#dev 2019-11-25

2019-11-25 UTC
uniquerockrz and [dmitshur] joined the channel
#
[dmitshur] I'm working on switching to using URLs as identities on my personal site (while preserving ability for people to sign in via GitHub) and it turns out to be possible to add a little nice touch to the process. it's extremely tiny and probably no one will notice, but I'm so pleased I wanted to share.
#
[dmitshur] since the user starts by entering their URL, I already know their expected GitHub username by the time I redirect them to github.com to authenticate, so I can pre-populate the "username" field on github.com's sign in form
#
[dmitshur] it's only relevant if the user isn't already signed in to github.com which is probably rare (for my target audience), but still
#
[dmitshur] e.g., say you start by entering this on my site's sign in form (while signed out of github.com)
#
[dmitshur] instead of seeing this
#
[dmitshur] you get this right away 😄
#
aaronpk nice, I didn't know github had that parameter
#
[dmitshur] e.g., http://github.com/login?login=abc123
#
[dmitshur] it's not documented, but I found it by trial an error. it's `login` . with a simple name like that I figure it's likely to stay around.
#
[dmitshur] https*
#
[dmitshur] and my code diff is:
#
[dmitshur] ```-url := githubConfig.AuthCodeURL(state)
#
[dmitshur] +url := githubConfig.AuthCodeURL(state, oauth2.SetAuthURLParam("login", login))
#
[dmitshur] return httperror.Redirect{URL: url}```
#
aaronpk oh it is documented: https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
#
[dmitshur] oh great, I forgot to look there. thanks 🙂
#
[dmitshur] might want to set allow_signup=false too lol
[jgmac1106], uniquerockrz and [fluffy] joined the channel
#
[fluffy] Anyone have any thoughts on this? https://github.com/PlaidWeb/Publ/issues/312
#
Loqi [fluffy-critter] #312 Allow marking an arbitrary HTML attribute as needing image resolution
#
aaronpk is this for a templating language?
#
aaronpk I don't understand the context of the problem
#
[fluffy] It’s for how Publ handles its page renditions with respect to images in HTML attributes yeah
#
[fluffy] Like in Publ, HTML elements like <img src=“foo.jpg”> will resolve the foo.jpg to an actual image rendition (usually also setting srcset as well for hidpi or whatever), rather than just showing the image directly
#
[fluffy] and I support that specifically on the src and href elements of everything, so like <a href=“foo.jpg”> will produce a link to the template-configured full-size rendition of foo.jpg
#
[fluffy] but for Reasons I don’t want to try to detect images on other arbitrary elements/attributes, and like Snapcart uses its own data-* attributes on <button> for specifying shopping cart behavior.
#
[fluffy] When I was looking into Snipcart I thought I’d just make my entry templates support the various attributes as page metadata but that got unwieldy fast and that’s why I ended up just going with Storenvy instead, rather than worrying about my own page layout. (and to be fair Storenvy brings a lot to the table that Snipcart doesn’t do.)
#
[fluffy] (also I mean snipcart not snapcart oops)
#
[fluffy] but anyway the idea still stuck with me that I’d like to maybe support data- attributes that link to images
#
aaronpk I guess I don't understand the use case for this
#
[fluffy] okay so like in Publ you don’t actually link to images directly, it generates renditions on the fly
#
[fluffy] there isn’t actually a way to insert arbitrary HTML where an attribute links to an image, unless it’s stored in your static assets
#
[fluffy] and then snipcart’s API looks like this: https://docs.snipcart.com/v3/setup/products
#
[fluffy] I’d like to be able to support snipcart from Publ. Or any other HTML/JS-based library that uses data attributes to provide images, while still using Publ’s image management.
#
[fluffy] Snipcart was just the first library I found that made me think about this.
