2018-06-10 UTC
# 00:00 GWG Okay, completely rewriting a bunch of the code to be more generic.
# 03:11 GWG It pulls all rels now, because I might code support for redirect_uri for whitelisting
# 05:21 GWG aaronpk: I just realized I have to manage multiple types of tokens. The Bearer Token, the Authorization Code, and now the State are all being generated the same way. I think I'd better reorganize that.
[grantcodes], jeremycherfas, jeremych- and jeremycherfas_ joined the channel; jeremycherfas left the channel
# 08:03 GWG Okay. Auth code and Access token moved over to more featured way of management. State next
[kevinmarks] joined the channel
# 14:11 GWG aaronpk: I've done a whole boatload of stuff in IndieAuth. I may ask you to have a look when I'm done. It should make it easier to manage the code, I hope.
# 14:15 GWG aaronpk: I'm already picturing a "Why Did You Do This" moment from either you or pfefferle. That or a commit that says "Indents"
raretrack joined the channel
# 14:16 GWG aaronpk: Be kind today. It's not one of my favorite days of the year.
[manton], sketchess, jgmac1106, JHSheridan and [grantcodes] joined the channel
# 17:02 Loqi [dshanske] #67 Refactor and Improve Security
# 17:03 GWG aaronpk: This is just the beginning, but it's a lot of changes.
# 17:04 GWG aaronpk: I'll await the "Why Did You Do This?" Moment.
jgmac1106 joined the channel
# 17:08 aaronpk did you at least leave comments about why did you do this?
# 17:09 GWG I think this does a lot of good things, but I think I could do more
jgmac1106 and gRegorLove joined the channel
# 18:12 aaronpk GWG: just settled down with some coffee and I'm gonna take a look at this PR now
# 18:13 Loqi aaronpk has 8 karma in this channel (1644 overall)
# 18:19 aaronpk GWG: it looks like the local verification of authorization codes by the token endpoint is completely gone now
# 18:19 GWG Someone just told me that they have no idea why they want the Indieauth plugin
# 18:22 GWG I told them what it was for and if they didn't do any of those things, they should disable it
gRegorLove joined the channel
# 18:27 GWG I thought I did. People don't always read the readme
# 18:28 aaronpk GWG: from what I can tell, the plugin now always makes an HTTP request to itself when the token endpoint is verifying the authorization code. I thought you had code in there that looked that up in the database instead
# 18:29 aaronpk oh huh, looks like that was the case in the previous version of the plugin too. so I guess that didn't change in this PR
# 18:29 GWG I did, pfefferle removed it. I may restore it in future
# 18:30 aaronpk it makes no sense to have the plugin make an http request to itself. that adds so many potential points of failure to what otherwise would be a very straightforward check
# 18:31 GWG I intend to redesign it and reimplement
# 18:31 GWG But it can't use configuration settings.
# 18:31 GWG It needs to figure it out based on the two endpoints being on the same site
# 18:31 aaronpk why can't it use the configuration settings? I thought that was the point of the setting
# 18:33 GWG It's why I want to reexamine the issue
# 18:34 aaronpk I thought class-indieauth-authenticate.php was the file where this plugin consumes other indieauth servers for web sign-in. is that correct?
# 18:35 GWG It still is, but the new websignin class started splitting off the login interface. Why?
# 18:35 GWG Authenticate probably should eventually be renamed authorize
# 18:36 aaronpk there's a bunch of stuff in class-indieauth-authenticate.php about scopes and setting headers, which isn't used at all if you're consuming an existing IndieAuth identity
# 18:36 GWG consuming was moved to the new file
# 18:37 aaronpk oh I see, so class-indieauth-authenticate.php is actually the authorization interface for the built-in authorization endpoint?
# 18:38 GWG I'm trying to make it that way. It was originally a collection of functionality for both
# 18:39 aaronpk by "trying to" do you mean this is a completed attempt or work is still in progress?
# 18:40 GWG It is a completed attempt, but I think there is always more to do
# 18:40 aaronpk of course there is always more to do. but it's very confusing when you use language like "trying to" because it is not clear whether I am looking at something intended to actually work
# 18:41 aaronpk hm local access token verification seems to have been taken out as well
[pfefferle] joined the channel
# 18:43 [pfefferle] [aaronpk] I removed the local stuff, because the code tries to verify the authentication code with its local endpoint instead of the endpoint of the other party… we discussed that a lot
# 18:43 aaronpk [pfefferle]: this is for the web sign-in flow tho right?
# 18:44 aaronpk right so that should have nothing to do with whether the plugin is providing a built-in authorization endpoint
# 18:44 aaronpk for web sign-in, the assumption is that you are always using an external identity URL so you'd *always* check the remote authorization server
# 18:44 aaronpk but when providing a built-in indieauth server, you'd *always* look up the code locally because this server is the one that generated the code
# 18:45 aaronpk so at least this PR is starting to split out the web sign-in code so that one file isn't trying to do both things
