#dev 2019-10-29

2019-10-29 UTC
[chrisbergr] and [snarfed] joined the channel
#
[snarfed]
updated all the images and buttons on https://brid.gy/ , https://granary.io/ , https://oauth-dropins.appspot.com/ to 2x resolution. not a big deal, but they definitely look sharper now
#
[snarfed]
little things
tg-z, SevenTwenty, KartikPrabhu, [Bradley_Allen] and maxwell joined the channel
#
maxwell
@jgmac1106, @aaronpk, @snarfed - I wrote a post about what I got done with your help, thanks again: https://www.maxwelljoslyn.com/blog/2019/10/28/1
#
Loqi
With advice from Greg McVerry, Aaron Parecki, and Ryan Barrett, I finished getting this blog set up for subscription using the h-feed microformat, and made other improvements along the way: all pages now have a self-link in the title all pages, not ...
SevenTwenty, dougbeal|mb1, gRegorLove, [fluffy], [KevinMarks], tg-z and [snarfed] joined the channel
#
[snarfed]
maxwell++
#
Loqi
maxwell has 1 karma over the last year
#
[snarfed]
and hah, rogue u-mention-ofs
#
[tantek]
where did that even come from?
[timothy_chamber, FreshcollegeGirl, ecrosstexas, gRegorLove, ecrosstexas[m], LavetteGeneratio and [fluffy] joined the channel
#
[fluffy]
probably from me, I was sending those out for a while
#
[fluffy]
but maybe I’m not the only one 🙂
#
[fluffy]
meanwhile I’m going out on a limb and starting to implement AutoAuth in Publ even though I have no way to actually, like, test it
[Rose] joined the channel
#
[fluffy]
or maybe maxwell got it from the same place I did, and I have no idea where that is aside from maybe inferring it based on ???
#
[fluffy]
like it seems intuitive that it’d exist
#
gRegorLove
[fluffy], mblaney and I can help test different parts of that. He has the reader part
FreshcollegeGirl joined the channel
#
[fluffy]
Is there any mechanism for testing it when my stuff is just on localhost though? I don’t want to have to deploy to the public web to test things.
#
[fluffy]
also, for the resource token endpoint, is there any reason I should implement my own as part of Publ, or can that just be something that’s hosted externally and uses tokens.indieauth.com by default or whatever?
#
[fluffy]
like I’m not quite clear on the difference between a resource token and a user token in this context
#
[fluffy]
Or is there one?
[jeremycherfas] joined the channel
#
[fluffy]
okay yeah I’m completely confused by how one actually goes about verifying a token
#
[fluffy]
it seems that it’s up to the application to have a trust relationship with the token endpoint, is that correct?
#
[fluffy]
so like I could use tokens.indieauth.com as a short-term thing but in the long term I’d want to move to my own self-hosted endpoint?
cweiske joined the channel
#
[fluffy]
what I could really use is some simple commandline tools or cut-and-paste recipes or whatever for verifying the token flow
KartikPrabhu, asymptotically and [tonz] joined the channel
#
@Borisson
It looks like we will get @swentel back into core development with getting webmention and the indieweb to drupal https://t.co/BBZdlk6g1L
(twitter.com/_/status/1189105832300023808)
#
@Peytz
What comes after Drupal 9.0.0? Automation? Reusable components? Accessibility? Semantic HTML? Webmention support? Native DAM? JSON: API clients / SDKs? What are your hopes and wishes? #Driesnotes #DrupalCon
(twitter.com/_/status/1189106771983511554)
[KevinMarks] and [Matt_Hobbs] joined the channel
#
myfreeweb
[fluffy]: token (& auth) endpoint being part of the application is honestly so much easier than using an external one, localhost development Just Works
#
myfreeweb
for checking that auth works, i use a local instance of https://github.com/barryf/micropublish
#
Loqi
[barryf] micropublish: A Micropub client that you can use to create, update, delete and undelete content on your Micropub-enabled site.
gRegorLove joined the channel
#
Zegnat
Oooh, Webmention shoutout at the Drupal Driesnote?
#
Zegnat
pings local Drupal dev firm with a pitch to come and speak about mf2 and webmentions
jeremych_, [KevinMarks]1, [jgmac1106], [grantcodes], FreshcollegeGirl and [qubyte] joined the channel
#
jeremycherfas
Is there a simpler way of testing a cron job than tail the file in var/mail ?
IWSlackGateway, [Matt_Hobbs], [qubyte], [grantcodes] and [tonz] joined the channel
#
Zegnat
jeremycherfas: test how? Know that it ran?
#
jeremycherfas
Know that it ran is easy; the files appear where I expect them. Find the errors if it didn't.
#
jeremycherfas
But in the meantime, I fixed the path to the bash script I was hoping it would run and it worked. I thought that cron might know about $PATH, but it seems not to.
#
jeremycherfas
So now I am downloading and renaming my access.log every day, and my next challenge will be to try and get Bise working locally.
#
Zegnat
Ah, yeah, $PATH is “scoped” to your current terminal session. So unless you are the one running the cron task manually, it would not know about what you personally set as your $PATH
[Rose], [KevinMarks] and [timothy_chamber joined the channel
#
aaronpk
[fluffy]: yeah using built in endpoints is much easier than trying to support external services for things like that once you get into the relatively complex scenarios like autoauth
KartikPrabhu and [tantek] joined the channel
#
[Rose]
[aaronpk] What should I be looking for regarding compass background workers? I thought mine were working but I probably missed something
#
aaronpk
Oh I did document it
#
Loqi
[aaronpk] Compass: Compass is a GPS tracking server that stores data in flat files.
