The authentication flow doesn't actually work in IE11.

This is because window.opener here is null after being directed from another domain (e.g. openstreetmap.org) back to wherever land.html sits (mydomain.com).

Here is some more info on stackoverflow and potential fix:
https://stackoverflow.com/questions/18625733/how-do-i-get-around-window-opener-cross-domain-security

We never noticed this before, probably because most users of iD are on openstreetmap.org, which loads iD in an iframe and preauthenticates it. You'd only hit this bug on an install of iD elsewhere.

I would use OAuth with OpenStreetMap and I would like to use it with Wikimedia Commons with one library (osm-auth).

According to index.js#L236, I guess that I should use the url parameters somewhere, and that's all ?

Is there an way to track when authentication status changes? For example, if during a request, authentication changes from non-authenticated to authenticated, it would be good to call my event handler. Also, it should be called if client had to re-login (possibly under different credentials) during the request handling.

My goal is to update UI if login status has changed.

Thanks!

re: openstreetmap/iD#3519 (comment)

I did some debugging today with @zerebubuth

Here's what I've noticed...

If I pass to xhr:

options = {
   path:  '/api/0.6/map',
   content:  'bbox=-74.55322265625,40.6723059714534,-74.5477294921875,40.67647212850004'
}

we get a base signature string like GET&http%3A%2F%2Fwww.openstreetmap.org%2Fapi%2F0.6%2Fmap&bbox%3D-74.5477294921875%2C40.66813……..

… but it requests the base url without the parameters

if I pass to it options.path:

options = {
   path:  '/api/0.6/map?bbox=-74.55322265625,40.6723059714534,-74.5477294921875,40.67647212850004',
   content: ''
}

we get a base signature string like GET&http%3A%2F%2Fwww.openstreetmap.org%2Fapi%2F0.6%2Fmap%26bbox%3D-74.5477294921875%2C40.66813……..
(note the %26, where a & should be)

...and it requests the right url, but the authentication is wrong

Hi,

I would like to wrap my site, which uses this package, as an android application using cordova.
There is a problem there with opening a new window or redirecting the user to another page.
It would be great if I could either place the window inside an iFrame or have a window.open callback option so that I'll be able to replace/modify it according to my needs.

I found strange behavior in authenticate() and xhr(). (gist)

When user is not authenticated, authenticate() and xhr() return undefined.
But, when user is authenticated, these functions return different types.
authenticate() returns arbitrary value which returns in callback function.
xhr() returns XHR object.

Do these functions work as required?

I have been able to authenticate, and to get the user permissions and user details but I am not being able to create a changeset. I am always getting a 401 error. This is the code that I am using:

    auth.xhr({
        method: 'PUT',
        path: '/api/0.6/changeset/create',
        content:
            '<osm>'+
                '<changeset>'+
                    '<tag k="created_by" v="xxxxxxxxxxxxxxxx"/>'+
                    '<tag k="comment" v="Testing"/>'+
                '</changeset>'+
            '</osm>'
    }, function(err, details) {
        console.log(err);
        console.log(details);
    });

The example stopped working in 94ff056.

See openstreetmap/openstreetmap-website#220

OAuth 1.x has security issues, especially with this javascript client because you need to specify the consumer secret.
Are there any plans to migrate to OAuth2?

Currently, it throws an exception. Would be better to suppress the error and just require a new login on the next session. And for preauth scenarios, there's no need to use localStorage at all.

See openstreetmap/iD#1904.

osm-auth doesn't work in iD following 22c32d8. The authorization sequence succeeds, but all subsequent authenticated requests result in 401 errors.

Do I have to add resolveUrl to iD's package.json for it to work when running npm run all?

iD's version of osm-auth isnt updated to this version and replacing osm-auth in node_modules breaks the run all process at resolveUrl.

I updated iD 2.0's osm-auth in node_modules with the most recent version in this repo. The user name is no longer showing in the info bar.

Version 10 of Node.js (code name Dubnium) has been released! 🎊

To see what happens to your code in Node.js 10, Greenkeeper has created a branch with the following changes:

• Added the new Node.js version to your .travis.yml

If you’re interested in upgrading this repo to Node.js 10, you can open a PR with these changes. Please note that this issue is just intended as a friendly reminder and the PR as a possible starting point for getting your code running on Node.js 10.

Your Greenkeeper Bot 🌴

I tested v2.0.1, v2.1.0, and v2.2.0 with the demo page running in github codespace.

On older versions you can click "Login" button and you are redirected to osm page for auth. On newest version clicking "Login" buttons does not do anything.

