#dev 2024-05-18

2024-05-18 UTC
#
[Al_Abut]
[Joe_Crawford] I have a request for the DJ at the next frontend study party: can you explain this flex wrapping to me like I’m an infant?
#
jacky
what is a sitemap
#
Loqi
A sitemap is a list of pages on a website https://indieweb.org/sitemap
geoffo joined the channel
#
cophee
i think the issue i had with webmentions after moving over to cloudflare pages from netlify was that cloudflare uses www. before my domain name
#
[Joe_Crawford]
[Al_Abut] You got it. Sneak preview: `flex: 1 0 0` is short for `flex-grow: 1; flex-shrink: 0; flex-basis: 0;`
#
aaronpk
ooo sam set up a service to try fedcm with your own domain!!
#
Loqi
[preview] [samuelgoto] > I'll put instructions on how to use this Ok, here is one way anyone with a domain can be an Indie FedCM IdP that https://webmention.io would accept as an IdP. You have three options: 1) You can implement https://indieweb.org/FedCM_for_Indi...
geoffo joined the channel
#
aaronpk
You have no idea how excited I am about this!
hacdias_, oenone_, Zegnet, geoffo and [tw2113] joined the channel
#
aaronpk
how did you know?!?!?!
#
[tw2113]
intuition
#
[tw2113]
erm I mean an indiebirdie told me 😛
ancarda_, eb_, Guest1350_, lanodan_, sebbu2, oodani_, rjomara583, chenghiz__, revi_, chimo_, _standingdesk[d], gerben_, RapidRotator_, revi, bacardi55[m], herbi, Pegazusuo`_, eitilt and GuestZero joined the channel
#
cophee
just started using webc components in 11ty =]
#
cophee
building the site for indieweb.guide now (based off max boeck's starter)
[jeremycherfas], randulo and [Joel_Auterson] joined the channel
#
[Joel_Auterson]
Got EXIF extraction working for photos :) I realised I was including location data in all my photos so now Hugo extracts it selectively and then my build strips it from the images https://www.joelotter.com/notes/2024/04/19-japan-19/
#
Loqi
[preview] [Joel Auterson] Spent Wednesday evening in Kabukicho - def worth a visit, especially if you’ve played the Like A Dragon games as it’s the inspiration for Kamurocho. Had drinks in the Golden Gai, met some lovely people, had far too much shochu. https://www.joelotter.com/img/2024/04/japan-19-1.jpeg
#
[Joel_Auterson]
Inspired by [aaronpk]++
#
Loqi
[aaronpk] has 44 karma in this channel over the last year (128 in all channels)
pcarrier joined the channel
#
pcarrier
ah, won't lose history :)
#
pcarrier
this channel isn't really usable in discord in my experience
pcarrier and jeremycherfas joined the channel
#
GWG
I rely on exif data, but I store it in the site and strip it for serving
barnaby, chimo, jonnybarnes, geoffo and [qubyte] joined the channel
#
Loqi
[preview] [Evan Prodromou] @jesseplusplus I had a much more pessimistic feeling about federation by the early 2010s, when that ecosystem had collapsed into a few dominant players. It wasn't until we started the Social Web Working Group at the W3C in 2014 that I started feelin...
barnaby and [tantek] joined the channel
#
aaronpk
well now that i stopped processing pingbacks in webmention.io, i just noticed actual webmention spam
#
aaronpk
spam as in a webmention request from a clearly spam URL that doesn't even have a link to the target site in the webmention
pcarrier and [Joe_Crawford] joined the channel
#
[Joe_Crawford]
one prerequisite for a webmention is that the link to the target be included in the originating URL, so that seems like the result should be failure, flagging or the like
#
aaronpk
Right, which is why I'm surprised to see this request
#
aaronpk
cause it's not like someone set up a Wordpress site with the webmention plugin and is sending webmentions from actual pages on the site where it's only spam because of the content of the page
[snarfed] joined the channel
#
[snarfed]
maybe someone's site has a "send me a webmention" form pointing to http://wm.io, and this is the usual indiscriminate "find forms with text boxes, plug in our URL" spam
#
aaronpk
ah that seems likely
#
aaronpk
confirmed, there is a webmention form on the site
[manton] joined the channel
#
aaronpk
[manton]: curious if you've seen my writeup on FedCM yet! https://aaronparecki.com/2024/05/12/3/fedcm-for-indieauth
#
pcarrier
I haven't seen how idps register themselves in browsers, presumably it takes more than visiting a page or the list could get polluted quickly?
