#dev 2025-02-10

2025-02-10 UTC
MyNetAz, Chailotl, recognitium, gRegor, geoffo and grufwub joined the channel; RodrigoBorges and recognitium left the channel
#
carrvo
You can do it with IndieAuth...but I haven't dug into RelMeAuth...
bterry joined the channel
#
sknebel
I don't think it fits into how relmeauth works, because it's very much part of the design/point of that webauthn is tied to the site, which relmeauth explicitly doesn't do/require
#
sknebel
I think (without rereading specs) in theory you could do a stateless indielogin-type service, but it would basically be that service outsourcing its internal storage to you
#
sknebel
(i.e. you'd need to use that service as your indieauth endpoint)
[Jo], jan and jjuran joined the channel
#
sebbu
couldn't it be tied to the url you enter?
jjuran, Dryusdan, GuestZero, nemonical and recognitium joined the channel
#
recognitium
[snarfed]: Hi everybody, I am in the process of indiewebizing my site. When trying to set up snarfed bridgy with bluesky (I have set up a self-hosted pds), after getting an app password, I get "HTTP Error 401: {"error":"AuthenticationRequired","message":"Invalid identifier or password"}". Has anybody had and worked around a similar issue? I tried searching on the web and also in bridgy's github issues, to no avail. Thanks for
#
recognitium
the patience
ttybitnik, Guest6, jak2k and [KevinMarks] joined the channel
#
[snarfed]
recognitium hmm! what's your Bluesky handle?
#
[snarfed]
oh nm, this is probably because Bridgy classic doesn't yet fully support self-hosted PDSes, https://github.com/snarfed/bridgy/issues/1606
#
Loqi
[preview] [snarfed] #1606 Bluesky: handle federated PDSes
#
[snarfed]
hey [aaronpk] any chance you know of an OAuth 2 Python lib that supports pushed authorization request? I haven't found one yet 😕
Siscu joined the channel
#
aaronpk
oh hm, i haven't looked around at libraries in a while
#
doesnm
doesn't fully support selfhosted pds-es <- https://bsky.app/profile/juli.ee/post/3lgsz52w6oc2g
#
doesnm
i see two services which violate this: one doesn't support pds-es and one doesn't support did:web
GuestZero, sp1ff and [aciccarello] joined the channel
#
aaronpk
6 years is barely yesterday
#
[tantek]
there are times where 2019 still feels like last year 😬 — wondering if anyone has incorporated this (or other pandemic time compression/dilation effects) into their personal site archive UI
#
[tantek]
times when*
nemonical joined the channel
#
[tantek]
hot take on "private" (misnamed) or actually limited audience posts. how to implement: (1) implement IndieAuth/RelMeAuth consumption, (2) implement "simple" password consuming/cookie setting, (3) implement per-post explicit audience allow-lists of domains and optionally one or more passwords. cc: capjamesg[d]
#
aaronpk
i've been slowly putting the pieces together to be able to do that on my site. I think I finally got over the biggest hurdle of it, which is the ability to have posts be public/protected/private, and the pages with lists of posts respect that visibility
#
recognitium
[snarfed]: Thanks a lot, I don't know how I missed that info, probably out of sleepiness and fatigue
#
[tantek]
I'm definitely curious of your exploration of "protected" (limited audience IMO) and "private" (???) and what they each mean (don't mean)
#
aaronpk
private means only me, protected means there's a possibility someone else could see it (if they could log in, or with a password, or with a token obtained through webmention verification)
#
aaronpk
i also have a 4th setting "unlisted" which is exactly what it sounds like, it is only visible at the post's URL, it won't show up in tag pages or anything
#
[tantek]
that largely aligns with my understanding. one nit about "private" that I'm increasingly wanting to solve (for myself) is splitting it into "private private" (as in no one else can ever access) and "private delegatable" (as in just for me however I could delegate access to another person (set?) in order to act "as me")
#
aaronpk
what's the use case for that?
#
[tantek]
going on vacation
#
[tantek]
or for many, allowing a trusted partner / assistant to act as you
#
aaronpk
act as you for what purpose though?
#
[tantek]
in order to offload some amount of labor / life admintax
#
[tantek]
act as you to interface with larger legacy systems that require "you" to be acting as yourself
#
aaronpk
how is that related to a post's visibility?
#
[tantek]
because I can think of (have) examples of "private" posts that I do want visible to delegates and posts that I don't want visible to delegates
#
[tantek]
and the aspect of "delegatable" is the key, not *who* I delegate to (i.e. you might change assistants or partners over time)
#
[tantek]
and don't want to hardcode access to a post based on that person's identity
#
aaronpk
sounds like RBAC
#
aaronpk
role-based access control
#
[aciccarello]
I've thought a few times about how to implement limited-audience posts on my static site. Always ends up feeling like I'd be jumping through too many hoops.
#
[aciccarello]
I'd probably require some kind of non-static version of my site.
#
[aciccarello]
Some people have static encrypted files but I'd be nervous about that since you can't manage access after it's published.
