#indiewebcamp 2014-01-19

2014-01-19 UTC
snarfed joined the channel
#
bear KartikPrabhu - that's why i'm happy you are making changes - I love that we will be working on making the code better. let me check the PR status now...
#
Jeena hm brid.gy says my notes have no webmention support, weird, perhaps it is not checking the http header?
#
snarfed Jeena: sorry about that! i'll take a look
#
snarfed if you click on the "XXX ago" link, it will show you the log
#
Jeena ah ok
#
snarfed ah. the link is to a pdf :P
#
snarfed …and there's no webmention http header
#
bear KartikPrabhu - I had one merge conflict to clear up but otherwise it was a clean PR - thanks
#
Jeena yeah but just a minute ago there were /notes/6 no webmention support
#
snarfed ah
#
Jeena the ones with @goetzb
#
Jeena but those aren't there anymore hm
#
snarfed huh. i don't see a link rel=webmention in https://jeena.net/notes/6
#
@pfefferle @diplix könnte dich vielleicht interessieren http://indiewebcamp.com/wordpress #indieweb (twitter.com/_/status/424694762378391552)
#
Jeena curl -I https://jeena.net/notes/6
#
Jeena it is in the HTTP header
#
snarfed ah, thanks
#
Jeena Link: <https://jeena.net/webmentions>
#
Jeena rel="webmention"
#
KartikPrabhu bear: nice
#
snarfed oh, boo. it looks like the webmention library i use doesn't look in the http header
#
snarfed sorry jeena. i'll add that.
#
Jeena I could add a html <link> but that would be cheating :D
#
snarfed heh
#
Jeena and I think it is always good to have some people on different edges ;)
#
snarfed of course!
#
Jeena but still how does it know that https://jeena.net is my own website? Does it look into the "website" field of twitter?
#
snarfed good question! it doesn't. it sends webmentions to any link that accepts them. :P
#
Jeena ah hehe interesting
#
KartikPrabhu Jeena: when I am parsing your website using the python request module, I get an 'certificate verify failed' error. Any idea how to get around/fix this?
#
Jeena hm that is odd, because it is a real certificate, not a self signed one
#
aaronpk Jeena: did you add the certificate chain to your cert if necessary?
#
Jeena I'm not sure I understand what you're saying
#
Jeena I added two files in my nginx config
#
aaronpk sometimes you need to add the intermediate cert to your certificate file
#
aaronpk if the place you got the cert from requires it
#
Jeena I got it from StartSSL and I did it how they write on their website
#
snarfed http://indiewebcamp.com/https#Managing
#
snarfed specifically the "intermediate cert" part
#
Jeena I'll have a look
#
aaronpk KartikPrabhu: out of curiousity, do you get an SSL error on https://indiewebcamp.com ? I got a startssl cert for the wiki too.
#
bear KartikPrabhu - you can pass in verify=False to the request to have python-requests not walk the chain
#
Jeena I have a file called sub.class1.server.ca.pem here, I will check the howto on their website
#
KartikPrabhu aaronpk: same error chain for indiewebcamp too
#
Jeena the fuck! Some of our services are offline and under maintenance at weekends during the night hours until 07:00 AM GMT. We apologize for the temporary inconvenience and thank you for your understanding.
#
KartikPrabhu bear: good to know. but ideally it should work without that
#
bear yes, but… there are some bugs with older versions of both python-requests *and* openssl
#
aaronpk ok, I did include the intermediate cert for indiewebcamp.com, so it might not be a problem with jeena's server then
#
bear that cause them to improperly reference cached cert chain from the OS
#
KartikPrabhu bear: I see. So i could be a python bug. most annoying :(
#
Jeena yeah I kind of remember that I added one file to the other or something
#
bear lets see if verify=False works
#
bear and then I would love to see if your code works against indiewebcamp.com and also bear.im
#
aaronpk Jeena: yea that sounds right
#
snarfed bear, it sounds like you're familiar with python-requests? i'm trying to figure out how it handles multiple response headers with the same name. any idea?
