A secret, protected entry

This entry is ultra super secret! You have to log in to see it!

Publ v0.5.7, now with theoretical AutoAuth support!

There is only one feature for this new release of Publ, but it’s a big one – there is (theoretical) support for AutoAuth! That’s right, deploy this version and people should be able to magically log on to your website using unattended IndieAuth providers.

Unfortunately, there aren’t any tools that I know of which actually support this mode of operation; all testing has been manual and In Theory.

Fortunately, if someone does want to test AutoAuth (or IndieAuth Bearer authentication in general), you can test it out on this site! You can use this entry as an individual entry, and this category or this feed to see how well it works with the “partial public” path.

Also, this page will tell you all sorts of useful information about the current user (if any).

And I’d might as well use this opportunity to show off the admin dashboard – just sign in as the user test:admin to see how it looks.

EDIT: It looks like there’s a problem with third-party auth due to the way that Heroku works. I should have anticipated this. Third-party auth is temporarily disabled for now. (But this doesn’t affect AutoAuth at least!)

Publ v0.5.6 released

Oops, I’d been sitting on a bunch of bugfixes for a month, which I didn’t notice until I put in another bugfix tonight.

Changes since v0.5.5:

• Fix title sanitization
• Handle category.name with the same formatting options as entry.title
• Replace hand-rolled atomic file operations with atomicwrites
• Add link_class to image renditions
• Fix automatic alt generation for external images
• Simplify the way entry URLs are canonicized
• Fix some bitrot in older tests

Why Publ won’t support magic auth links

Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.

Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)

The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.

I even got so far as to draft out an implementation, but there’s a few bad issues with it which just made me opt not to.

Pushl v0.2.12

I have now released Pushl v0.2.12. The following is new:

• It now respects rel="canonical" or rel="self" when determining which URL to send a WebSub ping for
• You can now send self-pings using the --self-pings parameter
• Miscellaneous code cleanups

Publ v0.5.5 released

Howdy y'all! Here’s a new release of Publ for you.

What’s new in this version:

• Add the ability to filter by multiple categories, and also to filter out categories as well
• Various code cleanups, especially around the query generator

Also the unannounced v0.5.4 release was to fix some stuff that broke due to an upstream Arrow change (specifically dealing with them removing an API that I was using to suppress warnings for a different upstream change that I’d already handled).

I should also mention that I’ve updated the beesbuzz.biz template samples to improve IndieWeb and ActivityPub compatibility. (Publ still doesn’t support ActivityPub itself but these changes make it interoperate with Bridgy Fed a bit better.)

On a meta note, I’ve left the microbiology lab I was at; I hope they continue to use Publ, of course! Over the next little while I’m going to spend some more time working on my own things again (including Publ et al), but I’ve also had some interesting job interviews with one of them seeming very likely to turn into an offer. Wish me luck, if you’re into that sort of thing! (And of course, follow my blog for the primary source of this stuff.)

Pushl v0.2.11

In trying to fix what looked like a bug in Pushl (which turned out to be a bug in one of the services I was pinging), I did a bunch of much-needed code cleanup and refactoring.

I also added the ability to ping the Internet Archive Wayback Machine for outgoing links if the target has changed (relative to the usual If-Modified-Since/If-None-Match tests).

Pushl will now also log warnings for two useful situations:

• An outgoing link generates a 400-class error (403/404/410/etc.)
• An outgoing webmention has a different canonical URL than what’s being pinged (improved since v0.2.8)

The way it handles canonical URLs is also now improved; if a page has <link rel="canonical"> it will use that, otherwise it will use the final URL that is the result of chasing redirects.

webmention.js security update

So hey, if you’ve been using webmention.js you should probably update it, as there turned out to be an XSS issue found by Checkmention. Better to be safe than sorry etc. etc.

Publ v0.5.3, Authl v0.2.2

I’ve released updates to both Publ and Authl.

On the Authl side:

• Code quality and documentation improvements
• Add an asynchronous client-side lookup thing that tells users how their login will proceed
• Add the redirection target to disposition.Error so that can be preserved correctly
• Update the Flask wrapper to use disposition.Error.redir
• Let the application know the redirection target in render_login_func

On the Publ side:

• If the site is configured to force HTTPS in authentication, force the cookie to be HTTPS-only
• If a user is already logged in, make the login handler redirect them to their destination

For both:

• Improved build scripts to make it less convenient to accidentally push a build from the wrong branch or version

These changes help to keep sites more secure from eavesdroppers, while also hopefully improving the user experience!

Pushl v0.2.8

I’ve released v0.2.8 of Pushl, which fixes an issue with Webmention and Pingback where it was over-optimistically setting the link target. It will also warn you if the link target doesn’t match with the actual page, so you can update your links accordingly.

Right now it’s a little spammy (in that it’ll tell you about redirection mismatches for all links, not just ones with a Webmention or Pingback endpoint), but the next version will address that.

Authl v0.2.0, now in beta status!

I’ve released Authl v0.2.0. Changes since v0.1.8:

• Added support for Twitter
• Big ol' refactor to support Twitter (see the fuller discussion below the cut!)
• Released to beta!

And changes from v0.1.7 to v0.1.8 (which I didn’t bother to post an announcement about):

• Fixed an incredibly minor security issue in the Mastodon client (the client_secret was leaking but in the context of Mastodon that couldn’t really be used for anything anyway)
• Centralize/refactor the login token management, allowing for future flexibility in the service stack
• Make callback IDs protocol-stable, which helps with some stricter services (e.g. Twitter)

Pushl v0.2.7

Around a month ago a bunch of my webmention stuff broke on my site, and I just figured out what was causing it. Pushl was getting confused by the fact that I had multiple feeds which provided the same content, and some of them were in a no-webmentions context. The no-webmentions ones were getting processed first, which was preventing the webmention-context versions from actually being processed.

