#dev 2020-12-31

2020-12-31 UTC
[chrisaldrich] joined the channel
#
[chrisaldrich]
What is weather?
#
Loqi
Weather is the state of the atmosphere at a place and time as regards heat, dryness, sunshine, wind, rain, etc https://indieweb.org/weather
[schmarty] and geoffo joined the channel
#
@ChrisAldrich
My poor little website passed 23,000 comments/replies/reactions yesterday. This is in tremendous part due to webmentions and the ability to collect the conversation about my content across social spaces. I’m wondering when comments will pass the number… https://boffosocko.com/?p=55784494
(twitter.com/_/status/1344478877410758657)
ShadowKyogre joined the channel
#
@ChrisAldrich
↩️ We totally need to schedule a follow up to the IndieWeb Gardens & Streams session from early 2020 to discuss the efflorescence of platforms in this space. I’d love to see more of them supporting Webmention for garden-to-garden interactions. (http://boffosocko.com/2020/12/30/55784499/)
(twitter.com/_/status/1344497133760651264)
geoffo, KartikPrabhu, nickodd and [tw2113_Slack_] joined the channel
#
@flancian
↩️ Nice! Webmentions is another thing I really need to take a look at this weekend, do you have a personally recommended URL to ramp up on them perhaps / source for your site?
(twitter.com/_/status/1344557912740540417)
#
jeremycherfas
!tell aaronpk Just started getting an error from Telegraph `cURL error 23: Unrecognized content encoding type. libcurl understands deflate, gzip content encodings. (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)` but as far as I know nothing at my site has changed. Not sure how to troubleshoot this.
#
Loqi
Ok, I'll tell them that when I see them next
#
jeremycherfas
And I still seem to be logged in to indieweb.org
#
sebsel
jeremycherfas:
#
sebsel
oops.
[Ana_Rodrigues] joined the channel
#
Zegnat
jeremycherfas: when are you seeing that error? Is it when you try to login to Telegraph or when you try to send out webmentions? And if the latter, does it happen when it checks your site or when it goes out to check the site you are sending to?
#
Zegnat
also, jeremycherfas, I just read your latest blog post on understanding JS, and you are spot on :) That function does not necessarily need a return statement at all. The only reason it is there is so you could put in a check to see if it ran or not, but the example code never checks for that.
#
jeremycherfas
Wow. Thanks zegnat. And I get that error when I try to log in to Telegraph. I'm not sure how to check my headers.
#
Zegnat
Hm, odd one. Is that when trying to login with www.jeremycherfas.net ?
#
Zegnat
I can curl that domain without any problems. Though with that said, I do think it is returning an invalid content type. The content-type header is set to `none`, which is not a valid value.
#
Zegnat
That reminds me of an old Grav bug, hmmm
#
Zegnat
s/content-type/content-encoding/
#
jeremycherfas
Hmmn indeed. Is that something that is set in HEAD, or elsewhere. As I said, I don't know where to look.
#
jeremycherfas
Ah, there is a Grav option. Let me look at that.
#
jeremycherfas
"This option will change the header to Content-Encoding: identity allowing gzip to be more reliably set by the webserver although this usually breaks the out-of-process onShutDown() capability."
#
jeremycherfas
I should take a look and see whether that fixes the error.
#
Zegnat
Please have a look. It seems to only exist in the Grav code to fix specific server setups. https://github.com/getgrav/grav/issues/548 is a bug from 2015 with a discussion spanning multiple years of people having problems with it. And as recently as June this year Grav was still tweaking the header: https://github.com/getgrav/grav/issues/2619
#
Zegnat
Those two issues may include some pointers on what settings you want to look at :)
#
jeremycherfas
Yup, that was it. I enabled gzip and all is good with login, although now there is trouble finding the rel=me links.
#
jeremycherfas
... because I had not allowed indieauth to load. :(
#
Zegnat
Afraid I do not really have any good advice here, seems to be something very specific about Grav and how they wish to handle compression
#
jeremycherfas
All solved now. I re-enabled gzip and managed to login to Telegraph and send the webmentions.
#
jeremycherfas
!tell aaronpk Nevermind ^^^
#
Loqi
Ok, I'll tell them that when I see them next
#
jeremycherfas
How important is it to have an integrity check when you are loading a script from your own domain? I noticed that Zegnat does it, so I guess it is good practice.
#
Zegnat
*cough* me doing it is not always a sign of good practice.
#
Zegnat
For scripts you host yourself, there is very little to no benefit, if you have HTTPS setup
#
Zegnat
The idea of subresource integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is that you know the dependency has not changed from the one you were originally using. If your site is not on HTTPS, it could protect from MITM rewrites of resources (like when public WiFi networks try to insert their own ads/scripts) by not letting a rewritten resource load. Of course if they wanted to, they could at that
#
Zegnat
point also rewrite the integrity hash so it does not make a targeted attack impossible. If your site is HTTPS and you believe to have already secured it against MITM rewrites, the only party you are protecting against is yourself.
#
Zegnat
It might still have value. E.g. maybe you host Chartist yourself and do not want to accidentally update it. Having the hash means you will instantly notice when the dependency was updated and you have to take a second action to confirm the update (change the hashes) or rollback to a previous matching version. But that is super marginal as far as value goes.
#
jeremycherfas
Super-marginal means I will push it down my priorities a bit.
