#dev 2017-10-26

2017-10-26 UTC
EmreSokullu, dougbeal|mb1, [kevinmarks], renem, [miklb], [eddie], gRegorLove, sebsel, j12t, cweiske, KartikPrabhu, John___, [jeremycherfas], jeremycherfas and martin4 joined the channel
#
vanderven.se martijn moved /Typography to /typography "This isn’t a name, better to be available without caps."
#
vanderven.se martijn edited /Planning (-24) "/* Planned */ Martijn is definitely on-site for a Leaders Summit in Berlin" (view diff)
#
jeremycherfas !tell aaronpk Telegraph received this error "Reason: <span style="color: #F00;">POST received with blank user-agent and referer" from https://readwriterespond.com/wp-json/webmention/1.0/endpoint. Is this something I should report to that site?
#
Loqi Ok, I'll tell them that when I see them next
#
sknebel that sounds like a security thing getting in the way, yes
#
jeremycherfas At the site I am replying to? I'll let him know directly.
#
sknebel googling that topic, it sounds like that's a common thing
#
sknebel I guess it's a good idea to have a user-agent for your webmention sender (it's also friendly to the other admin so they can see what it is if something goes wrong)
#
Zegnat I thought Telegraph had a UA
#
sknebel oh, right
#
sknebel reading further, ti seems like it is a common wordfence option
#
sknebel (to block requests like this)
#
Zegnat Hmm. I might have been mistaken. Looks like MentionClient uses default PHP cURL. And that might not have a UA set.
#
Zegnat Feel free to comment further on this issue: https://github.com/indieweb/mention-client-php/issues/32
#
Loqi [aaronpk] #32 add config option to set http user agent
#
Zegnat I think it would be good solving it in MentionClient directly, rather than Telegraph only.
#
sknebel yes
#
jeremycherfas Thanks for doing all the detective work. I just left a comment at that site.
#
Zegnat I am procrastinating. Detective work is great. Haha
#
Loqi ahahahaha
#
jeremycherfas It's a wordpress.com site; I wonder whether that makes a difference?
EmreSokullu joined the channel
#
Zegnat AFAIK there is nothing in WordPress that filters POST requests globally by default.
#
petermolnar what is MentionClient
#
Loqi It looks like we don't have a page for "MentionClient" yet. Would you like to create it?
#
Zegnat Hmm. It is a library, and I don’t think all libraries should have their own pages. It is linked on https://indieweb.org/Webmention-developer#Sending
#
sknebel WordFence has a feature to block these kind of requests
#
sknebel (it's a "security plugin" for wordpress)
#
Zegnat Maybe ad that to GitHub? I have added a way for just using cURL as the default UA.
#
petermolnar worldfence, one of the heaviest plugin ever existed for wp
#
cweiske wordfence vs. worldfence
j12t joined the channel
#
petermolnar nyeh, typo
eli_oat, calumryan, snarfed and tantek joined the channel
#
loqi.me edited /blockchain (+381) "tantek added "[https://steem.io/ Steem] - a "blockchain-based social media platform" - misfocused because [[plumbing#UX_and_design_is_more_important_than_plumbing|plumbing is less important than UX]], and ironic because deduplication (user level, not" (view diff)
#
snarfed tantek++
#
Loqi tantek has 18 karma in this channel (398 overall)
#
tantek lol thanks snarfed, not sure that was deserved but I'll take it :)
#
Loqi tantek: sknebel left you a message 18 hours, 32 minutes ago: one thing I noticed regarding your traffic issues is that apparently only static files get gzip-compressed by your webserver. maybe they let you configure that?
#
tantek ^^^ good troubleshooting tip, perhaps add to
#
tantek what is bandwidth
#
Loqi bandwidth is defined by hosting providers as the amount of network traffic sent and received by your web site during a billing period (like a month) and by ISPs as the maximum rate of network traffic allowed per minute https://indieweb.org/bandwidth
#
tantek ...
#
tantek on another topic, interesting silo RSVP permalink datapoint - when you click a FB action to respond "interested" to an event it creates an RSVP post that others can like, comment on etc., AND if you click another FB action (or via API) to respond "going" to that same event, rather than create a new RSVP post, FB updates the original RSVP post with "is going" replacing "is interested" which then may make the comments inapplic
#
tantek etc.