#
aaronpk
Refer to the Lumen docs for more details too
#
[Rose]
Thanks!
#
aaronpk
You'll need to define the queue driver in the config file, there are different options like database or redis
#
[Rose]
Good start: queue driver database is uncommented
GWG joined the channel
#
aaronpk
For the database one you'll need to add the tables. There's a command for that documented in Lumen
#
aaronpk
Oh it's in my docs too
#
[Rose]
It is, and I already did that
#
[Rose]
Right, so it was running the queue in the background I didn't have
#
[tantek]
Wait what did I just read that Webmention and other building blocks may get built into Drupal 9?
#
aaronpk
When you run the worker it'll write to a log file in the storage/logs folder so you can check there for errors
#
[tantek]
[KevinMarks] ping - how soon can you get to updating /fragmentions spec? This week? It has some urgency because various Google folks are pushing for their more complex proposal instead
#
[Rose]
I _think_ I got it working
#
[Rose]
Oh darn, errors
#
[Rose]
Aws\Sqs\SqsClient not found
#
aaronpk
That's odd, so you have anything in the config that mentions AWS?
#
aaronpk
That's an alternative queue driver
#
[Rose]
Sorry, work emergency, now I can check
#
[Rose]
There's nothing in my .env
#
[Rose]
But, my queue is running now
#
[Rose]
(I just stopped it, because letting it run wildly when it's running into errors seems like a bad idea)
vika_nezrimaya joined the channel
#
vika_nezrimaya
Good Morning IndieWeb
#
vika_nezrimaya
My site's currently down, so I'm playing around with node.js
#
vika_nezrimaya
JavaScript is actually fun! Right now I'm trying to make a socket.io based chat app with IndieAuth
#
[KevinMarks]
Being able to debug node server code on my own machine with Visual Studio Code is nice
[schmarty] joined the channel
#
[tantek]
[Matt_Hobbs] can you add your questions about how to markup author(s) of one or more entry(ies) to the https://indieweb.org/h-entry page? That way we can capture them and make sure they have good step by step answers!
[Matt_Hobbs] joined the channel
#
[Matt_Hobbs]
Hi [tantek], yes sure will do :thumbsup:
#
[Rose]
[aaronpk] To further mystify matters, I can't find "Aws" anywhere in your code
#
aaronpk
[Rose]: yeah it's part of Lumen
#
aaronpk
it shouldn't be trying to load that unless you've defined the SQS driver though
#
[Rose]
I don't even see a sample of defining that
#
[Matt_Hobbs]
Hmmm I'm looking for a way to do this. Just logged in but can't see an option anywhere. Is there something I am missing?
#
Loqi
[andy1547] #12029 SQS Class 'Aws\Sqs\SqsClient' not found When trying to use Redis queue, despite SQS not referenced anywhere
#
[Rose]
Possibly!
#
[Rose]
Yes, it was
#
[Rose]
Mystery solved, poor documentation at fault (as well as me not reading everything through/understanding it all)
#
aaronpk
i didn't even know that was possible so i learned something new too
#
[Rose]
It would be better if the docs didn't have that as the default command I suspect
#
aaronpk
definitely
#
aaronpk
seems like a weird default
#
[Rose]
Anyway, I now have a queue worker running
[jgmac1106] joined the channel
#
[Rose]
makes a note to make a pull request on your repo to add details to the docs on what she did
#
vika_nezrimaya
any easy ways to discover rel=authorization_endpoint from client-side JS without hoping that stuff happens with cross origin policy?
#
vika_nezrimaya
CORS, I mean
#
aaronpk
either the site needs to send the proper CORS headers, or you'll need a server-side component that the client-side JS can talk to
#
vika_nezrimaya
ugh
#
aaronpk
yeah :-/
#
aaronpk
browsers 🤷
#
[tantek]
[Matt_Hobbs] you can start with adding a new == Questions == section near the bottom
[Lewis_Cowles] and jackjamieson joined the channel
#
vika_nezrimaya
oh, great
#
vika_nezrimaya
IndieAuth is so weird. I try to authenticate against my endpoint (indieauth.com) but it says that code parameter is missing. I can clearly see it being sent.
#
vika_nezrimaya
also it doesn't seem to understand Accept: application/json, text/plain, */*
#
aaronpk
Make sure it's sent in the post body not the query string
#
vika_nezrimaya
I'm POSTing it... There are no query strings
#
vika_nezrimaya
I'm using axios on Node.js side to talk to auth endpoint
#
vika_nezrimaya
because auth is checked on the server
#
aaronpk
Double check the post body format then. Sometimes these clients do weird things. Needs to be form-encoded body with the matching content type header
#
vika_nezrimaya
Form-encoded? It doesn't accept JSON?!
#
aaronpk
As a post body? No
#
vika_nezrimaya
oh wow
#
aaronpk
form encoded posts are the "normal" one
#
vika_nezrimaya
that's why I kinda don't like implementing IndieAuth... :3 sadly I don't think there's a library
#
aaronpk
there's no advantage to posting JSON if you're only sending a couple strings
#
vika_nezrimaya
maybe I should write one
#
aaronpk
there has to be a library for it
#
aaronpk
it's usually the default in http clients
#
vika_nezrimaya
library for IndieAuth, I mean!
