Logme fails after update


(Kuf04) #1

Hi, I'm using 2.15.1 for a couple of small sites, and as I am not the admin from a content perspective on these sites I've used the logme functionality from the admin panels of these sites. After update to 2.15 (and going forward) this has failed for me. I.e. there is just a link like this:

http://piwikurl/index.php?module=Login&action=logme&login=sitename&password=MD5 from piwik admin.

This has worked like a charm for the last 7 or 8 months through upgrades, etc. But now it fails with a “Wrong Username and password combination.” error on piwik. I've tried recreating the users and even tried with a new user, but I always get the same error. Anyone else seen this? And perhaps figured out what is wrong? I've also tried cleaning the temp files and redeploying the piwik files, but to no avail :frowning:

AB,Carsten


(Kuf04) #2

I actually found the answer myself… In the previous versions auth token also worked for logme, which was what I used, but the latest build requires the MD5 hash instead. Just if someone else stumbles into the same error :slight_smile:


(Martin Francis) #3

Thanks so much @Kuf04 for checking back with the answer.

The authenticate() method in plugins/Login/Auth.php changed a lot between version 2.14.3 and 2.15.0:

2.14.3:

public function authenticate()
{
    if (!empty($this->md5Password)) { // favor authenticating by password
        $this->token_auth = UsersManagerAPI::getInstance()->getTokenAuth($this->login, $this->getTokenAuthSecret());
    }

    if (is_null($this->login)) {
        $model = new Model();
        $user  = $model->getUserByTokenAuth($this->token_auth);

        if (!empty($user['login'])) {
            $code = $user['superuser_access'] ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;

            return new AuthResult($code, $user['login'], $this->token_auth);
        }
    } else if (!empty($this->login)) {
        $model = new Model();
        $user  = $model->getUser($this->login);

        if (!empty($user['token_auth'])
            && ((SessionInitializer::getHashTokenAuth($this->login, $user['token_auth']) === $this->token_auth)
                || $user['token_auth'] === $this->token_auth)
        ) {
            $this->setTokenAuth($user['token_auth']);
            $code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;

            return new AuthResult($code, $this->login, $user['token_auth']);
        }
    }

    return new AuthResult(AuthResult::FAILURE, $this->login, $this->token_auth);
}

2.15.0:

public function authenticate()
{
    if (!empty($this->md5Password)) { // favor authenticating by password
        return $this->authenticateWithPassword($this->login, $this->getTokenAuthSecret());
    } elseif (is_null($this->login)) {
        return $this->authenticateWithToken($this->token_auth);
    } elseif (!empty($this->login)) {
        return $this->authenticateWithTokenOrHashToken($this->token_auth, $this->login);
    }

    return new AuthResult(AuthResult::FAILURE, $this->login, $this->token_auth);
}

As a result, where previously you could provide an auth_token value for the password parameter in your call, you now need to send the value saved in the password field of the user table instead.

My application needed to be modified to allow me to have separate entries for API token and password.
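The change discussed in this thread, as an added example that is not from any of the posts or from Piwik's code: a small audit helper that takes stored logme links and reports whether the `password` parameter carries the user's `password` column value (what 2.15.0 requires, per the thread) or the `token_auth` (what worked before), and rewrites the latter. The `USERS` rows, their values and the function names are constructed for illustration; only the column names and URL parameters come from the thread.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed rows with the user-table columns named in the thread.
USERS = {
    "sitename": {"login": "sitename",
                 "password": "a" * 32,     # constructed stand-in for the stored hash
                 "token_auth": "b" * 32},  # constructed stand-in for the API token
}

def _same(a, b):
    # Constant-time comparison of two credential strings.
    return hmac.compare_digest(a.encode(), b.encode())

def classify_logme_url(url, users=USERS):
    """Return (login, kind) for a logme link; kind says what 'password' carries."""
    query = parse_qs(urlsplit(url).query)
    if query.get("module") != ["Login"] or query.get("action") != ["logme"]:
        return None, "not_logme"
    login = query.get("login", [""])[0]
    supplied = query.get("password", [""])[0]
    user = users.get(login)
    if user is None:
        return login, "unknown_user"
    if _same(supplied, user["password"]):
        return login, "password_hash"   # what 2.15.0 requires, per the thread
    if _same(supplied, user["token_auth"]):
        return login, "token_auth"      # worked before 2.15.0, now rejected
    return login, "no_match"

def migrate_logme_url(url, users=USERS):
    """Swap a token_auth in the 'password' parameter for the stored hash."""
    login, kind = classify_logme_url(url, users)
    if kind != "token_auth":
        return url                      # already correct, or not ours to fix
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query["password"] = [users[login]["password"]]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
```
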