#dev 2018-03-12

2018-03-12 UTC
eli_oat, tantek, snarfed, leg and [miklb] joined the channel
#
[miklb]
aaronpk if you could document the most common mistakes you see in WP microformats, we could try and make sure those things are solved in our examples at least. I’m sure I have holes in my mf2.
#
[miklb]
which also reminds me to ask, there isn’t an online mf2 validator like there is for HTML is there?
#
aaronpk
i think the problems fall into two categories. one is where there is barely any microformats at all, just enough to trigger my code to think "hey yes there is a feed here" (probably it's actually hentry mf1), it's often just a list of empty hentry objects with no data
[kevinmarks] joined the channel
#
aaronpk
(or a bad implied p-name but that is being solved with the parser now)
#
aaronpk
the other case which happens is once there's mostly good data, it's often missing authorship info completely
#
[kevinmarks]
Indiewebify.me is the closest thing to a validator, in that it is opinionated about vocabulary
#
[kevinmarks]
The other parsers are more forgiving
#
[miklb]
I’m thinking more about being able to link to a specific page and it spit out what is invalid, not a yes/no valid check.
#
[kevinmarks]
Right, which Indiewebify.me does
#
[miklb]
interesting. I don’t know why I thought it was just a yes/no
#
aaronpk
it needs a lot more stuff before i'd consider it a solid validator. it does a simple check on h-entry permalinks, and doesn't have anything about h-feed for example
#
[miklb]
seems to me considering how important valid mf2 is to the other indie tools, an easier way to validate your page/site/feed could be important to have
#
[miklb]
not that I have a clue how to do that
#
aaronpk
i will say given my experience building micropub.rocks, webmention.rocks and websub.rocks, it takes a lot of work :)
#
[miklb]
would working with any of those tools be useful for mf2? Like, could the WP IW plugin hook into them for users to test their content?
#
aaronpk
i should probably do a bit of UI cleanup on webmention.rocks, but you can use it to check whether your mf2 works for webmention comments
#
[miklb]
When you were building them, I assumed they were for testing implementations, not end users. Sounds like maybe I was wrong?
#
aaronpk
the main purpose of building them in the first place was to survey implementations on the details of the specs, but webmention.rocks in particular is actually more widely applicable than that
#
aaronpk
it'll accept comments, likes and bookmarks for example, so you can check whether your markup works for each. it just doesn't have a UI that prompts for those tests because it wasn't intended for that
#
aaronpk
i've used it during indiewebcamp sessions to demonstrate building up an html page from scratch that shows up as a comment
#
[miklb]
is there an API so, say an WP admin page could have a button to ping a post against
#
aaronpk
an api for the results? not really, but that could be arranged
#
[miklb]
I’m totally thinking out loud right now
leg and [snarfed] joined the channel
#
[snarfed]
casually plugs http://www.indiemap.org as another comprehensive way to survey implementation/adoption of indieweb specs
#
Loqi
Indie Map is a public IndieWeb social graph and dataset. 2300 sites, 5.7M pages, 380GB HTML with microformats2. Social graph API and i...
renem joined the channel
#
dansup
I added bcrypt + argon2i support to gnu/social, hopefully they merge :)
[miklb] and [eddie] joined the channel
#
KartikPrabhu
what is bcrypt?
#
Loqi
It looks like we don't have a page for "bcrypt" yet. Would you like to create it? (Or just say "bcrypt is ____", a sentence describing the term)
#
KartikPrabhu
what is argon2?
#
Loqi
It looks like we don't have a page for "argon2" yet. Would you like to create it? (Or just say "argon2 is ____", a sentence describing the term)
[snarfed], eli_oat, snarfed, [mrkrndvs], KartikPrabhu, [eddie], AngeloGladding, GWG, myfreeweb, schmarty, cweiske, jeremycherfas and [kevinmarks] joined the channel
#
@brendandawes
Really like Webmentions and how it works especially when used with http://brid.gy https://indieweb.org/Webmention The web is a conversation again.
(twitter.com/_/status/973152828104630272)
#
notiz.blog
created /User:Notiz.blog (+1837) "Created page with "<div class="floatright">http://en.gravatar.com/userimage/43087/1c8944dcd21662dd22e97052690f954b.jpg</div> = Matthias Pfefferle, @pfefferle= Webworker from Germany * https://n...""
(view diff)
#
notiz.blog
edited /User:Notizblog.org () "(-1808) Redirected page to [[User:Notiz.blog]]"
(view diff)
#
notiz.blog
edited /IRC_People (-3) "/* Nicknames */"
(view diff)
globbot, leg, eli_oat and barpthewire joined the channel
snarfed, eli_oat, barpthewire and [snarfed] joined the channel
#
aaronpk
hahaha [eddie] this just showed up in my reader today https://media.aaronpk.com/Screen-Shot-2018-03-12-08-00-53-je3NMQENFi.jpg
#
Loqi
nice
#
aaronpk
8 years ago!