#
bear last one wins IIRC
#
aaronpk python-requests--
#
Loqi python-requests has -1 karma
#
aaronpk that's not how HTTP works :P
#
Jeena hehe
#
bear that is memory speaking - working to verify my brain
#
snarfed wow. that's pretty bad for Link headers
#
snarfed np
#
snarfed docs don't say anything
#
KartikPrabhu bear, Jenna, aaronpk: it works with verify=False. surely python-requests--
#
bear not yet for the --
#
Jeena I was thinking about disabling cert verrification in my code too but decided that I would do it only if it is a real problem some day in the future
#
bear we need to see if verify=true works on the other two
#
KartikPrabhu verify=True fails for Jenna's site but works for bear's
#
KartikPrabhu also fails for indiewebcamp
#
Jeena I'm a edge case :-(
#
bear ok, so let's see if that is the same when jenna adds the intermediate cert
#
Jeena but I think I added it, and aaronpk added it to indiewebcamp too
#
Jeena and it doesn't work for both
#
bear notes the he also has a StartSSL cert
#
aaronpk bear: your startssl cert is Class 2
#
Jeena sadly the StartSSL FAQ where it says how I did it is down until 07:00 AM GMT
#
aaronpk indiewebcamp and jeena are class 1
#
aaronpk I don't remember the difference
#
bear ohh
#
aaronpk but either way, they have different root certs
#
Jeena class 1 is that we only gave the email address
#
Jeena class 2 is something more
#
bear class 2 is owner verified
#
Jeena I think
#
aaronpk so it could be that the root cert for the class 1 cert just isn't in KartikPrabhu's system
#
bear nods
#
KartikPrabhu ok so. it would be best to add verify=False to webmention codes?
#
bear I would suggest that is ok only for webmention code
icco joined the channel
#
bear but i'm also kinda a security nerd
#
aaronpk you shouldn't really get in the habit of not verifying SSL certs
#
Loqi agreed.
#
Jeena or first try it with true, when it fails retry it with fals?
#
Jeena and log a warning or something
#
bear KartikPrabhu - use verify=false for now and file a bug against our repo
#
aaronpk there aren't really any security risks in not verifying the SSL cert for a webmention I suppose
#
bear i'll work up a test using python-requests and start to find out why
#
KartikPrabhu bear: cool. Will also try adding finding a webmention end-point discovery in link header
#
bear i'm looking at sslabs.com results for jeena.net and while the cert chain looks good there are other issues common with self-hosted sites :)
#
KartikPrabhu which is why i was requesting Jenna's site in the first place :P
#
KartikPrabhu headers['link']
#
KartikPrabhu oops. wrong window
#
Jeena while fiddeling with certs and ssl http://i.imgur.com/xVyoSl.jpg
#
bear :)
#
bear what web server are you using? you can find good info on the indieweb site for both apache and nginx
#
Jeena nginx
#
bear yea, the nginx section covers a lot of ground and I look forward to any questions you may have so I can fix them on that page
#
Jeena Ok, I already saw my domain on that page, just didn't understand anything and assumed it was because of the fact that it was class1
#
Jeena but let's get down to business!
#
bear :)
icco joined the channel
#
KartikPrabhu how standard is 'link': '<webmentionendpoint>
#
KartikPrabhu rel="webmention"' format? Can I just do simple string parsing to get the endpoint?
#
@artwisanggeni webmentiontools 0.3.7: Tools for http://t.co/ZRk0kgwzYf. https://pypi.python.org/pypi/webmentiontools/0.3.7 (twitter.com/_/status/424704035640209408)
#
snarfed KartikPrabhu: standard enough. the spec does say it's that format. also only a few people use the header
#
Jeena wow! https://www.ssllabs.com/ssltest/analyze.html?d=jeena.net
#
snarfed pretty good!
#
bear wow - nicely done!
#
Jeena I just copy & pasted from the wiki! :-p
#
bear that is good feedback then - thanks!
#
bear you went from an F earlier to an A now - again, nicely done!
#
snarfed jeena, just fyi, i pushed a fix to bridgy, it's sending you webmentions now
#
snarfed although they're 500ing on your site :/
#
snarfed https://www.brid.gy/log?start_time=1390092596&key=aglzfmJyaWQtZ3lyTAsSCFJlc3BvbnNlIj50YWc6dHdpdHRlci5jb20sMjAxMzo0MjQ1NTQ3NTY5MTc3MDI2NTZfZmF2b3JpdGVkX2J5XzEwOTQyNzQ5Mww
#
Jeena cool!
#
KartikPrabhu Jeena: and I am not getting the SSL error thing now. success all over
#
aaronpk lol, supporting SSL2 gives you an automatic F
#
Jeena wohoo!