#
[manton]
[aaronpk] Yes, this looks really cool. I’d love to experiment with it. I haven’t fully wrapped my head around how it actually works yet.
#
pcarrier
End to end flow charts would be great
#
aaronpk
cool! yeah it takes a bit to get your head around. I wrote up this guide for how to turn an indieauth server into a FedCM provider
#
aaronpk
I don't want to replicate all of what's on the google developer guide, which does have a sequence diagram https://developers.google.com/privacy-sandbox/3pcd/fedcm-developer-guide
barnaby joined the channel
#
aaronpk
but the indieauth version adds one step to it so maybe there's a way to do it that isn't entirely duplicative
#
pcarrier
Hmmm really wish things like generating the list of users could happen through agent-side code instead of being limited to server logic
#
aaronpk
how so? it's server-side logic by definition, since it relies on being logged in at the IdP
#
pcarrier
The client could generate everything based on local storage, that the server merely confirms at the end by verifying the unsigned assertion and signing it
#
aaronpk
it does do a fair bit of client-side caching of the logged-in state on the server in practice
#
pcarrier
Does it though? I could imagine keeping a list of user, private key in local storage, and the server resigning the assertion that's been signed by the client to prove it has the private key after verifying the user ID -> public key association, for example
#
pcarrier
That could allow for login/logout without involving the server, which could be better for privacy
#
aaronpk
that sounds a lot like passkeys
#
pcarrier
100% inspired by passkeys
#
aaronpk
this solves a different purpose, which is federated login, which by definition uses a server
#
aaronpk
this isn't login in general
#
pcarrier
I would use a server. Just for one step not all.
#
aaronpk
in other words, i could not use fedcm to log in to aaronparecki.com with my aaronparecki.com account
#
pcarrier
I still want centralized ID<->passkey management
#
pcarrier
I still want to remove ID when an employee leaves etc.
#
pcarrier
I just don't need the server to have a cookie->user association for every UA
#
pcarrier
(By server I mean IdP)
#
pcarrier
Maybe I misunderstand what problem is being solved, but some of the design feels overly constraining to me. I don't like first party cookies either; in my ideal world every FP/IdP request could be signed by my passkey rather than introducing a stateful session with cookies
#
aaronpk
this has more of the background of the problem space in general https://blog.timcappalli.me/p/preso-osw24-fedcm101/
#
pcarrier
Is CHIPS a real thing that's happening?
#
pcarrier
Sorry can't watch talk now, but read the slides
#
pcarrier
aaronpk: thanks. so if Mozilla and Apple come along… :)
geoffo and [jgarber] joined the channel
#
[jgarber]
Aaron’s recent posts about FedCM reminded me of a question y’all might have some thoughts on.
#
[jgarber]
Assume this is about an authorization endpoint service akin to http://indielogin.com. I’m 99% sure I’ve used the right terminology, but apologies if the wording is slightly off:
#
[jgarber]
In an IndieAuth flow, what are some authorization endpoint strategies (besides RelMeAuth) for attesting that a person "owns" the domain they're authenticating with?
#
[jgarber]
Some ideas in decreasing order of complexity: TXT DNS record, an HTTP header, a `<link>` element of some kind…
#
aaronpk
besides relmeauth? yeah those sound reasonable
#
pcarrier
[jgarber]: sorry for the nit, but granted that complexity ≠ difficulty, I'd argue TXT is the least complex of those options
#
[jgarber]
Any thoughts on the “shape” (name, content, etc.) of any of those three options? Is there any prior art or something similar out there?
#
pcarrier
I'd love a provider-agnostic spec to suggest DNS changes
#
pcarrier
cloudflare has a one-click option that Google uses to install their domain ownership verification record
#
[jgarber]
Google’s site verification comes to mind.
#
aaronpk
lots of prior art for domain verification with lots of tools like email services or hosting companies
#
[jgarber]
pcarrier Heh, good timing.
#
[jgarber]
Maybe the `<link>` relation is the oddball then?
#
[jgarber]
Or, no, you could do a version of the same thing with all three options.