#
tantek public (log-in may be required?) permalink: https://www.facebook.com/events/920009881480567/permalink/920183231463232/
#
tantek maybe worth adding as an explicit example to https://indieweb.org/RSVP#Facebook, with screenshot, above analysis, etc.
#
www.svenknebel.de edited /bandwidth (+366) "mention compression" (view diff)
j12t, [manton], snarfed, snarfed1, John___ and sebsel joined the channel
#
raziellight anyone know if i use OAuth 2.0 will that work for micropub endpoint?
snarfed joined the channel
#
jeremycherfas @manton For the first time. OSX app responded with Micropub API settings have been updated. But when I tried to post, same Error sending post.
[eddie] joined the channel
#
[eddie] raziellight: IndieAuth (the authorization side of Micropub) is an OAuth 2.0 extension, meaning it is compatible but additional steps are needed to support IndieAuth.
#
jeremycherfas I would be willing to delete my Known instance and reinstall, except that I have had had poor experiences with importing and exported database. If there's another way, I would try that.
#
[eddie] raziellight: From what I understand the main difference is that your authorization endpoint, token endpoint and Micropub Server should all be referenced as either HTTP headers or HTML Rel links
#
[eddie] raziellight: that’s about the limit of my understanding between the two ?
#
raziellight hmm i was trying to use indieauth(the website) yesterday for the verification in code, but i couldn't use it because it was a local server from flask, and i think the indieauth website couldn't see my server.
#
Zegnat Actually, I believe Micropub itself only mentions authorisation through Bearer tokens (through HTTP Authorization header). How these tokens are created (IndieAuth OAuth extension or plain OAuth 2) does not matter.
#
raziellight i've been looking over two code bases with it implemented. one which is a huge mess. and the other that uses indieauth website, and seems much cleaner.
#
raziellight and i am sort of at a dead end right now. not sure where to go to get something up and running. a simple micropub endpoint
#
raziellight hmm
#
raziellight cause i was trying to log in with omnibear, but i need authorization. so i got into that
#
raziellight omnibear is a browser extension
#
raziellight they detail some of it on the indieweb wiki but not complete enought to actually get something up and running
#
raziellight i think all i really need to figure out is the authorization endpoint
#
raziellight because i have some code here for token and micropub
#
Zegnat https://github.com/Inklings-io/selfauth is a pretty simple auth endpoint implementation in PHP, if that is your language
#
Loqi [Inklings-io] selfauth: self-hosted auth_endpoint using simple login mechanism
#
raziellight no it's not but it's better than nothing
#
raziellight python is my language
#
raziellight thanks
#
raziellight i'll check it out
#
raziellight this looks actually really good. a simple example is exactly what i need
#
Zegnat You can also have a look at adactio’s micropub implementation, which is all just a single PHP file: https://gist.github.com/adactio/8168e6b78da7b16a4644
#
Zegnat His micropub implementation also shows how he checks the Bearer token against an external token service (tokens.indieauth.com). But it is easy to imagine you do a completely localised check of the token, maybe even just against a static token you saved on the server.
#
[eddie] raziellight, the other option if you don't want to tackle the authorization endpoint, you can do what I did and use the authorization service indieauth.com
#
[manton] jeremycherfas I'd probably avoid reinstalling if it was me too. I'm at a loss for what to suggest, though, since I'm just not very familiar with Known. Wish I had better advice than "works on my machine".
#
Loqi [manton]: mblaney left you a message on 2017-09-28 at 9:45am UTC: just following up on the conversation from a few days ago about follow webactions and subscribing, there is a pitfall with indie-config that voxpelli and I discussed recently: unless you actively whitelist who you share your config with then you're potentially broadcasting your config to every page you visit.
#
raziellight ya well using indieauth.com would be great eddie, but ican't do it if my webpage is offline
#
jeremycherfas Manton Thanks anyway. I could of course create a new subdirectory and attempt a fresh install to that. But I really don't know how to go about troubleshooting when there are two entities involved and the trouble lies somewhere between the two of them.
#
[eddie] raziellight: yeah that would be a problem ?
#
raziellight i was trying that the other day, but omnibear kept redirecting the auth? to an error. i think in the end it was because it couldn't see the webpage
#
jeremycherfas Dgold Have you given up on Known?
