fix(auth): Implement IndieAuth endpoint discovery per W3C spec

BREAKING: Removes INDIELOGIN_URL config - endpoints are now properly
discovered from user's profile URL as required by W3C IndieAuth spec.

- auth.py: Uses discover_endpoints() to find authorization_endpoint
- config.py: Deprecation warning for obsolete INDIELOGIN_URL setting
- auth_external.py: Relaxed validation (allows auth-only flows)
- tests: Updated to mock endpoint discovery

This fixes a regression where admin login was hardcoded to use
indielogin.com instead of respecting the user's declared endpoints.

Version: 1.5.0-hotfix.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

starpunk/auth_external.py

@@ -299,11 +299,14 @@ def _fetch_and_parse(profile_url: str) -> Dict[str, str]:
             current_app.logger.warning(f"HTML parsing failed: {e}")
             # Continue with Link header endpoints if HTML parsing fails
 
-    # Validate we found required endpoints
-    if 'token_endpoint' not in endpoints:
+    # Validate we found at least one endpoint
+    # - authorization_endpoint: Required for authentication-only flows (admin login)
+    # - token_endpoint: Required for Micropub token verification
+    # Having at least one allows the appropriate flow to work
+    if 'token_endpoint' not in endpoints and 'authorization_endpoint' not in endpoints:
         raise DiscoveryError(
-            f"No token endpoint found at {profile_url}. "
-            "Ensure your profile has IndieAuth link elements or headers."
+            f"No IndieAuth endpoints found at {profile_url}. "
+            "Ensure your profile has authorization_endpoint or token_endpoint configured."
         )
 
     # Validate endpoint URLs