#
jeremycherfas
OK, I'm in an annoying frame of mind here, so ...
#
jeremycherfas
What is the second parameter in `parseFloat` for? https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/parseFloat does not mention a second parameter. I'm guessing it may be a precision indicator.
#
jeremycherfas
I'm seeing it in `td => parseFloat(td.textContent, 10)` in the script I am reading.
#
@autiomaa
↩️ People might also use IndieAuth https://indieauth.net/ ("a decentralized identity protocol built on top of OAuth 2.0") that allows you to use your personal website's domain for logging in to 3rd party applications. It is part of IndieWeb https://indieweb.org/IndieAuth proposals.
(twitter.com/_/status/1344618417152790529)
[KevinMarks] joined the channel
#
sknebel
jeremycherfas: I think they are confusing it with parseInt, which does have a second parameter
#
Zegnat
Yeah, what sknebel said. parseInt lets you define base in the second parameter: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/parseInt
#
jeremycherfas
I'm guessing parseFloat is more general, when you know it is a number but not necessarily whether it is an integer?
[Ana_Rodrigues], nickodd and dodo345 joined the channel
#
dodo345
hi everyone
#
@hiro_y
It's hard to figure out how to display webmentions. I ended up falling back on English labels….
(twitter.com/_/status/1344655284275298306)
geoffo, [Raphael_Luckom] and [schmarty] joined the channel
#
@BillSeitz
↩️ (hack solution: tweet out every roam block, use webmentions)
(twitter.com/_/status/1344673089892851712)
jamietanna, KartikPrabhu, [KevinMarks] and [Raphael_Luckom] joined the channel
#
[Raphael_Luckom]
Question for people who've done indieauth. I found a list of _oauth_ libraries for Node: https://oauth.net/code/nodejs/ . Reading the indieauth docs though, it seems like I wouldn't really get any benefit out of starting with an oauth lib vs just implementing indieauth myself. Does that sound right, or are there enough reusable parts of standard oauth2 libs that makes it worth reusing them? I'm thinking that I'll need both client and
#
[Raphael_Luckom]
server eventually, if that changes anything.
#
[Raphael_Luckom]
I suppose that it might be better to use an existing library for generating tokens, but I'm not sure that's a point in favor of an oauth library vs a more basic token library
#
vilhalmer
server was pretty easy imo, mine is only ~400 lines of go and a good chunk of that is not indieauth but the communication with the thing I use to actually authorize logins
#
[Raphael_Luckom]
cool, that's what I was hoping, thanks!
#
vilhalmer
and I'm reasonably sure it doesn't even have any massive vulns :D
#
[Raphael_Luckom]
hehe. I really appreciate the attention at the indieauth protocol level to minimizing the number of ways I can self-own.
[snarfed], KartikPrabhu and [Rose] joined the channel
#
Zegnat
If you want a client, you might be able to get there with default OAuth libraries. This year's IndieAuth spec update has focussed a lot on being more like default OAuth
#
Zegnat
Default OAuth just does not have discovery steps. So it does not know how to find the authorization and token endpoint by itself. It usually does not need to do this because OAuth providers provide these URLs to implementers for hard coding (e.g. Twitter only has the 1 URL). So you will end up having to implement that part of the IndieAuth spec yourself.
#
Zegnat
But you may not have to build PKCE or the other aspects of OAuth if you can use an existing lib.
#
Zegnat
We would also be very interested in hearing how people fare using standard OAuth libs. One of the reasons the `me` parameter was made optional in IndieAuth was in response to a ticket that said using OAuth libs was impossible as long as we required it.
cla, [tw2113_Slack_] and enpo joined the channel
#
[Raphael_Luckom]
cool, that helps. I bookmarked mindee, selfauth, and mintoken as auth server, auth endpoint, and token endpoint. If I can use an ots oauth client lib, I think that's pretty much everything I could possibly need. I saw the note about combining auth and token endpoints if you need both
#
Zegnat
Mindee was supposed to release today, but I am still puzzling with integrating Mintoken into the thing, so I am postponing it a little, hehe
geoffo joined the channel
#
[Raphael_Luckom]
oh, are you combining them yourself?
#
Zegnat
Yes. Things are easier when they are combined. Mintoken is the only separate token endpoint we know of besides tokens.indieauth.com, so integrated ones are the way to go
#
[Raphael_Luckom]
nice!
#
Zegnat
Mindee is basically me combining what I have done for Selfauth with my work in Mintoken
#
@ChrisAldrich
↩️ For a base introduction I’ve written a piece for A List Apart. For the more technical side, I recommend the IndieWeb wiki: * Webmentions page: https://indieweb.org/Webmention * Webmentions developer page: https://indieweb.org/Webmention-developer There should be lots of [more...] https://boffosocko.com/2020/12/30/55784499/?replytocom=306138#respond
(twitter.com/_/status/1344742779558105088)
#
Zegnat
Or at least, that is the goal. Hopefully there soon^{tm}
alex11 joined the channel
#
[Raphael_Luckom]
[Zegnat] I've been feeling grumpy today, but I'm finding it calming to port your implementations to node. It's fun to look up the php builtins you're using and compare / translate them to the node equivalents. I like the `hash_hmac` method better than what I have to do with `crypto` in node.
[chrisaldrich], pikseladam, hoschi-it, jamietanna, pikselaxam, gRegorLove and sp1ff joined the channel; nickodd left the channel