#dev 2019-10-29

2019-10-29 UTC
[chrisbergr] and [snarfed] joined the channel
#
[snarfed] updated all the images and buttons on https://brid.gy/ , https://granary.io/ , https://oauth-dropins.appspot.com/ to 2x resolution. not a big deal, but they definitely look sharper now
#
[snarfed] little things
tg-z, SevenTwenty, KartikPrabhu, [Bradley_Allen] and maxwell joined the channel
#
maxwell @jgmac1106, @aaronpk, @snarfed - I wrote a post about what I got done with your help, thanks again: https://www.maxwelljoslyn.com/blog/2019/10/28/1
#
Loqi With advice from Greg McVerry, Aaron Parecki, and Ryan Barrett, I finished getting this blog set up for subscription using the h-feed microformat, and made other improvements along the way: all pages now have a self-link in the title all pages, not ...
SevenTwenty, dougbeal|mb1, gRegorLove, [fluffy], [KevinMarks], tg-z and [snarfed] joined the channel
#
[snarfed] maxwell++
#
Loqi maxwell has 1 karma over the last year
#
[snarfed] and hah, rogue u-mention-ofs
#
[tantek] where did that even come from?
[timothy_chamber, FreshcollegeGirl, ecrosstexas, gRegorLove, ecrosstexas[m], LavetteGeneratio and [fluffy] joined the channel
#
[fluffy] probably from me, I was sending those out for a while
#
[fluffy] but maybe I’m not the only one 🙂
#
[fluffy] meanwhile I’m going out on a limb and startin gto implement AutoAuth in Publ even though I have no way to actually, like, test it
[Rose] joined the channel
#
[fluffy] or maybe maxwell got it from the same place I did, and I have no idea where that is aside from maybe inferring it based on ???
#
[fluffy] like it seems intuitive that it’d exist
#
gRegorLove [fluffy], mblaney and I can help test different parts of that. He has the reader part
FreshcollegeGirl joined the channel
#
[fluffy] Is there any mechanism for testing it when my stuff is just on localhost though? I don’t want to have to deploy to the public web to test things.
#
[fluffy] also, for the resource token endpoint, is there any reason I should implement my own as part of Publ, or can that just be something that’s hosted externally and uses tokens.indieauth.com by default or whatever?
#
[fluffy] like I’m not quite clear on the difference between a resource token and a user token in this context
#
[fluffy] Or is there one?
[jeremycherfas] joined the channel
#
[fluffy] okay yeah I’m completely confused by how one actually goes about verifying a token
#
[fluffy] it seems that it’s up to the application to have a trust relationship with the token endpoint, is that correct?
#
[fluffy] so like I could use tokens.indieauth.com as a short-term thing but in the long term I’d want to move to my own self-hosted endpoint?
cweiske joined the channel
#
[fluffy] what I could really use is some simple commandline tools or cut-and-paste recipes or whatever for verifying the token flow
KartikPrabhu, asymptotically and [tonz] joined the channel
#
@Borisson It looks like we will get @swentel back into core development with getting webmention and the indieweb to drupal https://t.co/BBZdlk6g1L (twitter.com/_/status/1189105832300023808)
#
@Peytz What comes after Drupal 9.0.0? Automation? Reusable components? Accessibility? Semantic HMTL? Webmention support? Native DAM? JSON: API clients / SDKs? What are your hopes and wishes? #Driesnotes #DrupalCon (twitter.com/_/status/1189106771983511554)
[KevinMarks] and [Matt_Hobbs] joined the channel
#
myfreeweb [fluffy]: token (& auth) endpoint being part of the application is honestly so much easier than using an external one, localhost development Just Works
#
myfreeweb for checking that auth works, i use a local instance of https://github.com/barryf/micropublish
#
Loqi [barryf] micropublish: A Micropub client that you can use to create, update, delete and undelete content on your Micropub-enabled site.
gRegorLove joined the channel
#
Zegnat Oooh, Webmention shoutout at the Drupal Driesnote?
#
Zegnat pings local Drupal dev firm with a pitch to come and speak about mf2 and webmentions
jeremych_, [KevinMarks]1, [jgmac1106], [grantcodes], FreshcollegeGirl and [qubyte] joined the channel
#
jeremycherfas Is there a simpler way of testing a cron job than tail the file in var/mail ?
IWSlackGateway, [Matt_Hobbs], [qubyte], [grantcodes] and [tonz] joined the channel
#
Zegnat jeremycherfas: test how? Know that it ran?
#
jeremycherfas Know that it ran is easy; the files appear where I expect them. Find the errors if it didn't.
#
jeremycherfas But in the meantime, I fixed the path to the bash script I was hoping it would run and it worked. I thought that cron might know about $PATH, but it seems not to.
#
jeremycherfas So now I am downloading and renaming my access.log every day, and my next chellenge will be to try and get Bise working locallly.
#
Zegnat Ah, yeah, $PATH is “scoped” to your current terminal session. So unless you are the one running the cron task manually, it would not know about what you personally set as your $PATH
[Rose], [KevinMarks] and [timothy_chamber joined the channel
#
aaronpk [fluffy]: yeah using built in endpoints is much easier than trying to support external services for things like that once you get into the relatively complex scenarios like autoauth
KartikPrabhu and [tantek] joined the channel
#
[Rose] [aaronpk] What should I be looking for regarding compass background workers? I thought mine were working but I probably missed something
#
aaronpk Oh I did document it
#
aaronpk https://github.com/aaronpk/Compass#job-queue
#
Loqi [aaronpk] Compass: Compass is a GPS tracking server that stores data in flat files.
