#dev 2022-09-04

2022-09-04 UTC
neceve, neceve_, gRegorLove_, bterry, geoffo, cjw6k, [Jamie_Tanna]1, voxpelli, jonnybarnes, klez_, Demi, vikanezrimaya, kushal, rockorager, ancarda, srushe, eb, Feoh, capjamesg, jbove, rrix, aaronpk, sebsel, Saphire, Xe, [chrisaldrich], IWDiscordGateway, [Jamie_Tanna], Ruxton_, gxt, sivoais, jeremycherfas, tommorris, s[_], benji, lanodan, Kaja, rhiaro, alecjonathon, willnorris, jan6, GWG, chenghiz_, omz13, jjuran, Zegnat, joshproehl, sebbu, Pyroxtheythem[m], Steve[m]1231, zack[m], AramZ-S[m], mambang[m], strugee, angelo, sknebel, Seirdy, pmlnr, Guest5425, ben_thatmust, [manton], nsh, lagash, kandr3s, tetov-irc, gerben, superkuh, oodani_, t0nic, kloenk, nathan[m], walkah, BinarySavior_, moose333, h4kor[m], totertats, BinarySavior, sara, [manton]1, [jeremycherfas] and barnaby joined the channel

barnaby
for the IWC Berlin hack day I’m working on long-overdue issues in taproot/indieauth, starting with https://github.com/Taproot/indieauth/issues/12

Loqi
[martymcguire] #12 Normalize client_Id

Loqi
[[schmarty]] in other news i think owncast's indieauth implementation is slightly broken? when starting an indieauth flow on their test server at https://watch.owncast.online/ the `client_id` they send does not include a path component. is it OK to assume `/` if ...

barnaby
and I have a few questions

barnaby
if this normalisation applies to all urls, should it apply to redirect_uri as well as client_id?

barnaby
in requests to the token endpoint, the submitted client_id and redirect_uri are compared to the original authorization request, failing if they don’t match. Should this comparison take place after normalisation?

barnaby
the indieauth client library has normalizeMeURL which performs this normalisation, but additionally rejects URLs with fragments. Does this restriction apply to client_id and redirect_uri as well, or do I need to write a different normalisation function which allows client_id/redirect_uri with fragments?

barnaby
would appreciate any insights [schmarty] aaronpk Zegnat etc!

barnaby
in the meantime I’ll start working on something easier xD
geoffo joined the channel

[schmarty]
I think in my workaround I just apply normalizeMeURL() to client_id whenever it is in a request. Also yay! barnaby++

Loqi
barnaby has 9 karma in this channel over the last year (20 in all channels)

Loqi
woot

barnaby
[schmarty]: yep, I had a look at your middleware! Good to hear that it works as a temporary solution, but I want to avoid repeating this a year later when someone shows up with a client_id containing a fragment ;)

barnaby
and any opportunity to improve the spec by clarifying things which are vague is good IMO
neceve_ joined the channel

Zegnat
barnaby: I have to double check on redirect URLs, but client_id MUST NOT contain fragments. So you should not have problems there.

barnaby
good to know, thanks Zegnat

Zegnat
I think in general fragments are ignored because per HTTP spec they do not identify resources?

Zegnat
But will double check in a bit once I've finished my morning cup of tea :D

capjamesg
[James_Van_Dyne] I have a new io-refactor branch on indieweb-utils for your review :)

capjamesg
I will need to write updated docstrings for everything. I will do that once we agree on the different types of IO to support.
[James_Van_Dyne] joined the channel

[James_Van_Dyne]
Sweet, I’ll give it a look

Zegnat
barnaby: I cannot find the definition of the redirect URI in the indieauth spec. But in OAuth it looks like it MUST NOT have a fragment: https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2

Zegnat
So it is fine to throw an error if either client or redirect URIs include fragments

barnaby
okay, that’s good enough for me, I’ll reuse the normalizeMeURL as-is, and add some test cases for rejecting client_id and redirect_uri if they have fragments

barnaby
thanks Zegnat++

Loqi
Zegnat has 9 karma in this channel over the last year (16 in all channels)

Zegnat
You should not need to do normalisation I think, at all, because a faulty URL is a sign of a faulty client. But of course you may do it regardless

capjamesg
[James_Van_Dyne] We're doing the IndieWebCamp hack day today if you want to join.

