[openstreetmap/openstreetmap-website] blocks with needs_view flag not shown when user does oauth authorisation (for example login into an OSM editor) (Issue #5490)

Anton Khorev notifications at github.com
Sun Jan 12 15:20:21 UTC 2025


> invalidating tokens

If there's an api to check whether the user is blocked, you need a valid token to access that api. If blocking invalidates the token, you're not going to have a valid token to access that api.

It only makes sense to invalidate the token if you insist on making users reauthorize all of their apps once blocked, maybe as a form of punishment. Got blocked while having JOSM, Vespucci, StreetComplete, OSMCha, etc. authorized? Now go reauthorize all of them and don't get blocked next time.

> Perhaps I'm misunderstanding, but why would that "again and again" reauthorisation need to happen?

It doesn't need to happen. It's going to happen if things are done the way StreetComplete devs want. They want to kill off the token once they get a 403 response. If the user has a timed block, they'll keep killing off the tokens and telling the user to reauthorize, and then get 403 again because the block is still active.

This behavior of killing off tokens on 403 is the reason why this issue was opened. If they stop doing that, they wouldn't need block messages appearing on the authorization page.

> If that suggestion is viable, invalidating all sessions

Invalidating website sessions is different from invalidating tokens, but it goes further down the road of not being able to check the current blocked status. The user won't necessarily notice that they are logged out. If we add some kind of notifications for blocks, they won't work because the user needs to be logged in to receive notifications.

> As a main advantage to such flow, only admin blocking backend and login form need to change, and no app need to change their code

The apps need to change their code if their devs want the error messages presented to users to make sense. "We got some error we don't know why, maybe go relogin?"

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/5490#issuecomment-2585774911
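
The reauthorization loop described in the message above, as an added simulation that is not part of the original email and is not code from the OSM website or any OSM app. The mock server, the tick-based timed block and the names `MockServer` and `run_client` are assumptions; the server answers 403 while the block is active and 401 for a token it does not know.

```python
# Constructed simulation: the mock server and both client policies are
# assumptions for illustration, not OSM API or app code.
from dataclasses import dataclass, field
import itertools

@dataclass
class MockServer:
    """Stand-in for an API that blocks a user for a fixed number of ticks."""
    block_until: int                      # block is active while now < block_until
    valid_tokens: set = field(default_factory=set)
    _ids: itertools.count = field(default_factory=itertools.count)

    def authorize(self) -> str:
        """User completes the authorization flow; a new token is issued."""
        token = f"token-{next(self._ids)}"
        self.valid_tokens.add(token)
        return token

    def upload(self, token: str, now: int) -> int:
        if token not in self.valid_tokens:
            return 401                    # token unknown or revoked
        if now < self.block_until:
            return 403                    # token is fine, the user is blocked
        return 200

def run_client(discard_on_403: bool, ticks: int = 6, block_until: int = 4) -> dict:
    """Attempt one upload per tick and count what the user experiences."""
    server = MockServer(block_until=block_until)
    token = server.authorize()            # initial authorization, not counted
    stats = {"reauthorizations": 0, "blocked_notices": 0, "uploads_ok": 0}
    for now in range(ticks):
        if token is None:                 # client discarded the token earlier
            token = server.authorize()
            stats["reauthorizations"] += 1
        status = server.upload(token, now)
        if status == 200:
            stats["uploads_ok"] += 1
        elif status == 401:
            token = None                  # genuinely invalid: reauthorize
        elif status == 403:
            if discard_on_403:
                token = None              # policy A: treat 403 like a dead token
            else:
                stats["blocked_notices"] += 1   # policy B: keep token, tell user

    return stats
```

With the defaults, the discard-on-403 client asks for reauthorization on every tick until the block expires, while the client that keeps its token never does.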