#dev 2017-07-09

2017-07-09 UTC
snarfed, eli_oat and davidmead joined the channel
#
[miklb] is there any mf2 meant for pagination?
#
[miklb] what is pagination?
#
Loqi pagination is a UI pattern for navigation across (typically chronologically) sequential pages that show one or more posts such as permalink post pages, archives, search results, and lists of tagged posts https://indieweb.org/pagination
#
[miklb] nothing mentioned there.
davidmead joined the channel
#
ben_thatmustbeme !tell miklb there is rel=next / rel=prev
#
Loqi Ok, I'll tell them that when I see them next
[miklb] joined the channel
#
[miklb] true. thanks ben_thatmustbeme
#
Loqi [miklb]: ben_thatmustbeme left you a message 43 minutes ago: there is rel=next / rel=prev
davidmead, prtksxna and tantek joined the channel
#
www.boffosocko.com edited /commonplace_book (+336) "Peter Molnar article" (view diff)
#
www.boffosocko.com edited /backfill (+811) "Indieweb examples; Peter Molnar article" (view diff)
#
www.boffosocko.com edited /wikifying (+36) "additional examples" (view diff)
AngeloGladding, prtksxna, [jemostrom], barpthewire and prtksxna_ joined the channel
#
sebsel re Selfauth, shouldn't verify_password() also use hash_equals() if present? https://github.com/Inklings-io/selfauth/blob/master/index.php#L63
#
sknebel yeah, that stuff wasn't touched yet. probably should
#
sebsel opens issue for it as a reminder
#
sebsel how do I get a GitHub URL with line for a specific version?
#
Zegnat Change master in the URL to the commit ID?
#
sebsel yeah found that out now, but there is no button for it, right?
#
Zegnat I did not do any work on the password functionality yet, true
#
Zegnat Hmm, no, don't think there is a button
#
sebsel Another thing I keep getting wrong while setting up: setup.php asks for 'Login URL', and I think of Selfauth's URL then.
#
sebsel This is more UI, but the first time I couldn't get it to work because I entered the wrong URL there.
#
sebsel IndieAuth calls it 'Web Address', but that's probably not a good name either.
#
sebsel s/IndieAuth/IndieAuth.com/
#
sknebel hm. no great idea right now either (well, we could/should add a line of explaination for each)
#
sebsel I wrote "the URL you're trying to log in for" in the setup docs
#
sebsel I guess the thing is that we're still not used to using URLs for people yet :)
#
Zegnat setup.php probably needs a whole rewrite anyway. But I wanted to focus on the part that is actually “in use” first.
[kevinmarks] joined the channel
#
[kevinmarks] Granary implements pagination in some of its outputs, not sure if it maps to mf2 though
#
Zegnat btw, sknebel, sebsel, I have a Public Domain timing-attack safe hash_equals alternative here: https://gist.github.com/Zegnat/5935844#file-bcrypt-php-L60-L63
#
Zegnat Should probably get that in there …
#
Zegnat Not as extremely thorough as the one in password_compat, but probably enough for us
prtksxna joined the channel
#
sebsel I have some new docs for SelfAuth https://github.com/sebsel/selfauth/blob/docs/README.md
#
Zegnat !tell ben_thatmustbeme can we add sebsel to the selfauth repo?
#
Loqi Ok, I'll tell them that when I see them next
#
Zegnat If you are running my branch, sebsel, please be very nitpicky in the PR, just comment on specific lines.
#
sebsel Zegnat I'm now introducing myself to the wonderful world of code sniffing with phpcs.
#
Zegnat Haha, welcome! ;)
#
sebsel I don't feel ready to contribute with code to Selfauth, so I wrote docs ;)
#
Loqi hehe
#
ben_thatmustbeme Sure
#
Loqi ben_thatmustbeme: Zegnat left you a message 27 minutes ago: can we add sebsel to the selfauth repo?
#
Zegnat Documentation contributions are just as needed as code. And nitpicking at my code can be more important than writing your own ;)
#
sknebel indeed. I'm having trouble reviewing stuff, since I have to look up basically every stdlib function in the docs ;)
#
sebsel I found out why setup.php still does not write config.php: is_writeable() returns false when the file does not exist.
#
sebsel But I have all the whitespace issues with setup.php first.
#
ben_thatmustbeme You should have an invite sebsel
#
sebsel I do!
#
Zegnat Don’t start by fixing whitespace. I just did it because this PR was touching most lines of index.php anyway. If you are also already touching most lines, that’s when you can make sure all of them comply.
#
Loqi +1
#
sebsel accepts the invitation
#
sebsel That's a good point.
#
Zegnat sknebel, here I thought you were getting good at reading PHP ;)
#
ben_thatmustbeme Everyone has to look up like every function in PHP. Such an inconsistent language
#
sknebel Zegnat: "reading" and "reviewing" is a difference, since for reading you can skip/skim a lot of stuff and assume it'll do what you think it does
#
Zegnat And even if you read the docs, my input_filters were failing for the longest time because I misread the way they expected the nested arrays.
