Using auth tokens of "write" or "admin" permissions when embedding #16554
Comments
At the same time, could we change the message from
We won't do this because those things aren't related. Also, embedding "manage goals" or similar is not officially supported by our widgets that can be embedded. It's likely a use case we don't want to support. There could be some setting if REALLY needed, like It wouldn't even be a BC break, as we never supported this AFAIK. Maybe what should be used in this case is rather the
We did support this use case and several people rely on it. That's why we have the feature
If we continue to support this (which I would maybe not recommend), then the risks will need to be mentioned clearly, e.g. that the token will appear in logs and everything. It's not really secure in various ways (token appearing in logs, not clear who makes changes, anyone being able to misuse things in many ways, etc.), plus it can create a lot of work for us to support this, as it means we cannot always rely on a session etc. Also we need to mention on HackerOne that we exclude anything related to this config flag (and
It would be ideal if we could keep this feature, as it helps people embed the Matomo app within their own backoffice (for example in combination with a custom theme; we've seen some really great looking integrations before). Also some people want to embed the Matomo app within an iframe, including the login form (the So we need to be way more transparent about all the disadvantages (which we weren't quite aware of before), and it sounds good to mention the security risks clearly:

@mattab there may be many more security issues, e.g. around sessions etc. It's basically quite unpredictable. I wouldn't even be surprised if a user stayed logged in even if the user itself was removed, etc.
The new security feature in #16263 would break use cases for users who need to be able to create/update entities like goals and custom dimensions from within an iframe. This is the case when users embed the whole Matomo app within their products (as quickly described in this FAQ). Currently they would get the message
This user has at least some write access. Only tokens of users who have only view access can be used.
Initially I was thinking we could have yet another INI setting, but actually it looks better/easier to accept write/admin tokens whenever
enable_framed_pages=1
or
enable_framed_settings=1
are set in the config? (This needs to be added to the RC, as it would otherwise be a BC break for some.)
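The rule proposed above (reject write/admin tokens in framed requests unless enable_framed_pages or enable_framed_settings is on), next to a log-redaction helper for the "token will appear in logs" risk raised earlier in the thread. This is an added illustration, not Matomo's own code; the function names, the config dict shape and the URL are assumptions, and the view/write/admin access names are used as in the issue.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Message quoted in the issue when a non-view token is rejected in a framed request.
REJECT_MESSAGE = ("This user has at least some write access. "
                  "Only tokens of users who have only view access can be used.")

# Config keys named in the issue; values may arrive as int or as INI strings.
FRAMING_FLAGS = ("enable_framed_pages", "enable_framed_settings")


def _flag_on(config: dict, key: str) -> bool:
    return str(config.get(key, "0")).strip() == "1"


def framed_token_allowed(token_access: str, config: dict) -> tuple:
    """Decide whether a token_auth sent from an embedded (framed) page is accepted.

    token_access: highest access behind the token, one of "view", "write", "admin".
    config: the relevant subset of the INI [General] section (assumed shape).
    Returns (accepted, reason). Assumption, as proposed in the issue: view tokens are
    always fine; write/admin tokens only pass when the operator opted into framing.
    """
    if token_access == "view":
        return True, "view-only token"
    if any(_flag_on(config, key) for key in FRAMING_FLAGS):
        return True, "write/admin token accepted: framed embedding explicitly enabled"
    return False, REJECT_MESSAGE


def redact_token_auth(url: str) -> str:
    """Blank the token_auth query value before a request URL is written to a log.

    Accepting write/admin tokens in URLs means any access log or proxy log that
    records the query string also records a reusable credential; redact it first.
    """
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "token_auth" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample: a framed Goals.addGoal call with a write token and framing off.
    sample = "https://matomo.example/index.php?module=API&method=Goals.addGoal&idSite=1&token_auth=abc123"
    print(framed_token_allowed("write", {"enable_framed_pages": "0"}))
    print(redact_token_auth(sample))
```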