From a99ee90e159813da10384f9c9a45867a3817e1be Mon Sep 17 00:00:00 2001
From: Yohan Boniface <yohanboniface@free.fr>
Date: Tue, 13 Feb 2024 15:06:30 +0100
Subject: [PATCH] chore: migrate to OAuth 2 for OpenStreetMap backend

fix #1279
---
 docs/changelog.md                                | 13 ++++++++++++-
 docs/config/settings.md                          |  4 ++--
 pyproject.toml                                   |  9 ++++++---
 .../0017_migrate_to_openstreetmap_oauth2.py      | 16 ++++++++++++++++
 umap/settings/base.py                            | 12 ++++++++----
 umap/settings/local.py.sample                    |  4 ++--
 umap/static/umap/content.css                     |  3 ++-
 7 files changed, 48 insertions(+), 13 deletions(-)
 create mode 100644 umap/migrations/0017_migrate_to_openstreetmap_oauth2.py

diff --git a/docs/changelog.md b/docs/changelog.md
index a6d969c3..0c47383b 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -4,10 +4,11 @@
 
 This release is inauguring a new era in versionning uMap: in the future, we'll take care of better documenting breaking changes, so expect more major releases from now on. More details on [how we version](https://docs.umap-project.org/en/master/release/#when-to-make-a-release).
 
-The two main changes are:
+The main changes are:
 
 * on the front-end side, we now use native ESM modules, so this may break on old browsers (see our [ESlint configuration](https://github.com/umap-project/umap/blob/a0634e5f55179fb52f7c00e39236b6339a7714b9/package.json#L68))
 * on the back-end, we upgraded to Django 5.x, which drops support for Python 3.8 and Python 3.9.
+* the OpenStreetMap OAuth1 client is not supported anymore
 
 More details below!
 
@@ -16,6 +17,16 @@ More details below!
 * updrade to Django 5.x, which drops support for python < 3.10
 * remove `django-compressor`, so `umap compress` is not a valid command anymore (compress is now done in the `collectstatic` process itself) (#1544, #1539)
 * remove support for settings starting with `LEAFLET_STORAGE_` (deprecated since 1.0.0)
+* remove support for deprecated OpenStreetMap OAuth1 backend in favour of OAuth2
+
+#### Migrate to OpenStreetMap OAuth2
+
+* create a new app on OSM.org: https://www.openstreetmap.org/oauth2/applications/
+* add the key and secret in your settings (or as env vars):
+    * `SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY=xxxx`
+    * `SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET=xxxx`
+* run the migration command, that will migrate all accounts from OAuth1 to Oauth2:
+  `umap migrate`
 
 ### New features
 
diff --git a/docs/config/settings.md b/docs/config/settings.md
index 3e1114c1..2f2650ed 100644
--- a/docs/config/settings.md
+++ b/docs/config/settings.md
@@ -262,8 +262,8 @@ Can be set to `X-Accel-Redirect` to enable the [NGINX X-Accel](https://www.nginx
 
 See the NGINX documentation in addition.
 
-#### SOCIAL_AUTH_OPENSTREETMAP_KEY, SOCIAL_AUTH_OPENSTREETMAP_SECRET
+#### SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY, SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET
 
-If you use OpenStreetMap as OAuth provider, use those settings.
+If you use OpenStreetMap as OAuth 2 provider, you can use those settings.
 
 Otherwise, use any valid [python-social-auth configuration](https://python-social-auth.readthedocs.io/en/latest/configuration/django.html).
diff --git a/pyproject.toml b/pyproject.toml
index 74a2da36..cd1e5627 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -37,7 +37,7 @@ dependencies = [
   "requests==2.31.0",
   "rcssmin==1.1.2",
   "rjsmin==1.2.2",
-  "social-auth-core==4.5.2",
+  "social-auth-core==4.5.3",
   "social-auth-app-django==5.4.0",
 ]
 
@@ -64,6 +64,9 @@ docker = [
   "uwsgi==2.0.23",
 ]
 
