Allow /users/me to return content.markdown_text= with the markdown reversed.

Either query parameter, or only on the me call.

https://posts.pnut.io/218988

Websocket connections for individual users would be massively useful for some cases, and even reduce load when used instead of polling.

This requires a massive reworking on the backend, first.

It can be done as a client feature, but doing it serverside has a few advantages:

• Cross platform. Mute in one client on the phone, have a quiet life on the computer
• (Slight) performance increase. Clientside means fetching and transmitting all posts, then filter. Serverside filtering saves data as the filtered posts won’t even be transmitted

It’s absolutely not a priority though

App.net paginates streams by providing a max_id and min_id in the response metadata of a request. Developers can then use these values to request more objects in the stream. This is great for fetching from the beginning and ends of streams because one can save the values in the model layer. However, things got tricky when you want to load from the middle of a stream where the min/max_id isn't know (I do this when I trim a stream and when I load missing data in gaps).

In these scenarios one can use a paginated object's pagination_id value. For user/post streams these are often the exact same as the id value. This is redundant but provides a consistent API for loading paginated streams regardless of what kind of objects were in the stream.

I understand this is kind of a non-issue at the moment because non-user/post streams are still under construction and I can easily just use the id value like a gentleman. However, when non user/post streams are finished I would love to have a consistent "pagination_id" value across all streams that can be paginated. If this conflicts with the backend structure, a simple notation in the docs about which values can be used as before/since_id values would also suffice.

When setting up my new account yesterday, I went to this page: https://pnut.io/account/rss and enabled RSS.

The page gave me two URL's one for a personal stream, one for a unified stream. I copied them and added them to my RSS reader. The RSS reader complained that the links were invalid.

Checking the links via curl on the command line, the server was returning HTTP Error code 500 for both URLs.

When I check the URLs now, they are working as expected. So either there was an issue yesterday that's been corrected (if so, close this ticket and ignore), or the streams take some time before they're actually set up and working. If that's the case, there should be a note on the page to indicate that.

The subscribed channels list should be ordered by recent message and creation, not channel ID.
https://pnut.io/docs/resources/channels/lookup#get-users-me-channels-subscribed

Just checked this endpoint while looking for missing endpoints in pnut-butter and it looks like this one does not work as intended. /users/@33MHz/clients from the doc example shows a couple of clients, but /users/@kwood/clients does not. (checked with user ids instead of usernames and with other developers that have their client listed in the app directory).

Hardcoded? :P

The way PMs are handled, I can't look up the ID of a PM between me and other people unless I know the ID of the channel (if it exists). If it's not in the first 20 (or first 200) channels I'm subscribed to, or something similar, it can be hard to find out if a channel exists already. It would be convenient to be able to look that up.

Submit a list of user_ids/@-usernames and return the existing PM channel_id if it exists.

And checking your in the right repo - that would also be good.

e.g., https://posts.pnut.io/83954

I am working on the details of implementing "raw" data, that can be attached to a post or message on creation (immutable), or a user or channel at any time (mutable).

Current spec:

Up to 10 items of up to 800 bytes each can be added to those four objects.

Users and channels can include an ACL for each item for visibility. User and channel raw can be updated with the user and channel PUT requests. Visibility for individual raw items can be this:

Read ACL

Not having implemented it yet, there may be performance issues with the Read ACL.
A concern with a set number of items with byte limits like I've proposed vs one large blob is that something like image metadata might not fit in 800 bytes. Not sure on that, though. The set number of items seems most useful to me on users, more than posts, messages, or channels.

There are some other details, but that is the general idea. Thoughts?

The redirect_uri should authenticate regardless of the query parameters on it.

And add curl examples.

Minor issue. Seems if you try to create a one time password and name it "0" (just a single zero), the page reloads as normal, but no password is created.

Do One time passwords need names? At first I thought there were like App passwords, where you could create a password and use it repeatedly in just one specific app. But the password is deleted once it's used (yes, hence the name 'one time password'). It seems you could save the user a step and just use the date the password was generated for the name instead of asking for a custom name that will be deleted momentarily anyway. I tend to just hit one random key as the name (which is how I find this 0 bug).

sevan asked to be able to verify more than one domain. I'm open to other verifications, as well. Something to think about.

