fix(auth): Implement IndieAuth endpoint discovery per W3C spec

BREAKING: Removes INDIELOGIN_URL config - endpoints are now properly
discovered from user's profile URL as required by W3C IndieAuth spec.

- auth.py: Uses discover_endpoints() to find authorization_endpoint
- config.py: Deprecation warning for obsolete INDIELOGIN_URL setting
- auth_external.py: Relaxed validation (allows auth-only flows)
- tests: Updated to mock endpoint discovery

This fixes a regression where admin login was hardcoded to use
indielogin.com instead of respecting the user's declared endpoints.

Version: 1.5.0-hotfix.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-17 13:52:36 -07:00
parent 84e693fe57
commit 2bd971f3d6
12 changed files with 1366 additions and 77 deletions


@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [1.5.0-hotfix.1] - 2025-12-17
### Fixed
- **CRITICAL: IndieAuth Login Failure** - Fixed authentication bug preventing user login
- Authentication now correctly discovers endpoints from user's profile URL per W3C IndieAuth spec
- Removed hardcoded indielogin.com service URL (was causing PKCE errors)
- Login flow now uses discovered authorization_endpoint for identity verification
- URL comparison now handles trailing slashes and case differences correctly
- User-friendly error messages when endpoint discovery fails
- DEPRECATED: `INDIELOGIN_URL` config no longer used (will show warning if set)
- Implements proper IndieAuth authentication-only flow per specification
## [1.5.0] - 2025-12-17
### Added
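Review bot: The "URL comparison now handles trailing slashes and case differences correctly" entry under 1.5.0-hotfix.1 does not say which URL components are compared case-insensitively. Only the scheme and host of a URL are case-insensitive; paths are case-sensitive, so lowercasing the whole profile URL before comparing could treat two distinct identities as the same one. Please state the normalization precisely in this entry (for example, "scheme and host lowercased, path compared as-is"). Separately, the commit message marks the INDIELOGIN_URL removal as BREAKING, but here it appears only as a DEPRECATED bullet under "### Fixed"; a "### Removed" or "### Changed" heading would make it visible to operators. Since this file declares Semantic Versioning, note also that 1.5.0-hotfix.1 parses as a pre-release identifier and sorts before 1.5.0, not after it.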