#dev 2022-03-29

2022-03-29 UTC
kandr3s, darkkirb and cybi joined the channel
#
[tantek] this also feels like a potential OAuth permissions granularity kind of thing
#
jacky yup
#
jacky what is IndieAuth
#
Loqi IndieAuth is a federated login protocol for Web sign-in, enabling users to use their own domain to sign in to other sites and services https://indieweb.org/IndieAuth
#
jacky might be some prior art there
#
barnaby jacky: the MP spec seems to suggest using e.g. create:note, create:photo etc. as content-type scopes https://micropub.spec.indieweb.org/#x6-security-considerations
#
barnaby IIRC aaronpk’s MP authorization screen allows him to select which streams a token grants access to
#
jacky ah that's interesting b/c the spec mentions that in passing but I don't see a reference on the linked page ( /scope )
#
barnaby there’s a screenshot here https://indieweb.org/scope#Scopes_supported_by_Micropub_servers
#
barnaby although it might be less of an explicit permissions thing and more a hint for where to put the posts created by a client
#
jacky ah I think he uses channels as the posting channels there
#
jacky s/posting channels/post types/g
#
jacky I think I can normalize it to `create:$POST-TYPE` tbh
#
barnaby that definitely seems to be the format suggested by the spec
#
barnaby no idea how widely used it is though
#
jacky right
#
jacky hmm this is a bit tricky
#
jacky b/c whatever I do will be stuck in clients (which tbh is fixable by rolling the token)
#
jacky my use case is wanting to scope down a client to only be able to create notes
#
jacky no deleting, updating, etc or making of other types
#
jacky I also have a usecase where I only want to be able to update a specific URL (as part of https://indieweb.org/User:Jacky.wtf#Editor_Presence_Emission to change my h-card with the needed info)
#
[tantek] both of those make a lot of sense to me
#
jacky it's very granular but it makes me feel a bit safer about using those specific tokens for particular use-cases
#
[tantek] worth capturing them as explicit use-cases
#
[tantek] yes I agree especially with a "profile editing" permission
#
[tantek] as a client developer, if that's all you want to support, you can kind of protect yourself / set expectations by only asking for that granularity of permission
#
[tantek] (both for profile editing and/or note creating)
#
jacky exactly!
#
jacky yeah I'll add this to /scope then
#
barnaby I wonder if it’d make more sense to treat the post type limitation as an internal detail, which is stored on the access token but not exposed to client apps in the scope
#
jacky so that's something I can't do because my indieauth server and micropub server are two separate apps
#
jacky if there's a way to have more 'metadata' in a token that's introspectable on request then perhaps
#
jacky however this does make it explicit
#
barnaby the micropub server should be able to do some sort of token introspection though, right?
#
barnaby afaik token introspection is part of oauth2
#
jacky ah yeah that's the new new
#
jacky I haven't implemented that yet in Sele
#
jacky I really should
#
barnaby yeah I haven’t updated my IA library yet either
#
jacky yup it looks like it at https://indieauth.spec.indieweb.org/#access-token-verification-response
#
jacky I could add more fields in there
#
jacky > Specific implementations MAY include additional parameters as top-level JSON properties. Clients SHOULD ignore parameters they don't recognize.
#
jacky that actually would be very handy
#
jacky I could even restrict it to particular URLs that can be interacted with
#
barnaby I think using that for post type limitations would make more sense until there’s a clear reason for the client app itself to be aware of what post type it’s allowed to make, and what that actually means
#
jacky oh indeed
#
jacky there's things like photo posting apps (like /sunlit for example)
#
[tantek] a note-taking client would make sense. similarly a bookmarking client.
#
[tantek] or an audio-note recording client
#
jacky Yup!
