StarPunk

phil/StarPunk

Fork 0

Commit Graph

Author	SHA1	Message	Date
Phil Skentelbery	a3bac86647	feat: Complete IndieAuth server removal (Phases 2-4) Completed all remaining phases of ADR-030 IndieAuth provider removal. StarPunk no longer acts as an authorization server - all IndieAuth operations delegated to external providers. Phase 2 - Remove Token Issuance: - Deleted /auth/token endpoint - Removed token_endpoint() function from routes/auth.py - Deleted tests/test_routes_token.py Phase 3 - Remove Token Storage: - Deleted starpunk/tokens.py module entirely - Created migration 004 to drop tokens and authorization_codes tables - Deleted tests/test_tokens.py - Removed all internal token CRUD operations Phase 4 - External Token Verification: - Created starpunk/auth_external.py module - Implemented verify_external_token() for external IndieAuth providers - Updated Micropub endpoint to use external verification - Added TOKEN_ENDPOINT configuration - Updated all Micropub tests to mock external verification - HTTP timeout protection (5s) for external requests Additional Changes: - Created migration 003 to remove code_verifier from auth_state - Fixed 5 migration tests that referenced obsolete code_verifier column - Updated 11 Micropub tests for external verification - Fixed test fixture and app context issues - All 501 tests passing Breaking Changes: - Micropub clients must use external IndieAuth providers - TOKEN_ENDPOINT configuration now required - Existing internal tokens invalid (tables dropped) Migration Impact: - Simpler codebase: -500 lines of code - Fewer database tables: -2 tables (tokens, authorization_codes) - More secure: External providers handle token security - More maintainable: Less authentication code to maintain Standards Compliance: - W3C IndieAuth specification - OAuth 2.0 Bearer token authentication - IndieWeb principle: delegate to external services Related: - ADR-030: IndieAuth Provider Removal Strategy - ADR-050: Remove Custom IndieAuth Server - Migration 003: Remove code_verifier from auth_state - Migration 004: Drop tokens and authorization_codes tables 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-24 17:23:46 -07:00
Phil Skentelbery	8be079593f	fix: Implement OAuth Client ID Metadata Document endpoint Fixes critical IndieAuth authentication failure by implementing modern JSON-based client discovery mechanism per IndieAuth spec section 4.2. Added /.well-known/oauth-authorization-server endpoint returning JSON metadata with client_id, redirect_uris, and OAuth capabilities. Added <link rel="indieauth-metadata"> discovery hint in HTML head. Maintained h-app microformats for backward compatibility with legacy IndieAuth servers. This resolves "client_id is not registered" error from IndieLogin.com by providing the metadata document modern IndieAuth servers expect. Changes: - Added oauth_client_metadata() endpoint in public routes - Returns JSON with client info (24-hour cache) - Uses config values (SITE_URL, SITE_NAME) not hardcoded URLs - Added indieauth-metadata link in base.html - Comprehensive test suite (15 new tests, all passing) - Updated version to v0.6.2 (PATCH increment) - Updated CHANGELOG.md with detailed fix documentation Standards Compliance: - IndieAuth specification section 4.2 - OAuth Client ID Metadata Document format - IANA well-known URI registry - RFC 7591 OAuth 2.0 Dynamic Client Registration Testing: - 467/468 tests passing (99.79%) - 15 new tests for OAuth metadata and discovery - Zero regressions in existing tests - Test coverage maintained at 88% Related Documentation: - ADR-017: OAuth Client ID Metadata Document Implementation - IndieAuth Fix Summary report - Implementation report in docs/reports/ Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-19 14:33:23 -07:00
Phil Skentelbery	0cca8169ce	feat: Implement Phase 4 Web Interface with bugfixes (v0.5.2) ## Phase 4: Web Interface Implementation Implemented complete web interface with public and admin routes, templates, CSS, and development authentication. ### Core Features Public Routes: - Homepage with recent published notes - Note permalinks with microformats2 - Server-side rendering (Jinja2) Admin Routes: - Login via IndieLogin - Dashboard with note management - Create, edit, delete notes - Protected with @require_auth decorator Development Authentication: - Dev login bypass for local testing (DEV_MODE only) - Security safeguards per ADR-011 - Returns 404 when disabled Templates & Frontend: - Base layouts (public + admin) - 8 HTML templates with microformats2 - Custom responsive CSS (114 lines) - Error pages (404, 500) ### Bugfixes (v0.5.1 → v0.5.2) 1. Cookie collision fix (v0.5.1): - Renamed auth cookie from "session" to "starpunk_session" - Fixed redirect loop between dev login and admin dashboard - Flask's session cookie no longer conflicts with auth 2. HTTP 404 error handling (v0.5.1): - Update route now returns 404 for nonexistent notes - Delete route now returns 404 for nonexistent notes - Follows ADR-012 HTTP Error Handling Policy - Pattern consistency across all admin routes 3. Note model enhancement (v0.5.2): - Exposed deleted_at field from database schema - Enables soft deletion verification in tests - Follows ADR-013 transparency principle ### Architecture New ADRs: - ADR-011: Development Authentication Mechanism - ADR-012: HTTP Error Handling Policy - ADR-013: Expose deleted_at Field in Note Model Standards Compliance: - Uses uv for Python environment - Black formatted, Flake8 clean - Follows git branching strategy - Version incremented per versioning strategy ### Test Results - 405/406 tests passing (99.75%) - 87% code coverage - All security tests passing - Manual testing confirmed working ### Documentation - Complete implementation reports in docs/reports/ - Architecture reviews in docs/reviews/ - Design documents in docs/design/ - CHANGELOG updated for v0.5.2 ### Files Changed New Modules: - starpunk/dev_auth.py - starpunk/routes/ (public, admin, auth, dev_auth) Templates: 10 files (base, pages, admin, errors) Static: CSS and optional JavaScript Tests: 4 test files for routes and templates Docs: 20+ architectural and implementation documents 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-18 23:01:53 -07:00

