phil/StarPunk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
StarPunk/docs/reports/indieauth-fix-summary.md
Phil Skentelbery 01e66a063e feat: Add detailed IndieAuth logging with security-aware token redaction 
- Add logging helper functions with automatic token redaction
- Implement comprehensive logging throughout auth flow
- Add production warning for DEBUG logging
- Add 14 new tests for logging functionality
- Update version to v0.7.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-19 14:51:30 -07:00

125 lines
4.0 KiB
Markdown
Raw Permalink Blame History

# IndieAuth Authentication Fix - Quick Summary
**Status**: Solution Identified, Ready for Implementation
**Priority**: CRITICAL
**Estimated Fix Time**: 1-2 hours
**Confidence**: 95%
## The Problem
IndieLogin.com rejects authentication with:
```
This client_id is not registered (https://starpunk.thesatelliteoflove.com)
```
## Root Cause
StarPunk is using an outdated client discovery approach. The IndieAuth specification evolved in 2022 from HTML microformats (h-app) to JSON metadata documents. IndieLogin.com now requires the modern JSON approach.
**What we have**: h-app microformats in HTML footer
**What IndieLogin expects**: JSON metadata document at a well-known URL
## The Solution
Implement OAuth Client ID Metadata Document endpoint.
### Quick Implementation
1. **Add new route** in your Flask app:
```python
@app.route('/.well-known/oauth-authorization-server')
def oauth_client_metadata():
"""OAuth Client ID Metadata Document for IndieAuth discovery."""
metadata = {
'issuer': current_app.config['SITE_URL'],
'client_id': current_app.config['SITE_URL'],
'client_name': 'StarPunk',
'client_uri': current_app.config['SITE_URL'],
'redirect_uris': [
f"{current_app.config['SITE_URL']}/auth/callback"
],
'grant_types_supported': ['authorization_code'],
'response_types_supported': ['code'],
'code_challenge_methods_supported': ['S256'],
'token_endpoint_auth_methods_supported': ['none']
}
response = jsonify(metadata)
response.cache_control.max_age = 86400 # Cache 24 hours
response.cache_control.public = True
return response
```
2. **Add discovery link** to `templates/base.html` in `<head>`:
```html
<link rel="indieauth-metadata" href="/.well-known/oauth-authorization-server">
```
3. **Keep existing h-app** in footer for backward compatibility
### Testing
```bash
# Test endpoint exists and returns JSON
curl -s https://starpunk.thesatelliteoflove.com/.well-known/oauth-authorization-server | jq .
# Verify client_id matches URL (should return: true)
curl -s https://starpunk.thesatelliteoflove.com/.well-known/oauth-authorization-server | \
jq '.client_id == "https://starpunk.thesatelliteoflove.com"'
```
### Critical Requirements
1. `client_id` field MUST exactly match the URL where document is served
2. Use `current_app.config['SITE_URL']` - never hardcode URLs
3. `redirect_uris` must be an array, not a string
4. Return `Content-Type: application/json` (jsonify does this automatically)
## Why This Will Work
1. **Specification Compliant**: Implements current IndieAuth spec (2022+) exactly
2. **Matches Error Behavior**: IndieLogin.com is checking for client registration/metadata
3. **Industry Standard**: All modern IndieAuth clients use this approach
4. **Low Risk**: Purely additive, no breaking changes
5. **Observable**: Can verify endpoint before testing auth flow
## What Changed in IndieAuth
| Version | Method | Status |
|---------|--------|--------|
| 2020 | h-app microformats | Legacy (supported for compatibility) |
| 2022+ | JSON metadata document | Current standard |
IndieAuth spec now says servers "SHOULD" fetch metadata document and "SHOULD abort if fetching fails" - this explains the rejection.
## Documentation
Full details in:
- `/home/phil/Projects/starpunk/docs/reports/indieauth-client-discovery-root-cause-analysis.md` (comprehensive analysis)
- `/home/phil/Projects/starpunk/docs/decisions/ADR-017-oauth-client-metadata-document.md` (architecture decision)
## Next Steps
1. Implement the JSON metadata endpoint
2. Add discovery link to HTML
3. Deploy to production
4. Test authentication flow with IndieLogin.com
5. Verify successful login
6. Update version to v0.6.2
7. Update CHANGELOG
## Rollback Plan
If this doesn't work (unlikely):
1. Contact IndieLogin.com for clarification
2. Consider alternative IndieAuth provider
3. Implement self-hosted IndieAuth server
---
**Analysis Date**: 2025-11-19
**Architect**: StarPunk Architect Agent
**Reviewed**: IndieAuth spec, OAuth spec, IndieLogin.com behavior
Reference in New Issue View Git Blame Copy Permalink