Single page version on newest version works as expected.

The popup seems to be the default for osmauth. How do we set it to load in the main window? There are no examples around on how to do this in osmauth.js. This would be the preferred behaviour. Popups are being blocked by default by all browsers because of the rampant abuse of popups.

Hi, would it be possible to move all source code files into a subdir, e.g. src/? The root dir seems a bit crowded, had to look closely to figure out what is the code and what are just the docs. Also, still a bit confused about the auto-generated files. Should they be checked in at all?

Thanks for the great example!

If I want to create a new changeset, I get everytime a "401 - Unauthorized".

auth.xhr({
    method: 'GET',
    path: '/api/0.6/user/details'
}, done);

succeeded

auth.xhr({
            method: 'GET',
            path: '/api/0.6/permissions'
}, function(err, details) {
            console.log(err);
            console.log(details);
});

succeeded with following permissions:

<?xml version="1.0" encoding="UTF-8"?>
<osm version="0.6" generator="OpenStreetMap Server">
  <permissions>
    <permission name="allow_read_prefs"/>
    <permission name="allow_write_api"/>
    <permission name="allow_write_notes"/>
  </permissions>
</osm>

But if I create a new Changeset with:

auth.xhr({
        method: 'PUT',
        path: '/api/0.6/changeset/create',
        content:
            '<osm>'+
                '<changeset>'+
                    '<tag k="created_by" v="xxxxxxxxxxxxxxxx"/>'+
                    '<tag k="comment" v="Testing"/>'+
                '</changeset>'+
            '</osm>'
    }, function(err, details) {
        console.log(err);
        console.log(details);
});

I get

Request URL:http://www.openstreetmap.org/api/0.6/changeset/create
Request Method:PUT
Status Code:401 Unauthorized

I test from a localhost-environment.

ohauth --> oauth

see scrennshot below:

While using osm-auth 2.3.0

1. Oauth token in local storage is saved when logging in "". So value is "${token}".
2. Both ${token} and "${token}" in local storage work when making OSM requests.

In 2.4.0:

1. Oauth token is saved without "" when logging in. Value is ${token}.
2. Only ${token} works. "${token}" does not.

User after logging in older version needs to log out and log in again.

I wasn't able to catch this issue when upgrading because I cannot reproduce it with React dev mode on.
Functions are called twice then which might be a reason.

I have workaround: openstreetmap-polska/openaedmap-frontend@8b0d70c

I tried to create simple page but the project source from the CDN is not working. It says uncaught TypeError: osmAuth is not a function

This is the code I use:

<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>

<script src="https://cdn.jsdelivr.net/npm/osm-auth@2/dist/osm-auth.iife.min.js"></script>
</head>
<body>
<script>
    var redirectPath = window.location.origin + window.location.pathname;
	var auth = osmAuth({
	  client_id: "JWXSAzNp64sIRMStTnkhMRaMxSR964V4sFgn3KUZNTA",
	  client_secret: "6umOXfkZqH5CVUtv6iDqN7k8o7mKbQvTrHvbDQH36hs",
	  redirect_uri: redirectPath + "land.html",
	  scope: "read_prefs",
	  auto: true  // show a login form if the user is not authenticated and you try to do a call
	});
</script>

</body>
</html>

Am I doing something wrong? It is all code from the project readme.

When creating the changes, I get the error 401 (Unauthorized). I solved the problem by adding the options: { header: { 'Content-Type': 'text/xml' } } shots as in iD. Perhaps you should write about this in the 'readme'.

Is there a full example that utilizes the singlepage option? I can't seem to get the index.html example working in conjunction with land_single.html, but I'm sure I'm probably missing something obvious...

In the sample code, use https://master.apis.dev.openstreetmap.org/ for the api and apiUrl keys, which will both allow you to safely test the tool in the context of a test server, and show users how to properly configure the test server . I haven't found the information anywhere that I have to provide the same address for both keys. I discovered this through experimentation.

You should also write that to test it locally, I must provide both supported addresses in the application configuration, i.e. both http://127.0.0.1:8080 and http://127.0.0.1:8080/land.html and that I must write them one after the other, because it is not written anywhere either.

I would like to suggest dropping store dependency and using localStorage directly.

Pros:

• dropping dependency which had the latest release 7 years ago
• smaller library size

Cons:

• store has support for some browsers where localStorage is not implemented (IE 6-7)
  See https://www.npmjs.com/package/store#user-content-list-of-supported-browsers and https://caniuse.com/mdn-api_window_localstorage
  But osm-auth already has workaround when store wasn't enabled:

  osm-auth/src/osm-auth.mjs

  Line 171 in 1f2a8a3

  if (!store.enabled) {

What do you think?
I can prepare PR if it makes sense

I have setup the authentication but when iD reloads, the user is not authenticated and the user name (userLink) doesnt show in the info bar.

