@mgonera opened this Issue on May 25th 2016

According to #2701 all export links should be stripped of auth_token. This isn't the case for the link allowing one to download the file with the email report content:

[screenshot: screen shot 2016-05-25 at 17 44 05]

The user's concern is that an end-user may copy that link and send it to someone. Then the token will be exposed.

@mgonera commented on May 25th 2016

Iframe buster related bug: https://github.com/piwik/piwik/issues/10147

@tsteur commented on May 25th 2016 Owner

I will mark it as a bug similar to #10147. First I checked all the emails, but then I got that it's actually in the UI.

While the token auth will be hidden when right-clicking and copying it, the token auth will still be in the URL when actually clicking on it, and there will be a risk of sending the link with the token again. At some point we could actually build an export feature for links within the UI that never shows the token auth.

@sgiehl commented on May 26th 2016 Member

Opening such reports without token_auth does not work atm, because it is an API request. API requests can currently only be authenticated using the token_auth.
Can somebody see any possible security breach in activating cookie auth for API requests? That would solve the problem for the UI, as there wouldn't be a reason to have the token_auth in URL.

@tsteur commented on May 26th 2016 Owner

We could already log in a user by using the session in the API, but sessions and API are rather a no-no. We could store the token auth in the cookie, but this would bring some more attack vectors, like XSS getting more relevant, if we stored the token auth in plain text in a cookie. What I was thinking would have been simply a controller/action that basically calls the API with all the given parameters. We would only need to adjust the export logic in dataTable to call the controller/action and not the actual API method.

@mattab commented on May 27th 2016 Owner

> Can somebody see any possible security breach in activating cookie auth for API requests?

FYI, our API used to work in this way (cookie auth with fallback to token_auth) but it was actually confusing and was changed to pure token auth.

> What I was thinking would have been simply a controller/action that basically calls the API with all the given parameters.

This could work. Also alternatively maybe we could POST the token_auth in the request as we do for Export download links?

@tsteur commented on May 27th 2016 Owner

That doesn't work with right click etc.

@mattab commented on May 27th 2016 Owner

Ok, then +1 to proxying such requests through a controller while the user is logged in to the UI. This should work well :+1:
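The design agreed above (tsteur's controller/action that calls the API on the user's behalf, and mattab's "+1 to proxy such requests through a controller while the user is logged in") modelled in a small, self-contained Python script. This is an added example, not Piwik's PHP code: the session store, token store, `api_call` stand-in, and the URL helpers are all assumptions used only to illustrate the pattern. It shows the two halves of the fix: export links handed to the browser carry report parameters but never `token_auth`, and a session-authenticated controller looks the token up server-side before forwarding to the token-only API.

```python
"""Proxying report exports through a session-authenticated controller.

Added example (not Piwik code). Models the design from the thread: the UI
emits export links without token_auth; a controller validates the browser
session, fetches the user's token_auth server-side and calls the API on
the user's behalf. All names below are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data: server-side session store and per-user API tokens.
SESSIONS = {"sess-abc": "alice"}
TOKENS = {"alice": "tok-alice-secret", "bob": "tok-bob-secret"}


def api_call(method, token_auth, params):
    """Stand-in for the token-only API: it accepts nothing but a valid token."""
    user = next((u for u, t in TOKENS.items() if t == token_auth), None)
    if user is None:
        return 401, "Unauthorized"
    return 200, f"{method} for {user}: {dict(sorted(params.items()))}"


def url_exposes_token(url):
    """Detection helper: does a link carry token_auth in its query string?"""
    return "token_auth" in dict(parse_qsl(urlsplit(url).query))


def strip_token_auth(url):
    """Rewrite an export link so that token_auth no longer appears in it."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "token_auth"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def export_controller(session_cookie, params):
    """Controller action: authenticate by session, then proxy to the API.

    The token is taken from the server-side store, never from the request,
    so a caller cannot smuggle in (or leak) a token through the URL.
    """
    user = SESSIONS.get(session_cookie)
    if user is None:
        return 401, "Unauthorized"
    forwarded = {k: v for k, v in params.items() if k != "token_auth"}
    method = forwarded.pop("method", "API.get")
    return api_call(method, TOKENS[user], forwarded)


if __name__ == "__main__":
    # Constructed example of the problematic link from the issue.
    leaky = ("https://piwik.example/index.php?module=API&method=Actions.getPageUrls"
             "&idSite=1&period=day&date=yesterday&format=CSV&token_auth=tok-alice-secret")
    print("exposes token:", url_exposes_token(leaky))
    clean = strip_token_auth(leaky)
    print("clean link   :", clean, "| exposes token:", url_exposes_token(clean))
    report_params = dict(parse_qsl(urlsplit(clean).query))
    print("logged-in    :", export_controller("sess-abc", report_params))
    print("no session   :", export_controller("sess-missing", report_params))
```

Running the script prints the leaky link flagged as exposing the token, the rewritten link without it, a 200 response for the session-authenticated proxy call and a 401 when no valid session cookie is presented. The `url_exposes_token` check is the kind of assertion a regression test for #2701 could apply to every export link the UI renders.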

@sgiehl commented on May 27th 2016 Member

I guess adding an API proxy method, as @tsteur mentioned, would be the simplest solution.

@mattab commented on June 19th 2017 Owner

This was fixed a long time ago in https://github.com/piwik/piwik/pull/10201 cc @sgiehl

@lindsaymacvean commented on July 24th 2017

@mattab but you closed #10201 ??

@mattab commented on July 24th 2017 Owner

May have closed this by mistake.
