#dev 2020-08-24

2020-08-24 UTC
[KevinMarks] and [tantek] joined the channel
#
[tantek]
what is login@indieauth.com
#
Loqi
It looks like we don't have a page for "login@indieauth.com" yet. Would you like to create it? (Or just say "login@indieauth.com is ____", a sentence describing the term)
#
[tantek]
login@indieauth.com is perhaps where email sign-in messages come from IndieLogin.com or maybe IndieAuth.com.
#
[tantek]
what is login@indieauth.com
#
Loqi
login@indieauth.com is perhaps where email sign-in messages come from IndieLogin.com or maybe indieauth.com https://indieweb.org/login@indieauth.com
#
[tantek]
hirusi[m], that's about as much as I can guess right now. We'll have to wait for aaronpk to help disambiguate what this means, though yes, we should have documentation to enable you to troubleshoot this directly yourself. thanks for your patience!
#
GWG
How do you attribute your cached copy of an image to the original URL?
#
GWG
Or rather cite?
#
[tantek]
on another topic I saw that https://macwright.com/2020/08/22/clean-starts-for-the-web.html was bookmarked to IndieNews, curious what people think about it or if anyone is considering a follow-up post with how the IndieWeb is already doing a lot of things for a better web?
#
[tantek]
It looks like a mostly dev-specific discussion to be clear, lots of jargon
#
@RubygemsN
webmention (4.0.0): A Ruby gem for sending Webmention notifications. https://rubygems.org/gems/webmention
(twitter.com/_/status/1297711876936146944)
#
aaronpk
hellooooo sorry been offline all day
#
aaronpk
let me see if i can figure out what's happening
#
aaronpk
hirusi[m]: looking at the logs, this looks like someone did this deliberately and at least somewhat manually
#
aaronpk
it starts out with someone visiting the site trying to log in to micropub-celestial.herokuapp.com as you
#
aaronpk
that looks like a real browser, a Linux user agent, IP address in sweden, it fetches all the CSS and JS and such
#
aaronpk
then 25 seconds later, they click the send email button
#
aaronpk
then 17 seconds later they start over
#
aaronpk
then they try github, then they start over again
#
aaronpk
then they click the re-scan button a few times, then send another email
#
aaronpk
then they start clicking the send email button every 2 seconds
#
aaronpk
then a couple minutes later they figured out how to automate it and started sending 30 requests per second. the server rejected some of those, some of them resulted in http 502 errors, but a lot got through
#
aaronpk
this lasted about 2 minutes, then they wrapped up by clicking re-scan again, then visiting the indieauth.com home page, then left
#
@RubygemsN
webmention-cli (1.4.0): A command-line interface for Webmention. https://rubygems.org/gems/webmention-cli
(twitter.com/_/status/1297716604000591879)
shoesNsocks joined the channel
#
aaronpk
well that was fun. now i need to figure out how to deal with this.
#
aaronpk
kinda surprised it took this long for someone to do this TBH
beko joined the channel
#
[tantek]
whoa that definitely deserves a write-up!
#
[tantek]
is that the first indieauth.com automated abuse attack?
#
aaronpk
Semi automated
#
[tantek]
interesting that it's considered important/relevant enough to put the effort into such an attack
#
aaronpk
I really should have built rate limiting of some sort into that, but I don't really want to add more code to that site, I'd rather spend the time building a replacement for it
jonnybarnes joined the channel
#
[tantek]
presumably we can document "rate limiting" guidance for anyone who would build a similar site
#
[tantek]
worth considering for the "Security Considerations" section in IndieAuth spec (if it's not already there)
#
aaronpk
it's not an indieauth spec issue, it applies to any system that does email-only authentication
#
aaronpk
i wonder if [manton] has any similar rate limiting for micro.blog logins
#
[tantek]
I didn't say it was IndieAuth-specific
#
[tantek]
worth documenting adjacent issues, especially when they've literally come up in a real world example implementation
#
[tantek]
or rather, considerations, not issues
#
[tantek]
what is email authentication
#
Loqi
It looks like we don't have a page for "email authentication" yet. Would you like to create it? (Or just say "email authentication is ____", a sentence describing the term)
#
aaronpk
it's not really appropriate for a security considerations section in the spec though
#
aaronpk
it's completely up to the implementation whether to support email authentication, and has nothing to do with the indieauth spec
#
aaronpk
if anything, a security considerations section could point to OWASP's authentication cheat sheet because there's *lots* more considerations than just this issue when dealing with authentication
#
[tantek]
email authentication is an alternative sign-in method to the classic username password method, where the user only enters an email address, the site then emails the user a unique sign-in link, which upon clicking they are authenticated. If you add a [[rel-me]] link from your site to your email, then login services that support [[RelMeAuth]] may provide you the option of signing in via email authentication.
