author | Stefan Giehl <stefan@matomo.org> | 2021-08-10 10:39:37 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-10 10:39:37 +0300 |
commit | 1c287f118dcccbaea6385550e2c1e94969ec2618 (patch) | |
tree | 83ad4d2f1452077b190857e4a8f5b38bd0314210 /core | |
parent | d78b4e2ba7bb556dcde11df10a1b0dde4d9ffcc8 (diff) |
Do not log a failed login if a valid app token_auth is sent with the request, but force_api_session parameter is present as well (#17867)
Diffstat (limited to 'core')
-rw-r--r-- | core/Access.php | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/core/Access.php b/core/Access.php index 92b9dff1bd..8c5f74e758 100644 --- a/core/Access.php +++ b/core/Access.php @@ -170,14 +170,11 @@ class Access $auth = StaticContainer::get(SessionAuth::class); $auth->setTokenAuth($tokenAuth); $result = $auth->authenticate(); - if (!$result->wasAuthenticationSuccessful()) { - /** - * Ensures brute force logic to be executed - * @ignore - * @internal - */ - Piwik::postEvent('API.Request.authenticate.failed'); - } + // Note: We do not post a failed login event at this point on purpose + // If using the SessionAuth doesn't work, the FrontController will try to reload the Auth using + // the token_auth only. If that works everything is "fine" and the `force_api_session` parameter was + // unneeded. If that fails as well it will trigger the failed login event + // See FrontController::init() or Request::reloadAuthUsingTokenAuth() Session::close(); // if not successful, we will fallback to regular auth } |
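Review bot: With the `Piwik::postEvent('API.Request.authenticate.failed')` call removed from the SessionAuth branch, brute-force accounting for a request that carries `force_api_session` now depends entirely on the later token-only retry that the new comment attributes to `FrontController::init()` or `Request::reloadAuthUsingTokenAuth()`. Nothing in this hunk enforces that every caller reaching this branch goes on to that retry, so an entry point that does not would leave failed session-auth attempts uncounted. Consider adding a test that asserts a request with an invalid `token_auth` plus `force_api_session` still posts the failed event, and that a valid app `token_auth` plus `force_api_session` posts none, so the dependency on the fallback is pinned down rather than only described in a comment.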