#dev 2022-09-19

2022-09-19 UTC
[snarfed] and geoffo joined the channel

[jgarber]
> will be nice to have example parsers with img.alt out there

Loqi
[jgarber623] micromicro: A Ruby gem for extracting microformats2-encoded data from HTML documents.
geoffo joined the channel

gRegor
Cool. Is that a different parser than https://github.com/microformats/microformats-ruby? (I don't know Ruby well)

Loqi
[microformats] microformats-ruby: Ruby gem that parses HTML containing microformats/microformats2 and returns Ruby objects, a Ruby hash or a JSON hash
Poo joined the channel

@Naitakal
How come I haven’t heard about webmentions until just now? I really need to see how I can implement this in a useful way for my website. Thanks for your post about it! http://adrianmouat.com/posts/enabling-webmention-for-comments/ via @adrianmouat
(twitter.com/_/status/1571604480017195008)

@ariadneconill
this thread outlines why web-wide single sign on (e.g. via the indieauth variant of OIDC) is critical if we want to live in a world where we have agency as internet participants.
(twitter.com/_/status/1571803106576576512)
tetov-irc joined the channel

[jgarber]
gRegor: yes, it's a different parser from the official Ruby parser.
[Jamie_Tanna] joined the channel

[Jamie_Tanna]
Is there a way to get Granary to show a user's tweets, including retweets? Or is Twitter-atom needed?

[Jamie_Tanna]
I've got a List on Twitter that doesn't seem to be including RTs
geoffo and AramZS joined the channel

[snarfed]
[Jamie_Tanna] thanks for the report! I think I'm seeing the same thing, I'll look
corlaez joined the channel

corlaez
RSSHub allows twitter (and many other sites) to generate RSS https://docs.rsshub.app/en/

corlaez
I don't know if you need to spin your own server for twitter, I know that their tiktok parser on the demo instance is pretty nerfed down

[snarfed]
hah also there's no UI: https://rsshub.app/

[snarfed]
[Jamie_Tanna] fixed! thanks for reporting!

[Jamie_Tanna]
You're welcome, thanks for the speedy fix 👏

corlaez
so, after their critique of mf they actually describe a tool that could be interesting to have for mf2. Like some sort of automatic validation https://youtu.be/Je6G4IUYcGI

corlaez
letting you know if you broke something in real time

vikanezrimaya
Good morning IndieWeb! I am currently seeking feedback on testing my implementation of an IndieAuth client, because I seem to have encountered a bug that could be sitting in my library and I want to iron it out.

vikanezrimaya
This is the helper. Compiling it (using cargo build --feature=cli --bin kittybox-indieauth-helper) should give a binary that will lead one through the process of IndieAuth and hopefully acquire a token

vikanezrimaya
Something seems to be off about PKCE challenges, because my website doesn't want to authenticate Quill, which I presume has a well-behaved IndieAuth implementation

vikanezrimaya
The helper obviously seems to work well with my own website, because they use the same library.

aaronpk
base64-url-encoding is slightly different than base64-encoding

aaronpk
that's usually what trips people up

vikanezrimaya
I am in fact using what should be Base64Url encoding, as evident in L77

aaronpk
the other common problem is if your sha256 function returns a hex char string rather than raw bytes

vikanezrimaya
I believe the Rust type system should make that highly improbable, but I will check in a minute...

aaronpk
you can compare the output of your code_challenge function with this site which is a correct implementation of the PKCE challenge https://example-app.com/pkce

vikanezrimaya
aaronpk: thank you! I didn't know about that resource

vikanezrimaya
I'll make a few test-cases using data from this tool; maybe the results will help in achieving enlightenment on this issue

aaronpk
hm you know what i should do is move that code into oauth.net

[tantek]
Nice

vikanezrimaya
Ok, I glued up a simple test case that compares the output of the challenge with the known-good value. Let's see how spectacularly it fails

vikanezrimaya
lol the padding

vikanezrimaya
everything is right except my implementation inserted one character of padding apparently?!

vikanezrimaya
is it permissible to Base64-decode the hash before comparing? that could solve the problem

aaronpk
interesting, let me check something

aaronpk
here's the pkce spec describing its encoding without padding https://www.rfc-editor.org/rfc/rfc7636#appendix-A

vikanezrimaya
Ah, I see, PKCE mandates all padding to be removed beforehand! That was my mistake.

vikanezrimaya
I shall update the library to remove the padding from the code challenges then.

aaronpk
here's the base64 encoding spec saying that padding is not required if used by a spec that says it's not required https://www.rfc-editor.org/rfc/rfc4648#section-3.2

vikanezrimaya
aaronpk++ you're absolutely amazing

Loqi
aaronpk has 32 karma in this channel over the last year (111 in all channels)

vikanezrimaya
how do you remember all of this? or do you have a search engine tailored to searching for RFCs somewhere?

