#dev 2021-01-01

2021-01-01 UTC
[Raphael_Luckom], geoffo and [snarfed] joined the channel
#
gRegorLove [snarfed], trying out the Bridgy Chrome extension, think I got my first webmention from it!
#
gRegorLove The logs on https://brid.gy/instagram/gregorlove don't show it yet, but maybe that part is delayed
#
gRegorLove [snarfed]++
#
Loqi [snarfed] has 35 karma in this channel over the last year (56 in all channels)
hoschi, gRegorLove_, [chrisaldrich] and [snarfed] joined the channel
#
[snarfed] [gRegorLove] hmm not if your user page doesn’t show it. i have a new version that should work in chrome though! https://chrome.google.com/webstore/detail/bridgy/lcpeamdhminbbjdfjbpmhgjgliaknflj
gRegorLove_ joined the channel
#
gRegorLove_ That's the one I have, I uninstalled the previous one
#
gRegorLove_ oh, looks like it was a twitter backfeed, nevermind
[chrisaldrich], [fluffy], oodani, maxwelljoslyn, [tantek], [jeremycherfas], nickodd and [Emma_Humphries] joined the channel
#
drhitchcock[m] Happy new year! I'm in the process of working through Sia's tutorial in setting up webmentions on an 11ty website, https://sia.codes/posts/webmentions-eleventy-in-depth/. As far as I can tell the code is set up correctly but there seems to be an issue connecting to webmentions.io or it isn't writing to the cache properly? The dashboard in websockets.io can see that likes have been posted in Twitter. Can anyone
#
drhitchcock[m] help?? 🙏
#
Loqi [Sia Karamalegos] An In-Depth Tutorial of Webmentions + Eleventy
hoschi, h0sch1, hoschi-it, leg and [KevinMarks] joined the channel
#
Zegnat Starting 2021 by merging the Selfauth PRs :D
[snarfed] joined the channel
#
[snarfed] [gRegorLove] you have some instagram backfeed now!
gxt, [KevinMarks] and geoffo joined the channel
#
jeremycherfas is starting 2021 by snarling at Day One and looking around again at open-source journalling.
[Raphael_Luckom] joined the channel
#
[Raphael_Luckom] I have some kinda basic-level questions about authn after looking around a little bit. First, I'm looking at the differences between tokens and cookies for session storage. Am I correct to think that cookies are more "indieweb" most of the time? It seems like cookies are better protected by the browser (but you need to watch out for csrf).
#
[snarfed] by “tokens,” do you mean stateless, ie passed in query params or headers?
#
[snarfed] sounds like a reasonable web dev question but probably orthogonal to indieweb specifically
#
[Raphael_Luckom] yeah that's true.
#
[Raphael_Luckom] I did mean stateless, but I think you're right that this may not be the venue...nvm
#
[snarfed] they’re obviously different but in general both are fine
hoschi joined the channel
#
Zegnat Eeh, you can store a token in a cookie ;) I think some context might be missing
#
[Raphael_Luckom] This article is what I think I needed: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ --to [Zegnat]’s point, the relevant line is "The correct comparisons are "_sessions_ vs. JWT" and "cookies vs. Local Storage"."
#
sknebel *JWT* specifically are not generic "tokens"
#
Zegnat session vs JWT, from that article, is talking about whether you put the session *data* in the hands of the client (JWT) or in the hand of the server (ie. client only gets an opaque identifier)
#
[Raphael_Luckom] the problem is that many resources that give advice on this conflate those terms as well. For instance, so far this morning I've seen places that recommend _never_ storing "tokens" on the browser. But by "tokens" I believe they're referring to something like JWTs (which makes sense if you decide that "tokens" and "session ids" are different, but not if you think they can both be called "tokens")
#
Zegnat For sure a lot of conflating of terms in that field, yeah
#
Zegnat But it also depends a lot on the context. E.g. OAuth is always going to call it tokens, because they do not define what those look like at all. So a JSON string is a perfectly valid "token" as far as the OAuth spec is concerned.
#
Zegnat Whenever I see the word "token" I just think "opaque string of anything". Because in general I can't assign more meaning from reading just the word token.
#
[Raphael_Luckom] yeah, I think of that as the "lex" meaning.
