#vika_nezrimayaI should really use my GitLab more...
KartikPrabhu, kitt, jonnybarnes and nickodd joined the channel
#vika_nezrimayasorted sets are really built for this kind of thing, but I think I might need some server-side pagination to make it blazing fast enough for feed views
#vika_nezrimayaI'll just implement it later, the performance feels reasonable enough for testing
#vika_nezrimayaI mean, with 100000 feed items it takes 0.7 seconds to get the whole feed, but it scales linearly and I don't see getting 100k posts in forseeable future
#vika_nezrimayaSo with a more reasonable 2000 posts it takes on average 15 ms
#vika_nezrimayascaling linearly since ZREVRANGEBYSCORE is O(log(n)+m), where n is the cardinality of the sorted set and m is the number of items requested
#vika_nezrimayasince I'm requesting the whole set it's basically O(log(n)+n) == O(n)
#vika_nezrimayaif I implement pagination I'm gonna cut it down to O(log(n)) since m is const
#vika_nezrimayaassuming the pagination will be efficient and use the rank of the last item on page as a pagination token
#vika_nezrimayato a Micropub client that will be an implementation detail, to me it'll be a way to really optimise pagination - I'll be able to simply request limit+1 items every time and return posts[limit]'s timestamp (which is its ZRANK) as a pagination token
#vika_nezrimayaand boom, suddenly I have the perfect solution to the slow pagination problem
#sknebelZegnat: I probably won't be in the session actually, but we can discuss some of it now if you want?
#ZegnatI think I have two points to discuss on that one: 1) must the extra check always be done or can we safe the work for clients in some cases (e.g. where new profile URL is a subpath of the original profile URL?) and 2) must we still forbid the domain from changing when different URLs have a way to be checked.
#sknebelas I said I'm fairly strong "yes, must always be done if the URL changed in any way" for the first one
#sknebelI don't feel particularly comfortable defining a "this has to be safe" exception that won't break a realistic scenario, so given the (IMHO) little gain I'd rather err on the side of checking "too often"
floridafruitgeek joined the channel
#sknebelfor 2 - might not be needed indeed (I think its ok to allow it), but that could be a second iterative change potentially.
geoffo joined the channel
#ZegnatI guess most of my ponderings are in the "what effects has this throughout the spec" category. I have no problems with making clients redo discovery on the returned profile URL when it is different from the originally discovered profile URL. That seems fine to me.
#Zegnatagenda seems fine to me aaronpk. I think there is still plenty discussion there
#sknebelI feel like 2) could especially be relevant in an location migration use case, but that'd be a bigger project
#ZegnatAgreed, it is not what the change set out to solve. But I like it if we can simplify any parts of the spec by having as few exceptions or alternative behaviours as possible. But completely fine with opening a seperate ticket for it after this gets merged.
[manton] joined the channel
#[manton]I’ve gotta say: I worry about shared domains even being supported in IndieAuth at all. It adds a lot of complexity.
#aaronpki guess the problem is right now it's not disallowed, and as such there's a potential impersonation issue
#[manton]And it’s complexity that is kind of against IndieWeb principles, since you can’t fully own your identity on a shared domain.
vika_nez` joined the channel
#sknebelI think it would be a bad idea to restrict indieweb technologies out of academic/corporate environments due to purity of principle arguments
#[manton][sknebel] Academic/corporate environments can’t use subdomains? I agree we don’t want to be too restrictive, but again I worry about making IndieAuth much more complicated than it already is.
#sknebelSubdomains also are not "fully owned identity" - and it's much more about "won't" than "can't.
#[manton]If someone is using a library that handles everything, great, but if someone is rolling their own implementation, expecting them to follow 10 redirects and re-download the HTML to check links, etc… It’s a lot. 🙂
#sknebelI disagree. you already need to fetch a URL, follow redirects and look up a rel value for the initial discovery
#sknebelif you got that figured out, you can do it a second time.
#sknebel(I generally subscribe to HTTP requests being cheap, and that you've got bigger problems if they aren't)
geoffo and [fluffy] joined the channel
#[fluffy][Zegnat] I didn’t know there’s a session but I have other stuff going on today
#Zegnat[fluffy]: aah, that is too bad. Yeah, we decided to do a follow up 2 weeks after the previous one
#[fluffy]And sknebel I agree, reducing HTTP transactions gets to be a micro optimization after a certain point, and micro optimizations are bugs in disguise
jonnybarnes joined the channel
#[manton]To be clear, I’m not talking about any cost of the request itself, but the client code complexity.
