Authl 0.4.1 is out. Changes below:
- Better unit test coverage
- Some better error messaging in some places
- Removed the IndieLogin handler, which serves no real purpose when there’s native IndieAuth support anyway
Authl 0.4.1 is out. Changes below:
I’ve just released new versions of Publ and Authl.
Publ v0.6.6 changes:
WWW-Authenticateheaders weren’t being cached properly
Authl v0.4.0 changes:
Some fresh new versions of things.
Changes to Publ:
config.secret_key; now this should be configured on the application object per Flask standards
srcto contain image renditions
Double-whammy release today.
Just a tiny fix in this; it works around an inconsistency between the IndieAuth spec and IndieAuth.com’s implementation. Normally I’d just be all, “this is a bug in IndieAuth.com” but that’s the most popular IndieAuth endpoint right now so I decided it was prudent to make a compromise. And really it’s a good idea to always specify an
Accept: header anyway.
Thanks to Colin for bringing this to my attention.
I’ve now released v0.3.2 of Authl, which adds the following changes:
As an experiment I’ve enabled Twitter login on this site, so now you should be able to use it to look at protected entries.
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
I just released Authl v0.3.0; minor version bump because of a public API change, to better facilitate stateless storage.
Which is to say I converted most of the handlers to be stateless, which hopefully fixes the issues with running on Heroku.
Unfortunately Twitter couldn’t be fixed easily but I wasn’t running the Twitter handler on this site anyway. I do have some ideas but they’re fairly involved and will have to come later, and not when I’m up way past my bedtime.
Also, there still seems to be some cache-related issue that’s making it necessary to shift-reload the page after logging in or out, sometimes.
I’ve released updates to both Publ and Authl.
On the Authl side:
disposition.Errorso that can be preserved correctly
On the Publ side:
These changes help to keep sites more secure from eavesdroppers, while also hopefully improving the user experience!
I’ve released Authl v0.2.0. Changes since v0.1.8:
And changes from v0.1.7 to v0.1.8 (which I didn’t bother to post an announcement about):
client_secretwas leaking but in the context of Mastodon that couldn’t really be used for anything anyway)
I’ve released Authl v0.1.7, which now adds direct support for IndieAuth (rather than requiring IndieLogin.com as a broker). This means that now folks who have an IndieAuth identity can log in using that; previously I was expecting IndieLogin.com to eventually open up client registrations to make that a useful authentication path, but for various reasons Aaron hasn’t opened it up to the general public.
Part of this update was to also refactor how OAuth is handled, so it’ll be a lot easier for me to add more OAuth-based providers in the future; hopefully I’ll have direct support for Twitter, GitHub, and maybe even Facebook in the near-ish future. But for now, between Mastodon, email, and IndieAuth, I think I have all of my own personal needs taken care of.
Feel free to make suggestions for other identity providers in the Authl issue tracker, though!
Oh gosh I seem to be on a roll with these updates again. Here’s what changed in Publ:
logout.htmltemplate to support that. (Also made the default
unauthorized.htmluse Authl’s default CSS.)
entry.authorizedavailable, rather than just documented. Also gave it a better name while I was at it.
view.entriescan now take an optional argument for inlining unauthorized entries, improving its usage within feeds.
view.unauthorizedcan now take an optional argument for limiting the unauthorized view count, which helps performance and makes it a bit more predictable
category.subcats(recurse=True)and also added some actual tests for the sort ordering. They pass.
And the Authl changes (which were actually released before Publ 0.5.0 but I didn’t bother announcing them until I had them tested “in the wild”):
Anyway, I of course updated the sample beesbuzz.biz templates to reflect the new functionality.
Wow, Publ’s feeling like it’s actually kinda pretty good at stuff now. I hope someone else ever wants to actually, like, use it or something.
Updated some packages.
Main things with Publ since the last release:
The only Authl change is that email identities are now given as a full
mailto: URL; going forward all identity strings will be full URLs. This simplifies the UX for admin dashboards, in particular, and removes some ambiguity.
I’ve released a mini-update of Publ to fix an authentication problem (the config parser was “helpfully” sanitizing things that didn’t want to be sanitized), and also some refactoring/improvements/bugfixes to Authl.
The big changes to Authl are that the email handler generates shorter/nicer links, and it also puts an anti-abuse timeout into email login attempts to prevent people from spamming themselves or others with spurious email notifications. There’s also a bunch of small bugfixes to Authl’s login flow, and Flask apps can specify that sessions should not be made permanent.
Status: UNLISTEDas a synonym for
There is not much left for v0.5, incidentally!
Wow, this is a pretty major update: authentication is now a thing!
It isn’t quite complete yet – I still have a few more things I want to add before I consider it done (and therefore release v0.5.0) – but this is at least in a state where it’s ready to be experimented with. Probably. I need to sleep first, before I start adding authentication to my website.
I’ve released Authl 0.1.1, which adds support for Mastodon authentication. And the Publ test suite now is up-to-date with that as well.
There’s a few things I want to do on Publ before I release a version for use on my own website, the big one being the ability to provide a better login page, and some refactoring around built-in templates now that built-in templates are becoming a thing.
I also really want to redo how I manage the documentation site, because it’s getting kind of untenable at this point.
Anyway, really soon I’ll have properly-private content on my website again, and hopefully this will be enough of a feature for people to actually be interested in Publ!
Hey, wait, Publ’s a Flask application!
How about that.
I wrote more about this on my personal blog but to summarize, I finally made some progress on actually working on Authl, which was the missing piece I needed before finally getting started on private posts. No promises on when I’ll actually have that functionality working, but at least I’ve finally gotten over the chicken-and-egg bump of not having any auth system to implement privacy against (and no privacy system to implement auth for).
Anyway, if anyone wants to play with what I have so far, there’s an incredibly basic starting point over yonder.