fix(auth): Implement IndieAuth endpoint discovery per W3C spec

BREAKING: Removes INDIELOGIN_URL config - endpoints are now properly discovered from user's profile URL as required by W3C IndieAuth spec. - auth.py: Uses discover_endpoints() to find authorization_endpoint - config.py: Deprecation warning for obsolete INDIELOGIN_URL setting - auth_external.py: Relaxed validation (allows auth-only flows) - tests: Updated to mock endpoint discovery This fixes a regression where admin login was hardcoded to use indielogin.com instead of respecting the user's declared endpoints. Version: 1.5.0-hotfix.1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-17 13:52:36 -07:00
parent 84e693fe57
commit 2bd971f3d6
12 changed files with 1366 additions and 77 deletions
--- a/starpunk/routes/auth.py
+++ b/starpunk/routes/auth.py
@@ -27,6 +27,7 @@ from starpunk.auth import (
    require_auth,
    verify_session,
 )
+from starpunk.auth_external import DiscoveryError

 # Create blueprint
 bp = Blueprint("auth", __name__, url_prefix="/auth")
@@ -77,12 +78,16 @@ def login_initiate():
        return redirect(url_for("auth.login_form"))

    try:
-        # Initiate IndieLogin flow
+        # Initiate IndieAuth flow
        auth_url = initiate_login(me_url)
        return redirect(auth_url)
    except ValueError as e:
        flash(str(e), "error")
        return redirect(url_for("auth.login_form"))
+    except DiscoveryError as e:
+        current_app.logger.error(f"Endpoint discovery failed for {me_url}: {e}")
+        flash("Unable to verify your profile URL. Please check that it's correct and try again.", "error")
+        return redirect(url_for("auth.login_form"))


@bp.route("/callback")