#dev 2017-11-03

2017-11-03 UTC
tantek, snarfed and gRegorLove joined the channel
oodani
Hmm. Still haven't figured out what's going wrong with Woodwind authentication - it finds my authorisation endpoint https://00dani.me/auth/indie, I approve it and redirect back, and then it fails with the error 'Login error: missing "me" in response'. But if I verify the auth code myself, using HTTPie, the response is clearly {"me": "https://00dani.me/"} and should work totally fine. I tried omitting the Accept header, which is what Woodwind does, and
oodani
it still worked in my test. Any ideas?
oodani
It works *perfectly* with IndieAuth.com and telegraph.p3k.io now. Still not with Quill, since I still haven't got micropub.
oodani
(I checked the flask-micropub source. Rather than sending an Accept header, it just tries to parse the response as JSON and then as formencoded. Which should work totally fine."
oodani
s/"/)
unicyclic.com mal
edited /payment (+1195) "/* Brainstorming */"
sknebel
oodani: might be worth setting up a simple thing to log into that uses flask-micropub to debug? (there is an example I think in the repo, otherwise I think I dig one out tomorrow).
oodani
Worth a try, yeah.
mblaney and snarfed joined the channel
oodani
Ooh, that's interesting. kylewm.com, which presumably also uses flask-micropub, fails too - but differently? It gave me a state parameter of None, and then when I redirect back to it it sends me to https://kylewm.com/None and naturally 404s. Seems like it meant to omit the state rather than send me None as a string.
oodani
Removing the state parameter manually makes it fail the same way as Woodwind: Verify response missing required "me" field {"me": "https://00dani.me/"}
mblaney
hi oodani feel free to try https://unicyclic.com if you're looking for more indieauth sites to test :-)
oodani
I did, but I haven't written the token endpoint, and Unicyclic needs it. :P
oodani
Hmm. https://ben.thatmustbe.me also complains about 'me' being missing, and it's not flask-micropub at all, it's PHP.
Loqi
Ben Roberts
mblaney
I thought I defaulted to tokens.indieauth.com when it doesn't find the token endpoint, will look into that now.
oodani
It might. My authorisation endpoint only works for response_type=id, since response_type=code needs to go somewhere else anyway.
sknebel
oodani: the version of flask-micropub on pypi is older than the changes adding JSON support to it
sknebel
the code is in the repo, but probably never was deployed
[tantek] joined the channel
sknebel
and quite possibly woodwind.xyz is not up to date with the woodwind repo either
oodani
Oooh, that would explain that.
oodani
So I should default to formencoded instead, when the client doesn't ask for anything specific.
sknebel
you should ask aaronpk about that
Loqi
I agree
oodani
Good point. aaronpk, when a client doesn't pass any Accept header to an authorisation endpoint, should we be defaulting to formencoded?
aaronpk
Probably for legacy support yeah
oodani
That fixed Woodwind. :)
oodani
And kylewm.com!
oodani
But *not* ben.thatmustbe.me, which is still failing to find the 'me' value in the response. :o
mblaney
oodani the token endpoint fallback should work on unicyclic.com now.
oodani
Looks like it does work. I'm in. :0
oodani
Kinda surprising, honestly? Like I said, my auth endpoint only works for response_type=id. Not sure how tokens.indieauth.com decided the auth was valid.
aaronpk
wait what's going on? you shouldn't be interacting with tokens.indieauth.com unless you're doing response_type=code for getting a micropub access token
mblaney
actually it didn't... I've got a log message saying it's invalid.
oodani
Interesting. It still let me log in despite being invalid?
mblaney
yeah exactly aaronpk.
oodani
aaronpk, Unicyclic uses response_type=code since it lets you micropub your responses and stuff I think.
oodani
Not that I can actually do that yet. :P
mblaney
oodani you should still be able to log in to unicyclic.com with just a valid authorization endpoint.
oodani
Yeah, looks like I have.
mblaney
I only use tokens.indieauth.com as a fallback if it doesn't find an endpoint but *it does* find a micropub endpoint.
mblaney
sorry for the confusion :-/
oodani
Ohhh.
aaronpk
wait a sec
aaronpk
no consuming client should be hardcoding tokens.indieauth.com
benwerd joined the channel
mblaney
aaronpk so if a micropub endpoint is set, but no authorization or token endpoint, the request should fail?
aaronpk
correct
aaronpk
that's not enough information for the client to do anything that the user should be trusting of
oodani
Figured out ben.thatmustbe.me, that was a bug on my part. That site's redirect URI already has a query parameter and I was just using uri + '?' + urlencode(params). Works now though.
aaronpk
ah nice yeah
aaronpk
that's always a tricky one :)
mblaney
ok that's good to know.
