OSM Live participants: a) no https for credentials b) use oauth or other secure methods #37
Comments
Yes, a third-party site shouldn't be asking for passwords. That's what OAuth is for, and examples like this are often cited as reasons to remove HTTP basic auth.
Plus 1
No worries, we are on the same side. I support this request and feel it is critical. I will try to find a web developer and improve it.
Any update on this? I'd like to earn some Bitcoins for my mapping, but I'm not going to give out my OSM password.
@M1dgard you can change your password to a dummy pw, authorize osmand.net and reset the password to a strong one.
Well, at least the page is being served up via HTTPS now.
@HolgerJeromin fully agree, maybe we should make a note! We don't try to use OSM credentials, but we don't have web specialists to set up OAuth. Any help is welcome.
@vshcherb did you close the issue on purpose?
Please reopen this issue. OSMAnd should not be requesting our OpenStreetMap usernames and passwords.
https was implemented.
Ok. Is there an issue I can subscribe to for getting OAuth support up and running? osmandapp/OsmAnd#3457 was closed as a duplicate of this, but was about the OAuth support. Perhaps open that issue again?
In fact, I'd prefer an issue about OAuth being used in the app, as well as, and as distinct from, the website.
@dbdean we currently have no OAuth issue for the app itself.
Yes, but that doesn't fix part b, which is about not having to give your password to a third party. This is different from using HTTP basic auth for an editor, because no third parties are involved there.
a) https - is in place
Where is the code for this API? The only file I could find appears to be deleted.
The page that allows people to sign up to be OSM Live recipients (http://osmand.net/osm_live) asks for an OSM user name and password and then transmits them in an unencrypted HTTP POST back to osmand.net servers.
This is completely unacceptable.
At the very least the form post should be happening via HTTPS. I can't even use HTTPS if I try, because the certificate is self-signed and the SSL virtual host is not configured, so all I get is a 404 anyway.
However, the real solution is to use OAuth and not ask for people's passwords at all.
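The report above describes a form that collects OSM credentials and posts them over plain HTTP. As an added example (not code from the OsmAnd project or the issue), the Python auditor below parses a constructed page modelled on that report and flags every form holding a password field whose resolved action URL is not https; the action path and field names are constructed stand-ins.

```python
"""Flag HTML forms that submit a password field over plain HTTP.
Added example, not code from the OsmAnd project. The HTML below is constructed
to mirror the report: an http:// signup page collecting an OSM username/password."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page and URL; nothing here is fetched from osmand.net.
PAGE_URL = "http://osmand.net/osm_live"
SAMPLE_HTML = """
<form action="/osm_live/subscribe" method="post">
  <input type="text" name="osm_user">
  <input type="password" name="osm_pwd">
</form>
<form action="https://example.invalid/search" method="get">
  <input type="text" name="q">
</form>
"""

class FormAuditor(HTMLParser):
    """Record each form's resolved action URL and whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []      # one {"action": str, "has_password": bool} per form
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative action inherits the page's scheme, so resolve it against the page URL.
            self._current = {"action": urljoin(self.page_url, attrs.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_password_forms(html, page_url):
    """Return the action URLs of forms that would send a password anywhere but over https."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [f["action"] for f in auditor.forms
            if f["has_password"] and urlsplit(f["action"]).scheme != "https"]
```

Serving the same page over https (the fix noted later in the thread) makes the relative action resolve to https and the finding disappears, which is exactly part a) of the request; part b), not collecting the password at all, is not something this check can confirm.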