Tracking API behaviour on incorrect token_auth should be improved #10685
I'm importing historical data to Piwik through the tracking API, and after resetting to notice the auth_token changed on user password reset I spent quite a while wondering where my events were going.
With each event I also set the original time it was received, IP address and other location-related data. Setting these also requires providing the auth_token.
Current behaviour:
It seems that if the auth_token is provided but incorrect then the data is stored without the values requiring the auth token. No warnings are logged, calls receive status 200, so no visible indication that things are going sour.
Expected behaviour:
A clear indication that things are going wrong. IMO the events should not even be stored, as providing a token_auth indicates that the party sending the event wants to be authenticated, so you are either looking at storing wrong / partial data for a valid user or storing bogus data for an "attacker".
I'd say there are 3 possible solutions (or combination):
I'd think 3 would be the correct option. Generally when I'm calling the API I'm importing hundreds of thousands of events so cleaning out bad data becomes challenging, especially if I already have lots of valid data for the same site.
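The failure mode reported in this issue, modelled as an added example that is not part of the original report and not Matomo's code. It contrasts the reported fail-open handling with a fail-closed one and adds an importer-side check for silently dropped fields. The function names, the sample token, and the 401 status are assumptions; `cdt`, `cip` and `country` are the Tracking HTTP API parameters for visit time, IP address and location.

```python
import hmac

VALID_TOKEN = "constructed-valid-token"       # constructed sample value
PRIVILEGED = {"cdt", "cip", "country"}        # fields that need token_auth

def _token_ok(params):
    supplied = params.get("token_auth", "")
    return hmac.compare_digest(supplied.encode(), VALID_TOKEN.encode())

def _visible(params, authenticated):
    """Fields that end up stored; privileged ones only when authenticated."""
    return {k: v for k, v in params.items()
            if k != "token_auth" and (authenticated or k not in PRIVILEGED)}

def track_reported(params):
    """Model of the behaviour reported above: a bad token is ignored,
    privileged fields are dropped silently, the caller still gets 200."""
    return 200, _visible(params, _token_ok(params))

def track_fail_closed(params):
    """Model of the expected behaviour: a supplied but wrong token
    rejects the request and stores nothing (401 is an assumption)."""
    if "token_auth" in params and not _token_ok(params):
        return 401, None
    return 200, _visible(params, "token_auth" in params)

def dropped_fields(sent, stored):
    """Importer-side check: which fields were sent but not stored."""
    return sorted(k for k in sent
                  if k != "token_auth" and k not in (stored or {}))

# Constructed import record carrying a stale token.
SAMPLE = {"idsite": "1", "rec": "1", "url": "https://example.org/",
          "cdt": "2016-01-01 12:00:00", "cip": "203.0.113.7",
          "token_auth": "stale-token-after-password-reset"}

if __name__ == "__main__":
    status, stored = track_reported(SAMPLE)
    print(status, "silently dropped:", dropped_fields(SAMPLE, stored))
    print(track_fail_closed(SAMPLE))
```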