Prohibit automatically submitting website forms #102
Briefly discussed on the 23 March 2023 Ops call. We likely want to hold back a bit on this until the board resolves the issue with the party.
JOSM's OAuth Authorisation Wizard would no longer be permitted with this policy in place. Has this been considered in the discussion?
Well it's exactly the kind of thing we don't want to allow so in that sense yes, sure it has.
The interesting side effect of this policy is that it would force JOSM to drop OAuth 1.0a support much earlier than originally planned. Only their new OAuth 2.0 implementation complies with this policy.
I thought the wizard was optional and that 1.0a could be configured in the intended way, without giving your password to JOSM?
The documentation still talks about some semi-automated and manual auth modes, which both bypass the wizard in one way or another. However, in the newest version 18700, I can't find a way to bypass the fully automated mode anymore. Not sure when they've removed the other two options. Besides, other apps are doing similar things, e.g. some of the mobile editors, but also download tools like the Geofabrik internal country extract downloader (more background info: https://blog.geofabrik.de/?p=484).
I suspect you are logged in via OAuth 2.0. It looks like there is a bug whereby if you are logged in via OAuth 2.0, OAuth 1.0 thinks you are logged in. Anyway, from a coding perspective, we (JOSM) would probably want to drop OAuth 1.0 if we end up having to make changes around it. We added OAuth 2.0 support in r18678, and there haven't been any "breaking" bugs reported with respect to OAuth 2.0. In addition, cgimap has an issue open for dropping OAuth 1.0 support in "Q4/23 or Q1/24". So I can figure that OAuth 1.0a has < 1 year to live, and I'd rather start removing OAuth 1.0 code from JOSM prior to the drop-dead date. We'd probably drop the ability to do new logins via OAuth 1.0 (probably when you make this change) and encourage migration to OAuth 2.0 first, and keep the ability to use existing OAuth 1.0 tokens around for a while.
Confirmed, it's a bug. Once you're logged off from OAuth 2.0, the old OAuth 1.0a dialog works as expected and shows all three options. Users still have the option to bypass the fully automated mode in that case. Besides, I found that OAuth1.0a "Test Access Token" would also fail when logged in via OAuth 2.0 due to the missing accessToken. There may be other places with some minor issues. We'll leave that for the JOSM bug tracker.
Implements openstreetmap/operations#859
Creating this for discussion at the next ops meeting before a vote.