iframe embedded widgetized reports don't load when 2FA is activated for the user with this token_auth.
Expected behavior instead
When a widgetize/report iframe embedding request is received by Matomo, and it has a valid token_auth parameter, and Two factor auth is enabled for this user, then we expect reports to embed correctly (no 2fa token required).
The error is arising from an XHR call which is sending back the 2FA token validation page instead of the expected JSON response. XHR calls with module=API skip 2FA validation (see Request class and TwoFactorAuth). Others do not and will be rejected, causing the page to fail to render.
When a user has 2fa enabled, then module=Widgetize requests should issue a friendly reminder "Embedding reports is not supported because Two-Factor auth is enabled. Please consider creating a new user, give it only read only permissions to the website, disable two-factor auth for this user."
When a Matomo instance has 2fa forced across all users, then as a side effect embedding reports would be completely disabled since all users would be required to have 2fa... This may be a BC break for some.
@mattab the embedded widgets should definitely work with token_auth. There's no reason it shouldn't work as the same data could be requested through the API with 2FA. And in Matomo 4 we will replace the token_auth with some app specific token or so which will then also have the same behaviour.
A 2fa user should be able to use the Embedding report feature for sure.
There should already be some logic in there for this that any authentication through token_auth should be fine, also for widgets (I had tested this), but maybe there's some other problem with it.
When embedding as follows:
https://test.innocraft.cloud/index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&idSite=8&period=week&date=yesterday&token_auth=xxxxxxxx
Widgets are not displayed in the iFrame, only website and segment selector.
This issue occurs when a non-authenticated user attempts to view the embed. If the user is logged in the view behaves as expected.