#dev 2022-08-10

2022-08-10 UTC
#
[tantek]
I get that it seems to collapse into some sort of productivity tracking system, but I think that really misses the point, especially when it comes to (semi-)passive activities
#
[schmarty]
gRegor: nice! Would love to be added to test. My regular site supports indieauth-metadata https://martymcgui.re
#
[tantek]
like read/watch/listen feel fundamentally different as a set/category of "experiences" compared to say walk/run/bike/swim or even drive
#
[schmarty]
Looks like that "me" field is not marked as a url. My phone tried to "Http" it and I 😖
#
gRegor
*hacker voice* "you're in"
#
[tantek]
ironically, [schmarty]'s home page link-preview here in Slack demonstrates the relevance of such "passive" activities: "He also enjoys *listening to podcasts, reading*, and posting photos." [*emphasis* added]
#
gRegor
Ah, yeah, balance of "let people enter just the domain name" vs convenience of url field
#
gRegor
should be able to sign in now [schmarty]
#
gRegor
huzzah!
#
[schmarty]
Tho I have both indieauth-metadata and the fallbacks so I can't tell which it got the auth and token endpoints from 😅
#
[schmarty]
Let me double check but I think I am sending that 🤔
#
gRegor
ah, that's part of the latest spec. is your authorization endpoint sending back 'iss' along with 'me'?
#
gRegor
It will need to match 'issuer' from your metadata: https://martymcgui.re/api/indieauth
#
[schmarty]
Oh in the code return to the redirect_uri? I doubt it! I thought that was just for the response when you redeem the code
#
gRegor
the latter, iirc
#
gRegor
should add some better debug on my end for this next version
#
[schmarty]
hmmm. it should definitely be returning it now but i am getting the same missing_iss 🤔
#
gRegor
Let me turn on some debugging. I can show all the params at least temporarily on that error page
#
[schmarty]
thanks! and i'll double-check the spec and what i'm returning
#
[schmarty]
currently sending the user back to the redirect_uri with just code and state in the URL, which i think is right.
#
[schmarty]
oh! it _is_ supposed to be in the redirect response
geoffo joined the channel
#
[schmarty]
looks like https://martymcgui.re/ has been removed from the list of allowed `me` values for dev.indiebookclub.biz 🤔
#
gRegor
Can't have these kids on my lawn
#
gRegor
just a moment, almost done :)
#
gRegor
[schmarty], clear cookies for the dev site and try now. Error page should show all the query parameters returned.
#
gRegor
is now curious about implementing some indieauth.rocks tests
#
gRegor
I thought we had those, but probably remembering micropub
#
[schmarty]
ok yeah i had introduced some chaos in that `iss` value. cleaned it up and it looks good??
#
[schmarty]
yeah there are no indieauth.rocks tests though i once got excited about them https://indieweb.org/User:Martymcgui.re/IndieAuth-Endpoint-Testing
#
gRegor
I see you signed in, so looks good!
#
gRegor
thanks for testing, and glad to help test your server, haha
#
[schmarty]
good job being the first indieauth client i've encountered that actually expects `iss` 😐
#
[schmarty]
i feel like indieauth has kind of got brittle with all the "generic" oauth2 stirred in
#
gRegor
That's via my pending PR: https://github.com/indieweb/indieauth-client-php/pull/19 I think it's ready pending review, this was just me trying it out on IBC
#
gRegor
Was pretty easy to implement in IBC, just a couple lines.
#
Loqi
[gRegorLove] #19 Add support for IndieAuth metadata endpoint
#
[schmarty]
yeah it's not on you so much as like there's a lot of new must/should stuff that simply breaks compatibility with older stuff including aaronpk's "flagship" indieauth.com
#
gRegor
Yeah, and a lot of these need to keep things around so indie apps work, like I still advertise the auth and token endpoints in addition to metadata
#
[schmarty]
i guess as long as you're not requiring `iss` during an oauth dance without an `indieauth-metadata` endpoint...
