Disable login for non-whitelisted IPs #22357

FrancoisChaumont

Description:

This allows disabling login for non-whitelisted IPs and adds some flexibility to the whitelist scope (i.e. for authentication & login).
A customized error message can be set to be displayed on the login page in order to inform about the reason for disabling login.

There are 3 new settings to play with:

  • login_allowlist_apply_to_authentication
  • login_allowlist_apply_to_login
  • login_disabled_message

@MatomoForumNotifications

This pull request has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/disable-login-and-all-emailing-for-non-superusers-admins/58013/3

@michalkleiner
Contributor

Hi @FrancoisChaumont, thank you for taking the time and submitting the PR.
Can you please explain a bit more what you see as the difference between authenticating and logging in? Do you mean access in general (e.g. also as an anonymous user) vs logging in as a known user?

@FrancoisChaumont
Author

FrancoisChaumont commented Jul 2, 2024

> Hi @FrancoisChaumont, thank you for taking the time and submitting the PR. Can you please explain a bit more what you see as the difference between authenticating and logging in? Do you mean access in general (e.g. also as an anonymous user) vs logging in as a known user?

Hi @michalkleiner, thanks for taking the time to look into this.
I see logging in as strictly through the login (aka sign-in) page using user's credentials (email/username & password), and authenticating as through requests that either use token or credentials provided in the URL.

Here's the use-case that led to the PR:

  • only the superuser should be allowed to log in (using the sign-in page) from a specific IP address and access Matomo's interface
  • other users should still have access to their widgetized dashboards
  • API & tracking requests should be able to be received from any IP

@sgiehl
Member

sgiehl commented Jul 3, 2024

@FrancoisChaumont Am I right that you are actually looking for a way to restrict access for certain users to specific reports? So more something related to #1568

Restricting the login in the way you are trying to do it might not work as expected. The token_auth you would provide for loading a widgetized dashboard can always be used to request/load any other widget and even the whole Matomo interface without the need to log in.

@FrancoisChaumont
Author

FrancoisChaumont commented Jul 3, 2024

> @FrancoisChaumont Am I right that you are actually looking for a way to restrict access for certain users to specific reports? So more something related to #1568
>
> Restricting the login in the way you are trying to do it might not work as expected. The token_auth you would provide for loading a widgetized dashboard can always be used to request/load any other widget and even the whole Matomo interface without the need to log in.

Hi @sgiehl, not exactly.
All reports should remain accessible to all users.
No user should have access to Matomo interface unless accessing from specific IPs.

Just to confirm my understanding of accessing the "whole Matomo interface without the need to log in", is this only available when logme feature is active (config: login_allow_logme = 1)?

@FrancoisChaumont
Author

> > @FrancoisChaumont Am I right that you are actually looking for a way to restrict access for certain users to specific reports? So more something related to #1568
> >
> > Restricting the login in the way you are trying to do it might not work as expected. The token_auth you would provide for loading a widgetized dashboard can always be used to request/load any other widget and even the whole Matomo interface without the need to log in.
>
> Hi @sgiehl, not exactly. All reports should remain accessible to all users. No user should have access to Matomo interface unless accessing from specific IPs.
>
> Just to confirm my understanding of accessing the "whole Matomo interface without the need to log in", is this only available when logme feature is active (config: login_allow_logme = 1)?

Hey @sgiehl, just wondering if you had any updates on this. Could this work for the intended purpose? Is it missing something? ... Thanks

@sgiehl
Member

sgiehl commented Jul 24, 2024

@FrancoisChaumont sorry for not coming back earlier on this.
No, this is unrelated to the logme feature. That feature allows logging in using username and md5-password as URL parameters.
The token_auth is an authentication token; it can be used in widgets, API as well as for the UI.

@FrancoisChaumont
Author

> @FrancoisChaumont sorry for not coming back earlier on this. No, this is unrelated to the logme feature. That feature allows logging in using username and md5-password as URL parameters. The token_auth is an authentication token; it can be used in widgets, API as well as for the UI.

@sgiehl No worries. Is login via token_auth only allowed with Login Token Auth plugin installed & activated or always? If always, is there an easy/built-in way to disable it? I'm still trying to figure out if this PR could fit my use-case.

@sgiehl
Member

sgiehl commented Jul 29, 2024

It is always enabled, as that is how our API authentication works.
The normal login also uses a token_auth, which is session based only, but used to authenticate API requests sent through the UI.
Disabling that isn't possible.

@FrancoisChaumont
Author

> > Hi @FrancoisChaumont, thank you for taking the time and submitting the PR. Can you please explain a bit more what you see as the difference between authenticating and logging in? Do you mean access in general (e.g. also as an anonymous user) vs logging in as a known user?
>
> Hi @michalkleiner, thanks for taking the time to look into this. I see logging in as strictly through the login (aka sign-in) page using user's credentials (email/username & password), and authenticating as through requests that either use token or credentials provided in the URL.
>
> Here's the use-case that led to the PR:
>
> * only the superuser should be allowed to log in (using the sign-in page) from a specific IP address and access Matomo's interface
> * other users should still have access to their widgetized dashboards
> * API & tracking requests should be able to be received from any IP

Hey @sgiehl, I think we're slowly drifting a bit from the original question. Do you think the above could be achieved? Using the changes provided in the PR? Or maybe some other ways already existing or yet to be implemented?

@sgiehl
Member

sgiehl commented Aug 5, 2024

@FrancoisChaumont No, that won't be possible at the moment. Accessing UI, widgetized reports or API is possible with the same tokens. You can't easily restrict that without the risk of breaking something.

Matomo would need #21175 to allow something like that directly. So you could define tokens that are e.g. only valid for certain widgeted reports or similar. That way a user wouldn't be able to use the same token for something else.

If you wish to restrict some parts of your instance, you might need to do a custom implementation / plugin and hook into certain events in order to deny normal user accounts access to it.

Anyway, thanks for your effort in creating this PR.

@sgiehl sgiehl closed this Aug 5, 2024
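
A simplified model of the point made in this thread, added here as an illustration (it is not Matomo's code or the PR's): an IP allowlist on the sign-in page alone leaves the UI reachable with the token issued for a widgetized dashboard, while tokens limited to certain surfaces close that gap. The surface names, the `Request` type, both gate functions and the addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample allowlist (documentation address range), not from the PR.
ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]

@dataclass(frozen=True)
class Request:
    surface: str                          # hypothetical: login_page, ui, widget, api, tracking
    source_ip: str
    token_scope: frozenset = frozenset()  # surfaces the presented token is valid for
    has_token: bool = False

def ip_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)

def login_page_only(req: Request) -> bool:
    """Allowlist guards the sign-in form; one token is valid on every surface."""
    if req.surface == "tracking":
        return True
    if req.surface == "login_page":
        return ip_allowed(req.source_ip)
    return req.has_token

def scoped_tokens(req: Request) -> bool:
    """Same allowlist, but a token is honoured only on surfaces in its scope."""
    if req.surface == "tracking":
        return True
    if req.surface == "login_page":
        return ip_allowed(req.source_ip)
    return req.has_token and req.surface in req.token_scope

def evaluate(gate) -> dict:
    """Replay the use-case from the thread from a non-allowlisted address."""
    outside = "198.51.100.7"              # constructed client address
    widget_token = frozenset({"widget"})  # token handed out for a widgetized dashboard
    cases = {
        "sign-in page": Request("login_page", outside),
        "widgetized dashboard": Request("widget", outside, widget_token, True),
        "full UI with widget token": Request("ui", outside, widget_token, True),
        "tracking request": Request("tracking", outside),
    }
    return {name: gate(req) for name, req in cases.items()}

if __name__ == "__main__":
    for gate in (login_page_only, scoped_tokens):
        print(gate.__name__, evaluate(gate))
```

Under `login_page_only` the "full UI with widget token" case is allowed even though the sign-in page is blocked; under `scoped_tokens` it is denied while the dashboard and tracking cases still pass.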