2FA Prevents dashboard from being embedded #14446

Closed
jmumby opened this issue May 13, 2019 · 4 comments · Fixed by #14657

jmumby commented May 13, 2019

When embedding as follows.

https://test.innocraft.cloud/index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&idSite=8&period=week&date=yesterday&token_auth=xxxxxxxx

Widgets are not displayed in the iFrame, only website and segment selector.

This issue occurs when a non-authenticated user attempts to view the embed. If the user is logged in the view behaves as expected.

@Findus23 Findus23 added the Bug For errors / faults / flaws / inconsistencies etc. label May 14, 2019
@mattab mattab added this to the 3.11.0 milestone Jun 18, 2019
@katebutler katebutler self-assigned this Jul 8, 2019

mattab commented Jul 9, 2019

Current behavior

iframe embedded widgetized reports don't load when 2FA is activated for the user with this token_auth.

Expected behavior instead

When a widgetize/report iframe embedding request is received by Matomo, and it has a valid token_auth parameter, and Two factor auth is enabled for this user, then we expect reports to embed correctly (no 2fa token required).

@katebutler

The error is arising from an XHR call which is sending back the 2FA token validation page instead of the expected JSON response. XHR calls with module=API skip 2FA validation (see Request class and TwoFactorAuth). Others do not and will be rejected, causing the page to fail to render.


mattab commented Jul 9, 2019

Proposal

  • Prevent 2fa users from using the Embedding report feature
  • When a user has 2fa enabled, then module=Widgetize requests should issue a friendly reminder "Embedding reports is not supported because Two-Factor auth is enabled. Please consider creating a new user, giving it only read-only permissions to the website, and disabling two-factor auth for this user."
  • When a Matomo instance has 2fa forced across all users, then as a side effect embedding reports would be completely disabled since all users would be required to have 2fa... This may be a BC break for some.
  • Would be great to also update the user guide https://matomo.org/docs/embed-matomo-reports/ with best practices, and other tweaks.


tsteur commented Jul 10, 2019

@mattab the embedded widgets should definitely work with token_auth. There's no reason it shouldn't work as the same data could be requested through the API with 2FA. And in Matomo 4 we will replace the token_auth with some app specific token or so which will then also have the same behaviour.

2fa users should be able to use the Embedding report feature for sure.

There should already be some logic in there for this, so that any authentication through token_auth should be fine, also for widgets (I had tested this), but maybe there's some other problem with it.
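
A simplified model of the 2FA gate discussed in this thread, added here as an example; it is not Matomo's code. The `Request` fields, the `USERS` table and the `decide` function are hypothetical, and the token value is constructed. It contrasts the reported behaviour (only `module=API` skips the 2FA challenge) with the expected one (any request authenticated by a valid `token_auth` skips it, while a session login without a verified second factor is still challenged).

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    module: str                          # e.g. "API" or "Widgetize"
    token_auth: Optional[str] = None     # token passed in the URL
    session_user: Optional[str] = None   # login from a browser session
    session_2fa_verified: bool = False   # second factor already entered

# Constructed sample data: one user with 2FA enabled.
USERS = {"viewer": {"token": "constructed-token-value", "two_factor": True}}

def authenticate(req):
    """Return (login, authenticated_via_token)."""
    if req.token_auth is not None:
        for login, user in USERS.items():
            if hmac.compare_digest(req.token_auth, user["token"]):
                return login, True
        # Model choice: a bad token never falls back to the session.
        return None, False
    if req.session_user in USERS:
        return req.session_user, False
    return None, False

def decide(req, token_skips_2fa_everywhere):
    """Return "deny", "challenge" (2FA page) or "allow"."""
    login, via_token = authenticate(req)
    if login is None:
        return "deny"
    if not USERS[login]["two_factor"] or req.session_2fa_verified:
        return "allow"
    if req.module == "API":
        return "allow"       # as stated in the thread: module=API skips 2FA
    if token_skips_2fa_everywhere and via_token:
        return "allow"       # expected: a valid token_auth is sufficient
    return "challenge"       # an XHR caller gets the 2FA page, not JSON

if __name__ == "__main__":
    embed = Request(module="Widgetize", token_auth="constructed-token-value")
    print("reported:", decide(embed, False))
    print("expected:", decide(embed, True))
```

The skip is keyed on how the request was authenticated, not on the mere presence of a `token_auth` parameter, so an invalid token is denied and a session without a verified second factor is still challenged.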