#dev 2022-01-31

2022-01-31 UTC
#
jacky
I know I'm doing something wrong with PKCE but I haven't the faintest idea what
#
jacky
like I think I'm either not decoding the right value somewhere
#
jacky
is about to post links
#
aaronpk
this is a correct implementation so you can check it here https://example-app.com/pkce
#
jacky
this is a test https://git.jacky.wtf/indieweb/sele/src/branch/next/src/request.rs#L451-L472 of what it looks like to verify a PKCE request (I'm still thinking if I want to make it a floating function but eh)
#
jacky
oh bet thank you
#
aaronpk
pkce isn't straight base64, it's base64-url-encoding
#
aaronpk
replace + with -, replace / with _, trim trailing =
#
jacky
smacks forehead
#
jacky
of course
#
jacky
thank you lol
#
jacky
if I tell you how long this has been blocking me, I might be embarrassed lol
#
aaronpk
it is by far the most common mistake
#
jacky
that makes me nothing but human then lol
#
jacky
might move this into https://lib.rs/crates/indieweb soon
#
jacky
I've been thinking about breaking that up into 'micro' crates (like indieauth, webmention) but that's not really the Rust-y way (conventionally you'd break things like that into "feature" flags)
#
jacky
(side-note: the hope is to capture enough of the spec in a way that one could test their endpoints against a minimal client that could describe what the request is asking for)
#
jacky
how did you get that domain for the PKCE thing? lol
#
jacky
surprised it wasn't taken
#
aaronpk
haha i registered it ages ago when i was working on my oauth book, for a few years it just redirected to the book website
#
aaronpk
also authorization-server.com
#
aaronpk
i wanted to have domains to use in the examples in the book that i could also actually do stuff with
#
jacky
living-examples++
#
Loqi
living-examples has 1 karma over the last year
#
jacky
wow also make sure you're using the sha2 implementation and not the sha3
#
aaronpk
good point
#
jacky
I thought sha3 and sha2 might have been the same
#
jacky
foolish coder
#
aaronpk
sha256 tho
#
jacky
heh yeah
#
jacky
for some reason the lib exposed a sha256 method
#
jacky
considering this my "IndieAuth completion" certificate lol https://imgur.com/a/Whq0qFM
#
aaronpk
haha yayyy
sarahd[d], Seirdy and nanoflite joined the channel
#
capjamesg[d]
Can one only broadcast a feed through a HTTP header?
mambang[m], kinduff, [aciccarello], voxpelli and marksuth[d] joined the channel
#
[tantek]
this post was interesting from the "run your own server" argument perspective: https://staltz.com/some-people-want-to-run-their-own-servers.html
#
[tantek]
what is self host
#
Loqi
It looks like we don't have a page for "self host" yet. Would you like to create it? (Or just say "self host is ____", a sentence describing the term)
#
[tantek]
walks away slowly
tetov-irc, Asaf_Agranat[d] and nanoflite joined the channel
#
kinduff
what is self-hosted
#
Loqi
self hosting is the practice of running the software for your personal website on hardware under your own physical control, typically on a server at home, or sometimes refers to only the aspect of running web applications on a server under your control but not necessarily in your home https://indieweb.org/self-hosted
#
kinduff
ive been wondering about the indieweb philosophy, and something that comes to my mind is the libera.chat, has it been considered to move to matrix? since it is decentralized, federated, etc.
#
sknebel
there are matrix bridges if you prefer to use matrix
#
sknebel
(and bridges to slack and discord too)
#
kinduff
yeah, im connected through a bridge
#
kinduff
but wondering why it is not a preferred choice for indieweb
#
sknebel
what would make it a "preferred choice"? turning off IRC instead of using both?
