#dev 2020-01-11

2020-01-11 UTC
#
mblaney
[schmarty] you need a sign-in button! https://unicyclic.com/usb works with aperture
gRegorLove joined the channel
#
aaronpk
superkuh: that's great! thanks!
oodani, [tantek], [kimberlyhirsh] and [dmitshur] joined the channel
#
[dmitshur]
I'm thinking about relying on the rel=me building block, on top of IndieAuth, to implement optional identity consolidation.
#
[dmitshur]
I've realized there's a usability problem with just letting people sign in with their URL is that if they've previously left reactions, they'll lose all that state because their IndieAuth URL would effectively be a completely separate account.
#
[dmitshur]
Ideally, I would have some UI where you can explicitly choose your preferred identity out of many (e.g., "example.com" or "github.com/user"), but perhaps I can take a UI-less shortcut by using the heuristic: if you sign in as X (instead of Y), then X is your current identity until you sign in via Y.
KartikPrabhu, [manton], [Michael_Beckwit and [dmitshur] joined the channel
#
[dmitshur]
On a different but related note, "https://example.com/user" and "https://example.com/user/" are technically different URLs. It seems weird to let 2 completely different people differ only by a trailing slash. But https://indieauth.spec.indieweb.org/#url-canonicalization allows it.
#
[dmitshur]
Marty's website claims he is "https://github.com/martymcguire/" (note the trailing slash) on GitHub. I think I should handle that no different than if he left out the trailing slash, since that URL does show his profile. I wonder what I should do if someone has a rel="me" url="https://github.com/example/repo-or-some-such"... I imagine I would reject that, since a repository isn't a GitHub user.
[KevinMarks] joined the channel
#
[KevinMarks]
If you follow the url does it redirect to a common form?
#
[dmitshur]
it does not. however, the URLs in links in the rendered HTML have a canonical form: including canonical case and no trailing slash
#
[dmitshur]
e.g. http://github.com/DMITSHUR/ -> shows same page as http://github.com/dMiTsHuR or http://github.com/dmitshur, but the "Overview" URL is exactly "http://github.com/dmitshur" in all cases.
#
[dmitshur]
I meant to use https in those links
#
@ChrisAldrich
↩️ There's definitely a Webmention plugin for @CraftCMS which was written by @m_ott, but it's only compatible with v2 & not v3. There's an IndieWeb stub page for @Statamic, but no examples of usage yet. I'm curious to hear what you think of them [more...] https://boffosocko.com/2020/01/10/55764193/
(twitter.com/_/status/1215908383666003968)
tsrt^, [dmitshur], [KevinMarks], [kimberlyhirsh], swentel and maifaelin joined the channel
#
maifaelin
hello
#
maifaelin
? join
maifaelin53 and maficious joined the channel; maifaelin53 left the channel
#
maficious
I don't see any messages, is it because nobody sends anything or is it my problem?
maficious left the channel
#
nloadholtes
It is just a quiet moment, this is a pretty active channel most days
#
aaronpk
[dmitshur]: check out all the text around redirect following in IndieAuth , that's how to treat URLs with extra slashes the same
#
aaronpk
you will probably have to make special cases for GitHub or sites with usernames if they serve the profile page from multiple URLs without redirecting. Check if they use rel=canonical tho
[tantek] and [schmarty] joined the channel
#
[schmarty]
Haha that is clever mblaney. 😂
#
[schmarty]
dmitshur: good tip about canonical GitHub URLs! I have it in my head that they are inconsistent about when they allow or disallow trailing slashes. 🤔
[dmitshur] joined the channel
#
[dmitshur]
[aaronpk]: Thanks! I'm fairly aware of redirect following (although implementing much of that is still a known TODO), but it doesn't help with GitHub because they don't redirect.
#
aaronpk
Yeah that's why I said you have to handle those kinds of sites differently
#
[dmitshur]
Great idea about rel=canonical though. I checked, not seeing it, but there is a meta property="og:url" which might be usable instead? Going to read about it.
#
aaronpk
it's their own fault for not sending redirects. It causes other problems besides this for them too
#
[dmitshur]
Do you agree it's reasonable not to accept someone's GitHub profile if their rel=me link doesn't point to the profile but another page (e.g., their repo)
#
[dmitshur]
https://indieweb.org/The-Open-Graph-protocol recommends "You do not ever need `og:url`. Instead, use the existing rel=canonical standard ..."