#
raziellight :o
#
dgold jeremycherfas: yes, sorry
#
raziellight then i tried putting something on dropbox, but that didn't turn out so well either :D
#
jeremycherfas What are you using then?
#
dgold i'm using Hugo as the content generator, and my nanopub micropub implementation
#
jeremycherfas Ah. So everything is in Hugo now. OK.
#
dgold i just didn't like the idea of spreading myself over several different loci
#
raziellight well yesterday i was trying to figure out their micropub implementations from the two main ones in python, kaku, and redwind with dreams of making something super simple that could be used as a supser simple component for micropubs to connect to and get the rel data
#
raziellight it all started from someone in here saying to try to just hook a python script up and see what data a micropub client spits out at you to figure out what to do with it
#
jeremycherfas I definitely can relate to that.
#
raziellight and ofcourse it wasn't as simple as that beccause there were auth checks
#
raziellight i don't even know if you're talking to me. anyway i'm going to get back to work
#
raziellight thanks guys !
#
[eddie] raziellight: ahhh yeah. One thing you could do is put up a simple static html with rel links for IndieAuth
#
raziellight yes eddie! that's what i did. on my server anyway. then i tried with dropbox, but the link was too long or wasn't processing completely
#
dgold you tried what with dropbox?
#
raziellight putting the static html with rel links for indie auth and then putting my token and micropub endpoints in it
#
raziellight dropbox doesn't just get a plain page or i couldn't get it working
#
sknebel I don't think dropbox does webpages anymore, yeah
#
raziellight and i tried on local server as well which actually made some progress in getting omnibear to work
#
dgold no, it doesn't
#
jeremycherfas Manton In the knownchat channel mapkyca wonders whether it is possible to get CURL data from micro.blog.
#
[eddie] raziellight: do you have a public web host that you could put the html file on? Or not currently?
#
raziellight ya.. well i need another place to put a simple page online. but it will still be pointing to my local micropub endpoint, so dunno how that will work
#
raziellight not right now eddie. but i suppose that could be another direction to go in if i find making my own auth implementation too onerous
#
[eddie] raziellight: If you can get the token into omnibear I think a local endpoint would be okay
#
[eddie] raziellight: but yeah if you want to stay local for a bit, auth endpoint is the way to go ?
#
dgold raziellight: getting an auth endpoint working is a lot of work
#
raziellight hmm well i know the redirect url for omnibear, but not sure how the token would get passed yet
#
raziellight ya which is why indieauth exists right
#
raziellight lol.. what have i got myself into :o
#
dgold if you were using indieauth, then the mpub _client_ makes a delcaration of the authorization token, either in a header or in a POST variable
#
raziellight this all started with just trying to see what a micropub client spits out at me
#
Zegnat neocities or github pages are pretty good for single static HTML pages to host for free. It always gets tricky when you start mixing in authentication. Any chance of having your micropub endpoint just accept a fixed token (say AAAAA) and then telling omnibear to always use said fixed token?
#
raziellight someone on here suggesting that anyhow
#
Zegnat Then you can work on micropub and worry about tokens leter.
#
Zegnat s/leter/later/
#
raziellight ah i have a github account!
#
raziellight i can do that
#
dgold a mpub _server_ then goes and checks if that's a viable token for that server, using indieauth or a local auth server
#
raziellight i don't think there's a way to input that token zegnat
#
raziellight it does it all automagically. when i tried omnibear with indieauth it redirected to an indieauth page
#
raziellight so i can get to the token part without jumping through hurdles
#
raziellight but ya it would be nice if i could do that..
#
Zegnat Not necessary a separate server dgold. You can easily tweak your micropub endpoint to just check if the Authorization header on the request matches a fixed string.
#
sknebel if you put a static page on github pages you can have it declare a localhost url for micropub and indieauth.com for token and authorization endpoint
#
dgold Zegnat: sorry, you're quite correct, that's what I meant
#
Zegnat I don’t know where Omnibear gets its token from though. If Omnibear requires a full auth_endpoint and token_endpoint exchange, then yeah …
#
raziellight well i can try putting it on github and see if i can get it working that way.. that definitely might be an option
#
sknebel then omnibear should be happy to get a token from indieauth.com, indieauth.com can see the page and thus do the rel=me verification
#
raziellight and seeing if i can jump a few steps
#
raziellight ya well when i first tried omnibear it kept hitting me back with auth token and micropub endpoints, and then i figured out that i needed to put those links in my / directory, and then i got it to the next step
#
raziellight so i think it definitely needs them
#
dgold yes, omni looks for an auth and token endpoint
#
dgold omnibear/src/components/LoginForm.js
#
dgold 70-77
#
dgold 'put those links' ??
