Opened 5 years ago

Closed 2 months ago

#514 closed New feature (fixed)

New Plugin: Provide HTTP_AUTH Authentication for Piwik - Release in Marketplace

Reported by: vipsoft Owned by:
Priority: critical Milestone: 2.1 - Piwik 2.1
Component: Plugins Wishlist Keywords: third-party-plugin
Cc: r.goyet@… Sensitive: no

Description (last modified by matt)

Plugin that forwards the current HTTP_AUTH'ed user to Piwik

  • What is the HttpAuthLogin plugin?

It's a plug-in that authenticates users based on HTTP_AUTH. HTTP_AUTH is a mechanism provided by the webserver itself (I tested this with Apache). The webserver prompts the user for a login and password, matches it to a database (or a file, you decide), and if the authentication is successful, it lets you access the current logged-in user from PHP.

  • For what use cases is HttpAuthLogin useful?

If you have several web services running on the same machine, you can achieve Single Sign-On. For instance, if you run Piwik, a bug tracker, and a WebDAV disk space on the same web server, you could log-in once on the bug tracker, and be automagically logged-in on Piwik.

HTTP_AUTH is extremely widely supported. Even command-line tools like cURL or wget support it. If for some reason you'd like to write a script that fetches stuff out of Piwik, but you'd like it to be authenticated, it'd be a lot easier to do with HttpAuthPlugIn.

Contributed by Romain Goyet.

Requires review per CodingStandard.

Attachments (2)

HttpAuthLogin.zip (3.7 KB) - added by vipsoft 3 years ago.
v0.3.4
HttpAuthLogin2.tgz (2.7 KB) - added by nougad 3 months ago.
Rewrite for piwik 2.0


Change History (59)

comment:3 Changed 5 years ago by matt (mattab)

  • Description modified (diff)

comment:4 Changed 5 years ago by matt (mattab)

  • Milestone changed from Features requests - after Piwik 1.0 to Third Party Piwik Plugins

comment:5 Changed 5 years ago by matt (mattab)

  • Description modified (diff)

comment:6 Changed 5 years ago by matt (mattab)

  • Summary changed from HTTP_AUTH plugin to Plugin: Provides HTTP_AUTH authentication in Piwik

comment:7 Changed 5 years ago by vipsoft (robocoder)

New in version 0.2:

  • Should conform to coding standard
  • Compatible with 0.2.37
  • Logout link

Extract into plugins folder and activate via Settings | Plugins menu.

comment:8 Changed 5 years ago by vipsoft (robocoder)

  • Owner set to vipsoft
  • Status changed from new to assigned

comment:9 Changed 5 years ago by vipsoft (robocoder)

  • Owner vipsoft deleted
  • Status changed from assigned to new

Note: The AuthName from your .htaccess file is not passed to PHP. If you need to change the realm name, "Piwik" is hard-coded in plugins/HttpAuthLogin/Controller.php.

comment:10 Changed 5 years ago by vipsoft (robocoder)

Note: token_auth authentication is not available with this plugin

comment:11 Changed 5 years ago by alivenk

comment:12 Changed 5 years ago by domtop

comment:13 Changed 5 years ago by koteiko

comment:14 Changed 5 years ago by vipsoft (robocoder)

  • Sensitive unset

comment:16 Changed 4 years ago by timwood

comment:17 Changed 4 years ago by timwood

comment:19 Changed 4 years ago by timwood

comment:21 Changed 4 years ago by timwood

comment:23 Changed 4 years ago by vipsoft (robocoder)

But I tested the updated plugin on the 1.0 branch, and it worked fine there.

comment:24 Changed 4 years ago by timwood

I've just had the time to try the HttpAuthLogin plugin with version 1.0. I logged in as administrator, enabled the plugin and when I reload the page it throws me back to the Piwik login screen. I previously authenticated with the webserver using a different username than administrator, but this username doesn't exist in Piwik. I tried clearing my HTTP auth information and then loading Piwik again. I logged in to Apache again but this time Piwik falls into an infinite redirect loop.

Can you give a brief description on how exactly to use this plugin? I use LDAP for authentication in Apache and usernames are user@…. I tried manually creating a user account in Piwik to match my email address, but it wouldn't allow me to use the @ character in the username. Thanks, -Tim

comment:25 follow-up: Changed 4 years ago by vipsoft (robocoder)

Tim: this plugin requires that you set up an .htaccess file and password file. In your case, shouldn't you be using #734?

comment:26 in reply to: ↑ 25 Changed 4 years ago by timwood

Replying to vipsoft:

Tim: this plugin requires that you set up an .htaccess file and password file. In your case, shouldn't you be using #734?

For one, I'd prefer to stick with multi-layers of security: Password protect all of Piwik with Apache HTTP authentication (over SSL of course) while still having Piwik user accounts handle access control to the analytics data for each site. But I was hoping this plugin would pass along the credentials from HTTP authentication to Piwik. Isn't this what was intended?

As for using the plugin for LDAP authentication, it seemed more complicated to set up and hasn't been updated in 13 months (maybe that just means it's working as expected). Since I already had Apache HTTP authentication set up using LDAP, I thought it would be easier to use the HTTP_AUTH plugin.

-Tim

comment:27 Changed 4 years ago by ploum

That plugin works fairly well except for one big thing: the .htaccess breaks the API access with token_auth.

How could it be made so it doesn't break the token_auth?

comment:28 Changed 4 years ago by ploum

Mmm, it seems that, as soon as you enable this plugin (even without any .htaccess file), the token_auth access is broken. (SitesManager.getSitesWithAdminAccess always returns an empty value)

comment:29 Changed 3 years ago by matt (mattab)

See #1766 for a patch to a possible bug in this plugin.

comment:30 Changed 3 years ago by vipsoft (robocoder)

Changelog:

  • 0.3.2 - Piwik_HttpAuthLogin_Auth now extends Piwik_Login_Auth, and calls parent::authenticate() as a fallback for token_auth access; this is a bit cleaner than the fix in #1766

comment:31 Changed 3 years ago by domruf

Like Tim I also had the redirect loop problem.
I looked into the sources and just added another if else block to make it work on my Apache server with mod_sspi authentication.

Auth.php:
...

if(isset($_SERVER['PHP_AUTH_USER']))
{
    $httpLogin = $_SERVER['PHP_AUTH_USER'];
}
else if(isset($_SERVER['HTTP_AUTH_USER']))
{
    $httpLogin = $_SERVER['HTTP_AUTH_USER'];
}
else if(isset($_SERVER['REMOTE_USER']))
{
    $httpLogin = $_SERVER['REMOTE_USER'];
}

...

comment:32 Changed 3 years ago by vipsoft (robocoder)

Changelog:

  • 0.3.3 - added domruf's patch for mod_sspi

Changed 3 years ago by vipsoft (robocoder)

v0.3.4

comment:33 Changed 3 years ago by vipsoft (robocoder)

Changelog for 0.3.4

  • use $_ENV instead of $_SERVER in case variables_order excludes 'E'
  • added AUTH_USER and REDIRECT_REMOVE_USER
  • removed HTTP_AUTH_USER

comment:34 Changed 2 years ago by digant

This should get listed in the list of plugins b/c this is very valuable for any enterprise organization.

comment:35 Changed 2 years ago by klaus

Maybe someone is running into similar problems: At first I couldn't get it to work with a clean PIWIK 1.7.1 install, because I always ran into a redirect loop problem, when I activated the plugin.

After a lot of trial and error I found out that I have to deactivate the standard authentication and after that insert:

PluginsInstalled[] = "HttpAuthLogin"
Plugins[] = "HttpAuthLogin"

in the config/config.ini.php manually. It works now!

comment:36 Changed 20 months ago by drammons

I've found that not setting token auth upon authentication breaks some functionality as the superuser. So I wrote an updated version of Auth.php that sets the token_auth (instead of NULL) on successful authentication, and also replaces the Zend_Registry calls with the appropriate calls Piwik_config::getInstance() and Piwik_FetchOne.

comment:37 Changed 20 months ago by drammons

	public function authenticate()
	{
		$rootLogin = Piwik_config::getInstance()->superuser['login'];
		$rootPassword = Piwik_Config::getInstance()->superuser['password'];

		$httpLogin = null;
		if(isset($_SERVER['PHP_AUTH_USER']))
		{
			$httpLogin = $_SERVER['PHP_AUTH_USER'];
		}
		else if(isset($_ENV['AUTH_USER']))
		{
			$httpLogin = $_ENV['AUTH_USER'];
		}
		else if(isset($_ENV['REMOTE_USER']))
		{
			$httpLogin = $_ENV['REMOTE_USER'];
		}
		else if(isset($_ENV['REDIRECT_REMOTE_USER']))
		{
			$httpLogin = $_ENV['REDIRECT_REMOTE_USER'];
		}

		if(isset($httpLogin))
		{
			if($httpLogin === $rootLogin)
			{
				$rootToken = Piwik_UsersManager_API::getInstance()->getTokenAuth($rootLogin, $rootPassword);
				return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS_SUPERUSER_AUTH_CODE, $httpLogin, $rootToken );
			}

			$auth = Piwik_FetchRow(
				'SELECT login, token_auth FROM '.Piwik_Common::prefixTable('user').' WHERE login = ?',
				array($httpLogin)
			);
			
			if(isset($auth['login'])
				&& $auth['login'] === $httpLogin)
			{
				return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS, $httpLogin, $auth['token_auth'] );
			}

			return new Piwik_Auth_Result( Piwik_Auth_Result::FAILURE, $httpLogin, NULL );
		}

		return parent::authenticate();
	}
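As an added example (not the plugin's code and not from any commenter in this ticket): a resolver for the server-asserted login that reads only the variables named in this thread, checks both `$_SERVER` and `$_ENV` for each, and never reads an `HTTP_*`-prefixed key, since PHP fills those from request headers. The function name `resolveHttpAuthLogin` and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not code from the HttpAuthLogin plugin.
// resolveHttpAuthLogin() is a hypothetical helper name.

// Keys set by the web server's own authentication layer, in the order used
// in the thread. No HTTP_* key is listed on purpose: PHP derives those from
// request headers, so they are not an assertion made by the server.
const TRUSTED_AUTH_KEYS = ['PHP_AUTH_USER', 'AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'];

/**
 * Return the login asserted by the web server, or null if none is present.
 * $server and $env are parameters so the function can be exercised without
 * a web server; in a real request pass $_SERVER and $_ENV.
 */
function resolveHttpAuthLogin(array $server, array $env): ?string
{
    foreach (TRUSTED_AUTH_KEYS as $key) {
        // Which superglobal is populated depends on the SAPI and on
        // variables_order, so look in both for every key.
        foreach ([$server, $env] as $source) {
            if (!isset($source[$key]) || !is_string($source[$key])) {
                continue;
            }
            $login = trim($source[$key]);
            // Reject empty values and control characters instead of
            // handing them to the user lookup.
            if ($login === '' || preg_match('/[\x00-\x1F\x7F]/', $login)) {
                return null;
            }
            return $login;
        }
    }
    return null; // caller falls back to the normal Login / token_auth path
}

// Constructed sample inputs: [$_SERVER-like array, $_ENV-like array].
$samples = [
    'basic auth'         => [['PHP_AUTH_USER' => 'alice'], []],
    'env only'           => [[], ['REMOTE_USER' => 'DOMAIN\\bob']],
    'after rewrite'      => [['REDIRECT_REMOTE_USER' => 'carol'], []],
    'header keys only'   => [['HTTP_AUTH_USER' => 'dave', 'HTTP_REMOTE_USER' => 'dave'], []],
    'control characters' => [['REMOTE_USER' => "eve\r\nX: y"], []],
];
foreach ($samples as $label => [$server, $env]) {
    printf("%-20s => %s\n", $label, var_export(resolveHttpAuthLogin($server, $env), true));
}
```

The last two samples resolve to `NULL`, so a caller shaped like the `authenticate()` above would fall through to `parent::authenticate()` for them.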

comment:38 Changed 11 months ago by lkraav

+1 following

comment:39 Changed 4 months ago by nougad

Hey. I added a rewrite for Piwik 2.0. It seems to work for me but it may need a review.

comment:40 Changed 4 months ago by spam.xilef

I keep getting

Cannot access parent:: when current class scope has no parent

in

piwik/plugins/HttpAuthLogin2/Auth.php line 84

comment:41 Changed 4 months ago by nougad

thx, I fixed this and another critical bug in db query

comment:42 Changed 4 months ago by drammons

@nougad thanks for your work on this. I was wondering, though, why did you choose to change Auth to implementing Core Auth instead of extending the Login plugin like the previous version? It seems like a lot of additional code for which you could simply fall back on the Login plugin instead.

comment:43 Changed 4 months ago by nougad

@drammons Do you mean I should extend the existing Auth class instead of implementing the Auth interface? I had no real reason and your suggestion makes sense. I will change it that way. Thx

comment:44 Changed 4 months ago by drammons

Yes! That is exactly what I meant. Good work!

comment:45 Changed 4 months ago by jarkko

I had to add:

use Piwik\Common;

...to Auth.php to get this working.

Changed 3 months ago by nougad

Rewrite for piwik 2.0

comment:46 Changed 3 months ago by nougad

@jarkko fixed - thx

comment:47 Changed 3 months ago by drammons

Heads up as ticket:4564 rolls out, adding support for multiple super users.

comment:48 Changed 2 months ago by digantk

Piwik 2.0.3 still tells me this plugin doesn't work with Piwik. What am I doing wrong?

comment:49 follow-up: Changed 2 months ago by nougad

@digantk - sure you used the HttpAuthLogin2.tgz file? Not the HttpAuthLogin.tgz one

comment:50 in reply to: ↑ 49 Changed 2 months ago by digantk

Replying to nougad:

@digantk - sure you used the HttpAuthLogin2.tgz file? Not the HttpAuthLogin.tgz one

I'm very sure. The directory is HttpAuthLogin2 and has the HttpAuthLogin2.php file in it and the error message in the plugin manager says HttpAuthLogin2. :-/

comment:51 Changed 2 months ago by matt (mattab)

  • Resolution set to answered
  • Status changed from new to closed

Along with the Piwik 2.0 release and new design for Piwik, we have also launched the official Plugins Marketplace to let any developer share their work to the thousands of Piwik users worldwide.

Maybe you'd like to publish your plugin there?

In any case, keep up the good work and we hope you enjoy Piwik 2!

--> See also example of the Ldap plugin #734 published on the Marketplace at: http://plugins.piwik.org/LoginLdap

comment:52 Changed 2 months ago by matt (mattab)

  • Keywords third-party-plugin added

Adding third-party-plugin tag to all Piwik 1.x third party plugins. For more information, please visit the Developer docs, the Plugins Marketplace, the themes Marketplace and see #4607

If you have any question or feedback, get in touch in our Piwik developers forum. Happy new year 2014!

comment:53 Changed 2 months ago by matt (mattab)

  • Milestone Third Party Piwik Plugins deleted


comment:54 Changed 2 months ago by digant

Please add it to the marketplace. Without this plugin (and soon), I'll lose the argument against Google Analytics and I'll have to drop the use of Piwik.

comment:55 Changed 2 months ago by matt (mattab)

  • Milestone set to 2.1 - Piwik 2.1
  • Priority changed from normal to critical
  • Resolution answered deleted
  • Status changed from closed to reopened
  • Summary changed from Plugin: Provides HTTP_AUTH authentication in Piwik to New Plugin: Provide HTTP_AUTH Authentication for Piwik - Release in Marketplace

Thanks for the suggestion. Indeed I think it makes sense that the Piwik team officially supports this important plugin. We will release it on the Marketplace soon, and will then officially support it going forward.
Stay tuned!

comment:57 Changed 2 months ago by matt (mattab)

In 8d156bd1c4e8ee85d14e8caa64661354cb88bd8f:

Refactor core Login to allow for clean LoginHttpAuth logic refs #514

comment:58 Changed 2 months ago by matt (mattab)

Thanks for your patience! The HttpAuth login is now published on the Marketplace at: http://plugins.piwik.org/LoginHttpAuth

Please test it and report any issue in the GitHub issue tracker: https://github.com/piwik/plugin-LoginHttpAuth/issues

Cheers!

comment:59 Changed 2 months ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from reopened to closed