@diosmosis opened this Issue on May 19th 2021 Member

After https://github.com/matomo-org/matomo/pull/17520 we avoid using session auth if token_auth is in the URL and force_api_session is not set to 1. This is fine for API requests, but in some places (like the GoogleAnalyticsImporter), we make ajax requests to controller methods w/ the token_auth in the URL. These are now not authenticated when they should be.

Expected Behavior

When requesting a controller method w/ token_auth in the URL, allow use of SessionAuth.

Current Behavior

The session is not used, even if the API is not being requested, if token_auth is in the URL.

Possible Solution

Two quick fixes would be:

  • add to the check in core $module == 'API'
  • in GoogleAnalyticsImporter add force_api_session=1 to the calls (though this would not fix any other uses in the wild or in our code, so the BC break would still be there)

Steps to Reproduce (for Bugs)

Can be reproduced by trying to start an import in the GoogleAnalyticsImporter API.

FYI @tsteur

@tsteur commented on May 19th 2021 Member

@diosmosis the solution in this case is likely similar to https://github.com/matomo-org/matomo/pull/17587 to send the correct force_api_session=1 request in GA. It basically wasn't really supposed to work before. Or alternatively remove the token_auth from the request. Can you point me to the code maybe in GA Importer where the problem is?

Generally we'd want to have this check not just for API, but also for widgets, and because any action can be embedded using a token, we kind of have to keep this new behaviour for things to work correctly as expected; it might be better to fix the code in the plugins etc. It'd be good to let me know, though, where this happens.

@tsteur commented on May 19th 2021 Member

Just seeing the code in https://github.com/matomo-org/plugin-GoogleAnalyticsImporter/blob/4.x-dev/angularjs/import-scheduler/import-scheduler.controller.js#L57 . I think in that case we shouldn't set the token hard-coded but use the method withTokenInUrl in the API angular service, which will then behave correctly automatically.

@tsteur commented on May 19th 2021 Member

Looked through the code and think the only other place that also needs updating is https://github.com/matomo-org/matomo/blob/4.3.0/plugins/UserCountryMap/javascripts/visitor-map.js#L1189.

@flamisz commented on May 19th 2021 Contributor

I'd prefer fixing the code as @tsteur suggested. This way we'll have a clear picture of how it should work and how it works.

@tsteur commented on May 20th 2021 Member

I just tested and visitor-map is already doing it correctly. @diosmosis I think you updated the GA importer so we can close this issue? Let me know if that's not the case and I will reopen.
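A small model of the decision described in this thread, added here as an illustration; it is not code from Matomo or the GoogleAnalyticsImporter plugin. The request shape, the function names and the token value are assumptions, and the three variants correspond to the behaviour before PR 17520, the behaviour after it, and the `$module == 'API'` check proposed in the issue, with the client-side fix (token and force_api_session=1 in the POST body, not the URL) alongside.

```javascript
// Constructed request shape (assumption): { module, method, query, body }.
// query = parameters in the URL, body = POST parameters.

function hasTokenInUrl(req) {
  return Object.prototype.hasOwnProperty.call(req.query, 'token_auth');
}

function forceApiSession(req) {
  const v = req.body.force_api_session !== undefined
    ? req.body.force_api_session
    : req.query.force_api_session;
  return v === '1';
}

// Before PR 17520 (as described in the issue): the session cookie was always usable.
function sessionAuthAllowedBefore(req) {
  return true;
}

// After PR 17520: a token_auth in the URL disables session auth unless
// force_api_session=1 is sent. This is what breaks controller calls that
// put the token in the URL (the GA importer case).
function sessionAuthAllowedAfter(req) {
  return !(hasTokenInUrl(req) && !forceApiSession(req));
}

// Proposed fix 1 from the issue: only apply the check when module == 'API'.
function sessionAuthAllowedWithModuleCheck(req) {
  if (req.module !== 'API') return true;
  return sessionAuthAllowedAfter(req);
}

// Proposed fix 2 (the one the maintainers preferred): keep the token out of
// the URL and send it, with force_api_session=1, in the POST body so the
// server still honours the session.
function buildControllerRequest(module, action, tokenAuth) {
  return {
    module,
    method: 'POST',
    query: { module, action },
    body: { token_auth: tokenAuth, force_api_session: '1' },
  };
}

// Constructed sample: the broken GA importer style call with the token in the URL.
const gaImportRequest = {
  module: 'GoogleAnalyticsImporter',
  method: 'GET',
  query: { module: 'GoogleAnalyticsImporter', action: 'startImport', token_auth: 'TOKEN_PLACEHOLDER' },
  body: {},
};
```

Running the three variants over `gaImportRequest` shows the regression: the pre-PR check allows session auth, the post-PR check refuses it, and both proposed fixes restore it.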

This Issue was closed on May 20th 2021