+6
src/routes/indieauth.ts
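--- a/src/routes/indieauth.ts
+++ b/src/routes/indieauth.ts
@@ -1694,6 +1694,7 @@
 | undefined;
 
 if (!authcode) {
+console.error("Token endpoint: authorization code not found", { code });
 return Response.json(
 {
 error: "invalid_grant",
@@ -1705,6 +1706,7 @@
 
 // Check if already used
 if (authcode.used) {
+console.error("Token endpoint: authorization code already used", { code });
 return Response.json(
 {
 error: "invalid_grant",
@@ -1717,6 +1719,7 @@
 // Check if expired
 const now = Math.floor(Date.now() / 1000);
 if (authcode.expires_at < now) {
+console.error("Token endpoint: authorization code expired", { code, expires_at: authcode.expires_at, now, diff: now - authcode.expires_at });
 return Response.json(
 {
 error: "invalid_grant",
@@ -1728,6 +1731,7 @@
 
 // Verify client_id matches
 if (authcode.client_id !== client_id) {
+console.error("Token endpoint: client_id mismatch", { stored: authcode.client_id, received: client_id });
 return Response.json(
 {
 error: "invalid_grant",
@@ -1739,6 +1743,7 @@
 
 // Verify redirect_uri matches
 if (authcode.redirect_uri !== redirect_uri) {
+console.error("Token endpoint: redirect_uri mismatch", { stored: authcode.redirect_uri, received: redirect_uri });
 return Response.json(
 {
 error: "invalid_grant",
@@ -1750,6 +1755,7 @@
 
 // Verify PKCE code_verifier (required for all clients per IndieAuth spec)
 if (!verifyPKCE(code_verifier, authcode.code_challenge)) {
+console.error("Token endpoint: PKCE verification failed", { code_verifier, code_challenge: authcode.code_challenge });
 return Response.json(
 {
 error: "invalid_grant",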
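Review bot: The new log call at line 1758 writes the raw `code_verifier` to the error log, and the calls at 1697, 1709 and 1722 write the raw authorization `code`. Both are credential material, and logs usually have wider read access and longer retention than the auth-code store. These values have mostly already failed validation, so replay risk is limited, but a "not found" code can be a truncated or mis-routed valid one. A verifier that fails because of a server-side bug is the real secret. For the PKCE branch I would log only non-secret facts, e.g. `{ verifier_present: Boolean(code_verifier), code_challenge: authcode.code_challenge }`, and for the code branches a short digest of `code` (or a stored row id, if the record has one) instead of the value itself. The `received` client_id and redirect_uri at 1734 and 1746 are request-supplied strings with no visible length bound, so truncating them before logging would also help; the handler starts and ends outside these hunks, so any earlier validation is not visible here.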