fix(auth): require email authentication every login

CRITICAL SECURITY FIX: - Email code required EVERY login (authentication, not verification) - DNS TXT check cached separately (domain verification) - New auth_sessions table for per-login state - Codes hashed with SHA-256, constant-time comparison - Max 3 attempts, 10-minute session expiry - OAuth params stored server-side (security improvement) New files: - services/auth_session.py - migrations 004, 005 - ADR-010: domain verification vs user authentication 312 tests passing, 86.21% coverage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 15:16:26 -07:00
parent 9b50f359a6
commit 9135edfe84
17 changed files with 3457 additions and 529 deletions
--- a/src/gondulf/templates/authorize.html
+++ b/src/gondulf/templates/authorize.html
@@ -34,14 +34,8 @@
 {% endif %}

 <form method="POST" action="/authorize/consent">
-    <input type="hidden" name="client_id" value="{{ client_id }}">
-    <input type="hidden" name="redirect_uri" value="{{ redirect_uri }}">
-    <input type="hidden" name="response_type" value="{{ response_type }}">
-    <input type="hidden" name="state" value="{{ state }}">
-    <input type="hidden" name="code_challenge" value="{{ code_challenge }}">
-    <input type="hidden" name="code_challenge_method" value="{{ code_challenge_method }}">
-    <input type="hidden" name="scope" value="{{ scope }}">
-    <input type="hidden" name="me" value="{{ me }}">
+    <!-- Session ID contains all authorization state and proves authentication -->
+    <input type="hidden" name="session_id" value="{{ session_id }}">
    <button type="submit">Authorize</button>
 </form>
 {% endblock %}