#wordpress 2021-06-15

2021-06-15 UTC
[Will_Monroe] joined the channel
# 01:01 
[Will_Monroe] [dshanske] That didn't seem to work.  Here's what I did:
# 01:01 
[Will_Monroe] 3. Saved token to Indigenous for Desktop Settings > The token for both endpoints (see screenshot)
# 01:01 
[Will_Monroe] 1. In WP, went to Users > Manage Tokens > Add New Token
# 01:01 
[Will_Monroe] 2. Named token, Added Token and copied the token
# 01:01 
[Will_Monroe] 4. Added settings for Post endpoint, Media endpoint as listed in Indigenous for Android (which is working)
# 01:01 
[Will_Monroe] 5. Added setting for Reader endpoint as listed in Indigenous for Android
# 01:01 
[Will_Monroe] The settings for the Post and Media endpoints both point to my domain.  But the setting for the reader points to Aperture.
# 01:01 
[Will_Monroe] Can you see any obvious errors I might have made?
# 01:01 
GWG No, but what is the error?
# 01:02 
[Will_Monroe] "Something went wrong loading the channels"
# 01:04 
[Will_Monroe] Actually, both the Post and Media endpoints seem to work!  Only the Reader endpoint seems to be having trouble.
# 01:16 
[Will_Monroe] [dshanske] I think I may have the answer:  See Token generation in Wordpress https://github.com/swentel/indigenous-desktop
# 01:17 
[Will_Monroe] I should have noticed this earlier
[tw2113_Slack_] joined the channel
# 01:17 
Loqi [swentel] indigenous-desktop: An IndieWeb Desktop app with extensions for sharing information to micropub endpoints and reading from microsub endpoints
Ruxton, [schmarty], [jacky], [Murray], [chee], tonz, [KevinMarks] and [pfefferle] joined the channel
# 12:25 
[pfefferle] GWG I just had a look at your PR… does the renew, simply update the timestamp on the token?
# 12:26 
GWG [pfefferle]: The expiration timestamp yes
# 12:26 
GWG The cron job expires the token or the attempt to use an expired token
# 12:27 
[pfefferle] hmmm, shouldn’t this be an oauth renewal process? https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
# 12:28 
GWG It could be in a future pr, but no IndieAuth client supports refresh yet
# 12:28 
[pfefferle] or why do you have implemented the expired feature?
# 12:28 
GWG So that tokens don't last forever
# 12:29 
[pfefferle] does the expires update after a “new” login?
# 12:29 
GWG No
# 12:29 
GWG Tokens are valid for 14 days unless you extend them
# 12:29 
GWG Or disable expiry
# 12:30 
[pfefferle] that means, that a client that has access to my blog will no longer work if I do not update the token?
# 12:30 
GWG Yes
# 12:30 
[pfefferle] does that make sense?
# 12:31 
[pfefferle] I think you added it because of security reasons?
# 12:31 
GWG Yes
# 12:31 
GWG https://github.com/indieweb/wordpress-indieauth/issues/171
# 12:31 
GWG Also I wasn't the only requestor
# 12:31 
GWG The other option is to put the setting on the consent screen
# 12:32 
Loqi [janboddez] #171 Token expiration filter?
# 12:32 
[pfefferle] but shouldn’t we use something like “if a token was not used for more than 15 days, delete it”?
# 12:32 
GWG That is also an option
# 12:33 
GWG I was looking at what other implementations did
# 12:33 
[pfefferle] that wouldn’t delete “active” tokens
# 12:33 
GWG gRegor and jamietanna, for example, both set expiring tokens
# 12:33 
[pfefferle] therefore we have to update the expires date every time a token is used
# 12:34 
GWG [pfefferle]: Actually no
jeremycherfas joined the channel
# 12:34 
GWG The feature you are suggesting is there in the last accessed field
# 12:34 
GWG It's a little different
# 12:34 
GWG [pfefferle]: There is a compromise position
# 12:34 
GWG I can add the option to disable expiry and people can choose 
# 12:35 
[pfefferle] hmmm, but I like the feature in general, but I do fear that an active token might be expire
# 12:35 
GWG Essentially, let expiration be set to 0 to disable
# 12:35 
[pfefferle] I do not want to disable it in general
# 12:36 
[pfefferle] I like the idea of deleting unused tokens
# 12:36 
[pfefferle] I am just thinking about a way to identify “inactive”/“unused” tokens
# 12:37 
GWG I see that as a different feature
# 12:37 
[pfefferle] ok, maybe
# 12:38 
GWG That's a good feature though
# 12:39 
GWG Expiring tokens are set at time of creation, they don't necessarily have to correspond with refresh... though I am happy to build refresh tokens as a feature
# 12:40 
GWG https://www.jvt.me/posts/2021/01/31/refresh-token-indieauth/
# 12:40 
GWG At least one person did
# 12:40 
[pfefferle] that is not what I meant
# 12:40 
GWG I know.. just exploring options
# 12:40 
Loqi [Jamie Tanna] Implementing the Refresh Token Grant in my IndieAuth Server
# 12:41 
[pfefferle] I only had the idea to update the “expires in”, if a token was used
# 12:41 
[pfefferle] to keep it alive
# 12:41 
GWG Okay
# 12:42 
GWG I see that as a different feature, which I would add
# 12:42 
GWG So, what do you think in the end re this?
# 12:44 
[pfefferle] I understand the reason behind but it. What is the default behaviour atm.?
# 12:44 
[pfefferle] expires on or off?
# 13:01 
GWG [pfefferle]: Expires on at 14 days
# 13:01 
GWG But I could change the default and let people choose to turn it on
# 13:02 
GWG Or let them turn it off, which I didn't build
# 13:02 
[pfefferle] shouldn’t off be the default, to not change the behaviour for existing users?
# 13:02 
[pfefferle] opt-in
# 13:10 
GWG [pfefferle]: I am happy to change the default to disabled
# 13:10 
[pfefferle] just thinking
# 13:11 
GWG If everything else is satisfactory, I can commit that as a change
# 13:11 
[pfefferle] I added some comments to your PR
# 13:12 
[pfefferle] I am also fine with default on, but would recommend to raise a major version then, because it is a breaking change
# 13:35 
GWG Okay. Will examine it next work break
jeremycherfas, Tomte, jeremych-, [jacky], [KevinMarks], bode, [chrisaldrich], [tw2113_Slack_] and [asuh] joined the channel