Our stack:
- Vue.js frontend using vuetify component lib
- custom python middleware rest api using flask + tornado
- matomo running externally and connected to the frontend using vues plugin system.(https://github.com/AmazingDreams/vue-matomo)
We recently added matamo to our site and very very rarely we’ve noticed 4 incidents out of thousands of users where the username/password which is submitted via POST request to our middleware is ending up being logged in matomo as https://somesite.com?username=someUser&password=somePassword.
Strangely enough the actual route to login is at somesite.com/login so its weird matamo sees it on the homepage.
Here’s the code we use for logging users in:
auth.js
JavaScript
x
19
19
1
const authenicateUser = async (username, password) => {2
const body = { username: username, password: password }3
const headers = new Headers()4
headers.append('Content-Type', 'application/json')5
headers.append('Accept', 'application/json')6
try {7
const response = await fetch('https://somesite.com/users/login', {8
method: 'POST',9
(body ? { body: JSON.stringify(body) } : {}),10
cache: 'no-store',11
credentials: 'include', // this is to allow cross origin requests to our middleware microservice12
headers: headers13
})14
return response15
} catch (error) {16
return false17
}18
}19
login form
JavaScript
1
33
33
1
<v-form @submit.prevent="submit" @keyup.native.enter="submit" id="check-login-form">2
<v-text-field3
class="input-field"4
label="MS ID"5
v-model="username"6
name="username"7
data-cy="userName"8
prepend-icon="mdi-account"9
type="text"10
color="rgb(232, 119, 34)"11
/>12
<div class="password-field">13
<v-text-field14
class="input-field"15
id="password"16
data-cy="userPassword"17
label="Password"18
v-model="password"19
name="password"20
prepend-icon="mdi-lock"21
:type="showPassword ? 'text' : 'password'"22
@click:append="showPassword = !showPassword"23
color="rgb(232, 119, 34)"24
></v-text-field>25
<div v-if="showPassword" class="icon-container" v-on:click="toggleShowPassword">26
<img src="~assets/Icons/View.svg" class="eye-icon" />27
</div>28
<div v-else class="icon-container" v-on:click="toggleShowPassword">29
<img src="~assets/Icons/ViewHide.svg" class="eye-icon" />30
</div>31
</div>32
</v-form>33
submit method
JavaScript
1
21
21
1
async submit() {2
this.isLoading = true3
const response = await authenticateUser(this.username, this.password)4
this.statusCode = response.status5
this.currentStatusCode = this.statusCode6
if (this.statusCode === 200) {7
this.currentStatusCode = this.statusCode8
this.$router.push('/')9
this.isLoading = false10
this.$matomo.setUserId(this.username)11
} else {12
this.isLoading = false13
this.currentStatusCode = null14
this.showPassword = false15
}16
},17
toggleShowPassword: function() {18
this.showPassword = !this.showPassword19
}20
},21
Any ides on why this might be happening?
Advertisement
Answer
We ended up resolving this by adding the method="POST" attr to <v-form>. turned out in some rare cases the form would try to submit as GET which resulted in the form params ending up in the URL as URL params.
JavaScript
1
8
1
<v-form2
method="POST"3
enctype="text/plain"4
@submit.prevent="submit"5
@keyup.native.enter="submit"6
id="check-login-form"7
></v-form>8