[OSM-dev] Usage of the standard dev server

Paul Norman penorman at mac.com
Thu Feb 4 22:19:32 UTC 2016


On 2/4/2016 1:47 PM, markus schnalke wrote:
> Instead of transmitting the username and password, the oauth token
> and secret are transmitted. How is that different, besides the
> ability of restricting the permitted actions?

No, the token and secret are used to sign the request. Someone who MITMs 
your connection can read the traffic, drop it, but not pretend to be you 
to the API server or modify it. I've done this in testing of a local API 
proxy. There are some attack vectors with oauth + HTTP that remain open, 
but not ones which involve pretending to be the user or stealing 
credentials.

> (And shouldn't that oauth secret be transmitted via httpS as well,
> because it's a secret? Hence coming back to my original remark.)

The redaction bot was written before HTTPS was fully available, and I 
believe it also talked over a local network connection to the API 
server. I should change it to HTTPS at some point.

> If you'd take the time, I'd be glad to learn the advantages of
> oauth over http basic auth, especially because for a command line
> application it appears to be mainly inconvenient (needs a web
> browser to be available (which actually is an issue for me), plus
> switching to it and back) and only better by the ability to limit
> the permitted actions.

The advantage is that it avoids the editor knowing the user's password, 
or storing the password.

Personally, I'd like to see HTTP basic auth removed as an authentication 
option in the future. All apps *should* be using OAuth.
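Added example, not part of the original message or of any OSM code: a minimal OAuth 1.0a HMAC-SHA1 signing and verifying pair (RFC 5849) placed beside an HTTP basic auth header, to show the point made above. The consumer key, token, secrets, nonce, timestamp, username, password and URL are all constructed for the demo. The secrets are only ever used as the HMAC key, so a passive observer of plain HTTP sees the signature but never the secret, and any change to the signed request (method, URL, parameters) makes the server's recomputed MAC disagree.

```python
"""OAuth 1.0a HMAC-SHA1 request signing beside HTTP basic auth (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlparse

# Constructed credentials for the demo; not real OSM or dev-server values.
CONSUMER_KEY, CONSUMER_SECRET = "demo-consumer-key", "demo-consumer-secret"
TOKEN, TOKEN_SECRET = "demo-access-token", "demo-token-secret"
USERNAME, PASSWORD = "alice", "hunter2"


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters kept."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """Normalise method, base URL and all parameters into the string that is MACed."""
    u = urlparse(url)
    base_url = f"{u.scheme}://{u.netloc}{u.path}"
    pairs = list(params.items()) + parse_qsl(u.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalised)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """The secrets form the HMAC key; they are never placed in the request."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def build_oauth_header(method, url, nonce="constructed-nonce", timestamp="1454624372"):
    """Client side: sign the request and emit the Authorization header value."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    # oauth_signature is computed over the other parameters and added last.
    params["oauth_signature"] = hmac_sha1_signature(
        method, url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in params.items())


def parse_oauth_header(header):
    """Split 'OAuth k="v", k="v"' back into a dict of decoded parameters."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    out = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def server_verify(method, url, header):
    """Server side: look up the secrets for the presented key/token, recompute, compare.
    A real server also records (nonce, timestamp) pairs to reject replays."""
    params = parse_oauth_header(header)
    presented = params.pop("oauth_signature", "")
    if params.get("oauth_consumer_key") != CONSUMER_KEY or params.get("oauth_token") != TOKEN:
        return False
    expected = hmac_sha1_signature(method, url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(presented, expected)


def build_basic_header():
    """HTTP basic auth: the password itself, merely base64-encoded, on the wire."""
    return "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()


def demo():
    url = "http://api.example.invalid/api/0.6/changeset/create"  # constructed URL
    header = build_oauth_header("PUT", url)
    return {
        # The genuine request verifies.
        "original_ok": server_verify("PUT", url, header),
        # Rewriting the request target in transit breaks the MAC.
        "tampered_ok": server_verify("PUT", url.replace("create", "1/close"), header),
        # Neither secret appears in what was transmitted.
        "secret_on_wire": TOKEN_SECRET in header or CONSUMER_SECRET in header,
        # Basic auth hands the password to anyone who can read the request.
        "basic_exposes_password": base64.b64decode(
            build_basic_header()[len("Basic "):]).decode() == f"{USERNAME}:{PASSWORD}",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

What signing does not cover is replay: an observer can resend the identical request until the server's nonce/timestamp tracking or the timestamp window rejects it, which is why the remark above about remaining attack vectors with OAuth over plain HTTP still holds, and why HTTPS is still wanted.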


