Posted Thursday, November 14 at 10:23 PM (a week ago)
Just a tiny fix in this; it works around an inconsistency between the IndieAuth spec and IndieAuth.com’s implementation. Normally I’d just be all, “this is a bug in IndieAuth.com” but that’s the most popular IndieAuth endpoint right now so I decided it was prudent to make a compromise. And really it’s a good idea to always specify an Accept: header anyway.
Thanks to Colin for bringing this to my attention.
Posted Monday, November 4 at 3:04 PM (2 weeks ago)
I’ve now released v0.3.2 of Authl, which adds the following changes:
- Fixed IndieAuth URL validation rules
- Improved UX for login type preview
- Now it supports Twitter on “stateless” hosting
As an experiment I’ve enabled Twitter login on this site, so now you should be
able to use it to look at protected entries.
Posted Wednesday, October 30 at 7:11 PM (3 weeks ago)
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
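As an added illustration of the bug described in this post (example code, not Authl’s or Publ’s own), here is the naive acceptance beside the check the IndieAuth spec calls for: a returned profile URL that differs from the one the user entered is accepted only if it declares the same authorization endpoint that issued the code. The discovery table, the hosts and the discover_auth_endpoint helper are constructed stand-ins for real rel="authorization_endpoint" discovery.

```python
from urllib.parse import urlsplit

# Constructed sample of discovery results (profile URL -> its declared
# authorization endpoint). A real client fetches each URL and reads its
# rel="authorization_endpoint" link. mallory.example runs its own endpoint.
SAMPLE_ENDPOINTS = {
    "https://alice.example/": "https://alice.example/auth",
    "https://alice.example/profile": "https://alice.example/auth",
    "https://mallory.example/": "https://mallory.example/auth",
}

def canonical(url):
    """Reject anything that is not a plain http(s) profile URL and normalize it."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname or p.fragment or p.username:
        raise ValueError(f"not a valid profile URL: {url!r}")
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}{query}"

def discover_auth_endpoint(me, table=SAMPLE_ENDPOINTS):
    """Hypothetical helper standing in for rel=authorization_endpoint discovery."""
    return table.get(canonical(me))

def naive_verify(entered_me, returned_me, auth_endpoint_used):
    """The pre-fix behaviour: whatever the endpoint claims is taken as the identity,
    so an endpoint under someone else's control can assert any URL it likes."""
    return returned_me

def verify_identity(entered_me, returned_me, auth_endpoint_used,
                    discover=discover_auth_endpoint):
    """Accept returned_me only if the endpoint that issued the code is the one
    the returned profile itself declares (trivially true when the returned URL
    is the entered one, since that is where the endpoint was discovered)."""
    entered, returned = canonical(entered_me), canonical(returned_me)
    if returned != entered:
        declared = discover(returned)
        if declared is None or declared != auth_endpoint_used:
            raise ValueError(f"{returned} is not served by {auth_endpoint_used}")
    return returned
```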
Posted Wednesday, October 30 at 2:53 AM (3 weeks ago)
I just released Authl v0.3.0; minor version bump because of a public API change,
to better facilitate stateless storage.
Which is to say I converted most of the handlers to be stateless, which
hopefully fixes the issues with running on Heroku.
Unfortunately Twitter couldn’t be fixed easily but I wasn’t running the Twitter
handler on this site anyway. I do have some ideas but they’re fairly involved
and will have to come later, and not when I’m up way past my bedtime.
Also, there still seems to be some cache-related issue that’s making it
necessary to shift-reload the page after logging in or out, sometimes.
Posted Friday, October 25 at 5:36 PM (3 weeks ago)
Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.
Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)
The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.
I even got so far as to draft out an implementation, but there’s a few bad issues with it which just made me opt not to.
Posted Monday, August 26 at 3:35 PM (3 months ago)
I’ve released updates to both Publ and Authl.
On the Authl side:
- Code quality and documentation improvements
- Add an asynchronous client-side lookup thing that tells users how their login will proceed
- Add the redirection target to disposition.Error so that it can be preserved correctly
- Update the Flask wrapper to use
- Let the application know the redirection target in
On the Publ side:
- If the site is configured to force HTTPS in authentication, force the cookie to be HTTPS-only
- If a user is already logged in, make the login handler redirect them to their destination
- Improved build scripts to make it less convenient to accidentally push a build from the wrong branch or version
These changes help to keep sites more secure from eavesdroppers, while also hopefully improving the user experience!
Posted Monday, August 19 at 1:49 AM (3 months ago)
I’ve released Authl v0.2.0. Changes since v0.1.8:
- Added support for Twitter
- Big ol' refactor to support Twitter (see the fuller discussion below the cut!)
- Released to beta!
And changes from v0.1.7 to v0.1.8 (which I didn’t bother to post an announcement about):
- Fixed an incredibly minor security issue in the Mastodon client (the client_secret was leaking but in the context of Mastodon that couldn’t really be used for anything anyway)
- Centralize/refactor the login token management, allowing for future flexibility in the service stack
- Make callback IDs protocol-stable, which helps with some stricter services (e.g. Twitter)
Posted Monday, August 12 at 1:41 AM (3 months ago)
I’ve released Authl v0.1.7, which now adds direct support for IndieAuth (rather than requiring IndieLogin.com as a broker). This means that now folks who have an IndieAuth identity can log in using that; previously I was expecting IndieLogin.com to eventually open up client registrations to make that a useful authentication path, but for various reasons Aaron hasn’t opened it up to the general public.
Part of this update was to also refactor how OAuth is handled, so it’ll be a lot easier for me to add more OAuth-based providers in the future; hopefully I’ll have direct support for Twitter, GitHub, and maybe even Facebook in the near-ish future. But for now, between Mastodon, email, and IndieAuth, I think I have all of my own personal needs taken care of.
Feel free to make suggestions for other identity providers in the Authl issue tracker, though!
Posted Saturday, August 10 at 2:04 AM (3 months ago)
Oh gosh I seem to be on a roll with these updates again. Here’s what changed in Publ:
- Fixed a silly bug in the admin dashboard renderer which made it not work in production mode
- Make the admin log only record the most recent access per user per entry, making it way more useful
- Make the logout operation happen via POST method rather than GET, fixing a problem with browser prefetching; added a logout.html template to support that. (Also made the default unauthorized.html use Authl’s default CSS.)
- Actually make entry.authorized available, rather than just documented. Also gave it a better name while I was at it.
- view.entries can now take an optional argument for inlining unauthorized entries, improving its usage within feeds.
- view.unauthorized can now take an optional argument for limiting the unauthorized view count, which helps performance and makes it a bit more predictable
- Images now provide their filename as the default alt text, which is arguably better for accessibility than just leaving it a blank string. I am willing to change my mind on this, however.
- Cleaned up the code around category.subcats(recurse=True) and also added some actual tests for the sort ordering. They pass.
And the Authl changes (which were actually released before Publ 0.5.0 but I didn’t bother announcing them until I had them tested “in the wild”):
- Changed to using packaged data for templates
- Made the login page CSS available through
- Removed the spurious precision from the email message template
Anyway, I of course updated the sample beesbuzz.biz templates to reflect the new functionality.
Wow, Publ’s feeling like it’s actually kinda pretty good at stuff now. I hope someone else ever wants to actually, like, use it or something.
Posted Friday, July 26 at 12:36 AM (4 months ago)
Updated some packages.
Main things with Publ since the last release:
- Internal cleanups to how caching happens
- Stop spuriously-caching a bunch of stuff; in particular login/logout endpoint URLs no longer get cached
- Various cleanups
- Improve the way that built-in templates are managed
- Initial cruddy implementation of an admin authentication dashboard (although this isn’t quite ready for prime time)
The only Authl change is that email identities are now given as a full mailto: URL; going forward all identity strings will be full URLs. This simplifies the UX for admin dashboards, in particular, and removes some ambiguity.
Posted Sunday, July 21 at 2:24 AM (4 months ago)
I’ve released a mini-update of Publ to fix an authentication problem (the config parser was “helpfully” sanitizing things that didn’t want to be sanitized), and also some refactoring/improvements/bugfixes to Authl.
The big changes to Authl are that the email handler generates shorter/nicer links, and it also puts an anti-abuse timeout into email login attempts to prevent people from spamming themselves or others with spurious email notifications. There’s also a bunch of small bugfixes to Authl’s login flow, and Flask apps can specify that sessions should not be made permanent.
Posted Saturday, July 13 at 5:25 PM (4 months ago)
I’ve added private entry stuff to my website (here’s an example post) and in doing so I shook out a few loose ends:
- Improved the login flow for when someone is logged in but goes to an entry they don’t have access to
- Simplified generating login and logout links from templates
Status: UNLISTED as a synonym for
All the auth-related things are now documented here and also demonstrated in the sample templates.
There is not much left for v0.5, incidentally!
Posted Saturday, July 13 at 2:58 AM (4 months ago)
Wow, this is a pretty major update: authentication is now a thing!
It isn’t quite complete yet – I still have a few more things I want to add before I consider it done (and therefore release v0.5.0) – but this is at least in a state where it’s ready to be experimented with. Probably. I need to sleep first, before I start adding authentication to my website.
Posted Monday, July 8 at 11:56 AM (4 months ago)
I’ve released Authl 0.1.1, which adds support for Mastodon authentication. And the Publ test suite now is up-to-date with that as well.
There’s a few things I want to do on Publ before I release a version for use on my own website, the big one being the ability to provide a better login page, and some refactoring around built-in templates now that built-in templates are becoming a thing.
I also really want to redo how I manage the documentation site, because it’s getting kind of untenable at this point.
Anyway, really soon I’ll have properly-private content on my website again, and hopefully this will be enough of a feature for people to actually be interested in Publ!
Posted Thursday, July 4 at 10:58 PM (4 months ago)
I’ve put a bunch more work into Authl, and have released it into PyPI. Of note is that now it has a simplified mechanism for setting it up with a Flask application.
Hey, wait, Publ’s a Flask application!
How about that.
Posted Monday, July 1 at 12:07 AM (4 months ago)
I wrote more about this on my personal blog but to summarize, I finally made some progress on actually working on Authl, which was the missing piece I needed before finally getting started on private posts. No promises on when I’ll actually have that functionality working, but at least I’ve finally gotten over the chicken-and-egg bump of not having any auth system to implement privacy against (and no privacy system to implement auth for).
Anyway, if anyone wants to play with what I have so far, there’s an incredibly basic starting point over yonder.
Posted Thursday, December 20 at 11:14 PM (11 months ago)
Are you using webmention.io as your webmention endpoint? Want to get your incoming webmentions displayed on your website?
Well you’re in luck, I wrote a simple-ish script for that. (You’ll probably also want to see the accompanying stylesheet too.) And it doesn’t even require that you use Publ – it should work with any CMS, static or dynamic. The only requirement is that you use either webmention.io or something that has a similar enough retrieval API.
I wrote more about it on my blog, where you can also see it in use. For now, I’m just going to use the sample site repository to manage it (and issues against it).
It’s MIT-licensed, so feel free to use it wherever and however you want and to modify it for your needs. I might improve it down the road but for now it’s mostly just a quick itch-scratching hack that does things the way I want it to.
Posted Wednesday, November 28 at 1:18 AM (a year ago)
I just released Pushl v0.1.3, which adds some minor performance optimizations and a bug fix.
Originally I was hoping to have a major performance optimization, in the form of having rewritten Pushl from thread-per-connection to async operation, but unfortunately I ran into a bunch of problems with it. Mostly that I was running into a “too many open files” error and I couldn’t figure out what was causing a descriptor leak. I have the work-in-progress branch online if anyone wants to take a look at it.
Anyway, the reason I went down this route is because I added WebSub subscriber support to my fork of Feed-On-Feeds, which makes it so that WebSub-enabled RSS and Atom feeds will push their updates to your reader instead of having to wait for a polling interval.
You can read more about some of my other thoughts on a blog entry that quickly devolves into a rant, if you’re so inclined.
Posted Monday, October 8 at 11:53 PM (a year ago)
I finally got around to releasing a very rough prototype of Pushl to pypi. It only sends out WebSub notifications for now (does anyone even use those?), but I’ll work on actually implementing WebMention soon.
Also, recently someone pointed out to me fed.brid.gy which makes it easy to turn a static site into an ActivityPub source. At some point I’ll experiment with setting up Publ for this; it looks like it’s just a matter of adding a couple of additional route rules to Publ, so that will probably go into an advanced configuration guide if I ever get around to making such a thing. (Or it could actually be added to Publ directly but there isn’t much of a reason for that, IMO.)
Posted Saturday, September 29 at 9:00 PM (a year ago)
So, for the last couple of days I’ve been playing with some of the IndieWeb concepts, in particular Webmention. Spurred on by a helpful thread with Kevin Marks, I took some time to actually do a rough implementation of outgoing Webmentions, and also did some of the work to set up the h-entry microformats on my main site.
As far as I can tell, it works great, but I’m also not going to actually merge this to master or push it to production. Read on to see why!