[OSM-dev] API suggestion - "authorise"?
Nick Whitelegg
nick at hogweed.org
Sat Nov 17 11:44:50 GMT 2007
On Saturday 17 Nov 2007 10:39, Tom Hughes wrote:
> In message <200711170905.18363.nick at hogweed.org>
>
> Nick Whitelegg <nick at hogweed.org> wrote:
> > Doesn't look like you can do this at the moment but what would be good to
> > have in the API is an "authorise" call which will do nothing but take a
> > username and password and return either 200 OK if OK, or 401 if invalid.
> > This would make it easier for client sites which use the API to perform
> > modifications to add an OSM login, as the user could get instant
> > feedback as to whether the login was incorrect, as opposed to waiting
> > until they actually edit something.
>
> You certainly can do it - both trac and the forum make use of it.
>
> In principle any API call will do as you will get a 401 response if
> the credentials you provide are no good.
>
> The recommended way is to use /api/0.5/user/details which will return
> a small XML document giving some details of the user, and will obviously
> fail if the HTTP authentication credentials are not valid.
>
> Tom
Thanks for that - what I used to do when I developed the "POI Editor" back in
May was to just use a GET call, though these don't require a login now.

One guy emailed me privately recommending I shouldn't do this sort of thing
(i.e. take login details on my site then forward them to OSM) for security
reasons though I have to admit that despite not being a security expert I'm
not convinced - I don't really see a major problem with it, no more than
using non-HTTPS communication in general (and OSM doesn't currently use
HTTPS). Also, I thought one of the whole ideas of the "web 2.0 way of doing
things" is to provide flexibility in the form of APIs/interfaces which could be
called by third parties.

My specific case is the 'osmajax' editor I'm developing (which I'm hosting on
Freemap but manipulating the live API). When I get people to log in, I explain
to them precisely what I'm doing.

If any of the 'key' people (Steve, Tom, Andy, Etienne etc) are unhappy with me, or
anyone else, doing this though, let me know.

Nick
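
The credential check Tom describes in the quoted reply (request `user/details` with HTTP Basic authentication, 200 means valid, 401 means invalid), as an added example that is not part of the original thread or of any OSM code. The function name, the `api_base` parameter and the `allow_plain_http` switch are assumptions for illustration; the thread gives only the `/api/0.5/user/details` path.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects: urllib would resend the Authorization header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_osm_login(api_base, username, password, allow_plain_http=False, timeout=10):
    """Return True on 200, False on 401; raise on anything else.

    api_base is an assumption (the thread names only the path), e.g.
    "https://osm.example/api/0.5" (constructed placeholder host).
    """
    scheme = urllib.parse.urlsplit(api_base).scheme
    if scheme != "https" and not (scheme == "http" and allow_plain_http):
        # Basic auth is only base64-encoded, so plain HTTP exposes the password.
        raise ValueError("refusing to send credentials over %r" % scheme)

    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        api_base.rstrip("/") + "/user/details",
        headers={"Authorization": "Basic " + token},
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        # 3xx (redirect refused), 5xx, etc.: not a verdict on the credentials.
        raise
```

Only a 401 is reported as a bad login; a refused redirect or a server error is raised to the caller, so an outage is not shown to the user as a wrong password.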