-
Release Candidate 4: IndieAuth Authorization Server Removal
phil released this
2025-11-25 02:18:20 +01:00 | 89 commits to main since this releaseMajor architectural simplification removing built-in IndieAuth
authorization server in favor of external provider delegation.This release reduces the codebase by ~500 lines of security-critical
code while maintaining full IndieAuth specification compliance.Highlights:
- Removed authorization and token endpoints
- Removed token storage and management (~412 lines from tokens.py)
- Implemented external token verification architecture
- Dropped auth_codes and auth_tokens database tables
- Simplified security model focused on verification only
Breaking Changes:
- Existing tokens issued by StarPunk no longer valid
- TOKEN_ENDPOINT configuration now required
- Micropub clients must obtain tokens from external providers
(e.g., IndieLogin.com, tokens.indieauth.com)
Migration Required:
- Database migrations 003 and 004 must run
- Update configuration to set TOKEN_ENDPOINT
- Micropub clients need to re-authenticate
Documentation:
- Complete implementation report in docs/reports/
- Architectural review confirms production readiness
- ADR-050 and ADR-030 document architectural decisions
Security Improvements:
- Reduced attack surface (no token generation code)
- No cryptographic token management burden
- No local token storage or leakage risk
- Delegates security to specialized providers
Testing:
- 501/501 tests passing (100% success rate)
- Comprehensive test coverage for external verification
- Migration tests updated and passing
For complete details see:
docs/reports/2025-11-24-indieauth-removal-complete.mdDownloads