#dev 2023-11-14

2023-11-14 UTC
geoffo, [chrisaldrich], {{lifeofpablo}}, lifeofpablo, SoniEx2, streety, omz13, Guest1350 and nsh joined the channel
#
GWG
Okay, found a problem with my PKCE implementation. Makes me wonder if I should stop making PKCE optional
[cleverdevil] joined the channel
#
GWG
Problem is this is WordPress, and I'm not the only user.... maybe a flag for strict mode...
sivoais, chenghiz_, srijan, lockywolf, superkuh, SoniEx2, Saphire and [m] joined the channel
#
[m]
I’m curious about cross posting and web mentions. I looked at http://brid.gy but it seems like the support for platforms is not that good. If I’m correct it seems like cross posting only works with Mastodon?
tiim, voxpelli, jonnybarnes and jeremycherfas joined the channel
#
s​tarrwulfe
[m]: Crossposting there's also Github and Flickr plus limited BlueSky support in testing. There's ways to crosspost to other places though. Where else are you trying to post and I can help find a solution for you...
#
s​tarrwulfe
[edit] [m]: Crossposting with Bridgy, there's also Github and Flickr plus limited BlueSky support in testing. There's ways to crosspost to other places though. Where else are you trying to post and I can help find a solution for you...
#
[m]
I mainly use Bluesky, Mastodon and http://Posts.cv, but also X and LinkedIn.
ramsey joined the channel
#
s​tarrwulfe
Your best bet would be to use Bridgy for Bluesky and Mastodon, and cross post via micro.blog to LinkedIn. Crossposting to X is not an option unless you want to pay them for their API. It used to be the most open and popular way to crosspost up until Musk paywalled it.
#
s​tarrwulfe
What is posts.cv?
#
s​tarrwulfe
(I guess Loqi doesn't know either!)
#
s​tarrwulfe
Posts.cv is a Mastodon/Twitter/Bluesky like microblogging app that is a part of the Read.cv creative professional social media network. It currently does not support any federation, nor does it seem to have any plans to do so on its roadmap.
#
[m]
Posting to Bluesky doesn’t seem to work with Bridgy? I have a syndication link to Mastodon but when I tried bluesky the endpoint didn’t work
#
s​tarrwulfe
Did you follow the instructions and create a Bluesky app password to input into Bridgy?
#
s​tarrwulfe
It definitely works even in the current alpha/beta test phase.
#
s​tarrwulfe
My last few posts are all from my site:
#
s​tarrwulfe
(we can take this discussion over to \#indieweb-dev so we don't clutter the chat over here with tech-speak)
#
s​tarrwulfe
OK, I need to have my coffee BEFORE I start reading the chat stream apparently. We're already in the correct place. 😅☕
#
[m]
I used the guide and added the app password. The publish option I see when using mastodon does not appear in the Bluesky section in Bridgy
#
[m]
This is what I see
#
[m]
No option for publish
#
[m]
Also, this is what I get when I try to post using webmention.
#
[m]
> {
#
[m]
>>
#
[m]
> }
#
s​tarrwulfe
Should automatically "just start working" with bluesky. bear in mind they're moving things around at the moment on their side and this is all in beta right now too...
#
IWDiscord
<s​tarrwulfe#0>
#
s​tarrwulfe
BTW your website is taking a very long time to resolve, so there's some problem on your side as well.
aaronpk joined the channel
#
[snarfed]
[m] is right, Bridgy supports backfeeding from Bluesky but not publishing/cross-posting to it yet
#
Loqi
[preview] [JoelOtter] #1580 Bluesky: publishing
petermolnar, ancarda, geoffo, sebsel1 and CRISPR joined the channel
#
GWG
I need sounding boards again
#
GWG
Let's say I'm signing into website X using websignin. I use the URL of website Y and authorize using IndieAuth. How do I match the user on website Y to website X?
#
[jacky]
You know, that's something I'm thinking about now. However you discern the means of authorization might help her
#
GWG
I'm wondering if the profile data could help on that, except it is non-authoritative.
