#dev 2019-07-07

2019-07-07 UTC
#
Loqi
jacky: [tantek] left you a message 9 hours, 49 minutes ago: a bit delayed, re: how to display reply content from others on your site, we've been collecting various how-tos, examples, techniques here: https://indieweb.org/comments
#
Loqi
jacky: [tantek] left you a message 9 hours, 46 minutes ago: been trying to use the singular /reply meaning a reply post on your own site, and the plural /comments to mean display of others' replies on your site. Similarly, /like vs /likes, /repost vs /reposts, and even /RSVP vs /RSVPs!
#
jacky
ooh interesting bit re: singular vs plural
valuemachine, gRegorLove, [wtmonroe], Ruthiarcos, [tantek] and [fluffy] joined the channel
#
[fluffy]
[aaronpk] I’m getting pretty close to rolling out a version of Publ with IndieAuth support. Any chance I could get beesbuzz.biz added as a client ID so I can start using it on my own site? 🙂
#
[fluffy]
er, IndieLogin support
#
@nhoizey
↩️ That’s what @AaronGustafson’s Webmention plugin for Jekyll does, with an additional refresh rate depending on the article age, so that every build is fast, while not losing any mention.
(twitter.com/_/status/1147798614900715521)
gRegorLove and dhanesh95 joined the channel
#
GWG
Morning
#
Loqi
guten morgen
[jgmac1106] joined the channel
#
[jgmac1106]
dns over https didn't break anything for IndieAuth for me, not that it should but just wanted to check
#
GWG
It shouldn't have
#
GWG
Unless something is blocking it
#
[jgmac1106]
you have to manually turn it on because of UK ISPs
#
GWG
I saw that
#
GWG
Mozilla is the enemy of the people and all that
#
[jgmac1106]
any company ISPs hate is a good friend of the web
gRegorLove, ben_thatmustbeme, [wtmonroe], [jgmac1106] and jgmac1106 joined the channel
#
jgmac1106
a new feature in firefox (dev 67.0.4) has me go to an open tab if I try to type the same root domain in a new tab. Anyone know how to turn it off?
[tantek], ben_thatmustbeme, petermolnar, [davidmead], [grantcodes], valuemac_ and leg joined the channel
#
@jaroslawjarosik
↩️ I'd probably put microsub servers and clients somewhere there too but that's a complex matter as these have no proprietary protocols and most often have no second one to pair, you just grab ones you like and they will play together nicely
(twitter.com/_/status/1147925738043191296)
#
GWG
I am still trying to conceptualize what modifications I need to get to AutoAuth
#
sebsel
I am too
#
GWG
sebsel, what are your stumbling blocks?
#
sebsel
we had some discussions in Åmål about the differences between the normal IndieAuth token flow and this new token flow
#
sebsel
to me, it feels like this is a totally different endpoint.
#
sebsel
but I've been yakshaving myself into writing a token endpoint for the 'normal' flow first, to get to know the details better.
#
sebsel
what are yours, GWG?
#
Loqi
It looks like we don't have a page for "yours, GWG" yet. Would you like to create it? (Or just say "yours, GWG is ____", a sentence describing the term)
#
GWG
I have the problem that tokens are tied to users on my platform
#
GWG
So, someone getting a token from my endpoint must be a user right now.
#
GWG
Having trouble reconciling that with unknowns
#
sebsel
yea, I have that too, which is why I now write a new one.
#
GWG
The simplest solution is to create users for external parties
#
GWG
But users with no privileges
#
sebsel
This could also be an argument for 'this is a different endpoint'.
#
GWG
I'm not sure about that
#
GWG
I decided that I probably need to harden the security before allowing those users
#
sebsel
I should be careful with my thinking here indeed. My mind wants to think of it as a different endpoint and seeks excuses to do so.
#
GWG
My problem is that the token endpoint should be handling security, not the Micropub endpoint
#
GWG
But I have a fundamental architecture issue
#
sebsel
If you go to the basis of it, the token endpoint is just a place that takes a random string (the token) and maps it to a URL (the user the token represents) and some scopes. And it does the reverse: once it verified some steps, it gives out those tokens.
#
sebsel
There is not really a notion of 'user' there, other than that URL.
#
GWG
Correct, but that only works if you are on a platform that doesn't use users for permissions
#
sknebel
well, you potentially could have a kind of "holding state" for URLs that currently do not map to users
#
GWG
Also, look at the spec where it mentions user profiles
#
sknebel
if we assume that *if* a user-URL is granted special access to something a user for it will be created
#
GWG
For me, it is easier for that holding state to be a type of user
#
sknebel
"Also, look at the spec where it mentions user profiles" - what do you mean?
#
GWG
It says users
#
sknebel
true, but that doesn't have to 1:1 match your definition of a user
deathrow1 joined the channel
#
sknebel
the "holding state" would in my mind be something like "this request has a confirmed identity attached, but they're not a user, so they're treated the same as an unauthenticated request"
#
GWG
In the definition I am thinking of, a user would be a row in the user table. That allows it to be associated with arbitrary data like a user id, url, etc
#
sknebel
right, and I'm not sure you want to add a user just because someone made an authenticated request
#
GWG
If I don't do that, I have to change how I store tokens, as they are associated with the user id
#
sknebel
seems so
#
GWG
Well, I had the idea of adding users to represent people in my contact list for a long time
#
sknebel
(unless you only give out tokens to users that actually exist as users in your system, but that also has pitfalls)
#
GWG
So I could import their h-card, subscribe/update it, allow for private responses, etc
#
GWG
Well, who should get authenticated posts if not people I trust?
