Admin for Matomo still says token_auth allowed for widgets but stopped working for me #22572

Open
ReessKennedy opened this issue Sep 10, 2024 · 0 comments
Labels
To Triage An issue awaiting triage by a Matomo core team member

ReessKennedy commented Sep 10, 2024

Issue

Trying to load widgets using 'token_auth' in the URL but keep getting:
"Error: You must be logged in to access this functionality."

When I use the same token with a JSON request I also get:

{"result":"error","message":"Unable to authenticate with the provided token. It is either invalid, expired or is required to be sent as a POST parameter."}

But when I use a curl request with the same token it seems to work, so the token seems valid.

Has Matomo blocked the ability to pass token_auth in the URL now, and is there a setting that will bypass any such blockage to re-enable it if we're aware of the risks? Matomo's backend still seems to be advertising the use of tokens in the URL for widgets, so it's very confusing.

I have done lots of troubleshooting.

How I set it up

  1. Logged in as a super admin and created a new user called "mysiteviewer" and gave this user access to site 3 "mysite.com"
  2. Logged OUT as super admin and logged IN as the newly created "mysiteviewer", went to the settings page and then the widgets page, and grabbed the link to the widget I want to be able to embed for site 3, making sure that siteID is in the link ....
  3. While logged in as "mysiteviewer", clicked on settings and generated a new API token and copied it/saved it
  4. Pasted this newly generated code at the end of the widget link after "token_auth" and visited the link in incognito while being logged out

Result: You need access/don't have access.

Things tried

config.ini

Spent time removing various things from config.ini and adding them back in.

Servers

Tried setting up demo servers with just the latest Matomo version on different servers and hosts; the same thing happened.
Tried:

  • Just an Apache server
  • Just an NGINX server
  • Tried an Apache and NGINX config

Also tried on a Runcloud install on DigitalOcean and a Cloudron-based Docker install of Matomo to see if this happens on each fresh install, and each time it did seem to happen in the same way.

PHP and NGINX settings

  • Tried removing all default blocked PHP functions just as a test, but same thing
  • Tried removing all restricting safety measures for NGINX like cross-origin and clickjacking
  • Tried rolling back to PHP version 7.4

Cloudflare

  • Turned off the proxy so it's just using bypass to simplify

Ideas not tried

  • POST METHOD NOW: Is the URL token banned now? ... it's advertised in the actual Matomo widgets screen so assuming it must still be supported ... if you have to POST, can I use this with an IFRAME, and does anyone have example code?
@ReessKennedy ReessKennedy added the To Triage An issue awaiting triage by a Matomo core team member label Sep 10, 2024
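
On the POST question that closes the post: one way to keep token_auth out of the iframe URL (and so out of access logs, browser history and Referer headers) is to submit it from a form that targets the iframe. This is an added example, not code from the issue or from Matomo; the host matomo.example, the token value and the helper names are constructed, and whether the Widgetize iframe accepts token_auth in a POST body is an assumption taken from the error message quoted above.

```javascript
// Added example: hypothetical helpers, not part of Matomo.
// Constructed sample widget link with a placeholder token.
const SAMPLE_LINK =
  "https://matomo.example/index.php?module=Widgetize&action=iframe" +
  "&moduleToWidgetize=VisitsSummary&actionToWidgetize=get" +
  "&idSite=3&period=day&date=today&token_auth=CONSTRUCTED_TOKEN_0123";

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Split a widget link into a token-free action URL and the token itself.
function splitWidgetUrl(widgetUrl) {
  const url = new URL(widgetUrl);
  const token = url.searchParams.get("token_auth");
  if (!token) throw new Error("widget link has no token_auth parameter");
  url.searchParams.delete("token_auth"); // never leave the token in the URL
  return { action: url.toString(), token };
}

// Build markup that POSTs token_auth into a named iframe.
// The inline script submits the form that was parsed just before it.
function buildPostEmbed(widgetUrl, frameName = "matomo-widget") {
  const { action, token } = splitWidgetUrl(widgetUrl);
  const frame = escapeAttr(frameName);
  return [
    `<iframe name="${frame}" width="100%" height="350"></iframe>`,
    `<form method="post" action="${escapeAttr(action)}" target="${frame}">`,
    `  <input type="hidden" name="token_auth" value="${escapeAttr(token)}">`,
    `</form>`,
    `<script>document.forms[document.forms.length - 1].submit();</script>`,
  ].join("\n");
}

console.log(buildPostEmbed(SAMPLE_LINK));
```

The token is still present in the embedding page's source, so it is readable by anyone who can view that page; the view-only "mysiteviewer" account from the steps above limits what it grants.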