#dev 2024-05-18

2024-05-18 UTC
#
[Al_Abut] [Joe_Crawford] I have a request for the DJ at the next frontend study party: can you explain this flex wrapping to me like I’m an infant?
#
[Al_Abut] https://www.threads.net/@mengto/post/C7DZG0YvKei
#
jacky what is a sitemap
#
Loqi A sitemap is a list of pages on a website https://indieweb.org/sitemap
geoffo joined the channel
#
cophee i think the issue i had with webmentions after moving over to cloudflare pages from netlify was that cloudflare uses www. before my domain name
#
[Joe_Crawford] [Al_Abut] You got it. Sneak preview: `flex: 1 0 0` is short for `flex-grow: 1; flex-shrink: 0; flex-basis: 0;`
#
aaronpk ooo sam set up a service to try fedcm with your own domain!!
#
aaronpk https://github.com/fedidcg/FedCM/issues/240#issuecomment-2118606184
#
Loqi [preview] [samuelgoto] > I'll put instructions on how to use this Ok, here is one way anyone with a domain can be an Indie FedCM IdP that https://webmention.io would accept as an IdP. You have three options: 1) You can implement https://indieweb.org/FedCM_for_Indi...
geoffo joined the channel
#
aaronpk You have no idea how excited I am about this!
hacdias_, oenone_, Zegnet, geoffo and [tw2113] joined the channel
#
[tw2113] very?
#
aaronpk how did you know?!?!?!
#
[tw2113] intuition
#
[tw2113] erm I mean an indiebirdie told me 😛
ancarda_, eb_, Guest1350_, lanodan_, sebbu2, oodani_, rjomara583, chenghiz__, revi_, chimo_, _standingdesk[d], gerben_, RapidRotator_, revi, bacardi55[m], herbi, Pegazusuo`_, eitilt and GuestZero joined the channel
#
cophee just started using webc components in 11ty =]
#
cophee building the site for indieweb.guide now (based off max boeck's starter)
[jeremycherfas], randulo and [Joel_Auterson] joined the channel
#
[Joel_Auterson] Got EXIF extraction working for photos :) I realised I was including location data in all my photos so now Hugo extracts it selectively and then my build strips it from the images https://www.joelotter.com/notes/2024/04/19-japan-19/
#
Loqi [preview] [Joel Auterson] Spent Wednesday evening in Kabukicho - def worth a visit, especially if you’ve played the Like A Dragon games as it’s the inspiration for Kamurocho. Had drinks in the Golden Gai, met some lovely people, had far too much shochu. https://www.joelotter.com/img/2024/04/japan-19-1.jpeg
#
[Joel_Auterson] Inspired by [aaronpk]++
#
Loqi [aaronpk] has 44 karma in this channel over the last year (128 in all channels)
pcarrier joined the channel
#
pcarrier ah, won't lose history :)
#
pcarrier this channel isn't really usable in discord in my experience
pcarrier and jeremycherfas joined the channel
#
GWG I rely on exif data, but I store it in the site and strip it for serving
barnaby, chimo, jonnybarnes, geoffo and [qubyte] joined the channel
#
capjamesg [tantek] aaronpk: https://indieweb.social/@evan@cosocial.ca/112457309794440288
#
Loqi [preview] [Evan Prodromou] @jesseplusplus I had a much more pessimistic feeling about federation by the early 2010s, when that ecosystem had collapsed into a few dominant players. It wasn't until we started the Social Web Working Group at the W3C in 2014 that I started feelin...
barnaby and [tantek] joined the channel
#
[tantek] 👍
#
aaronpk well now that i stopped processing pingbacks in webmention.io, i just noticed actual webmention spam
#
aaronpk spam as in a webmention request from a clearly spam URL that doesn't even have a link to the target site in the webmention
pcarrier and [Joe_Crawford] joined the channel
#
[Joe_Crawford] one prerequisite for a webmention is the link to the target be included in the originating url so that seems like the result should be failure, flagging or the like
#
aaronpk Right, which is why I'm surprised to see this request
#
aaronpk cause it's not like someone set up a Wordpress site with the webmention plugin and is sending webmentions from actual pages on the site where it's only spam because of the content of the page
[snarfed] joined the channel
#
[snarfed] maybe someone's site has a "send me a webmention" form pointing to http://wm.io, and this is the usual indiscriminate "find forms with text boxes, plug in our URL" spam
#
aaronpk ah that seems likely
#
aaronpk confirmed, there is a webmention form on the site
[manton] joined the channel
#
aaronpk [manton]: curious if you've seen my writeup on FedCM yet! https://aaronparecki.com/2024/05/12/3/fedcm-for-indieauth
#
pcarrier I haven't seen how idps register themselves in browsers, presumably it takes more than visiting a page or the list could get polluted quickly?