# 18:46 GWG I think maybe I should have renamed the file now.
# 18:46 aaronpk also I don't see any changes to the wiki page documenting all the use cases
# 18:46 GWG For the things it worked for before
# 18:46 GWG I am still confused I think about pfefferle's use case
# 18:46 aaronpk if so, where is the list you used to walk through everything?
# 18:47 GWG I need to clarify that one to write a clearer list
# 18:47 GWG I tested using the endpoint for authorization and authentication
# 18:48 GWG I don't remember. I think I was working on it and may have gotten distracted with something else
# 18:51 aaronpk i'm going to completely replace that use cases section with new content
# 18:52 aaronpk and try to enumerate all the different combinations of things that are or will be supported
# 18:59 aaronpk that's good. I can't get it to work but it might be because I'm using localhost for everything
# 19:03 GWG Pfefferle, what do you think of the changes? Does it make the code a little easier to work with?
# 19:04 aaronpk add enough detail so that I can read it and recreate your situation with two wordpress installations so that I can test it myself
# 19:05 aaronpk we should not have to wait for you to test these changes on your own site
# 19:08 GWG I am still trying to figure out if the user to url mapping needs further review
# 19:11 [pfefferle] [dshanske] I only had a quick look, but there are so many changes that it's hard to say it's easier to work with 😉
# 19:11 GWG pfefferle, I meant the end product
# 19:12 GWG I moved all the token storage code out.
# 19:12 GWG I moved the websignin code out of the same file as the Indieauth code
# 19:12 GWG pfefferle, as in... when the changes are finished
# 19:13 aaronpk GWG: in theory, should I be able to disable all the files except the Web_Signin class and have that part still work?
# 19:13 GWG You'd need the global functions, but I think I got everything
# 19:14 [pfefferle] should we add a setting to also disable the endpoint? to only have the web sign-in?
JHSheridan joined the channel
# 19:15 aaronpk maybe let's save that til we move web sign-in into its own plugin?
# 19:15 sknebel curious, can a plugin install the second plugin on upgrade?
# 19:16 aaronpk so it could say "you need to install this other plugin now" kind of thing
# 19:19 GWG "We have split the sign-on portion into a separate plugin. IndieAuth will only contain the IndieAuth endpoints and authorization code. Please install the web sign-in plugin if you want to sign into your WordPress site with an external IndieAuth endpoint."
# 19:20 aaronpk GWG: so I just tested it, and something in class-indieauth-authenticate.php is still required for web sign-in to work
# 19:20 GWG aaronpk: I'll get it all out. I should have tested that
# 19:21 aaronpk which plugin adds rel=me links to your home page? is that the IndieWeb plugin?
# 19:23 GWG There are manual ways, of course, but that is the one that takes them from your user profile.
# 19:25 aaronpk question for GWG and pfefferle: hypothetically, in this new standalone web sign-in plugin, would you like to use indielogin.com as a fallback authentication option if the user is signing in with a site that doesn't support IndieAuth?
# 19:25 GWG aaronpk: I would think so. But is it ready for that?
# 19:27 GWG Theoretically, it could do something completely different. But I don't know what that is
# 19:27 aaronpk it could do relmeauth itself, but that requires the person installing the relmeauth plugin on their blog go register github/twitter API keys
# 19:28 aaronpk there are other plugins that do that already so I don't see much value in that
# 19:29 GWG aaronpk: I considered it might need relme checking for other reasons.
# 19:31 aaronpk okay, I installed the IndieAuth plugin for web-sign-in on a test site on a real server so I'll be able to continue to test pfefferle's use case there
# 19:31 GWG I meant as part of the user to url problem, but I'm not worried about it
# 19:31 aaronpk I was able to log in as aaronparecki.com there with the current published version of the plugin
# 19:34 aaronpk GWG: so that I know how to budget my time the rest of the day, are you going to be able to publish some more changes to this PR today still?
# 19:34 GWG aaronpk: I'm waiting for feedback
# 19:35 GWG Based on your feedback, I might make amendments.
# 19:36 GWG Or, alternatively, if both of you are fine with it so far, might merge it and make additional changes a new PR
# 19:36 aaronpk Okay the main thing I would like to see from this PR is that the Web sign in flow works with just its own file
# 19:36 GWG I also have to figure out a fix for Semantic Linkbacks string issue so pfefferle can push that as people are annoyed with a spy icon
# 19:37 aaronpk That will make me feel better about continuing forward with more changes to the IndieAuth side since we'll be less likely to break Web sign in