#
GWG
Who are in my network?
#
GWG
That's a long standing question
#
GWG
aaronpk at IWS was commenting on letting anyone authenticate so you know who is reading your feed
#
GWG
Which is an interesting idea... I am oversimplifying that conversation
#
sknebel
it also enables people to follow you, including private posts, even if your system doesn't know them yet
#
GWG
So, back to the system automatically creating unprivileged users
#
sknebel
otherwise their (e.g.) reader would have to regularly attempt to auth, even if it has been failing for a long time, to make sure to catch the moment they're added
#
GWG
Is there a risk in adding a user who has no permissions that I could escalate over time?
#
sknebel
could be an annoyance - many users added you don't actually care about
#
sebsel
I have no knowledge of the wp_users table, but to me it feels like you want a different table for this info.
#
sknebel
bugs that allow escalation from any existing user now can become relevant
#
sebsel
also, you don't even need that table.
#
sebsel
From the token, you can get an identifier for the user, and all you have to do is answer the question: can this user see this post?
#
sebsel
which could be stored on the post
[tantek] joined the channel
#
sebsel
showing feeds is a different problem then. But it almost feels like a taxonomy (if we're talking WP terms)
#
sebsel
A user_id, a row in the wp_users table, a profile URL... they are all not users, but just identifiers for a user (as in a human)
#
sknebel
but if WP has the infrastructure to handle this for WP users, it makes sense to use it
#
sknebel
*probably makes sense
#
GWG
Which is why I will probably invest time in locking it down
#
sebsel
and with 'the infrastructure' you mean WP's login form?
#
sknebel
I'm assuming concepts for post permissions etc tied to users also already exist
#
sebsel
yea there is this 'subscriber' role, I believe. But again I'm no expert.
#
GWG
sebsel, you are correct
#
GWG
And custom roles can be created
#
GWG
roles are just a collection of permissions
#
sebsel
a different angle on this: as a user, it is a nice feature to have a page with all my tokens, so I can revoke them.
#
sebsel
but here, the admin / writer of the blog, would be the one who wants to see those tokens as well (?)
#
sebsel
hm, but there can be value in seeing my tokens on your site, as a reader, as well.
[wtmonroe] joined the channel
#
sknebel
sebsel: for the reader, that's something the auth endpoint can provide
#
sknebel
or rather, should be able to provide
#
sknebel
why all the tokens go through the auth endpoint
#
sknebel
although I guess it might not know all attached detail, so a way of viewing them on the other side could still be useful
#
sknebel
it's an interesting question what kind of interface a site operator would need/want
#
GWG
I think talking IndieAuth UI would be a great conversation
#
GWG
I mirrored a lot of what I was seeing others doing, with a little original UI
stevej[m] left the channel
#
GWG
I have a token revocation admin page already
#
GWG
What I need is one for admins that can show all users
#
sknebel
could be a thing
#
sknebel
question is: when would you revoke a user's token as the admin?
#
GWG
Not sure
#
GWG
But admins should know what tokens are issued on the system
#
sknebel
if you remove a user's permissions, the token shouldn't matter (although a system might choose to automatically revoke tokens based on it?)
jgmac1106 joined the channel
#
sknebel
I guess for things like Micropub it makes sense, e.g. "service X is suddenly spamming broken posts, let's kill their token and not wait for the user to do it"
#
sknebel
so that'd be a multi-user site
#
sknebel
I'm less sure it's important for read-only users, but still could be a thing
#
sebsel
yea, so: only create the user in the table once they have permissions attached
#
GWG
sknebel, right now, the system will issue tokens for scopes that reflect permissions the user doesn't have
#
GWG
It will fail when you try to use it
silent_Activist[ joined the channel
#
sknebel
yes, that's fine I think
#
GWG
So, I have a lot of little things to handle around that
#
sebsel
the token is telling you: this is X who is viewing this. And you say: well X, I don’t know you and I don’t have any, so here is just the normal homepage
#
GWG
I want to uncheck the scope on the authorize page if you don't have it
#
GWG
Or rather, disable it automatically.
#
GWG
Either way, scope improvements are needed.
#
GWG
But, assuming I get past that stumbling block, I also need to build that private and public setup you mentioned.
#
GWG
So, a lot of security hardening to make this work for me.
#
GWG
Which, what did you call it? Shaving?
#
sebsel
well if it's actual work it's not yak shaving. Yak shaving is doing the things you think are required, but are actually just keeping you from the real stuff.
#
GWG
I just wonder if it is worth it.
#
sknebel
sebsel: which, as far as I know, is actually not the original definition of yak shaving
[pfefferle] joined the channel
#
sebsel
hm then I'm using it wrong. Either way, I'm procrastinating by building a token endpoint instead of doing real AutoAuth.
#
sknebel
aaronpk: can you take a look at https://github.com/sknebel/AutoAuth/issues/18 ? there might be an answer along the lines of "OAuth prefers X" I don't know
#
Loqi
[sknebel] #18 Pass data via Token Request vs Authorization Code Verification response?
dougbeal|imac, lyon[m] and gRegorLove joined the channel
#
gRegorLove
!tell mblaney did my like of your post come through?
#
Loqi
Ok, I'll tell them that when I see them next
valuemachine, [KevinMarks] and KartikPrabhu joined the channel