#dev 2021-02-06

2021-02-06 UTC
ShadowKyogre joined the channel
# 00:02 
Saphire So what's "code_challenge" from indielogin?
# 00:03 
jacky hold on, I got a link!
# 00:03 
jacky https://aaronparecki.com/2020/12/03/1/indieauth-2020#pkce
[chrisaldrich] joined the channel; ShadowKyogre left the channel
# 00:18 
Saphire Also I'm still confused about the whole uh. Auth vs token thing?
# 00:18 
Saphire I need an example/use case of why those are separate things >.>
# 00:19 
aaronpk trying to think if i have a link handy
# 00:23 
aaronpk i build up to this idea in my oauth course, but i think that way of describing it hasn't been written down elsewhere yet
# 00:23 
jacky have you seen https://indieauth.spec.indieweb.org yet (if you're into reading specs)?
# 00:24 
jacky if not, https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web might be a bit more of a better read
# 00:24 
aaronpk i kinda talk about it in this video too https://www.youtube.com/watch?v=KT8ybowdyr0
# 00:24 
jacky tl;dr: IndieAuth == OAuth but optimized for inter-site communcation without the client secret fuzz
# 00:25 
Saphire https://paseto.io/ - also, wonder if this will be useful to anyone?
# 00:25 
aaronpk eh you don't need either that or jwt for a simple indieauth implementation
# 00:25 
aaronpk (true of oauth too)
# 00:26 
Saphire Oh meant in general ^^
# 00:26 
Saphire Tangentially remembered about that when thinking of tokens and especially "bakind code in"
# 00:30 
jacky interesting
# 00:31 
jacky my setup uses jwts by default (I never bothered to switch it off)
# 00:33 
Saphire JWT are.. highly fragile, but "fine" if done correctly
# 00:33 
Saphire It's just that doing them correctly might not be trivial
# 00:33 
Saphire Or at least, not clear enough and easy to miss an issue
# 00:36 
jacky yeah
# 00:37 
Saphire See good old "alg=none" ^-^
# 00:37 
jacky ha right
# 00:38 
jacky ooh I can just drop this into my project
# 00:38 
jacky https://github.com/ueberauth/guardian_paseto
# 00:38 
Loqi [ueberauth] guardian_paseto: A Guardian.Token implementation for Paseto tokens (https://paseto.io)
# 00:39 
Saphire Eee. Neat o:
[schmarty]1, [KevinMarks]1, ShadowKyogre and [tw2113_Slack_] joined the channel; ShadowKyogre left the channel
# 01:35 
Saphire "The client SHOULD provide the me query string parameter to the authorization endpoint"
# 01:36 
Saphire Uhh, only should? So applications /may/ assume that a user page uses an exclusive auth endpoint?
# 01:37 
jacky thinks about that for a moment
# 01:37 
jacky yeah! there's a chance that the user page might need a different type of authorization (so a different endpoint could be provided) or maybe they change it depending on who's asking (think: multiple identities/ACLs from one user/domain/URL)
# 01:37 
jacky granted, that sounds a bit complex in theory
# 01:38 
jacky but it's possible with a site that holds more than one user (like if Mastodon wanted to use specific URLs)
# 01:39 
Saphire I mean, if the specific user instance does not care about me parameter, it is very much free to ignore it. But a client app potentially not proving a "me" value to a multi-tenant auth host because it assumes single-tenant only use case, uh, sounds problematic?
# 01:40 
jacky I'm not very good with specific language stuff like this in specs, tbh, but I _think_ that client apps NOT providing a 'me' parameter wouldn't be a thing
# 01:41 
jacky in the sense that, without it, you can't do the resolving of their authentication _or_ token endpoints
# 01:41 
Saphire Well, it is apparently allowed by spec to fetch a provided "me" url, get auth endpoint, and not give the "me" to said endpoint?
