#dev 2019-07-25

2019-07-25 UTC
KartikPrabhu, GWG and [tantek] joined the channel
#
[tantek]
There is no redirect on orangemoose's home page
#
[tantek]
Both Aperture *and* OwnYourGram show the /blog URL on the auth confirmation screen and it's not clear *why* they are doing so when https://orangemoose.com/ is a valid home page that DOES NOT REDIRECT to /blog
#
Loqi
David Bryant
#
KartikPrabhu
the authorization endpoint has a */blog/* would that be causing this?
#
GWG
I can answer that one.
#
GWG
WordPress returns the URL of the site.
#
GWG
Which is /blog
#
GWG
As I said, probably should test this
#
[tantek]
GWG, no, the Website URL in the dbryant's user profile in WordPress is https://orangemoose.com/ so if anything, the plugin should be returning that as his identity
#
Loqi
David Bryant
#
GWG
[tantek]: That is problematic.
#
GWG
What if two accounts have the website URL then
#
[tantek]
GWG, as part of the auth flow I thought the "what the user entered into the form" URL was passed along so you could verify it
#
[tantek]
GWG, common case, there is only one user
#
GWG
[tantek]: You are correct. But when there wasn't, it was allowing any other user access to that account.
#
GWG
[tantek]: I sent the first PR working on the problem to pfefferle. Awaiting his approval
#
GWG
But, now we have a new scenario.
#
[tantek]
GWG, another common case, there are multiple accounts with the same URL, but one of them is the admin account. The admin account wins.
#
GWG
The orangemoose scenario is that he is using an identity not inside the install.
#
[tantek]
Else, error
#
GWG
I didn't account for that
#
[tantek]
what do you mean "inside the install"?
#
GWG
[tantek]: WordPress is installed in a subdirectory.
#
GWG
That I accounted for.
#
[tantek]
Since the WordPress profile already has a Website URL, that should be supported
#
GWG
[tantek]: Again, the issue being a security one.
KartikPrabhu joined the channel
#
GWG
But, I am working through those
#
[tantek]
also the auth flow *started* with the domain of the entire site, and only delegated to the WP IndieAuth plugin to authenticate - that should work
#
[tantek]
the same way that I can use tantek.com as my identity and delegate to https://indieauth.com/auth
#
GWG
Let me get this straight, to make sure we're on the same page.
#
GWG
The site being authenticated to is orangemoose.com/blog . The user enters orangemoose.com, where he's added the auth endpoint headers manually.
#
GWG
It redirects him to his blog to authenticate, he does.
#
GWG
The IndieAuth protocol returns an updated me value based on the user account.
#
GWG
Which is what the client uses.
#
GWG
It comes with the spec noting, "The resulting profile URL MAY be different from what the user initially entered, but MUST be on the same domain"
#
GWG
I didn't code it to permit the same domain.
#
GWG
I coded it to be within the same site.
#
GWG
so, I have to allow that.
#
GWG
So, the PR I am awaiting review on starts by mandating unique URLs in that profile...so no two sites can set the same.
#
GWG
Not sites...excuse me.
#
GWG
Accounts
#
GWG
Then, I need to allow a root URL on the same site.
KartikPrabhu and [Michael_Beckwit joined the channel
#
[tantek]
There’s no redirect
#
[tantek]
The site being authenticated is just the domain. There is a page there with auth link rels etc
#
[tantek]
Just because the IndieAuth handler is at a different URL doesn’t mean it gets to change the identity of what delegates to it
#
GWG
Needs thought
gRegorLove and eddiehinkle joined the channel
#
eddiehinkle
eddiehinkle.com
#
eddiehinkle
tantek, actually changing the identity to the canonical version is exactly what the IndieAuth handler should do
#
eddiehinkle
the question though, is how you determine the canonical url within Wordpress
#
GWG
Hard QUESTION
#
eddiehinkle
Yep absolutely. That is the question that has to be figured out
#
GWG
Thoughts?
