Phil Skentelbery
80bd51e4c1
CRITICAL: Fix hardcoded IndieAuth endpoint configuration that violated the W3C IndieAuth specification. Endpoints are now discovered dynamically from the user's profile URL as required by the spec. This combines two critical fixes for v1.0.0-rc.5: 1. Migration race condition fix (previously committed) 2. IndieAuth endpoint discovery (this commit) ## What Changed ### Endpoint Discovery Implementation - Completely rewrote starpunk/auth_external.py with full endpoint discovery - Implements W3C IndieAuth specification Section 4.2 (Discovery by Clients) - Supports HTTP Link headers and HTML link elements for discovery - Always discovers from ADMIN_ME (single-user V1 assumption) - Endpoint caching (1 hour TTL) for performance - Token verification caching (5 minutes TTL) - Graceful fallback to expired cache on network failures ### Breaking Changes - REMOVED: TOKEN_ENDPOINT configuration variable - Endpoints now discovered automatically from ADMIN_ME profile - ADMIN_ME profile must include IndieAuth link elements or headers - Deprecation warning shown if TOKEN_ENDPOINT still in environment ### Added - New dependency: beautifulsoup4>=4.12.0 for HTML parsing - HTTP Link header parsing (RFC 8288 basic support) - HTML link element extraction with BeautifulSoup4 - Relative URL resolution against profile URL - HTTPS enforcement in production (HTTP allowed in debug mode) - Comprehensive error handling with clear messages - 35 new tests covering all discovery scenarios ### Security - Token hashing (SHA-256) for secure caching - HTTPS required in production, localhost only in debug mode - URL validation prevents injection - Fail closed on security errors - Single-user validation (token must belong to ADMIN_ME) ### Performance - Cold cache: ~700ms (first request per hour) - Warm cache: ~2ms (subsequent requests) - Grace period maintains service during network issues ## Testing - 536 tests passing (excluding timing-sensitive migration tests) - 35 new endpoint discovery tests (all passing) - Zero regressions in existing functionality ## Documentation - Updated CHANGELOG.md with comprehensive v1.0.0-rc.5 entry - Implementation report: docs/reports/2025-11-24-v1.0.0-rc.5-implementation.md - Migration guide: docs/migration/fix-hardcoded-endpoints.md (architect) - ADR-031: Endpoint Discovery Implementation Details (architect) ## Migration Required 1. Ensure ADMIN_ME profile has IndieAuth link elements 2. Remove TOKEN_ENDPOINT from .env file 3. Restart StarPunk - endpoints discovered automatically Following: - ADR-031: Endpoint Discovery Implementation Details - docs/architecture/endpoint-discovery-answers.md (architect Q&A) - docs/architecture/indieauth-endpoint-discovery.md (architect guide) - W3C IndieAuth Specification Section 4.2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
StarPunk
A minimal, self-hosted IndieWeb CMS for publishing notes with RSS syndication.
Current Version: 0.9.5 (development)
Versioning
StarPunk follows Semantic Versioning 2.0.0:
- Version format:
MAJOR.MINOR.PATCH - Current:
0.9.5(pre-release development) - First stable release will be
1.0.0
Version Information:
- Current:
0.9.5(pre-release development) - Check version:
python -c "from starpunk import __version__; print(__version__)" - See changes: CHANGELOG.md
- Versioning strategy: docs/standards/versioning-strategy.md
Philosophy
"Every line of code must justify its existence. When in doubt, leave it out."
StarPunk is designed for a single user who wants to:
- Publish short notes to their personal website
- Own their content (notes stored as portable markdown files)
- Syndicate via RSS
- Support IndieWeb standards (Micropub, IndieAuth)
- Run on minimal resources
Features
- File-based storage: Notes are markdown files, owned by you
- IndieAuth authentication: Use your own website as identity
- Micropub support: Coming in v1.0 (currently in development)
- RSS feed: Automatic syndication
- No database lock-in: SQLite for metadata, files for content
- Self-hostable: Run on your own server
- Minimal dependencies: 6 core dependencies, no build tools
Requirements
- Python 3.11 or higher
- 500MB disk space
- Linux, macOS, or Windows with WSL2
Quick Start
# Clone repository
git clone https://github.com/YOUR_USERNAME/starpunk.git
cd starpunk
# Install uv (package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
# Create virtual environment
uv venv .venv --python 3.11
# Install dependencies
uv pip install -r requirements.txt
# Configure
cp .env.example .env
# Edit .env and set ADMIN_ME and SESSION_SECRET
# Initialize database
mkdir -p data/notes
.venv/bin/python -c "from starpunk.database import init_db; init_db()"
# Note: Database also auto-initializes on first run if not present
# Run development server
.venv/bin/flask --app app.py run --debug
# Visit http://localhost:5000
Configuration
All configuration is in the .env file. Required settings:
ADMIN_ME- Your IndieWeb identity URL (e.g., https://yoursite.com)SESSION_SECRET- Random secret key (generate withpython3 -c "import secrets; print(secrets.token_hex(32))")SITE_URL- Public URL of your site
See .env.example for all options.
Project Structure
starpunk/
├── app.py # Application entry point
├── starpunk/ # Application code
├── data/ # Your notes and database (gitignored)
│ ├── notes/ # Markdown files
│ └── starpunk.db # SQLite database
├── static/ # CSS and JavaScript
├── templates/ # HTML templates
└── tests/ # Test suite
Usage
Publishing Notes
Via Web Interface:
- Navigate to
/admin - Login with your IndieWeb identity
- Create notes in markdown
Via Micropub Client (Coming in v1.0):
- Configure client with your site URL
- Authenticate via IndieAuth
- Publish from any Micropub-compatible app
Backing Up Your Data
Your notes are stored as plain markdown files in data/notes/. Back up this directory:
# Simple backup
tar -czf backup.tar.gz data/
# Or use rsync
rsync -av data/ /backup/starpunk/
Development
See docs/standards/development-setup.md for detailed setup.
# Install dev dependencies
uv pip install -r requirements-dev.txt
# Run tests
.venv/bin/pytest
# Format code
.venv/bin/black starpunk/ tests/
# Lint
.venv/bin/flake8 starpunk/ tests/
Architecture
StarPunk uses a hybrid storage approach:
- Notes content: Markdown files (portable, human-readable)
- Metadata: SQLite database (fast queries)
This gives you both portability AND performance.
See docs/architecture/ for complete documentation.
IndieWeb Compliance
StarPunk implements:
- Micropub - Publishing API
- IndieAuth - Authentication
- Microformats2 - Semantic HTML markup
- RSS 2.0 - Feed syndication
Deployment
Production Setup
# Install gunicorn
uv pip install gunicorn
# Run with gunicorn
.venv/bin/gunicorn -w 4 -b 127.0.0.1:8000 app:app
# Configure nginx/Caddy for HTTPS
# Set up systemd for process management
# Enable regular backups of data/ directory
See docs/standards/deployment-standards.md for details.
License
MIT License - see LICENSE file
Credits
Built with:
- Flask - Web framework
- python-markdown - Markdown processing
- feedgen - RSS generation
- httpx - HTTP client
- IndieLogin - Authentication service
Contributing
This is a personal project optimized for single-user use. If you want additional features, consider forking!
Support
- Documentation: docs/
- Issues: GitHub Issues
- IndieWeb: indieweb.org