<p><b>@tomhughes</b> requested changes on this pull request.</p>

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4226#discussion_r1327367280">config/settings.yml</a>:</p>
<pre style='color:#555'>> @@ -150,3 +150,7 @@ smtp_password: null
 #signup_ip_max_burst:
 #signup_email_per_day:
 #signup_email_max_burst:
+#doorkeeper_signing_key: |
</pre>
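<p dir="auto">Review bot: the comment requested here should also say what the value is: a private key (a multi-line PEM block, hence the <code class="notranslate">|</code>) that the provider uses to sign OpenID Connect ID tokens. Because it is a secret, the real key must never be committed to this file; as with <code class="notranslate">smtp_password</code> above, it should stay unset here and be supplied from a local, untracked override.</p>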
<p dir="auto">I know it's kind of self describing but every other option or group of options has a comment before it so can we add one here.</p>

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4226#discussion_r1327368232">config/settings/test.yml</a>:</p>
<pre style='color:#555'>> @@ -22,3 +22,33 @@ trace_icon_storage: "test"
 # Lower some rate limits for testing
 max_changeset_comments_per_hour: 30
 moderator_changeset_comments_per_hour: 60
+
</pre>
<p dir="auto">We don't have any other blank lines in this file, rather each group of options is preceded by a comment.</p>

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4226#discussion_r1327369246">db/structure.sql</a>:</p>
<pre style='color:#555'>> @@ -107,6 +114,7 @@ CREATE TYPE public.user_status_enum AS ENUM (
     'deleted'
 );
 
+
</pre>
<p dir="auto">This extra blank line looks suspicious?</p>

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4226#discussion_r1327370662">db/structure.sql</a>:</p>
<pre style='color:#555'>> @@ -3448,3 +3518,5 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('7'),
 ('8'),
 ('9');
+
+
</pre>
<p dir="auto">These two extra blank lines at the end also look suspicious.</p>

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4226#discussion_r1327374188">test/integration/oauth2_test.rb</a>:</p>
<pre style='color:#555'>>    private
 
   def authorize_client(user, client, options = {})
     options = options.merge(:client_id => client.uid,
                             :redirect_uri => client.redirect_uri,
                             :response_type => "code",
-                            :scope => "read_prefs")
+                            :scope => "read_prefs") { |_key, oldval, _newval| oldval }
</pre>
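<p dir="auto">Review bot: whichever merge form is used, caller-supplied options win, so a test can override <code class="notranslate">:client_id</code> and <code class="notranslate">:redirect_uri</code> as well as <code class="notranslate">:scope</code>. That is worth exercising deliberately with a negative test that passes a <code class="notranslate">:redirect_uri</code> other than <code class="notranslate">client.redirect_uri</code> and asserts the authorization is refused, since matching the registered redirect URI is what stops an authorization code from being delivered to the wrong callback.</p>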
<p dir="auto">If you want to reverse the priority then just reverse the hashes rather than using a lambda like that, so something like:</p>
<div class="highlight highlight-source-ruby" dir="auto"><pre class="notranslate">options = {
  :client_id => client.uid,
  :redirect_uri => client.redirect_uri,
  :response_type => "code",
  :scope => "read_prefs"
}.merge(options)</pre></div>

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4226#discussion_r1327436422">test/integration/oauth2_test.rb</a>:</p>
<pre style='color:#555'>> +    state = SecureRandom.urlsafe_base64(16)
+    verifier = SecureRandom.urlsafe_base64(48)
+    challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), :padding => false)
+
+    authorize_client(user, client, :state => state, :code_challenge => challenge, :code_challenge_method => "S256", :scope => "openid read_prefs")
+    assert_response :redirect
+    code = validate_redirect(client, state)
+
+    tokens = request_tokens(client, code, verifier)
+    id_token = tokens[:id_token]
+    access_token = tokens[:access_token]
+
+    assert_not_nil(id_token)
+
+    data, _headers = JWT.decode id_token, Doorkeeper::OpenidConnect.signing_key.keypair, true, {
+      :algorithm => [Doorkeeper::OpenidConnect.signing_algorithm.to_s],
</pre>
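<p dir="auto">Review bot: besides fetching the key via discovery, the decode should be followed by claim checks that the visible assertions do not make: <code class="notranslate">iss</code> equal to the issuer, <code class="notranslate">aud</code> equal to <code class="notranslate">client.uid</code>, <code class="notranslate">exp</code> in the future, and a <code class="notranslate">nonce</code> that the test sends with the authorize request (the call above passes <code class="notranslate">state</code> but no <code class="notranslate">nonce</code>) and asserts back from the ID token. Also, <code class="notranslate">Doorkeeper::OpenidConnect.signing_key.keypair</code> hands the verifier the private key; a client only ever holds the public half, so the public key (the JWK from <code class="notranslate">jwks_uri</code>, or the key's <code class="notranslate">public_key</code> if <code class="notranslate">keypair</code> is an OpenSSL RSA key) is the right input even in a test.</p>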
<p dir="auto">We should probably get the key and algorithm the same way a real client will, by fetching <code class="notranslate">/oauth2/discovery/keys</code>.</p>
<p dir="auto">In fact we should probably fetch <code class="notranslate">/.well-known/openid-configuration</code> and do some validation on it, then follow the <code class="notranslate">jwks_uri</code> entry to get the keys.</p>
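<p dir="auto">The client-side flow described in this comment (fetch <code class="notranslate">/.well-known/openid-configuration</code>, validate it, follow <code class="notranslate">jwks_uri</code>, pick the key by <code class="notranslate">kid</code>, verify the ID token and its claims), written out as an added example. This is not code from the PR or the openstreetmap-website project: it uses only Ruby's stdlib (openssl, json, base64), the "HTTP" layer is an in-memory hash of URL to body so it runs offline, and <code class="notranslate">ISSUER</code>, <code class="notranslate">CLIENT_ID</code>, <code class="notranslate">KID</code>, the signing key and the claim values are constructed fixtures.</p>

```ruby
# Added example, not code from the PR or the openstreetmap-website project:
# the relying-party flow from the comment above, run against in-memory
# documents so it works offline. Stdlib only (openssl, json, base64).
# ISSUER, CLIENT_ID, KID, the signing key and all claims are constructed.
require "openssl"
require "json"
require "base64"

ISSUER      = "https://provider.example"   # constructed issuer
CLIENT_ID   = "client-abc"                 # constructed client id
KID         = "key-1"                      # constructed key id
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048) # provider's private key (constructed)

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, :padding => false)
end

# --- provider side: the two documents a real server publishes (constructed) ---
def provider_documents(key = SIGNING_KEY, kid = KID)
  pub  = key.public_key
  jwks = { "keys" => [{ "kty" => "RSA", "use" => "sig", "alg" => "RS256", "kid" => kid,
                        "n" => b64url(pub.n.to_s(2)), "e" => b64url(pub.e.to_s(2)) }] }
  conf = { "issuer" => ISSUER, "jwks_uri" => "#{ISSUER}/oauth2/discovery/keys",
           "id_token_signing_alg_values_supported" => ["RS256"] }
  { "#{ISSUER}/.well-known/openid-configuration" => JSON.generate(conf),
    "#{ISSUER}/oauth2/discovery/keys"            => JSON.generate(jwks) }
end

# Mint an RS256 ID token the way the provider would (constructed claims).
def issue_id_token(nonce, key = SIGNING_KEY, kid = KID, now = Time.now.to_i)
  header  = { "alg" => "RS256", "typ" => "JWT", "kid" => kid }
  payload = { "iss" => ISSUER, "sub" => "user-42", "aud" => CLIENT_ID,
              "iat" => now, "exp" => now + 300, "nonce" => nonce }
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# --- client side: what a relying party (or the integration test) should do ---
def fetch_json(documents, url)
  JSON.parse(documents.fetch(url) { raise "no document at #{url}" })
end

# Fetch and sanity-check the discovery document before trusting anything in it.
def discover(documents, issuer)
  conf = fetch_json(documents, "#{issuer}/.well-known/openid-configuration")
  raise "issuer mismatch: #{conf['issuer'].inspect}" unless conf["issuer"] == issuer
  raise "discovery document has no jwks_uri" unless conf["jwks_uri"].is_a?(String)
  raise "jwks_uri is not https" unless conf["jwks_uri"].start_with?("https://")
  conf
end

# Rebuild an RSA public key from JWK n/e (PKCS#1 RSAPublicKey DER).
def rsa_key_from_jwk(jwk)
  n = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["n"]), 2)
  e = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["e"]), 2)
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n),
                                                  OpenSSL::ASN1::Integer(e)]).to_der)
end

# Verify signature and claims; returns the claims hash or raises RuntimeError.
def verify_id_token(documents, id_token, expected_nonce, now = Time.now.to_i)
  conf = discover(documents, ISSUER)
  h64, p64, s64 = id_token.split(".")
  raise "malformed token" unless h64 && p64 && s64
  header = JSON.parse(Base64.urlsafe_decode64(h64))
  # Allow only the algorithm discovery advertises; never let the token choose.
  unless header["alg"] == "RS256" && conf["id_token_signing_alg_values_supported"].include?("RS256")
    raise "unexpected alg #{header['alg'].inspect}"
  end
  jwk = fetch_json(documents, conf["jwks_uri"])["keys"]
        .find { |k| k["kty"] == "RSA" && k["kid"] == header["kid"] }
  raise "no RSA key with kid #{header['kid'].inspect}" unless jwk
  key = rsa_key_from_jwk(jwk)
  sig = Base64.urlsafe_decode64(s64)
  raise "bad signature" unless key.verify(OpenSSL::Digest.new("SHA256"), sig, "#{h64}.#{p64}")
  claims = JSON.parse(Base64.urlsafe_decode64(p64))
  raise "wrong issuer"   unless claims["iss"] == ISSUER
  raise "wrong audience" unless claims["aud"] == CLIENT_ID
  raise "token expired"  unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  raise "nonce mismatch" unless claims["nonce"] == expected_nonce
  claims
end

if __FILE__ == $PROGRAM_NAME
  docs  = provider_documents
  nonce = b64url(OpenSSL::Random.random_bytes(16))
  puts verify_id_token(docs, issue_id_token(nonce), nonce).inspect
end
```

<p dir="auto">The order matters: the discovery document is checked for the expected issuer and an https <code class="notranslate">jwks_uri</code> before it is followed, the signing algorithm is pinned to what discovery advertises rather than read from the token header, the key is selected by <code class="notranslate">kid</code> from the published set, and only after the signature verifies are <code class="notranslate">iss</code>, <code class="notranslate">aud</code>, <code class="notranslate">exp</code> and <code class="notranslate">nonce</code> compared against what the client sent and expects.</p>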

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4226#discussion_r1327438516">test/integration/oauth2_test.rb</a>:</p>
<pre style='color:#555'>> @@ -116,6 +161,11 @@ def validate_redirect(client, state)
   end
 
   def request_token(client, code, verifier = nil)
+    tokens = request_tokens(client, code, verifier)
+    tokens[:access_token]
+  end
+
+  def request_tokens(client, code, verifier = nil)
</pre>
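<p dir="auto">Review bot: <code class="notranslate">request_token</code> returns <code class="notranslate">tokens[:access_token]</code> without checking it, so a token response that lacks that key comes back as <code class="notranslate">nil</code> and only fails at whatever later request tries to use it. An <code class="notranslate">assert_not_nil</code> on the access token (here or in the routine that parses the response) keeps the failure next to its cause.</p>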
<p dir="auto">I think we should leave this called <code class="notranslate">request_token</code> and get rid of the other routine, then have this just return <code class="notranslate">token</code> and have the callers pick out the bits they want.</p>
