#dev 2020-12-28

2020-12-28 UTC
# 00:08 
Zegnat Hmm. HTML scraping might be out as well, does not give me what I need. So my new flow is going to be: Google Takeout -> convert JSON to OPML -> import in feed reader.
# 00:08 
Zegnat Going to need to either get the API working or find a better way to manage YouTube subscriptions
# 00:08 
Zegnat If anyone has a functioning API setup for YouTube, I would love some debugging help tomorrow.
# 00:24 
[KevinMarks] What is huginn?
# 00:24 
Loqi Huginn is a system for building agents that perform automated tasks for you online https://indieweb.org/huginn
geoffo, ShadowKyogre and [dmitshur] joined the channel
# 02:12 
[dmitshur] hmm, does the current indielogin.com IndieAuth client implementation not set the (newly mandatory! or mandatory-ish lol) grant_type parameter when redeeming the authorization code at the authorization endpoint?
# 02:12 
[dmitshur] asking (sorta a rhetorical question) to confirm my findings are accurate.
# 02:12 
[dmitshur] (I successfully got this: https://user-images.githubusercontent.com/1924134/103184925-19c49d80-4888-11eb-83fb-69cabc3e43c6.png)
# 02:12 
[dmitshur] https://github.com/aaronpk/indielogin.com/issues/69 seems to support this.
# 02:13 
Loqi [gRegorLove] #69 Add grant_type
[schmarty] joined the channel
# 02:59 
[dmitshur] woohoo, a part of resolving https://github.com/shurcooL/home/issues/43 is complete:
# 02:59 
[dmitshur] "Congrats!
# 02:59 
[dmitshur] You successfully authenticated as https://dev.dmitri.shuralyov.com/"
# 02:59 
[dmitshur] the rest (finishing the client TODOs, clean up and review) is next up.
# 02:59 
[dmitshur] that is the first rough version of the IndieAuth server working.
# 02:59 
[dmitshur] but this should be enough progress to let me login to https://indieweb.org and RSVP to https://events.indieweb.org/2020/12/homebrew-website-club-the-americas-iCQoviBRPr7r in time lol.
# 02:59 
Loqi woot
# 03:00 
Loqi [dmitshur] #43 indieauth: update implementation for 2020 spec changes
# 03:19 
[dmitshur] Assuming I only support the S256 code_challenge_method, I wonder if there'd be any problem with doing the code_verifier check by base64-decoding the code_challenge to precompute the expected sha256 sum of the code_verifier, then doing a sha256(code_verifier) == wantsum check. (It relies on base64 encoding/decoding being 1:1.) https://tools.ietf.org/html/rfc7636#section-4.6 doesn't go into low-level details about how the comparison should be
# 03:19 
[dmitshur] made. As far as I can tell it should be equivalent, but I'll want to do more reading up on PKCE before making any kind of final decision.
[asuh], ShadowKyogre and gRegorLove joined the channel; ShadowKyogre left the channel
# 04:45 
aaronpk [dmitshur]: I'm not sure I understand what you're trying to do. The verification should be pretty straightforward, you do the same sha256 calculation of the value you get in the token request and compare the hash with what came in the request
# 04:52 
[dmitshur] I'm just trying to challenge my understanding of things by thinking through a slightly unusual approach.
# 04:52 
[dmitshur] RFC7636 says:
# 04:52 
[dmitshur] > received "code_verifier" is hashed by SHA-256, base64url-encoded, and
# 04:52 
[dmitshur] > If the "code_challenge_method" from Section 4.3 was "S256", the
# 04:52 
[dmitshur] > then compared to the "code_challenge", i.e.:
# 04:52 
[dmitshur] >    BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge
# 04:52 
[dmitshur] >
# 04:52 
[dmitshur] > BASE64URL-DECODE(BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))) == BASE64URL-DECODE(code_challenge)
# 04:52 
[dmitshur] As a thought exercise, if one applies base64URL-decode to both sides of the equation, you get:
# 04:52 
[dmitshur] Which can be simplified to:
# 04:52 
[dmitshur] > SHA256(ASCII(code_verifier)) == BASE64URL-DECODE(code_challenge)
# 04:52 
[dmitshur] I was just curious how unusual it is to do the verification that way.
