phil/StarPunk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b46ab2264e8fce55fb69a9c72e497d68ee063c7b
StarPunk/docs/decisions/ADR-036-indieauth-token-verification-method.md
Phil Skentelbery 82bb1499d5 docs: Add v1.1.0 architecture and validation documentation 
- ADR-033: Database migration redesign
- ADR-034: Full-text search with FTS5
- ADR-035: Custom slugs in Micropub
- ADR-036: IndieAuth token verification method
- ADR-039: Micropub URL construction fix
- Implementation plan and decisions
- Architecture specifications
- Validation reports for implementation and search UI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-25 10:39:58 -07:00

114 lines
4.4 KiB
Markdown
Raw Blame History

# ADR-036: IndieAuth Token Verification Method Diagnosis
## Status
Accepted
## Context
StarPunk is experiencing HTTP 405 Method Not Allowed errors when verifying tokens with the external IndieAuth provider (gondulf.thesatelliteoflove.com). The user questioned "why are we making GET requests to these endpoints?"
Error from logs:
```
[2025-11-25 03:29:50] WARNING: Token verification failed:
Verification failed: Unexpected response: HTTP 405
```
## Investigation Results
### What the IndieAuth Spec Says
According to the W3C IndieAuth specification (Section 6.3.4 - Token Verification):
- Token verification MUST use a **GET request** to the token endpoint
- The request must include an Authorization header with Bearer token format
- This is explicitly different from token issuance, which uses POST
### What Our Code Does
Our implementation in `starpunk/auth_external.py` (line 425):
- **Correctly** uses GET for token verification
- **Correctly** sends Authorization: Bearer header
- **Correctly** follows the IndieAuth specification
### Why the 405 Error Occurs
HTTP 405 Method Not Allowed means the server doesn't support the HTTP method (GET) for the requested resource. This indicates that the gondulf IndieAuth provider is **not implementing the IndieAuth specification correctly**.
## Decision
Our implementation is correct. We are making GET requests because:
1. The IndieAuth spec explicitly requires GET for token verification
2. This distinguishes verification (GET) from token issuance (POST)
3. This is a standard pattern in OAuth-like protocols
## Rationale
### Why GET for Verification?
The IndieAuth spec uses different HTTP methods for different operations:
- **POST** for state-changing operations (issuing tokens, revoking tokens)
- **GET** for read-only operations (verifying tokens)
This follows RESTful principles where:
- GET is idempotent and safe (doesn't modify server state)
- POST creates or modifies resources
### The Problem
The gondulf IndieAuth provider appears to only support POST on its token endpoint, not implementing the full IndieAuth specification which requires both:
- POST for token issuance (Section 6.3)
- GET for token verification (Section 6.3.4)
## Consequences
### Immediate Impact
- StarPunk cannot verify tokens with gondulf.thesatelliteoflove.com
- The provider needs to be fixed to support GET requests for verification
- Our code is correct and should NOT be changed
### Potential Solutions
1. **Provider Fix** (Recommended): The gondulf IndieAuth provider should implement GET support for token verification per spec
2. **Provider Switch**: Use a compliant IndieAuth provider that fully implements the specification
3. **Non-Compliant Mode** (Not Recommended): Add a workaround to use POST for verification with non-compliant providers
## Alternatives Considered
### Alternative 1: Use POST for Verification
- **Rejected**: Violates IndieAuth specification
- Would make StarPunk non-compliant
- Would create confusion about proper IndieAuth implementation
### Alternative 2: Support Both GET and POST
- **Rejected**: Adds complexity without benefit
- The spec is clear: GET is required
- Supporting non-standard behavior encourages poor implementations
### Alternative 3: Document Provider Requirements
- **Accepted as Additional Action**: We should clearly document that StarPunk requires IndieAuth providers that fully implement the W3C specification
## Technical Details
### Correct Token Verification Flow
```
Client → GET /token
Authorization: Bearer {token}
Server → 200 OK
{
"me": "https://user.example.net/",
"client_id": "https://app.example.com/",
"scope": "create update"
}
```
### What Gondulf Is Doing Wrong
```
Client → GET /token
Authorization: Bearer {token}
Server → 405 Method Not Allowed
(Server only accepts POST)
```
## References
- [W3C IndieAuth Specification - Token Verification](https://www.w3.org/TR/indieauth/#token-verification)
- [W3C IndieAuth Specification - Token Endpoint](https://www.w3.org/TR/indieauth/#token-endpoint)
- StarPunk Implementation: `/home/phil/Projects/starpunk/starpunk/auth_external.py`
## Recommendation
1. Contact the gondulf IndieAuth provider maintainer and inform them their implementation is non-compliant
2. Provide them with the W3C spec reference showing GET is required for verification
3. Do NOT modify StarPunk's code - it is correct
4. Consider adding a note in our documentation about provider compliance requirements
Reference in New Issue View Git Blame Copy Permalink