#dev 2019-10-08

2019-10-08 UTC
IPFSFanDiscord[m, t-mo, imsky, jfoster and [dmitshur] joined the channel
#
[dmitshur]
I have a (long-ish) question about indieauth (the protocol). I _think_ I've found an answer myself, but want to confirm.
#
[dmitshur]
In OAuth 2.0 web application flow, there is a part where the OAuth provider shows a page like "example.com wants to access your <account> with the following permissions: 1. read public data, 2. write foo/bar", and the user has to press a green Authorize button to proceed if they wish.
#
[dmitshur]
Does something like this happen as part of IndieAuth? it would be something like "example.com wants to authenticate you as <yourname.com>, okay?" since there are no authz permissions or scopes involved, just authn. but still, it may be scary to get immediately signed in with your site without such a screen.
#
[dmitshur]
As I understand, it "should" happen and it's to be done by the authorization endpoint (i.e., part of step 4 in the diagram at https://indieweb.org/indieauth-for-login). The relevant section in the spec seems to be section 7.2, https://indieauth.spec.indieweb.org/#preventing-phishing-and-redirect-attacks.
#
[dmitshur]
I tested this out recently on a site I'm pretty sure I never tried to sign in to before (but maybe I forgot?), https://unicyclic.com. I entered my domain and pressed the Log In button. It redirected me to indieauth.com, which asked me to prove to it that I am dmitri.shuralyov.com, and then it just logged me in to https://unicyclic.com without any more questions.
#
[dmitshur]
I understand that IndieAuth the protocol can offer a better/different experience in this regard, if I just implement IndieAuth on my site instead of relying on RelMeAuth that indieauth.com used.
#
GWG
IndieAuth uses rel me auth. You can use any authentication to verify yourself during authorization
[tantek] joined the channel
#
Loqi
Ok, I'll tell them that when I see them next
#
[tantek]
!tell snarfed re: #445 seems like a pretty straightforward case of "keep Bridgy simple" and closing accordingly. Also original requester shut down their service and not seeing anyone else care for 4 years seems like a pretty clear cut case of a great edge case to avoid complexifying the code over.
#
[dmitshur]
GWG, thanks, but my question wasn't about verifying myself, it was about presenting a grant/deny dialog when going through web sign-in.
#
[dmitshur]
I think the second half of this sentence at https://indieauth.spec.indieweb.org/#authentication is the most clear confirmation:
#
[dmitshur]
"The authorization endpoint verifies the End-User, e.g. by logging in, and establishes whether the End-User grants or denies the client's authentication request"
#
GWG
Okay, I misunderstood
#
GWG
But yes.
gRegorLove joined the channel
#
[dmitshur]
also relevant:
#
[dmitshur]
> Once the user is authenticated, the authorization endpoint presents the authentication prompt to the user. The prompt MUST indicate which application the user is signing in to, and SHOULD provide as much detail as possible about the request.
#
gRegorLove
indieauth.com does that
#
gRegorLove
I get "Allow unicyclic.com access to gregorlove.com?
#
gRegorLove
The app https://unicyclic.com would like to access your site, https://gregorlove.com/"
[Lewis_Cowles] and mblaney joined the channel
#
mblaney
I think the question is should indieauth.com display the scope that unicyclic.com is requesting?
#
mblaney
let me know if I've got that wrong dmitshur
#
[Lewis_Cowles]
It'd be pretty bad for end-users if scopes were incorrectly communicated
#
aaronpk
[dmitshur]: yes that's called the consent screen
#
aaronpk
it's ultimately up to the IndieAuth server whether and how and when to show it, but it's generally a good idea
#
gRegorLove
indieauth shows the scope
#
mblaney
gRegorLove are you talking about indieauth.com? I didn't see it.
#
gRegorLove
Yeah "The app is requesting the following scopes: create"
#
mblaney
I'm entering dmitri.shuralyov.com into unicyclic.com and don't see that when I get to indieauth.com
gxt joined the channel
#
mblaney
interesting, I am shown scopes for gregorlove.com :-D
#
gRegorLove
oh, no mp endpoint?
#
gRegorLove
I bet that's it, so it's just doing authentication
#
mblaney
ah yeah that makes sense.
cweiske and krychu joined the channel
#
@digitarald
↩️ Oh, sweet. Disqus is broken for a while on my legacy/mostly-dead http://digitarald.de and I was thinking about what a new static site would use. webmentions looks great.
