#dev 2021-09-10

2021-09-10 UTC
hendursaga joined the channel
#
@TwitterDev
Better believe it, OAuth 2.0 is nearly here! We’re releasing OAuth 2.0 into beta on the Twitter API v2, and you're all invited to request access today. Let us know what you think and learn more in the forum post 👇 https://twittercommunity.com/t/announcing-oauth-2-0-beta/159189
(twitter.com/_/status/1436020870875656196)
feoh and Seirdy joined the channel
#
aaronpk
I requested access thru their google form and put "OAuth.net" as my company and "testing compliance with OAuth 2.1" as my app description
#
GWG
Did we ever answer the question of authentication in the new IndieAuth token introspection endpoint?
bitmega joined the channel; feoh left the channel
#
GWG
[fluffy]: I still want to talk Ticket auth at some point, but better in here
#
[fluffy]
yeah definitely
#
[fluffy]
I also just noticed I never actually fully implemented the refresh token flow on my token endpoint, oops
#
GWG
[fluffy]: Well, neither have I. But it's next for me, now that I have added token introspection per the new proposal.
#
[fluffy]
yeah I need to read up on that bit, that’s completely new to me
#
[fluffy]
I assume it’s a specific action sent to the token endpoint htat returns a JSON blob with metadata about the provided token
#
GWG
[fluffy]: Essentially, the existing token verification is a GET. The Token Introspection spec uses a POST. So, we're harmonizing.
#
GWG
So, you'd POST to the token endpoint with only a parameter token and it would return
#
GWG
The outstanding question is, IndieAuth Token Verification has no auth. OAuth2 Token Introspection requires authentication. Should we or just note we don't.
#
[fluffy]
oh, I also don’t implement any sort of token verification on the token endpoint, I just have it such that like `Authorization: bearer xxxxx` works
#
[fluffy]
I don’t really have any strong opinion about that stuff, I’m only implementing tokens insofar as they’re for allowing private entry access from feed readers and so on
#
GWG
[fluffy]: If you make a get request to your token endpoint with the token in the Authorization header, what happens?
#
[fluffy]
obviously I need to do a more thorough job when I get around to supporting micropub et al but like, eh
#
[fluffy]
right now my token endpoint essentially returns a 400 error unless you’re doing a `grant_type=ticket`
#
[fluffy]
I have a bunch of stub code for supporting other things but nothing implemented
#
GWG
Okay.
#
GWG
But, the idea of aligning a bit to OAuth2 means client libraries could work with little modification, which seems like a good idea
#
[fluffy]
well also I have `_tokens?me=http://foo.bar` to initiate a ticketauth grant flow but that’s a hack and not the intended flow for TicketAuth AIUI
#
[fluffy]
yeah I suppose, I don’t really relish the idea of bringing in a full OAuth server thing when I only care about supporting some very specific IndieAuth-related things.
#
GWG
I sort of like Zegnat's proposed action parameter for that, as action is only used for revokation right now.
#
GWG
[fluffy]: I had a GET token verification function already. It took about 30 minutes to change it to a POST and adjust the three parameters I needed.
#
[fluffy]
the primary TicketAuth flow I support is like… someone logs in via IndieAuth, and when the profile discovery sees that there’s a TicketAuth endpoint, it sends the TicketAuth grant.
#
GWG
The other part I'm still contemplating is how a client gets a token your ticket endpoint has.
#
GWG
[fluffy]: Which is still an option.
#
Loqi
[dshanske] #88 Extension to Allow Clients to Get Tokens Secured by Ticket
#
GWG
So, right now, I'm thinking you POST to the ticket endpoint with the token that authorizing you to get tokens as the token parameter, and resource being what you are looking for.
#
[fluffy]
my assumption for how that’d work is that like, your user profile URL would provide a ticketauth endpoint that communicates with your feed reader in some way, and then when you get the token grant, your feed reader has access to the bearer token, but how that actually works is an implementation detail of the ticketauth endpoint and the feed reader
#
[fluffy]
having a standard mechanism for token storage wouldn’t be a bad thing but I’d worry about a turtles-all-the-way-down issue if retrieving the bearer token requires having an active session, since that sort of defeats the point to having a token for an unattended feed reader 🙂
#
GWG
[fluffy]: That's why I was suggesting that the feed reader gets a scope that allows it to retrieve tokens from the token store the ticket endpoint keeps.
