# Publ: Development Blog

Entries tagged security, websub or import

# Publ 0.5.8, Authl 0.3.1, and IndieAuth security

Posted Wednesday, October 30 at 7:11 PM (4 months ago)

So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.

Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.

# Why Publ won’t support magic auth links

Posted Friday, October 25 at 5:36 PM (4 months ago)

Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.

Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)

The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.

I even got so far as to draft out an implementation, but there’s a few bad issues with it which just made me opt not to.

# webmention.js security update

Posted Friday, September 6 at 5:27 PM (5 months ago)

So hey, if you’ve been using webmention.js you should probably update it, as there turned out to be an XSS issue found by Checkmention. Better to be safe than sorry etc. etc.

# An early-alpha Movable Type importer

Posted Wednesday, February 20 at 3:42 PM (a year ago)

For those folks who want to import their content from Movable Type over to Publ, I’ve finally gotten around to writing an importer. Currently it only attempts to convert entry content and category metadata, and only using SQLite-formatted database dumps.

See its README.md for the (incredibly rough) usage instructions.

Eventually I want to try to automatically convert templates from MT’s scripting language to Jinja-Publ templates, although there’s a bunch of stuff that’s going to be difficult to port across and a lot of stuff is just plain not feasible to even try, so don’t expect that to become a major thing any time soon.

# Pushl v0.1.3, and a FeedOnFeeds update!

Posted Wednesday, November 28 at 1:18 AM (a year ago)

I just released Pushl v0.1.3, which adds some minor performance optimizations and a bug fix.

Originally I was hoping to have a major performance optimization, in the form of having rewritten Pushl from thread-per-connection to async operation, but unfortunately I ran into a bunch of problems with it. Mostly that I was running into a “too many open files” error and I couldn’t figure out what was causing a descriptor leak. I have the work-in-progress branch online if anyone wants to take a look at it.

Anyway, the reason I went down this route is because I added WebSub subscriber support to my fork of Feed-On-Feeds, which makes it so that WebSub-enabled RSS and Atom feeds will push their updates to your reader instead of having to wait for a polling interval.

You can read more about some of my other thoughts on a blog entry that quickly devolves into a rant, if you’re so inclined.