#
aaronpk oh I see, it's turning a <button> into a whole thing with multiple elements inside
#
[fluffy] like, lightbox.js just uses href/src and then uses data- attributes for its own purposes, but it’s extending <img> and <a>, while snipcart is providing entirely new functionality with data- attributes as params
#
[fluffy] yeah
#
aaronpk presumably they use <button> for backwards compatibility in case their JS doesn't load?
#
[fluffy] no, as far as I can tell it’s still JS-only
#
[fluffy] but <button> is a good semantic for it
#
[fluffy] like when you click the “add to cart” button it slurps up the data attributes for what it actually adds to the cart
#
[fluffy] including an image thumbnail, which is specified in a data-attribute like everything else
#
[fluffy] and it seems like it’d be cumbersome/inelegant to add configuration to Publ’s template system to whitelist arbitrary data-attributes into the image rendition stuff
#
[fluffy] I mean it’s certainly possible and straightforward, but it’s annoying and then you’d have to remember to set that up on every single template that uses it and I don’t think it buys anything
#
[fluffy] um, so to speak
uniquerockrz joined the channel
#
aaronpk now I see... well your proposal in the issue seems fine, I think the "!" version is probably easier to consume
#
[fluffy] yeah, I’m less concerned about it being valid HTML and more concerned about BeautifulSoup/html.parser not choking on it
#
[fluffy] but I’d be worried about future changes to make attribute-names more strict or something
#
[fluffy] I mean assuming it’s even supported now, which I don’t know if it is
#
[fluffy] I’d be worried about an attribute legitimately starting with ! though
#
[fluffy] I mean it’s not a huge deal, if the image fails to resolve then the attribute doesn’t get transformed, but I worry about edge cases.
#
aaronpk pick a non URL safe character then?
#
[fluffy] wait no if the image fails to resolve it also adds a data-publ-debug attribute I think?
#
[fluffy] ooh that’s a good idea
#
[fluffy] oh wait I don’t use bs4 in publ itself, I just use html.parser directly
#
[fluffy] getting my projects confused heh
#
[fluffy] looks like html.parser does allow @ in data-attribute names
#
[fluffy] https://stackoverflow.com/a/926136 says that the spec allows “all characters except tab, line feed, form feed, space, solidus, greater than sign, quotation mark, apostrophe and equals sign” in attribute names
#
[fluffy] and I keep having to look up what “solidus” is and I guess it’s a historical name for slash
#
[fluffy] so, yeah, I think it’s safe to either prefix or postfix the attribute name with something. Maybe postfix so that it remains valid HTML5 outside of Publ, and also @= kinda looks like an operator?
#
[fluffy] or maybe some other punctuation. anyway, this isn’t an urgent thing, I’ll plop this into commentary on the issue and let it stew for a while.
#
[fluffy] thanks for being a sounding board 🙂
#
aaronpk 👍
fauno, uniquerockrz, gRegorLove, jbove, KartikPrabhu, nfip^ and [dmitshur] joined the channel
#
[dmitshur] as I work towards reducing reliance on github, a fun event happens https://www.githubstatus.com/incidents/4sh7f76nh5gq
uniquerockrz joined the channel
#
mblaney feels like playing with different login urls mentioned earlier broke github...
uniquerockrz joined the channel
#
[dmitshur] I hope it's not that brittle :face_with_hand_over_mouth:
uniquerockrz joined the channel
#
[dmitshur] ok... is anyone brave around to test my new sign in flow? it's not finished yet, but I've made much progress, so it's closer.
