#dev 2020-08-29

2020-08-29 UTC
Ani, geoffo and [chrisaldrich] joined the channel
#
GWG
Does Bridgy refresh Twitter profile images if I try to refresh the webmention?
[tantek] and [fluffy] joined the channel
#
[fluffy]
[jackjamieson] Owenrnship?
#
[fluffy]
that was meant for `@jamietanna` but of course slack ruins everything
#
[fluffy]
how the heck do people prevent slack client from "optimistically" autocompleting @-names to ones with a vague substring match?
nickodd, jonnybarnes, deltab, [fluffy]1, lahacker, jbove, voxpelli, KartikPrabhu, beko, [chrisaldrich], [jeremycherfas], [James_Gallaghe], leg, dckc, moppy and [KevinMarks] joined the channel
#
jamietanna[m]
Fluffy thanks for the catch on the typo
[Ana_Rodrigues], [fluffy], [James_Gallaghe], jonnybarnes, [grantcodes], jeremy, [KevinMarks], krychu and [jeremycherfas] joined the channel
#
@MCQN_Ltd
Slowly adding some #indieweb features to our main website. https://mcqn.com now supports #webmention on blog posts and catalogue entries #weeknotes
(twitter.com/_/status/1299682533488168960)
jeremy-, krychu, KartikPrabhu, jonnybarnes, fauno and nickodd joined the channel
#
GWG
Watching [tantek] and [schmarty] demo at IWC Berlin 2018 because I was looking at archives and they did some archive navigation stuff. Alas, the pagination session does not seem to be recorded
[manton] and [snarfed] joined the channel
#
[snarfed]
GWG: yes, bridgy mf2 source pages refresh and always use the current avatar
#
GWG
[snarfed]: So if we refresh webmentions for broken avatars, it should work...except for Facebook and Google Plus, for obvious reasons.
#
GWG
I was trying to refresh pfefferle's PR for avatar storing for WordPress Webmentions.
#
petermolnar
I remember that session
#
petermolnar
I made my Sunday hacking around it
#
GWG
[manton]: I just did a test on your test site
#
GWG
It says it can't find the token.
#
GWG
The IndieAuth token endpoint, if you send a get request to it, should return information about the token.
#
GWG
On my site, it does.
#
GWG
On the test site, it says it didn't get one.
twomanytacos joined the channel
#
[manton]
@GWG Hmm. This is a pretty basic WordPress blog, other than I installed a plug-in to disable the RSD/XML-RPC link tags. Have you seen that problem before?
#
[snarfed]
really great post on the “paving the cowpaths,” ie descriptive over prescriptive, approach to standards and specs: https://www.potaroo.net/ispcol/2020-08/ietfstd.html
[fluffy] joined the channel
#
lahacker
[snarfed]: any experience with jupyter-repo2docker?
#
lahacker
seems to be the crux of "binder" tech but i have zero experience with docker..
#
lahacker
i like the `Edit` and `Issue` webactions at https://docs.docker.com/get-docker/
[jeremycherfas] joined the channel
#
GWG
[manton]: Yes, but only commonality I've found is Apache
#
GWG
So stumped
#
GWG
I thought maybe caching
#
[manton]
@GWG Related to Apache, I noticed that mod_security is enabled (this is hosted on an old DreamHost account). I’ve disabled it if you want to try again.
#
GWG
Okay. One second
#
[manton]
(Although it might take a few minutes for the change to take effect.)
#
GWG
[manton]: No luck yet.
#
GWG
I've seen some Dreamhost problems before
#
GWG
It may be something they do
#
GWG
But it insists the token isn't there. Not that it is invalid
#
GWG
So something is blocking it
#
GWG
The test token is short. I wonder if I should have the test use one as long as the regular.
[chrisaldrich] joined the channel
#
Loqi
[dshanske] #183 Test Token is abc123
[KevinMarks] joined the channel
#
GWG
I'm going to try a bit later
#
GWG
Could a mod security rule limit auth header length?
#
GWG
Or some other string check?
#
aaronpk
unless it's reeaaaaly long i doubt it
#
GWG
aaronpk: You have any ideas?
#
GWG
abc123 is the fake token I use and that passes...the real one is 128 character hashed random value
#
Zegnat
I have never seen mod_security pass auth headers sometimes. It seemed to always have been boolean.
