> invalidating tokens
If there's an api to check whether the user is blocked, you need a valid token
to access that api. If blocking invalidates the token, you're not going to have
a valid token to access that api.
It only makes sense to invalidate the token if you insist on making users
reauthorize all of their apps once blocked, maybe as a form of punishment. Got
blocked while having JOSM, Vespucci, StreetComplete, OSMCha, etc authorized?
Now go reauthorize all of them and don't get blocked next time.
> Perhaps I'm misunderstanding, but why would that "again and again"
> reauthorisation need to happen?
It doesn't need to happen. It's going to happen if things are done the way
StreetComplete devs want. They want to kill off the token once they get a 403
response. If the user has a timed block, they'll keep killing off the tokens
and telling the user to reauthorize, and then get 403 again because the block
is still active.
This behavior of killing off tokens on 403 is the reason why this issue was
opened. If they stop doing that, they wouldn't need block messages appearing on
the authorization page.
> If that suggestion is viable, invalidating all sessions
Invalidating website sessions is different from invalidating tokens, but it
goes further down the road of not being able to check the current blocked
status. The user won't necessarily notice that they are logged out. If we add
some kind of notifications for blocks, they won't work because the user needs
to be logged in to receive notifications.
> As a main advantage to such flow, only admin blocking backend and login form
> need to change, and no app need to change their code
The apps need to change their code if their devs want the error messages
presented to users to make sense. "We got some error we don't know why, maybe
go relogin?"
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/5490#issuecomment-2585774911
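
The reauthorization loop described in this message, as an added example that is not part of the original email and is not StreetComplete or openstreetmap-website code. `FakeServer` is a constructed stand-in that is assumed to answer 403 while a timed block is active and 401 for tokens it does not recognise; the two client policies differ only in whether a 403 discards the token.

```python
# Added illustration; FakeServer and run_client are hypothetical names.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class FakeServer:
    blocked_for: int                      # upload attempts the timed block outlasts
    valid: set = field(default_factory=set)
    _ids: count = field(default_factory=count)

    def authorize(self) -> str:
        token = f"token-{next(self._ids)}"
        self.valid.add(token)
        return token

    def upload(self, token) -> int:
        if token not in self.valid:
            return 401                    # unknown or revoked token
        if self.blocked_for > 0:
            self.blocked_for -= 1
            return 403                    # token is fine, the user is blocked
        return 200


def run_client(server, attempts, drop_token_on_403):
    """Return (reauthorizations, messages shown) for one client policy."""
    token, reauths, messages = server.authorize(), 0, []
    for _ in range(attempts):
        status = server.upload(token)
        if status == 401 or (status == 403 and drop_token_on_403):
            token = server.authorize()    # user goes through the OAuth flow again
            reauths += 1
            messages.append("please reauthorize")
        elif status == 403:
            messages.append("you are blocked")  # token kept for later requests
        else:
            messages.append("uploaded")
    return reauths, messages


def compare(block_len=3, attempts=5):
    """Reauthorization counts for (drop token on 403, keep token on 403)."""
    kill = run_client(FakeServer(block_len), attempts, drop_token_on_403=True)
    keep = run_client(FakeServer(block_len), attempts, drop_token_on_403=False)
    return kill[0], keep[0]
```

With a block that outlasts three upload attempts, the first policy sends the user through authorization three times and each fresh token still gets 403; the second never reauthorizes and shows a message that matches the actual cause.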