Should I? I didn't realize Twitter allows them. ADN doesn't. It's not important to me, but the Germans have been adding them--I assume out of familiarity with Twitter. 🤷‍

*Correction: ADN does! It's a deal.

On this page: https://pnut.io/account/support there's an option to "Show badge on our profile".

Using a newly generated, paid account, when enabling the checkbox to show the badge and hitting save, the error "You have no badge to show." is displayed.

User should be able to turn that badge on.

On this page: https://pnut.io/join a new user can create an account. There's a password field, and underneath it states: "Password must be 7 to 128 characters."

1. The length doesn't seem to be checked. As long as there's 1 character in the field, the user can proceed to the next step of the account creation (payment in the example here)

2. No other constraints are required for the password when creating an account. In my case, I created a long password (8 words separated by dots). However, after the account is successfully made, you can go to this page: https://pnut.io/account/security to change your password. Here it also states "Passwords must be 7-128 characters.", but when trying to change the password, there are additional constraints that must be met. "Passwords must include lowercase and a number". This validation is applied to the current password as well, making it impossible* for a user to change their password if it didn't already coincidentally meet those requirements.

*impossible, unless you edit the source of the web site and remove the validation, at which point the server does actually change the password. Removing the client side validation also allows you to again pick a new password that doesn't meet the set requirements. I.e.:, the client is enforcing rules not required by the server.

The password change form should not validate the current password (other than standard input validation, checking for SQL Injection etc). The server side check to see if the password is correct should suffice and allow anyone to change their password regardless of what the password criteria was when the password was created. Next, the client side validation fo the new password should match the server side validation.

3. While not really a bug, I'd suggest changing the password requirements to be 12-128 characters, and drop the lowercase and number requirement. That makes the minimum password more secure, and works with more password manager password generation systems.

Need to consider the viability.

https://indieweb.org/microformats
https://indieweb.org/webmention

The link stays the same, which isn’t the case when deleting/re-uploading a file. I want to build an overview over the clients and their supported features. Being able to update files means I can share/link to it once and don’t have to update it every time it changes. My plan was to do it as markdown formatted file instead of hosting it as website.

It could be a relatively simple implementation, e.g. adding a ‚version‘ field to the file object and the ability to update a file

Currently, chat rooms (io.pnut.core.chat channels) do not have E-mail notifications or counters returned in meta data, which private messages (io.pnut.core.pm channels) do have.

This is a major feature, that would also require creating a payments layer. There are a handful of possible forms, but they are all likely to have a reasonable cost associated.

https://posts.pnut.io/7158 should include a mention.

This page: https://pnut.io/account#profile allows a user to edit their avatar, cover photo, name and description.

It appears to be one form. A user is likely to enter their name, type in a description (possibly a few paragraphs), select an image file from their computer to use as their avatar, hit upload, and boom. They've just lost everything they'd typed into the description field. Granted it's not a lot of information, but it still could have been 10-15 minutes of work as someone meticulously attempts to introduce themselves to this new community. And then it's all lost because the form didn't tell the user it was about to be cleared when the file was uploaded, or the form didn't just keep that information available when the page reloaded. Ideally this would be just one form, remove the separate "Upload" buttons, and just have the files uploaded when "Update" is pressed. (Even better if the photo just automatically uploaded in the background as it was selected).

These issues have been tested using Apero on macOS, but appear to be related to all third party clients using the web login form.

1. When attempting to log in, the user is presented with this screen:

If the user enters an incorrect username/password pair, an error message is displayed:

Note that in the first screen, there's no links for "Apps", "Updates", "Docs", or "Login" at the top, and no links in the footer at the bottom. The incorrect login has taken the user to the normal web login page, rather than back to the third party specific login page. Even if the user correctly enters their info now, the third party app will never been sent the credentials needed. The pnut.io web page just loads in the window instead.

2. If MFA is enabled on your account, it's impossible to log into a third party app. The username/password is accepted, and then this screen is displayed (as expected):

However, after entering the MFA code, the screen just goes back to the standard login form (with all the header/footer links again).

I've listed both of these bugs in one issue since they likely have the same root cause (or are at least related). It appears as though the app token/redirect link etc is lost when a second page is loaded, whether it be the login page again (after a failed login), or the MFA screen.

Return user's E-mail address on their token object when "email" scope is authorized.

