#gRegorLoveEr, guess you'd need the array as a param too, heh
#KartikPrabhumf2py does similar things for python 2.7/3 support
#gRegorLoveI'm finally working on splitting out favorites and photos (and probably replies) from my notes stream. I think I'm going to do a channels thing similar to p3k.
#gRegorLovePartly so I can construct newsletters with or without certain posts more easily.
[chrisaldrich] and snarfed joined the channel
#GWGsnarfed: Apparently, your frustration is shared with other PHP users.
#Loqi[cweiske] shpub: command line micropub client
#[manton]It doesn't seem compatible with Micro.blog's IndieAuth endpoint since shpub sends a redirect_uri of 127.0.0.1. Doesn't appear to be whitelisted in a <link> tag anywhere either.
#Zegnat“It doesn't seem compatible with Micro.blog's IndieAuth endpoint since shpub sends a redirect_uri of 127.0.0.1. Doesn't appear to be whitelisted in a <link> tag anywhere either”
#Loqi[Zegnat] If local shpub knows its own IP and port, it could theoretically already set client_id to shpub.com/?port=1111&ip=127.0.0.1 and have shpub.com serve a dynamic redirect_uri value.
#Loqi[Zegnat] If local shpub knows its own IP and port, it could theoretically already set client_id to shpub.com/?port=1111&ip=127.0.0.1 and have shpub.com serve a dynamic redirect_uri value.
#ZegnatYeah, I was just looking through the logs myself :)
#cweiskeone solution would be to allow all "redirect_uri" by adding a special tag on the client_id page
#LoqiZegnat has 52 karma in this channel over the last year (142 in all channels)
#ZegnatI do wonder if that would make it easier for attackers to intercept the redirect, and thus intercept the auth code ... maybe that would be a reason to support https://www.oauth.com/oauth2-servers/pkce/ on IndieAuth ... needs more thinking
barpthewire1, jeremych_, [jgmac1106], [mrkrndvs] and pointfree13 joined the channel
#petermolnarI'm clicking through some of the indie webring pages, and while I'm surprised on the amount of good photos I'm finding, I'm also surprised a bit on the two polar endpoints of performance I'm finding: either very snappy, very small sites, though some of them could do with some kind of indication for link vs text ( http://sawv.org/ ) or fascinatingly underoptimised ones, eg: https://oyam.ca/blog/archive.html - a single page for 10 y
#petermolnarears of posts, resulting in 53MB in images.
#ben_thatmustbemein case people missed it amongst the spam in #microformats
#skippywelp, my micropub endpoint is broken in fun new ways. it works for the bulk of what i do, but fun new bugs crop up when i try something new!
eli_oat, shreyansh_k11, snarfed, [jgmac1106], jackjamieson and [grantcodes] joined the channel
#[grantcodes]!tell cleverdevil Yeah it's a bit iffy for me too. Don't know if anyone knows any other image proxy services that support resizing on the fly like that
#NinjaTrappeurI'm the guy who implements webmentions for lobsters, I am wondering if you plan to change your ruby webmention client architecture anytime soon
#NinjaTrappeurmore specially if I can safely use the discover_webmention_endpoint_from_html (and http equivalent) safely
Pilfers joined the channel
#NinjaTrappeurgood morning :) (it is actually 6pm in my timezone ><)
#aaronpktho it looks like that one doesn't do discovery from an HTML string, it expects to be able to fetch the URL itself?
#NinjaTrappeurYup, that's my problem, this does not really fit my workflow... I'm gonna read further to see if I can trivially expose a way to "plug" my HTML. I guess it'll still gonna need to get the HTTP headers from one way or another.
#NinjaTrappeurWebmentions discovery is not as trivial to implement as I first thought :)
#aaronpkwell to answer your first question, i don't think we're planning on changing that gem's API, anything we do will be internal refactors
#[Petrk]Hello, Im new here and have recently read about IndieAuth.
#[Petrk]I could test the function on IndieLogin.com and it works well, but now I want to implement it as provider and how to make it work with applications where login information are requested. But I dont know how to work with POST requests and how to verify it. With cURL I could test in my terminal, but I dont know how to make that work in productive way. I hope you can help
#[Petrk]I want to build up a regional digitalization network for companies and people who provide own web services like blogs, information sites etc. For that I want to set up a Identity service for free, no costs, no commercialization. I have made first trials with simpleID for openID, but the protocol seems to be nearly dead(?), OAuth2 were better, but its harder to setup, more complex and I dont have a server to provide it independent from another co
#[Petrk]found IndieAuth and it seems to be really easy to use, but I dont know how to use it after I get the code from callback and how to implement this in application like nextcloud, humhumb, rocket.chat, friendica, etc... I joined the slack channel here, because I hope I can talk and get help from people who have more experience in it.
#aaronpkhm, if you're trying to get people to be able to log in to things like nextcloud, that's going to require quite a bit of work to modify that software to work with it
#[Petrk]I mean IndieAuth work, but the problem is the integration in services, if no "client" in popular software is using IndieAuth, how it can be used?
[iambismark] joined the channel
#Zegnat[Petrk], the services that are interested in allowing people to login with IndieAuth will have to add that capability to their software. You’d want to ask Nextcloud to support it, or built a plugin for Nextcloud, if that is what you are after.
