#dev 2024-08-23

2024-08-23 UTC
alvarop, CRISPR, alephalpha0, epoch, geoffo, thegreekgeek, GuestZero and [KevinMarks] joined the channel
# 06:54 
[KevinMarks] I was running my tests yesterday in LA rather than the UK and several timed out because the lag connecting to Amazon in Ireland was higher
GuestZero, claudinec, [KevinMarks]1, [morganm]1, aaaa, AramZS, barnabywalters, ShinyCyril, Xe, [snarfed], jonnybarnes, box464, Stormblessed, Guest68 and Lars-Christian joined the channel
# 19:36 
vikanezrimaya it's kinda nice to see things that I developed before all fall into their places once I place some sort of capstone feature down. In this case, it was the login system, which also prompted me to update to the latest IndieAuth spec. On that topic — are there those among us who keep up with the spec changes, or do most of the IndieAuth implementations in-the-wild only support older vs?
# 19:45 
GWG I keep up... but I contributed to the last 4 updates, so...
# 19:53 
vikanezrimaya GWG: that's practically cheating :P
# 19:54 
vikanezrimaya tbh the new JSON app metadata thingy makes it easier to parse things, but also requires more burden on the clients to be compatible (because older implementations will still want HTML, and so one has to figure out what the implementation wants based on the Accept: header)
# 19:54 
capjamesg[d] vikanezrimaya++
# 19:54 
Loqi vikanezrimaya has 1 karma over the last year
# 19:54 
capjamesg[d] Your blog looks great by the way!
# 19:54 
capjamesg[d] I love all the different coloured hearts.
# 19:55 
vikanezrimaya thank you! the colored hearts are pure CSS by the way, no JavaScript!
# 19:55 
vikanezrimaya i want to make as much of my website to be accessible _to readers_ without JS
# 19:55 
GWG vikanezrimaya: I learned the hard way what happened when I didn't code for unexpected json at the url
# 19:56 
vikanezrimaya sadly it's very hard to do the same for the authoring experience because my onboarding has custom form controls that wouldn't be possible without JS
# 19:57 
vikanezrimaya but i recently added a `<noscript>` block there explaining how to write the neccesary onboarding payload by hand
# 19:57 
vikanezrimaya because let's be real, someone who doesn't have JS is likely to be a power user anyway
# 19:58 
vikanezrimaya the problem is implementing webauthn is going to be a big trouble with no js, and the proposals for webauthn form controls are all going nowhere (or moving at a snail's pace)
# 19:59 
vikanezrimaya and i really want webauthn, so much that I'm probably going to have to compromise my no-C policy by linking to openssl (because my webauthn library of choice requires openssl)
# 20:00 
vikanezrimaya well, the onboarding flow is still incomplete, i still have time to figure it out, also i want a recovery password option anyway in case one loses all their passkeys
# 20:01 
vikanezrimaya In other news, it turns out that actually having a Micropub client boosts my ability to post really well. And I have one, fresh outta the oven
# 20:02 
vikanezrimaya it still doesn't have indieauth btw, i'm getting the token and micropub endpoint from environment variables
# 20:02 
vikanezrimaya but it looks nice on my desktop! meshes really well with the other GTK apps (it's written in GTK, I hate Electron and Qt, the two other major options for desktop apps)
# 20:03 
vikanezrimaya getting into desktop development was my dream since i was what, 14?
