[OSM-dev] API suggestion - "authorise"?

Lambertus osm at na1400.info
Sat Nov 17 12:13:00 GMT 2007


As TomH said earlier, the forum also uses the API for authentication (only 
for about a week now, though). I have not heard of anyone complaining about 
security or even mentioning it; in fact I was urged to implement this. Note 
that the forum runs on an external site even though it uses an OSM 
subdomain, so its situation is comparable to yours.

As a sidenote, I agree that using plain HTTP for authentication is not very 
secure: with HTTP Basic the password is only base64-encoded, so anyone on the 
path between the forum and the API can read it. Common sense dictates the use 
of different passwords for every account, so an intercepted OSM password won't 
do much harm to your *other* accounts — but it still gives the attacker the OSM 
account itself (and, since the forum trusts OSM, the forum account too). Only 
sending the request over HTTPS actually prevents that.

Below is the PHP code that performs the authentication; maybe it is of use 
to you (heavily modified example code, so don't look at the aesthetics):

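/**
 * Fetch $url over HTTP or HTTPS on a raw socket and return the parsed response.
 *
 * @param string $user  user name; when non-empty an HTTP Basic Authorization
 *                      header is sent (Basic is only base64 — use an https URL
 *                      or the password travels in the clear)
 * @param string $pass  password for the Basic header
 * @param string $url   absolute URL to fetch
 * @return array|false  false when the URL has no host or the socket cannot be
 *                      opened; otherwise an array with 'status' => status
 *                      line, one lower-cased entry per response header, and
 *                      'body' => the raw body (header/body split on the first
 *                      blank line, per HTTP/1.0 framing)
 *
 * Fixes relative to the earlier version: the Host header used an undefined
 * $addr (now the parsed host); the request line sent the whole $url, so any
 * user:pass@ embedded in it ended up in the server's access log (now the path
 * and query only); a non-standard "Credentials: user:pass" header that sent
 * the password unencoded, which nothing consumed, is no longer emitted; the
 * TLS peer is verified explicitly; the socket is closed; $headers is
 * initialised so an empty response yields an array rather than null.
 */
function my_get_url($user, $pass, $url) {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host']) || $parts['host'] === '') {
        return false;
    }
    $host = $parts['host'];
    $isHttps = isset($parts['scheme']) && strtolower($parts['scheme']) === 'https';

    // origin-form request-target: path plus query, never the authority part
    $target = (isset($parts['path']) && $parts['path'] !== '') ? $parts['path'] : '/';
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }

    if ($isHttps) {
        $port = isset($parts['port']) ? $parts['port'] : 443;
        // Explicit certificate verification: without it a man-in-the-middle
        // can read the Basic credentials (PHP < 5.6 did not verify by default).
        $ctx = stream_context_create(array('ssl' => array(
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $host,
        )));
        $fp = stream_socket_client('ssl://' . $host . ':' . $port, $errno, $errstr, 10,
                                   STREAM_CLIENT_CONNECT, $ctx);
    } else {
        $port = isset($parts['port']) ? $parts['port'] : 80;
        $fp = stream_socket_client('tcp://' . $host . ':' . $port, $errno, $errstr, 10);
    }
    if (!$fp) {
        return false;
    }
    stream_set_timeout($fp, 10);

    $request = "GET $target HTTP/1.0\r\nHost: $host\r\n";
    if ($user) {
        $request .= 'Authorization: Basic ' . base64_encode("$user:$pass") . "\r\n";
    }
    $request .= "Connection: close\r\n\r\n";
    fwrite($fp, $request);

    $response = array('status' => '', 'body' => '');
    $inBody = false;
    while (!feof($fp)) {
        $line = fgets($fp, 1024);
        if ($line === false) {
            break;
        }
        if ($inBody) {
            $response['body'] .= $line;
            continue;
        }
        $line = trim($line);
        if ($line === '') {
            // The first blank line after the status line ends the header
            // block; blank lines before the status line are ignored.
            $inBody = $response['status'] !== '';
            continue;
        }
        if ($response['status'] === '') {
            $response['status'] = $line;
            continue;
        }
        $colon = strpos($line, ':');
        if ($colon === false) {
            // Header line without a name/value separator (e.g. the tail of a
            // line longer than fgets' buffer): ignore rather than clobber status.
            continue;
        }
        $name = strtolower(substr($line, 0, $colon));
        $response[$name] = trim(substr($line, $colon + 1));
    }
    fclose($fp);
    return $response;
}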

// Which login step was requested; null when the query string has no "action".
$action = null;
if (isset($_GET['action'])) {
    $action = $_GET['action'];
}

if (isset($_POST['form_sent']) && $action == 'in')
{
 //Login attempt
 $form_username = trim($_POST['req_username']);
 $form_password = trim($_POST['req_password']);
 $form_password_hash = pun_hash($form_password); // This could result in 
either an SHA-1 or an MD5 hash (depends on $sha1_available)

 print "Checking your identity against OpenStreetMap userbase. Please wait 
for the server to complete the process....";
 $authURL=sprintf("http://%s:%s@api.openstreetmap.org/api/0.5/user/details",urlencode($form_username),urlencode($form_password)); $header = my_get_url($form_username, $form_password, $authURL); if ($header['status'] == 'HTTP/1.0 200 OK') {  $sc_pos = strpos($header['body'], 'display_name="');  if ($sc_pos > 0) {   $sc_pos += 14;   $sc_end = strpos($header['body'], '"', $sc_pos);   $username = substr($header['body'], $sc_pos, $sc_end - $sc_pos);   if (strlen($username) == 0)    message('A problem was encountered: The display name cannot be empty.Please setup your <ahref="http://forum.openstreetmap.org/viewtopic.php?pid=1087">\'Displayname\'</a> which you can find on the \'My Settings\' page on theOpenStreetMap main page.');  }  else   message('A problem was encountered: Could not lookup the Display name inthe authentication response. Please try again');  // Does the user exist already?  $username_sql = ($db_type == 'mysql' || $db_type == 'mysqli') ?'username=\''.$db->escape($u
 sername).'\'' :'LOWER(username)=LOWER(\''.$db->escape($username).'\')';  $result = $db->query('SELECT id, group_id FROM '.$db->prefix.'users WHERE'.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__,$db->error());  list($user_id, $group_id) = $db->fetch_row($result);  if (!$user_id) {   //Create the user   $intial_group_id = ($pun_config['o_regs_verify'] == '0') ?$pun_config['o_default_user_group'] : PUN_UNVERIFIED;   $email1 = "";   $email_setting = 1;   $save_pass = 0;   $timezone = 0;   $language = $pun_config['o_default_lang'];   $now = time();   $sql = 'INSERT INTO '.$db->prefix.'users (username, group_id, password,email, email_setting, save_pass, timezone, language, style, registered,registration_ip, last_visit) VALUES(\''.$db->escape($username).'\','.$intial_group_id.', \''.$form_password_hash.'\', \''.$email1.'\','.$email_setting.', '.$save_pass.', '.$timezone.' ,\''.$db->escape($language).'\', \''.$pun_config['o_default_style'].'\','.$now.', \''
 .get_remote_address().'\', '.$now.')';   $db->query($sql) or error('Unable to create user', __FILE__, __LINE__,$db->error());   $user_id = $db->insert_id();  }  $authorized = true; } else {// remote auth failed. Fail totally (returning NULL would Phorum let dothe auth locally)  $authorized = false; }//At this point you know if you're authorized or not




