#dev 2022-09-04

2022-09-04 UTC
neceve, neceve_, gRegorLove_, bterry, geoffo, cjw6k, [Jamie_Tanna]1, voxpelli, jonnybarnes, klez_, Demi, vikanezrimaya, kushal, rockorager, ancarda, srushe, eb, Feoh, capjamesg, jbove, rrix, aaronpk, sebsel, Saphire, Xe, [chrisaldrich], IWDiscordGateway, [Jamie_Tanna], Ruxton_, gxt, sivoais, jeremycherfas, tommorris, s[_], benji, lanodan, Kaja, rhiaro, alecjonathon, willnorris, jan6, GWG, chenghiz_, omz13, jjuran, Zegnat, joshproehl, sebbu, Pyroxtheythem[m], Steve[m]1231, zack[m], AramZ-S[m], mambang[m], strugee, angelo, sknebel, Seirdy, pmlnr, Guest5425, ben_thatmust, [manton], nsh, lagash, kandr3s, tetov-irc, gerben, superkuh, oodani_, t0nic, kloenk, nathan[m], walkah, BinarySavior_, moose333, h4kor[m], totertats, BinarySavior, sara, [manton]1, [jeremycherfas] and barnaby joined the channel
#
barnaby for the IWC Berlin hack day I’m working on long-overdue issues in taproot/indieauth, starting with https://github.com/Taproot/indieauth/issues/12
#
Loqi [martymcguire] #12 Normalize client_Id
#
barnaby relevant previous chat: https://chat.indieweb.org/dev/2022-07-28#t1659023548487400
#
Loqi [[schmarty]] in other news i think owncast's indieauth implementation is slightly broken? when starting an indieauth flow on their test server at https://watch.owncast.online/ the `client_id` they send does not include a path component. is it OK to assume `/` if ...
#
barnaby and I have a few questions
#
barnaby if this normalisation applies to all urls, should it apply to redirect_uri as well as client_id?
#
barnaby in requests to the token endpoint, the submitted client_id and redirect_uri are compared to the original authorization request, failing if they don’t match. Should this comparison take place after normalisation?
#
barnaby the indieauth client library has normalizeMeURL which performs this normalisation, but additionally rejects URLs with fragments. Does this restriction apply to client_id and redirect_uri as well, or do I need to write a different normalisation function which allows client_id/redirect_uri with fragments?
#
barnaby would appreciate any insights [schmarty] aaronpk Zegnat etc!
#
barnaby in the meantime I’ll start working on something easier xD
geoffo joined the channel
#
[schmarty] I think in my workaround I just apply normalizeMeURL() to client_id whenever it is in a request. Also yay! barnaby++
#
Loqi barnaby has 9 karma in this channel over the last year (20 in all channels)
#
Loqi woot
#
barnaby [schmarty]: yep, I had a look at your middleware! Good to hear that it works as a temporary solution, but I want to avoid repeating this a year later when someone shows up with a client_id containing a fragment ;)
#
barnaby and any opportunity to improve the spec by clarifying things which are vague is good IMO
neceve_ joined the channel
#
Zegnat barnaby: I have to double check on redirect URLs, but client_id MUST NOT contain fragments. So you should not have problems there.
#
barnaby good to know, thanks Zegnat
#
Zegnat I think in general fragments are ignored because per HTTP spec they do not identify resources?
#
Zegnat But will double check in a bit once I've finished my morning cup of tea :D
#
capjamesg [James_Van_Dyne] I have a new io-refactor branch on indieweb-utils for your review :)
#
capjamesg I will need to write updated docstrings for everything. I will do that once we agree on the different types of IO to support.
[James_Van_Dyne] joined the channel
#
[James_Van_Dyne] Sweet, I’ll give it a look
#
Zegnat barnaby: I cannot find the definition of the redrect Uri in the indieauth spec. But in OAuth it looks like it MUST NOT have a fragment: https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2
#
Zegnat So it is fine to throw an error of either client or redirect URIs include fragments
#
barnaby okay, that’s good enough for me, I’ll reuse the normalizeMeURL as-is, and add some test cases for rejecting client_id and redirect_uri if they have fragments
#
barnaby thanks Zegnat++
#
Loqi Zegnat has 9 karma in this channel over the last year (16 in all channels)
#
Zegnat You should not need to do normalisation I think, at all, because a faulty URL is a sign of a faulty client. But if course you may do it regardless
#
capjamesg [James_Van_Dyne] We're doing the IndieWebCamp hack day today if you want to join.