Loqi
it is probable

[James_Van_Dyne]
Almost bedtime for me 😄

capjamesg
Oh of course :facepalm:

[schmarty]
barnaby: re: unfetchable client_id - I have non-web microsub (scripts) and Micropub (iOS shortcuts) where it doesn't make sense to have a web page for them

[schmarty]
Heh oops left the word "clients" out of that sentence

barnaby
Zegnat: my assumption that normalisation was necessary was based on the previous question about in-the-wild client_ids without path segments, where the consensus was that they should be normalised. I was only asking about fragments to check whether I could use the indieauth client library normalisation function

barnaby
[schmarty]: isn’t that what the separation of client_id and redirect_uri is for, in theory? but I agree regardless, per the spec unfetchable client_id shouldn’t be a hard fail, provided the client_id is otherwise valid
tetov-irc joined the channel

Zegnat
I agree that unfetchable client_id should not be hard fails, it just means no client information can be discovered. I guess there is no harm in normalising them (or canonicalising, as the indieauth spec calls it) because that is what all HTTP clients I know of do anyway (if you do not provide a path, it is set to / on request). But it is probably still a faulty client URI if no path is provided *shrug*

Zegnat
Same goes for redirect_uri, I suppose. I would just be less lenient there, because that URL is always meant to resolve and should even be mutable as the server will add query parameters to it.

Zegnat
Huh. Interesting. I think OAuth allows empty paths for redirect_uri.

Zegnat
barnaby: I think it might be fine to do normalizeMeURL, *but* only if the redirect_uri is an HTTP(S) URL

Zegnat
Reading the code for normalizeMeURL from IndieAuth/Client, it actually returns false for non http/https URLs. So you already have to have that check in place. A redirect_uri is not limited to HTTP.

barnaby
[schmarty]: did this bug cause a problem for you, or did you find it just by reading through the source? https://github.com/Taproot/indieauth/issues/13

Loqi
[martymcguire] #13 Allow `.` and `~` in `code_challenge`

barnaby
it’s correct and I’ll fix it, but afaik . and ~ will never show up in s256 pkce code challenges because the code verifier is base64urlencoded

barnaby
so it’d only actually cause problems if the code challenge was sent plain
jamietanna joined the channel

jamietanna
Is `2022-09-04T12:45:00+0100` a valid date we should be allowing in Micropub? Or should it have a colon in the offset i.e. `2022-09-04T12:45:00+01:00` ? Go, by default, only allows a colon, but thought I'd check as Indigenous for Android sends without one

jamietanna
I notice we don't specify exactly what date formats are expected, likely to allow folks to choose themselves? Or is ISO8601/RFC3339 implied?

barnaby
afaik ISO8601 is assumed (should likely be specified) and no colon in the timezone component is valid ISO8601, so should be accepted

jamietanna
Ah gotcha, I'll add support for falling back to colon-less as well then :)
kloenk joined the channel

Zegnat
I like to refer to the HTML spec for datetime, as that is what I would expect in mf2.

Zegnat
barnaby: I heard you ask something re ticket auth. Probably not very useful, but here is the code of my test implementation from last year: https://gist.github.com/Zegnat/116b29ed0ef0e3f346583c48388ecc41

[Jamie_Tanna]
Although not officially in the hack day, I've been making some progress on my private journal site, and getting closer to open sourcing the Go micropub library portions, so folks can get a drop-in micropub endpoint 🙌

sknebel
Zegnat capjamesg there was this discussion re "whats the token valid for" https://github.com/indieweb/indieauth/issues/83

Loqi
[aaronpk] #83 Should a token grant access to anything more specific than the specified resource?

