2018-04-26 UTC
leg1, eli_oat, oodani, snarfed, snarfed1, renem and [snarfed] joined the channel
# 01:45 aaronpk Wanna look at the Buffer API next as a hack to post to FB via Buffer? 😆 # 01:47 GWG [snarfed]: Reading the deprecation notice. Wonder what I should do. # 01:47 GWG I see they recommend sharing intents. [matthilt] joined the channel
# 01:51 GWG aaronpk: I'd imagine they'll have the same problems, wouldn't they? Or can an application created by a user post on their behalf? # 01:51 aaronpk Depends on whether they have a bizdev deal with FB or not # 01:52 GWG I want to get away from them anyway jjuran, Kaja___, chimo, kline, [chrisaldrich], KartikPrabhu and bdesham joined the channel
# 03:20 bdesham I have the impression that microformats always uses arrays of strings... is that how OwnYourGram behaves as well? AngeloGladding joined the channel
# 03:57 aaronpk bdesham: heh tricky. I'm not actually sure what OYG does, but if it doesn't send strings then it should. # 04:40 bdesham aaronpk: OK! I'll proceed under that assumption. I just post infrequently enough to Instagram that I won't have a lot of opportunities to tweak stuff :-) tomasparks, snarfed, cweiske, Mandrake, loicm, mblaney, [kevinmarks], swentel, [pfefferle], myfreeweb, plindner, grantcodes, zoglesby, eli_oat[m], schmarty, peterlawson[m], mindB and jeremycherfas joined the channel; mblaney left the channel
# 09:49 treora Do I hear Facebook is blocking POSSE? Any links to relevant deprecation notices/explanations/critiques? # 09:58 Loqi [snarfed] #817 publish for facebook is dead [kevinmarks] joined the channel
# 10:05 treora realises that gdpr's data portability has been defined rather one-directionally: only for getting data *out* without hindrance. # 10:16 cweiske companies will add import functionality to their products to ease user migration # 10:16 cweiske exporting functionality is not in their own interest myfreeweb joined the channel
# 10:33 [kevinmarks] I'm walking through the internal process for setting up AWS at this company I'm consulting for and "manual until it hurts" has a very high threshold of hurting plindner, eli_oat[m], grantcodes, zoglesby, schmarty, peterlawson[m] and mindB joined the channel
# 11:22 Zegnat Still depends on a whole slew of separate code for resolving URLs :( But no way around that. jgmac1106 and Mandrake joined the channel
jgmac1106, [jgmac1106], iasai_, leg, [kevinmarks], snarfed, AngeloGladding, tantek and Mandrake_ joined the channel
# 15:20 tantek and confirmed that Bridgy Publish RSVP to FB no longer goes through. back to manual. Thanks for the run Bridgy and snarfed! [eddie], jeremycherfas, iasai_, [cleverdevil] and snarfed joined the channel
# 16:26 jeremycherfas If I want to add email to a data element in h-card, would I give the bare email as the value, or mailto:email ? # 16:30 jeremycherfas Finally getting into the habit of opening up ngrok to check things on local before sending them out live into the world. Makes a difference. # 16:43 GWG Wondering if we should have a going away party for Bridgy Publish [kevinmarks] joined the channel
# 16:54 skippy i think it goes on the img tag, but I've been wrong a lot lately, so looking for confirmation. [snarfed] joined the channel
# 17:02 [snarfed] for bridgy publish *for Facebook*. let's not scare people unnecessarily! # 17:26 Zegnat I am good at throwing things at other things! # 17:26 aaronpk if you have an auth endpoint defined on your site then you shoulnd't even see indielogin.com when you log in to pin13.net # 17:27 Zegnat I see indielogin.com because that is where I land after coming back from my auth endpoint # 17:27 Zegnat “Your IndieAuth server did not return a valid state parameter” hmmm # 17:29 Zegnat Now I make it past indielogin.com back to pin13.net, and am again told “Invalid State”. Probably need cookies there as well then :P # 17:29 KartikPrabhu aaronpk: the placeholder on the login form says "yourdomain.com" but the HTML form validation does not accept that format since it checks for "http or https" # 17:29 aaronpk pin13.net/login is just a scrap thing, don't worry too much about it # 17:30 Zegnat Alright. So cookies enabled on both