Posted Saturday, December 14 at 2:24 PM (8 months ago)
Some fresh new versions of things.
Changes to Publ:
- Massive improvements to how footnotes are handled; now they get their own virtual section (so if you’re currently using footnotes you’ll need to update your templates!)1
- Various performance improvements:
- Some internal caching on image rendition stuff
- Reduce contention in the content indexer (to hopefully make large sites more responsive on restart)
- Minor optimizations to
config.secret_key; now this should be configured on the application object per Flask standards
- Allow HTML attributes other than
src to contain image renditions
- Improve WebFinger support
Posted Wednesday, December 4 at 8:56 PM (8 months ago)
Thanks to André Jaenisch for his incredibly generous help in getting this set up!
And, if you run into any trouble (or have any suggestions for improvement), please open an issue.
(Full disclosure: I have even more of no idea what I’m doing than usual.)
Posted Tuesday, December 3 at 11:28 PM (8 months ago)
Double-whammy release today.
Posted Sunday, December 1 at 9:10 PM (8 months ago)
I’ve released a new version of Pushl.
Changes since the last version:
- Added support for tracking entry URL changes
- Finally got around to adding type annotations and static analysis
Posted Wednesday, November 27 at 9:13 PM (9 months ago)
Publ v0.5.10 is now available. The following has changed since v0.5.9:
- Image sets will generate fullsize renditions (and their links) for images which were skipped, so they will still appear in the lightbox
- Footnotes now get rolled up into the
entry.more (with some caveats), and also get stable permalinks for their references1
- You can now annotate an HTML attribute with
I’ve also made a bunch of changes to the sample templates.
Posted Thursday, November 14 at 10:23 PM (9 months ago)
Just a tiny fix in this; it works around an inconsistency between the IndieAuth spec and IndieAuth.com’s implementation. Normally I’d just be all, “this is a bug in IndieAuth.com” but that’s the most popular IndieAuth endpoint right now so I decided it was prudent to make a compromise. And really it’s a good idea to always specify an
Accept: header anyway.
Thanks to Colin for bringing this to my attention.
Posted Thursday, November 7 at 12:03 PM (9 months ago)
Publ v0.5.9 is now out. Just a couple of bugfixes in this one:
- Login pages now properly redirect to https again (after that was broken due to some of the recent auth-related changes)
view.range works correctly again, as does everything else that relied on
len() on parameter-optional properties (e.g.
Posted Monday, November 4 at 3:04 PM (9 months ago)
I’ve now released v0.3.2 of Authl, which adds the following changes:
- Fixed IndieAuth URL validation rules
- Improved UX for login type preview
- Now it supports Twitter on “stateless” hosting
As an experiment I’ve enabled Twitter login on this site, so now you should be
able to use it to look at protected entries.
Posted Wednesday, October 30 at 7:11 PM (10 months ago)
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
Posted Wednesday, October 30 at 2:53 AM (10 months ago)
I just released Authl v0.3.0; minor version bump because of a public API change,
to better facilitate stateless storage.
Which is to say I converted most of the handlers to be stateless, which
hopefully fixes the issues with running on Heroku.
Unfortunately Twitter couldn’t be fixed easily but I wasn’t running the Twitter
handler on this site anyway. I do have some ideas but they’re fairly involved
and will have to come later, and not when I’m up way past my bedtime.
Also, there still seems to be some cache-related issue that’s making it
necessary to shift-reload the page after logging in or out, sometimes.
Posted Tuesday, October 29 at 9:38 PM (10 months ago)
There is only one feature for this new release of Publ, but it’s a big one – there is (theoretical) support for AutoAuth! That’s right, deploy this version and people should be able to magically log on to your website using unattended IndieAuth providers.
Unfortunately, there aren’t any tools that I know of which actually support this mode of operation; all testing has been manual and In Theory.
Fortunately, if someone does want to test AutoAuth (or IndieAuth Bearer authentication in general), you can test it out on this site! You can use this entry as an individual entry, and this category or this feed to see how well it works with the “partial public” path.
Also, this page will tell you all sorts of useful information about the current user (if any).
And I’d might as well use this opportunity to show off the admin dashboard – just sign in as the user
test:admin to see how it looks.
EDIT: It looks like there’s a problem with third-party auth due to the way that Heroku works. I should have anticipated this. Third-party auth is temporarily disabled for now. (But this doesn’t affect
AutoAuth at least!)
Posted Friday, October 25 at 10:45 PM (10 months ago)
Oops, I’d been sitting on a bunch of bugfixes for a month, which I didn’t notice until I put in another bugfix tonight.
Changes since v0.5.5:
- Fix title sanitization
- Handle category.name with the same formatting options as entry.title
- Replace hand-rolled atomic file operations with atomicwrites
link_class to image renditions
- Fix automatic
alt generation for external images
- Simplify the way entry URLs are canonicized
- Fix some bitrot in older tests
Posted Friday, October 25 at 5:36 PM (10 months ago)
Since adding user authentication to Publ, I’ve been thinking of ways of allowing people to subscribe to sites from feed readers while getting their own native authorization, so that people can see entries directly in their readers rather than needing the clumsy mechanisms of unauthorized placeholder entries.