#
Jeena ah snarfed but it looks like my server crashed hm, will have a look at it
#
KartikPrabhu aaronpk: now only indiewebcamp gives the SSL error. Jeena's site seems to be fixed
#
aaronpk sweet
#
aaronpk i should track that down
#
Loqi yea
#
Jeena bridgy outputs invalid HTML https://brid-gy.appspot.com/like/twitter/jeena/424554756917702656/109427493 <- there is no <title> which is required even in HTML 2.0 ;)
icco, pfenwick, j12t and bnvk joined the channel
#
KartikPrabhu bear: new PR with verify=False thing, and endpoint discovery in link headers for ronkyuu
#
bear cool
snarfed joined the channel
#
snarfed Jeena: thanks for filling that issue! I'll fix soon. hope that wasn't breaking your server!
#
bear KartikPrabhu - merged!
#
Jeena hehe it was actually but I just need to handle stuff like that, I think I will try to get some mictoformat data out of it
#
Jeena you know, JSON would be so much easier to handle, I can't get my HTML parser to find <meta name='description'> vs. Description vs DESCRIPTION, etc.
#
aaronpk you'd have the same problem with JSON (description vs Description vs DESCRIPTION)
#
aaronpk I use the php-mf2 parser, and I get back a native object with the parsed results. I don't have to think about HTML parsing at all.
#
Jeena no because this would have been defined somewhere, the html world is just the wild west and you find all of those
#
Jeena I can use xpath for querying, so in theory I also get a native object, but everything looks like this:
#
Jeena parser.at("meta[@title='description'|meta[@title='Description']|meta[@title='DESCRIPTION']")
#
Jeena and it doesn't even cover all the cases
#
aaronpk you shouldn't need to think about parsing HTML if your'e using a library like php-mf2
#
Loqi it is probable
#
aaronpk use a library that does all the dirty work and returns the structure of the page
#
Jeena there is http://nokogiri.org/ which says it you can use CSS3 selectors, I wonder if those are case insensitive
#
aaronpk chances are if you're struggling with it, then someone else will be struggling with it in the future too
#
aaronpk and would be useful to have as a library
#
Jeena but php-mf2 gives you what? array("title" => "Description") I assume? how do you query something like that then?
#
Jeena it looks like in mf2 you also need to use a xpath query for querying for stuff like that
#
Jeena hm perhaps one of those will work http://microformats.org/wiki/parser#Ruby
#
etymancer any guidelines on photo size for h-card?
#
etymancer !tell caseorganic your photo on http://indiewebcamp.com/2014/Guest_List is a 404
#
Loqi Ok, I'll tell them that when I see them next
#
etymancer is tempted to try to (bang)tell Loqi something...
#
Loqi woot!
#
etymancer especially something with a (bang)tell $botname in it
#
etymancer does this make me a bad person?
#
etymancer.com edited /2014/Guest_List (+0) "/* Event */ Year was still 2013" (view diff)
#
etymancer also web sign-in damn well rocks.
#
etymancer and loqi++
#
etymancer :-D
KevinMarks2 joined the channel
#
etymancer oh, okay, I have to
#
etymancer !tell Loqi !tell Loqi you're a rad bot
#
Loqi Ok, I'll tell them that when I see them next
#
etymancer hm. unsatisfying.
#
KartikPrabhu etymancer: Loqi seems much smarter than expected
scor joined the channel
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
KartikPrabhu joined the channel
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
scor joined the channel
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
KartikPrabhu aaronpk: when do you send a 400 status code for incoming webmentions?
KartikPrabhu joined the channel
#
KevinMarks heh etymancer - I remember bot shenanigans like that with jibot
scor, srushe_, dvirsky_, XgFgX, igalic, hallettj, bear, tantek, bear_ and dvirsky joined the channel
#
bear i'm trying to get an older microformat parser to grok mf2 and i've run headlong into long forgotten xpath query knowledge
#
bear (the older parser is microtron)
squeakytoy, schalkneethling, glennjones and stefek99 joined the channel
#
stefek99 Hello - what was the name of the tools that integrates all post in social media (app.net, vine, instagram, twitter, G+) into one page?
