#dev 2020-07-19

2020-07-19 UTC
#
jacky
pops in
#
jacky
likes this discussion
#
jacky
this is making me realize that I should track more information about Webmentions in Lighthouse
#
jacky
since it's only me, it's realistically mostly interactions with Bridgy
#
jacky
I would love a way to 'detect' if a webmention is going to be full-on async or if it even considered handling a callback
#
aaronpk
what's the use case for that?
#
jacky
mainly for presentation (but I think this is mainly from using Webmention-based syndication versus more 'vanilla' Webmention sending)
#
jacky
thinks that this is unrelated though as he continues to read the backlog
#
jacky
now needs to re-read the spec, lol
#
jacky
oh hm
#
jacky
so (just re-iterating) 201 -> async w/ status page, 202 -> async w/ no feedback
#
jacky
[200 only seems useful if you're doing it either in the browser in real time / in a validation of the sending use-case]
#
jacky
hmm w.r.t callback-centric wms, I think using 202 to hint that it'll support it is safe (b/c a status URL won't be needed - the status would be informed via said callback, no?)
#
aaronpk
if we add a callback mechanism we could also add a callback acknowledgement
#
aaronpk
more explicit than just 202
#
jacky
couldn't that be the act of calling the callback? (I'm also making the assumption here that the callback can be called multiple times)
#
aaronpk
so like if you send me a webmention and give me a callback URL, I wouldn't send you anything until processing is done
#
aaronpk
but that would take some arbitrary amount of time
#
jacky
hm okay
#
aaronpk
so if you wanted to know whether to ever even expect a response there you'd want some acknowledgment that i'm going to post there later
#
jacky
right versus twiddling thumbs and hoping for a reply, lol
#
jacky
perhaps that's where that mention on the wiki of adding another header could come into play?
#
jacky
It was like `X-Webmention-Status` or something
#
aaronpk
no i think that's something different
#
aaronpk
since this is still brainstorming, i clarified that here: https://indieweb.org/Webmention-brainstorming#Asynchronous_status_notification
#
jacky
Hm gotchas
#
jacky
I don't have a way to do that rightn ow
#
jacky
*right now
#
jacky
any of those approaches would work for me tbh
#
aaronpk
i like the callback approach in that it's easier to get actual status information into a UI
#
aaronpk
however if something goes wrong for some reason, it's harder to then surface that
#
aaronpk
whereas having the UI link out to the status URL would then at least take the user to that link where some more details or an error message might be visible
#
jacky
hm in what case? when Lighthouse experiences _anything_, it invokes the callback with error information (so my site can then attempt again later)
#
jacky
hmm tbh I don't see a reason _against_ doing both
#
aaronpk
well like if the webmention receiver fails to actually send anything to the callback URL
#
jacky
ha yeah
#
aaronpk
the question then is why and where did it break down
#
aaronpk
but yeah both is not bad either
sp1ff and [tw2113] joined the channel
#
Loqi
[dshanske] #226 No longer support IndieAuth in this Plugin
#
aaronpk
not sure that's the right title for that issue 😂
#
GWG
aaronpk: Changed
#
GWG
(It didn't read it again)
#
aaronpk
built-in indieauth?
#
GWG
"No longer offer built-in IndieAuth in this Plugin Require IndieAuth Plugin"
#
aaronpk
it never had built-in indieauth i thought
#
Loqi
[dshanske] #226 No longer offer built-in IndieAuth in this Plugin Require IndieAuth Plugin
#
aaronpk
i thought it always required an external indieauth server
#
GWG
"Remove IndieAuth Client Code?"
IWSlackGateway2 joined the channel
#
GWG
Okay
#
GWG
Take three
#
GWG
"Make IndieAuth Plugin a Dependency to Use This Plugin"
#
aaronpk
how about describing what the end result is rather than what it's not
#
aaronpk
or at least starting with that
#
GWG
To be honest, I would have done it by now if people hadn't told me they didn't want to use the local endpoint
#
aaronpk
that works
#
GWG
aaronpk: I wrote a PR in January to put the remote endpoint code back into the IndieAuth plugin. I'd like to merge it, but keep it hidden so only people who really want it can use it
[tb] joined the channel
#
Loqi
[dshanske] #227 IndieAuth Dependency
#
GWG
Okay, famous last words
#
GWG
Broke the unit tests.
[tb]1, nickodd, KartikPrabhu, bear and [schmarty] joined the channel
#
GWG
Okay. There we are.
#
GWG
Now Micropub knows nothing about scope.
