Page Overlay ignores token_auth in URL when opened from a Widget #17640

Expected Behavior

When embedding Matomo widgets in an iFrame, it is expected that all links in the widget will work when using a token_auth with the correct permissions.

Current Behavior

When embedding Matomo widgets that contain links to view the Page Overlay (For example the Pages or Page URL reports) the Page Overlay links open in a new tab and force the user to log in instead of using the token_auth present in the URL.

This causes any users that are already logged in to Matomo but don't have access to the site to see You do not have access in the Page Overlay UI.
Users that are not logged in will see the error message Your session has expired due to inactivity. Please log in to continue.

Steps to Reproduce (for Bugs)

1. Embed the Page URL report as a widget in a page using a token_auth of a user that has view access to the report
2. Open the page that contains the iFramed widget in a private browsing session and click on a link to to a Page Overlay
3. You should be presented with the following error message if you are not logged in to Matomo:
   

Your Environment

• Matomo Version: 4.3.1

I'm not sure if the Page Overlay is meant to work in an iframe. ping @tsteur @mattab
But I guess the "problem" is that the overlay appends force_api_session=1 to various urls.

@Starker3 @sgiehl I just tested it using 4.2.1 and it worked there from what I can see so I'm assuming this might be a regression

Probably related to this PR: https://github.com/matomo-org/matomo/pull/17520

@tsteur I tested this on 4.2.1 and had the exact same error. I tried appending the token_auth to the end of the URL (Since the link from the widget adds a # with additional information at the end of the URL) as well and it returned the error Error: You must be logged in to access this functionality.

Weird, it worked for me there using

https://mylocaldomain/index.php?module=Widgetize&action=iframe&disableLink=0&widget=1&moduleToWidgetize=Actions&actionToWidgetize=getPageUrls&idSite=1&period=year&date=yesterday&disableLink=1&widget=1&token_auth=4a45307d01810d2307be558f9596e51f#

and then opening the page overlay. Tested this in a private window where you aren't logged in.

@tsteur and @Starker3 could you please check if the URL of the overlay page contains the force_api_session=1 and try it with or without it to reload the page?

actually 4.2 and 4.3 works for me nicely with only the token.
Also works when adding force_api_session=1 (because I don't have a session active anyway)

I can't reproduce the issue actually

@flamisz removing force_api_session=1 from the URL didn't make any difference when testing (On 4.2.1).
I got the same error from the URL with and without the force_api_session: Error: Your session has expired due to inactivity. Please log in to continue.
Tested using a private window (To ensure that there is no open session)

The link that is generated for the overview on both my testing instances is the following:
https://localhost/index.php?module=Overlay&period=month&date=today&idSite=1&force_api_session=1&token_auth=f1d1fd6c253df6d6aa3840aca258a046#?l=http$3A$2F$2Flocalhost$2Ftest$20page1.html

@tsteur the same for me, it works on the latest version with a view token even when the force_session_api=1 is in the url.

@flamisz If it helps narrow it down, I'm testing using localhost for the iFrame widget with an externally hosted Matomo install (Accessible from the internet).

OK I was able to reproduce it, had to turn off anom user (obviously) on my local environment. @tsteur @Starker3

great find @flamisz could you also git checkout 4.2.1 to see if it happens there too?

@tsteur it happens there as well. it's not a regression in my opinion.

Great, thanks @flamisz I moved it out of the milestone for now.