#wordpress 2018-04-08

2018-04-08 UTC
Taleth, tantek, [snarfed], [miklb], j12t, sebsel, [joewillmott], [kevinmarks], [cleverdevil], spaceoyster, kaushalmodi, [kaushal_modi] and [pfefferle] joined the channel
#
[pfefferle]
GWG are you here?
#
GWG
[pfefferle]: I am
#
GWG
I'm reading the code now.
#
GWG
I'm still not 100% sure about this though.
#
GWG
I did hard code those.
#
GWG
But, I still think I may be confused.
#
[pfefferle]
you have to verify the tokens always from the other page, but the code tries to verify with the local endpoint
#
GWG
[pfefferle]: Let me repeat this so I am sure I understand.
#
GWG
You want to log into pfefferle.org with the authorization and token endpoint from notiz.blog?
#
GWG
Is that correct?
#
[pfefferle]
but pfefferle.org tries to verify the tokens with the endpoint of pfefferle.org and that can’t work
#
GWG
Then, on pfefferle.org, you set the configuration to use the authorization and token endpoint from notiz.blog?
#
[pfefferle]
I don’t change the endpoints of pfefferle.org
#
GWG
I think I was wrong about it being an issue, though I still should add an option.
#
GWG
[pfefferle]: When you put in notiz.blog, it searches the user table of pfefferle.org and tries to find a user account with the user_url of notiz.blog.
#
[pfefferle]
but the code blocks before that, because the verification is not working
#
GWG
I'm walking myself through this in the code.
#
GWG
So, it reaches out to notiz.blog and discovers the endpoints and tries to use them.
#
GWG
But then pfefferle.org uses the configuration option instead of what it discovered.
#
GWG
[pfefferle]: Okay.
#
GWG
I can fix that
#
[pfefferle]
so it tries to verify the token of notiz.blog with the local endpoint
#
[pfefferle]
and that can’t work
#
[pfefferle]
I think autodiscovery on the redirect url should work
j12t joined the channel
#
aaronpk
I should be able to replicate this by trying to sign in to my wordpress site using aaronparecki.com's auth endpoint
#
[pfefferle]
or perhaps you have already saved the info in a cookie
#
[pfefferle]
[aaronpk] yes
#
aaronpk
ah I get "Cannot use object of type WP_OAuth_Response as array"
#
[pfefferle]
you have to use the code of the latest merge request
#
aaronpk
oh tricky k
#
[pfefferle]
then you get a proper error message
#
GWG
I have a discover_endpoint function. I just have to call it.
#
[pfefferle]
hmmm, but the service might be configured so that the redirect URL does not have the headers…
#
GWG
[pfefferle]: I'm just going to pass it into the function.
#
aaronpk
heh gotta switch back to non-safe get and sslverify=false :(
#
GWG
I basically am going to pass through an array. I figure if I have more than 3 arguments, I should pass an array.
#
[pfefferle]
but then it’s harder to verify the params…
#
aaronpk
whoops now I just get "Fatal error: Uncaught ArgumentCountError: Too few arguments to function add_action(), 1 passed" on the sign-in screen before doing anything
#
GWG
[pfefferle]: I intend to verify them.
#
aaronpk
deleted the add_action line and now I am getting the invalid authorization code error
#
[pfefferle]
[aaronpk] same for me, if I enable WP_DEBUG
#
GWG
Which add_action is it?
#
GWG
So I can fix that too?
#
aaronpk
GWG: I left a comment on the PR
#
aaronpk
okay yeah it's trying to verify the auth code itself rather than checking the site of the person logging in
#
[pfefferle]
changed it
#
[pfefferle]
has to be do_action instead of add_action
#
[pfefferle]
aaaahhhh, and now I see the submit button and the help messages 😄
#
GWG
I intend to fix everything
#
GWG
Where is my head?
#
[pfefferle]
I fixed the small issues
#
[pfefferle]
and some CSS
#
GWG
[pfefferle]: It should now do endpoint discovery.
#
GWG
Want to give it a shot?
#
aaronpk
hm same problem
#
GWG
Odd.
#
GWG
I thought I fixed it
#
aaronpk
I don't see where you actually discover the endpoint again
#
GWG
aaronpk: When the token is requested, it discovers the endpoint. L138 of the token-endpoint class
#
aaronpk
(also the better solution is to store the endpoint in the session when you start to avoid needing to look it up again)
#
aaronpk
there should be no token endpoint involved in this flow
#
GWG
This is the authorization or the authentication flow?