KartikPrabhu joined the channel
# 05:24 
[dmitshur] I'm probably not going do that in the end, but I'll keep thinking for now and as I do more research/learning.
# 05:24 
aaronpk I don't think these operations work the way algebraic operations work
dhanesh, [cleverdevil] and KartikPrabhu joined the channel
# 06:37 
[dmitshur] Agree about that in the general case (e.g., can open up timing or DoS attacks). But I haven’t found a concrete way it’s a bad idea in this specific case, other than the general “factors I haven’t considered” angle.
# 06:38 
[dmitshur] Not yet anyway.
peterrother, dhanesh, ludovicchabant, themaxdavitt, raucao, swentel, KartikPrabhu, [tantek] and ShadowKyogre joined the channel; ShadowKyogre left the channel
# 11:35 
@EatPodcast @voxpelli could this be an error from https://webmention.herokuapp.com/? No problem at my end, the webmention was received and displays.

@vonExplaino (twitter.com/_/status/1343520742663716870)
# 11:35 
@EatPodcast ↩️ I wonder whether that might have been an error from the 3rd-party app I use for webmentions. In any case, it got through. Unlike my attempt to DM you. (twitter.com/_/status/1343520209324417026)
[tantek] joined the channel
# 12:47 
Zegnat [dmitshur] there should not be any reason why that should not work. I think I would mostly just find it unneccessary to do any processing on the originally provided code_challenge value. Especially since both inputs code_challenge and code_verifier are untrusted. I would say it is better to SHA-hash an untrusted value, than to (try to) decode an untrusted value.
[Ana_Rodrigues], [Rose], [jgmac1106], ShadowKyogre, [Raphael_Luckom] and [KevinMarks] joined the channel; ShadowKyogre left the channel
# 14:16 
jeremycherfas Out of my depth again, so ... by my understanding, there shouldn't be any problems with loading js from anywhere in my site. And yet, I get a 404 when I try. One thought was CORS, but that can't be it from the same site, can it?
# 14:17 
jeremycherfas By in my site, I mean, in the domain that hosts my site.
# 14:21 
Zegnat You are correct, jeremycherfas. The path to the JS file should not matter, as long as the file is there.
# 14:21 
Zegnat You are sure you have uploaded it to a publicly accessible folder?
# 14:21 
jeremycherfas If it is local, isn't it all public? I better check.
# 14:22 
jeremycherfas 755 for node_modules
# 14:22 
jeremycherfas And 755 for all enclosed folders
ShadowKyogre left the channel
# 14:29 
Zegnat That sounds like it should be public, yes
# 14:29 
Zegnat Does Grav allow access of folders it does not know about?
ShadowKyogre joined the channel
# 14:32 
jeremycherfas Yes. It even has a syntax for that, `theme://`
# 14:32 
jeremycherfas You were telling me yesterday about a method to discover whether a js script had actually loaded. Can you remind me, please.
# 14:33 
[KevinMarks] dev tools in the browser will show you
# 14:34 
jeremycherfas Under the Network tab?
ShadowKyogre joined the channel; ShadowKyogre left the channel
# 14:45 
Zegnat yes, network tab should work just fine
# 14:46 
[KevinMarks] Sources is quicker to see if it found the file at all, network to see if it didn't load and what the error was
# 14:46 
Zegnat But if you get a 404 for the javascript file URL, I would guess you will see the same 404 in the network tab :/
# 14:56 
jeremycherfas OH no, wait. The folder it is in is 755, but the file itself is 644. Could that make a difference?
# 14:56 
jeremycherfas I can't see how, but I have tried everything else.
# 14:57 
jeremycherfas Makes no difference.
# 14:59 
[Raphael_Luckom] the permissions of the file could definitely make a difference, but 644 would allow read
# 14:59 
jeremycherfas That's what I thought
geoffo joined the channel
# 15:00 
jeremycherfas Grav people are suggesting to copy my stuff out of `/node_modules` and into `/js` instead. I may as well give that a try.
