#indiewebcamp 2014-01-19

2014-01-19 UTC
snarfed joined the channel
#
bear
KartikPrabhu - that's why i'm happy you are making changes - I love that we will be working on making the code better. let me check the PR status now...
#
Jeena
hm brid.gy says my notes have no webmention support, weird, perhaps it is not checking the http header?
#
snarfed
Jeena: sorry about that! i'll take a look
#
snarfed
if you click on the "XXX ago" link, it will show you the log
#
Jeena
ah ok
#
snarfed
ah. the link is to a pdf :P
#
snarfed
…and there's no webmention http header
#
bear
KartikPrabhu - I had one merge conflict to clear up but otherwise it was a clean PR - thanks
#
Jeena
yeah but just a minute ago there were /notes/6 no webmention support
#
Jeena
the ones with @goetzb
#
Jeena
but those aren't there anymore hm
#
snarfed
huh. i don't see a link rel=webmention in https://jeena.net/notes/6
#
Jeena
it is in the HTTP header
#
snarfed
ah, thanks
#
Jeena
rel="webmention"
#
KartikPrabhu
bear: nice
#
snarfed
oh, boo. it looks like the webmention library i use doesn't look in the http header
#
snarfed
sorry jeena. i'll add that.
#
Jeena
I could add a html <link> but that would be cheating :D
#
Jeena
and I think it is always good to have some people on different edges ;)
#
snarfed
of course!
#
Jeena
but still how does it know that https://jeena.net is my own website? Does it look into the "website" field of twitter?
#
snarfed
good question! it doesn't. it sends webmentions to any link that accepts them. :P
#
Jeena
ah hehe interesting
#
KartikPrabhu
Jeena: when I am parsing your website using the python request module, I get a 'certificate verify failed' error. Any idea how to get around/fix this?
#
Jeena
hm that is odd, because it is a real certificate, not a self signed one
#
aaronpk
Jeena: did you add the certificate chain to your cert if necessary?
#
Jeena
I'm not sure I understand what you're saying
#
Jeena
I added two files in my nginx config
#
aaronpk
sometimes you need to add the intermediate cert to your certificate file
#
aaronpk
if the place you got the cert from requires it
#
Jeena
I got it from StartSSL and I did it how they write on their website
#
snarfed
specifically the "intermediate cert" part
#
Jeena
I'll have a look
#
aaronpk
KartikPrabhu: out of curiosity, do you get an SSL error on https://indiewebcamp.com ? I got a startssl cert for the wiki too.
#
bear
KartikPrabhu - you can pass in verify=False to the request to have python-requests not walk the chain
#
Jeena
I have a file called sub.class1.server.ca.pem here, I will check the howto on their website
#
KartikPrabhu
aaronpk: same error chain for indiewebcamp too
#
Jeena
the fuck! Some of our services are offline and under maintenance at weekends during the night hours until 07:00 AM GMT. We apologize for the temporary inconvenience and thank you for your understanding.
#
KartikPrabhu
bear: good to know. but ideally it should work without that
#
bear
yes, but… there are some bugs with older versions of both python-requests *and* openssl
#
aaronpk
ok, I did include the intermediate cert for indiewebcamp.com, so it might not be a problem with jeena's server then
#
bear
that cause them to improperly reference cached cert chain from the OS
#
KartikPrabhu
bear: I see. So it could be a python bug. most annoying :(
#
Jeena
yeah I kind of remember that I added one file to the other or something
#
bear
let's see if verify=False works
#
bear
and then I would love to see if your code works against indiewebcamp.com and also bear.im
#
aaronpk
Jeena: yea that sounds right
#
snarfed
bear, it sounds like you're familiar with python-requests? i'm trying to figure out how it handles multiple response headers with the same name. any idea?