# 01:41 
Saphire Unless I'm misreading
# 01:42 
jacky what part of the spec are you up to? there's a chance it explains itself later on
# 01:42 
Saphire Ooh
# 01:42 
Saphire Right, wait
# 01:42 
Saphire The auth page would be able to determine user it is going to verify by itself v:
# 01:42 
Saphire Right
# 01:44 
jacky :)
# 01:44 
jacky always glad to talk over this stuff - both parties get more understanding
# 01:45 
Saphire The section about "treat me parameter as insecure/compromised data" (paraphrasing) kinda made me understand that ^^
[Tim_Nolte] and ShadowKyogre joined the channel
# 02:43 
Saphire So.. never allow any potentially malicious/untrusted actor be able to put a ref link or control your headers to mess with what auth endpoint is used..
# 03:21 
aaronpk I mean, generally yeah I'm not gonna let random people change my website :-)
ccchapman and alex11 joined the channel
# 05:35 
@reinhart1010 ↩️ Kalau saya, karena sering nulis blog di lebih dari satu tempat, sering reupload konten blog di situs baru saya http://reinhart1010.github.io.

Situs ini masih belum ada fitur like dan komentar (meskipun rencananya mau ditambahkan webmentions), jadi saya juga naruh link artikel aslinya. (twitter.com/_/status/1357924947926999044)
dopplergange, gRegorLove_, dhanesh, silo, nickodd, [KevinMarks] and jamietanna joined the channel
# 12:48 
jamietanna The removal of the `me` parameter also allows you to use a general-purpose OAuth2 client, instead of an IndieAuth specific client
# 12:49 
jamietanna If no `me` is provided, it's up to the user who they want to authenticate as. And tbh, even if there was a `me`, the authorization server doesn't have to listen to it - users can choose what identity they want
# 14:09 
Saphire Yeah, realized that later ^^'
# 14:14 
jamietanna I'm interested in giving PASETO a go, but I use JWT so much and I don't like change D:
# 14:14 
jamietanna Does sound super interesting though
silo joined the channel
# 15:34 
Saphire Hm.. is it worth having both h-card and older vcard-y thing too on, well, page with that?
silo and KartikPrabhu joined the channel
# 16:00 
Saphire So uh.. kinda trying to make own mock-up of a login screen for 3rd party indielogin, well, login. But having some difficulty and kinda want to see already existing examples and I'm not sure where to get them ^^'
# 16:00 
aaronpk there are some examples here! https://indieweb.org/consent_screen
# 16:03 
GWG I love some of those examples and wish to add some of them to mine.
# 16:03 
GWG Like the PKCE alert
# 16:03 
GWG aaronpk: That might be a good way to get people to adopt the new pieces.
# 16:05 
GWG I see people doing it, but I'm wondering if it is worth putting somewhere people trying to implement will see it.
# 16:09 
Saphire Ooh. How does your look?
# 16:09 
GWG I should screenshot mine and add it.
# 16:11 
Saphire Meanwhile I'm trying to go for a minimalistic one, but it's.. slightly difficult ^^'
# 16:12 
Saphire Wondering whether a pop-up or collapsible would be good, hm
shoesNsocks1 joined the channel
# 16:14 
Saphire Currently having an issue of the app URL being a bit long to easily fit <.<
KartikPrabhu joined the channel
# 16:27 
GWG There's mine.
alex11, [KevinMarks], silo and ccchapman joined the channel
# 17:07 
Saphire Heh.. one day I will get myself an image share/drop thing set up. For now just trying to figure out how to throw in the current mockup result for login consent?
# 17:10 
Saphire https://cdn.discordapp.com/attachments/523706669805338627/807659353694797874/unknown.png annoyingly Discord is better than Imgur nowadays thanks to not serving those uh.. <strong words> redirects to "feature rich" pages
# 17:18 
Saphire Maybe pillage Mozilla for some icons.. also not sure whether to put. PKCE on top of bottom. And in general unsure of layout but I think it works mostly >.>
alex11 joined the channel
# 17:23 
Saphire ...also not even sure what's up with the font and it just slightly not getting properly aligned vertically x.x
silo joined the channel
# 18:01 
leo60228 if i'm using Bridgy and i link someone else's Webmention-compatible site on a site that i have Bridgy linked to will they receive a Webmention?
