busybee fluffy rambles

There’s new versions of Publ and Authl in town, and they support some fun stuff with user profiles. Go and check it out!

Ugh, I really want to support dark mode (it’s a big accessibility win!) but right now my stylesheets are such a mess and Isso does a couple of aggravating things that makes it hard to correctly do dark mode themes. Namely that it provides its own inline stylesheet that is difficult to override correctly (without just throwing the whole thing out and remaking it from the ground up).

I wish more things used CSS variables by default – they’re very well-supported now and make it a lot easier to reason around themes. One of these days I’m going to get around to redoing all my stylesheets and use them for all colors and probably for most of my sizing.

I finally got around to making a better store page. It’s still not great but it’s better than just linking to either my Threadless or Storenvy or whatever, and I’ll be able to backfill a bunch more of my items into it eventually.

There’s a lot of stuff I’d like to change of course, but this at least gives me a hook to setting up my own PayPal/Stripe/etc. cart as well.

Anyway I’m glad that Publ is in a state where it’s gotten easier and easier for me to make new sites from scratch with it. And I also released a new version of Publ with some shiny new features.

Why didn’t anyone tell me that the previous blog post was posted as a very-broken comics post

I’ve changed my site templates a bit more, to make CWs work a bit better. In particular, now entries which have a CW will also hide the text behind a <details> on the page (for example), and similarly I’ve hidden CWed images on individual comic pages (for example). Comic images will also (finally!) be blurred in the OpenGraph tags, as well, after one too many “oops"es when posting links to Slack demonstrating how my CWs work.

I’ve also improved compatibility with Bridgy Fed and with the way that webmention microformats are supposed to work in the first place, per a conversation in which I learned that I wasn’t actually using reply types correctly. (You may have noticed a bunch more micro-posts on the chatter section as a result of me fixing this as well. I also need to finally implement a thing so I can properly filter that stuff out of the little "latest posts” box on the main page!)

The sample templates repository has been updated, accordingly.

As always, thanks to the various IndieWeb folks, especially Ryan and Kevin for setting me straight on this issue.

Edit: It didn’t take me very long to implement the Publ feature change. I went ahead and cleaned up a bunch of query generator code while I was at it. Also I think I found a bug in PonyORM. Nope, I think I was just being hopelessly optimistic about a thing.

I’m working on improving some of the https-related security in Authl, in particular making it so that if a site is configured with https, then it’ll only send the security cookie over https. This reduces the chances of a certain kind of possible security issue, but it also means that if you normally access the site with http://beesbuzz.biz instead of https://beesbuzz.biz it’ll show you as being signed out, and if you click the “log in” link it’ll ask you to sign in again even if you were already signed in.

I have a fix for that in mind, but it might cause a potential redirection loop problem in some cases so I’m not going to implement it until I’ve determined the scope of the problem and figured out if I need further workarounds.

Update: Fix is implemented and being tested on this site. Authl and Publ updates pending other folks trying it out.

So, one of the things with the Isso migration is that I finally came up with a better way of handling thread IDs to keep them actually-private. And part of that is the mechanism to rehash them.

Which is good, because I keep on accidentally leaking the dang secret sauce. The first time was when I updated my sample templates with the comment hash generation (and I accidentally left the HMAC key intact), and the second time was when I started building a new Publ-based website and decided to start with my actual app.py as the basis, HMAC key and all, never mind that I later ended up removing about 90% of the beesbuzz.biz custom routes and the Authl config since they’re not actually needed for this site. Yeesh.

Anyway, whatever. Someday I’ll learn my lesson (and maybe I’ll even go so far as to make the HMAC key not even be checked into code!), but today is not that day.

I’ve released a new version of Authl that has direct login support for IndieAuth. Also as of v0.1.6 it supports discovery via WebFinger, which should at least have Ryan a lot happier.

If you don’t know what any of the above means, this update probably doesn’t matter to you. 🙃

As far as I know, all of the comments have been restored and mechanically updated to work correctly. It’s pretty neat that I actually have comments dating back to 2003, that have survived four separate comment systems! (Movable Type, phpBB, Disqus, and now Isso.) And some of the oldest ones hadn’t been visible for years, since I never got around to migrating them over to my comics section before.

I also now have a script to automatically rehash the thread IDs in case the HMAC key leaks, as it did yesterday when I accidentally forgot to redact it from the sample templates repository, oops. I doubt anyone saw that but now it doesn’t matter if they did.

I do want to make a final migration script to try adding thread nesting to comments which quote other comments. I have a good idea of how to do it but it’s gonna be tricky and since Isso apparently uses oldest-to-newest sort on comments I don’t know how useful it’ll be, anyway. But I like doing that sort of thing.

I also have automated backups of my comment database, as well as having it checked into a git repository so I can do simple checkpointing whenever I do something funky with a migration (and it means I can also run the migration on my local machine instead of having to worry about hecking something up in production). And of course since Isso runs as its own systemd unit I can easily take it down while I’m doing a thing. (If you ever notice my comments completely vanishing for a while, that’s probably what happened. Unfortunately there isn’t any easy way to show a reasonable message when that’s what’s going on.)

So, now I feel a lot more confident in the privacy and longevity of my comments. Which is good because I have a lot more private stuff to talk about. 😛