#
aaronpk
Interesting, that isn't where I thought that was going
#
GWG
aaronpk: Scope is handled by IndieAuth. It translates it into WordPress capabilities. So Micropub just has to check that
#
aaronpk
scope is to protect the resource servers, the micropub plugin is a resource server, so it should know about the scopes relevant to it
#
aaronpk
oh I see
#
aaronpk
I am always surprised by how things play out in the WordPress model but I guess that does make sense
#
GWG
So, it checks if a user can publish a post to see if it can create one
[tw2113] and [tb] joined the channel
#
GWG
aaronpk: Unfortunately, the scope to capability code hit IndieAuth in January... but the last release was a year ago, so I have to ensure it is released.
#
ThatSummer[m]
Is mp-slug a part of the Micropub spec? I can't find anything about it but a Micropub server I'm reading through is making use of it.
#
ThatSummer[m]
And while we're on it, what about mp-syndicate-to?
#
GWG
ThatSummer[m]: mp-slug is a stable extension
#
GWG
mp-syndicate-to is in the spec
#
ThatSummer[m]
Can I read somewhere about mp-slug?
#
ThatSummer[m]
What does the mp- prefix stand for - is it Micropub?
#
GWG
Yes
#
GWG
For the spec
#
GWG
For stable and proposed extensions
#
ThatSummer[m]
I see, thank you!
#
GWG
Happy to share Links
[snarfed], KartikPrabhu, adiweb, lahacker, moppy, [pfefferle] and [KevinMarks] joined the channel
#
[KevinMarks]
Worth making wiki links for mp-slug?
#
@erikkroes
↩️ I'm working on using http://webmention.io for reactions. RSS-feed is buggy right now but I see no reason why it shouldn't work
(twitter.com/_/status/1284779437926555648)
[jeremycherfas], KartikPrabhu, sp1ff`, petermolnar_, treora_, shrysr_, oodani_, bear_, shoesNsocks, builder, nickodd and [tantek] joined the channel
#
[tantek]
What is nowww
#
Loqi
no-www is a movement to deprecate use of "www." at the start of URLs as being redundant, unnecessary, and a waste of resources https://indieweb.org/nowww
#
[tantek]
nowww << Another reason to setup www. to permanently redirect to your plain domain: apparently (some) browsers hide the www. in the URL bar and when users copy/paste it doesn’t show. Thread: https://twitter.com/mountain_ghosts/status/1284877229449773058
#
@mountain_ghosts
really wish browsers would stop hiding parts of domains, esp the 'www.' subdomain. just results in you typing the site you think you're on into another tab or app and it failing
(twitter.com/_/status/1284877229449773058)
#
Loqi
ok, I added "Another reason to setup www. to permanently redirect to your plain domain: apparently (some) browsers hide the www. in the URL bar and when users copy/paste it doesn’t show. Thread: https://twitter.com/mountain_ghosts/status/1284877229449773058" to the "See Also" section of /no-www https://indieweb.org/wiki/index.php?diff=71455&oldid=34100
[fluffy], [schmarty], crazed, leg, [tantek], KartikPrabhu and Coll joined the channel; nickodd left the channel
#
GWG
aaronpk: Working on some IndieAuth bug fixes...any ideas for any enhancements I can make based on your extensive experience
#
GWG
I'm looking at sanitization and validation functions in other endpoints
#
aaronpk
my main concern right now is getting it so people don't think they have to use indieauth.com when they use either the wordpress micropub or indieauth plugins
#
GWG
aaronpk: It's coming
#
GWG
I just want to enhance some security issues
#
GWG
aaronpk: Expect people with auth header issues again
#
aaronpk
i'd look at selfauth as a reference, lots of good security features there
#
GWG
pfefferle flagged that I'm not sanitizing the token
[schmarty] joined the channel
#
GWG
As one of his concerns
#
aaronpk
i don't know what you mean, where?
#
GWG
From the post array
#
aaronpk
i don't understand
#
GWG
$_POST['access_token']
#
GWG
When a token is passed in the post body as opposed to the header
#
aaronpk
sanitizing doesn't happen in a vacuum. where is that value used and what sort of sanitization would it need?
#
GWG
Although maybe I should cut that... wasn't there a discussion of not allowing it anymore
#
GWG
aaronpk: WordPress likes everything sanitized. But it's only compared to the value of the stored token
#
GWG
So, it is brought in, hashed, then the hashes are compared
#
aaronpk
you can't just say "sanitize" without describing the context in which that is happening
#
aaronpk
but again, if you want a reference implementation to look at, check out selfauth which considers all sorts of different kinds of attacks
#
GWG
I know WordPress is a desirable target
#
GWG
I figured if more people are coming, I should consider some security
geoffo joined the channel
#
GWG
I think I see some things selfauth does I could do
#
GWG
I do a string comparison...I could use hash compare..
superkuh and [tw2113] joined the channel