#
[tantek]
email authentication << [[email]]
#
[tantek]
email authentication << [[indielogin.com]] supports email authentication.
#
Loqi
ok, I added "[[indielogin.com]] supports email authentication." to the "See Also" section of /email_authentication https://indieweb.org/wiki/index.php?diff=72224&oldid=72222
#
aaronpk
oh gosh that OWASP page needs some updates to their OAuth/OpenID sections
#
[tantek]
what is OWASP
#
Loqi
It looks like we don't have a page for "OWASP" yet. Would you like to create it? (Or just say "OWASP is ____", a sentence describing the term)
[manton] joined the channel
#
[manton]
[aaronpk] I currently have some overall rate-limiting, but not specifically for sign-in attempts. I should add something.
#
aaronpk
tries something
#
aaronpk
apologizes in advance
#
aaronpk
spams himself
#
aaronpk
well now you have some interesting logs :)
#
aaronpk
my phone is blowing up
#
aaronpk
i broke the notifications on my phone
#
[manton]
Yeah, I should protect against this. 🙂 There’s no legitimate reason for sending more than 1 email every minute or so, really.
#
[manton]
Did you get any HTTP errors?
#
[tantek]
lol test in prod
jonnybarnes joined the channel
#
[manton]
Much better to have [aaronpk] try to break Micro.blog now instead of hackers later. 🙂 This is definitely a problem… I think I’m going to start by allowing at most 1 sign-in email attempt every 30 seconds, just to have some protection in place.
#
aaronpk
i actually got all 110 emails that I requested :)
#
aaronpk
so no HTTP error, a testament to micro.blog's scalability :D :D
#
[manton]
Well, that’s “good” I guess.
[tw2113] joined the channel
#
hirusi[m]
aaronpk: thanks for taking a look! have you decided if this would be tackled in the current build or just something you'd rather tackle in a fresh project?
#
aaronpk
I'm trying to think of the smallest change I could do to prevent this, I think some basic rate limiting is doable. I just really don't want to sink a lot of time into it because I know I'm going to throw out all this code at some point. But also who knows when that will actually be.
KartikPrabhu and [fluffy] joined the channel
#
[fluffy]
For email signins what I do is I keep track of all pending email signins for an address and don’t allow anyone to request a new signin while there’s a pending, unexpired one.
#
[fluffy]
Like, if someone requests a signin and the email doesn’t come to them, requesting another one during the timeout window probably won’t help matters.
#
[fluffy]
(This is the only thing in Authl that requires statefulness to work but the failure mode is that someone’s able to make some extra signin requests so it’s not that big a deal to me.)
#
aaronpk
That's a reasonable way to rate limit
#
[fluffy]
I do also want to add rate-limiting based on originating IP address but that gets into framework-dependent territory so that’ll probably only be on the Flask frontend.
jonnybarnes joined the channel
#
[tantek]
originating IP is probably better, otherwise someone else can DoS you from logging into your site
#
[tantek]
if their request to login means your request to login is blocked because you didn't wait long enough
[chrisaldrich], jonnybarnes, mattl, jeremy, jeremy-, [tantek], moppy, [Murray], [James_Gallaghe], swentel, nickodd, KartikPrabhu, [eddie], dckc, [Rose], geoffo, [schmarty] and [manton] joined the channel
#
[manton]
Whether you can block new emails while a sign-in is pending may depend on how long they are valid. For Micro.blog, the sign-in emails are valid for 24 hours, so blocking future sign-ins would not work. People often have email delivery problems that are resolved and then need to try again some number of minutes later.
#
[manton]
Maybe 24 hours is too long, but I’d want it to be at least 1-2 hours since someone might request a sign-in, forget about it, then see the email later that day and expect it to work.
