#bear KartikPrabhu - that's why i'm happy you are making changes - I love that we will be working on making the code better. let me check the PR status now...
#Jeena hm brid.gy says my notes have no webmention support, weird, perhaps it is not checking the http header?
#KartikPrabhu Jeena: when I am parsing your website using the python request module, I get a 'certificate verify failed' error. Any idea how to get around/fix this?
#Jeena hm that is odd, because it is a real certificate, not a self signed one
#aaronpk Jeena: did you add the certificate chain to your cert if necessary?
#Jeena I'm not sure I understand what you're saying
#aaronpk KartikPrabhu: out of curiosity, do you get an SSL error on https://indiewebcamp.com ? I got a startssl cert for the wiki too.
#bear KartikPrabhu - you can pass in verify=False to the request to have python-requests not walk the chain
#Jeena I have a file called sub.class1.server.ca.pem here, I will check the howto on their website
#KartikPrabhu aaronpk: same error chain for indiewebcamp too
#Jeena the fuck! Some of our services are offline and under maintenance at weekends during the night hours until 07:00 AM GMT. We apologize for the temporary inconvenience and thank you for your understanding.
#KartikPrabhu bear: good to know. but ideally it should work without that
#bear yes, but… there are some bugs with older versions of both python-requests *and* openssl
#aaronpk ok, I did include the intermediate cert for indiewebcamp.com, so it might not be a problem with jeena's server then
#bear that cause them to improperly reference cached cert chain from the OS
#KartikPrabhu bear: I see. So it could be a python bug. most annoying :(
#Jeena yeah I kind of remember that I added one file to the other or something
#snarfed bear, it sounds like you're familiar with python-requests? i'm trying to figure out how it handles multiple response headers with the same name. any idea?
#Jeena I was thinking about disabling cert verification in my code too but decided that I would do it only if it is a real problem some day in the future
#bear we need to see if verify=true works on the other two
#KartikPrabhu verify=True fails for Jeena's site but works for bear's
#Jeena hehe it was actually but I just need to handle stuff like that, I think I will try to get some microformat data out of it
#Jeena you know, JSON would be so much easier to handle, I can't get my HTML parser to find <meta name='description'> vs. Description vs DESCRIPTION, etc.
#aaronpk you'd have the same problem with JSON (description vs Description vs DESCRIPTION)
#aaronpk I use the php-mf2 parser, and I get back a native object with the parsed results. I don't have to think about HTML parsing at all.
#Jeena no because this would have been defined somewhere, the html world is just the wild west and you find all of those
#Jeena I can use xpath for querying, so in theory I also get a native object, but everything looks like this:
#neuro` tantek: nice new avatar on Twitter, but the resolution is very low on my client (low like "oh, cool pixel art")
#tantek neuro` Twitter is lower resolution than my own site. In general ;)
#tantek It's inevitable that silos will have downlevel content compared to indieweb sites.
#neuro` tantek: not sure how Twitter resized it, lots of people I follow have high def avatar on twitter.
#tantek but do they have their own websites? when silos are mere POSSE copies, they can be expected to be lower resolution and should be treated as such.
#aaronpk KartikPrabhu: I only send a 400 for seriously malformed requests, like missing a source parameter, or when the URL parameters aren't actually URLs
#KartikPrabhu aaronpk: Do you check if sourceURL can be retrieved and send 400 if not?
#KartikPrabhu I am sending webmentions automatically on saving a new post and it seems that the webmention is sent before the article even has a URL
#aaronpk you probably shouldn't send a webmention until your URL actually exists
#KartikPrabhu yes! But the only way I have figured out to do it in Django is to modify the save method. So the very first time it is executed there is no actual post! It does work on re-save though :P
#aaronpk ah, crazy! there isn't a post-save hook or something?
#KartikPrabhu possibly. must look more through the docs
#KartikPrabhu but tracking this down took a lot of work! I was very confused for a while that it didn't work only on first save :)
#barnabywalters aaronpk: just started implementing indieauth stuff by trying to get equivalent behaviour to current approach using new flow
CheckDavid joined the channel
#barnabywalters wondering how to structure what scope to request for each person logging in
#barnabywalters e.g. someone might want to authenticate to see some private content without authorising my server to post on their behalf
#barnabywalters for the moment it’s probably safe to assume that if the person has a micropub endpoint (i.e. is you) they want to request the post scope, but going forward that’s going to be a UI issue we have to figure out
#aaronpk I think you can probably infer the intended scope based on the page they are signing in from
#aaronpk but that seems like only a temporary solution
#barnabywalters the awesomesauce solution would be for the app to pass a list of scopes it supports to the authorisation endpoint and let the user choose what they want to give
#barnabywalters observation: the new flow is significantly more complicated than the old one, which for the limited case of just signing in was amazingly simple. presumably the old flow will still continue to be “officially” supported?
#aaronpk so I would be fine to specify a simplified flow for identification (instead of identification plus authorization) but it would still require delegating to an authorization server
#barnabywalters but not only is that a sane default, just discovering what authorisation endpoint the user wants to use and then completing the old flow as before is still easier than the complete new flow
CheckDavid joined the channel
#aaronpk yes, you don't need an access token for identification
#barnabywalters aaronpk: yep that sounds like a good plan — keep a simple yet distributed flow for the common case of just identification, and then have the new flow for more complex stuff
#aaronpk I just want to make sure nobody is hard-coding to indieauth.com
#barnabywalters but I don’t need to store it because it’ll be passed to the authorisation endpoint, right?
#aaronpk you will need to store it, which is where the security comes in. you generate a random number, store it in a session somewhere, then you use it when you want to get a token.
#aaronpk if you want to take a shortcut for now, you can just leave it blank, cause blank=blank. that just means that if someone intercepts the auth code, they can steal the code and generate a token.
#aaronpk barnabywalters: you should fall back to the existing flow if there is no authorization endpoint found. if there is an authorization endpoint but no token endpoint, then we need to figure out how to handle that
#EHLOVader check that the request matches signature?
#EHLOVader I left it blank but didn't know, openssl kept asking me for one
#aaronpk ah! if there is no token endpoint, then you should attempt to verify the auth code with the authorization server. (that is basically what the existing flow does)
#aaronpk which is what the token endpoint uses internally
#barnabywalters we should write the spec (or other documentation) in such a way that it’s a logical progression from the simple flow to the complex flow