WeChat ID
aaronpk_tv
-
I'll be in SF this week! Any special donut requests? -
vishae
https://github.com/vishae
•
Apr 28
Hi @aaronpk
When I add the first line, this is the error message I get (when attempting to send a previous post to my site - after the verification process):
HTTP/1.1 100 Continue
HTTP/1.1 500 Internal Server Error Server: nginx/1.12.2 Date: Sat, 28 Apr 2018 06:32:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Endurance-Cache-Level: 2
That is the same error message I get if I remove that line and add the second line you suggested (I'm assuming you didn't want both lines in the .htaccess file).
Okay, thanks for giving that a try. We're working on a fix and should hopefully have an update shortly. -
Does this match the behavior as described in the readme? https://github.com/indieweb/php-mf2#generating-output-for-json-serialization-with-json-mode See also this issue which looks like the same thing but for `rels` https://github.com/indieweb/php-mf2/issues/29
-
Looking forward to coming back to Nürnberg!
-
I use that all the time! It's very helpful to be able to tell whether a "sale" is actually a good deal.
-
sknebel
https://github.com/sknebel
•
Apr 26
A potential manual way: have a !snooze command that blacklists a string for e.g. 24 hours.
!snooze is not a bad idea, that gives people the ability to make the decision about what to filter.
I do have some code that Loqi uses to kick people out of the IRC room when they spam it that might also work here, but I'd be worried about too much false positive filtering. It looks at a normalized version of the text (lowercase, no whitespace or punctuation, minus URLs) and could reject tweets that match an existing one found in the last 24 hours. That would have stopped a bunch of these from coming through. -
I solved that problem for myself pretty quick 😉 -
danielpunkass
https://micro.blog/danielpunkass
•
Apr 25
@aaronpk This is a privilege that I enjoy far more than many programmers... thanks for the reminder.
Yes, I learned this the hard way two years ago. I was blissfully unaware of this privilege up until that point. -
Zegnat
https://github.com/Zegnat
•
Apr 25
This totally slipped me by, so here we go. I do like the idea of logging things, and
syslog()is probably the best solution unless we want to pull in something like PSR-3. More thoughts:- I would not turn any logging on by default. I do think logging IPs with authentication requests makes sense, and I would simply never want to log any IPs by default. Especially when people running this on shared hosts might be feeding it into logs they themselves cannot clear.
LOG_FAILED_PASSWORDSsounds like a nice-to-have that needs massive disclaimers around it. We can’t work on the assumption that everyone is using a password manager. This means people are typing their passwords, and typos happen. This option sounds good, but if you over time fill logs with deviations of your real password, you better be making sure you are purging those logs real good. (Of course again with the problem thatsyslog()may be out of reach to the user who unwittingly turned this on.)
I can almost see us strategically dropping these into the source code, but commented. Anyone who understands
syslog()and wants to use it to trip up other alarm bells on a server, will probably be OK uncommenting a couple of functions. Even if they aren’t well versed with PHP. This will at least keep it out of the hands of users who cannot see the possible side-effects.Like the idea, just not sure how to execute it without giving users some flags in the config with huge warning disclaimers. And I don’t like warning disclaimers in what is supposed to be a simple single-purpose thing.
I like the idea of making logging opt-in by uncommenting the code. I'm struggling to think of a case where logging failed passwords is ever a good idea. It seems others would agree with this assessment as well. https://security.stackexchange.com/questions/16824/is-it-common-practice-to-log-rejected-passwords -
I love programming*
*when programming a product that I also designed myself -
Eddie Hinkle
https://eddiehinkle.com/
•
permalink
I definitely agree! It was a huge improvement when they switched to subscription!
Everyone seemed super upset about the change, but honestly I prefer the new model. I am happy to support them yearly rather than pay once and expect them to continue improving the software for free. I want to be seen as a customer rather than a drain on their resources. -
In practice this is enforced by the PHP process itself. PHP has a setting for a maximum memory limit, at which point the process will be killed. I'm not really interested in trying to solve this for real using some sort of stream solution, since the vast majority of content this is used for is relatively small pages.
-
omg is that a cat cafe? 😻 -
nickvance
https://micro.blog/nickvance
•
Apr 24
@aaronpk I'm a big fan of plan 'ol RSS but this is neat. Seems weird that it shows up under a GoDaddy URL though?
Plain old RSS is fine for what it does -- one-way consumption of blog posts and podcasts -- but the web moved on from that kind of interaction ages ago. GoDaddy has been a big indieweb supporter for a while now too! https://indieweb.org/GoDaddy -
wow pretty cool! It looks like 1000ft is normal though: https://aviation.stackexchange.com/a/2813
-
Adam Lewis
https://twitter.com/lewiada
•
Apr 24
and what about for storing the access token in the browser?
Sadly there isn't a satisfying answer to that. Anything that your JS can use to store any token is vulnerable to XSS. The only secure option is cookies, but that won't work with OAuth. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage -
Aaron Parecki
https://aaronparecki.com/
•
Apr 24
BCP for public UA clients:
• use the authorization code flow
• omit client secret
• strict redirect URI validation
Some citations and more info: https://aaronparecki.com/oauth-2-simplified/#single-page-apps
I agree it would be nice to see this written up properly though. In the mean time, I'm adding a section to my book about this. -
Adam Lewis
https://twitter.com/lewiada
•
Apr 24
We do implement native apps per RFC8252 including code flow, custom tabs and PKCE, and we use OIDC for authentication to web apps. But doing ua-based-apps / SPAs right is ambiguous at best and I keep hoping for the @oauth_2 WG to begin work on an ua-based client BCP.
BCP for public UA clients:
• use the authorization code flow
• omit client secret
• strict redirect URI validation
Some citations and more info: https://aaronparecki.com/oauth-2-simplified/#single-page-apps -
jagtalon
https://micro.blog/jagtalon
•
Apr 23
@aaronpk Hi! I just started using OwnYourGram and it's so cool! I'm glad that I get to archive my stuff from there and onto my own domain. I have a question though: is it possible for it to fetch more than 20 IG posts? Would be cool if I could back those up as well.
Thank you!
Thanks! Unfortunately it doesn't handle importing past photos right now, it's meant to just import photos going forward. -
macgenie
https://micro.blog/macgenie
•
Apr 21
@aaronpk Your list of life tools is the one that pushed me over the edge. I got the KitchenAid, as recommended, and I hope you are enjoying your $0.26 of affiliate income. 😂. (I actually don't know what the affiliate percentage is anymore.)
Haha that's great! It was probably actually more like $1 too!
