#dev 2017-10-26

2017-10-26 UTC
EmreSokullu, dougbeal|mb1, [kevinmarks], renem, [miklb], [eddie], gRegorLove, sebsel, j12t, cweiske, KartikPrabhu, John___, [jeremycherfas], jeremycherfas and martin4 joined the channel
#
vanderven.se martijn
moved /Typography to /typography "This isn’t a name, better to be available without caps."
#
vanderven.se martijn
edited /Planning (-24) "/* Planned */ Martijn is definitely on-site for a Leaders Summit in Berlin"
#
jeremycherfas
!tell aaronpk Telegraph received this error "Reason: <span style="color: #F00;">POST received with blank user-agent and referer" from https://readwriterespond.com/wp-json/webmention/1.0/endpoint. Is this something I should report to that site?
#
Loqi
Ok, I'll tell them that when I see them next
#
sknebel
that sounds like a security thing getting in the way, yes
#
jeremycherfas
At the site I am replying to? I'll let him know directly.
#
sknebel
googling that topic, it sounds like that's a common thing
#
sknebel
I guess it's a good idea to have a user-agent for your webmention sender (it's also friendly to the other admin so they can see what it is if something goes wrong)
#
Zegnat
I thought Telegraph had a UA
#
sknebel
oh, right
#
sknebel
reading further, it seems like it is a common wordfence option
#
sknebel
(to block requests like this)
#
Zegnat
Hmm. I might have been mistaken. Looks like MentionClient uses default PHP cURL. And that might not have a UA set.
#
Zegnat
Feel free to comment further on this issue: https://github.com/indieweb/mention-client-php/issues/32
#
Loqi
[aaronpk] #32 add config option to set http user agent
#
Zegnat
I think it would be good solving it in MentionClient directly, rather than Telegraph only.
#
jeremycherfas
Thanks for doing all the detective work. I just left a comment at that site.
#
Zegnat
I am procrastinating. Detective work is great. Haha
#
Loqi
ahahahaha
#
jeremycherfas
It's a wordpress.com site; I wonder whether that makes a difference?
EmreSokullu joined the channel
#
Zegnat
AFAIK there is nothing in WordPress that filters POST requests globally by default.
#
petermolnar
what is MentionClient
#
Loqi
It looks like we don't have a page for "MentionClient" yet. Would you like to create it?
#
Zegnat
Hmm. It is a library, and I don’t think all libraries should have their own pages. It is linked on https://indieweb.org/Webmention-developer#Sending
#
sknebel
WordFence has a feature to block these kinds of requests
#
sknebel
(it's a "security plugin" for wordpress)
#
Zegnat
Maybe add that to GitHub? I have added a way for just using cURL as the default UA.
#
petermolnar
worldfence, one of the heaviest plugin ever existed for wp
#
cweiske
wordfence vs. worldfence
j12t joined the channel
#
petermolnar
nyeh, typo
eli_oat, calumryan, snarfed and tantek joined the channel
#
loqi.me
edited /blockchain (+381) "tantek added "[https://steem.io/ Steem] - a "blockchain-based social media platform" - misfocused because [[plumbing#UX_and_design_is_more_important_than_plumbing|plumbing is less important than UX]], and ironic because deduplication (user level, not"
#
snarfed
tantek++
#
Loqi
tantek has 18 karma in this channel (398 overall)
#
tantek
lol thanks snarfed, not sure that was deserved but I'll take it :)
#
Loqi
tantek: sknebel left you a message 18 hours, 32 minutes ago: one thing I noticed regarding your traffic issues is that apparently only static files get gzip-compressed by your webserver. maybe they let you configure that?
#
tantek
^^^ good troubleshooting tip, perhaps add to
#
tantek
what is bandwidth
#
Loqi
bandwidth is defined by hosting providers as the amount of network traffic sent and received by your web site during a billing period (like a month) and by ISPs as the maximum rate of network traffic allowed per minute https://indieweb.org/bandwidth
#
tantek
on another topic, interesting silo RSVP permalink datapoint - when you click a FB action to respond "interested" to an event it creates an RSVP post that others can like, comment on etc., AND if you click another FB action (or via API) to respond "going" to that same event, rather than create a new RSVP post, FB updates the original RSVP post with "is going" replacing "is interested" which then may make the comments inapplic
#
tantek
maybe worth adding as an explicit example to https://indieweb.org/RSVP#Facebook, with screenshot, above analysis, etc.
