#dev 2021-05-31
2021-05-31 UTC
KartikPrabhu, wagle, shoesNsocks1, [jeremycherfas], geman, geman-, [KevinMarks], barnaby, jngldwf and [Shane_Gough] joined the channel
# [Shane_Gough] Hello everybody. Just discovered the IndieWeb idea (and Wiki) and love the concept. I have a few questions though relating to the various protocols and I hope you can help. I apologise if I have missed some details in the various specs 😞
# [Shane_Gough] First off, the MicroPub protocol makes sense but the MicroSub protocol is described as a way to `consume and interact with feeds collected by a server` - how should I export the feed created by new entries created by MicroPub?
# [Shane_Gough] Thank you all 🙂 Very friendly group - more than most 🙂
# [Shane_Gough] [sknebel] I got that - but what is the best format to expose my feed? RSS, Atom? Is there a JSON format that is preferred?
# [Shane_Gough] Ahh, ok - so just the markup in the HTML is enough?
# [Shane_Gough] Ok, is there a preferred machine readable format though? In JSON or something?
# [Shane_Gough] Ok, just thinking about things like malformed HTML etc. In Python or PHP you can probably process that fairly easily but in something like C# it's a bit of a pain 😞
# barnaby hmm yeah I think we don’t have a C# mf2 parser yet https://microformats.org/wiki/microformats2#Parsers
# [Shane_Gough] I am sure it could be done but it would probably be messy 😞 Subcontracting that out to a separate service written in the appropriate language would probably be better.
# [Shane_Gough] Yes, or have a separate parser service that just pushes JSON to a queue for processing by the C# service.
# [Shane_Gough] Or invoke a binary - whatever the architecture you are using is 🙂
# barnaby looks like C# has some pretty good HTML parsing tools already! https://html-agility-pack.net/
# [Shane_Gough] Ok, next question 🙂 What if the post (in HTML in RSS or Atom feed) cannot be turned into a valid mf2 structure? (is that correct - mf2 or do you prefer microformats2)?
# [Shane_Gough] If there are nice stable implementations that exist I would prefer to use them rather than re-invent the wheel 🙂
# [Shane_Gough] I want to do *my* nice funky stuff - not build everyone elses again 🙂
# [Shane_Gough] And probably badly 😛
# [Shane_Gough] So the mf2 structures are still a bit flexible?
# [Shane_Gough] Oh, that's not too bad. I mean worst case it includes the link to the source so you can go and have a look at that anyway.
# barnaby I think https://indieweb.org/XRay is the best example of a service which performs these sorts of transformations https://indieweb.org/XRay
# [Shane_Gough] That is a great resource, thanks.
# [KevinMarks] also indiewebify.me gives a walkthrough of marking up your page
# [Shane_Gough] What about visibility scope? I mean something like posts can be `public` (default), `private` (only visible to the author) or `restricted` (visible to a whitelist of subscribers). Those were just my initial thoughts - it seems that the assumption is that everything is public.
# barnaby there has been some work done on private posts https://indieweb.org/private_posts
# [Shane_Gough] Hah, I just realised the whole concept of `restricted` would never work 😞 If I allow you to see my post there is nothing stopping you from reposting it anyway so it may as well be public.
# [KevinMarks] google deck on competing app stores in china leaked via court case https://twitter.com/benedictevans/status/1399292996823269377?s=20
# @benedictevans What happens when there are competing smartphone app stores? China is a case study. 700m+ Androids without Google services. Result: complexity… and higher commissions. https://pbs.twimg.com/media/E2tJhmLWYAA1jea.png (twitter.com/_/status/1399292996823269377)
# [Shane_Gough] Yeah, it's more by accident than malicious intent is what I was thinking about. Both are possible of course.
# [Shane_Gough] So I'm thinking that it would be an implementation detail of the microblog itself - if you are logged in as the author you can see all posts made by that author, and you can mark posts as only visible by the author. If you are not the author then you only see public posts.
# [Shane_Gough] I am just thinking that I have a 'real' (haha) job that might have me saving links as part of my diary that I either don't want to (or am not allowed to) share with others.
