#dev 2020-04-12

2020-04-12 UTC
#
aaronpk
oh that's interesting
#
aaronpk
so the http codes weren't written with oauth in mind, which i think is where this mixup is coming from
ben_thatmustbeme joined the channel
#
aaronpk
looks like they were updated in http 1.1 to make it more clear
#
aaronpk
but generally this is the difference between whether the user is allowed and whether the client is allowed
ben_thatmustbeme joined the channel
#
GWG
I had this idea last night that my posts should know if they were posted during the day or at night.
ben_thatmustbeme joined the channel
#
dansup
will fix, thanks for the bug report snarfed!
#
Loqi
dansup: [snarfed] left you a message 7 hours, 21 minutes ago: just fyi, i noticed a couple more small differences btw pixelfed's and mastodon's APIs. 1) status.in_reply_to_id is an int instead of a string, 2) account.created_at: is int POSIX timestamp instead of ISO8601 string. lmk if you want me to file issue(s)!
[Jeff_Hawkins] joined the channel
#
dansup
sort of confused by the created_at issue, we appear to be using ISO8601
#
dansup
regarding https://github.com/pixelfed/pixelfed/issues/2106, I will take a look into Laravel Passport and league/oauth2 server
#
Loqi
[snarfed] #2106 support multiple OAuth redirect URLs
#
dansup
figured it out, PR to fix #2106 will be merged soon :)
geoffo and [snarfed] joined the channel
#
[snarfed]
awesome, thank you dansup!
#
jacky
an alternative to Google's recaptcha service: https://www.hcaptcha.com/
#
jacky
kinda wish there was some kind of thing like this for the commons
#
jacky
(like to train a publicly available, royalty-free model of sorts like Mozilla's voice model)
#
jacky
versus us just giving _so_ much data to google lol
#
[snarfed]
ah dansup i'm only seeing account.created_at as int timestamp in pixelfed's search API. you're right that it's ISO8601 in the statuses/* endpoints
#
dansup
oh I see
#
dansup
will fix 😅
#
dansup
jacky: yeah, the v3 recaptcha which has great UX comes at the expense of all the invasive client analysis and fingerprinting
#
dansup
[snarfed] do you mean the /api/v1/accounts/search endpoint?
#
dansup
ah ok
petermolnar and [LewisCowles] joined the channel
#
[snarfed]
thanks for the quick fixes!
gRegorLove_ and vinzalf joined the channel
#
GWG
Did some Weather API analysis for the future
#
vilhalmer
oh sweet
#
Loqi
GWG has 25 karma in this channel over the last year (139 in all channels)
#
GWG
I also just joined the CWOP.
dmitry joined the channel
#
jacky
CWOP?
#
GWG
Citizen Weather Observer Project
vinzalf, [tantek], [LewisCowles], KartikPrabhu, petermolnar and [jgmac1106] joined the channel
#
[jgmac1106]
gwg thx for looking into the apis, thinking about building a weather station with the kids
leg, [spieper] and jamietanna joined the channel
#
jamietanna
aaronpk sorry, "looks like they were updated in http 1.1 to make it more clear" - do you mean the OAuth2-specific error codes, or the Micropub error codes were updated? What would you recommend re moving forward? Align my resource server's implementation with Micropub spec, not OAuth2?
#
[LewisCowles]
Does anyone know of some good work on in-the-open secrets for a Git repository? Right now I'm using OpenSSL CBC, but it feels dog rough. I'm participating in a hackathon, and I made a contextual seeder, so that PRs can come with Seeds for QA / review. It's a public repo, and if I seed users, I really don't want to seed passwords; or put other easily stolen details in the public.
#
jamietanna[m]
[LewisCowles] I'd be interested in hearing solutions but can't offer anything of help unfortunately 😥 did you definitely want to store them in-repo, instead of outside ie in the build/test/deploy pipeline tooling?
#
[LewisCowles]
This is seed data, so really it has to be in the code
#
[LewisCowles]
I did make a secondary CBC key / cipher combo yesterday so that I can commit secrets
#
[LewisCowles]
The problem is that I'd need to roll the key / cipher combo if anyone ever worked it out. It's also a little crappy committing open, yet secret things I can't share
#
[LewisCowles]
I could pivot to answering a different question
#
[LewisCowles]
How do I discover genuinely faked seeds
#
[LewisCowles]
then it removes two problems
#
[LewisCowles]
but leaves me with one
#
Zegnat
I do not understand why seed data isn’t dummy data to begin with, surely there should never be a problem with that leaking?
