#dev 2020-12-28

2020-12-28 UTC
#
Zegnat
Hmm. HTML scraping might be out as well, does not give me what I need. So my new flow is going to be: Google Takeout -> convert JSON to OPML -> import in feed reader.
#
Zegnat
Going to need to either get the API working or find a better way to manage YouTube subscriptions
#
Zegnat
If anyone has a functioning API setup for YouTube, I would love some debugging help tomorrow.
#
[KevinMarks]
What is huginn?
#
Loqi
Huginn is a system for building agents that perform automated tasks for you online https://indieweb.org/huginn
geoffo, ShadowKyogre and [dmitshur] joined the channel
#
[dmitshur]
hmm, does the current indielogin.com IndieAuth client implementation not set the (newly mandatory! or mandatory-ish lol) grant_type parameter when redeeming the authorization code at the authorization endpoint?
#
[dmitshur]
asking (sorta a rhetorical question) to confirm my findings are accurate.
#
Loqi
[gRegorLove] #69 Add grant_type
[schmarty] joined the channel
#
[dmitshur]
woohoo, a part of resolving https://github.com/shurcooL/home/issues/43 is complete:
#
[dmitshur]
"Congrats!
#
[dmitshur]
You successfully authenticated as https://dev.dmitri.shuralyov.com/"
#
[dmitshur]
the rest (finishing the client TODOs, clean up and review) is next up.
#
[dmitshur]
that is the first rough version of the IndieAuth server working.
#
[dmitshur]
but this should be enough progress to let me login to https://indieweb.org and RSVP to https://events.indieweb.org/2020/12/homebrew-website-club-the-americas-iCQoviBRPr7r in time lol.
#
Loqi
woot
#
Loqi
[dmitshur] #43 indieauth: update implementation for 2020 spec changes
#
[dmitshur]
Assuming I only support the S256 code_challenge_method, I wonder if there'd be any problem with doing the code_verifier check by base64-decoding the code_challenge to precompute the expected sha256 sum of the code_verifier, then doing a sha256(code_verifier) == wantsum check. (It relies on base64 encoding/decoding being 1:1.) https://tools.ietf.org/html/rfc7636#section-4.6 doesn't go into low-level details about how the comparison should be
#
[dmitshur]
made. As far as I can tell it should be equivalent, but I'll want to do more reading up on PKCE before making any kind of final decision.
[asuh], ShadowKyogre and gRegorLove joined the channel; ShadowKyogre left the channel
#
aaronpk
[dmitshur]: I'm not sure I understand what you're trying to do. The verification should be pretty straightforward, you do the same sha256 calculation of the value you get in the token request and compare the hash with what came in the request
#
[dmitshur]
I'm just trying to challenge my understanding of things by thinking through a slightly unusual approach.
#
[dmitshur]
RFC7636 says:
#
[dmitshur]
> If the "code_challenge_method" from Section 4.3 was "S256", the
#
[dmitshur]
> received "code_verifier" is hashed by SHA-256, base64url-encoded, and
#
[dmitshur]
> then compared to the "code_challenge", i.e.:
#
[dmitshur]
> BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge
#
[dmitshur]
As a thought exercise, if one applies base64URL-decode to both sides of the equation, you get:
#
[dmitshur]
> BASE64URL-DECODE(BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))) == BASE64URL-DECODE(code_challenge)
#
[dmitshur]
Which can be simplified to:
#
[dmitshur]
> SHA256(ASCII(code_verifier)) == BASE64URL-DECODE(code_challenge)
#
[dmitshur]
I was just curious how unusual it is to do the verification that way.
KartikPrabhu joined the channel
#
[dmitshur]
I'm probably not going to do that in the end, but I'll keep thinking for now and as I do more research/learning.
#
aaronpk
I don't think these operations work the way algebraic operations work
dhanesh, [cleverdevil] and KartikPrabhu joined the channel
#
[dmitshur]
Agree about that in the general case (e.g., can open up timing or DoS attacks). But I haven’t found a concrete way it’s a bad idea in this specific case, other than the general “factors I haven’t considered” angle.
#
[dmitshur]
Not yet anyway.
peterrother, dhanesh, ludovicchabant, themaxdavitt, raucao, swentel, KartikPrabhu, [tantek] and ShadowKyogre joined the channel; ShadowKyogre left the channel
#
@EatPodcast
@voxpelli could this be an error from https://webmention.herokuapp.com/? No problem at my end, the webmention was received and displays. @vonExplaino
(twitter.com/_/status/1343520742663716870)
#
@EatPodcast
↩️ I wonder whether that might have been an error from the 3rd-party app I use for webmentions. In any case, it got through. Unlike my attempt to DM you.
(twitter.com/_/status/1343520209324417026)
[tantek] joined the channel
#
Zegnat
[dmitshur] there should not be any reason why that should not work. I think I would mostly just find it unnecessary to do any processing on the originally provided code_challenge value. Especially since both inputs code_challenge and code_verifier are untrusted. I would say it is better to SHA-hash an untrusted value, than to (try to) decode an untrusted value.