#
bear
last one wins IIRC
#
aaronpk
python-requests--
#
Loqi
python-requests has -1 karma
#
aaronpk
that's not how HTTP works :P
#
bear
that is memory speaking - working to verify my brain
#
snarfed
wow. that's pretty bad for Link headers
#
snarfed
docs don't say anything
#
KartikPrabhu
bear, Jeena, aaronpk: it works with verify=False. surely python-requests--
#
bear
not yet for the --
#
Jeena
I was thinking about disabling cert verification in my code too but decided that I would do it only if it is a real problem some day in the future
#
bear
we need to see if verify=true works on the other two
#
KartikPrabhu
verify=True fails for Jeena's site but works for bear's
#
KartikPrabhu
also fails for indiewebcamp
#
Jeena
I'm an edge case :-(
#
bear
ok, so let's see if that is the same when jeena adds the intermediate cert
#
Jeena
but I think I added it, and aaronpk added it to indiewebcamp too
#
Jeena
and it doesn't work for both
#
bear
notes that he also has a StartSSL cert
#
aaronpk
bear: your startssl cert is Class 2
#
Jeena
sadly the StartSSL FAQ where it says how I did it is down until 07:00 AM GMT
#
aaronpk
indiewebcamp and jeena are class 1
#
aaronpk
I don't remember the difference
#
aaronpk
but either way, they have different root certs
#
Jeena
class 1 is that we only gave the email address
#
Jeena
class 2 is something more
#
bear
class 2 is owner verified
#
Jeena
I think
#
aaronpk
so it could be that the root cert for the class 1 cert just isn't in KartikPrabhu's system
#
bear
nods
#
KartikPrabhu
ok so. it would be best to add verify=False to webmention codes?
#
bear
I would suggest that is ok only for webmention code
icco joined the channel
#
bear
but i'm also kinda a security nerd
#
aaronpk
you shouldn't really get in the habit of not verifying SSL certs
#
Loqi
agreed.
#
Jeena
or first try it with true, when it fails retry it with false?
#
Jeena
and log a warning or something
#
bear
KartikPrabhu - use verify=false for now and file a bug against our repo
#
aaronpk
there aren't really any security risks in not verifying the SSL cert for a webmention I suppose
#
bear
i'll work up a test using python-requests and start to find out why
#
KartikPrabhu
bear: cool. Will also try adding finding a webmention end-point discovery in link header
#
bear
i'm looking at sslabs.com results for jeena.net and while the cert chain looks good there are other issues common with self-hosted sites :)
#
KartikPrabhu
which is why i was requesting Jeena's site in the first place :P
#
KartikPrabhu
headers['link']
#
KartikPrabhu
oops. wrong window
#
Jeena
while fiddling with certs and ssl http://i.imgur.com/xVyoSl.jpg
#
bear
what web server are you using? you can find good info on the indieweb site for both apache and nginx
#
Jeena
nginx
#
bear
yea, the nginx section covers a lot of ground and I look forward to any questions you may have so I can fix them on that page
#
Jeena
Ok, I already saw my domain on that page, just didn't understand anything and assumed it was because of the fact that it was class1
#
Jeena
but let's get down to business!
icco joined the channel
#
KartikPrabhu
how standard is 'link': '<webmentionendpoint>
#
KartikPrabhu
rel="webmention"' format? Can I just do simple string parsing to get the endpoint?
#
snarfed
KartikPrabhu: standard enough. the spec does say it's that format. also only a few people use the header
#
snarfed
pretty good!
#
bear
wow - nicely done!
#
Jeena
I just copy & pasted from the wiki! :-p
#
bear
that is good feedback then - thanks!
#
bear
you went from an F earlier to an A now - again, nicely done!
#
snarfed
jeena, just fyi, i pushed a fix to bridgy, it's sending you webmentions now
#
snarfed
although they're 500ing on your site :/
#
Jeena
cool!
#
KartikPrabhu
Jeena: and I am not getting the SSL error thing now. success all over
#
aaronpk
lol, supporting SSL2 gives you an automatic F
#
Jeena
wohoo!
#
Jeena
ah snarfed but it looks like my server crashed hm, will have a look at it
#
KartikPrabhu
aaronpk: now only indiewebcamp gives the SSL error. Jeena's site seems to be fixed
#
aaronpk
i should track that down
#
Jeena
bridgy outputs invalid HTML https://brid-gy.appspot.com/like/twitter/jeena/424554756917702656/109427493 <- there is no <title> which is required even in HTML 2.0 ;)
icco, pfenwick, j12t and bnvk joined the channel
#
KartikPrabhu
bear: new PR with verify=False thing, and endpoint discovery in link headers for ronkyuu
#
bear
cool
snarfed joined the channel
#
snarfed
Jeena: thanks for filing that issue! I'll fix soon. hope that wasn't breaking your server!
#
bear
KartikPrabhu - merged!
