feat: Complete IndieAuth server removal (Phases 2-4)

Completed all remaining phases of ADR-030 IndieAuth provider removal.
StarPunk no longer acts as an authorization server - all IndieAuth
operations delegated to external providers.

Phase 2 - Remove Token Issuance:
- Deleted /auth/token endpoint
- Removed token_endpoint() function from routes/auth.py
- Deleted tests/test_routes_token.py

Phase 3 - Remove Token Storage:
- Deleted starpunk/tokens.py module entirely
- Created migration 004 to drop tokens and authorization_codes tables
- Deleted tests/test_tokens.py
- Removed all internal token CRUD operations

Phase 4 - External Token Verification:
- Created starpunk/auth_external.py module
- Implemented verify_external_token() for external IndieAuth providers
- Updated Micropub endpoint to use external verification
- Added TOKEN_ENDPOINT configuration
- Updated all Micropub tests to mock external verification
- HTTP timeout protection (5s) for external requests

Additional Changes:
- Created migration 003 to remove code_verifier from auth_state
- Fixed 5 migration tests that referenced obsolete code_verifier column
- Updated 11 Micropub tests for external verification
- Fixed test fixture and app context issues
- All 501 tests passing

Breaking Changes:
- Micropub clients must use external IndieAuth providers
- TOKEN_ENDPOINT configuration now required
- Existing internal tokens invalid (tables dropped)

Migration Impact:
- Simpler codebase: -500 lines of code
- Fewer database tables: -2 tables (tokens, authorization_codes)
- More secure: External providers handle token security
- More maintainable: Less authentication code to maintain

Standards Compliance:
- W3C IndieAuth specification
- OAuth 2.0 Bearer token authentication
- IndieWeb principle: delegate to external services

Related:
- ADR-030: IndieAuth Provider Removal Strategy
- ADR-050: Remove Custom IndieAuth Server
- Migration 003: Remove code_verifier from auth_state
- Migration 004: Drop tokens and authorization_codes tables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

This commit is contained in:

Phil Skentelbery

2025-11-24 17:23:46 -07:00

parent 869402ab0d

commit a3bac86647

36 changed files with 5597 additions and 2670 deletions

									
										4

starpunk/routes/micropub.py
									
												View File
												
				@@ -28,7 +28,7 @@ from starpunk.micropub import (

				    handle_create,

				    handle_query,

				)

				from starpunk.tokens import verify_token

				from starpunk.auth_external import verify_external_token

				# Create blueprint

				bp = Blueprint("micropub", __name__)

				@@ -71,7 +71,7 @@ def micropub_endpoint():

				    if not token:

				        return error_response("unauthorized", "No access token provided", 401)

				    token_info = verify_token(token)

				    token_info = verify_external_token(token)

				    if not token_info:

				        return error_response("unauthorized", "Invalid or expired access token", 401)

feat: Complete IndieAuth server removal (Phases 2-4)

4 starpunk/routes/micropub.py Unescape Escape View File

4

starpunk/routes/micropub.py

View File