feat: Complete IndieAuth server removal (Phases 2-4)

Completed all remaining phases of ADR-030 IndieAuth provider removal.
StarPunk no longer acts as an authorization server - all IndieAuth
operations delegated to external providers.

Phase 2 - Remove Token Issuance:
- Deleted /auth/token endpoint
- Removed token_endpoint() function from routes/auth.py
- Deleted tests/test_routes_token.py

Phase 3 - Remove Token Storage:
- Deleted starpunk/tokens.py module entirely
- Created migration 004 to drop tokens and authorization_codes tables
- Deleted tests/test_tokens.py
- Removed all internal token CRUD operations

Phase 4 - External Token Verification:
- Created starpunk/auth_external.py module
- Implemented verify_external_token() for external IndieAuth providers
- Updated Micropub endpoint to use external verification
- Added TOKEN_ENDPOINT configuration
- Updated all Micropub tests to mock external verification
- HTTP timeout protection (5s) for external requests

Additional Changes:
- Created migration 003 to remove code_verifier from auth_state
- Fixed 5 migration tests that referenced obsolete code_verifier column
- Updated 11 Micropub tests for external verification
- Fixed test fixture and app context issues
- All 501 tests passing

Breaking Changes:
- Micropub clients must use external IndieAuth providers
- TOKEN_ENDPOINT configuration now required
- Existing internal tokens invalid (tables dropped)

Migration Impact:
- Simpler codebase: -500 lines of code
- Fewer database tables: -2 tables (tokens, authorization_codes)
- More secure: External providers handle token security
- More maintainable: Less authentication code to maintain

Standards Compliance:
- W3C IndieAuth specification
- OAuth 2.0 Bearer token authentication
- IndieWeb principle: delegate to external services

Related:
- ADR-030: IndieAuth Provider Removal Strategy
- ADR-050: Remove Custom IndieAuth Server
- Migration 003: Remove code_verifier from auth_state
- Migration 004: Drop tokens and authorization_codes tables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

starpunk/auth.py

@@ -27,7 +27,6 @@ Exceptions:
     IndieLoginError: External service error
 """
 
-import base64
 import hashlib
 import logging
 import secrets
@@ -68,42 +67,6 @@ class IndieLoginError(AuthError):
     pass
 
 
-# PKCE helper functions
-def _generate_pkce_verifier() -> str:
-    """
-    Generate PKCE code_verifier.
-
-    Creates a cryptographically random 43-character URL-safe string
-    as required by PKCE specification (RFC 7636).
-
-    Returns:
-        URL-safe base64-encoded random string (43 characters)
-    """
-    # Generate 32 random bytes = 43 chars when base64-url encoded
-    verifier = secrets.token_urlsafe(32)
-    return verifier
-
-
-def _generate_pkce_challenge(verifier: str) -> str:
-    """
-    Generate PKCE code_challenge from code_verifier.
-
-    Creates SHA256 hash of verifier and encodes as base64-url string
-    per RFC 7636 S256 method.
-
-    Args:
-        verifier: The code_verifier string from _generate_pkce_verifier()
-
-    Returns:
-        Base64-URL encoded SHA256 hash (43 characters)
-    """
-    # SHA256 hash the verifier
-    digest = hashlib.sha256(verifier.encode('utf-8')).digest()
-    # Base64-URL encode (no padding)
-    challenge = base64.urlsafe_b64encode(digest).decode('utf-8').rstrip('=')
-    return challenge
-
-
 # Logging helper functions
 def _redact_token(value: str, show_chars: int = 6) -> str:
     """
@@ -230,37 +193,35 @@ def _generate_state_token() -> str:
     return secrets.token_urlsafe(32)
 
 
-def _verify_state_token(state: str) -> Optional[str]:
+def _verify_state_token(state: str) -> bool:
     """
-    Verify and consume CSRF state token, returning code_verifier.
+    Verify and consume CSRF state token.
 
     Args:
         state: State token to verify
 
     Returns:
-        code_verifier string if valid, None if invalid or expired
+        True if valid, False if invalid or expired
     """
     db = get_db(current_app)
 
-    # Check if state exists and not expired, retrieve code_verifier
+    # Check if state exists and not expired
     result = db.execute(
         """
-        SELECT code_verifier FROM auth_state
+        SELECT 1 FROM auth_state
         WHERE state = ? AND expires_at > datetime('now')
         """,
         (state,),
     ).fetchone()
 
     if not result:
-        return None
-
-    code_verifier = result['code_verifier']
+        return False
 
     # Delete state (single-use)
     db.execute("DELETE FROM auth_state WHERE state = ?", (state,))
     db.commit()
 
-    return code_verifier
+    return True
 
 
 def _cleanup_expired_sessions() -> None:
@@ -289,7 +250,7 @@ def _cleanup_expired_sessions() -> None:
 # Core authentication functions
 def initiate_login(me_url: str) -> str:
     """
-    Initiate IndieLogin authentication flow with PKCE.
+    Initiate IndieLogin authentication flow.
 