So, I fixed this bug by making the context part of what dedupes the actions.

Every time I work on Pushl I feel like it could use a major rewrite, incidentally. This is one of those times.

Authl v0.1.7, now with IndieAuth support!

I’ve released Authl v0.1.7, which now adds direct support for IndieAuth (rather than requiring IndieLogin.com as a broker). This means that now folks who have an IndieAuth identity can log in using that; previously I was expecting IndieLogin.com to eventually open up client registrations to make that a useful authentication path, but for various reasons Aaron hasn’t opened it up to the general public.

Part of this update was to also refactor how OAuth is handled, so it’ll be a lot easier for me to add more OAuth-based providers in the future; hopefully I’ll have direct support for Twitter, GitHub, and maybe even Facebook in the near-ish future. But for now, between Mastodon, email, and IndieAuth, I think I have all of my own personal needs taken care of.

Feel free to make suggestions for other identity providers in the Authl issue tracker, though!

v0.5.1 released (also Authl v0.1.6)

Oh gosh I seem to be on a roll with these updates again. Here’s what changed in Publ:

• Fixed a silly bug in the admin dashboard renderer which made it not work in production mode
• Make the admin log only record the most recent access per user per entry, making it way more useful
• Make the logout operation happen via POST method rather than GET, fixing a problem with browser prefetching; added a logout.html template to support that. (Also made the default unauthorized.html use Authl’s default CSS.)
• Actually make entry.authorized available, rather than just documented. Also gave it a better name while I was at it.
• view.entries can now take an optional argument for inlining unauthorized entries, improving its usage within feeds.
• view.unauthorized can now take an optional argument for limiting the unauthorized view count, which helps performance and makes it a bit more predictable
• Images now provide their filename as the default alt text, which is arguably better for accessibility than just leaving it a blank string. I am willing to change my mind on this, however.
• Cleaned up the code around category.subcats(recurse=True) and also added some actual tests for the sort ordering. They pass.

And the Authl changes (which were actually released before Publ 0.5.0 but I didn’t bother announcing them until I had them tested “in the wild”):

• Changed to using packaged data for templates
• Made the login page CSS available through url_for
• Removed the spurious precision from the email message template

Anyway, I of course updated the sample beesbuzz.biz templates to reflect the new functionality.

Wow, Publ’s feeling like it’s actually kinda pretty good at stuff now. I hope someone else ever wants to actually, like, use it or something.

v0.5.0 released

I figured there wasn’t really any reason to keep waiting. So here we are.

Changes since v0.4.6:

• Improve the performance and stability of the admin dashboard
• Correctly fall back to the internal Authl templates
• Remove some spurious/empty attributes from image tags
• Don’t cache template mappings forever
• Don’t mark an entry title as being markup if its markup is disabled
• Correctly set the default entry recursion for entry.previous/next
• Disable an arrow warning for a future change

In other news, over on my main website I have successfully migrated my comments over to Isso, which is a nice self-hosted alternative to Disqus that does a much better job of handling privacy in particular, as well as providing a simpler UX that doesn’t try to get in your face about everything. If you want to read more about how I made that change, read the several blog entries starting with “Moving away from Disqus,” and also look at the sample templates to see the actual implementation.

May your private entries remain exclusive, and your public entries be brilliant.

UPDATE: Someday I’ll learn to use and test rc builds before making an actual public release. Oops.

Publ 0.4.6, Authl 0.1.5

Updated some packages.

Main things with Publ since the last release:

• Internal cleanups to how caching happens
• Stop spuriously-caching a bunch of stuff; in particular login/logout endpoint URLs no longer get cached
• Various cleanups
• Improve the way that built-in templates are managed
• Initial cruddy implementation of an admin authentication dashboard (although this isn’t quite ready for prime time)

The only Authl change is that email identities are now given as a full mailto: URL; going forward all identity strings will be full URLs. This simplifies the UX for admin dashboards, in particular, and removes some ambiguity.

Publ 0.4.5.1, Authl 0.1.4

I’ve released a mini-update of Publ to fix an authentication problem (the config parser was “helpfully” sanitizing things that didn’t want to be sanitized), and also some refactoring/improvements/bugfixes to Authl.

The big changes to Authl are that the email handler generates shorter/nicer links, and it also puts an anti-abuse timeout into email login attempts to prevent people from spamming themselves or others with spurious email notifications. There’s also a bunch of small bugfixes to Authl’s login flow, and Flask apps can specify that sessions should not be made permanent.

v0.4.5

Normally I wouldn’t release a new version just for a single minor bugfix, but this was causing bigger problems. Oops.

Anyway, there was one other minor fix, which allows “cb” to be a valid category name again. It’s minor and fiddly but hey, consistency, right? (And anyway you never know, someone might use Publ for a site that has a CB enthusiasm blog!)

v0.4.4, and private entries in the wild

I’ve added private entry stuff to my website (here’s an example post) and in doing so I shook out a few loose ends:

• Improved the login flow for when someone is logged in but goes to an entry they don’t have access to
• Simplified generating login and logout links from templates
• Added Status: UNLISTED as a synonym for Status: HIDDEN

All the auth-related things are now documented here and also demonstrated in the sample templates.

There is not much left for v0.5, incidentally!

v0.4.3! Authentication!

Wow, this is a pretty major update: authentication is now a thing!

It isn’t quite complete yet – I still have a few more things I want to add before I consider it done (and therefore release v0.5.0) – but this is at least in a state where it’s ready to be experimented with. Probably. I need to sleep first, before I start adding authentication to my website.