Add a mechanism to remind users to rotate personal auth tokens

config/global.ini.php

@@ -561,6 +561,10 @@
 ; Recommended for best security.
 only_allow_secure_auth_tokens = 0
 
+; Number of days after which a personal auth token is recommended to be rotated
+; and an email notification will be sent to the user
+auth_token_rotation_notification_days = 180
+
 ; language cookie name for session
 language_cookie_name = matomo_lang
 

plugins/UsersManager/AuthTokenNotifications/AuthTokenNotification.php

@@ -0,0 +1,78 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\AuthTokenNotifications;
+
+use Piwik\Config;
+use Piwik\Container\StaticContainer;
+use Piwik\Plugins\UsersManager\Emails\AuthTokenNotificationEmail;
+
+final class AuthTokenNotification
+{
+    /** @var string */
+    private $tokenId;
+
+    /** @var string */
+    private $tokenName;
+
+    /** @var string */
+    private $tokenCreationDate;
+
+    /** @var string */
+    private $login;
+
+    /** @var string */
+    private $email;
+
+    /** @var callable */
+    private $onNotificationSent;
+
+    public function __construct(
+        string $tokenId,
+        string $tokenName,
+        string $tokenCreationDate,
+        string $login,
+        string $email,
+        callable $onNotificationSent
+    ) {
+        $this->tokenId = $tokenId;
+        $this->tokenName = $tokenName;
+        $this->tokenCreationDate = $tokenCreationDate;
+        $this->login = $login;
+        $this->email = $email;
+        $this->onNotificationSent = $onNotificationSent;
+    }
+
+    public function getTokenName(): string
+    {
+        return $this->tokenName;
+    }
+
+    public function getTokenCreationDate(): string
+    {
+        return $this->tokenCreationDate;
+    }
+
+    public function sendNotification(): void
+    {
+        // send email
+        $email = StaticContainer::getContainer()->make(
+            AuthTokenNotificationEmail::class,
+            [
+                'notification' => $this,
+                'rotationPeriodDays' => Config::getInstance()->General['auth_token_rotation_notification_days'],
+            ]
+        );
+        $email->safeSend();
+
+        if (is_callable($this->onNotificationSent)) {
+            call_user_func($this->onNotificationSent, $this->tokenId);
+        }
+    }
+}

plugins/UsersManager/AuthTokenNotifications/AuthTokenNotifierTask.php

@@ -0,0 +1,84 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link    https://matomo.org
+ * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\AuthTokenNotifications;
+
+use Exception;
+use Piwik\Container\StaticContainer;
+use Piwik\Date;
+use Piwik\Log;
+use Piwik\Option;
+use Piwik\Plugin\Manager as PluginManager;
+use Piwik\Plugins\UsersManager\AuthTokenProvider;
+use Piwik\Scheduler\Schedule\Daily;
+use Piwik\Scheduler\Scheduler;
+use Piwik\Scheduler\Task;
+
+/**
+ * Used to automatically update installed GeoIP 2 databases, and manages the updater's
+ * scheduled task.
+ */
+class AuthTokenNotifierTask extends Task
+{
+    public const LAST_RUN_TIME_OPTION_NAME = 'AuthTokenNotifier.lastRunTime';
+
+    public function __construct()
+    {
+        // all checks whether emails can be sent are done in the actual Mail class
+
+        parent::__construct($this, 'sendEmails', null, new Daily());
+    }
+
+    /**
+     * @return AuthTokenNotification[]
+     */
+    private function getAuthTokensToNotify(): array
+    {
+        $tokensToNotify = [];
+        $providers = PluginManager::getInstance()->findComponents(
+            'AuthTokenProvider',
+            AuthTokenProviderInterface::class
+        );
+
+        /** @var AuthTokenProvider $provider */
+        foreach ($providers as $provider) {
+            array_push($tokensToNotify, ...$provider->getAuthTokensToNotify());
+        }
+
+        return $tokensToNotify;
+    }
+
+    /**
+     * Attempts to download new location & ISP GeoIP databases and
+     * replace the existing ones w/ them.
+     */
+    public function sendEmails()
+    {
+        try {
+            Option::set(self::LAST_RUN_TIME_OPTION_NAME, Date::factory('today')->getTimestamp());
+
+            $tokensToNotify = $this->getAuthTokensToNotify();
+
+            // notification emails should be using `safeSend()` method so we don't do try/catch here
+            foreach ($tokensToNotify as $tokenToNotify) {
+                $tokenToNotify->sendNotification();
+            }
+
+            // reschedule for next run
+            /** @var Scheduler $scheduler */
+            $scheduler = StaticContainer::getContainer()->get(Scheduler::class);
+            // reschedule to ensure it's not run again in an hour
+            $scheduler->rescheduleTask(new AuthTokenNotifierTask());
+        } catch (Exception $ex) {
+            // message will already be prefixed w/ 'GeoIP2AutoUpdater: '
+            Log::error($ex);
+            throw $ex;
+        }
+    }
+}

plugins/UsersManager/AuthTokenNotifications/AuthTokenProviderInterface.php

@@ -0,0 +1,21 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\AuthTokenNotifications;
+
+interface AuthTokenProviderInterface
+{
+    /**
+     * Provide a list of auth tokens to be notified, each with their information
+     * that can be used to populate the notification email
+     *
+     * @return AuthTokenNotification[]
+     */
+    public function getAuthTokensToNotify(): array;
+}

plugins/UsersManager/AuthTokenProvider.php

@@ -0,0 +1,76 @@
+<?php
+
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager;
+
+use Piwik\Common;
+use Piwik\Config;
+use Piwik\Date;
+use Piwik\Db;
+use Piwik\Plugins\UsersManager\AuthTokenNotifications\AuthTokenNotification;
+use Piwik\Plugins\UsersManager\AuthTokenNotifications\AuthTokenProviderInterface;
+use Piwik\Plugins\UsersManager\Model as UserModel;
+
+class AuthTokenProvider implements AuthTokenProviderInterface
+{
+    /** @var Model */
+    private $userModel;
+
+    /** @var string */
+    private $today;
+
+    public function __construct()
+    {
+        $this->userModel = new UserModel();
+        $this->today = Date::factory('today')->getDatetime();
+    }
+
+    private function getRotationPeriodThreshold(): string
+    {
+        $periodDays = Config::getInstance()->General['auth_token_rotation_notification_days'];
+        return Date::factory('today')->subDay($periodDays)->getDateTime();
+    }
+
+    public function setTokenNotified(string $tokenId): void
+    {
+        $this->userModel->setRotationNotificationWasSentForToken($tokenId, $this->today);
+    }
+
+    public function getAuthTokensToNotify(): array
+    {
+        $db = Db::get();
+        $sql = "SELECT * FROM " . Common::prefixTable('user_token_auth')
+            . " WHERE (date_expired is null or date_expired > ?)"
+            . " AND (date_created <= ?)"
+            . " AND ts_rotation_notified is null";
+
+        $tokensToNotify = $db->fetchAll($sql, [
+            $this->today,
+            $this->getRotationPeriodThreshold()
+        ]);
+
+        $notifications = [];
+
+        foreach ($tokensToNotify as $t) {
+            $user = $this->userModel->getUser($t->login);
+            $email = $user['email'];
+
+            $notifications[] = new AuthTokenNotification(
+                $t->idusertokenauth,
+                $t->description,
+                $t->date_created,
+                $t->login,
+                $email,
+                [static::class, 'setTokenNotified']
+            );
+        }
+
+        return $notifications;
+    }
+}