#dev 2024-12-12

2024-12-12 UTC
troojg joined the channel
#
Kolev
[mattl], why 11ty?
[Sophia_wood], MyNetAz, bterry, troojg and gRegorLove_ joined the channel
#
[mattl]
Why not?
Salt, gRegor, [Sophia_wood] and [Joe_Crawford] joined the channel
#
doesnm
i found a typo in the wiki but not sure if it is a typo
#
doesnm
can i change? (if wrong, can you undo?)
#
carrvo
Tonight was supposed to be the night. I have my mindie to authenticate, my svn-auth to authorize, and SVN to serve: https://turner.enemyterritory.org/oauth/svn/indieweb/
#
carrvo
But of course it won't redirect to /oauth/index for I don't know why.
#
carrvo
And because of my ISP router limitations I can't test the public link (posted) so I have it duplicated with a local network domain.
#
carrvo
But at least anonymous access works! https://turner.enemyterritory.org/public/svn/indieweb/
#
carrvo
(But anonymous, for reasons, needs you to click login without needing to fill it in.)
#
carrvo
Grr...too late tonight to do more.
[Jo], [KevinMarks], jimw, [snarfed], Maxpm, ben, streety, Zegnat, voxpelli, fluffy, rjomara5853 and MyNetAz joined the channel
#
funkylarma
Personally I went with 11ty as I managed to get my old WordPress blog into a collection of markdown files and it feels like an easy way to host and preserve a local copy
nemonical, gRegor, gRegorLove_, jimw4, GuestZero, [morganm]1, [aciccarello]1, IWSlackGateway7, [tantek]2, [Murray]1, [benatwork], MyNetAz, Guest6, grufwub, dustinm`, al3xaurus and [snarfed] joined the channel
#
[snarfed]
doesnm please do fix typos in the wiki! and yes we can always undo
#
doesnm
[snarfed]: i can rollback myself. Confused with Accept on one line and Content-Type on another
#
doesnm
i also want to do something with the twtxt article. It has a mention of Hallway, which will be closed
al3xaurus, Kolev and gRegor joined the channel; al3xaurus left the channel
#
carrvo
Fixed the redirect! Half my issue was that a regular expression had (///) instead of (|||). Very wrong meaning.
#
Kolev
Looks like someone is going to help me write a builder for Haunt, so that archives show up at year, month and day.
#
carrvo
I would appreciate someone willing to login to https://turner.enemyterritory.org/oauth/svn/indieweb/ just to make sure that it works with a different IdP.
#
carrvo
Kolev++
#
Loqi
Kolev has 7 karma in this channel over the last year (9 in all channels)
#
[Joe_Crawford]
@carrvo 500 error on /oauth/login for me
#
carrvo
Drat. 😢
#
gRegor
I also get a 500 there, entered https://gregorlove.com
#
[Joe_Crawford]
form also can be submitted without input. adding `required` to the input would do that.
#
carrvo
[Joe_Crawford]++ thanks for trying. I'll have to look at the logs.
#
Loqi
[Joe_Crawford] has 14 karma in this channel over the last year (113 in all channels)
#
[Joe_Crawford]
would _fix_ that, I mean.
sebbu2 joined the channel
#
carrvo
[Joe_Crawford]++ thanks for the added bonus of empty input!
#
carrvo
[gRegor]++ thanks for trying as well!
#
Loqi
[gRegor] has 28 karma in this channel over the last year (126 in all channels)
#
carrvo
Hopefully I just fixed it. And UI improvements.
barnaby joined the channel
#
[Joe_Crawford]
Got further: `Error: indieauth_error The authorization server did not return a valid response` (on submission of password from my server)
#
gRegor
I got through authorizing it, ended up with "Error: invalid_grant"
#
funkylarma
Could not find your authorization endpoint
#
funkylarma
No joy here:
#
funkylarma
Error: missing_authorization_endpoint
#
gRegor
Maybe `/oauth/redirect` needs to be added in your allowed redirect_uris somewhere
#
gRegor
(that was for carrvo)
#
carrvo
Oh boy. This is going to take a lot more work then. I really appreciate it! You can still look at the /public stuff
#
gRegor
Oops, missed pasting the rest of the error: "Error: invalid_grant. redirect_uri in request does not match the authorization code"
#
gRegor
But got pretty far in the process! my site redirected with the code, state, and iss query parameters
[pfefferle] joined the channel
#
carrvo
gRegor the issue with your request is easy: when I changed my requests to remove the file extension, I missed a reference. Will fix that shortly.
[aciccarello] joined the channel
#
carrvo
[Joe_Crawford] your request issue is trickier. My server received a 400 from https://apps.artlung.com/auth/ when indieauth-client-php library tried to authenticate and introspect.
