Phil Skentelbery
5e50330bdf
This fixes critical IndieAuth authentication by implementing PKCE (Proof Key for Code Exchange) as required by IndieLogin.com API specification. Added: - PKCE code_verifier and code_challenge generation (RFC 7636) - Database column: auth_state.code_verifier for PKCE support - Issuer validation for authentication callbacks - Comprehensive PKCE unit tests (6 tests, all passing) - Database migration script for code_verifier column Changed: - Corrected IndieLogin.com API endpoints (/authorize and /token) - State token validation now returns code_verifier for token exchange - Authentication flow follows IndieLogin.com API specification exactly - Enhanced logging with code_verifier redaction Removed: - OAuth metadata endpoint (/.well-known/oauth-authorization-server) Added in v0.7.0 but not required by IndieLogin.com - h-app microformats markup from templates Modified in v0.7.1 but not used by IndieLogin.com - indieauth-metadata link from HTML head Security: - PKCE prevents authorization code interception attacks - Issuer validation prevents token substitution attacks - Code verifier securely stored, redacted in logs, and single-use Documentation: - Version: 0.8.0 - CHANGELOG updated with v0.8.0 entry and v0.7.x notes - ADR-016 and ADR-017 marked as superseded by ADR-019 - Implementation report created in docs/reports/ - Test update guide created in TODO_TEST_UPDATES.md Breaking Changes: - Users mid-authentication will need to restart login after upgrade - Database migration required before deployment Related: ADR-019 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
6.8 KiB
6.8 KiB
ADR-019 Implementation Summary
Quick Reference for Developer Date: 2025-11-19 Version Target: 0.8.0
What You Need to Know
This is a critical bug fix that implements IndieAuth authentication correctly by following the IndieLogin.com API specification. The previous attempts (v0.7.0 OAuth metadata, v0.7.1 h-app visibility) were based on misunderstanding the requirements.
Documentation Structure
All documentation has been separated into proper categories:
1. Architecture Decision Record (ADR-019)
File: /home/phil/Projects/starpunk/docs/decisions/ADR-019-indieauth-pkce-authentication.md
What it contains:
- Context: Why we need this change
- Decision: What we're doing (PKCE implementation)
- Rationale: Why this approach is correct
- Consequences: Benefits and trade-offs
- NO implementation details (those are in the design doc)
2. Design Document (Complete Technical Specifications)
File: /home/phil/Projects/starpunk/docs/designs/indieauth-pkce-authentication.md
What it contains:
- Complete authentication flow diagrams
- PKCE implementation specifications
- Database schema changes
- Exact code changes with line numbers
- Code to remove with line numbers
- Testing strategy and test code
- Error handling specifications
- Security considerations
- Complete implementation guide with step-by-step instructions
This is your primary implementation reference.
3. Versioning Guidance
File: /home/phil/Projects/starpunk/docs/reports/ADR-019-versioning-guidance.md
What it contains:
- Version number decision: 0.8.0
- Git tag handling (keep all existing tags)
- CHANGELOG update instructions
- Rationale for versioning choice
- What to do with v0.7.0 and v0.7.1 tags
Quick Implementation Checklist
Follow the design document for detailed steps. This is just a high-level checklist:
Pre-Implementation
- Read ADR-019 (architectural decision)
- Read full design document
- Review versioning guidance
- Understand PKCE flow
Database
- Add
code_verifiercolumn toauth_statetable - Test migration
Code Changes
- Add PKCE functions to
starpunk/auth.py - Update
_verify_state_token()to return verifier - Update
initiate_login()with PKCE - Update
handle_callback()with PKCE and iss validation - Update callback route to extract and pass
iss - Update logging to redact
code_verifier
Code Removal
- Remove OAuth metadata endpoint from
starpunk/routes/public.py - Remove h-app microformats from
templates/base.html - Remove indieauth-metadata link from
templates/base.html
Testing
- Run unit tests for PKCE functions
- Run integration tests for auth flow
- Manual testing with IndieLogin.com
- Verify logs show PKCE parameters (redacted)
- Check database for code_verifier storage
Versioning
- Update
__version__to "0.8.0" instarpunk/__init__.py - Update
__version_info__to (0, 8, 0) - Update CHANGELOG.md with v0.8.0 entry
- Add notes to v0.7.0 and v0.7.1 CHANGELOG entries
- Create git tag v0.8.0
- Do NOT delete v0.7.0 or v0.7.1 tags
Documentation
- Update ADR-016 status to "Superseded by ADR-019"
- Update ADR-017 status to "Superseded by ADR-019"
- Add implementation note to ADR-005
Key Points
What's Wrong Now
- Missing PKCE - IndieLogin.com requires it, we don't have it
- Wrong endpoints - Using
/authinstead of/authorizeand/token - Unnecessary features - OAuth metadata and h-app not needed
What We're Fixing
- Add PKCE - Generate verifier/challenge, store, validate
- Correct endpoints - Use
/authorizeand/token - Remove cruft - Delete OAuth metadata and h-app
- Add iss validation - Security best practice
Why v0.8.0?