#
pcarrier
I'd make the point that a change to DNS goes through better safeguards than a change to a company's landing page
#
pcarrier
in my limited but non-trivial experience
#
pcarrier
wouldn't be comfortable with any member of the web team changing a key corporate security policy whenever they feel like it, whereas changes to the main DNS zone are likely to go through sysops
#
pcarrier
(or 2 members of the web team assuming 4 eyes)
barnaby and rrix joined the channel; pcarrier left the channel
#
aaronpk
huh i can't figure out how to get this passkeys UX to work the way i want
#
aaronpk
i don't want to ask the user for an email address or username first, which theoretically seems to be supported using "discoverable credentials"
#
aaronpk
but then it seems like i'm forced to provide two buttons: log in and register
#
aaronpk
but there isn't really a difference in the UX depending on which they click, because neither case asks for any user input before triggering the passkey prompt
rrix and [KevinMarks] joined the channel
#
aaronpk
i guess i have to have two buttons for now? i'm going to ask tim cappalli about this on monday
amyiscoolz_ joined the channel
#
pcarrier
aaronpk[d] yeah pretty sure you need 2 buttons.
#
pcarrier
aaronpk[d] lemme know if I turn out wrong though, would love to simplify https://xmit.co 😄
#
aaronpk
it looks like you're going for the same ux i am
#
aaronpk
have you thought about what happens if someone registers a new account accidentally and then wants to move that passkey onto their existing account?
sarajaksa joined the channel
#
pcarrier
no. everything belongs to teams, so you'd invite the other account onto the same team, then one of the accounts would leave the team and could be kept around empty
#
pcarrier
if you have workflow improvement ideas I'm 100% all ears
#
aaronpk
one thought was to detect a first-time account and ask if they meant to log in to a different account, then go through some sort of recovery flow like if they have an email address
geoffo joined the channel
#
[jgarber]
I’m probably missing some context here, but this presumes the person realizes after the fact that they created a second account (both using passkeys)?
#
pcarrier
Yeah so account merge
#
pcarrier
You log into account A, hit "merge another account" which makes you log into account B, account B disappears and account A has all the things
#
aaronpk
it might be less of a problem with separate log in / register buttons
#
[jgarber]
Copy that. That’s what I thought. Maybe this is naive:
#
[jgarber]
User realizes they messed up, they initiate an account merge flow that prompts for two passkeys in sequence (the current account’s then the “other” accounts which I suppose they’d have on device or have access to), and then the application is responsible for handling the data merge.
#
aaronpk
that doesn't quite work
#
pcarrier
Would it not though?
#
aaronpk
if they managed to create a second passkey, it's probably (probably) because they used a different device that isn't syncing their passkeys
#
[jgarber]
Figured it had to be naïveté on my part. 😅
#
aaronpk
which means they wouldn't be able to log in using the two passkeys on the same device
#
[jgarber]
That seems more likely, yeah. Then that falls into the account recovery field of pain.
#
pcarrier
aaronpk[d] I have a UX to enroll another passkey, you can use your second device then
#
pcarrier
Or take your phone and enroll it into both accounts
#
aaronpk
it's definitely an edge case and not as much of a problem with separate buttons, but i was trying to make just one button for both actions where it would be more likely to happen
#
pcarrier
(One account has 0..N passkeys managed through the admin page in my model)
#
aaronpk
right but if you assume they got into the situation because they weren't able to use the two different passkeys on the same device, they're stuck
#
aaronpk
and if they were able to use the two passkeys on the same device, a regular login flow would have worked
#
pcarrier
Everybody and their Chihuahua has a smartphone
#
aaronpk
i don't see how a smartphone changes that
#
pcarrier
So you can log in with whatever you have on whatever device for each account
#
[jgarber]
aaron would you like to use a passkey from your chrome profile or
#
pcarrier
On each account, add a passkey that's on your smartphone
#
pcarrier
Then do the merge from the smartphone
#
aaronpk
i guess that assumes the cross-device flow is available
#
pcarrier
Correct.
#
pcarrier
Unless you used safari and have an Android phone, that should always be true I think
#
aaronpk
and assumes the original passkey is available on a phone and not stuck on a computer
#
pcarrier
I don't make that assumption
#
aaronpk
how do you scan the QR code from a computer?
