sebsel / gimme-a-token Goto Github PK

In the newer changes to IndieAuth, https://indieauth.spec.indieweb.org/#changes-from-26-september-2020-to-26-november-2020 mentions the use of PKCE for more security.

the .dev TLD was never reserved to never exist, and one can indeed now register .dev domains, and I now could register nonexisting-domain.dev (it seems to be still available).

Options:
Use one of .example or .invalid, which (among others) RFC2606 explicitly reserves.

".example" is recommended for use in documentation or as examples.
".invalid" is intended for use in online construction of domain
names that are sure to be invalid and which it is obvious at a
glance are invalid.

Maybe use the me url, assuming that wrongly sending the data there is at least safe since it's owned by the person testing.

I also considered using a "weird" url-scheme, but is more likely to be rejected I think.

The main goal of the tool is to be totally client-side, which makes it harder to call out to discover the right URLs (can't call cross domain for all URLs).

I could improve the documentation to point to the public XRay, which makes it easier to discover the right rel-links for the user.

According to the spec, the state parameter is required as a parameter when making authentication and authorization requests:

• https://indieauth.spec.indieweb.org/#authentication-request
• https://indieauth.spec.indieweb.org/#authorization-request

I don't think gimme-a-token is provided the state parameter - if I use it to make an auth request to my endpoint, it is missing. (If I append a made up state value to the query string, the rest of the flow works fine.)