#
[dmitshur]
in practice, I'm not going to need it for now because it's just easier to add special case for github. For now at least, I'm going to use GitHub API to fetch the user info including their HTMLURL, rather than doing an HTTP get.
#
[dmitshur]
but it's good to know there may be a way of applying a general solution even to github
#
[dmitshur]
the possibility of a trailing-slash difference between two different legitimate users is slightly unfortunate, but thinking more about it, it seems very unlikely to come up in practice.
#
aaronpk
Yeah with indielogin.com I switched to using the silo APIs to get user info instead of dealing with URL normalization and it really cleaned things up
[jgmac1106] and [KevinMarks] joined the channel
#
[KevinMarks]
I hope they don't change their urls at dinner point, or do it carefully. Didn't twitter switch to having an @ in the canonical url after a few years?
#
[KevinMarks]
s/dinner/some/
[kimberlyhirsh] joined the channel
#
aaronpk
They used to have @ at one point
#
aaronpk
but also #! lol
swentel and [dmitshur] joined the channel
#
[dmitshur]
at first I thought I'd just ignore errors, but now I'm thinking I'll report them to user and prevent from logging in. so they'll be motivated to fix (or remove) their broken/misconfigured stuff.
#
[dmitshur]
I'm thinking about how to handle error cases when a user signed in successfully via IndieAuth but their user info is misconfigured/erroneous.
#
[dmitshur]
and make the error messages helpful/detailed that is
#
[dmitshur]
I'll include my email under the error message so if I messed up or if people have questions, they can reach me.
#
[dmitshur]
that seems more in line with my principles (be strict about input and report detailed error messages), so that's where I'll start.
#
[dmitshur]
(most of these error conditions are very unlikely, but I still need to make a decision for how to handle them)
#
[dmitshur]
a future enhancement may be to have some UI that says "I acknowledge this thing is broken and would prefer to proceed without it anyway".
#
[dmitshur]
this should be a better user experience than a thing becoming broken causing it to silently disappear
#
[dmitshur]
example error conditions I have in mind:
#
[dmitshur]
• user's website has rel="me" pointing to a github.com profile, but that profile doesn't link back to their website
#
[dmitshur]
• h-card.photo[0] is present but is an invalid URL
#
[dmitshur]
• h-card.photo is present but has 0 elements (maybe?)
#
[dmitshur]
• h-card.photo[0] is a valid URL but fetching it is non-2xx status code (maybe?)
dckc joined the channel
#
[dmitshur]
another one (a subset of the first item above):
#
[dmitshur]
• user's website has rel="me" pointing to a github.com/user profile but that user doesn't exist
aaronpk, treora and [KevinMarks] joined the channel
#
[dmitshur]
(thanks to aaronpk, schmarty and willnorris whose websites have a GitHub profile linked and I'm using for testing this)
#
[dmitshur]
this is going so well and I am enjoying this so much 😄
#
[dmitshur]
note that it correctly reported an error for dev.dmitri.shuralyov.com because the github account it points to doesn't point back to it.
blueyed, [manton], [Michael_Beckwit and shivankDiscord[m joined the channel
#
@hankchizljaw
I’d really like something that will ping me for each webmention so I can approve it or reject it. Are there any existing services that do that? (Please say yes I don’t need more side projects)
(twitter.com/_/status/1216105178526617601)
#
@sil
↩️ how are you getting and storing the webmentions now? If I want notifying about something, most of the time I just punch out an RSS feed for it and then subscribe to that, if that's a useful approach
(twitter.com/_/status/1216108772453732359)
#
@hankchizljaw
↩️ @sil I used to use http://webmention.io but got rid because I just got loads of bloody spam on my site!
(twitter.com/_/status/1216109299870715905)
[tantek] joined the channel
#
[tantek]
^^^ interesting, actual webmention spam or twitter spam via Bridgy?
#
[tantek]
aaronpk, good point about "#!". Maybe fragmention should explicitly disallow "#!" fragmentions and note that such URLs are reserved for single page app routing (per that old Google advice ages ago). Then we can tell anyone who breaks (like WebMD) that they are violating Google's standard for single page app routing, and they should fix their site 😄
#
[tantek]
KevinMarks ^^^ WDYT? Worth me filing an issue on fragmention for that?
petermolnar and [schmarty] joined the channel
#
@nhoizey
↩️ You can remove webmentions on http://webmention.io I don’t know any other third party service for that, but you can do it yourself in your source, if you build the webmentions in your static site.
(twitter.com/_/status/1216136227369488384)