#
[Joe_Crawford]
just retried. same. not sure I know what I ought to do. I put that in as a drop-in a few weeks ago.
#
carrvo
I am not sure what I need to do, because I don't know why your server thinks it is a 400 Bad Request.
#
carrvo
gRegor your issue should be fixed. Fingers crossed.
#
carrvo
I really appreciate the external testing! I thought there might be hiccups with a different IdP implementation.
#
gRegor
No error! Ended up back at `oauth/svn/indieweb/?`
#
gRegor
With an HTTP 401
#
carrvo
Excellent! That means I have something working in some way!! Super exciting!
#
gRegor
Is this with the Apache OAuth module?
#
carrvo
Oh..."with a 401" 😦
#
carrvo
Yes it is.
#
gRegor
Heh, yeah sorry, just checked it again to see what the redirects were
#
gRegor
Bc wasn't sure if that `?` at the end was intentional or a bug
#
gRegor
Still, progress!
#
gRegor
I don't know how difficult it might be, but maybe it could redirect to a URL that shows the returned `me` from IndieAuth, to make sure that part of it works.
#
gRegor
Hm, wait. Just a regular GET to https://turner.enemyterritory.org/oauth/svn/indieweb/ is returning 401
#
gRegor
what is 401
#
Loqi
401 is an HTTP/1.1 Status Code returned from a webserver to signify that you are not authorized to make a request to the URI https://indieweb.org/401
#
carrvo
It is intentional. I ended up using ErrorDocument with a double redirection...but I don't know if a variable it sets pre-includes the ? and didn't think it important enough yet.
#
gRegor
401 makes sense if that's actually the protected URL
#
gRegor
So maybe there's no problem with the OAuth flow itself. Question is how to make the resource return 200 after the auth
#
carrvo
Good point about the user feedback. In the meantime check your cookies and the information might be there.
#
gRegor
Yep, I see a `PHPSESSID` cookie
#
gRegor
carrvo++
#
Loqi
carrvo has 4 karma over the last year
#
carrvo
The Apache OAuth requires an id token, but what I found was that IndieAuth with no scopes has no token, and with no introspection has an auth token (wrong kind).
#
carrvo
I am hoping that you have a "me" cookie...
#
carrvo
One sec, I'll check my logs again.
#
[Joe_Crawford]
my `me` cookie has a value of `https%3A%2F%2Fapps.artlung.com%2F`
#
gRegor
Let me clear cookies and restart
#
gRegor
I've gone through it a few times so clean slate might help haha
#
[Joe_Crawford]
I do a flow and end up on the login form. But I do have 3 cookies. `auth_redirect`, `me` and `PHPSESSID`
#
gRegor
Hm, so when I start fresh it has an `auth_redirect` cookie. After I go through auth I only have `PHPSESSID`
#
gRegor
Then I refresh after auth (GET) and have all three that Joe listed
#
gRegor
And the `me` is correct!
#
gRegor
I think cookies are working fine, maybe just an oddity of having the dev tools open during all the redirects. Your /redirect endpoint is returning a Set-Cookie header with the `me`
#
[Joe_Crawford]
Different paths and subtly different domains on each. a_r and me have domain of `.turner.enemyterritory.org` while `PHPSESSID` has it without the `.` at beginning. path for first 2 is `/auth/` and `/` for `PHPSESSID`
#
gRegor
Actually I see two Set-Cookie headers there, so maybe that's the oddity
#
[Joe_Crawford]
(and I'm using Safari on Mac)
#
gRegor
I'm Chrome on Windows
#
carrvo
That sounds really good. I have auth_redirect cookie so that I can properly return you to your first endpoint at the end of it all.
#
carrvo
gRegor I just checked your metadata endpoint and you don't have an introspection endpoint. So you won't get further unless I redo stuff.
#
carrvo
How common is it for introspection to be used for IndieAuth sites?
#
gRegor
Hm, I'll have to check. I thought I had that, but maybe only in dev
#
carrvo
[Joe_Crawford] is the me the correct value? I'll think about why the domain is different but PHPSESSID is correct.
#
gRegor
Yeah, looks like my site is behind a version, I'll update my IndieAuth
#
gRegor
The WordPress plugin has the introspection endpoint, so that's a big chunk of the IndieAuth-capable sites supporting it.
#
[Joe_Crawford]
`me` value is `https%3A%2F%2Fapps.artlung.com%2F` which matches domain I used.
#
gRegor
Other implementations may be behind, though. If you want to support backcompat, token verification used to be a request to the token endpoint. A GET request, I think
#
carrvo
Oh! That would explain some code in SelfAuth!