#
vika_nezrimaya
so I wouldn't have to deal with finding endpoints, checking codes, etc. myself
#
vika_nezrimaya
and only have a function that executes once user completes the auth flow correctly :3
#
[Lewis_Cowles]
vika, you could implement a middleware to wrangle content-type if it’s JSON, but then you’d increase a lot of work as there are many JSON mime-types. text/json, application/json, application/vnd.api+json contentType is one I learned about at my current job (which I think should just be application/json)
#
vika_nezrimaya
I think application/json is the more accepted and seen one
#
vika_nezrimaya
i use it when sending my requests
#
vika_nezrimaya
text/json imo is not quite right, since JSON can be anything, including text. I could even transmit a PNG picture encoding its properties in JSON. it'll take a lot of data but it will certainly not be text
#
[Lewis_Cowles]
fd = new FormData() would allow you to unburden yourself and simply POST 😉
[qubyte] joined the channel
#
[qubyte]
When it’s a URL encoded body you can use `URLSearchParams` as a global in node these days. Very handy.
#
[qubyte]
I use it quite a lot to decode simple form bodies. It’s only when things go multipart that it becomes a pain to handle.
#
[Lewis_Cowles]
[qubyte]++
#
Loqi
[qubyte] has 1 karma in this channel over the last year (2 in all channels)
#
[Lewis_Cowles]
I’ve never encountered that. Wonderful. I rather like window.location, but fully accept it could be easier to work with and less verbose
#
[qubyte]
If it’s all hex tokens and stuff you can just build a string manually. No need for the encoding.
gRegorLove joined the channel
#
vika_nezrimaya
yay, I wrote a chat app using socket.io and IndieAuth!
#
Loqi
vika_nezrimaya has 1 karma in this channel over the last year (3 in all channels)
#
aaronpk
vika_nezrimaya++ yay congrats!
#
Loqi
😃
#
vika_nezrimaya
I only need to upload it to glitch and we can ditch IRC :D
#
vika_nezrimaya
except I don't have chat history yet
#
vika_nezrimaya
huh, glitch doesn't seem to do something like npm run build before starting my app
#
[qubyte]
You can hack a bunch of that stuff (it’s possible for glitch to run rust (and therefore compilation is a must)).
#
[qubyte]
It _might_ (definitely no guarantees here) be as simple as including a shell script called `start.sh`.
#
[qubyte]
Info on lifecycle hooks in that.
#
[qubyte]
If glitch is starting the app using `npm start`, then you might just get away with adding to scripts `"prestart": "npm run build",` since npm will pick that up as part of how it handles scripts right before it runs `start`.
#
[qubyte]
(definitely worth trying that before getting into the glitch lifecycle stuff)
#
vika_nezrimaya
https://indiewebchat.glitch.me - login with your website!
#
vika_nezrimaya
I want to try seeing other people in the chat :3
#
vika_nezrimaya
so please someone test this
#
vika_nezrimaya
note that this thing doesn't remember the login
#
vika_nezrimaya
no cookies support, no session persistence, nothing!
[snarfed] joined the channel
#
[snarfed]
just fyi, interesting error when i typed in http://asdf.com : looks like it tried to HTTP GET the HTML contents? and failed
#
aaronpk
i logged in but i can't click into the text box
#
vika_nezrimaya
Wait a little bit, once auth passes, it should unlock
#
vika_nezrimaya
This is alpha-quality software
#
vika_nezrimaya
and my first foray into Node
#
vika_nezrimaya
I don't see you being connected though... something may have gone wrong
#
vika_nezrimaya
and it certainly did
#
[Lewis_Cowles]
same, but very cool
#
[Lewis_Cowles]
@vika_nezrimaya++
#
Loqi
@vika_nezrimaya has 2 karma in this channel over the last year (4 in all channels)
[manton] joined the channel
#
vika_nezrimaya
aaronpk, [Lewis_Cowles]: I pushed some fixes that prevent app from glitching in case it can't fetch your h-cards
#
vika_nezrimaya
try again now
#
[Lewis_Cowles]
OfflineFirst has their very own aaron, and they've written a post about request queueing https://medium.com/to-err-is-aaron/managing-state-with-offline-first-request-queuing-d29f043205d4
#
[Lewis_Cowles]
I'll check out changes
[grantcodes] joined the channel
#
[grantcodes]
Nice vika! I have some pretty well tested node / is libraries for indieauth. Feel free to use it or copy code from it. It uses axios too
#
[Lewis_Cowles]
Shorter url query-string this time, but ultimately still not logged me in
#
[Lewis_Cowles]
perhaps that can help?
#
vika_nezrimaya
wait, this is not supposed to happen. It should GET that query string to an authorization endpoint!
#
vika_nezrimaya
Do you have an authorization endpoint configured correctly?
#
[Lewis_Cowles]
oh this may be me conflating indieauth and indielogin 😊
#
[Lewis_Cowles]
yeah... my bad
#
vika_nezrimaya
ok I think I should run 'cause it's 20:39 in my TZ and I should be @ home probably
#
vika_nezrimaya
I'll try to reply once I come home
#
[Lewis_Cowles]
👋
#
vika_nezrimaya
feel free to play with my app though, and !tell me if it works or if it doesn't
#
vika_nezrimaya
It worked for me when I tested it though, even fetching my h-card!