(twitter.com/_/status/1181474981567455232)
[tonz] joined the channel
#
[Lewis_Cowles]
oh man gmail is boiling my ****
#
[Lewis_Cowles]
Add 30 whitespace chars so that an email client doesn’t cut-off-content… That is a trip
jeremych_ and [jgmac1106] joined the channel
#
[jgmac1106]
Yeah fine with #445 and fragments not working with Bridgy worked on a single note per page layout last night
#
[jgmac1106]
Incentive to learn more PHP so I can build daily or p-category views
#
[jgmac1106]
One of my fav features of Known is any hashtag automatically converting to a link and having its own RSS and now h-feed.... Long time before I figure that out
#
jeremycherfas
I have found, though, that hashtags in Known do not get syndicated out to, e.g., microblog.
#
[Lewis_Cowles]
[jgmac1106] could you avoid PHP by putting in separate posts, and using search functionality (perhaps with rewrite) to show those posts?
#
[Lewis_Cowles]
if it’s WP, you might be able to do that. If it’s static, probably not
#
[Lewis_Cowles]
* rewrite (vanity url like /photos/2018/10/18 instead of q=&thing=&category=&tags=)
#
[jgmac1106]
Not WP, just writing HTML and then sftp to server. Not an though I like the old school blogs of short notes chronologically served on files by date, either month or day
#
[jgmac1106]
On another note I need to learn how javascript and php work together. Only javascript I use is a collapsible menu on <800px devices
#
[jgmac1106]
Ever since I moved my nav into header.php the javascript does not work. Might just drop and try to write a media query using a vertical flexbox and details/summary
#
[jgmac1106]
Then I can get back my claim of being javascript free
#
jeremycherfas
Where is the script itself?
#
[jgmac1106]
In a separate file
#
jeremycherfas
So, not loaded with the page?
#
jeremycherfas
Give me a link to a page on which it is supposed to work.
#
[jgmac1106]
jgregorymcverry.com
#
[jgmac1106]
Wondering if I can write a media query where content summary is default open on large displays and default closed on small. Then I can use horizontal flexbox big and vertical flexbox small
#
jeremycherfas
I can see that .navbar-items is set to display: none; but I cannot see where I am supposed to click to change that. Do you have a hamburger icon or anything?
deathrow1 joined the channel
#
jeremycherfas
I'd love to be able to show you how I am doing it with flex on my new theme, but that would mean ngrok and a whole lot of stuff right now.
#
jeremycherfas
Let me see if I can extract the code for you.
#
[jgmac1106]
No worries. If i make a page and manually add my header it works. Must be way I am calling the javascript. Yes hamburger icon. Gotta make kids breakfast
#
jeremycherfas
OK. Just realised I can't easily show you, because all my responsiveness is built with Tailwind. So it handles the breakpoints by using things like `sm` and `md` as prefixes. You would have to translate
#
[jgmac1106]
Will fix the javascript. Has to be a simple issue. Will just try moving that one line back to each file. Should work
#
[jgmac1106]
Then keep playing with flexbox and details/summary media queries
#
jeremycherfas
Good luck.
#
[jgmac1106]
Get my No Javascript Badge back from the Order Of Holy Pretentiousness... It's good nerd cred
#
jeremycherfas
Just turned Lighthouse on briefly and it illuminated what I already knew; got to work on a11y
UsamaIrfanDiscor, imsky and krychu joined the channel
#
[jgmac1106]
Just had thought... The script prolly points to *.html
imsky, [tantek], [aaronpk], [Lewis_Cowles], dougbeal|iOS, dougbeal| and jfoster joined the channel
gRegorLove, [snarfed], [bdesham], [schmarty], [jgmac1106], gxt, AutoAIDiscord[m], [Rose] and [fluffy] joined the channel
#
[fluffy]
[tantek] pushl seems to handle protocol-relative webmention endpoints correctly, incidentally. When I mention http://tantek.com it resolves the endpoint to http://webmention.io/tantek.com/webmention and when I mention https://tantek.com it resolves the endpoint to https://webmention.io/tantek.com/webmention
#
[fluffy]
Although I’m not sure why you’d bother with protocol-relative in this case since http://webmention.io just redirects to https://webmention.io anyway
#
[fluffy]
so all that effectively does is create an additional forwarding http transaction
#
aaronpk
and technically http clients aren't supposed to re-do the POST after a 301 redirect
[tantek] joined the channel
#
[tantek]
Oh interesting
#
aaronpk
I can see the argument for protocol relative if you're hosting your own webmention endpoint on the domain
[KevinMarks] joined the channel
#
[tantek]
Sounds like the webmention.io docs should clarify that then, to only use https as the endpoint for it since the http redirect will break the webmention POST
#
[schmarty]
oh here are the release notes. they're clearer: https://github.com/tootsuite/mastodon/releases/tag/v3.0.0
#
aaronpk
I mean webmention.io never says you can use http anywhere, and all the examples are https
#
[tantek]
Might be good to warn against it
#
[tantek]
Since it could be an unintentional silent failure
krychu joined the channel
#
[tantek]
On a separate topic, who here has gotten HTTP Authorization headers working on Dreamhost? This seems to be a challenge many folks on Dreamhost run into and we don't have good docs on
#
[tantek]
use-case: this is a sticking point for getting Micropub setup on solution hosted on Dreamhost
#
aaronpk
I added the htaccess rule to my dreamhost and have never had a problem, which is why i'm so confused why it continues to be a challenge
#
[tantek]
There are multiple people who have had failures, had to file support tickets, and very few of those have worked out
#
aaronpk
my media endpoint is on dreamhost and uses the authorization header
#
[tantek]
It sounds like you are an exception aaronpk on Dreamhost, that's my point
#
aaronpk
and i'm on just regular dreamhost shared hosting, nothing special
#
[tantek]
right, I get that
#
[tantek]
they seem to have changed something in their default setup since when you signed up
#
aaronpk
that's why i'm so confused
#
[tantek]
when did you sign up?
