Posted Thursday, November 24 at 1:18 AM (a year ago)
I haven’t been working on this stuff in a while, but there were reasons to make some updates and releases for both Publ and Authl.
Publ changes:
- Updated dependencies and fixed code standards to the latest pylint and mypy
- Fixed a bug where if an image file disappears before the async rendition is generated, it was generating a 503 error instead of a 404
Authl changes:
- Updated packages and fixed code standards to the latest pylint and mypy
- Removed a couple of Fediverse method hacks which are no longer necessary due to updates in
mastodon.py
Some of the dependency changes necessitated updating the minimum Python version; in particular, Publ and Authl now require Python 3.7.2 or greater. But if you’re still running Python 3.6 for some reason you’re used to things being broken or outdated.
Also, due to an impending change in Flask, the Publ API is going to have to change somewhat; the short version is that app.secret_key will no longer be the means of configuring authentication. Most likely the config will change to get a secret_key key within the auth section instead. This actually makes the configuration a lot easier to deal with anyway, and I was never happy about this inconsistency. (In fact, I’m pretty sure that’s how it used to be configured until I changed it to be more Flask-like in the first place!)
It’s also possible that publ.Publ will revert to being a function that constructs a Flask application object, rather than being a subclass of Flask, but I haven’t yet investigated what the implications of this change would be. I believe there are a few places in the Publ codebase which rely directly on the subclass relationship (which would be difficult to change, such as the way that the Authl instance is associated with the application), and prior to that there’s a reason I switched it from a factory to a subclass in the first place, although I can’t quite remember what it was (it was probably either something to do with the ORM’s startup behavior or something to do with Authl’s lifetime). Either way, it’ll take significant investigation, and this will be necessary before Flask 2.3 is released. (In retrospect I meant to pin Publ’s Flask requirement to <2.3.0 before I did this release, but I forgot. Oops.)
Posted Thursday, October 14 at 10:02 PM (3 years ago)
Released new versions of Publ and Authl today.
First, the Authl changes:
- Fixed some test coverage
- Changed Twitter user URLs to be stable (but less readable)
- Added
profile_url field to user profiles to make up for the Twitter URL thing
And the Publ changes:
- Fixed image cache stale directory removal
- Fix ETag output
- Full-text search now properly excludes future articles
- Added a filename normalization tool
- Fixed an Internal Server Error that occurred from a malformed or expired bearer token (AutoAuth et al)
- Updated to Authl 0.6.0 and made use of the new
profile_url field
Posted Monday, August 30 at 10:51 PM (3 years ago)
Authl v0.5.2 is now out.
Changes:
- Fixed some caching-related issues on IndieAuth profiles
- The IndieAuth handler now supports PKCE
- IndieAuth takes detection priority over Fediverse
- Authl is now compatible with Flask 2.0
Posted Sunday, August 29 at 1:24 AM (3 years ago)
I’ve just released v0.5.1 of Authl. The only functional change is adding support for actually parsing IndieAuth server response profiles (rather than just requesting one and only using the h-card), now that there’s implementations in the wild, meaning that egg has hatched into a chicken.
There were also some minor documentation cleanups since v0.5.0.
Posted Thursday, July 8 at 8:56 PM (3 years ago)
Big new releases for Publ and Authl!
Publ changes:
Authl changes:
- Improve the meta robots rules on the login form
- Add IndieWeb endpoint discovery to the profile
Posted Friday, December 4 at 12:09 AM (3 years ago)
Wow, it’s been a while since I’ve worked on this stuff, huh?
Anyway, IndieAuth validation rules have changed for the better, so Authl has been updated accordingly.