#
[snarfed]
vika: i can log in now! sending a message crashes though. TypeError: msg.author is null
#
[snarfed]
also you may want to add a nice error message for non-indieauth-enabled sites, eg http://asdf.com . right now it just reloads the home page, no message
#
[snarfed]
(and sites that don't connect at all, eg http://asdf.bbb)
#
[qubyte]
I’ll give this a shot in a bit. In transit.
#
jeremycherfas
What is Bussator
#
Loqi
It looks like we don't have a page for "Bussator" yet. Would you like to create it? (Or just say "Bussator is ____", a sentence describing the term)
#
jeremycherfas
Bussator is a WSGI application which implements a webmention receiver. Webmentions can then
#
jeremycherfas
be published through dedicated plugins; currently, a plugin for publishing webmentions as Isso comments exists.
#
jeremycherfas
What is isso
#
Loqi
isso is a self-hosted commenting server similar to Disqus https://indieweb.org/isso
Ashraf_2 and [fluffy] joined the channel
#
[fluffy]
[aaronpk] @myfreeweb Thanks, I’ll do my own self-hosted resource token endpoint then. But: that still opens the question of how do I test it as I develop it. I’m not intending to support Micropub just yet and all the tools I’m finding/see mentioned are oriented toward that.
#
[fluffy]
My goal here is to have AutoAuth for fetching an authenticated feed. Are there any tools I can run locally toward that goal? Like, being able to get my user endpoint’s token and then simulate the rest of the flow from that.
#
[fluffy]
or whatever the right terms are, I probably hecked that up
[chrisbergr] joined the channel
#
[fluffy]
per the diagram on https://indieweb.org/AutoAuth - I need a tool for verifying the resource and token_endpoint actions
#
aaronpk
you can always fake out these endpoints to test the positive case, like making a token endpoint that returns a fixed string "AAAAAA" and always returns a hardcoded user URL
#
[fluffy]
but that doesn’t help me make sure I’m doing the right thing
#
[fluffy]
this is one case where I really, really do not want to get the security aspects wrong
#
aaronpk
you can also create simplified endpoints that are hard-coded single-user for testing
#
[fluffy]
but that also requires me understanding the protocol insofar as creating the simplified endpoints goes
#
[fluffy]
I’m running into a big bootstrapping problem here
#
aaronpk
i guess i don't know what you're asking then
#
[fluffy]
I need to test against an implementation that’s correct, and I need to know what data is exchanged in each step
#
aaronpk
so it sounds like you need to find a correct implementation
#
[fluffy]
I’m having a very hard time wrapping my head around the various specifications, and it doesn’t help that the AutoAuth spec just defers a bunch of stuff to the IndieAuth spec
#
sebsel
also: be aware that you're one of the first people implementing that flow. it's not a battle-tested thing yet.
#
aaronpk
i haven't even implemented any of AutoAuth myself yet, so maybe sknebel or sebsel have some more thoughts
#
[fluffy]
But also correctly-implemented tooling that makes use of that correct implementation, correctly
#
[fluffy]
yeah I asked for more information on the AutoAuth spec itself, hoping sknebel gets back to me at some point
#
sebsel
I haven't got to it either.
#
Loqi
[fluffy-critter] #19 Provide a full HTTP request/response transaction example
#
sebsel
I saw that and have thumbs-upped it, for I struggle with the spec myself still too!
#
[fluffy]
even outside of an AutoAuth case, is there tooling for doing the IndieAuth token flow for manually fetching a resource given an appropriate token?
#
sebsel
sknebel is the criminal mastermind in this one ;) and Zegnat knows stuff too
#
aaronpk
i don't understand that question either heh
#
[fluffy]
like, doing the Micropub thing, but without it being Micropub
#
sebsel
hm, that would be as simple as `curl -H "Authorization: Bearer xxx" http://example.com`
#
[fluffy]
yes but how do I get the value of `xxx` 😛
#
aaronpk
that depends on your token endpoint
#
[fluffy]
(and how do I verify it)
#
[fluffy]
🤦‍♀️
#
aaronpk
up to you
#
aaronpk
your token endpoint can create and store tokens however it wants
#
aaronpk
one way is to put them in a database
#
[fluffy]
I was going to use signed things, because Publ is stateless
#
[fluffy]
but like that’s not the part I’m concerned about
#
aaronpk
sure that's another way
#
aaronpk
then i don't understand the problem
#
[fluffy]
like I’m concerned about the flow for granting the token
#
aaronpk
that's indieauth
#
sebsel
what is gimme a token?
#
Loqi
gimme a token is a helper to obtain an access token from your IndieAuth endpoint: https://gimme-a-token.5eb.nl/ https://indieweb.org/gimme_a_token
#
aaronpk
or, you can just manually create them yourself for testing
#
sebsel
If you have IndieAuth set up, then that is a tool to get a token. Does that help?
#
[fluffy]
yes, that does. Thank you!
#
aaronpk
sebsel: wanna make an equivalent one for autoauth?
#
sebsel
sounds like a fun project, but I'd rather start with actually adding autoauth to my site first :)
#
aaronpk
it would help you add it to your site by being able to play the other half!
#
sebsel
That is true!
#
sebsel
at some point Zegnat had a tool like that, but I believe he said it hardcoded a lot of values.