#
www.svenknebel.de
edited /bandwidth (+366) "mention compression"
j12t, [manton], snarfed, snarfed1, John___ and sebsel joined the channel
#
raziellight
anyone know if i use OAuth 2.0 will that work for micropub endpoint?
snarfed joined the channel
#
jeremycherfas
@manton For the first time. OSX app responded with Micropub API settings have been updated. But when I tried to post, same Error sending post.
[eddie] joined the channel
#
[eddie]
raziellight: IndieAuth (the authorization side of Micropub) is an OAuth 2.0 extension, meaning it is compatible but additional steps are needed to support IndieAuth.
#
jeremycherfas
I would be willing to delete my Known instance and reinstall, except that I have had poor experiences with importing and exported database. If there's another way, I would try that.
#
[eddie]
raziellight: From what I understand the main difference is that your authorization endpoint, token endpoint and Micropub Server should all be referenced as either HTTP headers or HTML Rel links
#
[eddie]
raziellight: that’s about the limit of my understanding between the two
#
raziellight
hmm i was trying to use indieauth(the website) yesterday for the verification in code, but i couldn't use it because it was a local server from flask, and i think the indieauth website couldn't see my server.
#
Zegnat
Actually, I believe Micropub itself only mentions authorisation through Bearer tokens (through HTTP Authorization header). How these tokens are created (IndieAuth OAuth extension or plain OAuth 2) does not matter.
#
raziellight
i've been looking over two code bases with it implemented. one which is a huge mess. and the other that uses indieauth website, and seems much cleaner.
#
raziellight
and i am sort of at a dead end right now. not sure where to go to get something up and running. a simple micropub endpoint
#
raziellight
hmm
#
raziellight
cause i was trying to log in with omnibear, but i need authorization. so i got into that
#
raziellight
omnibear is a browser extension
#
raziellight
they detail some of it on the indieweb wiki but not complete enough to actually get something up and running
#
raziellight
i think all i really need to figure out is the authorization endpoint
#
raziellight
because i have some code here for token and micropub
#
Zegnat
https://github.com/Inklings-io/selfauth is a pretty simple auth endpoint implementation in PHP, if that is your language
#
Loqi
[Inklings-io] selfauth: self-hosted auth_endpoint using simple login mechanism
#
raziellight
no it's not but it's better than nothing
#
raziellight
python is my language
#
raziellight
thanks
#
raziellight
i'll check it out
#
raziellight
this looks actually really good. a simple example is exactly what i need
#
Zegnat
You can also have a look at adactio’s micropub implementation, which is all just a single PHP file: https://gist.github.com/adactio/8168e6b78da7b16a4644
#
Zegnat
His micropub implementation also shows how he checks the Bearer token against an external token service (tokens.indieauth.com). But it is easy to imagine you do a completely localised check of the token, maybe even just against a static token you saved on the server.
#
[eddie]
raziellight, the other option if you don't want to tackle the authorization endpoint, you can do what I did and use the authorization service indieauth.com
#
[manton]
jeremycherfas I'd probably avoid reinstalling if it was me too. I'm at a loss for what to suggest, though, since I'm just not very familiar with Known. Wish I had better advice than "works on my machine".
#
Loqi
[manton]: mblaney left you a message on 2017-09-28 at 9:45am UTC: just following up on the conversation from a few days ago about follow webactions and subscribing, there is a pitfall with indie-config that voxpelli and I discussed recently: unless you actively whitelist who you share your config with then you're potentially broadcasting your config to every page you visit.
#
raziellight
ya well using indieauth.com would be great eddie, but i can't do it if my webpage is offline
#
jeremycherfas
Manton Thanks anyway. I could of course create a new subdirectory and attempt a fresh install to that. But I really don't know how to go about troubleshooting when there are two entities involved and the trouble lies somewhere between the two of them.
#
[eddie]
raziellight: yeah that would be a problem
#
raziellight
i was trying that the other day, but omnibear kept redirecting the auth? to an error. i think in the end it was because it couldn't see the webpage
#
jeremycherfas
Dgold Have you given up on Known?
