matomo-org · michalkleiner · Apr 14, 2025 · Mar 26, 2025 · Mar 26, 2025 · Mar 28, 2025
diff --git a/config/global.ini.php b/config/global.ini.php
@@ -561,6 +561,10 @@
 ; Recommended for best security.
 only_allow_secure_auth_tokens = 0
 
+; Number of days after which a personal auth token is recommended to be rotated
+; and an email notification will be sent to the user
+auth_token_rotation_notification_days = 180
+
 ; language cookie name for session
 language_cookie_name = matomo_lang
 

diff --git a/core/Updates/5.4.0-b1.php b/core/Updates/5.4.0-b1.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link    https://matomo.org
+ * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Updates;
+
+use Piwik\Updater;
+use Piwik\Updater\Migration\Factory as MigrationFactory;
+use Piwik\Updates;
+
+class Updates_5_4_0_b1 extends Updates
+{
+    /**
+     * @var MigrationFactory
+     */
+    private $migration;
+
+    public function __construct(MigrationFactory $factory)
+    {
+        $this->migration = $factory;
+    }
+
+    public function getMigrations(Updater $updater)
+    {
+        return [
+            $this->migration->db->addColumn('user_token_auth', 'ts_rotation_notified', 'TIMESTAMP NULL'),
+        ];
+    }
+
+    public function doUpdate(Updater $updater)
+    {
+        $updater->executeMigrations(__FILE__, $this->getMigrations($updater));
+    }
+}
diff --git a/core/Version.php b/core/Version.php
@@ -22,7 +22,7 @@ final class Version
      * The current Matomo version.
      * @var string
      */
-    public const VERSION = '5.4.0-alpha';
+    public const VERSION = '5.4.0-b1';
 
     public const MAJOR_VERSION = 5;
 

diff --git a/plugins/UsersManager/AuthTokenEmailNotification.php b/plugins/UsersManager/AuthTokenEmailNotification.php
@@ -0,0 +1,21 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager;
+
+use Piwik\Plugins\UsersManager\Emails\AuthTokenNotificationEmail;
+use Piwik\Plugins\UsersManager\TokenNotifications\TokenEmailNotification;
+
+final class AuthTokenEmailNotification extends TokenEmailNotification
+{
+    public function getEmailClass(): string
+    {
+        return AuthTokenNotificationEmail::class;
+    }
+}
diff --git a/plugins/UsersManager/Emails/AuthTokenNotificationEmail.php b/plugins/UsersManager/Emails/AuthTokenNotificationEmail.php
@@ -0,0 +1,103 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link    https://matomo.org
+ * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\Emails;
+
+use Piwik\Config;
+use Piwik\Mail;
+use Piwik\Piwik;
+use Piwik\Plugins\UsersManager\TokenNotifications\TokenNotification;
+use Piwik\Url;
+use Piwik\View;
+
+class AuthTokenNotificationEmail extends Mail
+{
+    /**
+     * @var TokenNotification
+     */
+    private $notification;
+
+    /** @var string */
+    private $recipient;
+
+    /** @var array */
+    private $emailData;
+
+    public function __construct(TokenNotification $notification, string $recipient, array $emailData)
+    {
+        parent::__construct();
+
+        $this->notification = $notification;
+        $this->recipient = $recipient;
+        $this->emailData = $emailData;
+
+        $this->setUpEmail();
+    }
+
+    private function setUpEmail(): void
+    {
+        $this->setDefaultFromPiwik();
+        $this->addTo($this->recipient);
+        $this->setSubject($this->getDefaultSubject());
+        $this->addReplyTo($this->getFrom(), $this->getFromName());
+        $this->setBodyText($this->getDefaultBodyText());
+        $this->setWrappedHtmlBody($this->getDefaultBodyView());
+    }
+
+    private function getRotationPeriodPretty(): string
+    {
+        $rotationPeriodDays = Config::getInstance()->General['auth_token_rotation_notification_days'];
+
+        return Piwik::translate('Intl_PeriodDay' . ($rotationPeriodDays === 1 ? '' : 's'));
+    }
+
+    protected function getManageAuthTokensLink(): string
+    {
+        return Url::getCurrentUrlWithoutQueryString()
+            . '?module=UsersManager'
+            . '&action=userSecurity'
+            . '#authtokens';
+    }
+    protected function getDefaultSubject(): string
+    {
+        return Piwik::translate('UsersManager_AuthTokenNotificationEmailSubject');
+    }
+
+    protected function getDefaultBodyText(): string
+    {
+        $view = new View('@UsersManager/_authTokenNotificationTextEmail.twig');
+        $view->setContentType('text/plain');
+
+        $this->assignCommonParameters($view);
+
+        return $view->render();
+    }
+
+    protected function getDefaultBodyView(): View
+    {
+        $view = new View('@UsersManager/_authTokenNotificationHtmlEmail.twig');
+
+        $this->assignCommonParameters($view);
+
+        return $view;
+    }
+
+    protected function assignCommonParameters(View $view): void
+    {
+        $view->tokenName = $this->notification->getTokenName();
+        $view->tokenCreationDate = $this->notification->getTokenCreationDate();
+
+        $view->rotationPeriod = $this->getRotationPeriodPretty();
+        $view->manageAuthTokensLink = $this->getManageAuthTokensLink();
+
+        foreach ($this->emailData as $item => $value) {
+            $view->assign($item, $value);
+        }
+    }
+}
diff --git a/plugins/UsersManager/Model.php b/plugins/UsersManager/Model.php
@@ -536,6 +536,11 @@ public function setTokenAuthWasUsed($tokenAuth, $dateLastUsed)
         }
     }
 