#
aaronpk
it's basically impossible in a static site, the best you can do is long random URLs as a form of access control, or encryption like you mention
#
aaronpk
the other way is to do it at the web server layer, but that's also complicated
#
[aciccarello]
Yeah, I think for now I'll just leave myself constrained
#
[aciccarello]
I don't need more complexity in my life lol
gRegor joined the channel
#
[snarfed]
I often see people here (and nearby) talk about wanting protected/limited-audience posts, and they often jump to tokens, logins, etc
#
[snarfed]
for true mainstream accessibility, I really like email + unguessable URLs, nothing more
#
[snarfed]
pretty much everyone has email and can click on links and see web pages
#
[snarfed]
...but you can't assume a lot past that
GuestZero and btrem joined the channel
#
[tantek]
[snarfed] my point about passwords for resources is it's a proven and understood UX people are used to (using daily!) with Zoom, PDFs, and even Flickr
#
[tantek]
Zoom essentially enables what you suggest by putting the pw in the URL
#
[tantek]
Flickr as well with capability URLs that set a cookie with the pw access
paotsaq joined the channel
#
gRegor
I do that for passwordless sign in; one-time password links
#
sebbu
[snarfed], but you can't assume someone will always have the same email
#
sebbu
i know people who use only their isp email, and when they move away and change isp, well their email changes too
GuestZero joined the channel
#
Loqi
emailasidentity has -1 karma over the last year
#
[tantek]
emailasidentity--
#
[snarfed]
sure, identities can change. that seems orthogonal
#
[snarfed]
[tantek] true! people get passwords too. so if you email a password along with the post url, and it prompts for the password, then sure
#
[snarfed]
more friction than an unguessable URL, but still reasonable
#
gRegor
The email message is just the delivery method for the links in your example, right? It's not saying "email user@example.com can read this post"
#
sebbu
even if you got your email elsewhere, well that service might end too (like voila and zzn/mailcentro)
#
gRegor
So changing emails over time isn't a big concern
#
gRegor
I'm interested in experimenting with this more too
#
sebbu
yeah, but if the url is unguessable, the user might forget it too
#
sebbu
or they might browse it on a public pc and let it be on the browser history
#
[snarfed]
sure. same with passwords, login sessions etc
#
[snarfed]
nothing's perfect. but for accessibility emailed unguessable links (or link + password) is pretty damn accessible
#
[snarfed]
other methods that we prototype and iterate on here, less so
#
[Joe_Crawford]
they also tend to be long and inscrutable in ways where forwarding and copying and pasting can introduce damage to them
#
[snarfed]
still worth working on them! that's how anything starts. we just need to be clear-eyed about the tradeoffs
#
[snarfed]
[Joe_Crawford] true!
#
[Joe_Crawford]
+1
#
[snarfed]
...although [Joe_Crawford] if an unguessable link may degrade when you try to give it to someone else, that may not be a drawback 😁
#
[Joe_Crawford]
hah! yes
Chailotl, GuestZero_, sebbu and ttybitnik joined the channel
#
Loqi
[preview] [[snarfed]] hey [aaronpk] any chance you know of an OAuth 2 Python lib that supports pushed authorization request? I haven't found one yet 😕
#
[snarfed]
no protected resource discovery, but otherwise looks like it generally has the modern features I need
bret joined the channel
#
sebbu
i don't think there's a standard for 2FA push notification
#
[snarfed]
not notifs
#
sebbu
oh, i thought of the stuff like with google (authenticator), steam, battle, adobe, twilio authy, duo mobile, microsoft, etc... where you connect on a new browser/device, and you get a notification on (all) the old ones that someone (you) tried to log in, and you can accept or refuse (or choose another 2FA)
#
[snarfed]
heh right
#
sebbu
is that RFC 9126 about that, or something different?
#
[snarfed]
no, different, unrelated afaik
#
[Joe_Crawford]
_" warning: GH010: Your push referenced at least 20000 Git LFS objects, but we only validated a random sample of 10000. It is very likely that the remaining files have been uploaded successfully too."_
#
[Joe_Crawford]
I am calling that a win.
#
[schmarty]
artlung++ montecarlo++
#
Loqi
artlung has 1 karma in this channel over the last year (6 in all channels)
#
Loqi
montecarlo has 1 karma over the last year
#
[snarfed]
wow git LFS? is this for web assets?!
#
[Joe_Crawford]
For. Uh. 29 years worth of assets.
#
[snarfed]
and they need LFS?!
#
[Joe_Crawford]
MIND YOU, NO VIDEOS. Or maybe like 1.
#
[Joe_Crawford]
just kept doing git push over and over. different but vaguely hopeful ambiguous result each time for the last hour.
#
[Joe_Crawford]
my nomination for most fun message: "GH009: Git LFS object integrity could not be checked. Please contact GitHub support."
#
[Joe_Crawford]
The pain of this makes me glad a) I never tried to bring videos into my site as-is. and b) I never embarked on my "let's import all of my flickr photos into my site" project. Every prior version of me was rightly frightened to do that.
#
[snarfed]
glad it eventually worked!
#
[snarfed]
afaik normal git does medium sized files fine, eg 10-100MB even, LFS is maybe only for lots of bigger files in the 100s of MB to GB
#
[snarfed]
...but if this is working for you, great!
#
[Joe_Crawford]
Yeah, I was kind of all in on git-lfs but having it all in one place means I can do bulk operations more rationally. It also lets me automate more parts of it, optimize thumbs, use new image technologies (uploaded my first avif yesterday). It'll also allow me to normalize the ad hoc weird WordPress code, random PHP classes, and make all the code quality better with PHPCode Sniffer and Unit tests too.
#
sebbu
[Joe_Crawford], you'd probably have an easier way installing nextcloud and syncing your photos there
bterry1 joined the channel