release: v1.5.0 - Quality of Life Improvements

IndieAuth Authentication: - Corrected W3C IndieAuth specification compliance - Uses response_type=id for authentication-only flow per spec - Discovers endpoints from user profile URL - Removed hardcoded indielogin.com service - DEPRECATED: INDIELOGIN_URL config (now auto-discovered) Timestamp-Based Slugs (ADR-062): - Default slugs now use YYYYMMDDHHMMSS format - Unique collision handling with numeric suffix Debug File Management: - Controlled by DEBUG_SAVE_FAILED_UPLOADS config - Auto-cleanup of files older than 7 days - 100MB disk space protection - Filename sanitization for security Performance: - N+1 query fix in feed generation - Batch media loading for feed notes Data Integrity: - Atomic variant generation with temp files - Database/filesystem consistency on failure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-17 15:57:45 -07:00
parent c94cb377d3
commit 4ee2c189ae
8 changed files with 942 additions and 17 deletions
--- a/starpunk/init.py
+++ b/starpunk/init.py
@@ -332,5 +332,5 @@ def create_app(config=None):

 # Package version (Semantic Versioning 2.0.0)
 # See docs/standards/versioning-strategy.md for details
-__version__ = "1.5.0-rc.1"
+__version__ = "1.5.0"
 __version_info__ = (1, 5, 0)
--- a/starpunk/auth.py
+++ b/starpunk/auth.py
@@ -308,12 +308,15 @@ def initiate_login(me_url: str) -> str:
    db.commit()

    # Build authorization URL
+    # Per W3C IndieAuth spec: use response_type=id for authentication-only flow
+    # (identity verification without access token). This allows code redemption
+    # at the authorization_endpoint rather than requiring token_endpoint.
    params = {
        "me": me_url,
        "client_id": current_app.config["SITE_URL"],
        "redirect_uri": redirect_uri,
        "state": state,
-        "response_type": "code",
+        "response_type": "id",
    }

    current_app.logger.debug(
@@ -322,7 +325,7 @@ def initiate_login(me_url: str) -> str:
        f"  client_id: {current_app.config['SITE_URL']}\n"
        f"  redirect_uri: {redirect_uri}\n"
        f"  state: {_redact_token(state, 8)}\n"
-        f"  response_type: code"
+        f"  response_type: id (authentication-only flow)"
    )

    auth_url = f"{auth_endpoint}?{urlencode(params)}"