When exporting data and "Show export URL" is clicked, don't reveal the full token_auth  #13413

@mattab

The new feature "Show export URL" is very valuable in giving everyone quick access to the API and seeing how the URL is constructed, making it easy to share, etc.

However for security reasons we would not want to reveal the full token_auth on screen.
Similarly in the Personal settings page where the token_auth is displayed to the user, it requires an extra click to reveal the full token.

So the goal of this issue is to slightly change the behavior, proposal:

  • When "Show export URL" is clicked, show the textarea but in the string, only show the first few characters and write ....
  • When user clicks the field to copy/paste it, then reveal the full token_auth and full URL

follows up #11958 #12987
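
The proposed behavior as an added example (not Matomo code and not part of the original issue): every `token_auth` value in the export URL is masked to a short prefix followed by `....`, and the full URL is placed in the field only once the user focuses it. The function names, the 4-character prefix, and the sample URL and token are assumptions.

```javascript
// Added illustration; names and the prefix length are assumptions, not Matomo's API.
const VISIBLE_PREFIX = 4; // assumed meaning of "the first few characters"

// Constructed sample export URL with a made-up 32-character token.
const SAMPLE_URL =
  'https://matomo.example/index.php?module=API&method=VisitsSummary.get' +
  '&idSite=1&period=day&date=today&format=JSON' +
  '&token_auth=0123456789abcdef0123456789abcdef';

// Mask every token_auth value in a URL string (query or fragment).
// Only an exact parameter name is matched, so "my_token_auth" is left alone.
function maskTokenAuth(url, visible = VISIBLE_PREFIX) {
  return url.replace(/(^|[?&#])(token_auth=)([^&#]*)/g, (match, sep, key, value) => {
    if (value === '') return match; // nothing to hide
    // A token no longer than the prefix would be shown whole, so show none of it.
    const shown = value.length > visible ? value.slice(0, visible) : '';
    return sep + key + shown + '....';
  });
}

// Wire a textarea (or any object with value/addEventListener) to the proposal:
// masked when shown, full URL once the user focuses the field to copy it.
function bindExportUrlField(textarea, fullUrl) {
  textarea.value = maskTokenAuth(fullUrl);
  textarea.addEventListener('focus', () => {
    textarea.value = fullUrl; // focus fires for both mouse clicks and keyboard
    if (typeof textarea.select === 'function') textarea.select();
  });
}
```

Masking only changes what is rendered; the full token is still present in page memory, so this reduces shoulder-surfing and screenshot exposure rather than protecting the token from scripts running in the page.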

Labels: c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.)
