Prohibit automatically submitting website forms #102

Merged (1 commit) on Jun 23, 2023

pnorman
Collaborator

@pnorman pnorman commented Mar 21, 2023

Implements openstreetmap/operations#859

Creating this for discussion at the next ops meeting before a vote.

@Firefishy
Member

Briefly discussed on the 23 March 2023 Ops call. We likely want to hold back a bit on this until the board resolves the issue with the party.

@mmd-osm
Contributor

mmd-osm commented Apr 1, 2023

JOSM's OAuth Authorisation Wizard would no longer be permitted with this policy in place. Has this been considered in the discussion?

@tomhughes
Member

Well, it's exactly the kind of thing we don't want to allow, so in that sense yes, sure it has.

@mmd-osm
Contributor

mmd-osm commented Apr 1, 2023

The interesting side effect of this policy is that it would force JOSM to drop OAuth 1.0a support much earlier than originally planned. Only their new OAuth 2.0 implementation complies with this policy.

@tomhughes
Member

I thought the wizard was optional and that 1.0a could be configured in the intended way, without giving your password to JOSM?

@mmd-osm
Contributor

mmd-osm commented Apr 1, 2023

The documentation still talks about some semi-automated and manual auth mode, which both bypass the wizard in one way or another.

However, in the newest version 18700, I can't find a way to bypass the fully automated mode anymore. Not sure when they've removed the other two options.

Besides, other apps are doing similar things, e.g. some of the mobile editors, but also download tools like the Geofabrik internal country extract downloader (more background info: https://blog.geofabrik.de/?p=484).

@tsmock

tsmock commented May 8, 2023

> However, in the newest version 18700, I can't find a way to bypass the fully automated mode anymore. Not sure when they've removed the other two options.

I suspect you are logged in via OAuth 2.0. It looks like there is a bug whereby if you are logged in via OAuth 2.0, OAuth 1.0 thinks you are logged in.

Anyway, from a coding perspective, we (JOSM) would probably want to drop OAuth 1.0 if we end up having to make changes around it. We added OAuth 2.0 support in r18678, and there haven't been any "breaking" bugs reported with respect to OAuth 2.0.

In addition, cgimap has an issue open for dropping OAuth 1.0 support in "Q4/23 or Q1/24". So I can figure that OAuth 1.0a has < 1 year to live, and I'd rather start removing OAuth 1.0 code from JOSM prior to the drop-dead date. We'd probably drop the ability to do new logins via OAuth 1.0 (probably when you make this change) and encourage migration to OAuth 2.0 first, and keep the ability to use existing OAuth 1.0 tokens around for a while.

@mmd-osm
Contributor

mmd-osm commented Jun 1, 2023

> I suspect you are logged in via OAuth 2.0. It looks like there is a bug whereby if you are logged in via OAuth 2.0, OAuth 1.0 thinks you are logged in.

Confirmed, it's a bug. Once you're logged off from OAuth 2.0, the old OAuth 1.0a dialog works as expected and shows all three options. Users still have the option to bypass the fully automated mode in that case.

Besides, I found that the OAuth 1.0a "Test Access Token" would also fail when logged in via OAuth 2.0 due to the missing accessToken. There may be other places with some minor issues. We'll leave that for the JOSM bug tracker.

@pnorman pnorman merged commit bd844b7 into openstreetmap:gh-pages Jun 23, 2023
@pnorman pnorman deleted the api_policy branch June 23, 2023 20:17