Open martymcguire opened 2 years ago
Ah, this will also require supporting the metadata endpoint to look up the introspection endpoint.
My quick and dirty hack did not include that, so eventually Aperture re-fetched and saved my token endpoint again, leading to auth errors because my token endpoint doesn't support the old "throw the token in an Authorization header at the token endpoint". :sweat_smile:
When verifying an auth token, Aperture uses the old indieauth.com-style of making a `GET` request to the user's `token_endpoint` with an `Authorization: Bearer <TOKEN>` header: https://github.com/aaronpk/Aperture/blob/main/aperture/app/Http/Middleware/VerifyIndieAuthAccessToken.php#L83-L113

Per recent(ish?) updates to IndieAuth, I believe it should instead support calling the Introspection endpoint: https://indieauth.spec.indieweb.org/#access-token-verification-request
To my understanding the changes there are:

- `application/x-www-form-urlencoded` `POST` request to the introspection endpoint (discovered from the new indieauth-metadata endpoint, etc.)
- `Authorization: Bearer <SECRET>` HTTP header in my setups. :man_shrugging:
- `token=<TOKEN>`
In my minimal setups (micropub and micropub-media endpoints) I've used the presence of a "token endpoint secret" in the configuration as a sign to use the introspection endpoint method. If there's no secret set, it falls back on the old authorization-header-to-the-token-endpoint.
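A sketch of the two verification paths described in this issue (introspection when a token endpoint secret is configured, the legacy `GET` to the token endpoint otherwise) plus reading the endpoints out of an indieauth-metadata document, added here as an example that is not Aperture's code or anything posted in the thread. The endpoint URLs, secret and sample responses are constructed placeholders.

```python
import json
import time
from urllib.parse import urlencode


def endpoints_from_metadata(metadata_json):
    """Pull the endpoints a verifier needs from an indieauth-metadata JSON document."""
    meta = json.loads(metadata_json)
    return {
        "token_endpoint": meta.get("token_endpoint"),
        "introspection_endpoint": meta.get("introspection_endpoint"),
    }


def build_verification_request(token, token_endpoint, introspection_endpoint=None, secret=None):
    """Return (method, url, headers, body) for verifying an access token.

    A configured secret (and a known introspection endpoint) selects the
    spec's POST introspection request; otherwise fall back to the old
    GET-the-token-endpoint-with-a-Bearer-header method.
    """
    if secret and introspection_endpoint:
        headers = {
            "Authorization": f"Bearer {secret}",   # the verifier's own secret, not the user's token
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        return ("POST", introspection_endpoint, headers, urlencode({"token": token}))
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return ("GET", token_endpoint, headers, None)


def validate_introspection_response(body, now=None):
    """Return {"me", "client_id", "scope"} for an active, unexpired token, else None.

    Anything other than an explicit `"active": true` with a `me` and
    `client_id` is treated as a failed verification.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    if data.get("active") is not True:
        return None
    me, client_id = data.get("me"), data.get("client_id")
    if not me or not client_id:
        return None
    exp = data.get("exp")
    if exp is not None and exp <= now:   # reject expired tokens even if still reported active
        return None
    return {"me": me, "client_id": client_id, "scope": data.get("scope", "").split()}
```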