#dev 2019-10-08
2019-10-08 UTC
IPFSFanDiscord[m, t-mo, imsky, jfoster and [dmitshur] joined the channel
# [dmitshur] I have a (long-ish) question about indieauth (the protocol). I _think_ I've found an answer myself, but want to confirm.
# [dmitshur] In OAuth 2.0 web application flow, there is a part where the OAuth provider shows a page like "example.com wants to access your <account> with the following permissions: 1. read public data, 2. write foo/bar", and the user has to press a green Authorize button to proceed if they wish.
# [dmitshur] Does something like this happen as part of IndieAuth? it would be something like "example.com wants to authenticate you as <yourname.com>, okay?" since there are no authz permissions or scopes involved, just authn. but still, it may be scary to get immediately signed in with your site without such a screen.
# [dmitshur] As I understand, it "should" happen and it's to be done by the authorization endpoint (i.e., part of step 4 in the diagram at https://indieweb.org/indieauth-for-login). The relevant section in the spec seems to be section 7.2, https://indieauth.spec.indieweb.org/#preventing-phishing-and-redirect-attacks.
# [dmitshur] I tested this out recently on a site I'm pretty sure I never tried to sign in to before (but maybe I forgot?), https://unicyclic.com. I entered my domain and pressed the Log In button. It redirected me to indieauth.com, which asked me to prove to it that I am dmitri.shuralyov.com, and then it just logged me in to https://unicyclic.com without any more questions.
# [dmitshur] I understand that IndieAuth the protocol can offer a better/different experience in this regard, if I just implement IndieAuth on my site instead of relying on RelMeAuth that indieauth.com used.
# [dmitshur] Thanks.
[tantek] joined the channel
# [tantek] !tell snarfed re: #445 seems like a pretty straightforward case of "keep Bridgy simple" and closing accordingly. Also original requester shut down their service and not seeing anyone else care for 4 years seems like a pretty clear cut case of a great edge case to avoid complexifying the code over.
# [dmitshur] GWG, thanks, but my question wasn't about verifying myself, it was about presenting a grant/deny dialog when going through web sign-in.
# [dmitshur] I think the second half of this sentence at https://indieauth.spec.indieweb.org/#authentication is the most clear confirmation:
# [dmitshur] "The authorization endpoint verifies the End-User, e.g. by logging in, and establishes whether the End-User grants or denies the client's authentication request"
gRegorLove joined the channel
# [dmitshur] also relevant:
# [dmitshur] > Once the user is authenticated, the authorization endpoint presents the authentication prompt to the user. The prompt MUST indicate which application the user is signing in to, and SHOULD provide as much detail as possible about the request.
# gRegorLove indieauth.com does that
# gRegorLove I get "Allow unicyclic.com access to gregorlove.com?
# gRegorLove The app https://unicyclic.com would like to access your site, https://gregorlove.com/"
[Lewis_Cowles] and mblaney joined the channel
# [Lewis_Cowles] It'd be pretty bad for end-users if scopes were incorrectly communicated
# gRegorLove indieauth shows the scope
# gRegorLove Yeah "The app is requesting the following scopes: create"
gxt joined the channel
# gRegorLove oh, no mp endpoint?
# gRegorLove I bet that's it, so it's just doing authentication
cweiske and krychu joined the channel
# @digitarald ↩️ Oh, sweet. Disqus is broken for a while on my legacy/mostly-dead http://digitarald.de and I was thinking about what a new static site would use. webmentions looks great. (twitter.com/_/status/1181474981567455232)
[tonz] joined the channel
# [Lewis_Cowles] oh man gmail is boiling my ****
# [Lewis_Cowles] Add 30 whitespace chars so that an email client doesn’t cut-off-content… That is a trip
jeremych_ and [jgmac1106] joined the channel
# [jgmac1106] Yeah fine with #445 and fragments not working with Bridgy worked on a single note per page layout last night
# [jgmac1106] Incentive to learn more PHP so I can build daily or p-category views
# [jgmac1106] One of my fav features of Known is any hashtag automatically converting to a link and having its own RSS and now h-feed.... Long time before I figure that out
# jeremycherfas I have found, though, that hashtags in Known do not get syndicated out to, e.g., microblog.
# [Lewis_Cowles] [jgmac1106] could you avoid PHP by putting in separate posts, and using search functionality (perhaps with rewrite) to show those posts?