#
aaronpk Refer to the Lumen docs for more details too
#
[Rose] Thanks!
#
aaronpk You'll need to define the queue driver in the config file, there are different options like database or redis
#
[Rose] Good start: queue driver database is uncommented
GWG joined the channel
#
aaronpk For the database one you'll need to add the tables. There's a command for that documented in Lumen
#
aaronpk Oh it's in my docs too
#
[Rose] It is, and I already did that
#
[Rose] Right, so it was running the queue in the background I didn't have
#
[tantek] Wait what did I just read that Webmention and other building blocks may get built into Drupal 9?
#
aaronpk When you run the worker it'll write to a log file in the storage/logs folder so you can check there for errors
#
[tantek] [KevinMarks] ping - how soon can you get to updating /fragmentions spec? This week? It has some urgency because various Google folks are pushing for their more complex proposal instead
#
[Rose] I _think_ I got it working
#
[Rose] Oh darn, errors
#
[Rose] Aws\Sqs\SqsClient not found
#
aaronpk That's odd, so you have anything in the config that mentions AWS?
#
aaronpk That's an alternative queue driver
#
[Rose] Sorry, work emergency, now I can check
#
[Rose] There's nothing in my .env
#
[Rose] But, my queue is running now
#
[Rose] (I just stopped it, because letting it run wildly when it's running into errors seems like a bad idea)
vika_nezrimaya joined the channel
#
vika_nezrimaya Good Morning IndieWeb
#
vika_nezrimaya My site's currently down, so I'm playing around with node.js
#
vika_nezrimaya JavaScript is actually fun! Right now I'm trying to make a socket.io based chat app with IndieAuth
#
[KevinMarks] Being able to debug node server code on my own machine with Visual Studio Code is nice
[schmarty] joined the channel
#
[tantek] [Matt_Hobbs] can you add your questions about how to markup author(s) of one or more entry(ies) to the https://indieweb.org/h-entry page? That way we can capture them and make sure they have good step by step answers!
[Matt_Hobbs] joined the channel
#
[Matt_Hobbs] Hi [tantek], yes sure will do :thumbsup:
#
[Rose] [aaronpk] To further mystify matters, I can't find "Aws" anywhere in your code
#
aaronpk [Rose]: yeah it's part of Lumen
#
aaronpk it shouldn't be trying to load that unless you've defined the SQS driver though
#
[Rose] I don't even see a sample of defining that
#
[Matt_Hobbs] Hmmm I'm looking for a way to do this. Just logged in but can't see an option anywhere. Is there something I am missing?
#
aaronpk [Rose]: is it this? https://github.com/laravel/framework/issues/12029
#
Loqi [andy1547] #12029 SQS Class 'Aws\Sqs\SqsClient' not found When trying to use Redis queue, despite SQS not referenced anywhere
#
[Rose] Possibly!
#
[Rose] Yes, it was
#
[Rose] Mystery solved, poor documentation at fault (as well as me not reading everything through/understanding it all)
#
aaronpk i didn't even know that was possible so i learned something new too
#
[Rose] It would be better if the docs didn't have that as the default command I suspect
#
aaronpk definitely
#
aaronpk seems like a weird default
#
[Rose] Anyway, I now have a queue worker running
#
aaronpk yay
[jgmac1106] joined the channel
#
[Rose] makes a note to make a pull request on your repo to add details to the docs on what she did
#
vika_nezrimaya any easy ways to discover rel=authorization_endpoint from client-side JS without hoping that stuff happens with cross origin policy?
#
vika_nezrimaya CORS, I mean
#
aaronpk either the site needs to send the proper CORS headers, or you'll need a server-side component that the client-side JS can talk to
#
vika_nezrimaya ugh
#
aaronpk yeah :-/
#
aaronpk browsers 🤷
#
[tantek] [Matt_Hobbs] you can start with adding a new == Questions == section near the bottom
[Lewis_Cowles] and jackjamieson joined the channel
#
vika_nezrimaya oh, great
#
vika_nezrimaya IndieAuth is so weird. I try to authenticate against my endpoint (indieauth.com) but it says that code parameter is missing. I can clearly see it being sent.
#
vika_nezrimaya also it doesn't seem to understand Accept: application/json, text/plain, */*
#
aaronpk Make sure it's sent in the post body not the query string
#
vika_nezrimaya I'm POSTing it... There are no query strings
#
vika_nezrimaya I'm using axios on Node.js side to talk to auth endpoint
#
vika_nezrimaya because auth is checked on the server
#
aaronpk Double check the post body format then. Sometimes these clients do weird things. Needs to be form-encoded body with the matching content type header
#
vika_nezrimaya Form-encoded? It doesn't accept JSON?!
#
aaronpk As a post body? No
#
vika_nezrimaya oh wow
#
aaronpk form encoded posts are the "normal" one
#
vika_nezrimaya that's why I kinda don't like implementing IndieAuth... :3 sadly I don't think there's a library
#
aaronpk there's no advantage to posting JSON if you're only sending a couple strings
#
vika_nezrimaya maybe I should write one
#
aaronpk there has to be a library for it
#
aaronpk its usually the default in http clients
#
vika_nezrimaya library for IndieAuth, I mean!
