API for token_auth #1884

Closed
anonymous-matomo-user opened this issue Dec 11, 2010 · 3 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.

Comments

@anonymous-matomo-user

This is an adaptation of a post in lists.typo3.org/projects/piwik
Hi,

it's just going forward with mobile app support for TYPO3 Piwikintegration.
Currently there is a problem with generating the authTokens, as
Piwik.org seems to have a static relation between username / password and token!

From piwik/plugins/UsersManager/API.php:

```php
/**
 * Generates a unique MD5 for the given login & password
 *
 * @param string Login
 * @param string MD5ied string of the password
 */
public function getTokenAuth($userLogin, $md5Password)
{
    if(strlen($md5Password) != 32)
    {
        throw new Exception(Piwik_TranslateException
           ('UsersManager_ExceptionPasswordMD5HashExpected'));
    }
    return md5($userLogin . $md5Password );
}
```

This collides with the current idea of a completely independent API Key. (As the apikey field in the db could be calculated automatically ...)
You can set the API code manually to the above value to enable mobile
Apps in the SVN version on [1].

Piwik should check whether the given username/password is correct
and return the correct API Key from the database.

Additionally I would like to have a function getNewTokenAuth(...) for generating a new random API key.

SVN:
[1] http://forge.typo3.org/projects/show/extension-piwikintegration
Forum
[2] http://forum.piwik.org/read.php?2,69771

Best regards
Kay
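
An added illustration of the relationship this post describes, not code from Piwik or from either commenter: it contrasts the quoted `md5($userLogin . $md5Password)` derivation with an independently generated key that is returned only after a credential check. The body of `getNewTokenAuth()`, the `tokenForCredentials()` helper, the `$users` array and the `password_hash()` storage are assumptions made for the sketch.

```php
<?php
// Added sketch, not Piwik code. Only the md5() derivation is from the issue.

// Derivation quoted above: the token is a pure function of login and
// MD5(password), so it changes only when the password changes.
function derivedTokenAuth(string $login, string $md5Password): string
{
    if (strlen($md5Password) !== 32) {
        throw new InvalidArgumentException('MD5 hash of the password expected');
    }
    return md5($login . $md5Password);
}

// Hypothetical body for the requested getNewTokenAuth(): 128 bits from the
// CSPRNG, unrelated to the credentials, so the key can be rotated on its own.
function getNewTokenAuth(): string
{
    return bin2hex(random_bytes(16));
}

// Hypothetical lookup: verify the credentials, then return the stored key.
// $users is a constructed stand-in for the user table; password_hash()
// storage is an assumption of this sketch.
function tokenForCredentials(array $users, string $login, string $password): ?string
{
    $row = $users[$login] ?? null;
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['token_auth'];
}

// Constructed sample data.
$users = ['kay' => [
    'password_hash' => password_hash('constructed-password', PASSWORD_DEFAULT),
    'token_auth'    => getNewTokenAuth(),
]];

// The derived token is reproducible from the stored MD5 alone.
$md5 = md5('constructed-password');
var_dump(derivedTokenAuth('kay', $md5) === md5('kay' . $md5));

// Rotating the stored key invalidates the old one; the password is untouched.
$old = $users['kay']['token_auth'];
$users['kay']['token_auth'] = getNewTokenAuth();
var_dump(hash_equals($old, $users['kay']['token_auth']));
var_dump(tokenForCredentials($users, 'kay', 'constructed-password') !== null);
var_dump(tokenForCredentials($users, 'kay', 'wrong-password'));
```

With the derived scheme a leaked token can only be revoked by changing the password; with a stored random key, revocation is a single column update.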

@robocoder
Contributor

For backward compatibility, matt responded in #308 that this relationship wouldn't change.

I think after the 1.1 release, we'll have to look at the overall security model given:

  • weaknesses associated with md5
  • APIs moving towards OAuth (which we have a ticket open for).
  • desire for more granular access (eg access to some widgets and not others)

Marking as wontfix in the interim.

@anonymous-matomo-user
Author

thanks,

so the key is stored in the database for performance reasons only :( ?

@robocoder
Contributor

I don't know if it's that much of a performance enhancement, but theoretically, the md5 hashed password is no longer required to be stored.

@anonymous-matomo-user anonymous-matomo-user added this to the Future releases milestone Jul 8, 2014
This issue was closed.