There’s a few other changes as well:
- On IndieAuth profiles,
p-pronoun is treated as a fallback for p-pronouns
- The Flask templates add some
rel="nofollow" in some appropriate places
Posted Sunday, August 2 at 2:37 AM (4 years ago)
Some pretty big new features added. First, in Authl:
- Major documentation improvements
- Bug fixes with Fediverse instance caching
- All providers now normalize to the same profile format
- Some basic spam prevention for the email provider
- 100% unit test coverage on the Fediverse provider (which is now using mastodon.py instead of a hand-rolled OAuth client)
And in Publ:
- Fenced code now uses
<figure> and <figcaption> instead of ad-hoc <div>s for its layout, and the overall HTML semantic has been greatly improved
- Individual code blocks are now configurable with respect to highlighting and line numbering
- The user object now provides a user profile and separates the identity URL from the familiar name
Posted Tuesday, July 21 at 9:09 PM (4 years ago)
Authl v0.4.2 is out. Mostly infrastructural changes, but a few other changes too:
- Switched the development environment to poetry
- Made some internal naming changes, and renamed the technically-incorrect
force_ssl to the more-accurate force_https
- It is also now up to handlers to do all of their own exception catching, which cleans up some stuff
- Massively overhauled the docs, and got doc site generation working with Sphinx (many thanks to Khr for help!)
In theory there will now be docs visible at authl.readthedocs.io, although I’m still having trouble getting some of it to actually appear.
But, speaking of appearing, somehow the hostname for this site stopped resolving, so hopefully by the time this site comes back, the readthedocs stuff will be working too!
Posted Sunday, July 5 at 6:59 PM (4 years ago)
Authl 0.4.1 is out. Changes below:
- Better unit test coverage
- Some better error messaging in some places
- Removed the IndieLogin handler, which serves no real purpose when there’s native IndieAuth support anyway
Posted Sunday, May 31 at 3:32 AM (4 years ago)
I’ve just released new versions of Publ and Authl.
Publ v0.6.6 changes:
- Fixed a regression that made it impossible to log out
- Fixed a problem where
WWW-Authenticate headers weren’t being cached properly
- Improve the changed-file cache-busting methodology
- Add object pooling to Entry, Category, and View (for a potentially big memory and performance improvement)
Authl v0.4.0 changes:
- Finally started to add unit tests
- Removed some legacy WebFinger code that was no longer relevant or ever touched
- Added a mechanism to allow providers to go directly to login, as appropriate
- Added friendly visual icons for providers which support them (a so-called “NASCAR interface”)
Posted Saturday, December 14 at 2:24 PM (4 years ago)
Some fresh new versions of things.
Publ
Changes to Publ:
- Massive improvements to how footnotes are handled; now they get their own virtual section (so if you’re currently using footnotes you’ll need to update your templates!)1
- Various performance improvements:
- Some internal caching on image rendition stuff
- Reduce contention in the content indexer (to hopefully make large sites more responsive on restart)
- Minor optimizations to
category.subcats
- Removed
config.secret_key; now this should be configured on the application object per Flask standards
- Allow HTML attributes other than
href and src to contain image renditions
Authl
- Improve WebFinger support
- Improve the JavaScript in the default Flask template
Posted Tuesday, December 3 at 11:28 PM (4 years ago)
Double-whammy release today.
Posted Thursday, November 14 at 10:23 PM (5 years ago)
Just a tiny fix in this; it works around an inconsistency between the IndieAuth spec and IndieAuth.com’s implementation. Normally I’d just be all, “this is a bug in IndieAuth.com” but that’s the most popular IndieAuth endpoint right now so I decided it was prudent to make a compromise. And really it’s a good idea to always specify an Accept: header anyway.
Thanks to Colin for bringing this to my attention.
Posted Monday, November 4 at 3:04 PM (5 years ago)
I’ve now released v0.3.2 of Authl, which adds the following changes:
- Fixed IndieAuth URL validation rules
- Improved UX for login type preview
- Now it supports Twitter on “stateless” hosting
As an experiment I’ve enabled Twitter login on this site, so now you should be
able to use it to look at protected entries.
Posted Wednesday, October 30 at 7:11 PM (5 years ago)
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
Posted Wednesday, October 30 at 2:53 AM (5 years ago)
I just released Authl v0.3.0; minor version bump because of a public API change,
to better facilitate stateless storage.
Which is to say I converted most of the handlers to be stateless, which
hopefully fixes the issues with running on Heroku.