#
[fluffy]
the feed reader I keep on wanting to build would just have its own association between identity URLs and its backing storage, and would provide the TicketAuth endpoint since the only use case I personally have for TicketAuth is feed reading
#
[fluffy]
yeah I guess that makes sense
#
GWG
Like other endpoints, if you have them integrated, you don't need the remote method.
#
[fluffy]
the feed reader I want to build isn’t going to be based on micropub/microsub, and I was just going to use authl as its login mechanism which means not necessarily requiring IndieAuth for login either. and I have out-of-scope-for-this-discussion reasons for wanting to build it that way.
#
GWG
I was just saying I want to do some work on Yarns so I actually would use it, as jackjamieson, the primary author, is busy with other projects.
#
GWG
So I could have all the feed reading I want.
#
GWG
I spent all of this time adding the ability to get tokens from other sites, now I need some way to use them.
bitmega joined the channel
#
[fluffy]
yeah someday I will get around to writing Subl because I am so sick of dealing with FeedOnFeeds’ limitations and ther’es no way I’m going to hack TicketAuth into that
#
[fluffy]
just because FoF is very aggressive at subscription sharing and it’d be difficult to make it secure
#
GWG
[fluffy]: What are the best features of a feed reader you want to have?
[jeremycherfas], [jgmac1106]1 and bitmega joined the channel
#
[fluffy]
being able to order things oldest-to-newest, having a stream of stuff where it’s easy to mark stuff as read as I read/skim it
#
[fluffy]
also having multiple inboxes which I can put different feeds into and have those inboxes ordered differently
#
[fluffy]
like, ‘news’ vs ‘comics’ vs ‘social’ inboxes should all have different behaviors in terms of ordering, completionism, etc.
#
[fluffy]
having the ability to filter based on tags/categories would also be good
#
[fluffy]
atom category support has never been implemented that well that I’ve seen, it’d be nice to at least try
#
[fluffy]
supporting the `<at:deleted>` element would also be nice
#
GWG
I always read oldest to newest, I never knew why the other way is the default in many systems.
#
[fluffy]
RFC6721. also RFC5005 support would be neat
#
[fluffy]
RFC6721 being deleted entries
#
[fluffy]
also some nice things to have would be support for like… autodiscovery of feeds of things that people you read in turn link to, for getting feed suggestions
#
[fluffy]
or maybe that ties into the nebulous Vouch future
#
[fluffy]
being able to subscribe to things ‘publicly’ would be neat, like providing a timeline for others to look at and also providing subscription suggestions to others
#
[fluffy]
that being opt-in at time of subscription of course
#
[fluffy]
and I guess that sort of would be better served as a ‘following’ webmention/note
#
GWG
Going to have to read those RFCs
#
[fluffy]
both RFCs are pretty straightforward
#
GWG
Yes, but I like to learn
#
[fluffy]
6721 is basically “if you delete an entry, provide an entry that’s like <at:deleted_entry><guid>asjdfklajkflajfkla</guid></at:deleted_entry>
#
[fluffy]
and 5005 is a way of paginating feeds so that readers can get backlog stuff
#
[fluffy]
which is especially good for comics, but also for the notion of making atom itself a distributed social network, which was one of the original goals (and a lot of what indieweb does sort of replicates atom’s social aspects, although in ways that are way more practical)
#
GWG
Seems like useful possible enhancements
jonnybarnes, bitmega and hendursa1 joined the channel
#
capjamesg[d]
I'm all set up on Monocle now. Still got a lot of the spec to implement on my server though.
#
[KevinMarks]
Apple defined some extensions to feeds (for podcasts) to distinguish oldest first from newest first, and to label episodic posts
jeremycherfas, tetov-irc, bitmega and jonnybarnes joined the channel
#
[jgmac1106]1
thx Jeremy I will look, something happened on the last update, I will start by looking there, I took a backup before update so I have that
#
capjamesg[d]
What scope does one need to use Microsub?
