Yesterday, I went to Den Helder for a day. Besides doing some work, we also made a walk through the dunes. Such walks produce pictures, somehow, and I wanted to post some of them here.

Since I didn't want to create multiple posts, it made sense to create a list of photo's in one post. Instagram also launched a new post type with multiple photo's, and this seemed to be a good match for it.

So yesterday I made a quick foreach loop to be able to post them and today I styled it some more with CSS. It's not as pretty as the Instagram presentation of a multi-photo post, but I didn't want a carrousel like they use. The pro is that the images are viewed one by one, not influencing each other that much, but the con is that it's hard to signal to the user that there are more then one picture behind the post. I like the list as it is now. It's kind of long, but it works.

Today, I moved some existing code from my kirby-micropub plugin to my indieweb-toolkit, and then I rewrote it a bit. It is the code that checks for an Authorization: Bearer xxx header and rejects people that have the wrong token.

At this point, my blog just uses tokens.indieauth.com, as it's token endpoint. So, that is what the toolkit uses now too. This is not ideal, and I plan on adding a token endpoint directly to the toolkit. But, everything in steps!

You can now do the following:

indieauth::requireMe();
indieauth::requireScope('create');

// do stuff!

And then the script will exit if there's no Authorization: Bearer in the header with the proper scope and a 'me' value corresponding with the current URL. (You can also pass in a 'me' to check against.) I am still not sure about some things, so I am putting them out here to think about them some more. Feel free to comment.

• Is 'IndieAuth' the right name for this static class? I think so, because it uses 'me' and 'scope'. But at this point, it's only checking tokens. And when I add a token endpoint, is that token endpoint still IndieAuth?

• In my code, I now check url::host($token->me) == url::host($requiredMe)). I only compare hosts, so seblog.nl, which works, because seblog.nl/micropub still has the host seblog.nl. Maybe I should drop this 'use the current URL if the $requiredMe is empty' and only go for explicit 'me'-values.

• Previously, I threw Errors. Now, I just set the HTTP-header and exit the script. I wonder which way is more elegant. The way I do it now, makes sure the right HTTP status is sent, but the way I did it before allows for more customisation. Both ways exit the script, which is the most important part.