#
aaronpk
could be, but they've moved my account to new servers several times
#
[tantek]
they change defaults on the default signup all the time
#
[tantek]
moving servers is orthogonal
#
gRegorLove
I have them working on DH shared too
#
aaronpk
i've had my account since 2008
#
gRegorLove
Which is also an old account, probably around that same era
#
aaronpk
i've seen so many issues with people that I am tempted to go make a brand new account and fight with their support myself until we figure it out
#
aaronpk
I was half kidding but actually that sounds like not the worst idea right now
#
gRegorLove
I kinda recall someone else on DH shared had some caching thing going on with their account that affected it? It was in wordpress chat months ago
jfoster joined the channel
#
gRegorLove
Not a bad idea. I'd also be curious to try it with and without WordPress.
#
gRegorLove
Since we're not on WP and it works for us. :shrug:
#
aaronpk
the last one I was helping with was not on their wordpress hosting but did have wordpress installed. that shouldn't matter though, should be just a regular shared hosting account
#
aaronpk
ok i'm gonna do this right now
#
[tantek]
aaronpk++
#
Loqi
aaronpk has 47 karma in this channel over the last year (183 in all channels)
#
[Rose]
With the added difficulty level of “I’m on a plane”? aaronpk++
#
Loqi
aaronpk has 48 karma in this channel over the last year (184 in all channels)
#
aaronpk
excellent plane activity
#
aaronpk
"pre-install wordpress" is a checkbox *when signing up for a new account* o.O
#
aaronpk
ok new account is created, DNS changes are pending
#
aaronpk
it's installing wordpress
#
aaronpk
looks for the htaccess rule on the wiki
#
aaronpk
adds it to htaccess
#
aaronpk
and sure enough the header passes through
#
aaronpk
ok so that was: brand new dreamhost account, with wordpress pre-installed through the checkbox during registration. went into the folder on the server and added the "SetEnvIf" rule to the htaccess file described here https://indieweb.org/Wordpress_IndieAuth_Plugin#Apache_htaccess_solutions
#
aaronpk
so now i'm even more confused
#
[tantek]
I thought the problem was with Micropub not IndieAuth
#
[schmarty]
aaronpk: how did you test it?
#
aaronpk
same test I did with David at IWC AMS
#
aaronpk
I added a php file to the server with <?php print_r($_SERVER); ?>
#
aaronpk
so I can see whether PHP sees the authorization header
#
gRegorLove
Which DH version of PHP?
#
aaronpk
[tantek]: yes arguably that troubleshooting section should be moved to the micropub page because that's likely where people will look because that's where the problem will appear to be
#
aaronpk
oh and this is with "extra web security" checked in dreamhost too
#
aaronpk
which enables mod_security, which has been the cause of this issue on other hosts
#
aaronpk
i'll try with it disabled too, but enabled is the stricter case where i'd expect the problem to surface
#
gRegorLove
solution: have aaronpk install your wordpress. ;)
#
[tantek]
[David_Bryant] ^^^
#
aaronpk
[David_Bryant] did you ever hear back from dreamhost support on that ticket?