#
Jeena
hehe it was actually but I just need to handle stuff like that, I think I will try to get some microformat data out of it
#
Jeena
you know, JSON would be so much easier to handle, I can't get my HTML parser to find <meta name='description'> vs. Description vs DESCRIPTION, etc.
#
aaronpk
you'd have the same problem with JSON (description vs Description vs DESCRIPTION)
#
aaronpk
I use the php-mf2 parser, and I get back a native object with the parsed results. I don't have to think about HTML parsing at all.
#
Jeena
no because this would have been defined somewhere, the html world is just the wild west and you find all of those
#
Jeena
I can use xpath for querying, so in theory I also get a native object, but everything looks like this:
#
Jeena
parser.at("meta[@title='description']|meta[@title='Description']|meta[@title='DESCRIPTION']")
#
Jeena
and it doesn't even cover all the cases
#
aaronpk
you shouldn't need to think about parsing HTML if you're using a library like php-mf2
#
Loqi
it is probable
#
aaronpk
use a library that does all the dirty work and returns the structure of the page
#
Jeena
there is http://nokogiri.org/ which says you can use CSS3 selectors, I wonder if those are case insensitive
#
aaronpk
chances are if you're struggling with it, then someone else will be struggling with it in the future too
#
aaronpk
and would be useful to have as a library
#
Jeena
but php-mf2 gives you what? array("title" => "Description") I assume? how do you query something like that then?
#
Jeena
it looks like in mf2 you also need to use a xpath query for querying for stuff like that
#
Jeena
hm perhaps one of those will work http://microformats.org/wiki/parser#Ruby
#
etymancer
any guidelines on photo size for h-card?
#
etymancer
!tell caseorganic your photo on http://indiewebcamp.com/2014/Guest_List is a 404
#
Loqi
Ok, I'll tell them that when I see them next
#
etymancer
is tempted to try to (bang)tell Loqi something...
#
Loqi
woot!
#
etymancer
especially something with a (bang)tell $botname in it
#
etymancer
does this make me a bad person?
#
etymancer.com
edited /2014/Guest_List (+0) "/* Event */ Year was still 2013"
#
etymancer
also web sign-in damn well rocks.
#
etymancer
and loqi++
#
etymancer
:-D
KevinMarks2 joined the channel
#
etymancer
oh, okay, I have to
#
etymancer
!tell Loqi !tell Loqi you're a rad bot
#
Loqi
Ok, I'll tell them that when I see them next
#
etymancer
hm. unsatisfying.
#
KartikPrabhu
etymancer: Loqi seems much smarter than expected
scor joined the channel
KartikPrabhu joined the channel
scor joined the channel
#
KartikPrabhu
aaronpk: when do you send a 400 status code for incoming webmentions?
KartikPrabhu joined the channel
#
KevinMarks
heh etymancer - I remember bot shenanigans like that with jibot
scor, srushe_, dvirsky_, XgFgX, igalic, hallettj, bear, tantek, bear_ and dvirsky joined the channel
#
bear
i'm trying to get an older microformat parser to grok mf2 and i've run headlong into long forgotten xpath query knowledge
#
bear
(the older parser is microtron)
squeakytoy, schalkneethling, glennjones and stefek99 joined the channel
#
stefek99
Hello - what was the name of the tool that integrates all posts in social media (app.net, vine, instagram, twitter, G+) into one page?
#
stefek99
I remember it was active at IndieWebCamp in Brighton
#
stefek99
Now at #HackHumanity event and I would like to generate similar page (just forgot the name)
pfenwick joined the channel
#
stefek99
Can you help me with that? Searches for "social media tag aggregator" lead to thousands of non-meaningful results... (thanks)
#
stefek99
[re-post] Trying to find a tool that aggregates social media tags from the event... Kind of a >>storify<< but different...
