#dev 2017-07-09

2017-07-09 UTC
snarfed, eli_oat and davidmead joined the channel
[miklb]
is there any mf2 meant for pagination?
[miklb]
what is pagination?
Loqi
pagination is a UI pattern for navigation across (typically chronologically) sequential pages that show one or more posts such as permalink post pages, archives, search results, and lists of tagged posts https://indieweb.org/pagination
[miklb]
nothing mentioned there.
davidmead joined the channel
ben_thatmustbeme
!tell miklb there is rel=next / rel=prev
Loqi
Ok, I'll tell them that when I see them next
[miklb] joined the channel
[miklb]
true. thanks ben_thatmustbeme
Loqi
[miklb]: ben_thatmustbeme left you a message 43 minutes ago: there is rel=next / rel=prev
davidmead, prtksxna and tantek joined the channel
www.boffosocko.com
edited /commonplace_book (+336) "Peter Molnar article"
www.boffosocko.com
edited /backfill (+811) "Indieweb examples; Peter Molnar article"
www.boffosocko.com
edited /wikifying (+36) "additional examples"
AngeloGladding, prtksxna, [jemostrom], barpthewire and prtksxna_ joined the channel
sebsel
re Selfauth, shouldn't verify_password() also use hash_equals() if present? https://github.com/Inklings-io/selfauth/blob/master/index.php#L63
sknebel
yeah, that stuff wasn't touched yet. probably should
sebsel
opens issue for it as a reminder
sebsel
how do I get a GitHub URL with line for a specific version?
Zegnat
Change master in the URL to the commit ID?
sebsel
yeah found that out now, but there is no button for it, right?
Zegnat
I did not do any work on the password functionality yet, true
Zegnat
Hmm, no, don't think there is a button
sebsel
Another thing I keep getting wrong while setting up: setup.php asks for 'Login URL', and I think of Selfauth's URL then.
sebsel
This is more UI, but the first time I couldn't get it to work because I entered the wrong URL there.
sebsel
IndieAuth calls it 'Web Address', but that's probably not a good name either.
sebsel
s/IndieAuth/IndieAuth.com/
sknebel
hm. no great idea right now either (well, we could/should add a line of explanation for each)
sebsel
I wrote "the URL you're trying to log in for" in the setup docs
sebsel
I guess the thing is that we're still not used to using URLs for people yet :)
Zegnat
setup.php probably needs a whole rewrite anyway. But I wanted to focus on the part that is actually “in use” first.
[kevinmarks] joined the channel
[kevinmarks]
Granary implements pagination in some of its outputs, not sure if it maps to mf2 though
Zegnat
btw, sknebel, sebsel, I have a Public Domain timing-attack safe hash_equals alternative here: https://gist.github.com/Zegnat/5935844#file-bcrypt-php-L60-L63
Zegnat
Should probably get that in there …
Zegnat
Not as extremely thorough as the one in password_compat, but probably enough for us
prtksxna joined the channel
Zegnat
!tell ben_thatmustbeme can we add sebsel to the selfauth repo?
Loqi
Ok, I'll tell them that when I see them next
Zegnat
If you are running my branch, sebsel, please be very nitpicky in the PR, just comment on specific lines.
sebsel
Zegnat I'm now introducing myself to the wonderful world of code sniffing with phpcs.
Zegnat
Haha, welcome! ;)
sebsel
I don't feel ready to contribute with code to Selfauth, so I wrote docs ;)
Loqi
hehe
Loqi
ben_thatmustbeme: Zegnat left you a message 27 minutes ago: can we add sebsel to the selfauth repo?
Zegnat
Documentation contributions are just as needed as code. And nitpicking at my code can be more important than writing your own ;)
sknebel
indeed. I'm having trouble reviewing stuff, since I have to look up basically every stdlib function in the docs ;)
sebsel
I found out why setup.php still does not write config.php: is_writeable() returns false when the file does not exist.
sebsel
But I have all the whitespace issues with setup.php first.
ben_thatmustbeme
You should have an invite sebsel
sebsel
I do!
Zegnat
Don’t start by fixing whitespace. I just did it because this PR was touching most lines of index.php anyway. If you are also already touching most lines, that’s when you can make sure all of them comply.
sebsel
accepts the invitation
sebsel
That's a good point.
