# Publ: Development Blog

Entries tagged design or IndieWeb

## Publ 0.5.8, Authl 0.3.1, and IndieAuth security

Posted Wednesday, October 30 at 7:11 PM (2 weeks ago)

So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.

Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.

## Why Publ won’t support magic auth links

Posted Friday, October 25 at 5:36 PM (2 weeks ago)

Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.

Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)

The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.

I even got so far as to draft out an implementation, but there’s a few bad issues with it which just made me opt not to.

## Authl v0.1.7, now with IndieAuth support!

Posted Monday, August 12 at 1:41 AM (3 months ago)

I’ve released Authl v0.1.7, which now adds direct support for IndieAuth (rather than requiring IndieLogin.com as a broker). This means that now folks who have an IndieAuth identity can log in using that; previously I was expecting IndieLogin.com to eventually open up client registrations to make that a useful authentication path, but for various reasons Aaron hasn’t opened it up to the general public.

Part of this update was to also refactor how OAuth is handled, so it’ll be a lot easier for me to add more OAuth-based providers in the future; hopefully I’ll have direct support for Twitter, GitHub, and maybe even Facebook in the near-ish future. But for now, between Mastodon, email, and IndieAuth, I think I have all of my own personal needs taken care of.

Feel free to make suggestions for other identity providers in the Authl issue tracker, though!

## v0.3.19, now with extra tagging goodness!

Posted Monday, March 4 at 3:47 PM (8 months ago)

I’ve released Publ v0.3.19, which now finally has a tagging system, which is only one of the oldest issues that was still open.

Here’s a list of what’s been added or changed since 0.3.18:

### Credits

I want to thank Karina Antonio for implementing image cropping.

## v0.3.18, now with better asset management!

Posted Wednesday, February 27 at 9:38 PM (9 months ago)

I’ve just released v0.3.18, with the following changes:

• Add date grouping properties to entry
• Add a pages property to view
• Provide the current category object to the error handler
• Support linking to non-image/non-entry local files
• Added, then removed, some performance micro-optimizations that only caused problems

More details about the major changes below!

Update: I released a hotfix as 0.3.18.1 because there was a last-minute bug that snuck in while I was trying to silence a new pylint error. Oops.

## v0.3.15 Released (finally!)

Posted Wednesday, February 13 at 6:20 PM (9 months ago)

It’s been a while since I’ve had a chance to work on Publ, but the great thing is that I actually had a reason to work on it for my day job. Which is to say I’m finally being paid to work on Publ. ;)

Changes since 0.3.14:

• Add requirement for Arrow 0.13.0 (issue 41)
• Fix a dumb tpyo that was the cause of issue 158
• Don’t rewrite DRAFT files; fixes 137
• Move sample-site files back to the library repo rather than in the doc repo
• Fix the way we map malformed category URLs (issue 156)
• Update upstream library versions
• Move version number to publ module
• Allow empty slug-text in entry route (fixes 161)
• Process HTML entries, to finally handle issues 136 and 154.

Some more information about that last one under the cut!

## Embedding webmention.io pings on your site

Posted Thursday, December 20 at 11:14 PM (11 months ago)

Are you using webmention.io as your webmention endpoint? Want to get your incoming webmentions displayed on your website?

Well you’re in luck, I wrote a simple-ish script for that. (You’ll probably also want to see the accompanying stylesheet too.) And it doesn’t even require that you use Publ – it should work with any CMS, static or dynamic. The only requirement is that you use either webmention.io or something that has a similar enough retrieval API.

I wrote more about it on my blog, where you can also see it in use. For now, I’m just going to use the sample site repository to manage it (and issues against it).

It’s MIT-licensed, so feel free to use it wherever and however you want and to modify it for your needs. I might improve it down the road but for now it’s mostly just a quick itch-scratching hack that does things the way I want it to.

## v0.3.11

Posted Saturday, December 15 at 1:08 AM (11 months ago)

v0.3.11 is now released, with the following changes:

• A more complete fix for how to handle image sets and inline images with respect to paragraphs
• Better cleanup for spurious empty paragraphs
• Improved internal entry link handling

Detailed descriptions of the changes are below.

## v0.3.9 Released

Posted Wednesday, November 28 at 3:33 PM (a year ago)

This entry marks the release of Publ v0.3.9. It has the following changes:

• Added more_text and related functionality to image sets (an example being visible over here)
• Improved and simplified the caching behavior (fixing some fiddly cases around how ETags and last-modified worked, or rather didn’t)

I also made, and then soon reverted, a change around how entry IDs and publish dates were automatically assigned to non-published entries. I thought it was going to simplify some workflow things but it only complicated the code and added more corner cases to deal with, all for something that doesn’t actually address the use case I was worried about. So never mind on that.

(What happened to v0.3.8? I goofed and forgot to merge the completed more_text et al changes into my build system first. Oops.)

See below for more on the caching changes.

## Pushl v0.1.3, and a FeedOnFeeds update!

Posted Wednesday, November 28 at 1:18 AM (a year ago)

I just released Pushl v0.1.3, which adds some minor performance optimizations and a bug fix.

Originally I was hoping to have a major performance optimization, in the form of having rewritten Pushl from thread-per-connection to async operation, but unfortunately I ran into a bunch of problems with it. Mostly that I was running into a “too many open files” error and I couldn’t figure out what was causing a descriptor leak. I have the work-in-progress branch online if anyone wants to take a look at it.

Anyway, the reason I went down this route is because I added WebSub subscriber support to my fork of Feed-On-Feeds, which makes it so that WebSub-enabled RSS and Atom feeds will push their updates to your reader instead of having to wait for a polling interval.

You can read more about some of my other thoughts on a blog entry that quickly devolves into a rant, if you’re so inclined.

