Today, I moved some existing code from my kirby-micropub plugin to my indieweb-toolkit, and then I rewrote it a bit. It is the code that checks for an Authorization: Bearer xxx header and rejects people that have the wrong token.

At this point, my blog just uses tokens.indieauth.com, as it's token endpoint. So, that is what the toolkit uses now too. This is not ideal, and I plan on adding a token endpoint directly to the toolkit. But, everything in steps!

You can now do the following:

indieauth::requireMe();
indieauth::requireScope('create');

// do stuff!

And then the script will exit if there's no Authorization: Bearer in the header with the proper scope and a 'me' value corresponding with the current URL. (You can also pass in a 'me' to check against.) I am still not sure about some things, so I am putting them out here to think about them some more. Feel free to comment.

• Is 'IndieAuth' the right name for this static class? I think so, because it uses 'me' and 'scope'. But at this point, it's only checking tokens. And when I add a token endpoint, is that token endpoint still IndieAuth?

• In my code, I now check url::host($token->me) == url::host($requiredMe)). I only compare hosts, so seblog.nl, which works, because seblog.nl/micropub still has the host seblog.nl. Maybe I should drop this 'use the current URL if the $requiredMe is empty' and only go for explicit 'me'-values.

• Previously, I threw Errors. Now, I just set the HTTP-header and exit the script. I wonder which way is more elegant. The way I do it now, makes sure the right HTTP status is sent, but the way I did it before allows for more customisation. Both ways exit the script, which is the most important part.