#dev 2022-12-02

2022-12-02 UTC
#
[tantek]
but using known solutions to known problems is so much less FUN aaronpk
#
[tantek]
and doesn't feel like you're taking part in a REVOLUTION! ✊
#
[tantek]
the existence of simple boring solutions to boring problems does nothing to help you blame big companies, capitalists (surveillance or otherwise), for all your struggles and problems in life.
#
[snarfed]2
🔥
#
[snarfed]2
[tantek] had curry for lunch
#
[tantek]
starts looking around for the cameras 👀
#
[KevinMarks]
A link preview caching proxy seems like a good answer. Didn't oEmbed do that a while ago? The Google favicon cache is ~ 15 years old now, and still works
#
[snarfed]2
it's all pretty heavily discussed in https://github.com/mastodon/mastodon/issues/4486 and beyond. they agree, but can't because decentralization. they don't want to trust other instances in case they're malicious
#
Loqi
[valentin2105] #4486 Mastodon can be used as a DDOS tool
mlncn joined the channel
#
[jacky]
Okay so I want to specify that a token is only usable for a particular resource. I'm thinking that `realm` might be the key I want to use per https://www.rfc-editor.org/rfc/rfc2617 (per https://www.oauth.com/oauth2-servers/the-resource-server/); would that make sense?
#
[jacky]
what is realm
#
Loqi
It looks like we don't have a page for "realm" yet. Would you like to create it? (Or just say "realm is ____", a sentence describing the term)
#
aaronpk
realm is something slightly different
#
aaronpk
where are you trying to indicate that the token is for only a particular resource?
#
[jacky]
lol ohno
#
gRegor
I think /AutoAuth used realm like that
#
[jacky]
I'm looking to use it to 'protect' the dashboard for my site (since it doesn't have any in-built auth outside of IndieAuth _and_ can show a different dashboard depending on whose local account is available)
#
[jacky]
[inb4 slowly rebuilding parts of wordpress in rust, lol]
#
aaronpk
one way to do that is scopes
#
[tantek]
love that preview image lol
#
[jacky]
ah okay yeah I see
#
[jacky]
a scope even makes more sense tbh
#
aaronpk
there's also Resource Indicators if you actually want the client to have to request it, but we haven't brought that into indieauth yet because it's not clear there is a need https://www.rfc-editor.org/rfc/rfc8707.html
#
[jacky]
checking the `me` + scope is good enough for me
#
aaronpk
the other way to do it without client involvement is the "audience" claim of a token
#
aaronpk
and you would only add the "dashboard" audience to your token based on some rule like it's *you* logging in
#
[jacky]
oh `resource` looks nice
#
aaronpk
yeah the resource indicator spec is useful *if* you need the client to be able to request a token for a particular resource because you can't infer it from some other reason
#
[jacky]
Okay so, with this info, I'll go with the `dashboard` scope (truly the easiest and would be a hint to assert against parts of the obtained token before even accepting it).
#
[jacky]
I think I need to read more on claims w.r.t. OAuth (I don't have the tooling, mainly using light assertions for that yet, but I have been looking at https://paseto.io/ as a means of implementation)
#
aaronpk
forget "claims" just think of it as internal properties associated with your tokens
#
aaronpk
but yeah scope is probably a good way to start with this, and you can make your own rules about which users are allowed to be granted which scopes. that's very common
#
aaronpk
and remember the client doesn't have to request a scope for the AS to grant it, you can make a rule on your server that says any time *you* log in the "dashboard" scope is always added
#
[jacky]
"Your server" would be the AS, here? Shock (the client, in this case) talks to Sele (the AS) as if it was a client
#
[jacky]
s/, here/ here/
#
aaronpk
sorry yes your AS
#
[jacky]
Gotcha! Okay
#
[jacky]
Actually, that makes this flow even a bit easier (can do a validation on the form before the whole dance)
#
[jacky]
thanks aaronpk!