#
raziellight
:o
#
dgold
jeremycherfas: yes, sorry
#
raziellight
then i tried putting something on dropbox, but that didn't turn out so well either :D
#
jeremycherfas
What are you using then?
#
dgold
i'm using Hugo as the content generator, and my nanopub micropub implementation
#
jeremycherfas
Ah. So everything is in Hugo now. OK.
#
dgold
i just didn't like the idea of spreading myself over several different loci
#
raziellight
well yesterday i was trying to figure out their micropub implementations from the two main ones in python, kaku, and redwind with dreams of making something super simple that could be used as a super simple component for micropubs to connect to and get the rel data
#
raziellight
it all started from someone in here saying to try to just hook a python script up and see what data a micropub client spits out at you to figure out what to do with it
#
jeremycherfas
I definitely can relate to that.
#
raziellight
and of course it wasn't as simple as that because there were auth checks
#
raziellight
i don't even know if you're talking to me. anyway i'm going to get back to work
#
raziellight
thanks guys !
#
[eddie]
raziellight: ahhh yeah. One thing you could do is put up a simple static html with rel links for IndieAuth
#
raziellight
yes eddie! that's what i did. on my server anyway. then i tried with dropbox, but the link was too long or wasn't processing completely
#
dgold
you tried what with dropbox?
#
raziellight
putting the static html with rel links for indie auth and then putting my token and micropub endpoints in it
#
raziellight
dropbox doesn't just get a plain page or i couldn't get it working
#
sknebel
I don't think dropbox does webpages anymore, yeah
#
raziellight
and i tried on local server as well which actually made some progress in getting omnibear to work
#
dgold
no, it doesn't
#
jeremycherfas
Manton In the knownchat channel mapkyca wonders whether it is possible to get CURL data from micro.blog.
#
[eddie]
raziellight: do you have a public web host that you could put the html file on? Or not currently?
#
raziellight
ya.. well i need another place to put a simple page online. but it will still be pointing to my local micropub endpoint, so dunno how that will work
#
raziellight
not right now eddie. but i suppose that could be another direction to go in if i find making my own auth implementation too onerous
#
[eddie]
raziellight: If you can get the token into omnibear I think a local endpoint would be okay
#
[eddie]
raziellight: but yeah if you want to stay local for a bit, auth endpoint is the way to go
#
dgold
raziellight: getting an auth endpoint working is a lot of work
#
raziellight
hmm well i know the redirect url for omnibear, but not sure how the token would get passed yet
#
raziellight
ya which is why indieauth exists right
#
raziellight
lol.. what have i got myself into :o
#
dgold
if you were using indieauth, then the mpub _client_ makes a declaration of the authorization token, either in a header or in a POST variable
#
raziellight
this all started with just trying to see what a micropub client spits out at me
#
Zegnat
neocities or github pages are pretty good for single static HTML pages to host for free. It always gets tricky when you start mixing in authentication. Any chance of having your micropub endpoint just accept a fixed token (say AAAAA) and then telling omnibear to always use said fixed token?
#
raziellight
someone on here suggesting that anyhow
#
Zegnat
Then you can work on micropub and worry about tokens leter.
#
Zegnat
s/leter/later/
#
raziellight
ah i have a github account!
#
raziellight
i can do that
#
dgold
a mpub _server_ then goes and checks if that's a viable token for that server, using indieauth or a local auth server
#
raziellight
i don't think there's a way to input that token zegnat
#
raziellight
it does it all automagically. when i tried omnibear with indieauth it redirected to an indieauth page
#
raziellight
so i can get to the token part without jumping through hurdles
#
raziellight
but ya it would be nice if i could do that..
#
Zegnat
Not necessarily a separate server dgold. You can easily tweak your micropub endpoint to just check if the Authorization header on the request matches a fixed string.
