OSM OAuth/Users Epic #51

Open
4 of 5 tasks
maxgrossman opened this issue May 9, 2019 · 0 comments

maxgrossman commented May 9, 2019

Before we take steps to integrate the application with other OSM services (like the HOT TM), we ought to create users so that only logged-in OSM users can create/update/delete MapRules...

Following documentation from the OSM site and other popular apps (like TM), the way to do this is to make MapRules an OAuth client with the OSM OAuth mechanism. MapRules will use the OSM OAuth to create user records that we save in the MapRules database. These records will include a user id and session token, both of which rely on authenticating with the OSM OAuth first.

Below are the 2 main components to making this happen.

Logging into MapRules

1a. get our client template, particularly for the consumer_key and consumer_secret codes, from here

  1. A client, the maprules-ui web app, makes a request to a new endpoint called /auth/login
  • that endpoint's handler will make a request to the OSM site's request_token endpoint, and include the MapRules /auth/callback endpoint, the MapRules consumer_key code, and the consumer_secret code.
  • /request_token responds with the oauth_token and oauth_token_secret codes.
  • we keep a record of those codes in our request's 'session', then send a request to the /oauth/authorize?${oauth_token} endpoint. Doing so opens up a popup for the user to log into OpenStreetMap...
  • once logged in to OpenStreetMap, the OpenStreetMap service will tell the client to make a request to the callback url we specified when we made a request to the /request_token endpoint...
  2. The /auth/callback endpoint receives a request that includes 2 codes as query parameters, oauth_token and oauth_verifier
  • This endpoint handler makes a request to OSM's /access_token endpoint, providing the oauth_token, oauth_token_secret, oauth_verifier, consumer_secret, and consumer_key codes...
  • This request provides back the access_token and access_token_secret codes...
  3. The MapRules service makes a request to the user/details endpoint with the access_token and access_token_secret codes we retrieved in step 2
  • this returns an xml document with information about the user, including user name and id...
  4. we take user details to create/update a user record in the database.
  • if no user record exists, make a new one with user_id from user details as the primary key and a session hash (maybe generated with something like the uuid package we have already in the service), as well as a timestamp (to use for expiring tokens...)
  • if a user does exist in the table, see if the session is out of date, and if so, create a new token and timestamp
  5. we take the current user record to generate a JSON Web Token
  • the decoded token will be...

```
{
   id: ${user.id},
   username: ${user.name},
   session: ${session.id}
}
```

  • looks like this is a popular package for decoding/encoding the token
  6. encode the JWT and reply it back to the client to be saved in the browser and used for future CRUD requests...

CRUD Requests in MapRules

Endpoints that allow users to do POST/PUT/DELETE operations need to do the following beforehand

  1. see if a session JWT is provided in the request
    - if not, throw a 401 unauthorized...
  2. (for PUT/DELETE) see if JWT is valid for the resource of interest
    - if JWT is not for resource's owner, throw a 403
    - if JWT is valid for resource's owner, but session id is not the one in the user table, throw a 401
  • the client should handle the 401 cases by making the user try to log back in
  • the client should kick/scream/make it clear the user is trying to do something very uncool if a 403...

Phew, that was a lot of pseudo code and thinking!!! As for the next steps...

  • Set up MapRules as an OAuth client with OpenStreetMap OAuth for the Logging into MapRules steps...
  • Implement the /auth/${login/callback} endpoints needed for logging into MapRules....
  • Create database migrations that will include a new user table and update the preset schema so the presets table has a user so we can enforce ownership
  • introduce a JWT library for creating and decoding JWTs
  • update all CRUD endpoints so they enforce the steps mentioned above...

I'll make tickets for these!
