#dev 2020-12-20

2020-12-20 UTC
[schmarty] joined the channel
#
GWG
I'm going through my repositories.
#
GWG
Wondering what needs some love.
wagle, [tantek], geoffo, nickodd, oodani, [sebsel], schmudde and KartikPrabhu joined the channel
#
jamietanna[m]
Where do we store the code that defines the "this week in the IndieWeb" newsletter? Thinking about having a look over this week at how to get bookmarks to show the `p-name` rather than "a post"
dhanesh, jeremycherfas, nickodd and schmudde joined the channel
#
@LukasRosenstock
↩️ Besides that, the #IndieWeb focuses on lightweight #APIs like #webmention to connect their websites and #syndication (#PESOS/#POSSE) to bridge the divide towards the walled gardens of the "Web 2.0" era. (54/100)
(twitter.com/_/status/1340656268462178304)
#
@TheIdOfAlan
https://indieauth.com is amazing once you set it up via your domain, you just use your domain to log into sites… https://twitter.com/i/web/status/1340276459949215746
(twitter.com/_/status/1340276459949215746)
jeremycherfas, [Alan_Smith], [jgmac1106], [sebsel] and [snarfed] joined the channel
#
[snarfed]
IG backfeed in Bridgy browser extension is working! can’t believe i didn’t do this earlier
#
[snarfed]
FB should be doable eventually too
geoffo joined the channel
#
lahacker
awesome snarfed++ is the code on GitHub?
#
lahacker
snarfed++ for keeping the bridge standing
#
Loqi
snarfed has 32 karma in this channel over the last year (54 in all channels)
#
lahacker
wonders if it'll work in a headless context
geoffo, leg, nickodd, KartikPrabhu and [tantek] joined the channel
#
GWG
I'm intrigued by this browser extension idea
schmudde joined the channel; nickodd left the channel
#
lahacker
here's the working code for controlling firefox using selenium in python: https://github.com/angelogladding/web/blob/main/web/agent.py#L444
#
lahacker
both the login and the backfeed use only the dom as exposed by selenium
#
lahacker
the syndicate however required me to use an operating system tool (xdotool) to simulate a click on the virtual screen in order to activate the Tweet textarea
#
lahacker
if all this logic could be moved into an extension that could work for users in their desktop browser AND on headless backends.. that's where i wanted to head with it
KartikPrabhu, geoffo, lahacker and [snarfed] joined the channel
#
[snarfed]
lahacker: most of bridgy backfeed will still happen server side. the browser extension right now is minimal, just forwards complete IG HTTP request contents: https://github.com/snarfed/bridgy/tree/browser-extension/browser-extension
#
[snarfed]
the reason for the browser extension is to use users’ current, valid IG session cookies. i doubt many people have headless browser setups at all, and even fewer maintain valid IG sessions in them, so i’m not targeting headless
#
[snarfed]
also for the record this isn’t ready for testing yet. soon though!
#
[snarfed]
out of curiosity, why are you scraping twitter instead of using the API?
#
lahacker
snarfed i want a twitter user to be able to plunk their username/password into my software and have it just work; for GitHub, DynaDot and DigitalOcean I'm currently using tokens; do you know if there's some kind of twitter equivalent? no third-party, no "app"..
#
[snarfed]
uh, this is what their API and OAuth is for, right? asking for a user’s password to a third party site is a well established bad antipattern. or am i misunderstanding what you’re doing?
#
lahacker
import web; browser = web.browser(); browser.twitter_login("exampleuser", "p@ssw0rd"); browser.twitter_syndicate_post("test", "example.com/test")
#
lahacker
so the idea is that you're running your own software
#
lahacker
in that case, you need to go through the entire Twitter App registration process?
#
[snarfed]
no, you can embed your own API app in it, using PKCE to avoid exposing a client secret
#
[snarfed]
we want to train people to only enter a given password on the site it’s for, not anywhere else. when we normalize giving passwords to arbitrary other software, we make people more likely to fall for phishing and other ways to get owned
#
[snarfed]
you can do anything you want, of course. just know that this is an antipattern that the modern software and security communities have been trying to stamp out for decades, precisely because it makes the whole ecosystem less secure
#
lahacker
do you give your passphrase to your browser? your password keeper?
#
lahacker
if i just simply take the passphrase, pass it on to twitter.com in firefox, never hold on to it?
