feat(token): implement GET /token for token verification

Implements W3C IndieAuth Section 6.3 token verification endpoint.
The token endpoint now supports both:
- POST: Issue new tokens (authorization code exchange)
- GET: Verify existing tokens (resource server validation)

Changes:
- Added GET handler to /token endpoint
- Extracts Bearer token from Authorization header (RFC 6750)
- Returns JSON with me, client_id, scope
- Returns 401 with WWW-Authenticate for invalid tokens
- 11 new tests covering all verification scenarios

All 533 tests passing. Resolves critical P0 blocker for v1.0.0.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-25 08:10:47 -07:00
parent 526a21d3fb
commit 6bb2a4033f
8 changed files with 1168 additions and 26 deletions
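The GET /token verification flow described in the commit message above (Bearer extraction per RFC 6750, a JSON body with `me`, `client_id` and `scope`, and a 401 with `WWW-Authenticate` otherwise), written out as an added example; this is not the project's own handler, and the token store, realm string and `handle_get_token` / `extract_bearer` names are assumptions made for the illustration.

```python
import re
from typing import Optional

# Constructed sample store: opaque access token -> verification data.
# A real deployment would look tokens up in persistent storage, not a dict literal.
TOKENS = {
    "tok_abc123": {
        "me": "https://alice.example/",
        "client_id": "https://app.example/",
        "scope": "create update",
    },
}

# RFC 6750 §2.1: "Bearer" SP b64token, where b64token is ALPHA / DIGIT / "-" / "." /
# "_" / "~" / "+" / "/" followed by optional "=" padding. The scheme name is
# case-insensitive (HTTP auth-scheme), hence re.IGNORECASE.
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' value, or None if absent/malformed."""
    if not authorization:
        return None
    match = BEARER_RE.match(authorization.strip())
    return match.group(1) if match else None


def handle_get_token(headers: dict, tokens: dict = TOKENS):
    """Handle GET /token. Returns (status_code, response_headers, json_body).

    Any failure (no header, wrong scheme, unknown or revoked token) yields a 401
    carrying the RFC 6750 challenge so that a resource server never treats a
    missing credential as a valid one.
    """
    auth = headers.get("Authorization") or headers.get("authorization")
    token = extract_bearer(auth)
    if token is None:
        # No usable credentials were presented: challenge without leaking detail.
        challenge = 'Bearer realm="indieauth"'
        return 401, {"WWW-Authenticate": challenge}, {"error": "invalid_token"}
    info = tokens.get(token)
    if info is None:
        # A token was presented but is unknown/expired: RFC 6750 §3.1 error attribute.
        challenge = 'Bearer realm="indieauth", error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge}, {"error": "invalid_token"}
    # Successful verification: only the fields the commit message lists are returned.
    return 200, {"Content-Type": "application/json"}, {
        "me": info["me"], "client_id": info["client_id"], "scope": info["scope"],
    }
```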


@@ -118,11 +118,14 @@ class TestTokenEndpointErrors:
data = response.json()
assert data["detail"]["error"] == "invalid_grant"
def test_get_method_not_allowed(self, error_client):
"""Test GET method not allowed on token endpoint."""
def test_get_method_requires_authorization(self, error_client):
"""Test GET method requires Authorization header for token verification."""
response = error_client.get("/token")
assert response.status_code == 405
# GET is now allowed for token verification, but requires Authorization header
assert response.status_code == 401
data = response.json()
assert data["detail"]["error"] == "invalid_token"
@pytest.mark.e2e
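Review bot: test_get_method_requires_authorization asserts only the status code and the JSON error field, while the commit message states that the 401 carries a WWW-Authenticate header; add an assertion such as `assert response.headers["WWW-Authenticate"].startswith("Bearer")` so the RFC 6750 challenge is actually covered, and consider a sibling case that sends a malformed or unknown Bearer token, since this test exercises only the missing-header path. Note also that RFC 6750 §3.1 says a request with no credentials at all SHOULD NOT receive an error code, so the `"invalid_token"` assertion for the no-header case pins a choice that deviates from that recommendation; if it is intentional, say so in the docstring.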