#
vika_nezrimaya so I wouldn't have to deal with finding endpoints, checking codes, etc. myself
#
vika_nezrimaya and only have a function that executes once user completes the auth flow correctly :3
#
[Lewis_Cowles] vika, you could implement a middleware to wrangle content-type if it’s JSON, but then you’d increase a lot of work as there are many JSON mime-types. text/json, application/json, application/vnd.api+jsoncontentType is one I learned about at my current job (which I think should just be application/json)
#
vika_nezrimaya I think application/json is the more accepted and seen one
#
vika_nezrimaya i use it when sending my requests
#
vika_nezrimaya text/json imo is not quite right, since JSON can be anything, including text. I could even transmit a PNG picture encoding its properties in JSON. it'll take a lot of data but it will certainly not be text
#
[Lewis_Cowles] fd = new FormData() would allow you to unburden yourself and simply POST 😉
[qubyte] joined the channel
#
[qubyte] When it’s a URL encoded body you can use `URLSearchParams` as a global in node these days. Very handy.
#
[qubyte] I use it quite a lot to decode simple form bodies. It’s only when things go multipart that it becomes a pain to handle.
#
[Lewis_Cowles] [qubyte]++
#
Loqi [qubyte] has 1 karma in this channel over the last year (2 in all channels)
#
[Lewis_Cowles] I’ve never encountered that. Wonderful. I rather like window.location, but fully accept it could be easier to work with and less verbose
#
[qubyte] If it’s all hex tokens and stuff you can just build a string manually. No need for the encoding.
gRegorLove joined the channel
#
vika_nezrimaya yay, I wrote a chat app using socket.io and IndieAuth!
#
Loqi vika_nezrimaya has 1 karma in this channel over the last year (3 in all channels)
#
aaronpk vika_nezrimaya++ yay congrats!
#
Loqi 😃
#
vika_nezrimaya I only need to upload it to glitch and we can ditch IRC :D
#
vika_nezrimaya except I don't have chat history yet
#
aaronpk hehe
#
vika_nezrimaya huh, glitch doesn't seem to do something like npm run build before starting my app
#
[qubyte] You can hack a bunch of that stuff (it’s possible for glitch to run rust (and therefore compilation is a must)).
#
[qubyte] It _might_ (definitely no guarantees here) be as simple as including a shell script called `start.sh`.
#
[qubyte] aha https://support.glitch.com/t/language-support-on-glitch-a-list/5466
#
[qubyte] Info on lifecycle hooks in that.
#
[qubyte] If glitch is starting the app using `npm start`, then you might just get away with adding to scripts `"prestart": "npm run build",` since npm will pick that up as part of how it handles scripts right before it runs `start`.
#
[qubyte] (definitely worth trying that before getting into the glitch lifecycle stuff)
#
vika_nezrimaya https://indiewebchat.glitch.me - login with your website!
#
vika_nezrimaya I want to try seeing other people in the chat :3
#
vika_nezrimaya so please someone test this
#
vika_nezrimaya note that this thing doesn't remember the login
#
vika_nezrimaya no cookies support, no session persistence, nothing!
[snarfed] joined the channel
#
[snarfed] just fyi, interesting error when i typed in http://asdf.com : looks like it tried to HTTP GET the HTML contents? and failed
#
[snarfed] same when i enter https://snarfed.org
#
aaronpk i logged in but i can't click into the text box
#
vika_nezrimaya Wait a little bit, once auth passes, it should unlock
#
vika_nezrimaya This is alpha-quality software
#
vika_nezrimaya and my first foray into Node
#
vika_nezrimaya I don't see you being connected though... something may have went wrong
#
vika_nezrimaya and it certainly did
#
[Lewis_Cowles] same, but very cool
#
[Lewis_Cowles] @vika_nezrimaya++
#
Loqi @vika_nezrimaya has 2 karma in this channel over the last year (4 in all channels)
[manton] joined the channel
#
vika_nezrimaya aaronpk, [Lewis_Cowles]: I pushed some fixes that prevent app from glitching in case it can't fetch your h-cards
#
vika_nezrimaya try again now
#
[Lewis_Cowles] OfflineFirst has their very own aaron, and they've written a post about request queueing https://medium.com/to-err-is-aaron/managing-state-with-offline-first-request-queuing-d29f043205d4
#
[Lewis_Cowles] I'll check out changes
[grantcodes] joined the channel
#
[grantcodes] Nice vika! I have some pretty well tested node / is libraries for indieauth. Feel free to use it or copy code from it. It uses axios too
#
[Lewis_Cowles] Shorter url query-string this time, but ultimately still not logged me in
#
[Lewis_Cowles] https://indiewebchat.glitch.me/?me=https%3A%2F%2Fwww.lewiscowles.co.uk&redirect_uri=https%3A%2F%2Findiewebchat.glitch.me&client_id=https%3A%2F%2Findiewebchat.glitch.me&response_type=id
#
[Lewis_Cowles] perhaps that can help?
#
vika_nezrimaya wait, this is not supposed to happen. It should GET that query string to an authorization endpoint!
#
vika_nezrimaya Do you have an authorization endpoint configured correctly?
#
[Lewis_Cowles] oh this may be me conflating indieauth and indielogin 😊
#
[Lewis_Cowles] yeah... my bad
#
vika_nezrimaya ok I think I should run 'cause it's 20:39 in my TZ and I should be @ home probably
#
vika_nezrimaya I'll try to reply once I come home
#
[Lewis_Cowles] 👋
#
vika_nezrimaya feel free to play with my app though, and !tell me if it works or if it doesnt
#
vika_nezrimaya It worked for me when I tested it though, even fetching my h-card!
#
[snarfed] vika: i can log in now! sending a message crashes though. TypeError: msg.author is null
#
[snarfed] at onmessage https://indiewebchat.glitch.me/bundle.js:6276
#
[snarfed] also you may want to add a nice error message for non-indieauth-enabled sites, eg http://asdf.com . right now it just reloads the home page, no message
#
[snarfed] (and sites that don't connect at all, eg http://asdf.bbb)
#
[qubyte] I’ll give this a shot in a bit. In transit.
