fix: Use authorization endpoint for IndieAuth code verification (v0.9.4)

IndieAuth authentication-only flows should redeem the code at the authorization endpoint, not the token endpoint. The token endpoint is only for authorization flows that need access tokens. - Remove grant_type parameter (only needed for token flows) - Change endpoint from /token to /authorize - Update debug logging to reflect code verification flow 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 19:19:37 -07:00
parent cbef0c1561
commit a6f3fbaae4
5 changed files with 307 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+## [0.9.4] - 2025-11-22
+
+### Fixed
+- **IndieAuth authentication endpoint correction**: Changed code redemption from token endpoint to authorization endpoint
+  - Per IndieAuth spec: authentication-only flows use `/authorize`, not `/token`
+  - StarPunk only needs identity verification, not access tokens
+  - Removed unnecessary `grant_type` parameter (only needed for token endpoint)
+  - Updated debug logging to reflect "code verification" terminology
+  - Fixes authentication with IndieLogin.com and spec-compliant providers
+
+### Changed
+- Code redemption now POSTs to `/authorize` endpoint instead of `/token`
+- Log messages updated from "token exchange" to "code verification"
+
 ## [0.9.3] - 2025-11-22

 ### Fixed