#dev 2020-08-03

2020-08-03 UTC
[tantek], [schmarty], oodani and [dmitshur] joined the channel
#
[dmitshur]
found this (in HTTP/1.1 spec):
#
[dmitshur]
> All general-purpose servers MUST support the methods GET and HEAD.
#
[dmitshur]
> All other methods are OPTIONAL.
#
GWG
If you send an article via webmention twice to indienews, does it post twice?
#
[tantek]
it shouldn't
#
[tantek]
what is a private group
#
Loqi
A private group is a group where the posts, members, and any other content in the group is only viewable by members of the group, a common social silo feature (like on Facebook) https://indieweb.org/private_group
#
[tantek]
private group << Before you go building this, please be aware of the hazards of group dynamics and group psychology, as described in this article: 2020-07-02 The Guardian: [https://www.theguardian.com/technology/2020/jul/02/whatsapp-groups-conspiracy-theories-disinformation-democracy What's wrong with WhatsApp] (applies to much more than WhatsApp)
#
Loqi
ok, I added "Before you go building this, please be aware of the hazards of group dynamics and group psychology, as described in this article: 2020-07-02 The Guardian: [https://www.theguardian.com/technology/2020/jul/02/whatsapp-groups-conspiracy-theories-disinformation-democracy What's wrong with WhatsApp] (applies to much more than WhatsApp)" to the "See Also" section of /private_group https://indieweb.org/wiki/index.php?diff=71823&oldid=71103
#
aaronpk
GWG: i'm pretty sure it will update the post
#
GWG
aaronpk: I'm trying to redo the POSSE scheduling code.
#
GWG
I know Bridgy doesn't do updates, so asking it to won't change anything
#
GWG
I'm trying to fix the logic.
#
GWG
I'm still afraid of a mistake like I made years ago.
#
GWG
When I imported old posts and an auto-posting system syndicated them as if they were new
beko, Yes, [dmitshur], [tantek], geoffo, geoffo_ and [tb] joined the channel
#
[tb]
If any Rails folks here have ever been interested in IndieAuth on top of Doorkeeper, completed my spike today https://github.com/craftyphotons/singulus/commit/3ad02913b113221c73dfc2c208a7ca0c57e2c12f
#
[tb]
Fairly happy with it so far, needs a lot of tests and probably a fair amount of refactoring now
superkuh, [tantek], swentel, KartikPrabhu, gxt, [KevinMarks], moppy, [arush], dckc, [jgmac1106], geoffo, [Chaitanya], nickodd, [schmarty], [tw2113] and [chrisaldrich] joined the channel
#
sknebel
colors << [https://whocanuse.com whocanuse.com - contrast checker with checks for visual impairments]
#
Loqi
ok, I added "[https://whocanuse.com whocanuse.com - contrast checker with checks for visual impairments]" to the "See Also" section of /color_palette https://indieweb.org/wiki/index.php?diff=71831&oldid=70394
#
[tantek]
hey aaronpk (cc: GWG), I updated the one-sentence summary of IndieAuth to "IndieAuth is the most implemented decentralized identity protocol, built on top of OAuth 2.0." (in the pop-up event description) because I believe this is currently true
#
[tantek]
most number of implementations, most widely deployed in terms of number of servers actually running it
#
[tantek]
we need to not hold back about these facts
#
aaronpk
👍
#
aaronpk
i'm not good at self-promotion :)
#
[tantek]
It helps to separate technology / ideas from sense of self 🙂
#
[tantek]
also a good side-effect of making efforts into community efforts rather than solo 🙂
KartikPrabhu joined the channel; nickodd left the channel
#
[tantek]
has anyone who runs these "send webmentions on your behalf as a service" things considered adding an "archive all potential webmention destinations" option that automatically sends everything a post links to, to the internet archive for archiving as of the time you (tried to) send a webmention?
[tb] joined the channel
#
[tb]
That's an interesting idea, might make that a fast follow to my own webmention implementation once I finish the mvp
#
[tb]
Wayback Machine only appears to have a retrieval API though, suppose you could just post to the same URL as their save form though
#
aaronpk
Pretty sure this is documented somewhere
#
aaronpk
my site does it, I hadn't thought of adding it to telegraph
#
[tb]
How are you submitting the URLs programmatically?