Currently can look up actions against posts at /posts/{post_id}/actions with optional filters. It would be good to be able to pull up specifically bookmarkers and reposters of a post as User objects, not Action objects.

User, channel, message, post. Client?

That is, the inverse of ?channel_types=: ?exclude_channel_types=.

Let me know what you would like to be fleshed out better/explained for devs or end-users.

(updated list)

• pagination (since_id, before_id, special markers...)
• include_muted=1
• how invites work (and replenish)
• community guidelines for NSFW, bot vs feed vs human, invites
• app streaming how-to
• copy mentions (/@username)
• markdown links ([markdown](link.com "title"))
• what content to escape (user name, app name, file name)
• canonical post and user URLs (https://posts.pnut.io/{post_id}, https://pnut.io/@username)
• explain URI Templates (object_id)
• give examples of scope usage
• redirect URI requirements
• what happens when you change a client's active status (and the process of putting an app in the directory)
• avatar and cover image resolution, max size (2MB, 4MB)
• allowed locales and timezones
• X-PRETTY-JSON header
• examples for every endpoint's allowed/required scopes
• specify max lengths for all fields (messages, posts, less common ones...)
• app stream examples
• examples for each option for endpoints (e.g., files can be uploaded as multipart/form or application/json)
• list of file types that are uploaded encoded as utf-8
• audio oembed specifics (only duration required...)
• detail email scope

Currently the API listens for entities.links being submitted for objects, but doesn't actually use any links that are submitted.

To have one field for a handful of parsable statuses, and another for an optional free-form explanation. Would have to decide what standard statuses to use.

Something like

{
  "id": 1,
  "last_seen_at": "2016-12-22T19:39:38Z",
  "presence": "online|busy|offline|...",
  "description":"building Rome"
}

io.pnut.core.crosspost

What else?

Currently only retains the HTML and text of the original.

Clients should be allowed to create multiple tokens for the same user account, and currently it simply replaces the old token.

Allow app streams to include raw.

So developers can detail features, requirements, and how to use.

App Streams need extensive filtering options (and the ability to include raw on objects).

In order to provide a better and more native user experience on mobile apps there should be authentication flow that can avoid the OAuth web view tango.

In the App.net API, this was called Password Flow.

Since I have endpoints for retrieving additional data on clients by their ID, it seems like it could be helpful to allow developers to detail a "description" for their client.

When signing up for a new account (paid or with an invite code), an initial email to verify the email address is not sent. The user needs to go to this page: https://pnut.io/account/discovery_and_identity and request a 're-send'.

After requesting the re-send, this alert is displayed:

"A verification E-mail has been re-sent to the new address. Until it is verified, the old address will continue to be used."

Technically it's not a new address, it's using the existing address. Granted, it's a bit of a nitpick, but the issue continues. Two emails will be sent to the email address. One with a link to verify the email address and the text "Someone has requested that your pnut.io E-mail address be changed". No one requested a change. Only a verification of the same email. The second email sent is worse and includes the text: "Someone has requested that your pnut.io E-mail address be changed from [email protected] to [email protected]. If this has been in error, please contact [email protected] immediately, or change your E-mail address back, if you can." The whole message is pointless since it's the same email address.

I hope I haven't overlooked something, but:

When calling channel endpoints, like /users/me/channels/subscribed, it would be useful to have a (optional) array of subscribers in the response, similar to what I get from /channels/{channel_id}/subscribers.

My use case:

I want to render a list of all subscribed channels; and if it's a PM-channel, I want to display the username alongside - without doing an additional request.

When building a list of current chat/PM channels, I can't tell exactly who the recipient is without doing
If someone messages me first, I can get the value out of owner. But If I initiated the conversation, the only hint is the user id found in acl.write.user_ids – but that requires keeping track of the users in the application if I want to map the id to the correct username.

Thoughts?

Allow a user to create a client for themselves to use.

App.net provides an endpoint that makes sending push notifications possible, it is called App Streams. It is an endpoint that a client (in my case a server) can monitor and pass on parsed notifications (mentions, PMs, follow/unfollow etc) to APNS or another push notification platform.

I would love to see a similar endpoint for pnut.io so I could provide users with realtime notifications on their devices.

Not include posts directed (leading mentions) at users I don't follow.

Hard for me to implement without a performance penalty. Have been considering it for months.