#dev 2020-01-03

2020-01-03 UTC
[tantek] and anonymous8 joined the channel
#
anonymous8
hello
BeatusHomo, chrisaldrich, [CrowderSoup], simons, gRegorLove and DrillTherapy joined the channel; anonymous8 left the channel
#
[tantek]
how are our brave 2020-01-01 challengers doing? gRegorLove and jacky https://indieweb.org/2020-01-01-commitments
#
gRegorLove
behind schedule :)
#
[tantek]
I'm considering a few different 100 day projects as structure for getting through a bunch of backlogs
#
[tantek]
e.g. 100 days of filing github issues
#
gRegorLove
I'm probably about 70% there on the mailing list signup which is a pre-req for my announcement post on FB
#
aaronpk
considers a 100 days of changing old passwords
[CrowderSoup]1 joined the channel
#
GWG
gRegorLove: What mailing list is this?
simons, arj, dhanesh95, asymptotically and AkyRhO_ joined the channel
#
GWG
Suspense... I am wondering if this is POSSE to mailing list, which I used to have but need to fix
[jgmac1106], PlusMinus, [xavierroy], simons and [jeremycherfas] joined the channel
#
[jeremycherfas]
One password a day? I could maybe manage that
simons and [LewisCowles] joined the channel
#
[LewisCowles]
Automating it would be nice. An automated password changing mechanism. (not a notification to change or expiry, those both SUCK)
[Rose] joined the channel
#
[Rose]
What are people's thoughts here on passwordless login? I'm looking at adding it to a service (not for the primary users, but for their customers). I know micro.blog uses it and some users don't like it, others do.
#
aaronpk
passwordless via email login link? I think that's the particularly controversial part
#
[Rose]
Well, I wouldn't only offer that, I'd also let you verify through Apple or Google.
#
[Rose]
I don't want user accounts for the customers, but understandably some people want to be able to restrict viewing things to a specific list of users.
#
aaronpk
the classic problem of having multiple login methods is people forget which one they used the first time then they show up as a new user when they come back
#
[Rose]
Good point
#
[Rose]
I'm going to try "generate an obscure link to this" as my first approach
#
[Rose]
Hopefully that will satisfy people, if not, I'll have to revisit this.
#
aaronpk
if you use the email address to try to dedupe then you have to make sure the provider tells you whether an email address has been verified otherwise people can steal accounts
#
[LewisCowles]
FIDO u2F for GitHub is amazing
#
[LewisCowles]
have to get a USB-C adapter if you’re on a modern mac though
#
aaronpk
or a usb-c yubikey
#
aaronpk
isn't that just second factor though?
#
[LewisCowles]
and as I’ve lost one (and de-authed it) already buy more than one
#
[Rose]
I have a USB C and Lightning Yubikey, I also have low expectations of the technical level of these people 😛
#
[Rose]
(Some of course will be technical! But expecting people to own a Yubikey, or my users to have customers that own a Yubikey... feels like a bad idea)
#
[LewisCowles]
[aaronpk] I think maybe because I allow my browser to remember / auto-fill passwords I treat it as 1FA, although technically I run on an encrypted volume with password and have to login to get auto-fill
#
[LewisCowles]
There was a service I used in 2014 that sent me a QR code I had to scan which somehow knew which phone I was on for passwordless. I expect it was using http headers though so it was probably as secure as a do-not-enter sign
#
aaronpk
[Rose]: one way i've seen services try to avoid the duplicate account problem is they ask you to enter your username or email to log in, and only *then* show the authentication buttons that are connected to that account
#
[Rose]
I don't have accounts for these users
#
[Rose]
I will only have either a list of email addresses for whom access is allowed, or a domain which the email has to belong to.
#
aaronpk
I mean the second time they try to log in
#
[Rose]
Ahhhh
#
[Rose]
Genius
#
[Rose]
Though honestly I plan to drop the data ASAP, I want as little data as possible.
#
[Rose]
But that works too.
#
[LewisCowles]
[aaronpk] does that mean that it’s possible for someone from the outside to check if a user has an account with a service though?
#
aaronpk
yes but that is a pretty common thing that's possible anyway, and also not a huge attack vector
#
aaronpk
especially not a huge attack vector if you don't have passwords for users
#
[Rose]
That might also solve the "user uses apple generated email address" "problem" I could run into.
#
aaronpk
if sign in with apple is an option for you you should definitely use that
#
[Rose]
I'll be offering it for my customers for sure.
#
[Rose]
But for them I have accounts 🙂
[schmarty], Suw, [jgmac1106], [Khurt], [CrowderSoup], [tantek], emakDiscord[m], gRegorLove and simons joined the channel
#
[jgmac1106]
Can anyone else try signing up for huffduffer, I have tried both FF and Chrome and can't get past the account creation
#
[LewisCowles]
Excellent! Your Huffduffer account has been created.
