phil/StarPunk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dd63df785874ba63277afdbb2d0f4c90b6238897
StarPunk/docs/architecture/phase1-completion-guide.md
Phil Skentelbery a3bac86647 feat: Complete IndieAuth server removal (Phases 2-4) 
Completed all remaining phases of ADR-030 IndieAuth provider removal.
StarPunk no longer acts as an authorization server - all IndieAuth
operations delegated to external providers.

Phase 2 - Remove Token Issuance:
- Deleted /auth/token endpoint
- Removed token_endpoint() function from routes/auth.py
- Deleted tests/test_routes_token.py

Phase 3 - Remove Token Storage:
- Deleted starpunk/tokens.py module entirely
- Created migration 004 to drop tokens and authorization_codes tables
- Deleted tests/test_tokens.py
- Removed all internal token CRUD operations

Phase 4 - External Token Verification:
- Created starpunk/auth_external.py module
- Implemented verify_external_token() for external IndieAuth providers
- Updated Micropub endpoint to use external verification
- Added TOKEN_ENDPOINT configuration
- Updated all Micropub tests to mock external verification
- HTTP timeout protection (5s) for external requests

Additional Changes:
- Created migration 003 to remove code_verifier from auth_state
- Fixed 5 migration tests that referenced obsolete code_verifier column
- Updated 11 Micropub tests for external verification
- Fixed test fixture and app context issues
- All 501 tests passing

Breaking Changes:
- Micropub clients must use external IndieAuth providers
- TOKEN_ENDPOINT configuration now required
- Existing internal tokens invalid (tables dropped)

Migration Impact:
- Simpler codebase: -500 lines of code
- Fewer database tables: -2 tables (tokens, authorization_codes)
- More secure: External providers handle token security
- More maintainable: Less authentication code to maintain

Standards Compliance:
- W3C IndieAuth specification
- OAuth 2.0 Bearer token authentication
- IndieWeb principle: delegate to external services

Related:
- ADR-030: IndieAuth Provider Removal Strategy
- ADR-050: Remove Custom IndieAuth Server
- Migration 003: Remove code_verifier from auth_state
- Migration 004: Drop tokens and authorization_codes tables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-24 17:23:46 -07:00

7.1 KiB
Raw Blame History

Phase 1 Completion Guide: Test Cleanup and Commit

Architectural Decision Summary

After reviewing your Phase 1 implementation, I've made the following architectural decisions:

1. Implementation Assessment: EXCELLENT

Your Phase 1 implementation is correct and complete. You've successfully:

  • Removed the authorization endpoint cleanly
  • Preserved admin functionality
  • Documented everything properly
  • Identified all test impacts

2. Test Strategy: DELETE ALL 30 FAILING TESTS NOW

Rationale: These tests are testing removed functionality. Keeping them provides no value and creates confusion.

3. Phase Strategy: ACCELERATE WITH COMBINED PHASES

After completing Phase 1, combine Phases 2+3 for faster delivery.

Immediate Actions Required (30 minutes)

Step 1: Analyze Failing Tests (5 minutes)

First, let's identify exactly which tests to remove:

# Get a clean list of failing test locations
uv run pytest --tb=no -q 2>&1 | grep "FAILED" | cut -d':' -f1-3 | sort -u

Step 2: Remove OAuth Metadata Tests (5 minutes)

Edit /home/phil/Projects/starpunk/tests/test_routes_public.py:

Delete these entire test classes:

  • TestOAuthMetadataEndpoint (all 10 tests)
  • TestIndieAuthMetadataLink (all 3 tests)

These tested the /.well-known/oauth-authorization-server endpoint which no longer exists.

Step 3: Handle State Token Tests (10 minutes)

Edit /home/phil/Projects/starpunk/tests/test_auth.py:

Critical: Some state token tests might be for admin login. Check each one:

# If test references authorization flow -> DELETE
# If test references admin login -> KEEP AND FIX

Tests to review:

  • test_verify_valid_state_token - Check if this is admin login
  • test_verify_invalid_state_token - Check if this is admin login
  • test_verify_expired_state_token - Check if this is admin login
  • test_state_tokens_are_single_use - Check if this is admin login
  • test_initiate_login_success - Likely admin login, may need fixing
  • test_handle_callback_* - Check each for admin vs authorization

Decision Logic:

  • If the test is validating state tokens for admin login via IndieLogin.com -> FIX IT
  • If the test is validating state tokens for Micropub authorization -> DELETE IT

Step 4: Fix Migration Tests (5 minutes)

Edit /home/phil/Projects/starpunk/tests/test_migrations.py:

For these two tests:

  • test_is_schema_current_with_code_verifier
  • test_run_migrations_fresh_database

Action: Remove any assertions about code_verifier or code_challenge columns. These PKCE fields are gone.