[tantek] and dckc joined the channel
#
jjuran
You can allow a small number of emails to be in play at once, e.g. 3 - 5.
jbove_, themaxdavitt_, hirusi[m], [KevinMarks], jbove, jalcine[m], [tantek], mattl, jeremy-, samwilson, themaxdavitt, fauno, dckc, [manton], [schmarty], [James_Gallaghe], strugee, craftyphotons, justache, kitt, jjuran, peterrother, jimpick, beko, myfreeweb, ludovicchabant, moppy, [Rose], MrHyde_, lahacker, Zegnat, crab, willnorris, raucao, geoffo, cjw6k, gxt, skalnik, khimaros[m], nloadholtes, IWSlackGateway, aaronpk, jmac, globbot, omz13, joshproehl, Kaja, dansup, rhiaro, Kongaloosh_, Ruxton, kiero_, blueyed, NinjaTrappeur, danyao, dietricha, MylesBraithwaite, sebsel, joshghent, cjav_dev, shrysr, gbmor, shakeel, vilhalmer, superkuh, oodani, GWG, wagle, enpo, dopplergange, treora, j605, djmoch, oenone, AkyRhO, jamietanna[m], smacko, geman, petermolnar, mitchell, zootella, fredcy_, JameySharp[m], smacko[m], JK_na, sknebel, deltab, nsh, ben_thatmustbeme, jacky, genehack, callMeBaby, mayakate[m], voxpelli and [snarfed] joined the channel
#
[tantek]
Hah [KevinMarks] beat me to it. GWG re: WebShare see ^^^
#
@skkboz
↩️ "limited nuclear war" is the fantasy they will only go up in asia like the last time and only asians are affected. china and/or north korea would send microsub/fishing boats/suicide planes into both San Francisco & LA and take out both cities and naval facilities w nukes.
(twitter.com/_/status/1297922084559917056)
#
@skkboz
↩️ "limited nuclear war" is the fantasy they will only go up in asia like the last time and only asians are affected. china and/or north korea would send microsub/fishing boats/suicide planes into both San Francisco & LA and take out both cities and naval facilities w nukes.
(twitter.com/_/status/1297921934747869184)
#
GWG
[tantek]: What about it?
#
[tantek]
GWG, you were asking about WebShare and figured you’d want to try that out on your site!
#
Loqi
[dshanske] #168 Add intent parameter
#
GWG
I forget where I filed it with the other standard
#
[manton]
@GWG Good question about JSON Feed. I think 2 things: writing up a draft for the MIME type so that we can officially register it, and revisiting some of the early experiments for podcasting that some folks were working on (basically adapting the iTunes tags to JSON in a more vendor-neutral way): https://jsonfeed.org/podcasting
#
Loqi
[w3c] web-share-target: Web API proposal for receiving shared data
#
GWG
[manton]: I would like to help if I can
#
[manton]
Thanks, that’d be great!
jonnybarnes joined the channel
#
GWG
[manton]: I'm not sure where to start, but...
#
GWG
I may reread the vendor specific tags and media rss
#
[manton]
It’s always been a little annoying to me that Apple’s podcast directory requires extra fields, when really a basic RSS feed (or JSON Feed) has enough to support podcasting without the “itunes” namespace. But many clients and aggregators now expect at least a few extras, like cover art and Apple categories.
#
GWG
[manton]: Agreed on the idea of not working upstream
#
GWG
I'll see if I can write something up...I was planning on opening issues with some podcast stuff I use to support JSONFeed
jonnybarnes and [tb] joined the channel
#
[manton]
Sounds good.
jeremy- joined the channel
#
hirusi[m]
I'm having second doubts about this but I certainly was thrown off with this behaviour so added an extra example: https://indieweb.org/Micropub#New_Article
#
hirusi[m]
I had, for whatever reason, assumed that the mp-slug property would be reserved for just notes, likes etc. and not articles. So I've added that in... but... is this a) correct b) should this be kept in the wiki?
#
hirusi[m]
Or we could revert this and add it to the Slug extension section on the Micropub-extensions page itself. An extra line to clarify it is acceptable for all post types
swentel and nickodd joined the channel
#
sknebel
micropub doesn't care about post types at all
#
sknebel
so yes, extensions like that can apply everywhere
#
[manton]
You could revert it if you think that including mp-slug there would confuse someone into thinking it’s specific to articles, or required.
