In Personal settings page and API page, only show the full token_auth value on the screen after the user clicked #10939

Closed
mattab opened this issue Dec 1, 2016 · 0 comments · Fixed by #10966
Assignees
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Milestone

Comments

@mattab
Member

mattab commented Dec 1, 2016

To prevent API token authentication data leakage during screen sharing, via screenshot, or when someone looks over the user's shoulder, we will always display only the first few characters of the token_auth on the screen and only display the full value of token_auth after the user has specifically clicked on it.

  • let's show the first 6 characters of the token_auth and then show remaining 32-6 = 26 characters as dots.
  • to make it clear that the field is clickable, let's show a cursor:pointer on hover, and a tooltip "Click to show the full token_auth" or similar
  • when the block is clicked, the full token is displayed and the focus is applied (see piwik-select-on-focus).
  • Apply this to the Platform > API listing page
  • As well as the Settings > Personal page

This will improve security and complements well our recent security improvement: Do not show token_auth of other users to a Super User #10938
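The masking and click-to-reveal behaviour described in this issue, as an added example that is not part of Matomo's own code or of this issue. `maskToken` is a pure helper that keeps the first 6 characters and replaces the rest with dots; `createTokenReveal` (a hypothetical helper name) builds the clickable element, keeps the full value in a closure rather than in the DOM so a screenshot or screen share before the click never contains it, and selects the revealed text the way `piwik-select-on-focus` does. The 32-character sample token in the usage comment is constructed.

```javascript
// Added example, not Matomo's code. Mask a token_auth for display and reveal
// the full value only after an explicit click.

const VISIBLE_CHARS = 6;
const MASK_CHAR = '\u2022'; // "dot" glyph; the issue only says "dots"

// Pure helper: first `visible` characters, then one mask character per
// remaining character. For a 32-char token: 6 real chars + 26 dots.
function maskToken(token, visible = VISIBLE_CHARS) {
  if (typeof token !== 'string') {
    throw new TypeError('token must be a string');
  }
  const shown = token.slice(0, visible);
  const hidden = Math.max(0, token.length - visible);
  return shown + MASK_CHAR.repeat(hidden);
}

// Select the contents of `el` so the revealed token can be copied in one
// keystroke (same intent as piwik-select-on-focus).
function selectContents(doc, el) {
  if (!doc.getSelection || !doc.createRange) {
    return;
  }
  const range = doc.createRange();
  range.selectNodeContents(el);
  const sel = doc.getSelection();
  sel.removeAllRanges();
  sel.addRange(range);
}

// Hypothetical helper: returns a <span> showing the masked token. The full
// token lives only in this closure (no data-* attribute, no hidden text
// node), so nothing rendered before the click leaks it.
function createTokenReveal(doc, token) {
  const el = doc.createElement('span');
  el.textContent = maskToken(token);
  el.style.cursor = 'pointer';
  el.title = 'Click to show the full token_auth';
  el.tabIndex = 0;

  const reveal = () => {
    el.textContent = token;
    el.style.cursor = '';
    el.title = '';
    selectContents(doc, el);
  };

  // `once: true` removes the listener after the first reveal.
  el.addEventListener('click', reveal, { once: true });
  el.addEventListener('keydown', (ev) => {
    if (ev.key === 'Enter' || ev.key === ' ') {
      ev.preventDefault();
      reveal();
    }
  }, { once: true });

  return el;
}

// Usage in a browser (constructed sample value, not a real token):
//   const tokenAuth = '0123456789abcdef0123456789abcdef';
//   document.body.appendChild(createTokenReveal(document, tokenAuth));
```

The keyboard handler is a small addition beyond the issue text so the reveal is reachable without a mouse; it does not change what is shown on screen before the user acts.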

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Dec 1, 2016
@mattab mattab modified the milestones: 3.0.0-b5, 3.0.0-rc Dec 1, 2016
@sgiehl sgiehl self-assigned this Dec 5, 2016