#
aaronpk i documented it with a screenshot here https://indieweb.org/FedCM_for_IndieAuth#IdP_Registration
#
pcarrier Thanks
#
[manton] [aaronpk] Yes, this looks really cool. I’d love to experiment with it. I haven’t fully wrapped my head around how it actually works yet.
#
pcarrier End to end flow charts would be great
#
aaronpk cool! yeah it takes a bit to get your head around. I wrote up this guide for how to turn an indieauth server into a FedCM provider
#
aaronpk I don't want to replicate all of what's on the google developer guide, which does have a sequence diagram https://developers.google.com/privacy-sandbox/3pcd/fedcm-developer-guide
barnaby joined the channel
#
aaronpk but the indieauth version adds one step to it so maybe there's a way to do it that isn't entirely duplicative
#
pcarrier Hmmm really wish things like generating the list of users could happen through agent-side code instead of being limited to server logic
#
aaronpk how so? it's server-side logic by definition, since it relies on being logged in at the IdP
#
pcarrier The client could generate everything based on local storage, that the server merely confirms at the end by verifying the unsigned assertion and signing it
#
aaronpk it does do a fair bit of client-side caching of the logged-in state on the server in practice
#
pcarrier Does it though? I could imagine keeping a list of user, private key in local storage, and the server resigning the assertion that's been signed by the client to prove it has the private key after verifying the user ID -> public key association, for example
#
pcarrier That could allow for login/logout without involving the server, which could be better for privacy
#
aaronpk that sounds a lot like passkeys
#
pcarrier 100% inspired by passkeys
#
aaronpk this solves a different purpose, which is federated login, which by definition uses a server
#
aaronpk this isn't login in general
#
pcarrier I would use a server. Just for one step not all.
#
aaronpk in other words, i could not use fedcm to log in to aaronparecki.com with my aaronparecki.com account
#
pcarrier I still want centralized ID<->passkey management
#
pcarrier I still want to remove ID when an employee leaves etc.
#
pcarrier I just dont need the server to have a cookie->user association for every UA
#
pcarrier (By server I mean IdP)
#
pcarrier Maybe I misunderstand what problem is being solved, but some of the design feels overly constraining to me. I don't like first party cookies either, in my ideal world every FP/IdP request could be signed by my passkey rather introducing a stateful session with cookies
#
aaronpk this has more of the background of the problem space in general https://blog.timcappalli.me/p/preso-osw24-fedcm101/
#
pcarrier Is CHIPS a real thing that's happening?
#
pcarrier Sorry can't watch talk now, but read the slides
#
aaronpk https://developers.google.com/privacy-sandbox/3pcd/chips
#
pcarrier aaronpk: thanks. so if Mozilla and Apple come along… :)
geoffo and [jgarber] joined the channel
#
[jgarber] Aaron’s recent posts about FedCM reminded me of a question y’all might have some thoughts on.
#
[jgarber] Assume this is about an authorization endpoint service akin to http://indielogin.com. I’m 99% sure I’ve used the right terminology, but apologies if the wording is slightly off:
#
[jgarber] In an IndieAuth flow, what are some authorization endpoint strategies (besides RelMeAuth) for attesting that a person "owns" the domain they're authenticating with?
#
[jgarber] Some ideas in decreasing order of complexity: TXT DNS record, an HTTP header, a `<link>` element of some kind…
#
aaronpk besides relmeauth? yeah those sound reasonable
#
pcarrier [jgarber]: sorry for the nit, but granted that complexity ≠ difficulty, I'd argue TXT is the least complex of those options
#
[jgarber] Any thoughts on the “shape” (name, content, etc.) of any of those three options? Is there any prior art or something similar out there?
#
pcarrier I'd love a provider-agnostic spec to suggest DNS changes
#
pcarrier cloudflare has a one-click option that Google uses to install their domain ownership verification record
#
[jgarber] Google’s site verification comes to mind.
#
aaronpk lots of prior art for domain verification with lots of tools like email services or hosting companies
#
[jgarber] pcarrier Heh, good timing.
#
[jgarber] Maybe the `<link>` relation is the oddball then?
#
[jgarber] Or, no, you could do a version of the same thing with all three options.