#
aaronpk
i'm using the "sign in with your domain" form so it's authentication
#
GWG
Okay.
#
GWG
I fixed the other one.
#
GWG
One second
#
[pfefferle]
I added some comments
#
GWG
aaronpk: What is the error code for no endpoint found?
#
GWG
I'm having a block.
#
aaronpk
hm I don't think that's part of the error set in the spec
#
GWG
When verifying an access token, how does it know what token endpoint to use?
#
GWG
I'm missing something here.
#
[pfefferle]
the fastest way is to make a discovery on the redirect URL
#
[pfefferle]
the best way is to store it in the session, as [aaronpk] mentioned
#
GWG
There is no redirect URL. When you have an OAuth Bearer Token, and you send it to pfefferle.org, how is pfefferle.org supposed to know by the token which endpoint to verify it against?
#
aaronpk
the only thing that should be verifying access tokens is the thing that issues them
#
GWG
So, we're back to a confusion on my part here.
#
[pfefferle]
then you have to store it
#
GWG
You send a request to a Micropub endpoint using a token.
#
[pfefferle]
when you discover it
#
GWG
You already have the token.
#
GWG
How does it know the endpoint?
tantek joined the channel
#
GWG
I never considered this case before
#
GWG
The initial Indieauth exchange might have been days ago.
#
GWG
I'm definitely missing something here.
#
GWG
For verifying the authorization code, you can discover the endpoint.
#
GWG
For the access token, I have no idea how.
#
sknebel
you can discover the token endpoint
#
GWG
But all I have is the token.
#
sknebel
wait, I have to actually read backscroll
#
GWG
I'm missing something obvious here, I fear.
#
GWG
I got the token.
#
GWG
Let's say I used 'Gimme a Token'.
#
GWG
So, I'm not in the same session when I make my micropub request.
#
GWG
I am just sending a request in with an OAuth Bearer Token
#
sknebel
ok, but gimme-a-token gets the token from your wordpress site
#
GWG
Yes.
#
sknebel
the same that the micropub endpoint is on.
#
GWG
Yes
#
sknebel
then it can just look up the token in the database of valid tokens?
#
aaronpk
it is expected that the micropub endpoint and token endpoint are tightly coupled
#
GWG
Bingo.
#
GWG
So, my original code is correct on that
#
GWG
It has to be the one set in options for the token endpoint.
#
aaronpk
which means any tokens the micropub endpoint will accept will only be ones that its own token endpoint has issued
#
aaronpk
you won't be in a situation where you're expected to send the token elsewhere to verify it
#
aaronpk
s/elsewhere/to an arbitrary location/
#
aaronpk
so if the micropub endpoint is configured to use tokens.indieauth.com to issue tokens, then that is the only place it will send them to verify them
#
GWG
So, [pfefferle], you did confuse me
#
GWG
It is only the authorization endpoint I have to fix, not the token endpoint verification
#
aaronpk
also i'm still confused about why pfefferle's two sites are talking to each other in a version of this flow that involves tokens
#
[pfefferle]
I am not sure if I use the correct wordings
#
aaronpk
that situation is very confusing for me to follow, it's easier for me to think about if i'm using my wordpress site tiny.xyz.dev and my not-wordpress-site and primary identity aaronparecki.com
#
aaronpk
so if I want to log in to quill to post to tiny.xyz.dev, it's tiny.xyz.dev that will issue the token to quill
#
aaronpk
how I authenticate at tiny.xyz.dev has nothing to do with quill and doesn't involve access tokens.
#
GWG
aaronpk: If you are confused, then I am confused.
#
GWG
aaronpk: He wants to use one site to authorize the other.
#
[pfefferle]
ok… but why does “verify_access_token” verify against a local endpoint
#
[pfefferle]
that does not make sense
#
GWG
[pfefferle]: Because how could it not?
#
aaronpk
that is the only thing that makes sense
#
GWG
You are letting people into that site?
#
[pfefferle]
the blog makes an HTTP call against its own endpoint?