domains, I can now login. Again from the start! jackjamieson joined the channel
# 17:30 Zegnat Hmm. Now I see indielogin.com with a “Continue” button? # 17:30 Zegnat Is that because I am already logged in to indielogin.com, so it doesn’t need to send me to my authpoint again? # 17:31 aaronpk I think i'm going to disable that if you use an authorization endpoint # 17:31 Zegnat It is nice for me because selfauth doesn’t do sessions, so always requires a password. This indielogin enables me to not have to enter my password again. # 17:31 Zegnat On the other hand, the flow is weird, because at the first login I never saw indielogin. # 17:32 Zegnat And now on second login attempt I suddenly get a different view. # 17:32 Zegnat So probably best to always redirect in the case of endpoint. Though maybe you can skip doing endpoint discovery again for someone who is already logged in to indielogin? As you already know their endpoint? # 17:33 aaronpk tho then I have to worry about invalidating that cache if they change their auth endpoint # 17:34 Zegnat True. I guess going directly to indielogin.com could show my current session and let me invalidate the endpoint or something. tantek joined the channel
# 17:37 aaronpk so now if you have an authorization_endpoint defined you'll never see indielogin.com when everything works # 17:37 Zegnat Still getting the screen with the Continue button? # 17:38 aaronpk to have it remmeber that it found an auth endpoint for you # 17:38 Zegnat I guess I need to click the “Log in as a different user” link then first? So it forgets my current session? # 17:39 aaronpk "log in as a different user" will also clear out the session and start over # 17:40 aaronpk btw I implemented the rel=authn thing in this too :) # 17:42 Zegnat I seem to recall sebsel let people login to his site with Twitter - not just their own URLs - because so much of his audience wasn’t expected to have own sites at the moment # 17:42 aaronpk i'll consider it as a feature request for indielogin.com # 17:43 aaronpk is pretty pleased he can enter "aaron@parecki.com" into that sign-in box too :) # 17:43 Zegnat Though I am not sure how I would expect that to work for my Twitter or GitHub profile. As they have a rel="me" to a page with an IndieAuth endpoint ... Though that is probably a layer too deep # 17:43 aaronpk it would just return the github URL as the identity # 17:44 aaronpk I also handle a lot of cases for the different kinds of profile URL redirects in this # 17:44 Zegnat Hmm. What happens if I link my GitHub to my Twitter and my Twitter to GitHub? Will I then be able to use either and use the other for authentication? snarfed joined the channel
# 17:45 Zegnat martijn@vanderven.se doesn’t work in the box, doesn’t pass form validation # 17:46 aaronpk also your vanderven.se server will need to return a permanent redirect to your web page when fetched with as the "martijn" user # 17:46 Zegnat I tried setting that up in nginx but couldn’t get it to work :( # 17:47 skippy thats overloading the login form's use a bit. it specifically says "your domain name", not "your email address", nor "a username at your domain name" # 17:47 Zegnat I am in the process of moving vanderven.se to static. But I might be able to put in a PHP redirect for now. # 17:47 skippy nitpick: the form doesnt ask for a URL or a URI, it asks for a domain name. # 17:47 Zegnat I am already not entering my domain name, as I am not at the root. # 17:48 skippy and the sample text does not include a protocol. # 17:48 aaronpk technically it says "web address" and the placeholder example is "yourdomain.com" # 17:49 aaronpk oh I was talking about pin13.net/login which is the "app" in this case # 17:49 Zegnat aaronpk, maybe include https:// in the placeholder when JS is disabled? As it is very much required in that case. # 17:50 aaronpk i'm also okay with promoting the idea of a domain name being the primary use of this, and anyone who uses a subfolder as their primary identity can figure out that it also works jackjamieson joined the channel
# 17:55 aaronpk next up is adding email and pgp support so that it has feature parity with indieauth.com jackjamieson joined the channel
