Implement IndieAuth client changes detailed in Aaron's article, including OAuth 2.0 PKCE (Proof Key for Code Exchange).

Hi,

I think there's a bug with the encoding checkbox.

After I log in, the JSON option is ticked. However, if I create a post it goes form-encoded. I have to click again on JSON to make sure it will be sent as JSON after.

For folks who prefer dark mode, we should have support in the CSS to render as such.

Looking at the code, we may be able to bump to the newest version of Bootstrap to get this?

To help debug login issues and other errors the app should provide feedback to the user. Currently just borks with a 500 Internal Server Error.

Hey!

According to the spec, a client identifier must contain a path (emphasis added):

Clients are identified by a [URL]. Client identifier URLs MUST have either an https or http scheme, MUST contain a path component, MUST NOT contain single-dot or double-dot path segments, MAY contain a query string component, MUST NOT contain a fragment component, MUST NOT contain a username or password component, and MAY contain a port. Additionally, host names MUST be domain names or a loopback interface and MUST NOT be IPv4 or IPv6 addresses except for IPv4 127.0.0.1 or IPv6 [::1].

It is not a problem for me, but I bumped into someone that could not log in in Micropublish because they were strictly verifying that 😃 Perhaps it would be great to add that here.

If you use a full URL for client_id, then you can get the IndieAuth server to show app info during authorization! Use h-x-app markup to point to the app's name and logo. https://indiewebcamp.com/h-x-app

Hey - it would be really nice if Micropublish supported adding location to posts similar to Quill. Unfortunately Quill only adds Location to notes, but it'd be great if that was an option for all post types. 😃

Every time I do anything, Micropublish.net makes dozens of GET requests to my Micropub endpoint, until one returns 404 and then it proceeds normally. I'm not sure if this is an issue on my implementation or not.

If I open Micropublish.net, click on "Note", it happens. Quill and others do not have this behaviour.

This is the list of requests:

/micropub?q=config
/micropub?q=config
/micropub?q=config
/micropub?q=config
/micropub?q=config
/micropub?q=config
/micropub?q=config
/micropub?q=config
/micropub?q=syndicate-to&post-type=note
/micropub?q=channel
/micropub?q=config

When I try to log in with my wordpress.com page, it just redirects to the login page with no error.

Wild guess, this may be because wordpress.com makes you use <a> instead of <link> for the rel= properties.

https://micropublish.herokuapp.com/auth?me=https%3A%2F%2Fkylewm.com

gives a 500: Internal Server Error

Now we've added support for autoconfiguration, I've spotted that when publishing a note (which has a required published property) it requires the user to fill it out, rather than it be auto-generated - is that expected?

The implementation report says that Micropublish can create a post with a nested Microformats2 object. I don't see anything in the interface that supports this. How can I do this?

Store me in the session and use in the callback method instead of from params. It's currently possible to spoof me and so is/will be deprecated in IndieAuth.

See also:

• aaronpk/Quill#79
• aaronpk/IndieAuth.com#85
• Inklings-io/selfauth#10

Support the creation of photo posts.

For now this would be limited to specifying photo URL(s), not the uploading of photos.

It should still be possible to create a form-encoded post, but JSON should be the default.

Look for channels via q=channel.

If an array of channels is found, display a channels dropdown using uid for the value and name for the label.

Include mp-channel=uid in the Micropub post's properties.

The app crashes in lib/micropublish/auth.rb in confirm_auth? when trying to make a post to an invalid URL. In my case the SSL cert it was trying to post to was self-signed so it didn't recognize it. Should probably try to handle this error better.

Currently Micropublish allows you to log in with one of two preset scopes:

1. post
2. create update delete undelete

It's not possible for a user wishes to log in and only select the create scope, for example.

Allow for individual scopes to be selected and sent for authorisation.