#
[jacky]
aaronpk++
#
Loqi
aaronpk has 34 karma in this channel over the last year (110 in all channels)
#
[jacky]
okay now to add logic to immediately revoke the token if they're not allowed to use the `dashboard` scope
#
[jacky]
(which is what I'd want b/c I ask for it _right_ as they confirm that they'd want to sign into the dashboard)
[Joe_Crawford], mlncn, geoffo, Nuve, [jeremycherfas] and mro joined the channel
#
IWDiscordRelay
<capjamesg#4492> I thought I'd push myself to give a talk next year so I thought I'd start with something online: https://www.codementor.io/events/decentralized-website-communication-with-webmention-fwusximcte 😄
mro joined the channel
#
[tantek]
capjamesg++ looks great! Add it to events.indieweb.org
#
Loqi
capjamesg has 32 karma in this channel over the last year (89 in all channels)
mro, [marksuth] and mlncn joined the channel
#
IWDiscordRelay
<capjamesg#4492> Will do!
#
Loqi
[ilovecomputers] #21913 Support OAuth PKCE to allow third-party single-page apps to utilize best practice when authorizing with an instance
wskearney, mro, geoffo, mlncn and tiim joined the channel
#
aaronpk
[manton]: i'm seeing a lot of webmentions sent from micro.blog back to my site for the same posts, how often is that expected?
#
aaronpk
these are the webmentions sent to indicate that the post in my feed was picked up by micro.blog
#
[manton]
[aaronpk] I would only expect a single webmention… They all look the same?
#
[manton]
If they are coming in every few minutes it might be a bug with sending the webmention when it checks the feed even if the feed hasn’t changed.
#
aaronpk
my last two posts have received webmentions repeatedly
#
aaronpk
it's not hurting anything, but thought you might want to know
#
[manton]
Definitely. Thanks for letting me know. I’ll track it down.
#
[manton]
Don’t want Micro.blog to be extra chatty… that’s ActivityPub’s job! (Cheap shot. Sorry.)
#
[manton]
Speaking of, I blogged about my experience with Mastodon moving accounts. https://www.manton.org/2022/12/02/moving-from-mastodon.html
#
Loqi
[Manton Reece] Moving from Mastodon to a new instance or to Micro.blog
#
aaronpk
seems appropriate for indienews
#
[manton]
Just realized I forgot to document the Move JSON. I think I’ll update the post to include an example of that too.
[chrisaldrich] joined the channel
#
[snarfed]2
mantont++
#
Loqi
mantont has 1 karma over the last year
#
[snarfed]2
manton++
#
Loqi
manton has 26 karma in this channel over the last year (33 in all channels)
mro and gRegor joined the channel
#
[catgirlinspace]
what's a good way to handle authentication for myself on my website? like, i think i'd need a way to authenticate myself for logging into something like Quill for micropub right? should i just hash my own password and store it in a file, making it hardcoded?
#
aaronpk
as long as it's stored encrypted that's an easy way to go for sure
#
[aciccarello]
When is brute forcing passwords a concern? Do bots try dictionary attacks on authentication endpoints?
#
aaronpk
generally always a concern
#
aaronpk
some sort of 2fa is a good protection against that, or not using passwords
#
aaronpk
hopefully passkeys (webauthn) starts getting easier to implement because that's going to be way better in general
#
[catgirlinspace]
oh i didn't even think about 2fa. how hard is that to implement?
#
aaronpk
depends on which type
#
aaronpk
but also a long random string password is very unlikely to be brute forced
#
[snarfed]2
right
#
[snarfed]2
[catgirlinspace] if you make a long ish random password, and you don't use it anywhere else, and you use a password manager and only let it fill in your password on your site, you're fine, don't worry about 2FA
#
[snarfed]2
`pwgen 32 1` is a good low tech way
#
gRegor
Hm, Monocle is showing the alt text on my gif reply as the p-name. The preview tool doesn't though, interestingly. Might be older php-mf2 parser somewhere? https://monocle.p3k.io/preview?url=https%3A%2F%2Fgregorlove.com%2F2022%2F12%2Funtitled-0221201173524%2F
#
aaronpk
you're using monocle.p3k.io or your own version?
