Fix: Don't re-use authorization codes
As noted in #243 (closed), I misimplemented the IndieAuth spec, ending up performing authorization code verification and authorization code grant, which is not allowed as the authorization code should be single use.
When IndieAuth.com fixed this, www-editor broke.
To fix this, we need to retrieve the me
from the response from the
authorization code grant, which results in a few internal tweaks:
- we need to map the
state
to theme
of a given authorization request - we need to return the
me
from the token endpoint request, which requires mapping the fullTokenEndpointResponse
, which for now, only includesaccess_token
andme
- we need to provide a means to determine the
me
for a givenstate
value
Closes #243 (closed).