#
Zegnat Which is why I do like this review setting on GitHub :)
#
sebsel So with this new warning, do I still have to state I'm okay with the licenses?
#
Zegnat I would say that the moment you accepted the invite you agreed to the licences
#
sebsel fine by me :)
#
Zegnat (Lets be honest, all the licence stuff are just guestimations anyway until you are big enough to get a lawyer on board)
#
sknebel which brings me to the question of "tests?". at least for pieces like the validation
#
Zegnat The functions I wrote should work 100% stand-alone, so we could take the code signing/verification as well as the content negotiation functions out and write tests for them
#
sknebel that was the idea
#
Zegnat The problem is that you will be adding more files to the repository again. While the base idea was to have just the index.php file with the optional setup.php for setup.
#
sknebel is "download the entire repo" so much easier than "download these two files"?
#
Zegnat Yes. GitHub gives you a button to download the repo as zip file
#
sebsel Isn't there an option to exclude files from the zip-file?
#
sknebel you can make a "release", there you can determine what goes in
#
Zegnat I think there was ... maybe ... with .gitattributes
#
sknebel the download-repo button always is the full repo as far as I know
#
Zegnat can you pick and chose files there, sknebel? I thought releases at the same auto-generated zip? Releases do allow us to upload our own ZIPs alongside the autogenerated ones, that I know
#
sebsel I know https://github.com/aaronpk/XRay has a release.sh, but I don't know how much manual work is there for aaronpk in there.
#
Loqi [aaronpk] XRay: X-Ray returns structured data from any URL
#
sknebel Zegnat: i thought you could, but you might be right
#
sknebel can't find anything about it right now
#
sknebel something to think about
prtksxna joined the channel
#
Zegnat sknebel, thanks for going through the oauth spec again. I will update the scope code
[jeremycherfas], prtksxna and barpthewire joined the channel
#
sebsel hmz, re: scopes, my token endpoint now gives out tokens with scope=false because Compass requests an access_token with empty scope https://chat.indieweb.org/dev/2017-07-03#t1499094507506000
#
Loqi [sebsel] aaronpk I was trying to spin up my own instance of Compass, but it seems like my new auth endpoint does not play well with it (also not on your instance). It is not requesting any scopes, but if I read the code correctly, it IS asking the token endpo...
[miklb] joined the channel
#
sebsel am I reading sknebel's comment correctly that that should not be possible? https://github.com/Inklings-io/selfauth/pull/16#issuecomment-313914445
#
sebsel well, this is about the token-endpoint, not about the auth-endpoint.
#
sknebel sebsel: not sure
#
Zegnat if the client making the request (e.g. compass) requests no scope – i.e. omit the scope property or have it as an empty string – it seems the endpoint should return an error
#
Zegnat That is also my reading of the spec linked by sknebel
#
Zegnat Sorry, sebsel, I was out
#
sknebel Zegnat: just read a bit more and https://tools.ietf.org/html/rfc6749#section-4.1.1 says that its optional
#
sknebel so it can't have an empty value, but not be included?
#
Zegnat When defined it must have a value and cannot be empty, when omitted the endpoint is supposed to use its default
#
Zegnat At least that’s what I get out of the RFC
#
sknebel and there is no default
#
sknebel yeah
#
Zegnat And we don’t have a default, exactly
#
aaronpk hmm
#
aaronpk maybe i should change compass
#
sknebel not sure if that's valid for the token endpoint though
#
sknebel but at least I am now again of the opinion that my selfauth comment was right ;)
#
Zegnat I am of two minds on this. There is no reason why selfauth can’t issue a code with scope, on the other hand, it is completely agnostic to what other tools exist so it can never make sense of any scopes that are requested
#
aaronpk all it needs to do is show the scopes that are requested
#
aaronpk it doesn't need to know what they mean
#
Zegnat Right now, scope is actually supported. It is shown to the user, and the user can accept them. The code issued by selfauth is signed with the secret, so a different token endpoint with the same secret can validate it and will then know that the user accepted whatever scope was asked for.
#
sknebel Zegnat: that's fine
#
@jimpick @emd @taravancil With IndieAuth, you just need to add some tags to your personal website. Of course, most people do… https://twitter.com/i/web/status/884089092371173378 (twitter.com/_/status/884089092371173378)
#
sknebel oh, right, we ignore the response_type
#
Zegnat Yes, I need to fix that. But that was what my question was about.
#
Zegnat Seems like we’ll error on response_type=id with a scope, and we will error on response_type=code if it is missing a scope :p
#
sknebel yes
#
sknebel that seems to me as the correct reading
#
Zegnat I’ll get that in the branch before dinner
#
sknebel aaronpk is now free to change the definition of IndieAuth, ideally before we go implement it :P
#
aaronpk that sounds correct
#
sknebel ok, good
#
aaronpk and sebsel feel free to file an issue on Compass if it does not do that
#
sknebel I think the compass issue is about the token endpoint, and thus not the same
#
sebsel I am reading what it does.
#
sknebel does it do an response_type=code or =id request initially?
#
sebsel Compass sends me to response_type=id, correctly without scope param.
#
aaronpk ah great
#
sknebel ok, then the question is if a token endpoint is supposed to know anything about that?