#
stefek99 I remember it was active at IndieWebCamp in Brighton
#
stefek99 Now at #HackHumanity event and I would like to generate similar page (just forgot the name)
pfenwick joined the channel
#
stefek99 Can you help me with that? Searches for "social media tag aggregator" leads to thousand of non-meaningful results... (thanks)
#
stefek99 [re-post] Trying to find a tool that aggregate social media tags from the event... Kind of a >>storify<< but different...
#
KevinMarks I vaguely remember this
schalkneethling joined the channel
#
stefek99 now improved my keyword accuracy for "social media aggregator" :)
#
stefek99 Done: https://tagboard.com/HackHumanity the answer is >>TAG BOARD<<
#
stefek99 (easy, kind of obcious once you know it)
#
stefek99 Once again talking to oneself was so helpful (rubber duck method)
#
stefek99 Thanks, need to go! :)
#
KevinMarks I built the first one of those at technorati almost exactly 9 years ago
melvster, eschnou, glennjones, Zegnat, Jestre and pasevin joined the channel
#
@digitalb2 #Bridgy, ein WebMention Proxy für Twitter, Facebook und Google+ http://notizblog.org/2014/01/16/bridgy-webmentions-fuer-twitter-und-facebook/?utm_content=buffer68a8a&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer (twitter.com/_/status/424892813193801728)
marjolein, bnvk, eschnou, voxpelli, glennjones, CheckDavid and skinny joined the channel
#
Loqi skinny: KevinMarks left you a message on 1/17 at 3:15pm: the indiewebcamp log reminds me of the old Electroinc Arts logo http://www.brandsoftheworld.com/logo/electronic-arts-0
CheckDavid and snarfed joined the channel
#
@snarfed_org @pfefferle @diplix hi guys! felix, thanks for trying bridgy, and sorry for the trouble. want to talk on irc? http://indiewebcamp.com/IRC (twitter.com/_/status/424926621192032256)
ix_, friedcell, scor, pfefferle, glennjones, voxpelli and snarfed joined the channel
#
snarfed.org edited /Bridgy (+73) "/* more */" (view diff)
barnabywalters joined the channel
#
@npm_tweets webmention-testpinger 0.3.0 https://npmjs.org/package/webmention-testpinger A tool to ping your site with a variety of webmention markup (twitter.com/_/status/424945719200333825)
pasevin joined the channel
#
@nodenpm webmention-testpinger (0.3.0): https://npmjs.org/package/webmention-testpinger A tool to ping your site with a variety of webmention mark... (twitter.com/_/status/424946570187276288)
snarfed, melvster and natwelch joined the channel
#
aaronpk barnabywalters: i'm almost ready
#
barnabywalters aaronpk: cool
#
barnabywalters I’m playing with the rocket
tantek, pasevin, iangreenleaf and caseorganic joined the channel
#
Loqi caseorganic: etymancer left you a message on 1/18 at 7:12pm: your photo on http://indiewebcamp.com/2014/Guest_List is a 404
#
tantek hello caseorganic!
#
neuro` Good time of day #indiewebcamp
#
caseorganic tantek: hello tantek!
#
caseorganic.com edited /2014/Guest_List (-10) "/* Creators */ Fixed broken image link to pic from caseorganic.com" (view diff)
#
caseorganic !tell etymancer thank you for letting me know! fixed.
#
Loqi Ok, I'll tell them that when I see them next
#
neuro` tantek: nice new avatar on Twitter, but the resolution is very low on my client (low like "oh, cool pixel art")
#
tantek neuro` Twitter is lower resolution than my own site. In general ;)
#
tantek It's inevitable that silos will have downlevel content compared to indieweb sites.
#
neuro` tantek: not sure how Twitter resized it, lots of people I follow have high def avatar on twitter.
#
tantek but do they have their own websites? when silos are mere POSSE copies, they can be expected to be lower resolution and should be treated as such.