aaronpk
i have spent a lot of time in the pkce weeds and i also know how to follow references between specs

vikanezrimaya
Ah, the references! I sometimes forget they're there -- I guess I have a lot to learn in terms of RFC-surfing

vikanezrimaya
I often neglect that...

aaronpk
it's not obvious until you get used to RFCese

vikanezrimaya
RFCese 😂

vikanezrimaya
Ok, the test passes now that I've stripped the padding. I guess I should update my production environment then
neceve and gRegor joined the channel

GWG
aaronpk continues to impress.

vikanezrimaya
with this commit, I should have fully self-hosted IndieAuth. One more step to full autonomy

vikanezrimaya
invalid_authorization_endpoint

vikanezrimaya
at least it's different tho!

vikanezrimaya
i wish i could see exactly what quill sees... I might need to improve my debug logging

gRegor
progress! :)
tetov-irc joined the channel

vikanezrimaya
Oh really? The address needs to match byte-for-byte?! (`/.kittybox/indieauth/auth` in https://fireburn.ru/, `https://fireburn.ru/.kittybox/indieauth/auth` in metadata endpoint)

vikanezrimaya
I thought Quill would canonicalize the URL... oh no

Loqi
Vika

vikanezrimaya
Loqi: yes, that's me

vikanezrimaya
I need to check the spec...

vikanezrimaya
> ...verify that URL declares the same authorization endpoint as was discovered in the initial discovery step...

vikanezrimaya
> The URLs discovered MAY be relative URLs, in which case *the client MUST resolve them relative to the current document URL*... (emphasis mine)

vikanezrimaya
this leads me to believe that Quill doesn't expand the relative URL the second time and therefore is not compliant. aaronpk your thoughts?

vikanezrimaya
debugging IndieAuth is fun

gRegor
I don't think Quill consumes the metadata endpoint yet, so would fall back to rel=authorization_endpoint, which it seems to be canonicalizing correctly

gRegor
My endpoints are relative too and I can sign in.
geoffo joined the channel

gRegor
You're signing in with https://fireburn.ru correct? For me, Quill ends up at your authorization_endpoint prompting for login and scopes

Loqi
Vika

gRegor
the indieauth-client lib Quill uses has a PR for that though: https://github.com/indieweb/indieauth-client-php/pull/19

Loqi
[gRegorLove] #19 Add support for IndieAuth metadata endpoint

gRegor
Would love to get that into a new release :)

vikanezrimaya
Hm, let me try https://

vikanezrimaya
Ok, it did make a difference!

vikanezrimaya
Weird! I thought Quill was supposed to follow the chain of redirects properly...

vikanezrimaya
aaa! I caught a spec error!!!

vikanezrimaya
scope isn't listed as a parameter in spec text, yet is present in the example, and Quill also requires it!

vikanezrimaya
aaronpk: should "scope" be present in access token grant response? Spec doesn't mention it, example in spec does, Quill requires it in the wild

vikanezrimaya
Probably a mistake

gRegor
For authorization (not just authentication), at least one scope is required

vikanezrimaya
No, this is response, not request.

vikanezrimaya
In the request, scopes are present, but Quill wants to have "scope" in response to see which scopes the user granted to the app

gRegor
? "The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching client_id and redirect_uri, contains at least one scope"

vikanezrimaya
> The token response is a JSON object containing: - access_token (required)... - me (required)... - profile (optional)... - expires_in (recommended)... - refresh_token (optional)...

vikanezrimaya
no mention of "scope"

vikanezrimaya
EXAMPLE 12: has "scope" parameter

vikanezrimaya
Quill: > The token endpoint did not return a "scope" parameter. The `scope` parameter lets this client know what permission the token represents.

vikanezrimaya
I was transcribing the spec when building my IndieAuth library, and did not include a scope: Scopes parameter in my GrantResponse::AccessToken {...}

gRegor
Ah, gotcha. Yeah that part might need to be updated in spec. I think it's needed in that response because the client needs to know which scopes they selected. Client can ask for certain scopes, but user can limit them further.

gRegor
Checked my server and it is returning scopes

vikanezrimaya
My endpoint has limiting scopes as a defining feature. Actually, I went one step further. The default is to grant no scopes, user must explicitly allow any requested scopes

vikanezrimaya
I want scope granting to feel intentional

gRegor
Makes sense

vikanezrimaya
I want the user to click checkboxes with intent and understanding (which is why I also have user-friendly explanations for scopes, and even a small-ish explainer at the top, which I tested on my non-techy friends even!)
barnaby joined the channel

barnaby
vikanezrimaya sounds cool, do you have a screenshot of that in action? would be worth adding to https://indieweb.org/consent_screen

vikanezrimaya
I can make one real quick!