#
sknebel
for lots of the core stuff the reason is simply that our IRC-based infra is older than Matrix, or at least older than Matrix being a viable choice
#
kinduff
would go the other way, matrix first, bridge to irc, so we can take advantage of video/calls, etc
#
sknebel
people on matrix still can use these things, no? and others that aren't couldn't either way, whatever you consider "first"
#
kinduff
well yeah
#
kinduff
just a thought :)
#
sknebel
yeah. generally with the chat systems we tend to go with bridging everything together over putting one as "the" solution
#
sknebel
IRC is kind of the smallest common denominator and the core, but not really intended to be promoted over others
#
sknebel
(well, sort-of. Slack and Discord obviously are at more risk of going away than others, since they depend on companies, and IRC is probably overall the most resilient)
#
kinduff
i agree, unless self-hosted or avoid a freenode situation
#
GWG
Self hosted is a barrier for some just starting out
#
GWG
Also, isn't this more a meta conversation
#
sknebel
lol, got in a discussion about auth tokens (JWT etc) and looked for some sources to cite and ouch do various vendors confuse terminology themselves
#
sknebel
like half the texts about access tokens also feel the need to talk about 2FA tokens and ...
#
aaronpk
Yeah "token" is just so overloaded at this point that it can mean anything
#
aaronpk
Also a lot of the stuff online is written to a specific audience that is coming at it from different backgrounds, so you'll see language used in one industry that doesn't make sense to a different industry
#
sknebel
and articles just seem to smash all definitions together instead of ... explaining that it means different things and which one they are talking about :D
#
sknebel
(i.e. I can live with an article talking about OAuth tokens just assuming that it means just that. but then why does it have a section about hardware tokens just thrown in)
#
aaronpk
I also personally think nobody should call anything just "token" by itself. I try to always say "access token" since that is actually defined somewhere and is not ambiguous
#
sknebel
yeah. the linked example even tries that at the start: "Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token", and the linked definition is ~useful
#
sknebel
and then talks about "Authentication Token"s (=devices?), and then "JSON Web Token (JWT): A Special Form of Auth Token" :D
#
sknebel
so "Auth token" != "authentication token"
#
sknebel
(and plenty other sources make similar confusion. i.e. this search started with the old argument of "no, tokens don't have to be JWTs"
#
aaronpk
Ah yes haha
#
aaronpk
Here's an official looking link for you :-) https://oauth.net/2/access-tokens/
#
sknebel
good point
hans63us[d] and [tonz] joined the channel
#
capjamesg[d]
re: "Can one only broadcast a feed through a HTTP header?" Is this something people do?
#
capjamesg[d]
Or something that is not an extreme edge case that's not worth planning for?
Ramon[d] joined the channel
#
[KevinMarks]
do they mean a header or a <link rel> in the head?
#
capjamesg[d]
The original comment was me. I meant a header, not a link rel.
#
capjamesg[d]
I proposed adding this as a feature to indieweb-utils' feed discovery but wondered whether the code is worth writing.
#
[snarfed]
you could look through your search engine's crawl to see how common they are. indiemap's too: https://indiemap.org/docs.html#schema-pages
#
[snarfed]
but maybe for correctness just go ahead and do it, code should be small
#
[tantek]
the PHP library for rel discovery was written to handle HTTP headers also
kinduff_, KartikPrabhu and [manton] joined the channel
#
[manton]
I think in practice using HTTP headers is extremely rare these days. <link> tags are much easier for normal people to deal with.
#
capjamesg[d]
How would those headers communicate MIME types?
#
capjamesg[d]
indieweb-utils returns a mime_type value for each feed.
#
capjamesg[d]
Or maybe a request should be made to the feed to ascertain its type.
#
[manton]
To be honest I wasn’t following this discussion closely… 🙂 But if this is about discovering a feed for a page using only HTTP headers, I would argue that no one does that.
