Ticket #235 (closed Bug: fixed)

Opened 4 years ago

Last modified 2 years ago

token_auth authentication should only work in the API and Widgetize

Reported by: matt
Owned by:
Priority: major
Milestone: Piwik 0.5.5
Component: Core
Keywords:
Cc:
Sensitive: no

Description

Currently, authenticating with token_auth works in all modules. We would want to restrict it to the API module, because there is no need for users to use this mechanism to log in.

Change History

Changed 4 years ago by maetrus

I do not think so - I think that would be a nice feature.

For example: a company that rents webspace and wants to track the user data for the customer. In the admin interface there is a link to log in directly to Piwik with the right permissions. So it would not be necessary to build its own UI and connect to the API.

Also this is advertising for the open source software.

I would propose the following: in the default settings token_auth is disabled and the admin could activate it in the UI (or in the config file).

Changed 4 years ago by matt

  • milestone changed from Stable release to RobotRock

Changed 4 years ago by matt

  • status changed from new to closed
  • resolution set to fixed

in [576]

Changed 3 years ago by chuckdeal97

What about Widgetize? That process calls the API indirectly. We are experiencing problems because we are unable to use the Widgets in our Drupal app because of this problem. We have to log in and the cookie allows the charts to work. It would be better if we could use the token_auth feature with Widgetize too.

Changed 3 years ago by matt

chuckdeal97, please see your feature request in #283; feel free to submit any ideas or patches.

Changed 2 years ago by matt

  • status changed from closed to reopened
  • sensitive unset
  • resolution fixed deleted

Reopening, as I am now convinced that Widgetize is another special case where token_auth should work, at least until #283 is implemented.

Changed 2 years ago by matt

  • milestone changed from RobotRock to 1 - Piwik 0.5.5

Changed 2 years ago by matt

  • summary changed from token_auth authentication should only work in the API to token_auth authentication should only work in the API and Widgetize

Changed 2 years ago by vnese

I don't know how to submit a patch, but this is what I added in plugins/Login/Login.php on line 68 to make it work with token_auth:

        if(Piwik::getModule() === 'Widgetize')
        {
            $tokenAuthAPIInUrl = Piwik_Common::getRequestVar('token_auth', '', 'string');
            if( !empty($tokenAuthAPIInUrl))
            {
                $auth->setLogin($login = null);
                $auth->setTokenAuth($tokenAuthAPIInUrl);
                return;
            }
        }

Changed 2 years ago by matt

I am a bit confused; I generated the widget and manually added the token_auth in the widget URL, e.g.

        module=Widgetize&action=iframe&.......&token_auth=$TOKEN_AUTH

And the widgets loaded fine. I thought this wasn't working. This means this bug is invalid; the downside is that you have to manually add the token_auth in the widget URLs but this is expected, as we do not want users to expose by mistake their token_auth, hence why we removed it from the URL.

Changed 2 years ago by matt

  • status changed from reopened to closed
  • resolution set to fixed

(In [1935]) Fixes #235 clarifying documentation regarding widget authentication
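
The restriction this ticket settles on, as an added sketch that is not Piwik's code: token_auth is honoured only when the requested module is API or Widgetize, and every other module relies on the session cookie. The function and variable names, the sample token, and the choice to reject a bad token rather than fall back to the cookie are assumptions of this example.

```php
<?php
// Added illustration; not Piwik code. All names below are hypothetical.

// Modules in which a token_auth request parameter is honoured (per this ticket).
const TOKEN_AUTH_MODULES = ['API', 'Widgetize'];

/**
 * Decide which credential, if any, authenticates a request.
 *
 * @param array       $query         parsed query string
 * @param string|null $sessionLogin  login from a valid session cookie, or null
 * @param array       $tokensByLogin constructed map of login => token_auth
 * @return string|null authenticated login, or null for anonymous
 */
function resolveLogin(array $query, ?string $sessionLogin, array $tokensByLogin): ?string
{
    $module = $query['module'] ?? '';
    $token  = $query['token_auth'] ?? '';

    // token_auth is only inspected for allow-listed modules; elsewhere it is ignored.
    if (is_string($token) && $token !== '' && in_array($module, TOKEN_AUTH_MODULES, true)) {
        foreach ($tokensByLogin as $login => $expected) {
            if (hash_equals($expected, $token)) { // constant-time comparison
                return $login;
            }
        }
        // Assumption of this example: a wrong token is rejected outright
        // instead of silently falling back to the session cookie.
        return null;
    }
    return $sessionLogin;
}

// Constructed sample data: one user, one token, four requests without a cookie.
$tokens = ['alice' => 'constructed-sample-token-0001'];
$cases = [
    ['module' => 'API',       'token_auth' => 'constructed-sample-token-0001'],
    ['module' => 'Widgetize', 'token_auth' => 'constructed-sample-token-0001'],
    ['module' => 'CoreHome',  'token_auth' => 'constructed-sample-token-0001'],
    ['module' => 'Widgetize', 'token_auth' => 'wrong'],
];
foreach ($cases as $q) {
    $who = resolveLogin($q, null, $tokens);
    printf("%-10s token=%-30s => %s\n", $q['module'], $q['token_auth'], $who ?? 'anonymous');
}
```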