On the dashboard, under ‘Modify an existing post’, I enter the following URL:

https://paulrobertlloyd.com/notes/1670453319/

I get a ‘Something went wrong’ page, with the following error:

undefined method `key?' for nil:NilClass

It appears that this form is attempting to make a request to my Micropub endpoint. This provides the following response:

// GET https://kit.paulrobertlloyd.com/micropub
//     ?q=source
//     &url=https://paulrobertlloyd.com/notes/1670453319/

{
  "items": [
    {
      "type": [
        "h-entry"
      ],
      "properties": {
        "content": [
          {
            "html": "<p>Just read that there’s another <em>Motherland</em> Christmas special this year, airing 23 December on BBC One. This is truly excellent news!</p>",
            "value": "Just read that there’s another _Motherland_ Christmas special this year, airing 23 December on BBC One. This is truly excellent news!"
          }
        ],
        "name": [
          ""
        ],
        "post-status": [
          "published"
        ],
        "mp-syndicate-to": [
          "https://web.archive.org/"
        ],
        "published": [
          "2022-12-07T22:48:39.115Z"
        ],
        "mp-slug": [
          "3yacw"
        ],
        "post-type": [
          "note"
        ],
        "url": [
          "https://paulrobertlloyd.com/notes/1670453319/"
        ],
        "syndication": [
          "https://mastodon.social/@paulrobertlloyd/109474833616087287",
          "https://twitter.com/paulrobertlloyd/status/1600623663425851392"
        ]
      }
    }
  ]
}

Is this not the response Micropublish is expecting, or is there something missing?

When a post contains properties that Micropublish doesn't support, such as featured, the Micropublish UI doesn't render that property.

I think that's quite reasonable, as there's not necessarily a point showing a property we don't understand.

However, when sending an update request, it appears that Micropublish is deleting the properties it doesn't understand, rather than just ignoring them.

Is that intentional?

{
  "type": [
    "h-entry"
  ],
  "properties": {
    "summary": [
      "How to source your Chef Gem dependencies from your Chef cookbook's `metadata.rb` instead of duplicating them between files."
    ],
    "code-license": [
      "Apache-2.0"
    ],
    "featured": [
      "/img/vendor/chef-logo.png"
    ],
    "name": [
      "Managing Your Chef Gem Dependencies More Easily in your `Gemfile`"
    ],
    "prose-license": [
      "CC-BY-NC-SA-4.0"
    ],
    "published": [
      "2021-03-24T13:42:37+0000"
    ],
    "category": [
      "blogumentation",
      "chef",
      "ruby"
    ],
    "post-status": [
      "published"
    ],
    "content": [
      "..."
    ]
  }
}

{
  "action": "update",
  "delete": [
    "code-license",
    "featured",
    "prose-license"
  ],
  "replace": {
    "content": [
      "..."
    ]
  },
  "url": "https://www.jvt.me/posts/2021/03/24/chef-cookbook-gem-metadata/"
}

Replies and reposts can contain photos too.

It would be appreciated if micropublish would allow for photos to be added to these type of posts too.

Some config responses are >4K which is too big for cookie storage.

HTTParty escapes query string values, but seemingly doesn't escape keys.

When Micropublish includes a properties[] key as a query parameter some servers (in particular, Jamie Tanna's Apache Tomcat server) reject those requests.

Keys should be escaped before making HTTParty requests.

Alongside post-status (see #35), visibility is now considered a stable extension.

Add this as a property with the following options, to follow the suggestions on the IndieWeb wiki:

1. public
2. unlisted
3. private

If you try to reply to an ActivityPub post (Pleroma, Mastodon, or even my website), the website hangs via the bookmarklet and when submitting. I'm not sure if it's related to ActivityPub posts, but it only happens with replies. It feels extremely random and I can't pinpoint the reason.

Hey there! Thank you for micropublish! I use it heavily to edit my posts to add syndication links. :}

I recently made a post with an in-reply-to URL. I wanted to change that to a simple mention, with the URL in the body. However, when I blank the in-reply-to field during an edit, micropublish won't let me submit the form, asking me to please enter a value for that field.

Expected behavior: micropublish detects the change and sends a micropub edit request to remove that attribute from the post.

Thanks again!

Similar context to #79, but would enable Micropublish to perform the refresh token grant in the case of the 401/403 response, and only send the user on the authorization journey if the refresh token grant fails.

I've just done an update via MIcropublish and it looks like the emoji are being stripped:

-  - Massively threw off the plans, ruining a few days down in London with the family, and seeing other fam which was a shame, but the right call - even though on Friday Morph was basically fine again 🙄
+  - Massively threw off the plans, ruining a few days down in London with the family, and seeing other fam which was a shame, but the right call - even though on Friday Morph was basically fine again ����

Something that's been discussed a bit in the past, and we're starting to see more adoption of, is expiring tokens in IndieAuth.