#
sknebel
capjamesg[d]: link headers have a type= parameter just as <link> tags
#
sknebel
* can have
#
[snarfed]
you all are almost certainly right on prevalence. it is a standard though, so the question for capjamesg's is probably more, does he want his library to be fully compliant, or only partially
#
[snarfed]
unrelated, does anyone have any experience with mbasic.facebook.com ? looks like it dropped the website field in profiles recently, and I'm struggling to find it anywhere else. https://github.com/snarfed/bridgy/issues/1110
#
Loqi
[snarfed] #1110 browser extension: mbasic.facebook.com profile no longer has web site
#
[snarfed]
breaks new user onboarding for Bridgy FB browser extension 😐
#
[manton]
Ugh, sorry [snarfed]. Facebook is such an unreliable point of integration now.
#
[schmarty]
just confirmed i see my website on my profile on www.facebook.com but not m. or mbasic. 😐
jacky joined the channel
#
[snarfed]
Bridgy browser extension was a wonderful horrible idea
#
[schmarty]
the problem with adversarial interoperability is that there is an adversary 😐
#
[snarfed]
silver lining is that adversary doesn't know or care that I exist. probably better than if they actually knew and cared...probably...
#
[snarfed]
reminds me of this part of the Bridgy section of jackjamieson++'s awesome IndieWeb dissertation: https://dissertation.jackjamieson.net/#page.284
oxo111999 joined the channel
#
@Cambridgeport90
Just finished taking the @Readwiseio reader private beta survey. I can't wait. Please, pay attention to my last response about social reading. Webmention can use a big boost. #indieweb #readwise
(twitter.com/_/status/1488187487218401280)
#
capjamesg[d]
sknebel Do you have an example of that behaviour?
#
sknebel
i.e. if the HTML version would be <link rel="feed" type="text/html" title="My blog's feed" href="feed.htm"> you get Link: <feed.htm>; rel="feed"; type="text/html"; title="My blog's feed"
#
capjamesg[d]
Oh that's good.
#
capjamesg[d]
I didn't know you could do that.
#
capjamesg[d]
The MDN docs only showed the rel and the Link destination.
#
[tantek]
capjamesg[d] if you're looking for an example of the kind of code to do HTTP header based discovery/parsing, see https://github.com/indieweb/link-rel-parser-php/blob/master/src/IndieWeb/link_rel_parser.php
#
GWG
capjamesg[d]: Look at h-feed discovery, [tantek] added a line about this recently
#
[tantek]
capjamesg[d], there are a couple of Python codebases that include a bunch of link discovery code, you may need to extract them though to make a generic library
jacky joined the channel
#
[tantek]
for generic link rel discovery code, I just created this list (which only has standalone files/functions for PHP, Ruby, Haskell, Elixir) https://indieweb.org/discovery-algorithms#Link_rel_discovery
#
[tantek]
so you may want to pick one of those that looks good to you and model your code accordingly
#
[snarfed]
Link header parsing 🙈
#
[tantek]
it wasn't that bad. read a few specs, handled a bunch of edge cases
#
[snarfed]
sounds like we're agreeing!
#
[snarfed]
which reminds me, it's Monday, new week! time for my regularly scheduled conneg--
#
Loqi
conneg has -5 karma in this channel over the last year (-7 in all channels)
superkuh, jacky and Christian_Olivie joined the channel
#
[tantek]
capjamesg[d], another thing for that coffee/cafes site, whether or not they are willing to fill your personal cup (and if so, do they give you a discount)
#
[tantek]
these conditions have changed during the pandemic
#
[tantek]
and it's inconsistent across cafes
#
[tantek]
(useful for folks that want to reduce indirectly creating waste)
#
[manton]
[aaronpk] In the latest Micro.blog beta I’ve fixed that issue of requiring “me” if you want to test again. Need to grab the beta from TestFlight for now… I’ll ship it this week if it looks good. https://testflight.apple.com/join/ZiEDiuUK
#
aaronpk
oh lovely, i'll give it a try!
