@tsteur opened this Issue on June 9th 2020 Member

Was just testing https://github.com/matomo-org/matomo/pull/15999 and then went to Ecommerce log -> Export and noticed I always get an error "Your session has expired due to inactivity. Please log in to continue." I suppose this applies to all reports through the UI report export popover.

Possible this is due to the app specific token change.

@sgiehl commented on June 9th 2020 Member

Same applies for all API example links

@sgiehl commented on June 9th 2020 Member

@tsteur do you have a suggestion how to fix that issue? The reason seems to be that the token_auth used within Matomo is a token_auth generated for the current session. The export and API example links are generated using this session token_auth. But actually that session token_auth can't be used for normal API calls.
Would it make sense to store the session token_auth in the user_token_auth table instead of in the session, and let it expire with the session maybe? That way it could be used with API calls as long as the session didn't expire 🤔

@tsteur commented on June 10th 2020 Member

@sgiehl when using the export button ideally we'd POST &token_auth=92e282cbcd215d65f1a03e86e9bbcbb9&force_api_session=1 then it would work.

The shown URL would maybe need to be removed since we can't know the token.

We wouldn't want to add that token to user_token_auth as it would basically mean if a user shares that link for some reason, another user would have access to Matomo for a certain amount of time.

Of course it also means a user can no longer edit the URL after clicking on the export button.

An alternative would be to allow $_GET in https://github.com/matomo-org/matomo/blob/4.x-dev/core/Access.php#L160-L162 . It'd be a bit less secure though maybe.

Ideally we'd POST the two mentioned parameters.

If we still need to show a URL, we could add a sentence they need to append an app specific token to use it (could even show a form field where they can enter their token).

@Findus23 commented on June 10th 2020 Member

> Of course it also means a user can no longer edit the URL after clicking on the export button.

Isn't that the whole point of the export feature: To have a starting point to interactively browse the Matomo API

Another idea (not sure if it is better) would be to require people to create API tokens to use the export feature and allow selecting the used API token in the export window with an explanation on the implications of sharing the token (of course then we are again back to sending a token allowing access to a user via GET parameters)

@tsteur commented on June 10th 2020 Member

> Isn't that the whole point of the export feature: To have a starting point to interactively browse the Matomo API

Not sure. I think the export dialog was added so people don't need to play with it and just get the data they want to export. I don't think too many people actually "play" with the API there as you'd need to know the API, that you can play with it, its parameters etc. Of course some do play with it.

> Another idea (not sure if it is better) would be to require people to create API tokens to use the export feature and allow selecting the used API token in the export window with an explanation on the implications of sharing the token

It would just mean that people need to store the token in a password manager or something and copy/paste it every time they want to export something and there is indeed the risk re sharing the token.

I guess maybe it shouldn't use the API there in the first place but then people wouldn't be able to "play" with it. Guess the most valuable parameters can be already changed in the export widget so that the URL doesn't need to be changed afterwards. Of course there will be always edge cases where other parameters will want to be used.

Maybe we could allow $_GET in https://github.com/matomo-org/matomo/blob/4.x-dev/core/Access.php#L160-L162 when the original request is an API request for a .get* method. Would maybe need to use Api\Request::getRootApiRequestMethod() for that but not sure it gives us the originally requested method or so. @sgiehl could maybe go with that?

Sharing that URL wouldn't give anyone else access to it because they would also need access to the user's session (aka cookies). That's because it is the session token auth.
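To make the trade-off discussed in this thread concrete, here is an added illustration (not Matomo's own code, and not the contents of Access.php) of how a session-bound token_auth can be accepted for API calls only when it is sent together with the session cookie and `force_api_session=1`, with an optional relaxation for read-only `.get*` methods as suggested above. The function name `resolveTokenAuth`, the `$request`/`$session` array shapes and the sample tokens are assumptions made for this example.

```php
<?php
// Added example, not Matomo's implementation. Decides whether a token_auth
// is an app-specific token (usable in any API call) or a session token
// (usable only by the session holder, only with force_api_session=1).
//
// $request = ['method' => 'GET'|'POST', 'get' => [...], 'post' => [...],
//             'api' => 'Module.method']              (assumed shape)
// $session = ['token_auth' => string|null]   server-side session data
// $appTokens = app-specific tokens valid for the logged-in user (placeholder)
function resolveTokenAuth(array $request, array $session, array $appTokens,
                          bool $allowGetForReadOnly = false): ?string
{
    $isPost = $request['method'] === 'POST';
    // Only merge POST parameters for POST requests; GET links never see them.
    $params = $isPost ? array_merge($request['get'], $request['post']) : $request['get'];
    $token  = $params['token_auth'] ?? null;
    if ($token === null) {
        return null;
    }

    // App-specific tokens stand on their own (the user chose to create one).
    foreach ($appTokens as $appToken) {
        if (hash_equals($appToken, $token)) {   // constant-time comparison
            return 'app';
        }
    }

    // Session token: caller must hold the matching session (cookie) and
    // must explicitly opt in with force_api_session=1.
    $sessionToken = $session['token_auth'] ?? null;
    if ($sessionToken === null || !hash_equals($sessionToken, $token)) {
        return null;
    }
    if (empty($params['force_api_session'])) {
        return null;
    }

    // Strict rule: session token accepted from the POST body only, so it does
    // not end up in shared links, browser history or server logs.
    $inPostBody = $isPost && isset($request['post']['token_auth']);
    // Relaxed rule (thread proposal): also allow it in the query string for
    // read-only .get* API methods.
    $readOnly = $allowGetForReadOnly
        && preg_match('/\.get[A-Za-z]*$/', $request['api']) === 1;

    return ($inPostBody || $readOnly) ? 'session' : null;
}

// Constructed sample: the same session token sent in a GET link vs. a POST body.
$session = ['token_auth' => 'SESSION-TOKEN-EXAMPLE'];
$get  = ['method' => 'GET',  'get' => ['token_auth' => 'SESSION-TOKEN-EXAMPLE', 'force_api_session' => '1'], 'post' => [], 'api' => 'Ecommerce.getItemsName'];
$post = ['method' => 'POST', 'get' => [], 'post' => ['token_auth' => 'SESSION-TOKEN-EXAMPLE', 'force_api_session' => '1'], 'api' => 'Ecommerce.getItemsName'];
var_dump(resolveTokenAuth($get, $session, []), resolveTokenAuth($get, $session, [], true), resolveTokenAuth($post, $session, []));
```

With the strict rule the GET link is rejected even though it carries a valid session token; enabling `$allowGetForReadOnly` accepts it for the `.get*` method, while a write method in the same link would still be rejected.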

@sgiehl commented on June 11th 2020 Member

@tsteur commented on June 11th 2020 Member

Yep.

This Issue was closed on June 18th 2020