feat(token): implement GET /token for token verification

Implements W3C IndieAuth Section 6.3 token verification endpoint.
The token endpoint now supports both:
- POST: Issue new tokens (authorization code exchange)
- GET: Verify existing tokens (resource server validation)

Changes:
- Added GET handler to /token endpoint
- Extracts Bearer token from Authorization header (RFC 6750)
- Returns JSON with me, client_id, scope
- Returns 401 with WWW-Authenticate for invalid tokens
- 11 new tests covering all verification scenarios

All 533 tests passing. Resolves critical P0 blocker for v1.0.0.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
2025-11-25 08:10:47 -07:00
parent 526a21d3fb
commit 6bb2a4033f
8 changed files with 1168 additions and 26 deletions
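The verification flow the commit message describes (GET to the token endpoint, Bearer token taken from the Authorization header per RFC 6750, a JSON body with `me`, `client_id` and `scope` on success, a 401 carrying a `WWW-Authenticate` challenge otherwise) as a framework-free Python sketch. This is an added example, not the project's code: the token store, the `parse_bearer`, `lookup_token` and `verify_token_request` helpers, the realm string and the sample token values are all constructed for illustration.

```python
"""Added example: RFC 6750 Bearer extraction plus a token-verification handler.
Not the project's code; the store, helper names and sample values are assumptions."""
import hmac
import re
from typing import Optional

# RFC 6750 section 2.1: the "Bearer" scheme, one or more spaces, then a b64token.
# HTTP auth scheme names are case-insensitive, hence IGNORECASE.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Constructed sample store: token -> claims. Hypothetical values only.
TOKENS = {
    "tok_example_abc123": {
        "me": "https://alice.example/",
        "client_id": "https://app.example/",
        "scope": "create update",
    },
}

REALM = "indieauth"  # assumed realm name for the challenge


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an Authorization header, or None if absent/malformed."""
    if not authorization:
        return None
    match = _BEARER_RE.match(authorization.strip())
    return match.group(1) if match else None


def lookup_token(token: str, store=TOKENS):
    """Look the token up with a constant-time comparison against each stored
    value so a mismatch does not leak how much of the token matched.
    Scans the whole store; acceptable for a small in-memory example."""
    found = None
    for candidate, claims in store.items():
        if hmac.compare_digest(candidate.encode(), token.encode()):
            found = claims
    return found


def verify_token_request(headers: dict, store=TOKENS):
    """Handle GET /token. Returns (status, response_headers, body)."""
    auth = headers.get("Authorization") or headers.get("authorization")
    token = parse_bearer(auth)
    if token is None:
        # RFC 6750 section 3: no usable credentials -> challenge without an error attribute.
        return (
            401,
            {"WWW-Authenticate": f'Bearer realm="{REALM}"'},
            {"error": "invalid_token"},
        )
    claims = lookup_token(token, store)
    if claims is None:
        # Unknown, expired or revoked token -> challenge carrying error="invalid_token".
        challenge = (
            f'Bearer realm="{REALM}", error="invalid_token", '
            'error_description="The access token is not valid"'
        )
        return 401, {"WWW-Authenticate": challenge}, {"error": "invalid_token"}
    # Success: the resource server learns who the token is for and what it may do.
    body = {"me": claims["me"], "client_id": claims["client_id"], "scope": claims["scope"]}
    return 200, {"Content-Type": "application/json"}, body


if __name__ == "__main__":
    print(verify_token_request({}))
    print(verify_token_request({"Authorization": "Bearer tok_example_abc123"}))
```

The header value is parsed with an anchored pattern rather than `split()` so that trailing garbage, a bare `Bearer` with no token, or a different scheme all fall into the 401 path; the challenge header is always present on a 401, which is the part a test of this endpoint should check as well as the JSON body.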


@@ -244,10 +244,13 @@ class TestTokenExchangeErrors:
class TestTokenEndpointSecurity:
"""Security tests for token endpoint."""
def test_token_endpoint_requires_post(self, token_client):
"""Test token endpoint only accepts POST requests."""
def test_token_endpoint_get_requires_authorization(self, token_client):
"""Test GET to token endpoint requires Authorization header."""
response = token_client.get("/token")
assert response.status_code == 405 # Method Not Allowed
# GET is allowed for token verification but requires Authorization header
assert response.status_code == 401 # Unauthorized
data = response.json()
assert data["detail"]["error"] == "invalid_token"
def test_token_endpoint_requires_form_data(self, token_client, setup_auth_code):
"""Test token endpoint requires form-encoded data."""
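Review bot: `test_token_endpoint_get_requires_authorization` asserts the 401 status and the `detail.error == "invalid_token"` body but never checks the `WWW-Authenticate` header that the commit message says accompanies every invalid-token response, so a regression that drops the challenge header would still pass. After `assert data["detail"]["error"] == "invalid_token"` add something like `assert response.headers["WWW-Authenticate"].startswith("Bearer")`. Also, since this hunk replaces the old `test_token_endpoint_requires_post` and its `405` assertion, it would help to state in the docstring that GET is now an intentional, supported method, so the next reader does not take the removed 405 check for an accidental deletion.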