Strava Authentication Support

Map Plus helps, usage, issues, bug report, downloads...

Strava Authentication Support

Postby ddrinka » 2018-05-06 3:52

Thanks, as always, for this extremely useful app.

Strava has recently added authentication to their higher zoom levels. See for instance, here: https://github.com/bertt/wmts/issues/2 and here: https://josm.openstreetmap.de/ticket/16100 .

The authentication flow is as follows:
POST https://www.strava.com/session, email=<STRAVA EMAIL>, password=<STRAVA PASSWORD>
-> Sets _strava3_session and _strava4_session cookies
GET https://heatmap-external-a.strava.com/auth with session cookies set
-> Sets CloudFront-Signature, CloudFront-Policy, and CloudFront-Key-Pair-Id cookies
GET https://heatmap-external-a.strava.com/t ... h/all/hot/{z}/{x}/{y}.png?v=19 with CloudFront cookies set

CloudFront accepts its authentication tokens in the query string, so we could hardcode those values after a successful login, but the CloudFront signature is only valid for 10 days, so it would be a mess copying and pasting long lines of text every week.

Strava support in Map Plus is very important to me. I would like to find a way to handle this authentication.

Some ideas I had:
  • Use the cookies present in Safari when requesting tiles. We'd need to request the Strava Heatmap in Safari every week, but that wouldn't be bad.
  • Use the embedded browser engine in Map Plus to pop up a hardcoded link and save the cookies from that request and provide them to tile requests.
  • Make Javascript / LUA engine stateful so that I can check if a logon is needed, go through the authentication flow, save the tokens as state somewhere, and then return URLs with the tokens embedded, all in Javascript/LUA.
  • Handle this oddball case in the code, allowing me to enter my Strava credentials and you do all the authentication.

I'd be willing to pay for an additional feature license to make this work, since I know it's a specific use case. But it also wouldn't surprise me if more maps embed additional security like this in the future so it may become more globally useful going forward.

Thoughts?
User avatar
ddrinka
★★
 
Posts: 8
Joined: 2018-01-29 23:57

Re: Strava Authentication Support

Postby Zax » 2018-05-24 8:14

Thanks for your suggestion.

Please notice that the app add support for the Basic HTTP authorization in the version of v2.7.4. If the server do support such authorization, you can input username and password in the detail information of the custom map to work.

Otherwise, your suggestion is great, and we'll try to study deeper on that, and give a solution in a future release.
For example, more standard authorization route support, or a customizable javascript for you to define a authorization process and prepare a cookie or token for the tile url.
Zax Zeng
Duwei Technology
User avatar
Zax
★★★★★
 
Posts: 1172
Joined: 2011-07-27 0:54


Return to Map Plus - Forums

cron