#[fluffy]I already implement that in Authl and the code complexity is very low
#[fluffy]Less complexity would mean not allowing URL changes at all
#[fluffy]Assuming domain ownership is extremely exclusionary and short-sighted.
#[fluffy]Most of the complexity in my implementation comes from having to verify the URL itself due to redirections. Checking the endpoint matching is trivial, and reuses a function that already existed for the initial discovery.
#[fluffy]Also, if IndieAuth cannot be trusted on shared domains then it cannot be trusted, as there is no way to know if someone has implemented it on a shared domain.
#[fluffy]And then we’re back to the mess of having to allow/blocklist known-safe domains.
#[manton]If IndieAuth didn’t support shared domains, it wouldn’t be an issue. But I’m happy to drop the issue… Just wanted to voice my concern instead of ranting on the Zoom call about it. 🙂
#[manton](I’m still having trouble with the potential security risk, but I trust y’all that it’s there.)
#[fluffy]Supporting shared domains is incredibly important IMO. The vast majority of academic homepages are tilde pages; university IT does not hand out subdomains for homepage hosting, and most students aren’t going to set up a dedicated server.
#[fluffy]There is a proof of concept at tilde.club/~fluffy
#sknebeland since you can't technically *block* shared domains, you'd rely on every implementation and documentation always warning users about not to use it in such situations, which IMHO is a terrible idea for a security feature
#[fluffy]Use that URL to sign in to indieweb.org as any tilde.club identity.
#ZegnatI think the argument there has always been that those students should be enabled to get a domain (which they could setup to forward to their tilde page). Because that way even when you quit the university, your identity moves along with you.
#ZegnatBut as a folder-user myself, I totally see the use-case. I have always been using IndieAuth for my sub folder. And most of the time there are no problems. The fact that this opens up for imitations is a concerning though.
#[fluffy]Even if they can it requires more technical acumen. And they’d still need to be able to host the profile page in such a way it still canonicizes as the subdomain.
#[fluffy]Which means ensuring a temporary redirect, and validating that is way more complex code-wise (and still needs to be done, and is already in the spec)
#[fluffy]I would rather see more complexity on clients, which can use existing libraries and have more validation performed on them, than on users, who just want a dang webpage.
#[fluffy]And verifying that the endpoint matches is trivial and gives you more security guarantees on its own than verifying the canonical URL on its own
nickodd joined the channel
#[fluffy]Honestly the whole temporary vs permanent redirect thing is annoyingly complex, and verifying the domain doesn’t change is annoyingly complex, and neither of those do anything to guarantee endpoint integrity.
#[fluffy]But verifying that the endpoint never changes solves the same problems but way, way more easily.
#[fluffy](Putting the onus on the endpoint to be correct, of course.)
#ZegnatThe temporary redirects are there so you can have something as your profile URL even if that is not the resource where the auth endpoint is on. Which I think is the proper HTTP way of using that. Allowing you to switch systems without switching profile URL.
#[fluffy]Yeah I mean I agree that the redirection stuff needs to be there.
#[fluffy]To me it seems silly to debate that redirection validation is important but endpoint matching isn’t.
#[fluffy]Especially when verifying the final endpoint is just going to be calling the same function you did for initial discovery.
#[fluffy]It is literally impossible to write a client in such a way that it doesn’t have the means of discovering the endpoint from an arbitrary URL.
#[fluffy]like. That is fundamental to the protocol.
#[tb]Don't want to send the popup on a tangent for this so I'll post here while I remember — is there a reason why a defacto `read` scope hasn't been defined alongside `create`/`media`/`update`/`delete` here in https://indieweb.org/scope or used in any of the implementations listed out there?
