#dev 2020-08-03

2020-08-03 UTC
[tantek], [schmarty], oodani and [dmitshur] joined the channel
#
[dmitshur] found this (in HTTP/1.1 spec):
#
[dmitshur] > All general-purpose servers MUST support the methods GET and HEAD.
#
[dmitshur] > All other methods are OPTIONAL.
#
GWG If you send an article via webmention twice to indienews, does it post twice?
#
[tantek] it shouldn't
#
[tantek] what is a private group
#
Loqi A private group is a group where the posts, members, and any other content in the group is only viewable by members of the group, a common social silo feature (like on Facebook) https://indieweb.org/private_group
#
[tantek] private group << Before you go building this, please be aware of the hazards of group dynamics and group psychology, as described in this article: 2020-07-02 The Guardian: [https://www.theguardian.com/technology/2020/jul/02/whatsapp-groups-conspiracy-theories-disinformation-democracy What's wrong with WhatsApp] (applies to much more than WhatsApp)
#
Loqi ok, I added "Before you go building this, please be aware of the hazards of group dynamics and group psychology, as described in this article: 2020-07-02 The Guardian: [https://www.theguardian.com/technology/2020/jul/02/whatsapp-groups-conspiracy-theories-disinformation-democracy What's wrong with WhatsApp] (applies to much more than WhatsApp)" to the "See Also" section of /private_group https://indieweb.org/wiki/index.php?diff=71823&oldid=71103
#
aaronpk GWG: i'm pretty sure it will update the post
#
GWG aaronpk: I'm trying to redo the POSSE scheduling code.
#
GWG I know Bridgy doesn't do updates, so asking it to won't change anything
#
GWG I'm trying to fix the logic.
#
GWG I'm still afraid of a mistake like I made years ago.
#
GWG When I imported old posts and an auto-posting system syndicated them as if they were new
beko, Yes, [dmitshur], [tantek], geoffo, geoffo_ and [tb] joined the channel
#
[tb] If any Rails folks here have ever been interested in IndieAuth on top of Doorkeeper, completed my spike today https://github.com/craftyphotons/singulus/commit/3ad02913b113221c73dfc2c208a7ca0c57e2c12f
#
[tb] Fairly happy with it so far, needs a lot of tests and probably a fair amount of refactoring now
superkuh, [tantek], swentel, KartikPrabhu, gxt, [KevinMarks], moppy, [arush], dckc, [jgmac1106], geoffo, [Chaitanya], nickodd, [schmarty], [tw2113] and [chrisaldrich] joined the channel
#
sknebel colors << [https://whocanuse.com whocanuse.com - contrast checker with checks for visual impairments]
#
Loqi ok, I added "[https://whocanuse.com whocanuse.com - contrast checker with checks for visual impairments]" to the "See Also" section of /color_palette https://indieweb.org/wiki/index.php?diff=71831&oldid=70394
#
[tantek] hey aaronpk (cc: GWG), I updated the one-sentence summary of IndieAuth to "IndieAuth is the most implemented decentralized identity protocol, built on top of OAuth 2.0." (in the pop-up event description) because I believe this is currently true
#
[tantek] most number of implementations, most widely deployed in terms of number of servers actually running it
#
[tantek] we need to not hold back about these facts
#
aaronpk πŸ‘
#
aaronpk i'm not good at self-promotion :)
#
[tantek] It helps to separate technology / ideas from sense of self πŸ™‚
#
[tantek] also a good side-effect of making efforts into community efforts rather than solo πŸ™‚
KartikPrabhu joined the channel; nickodd left the channel
#
[tantek] has anyone who runs these "send webmentions on your behalf as a service" things considered adding an "archive all potential webmention destinations" option that automatically sends everything a post links to, to the internet archive for archiving as of the time you (tried to) send a webmention?
[tb] joined the channel
#
[tb] That's an interesting idea, might make that a fast follow to my own webmention implementation once I finish the mvp
#
[tb] Wayback Machine only appears to have a retrieval API though, suppose you could just post to the same URL as their save form though
#
aaronpk Pretty sure this is documented somewhere
#
aaronpk my site does it, I hadn't thought of adding it to telegraph
#
[tb] How are you submitting the URLs programatically?