#
pcarrier
It's the other way around
#
pcarrier
Lemme get to a PC that'll be easier to type out
#
pcarrier
Logs onto account A with computer A, enrolls phone by scanning a QR code. now phone has account A
#
pcarrier
Same on computer B. Now phone has accounts A and B.
#
pcarrier
Enrolling a phone from a computer involves the computer showing a QR code, the phone scanning it, not the other way around?
#
[jgarber]
Yeah that’s correct.
#
[jgarber]
At least on macOS.
#
aaronpk
it's actually: created account on computer A, created second account on phone B, now you want to move the passkey on the phone to the account created from computer A
#
pcarrier
well does it matter which way you do the transform?
#
[jgarber]
Requires Bluetooth or being on the same wifi in a quick local test.
#
pcarrier
but I mean, sure, let's do that. You log onto your computer, you click enroll, you use your phone. Now phone has A and B. You log into A from phone, click merge, log onto B, done
#
aaronpk
i didn't follow that, need to use more specific terms referring to accounts and passkeys
#
pcarrier
account A has passkey A that's on computer A. account B has passkey B that's on phone B.
#
pcarrier
you want account A to have passkeys A and B
ttybitnik joined the channel
#
pcarrier
you log onto account A from computer A. you click enroll, pick mobile, scan the QR code shown by computer A on phone B. now phone B has passkeys A, B, and C where passkey C belongs to account A
#
pcarrier
you log onto account A on phone B using passkey C, then hit merge, then select passkey B. now account A has passkeys A, B, C and you can delete passkey C.
#
aaronpk
yea this is a nightmare lol
#
pcarrier
so the real life situation I expect is:
#
aaronpk
two problems with that: you are forcing the user to switch devices to go through this flow (they were on their phone when they made the second account accidentally), and you are forcing them to delete the extra passkey, which is not good UX right now
#
pcarrier
you click sign up instead of sign in by mistake. you see an empty account. you log out and never use that account again.
#
aaronpk
as long as you know how to delete the passkey that was created when you signed up for that account that's fine
#
pcarrier
however, you want to use an account you've lost access to. you reach out to me. I find a way to validate your identity (E-mail address on the account, domain you own where you can change DNS, etc.) and send you a one-time link to log into a fresh session for your account without a passkey.
#
pcarrier
oh yeah, getting rid of a passkey is a must-have. it's not too bad on iPhones, it's nigh impossible on a yubikey.
#
aaronpk
i can't seem to get rid of them from chrome
#
pcarrier
macOS, no password manager?
#
aaronpk
they are just in chrome
#
aaronpk
ah found the page. it's not linked to anywhere lol chrome://settings/passkeys
#
pcarrier
yeah from my personal and friends' experiences, the passkey experience leaves a lot to be desired without 1password or bitwarden
#
pcarrier
or if you're 100% Apple and know to go into System settings for everything 🙂
#
[jgarber]
Opinions vary, but I’ve enjoyed the convenience of passkeys using iCloud Keychain.
#
[jgarber]
But yeah, I’d classify myself as overly technical. 😂
#
aaronpk
i do like how 1Password manages it
#
[jgarber]
1Password’s integration is pretty slick, too.
#
pcarrier
damn, now I want to implement account merge
#
pcarrier
I didn't need to grow my backlog
#
aaronpk
ahh thank goodness finally just got login/register working
#
aaronpk
it's a bad sign that it was easier to use a "from scratch" library than to get it working in Laravel with their library
#
pcarrier
oh yeah I looked at what was around for golang and decided I was better off implementing my own thing pretty quickly 🙂
#
aaronpk
i don't love the assumption that there is a user-visible account identifier that is assumed to be known at the time of passkey creation
#
[jgarber]
Meaning like a username or something?
#
pcarrier
aaronpk[d] yuuup
#
aaronpk
username or email or whatever
#
aaronpk
it's so that the password managers have some account identifier to show i guess
#
aaronpk
i don't _need_ to have any identifying information for an account to be functional, and in fact i would like to only collect any identifying information after the account is created so that i can do it incrementally and when it makes sense
#
pcarrier
went with 'passkey' for id, name, and displayName 🙂 https://gist.github.com/pcarrier/776117b2c132e957eb2c5253f81e675a
#
[jgarber]
That may vary. I think I’ve got passkeys in iCloud Keychain that are just hanging out there by themselves. Let me check.
