Improve password confirmation in UI & API #19525
Conversation
Will also implement some changes so we can fix #19169
Go through all the changes, working as expected
@tsteur would you mind having a quick look at that one? Just want to make sure the implementation with this new event is a solid solution for other login plugins to circumvent the issue that they don't have a password the user can enter.
…lugins to disable the password confirmation for users
Description:
Our UI and API currently require a password confirmation for certain (critical) actions. Currently that is done in each Vue component and API in a similar way (but with its own implementation each time).

This PR introduces a new `PasswordConfirmation` Vue component that can be easily reused in other components. This also helps to make them look similar across Matomo. All existing password confirmations were replaced with the new component. The password confirmation check in the API was also done in each class, but will now be available in each API, as it is part of the abstract class.
As confirming passwords introduced issues with other login plugins (that simply don't use passwords), a new event `Login.userRequiresPasswordConfirmation` was introduced that allows disabling password confirmation for certain users. If it is disabled, the API won't perform password checks, and in the UI the password confirmation will still be displayed, but with the password input disabled and the submit button enabled, so the form can be submitted without entering a password.
Additionally, this PR introduces password confirmation for these critical actions:

On the Privacy > Anonymize data page it is possible to change the settings for purging old log data and reports as well as directly purging such data. As this is a critical action that can cause data loss, we will now require the password to be confirmed.

fixes #19335
fixes #19169
fixes https://github.com/matomo-org/matomo-security/issues/209
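The following stand-alone PHP script is an added illustration of the design described above; it is not Matomo's code and none of its classes (`EventDispatcher`, `ConfirmationRequirement`, `UserStore`, `ApiBase`, `PrivacyManagerApi`, `SsoLoginPlugin`) exist in Matomo. Only the event name `Login.userRequiresPasswordConfirmation` comes from the PR; the real event's parameter list is not shown here, so the model hands listeners a small decision object with a `disable()` method instead. It shows the two security-relevant properties of the pattern: the check lives once in the abstract API base rather than in each API class, and a login plugin can opt a user out, while the default when nobody opts out is to require a matching password and fail closed for an account that has no local hash.

```php
<?php
declare(strict_types=1);

// Minimal stand-in for Matomo's event mechanism (assumption: modelled, not Matomo's class).
final class EventDispatcher
{
    /** @var array<string, list<callable>> */
    private array $listeners = [];

    public function on(string $event, callable $listener): void
    {
        $this->listeners[$event][] = $listener;
    }

    public function post(string $event, array $params): void
    {
        foreach ($this->listeners[$event] ?? [] as $listener) {
            $listener(...$params);
        }
    }
}

// Decision handed to listeners of Login.userRequiresPasswordConfirmation.
// Confirmation is required unless a listener explicitly disables it.
final class ConfirmationRequirement
{
    private bool $required = true;

    public function disable(): void { $this->required = false; }
    public function isRequired(): bool { return $this->required; }
}

// Constructed user store: login => password hash, null when the account has no local password.
final class UserStore
{
    /** @param array<string, ?string> $hashes */
    public function __construct(private array $hashes) {}

    public function passwordHashFor(string $login): ?string
    {
        return $this->hashes[$login] ?? null;
    }
}

// The one place the check is implemented; every concrete API inherits it.
abstract class ApiBase
{
    public function __construct(
        protected EventDispatcher $events,
        protected UserStore $users,
        protected string $currentLogin,
    ) {}

    protected function confirmCurrentUserPassword(?string $passwordConfirmation): void
    {
        $requirement = new ConfirmationRequirement();
        $this->events->post('Login.userRequiresPasswordConfirmation', [$requirement, $this->currentLogin]);
        if (!$requirement->isRequired()) {
            return; // a login plugin vouched that this user has no password to confirm
        }

        $hash = $this->users->passwordHashFor($this->currentLogin);
        // Fail closed: empty input or a missing hash is rejected, not skipped.
        if ($passwordConfirmation === null || $passwordConfirmation === ''
            || $hash === null || !password_verify($passwordConfirmation, $hash)) {
            throw new RuntimeException('Password confirmation failed');
        }
    }
}

// A critical action from the PR (settings that can cause data loss).
final class PrivacyManagerApi extends ApiBase
{
    public function purgeOldData(?string $passwordConfirmation): string
    {
        $this->confirmCurrentUserPassword($passwordConfirmation);
        return 'purge accepted';
    }
}

// A login plugin for accounts that authenticate externally and hold no local password.
final class SsoLoginPlugin
{
    /** @param list<string> $ssoLogins */
    public function __construct(private array $ssoLogins) {}

    public function register(EventDispatcher $events): void
    {
        $events->on('Login.userRequiresPasswordConfirmation', [$this, 'onUserRequiresPasswordConfirmation']);
    }

    public function onUserRequiresPasswordConfirmation(ConfirmationRequirement $req, string $login): void
    {
        if (in_array($login, $this->ssoLogins, true)) {
            $req->disable();
        }
    }
}

// Demo with constructed accounts: alice has a local password, bob is SSO-only.
$events = new EventDispatcher();
$users = new UserStore([
    'alice' => password_hash('correct-horse-battery', PASSWORD_DEFAULT),
    'bob'   => null,
]);
(new SsoLoginPlugin(['bob']))->register($events);

foreach ([['alice', 'correct-horse-battery'], ['alice', 'wrong'], ['alice', ''], ['bob', '']] as [$login, $pw]) {
    $api = new PrivacyManagerApi($events, $users, $login);
    try {
        echo "$login: " . $api->purgeOldData($pw) . PHP_EOL;
    } catch (RuntimeException $e) {
        echo "$login: rejected (" . $e->getMessage() . ")" . PHP_EOL;
    }
}
```

Run with `php` 8.0 or newer. The point to carry over to a real deployment is that the UI disabling the password field for exempted users is presentation only; the API decides for itself by posting the event, so a request that bypasses the UI is still held to the same rule, and a user that no plugin exempts but that has no usable hash is rejected rather than waved through.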