@mattab opened this Issue on May 29th 2008 Owner

Currently authenticating with token_auth works in all modules. We would want to restrict to API module, because there is no need for users to use this mechanism to login.

@anonymous-piwik-user commented on May 29th 2008

I do not think so - I think that would be a nice feature.

For example:
Company who rents webspace and wants to track the user date for the customer. In the admin interface is an link to login direct to piwik with the right permissions.
So it would not be necessary to build an own UI and connect to the api.

Also this is advertising for the open source software.

I would propose following:
In the default settings token_auth is disabled and admin could activate in UI (or in the config file).

@mattab commented on July 27th 2008 Owner

in [576]

@anonymous-piwik-user commented on March 3rd 2009

What about Widgetize? That process calls the API indirectly. We are experiencing problems because we are unable to use the Widgets in our drupal app because of this problem. We have to log in and the cookie allows the charts to work. It would be better if we could use the token_auth feature with Widgetize too.

@mattab commented on March 11th 2009 Owner

chuckdeal97 please see your feature request in #283 ; feel free to submit any ideas or patches

@mattab commented on March 4th 2010 Owner

reopening as I am now convinced that Widgetize is another special case where token_auth should work, at least until #283 is implemented.

@anonymous-piwik-user commented on March 4th 2010

I dont know how to submit a patch but this is what I added in plugins/Login/Login.php
on line 68 to make it work with token_auth

        if(Piwik::getModule() === 'Widgetize')
        {
            $tokenAuthAPIInUrl = Piwik_Common::getRequestVar('token_auth', '', 'string');
            if( !empty($tokenAuthAPIInUrl))
            {
                $auth->setLogin($login = null);
                $auth->setTokenAuth($tokenAuthAPIInUrl);
                return;
            }
        }
@mattab commented on March 18th 2010 Owner

I am a bit confused; I generated the widget and manually added the token_auth in the widget URL, eg.```
module=Widgetize&action=iframe&.......&token_auth=$TOKEN_AUTH


And the widgets loaded fine. I thought this wasn't working. This means this bug is invalid; the downside is that you have to manually add the token_auth in the widget URLs but this is expected, as we do not want users to expose by mistake their token_auth, hence why we removed it from the URL.
@mattab commented on March 18th 2010 Owner

(In [1935]) Fixes #5655 clarifying documentation regarding widget authentication

This Issue was closed on March 18th 2010
Powered by GitHub Issue Mirror