#wordpress 2018-01-15

2018-01-15 UTC
[cleverdevil] joined the channel
# 01:30 
GWG I need to harden the Indieauth implementation in both plugins that implement it
[tantek], [jeremycherfas] and [pfefferle] joined the channel
# 08:06 
[pfefferle] good morning
# 08:06 
Loqi guten morgen
jeremycherfas, [kevinmarks], [tantek] and [pfefferle] joined the channel
# 13:33 
GWG [pfefferle]: WordPress specific question. How can I improve the matching of URLs to WordPress users?
# 14:05 
[pfefferle] what do you mean?
# 14:05 
[pfefferle] so that multiple users can login to one wordpress with different indieauth urlsß
# 14:05 
[pfefferle] ?
# 14:08 
GWG [pfefferle]: In both the Micropub and the Indieauth code, to match URL to WP username, it does a user query on the user_url property to match it to the 'me' property.
# 14:08 
GWG If it matches, it creates the post as that user
# 14:19 
[pfefferle] that is the current code
# 14:20 
GWG Yes
# 14:20 
GWG I want to improve that
# 14:20 
GWG https://indieauth.spec.indieweb.org/#user-profile-url
# 14:20 
GWG The spec says I could use /author/?????
# 14:22 
[pfefferle] yes, but you do not want to use the profile page to loginin to the site you have the author page…
# 14:22 
[pfefferle] that is kind of an infinate loop
# 14:23 
[pfefferle] and if you use a profile page of a different site, it is working again
# 14:23 
aaronparecki.com edited /Wordpress_IndieAuth_Plugin (+2143) "add brainstorming section for different use cases" (view diff)
aaronpk joined the channel
# 14:24 
[pfefferle] using notiz.blog/author/matthias-pfefferle to login to notiz.blog does not make sense
# 14:25 
[pfefferle] ah sorry, you mean a mechanism to match a profile link to a username automattically?
# 14:25 
GWG Yes
# 14:25 
aaronpk isn't there a URL field in the wordpress user table?
# 14:25 
[pfefferle] oh, that is no good idea
# 14:26 
[pfefferle] I can generate any author page in my site, so this is very risky
# 14:26 
[pfefferle] notiz.blog/author/dshanske should not be able to login as dshanske on your blog
# 14:26 
[pfefferle] only if you whitelisted the page
# 14:28 
[pfefferle] aaronpk, sure and that is currently used
# 14:28 
[pfefferle] aaronpk as far as I understand GWG he wants a mechanism to automatch URLs to users without configuration!?
# 14:29 
aaronpk i'm confused, isn't that all stored in the wordpress database?
# 14:29 
GWG [pfefferle]: Yes, but not only other sites
# 14:29 
[pfefferle] ???
# 14:29 
GWG I don't have an account on notiz.blog
# 14:29 
aaronpk also am I understanding correctly that the URL example.com/author/alice can map to a wordpress username of bethany?
# 14:30 
[pfefferle] now I am also confused
# 14:30 
[pfefferle] can you make an example with URLs GWG
# 14:30 
[pfefferle] ???
# 14:31 
GWG Okay.
# 14:31 
GWG notiz.blog/author/pfefferle would work, but notiz.blog/author/dshanske wouldn't because your site has no dshanske user
# 14:32 
GWG Whereas david.shanske.com/author/dshanske would work, because I have such a page
# 14:32 
[pfefferle] but as I said, why would I like to login to my site with a URL on the same site?
# 14:32 
GWG aaronpk: The permalink can be changed, but it can be picked up in the backend
# 14:32 
[pfefferle] in the end I have to type in my password
# 14:32 
aaronpk this is why https://indieweb.org/Wordpress_IndieAuth_Plugin#Logging_in_to_a_single-user_Wordpress_via_RelMeAuth
# 14:32 
aaronpk so that you don't need to type a password
# 14:33 
GWG Will agree with aaronpk that I thought that was why people used the Indieauth plugin on their sites
# 14:33 
GWG I don't want it for that, but that's what people use it for
# 14:33 
aaronpk that's what i've heard from everyone who installs it
# 14:33 
[pfefferle] but this only makes sense, if you use indieauth.com
# 14:33 
aaronpk no
# 14:34 
aaronpk it makes sense for RelMeAuth
# 14:34 
[pfefferle] sure
# 14:34 
aaronpk which happens to be implemented by indieauth.com but could be other services as well
# 14:34 
[pfefferle] sure, but we are not discussing RelMeAuth do we?
# 14:34 
[pfefferle] and for IndieAuth it makes no sense
# 14:35 
aaronpk agreed it makes no sense for indieauth, which is why the second use case I listed is phrased totally differently https://indieweb.org/Wordpress_IndieAuth_Plugin#Logging_in_to_a_multi-user_Wordpress_site_via_IndieAuth
# 14:35 
[pfefferle] sorry, havent read the Wiki
# 14:35 
GWG [pfefferle]: How someone's Indieauth server authenticates people is up to that server
# 14:36 
aaronpk that second use case would let you log in to notiz.blog using the identity https://pfefferle.org/
# 14:36 
[pfefferle] GWG if I go to notiz.blog and use notiz.blog/author/pfefferle to login, the site checks the authentication server and finds that it’s notiz.blog, so I will be redirected to notiz.blog to authenticate… that makes no sense…
# 14:37 
[pfefferle] aaronpk that is how I implemented it currently
# 14:39 
aaronpk GWG: can you write up what you're trying to do as a use case on that page?