aaronpk
I also really want to discourage people from using what appear to be centralized services for things like this :)
oodani
I reckon it *shouldn't* have a query parameter, because it points to where on the site to go after authing me, and that info really belongs in the state parameter. But surely someone's gonna be using query params correctly. ;)
oodani
Just about to code my token endpoint: thoughts on revoking access? My tokens are gonna be stateless JWT, so there won't just be a table to remove them from. I could store a list of authorised client IDs. perhaps - remove a client from that list, all their tokens stop working.
aaronpk
classic JWT problem yeah
oodani
Could just make them expire, that's easy enough.
oodani
Annoying though. :P
aaronpk
you could store a list of revoked client IDs plus timestamps, then reject any tokens issued to that client from before the timestamp
oodani
Oo. I like that.
aaronpk
that way you can make a new token for the client without reactivating old tokens
aaronpk
this is also a reason to use refresh tokens, tho i don't think many indieauth clients support that flow
mblaney
aaronpk do you feel the same way about using indieauth.com/auth as a fallback when no authorization endpoint is found?
aaronpk
for micropub yes
John___ joined the channel
aaronpk
if all you're trying to do is sign the user in without requesting permission to post for them, then you can use indieauth.com for its second role, which is that use case.
aaronpk
this is also why i am splitting it up into two services
oodani
I'm thinking list of client IDs with an optional "revoked_at" timestamp. Then you can list off the apps you've authorised and know who can be revoked, as well as know which tokens were revoked when you do it.
mblaney
ok cool.
oodani
It's a little more space used than just storing the revoked ones, but I think if I've issued enough tokens that that matters I'm really gonna want my site keeping track of them anyway. :P
aaronpk
the nice thing is this isn't a permanent decision, you can change your mind later
oodani
Yeah. :)
aaronpk
also clients don't need to worry about it since tokens are opaque
aaronpk
i actually switched from JWT to storing tokens in a database with my last site rebuild. I do have to have a legacy bit of code to continue to validate the already issued JWT's but it's not hard to support both old and new tokens
oodani
Hmm, I was thinking about the opacity of tokens: does the spec say anything about how *big* a token can be? Lots of databases have field size restrictions.
aaronpk
strangely I don't see any indication of a maximum length https://tools.ietf.org/html/rfc6749#section-1.4
oodani
The tokens are also passed as query params, and I'm pretty sure URLs have a size restriction. Hm.
aaronpk
no they shouldn't be
oodani
Oh, right, yeah. Auth codes are. Tokens aren't.
oodani
I made my auth codes JWT as well. :P
aaronpk
i think mine are too
oodani
Neat. I think that could *potentially* cause problems with URL size, since JWT are kinda long, but it hasn't yet.
aaronpk
actually wait when are you seeing a GET request with the auth code? isn't that POST also?
aaronpk
oh nvm from the browser obviously
aaronpk
my head was stuck in server land
oodani
Yeah, from the browser when it redirects. ;)
aaronpk
looks like OAuth 2 says the lengths of code and state are not defined by the spec and that the authorization server should document them
aaronpk
since we're decentralized, it would be reasonable for the IndieAuth spec to define a maximum length then
oodani
Probably a good idea!
aaronpk
what's the general consensus on maximum URL length these days
aaronpk
since even the URL spec doesn't define a max length
oodani
Wait, really? I thought it did.
aaronpk
if it did it's a relatively recent change
oodani
Huh. Well, there you go then. :P
aaronpk
tl;dr the spec doesn't define a max length. still generally staying under 2000 is recommended to be compatible across all browsers
aaronpk
although browsers will often be able to handle a longer URL than they will display in the address bar
aaronpk
since we don't need these to be visible in the address bar or even able to type, the next limit would be Android at 8k
aaronpk
looks like most browsers will support URLs over 64k even
oodani
Jeepers.
aaronpk
but the safe thing to do is stay under 2000
oodani
Yeah.
aaronpk
so then the client and the server are fighting for that space, because the client defines the "state" value and the server defines the "code" value
mblaney
oodani, aaronpk I made some changes to unicyclic.com based on your feedback. no more token fallback and I was also adding scope=create and response_type=code even though it was log in only.
mblaney
I'm hoping the default response_type=id works even though I'm not adding that?
oodani
It does, yep. Just tested and it works fine for me. :)
mblaney
oodani++ thanks! :-)
Loqi
oodani has 1 karma
oodani
While you're making auth tweaks, may I recommend adding <link rel="redirect_uri" href="https://unicyclic.com/php/auth.php" /> to your markup? :)
oodani
Some IndieAuth servers (like mine) use that to verify the redirect URI and client ID "match". It's on the wiki but apparently not formally specified yet.
aaronpk
nothing about IndieAuth is formally specified yet
oodani
Ah. That would be why. :P
aaronpk
we've made some amazing progress despite that :)
mblaney
interesting, that's quite the generic rel value to be claiming. I wonder if it should be more auth specific?
oodani
Hm. Good point.