     Args:
         me_url: User's IndieWeb identity URL
@@ -310,37 +271,27 @@ def initiate_login(me_url: str) -> str:
     state = _generate_state_token()
     current_app.logger.debug(f"Auth: Generated state token: {_redact_token(state, 8)}")
 
-    # Generate PKCE verifier and challenge
-    code_verifier = _generate_pkce_verifier()
-    code_challenge = _generate_pkce_challenge(code_verifier)
-    current_app.logger.debug(
-        f"Auth: Generated PKCE pair:\n"
-        f"  verifier: {_redact_token(code_verifier)}\n"
-        f"  challenge: {_redact_token(code_challenge)}"
-    )
-
-    # Store state and verifier in database (5-minute expiry)
+    # Store state in database (5-minute expiry)
     db = get_db(current_app)
     expires_at = datetime.utcnow() + timedelta(minutes=5)
     redirect_uri = f"{current_app.config['SITE_URL']}auth/callback"
 
     db.execute(
         """
-        INSERT INTO auth_state (state, code_verifier, expires_at, redirect_uri)
-        VALUES (?, ?, ?, ?)
+        INSERT INTO auth_state (state, expires_at, redirect_uri)
+        VALUES (?, ?, ?)
         """,
-        (state, code_verifier, expires_at, redirect_uri),
+        (state, expires_at, redirect_uri),
     )
     db.commit()
 
-    # Build IndieLogin authorization URL with PKCE
+    # Build IndieLogin authorization URL
     params = {
         "me": me_url,
         "client_id": current_app.config["SITE_URL"],
         "redirect_uri": redirect_uri,
         "state": state,
-        "code_challenge": code_challenge,
-        "code_challenge_method": "S256",
+        "response_type": "code",
     }
 
     current_app.logger.debug(
@@ -349,8 +300,7 @@ def initiate_login(me_url: str) -> str:
         f"  client_id: {current_app.config['SITE_URL']}\n"
         f"  redirect_uri: {redirect_uri}\n"
         f"  state: {_redact_token(state, 8)}\n"
-        f"  code_challenge: {_redact_token(code_challenge)}\n"
-        f"  code_challenge_method: S256"
+        f"  response_type: code"
     )
 
     # CORRECT ENDPOINT: /authorize (not /auth)
@@ -370,7 +320,7 @@ def initiate_login(me_url: str) -> str:
 
 def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optional[str]:
     """
-    Handle IndieLogin callback with PKCE verification.
+    Handle IndieLogin callback.
 
     Args:
         code: Authorization code from IndieLogin
@@ -387,15 +337,14 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
     """
     current_app.logger.debug(f"Auth: Verifying state token: {_redact_token(state, 8)}")
 
-    # Verify state token and retrieve code_verifier (CSRF protection)
-    code_verifier = _verify_state_token(state)
-    if not code_verifier:
+    # Verify state token (CSRF protection)
+    if not _verify_state_token(state):
         current_app.logger.warning(
             "Auth: Invalid state token received (possible CSRF or expired token)"
         )
         raise InvalidStateError("Invalid or expired state token")
 
-    current_app.logger.debug("Auth: State token valid, code_verifier retrieved")
+    current_app.logger.debug("Auth: State token valid")
 
     # Verify issuer (security check)
     expected_iss = f"{current_app.config['INDIELOGIN_URL']}/"
@@ -407,7 +356,7 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
 
     current_app.logger.debug(f"Auth: Issuer verified: {iss}")
 
-    # Prepare code verification request with PKCE verifier
+    # Prepare code verification request
     # Note: For authentication-only flows (identity verification), we use the
     # authorization endpoint, not the token endpoint. grant_type is not needed.
     # See IndieAuth spec: authorization endpoint for authentication,
@@ -416,13 +365,12 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
         "code": code,
         "client_id": current_app.config["SITE_URL"],
         "redirect_uri": f"{current_app.config['SITE_URL']}auth/callback",
-        "code_verifier": code_verifier,  # PKCE verification
     }
 
     # Use authorization endpoint for authentication-only flow (identity verification)
     token_url = f"{current_app.config['INDIELOGIN_URL']}/authorize"
 
-    # Log the request (code_verifier will be redacted)
+    # Log the request
     _log_http_request(
         method="POST",
         url=token_url,
@@ -434,12 +382,11 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
         "Auth: Sending code verification request to authorization endpoint:\n"
         "  Method: POST\n"
         "  URL: %s\n"
-        "  Data: code=%s, client_id=%s, redirect_uri=%s, code_verifier=%s",
+        "  Data: code=%s, client_id=%s, redirect_uri=%s",
         token_url,
         _redact_token(code),
         token_exchange_data["client_id"],
         token_exchange_data["redirect_uri"],
-        _redact_token(code_verifier),
     )
 
     # Exchange code for identity at authorization endpoint (authentication-only flow)