Posted Wednesday, October 30 at 7:11 PM (5 years ago)
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
Posted Wednesday, October 30 at 2:53 AM (5 years ago)
I just released Authl v0.3.0; minor version bump because of a public API change,
to better facilitate stateless storage.
Which is to say I converted most of the handlers to be stateless, which
hopefully fixes the issues with running on Heroku.
Unfortunately Twitter couldn’t be fixed easily but I wasn’t running the Twitter
handler on this site anyway. I do have some ideas but they’re fairly involved
and will have to come later, and not when I’m up way past my bedtime.
Also, there still seems to be some cache-related issue that’s making it
necessary to shift-reload the page after logging in or out, sometimes.