KartikPrabhu, maxwelljoslyn and [KevinMarks] joined the channel
#
aaronpk OAuth intentionally chose the term “token” for that reason
#
Loqi aaronpk: jeremycherfas left you a message 1 day, 7 hours ago: Just started getting an error from Telelgraph `cURL error 23: Unrecognized content encoding type. libcurl understands deflate, gzip content encodings. (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)` but as far as I know nothing at my site has changed. Not sure how to troubleshoot this.
#
Loqi aaronpk: jeremycherfas left you a message 1 day, 5 hours ago: Nevermind ^^^
#
aaronpk “token” isn’t meant to mean anything in particular
#
aaronpk JWT took the term “token” and added the “JSON Web” qualifier to it
#
aaronpk and now people unfortunately refer to JWTs as “tokens” too
#
[Raphael_Luckom] good clarification, thank you!
#
[KevinMarks] hence the original logo of an NYC subway token?
#
GWG I miss subway tokens
nickodd joined the channel
#
jamietanna[m] <drhitchcock[m] "Happy new year! I'm in the proce"> Did you get a reply to this?
#
sknebel jamietanna[m]++
#
Loqi jamietanna[m] has 11 karma in this channel over the last year (26 in all channels)
#
sknebel drhitchcock[m]: can you share an example link and more details?
shoesNsocks, shoesNsocks1, [Rose], [tw2113_Slack_], [Raphael_Luckom] and maxwelljoslyn joined the channel; nickodd left the channel
#
maxwelljoslyn smh all of us over here building "reply from your website", meanwhile Iif I try to reply to the author of a sub stack mailing list the email To:field doesn't fill in and I can't figure how to do it
#
maxwelljoslyn they offer a reply-to: field... which my email provider (Gmail,ssigh) refuses to recognize as a mail address. dammit
[KevinMarks], [jeremycherfas] and gRegorLove joined the channel
#
jacky I wonder if this is a bug in indielogin https://github.com/aaronpk/indielogin.com/issues/71
#
jacky I don't think it is tbh
#
Loqi [clawfire] #71 Can't login on clawfire.net using twitter
#
aaronpk well taht's weird
#
jacky they don't have any rel=me info on their page
#
aaronpk i see some https://pin13.net/mf2/?url=https%3A%2F%2Fclawfire.net%2F
#
jacky ooh I shouldn't have run that through xray then
[tantek] joined the channel
#
aaronpk oh yea xray doesn't return rel=me i think
#
lahacker was there any resolution to the whole IndieAuth through browser extension? runtime.getURL() will give you a valid moz-extension:// URL but Firefox will not allow for the redirection
geoffo and [Rose] joined the channel
#
lahacker the server can't fetch a moz-extension:// URL either so both `client_id` and `redirect_uri` cannot be relied upon in this case however i *can* poll the server for a `code`
#
@clawfire En train d'essayer d'implémenter webmentions sur mon blog. Ça a l'air chiant. Et difficile à tester autrement qu'en prod. (twitter.com/_/status/1345128431592333314)
#
aaronpk interesting, sounds like we need a variation of the oauth device flow
#
lahacker that's what i'm thinking
#
@cld ↩️ Webmentions ? (twitter.com/_/status/1345129174730731522)
#
lahacker i thought i'd bring it up; i'm finally bringing my framework's IA implementation up to spec and i have an extension ready to fit itself into the puzzle
#
lahacker goes to look up "device flow" and find's Aaron Parecki in the first result
#
aaronpk haha good
#
lahacker so i know nothing about device flows other than i'm pretty sure they existed
#
aaronpk how do other extensions do oauth?
#
lahacker hah great question; i have no experience.. you mean just signing in to Twitter from within an extension? i can try to find one
#
aaronpk yeah like this can't be the first time someone has tried to log in to something from an extension
#
sknebel I think omnibear redirects you to its homepage
#
sknebel and the extension captures that
#
[tantek] what is Day One?
#
Loqi It looks like we don't have a page for "Day One" yet. Would you like to create it? (Or just say "Day One is ____", a sentence describing the term)
#
[tantek] jeremycherfas ^^^ good opportunity to quickly create a new stub page for us (since it's clearly related to an IndieWeb itch of yours) before the newsletter in 30 min!