# 15:00 
[Raphael_Luckom] I have some time to help if I can be useful, but I'm not familiar with Grav. If you wanted to start a zoom or equivalent, or if there's something else I could do to help, I'd be happy to
# 15:01 
jeremycherfas Many thank [Raphael_Luckom] but let me give this latest suggestion a go first.
# 15:01 
[Raphael_Luckom] yeah, sometimes you just need to agitate it until it works 😄
# 15:06 
Zegnat Folder name should not make a difference, unless Grav does not allow access of folders that it does not know about
ShadowKyogre left the channel
# 15:07 
jeremycherfas Well, I'm none the wiser, but it worked all the same. So, progress, of a kind. Now asking the Grav people why that was.
# 15:08 
[Raphael_Luckom] changing things in general sometimes fixes problems because it provokes revisiting things you might not have thought were the problem
ShadowKyogre joined the channel
# 15:12 
swentel yeah, there might be rule (e.g. in a htaccess file) to prevent accessing files in certain folders, node_modules usually is a good idea to deny access :)
# 15:14 
[Raphael_Luckom] that's a very plausible idea
ShadowKyogre joined the channel; ShadowKyogre left the channel
# 15:32 
Zegnat Oooh, it looks like I need Google to verify me for using OAuth. There is a 100 requests life-time quota before being verified, if I am understanding this right. I bet the old keys had gotten stuck on that.
# 15:37 
Zegnat I guess that is one way to gatekeep against private apps
ShadowKyogre left the channel
# 15:44 
aaronpk wow weird
# 15:58 
Zegnat The problem is I cannot really find it documented anywhere outside of this one-time popup you get when you create credentials: https://i.imgur.com/VOkEruK.png
# 15:59 
Zegnat (No worries, credentials created specifically for this screenshot, that secret is not in use.)
[snarfed] and [schmarty] joined the channel
# 16:23 
Zegnat What is OPML?
# 16:23 
Loqi OPML stands for Outline Processor Markup Language, an XML-based format and defacto standard used for feed lists interchange https://indieweb.org/OPML
# 16:26 
Zegnat Hmm. Was wondering if anyone ever documented the standard for feed lists
# 16:26 
Zegnat Anyone know? [KevinMarks]?
[tantek], alex11 and [dmitshur] joined the channel
# 16:47 
[dmitshur] [Zegnat] Thanks for your thoughts above, very helpful.
# 17:09 
Zegnat That only took 2 days, but I have an OPML export from YouTube again :D https://github.com/Zegnat/php-youtube-subscriptions-opml
# 17:09 
Loqi [Zegnat] php-youtube-subscriptions-opml: Single page web service to download an OPML file of a user's YouTube subscriptions
# 17:10 
[schmarty] Zegnat++ wow very nice!
# 17:10 
Loqi Zegnat has 35 karma in this channel over the last year (95 in all channels)
# 17:25 
Zegnat This has not left me a big fan of Google APIs, I have to say. Unlikely I will host this publicly for people to make use of.
[Raphael_Luckom] joined the channel
# 17:26 
[Raphael_Luckom] their gsuite / oauth stuff is their worst
swentel joined the channel
# 17:27 
[Raphael_Luckom] some of the cloud infrastructure stuff is ok (and I think but can't really demonstrate that their cdn game is ahead of aws's) but their identity and authn / authz products suffer horribly because they're still tied to roots as email addresses and mailing lists.
# 17:30 
aaronpk Zegnat: that's the same reason i'm hesitating publishing some of my tools for dealing with youtube stuff too
# 17:32 
Zegnat Do not know about Google infrastructure at all, I am only speaking of APIs into their own services like YouTube
# 17:33 
Zegnat aaronpk: I think it is fine if you can get away with only using endpoints that do not require authorization. I had no real issue when I was working on getting YouTube into XRay
# 17:33 
aaronpk yeah and they do have an "api key" that you can generate as a user and it works for some methods but not all
# 17:34 
aaronpk but once you get into the rate limited and restricted APIs, the rate limiting is super harsh until you get your app approved and stuff
[Ana_Rodrigues] and [tw2113_Slack_] joined the channel
# 17:45 
@UpscaleDavid ↩️ Oh, and i'm adding webmentions, it's sort of like Twitter's @ feature. (twitter.com/_/status/1343613019734028295)
# 17:47 
aaronpk [snarfed]: can I pass a twitter list ID instead of a name to granary? I renamed a list and I think that broke it
# 17:47 
aaronpk it can't find the list with either the old or new nam
# 17:53 
GWG This week I'm working on fixing a few weather bugs.
