Feat/OSM login enforced for management, additional temp login option for mappers

[Anuj-Gupta4]

What type of PR is this? (check all applicable)

• 🍕 Feature
• 🐛 Bug Fix
• 📝 Documentation
• 🧑‍💻 Refactor
• ✅ Test
• 🤖 Build or CI
• ❓ Other (please specify)

Related Issue

• Related to: Backend: OSM login enforced for management, additional temp login option for mappers #1911

Describe this PR

• created two seperate refresh endpoint for management and mapper frontends.
• enforced osm login only for management
• preferred osm login for mapper but also allowed temp login

[spwoodcock]

Haven't been able to test yet, but just reviewing the code this looks good!

[spwoodcock]

@Anuj-Gupta4 this is causing an issue: when I refresh the page on the management frontend (i.e. call the /refresh endpoint), my cookies seem to be cleared and I am no longer logged in.

The cookie needs to be refreshed correctly on the /refresh call, meaning the user is still logged in 😄
Please prioritise this issue for the release today 🙏

[spwoodcock]

Of course - the frontend also needs to be updated to match these new endpoints!

[spwoodcock]

Ignore the above - this works nicely for the management frontend 👍

Need to test on the mapper frontend too, but I think this is all good!

[spwoodcock]

OK so this mostly works, but temp login seems to fail for some reason on the mapper frontend

[Sujanadh]

The project detail endpoint currently checks for mapper role in react frontend and same endpoint is used in the mapper frontend where it only checks for osm login in the login required. I think we might need a separate project endpoint in the mapper frontend with only the minimal required details of the project; I don't think we will require everything like in the project of the react frontend.

The project details page of react frontend might require project mapper role not a global mapper, we can change this as per requirements. In the mapper frontend we will check only login and the token validation. Use login_required as dependency, handle both type of cookies in login required. To make it simpler, frontend needs to remove temporary cookie if i switch back to react frontend. Then we will get whatever cookies is stored in both frontend and test its validation.
@spwoodcock @Anuj-Gupta4

• fix/temp login for mapper frontend #1969

[spwoodcock]

Great observations!

There is already some commented out code for a simpler dbproject query here: https://github.com/hotosm/fmtm/blob/development/src%2Fbackend%2Fapp%2Fdb%2Fmodels.py#L1109

We could add a minimal flag to the .one method, then use that SQL instead. And as you say, add a new endpoint to allow temp login access from the mapper frontend.

The temp login does has issues with our access model, as this new endpoint can be accessed by anyone, meaning anyone can contribute. But I think its fine for now - a problem to solve later! (We might have to reconsider temp login)

[spwoodcock]

The endpoint could be /projects/1/mapper-data and will use the minimal flag for getting the project

[Sujanadh]

I don't find any significance of temp login at all. Its purpose is to allow anyone to contribute to the project; for that, we don't even need a login just for field submissions. Task locking and updating status will all require osm login. This temp login does have an issue with our access model, so creating an endpoint with minimal details will not leak any sensitive data. We can consider it for now.

And, about removing cookies when I redirect to the react frontend, it might create a requirement to login every time I go to mapper frontend.
For this, I think we can auto log in with temporary login as a default, no need to do extra click to login for temporary users (mappers). We can add a pop-up to allow them to use osm login if they have an osm profile; otherwise, they can simply skip that.

What do you think? @spwoodcock

[spwoodcock]

Good points!
The only purpose of the 'temp login' is an extra layer of obfuscation really - it doesn't provide any security benefit.

So in theory I'm hoping it might reduce bots / spamming / scraping endpoints as it requires a login of some sorts, before anything else can be accessed.

It's not essential though! We considered it previous as we had everyone on one frontend, all using the same endpoints.
Now we have the separation, it's less important.

We could actually remove it entirely with this scenario:

• By default any user can access the mapper frontend (no login required).
• It has minimal info included / no sensitive data (via a separate endpoint specifically for the mapper frontend).
• It will have to include the ODK Central appuser token (QRCode data), meaning for now, anyone can contribute to the project (we can revisit how to restrict this in the future).
• We prompt the user to log in via OSM, if they want to get credit for their contributions.

Would that work?

[spwoodcock]

This all said, for now we rely on endpoints to update task/entity statuses - it will be removed in the future, but is a requirement for now.

If we had no login at all, it would mean we have to update the access on all those endpoints too, or create separate 'mapper' endpoints 🤔

[spwoodcock]

The idea you proposed above could work well:

Mapper:

• When a user accesses the mapper frontend and calls /refresh/mapper, we either attempt to refresh the OSM cookie if it exists, or we by default provide a 'temporary login' cookie.
• The user will be seamlessly logged in either way, but if they are using a temp cookie, we prompt them to log in via OSM in the frontend (if they want to be attributed).

Management:

• When they access the React frontend, we invalidate / remove any 'temp login' cookie they might have.

[Sujanadh]

Yeah that could work for now. 👍