#GWGWe probably should address the wiki confusion though
#[tb]I was thinking on the MP query endpoint specifically
#[tb]I suppose there's not really anything you'd want to do against the Micropub query endpoint though without also wanting to do `create`-type things down the line though
#[snarfed]`read` would be useful for making full fledged authoring clients. key main use case is “show me my posts (and drafts)”
#[snarfed]you can get public posts from the site (h-feeds etc), but not drafts, private posts, feed locations aren’t standardized or guaranteed to contain all posts, etc
#GWG[snarfed], [tb] : Good point to add to the Micropub-extensions issue list then
[James_Gallaghe] and [chrisaldrich] joined the channel
#ZegnatI was discussing that with voxpelli over coffee last week. Where he brought up the - to me unknown - BREAD over CRUD debate. As in CRUD rules do not cover everything, you want BREAD, which includes "browse" as an action. http://paul-m-jones.com/post/2008/08/20/bread-not-crud/
#jamietannaI guess you wouldn't necessarily introspect JWTs, as often Authorization Servers would issue a JWS rather than a JWE, so you'd be able to inspect the claims without introspecting it
#ZegnatProblems that solve themselves, we love those around here, hirusi[m]! :D
#hirusi[m]oh this is the first time I think I solved it myself lol, but glad to be a part of that gang :D
#aaronpkwhat's a good label to put for this token introspection issue? "needs experimentation" or something
#hirusi[m]Oh really? I did drop in on the Micropub session I think but had to leave early + didn't have much to say re: the extensions themselves.
#GWGhirusi[m]: We didn't get to it, but the notes and video for what we did are all available.
#hirusi[m]Not sure, aaronpk. I can't comment on what the industry standard/defaults are, just that it confused me and would like to see it ironed out :)
#aaronpkhirusi[m]: what do you mean? what's confusing?
#aaronpki was just talking about orgnanizing issues on github :)
#hirusi[m]Are we talking about issue #119 around Micropub?
#GWGhirusi[m]: There is obvious overlap between Micropub and IndieAuth as Micropub uses IndieAuth, but we weren't focused on anything Micropub specific today
#sknebelaaronpk: needs experimentation/needs information sounds good
#ZegnatShould we have opened a separate ticket for the changes needed around the auth endpoint verification step, aaronpk? Or is just the TODOs in the notes enough?
#ZegnatOr if anyone wants to have a go at writing a PR for PKCE... I am still not sure how I would do that one :(
#swentelanything specific you're having trouble with?
[tantek] joined the channel
#GWGI was trying to figure out if I should change how I generate my random tokens
#ZegnatWhere do I store the secret? Selfauth is stateless, so would have to be in the state. But then you want it to be encrypted and there is not really anything in out-of-the-box PHP 5.6 that I would want to use for that encryption...
#aaronpkZegnat: what are you using to store stuff for the authorization code? it's just one more thing to add to that list
#[fluffy]is there a requirement in PKCE that the stuff be encrypted, or does it just need to be signed?
#sknebelGWG: why? and what are you using currently?
#aaronpkit's a particular problem for selfauth because it's trying to be stateless
#[fluffy]like is there a secret that cannot be visible to the end user?
#aaronpkbut also yes the pkce code verifier can't be returned in plaintext as part of the authorization code otherwise that defeats the protection that pkce provides
#[fluffy]okay, so this is something I'll have to keep in mind when I add that to Authl
#[fluffy]since Authl supports stateless operation (and Publ uses that mode by default)
#ZegnatAuthorization codes are not stored, they have an embedded expiry time that is checked against a signature.
[dmitshur] joined the channel
#[dmitshur]Hi sknebel. I saw a notification about a question from you on GitHub, but can't see that message now.
#sknebel[dmitshur]: yep, deleted it because I saw it was already covered in the change and thus didn't actually need discussion from my POV
#ZegnatAnd the signature is your standard HMAC thing, which should be safe enough.
#[dmitshur]I see. To clarify though, I used it because I didn't understand a comment, not that I disagreed with it. A guess a comment would've been more clear.
#ZegnatBut for those signatures Selfauth only needs 1 random secret (stored in APP_KEY) that gets set at installation. PKCE would require new randoms for each request, which does have storage requirements.
#GWGsknebel: WP updated to PHP5.6 and is staying there. I thought there were some new functions in 5.6 I might want to use.
#Loqi[Zegnat] #56 Remove requirement for same domain
#[fluffy]with PKCE can you generate a new secret by hashing the APP_KEY along with something that's immutable throughout the transaction? Or is that not considered secure enough?
#sknebelGWG: ah. I think the interesting ones are in PHP 7, BUT a) worth checking if wordpress is using them in wp_generate_password and b) there is a 5.6+ polyfill by paragonie: https://github.com/paragonie/random_compat
#Loqi[paragonie] random_compat: PHP 5.x support for random_bytes() and random_int()
[tw2113] joined the channel
#[fluffy]I guess that could be subject to attacks like multiple transactions started within a single second
#sknebelZegnat: I *think* storing information about the PKCE code in the auth code would already help?