#
sebsel The weird part is here: https://github.com/aaronpk/Compass/blob/master/compass/app/Http/Controllers/IndieAuth.php#L77
#
sebsel If it sees a token endpoint, it requests an access token, but since it has no scope, it requests a no-scope access token.
#
sebsel but that is a token-endpoint issue, nothing to do with Selfauth I guess.
#
aaronpk ok yeah
#
aaronpk i think compass should not do that actually
#
aaronpk reviews openid connect
#
sebsel I think so too.
#
sebsel because it works if I have no token endpoint specified
#
sebsel I guess
#
sebsel I can test taht
#
aaronpk this is the classic OAuth is not an authentication protocol thing
#
aaronpk https://oauth.net/articles/authentication/
#
sebsel Well, IndieAuth is, right? :)
#
aaronpk yeah, it's the authenticatioin layer on top of OAuth
#
aaronpk similar to how OpenID Connect is authentication on top of OAuth
#
sebsel If I do not state my token endpoint in my rels, Compass works just fine, because it checks my auth-code with my auth endpoint, and I think it should do that anyway, since it does not request scopes.
#
aaronpk Yeah I think that makes sense
#
Zegnat New scope rules added for selfauth: https://github.com/Inklings-io/selfauth/pull/16/commits/08f5f05fd3d8ae85cc621fa476331cc27f335b2a
#
sebsel seems like Compass also does not store the token, only the 'me' in it, in a session. So I am storing a token for compass, and it will request one every time I log in.
#
sebsel Will open an issue :)
#
Zegnat Time to go stateless, sebsel, go selfauth ;)
#
sebsel Zegnat My seblog.nl/auth is already stateless, only my seblog.nl/token is not :)
#
Zegnat I guess the problem with stateless is it becomes hard to retract access tokens
#
aaronpk sebsel: yeah that's kind of why i think compass shouldn't request a token, because all it;'s really trying to do is verify that you are at your computeer when you sign in
#
aaronpk good use of temporary authorization codes
#
sebsel https://github.com/aaronpk/Compass/issues/4 :)
#
Loqi [sebsel] #4 Do not request access token when signing in
#
aaronpk ?
#
sebsel I can fix it with a PR. Want to clone it anyway to add a default timezone option and a metric option.
#
sebsel git branch all the things!
#
Loqi http://meme.loqi.me/m/4pGAEWGq.jpg
#
sebsel Zegnat re stateless access tokens: yes, that's why I have what I have now. I already have JWT for /auth, so I could use it for /token too, but I like having a list of active tokens.
#
jeremycherfas.net edited /site-deaths (+385) "Clammr audio sharing silo closing --~~~~" (view diff)
leg and KartikPrabhu joined the channel
#
sebsel Zegnat Problem with the scope regex: it does not accept spaces
#
Zegnat Put it in a review and I will fix it. Currently having dinner.
#
Zegnat (Or fix it and commit to the branch, of course!)
#
loqi.me edited /audio (+67) "Zegnat added "[[Screech]], a simple app for posting audio content to your site" to "See Also"" (view diff)
#
sebsel Hm, problem on https://indieweb.org/authorization-endpoint#Auth_code_verification : it says it returns only me=URL, but on https://indieweb.org/token-endpoint , it says that the authorization endpoint should return me=URL&scope=SCOPE
#
sebsel aaronpk Should I add the optional scope param to /authorization-endpoint ?
#
Zegnat According to https://tools.ietf.org/html/rfc6749#section-3.3 the authorisation server should have scope in its response
#
Zegnat https://chat.indieweb.org/dev/2017-07-07/1499446174801000 is what keeps tripping me up
#
Loqi [Zegnat] aaronpk is there such a thing as a “full IndieAuth spec”? Instead of /indieauth-for-login, /authorization-endpoint, /token-endpoint, and /obtaining-an-access-token?
#
sebsel I believe the answer to that is 'no'.
#
sknebel Zegnat: I'm not sure this applies to the response to a verification request?
#
Zegnat Oh. Hmm...
#
sknebel since that (unless I'm missing it) is an IndieAuth only concept
#
Zegnat Maybe I should read the OAuth spec in its entirety at some point, hahaha
#
Loqi ahahaha
[miklb] joined the channel
#
aaronpk Agh I've gotta write the spec up finally
#
Zegnat We’ll figure it out without a spec, eventually, aaronpk ;)
#
@misuba @beakerbrowser so, hashbase.io should clearly provide Webmention endpoints... but what should it then do with the… http://gibberish.com/2017/07/09/beakerbrowser-so-hashbaseio-should-clearly-provide-webmention-endpoints-but-what (twitter.com/_/status/884144467627978754)
snarfed joined the channel
#
@testalokin django-webmention https://www.djangopackages.com/packages/p/django-webmention/ (twitter.com/_/status/884149678622654464)
#
@PythonJo Django packages- django-webmention https://www.djangopackages.com/packages/p/django-webmention/ #jo #amman #JPY (twitter.com/_/status/884150431101837312)
prtksxna, snarfed and [eddie] joined the channel