#
dgold omnibear looks for those in your website <link rel="..."> headers or content
#
raziellight yes and it found them. then it redirected to indieauth which looks for a webpage which was offline because it was my local server. and i'm not sure how it redirects, however
#
raziellight i guess that is handled by the client? not sure tho
#
sknebel FWIW, filed https://github.com/keithjgrant/omnibear/issues/37
#
Loqi [sknebel] #37 Allow to manually set micropub endpoint and token
[cleverdevil] and [markmhendrickso joined the channel
#
raziellight brilliant !
#
raziellight thank you!
#
@keithjgrant This thread. I absolutely believe it. It only took me a few hours of hacking to implement IndieAuth in Omnibear. I hope it catches on. https://twitter.com/Rich_Harris/status/923392376592392197 (twitter.com/_/status/923588407456133121)
#
@keithjgrant @Rich_Harris Are you familiar with IndieAuth? Way easier to implement. Though it requires your users to have a compatible website https://indieweb.org/indieauth (twitter.com/_/status/923589971205853186)
#
raziellight lol omgosh. this is exactly how i feelt "is about as well-maintained as your department's internal wiki — all broken links, unfinished guides, bad information architecture etc."
#
sknebel raziellight: do you have a plan how you'd continue with a static page and indieauth.com? not sure how much of our back and forth was understandable
[keithjgrant] joined the channel
#
[keithjgrant] Yeah, Omnibear does a full token exchange with the auth endpoint
#
raziellight not really sknebel. i'm a bit clearer of the exchanges going on due to some of the indieweb wiki(https://indieweb.org/obtaining-an-access-token) but it's far from completely clear.
#
raziellight my plan was really just to look at some of this code you sent me and maybe throw up a static page on github and see what happens
#
raziellight it seems like omni bear sends a request to indieauth and then indieauth looks at the domain for something in the me= that's as far as i've got through the sign in process
#
raziellight and indieauth is far from clear about this stuff for developers
#
sknebel right, and because it looks at the domain it has to be online
#
raziellight and it all might be in vain if indieauth can't see my server with my code..
#
sknebel that's why the suggestion is to use a static page that's online
#
[keithjgrant] @ksnebel Check my comment on that GitHub issue
#
[keithjgrant] You should be able to manually set the token in the browser console
#
raziellight ya for the main page, right sknebel? i'm completely in the dark about the exchanges that go on after that, but it's worth a shot
#
sknebel raziellight: if you don't wnat to start building the auth endpoints ourself, you don't really need to deal with exchanges after that
#
Loqi it is probable
#
raziellight so indieauth looks at this webpage, and then the token is passed to omnibear through some black box magic, and then hopefully omnibear sends that token to micropub endpoint, and we are off?
#
sknebel yes
#
sknebel https://indieweb.org/obtaining-an-access-token#Discovery you need a static page online with these three links, except that you replace the micropub one with your locally running micropub endpoint you want to test. then add a rel=me link like described on https://indieauth.com/setup
#
sknebel then you should be able to put your static page into omnibear and go
#
raziellight yes exactly ! i was trying that though first on my local server and then through dropbox and i got to the next step but indieauth spat out an unrecognizable error and i figured it couldn't detect the page
#
[keithjgrant] Omnibear watches for your browser to be redirected to omnibear.com/auth/success?code=123abc, then uses that code to fetch a token from the auth endpoint
#
sknebel yes
#
raziellight so the next step would be to try it on github. which i'm definitely willing to try at this point
#
raziellight and it would be magic if it worked
#
raziellight ya i actually went to that url keith and got an ever loading page
#
raziellight redirect url
#
raziellight oh well i guess i'm going to go load a simple html page up to github. i'll report back on what happens
KartikPrabhu joined the channel
#
raziellight hey kartik!
