- We have set up the Login SAML plugin provided by Matomo to set up our OAuth mechanism.
- We have used Azure AD for setting up the SSO with Matomo.
- This SSO setup works well when logging into the Matomo dashboard and accessing it; the flow is smooth in that respect.
- But the Matomo script that gets called when an event is triggered from our application is unauthenticated.
- The matomo.php script that gets triggered from our web app, which has Matomo analytics integrated, is triggered without any authentication.
- If I take the matomo.php trigger script URL from the Network tab in the browser developer tools, the same URL can be triggered by anyone from a browser address bar without any hindrance.
- This introduces a vulnerability in the entire flow, as someone with access to the URL can spam our system with unlimited events just by hitting the script URL in a new browser tab.
- We want the matomo.php script to only save events that are triggered with an auth_token from the LoginSAML plugin.
- Will this be possible with the LoginSAML plugin? If yes, what configuration changes do we need to make in our plugin?