Opened 11 months ago

Closed 8 months ago

Last modified 8 months ago

#18820 closed defect (fixed)

JOSM sends OAuth headers when downloading map

Reported by: simon04
Owned by: team
Priority: normal
Milestone: 20.05
Component: Core
Version:
Keywords: template_report oauth api map
Cc:


What steps will reproduce the problem?

  1. Start with --debug
  2. Login via OAuth
  3. Download map

What is the expected result?

No OAuth headers are sent, since /api/0.6/map is read-only.

What happens instead?

JOSM sends OAuth headers to

2020-02-29 21:50:02.387 FINE: REQEST HEADERS: {Accept-Encoding=gzip, deflate, Authorization=OAuth oauth_consumer_key="xxxx", oauth_nonce="xxxx", oauth_signature="xxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="xxxx", oauth_token="xxxx", oauth_version="1.0"}
2020-02-29 21:50:02.630 INFO: GET,47.2644566,11.3866688,47.2661062 -> HTTP/1.1 200 (244 ms)
2020-02-29 21:50:02.630 FINE: RESPONSE HEADERS: {Transfer-Encoding=[chunked], Keep-Alive=[timeout=5, max=100], null=[HTTP/1.1 200 OK], Strict-Transport-Security=[max-age=31536000; includeSubDomains; preload, max-age=31536000; includeSubDomains; preload], Cache-Control=[private, max-age=0, must-revalidate], Server=[Apache/2.4.29 (Ubuntu)], Content-Disposition=[attachment; filename="map.osm"], Connection=[Keep-Alive], Content-Encoding=[gzip], Date=[Sat, 29 Feb 2020 20:50:02 GMT], Content-Type=[text/xml; charset=utf-8], Expect-CT=[max-age=0, report-uri="", max-age=0, report-uri=""]}

Please provide any additional information below. Attach a screenshot if possible.

Build-Date:2020-02-28 00:24:36

Identification: JOSM/1.5 (15950 SVN en_GB) Linux Arch Linux
Memory Usage: 695 MB / 3531 MB (489 MB allocated, but free)
Java version: 1.8.0_242-b08, Oracle Corporation, OpenJDK 64-Bit Server VM
Screen: :0.0 3840x2160
Maximum Screen Size: 3840x2160
VM arguments: [-agentlib:jdwp=transport=dt_socket,address=,suspend=y,server=n, -Djosm.home=<josm.pref>, -javaagent:/home/simon/bin/idea/plugins/Groovy/lib/agent/gragent.jar, -javaagent:/home/simon/bin/idea/plugins/java/lib/rt/debugger-agent.jar, -agentpath:/tmp/, -Dfile.encoding=UTF-8]
Program arguments: [--set=expert=true, --set=iso.dates=true, --set=debug.edt-checker.enable=true, --debug]
Dataset consistency test: No problems found

Attachments (0)

Change History (7)

comment:1 Changed 11 months ago by simon04

Resolution: invalid
Status: new → closed

This behaviour is intentional, see #13872.

comment:2 Changed 11 months ago by skyper

Resolution: invalid (deleted)
Status: closed → reopened

This should be optional but I did not find any possibility to disable it.

Note: I also got a timeout from Overpass these days after running too many queries of small bboxes within seconds. So, at least for people with the same IP, Overpass might need an adjustment.

comment:3 Changed 8 months ago by simon04

Resolution: fixed
Status: reopened → closed

In 16422/josm:

fix #18820, see #13872 - Make OAuth signing of all API requests configurable

comment:4 Changed 8 months ago by simon04

Milestone: 20.05

comment:5 Changed 8 months ago by mmd

This should be optional but I did not find any possibility to disable it.

What would be a use case why you would disable this?

comment:6 Changed 8 months ago by simon04

comment:7 in reply to: 6 Changed 8 months ago by stoecker

Replying to simon04:

Following the principle of least privilege.

The wiki article as is does not apply here (it does when looking from the API side :-). But I think it's clear what's meant. When not needed to send login data, there should be a chance to prevent it. What's not transmitted also cannot be misused.
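The rule the thread settles on (sign write requests, leave read-only requests such as /api/0.6/map unsigned unless the user opts in to signing every API request) can be expressed as a small per-request policy. The Python below is an added example written for this page; it is not JOSM's code and does not reproduce how r16422 implements the preference. The preference name `sign_all_requests`, the `READ_ONLY_PATHS` list, the sample URLs and the credential values are all constructed for the example. The OAuth 1.0 header is built with a real HMAC-SHA1 signature so that the output has the same shape as the `Authorization=OAuth ...` header quoted in the ticket's debug log.

```python
"""Least-privilege OAuth 1.0 signing policy for an OSM-style API client.

Added example, not JOSM code. Illustrates the point of #18820: a GET to the
read-only /api/0.6/map endpoint carries no Authorization header unless the
user explicitly enables signing of all API requests.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Endpoints that serve unauthenticated reads (assumption for this example;
# the real list would come from the API's documentation).
READ_ONLY_PATHS = ("/api/0.6/map", "/api/0.6/capabilities", "/api/capabilities")

# Constructed sample values; not real endpoints or credentials.
MAP_URL = "https://api.example.invalid/api/0.6/map?bbox=11.3866,47.2644,11.3867,47.2661"
CHANGESET_URL = "https://api.example.invalid/api/0.6/changeset/create"
SAMPLE_CREDS = dict(consumer_key="ck", consumer_secret="cs",
                    token="tk", token_secret="ts")


def _pct(value):
    """RFC 5849 percent-encoding: everything except unreserved characters."""
    return quote(str(value), safe="~")


def oauth1_authorization(method, url, consumer_key, consumer_secret,
                         token, token_secret, nonce=None, timestamp=None):
    """Return an RFC 5849 HMAC-SHA1 'Authorization' header value."""
    scheme, netloc, path, query, _ = urlsplit(url)
    base_url = f"{scheme}://{netloc}{path}"
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Query parameters and oauth_* parameters are encoded, sorted, and joined
    # into the normalised parameter string of the signature base string.
    params = list(parse_qsl(query, keep_blank_values=True)) + list(oauth.items())
    encoded = sorted((_pct(k), _pct(v)) for k, v in params)
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    base_string = "&".join([method.upper(), _pct(base_url), _pct(normalised)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(oauth.items()))


def needs_credentials(method, url, sign_all_requests=False):
    """Sign everything except GETs to known read-only paths, unless the
    user has opted in to signing all requests."""
    if sign_all_requests:
        return True
    path = urlsplit(url).path
    return not (method.upper() == "GET" and path.startswith(READ_ONLY_PATHS))


def build_headers(method, url, creds, sign_all_requests=False):
    """Assemble request headers, attaching OAuth only when the policy says so."""
    headers = {"Accept-Encoding": "gzip, deflate"}
    if needs_credentials(method, url, sign_all_requests):
        headers["Authorization"] = oauth1_authorization(method, url, **creds)
    return headers


def find_credential_exposure(requests):
    """Audit check: list (method, url) pairs where an Authorization header was
    sent to a read-only endpoint. Input is (method, url, headers) tuples, e.g.
    reconstructed from a --debug log."""
    return [(m, u) for m, u, h in requests
            if "Authorization" in h and not needs_credentials(m, u)]


if __name__ == "__main__":
    for method, url in (("GET", MAP_URL), ("PUT", CHANGESET_URL)):
        print(method, url, "->", sorted(build_headers(method, url, SAMPLE_CREDS)))
    print("opt-in signing of map download:",
          sorted(build_headers("GET", MAP_URL, SAMPLE_CREDS, sign_all_requests=True)))
```

With the default policy a map download carries only `Accept-Encoding`; the changeset creation carries the OAuth header; and with `sign_all_requests=True` the map download is signed as well, which is the pre-fix behaviour the reporter observed. `find_credential_exposure` is the corresponding check for request records already captured in a debug log.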