[eddie] joined the channel
#
[eddie]
Haha yep, part of my Facebook imports! 😆😆
#
[eddie]
It’s been really fun seeing my old posts pop up on my homepage after the Facebook imports. (I still need to import 2012-2016)
#
[eddie]
I’m also trying to upgrade old plain text posts. So that was just a status update that said “listening to Alice by Avril Lavigne”. But on my site I upgraded it by linking to the song on Apple Music and actually auto-embedding an Apple Music preview beneath the song. It’s cool to be able to take historical posts and add further context.
#
aaronpk
oh nice
barpthewire, tantek, AngeloGladding, KartikPrabhu, gobengo and [cleverdevil] joined the channel
#
[cleverdevil]
When implementing an IndieAuth auth endpoint, is it assumed that auth codes are highly ephemeral?
#
[cleverdevil]
Meaning, should I persist them in a database or on disk, or can I just throw them in memory or memcached for a short period of time?
#
sknebel
yep, see https://indieauth.spec.indieweb.org/#authentication-response-p-1 "The code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum lifetime of 10 minutes is recommended. "
#
aaronpk
that 10 minutes is from the OAuth recommendation. I think most of mine expire after 60 seconds
snarfed joined the channel
#
[cleverdevil]
I spent some time over the weekend writing an auth endpoint and a token endpoint.
#
[cleverdevil]
I want to understand IndieAuth better, and there's no better way than implementing 🙂
snarfed1 joined the channel
#
schmarty
i finally wrote up my (janky) IndieAuth endpoint on Glitch, based on selfauth: https://martymcgui.re/2018/03/12/130455/
#
Loqi
[Marty McGuire] Micropub for a static Neocities website
#
sknebel
schmarty++
#
Loqi
schmarty has 11 karma in this channel (74 overall)
#
aaronpk
[eddie]: oh no your posts on https://eddiehinkle.com/timeline/ don't have u-urls!
#
aaronpk
(or authorship info)
#
aaronpk
I should have previewed that feed before I added it haha
#
Loqi
ahahaha
#
Loqi
yea!
#
[eddie]
That’s strange!
#
[eddie]
I’m actually in the middle of adding context so microformats only display in certain sections. That might be a glitch of that. I’ll know shortly. If not, good thing I can fix that up at the same time 🙂
AngeloGladding joined the channel
#
[eddie]
!tell aaronpk: The timeline page should be fixed now. It was a glitch from the changes I was making to remove microformats from the front-page displays
#
Loqi
Ok, I'll tell them that when I see them next
#
aaronpk
I should see these pop up in the reader again soon then
#
[eddie]
Yay! I also got the front page working correctly. Using a contextual variable, I was able to hide all the posts on the front page except “Todays Posts”
#
Loqi
😊
#
[eddie]
Even got to fix up some implied p-name issues
#
[eddie]
It’s always nice to get those little bugs cleaned out
#
dgold
aaronpk: can you clarify your aperture post?
tantek joined the channel
#
dgold
are you saying that aperture will create a domain, or that one needs to create a sub-domain?
#
dgold
and does it need to be a sub of the same domain that aperture is running on? with full nginx/apache config?
#
aaronpk
oops, forgot to add to the example config!
#
aaronpk
oh wait no I totally did
#
aaronpk
the new domain does not need to be a subdomain, but needs to point to the `storage/app/media` folder and serve the files that are there
#
aaronpk
then just tell aperture what the domain is in the .env file
#
aaronpk
`MEDIA_URL`
#
aaronpk
sorry does that make sense?
[mrkrndvs], leg, [snarfed], ben_thatmustbeme, KartikPrabhu, snarfed, tantek, tbbrown, wagle, wladz and [eddie] joined the channel
#
[eddie]
!tell aaronpk: regarding https://aaronparecki.com/2018/03/12/16/, is there something you can do differently with a paid developer account? Or did it affect ALL accounts when Apple made the free accounts?
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
[Aaron Parecki] It's an unfortunate side-effect of how Apple decided to implement the new free developer accounts! oh well!
#
aaronpk
if you use a paid provisioning profile then it lasts like a year I think
#
aaronpk
is there a reason you're not running the app store version?
[cleverdevil] joined the channel
#
[cleverdevil]
Question: I know that many IndieAuth authorization endpoints use relme to verify a user's identity. Is it also common to just have the auth endpoint have a password database and allow the user to directly enter a password to verify themselves?
#
aaronpk
yep! mine doesn't use rel=me, doesn't even use a password!
#
[cleverdevil]
With Known, the auth endpoint just uses the user database for the website itself, so I figure the answer is "yes"
#
[cleverdevil]
How do you verify that someone else isn't hitting the auth endpoint?
