Does Piwik PRO implement CSRF on the API?

Hi, so I have this Chrome extension in which I integrated Piwik PRO APIs (I was posting about it here) and it stopped working all of a sudden. It did download the data from the API endpoints successfully, and now I cannot fetch the bearer token. In response to my attempt to fetch the API bearer token I’m getting a 403 error with info about CSRF; this is the exact error I’m getting:

CSRF Failed: Origin checking failed - chrome-extension://jlemboadadokodoekhfeobkcjlbgnjkf does not match any trusted origins.

Were there any additional policies just introduced server-side on the API endpoints? From what I understand, only a server-side change can be the reason for this. I will be thankful if you can share any information regarding that, thanks!

Edit: I just noticed that this seems to happen just for my Piwik PRO instance. I also have API credentials configured from another PP instance, and connections from the Chrome extension work for it just fine. Now I’m even more puzzled, is there maybe something off with my instance? They are both on the same version from what I see - 18.13.5.

I know the instance it does work on is much newer, both are on Core plan.

Edit2: And now I checked on yet another PP instance and it doesn’t work with it (same error about CSRF).
I hope this information will maybe be helpful in getting me help with this one. It seems that something is maybe not consistent, since it works with one instance and not another?

Hi @gonerator,

Could you share some details on how you call the auth endpoint? From what I understand, you tried calling both instances from the same extension, right (so the same method of sending the API call)?

Thanks for the answer @anthonybartczak!

Yes, as you said - right now it works with one PP instance, and not with another.
I’m connecting through the native JS code of the Chrome extension with a regular fetch - getting the token and later using it to query the data.

It worked just fine up until today (March 15th, not sure if I was using it yesterday, but I’m 100% positive it was working just fine on March 13th).

From my understanding some policies got additionally enforced for a particular instance, but I hope this is just some oversight because it would make my code non-functional :smiley: :cry:

At the same time, connecting to the API for my instance (the one with the problem) works just fine from Python code, for example.

What headers are being used in the request? Are you using POST or GET?

Of course, appropriately, I’m using POST, along with content-type and all; here’s a snippet of my code if you want to take a look:

  // tokenUrl and config (clientId / clientSecret) are defined elsewhere in the extension;
  // this runs inside an async function
  const response = await fetch(tokenUrl, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    // OAuth2 client_credentials grant: client_id and client_secret travel in the JSON body
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: config.clientId,
      client_secret: config.clientSecret,
    }),
  });

But the fact that this code is alright is confirmed by the fact that I connected to one of the instances successfully. And the error would be different if something were wrong with the request anyway. The error about CSRF is specifically saying that the chrome-extension:// origin is not allowed to connect, so that’s why I think it’s something server-side. I will be thankful if you guys can take a look at this :pleading_face:
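To show what the error above means on the server side, here is an added example (not Piwik PRO code) of a standard Origin-header allowlist check of the kind that produces "Origin checking failed", together with the general rule for when such a check should apply at all: CSRF protection exists for requests that carry ambient credentials (cookies), while a client_credentials token request authenticates through its body and carries none. The trusted-origin value and the sample requests are constructed placeholders.

```javascript
// Constructed placeholder allowlist; a real deployment lists its own instance origins.
const TRUSTED_ORIGINS = ['https://example.piwik.pro'];

// Case-insensitive header lookup on a minimal request object { method, headers }.
function header(req, name) {
  const key = Object.keys(req.headers || {}).find((k) => k.toLowerCase() === name);
  return key ? req.headers[key] : undefined;
}

// Normalise the Origin header to scheme://host[:port] and compare with the allowlist.
// Non-special schemes such as chrome-extension:// yield url.origin === 'null' in the
// WHATWG URL parser, so the origin is rebuilt from protocol and host for those.
function originIsTrusted(originHeader, trusted = TRUSTED_ORIGINS) {
  if (!originHeader || originHeader === 'null') return false; // opaque or missing origin
  let url;
  try { url = new URL(originHeader); } catch { return false; } // unparseable Origin
  const origin = url.origin !== 'null' ? url.origin : `${url.protocol}//${url.host}`;
  return trusted.includes(origin);
}

// CSRF checks defend against a browser attaching cookies to a cross-site request.
// Only state-changing methods on requests that actually carry a cookie need them.
function csrfCheckApplies(req) {
  const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  const unsafe = !safeMethods.includes((req.method || 'GET').toUpperCase());
  return unsafe && Boolean(header(req, 'cookie'));
}

// Decision a middleware would make for one request.
function decide(req, trusted = TRUSTED_ORIGINS) {
  if (!csrfCheckApplies(req)) {
    return { status: 200, reason: 'no ambient credentials; CSRF origin check not needed' };
  }
  const origin = header(req, 'origin');
  if (originIsTrusted(origin, trusted)) return { status: 200, reason: 'origin trusted' };
  return {
    status: 403,
    reason: `CSRF Failed: Origin checking failed - ${origin} does not match any trusted origins.`,
  };
}

// Constructed sample: the extension's token request, with and without a session cookie.
const EXT_ORIGIN = 'chrome-extension://jlemboadadokodoekhfeobkcjlbgnjkf';
const tokenRequest = { method: 'POST', headers: { Origin: EXT_ORIGIN, 'Content-Type': 'application/json' } };
const tokenRequestWithCookie = { method: 'POST', headers: { ...tokenRequest.headers, Cookie: 'session=abc' } };
const browserRequest = { method: 'POST', headers: { Origin: 'https://example.piwik.pro', Cookie: 'session=abc' } };
```

Run `decide(tokenRequest)` to see the client_credentials request pass, and `decide(tokenRequestWithCookie)` to reproduce the 403 text from the thread; adding the extension origin to the allowlist is what turns the latter into a 200.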

So, to wrap this up - on Saturday evening (16th March) it started working again :face_with_raised_eyebrow: so maybe just an FYI for you, that something like this was happening for some time, maybe some config got out partying for the weekend. Thanks for the assistance!

@anthonybartczak sorry to bother you, but this just came up again. Just as I was working, fetching the tokens all the time basically, all of a sudden - the same error:

    {
        "detail": "CSRF Failed: Origin checking failed - chrome-extension://jlemboadadokodoekhfeobkcjlbgnjkf does not match any trusted origins."
    }

Were you maybe able to check on this? Now it seems like it won’t be a one-time issue :face_with_raised_eyebrow:

Responded in a PM. The bugfix will be introduced with the next release.