token_auth authentication should only work in the API and Widgetize #5655

Closed
mattab opened this issue May 29, 2008 · 8 comments
Labels: Bug, Major

@mattab
Member

mattab commented May 29, 2008

Currently, authenticating with token_auth works in all modules. We would want to restrict it to the API module, because there is no need for users to use this mechanism to log in.

@anonymous-matomo-user

I do not think so – I think that would be a nice feature.

For example:
A company that rents webspace and wants to track the user data for the customer. In the admin interface is a link to log in directly to Piwik with the right permissions.
So it would not be necessary to build their own UI and connect to the API.

Also, this is advertising for the open source software.

I would propose the following:
In the default settings token_auth is disabled and the admin could activate it in the UI (or in the config file).

@mattab
Member Author

mattab commented Jul 27, 2008

in 576

@anonymous-matomo-user

What about Widgetize? That process calls the API indirectly. We are experiencing problems because we are unable to use the Widgets in our Drupal app because of this problem. We have to log in and the cookie allows the charts to work. It would be better if we could use the token_auth feature with Widgetize too.

@mattab
Member Author

mattab commented Mar 11, 2009

chuckdeal97, please see your feature request in #283; feel free to submit any ideas or patches

@mattab
Member Author

mattab commented Mar 4, 2010

reopening as I am now convinced that Widgetize is another special case where token_auth should work, at least until #283 is implemented.

@anonymous-matomo-user

I don't know how to submit a patch, but this is what I added in plugins/Login/Login.php
on line 68 to make it work with token_auth

        // Accept token_auth from the request only when the Widgetize module is being called
        if(Piwik::getModule() === 'Widgetize')
        {
            $tokenAuthAPIInUrl = Piwik_Common::getRequestVar('token_auth', '', 'string');
            if( !empty($tokenAuthAPIInUrl))
            {
                // Authenticate by token only: clear the login and set the token from the URL
                $auth->setLogin($login = null);
                $auth->setTokenAuth($tokenAuthAPIInUrl);
                return;
            }
        }

@mattab
Member Author

mattab commented Mar 18, 2010

I am a bit confused; I generated the widget and manually added the token_auth in the widget URL, e.g.

```
module=Widgetize&action=iframe&.......&token_auth=$TOKEN_AUTH
```

And the widgets loaded fine. I thought this wasn't working. This means this bug is invalid; the downside is that you have to manually add the token_auth in the widget URLs but this is expected, as we do not want users to expose by mistake their token_auth, hence why we removed it from the URL.

@mattab
Member Author

mattab commented Mar 18, 2010

(In [1935]) Fixes #5655 clarifying documentation regarding widget authentication

This issue was closed.
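
The restriction this thread converges on (a token_auth request parameter honoured only for the API and Widgetize modules, the session cookie deciding everywhere else), together with redaction of the token before a widget URL is logged, as an added example that is not part of the thread or of Piwik's code. The function names, the `session` cookie key and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration. All names here are hypothetical; none of this is Piwik's API.

// Modules for which token_auth in the request is honoured (API and Widgetize, per the thread).
const TOKEN_AUTH_MODULES = ['API', 'Widgetize'];

/** Decide how a request is authenticated: 'token', 'session' or 'anonymous'. */
function resolveAuthMethod(array $request, array $cookies): array
{
    // Reject non-string values such as module[]=API or token_auth[]=x.
    $module = (isset($request['module']) && is_string($request['module'])) ? $request['module'] : '';
    $token  = (isset($request['token_auth']) && is_string($request['token_auth'])) ? $request['token_auth'] : '';

    // Strict, case-sensitive match, like the === 'Widgetize' comparison in the patch above.
    if ($token !== '' && in_array($module, TOKEN_AUTH_MODULES, true)) {
        return ['method' => 'token', 'token' => $token];
    }
    // Any other module ignores token_auth entirely; only an existing session counts.
    if (!empty($cookies['session'])) {           // 'session' is an assumed cookie name
        return ['method' => 'session', 'token' => null];
    }
    return ['method' => 'anonymous', 'token' => null];
}

/** Mask the token before a URL is written to a log, since token_auth is a credential. */
function redactTokenAuth(string $url): string
{
    return preg_replace('/([?&]token_auth=)[^&#]*/', '${1}REDACTED', $url);
}

// Constructed sample requests: [query parameters, cookies].
$samples = [
    [['module' => 'API',         'token_auth' => 'abc123'], []],
    [['module' => 'Widgetize',   'token_auth' => 'abc123'], []],
    [['module' => 'CoreHome',    'token_auth' => 'abc123'], []],               // token ignored
    [['module' => 'CoreHome',    'token_auth' => 'abc123'], ['session' => 's1']],
    [['module' => 'widgetize',   'token_auth' => 'abc123'], []],               // wrong case
    [['module' => 'API',         'token_auth' => ['abc123']], []],             // array value
];

foreach ($samples as [$request, $cookies]) {
    $result = resolveAuthMethod($request, $cookies);
    $url = redactTokenAuth('index.php?' . http_build_query($request));
    printf("%-9s %s\n", $result['method'], $url);
}
```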