#
aaronpk
oh hm the monocle preview actually calls out to the hosted xray instance
#
aaronpk
the one in your account would have gone through aperture's mf2 parser which is at 0.4
#
gRegor
yeah, the p3k.io one, with aperture there as well
#
aaronpk
was that a change in 0.5?
#
gRegor
I thought it was earlier, but checking
#
gRegor
huh, yeah reduce implied p-name was on 0.4.0
#
aaronpk
ok it looks like it's running 0.4.6
#
[catgirlinspace]
is this a good design for handling sessions? on login page ask for password, then if correct set a cookie for like, checking totp code and redirect to ask for 2fa totp code. and then if that's correct, set a cookie for isAuthenticated and do whatever. all the cookies would be signed by the webserver i'm using.
#
gRegor
Aperture's using xray, right? Wonder if it's because my photos are still inside the e-content
#
gRegor
I know xray does some stuff to extract photos like that
#
[snarfed]2
[catgirlinspace] rolling your own auth is dangerous, really easy to leave holes. I'd strongly suggest you use a library or whatever's built into your web framework instead
#
[catgirlinspace]
i'm using oak which i don't think has much for auth (pretty much the deno equivalent of express i think). not aware of any good auth libraries for deno either.
paulrobertlloyd joined the channel
#
aaronpk
the other way to punt the auth problem is to use OAuth to a provider where your account actually is. (then of course you have to make sure you do OAuth right but hopefully there's a library for that, and if not, i know of some tutorials ;-)
#
[snarfed]2
^ yup
#
[catgirlinspace]
by "OAuth to a provider" that'd be like, GitHub right?
#
[catgirlinspace]
oooo dashport looks interesting.
#
[catgirlinspace]
thx for the link
#
aaronpk
yeah github, google, whatever
#
aaronpk
even your own auth0 account if you don't want to use a social provider
gRegorLove_, gRegorLove__ and geoffo joined the channel
#
[tantek]
welcome [Paul_Robert_Ll]!
mro and paulrobertlloyd joined the channel
geoffo joined the channel
#
[catgirlinspace]
how exactly would i implement using GitHub with indieauth (other than relmeauth)? like, would it redirect from my website's indieauth thing to GitHub and then back to my website and then to where i'm logging in?
#
[tantek]
yeah rel=me is the simpler answer there
#
aaronpk
do you mean how would you use github to log in to your own site?
#
aaronpk
that would involve creating an oauth app on github and plugging that in to your oauth library in dashport
mro and geoffo joined the channel
#
[tantek]
aaronpk, did you ever blog about implementing ActivityPub on your website in addition to all the IndieWeb things?
#
Loqi
[preview] Aaron Parecki
#
[tantek]
alright, I'll just have to write another note when you do
mro_, [benatwork] and [tw2113_Slack_] joined the channel
#
IWDiscordRelay
<jacky#7226> passkeys are still Apple-only, no?
