[OSM-dev] API authentication
Frederik Ramm
frederik at remote.org
Mon May 14 02:03:20 BST 2007
Hi,
> Some quick tests and it looks trivial to be able to restrict API
> authentication to just POST/DELETE/whatever requests.
> What does this mean?
First of all, it saves an extra HTTP roundtrip in many cases (initial
JOSM downloads etc), so thumbs up.
> If JOSM or $EDITOR were to set Accept: headers on their request then
> they could be given text/xml OSM data. If Accept: wasn't present
> then, say, JSON could be returned or text/html.
Cool, and Accept: application/pdf would return a PDF atlas ;-)
However, many browsers natively accept XML data and display it in an XML
viewer. Firefox, by default, sends:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
So the Accept: header alone is probably not suitable for selecting what
to deliver, unless we would define a special OSM MIME type
(application/osmxml or whatever).
> The simplest possible thing that could work as a first step is to
> turn off requiring authentication for GET requests. I haven't just
> done it in case it horribly breaks some client or other
Most clients probably use some sort of abstraction lib that does
everything magically anyway, i.e. $CLIENT provides password to $LIBRARY
which sends it to the server if the server so desires, and $CLIENT
won't even notice your change.
Bye
Frederik
--
Frederik Ramm ## eMail frederik at remote.org ## N49°00.09' E008°23.33'
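
Added example, not part of the original message and not OSM server code: a q-value negotiation over the Firefox Accept: header quoted above, showing that a browser would be handed text/xml and that a dedicated type would separate editors from browsers. The function names, the offer lists and the use of application/osmxml (the message's own "or whatever" suggestion) are assumptions.

```python
# Firefox default Accept: header as quoted in the message above.
FIREFOX_ACCEPT = ("text/xml,application/xml,application/xhtml+xml,"
                  "text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5")

def parse_accept(header):
    """Return [(media_range, q)] in header order; a missing q means 1.0."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = max(0.0, min(1.0, float(value)))
                except ValueError:
                    q = 0.0  # malformed q: treat the range as not acceptable
        ranges.append((parts[0].lower(), q))
    return ranges

def specificity(media_range, offer):
    """2 = exact match, 1 = type/* match, 0 = */* match, -1 = no match."""
    if media_range == offer:
        return 2
    rtype, _, rsub = media_range.partition("/")
    if rsub == "*" and rtype == offer.split("/")[0]:
        return 1
    return 0 if media_range == "*/*" else -1

def negotiate(header, offers, default):
    """Pick the offer with the highest q; order of `offers` breaks ties.
    Returns `default` without an Accept: header, None if nothing is acceptable."""
    if not header:
        return default
    ranges = parse_accept(header)
    best, best_q = None, 0.0
    for offer in offers:
        matches = [(specificity(r, offer), q) for r, q in ranges
                   if specificity(r, offer) >= 0]
        if matches:
            q = max(matches)[1]  # the most specific matching range sets q
            if q > best_q:
                best, best_q = offer, q
    return best
```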