I'm importing historical data to piwik through the tracking API, and after resetting to notice the auth_token changed on user password reset I spent quite a while wondering where my events were going.
With each event I also set the original time it was received, the IP address and other location-related data. Setting these also requires providing the auth_token.
It seems that if the auth_token is provided but incorrect then the data is stored without the values requiring the auth token. No warnings are logged, calls receive status 200, so no visible indication that things are going sour.
There should be a clear indication that things are going wrong. IMO the events should not even be stored, as providing a token_auth indicates that the party sending the event wants to be authenticated, so you are either looking at storing wrong / partial data for a valid user or storing bogus data for an "attacker".
I'd say there are 3 possible solutions (or combination):
I'd think 3 would be the correct option. Generally when I'm calling the API I'm importing hundreds of thousands of events so cleaning out bad data becomes challenging, especially if I already have lots of valid data for the same site.
Thanks @dropadrop for the report. In the Tracking API, when token_auth is invalid it would make sense to log a warning. Not sure about not storing the data at all... but it might be the more correct thing to do indeed. When storing partial data, the warning messages and data inaccuracies could be easily ignored... while no data tracked makes it easier to find the problem. If we don't track any data at all then we can also return http status
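The silent-downgrade behaviour described in the report, placed next to the fail-closed handling suggested in the reply, as an added illustration in Python (this is not Matomo's own PHP tracker code): a hypothetical request handler using a constructed token and the Matomo tracking parameter names that require token_auth (original timestamp, client IP, location overrides).

```python
import hmac
import logging
from dataclasses import dataclass
from typing import Optional

logger = logging.getLogger("tracker")

# Constructed secret for this example; a real tracker looks the token up per user.
VALID_TOKEN = "constructed-valid-token-0123456789abcdef"

# Tracking parameters that must only be honoured on an authenticated request:
# custom datetime, client IP and the location overrides.
PRIVILEGED_PARAMS = {"cdt", "cip", "country", "region", "city", "lat", "long"}


@dataclass
class TrackerResponse:
    status: int
    stored: Optional[dict]  # row that would be written; None means nothing stored


def token_is_valid(token: str) -> bool:
    # Constant-time comparison so validation does not leak timing information.
    return hmac.compare_digest(token, VALID_TOKEN)


def handle_lenient(params: dict) -> TrackerResponse:
    """Behaviour from the report: a wrong token_auth silently drops the
    privileged fields, the rest is stored, and the caller still gets 200."""
    token = params.get("token_auth")
    authenticated = token is not None and token_is_valid(token)
    stored = {k: v for k, v in params.items()
              if k != "token_auth" and (authenticated or k not in PRIVILEGED_PARAMS)}
    return TrackerResponse(200, stored)


def handle_strict(params: dict) -> TrackerResponse:
    """Fail-closed variant: a present-but-invalid token_auth is logged and
    rejected with 401 and nothing is stored, so a bulk importer fails fast.
    Requests without any token keep working as anonymous hits."""
    token = params.get("token_auth")
    if token is not None and not token_is_valid(token):
        logger.warning("tracking request for idsite=%s rejected: invalid token_auth",
                       params.get("idsite"))
        return TrackerResponse(401, None)
    authenticated = token is not None
    stored = {k: v for k, v in params.items()
              if k != "token_auth" and (authenticated or k not in PRIVILEGED_PARAMS)}
    return TrackerResponse(200, stored)
```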
I think this was fixed in https://github.com/matomo-org/matomo/pull/13675