Author

SHA1

Message

Date

Phil Skentelbery

a3bac86647

feat: Complete IndieAuth server removal (Phases 2-4)

Completed all remaining phases of ADR-030 IndieAuth provider removal.
StarPunk no longer acts as an authorization server - all IndieAuth
operations delegated to external providers.

Phase 2 - Remove Token Issuance:
- Deleted /auth/token endpoint
- Removed token_endpoint() function from routes/auth.py
- Deleted tests/test_routes_token.py

Phase 3 - Remove Token Storage:
- Deleted starpunk/tokens.py module entirely
- Created migration 004 to drop tokens and authorization_codes tables
- Deleted tests/test_tokens.py
- Removed all internal token CRUD operations

Phase 4 - External Token Verification:
- Created starpunk/auth_external.py module
- Implemented verify_external_token() for external IndieAuth providers
- Updated Micropub endpoint to use external verification
- Added TOKEN_ENDPOINT configuration
- Updated all Micropub tests to mock external verification
- HTTP timeout protection (5s) for external requests

Additional Changes:
- Created migration 003 to remove code_verifier from auth_state
- Fixed 5 migration tests that referenced obsolete code_verifier column
- Updated 11 Micropub tests for external verification
- Fixed test fixture and app context issues
- All 501 tests passing

Breaking Changes:
- Micropub clients must use external IndieAuth providers
- TOKEN_ENDPOINT configuration now required
- Existing internal tokens invalid (tables dropped)

Migration Impact:
- Simpler codebase: -500 lines of code
- Fewer database tables: -2 tables (tokens, authorization_codes)
- More secure: External providers handle token security
- More maintainable: Less authentication code to maintain

Standards Compliance:
- W3C IndieAuth specification
- OAuth 2.0 Bearer token authentication
- IndieWeb principle: delegate to external services

Related:
- ADR-030: IndieAuth Provider Removal Strategy
- ADR-050: Remove Custom IndieAuth Server
- Migration 003: Remove code_verifier from auth_state
- Migration 004: Drop tokens and authorization_codes tables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-24 17:23:46 -07:00

Phil Skentelbery

8be079593f

fix: Implement OAuth Client ID Metadata Document endpoint

Fixes critical IndieAuth authentication failure by implementing modern
JSON-based client discovery mechanism per IndieAuth spec section 4.2.

