Fix ajax no access error

core/Access.php

@@ -13,6 +13,7 @@
 use Piwik\Access\CapabilitiesProvider;
 use Piwik\API\Request;
 use Piwik\Access\RolesProvider;
+use Piwik\Http\BadRequestException;
 use Piwik\Request\AuthenticationToken;
 use Piwik\Container\StaticContainer;
 use Piwik\Plugins\SitesManager\API as SitesManagerApi;
@@ -78,6 +79,11 @@ class Access
      */
     private $auth = null;
 
+    /**
+     * @var bool
+     */
+    private $sessionExpired = false;
+
     /**
      * Gets the singleton instance. Creates it if necessary.
      *
@@ -627,7 +633,7 @@ public function checkUserHasCapability($idSites, $capability)
     /**
      * @param int|array|string $idSites
      * @return array
-     * @throws \Piwik\NoAccessException
+     * @throws BadRequestException
      */
     protected function getIdSites($idSites)
     {
@@ -638,7 +644,7 @@ protected function getIdSites($idSites)
         $idSites = Site::getIdSitesFromIdSitesString($idSites);
 
         if (empty($idSites)) {
-            $this->throwNoAccessException("The parameter 'idSite=' is missing from the request.");
+            throw new BadRequestException("The parameter 'idSite=' is missing from the request.");
         }
 
         return $idSites;
@@ -745,21 +751,24 @@ private function throwNoAccessException($message)
     {
         if (Piwik::isUserIsAnonymous() && !Request::isRootRequestApiRequest()) {
             $message = Piwik::translate('General_YouMustBeLoggedIn');
-
-            // Try to detect whether user was previously logged in so that we can display a different message
-            $referrer = Url::getReferrer();
-            $matomoUrl = SettingsPiwik::getPiwikUrl();
-            if (
-                $referrer && $matomoUrl && Url::isValidHost(Url::getHostFromUrl($referrer)) &&
-                strpos($referrer, $matomoUrl) === 0
-            ) {
+            if ($this->sessionExpired) {
                 $message = Piwik::translate('General_YourSessionHasExpired');
             }
         }
 
         throw new NoAccessException($message);
     }
 
+    public function setSessionExpired(bool $sessionExpired): void
+    {
+        $this->sessionExpired = $sessionExpired;
+    }
+
+    public function wasSessionExpired(): bool
+    {
+        return $this->sessionExpired;
+    }
+
     /**
      * Returns true if the current user is logged in or not.
      *

core/FrontController.php

@@ -70,6 +70,7 @@ class FrontController extends Singleton
     public const DEFAULT_MODULE = 'CoreHome';
     public const DEFAULT_LOGIN = 'anonymous';
     public const DEFAULT_TOKEN_AUTH = 'anonymous';
+    private const SESSION_TIMEOUT_COOKIE_NAME = 'matomo_session_timed_out';
 
     // public for tests
     public static $requestId = null;
@@ -425,6 +426,9 @@ public function init()
         $sessionAuth = $this->makeSessionAuthenticator();
         if ($sessionAuth) {
             $loggedIn = Access::getInstance()->reloadAccess($sessionAuth);
+            if (!$loggedIn && $sessionAuth->wasSessionExpired()) {
+                Access::getInstance()->setSessionExpired(true);
+            }
         }
 
         // ... if session auth fails try normal auth (which will login the anonymous user)
@@ -449,7 +453,8 @@ public function init()
             $this->makeAuthenticator($sessionAuth); // Piwik\Auth must be set to the correct Login plugin
         }
 
-
+        $this->consumeSessionTimeoutCookie();
+        $this->sendSessionTimedOutHeaderIfNeeded();
 
         // Force the auth to use the token_auth if specified, so that embed dashboard
         // and all other non widgetized controller methods works fine
@@ -806,6 +811,21 @@ private static function setRequestIdHeader()
         Common::sendHeader("X-Matomo-Request-Id: $requestId");
     }
 