#
[fluffy]
What I’m still missing with gimme-a-token is an explanation of how the token endpoint validates the code though
#
[fluffy]
I know it’s “just indieauth” but it’s a part of indieauth I haven’t done and the specs are confusing
#
[fluffy]
or maybe it is a part of indieauth I have done and I’m just not recognizing it
#
[fluffy]
like here is the sum total of what I’ve implemented IndieAuth-wise: https://github.com/PlaidWeb/Authl/blob/master/authl/handlers/indieauth.py
[schmarty] joined the channel
#
sebsel
Yea, that's not really a concern of gimme a token, for it is meant to obtain a token, and how the token is verified is not really important for that flow.
#
aaronpk
[fluffy]: how the token endpoint verifies the code is not part of the spec because it's an internal implementation detail between the two
#
[fluffy]
yeah but I want to make sure that my token endpoint is verifying the auth code correctly, so that it knows that it’s safe to vend out the token
#
aaronpk
so again you can do it however you want to. either by storing the authorization code in memcache or a database, or by using signed strings
#
[fluffy]
I realize that token verification is my own concern and I appreciate that
#
aaronpk
code verification, not token verification
#
aaronpk
what is what i thought you just asked
#
Loqi
It looks like we don't have a page for "what i thought you just asked" yet. Would you like to create it? (Or just say "what i thought you just asked is ____", a sentence describing the term)
#
[fluffy]
probably!
#
[fluffy]
that’s not the part I’m asking about
#
aaronpk
"What I’m still missing with gimme-a-token is an explanation of how the token endpoint validates the code though" did you mean authorization code or access token?
#
[fluffy]
I meant the authorization code
#
[fluffy]
which is why I said code, not token 😛
#
aaronpk
ok good
#
aaronpk
then yes it depends on how you build your authorization endpoint and token endpoint
#
aaronpk
they can coordinate internally by using a shared database or shared signing key for example
#
sebsel
ah you did say so indeed.
#
[fluffy]
but the authorization endpoint isn’t under my control
#
[fluffy]
it’s whoever is trying to log in via autoauth
#
aaronpk
oh in autoauth
#
[fluffy]
yeah. when I say “micropub without micropub” I mean I want to build the parts of the flow that involve all of the stuff up to getting the bearer token
#
[fluffy]
and also theoretically I want my micropub stuff, when I do build it, to be able to accept any arbitrary identity URL
#
[fluffy]
the part I’m confused about is: someone has an identity URL and, presumably, an authorization code. How do I verify that those things go together so that I can safely generate an access token?
#
aaronpk
you ask their authorization endpoint whether it issued that authorization code
#
[fluffy]
validating the access token is, yes, my own concern, and I know how I’m going to do that already
#
[fluffy]
okay, and is there a step-by-step protocol example of that?
#
aaronpk
for autoauth? i don't know
#
[fluffy]
for anything
#
aaronpk
the indieauth spec walks through each step
#
aaronpk
with examples of requests and responses
#
[fluffy]
thanks, that’s not where my documentation crawl pointed me last night
#
[fluffy]
all roads led to the RFC, which is written in RFC-ese
#
aaronpk
the various wiki pages also show examples from the point of view of each component, e.g. https://indieweb.org/authorization-endpoint
#
[fluffy]
okay so my understanding is that the stuff I already implemented for Authl is what I need to do for the code verification here, too? https://github.com/PlaidWeb/Authl/blob/master/authl/handlers/indieauth.py#L139
#
[fluffy]
except instead of it being an indieauth callback it’ll come in as a POST request to my resource endpoint with an `Authorized:` header or something
#
[fluffy]
`Authorization:`
#
aaronpk
i don't know enough of the autoauth flow to go into any more detail on that
#
[fluffy]
okay wait no the part that I’m confused about, I think, is the “Token Request” line between user authorization_endpoint and token_endpoint
#
[fluffy]
that’s the request I don’t know what it looks like
#
[fluffy]
okay I found that in the autoauth spec
#
[fluffy]
that was the missing piece. Phew.
#
[fluffy]
okay I think I understand this now, and I might even understand how to test it. Thanks!
#
[fluffy]
I should document this before my ADHD does its thing
circlesDiscord[m joined the channel
#
[schmarty]
fluffy++ excellent sleuthing 😄
#
Loqi
fluffy has 12 karma in this channel over the last year (38 in all channels)
#
Loqi
[fluffy-critter] Okay per conversation on Slack: 1. Token request comes from the user's auth endpoint to the token endpoint that we advertise. It is described in https://github.com/sknebel/AutoAuth/blob/master/AutoAuth.md#token-request 2. token endpoint verifies ...
#
sknebel
someone rang?
#
sknebel
hi [fluffy] - saw your github notifications this morning but had a busy day at work :D
SevenTwenty joined the channel
#
sknebel
re reference implementations and tooling: yeah, sadly not really there yet. thanks for taking a look at it anyways!
#
[Lewis_Cowles]
[fluffy] have you ever worked with VCR?
#
[Lewis_Cowles]
It has libraries for many languages
#
[Lewis_Cowles]
https://github.com/vcr/vcr Ruby
#
Loqi
[vcr] vcr: Record your test suite's HTTP interactions and replay them during future test runs for fast, deterministic, accurate tests.
#
Loqi
[php-vcr] php-vcr: Record your test suite's HTTP interactions and replay them during future test runs for fast, deterministic, accurate tests.
#
[Lewis_Cowles]
😂 the Java fork is called Betamax
#
[Lewis_Cowles]
I love that so much
#
[fluffy]
Anyway yeah I’ll probably be building some very simple command line tools for testing this stuff.
