#dev 2024-08-23

2024-08-23 UTC
alvarop, CRISPR, alephalpha0, epoch, geoffo, thegreekgeek, GuestZero and [KevinMarks] joined the channel
#
[KevinMarks]
I was running my tests yesterday in LA rather than the UK and several timed out because the lag connecting to Amazon in Ireland was higher
GuestZero, claudinec, [KevinMarks]1, [morganm]1, aaaa, AramZS, barnabywalters, ShinyCyril, Xe, [snarfed], jonnybarnes, box464, Stormblessed, Guest68 and Lars-Christian joined the channel
#
vikanezrimaya
it's kinda nice to see things that I developed before all fall into their places once I place some sort of capstone feature down. In this case, it was the login system, which also prompted me to update to the latest IndieAuth spec. On that topic — are there those among us who keep up with the spec changes, or do most of the IndieAuth implementations in-the-wild only support older vs?
#
GWG
I keep up... but I contributed to the last 4 updates, so...
#
vikanezrimaya
GWG: that's practically cheating :P
#
vikanezrimaya
tbh the new JSON app metadata thingy makes it easier to parse things, but also requires more burden on the clients to be compatible (because older implementations will still want HTML, and so one has to figure out what the implementation wants based on the Accept: header)
#
capjamesg[d]
vikanezrimaya++
#
Loqi
vikanezrimaya has 1 karma over the last year
#
capjamesg[d]
Your blog looks great by the way!
#
capjamesg[d]
I love all the different coloured hearts.
#
vikanezrimaya
thank you! the colored hearts are pure CSS by the way, no JavaScript!
#
vikanezrimaya
i want to make as much of my website to be accessible _to readers_ without JS
#
GWG
vikanezrimaya: I learned the hard way what happened when I didn't code for unexpected json at the url
#
vikanezrimaya
sadly it's very hard to do the same for the authoring experience because my onboarding has custom form controls that wouldn't be possible without JS
#
vikanezrimaya
but i recently added a `<noscript>` block there explaining how to write the neccesary onboarding payload by hand
#
vikanezrimaya
because let's be real, someone who doesn't have JS is likely to be a power user anyway
#
vikanezrimaya
the problem is implementing webauthn is going to be a big trouble with no js, and the proposals for webauthn form controls are all going nowhere (or moving at a snail's pace)
#
vikanezrimaya
and i really want webauthn, so much that I'm probably going to have to compromise my no-C policy by linking to openssl (because my webauthn library of choice requires openssl)
#
vikanezrimaya
well, the onboarding flow is still incomplete, i still have time to figure it out, also i want a recovery password option anyway in case one loses all their passkeys
#
vikanezrimaya
In other news, it turns out that actually having a Micropub client boosts my ability to post really well. And I have one, fresh outta the oven
#
vikanezrimaya
it still doesn't have indieauth btw, i'm getting the token and micropub endpoint from environment variables
#
vikanezrimaya
but it looks nice on my desktop! meshes really well with the other GTK apps (it's written in GTK, I hate Electron and Qt, the two other major options for desktop apps)
#
vikanezrimaya
getting into desktop development was my dream since i was what, 14?
#
vikanezrimaya
but i was too stupid back then to figure out the graphical frameworks
#
vikanezrimaya
maybe i should try Elm for web development too, my GTK wrapper library of choice is based on the Elm architecture pattern or something like that
#
vikanezrimaya
Relm4 is amazing, but I think I'm starting to hit the limitations of Rust macros at this point, probably will have to write code by hand to do the things I want
#
vikanezrimaya
lmao just wanted to see how my website looks with a user who's not me, tried commentpara.de, and the next thing I see is:
#
vikanezrimaya
> Failed to deserialize query string: missing field `iss`
#
vikanezrimaya
somebody hasn't been keeping up with updates, or maybe my implementation is a bit too strict
cuibonobo joined the channel
#
capjamesg[d]
My search engine now has support for a few more operators 😊
#
vikanezrimaya
!tell cweiske https://github.com/cweiske/anoweco may need an update, section 5.2.1 of IndieAuth, one needs to append `iss=` to the authorization response
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
[preview] [cweiske] anoweco: Anonymous web comments for the indieweb
#
Loqi
Loqi has 2 karma in this channel over the last year (14 in all channels)
#
vikanezrimaya
re-read the spec, and I think my implementation handled it correctly as a client by bailing out when seeing no `iss=` — I could've made it less strict by omitting it and assuming it's valid, I guess...
#
vikanezrimaya
But then that parameter is there for security reasons, and I guess I wouldn't benefit from its protection if I allow omitting it?
#
vikanezrimaya
oh, commentpara.de apparently still has old-style indieauth metadata, so maybe I could keep a marker somewhere that I'm using the old-style flow and make the `iss=` parameter optional or synthesize it
#
vikanezrimaya
Hm, intersting, I seemed to have coded the frontend itself to be tolerant to older versions (it doesn't store the `iss` parameter if old-style metadata is used), but my IndieAuth library seems to bail out — I guess I made the types a bit too unforgiving
#
vikanezrimaya
mmhm, exactly. Maybe I should make a "compatibility" mode for older implementations
#
vikanezrimaya
I'm also making the PKCE mandatory as required by spec, but that breaks outdated clients that aren't updated for PKCE. How much ground am I willing to give to outdated software?
#
vikanezrimaya
With so many updates, I wonder if it would be viable to authenticate to an IndieAuth server using just an off-the-shelf unpatched OAuth2 library.
#
vikanezrimaya
And vice versa — with IndieAuth being just a weird dialect of OAuth2 where the client ID is specifically a URL and there is no client secret, I wonder how well my IndieAuth library would fare against a standards-compliant OAuth2 server that knows nothing of IndieAuth. (With Dynamic Client Registration, maybe it would work.)
#
vikanezrimaya
Also I just remembered a thing. That Login button? The session store behind it is in-memory and has no limits on size, and currently no eviction. (I'm pretty sure I meant to add it but forgot). Bonus points to whoever OOMs my poor Raspberry Pi by logging in repeatedly :P
#
vikanezrimaya
I hope that I don't run out of UUIDs.
#
vikanezrimaya
A UUID collision would be THE FUNNIEST thing to happen, because I'm completely not sure how my software will handle it.
#
vikanezrimaya
It might crash, but more likely it'll just overwrite someone's session.
#
vikanezrimaya
I'm terrible at security measures.
#
vikanezrimaya
tbh how do i still have a job while being this terrible with implementing security measures /j
#
vikanezrimaya
capjamesg++ for `u-sound p-ipa`, looks like a cool idea
#
Loqi
capjamesg has 42 karma in this channel over the last year (202 in all channels)
#
vikanezrimaya
i wish i could kang it but im terrible at ipa and also pretty much everyone pronounces my first name correctly (couldn't be said about my nickname though, people unfamiliar with my native tongue have butchered it in the past)
#
vikanezrimaya
hm, p-ipa for my nickname?
thegreekgeek_, ttybitnik and trwnh joined the channel
#
capjamesg[d]
I think Zegnat proposed those!
#
capjamesg[d]
I use them on my home page.
_capjamesg[d], lockywolf_, wagle and capjamesg[d] joined the channel