#
pcarrier I'd make the point that a change to DNS goes through better safeguards than a change to a company's landing page
#
pcarrier in my limited but non-trivial experience
#
pcarrier wouldn't be comfortable with any member of the web team changing a key corporate security policy whenever they feel like it, whereas changes to the main DNS zone is likely to go through sysops
#
pcarrier (or 2 members of the web team assuming 4 eyes)
barnaby and rrix joined the channel; pcarrier left the channel
#
aaronpk huh i can't figure out how to get this passkeys UX to work the way i want
#
aaronpk i don't want to ask the user for an email address or username first, which theoretically seems to be supported using "discoverable credentials"
#
aaronpk but then it seems like i'm forced to provide two buttons: log in and register
#
aaronpk but there isn't really a difference in the UX depending on which they click, because neither case asks for any user input before triggering the passkey prompt
rrix and [KevinMarks] joined the channel
#
aaronpk i guess i have to have two buttons for now? i'm going to ask tim cappalli about this on monday
amyiscoolz_ joined the channel
#
pcarrier aaronpk[d] yeah pretty sure you need 2 buttons.
#
pcarrier aaronpk[d] lemme know if I turn out wrong though, would love to simplify https://xmit.co 😄
#
pcarrier [edit] aaronpk[d] lemme know if I turn out wrong though, would love to simplify https://xmit.co 😄
#
aaronpk it looks like you're going for the same ux i am
#
aaronpk have you thought about what happens if someone registers a new account accidentally and then wants to move that passkey onto their existing account?
sarajaksa joined the channel
#
pcarrier no. everything belongs to teams, so you'd invite the other account onto the same team, then one of the accounts would leave the team and could be kept around empty
#
pcarrier if you have workflow improvement ideas I'm 100% all ears
#
aaronpk one thought was to detect a first-time account and ask if they meant to log in to a different account, then go through some sort of recovery flow like if they have an email address
geoffo joined the channel
#
[jgarber] I’m probably missing some context here, but this presumes the person realizes after the fact that they created a second account (both using passkeys)?
#
pcarrier Yeah so account merge
#
aaronpk yes
#
pcarrier You log into account A, hit "merge another account" which makes you log into account B, account B disappears and account A has all the things
#
aaronpk it might be less of a problem with separate log in / register buttons
#
[jgarber] Copy that. That’s what I thought. Maybe this is naive:
#
[jgarber] User realizes they messed up, they initiate an account merge flow that prompts for two passkeys in sequence (the current account’s then the “other” accounts which I suppose they’d have on device or have access to), and then the application is responsible for handling the data merge.
#
aaronpk that doesn't quite work
#
pcarrier Would it not though?
#
aaronpk if they managed to create a second passkey, it's probably (probably) because they used a different device that isn't syncing their passkeys
#
[jgarber] Figured it had to be naïveté on my part. 😅
#
aaronpk which means they wouldn't be able to log in using the two passkeys on the same device
#
[jgarber] That seems more likely, yeah. Then that falls into the account recovery field of pain.
#
pcarrier aaronpk[d] I have a UX to enroll another passkey, you can use your second device then
#
pcarrier Or take your phone and enroll it into both accounts
#
aaronpk it's definitely an edge case and not as much of a problem with separate buttons, but i was trying to make just one button for both actions where it would be more likely to happen
#
pcarrier (One account has 0..N passkeys managed though the admin page in my model)
#
aaronpk right but if you assume they got into the situation because they weren't able to use the two different passkeys on the same device, they're stuck
#
aaronpk and if they were able to use the two passkeys on the same device, a regular login flow would have worked
#
aaronpk in other news https://media.aaronpk.com/2024/05/18143116-3484.png 😭
#
pcarrier Everybody and their Chihuahua has a smartphonr
#
aaronpk i don't see how a smartphone changes that
#
pcarrier So you can log in with whatever you have on whatever device for each account
#
[jgarber] aaron would you like to use a passkey from your chrome profile or
#
pcarrier On each account, add a passkey that's on your smartphone
#
pcarrier Then do the merge from the smartphone
#
aaronpk i guess that assumes the cross-device flow is available
#
pcarrier Correct.
#
pcarrier Unless you used safari and have an Android phone, that should always be true I think
#
aaronpk and assumes the original passkey is available on a phone and not stuck on a computer
#
pcarrier No
#
pcarrier I don't make that assumption
#
aaronpk how do you scan the QR code from a computer?
#
pcarrier It's the other way around
#
pcarrier Lemme get to a PC that'll be easier to type out
#
pcarrier Logs onto account A with computer A, enrolls phone by scanning a QR code. now phone has account A
#
pcarrier Same on computer B. Now phone has accounts A and B.