#
www.iangreenleaf.com edited /Twitter (-42) "Organize and rename page sections" (view diff)
voxpelli joined the channel
#
www.iangreenleaf.com edited /Twitter (+277) "Add section on exporting DMs" (view diff)
#
www.iangreenleaf.com edited /Facebook (+144) "Add message export option" (view diff)
#
@npm_tweets webmention-testpinger 0.3.1 https://npmjs.org/package/webmention-testpinger A tool to ping your site with a variety of webmention markup (twitter.com/_/status/424977186580201472)
caseorganic joined the channel
#
aaronpk heh "it's a feature not a bug"
glennjones, bnvk, KevinMarks2 and snarfed joined the channel
#
@eikiu RT @voxpelli: Everything seems to be working well with my WebMention endpoint, so I'm making 5 more accounts available: https://t.co/jpviUX… (twitter.com/_/status/424992321550438400)
j12t joined the channel
#
aaronpk KartikPrabhu: I only send a 400 for seriously malformed requests, like missing a source parameter, or when the URL parameters aren't actually URLs
#
KartikPrabhu aaronpk: Do you check if sourceURL can be retrieved and send 400 if not?
#
KartikPrabhu I am sending webmentions automatically on saving a new post and it seems that the webmention is sent before the article even has a URL
#
aaronpk lol!
#
aaronpk you probably shouldn't send a webmention until your URL actually exists
#
KartikPrabhu yes! But the only way I have figured out to do it in Django is to modify the save method. So the very first time it is executed there is no actual post! It does work on re-save though :P
#
aaronpk ah, crazy! there isn't a post-save hook or something?
#
KartikPrabhu possibly. must look more through the docs
#
KartikPrabhu but tracking this down took a lot of work! I was very confused fora while that it didnt work only on first save :)
#
aaronpk heh i can imagine!
#
KartikPrabhu there is a post_save signal! I just didn't know what word to look for. Thanks aaronpk
#
aaronpk hah! good guess!
bnvk, scor and skinny joined the channel
#
@helloanselm Keyhotee sounds interesting as a decentralized way of using the internet: http://invictus.io/keyhotee.php #indieweb (twitter.com/_/status/425008687707877376)
#
barnabywalters aaronpk: just started implementing indieauth stuff by trying to get equivalent behaviour to current approach using new flow
CheckDavid joined the channel
#
barnabywalters wondering how to structure what scope to request for each person logging in
#
barnabywalters e.g. someone might want to authenticate to see some private content without authorising my server to post on their behalf
#
barnabywalters for the moment it’s probably safe to assume that if the person has a micropub endpoint (i.e. is you) they want to request the post scope, but going forward that’s going to be a UI issue we have to figure out
#
aaronpk great point!
#
aaronpk I think you can probably infer the intended scope based on the page they are signing in from
#
aaronpk but that seems like only a temporary solution
#
barnabywalters the awesomesauce solution would be for the app to pass a list of scopes it supports to the authorisation endpoint and let the user choose what they want to give
#
aaronpk true!
#
barnabywalters but that has plenty of issues too
#
aaronpk sort of. I know Github is moving to that model though.
#
barnabywalters for the moment I’ll infer based on the presence of a micropub endpoint
#
aaronpk yay real-world testing!
#
Loqi does a happy dance!
#
barnabywalters observation: the new flow is significantly more complicated than the old one, which for the limited case of just signing in was amazingly simple. presumably the old flow will still continue to be “officially” supported?
#
aaronpk sort of
#
aaronpk the old flow did not allow a website to specify its authorization endpoint
#
aaronpk so implementations hard-coded to indieauth.com, which is not idael
#
aaronpk ideal
#
barnabywalters yes that is true
#
aaronpk so I would be fine to specify a simplified flow for identification (instead of identification plus authorization) but it would still require delegating to an authorization server
#
barnabywalters but not only is that a sane default, just discovering what authorisation endpoint the user wants to use and then completing the old flow as before is still easier than the complete new flow
CheckDavid joined the channel
#
aaronpk yes, you don't need an access token for identification
#
barnabywalters aaronpk: yep that sounds like a good plan — keep a simple yet distributed flow for the common case of just identification, and then have the new flow for more complex stuff
#
aaronpk I just want to make sure nobody is hard-coding to indieauth.com
#
barnabywalters sure
#
barnabywalters I’m just going to set state to an empty string for now, is that a good idea?
#
barnabywalters or should I stick a random number in there or something
#
aaronpk you should stick a random number in there for security
#
Loqi fo sho
#
barnabywalters but I don’t need to store it because it’ll be passed to the authorisation endpoint, right?
#
aaronpk you will need to store it, which is where the security comes in. you generate a random number, store it in a session somewhere, then you use it when you want to get a token.
#
aaronpk if you want to take a shortcut for now, you can just leave it blank, cause blank=blank. that just means that if someone intercepts the auth code, they can steal the code and generate a token.
