phil/StarPunk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dd63df785874ba63277afdbb2d0f4c90b6238897
StarPunk/docs/decisions/ADR-036-indieauth-token-verification-method.md
Phil Skentelbery 82bb1499d5 docs: Add v1.1.0 architecture and validation documentation 
- ADR-033: Database migration redesign
- ADR-034: Full-text search with FTS5
- ADR-035: Custom slugs in Micropub
- ADR-036: IndieAuth token verification method
- ADR-039: Micropub URL construction fix
- Implementation plan and decisions
- Architecture specifications
- Validation reports for implementation and search UI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-25 10:39:58 -07:00

4.4 KiB
Raw Blame History

ADR-036: IndieAuth Token Verification Method Diagnosis

Status

Accepted

Context

StarPunk is experiencing HTTP 405 Method Not Allowed errors when verifying tokens with the external IndieAuth provider (gondulf.thesatelliteoflove.com). The user questioned "why are we making GET requests to these endpoints?"

Error from logs:

[2025-11-25 03:29:50] WARNING: Token verification failed:
  Verification failed: Unexpected response: HTTP 405

Investigation Results

What the IndieAuth Spec Says

According to the W3C IndieAuth specification (Section 6.3.4 - Token Verification):

  • Token verification MUST use a GET request to the token endpoint
  • The request must include an Authorization header with Bearer token format
  • This is explicitly different from token issuance, which uses POST

What Our Code Does

Our implementation in starpunk/auth_external.py (line 425):

  • Correctly uses GET for token verification
  • Correctly sends Authorization: Bearer header
  • Correctly follows the IndieAuth specification

Why the 405 Error Occurs

HTTP 405 Method Not Allowed means the server doesn't support the HTTP method (GET) for the requested resource. This indicates that the gondulf IndieAuth provider is not implementing the IndieAuth specification correctly.

Decision

Our implementation is correct. We are making GET requests because:

  1. The IndieAuth spec explicitly requires GET for token verification
  2. This distinguishes verification (GET) from token issuance (POST)
  3. This is a standard pattern in OAuth-like protocols

Rationale

Why GET for Verification?

The IndieAuth spec uses different HTTP methods for different operations:

  • POST for state-changing operations (issuing tokens, revoking tokens)
  • GET for read-only operations (verifying tokens)

This follows RESTful principles where:

  • GET is idempotent and safe (doesn't modify server state)
  • POST creates or modifies resources

The Problem

The gondulf IndieAuth provider appears to only support POST on its token endpoint, not implementing the full IndieAuth specification which requires both:

  • POST for token issuance (Section 6.3)
  • GET for token verification (Section 6.3.4)

Consequences

Immediate Impact

  • StarPunk cannot verify tokens with gondulf.thesatelliteoflove.com
  • The provider needs to be fixed to support GET requests for verification
  • Our code is correct and should NOT be changed

Potential Solutions

  1. Provider Fix (Recommended): The gondulf IndieAuth provider should implement GET support for token verification per spec
  2. Provider Switch: Use a compliant IndieAuth provider that fully implements the specification
  3. Non-Compliant Mode (Not Recommended): Add a workaround to use POST for verification with non-compliant providers

Alternatives Considered

Alternative 1: Use POST for Verification

  • Rejected: Violates IndieAuth specification
  • Would make StarPunk non-compliant
  • Would create confusion about proper IndieAuth implementation

Alternative 2: Support Both GET and POST

  • Rejected: Adds complexity without benefit
  • The spec is clear: GET is required
  • Supporting non-standard behavior encourages poor implementations

Alternative 3: Document Provider Requirements

  • Accepted as Additional Action: We should clearly document that StarPunk requires IndieAuth providers that fully implement the W3C specification

Technical Details

Correct Token Verification Flow

Client → GET /token
         Authorization: Bearer {token}

Server → 200 OK
         {
           "me": "https://user.example.net/",
           "client_id": "https://app.example.com/",
           "scope": "create update"
         }

What Gondulf Is Doing Wrong

Client → GET /token
         Authorization: Bearer {token}

Server → 405 Method Not Allowed
         (Server only accepts POST)

References

Recommendation

  1. Contact the gondulf IndieAuth provider maintainer and inform them their implementation is non-compliant
  2. Provide them with the W3C spec reference showing GET is required for verification
  3. Do NOT modify StarPunk's code - it is correct
  4. Consider adding a note in our documentation about provider compliance requirements
Reference in New Issue View Git Blame Copy Permalink