#
capjamesg[d]
I suppose read + maybe everything that you need to post via Micropub?
shoesNsocks joined the channel
#
capjamesg[d]
Also, what is the proper way to mark up a list in which there will be two buttons that are enclosed in form elements? Is <div> really the best option? Something feels off about using an <li> / <ul>.
bitmega joined the channel
#
Murray[d]
Do you have an example page/code? Agree that it feels a bit strange to nest a form within a `<ul>` but not clear on the use case 🙂
#
capjamesg[d]
I am using forms to trigger an up / down movement in the channel list.
#
capjamesg[d]
If there's a better way other than using a form I am all ears (but I don't want to bring JS Into the equation if possible).
#
capjamesg[d]
Each row needs to show one or two buttons depending on its position in the list.
#
GWG
jeremycherfas: What format does Known export to?
#
Murray[d]
capjamesg: okay, this does fit a list imo, though it could also be a `<table>`. But I'd say the current markup makes sense to me.
#
Murray[d]
What I would add is that `<button>` may serve just as well, though it's been so long since I've implemented something like this without JS I forgot how accessible button events are outside of forms 😄
#
Murray[d]
forget*
#
capjamesg[d]
Are there any specific advantages of using <button>?
#
capjamesg[d]
I like avoiding JS when possible Murray 😄
#
Murray[d]
I understand that, but in this instance it may fit better. Semantically, I'd argue you're creating buttons, so `<button>` is a better fit. In practice, a form submit event seems to be treated closely enough to a button that I don't think it makes any difference.
#
Murray[d]
(I know Tantek has raised some interesting points about form/submit in the past, would be interested in their opinion)
#
capjamesg[d]
Likewise. I must admit I don't know much about the semantic difference between input type=submit elements vs. the <button> element.
#
capjamesg[d]
In this case, I am indeed creating a button. But that button is also submitting a form within a <form> element.
#
capjamesg[d]
tantek would love your thoughts here. I feel like this might be quite a long discussion 🙂
#
Murray[d]
Sure, I guess I'd expect a submit event to be sending *user* input. In this case, you're prepopulating input and restricting it, so it's really just a predefined action, ergo `<button>`. **But** I think both are fine from a practical sense 🙂
#
Murray[d]
I suppose I brought up `<button>` to consider the nesting: if you feel that a `<button>` within a `<li>` is fine (which I see no issue with :D), then a `<form>` operating like a `<button>` should also be fine 😊
#
Murray[d]
FWIW from a spec perspective both can be nested within a `<li>`, so at least that side of things is fine 😄
#
capjamesg[d]
Yeah. I believe so.
#
capjamesg[d]
WAVE doesn't have any objection to the markup or accessibility. But I'll have to do a manual test with a screenreader for more info on that.
#
capjamesg[d]
w3 validator says the markup is okay too.
#
capjamesg[d]
The mention of a table is interesting. Because visually this is going to look like a table, almost.
#
capjamesg[d]
There will be a list but each row contains three pieces of info: a label, a move up button, and a move down button.
#
capjamesg[d]
(although the code above shows there are conditions in which a move up / down button may not appear)
#
Murray[d]
Yeah, the code structure put me in mind of a to-do list, and those often end up in debates over table versus list structures. Personally, I'd test with a screenreader (and possibly something like a Google Home or Echo device) and see how both options _sound_, then pick whichever best fits the use case 🙂
#
Murray[d]
Of course, tables do have some benefits (and negatives) when it comes to layout as well. For example, that wrapping `<div>` might not be necessary in a table
#
capjamesg[d]
I do like getting rid of <div> tags 🙂
hendursaga joined the channel
#
@Cambridgeport90
I wonder what it would be like using @Statiqdev for a personal web site with Indieweb functionality? (that is, Webmention support, likes and comments from various other places showing up near the post, and so on). I might fool around with it if nothing else.
(twitter.com/_/status/1436328665080500226)
#
jeremycherfas
XML, but it is bad.
