#dev 2025-01-25

2025-01-25 UTC
dissolve22[d], DJ_[dj_je][d], [tw2113], Kolev, yewscion_, capjamesg, grufwub, claudinec, srushe, rob32, eb_, okCiel, ramsey, bitauger, mooff, jak2k, nemonical, [aciccarello], [Jo], ttybitnik and [qubyte] joined the channel

[schmarty]
hmm. tried to reproduce the webring login issue. i have a test site at https://backinthe.club/ with rel=me links but no indieauth metadata to speak of. I'm able to use it to sign in at http://indielogin.com with email. however, i can also sign into the webring just fine with the same technique.

Loqi
[preview] Michael Bolton

[schmarty]
lol thx loqi

[schmarty]
i think the fetch-the-page issue only comes up when the originally entered `me` value isn't identical to the `me` value returned by http://indielogin.com, but i haven't yet been able to trigger that. 🤔

[schmarty]
http://indielogin.com so far faithfully gives back a `me` value for any URL that it can find `rel=me` on, which makes sense (e.g. http:// instead of https://, adding /index.html, ...). i don't have any redirection set up for this domain yet. enabling http=>https and i'll try again.

[schmarty]
http://indielogin.com might be caching something. still letting me sign in as the http: version of my domain. i'll check back later.

aaronpk
it doesn't cache anything, but if you have signed in once and enter the same URL later it'll use your existing session and skip the relmeauth part and show a "log in as a different user" button so it should be obvious if that's happening

[schmarty]
aaronpk++ thanks! i cleared the session but was still able to sign in as http://backintheclub/ 🤔

Loqi
aaronpk has 48 karma in this channel over the last year (135 in all channels)

[schmarty]
not sure that i'm even barking up the right tree. gonna need a way to repro this issue if i'm going to fix it though, ha

aaronpk
let me try to reproduce too, what exactly was the issue?

[schmarty]
to my understanding: someone sets up RelMeAuth on their page, can use it to sign in with http://indielogin.com, but trying to do so on the webring fails because the webring is trying to fetch the `me` page that indielogin returned.

[schmarty]
my theory is that should only happen if the webring was given a different `me` value than what http://indielogin.com returned. so i'm trying to figure out ways to trigger that, haha.

[schmarty]
(also possible: the webring and indielogin are normalizing the entered `me` value in different ways)

aaronpk
i got the error by tricking it

aaronpk
I entered "pin13.net" into the webring, that auto-corrected to "https://pin13.net/" then on indielogin.com I changed the URL in the address bar to "http://pin13.net/" and when i was redirected back to the webring i see the invalid_authorization_endpoint error

aaronpk
oh wait, i got the error but less tricky

[schmarty]
hahaha, yeah that makes sense!

aaronpk
it's trailing slash vs no trailing slash

Loqi
rofl

[schmarty]
thank goodness. honestly i think that first "trick" is... like, yeah i don't wanna support that!

aaronpk
if you enter "https://pin13.net" in the webring, indielogin.com returns the URL with a slash, then it fails

[schmarty]
aw man! the webring should be normalizing URLs before sending them along. that's a great place to look, thanks!

aaronpk
so you just need to normalize the entered URL to include the trailing slash, as described here https://indieauth.spec.indieweb.org/#url-canonicalization (yes I realize we are not actually talking about the indieauth spec but same difference)

[schmarty]
yeah the webring _should_ be doing that. it's a bug i've fixed before! regressions, ugh.
[snarfed] joined the channel

[snarfed]
tests++

Loqi
tests has 6 karma in this channel over the last year (9 in all channels)

aaronpk
[schmarty]: also i'm curious how your code ended up with that error in the first place, since you're using PKCE with indielogin.com you shouldn't even actually care what the user entered in the box and you can just accept whatever indielogin.com returns

[schmarty]
i'm re-familiarizing myself with this code but i am confused, as well. the login-start code relies on indieauth-client-php to do the normalizing _and_ the session storage of what was entered vs what comes back. https://git.schmarty.net/schmarty/micropubkit/src/branch/main/src/IndieAuthController.php#L32-L48

aaronpk
where is the fallback to indielogin.com happening?

[schmarty]
well that's a good question 😂

[schmarty]
`// NOTE: this duplicates a _bunch_ of \IndieAuth\Client::begin. Smells like a refactor maybe?`

[schmarty]
a bunch. and yet, not enough.

aaronpk
also your new client ID should be in the indielogin.com database now

[schmarty]
let's find out!

[schmarty]
client_id should now be the path to the JSON document for the client, right?

[schmarty]
ok, yep, that's all workin'.

[schmarty]
aaronpk++ many thanks! now i once again get to hunt down dupes with slash vs no-slash. well. someday.

Loqi
😄

[schmarty]
i really struggle with keeping focus and energy on indieweb projects like this. i _need_ to figure out how to make these building blocks work like actual building blocks.

aaronpk
same tbh

aaronpk
alternatively, I need to switch everything back to a monolith

[schmarty]
nice thing about a monolith is you know the answer is _somewhere_ in this one repo, haha

aaronpk
and only one set of dependencies to update lol

aaronpk
speaking of which, maybe i should spend some time this morning continuing to plan this out

[schmarty]
planning++

Loqi
planning has 1 karma over the last year

[schmarty]
😅 was afraid i'd botched deleting some dupes because i couldn't find snarfed or manton in the webring directory afterwards even though their domain-with-slash entries were still there and their without-slash ones were gone. turns out they just don't have the webring links anymore, haha.

