
@jeena
Last active November 5, 2017 15:51
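# Minimal IndieAuth authorization endpoint.
#
# +index+ issues a signed authorization code (a JWT bound to the requesting
# client_id and redirect_uri) and redirects the browser back to the client.
# +verify+ lets the client exchange that code for this site's identity URL.
#
# Security notes for maintainers:
# * There is no consent step: when the admin is signed in, +index+ issues a
#   code immediately. Consider an explicit approval screen, and checking that
#   redirect_uri belongs to client_id as the IndieAuth spec describes.
# * In the development environment the admin check is bypassed entirely, so
#   this endpoint must never run with Rails.env == "development" on a
#   reachable host.
# * Codes are stateless JWTs and therefore not single-use; the +exp+ claim
#   below only bounds the replay window. Enforcing one-time use would need
#   server-side storage.
# * The JWT is signed with secret_key_base, which is also used for other
#   purposes in a Rails app; a dedicated signing key would limit key reuse.
class IndieAuthController < ApplicationController
  # Lifetime of an authorization code in seconds. Authorization codes are
  # meant to be short-lived; ten minutes is the usual upper bound.
  CODE_LIFETIME = 600

  # +verify+ is called by third-party clients that cannot hold a CSRF token.
  # NOTE(review): this skips the check for every action; confirm whether it
  # can be narrowed to +verify+ given how the routes are declared.
  skip_before_action :verify_authenticity_token

  # Authorization endpoint.
  #
  # HEAD requests get a discovery header. Other requests require the admin
  # (or the development environment); everyone else is handed to +authorize+.
  # On success the browser is redirected to redirect_uri with +code+, +state+
  # and +me+ appended to any query string already present.
  #
  # Responds 400 when client_id is missing or redirect_uri is not an absolute
  # http(s) URL, instead of raising on URI.parse.
  def index
    return head(:ok, "IndieAuth" => "authorization_endpoint") if request.head?
    return authorize unless admin? || Rails.env.development?

    target = parse_redirect_uri(params[:redirect_uri])
    return head(:bad_request) if target.nil? || params[:client_id].blank?

    claims = {
      redirect_uri: params[:redirect_uri],
      client_id: params[:client_id],
      # ruby-jwt rejects the token on decode once this time has passed.
      exp: Time.now.to_i + CODE_LIFETIME
    }
    token = JWT.encode(claims, Rails.application.secrets.secret_key_base, 'HS256')

    # Keep the client's own query parameters and append ours after them.
    extra = [["code", token], ["state", params[:state]], ["me", params[:me]]]
    target.query = URI.encode_www_form(URI.decode_www_form(target.query || '') + extra)
    redirect_to target.to_s
  end

  # Code verification endpoint.
  #
  # Decodes and verifies the signed code (HS256 only), then checks that it was
  # issued for the same redirect_uri and client_id the caller presents.
  # Responds with the site's root URL on success and 403 otherwise, including
  # when the code is missing, malformed, tampered with or expired.
  def verify
    claims, _header = JWT.decode(
      params[:code],
      Rails.application.secrets.secret_key_base,
      true,
      { :algorithm => 'HS256' }
    )

    same_redirect = claims["redirect_uri"] == params[:redirect_uri]
    same_client = claims["client_id"] == params[:client_id]
    return head(:forbidden) unless same_redirect && same_client

    respond_to do |format|
      format.json { render json: {me: root_url} }
      # NOTE(review): `render text:` is unavailable on Rails 5.1+; newer
      # Rails needs `render plain:` here. Left unchanged for this app.
      format.all { render text: "me=#{root_url}"}
    end
  rescue JWT::DecodeError
    # Covers bad signatures, expired codes and a missing or garbled token, so
    # invalid input yields 403 rather than an unhandled exception.
    head :forbidden
  end

  private

  # Parses +raw+ and returns the URI only when it is an absolute http or
  # https URL with a host; returns nil for anything else.
  def parse_redirect_uri(raw)
    uri = URI.parse(raw.to_s)
    uri if uri.is_a?(URI::HTTP) && uri.host
  rescue URI::InvalidURIError
    nil
  end
end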