# Publ: Development Blog

Entries tagged planning or IndieWeb

## Publ 0.5.8, Authl 0.3.1, and IndieAuth security

Posted Wednesday, October 30 at 7:11 PM (3 weeks ago)

So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.

Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.

## Why Publ won’t support magic auth links

Posted Friday, October 25 at 5:36 PM (3 weeks ago)

Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.

Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)

The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.

I even got so far as to draft out an implementation, but there’s a few bad issues with it which just made me opt not to.

## Authl v0.1.7, now with IndieAuth support!

Posted Monday, August 12 at 1:41 AM (3 months ago)

I’ve released Authl v0.1.7, which now adds direct support for IndieAuth (rather than requiring IndieLogin.com as a broker). This means that now folks who have an IndieAuth identity can log in using that; previously I was expecting IndieLogin.com to eventually open up client registrations to make that a useful authentication path, but for various reasons Aaron hasn’t opened it up to the general public.

Part of this update was to also refactor how OAuth is handled, so it’ll be a lot easier for me to add more OAuth-based providers in the future; hopefully I’ll have direct support for Twitter, GitHub, and maybe even Facebook in the near-ish future. But for now, between Mastodon, email, and IndieAuth, I think I have all of my own personal needs taken care of.

Feel free to make suggestions for other identity providers in the Authl issue tracker, though!

## Publ 0.4.6, Authl 0.1.5

Posted Friday, July 26 at 12:36 AM (4 months ago)

Updated some packages.

Main things with Publ since the last release:

• Internal cleanups to how caching happens
• Stop spuriously-caching a bunch of stuff; in particular login/logout endpoint URLs no longer get cached
• Various cleanups
• Improve the way that built-in templates are managed
• Initial cruddy implementation of an admin authentication dashboard (although this isn’t quite ready for prime time)

The only Authl change is that email identities are now given as a full mailto: URL; going forward all identity strings will be full URLs. This simplifies the UX for admin dashboards, in particular, and removes some ambiguity.

## v0.4.0 released! Let’s talk future!

Posted Monday, May 13 at 11:11 PM (6 months ago)

Oh wow, I finally closed out the Publ 0.4.0 milestone. So, wow, this is a pretty big deal for me.

Changes since 0.3.23:

So that closes out the last three issues before I was ready to consider this usable by a wider audience. Neat.

There’s a lot of stuff I want to do for 1.0 of course, but also more importantly I need to vastly improve the documentation on this site, as well as collect things to make it easier for people to get started with Publ. I would absolutely invite people to make suggestions; have you looked into Publ, and been confused about what exactly to do? Please let me know!

The best ways to do so are to either hop onto my Discord channel or to open issues against the documentation site.

## v0.3.19, now with extra tagging goodness!

Posted Monday, March 4 at 3:47 PM (8 months ago)

I’ve released Publ v0.3.19, which now finally has a tagging system, which is only one of the oldest issues that was still open.

Here’s a list of what’s been added or changed since 0.3.18:

### Credits

I want to thank Karina Antonio for implementing image cropping.

## v0.3.18, now with better asset management!

Posted Wednesday, February 27 at 9:38 PM (9 months ago)

I’ve just released v0.3.18, with the following changes:

• Add date grouping properties to entry
• Add a pages property to view
• Provide the current category object to the error handler
• Support linking to non-image/non-entry local files
• Added, then removed, some performance micro-optimizations that only caused problems

More details about the major changes below!

Update: I released a hotfix as 0.3.18.1 because there was a last-minute bug that snuck in while I was trying to silence a new pylint error. Oops.

## Embedding webmention.io pings on your site

Posted Thursday, December 20 at 11:14 PM (11 months ago)

Are you using webmention.io as your webmention endpoint? Want to get your incoming webmentions displayed on your website?

Well you’re in luck, I wrote a simple-ish script for that. (You’ll probably also want to see the accompanying stylesheet too.) And it doesn’t even require that you use Publ – it should work with any CMS, static or dynamic. The only requirement is that you use either webmention.io or something that has a similar enough retrieval API.

I wrote more about it on my blog, where you can also see it in use. For now, I’m just going to use the sample site repository to manage it (and issues against it).

It’s MIT-licensed, so feel free to use it wherever and however you want and to modify it for your needs. I might improve it down the road but for now it’s mostly just a quick itch-scratching hack that does things the way I want it to.

## v0.3.11

Posted Saturday, December 15 at 1:08 AM (11 months ago)

v0.3.11 is now released, with the following changes:

• A more complete fix for how to handle image sets and inline images with respect to paragraphs
• Better cleanup for spurious empty paragraphs
• Improved internal entry link handling

Detailed descriptions of the changes are below.

## Pushl v0.1.3, and a FeedOnFeeds update!

Posted Wednesday, November 28 at 1:18 AM (a year ago)

I just released Pushl v0.1.3, which adds some minor performance optimizations and a bug fix.

Originally I was hoping to have a major performance optimization, in the form of having rewritten Pushl from thread-per-connection to async operation, but unfortunately I ran into a bunch of problems with it. Mostly that I was running into a “too many open files” error and I couldn’t figure out what was causing a descriptor leak. I have the work-in-progress branch online if anyone wants to take a look at it.

Anyway, the reason I went down this route is because I added WebSub subscriber support to my fork of Feed-On-Feeds, which makes it so that WebSub-enabled RSS and Atom feeds will push their updates to your reader instead of having to wait for a polling interval.

You can read more about some of my other thoughts on a blog entry that quickly devolves into a rant, if you’re so inclined.

## Pushl 0.0.1 released

Posted Monday, October 8 at 11:53 PM (a year ago)

I finally got around to releasing a very rough prototype of Pushl to pypi. It only sends out WebSub notifications for now (does anyone even use those?), but I’ll work on actually implementing WebMention soon.

Also, recently someone pointed out to me fed.brid.gy which makes it easy to turn a static site into an ActivityPub source. At some point I’ll experiment with setting up Publ for this; it looks like it’s just a matter of adding a couple of additional route rules to Publ, so that will probably go into an advanced configuration guide if I ever get around to making such a thing. (Or it could actually be added to Publ directly but there isn’t much of a reason for that, IMO.)

## Some thoughts on WebMention

Posted Saturday, September 29 at 9:00 PM (a year ago)

So, for the last couple of days I’ve been playing with some of the IndieWeb concepts, in particular Webmention. Spurred on by a helpful thread with Kevin Marks, I took some time to actually do a rough implementation of outgoing Webmentions, and also did some of the work to set up the h-card and h-entry microformats on my main site.

As far as I can tell, it works great, but I’m also not going to actually merge this to master or push it to production. Read on to see why!

## v0.1.19: creeping ever closer to beta status

Posted Sunday, May 27 at 5:22 PM (a year ago)

The amount of stuff I’m having to fix in Publ to support beesbuzz.biz is diminishing rapidly! Here’s what’s happened since 0.1.18:

• Improved the Path-Alias redirection logic; now it will do a 301 Permanently Moved for inbound Path-Aliased requests, and if a Path-Alias points to an entry with a Redirect-To it will redirect directly to that URL instead (and it will be a 302, same as the old Redirect-To behavior)
• Pagination can now be weekly; you can use entry.archive(paging='week'), and a ?date= view parameter ending in _w will provide a weekly view instead.
• Better default formatting for view.range, and an addition of a week format parameter there