#
barnabywalters well I can store it in an encrypted cookie
#
aaronpk yes! p.s. an encrypted cookie is basically what I was talking about with my JWT-encoded access tokens
#
barnabywalters okay I’ll read from dev/urandom and store that in a cookie
#
aaronpk http://php.net/mt_rand should suffice
#
barnabywalters and a 5 min timeout on that cookie should be sane for the moment
#
aaronpk yep
#
barnabywalters where would you recommend storing the access token? in an encrypted cookie or on disk somewhere?
#
aaronpk this is how I generate mine: https://github.com/indieweb/indieauth-client-php#issuing-an-access-token
#
aaronpk $token = JWT::encode($token_data, $encryptionKey);
#
aaronpk which means I don't need to store it
#
aaronpk when a request comes in with an access token, I decrypt it, so if it's a bogus token it won't decrypt properly
#
aaronpk that's basically how an encrypted cookie works
eschnou joined the channel
#
barnabywalters I mean for the note app — when I get a token for a user who’s logged in
#
aaronpk oh!
#
aaronpk yes, an encrypted cookie should be fine
#
barnabywalters I’m not quite onto implementing token generators for myself yet ;)
#
barnabywalters cool
#
aaronpk you're going to have to decrypt it to put the plaintext token in the form though
#
barnabywalters indeed
#
@snarfed_org @pfefferle hi! how do i compose a reply with wordpress-webmention 2.0? the old one had Replies in admin. does the new one not have a UI? (twitter.com/_/status/425020324954918912)
#
@howardshipp_in Interesting stuff, this #indieweb : Getting Started - IndieWebCamp http://indiewebcamp.com/Getting_Started (twitter.com/_/status/425020376960077824)
#
@howardshipp_in The #indieweb as a minimum viable social web ecosystem http://werd.io/entry/51dca7e2bed7de945debf707/the-indieweb-as-a-minimum-viable-social-web-ecosystem (twitter.com/_/status/425020892028997632)
#
barnabywalters ah I love having an encryption service set up so all I have to do to encrypt/decrypt is $app['encryption']->en/decrypt($value)
#
aaronpk wow
#
aaronpk so syntax
#
aaronpk much confuse
#
barnabywalters aaronpk: http://silex.sensiolabs.org/
#
barnabywalters silex is awesome
#
barnabywalters I use it for all PHP projects now
#
barnabywalters heh “allow waterpigs.co.uk to access waterpigs.co.uk?”
#
barnabywalters hm indieauth is failing for me now
#
aaronpk hehe
#
aaronpk oh? crap
#
barnabywalters at this URL https://indieauth.com/auth/start?me=http%3A%2F%2Fwaterpigs.co.uk&profile=https%3A%2F%2Fgithub.com%2Fbarnabywalters&redirect_uri=http%3A%2F%2Flocalhost%3A9000%2Flogin%2Fauthorise%2F
#
Loqi lolz
#
aaronpk what error?
#
barnabywalters nothing, just a blank screen
#
barnabywalters trying again with persona
#
aaronpk odd
#
barnabywalters using persona is either really slow or is hanging on “Verifying Login”
#
barnabywalters okay with persona I see this in the logs: POST https://indieauth.com/auth/verify_email.json [HTTP/1.1 1366 Unknown Status Code 693ms
#
aaronpk whaaa
#
barnabywalters unknown status code? never seen that one before
#
aaronpk huh yea hI see 1366 in my logs too wtf
#
aaronpk can you sign in to the wiki right now?
#
barnabywalters yes with http://-less URL
#
barnabywalters and with exact same URL I was using locally too
#
aaronpk *blink blink*
#
barnabywalters huh, using twitter worked
#
bear I logged into the wiki using site+persona
#
aaronpk bear: barnabywalters is testing out the new indieauth+authorization flow
#
bear ahh
#
bear goes back to coding :)
#
aaronpk barnabywalters: so you did end up getting an authorization code?
#
barnabywalters yep, I have one
#
aaronpk cool
#
barnabywalters it was passed with the token parameter name though, not code as specified
#
aaronpk did you include a client_id parameter?