jacky joined the channel
#
jacky
first time I'm seeing that
#
capjamesg[d]
It is linked on the discovery algorithms page 🙂
#
Zegnat
I can’t think of any immediate implementations of that one
#
jacky
like I could see it being usefulf for a microsub server tbh
#
jacky
*useful
#
[tantek]
hmm, maybe I need to more explicitly document the use-case(s) there
#
[tantek]
tl;dr: it's an open version of what OGP does with "name"
#
[tantek]
I think XRay may be at least a partial implementation
#
[tantek]
what is xray
#
Loqi
XRay is an open source API that returns structured data for a URL by parsing microformats and following other indieweb algorithms, and is part of the p3k suite of applications https://indieweb.org/XRay
#
[tantek]
yes, XRay implements at least step 1 of the algorithm
P1000[d] joined the channel
#
capjamesg[d]
What are the use cases?
#
Loqi
Because there is as broad an array of types of websites as there are people, a motivating personal factor for joining the IndieWeb may entail a particular use case one has in mind for what they want to do online or how they'd like to interact with others https://indieweb.org/use_cases
#
capjamesg[d]
[tantek] Thank you for sharing! I didn't know that Pingback had a header. That's a good note for me to add into indieweb-utils.
#
capjamesg[d]
GWG I will take a look at h-feed discovery. I have a feeling I read about this a few weeks ago too.
#
capjamesg[d]
[snarfed] haha re: conneg 🙂
#
GWG
The mime type is in the spec
#
Loqi
Tantek Çelik
#
capjamesg[d]
[tantek] Funnily enough, the coffee/cafes site came to mind earlier today. I think I overthought the last version a bit. I wonder what the most simple version could be.
#
capjamesg[d]
GWG So I should look for an mf2+html rel before a h-feed class in a file?
#
[aciccarello]
It's in the see also, but I find the /why page a good overview that is similar to use case
#
capjamesg[d]
[tantek] Python's requests already has a header parsing utility too which is super helpful.
#
[aciccarello]
lol, just realized that was probably an accidental loqi trigger
#
[aciccarello]
One of these days I'll write a post about why I'm interested in the IndieWeb...
#
[snarfed]
I'm not aware of any other(s) in requests, at least for parsing a single header value like we're talking about here
#
[snarfed]
(and that one's obviously very limited)
#
capjamesg[d]
I use parse_header_links().
#
capjamesg[d]
It turns a header into a dict.
#
GWG
capjamesg[d]: It's a recent change, so still needs adoption, but yes
#
capjamesg[d]
Got it. I think I might add a h-feed discovery algorithm into indieweb-utils.
#
[snarfed]
oh wow that fn isn't in my version of the docs at all, must be new
#
[snarfed]
huh no it's not, wonder why I'm not seeing it
#
capjamesg[d]
It is in requests.utils.
#
[snarfed]
oh yeah, I mean in the docs
#
[snarfed]
no matter
#
[KevinMarks]
I send a webmention link in the header of svg's and png's on svgshare.com
#
[tantek]
^ good use-case! non-HTML
#
[tantek]
forgot to celebrate anniversaries for Webmention (5y) and WebSub (4y) RECs. Anyone post anything about them?
#
[tantek]
[KevinMarks] got a particular anniversary coming up on 11th February! (18y since we did that :exploding_head:)
#
[KevinMarks]
That was a fun etech
#
capjamesg[d]
Wow! Amazing!
#
capjamesg[d]
Interesting…
bg1 joined the channel
#
kinduff
has someone used comments from hackernews as webmentions?
#
capjamesg[d]
What is hacker news?
#
Loqi
Hacker News is a bookmark posting silo as well as a silo for comments on those links https://indieweb.org/Hacker_News
#
sknebel
HN comments aren't very well suited
#
sknebel
at least not in the sense of "all comments under a submission of an article" like bridgy mit do with replies to tweets
#
kinduff
i need to use the bot and search the wiki more, haha thanks capjamesg
#
sknebel
(IMHO)
#
sknebel
because the discussions meander a lot more than elsewhere, and just the top-level comments also is not that useful
#
kinduff
i agree, at least the threads, but root comments are generally related to the shared item
#
sknebel
what I've done in the past is manually sent WMs to the submission page with all the comments if I've noticed a link by someone where I know they have WMs
#
sknebel
yeah, sort-of. I don't know, for me the threads belong together. but that's just my impression
#
sknebel
what is lobsters?