+[project.scripts]
+umap = "umap.bin:main"
+
 [tool.hatch.build]
 artifacts = [
   # Required because part of .gitignore (and thus excluded by hatch).
@@ -78,8 +81,8 @@ include = [
 [tool.hatch.build.targets.wheel]
 packages = ["umap"]
 
-[project.scripts]
-umap = "umap.bin:main"
+[tool.hatch.metadata]
+allow-direct-references = true
 
 [tool.hatch.version]
 path = "umap/__init__.py"
diff --git a/umap/migrations/0017_migrate_to_openstreetmap_oauth2.py b/umap/migrations/0017_migrate_to_openstreetmap_oauth2.py
new file mode 100644
index 00000000..11285286
--- /dev/null
+++ b/umap/migrations/0017_migrate_to_openstreetmap_oauth2.py
@@ -0,0 +1,16 @@
+# Generated by Django 5.0.2 on 2024-02-13 14:04
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("umap", "0016_pictogram_category"),
+    ]
+
+    operations = [
+        migrations.RunSQL(
+            "UPDATE social_auth_usersocialauth "
+            "SET provider = 'openstreetmap-oauth2' WHERE provider = 'openstreetmap'"
+        ),
+    ]
diff --git a/umap/settings/base.py b/umap/settings/base.py
index f4f96332..b564a5ac 100644
--- a/umap/settings/base.py
+++ b/umap/settings/base.py
@@ -274,11 +274,15 @@ SOCIAL_AUTH_LOGIN_REDIRECT_URL = "/login/popup/end/"
 
 AUTHENTICATION_BACKENDS = ()
 
-SOCIAL_AUTH_OPENSTREETMAP_KEY = env("SOCIAL_AUTH_OPENSTREETMAP_KEY", default="")
-SOCIAL_AUTH_OPENSTREETMAP_SECRET = env("SOCIAL_AUTH_OPENSTREETMAP_SECRET", default="")
-if SOCIAL_AUTH_OPENSTREETMAP_KEY and SOCIAL_AUTH_OPENSTREETMAP_SECRET:
+SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY = env(
+    "SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY", default=""
+)
+SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET = env(
+    "SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET", default=""
+)
+if SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY and SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET:
     AUTHENTICATION_BACKENDS += (
-        "social_core.backends.openstreetmap.OpenStreetMapOAuth",
+        "social_core.backends.openstreetmap_oauth2.OpenStreetMapOAuth2",
     )
 
 AUTHENTICATION_BACKENDS += ("django.contrib.auth.backends.ModelBackend",)
diff --git a/umap/settings/local.py.sample b/umap/settings/local.py.sample
index 0fe412c8..6ac3bb39 100644
--- a/umap/settings/local.py.sample
+++ b/umap/settings/local.py.sample
@@ -52,8 +52,8 @@ SOCIAL_AUTH_GITHUB_SCOPE = [
 ]
 SOCIAL_AUTH_TWITTER_KEY = "xxx"
 SOCIAL_AUTH_TWITTER_SECRET = "xxx"
-SOCIAL_AUTH_OPENSTREETMAP_KEY = "xxx"
-SOCIAL_AUTH_OPENSTREETMAP_SECRET = "xxx"
+SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_KEY = "xxx"
+SOCIAL_AUTH_OPENSTREETMAP_OAUTH2_SECRET = "xxx"
 MIDDLEWARE += ("social_django.middleware.SocialAuthExceptionMiddleware",)
 SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
 SOCIAL_AUTH_RAISE_EXCEPTIONS = False
diff --git a/umap/static/umap/content.css b/umap/static/umap/content.css
index e986c097..f777bc93 100644
--- a/umap/static/umap/content.css
+++ b/umap/static/umap/content.css
@@ -77,7 +77,8 @@ body.login header {
 .login-grid .login-twitter-oauth2 {
     background-image: url("./twitter.png");
 }
-.login-grid .login-openstreetmap {
+.login-grid .login-openstreetmap,
+.login-grid .login-openstreetmap-oauth2 {
     background-image: url("./openstreetmap.png");
 }