#dev 2023-12-01

2023-12-01 UTC
[capjamesg] joined the channel
#
[capjamesg]
What should we include in a Webmention MDN page? What is Webmention, how to send webmentions, how to receive webmentions, how to display webmentions?
#
[tantek]
where it fits in the larger context of the web platform as well
#
[capjamesg]
Elaborate?
#
[capjamesg]
(I might draft something up this weekend!)
#
[tantek]
for example, a Webmention MDN page could fit in as a key use of HTTP in the platform and thus link from https://developer.mozilla.org/en-US/docs/Web/HTTP
#
[tantek]
[capjamesg] more context: the page on the "a" element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a, could note that after linking from one page to another, the originating page may also use the Webmention protocol to notify (opt-in) the destination page that the link has been published
#
[tantek]
this is what I mean by "fits in the larger context of the web platform"
#
capjamesg
[tantek]++
#
Loqi
[tantek] has 32 karma in this channel over the last year (101 in all channels)
jeremy and lockywolf joined the channel
#
[jacky]
what is orgmode
#
Loqi
Org mode is for keeping notes, maintaining todo lists, planning projects, and authoring documents with a fast and effective plain-text system https://indieweb.org/orgmode
#
[jacky]
orgmode << an example of it being used for a static site at https://github.com/sp1ff/indie-org running https://www.unwoundstack.com/
#
Loqi
ok, I added "an example of it being used for a static site at https://github.com/sp1ff/indie-org running https://www.unwoundstack.com/" to the "See Also" section of /Org_mode https://indieweb.org/wiki/index.php?diff=90934&oldid=90930
#
[jacky]
so indieauth specifies `s256` for PKCE b/c of its RFC
#
[jacky]
but is it possible to use _other_ ones? I'm guessing one would hint that using their metadata endpoint somehow
#
[jacky]
considering opting for SHA3-512 (b/c why not, I'm not worrying that adding teraflops of processing power and it's a wee bit more secure)
#
[jacky]
hmm actually there _isn't_ one
#
sebbu2
lots of people use pbkdf2 (with sha1 or 2)
#
sebbu2
(and 100k or 1m iterations)
#
[aciccarello]
Hit another disappearing `+` form encoding issue with my last micropub post. I need to dig into if it's an issue with the clients or server or both.
#
gRegor
Wouldn't expect an IndieAuth client to implement something else unless the PKCE RFC listed it
#
sebbu2
[aciccarello], oh, that one should be easy : urlencode != rawurlencode
#
gRegor
`code_challenge_methods_supported` is in server metadata, so you could list it
#
[jacky]
interesting okay
#
sebbu2
(and similar for decode)
#
[aciccarello]
Yeah, probably simple, just don't have the time to track it down across multiple projects.
#
sebbu
if you have console access, a big barbaric grep -R would probably do it
#
[jacky]
ah I didn't see that somehow, thanks gRegor!
thekifake joined the channel
#
gRegor
Hmm, so your server could advertise it supports S256 and S512 like that. And clients send `code_challenge_method` along with the `code_challenge`, so it's possible.
#
gRegor
but in practice so far I think clients will only support S256
hoylecake joined the channel
#
barnaby
perhaps if you add support for next-gen hashing algos, it’ll have a trickle-down effect and some more clients might start supporting pkce at all
#
barnaby
from what I can tell there are still quite a few old implementations which don’t support pkce, right?
#
gRegor
The server plugins for WordPress and Processwire support pkce, and the php-indieauth-client lib does
#
gRegor
I think Quill does too
#
gRegor
Yeah, since it uses php-indieauth-client
#
[jacky]
yeah that's the hope, to encourage clients to use newever ones
#
[jacky]
*newer ones
#
[jacky]
and I'll be making clients for myself that could take advantage of it 😄
#
gRegor
Is S256 not secure for the short period of an indieauth session?
#
[jacky]
lol it is
#
[jacky]
which is now challenging the usefulness of this
#
GWG
gRegor: I just updated the plugin to use PKCE for websignin using other IndieAuth endpoints. Just merged that. So, the client side
#
GWG
I tested it on another IndieAuth WordPress site. I may need to find an independent test
#
aaronpk
It's going to take quantum computers for S256 to not be secure enough to protect the already short lived authorization code. I wouldn't worry about it until the larger OAuth community starts worrying about it
geoffo joined the channel
#
GWG
aaronpk: What is new and exciting in the OAuth community that might be worth adding to an IndieAuth endpoint?
#
aaronpk
We've done enough of that for the time being
#
GWG
aaronpk: I wasn't thinking of in the spec.
#
GWG
I have more than enough there to work on.
#
GWG
I just haven't kept up.
#
GWG
I need to improve my UI for the flow a bit.
gRegor, win0err and jeremycherfas joined the channel
[Jo], zuis, win0err, [benatwork] and geoffo joined the channel
#
GWG
I didn't notice the restrictions on IP addresses for IndieAuth client identifiers. Time to fix that
win0err joined the channel
#
GWG
Would anyone be able to comment on https://github.com/indieweb/indieauth/issues/130 and the associated wiki page? I need to add omz13's alternative take on Ticketing with its extra extensions.
#
GWG
I wanted to add a place for things not in the spec to live
#
GWG
Also have to add the extension proposal that we removed from the specification for when the token and authorization endpoints aren't tightly coupled
[schmarty] and [jacky] joined the channel
#
[jacky]
I'll be able to check that out tonight
rrix, [tw2113], hoylecake, win0err, Kaja, Zegnat and sknebel joined the channel