Skip to content

Switch to proxy URL to handle API requests to demo, #PG-5029 #876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AltamashShaikh merged 4 commits into from
Apr 10, 2026
Merged

Switch to proxy URL to handle API requests to demo, #PG-5029 #876

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ab5cd61
Now using proxy class to handle swagger try it out requests
lachiebol Mar 31, 2026
eedd123
Fixed bad error code handling from codex review
lachiebol Mar 31, 2026
843e4be
Validate url and add more error handling
lachiebol Mar 31, 2026
59f2d5c
Changed pathing
lachiebol Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 85 additions & 0 deletions app/helpers/DemoProxy.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
<?php
/**
* Piwik - Open source web analytics
*
* @link http://piwik.org
* @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
*/

namespace helpers;

/**
* Proxy for demo.matomo.cloud, allows us to make single origin requests by doing them through this class
*/
class DemoProxy
{

public const MATOMO_SWAGGER_PROXY_TARGET = 'https://demo.matomo.cloud';

/**
* Fetches a demo API GET response and returns the body and status code.
*
* @param string $url Demo API URL to request.
* @param string $authorizationHeader Optional Authorization header value to forward.
* @return array{body: string, statusCode: int}
*/
public static function get(string $url, string $authorizationHeader = ''): array
{
$context = self::createContext($authorizationHeader);
$proxiedResponse = self::fetchResponse($url, $context);
$statusCode = self::parseStatusCode($proxiedResponse['responseHeaders']);

return [
'body' => $proxiedResponse['body'],
'statusCode' => $statusCode,
];
}

private static function createContext(string $authorizationHeader)
{
return stream_context_create([
'http' => [
'method' => 'GET',
'header' => self::buildHeaders($authorizationHeader),
'ignore_errors' => true,
'timeout' => 30,
],
]);
}

private static function buildHeaders(string $authorizationHeader): string
{
if ($authorizationHeader === '') {
return '';
}

return 'Authorization: ' . $authorizationHeader;
}

/**
* @return array{body: string, responseHeaders: array}
*/
private static function fetchResponse(string $url, $context): array
{
$body = @file_get_contents($url, false, $context);
if ($body === false) {
throw new \RuntimeException('Could not proxy HTTP request');
}

return [
'body' => $body,
'responseHeaders' => $http_response_header ?? [],
];
}

private static function parseStatusCode(array $responseHeaders): int
{
$statusLine = $responseHeaders[0] ?? '';

if (preg_match('#^HTTP/\S+\s+(\d{3})#', $statusLine, $matches)) {
return (int) $matches[1];
}

return 200;
}
}
16 changes: 16 additions & 0 deletions app/routes/page.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
use helpers\Content\Category\TracTicketArchiveCategory;
use helpers\Content\Guide;
use helpers\Content\PhpDoc;
use helpers\DemoProxy;
use helpers\DocumentNotExistException;
use helpers\Environment;
use helpers\OpenApiSpecRegistry;
Expand All @@ -31,6 +32,7 @@
use Slim\Exception\HttpNotFoundException;



function renderGuide(Slim\Views\Twig $view, Response $response, Psr\Http\Message\UriInterface $uri, Guide $guide, Category $category, string $template = 'guide.twig')
{
return $view->render($response, $template, [
Expand Down Expand Up @@ -265,6 +267,20 @@ function renderGuide(Slim\Views\Twig $view, Response $response, Psr\Http\Message
->withStatus(200);
});

$app->get('/demo-proxy/{path:.*}', function (Request $request, Response $response, $args) {
$path = ltrim($args['path'] ?? '', '/');
Copy link
Copy Markdown
Contributor

@AltamashShaikh AltamashShaikh Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

main concern is that it now becomes a proxy to query demo.matomo.cloud without any CORS error

We can add a check that requestURL path should be index.php and Module should be API along with CSRF token.

Copy link
Copy Markdown
Contributor Author

@lachiebol lachiebol Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have added some URL validation so only the API can be queried.

Demo is a public instance, are we exposing anything that isn't already available with this proxy? For the CSRF token, we don't have a session on developer docs, so not sure where we can store that

$targetUrl = rtrim(DemoProxy::MATOMO_SWAGGER_PROXY_TARGET, '/') . '/' . $path;
$query = $request->getUri()->getQuery();
if ($query !== '') {
$targetUrl .= '?' . $query;
}

$proxiedResponse = DemoProxy::get($targetUrl, $request->getHeaderLine('Authorization'));

$response->getBody()->write($proxiedResponse['body']);
Copy link
Copy Markdown
Contributor

@AltamashShaikh AltamashShaikh Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should add a try/catch here

Copy link
Copy Markdown
Contributor Author

@lachiebol lachiebol Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, I also realised we return errors with a 200 OK? At the moment it doesn't break anything in Swagger, technically we could catch in the proxy and throw something else

return $response->withStatus($proxiedResponse['statusCode']);
});

$app->post('/receive-commit-hook', function (Request $request, Response $response, $args) {
$params = $request->getQueryParams();
if (empty($params["token"]) || !password_verify($params["token"], WEBHOOK_TOKEN)) {
Expand Down
10 changes: 8 additions & 2 deletions app/templates/api-swagger.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,8 @@
<script src="/vendor/swagger-ui/swagger-ui-bundle.js?{{ revision|e('html_attr') }}"></script>
<script type="text/javascript">
window.onload = function () {
let pluginSpec = {{ pluginSpecJson|raw }};
let pluginSpecJson = {{ pluginSpecJson|raw }};
let proxyBaseUrl = window.location.origin + '/demo-proxy';
Copy link
Copy Markdown
Contributor

@AltamashShaikh AltamashShaikh Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let proxyBaseUrl = window.location.origin + '/demo-proxy';
let proxyBaseUrl = '/demo-proxy';

Copy link
Copy Markdown
Contributor Author

@lachiebol lachiebol Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made that change, it also collapses the server field down to this
image

I changed it to 'demo' rather than 'demo-proxy', proxy felt too technical for a user facing page.

let summaryPrefix = '/index.php?module=API&method=';

function clonePluginSpec(spec) {
Expand Down Expand Up @@ -50,10 +51,15 @@
}

if (typeof SwaggerUIBundle === 'function') {
let pluginSpec = clonePluginSpec(pluginSpecJson);

// CORs on demo not allowing authorization: Bearer anonymous in preflight, so we need a proxy into demo
pluginSpec.servers = [{ url: proxyBaseUrl }];

SwaggerUIBundle({
dom_id: '#swagger-ui',
url: null,
spec: clonePluginSpec(pluginSpec),
spec: pluginSpec,
docExpansion: 'list',
tagsSorter: 'alpha',
presets: [
Expand Down