feat: Complete IndieAuth server removal (Phases 2-4)

Completed all remaining phases of ADR-030 IndieAuth provider removal. StarPunk no longer acts as an authorization server - all IndieAuth operations delegated to external providers. Phase 2 - Remove Token Issuance: - Deleted /auth/token endpoint - Removed token_endpoint() function from routes/auth.py - Deleted tests/test_routes_token.py Phase 3 - Remove Token Storage: - Deleted starpunk/tokens.py module entirely - Created migration 004 to drop tokens and authorization_codes tables - Deleted tests/test_tokens.py - Removed all internal token CRUD operations Phase 4 - External Token Verification: - Created starpunk/auth_external.py module - Implemented verify_external_token() for external IndieAuth providers - Updated Micropub endpoint to use external verification - Added TOKEN_ENDPOINT configuration - Updated all Micropub tests to mock external verification - HTTP timeout protection (5s) for external requests Additional Changes: - Created migration 003 to remove code_verifier from auth_state - Fixed 5 migration tests that referenced obsolete code_verifier column - Updated 11 Micropub tests for external verification - Fixed test fixture and app context issues - All 501 tests passing Breaking Changes: - Micropub clients must use external IndieAuth providers - TOKEN_ENDPOINT configuration now required - Existing internal tokens invalid (tables dropped) Migration Impact: - Simpler codebase: -500 lines of code - Fewer database tables: -2 tables (tokens, authorization_codes) - More secure: External providers handle token security - More maintainable: Less authentication code to maintain Standards Compliance: - W3C IndieAuth specification - OAuth 2.0 Bearer token authentication - IndieWeb principle: delegate to external services Related: - ADR-030: IndieAuth Provider Removal Strategy - ADR-050: Remove Custom IndieAuth Server - Migration 003: Remove code_verifier from auth_state - Migration 004: Drop tokens and authorization_codes tables 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-24 17:23:46 -07:00
parent 869402ab0d
commit a3bac86647
36 changed files with 5597 additions and 2670 deletions
--- a/tests/test_templates.py
+++ b/tests/test_templates.py
@@ -394,44 +394,8 @@ class TestTemplateVariables:
        assert b"href=" in response.data


-class TestIndieAuthClientDiscovery:
-    """Test IndieAuth client discovery (h-app microformats)"""
-
-    def test_h_app_microformats_present(self, client):
-        """Verify h-app client discovery markup exists"""
-        response = client.get("/")
-        assert response.status_code == 200
-        assert b'class="h-app"' in response.data
-
-    def test_h_app_contains_url_and_name_properties(self, client):
-        """Verify h-app contains u-url and p-name properties"""
-        response = client.get("/")
-        assert response.status_code == 200
-        assert b'class="u-url p-name"' in response.data
-
-    def test_h_app_contains_site_url(self, client, app):
-        """Verify h-app contains correct site URL"""
-        response = client.get("/")
-        assert response.status_code == 200
-        assert app.config["SITE_URL"].encode() in response.data
-
-    def test_h_app_contains_site_name(self, client, app):
-        """Verify h-app contains site name"""
-        response = client.get("/")
-        assert response.status_code == 200
-        site_name = app.config.get("SITE_NAME", "StarPunk").encode()
-        assert site_name in response.data
-
-    def test_h_app_is_hidden(self, client):
-        """Verify h-app has hidden attribute for visual hiding"""
-        response = client.get("/")
-        assert response.status_code == 200
-        # h-app div should have hidden attribute
-        assert b'class="h-app" hidden' in response.data
-
-    def test_h_app_is_aria_hidden(self, client):
-        """Verify h-app has aria-hidden for screen reader hiding"""
-        response = client.get("/")
-        assert response.status_code == 200
-        # h-app div should have aria-hidden="true"
-        assert b'aria-hidden="true"' in response.data
+# IndieAuth client discovery tests (h-app microformats) removed in Phase 1
+# The h-app markup was only needed when StarPunk acted as an IndieAuth client
+# for Micropub authorization. With the authorization server removed, these
+# discovery microformats are no longer needed.
+# See: docs/architecture/indieauth-removal-phases.md