[snarfed] joined the channel
# 18:15 
[snarfed] bridgy does that for hosted blog silos, but not for arbitrary web sites. https://brid.gy/about#blogs
ShadowKyogre, blade82, nickodd and [benatwork] joined the channel; ShadowKyogre left the channel
# 19:33 
leo60228 [snarfed]: gotcha
# 19:33 
leo60228 the specific thing i was curious about was whether if i linked a webmention-compatible site in a github commit message they would get a webmention
# 19:34 
leo60228 i suppose i could just send the webmention manually from my cli
ShadowKyogre, [KevinMarks] and leg joined the channel; ShadowKyogre and nickodd left the channel
# 20:33 
Saphire https://media.discordapp.net/attachments/523706669805338627/807710395925528626/unknown.png ...I probably should do this with actual css rather than in dev tools >.>
leg joined the channel; ShadowKyogre left the channel
# 20:43 
jacky nah devtools >>>
# 20:43 
jacky I tend to do it all there
# 20:43 
jacky then do "Copy Outer HTML" and adjust in my code
# 20:43 
jacky who needs Sketch? lol
# 20:46 
Saphire Pfff
# 20:46 
Saphire And uh. Isn't Sketch Mac only
# 20:47 
jacky yeah
# 20:47 
jacky there's another thing but I forget the name
# 20:47 
jacky I was a big fan of Pencil
# 20:47 
jacky https://pencil.evolus.vn/
ShadowKyogre and leg joined the channel; ShadowKyogre left the channel
# 22:05 
@nhoizey ↩️ Right, everybody should stop using Disqus:
https://nicolas-hoizey.com/articles/2017/07/27/so-long-disqus-hello-webmentions/ (twitter.com/_/status/1358173784306515974)
ShadowKyogre left the channel
# 22:39 
lahacker i'd like to search my micropub endpoint for presence of a URL (eg. the like-of property of an entry) so i can light up my extension icon when i'm on a page i've interacted with before
# 22:40 
jacky yup
# 22:40 
lahacker i think i can use microsub's https://indieweb.org/Microsub-spec#Searching_for_Content to pluck out URLs from feeds i'm following
# 22:40 
jacky this is something I think we've discussed for this
# 22:40 
jacky re: micropub and finding a post/entry by a property
# 22:40 
lahacker i see some faint mention of "search" on the micropub pages
# 22:40 
jacky https://indieweb.org/Micropub-extensions
# 22:40 
jacky would have it
# 22:41 
jacky I think it's this one https://indieweb.org/Micropub-extensions#Filter_Parameters_in_Query_for_Post_List
# 22:41 
jacky something like `?q=source&exists[]=like-of&property-like-of=$URL`
# 22:42 
jacky ^ that's a hard check imo, you wouldn't need the `exists[]` if you know you're looking for a particular property
# 22:46 
lahacker since it seems "filter" is intended to be used in a letter-by-letter sort of fashion for autocomplete.. how about ?q=source&search=https://indieweb.org
# 22:46 
lahacker i'd prefer to keep it as general a search as possible
# 22:47 
jacky I don't follow
# 22:47 
jacky https://github.com/indieweb/micropub-extensions/issues/4 has more info about this extension btw
# 22:47 
Loqi [EdwardHinkle] #4 Query for Post List
# 22:47 
lahacker ah ok
# 22:47 
lahacker thanks
# 22:47 
jacky np!
# 22:48 
jacky this is something I've wanted for my social readers as well tbh :)
# 23:20 
@jamesvandyne Got the start of the indieauth authorization flow working and the base models setup.
https://tanzawa.jamesvandyne.com/7b4add9a-9a3a-4484-9823-d54e6b44f4da (twitter.com/_/status/1358193591806398464)
# 23:27 
jacky like if someone signed in with their site, it'd automatically highlight action buttons (like reposting, etc) and allow for removal of said changes
# 23:28 
jacky tbh!
# 23:32 
jacky I can even see indiebookclub using it to pre-load books and reading options