@squarewolf opened this Pull Request on June 24th 2013

Additional security has been added by removing the private token from the actual request. To use the new authentication scheme, supply the following parameters:


  • [x] make private key private by excluding it from the actual request
  • [ ] add nonce to the database to prevent replay attacks
  • [ ] add timestamp timeout
  • [ ] add two-tiered security scheme (i.e. unique public & private tokens per API client)
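
An added sketch of the kind of scheme this checklist describes; it is not code from this pull request or from Piwik. HMAC-SHA256, the parameter names `token_public`, `timestamp`, `nonce` and `signature`, the 300-second window and the in-memory nonce array (standing in for the database table) are all assumptions made for illustration.

```php
<?php
// Added illustration: parameter names (token_public, timestamp, nonce, signature)
// and HMAC-SHA256 are assumptions, not the scheme from this pull request.
const MAX_SKEW_SECONDS = 300; // assumed timestamp timeout

// Canonical string: parameters sorted by name, the signature itself excluded.
function canonicalize(array $params): string
{
    unset($params['signature']);
    uksort($params, 'strcmp');
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Client side: the private token keys the HMAC and is never sent.
function signRequest(array $params, string $privateToken): array
{
    $params['signature'] = hash_hmac('sha256', canonicalize($params), $privateToken);
    return $params;
}

// Server side: true only for a fresh, unseen, correctly signed request.
function verifyRequest(array $params, string $privateToken, array &$seenNonces, int $now): bool
{
    foreach (['timestamp', 'nonce', 'signature'] as $required) {
        if (!isset($params[$required]) || !is_string($params[$required])) {
            return false; // missing or malformed field
        }
    }
    if (!ctype_digit($params['timestamp']) || abs($now - (int) $params['timestamp']) > MAX_SKEW_SECONDS) {
        return false; // outside the timestamp window
    }
    $expected = hash_hmac('sha256', canonicalize($params), $privateToken);
    if (!hash_equals($expected, $params['signature'])) {
        return false; // tampered parameters or wrong key (constant-time compare)
    }
    if (isset($seenNonces[$params['nonce']])) {
        return false; // replayed request
    }
    $seenNonces[$params['nonce']] = $now; // record only after the signature checks out
    return true;
}

// Constructed sample data.
$secret = 'constructed-private-token';
$now = 1372060800;
$seen = [];
$req = signRequest(['module' => 'API', 'method' => 'VisitsSummary.get', 'token_public' => 'client-1',
    'timestamp' => (string) $now, 'nonce' => bin2hex(random_bytes(16))], $secret);
var_dump(verifyRequest($req, $secret, $seen, $now));      // first delivery
var_dump(verifyRequest($req, $secret, $seen, $now + 10)); // same request replayed
```

Because the timestamp check rejects anything older than the window, stored nonces only need to be kept for that long and can be purged afterwards.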

@mattab commented on July 16th 2013 Member

Thanks for the proposal! Sorry about no feedback earlier.

  • In the function you can use uksort() instead of sorting then array manip.
  • put the other code in a new private method
  • See also coding standard guide: http://piwik.org/participate/coding-standards/
  • Maybe post a working example of code that uses this auth method instead of token_auth, and that shows the user (and us) how this feature solves a very nice problem (i.e. token_auth kept secret)

It would be great to support OAuth-like security, so I look forward to the next update.

@mattab commented on September 6th 2013 Member

Ping us to reopen PR, or we will reopen if you commit again, cheers!

This Pull Request was closed on September 6th 2013