@mattab opened this Issue on September 11th 2018 Member

The new feature "Show export URL" is very valuable in giving everyone quick access to the API and seeing how the URL is constructed, making it easy to share, etc.

However for security reasons we would not want to reveal the full token_auth on screen.
Similarly in the Personal settings page where the token_auth is displayed to the user, it requires an extra click to reveal the full token.

So the goal if this issue is to slightly change the behavior, proposal:

  • When "Show export URL" is clicked, show the textarea but in the string, only show the first few characters and write ....
  • When user clicks the field to copy/paste it, then reveal the full token_auth and full URL

follows up #11958 #12987

@tsteur commented on September 12th 2018 Member

Is this really needed considering you already have to click to see it?

@mattab commented on December 24th 2018 Member

Just tested and noticed that currently you need to click, and then double click to select the string. Ideally on the first click to reveal the full URL then the full URL would be selected and then user can copy. it would be more usable.

But an even more secure / usable solution could be maybe:

  • The full token_auth is never displayed on screen, and instead it shows the full URL and replaces token_auth=full_token_here by token_auth=start_tok***********
  • on click on the textarea, the value is copied into the clipboard
  • and a feedback "Copied to your clipboard!" is displayed

Not showing the token_auth on screen would be a security improvement as the token can be easily seen/recorded by someone viewing the screen.

@tsteur commented on December 24th 2018 Member

I won't be working on this, so unassigning myself. I don't agree with any of the flows. Even the original in the issue.

@mattab commented on December 24th 2018 Member

is there maybe a better way not to show the token_auth on screen? anyway it's not urgent for now so removing from milestone

@tsteur commented on December 24th 2018 Member

Either you have only a "copy url" link, or you simply show it directly on "show export url" and accept the fact how Matomo works currently and eventually it'll be refactored to have proper authentication in place.

@tsteur commented on December 24th 2018 Member

Also when you paste a URL in the address bar, it will show the end of the URL which is usally the token. Next, a more likely risk than screen recording is that users send the exported URL to other people. Ideally you neither show them the URL nor let them copy the URL. Then when we POST to export the URL, the token won't be in the URL at all and will neither appear in access logs.

Powered by GitHub Issue Mirror