#
barnabywalters ah no my bad it’s fine
#
barnabywalters I think… debugging encryption error on my end now
#
aaronpk I made it return it in the parameter "token" if a client_id is not specified, for backwards compatibility
#
barnabywalters now weird things are happening
snarfed joined the channel
#
barnabywalters twitter failed (same no response code issue) then disappeared despite not rescanning
#
barnabywalters which I am doing now
#
aaronpk there's that 1366 again
#
barnabywalters yep, back to blank screen problems now, on both github and persona
#
barnabywalters which are the only working auth providers I have left now
#
aaronpk can you try entering your values here? http://client.indieauth.com/signin
lukebrooker joined the channel
#
barnabywalters ah I think I’m not setting the token endpoint — what should it be?
#
barnabywalters or do I need to build one
#
aaronpk oh! funny...
#
aaronpk yes, I suppose you do need to build one!
#
barnabywalters huh
#
barnabywalters well, in for a penny in for a pound
#
aaronpk but I'm confused why that would cause the issues that you're seeing
#
barnabywalters me too
#
barnabywalters but wait, this means that everyone who wants to log into my site (e.g. to see private content) needs to build a token endpoint
#
aaronpk if they want to use your site to post to theirs, then yes
#
aaronpk which is why we need to formalize the identification-only flow
#
barnabywalters unless I fall back to the old flow if no token endpoint can be discovered for their me URL
EHLOVader and tantek joined the channel
#
aaronpk yes, I suppose that makes sense
#
EHLOVader aaronpk, trying to use your signing thing for a wildcard... do I have to fill in all the information?
#
EHLOVader The stateOrProvinceName field needed to be supplied and was missing
#
EHLOVader unable to write 'random state' was returned
#
aaronpk EHLOVader: the ssl cert thing?
#
EHLOVader signing
#
EHLOVader https://ssl.pin13.net/indiewebcamp/
#
aaronpk hm yeah you might need to include that value then
#
aaronpk in the CSR
#
EHLOVader it was for *.ehlovader.dev
#
EHLOVader just checking
#
aaronpk not really sure why it would require it though
#
EHLOVader I will throw something in
#
EHLOVader something valid
#
aaronpk probably XX counts as valid
#
EHLOVader me neither I didn't at globalsign
#
aaronpk barnabywalters: you should fall back to the existing flow if there is no authorization endpoint found. if there is an authorization endpoint but no token endpoint, then we need to figure out how to handle that
#
EHLOVader check that the request matches signature?
#
aaronpk EHLOVader: what?
#
EHLOVader oh passphrase
#
EHLOVader I left it blank but didn't know, openssl kept asking me for one
#
aaronpk ah! if there is no token endpoint, then you should attempt to verify the auth code with the authorization server. (that is basically what the existing flow does)
#
barnabywalters that makes sense
#
aaronpk you can use the IndieAuth\verifyIndieAuthCode method here https://github.com/indieweb/indieauth-client-php/blob/master/src/IndieAuth/Client.php#L151
#
aaronpk which is what the token endpoint uses internally
#
barnabywalters we should write the spec (or other documentation) in such a way that it’s a logical progression from the simple flow to the complex flow
#
aaronpk agreed
#
barnabywalters I’m building a token endpoint at the moment
#
Loqi yea
#
barnabywalters aaronpk: at https://github.com/indieweb/indieauth-client-php#verifying-the-authorization-code does the verify function call decode the POST body response?
#
barnabywalters the spec isn’t clear, makes it sound like it returns a string
#
aaronpk oh yeah. the method parses it and returns as an array
#
barnabywalters cool
#
aaronpk updates the docs
#
Loqi [mention] https://brid-gy.appspot.com/like/facebook/548616784/10151978318456785/100001658854524 linked to http://indiewebcamp.com/ (webmention)
#
aaronpk whoa nice, PESOS from instagram! http://root.wirres.net/reclaim/pesos-photos-from-instagram/
howardshippin and KevinMarks2 joined the channel
#
barnabywalters aaronpk: okay now I’m getting No micro pub endpoint error on the client, so I assume everything up to that point is working fine
#
aaronpk awesome
#
barnabywalters still getting blank page error when trying to sign in to my local instance though
#
barnabywalters porridge break
#
aaronpk can you send me the authorization URL you are constructing?