# 19:37 GWG aaronpk: Do you want me to go back in and work on that while you are looking then?
# 19:37 aaronpk The next PR i want to see local code and token verification come back
# 19:37 aaronpk I don't think I have any other feedback right now
# 19:37 GWG aaronpk: I wanted that to be a specific PR from this.
# 19:38 GWG [pfefferle]: Anything from you before I update the PR with that?
# 19:40 [pfefferle] No, I only hope that the local stuff will not kill the authentication again
# 19:41 GWG [pfefferle]: I meant with ensuring the web signin code can work without the auth code
# 19:54 GWG [pfefferle], aaronpk: Pushed split
# 19:54 GWG Also renamed authenticate to authorize to be clearer about it
# 19:54 GWG You can now comment out the endpoints and the authorize functions and it will work
# 19:55 GWG Although both do use the same abstract class, although I suppose I could remove that if I had to
jgmac1106_ joined the channel
# 20:21 aaronpk sweet, web sign-in works with all the indieauth classes disabled
# 20:22 aaronpk GWG: got some nasty errors entering a URL that doesn't support indieauth. strangely they are in a wordpress core file
# 20:26 aaronpk if $endpoints is a string and !isset($return[$endpoints]) you should return false
# 20:27 aaronpk also it appears returning a WP_Error from websignin_redirect doesn't actually show that error to the user.
# 20:28 GWG aaronpk, it should. Will have to look at that
# 20:30 aaronpk if you fix the previously mentioned error, then type in a URL that doesn't have an indieauth server, you'll see what I mean
# 20:49 aaronpk "It's strange that it's working" or "It is working in an unusual way"
# 20:56 aaronpk ah ffs wordpress is getting ssl errors trying to fetch itself
# 20:56 GWG aaronpk: If endpoint is a string and $return[$endpoints] isn't set, I shouldn't return false.
# 20:56 GWG Because it should check html links after that
# 20:58 GWG It does. It moved into that code.
# 20:58 aaronpk the problem is right now if you pass in a string for $endpoints, and it's not found, at the very end it returns an array
# 20:59 GWG Then the last setting should be return false, not return $return;
# 20:59 aaronpk maybe return false only if $endpoints is a string?
# 20:59 aaronpk I don't know what the code expects to happen when $endpoints is an array
JHSheridan joined the channel
# 21:01 GWG The return isn't going where it should be
# 21:02 aaronpk found the filter to disable ssl verification thank goodness
JHSheridan joined the channel
# 21:06 aaronpk sweet, can finally log in to stuff with my local wordpress
# 21:09 GWG Back to it not passing scope in correctly.
[grantcodes] joined the channel
# 21:15 aaronpk error reporting is not working like expected, which is part of why this is so confusing
# 21:16 aaronpk how is the determine_current_user filter supposed to work?
# 21:17 aaronpk er, how is it supposed to tell wordpress there was an error?
# 21:17 GWG aaronpk: I'm fixing error reporting for authenticate now
# 21:26 aaronpk the next question is why is it failing that in the first place
# 21:28 aaronpk the token endpoint is returning that it's an invalid token
# 21:32 GWG There. Also fixed errors in the authenticate function not being returned.
# 21:36 aaronpk okay tracked this down to "determine_current_user" is trying to return "User Not Found on this Site"
JHSheridan joined the channel
# 21:38 aaronpk hopefully your changes will make it more obvious what's going on
# 21:38 GWG I'm going to try to edit the error function.
# 21:39 aaronpk okay, pulled in changes, no change to the "Unauthorized" error
# 21:39 aaronpk the current problem is that "determine_current_user" is trying to set an error but that error is never being returned anywhere
# 21:40 aaronpk now i'm going to try to figure out why "determine_current_user" is failing
# 21:40 GWG Yes. I am looking at that. It's the surfacing that is an issue
# 21:44 aaronpk especially since this site is in single-user mode
# 21:46 aaronpk with local token verification this wouldn't be a problem
# 21:47 aaronpk since the user_id is stored along with the token record
# 21:47 aaronpk so there's no URL matching or lookup that has to happen
# 21:49 aaronpk please do fix surfacing those errors, but how do you feel about ripping out the remote token stuff and replacing it with local lookup right now? now that web sign-in is isolated I don't think there's a use case that requires using a remote indieauth server now
# 21:49 GWG I've set up a test to push for an error so I can get it working again
# 21:50 aaronpk we know web sign-in works with just the web sign-in file, so we should be able to rip out a bunch of code from the rest of the files now
tantek joined the channel
# 22:07 aaronpk i'm moving to another project for now but will take a look when you're done
# 22:26 GWG Sorry, people keep calling me for some reason
# 22:58 GWG In my case, I was running it in a browser that had my cookies enabled, so it was bypassing auth.
# 23:04 GWG For Firefox. To test the error messages, I was using curl to surface messages
tantek__ joined the channel