#
[keithjgrant] Yeah, if you were to go into the debugger for Omnibear’s background page, you should see what went wrong fetching the token in the network traffic. Some errors don't propagate well at this point
#
raziellight you mean like firefox developer?
#
raziellight the browser toolbox
#
[keithjgrant] Firefox devtools. To open them for the add-on, go to 'about:debugging' (in URL bar). Check "enable add-on debugging", then click "debug" beneath Omnibear
#
[keithjgrant] (if anyone wants to help document this stuff on omnibear.com, I'd gladly take PRs ?)
#
raziellight oh wow. this is great. thanks keith
#
[keithjgrant] Firefox is probably easier to debug than Chrome. In chrome, network traffic/errors/etc can happen on any of three pages—omnibear window, Omnibear background page, and the current page. In FF, these all get shown in the same debugger window.
#
raziellight i see the network menu. but it looks like it doesn't filter it for omnibar(in the omnibar developer tools)
#
[keithjgrant] Yeah. I think that's b/c Omnibear is running a script on all pages, so all network traffic shows there. You can clear it just before attempting authentication to make your requests easier to find
KartikPrabhu joined the channel
#
Zegnat Are there any Micropub clients that do not require IndieAuth for token discovery?
#
raziellight so i uploaded to github and tried. i get a no rel=me found. i looked in the red wind repository, and it seems like there needs to be some hash or something to identify the program
#
raziellight so i added it, but i have no idea what i'm doing at this point
#
Zegnat If you are using indieauth.com you need a rel="me" link somewhere on the page, that’s what indieauth.com uses to log you in
#
raziellight seems like this is more for logging into other webpage services, and it will still look for that other service to log you in. so i'm guessing it won't communicate with my app since it's local
#
raziellight my page is raziellight.github.io/auth.html btw
#
sknebel raziellight: it doesn't need to communicate with your app
#
sknebel the micropub client needs to talk to auth endpoint and micropub endpoint, the auth endpoint doesn't talk to the micropub endpoint
#
aaronpk Zegnat: i have a few hacky clients that I just hard-code tokens into, they don't even do discovery
#
Loqi aaronpk: jeremycherfas left you a message 6 hours ago: Telegraph received this error "Reason: <span style="color: #F00;">POST received with blank user-agent and referer" from https://readwriterespond.com/wp-json/webmention/1.0/endpoint. Is this something I should report to that site?
#
Zegnat I’m guessing none of those are actually published though, aaronpk
#
raziellight hmm ok
#
sknebel raziellight: you just need to add a rel=me Indieauth.com understands (e.g. with your e-mail address, https://indieauth.com/setup ) and you should be good to go
[eddie] joined the channel
#
[eddie] raziellight: With IndieAuth.com you can either use a third party social service, a PGP key or Email: https://indieauth.com/setup
#
aaronpk likely not
#
[eddie] If you add one of those three to your page you'll be all set
#
aaronpk email is the easiest, but i'm a personal fan of PGP cause once you get it set up with a keyboard shortcut to sign text it's super fast
#
raziellight and that's not just for stuff like twitter. it will work for micropub endpoints?
#
raziellight and clients..
#
sknebel Indieauth.com does all the token stuff you looked at. but to make sure it is allowed to do that for you, the person trying to log in, it uses one of the rel=me things to make sure it is really you
#
Zegnat raziellight: a Micropub server expects an (OAuth) Bearer token in an Authorization header. Where and how this is gotten doesn’t matter. Most Micropub clients that have currently been published assume the user will use the IndieAuth protocol for creating that Bearer token, so the clients initialise the entire authorization “dance” for you.
#
Zegnat IndieAuth.com is a website that implements rel-me-auth (authentication by linking to a different identity like email or Twitter) and exposes it in the form of the IndieAuth protocol.
#
Zegnat I think most people start by implementing IndieAuth on there pages, to login to the wiki and other things. So it doesn’t happen a lot that someone wants to start using Micropub and doesn’t have a working authentication flow already set-up. Clearly you are the different case and are hitting a part that we haven’t documented well enough.
#
raziellight ah ok
#
raziellight i see
#
aaronpk Zegnat++ good explanation
#
Loqi zegnat has 31 karma in this channel (136 overall)
#
raziellight ya because i've seen this page several times, and it was somewhat ambiguous if it was meant for micropub clients at first, but then i saw some in the redwind code
#
raziellight ok let me try this and i'll see
#
dgold aaronpk: hmmm - what frontend are you using for pgp?
