Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detect if tracking request needs authentication but is not authenticated as early as possible before doing any DB connection ideally #14801

Closed
tsteur opened this issue Aug 22, 2019 · 0 comments · Fixed by #14830

Comments

@tsteur
Copy link
Member

commented Aug 22, 2019

In https://github.com/matomo-org/matomo/blob/3.12.0-b1/core/Tracker/Visit.php#L123 we already check early whether the site exists before doing any "work".

The same way we should check if a tracking API parameter is used that requires authentication very early in the request (after the site request). We're wanting to this for tracking API request parameters where we know the request would fail otherwise.

We're wanting to do this after manipulateRequest() was called. So basically here: https://github.com/matomo-org/matomo/blob/3.12.0-b1/core/Tracker/Visit.php#L131

Like cdt, region, city, country, long, lat (and other tracking parameters that fail in Piwik\Plugins\UserCountry\Columns\Base).

If any of them are set, and request is not authenticated, we fail right away. The tracking failure should be still logged which is done in Request::authenticateTrackingApi() and should just work automatically.

To validate cdt it may be enough to call $trackerRequest->getCurrentTimestamp() which will then trigger the exception.

For the location tracking parameters we would throw an exception like in Piwik\Plugins\UserCountry\Columns\Base::getUrlOverrideValueIfAllowed().

We probably don't need any tests for this as behaviour should just stay the same. need to make sure though (eg manually) that when using one of those parameters, and we are not authenticated with token_auth that a tracking failure is triggered

@tsteur tsteur added this to the 3.12.0 milestone Aug 22, 2019

@tsteur tsteur changed the title Detect if request is authenticated early before doing any DB connection ideally Detect if tracking request is authenticated early before doing any DB connection ideally Aug 22, 2019

@tsteur tsteur changed the title Detect if tracking request is authenticated early before doing any DB connection ideally Detect if tracking request needs authentication but is not authenticated as early as possible before doing any DB connection ideally Aug 22, 2019

@katebutler katebutler self-assigned this Aug 26, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.