[David_Bryant] joined the channel
#
[tantek]
^^^ aaronpk that @-mention didn't come through as linked here on the Slack side 🤔
#
aaronpk
yeah slack doesn't let bots actually @-mention people
#
[tantek]
interesting
#
[snarfed]
well it does, you just need to do extra work
#
Loqi
[snarfed]: [tantek] left you a message 16 hours, 29 minutes ago: re: #445 seems like a pretty straightforward case of "keep Bridgy simple" and closing accordingly. Also original requester shut down their service and not seeing anyone else care for 4 years seems like a pretty clear cut case of a great edge case to avoid complexifying the code over.
#
aaronpk
wait really?
#
[David_Bryant]
[aaronpk] -- I swapped messages with the Dreamhost support folks gradually helping them understand what I was trying to do, namely get HTTP Authorization headers to work, but they mostly left it to me to try all the various combinations of rewrite rules in .htaccess to see if I could get something to work.
#
aaronpk
they couldn't help you figure out why the header isn't coming through? we narrowed the test case down to a plain PHP file with no wordpress stuff involved
#
[snarfed]
(basically you map the username to user id, then use <@ID>)
#
aaronpk
[snarfed]: ohhh I need to translate it to ID!
#
aaronpk
I never made that connection when that announcement came out
#
[snarfed]
(and wrap in < >)
#
[David_Bryant]
Nope, alas. I pointed them at the plain 'test.php' file and gave them the curl -H command we tested with, they looked at my .htaccess file and said, "Wow, that's weird."
#
aaronpk
[David_Bryant]: can you tell them their server is broke and they need to go fix it?
#
[David_Bryant]
Interestingly enough, I registered a new domain just so i could create a totally empty shared hosted instance and try reproducing the problem there. I figured if I still saw the problem I had a solid case for the "your server's broke".
#
[David_Bryant]
Which I see is the process you're working through on your plane flight. :-0
#
aaronpk
yep. a brand new hosting account doesn't have this issue
#
[David_Bryant]
You can still do 'curl -H "Authorization: Bearer FOO" https://orangemoose.com/test.php' and see the result on my home domain.
#
aaronpk
[David_Bryant]: can you try continuing to bug dreamhost support to get them to fix it? "that's weird" isn't really a good answer from their support
#
aaronpk
[snarfed]: I think I know why I didn't do the mapping this direction. slack doesn't have an API method to look up a user ID from a username. so it's only going to work with users who the gateway has seen
#
[tantek]
That seems like a reasonable limitation though since irc people are unlikely to @-mention a Slack user that has never said anything (thus the gateway has never seen)
#
[tantek]
Hmm I guess that’s more meta than dev
#
[tantek]
While the auth header discussion is definitely dev
#
aaronpk
oops yes, moving that to meta
krychu joined the channel
#
[David_Bryant]
You bet. I'm writing up an email with the findings from the experimentation I did this past weekend. Have more testing planned for this weekend.
jfoster, [jgmac1106], [grantcodes] and [benatwork] joined the channel
#
[jgmac1106]
[benatwork] we just looked at updating the Installatron file, even though it's marked for PHP 5.2 it doesn't seem (from my neophyte eyes) to have breaking code
#
[tantek]
[benatwork] did you write CI tests for your Medium export that you think are still running?
#
[benatwork]
I did - and the tests included mf2 code
#
[tantek]
my suspicion is that's what's going on
#
[benatwork]
I'd have to ask Kyle to be sure, but I'm pretty sure those tests are still running
#
[benatwork]
And the effort to change the tests < the effort just to write code that stays in line with them
#
[benatwork]
Er, or rather, the other way around
#
[tantek]
this is a very good technique for sustainable indieweb support
#
[tantek]
both in corporate services, and likely in OSS projects as well
#
[tantek]
this is why I wanted to capture it
#
[benatwork]
I think the solution is really the same as any feature you don't want to lose - test and document well
#
[benatwork]
It also helped that nobody really cared about export so I had free rein - it was much harder to bake mf2 into the UI because it meant discussing with every single FE engineer
[fluffy] joined the channel
#
[tantek]
^^^ that's a very important insight
#
[tantek]
a similar dynamic likely exists on OSS projects
#
[tantek]
UI is "sexier" to work on because it's more obviously visible. Whereas export is one of those "boring" sometimes features that tends to get less attention.
[KevinMarks], imsky and deathrow1 joined the channel
#
[fluffy]
okay to follow up on previous pushl testing, according to the webmention API it looks like only the https version of my mention of tantek.com went through. Or did you delete the apparent duplicate? 🙂
#
[fluffy]
Pushl itself doesn’t do anything to chase redirects, so if the http POST produces a redirect then there’s no reason that version would have gone through.
