Loqi: It looks like we don't have a page for "login@indieauth.com" yet. Would you like to create it? (Or just say "login@indieauth.com is ____", a sentence describing the term)
[tantek]: login@indieauth.com is perhaps where email sign-in messages come from, IndieLogin.com or maybe IndieAuth.com.
[tantek]: hirusi[m], that's about as much as I can guess right now. We'll have to wait for aaronpk to help disambiguate what this means, though yes, we should have documentation to enable you to troubleshoot this directly yourself. thanks for your patience!
GWG: How do you attribute your cached copy of an image to the original URL?
aaronpk: then they try github, then they start over again
aaronpk: then they click the re-scan button a few times, then send another email
aaronpk: then they start clicking the send email button every 2 seconds
aaronpk: then a couple minutes later they figured out how to automate it and started sending 30 requests per second. the server rejected some of those, some of them resulted in http 502 errors, but a lot got through
aaronpk: this lasted about 2 minutes, then they wrapped up by clicking re-scan again, then visiting the indieauth.com home page, then left
aaronpk: I really should have built rate limiting of some sort into that, but I don't really want to add more code to that site, I'd rather spend the time building a replacement for it
jonnybarnes joined the channel
[tantek]: presumably we can document "rate limiting" guidance for anyone who would build a similar site
[tantek]: worth considering for the "Security Considerations" section in IndieAuth spec (if it's not already there)
aaronpk: it's not an indieauth spec issue, it applies to any system that does email-only authentication
aaronpk: i wonder if [manton] has any similar rate limiting for micro.blog logins
Loqi: It looks like we don't have a page for "email authentication" yet. Would you like to create it? (Or just say "email authentication is ____", a sentence describing the term)
aaronpk: it's not really appropriate for a security considerations section in the spec though
aaronpk: it's completely up to the implementation whether to support email authentication, and has nothing to do with the indieauth spec
aaronpk: if anything, a security considerations section could point to OWASP's authentication cheat sheet because there's *lots* more considerations than just this issue when dealing with authentication
[tantek]: email authentication is an alternative sign-in method to the classic username password method, where the user only enters an email address, the site then emails the user a unique sign-in link, which upon clicking they are authenticated. If you add a [[rel-me]] link from your site to your email, then login services that support [[RelMeAuth]] may provide you the option of signing in via email authentication.
[manton]: Much better to have [aaronpk] try to break Micro.blog now instead of hackers later. 🙂 This is definitely a problem… I think I'm going to start by allowing at most 1 sign-in email attempt every 30 seconds, just to have some protection in place.
aaronpk: i actually got all 110 emails that I requested :)
aaronpk: so no HTTP error, a testament to micro.blog's scalability :D :D
hirusi[m]: aaronpk: thanks for taking a look! have you decided if this would be tackled in the current build or just something you'd rather tackle in a fresh project?
aaronpk: I'm trying to think of the smallest change I could do to prevent this, I think some basic rate limiting is doable. I just really don't want to sink a lot of time into it because I know I'm going to throw out all this code at some point. But also who knows when that will actually be.
KartikPrabhu and [fluffy] joined the channel
[fluffy]: For email signins what I do is I keep track of all pending email signins for an address and don't allow anyone to request a new signin while there's a pending, unexpired one.
[fluffy]: Like, if someone requests a signin and the email doesn't come to them, requesting another one during the timeout window probably won't help matters.
[fluffy]: (This is the only thing in Authl that requires statefulness to work but the failure mode is that someone's able to make some extra signin requests so it's not that big a deal to me.)
[fluffy]: I do also want to add rate-limiting based on originating IP address but that gets into framework-dependent territory so that'll probably only be on the Flask frontend.
jonnybarnes joined the channel
[tantek]: originating IP is probably better, otherwise someone else can DoS you from logging into your site
[tantek]: if their request to login means your request to login is blocked because you didn't wait long enough
[chrisaldrich], jonnybarnes, mattl, jeremy, jeremy-, [tantek], moppy, [Murray], [James_Gallaghe], swentel, nickodd, KartikPrabhu, [eddie], dckc, [Rose], geoffo, [schmarty] and [manton] joined the channel
[manton]: Whether you can block new emails while a sign-in is pending may depend on how long they are valid. For Micro.blog, the sign-in emails are valid for 24 hours, so blocking future sign-ins would not work. People often have email delivery problems that are resolved and then need to try again some number of minutes later.
[manton]: Maybe 24 hours is too long, but I'd want it to be at least 1-2 hours since someone might request a sign-in, forget about it, then see the email later that day and expect it to work.