#
Loqi it is probable
#
[James_Van_Dyne] Almost bedtime for me 😄
#
capjamesg Oh of course :facepalm:
#
[schmarty] barnaby: re: unfetchable client_id - I have non-web microsub (scripts) and Micropub (iOS shortcuts) where it doesn't make sense to have a web page for them
#
[schmarty] Heh oops left the word "clients" out of that sentence
#
barnaby Zegnat: my assumption that normalisation was necessary was based on the previous question about in-the-wild client_ids without path segments, where the consensus was that they should be normalised. I was only asking about fragments to check whether I could use the indieauth client library normalisation function
#
barnaby [schmarty]: isn’t that what the separation of client_id and redirect_uri is for, in theory? but I agree regardless, per the spec unfetchable client_id shouldn’t be a hard fail, provided the client_id is otherwise valid
tetov-irc joined the channel
#
Zegnat I agree that unfetchable client_id should not be hard fails, it just means no client information can be discovered. I guess there is no harm in normalising them (or canonicalising, as the indieauth spec calls it) because that is what all HTTP clients I know of do anyway (if you do not provide a path, it is set to / on request). But it is probably still a faulty client URI if no path is provided *shrug*
#
Zegnat Same goes for redirect_uri, I suppose. I would just be less lenient there, because that URL is always meant to resolve and should even be mutable as the server will add query parameters to it.
#
Zegnat Huh. Interesting. I think OAuth allows empty paths for redirect_uri.
#
Zegnat barnaby: I think it might be fine to do normalizeMeURL, *but* only if the redirect_uri is a HTTP(S) url
#
Zegnat Reading the code for normalizeMeURL from IndieAuth/Client, it actually returns false for non http/https URLs. So you already have to have that check in place. A redirect_uri is not limited to HTTP.
#
barnaby [schmarty]: did this bug cause a problem for you, or did you find it just by reading through the source? https://github.com/Taproot/indieauth/issues/13
#
Loqi [martymcguire] #13 Allow `.` and `~` in `code_challenge`
#
barnaby it’s correct and I’ll fix it, but afaik . and ~ will never show up in s256 pkce code challenges because the code verifier is base64urlencoded
#
barnaby so it’d only actually cause problems if the code challenge was sent plain
#
barnaby I actually had a test for that already https://github.com/Taproot/indieauth/blob/main/tests/FunctionTest.php#L132
jamietanna joined the channel
#
jamietanna Is `2022-09-04T12:45:00+0100` a valid date we should be allowing in Micropub? Or should it have a colon in the offset i.e. `2022-09-04T12:45:00+01:00` ? Go, by default, only allows a colon, but thought I'd check as Indigenous for Android sends without one
#
jamietanna I notice we don't specify exactly what date formats are expected, likely to allow folks to choose themselves? Or is ISO8601/RFC3339 implied?
#
barnaby afaik ISO8601 is assumed (should likely be specified) and no colon in the timezone component is valid ISO8601, so should be accepted
#
jamietanna Ah gotcha, I'll add support for falling back to colon-less as well then :)
kloenk joined the channel
#
Zegnat I like to refer to the HTML spec for datetime, as that is what I would expect in mf2.
#
Zegnat But there too both with and without colon is valid: https://html.spec.whatwg.org/multipage/text-level-semantics.html#the-time-element:valid-time-zone-offset-string
#
Zegnat barnaby: I heard you ask something re ticket auth. Probably not very useful, but here is the code of my test implementation from last year: https://gist.github.com/Zegnat/116b29ed0ef0e3f346583c48388ecc41
#
[Jamie_Tanna] Although not officially in the hack day, I've been making some progress on my private journal site, and getting closer to open sourcing the Go micropub library portions, so folks can get a drop-in micropub endpoint 🙌
#
sknebel Zegnat capjamesg there was this discussion re "whats the token valid for" https://github.com/indieweb/indieauth/issues/83
#
Loqi [aaronpk] #83 Should a token grant access to anything more specific than the specified resource?
#
GWG I'm contemplating the topic of weather codes
#
GWG I store the weather summary as text and an icon, thinking of using a code so it can be translated
#
capjamesg https://github.com/capjamesg/micropub/blob/fd037886db921f73b14e896c04f5686ad9735cc0/templates/post/create_post.html
#
barnaby Another IndieAuth question: https://indieauth.spec.indieweb.org/#access-token-response uses “expires_in” as the key for access token lifetime on issuing, whereas the response from the token introspection endpoint uses “exp” for the same thing https://indieauth.spec.indieweb.org/#access-token-verification-response
#
barnaby is there a reason for the discrepancy? are these likely to be consolidated at some point, or will they remain separate?