[eddie] joined the channel
#
[eddie]
Not much different than the discussion above
#
[eddie]
I think the user profile url field makes sense, but if you don’t have a way to verify it’s within the same domain, you either need to have a configuration checker to present an error if that’s not within the same domain
#
[eddie]
Or if it’s a different domain then you would need to fall back to the install path or something similar
#
GWG
The original design used the field.
#
GWG
Now, it still does, but adds extra checks.
#
GWG
I think I need to think about the safe verification practice
#
GWG
I think I may set up a test site that has that configuration to ensure it works.
#
[eddie]
Ohh interesting.
#
GWG
The thing is, that it is hard enough to map a wordpress user to a URL reliably and safely.
#
[eddie]
Absolutely. Wordpress doesn’t really have an idea of a user existing at a url within the instance
#
[eddie]
So that seems like a challenging thing to introduce
#
GWG
So, IndieAuth supports two options right now.
#
GWG
The WordPress site url or the author archive URL... /author/eddiehinkle
#
[eddie]
Those seem like two good options. I think 90% would be single user installs that would use the site url
#
GWG
Yes.
#
GWG
And only 1 user can use the site URL
#
[eddie]
Wait so if that’s the case, what’s wrong with that orangemoose.com site?
#
GWG
[eddie]: orangemoose.com is a static site. orangemoose.com/blog is a WordPress site
#
GWG
It never occurred to me to plan for the possibility that someone would install the site in a subdirectory and want to authenticate as the root domain.
#
GWG
I have to think about how to configure that to work
#
[eddie]
Hmmmm yeah that seems strange ... and possibly somewhat dangerous?
#
GWG
Which is why I would want to set it up and think about it.
#
GWG
I changed the way IndieAuth for wordpress works, as of the latest PR, for security reasons.
#
GWG
The user URL is used for web signin, but not for IndieAuth
#
[eddie]
I guess as long as the IndieAuth server (aka Wordpress) always returns a url that contains the original “me” entry as the beginning of the url it’s safe
#
GWG
Yes, but I need to ensure that.
#
[eddie]
So if IndieAuth gets a request with a me that’s abc.xyz/me Wordpress should NOT return anything higher (abc.xyz/lala would be invalid) but it’s okay to go higher than Wordpress
#
GWG
Also, when I started thinking about AutoAuth, I was thinking about how to handle authenticating as a non-local user.
#
GWG
So I will probably try to fix both problems at once.
#
GWG
Maybe think a bit about web sign in again
#
[eddie]
In some of my IndieAuth client code I verify it by essentially taking the original me and checking that the string starts at index 0
#
[eddie]
So in JavaScript it’s "about.xyz/itsme".indexOf("about.xyz") === 0
#
[eddie]
That tells me that the entire string about.xyz is contained within the other string and it essentially prefixes the string
#
[eddie]
That’s a simpler way to put it. The me string that gets provided to the IndieAuth server needs to prefix whatever is returned as the final profile url
#
[eddie]
So yeah, I think in this case, the user profile should be able to set their associated url to the root domain orangemoose.com
#
[eddie]
Then all Wordpress has to do is when it gets the me request for orangemoose.com, it asks the user to login and then it checks the user’s profile url, then compares that profile url to the me url in the initial request. When the profile url either matches the me request OR the me request prefixes the profile url, then you are good to go
#
[eddie]
If not, I would return an OAuth 2.0 error
#
GWG
[eddie]: Simpler answer though.
#
GWG
Orangemoose.com has to have the WordPress site's authorization endpoint.
