2020-07-19 UTC
# 00:38 jacky this is making me realize that I should track more information about Webmentions in Lighthouse
# 00:38 jacky since it's only me, it's realistically mostly interactions with Bridgy
# 00:40 jacky I would love a way to 'detect' if a webmention is going to be full-on async or if it even considered handling a callback
# 00:42 jacky mainly for presentation (but I think this is mainly from using Webmention-based syndication versus more 'vanilla' Webmention sending)
# 00:42 jacky thinks that this is unrelated though as he continues to read the backlog
# 00:47 jacky so (just reiterating) 201 -> async w/ status page, 202 -> async w/ no feedback
# 00:48 jacky [200 only seems useful if you're doing it either in the browser in real time / in a validation of the sending use-case]
# 00:51 jacky hmm w.r.t callback-centric wms, I think using 202 to hint that it'll support it is safe (b/c a status URL won't be needed - the status would be informed via said callback, no?)
# 00:52 aaronpk if we add a callback mechanism we could also add a callback acknowledgement
# 00:52 jacky couldn't that be the act of calling the callback? (I'm also making the assumption here that the callback can be called multiple times)
# 00:53 aaronpk so like if you send me a webmention and give me a callback URL, I wouldn't send you anything until processing is done
# 00:53 aaronpk but that would take some arbitrary amount of time
# 00:53 aaronpk so if you wanted to know whether to ever even expect a response there you'd want some acknowledgment that i'm going to post there later
# 00:54 jacky right versus twiddling thumbs and hoping for a reply, lol
# 00:54 jacky perhaps that's where that mention on the wiki of adding another header could come into play?
# 00:54 jacky It was like `X-Webmention-Status` or something
# 01:01 jacky any of those approaches would work for me tbh
# 01:01 aaronpk i like the callback approach in that it's easier to get actual status information into a UI
# 01:02 aaronpk however if something goes wrong for some reason, it's harder to then surface that
# 01:02 aaronpk whereas having the UI link out to the status URL would then at least take the user to that link where some more details or an error message might be visible
# 01:02 jacky hm in what case? when Lighthouse experiences _anything_, it invokes the callback with error information (so my site can then attempt again later)
# 01:03 jacky hmm tbh I don't see a reason _against_ doing both
# 01:03 aaronpk well like if the webmention receiver fails to actually send anything to the callback URL
# 01:04 aaronpk the question then is why and where did it break down
sp1ff and [tw2113] joined the channel
# 02:26 Loqi [dshanske] #226 No longer support IndieAuth in this Plugin
# 02:29 GWG "No longer offer built-in IndieAuth in this Plugin Require IndieAuth Plugin"
# 02:29 Loqi [dshanske] #226 No longer offer built-in IndieAuth in this Plugin Require IndieAuth Plugin
# 02:30 aaronpk i thought it always required an external indieauth server
IWSlackGateway2 joined the channel
# 02:31 GWG "Make IndieAuth Plugin a Dependency to Use This Plugin"
# 02:31 aaronpk how about describing what the end result is rather than what it's not
# 02:32 GWG To be honest, I would have done it by now if people hadn't told me they didn't want to use the local endpoint
# 02:34 GWG aaronpk: I wrote a PR in January to put the remote endpoint code back into the IndieAuth plugin. I'd like to merge it, but keep it hidden so only people who really want it can use it
[tb] joined the channel
[tb]1, nickodd, KartikPrabhu, bear and [schmarty] joined the channel
# 05:25 GWG Now Micropub knows nothing about scope.
# 05:28 aaronpk Interesting, that isn't where I thought that was going
# 05:28 GWG aaronpk: Scope is handled by IndieAuth. It translates it into WordPress capabilities. So Micropub just has to check that
# 05:28 aaronpk scope is to protect the resource servers, the micropub plugin is a resource server, so it should know about the scopes relevant to it
# 05:29 aaronpk I am always surprised by how things play out in the WordPress model but I guess that does make sense
# 05:31 GWG So, it checks if a user can publish a post to see if it can create one
[tw2113] and [tb] joined the channel
# 05:36 GWG aaronpk: Unfortunately, the scope to capability code hit IndieAuth in January... but the last release was a year ago, so I have to ensure it is released.
# 05:44 ThatSummer[m] Is mp-slug a part of the Micropub spec? I can't find anything about it but a Micropub server I'm reading through is making use of it.
# 05:52 ThatSummer[m] And while we're on it, what about mp-syndicate-to?
# 05:58 GWG ThatSummer[m]: mp-slug is a stable extension
# 05:59 ThatSummer[m] Can I read somewhere about mp-slug?
# 05:59 ThatSummer[m] What does the mp- prefix stand for - is it Micropub?
# 06:00 GWG For stable and proposed extensions
# 06:01 ThatSummer[m] I see, thank you!
[snarfed], KartikPrabhu, adiweb, lahacker, moppy, [pfefferle] and [KevinMarks] joined the channel
[jeremycherfas], KartikPrabhu, sp1ff`, petermolnar_, treora_, shrysr_, oodani_, bear_, shoesNsocks, builder, nickodd and [tantek] joined the channel
[fluffy], [schmarty], crazed, leg, [tantek], KartikPrabhu and Coll joined the channel; nickodd left the channel
# 21:24 GWG aaronpk: Working on some IndieAuth bug fixes...any ideas for any enhancements I can make based on your extensive experience?
# 21:33 GWG I'm looking at sanitization and validation functions in other endpoints
# 21:33 aaronpk my main concern right now is getting it so people don't think they have to use indieauth.com when they use either the wordpress micropub or indieauth plugins
# 21:34 GWG I just want to enhance some security issues
# 21:34 GWG aaronpk: Expect people with auth header issues again
# 21:35 aaronpk i'd look at selfauth as a reference, lots of good security features there
# 21:35 GWG pfefferle flagged that I'm not sanitizing the token
[schmarty] joined the channel
# 21:38 GWG When a token is passed in the post body as opposed to the header
# 21:38 aaronpk sanitizing doesn't happen in a vacuum. where is that value used and what sort of sanitization would it need?
# 21:38 GWG Although maybe I should cut that... wasn't there a discussion of not allowing it anymore
# 21:39 GWG aaronpk: WordPress likes everything sanitized. But it's only compared to the value of the stored token
# 21:39 GWG So, it is brought in, hashed, then the hashes are compared
# 21:40 aaronpk you can't just say "sanitize" without describing the context in which that is happening
# 21:40 aaronpk but again, if you want a reference implementation to look at, check out selfauth which considers all sorts of different kinds of attacks
# 21:41 GWG I know WordPress is a desirable target
# 21:43 GWG I figured if more people are coming, I should consider some security
geoffo joined the channel
# 22:05 GWG I think I see some things selfauth does I could do
# 22:05 GWG I do a string comparison...I could use hash compare...
superkuh and [tw2113] joined the channel