#
pcarrier Enrolling a phone from a computer involves the computer showing a QR code, the phone scanning it, not the other way around?
#
[jgarber] Yeah that’s correct.
#
[jgarber] At least on macOS.
#
aaronpk it's actually: created account on computer A, created second account on phone B, now you want to move the passkey on the phone to the account created from computer A
#
pcarrier well does it matter which way you do the transform?
#
[jgarber] Requires Bluetooth or being on the same wifi in a quick local test.
#
pcarrier but I mean, sure, let's do that. You log onto your computer, you click enroll, you use your phone. Now phone has A and B. You log into A from phone, click merge, log onto B, done
#
aaronpk i didn't follow that, need to use more specific terms referring to accounts and passkeys
#
pcarrier account A has passkey A that's on computer A. account B has passkey B that's on phone B.
#
pcarrier you want account A to have passkeys A and B
ttybitnik joined the channel
#
pcarrier you log onto account A from computer A. you click enroll, pick mobile, scan the QR code shown by computer A on phone B. now phone B has passkeys A, B, and C where passkey C belongs to account A
#
pcarrier you log onto account A on phone B using passkey C, then hit merge, then select passkey B. now account A has passkeys A, B, C and you can delete passkey C.
#
aaronpk yea this is a nightmare lol
#
pcarrier so the real life situation I expect is:
#
aaronpk two problems with that: you are forcing the user to switch devices to go through this flow (they were on their phone when they made the second account accidentally), and you are forcing them to delete the extra passkey, which is not good UX right now
#
pcarrier you click sign up instead of sign in by mistake. you see an empty account. you log out and never use that account again.
#
aaronpk as long as you know how to delete the passkey that was created when you signed up for that account that's fine
#
pcarrier however, you want to use an account you've lost access to. you reach out to me. I find a way to validate your identity (E-mail address on the account, domain you own where you can change DNS, etc.) and send you a one-time link to log into a fresh session for your account without a passkey.
#
pcarrier oh yeah, getting rid of a passkey is a must-have. it's not too bad on iPhones, it's nigh impossible on a yubikey.
#
aaronpk i can't seem to get rid of them from chrome
#
pcarrier macOS, no password manager?
#
aaronpk they are just in chrome
#
aaronpk ah found the page. it's not linked to anywhere lol chrome://settings/passkeys
#
pcarrier yeah from my personal and friends' experiences, the passkey experience leaves a lot to be desired without 1password or bitwarden
#
pcarrier or if you're 100% Apple and know to go into System settings for everything 🙂
#
[jgarber] Opinions vary, but I’ve enjoyed the convenience of passkeys using iCloud Keychain.
#
[jgarber] But yeah, I’d classify myself as overly technical. 😂
#
aaronpk i do like how 1Password manages it
#
[jgarber] 1Password’s integration is pretty slick, too.
#
pcarrier damn, now I want to implement account merge
#
pcarrier I didn't need to grow my backlog
#
aaronpk ahh thank goodness finally just got login/register working
#
aaronpk it's a bad sign that it was easier to use a "from scratch" library than to get it working in Laravel with their library
#
pcarrier oh yeah I looked at what was around for golang and decided I was better off implementing my own thing pretty quickly 🙂
#
aaronpk i don't love the assumption that there is a user-visible account identifier that is assumed to be known at the time of passkey creation
#
[jgarber] Meaning like a username or something?
#
pcarrier aaronpk[d] yuuup
#
aaronpk username or email or whatever
#
aaronpk it's so that the password managers have some account identifier to show i guess
#
aaronpk i don't _need_ to have any identifying information for an account to be functional, and in fact i would like to only collect any identifying information after the account is created so that i can do it incrementally and when it makes sense
#
pcarrier went with 'passkey' for id, name, and displayName 🙂 https://gist.github.com/pcarrier/776117b2c132e957eb2c5253f81e675a
#
[jgarber] That may vary. I think I’ve got passkeys in iCloud Keychain that re just hanging out there by themselves. Let me check.
