Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.

If you don’t understand what any of that means, the short form is: please update your package versions. You might also want to change your secret key while you’re at it; even if you don’t have any private content yet, someone could possibly have used this hole to log in as you in case you ever do post private content.

It’s incredibly unlikely, of course! As far as I know I’m the only active user of Publ (aside from my old day job where they are definitely not using the authentication stuff at all). But I felt that full disclosure is a good idea anyway.

Also, if you have your own IndieAuth implementation that you want to check for proper identity sanitization, the Authl GitHub repository has an identity tester that should be easy to deploy. It’s worth testing against that to make sure that your identity verification is working correctly!

To use it, run it somewhere that’s visible to your IndieAuth login flow; for example, if you’re testing locally, you can do something like:

$ FLASK_APP=Authl/test/rogue-indieauth.py flask run -p 6789

and then you can use http://localhost:6789 as your identity; you can also add arbitrary path elements (e.g. http://localhost:6789/alice). Then when you try to log in as IndieAuth it’ll prompt you for what you want your canonical identity to look like (for example, http://example.com/ or http://localhost:6789/bob), and then see how your login flow deals with it.

At some point I’ll probably spin up a public instance of this, as well.

There’s also a deficiency in the IndieAuth spec regarding how to verify the path part of an identity URL; see this open issue if you want to see more and/or participate in the discussion.

Authl and Publ currently follow my proposal for the path validation, where for example http://example.com/alice can identify as http://example.com/alice/ or http://example.com/alice/blog/ but not as http://example.com/bob or http://example.com/alice_is_bob. This makes it technically stricter than the current public specification, but it’s also a lot safer especially for multi-user websites such as tilde.club or any random WordPress installation or whatever.

Anyway. This is just my long-winded way of saying, oops, I hecked up, but I fixed it, and maybe other people hecked up too and it’s worth testing.

EDIT: Oh I also forgot to mention that no, AutoAuth isn’t actually supported yet. But I’m working on it!

Unfortunately, there aren’t any tools that I know of which actually support this mode of operation; all testing has been manual and In Theory.

Fortunately, if someone does want to test AutoAuth (or IndieAuth Bearer authentication in general), you can test it out on this site! You can use this entry as an individual entry, and this category or this feed to see how well it works with the “partial public” path.

Also, this page will tell you all sorts of useful information about the current user (if any).

And I’d might as well use this opportunity to show off the admin dashboard – just sign in as the user test:admin to see how it looks.

EDIT: It looks like there’s a problem with third-party auth due to the way that Heroku works. I should have anticipated this. Third-party auth is temporarily disabled for now. (But this doesn’t affect AutoAuth at least!)