# 14:39 
[pfefferle] GWG as aaronpk mentioned, it is OK for rel-me-auth, but we should handle this different from IndieAuth
# 14:39 
aaronpk in the same format as the others?
# 14:40 
GWG I will, but later when I can focus on it
# 14:41 
GWG aaronpk: You didn't cover multiple users logging into an multi-user site where all of their URLs are under that site. But I'll try to document that
# 14:41 
[pfefferle] we can always trigger a rel-me-auth/indieauth.com login if it is the same domain, as the blog-domain
# 14:41 
aaronpk GWG: please do, I am not clear what your goal is with that one
# 14:41 
GWG Supporting WordPress in all its permutations
# 14:42 
aaronpk I am not clear on how you expect it to work
# 14:42 
GWG aaronpk: Authors have pages on WordPress...
# 14:42 
aaronpk that's not a complete answer
# 14:42 
[pfefferle] GWG but that is what I said
# 14:42 
[pfefferle] if I go to notiz.blog and use notiz.blog/author/pfefferle to login, the site checks the authentication server and finds that it’s notiz.blog, so I will be redirected to notiz.blog to authenticate… that makes no sense…
# 14:42 
aaronpk fill out the use case like I did the others, describing the whole flow like you expect it to work
# 14:42 
GWG Will do
# 14:42 
aaronpk e.g. do they actually authenticate via RelMeAuth?
# 14:43 
[pfefferle] with indieauth.com
# 14:43 
[pfefferle] so yes
# 14:43 
[pfefferle] and no 😉
# 14:43 
GWG But in this case, so far 100% yes
# 14:43 
GWG As long as relmeauth is a possibility for the indieauth server, it makes sense
# 14:43 
[pfefferle] no, if the site uses IndieAuth, then no
# 14:43 
aaronpk cause that would require that someone puts their URL like notiz.blog/author/pfefferle in their twitter profile, which not everyone does
# 14:43 
sknebel but notiz.blog/author/pfefferle could also have an external authentication server, e.g. another WP instance of yours?
# 14:44 
GWG Can of worms opened
# 14:44 
GWG But we'll figure it out
# 14:45 
[pfefferle] sknebel true, that’s why it do not always use rel-me.-auth
# 14:45 
aaronpk we may need more than one session at IWC Baltimore to sort through this
# 14:48 
[pfefferle] 😞
# 14:49 
aaronpk GWG: you're arriving Friday right? maybe we can get together friday before the meetup to work through some of this
# 14:49 
GWG aaronpk: I'm arriving at 9:30PM Friday night
# 14:49 
aaronpk aw darn
# 14:50 
GWG If I get to Penn Station NY early, I might try to get an earlier train.
# 14:50 
GWG aaronpk: Sorry.
# 14:54 
GWG I think the train has wifi
snarfed joined the channel
# 15:11 
snarfed morning GWG! re https://github.com/snarfed/wordpress-micropub/issues/99 ...odd, i don't actually see headers get replaced with the current code. e.g. it currently happily outputs multiple Link headers right now
# 15:11 
Loqi [dshanske] #99 Multiple HTTP Headers are Being Overwritten
# 15:11 
snarfed your PR looks fine, i'm just curious
# 15:17 
[pfefferle] me neither
# 15:17 
[pfefferle] but it is only for the same rel
# 15:17 
[pfefferle] that means, if you have multiple authentication provider for example
# 15:18 
[pfefferle] I had the issue when using multiple “hub” header for websub
# 15:19 
[pfefferle] perhaps GWG found out, while working on the IndieAuth plugin…
# 15:22 
snarfed ah ok
# 15:38 
GWG snarfed: When I checked with the old code, the token endpoint showed up as it went in last, but that overwrote the authentication endpoint
# 15:39 
GWG We never noticed because the code looks at the html headers if the http headers aren't there
# 15:39 
GWG This would have been discovered if there was a unit test for it
# 15:39 
GWG By the way, I wrote one in Indieauth to test this
# 15:40 
GWG That's how I noticed it
# 15:40 
GWG I turned off Micropub
# 15:44 
GWG snarfed: It is a nice small PR though.
# 15:44 
GWG I'll be copying the discovery tests I wrote(based on the ones I wrote for webmentions) over to Micropub after I finish with them in Indieauth
# 15:55 
GWG I'm sorry for causing trouble, either way. I keep trying to make things better
[kevinmarks], snarfed and gRegorLove joined the channel; snarfed left the channel
# 17:41 
david.shanske.com edited /Wordpress_IndieAuth_Plugin (+408) "/* Logging in to a single-user Wordpress via RelMeAuth */" (view diff)
[kevinmarks] joined the channel
# 18:37 
david.shanske.com edited /Wordpress_IndieAuth_Plugin (+1711) (view diff)
# 18:37 
GWG aaronpk: Does that help?
# 18:42 
aaronpk we may need to talk this through in person
# 18:42 
aaronpk I see a few things getting mixed up here
# 18:42 
aaronpk the section you added has: "Users may not have their own websites" followed by "The users want to use their own website identity"
# 18:43 
aaronpk and you've put some stuff about posting via micropub (authorization) under the "authenticating" header, so I am confused about what you're actually going for
# 18:58 
GWG I think I keep confusing those terms
# 18:58 
GWG I'll look at it again
# 18:58 
GWG That was during lunch
raretrack and [kevinmarks] joined the channel
# 23:03 
GWG aaronpk, rereading what you wrote. I think we're both confused. Working on clarifying as much as possible
[miklb] joined the channel