#dev 2021-01-01

2021-01-01 UTC
[Raphael_Luckom], geoffo and [snarfed] joined the channel
#
gRegorLove
[snarfed], trying out the Bridgy Chrome extension, think I got my first webmention from it!
#
gRegorLove
The logs on https://brid.gy/instagram/gregorlove don't show it yet, but maybe that part is delayed
#
gRegorLove
[snarfed]++
#
Loqi
[snarfed] has 35 karma in this channel over the last year (56 in all channels)
hoschi, gRegorLove_, [chrisaldrich] and [snarfed] joined the channel
#
[snarfed]
[gRegorLove] hmm not if your user page doesn’t show it. i have a new version that should work in chrome though! https://chrome.google.com/webstore/detail/bridgy/lcpeamdhminbbjdfjbpmhgjgliaknflj
gRegorLove_ joined the channel
#
gRegorLove_
That's the one I have, I uninstalled the previous one
#
gRegorLove_
oh, looks like it was a twitter backfeed, nevermind
[chrisaldrich], [fluffy], oodani, maxwelljoslyn, [tantek], [jeremycherfas], nickodd and [Emma_Humphries] joined the channel
#
drhitchcock[m]
Happy new year! I'm in the process of working through Sia's tutorial in setting up webmentions on an 11ty website, https://sia.codes/posts/webmentions-eleventy-in-depth/. As far as I can tell the code is set up correctly but there seems to be an issue connecting to webmentions.io or it isn't writing to the cache properly? The dashboard in websockets.io can see that likes have been posted in Twitter. Can anyone
#
drhitchcock[m]
help?? 🙏
#
Loqi
[Sia Karamalegos] An In-Depth Tutorial of Webmentions + Eleventy
hoschi, h0sch1, hoschi-it, leg and [KevinMarks] joined the channel
#
Zegnat
Starting 2021 by merging the Selfauth PRs :D
[snarfed] joined the channel
#
[snarfed]
[gRegorLove] you have some instagram backfeed now!
gxt, [KevinMarks] and geoffo joined the channel
#
jeremycherfas
is starting 2021 by snarling at Day One and looking around again at open-source journalling.
[Raphael_Luckom] joined the channel
#
[Raphael_Luckom]
I have some kinda basic-level questions about authn after looking around a little bit. First, I'm looking at the differences between tokens and cookies for session storage. Am I correct to think that cookies are more "indieweb" most of the time? It seems like cookies are better protected by the browser (but you need to watch out for csrf).
#
[snarfed]
by “tokens,” do you mean stateless, ie passed in query params or headers?
#
[snarfed]
sounds like a reasonable web dev question but probably orthogonal to indieweb specifically
#
[Raphael_Luckom]
yeah that's true.
#
[Raphael_Luckom]
I did mean stateless, but I think you're right that this may not be the venue...nvm
#
[snarfed]
they’re obviously different but in general both are fine
hoschi joined the channel
#
Zegnat
Eeh, you can store a token in a cookie ;) I think some context might be missing
#
[Raphael_Luckom]
This article is what I think I needed: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ --to [Zegnat]’s point, the relevant line is "The correct comparisons are "_sessions_ vs. JWT" and "cookies vs. Local Storage"."
#
sknebel
*JWT* specifically are not generic "tokens"
#
Zegnat
session vs JWT, from that article, is talking about whether you put the session *data* in the hands of the client (JWT) or in the hands of the server (ie. client only gets an opaque identifier)
#
[Raphael_Luckom]
the problem is that many resources that give advice on this conflate those terms as well. For instance, so far this morning I've seen places that recommend _never_ storing "tokens" on the browser. But by "tokens" I believe they're referring to something like JWTs (which makes sense if you decide that "tokens" and "session ids" are different, but not if you think they can both be called "tokens")
#
Zegnat
For sure a lot of conflating of terms in that field, yeah
#
Zegnat
But it also depends a lot on the context. E.g. OAuth is always going to call it tokens, because they do not define what those look like at all. So a JSON string is a perfectly valid "token" as far as the OAuth spec is concerned.
#
Zegnat
Whenever I see the word "token" I just think "opaque string of anything". Because in general I can't assign more meaning from reading just the word token.
#
[Raphael_Luckom]
yeah, I think of that as the "lex" meaning.
KartikPrabhu, maxwelljoslyn and [KevinMarks] joined the channel
#
aaronpk
OAuth intentionally chose the term “token” for that reason
#
Loqi
aaronpk: jeremycherfas left you a message 1 day, 7 hours ago: Just started getting an error from Telegraph `cURL error 23: Unrecognized content encoding type. libcurl understands deflate, gzip content encodings. (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)` but as far as I know nothing at my site has changed. Not sure how to troubleshoot this.
#
Loqi
aaronpk: jeremycherfas left you a message 1 day, 5 hours ago: Nevermind ^^^
#
aaronpk
“token” isn’t meant to mean anything in particular
#
aaronpk
JWT took the term “token” and added the “JSON Web” qualifier to it
#
aaronpk
and now people unfortunately refer to JWTs as “tokens” too
#
[Raphael_Luckom]
good clarification, thank you!
#
[KevinMarks]
hence the original logo of an NYC subway token?
#
GWG
I miss subway tokens
nickodd joined the channel
#
jamietanna[m]
<drhitchcock[m] "Happy new year! I'm in the proce"> Did you get a reply to this?