#
pcarrier [edit] went with 'passkey' for id, name, and displayName 🙂 https://gist.github.com/pcarrier/776117b2c132e957eb2c5253f81e675a
#
[jgarber] Kidding. All of mine have username/email but I may have added those myself. 🤔
#
aaronpk what i'm trying to do is make it so you can click "register" and make an account where there is no information yet, then go add a domain to your account (which will require that i do domain verification). but then you should be able to add a second domain too. and there's no reason to ask the user to create a separate username for this either
#
pcarrier aaronpk[d] 100% same boat 🙂
#
aaronpk i guess i'll just use the website domain
#
pcarrier that's gonna be weird if they add a second domain then remove the first
#
aaronpk no the domain of the site you're logging in to
#
aaronpk so "localhost" right now 😂
#
[jgarber] lol “demo user”
#
[jgarber] https://chat-uploads.indieweb.org/files/2024/05/dev-20240518-215602-image_from_ios.jpg
#
pcarrier ha
#
aaronpk https://media.aaronpk.com/2024/05/18145605-7833.png
#
pcarrier you probably don't need to put that there, it's already stored by domain
#
aaronpk you kind of have to put something or it looks weird
#
pcarrier yeah I've been thinking "Created 2024-05-18T20:21:22Z"
#
aaronpk ok wow 4 hours later i finally have basic login working lolsob
#
pcarrier only 4? I think you beat me by a few
#
[jgarber] Okay, so it is super easy on that Yubico demo site to rack up passkeys. I was expecting an iOS/macOS prompt asking if I wanted to use an existing one but that highlights my ignorance of the underlying implementation code.
#
aaronpk right, that's what i was trying to do at the start
#
[jgarber] I’m a little slow on the uptake. 😬
#
[jgarber] Supposing there’s no credentials request-or-create in the JS API…
#
pcarrier yeah so I've been in the situation of many keys with the same name multiple times
#
pcarrier just shipped https://gist.github.com/pcarrier/776117b2c132e957eb2c5253f81e675a so it doesn't happen again, because it's terrible
#
pcarrier [edit] just shipped https://gist.github.com/pcarrier/776117b2c132e957eb2c5253f81e675a so it doesn't happen again, because it's terrible
#
aaronpk i also assumed that would be the default UX, then tried to find a way to do it with just one button, but it looks like that's just not possible
#
pcarrier deleting the right one(s) is nerve-wracking
#
aaronpk kinda wish i had been paying attention better at the beginning of passkeys to give this feedback while it was in progress
#
pcarrier no, it's `navigator.credentials.create` vs `navigator.credentials.get`
#
aaronpk but this is the exact kind of thing i'm trying to make sure doesn't happen with FedCM, by actually getting in early(ish)
#
pcarrier aaronpk[d] I guess it's not too late to bring `navigator.credentials.get({orCreate:true})` or some such
#
aaronpk i will ask
#
aaronpk i'm sure there's been some discussion of it in the past
#
[jgarber] Wait what happens with credentials.get if there’s no passkey available?
#
aaronpk the browser doesn't necessarily know if there is no passkey
#
aaronpk because you can use a passkey on a separate device
#
aaronpk so if you have none in the browser, it defaults to the cross-device flow
#
pcarrier or push a button on a hardware passkey
#
[jgarber] Could you catch the failed “get” Promise and flip over to a create flow…?
#
[jgarber] Sorry, my naïveté is showing again.
#
pcarrier terrible UX
#
pcarrier you'd get a popup asking you what to do, you'd have to refuse to make progress there, and then get the other option
#
[jgarber] It’s presumptive for sure.
#
aaronpk yep i went down that path earlier too haha
#
[jgarber] That makes me feel a little better. 😂
#
aaronpk if you assume there is an identifier that the user knows, most of this goes away
#
pcarrier also the exception is horribly general
#
pcarrier https://cdn.discordapp.com/attachments/866577430886350869/1241512433089249280/image.png?ex=664a780e&is=6649268e&hm=38a8fb9a5223aee1505242a6a11526c5d9d95a0fd7ab4503c845c9cb42f98e65&
#
pcarrier who wants a w3.org link in their exception message 😛
#
aaronpk ask the user for their email, check if you have an account with that email, if so ask for navigator.credentials.get, if not do navigator.credentials.create
#
aaronpk i just don't want to make the user type anything first
[johnstonphilip] joined the channel
#
aaronpk well i was hoping to be a lot farther along by now
#
[jgarber] The “ask for email get or create” flow _could_ be used nefariously to determine the existence of an account for a given email similar to how 401’s can leak the same (vs. a generic 404).
#
[jgarber] It’s a stretch (and probably wildly tedious) but theoretically possible.
#
aaronpk yeah, doesn't have to be an email address, it can just be a username
#
[jgarber] same same vulnerability but with arguably less consequence. 🤷‍♂️
#
[jgarber] Depends on the nature of the system.
#
[jgarber] Someone would earn a small payout in a hacking program. 😂
box464 joined the channel