#
jeremycherfas
Much better to hook up the old database to a new install, which is relatively easy.
kevinmarksbot, kimberlyhirsh[d], alex11 and shoesNsocks joined the channel
#
[tantek]
oooh interesting HTML discussion!
#
[tantek]
general guidelines for links vs buttons: is it "just" navigation / changing the user's view of the information? hyperlinks are fine for that. is it providing some information from the user to the server (even a single bit of information like a checkbox)? then a form is the proper semantic.
#
[tantek]
if you're using a form, it sounded like there was a question between input type=submit vs a button tag. note that you can also do button type=submit. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/button
#
[tantek]
having skimmed, I think Murray[d]'s reasoning and answers look correct as well
#
[tantek]
re: "I am using forms to trigger an up / down movement in the channel list." <-- that sounds more like navigating a view of information rather than any kind of information submitted by the user.
#
[tantek]
one of the big reasons you want to use links vs forms/buttons properly is that browsers do treat them very differently in the UI, e.g. back buttons
#
[tantek]
for actions that are "just" navigation, links go into history, and the back buttons works smoothly without any interruption
#
[tantek]
when a page is the result of a form submission, when you navigate further, and then use the back button, you may see a warning about the information being re-submitted. that should *only* happen when the user has deliberately submitted some information, and navigating up/down in a list (or sorting a table, or any other kind of view manipulation) should not cause such a warning because it will only confuse the user
#
[tantek]
btw, example of "a single bit of information like a checkbox": agreeing to some terms like a ToS or confirming that you've read some disclosure
#
[tantek]
capjamesg[d], Murray[d], does that answer the questions raised?
[manton] joined the channel
#
[tantek]
there are some interesting borderline/hybrid cases of "navigating to a different view", e.g. when you're viewing the history of a wiki page, and click the radio buttons next to two different versions and then click the "Compare versions" button.
#
[tantek]
that could be considered navigating to a specific view of the data, and it also required some deliberate user input to choose which versions to compare.
#
[tantek]
since the navigation / retrieval of that information is read-only, the form uses method GET, which performs a navigation action like a link would, except by adding the various form input name value pairs to the URL, which is added to the user's browser history as a idempotent action so no warning is needed if they go "back" to it
#
[tantek]
thus a more challenging question is, when does a navigation become "complex" enough to switch from using hyperlinks to form method GET?
#
capjamesg[d]
Love it! Thanks tantek. The use case is rearranging channels in a microsub server.
#
capjamesg[d]
Hence the use of a form,
#
capjamesg[d]
But I could make a link that reorders a channel and then redirects a user back to the channel list.
#
capjamesg[d]
I just thought that a form would be more appropriate because the user is causing a change in state to the page,
#
capjamesg[d]
And I would be notifying them the order of channels has changed via an on-page notification (a success message).
#
capjamesg[d]
I had not considered the submit form again browser feature you mentioned. Which actually makes me think JS would be okay in this case because I could easily change the page to show the reordered channels.
#
capjamesg[d]
But I thought a fork would be more elegant.
#
[tantek]
re-arranging channels sounds like user-editing
#
capjamesg[d]
I meant form, not fork.
#
capjamesg[d]
So what would be the most appropriate implementation tantek?
#
capjamesg[d]
In my head I have the semantic rule links are for navigation forms are for user action.
#
capjamesg[d]
The blurred line here is that the form is technically hidden from the user because only a button is visible on screen.
