The thing I was most excited about at IndieWebCamp Brighton was coming up with a Private Webmention extension to Webmention. The version we outlined in Brighton was drastically simplified from previous iterations of potential ways to send private Webmentions.
Nearly a week after speccing it out, I now have a first draft implementation of sending. My goal this week was to finish implementing sending private Webmentions, to get some real-world feedback on the spec.
First, since I use the Telegraph API to send Webmentions, I had to add the ability for it to pass through the new "code" and "realm" values. The neat thing about doing it this way is if you want to use Telegraph to send Webmentions for you, you don't have to give it access to your private posts.
I then had to add the concept of private posts to p3k. One of the challenges I've been facing with p3k is adding the concept of user accounts and other people logging in. To do so, I would need some sort of user database (likely treating the person's URL as the unique identifier for their identity in my system), and then would need to associate users with posts to keep track of who can see what. Then the next challenge would be writing the queries to return different items in various feeds people are viewing when logged in. This all sounded terribly complicated, and there were a number of implementation decisions I didn't want to make just yet.
I decided to scrap that whole idea and do the simplest possible thing instead. I realized that the way the Private Webmention spec is written, I don't actually need "user accounts" to send a private Webmention at all. Instead, all I need to do is to be able to generate and verify tokens that can fetch a specific page. I don't need these tokens associated with users or even domain names.
This simplified my implementation a lot. It meant a relatively small amount of self-contained code to generate the authorization codes and access tokens. The access tokens are locked to a specific post URL, so each token issued can only be used to view a specific post. This is obviously not useful as a generic login mechanism, but it's absolutely sufficient to have a Webmention receiver verify a private Webmention!
Also worth noting is that my implementation does not currently take advantage of the "realm" value. This means every private Webmention I send will require the receiver obtain a new access token. Once I add the of concept of user accounts and mapping posts to users, then I'll be able to generate a "realm" value for that particular user so they will be able to reuse access tokens to fetch additional posts. This is a good future optimization, but not necessary for a first draft implementation.
Next up I need to implement receiving private Webmentions. Since I use webmention.io to handle receiving Webmentions, I'll be adding support for receiving private Webmentions to it.
I am also looking forward to others implementing receiving private Webmentions so that I can start sending some! If you're interested, take a look at the spec, as well as the implementation guide. Hop in our chat if you're not already there and feel free to ask questions!