[schmarty] joined the channel
#
aaronpk
that stopped working
#
aaronpk
now it says "You need to be logged in to use Save Page Now."
leg joined the channel
#
[tantek]
wait what
#
aaronpk
actually when i try that in a browser it just hangs too! totally broken
leg joined the channel
#
[tantek]
I'm going to assume this is a regression and not a deliberate breakage
#
aaronpk
i assume the logged-in version failing is accidental or temporary, but that error message seems very intentional
#
[tantek]
I can see them rate-limiting but blocking completely makes no sense
#
[tantek]
yeah I got a "502 Bad Gateway" from attempting it in a browser. that looks more like a mistake
#
aaronpk
yeah but if you try that curl command (adding the Accept header), it replies back with `{"message":"You need to be logged in to use Save Page Now."}`
#
[tb]
Ah that's too bad 😞
#
[tb]
Can I pick your brains at some point on my IndieAuth implementation? There were a couple tradeoffs I made where I was confused about something in the spec or due to the fact that I was extending it on top of Doorkeeper that I was curious to get some thoughts on
#
[tb]
One of the major ones was that I completely removed the client validation from the token revocation endpoint, which I wasn't sure on since the OAuth2 specs have it in there as a requirement but it didn't seem like much use for IndieAuth clients
#
aaronpk
correct, all indieauth clients are oauth "public clients" and don't have a client secret
#
aaronpk
not sure if that's what you mean by "validation" tho
#
[tb]
Oh I meant the part of RFC 7009 that says "
#
[tb]
in Section 2.3. of [RFC6749].```
#
[tb]
```The client also includes its authentication credentials as described
#
aaronpk
checks what 7009 says about public clients
#
aaronpk
oh it references 6749
#
[tb]
"
#
[tb]
```According to this specification, a client's request must contain a
#
[tb]
valid client_id, in the case of a public client```
#
aaronpk
yeah it sounds like it's fine that the revocation request doesn't include any client authentication
#
[tb]
Yeah I don't see how it would really serve much of a purpose in this case to me
#
[tb]
Cool well I'll maintain that behavior then — my other question was around how I'm doing authorization. Right now what I'm doing (and this is largely a product of me extending Doorkeeper's architecture) is to upsert an OAuth client on the backend whenever an IndieAuth authorization request comes in https://github.com/craftyphotons/singulus/blob/main/app/models/indieauth/pre_authorization.rb#L50-L62
#
[tb]
I figure that also gives me a place to store any information I discover about the client
#
aaronpk
i'd probably only create any records if the user is logged in
#
[tb]
Yeah they need to be logged in to get that far
#
aaronpk
you want to avoid someone being able to spam the authorization endpoint and make it do stuff
#
aaronpk
but yeah if they're logged in that seems fine
#
[tb]
iA Writer continues to dislike my setup 😞
#
[tb]
It actually makes it all the way through the authorization flow for me now but once it gets the token it claims that the token doesn't have valid permissions
#
aaronpk
have you implemented scope?
#
[tb]
Yep
#
[tb]
And the token that was given back to iA Writer indeed has the scopes it asked for
#
[tb]
Which were `create` and `media` in this case
#
[tb]
Trying to find some other places now to validate my auth endpoint against, and I need to write a full acceptance test suite for this now.
#
[tb]
Oh actually that leads me to my last question. For my `response_type=id` flow, I force a scope of `profile` no matter what they give as `scope` in case they decide to use the access grant to get a token instead of just POST back to the auth endpoint again
#
[tb]
Is there any issue with doing it that way? I know that's mostly just because I'm trying to reuse Doorkeeper's `code` flow for `id`
#
aaronpk
that's something i want to fix in the spec actually... i think `id` was a mistake because it's still actually the authorization code flow
#
@RubygemsN
indieauth-token-verification (0.2.1): Perform the access token verification portion of the IndieAuth process by communicating with a toke https://rubygems.org/gems/indieauth-token-verification
(twitter.com/_/status/1290390596515852288)
#
[tb]
Oh hah gotcha
#
[tb]
Does anything out there actually use `id`?