[Ana_Rodrigues], [Rose], [jgmac1106], ShadowKyogre, [Raphael_Luckom] and [KevinMarks] joined the channel; ShadowKyogre left the channel
#
jeremycherfas
Out of my depth again, so ... by my understanding, there shouldn't be any problems with loading js from anywhere in my site. And yet, I get a 404 when I try. One thought was CORS, but that can't be it from the same site, can it?
#
jeremycherfas
By in my site, I mean, in the domain that hosts my site.
#
Zegnat
You are correct, jeremycherfas. The path to the JS file should not matter, as long as the file is there.
#
Zegnat
You are sure you have uploaded it to a publicly accessible folder?
#
jeremycherfas
If it is local, isn't it all public? I better check.
#
jeremycherfas
755 for node_modules
#
jeremycherfas
And 755 for all enclosed folders
ShadowKyogre left the channel
#
Zegnat
That sounds like it should be public, yes
#
Zegnat
Does Grav allow access of folders it does not know about?
ShadowKyogre joined the channel
#
jeremycherfas
Yes. It even has a syntax for that, `theme://`
#
jeremycherfas
You were telling me yesterday about a method to discover whether a js script had actually loaded. Can you remind me, please.
#
[KevinMarks]
dev tools in the browser will show you
#
jeremycherfas
Under the Network tab?
ShadowKyogre joined the channel; ShadowKyogre left the channel
#
Zegnat
yes, network tab should work just fine
#
[KevinMarks]
Sources is quicker to see if it found the file at all, network to see if it didn't load and what the error was
#
Zegnat
But if you get a 404 for the javascript file URL, I would guess you will see the same 404 in the network tab :/
#
jeremycherfas
OH no, wait. The folder it is in is 755, but the file itself is 644. Could that make a difference?
#
jeremycherfas
I can't see how, but I have tried everything else.
#
jeremycherfas
Makes no difference.
#
[Raphael_Luckom]
the permissions of the file could definitely make a difference, but 644 would allow read
#
jeremycherfas
That's what I thought
geoffo joined the channel
#
jeremycherfas
Grav people are suggesting to copy my stuff out of `/node_modules` and into `/js` instead. I may as well give that a try.
#
[Raphael_Luckom]
I have some time to help if I can be useful, but I'm not familiar with Grav. If you wanted to start a zoom or equivalent, or if there's something else I could do to help, I'd be happy to
#
jeremycherfas
Many thanks [Raphael_Luckom] but let me give this latest suggestion a go first.
#
[Raphael_Luckom]
yeah, sometimes you just need to agitate it until it works 😄
#
Zegnat
Folder name should not make a difference, unless Grav does not allow access of folders that it does not know about
ShadowKyogre left the channel
#
jeremycherfas
Well, I'm none the wiser, but it worked all the same. So, progress, of a kind. Now asking the Grav people why that was.
#
[Raphael_Luckom]
changing things in general sometimes fixes problems because it provokes revisiting things you might not have thought were the problem
ShadowKyogre joined the channel
#
swentel
yeah, there might be a rule (e.g. in an htaccess file) to prevent accessing files in certain folders, node_modules usually is a good idea to deny access :)
#
[Raphael_Luckom]
that's a very plausible idea
ShadowKyogre joined the channel; ShadowKyogre left the channel
#
Zegnat
Oooh, it looks like I need Google to verify me for using OAuth. There is a 100 requests life-time quota before being verified, if I am understanding this right. I bet the old keys had gotten stuck on that.
#
Zegnat
I guess that is one way to gatekeep against private apps
ShadowKyogre left the channel
#
aaronpk
wow weird
#
Zegnat
The problem is I cannot really find it documented anywhere outside of this one-time popup you get when you create credentials: https://i.imgur.com/VOkEruK.png
#
Zegnat
(No worries, credentials created specifically for this screenshot, that secret is not in use.)
[snarfed] and [schmarty] joined the channel
#
Zegnat
What is OPML?
#
Loqi
OPML stands for Outline Processor Markup Language, an XML-based format and de facto standard used for feed lists interchange https://indieweb.org/OPML
#
Zegnat
Hmm. Was wondering if anyone ever documented the standard for feed lists
#
Zegnat
Anyone know? [KevinMarks]?
[tantek], alex11 and [dmitshur] joined the channel
#
[dmitshur]
[Zegnat] Thanks for your thoughts above, very helpful.
#
Zegnat
That only took 2 days, but I have an OPML export from YouTube again :D https://github.com/Zegnat/php-youtube-subscriptions-opml
#
Loqi
[Zegnat] php-youtube-subscriptions-opml: Single page web service to download an OPML file of a user's YouTube subscriptions
#
[schmarty]
Zegnat++ wow very nice!
