#dev 2020-11-18

2020-11-18 UTC
#
[chrisaldrich]
they were two different people I think... it's in the wordpress chat...
#
GWG
Yes
[schmarty] joined the channel
#
[chrisaldrich]
Turns out they're the same person with two different screen names.
#
[tantek]
ah thanks for tracking down!
[KevinMarks], [tw2113_Slack_], [snarfed], petermolnar, geoffo and [jgmac1106] joined the channel
#
[jgmac1106]
so what I meant between poetry, syndication and what what a CMS does...Bridgy to Twitter got my author intent correct: https://twitter.com/jgmac1106/status/1328803024945471490 but the canonical copy does not: https://quickthoughts.jgregorymcverry.com/2020/11/17/in-shades-of-indiscriminate-waves
#
@jgmac1106
In shades of indiscriminate waves he plays on troughs of time cresting on hopes approaching shore #smallpoems #writingcommunity (https://quickthoughts.jgregorymcverry.com/s/N5Iim)
(twitter.com/_/status/1328803024945471490)
[Simon_Willison] joined the channel
#
[Simon_Willison]
OK! I have a fully working implementation of IndieAuth now, I think! Try it out at https://datasette-indieauth-demo.datasette.io/-/indieauth - if you sign in with a URL that supports full IndieAuth (has a `authorization_endpoint` rel link) it will redirect to your chosen authorization provider. If you use a domain that supports rel=me authentication it will instead bounce you through indielogin.com
#
Loqi
datasette-indieauth demo
#
[Simon_Willison]
https://github.com/simonw/datasette-indieauth is the repo - it’s on PyPI, so `pip install datasette-indieauth` will install the Datasette plugin
#
Loqi
[simonw] datasette-indieauth: Datasette authentication using IndieAuth and RelMeAuth
#
[Simon_Willison]
I’ve kept as much of the IndieAuth code as possible in a `utils.py` module which I should be able to extract out into a separate Python library in the future https://github.com/simonw/datasette-indieauth
#
Loqi
[simonw] datasette-indieauth: Datasette authentication using IndieAuth and RelMeAuth
#
[Simon_Willison]
see also the tests for the utils.py module here: https://github.com/simonw/datasette-indieauth/blob/main/tests/test_utils.py
#
Loqi
[Simon_Willison] has 1 karma over the last year
#
aaronpk
[Simon_Willison]++ cool!
#
aaronpk
trying it with mine right now, I get an error 500 and `('profile', <class 'dict'>)` appears
#
aaronpk
I don't understand what it means
#
[Simon_Willison]
I imagine that means you implement the “profile” extension and I didn’t properly test for that
#
Loqi
[simonw] #16 Profile extension causes a 500 error
#
aaronpk
is it complaining because there are extra properties in the response?
#
[Simon_Willison]
fix on the way
#
aaronpk
has no idea what that code is doing haha
#
[Simon_Willison]
OK, try again now - I just deployed a fix
#
aaronpk
worked!
#
aaronpk
oh i see the bug now
#
[Simon_Willison]
Just released 0.3.1 to PyPI with the fix (love GitHub Actions CI)
[chrisaldrich] joined the channel
#
[chrisaldrich]
[Simon_Willison]++ I just tested with my WordPress set up and didn't see anything out of place. Now I'm wondering what to do with the "fixtures" data... 🙂
#
Loqi
[Simon_Willison] has 2 karma over the last year
#
[Simon_Willison]
The best fixtures page is this one https://datasette-indieauth-demo.datasette.io/fixtures/roadside_attractions
[tantek] joined the channel
#
[tantek]
[Simon_Willison] I tried it and got:
#
[tantek]
> Expecting value: line 1 column 1 (char 0)
#
[tantek]
(after a successful bounce to signin via my github)
#
[Simon_Willison]
thanks, I’ll take a look
#
[Simon_Willison]
could you trigger that again? I don’t get persistent logs unfortuanetyl, but I can see them if you hit it live
#
[Simon_Willison]
Tantek - you have this on tantek.com
#
[Simon_Willison]
I didn’t know indieauth.com supported being used like that - I thought it only worked using rel=me - do you know how I can set my own site up to use indieauth.com/auth as the authorization_endpoint so I can test that myself?
#
[Simon_Willison]
```<link rel="authorization_endpoint" href="https://indieauth.com/auth"/>```
#
[tantek]
ok about to trigger
#
KartikPrabhu
[Simon_Willison]: I think you add exactly the rel-markup that [tantek] has
#
[tantek]
yup it reproduced
#
[tantek]
and to answer your question, our starter github site has it!
#
[tantek]
what is a starter site
#
Loqi
It looks like we don't have a page for "starter site" yet. Would you like to create it? (Or just say "starter site is ____", a sentence describing the term)
#
[Simon_Willison]
OK Tantek I’ve replicated that bug
#
aaronpk
[Simon_Willison]: this is exactly why I'm gonna get rid of IndieAuth.com, because it's confusing that it works both ways
#
[Simon_Willison]
Will indielogin.com still work as a way to keep RelMeAuth working?