#
barnaby in most cases the post type can be implied from the properties included by the client app, and when that’s not possible, using an internal token property to let the server know how to treat content from that particular client app gets the job done without having to add additional scopes
#
barnaby (afaik that’s how aaronpk’s MP server and consent screen works)
#
barnaby IMO additional scopes would only be necessary if client app behaviour changed significantly based on them
#
jacky do you mean the properties in the Micropub request made?
barnaby joined the channel
#
barnaby yep exactly
cybi, Seirdy and justOkay joined the channel
#
jacky ah yeah then hm I guess I can see that being a way to support clients that don't have the ability to report that (or servers that might not support it)
#
jacky I think tbh
#
jacky doing that + token introspection endpoint might be the more 'fool-proof' method
#
jacky for both the client and the Micropub server
[tw2113_Slack_], angelo, tbbrown, strugee, cybi, mro and tetov-irc joined the channel
#
[KevinMarks] hm, twitter's 'expand tweet script' is now broken for deleted tweets - it's not showing the fallback blockquote
mro joined the channel
#
[KevinMarks] https://twitter.com/kevinmarks/status/1508754955108241414?s=20&t=JHWdzvMLgHWGyIyOiX_dlA
#
@kevinmarks hi @TwitterEng - you broke the fallback case in the tweet embedding js for deleted tweets. Previously they would not be decorated and show the <blockquote> html version. Now they're turned into empty white boxes. Do you want us to go back to screenshots? (twitter.com/_/status/1508754955108241414)
#
sknebel given they e.g. expect API users to check tweets are still around I'm not surprised
mro and cybi joined the channel
#
[KevinMarks] https://twitter.com/benward/status/144855762836013056
#
@benward @arielwaldman The embed code is a <blockquote> containing the Tweet content. If it's deleted, or 1000 years in the future, the text remains. (twitter.com/_/status/144855762836013056)
#
[KevinMarks] longevity << https://twitter.com/benward/status/144855762836013056
#
Loqi ok, I added "https://twitter.com/benward/status/144855762836013056" to the "See Also" section of /longevity https://indieweb.org/wiki/index.php?diff=80452&oldid=79854
mro, jacky, mro_, samhenrigold[d] and cybi joined the channel
#
[manton] Wonder if it would be useful to push for bloggers to use https://quotebacks.net instead of Twitter embeds. Maybe a browser extension that makes it easy to copy embeds for tweets.
#
[manton] Micro.blog’s “Embed” link just uses Quotebacks with slight tweaks.
#
[manton] Doesn’t seem good to depend on Twitter for something as important as quoting a tweet. Also, privacy and tracking ramifications, I assume.
mro joined the channel
#
[KevinMarks] Ben's original design was good, but the embedded tweets do seem to take up huge amounts of space now https://twitter.com/kevinmarks/status/1508754959591956481
#
@kevinmarks Here's an old example post of mine. Notice how the 2 deleted tweets are blank, making nonsense of the narrative: http://epeus.blogspot.com/2012/04/draw-something-ceo-grace-and-high.html It first looked like this, then showed deleted ones as HTML, now it's blobs. https://pbs.twimg.com/media/FPAsfAZWUAEgeA-.jpg (twitter.com/_/status/1508754959591956481)
#
[manton] Yeah, tweet embeds now have more of a mini Twitter interface in them.
#
jacky I do like the presentation of quotebacks
#
[manton] I personally don’t feel the need to help Twitter with their engagement numbers. 🙂
#
jacky heh
#
jacky I wonder if there's a means of doing some sort of twitter URL -> quoteback (and falling back to archive.org if it's been deleted)
#
jacky a means or a need
#
[manton] In theory maybe the Quotebacks browser extension could intercept the embed links on twitter.com and reformat them.
#
jacky ah true
#
sknebel what is quotebacks?