#
[tantek]
user *editing* or information submitting, not just "action"
#
[tantek]
a form can consist of a single button, e.g. if that button alters content
#
[tantek]
e.g. ( Undo ) 🙂
#
[tantek]
snarfed, I'm still trying to solve for single-file stored "topic" pages, including all their revisions
#
[tantek]
I think there's a way to do that that both presents a decent default UI, and is *very* portable (each "topic" page is self-contained in a single file that you can move to any "folder" and have it "just work")
#
[snarfed]
ah sure! I have few or no opinions on revision storage plumbing
#
[tantek]
completely avoiding any database nonsense
#
[snarfed]
other than, obviously tons of prior art
#
[tantek]
really? all the prior art I've seen is with a database of all the things
#
[tantek]
single file per topic with revisions included is not something I've seen examples of
#
[snarfed]
sure. prior art of a wide range of techniques and implementations in general
#
[snarfed]
as you narrow your req'ts that far, yes, the pool gets smaller
#
[tantek]
I'm kinda interested in figuring one out that can work with "just" CSS for browsing / showing "major" revisions as well
#
[tantek]
though I'm mixed on whether a revision should be displayed as it was when it was the most recent revision, OR if it should be shown with ins/del changes highlighted
#
[tantek]
from the previous revision (which is a common use-case)
#
[snarfed]
totally! also fertile ground for prior art on user-level revision history, especially in the last 10+ yrs in doc etc tools
#
[snarfed]
(and obviously longer in dev tools, but maybe less useful)
#
[tantek]
there's been a lot of bad examples of that unfortunately. fancy displays of revision history without any functionality to selectively revert or any other kind of way to restore old content
#
[tantek]
tbh I'm not very impressed with "the last 10+ yrs in doc etc tools", at least not web-based
#
[tantek]
e.g. gdocs is crap for this
#
[snarfed]
but plenty also with revert and compare functionality
#
[snarfed]
sure! bad examples are still examples, and useful
#
[tantek]
eh, useful more for research than design/engineering
#
[tantek]
tbh haven't seen anything as easy to use for viewing / restoring as mediawiki
#
[tantek]
if you know of other good examples, I'm interested
#
[snarfed]
yeah mediawiki's is good
#
[snarfed]
I haven't done any deep dives. definitely worth looking again if you do, eg wordpress, notion/roam, etc. but I don't have detailed recommendations
#
[tantek]
another thought is seeing if aligning with Micropub editing actions helps at all (in terms of good UX)
#
[tantek]
though there's also the danger there of the plumbing wagging the feature
#
[tantek]
I'm more likely to go from desired user feature set -> optimum HTML storage (+ CSS for MVUI) -> potential editing primitives -> proposed additions to Micropub
#
[tantek]
e.g. one "simple" way to markup a single-page storage file of revisions of a page would be an h-feed for the file, and an h-entry for each revision
#
[tantek]
the most recent h-entry would be the first in the file, and its dt-updated would reflect that revision, along with the dt-published reflecting the first revision
#
[tantek]
however with that choice of storage, no Micropub "editor" that I know of would be able to understand / present that information accordingly
#
[snarfed]
yup. makes me think about revisiting https://snarfed.org/posting-to-the-indieweb-from-your-phone and sketching out revision UI
#
[snarfed]
ok, not UI, but the underlying PWA plumbing for parsing out and exposing revisions to UI
#
[tantek]
Indeed, the interaction with "undo" is another angle!
#
capjamesg[d]
snarfed Right now I just post from a bookmark on my phone that loads my Micropub web app. Nothing special but the UX is not quite what I would like.
#
[KevinMarks]
Static site with Github pages gets history by default and some editor integration (bbedit and vscode support it)
#
capjamesg[d]
Very true. GitHub’s revision history is great.
#
capjamesg[d]
I found myself poking around quite often when building my Micropub client.
#
capjamesg[d]
But how that goes into a live website I’m not sure.