I am using this to authenticate:

var auth = osmAuth({
singlepage: true,
oauth_consumer_key: '5A043yRSEugj4DJ5TljuapfnrflWDte8jTOcWLlT',
oauth_secret: 'aB3jKq1TRsCOUrfOIZ6oQMEDmv2ptV76PA54NGLL',
landing:"land_single.html"
});
document.getElementById('authenticate').onclick = function() {
auth.authenticate(function() {
});
};

We are migrating radverkehrsatlas.de https://github.com/FixMyBerlin/atlas-app to NextJS using the App Directory and BlitzJS.

I notices to issues related to osm-auth. I want to document them here FYI and so others might find them. We will be moving our OsmAuth server side, so the issue is not pressing for us ATM.

Error Uncaught Error: DYNAMIC_SERVER_USAGE when

I documented the error at blitz-js/blitz#4232 with a log of the error message. I now notice, that this error goes away once we remove the osm-auth dependency. So I assume this is where it came from.

Maybe relevant: In our previous setup as a regular React App, there was also a console error in dev mode related to some re-rendering. This might be the same issues that shows different in the different environments.

Error Module '"osm-auth"' has no exported member 'osmAuth'.ts(2305)

I get this error on this line: import { osmAuth } from 'osm-auth'

Screenshot:

raised here 895c265#r51170032

xtend is deprecated, but this project doesn't really use it for much so we can just get rid of it to avoid install warnings.

Hi,

I was created a TypeScript declaration file for osm-auth lib before.
If you will have a plan for supporting TypeScript declaration,
I would contribute this file to the project.

I am trying to get user login name but auth.xhr returns nothing at all.

After looking at the console of the landing page I found this error: Uncaught TypeError: opener.authComplete is not a function.

I tried to call the authComplete in other ways but with no success.

Steps:

1. Call auth.xhr
2. Click authorize on OSM popup window
3. Script redirects to the landing page
4. There is error on the landing page: Uncaught TypeError: opener.authComplete is not a function
5. auth.xhr callback function is not called at all

Here is my script on main page:

var auth = osmAuth.osmAuth({
    client_id: "xxx",
    client_secret: "yyy",
    redirect_uri: "zzz",
    scope: "read_prefs",
    singlepage: false,
    auto: true  // show a login form if the user is not authenticated and you try to do a call
});
function login() {
        auth.xhr( { method: "GET", path: "/api/0.6/user/details" },
            function (err, result) {
                var div = document.getElementById('output');
                div.innerHTML += 'err:' + err + '<br>';
                div.innerHTML += 'result:' + result;
                console.log("err:");
                console.log(err);
                console.log("result:");
                console.log(result);
            }
        );
    }
);

Here is my landing page script (copied from repository):

opener.authComplete(window.location.href);
//window.close();

What do I need to do to make it work?

Follow up for zerebubuth/openstreetmap-cgimap#146 and zerebubuth/openstreetmap-cgimap#147

Apologies, this issue is a bit confusing, as I identified the root cause in the meantime, and updated the issue a couple of times.

Here's the original issue:

I'm using osm-auth for unit testing, i.e. sending some HTTP POST request to the OSM API with OAuth support. This all works fine. However, we've identified an issue with the following HTTP POST payload:

<dummy id='1'/>

For some reason, parts of this string also make it into the OAuth Authentication header, and worse, there appears to be some issue with the way the apostrophe (') character is being transmitted. If I'm using " instead of ' for the id attribute, everything works fine.

Original xhr call triggering the issue: https://github.com/mmd-osm/osm-auth/blob/6b69fcf23d5c6e33014afa053a5ea08a3a53983c/index.html#L93-L96

I'm suspecting that there was some issue in the way I use this library. Looking at the iD source, here's how the upload call is implemented there.

oauth.xhr({
                method: 'POST',
                path: '/api/0.6/changeset/' + changesetID + '/upload',
                options: { header: { 'Content-Type': 'text/xml' } },
                content: JXON.stringify(changeset.osmChangeJXON(changes))

Once I added the options field to my own call, the issue seems to be gone now. I'm not sure, if I also would need the JXON.stringify. Updated call: https://github.com/mmd-osm/osm-auth/blob/debug_client/index.html#L93-L97

So in conclusion, I think it would be pretty good to have some working example code for an OSM API upload call as part of the documentation in this library.

