#dev 2022-05-01

2022-05-01 UTC
jacky, angelo, gRegor, neceve, mro, sebsel, hary and tetov-irc joined the channel
#
@YourOnlyONEofcl
So, I finished implementing #webmention #microformats2 and #indieweb (receive only for now) on my blogs (like: https://im.youronly.one/snoworld/). Hope it works. Time to watch #Kdrama #tv. I am so behind. ^_^ #microformats #YourOnlyOne
(twitter.com/_/status/1520729874016907264)
#
@lunamoth
↩️ I wonder whether Webmention has a spam problem. Trackback died out because of spam. Webmention http://bit.ly/2LqzzDk
(twitter.com/_/status/1520747798353698816)
#
GWG
I've been thinking about that idea of having web signin on my site, if there is no matching internal account, creating an unprivileged one to tie the domain into, so anyone with IndieAuth could get a login on my site.
#
GWG
Anyone have any thoughts on that? I believe [fluffy] lets anyone with IndieAuth log in.
#
GWG
And if the IndieAuth endpoint supports a profile return, then I could get name/email for the account optionally...
#
GWG
Hmm...
#
GWG
Someone tell me why this is a bad idea.
#
aaronpk
yes that is how i would expect it to work
#
aaronpk
the trick is to stop thinking about things as "accounts"
sebsel and [Sam_Butler] joined the channel
#
GWG
aaronpk: It's a WordPress thing...I can't give privileges without a local user id
#
GWG
But the person logging in doesn't need to know about it
gxt and jacky joined the channel
#
@t
@IndieWebCamp Düsseldorf is a wrap! For Create Day, I added code to my publishing system to only syndicate (POSSE) a reply post to Twitter if it actually has an @-name, otherwise if it’s a peer-to-peer reply, just directly send them a Webmention. https://tantek.com/t5JZ3
(twitter.com/_/status/1520809780725526529)
#
[tantek]
yay! got plain indieweb-to-indieweb replies all debugged and working (& not POSSEing) and made sure I didn't actually break "normal" auto-POSSEing of notes to Twitter! (^ that note/tweet was a test of that 🙂 )
#
Loqi
yay!
AramZS joined the channel
#
@TT_SemWeb
@IndieWebCamp Düsseldorf is a wrap! For Create Day, I added code to my publishing system to only syndicate (POSSE) a reply post to Twitter if it actually has an @-name, otherwise if it’s a peer-to-peer reply, just dire… https://tantek.com/2022/121/t3/indiewebcamp-wrap-send-webmention, see more https://tweetedtimes.com/topic/RWW/semantic-web?s=tnp
(twitter.com/_/status/1520817530671095808)
[fluffy] joined the channel
#
[fluffy]
@GWG In Publ there's no real “account” for people, it's just a URL, and a single database row with metadata about that URL. Actual authentication grants are based on the ACLs around the identity URL.
#
[fluffy]
Publ doesn't even see it as being “indieauth” or “email” or “twitter” or whatever, it's just a URL which it trusts to be authenticated by Authl.
#
[fluffy]
Which is also how the mailto: and test: schemata work.
#
[fluffy]
The only indieauth-specific functionality in Publ itself is getting the ticket auth endpoint and even then that could be provided by any identity provider, not just indieauth, and the manual request grant flow doesn't even touch Authl.
#
GWG
[fluffy]: I have no other way to do access control... but I was referring more to the philosophy you use
#
[fluffy]
Yeah my philosophy is that all logins are allowed and access control is based on what the login has access to, not based on there being a login
#
GWG
[fluffy]: I just need to tie it to a user id because that's the architecture
#
[fluffy]
Yeah, it makes sense for how WordPress was designed.
gxt and [sebsel] joined the channel
#
GWG
[fluffy]: Still, could bring some exciting possibilities in future
#
[fluffy]
Yeah. Also I don't think that adding a user account per login is going to break the bank on storage or anything.
#
[fluffy]
Like I can't imagine the database has to store all that much for a user.
#
[fluffy]
Probably just a few dozen/hundred bytes.
h8h8h89h9h joined the channel
#
GWG
[fluffy]: I'm more wondering about a future avenue of attack where someone figures out a way to flood my list with dozens of requests.
#
[fluffy]
Yeah I was thinking about that too but like. That seems kind of far-fetched? I suppose it'd be possible to generate many many accounts with something like anyauth.beesbuzz.biz
#
[fluffy]
That sort of attack would also mess up Publ though, because even if it doesn't make a fully fledged user account there's still a database row per logged in identity.
#
GWG
[fluffy]: I figured it was far-fetched
#
GWG
Besides, I'd like to have the problem of someone wanting to spin up an indieauth endpoint to make my life difficult
#
[fluffy]
But at that point you also have to worry about the size of your access_log
#
GWG
[fluffy]: I just try to think ahead in my designs
#
[fluffy]
yeah, it’s easy to fall into an analysis paralysis hole though
#
[fluffy]
it’s hard to find the balance between Perfect and Done.
#
GWG
I'm not sure when I'd get to this, because I'd want to pair it with an access control list, and that's a bit more involved. I have some smaller things first.
#
[fluffy]
Is there a particular requirement that you even use WordPress accounts? You could make your own ACL system and base it on identity tokens/cookies that get set at a different layer.
#
GWG
I try to not go too far outside of the built-in services. I feel it discourages adoption if I do.
#
GWG
Right now, tokens are issued against user_ids as well. I'd have to reengineer that as well.
#
GWG
I'm really not worried about issuing users
[jgmac1106] joined the channel
#
[jgmac1106]
if you like search and discovery I encourage you to read: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-332.pdf the section on federated cloud discovery and metadata may be useful
[KevinMarks] joined the channel
#
[jgmac1106]
added a bit of a hack to my notes publishing workflow...instead of worrying about navigation I just publish two files "latest note" and the one with a canonical date url, I use next and prev nav if anyone wants to chase down rabbit hole
#
aaronpk
here's another thought, you don't even have to create a user record in your internal storage unless it actually would give you access to something
jacky and Seirdy joined the channel
#
[jgmac1106]
aaronpk I am with you 100% and that has implications for things like webmentions...which in a way become a user record without consent
#
[jgmac1106]
I live in a land of trying to push authorization to identity while meeting boundary based security requirements. ZTA and IndieWeb are synonymous IMO
#
[jgmac1106]
and there are examples of discovery in the document utilizing a no-user-record solution but don't look to NIST for cutting edge security...just to the security you often have to do
#
[jgmac1106]
(I argue you gave consent when you published on a publicly available webserver but that is a perspective not shared across the globe)
gxt and tetov-irc joined the channel
#
@YourOnlyONEofcl
So, apparently, #webmention related bots are blocked (503) by @Cloudflare. Setting a Firewall Allow/Bypass doesn't work. Only solution: turn off the "Bot Fight Mode" setting. Then #Bridgy #WebmentionApp and other webmention related services start to work. #IndieWeb #Cloudflare
(twitter.com/_/status/1520899580782837760)
#
@YourOnlyONEofcl
#Webmention related bots are blocked (503) by @Cloudflare. Setting a Firewall (Allow/Bypass) doesn't work. Only solution: turn off the "Bot Fight Mode" setting. Then #Bridgy #WebmentionApp and other webmention related services start to work. #IndieWeb #Cloudflare
(twitter.com/_/status/1520899947813810176)