#
Loqi
Lobsters is an open source, technology-focused link-aggregation service similar to Hacker News https://indieweb.org/Lobsters
#
sknebel
^^^ they have WM support built in
#
Zegnat
capjamesg[d]: that is an interesting HTTP method, yeah. Though part of me feels like this is what GET is already supposed to be, haha
#
sknebel
Zegnat: well, it's GET for when you don't want to be limited to a query string
#
sknebel
analog POST, but safe
#
kinduff
totally forgot about lobsters
#
sknebel
actually, by now HN does fetch and parse submitted pages
#
sknebel
I should talk to the mod about WM support
#
sknebel
although I suspect it's not going to be his highest priority
#
[tantek]
worth starting the conversation, especially if it can go into a feature request issue somewhere we can link to
#
sknebel
HN doesn't track these things publicly at all
#
sknebel
even "which features does HN even have" is not universally documented
#
Zegnat
sknebel: HTTP messages take bodies for all possible requests, including GET. But I can see that might cause some unexpected behaviour. So maybe it is better to document a new method altogether? Unsure.
#
kinduff
it would be great, an effort on brid.gy can be done with their API
#
capjamesg[d]
Yeah. And I don’t think the responses are cached with QUERY.
#
capjamesg[d]
How does one get a new HTTP method adopted? 😂
#
capjamesg[d]
That seems like a lot of work.
#
capjamesg[d]
I’m still waiting on more implementations of BREW and WHEN.
#
sknebel
Zegnat: well, sort of. afair the definition of GET is fairly clear in that it only cares about the URL
#
sknebel
Zegnat: found it, RFC 7231: "A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some existing implementations to reject the request."
#
sknebel
so yeah, and thus rather introduce something new you can query for etc instead of changing the rules around request semantics for existing verbs
#
Zegnat
Yeah, they made that note because prior to RFC 7231 they apparently made stricter claims about GET: https://stackoverflow.com/a/983458
#
sknebel
"this doesnt understand QUERY" is a lot more obvious than "this speaks GET but doesn't like/ignores the payload"
#
Zegnat
capjamesg[d]: "How does one get a new HTTP method adopted?" - you start to use them and try to get more people onboard?
#
capjamesg[d]
That is very true.
#
sknebel
I suspect query won't be a big thing on the web, but more in the backend places the spec calls out
#
sknebel
although I guess we're at the point where the browser delay is not necessarily as large anymore
gRegor and [tw2113_Slack_] joined the channel
#
Loqi
[snarfed] #693 hacker news support: publish, backfeed
Seb[d] joined the channel
#
kinduff
Will do!
#
[snarfed]
(I don't plan to work on it myself, I don't really use HN, but pull requests are welcome!)
#
sknebel
hm, for Bridgy HN is different in that you can just work through the public firehose and don't need per-user scans
#
sknebel
because the firehose is really more a watering can
#
[snarfed]
ohhh interesting point. so you could do it site-wide, all at once. fascinating
#
[snarfed]
could be a fun project for someone to see if they can hook up that firehose to IFTTT or something similar and do https://snarfed.org/backfeed-without-code for all of HN
#
[snarfed]
I wonder which other silos have similar public firehoses. maybe some of the ~30 open requests, https://github.com/snarfed/bridgy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+silo%22
#
sknebel
hacker news << feeds including firehoses of all comments https://hnrss.github.io/ (code at https://github.com/hnrss)
#
Loqi
ok, I added "feeds including firehoses of all comments https://hnrss.github.io/ (code at https://github.com/hnrss)" to the "See Also" section of /Hacker_News https://indieweb.org/wiki/index.php?diff=79428&oldid=71445
jacky and tetov-irc joined the channel