#
Loqi A quotation is a type of response post that is primarily a subset of the contents of another post, and often has a citation of that other post https://indieweb.org/quotebacks
barnaby joined the channel
#
[KevinMarks] the twitter script looks for a blockquote of class "twitter-tweet" and decorates the url found in it. https://twitter.com/benward/status/547771372681052160
#
@benward @lhl You can manually construct embed codes: Just need <blockquote class=twitter-tweet> containing a permalink with the Tweet ID. (twitter.com/_/status/547771372681052160)
#
[KevinMarks] so you could write your own decorator that overrides that
#
jacky [manton]: I can see me using quotebacks with my site when JS is enabled as a way to improve my /reply-context
#
jacky I don't see that being too difficult for me
#
jacky easy way to promote it and tbh to have a more friendly UX (they put more thought into it than I did)
#
sknebel from a look at the JS, a lot of that could also be done server-side
#
sknebel (or even all)
jacky, ben_thatmust and chenghiz_ joined the channel
#
eb I have been thinking a bit about designing websites for less technical people for "free". I have been seeing an increase of people forming digital gardens with obsidian and blogs with writefreely/substack. I believe in ownership over your content to some degree, but for many the thought of making a static website/wordpress site is daunting. I'm wondering if anyone had had similar thoughts. I
#
eb envision something like a coop, where there is shared hosting for websites as a part of this program (if needed). God I feel like an advertisement for some junk, I don't know if this is something people actually need or if it's a good idea. The thought process is somewhat inspired by https://drewdevault.com/make-a-blog, I want to see a very diverse community of indiewebbers, right now it
#
eb feels very developer focused
cybi and barnaby joined the channel
#
jacky that depends on how you look at the community
#
jacky AFAIK, a lot of people on https://micro.blog aren't developers
#
jacky I've been meaning to try out Obsidian for personal note taking for some time now
#
jacky but w.r.t a co-op of web sites, that reminds me of the https://tildeverse.org/
#
jacky namely https://tilde.club/
#
jacky that said, I'd be interested in seeing some sort of cooperative site hosting (which isn't anything new!)
jacky and cybi joined the channel
#
sknebel what is neocities?
#
Loqi NeoCities is a free website hosting silo in the spirit of defunct silo GeoCities (Yahoo shutdown in 2009) that looks like a stepping stone to getting started on the IndieWeb https://indieweb.org/NeoCities
#
[schmarty] 🤔 Neocities supports using your own domain if you are a $60/yr supporter
#
[schmarty] silo at the free tier, indieweb-friendly at the paid tier.
#
barnaby $5 a month is pretty reasonable for hosting IMO
#
barnaby I pay a little less for my shared hosting, but that’s only because I have a multi-year deal
#
barnaby do neocities have built in TLS support?
#
sknebel yes
[chrisaldrich] joined the channel
#
sknebel (just stumbled over it again and wanted to check if we have an article. we dont really cover the social side of it which they at least try to build it seems, but I have no big insight into that either)
#
sknebel (i.e. highlight pages, saw some mention of webrings, ... - needs looking at and capturing :D)
barnaby and jacky joined the channel
#
[KevinMarks] well, twitter broke tweet embedding on purpose https://twitter.com/tweetanor/status/1508876355873738752?s=20&t=Gi61E-GAEa1WroyPdIfv2g
#
@tweetanor @kevinmarks @TwitterEng Hey Kevin! We're doing this to better respect when people have chosen to delete their Tweets. Very soon it'll have better messaging that explains why the content is no longer available :) my DMs are open if you'd like to chat more about this (twitter.com/_/status/1508876355873738752)
#
barnaby back to screenshots and copy/pasting text then
#
barnaby I suspected that might be the case
#
barnaby tweet URLs don’t contain tweet content in the source any more, so my site’s auto-archiving of everything I link to doesn’t help much in that case
#
barnaby I should probably block archiving for twitter.com, rather than accumulate hundreds of files containing meaninless JSON blobs embedded in HTML
#
[tantek] or special-case archiving for twitter.com
#
[tantek] could model it on their 2007-era permalink HTML 🙂
#
barnaby yeah, make my own mf2 marked-up archive pages using data from their API
#
barnaby definitely an option
#
[tantek] giving your own personal Twitter archive pages a classic Twitter look would be fetch
#
[KevinMarks] they have the oembed endpoint that gives you the blockquote
#
barnaby huh I had forgotten about oembed
#
barnaby interesting
#
[KevinMarks] though if the tweet is deleted it gives you a blob of html with an error in
#
barnaby well when it’s deleted their API likely doesn’t return any content either, so no archiving is going to work at that point
#
[KevinMarks] except archive.org if you're lucky
#
barnaby yeah I’ve also considered looking into pinging archive.org or archive.is for my automatic archiving, if it’s possible
#
barnaby that’s assuming that they’ve special-cased twitter’s SPA enough to be able to effectively archive it
#
[tantek] it has mixed results currently. some tweets appear to be archived, others don't
#
[KevinMarks] I think I need to write this up properly. Twitter is using its embed code to edit other people's articles.
cybi and [benatwork] joined the channel
#
[tantek] be sure to get in a proper Xanadu dig regarding the naïveté of transclusion as a technology
cybi and tetov-irc joined the channel