#
[jacky]
That profile data could
#
GWG
[jacky]: Per the spec. Enter URL, discovery of endpoint... authenticate..
#
GWG
Right now,. matching the me property to an account on website X.... but that's not very robust
#
aaronpk
i'm not sure who "I" is in your example
#
[jacky]
I'm assuming a IndieAuth client here tbh
#
aaronpk
you're going to have to rephrase the question in order for me to understand where the problem is
#
aaronpk
try being more explicit about the roles you're talking about and avoid using "I" in place of a software role
#
GWG
Let's say a user wants to sign into website X using websignin. That user wants to enter the URL of website Y and authorize using IndieAuth. How does the code match the user on website Y to website X?
#
GWG
Better?
kushal joined the channel
#
GWG
In the use case, user D wants to log into his dev environment by entering in the URL from his production environment which has an IndieAuth endpoint.
#
GWG
D is a real person and not me
#
GWG
Just the profile URL part is What I'm questioning
#
sknebel
by looking up what user is linked to that URL in the database
#
GWG
Yes, but any user can add a URL to their profile in WordPress
#
GWG
Although the plugin tries to reject non unique addresses
#
sknebel
you could let them choose what user to use and/or have a way of specifically forcing which user its bound to by authenticating once at setup
#
GWG
So, anyone using web signin has to bind the two accounts together in a setup flow? Interesting
kushal joined the channel
#
GWG
So, like a registration phase?
#
s​tarrwulfe
[snarfed]: Aha— I’m actually using \*micro.blog\* to cross post to Bluesky. Totally forgot. Bridgy is then picking up backfeeds.
#
GWG
That's a thought...micro.blog is a multi -user site...wonder what it does
#
sknebel
GWG: would be an option. then you can be relatively sure about the link
#
sknebel
depending on the target you also could do rel-me-style checks in both directions in addition
#
sknebel
but "you can choose which account to sign in as" could also be valid, if people have reasons to have multiple accounts
#
GWG
sknebel: I have two target scenarios... WordPress to WordPress and WordPress to non WordPress I suppose
#
GWG
I'm looking at tightening a lot of areas of the code. I'm rewriting the websignin into a WordPress site using an IndieAuth endpoint which has created a lot of questions
#
GWG
Like should I switch to strict enforcement of PKCE? Should I log who uses response=id? Should I log who doesn't return iss properties?
#
sknebel
IMHO for WP it makes a lot of sense to allow a lot of "old" way of doing things, but show it to the user
#
sknebel
to produce reports where things are missing
#
GWG
sknebel: But being as all WordPress sites use the same code... shouldn't it be the other way round
#
sknebel
other way round?
#
GWG
Also I'd lose compass which still uses response=id
#
GWG
sknebel: Have it default to strict standard
#
sknebel
I'd say finding out about all the things that dont do the new ways through warnings instead of through breaking peoples workflow would be nicer, especially given wordpress' large userbase?
#
GWG
sknebel: Probably. But I do want to make it more noticeable as time goes on.
#
sknebel
but right now it isnt noticable at all, right?
#
GWG
aaronpk: If you do any work on compass in near future, how hard would it be to update the version of IndieAuth client?
#
GWG
sknebel: Barely
#
sknebel
so put big "this is using an outdated thing, please report this <here> so we can coordinate updates" notices in it
#
sknebel
people hopefully find most of the things that are not complete and we get data to actually fix the ecosystem
ludovicchabant, capjamesg, barnaby, tbbrown, geoffo, [0x3b0b], gxt and hi joined the channel
#
[tantek]
wow lots of websignin discussion
#
[tantek]
GWG, short version, there is no difference between user and website Y
#
[tantek]
on website X, assuming it has a table of username strings, the username for the user that just signed in is literally the URL/domain "website Y". that's it. there's no "other account" etc. to "associate" or "connect to" or whatever. your domain is literally your unique ID in the database in the place you're signing into
#
[tantek]
you are your domain
srushe_ joined the channel
#
GWG
[tantek]: WordPress doesn't support that, so I need to build that better
#
GWG
Sorry for the delay...was teaching a class about Salesforce
[Joe_Crawford] joined the channel
#
gRegor
My condolences ;)
#
aaronpk
apparently the idea of client IDs as URLs is catching on in a few places
#
aaronpk
i've now found two open source OpenID Connect providers that do it, specifically linking to my blog post about it in their docs
vikanezrimaya joined the channel
#
aaronpk
oops nevermind, just one... i had two tabs open to the same project without realizing it 😂
#
[tantek]
^ the power of blogging about a technique or design with reasons why
#
aaronpk
but now we have two examples of this outside of indieauth
gerben joined the channel
#
aaronpk
hmm where can i document these on the wiki
#
aaronpk
what is client ID?