renem joined the channel
oodani
Although publishing other kinds of redirect URIs under the same rel would be harmless, I think. Still can't craft malicious redirect URIs, you can just point the IndieAuth server to the wrong place and probably get a 400 because the other endpoints don't know what the heck these parameters are for.
aaronpk
If you have a suggestion this would be the time to change it
oodani
rel="auth_redirect" or something, maybe? Including "uri" seems redundant.
aaronpk
best to check the OAuth discovery spec to see what they call it
aaronpk
that's where i got the names for the others
aaronpk
rather than making up something new
oodani
Hmm. It doesn't look like the redirect URI is *in* the discovery spec, since it's a client property rather than a server property.
oodani
Aha, found it in the "dynamic client registration" spec: it uses an array called redirect_uris, which would make rel="redirect_uri" the most appropriate. And that's what we already use.
aaronpk
that said, if there is a good reason to be more specific that's still something to consider. the registration spec was not intended to be in a document that's also a website :)
gRegorLove and [miklb] joined the channel
oodani
Oh wow, my use of JWT was actually insecure since I didn't specify a signature algorithm. Fixed now though.
aaronpk
classic
oodani
The docs said to include it, I figured leaving it out would make it pick a ~reasonably secure~ default or something. But actually it leaves a gaping security hole. Oops?
aaronpk
yeeaahhh
snarfed and tantek joined the channel
oodani
Hmm, that's weird. My tokens are coming out of PyJWT with apostrophes in them? The auth code is working fine, it's all valid base64 and jwt.io understands it. But the token, which is using the same call exactly, has weird apostrophes in its header and signature.
oodani
And yet it's entirely fine if formencoded instead of JSON'd?? :0
oodani
*Oh*, those quotes are Python putting b' ' around the whole thing. For some reason.
oodani
Weird.
oodani
¯\_(ツ)_/¯
benwerd, calumryan, KartikPrabhu, jeremycherfas, cweiske, loicm, barpthewire, [pfefferle], jeremych_, mblaney, eli_oat, [kevinmarks] and snarfed joined the channel
bear
that is Python telling you that it's a string of bytes
snarfed
python3++
Loqi
python3 has 1 karma
bear
python3++
Loqi
python3 has 2 karma
dgold
do micropub articles _have_ to be <html> encoded?
dgold
just noting that both quill and micropublish do html for them
Zegnat
I don't think Micropub specifies an encoding at all, dgold. But I would have to double check.
aaronpk
an "article" is just a note with a name, you could have plaintext content for a note with a name just as well
dgold
aye - in testing, I get html-encoded content both from quill & micropublish.net
dgold
but by quill's email, I get the text/markdown
dgold
and in quill, I have the [Send HTML content] unchecked, but it still sends html
aaronpk
what do you mean you get markdown from the post-by-email?
aaronpk
i mean if you write markdown in the email then it's really just text and quill should be sending you the same text you wrote
dgold
when i post via the email, I get the same text as I email
dgold
when I use the quill editor, i always get html
aaronpk
yeah that checkbox text is misleading
aaronpk
it was meant as a backwards compatibility thing, from an early micropub draft
calumryan and tantek joined the channel
petermolnar
python3++
Loqi
python3 has 3 karma
dgold
now stop it there
jjuran and [kevinmarks] joined the channel
[kevinmarks]
appengine-- for not having python3 yet
Loqi
appengine has -2 karma in this channel (-1 overall)
[kevinmarks]
appengine++ for being easy to run stuff without fretting about databases
snarfed, [eddie], calumryan_, calumryan, [cleverdevil], benwerd, gRegorLove, [stefp], tantek and [miklb] joined the channel
aaronpk
haven't been able to get any of the podcast stat tracking things to work so i am doing it myself
KartikPrabhu joined the channel
[cleverdevil], j12t, snarfed and [markmhendrickso joined the channel
www.boffosocko.com
created /ask_me_anything (+2286) "started stub page with some examples"
www.boffosocko.com
created /AMA (+29) "redirect"
gregorlove.com
edited /ask_me_anything (+62) "/* Silo Examples */ +curiouscat"
[kevinmarks], [chrisaldrich], benwerd, [tantek], snarfed, renem, tantek and John___ joined the channel
tantek.com
edited /ask_me_anything (+36) "/* IndieWeb Examples */ link to chrisaldrich's actual ama page"
tantek.com
edited /ask_me_anything (+110) "/* IndieWeb Examples */ note source of use webmention suggestion"
tantek.com
edited /badge (+119) "AKA achievement"
KartikPrabhu joined the channel
tantek.com
edited /token (+27) "dfn tweaks, see also"
[eddie] and snarfed joined the channel
loqi.me
edited /this-week-in-the-indieweb (+57) "/* See Also */ new section"
tantek.com
edited /js;dr (+585) "/* Web Content Examples */ Apple Podcasts Connect Help"
benwerd, [cleverdevil], [miklb] and [kevinmarks] joined the channel