#
aaronpk
i suspect not
#
aaronpk
i think most things just don't include response_type in that case
#
jacky
I use it at times with [fluffy]'s site
#
jacky
I wanted to use it for my site just to confirm people
#
jacky
wait is this `response_type=id` right?
#
jacky
ah yeah then yeah, providing that is good
#
aaronpk
but like specifically the value `id` is in question, not the mechanism
#
jacky
ahhh yeah
#
jacky
opts for verbosity tbh
#
aaronpk
the thing is it still _is_ response_type=code
#
[tb]
I think the reason I like it is it standardizes a way for the client to get the user's profile
#
jacky
ah so it's more of a contesting of just making it implicit
#
jacky
thinks aggressively
#
aaronpk
cause you still get back an auth code
#
aaronpk
the difference is actually in the scope
#
[tb]
But yeah I literally force it over to the `code` flow in my implementation and just force the scope to `profile`
#
aaronpk
makes sure this is on the list for saturday
#
aaronpk
btw [tb] are you joining?
[fluffy] joined the channel
#
[fluffy]
[jacky] What context are you doing a response_type=id? I'm not specifically requesting/handling that anywhere
#
[tb]
Ah what's Saturday? I need to keep up better!
#
[tb]
Oh nvm found it
#
[fluffy]
oh wait never mind, I do specifically do response_type=id in authl
#
[tb]
Yes I'll be there!
#
[fluffy]
but just because that's what the indieauth spec says to do
#
[tb]
Hehe that's why I did it
#
[tb]
Either way though great work with IndieAuth [aaronpk]. It was a fun time yesterday reading through the spec and implementing for my site, and learned some things about OAuth along the way
#
[tb]
Oh I guess the one thing I need to do for `id` then is invalidate the access grant once it's POST'ed to the auth endpoint
#
[tb]
Oh yeah I didn't do that yet 😄
#
[tb]
Now that I have IndieAuth implemented though it's time to get back to my Micropub server and get my initial iteration of webmentions sorted out!
geoffo joined the channel
#
[tantek]
may be worth tweeting @ internetarchive to ask them about the "save one page" problems, both in browser 502 and the weird error message from curl
#
[tb]
So in lieu of submitting to internetarchive, are there some good self-hosted internetarchive-like apps that one could deploy and that follow any standard protocols around this kind of thing?
#
[tantek]
what is indie archive
#
Loqi
IndieArchive is a project to collaboratively grow an archival copy of pages replied to (possibly also mentioned) in indie web posts https://indieweb.org/indie-archive
#
[tantek]
and just got a "500 Internal Server Error" from the save link as well
#
[tantek]
"nginx/1.15.8" if that makes any difference
#
[tb]
tantek++ thanks!
#
Loqi
tantek has 21 karma in this channel over the last year (119 in all channels)
#
[tb]
Also just discovered https://github.com/pirate/ArchiveBox as I was searching around
#
[tantek]
yw [tb]!
#
[tantek]
now trying the W3C validator as a method of "calling" the save link for internet archive
#
[tantek]
I think the validator uses curl so ...
#
[tantek]
oh, weird, it got a "`500 read timeout`"
#
[tb]
What if you used a full on chrome headless session? 😄
#
[tb]
Oh! ArchiveBox has a save-to-IA function
#
[tb]
Maybe some clues here
[manton] joined the channel
#
[manton]
Annoyed by this Wayback Machine change. Micro.blog can save every post to the Internet Archive and it’s broken now. Looks like it always times out.
[KevinMarks] joined the channel
#
[KevinMarks]
[tantek] mention.tech sends all urls it sees to archive.org
[chrisaldrich] joined the channel
#
[KevinMarks]
I tried it manually and got “Saving page https://highlightpoetry.com
#
[KevinMarks]
The capture is estimated to start in 634 minutes.”
[tb] joined the channel
#
[tb]
I was playing around a bit with that ArchiveBox project I linked above and it's pretty neat
#
[tb]
I think I'm going to deploy that thing onto a small cloud instance somewhere and use that for my archive