#
[LewisCowles]
It did complain about me trying to use hyphens
#
[LewisCowles]
I’m sorry if my chosen psuedonym upsets. Too much sugar makes me pick questionable pseudonyms
#
[jgmac1106]
wondering if it was password rules for me,
[manton] joined the channel
#
[manton]
[Rose] I rarely hear from people who want passwords on Micro.blog, maybe once every few months. Now that we support Sign in with Apple (on iOS) that helps too. The most common problem is people using iOS but Firefox or Gmail which currently has some problems with our sign-in email links (likely fixable).
#
Loqi
[manton]: mblaney left you a message 5 days, 8 hours ago: hey I was working on my Micropub config support and noticed you're using "destination" for your syndication list rather than "syndicate-to"? is there a spec change that I've missed?
#
Loqi
[manton]: mblaney left you a message 4 days, 19 hours ago: all good, I found mp-destination on /Micropub-extensions
#
[Rose]
[manton]++ thanks! I think I may have more users with the case of “I can
#
Loqi
[manton] has 18 karma in this channel over the last year (56 in all channels)
#
[Rose]
’t*can
#
[Rose]
*can’t access my email on this device” so I may go for “email a code to use as a one time password”
#
[manton]
Yeah, I often wish I had a better answer for people who can't check email, like on a work computer.
#
[manton]
Well, not "often"… But it would be useful.
#
[jgmac1106]
[LewisCowles] just must not like me, I can't create an account on any browser
#
[LewisCowles]
clear cookies / private window?
#
[LewisCowles]
are you doing anything to the browser or at the network level?
#
[jgmac1106]
I am using cloudfare's 1.1.1.1 VPN wonder if that is messing it up
[schmarty], petermolnar and BeatusHomo joined the channel
#
GWG
[Rose], aaronpk How do you share a temporary link with Compass?
#
[Rose]
Post to (compass_url)/api/share?token=(token)&duration=(duration) with the token in the header
#
[Rose]
No token in the header even.
[Sadik_Shahadu] joined the channel
#
GWG
And it will return the link?
#
GWG
And the duration in what unit?
#
GWG
apparently I didn't configure something because it says that the share table doesn't exist
#
[LewisCowles]
[jgmac1106] I don’t think that could be it. Do you know how to check the network tab?
Nuve and KartikPrabhu joined the channel
#
GWG
Okay...fixed that problem
[tantek], [KevinMarks] and doubleloop joined the channel
#
doubleloop
aaronpk: think this is a problem with the WordPress plugin, but just fyi - https://github.com/pfefferle/wordpress-activitypub/issues/78
#
Loqi
[ngm] #78 Conflict with XRay's parsing of microformats
KartikPrabhu, davepeck, billbennettnz and [Ian_Forrester] joined the channel
#
[Ian_Forrester]
Trying to solve my problem with indieauth plugin for wp - https://github.com/indieweb/wordpress-micropub#frequently-asked-questions
#
Loqi
[indieweb] wordpress-micropub: A Micropub Endpoint plugin for WordPress
#
GWG
[Ian_Forrester]: What problem?
#
[Ian_Forrester]
The support for my site hoster say - "The WordPress version you are on is a lot newer, and they are asking if it is compatible with PHP version 7.3., since that is currently what you are on. The plugin says 5.4 or higher"
#
GWG
Yes.
#
[Ian_Forrester]
I'm currently 5.3.2 when that plugin says 5.2. (5.2, does seem like it may line up with the time I was at #indiewebcampberlin and reached out/talked to the dev) which seems like 5.2 came out around May, mid 2019. https://wordpress.org/news/category/releases/
#
GWG
[Ian_Forrester]: That doesn't really say what the problem is.
#
GWG
I'm running 7.2 and the latest version of the plugin.
#
GWG
Can you advise what the symptoms are?
#
GWG
<- The Dev
#
[Ian_Forrester]
Hi again...
#
GWG
Hi.
#
[Ian_Forrester]
Ok so far we have added the HTaccess rules and tried adding the wpconfig.php bits
#
GWG
Few questions, if you go into the IndieAuth settings page, does it say at the top, "Authorization Header Found?"
#
GWG
I'm running PHP7.3 and WordPress 5.3.2.
#
[Ian_Forrester]
WPengine support asks if it supports the latest php, will feedback now
#
[Ian_Forrester]
and yes I get that problem in my wp
#
GWG
It does.
#
GWG
[Ian_Forrester]: Which problem? Where it says Authorization Header Found? Or does it say it wasn't?
#
[Ian_Forrester]
Not sure if you want to do this in the #indieweb-dev channel or dm? happy either way
#
GWG
[Ian_Forrester]: I'd say switch to #indieweb-wordpress
#
GWG
We have a channel for that
#
[Ian_Forrester]
Ok going there now thanks