#
[tantek] or anyone else that has heard of or especially uses "Day One"
#
[tantek] is it a daily journaling app? like does it prompt you or something?
#
lahacker whoa aaronpk maybe you can make more sense of this; did you know it existed? https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity#Getting_the_redirect_URL
#
aaronpk oh cool
#
aaronpk google has something like that too i think
#
aaronpk so you can use whatever that returns as the redirect url for the flow
#
lahacker yeah https://github.com/mdn/webextensions-examples/tree/master/google-userinfo
#
lahacker i'll do some more investigating; thanks for the pointer
#
drhitchcock[m] <sknebel "drhitchcock: can you share an ex"> Sure thing.
#
drhitchcock[m] uploaded an image: Screen Shot 2021-01-02 at 11.30.52 AM.png (194KiB) < https://matrix.org/_matrix/media/r0/download/matrix.org/QpRyyCrhaOEsesbdadzrtykn/Screen Shot 2021-01-02 at 11.30.52 AM.png >
#
drhitchcock[m] sent a long message: < https://matrix.org/_matrix/media/r0/download/matrix.org/kuUQQqVvjxmwaYZejVUDciIH/message.txt >
#
drhitchcock[m] sent a long message: < https://matrix.org/_matrix/media/r0/download/matrix.org/EcGRcLJNGipBHHnQWLjSTuFD/message.txt >
#
drhitchcock[m] sent a long message: < https://matrix.org/_matrix/media/r0/download/matrix.org/kGylvyrRLLjHcQCfloyMRxwX/message.txt >
#
drhitchcock[m] sent a long message: < https://matrix.org/_matrix/media/r0/download/matrix.org/eUWqNUPMFSJxkcAeykDgXkbZ/message.txt >
[KevinMarks] joined the channel
#
drhitchcock[m] sent a long message: < https://matrix.org/_matrix/media/r0/download/matrix.org/FCsXeebvjypnrAiSkJeNzFva/message.txt >
[schmarty] joined the channel
#
@clawfire ↩️ https://indieweb.org/Webmention https://indiewebify.me/ (twitter.com/_/status/1345145047050805254)
[snarfed] joined the channel
#
[snarfed] lahacker aaronpk just fyi i’m punting the entire indieauth flow to the server. browser extension generates a token, opens a URL on the server with that token to start the flow, and then the server stores that token with the auth result (eg the me value)
hoschi joined the channel
#
lahacker this looks promising: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/identity/launchWebAuthFlow#Examples
#
lahacker response_type=token
#
[snarfed] (one drawback of my punt is the browser extension won’t know if they completed the auth)
#
lahacker browser.identity.getRedirectURL() == "https://c2da413af4461a7b2dad47ed791c118f0c4137c2.extensions.allizom.org/"
#
lahacker and it actually went through my server and seemed to succeed; accidental benefit of having a null implementation
#
lahacker except i have no clue what dimension i'm in with that url
#
lahacker oh i just reran it.. yeah this should work
#
lahacker response_type=token
#
lahacker aaronpk does that mean anything to you?
#
aaronpk response_type=token is the implicit flow, bad idea
#
jamietanna[m] That's recently been removed from IndieAuth and I want to say OAuth2.1 too?
#
jamietanna[m] Although I guess if there isn't an alternative 🤷🏽‍♂️
#
lahacker k
#
aaronpk indieauth never had the implicit flow
#
jamietanna[m] Ah my bad, I was thinking about response_type=id
#
jamietanna[m] On oauth.net there are a few code snippets that use `&amp;` instead of `&` is that expected? I don't mind raising a change request if it's OSS 👍🏽
#
aaronpk i assume you mean oauth.com? there aren't code samples on oauth.net
#
aaronpk it's managed by wordpress, let me know the pages and i can fix them
#
jamietanna[m] Sorry yep I did mean that
jamietanna joined the channel
#
jamietanna https://www.oauth.com/oauth2-servers/indieauth/sign-in/ and https://www.oauth.com/oauth2-servers/device-flow/token-request/ are the ones I've definitely spotted today
#
jamietanna Also should https://www.oauth.com/oauth2-servers/indieauth/discovery/ point to a https://indieauth.spec.indieweb.org/ ?