#dev 2024-04-20

2024-04-20 UTC
[KevinMarks], [naturestudy] and ttybitnik joined the channel
# 00:27 
gRegor Google Domains registrations are finally switching over to Squarespace. I've had a couple go through already.
# 00:34 
[tantek] and this is good? bad? neutral?
geoffo, Xe, Maxpm, barnaby, ttybitnik, [tantek], chimo, ttybitni` and [schmarty] joined the channel
# 15:49 
[schmarty] i'm frustrated by it. i don't have a reason to have a squarespace account and they're using the opportunity to make big upsells.
# 15:50 
[schmarty] their DNS support is pretty minimal, so the domain forwarding I had set up on google domains didn't transfer over.
vanitas_gloam joined the channel
# 16:43 
vanitas_gloam with my current attempt at making a webmention endpoint i'm trying to focus on extensibility. making it only do the receiving and validating part, so i can then have something else handle the rest
# 16:45 
vanitas_gloam it's a hack-job but it validates if the source has a in-reply-to, that the source url is the reply's canonical url, and that the author of it is linking to the same host as the source
# 16:46 
vanitas_gloam it writes the reply urls into a file with a little tag of either "ADD" or "DEL" because i want to support deletion of replies too
# 16:46 
vanitas_gloam i think i got a good start going so far. especially since it has been a while since writing that much golang
# 16:48 
Zegnat Sounds good!
# 16:49 
Zegnat Do you do the validation at the time of receiving the webmention, or do you blanket accept, return a 201, and then validate separately?
# 16:49 
vanitas_gloam the validate happens at the moment of receiving. to give feedback for why it failed
# 16:55 
Zegnat Gotcha! I was testing for a while with having a two step. So I would return an error (HTTP 400) immidately when I knew the target domain was wrong (simple and cheap test), but would add the request to a "to be checked" list and return an accepted response (HTTP 202). That way potential spammers have no feedback to know when they got to me or not, and the more expensive check that involves fetching other resources can happen out of
# 16:55 
Zegnat bounds (also protecting the server from being DoS’ed if ever too many requests came in)
# 16:56 
Zegnat Then it turned out all of that is great and should probably be done, but at my size, it was completely fine just writing everything to a single list for human checking ;)
# 16:58 
vanitas_gloam i similarly got the idea that i should write everything for a scale where 1000 requests per second would be no issue. i plan on for now using an allowlist based system where people first ask to be put on there and then send the request
# 16:58 
vanitas_gloam i can prolly figure out something more robust when i work on it for a bit more than an afternoon
# 17:01 
Zegnat Oh, I did not grasp that, you were allow listing based on source, not target. Yeah, that would definitely work too
# 17:03 
vanitas_gloam for the target validation i just send a head request to it and check for a 200 response
# 17:04 
vanitas_gloam and ofc have it check the host before as well to make sure it's on my site as well
shoesNsocks joined the channel
# 17:16 
Zegnat My webmentions have sometimes help me discover other people’s websites. Because they linked to me. So I never considered allow listing the source. I want those to be unknown to me, that has been most of the fun
# 17:24 
vanitas_gloam hmm maybe. i'm still very new to the stuff and prolly spammers won't (at least for now) set up real reply posts to spm so maybe i should just use blocklist instead yea
bterry joined the channel
# 17:52 
jonnybarnes Looking at the redirect url part of indieauth: https://indieauth.spec.indieweb.org/#redirect-url
# 17:53 
jonnybarnes am I interpreting it correctly for native apps, which will have a custom url scheme for their redirect url
# 17:54 
jonnybarnes that the webpage for the app, the url of which will be the client_id, should list redirect urls, and will therefore list in a Link header or <link> tag something like `<link rel="redirect_uri" href="custom-app-scheme://auth">`?
# 18:01 
Zegnat jonnybarnes: correct
# 18:04 
jonnybarnes thanks
# 18:08 
aaronpk native apps can also use an app-claimed https URL
[jeremycherfas], rrix and [Joe_Crawford] joined the channel
# 22:47 
[tantek] [schmarty] is there something we can document about how to mitigate or repair someone's domain setup if they had it transferred from Google Domains to Squarespace? Or the shortest/simplest steps to migrate their domain to another provider?
Xe joined the channel