Added /.well-known/oauth-authorization-server endpoint returning JSON
metadata with client_id, redirect_uris, and OAuth capabilities.

Added <link rel="indieauth-metadata"> discovery hint in HTML head.

Maintained h-app microformats for backward compatibility with legacy
IndieAuth servers.

This resolves "client_id is not registered" error from IndieLogin.com
by providing the metadata document modern IndieAuth servers expect.

Changes:
- Added oauth_client_metadata() endpoint in public routes
- Returns JSON with client info (24-hour cache)
- Uses config values (SITE_URL, SITE_NAME) not hardcoded URLs
- Added indieauth-metadata link in base.html
- Comprehensive test suite (15 new tests, all passing)
- Updated version to v0.6.2 (PATCH increment)
- Updated CHANGELOG.md with detailed fix documentation

Standards Compliance:
- IndieAuth specification section 4.2
- OAuth Client ID Metadata Document format
- IANA well-known URI registry
- RFC 7591 OAuth 2.0 Dynamic Client Registration

Testing:
- 467/468 tests passing (99.79%)
- 15 new tests for OAuth metadata and discovery
- Zero regressions in existing tests
- Test coverage maintained at 88%

Related Documentation:
- ADR-017: OAuth Client ID Metadata Document Implementation
- IndieAuth Fix Summary report
- Implementation report in docs/reports/

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-19 14:33:23 -07:00

Phil Skentelbery

0cca8169ce

feat: Implement Phase 4 Web Interface with bugfixes (v0.5.2)

## Phase 4: Web Interface Implementation

Implemented complete web interface with public and admin routes,
templates, CSS, and development authentication.

### Core Features

**Public Routes**:
- Homepage with recent published notes
- Note permalinks with microformats2
- Server-side rendering (Jinja2)

**Admin Routes**:
- Login via IndieLogin
- Dashboard with note management
- Create, edit, delete notes
- Protected with @require_auth decorator

**Development Authentication**:
- Dev login bypass for local testing (DEV_MODE only)
- Security safeguards per ADR-011
- Returns 404 when disabled

**Templates & Frontend**:
- Base layouts (public + admin)
- 8 HTML templates with microformats2
- Custom responsive CSS (114 lines)
- Error pages (404, 500)

### Bugfixes (v0.5.1 → v0.5.2)

1. **Cookie collision fix (v0.5.1)**:
   - Renamed auth cookie from "session" to "starpunk_session"
   - Fixed redirect loop between dev login and admin dashboard
   - Flask's session cookie no longer conflicts with auth

2. **HTTP 404 error handling (v0.5.1)**:
   - Update route now returns 404 for nonexistent notes
   - Delete route now returns 404 for nonexistent notes
   - Follows ADR-012 HTTP Error Handling Policy
   - Pattern consistency across all admin routes

3. **Note model enhancement (v0.5.2)**:
   - Exposed deleted_at field from database schema
   - Enables soft deletion verification in tests
   - Follows ADR-013 transparency principle

### Architecture

**New ADRs**:
- ADR-011: Development Authentication Mechanism
- ADR-012: HTTP Error Handling Policy
- ADR-013: Expose deleted_at Field in Note Model

**Standards Compliance**:
- Uses uv for Python environment
- Black formatted, Flake8 clean
- Follows git branching strategy
- Version incremented per versioning strategy

### Test Results

- 405/406 tests passing (99.75%)
- 87% code coverage
- All security tests passing
- Manual testing confirmed working

### Documentation

- Complete implementation reports in docs/reports/
- Architecture reviews in docs/reviews/
- Design documents in docs/design/
- CHANGELOG updated for v0.5.2

### Files Changed

**New Modules**:
- starpunk/dev_auth.py
- starpunk/routes/ (public, admin, auth, dev_auth)

**Templates**: 10 files (base, pages, admin, errors)
**Static**: CSS and optional JavaScript
**Tests**: 4 test files for routes and templates
**Docs**: 20+ architectural and implementation documents

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-18 23:01:53 -07:00

3 Commits