Posted Wednesday, October 30 at 7:11 PM (6 months ago)
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
Posted Wednesday, October 30 at 2:53 AM (6 months ago)
I just released Authl v0.3.0; minor version bump because of a public API change,
to better facilitate stateless storage.
Which is to say I converted most of the handlers to be stateless, which
hopefully fixes the issues with running on Heroku.
Unfortunately Twitter couldn’t be fixed easily but I wasn’t running the Twitter
handler on this site anyway. I do have some ideas but they’re fairly involved
and will have to come later, and not when I’m up way past my bedtime.
Also, there still seems to be some cache-related issue that’s making it
necessary to shift-reload the page after logging in or out, sometimes.
Posted Tuesday, October 29 at 9:38 PM (6 months ago)
There is only one feature for this new release of Publ, but it’s a big one – there is (theoretical) support for AutoAuth! That’s right, deploy this version and people should be able to magically log on to your website using unattended IndieAuth providers.
Unfortunately, there aren’t any tools that I know of which actually support this mode of operation; all testing has been manual and In Theory.
Fortunately, if someone does want to test AutoAuth (or IndieAuth Bearer authentication in general), you can test it out on this site! You can use this entry as an individual entry, and this category or this feed to see how well it works with the “partial public” path.
Also, this page will tell you all sorts of useful information about the current user (if any).
And I’d might as well use this opportunity to show off the admin dashboard – just sign in as the user
test:admin to see how it looks.
EDIT: It looks like there’s a problem with third-party auth due to the way that Heroku works. I should have anticipated this. Third-party auth is temporarily disabled for now. (But this doesn’t affect
AutoAuth at least!)
Posted Friday, October 25 at 10:45 PM (6 months ago)
Oops, I’d been sitting on a bunch of bugfixes for a month, which I didn’t notice until I put in another bugfix tonight.
Changes since v0.5.5:
- Fix title sanitization
- Handle category.name with the same formatting options as entry.title
- Replace hand-rolled atomic file operations with atomicwrites
link_class to image renditions
- Fix automatic
alt generation for external images
- Simplify the way entry URLs are canonicized
- Fix some bitrot in older tests
Posted Friday, October 25 at 5:36 PM (6 months ago)
Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.
Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)
The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.
I even got so far as to draft out an implementation, but there’s a few bad issues with it which just made me opt not to.
Posted Thursday, October 3 at 1:49 AM (6 months ago)
I have now released Pushl v0.2.12. The following is new:
- It now respects
rel="self" when determining which URL to send a WebSub ping for
- You can now send self-pings using the
- Miscellaneous code cleanups