#dev 2022-07-10

2022-07-10 UTC
jacky joined the channel
#
@murtuza_surti
Time to integrate webmentions into my blog syntackle!
(twitter.com/_/status/1545973586233417728)
jacky, chee, [tw2113_Slack_], GWG, mro, geoffo and tetov-irc joined the channel
#
vikanezrimaya
IndieAuth question! The Spec says in the indieauth metadata some values are not optional, like `introspection_endpoint`, yet all examples consistently omit it. Is this an error in the spec or in the example?
#
[Jamie_Tanna]
Good spot vikanezrimaya that looks like an oversight and we should add it to the examples
#
vikanezrimaya
[Jamie_Tanna]: yay, I found an error!
#
Loqi
giggles
#
vikanezrimaya
It looks like `introspection_endpoint` support is up to the implementation and only if it wishes to interoperate with external clients
#
vikanezrimaya
or, more likely, external server applications that serve clients and authenticate them using IndieAuth
#
vikanezrimaya
eh, the exact wording is best left to other people, I'm not good with words when I'm thinking about code
#
IWDiscordGateway
<AkatsukiLevi> Hiya
#
IWDiscordGateway
<AkatsukiLevi> Small question about IndieAuth, got interested on it
#
IWDiscordGateway
<AkatsukiLevi> I'm currently working on the development of a federated social network for roleplaying
#
IWDiscordGateway
<AkatsukiLevi> And i'm wanting to use IndieAuth for authentication
#
IWDiscordGateway
<AkatsukiLevi> So far as I understood, the only thing people have to input is their URL; in the case of this network, it could be the URL to the profile (so for example, `akatsukilevi.covenfox.com`)
#
IWDiscordGateway
<AkatsukiLevi> let's say i'm not `akatsukilevi`, if i put this URL there would somebody else be able to login as me?
#
IWDiscordGateway
<AkatsukiLevi> Or is there something that is done to prevent somebody else authenticating as me?
#
IWDiscordGateway
<AkatsukiLevi> reading the docs now, I quite understood the gist of it
#
IWDiscordGateway
<AkatsukiLevi> reading the docs now, I quite understood the gist of it(yeah i'm dumb lol)
#
vikanezrimaya
@AkatsukiLevi (Assuming your federated social network is an identity provider) Since the burden of identity proof is on the identity provider, your federated social network is free to request any proof from whoever tries to authenticate as akatsukilevi.covenfox.com - for example, ask them to authenticate using their password.
#
vikanezrimaya
My own website, for example, will demand proof in form of WebAuthn authentication (using a security key or Windows Hello PIN to unlock an encrypted credential)
#
vikanezrimaya
Anyone who tries to authenticate as me will get redirected to my website, which will demand proof by asking me to authenticate with my security key - and if whoever tries to impersonate me cannot present this proof, they're out of luck
#
IWDiscordGateway
<AkatsukiLevi> So I can, for example, make a simple login form with local accounts
#
vikanezrimaya
I used a password in the past, so whoever wanted to impersonate me had to learn the password
#
IWDiscordGateway
<AkatsukiLevi> for example, `auth.covenfox.com` for people to login
#
vikanezrimaya
@AkatsukiLevi exactly! and on the IndieAuth, check if they're logged in and ask to log in, and then continue authentication with the identity of whoever logged in
#
IWDiscordGateway
<AkatsukiLevi> and then when they access someone's profile (eg: `akatsukilevi.covenfox.com`), if the profile is the one of the logged in account, it will have the rel-me
#
IWDiscordGateway
<AkatsukiLevi> otherwise it wouldn't have and auth wouldn't pass
#
IWDiscordGateway
<AkatsukiLevi> this is lit
#
IWDiscordGateway
<AkatsukiLevi> if it is someone accessing as normal, present public profile, if it is a login attempt, check if logged in and if not, redirect to login
#
IWDiscordGateway
<AkatsukiLevi> ayo this is easier than keycloak XD
#
vikanezrimaya
And for sites using IndieAuth as identity consumers (which means they allow logging in through IndieAuth), they trust the authorization endpoint to provide correct details, but verify that the authorization endpoint belongs to whoever tries to authenticate by checking if their profile page contains a link to it
#
vikanezrimaya
So, for example, if I want to log in on our IndieWeb wiki, it asks me for my URL, then redirects me to my authorization endpoint which asks me to present proof of my identity, and then the authorization endpoint gives the wiki the green light to log me in
#
vikanezrimaya
Depending on if you're an identity provider or an identity consumer, you will go with one of the two sides of this flow
#
IWDiscordGateway
<AkatsukiLevi> got it!
