interactive publish: skip silo auth if there's a bridgy publish backlink #666

Open
snarfed opened this issue May 2, 2016 · 5 comments

Owner

snarfed commented May 2, 2016

...since the backlink proves that they intend to publish it with Bridgy. Requested by @tantek.

@snarfed snarfed added the publish label May 2, 2016
Owner Author

snarfed commented Jun 2, 2022

Thinking about this. I like it, and it would help us work around eg #911.

I'm worried about one scenario, though. Say a post includes a Bridgy Publish backlink, but doesn't actually trigger the publish. Someone else (ie not that site's owner) could then use the interactive UI on https://brid.gy/ to publish that post as that silo user at some arbitrary point in the future.

Realistically, I think at least some sites automatically include Bridgy Publish backlinks for some silos on many or all of their posts, eg maybe @jamietanna and @jalcine, among others? So they might be susceptible if they don't also automatically publish all of those posts.

@tantek et al, open to thoughts on the threat model here!


jalcine commented Jun 5, 2022

(heh, this issue number)

I actually disabled automatic syndication until I supported indieweb/micropub-extensions#4 (by way of https://git.jacky.wtf/indieweb/koype-next/issues/11) to do automatic syndication more accurately. That said, if I notice a failure on syndication, it follows an exponential retry flow (and I tend to check the logs often after I post, so I'd be able to debug).

That said, is it more of an idea/request to implicitly authenticate people if they have everything in place to publish posts?

(Originally published at: https://jacky.wtf/2022/6/YDYq)

Owner Author

snarfed commented Jun 5, 2022

> That said, is it more of an idea/request to implicitly authenticate people if they have everything in place to publish posts?

Right, this.


jalcine commented Jun 5, 2022

Interesting! I figure some level of user intervention was required for things like Twitter or Tumblr. If not, that would be very nice to have (and would be one less step for people).

(Originally published at: https://jacky.wtf/2022/6/F65c)

Owner Author

snarfed commented Jul 21, 2022

Looked at this a bit. It's not easy right now, due to the way we handle the OAuth check for interactive publish requests. We do the OAuth redirect and dance first, before we fetch the source page. To do this, we'd need to add a new server-side handler before the OAuth dance that fetches the source page and checks for the backlink. Doable! But nontrivial.
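The backlink check that such a pre-OAuth handler would run on the fetched source page, as an added example that is not Bridgy's code and not part of the thread. It assumes publish backlinks have the form `https://brid.gy/publish/<silo>`; the function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a Bridgy Publish backlink is a link to https://brid.gy/publish/<silo>.
BRIDGY_HOSTS = {"brid.gy"}

# Constructed sample source page: one real backlink, one commented out,
# and one lookalike host that must not count.
SAMPLE = """
<article class="h-entry">
  <p class="e-content">Hello world</p>
  <a href="https://brid.gy/publish/twitter"></a>
  <!-- <a href="https://brid.gy/publish/flickr"></a> -->
  <a href="https://brid.gy.example.com/publish/github">not Bridgy</a>
</article>
"""

class _LinkCollector(HTMLParser):
    """Collects href values from <a> and <link> elements only."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())

def publish_backlink_silos(html):
    """Return the set of silos the page carries a publish backlink for."""
    collector = _LinkCollector()
    collector.feed(html)  # markup inside HTML comments is never reported as a tag
    silos = set()
    for href in collector.hrefs:
        try:
            url = urlsplit(href)
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        parts = url.path.strip("/").split("/")
        # Match on the parsed hostname, not a substring of the raw href.
        if (url.scheme in ("http", "https") and url.hostname in BRIDGY_HOSTS
                and len(parts) == 2 and parts[0] == "publish" and parts[1]):
            silos.add(parts[1].lower())
    return silos

def needs_silo_oauth(html, silo):
    """Hypothetical decision: skip OAuth only for a backlink to this exact silo."""
    return silo.lower() not in publish_backlink_silos(html)
```

This covers only detection of the backlink. It does not address the scenario raised earlier in the thread, where a post carries a backlink but its owner never triggered the publish.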