This would see an IndieAuth Resource Server, in this case the Micropub Server, returning HTTP 401 or HTTP 403s for bad authentication sent by the client, in the case that the token is no longer valid.

This would require handling these errors, and sending the user through a fresh authorization journey to receive new tokens.

As we're starting to see servers supporting this, it'd be good to have one of the more popular clients supporting this!

Related reading:

• indieweb/indieauth#81
• indieweb/Micropub#5
• w3c/Micropub#107

When logging in with https://commentpara.de/, a user URL of https://commentpara.de/user/3.htm is returned to the micropub client. Quill does this correctly.

Micropublish only uses only the originally input http://commentpara.de as the user name, leading to a post error:

There was an error making a request to your Micropub endpoint. The error received was: {"error":"forbidden","error_description":"Invalid user URL"}

Micropublish should use the final me URL, not the user-input one.

I'm using my own server implementation (https://codeberg.org/ulpa/minibar). It response with http 201, a location header and an empty body. The tests on micropub.rocks pass, so there shouldn't be any issues with the server.

alt is a required attribute of the <img> element and should be provided in any use of images on indieweb pages from photo posts.

source: https://indieweb.org/alt

Add support for indieweb/micropub-extensions#33

Query for this data in the server's Micropub endpoint via q=config and use to define post-type presets for Micropublish's interface. If the data is missing then fall back to the default.

With post-status now considered a stable property, add the property as a default option to posts.

Hello 👋

I've been using Micropub for months and using micropublish.net to publish all my microinteractions. However, I never use the Articles publishing feature because I simply don't want to write HTML. It would be nice to be able to choose between editing HTML or just raw content.

I haven't looked at the code, but I could probably work on implementing that if that's something that'd be welcome!

It'd be quite useful to have a front-end for publishing events to my site via Micropub (via form POST).

Would this be something you'd be interested in if I contributed it via a PR?

Which is different to when we're creating a post, and can specify text

This is on a server that doesn't provide the q=properties extension.

It would be great for some entry types to add selected text into content, for instance bookmarking takes the URL, title page, adding a pre-selection in the original window into the content would help contextualize more the bookmark.

https://developer.mozilla.org/en-US/docs/Web/API/Window/getSelection

Allow for files to be uploaded via the user's Micropub media endpoint.

Consider also supporting management of those files, e.g. deleting.

Support filtering of syndication targets using a post-type parameter so that only the appropriate targets are returned for the chosen post type. For example, for bookmarks, select a bookmarking provider.

Also, support a checked property for when the user is likely to always want the target selected. For example, if the user always wants notes syndicated to Twitter.

• Filter by post-type indieweb/micropub-extensions#23 (comment)
• Checked property: indieweb/micropub-extensions#23

I'm seeing this in the error log for silo.pub

2015-07-28 01:06:33,459 - feverdream.app - WARNING - client_id mismatch. expected=https://micropublish.herokuapp.com, received=

also I don't think it's necessary to verify the auth code against the authorization endpoint (and it's not actually required for authorization endpoints to support verification for micropub). You can just skip right to asking the token endpoint for a token.

As noted in #85, Micropublish fetches config data multiple times per request. This is unfriendly towards servers and can result in slow page loads.

My suggestion is to store the config data in Redis using the user's URL as the key. When a user logs out their data would be removed. It should also be automatically expired after 24 hours.

If Redis is not available the fallback should be to fetch on each request. This avoids introducing a breaking dependency for those running Micropublish elsewhere.

https://indieweb.org/Web_App_Manifest

New thought on client discovery

It would be great to have an auto-completion feature for the categories, as described here:
https://indieweb.org/Micropub-extensions#Query_for_Category.2FTag_List
I might give it a try someday, but my ruby skills are a little bit rusty. What do you think?

I've noticed that recently, when publishing posts to my staging server (and I think sometimes my Production server, too) I don't get the handy redirect functionality I love in Micropublish.

I'd thought it was due to the way that I'd made my Micropub endpoint perform content-negotiation, and return an HTML representation if HTML was acceptable, but it looks like it's due to session limits, as running locally, I see:

Warning! Rack::Session::Cookie data size exceeds 4K.
Warning! Rack::Session::Cookie failed to save session. Content dropped.

