Phil Skentelbery
a3bac86647
Completed all remaining phases of ADR-030 IndieAuth provider removal. StarPunk no longer acts as an authorization server - all IndieAuth operations delegated to external providers. Phase 2 - Remove Token Issuance: - Deleted /auth/token endpoint - Removed token_endpoint() function from routes/auth.py - Deleted tests/test_routes_token.py Phase 3 - Remove Token Storage: - Deleted starpunk/tokens.py module entirely - Created migration 004 to drop tokens and authorization_codes tables - Deleted tests/test_tokens.py - Removed all internal token CRUD operations Phase 4 - External Token Verification: - Created starpunk/auth_external.py module - Implemented verify_external_token() for external IndieAuth providers - Updated Micropub endpoint to use external verification - Added TOKEN_ENDPOINT configuration - Updated all Micropub tests to mock external verification - HTTP timeout protection (5s) for external requests Additional Changes: - Created migration 003 to remove code_verifier from auth_state - Fixed 5 migration tests that referenced obsolete code_verifier column - Updated 11 Micropub tests for external verification - Fixed test fixture and app context issues - All 501 tests passing Breaking Changes: - Micropub clients must use external IndieAuth providers - TOKEN_ENDPOINT configuration now required - Existing internal tokens invalid (tables dropped) Migration Impact: - Simpler codebase: -500 lines of code - Fewer database tables: -2 tables (tokens, authorization_codes) - More secure: External providers handle token security - More maintainable: Less authentication code to maintain Standards Compliance: - W3C IndieAuth specification - OAuth 2.0 Bearer token authentication - IndieWeb principle: delegate to external services Related: - ADR-030: IndieAuth Provider Removal Strategy - ADR-050: Remove Custom IndieAuth Server - Migration 003: Remove code_verifier from auth_state - Migration 004: Drop tokens and authorization_codes tables 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
28 lines
976 B
SQL
28 lines
976 B
SQL
-- Migration 003: Remove code_verifier from auth_state table
|
|
-- Reason: PKCE is only needed for authorization servers, not for admin login
|
|
-- Phase 1 of IndieAuth authorization server removal
|
|
-- Date: 2025-11-24
|
|
|
|
-- SQLite doesn't support DROP COLUMN directly, so we need to recreate the table
|
|
-- Step 1: Create new table without code_verifier
|
|
CREATE TABLE auth_state_new (
|
|
state TEXT PRIMARY KEY,
|
|
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
expires_at TIMESTAMP NOT NULL,
|
|
redirect_uri TEXT
|
|
);
|
|
|
|
-- Step 2: Copy data from old table (excluding code_verifier)
|
|
INSERT INTO auth_state_new (state, created_at, expires_at, redirect_uri)
|
|
SELECT state, created_at, expires_at, redirect_uri
|
|
FROM auth_state;
|
|
|
|
-- Step 3: Drop old table
|
|
DROP TABLE auth_state;
|
|
|
|
-- Step 4: Rename new table to original name
|
|
ALTER TABLE auth_state_new RENAME TO auth_state;
|
|
|
|
-- Step 5: Recreate index
|
|
CREATE INDEX IF NOT EXISTS idx_auth_state_expires ON auth_state(expires_at);
|