#
jeremycherfas What is Bussator
#
Loqi It looks like we don't have a page for "Bussator" yet. Would you like to create it? (Or just say "Bussator is ____", a sentence describing the term)
#
jeremycherfas Bussator is a WSGI application which implements a webmention receiver. Webmentions can then
#
jeremycherfas be published through dedicated plugins; currently, a plugin for publishing webmentions as Isso comments exists.
#
Loqi ok
#
jeremycherfas What is isso
#
Loqi isso is a self-hosted commenting server similar to Disqus https://indieweb.org/isso
Ashraf_2 and [fluffy] joined the channel
#
[fluffy] [aaronpk] @myfreeweb Thanks, I’ll do my own self-hosted resource token endpoint then. But: that still opens the question of how do I test it as I develop it. I’m not intending to support Micropub just yet and all the tools I’m finding/see mentioned are oriented toward that.
#
[fluffy] My goal here is to have AutoAuth for fetching an authenticated feed. Are there any tools I can run locally toward that goal? Like, being able to get my user endpoint’s token and then simulate the rest of the flow from that.
#
[fluffy] or whatever the right terms are, I probably hecked that up
[chrisbergr] joined the channel
#
[fluffy] per the diagram on https://indieweb.org/AutoAuth - I need a tool for verifying the resource and token_endpoint actions
#
aaronpk you can always fake out these endpoints to test the positive case, like making a token endpoint that returns a fixed string "AAAAAA" and always returns a hardcoded user URL
#
[fluffy] but that doesn’t help me make sure I’m doing the right thing
#
[fluffy] this is one case where I really, really do not want to get the security aspects wrong
#
aaronpk you can also create simplified endpoints that are hard-coded single-user for testing
#
[fluffy] but that also requires me understanding the protocol insofar as creating the simplified endpoints goes
#
[fluffy] I’m running into a big bootstrapping problem here
#
aaronpk i guess i don't know what you're asking then
#
[fluffy] I need to test against an implementation that’s correct, and I need to know what data is exchanged in each step
#
aaronpk so it sounds like you need to find a correct implementation
#
[fluffy] I’m having a very hard time wrapping my head around the various specifications, and it doesn’t help that the AuthAuth spec just defers a bunch of stuff to the IndieAuth spec
#
[fluffy] yes
#
sebsel also: be a aware that you're one of the first people implementing that flow. it's not a battle-tested thing yet.
#
aaronpk i haven't even implemented any of AutoAuth myself yet, so maybe sknebel or sebsel have some more thoughts
#
[fluffy] But also correctly-implemented tooling that makes use of that correct implementation, correctly
#
[fluffy] yeah I asked for more infromation on the AutoAuth spec itself, hoping sknebel gets back to me at some point
#
sebsel I haven't got to it either.
#
[fluffy] https://github.com/sknebel/AutoAuth/issues/19
#
Loqi [fluffy-critter] #19 Provide a full HTTP request/response transaction example
#
sebsel I saw that and have thumbs-upped it, for I struggle with the spec myself still too!
#
[fluffy] even outside of an AutoAuth case, is there tooling for doing the IndieAuth token flow for manually fetching a resource given an appropriate token?
#
sebsel sknebel is the criminal mastermind in this one ;) and Zegnat knows stuff too
#
aaronpk i don't understand that question either heh
#
[fluffy] like, doing the Micropub thing, but without it being Micropub
#
sebsel hm, that would be as simple as `curl -H "Authentication: Bearer xxx" http://example.com`
#
[fluffy] yes but how do I get the value of `xxx` 😛
#
aaronpk that depends on your token endpoint
#
[fluffy] (and how do I verify it)
#
[fluffy] 🤦‍♀️
#
aaronpk up to you
#
aaronpk your token endpoint can create and store tokens however it wants
#
aaronpk one way is to put them in a database
#
[fluffy] I was going to use signed things, because Publ is stateless
#
[fluffy] but like that’s not the part I’mc oncerned about
#
aaronpk sure that's another way
#
aaronpk then i don't understand the problem
#
[fluffy] like I’m concerned about the flow for granting the token
#
aaronpk that's indieauth
#
sebsel what is gimme a token?
#
Loqi gimme a token is a helper to obtain an access token from your IndieAuth endpoint: https://gimme-a-token.5eb.nl/ https://indieweb.org/gimme_a_token
#
aaronpk or, you can just manually create them yourself for testing
#
sebsel If you have IndieAuth set up, then that is a tool to get a token. Does that help?
#
[fluffy] yes, that does. Thank you!
#
aaronpk sebsel: wanna make an equivalent one for autoauth?
#
sebsel sounds like a fun project, but I rather start with actually adding autoauth to my site first :)
#
aaronpk it would help you add it to your site by being able to play the other half!
#
sebsel That is true!
#
sebsel at some point Zegnat had a tool like that, but I believe he said it hardcoded a lot of values.
#
[fluffy] What I’m still missing with gimme-a-token is an explanation of how the token endpoint validates the code though
#
[fluffy] I know it’s “just indieauth” but it’s a part of indieauth I haven’t done and the specs are confusing
#
[fluffy] or maybe it is a part of indieauth I have done and I’m just not recognizing it
#
[fluffy] like here is the sum total of what I’ve implemented IndieAuth-wise: https://github.com/PlaidWeb/Authl/blob/master/authl/handlers/indieauth.py
[schmarty] joined the channel
#
sebsel Yea, that's not really a concern of gimme a token, for it is meant to obtain a token, and how the token is verified is not really important for that flow.
