matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

tracking_requests_require_authentication doesn't require authentication for all http APIs #20801

Open h-fazai opened 1 year ago

h-fazai commented 1 year ago

For a publicly available Matomo server, where only application users should be able to push events to Matomo, there should be some auth mechanism.

So we expect to be able to secure Matomo HTTP APIs by requiring an auth token, but actually the setting tracking_requests_require_authentication doesn't make the token mandatory for all tracking APIs, such as the API that sends tracking events (/matomo.php).

Why is this use case not considered by Matomo? Otherwise, is there any other config to do?

sgiehl commented 1 year ago

Hi @h-fazai,

Thanks for creating this issue. The tracker is currently always kind of public. Auth tokens are actually not meant to be used that way, as an auth token would also always give at least view access to all reports. They are needed for the tracking API only in case you want to e.g. track visits in the past.

To really have a secure way to only allow certain users to track something, I guess a more complex mechanism would need to be implemented, as using the token for all users would still allow anyone knowing that token to track anything.

I doubt this is a use case we will be working on soon, but it might be possible to implement that in a custom plugin.

Alternatively you could maybe append a custom tracking parameter to the tracking requests and let the webserver deny all requests that don't contain the parameter or similar.
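
One way to make the custom-parameter idea from the last comment resistant to simple copying, as an added example that is not Matomo code and not from either commenter: the application backend mints a short-lived HMAC value bound to `idsite`, and a gate in front of `/matomo.php` (for example an auth subrequest handler) checks it. The parameter name `app_sig`, the secret, and the gate itself are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

# Assumptions: SECRET is shared only by the application backend and the gate;
# "app_sig" is a hypothetical custom parameter, not a Matomo tracking parameter.
SECRET = b"constructed-demo-secret"
PARAM = "app_sig"


def _mac(idsite: str, expires: int) -> str:
    msg = f"{idsite}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mint(idsite: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Backend side: issue 'expires.mac' to an authenticated application user."""
    expires = int((time.time() if now is None else now) + ttl)
    return f"{expires}.{_mac(idsite, expires)}"


def allow(query: str, now: Optional[float] = None) -> bool:
    """Gate side: True only for a tracking request with a valid, unexpired value."""
    now = time.time() if now is None else now
    params = parse_qs(query, keep_blank_values=True)
    sig, idsite = params.get(PARAM), params.get("idsite")
    # Reject missing or repeated parameters so gate and tracker cannot disagree.
    if not sig or not idsite or len(sig) != 1 or len(idsite) != 1:
        return False
    expires_s, sep, mac = sig[0].partition(".")
    if not sep or not (expires_s.isascii() and expires_s.isdigit()):
        return False
    if int(expires_s) < now:
        return False
    return hmac.compare_digest(mac.encode(), _mac(idsite[0], int(expires_s)).encode())


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp for a repeatable demo
    q = f"idsite=1&rec=1&{PARAM}={mint('1', now=t0)}"
    print(allow(q, now=t0 + 10))               # signed and fresh
    print(allow("idsite=1&rec=1", now=t0))     # parameter missing
```

The value is still visible to the client that sends it, so this limits who can obtain one and for how long; within the validity window its holder can still send any event for that site.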