From 519c13d4cd3823ab422e94ffb4fb9fbe05712392 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 25 Jan 2024 21:07:16 +0000
Subject: [PATCH] Allow OAuth 1.0a to be disabled

---
 app/controllers/api_controller.rb | 6 +++++-
 app/controllers/application_controller.rb | 4 ++++
 app/controllers/oauth_controller.rb | 2 ++
 config/locales/en.yml | 1 +
 config/settings.yml | 5 ++++-
 5 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index af4c0c4f3..0b45ca168 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -106,7 +106,11 @@ class ApiController < ApplicationController
     if doorkeeper_token&.accessible?
       self.current_user = User.find(doorkeeper_token.resource_owner_id)
     elsif Authenticator.new(self, [:token]).allow?
-      # self.current_user setup by OAuth
+      if Settings.oauth_10a_support
+        # self.current_user setup by OAuth
+      else
+        report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden
+      end
     else
       username, passwd = auth_data # parse from headers
       # authenticate per-scheme
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0a7df0994..ddc6d8ab2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -69,6 +69,10 @@ class ApplicationController < ActionController::Base
     @oauth_token = current_user.oauth_token(Settings.oauth_application) if current_user && Settings.key?(:oauth_application)
   end
 
+  def require_oauth_10a_support
+    report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden unless Settings.oauth_10a_support
+  end
+
   ##
   # require the user to have cookies enabled in their browser
   def require_cookies
diff --git a/app/controllers/oauth_controller.rb b/app/controllers/oauth_controller.rb
index cd7e48277..49af05b0d 100644
--- a/app/controllers/oauth_controller.rb
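Review bot: The disabled branch only runs after `Authenticator.new(self, [:token]).allow?` has already validated the OAuth 1.0a request and, per the retained comment, set `self.current_user`, so a request using a scheme the operator turned off still performs the full token lookup and leaves a user attached to the controller before `report_error` answers with 403; whether anything after `report_error` observes `current_user` depends on code outside the hunk. The new `if` also has an empty body and duplicates the message construction that this same commit adds as `require_oauth_10a_support` in ApplicationController, which ApiController inherits from per the hunk header. Replacing the five added lines with `# self.current_user setup by OAuth` followed by `require_oauth_10a_support` keeps a single source of truth for the error; alternatively `elsif Settings.oauth_10a_support && Authenticator.new(self, [:token]).allow?` would skip validating the token entirely, at the cost of letting such requests fall through to the basic-auth branch and its less specific error. The enclosing method starts and ends outside the hunk.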
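Review bot: `require_oauth_10a_support` is added without the `##` header comment that its neighbour `require_cookies` carries, and nothing states that it is meant to be used as a before_action and that it relies on `report_error` rendering a response to halt the filter chain. I would add above the method `##` / `# reject the request with a 403 pointing at the authentication-update page unless OAuth 1.0a support is enabled; intended for use as a before_action`. `report_error` is defined outside the hunk, so whether it always renders (and thus halts) for both API and html callers is worth confirming before relying on this filter in OauthController.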
+++ b/app/controllers/oauth_controller.rb
@@ -5,6 +5,8 @@ class OauthController < ApplicationController
   # a login, but we want to check authorization on every action.
   authorize_resource :class => false
 
+  before_action :require_oauth_10a_support
+
   layout "site"
 
   def revoke
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 17cdff9bf..1d9b1ccdf 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2556,6 +2556,7 @@ en:
       description_without_count: "GPX file from %{user}"
     application:
       basic_auth_disabled: "HTTP Basic Authentication is disabled: %{link}"
+      oauth_10a_disabled: "OAuth 1.0 and 1.0a are disabled: %{link}"
       auth_disabled_link: "https://wiki.openstreetmap.org/wiki/2024_authentication_update"
       permission_denied: You do not have permission to access that action
       require_cookies:
diff --git a/config/settings.yml b/config/settings.yml
index 6eab4807e..19006f611 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -95,9 +95,12 @@ attachments_dir: ":rails_root/public/attachments"
 #memcache_servers: []
 # Enable HTTP basic authentication support
 basic_auth_support: true
+# Enable OAuth 1.0/1.0a registration
+oauth_10_registration: true
 # Enable legacy OAuth 1.0 support
 oauth_10_support: true
-oauth_10_registration: true
+# Enable OAuth 1.0a support
+oauth_10a_support: true
 # URL of Nominatim instance to use for geocoding
 nominatim_url: "https://nominatim.openstreetmap.org/"
 # Default editor
-- 
2.39.5
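Review bot: `before_action :require_oauth_10a_support` is declared after `authorize_resource :class => false`, and Rails runs before_action filters in declaration order, so an unauthenticated or unauthorized caller of these endpoints is answered by the CanCan authorization check (login redirect or permission denied, depending on the rescue handler outside this hunk) and never sees the "OAuth 1.0a disabled" error. If the intent is to tell every client that the scheme is off, move the new line above `authorize_resource :class => false`. The filter also covers `revoke`, so once the setting is off users can no longer revoke existing 1.0a tokens through this controller; confirm that is intended. The class continues outside the hunk.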
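Review bot: The three OAuth 1 flags now sit together but their comments do not say how they interact, and the new `oauth_10a_support` comment mirrors the wording of `oauth_10_support` even though this commit's api_controller change rejects every token authenticated by `Authenticator` when it is false, and the en.yml string added here reads "OAuth 1.0 and 1.0a are disabled". I would make the comment say so: `# Enable OAuth 1.0a support (when false, all OAuth 1.x token authentication is rejected regardless of the two settings above)`. Whether `oauth_10_registration` also becomes inert when this flag is off is not visible from the diff; if it does, the registration comment should say so as well.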