by snicksnak 1909 days ago
The changes are pretty ridiculous [1], apparently the government's devs kept deliberately renaming a specific header by adding and increasing a number at the end, from `xsrf-token` up to `xsrf-token11` [0], clearly only with the intent to break their rival free market app.

[0] https://twitter.com/oppnaskolplatt/status/137505230118290637...

[1] https://github.com/kolplattformen/embedded-api/commit/b61122...


The devs don't work for the Stockholm region nor the government. They are contractors. Stockholm is notorious for terrible fragmented outsourcing programs.
It's hilarious that this is actually happening.
Hilarious and potentially illegal.
They should just fuzzy match the headers!! Just kidding. This is ridiculous.
They are now, look at the linked commit.
Maybe Öppna Skolplattformen should just change their code to identify the token by its contents, no matter the parameter name?
We did. We have a regex to catch all variants of spellings. But since our code is open, they can easily select another variant. We could load our script dynamically but have chosen not to for security reasons (and transparency).

(I’m the founder of this initiative)

urvader,

While there is a technical issue here, there is also a legal issue and a PR issue.

Government institutions have a duty of care and a duty to help to private individuals. Since they are apparently working _against_ people in this case, they are probably in breach of the law.

Description of relevant rules here (in Swedish). https://www.mfd.se/verktyg/lagar-och-regler-om-tillganglighe...

I strongly suggest that you file a formal complaint against the government agency. This is easy to do and you can do it here. https://www.jo.se/sv/JO-anmalan/

When you have filed the complaint: MAKE IT PUBLIC (hacker news follow up story, twitter, linkedin, etc). This is because there is a political dimension to this issue and if there is anything politicians care about, it's jobs (their own).

Good luck and keep us updated! I'm sure lots of people will be happy to spread a copy of the complaint around.

Thanks! Yes, we are investigating our legal options.

We just recently filed an appeal regarding getting access to the API documentation.

We have gotten a lot of PR in Sweden from the major newspapers and tech press. So I think the pressure is building, but if there is one thing Swedes are worried about, it is their appearance internationally. So help us get this story to Wired, TechCrunch etc - that will make them crazy. We still live on the front page of Newsweek from 2000 - the capital of the Internet. That might be true for the tech scene but definitely not the public sector.

We would rather concentrate our limited time and resources on making the product better instead of this crap, but we have an amazing community that is helping us with both legal advice, artwork, communication, UX etc, so we will continue the fight and will keep you updated here on Hacker News.

Thanks for all support so far!

Sounds great!

Also keep in mind that the legal options and PR options are tightly coupled. Regardless of the outcome of any legal option (e.g. "JO anmälan"), the PR generated around it may itself lead to a change if it gets enough attention (e.g., Anna König Jerlmyr seems to be in charge of Stockholm municipality at the moment). Make it easy for them to get good PR and make it clear the other option is to get bad PR.

These questions are larger than this project. This is about how the government itself builds APIs. That's big.

Have you tried letting users extract the token themselves, when your code can't find it?
It's my (uneducated) understanding that legally, this makes you cross a boundary. You're no longer ~"circumventing security measures" on your own, you're inciting and enabling an end user to. One could easily argue it's on the darker side of the grey area.
This doesn't make any sense at all.
Can't you ban the malicious devs? They keep creating new GitHub accounts or what?
Not OP but from what I understand, the problem is that their code has to interoperate with the “private” service run by the “bad guys”; it’s basically a more usable front-end. So the bad guys keep messing with the backend just to break the open client.
The government devs are deliberately modifying server code after seeing what the open source code is using to identify their header. GitHub doesn't require an account to view code, so how could they ban government coders from seeing their code?
I assume they read the code that tries to parse the data, and come up with formats that don't fit. If the code is open, they don't need accounts to see it.
They need one to contribute changes, though.
The system that implements breaking changes is not the open source system. The open source system attempts to be compatible with the proprietary system. That is what it sounds like.
They don't contribute changes. The server and official client are maintained by Stockholmsstad contractors. The open source project is an alternative client, not a full solution.
They're changing their own code, not the public code in question. They're not submitting pull requests.
Good luck with that if it's a CSRF token.
It's supposed to be :-D