#
vikanezrimaya
(and I have to implement both... because I want others to be able to log in to my own website to view private posts)
#
IWDiscordGateway
<AkatsukiLevi> Same thing XP
#
vikanezrimaya
@AkatsukiLevi oh, so you want to support both internal identities and external ones
#
vikanezrimaya
that's not gonna be easy, but it will be extremely useful for your users
#
IWDiscordGateway
<AkatsukiLevi> I mean, the network is federated
#
vikanezrimaya
Ah, right... Yes, that makes a lot of sense
#
IWDiscordGateway
<AkatsukiLevi> Also got interested with the idea of using a website to authenticate
#
IWDiscordGateway
<AkatsukiLevi> Since my idea is to allow users to make their url profile `akatsukilevi.covenfox.com` into a literal website of their choice
#
IWDiscordGateway
<AkatsukiLevi> kinda like geocities/neocities
#
IWDiscordGateway
<AkatsukiLevi> i made a smol login page
#
IWDiscordGateway
<AkatsukiLevi> wait does images works correctly with the bridges?
#
IWDiscordGateway
<jacky> It might
#
IWDiscordGateway
<jacky> https://chat.indieweb.org/dev is the fastest way to check
#
IWDiscordGateway
<jacky> Yeah it did!
#
IWDiscordGateway
<AkatsukiLevi> It shows up as a link, nice
#
IWDiscordGateway
<AkatsukiLevi> This is cool af
#
Xe
is it normal for microformats json to be a pain in the ass to parse in Rust?
#
sknebel
in the sense that it's a bit too dynamic in structure? probably
#
sknebel
(I don't remember, does the rust parser have some native rust structures as output that do some of that work?)
#
vikanezrimaya
Xe: I'm using the microformats crate, but it has a bug with implied properties which is tracked here: https://gitlab.com/maxburon/microformats-parser/-/issues/7
#
vikanezrimaya
For working with MF2-JSON in general, I just use serde_json and query fields manually
#
vikanezrimaya
It's easier in async code, because all of the `microformats` types are !Send + !Sync
jacky and mro joined the channel
#
@gholk5566
I feel like webmention and Mastodon could be combined one-sidedly, so that links mentioned in toots, if they support webmention, can receive a notification of being mentioned. Just write a crontab to periodically check whether new toots contain hyperlinks. But the other side has no way to mention back.
(twitter.com/_/status/1546165471187087367)
rounin1 and jacky joined the channel
#
vikanezrimaya
IndieAuth spec question: why does the introspection endpoint require authentication? This seems restrictive if one wants to connect an external service to authenticate users using tokens, say, an external Microsub implementation like Aperture (side question for aaronpk: is Aperture updated to handle the new spec?)
jeremycherfas and jacky joined the channel
#
jacky
I think that's to prevent a rogue client from just taking a token and sending it to the endpoint to read information about it from it
#
jacky
though from what it looks like, I _think_ you can use the same token in question _as_ the method for auth
#
jacky
that's from a cursory glance at the spec, I have yet to implement this
#
jacky
I think GWG wrote something at length a while ago explaining these changes a bit, might have context there
#
GWG
jacky: I did
#
vikanezrimaya
If I was implementing a rogue client and wanted to mess around, I personally would try to send Micropub requests or attempt destructive actions and see how quickly my token gets revoked
#
GWG
vikanezrimaya: The introspection endpoint is not supposed to be used by clients. But, OAuth2 introspection requires some form of auth. You can specify none as the auth type in the metadata file though
#
jacky
ahh I see why
#
vikanezrimaya
In any case, while reading related specs and registries I found that the introspection endpoint allows to use Bearer tokens as a method of auth
#
jacky
that spec page says this:
#
GWG
vikanezrimaya: It also allows for basic auth
#
GWG
I wrote the draft for those sections of the spec based on what happened at the popups and the OAuth2 Introspection Endpoint rfc
#
vikanezrimaya
GWG: Specifying "none" would go against section 6.1, quote: "The endpoint MUST also require some form of authorization to access this endpoint..."
#
vikanezrimaya
"none" is not some form of authorization in the sense that it implies there is no form of authorization required
#
vikanezrimaya
which is against section 6.1
#
GWG
vikanezrimaya: I agree, just saying it is an option
#
GWG
I think someone did it
#
vikanezrimaya
well that's technically a spec violation then 🤔
#
jacky
it's not a spec if _someone_ violates it ;)
#
vikanezrimaya
more like "it's not a spec if nothing violates it"... though it's more of a bad spec than not a spec then
#
GWG
I agree, so basic auth is minimum
#
vikanezrimaya
Anyway I transcribed the whole IndieAuth protocol in Rust structs with strong typing: https://git.sr.ht/~vikanezrimaya/kittybox/commit/9ca0e358dc95e7358815886b061288f04a7d29af#kittybox-rs/indieauth
#
vikanezrimaya
I think that's a good first step for in-house IndieAuth
#
vikanezrimaya
It's also usable by clients! At least it should be and I probably will reuse it for a client
#
jacky
nice work vikanezrimaya++
#
Loqi
vikanezrimaya has 3 karma over the last year
#
vikanezrimaya
now I will need to write the first user of that library, Kittybox's identity provider...
