Skip to content

Allow switching between request methods and post token by default #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Jul 27, 2020
Merged

Allow switching between request methods and post token by default #72

merged 19 commits into from
Jul 27, 2020

Conversation

tsteur
Copy link
Member

@tsteur tsteur commented Jul 15, 2020

follow up from https://github.com/matomo-org/matomo-php-tracker/pull/71/files
to fix #43

I haven't fully tested it. If someone could continue and test it this would be great.

Bulk requests would keep behaving the same. All other requests should behave like this:

  • You can now force POST of all requests. When set, all parameters will be posted. This can be useful if there's a problem on the webserver re URL length or the requests are very long.
  • By default we still use GET
    • Unless a token auth is specified. In this case we use POST but we only POST the token, nothing else. This way log replay will still be possible.
      • Unless you force GET request method. Then token_auth will still be sent using GET which can be useful if you are having redirect issues for example.

tsteur and others added 11 commits June 16, 2020 14:30
@tsteur
Fix include_once warning Failed opening './PiwikTracker.php' for incl…
d842235 
…usion

Have been getting these warnings quite often and a user mentioned it recently as well. I reckon this should fix it

> Warning: include_once(): Failed opening './PiwikTracker.php' for inclusion (include_path='/vendor/pear/pear_exception:/vendor/pear/console_getopt:/vendor/pear/pear-core-minimal/src:/vendor/pear/archive_tar:.:/usr/local/Cellar/php/7.4.6_1/share/php/pear') in /vendor/matomo/matomo-php-tracker/MatomoTracker.php on line 2110
@tsteur
Update PiwikTracker.php
68a2178
@tsteur
Merge pull request #69 from matomo-org/inclusionwarning
96cfab7 
Fix include_once warning Failed opening './PiwikTracker.php' for inclusion
@silvershadowcc
function setRequestMethod added for POST
3ee2532
@silvershadowcc
Update MatomoTracker.php
b76389f 
added warning about redirects for setRequestMethod()
@silvershadowcc
indentation
5891331
@silvershadowcc
prevent method change for bulk requests
81d6605 
prevent method from being set to GET while doing Bulk Requests
@silvershadowcc
reworked
4eac561 
Method is now set to POST as bool, instead of a string, since it should remain defaulted to GET and there is no need to have the option to set it to GET.

URL is spliced in URL and parameters which are now fed to the POST payload for both cURL and stream.
@silvershadowcc
Casing, non-boolean method selection
597712c 
Snake case converted to camel case. Reverted back to the method selection of 'POST' (intended). Added a warning about Log Analytics.
@tsteur
Allow switching between request methods and post token by default
b7ad0c9
@tsteur
add docs
d525d37
@silvershadowcc silvershadowcc mentioned this pull request Jul 16, 2020
Merged
tsteur added 3 commits July 16, 2020 12:57
@tsteur
Merge pull request #71 from silvershadowcc/patch-1
effc715 
Method setRequestMethodNonBulk() added to allow (non bulk) POST requests
@tsteur
Merge branch 'master' into m43
098f3d0
@tsteur
merge master
f0973fb
@silvershadowcc
Copy link
Contributor

I used the following script.

<?php
$path = __DIR__ . '/data.txt';

file_put_contents($path, json_encode(array('get' => $_GET, 'post' => $_POST), JSON_PRETTY_PRINT), FILE_APPEND);

The token was set for every request.

I got as output:
setRequestMethodNonBulk('POST') -> Only POST, but token is missing
setRequestMethodNonBulk('GET') -> Only GET, token included
setRequestMethodNonBulk() not used -> Only GET, but token is missing (in both GET and POST)

Expected behaviour:
setRequestMethodNonBulk('POST') -> Only POST, token included
setRequestMethodNonBulk('GET') -> Only GET. token included
setRequestMethodNonBulk() not used -> GET, but token through POST

@tsteur
Copy link
Member Author

tsteur commented Jul 20, 2020

Thanks @silvershadowcc I've tested it now as well and fixed it. In my case it worked nicely.

@silvershadowcc
Copy link
Contributor

I will test it again this weekend. Also with redirects.

@silvershadowcc
fixed typo
54268f1 
fixed typo and passed test as such
@silvershadowcc
Copy link
Contributor

silvershadowcc commented Jul 26, 2020
edited
Loading

In my case it works nicely as well. Got the results as stated in the expected behaviour above. Redirecting also works fine (using cURL).

I did find a typo for which I have made PR #74 in this branch. This needs to be fixed in order for redirects to work.

@tsteur
Copy link
Member Author

tsteur commented Jul 27, 2020

@sgiehl technically, this one could break something so would need to release ideally a 3.0.0 but considering Matomo 1 is still including 1.X in https://github.com/matomo-org/matomo/blob/3.14.1-b1/composer.json#L47 maybe it be fine to release a 2.1 version afterwards? Can also make it 3.0 I'm not quite sure what the policy is so far.

Technically, something could break because if a token_auth is used, and the user is using eg http://example.com/matomo.php as tracking API, and this URL redirects to https://example.com/matomo.php and not curl is used (or an old PHP version is used), then it might execute the tracking request without the posted tracking parameter. So it's quite an edge case but problems could still happen. Wonder if we would simply release a 3.0 afterwards?

We POST tokens by default to have it secure by default.

@tsteur tsteur added this to the Current sprint milestone Jul 27, 2020
@sgiehl
Copy link
Member

sgiehl commented Jul 27, 2020

@tsteur version 2.0 was only released for the new package name. Even though all versions are now available on both names, as we are using the same repo 🤷
Should those changes be included for Matomo 3.x? If not we could move it to 4.x-dev branch and release a new major version once Matomo 4 beta will be finished...

@tsteur
Copy link
Member Author

tsteur commented Jul 27, 2020

They shouldn't be included in 3.x.
Could release a new major version before the beta? or some beta version like 3.0-be1? Then we could already include it in first Matomo 4 beta?

@sgiehl
Copy link
Member

sgiehl commented Jul 27, 2020

Matomo 4 currently uses the 4.x-dev branch of this repo: https://github.com/matomo-org/matomo/blob/4.x-dev/composer.json#L38

@tsteur tsteur changed the base branch from master to 4.x-dev July 27, 2020 20:23
@tsteur tsteur merged commit e4c6829 into 4.x-dev Jul 27, 2020
@tsteur tsteur deleted the m43 branch July 27, 2020 20:23
@tsteur
Copy link
Member Author

tsteur commented Jul 27, 2020

Thanks for your help @silvershadowcc very appreciated

@sgiehl sgiehl mentioned this pull request Jul 28, 2020
Merged
@tsteur tsteur mentioned this pull request Sep 7, 2020
Closed
@innocraft-automation innocraft-automation removed this from the Current sprint milestone Jan 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Needs Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

POST when using PiwikTracker instead of GET to prevent token_auth showing in access_log
4 participants
@tsteur @silvershadowcc @sgiehl @innocraft-automation