Publishing API: alternative authentication mechanism #552

Closed
kylewm opened this Issue Nov 19, 2015 · 7 comments

4 participants
@kylewm
Collaborator

kylewm commented Nov 19, 2015

Curious to get feedback on this. Totally open to criticism.

I have been wanting to pull a lot of the silo syndication stuff out of RedWind and delegate it all to Bridgy for a while, particularly now that Bridgy is more capable than my site is. The main thing stopping me is I don't really like the idea of embedding a link to brid.gy/publish/x in my posts -- I don't necessarily want to send the publish requests at the same time I send other webmentions, and I need a little special handling for the return value from them (i.e. to populate the syndication field of my posts).

I could of course have a routine that sticks the link in my html, sends the webmention, and then removes the link, but that rubs me the wrong way for some reason.

It would be great if, when I have authenticated on Bridgy, it would give me a token that I could send with the webmention request, in lieu of embedding a link on my site. (This would also help with the problem of the curl command below publish preview not working.) We could use JWT to avoid storing anything, or generate a token with uuid.uuid4 and stick it in the Source.

I think Bridgy only knows that I'm me immediately after an authorization, so I'd need to add a separate "Get Publish Token" button that would run through the auth process for publishing and give a token at the end. (like instead of just showing the token on the user's homepage)
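
The two token options proposed in the comment above, sketched as an added example; this is not Bridgy's code and not part of the original thread. It uses a plain HMAC-SHA256 signed token in place of a JWT library, and `SERVER_KEY`, the function and class names, and source keys such as `twitter/kylewm` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time, uuid

SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _tag(body: str) -> str:
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())

def issue_signed_token(source_key, ttl=3600, now=None):
    """Stateless option: signed claims, nothing stored on the server."""
    issued = int(time.time() if now is None else now)
    claims = {"src": source_key, "exp": issued + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_tag(body)}"

def verify_signed_token(token, source_key, now=None):
    try:
        body, tag = token.split(".")
    except ValueError:
        return False  # wrong number of parts
    # Check the MAC before parsing anything the client controls.
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = time.time() if now is None else now
    # Bound to one source and short-lived: expiry is the only "revocation".
    return claims["src"] == source_key and now < claims["exp"]

class StoredTokens:
    """Random-token option: revocable, at the cost of one stored value per
    source. Only a hash is kept, so a datastore read does not yield tokens."""
    def __init__(self):
        self._hash_by_source = {}

    def issue(self, source_key):
        token = uuid.uuid4().hex  # 122 random bits
        self._hash_by_source[source_key] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def verify(self, token, source_key):
        stored = self._hash_by_source.get(source_key)
        got = hashlib.sha256(token.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, got)

    def revoke(self, source_key):
        self._hash_by_source.pop(source_key, None)
```

The trade-off between the two is revocation: the signed token stays valid until it expires or the key is rotated, while the stored token can be withdrawn for a single source.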

@singpolyma

Contributor

singpolyma commented Nov 19, 2015

I would suggest: give the user the actual bearer token you got from twitter/facebook, and have them send via OAuth headers along with the webmention. Then pass straight through to twitter/facebook. Then you don't have to store anything.

@snarfed

Owner

snarfed commented Nov 19, 2015

thanks for the ideas all! we're discussing on IRC. cc @rhiaro.

i'm a bit reluctant to implement ideas like these because they'd be nontrivial complexity that i honestly suspect would only be adopted by single digits of users or so...but still definitely worth discussing!

my straw man counterproposal is, include bridgy publish links for every silo in every post, outside e-content, and trigger the bridgy publish wms when you click each "posse to X silo" button.

the main drawback is that someone could maliciously posse one of your posts to a silo you didn't intend to. oddly shaped threat, maybe not major, but definitely not ideal.

(the other drawback is that all posts have bridgy publish links in them, but that's less motivating for me personally.)

@kylewm

Collaborator

kylewm commented Nov 19, 2015

Thank you for your feedback and for summarizing the IRC discussion, @snarfed. I think my challenge now is to come up with a suggestion that adds negligible complexity and maintenance overhead to Bridgy, but still makes this easier to implement on my site ... or suck it up and add the logic @gRegorLove suggested to swap bridgy publish links in and out as the syndication urls

@kylewm

Collaborator

kylewm commented Nov 19, 2015

FWIW, it is kind of important to me to migrate so I can dogfood Bridgy Publish, instead of my own code which mostly just benefits me and Lancey.

@snarfed

Owner

snarfed commented Nov 20, 2015

@kylewm you win the spirit award by invoking self dogfood! I'm not nearly as good at it myself, but it's absolutely the right idea, and I've definitely witnessed it firsthand with bridgy: https://snarfed.org/2014-11-06_happy-1000th-bridgy#worked

there may well be something we can do here that serves you all and also doesn't scare me off. I'm open to finding it!

@dshanske

dshanske commented Nov 20, 2015

On some level, sending webmentions to publish something seems an odd overloading of the functionality.

@kylewm

Collaborator

kylewm commented Nov 20, 2015

Going to close this now, thanks for the spirited discussion! I'll open a new one if a simpler proposal occurs to me

@kylewm kylewm closed this Nov 20, 2015
