Phil Skentelbery 052d3ad3e1 feat(auth): implement response_type=id authentication flow ...

Implements both IndieAuth flows per W3C specification:
- Authentication flow (response_type=id): Code redeemed at authorization endpoint, returns only user identity
- Authorization flow (response_type=code): Code redeemed at token endpoint, returns access token

Changes:
- Authorization endpoint GET: Accept response_type=id (default) and code
- Authorization endpoint POST: Handle code verification for authentication flow
- Token endpoint: Validate response_type=code for authorization flow
- Store response_type in authorization code metadata
- Update metadata endpoint: response_types_supported=[code, id], code_challenge_methods_supported=[S256]

The default behavior now correctly defaults to response_type=id when omitted, per IndieAuth spec section 5.2.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-22 12:23:20 -07:00

..

api

feat(auth): implement response_type=id authentication flow

2025-11-22 12:23:20 -07:00

middleware

feat(test): add Phase 5b integration and E2E tests

2025-11-21 22:22:04 -07:00

services

feat(test): add Phase 5b integration and E2E tests

2025-11-21 22:22:04 -07:00

__init__.py

feat(core): implement Phase 1 foundation infrastructure

2025-11-20 12:21:42 -07:00

test_health.py

fix(health): support HEAD method for health endpoint

2025-11-22 11:54:06 -07:00

test_https_enforcement.py

fix(security): exempt health endpoint from HTTPS enforcement

2025-11-22 11:45:06 -07:00

test_security_headers.py

feat(security): merge Phase 4b security hardening

2025-11-20 18:28:50 -07:00