PlaidWeb / Publ

Flexible publishing system for the web
http://publ.beesbuzz.biz/
MIT License

TicketAuth should respect rel="canonical" #486

Closed fluffy-critter closed 2 years ago

fluffy-critter commented 2 years ago

Expected Behavior

If someone makes a TicketAuth request with http://example.com, and http://example.com has a rel="canonical" of https://example.com, the TicketAuth flow should continue for https://example.com instead.

Current Behavior

TicketAuth uses the original requested URL in the granted bearer token.

Possible Solution

Steps to Reproduce (for bugs)


Context

fluffy-critter commented 2 years ago

Per discussion at https://chat.indieweb.org/dev/2022-03-22#t1647972845699900 this is very edge-casey and hard to capture in a spec; IndieAuth itself doesn't care about rel="canonical", so Authl doesn't do anything with that, which means that it's up to Publ to determine if there's a rel="canonical" on the request grant flow. I'm definitely not going to add this into Authl (which has no involvement in TicketAuth or bearer token grants in general). If I were to handle this on Publ, then Publ itself needs to fetch the profile page to see if there's a rel="canonical" on it. Kind of messy!
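
The profile-page check described in the comment above, sketched as an added example; it is not part of the thread and not Publ's or Authl's code. The helper name `resolve_identity` and the acceptance policy (follow rel="canonical" only on the same host, never from https down to http) are assumptions, and the profile HTML is passed in rather than fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _CanonicalFinder(HTMLParser):
    """Collects the href of the first <link rel="canonical"> in a document."""

    def __init__(self):
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        if tag != "link" or self.href is not None:
            return
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        if "canonical" in rels and attr.get("href"):
            self.href = attr["href"]


def resolve_identity(requested_url, profile_html):
    """Return the URL a token should be issued for (hypothetical helper).

    Assumed policy: follow rel="canonical" only when it stays on the same
    host and does not downgrade https to http; otherwise keep the request URL.
    """
    finder = _CanonicalFinder()
    finder.feed(profile_html)
    if finder.href is None:
        return requested_url
    canonical = urljoin(requested_url, finder.href)  # handles relative hrefs
    req, can = urlsplit(requested_url), urlsplit(canonical)
    if can.scheme not in ("http", "https"):
        return requested_url
    if (can.hostname or "").lower() != (req.hostname or "").lower():
        return requested_url  # a page must not claim another site's identity
    if req.scheme == "https" and can.scheme == "http":
        return requested_url  # never downgrade the identity URL
    return canonical


# Constructed sample documents (not real profile pages)
UPGRADE = '<html><head><link rel="canonical" href="https://example.com/"></head></html>'
FOREIGN = '<html><head><link rel="canonical" href="https://other.example/"></head></html>'
```

The same-host rule matters because the bearer token is bound to whatever URL this returns: without it, any page could name someone else's URL as its canonical identity.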