gpx/create API doesn't work any more since recent website update #1609

Closed
KaiRo-at opened this Issue Aug 7, 2017 · 13 comments

KaiRo-at commented Aug 7, 2017

About a week ago, the upload feature in my https://lantea.kairo.at/ web app (which I heavily use for recording GPS tracks) stopped working; I'm getting the following error in a browser console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ‘https://api.openstreetmap.org/api/0.6/gpx/create’. (Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’).

The problem is that CORS with a '*' doesn't work for XMLHttpRequest when credentials (HTTP Auth) are needed.
Before the website update that was done around August 1st, uploading GPX tracks with HTTP Auth worked fine.

KaiRo-at commented Aug 7, 2017

Just to make STR clear:

  1. Load https://lantea.kairo.at/
  2. Click the "track" icon (top left, tag/waymarker/arrow-like shape)
  3. Click the "Upload" button
  4. Click "Upload Track"

Actual outcome: "Track upload failed" and the above-mentioned message in the browser console
Expected outcome: browser prompt for user/password and successful upload

tomhughes commented Aug 8, 2017

Are you saying that site is using HTTP basic authentication rather than OAuth to access the api? If so then they should probably fix that...

KaiRo-at commented Aug 9, 2017

At least when I wrote the web app, OAuth was documented to not be available for gpx/create.

tomhughes commented Aug 9, 2017

As far as I can see it has allowed OAuth since b8f6dbd which was the commit that introduced OAuth.

This is for the API create method (/api/0.6/gpx/create) referred to in this report, not the create method (/trace/create) used by the form on the main web site.

tomhughes commented Aug 10, 2017

So this is the result of a change in the behaviour of rack-cors, but that change is deliberate and is probably a good thing.

The previous behaviour was to default to sending Access-Control-Allow-Credentials: true which allows the client to send credentials with a CORS request and to also reflect the domain, which is required when allowing credentials as a wildcard domain is not valid in that case.

Now it won't allow you to set a wildcard domain and allow credentials and the default is only to allow credentials if the domains are restricted.

There is a way to go back to the old behaviour, but that behaviour is a potential security issue - we are allowing all domains because our data is generally public but not everything is and if we allow credentials then a malicious site could silently fetch (for example) your user details in the background if the browser knew your authentication details.

Note that this doesn't affect OAuth as the browser won't silently sign requests in the way it will silently pass on basic authentication and/or cookies.
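The CORS rule described in this comment, as an added example that is not part of the original thread and is not code from the OSM website or from rack-cors: a small model of both sides of the exchange. The `legacy` flag, the policy struct and the origin values are constructed for illustration; `https://third-party.example` is a placeholder for an unrelated site.

```ruby
# Added example, not code from the OSM website or from rack-cors: a small
# model of the CORS rule discussed in this thread, seen from both sides.

# origins: '*' or a list of allowed origins; credentials: whether Basic Auth /
# cookies may accompany cross-origin requests; legacy: the old behaviour the
# thread describes (wildcard + credentials => reflect any requesting origin).
CorsPolicy = Struct.new(:origins, :credentials, :legacy)

# Server side: CORS response headers for a request from `origin`.
def cors_response_headers(policy, origin)
  allowed = policy.origins == '*' || policy.origins.include?(origin)
  return {} unless allowed                     # not allowed: no CORS headers
  if policy.origins == '*' && !(policy.credentials && policy.legacy)
    # Wildcard: public data readable by anyone, but never with credentials.
    return { 'Access-Control-Allow-Origin' => '*' }
  end
  # Restricted list (or the legacy reflect-anything case): echo the origin.
  headers = { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }
  headers['Access-Control-Allow-Credentials'] = 'true' if policy.credentials
  headers
end

# Browser side: may the page at `origin` read the response?
# with_credentials is true for an XMLHttpRequest carrying Basic Auth or cookies.
def browser_allows_read?(headers, origin, with_credentials)
  acao = headers['Access-Control-Allow-Origin']
  return false if acao.nil?
  if with_credentials
    # The check that produced the error quoted in this report.
    return false if acao == '*'
    return false unless headers['Access-Control-Allow-Credentials'] == 'true'
  end
  acao == '*' || acao == origin
end

# Can a credentialed (Basic Auth) cross-origin request from `origin` succeed?
def credentialed_read_allowed?(policy, origin)
  browser_allows_read?(cors_response_headers(policy, origin), origin, true)
end

# Constructed configurations for illustration.
APP_ORIGIN   = 'https://lantea.kairo.at'
OTHER_ORIGIN = 'https://third-party.example'  # placeholder unrelated site
LEGACY_CONFIG     = CorsPolicy.new('*', true, true)   # old rack-cors default
CURRENT_CONFIG    = CorsPolicy.new('*', false, false) # wildcard, no credentials
RESTRICTED_CONFIG = CorsPolicy.new([APP_ORIGIN], true, false)
```

Under `LEGACY_CONFIG` every origin, including the unrelated one, gets a credentialed read, which is the exposure the comment describes; under `CURRENT_CONFIG` the wildcard response is readable by anyone without credentials but the credentialed upload from the app fails exactly as in the report.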

KaiRo-at commented Aug 10, 2017

OK, that's all fine and good. That said, https://wiki.openstreetmap.org/wiki/API_v0.6#Uploading_traces still says "HTTP basic authentication is required." - is that documentation still true? If so, then I believe we need to return to the old behavior at least just for this one API endpoint or else uploading GPS tracks is not possible at all any more.

Also, in general, it feels weird to not desupport the HTTP Auth access and make big announcements about that to the API when changing the CORS behavior like that.

(And note that I'm all for security and also I'd prefer all of the API to work with OAuth2 but unfortunately the less common and more complicated OAuth1 is used from what I understand, and is not even supported for the gpx/create endpoint, at least as described by docs.)

tomhughes commented Aug 10, 2017

Well it wasn't an intentional change but the old configuration was unintentional as well in that we added CORS support to a site that already had basic auth support without realising the potential consequences.

Equally basic authentication has really been deprecated pretty much since OAuth was added though we don't have a formal timetable for removing it.

I'm very reluctant to re-enable this for any endpoints - not only does it potentially allow a malicious site to extract information it would also allow it to, for example, make edits in your name.

KaiRo-at commented Aug 19, 2017

OK, given that according to documentation, GPX tracks can only be uploaded with HTTP Basic Auth and that you say that will not be possible any more, I take it that OSM just doesn't want GPX tracks uploaded any more and I'll just implement a GPX track store on my server. It was a nice side effect that OSM would get the tracks, but the real feature I need is to make the tracks available for the user to download onto a different device, and I can use a different service than OSM for that.

tomhughes commented Aug 19, 2017

Have you actually tried OAuth? As far as I know it works fine.

There is unfortunately no official API documentation - the wiki is user contributed and can easily be wrong. If you find OAuth works then update the wiki!

KaiRo-at commented Aug 19, 2017

The problem is that it probably will take me about half a day to implement the ancient OAuth 1.0 protocol that OSM needs (I only have the code for the modern OAuth 2.0 in code I can copy) and if, for a hobby-only project, I then find out it doesn't work, I'll be angry as in the same time I could have made most of my own GPX storage working as well probably, and that OSM gets the data is just a nice side-effect anyhow.

tomhughes commented Aug 19, 2017

Well I'm very sorry but as there is, as far as I can see, no way to securely enable what you want I'm not sure what more I can do.

tomhughes closed this Aug 19, 2017

KaiRo-at commented Aug 19, 2017

OK, you should correct the wiki then to say that uploading GPX tracks is not supported any more. Or at least, in the general descriptions, that HTTP Auth is not fully or at all (not sure of the status) supported any more.

tomhughes commented Aug 19, 2017

It's fully supported for direct access, just not for cross origin loads from other web sites. It works fine when loading an openstreetmap.org URL directly in a browser or from a separate application like JOSM.

Because the authentication is, or can be, applied implicitly without user authorization or on a case-by-case basis, it simply isn't safe to allow it for cross origin loads, because any random web site you visit could have background JavaScript that did things on osm.org as you without you ever even knowing.