# [Shane_Gough] I think many people can think of similar examples 🙂
# [Shane_Gough] Some might be a bit too personal 😛
# [Shane_Gough] Yeah, what I really want is a shared UI, not so much a shared data source.
# [Shane_Gough] Both I guess - I am still trying to build up the perfect scenario in my head.
# [Shane_Gough] So imagine this - you are building up a set of best practices to make docker containers, helm charts and local testing scripts to achieve a particular purpose for the company that is paying you money. A lot of the stuff you come across and the ideas you have are pubic (based on public examples) but the final implementation you do is private (refers to company internal policies, urls, etc). So you need to split them for security
# [Shane_Gough] but for your own 'stream of consciousness` to figure out how you got from point A to point B you want to see everything.
# [Shane_Gough] Does that make some kind of sense?
# [Shane_Gough] Some of the bookmarks could be to internal company domains - or maybe not as internal as they like depending on the skill of the security team 😞
# [Shane_Gough] The difference between 'work' and 'personal' is so blurred now 😞 I am already thinking of a MicroSub based reader that I could deploy inside the company I work for as a way to collect events from various internal systems and let people subscribe to the ones that interest them.
# [Shane_Gough] I guess I am thinking about the whole stream thing as a lifelog - and there are different parts of your life that you share with different people. I guess `public` and `private` are enough - there are plenty of other channels available for `restricted`
# [Shane_Gough] Seems like an implementation specific feature (if you are logged in, and subscribed to my channel then you get to see my 'restricted' stuff and I trust you not to share it even by accident).
# [Shane_Gough] Well, what is the bearer token in the request?
# [Shane_Gough] Oh, ok - sorry. I just clicked - if there is a bearer token it will be from the reader app right? Not the actual user of the reader app?
# aaronpk if you're interested, start by reading up on https://indieweb.org/IndieAuth
[schmarty] and [tw2113_Slack_] joined the channel
# [Shane_Gough] Thanks, I will have a read
# [Shane_Gough] I have to say - you guys are really great at linking to specific examples and documentation or chats 🙂
# [Shane_Gough] I wish I could get the people inside the company I work for to do the same 🙂 Haha
# [Shane_Gough] Ok, thank you everybody. I have enough to start to implement a microblog site that supports `private` posts I think.
shoesNsocks joined the channel
# [Shane_Gough] Hmm, what tools exist for testing an authentication server (https://indieweb.org/authorization-endpoint#Auth_code_verification) running on localhost?
# [Shane_Gough] I would like to test locally first before exposing on public domains.
# [Shane_Gough] Oh, are there any that are purely web based? Like SPA style? I remember reading some of your blog posts linked from the Wiki but they were from 2015 or 2018 😞
# aaronpk there should be some SPA ones if you want that https://indieweb.org/Micropub/Clients
# [Shane_Gough] Hahaha 🙂 Fair enough 🙂 But JS has changed enough that things from 4 years ago don't actually work now 😞
# [Shane_Gough] Haha - at least JS has better backward compatibility than iOS or Android code so far
# [Shane_Gough] Um, ok - I have to admit I have no idea how end user auth flow works 😞 I work on backend and infrastructure provisioning - so someone gives us an API token and we plug that into requests. When it breaks we ask for a new one.
# aaronpk the guides on https://indieauth.net should help
# aaronpk if you want a high level overview then this is good https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
# [Shane_Gough] From reading through this spec - https://indieweb.org/authorization-endpoint - it shows a page with permission (scope) requests and the serving page decides what to request to verify?
# [Shane_Gough] So if I decided to use Google or Facebook or Twitter as an authentication backend that wouldn't be a problem? I could ask them to do that on my page and when I got the response generate the `code` to send back?
# [Shane_Gough] But this isn't OAuth flow is it? In this case I could pop up a page that asks for a plain text password and generate whatever code I want?