#
aaronpk i might be able to re-create the problem on my local copy of indieauth.com that way
snarfed joined the channel
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
barnabywalters so this is the URL which is causing problems: https://indieauth.com/auth/start?me=http%3A%2F%2Fwaterpigs.co.uk&profile=https%3A%2F%2Fgithub.com%2Fbarnabywalters&redirect_uri=http%3A%2F%2Flocalhost%3A9000%2Flogin%2Fauthorize%2F
#
barnabywalters and the auth URL: https://indieauth.com/auth?me=http%3A%2F%2Fwaterpigs.co.uk&redirect_uri=http%3A%2F%2Flocalhost%3A9000%2Flogin%2Fauthorize%2F&client_id=http%3A%2F%2Fwaterpigs.co.uk&state=%8E%24%EB%C8%92%92%B7%BBC5%0B%B7%B5G%CBz
#
barnabywalters hm I wonder if it’s those crazy bytes in the state which are causing the problem
#
aaronpk huh yeah
#
barnabywalters I’ll try just using mt_rand
#
aaronpk those are some crazy bytes
#
@wirresnet [artikel] indieweb und reclaim social media http://wirres.net/article/articleview/7046/1/49/ (twitter.com/_/status/425035593375285248)
#
aaronpk wow so much german activity! awesome!
#
barnabywalters well I would hope so as they are random :) I’ll fix it after porridge
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
barnabywalters aaronpk: one really cool bit of discovery to add would be discovering app information
#
barnabywalters even basic name+photo would really improve the authorisation screen
#
aaronpk yep! that's part of the reason the client_id is a URL
#
aaronpk so the auth server can fetch an h-card or something that describes the app
#
Loqi [mention] http://kartikprabhu.com/article/source linked to http://indiewebcamp.com/webmention (webmention)
#
barnabywalters yep it was those crazy bytes
iangreenleaf joined the channel
#
aaronpk wow that's bizarre
#
@howardshipp_in various #indieweb projects - IndieWebCamp http://indiewebcamp.com/projects (twitter.com/_/status/425041986786062338)
#
barnabywalters hm indieauth isn’t redirecting to the redirect URL I set
#
barnabywalters it’s going to /
#
barnabywalters maybe I got some parameters mixed up somewhere
#
barnabywalters oh no, it is going to the right place, firefox’s debug UI is just weird
#
aaronpk hah ok
#
aaronpk ok my micropub endpoint should accept an "access_token" parameter now
#
barnabywalters under what conditions might the token array be empty? because that’s what’s happening
#
@diplix indieweb und reclaim social media - was ix so am wochende gemacht habe —http://wirres.net/article/articleview/7046/1/6/ (twitter.com/_/status/425045462538657792)
#
barnabywalters possibly a problem with my token endpoint
#
aaronpk the token array after calling IndieAuth\Client::getAccessToken?
#
barnabywalters yep
#
aaronpk probably if it couldn't decode the form-encoded string
#
barnabywalters yep, I see where the error was now — I wasn’t constructing the response properly
#
aaronpk ah cool
#
barnabywalters might be handy to explicitly return false there instead of an empty array
#
aaronpk that should just be a matter of changing this to $auth = false
#
aaronpk https://github.com/indieweb/indieauth-client-php/blob/master/src/IndieAuth/Client.php#L146
#
barnabywalters looking in my logs I’m seeing Method Not Allowed: GET for /login/token/ — I thought the token endpoint only ever got POSTed to?
#
barnabywalters unless there’s a redirect -> GET dance going on
#
aaronpk do you have /login/token redirecting to /login/token/ by chance?
#
barnabywalters yes
#
barnabywalters why would the trailing slash be stripped though?
KartikPrabhu joined the channel
#
aaronpk hm you do reference /login/token/ in your html rel value
#
barnabywalters unless… it’s somewhere in the relative URL resolution
#
barnabywalters there’s no benefit to that being relative anyway
#
aaronpk probably better to be fully qualified, so that your http pages can specify the https token endpoint once you get https set up
#
barnabywalters is it a good idea to still have http pages lying around with https set up?
#
aaronpk i think it's fine for public content
#
aaronpk but technically you'd need to make sure you're setting the cookie https-only so the browser doesn't send cookies in the clear
#
barnabywalters okay, route matching correctly now but token still broken. probably something on my side
#
@kaffeeringe RT @diplix: indieweb und reclaim social media - was ix so am wochende gemacht habe —http://wirres.net/article/articleview/7046/1/6/ (twitter.com/_/status/425049564409004032)
aaronpk_ and j12t joined the channel