#
[fluffy]
although I see now you declare https for your endpoint so there’s no point in me testing http: now
#
[tantek]
[fluffy] yeah after the realization that http redirect doesn't POST, I hardcoded the https of wm io
#
[fluffy]
out of curiosity had my ping to http: gone through and you deleted it manually?
#
[fluffy]
pushl didn’t indicate whether it did or not in my own logs
#
[fluffy]
I do know webmention.io doesn’t automatically dedupe them though (or at least it didn’t use to)
#
aaronpk
dedupe http vs https? no. it only dedupes exact URL matches
#
[fluffy]
that’s what I thought
#
[fluffy]
which is, I mean, 100% valid and accurate to the spec
#
[fluffy]
webmention.js dedupes client-side by just requesting the mentions for both versions and then merging 🙂
#
aaronpk
that's what tantek does too
#
[fluffy]
someday I do want to implement an endpoint that satisfies my wishlist at http://beesbuzz.biz/blog/6982-My-webmention-endpoint-wish-list
#
[fluffy]
(I also use <link rel="canonical"> on my own site to mitigate it to begin with.)
#
aaronpk
#2 and #3 are definitely things i've been thinking about adding to webmention.io
#
[fluffy]
and you support #1 already 😉
#
[fluffy]
it’s mostly 4-6 that would be interesting on the endpoint side of things. 3 could be done with existing tooling as it is.
#
[fluffy]
Well, clumsily.
#
[fluffy]
and of course 7 would be amazing but I feel like private-post stuff needs so many things to fall into place before it’s worth trying to implement anything and there’s a giant chicken-and-egg situation there.
strugee joined the channel
#
aaronpk
webmention.io can already receive private webmentions :D
#
[fluffy]
oh? huh
#
aaronpk
at least in some form of private webmentions
#
[fluffy]
how does that work?
#
[snarfed]
[fluffy] you may also be interested in de-duping syndicated etc copies: https://indieweb.org/deduplication
#
[fluffy]
[snarfed] oh yeah that’s a good one too
#
[fluffy]
ok the access token part is where I always get lost trying to read this
#
aaronpk
it's not ideal
#
aaronpk
I think there's a better version of this somewhere
#
[fluffy]
also doesn’t it require that the response still be public?
#
[fluffy]
that’s where I get confused
#
aaronpk
it doesn't make an assumption about the privacy of the post you're replying to
#
[fluffy]
I also am unsure of how this stuff would get integrated in with my auth layer.
#
[fluffy]
oh right! it’s just the source that’s private in this context, right
#
aaronpk
it enables the reply to be private, only viewable during webmention verification
#
[fluffy]
the target never gets validated since there’s no reason to (except in the case of chasing redirects which isn’t part of webmention itself and not something webmention.io does)
#
aaronpk
the trick with this one is that it also makes no assumptions about identity
#
[fluffy]
okay yeah it’s me overthinking the target privacy that always loses me
#
[fluffy]
but it’s about the *source*
#
aaronpk
yeah the *target* is generally left as an internal implementation detail of the site receiving the webmention
#
[fluffy]
okay so I guess what I’d need to do is “just” make it so that authl can work with generated auth codes
#
[fluffy]
or rather, publ’s auth stuff, I don’t think that’s in authl’s domain
#
aaronpk
i'm not 100% convinced that https://indieweb.org/Private-Webmention is the best model, but any implementation experience with it is most welcome
#
[fluffy]
all authl does is present third-party auth UI and validate that for the actual content platform
#
[fluffy]
I’m still unclear about how the authorization code itself gets generated, like whose request causes that to happen and how it’s validated. Someday I’ll understand.
#
[fluffy]
like at least in my own ecosystem it seems that it’s Pushl that needs to obtain the authorization code and then send that along to the endpoint. And that flow is something I can’t brain right now.
#
[fluffy]
Pushl is intended to run unattended in a cron job or git commit hook or whatever.
#
[fluffy]
I assume that this is what AutoAuth is for but I can’t brain that either 🙂
#
aaronpk
yeah autoauth is an alternative version that would make this not necessary
#
[fluffy]
yeah I think I really need to spend some time actually understanding the AutoAuth flow and which party is responsible for what
#
[fluffy]
if I can add AutoAuth support to Pushl and it can broker the auth code along to the webmention endpoint I think that covers everything
#
[fluffy]
at least on my end
#
aaronpk
yeah it should cover the full use case of private webmentions as well as private feeds
#
KartikPrabhu
anyone with Safari here can check if my site content actually displays now?
#
KartikPrabhu
or Chrome