Publ: Development Blog

News and updates about Publ

Publ 0.5.8, Authl 0.3.1, and IndieAuth security

Posted Wednesday, October 30 at 7:11 PM (4 years ago)

So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.

Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
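The check that closes the hole described above, as an added example rather than Authl's or Publ's actual code: the `me` URL the authorization endpoint returns is a claim, and the client only accepts it when it matches the URL the user started with or when that URL itself delegates to the same authorization endpoint that was used. The domain names and the discovery table are constructed for this example; a real client would fetch the profile page instead of consulting a table.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed discovery results for this example: profile URL -> the
# authorization endpoint its page advertises (rel="authorization_endpoint").
CONSTRUCTED_ENDPOINTS = {
    "https://alice.example/": "https://auth.alice.example/authorize",
    "https://alice.example/blog/": "https://auth.alice.example/authorize",
    "https://mallory.example/": "https://auth.mallory.example/authorize",
}

def discover_auth_endpoint(profile_url):
    """Stand-in for fetching the profile page and reading its authorization
    endpoint link; an offline table lookup so the example runs anywhere."""
    return CONSTRUCTED_ENDPOINTS.get(profile_url)

def canonical_profile_url(url):
    """Normalize a profile URL so equal identities compare equal: lowercase
    scheme and host, default path "/", no fragment, no userinfo."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) profile URL: {url!r}")
    if parts.username is not None or parts.fragment:
        raise ValueError(f"userinfo or fragment not allowed: {url!r}")
    netloc = parts.hostname.lower() + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))

def verify_me(entered_me, returned_me, used_endpoint, discover=discover_auth_endpoint):
    """Return the verified identity or raise PermissionError.
    The returned 'me' is a claim, not proof: accept it only if it is the URL
    the user started with, or if that URL delegates to the endpoint we used.
    Returning returned_me unconditionally is the naive behaviour described above."""
    entered = canonical_profile_url(entered_me)
    returned = canonical_profile_url(returned_me)
    if returned == entered:
        return returned
    # The endpoint may only vouch for identities whose pages point back to it.
    if discover(returned) == used_endpoint:
        return returned
    raise PermissionError(
        f"{used_endpoint} asserted {returned!r}, which does not delegate to it")

def identity_accepted(entered_me, returned_me, used_endpoint):
    """True when verify_me accepts the asserted identity, False when it rejects it."""
    try:
        verify_me(entered_me, returned_me, used_endpoint)
        return True
    except (PermissionError, ValueError):
        return False
```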

Authl v0.3.0

Posted Wednesday, October 30 at 2:53 AM (4 years ago)

I just released Authl v0.3.0; it's a minor version bump because of a public API change, made to better facilitate stateless storage.

Which is to say, I converted most of the handlers to be stateless, which hopefully fixes the issues with running on Heroku.

Unfortunately, Twitter couldn’t be fixed easily, but I wasn’t running the Twitter handler on this site anyway. I do have some ideas, but they’re fairly involved and will have to come later, not when I’m up way past my bedtime.

Also, there still seems to be some cache-related issue that’s making it necessary to shift-reload the page after logging in or out, sometimes.

Publ v0.5.7, now with theoretical AutoAuth support!

Posted Tuesday, October 29 at 9:38 PM (4 years ago)

There is only one feature for this new release of Publ, but it’s a big one – there is (theoretical) support for AutoAuth! That’s right, deploy this version and people should be able to magically log on to your website using unattended IndieAuth providers.

Unfortunately, there aren’t any tools that I know of which actually support this mode of operation; all testing has been manual and In Theory.

Fortunately, if someone does want to test AutoAuth (or IndieAuth Bearer authentication in general), you can test it out on this site! You can use this entry as an individual entry, and this category or this feed to see how well it works with the “partial public” path.

Also, this page will tell you all sorts of useful information about the current user (if any).

And I might as well use this opportunity to show off the admin dashboard – just sign in as the user test:admin to see how it looks.

EDIT: It looks like there’s a problem with third-party auth due to the way that Heroku works. I should have anticipated this. Third-party auth is temporarily disabled for now. (But this doesn’t affect AutoAuth at least!)

Publ v0.5.6 released

Posted Friday, October 25 at 10:45 PM (4 years ago)

Oops, I’d been sitting on a bunch of bugfixes for a month, which I didn’t notice until I put in another bugfix tonight.

Changes since v0.5.5:

  • Fix title sanitization
  • Handle category.name with the same formatting options as entry.title
  • Replace hand-rolled atomic file operations with atomicwrites
  • Add link_class to image renditions
  • Fix automatic alt generation for external images
  • Simplify the way entry URLs are canonicized
  • Fix some bitrot in older tests

Why Publ won’t support magic auth links

Posted Friday, October 25 at 5:36 PM (4 years ago)

Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.

Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)

The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.

I even got as far as drafting an implementation, but there are a few bad issues with it which made me decide against it.

Pushl v0.2.12

Posted Thursday, October 3 at 1:49 AM (4 years ago)

I have now released Pushl v0.2.12. The following is new:

  • It now respects rel="canonical" or rel="self" when determining which URL to send a WebSub ping for
  • You can now send self-pings using the --self-pings parameter
  • Miscellaneous code cleanups