#dev 2016-10-02

2016-10-02 UTC
KevinMarks joined the channel
#
gRegorLove
Think I've got sending of private webmentions mostly working!
miklb and KevinMarks_ joined the channel
#
gregorlove.com
edited /Private-Webmention (+637) "/* IndieWeb Examples */ subheadings, +me"
#
gregorlove.com
edited /private_posts (+12) "/* gRegor Morrill */"
#
gRegorLove
aaronpk: Is nonce a good idea for the code JWT, or is its short expiration period sufficient? My notes: https://indieweb.org/private_webmention#gRegor_Morrill
KevinMarks and tantek joined the channel
#
aaronpk
gRegorLove: looks like the general thinking is including a nonce gives you a unique ID for the JWT you can use to block it in the future if you need http://security.stackexchange.com/questions/64541/can-i-prevent-a-replay-attack-of-my-signed-jwts
#
gRegorLove
I thought you'd said something before about it making it cryptographically stronger. Maybe that was with IndieAuth though.
tantek and chrisaldrich1 joined the channel
#
aaronpk
I seem to remember something about the nonce adding to the entropy of the resulting string making it harder to reverse engineer the secret. If that's true, then it wouldn't matter whether the code has expired since you could gather a bunch of codes and analyze them even if they've expired
#
KartikPrabhu
getting back into indieweb-deving and found that everything is broken since I haven't updated stuff for a year!
KevinMarks, gRegorLove, KevinMarks_ and mblaney joined the channel
#
mblaney
I would be interested in understanding more about /Private-Webmention, if someone wants to answer my questions (maybe even add the answers to the page)
#
mblaney
it might be my lack of understanding of oauth in general, but what's the difference between an auth code and an access token?
#
mblaney
ie if as a webmention receiver, I'm going to provide an access token for any auth code I provide, what extra security is the back and forth providing?
#
mblaney
also if auth codes only last for 60 seconds, how will it work with async processing?
#
mblaney
happy to be pointed at oauth docs if these questions have already been answered!
#
mblaney
(sorry I think above should be: s/webmention receiver/webmention sender)
chrisaldrich_ and gRegorLove joined the channel
#
gRegorLove
I don't know about the oauth reasonings behind it, but switching a short-lived auth code for the token seems like it's safer than just sending a longer-lived access token to the recipient.
#
gRegorLove
60s is a minimum on the auth token, can be up to 10 minutes.
#
gRegorLove
access tokens can (optionally) not expire, too, so in that case you definitely want the receiver to initiate the process, not just send it to them directly; anyone in-between or with access to logs could access the private post then.
#
gRegorLove
s/auth token/auth code/ ^^
mblaney joined the channel
#
mblaney
hi gRegorLove, thanks for your answers. wasn't expecting anyone to be around because timezones :-)
#
mblaney
I think I understand, that the auth code is not requested by the receiver, so no chance for them to protect it.
#
mblaney
as you say, they request the access token which makes it safer.
KartikPrabhu and chrisaldrich1 joined the channel
#
sebastianlasse.de
edited /Planning (+402) "/* Berlin */ VENUES"
#
@m_ott
@fhemberger Hi Frederic, take a look at https://webmention.io by @aaronpk. It's a hosted service with API that collects webmentions.
(twitter.com/_/status/782521277655441408)
#
@m_ott
@fhemberger And https://brid.gy is great if you want to receive webmentions via Twitter / Facebook / Instagram / Flickr.
(twitter.com/_/status/782522385887031296)
#
sebastianlasse.de
edited /Planning (+55) "/* Berlin */ would participate"
#
matthiasott.com
created /Template:matthiasott (+163) "Created page with "<span class="h-card" style="white-space:nowrap">{{sparkline|https://cdn.matthiasott.com/apple-touch-icon-180x180.png}} [[User:matthiasott.com|Matthias Ott]]</span>""
#
matthiasott.com
created /User:Matthiasott.com (+80) "Created page with "{{stub}} is <span class="h-card">[https://matthiasott.com/ Matthias Ott]</span>""
#
adactio.com
edited /Planning (+18) "/* Berlin */"
#
Zegnat
Do we have an h-feed validator somewhere?
#
sknebel
Zegnat: don't think so, apart from feeding it into a mf2 parser and looking at the output
#
Zegnat
Then I probably did it right. Haha
#
Loqi
ahahahaha
#
aaronpk
mblaney: that's a great way of saying that! I'll add that to the page
#
aaronparecki.com
edited /Private-Webmention (+106) "/* IndieWeb Examples */ add URL to my example private post"
#
@nicolehill17
#IndieAuthors Want to be featured on Lady N's Den of Indie Awesomeness? Find out more here: http://nicolefaithhill.blogspot.com/p/indie-auth
(twitter.com/_/status/782612668985249794)
#
KevinMarks_
Hm, could do an h-feed to h-feed translation so you see what is missing
#
KevinMarks_
Unmung has the storycards thing that is a bit like that
#
KevinMarks_
Also, indiewebify.me has h-entry validation
#
KevinMarks_
You could use h-feed to h-atom, then unmung atom to h-feed and see what makes it through
#
aaronparecki.com
edited /Private-Webmention (+722) "/* FAQ */ why auth code"
#
Zegnat
KevinMarks, I really just wanted a thing that told me if my h-feed was right or not. I am now just assuming it is.
#
Zegnat
Converting back and forth might not work because of the implementations of the converters
KartikPrabhu joined the channel
#
aaronpk
could just look at it in woodwind
#
Zegnat
Well, apparently it does not work on woodwind, haha
#
Loqi
hahahaha
#
Zegnat
keeps forgetting about Woodwind
#
Zegnat
It picks up on my feed name, so it recognises the feed, but I am not seeing any of the h-entries being pulled. Odd.
#
sknebel
Zegnat: could it be that it expects a u-url for a permalink?
#
Zegnat
It might, in which case it is obvious why mine aren’t showing up yet
#
Zegnat
permalink pages aren’t done yet
#
sknebel
(assuming that code does and is used for what the function name indicates ;))
#
Zegnat
Hm, yes, or possibly a uid, which I do not provide either. So that would be why
#
sknebel
opensource++ for being able to check things like that
#
Loqi
opensource has 8 karma (1 in this channel)
#
Zegnat
I will get permalink pages done this week, so it should be sorted soon.
#
Zegnat
Once permalinks are in, I will also start testing with private webmentions. Time to replace Twitter mentions!
ChrisAldrich joined the channel
#
sknebel
I'm still wondering how to manage private posts and store *received* private posts best
#
KevinMarks_
What is your h-feed url Zegnat?
#
sknebel
part of me thinks "they are just posts, dump them in the timeline and make sure your display code understands not to show it publicly", part of me wants to put them in their own, separated space
#
aaronpk
sknebel: i'm planning on showing private webmentions on post permalinks the same as normal webmentions except only visible to me, and with a visibility indicator so that i know it's not public
#
sknebel
that's an idea. lots of pieces to build for that for me, but might be cleanest
chrisaldrich1 joined the channel
#
Zegnat
KevinMarks_, haven't you read the Brighton demos? I am building my feed at https://licit.li
#
KevinMarks_
Looks like I don't check for url
#
KevinMarks_
You could make author an h-card, so it can have name url and photo
#
KevinMarks_
And you have 2 published rather than a published and update
KevinMarks and dkm joined the channel