#
carrvo
Unfortunately the Apache OAuth module is controlling the introspection so not now. But this is really good to know overall!
#
gRegor
Yeah, I think only supporting introspection endpoint is fine
#
carrvo
[Joe_Crawford] I figured it out! You also don't have an introspection endpoint BUT the reason you did not make it as far as gRegor is that you don't have a metadata endpoint. This really helps flesh out some assumptions that I have made.
#
[Joe_Crawford]
betatesters++ glad it was helpful!
#
Loqi
betatesters has 1 karma over the last year
#
gRegor
Yeah, if there's no indieauth-metadata endpoint, I wouldn't expect there to be an introspection endpoint
angelo joined the channel
#
gRegor
Hm, [Joe_Crawford] are you running the WP IndieAuth plugin? I'm not seeing the endpoints
#
gRegor
Not even the legacy `authorization_endpoint`, `token_endpoint`
#
carrvo
It could at least use some better error handling, any ideas on how to detect indieauth-client-php failing this function? Just check if the output is null?
#
Loqi
[preview] [indieweb] indieauth-client-php: Sample implementation and helper methods for an IndieAuth client.
#
carrvo
I am super happy that this is 90%!!!! It looks like there are still hiccups to supporting the Apache OAuth module, but if I make any apps that consume the IndieAuth result directly they will work just fine!
#
carrvo
gRegor++ I remember skimming that now, that will suit my needs well.
#
Loqi
gRegor has 29 karma in this channel over the last year (126 in all channels)
#
gRegor
I think the individual `discover*` functions will also return the endpoint from *either* method, with preference for the metadata endpoint. See `discoverAuthorizationEndpoint()` and `_discoverEndpoint()` that it uses
#
gRegor
But that section I linked above is also important, to do the extra step of verifying the `issuer` if there's a metadata endpoint
#
gRegor
Congrats, this is exciting progress!
#
[Joe_Crawford]
On my main site I don't run this stuff. I was testing with http://apps.artlung.com which I use for more exploratory stuff.
#
[Joe_Crawford]
"this stuff" = WP IndieAuth plugin on http://artlung.com - not running it. and `apps.` subdomain doesn't have WP on it.
#
gRegor
Nice! So you're experimenting with your own IndieAuth server on apps subdomain?
#
[Joe_Crawford]
yeah, worked fine! I did it when Angelo was running his experiments.
#
[Joe_Crawford]
Dropped in quick
#
gRegor
Very cool. I like the changing bg colors on that btw
#
[Joe_Crawford]
yeah, it's as nice a way to say "go away" as I could think of .... not even sure how many years ago.
#
[Joe_Crawford]
https://github.com/artlung/selfauth was the thing I dropped in.
#
[Joe_Crawford]
derp. I mean https://github.com/Inklings-io/selfauth
#
Loqi
[preview] [Inklings-io] selfauth: self-hosted auth_endpoint using simple login mechanism
#
Loqi
[preview] [artlung] selfauth: self-hosted auth_endpoint using simple login mechanism
#
carrvo
Any potential issues or usability complaints with returning `422 Unprocessable Content` in the middle of the double redirect? This would be for users without a metadata endpoint or mismatched issuer. https://github.com/carrvo/mindie-client/pull/7
#
Loqi
[preview] [carrvo] #7 Handle metadata discovery issues
#
carrvo
Now that I say it out loud I obviously should be treating the metadata and issuer as different codes when they fail.
barnaby joined the channel
#
gRegor
aaronpk, I see a red error "FedCM error: Provider 1 information is incomplete." at the top of webmention.io
#
aaronpk
huh, you shouldn't see that unless you have the feature flags turned on
#
aaronpk
in chrome
#
aaronpk
i'll have to take a look again
#
gRegor
Oh, maybe I do
#
gRegor
I think I started to play around with that
#
gRegor
what is fedcm
#
Loqi
FedCM is a browser API for logging in to websites using external identity providers, and has an experimental feature "IdP Registration" which can let your own website be an identity provider to any website using IndieAuth https://indieweb.org/FedCM
#
gRegor
Hm, searched "FedCM" in Chrome and it looks like they're all set to "Default"
#
gRegor
Looks like it's checking for `navigator.credentials` and `Chrome >= 128` in https://webmention.io/js/fedcm.js
#
aaronpk
hm, that was for a feature they added in 128. i guess i just need to freshen up on the current state of things
Dryusdan and btrem joined the channel
#
btrem
I've written a post about self-documenting microformats in my website code. Wondering if I can ask if anyone wants to take a look at the draft copy and, perhaps, offer any suggestions or criticisms. Is that a thing? Is this the place to ask? (Couldn't decide if my query belongs here, or in #microformats, or #indieweb, or....?)