Unfortunately Twitter couldn’t be fixed easily but I wasn’t running the Twitter
handler on this site anyway. I do have some ideas but they’re fairly involved
and will have to come later, and not when I’m up way past my bedtime.
Also, there still seems to be some cache-related issue that’s making it
necessary to shift-reload the page after logging in or out, sometimes.
Posted Monday, August 26 at 3:35 PM (5 years ago)
I’ve released updates to both Publ and Authl.
On the Authl side:
- Code quality and documentation improvements
- Add an asynchronous client-side lookup thing that tells users how their login will proceed
- Add the redirection target to
disposition.Error so that can be preserved correctly
- Update the Flask wrapper to use
disposition.Error.redir
- Let the application know the redirection target in
render_login_func
On the Publ side:
- If the site is configured to force HTTPS in authentication, force the cookie to be HTTPS-only
- If a user is already logged in, make the login handler redirect them to their destination
For both:
- Improved build scripts to make it less convenient to accidentally push a build from the wrong branch or version
These changes help to keep sites more secure from eavesdroppers, while also hopefully improving the user experience!
Posted Monday, August 19 at 1:49 AM (5 years ago)
I’ve released Authl v0.2.0. Changes since v0.1.8:
- Added support for Twitter
- Big ol' refactor to support Twitter (see the fuller discussion below the cut!)
- Released to beta!
And changes from v0.1.7 to v0.1.8 (which I didn’t bother to post an announcement about):
- Fixed an incredibly minor security issue in the Mastodon client (the
client_secret was leaking but in the context of Mastodon that couldn’t really be used for anything anyway)
- Centralize/refactor the login token management, allowing for future flexibility in the service stack
- Make callback IDs protocol-stable, which helps with some stricter services (e.g. Twitter)
Posted Monday, August 12 at 1:41 AM (5 years ago)
I’ve released Authl v0.1.7, which now adds direct support for IndieAuth (rather than requiring IndieLogin.com as a broker). This means that now folks who have an IndieAuth identity can log in using that; previously I was expecting IndieLogin.com to eventually open up client registrations to make that a useful authentication path, but for various reasons Aaron hasn’t opened it up to the general public.
Part of this update was to also refactor how OAuth is handled, so it’ll be a lot easier for me to add more OAuth-based providers in the future; hopefully I’ll have direct support for Twitter, GitHub, and maybe even Facebook in the near-ish future. But for now, between Mastodon, email, and IndieAuth, I think I have all of my own personal needs taken care of.
Feel free to make suggestions for other identity providers in the Authl issue tracker, though!
Posted Saturday, August 10 at 2:04 AM (5 years ago)
Oh gosh I seem to be on a roll with these updates again. Here’s what changed in Publ:
- Fixed a silly bug in the admin dashboard renderer which made it not work in production mode
- Make the admin log only record the most recent access per user per entry, making it way more useful
- Make the logout operation happen via POST method rather than GET, fixing a problem with browser prefetching; added a
logout.html template to support that. (Also made the default unauthorized.html use Authl’s default CSS.)
- Actually make
entry.authorized available, rather than just documented. Also gave it a better name while I was at it.
view.entries can now take an optional argument for inlining unauthorized entries, improving its usage within feeds.view.unauthorized can now take an optional argument for limiting the unauthorized view count, which helps performance and makes it a bit more predictable- Images now provide their filename as the default alt text, which is arguably better for accessibility than just leaving it a blank string. I am willing to change my mind on this, however.
- Cleaned up the code around
category.subcats(recurse=True) and also added some actual tests for the sort ordering. They pass.
And the Authl changes (which were actually released before Publ 0.5.0 but I didn’t bother announcing them until I had them tested “in the wild”):
- Changed to using packaged data for templates
- Made the login page CSS available through
url_for
- Removed the spurious precision from the email message template
Anyway, I of course updated the sample beesbuzz.biz templates to reflect the new functionality.
Wow, Publ’s feeling like it’s actually kinda pretty good at stuff now. I hope someone else ever wants to actually, like, use it or something.