#
GWG Evening
#
jjuran Cool, I didn’t know PGP was an option. TIL.
#
aaronpk dgold: https://gpgtools.org
#
dgold turns out I have that - I just never got round to using it. furrrfu
#
dgold this seems apposite: http://tinyurl.com/lo64wrw [ http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever/ ]
#
aaronpk the key is setting up the keyboard shortcut in the services menu to sign the selected text
#
jjuran “Many of the tutorials I found for OS X are not Mac friendly. Many want you to install bloated, Windows-like software; or, install questionable add-ons.”
#
jjuran I wonder if that’s a dig at GPG Tools.
#
aaronpk that tutorial is about setting up GPG Tools...
#
jjuran “Step 1: Install the GPGTools GPG Suite for OS X” <— Oh, I guess not :-)
#
dgold :)
#
jjuran Well, he does say not to install the GPGMail plugin.
#
raziellight whoa it works. i'm in guys !
#
sknebel nice
#
raziellight :)!
#
raziellight super :)
#
raziellight so now will omnibear send a token to micropub then?
#
dgold Gratulojn!
#
raziellight i'm guessing yes
#
raziellight each time a micropub request is done, i seem to remember a auth token is sent
#
dgold jjuran: plugins are usually just asking for trouble, sadly.
#
raziellight thanks to all. and thanks for the github request. that worked perfect.
#
dgold you should try getting gpg working with [?al]pine
#
raziellight time for coffffeeee
#
Loqi yea
#
Zegnat We could definitely use some more PGP/GPG how-tos on https://indieweb.org/pgp#Articles
#
jjuran “People who use mail plugins for encryption have no idea how they work; the result is a false sense of security.”
#
Zegnat Didn’t GPG Tools make their mail plugin non-free?
#
jjuran He’s got a point. How many GPGMail plugin users know that the email header (including the Subject field) isn’t encrypted?
#
snarfed obligatory: https://xkcd.com/1181/
#
Loqi [XKCD] PGP https://imgs.xkcd.com/comics/pgp_2x.png
#
jjuran “As we have mentioned in the past, we will start charging a small fee for GPGMail once the stable version of GPGMail 3.0 is released in order to deliver more timely updates and even better user support in the future.”
#
snarfed pine++ also
#
Loqi pine has 1 karma
#
snarfed alpine++
#
Loqi alpine has 1 karma in this channel (3 overall)
#
dgold lol!
#
snarfed spent a lot of my life using and hacking on [al]pine. e.g. https://snarfed.org/software#pine
#
Loqi [Ryan Barrett] software
#
dgold snarfed: I don't understand how soooooo many techy types are wedded to that damnable mutt abomination1
#
snarfed very different from mutt, not a fork
#
snarfed dgold: https://snarfed.org/gmail_vs_pine :P
#
dgold oh, no, its completely different, I use it every day, even professionaly
#
Loqi [Ryan Barrett] gmail vs pine
#
Zegnat Oh, the GPGMail small fee was discussed as far back as 2014. I thought they already had it going.
#
dgold I have pine reading two different gmail accounts, and my applemail promotions fee
#
dgold *feed
j12t joined the channel
#
www.svenknebel.de edited /User:Www.svenknebel.de (+83) "/* mid-ter itches */" (view diff)
EmreSokullu joined the channel
#
dgold just realised I can strike out a huge chunk of my micropub endpoint by testing the data input properly
#
dgold oh, wait, no, I can't
#
vanderven.se martijn edited /pgp (+1937) "/* Articles */ Add articles linked previously on the page, with full citation info and archives." (view diff)
#
vanderven.se martijn edited /User:Vanderven.se_martijn/IndieAuth (+1067) "/* Articles */ Links to IndieAuth chapters on OAuth.com, with full citation and archive links" (view diff)
snarfed and KartikPrabhu joined the channel
#
@depone Wieder ein bisschen mit Webmentions experimentiert und festgestellt, dass Instagram ein noch übleres Silo ist, als ich dachte. (twitter.com/_/status/923674556811882496)
snarfed and EmreSokullu joined the channel