#dev 2023-02-06

2023-02-06 UTC
gRegor, gRegorLove_, gRegorLove__ and geoffo joined the channel
#
[tantek]
[snarfed] this looks like it overlaps your interests: https://docs.kazar.ma/
#
[snarfed]
hah yes, wedging a square chat peg into a round AP hole
#
starrwulfe[m]
[aciccarello]: thanks! As things progress, I’ll be explaining things a bit more in depth (it’s part of my 100 days of indieweb challenge that I need to “backfeed” post about once the wiring is finished on my site in the next week or two)
petermolnar, gRegor, mro, gerben, Skyther[d], IWDiscordRelay, Johan and [jamietanna] joined the channel
#
[jamietanna]
`signing with snarfed.org's key` looks odd to me
sp1ff joined the channel
#
[snarfed]
yup, that does look odd, thanks for the nudge, will look
[dave], geoffo, mro and [jacky] joined the channel
#
[jamietanna]
Thanks snarfed 🚀
gRegor joined the channel
#
[jamietanna]
Another one I've spotted - that I'll see if I can resolve, is that unfollow seems to redirect me to auth at https://indieauth.jvt.me/authenticate/start?me=http://www.jvt.me/ and my site doesn't upgrade it from an http:// profile URL but that's probably just me gonna hit that issue
#
[snarfed]
ah, thanks, true! BF should be starting it with https, I'll fix that
ross[m], [KevinMarks]1 and sebbu2 joined the channel
#
[timothy_chambe]
If anyone can create a Twitter bot that twice a day counts down how long until it is ended by the API shutdown, would promote that very widely to the Twitter dev community:
#
[timothy_chambe]
Handy countdown clock until Twitter's paid API goes away stranding many researchers and small developers dependent on that API. Still zero word on pricing for researchers or enterprise developers, nor word for what comes next for small bot developers other than vague statements Elon replied to a Cat bot account.
geoffo, AramZS and petermolnar joined the channel
#
[tantek]
literally no services (e.g. Mastodon instances) allow HTML sub/sup elements/markup, thus forcing the use of Unicode superscripts for footnotes rather than HTML sub/sup markup. I guess that's ok but not great?
#
[tantek]
thinking through the "sanitize" lens or filter, I wonder what other semantic HTML elements should either be unrecommended to developers/publishers, or should be part of a concerted effort to add them to sanitizers
#
[tantek]
capjamesg, do you have an article link for that? didn't see anything interesting in the description/summary and now wanting to watch a video for "info"
#
[tantek]
imagines someone calling in a request for Little bobby drop tables and cover
#
[tantek]
hah. I mean that's not really a sanitization bug/issue, that's more in the category of "malformed input"
#
[tantek]
yes they're both about being defensive about external data sources/input, though very different classes of problems
sebbu2, geoffo, kdas_ and BinarySavior joined the channel
#
gRegor
I'm thinking through IndieAuth Token Introspection again while working on a media endpoint, specifically the requirement to have authorization for that request...
#
gRegor
If I had the media endpoint get its own bearer token for that authorization, wondering what the scope should be on that token, "introspection"?
#
aaronpk
i don't think i've seen scope used for that before, but you could do that
#
gRegor
Or put another way I guess, does it need a scope? I didn't think it was possible to grant an access token without a scope.
#
aaronpk
that's up to you
#
gRegor
"If the client omits this value (scope), the authorization server MUST NOT issue an access token for this authorization code." I'm thinking of the media endpoint as the "client" in the typical flow, but maybe that's not correct.
#
aaronpk
it wouldn't use the authorization code flow though
#
gRegor
Which flow would it use?
#
aaronpk
client credentials
#
aaronpk
the idea is the media endpoint would be authenticating itself to the introspection endpoint
#
gRegor
Ahh, gotcha
#
gRegor
So my server needs to support grant_type=client_credentials and let me set up a client_secret for a client_id, looks like. Not too bad. https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/
#
aaronpk
or, just use the client secret as the authentication to the introspection endpoint
#
aaronpk
either is allowed by the introspection spec
#
gRegor
true, probably easier than getting an access token each time
bterry joined the channel