@anonymous-piwik-user opened this Issue on December 11th 2010

is adaption of a post in lists.typo3.org/projects/piwik

it's just going forward with mobile app support for TYPO3 Piwikintegration.
Currently there is a problem with generation the authTokens, as
Piwik.org seems to have a static relation between username / password and token!

 Out of piwik/plugins/UsersManager/API.php
 * Generates a unique MD5 for the given login & password
 * <a class='mention' href='https://github.com/param'>@param</a> string Login
 * <a class='mention' href='https://github.com/param'>@param</a> string MD5ied string of the password
public function getTokenAuth($userLogin, $md5Password)
    if(strlen($md5Password) != 32)
        throw new Exception(Piwik_TranslateException
    return md5($userLogin . $md5Password );

This collides with the current idea of a complete independent API Key. (As the apikey field in the db could be calculated automatically ...)
You can set the API code manually to the above value to enable mobile
Apps in the SVN version on [1].

Piwik should check wether the given username/password is correct
and return the correct API Key from the database.

Additionally i would like to have a function getNewTokenAuth(...) for generating a new random API key.

[1] http://forge.typo3.org/projects/show/extension-piwikintegration
[2] http://forum.piwik.org/read.php?2,69771

Best regards

@robocoder commented on December 11th 2010 Contributor

For backward compatibility, matt responded in #308 that this relationship wouldn't change.

I think after the 1.1 release, we'll have to look at the overall security model given:

  • weakneses associated with md5
  • APIs moving towards oAuth (which we have a ticket open for).
  • desire for more granular access (eg access to some widgets and not others)

Marking as wontfix in the interim.

@anonymous-piwik-user commented on December 11th 2010


so the key is stored in the database for performance reasons only :( ?

@robocoder commented on December 12th 2010 Contributor

I don't know if it's that much of a performance enhancement, but theoretically, the md5 hashed password is no longer required to be stored.

This Issue was closed on December 12th 2010
Powered by GitHub Issue Mirror