# 20:03 
vikanezrimaya but i was too stupid back then to figure out the graphical frameworks
# 20:05 
vikanezrimaya maybe i should try Elm for web development too, my GTK wrapper library of choice is based on the Elm architecture pattern or something like that
# 20:06 
vikanezrimaya Relm4 is amazing, but I think I'm starting to hit the limitations of Rust macros at this point, probably will have to write code by hand to do the things I want
# 20:09 
vikanezrimaya lmao just wanted to see how my website looks with a user who's not me, tried commentpara.de, and the next thing I see is:
# 20:09 
vikanezrimaya > Failed to deserialize query string: missing field `iss`
# 20:09 
vikanezrimaya somebody hasn't been keeping up with updates, or maybe my implementation is a bit too strict
cuibonobo joined the channel
# 20:11 
capjamesg[d] My search engine now has support for a few more operators 😊
# 20:13 
vikanezrimaya !tell cweiske https://github.com/cweiske/anoweco may need an update, section 5.2.1 of IndieAuth, one needs to append `iss=` to the authorization response
# 20:13 
Loqi Ok, I'll tell them that when I see them next
# 20:13 
Loqi [preview] [cweiske] anoweco: Anonymous web comments for the indieweb
# 20:13 
vikanezrimaya Loqi++
# 20:13 
Loqi Loqi has 2 karma in this channel over the last year (14 in all channels)
# 20:15 
vikanezrimaya re-read the spec, and I think my implementation handled it correctly as a client by bailing out when seeing no `iss=` — I could've made it less strict by omitting it and assuming it's valid, I guess...
# 20:15 
vikanezrimaya But then that parameter is there for security reasons, and I guess I wouldn't benefit from its protection if I allow omitting it?
# 20:18 
vikanezrimaya oh, commentpara.de apparently still has old-style indieauth metadata, so maybe I could keep a marker somewhere that I'm using the old-style flow and make the `iss=` parameter optional or synthesize it
# 20:20 
vikanezrimaya Hm, intersting, I seemed to have coded the frontend itself to be tolerant to older versions (it doesn't store the `iss` parameter if old-style metadata is used), but my IndieAuth library seems to bail out — I guess I made the types a bit too unforgiving
# 20:21 
vikanezrimaya mmhm, exactly. Maybe I should make a "compatibility" mode for older implementations
# 20:23 
vikanezrimaya I'm also making the PKCE mandatory as required by spec, but that breaks outdated clients that aren't updated for PKCE. How much ground am I willing to give to outdated software?
# 20:33 
vikanezrimaya With so many updates, I wonder if it would be viable to authenticate to an IndieAuth server using just an off-the-shelf unpatched OAuth2 library.
# 20:35 
vikanezrimaya And vice versa — with IndieAuth being just a weird dialect of OAuth2 where the client ID is specifically a URL and there is no client secret, I wonder how well my IndieAuth library would fare against a standards-compliant OAuth2 server that knows nothing of IndieAuth. (With Dynamic Client Registration, maybe it would work.)
# 20:52 
vikanezrimaya Also I just remembered a thing. That Login button? The session store behind it is in-memory and has no limits on size, and currently no eviction. (I'm pretty sure I meant to add it but forgot). Bonus points to whoever OOMs my poor Raspberry Pi by logging in repeatedly :P
# 20:52 
vikanezrimaya  I hope that I don't run out of UUIDs.
# 20:53 
vikanezrimaya A UUID collision would be THE FUNNIEST thing to happen, because I'm completely not sure how my software will handle it.
# 20:53 
vikanezrimaya It might crash, but more likely it'll just overwrite someone's session.
# 20:53 
vikanezrimaya I'm terrible at security measures.
# 20:53 
vikanezrimaya tbh how do i still have a job while being this terrible with implementing security measures /j
# 20:56 
vikanezrimaya capjamesg++ for `u-sound p-ipa`, looks like a cool idea
# 20:56 
Loqi capjamesg has 42 karma in this channel over the last year (202 in all channels)
# 20:57 
vikanezrimaya i wish i could kang it but im terrible at ipa and also pretty much everyone pronounces my first name correctly (couldn't be said about my nickname though, people unfamiliar with my native tongue have butchered it in the past)
# 20:57 
vikanezrimaya hm, p-ipa for my nickname?
thegreekgeek_, ttybitnik and trwnh joined the channel
# 22:44 
capjamesg[d] I think Zegnat proposed those!
# 22:44 
capjamesg[d] I use them on my home page.
_capjamesg[d], lockywolf_, wagle and capjamesg[d] joined the channel