profile scope in Mastodon 4.3, which provides better login-flow UX.If profile is unsupported it tries to fall back to the old read:accounts scope, which should keep it working on older Mastodon versions as well.
In theory it should also work with Pleroma/Akkoma (and anything else that speaks the Mastodon client API), although that functionality hasn’t been verified in quite some time. If someone else wants to take on the work of verifying that and fixing whatever’s broken, that would be greatly appreciated!
]]>Publ changes:
Authl changes:
mastodon.pySome of the dependency changes necessitated updating the minimum Python version; in particular, Publ and Authl now require Python 3.7.2 or greater. But if you’re still running Python 3.6 for some reason you’re used to things being broken or outdated.
Also, due to an impending change in Flask, the Publ API is going to have to change somewhat; the short version is that app.secret_key will no longer be the means of configuring authentication. Most likely the config will change to get a secret_key key within the auth section instead. This actually makes the configuration a lot easier to deal with anyway, and I was never happy about this inconsistency. (In fact, I’m pretty sure that’s how it used to be configured until I changed it to be more Flask-like in the first place!)
It’s also possible that publ.Publ will revert to being a function that constructs a Flask application object, rather than being a subclass of Flask, but I haven’t yet investigated what the implications of this change would be. I believe there are a few places in the Publ codebase which rely directly on the subclass relationship (which would be difficult to change, such as the way that the Authl instance is associated with the application), and prior to that there’s a reason I switched it from a factory to a subclass in the first place, although I can’t quite remember what it was (it was probably either something to do with the ORM’s startup behavior or something to do with Authl’s lifetime). Either way, it’ll take significant investigation, and this will be necessary before Flask 2.3 is released. (In retrospect I meant to pin Publ’s Flask requirement to <2.3.0 before I did this release, but I forgot. Oops.)
First, the Authl changes:
profile_url field to user profiles to make up for the Twitter URL thingAnd the Publ changes:
profile_url fieldThe Authl change affects the way that Twitter identities show up in the user system; now instead of the user URL being e.g. https://twitter.com/fluffy#993171, the URL will now be https://twitter.com/i/user/993171. This makes the users.cfg file a little more opaque, but it also fixes the issue that if someone changes their Twitter username their connection is lost forever.
In the short term, you can use a comment to keep track of things, e.g.
[friends] ; fluffy https://twitter.com/i/user/993171
although this isn’t ideal. In the future I may add the ability to add a post-line comment to make tracking things a bit easier, but I need to find a character that both says “this is a comment” and also can’t actually appear in a URL (so ; and # are out). I suppose I could just treat whitespace as a comment start, though. I’ll consider that for the next version of Publ.
Also, you’ll need to mechanically convert your users.cfg file, with e.g.
$ sed 's,twitter.com/.*#\([0-9]*\),twitter.com/i/user/\1,g' users.cfg > users.cfg.new $ mv users.cfg.new users.cfg
(or you can use -i but that varies in usage between macOS and Linux so I’ve opted to be safe instead).
This change is a bit annoying for Publ, but it was necessary for other use cases of Authl, such as providing login to applications.
Also, keep in mind that users who were logged in via Twitter will still have their old identity URL present, which will likely cause confusion. The easy fix for that is to reset your session secret. How you do that is up to how your application is configured.
Anyway, as always, when you want to add a user to the users.cfg file, you need to copy the link target, rather than the link text.
Changes:
h-card), now that there’s implementations in the wild, meaning that egg has hatched into a chicken.There were also some minor documentation cleanups since v0.5.0.
]]>Publ changes:
Authl changes:
Ticket Auth is a pretty cool protocol which I have a lot of optimism for. You know how one of the big problems with self-hosted blogging is that there’s no way to share private posts on your feed without revealing that you have private posts and requiring people to log in to actually read them? Ticket Auth is a huge solution for that.
There’s a few things that need to happen before it actually gets used, though. The main thing is that feed readers need to get support for Ticket Auth, and there also needs to be a way to associate your user profile with the Ticket Auth endpoint. In an IndieWeb context this is pretty straightforward; on your profile page you’d have something like:
<link rel="ticket_endpoint" href="https://feed-reader.example/tickets">
and when you sign in, Publ sees that you have that ticket endpoint and initiates the flow to it. Then the feed reader has a bearer token that it can use to fetch the secure feed on your behalf.
However, outside of IndieAuth it gets a little trickier. There’s technically no requirement that someone uses the IndieAuth login flow to get a ticket, but the protocol relies pretty heavily on there being a tight coupling between the identity provider and the feed reader. The most straightforward way to support this in non-IndieWeb feed readers is to simply have feed readers grow IndieAuth support, though, and then use that to sign in to the IndieWeb sites you’re following.
There’s probably some other mechanism that could be used to provide matching third-party identity between a feed reader and, say, a Twitter identity, but that’s getting so far off into the weeds.
My recommendation to anyone implementing a new feed reader in this day and age: integrate with existing IndieAuth login flows, and/or allow folks to identify themselves with a public IndieWeb profile when they log in with a username and password. Then you can provide them a public profile page that also has the Ticket Auth endpoint, and then we can finally break free of walled-garden social media.
]]>Anyway, IndieAuth validation rules have changed for the better, so Authl has been updated accordingly.
There’s a few other changes as well:
p-pronoun is treated as a fallback for p-pronounsrel="nofollow" in some appropriate placesAnd in Publ:
<figure> and <figcaption> instead of ad-hoc <div>s for its layout, and the overall HTML semantic has been greatly improvedCurrently I am getting quite frustrated with the state of this documentation site. I am working towards making Publ itself more amenable to documentation via pydoc/readthedocs, and transitioning this site only to be for demos and usage examples. I’m not sure how to make the templating guide and markdown extensions fit in with RTD, though.
I’ve long wanted to do some sort of automated documentation generation, though, and as the various mechanisms in Publ get more complicated this starts to feel way more important. This is definitely something I could use some help on, for anyone who’s interested.
It’s also becoming more and more apparent that there needs to be some sort of online post editor, and I really ought to get around to building the simple one I’ve had in mind for a while. This is long-overdue.
Anyway. This update is a lot of fun. See some of the stuff you can do with it!
]]>force_ssl to the more-accurate force_httpsIn theory there will now be docs visible at authl.readthedocs.io, although I’m still having trouble getting some of it to actually appear.
But, speaking of appearing, somehow the hostname for this site stopped resolving, so hopefully by the time this site comes back, the readthedocs stuff will be working too!
]]>