Out of the box, Publ authentication does support a shared cookie jar; if you can provide your cookies to your feed reader in some way, then things will Just Work. Unfortunately, I don’t know of any feed readers that actually support this, at least not easily. (Back when most browsers had a feed reader built-in this was a lot simpler. But time marches on.)
The two mechanisms which seemed most promising are AutoAuth and “magic links,” where users get signed URLs that come pre-authenticated and show the full authorized content for that user. AutoAuth is still in a draft phase that’s stuck in a chicken-and-egg situation (and also requires a lot of buy-in to IndieWeb protocols, which is still a pill too large to swallow for most of the folks who follow my blog), so magic feed links seemed like the best path forward.
I even got so far as to draft out an implementation, but there’s a few bad issues with it which just made me opt not to.
Posted Thursday, October 3 at 1:49 AM (10 months ago)
I have now released Pushl v0.2.12. The following is new:
- It now respects
rel="self" when determining which URL to send a WebSub ping for
- You can now send self-pings using the
- Miscellaneous code cleanups
Posted Monday, September 23 at 5:51 PM (11 months ago)
Howdy y'all! Here’s a new release of Publ for you.
What’s new in this version:
- Add the ability to filter by multiple categories, and also to filter out categories as well
- Various code cleanups, especially around the query generator
Also the unannounced v0.5.4 release was to fix some stuff that broke due to an upstream Arrow change (specifically dealing with them removing an API that I was using to suppress warnings for a different upstream change that I’d already handled).
I should also mention that I’ve updated the beesbuzz.biz template samples to improve IndieWeb and ActivityPub compatibility. (Publ still doesn’t support ActivityPub itself but these changes make it interoperate with Bridgy Fed a bit better.)
On a meta note, I’ve left the microbiology lab I was at; I hope they continue to use Publ, of course! Over the next little while I’m going to spend some more time working on my own things again (including Publ et al), but I’ve also had some interesting job interviews with one of them seeming very likely to turn into an offer. Wish me luck, if you’re into that sort of thing! (And of course, follow my blog for the primary source of this stuff.)
Posted Monday, September 23 at 9:33 AM (11 months ago)
In trying to fix what looked like a bug in Pushl (which turned out to be a bug in one of the services I was pinging), I did a bunch of much-needed code cleanup and refactoring.
I also added the ability to ping the Internet Archive Wayback Machine for outgoing links if the target has changed (relative to the usual
Pushl will now also log warnings for two useful situations:
- An outgoing link generates a 400-class error (403/404/410/etc.)
- An outgoing webmention has a different canonical URL than what’s being pinged (improved since v0.2.8)
The way it handles canonical URLs is also now improved; if a page has
<link rel="canonical"> it will use that, otherwise it will use the final URL that is the result of chasing redirects.
Posted Friday, September 6 at 5:27 PM (11 months ago)
So hey, if you’ve been using webmention.js you should probably update it, as there turned out to be an XSS issue found by Checkmention. Better to be safe than sorry etc. etc.
Posted Monday, August 26 at 3:35 PM (a year ago)
I’ve released updates to both Publ and Authl.
On the Authl side:
- Code quality and documentation improvements
- Add an asynchronous client-side lookup thing that tells users how their login will proceed
- Add the redirection target to
disposition.Error so that can be preserved correctly
- Update the Flask wrapper to use
- Let the application know the redirection target in
On the Publ side:
- If the site is configured to force HTTPS in authentication, force the cookie to be HTTPS-only
- If a user is already logged in, make the login handler redirect them to their destination
- Improved build scripts to make it less convenient to accidentally push a build from the wrong branch or version
These changes help to keep sites more secure from eavesdroppers, while also hopefully improving the user experience!
Posted Wednesday, August 21 at 10:21 PM (a year ago)
I’ve released v0.2.8 of Pushl, which fixes an issue with Webmention and Pingback where it was over-optimistically setting the link target. It will also warn you if the link target doesn’t match with the actual page, so you can update your links accordingly.
Right now it’s a little spammy (in that it’ll tell you about redirection mismatches for all links, not just ones with a Webmention or Pingback endpoint), but the next version will address that.
Posted Monday, August 19 at 1:49 AM (a year ago)
I’ve released Authl v0.2.0. Changes since v0.1.8:
- Added support for Twitter
- Big ol' refactor to support Twitter (see the fuller discussion below the cut!)
- Released to beta!
And changes from v0.1.7 to v0.1.8 (which I didn’t bother to post an announcement about):
- Fixed an incredibly minor security issue in the Mastodon client (the
client_secret was leaking but in the context of Mastodon that couldn’t really be used for anything anyway)
- Centralize/refactor the login token management, allowing for future flexibility in the service stack
- Make callback IDs protocol-stable, which helps with some stricter services (e.g. Twitter)