- Not v0.7.2: Too substantial for PATCH (database change, PKCE implementation, removals)
- Not v1.0.0: Not ready for stable (V1 features not complete)
- Yes v0.8.0: Appropriate MINOR increment for significant change during 0.x phase
Why Keep v0.7.0 and v0.7.1 Tags?
- Git history integrity
- Can't "un-release" versions
- CHANGELOG explains what didn't work
- Shows progression of understanding
File Reference
Read in this order:
- This file (you are here) - Overview
/home/phil/Projects/starpunk/docs/decisions/ADR-019-indieauth-pkce-authentication.md- Architectural decision/home/phil/Projects/starpunk/docs/designs/indieauth-pkce-authentication.md- Full implementation guide/home/phil/Projects/starpunk/docs/reports/ADR-019-versioning-guidance.md- Versioning details
Standards Reference:
/home/phil/Projects/starpunk/docs/standards/versioning-strategy.md- Semantic versioning rules/home/phil/Projects/starpunk/docs/standards/git-branching-strategy.md- Git workflow
Critical Files to Modify
Python Code
/home/phil/Projects/starpunk/starpunk/auth.py
/home/phil/Projects/starpunk/starpunk/routes/auth.py
/home/phil/Projects/starpunk/starpunk/routes/public.py (deletions)
/home/phil/Projects/starpunk/starpunk/__init__.py (version)
Templates
/home/phil/Projects/starpunk/templates/base.html (deletions)
Database
Schema: auth_state table (add code_verifier column)
Documentation
/home/phil/Projects/starpunk/CHANGELOG.md (updates)
/home/phil/Projects/starpunk/docs/decisions/ADR-016-indieauth-client-discovery.md (status)
/home/phil/Projects/starpunk/docs/decisions/ADR-017-oauth-client-metadata-document.md (status)
/home/phil/Projects/starpunk/docs/decisions/ADR-005-indielogin-authentication.md (note)
Success Criteria
You're done when:
- User can log in via IndieLogin.com
- PKCE parameters visible in authorization URL
- code_verifier stored in database
- Token exchange succeeds with code_verifier
- All tests pass
- Version is 0.8.0
- CHANGELOG updated
- ADR statuses updated
Getting Help
If authentication still fails:
- Check logs for PKCE parameters (should be redacted but visible)
- Verify database has code_verifier column
- Check authorization URL has
code_challengeandcode_challenge_method=S256 - Verify token exchange POST includes
code_verifier - Check IndieLogin.com response in logs
Key debugging points:
initiate_login(): Should generate verifier and challenge- Database: Should store verifier with state
- Authorization URL: Should include challenge
handle_callback(): Should retrieve verifier- Token exchange: Should send verifier
- IndieLogin.com: Should return
{"me": "url"}
Questions?
Refer to:
- Design document for "how"
- ADR-019 for "why"
- Versioning guidance for "what version"
All documentation follows the project principle: Every line must justify its existence.
Author: StarPunk Architect Status: Ready for Implementation Priority: Critical (authentication broken in production)