Zegnat
sknebel, here I thought you were getting good at reading PHP ;)
ben_thatmustbeme
Everyone has to look up like every function in PHP. Such an inconsistent language
sknebel
Zegnat: "reading" and "reviewing" are different, since for reading you can skip/skim a lot of stuff and assume it'll do what you think it does
Zegnat
And even if you read the docs, my input_filters were failing for the longest time because I misread the way they expected the nested arrays.
Zegnat
Which is why I do like this review setting on GitHub :)
sebsel
So with this new warning, do I still have to state I'm okay with the licenses?
Zegnat
I would say that the moment you accepted the invite you agreed to the licences
sebsel
fine by me :)
Zegnat
(Let's be honest, all the licence stuff is just guesstimation anyway until you are big enough to get a lawyer on board)
sknebel
which brings me to the question of "tests?". at least for pieces like the validation
Zegnat
The functions I wrote should work 100% stand-alone, so we could take the code signing/verification as well as the content negotiation functions out and write tests for them
sknebel
that was the idea
Zegnat
The problem is that you will be adding more files to the repository again. While the base idea was to have just the index.php file with the optional setup.php for setup.
sknebel
is "download the entire repo" so much easier than "download these two files"?
Zegnat
Yes. GitHub gives you a button to download the repo as zip file
sebsel
Isn't there an option to exclude files from the zip-file?
sknebel
you can make a "release", there you can determine what goes in
Zegnat
I think there was ... maybe ... with .gitattributes
sknebel
the download-repo button always is the full repo as far as I know
Zegnat
can you pick and choose files there, sknebel? I thought releases are the same auto-generated zip? Releases do allow us to upload our own ZIPs alongside the autogenerated ones, that I know
sebsel
I know https://github.com/aaronpk/XRay has a release.sh, but I don't know how much manual work there is in there for aaronpk.
Loqi
[aaronpk] XRay: X-Ray returns structured data from any URL
sknebel
Zegnat: i thought you could, but you might be right
sknebel
can't find anything about it right now
sknebel
something to think about
prtksxna joined the channel
Zegnat
sknebel, thanks for going through the oauth spec again. I will update the scope code
[jeremycherfas], prtksxna and barpthewire joined the channel
sebsel
hmz, re: scopes, my token endpoint now gives out tokens with scope=false because Compass requests an access_token with empty scope https://chat.indieweb.org/dev/2017-07-03#t1499094507506000
Loqi
[sebsel] aaronpk I was trying to spin up my own instance of Compass, but it seems like my new auth endpoint does not play well with it (also not on your instance). It is not requesting any scopes, but if I read the code correctly, it IS asking the token endpo...
[miklb] joined the channel
sebsel
am I reading sknebel's comment correctly that that should not be possible? https://github.com/Inklings-io/selfauth/pull/16#issuecomment-313914445
sebsel
well, this is about the token-endpoint, not about the auth-endpoint.
sknebel
sebsel: not sure
Zegnat
if the client making the request (e.g. compass) requests no scope – i.e. omit the scope property or have it as an empty string – it seems the endpoint should return an error
Zegnat
That is also my reading of the spec linked by sknebel
Zegnat
Sorry, sebsel, I was out
sknebel
Zegnat: just read a bit more and https://tools.ietf.org/html/rfc6749#section-4.1.1 says that its optional
sknebel
so it can't have an empty value, but it can be left out?
Zegnat
When defined it must have a value and cannot be empty, when omitted the endpoint is supposed to use its default
Zegnat
At least that’s what I get out of the RFC
sknebel
and there is no default
Zegnat
And we don’t have a default, exactly
aaronpk
maybe i should change compass
sknebel
not sure if that's valid for the token endpoint though
sknebel
but at least I am now again of the opinion that my selfauth comment was right ;)
Zegnat
I am of two minds on this. There is no reason why selfauth can’t issue a code with scope, on the other hand, it is completely agnostic to what other tools exist so it can never make sense of any scopes that are requested
aaronpk
all it needs to do is show the scopes that are requested
aaronpk
it doesn't need to know what they mean
Zegnat
Right now, scope is actually supported. It is shown to the user, and the user can accept them. The code issued by selfauth is signed with the secret, so a different token endpoint with the same secret can validate it and will then know that the user accepted whatever scope was asked for.
sknebel
Zegnat: that's fine
@jimpick
@emd @taravancil With IndieAuth, you just need to add some tags to your personal website. Of course, most people do… https://twitter.com/i/web/status/884089092371173378
sknebel
oh, right, we ignore the response_type
Zegnat
Yes, I need to fix that. But that was what my question was about.