# 17:59 Zegnat Hmm, the username trick is working with curl, but not in Firefox jackjamieson joined the channel
# 18:05 aaronpk Maybe the browser isn't sending the username unless it gets the www-authenticate response? # 18:06 Zegnat I will test with that later, do not want to test that on the live website, he # 18:12 sknebel browsers are in various stages of getting rid of that # 18:13 sknebel afaik not entirely committed to killing it, but certainly restricting it in various ways # 18:16 Zegnat Firefox already prompts warning me someone might be trying to scam me with the URL # 18:17 Zegnat Still weird that it wouldn’t send the information to the website though. I totally get why they might hide it in the URL bar against phishing # 18:17 aaronpk yeah i don't remember all the attack vectors there, but it'll be nice to finally kill the username/password model for websites snarfed joined the channel; snarfed left the channel
# 18:24 Zegnat I think the phishing vector is mostly just that you can put almost anything in the username field, including perfectly valid domain names. https://paypal.com@zegnat.net/ still seems to start with paypal.com. # 18:25 Zegnat Slashes need to be encoded in the authority part, IIRC, so can’t make the URL seem even more real ... unless there are user-agents that do not require that, of course leg, cweiske and [sebsel] joined the channel
# 18:40 [sebsel] Zegnat: I believe I still support Twitter logins indeed, but I doubt anyone ever used it apart from myself to test it. It asks for way to many permissions anyway :( sebsel joined the channel
# 18:53 jeremycherfas Trying to use my Known instance, get this error `me=https%3A%2F%2Fstream.jeremycherfas.net%2F` # 18:53 aaronpk ah i think i only added support for JSON responses in the indieauth part # 18:55 sebsel The spec mentions JSON too. Is that the preferred way? # 18:55 aaronpk jeremycherfas: try again, i just quick-hacked it to hopefully accept form-encoded too # 18:56 aaronpk jeremycherfas: did you start from the beginning or try to refresh? # 18:57 aaronpk hm then i'm not sure what the problem is, it's something on Known's end # 18:58 cweiske I could log in successfully with cweiske.de and commentpara.de # 18:59 cweiske so two different indieauth server implementations work with it # 19:00 aaronpk more than that! we have Known, commentpara.de, selfauth, p3k # 19:05 aaronpk pstuifzand: if you make your short url a permanent redirect to your main url it should work # 19:06 pstuifzand The error that I get is a little strange, it says the response from the server, is the indielogin.com page with the error response # 19:07 aaronpk Hm can you screenshot the sequence of all the steps? # 19:08 Zegnat Looks really interesting for caching requests when possible, instead of doing these countless refetches we are often doing now with IndieWeb things. # 19:11 cweiske Zegnat, this class is not for fetching data. it shall be used so that your server returns "not modified" responses kinda automatically # 19:12 cweiske it does not help you to cache http requests to other sites or apis # 19:12 Zegnat For some reason, when I first read it, I thought it was doing it on the fetching side :( # 19:12 aaronpk pstuifzand: weird, i'm guessing my code isn't resolving relative URLs at some point # 19:13 aaronpk that's the only way i can think of that indielogin.com would try to make a request to itself # 19:13 pstuifzand the response in the textarea: contains "Your IndieAuth server did not return a valid state parameter" # 19:14 aaronpk oh maybe your indieauth endpoint thinks the request to it is wrong. i see it redirected back with ?error=invalid_request # 19:15 pstuifzand if I use my "normal" domain, it works without problems, the only difference is the extra 302 redirect (I would think), oh, and of course the different "me". # 19:17 pstuifzand I redirect to the redirect_uri with invalid_request when "me" and "client_id" are missing # 19:18 pstuifzand that is checked after the two invalid_requests, but at the moment it can't be the shorturl # 19:19 aaronpk well if your short URL redirects with a 301 to your full URL then indielogin.com will use the full URL