#dev 2016-10-02

2016-10-02 UTC
KevinMarks joined the channel
# 00:39 
gRegorLove Think I've got sending of private webmentions mostly working!
miklb and KevinMarks_ joined the channel
# 00:57 
gregorlove.com edited /Private-Webmention (+637) "/* IndieWeb Examples */ subheadings, +me" (view diff)
# 00:59 
gregorlove.com edited /private_posts (+12) "/* gRegor Morrill */" (view diff)
# 01:02 
gRegorLove aaronpk: Is nonce a good idea for the code JWT, or is its short expiration period sufficient? My notes: https://indieweb.org/private_webmention#gRegor_Morrill
KevinMarks and tantek joined the channel
# 01:15 
aaronpk gRegorLove: looks like the general thinking is including a nonce gives you a unique ID for the JWT you can use to block it in the future if you need http://security.stackexchange.com/questions/64541/can-i-prevent-a-replay-attack-of-my-signed-jwts
# 01:17 
gRegorLove I thought you'd said something before about it making it cryptographically stronger. Maybe that was with IndieAuth though.
tantek and chrisaldrich1 joined the channel
# 02:16 
aaronpk I seem to remember something about the nonce adding to the entropy of the resulting string making it harder to reverse engineer the secret. If that's true, then it wouldn't matter whether the code has expired since you could gather a bunch of codes and analyze them even if they've expired
# 03:11 
KartikPrabhu getting back into indieweb-deving and found that everything is broken since I haven't updated stuff for a year!
KevinMarks, gRegorLove, KevinMarks_ and mblaney joined the channel
# 06:15 
mblaney I would be interested in understanding more about /Private-Webmention, if someone wants to answer my questions (maybe even add the answers to the page)
# 06:16 
mblaney it might be my lack of understanding of oauth in general, but what's the difference between an auth code and an access token?
# 06:17 
mblaney ie if as a webmention receiver, I'm going to provide an access token for any auth code I provide, what extra security is the back and forth providing?
# 06:18 
mblaney also if auth codes only last for 60 seconds, how will it work with async processing?
# 06:19 
mblaney happy to be pointed at oauth docs if these questions have already been answered!
# 06:22 
mblaney (sorry I think above should be: s/webmention receiver/webmention sender)
chrisaldrich_ and gRegorLove joined the channel
# 06:35 
gRegorLove I don't know about the oauth reasonings behind it, but switching a short-lived auth code for the token seems like it's safer than just sending a longer-lived access token to the recipient.
# 06:36 
gRegorLove 60s is a minimum on the auth token, can be up to 10 minutes.
# 06:39 
gRegorLove access tokens can (optionally) not expire, too, so in that case you definitely want to receiver to initiate the process, not just send it to them directly; anyone in-between or with access to logs could access the private post then.
# 06:40 
gRegorLove s/auth token/auth code/ ^^
mblaney joined the channel
# 06:43 
mblaney hi gRegorLove, thanks for your answers. wasn't expecting anyone to be around because timezones :-)
# 06:44 
mblaney I think I understand, that the auth code is not requested by the receiver, so no chance for them to protect it.
# 06:45 
mblaney as you say, they request the access token which makes it safer.
KartikPrabhu and chrisaldrich1 joined the channel
# 09:42 
sebastianlasse.de edited /Planning (+402) "/* Berlin */ VENUES" (view diff)
# 10:03 
@m_ott @fhemberger Hi Frederic, take a look at https://webmention.io by @aaronpk. It's a hosted service with API that collects webmentions. (twitter.com/_/status/782521277655441408)
# 10:07 
@m_ott @fhemberger And https://brid.gy is great if you want to receive webmentions via Twitter / Facebook / Instagram / Flickr. (twitter.com/_/status/782522385887031296)
# 10:25 
sebastianlasse.de edited /Planning (+55) "/* Berlin */ would participate" (view diff)
# 11:12 
matthiasott.com created /Template:matthiasott (+163) "Created page with "<span class="h-card" style="white-space:nowrap">{{sparkline|https://cdn.matthiasott.com/apple-touch-icon-180x180.png}} [[User:matthiasott.com|Matthias Ott]]</span>"" (view diff)
# 11:13 
matthiasott.com created /User:Matthiasott.com (+80) "Created page with "{{stub}}  is <span class="h-card">[https://matthiasott.com/ Matthias Ott]</span>"" (view diff)
# 11:13 
matthiasott.com edited /Template:matthiasott (+0) (view diff)
# 11:14 
matthiasott.com edited /Planning (+22) (view diff)
# 12:23 
adactio.com edited /Planning (+18) "/* Berlin */" (view diff)
# 12:53 
Zegnat Do we have an h-feed validator somewhere?
