JOSM Auth Token

[ingalls]

Context

An unexpected side affect of allowing full server auth in #184 was that JOSM doesn't send authentication except when creating objects. This effectively broke JOSM integration for servers that ran full authentication.

This PR sidesteps the issue by allowing users to create a URL with the access token in the URL, which can then be used in JOSM, circumventing the need for Basic auth for normally unauthenticated read operations.

cc/ @ingalls

[miccolis]

@ingalls can we limit this path based token so that it cannot be used for endpoints that are not data reading? ...or is that here in some way that I'm missing?

[ingalls]

@miccolis I initially had a very rough scope that could be conditionally added to the token to limit it, however it was very rough and at the end of the day the URL based tokem its way better than our basic auth and equivalent to our session token. Both of which are protected by our use of HTTPS on the endpoint.

I'd really like to take on token scope, but I would like to do it "right" and make the scopes equivalent to the auth JSON categories. Basically expose an interface like

- [ ] READ
- [ ] WRITE

OR

Full Auth JSON checkboxes
- [ ] Deltas
- [ ] Users
- [ ] Styles
- [ ] ... etc ...

[ingalls]

WIP of scoped tokens here: https://github.com/mapbox/Hecate/tree/josm-token-scope

[ingalls]

@miccolis I've got to run to the airport, will be back online in a few hours.

• The branch referenced above should implement a basic read and full scope. Tokens that are authed via the in URL method are given a read scope and as such should not be able to access a Full scoped API endpoint (any write endpoint)
• Write tests to ensure that an in URL token can't access a full method (setting a meta attribute would be a good candidate for this test)
• Ensure that when running cargo run -- --auth test/fixtures/auth.default.json, you are able to login via the browser and generate a JOSM URL. (Click on your user icon and it will open user settings, the JOSM URL generation button will be at the bottom) If you run a test before hand that creates a user, then this command the default test user is ingalls:yeaheh. Otherwise you will have to manually create a user in the database as the register API will be protected.

[ingalls]

LGTM 🌮

[lizziegooding]

🌮