#
gRegor
'iss' is only required if there's a metadata endpoint
#
gRegor
So that should backcompat well
#
[schmarty]
(no ia-meta means no `issuer` means no `iss`)
#
[schmarty]
word yeah
#
[schmarty]
gRegor++
#
Loqi
gRegor has 7 karma in this channel over the last year (48 in all channels)
#
[schmarty]
in that case, as you said: thanks for making the first spec-compliant client to test my server against 😂
#
gRegor
I'm gonna resist indieauth.rocks tests as tempting as it is right now. too many things, haha
#
gRegor
it's hard when you feel on a roll though
#
[schmarty]
sometimes inertia is the only way!
#
gRegor
Added autocapitalize=off on the sign in field
#
[schmarty]
aha, thanks!
#
[schmarty]
still wishes iOS safari would autocomplete URL inputs https://martymcgui.re/2020/05/25/a-hole-in-browser-autofill-support/
zanne, alecj and alecjonathon joined the channel
#
GWG
gRegor: It let me log in
alecjonathon, geoffo and tbbrown joined the channel
#
[Jamie_Tanna]
gRegor I'm happy to do some testing on dev.indiebookclub.biz if you fancy another!
tbbrown, petermolnar, pmlnr, tetov-irc, [tantek], nertzy, cjw6k, alecjonathon, alecj, geoffo and chenghiz_ joined the channel; alecjonathon left the channel
#
[tantek]
has anyone here looked into or used Haven? looks like it has both "private" RSS feeds, and a reader that can read them? https://havenweb.org/2022/01/29/haven-reader.html
#
[aciccarello]
Does haven have any options for changing templates? I see they have css you can modify
#
[aciccarello]
I guess if you're self-hosting you can do whatever.
kloenk joined the channel
#
[schmarty]
from that Haven post, pikapods definitely looks interesting as a slightly friendlier face on cloud hosting. gonna dig in and see if they have docs on how to host new apps there.
#
[schmarty]
couldn't find docs on adding new apps to pikapod. they have a request / discussion forum here: https://feedback.pikapods.com/
#
[schmarty]
looks like they have one person who does the setup and support. easiest path seems to be to provide a docker config for standing up a working project that listens on a single https port. there are some restrictions on what other services it needs internally like they seem to support mysql and postgresql but maybe not redis, etc.
[sebsel] and neceve joined the channel
[KevinMarks] and barnaby joined the channel
#
barnaby
tucked away at the bottom of this article are two code snippets you can use to interfere with the tracking code injected by the instagram/fb in-app browsers https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser
#
barnaby
I just added it to my site
#
[tantek]
oh that is very interesting
#
[tantek]
regarding: "It’s also easy for an app to detect if the current browser is the Instagram/Facebook app by checking the user agent, however I couldn’t find a good way to pop out of the in-app browser automatically to open Safari instead."
#
[tantek]
perhaps even detecting and warning a user that they are being tracked (and explicitly telling them how to open the page in Safari) would be a good use of a "detect if the current browser is the Instagram/Facebook app" approach
[tonz] joined the channel
#
[tonz]
Would it be possible to detect the IG/FB browser header and redirect to an error message for the visitor explaining the problem (and showing the article with those snippets) as well?
#
[tonz]
ah, same thoughts
#
[tantek]
error/warning is an option yes
#
[tantek]
you could also provide a more "locked down" version of your page, e.g. no form fields, nothing for users to "enter data" and thus be tracked (keylogged) by FB
#
barnaby
I think it’d be entirely reasonable to redirect to a different page if you know there’s a chance of sensitive information being intercepted, yeah
#
barnaby
such as in an auth flow, as aaron just pointed out on twitter
#
[tonz]
like “this comment form isn’t loaded because FB would keylog your data as you’re viewing this from inside FB/IG”
#
barnaby
otherwise a banner/locked down version of the page seems appropriate
#
[tantek]
or "sign-in is disabled because you are viewing this inside IG/FB and they inject a script that can track everything you enter" etc.
#
[tonz]
do we know what user agent IG/FB uses?