#
[eddie]
Yes that as well
#
[eddie]
But you don’t have to verify that as the IndieAuth endpoint
#
GWG
The client usually verifies that, not the endpoint
#
[eddie]
That’s the client’s job (like Indigenous)
#
GWG
I'm just thinking that it needs to check it to save the value in the backend as an allowed profile URL
#
[eddie]
Nah, no need to get that complicated
#
[eddie]
Wordpress will never receive a request from a url that doesn’t have Wordpress set as the authorization endpoint
#
[eddie]
So you can assume that as a given
#
[eddie]
As long as you verify that the me url received is either equal to or prefixes the profile url of the logged in user, that seems good enough
#
[eddie]
If they don’t match return that in the error you send to the client so the user knows
#
GWG
I still want to set up the same test site to see what might happen.
dhanesh95 joined the channel
#
GWG
I feel like I'm never going to get to webmentions though
#
[Michael_Beckwit
WordPress will keep me employed for the foreseeable future, but at times I question their long term goals
gRegorLove joined the channel
#
Zegnat
[eddie]: re: “the me url received is either equal to or prefixes the profile url” - this means that every account on the WP site is allowed to identify as the root domain?
#
Zegnat
Although I guess you could add an extra check: if the account is an admin account then that is allowed, else no?
#
Zegnat
Or alternatively go the Known route and check whether the site is single-user?
jeremych_ and [Rose] joined the channel
#
GWG
We already check for single
[KevinMarks] joined the channel
#
@MacDara
Someone please write ‘Webmention for Dummies’ because I cannot make heads or tails of the scant documentation for user implementation that exists
(twitter.com/_/status/1154323990015557632)
#
@petermolnar
↩️ @MacDara I'm confused - are you looking for implementation guides or just generic webmention docs?
(twitter.com/_/status/1154325646363041795)
#
@MacDara
↩️ A basic set-up and walk-thru for someone who wants to use Webmention on a WordPress install: what code to use, plugins, testing whether it works, etc. I’m not a coder, just a blogger, so if this is something exclusive to that clique, I’m out
(twitter.com/_/status/1154327451167875077)
jeremych_ joined the channel
#
Zegnat
Are they in chat?
#
jeremycherfas
Don't know; will reply to Twitter.
#
@EatPodcast
↩️ @MacDaraBlogs If you want to understand webmentions in WordPress, might this be a good starting point for you? https://boffosocko.com/2017/12/15/threaded-replies-with-webmentions-in-wordpress/
(twitter.com/_/status/1154333410942443520)
[Rose] joined the channel
#
[Rose]
Does anyone have any resources they'd recommend for NoSQL DB introduction? Or any comments on synchronizing (very large) databases across multiple machines
#
Zegnat
Nope, but I will probably start looking into that for work soon, so maybe in a week or 2
#
[Rose]
Ahh, well anything you turn up which you feel is useful please feel free to share and I'll do the same 🙂
[jgmac1106] joined the channel
#
sknebel
NoSQL is a very generic term
[grantcodes] joined the channel
#
[grantcodes]
Depends [Rose] there are few different nosql db implementations (even if they are similar) Do you have one in particular you know you are going to use?
#
[grantcodes]
or what sknebel said 😛
#
Zegnat
The case I will be looking into: we have thousands (tens of thousands? hundreds of thousands? Haven’t gotten the number yet) of articles. They aren’t really interlinked in any special way. Those created several years ago may be based on a different schema than those created yesterday, which is what makes structured databases hard. We need a place to store all of these and query them based on a tiny subset of properties
#
GWG
I am still trying to explain the user problem in my mind for documenting how code like Parse This and Xray can work on parsed HTML
#
Zegnat
I don’t think I follow GWG, could you rephrase?
#
GWG
It was yesterday in dev
#
Loqi
[[tantek]] "where to document things that affected xray and Parse This" - depends on the specific thing, in this case, I just went with answering the first concrete example, fragments
[KevinMarks] joined the channel
#
[KevinMarks]
Is there a good reason to have the large databases on multiple machines rather than on a cloud server?
#
GWG
I wanted to document things like implied h-feed..if you don't have an explicit one, so that it is easier to work with parsed mf2...
#
GWG
And yes
#
GWG
I think they are worth writing down for anyone else who wants to do them
#
Zegnat
(Scratch my previous statement, I apparently need a non-strict-schema db to handle millions of documents.)
