.sleep(1.1)
# Cleanup should remove all expired codes
removed = store.cleanup_expired()
assert removed == 3
assert store.size() == 0
def test_cleanup_expired_partial(self):
"""Test cleanup removes only expired codes, not valid ones."""
store = CodeStore(ttl_seconds=2)
# Store first code
store.store("test1@example.com", "code1")
# Wait 1 second
time.sleep(1)
# Store second code (will expire later)
store.store("test2@example.com", "code2")
# Wait for first code to expire
time.sleep(1.1)
# Cleanup should remove only first code
removed = store.cleanup_expired()
assert removed == 1
assert store.size() == 1
assert store.get("test2@example.com") == "code2"
def test_size(self):
"""Test size() returns correct count."""
store = CodeStore(ttl_seconds=60)
assert store.size() == 0
store.store("test1@example.com", "code1")
assert store.size() == 1
store.store("test2@example.com", "code2")
assert store.size() == 2
store.delete("test1@example.com")
assert store.size() == 1
def test_clear(self):
"""Test clear() removes all codes."""
store = CodeStore(ttl_seconds=60)
store.store("test1@example.com", "code1")
store.store("test2@example.com", "code2")
store.store("test3@example.com", "code3")
assert store.size() == 3
store.clear()
assert store.size() == 0
def test_custom_ttl(self):
"""Test custom TTL is respected."""
store = CodeStore(ttl_seconds=2)
store.store("test@example.com", "123456")
# Code valid after 1 second
time.sleep(1)
assert store.get("test@example.com") == "123456"
# Code expired after 2+ seconds
time.sleep(1.1)
assert store.get("test@example.com") is None
def test_multiple_keys(self):
"""Test storing multiple different keys."""
store = CodeStore(ttl_seconds=60)
store.store("test1@example.com", "code1")
store.store("test2@example.com", "code2")
store.store("test3@example.com", "code3")
assert store.verify("test1@example.com", "code1") is True
assert store.verify("test2@example.com", "code2") is True
assert store.verify("test3@example.com", "code3") is True
def test_overwrite_existing_code(self):
"""Test storing new code with same key overwrites old code."""
store = CodeStore(ttl_seconds=60)
store.store("test@example.com", "old_code")
store.store("test@example.com", "new_code")
assert store.verify("test@example.com", "old_code") is False
assert store.verify("test@example.com", "new_code") is True

24
uv.lock generated
View File

@@ -2,6 +2,15 @@ version = 1
revision = 3 revision = 3
requires-python = ">=3.10" requires-python = ">=3.10"
[[package]]
name = "aiosmtplib"
version = "5.0.0"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/a2/15/c2dc93a58d716bce64b53918d3cf667d86c96a56a9f3a239a9f104643637/aiosmtplib-5.0.0.tar.gz", hash = "sha256:514ac11c31cb767c764077eb3c2eb2ae48df6f63f1e847aeb36119c4fc42b52d", size = 61057, upload-time = "2025-10-19T19:12:31.426Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/99/42/b997c306dc54e6ac62a251787f6b5ec730797eea08e0336d8f0d7b899d5f/aiosmtplib-5.0.0-py3-none-any.whl", hash = "sha256:95eb0f81189780845363ab0627e7f130bca2d0060d46cd3eeb459f066eb7df32", size = 27048, upload-time = "2025-10-19T19:12:30.124Z" },
]
[[package]] [[package]]
name = "annotated-doc" name = "annotated-doc"
version = "0.0.4" version = "0.0.4"
@@ -232,6 +241,15 @@ toml = [
{ name = "tomli", marker = "python_full_version <= '3.11'" }, { name = "tomli", marker = "python_full_version <= '3.11'" },
] ]
[[package]]
name = "dnspython"
version = "2.8.0"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/8c/8b/57666417c0f90f08bcafa776861060426765fdb422eb10212086fb811d26/dnspython-2.8.0.tar.gz", hash = "sha256:181d3c6996452cb1189c4046c61599b84a5a86e099562ffde77d26984ff26d0f", size = 368251, upload-time = "2025-09-07T18:58:00.022Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/ba/5a/18ad964b0086c6e62e2e7500f7edc89e3faa45033c71c1893d34eed2b2de/dnspython-2.8.0-py3-none-any.whl", hash = "sha256:01d9bbc4a2d76bf0db7c1f729812ded6d912bd318d3b1cf81d30c0f845dbf3af", size = 331094, upload-time = "2025-09-07T18:57:58.071Z" },
]
[[package]] [[package]]
name = "exceptiongroup" name = "exceptiongroup"
version = "1.3.0" version = "1.3.0"
@@ -314,9 +332,12 @@ name = "gondulf"
version = "0.1.0.dev0" version = "0.1.0.dev0"
source = { editable = "." } source = { editable = "." }
dependencies = [ dependencies = [
{ name = "aiosmtplib" },
{ name = "dnspython" },
{ name = "fastapi" }, { name = "fastapi" },
{ name = "pydantic" }, { name = "pydantic" },
{ name = "pydantic-settings" }, { name = "pydantic-settings" },
{ name = "python-dotenv" },
{ name = "python-multipart" }, { name = "python-multipart" },
{ name = "sqlalchemy" }, { name = "sqlalchemy" },
{ name = "uvicorn", extra = ["standard"] }, { name = "uvicorn", extra = ["standard"] },
@@ -343,8 +364,10 @@ test = [
[package.metadata] [package.metadata]
requires-dist = [ requires-dist = [
{ name = "aiosmtplib", specifier = ">=3.0.0" },
{ name = "bandit", marker = "extra == 'dev'", specifier = ">=1.7.0" }, { name = "bandit", marker = "extra == 'dev'", specifier = ">=1.7.0" },
{ name = "black", marker = "extra == 'dev'", specifier = ">=23.0.0" }, { name = "black", marker = "extra == 'dev'", specifier = ">=23.0.0" },
{ name = "dnspython", specifier = ">=2.4.0" },
{ name = "factory-boy", marker = "extra == 'test'", specifier = ">=3.2.0" }, { name = "factory-boy", marker = "extra == 'test'", specifier = ">=3.2.0" },
{ name = "fastapi", specifier = ">=0.104.0" }, { name = "fastapi", specifier = ">=0.104.0" },
{ name = "flake8", marker = "extra == 'dev'", specifier = ">=6.0.0" }, { name = "flake8", marker = "extra == 'dev'", specifier = ">=6.0.0" },
@@ -358,6 +381,7 @@ requires-dist = [
{ name = "pytest-asyncio", marker = "extra == 'test'", specifier = ">=0.20.0" }, { name = "pytest-asyncio", marker = "extra == 'test'", specifier = ">=0.20.0" },
{ name = "pytest-cov", marker = "extra == 'test'", specifier = ">=4.0.0" }, { name = "pytest-cov", marker = "extra == 'test'", specifier = ">=4.0.0" },
{ name = "pytest-mock", marker = "extra == 'test'", specifier = ">=3.10.0" }, { name = "pytest-mock", marker = "extra == 'test'", specifier = ">=3.10.0" },
{ name = "python-dotenv", specifier = ">=1.0.0" },
{ name = "python-multipart", specifier = ">=0.0.6" }, { name = "python-multipart", specifier = ">=0.0.6" },
{ name = "ruff", marker = "extra == 'dev'", specifier = ">=0.1.0" }, { name = "ruff", marker = "extra == 'dev'", specifier = ">=0.1.0" },
{ name = "sqlalchemy", specifier = ">=2.0.0" }, { name = "sqlalchemy", specifier = ">=2.0.0" },