#
[tantek]
[Simon_Willison] in case you see this, we're chatting about https://twitter.com/simonw/status/1557426481109667843 here in #indieweb-dev
#
@simonw
This is really grim, if not entirely unexpected: apparently the Instagram mobile app injects additional JavaScript into every page that's loaded using the in-app embedded browser - here's the tool @KrauseFx built to track changes made to the DOM when loading a page https://twitter.com/krausefx/status/1557412468368052225 https://pbs.twimg.com/media/FZ0XIWaUUAEeTxl.jpg
(twitter.com/_/status/1557426481109667843)
#
AramZ-S[m]
on iOS it uses Webkit like everyone else is forced to
#
AramZ-S[m]
but presumably it is equally a problem on Android devices.
#
[tantek]
which browser engine it uses is not the same as which User Agent string it uses
#
[tantek]
many different browsers (User Agents) use the same browser engine
#
AramZ-S[m]
oh sorry, yeah, it does have one of its own I think. Facebook's is particularly popular in analytics - https://developers.whatismybrowser.com/useragents/explore/software_name/facebook-app/
[KevinMarks] joined the channel
#
AramZ-S[m]
I'm actually amazed this is a surprise to anyone, though very happy to see an intercept there
#
[tonz]
“We’ve got 3.6 million Facebook App User Agents in our database” “We’ve got 358,484 Instagram User Agents in our database.” The IG likely all contain instagram, the FB ones do all contain FB somewhere, but unsure if there are non-FB ones that do too.
#
AramZ-S[m]
Usually the WebView user agent is attached if the app doesn't make a specific setting of the user agent I think.
[benatwork] joined the channel
#
AramZ-S[m]
There are absolutely sites out there that react to being in in-app browsers. https://twitter.com/Chronotope/status/1557447427556270080
#
AramZ-S[m]
oops wrong link
gRegor joined the channel
#
[aciccarello]
Is this something that CSP could resolve instead of id specific hacks
#
gRegor
[Jamie_Tanna], Thanks! added jvt.me to the allowlist. Mainly testing sign in with the metadata endpoint. Last night I added 'profile' support too, so if you return that it should use that name/photo in the header. Falls back to your representative h-card.
#
[Jamie_Tanna]
Nice, that's worked 👏
#
gRegor
Awesome. So I think https://github.com/indieweb/indieauth-client-php/pull/19 is ready for final review and merge pending no issues.
#
gRegor
[schmarty], probably already know, but just in case: on your site in Chrome, your name overlaps your photo instead of being to the right
#
gRegor
looks correct in Firefox
#
gRegor
firefox++
#
Loqi
firefox has 1 karma in this channel over the last year (3 in all channels)
#
[schmarty]
gRegor: hah, thanks, I did not know. because i don't chrome when i can help it.
#
IWDiscordGateway
<capjamesg> [Jamie_Tanna] I'm struggling with a Go issue.
#
[schmarty]
leaves it
#
IWDiscordGateway
<capjamesg> I have a JSON file structured like this [[{"key": "value"}], [{"key": "value"}]].
jamietanna joined the channel
#
IWDiscordGateway
<capjamesg> Thank you so much!
#
IWDiscordGateway
<capjamesg> I have been having a really hard time with JSON in Go.
#
[Jamie_Tanna]
You're welcome. Definitely takes a bit of getting used to. I can help a bit more tomorrow if you need anything but hopefully that's enough to start with ☺
#
Loqi
AramZ-S has 2 karma in this channel over the last year (4 in all channels)
#
[tantek]
AramZ-S++
#
omz13
jamietanna nice playground example, but please avoid using panic like that in go
#
omz13
that is a very recoverable situation and panic is overkill
#
IWDiscordGateway
<capjamesg> I got my list of lists working!
#
IWDiscordGateway
<capjamesg> But now I realise my data isn't structured properly so I'll have to fix that haha.
#
IWDiscordGateway
<capjamesg> That's enough for today 😄
gxt, tetov-irc and geoffo joined the channel