#
[Lewis_Cowles]
👍 exit code zero ftw
#
[fluffy]
And vcrpy looks like it might be useful too, thanks LewisCowles++
#
Loqi
LewisCowles has 1 karma in this channel over the last year (3 in all channels)
#
[fluffy]
Also sebsel++ and aaronpk++ for helping me stammer my way through this spec
#
[tantek]
[fluffy] karma only works at start or end of line
#
[fluffy]
sebsel++ for helping me stammer my way through as well as aaronpk++
#
Loqi
sebsel has 9 karma in this channel over the last year (32 in all channels)
#
Loqi
aaronpk has 53 karma in this channel over the last year (195 in all channels)
#
[fluffy]
Cool that edge case works
#
[fluffy]
testing++ validation++ IndieWeb++
#
Loqi
testing has 6 karma over the last year
#
Loqi
IndieWeb has 1 karma in this channel over the last year (4 in all channels)
#
[fluffy]
And that result was unsurprising
ecrosstexas joined the channel
#
[tantek]
so, fragmentions 😄
[KevinMarks] joined the channel
#
[KevinMarks]
Fragmentions always have a space
#
[fluffy]
Yes. Fragmentions.
#
[fluffy]
Yeah that seems obvious in retrospect.
#
[tantek]
I support them on my blog with the polyfill
#
[tantek]
they're pretty cool 🙂
#
[KevinMarks]
If they don't, id takes precedence
#
[KevinMarks]
(some languages don't have spaces)
#
[fluffy]
Ah right. Japanese for example.
#
Loqi
[Tantek Çelik] #Redecentralize 2019 Session: IndieWeb Decentralized Standards and Methods
ecrosstexas joined the channel
#
[tantek]
[KevinMarks] it may be useful to define fragmentions behavior in terms of the existing Windows.find feature: https://developer.mozilla.org/en-US/docs/Web/API/Window/find
ecrosstexas and krychu joined the channel
#
[fluffy]
Given that’s not a standard that seems risky.
ecrosstexas joined the channel
#
Loqi
[annevk] #3539 Potentially standardize window.find()
ecrosstexas joined the channel
#
[tantek]
[fluffy] it's not a boolean
#
[tantek]
welcome to my fuzzy world
ecrosstexas joined the channel
#
[fluffy]
I think if the standard specifies what is meant by window.find or links to a stable definition that’s fine
#
[tantek]
sufficient but not necessary
#
[fluffy]
I’ve just been burned too much in the past by a “spec” being “it behaves like this other thing, which doesn’t have a formal spec”
#
[tantek]
many work in progress standards cite other work in progress standards instead of duplicating work. this type of living modularization makes sense
#
[fluffy]
but if there’s a formal spec, even one in-progress, that’s certainly reasonable
#
[KevinMarks]
Also id can't have ascii whitespace but could have unicode whitespace. AFAIK fragmentions treat unicode whitespace as ascii whitespace
#
[tantek]
sure, you should have something to cite from that perspective. however "doesn't have a formal spec" is *very* different than "all browsers implement, but slightly differently"
#
[fluffy]
unicode makes everything complicated, but not as complicated as not having unicode
#
[tantek]
not as discriminatory at least. human complexity is a good thing that's worth supporting
#
[KevinMarks]
The formal spec in html5 came from looking at browser implementations for commonality
#
[tantek]
anyway, any standard/spec should *at least* have an appendix of links/references to prior work
#
[fluffy]
I’m always impressed-surprised when things actually capitalize non-US-ASCII correctly. which is a little annoying sometimes
#
[tantek]
[fluffy] yup. my last name is a test case for that 🙂
#
[fluffy]
My Steam profile name is ◉ω◉ which shows up in the (capitalized) UI as ◉Ω◉
#
[fluffy]
which always makes me giggle
#
[tantek]
(on two counts, both the ç at the start, and the "i" second to last character is supposed to be uppercased as "İ")
#
[fluffy]
oh dang I never noticed that wasn’t an English “i”
#
[fluffy]
homographs--
#
Loqi
homographs has -1 karma over the last year
#
[tantek]
yeah the lang="tr" is invisible metadata 💁‍♂️
#
[tantek]
also why JSON fails at human strings, which most strings are
#
[fluffy]
Long ago I gave up on trying to spell “Erdos” correctly
#
[tantek]
JSON is actually anti-i18n by default because of this. kind of a problem if you're not english-centric/blinded
#
[fluffy]
I mean usually if I want to I copy-paste from the Wikipedia page title to get Erdős
#
[tantek]
BTW this is why HTML is a better format for machine data *about humans* than JSON
#
[fluffy]
but I have no idea how the heck to write ő otherwise
#
[fluffy]
nor do I have any idea how to pronounce it
#
Loqi
[voxpelli] #3 Parse language information
#
[tantek]
that's how we solve this for JSON
#
[tantek]
by using mf2 instead
#
[fluffy]
A few years ago I saw a TED talk where someone pronounced “Mandelbrot” as if it were a French name and I had a minor existential crisis because I thought I’d been saying it wrong all these years, but then I looked it up and found out, no, he was French-Polish and Mandelbrot is a Polish name, so I was probably mispronouncing it a different way.