+    public function setRotationNotificationWasSentForToken(string $tokenId, string $tsRotation)
+    {
+        $this->updateTokenAuthTable($tokenId, ['ts_rotation_notified' => $tsRotation]);
+    }
+
     private function updateTokenAuthTable($idTokenAuth, $fields)
     {
         $set = array();

diff --git a/plugins/UsersManager/TokenNotifications/TokenEmailNotification.php b/plugins/UsersManager/TokenNotifications/TokenEmailNotification.php
@@ -0,0 +1,61 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\TokenNotifications;
+
+use Piwik\Container\StaticContainer;
+
+abstract class TokenEmailNotification extends TokenNotification
+{
+    /**
+     * A list of recipient emails
+     *
+     * @var array
+     */
+    private $recipients;
+
+    /**
+     * Data in the format of ['[email protected]' => ['item1' => 'value1'], ...] that will be passed to the email class
+     *
+     * @var array
+     */
+    private $emailData;
+
+    public function __construct(
+        string $tokenId,
+        string $tokenName,
+        string $tokenCreationDate,
+        array $recipients,
+        array $emailData
+    ) {
+        parent::__construct($tokenId, $tokenName, $tokenCreationDate);
+
+        $this->recipients = $recipients;
+        $this->emailData = $emailData;
+    }
+
+    abstract public function getEmailClass(): string;
+
+    public function dispatch(): bool
+    {
+        foreach ($this->recipients as $recipient) {
+            $email = StaticContainer::getContainer()->make(
+                $this->getEmailClass(),
+                [
+                    'notification' => $this,
+                    'recipient' => $recipient,
+                    'emailData' => $this->emailData[$recipient] ?? [],
+                ]
+            );
+            $email->safeSend();
+        }
+
+        return true;
+    }
+}
diff --git a/plugins/UsersManager/TokenNotifications/TokenNotification.php b/plugins/UsersManager/TokenNotifications/TokenNotification.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\TokenNotifications;
+
+abstract class TokenNotification implements TokenNotificationInterface
+{
+    /** @var string */
+    private $tokenId;
+
+    /** @var string */
+    private $tokenName;
+
+    /** @var string */
+    private $tokenCreationDate;
+
+    public function __construct(
+        string $tokenId,
+        string $tokenName,
+        string $tokenCreationDate
+    ) {
+        $this->tokenId = $tokenId;
+        $this->tokenName = $tokenName;
+        $this->tokenCreationDate = $tokenCreationDate;
+    }
+
+    public function getTokenId(): string
+    {
+        return $this->tokenId;
+    }
+
+    public function getTokenName(): string
+    {
+        return $this->tokenName;
+    }
+
+    public function getTokenCreationDate(): string
+    {
+        return $this->tokenCreationDate;
+    }
+
+    abstract public function dispatch(): bool;
+}
diff --git a/plugins/UsersManager/TokenNotifications/TokenNotificationInterface.php b/plugins/UsersManager/TokenNotifications/TokenNotificationInterface.php
@@ -0,0 +1,21 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\TokenNotifications;
+
+interface TokenNotificationInterface
+{
+    public function getTokenId(): string;
+
+    public function getTokenName(): string;
+
+    public function getTokenCreationDate(): string;
+
+    public function dispatch(): bool;
+}