#
aaronpk [fluffy]: how the token endpoint verifies the code is not part of the spec because it's an internal implementation detail between the two
#
[fluffy] yeah but I want to make sure that my token endpoint is verifying the auth code correctly, so that it knows that it’s safe to vend out the token
#
aaronpk so again you can do it however you want to. either by storing the authorization code in memcache or a database, or by using signed strings
#
[fluffy] I realize that token verification is my own concern and I appreciate that
#
aaronpk code verification, not token verification
#
aaronpk what is what i thought you just asked
#
Loqi It looks like we don't have a page for "what i thought you just asked" yet. Would you like to create it? (Or just say "what i thought you just asked is ____", a sentence describing the term)
#
sebsel Does this help then? https://indieweb.org/token-endpoint#Verifying_an_Access_Token
#
[fluffy] probably!
#
[fluffy] no!
#
[fluffy] that’s not the part I’m asking about
#
aaronpk "What I’m still missing with gimme-a-token is an explanation of how the token endpoint validates the code though" did you mean authorization code or access token?
#
[fluffy] I meant the authorization code
#
[fluffy] which is why I said code, not token 😛
#
aaronpk ok good
#
aaronpk then yes it depends on how you build your authorization endpoitn and token endpoint
#
aaronpk they can coordinate internally by using a shared database or shared signing key for example
#
sebsel ah you did say so indeed.
#
[fluffy] but the authorization endpoint isn’t under my control
#
[fluffy] it’s whoever is trying to log in via autoauth
#
aaronpk oh in autoauth
#
[fluffy] yeah. when I say “micropub without micropub” I mean I want to build the parts of the flow that involve all of the stuff up to getting the bearer token
#
[fluffy] and also theoretically I want my micropub stuff, when I do build it, to be able to accept any arbitrary identity URL
#
[fluffy] the part I’m confused about is: someone has an identity URL and, presumably, an authorization code. How do I verify that those things go together so that I can safely generate an access token?
#
aaronpk you ask their authorization endpoint whether it issued that authorization code
#
[fluffy] validating the access token is, yes, my own concern, and I know how I’m going to do that already
#
[fluffy] okay, and is there a step-by-step protocol example of that?
#
aaronpk for autoauth? i don't know
#
[fluffy] for anything
#
aaronpk the indieauth spec walks through each step
#
aaronpk https://indieauth.spec.indieweb.org/#authentication
#
aaronpk with examples of requests and responses
#
[fluffy] thanks, that’s not where my documentation crawl pointed me last night
#
[fluffy] all roads led to the RFC, which is written in RFC-ese
#
aaronpk the various wiki pages also show examples from the point of view of each component, e.g. https://indieweb.org/authorization-endpoint
#
[fluffy] okay so my understanding is that the stuff I already implemented for Authl is what I need to do for the code verification here, too? https://github.com/PlaidWeb/Authl/blob/master/authl/handlers/indieauth.py#L139
#
[fluffy] except instead of it being an indieauth callback it’ll come in as a POST request to my resource endpoint with an `Authorized:` header or something
#
[fluffy] `Authorization:`
#
aaronpk i don't know enough of the autoauth flow to go into any more detail on that
#
[fluffy] okay wait no the part that I’m confused about, I think, is the “Token Request” line beetween user authorization_endpoint and token_endpoint
#
[fluffy] that’s the request I don’t know what it looks like
#
[fluffy] on the autoauth flow at https://indieweb.org/AutoAuth
#
[fluffy] okay I found that in the autoauth spec
#
[fluffy] https://github.com/sknebel/AutoAuth/blob/master/AutoAuth.md#token-request
#
[fluffy] that was the missing piece. Phew.
#
[fluffy] okay I think I understand this now, and I might even understand how to test it. Thanks!
#
[fluffy] I should document this before my ADHD does its thing
circlesDiscord[m joined the channel
#
Loqi yea
#
[schmarty] fluffy++ excellent sleuthing 😄
#
Loqi fluffy has 12 karma in this channel over the last year (38 in all channels)
#
[fluffy] https://github.com/PlaidWeb/Publ/issues/296#issuecomment-547573850
#
Loqi [fluffy-critter] Okay per conversation on Slack: 1. Token request comes from the user's auth endpoint to the token endpoint that we advertise. It is described in https://github.com/sknebel/AutoAuth/blob/master/AutoAuth.md#token-request 2. token endpoint verifies ...
#
sknebel someone rang?
#
sknebel hi [fluffy] - saw your github notifications this morning but had a busy day at work :D
SevenTwenty joined the channel
#
sknebel re reference implementations and tooling: yeah, sadly not really there yet. thanks for taking a look at it anyways!
#
[Lewis_Cowles] [fluffy] have you ever worked with VCR?
#
[Lewis_Cowles] It has libraries for many languages
#
[Lewis_Cowles] https://github.com/php-vcr/php-vcr PHP
#
[Lewis_Cowles] https://github.com/vcr/vcr Ruby
#
[Lewis_Cowles] https://www.npmjs.com/package/node-vcr NodeJS
#
[Lewis_Cowles] https://readthedocs.org/projects/vcrpy/ Python
#
Loqi [vcr] vcr: Record your test suite's HTTP interactions and replay them during future test runs for fast, deterministic, accurate tests.
#
Loqi [php-vcr] php-vcr: Record your test suite's HTTP interactions and replay them during future test runs for fast, deterministic, accurate tests.