when making the request # 19:21 aaronpk looks like i need to add some additional error checking though # 19:21 pstuifzand I'm quite reluctant to use 301 redirects these days, they've become quite permanent :) # 19:23 pstuifzand it doesn't get cleared in browsers when emptying the browser cache # 19:25 pstuifzand 301 redirect are on a seperate page (net-internals), or you need to clear complete browser history gRegorLove and leg joined the channel
# 19:37 pstuifzand I don't know if something changed, but even without the 301 redirect I can now login to pin13.net/login # 19:38 aaronpk if your authorization endpoint allows that then that's fine # 19:39 aaronpk i'm still really confused about what was happening before # 19:40 aaronpk i'd like to try to reproduce that so i can make the error messages better # 19:43 aaronpk just changed something. would you mind changing yours back and trying the short URL again? # 19:45 aaronpk you should see the "access_denied" error from your endpoint now # 19:46 aaronpk and now i don't see it trying to make a request to itself snarfed joined the channel
# 19:46 Zegnat Interesting. Is that adding an error to the callback URL? Is that in OAuth? # 19:47 aaronpk it's only if everything about the request is okay but there was some other error or if the user clicks the "deny" button # 19:47 aaronpk but you don't redirect back to the app for problems like missing parameters # 19:48 aaronpk also i'm not sure how much it actually matters in practice, especially if the auth server shows a good error message in place of redirecting # 19:48 cweiske if there are missing parameters, the app has to be fixed. a redirect won't help [kevinmarks] joined the channel
# 19:49 [kevinmarks] known.kevinmarks.com leaves me at known.kevinmarks.com after logging in # 19:50 cweiske mail('developer', '5 auth servers told me the "me" parameter is missing. I saw that adding it made it work. You should add the following code at line 42: ...') KartikPrabhu joined the channel
leg joined the channel
# 20:08 aaronpk so most of the testing has been with various indieauth servers, which is great, but i also need people to test this who don't have an indieauth server and use twitter/github instead # 20:10 aaronpk i'm impressed there are so many indieauth server implementations now tho! tantek and [matthilt] joined the channel
KartikPrabhu joined the channel
# 20:18 aaronpk hm, no in order to do indieauth the site has to use rel=authorization_endpoint # 20:22 pstuifzand I see indielogin does the rel=me check after the login to twitter or github # 20:23 aaronpk makes things work a bit better in the first part of the flow # 20:23 aaronpk also it's not strictly checking for rel=me from twitter and github, it's using the API to pull out the profile URL from the account # 20:30 aaronpk IIRC if the twitter app requests permission to post to your twitter account, then that prompt is bypassed the next time you log in # 20:30 aaronpk but for read-only apps it seems to prompt each time # 20:30 pstuifzand this wasn't needed on indieauth.com, it automatically redirected # 20:30 aaronpk hm let me check something then, they have two endpoints for that tantek joined the channel
# 20:32 aaronpk yep my bad. switched to the other endpoint. try again snarfed, [jgmac1106], tantek, swentel and [kim_landwehr] joined the channel
[tantek] joined the channel
# 20:59 [tantek] That twitter card updating when a domain is taken over is very bad # 21:00 [tantek] It means you cannot trust POSSEing raw external links to Twitter, lest those links get owned by someone else, who abuses the twitter cards and makes crappy stuff show up on your old tweets # 21:01 [tantek] Almost seems to require POSSEing the archive org version of all external links when POSSEing to twitter # 21:01 aaronpk or a link on your own site that either redirects immediately or just a page that you can update later if you want # 21:02 [tantek] I don’t see any other options (assuming you want to include external links in your posse weeks) tbbrown joined the channel
# 21:54 aaronpk once i fix a couple of the issues identified and give it a little more testing, i'm going to switch the wiki