feat: Add detailed IndieAuth logging with security-aware token redaction
- Add logging helper functions with automatic token redaction - Implement comprehensive logging throughout auth flow - Add production warning for DEBUG logging - Add 14 new tests for logging functionality - Update version to v0.7.0 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
124
docs/reports/indieauth-fix-summary.md
Normal file
124
docs/reports/indieauth-fix-summary.md
Normal file
@@ -0,0 +1,124 @@
|
||||
# IndieAuth Authentication Fix - Quick Summary
|
||||
|
||||
**Status**: Solution Identified, Ready for Implementation
|
||||
**Priority**: CRITICAL
|
||||
**Estimated Fix Time**: 1-2 hours
|
||||
**Confidence**: 95%
|
||||
|
||||
## The Problem
|
||||
|
||||
IndieLogin.com rejects authentication with:
|
||||
```
|
||||
This client_id is not registered (https://starpunk.thesatelliteoflove.com)
|
||||
```
|
||||
|
||||
## Root Cause
|
||||
|
||||
StarPunk is using an outdated client discovery approach. The IndieAuth specification evolved in 2022 from HTML microformats (h-app) to JSON metadata documents. IndieLogin.com now requires the modern JSON approach.
|
||||
|
||||
**What we have**: h-app microformats in HTML footer
|
||||
**What IndieLogin expects**: JSON metadata document at a well-known URL
|
||||
|
||||
## The Solution
|
||||
|
||||
Implement OAuth Client ID Metadata Document endpoint.
|
||||
|
||||
### Quick Implementation
|
||||
|
||||
1. **Add new route** in your Flask app:
|
||||
|
||||
```python
|
||||
@app.route('/.well-known/oauth-authorization-server')
|
||||
def oauth_client_metadata():
|
||||
"""OAuth Client ID Metadata Document for IndieAuth discovery."""
|
||||
metadata = {
|
||||
'issuer': current_app.config['SITE_URL'],
|
||||
'client_id': current_app.config['SITE_URL'],
|
||||
'client_name': 'StarPunk',
|
||||
'client_uri': current_app.config['SITE_URL'],
|
||||
'redirect_uris': [
|
||||
f"{current_app.config['SITE_URL']}/auth/callback"
|
||||
],
|
||||
'grant_types_supported': ['authorization_code'],
|
||||
'response_types_supported': ['code'],
|
||||
'code_challenge_methods_supported': ['S256'],
|
||||
'token_endpoint_auth_methods_supported': ['none']
|
||||
}
|
||||
|
||||
response = jsonify(metadata)
|
||||
response.cache_control.max_age = 86400 # Cache 24 hours
|
||||
response.cache_control.public = True
|
||||
return response
|
||||
```
|
||||
|
||||
2. **Add discovery link** to `templates/base.html` in `<head>`:
|
||||
|
||||
```html
|
||||
<link rel="indieauth-metadata" href="/.well-known/oauth-authorization-server">
|
||||
```
|
||||
|
||||
3. **Keep existing h-app** in footer for backward compatibility
|
||||
|
||||
### Testing
|
||||
|
||||
```bash
|
||||
# Test endpoint exists and returns JSON
|
||||
curl -s https://starpunk.thesatelliteoflove.com/.well-known/oauth-authorization-server | jq .
|
||||
|
||||
# Verify client_id matches URL (should return: true)
|
||||
curl -s https://starpunk.thesatelliteoflove.com/.well-known/oauth-authorization-server | \
|
||||
jq '.client_id == "https://starpunk.thesatelliteoflove.com"'
|
||||
```
|
||||
|
||||
### Critical Requirements
|
||||
|
||||
1. `client_id` field MUST exactly match the URL where document is served
|
||||
2. Use `current_app.config['SITE_URL']` - never hardcode URLs
|
||||
3. `redirect_uris` must be an array, not a string
|
||||
4. Return `Content-Type: application/json` (jsonify does this automatically)
|
||||
|
||||
## Why This Will Work
|
||||
|
||||
1. **Specification Compliant**: Implements current IndieAuth spec (2022+) exactly
|
||||
2. **Matches Error Behavior**: IndieLogin.com is checking for client registration/metadata
|
||||
3. **Industry Standard**: All modern IndieAuth clients use this approach
|
||||
4. **Low Risk**: Purely additive, no breaking changes
|
||||
5. **Observable**: Can verify endpoint before testing auth flow
|
||||
|
||||
## What Changed in IndieAuth
|
||||
|
||||
| Version | Method | Status |
|
||||
|---------|--------|--------|
|
||||
| 2020 | h-app microformats | Legacy (supported for compatibility) |
|
||||
| 2022+ | JSON metadata document | Current standard |
|
||||
|
||||
IndieAuth spec now says servers "SHOULD" fetch metadata document and "SHOULD abort if fetching fails" - this explains the rejection.
|
||||
|
||||
## Documentation
|
||||
|
||||
Full details in:
|
||||
- `/home/phil/Projects/starpunk/docs/reports/indieauth-client-discovery-root-cause-analysis.md` (comprehensive analysis)
|
||||
- `/home/phil/Projects/starpunk/docs/decisions/ADR-017-oauth-client-metadata-document.md` (architecture decision)
|
||||
|
||||
## Next Steps
|
||||
|
||||
1. Implement the JSON metadata endpoint
|
||||
2. Add discovery link to HTML
|
||||
3. Deploy to production
|
||||
4. Test authentication flow with IndieLogin.com
|
||||
5. Verify successful login
|
||||
6. Update version to v0.6.2
|
||||
7. Update CHANGELOG
|
||||
|
||||
## Rollback Plan
|
||||
|
||||
If this doesn't work (unlikely):
|
||||
1. Contact IndieLogin.com for clarification
|
||||
2. Consider alternative IndieAuth provider
|
||||
3. Implement self-hosted IndieAuth server
|
||||
|
||||
---
|
||||
|
||||
**Analysis Date**: 2025-11-19
|
||||
**Architect**: StarPunk Architect Agent
|
||||
**Reviewed**: IndieAuth spec, OAuth spec, IndieLogin.com behavior
|
||||
Reference in New Issue
Block a user