#
[tantek]
eh, see above about viewing but not very useful at actually restoring / reverting pieces
#
[tantek]
not really impressed with GH in that regard
#
[KevinMarks]
I admit that checking out both versions and using bbedit diff is something that I fall back on
#
[tantek]
also GH is a bit of a roach motel in that regard. things put in GH feel stuck in GH
#
[fluffy]
I do `git diff 32942048084202 -- content/blog/bar.md
#
[fluffy]
but I’m also used to git not meaning “GitHub” and my actual site files are hosted on a private git repo
#
[tantek]
ah, if only such large numbers were datetimes of a sort
#
[tantek]
Internet Archive handles this quite well in their URLs of revisions of pages
#
[fluffy]
maybe my keysmash should have involved some cacdefbbcdaefdbeacfdacebf
#
[fluffy]
although tbh I also don’t often do diffs on stuff in my site files in the first place
#
[fluffy]
or much in terms of history consultation unless I’m trying to figure out what happened to one of my templates
#
[tantek]
in looking at my own edits, it looks like either paragraph (block element) granularity or entire page granularity is sufficient to store and (re)store / (re)generate revisions dynamically via DOM manipulation
#
[KevinMarks]
I have merged PRs on my site (mostly from Tantek fixing typos)
#
[tantek]
my own edits on my existing pbwiki
#
[fluffy]
I keep hoping that for novembeat.com people will submit their own things via PR on https://github.com/fluffy-critter/novembeat.com but so far that hasn’t happened
#
Loqi
[fluffy-critter] novembeat.com: SIte files for novembeat.com
#
[fluffy]
but I’ve had people at least submit a couple of things via the issues page
#
[tantek]
snarfed, that article on re: mobile posting on your site links to a comment from kylewm that returns a literal php file (unprocessed)
#
[tantek]
as in a text file that starts with <?php
#
[tantek]
last line is: require __DIR__ . '/wp-blog-header.php';
#
[snarfed]
yeah sadly he lost kylewm.com a long time ago
#
[tantek]
oh no. ugh thought maybe it was "just" a configuration problem 😕
#
sknebel
Moinmoin Wiki dies just a folder per page with a file per revision
#
[tantek]
sounds like VMS 🙂
#
[tantek]
so let's see if I have this right snarfed...
#
[tantek]
mobile, offline first, auto-server-syncing, undoable, revision-saving/browsing/reverting, micropub-based, post authoring & editing
#
[snarfed]
lol. "right" meaning...what you want? or what I wrote up?
#
[tantek]
what you wrote up combined with today's conversation here & in #indieweb and your assertion of combining the sets of requirements for pages & posts 🙂
#
[snarfed]
yes, that covers my post and adds revisions and undoability
#
[tantek]
yes, revisions/history were the primary topic today. I added undoability because that's kind of a requirement for me for any new posting UX
#
[snarfed]
for evergreen pages + posts, minimal support arguably doesn't require much new functionality, if any. it's more a mindset shift that you could treat some posts as evergreen, and keep them regularly updated and current
#
[snarfed]
eg on my site, the only difference is that pages don't have dates in URLs and don't show up in feeds. and neither of those is strictly necessary.
#
[snarfed]
but ideally yes, you'd distinguish them, support browsable history, etc
#
[snarfed]
personally, i'm happy to start by just evangelizing here that evergreen pages/posts are useful, more of us should try them in our existing sites, and we can all prototype them as normal posts that we update over time
#
[tantek]
there's a distinct disadvantage to the 'prototype as normal posts' approach in that as you observed, 'normal posts' typically have their date published in the URL in some form, and as such imply a certain point in time in contradiction to the intended meaning of a "current" or "evergreen" page
#
[tantek]
now, prototyping a *revision* of an evergreen page as a "normal post" could work, since a revision is also strongly tied to a particular date(time)
jjuran joined the channel
#
[snarfed]
KevinMarks++
#
Loqi
KevinMarks has 14 karma in this channel over the last year (43 in all channels)
#
[snarfed]
[tantek] oh sure, prototyping implies rough edges. I think visible dates are a small enough rough edge that you can still get the sense of the value
#
[snarfed]
eg my pages still have visible published and updated dates, which I actually like and plan to keep
#
[tantek]
Wiki pages have visible last updated dates too. That’s consistent
#
[tantek]
For me the more important / urgent aspects are what’s the minimum needed to move things from pbwiki to my own site, even if editing gets a little harder
#
Murray[d]
tantek++ thanks for the clarity, some useful way of thinking about things 🙂
#
Loqi
tantek has 18 karma in this channel over the last year (50 in all channels)
#
@RubygemsN
authorio (0.8.5): Rails engine to add IndieAuth authentication endpoint functionality https://rubygems.org/gems/authorio
(twitter.com/_/status/1436458994562781187)
tetov-irc and wackycity[d] joined the channel