#
[LewisCowles]
especially not as this data is only seeded contextually
#
[LewisCowles]
i.e. supports branch matching as well as deployment environment matching
#
[LewisCowles]
btw zegnat, I've not authored the data and now trying to protect
#
[LewisCowles]
I was thinking, so how will I know what the runtime picks?
#
[LewisCowles]
Then I thought. I know, at work we had some users. But it was a closed source repo
#
[LewisCowles]
so no discoverability issues
#
[LewisCowles]
CBC cipher is no good because there is one key. Splitting to have my own secondary key provider feels like a fix, but it's not
#
Zegnat
Honestly this just sounds like content that is not supposed to be inside the repo at all
#
[LewisCowles]
Maybe I'm trying to solve an impossible problem. I know it's hard-stalled me since yesterday
#
[LewisCowles]
Oh I did write one thing that involved sending data to another place. It basically gets the seed data and uploads to an S3 bucket as private object. It's intended to not be presentational seed data, but. Here's my feature, and here are some seeds that illustrate it in use for previewing branches.
#
Zegnat
“how to encrypt data” is not impossible to solve. Lots of options. https://github.com/FiloSottile/age is pretty good if you want unixy cli one-tool-for-one-thing encryption.
#
Zegnat
But it seems you have a multi-faceted question here. Also adding the complication of wanting to make the whole thing public (?) which I do not think anyone would really recommend, even if encrypted.
#
Loqi
[FiloSottile] age: A simple, modern and secure encryption tool with small explicit keys, no config options, and UNIX-style composability.
#
[LewisCowles]
Well no part of my problem forces encryption, but the public availability of both source code and PR + deploy means accidents could make a preview environment vulnerable
#
[LewisCowles]
lack of access to the seed data, in my mind is a form of obscurity that would harm.
#
[LewisCowles]
It's that intersection I'm trying to "solve for" in the absence of a good idea for the hackathon, I've just been spelunking
ben_thatmustbeme joined the channel
#
GWG
[jgmac1106]: Keep me posted
#
[jgmac1106]
I think a "my first bot" project will come before the weather station, do you have posts on your set up or bookmarks of good how to get started?
#
GWG
I may write something on the weather
#
[jgmac1106]
just do a series post one this is my station, post two this is my set up to my site, post three this is what I want to do next
#
[jgmac1106]
...post four ...look I did it
Mikaela and djmoch joined the channel
#
jeremycherfas
I think I may need to learn awk.
#
Zegnat
*gasp*
#
jeremycherfas
I know! But after just half an hour of reading around the topic, it looks like a little time on that would be more useful, long-term, than trying to bodge something with grep.
#
jeremycherfas
What does it mean when the access log shows many attempts to get ?s=averylongstringthatlookslikeitcouldbeahash ?
#
jeremycherfas
Many of them seem to be coming from ahrefs.com, which claims to be a very well-behaved bot. So I'm going to ignore them.
#
Zegnat
Sounds like it may be trying out session IDs? But that seems like a waste of time
jamietanna joined the channel
#
jamietanna
Or maybe a unique hash so the pages it gets are definitely out of the cache? (If any)
#
Zegnat
Feels weird for a bot to be having a cache in place though. Unless it is trying to work around things like CDN caches, making sure they always get the freshest response from your server.
#
Zegnat
Either way, seems ignorable!
#
Zegnat
(As long as you do not use ?s= for anything on your site, that is.)
#
jeremycherfas
My reading of ahrefs.com suggests that it is their hash of a link on my site, but I don't really know.
tsrt^, [KevinMarks], loicm and Mikaela joined the channel
#
aaronpk
jamietanna: I mean the HTTP 401/403 codes
#
aaronpk
were created way before OAuth and the idea of a separate client from the user
#
aaronpk
so they originally make it sound like it's whether the user is authorized to do the action, and with OAuth there is now the idea that even if a user is authorized to do something, the client making the request may not be
#
aaronpk
anyway we should probably update the micropub spec to match OAuth in this case
#
jamietanna
aaronpk gotcha! I'm happy to raise a PR to get the spec updated, if you'd like? Given it'd mean that existing clients are now no longer spec-compliant, what sort of socialisation is required to let them know?
