Posted Monday, August 26 at 3:35 PM (5 years ago)
I’ve released updates to both Publ and Authl.
On the Authl side:
- Code quality and documentation improvements
- Add an asynchronous client-side lookup thing that tells users how their login will proceed
- Add the redirection target to
disposition.Error
so that can be preserved correctly
- Update the Flask wrapper to use
disposition.Error.redir
- Let the application know the redirection target in
render_login_func
On the Publ side:
- If the site is configured to force HTTPS in authentication, force the cookie to be HTTPS-only
- If a user is already logged in, make the login handler redirect them to their destination
For both:
- Improved build scripts to make it less convenient to accidentally push a build from the wrong branch or version
These changes help to keep sites more secure from eavesdroppers, while also hopefully improving the user experience!
Posted Monday, August 19 at 1:49 AM (5 years ago)
I’ve released Authl v0.2.0. Changes since v0.1.8:
- Added support for Twitter
- Big ol' refactor to support Twitter (see the fuller discussion below the cut!)
- Released to beta!
And changes from v0.1.7 to v0.1.8 (which I didn’t bother to post an announcement about):
- Fixed an incredibly minor security issue in the Mastodon client (the
client_secret
was leaking but in the context of Mastodon that couldn’t really be used for anything anyway)
- Centralize/refactor the login token management, allowing for future flexibility in the service stack
- Make callback IDs protocol-stable, which helps with some stricter services (e.g. Twitter)
Posted Monday, August 12 at 1:41 AM (5 years ago)
I’ve released Authl v0.1.7, which now adds direct support for IndieAuth (rather than requiring IndieLogin.com as a broker). This means that now folks who have an IndieAuth identity can log in using that; previously I was expecting IndieLogin.com to eventually open up client registrations to make that a useful authentication path, but for various reasons Aaron hasn’t opened it up to the general public.
Part of this update was to also refactor how OAuth is handled, so it’ll be a lot easier for me to add more OAuth-based providers in the future; hopefully I’ll have direct support for Twitter, GitHub, and maybe even Facebook in the near-ish future. But for now, between Mastodon, email, and IndieAuth, I think I have all of my own personal needs taken care of.
Feel free to make suggestions for other identity providers in the Authl issue tracker, though!
Posted Saturday, August 10 at 2:04 AM (5 years ago)
Oh gosh I seem to be on a roll with these updates again. Here’s what changed in Publ:
- Fixed a silly bug in the admin dashboard renderer which made it not work in production mode
- Make the admin log only record the most recent access per user per entry, making it way more useful
- Make the logout operation happen via POST method rather than GET, fixing a problem with browser prefetching; added a
logout.html
template to support that. (Also made the default unauthorized.html
use Authl’s default CSS.)
- Actually make
entry.authorized
available, rather than just documented. Also gave it a better name while I was at it.
view.entries
can now take an optional argument for inlining unauthorized entries, improving its usage within feeds.
view.unauthorized
can now take an optional argument for limiting the unauthorized view count, which helps performance and makes it a bit more predictable
- Images now provide their filename as the default alt text, which is arguably better for accessibility than just leaving it a blank string. I am willing to change my mind on this, however.
- Cleaned up the code around
category.subcats(recurse=True)
and also added some actual tests for the sort ordering. They pass.
And the Authl changes (which were actually released before Publ 0.5.0 but I didn’t bother announcing them until I had them tested “in the wild”):
- Changed to using packaged data for templates
- Made the login page CSS available through
url_for
- Removed the spurious precision from the email message template
Anyway, I of course updated the sample beesbuzz.biz templates to reflect the new functionality.
Wow, Publ’s feeling like it’s actually kinda pretty good at stuff now. I hope someone else ever wants to actually, like, use it or something.