#
GWG
But tantek is right, I have not defined the use cases
#
Zegnat
GWG, aah, I gotcha. Really what you are looking at is something like the /authorship algorithm then
#
GWG
Having trouble with that
#
GWG
Zegnat, yes
#
GWG
My use case is that I'll never remember it, and someone else will probably want to do it
#
GWG
So I want to help
#
GWG
And be helped
#
Zegnat
implied h-feed: a user sees a page with interesting items on it and would like to subscribe to it. When the URL is given to the subscriber, no h-feed is found. Question to be answered: are there logical fallbacks to imply a feed from just the items on the page?
#
Zegnat
s/subscriber/subscription service/
#
GWG
I am just using implied h-feed as one concrete example. I have others.
#
GWG
That is the question.
#
Zegnat
Sure, but the different examples may have different use cases
#
Zegnat
Just tried my hand at coming up with the user-based use-case for having an implied-feed-algorithm :)
#
GWG
I think you did
#
GWG
I just wanted to mention I'm not just focused on that one issue
#
Zegnat
Would it make sense to just open an etherpad, drop the things you are thinking about in there, and then get people to help write user-based use-cases?
#
GWG
Maybe
#
GWG
Also a good idea till I figure out where it belongs
#
GWG
The closest sort of thing I am looking for is something like https://indieweb.org/comments#How_to_display
#
Zegnat
Maybe we need more “how to determine” sections, like on https://indieweb.org/authorship#How_to_determine
#
GWG
I'd also like a page that links to all the how to determine stuff
#
GWG
I can never find them when I am looking
#
GWG
I should add one somewhere
#
GWG
I'm back to where again. Darn
#
Loqi
rofl
#
[Rose]
[KevinMarks]
#
[Rose]
* In my case this is because it's for authentication and we host the servers ourselves, but if server A goes down server B needs to be ready to take over instantly.
#
[Rose]
Identity and Access Management
#
[Rose]
!tell sknebel Redis and MongoDB are the two that have been suggested, but I'm open to all possibilities.
#
Loqi
Ok, I'll tell them that when I see them next
#
[KevinMarks]
How volatile is the data?
#
[Rose]
It would be better if the passwords weren't volatile I presume
#
aaronpk
[Rose]: Identity and Access Management? Now you're speaking my language :-D
#
GWG
Zegnat, will give it a shot
#
[Rose]
Aaron, how would you feel about coming and giving us a training session? 😛
#
GWG
Aaronpk, I hear Vienna is lovely.
#
[grantcodes]
Sounds like the db isn't so important but replication
#
aaronpk
In Vienna? How close is that to Amsterdam? heh
#
[Rose]
Not far, maybe 1.5 hours of flying?
#
[Rose]
It won't just be passwords, we also have to cache personal data which ought to be available from another source, and the access management bit is still "TBC", but there's a massive existing system which has to be replaced - and that has everything from "person A owns software X" to phone management, and other things in it.
#
[Rose]
Aaron: Or 12.5 hours on the train: https://www.rome2rio.com/map/Amsterdam/Vienna
#
Zegnat
Hmm, I think we will just be buying an SSO solution.
#
Zegnat
wonders if Okta is on the table
#
sknebel
[Rose]: that doesn't really sound like something that needs nosql
#
Loqi
sknebel: [Rose] left you a message 7 minutes ago: Redis and MongoDB are the two that have been suggested, but I'm open to all possibilities.
#
[grantcodes]
Maybe add couchdb to your list rose mainly because database replication is built in and straightforward enough that I was able to set it up myself.
[pfefferle] joined the channel
#
[KevinMarks]
If you're thinking about those issues, this paper by Lea may be helpful: https://twitter.com/LeaKissner/status/1136626971566149633?s=20
#
@LeaKissner
A few years back, Abhishek Parmar (at the time, the TL of Bigtable) and I started Zanzibar to handle access control for Google products. Like... basically all Google products. The paper is public (and will be in ATC '19): https://ai.google/research/pubs/pub48190 Other bits not in the paper 🧵🧵
(twitter.com/_/status/1136626971566149633)
#
[KevinMarks]
They're working at a much bigger scale, but explain the problem space thoroughly
#
[Rose]
Sknebel: I didn't think so either, but the project manager asked me to research it
#
[Rose]
Thanks Kevin, that's really useful!
