01:46 <PixltdGuy> sorry for the spam

18:59 <ill_logic> Hmm. So Tiny Tiny RSS must have the ability to reach the outside world.

18:59 <ill_logic> Arbitrarily.

18:59 <ill_logic> And there's no user warning about "reduced security" or something like that.

19:00 <ill_logic> Also notable that I can't really connect an application to it without making the thing public.

19:00 <ill_logic> Though I suppose I could just not tell anyone the share URL.

19:01 <pdurbin> Is Tiny Tiny RSS the only example of the sort of reduced security you're talking about?

19:07 <ill_logic> That I can think of. I might make a new such app myself though.

19:07 <ill_logic> I haven't played around with a whole lot of the applications.

19:07 <pdurbin> ok

19:08 <ill_logic> Assuming that's actually reduced security. I thought applications were closed off by default, is all.

19:09 <ill_logic> So does anybody know how to connect to Tiny Tiny RSS to the Android application? I gave it a share link but it wants to try to hit api endpoints.

19:09 <ill_logic> I'm not sure how APIs work with Sandstorm since it tries to hide endpoints.

19:10 <ill_logic> Okay I'm reading about SS api tokens now...

19:20 <ill_logic> And I have an authentication problem on my app.

19:21 <ill_logic> Why would the API URL have a # in it? The server doesn't see it. An arbitrary client wouldn't know what to do with it. I don't see the point.

19:21 <ill_logic> Looks like one of those things Sandstorm hasn't had time to smooth over.

19:30 <kentonv> ill_logic, TinyTinyRSS takes advantage of a hole we punched specifically for it that we plan to fill in eventually. Technically all apps can use this same hole to make outgoing HTTP requests. It's a confinement violation, though it's worth noting that most other server infrastructure doesn't consider confinement to be an important property in the first place.

19:31 <kentonv> ill_logic, to connect the android client you need to generate a webkey rather than a share link.

19:31 <kentonv> ill_logic, use the key icon in the top bar

19:32 <kentonv> a webkey has the format <host>#<token>

19:32 <kentonv> the token is meant to be sent in the Authorization header

19:32 <pdurbin> kentonv: do a lot of sandstorm apps make outgoing http requests?

19:33 <kentonv> pdurbin, very few. TTRSS is the only one I can think of off the top of my head.

19:33 <pdurbin> gotcha

20:11 <moromi> hi there, I'm trying to install sandstorm and receive a "400 Bad Request" when trying to register a sandcats domain with a recovery mail. any idea?

20:19 <TimMc> kentonv: TinyTinyRSS can talk to other hosts on the LAN, which seems maybe undesirable. It would be nice if the outbound HTTP permissions could in the future allow/deny private IPs.

22:09 <moromi> I tried with another email and it just worked. May be some non-cooperative email domain?