#
aaronpk
passkeys were never apple only
#
aaronpk
that's the whole point, and that's why it's also not an uppercase P
#
IWDiscordRelay
<jacky#7226> hmm I think the docs I was reading for something made it seem like they were the only ones with support
#
IWDiscordRelay
<jacky#7226> trying not to overload myself with the shiny but if this is a good alt, I can remove this argon stuff
#
IWDiscordRelay
<jacky#7226> hmm
#
IWDiscordRelay
<jacky#7226> > passkeys are meant to roam within the boundaries of the vendor ecosystem they have been created in
#
IWDiscordRelay
<jacky#7226> this feels good and bad at the same time
#
IWDiscordRelay
<jacky#7226> I guess it's pushing up the key management to your OS (or service you interface with on the Web)
#
IWDiscordRelay
<jacky#7226> hope this allows for third party key managers to be used in a browser (like if I wanted to use BitWarden instead of Chrome's flow)
#
IWDiscordRelay
<jacky#7226> (I guess that's possible with FIDO)
#
IWDiscordRelay
<jacky#7226> for those curious about "docs", it's https://simplewebauthn.dev/ (I use this for the client side bits of implementing WebAuthn)
#
IWDiscordRelay
<jacky#7226> what is WebAuthn
#
IWDiscordRelay
<jacky#7226> /me squints at Loqi
#
aaronpk
it's meant to solve the problem of having only one USB FIDO key, this way it syncs with the OS so it'd be available on all your devices
#
aaronpk
apple did good PR about it which is why you probably associate it with them
#
IWDiscordRelay
<jacky#7226> yeah they were the first place I saw it mentioned
#
gRegor
what is webauthn
#
Loqi
Web Authentication (WebAuthn) is a W3C Recommendation for an API to access public key credentials, including for a browser, optionally with the use of a hardware key https://indieweb.org/webauthn
#
gRegor
what is passkey
#
Loqi
It looks like we don't have a page for "passkey" yet. Would you like to create it? (Or just say "passkey is ____", a sentence describing the term)
[ender] joined the channel
#
[ender]
[catgirlinspace] as other people said in #indieweb, I think 11ty (eleventy) is the most popular option for templating at the moment. I haven't used it extensively but find it pretty cool + there is a huge community of people who use it that can always help with technical issues
[benji] and [campegg] joined the channel
#
[catgirlinspace]
i'd probably throw deno in a docker container
#
[tantek]
I have a strange use-case due to a publishing error though I think it has non-strange use-cases too. I want to "flag" a past post of mine in such a way that it is replaced by (redirected to) a newer post *if* the referrer is NOT my own site, but show some form of "plain text redirect" e.g. "This post has been replaced by: (link)" when navigating it from within my site/domain, e.g. from /archives. Has anyone else found a need for something like this? And have a solution?
#
aaronpk
huh, i've definitely turned mistake URLs into redirects, but never tried to keep it navigable before
#
[tantek]
non-strange use-case for this: you have a general "how to" post that you update every so often, once a year (e.g. in my case, "How to pack for SXSW" (yes, back in the day) which I'd update once a year sometime before the conference). I'd want other people's links to the OLD versions (permalinks) of the post to automatically redirect viewers to the newest version, while if you happen to find old versions via navigating my archives, then I'd be ok with you seeing the past version with an "updated" or "replaced" banner with the link to the new one at the top
#
[tantek]
^ aaronpk you might have come across *this* use-case since you also write how-tos
#
aaronpk
interesting
#
aaronpk
so i've done it the opposite way
#
[snarfed]2
sometimes it's easier to maintain those as evergreen "pages" instead of dated posts
#
aaronpk
i update the text on the existing link, make a new link for the old text, and add a link to the old version
#
[snarfed]2
(but begs the question of whether/how to show them in feeds though, with which date(s), etc)
#
aaronpk
this has been an ongoing thing for my oauth blog post
#
aaronpk
since it gets linked to in readmes and stuff. finally I decided to strip the date out of the URL and redirect it to an evergreen URL, redirecting the original link
#
[snarfed]2
evergreen++
#
Loqi
evergreen has 1 karma over the last year
#
[tantek]
another similar use-case: /using, e.g. you might write once in a while snapshot blog post updates of your "life stack"
#
[tantek]
and always want external links (like old ones) to redirect people to your latest one
#
aaronpk
yep with the evergreen URL you can always snapshot old versions at a new URL
#
[tantek]
which could have a "Previously" section in it that linked to older versions in case people were curious
#
[tantek]
and if people clicked those links from the previously section they'd be coming from your own site, it would show them instead of redirecting
#
[tantek]
the problem is you might not know a priori *which* posts are going to be "updated" like that
#
aaronpk
i don't think you need to do referer/redirect tricks
#
[benji]
↩️ I tested Lume (Deno's static site generator) a few weeks ago to see if it was worth migrating my eleventy site. I was able to get a basic blog up and running fairly quickly but decided against migrating my site in the end but I would use it if I was setting up something new. It also deploys to Netlify and I'm sure GitHub pages pretty easily
#
[tantek]
like I don't want to think about every blog post, hmm, will I rewrite this in a year? ok then should I pick some generic URL for it now?