#
Zegnat
TIL: “If you want to make sure a URL is not in [Google’s] index then you have to ‘allow’ them to crawl the page in robots.txt and use a noindex meta tag on the page to stop indexing”
#
Loqi
[bhartzer] Google has been very clear lately (via John Mueller) regarding getting pages indexed or removed from the index. If you want to make sure a URL is not in their index then you have to 'allow' them to crawl the page in robots.txt and use a noindex meta ...
#
Loqi
ok, I added "https://news.ycombinator.com/item?id=20326445" to the "See Also" section of /Google_Search https://indieweb.org/wiki/index.php?diff=63919&oldid=63398
#
Loqi
[bhartzer] Google has been very clear lately (via John Mueller) regarding getting pages indexed or removed from the index. If you want to make sure a URL is not in their index then you have to 'allow' them to crawl the page in robots.txt and use a noindex meta ...
#
[Rose]
[grantcodes] Thanks! That's documented as a possibility to explore
ingoogni and [grantcodes] joined the channel
#
[grantcodes]
For node people like [schmarty] [eddie] [Vincent] [Paul_Robert Lloyd] [amit] voxpelli et al. I started a new repo for combined micropub endpoint brainstorming and maybe development in the future: https://github.com/grantcodes/future-micropub-endpoint
[eddie] joined the channel
#
[eddie]
Awesome, looks good :thumbsup:
[KevinMarks] joined the channel
#
voxpelli
Interesting [grantcodes] 😊
#
[grantcodes]
To be honest I think the end goal of that would be very similar to your existing middleware voxpelli but I thought it deserved its own repo, at least for brainstorming purposes
#
voxpelli
[grantcodes]: sure thing, that can keep the discussion more focused. Probably good to have experimentation and drafts happen outside of that repo and only add code once something has somewhat matured/been agreed to
#
[eddie]
I agree, with the exception of maybe creating some branches for experimentation/drafts? So it's still somewhat centralized when people collaborate? But keep Master as a blank slate?
#
[grantcodes]
I think either or is fine, as long as people comment in that repo.
eli_oat joined the channel
#
@aswath
↩️ Not necessarily. We can bring web based id (indieauth or WebID), our addr books contain WebRTC Call URL and connect w each other. XMPP/SIP like trapezoidal conn is not needed.
(twitter.com/_/status/1154410891657515009)
chrisaldrich, [tantek] and gRegorLove joined the channel
#
GWG
My goal this weekend is webmention PRs
#
GWG
Anyone want to ask me on Monday if I achieved any
[snarfed] joined the channel
#
Loqi
GWG has 31 karma in this channel over the last year (159 in all channels)
#
GWG
[snarfed]: I keep getting sidetracked
#
GWG
But I'm eager
[schmarty] joined the channel
#
[snarfed]
=> #-wordpress
#
GWG
I wasn't going to get more technical but okay
#
[snarfed]
heh not you, me!
#
[snarfed]
not technical, just wp-specific
jgmac1106 and [chrisaldrich] joined the channel
#
@apgwoz
↩️ This is at least 5 yrs old at this point, and my interest fizzled. There’s activityPub now, webmention and friends—I think these need to be mentioned as open plumbing, and considered somehow. Not sure!
(twitter.com/_/status/1154448980006170624)
[fluffy], [Jamey_Sharp] and George_null joined the channel
#
George_null
Seeking help: I am trying to add a new section within the middle of my home page, a 3 or 4 section column, that allows the visitor to select or on-hover over a small dropdown list, which would just display a few options they can click on, bringing them to that page on the site. Any advice?
leg, jjuran, [tantek] and [grantcodes] joined the channel
#
[grantcodes]
https://slashreading.org - interesting idea for publishing who you're following from that Twitter convo above.
KartikPrabhu, [snarfed] and jjuran joined the channel