#
[Lewis_Cowles] 😂 the Java fork is called Betamax
#
[Lewis_Cowles] I love that so much
#
[fluffy] Cute.
#
[fluffy] Anyway yeah I’ll probably be building some very simple command line tools for testing this stuff.
#
[Lewis_Cowles] 👍 exit code zero ftw
#
[fluffy] And vcrpy looks like it might be useful too, thanks LewisCowles++
#
Loqi LewisCowles has 1 karma in this channel over the last year (3 in all channels)
#
[fluffy] Also sebsel++ and aaronpk++ for helping me stammer my way through this spec
#
[tantek] [fluffy] karma only works at start or end of line
#
[fluffy] Ah
#
[fluffy] sebsel++ for helping me stammer my way through as well as aaronpk++
#
Loqi sebsel has 9 karma in this channel over the last year (32 in all channels)
#
Loqi aaronpk has 53 karma in this channel over the last year (195 in all channels)
#
[fluffy] Cool that edge case works
#
[fluffy] testing++ validation++ IndieWeb++
#
Loqi testing has 6 karma over the last year
#
Loqi IndieWeb has 1 karma in this channel over the last year (4 in all channels)
#
[fluffy] And that result was unsurprising
ecrosstexas joined the channel
#
[tantek] so, fragmentions 😄
[KevinMarks] joined the channel
#
[KevinMarks] Fragmentions always have a space
#
[fluffy] Yes. Fragmentions.
#
[fluffy] Yeah that seems obvious in retrospect.
#
[tantek] I support them on my blog with the polyfill
#
[tantek] they're pretty cool 🙂
#
[KevinMarks] If they don't, id takes precedence
#
[KevinMarks] (some languages don't have spaces)
#
[fluffy] Ah right. Japanese for example.
#
[tantek] e.g. https://tantek.com/2019/301/b1/redecentralize-indieweb-standards-methods#How%20does%20reading%20work
#
Loqi [Tantek Çelik] #Redecentralize 2019 Session: IndieWeb Decentralized Standards and Methods
ecrosstexas joined the channel
#
[tantek] [KevinMarks] it may be useful to define fragmentions behavior in terms of the existing Windows.find feature: https://developer.mozilla.org/en-US/docs/Web/API/Window/find
ecrosstexas and krychu joined the channel
#
[fluffy] Given that’s not a standard that seems risky.
#
[tantek] see also https://github.com/whatwg/html/issues/3539
ecrosstexas joined the channel
#
Loqi [annevk] #3539 Potentially standardize window.find()
ecrosstexas joined the channel
#
[tantek] [fluffy] it's not a boolean
#
[tantek] welcome to my fuzzy world
ecrosstexas joined the channel
#
[fluffy] I think if the standard specifies what is meant by window.find or links to a stable definition that’s fine
#
[tantek] sufficient but not necessary
#
[fluffy] I’ve just been burned too much in the past by a “spec” being “it behaves like this other thing, which doesn’t have a formal spec”
#
[tantek] many work in progress standards cite other work in progress standards instead of duplicating work. this type of living modularization makes sense
#
[fluffy] but if there’s a formal spec,e ven one in-progress, that’s certainly reasonable
#
[KevinMarks] Also id can't have ascii whitespace but could have unicode whitespace. AFAIK fragmentions treat unicode whitespace as ascii whitespace
#
[tantek] sure, you should have something to cite from that perspective. however "doesn't have a formal spec" is *very* different than "all browser implement, but slightly differently"
#
[fluffy] unicode makes everything complicated, but not as complicated as not having unicode
#
[tantek] not as discriminatory at least. human complexity is a good thing that's worth supporting
#
[KevinMarks] The formal spec in html5 came from looking at browser implementations for commonality
#
[tantek] anyway, any standard/spec should *at least* have an appendix of links/references to prior work
#
[fluffy] I’m always imprssed-surprised when things actually capitalize non-US-ASCII correctly. which is a little annoying sometimes
#
[tantek] [fluffy] yup. my last name is a test case for that 🙂
#
[fluffy] My Steam profile name is ◉ω◉ which shows up in the (capitalized) UI as ◉Ω◉
#
[fluffy] which always makes me giggle
#
[schmarty] haha
#
[tantek] (on two counts, both the ç at the start, and the "i" second to last character is supposed to be uppercased as "İ")
#
[fluffy] oh dang I never noticed that wasn’t an English “i”
#
[fluffy] homographs--
#
Loqi homographs has -1 karma over the last year
#
[tantek] yeah the lang="tr" is invisible metadata 💁‍♂️
#
[tantek] also why JSON fails at human strings, which most strings are
#
[fluffy] Long ago I gave up on trying to spell “Erdos” correctly
#
[tantek] JSON is actually anti-i18n by default because of this. kind of a problem if you're not english-centric/blinded
#
[fluffy] I mean usually if I want to I copy-paste from the Wikipedia page title to get Erdős
#
[tantek] BTW this is why HTML is a better format for machine data *about humans* than JSON
#
[fluffy] but I have no idea how the heck to write ő otherwise
#
[fluffy] nor do I have any idea how to pronounce it
#
[tantek] we need to progress & specify & fix this: https://github.com/microformats/microformats2-parsing/issues/3
#
Loqi [voxpelli] #3 Parse language information
#
[tantek] that's how we solve this for JSON
#
[tantek] by using mf2 instead
#
[fluffy] A few years ago I saw a TED talk where someone pronounced “Mandelbrot” as if it were a French name and I had a minor existential crisis because I thought I’d been saying it wrong all these years, but then I looked it up and found out, no, he was French-Polish and Mandelbrot is a Polish name, so I was probably mispronouncing it a different way.