Step 5: Remove Client Discovery Tests (2 minutes)

Edit /home/phil/Projects/starpunk/tests/test_templates.py:

Delete the entire class: TestIndieAuthClientDiscovery

This tested h-app microformats for Micropub client discovery, which is no longer relevant.

Step 6: Fix Dev Auth Test (3 minutes)

Edit /home/phil/Projects/starpunk/tests/test_routes_dev_auth.py:

The test test_dev_mode_requires_dev_admin_me is failing. Investigate why and fix or remove based on current functionality.

Verification Commands

After making changes:

# Run tests to verify all pass
uv run pytest

# Expected output:
# =============== XXX passed in X.XXs ===============
# (No failures!)

# Count remaining tests
uv run pytest --co -q | wc -l

# Should be around 539 tests (down from 569)

Git Commit Strategy

Commit 1: Test Cleanup

git add tests/
git commit -m "test: Remove tests for deleted IndieAuth authorization functionality

- Remove OAuth metadata endpoint tests (13 tests)
- Remove authorization-specific state token tests
- Remove authorization callback tests
- Remove h-app client discovery tests (5 tests)
- Update migration tests to match current schema

All removed tests validated functionality that was intentionally
deleted in Phase 1 of the IndieAuth removal plan.

Test suite now: 100% passing"

Commit 2: Phase 1 Implementation

git add .
git commit -m "feat!: Phase 1 - Remove IndieAuth authorization server

BREAKING CHANGE: Removed built-in IndieAuth authorization endpoint

Removed:
- /auth/authorization endpoint and handler
- Authorization consent UI template
- Authorization-related imports and functions
- PKCE implementation tests

Preserved:
- Admin login via IndieLogin.com
- Session management
- Token endpoint (for Phase 2 removal)

This completes Phase 1 of 5 in the IndieAuth removal plan.
Version: 1.0.0-rc.4

Refs: ADR-050, ADR-051
Docs: docs/architecture/indieauth-removal-phases.md
Report: docs/reports/2025-11-24-phase1-indieauth-server-removal.md"

Commit 3: Architecture Documentation

git add docs/
git commit -m "docs: Add architecture decisions and reports for Phase 1

- ADR-051: Test strategy and implementation review
- Phase 1 completion guide
- Implementation reports

These document the architectural decisions made during
Phase 1 implementation and provide guidance for remaining phases."

Decision Points During Cleanup

For State Token Tests

Ask yourself:

  1. Does this test verify state tokens for /auth/callback (admin login)?

    • YES → Fix the test to work with current code
    • NO → Delete it

  2. Does the test reference authorization codes or Micropub clients?

    • YES → Delete it
    • NO → Keep and fix

For Callback Tests

Ask yourself:

  1. Is this testing the IndieLogin.com callback for admin?

    • YES → Fix it
    • NO → Delete it

  2. Does it reference authorization approval/denial?

    • YES → Delete it
    • NO → Keep and fix

Success Criteria

You'll know Phase 1 is complete when:

  1. All tests pass (100% green)
  2. No references to authorization endpoint in tests
  3. Admin login tests still present and passing
  4. Clean git commits with clear messages
  5. Documentation updated

Next Steps: Combined Phase 2+3

After committing Phase 1, immediately proceed with:

  1. Phase 2+3 Combined (2 hours):

    • Remove /auth/token endpoint
    • Delete starpunk/tokens.py entirely
    • Create database migration to drop tables
    • Remove all token-related tests
    • Version: 1.0.0-rc.5

  2. Phase 4 (2 hours):

    • Implement external token verification
    • Add caching layer
    • Update Micropub to use external verification
    • Version: 1.0.0-rc.6

  3. Phase 5 (1 hour):

    • Add discovery links
    • Update all documentation
    • Final version: 1.0.0

Architecture Principles Maintained

Throughout this cleanup:

  • Simplicity First: Remove complexity, don't reorganize it
  • Clean States: No partially-broken states
  • Clear Intent: Deleted code is better than commented code
  • Test Confidence: Green tests or no tests, never red tests

Questions?

If you encounter any test that you're unsure about:

  1. Check if it tests admin functionality (keep/fix)
  2. Check if it tests authorization functionality (delete)
  3. When in doubt, trace the code path it's testing

Remember: We're removing an entire subsystem. It's better to be thorough than cautious.

Time Estimate: 30 minutes Complexity: Low Risk: Minimal (tests only) Confidence: High - clear architectural decision

Reference in New Issue View Git Blame Copy Permalink