# [Lewis_Cowles] if it’s WP, you might be able to do that. If it’s static, probably not
# [Lewis_Cowles] * rewrite (vanity url like /photos/2018/10/18 instead of q=&thing=&category=&tags=)
# [jgmac1106] Not WP, just writing HTML and then sftp to server. Not an though I like the old school blogs of short notes chronologically served on files by date, either month or day
# [jgmac1106] On another note I need to learn how javascript and php work together. Only javascript I use is a collapsible menu on <800px devices
# [jgmac1106] Ever since I moved my nav into header.php the javascript does not work. Might just drop and try to write a media query using a vertical flexbox and details/summary
# [jgmac1106] Then I can get back my claim of being javascript free
# jeremycherfas Where is the script itself?
# [jgmac1106] In a separate file
# jeremycherfas So, not loaded with the page?
# [jgmac1106] https://github.com/jgmac1106/homepage/blob/master/script.js... Used to be when I manually did my header
# jeremycherfas Give me a link to a page on which it is supposed to work.
# [jgmac1106] jgregorymcverry.com
# [jgmac1106] Wondering if I can write a media query where content summary is default open on large displays and default closed on small. Then I can use horizontal flexbox big and vertical flexbox small
# jeremycherfas I can see that .navbar-items is set to display: none; but I cannot see where I am supposed to click to change that. Do you have a hamburger icon or anything?
deathrow1 joined the channel
# jeremycherfas I'd love to be able to show you how I am doing it with flex on my new theme, but that would mean ngrok and a whole lot of stuff right now.
# jeremycherfas Let me see if I can extract the code for you.
# [jgmac1106] No worries. If I make a page and manually add my header it works. Must be way I am calling the javascript. Yes hamburger icon. Gotta make kids breakfast
# jeremycherfas OK. Just realised I can't easily show you, because all my responsiveness is built with Tailwind. So it handles the breakpoints by using things like `sm` and `md` as prefixes. You would have to translate
# [jgmac1106] Will fix the javascript. Has to be a simple issue. Will just try moving that one line back to each file. Should work
# [jgmac1106] Then keep playing with flexbox and details/summary media queries
# jeremycherfas Good luck.
# [jgmac1106] Get my No Javascript Badge back from the Order Of Holy Pretentiousness... It's good nerd cred
# jeremycherfas Just turned Lighthouse on briefly and it illuminated what I already knew; got to work on a11y
UsamaIrfanDiscor, imsky and krychu joined the channel
# [jgmac1106] Just had thought... The script prolly points to *.html
imsky, [tantek], [aaronpk], [Lewis_Cowles], dougbeal|iOS, dougbeal| and jfoster joined the channel
# @justinribeiro Adding Webmention support to a Progressive Web App. https://justinribeiro.com/chronicle/2019/10/07/adding-webmention-support-to-a-progressive-web-app/ (twitter.com/_/status/1181605674352103425)
gRegorLove, [snarfed], [bdesham], [schmarty], [jgmac1106], gxt, AutoAIDiscord[m], [Rose] and [fluffy] joined the channel
# [fluffy] [tantek] pushl seems to handle protocol-relative webmention endpoints correctly, incidentally. When I mention http://tantek.com it resolves the endpoint to http://webmention.io/tantek.com/webmention and when I mention https://tantek.com it resolves the endpoint to https://webmention.io/tantek.com/webmention
# [fluffy] Although I’m not sure why you’d bother with protocol-relative in this case since http://webmention.io just redirects to https://webmention.io anyway
[tantek] joined the channel
[KevinMarks] joined the channel
# [schmarty] oh here are the release notes. they're clearer: https://github.com/tootsuite/mastodon/releases/tag/v3.0.0
krychu joined the channel
# gRegorLove I have them working on DH shared too
# gRegorLove Which is also an old account, probably around that same era
# gRegorLove I kinda recall someone else on DH shared had some caching thing going on with their account that affected it? It was in wordpress chat months ago
