Release 0.8.0: Fix IndieAuth authentication with PKCE
Released 2025-11-19 23:44:07 +01:00
CRITICAL FIX: This release fixes IndieAuth authentication by implementing PKCE (Proof Key for Code Exchange) as required by IndieLogin.com.
Key Features:
- PKCE implementation (RFC 7636 compliant)
- Corrected IndieLogin.com API endpoints
- Issuer validation for enhanced security
- Database migration for code_verifier storage
What's Fixed:
- Authentication now works with IndieLogin.com
- Removed incorrect OAuth metadata endpoint (v0.7.0)
- Removed unnecessary h-app microformats (v0.7.1)
Security Improvements:
- PKCE prevents code interception attacks
- Issuer validation prevents token substitution
- Enhanced logging with sensitive data redaction
Breaking Changes:
- Database migration required
- Users mid-authentication must restart login
Migration:
See migrations/001_add_code_verifier_to_auth_state.sql
Full details: See CHANGELOG.md for complete changes
🤖 Generated with Claude Code