Re #112
I tried to actually use it - but it looks like all the options aren't actually passed through to fetch

Also accepting a callback is kind of weird, for something that normally would have a .then() chained to it

So I think I'd like to just make this function more compatible with how fetch works.
https://developer.mozilla.org/en-US/docs/Web/API/fetch

I added oauth using this library to the following site:
Http://israelhiking.osm.org.il/
When clicking on the upper right sad face the code activates this library.
This works fine on mobile devices, however if I surf to the sane site using https protocol, I'm getting an empty page from osm oauth page.
Does anyone else has the same problem?

Correctly marked

• .xhr(options, callback) where callback arguments are error and result ( xhr.responseXML or xhr.response)
• .fetch(resource, options) where success is result or throws error.

Incorrectly marked

• .authenticate(callback) where callback arguments should be marked as error and self.
• .authenticateAsync() where success should be marked as self or throws error.
• .bootstrapToken(auth_code, callback) where callback arguments should be marked as error and self.

Why?

In each of these functions success is marked as result, however this is not true. This unsystematic nature complicates learning how to use the library. If a function returns self, it should be written as self, and when it returns a request result, it should be written as result. This is clear, sensible, and lucid.

When initiated from a different locale than english, oauth-osm directs to an english page.
There must be a way to have it load in a different language?

To give more details, I am using iD in a bilingual app. A user can switch to another language from a menu. From that point, the user has loaded iD in the language of their choice and they select the option to authenticate. The login page loads in English and it should be in the langauge iD was set to.

How could this be done? I tried adding parameters to the login url but it doesnt work.

https://github.com/Monduiz/CrowdiD2/tree/CrowdiD2

This library expect cliet secret to be in the JS which is downloaded to the broser. This is insecure and documetation should at least contain a warning about it.

You can read about it for example at https://oauth1.wp-api.org/docs/advanced/Web.html, chapter In-Browser Clients.

Hi - just having a look at this, I notice that the LICENCE file declares it's public domain, while package.json declares it's BSD-licenced. I can't use it if I don't know what licence it's really under ;) Grateful if you could fix this please.

Hi,

I use OSM authentication for one of my projects (OpenTrailView; opentrailview.org) so that people can log into OpenTrailView using their OSM credentials - essentially using OSM as an oauth provider. Some time ago I discussed this on the dev list.

Until now it's used the old oauth1 approach, however I'd like to update it to oauth2. Indeed, oauth1 appears to no longer work.

In principle could osm-auth be used with Node.js?

Looking at the code it uses xmlhttprequest, and there's an NPM package for doing that in node:

https://www.npmjs.com/package/xmlhttprequest

Thanks.

When the Content-Type is application/x-www-form-urlencoded and the POST body is single-part, the OAuth specification requires that the signature include those parameters. I traced through a request on the mobile-note site and it appears as if they are not being included, which would lead to an authorisation failure, and may be the cause of the issue there.

Hello,
With some developers, we started working on a JS library to allow easy requesting of OSM API (meaning with promises, returning clean JS objects...), and we will use osm-auth in order to handle authenticated calls.
As our lib will also be able to perform API calls which don't need authentication (like getting notes in an area), we are wondering if calls without authentication could be enabled in osm-auth ? For the while, xhr method rejects you if you're not authenticated. This implies that any other lib should maintain its own xhr method for not authenticated calls, which is not optimal as we could reuse the one in osm-auth.
Does this makes sense to you ? We are ready to propose a pull-request to enable this.
Regards.

The following code assumes the page name is index.html

oauth_callback: location.href.replace('index.html', '')
                    .replace(/#.*/, '').replace(location.search, '') + o.landing

I was trying it on a page called auth.html (currently for testing) and it failed.
I think a another option should be added, something like indexPage or pageName or whatever you think is appropriate that defaults to index.html

Since options are passed to the constructor, why hardcode land.html for a landing page?

I'd like to use index.html itself as a landing page, checking whether query parameters contain oauth_token and calling opener.authComplete() if they do.

Feel free to close if this is not the right place to ask.

With OSM now supporting OAuth v2.0, are there plans to support that protocol in this library?

This is the only real blocker to this being a drop-in replacement for iD

The options should possibly include an actual access token.

I'm trying to use this library in order to upload a trace file to the following API method:
/api/0.6/gpx/create
As far as I can tell from the code and some test I ran this is not possible?
I might have missed something, but the documentation does not indicate how to do it.
Looking at the code I see the content attribute in the options which uses key value pair with form data.
As far as I can tell in order to upload a file this library needs to support multi-part content, right?