#
Loqi
Zegnat has 35 karma in this channel over the last year (95 in all channels)
#
Zegnat
This has not left me a big fan of Google APIs, I have to say. Unlikely I will host this publicly for people to make use of.
[Raphael_Luckom] joined the channel
#
[Raphael_Luckom]
their gsuite / oauth stuff is their worst
swentel joined the channel
#
[Raphael_Luckom]
some of the cloud infrastructure stuff is ok (and I think but can't really demonstrate that their cdn game is ahead of aws's) but their identity and authn / authz products suffer horribly because they're still tied to roots as email addresses and mailing lists.
#
aaronpk
Zegnat: that's the same reason i'm hesitating publishing some of my tools for dealing with youtube stuff too
#
Zegnat
Do not know about Google infrastructure at all, I am only speaking of APIs into their own services like YouTube
#
Zegnat
aaronpk: I think it is fine if you can get away with only using endpoints that do not require authorization. I had no real issue when I was working on getting YouTube into XRay
#
aaronpk
yeah and they do have an "api key" that you can generate as a user and it works for some methods but not all
#
aaronpk
but once you get into the rate limited and restricted APIs, the rate limiting is super harsh until you get your app approved and stuff
[Ana_Rodrigues] and [tw2113_Slack_] joined the channel
#
@UpscaleDavid
↩️ Oh, and i'm adding webmentions, it's sort of like Twitter's @ feature.
(twitter.com/_/status/1343613019734028295)
#
aaronpk
[snarfed]: can I pass a twitter list ID instead of a name to granary? I renamed a list and I think that broke it
#
aaronpk
it can't find the list with either the old or new name
#
GWG
This week I'm working on fixing a few weather bugs.
#
GWG
Like the fact that I don't pick a weather icon for my homemade weather stations because I don't know how I should derive cloudy
#
GWG
Wondering if I can figure it out from this wikipedia table
[plenglin] joined the channel
#
jeremycherfas
Well, my ongoing project of the past few days is up and working, although I don't expect anyone to notice. There are still a couple of rough edges to smooth off, but I am glad to have got it done before 2021-01-01. Thanks everyone for help and support.
[snarfed] and [KevinMarks] joined the channel
#
[KevinMarks]
Xoxo was an alternative to opml, and originally I translated opml into it
#
Zegnat
But XOXO was never used as an interchange format for feed subscriptions, right? Only OPML?
#
Zegnat
I am most interested in the interchange format ... having a hard time finding that one documented.
#
Zegnat
OPML as the outlining spec is simple enough to find
gxt joined the channel
#
Zegnat
!tell jeremycherfas I think Grav is still in some sort of debug mode? I get a debugging bar at the bottom on your site. Also: pagination links on https://www.jeremycherfas.net/blog seem to be broken?
#
Loqi
Ok, I'll tell them that when I see them next
#
[KevinMarks]
The motivation for xoxo was feed subscriptions yes
#
Zegnat
Hmm, xoxo pages on microformats.org aren't of any help either in tracking down the feed interchange format
#
Zegnat
takes a break
[tantek] joined the channel
#
[tantek]
Zegnat, indeed there's scant formal documentation of the interchange format, what implements it etc. If only the developers of the spec kept such things on an easily web search discoverable wiki
#
[tantek]
And absent that, might as well start documenting your interchange format use-case needs and come up with something more minimal/modern than a subset of OPML for that
#
[tantek]
an undocumented spec is not a spec at all, and is unlikely to have actually been properly implemented
#
[tantek]
thus a bit of poking in the dark to both implement yourself and attempt any degree of interop
#
Zegnat
The problem as far as I can see is specifically with the interchange format. I can find outliners that still use OPML, and there are plenty of copies of the pure OPML spec that you can find (it is mostly just an XML vocab after all). But does seem like I would need to create a handful of different nesting and naming combinations and start importing in multiple readers to figure out interop for the feed-subscription interchange format
#
Zegnat
specifically
#
Zegnat
Will see if I can find the motivation to do that research. Chances are no. As I do not switch between readers a lot. I think I have only done one major switch, from Google Reader to Feedbin.
gRegorLove and [jeremycherfas] joined the channel
#
[jeremycherfas]
!tell zegnat Rats! I always forget to disable the debugging. It will have to wait until tomorrow.
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
[jeremycherfas]: Zegnat left you a message 2 hours, 4 minutes ago: I think Grav is still in some sort of debug mode? I get a debugging bar at the bottom on your site. Also: pagination links on https://www.jeremycherfas.net/blog seem to be broken?
jolvera, [KevinMarks] and ShadowKyogre joined the channel; ShadowKyogre left the channel
#
@houshuang
↩️ I'd be happy to discuss cognitive stuff any day. Also very interested in the idea of linking digital gardens - have been discussing some prototype with @JoelChan86 using webmentions, and actually tried building something 7 yrs ago based on PhD students reading identical papers.
(twitter.com/_/status/1343680383930527749)
#
GWG
I was thinking about trying to tackle reviews
ShadowKyogre left the channel