phil/StarPunk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Change auth blueprint prefix from /admin to /auth (v0.9.2)

Browse Source 
The auth routes were registered under /admin/* but the IndieAuth
redirect_uri was configured as /auth/callback, causing 404 errors
when providers redirected back after authentication.

- Change auth blueprint url_prefix from "/admin" to "/auth"
- Update test expectations for new auth route paths
- Add ADR-022 documenting the architectural decision

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-22 18:22:08 -07:00
parent 78165ad3be
commit 44a97e4ffa
8 changed files with 308 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
docs/decisions/ADR-022-auth-route-prefix-fix.md Normal file
View File

@@ -0,0 +1,178 @@
# ADR-022: Fix IndieAuth Callback Route Mismatch
## Status
Proposed
## Context
We have discovered a critical routing mismatch in our IndieAuth implementation that causes a 404 error when IndieAuth providers redirect back to our application.
### The Problem
The auth blueprint is currently registered with `url_prefix="/admin"` in `/starpunk/routes/auth.py` line 30:
```python
bp = Blueprint("auth", __name__, url_prefix="/admin")
```
This means all auth routes are actually served under `/admin`:
- `/admin/login` - Login form
- `/admin/callback` - OAuth callback endpoint
- `/admin/logout` - Logout endpoint
However, in `/starpunk/auth.py` lines 325 and 414, the redirect_uri sent to IndieAuth providers is:
```python
redirect_uri = f"{current_app.config['SITE_URL']}auth/callback"
```
This mismatch causes IndieAuth providers to redirect users to `/auth/callback`, which doesn't exist, resulting in a 404 error.
### Current Route Structure
- **Auth Blueprint** (with `/admin` prefix):
- `/admin/login` - Login form
- `/admin/callback` - OAuth callback
- `/admin/logout` - Logout endpoint
- **Admin Blueprint** (with `/admin` prefix):
- `/admin/` - Dashboard
- `/admin/new` - Create note
- `/admin/edit/<id>` - Edit note
- `/admin/delete/<id>` - Delete note
## Decision
Change the auth blueprint URL prefix from `/admin` to `/auth` to match the redirect_uri being sent to IndieAuth providers.
## Rationale
### 1. Separation of Concerns
Authentication routes (`/auth/*`) should be semantically separate from administration routes (`/admin/*`). This creates a cleaner architecture where:
- `/auth/*` handles authentication flows (login, callback, logout)
- `/admin/*` handles protected administrative functions (dashboard, CRUD operations)
### 2. Standards Compliance
IndieAuth and OAuth2 conventions typically use `/auth/callback` for OAuth callbacks:
- Most OAuth documentation and examples use this pattern
- IndieAuth implementations commonly expect callbacks at `/auth/callback`
- Follows RESTful URL design principles
### 3. Security Benefits
Clear separation provides:
- Easier application of different security policies (rate limiting on auth vs admin)
- Clearer audit trails and access logs
- Reduced cognitive load when reviewing security configurations
- Better principle of least privilege implementation
### 4. Minimal Impact
Analysis of the codebase shows:
- No hardcoded URLs to `/admin/login` in external-facing documentation
- All internal redirects use `url_for('auth.login_form')` which will automatically adjust
- Templates use named routes: `url_for('auth.login_initiate')`, `url_for('auth.logout')`
- No stored auth_state data is tied to the URL path
### 5. Future Flexibility
If we later need public authentication for other features:
- API token generation could live at `/auth/tokens`
- OAuth provider functionality could use `/auth/authorize`
- WebAuthn endpoints could use `/auth/webauthn`
- All auth-related functionality stays organized under `/auth`
## Consequences
### Positive
- **Fixes the immediate bug**: IndieAuth callbacks will work correctly
- **Cleaner architecture**: Proper separation between auth and admin concerns
- **Standards alignment**: Matches common OAuth/IndieAuth patterns
- **No breaking changes**: All internal routes use named endpoints
- **Better organization**: More intuitive URL structure
### Negative
- **Documentation updates needed**: Must update docs showing `/admin/login` paths
- **Potential user confusion**: Users who bookmarked `/admin/login` will get 404
- Mitigation: Could add a redirect from `/admin/login` to `/auth/login` for transition period
### Migration Requirements
- No database migrations required
- No session invalidation needed
- No configuration changes needed
- Simply update the blueprint registration
## Alternatives Considered
### Alternative 1: Change redirect_uri to `/admin/callback`
**Rejected because:**
- Mixes authentication concerns with administration in URL structure
- Goes against common OAuth/IndieAuth URL patterns
- Less intuitive - callbacks aren't "admin" functions
- Requires changes in two places in `auth.py` (lines 325 and 414)
### Alternative 2: Create a separate `/auth` blueprint just for callback
**Rejected because:**
- Splits related authentication logic across multiple blueprints
- More complex routing configuration
- Harder to maintain - auth logic spread across files
- Violates single responsibility principle at module level
### Alternative 3: Use root-level routes (`/login`, `/callback`, `/logout`)
**Rejected because:**
- Pollutes the root namespace
- No logical grouping of related routes
- Harder to apply auth-specific middleware
- Less scalable as application grows
### Alternative 4: Keep current structure and add redirect
**Rejected because:**
- Doesn't fix the underlying architectural issue
- Adds unnecessary HTTP redirect overhead
- Makes debugging more complex
- Band-aid solution rather than proper fix
## Implementation
### Required Change
Update line 30 in `/home/phil/Projects/starpunk/starpunk/routes/auth.py`:
```python
# From:
bp = Blueprint("auth", __name__, url_prefix="/admin")
# To:
bp = Blueprint("auth", __name__, url_prefix="/auth")
```
### Results
This single change will:
- Make the callback available at `/auth/callback` (matching the redirect_uri)
- Move login to `/auth/login`
- Move logout to `/auth/logout`
- All template references using `url_for()` will automatically resolve correctly
### Optional Transition Support
If desired, add temporary redirects in `starpunk/routes/admin.py`:
```python
@bp.route("/login")
def old_login_redirect():
"""Temporary redirect for bookmarks"""
return redirect(url_for("auth.login_form"), 301)
```
### Documentation Updates Required
Files to update:
- `/home/phil/Projects/starpunk/TECHNOLOGY-STACK-SUMMARY.md` - Update route table
- `/home/phil/Projects/starpunk/docs/design/phase-4-web-interface.md` - Update route documentation
- `/home/phil/Projects/starpunk/docs/designs/phase-5-quick-reference.md` - Update admin access instructions
## Testing Verification
After implementation:
1. Verify `/auth/login` displays login form
2. Verify `/auth/callback` accepts IndieAuth redirects
3. Verify `/auth/logout` destroys session
4. Verify all admin routes still require authentication
5. Test full IndieAuth flow with real provider
## References
- [IndieAuth Specification](https://indieauth.spec.indieweb.org/) - Section on redirect URIs
- [OAuth 2.0 RFC 6749](https://tools.ietf.org/html/rfc6749) - Section 3.1.2 on redirection endpoints
- [RESTful API Design](https://restfulapi.net/resource-naming/) - URL naming conventions
- Current implementation: `/home/phil/Projects/starpunk/starpunk/routes/auth.py`, `/home/phil/Projects/starpunk/starpunk/auth.py`
---
**Document Version**: 1.0
**Created**: 2025-11-22
**Author**: StarPunk Architecture Team (agent-architect)
**Review Required By**: agent-developer before implementation