barnaby
I need to add screenshots of my indieauth implementation’s consent screen there too, now that I styled it up

barnaby
and good catch on that section of the spec and the example, looks like it needs updating. clients definitely need scope information so that they can confirm that the user granted the scopes they need to work (or not, and adjust accordingly)

barnaby
I’ll make an issue on the spec, unless you feel like adding one?

vikanezrimaya
barnaby: go ahead

barnaby
the prose doesn’t mention token_type, which is in the example, so they’re clearly really out of sync

vikanezrimaya
how to upload files on the wiki?...

vikanezrimaya
looks good on the page with the rest of the examples

barnaby
ha ha yeah it’s very satisfying seeing people’s different UIs together! especially as login flows are inherently private

barnaby
really nice example! I think you might be the first person to prioritise prose descriptions of the scopes, and not display their internal names at all

vikanezrimaya
I targeted someone similar to my friends -- a non-techy person, and even tried to do some research by showing my friends the UI and asking them if they understand what's going on

barnaby
if an app requests unsupported scopes, do you present them at all or leave them out?

vikanezrimaya
I do present them! Let me look up my templates...

vikanezrimaya
`format!("(custom or unknown scope) <code>{}</code>", scope.as_ref())`

barnaby
when I was styling the auth templates for taproot/indieauth I made a little helper script which lets me preview the templates under various different conditions for quick debugging

vikanezrimaya
(Scope::as_ref() gives a &str corresponding to serialized form of the scope)

barnaby
can definitely recommend this approach for handling all these weird edge cases ;)

vikanezrimaya
barnaby: I use live debugging on a Kittybox instance rigged to serve as a test stand

vikanezrimaya
to see how the user would see it

vikanezrimaya
not as comprehensive, but allows me to test entire flows at once

barnaby
ah yeah that’s also very useful. I don’t currently have a local test setup for a complete flow using an external client

vikanezrimaya
I wrote a special-purpose client that tests an entire IndieAuth flow. It's not too comprehensive but it helped me iron out some issues

barnaby
in theory my test cases cover almost 100% of the codebase, but it’d be nice to be able to work through the flow in a browser without having to deploy anything

vikanezrimaya
However, its vulnerability was using the same library as Kittybox for IndieAuth, which made me stumble when I tried a wild implementation

barnaby
hmmm maybe I will procrastinate adding more features by creating a test setup like that xD

vikanezrimaya
are features required for this? just bind to localhost and stub some "https" for "http" in some places where it's important

barnaby
I mean procrastinate on adding more features to the library itself! I need to get refresh tokens working, which means reworking the temporary JSON filesystem storage I was using into a minimal SQLite file instead

vikanezrimaya
...i store my tokens as flat files...

vikanezrimaya
what is SQLite /s

Loqi
It looks like we don't have a page for "SQLite /s" yet. Would you like to create it? (Or just say "SQLite /s is ____", a sentence describing the term)

barnaby
yeah me too, at the moment

vikanezrimaya
i plan to continue doing that

vikanezrimaya
flatfiles++

Loqi
flatfiles has 1 karma over the last year

vikanezrimaya
database--

Loqi
database has -1 karma over the last year

vikanezrimaya
databases are harder to hack on

barnaby
currently the auth codes are encrypted hashes of the access token, which is also the file name

vikanezrimaya
considering i still don't have an admin dashboard to enroll credentials, I had to manually create a file with the password hash

vikanezrimaya
barnaby: I generate a 16 char string for auth codes and 128 char string for tokens

vikanezrimaya
no way someone would guess a token or even a code...

vikanezrimaya
Also the ctime of the authcode is checked to ensure it's still valid; I capped it at 10 minutes

vikanezrimaya
filesystem metadata is awesome

vikanezrimaya
i basically get authcode validity checking for almost free, just one syscall... and as for cleaning up, I could make systemd-tmpfiles clean up stale codes after me!

vikanezrimaya
the novel thing I did in Kittybox for the token storage is actually sanitizing filenames, since an attack to read or delete some files would otherwise be trivial -- just try to access the authorization endpoint with a code like ../../../../../../../etc/passwd (of course Kittybox doesn't run as root and cannot read nor delete that file, but it could've attempted if not for me only allowing alphanumeric characters in codes and tokens!)

barnaby
yep, anything my code does with paths has the incoming data sanitized, the final path resolved, and then checked to ensure that it’s inside a hard-coded path prefix

barnaby
okay I raised an issue on the indieauth spec, feel free to clarify/expand on it https://github.com/indieweb/indieauth/issues/116

Loqi
[barnabywalters] #116 Clarify properties in access token grant response description and example