[OSM-dev] Announcing: Simple Map Editor (GSoC 2010)

Michael Daines michael at mdaines.com
Fri Aug 20 04:49:30 BST 2010

> It's awesome that it uses OAuth, I tip my hat at you for getting that
> working! I hope to see many people building on your work. Could you
> explain more what the ruby proxy layer does? Is it just handling the
> session stuff or does it do translations between OSM API and the
> javascript code?

Sessions are handled by keeping the OAuth access token in the user's localStorage. (I believe this is incompatible with several versions of Internet Explorer, but it has an equivalent method I can implement later.) I don't know that this is the best solution, but I think it's the closest to what a desktop application might do when dealing with OAuth, and it allows me to not have to keep state in the proxy, so no database.

The proxy layer is split into two parts:

- A proxy for doing bbox queries on the map, which requires no authentication. I use the rack-streaming-proxy gem for this.

- A proxy for OAuth and the API methods requiring authentication. This is in lib/osm_auth.rb. The /auth/request and /auth/access URLs handle getting request and access tokens, and the /proxy/* handlers use the OAuth gem to make requests to the API. I send the access token and secret from the JS part using special headers.

> I'll also put out a plea to any Ruby/OAuth experts that we're still
> looking for someone to tackle
> http://wiki.openstreetmap.org/wiki/OAuth/10a

I believe there's also some newer version of OAuth which specifically takes into account browser applications (although the last time I checked, that stuff wasn't really "standardized").

Another thing that would be nice would be being able to tell the API I want to revoke tokens. Right now, if the user authorizes and deauthorizes several times, old tokens can pile up in their OAuth settings. I "log out" by simply clearing the token from localStorage.

-- Michael
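
The stateless arrangement described in the message above, as an added example that is not part of the original post and is not the project's lib/osm_auth.rb: the handler takes the access token and secret from request headers, signs one upstream call per RFC 5849, and keeps nothing. The header names, consumer credentials and URL are assumptions (the post does not name them), and the post's proxy uses the OAuth gem where this example signs by hand with HMAC-SHA1 for a URL without a query string.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical header names (Rack env form); the post only says "special headers".
TOKEN_HEADER  = 'HTTP_X_OSM_TOKEN'
SECRET_HEADER = 'HTTP_X_OSM_TOKEN_SECRET'

# RFC 3986 percent-encoding, as OAuth 1.0 requires (RFC 5849, section 3.6).
def pct(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Read the per-request credentials from the Rack env; the proxy stores nothing.
def credentials_from(env)
  pair = [env[TOKEN_HEADER], env[SECRET_HEADER]]
  raise ArgumentError, 'missing access token headers' if pair.any? { |v| v.nil? || v.empty? }
  pair
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameters.
def signature_base(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort.map { |kv| kv.join('=') }.join('&')
  [method.upcase, pct(url), pct(normalized)].join('&')
end

# Authorization header for an upstream call (URL assumed to have no query string).
def authorization_header(env, method, url, consumer_key:, consumer_secret:,
                         nonce: SecureRandom.hex(16), timestamp: Time.now.to_i)
  token, token_secret = credentials_from(env)
  params = {
    'oauth_consumer_key' => consumer_key, 'oauth_nonce' => nonce,
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
    'oauth_token' => token, 'oauth_version' => '1.0'
  }
  # Both secrets go into the HMAC key only; neither appears in the header.
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, signature_base(method, url, params))
  params['oauth_signature'] = [mac].pack('m0')
  'OAuth ' + params.sort.map { |k, v| %(#{k}="#{pct(v)}") }.join(', ')
end

# Constructed sample request, as it would reach a /proxy/* handler.
if $PROGRAM_NAME == __FILE__
  env = { TOKEN_HEADER => 'tok-constructed', SECRET_HEADER => 'sec-constructed' }
  puts authorization_header(env, 'PUT', 'https://api.example.org/api/0.6/changeset/create',
                            consumer_key: 'ck-constructed', consumer_secret: 'cs-constructed')
end
```

Because the token secret travels from the browser on every request, the link between the JS client and the proxy carries the same sensitivity as the token itself.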
