# Protecting OpenStreetMap telegram channels
###### tags: OpenStreetMap Telegram golang abuse oauth1.0a
## Background
OpenStreetMap Telegram channels have publicly published join links. These regularly get indexed by spammer groups, with bots and humans joining the channels to promote non-OpenStreetMap topics (bitcoin seems popular).
Considerable effort is expended by channel admins in moderating channels and kicking bad actors. This is non-productive time that could be better used elsewhere. In addition, OSM participants are subjected to approaches by these bad actors which devalues the OpenStreetMap brand.
## Possible Approaches
### 1. Utilise OSM's IdP to increase the hoops needed to join channels
A simple approach would be to authenticate all joins and tie them to existing OSM channels. Authentic participants are already likely to have an OSM account and this would add minimal overhead while restricting bad actors.
**User journey**
1. Click on join link to connect to new web service.
2. Authenticate to OSM (OAuth workflow).
3. Web service generates a one-time, time-bound join link for the user (and logs the details).
4. User joins the channel.
5. ~~telegram bot announces the arrival of the new participant and their osm username. [OPTIONAL]~~
Telegram bot forwards updates about who has joined to a web endpoint. Unauthorised use of a URL will result in the newly joined member being removed (e.g. a mismatch between the joining member and the Telegram username that requested the URL).
**GDPR considerations**
1. The web service would connect telegram usernames / user IDs to OSM IDs. This could require operating entities to provide logs if requested by users.
2. Individuals may want to keep their OSM and Telegram identities separate. Announcing the connection in a channel could violate individuals' privacy preferences.
**Other considerations**
1. Introducing this web service may result in an uptick in the creation of OSM accounts by bad actors (they are highly motivated). Consultation with the accounts team for OSM regarding this approach, anti-patterns and likely abuse patterns is recommended.
2. It may be worthwhile to be able to flag bad actors and propagate those signals to other systems (e.g. enable the web service to blacklist users / flag the upstream OSM accounts as bad actors).
### 2. Implement a telegram bot that manages joins
**User journey**
1. User starts a conversation with our bot.
2. Bot points them to web interface to authenticate.
3. Once authenticated, bot allows user to access relevant channels (worded openly right now to allow discussion regarding what this might mean).
**Abuse considerations**
1. One advantage of this approach is that we allow for federation across channels. A bad actor in one channel can be auto-blocked from other channels.
## Implementation
Python or Go seem like good candidates for implementing this MVP. Both have good support for OAuth, API connections and logging.
**Structure of Telegram /getUpdates JSON response**
```json
{
  "update_id": 468080142,
  "message": {
    "message_id": 3,
    "from": {
      "id": 262800000,
      "is_bot": false,
      "first_name": "First",
      "last_name": "Last",
      "username": "FirstLast"
    },
    "chat": {
      "id": -1001473100000,
      "title": "OSM oauth test 2021-04-23",
      "type": "supergroup"
    },
    "date": 1619186614,
    "new_chat_participant": {
      "id": 262800000,
      "is_bot": false,
      "first_name": "First",
      "last_name": "Last",
      "username": "FirstLast"
    },
    "new_chat_member": {
      "id": 262800000,
      "is_bot": false,
      "first_name": "First",
      "last_name": "Last",
      "username": "FirstLast"
    },
    "new_chat_members": [
      {
        "id": 262800000,
        "is_bot": false,
        "first_name": "First",
        "last_name": "Last",
        "username": "FirstLast"
      }
    ]
  }
}
```
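One way to implement the step 5 check from the first approach in Go, reading `new_chat_members` from an update shaped like the one above (an added example, not code from this note). The `Grant` record, the `UnauthorisedJoins` name, and keying grants by Telegram user ID rather than username are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Update mirrors only the /getUpdates fields the join check needs.
type Update struct {
	Message struct {
		Chat       struct{ ID int64 `json:"id"` } `json:"chat"`
		Date       int64 `json:"date"`
		NewMembers []struct{ ID int64 `json:"id"` } `json:"new_chat_members"`
	} `json:"message"`
}

// Grant is a hypothetical record stored when the web service issues a join link.
type Grant struct {
	ChatID  int64
	Expires time.Time
	Used    bool
}

// UnauthorisedJoins lists joiners to remove: no grant, wrong chat, expired or reused.
func UnauthorisedJoins(raw []byte, grants map[int64]*Grant) ([]int64, error) {
	var u Update
	if err := json.Unmarshal(raw, &u); err != nil {
		return nil, err
	}
	joined := time.Unix(u.Message.Date, 0)
	var remove []int64
	for _, m := range u.Message.NewMembers {
		g, ok := grants[m.ID] // grants are keyed by Telegram user ID (assumption)
		if !ok || g.Used || g.ChatID != u.Message.Chat.ID || joined.After(g.Expires) {
			remove = append(remove, m.ID)
			continue
		}
		g.Used = true // one-time link: a repeat join on this grant is rejected
	}
	return remove, nil
}

// Constructed sample: the update above trimmed, plus a second joiner (ID 111).
const sample = `{"update_id":468080142,"message":{"chat":{"id":-1001473100000},"date":1619186614,"new_chat_members":[{"id":262800000},{"id":111}]}}`

func main() {
	grants := map[int64]*Grant{262800000: {ChatID: -1001473100000, Expires: time.Unix(1619186700, 0)}}
	fmt.Println(UnauthorisedJoins([]byte(sample), grants))
}
```

Keying on the numeric user ID avoids false mismatches, since a Telegram username is optional and can be changed after the link is requested.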
## References
1. [OpenStreetMap API](https://wiki.openstreetmap.org/wiki/API_v0.6)
    * details of logged in user: [/api/0.6/user/detail](https://wiki.openstreetmap.org/wiki/API_v0.6#Details_of_a_user)
    * preferences of logged in user: [/api/0.6/user/preferences](https://wiki.openstreetmap.org/wiki/API_v0.6#Preferences_of_the_logged-in_user)
2. [Telegram Bot API](https://core.telegram.org/bots/api)
## Thanks
* XML to go struct generator: https://www.onlinetool.io/xmltogo/
Without this I would have torn a lot of hair out. :)