GWG
I'm contemplating the topic of weather codes

GWG
I store the weather summary as text and an icon, thinking of using a code so it can be translated

barnaby
Another IndieAuth question: https://indieauth.spec.indieweb.org/#access-token-response uses “expires_in” as the key for access token lifetime on issuing, whereas the response from the token introspection endpoint uses “exp” for the same thing https://indieauth.spec.indieweb.org/#access-token-verification-response

barnaby
is there a reason for the discrepancy? are these likely to be consolidated at some point, or will they remain separate?

Loqi
[aaronpk] > Don't you mean `expires_at` (not `expiration`) which is the absolute (epoch time) version of the relative `expires_in` (seconds)? `expires_at` isn't a thing really. OAuth has `expires_in` for the access token response, and `exp` in the token int...

Zegnat
barnaby: my guess is that the token introspection spec borrowed a lot from terms used by tokens found in the wild. And `exp` is the standard property for JWTs.

barnaby
ah, I see. weird, but provided it’s consistent and not likely to change in the future, fine by me

Zegnat
It will be consistently inconsistent ;)

Zegnat
What I was working on: packaging taproot/indieauth with some code into a PHAR file so you could do a 1-file deploy of an up-to-date indieauth endpoint on any PHP server.

Zegnat
Hope to continue that work tonight

barnaby
Zegnat: oh very cool, sounds similar to what [schmarty] was working on I think?

Zegnat
Maybe. I'm not up to date with chat

GWG
capjamesg: What prompted that?

capjamesg
GWG Geolocation?

GWG
Yes, what about it?

capjamesg
We're working through issues with the JS geolocation API.

capjamesg
If you are free and could join the call, we could sure use your help if you have experience with it.

GWG
Give me a minute, just eating

GWG
I need an invitation...fancy

GWG
In the 'waiting room'

[tantek]4
w3schools-- w3fools++

Loqi
w3schools has -1 karma over the last year

Loqi
w3fools has 1 karma over the last year

barnaby
heads-up to anyone experimenting with taproot/indieauth (Zegnat, [schmarty]): in the latest commit I changed the internal format of JSON tokens slightly, to better match the terms used in the spec. If you have issues with old tokens being invalid, that’s why

Loqi
[barnabywalters] #5 Refer to expires_in as the recommended expiry property name
gRegorLove__ joined the channel

[schmarty]
barnaby++ thanks for so many taproot/IndieAuth updates!! I recall I ran into issue 13 and had to change something. I should have documented. 🤔

Loqi
barnaby has 10 karma in this channel over the last year (21 in all channels)

barnaby
[schmarty]: np, they’re long overdue! looking forward to working on refresh tokens next

[tantek]4
confirmed barnaby, "blog" is in the auto-linker: https://github.com/tantek/cassis/blob/master/cassis.js#L1313

GWG
barnaby: Refresh tokens aren't required, but they are a good safety measure.

GWG
As I said in the IndieAuth: New Stuff session...they were always a possibility, but people weren't going to implement them until there was some guidance in the spec.

barnaby
[tantek]4: good to know, I’ll make sure my copy is up to date and investigate if that doesn’t fix it

barnaby
GWG: indeed, but my goal with taproot/indieauth is to make a reliable and widely useful IA implementation, so I want to cover as much of the spec as I can

barnaby
heading out now, bye everyone!

[tantek]4
barnaby, it's been there for 5 years 😂 how old of a version are you running?!? https://github.com/tantek/cassis/commit/9b9c78519e85b1a7025ffa3b7f692d7607943565
gRegorLove_, geoffo, cjw6k, AramZS and gRegorLove__ joined the channel

IWDiscordGateway
<capjamesg> 🤣
jacky joined the channel

capjamesg
[fluffy] Is there a way to get the webmention HTML from webmention.js?

capjamesg
Rather than just the text.
[fluffy] joined the channel

[fluffy]
It should be pretty easy to modify to extract that

[fluffy]
It’s just using webmention.io’s API

[fluffy]
I opted to only get the plain text just to prevent malicious markup from being injected into my comments list

[fluffy]
Feel free to add it as a config option and send a pull request though 🙂

aaronpk
webmention.io does extensive sanitization so it's safe to embed the html from it
tetov-irc, jacky and gRegorLove_ joined the channel