2016-09-08 UTC
singpolyma, cmal, KevinMarks and KevinMarks_ joined the channel
loicm_, gRegorLove, miklb, AngeloGladding and loicm__ joined the channel
KevinMarks joined the channel
# 06:09 Zegnat KevinMarks, will you put The verify me extension on github?
cweiske, AngeloGladding and loicm__ joined the channel
# 07:18 KevinMarks Oh, sure. It's just the code from yesterday wrapped with a manifest
# 07:46 Zegnat Oh, alright, I thought you may have itterated on it, KevinMarks. I would like to see if it can be packaged for Firefox.
loicm__ joined the channel
KevinMarks_ joined the channel
gRegorLove and cmal joined the channel
# 10:20 Loqi [Ben Roberts] Successful posting from the new app!
# 10:20 cweiske webmention endpoint says "200 OK" with no content
Zegnat joined the channel
# 12:06 GWG cweiske: Does the spec say you have to return content with a 200? I don't remember seeing that.
# 12:12 cweiske webmention spec says "Any 2xx response code must be considered a success.
# 12:12 GWG cweiske: Yes, but it doesn't say what constitutes a success.
# 12:12 GWG The receiver doesn't have to display it.
# 12:13 cweiske I just wondered why a) it did not show up and b) was a 200 and not 204
# 12:13 GWG So, if someone manually approves comments, or just stores webmentions for statistical data, they would still return success.
# 12:13 GWG cweiske: I don't think 204 is appropriate
# 12:14 cweiske "204 No Content" is not appropriate for "all fine, but I have nothing to say"?
# 12:15 GWG I think there is no expectation by the sender that the receiver will display content.
# 12:15 GWG That is why 204 isn't appropriate.
# 12:16 GWG I'm referring to the Webmention spec.
# 12:16 cweiske "However, folding of header lines is not expected by some applications"
# 12:17 cweiske "204 No Content: The server has fulfilled the request but there is no new information to send back."
# 12:18 GWG Again, still think that the webmention specification doesn't require new information sent back. It requires either to alert that it was accepted, or accepted but queued.
# 12:20 cweiske so ben_thatmustbeme's 200 response is semantically incorrect
# 12:21 GWG cweiske: If ben_thatmustbeme is processing synchronously, then it would be correct according to the spec.
# 12:39 Zegnat I never bothered to check the HTTP headers on my own receiver. I should do that when I get home. My implantation should be giving 202, but I expect I am doing 200...
# 13:16 voxpelli myfreeweb: if you have time for a PR, then that usually speeds things up. I guess a concern for aaronpk is also that there might be a need for some backwards compatibility
# 13:17 aaronpk I will have to think about the backwards compatibility of that. I've been doing those kinds of changes in quill with a backwards compatibility flag and a notice where you can opt in to the change when you're ready
# 13:18 aaronpk Oh dear my SSL cert expired a few minutes ago. For some reason my auto renew failed!
# 13:20 GWG Another glorious Indieweb day for all?
# 13:21 myfreeweb it's just weird that your client is not compliant with your spec
# 13:23 GWG The specification was still partially undefined when several implementations came out.
# 13:23 GWG It means that I am not sure what constitutes a reference implementation/client.
# 13:25 aaronpk there we go, fixed it and put it into the rotation
# 13:26 aaronpk yes, quill is meant to be a reference implementation but i am behind on it since i've been making faster progress on the micropub spec lately since it's been in the w3c
# 13:28 GWG aaronpk, I appreciate you. I do not think I am alone.
# 13:30 myfreeweb aren't unknown query params usually ignored?
# 13:31 myfreeweb i guess it could check "q=" for other things and return an error for an unknown one though, yeah
# 13:34 GWG I think last night I figured out Indieauth for WordPress REST infrastructure
doesntgolf joined the channel
# 13:43 myfreeweb implemented mine according to the spec over a month ago. still can't post images.
# 13:48 myfreeweb yeah i could make it work with a one line fix. but this is still incredibly frustrating. i want to follow the spec, not the client's implementation
# 13:50 voxpelli I'm happy that aaronpk has such a great client and that he values to stay compatible with us early adopters – everyone can write their own clients if they want or contribute to the ones that exists
# 13:51 voxpelli it's that atmosphere of mutual contributions that I find so appealing with the IndieWeb
# 13:51 ben_thatmustbeme cweiske: your comment was queued for approval as it wasn't whitelisted and didn't have a vouch
# 13:52 Loqi ben_thatmustbeme has 167 karma (1 in this channel)
# 13:52 myfreeweb staying compatible with literally everything is how you become microsoft
# 13:53 myfreeweb i haven't ever seen getting the config without ?q=config in the draft
# 13:53 myfreeweb yeah i have a media endpoint
# 13:53 myfreeweb yeah exactly
# 13:54 myfreeweb so i wonder who needs backwards compatibility for THAT
# 13:55 aaronpk myfreeweb: normally what i do is i check my logs to see who is using a particular feature and if there are people then i will create a feature flag for the change and let them opt in to the change when ready
