eli_oat, KevinMarks, snarfed and [keithjgrant] joined the channel
#[keithjgrant][grantcodes] Do I need to do anything different with your micropub lib to send HTML content? Or markdown? (Is markdown valid in micropub? That's how my site stores stuff behind the scenes)
#[keithjgrant]Also: damn, your docs are nice. What do you use to generate those?
[grantcodes] joined the channel
#[grantcodes]Markdown isn't valid. I guess it's possible or some sites to support it, but no requirement so you'd have to have a fallback which kind of negates the point of if
#[grantcodes]To send html is just standard micropub stuff
#[keithjgrant]I'm curious how much that should be a one-click thing. Or would it be ok if it inserted the emoji in the compose window and let you edit further before submitting...?
#pstuifzandgrantcodes re: endpoints, I need some more CORS headers there as well
AngeloGladding joined the channel
#pstuifzandI thought it would be possible to get them without credentials
#pstuifzandgrantcodes: I now use micropub-helper to implement the Indieauth support in the Microsub client
jjuran joined the channel
#[grantcodes][keithjgrant] I'm pretty sure if there is more than a single emoji in the content then it is not a reacji anymore
#[keithjgrant]Think I should keep it as a one-click to send then?
#[grantcodes]pstuifzand: Cool, I'll need to try out your microsub client. I think I have cors stuff setup on my site so it would work, but the vast majority of people do not
barpthewire joined the channel
#ZegnatGWG, I was just reading the backlog, interesting thoughts on securely storing tokens. There is definitely something to say for using a file-stored key to encrypt database-stored sensitive data, as that gives you some protected against leaks through SQL injections and the like.
#ZegnatBut I think the real win is to promote minimal scopes on tokens more. If I am giving my WP blog a token that lets it automatically cross-post using micropub, how much do I trust the WP blog to only do that? I can mitigate my trust by scoping the token in such a way that it only allows "create". Even if the token were to leak now, nobody can use it to update/delete my posts.
[manton] joined the channel
#[manton]On Markdown being "invalid" as Micropub text, Micro.blog has been doing this and I don't think it has created any problems. I know there were some concerns and it's probably worth revisiting.
#aaronpkSending markdown as text in Micropub isfine as long as your site knows to treat it as markdown
#aaronpkThe challenge is when editing since editing clients will treat it as plaintext too. But since markdown is meant to be close to plaintext it ends up working mostly fine
#aaronpkSo it's not that it's "invalid", it's that there is no mechanism for clients and servers to communicate that the text is markdown so it's up to the server to handle it how it wants. The nice thing is that it's your server so you can choose to make that work if you want. And chances are you're the only person sending data to your server so again it works out fine in practice.
#sknebelI'd assume quite a few sites, static or not, return the storage format for posts
#ZegnatI thought you were talking about storing auth tokens of external services, GWG? So it isn’t your local site that determines what is/isnot allowed with that token
#ZegnatBasically I am saying, change the question. Rather than wondering “what to do so WP does not leak the auth token” you should wonder “what can I do so an auth token leak does the least damage possible”.
#ZegnatIn the end, you are not going to have all to many tools to secure random WP installations on random shared hosting providers. But you may be able to push for a healthier token climate on the second question :)
#pstuifzandgrantcodes[m], I just removed the last hard coded bits from the microsub client. It should be possible now to clone the repo and npm install / npm run serve it.
jgmac1106 joined the channel
#tantek.comcreated /schema.org (+453) "prompted by [keithjgrant] dfn, summary of creation, re-use/re-invention, launch" (view diff)