#
[Simon_Willison]
It strikes me that RelMeAuth needs at least on centralized provider that holds the keys for GitHub OAuth etc
#
aaronpk
yep indielogin.com is the replacement for that half of IndieAuth.com
#
[Simon_Willison]
https://github.com/simonw/datasette-indieauth/issues/18 - that’s the issue, working on a fix now
#
[Simon_Willison]
Aha, it looks like indieauth.com sometimes returns a body that looks like `me=https%3A%2F%2Fsimon-indieauth.vercel.app%2F&scope` rather than retuning JSON `{"me": "…"}`
#
aaronpk
Yeah that was an early version of the spec. If you add an accept JSON header it'll respond with JSON
#
aaronpk
RelMeAuth is more a mechanism for a particular website to authenticate users than any sort of distributed identity system
#
[tantek]
RelMeAuth supports decentralized identity by building on existing proprietary authentication services
#
[tantek]
I wouldn't call it an "identity system" in and of itself no
#
[tantek]
[Simon_Willison] do you keep track of your Netflix "views" in your datasette? or am I thinking of dogsheep? I'm now confused which does which and have to look it up...
#
[Simon_Willison]
[tantek] OK try that now, I think I just shipped a fix
#
[Simon_Willison]
Tantek no I’d love to do Netflix, not sure where I’d get it from though
#
[Simon_Willison]
I guess I could scrape their site somehow?
#
[tantek]
I thought they had an API?
#
[tantek]
What is Netflix
#
Loqi
Netflix is a subscription service for on-demand video streaming and a silo of lists of shows you want to watch, shows you have watched, and lists of shows you like (or dislike) https://indieweb.org/Netflix
#
[Simon_Willison]
We recently setup Plex and that actually uses a SQLite database already, so I may pull that in soon
#
[tantek]
[Simon_Willison]++ it worked! I'm signed in 😄
#
Loqi
[Simon_Willison] has 3 karma over the last year
#
[tantek]
now I'm really confused about what I'm clicking on and looking at 😂
#
[Simon_Willison]
It’s the fixtures database from the Datasette test suite, so it’s not particularly interesting to look at!
#
[Simon_Willison]
just a very quick `.db` file I can drop into a demo
#
[Simon_Willison]
the only interesting thing about the demo is the way it shows you that you’re signed in at the top of the page
#
[Simon_Willison]
oh - and you can visit https://datasette-indieauth-demo.datsaette.io/-/actor to see your profile
#
[tantek]
ok got it, I thought there was some data being built from my site or something lol
#
[tantek]
uh oh: "actor": null
#
[tantek]
weird something logged me out
#
[Simon_Willison]
Every time I deploy the site it resets the signing secret which logs everyone out, I should fix that
#
[Simon_Willison]
[aaronpk] so currently I have this on https://simonwillison.net/
#
[Simon_Willison]
```<link href="https://github.com/simonw" rel="me">```
#
[Simon_Willison]
I can use simonwillison.net to sign in using my datasette-indieauth plugin because it has code that looks for `<link rel="authorization_endpoint" …` on the page and, if that’s missing, redirect to `https://indieauth.com/auth?me=…` and rely on that to scan for RelMeAuth and redirect back again if it works
#
[Simon_Willison]
If indieauth.com goes away will I be able to use the same trick against indielogic.com ?
#
[Simon_Willison]
indielogin.com
nickodd joined the channel
#
aaronpk
I'm trying to do something different with indielogin.com which is to make developers who want to use it have to register so that they understand they're using it as a tool
#
[Simon_Willison]
Oh that’s a shame - my particular use-case benefits enormously from not needing to register, because the idea with Datasette is to support easily deploying dozens or even hundeds of websites
#
[Simon_Willison]
having to manually register them kills the magic of being able to do `datasette publish cloudrun my.db --install=datasette-indieauth`
#
[Simon_Willison]
The plugin will still be able to support raw IndieAuth but it won’t be easy to support RelMeAuth if there’s a registration requirement - well, that partly depends on the registration requirement. If it’s lighttweight and gives me a token I could set it up to work something like this:
#
[Simon_Willison]
```datasette publish vercel my.db --project --my-database --install datasette-indieauth --plugin-secret datasette-indieauth indielogin_token XXXXXXX```
#
[Simon_Willison]
My stuff is a very weird edge-case, I can’t imagine there are many people building tools to actively encourage deploying semi-throwaway sites at a moments notice
#
[Simon_Willison]
Also a problem: sometimes you don’t even know the URL that your site will be deployed to when you run the command - but if indielogin.com lets me change the redirect URL after registering the site that shouldn’t be a show-stopper
#
[Simon_Willison]
or how about if indielogin.com provided a registration API that my deployment script could call during the deploy?
