Added simple script to fetch API specs, #PG-5043#949
Conversation
| $params['token_auth'] = $tokenAuth; | ||
| $url = $baseUrl . '/index.php?' . http_build_query($params); | ||
| $response = @file_get_contents($url); |
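Review bot: `@file_get_contents($url)` suppresses the warning that would explain a failed fetch, so a `false` return is the only failure signal and must be checked explicitly before the response is written to disk. Because `$params['token_auth']` is part of the query string, `$url` should also be kept out of every exception and log message, or the token sent in the request body instead of the URL.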
we should use curl ideally for remote URLs
| $written++; | ||
| } catch (Throwable $e) { | ||
| fwrite(STDERR, "Failed for $plugin: {$e->getMessage()}\n"); |
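Review bot: the catch block writes `$e->getMessage()` to stderr for any Throwable, so an exception whose message embeds the request URL will print `token_auth`; build the message from the plugin name and the failure reason only. The loop also keeps iterating after a persistent failure such as an unwritable output directory and never records that anything failed; count failures and exit non-zero at the end so a CI run does not report success with missing specs.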
Here it will keep continuing unnecessarily if file_put_contents fails; the issue would be consistent for all.
AltamashShaikh left a comment
@lachiebol left a few comments
From codex: This doesn't seem too bad for our use case right? I know we could write to a tmp folder then move after everything is done. Not sure if I need to address that one.
AltamashShaikh left a comment
@lachiebol AI review
High-risk issues (blocking)
- Secret leakage in error output: fetch-openapi-specs.php:26 and fetch-openapi-specs.php:43 include the full request URL in thrown exceptions. That URL contains token_auth, so any network/API failure will print credentials to stderr via the top-level handlers at fetch-openapi-specs.php:71 and fetch-openapi-specs.php:112. For a script likely to run in CI or shared shells, that is a real credential exposure.
- Stale spec files are never removed: the script only writes files for the current whitelist, but the docs app enumerates all matching files on disk via app/helpers/OpenApiSpecRegistry.php:21. If a plugin is removed from the whitelist or renamed, its old *_openapi_spec_v1.0.0.json file remains and will still be shown in the UI. That makes the generated docs drift from the source instance.
Secret leakage in error output: Should only be leaking token_auth anonymous, but can remove that.
Stale spec files are never removed: Can fix that one.
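The two blocking points from the AI review above (token_auth reaching stderr through exception messages, and stale `*_openapi_spec_v1.0.0.json` files surviving whitelist changes), shown as an added PHP example that is not the PR's script: the token travels in the POST body via curl so the URL never carries it, failures are reported by plugin name and HTTP status only, and a prune step deletes spec files whose plugin is no longer whitelisted. `fetchSpec()`, `pruneStaleSpecs()` and the `$params` passed in are assumed names, not the script's own.

```php
<?php
// Added example, not the PR's fetch-openapi-specs.php. Assumed names: fetchSpec(),
// pruneStaleSpecs(). The caller builds $params for the API call it needs.

function fetchSpec(string $baseUrl, string $plugin, array $params, string $tokenAuth): string
{
    unset($params['token_auth']);                 // never part of the URL
    $url = rtrim($baseUrl, '/') . '/index.php?' . http_build_query($params);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['token_auth' => $tokenAuth]),
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);
    // Error messages carry the plugin and status only; $url and $tokenAuth never reach stderr.
    if ($body === false) {
        throw new RuntimeException("Request failed for $plugin: $err");
    }
    $data = json_decode($body, true);
    // Matomo reports API errors as JSON {"result":"error","message":...}, often with HTTP 200.
    if ($status !== 200 || !is_array($data) || ($data['result'] ?? null) === 'error') {
        $reason = is_array($data) ? ($data['message'] ?? 'unexpected payload') : 'non-JSON body';
        throw new RuntimeException("Bad response for $plugin (HTTP $status): $reason");
    }
    return $body;
}

// Delete *_openapi_spec_v1.0.0.json files for plugins no longer in the whitelist,
// so the docs registry cannot pick up specs from removed or renamed plugins.
function pruneStaleSpecs(string $dir, array $whitelist): array
{
    $suffix  = '_openapi_spec_v1.0.0.json';
    $removed = [];
    foreach (glob("$dir/*$suffix") as $file) {
        $plugin = substr(basename($file), 0, -strlen($suffix));
        if (!in_array($plugin, $whitelist, true)) {
            unlink($file);
            $removed[] = basename($file);
        }
    }
    return $removed;                              // caller logs what was pruned
}
```

The caller should count exceptions from `fetchSpec()` and exit non-zero when any plugin failed, rather than letting the loop finish silently.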
AltamashShaikh left a comment
@lachiebol Looks good we can test it together after deployment and I should be able to create a cron for you
Description
NOTE: This OpenApiDocs change is needed to run this script matomo-org/plugin-ApiReference#30
Script to pull specs from cloud, default MATOMO_BASE_URL will be demo.matomo.cloud
MATOMO_BASE_URL="{matomo-url}" php fetch-openapi-specs.php
Checklist
Review