#Loqi jacky: [tantek] left you a message 9 hours, 49 minutes ago: a bit delayed, re: how to display reply content from others on your site, we've been collecting various how-tos, examples, techniques here: https://indieweb.org/comments
#Loqi jacky: [tantek] left you a message 9 hours, 46 minutes ago: been trying to use the singular /reply meaning a reply post on your own site, and the plural /comments to mean display of others' replies on your site. Similarly, /like vs /likes, /repost vs /reposts, and even /RSVP vs /RSVPs!
valuemachine, gRegorLove, [wtmonroe], Ruthiarcos, [tantek] and [fluffy] joined the channel
#[fluffy] [aaronpk] I’m getting pretty close to rolling out a version of Publ with IndieAuth support. Any chance I could get beesbuzz.biz added as a client ID so I can start using it on my own site? 🙂
#GWG Mozilla is the enemy of the people and all that
#[jgmac1106] any company ISPs hate is a good friend of the web
gRegorLove, ben_thatmustbeme, [wtmonroe], [jgmac1106] and jgmac1106 joined the channel
#jgmac1106 a new feature in firefox (dev 67.0.4) has me go to an open tab if I try to type the same root domain in a new tab. Anyone know how to turn it off?
[tantek], ben_thatmustbeme, petermolnar, [davidmead], [grantcodes], valuemac_ and leg joined the channel
#@jaroslawjarosik ↩️ I'd probably put microsub servers and clients somewhere there too but that's a complex matter as these have no proprietary protocols and most often have no second one to pair, you just grab ones you like and they will play together nicely (twitter.com/_/status/1147925738043191296)
#GWG I am still trying to conceptualize what modifications I need to get to AutoAuth
#Loqi It looks like we don't have a page for "yours, GWG" yet. Would you like to create it? (Or just say "yours, GWG is ____", a sentence describing the term)
#GWG I have the problem that tokens are tied to users on my platform
#GWG So, someone getting a token from my endpoint must be a user right now.
#sebsel If you go to the basis of it, the token endpoint is just a place that takes a random string (the token) and maps it to a URL (the user the token represents) and some scopes. And it does the reverse: once it verified some steps, it gives out those tokens.
#sebsel There is not really a notion of 'user' there, other than that URL.
#GWG Correct, but that only works if you are on a platform that doesn't use users for permissions
#sknebel well, you potentially could have a kind of "holding state" for URLs that currently do not map to users
#GWG Also, look at the spec where it mentions user profiles
#sknebel if we assume that *if* a user-URL is granted special access to something a user for it will be created
#GWG For me, it is easier for that holding state to be a type of user
#sknebel "Also, look at the spec where it mentions user profiles" - what do you mean?
#sknebel true, but that doesn't have to 1:1 match your definition of a user
deathrow1 joined the channel
#sknebel the "holding state" would in my mind be something like "this request has a confirmed identity attached, but they're not a user, so they're treated the same as an unauthenticated request"
#GWG In the definition I am thinking of, a user would be a row in the user table. That allows it to be associated with arbitrary data like a user id, url, etc
#sknebel right, and I'm not sure you want to add a user just because someone made an authenticated request
#GWG If I don't do that, I have to change how I store tokens, as they are associated with the user id
#GWG aaronpk at IWS was commenting on letting anyone authenticate so you know who is reading your feed
#GWG Which is an interesting idea... I am oversimplifying that conversation
#sknebel it also enables people to follow you, including private posts, even if your system doesn't know them yet
#GWG So, back to the system automatically creating unprivileged users
#sknebel otherwise their (e.g.) reader would have to regularly attempt to auth, even if it has been failing for a long time, to make sure to catch the moment they're added
#GWG Is there a risk in adding a user who has no permissions that I could escalate over time?
#sknebel could be an annoyance - many users added you don't actually care about
#sebsel I have no knowledge of the wp_users table, but to me it feels like you want a different table for this info.
#sknebel bugs that allow escalation from any existing user now can become relevant
#GWG But admins should know what tokens are issued on the system
#sknebel if you remove a user's permissions, the token shouldn't matter (although a system might choose to automatically revoke tokens based on it?)
jgmac1106 joined the channel
#sknebel I guess for things like Micropub it makes sense, e.g. "service X is suddenly spamming broken posts, let's kill their token and not wait for the user to do it"
#GWG So, I have a lot of little things to handle around that
#sebsel the token is telling you: this is X who is viewing this. And you say: well X, I don’t know you and I don’t have any, so here is just the normal homepage
#GWG I want to uncheck the scope on the authorize page if you don't have it
#sebsel well if it's actual work it's not yak shaving. Yak shaving is doing the things you think are required, but are actually just keeping you from the real stuff.