#[fluffy]It’s about time I finally get around to adding PKCE support to Authl. Are there any IndieAuth providers that I can use for the purpose of testing the implementation?
#[fluffy]something like indieauth.rocks except, y’know, existing
#[fluffy]I guess I could see if SelfAuth supports it yet
#rattroupe[d]In fact until recently it required PKCE, I had to fix a bug to make it work with legacy clients like beesbuzz
#[fluffy]Authl is the client, beesbuzz.biz is just a site that uses Authl 😛
#[fluffy]From the IndieAuth spec it isn’t clear to me what the PKCE verification flow is, or what this actually does to help with verification in the first place.
maxwelljoslyn[d] joined the channel
#aaronpkI don't think IndieAuth is the place to describe the underlying ideas there
#[fluffy]okay, the RFC’s just kinda hard for me to parse for whatever reason. So, if I understand correctly: when I initiate the auth request I include a code_challenge=base64(sha256(garbagestring)), and then when I do the verification request I include code_verifier=garbagestring ?
#rattroupe[d]PKCE aid used in the token flow too, when the client requests a token
#[fluffy]so, interesting wrinkle… Authl by default stashes the state data in the state value itself. Which means if someone’s savvy to that and notices that Authl is using an itsdangerous signed session cookie thing for that storage, they’d be able to extract the verifier out of it.
#rattroupe[d]aaronpk[d] if I want to propose a change to the indieauth spec is the best way to just make a PR?
#[fluffy]Authl *can* be configured to use local storage for things but this was a design decision I made to keep things simple for deployment.
#aaronpkrattroupe[d]: If it's relatively straightforward yes, otherwise an issue first to discuss it
#[fluffy]but the original reason for using signed session cookie-style things was to make it easier to support a load-balanced configuration and I guess at some point I decided that wasn’t a reasonable default to go with? Who knows.
#[fluffy]Wait no, the Flask wrapper actually defaults to using the signed cookies. Well, that’s the place to change that then.
#aaronpkif you can use signed cookies you can probably use encrypted cookies, in which case it's fine to tuck that into the state parameter
#[fluffy]itsdangerous doesn’t support encryption, just HMAC-style signing 😞
#[fluffy]It’s intended to be tamper-proof, not secret.
#[fluffy]I should look into an alternate storage mechanism for that stuff though, it wouldn’t be that hard to change the serializing token store to use an actual encryption library instead of simple signing
#Loqi[capjamesg] indieweb-search: Source code for the IndieWeb search engine.
#Loqi[capjamesg] indieweb-search: Source code for the IndieWeb search engine.
Seirdy, hendursa1, grantcodes[d] and Nezteb[d] joined the channel
#[KevinMarks][tantek] what I meant by 'speed gate' was that Google's oneboxes have to complete within a deadline (100ms or so) or it ignores them in constructing the results page. That's harder if you're calling multiple separate endpoints (though doable if the various algorithms are running locally and you're loading them as modules)
#Loqicapjamesg has 6 karma in this channel over the last year (9 in all channels)
#capjamesg[d]Thanks [snarfed]. The index is 35,000 documents large so far. It's been working in the background today / yesterday.
#capjamesg[d]Unfortunately the search engine is really slow on PythonAnywhere but on localhost it's super quick. So I need to research that before saying "hey, this indieweb search engine exists"
#capjamesg[d]PythonAnywhere's advice is to move to MySQL / PostgreSQL.
#capjamesg[d]Because it's faster on their infrastructure. I just can't be bothered to set up a web server but it looks like I'll have to.