#
Zegnat
At what part of the flow does it stop working, GWG? Requesting the token?
#
GWG
But this isn't my first Dreamhost problem
#
GWG
No...this is failing when I send a get request to the token endpoint to validate the token
#
GWG
I manually generated the token
#
GWG
[manton] already reported that getting the token was working
#
GWG
It seems to be using it that is a problem
#
GWG
Same test on my site and [chrisaldrich]'s endpoint works..well, on boffosocko.com it says invalid token
#
GWG
But on test.manton.org it says no token provided
#
Zegnat
Just to be on the same page (because sometimes this is hard to communicate) this step is failing: https://indieauth.spec.indieweb.org/#access-token-verification-request ?
#
GWG
Exactly that step
#
GWG
It seemed the easiest way to troubleshoot
#
Zegnat
That is the first step that ever sends an Authorization header. So that would be what I expect the culprit to be, for sure
#
GWG
But my test sends it as well...and passes
#
GWG
Only difference is that the test uses 'abc123' as the token...thus my earlier question
#
Zegnat
Hmmmm.
#
Zegnat
Alternatively there could be some sort of whitelisting shenanigans going on where the test is bypassing mod_sec because it is originating on the same server?
#
GWG
Maybe
#
Zegnat
Could we add a debugging endpoint somewhere (disabled by default) that simply returns the authorization header value? I think that might go a long way.
#
GWG
Good idea
#
Zegnat
dislikes how Authorization somehow ended up getting special treatment
JankyDoodle joined the channel
#
Zegnat
Maybe I should also do a JS version of the header checking script. So the requests are made by the browser and it validates whether an external client can use authorization headers.
#
Zegnat
I could probably do a PR for that on the WP plugin, if you want me to, GWG
#
Zegnat
Aah, my old authdiag script has been refactored away from the WP plugin, never mind
#
@ronotypo
↩️ Hello, ton site mentionne "en attendant un système de webmention", https://quotebacks.net/ pourrait correspondre peut-être ?
(twitter.com/_/status/1299766019469312001)
#
[manton]
I did try passing access_token as a parameter too (to Micropub q=config), so my issue doesn’t appear to be specifically with the HTTP header, unless I did something else wrong with my test.
#
Zegnat
Access token verification does not support that parameter, I think? Unless that is something WP has added. So if that step is failing, there is probably something else getting borked
#
[manton]
Oh sorry, I was mixing 2 separate issues. What GWG is testing is slightly different than what I ran into. I got what looks like a valid token, but making any Micropub requests with it returns a 403 error.
jonnybarnes joined the channel
#
GWG
[manton]: I think it is the same problem
#
GWG
It isn't getting the token authorized
#
[manton]
Anything I can do to help debug?
#
[manton]
It’s fine if we hack up this WordPress install while troubleshooting.
#
GWG
[manton]: Should mod_security be off now so I can test?
#
[manton]
It should be off now.
#
[manton]
This is also running PHP 7.2, by the way. Could upgrade it to 7.3 or 7.4.
#
GWG
Shouldn't make a difference
#
GWG
I test versions
JankyDoodle joined the channel
#
GWG
[manton]: I may do a debug version and side load it
#
[manton]
Sounds good.
[James_Gallaghe] joined the channel
#
[manton]
Just looked at the logs too, and I see this if it’s helpful:
#
[manton]
```
AH01215: REST request: /indieauth/1.0/test: [](Header Absent): /dh/cgi-system/php72.cgi
```
#
[manton]
```
AH01215: REST result: /indieauth/1.0/test: {"code":"forbidden","message":"Could Not Find Token","data":{"status":403}}(403) - [](User ID: 0): /dh/cgi-system/php72.cgi
```
#
GWG
Exactly
#
GWG
That's what I was doing
#
GWG
Still no token
#
Zegnat
Did you sideload a debug build, GWG? Are you able to get $_SERVER['HTTP_AUTHORIZATION']?
#
GWG
No. I have yet to try that.
#
GWG
I was on my phone. Just came down to my computer
#
Zegnat
Ah gotcha, well, keep us posted :)
JankyDoodle left the channel
#
GWG
Zegnat: I'm reproducing some of your authdiag within WordPress.
#
Zegnat
Yeah, I noticed when I went looking for my script
#
GWG
Zegnat: I'm adding an echo test.