#
KevinMarks
I vaguely remember this
schalkneethling joined the channel
#
stefek99
now improved my keyword accuracy for "social media aggregator" :)
#
stefek99
Done: https://tagboard.com/HackHumanity the answer is >>TAG BOARD<<
#
stefek99
(easy, kind of obvious once you know it)
#
stefek99
Once again talking to oneself was so helpful (rubber duck method)
#
stefek99
Thanks, need to go! :)
#
KevinMarks
I built the first one of those at technorati almost exactly 9 years ago
melvster, eschnou, glennjones, Zegnat, Jestre and pasevin joined the channel
marjolein, bnvk, eschnou, voxpelli, glennjones, CheckDavid and skinny joined the channel
#
Loqi
skinny: KevinMarks left you a message on 1/17 at 3:15pm: the indiewebcamp log reminds me of the old Electronic Arts logo http://www.brandsoftheworld.com/logo/electronic-arts-0
CheckDavid and snarfed joined the channel
#
@snarfed_org
@pfefferle @diplix hi guys! felix, thanks for trying bridgy, and sorry for the trouble. want to talk on irc? http://indiewebcamp.com/IRC
(twitter.com/_/status/424926621192032256)
ix_, friedcell, scor, pfefferle, glennjones, voxpelli and snarfed joined the channel
#
snarfed.org
edited /Bridgy (+73) "/* more */"
barnabywalters joined the channel
#
@npm_tweets
webmention-testpinger 0.3.0 https://npmjs.org/package/webmention-testpinger A tool to ping your site with a variety of webmention markup
(twitter.com/_/status/424945719200333825)
pasevin joined the channel
#
@nodenpm
webmention-testpinger (0.3.0): https://npmjs.org/package/webmention-testpinger A tool to ping your site with a variety of webmention mark...
(twitter.com/_/status/424946570187276288)
snarfed, melvster and natwelch joined the channel
#
aaronpk
barnabywalters: i'm almost ready
#
barnabywalters
aaronpk: cool
#
barnabywalters
I’m playing with the rocket
tantek, pasevin, iangreenleaf and caseorganic joined the channel
#
Loqi
caseorganic: etymancer left you a message on 1/18 at 7:12pm: your photo on http://indiewebcamp.com/2014/Guest_List is a 404
#
tantek
hello caseorganic!
#
neuro`
Good time of day #indiewebcamp
#
caseorganic
tantek: hello tantek!
#
caseorganic.com
edited /2014/Guest_List (-10) "/* Creators */ Fixed broken image link to pic from caseorganic.com"
#
caseorganic
!tell etymancer thank you for letting me know! fixed.
#
Loqi
Ok, I'll tell them that when I see them next
#
neuro`
tantek: nice new avatar on Twitter, but the resolution is very low on my client (low like "oh, cool pixel art")
#
tantek
neuro` Twitter is lower resolution than my own site. In general ;)
#
tantek
It's inevitable that silos will have downlevel content compared to indieweb sites.
#
neuro`
tantek: not sure how Twitter resized it, lots of people I follow have high def avatar on twitter.
#
tantek
but do they have their own websites? when silos are mere POSSE copies, they can be expected to be lower resolution and should be treated as such.
#
www.iangreenleaf.com
edited /Twitter (-42) "Organize and rename page sections"
voxpelli joined the channel
#
www.iangreenleaf.com
edited /Twitter (+277) "Add section on exporting DMs"
#
www.iangreenleaf.com
edited /Facebook (+144) "Add message export option"
#
@npm_tweets
webmention-testpinger 0.3.1 https://npmjs.org/package/webmention-testpinger A tool to ping your site with a variety of webmention markup
(twitter.com/_/status/424977186580201472)
caseorganic joined the channel
#
aaronpk
heh "it's a feature not a bug"
glennjones, bnvk, KevinMarks2 and snarfed joined the channel
#
@eikiu
RT @voxpelli: Everything seems to be working well with my WebMention endpoint, so I'm making 5 more accounts available: https://t.co/jpviUX…
(twitter.com/_/status/424992321550438400)
j12t joined the channel
#
aaronpk
KartikPrabhu: I only send a 400 for seriously malformed requests, like missing a source parameter, or when the URL parameters aren't actually URLs
#
KartikPrabhu
aaronpk: Do you check if sourceURL can be retrieved and send 400 if not?
#
KartikPrabhu
I am sending webmentions automatically on saving a new post and it seems that the webmention is sent before the article even has a URL
#
aaronpk
you probably shouldn't send a webmention until your URL actually exists
#
KartikPrabhu
yes! But the only way I have figured out to do it in Django is to modify the save method. So the very first time it is executed there is no actual post! It does work on re-save though :P
#
aaronpk
ah, crazy! there isn't a post-save hook or something?
#
KartikPrabhu
possibly. must look more through the docs
#
KartikPrabhu
but tracking this down took a lot of work! I was very confused for a while that it didn't work only on first save :)
#
aaronpk
heh i can imagine!
