Piwik: Pass auth token via POST

piwik/README.md

@@ -5,6 +5,10 @@ gather statistics about the users accessing Indico or specific Indico events.
 
 ## Changelog
 
+### 3.3.1
+
+- Pass `token_auth` via POST instead of query string (more secure, and required by modern Matomo versions)
+
 ### 3.3
 
 - Support (and require) Python 3.12

piwik/indico_piwik/forms.py

@@ -9,6 +9,7 @@
 from wtforms.validators import ValidationError
 
 from indico.web.forms.base import IndicoForm
+from indico.web.forms.fields import IndicoPasswordField
 from indico.web.forms.widgets import SwitchWidget
 
 from indico_piwik import _
@@ -19,10 +20,10 @@ class SettingsForm(IndicoForm):
     enabled_for_events = BooleanField(_('Track events'), widget=SwitchWidget())
     cache_enabled = BooleanField(_('Cache results'), widget=SwitchWidget())
     server_url = StringField(_('Piwik server URL'))
-    server_api_url = StringField(_('Piwik API server URL'),
-                                 description=_("Should be pointing to 'index.php'"))
-    server_token = StringField(_('Piwik API token'),
-                               description=_('Token to access the API. Do not share it!'))
+    server_api_url = StringField(_('Piwik API server URL'))
+    server_token = IndicoPasswordField(_('Piwik API token'),
+                                       toggle=True,
+                                       description=_('Token to access the API. Do not share it!'))
     site_id_general = StringField(_('Global statistics ID'),
                                   description=_('Piwik site ID for global statistics'))
     site_id_events = StringField(_('Event statistics ID'),

piwik/indico_piwik/piwik.py

@@ -38,31 +38,27 @@ def call(self, default_response=None, **query_params):
         :param default_response: Return value in case the query fails
         :param query_params: Dictionary with the parameters of the query
         """
-        query_url = self.get_query_url(**query_params)
-        return self._perform_call(query_url, default_response)
+        return self._perform_call(self.api_url, self.get_query(query_params), default_response)
 
     def get_query(self, query_params=None):
         """Return a query string"""
         if query_params is None:
             query_params = {}
-        query = ''
+        query = {}
         query_params['idSite'] = self.site_id
         if self.api_token is not None:
             query_params['token_auth'] = self.api_token
         for key, value in query_params.items():
             if isinstance(value, list):
                 value = ','.join(value)
-            query += f'{key}={value}&'
-        return query[:-1]
+            query[key] = value
+        return query
 
-    def get_query_url(self, **query_params):
-        """Return the url for a Piwik API query"""
-        return f'{self.api_url}?{self.get_query(query_params)}'
-
-    def _perform_call(self, query_url, default_response=None, timeout=10):
+    def _perform_call(self, query_url, query_params, default_response=None, timeout=10):
         """Returns the raw results from the API"""
+        payload = self.get_query(query_params)
         try:
-            response = requests.get(query_url, timeout=timeout)
+            response = requests.post(query_url, data=payload, timeout=timeout)
         except TimeoutError:
             current_plugin.logger.warning('Timeout contacting Piwik server')
             return default_response

piwik/pyproject.toml

@@ -2,7 +2,7 @@
 name = 'indico-plugin-piwik'
 description = 'Piwik integration for global and event-specific statistics in Indico'
 readme = 'README.md'
-version = '3.3'
+version = '3.3.1'
 license = 'MIT'
 authors = [{ name = 'Indico Team', email = '[email protected]' }]
 classifiers = [