#
[KevinMarks] There used to be a nice mac keyboard called US Academic that extended the option-u [letter] model used for umlaut to all the other diureses
#
[tantek] could folks using php-mf2 please turn on the flag for 'lang' attribute parsing in their consuming code and report back re: https://github.com/microformats/microformats2-parsing/issues/3#issuecomment-400498161 ?
#
Loqi [gRegorLove] php-mf2 supports this behind a feature flag as of 0.3.2 https://github.com/indieweb/php-mf2/releases/tag/v0.3.2 microformat-shiv supports this as of 2.0 https://github.com/glennjones/microformat-shiv/issues/22 Still pending confirmation from a ...
#
[tantek] we really need code that uses php-mf2 to do this and report back on what breakage (if any) they encountered
#
[fluffy] oh neat, macOS actually lets you long-press O to get the õ
#
[tantek] and how much work it was to fix
#
[fluffy] oh wait that’s a tilde, I need to wear my glasses I guess
#
[tantek] can we move the authoring of i18n text (keyboards, keys) to the main indieweb channel? since that's a UX/user thing?
#
[tantek] (hoping it would reach more non-English folks)
#
[fluffy] good idea
ecrosstexas and [jgmac1106] joined the channel
#
[Lewis_Cowles] tantek, HTML only copes after decode. In it's TCP packet form, I
#
[Lewis_Cowles] am fairly certain it's all anglo-centric
#
[tantek] [Lewis_Cowles] that's ok if we agree on HTML as the interop layer
#
[tantek] that allows lower layers to be swapped out
#
[Lewis_Cowles] 👍
#
[tantek] for example when I view HTML files on my laptop there is zero TCP
#
[Lewis_Cowles] JSON has an interop layer on an interop layer
#
[tantek] JSON has no i18n layer, that's the problem
#
[tantek] unicode alone is insufficient
#
[Lewis_Cowles] hmm, interesting outlook
#
[Lewis_Cowles] aren't most envelope formats guilty of the same?
#
[tantek] oh it was quite the interesting painful lesson learned in W3C Social Web WG standards work
#
[tantek] aaronpk knows what I'm talking about
#
[Lewis_Cowles] be interested to see the solutions
[qubyte] joined the channel
#
[tantek] already linked. https://github.com/microformats/microformats2-parsing/issues/3
#
Loqi [voxpelli] #3 Parse language information
gRegorLove joined the channel
#
[Lewis_Cowles] trying to work out as lightweight as possible a fragmention / settings optional include
#
[Lewis_Cowles] fragmention.js is a little heavyweight
#
[Lewis_Cowles] and I'm not sure I want to force it on people
#
[Lewis_Cowles] but if someone opts in to them, I can use a small script to include the feature
#
[Lewis_Cowles] I avoided serviceworker right now for the same reason
#
[Lewis_Cowles] I don't like forcing cruft upon people
#
[tantek] yeah that's reasonable and I'm similarly trying to keep my "default" service worker fairly lightweight for that matter (and only installs if you visit my home page)
#
[Lewis_Cowles] not knocking anyone else efforts.
#
[Lewis_Cowles] or approach
#
[tantek] not at all, it's good food for discussion
#
[tantek] I like the general idea of respecting a user's (browsing, machine, energy) resources
#
[Lewis_Cowles] I wish my fav browser would come with polyfills for this sort of thing
[snarfed] joined the channel
#
[snarfed] fragmention.js is 3.1KB. i wouldn't call that heavyweight
#
[tantek] snarfed, the payload size is only the initial weight. it's the ongoing processing overhead that could be considered additional weight
#
[Lewis_Cowles] [snarfed] 3k per-visit (assume I didn't setup caching or their client doesn't support)
#
[snarfed] well yeah caching is kind of assumed
#
[snarfed] [tantek] sure! but i also expect fragmention.js's CPU load is very low
#
[snarfed] measure before you optimize, etc
#
[tantek] no way to know without measuring 🙂
#
[tantek] lol
#
[snarfed] and decide what you compare it to
#
[tantek] (I mean absent spinning fans and laptop heat but that's rather coarse)
#
[Lewis_Cowles] I don't mind assuming a client will behave sanely, but I do think we're stretching a bit, ignoring aggregates
#
[Lewis_Cowles] 3kb is about the size of a blog page
#
[tantek] lol not on any silo
#
[Lewis_Cowles] so relatively it's 3x the size of my SVG logo
#
[tantek] more like 3MB amirite?
#
[Lewis_Cowles] 😉
#
[snarfed] [Lewis_Cowles] regardless, 3KB's impact on your actual time to first byte, or whatever, i expect is more or less nothing
#
[tantek] my goal is to get my entire site service-worker caching to be less than the HTTP transfer size of a single twitter permalink
#
[snarfed] (relative to all other factors)
#
[snarfed] [tantek] sounds like a low bar 😁
#
[tantek] [Lewis_Cowles] I like the design thinking of opt-in for feature enhancements like fragmentions
#
[Lewis_Cowles] maybe he means mobile twitter 😄
#
[tantek] lol. either way IDK anyone who can make that claim today so it's not too low a bar 😄
#
sebsel I remember seeing a page where VueJS was showing they were the smallest among other JS frameworks with only 21kb. People throw in multiple frameworks on some pages.
