@tsteur (Member) opened this issue on January 9th 2020

In https://github.com/matomo-org/matomo/issues/6559

I am starting to implement app specific authtokens/passwords.

I started adding some additional features to further increase the security of tokens:

  • Scope: Let users choose if the token should be valid for the Reporting API, and/or the Tracking API, and/or Widgets
  • Access: I was going to let users choose what access the token should have. E.g. an admin user could decide the token should have only view or write or admin access (but not super user)
  • Sites: I was going to let the user choose whether the token should have access to all sites, or only one site.

Of course this way you could create different combinations of tokens to lower the risk a lot, e.g.

  • A write token for the tracking API that has only access to one site
  • A reporting token with view permission for only a specific site even though the user is super user or write user or admin user
  • A token for the exported widgets with only view access which has only access for one site

This way, even if a tracker gets the token, the scope of what they can do is quite restricted.

It's tricky to implement though. E.g. likely we would need to use a completely different Access class depending on whether the user is authenticated through the UI or through token_auth. It may be mostly done though by changing maybe the behaviour of Access:loadSitesIfNeeded, but not sure. Also we would need to check in various places, e.g. in API::index(), whether the token is allowed for the current scope etc.

Figured I'd create a separate issue for now to simplify #6559.
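The following is an added illustration of the scoped-token idea described in this issue; it is not Matomo's own code and does not use Matomo's Access class or its real permission storage. The names `Access`, `AppToken`, `effective_access` and the user/site permission table are assumptions constructed for the example. It shows the three restrictions from the proposal (scope, access ceiling, site list) combined into one check, with the rule that a token can never grant more than the owning user already has on that site and can never grant super user access.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class Access(IntEnum):
    """Ordered access levels; higher value implies all lower ones (assumed model)."""
    NONE = 0
    VIEW = 1
    WRITE = 2
    ADMIN = 3
    SUPERUSER = 4


# Token scopes, matching the three areas named in the proposal.
REPORTING = "reporting"
TRACKING = "tracking"
WIDGETS = "widgets"


@dataclass(frozen=True)
class AppToken:
    """An app-specific token bound to a user login (hypothetical model)."""
    login: str
    scopes: FrozenSet[str]            # which APIs the token may be used for
    max_access: Access                # ceiling the token may never exceed
    site_ids: Optional[FrozenSet[int]]  # None = every site the user can already reach

    def __post_init__(self) -> None:
        if not self.scopes:
            raise ValueError("token must have at least one scope")
        if self.max_access >= Access.SUPERUSER or self.max_access == Access.NONE:
            raise ValueError("token ceiling must be view, write or admin")


# Constructed permission table: login -> {idsite: access the user holds there}.
USER_SITE_ACCESS = {
    "alice": {1: Access.WRITE, 2: Access.ADMIN},
    "bob": {1: Access.VIEW},
}
SUPER_USERS = {"root"}


def user_access(login: str, idsite: int) -> Access:
    """Access the user would have through the normal UI session."""
    if login in SUPER_USERS:
        return Access.SUPERUSER
    return USER_SITE_ACCESS.get(login, {}).get(idsite, Access.NONE)


def effective_access(token: AppToken, scope: str, idsite: int) -> Access:
    """Access granted by this token for one request: scope and site must match,
    and the result is clamped to both the user's own access and the token ceiling."""
    if scope not in token.scopes:
        return Access.NONE
    if token.site_ids is not None and idsite not in token.site_ids:
        return Access.NONE
    return min(user_access(token.login, idsite), token.max_access)


def is_allowed(token: AppToken, scope: str, idsite: int, required: Access) -> bool:
    """The check an API entry point would run before serving a token_auth request."""
    return effective_access(token, scope, idsite) >= required


# The three example tokens from the proposal, built from constructed data.
TRACKING_TOKEN = AppToken("alice", frozenset({TRACKING}), Access.WRITE, frozenset({1}))
REPORTING_TOKEN = AppToken("root", frozenset({REPORTING}), Access.VIEW, frozenset({2}))
WIDGET_TOKEN = AppToken("bob", frozenset({WIDGETS}), Access.ADMIN, frozenset({1}))

if __name__ == "__main__":
    print(is_allowed(TRACKING_TOKEN, TRACKING, 1, Access.WRITE))   # True
    print(is_allowed(TRACKING_TOKEN, TRACKING, 2, Access.VIEW))    # False: site not in token
    print(is_allowed(TRACKING_TOKEN, REPORTING, 1, Access.VIEW))   # False: wrong scope
    print(effective_access(REPORTING_TOKEN, REPORTING, 2).name)    # VIEW, even for a super user
    print(effective_access(WIDGET_TOKEN, WIDGETS, 1).name)         # VIEW: user only has view
```

The `min()` clamp is the important design choice: the token's ceiling lowers what the user could do but can never raise it, so a leaked reporting token for a super user is still only a view token on one site, and a token created with an admin ceiling by a view-only user stays view-only.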
