This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Allow custom URL protocols or schemes when registering a client application (for OAuth) #3706

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 5 comments

Comments

@openstreetmap-trac

Reporter: mendhak
[Submitted to the original trac issue database at 8.52am, Friday, 22nd April 2011]

When registering an application for usage with OSM, the application registration page asks for a Callback URL. This works perfectly fine if it's a common URI scheme such as http:// as after authorizing the application, the user is redirected to that Callback URL.

With mobile/desktop apps the user will authorize the app but then has to presumably copy some text from the website and paste it into the mobile/desktop app.

However, since desktop and mobile apps can register to listen to custom URI schemes such as myapp://, it would make things easier for the user if the Callback URL did allow custom URI schemes so that the user simply authorizes, browser redirects to myapp://, application handles it and takes care of the tokens it receives.

At the moment, when specifying a Callback URL on the registration page

http://www.openstreetmap.org/user/mendhak/oauth_clients/new

the Callback URL field does not allow anything other than http:// or https://

I have placed this under the 'website' component but please let me know if it should be elsewhere (or change it).

@openstreetmap-trac

Author: mendhak
[Added to the original trac issue at 9.59am, Saturday, 23rd April 2011]

I followed the instructions on the OSM wiki and made the change in a fork on github:

mendhak/openstreetmap-website@9b82d5e

@openstreetmap-trac

Author: TomH
[Added to the original trac issue at 1.52pm, Monday, 25th April 2011]

Your change doesn't actually seem to match what you say in the bug description though. You stated that only http and https were allowed but it looks to me like any sequence of one or more word characters (plus hyphens) was allowed as the scheme name?

All your change really seems to have done is to add restrictions (like requiring the scheme name to start with an alphabetic character) and possibly allow a few extra characters like the plus sign and full stop.

Can you explain more clearly exactly what the problem you encountered was (perhaps if you said what scheme name didn't work that would help explain) and why your change fixes it, as well as why the extra restrictions you have introduced are necessary?

@openstreetmap-trac

Author: mendhak
[Added to the original trac issue at 1.16pm, Wednesday, 11th May 2011]

Hi TomH,
I'm sorry for the confusion - the link I pasted above is showing a diff of a previous change I made (I did two versions of the fix). In the original regex (https://github.com/openstreetmap/openstreetmap-website/blob/master/app/models/client_application.rb), only http and https are allowed, like so:

validates_format_of :callback_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true

The first change (https://github.com/mendhak/openstreetmap-website/commit/3e948c382e616c1bccd73db83d9cc53083ae644e) I made changed it to allow words and hyphens

validates_format_of :callback_url, :with => /\A([\w-])+:\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true

The second change (https://github.com/mendhak/openstreetmap-website/commit/9b82d5eda10292d74720cf12c5704dcc2d1e49b1) is a bit more detailed because I was reading up on the RFC 3986

validates_format_of :callback_url, :with => /\A([a-z]){1}([\w0-9.+-])*:\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true

I didn't know which you would have preferred which is why I did it twice.

To explain the problem more clearly - in a third party website, a user will click 'authorize' which will redirect to the openstreetmap.org website.

Then, the user will sign in and grant permissions to the third party website. At this point, normally, the openstreetmap.org website will redirect the user back to the callback url that had originally been specified. This callback url would have been specified by the author of the third party website. (http://example.com/finishedauthorization)

Currently, the callback url is being restricted to http:// and https:// addresses which doesn't work for mobile apps. This means that mobile app users will need to copy the code given to them by openstreetmap.org and paste that into the mobile app. What would be nice is if anything:// is allowed.

The reason - on a smartphone, the mobile browser will attempt to redirect the user to anything:// and this will in turn invoke the original mobile app which has registered itself to listen to anything://. As far as I know, Android OS and iOS currently allow applications to register against custom schemes.

The anything:// URL would contain the OAuth tokens it needs to communicate with openstreetmap.org which it can process and use. This provides the user with a seamless experience.

Hope I'm clear, please let me know if my description is still lacking.
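
Added example (not part of the original thread or the OSM code base): the three patterns quoted in the comment above, plus a hypothetical `rfc3986` variant that follows the RFC 3986 scheme grammar exactly, run over constructed callback URLs to show which schemes each one accepts. `TAIL`, `PATTERNS`, `accepted_by` and `SAMPLES` are names chosen for this example.

```ruby
# Added example, not from the OSM code base. TAIL is the part after "://"
# that all three quoted patterns share; the sample URLs are constructed.
TAIL = '(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?'

PATTERNS = {
  original:      /\Ahttp(s?):\/\/#{TAIL}/i,
  first_change:  /\A([\w-])+:\/\/#{TAIL}/i,
  second_change: /\A([a-z]){1}([\w0-9.+-])*:\/\/#{TAIL}/i,
  # Hypothetical stricter variant: RFC 3986 section 3.1 scheme grammar,
  # ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), which has no underscore.
  rfc3986:       /\A[a-z][a-z0-9+.-]*:\/\/#{TAIL}/i
}.freeze

# Names of the patterns that accept +url+, in the order defined above.
def accepted_by(url)
  PATTERNS.select { |_name, re| re.match?(url) }.keys
end

# Constructed inputs, one per behaviour worth checking.
SAMPLES = [
  'https://example.com/finishedauthorization', # ordinary web callback
  'myapp://callback',                          # custom scheme from the issue
  '1app://callback',                           # scheme starts with a digit
  'my.app+v2://callback',                      # "." and "+" in the scheme
  'my_app://callback',                         # underscore, allowed by \w only
  'myapp:callback',                            # no "//" after the scheme
  # None of the patterns ends with \z, so only the start of the value is
  # checked and anything may follow the part that matched.
  'myapp://callback trailing text'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |url|
    puts format('%-45s %s', url.inspect, accepted_by(url).join(', '))
  end
end
```

The `my_app` row shows that the second change is slightly looser than RFC 3986, because `\w` also matches an underscore.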

@openstreetmap-trac

Author: TomH
[Added to the original trac issue at 10.17pm, Wednesday, 11th May 2011]

Applied and deployed. Thanks for the patch.

@openstreetmap-trac

Author: mendhak
[Added to the original trac issue at 9.35pm, Tuesday, 17th May 2011]

Replying to TomH (comment 4):

> Applied and deployed. Thanks for the patch.

Hi TomH, thanks for applying this and for your time, it is appreciated. Just did an end-to-end test of my mobile app and the OAuth process is very smooth.