#
GWG
I think no one has seriously looked at that page recently to compare to the spec and extensions
#
GWG
[manton]: Reading podcast markup specifications over my lunch. In the context of a podcast, is author the host?
jonnybarnes joined the channel
#
GWG
This applies to microformats as well...how do you represent artist, host, guest as opposed to author?
jonnybarnes joined the channel; nickodd left the channel
#
[tantek]
this gets at the question of what is an uthor
#
[tantek]
author* even
#
GWG
[tantek]: Exactly
#
[tantek]
GWG, if you really want a rabbit hole to go down, look into how various contributors to a music track are recognized, or a film for that matter
#
GWG
But if you look at iTunes, which [manton] was citing as a JSONFeed matching goal...they use author as podcast content creator
#
GWG
I've been down that hole before
#
[tantek]
artist, songwriter, performer, lyricist, arranger, mixer, DJ etc.
#
GWG
I'm trying to start smaller
#
GWG
Essentially with minimum viable for podcasts
#
sknebel
hm, I remember one wordpress podcast plugin that made that distinction I think... let me check if they had any markup
[jgmac1106] joined the channel
#
sknebel
hm, no, nothing marked up or in the feed
#
sknebel
including links on where to find the contributors on the web
[snarfed] joined the channel
#
[snarfed]
jacky not sure if you caught this before, but just fyi your 404 handler is 500ing, eg https://jacky.wtf/asdf
#
jacky
I know why
#
jacky
but tbh it's like one of those things I'll leave broken until I _actually_ move v2.jacky.wtf to jacky.wtf
#
jacky
has that slated for mid-September finally
[James_Gallaghe] joined the channel
#
swentel
[snarfed], thanks for the followers list. Additional questoin re: .well-known/host-meta - do you know whether that route is mandatory? or is .well-known/webfinger good enough. Been looking around a bit for docs about that, but can't really find anything conclusive.
#
swentel
*question
#
sknebel
GWG: so that plugin referenced above apparently has freely configured "roles" for contributors and no markup: https://podlove.org/2014/03/03/contributors-groups-and-roles/
#
GWG
swentel: I wrote something on your behalf I wanted you to see if you could.
#
swentel
GWG, sure
#
Loqi
[manton] #32 Extended GEO URI Support for Form-Encoded Posts
#
GWG
I'm not sure I updated it to really explain the rationale
#
swentel
ah, saw that passing by this weekend (not sure how I got to it)
#
[snarfed]
swentel, re .well-known/host-meta, not sure, might only be required for ostatus, not activitypub?
#
[snarfed]
https://w3c.github.io/activitypub/ doesn’t contain `host-meta`. maybe try AP without it and see if it works?
#
swentel
oh, could be, haven't checked that out yet
#
GWG
swentel: It was prompted by Indigenous behavior. I implemented it because I use Indigenous. So, I tried to put it in extension terms as a way to do form encoded h-geo and h-card
#
swentel
[snarfed], not at the point yet to send anything out to the fediverse, but will test and see what happens :)
#
sknebel
there is something to be learned about protocol design by the regular extension pushes for form-encoded and I'm not sure yet what
#
swentel
GWG, I more or less use the same logic as you in the Drupal module
#
GWG
swentel: If you want to add that my description matches your implementation...
#
GWG
Just making sure it's all documented somewhere
jonnybarnes and [jacky] joined the channel
#
[tantek]
[snarfed] correct, AP does not require any "well-known", none of the Social Web WG specs do. We adopted "follow your nose" discoverability as a design principle quite up front, which rejects any "magic place" knowledge type design like "well-known".
#
[tantek]
sad to see the OAuth crowd run with .well-known with wild abandon 💁‍♂️
jonnybarnes joined the channel
#
sknebel
hm, looking at that podcast link above, chapters are another thing. although they are already in the media file, so they don't really need duplicate markup maybe. (links with mediafragments might do the job too)
jonnybarnes and [manton] joined the channel
#
[manton]
ActivityPub might not require well-known, but I think Mastodon effectively does require it because of WebFinger.
KartikPrabhu, [Emma_Humphries] and [KevinMarks] joined the channel
#
[KevinMarks]
Why mastodon kept the worst bit of OStatus and threw away the good bits I don't know.
[snarfed], jonnybarnes, [tantek], geoffo and [fluffy] joined the channel
jonnybarnes joined the channel
[chrisaldrich] joined the channel