#
barnaby huh, looks like both are part of OAuth. weird https://github.com/indieweb/indieauth/issues/81#issuecomment-907687677
#
Loqi [aaronpk] > Don't you mean `expires_at` (not `expiration`) which is the absolute (epoch time) version of the relative `expires_in` (seconds)? `expires_at` isn't a thing really. OAuth has `expires_in` for the access token response, and `exp` in the token int...
#
Zegnat barnaby: my guess is that the token introspection spec borrowed a lot from terms used by tokens found in the wild. And `exp` is the standard property for JWTs.
#
barnaby ah, I see. weird, but provided it’s consistent and not likely to change in the future, fine by me
#
Zegnat It will be consistently inconsistent ;)
#
Zegnat What I was working on: packaging taproot/indieauth with some code into a PHAR file so you could do a 1-file deploy of an up-to-date indieauth endpoint on any PHP server.
#
Zegnat Hope to continue that work tonight
#
barnaby Zegnat: oh very cool, sounds similar to what [schmarty] was working on I think?
#
Zegnat Maybe. Im not up to date with chat
#
capjamesg https://www.w3schools.com/html/html5_geolocation.asp
#
GWG capjamesg: What prompted that?
#
capjamesg GWG Geolocation?
#
GWG Yes, what about it?
#
capjamesg We're working through issues with the JS geolocation API.
#
capjamesg If you are free and could join the call, we could sure use your help if you have experience with it.
#
GWG Give me a minute, just eating
#
GWG I need an invitation...fancy
#
GWG In the 'waiting room'
#
[tantek]4 w3schools-- w3fools++
#
Loqi w3schools has -1 karma over the last year
#
Loqi w3fools has 1 karma over the last year
#
barnaby heads-up to anyone experimenting with taproot/indieauth (Zegnat, [schmarty]): in the latest commit I changed the internal format of JSON tokens slightly, to better match the terms used in the spec. If you have issues with old tokens being invalid, that’s why
#
barnaby more info here https://github.com/Taproot/indieauth/issues/5
#
Loqi [barnabywalters] #5 Refer to expires_in as the recommended expiry property name
gRegorLove__ joined the channel
#
[schmarty] barnaby++ thanks for so many taproot/IndieAuth updates!! I recall I ran into issue 13 and had to change something. I should have documented. 🤔
#
Loqi barnaby has 10 karma in this channel over the last year (21 in all channels)
#
barnaby [schmarty]: np, they’re long overdue! looking forward to working on refresh tokens next
#
[tantek]4 confirmed barnaby, "blog" is in the auto-linker: https://github.com/tantek/cassis/blob/master/cassis.js#L1313
#
GWG barnaby: Refresh tokens aren't required, but they are a good safety measure.
#
GWG As I said in the IndieAuth: New Stuff session...they were always a possibility, but people weren't going to implement them until there was some guidance in the spec.
#
barnaby [tantek]4: good to know, I’ll make sure my copy is up to date an investigate if that doesn’t fix it
#
barnaby GWG: indeed, but my goal with taproot/indieauth is to make a reliable and widely useful IA implementation, so I want to cover as much of the spec as I can
#
barnaby heading out now, bye everyone!
#
[tantek]4 barnaby, it's been there for 5 years 😂 how old of a version are you running?!? https://github.com/tantek/cassis/commit/9b9c78519e85b1a7025ffa3b7f692d7607943565
gRegorLove_, geoffo, cjw6k, AramZS and gRegorLove__ joined the channel
#
IWDiscordGateway <capjamesg> 🤣
jacky joined the channel
#
capjamesg [fluffy] Is there a way to get the webmention HTML from webmention.js?
#
capjamesg Rather than just the text.
[fluffy] joined the channel
#
[fluffy] It should be pretty easy to modify to extract that
#
[fluffy] It’s just using webmention.io’s API
#
[fluffy] I opted to only get the plain text just to prevent malicious markup from being injected into my comments list
#
[fluffy] Feel free to add it as a config option and send a pull request though 🙂
#
aaronpk webmention.io does extensive sanitization so it's safe to embed the html from it
tetov-irc, jacky and gRegorLove_ joined the channel