#
[KevinMarks]
There used to be a nice mac keyboard called US Academic that extended the option-u [letter] model used for umlaut to all the other diureses
#
[tantek]
could folks using php-mf2 please turn on the flag for 'lang' attribute parsing in their consuming code and report back re: https://github.com/microformats/microformats2-parsing/issues/3#issuecomment-400498161 ?
#
Loqi
[gRegorLove] php-mf2 supports this behind a feature flag as of 0.3.2 https://github.com/indieweb/php-mf2/releases/tag/v0.3.2 microformat-shiv supports this as of 2.0 https://github.com/glennjones/microformat-shiv/issues/22 Still pending confirmation from a ...
#
[tantek]
we really need code that uses php-mf2 to do this and report back on what breakage (if any) they encountered
#
[fluffy]
oh neat, macOS actually lets you long-press O to get the õ
#
[tantek]
and how much work it was to fix
#
[fluffy]
oh wait that’s a tilde, I need to wear my glasses I guess
#
[tantek]
can we move the authoring of i18n text (keyboards, keys) to the main indieweb channel? since that's a UX/user thing?
#
[tantek]
(hoping it would reach more non-English folks)
#
[fluffy]
good idea
ecrosstexas and [jgmac1106] joined the channel
#
[Lewis_Cowles]
tantek, HTML only copes after decode. In its TCP packet form, I
#
[Lewis_Cowles]
am fairly certain it's all anglo-centric
#
[tantek]
[Lewis_Cowles] that's ok if we agree on HTML as the interop layer
#
[tantek]
that allows lower layers to be swapped out
#
[Lewis_Cowles]
👍
#
[tantek]
for example when I view HTML files on my laptop there is zero TCP
#
[Lewis_Cowles]
JSON has an interop layer on an interop layer
#
[tantek]
JSON has no i18n layer, that's the problem
#
[tantek]
unicode alone is insufficient
#
[Lewis_Cowles]
hmm, interesting outlook
#
[Lewis_Cowles]
aren't most envelope formats guilty of the same?
#
[tantek]
oh it was quite the interesting painful lesson learned in W3C Social Web WG standards work
#
[tantek]
aaronpk knows what I'm talking about
#
[Lewis_Cowles]
be interested to see the solutions
[qubyte] joined the channel
#
Loqi
[voxpelli] #3 Parse language information
gRegorLove joined the channel
#
[Lewis_Cowles]
trying to work out as lightweight as possible a fragmention / settings optional include
#
[Lewis_Cowles]
fragmention.js is a little heavyweight
#
[Lewis_Cowles]
and I'm not sure I want to force it on people
#
[Lewis_Cowles]
but if someone opts in to them, I can use a small script to include the feature
#
[Lewis_Cowles]
I avoided serviceworker right now for the same reason
#
[Lewis_Cowles]
I don't like forcing cruft upon people
#
[tantek]
yeah that's reasonable and I'm similarly trying to keep my "default" service worker fairly lightweight for that matter (and only installs if you visit my home page)
#
[Lewis_Cowles]
not knocking anyone else's efforts.
#
[Lewis_Cowles]
or approach
#
[tantek]
not at all, it's good food for discussion
#
[tantek]
I like the general idea of respecting a user's (browsing, machine, energy) resources
#
[Lewis_Cowles]
I wish my fav browser would come with polyfills for this sort of thing
[snarfed] joined the channel
#
[snarfed]
fragmention.js is 3.1KB. i wouldn't call that heavyweight
#
[tantek]
snarfed, the payload size is only the initial weight. it's the ongoing processing overhead that could be considered additional weight
#
[Lewis_Cowles]
[snarfed] 3k per-visit (assume I didn't set up caching or their client doesn't support)
#
[snarfed]
well yeah caching is kind of assumed
#
[snarfed]
[tantek] sure! but i also expect fragmention.js's CPU load is very low
#
[snarfed]
measure before you optimize, etc
#
[tantek]
no way to know without measuring 🙂
#
[snarfed]
and decide what you compare it to
#
[tantek]
(I mean absent spinning fans and laptop heat but that's rather coarse)
#
[Lewis_Cowles]
I don't mind assuming a client will behave sanely, but I do think we're stretching a bit, ignoring aggregates
#
[Lewis_Cowles]
3kb is about the size of a blog page
#
[tantek]
lol not on any silo
#
[Lewis_Cowles]
so relatively it's 3x the size of my SVG logo
#
[tantek]
more like 3MB amirite?
#
[Lewis_Cowles]
😉
#
[snarfed]
[Lewis_Cowles] regardless, 3KB's impact on your actual time to first byte, or whatever, i expect is more or less nothing
#
[tantek]
my goal is to get my entire site service-worker caching to be less than the HTTP transfer size of a single twitter permalink
#
[snarfed]
(relative to all other factors)
#
[snarfed]
[tantek] sounds like a low bar 😁
#
[tantek]
[Lewis_Cowles] I like the design thinking of opt-in for feature enhancements like fragmentions
#
[Lewis_Cowles]
maybe he means mobile twitter 😄
#
[tantek]
lol. either way IDK anyone who can make that claim today so it's not too low a bar 😄
#
sebsel
I remember seeing a page where VueJS was showing they were the smallest among other JS frameworks with only 21kb. People throw in multiple frameworks on some pages.