#
lahacker
and if this is software that's being run by the user on their own host/site?
#
[snarfed]
browsers have very specific, very strict, industry known security frameworks, specifically same origin. so no, when i see anything that’s not a very well known browser or password manager, i don’t enter it
#
lahacker
do you use a password manager?
#
aaronpk
basically by asking people to enter their twitter password in your app you're asking people to trust your code
#
[snarfed]
yes, like i mentioned. a very established and well known one
#
[snarfed]
again, you’re free to do anything you want, just know that you’re on the wrong side of history here
#
lahacker
well here's the thing..
#
lahacker
so i'm writing a micropub editor right now
#
lahacker
so maybe i've got this wrong
#
aaronpk
this is also why we didn't make micropub work by having people enter their website password into micropub clients
#
[snarfed]
^ exactly. you type it into your own web site, not the micropub client
#
lahacker
i'm instructing the micropub server on my own site angelogladding.com to store my credentials (un/pw)
#
lahacker
then i send over to my editor syndicate-to: ["twitter"...]
#
lahacker
i check the Twitter box in my editor and then my own site uses the browser it has open in the background to perform the syndication
#
[snarfed]
yes, we (i at least) understand what you’re doing. we’re just telling you it’s an antipattern
#
[snarfed]
in your case, you created your site, so you trust it. we’re just discouraging you from shipping that software to anyone else and encouraging them to use it the same way.
#
lahacker
what about a site that doesn't have an api?
#
[snarfed]
maybe. but twitter does.
#
lahacker
could i meet some kind of security criteria?
#
[snarfed]
why? just use OAuth
#
[snarfed]
having said that, you are right that the OAuth app registration process is awkward for self hosted client software. app registration on big sites is often too heavyweight to impose on individual users, but embedding your own app is also awkward for its own reasons. i don’t know that the industry has a good answer there. aaronpk?
#
lahacker
i mean i've got the whole darn thing one-click ready to rock and roll and i swear i've been through the twitter docs a dozen times
#
lahacker
i just want to say, sorry, not sorry
#
lahacker
dang
#
lahacker
it's bad enough sending the user to a page on the site to gen a token and copy/paste it back
#
aaronpk
the technology answer is "dynamic client registration", but in practice sites like twitter actually do want to require that you go through their manual registration process to agree to the developer terms of service and such
#
aaronpk
i wish twitter still had the simple "give me a token for my own account" option. at least github still does that
#
[snarfed]
lahacker again, go for it! for yourself at least. it’s just not good to encourage other people to do
#
[snarfed]
aaronpk thx
#
[snarfed]
guess that makes sense. mastodon style. that’s the only place i’ve ever seen it so far though, sadly
gxt joined the channel
#
aaronpk
yeah i think some oauth vendors support it but i don't know that i've seen it in any actual public api docs
#
[snarfed]
“ignore self hosted, that’s only for dirty hippies” 😎
#
lahacker
k so how about typing your twitter password into beakerbrowser?
#
lahacker
i'm aware of the implications..
#
[snarfed]
you have a point. we understand it. we also lived through a period in the industry where user security was materially harmed by third party apps asking for arbitrary passwords, and normalizing that practice for users. it’s what led to OAuth in the first place.
#
[snarfed]
regardless, i’ll stop pushing, i think hopefully we all at least understand each other at this point 😁
#
aaronpk
that's literally the first part of my oauth workshops :)
#
[snarfed]
(^ he is very literally the expert on this. i am an amateur.)
#
aaronpk
about how people entering twitter passwords into random apps led to oauth
#
lahacker
yeah i've been following along from a distance for a long time
#
lahacker
but this is like software that runs your dot.com
#
lahacker
in a sense your browser in the cloud
gRegorLove joined the channel
#
lahacker
the third party apps are the micropub editors and they certainly don't receive the password
#
[snarfed]
so again, why not use OAuth, and just embed your app? (so users don’t have to make their own)
#
aaronpk
you can justify it however you want, but please keep in mind that asking users to hand over their twitter password to anything that isn't typing it in twitter.com in a browser is actively harming everyone in the industry trying to teach people how to improve their online security
#
[snarfed]
(besides the fact that you’ve already implemented scraping)
#
[snarfed]
aaronpk++
#
Loqi
aaronpk has 70 karma in this channel over the last year (217 in all channels)