According to #2701 all export links should be stripped out of auth_token. This isn't a case for link allowing to download file with email report content:
Users concern is that end-user may copy that link and send to someone. Then the token will be exposed.
Iframe buster related bug: https://github.com/piwik/piwik/issues/10147
I will mark it as a bug similar to #10147 . First I checked all the emails but then I got that it's actually in the UI.
While the token auth will be hidden when right click and copying it, the token auth will be still in the URL when actually clicking on it and there will be a risk for sending the link with token again. At some point we could actually build an export feature for links within the UI that never shows the token auth.
Opening such reports without token_auth does not work atm, because it is an API request. API requests can currently only be authenticated using the token_auth.
Can somebody see any possible security breach in activating cookie auth for API requests? That would solve the problem for the UI, as there wouldn't be a reason to have the token_auth in URL.
We could already log in a user by using session in the API but sessions and API are rather a no no. We could store the token auth in the cookie but this would bring some more attack vectors like XSS get more relevant etc if we stored the token auth in plain text in a cookie. What I was thinking would have been simply a controller/action that basically calls the API with all the given parameters. We would only need to adjust the export logic in
dataTable to call the controller/action and not the actual API method
Can somebody see any possible security breach in activating cookie auth for API requests?
fyi Our API used to work in this way (cookie auth fallback to token_auth auth) but it was actually confusing and was changed to pure token auth.
What I was thinking would have been simply a controller/action that basically calls the API with all the given parameters.
This could work. Also alternatively maybe we could
POST the token_auth in the request as we do for Export download links?
That doesn't work with right click etc
Ok then +1 to proxy such requests through a controller while the user is logged in the UI. this should work well :+1:
I guess adding a api proxy method, as @tsteur mentioned, would be the
May have closed this mistake