#
[tantek]
sure if you know in advance (a priori), you can do generic /page URL tricks like that or what W3C does with /TR
#
[ender]
i have thought of making some tool along the lines of git diffs between different versions of evergreen posts, using wasm-git, the details for how to do such a thing evade me however
#
[ender]
yes, choosing links can be stressful
#
[tantek]
however for most of us, we have no idea when we blog something that we may write a massive update of it in the future
#
[tantek]
as in, it does not start as an "evergreen" post
#
aaronpk
sure, when you decide you want to update the post, just update it inline and copy the old text to a new URL. or turn it into a non-dated post at that point
#
[tantek]
so by the time you decide later to shift it to one, it's too late
#
[snarfed]2
that's not quite true. thinking of mine, I often do have a sense at the beginning whether something will be an evergreen page or dated post
#
[snarfed]2
but definitely not 100%, agreed
#
[tantek]
but you still want all the old links to redirect people automatically to (send traffic to) the newest update
#
aaronpk
it's not too late. I already did it like that
#
[tantek]
snarfed, the opposite happens to which seems like a waste, that is, you *think* oh this will be an evergreen post that I'll update so I'll go to the effort of picking a generic /page name etc. and then you *never* update it, so it would have been better served with a datestamp permalink
#
[tantek]
happens too*
#
aaronpk
2012: wrote a post at /2012/etcetc. 2014 noticed it was getting a lot of traffic. 2015 redirected /2012/etcetc to /oauth, made a new page /2012/v1 with the original contents
#
[snarfed]2
eh that's a minor problem. ie, not much harm in having a rarely updated page
#
aaronpk
any links to the old URL are redirected to the new evergreen URL, a link on the evergreen URL links to the new URL for the old content
#
[snarfed]2
rendering separate created and last updated dates on evergreen pages helps
#
[tantek]
"evergreen" is also not quite the right term for the kind of content I'm talking about because it's not like the latest version is always 100% up to date, it's not actually *ever* green. It's the most recent not older version
#
aaronpk
s/evergreen/non-dated URL/
#
[snarfed]2
people also often use page vs post
#
[tantek]
I *like* that the URL design includes the date as part of the, oh, this was written / was true as of date YYYY-MM-DD
#
[snarfed]2
right, which is why dates in URLs make sense for posts, less for pages that are updated more often
#
[tantek]
which is *very* different than the generic /page URL semantic of "this is universally true"
geoffo joined the channel
#
[tantek]
like the specific use-case I noted, "packing for SXSW" which since it includes specific technology recommendations, I *know* will go out of date in a year or two regardless, so I don't want the URL to pretend to convey that it is timeless
#
aaronpk
ok new strategy: original post is at /2022/1, you want to update it next year, you copy the text of /2022/1 to a new page /2022/2, make a redirect from /2022/1 to /2023/1 and write the new text at /2023/1
#
[tantek]
a similar article might be "how to setup a new laptop"
#
aaronpk
any links to the original post redirect to the new one, and you have a dated URL with the old contents
#
aaronpk
and you can continue doing it whenever you want
#
[snarfed]2
(created and last updated dates, no date in URL)
#
[tantek]
snarfed, *now* you share that URL with me. I could have used that a few weeks ago
#
[snarfed]2
oh no laptop setup is too personal
#
aaronpk
haha i have a text file like that
#
[tantek]
also the glossy silvery 2.5D Apple logo in that link preview kinda gives away the post as potentially anachronistic 🤭
#
[snarfed]2
yeah I enjoy the deliberately dated company logos on https://snarfed.org/resume, eg Google's
#
Loqi
[preview] [Ryan Barrett] Experienced engineering leader. 20+ years building and scaling backend infrastructure, data platforms and applications, and cross functional teams. NCX (née SilviaTerra), 2021 – present Head of Data Leading a team of machine learning engine...