#GWGsknebel: It does not, but it's wp_rand function is pluggable.
#sknebelbecause the code_challenge is what the authorization server needs to be able to "remember" later
#ZegnatThe simple PKCE idea is just hard with real stateless and no storage and no encryption...
#ZegnatSo my mind kinda gave up and started to wonder if it is useful to try and figure out a solution. Or if I should do a PHP7+ implementation where I also merge in Mintoken.
#sknebelbut if we put the PKCE code_challenge in the auth code
#sknebelsomeone who intercepts the code can see the challenge
#sknebelbut they'd need to be able to reverse the hash used to be able to use the auth code
#sknebelwell, PKCE with "plain" code challenge isn't helping then I guess, but the signed one is
#aaronpkwhich is interesting... if we disallow "none" for IndieAuth then maybe that'd be okay
#sknebelI feel like thats one of the few cases where a "SHOULD" might have been appropriate :D
#sknebel(especially since the alternative for selfauth is to ignore PKCE... which is worse)
#sknebel(client can't even tell if the server supports it, right?)
#aaronpkcorrect except if the server supports OAuth metadata
#sknebelokay, so I see an argument for ignoring that MUST, but you have a point
#sknebel(especially if the integration with token endpoint and thus wants storage anyways project is Zegnats alternative)
#ZegnatNote that scopes were not even included in the first version of Selfauth, because it was just for authentication. So in a world where IndieAuth is moving to even closer to zero stand-alone token endpoints than today, maybe Selfauth is moving towards overall deprecation anyway...
jonnybarnes, leg and geoffo joined the channel
#aaronpki mean you can still implement just the authorization endpoint if you never have a use case for token endpoints
#ZegnatI guess I am just seeing fewer and fewer people who have that as the usecase? But I could be wrong.
#aaronpkrolling mintoken into selfauth probably does make sense tho, even if someone only ever uses it to log in to stuff
#[fluffy]I only really care about the authorization endpoint, FWIW.
krychu joined the channel; nickodd left the channel
#ZegnatI am just wondering what people use on the wider IndieWeb where they get away without a token endpoint. Telegram, indieweb.org, and webmention.io? Is that it? As soon as you start wanting to experiment with Aperture or Quill you are going to need tokens, and a bunch of other endpoints.
#ZegnatThere is also a bit of eat-what-you-cook in here. The more I am thinking of moving away from Selfauth on my own site, the less likely I will be to do any upkeep on the code. And it already feels like many of the other collaborators on it have dropped off too
#aaronpkare you going to switch to something built in to your own site?
[chrisaldrich] joined the channel
#Zegnataaronpk: my own site is static, so probably not integrated. But I want to switch to something that integrates the token endpoint and is written in modern PHP
#ZegnatProbably also with an interface for looking at and revoking tokens
#aaronpki'd prefer if other people made some good alternatives first tho :)
#ZegnatWhatever I end up building will probably still be single user. But I am planning to deploy with Dokku, so it *may* end up having a one-click Heroku deploy thanks to that.
#ZegnatBut if you expect indieauth.com alternative to include relmeauth, you might be in for a longer wait, aaronpk. Not sure who wants to take on that pain
#aaronpki'm not sure i want it to include relmeauth specifically, but I do want it to be usable without a password
#aaronpki'm pretty happy with how indielogin.com handles twitter and github authentication now, so i'll probably provide those options still
#ZegnatThat is something I have been thinking about a lot. But I am not sure what I want to swap password logins with. For instance, I got rid of email on my phone. So I cannot just email a link to myself.
#aaronpki'd like to also support webauthn too, since it's integrated into browsers, it's a very nice experience once it's set up
krychu joined the channel
#ZegnatAnother reason why I want to branch away from selfauth is testing more of that sort of stuff for login. I think Selfauth was great for doing what it does when it was written: dump it on any PHP host you happen to be using and it enables login to the indieweb.
#ZegnatIt was not written to use libsodium for proper encryptions/signings, to offer multi-user or multi-login, etc.
#sknebelright, and PHP baseline is changing. PHP7 only is now more viable, and adds a lot
#Zegnatis tempted to start a project in PHP8 right now