Fix: Don't re-use authorization codes

Jamie Tannarequested to merge
defect/authz-code into develop

As noted in #243 (closed), I misimplemented the IndieAuth spec, ending up performing authorization code verification and authorization code grant, which is not allowed as the authorization code should be single use.

When IndieAuth.com fixed this, www-editor broke.

To fix this, we need to retrieve the me from the response from the authorization code grant, which results in a few internal tweaks:

  • we need to map the state to the me of a given authorization request
  • we need to return the me from the token endpoint request, which requires mapping the full TokenEndpointResponse, which for now, only includes access_token and me
  • we need to provide a means to determine the me for a given state value

Closes #243 (closed).

Merge request reports