The micropub API and security

I’ve talked before about the IndieWeb, and about why it’s important to own your identity online. What is the point, however, if there is no social nature to all this? We need to interact with each other.

Webmentions to the rescue. These allow one website to “ping” another: a sort of notification system. This has been extended by snarfed to the major social network silos with his excellent bridgy service. This is basically a shim that makes it look like the silos support mf2 (microformats2) and webmentions, and very nicely done too. I still need to implement this on my own site. I’m working on it.

What people are also working on is something called the micropub API. This would allow one site or service to post to another: you could log into my site and post a note to your site. This obviously involves authentication, which is a well-discussed problem. The IndieWeb community, and Aaron in particular, have developed a service called IndieAuth. This allows you to authenticate as yourself with your own domain, by linking your domain and your profiles on various silos to each other: your site links to the silo profile and the profile links back, so each vouches for the other.

To summarise the process: when you log into my site with your domain, I fetch your domain and look for an authorisation endpoint, advertised either in an HTTP Link header or in a <link> element in the HTML. This endpoint is usually You authorise there and get redirected back to my site, with an auth code included in the redirect. I then look for a token endpoint, again on your site, and request a token from it, sending along the auth code I received. Your site verifies this code with the authorisation endpoint and then generates its own OAuth token, which is sent back to my site. I can then use this token when making API requests to your micropub endpoint. One check a client should not skip in that round trip: send a random state value with the authorisation request and refuse any redirect that does not echo it back, otherwise a forged redirect carrying someone else’s auth code can log a visitor into the wrong account.
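The client side of that exchange, as an added example written for this page (it is not the code behind jonnybarnes.uk or any IndieAuth library): discovery of the three endpoints from a Link header and the HTML, the authorisation request with a state value, the check on the redirect back, and the body sent to the token endpoint. The rel names are the real ones; every URL, header and HTML snippet is constructed sample data.

```python
"""Added example (not the code behind jonnybarnes.uk): the client side of the
IndieAuth flow described above, run offline.  The rel values are the real
ones; every URL, header and HTML snippet below is constructed sample data."""
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

WANTED_RELS = ("authorization_endpoint", "token_endpoint", "micropub")

def parse_link_header(header, base):
    """Collect rel targets from an HTTP Link header.  Splitting on commas is
    enough here; a production parser must allow for commas inside URLs."""
    found = {}
    for link in header.split(","):
        pieces = [p.strip() for p in link.split(";")]
        target = pieces[0]
        if not (target.startswith("<") and target.endswith(">")):
            continue
        for param in pieces[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() != "rel":
                continue
            for rel in value.strip().strip('"').split():
                if rel in WANTED_RELS:
                    found.setdefault(rel, urljoin(base, target[1:-1]))
    return found

class RelLinkParser(HTMLParser):
    """Collect the same rels from <link> and <a> elements in the HTML."""
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        attrs = dict(attrs)
        href, rel = attrs.get("href"), attrs.get("rel")
        if href and rel:
            for r in rel.split():
                if r in WANTED_RELS:
                    self.found.setdefault(r, urljoin(self.base, href))

def discover_endpoints(me, link_header, html):
    """HTTP Link header first, then the HTML; the first hit per rel wins."""
    found = parse_link_header(link_header or "", me)
    parser = RelLinkParser(me)
    parser.feed(html or "")
    for rel, url in parser.found.items():
        found.setdefault(rel, url)
    return found

def build_authorization_request(auth_endpoint, me, client_id, redirect_uri, scope="post"):
    """Return (URL to send the user to, state).  Keep the state in the session:
    the redirect back is only accepted if it echoes this exact value."""
    state = secrets.token_urlsafe(16)
    params = {"me": me, "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "scope": scope}
    sep = "&" if "?" in auth_endpoint else "?"
    return auth_endpoint + sep + urlencode(params), state

def check_callback(callback_url, expected_state, expected_me):
    """Validate the redirect from the authorisation endpoint and return the
    auth code.  A missing or mismatched state is refused: that is what stops
    a forged or replayed redirect logging a victim into someone else's account."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    me = query.get("me", [expected_me])[0]
    if not code or state is None:
        raise ValueError("callback is missing code or state")
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: this redirect was not started here")
    if me != expected_me:  # simplification: the spec allows some canonicalisation
        raise ValueError("callback 'me' is not the domain we started with")
    return code

def token_request_body(code, me, client_id, redirect_uri):
    """Form body POSTed to the discovered token endpoint, which re-checks the
    code with the authorisation endpoint before minting its own token."""
    return urlencode({"code": code, "me": me, "client_id": client_id,
                      "redirect_uri": redirect_uri})

# Constructed sample of what fetching the user's home page might return.
SAMPLE_ME = "https://example.org/"
SAMPLE_LINK_HEADER = ('<https://example.org/auth>; rel="authorization_endpoint", '
                      '</token>; rel=token_endpoint')
SAMPLE_HTML = ('<html><head><link rel="micropub" href="/micropub">'
               '<link rel="authorization_endpoint" href="https://other.example/auth">'
               '</head></html>')

if __name__ == "__main__":
    endpoints = discover_endpoints(SAMPLE_ME, SAMPLE_LINK_HEADER, SAMPLE_HTML)
    url, state = build_authorization_request(endpoints["authorization_endpoint"], SAMPLE_ME,
                                             "https://client.example/", "https://client.example/cb")
    print(endpoints)
    print(url)
```

Note what the sample data exercises: the header and the HTML disagree about the authorisation endpoint, and the header wins, so a stray `<link>` injected into page content cannot redirect the login; the token endpoint is given as a relative URL and is resolved against the user’s domain.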

Security is a concern here. The most important step I take is to store your token in an encrypted cookie. By not storing the token in my webapp, if my site becomes compromised, then your token isn’t automatically compromised as well. The other talking point regarding security is the revocation of tokens. This isn’t an issue for micropub clients. This is an issue for our own sites, the micropub endpoints. We need a way of managing the OAuth tokens we have generated, so we can see and control which micropub clients we’ve authorised.

I wonder if this is something that can be incorporated into IndieAuth? Once authorisation has occurred, the endpoint could request that IndieAuth generates an OAuth token, and that token gets sent back to the client. Then when the micropub client makes an API request, the endpoint checks the OAuth token with IndieAuth. Then we could see all our “active” tokens on IndieAuth and revoke those we no longer wish to be active. Further consideration would be needed as to how to implement this, particularly details like which roles a token is valid for, or whether it has an expiration date. How would this information be associated with a token? It could be simply encoded into the token itself; this would probably be the easiest solution to initially implement. It’s how I generate the tokens on my site at the moment.
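An added example of the “encode it into the token” approach and of the bookkeeping that makes revocation possible. This is editorial code written for this page, not the author’s token generator: the claims, the signing key, the registry and the sample values are all assumptions. The point it makes is that a self-contained token lets the endpoint check scope and expiry without a lookup, but listing and revoking tokens still needs a record of what was issued, keyed by a token id.

```python
"""Added example (not the author's token code): micropub endpoint tokens with
scope and expiry encoded in the token itself, plus the registry that makes
them listable and revocable.  Key, claim names and values are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # assumed: one per endpoint, kept server-side
ISSUED = {}      # jti -> summary, so the owner can see what has been handed out
REVOKED = set()  # jti values the owner has withdrawn

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body, key):
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(me, client_id, scope, ttl, now=None, key=SIGNING_KEY):
    """Mint 'claims.signature'.  Everything needed at request time (who, which
    client, which scopes, until when) travels inside the token."""
    now = int(time.time()) if now is None else now
    claims = {"jti": secrets.token_hex(8), "me": me, "client_id": client_id,
              "scope": scope, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    ISSUED[claims["jti"]] = {"client_id": client_id, "scope": scope, "exp": claims["exp"]}
    return body + "." + _sign(body, key)

def verify_token(token, required_scope, now=None, key=SIGNING_KEY):
    """Return the claims if the token is genuine, unexpired, unrevoked and
    carries the scope the request needs; otherwise None.  The signature is
    checked before anything inside the token is trusted."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(body, key).encode()):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now or claims["jti"] in REVOKED:
        return None
    if required_scope not in claims["scope"].split():
        return None
    return claims

def revoke_token(jti):
    """The 'control' half: the owner revokes a token by its id from the list.
    The token itself is unchanged; the endpoint simply stops honouring it."""
    if jti in ISSUED:
        REVOKED.add(jti)

def active_tokens(now=None):
    """The 'see' half: issued tokens that are neither revoked nor expired."""
    now = int(time.time()) if now is None else now
    return {jti: info for jti, info in ISSUED.items()
            if jti not in REVOKED and info["exp"] > now}

if __name__ == "__main__":
    tok = issue_token("https://example.org/", "https://client.example/", "post", 3600)
    print(tok)
    print(verify_token(tok, "post"))
    print(active_tokens())
```

The scope string here is space-separated, as in OAuth; a request to create a post needs `post`, and a token that only carries `post` is refused for anything else. Expiry is checked against the time passed in, so the same function serves both live requests and the owner’s token list.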

Maybe Aaron could chime in.

IndieWeb and POSSE

I’m trying to adhere to the IndieWeb principles, as my homepage states. The first step was to get the ability to create notes, or micro-blogging, and then syndicate these to other silos.

The most popular one by far, and the one I interact with most, is Twitter. So that’s what I’m looking to achieve initially; then I can integrate support for other silos. Currently things are going well.

My code is capable of syndicating notes to Twitter with a permashortcitation. If the note is too long it will elide at the appropriate word boundary and then add a permalink to the note.

Further, I can specify the URL of a particular tweet and the syndicated tweet will then be a reply to the original tweet, allowing for threading on Twitter.

This is done by combining two pieces of software. The main code that runs my site is where the actual interaction with Twitter occurs. The preparation work is done in my POSSE library, which creates the correctly formatted tweet and works out the reply-to status id. I don’t think it’s ready for other people to use yet though, and there are still some features to be added.
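The shaping rules above, as an added example written for this page rather than code from the author’s POSSE library: cut an over-long note at a word boundary, append an ellipsis and the permalink, and turn a tweet URL into the reply-to status id. The 140-character limit is Twitter’s at the time of the post; the 23-character counted length for the permalink, the behaviour for short notes (sent unchanged) and the sample note and URLs are assumptions made for this example.

```python
"""Added example (not the author's POSSE library): the tweet-shaping rules
described above.  TCO_LENGTH, the short-note behaviour and all sample values
are assumptions made for this example."""
import re

TWEET_LIMIT = 140
TCO_LENGTH = 23  # assumed: the length Twitter counts for any wrapped URL
ELLIPSIS = "\u2026"

def shape_tweet(note, permalink, limit=TWEET_LIMIT, link_length=TCO_LENGTH):
    """Short notes go out unchanged (assumption).  Long ones are cut at the
    last word boundary that leaves room for the ellipsis, a space and the
    permalink, counted at its wrapped length rather than its real one.
    Assumes the note itself contains no URLs (those would be wrapped too)."""
    if len(note) <= limit:
        return note
    budget = limit - link_length - 2
    cut = max(note.rfind(c, 0, budget + 1) for c in " \n")
    if cut <= 0:
        cut = budget  # one giant word: cut mid-word rather than send nothing
    return note[:cut].rstrip() + ELLIPSIS + " " + permalink

def reply_target(tweet_url):
    """Pull the screen name and status id out of a tweet URL.  Twitter only
    treats an update as a reply when in_reply_to_status_id is set *and* the
    text mentions the original author, so both parts are needed."""
    m = re.match(r"https?://(?:www\.|mobile\.)?twitter\.com/(\w+)/status(?:es)?/(\d+)",
                 tweet_url)
    if not m:
        return None
    return {"screen_name": m.group(1), "status_id": m.group(2)}

def shape_reply(note, permalink, tweet_url):
    """Compose the status-update parameters for a threaded reply."""
    target = reply_target(tweet_url)
    if target is None:
        raise ValueError("not a tweet URL: " + tweet_url)
    mention = "@" + target["screen_name"]
    text = note if note.startswith(mention) else mention + " " + note
    return {"status": shape_tweet(text, permalink),
            "in_reply_to_status_id": target["status_id"]}

if __name__ == "__main__":
    link = "https://example.org/notes/abc"  # constructed permalink
    print(shape_tweet(" ".join(["word"] * 40), link))
    print(shape_reply("hi there", link, "https://twitter.com/jonnybarnes/status/123456789"))
```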

Embedding Google Maps

When you want to embed a map of a location on a webpage, the first place to go is Google Maps. This process is slightly complicated for me as I am using the Maps Preview, which removes the default sharing options. Maybe this is a plan by Google to move all developers onto the Google Maps JS API, though how that benefits normal users who don’t know what JavaScript is I don’t know. The original method was to generate an <iframe> HTML block to put in your site. This was to me essentially undecipherable: all the options were cryptic URL parameters. Using a little JavaScript is much simpler. You define all your options and then add your map to the relevant <div>. Here is an example:

The example is on CodePen: Pen bfdLj by Jonny Barnes (@jonnybarnes).

Goodbye DumbQuotes

I’ve decided to stop using my DumbQuotes library on my site. I found that there were too many issues. Primarily with raw HTML and code-blocks. The straight-quotes in these sections all needed escaping so my library didn’t mangle anything. So I am now manually typing in curly-quotes using the appropriate keyboard shortcut. This is much simpler to maintain and keeps my markdown clean.

I have also slightly redesigned my site. I was using Skolar and Myriad Pro but found this a little clichéd. I am now using Prenton for titles and Livory for my body text. I’m liking the look so far. For readability I’ve also increased the font-size slightly.

How should non-profits spend money

Dan Pallotta gives an excellent TED talk about the differences in how the non-profit and for-profit sectors spend money. In summary, he suggests that our current attitude that charities must spend as little on overhead as possible is actually limiting the amount of good they can do. Who cares about the overhead? What matters is how much money actually gets spent on doing good. In order to grow that number, money will have to be spent. This shouldn’t be stigmatised like it currently is.