jfoster joined the channel
# gRegorLove Not a bad idea. I'd also be curious to try it with and without WordPress.
# gRegorLove Since we're not on WP and it works for us. :shrug:
# aaronpk ok so that was: brand new dreamhost account, with wordpress pre-installed through the checkbox during registration. went into the folder on the server and added the "SetEnvIf" rule to the htaccess file described here https://indieweb.org/Wordpress_IndieAuth_Plugin#Apache_htaccess_solutions
# [schmarty] aaronpk: how did you test it?
# gRegorLove Which DH version of PHP?
# gRegorLove solution: have aaronpk install your wordpress. ;)
[David_Bryant] joined the channel
# Loqi [snarfed]: [tantek] left you a message 16 hours, 29 minutes ago: re: #445 seems like a pretty straightforward case of "keep Bridgy simple" and closing accordingly. Also original requester shut down their service and not seeing anyone else care for 4 years seems like a pretty clear cut case of a great edge case to avoid complexifying the code over.
# [David_Bryant] [aaronpk] -- I swapped messages with the Dreamhost support folks gradually helping them understand what I was trying to do, namely get HTTP Authorization headers to work, but they mostly left it to me to try all the various combinations of rewrite rules in .htaccess to see if I could get something to work.
# [David_Bryant] Nope, alas. I pointed them at the plain 'test.php' file and gave them the curl -H command we tested with, they looked at my .htaccess file and said, "Wow, that's weird."
# [David_Bryant] Interestingly enough, I registered a new domain just so I could create a totally empty shared hosted instance and try reproducing the problem there. I figured if I still saw the problem I had a solid case for the "your server's broke".
# [David_Bryant] Which I see is the process you're working through on your plane flight. :-0
# [David_Bryant] You can still do 'curl -H "Authorization: Bearer FOO" https://orangemoose.com/test.php' and see the result on my home domain.
krychu joined the channel
# [David_Bryant] You bet. I'm writing up an email with the findings from the experimentation I did this past weekend. Have more testing planned for this weekend.
jfoster, [jgmac1106], [grantcodes] and [benatwork] joined the channel
# [jgmac1106] [benatwork] we just looked at updating the Installatron file, even though it's marked for PHP 5.2 it doesn't seem (from my neophyte) eyes to have breaking code
# [benatwork] I did - and the tests included mf2 code
# [benatwork] I'd have to ask Kyle to be sure, but I'm pretty sure those tests are still running
# [benatwork] And the effort to change the tests < the effort just to write code that stays in line with them
# [benatwork] Er, or rather, the other way around
# [benatwork] I think the solution is really the same as any feature you don't want to lose - test and document well
# [benatwork] It also helped that nobody really cared about export so I had free rein - it was much harder to bake mf2 into the UI because it meant discussing with every single FE engineer
[fluffy] joined the channel
[KevinMarks], imsky and deathrow1 joined the channel
# [snarfed] added mastodon to https://oauth-dropins.appspot.com/
# [fluffy] someday I do want to implement an endpoint that satisfies my wishlist at http://beesbuzz.biz/blog/6982-My-webmention-endpoint-wish-list
strugee joined the channel
# [snarfed] [fluffy] you may also be interested in de-duping syndicated etc copies: https://indieweb.org/deduplication
# aaronpk I think it's this one https://indieweb.org/Private-Webmention
# aaronpk i'm not 100% convinced that https://indieweb.org/Private-Webmention is the best model, but any implementation experience with it is most welcome
# KartikPrabhu anyone with Safari here can check if my site content actually displays now?
# KartikPrabhu or Chrome