[tantek] and dckc joined the channel
jjuran: You can allow a small number of emails to be in play at once, e.g. 3 - 5.
[tantek]: Hah [KevinMarks] beat me to it. GWG re: WebShare see ^^^
@skkboz: ↩️ "limited nuclear war" is the fantasy they will only go up in asia like the last time and only asians are affected.
china and/or north korea would send microsub/fishing boats/suicide planes into both San Francisco & LA and take out both cities and naval facilities w nukes. (twitter.com/_/status/1297922084559917056)
@skkboz: ↩️ "limited nuclear war" is the fantasy they will only go up in asia like the last time and only asians are affected.
china and/or north korea would send microsub/fishing boats/suicide planes into both San Francisco & LA and take out both cities and naval facilities w nukes. (twitter.com/_/status/1297921934747869184)
GWG: I forget where I filed it with the other standard
[manton]: @GWG Good question about JSON Feed. I think 2 things: writing up a draft for the MIME type so that we can officially register it, and revisiting some of the early experiments for podcasting that some folks were working on (basically adapting the iTunes tags to JSON in a more vendor-neutral way): https://jsonfeed.org/podcasting
GWG: I may reread the vendor specific tags and media rss
[manton]: It's always been a little annoying to me that Apple's podcast directory requires extra fields, when really a basic RSS feed (or JSON Feed) has enough to support podcasting without the "itunes" namespace. But many clients and aggregators now expect at least a few extras, like cover art and Apple categories.
GWG: [manton]: Agreed on the idea of not working upstream
GWG: I'll see if I can write something up...I was planning on opening issues with some podcast stuff I use to support JSONFeed
hirusi[m]: I had, for whatever reason, assumed that the mp-slug property would be reserved for just notes, likes etc. and not articles. So I've added that in... but... is this a) correct b) should this be kept in the wiki?
hirusi[m]: Or we could revert this and add it to the Slug extension section on the Micropub-extensions page itself. An extra line to clarify it is acceptable for all post types
swentel and nickodd joined the channel
sknebel: micropub doesn't care about post types at all
sknebel: so yes, extensions like that can apply everywhere
[manton]: You could revert it if you think that including mp-slug there would confuse someone into thinking it's specific to articles, or required.
GWG: I think no one has seriously looked at that page recently to compare to the spec and extensions
GWG: [manton]: Reading podcast markup specifications over my lunch. In the context of a podcast, is author the host?
jonnybarnes joined the channel
GWG: This applies to microformats as well...how do you represent artist, host, guest as opposed to author?
jonnybarnes joined the channel; nickodd left the channel
[tantek]: this gets at the question of what is an author
swentel: [snarfed], thanks for the followers list. Additional question re: .well-known/host-meta - do you know whether that route is mandatory? or is .well-known/webfinger good enough. Been looking around a bit for docs about that, but can't really find anything conclusive.
swentel: oh, could be, haven't checked that out yet
GWG: swentel: It was prompted by Indigenous behavior. I implemented it because I use Indigenous. So, I tried to put it in extension terms as a way to do form encoded h-geo and h-card
swentel: [snarfed], not at the point yet to send anything out to the fediverse, but will test and see what happens :)
sknebel: there is something to be learned about protocol design by the regular extension pushes for form-encoded and I'm not sure yet what
swentel: GWG, I more or less use the same logic as you in the Drupal module
GWG: swentel: If you want to add that my description matches your implementation...
GWG: Just making sure it's all documented somewhere
jonnybarnes and [jacky] joined the channel
[tantek]: [snarfed] correct, AP does not require any "well-known", none of the Social Web WG specs do. We adopted "follow your nose" discoverability as a design principle quite up front, which rejects any "magic place" knowledge type design like "well-known".
[tantek]: sad to see the OAuth crowd run with .well-known with wild abandon 💁♂️
jonnybarnes joined the channel
sknebel: hm, looking at that podcast link above, chapters are another thing. although they are already in the media file, so they don't really need duplicate markup maybe. (links with mediafragments might do the job too)
jonnybarnes and [manton] joined the channel
[manton]: ActivityPub might not require well-known, but I think Mastodon effectively does require it because of WebFinger.
KartikPrabhu, [Emma_Humphries] and [KevinMarks] joined the channel
[KevinMarks]: Why mastodon kept the worst bit of OStatus and threw away the good bits I don't know.
[snarfed], jonnybarnes, [tantek], geoffo and [fluffy] joined the channel