# 13:57 myfreeweb was the old media endpoint discovery behavior (no q=config) *ever* in the spec?
# 13:58 myfreeweb oh i guess you could also query *both* urls
# 13:59 aaronpk hm looks like the first w3c draft only had q=syndicate-to but didn't mention no q parameter
# 14:01 voxpelli there were talks about using no q as a way to verify log in success, but that warped into ?q=config
# 14:01 myfreeweb my endpoint returns auth info for no q
# 14:01 aaronpk looks like it never mentioned anything about a GET request to the endpoint with authentication and no query parameters
# 14:02 aaronpk looking at Quill, it actually expects all the config info to come back in a single request which is probably why I made my endpoint return both the syndicate-to list as well as the media endpoint on an empty GET request
# 14:04 myfreeweb yep and i put that on q=config
# 14:04 voxpelli such iterative evolving is key to the momentum – waiting for a full spec before implementations kills any momentum
# 14:04 cweiske I wonder why the media endpoint is in that config at all, and not at the same place as the micropub server link
# 14:05 aaronpk cweiske: that was a tricky one, I wasn't totally sure about which way to go with it
# 14:05 aaronpk I figured that for the most part, the media endpoint is an implementation detail of the micropub endpoint, so users shouldn't be bothered with it
# 14:05 aaronpk (assuming the user is at least aware of the html tags that go into their home page)
# 14:05 cweiske aaronpk, same could be said of the token endpoint
# 14:06 voxpelli token endpoint is connected to a domain identity, media endpoint is connected to a content destination
# 14:06 aaronpk really the user should only have to specify their authorization endpoint and their micropub endpoint
# 14:06 cweiske voxpelli, token endpoint is actually determined by the micropub endpoint
# 14:06 voxpelli cweiske: my micropub endpoint supports plenty of token endpoints
# 14:07 cweiske because the micropub endpoint has to verify the token against the token server, without knowing which user the token sent
# 14:07 cweiske voxpelli, then I'm curious how you determine which token endpoint to query
# 14:09 voxpelli if a token returns a valid "me" from any of the supported token endpoints, then success
# 14:10 cweiske I don't doubt that this works. it's just not good idea to have a spec that requires you to do this
# 14:10 voxpelli of course it wouldn't scale to thousands of users, but if I were to have thousands of users I would instead implement my own token endpoint
# 14:10 cweiske voxpelli, then all people would be required to list your token endpoint on their page
# 14:11 cweiske voxpelli stores a list of all his user's token endpoints
# 14:12 voxpelli cweiske: if I were to have thousands of users of my endpoint, then it would probably be because I was running a small indieweb friendly social network or similar and then I would be in control of all those social network profiles as well
# 14:12 aaronpk because that means your'e sending tokens all over the place
# 14:12 voxpelli aaronpk: it's a list of trusted places to query – it's something that's hard coded into an environment variable
# 14:13 voxpelli I'm sending a nuke to the server location right away – not
# 14:15 aaronpk If it's hard coded then you haven't really made it work with arbitrary token endpoints
# 14:16 cweiske but all generic micropub endpoints will have this problem
# 14:16 cweiske they get a request with a token, but don't know which token server to query
# 14:18 voxpelli aaronpk: it's an environemtn variable right now but could be loaded from the database just as well
# 14:19 voxpelli well, they know which token services that are allowed to provide access, but they don't know which one of those a token is from if there are more than one
# 14:20 voxpelli that issue comes from the fact that micropub has primarily been designed with a single user in mind – but if one has a multi-user site, then the problem will arise – especially if people of that multi-user site will log in with their personal sites
# 14:20 cweiske so when mr. malicious X logs into such a generic micropub server, his token endpoint will be added to the list of potential token endpoints
# 14:20 cweiske and thus will in future get all tokens handed to him
# 14:21 voxpelli cweiske: the generic micropub server would give Mr X his own micropub endpoint
# 14:21 voxpelli and if Mr X doesn't add anyone else to his own micropub endpoint, then no other token endpoints than his will be checked for access
# 14:22 voxpelli I do allow multiple identities to access my endpoints though – I support independent discovery of user identity and micropub destination