#[Petrk]Ok, due my lack in experience in programming such things, I think only openid stay here as solution, right?
eli_oat joined the channel
#ZegnatThat depends. Did you check that Nextcloud / Humhumb / RocketChat / Friendica / etc all support OpenID? If they do not, that will give you the same issue
#aaronpkthe other problem with openid is there are basically no providers left
#[Petrk]@Zegnat, Nextcloud provide a plugin, humhub has developer instructions, rocketchat provide that as in work in github issues, friendica provide openid natively
#[Petrk][aaronpk] thats why I would choose simpleID as provider
snarfed joined the channel
#ZegnatSounds like you have done your research then [Petrk] :)
#[Petrk]I just hoped to use IndieAuth, due its look better and more userfriendly
#[Petrk]but even so, I still dont know how to use it after the login code was successful
#aaronpkwell you have to check that the code is valid by sending a POST request with the code back to indieauth.com, like described on that page
#aaronpkhow you do that is very dependent on what language you're using to write this code in
#[Petrk]ok, lets say php, this should work everywhere
#aaronpksure, so you can search for how to make a post request in PHP and find examples
#[Petrk]but I could not find any documentation how to check this and how to forward than to the site
Chords, snarfed, sl3dge__ and [eddie] joined the channel
#[eddie]aaronpk: I’m thinking through steps regarding detecting and sending responses to ActivityPub posts. Let me know how this measures up to yours. Seems like what I’m thinking is: 1) Fetch the targetUrl as JSON, if that fails it’s not ActivityPub. 2) If you receive a response, check for @context to contain “https://www.w3.org/ns/activitystreams” in the response data to verify it’s ActivityPub. 3) Check the attributedTo variable to retrie
#[eddie]authorUrl as JSON in order to get the inbox
#aaronpk@context can be either a string or array, so keep that in mind
#aaronpksome servers will only give you back the JSON result if you send "Accept: application/activity+json" or "application/ld+json"
#[eddie]Ahh gotcha. Those are two good potential gotchas
#aaronpksending replies is a bit tricky because you need to also include a "Mention" in the tags array, and also you need to include the person's "preferredUsername" in the post text for mastodon to show it as a notification
#[eddie]Do you know if activity or ld is “preferred”
#aaronpki've only been sending "activity", someone else told me that some servers also respond to "ld"
#aaronpkalso apparently "attributedTo" *can* be an object, although I don't think I've encountered that yet
#Loqiaaronpk has 103 karma in this channel over the last year (315 in all channels)
#snarfedand because AP underspecifies auth/sigs itself, so you usually have to dive into individual servers' code to figure out what they expect
#aaronpkoh and then when you're sending a reply, unless you also serve that at a URL that sends back JSON (or support conneg), it will "look weird" to people on other servers since they won't be able to interact with it
#sknebelaaronpk: did you mention that to the mastodon devs? If they're looking to make interoperability easier, "error messages" is comparatively low hanging fruit...
#[eddie]I figured I would do conneg as it seems pretty easy in node.js
#aaronpkso you probably want to prioritize text/html in your accept header
#[eddie]Mastodon does conneg, though. So I need to actually do 2 queries rather than prioritize, right? Because Mastadon would return text/html rather than ActivityPub if I prioritize text/html?
#aaronpksknebel: oh good point i might actually already be sending a Link header
#aaronpkmastodon is definitely not meant for one person, you'll end up with an empty "home timeline" and a bunch of the features won't make sense. but i know some people who are doing that anyway.
#skippyin single-user mode the default home page is the "about", though? so Mastodon clearly supports the notion of single user.
#LoqiIt looks like we don't have a page for "Pleroma" yet. Would you like to create it? (Or just say "Pleroma is ____", a sentence describing the term)
#[manton][cweiske] @Zegnat Sorry, catching up... Micro.blog doesn't actually check <link> for redirect URLs yet, so that's an improvement I need to make. But regardless, it seems like shpub will break for any IndieAuth provider that enforces the redirect check for security.
#Zegnat[manton], yes, if you are strictly enforcing the redirect_uri check, shpub will not work for you.
#[manton]It seems like shpub could be modified to always use localhost for the redirect, which is more easily whitelisted, but maybe I'm missing something. I've only used it very briefly.
#[manton]Micro.blog could also warn about this instead of making it an error, but generally I think the redirect check is a good thing.
#ZegnatYou are missing running it on a non-local machine, e.g. on a remote machine you are connected to via ssh.
#aaronpkZegnat: i don't understand why 0.0.0.0 doesn't work at that point?
#ZegnatI think this is a case where shpub is running on a remote machine. You then need to authenticate and use your local browser to authenticate. The redirect uri however needs to loop back to the remote machine.
#aaronpkthe big picture is that until we get all the edge cases of this worked out, it's probably best for the authorization server to show a warning (and maybe even make the user click something to confirm) if the redirect uri isn't registered or doesn't match
#ZegnatCan we add a note to that effect in the spec? Because right now people are recommended to outright block non-verified redirect_uris
#sknebelHm, that's a tricky one... How much do you trust users to do the right thing effectively
#sknebelAlthough you can always work around it using a specially crafted site, so I guess little point in making the direct way forbidden?
#Zegnatsknebel, any idea if using xip.io (or something like it) would leak information? Logging policies? That’s the one thing I thought of as a point agains a dynamic client_id page (example.org/shpub?ip=1.2.3.4&port=1234): it means every time you authenticate with shpub you tell someone else about the IP you are on.
#sknebelYeah. And since it is possible, the wildcard registration doesn't make it less secure in the normal case
#ZegnatThe wildcard registration may even be more private (regardless of secure) as you don’t have to inform the third party client_id hoster of where you are going.
#ZegnatThis should be noted in the issue, probably
#Loqi[Zegnat] @sknebel points out [in chat](https://chat.indieweb.org/dev/2018-08-13/1534192339261900) that clients are already able to work with variable redirect URLs by passing the `redirect_uri` value along to a specially crafted page at `client_id`. Example:
...
snarfed, snarfed1 and jgmac1106 joined the channel