#
[dmitshur] (you'll need to have a github account and to allow my test app to access you public information only.)
uniquerockrz joined the channel
#
[dmitshur] ok, another time. 🥱 going to sleep
uniquerockrz, KartikPrabhu, [jeremycherfas], [LewisCowles], cweiske, [tantek], jbove and [KevinMarks] joined the channel
#
[KevinMarks] Be careful with html.parser, it can do weird things with element nesting compared to html5lib
uniquerockrz, gxt, asymptotically, misterwhatever, [LewisCowles], [Rose], swentel, krychu, [tantek], jgmac1106, jacky-, wagle_, [KevinMarks], ffl^, [jgmac1106], [manton] and [jeremycherfas] joined the channel; misterwhatever left the channel
#
aaronpk Would love to hear feedback from people who have implemented IndieAuth on the server as to whether this would clear up the concerns around issuing access tokens for different endpoints like a microsub server https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-08
#
aaronpk the high level goal of that spec is to let the client say “I’m trying to get an access token to use at this particular endpoint (resource) and no others”
#
GWG_ aaronpk: Interesting
#
GWG_ I am looking now, but I am certainly concerned about that
#
aaronpk We’ve kind of overloaded scope for this purpose as mentioned in the draft
#
aaronpk F
#
aaronpk oops
#
GWG_ aaronpk: Seems a good thing to think about
#
[Rose] G?
#
GWG_ H
#
[Rose] I’ll have to read that later, I’ve got a lot of work to do today
#
GWG_ I have some time
uniquerockrz joined the channel
#
GWG_ aaronpk: Seems straight forward
#
aaronpk I agree
#
aaronpk Looks like the client can even include multiple values
#
aaronpk which monocle would need to do to get a token that works at both the microsub and micropub endpoints
#
GWG_ aaronpk: I am happy to be a test case
[schmarty] joined the channel
#
[schmarty] aaronpk: is this abusing scopes? i feel like this is what scopes are for, they're underspecified. 😅
uniquerockrz joined the channel
#
GWG_ [schmarty]: Scopes don't specify the endpoints they work with
#
GWG_ Just what privileges you get
[LewisCowles] joined the channel
#
[schmarty] GWG_ "what privileges you get" is also pretty underspecified!
#
GWG_ Also true
#
[schmarty] for example, "subscriptions" can be thought of as shorthand for "manage subscriptions - on your microsub endpoint."
#
[schmarty] "create" as "create posts - on your micropub endpoint"
#
[schmarty] a made-up goofy way of writing that might be https://your.website/micropub#create https://your.website/microsub#subscriptions etc.
#
[schmarty] ^ that's a straw-format, don't want to wade too far in the weeds
#
GWG_ Autoauth uses resource, by the way
#
aaronpk Technically scopes can be, er, scopes to the resource server
#
aaronpk theyre deliberately under defined in OAuth which has been both good and bad
#
aaronpk oops that second "scopes" was supposed to be "scoped"
#
[schmarty] yeah! google does this with some of their APIs and OAuth scopes.
#
[schmarty] and when i say "this" i mean specifying scopes as URLs, though now that i think about it those URLs aren't actually the resource URLs that an app talks to.
#
aaronpk I'm also trying to aim for the future here, and tying everything to OAuth RFC6749 alone is now a bit dated
#
[schmarty] skimming this resource indicators draft now. interesting that it's a combo of scope and resource=https://some/url
#
aaronpk we had a good discussion at the IETF meeting around publishing a 2.1 version of OAuth to sort of clean things up, and I'm trying to keep in mind how that would affect IndieAuth
#
[schmarty] feels like a weird combinatorics is possible if, e.g. two resource endpoints understand the same scope values differently.
#
[schmarty] (e.g. if "read" in micropub means "read the source of my posts" and "read" for microsub means "read channels and their contents", it may not be clear to the user that you're authorizing an app to read all of your posts, potentially including private ones)
uniquerockrz joined the channel
#
aaronpk Yeah it still requires coordinating scope values
#
[schmarty] but i get the sense that i'm stirring up nonsense. been away too long. looking forward to catching up on what happened during Berlin2!!
KartikPrabhu, uniquerockrz, [KevinMarks], gxt, vilhalmer and [snarfed] joined the channel
#
[snarfed] odd. someone spent ~10h yesterday downloading ~20k bridgy log pages. i have no idea why. no pattern, no particular user(s), nothing in User-Agent, client IPs don't belong to any org or ISP that seems relevant.
