tantek: I'm happy to report that the few bots and such IPs that I blocked resulted in 1/6th the bandwidth usage for my site in November as compared to October
aaronpk: I have this vague recollection of a discussion about dropping the "me" from the initial redirect, since clients shouldn't be trusting variables in query strings. But I can't find that discussion, and two of the indieauth pages were not updated to reflect that.
tantek, KartikPrabhu and oodani joined the channel
Zegnat: I will be reading it carefully on my upcoming train ride to uni this morning. Looking good on glance, aaronpk!
Zegnat: !tell aaronpk "3.2 Client Identifier" disallows ports for clients, how will this work with e.g. shpub where the Micropub client locally runs a server?
tantek, cweiske, jjuran and [kevinmarks] joined the channel
Zegnat: !tell aaronpk "Discovery by Clients" says: “For the Authorization workflow […] the client needs to find the user's authorization_endpoint, token_endpoint and micropub endpoint”. I get using Micropub as an example, but the way it is listed here almost makes it sound like the micropub endpoint is a MUST for the authz flow. Is there a better way to phrase t
cweiske: because shpub runs in userspace and thus cannot use port numbers < 1024
cweiske: the only solution would be if non-redirect verification would be supported by *all* indieauth servers (aka pin code entry)
cweiske: AFAIK none of the indieauth servers today support that
Zegnat: I guess you could fix it by having a publicly hosted home page for shpub and define only the redirect_uri with a port, since that is allowed. But then the publicly hosted page needs to whitelist all possible ports on 127.0.0.1 or something…
Loqi: aaronpk: Zegnat left you a message 6 hours, 15 minutes ago: "3.2 Client Identifier" disallows ports for clients, how will this work with e.g. shpub where the Micropub client locally runs a server?
Loqi: aaronpk: Zegnat left you a message 5 hours, 25 minutes ago: "Discovery by Clients" says: “For the Authorization workflow […] the client needs to find the user's authorization_endpoint, token_endpoint and micropub endpoint”. I get using Micropub as an example, but the way it is listed here almost makes it sound like the micropub endpoint is a MUST for the authz flow. Is there a better way to phrase t
Zegnat: Disregard the first !tell, was reading that wrong, and discussed it with cweiske :) But you’ll catch up to that.
aaronpk: yes, those restrictions don't apply to the redirect_uri intentionally
Zegnat: Was interrupted with school stuff though, still need to pull my thoughts together on the Authentication flow. Maybe have some more thoughts / questions in about an hour when I get home.
Zegnat: In layman’s terms (as an authorization endpoint) if an application has 127.0.0.1 listed as a redirect_uri, I can (SHOULD/MUST) accept it with any port?
aaronpk: the point of redirect url registration is to prevent an attacker from setting the redirect URL to something under their control to steal the auth code
aaronpk: as well as avoid being an "open redirector"
aaronpk: should we say that port variation on the redirect URL is always allowed?
aaronpk: the other way to solve this is to allow port numbers in client_id
aaronpk: then the remote shpub could serve its own home page that registers its redirect_uri
Zegnat: If local shpub knows its own IP and port, it could theoretically already set client_id to shpub.com/?port=1111&ip=127.0.0.1 and have shpub.com serve a dynamic redirect_uri value.
aaronpk: I think dropping the port restriction on client_id is the simplest
Zegnat: I can’t immediately think of a security issue with that.
Zegnat: Apart maybe from https being sent to http by a middleman?
Zegnat: Not sure how connection libs like curl handle that
eli_oat joined the channel
aaronpk: that provides shpub with two options. for local use, it would have to use a public URL client_id with a query string component to specify the local port of the redirect URI. for remote use, it could use the remote IP as the client_id
aaronpk: oh yeah, one more option. since what we're trying to do here is prevent specific attacks involving tricky redirect URLs, if the scheme/domain/port of the client_id match the redirect_uri then there wouldn't be any surprises. so I *think* we can bypass the redirect_uri lookup altogether if those match
Zegnat: I agree, path isn't so important in that case.
aaronpk: yea you can't steal an auth code by changing just the path of an otherwise legitimate redirect URL
Zegnat: If you don't end up allowing different ports, maybe reference the OAuth document on allowing variable ports for loopback. I think that is worth calling out.
tantek: yeah I'd say so - especially an annual fee!
[manton] joined the channel
[manton]: With this kind of variable pricing, would be nice if the lowest price is less than $75. .blog has this same approach, where some words are $$$$, but at least they start at something like $20.
tantek.com edited /Trello (+983) "expand Card share UI, note its a citation UI, provide example blockquote inline to demonstrate"
aaronpk: yeah, they're definitely targeting a specific customer with .bot
[manton]: Yeah, with .bot I guess I can see it... It'll be interesting to see if it takes off.
John____, renem and j12t joined the channel
tantek: specific customer? good self-identifying bots?
Zegnat: Good stuff. Reviewing to see if there are any selfauth updates to do.
Zegnat: Probably should get redirect_uri support in there. Not sure if I want to do the h-app parsing.
aaronpk: hm maybe a security consideration paragraph about displaying the client_id and redirect_uri if you aren't going to be fetching the client_id
Zegnat: I think we might already be displaying those? Or at least client_id. But would need to check.
Zegnat: If someone wants to rewrite selfauth into v2 with separate dependencies and pull in an mf2 parser etc, I would not be against it. But that’s not something that is currently in my planning.
Loqi: [Daniel Goldsmith] Oh wow. Just wow. The quantity of quality available on this site. Such an incredible resource, such an incredible artist.
http://www.neilyoungarchives.com
aaronpk: right, but since it's not visible, easy change to change it to just the URL
sknebel: ^^^ now the text overlaps the icon there, seems like the template doesn't quite work?
snarfed joined the channel
snarfed: dgold1: re "i think I've been having a conceptual anti-pattern in wanting a shorter h-card & a full-featured one," you've seen https://indieweb.org/h-card#Issues ?
gRegorLove: Heh, editing the homepage when I click preview I get: ERR_BLOCKED_BY_XSS_AUDITOR
gRegorLove: "Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).
chrisaldrich: sknebel, which browser are you using that you saw the overlap issue? I changed it because there was an overlap issue before, but it looks fine in chrome & ff for me.
Zegnat: I have nothing against making it explicit, but wanted to double check
aaronpk: which is funny cause i was copying from that page
Zegnat: Need many eyes, and all that jazz :) I am pretty full up with uni at the moment, but hope to have time to give it another solid look later this week.
tantek, [horsemansyospos and [mrkrndvs] joined the channel