#
Loqi
[Aaron Parecki] Passwordless Logins for Your Website
#
[cleverdevil]
Ah, so your auth endpoint knows to send your phone the notification?
#
aaronpk
yeah, if the browser isn't logged in then it makes me log in first
#
aaronpk
basically the login has nothing to do with the authorization prompt
#
[cleverdevil]
Thinking about what to do in this little auth/token endpoint I'm writing.
#
aaronpk
as goes the age old saying: authentication != authorization
#
[cleverdevil]
Sure, but authentication should always *precede* authorization 🙂
#
aaronpk
indeed
#
aaronpk
selfauth uses a simple password for authentication that's set at the time you set up the file
#
[cleverdevil]
For the purposes of learning, I might just make it so that I can configure the endpoint with a password, like selfauth does.
#
[cleverdevil]
I have a working auth and token endpoint, but right now it always authorizes, without any authentication 😄
#
[cleverdevil]
(Caveat: I *think* I have it working...)
#
Loqi
hahahaha
#
[cleverdevil]
For some reason or another I've always found OAuth and the ilk to be maddeningly confusing, with all of the dancing around between endpoints.
#
[cleverdevil]
Without comments, this thing is like.... 100 lines of very readable Python code.
#
[cleverdevil]
No databases or storage required.
#
[cleverdevil]
It stores the auth codes in an in-memory cache that auto expires codes.
#
[cleverdevil]
And it uses JWT to generate tokens.
#
aaronpk
nice! it's really not that bad once you sit down and walk through it :D
#
[cleverdevil]
Its not that bad, really, no.
#
[cleverdevil]
Oh... are the x-www-form-urlencoded bits still required?
#
[cleverdevil]
Its trivial to do (its already done, in fact) in my web framework, so no big deal.
#
[cleverdevil]
But, just curious.
#
aaronpk
only if you want to support old stuff that may not have updated yet
#
[cleverdevil]
Oh, one more thing, I couldn't figure out what I was supposed to do in the case that response_type=id
#
aaronpk
make sure you don't issue an access token, only let the auth code be verified
#
[cleverdevil]
From my read, the authorization endpoint gets passed that, but the token is also asked for if the user follows up providing the access code to the token endpoint.
#
aaronpk
in other words, a call to the token endpoint with an auth code that was issued with response_type=id should be rejected
#
[cleverdevil]
Ah, I see.
#
GWG
Enjoying this
#
[cleverdevil]
In that event, would you return a 403?
#
aaronpk
checks OAuth 2.0
#
aaronpk
HTTP 400 with error=invalid_grant
#
schmarty
wonders if he should add his (awful?) one-off NodeJS auth endpoint on Glitch to the wiki... 🤔
#
aaronpk
authorization_endpoint << [https://glitch.com/edit/#!/befitting-price a simple NodeJS authorization endpoint] by {{schmarty}}
#
Loqi
ok, I added "[https://glitch.com/edit/#!/befitting-price a simple NodeJS authorization endpoint] by {{schmarty}}" to the "See Also" section of /authorization-endpoint
[kevinmarks] joined the channel
#
schmarty
haha, problem solved.
#
schmarty
aaronpk++
#
Loqi
aaronpk has 123 karma in this channel (1585 overall)
#
[eddie]
!tell aaronpk I have plans to add some small improvements that we mentioned, and I don’t want to keep swapping back and forth between App Store and dev version
#
Loqi
Ok, I'll tell them that when I see them next
#
[eddie]
aaronpk: plus, I don’t think your new layout (black background at top) has been pushed to the App Store yet
#
aaronpk
ah yeah
#
aaronpk
yeah i'm due for releasing an update, I was just hoping to push a couple more features out at the same time
#
aaronpk
the new dark top background layout is great, thanks for that help btw
#
[eddie]
Yeah, my pleasure :) I’ve really been enjoying it. Can’t go back to the old version haha!
#
Loqi
awesome
#
[eddie]
I do have a paid dev account so I’ll have to see if I can do a provisioning profile that lasts longer :)
snarfed joined the channel
#
aaronpk
yeah that should work fine!
#
grantcodes
I know there is a bit of hate for infinite scrolling, but I'm working on it in together and it's so good!
#
aaronpk
haha awesome
#
tantek.com
edited /Squarespace (+656) "Principles Support / 2018 Superbowl ads"
(view diff)
[miklb] joined the channel
#
[miklb]
grantcodes I believe in app setting it can make sense. On a website I haven’t seen it used successfully aside from images/galleries
#
grantcodes
Yeah, Well i'll make it an option so people can disable it per channel :)
#
[cleverdevil]
Yay! I was hoping to get to that at some point 🙂
#
Loqi
does a happy dance!
#
[cleverdevil]
Nicely done [grantcodes]