Our UI and API currently require a password confirmation for certain (critical) actions. Currently that is done in each Vue component and API in a similar way (but with their own implementations).
This PR introduces a new `PasswordConfirmation` Vue component that can be easily reused in other components. This also helps to let them look similar across Matomo. All existing password confirmations were replaced with the new component.
The password confirmation check in the API also was done in each class, but will now be available in each API, as it's part of the abstract class.
As confirming passwords introduced issues with other login plugins (that simply don't use passwords), a new event `Login.userRequiresPasswordConfirmation` was introduced, that allows to disable password confirmation for certain users.
If it's disabled, the API won't perform password checks and in the UI the password confirm will still be displayed, but with password input disabled and an enabled submit button, so it can be submitted without entering a password.
Additionally this PR introduces password confirmations for these critical actions:
On the Privacy > Anonymize data page it is possible to change the settings for purging old log data and reports as well as directly purging such data. As this is a critical action that can cause data loss, we will now require the password to be confirmed.
fixes #19335
fixes #19169
fixes https://github.com/matomo-org/matomo-security/issues/209
Will also implement some changes so we can fix https://github.com/matomo-org/matomo/issues/19169
@tsteur would you mind having a quick look at that one? Just want to make sure the implementation with this new event is a solid solution for other login plugins to circumvent the issue that they don't have a password the user can enter.
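
A stand-alone PHP model of the flow described above, added here as an illustration and not Matomo's own code: a login plugin's handler for `Login.userRequiresPasswordConfirmation` turns the requirement off only for the accounts it authenticates itself, and the API-side check is skipped for exactly those users. The handler signature (flag by reference, then the login), the function names and the sample users are assumptions.

```php
<?php
// Stand-alone model with constructed users and hypothetical function names.
$users = [
    'alice'   => ['auth' => 'local', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    'sso-bob' => ['auth' => 'sso',   'hash' => null], // no password the user could enter
];

// Assumed handler shape for Login.userRequiresPasswordConfirmation:
// the flag is passed by reference, followed by the user's login.
$handlers = [
    function (bool &$required, string $login) use ($users): void {
        // Opt out only the accounts this plugin authenticates; never disable for everyone.
        if (($users[$login]['auth'] ?? null) === 'sso') {
            $required = false;
        }
    },
];

function requiresPasswordConfirmation(string $login, array $handlers): bool
{
    $required = true; // confirmation stays required unless a handler opts the user out
    foreach ($handlers as $handler) {
        $handler($required, $login);
    }
    return $required;
}

function confirmPassword(string $login, ?string $password, array $users, array $handlers): bool
{
    if (!requiresPasswordConfirmation($login, $handlers)) {
        return true; // the API skips the password check for this user
    }
    $hash = $users[$login]['hash'] ?? null;
    return is_string($password) && $password !== '' && is_string($hash)
        && password_verify($password, $hash);
}

// Constructed requests: right password, missing password, wrong password, SSO user.
$cases = [['alice', 'correct horse'], ['alice', null], ['alice', 'wrong'], ['sso-bob', null]];
foreach ($cases as [$login, $pw]) {
    printf("%-8s %-16s => %s\n", $login, var_export($pw, true),
        confirmPassword($login, $pw, $users, $handlers) ? 'action allowed' : 'confirmation failed');
}
```

The `alice` row with no password is the one to watch when reviewing a login plugin: a handler that sets the flag to `false` without checking which account it applies to removes the confirmation for password users as well.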