# 17:54 
GWG Like the fact that I don't pick a weather icon for my homemade weather stations because I don't know how I should derive cloudy
# 17:55 
GWG https://en.m.wikipedia.org/wiki/Daylight
# 17:55 
GWG Wondering if I can figure it out from this wikipedia table
[plenglin] joined the channel
# 18:14 
jeremycherfas Well, my ongoing project of the past few days is up and working, although I don't expect anyone to notice. There are still a couple of rough edges to smooth off, but I am glad to have got it done before 2021-01-01. Thanks everyone for help and support.
[snarfed] and [KevinMarks] joined the channel
# 18:21 
[KevinMarks] Xoxo was an alternative to opml, and originally I translated opml into it
# 18:28 
Zegnat But XOXO was never used as an interchange format for feed subscriptions, right? Only OPML?
# 18:28 
Zegnat I am most interested in the interchange format ... having a hard time finding that one documented.
# 18:28 
Zegnat OPML as the outlining spec is simple enough to find
gxt joined the channel
# 18:53 
Zegnat !tell jeremycherfas I think Grav is still in some sort of debug mode? I get a debugging bar at the bottom on your site. Also: pagination links on https://www.jeremycherfas.net/blog seem to be broken?
# 18:53 
Loqi Ok, I'll tell them that when I see them next
# 19:07 
[KevinMarks] The motivation for xoxo was feed subscriptions yes
# 19:33 
Zegnat Hmm, xoxo pages on microformats.org aren't of any help either in tracking down the feed interchange format
# 19:33 
Zegnat takes a break
[tantek] joined the channel
# 19:33 
[tantek] Zegnat, indeed there's scant formal documentation of the interchange format, what implements it etc. If only the developers of the spec kept such things on an easily web search discoverable wiki
# 19:34 
[tantek] And absent that, might as well start documenting your interchange format use-case needs and come up with something more minimal/modern than a subset of OPML for that
# 19:34 
[tantek] an undocumented spec is not a spec at all, and is unlikely to have actually been properly implemented
# 19:34 
[tantek] thus a bit of poking in the dark to both implement yourself and attempt any degree of interop
# 19:37 
Zegnat The problem as far as I can see is specifically with the interchange format. I can find outliners that still use OPML, and there are plenty copies of the pure OPML spec that you can find (it is mostly just an XML vocab afterall). But does seem like I would need to create a handful of different nesting and naming combinations and start importing in multiple readers to figure out interop for the feed-subscription interchange format
# 19:37 
Zegnat specifically
# 19:38 
Zegnat Will see if I can find the motivation to do that research. Chances are no. As I do not switch between readers a lot. I think I have only done one major switch, from Google Reader to Feedbin.
gRegorLove and [jeremycherfas] joined the channel
# 20:57 
[jeremycherfas] !tell zegnat Rats! I always forget to disable the debugging. It will have to wait until tomorrow.
# 20:57 
Loqi Ok, I'll tell them that when I see them next
# 20:57 
Loqi [jeremycherfas]: Zegnat left you a message 2 hours, 4 minutes ago: I think Grav is still in some sort of debug mode? I get a debugging bar at the bottom on your site. Also: pagination links on https://www.jeremycherfas.net/blog seem to be broken?
jolvera, [KevinMarks] and ShadowKyogre joined the channel; ShadowKyogre left the channel
# 22:10 
@houshuang ↩️ I'd be happy to discuss cognitive stuff any day. Also very interested in the idea of linking digital gardens - have been discussing some prototype with @JoelChan86 using webmentions, and actually tried building something 7 yrs ago based on PhD students reading identical papers. (twitter.com/_/status/1343680383930527749)
# 23:06 
GWG I was thinking about trying to tackle reviews
ShadowKyogre left the channel