107
docs/reports/2025-11-22-auth-route-prefix-fix.md Normal file
View File

@@ -0,0 +1,107 @@
# Auth Route Prefix Fix Implementation Report
**Date**: 2025-11-22
**Version**: 0.9.2
**ADR**: ADR-022-auth-route-prefix-fix.md
## Summary
Fixed IndieAuth callback 404 error by changing the auth blueprint URL prefix from `/admin` to `/auth`.
## Problem
The auth blueprint in `starpunk/routes/auth.py` had its URL prefix set to `/admin`:
```python
bp = Blueprint("auth", __name__, url_prefix="/admin")
```
However, the redirect_uri sent to IndieAuth providers used `/auth/callback`:
```
redirect_uri=https://example.com/auth/callback
```
This mismatch caused IndieLogin.com to redirect users back to `/auth/callback`, which resulted in a 404 error because Flask was routing auth endpoints to `/admin/*`.
## Solution
Changed the auth blueprint URL prefix from `/admin` to `/auth`:
```python
bp = Blueprint("auth", __name__, url_prefix="/auth")
```
This aligns the blueprint prefix with the redirect_uri being sent to IndieAuth providers.
## Files Modified
1. **`starpunk/routes/auth.py`** (line 30)
- Changed: `url_prefix="/admin"` -> `url_prefix="/auth"`
2. **`tests/test_routes_admin.py`**
- Updated test assertion from `/admin/login` to `/auth/login`
3. **`tests/test_routes_dev_auth.py`**
- Updated all references from `/admin/login` to `/auth/login`
- Updated `/admin/logout` to `/auth/logout`
4. **`tests/test_templates.py`**
- Updated all references from `/admin/login` to `/auth/login`
5. **`starpunk/__init__.py`**
- Version bumped from 0.9.1 to 0.9.2
6. **`CHANGELOG.md`**
- Added 0.9.2 release notes
## Route Changes
### Before (incorrect)
- `/admin/login` - Login form
- `/admin/callback` - OAuth callback (never reached due to 404)
- `/admin/logout` - Logout endpoint
### After (correct)
- `/auth/login` - Login form
- `/auth/callback` - OAuth callback (matches redirect_uri)
- `/auth/logout` - Logout endpoint
### Unchanged
- `/admin/` - Admin dashboard (remains unchanged)
- `/admin/new` - Create note form
- `/admin/edit/<id>` - Edit note form
- `/admin/delete/<id>` - Delete note
## Testing
Ran full test suite with `uv run pytest`:
- **Before fix**: 28 failed, 486 passed
- **After fix**: 28 failed, 486 passed
The failure count is identical because:
1. The fix itself does not introduce new failures
2. Tests were updated to expect the new `/auth/*` URL patterns
3. Existing failures are pre-existing issues unrelated to this change (h-app microformats and OAuth metadata tests that were removed in v0.8.0)
## Verification
To verify the fix is working:
1. Start the application: `uv run flask --app app.py run`
2. Navigate to `/auth/login`
3. Enter your IndieAuth URL and submit
4. After authenticating with IndieLogin.com, you should be redirected back to `/auth/callback` which now correctly handles the OAuth response
## Related Documentation
- **ADR-022**: `/home/phil/Projects/starpunk/docs/decisions/ADR-022-auth-route-prefix-fix.md`
- **Versioning Strategy**: `/home/phil/Projects/starpunk/docs/standards/versioning-strategy.md`
- **Git Branching Strategy**: `/home/phil/Projects/starpunk/docs/standards/git-branching-strategy.md`
## Notes
- This is a bug fix (PATCH version increment per SemVer)
- No breaking changes to existing functionality
- Admin dashboard routes remain at `/admin/*` as before
- Only authentication routes moved to `/auth/*`