JOSM Auth Token #185
Conversation
@ingalls can we limit this path-based token so that it cannot be used for endpoints that are not data reading? ...or is that here in some way that I'm missing?
@miccolis I initially had a very rough scope that could be conditionally added to the token to limit it, however it was very rough and at the end of the day the URL-based token is way better than our basic auth and equivalent to our session token. Both of which are protected by our use of HTTPS on the endpoint. I'd really like to take on token scope, but I would like to do it "right" and make the scopes equivalent to the auth JSON categories. Basically expose an interface like
WIP of scoped tokens here: https://github.com/mapbox/Hecate/tree/josm-token-scope
@miccolis I've got to run to the airport, will be back online in a few hours.
… with token + cookie
LGTM 🌮
🌮
Context
An unexpected side effect of allowing full server auth in #184 was that JOSM doesn't send authentication except when creating objects. This effectively broke JOSM integration for servers that ran full authentication.
This PR sidesteps the issue by allowing users to create a URL with the access token in the URL, which can then be used in JOSM, circumventing the need for Basic auth for normally unauthenticated read operations.
cc/ @ingalls
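The read-only scoping that the thread asks for, sketched as an added example that is not Hecate's code (the `josm-token-scope` branch may model scopes differently). It assumes a hypothetical `/token/<token>/...` URL layout and an in-memory token store constructed for the demo; a read-scoped token is accepted only for GET/HEAD requests, a full-scope token for any method.

```rust
use std::collections::HashMap;

/// Scope a URL-embedded token may carry (assumed model, not Hecate's).
#[derive(Clone, Copy, Debug, PartialEq)]
enum Scope {
    Read,
    Write,
}

/// Constructed token store: token string -> scope. A real store would hold
/// random, hashed tokens tied to a user; these values are demo constants.
fn token_store() -> HashMap<&'static str, Scope> {
    let mut m = HashMap::new();
    m.insert("tok_readonly_example", Scope::Read);
    m.insert("tok_full_example", Scope::Write);
    m
}

/// Split an assumed `/token/<token>/rest/of/path` into (token, rest).
/// Returns None when the prefix or the token segment is missing.
fn split_token_path(path: &str) -> Option<(&str, &str)> {
    let rest = path.strip_prefix("/token/")?;
    let idx = rest.find('/')?;
    let (tok, remainder) = (&rest[..idx], &rest[idx..]);
    if tok.is_empty() {
        return None;
    }
    Some((tok, remainder))
}

/// Only GET and HEAD count as data reads; everything else is a write.
fn is_read(method: &str) -> bool {
    matches!(method, "GET" | "HEAD")
}

/// Gate a request: Ok(inner path to route) or Err(reason for a 401/403).
/// The token travels in the URL, so this only makes sense over HTTPS,
/// as the thread notes for the session token it is equivalent to.
fn authorize(method: &str, path: &str) -> Result<String, &'static str> {
    let (tok, rest) = split_token_path(path).ok_or("no token in url")?;
    let store = token_store();
    let scope = *store.get(tok).ok_or("unknown token")?;
    match (scope, is_read(method)) {
        (Scope::Write, _) | (Scope::Read, true) => Ok(rest.to_string()),
        (Scope::Read, false) => Err("read-only token used on a write endpoint"),
    }
}
```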