#
KartikPrabhu
there is a post_save signal! I just didn't know what word to look for. Thanks aaronpk
#
aaronpk
hah! good guess!
bnvk, scor and skinny joined the channel
#
@helloanselm
Keyhotee sounds interesting as a decentralized way of using the internet: http://invictus.io/keyhotee.php #indieweb
(twitter.com/_/status/425008687707877376)
#
barnabywalters
aaronpk: just started implementing indieauth stuff by trying to get equivalent behaviour to current approach using new flow
CheckDavid joined the channel
#
barnabywalters
wondering how to structure what scope to request for each person logging in
#
barnabywalters
e.g. someone might want to authenticate to see some private content without authorising my server to post on their behalf
#
barnabywalters
for the moment it’s probably safe to assume that if the person has a micropub endpoint (i.e. is you) they want to request the post scope, but going forward that’s going to be a UI issue we have to figure out
#
aaronpk
great point!
#
aaronpk
I think you can probably infer the intended scope based on the page they are signing in from
#
aaronpk
but that seems like only a temporary solution
#
barnabywalters
the awesomesauce solution would be for the app to pass a list of scopes it supports to the authorisation endpoint and let the user choose what they want to give
#
barnabywalters
but that has plenty of issues too
#
aaronpk
sort of. I know Github is moving to that model though.
#
barnabywalters
for the moment I’ll infer based on the presence of a micropub endpoint
#
aaronpk
yay real-world testing!
#
Loqi
does a happy dance!
#
barnabywalters
observation: the new flow is significantly more complicated than the old one, which for the limited case of just signing in was amazingly simple. presumably the old flow will still continue to be “officially” supported?
#
aaronpk
sort of
#
aaronpk
the old flow did not allow a website to specify its authorization endpoint
#
aaronpk
so implementations hard-coded to indieauth.com, which is not ideal
#
barnabywalters
yes that is true
#
aaronpk
so I would be fine to specify a simplified flow for identification (instead of identification plus authorization) but it would still require delegating to an authorization server
#
barnabywalters
but not only is that a sane default, just discovering what authorisation endpoint the user wants to use and then completing the old flow as before is still easier than the complete new flow
CheckDavid joined the channel
#
aaronpk
yes, you don't need an access token for identification
#
barnabywalters
aaronpk: yep that sounds like a good plan — keep a simple yet distributed flow for the common case of just identification, and then have the new flow for more complex stuff
#
aaronpk
I just want to make sure nobody is hard-coding to indieauth.com
#
barnabywalters
I’m just going to set state to an empty string for now, is that a good idea?
#
barnabywalters
or should I stick a random number in there or something
#
aaronpk
you should stick a random number in there for security
#
Loqi
fo sho
#
barnabywalters
but I don’t need to store it because it’ll be passed to the authorisation endpoint, right?
#
aaronpk
you will need to store it, which is where the security comes in. you generate a random number, store it in a session somewhere, then you use it when you want to get a token.
#
aaronpk
if you want to take a shortcut for now, you can just leave it blank, cause blank=blank. that just means that if someone intercepts the auth code, they can steal the code and generate a token.
#
barnabywalters
well I can store it in an encrypted cookie
#
aaronpk
yes! p.s. an encrypted cookie is basically what I was talking about with my JWT-encoded access tokens
#
barnabywalters
okay I’ll read from dev/urandom and store that in a cookie
#
barnabywalters
and a 5 min timeout on that cookie should be sane for the moment
#
barnabywalters
where would you recommend storing the access token? in an encrypted cookie or on disk somewhere?
#
aaronpk
$token = JWT::encode($token_data, $encryptionKey);
#
aaronpk
which means I don't need to store it
#
aaronpk
when a request comes in with an access token, I decrypt it, so if it's a bogus token it won't decrypt properly
#
aaronpk
that's basically how an encrypted cookie works
eschnou joined the channel
#
barnabywalters
I mean for the note app — when I get a token for a user who’s logged in
#
aaronpk
yes, an encrypted cookie should be fine
#
barnabywalters
I’m not quite onto implementing token generators for myself yet ;)
#
aaronpk
you're going to have to decrypt it to put the plaintext token in the form though
#
@snarfed_org
@pfefferle hi! how do i compose a reply with wordpress-webmention 2.0? the old one had Replies in admin. does the new one not have a UI?
