After https://github.com/matomo-org/matomo/pull/17520 we avoid using session auth if token_auth is in the URL and force_api_session is not set to 1. This is fine for API requests, but in some places (like the GoogleAnalyticsImporter), we make ajax requests to controller methods w/ the token_auth in the URL. These now are not authenticated when they should be.
When requesting a controller method w/ token_auth in the URL, allow use of SessionAuth.
The session is not used, even if the API is not being requested, if token_auth is in the URL.
Two quick fixes would be:
$module == 'API'
Can be reproduced by trying to start an import in the GoogleAnalyticsImporter API.
@diosmosis the solution in this case is likely similar to https://github.com/matomo-org/matomo/pull/17587 to send the correct force_api_session=1 request in GA. It basically wasn't really supposed to work before. Or alternatively remove the token_auth from the request. Can you point me to the code maybe in GA Importer where the problem is?
Generally we'd want to have this check not just for API, but also widgets, and because any action can be embedded using a token, we kind of have to keep this new behaviour for things to work correctly as expected, and it might be better to fix the code in the plugins etc. Be good to let me know though where this happens.
Just seeing the code in https://github.com/matomo-org/plugin-GoogleAnalyticsImporter/blob/4.x-dev/angularjs/import-scheduler/import-scheduler.controller.js#L57 . I think in that case we shouldn't set the token hard coded but use the method withTokenInUrl in the API angular service, which then will behave correctly automatically.
I'd prefer fixing the code as @tsteur suggested. This way we will have a clear way of how it should and how it works.
I just tested and visitor-map is already doing it correctly. @diosmosis I think you updated the GA importer so we can close this issue? Let me know if that's not the case and I will reopen.