#
GWG
It will just echo back a list of headers.
#
GWG
Start simple
#
Zegnat
Make sure to put that behind admin login or some other sort of toggle, if you want to keep it in the stable plugin.
#
GWG
For now, it's just behind a query var
#
Zegnat
Fine if you are sideloading for debugging. Just felt like it should be said that HTTP headers are client-provided-data and you should not normally just echo that always. Means you need to start thinking about XSS and all that crap if it is public-by-default
#
GWG
Well, it is behind the debug flag.
#
GWG
Zegnat: If you want to try, it is live now
#
GWG
Send to https://test.manton.org/?iaetest=1 and it will echo back the names of the available headers not their content.
#
GWG
HTTP_AUTHORIZATION is not there
#
Zegnat
Yeah, it is definitely dropping it
#
Zegnat
curl -H 'Authorization: martijn' -H 'X-Martijn: yes' 'https://test.manton.org/?iaetest=1'
#
Zegnat
Random custom headers do go through
#
GWG
Exactly
#
Zegnat
But according to the authdiag the header does go through?
#
GWG
According to the version built into wp-login
#
GWG
Essentially yes
#
GWG
So, it is possible Dreamhost only allows the header in wp-login
#
Zegnat
That gets a big yikes from me then. Especially if this is with the mod_security turned off.
#
Zegnat
Do you have SSH access to the box, GWG? Or maybe [manton]?
#
GWG
No, just an account on the site.
#
GWG
So, the htaccess option is required.
#
Zegnat
I wonder what the output is if you run the curl command above straight on the box. Then maybe they are doing something funky where Authorization headers are let through within the box, but not from outside their network.
#
GWG
[manton] may have stepped away
#
Zegnat
This feels closer to a Dreamhost issue than a WordPress or IndieAuth issue, to be honest. But I understand the want to give users some sort of feedback on that
#
GWG
I wonder if leaving the echo is safe if all it does is show the headers returned without the data
#
Zegnat
Not unless you are at least HTML sanitising
#
Zegnat
(I didn't check if you do that or not)
#
Zegnat
Otherwise I can put arbitrary HTML with script tags on a URL on your domain (or in this case manton's)
#
GWG
I'll add WordPress's sanitize_key
#
Zegnat
You are also dumping the entire $_SERVER global which may include other information. So maybe also do an array_filter and only print those starting with `HTTP_`?
#
GWG
I need redirect also.
#
Zegnat
Does that one not also get the HTTP_ prefix?
#
GWG
Well, getallheaders returns 'Authorization', not HTTP_Authorization.
#
Zegnat
Oh, yeah, I mean only on the $_SERVER
#
Zegnat
The getallheaders function is fine
jonnybarnes joined the channel
#
Zegnat
$_SERVER also includes environment variables from the server itself, which you may not want to leak. Therefore I would only render names starting with HTTP_, as you are only interested in HTTP headers here.
#
GWG
Okay. Newer version filters
#
GWG
We'll wait for [manton] to see about adding an .htaccess
#
[manton]
Sorry, back… I do have SSH access.
#
Zegnat
Could you run the curl I had above and see if the authorization header shows up in the response?
#
[manton]
It does not show up when running curl from the server.
#
Zegnat
Hmm, then I wonder why the authdiag was not working, GWG...
#
GWG
[manton]: Do you want to try the .htaccess mods?
#
[manton]
Sure, what needs to be in the .htaccess?
#
Loqi
[aaronpk] Hi! I was away from my computer the last 2 days, just catching up now. Now that you mention it, I do remember hearing about some web servers removing the `Authorization` header. It could be either the web server or a proxy server in between. It lo...
#
[manton]
Adding that first suggestion from Aaron doesn’t appear to change anything.
#
GWG
If that doesn't work, try RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
[manton]
No luck.
#
Zegnat
This is really starting to sound like a Dreamhost support ticket
#
[manton]
I’ll write them.
#
Zegnat
I do wonder why the diag is not detecting it, GWG ...
#
GWG
So do I... wonder if it broke somehow
#
Zegnat
Hard to test that without particular server setups
#
Zegnat
I guess you could try running my original authdiag on the server and see if it reports correctly? If it does, something broke in the WP implementation
KartikPrabhu, jonnybarnes, geoffo, [snarfed] and [tantek] joined the channel; nickodd left the channel