#dev 2021-08-15

2021-08-15 UTC
#
cambridgeport90[
<jamietanna> "barryfrost's Vibrancy is another..." <- I have tried messing with that, though not too familiar with it, honestly.
kimberlyhirsh[d], alex11 and hendursa1 joined the channel
#
capjamesg[d]
I have another micropub question...
#
capjamesg[d]
So I am using IndieAuth to get a token for authenticating with my domain.
#
capjamesg[d]
I get that token.
#
capjamesg[d]
What do I do with it?
#
capjamesg[d]
I know I need to store it but I can't figure out how to do that in Flask.
#
capjamesg[d]
I have read Flask's default session[] isn't very secure.
#
vikanezrimaya
session[] is mostly designed to protect from tampering with cookies. If your tokens are opaque blobs (which they should be), you can safely save one in a cookie or in localStorage
#
vikanezrimaya
I assume you're building a Micropub client, right?
tetov-irc and oodani joined the channel
#
capjamesg[d]
Yeah, I am.
#
capjamesg[d]
I am tearing my hair out over IndieAuth login though. I keep getting a code invalid error.
hendursa1 joined the channel
#
capjamesg[d]
I have a token but I can't seem to verify it with Python.
#
capjamesg[d]
"code": session["access_token"],
#
capjamesg[d]
I send: data = {
#
capjamesg[d]
"client_id": "http://localhost:5000"
#
capjamesg[d]
"redirect_uri": "http://localhost:5000/callback",
#
capjamesg[d]
I don't understand why I get the "Invalid code provided" error when I am using a code I just generated.
#
capjamesg[d]
Can you not use IndieAuth with localhost?
#
capjamesg[d]
Never mind. flask_indieauth has saved the day!
alex11, nertzy, GWG and hendursaga joined the channel
#
cambridgeport90[
So... am I right that most of the dev stuff's just JSON? (probs need to learn that, then.)
[jeremycherfas] and KartikPrabhu joined the channel
#
capjamesg[d]
I'm almost done with the Flask questions 🙂 One more...
#
capjamesg[d]
!tell vikanezrimaya Can I use Flask-Session for storing the tokens? Or is the best idea to create a db and save each token in there?
#
Loqi
Ok, I'll tell them that when I see them next
#
capjamesg[d]
I know storing my auth token in a cookie in plain text is not a good idea. How should I best store it so it can be sent in micropub requests by my client?
[snarfed] joined the channel
#
[snarfed]
capjamesg why is that not a good idea? it's how pretty much all web site auth works
#
capjamesg[d]
Let's say my IndieAuth token is "capjamesg123" (obviously it's not).
#
capjamesg[d]
That token can be used to retrieve information from my micropub endpoint / create posts, etc.
#
capjamesg[d]
Is storing that in a cookie okay?
#
capjamesg[d]
(Assuming there is CSRF protection on the form).
#
capjamesg[d]
The easiest way to send the bearer token to my endpoint from the client would be via a hidden HTML field. Which is why having the token in a cookie would be so much more convenient.
#
capjamesg[d]
Oh, well that has saved me a lot of time!
#
capjamesg[d]
By the way, I thank everyone who put together the Micropub Wiki page. It is amazing!
#
[snarfed]
auth cookies are generally expected to be sent over SSL, and browser cookie storage on the local device is also expected to be secure (modulo user login etc), so you're fine
KartikPrabhu, [chrisaldrich], klez and alex11 joined the channel
#
cambridgeport90[
I had sort of a general question... for general Git development, is it better to have your main source of development on personal projects github.com, or gitlab.com. I sort of get annoyed at GitHub taking away the ability for folks to subscribe to the RSS feeds of their favourite developers, but is it a good idea to switch just because of RSS? I'm cambridgeport90 on both... and I like the automatic CI/CD features that GitLab has.
tetov-irc joined the channel
#
Loqi
vikanezrimaya: capjamesg[d] left you a message 7 hours, 28 minutes ago: Can I use Flask-Session for storing the tokens? Or is the best idea to create a db and save each token in there?
#
vikanezrimaya
The better option would be of course just hosting your own git repositories. cgit and gitolite are your friends, and if you want CI, you can make your own and host it yourself or in the cloud
#
vikanezrimaya
Loqi: capjamesg[d] personally I'd say having somebody else's tokens in a database on my server is too much of a temptation. Use cookies or localStorage
#
Loqi
I'm pretty sure localstorage
#
vikanezrimaya
Don't forget to save the "me" value too!