#
[Lewis_Cowles] It's a wonderful goal
#
[tantek] maybe that's worth a public challenge
#
sebsel I mean good to think about 3kb, but the bar is low
#
[tantek] there may be a way to do an implied opt-in for fragmentions even on first fragmention load
#
[Lewis_Cowles] I've so far refused to implement webmention display
#
[chrisbergr] [tantek] I hope you reach your goal. And I hope that you will write an article about how you did it 🙂
#
[tantek] [Lewis_Cowles] I've only implemented it for RSVPs
#
[Lewis_Cowles] [tantek] that is the idea, although I've just pivoted to tiny JS which turns on by default
#
[tantek] I'm thinking a small JS stub that checks the document URL to see 1 it has a fragment and 2 if that fragment has a space, and only *then* dynamically loading the fragmentions js and executing it
#
[tantek] so you'd only incur that 3kb when people clicked URLs with fragmentions.
#
[Lewis_Cowles]
#
[Lewis_Cowles] that is better
#
[Lewis_Cowles] no need to check for cookies or localstorage then
#
[tantek] correct
#
sebsel (it's worse: the 21kb for Vue is actually the Gzipped version. https://gist.github.com/Restuta/cda69e50a853aa64912d)
#
[Lewis_Cowles] I may be lazy and just check for a hash
#
[tantek] pulls out his URL reference https://tantek.com/2011/238/b1/many-ways-slice-url-name-pieces
#
Loqi [Tantek Çelik] How many ways can you slice a URL and name the pieces?
#
[Lewis_Cowles] as it's a 1-liner
#
[Lewis_Cowles] ```javascript
#
[Lewis_Cowles] return (href && href.split('#').length > 1 && href.indexOf('%20') > 0);
#
[Lewis_Cowles] }
#
[Lewis_Cowles] function usesFragmention(href) {
#
[Lewis_Cowles] usesFragmention(window.location.href)
#
[Lewis_Cowles] ```
#
[tantek] if (h=window.location.hash && h.indexOf('#')!=-1 && h.indexOf(' ')!=-1) ...
#
[tantek] lol
#
[Lewis_Cowles] I've been more ghetto
#
[Lewis_Cowles] href.split
#
[Lewis_Cowles] 😂 flashing the OG
#
[chrisbergr] Oh dear, that comic is so true
#
[tantek] not sure which is more ghetto, using split to parse a URL, or inline variable assignment in an if conditional
#
[Lewis_Cowles] and not scoping it 👀
#
[Lewis_Cowles] I like that we had a similar idea, although yours forces double hash... maybe I should too
#
[Lewis_Cowles] I do like the function so I can pretend I'll test it too
FreshcollegeGirl joined the channel
#
[Lewis_Cowles] hmm site folder is a lot more than 3kb as every file has overhead of feature-detection (1kb on disc) + if fragmention is needed
#
[Lewis_Cowles] We're talking bytes per-page (and I included it site-wide, which I'm not sure is right)
#
[Lewis_Cowles] but it's a thing
FreshcollegeGirl joined the channel
#
[tantek] no [Lewis_Cowles] mine does not force double hash
#
[tantek] but that clues me into an improvement
#
[tantek] if (h=window.location.hash && h[0]==='#' && h.indexOf(' ')!==-1) { /* load fragmentions.js */ }
#
[tantek] which makes me realize you *can* use fragmentions to link to a single word, you just have to decide whether to include a space before or after the word!
#
[fluffy] Question: if someone tries to access a public resource but provides an invalid/expired Bearer token, what’s the correct response?
#
[fluffy] Should it just be treated as if there was no token provided or should it return a 403?
#
[fluffy] Or other 4xx
#
aaronpk doesn't really matter too much because nobody has built UX around handling the different responses differently, but https://tools.ietf.org/html/rfc6750#section-3.1
#
[fluffy] That’s for a protected resource. What about for one that would be accessible even without a token?
#
aaronpk i'd say the "invalid_token" response applies there too
#
[fluffy] Ok
#
aaronpk you do want to indicate that something went wrong as opposed to returning the public response
#
[fluffy] Makes sense.
FreshcollegeGirl joined the channel
#
[tantek] there are public resources with protected sections
#
[tantek] e.g. home page with h-card that has phone number or address when signed-in with IndieAuth and on an allow list
#
[tantek] e.g. h-feed with a mix of public and protected posts
#
aaronpk right which is why you want to make sure the client knows the token they sent is bad, vs just returning only the public parts
FreshcollegeGirl and [KevinMarks] joined the channel
#
[KevinMarks] they could check if it still has a WWW-Authenticate: header
jjuran joined the channel
#
[Lewis_Cowles] my blog loads so fast I had to add a setTimeout for the fragmentions to work
#
[Lewis_Cowles] I checked the element was not null, and the document.readyState, but it would not scroll without a setTimeout, which I then had to debounce
bradleyallen joined the channel
#
[Lewis_Cowles] One sucky thing is that it's not on by default, so people wanting to use should try adding #frag%20mention%20for%20quotes
#
[fluffy] Returning an error on bad token is actually easier for me to implement so that’s what I’m doing :)
#
aaronpk that sounds better anyway
[Bradley_Allen] and gRegorLove joined the channel
#
KartikPrabhu [Lewis_Cowles]: that is surprising. I am sure I have fragmention.js on local pages
#
[KevinMarks] you can keep it in separate file and defer it?
#
[Lewis_Cowles] Oh it is in a separate file
#
[Lewis_Cowles] I'm now proud to say that I made a link which is not visible without JS, which toggles loading for people visiting without a fragmention
#
[Lewis_Cowles] I also removed the IE8 jazz
#
[Lewis_Cowles] guarded adding the JS
[dougbeal] joined the channel
#
[Lewis_Cowles] just added a descriptive title to let people know they need JS (because the button is there without JS, just not visible via CSS)