#
sknebel
jamietanna[m]++
#
Loqi
jamietanna[m] has 11 karma in this channel over the last year (26 in all channels)
#
sknebel
drhitchcock[m]: can you share an example link and more details?
shoesNsocks, shoesNsocks1, [Rose], [tw2113_Slack_], [Raphael_Luckom] and maxwelljoslyn joined the channel; nickodd left the channel
#
maxwelljoslyn
smh all of us over here building "reply from your website", meanwhile if I try to reply to the author of a sub stack mailing list the email To: field doesn't fill in and I can't figure how to do it
#
maxwelljoslyn
they offer a reply-to: field... which my email provider (Gmail, sigh) refuses to recognize as a mail address. dammit
[KevinMarks], [jeremycherfas] and gRegorLove joined the channel
#
jacky
I wonder if this is a bug in indielogin https://github.com/aaronpk/indielogin.com/issues/71
#
jacky
I don't think it is tbh
#
Loqi
[clawfire] #71 Can't login on clawfire.net using twitter
#
aaronpk
well that's weird
#
jacky
they don't have any rel=me info on their page
#
jacky
ooh I shouldn't have run that through xray then
[tantek] joined the channel
#
aaronpk
oh yea xray doesn't return rel=me i think
#
lahacker
was there any resolution to the whole IndieAuth through browser extension? runtime.getURL() will give you a valid moz-extension:// URL but Firefox will not allow for the redirection
geoffo and [Rose] joined the channel
#
lahacker
the server can't fetch a moz-extension:// URL either so both `client_id` and `redirect_uri` cannot be relied upon in this case however i *can* poll the server for a `code`
#
@clawfire
Trying to implement webmentions on my blog. It looks like a pain. And hard to test other than in prod.
(twitter.com/_/status/1345128431592333314)
#
aaronpk
interesting, sounds like we need a variation of the oauth device flow
#
lahacker
that's what i'm thinking
#
lahacker
i thought i'd bring it up; i'm finally bringing my framework's IA implementation up to spec and i have an extension ready to fit itself into the puzzle
#
lahacker
goes to look up "device flow" and finds Aaron Parecki in the first result
#
aaronpk
haha good
#
lahacker
so i know nothing about device flows other than i'm pretty sure they existed
#
aaronpk
how do other extensions do oauth?
#
lahacker
hah great question; i have no experience.. you mean just signing in to Twitter from within an extension? i can try to find one
#
aaronpk
yeah like this can't be the first time someone has tried to log in to something from an extension
#
sknebel
I think omnibear redirects you to its homepage
#
sknebel
and the extension captures that
#
[tantek]
what is Day One?
#
Loqi
It looks like we don't have a page for "Day One" yet. Would you like to create it? (Or just say "Day One is ____", a sentence describing the term)
#
[tantek]
jeremycherfas ^^^ good opportunity to quickly create a new stub page for us (since it's clearly related to an IndieWeb itch of yours) before the newsletter in 30 min!
#
[tantek]
or anyone else that has heard of or especially uses "Day One"
#
[tantek]
is it a daily journaling app? like does it prompt you or something?
#
lahacker
whoa aaronpk maybe you can make more sense of this; did you know it existed? https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity#Getting_the_redirect_URL
#
aaronpk
oh cool
#
aaronpk
google has something like that too i think
#
aaronpk
so you can use whatever that returns as the redirect url for the flow
#
lahacker
i'll do some more investigating; thanks for the pointer
#
drhitchcock[m]
<sknebel "drhitchcock: can you share an ex"> Sure thing.
#
drhitchcock[m]
uploaded an image: Screen Shot 2021-01-02 at 11.30.52 AM.png (194KiB) < https://matrix.org/_matrix/media/r0/download/matrix.org/QpRyyCrhaOEsesbdadzrtykn/Screen Shot 2021-01-02 at 11.30.52 AM.png >
[KevinMarks] joined the channel
[schmarty] joined the channel
[snarfed] joined the channel
#
[snarfed]
lahacker aaronpk just fyi i’m punting the entire indieauth flow to the server. browser extension generates a token, opens a URL on the server with that token to start the flow, and then the server stores that token with the auth result (eg the me value)
hoschi joined the channel
#
lahacker
response_type=token
#
[snarfed]
(one drawback of my punt is the browser extension won’t know if they completed the auth)
#
lahacker
browser.identity.getRedirectURL() == "https://c2da413af4461a7b2dad47ed791c118f0c4137c2.extensions.allizom.org/"
#
lahacker
and it actually went through my server and seemed to succeed; accidental benefit of having a null implementation
#
lahacker
except i have no clue what dimension i'm in with that url
#
lahacker
oh i just reran it.. yeah this should work
#
lahacker
response_type=token
#
lahacker
aaronpk does that mean anything to you?
#
aaronpk
response_type=token is the implicit flow, bad idea
#
jamietanna[m]
That's recently been removed from IndieAuth and I want to say OAuth2.1 too?
#
jamietanna[m]
Although I guess if there isn't an alternative 🤷🏽‍♂️
#
lahacker
k
#
aaronpk
indieauth never had the implicit flow
#
jamietanna[m]
Ah my bad, I was thinking about response_type=id
#
jamietanna[m]
On oauth.net there are a few code snippets that use `&amp;` instead of `&` is that expected? I don't mind raising a change request if it's OSS 👍🏽
#
aaronpk
i assume you mean oauth.com? there aren't code samples on oauth.net
#
aaronpk
it's managed by wordpress, let me know the pages and i can fix them
#
jamietanna[m]
Sorry yep I did mean that
jamietanna joined the channel