#
aaronpk
See that's the thing tho
#
aaronpk
someone has to have an api key with github to use github login. That person is then responsible for maintaining it and also takes on the risk of someone abusing it. So requiring that someone who's using it establish some relationship is appropriate
#
aaronpk
an automatic registration is an option, but also comes with its own risks, and isn't something that is actually distributed or decentralized either
#
aaronpk
what I'm trying to do with indielogin.com is provide a tool for a small number of websites to use directly while also demonstrating the idea of having users authenticate as their own domain name so that hopefully more people will implement that idea or even spin up their own instances of that software
#
[Simon_Willison]
Not wanting to take responsibility for being the holder of the GitHub API key does make sense to me
#
[Simon_Willison]
to implement it myself
#
[Simon_Willison]
I think I may have been abusing indieauth.com via an undocumented feature - I can’t quite remember how I figured out that bouncing people to `https://indieauth.com/auth?me=http%3A%2F%2Fsimonwillison.net%2F&client_id=https%3A%2F%2Fdatasette-indieauth-demo.datasette.io%2F-%2Findieauth&redirect_uri=https%3A%2F%2Fdatasette-indieauth-demo.datasette.io%2F-%2Findieauth%2Findieauth-com-done` was a trick for getting `rel=me` auth without havin
#
[Simon_Willison]
When indieauth.com is replaced, will it still be possible for users to configure their domain for IndieAuth by following these steps?
#
[Simon_Willison]
1. Add `<link href=“https://github.com/simonw” rel=“me”>` to your homepage
#
[Simon_Willison]
3. Add `<link rel=“authorization_endpoint” href=“https://indieauth.com/auth”/>` to your homepage? (swapping indielogin.com in place of indieauth.com)
#
[Simon_Willison]
2. Make sure your GitHub profile links back to your homepage
#
[Simon_Willison]
Or will users have to run the WordPress plugin or use some other `authorization_endpoint` provider?
#
aaronpk
It's really my fault this is so confusing which is why I'm trying to clean it up
#
aaronpk
the other half of what I need to finish replacing IndieAuth.com is building something people can use that does exactly those steps, but with a service that isn't IndieAuth.com or indielogin.com
#
aaronpk
The idea is to create a service someone can use as their own authorization endpoint
#
aaronpk
how they authenticate to that is tangential to that service's relationship to any client trying to get that user to log in
#
aaronpk
I do want to have people be able to authenticate to that via GitHub and Twitter and email and probably also password and maybe even Sign In with Apple
#
aaronpk
in order for someone to use it they'll have to link to it with rel=authorization_endpoint just like if it were their own Wordpress plugin or homegrown thing
#
[Simon_Willison]
Ok I think I understand the plan
Zegnat, jeremycherfas, schmudde, [tantek] and swentel joined the channel; nickodd left the channel
#
@_maximization
↩️ Cool way of implementing webmentions!
(twitter.com/_/status/1329001835882016768)
#
@Rommudoh
A simple setup for webmentions: just a Nginx server that logs the data, like described here:… https://twitter.com/i/web/status/1328799452388339714
(twitter.com/_/status/1328799452388339714)
[jgmac1106], jeremych_, swentel, [Ian_Forrester], oenone, [Sadik_Shahadu], swentie and DanC joined the channel
#
superkuh
Aw man.
#
superkuh
I tried to respond to that guy with webmentions but his webserver only accepts bleeding edge TLS versions. And *no* http. How lame.
p, geoffo and geoffo_ joined the channel
#
Zegnat
I am not commenting on that, seeing how my server will not respond to HTTP1 requests :P
#
petermolnar
Zegnat: you are a test case :P
Kaja, nickodd and [tantek] joined the channel
#
[tantek]
Zegnat what does your server respond to?
#
sknebel
just http2
#
sknebel
Zegnat: <insert admonishment that you don't do it properly here> (we've had it often enough, no need to repeat it :D)
#
[tantek]
what is HTTP2
#
Loqi
HTTP/2 is an IETF working group project to define and standardize the successor to HTTP/1.1 that currently drives the modern world wide web, see https://http2.github.io for more https://indieweb.org/HTTP2
[Ian_Forrester] joined the channel
#
sknebel
okay, thats a bit outdated
#
sknebel
hm, how to define that in a helpful way...
#
sknebel
(I find talking about "current version" a bit odd when it comes to HTTP)
#
sknebel
newest version? (ignoring draft-status HTTP3)
#
Zegnat
licit.li broke Loqi and a couple other places to start, because it is actually tricky to have PHP curl speak http2 with fallback to http1. (CLI curl has no problem with it whatsoever.)
#
Zegnat
Although as sknebel says, I am cheating slightly, as I did not want to recompile nginx from scratch just because of a funny idea
[chrisaldrich], [asuh], [tantek], KartikPrabhu, leg, leg1, anemoiac, [jacky] and [Simon_Willison] joined the channel; nickodd left the channel
#
[Simon_Willison]
I removed the indieauth.com fallback from datasette-indieauth and shiped v1.0 https://github.com/simonw/datasette-indieauth/releases
#
[Simon_Willison]
(since the indieauth.com fallback was using what I think is an unsupported and undocumented feature, and wasn’t really necessary for the plugin - more details on that here https://github.com/simonw/datasette-indieauth/issues/14 )
#
aaronpk
[Simon_Willison]++ great idea
#
Loqi
[Simon_Willison] has 4 karma over the last year
[asuh] and [KevinMarks] joined the channel