# 14:22 voxpelli (which is a reason why token endpoint should be discoverable separately from the micropub one)
# 14:30 aaronpk voxpelli: what do you mean "his own micropub endpoint"?
# 14:30 aaronpk is that like example.com/username/micropub or something?
# 14:32 voxpelli especially since a single identity can be used to publish to multiple destinations so every destination needs it's own endpoint
# 14:33 voxpelli so basically a JSON array like: [{"endpoint":"https://tokens.indieauth.com/token","me":"http://micropub-test-blog.voxpelli.com/"}
]
# 14:36 voxpelli aaronpk: then I'll check your token against the ones configured for that specific endpoint and since the token isn't recognized by any of them it will fail
singpolyma joined the channel
# 14:45 aaronpk voxpelli: i'm just confused about what the config file is for. you have to be discovering token endpoints dynamically
# 14:46 voxpelli aaronpk: no, my endpoint isn't dynamic yet, this version is manually configured – in the future I will probably launch a dynamic hosted version that will discover token endpoints automatically and save to a db
# 14:47 voxpelli people still have to self host and manually configure this version
# 14:51 voxpelli (and my main focus now with my little time is to complete that SWAT0 thing finally :P )
# 15:21 rhiaro hmm aaronpk: indieauth doesn't do discovery on auth endpoints with a HEAD first?
# 15:21 rhiaro If it is doing, it shouldn't be rejecting the response based on content type, should it?
# 15:22 rhiaro Which means indieauth.com either sent */* or no Accept header
# 15:22 rhiaro but if it's just checking Link headers it shouldn't care what the content-type is?
# 15:23 aaronpk true, could be bad defaults of the ruby http client
# 15:23 rhiaro (and sending no accept header implies the same as */* if my http spec reading memory is correct, so rejecting anything I think is wrong)
# 15:27 aaronpk oh i remember, it doesn't do a HEAD request because most of the URLs it needs the body of the response anyway
# 15:27 aaronpk (it doesn't know whether something is an authorization endpoint until after it checks)
cweiske joined the channel
# 15:40 voxpelli "To specify multiple values for a property, such as multiple categories of an h-entry, use array bracket notation for the property name." – seems to be the generic suggestion?
# 15:46 cweiske aaronpk, does micropub officially allow "photo[]" as file name?
# 15:49 cweiske I wonder how to make curl cli tool to give a name to the uploaded file
# 15:50 aaronpk it'd be great to have a collection of curl commands there to use for testing
# 15:51 cweiske aaronpk, shpub outputs a curl command when passing the --debug option
# 15:54 voxpelli cweiske: docs say: curl -F "file=@localfile;filename=nameinpost"
gRegorLove joined the channel
# 17:08 aaronpk hopefully this helps encourage hosting providers to make SSL free and easy to enable without lots of work
# 17:14 cmal I think it's going to happen anyway, or they're going to lose *a lot* of clients ^^
# 17:18 cmal yeah so we can finally stop having this plumbering argument and focus on how to implement proper security protocols on top of it (the necessity of TLS changes MUCH in this regard)
# 17:21 aaronpk now i just gotta go figure out what was using it and update that
# 17:22 gRegorLove Should be minor and not change most things, though maybe indieauth with weird capitalization of domain names.
# 17:27 gRegorLove Learned to write the tests first. I'd actually written up code to find the t.co meta refresh and use that before I realized cURL was getting the 301 redirect already.
cmal joined the channel
AngeloGladding joined the channel
# 18:45 cweiske who has a micropub endpoint that supports multiple images?
# 19:09 KevinMarks_ So, can we discuss the https issue in indiewebify.me and indieweb/rel-me?
# 19:11 KevinMarks_ I don't understand the specific objection to http/https redirection
# 19:12 gRegorLove Any security implications of using an http rel-me link in indieauth, maybe?
# 19:12 KevinMarks_ I don't think this should be a 400. If there is an issue, returning an explanatory string that we could show the user would be better
# 19:13 gRegorLove Agreed, the 400 just seems like a shortcut for the simple AJAX. Would be better to make the AJAX more robust to handle different responses / warnings.
cweiske joined the channel
# 19:42 cweiske some sites show which tool has been used to create the post. is this information transmitted through micropub? which property is used?
# 19:48 aaronpk since the client ID is the URL of the app, I can fetch the app's h-card info to get the name and icon
# 19:59 aaronpk right, when the client gets the token, the token is associated with the client_id at that point
# 19:59 aaronpk so when the token is used, the server already knows which app it's for
AngeloGladding and cmal joined the channel
# 20:56 cweiske the micropub "published" property - is it free-format, or is a certain format expected?
tantek, KevinMarks_, KevinMarks and miklb joined the channel