## Pushl 0.0.1 released

Posted Monday, October 8 at 11:53 PM (a year ago)

I finally got around to releasing a very rough prototype of Pushl to pypi. It only sends out WebSub notifications for now (does anyone even use those?), but I’ll work on actually implementing WebMention soon.

Also, recently someone pointed out to me fed.brid.gy which makes it easy to turn a static site into an ActivityPub source. At some point I’ll experiment with setting up Publ for this; it looks like it’s just a matter of adding a couple of additional route rules to Publ, so that will probably go into an advanced configuration guide if I ever get around to making such a thing. (Or it could actually be added to Publ directly but there isn’t much of a reason for that, IMO.)

## v0.3.3 - now with ETag and Last-Modified

Posted Monday, October 1 at 11:16 PM (a year ago)

I’ve started working on Pushl in earnest now, and one thing that was really bugging me about this is that anything which polls feeds and entries would really benefit from having client-side cache control working. Which was a big missing feature in Publ.

Well, I finally implemented it, and I’m pretty happy with how I did it.

The short version: for any given view it figures out (pessimistically) what’s the most recent file that would have affected the view (well, within reason; it only looks at the current template rather than any included templates, which is pretty difficult to do correctly) and uses that to generate an ETag (via metadata fingerprint) and a Last-Modified time (based either on the file modification time or the time the entry was actually published).

There’s probably a few corner cases this misses but in general this makes client-side caching of feeds and such work nicely.

## Some thoughts on WebMention

Posted Saturday, September 29 at 9:00 PM (a year ago)

So, for the last couple of days I’ve been playing with some of the IndieWeb concepts, in particular Webmention. Spurred on by a helpful thread with Kevin Marks, I took some time to actually do a rough implementation of outgoing Webmentions, and also did some of the work to set up the h-card and h-entry microformats on my main site.

As far as I can tell, it works great, but I’m also not going to actually merge this to master or push it to production. Read on to see why!

## v0.3.2: a smol bugfix release

Posted Tuesday, September 25 at 2:55 PM (a year ago)

I found a few more annoying bugs that were shaken out from the whole PonyORM transition, as well as a couple of bugs in the new shape functionality. There’s probably a few more of these bugs lurking in the codebase (I mean, in addition to the existing bugs I know about), but here’s what’s changed:

## The shape of the float (v0.3.1)

Posted Thursday, September 20 at 10:58 PM (a year ago)

Did you know that CSS3 has a style called shape-outside? It’s pretty neat, it makes it so that a floated object gets a shape based on the alpha channel of its specified image. But it’s kind of a pain to set up; in plain HTML it looks something like this:

```html
<img src="/path/to/image.png" width="320" height="320"
style="shape-outside:url('/path/to/image.png');float: left">
```

and if you want a different shape mask for your image than its own alpha channel, you have to do a bunch of stuff like making sure that the image sizes are the same and whatever.

## Goodbye peewee, hello PonyORM

Posted Wednesday, September 19 at 2:27 AM (a year ago)

For a number of reasons, I have replaced the backing ORM. Previously I was using peewee, but now I’m using PonyORM. The primary reason for this is purely ideological; I do not want to use software which is maintained by someone with a track record of toxic behavior. peewee’s maintainer responds to issues and feature requests with shouting and dismissive snark; PonyORM’s maintainer responds with helpfulness and grace. I am a strong proponent of the latter.

PonyORM’s API is also significantly more Pythonic, and rather than abusing operator overloads for clever query building purposes, it abuses Python’s AST functionality to parse actual Python expressions into SQL queries. Seriously, look at this explanation of it and tell me that isn’t just amazing.

## The downside to running on Heroku

Posted Wednesday, June 27 at 8:01 PM (a year ago)

So, sorry to anyone who was subscribed to the RSS feed for this and got spammed with v0.1.24 release announcements. I made a mistake and pushed a version of the entry that didn’t have a canonical ID assigned yet, and as a result, every time Heroku spun up, it assigned a new ID. This is something that’s happened before and I really ought to do something about it.

Three things come to mind:

1. Figuring out how to always make IDs get assigned in an idempotent manner (hard to do correctly)
2. Don’t run on Heroku so the assignments persist between executions (easy)
3. Add a pre-push hook to the repo that verifies that all entries already have an assigned ID (???)

2 seems like the easiest approach for now, so that’s what I’ll probably do.

## Dates are hard

Posted Friday, May 18 at 12:00 PM (a year ago)

There’s an old joke in programming, that the two hardest things to do are naming things, cache invalidation, and off-by-one errors. But this doesn’t pay sufficient respect to one of the other hardest things, namely handling date and time.

## Asynchronous workers

Posted Tuesday, May 15 at 5:21 PM (2 years ago)

Today I got two major bits of functionality in: Publ will now asynchronously scan the content index (which speeds up startup and fixes some annoying race conditions with entry creation), and it also asynchronously generates image renditions (which makes pages not take forever to load on first render, and will also use multiple CPU cores if available). Seems to work well so far.

I was running into scaling problems with beesbuzz.biz (what with there being a couple thousand entries and some pages with hundreds of images on it) and this keeps it feeling pretty good.

So, this brings us up to version 0.1.14.

## The Trouble with PHP

Posted Tuesday, May 8 at 12:00 AM (2 years ago)

I’ve had people ask me why I’m not building Publ using PHP. While much has been written on this subject from a standpoint of what’s wrong with the language (and with which I agree quite a lot!), that isn’t, to me, the core of the problem with PHP on the web.

So, I want to talk a bit about some of the more fundamental issues with PHP, which actually go back well before PHP even existed and are intractably linked with the way PHP applications themselves are installed and run.

(I will be glossing over a lot of details here.)