fix : setups the redirect for the login instead of popup to address bug introduced by this security patch openstreetmap/openstreetmap-website@2ff4d6a

Author: root

core/settings/contrib.py

@@ -45,7 +45,7 @@
 SOCIAL_AUTH_OPENSTREETMAP_LOGIN_URL = "/osm/login/"
 SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY = os.getenv("OSM_API_KEY")
 SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET = os.getenv("OSM_API_SECRET")
-SOCIAL_AUTH_LOGIN_REDIRECT_URL = "/"
+SOCIAL_AUTH_LOGIN_REDIRECT_URL = "/authorized"
 SOCIAL_AUTH_LOGIN_ERROR_URL = "/osm/error"
 SOCIAL_AUTH_URL_NAMESPACE = "osm"
 SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "email"]

ui/app/actions/meta.js

@@ -32,7 +32,7 @@ if (window.OAUTH_CLIENT_ID == null) {
 
 const oauthConfig = {
   // url: window.EXPORTS_API_URL + "/o/openstreetmap_oauth2",
-  url: window.EXPORTS_API_URL + "/o/authorize?approval_prompt=auto",
+  url: window.EXPORTS_API_URL + "/o/authorize?approval_prompt=auto&response_type=token",
   client: window.OAUTH_CLIENT_ID,
   redirect: `${window.location.protocol}//${hostname}/authorized`
 };
@@ -95,7 +95,13 @@ export const fetchGroups = () => (dispatch, getState) => {
     );
 };
 
-export const login = () => _login(oauthConfig);
+export const login = () => {
+  const { url, client, redirect } = oauthConfig;
+  window.location.href =
+    url +
+    `&client_id=${client}` +
+    `&redirect_uri=${encodeURIComponent(redirect)}`;
+};
 
 export const loginSuccess = (token, expiresAt) => dispatch =>
   dispatch({

ui/app/components/Authorized.js

@@ -1,10 +1,41 @@
 import React from "react";
-import { FormattedMessage } from "react-intl";
-
-export default () =>
-  <div>
-    <FormattedMessage
-      id="ui.authorized.thank_you"
-      defaultMessage="Thank you for authorizing!"
-    />
-  </div>;
+import { connect } from "react-redux";
+import { withRouter } from "react-router-dom";
+import { loginSuccess } from "../actions/meta";
+
+class Authorized extends React.Component {
+  componentDidMount() {
+    // grab the hash fragment (e.g. "#access_token=…&expires_in=…")
+    const hash = window.location.hash.replace(/^#/, "");
+    const params = new URLSearchParams(hash);
+    const token = params.get("access_token");
+    const expiresIn = params.get("expires_in");
+
+    if (token) {
+
+      const expiresAt = expiresIn
+        ? Date.now() + parseInt(expiresIn, 10) * 1000
+        : null;
+
+
+      this.props.loginSuccess(token, expiresAt);
+
+      window.location.hash = "";
+      this.props.history.replace("/");
+    } else {
+      // no token? bounce back to login/start
+      this.props.history.replace("/");
+    }
+  }
+
+  render() {
+    return null;
+  }
+}
+
+export default withRouter(
+  connect(
+    null,
+    { loginSuccess }
+  )(Authorized)
+);

ui/views.py

@@ -23,7 +23,8 @@ def authorized(request):
     # be logged into the site (and it will be confusing if they are, since
     # "logging out" of the UI just drops the auth token)
     auth_logout(request)
-    return render(request, "ui/authorized.html")
+    return v3(request)
+    # return render(request, "ui/authorized.html")
 
 
 def login(request):