[schmarty]
system working as intended.

carrvo[d]
aaronpk, schmarty, I also ran into a slash vs no slash issue. I don't know if it is related but I raised a fix: https://github.com/indieweb/indieauth-client-php/pull/28

Loqi
[preview] [carrvo] #28 normalize issuer as a sanity check

aaronpk
oh interesting, thanks. this isn't related, but also good catch

aaronpk
have to think about whether that's related

aaronpk
i mean, have to think about whether that's a good idea to normalize this or not

carrvo[d]
I ran headfirst into something where my meta endpoint returning slashed or slashless failed the check. I don't remember why, but I think two different dependencies wanted different things.

carrvo[d]
I doubt it would have any negative consequences because my fix only normalizes for the comparison, and passes through the original.

aaronpk
yeah I think the same URL canonicalization rules here should also apply to the issuer URL https://indieauth.spec.indieweb.org/#url-canonicalization

carrvo[d]
I was just looking at that. Completely missed it when I was implementing so I will have to compare it with MIndie-IdP...

carrvo[d]
Yeah, that implies it should always have a slash.

aaronpk
there should probably be a reference to that section in a few more places in the doc, it isn't entirely obvious that it applies to the issuer URL

carrvo[d]
Yup, I'll have to fix mine 😦

carrvo[d]
But I have to modify the lib on my system either way to normalize
bterry joined the channel

carrvo[d]
A bit of a tangent, is there a way for a browser to accept a self-signed certificate without insecurely installing it to the root store? I think I tried the me store but my browser still gave an insecure warning.

carrvo[d]
I ask because using IndieAuth in an offline network either needs HTTP (no S), users to ignore warnings (bad practice), or the answer to my question.

aaronpk
self-signed i don't think so, but you can make your own CA and install the CA's root cert and then you can sign certs all day long

aaronpk
actually this might still work if you want to use this CA: https://ssl.indieweb.org/

aaronpk
looks like i made that root cert in 2015 valid for 10 years, which means it expires this year 😮

carrvo[d]
That is what I found so far. "My own CA" sounds like the root cert is self-signed, and that still poses a high risk...

aaronpk
what risk are you concerned about?

aaronpk
the root cert would be self signed, but that's no different than the root certs your browser already ships with, those are just managed by mozilla/google/apple instead

carrvo[d]
Right, but I learned that CAs in the root store can be used to impersonate any site. It would be better if I could say "only trust this CA for this domain and subdomains".

aaronpk
yeah, any CA in your browser can issue a cert for any domain and your computer will trust it. in practice this is dealt with by kicking out CAs that behave badly.

carrvo[d]
Like, I get that you need the root store to be trusted for other domains or services such as Let's Encrypt can't work.

carrvo[d]
I cannot fully trust that my in-house CA won't be easily compromised.

aaronpk
DNS also plays a factor here though, so in practice the actual threat is not that big

carrvo[d]
How so?

aaronpk
let's say your CA was compromised and anyone can issue a cert for any domain with it. your computer would be the only one trusting that CA in the first place, so only your computer would be at risk in the first place. in order to actually do anything bad, your computer's DNS would also have to resolve a domain to the attacker's IP. so if someone also hacked your router to trick your computer into

aaronpk
thinking google.com was the attacker's IP, and then if you visited google.com, you'd end up on the attacker's website with a valid cert for google.com

aaronpk
a more realistic scenario is your laptop is on someone else's network like at a coffee shop so you're using their DNS server and that's how your computer gets the wrong IP for google. which is also why you should use DNS-over-HTTP or always VPN when you're on public wifi

carrvo[d]
Ah.

carrvo[d]
So if I had a friend over and got them to install my CA, as long as my app server is found through mDNS I can't muck with their machine.
jimw and rrix joined the channel

sknebel
I think nowadays support for restricting the range a CA-cert can issue certs for is also better than it was in the past, but you'd need to double check that

sknebel
for a long time Apple did not support that, but I think that might have changed in the last few years?

sknebel
"Name Constraints" is the keyword to look for if I remember right

sknebel
with Let's Encrypt etc having generally accepted certs in local networks is also not as painful anymore (networks that are entirely offline long-term are an exception admittedly)

carrvo[d]
sknebel++ will have to look into this long term, thanks!

Loqi
sknebel has 7 karma in this channel over the last year (14 in all channels)

carrvo[d]
What do you mean by "generally accepted certs in local networks"?

carrvo[d]
Like, how do you get Let's Encrypt to issue them?

sknebel
use a subdomain of your real domain locally, use the DNS challenge to not have to expose the host to the public
sebbu2 joined the channel

carrvo[d]
Ah! I considered that, and still am. Long term I have to consider the differences between my own DNS server and mDNS 😦

carrvo[d]
sknebel++ that is still very helpful!
[KevinMarks], gRegor, barnaby and bterry joined the channel