#
aaronpk
ideally it should be looking up the token in the database, but yes it can make an HTTP call to itself as an alternative
#
[pfefferle]
ok, then perhaps it’s the code, because it mixes stuff
#
GWG
I'm going to go eat something
#
GWG
I think I confused myself
#
aaronpk
actually GWG now that you've got the new settings screen there's a better option here
#
GWG
aaronpk: Yes?
#
[pfefferle]
nevertheless… I get an “Invalid authorization code” error
#
[pfefferle]
when I try to login
#
aaronpk
"built-in token endpoint" as a radio button means you can store that information and avoid the http request to verify the token
#
aaronpk
since now you know that it is using the built-in token endpoint
#
GWG
aaronpk: Yes.
#
GWG
But I think I may save that for 2.1
#
GWG
I'd like to figure out the current problem first
#
aaronpk
so if that option is set, look up the token in the DB to verify it
#
aaronpk
okay well the current problem shouldn't have anything to do with access tokens
#
aaronpk
which is why i'm confused
#
GWG
aaronpk: Me too
#
GWG
But I think we should figure out [pfefferle]'s problem before pushing this to wordpress.org
#
[pfefferle]
sorry, but calling a local API confused me and then I seemed to mix up things
#
aaronpk
yes, considering web-sign-in is broken right now :)
#
aaronpk
I found another problem, which is related, and might help you figure this out
#
GWG
aaronpk: I tested it, but only to sign into itself, which is not a good test.
#
aaronpk
it appears it's not verifying the state parameter right now?
#
GWG
aaronpk: Web sign in?
#
aaronpk
"sign in with your domain"
#
GWG
aaronpk: Yes. I meant, that function.
#
GWG
I'm going to go eat something, as I haven't eaten in 6 hours.
#
GWG
I think after a full stomach, I may be better equipped to figure this out.
sebsel joined the channel
#
aaronpk
good plan
#
GWG
I am going to install it on a second site to recreate the issue.
#
aaronpk
hm looks like errors aren't being returned or shown properly
#
aaronpk
it redirects back to the login screen but it should be showing me the "indieauth_invalid_url" error
#
[pfefferle]
yes, he forgot to add the endpoint
#
aaronpk
I take it back, it does verify the state parameter 👍
#
aaronpk
what's the Wordpress Way to store stuff in the session?
#
[pfefferle]
here seems to be the error
#
[pfefferle]
the second param is missing
#
[pfefferle]
the endpoint
#
[pfefferle]
[aaronpk] GWG is storing it in the cookie, using the default PHP methods
#
aaronpk
ok, I switched that to read from a cookie I set, but somehow it's getting overridden
#
aaronpk
is it possible to set a cookie when also sending an HTTP redirect?
#
[pfefferle]
ok, I found a quick way
#
aaronpk
yeah looks like the cookie is not being set
#
aaronpk
also i'm gonna have to double check whether it's considered safe to store the authorization endpoint in a cookie. my inclination is that should be stored server-side or in a signed cookie so the client can't tamper with it.
#
[pfefferle]
should I add a quick and dirty way to the merge request?
#
[pfefferle]
GWG might beautify it when he has finished eating
#
aaronpk
what's the quick and dirty way?
#
GWG
I haven't even started eating yet
#
[pfefferle]
so, try the latest version
#
GWG
But I appreciate us getting this off the ground
#
[pfefferle]
this works for me
#
aaronpk
httponly cookie should be safe I guess
#
[pfefferle]
set a cookie with the endpoint, the first time the endpoint is discovered… and then use the session value
#
[pfefferle]
sorry for the confusion… have to dig deeper into the code at some time…
#
aaronpk
sweet, worked for me too
#
[pfefferle]
perhaps we should move the whole token stuff into a separate class (perhaps class-indieauth-authorisation.php)… to lower confusion…
#
[pfefferle]
and to remove the local http-calls in favor of db-request… to also lower confusion 😉
#
GWG
I will look after food. Just ordered
#
[pfefferle]
[aaronpk] is there a testsuite? like webmention.rocks?
#
[pfefferle]
hmmm… should have tried the .rocks domain first… 🙂 https://indieauth.rocks/
#
GWG
pfefferle, merge and then refactor?
#
[pfefferle]
I am not sure if we need some more checks
#
[pfefferle]
if the cookie is set or so
#
[pfefferle]
but sure… perhaps we merge it, to have a working copy in master
#
GWG
Okay, if you review, I will merge and brainstorm refactoring.
#
GWG
Will be back soon
tantek joined the channel