#
[Lewis_Cowles]
It's a wonderful goal
#
[tantek]
maybe that's worth a public challenge
#
sebsel
I mean good to think about 3kb, but the bar is low
#
[tantek]
there may be a way to do an implied opt-in for fragmentions even on first fragmention load
#
[Lewis_Cowles]
I've so far refused to implement webmention display
#
[chrisbergr]
[tantek] I hope you reach your goal. And I hope that you will write an article about how you did it 🙂
#
[tantek]
[Lewis_Cowles] I've only implemented it for RSVPs
#
[Lewis_Cowles]
[tantek] that is the idea, although I've just pivoted to tiny JS which turns on by default
#
[tantek]
I'm thinking a small JS stub that checks the document URL to see 1) if it has a fragment and 2) if that fragment has a space, and only *then* dynamically loads the fragmentions js and executes it
#
[tantek]
so you'd only incur that 3kb when people clicked URLs with fragmentions.
#
[Lewis_Cowles]
that is better
#
[Lewis_Cowles]
no need to check for cookies or localstorage then
#
[tantek]
correct
#
sebsel
(it's worse: the 21kb for Vue is actually the Gzipped version. https://gist.github.com/Restuta/cda69e50a853aa64912d)
#
[Lewis_Cowles]
I may be lazy and just check for a hash
#
Loqi
[Tantek Çelik] How many ways can you slice a URL and name the pieces?
#
[Lewis_Cowles]
as it's a 1-liner
#
[Lewis_Cowles]
```javascript
function usesFragmention(href) {
  return (href && href.split('#').length > 1 && href.indexOf('%20') > 0);
}
usesFragmention(window.location.href)
```
#
[tantek]
if ((h=window.location.hash) && h.indexOf('#')!=-1 && h.indexOf(' ')!=-1) ...
#
[Lewis_Cowles]
I've been more ghetto
#
[Lewis_Cowles]
href.split
#
[Lewis_Cowles]
😂 flashing the OG
#
[chrisbergr]
Oh dear, that comic is so true
#
[tantek]
not sure which is more ghetto, using split to parse a URL, or inline variable assignment in an if conditional
#
[Lewis_Cowles]
and not scoping it 👀
#
[Lewis_Cowles]
I like that we had a similar idea, although yours forces double hash... maybe I should too
#
[Lewis_Cowles]
I do like the function so I can pretend I'll test it too
FreshcollegeGirl joined the channel
#
[Lewis_Cowles]
hmm site folder is a lot more than 3kb as every file has overhead of feature-detection (1kb on disc) + if fragmention is needed
#
[Lewis_Cowles]
We're talking bytes per-page (and I included it site-wide, which I'm not sure is right)
#
[Lewis_Cowles]
but it's a thing
FreshcollegeGirl joined the channel
#
[tantek]
no [Lewis_Cowles] mine does not force double hash
#
[tantek]
but that clues me into an improvement
#
[tantek]
if ((h=window.location.hash) && h[0]==='#' && h.indexOf(' ')!==-1) { /* load fragmentions.js */ }
#
[tantek]
which makes me realize you *can* use fragmentions to link to a single word, you just have to decide whether to include a space before or after the word!
#
[fluffy]
Question: if someone tries to access a public resource but provides an invalid/expired Bearer token, what’s the correct response?
#
[fluffy]
Should it just be treated as if there was no token provided or should it return a 403?
#
[fluffy]
Or other 4xx
#
aaronpk
doesn't really matter too much because nobody has built UX around handling the different responses differently, but https://tools.ietf.org/html/rfc6750#section-3.1
#
[fluffy]
That’s for a protected resource. What about for one that would be accessible even without a token?
#
aaronpk
i'd say the "invalid_token" response applies there too
#
aaronpk
you do want to indicate that something went wrong as opposed to returning the public response
#
[fluffy]
Makes sense.
FreshcollegeGirl joined the channel
#
[tantek]
there are public resources with protected sections
#
[tantek]
e.g. home page with h-card that has phone number or address when signed-in with IndieAuth and on an allow list
#
[tantek]
e.g. h-feed with a mix of public and protected posts
#
aaronpk
right which is why you want to make sure the client knows the token they sent is bad, vs just returning only the public parts
FreshcollegeGirl and [KevinMarks] joined the channel
#
[KevinMarks]
they could check if it still has a WWW-Authenticate: header
jjuran joined the channel
#
[Lewis_Cowles]
my blog loads so fast I had to add a setTimeout for the fragmentions to work
#
[Lewis_Cowles]
I checked the element was not null, and the document.readyState, but it would not scroll without a setTimeout, which I then had to debounce
bradleyallen joined the channel
#
[Lewis_Cowles]
One sucky thing is that it's not on by default, so people wanting to use should try adding #frag%20mention%20for%20quotes
#
[fluffy]
Returning an error on bad token is actually easier for me to implement so that’s what I’m doing :)
#
aaronpk
that sounds better anyway
[Bradley_Allen] and gRegorLove joined the channel
#
KartikPrabhu
[Lewis_Cowles]: that is surprising. I am sure I have fragmention.js on local pages
#
[KevinMarks]
you can keep it in separate file and defer it?
#
[Lewis_Cowles]
Oh it is in a separate file
#
[Lewis_Cowles]
I'm now proud to say that I made a link which is not visible without JS, which toggles loading for people visiting without a fragmention
#
[Lewis_Cowles]
I also removed the IE8 jazz
#
[Lewis_Cowles]
guarded adding the JS
[dougbeal] joined the channel
#
[Lewis_Cowles]
just added a descriptive title to let people know they need JS (because the button is there without JS, just not visible via CSS)