#
aaronpk hm I wonder if it's the same crawler that hit the indieweb servers
#
[snarfed] user agent: "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1"
#
[snarfed] example IPs: 66.109.27.138, 66.109.27.141, 66.109.27.142, 192.157.89.7, 192.157.89.8
#
[snarfed] not a big deal on my end at least, just odd
#
aaronpk huh that looks totally different
#
aaronpk strange
gRegorLove joined the channel
#
[snarfed] "background radiation of the internet," one of my favorite recent phrases. https://www.potaroo.net/ispcol/2019-10/dark.html
#
[snarfed] also "the internet is the wild west"
#
[snarfed] generally not worth investigating these too deeply unless they cause an actual problem
#
aaronpk I blocked the IP because it was taking down the server 🙈
[jgmac1106] and uniquerockrz joined the channel
#
GWG_ My sleep tracker just got to me about my request to export I made in 2017
#
GWG_ Once I see what they give, I may do something with it
#
aaronpk lol wow
uniquerockrz joined the channel
#
GWG_ It seems to be json
uniquerockrz joined the channel
#
GWG_ And they provided a schema file
misterwhatever, chimo and uniquerockrz joined the channel
#
jacky regarding scopes, I've been tempted to use URIs for them
[Rose] and [KevinMarks] joined the channel
#
[KevinMarks] handy thing I found today https://twitter.com/kevinmarks/status/1199039691959545857?s=20
#
@kevinmarks something to add to your CSS resets: table td {font-variant-numeric: tabular-nums;} It makes columns of numbers or dates line up, especially if you text-align: right them too HT @snookca (twitter.com/_/status/1199039691959545857)
#
[KevinMarks] I was using a monospace font for numeric columns before, this looks nicer
uniquerockrz joined the channel
#
GWG_ Trying to figure out how to manage the IndieAuth.com code, which I don't use, and the IndieAuth endpoint code, which I do
#
GWG_ aaronpk: What is your long term plan for IndieAuth.com?
#
aaronpk eventually i'm going to decommission it and replace it with a new indieauth endpoint service, but it will work differently and I will probably make people sign up for an account to use it
#
GWG_ aaronpk: Any ideas on what I should do? I don't use IndieAuth.com, but some people still want to use it with WordPress
#
GWG_ snarfed, for one. I just want to minimize maintenance
uniquerockrz and [snarfed] joined the channel
#
[snarfed] do whatever you want, don't worry about me 😎
#
aaronpk I hate to suggest yet another plugin, but I honestly do think the best thing to do would be to move the indieauth.com specific stuff into its own plugin. I imagine it would work similar to the Aperture plugin which ties into my hosted aperture instance directly.
uniquerockrz, krychu and [LewisCowles] joined the channel
#
[LewisCowles] RE: the spammer / bad script. Does Herndon USA ring any bells for the `66.109.27.138, 66.109.27.141, 66.109.27.142, 192.157.89.7, 192.157.89.8` they are all US IP's. Herndon shows up as being in Virginia
uniquerockrz joined the channel
#
[snarfed] no, those IPs are owned by Galaxyvisions and Cologuard (https://myip.ms/view/ip_owners/22654/Galaxyvisions_Inc.html , https://myip.ms/view/web_hosting/334573/Cologuard.html), but probably just compromised machines with their IPs
uniquerockrz and [jgmac1106] joined the channel
#
[jgmac1106] Gwg...because an iframe is all I know how to do..but I can display a trip now: https://jgregorymcverry.com/messingwithgpx
uniquerockrz and Bubu joined the channel
#
Bubu hello
#
Bubu everybody
#
[jgmac1106] nvm logged out users would just see a login screen, switching link to the public view
#
[jgmac1106] Hello Bubu
#
Bubu hi what's up?
uniquerockrz joined the channel; Bubu left the channel