(twitter.com/_/status/425020324954918912)
#
@howardshipp_in
Interesting stuff, this #indieweb : Getting Started - IndieWebCamp http://indiewebcamp.com/Getting_Started
(twitter.com/_/status/425020376960077824)
#
barnabywalters
ah I love having an encryption service set up so all I have to do to encrypt/decrypt is $app['encryption']->en/decrypt($value)
#
aaronpk
so syntax
#
aaronpk
much confuse
#
barnabywalters
silex is awesome
#
barnabywalters
I use it for all PHP projects now
#
barnabywalters
heh “allow waterpigs.co.uk to access waterpigs.co.uk?”
#
barnabywalters
hm indieauth is failing for me now
#
aaronpk
oh? crap
#
Loqi
lolz
#
aaronpk
what error?
#
barnabywalters
nothing, just a blank screen
#
barnabywalters
trying again with persona
#
barnabywalters
using persona is either really slow or is hanging on “Verifying Login”
#
barnabywalters
okay with persona I see this in the logs: POST https://indieauth.com/auth/verify_email.json [HTTP/1.1 1366 Unknown Status Code 693ms
#
barnabywalters
unknown status code? never seen that one before
#
aaronpk
huh yeah I see 1366 in my logs too wtf
#
aaronpk
can you sign in to the wiki right now?
#
barnabywalters
and with exact same URL I was using locally too
#
aaronpk
*blink blink*
#
barnabywalters
huh, using twitter worked
#
bear
I logged into the wiki using site+persona
#
aaronpk
bear: barnabywalters is testing out the new indieauth+authorization flow
#
bear
goes back to coding :)
#
aaronpk
barnabywalters: so you did end up getting an authorization code?
#
barnabywalters
yep, I have one
#
barnabywalters
it was passed with the token parameter name though, not code as specified
#
aaronpk
did you include a client_id parameter?
#
barnabywalters
ah no my bad it’s fine
#
barnabywalters
I think… debugging encryption error on my end now
#
aaronpk
I made it return it in the parameter "token" if a client_id is not specified, for backwards compatibility
#
barnabywalters
now weird things are happening
snarfed joined the channel
#
barnabywalters
twitter failed (same no response code issue) then disappeared despite not rescanning
#
barnabywalters
which I am doing now
#
aaronpk
there's that 1366 again
#
barnabywalters
yep, back to blank screen problems now, on both github and persona
#
barnabywalters
which are the only working auth providers I have left now
#
aaronpk
can you try entering your values here? http://client.indieauth.com/signin
lukebrooker joined the channel
#
barnabywalters
ah I think I’m not setting the token endpoint — what should it be?
#
barnabywalters
or do I need to build one
#
aaronpk
oh! funny...
#
aaronpk
yes, I suppose you do need to build one!
#
barnabywalters
well, in for a penny in for a pound
#
aaronpk
but I'm confused why that would cause the issues that you're seeing
#
barnabywalters
but wait, this means that everyone who wants to log into my site (e.g. to see private content) needs to build a token endpoint
#
aaronpk
if they want to use your site to post to theirs, then yes
#
aaronpk
which is why we need to formalize the identification-only flow
#
barnabywalters
unless I fall back to the old flow if no token endpoint can be discovered for their me URL
EHLOVader and tantek joined the channel
#
aaronpk
yes, I suppose that makes sense
#
EHLOVader
aaronpk, trying to use your signing thing for a wildcard... do I have to fill in all the information?
#
EHLOVader
The stateOrProvinceName field needed to be supplied and was missing
#
EHLOVader
unable to write 'random state' was returned
#
aaronpk
EHLOVader: the ssl cert thing?
#
EHLOVader
signing
#
aaronpk
hm yeah you might need to include that value then
#
aaronpk
in the CSR
#
EHLOVader
it was for *.ehlovader.dev
#
EHLOVader
just checking
#
aaronpk
not really sure why it would require it though
#
EHLOVader
I will throw something in
#
EHLOVader
something valid
#
aaronpk
probably XX counts as valid
#
EHLOVader
me neither I didn't at globalsign
#
aaronpk
barnabywalters: you should fall back to the existing flow if there is no authorization endpoint found. if there is an authorization endpoint but no token endpoint, then we need to figure out how to handle that
#
EHLOVader
check that the request matches signature?
#
aaronpk
EHLOVader: what?
