Allow `q=config` (and some other queries) to be unauthenticated

[jamietanna]

I've currently got my Micropub server not requiring this, as I don't think this query requires anything - what are your thoughts?

Also wondering about allowing q=source to attempt to retrieve a post if unauthenticated, and only show it if it's public

[barryf]

I've made q=config calls require authentication based on the Micropub spec examples. I also assume the config would be consumed by clients which must authenticate first anyway. What's your use case for an unauthenticated request?

[jamietanna]

I don't really have a use case per se, but when implementing my Micropub server I decided that q=config showed nothing of note that should be private, and i.e. allowed me to easily check things in a browser without authenticating.

No biggie - and happy to talk a bit more about this across others' implementations :smile:

[barryf]

I think I considered it when looking at your server because it's a nice way of seeing how others have done it 😎

But it's also convenient having all requests require authentication without exceptions. So I'm a bit on the fence!

[jamietanna]

That's a fair point, that makes sense 👍🏽