#
aaronpk https://indieweb.org/Internet_Archive#Trigger_an_Archive
[schmarty] joined the channel
#
aaronpk oh no
#
aaronpk that stopped working
#
aaronpk now it says "You need to be logged in to use Save Page Now."
leg joined the channel
#
[tantek] wait what
#
aaronpk actually when i try that in a browser it just hangs too! totally broken
leg joined the channel
#
[tantek] I'm going to assume this is a regression and not a deliberate breakage
#
aaronpk i assume the logged-in version failing is accidental or temporary, but that error message seems very intentional
#
[tantek] I can see them rate-limiting but blocking completely makes no sense
#
[tantek] yeah I got a "502 Bad Gateway" from attempting it in a browser. that looks more like a mistake
#
aaronpk yeah but if you try that curl command (adding the Accept header), it replies back with `{"message":"You need to be logged in to use Save Page Now."}`
#
[tb] Ah that's too bad 😞
#
[tb] Can I pick your brains at some point on my IndieAuth implementation? There were a couple tradeoffs I made where I was confused about something in the spec or due to the fact that I was extending it on top of Doorkeeper that I was curious to get some thoughts on
#
aaronpk sure
#
[tb] One of the major ones was that I completely removed the client validation from the token revocation endpoint, which I wasn't sure on since the OAuth2 specs have it in there as a requirement but it didn't seem like much use for IndieAuth clients
#
aaronpk correct, all indieauth clients are oauth "public clients" and don't have a client secret
#
aaronpk not sure if that's what you mean by "validation" tho
#
[tb] Oh I meant the part of RFC 7009 that says "
#
[tb] in SectionΒ 2.3. of [RFC6749].```
#
[tb] ```The client also includes its authentication credentials as described
#
aaronpk checks what 7009 says about public clients
#
aaronpk oh it references 6749
#
[tb] "
#
[tb] ```According to this specification, a client's request must contain a
#
[tb] valid client_id, in the case of a public client```
#
aaronpk yeah it sounds like it's fine that the revocation request doesn't include any client authentication
#
[tb] Yeah I don't see how it would really serve much of a purpose in this case to me
#
[tb] Cool well I'll maintain that behavior then β€” my other question was around how I'm doing authorization. Right now what I'm doing (and this is largely a product of me extending Doorkeeper's architecture) is to upsert an OAuth client on the backend whenever an IndieAuth authorization request comes in https://github.com/craftyphotons/singulus/blob/main/app/models/indieauth/pre_authorization.rb#L50-L62
#
[tb] I figure that also gives me a place to store any information I discover about the client
#
aaronpk i'd probably only create any records if the user is logged in
#
[tb] Yeah they need to be logged in to get that far
#
aaronpk you want to avoid someone being able to spam the authorization endpoint and make it do stuff
#
aaronpk but yeah if they're logged in that seems fine
#
[tb] iA Writer continues to dislike my setup 😞
#
[tb] It actually makes it all the way through the authorization flow for me now but once it gets the token it claims that the token doesn't have valid permissions
#
aaronpk have yuo implemented scope?
#
[tb] Yep
#
[tb] And the token that was given back to iA Writer indeed has the scopes it asked for
#
[tb] Which were `create` and `media` in this cae
#
[tb] Trying to find some other places now to validate my auth endpoint against, and I need to write a full acceptance test suite for this now.
#
[tb] Oh actually that leads me to my last question. For my `response_type=id` flow, I force a scope of `profile` no matter what they give as `scope` in case they decide to use the access grant to get a token instead of just POST back to the auth endpoint again
#
[tb] Is there any issue with doing it that way? I know that's mostly just because I'm trying to reuse Doorkeeper's `code` flow for `id`
#
aaronpk that's something i want to fix in the spec actually... i think `id` was a mistake because it's still actually the authorization code flow
#
@RubygemsN indieauth-token-verification (0.2.1): Perform the access token verification portion of the IndieAuth process by communicationg with a toke https://rubygems.org/gems/indieauth-token-verification (twitter.com/_/status/1290390596515852288)
#
[tb] Oh hah gotcha
#
[tb] Does anything out there actually use `id`?