#
Loqi
It looks like we don't have a page for "client ID" yet. Would you like to create it? (Or just say "client ID is ____", a sentence describing the term)
#
aaronpk
client ID is how a website or web app identifies itself in [[IndieAuth]] and [[OAuth]]
tbbrown joined the channel
#
aaronpk
there we go
alecjonathon and tbbrown joined the channel
geoffo and tbbrown joined the channel
#
[cleverdevil]
So, a quick intro to what I’m up to from a project perspective. My website is a sizable repository of content going all the way back to 2002, including content that I’ve repatriated from silos like Instagram, Facebook, and Twitter, and content migrated from my very first website powered by MovableType.
#
[cleverdevil]
When I first learned about the IndieWeb, I discovered Known, which is a lovely CMS that has served me well. I’ve built a ton of extensions and customization. But, PHP isn’t my language of choice, I’m dependent on a big MySQL database, and am feeling a bit paralyzed to upgrade to newer versions of Known for a variety of reasons.
eb_ joined the channel
#
[cleverdevil]
I started tinkering recently with how I may build an ideal replacement CMS for my site, from some first principles:
#
[cleverdevil]
• all content should be first and foremost stored as plain text files on disk
#
[cleverdevil]
• support for all of the wacky types of content that I publish on my current site, including things like posts that track what I watch, listen to, review, etc.
#
[cleverdevil]
• Few dependencies and in Python which is how my brain works
#
[cleverdevil]
• first class support for micropub, IndieAuth, and webmention
#
[cleverdevil]
• All of the freedom to create dynamic content by slicing and dicing content, not just a static site generator
#
aaronpk
sounds a lot like my goals
#
aaronpk
except in php not python :D
#
[cleverdevil]
So, I started about a month ago with “mkdir unknown”
#
gRegor
I see what you did there :)
#
[cleverdevil]
Here is what I have so far:
#
[cleverdevil]
• An export of around 15,000 JSON files representing the entire content of my current site. All as MF2 JSON in “hive partitioned” directories.
#
[cleverdevil]
• A micropub API that layers on top, supporting pretty much the entire spec
#
[cleverdevil]
• A snappy Python data library that provides a complete API to search, query, filter, etc. the entire data set
#
[cleverdevil]
• The world’s shittiest IndieAuth implementation
#
[cleverdevil]
But, it works!
#
aaronpk
sweeeet
#
aaronpk
[cleverdevil]++
#
Loqi
[cleverdevil] has 1 karma in this channel over the last year (5 in all channels)
#
[cleverdevil]
I can search for content that includes any particular "kind" of data (watch records, listen records, status updates, posts, etc.)
#
[cleverdevil]
Its insanely fast and there are no database servers to worry about
#
[cleverdevil]
It uses DuckDB under the hood
#
[cleverdevil]
Which is AMAZING
#
[snarfed]
awesome! any plans to open source it?
#
GWG
[cleverdevil]: Is the shitty IndieAuth endpoint up to current specifications?
#
[tantek]
that sounds more like a typo than GWG
#
GWG
[tantek]: Scroll up... I didn't call it that, [cleverdevil] did
#
GWG
I'm only self deprecating
#
[tantek]
GWG, better to use scare quotes in cases like that
#
GWG
Good point
#
GWG
In good news I fixed a minor issue in my PKCE code so I can come up with more aggressive ways of telling users they didn't use PKCE
#
GWG
I think I may switch from the padlock to the unlocked padlock