oedmarap joined the channel
#
aaronpk
i doubt it will have any significant effect on clients, since the error JSON is fine and tells the client more about what's going on
#
aaronpk
and in any case there's really only one thing the client can do regardless of the error returned which is to ask the user to log in again
#
jamietanna
That's fair enough - I'll raise a PR in a mo then :)
#
jamietanna
That's fair enough - I'll raise a PR in a mo then :)
#
jamietanna
That's fair enough - I'll raise a PR in a mo then
#
jamietanna
That's fair enough
#
jamietanna
Sorry for the multiple messages - looks like network problems on my side
[tantek] joined the channel
#
jamietanna
aaronpk: https://github.com/w3c/Micropub/pull/117 is the PR to update the spec
#
Loqi
[jamietanna] #117 Fix: Align HTTP status code for `insufficient_scope` with RFC6750
#
jamietanna
It'd be good if Micropub.rocks were updated at the same time, so things are in sync - but it looks like we don't have a test case for it, so I'll raise an issue for it, but should be OK leaving that till some time in the future if we don't already have it
geoffo, [prtksxna], dmitry, leg, hello, loicm, swentel, KartikPrabhu and gRegorLove_ joined the channel
#
GWG
Okay, my development servers just moved to their new homes.
#
GWG
Good time to consolidate test sites.
jaklt and Tomas joined the channel
#
jacky
re: IndieKit (cc: jaklt)
#
jacky
is there a 'debug' mode for IndieKit?
#
jaklt
apparently, you can run IndieKit locally but I'm not sure if it helps :-)
#
jacky
it could! running a proxy service from your local machine to the Web and then hitting it from the client could give you info
#
jacky
especially if you can run it `node --debug-brk` mode and see where it's failing
#
jaklt
ok, that might work, I guess that then I would also have to run my website locally and point the micropub point to this local one
#
jaklt
I'll ponder for a bit more if I can find a way to debug IndieKit on heroku to avoid this, and otherwise I try what you say
#
jacky
potentially not the entire site - it could be just this part that's busted
geoffo, petermolnar and jamietanna joined the channel
#
jamietanna
Looking at https://www.w3.org/TR/micropub/#h-source-content what's the expectation when a property is not found? An empty array? an HTTP 400? Or not sending the property
#
aaronpk
i don't think we have enough implementation experience to know what the best response is
#
aaronpk
it also likely depends on the specific client
#
jacky
^ I currently leave it out altogether
#
jacky
this reminds me tho
#
jacky
what is Micropub
#
Loqi
Micropub is an open API standard (W3C Recommendation) for creating, editing, and deleting posts on websites, like on your own domain, supported by numerous third-party clients and CMSs https://indieweb.org/Micropub
#
jamietanna
I'd be concerned that a client would then expect that the properties would be there (as it's requested them) so I'd be tempted to return `[]`. But then that could mean that I've actually specified it in the post, but as an empty array, so maybe I'll leave it out, too
#
jacky
right
#
jacky
like if it's not there, I take that as you don't "recognize" it
#
jacky
if it is but is empty, that's a hint (on my end) that nothing has been specified
#
jacky
(examples of this would be tags or syndication data)
oedmarap joined the channel
#
jamietanna
Yeah that sounds reasonable :)
#
jacky
the biggest thing I want to implement on my site is this https://github.com/indieweb/micropub-extensions/issues/4
#
Loqi
[EdwardHinkle] #4 Query for Post List
#
jacky
so I can use it for more efficient rendering of reactions in my reader
#
jacky
no point of enabling someone to re-like something if they already have
#
aaronpk
Yeah I could definitely use that too
#
jamietanna
I've generated it in a non-Micropub way at https://www.jvt.me/content-deduplication.json but that's a good shout, I should really wrap it in a Micropub thing, too
#
jacky
firefox++ for the in-built json viewer lol
#
Loqi
firefox has 1 karma over the last year
#
jamietanna
oh yeah, that and its new certificates interface is ace - the little things that make a difference!
#
jamietanna
Also sorry, should've warned it's a large JSON file
#
jacky
indeed!
#
jacky
oh it was fine on my computer
oedmarap joined the channel; oedmarap left the channel