#
aaronpk i suspect not
#
aaronpk i think most things just don't include response_type in that case
#
jacky I use it at times with [fluffy]'s site
#
jacky I wanted to use it for my site just to confirm people
#
jacky wait is this `response_type=id` right?
#
aaronpk yeah
#
jacky ah yeah then yeah, providing that is good
#
aaronpk but like specifically the value `id` is in question, not the mechanism
#
jacky ahhh yeah
#
jacky hmm
#
jacky opts for verbosity tbh
#
aaronpk the thing is it still _is_ response_type=code
#
[tb] I think the reason I like it is it standardizes a way for the client to get the user's profile
#
jacky ah so it's more of a contesting of just making it implicit
#
jacky thinks aggressively
#
aaronpk cause you still get back an auth code
#
aaronpk the difference is actually in the scope
#
[tb] But yeah I literally force it over to the `code` flow in my implementation and just force the scope to `profile`
#
aaronpk makes sure this is on the list for saturday
#
aaronpk btw [tb] are you joining?
[fluffy] joined the channel
#
[fluffy] [jacky] What context are you doing a response_type=id? I'm not specifically requesting/handling that anywhere
#
[tb] Ah what's Saturday? I need to keep up better!
#
[tb] Oh nvm found it
#
[fluffy] oh wait never mind, I do specifically do response_type=id in authl
#
[tb] Yes I'll be there!
#
[fluffy] but just because that's what the indieauth spec says to do
#
[tb] Hehe that's why I did it
#
aaronpk ah yes https://github.com/indieweb/indieauth/issues/42
#
[tb] Either way though great work with IndieAuth [aaronpk]. It was a fun time yesterday reading through the spec and implementing for my site, and learned some things about OAuth along the way
#
[tb] Oh I guess the one thing I need to do for `id` then is invalidate the access grant once it's POST'ed to the auth endpoint
#
[tb] Oh yeah I didn't do that yet πŸ˜„
#
[tb] Now that I have IndieAuth implemented though it's time to get back to my Micropub server and get my initial iteration of webmentions sorted out!
geoffo joined the channel
#
[tantek] may be worth tweeting @ internetarchive to ask them about the "save one page" problems, both in browser 502 and the weird error message from curl
#
[tb] So in lieu of submitting to internetarchive, are there some good self-hosted internetarchive-like apps that one could deploy and that follow any standard protocols around this kind of thing?
#
[tantek] what is indie archive
#
Loqi IndieArchive is a project to collaboratively grow an archival copy of pages replied to (possibly also mentioned) in indie web posts https://indieweb.org/indie-archive
#
[tantek] and just got a "500 Internal Server Error" from the save link as well
#
[tantek] "nginx/1.15.8" if that makes any difference
#
[tb] tantek++ thanks!
#
Loqi tantek has 21 karma in this channel over the last year (119 in all channels)
#
[tb] Also just discovered https://github.com/pirate/ArchiveBox as I was searching around
#
[tantek] yw [tb]!
#
[tantek] now trying the W3C validator as a method of "calling" the save link for internet archive
#
[tantek] I think the validator uses curl so ...
#
[tantek] oh, weird, it got a "`500 read timeout"`
#
[tb] What if you used a full on chrome headless session? πŸ˜„
#
[tb] Oh! ArchiveBox has a save-to-IA function
#
[tb] Maybe some clues here
#
[tb] https://github.com/pirate/ArchiveBox/blob/master/archivebox/extractors/archive_org.py#L39-L95
[manton] joined the channel
#
[manton] Annoyed by this Wayback Machine change. Micro.blog can save every post to the Internet Archive and it’s broken now. Looks like it always times out.
[KevinMarks] joined the channel
#
[KevinMarks] [tantek] mention.tech sends all urls it sees to archive.org
[chrisaldrich] joined the channel
#
[KevinMarks] I tried it manually and got β€œSaving page https://highlightpoetry.com
#
[KevinMarks] The capture is estimated to start in 634 minutes.”
[tb] joined the channel
#
[tb] I was playing around a bit with that ArchiveBox project I linked above and it's pretty neat
#
[tb] I think I'm going to deploy that thing onto a small cloud instance somewhere and use that for my archive