over to it # 21:56 aaronpk myindieauth.com, but that's going to be more work # 21:56 GWG Can you elaborate on what the other half does? # 21:57 aaronpk myindieauth.com is an indieauth authorization endpoint as a service # 21:57 GWG snarfed, still worried that Facebook's publish action is just the beginning # 21:58 aaronpk so your wordpress plugin will eventually update to use myindieauth.com as the other option if you don't want to use the built-in one # 21:59 GWG aaronpk, and that will be the relmeauth option? # 21:59 aaronpk actually, wait, why do people use the indieauth.com option in wordpress right now? # 22:01 aaronpk this is gonna get confusing. i vote we stop talking about it until myindieauth.com is live :) # 22:03 GWG They want to log into their website using Twitter or GitHub or such # 22:03 GWG I suppose there is also if you aren't SSL # 22:04 GWG aaronpk, what would you suggest I do then? # 22:06 aaronpk what's the overlap between people who want to use twitter/github to sign in and people who also use micropub clients? snarfed joined the channel
# 22:08 aaronpk i am hoping it's 0, otherwise this will be more complicated tantek joined the channel
# 22:11 GWG snarfed: What do I do with Bridgy Publish for WordPress, remove the Facebook feature? # 22:12 snarfed and ideally surface a warning message to existing users asap # 22:13 GWG I have been thinking of deprecating the plugin # 22:13 GWG I will likely issue a warning regardless # 22:15 GWG snarfed, I want to add platform neutral syndication support, so Bridgy would be a target, but not a solo implementation # 22:17 Loqi [snarfed] #796 micropub API for bridgy publish leg joined the channel
# 22:18 GWG snarfed, I would have to learn Python. Which isn't a bad idea at some point # 22:18 GWG I'm an old C programmer, everything is related # 22:19 snarfed yes! great engineers aren't limited to individual languages, frameworks, tools, etc # 22:19 GWG snarfed, I will take that as a compliment # 22:20 GWG But I want to build the underlying UI for syndicating in WordPress and then I can start creating targets # 22:21 GWG Once I have the code no longer embedded in Bridgy, I can add Indienews as a target, for example # 22:21 GWG I can't put that in a plugin called Bridgy. # 22:26 GWG snarfed, I am putting the code in Syndication Links. It seemed easier than creating a new plugin # 22:27 GWG That plugin is already full of integrations to extract syndication URLs from other plugins # 22:27 GWG I might as well go the other way and write code to trigger POSSE from Micropub [snarfed] joined the channel
# 22:31 GWG I think I have created too many different things. I am trying to consolidate [tantek] and [snarfed] joined the channel
# 23:29 Loqi merging has 1 karma in this channel (0 overall) jgmac1106 and [jgmac1106] joined the channel
bdesham aaronpk: I have a pedantic question for you. The OwnYourGram docs (https://ownyourgram.com/docs#json) show a microformats latitude and longitude but they're arrays of numbers, not strings.
treora Do I hear Facebook is blocking POSSE? Any links to relevant deprecation notices/explanations/critiques?
Zegnat treora, see also https://github.com/snarfed/bridgy/issues/817 and the slew of now-closed feature requests that will never be
[kevinmarks] presumably this will affect silo.pub too
jeremycherfas Interesting observation.
@morid1n How to Get Webmention Working Under WordPress https://infinitediaries.net/how-to-get-webmention-working-under-wordpress/ (twitter.com/_/status/989488445822205952)
@1nfiniteDiaries How to Get Webmention Working Under WordPress https://infinitediaries.net/how-to-get-webmention-working-under-wordpress/ https://t.co/QPCX6CJJli (twitter.com/_/status/989488475878633472)
skippy https://indieweb.org/photo#How_to_markup does the u-photo go on the <img> tag, or on the <h-entry> div containing the image?
KartikPrabhu aaronpk: the placeholder on the login form says "yourdomain.com" but the HTML form validation does not accept that format since it checks for "http or https"
aaronpk or just add http://yourself
Loqi [cweiske] indieauth-openid: Mirror of http://git.cweiske.de/indieauth-openid.git/
pstuifzand I can also use it