+    private function consumeSessionTimeoutCookie(): void
+    {
+        $cookie = new Cookie(self::SESSION_TIMEOUT_COOKIE_NAME);
+
+        if (!$cookie->isCookieFound()) {
+            return;
+        }
+
+        $cookie->delete();
+
+        if (Piwik::isUserIsAnonymous()) {
+            Access::getInstance()->setSessionExpired(true);
+        }
+    }
+
     private function isSupportedBrowserCheckNeeded()
     {
         if (defined('PIWIK_ENABLE_DISPATCH') && !PIWIK_ENABLE_DISPATCH) {
@@ -845,4 +865,12 @@ private function isSupportedBrowserCheckNeeded()
 
         return false;
     }
+
+    private function sendSessionTimedOutHeaderIfNeeded()
+    {
+        if (!Access::getInstance()->wasSessionExpired()) {
+            return;
+        }
+        Common::sendHeader('X-Matomo-Session-Timed-Out: 1');
+    }
 }

core/Session/SessionAuth.php

@@ -46,6 +46,11 @@ class SessionAuth implements Auth
 
     private $tokenAuth;
 
+    /**
+     * @var bool
+     */
+    private $sessionExpired = false;
+
     public function __construct(?UsersModel $userModel = null, $shouldDestroySession = true)
     {
         $this->userModel = $userModel ?: new UsersModel();
@@ -97,6 +102,7 @@ public function setPasswordHash(
 
     public function authenticate()
     {
+        $this->sessionExpired = false;
         $sessionFingerprint = new SessionFingerprint();
         $userModel = $this->userModel;
 
@@ -243,9 +249,17 @@ private function isExpiredSession(SessionFingerprint $sessionFingerprint)
         }
 
         $isExpired = Date::now()->getTimestampUTC() > $expirationTime;
+        if ($isExpired) {
+            $this->sessionExpired = true;
+        }
         return $isExpired;
     }
 
+    public function wasSessionExpired(): bool
+    {
+        return $this->sessionExpired;
+    }
+
     private function checkIfSessionFailedToRead()
     {
         if (Session\SaveHandler\DbTable::$wasSessionToLargeToRead) {

plugins/CoreHome/tests/UI/AjaxHelperSessionTimeout_spec.js

@@ -0,0 +1,78 @@
+/*!
+ * Matomo - free/libre analytics platform
+ *
+ * AjaxHelper session timeout UI test.
+ *
+ * @link    https://matomo.org
+ * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+describe('AjaxHelperSessionTimeout', function () {
+  this.fixture = "Piwik\\Tests\\Fixtures\\OneVisitorTwoVisits";
+
+  const reportUrl = '?module=CoreHome&action=index&idSite=1&period=day&date=yesterday';
+
+  async function loadReportPage() {
+    await page.goto(reportUrl);
+    await page.waitForNetworkIdle();
+    await page.waitForFunction(() => window.ajaxHelper && window.piwikHelper);
+  }
+
+  const cases = [
+    {
+      name: 'should refresh when a request indicates the session has timed out',
+      headerValue: '1',
+      expectedRefresh: true,
+    },
+    {
+      name: 'should not refresh when the session timeout header is missing',
+      headerValue: null,
+      expectedRefresh: false,
+    },
+  ];
+
+  cases.forEach(({ name, headerValue, expectedRefresh }) => {
+    it(name, async function () {
+      await loadReportPage();
+
+      const refreshCalled = await page.evaluate((value) => {
+        document.cookie = 'matomo_session_timed_out=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
+        window._ajaxSessionTimedOutRefresh = false;
+        const originalRefresh = window.piwikHelper.refreshAfter;
+        const originalAjax = window.$.ajax;
+
+        window.piwikHelper.refreshAfter = (timeout) => {
+          window._ajaxSessionTimedOutRefresh = timeout === 0;
+        };
+
+        const mockXhr = {
+          status: 401,
+          statusText: 'error',
+          getResponseHeader: (name) => (name === 'X-Matomo-Session-Timed-Out' ? value : null),
+          then() {
+            return this;
+          },
+          fail(callback) {
+            this._fail = callback;
+            return this;
+          },
+        };
+
+        window.$.ajax = () => mockXhr;
+
+        const helper = new window.ajaxHelper();
+        helper.send();
+        if (typeof mockXhr._fail === 'function') {
+          mockXhr._fail(mockXhr);
+        }
+
+        window.$.ajax = originalAjax;
+        window.piwikHelper.refreshAfter = originalRefresh;
+
+        return window._ajaxSessionTimedOutRefresh;
+      }, headerValue);
+
+      expect(refreshCalled).to.equal(expectedRefresh);
+    });
+  });
+});