When dumping the session before it adds the URL, I see the below object, which is ~5200 bytes already:

{
  "session_id": "................................................................",
  "state": "ICQ1Ogbhr7BzjiNDdGZn",
  "scope": "create update delete undelete",
  "me": "https://www.staging.jvt.me/",
  "code_verifier": "....................................................................................................",
  "micropub": "https://www-api.staging.jvt.me/micropub",
  "authorization_endpoint": "https://indieauth.jvt.me/authorize",
  "token_endpoint": "https://indieauth.jvt.me/token",
  "token": "........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................",
  "flash": {
    "type": "success",
    "message": "You are now signed in successfully\n          as \"https://www.staging.jvt.me/\".\n          Submit content to your site via Micropub using the links\n          below. Please\n          <a href=\"/about\" class=\"alert-link\">read&nbsp;the&nbsp;docs</a> for\n          more information and help."
  },
  "config": {
    "syndicate-to": [
      {
        "uid": "https://brid.gy/publish/github",
        "name": "Brid.gy GitHub Syndication"
      },
      {
        "uid": "https://news.indieweb.org/en",
        "name": "IndieNews"
      },
      {
        "uid": "https://indieweb.xyz/en/blogging",
        "name": "/en/Blogging"
      },
      {
        "uid": "https://indieweb.xyz/en/indieweb",
        "name": "/en/IndieWeb"
      },
      {
        "uid": "https://indieweb.xyz/en/tools",
        "name": "/en/Tools"
      },
      {
        "uid": "https://indieweb.xyz/en/microformats",
        "name": "/en/Microformats"
      },
      {
        "uid": "https://brid.gy/publish/twitter",
        "name": "Brid.gy Twitter Syndication"
      },
      {
        "uid": "https://brid.gy/publish/meetup",
        "name": "Brid.gy Meetup Syndication"
      }
    ],
    "media-endpoint": "https://www-api.staging.jvt.me/micropub/media",
    "q": [
      "post-types",
      "contact",
      "syndicate-to",
      "source",
      "category",
      "config",
      "properties"
    ],
    "post-types": [
      {
        "type": "bookmark",
        "name": "Bookmark",
        "h": "entry",
        "properties": [
          "bookmark-of",
          "name",
          "published",
          "category",
          "content",
          "syndication"
        ],
        "required-properties": [
          "bookmark-of",
          "name",
          "published"
        ]
      },
      {
        "type": "like",
        "name": "Like",
        "h": "entry",
        "properties": [
          "like-of",
          "published",
          "category",
          "content",
          "name",
          "syndication"
        ],
        "required-properties": [
          "like-of",
          "published"
        ]
      },
      {
        "type": "reply",
        "name": "Reply",
        "h": "entry",
        "properties": [
          "content",
          "in-reply-to",
          "published",
          "category",
          "name",
          "photo",
          "syndication",
          "mp-photo-alt"
        ],
        "required-properties": [
          "content",
          "in-reply-to",
          "published"
        ]
      },
      {
        "type": "reads",
        "name": "Reading",
        "h": "entry",
        "properties": [
          "published",
          "read-of",
          "read-status"
        ],
        "required-properties": [
          "published",
          "read-of",
          "read-status"
        ]
      },
      {
        "type": "repost",
        "name": "Repost",
        "h": "entry",
        "properties": [
          "published",
          "repost-of",
          "content",
          "category",
          "syndication"
        ],
        "required-properties": [
          "published",
          "repost-of"
        ]
      },
      {
        "type": "rsvp",
        "name": "RSVP",
        "h": "entry",
        "properties": [
          "in-reply-to",
          "published",
          "rsvp",
          "category",
          "content",
          "syndication"
        ],
        "required-properties": [
          "in-reply-to",
          "published",
          "rsvp"
        ]
      },
      {
        "type": "note",
        "name": "Note",
        "h": "entry",
        "properties": [
          "content",
          "published",
          "category",
          "syndication"
        ],
        "required-properties": [
          "content",
          "published"
        ]
      },
      {
        "type": "photo",
        "name": "Photo",
        "h": "entry",
        "properties": [
          "photo",
          "published",
          "mp-photo-alt",
          "category",
          "content",
          "syndication"
        ],
        "required-properties": [
          "photo",
          "published",
          "mp-photo-alt"
        ]
      },
      {
        "type": "step",
        "name": "Step Counts",
        "h": "measure",
        "properties": [
          "unit",
          "num",
          "published",
          "start",
          "end"
        ],
        "required-properties": [
          "unit",
          "num",
          "published",
          "start",
          "end"
        ]
      },
      {
        "type": "event",
        "name": "Event",
        "h": "event",
        "properties": [
          "end",
          "name",
          "published",
          "start",
          "content",
          "url"
        ],
        "required-properties": [
          "end",
          "name",
          "published",
          "start"
        ]
      },
      {
        "type": "contact",
        "name": "Contact",
        "h": "card",
        "properties": [
          "name",
          "nickname",
          "url",
          "rel=twitter"
        ],
        "required-properties": [
          "name",
          "nickname",
          "url"
        ]
      }
    ]
  },
  "post_types": {
    "bookmark": {
      "name": "Bookmark",
      "icon": "bookmark",
      "properties": [
        "bookmark-of",
        "name",
        "published",
        "category",
        "content",
        "syndication"
      ],
      "required": [
        "bookmark-of",
        "name",
        "published"
      ]
    },
    "like": {
      "name": "Like",
      "icon": "heart",
      "properties": [
        "like-of",
        "published",
        "category",
        "content",
        "name",
        "syndication"
      ],
      "required": [
        "like-of",
        "published"
      ]
    },
    "reply": {
      "name": "Reply",
      "icon": "reply",
      "properties": [
        "content",
        "in-reply-to",
        "published",
        "category",
        "name",
        "photo",
        "syndication",
        "mp-photo-alt"
      ],
      "required": [
        "content",
        "in-reply-to",
        "published"
      ]
    },
    "repost": {
      "name": "Repost",
      "icon": "retweet",
      "properties": [
        "published",
        "repost-of",
        "content",
        "category",
        "syndication"
      ],
      "required": [
        "published",
        "repost-of"
      ]
    },
    "rsvp": {
      "name": "RSVP",
      "icon": "calendar-check-o",
      "properties": [
        "in-reply-to",
        "published",
        "rsvp",
        "category",
        "content",
        "syndication"
      ],
      "required": [
        "in-reply-to",
        "published",
        "rsvp"
      ]
    },
    "note": {
      "name": "Note",
      "icon": "comment",
      "properties": [
        "content",
        "published",
        "category",
        "syndication"
      ],
      "required": [
        "content",
        "published"
      ]
    }
  }
}

