Malcolm Blaney

IndieWeb Summit hack day

By Malcolm Blaney on
IndieWeb Summit demos were yesterday and I wanted to write up my thoughts while they're still fresh in my mind.

Gregor and I decided to have a go at implementing AutoAuth, after the session on private webmentions and different types of auth on the Saturday. That discussion brought up that AutoAuth was capable of replacing some of the earlier auth flows created to solve individual cases of sharing private data. I think that's a good sign for AutoAuth, because it's flexible enough to solve multiple problems.

That meant we had to pick a test case we would use to implement and demo using AutoAuth, and decided viewing a private post would be the simplest. Gregor already had support for private posts on his site, so we started from there and I would add support to view the post.

Our first challenge was just agreeing on how to read the spec! We had both read it before starting the hack day, but it's not a simple thing to get your head around. One of the best things we did was work through each step, once we had picked our roles. We implemented one step at a time, working on our own side of the flow, and luckily there was about the same amount of work to do each, so this worked well.

The first step was for Gregor to add a token endpoint to discover from his private post, and a WWW-Authenticate header. The process then is that when I fetch the private post I see this header and craft a POST request to his token endpoint. This request contains a bunch of information, with the goal being that I give Gregor's token endpoint enough information to find my authorization endpoint and be able to make a request to it on my behalf. I make sure that this request will be successful by storing the same authorization code that I send to the token endpoint. The thing that I really liked at this point was that I didn't need to change my authorization endpoint at all to make this happen. I could craft an entry in my authorization codes table that would pass when requested based on the AutoAuth spec.

After Gregor makes this request, he's happy that I have been identified and can be issued a token for his private post. I provide a callback url in my request, so that's where he sends the token. I store that on my server and can now fetch the private post again with the token in an Authorization header. This all worked pretty well and our 2 minute demo involving just a couple of page loads was our reward for spending pretty much the whole day trying to work this out. :-)

We observed a few interesting things from this process. First, there's a fair bit of work involved to get a token, but once it's done you get to skip most of it for subsequent requests for the private post. I found the callback process to receive the token interesting, there's not much information in the request about who the token is coming from. There is enough information though, as the callback includes a state parameter which I initially generate. I need to store all the information about the private post I'm accessing when creating the state parameter, so that I know who to associate the token with when it gets returned.

IndieWeb Summit 2019 was great and I don't think we would've been able to get through AutoAuth in a day without having such an awesome group of people to talk to!
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings

Planck held at the center of his credo the conviction that the pinnacle of scientific progress is the discovery of a new mystery just when all the fundamentals are assumed to be known.

Was introduced to Brain Pickings recently, such great writing.
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings

Moved my reader actions inline... previously clicking an action in the reader would scroll to the top of the page, because that's where the editor was. It would helpfully scroll you back once the interaction was complete, but it was a bit clunky. :-)
likesharereplyWant to share this? Click to choose a site:settings
There was something else I wanted to mention in my post the other day, but left it out because it was getting a bit long. The first screenshot contains the unexplained piece of text: "To follow indieweb add a reader" followed by a settings link. (Here it is again...)



I added this because it's an easy way to add a rel=feed to the page. It's a separate module in Dobrado that allows setting some values for the account. One of the options allows specifying what feeds you want to make discoverable, so in this case I have it set to indieweb/directory which is the microformats feed list for all the feeds shown on that page.

The module renders that link, marked up with rel=feed, along with the logo and account name as an h-card for the account. The other thing it does is provide a webaction, which is why rather than just being a link it mentions adding a reader. Clicking the settings link opens a dialog that lets you specify your web action config. If the dialog finds a valid config it will trigger an update to any indie-action tags it finds on the page. There just happens to be one in the module I've just mentioned, so it will now looks like this:



The link "follow indieweb" is now using my config! It's pointing at my own reader with a follow action set, so if I click on that link all I have to do is click ok in my reader to add the feed. As it turns out I'm already following the indieweb directory on unicyclic.com, and my webaction config has checked this too!

One of the options set in my config is status and it happens to work a little differently from the other actions. This config option supports CORS requests, and will provide information about urls when I'm logged in. The request is made during the config check mentioned above, so the page actually looks like this for me:



The status endpoint supports multiple urls at a time, so it gets called for all indie-action tags on a page, and returns information for other actions too such as likes, replies and reposts. When it finds an action set for a url, that action will also be highlighted on the page.
indieweb
likesharereplyWant to share this? Click to choose a site:settings

On planets and reading lists

By Malcolm Blaney on
This is going to be a long one, so the short version is summed up in this screenshot:



That's from the top of this page: unicyclic.com/indieweb, which is a feed combined from different sources, commonly referred to as a planet. Up until now I've been adding new feeds to that page as people join the IndieWeb community, but I've now automated that process using follow webmentions.

What is a follow webmention? Well you start by writing a post on your own website containing a link to someone you've started following in your reader, with an extra bit of microformats in the markup of the link: class="u-follow-of". Then you would send webmentions for the post, so that the recipient can check your content and discover that you have indeed started following them.

That is what the indieweb account on unicyclic.com is now looking for, but with one extra step. When it receives a follow webmention, it will follow you back by adding you to the planet it manages. It does this by looking at the author of the post, and then doing feed discovery based on that URL. If it all works out you will be notified in the response to your webmention.

If you don't want to be listed in the planet you can unfollow the indieweb account too, no hard feelings! This is done by removing your follow post and re-sending webmentions, which should result in a 410 Gone status code from your site.

So that's how this planet now works, but what is really fun is connecting this to reading lists. I'm not sure what the right terminology is here... reading lists are also known as subscriptions lists, or dynamic OPML files. Whatever they are Dobrado now supports them, so you can subscribe to unicyclic.com/indieweb and stay up to date with the feeds of whoever happens to have joined.

Both OPML and microformats versions are available to subscribe to and are linked from that page for discovery. Since microformats is just HTML it is also a nice web page to browse, and adds to the growing list of directories in a year that is widely regarded as the year of the indieweb directory. If you parse the microformats on that page you will notice the reading list is an h-feed of h-cards. Whichever version you subscribe to, if your reader supports this type of subscription it should add feeds to your reader when they are added to the list, and remove the feed when they are taken off.

When thinking about implementing this I realised I didn't always want to stop following people just because they were removed from a reading list, so I added an extra option to manually add feeds that you're automatically subscribed to. Dobrado now provides a dialog that looks like this when viewing a reading list:



Every feed allows setting a channel, the new bit here is the description at the bottom of the dialog that mentions manually adding the feeds below. Scrolling down allows you to go through the feeds you've been subscribed to and manually add them, which just means they won't be removed from your reader if they are removed from the reading list or if you unsubscribe from that list completely. If you're already following a feed that just happens to be on a reading list you subscribe to, this also means your original subscription will be kept.

Up until now I've been reading feeds from some indieweb members in my own reader, and then also visiting the indieweb page to check out the rest, which of course meant reading things twice! Pretty happy that I can now just set a channel for it and also provide a version for others to check out or subscribe to themselves.
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings
likesharereplyWant to share this? Click to choose a site:settings