#
sknebel
if you put a static page on github pages you can have it declare a localhost url for micropub and indieauth.com for token and authorization endpoint
#
dgold
Zegnat: sorry, you're quite correct, that's what I meant
#
Zegnat
I don’t know where Omnibear gets its token from though. If Omnibear requires a full auth_endpoint and token_endpoint exchange, then yeah …
#
raziellight
well i can try putting it on github and see if i can get it working that way.. that definitely might be an option
#
sknebel
then omnibear should be happy to get a token from indieauth.com, indieauth.com can see the page and thus do the rel=me verification
#
raziellight
and seeing if i can jump a few steps
#
raziellight
ya well when i first tried omnibear it kept hitting me back with auth token and micropub endpoints, and then i figured out that i needed to put those links in my / directory, and then i got it to the next step
#
raziellight
so i think it definitely needs them
#
dgold
yes, omni looks for an auth and token endpoint
#
dgold
omnibear/src/components/LoginForm.js
#
dgold
70-77
#
dgold
'put those links' ??
#
dgold
omnibear looks for those in your website <link rel="..."> headers or content
#
raziellight
yes and it found them. then it redirected to indieauth which looks for a webpage which was offline because it was my local server. and i'm not sure how it redirects, however
#
raziellight
i guess that is handled by the client? not sure tho
#
Loqi
[sknebel] #37 Allow to manually set micropub endpoint and token
[cleverdevil] and [markmhendrickso joined the channel
#
raziellight
brilliant !
#
raziellight
thank you!
#
@keithjgrant
This thread. I absolutely believe it. It only took me a few hours of hacking to implement IndieAuth in Omnibear. I hope it catches on. https://twitter.com/Rich_Harris/status/923392376592392197
(twitter.com/_/status/923588407456133121)
#
@keithjgrant
@Rich_Harris Are you familiar with IndieAuth? Way easier to implement. Though it requires your users to have a compatible website https://indieweb.org/indieauth
(twitter.com/_/status/923589971205853186)
#
raziellight
lol omgosh. this is exactly how i feel "is about as well-maintained as your department's internal wiki — all broken links, unfinished guides, bad information architecture etc."
#
sknebel
raziellight: do you have a plan how you'd continue with a static page and indieauth.com? not sure how much of our back and forth was understandable
[keithjgrant] joined the channel
#
[keithjgrant]
Yeah, Omnibear does a full token exchange with the auth endpoint
#
raziellight
not really sknebel. i'm a bit clearer of the exchanges going on due to some of the indieweb wiki(https://indieweb.org/obtaining-an-access-token) but it's far from completely clear.
#
raziellight
my plan was really just to look at some of this code you sent me and maybe throw up a static page on github and see what happens
#
raziellight
it seems like omni bear sends a request to indieauth and then indieauth looks at the domain for something in the me= that's as far as i've got through the sign in process
#
raziellight
and indieauth is far from clear about this stuff for developers
#
sknebel
right, and because it looks at the domain it has to be online
#
raziellight
and it all might be in vain if indieauth can't see my server with my code..
#
sknebel
that's why the suggestion is to use a static page that's online
#
[keithjgrant]
@ksnebel Check my comment on that GitHub issue
#
[keithjgrant]
You should be able to manually set the token in the browser console
#
raziellight
ya for the main page, right sknebel? i'm completely in the dark about the exchanges that go on after that, but it's worth a shot
#
sknebel
raziellight: if you don't want to start building the auth endpoints ourself, you don't really need to deal with exchanges after that
#
Loqi
it is probable
#
raziellight
so indieauth looks at this webpage, and then the token is passed to omnibear through some black box magic, and then hopefully omnibear sends that token to micropub endpoint, and we are off?
#
sknebel
https://indieweb.org/obtaining-an-access-token#Discovery you need a static page online with these three links, except that you replace the micropub one with your locally running micropub endpoint you want to test. then add a rel=me link like described on https://indieauth.com/setup
#
sknebel
then you should be able to put your static page into omnibear and go
#
raziellight
yes exactly ! i was trying that though first on my local server and then through dropbox and i got to the next step but indieauth spat out an unrecognizable error and i figured it couldn't detect the page
#
[keithjgrant]
Omnibear watches for your browser to be redirected to omnibear.com/auth/success?code=123abc, then uses that code to fetch a token from the auth endpoint
#
raziellight
so the next step would be to try it on github. which i'm definitely willing to try at this point
#
raziellight
and it would be magic if it worked
#
raziellight
ya i actually went to that url keith and got an ever loading page
#
raziellight
redirect url
#
raziellight
oh well i guess i'm going to go load a simple html page up to github. i'll report back on what happens
KartikPrabhu joined the channel
#
raziellight
hey kartik!
