The new feature "Show export URL" is very valuable in giving everyone quick access to the API and seeing how the URL is constructed, making it easy to share, etc.
However for security reasons we would not want to reveal the full token_auth on screen.
Similarly in the Personal settings page where the
token_auth is displayed to the user, it requires an extra click to reveal the full token.
So the goal if this issue is to slightly change the behavior, proposal:
Is this really needed considering you already have to click to see it?
Just tested and noticed that currently you need to click, and then double click to select the string. Ideally on the first click to reveal the full URL then the full URL would be selected and then user can copy. it would be more usable.
But an even more secure / usable solution could be maybe:
Not showing the token_auth on screen would be a security improvement as the token can be easily seen/recorded by someone viewing the screen.
I won't be working on this, so unassigning myself. I don't agree with any of the flows. Even the original in the issue.
is there maybe a better way not to show the token_auth on screen? anyway it's not urgent for now so removing from milestone
Either you have only a "copy url" link, or you simply show it directly on "show export url" and accept the fact how Matomo works currently and eventually it'll be refactored to have proper authentication in place.
Also when you paste a URL in the address bar, it will show the end of the URL which is usally the token. Next, a more likely risk than screen recording is that users send the exported URL to other people. Ideally you neither show them the URL nor let them copy the URL. Then when we POST to export the URL, the token won't be in the URL at all and will neither appear in access logs.