#
[jgarber]
Kidding. All of mine have username/email but I may have added those myself. 🤔
#
aaronpk
what i'm trying to do is make it so you can click "register" and make an account where there is no information yet, then go add a domain to your account (which will require that i do domain verification). but then you should be able to add a second domain too. and there's no reason to ask the user to create a separate username for this either
#
pcarrier
aaronpk[d] 100% same boat 🙂
#
aaronpk
i guess i'll just use the website domain
#
pcarrier
that's gonna be weird if they add a second domain then remove the first
#
aaronpk
no the domain of the site you're logging in to
#
aaronpk
so "localhost" right now 😂
#
[jgarber]
lol “demo user”
#
pcarrier
you probably don't need to put that there, it's already stored by domain
#
aaronpk
you kind of have to put something or it looks weird
#
pcarrier
yeah I've been thinking "Created 2024-05-18T20:21:22Z"
#
aaronpk
ok wow 4 hours later i finally have basic login working lolsob
#
pcarrier
only 4? I think you beat me by a few
#
[jgarber]
Okay, so it is super easy on that Yubico demo site to rack up passkeys. I was expecting an iOS/macOS prompt asking if I wanted to use an existing one but that highlights my ignorance of the underlying implementation code.
#
aaronpk
right, that's what i was trying to do at the start
#
[jgarber]
I’m a little slow on the uptake. 😬
#
[jgarber]
Supposing there’s no credentials request-or-create in the JS API…
#
pcarrier
yeah so I've been in the situation of many keys with the same name multiple times
#
pcarrier
just shipped https://gist.github.com/pcarrier/776117b2c132e957eb2c5253f81e675a so it doesn't happen again, because it's terrible
#
aaronpk
i also assumed that would be the default UX, then tried to find a way to do it with just one button, but it looks like that's just not possible
#
pcarrier
deleting the right one(s) is nerve-wracking
#
aaronpk
kinda wish i had been paying attention better at the beginning of passkeys to give this feedback while it was in progress
#
pcarrier
no, it's `navigator.credentials.create` vs `navigator.credentials.get`
#
aaronpk
but this is the exact kind of thing i'm trying to make sure doesn't happen with FedCM, by actually getting in early(ish)
#
pcarrier
aaronpk[d] I guess it's not too late to bring `navigator.credentials.get({orCreate:true})` or some such
#
aaronpk
i will ask
#
aaronpk
i'm sure there's been some discussion of it in the past
#
[jgarber]
Wait what happens with credentials.get if there’s no passkey available?
#
aaronpk
the browser doesn't necessarily know if there is no passkey
#
aaronpk
because you can use a passkey on a separate device
#
aaronpk
so if you have none in the browser, it defaults to the cross-device flow
#
pcarrier
or push a button on a hardware passkey
#
[jgarber]
Could you catch the failed “get” Promise and flip over to a create flow…?
#
[jgarber]
Sorry, my naïveté is showing again.
#
pcarrier
terrible UX
#
pcarrier
you'd get a popup asking you what to do, you'd have to refuse to make progress there, and then get the other option
#
[jgarber]
It’s presumptive for sure.
#
aaronpk
yep i went down that path earlier too haha
#
[jgarber]
That makes me feel a little better. 😂
#
aaronpk
if you assume there is an identifier that the user knows, most of this goes away
#
pcarrier
also the exception is horribly general
#
pcarrier
who wants a w3.org link in their exception message 😛
#
aaronpk
ask the user for their email, check if you have an account with that email, if so ask for navigator.credentials.get, if not do navigator.credentials.create
#
aaronpk
i just don't want to make the user type anything first
[johnstonphilip] joined the channel
#
aaronpk
well i was hoping to be a lot farther along by now
#
[jgarber]
The “ask for email, get or create” flow _could_ be used nefariously to determine the existence of an account for a given email, similar to how 401s can leak the same (vs. a generic 404).
#
[jgarber]
It’s a stretch (and probably wildly tedious) but theoretically possible.
#
aaronpk
yeah, doesn't have to be an email address, it can just be a username
#
[jgarber]
same same vulnerability but with arguably less consequence. 🤷‍♂️
#
[jgarber]
Depends on the nature of the system.
#
[jgarber]
Someone would earn a small payout in a hacking program. 😂
box464 joined the channel