jacky joined the channel
#
jacky
ooh I see this note about using serde https://git.sr.ht/~vikanezrimaya/kittybox/commit/9ca0e358dc95e7358815886b061288f04a7d29af#kittybox-rs/indieauth/src/scopes.rs-1-43, you could cheat a bit I think with `#[serde(from="String")]` wherever you need to use it - to reduce the use of a derive ;)
#
jacky
been using it for some work stuff, benchmarked it a bit and it does make a subtle difference
#
jacky
the way you're doing it (with `AsRef<str>` or `ToString`) is the idiomatic way!
#
vikanezrimaya
jacky: the Scopes type is probably the most complex type of this library, because Vec<T> is ordered, and I needed an unordered set that serializes to a string (because oauth2 is weird and requires scope to be a space-separated string)
#
vikanezrimaya
I basically implemented an unordered list on top of an ordered list and then manually implemented Serialize and Deserialize for it
#
vikanezrimaya
if it was Python i'd use a set but I kinda forgot how to do sets in Rust... probably could replace it with HashMap<Scope, ()>?
#
vikanezrimaya
Anyway, the fact that it uses Vec is an implementation detail and can be changed later
#
vikanezrimaya
checking a scope is O(n) and checking for multiple scopes is O(n^2)
#
vikanezrimaya
using HashMap<Scope, ()> could cut one `n` out of the complexity, turning it into O(1) and O(n) respectively
#
vikanezrimaya
serializing and deserializing a list to a string is such a pain that I even deemed it worthy of a unit-test
#
jacky
would `HashSet` work for you? I was thinking of moving the one in the indieweb to use that (but I haven't seen a pressing need)
#
jacky
the way I do comparison is a bit interesting too because I want to include support for prefixed scopes
#
vikanezrimaya
It is in fact implemented in terms of HashMap<T, ()> so it's exactly what I was talking about above
#
vikanezrimaya
jacky: oh, prefixed scopes!
#
jacky
ah okay
#
vikanezrimaya
I haven't seen the need for prefixed scopes for myself, but it's a nice addition to the system
#
jacky
yeah I'd want it for things like locking a soon-to-come client to _only_ post a specific kind of post
#
vikanezrimaya
In any case, if a desired comparison is not provided, I have an escape hatch that allows me to get &[Scope] and inspect it myself
#
vikanezrimaya
Prefixed scopes could be implemented on top of that
[snarfed] joined the channel
#
[snarfed]
lists of scopes will probably have 10-20 ish elements at most, right? at that size none of the complexity or algorithmic considerations will really matter 😁
#
vikanezrimaya
Honestly yeah, I don't see it as a big point for optimization
#
jacky
[snarfed]: exactly - big reason why I left it in a list
#
[snarfed]
jacky++
#
Loqi
jacky has 27 karma in this channel over the last year (61 in all channels)
#
[snarfed]
make it work, make it right, then - only if it's actually measurably too slow - make it fast
#
vikanezrimaya
Oops, I already found my first bug
#
vikanezrimaya
And it's already worthy to be called security issue!
#
vikanezrimaya
And that's why one should always write unit tests even if the code seems obvious
#
[snarfed]
testing++
#
Loqi
testing has 3 karma in this channel over the last year (5 in all channels)
#
[snarfed]
(also tests are for the future even more than present!)
#
vikanezrimaya
I use a lot of unit tests on my storage backends to ensure they will never fail to read the data they wrote
#
GWG
[snarfed]: I think of you each time I do something with unit testing
[KevinMarks] joined the channel
#
Loqi
GWG has 17 karma in this channel over the last year (73 in all channels)
jacky, [chrisaldrich] and [schmarty] joined the channel
#
IWDiscordGateway
<AkatsukiLevi> Aand guess what?
#
IWDiscordGateway
<AkatsukiLevi> It works
#
sp1ff
What is the difference, in terms of markup, between a post and a note? I mean, I get that a note is a short-form post, but is there any programmatic difference, in terms of microformats, between the two?
#
GWG
A note is a type of post
#
GWG
There are many types
#
GWG
It refers to the characteristics
#
GWG
For one, a note doesn't have an explicit title
#
sp1ff
Ah, good example.
#
sp1ff
No p-name
tetov-irc joined the channel