#
[keithjgrant]
Yeah, if you were to go into the debugger for Omnibear’s background page, you should see what went wrong fetching the token in the network traffic. Some errors don't propagate well at this point
#
raziellight
you mean like firefox developer?
#
raziellight
the browser toolbox
#
[keithjgrant]
Firefox devtools. To open them for the add-on, go to 'about:debugging' (in URL bar). Check "enable add-on debugging", then click "debug" beneath Omnibear
#
[keithjgrant]
(if anyone wants to help document this stuff on omnibear.com, I'd gladly take PRs)
#
raziellight
oh wow. this is great. thanks keith
#
[keithjgrant]
Firefox is probably easier to debug than Chrome. In chrome, network traffic/errors/etc can happen on any of three pages—omnibear window, Omnibear background page, and the current page. In FF, these all get shown in the same debugger window.
#
raziellight
i see the network menu. but it looks like it doesn't filter it for omnibar(in the omnibar developer tools)
#
[keithjgrant]
Yeah. I think that's b/c Omnibear is running a script on all pages, so all network traffic shows there. You can clear it just before attempting authentication to make your requests easier to find
KartikPrabhu joined the channel
#
Zegnat
Are there any Micropub clients that do not require IndieAuth for token discovery?
#
raziellight
so i uploaded to github and tried. i get a no rel=me found. i looked in the red wind repository, and it seems like there needs to be some hash or something to identify the program
#
raziellight
so i added it, but i have no idea what i'm doing at this point
#
Zegnat
If you are using indieauth.com you need a rel="me" link somewhere on the page, that’s what indieauth.com uses to log you in
#
raziellight
seems like this is more for logging into other webpage services, and it will still look for that other service to log you in. so i'm guessing it won't communicate with my app since it's local
#
raziellight
my page is raziellight.github.io/auth.html btw
#
sknebel
raziellight: it doesn't need to communicate with your app
#
sknebel
the micropub client needs to talk to auth endpoint and micropub endpoint, the auth endpoint doesn't talk to the micropub endpoint
#
aaronpk
Zegnat: i have a few hacky clients that I just hard-code tokens into, they don't even do discovery
#
Loqi
aaronpk: jeremycherfas left you a message 6 hours ago: Telegraph received this error "Reason: <span style="color: #F00;">POST received with blank user-agent and referer" from https://readwriterespond.com/wp-json/webmention/1.0/endpoint. Is this something I should report to that site?
#
Zegnat
I’m guessing none of those are actually published though, aaronpk
#
raziellight
hmm ok
#
sknebel
raziellight: you just need to add a rel=me Indieauth.com understands (e.g. with your e-mail address, https://indieauth.com/setup ) and you should be good to go
[eddie] joined the channel
#
[eddie]
raziellight: With IndieAuth.com you can either use a third party social service, a PGP key or Email: https://indieauth.com/setup
#
aaronpk
likely not
#
[eddie]
If you add one of those three to your page you'll be all set
#
aaronpk
email is the easiest, but i'm a personal fan of PGP cause once you get it set up with a keyboard shortcut to sign text it's super fast
#
raziellight
and that's not just for stuff like twitter. it will work for micropub endpoints?
#
raziellight
and clients..
#
sknebel
Indieauth.com does all the token stuff you looked at. but to make sure it is allowed to do that for you, the person trying to log in, it uses one of the rel=me things to make sure it is really you
#
Zegnat
raziellight: a Micropub server expects an (OAuth) Bearer token in an Authorization header. Where and how this is gotten doesn’t matter. Most Micropub clients that have currently been published assume the user will use the IndieAuth protocol for creating that Bearer token, so the clients initialise the entire authorization “dance” for you.
#
Zegnat
IndieAuth.com is a website that implements rel-me-auth (authentication by linking to a different identity like email or Twitter) and exposes it in the form of the IndieAuth protocol.