Zegnat
Seems like we’ll error on response_type=id with a scope, and we will error on response_type=code if it is missing a scope :p
sknebel
that seems to me as the correct reading
Zegnat
I’ll get that in the branch before dinner
sknebel
aaronpk is now free to change the definition of IndieAuth, ideally before we go implement it :P
aaronpk
that sounds correct
sknebel
ok, good
aaronpk
and sebsel feel free to file an issue on Compass if it does not do that
sknebel
I think the compass issue is about the token endpoint, and thus not the same
sebsel
I am reading what it does.
sknebel
does it do a response_type=code or =id request initially?
sebsel
Compass sends me to response_type=id, correctly without scope param.
aaronpk
ah great
sknebel
ok, then the question is if a token endpoint is supposed to know anything about that?
sebsel
If it sees a token endpoint, it requests an access token, but since it has no scope, it requests a no-scope access token.
sebsel
but that is a token-endpoint issue, nothing to do with Selfauth I guess.
aaronpk
ok yeah
aaronpk
i think compass should not do that actually
aaronpk
reviews openid connect
sebsel
I think so too.
sebsel
because it works if I have no token endpoint specified
sebsel
I guess
sebsel
I can test that
aaronpk
this is the classic OAuth is not an authentication protocol thing
sebsel
Well, IndieAuth is, right? :)
aaronpk
yeah, it's the authentication layer on top of OAuth
aaronpk
similar to how OpenID Connect is authentication on top of OAuth
sebsel
If I do not state my token endpoint in my rels, Compass works just fine, because it checks my auth-code with my auth endpoint, and I think it should do that anyway, since it does not request scopes.
aaronpk
Yeah I think that makes sense
sebsel
seems like Compass also does not store the token, only the 'me' in it, in a session. So I am storing a token for compass, and it will request one every time I log in.
sebsel
Will open an issue :)
Zegnat
Time to go stateless, sebsel, go selfauth ;)
sebsel
Zegnat My seblog.nl/auth is already stateless, only my seblog.nl/token is not :)
Zegnat
I guess the problem with stateless is it becomes hard to retract access tokens
aaronpk
sebsel: yeah that's kind of why i think compass shouldn't request a token, because all it's really trying to do is verify that you are at your computer when you sign in
aaronpk
good use of temporary authorization codes
Loqi
[sebsel] #4 Do not request access token when signing in
sebsel
I can fix it with a PR. Want to clone it anyway to add a default timezone option and a metric option.
sebsel
git branch all the things!
sebsel
Zegnat re stateless access tokens: yes, that's why I have what I have now. I already have JWT for /auth, so I could use it for /token too, but I like having a list of active tokens.
jeremycherfas.net
edited /site-deaths (+385) "Clammr audio sharing silo closing --~~~~"
leg and KartikPrabhu joined the channel
sebsel
Zegnat Problem with the scope regex: it does not accept spaces
Zegnat
Put it in a review and I will fix it. Currently having dinner.
Zegnat
(Or fix it and commit to the branch, of course!)
loqi.me
edited /audio (+67) "Zegnat added "[[Screech]], a simple app for posting audio content to your site" to "See Also""
sebsel
Hm, problem on https://indieweb.org/authorization-endpoint#Auth_code_verification : it says it returns only me=URL, but on https://indieweb.org/token-endpoint , it says that the authorization endpoint should return me=URL&scope=SCOPE
sebsel
aaronpk Should I add the optional scope param to /authorization-endpoint ?
Zegnat
According to https://tools.ietf.org/html/rfc6749#section-3.3 the authorisation server should have scope in its response
Loqi
[Zegnat] aaronpk is there such a thing as a “full IndieAuth spec”? Instead of /indieauth-for-login, /authorization-endpoint, /token-endpoint, and /obtaining-an-access-token?
sebsel
I believe the answer to that is 'no'.
sknebel
Zegnat: I'm not sure this applies to the response to a verification request?
Zegnat
Oh. Hmm...
sknebel
since that (unless I'm missing it) is an IndieAuth only concept
Zegnat
Maybe I should read the OAuth spec in its entirety at some point, hahaha
Loqi
ahahaha
[miklb] joined the channel
aaronpk
Agh I've gotta write the spec up finally
Zegnat
We’ll figure it out without a spec, eventually, aaronpk ;)
snarfed joined the channel
prtksxna, snarfed and [eddie] joined the channel