# [Shane_Gough] Or just saying 'yes' to any login?
# [Shane_Gough] Ok, so this is where the trust comes in 🙂
# [Shane_Gough] And also support for approved lists or ignore lists?
# [Shane_Gough] But if I am building something for more than one user?
# [Shane_Gough] Or if I was a complete a**h**e and decided to build a system that supported multiple IndieWeb users?
# [Shane_Gough] Never mind, we are getting off topic. If you can recommend a link, chat, forum or something for security I would appreciate it 🙂
# [Shane_Gough] Oh yes, I recognise that.
# [Shane_Gough] But ideally, to be open, I should accept users from their own sites right?
# @polarbirke ↩️ I‘m using „Comment“ button to Twitter reply with URL to Webmention myself. (twitter.com/_/status/1399431791413452807)
# [Shane_Gough] Maybe I don't have a complete understanding of the flow here - If you allow auth by domain and let me publish as that user I can push content to your site?
# aaronpk so if you log in to https://quill.p3k.io for example, quill needs an access token from your site so that it can post to your site
# [Shane_Gough] So I could set up a domain that auths everyone, login to your site as that user, and then push a bunch of rubbish until you block me?
# barnaby [Shane_Gough]: e.g. you can log in to https://waterpigs.co.uk/, and view my posting UI e.g. https://waterpigs.co.uk/notes/new, but it won’t let you post to my site, and if you log in with a micropub endpoint configured, my posting UI will create a post on *your* site!
# [Shane_Gough] I understand limiting posts to owners (or registered users of a site). But what about comments?
# Loqi A comment is a reply syndicated into the context of the original post https://indieweb.org/comment
# [Shane_Gough] Ah, ok
# aaronpk here's an overview post of how that flow works https://aaronparecki.com/2018/06/30/11/your-first-webmention
# [Shane_Gough] Sorry everybody, I really am not trying to be contrary - I am just trying to get it sorted in my head 😞
# barnaby you’re kinda jumping in the deep end by starting out implementing an indieauth server! might be worth starting out by working through the steps here to indiewebify your personal site and get familiar with how the most common indieweb building blocks work https://indiewebify.me/
# [Shane_Gough] So, from what I understand the auth process returns a `code` which is basically a string? The consumer will then try to verify it by passing it back to the same URL?
# [Shane_Gough] 555 - ok, I completely agree with that - jumping in with an auth server is probably the deep end 😞
# Zegnat barnaby: https://sink.zegnat.net/
# aaronpk this is also a good overview of indieauth https://aaronparecki.com/2021/04/13/26/indieauth
# Zegnat barnaby: in case you are looking at test tools, there is also https://commentpara.de/ which can function as both an anonymous indieauth endpoint as well as a place to write webmention-powered comments without needing to use your own site.
# [Shane_Gough] Oh my, if I insulted you about mentioning dates I am sorry 😞
# [Shane_Gough] I can tell from the rest of your posts you had other things on your mind
# [schmarty] [Shane_Gough] I can't speak for aaronpk but I doubt the dates mention was taken as insulting. that said, there _is_ a recurring theme that the constant churn and re-invention of web development tooling makes anything with a date on it increasingly seem "old".
# [schmarty] haha oh the timing
[dianoetic] joined the channel
# [dianoetic] I took the dates off my list pages for just that reason aaronpk
# [schmarty] indieweb building blocks tend to be developed through consensus as folks actually build them to interoperate. and they're typically scoped to solve specific problems, so a given spec (like IndieAuth) might "just work" for years between major changes.
# [dianoetic] Still trying to find a balance between garden and "recent news"
# Zegnat I like what https://maggieappleton.com/garden/ is doing where posts will mature over time (seedling -> evergreen), which instantly makes me think of them differently versus normal time stamping.
# @petergoes ↩️ Maybe something like: Netlify forms -> Webhook notification -> Netlify Function stores it somewhere (firebase?) -> fetch all on build?
I did something similar with webmentions: https://www.petergoes.nl/blog/review-webmentions-before-publishing-with-github-actions/ (https://www.petergoes.nl/replies/2021-05-31-19-18/) (twitter.com/_/status/1399445513372684293)
KartikPrabhu, chee, jeremycherfas and [dianoetic] joined the channel