#
[ender]
I would use https://slay.sh/ for generic mac laptop setup, I forget to use it when I need to though
#
[tantek]
part of this is that I want to capture the semantic in the post markup so that my server can automatically read that and go redirect to the newer (ideally newest) version
#
[tantek]
without me having to go update all the previous versions of the post
#
aaronpk
i'm pretty sure what i outlined will do that
#
[tantek]
which I realize is also an argument for "at some point" you switch to a generic /page URL
#
[tantek]
something like rel=newer or u-updated-by or u-replaced-by
#
[tantek]
oh hey I have ANOTHER (albeit nerdy) use-case duh. RFCs
#
aaronpk
oh yeah, also have been doing that with the specs at spec.indieweb.org already
#
[tantek]
e.g. RFC2445 has a link at the top for "Obsoleted by: 5545" (where 5545 is linked)
#
aaronpk
https://indieauth.spec.indieweb.org/20201126/ <-- latest version links to previous dated version
#
[tantek]
wouldn't it be better as a "living" standard approach for external links/results to 2445 to automatically be redirected to 5545?
#
aaronpk
no, because unless you are intentionally trying to link to an old version, you should be linking to the living standard at https://indieauth.spec.indieweb.org/
#
aaronpk
if you do link to a dated version it's probably because you wanted to reference something in the old version
#
[tantek]
aaronpk, except there is no way to link to a non-dated version of an RFC
#
[tantek]
there's no way to say, send people to this RFC or whatever obsoleted it (transitively)
#
aaronpk
i was talking about the living standards at spec.indieweb.org
#
[tantek]
I'm sure that's happened. X -> obsoleted by Y -> obsoleted by Z
#
[tantek]
spec.indieweb is different obviously like I said for w3.org/TR
#
[tantek]
spec.indieweb and w3.org/TR are in the category I mentioned above of "you know up front that this will be updated/replaced so use a non-dated /page URL"
#
[tantek]
(since we replaced "evergreen" with "non-dated")
#
[tantek]
so I'm considering using either u-replaced-by or u-updated-by in my old(er) h-entry posts
#
aaronpk
wait how did we jump to mf2 markup?
#
[tantek]
sorry, long (over lots of chat scroll) jump from the sample text I want to put in the old(er) version that I posted previously
#
[tantek]
as in how could I mark that up such that my server software would notice it and auto-redirect accordingly
#
aaronpk
what about my alternative proposal that doesn't require redirect tricks?
#
Loqi
[preview] [[tantek]] I have a strange use-case due to a publishing error though I think it has non-strange use-cases too. I want to "flag" a past post of mine in such a way that it is replaced by (redirected to) a newer post *if* the referrer is NOT my own site, but show...
#
aaronpk
(assuming you have some way to turn existing URLs into a redirect to begin with)
#
aaronpk
> original post is at /2022/1, you want to update it next year, you copy the text of /2022/1 to a new page /2022/2, make a redirect from /2022/1 to /2023/1 and write the new text at /2023/1
#
[tantek]
I guess I'm not seeing the difference between "make a redirect from /2022/1 to /2023/1" and "u-replaced-by /2023/1" except that this way, this post-specific semantic information is captured IN THE POST rather than some side metadata (wherever you store redirects) which is more fragile
#
[tantek]
(per the distance between data & metadata law)
#
aaronpk
my redirects are stored in the post file itself :)
#
[tantek]
Ruby's postulate
#
[tantek]
ok so then we're just debating different ways of storing, and my method preserves the original old URLs in my /archives
#
[tantek]
storing the "updated" or "replaced" URL in the mf2 means it has a better chance of being portable HTML mf2 / mf2json etc.
#
[KevinMarks]
No, you pick an evergreen url once you decide that it is one, redirect the old one to that, and make the new evergreen one link to previous versions (which could be evergreen slug +date)
#
[KevinMarks]
Oops, I was scrolled up a bit. That was in response to an earlier point.
#
[tantek]
[KevinMarks] the evergreenness is orthogonal to updates. Sometimes you may never want an evergreen url bc you will always be writing things that are snapshots in time (per sxsw packing use case)