# 12:55 
sknebel Zegnat: don't think so, apart from feeding it into a mf2 parser and looking at the output
# 13:00 
Zegnat Then I probably did it right. Haha
# 13:00 
Loqi ahahahaha
# 14:26 
aaronpk mblaney: that's a great way of saying that! I'll add that to the page
# 14:30 
aaronparecki.com edited /Private-Webmention (+106) "/* IndieWeb Examples */ add URL to my example private post" (view diff)
# 14:53 
@schnarfed @m_ott @fhemberger https://webmention.herokuapp.com is better for static sites; it renders webmentions with just JS. example: http://www.kevinmarks.com/distributed-verify.html (twitter.com/_/status/782594434802200576)
# 16:15 
@nicolehill17 #IndieAuthors Want to be featured on Lady N's Den of Indie Awesomeness? Find out more here: http://nicolefaithhill.blogspot.com/p/indie-auth (twitter.com/_/status/782612668985249794)
# 17:04 
KevinMarks_ Hm, could do an h-feed to h-feed translation so you see what is missing
# 17:05 
KevinMarks_ Unmung has the storycards thing that is a bit like that
# 17:06 
KevinMarks_ Also, indiewebify.me has h-entry validation
# 17:08 
KevinMarks_ You could use h-feed to h-atom, then unmung atom to h-feed and see what makes it through
# 17:49 
aaronparecki.com edited /Private-Webmention (+722) "/* FAQ */ why auth code" (view diff)
# 18:37 
Zegnat KevinMarks, I really just wanted a thing that told me if my h-feed was right or not. I am now just assuming it is.
# 18:37 
Zegnat Converting back and forth might not work because of the implementations of the converters
KartikPrabhu joined the channel
# 18:41 
aaronpk could just look at it in woodwind
# 18:43 
Zegnat Well, apparently it does not work on woodwind, haha
# 18:43 
Loqi hahahaha
# 18:43 
Zegnat keeps forgetting about Woodwind
# 18:44 
Zegnat It picks up on my feed name, so it recognises the feed, but I am not seeing any of the h-entries being pulled. Odd.
# 18:55 
sknebel Zegnat: could it be that it expects a u-url for a permalink?
# 18:58 
Zegnat It might, in which case it is obvious why mine aren’t showing up yet
# 18:58 
sknebel Zegnat: reading the code, that seems to be the case: https://github.com/kylewm/woodwind/blob/71be267613f2b9f2feafd8e39663b6b54187de3a/woodwind/tasks.py#L494
# 18:58 
Zegnat permalink pags aren’t done yet
# 18:59 
sknebel (assuming that code does and is used for what the function name indicates ;))
# 19:06 
Zegnat Hm, yes, or possible a uid, which I do not provide either. So that would be why
# 19:10 
sknebel opensource++ for being able to check things like that
# 19:10 
Loqi opensource has 8 karma (1 in this channel)
# 19:15 
Zegnat I will get permalink pages done this week, so it should be sorted soon.
# 19:16 
Zegnat Once permalinks are in, I will also start testing with private webmentions. Time to replace Twitter mentions!
ChrisAldrich joined the channel
# 19:33 
sknebel I'm still wondering how to manage private posts and store *received* private posts best
# 19:33 
KevinMarks_ What is your h-feed url Zegnat?
# 19:35 
sknebel part of me thinks "they are just posts, dump them in the timeline and make sure your display code understands not to show it publicly", part of me wants to put them in their own, seperated space
# 19:47 
aaronpk sknebel: i'm planning on showing private webmentions on post permalinks the same as normal webmentions except only visible to me, and with a visibility indicator so that i know it's not public
# 19:51 
sknebel that's an idea. lots of pieces to build for that for me, but might be cleanest
chrisaldrich1 joined the channel
# 20:28 
Zegnat KevinMarks_, haven't you read the Brighton demos? ? I am building my feed at https://licit.li
# 20:35 
KevinMarks_ http://www.unmung.com/storycard?url=https%3A%2F%2Flicit.li
# 20:35 
KevinMarks_ Looks like I don't check for url
# 20:44 
KevinMarks_ You could make author an h-card, so it can have name url and photo
# 20:45 
KevinMarks_ Chaining unmung processes http://www.unmung.com/jsontoxoxo?url=http%3A%2F%2Fwww.unmung.com%2Fmf2tojs2%3Furl%3Dhttp%253A%252F%252Fwww.unmung.com%252Fmf2%253Furl%253Dhttps%25253A%25252F%25252Flicit.li%26pretty%3Don
# 20:47 
KevinMarks_ And you have 2 published rather than a published and update
KevinMarks and dkm joined the channel