#
Zegnat
I think most people start by implementing IndieAuth on their pages, to login to the wiki and other things. So it doesn’t happen a lot that someone wants to start using Micropub and doesn’t have a working authentication flow already set-up. Clearly you are the different case and are hitting a part that we haven’t documented well enough.
#
raziellight
ah ok
#
raziellight
i see
#
aaronpk
Zegnat++ good explanation
#
Loqi
zegnat has 31 karma in this channel (136 overall)
#
raziellight
ya because i've seen this page several times, and it was somewhat ambiguous if it was meant for micropub clients at first, but then i saw some in the redwind code
#
raziellight
ok let me try this and i'll see
#
dgold
aaronpk: hmmm - what frontend are you using for pgp?
#
GWG
Evening
#
jjuran
Cool, I didn’t know PGP was an option. TIL.
#
dgold
turns out I have that - I just never got round to using it. furrrfu
#
aaronpk
the key is setting up the keyboard shortcut in the services menu to sign the selected text
#
jjuran
“Many of the tutorials I found for OS X are not Mac friendly. Many want you to install bloated, Windows-like software; or, install questionable add-ons.”
#
jjuran
I wonder if that’s a dig at GPG Tools.
#
aaronpk
that tutorial is about setting up GPG Tools...
#
jjuran
“Step 1: Install the GPGTools GPG Suite for OS X” <— Oh, I guess not :-)
#
jjuran
Well, he does say not to install the GPGMail plugin.
#
raziellight
whoa it works. i'm in guys !
#
raziellight
:)!
#
raziellight
super :)
#
raziellight
so now will omnibear send a token to micropub then?
#
dgold
Gratulojn!
#
raziellight
i'm guessing yes
#
raziellight
each time a micropub request is done, i seem to remember an auth token is sent
#
dgold
jjuran: plugins are usually just asking for trouble, sadly.
#
raziellight
thanks to all. and thanks for the github request. that worked perfect.
#
dgold
you should try getting gpg working with [?al]pine
#
raziellight
time for coffffeeee
#
Zegnat
We could definitely use some more PGP/GPG how-tos on https://indieweb.org/pgp#Articles
#
jjuran
“People who use mail plugins for encryption have no idea how they work; the result is a false sense of security.”
#
Zegnat
Didn’t GPG Tools make their mail plugin non-free?
#
jjuran
He’s got a point. How many GPGMail plugin users know that the email header (including the Subject field) isn’t encrypted?
#
jjuran
“As we have mentioned in the past, we will start charging a small fee for GPGMail once the stable version of GPGMail 3.0 is released in order to deliver more timely updates and even better user support in the future.”
#
snarfed
pine++ also
#
Loqi
pine has 1 karma
#
snarfed
alpine++
#
Loqi
alpine has 1 karma in this channel (3 overall)
#
snarfed
spent a lot of my life using and hacking on [al]pine. e.g. https://snarfed.org/software#pine
#
Loqi
[Ryan Barrett] software
#
dgold
snarfed: I don't understand how soooooo many techy types are wedded to that damnable mutt abomination1
#
snarfed
very different from mutt, not a fork
#
dgold
oh, no, it's completely different, I use it every day, even professionally
#
Loqi
[Ryan Barrett] gmail vs pine
#
Zegnat
Oh, the GPGMail small fee was discussed as far back as 2014. I thought they already had it going.
#
dgold
I have pine reading two different gmail accounts, and my applemail promotions fee
#
dgold
*feed
j12t joined the channel
#
www.svenknebel.de
edited /User:Www.svenknebel.de (+83) "/* mid-ter itches */"
EmreSokullu joined the channel
#
dgold
just realised I can strike out a huge chunk of my micropub endpoint by testing the data input properly
#
dgold
oh, wait, no, I can't
#
vanderven.se martijn
edited /pgp (+1937) "/* Articles */ Add articles linked previously on the page, with full citation info and archives."
#
vanderven.se martijn
edited /User:Vanderven.se_martijn/IndieAuth (+1067) "/* Articles */ Links to IndieAuth chapters on OAuth.com, with full citation and archive links"
snarfed and KartikPrabhu joined the channel
#
@depone
Experimented a bit with Webmentions again and found that Instagram is an even worse silo than I thought.
(twitter.com/_/status/923674556811882496)
snarfed and EmreSokullu joined the channel