Posted Friday, December 4 at 12:09 AM (4 months ago)
Wow, it’s been a while since I’ve worked on this stuff, huh?
Anyway, IndieAuth validation rules have changed for the better, so Authl has been updated accordingly.
There’s a few other changes as well:
- On IndieAuth profiles,
p-pronoun is treated as a fallback for
- The Flask templates add some
rel="nofollow" in some appropriate places
Posted Sunday, August 2 at 2:37 AM (8 months ago)
Some pretty big new features added. First, in Authl:
- Major documentation improvements
- Bug fixes with Fediverse instance caching
- All providers now normalize to the same profile format
- Some basic spam prevention for the email provider
- 100% unit test coverage on the Fediverse provider (which is now using mastodon.py instead of a hand-rolled OAuth client)
And in Publ:
- Fenced code now uses
<figcaption> instead of ad-hoc
<div>s for its layout, and the overall HTML semantic has been greatly improved
- Individual code blocks are now configurable with respect to highlighting and line numbering
- The user object now provides a user profile and separates the identity URL from the familiar name
Posted Sunday, May 31 at 3:32 AM (11 months ago)
I’ve just released new versions of Publ and Authl.
Publ v0.6.6 changes:
- Fixed a regression that made it impossible to log out
- Fixed a problem where
WWW-Authenticate headers weren’t being cached properly
- Improve the changed-file cache-busting methodology
- Add object pooling to Entry, Category, and View (for a potentially big memory and performance improvement)
Authl v0.4.0 changes:
- Finally started to add unit tests
- Removed some legacy WebFinger code that was no longer relevant or ever touched
- Added a mechanism to allow providers to go directly to login, as appropriate
- Added friendly visual icons for providers which support them (a so-called “NASCAR interface”)
Posted Saturday, December 14 at 2:24 PM (a year ago)
Some fresh new versions of things.
Changes to Publ:
- Massive improvements to how footnotes are handled; now they get their own virtual section (so if you’re currently using footnotes you’ll need to update your templates!)1
- Various performance improvements:
- Some internal caching on image rendition stuff
- Reduce contention in the content indexer (to hopefully make large sites more responsive on restart)
- Minor optimizations to
config.secret_key; now this should be configured on the application object per Flask standards
- Allow HTML attributes other than
src to contain image renditions
- Improve WebFinger support
Posted Wednesday, October 30 at 7:11 PM (a year ago)
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
Posted Monday, August 26 at 3:35 PM (2 years ago)
I’ve released updates to both Publ and Authl.
On the Authl side:
- Code quality and documentation improvements
- Add an asynchronous client-side lookup thing that tells users how their login will proceed
- Add the redirection target to
disposition.Error so that can be preserved correctly
- Update the Flask wrapper to use
- Let the application know the redirection target in
On the Publ side:
- If the site is configured to force HTTPS in authentication, force the cookie to be HTTPS-only
- If a user is already logged in, make the login handler redirect them to their destination
- Improved build scripts to make it less convenient to accidentally push a build from the wrong branch or version
These changes help to keep sites more secure from eavesdroppers, while also hopefully improving the user experience!
Posted Saturday, August 10 at 2:04 AM (2 years ago)
Oh gosh I seem to be on a roll with these updates again. Here’s what changed in Publ:
- Fixed a silly bug in the admin dashboard renderer which made it not work in production mode
- Make the admin log only record the most recent access per user per entry, making it way more useful
- Make the logout operation happen via POST method rather than GET, fixing a problem with browser prefetching; added a
logout.html template to support that. (Also made the default
unauthorized.html use Authl’s default CSS.)
- Actually make
entry.authorized available, rather than just documented. Also gave it a better name while I was at it.
view.entries can now take an optional argument for inlining unauthorized entries, improving its usage within feeds.
view.unauthorized can now take an optional argument for limiting the unauthorized view count, which helps performance and makes it a bit more predictable
- Images now provide their filename as the default alt text, which is arguably better for accessibility than just leaving it a blank string. I am willing to change my mind on this, however.
- Cleaned up the code around
category.subcats(recurse=True) and also added some actual tests for the sort ordering. They pass.
And the Authl changes (which were actually released before Publ 0.5.0 but I didn’t bother announcing them until I had them tested “in the wild”):
- Changed to using packaged data for templates
- Made the login page CSS available through
- Removed the spurious precision from the email message template
Anyway, I of course updated the sample beesbuzz.biz templates to reflect the new functionality.
Wow, Publ’s feeling like it’s actually kinda pretty good at stuff now. I hope someone else ever wants to actually, like, use it or something.
Posted Friday, July 26 at 12:36 AM (2 years ago)
Updated some packages.
Main things with Publ since the last release:
- Internal cleanups to how caching happens
- Stop spuriously-caching a bunch of stuff; in particular login/logout endpoint URLs no longer get cached
- Various cleanups
- Improve the way that built-in templates are managed
- Initial cruddy implementation of an admin authentication dashboard (although this isn’t quite ready for prime time)
The only Authl change is that email identities are now given as a full
mailto: URL; going forward all identity strings will be full URLs. This simplifies the UX for admin dashboards, in particular, and removes some ambiguity.
Posted Sunday, July 21 at 2:24 AM (2 years ago)
I’ve released a mini-update of Publ to fix an authentication problem (the config parser was “helpfully” sanitizing things that didn’t want to be sanitized), and also some refactoring/improvements/bugfixes to Authl.
The big changes to Authl are that the email handler generates shorter/nicer links, and it also puts an anti-abuse timeout into email login attempts to prevent people from spamming themselves or others with spurious email notifications. There’s also a bunch of small bugfixes to Authl’s login flow, and Flask apps can specify that sessions should not be made permanent.
Posted Saturday, July 13 at 5:25 PM (2 years ago)
I’ve added private entry stuff to my website (here’s an example post) and in doing so I shook out a few loose ends:
- Improved the login flow for when someone is logged in but goes to an entry they don’t have access to
- Simplified generating login and logout links from templates
Status: UNLISTED as a synonym for
All the auth-related things are now documented here and also demonstrated in the sample templates.
There is not much left for v0.5, incidentally!
Posted Saturday, July 13 at 2:58 AM (2 years ago)
Wow, this is a pretty major update: authentication is now a thing!
It isn’t quite complete yet – I still have a few more things I want to add before I consider it done (and therefore release v0.5.0) – but this is at least in a state where it’s ready to be experimented with. Probably. I need to sleep first, before I start adding authentication to my website.