#
EHLOVader
oh passphrase
#
EHLOVader
I left it blank but didn't know, openssl kept asking me for one
#
aaronpk
ah! if there is no token endpoint, then you should attempt to verify the auth code with the authorization server. (that is basically what the existing flow does)
#
barnabywalters
that makes sense
#
aaronpk
which is what the token endpoint uses internally
#
barnabywalters
we should write the spec (or other documentation) in such a way that it’s a logical progression from the simple flow to the complex flow
#
aaronpk
agreed
#
barnabywalters
I’m building a token endpoint at the moment
#
barnabywalters
aaronpk: at https://github.com/indieweb/indieauth-client-php#verifying-the-authorization-code does the verify function call decode the POST body response?
#
barnabywalters
the spec isn’t clear, makes it sound like it returns a string
#
aaronpk
oh yeah. the method parses it and returns as an array
#
aaronpk
updates the docs
howardshippin and KevinMarks2 joined the channel
#
barnabywalters
aaronpk: okay now I’m getting No micro pub endpoint error on the client, so I assume everything up to that point is working fine
#
aaronpk
awesome
#
barnabywalters
still getting blank page error when trying to sign in to my local instance though
#
barnabywalters
porridge break
#
aaronpk
can you send me the authorization URL you are constructing?
#
aaronpk
i might be able to re-create the problem on my local copy of indieauth.com that way
snarfed joined the channel
#
barnabywalters
hm I wonder if it’s those crazy bytes in the state which are causing the problem
#
aaronpk
huh yeah
#
barnabywalters
I’ll try just using mt_rand
#
aaronpk
those are some crazy bytes
#
aaronpk
wow so much german activity! awesome!
#
barnabywalters
well I would hope so as they are random :) I’ll fix it after porridge
#
barnabywalters
aaronpk: one really cool bit of discovery to add would be discovering app information
#
barnabywalters
even basic name+photo would really improve the authorisation screen
#
aaronpk
yep! that's part of the reason the client_id is a URL
#
aaronpk
so the auth server can fetch an h-card or something that describes the app
#
barnabywalters
yep it was those crazy bytes
iangreenleaf joined the channel
#
aaronpk
wow that's bizarre
#
barnabywalters
hm indieauth isn’t redirecting to the redirect URL I set
#
barnabywalters
it’s going to /
#
barnabywalters
maybe I got some parameters mixed up somewhere
#
barnabywalters
oh no, it is going to the right place, firefox’s debug UI is just weird
#
aaronpk
hah ok
#
aaronpk
ok my micropub endpoint should accept an "access_token" parameter now
#
barnabywalters
under what conditions might the token array be empty? because that’s what’s happening
#
@diplix
indieweb and reclaim social media - what I did over the weekend — http://wirres.net/article/articleview/7046/1/6/
(twitter.com/_/status/425045462538657792)
#
barnabywalters
possibly a problem with my token endpoint
#
aaronpk
the token array after calling IndieAuth\Client::getAccessToken?
#
aaronpk
probably if it couldn't decode the form-encoded string
#
barnabywalters
yep, I see where the error was now — I wasn’t constructing the response properly
#
aaronpk
ah cool
#
barnabywalters
might be handy to explicitly return false there instead of an empty array
#
aaronpk
that should just be a matter of changing this to $auth = false
#
barnabywalters
looking in my logs I’m seeing Method Not Allowed: GET for /login/token/ — I thought the token endpoint only ever got POSTed to?
#
barnabywalters
unless there’s a redirect -> GET dance going on
#
aaronpk
do you have /login/token redirecting to /login/token/ by chance?
#
barnabywalters
why would the trailing slash be stripped though?
KartikPrabhu joined the channel
#
aaronpk
hm you do reference /login/token/ in your html rel value
#
barnabywalters
unless… it’s somewhere in the relative URL resolution
#
barnabywalters
there’s no benefit to that being relative anyway
#
aaronpk
probably better to be fully qualified, so that your http pages can specify the https token endpoint once you get https set up
#
barnabywalters
is it a good idea to still have http pages lying around with https set up?
#
aaronpk
i think it's fine for public content
#
aaronpk
but technically you'd need to make sure you're setting the cookie https-only so the browser doesn't send cookies in the clear
#
barnabywalters
okay, route matching correctly now but token still broken. probably something on my side
#
@kaffeeringe
RT @diplix: indieweb and reclaim social media - what I did over the weekend — http://wirres.net/article/articleview/7046/1/6/
(twitter.com/_/status/425049564409004032)
aaronpk_ and j12t joined the channel