https://www.staging.jvt.me/post#ewogICJkYXRlIiA6ICIyMDIxLTAyLTEwVDEyOjU1OjE3WiIsCiAgImRlbGV0ZWQiIDogZmFsc2UsCiAgImgiIDogImgtZW50cnkiLAogICJwcm9wZXJ0aWVzIiA6IHsKICAgICJzeW5kaWNhdGlvbiIgOiBbICJodHRwczovL2JyaWQuZ3kvcHVibGlzaC90d2l0dGVyIiBdLAogICAgInB1Ymxpc2hlZCIgOiBbICIyMDIxLTAyLTEwVDEyOjU1OjE3WiIgXSwKICAgICJjb250ZW50IiA6IFsgewogICAgICAiaHRtbCIgOiAiIiwKICAgICAgInZhbHVlIiA6ICJmc2QiCiAgICB9IF0KICB9LAogICJraW5kIiA6ICJub3RlcyIsCiAgInNsdWciIDogIjIwMjEvMDIvZ3F5eGkiLAogICJjbGllbnRfaWQiIDogImh0dHA6Ly9sb2NhbGhvc3Q6OTI5MiIKfQ==

Thought it'd be interesting to share, and definitely an artefact of the verbosity of the proposed Micropub server properties syntax, and may only affect me, in which case I'm happy leaving it as-is, or whether we look at the url being passed into the querystring (if that also doesn't hit limits)

For users who don't wish to grant Micropublish create+ access, or for those who always want to create draft posts.

By selecting only the draft scope, all requests will be sent to the server with post-status=draft in the properties. The post-status dropdown will be replaced with a label indicating draft status.

This implements indieweb/micropub-extensions#24

Tried your code with my WordPress endpoint and am getting a PKCE validation failure. I've had PKCE for a while and it does work with other PKCE clients.

The specification now refers to h-app.