logme login token_auth authentication broken #9080

Closed
TheLastProject opened this issue Oct 22, 2015 · 3 comments
Labels
worksforme The issue cannot be reproduced and things work as intended.

Comments

@TheLastProject

I just updated Piwik to 2.15.0. Unfortunately, logme has been broken.

Say we have user testuser with token_auth abcdefghijklmnopqrstuvwxyz who wants to look at idSite 8.

Normally, I log them in with the following URL:
https://example.com/piwik/index.php?module=Login&action=logme&login=testuser&password=abcdefghijklmnopqrstuvwxyz&idSite=8

However, this no longer works and Piwik returns an "invalid username and password" error.

This was working fine before 2.15.0 and is clearly a regression, as I have checked the correctness of the username and token_auth for every single user and they match exactly what the Piwik admin UI shows (logically, because they were never changed).

Any chance we could get a hotfix for this?

EDIT: Well, this is strange, I see no changes to logme in Piwik between the last stable and 2.15.0. Still, I am absolutely sure this used to work before. I'm going to do more research, see if I can find anything out at all.

@TheLastProject changed the title from "Logme token_auth broken" to "logme login token_auth authentication broken" on Oct 22, 2015
@TheLastProject
Author

With some weird reverting messing around, I can confirm that Piwik 2.14.3 can log in with this method just fine.

@TheLastProject
Author

I can work around this by editing the authenticateAndRedirect function in plugins/Login/Controller.php.

I changed the code to not do $this->auth->setPassword($password) or $this->auth->setPasswordHash($password), but instead do $this->auth->setTokenAuth($password).

Obviously, this is not the correct way to do these things. The FAQ entry states using an md5 of the pass. However, token_auth has always worked and the changelog says nothing about changes here. Therefore, I still believe this is a regression. Are we really supposed to use an md5 of the password these days, or is there another way to use token_auth instead?

@TheLastProject
Author

Well, I decided to bite the bullet and generate a new password for every user (still doable) and save the md5sum of that in my CMS. The documentation does talk about the md5 of the pass, so I suppose my earlier wrong implementation worked out of pure luck.

I will close this ticket now, as I have managed to fix it and I believe the issue lay fully on my side and I just managed to make myself believe token_auth was the correct way to do this. Because an incorrect way worked earlier doesn't mean Piwik should ensure that way keeps working.

Sorry for the ticket, and thanks a million for Piwik, the new design looks great!

@mattab added the worksforme label (The issue cannot be reproduced and things work as intended.) on Oct 27, 2015