Is this really needed considering you already have to click to see it?

Just tested and noticed that currently you need to click, and then double click to select the string. Ideally on the first click to reveal the full URL then the full URL would be selected and then user can copy. it would be more usable.

But an even more secure / usable solution could be maybe:

• The full token_auth is never displayed on screen, and instead it shows the full URL and replaces token_auth=full_token_here by token_auth=start_tok***********
• on click on the textarea, the value is copied into the clipboard
• and a feedback "Copied to your clipboard!" is displayed

Not showing the token_auth on screen would be a security improvement as the token can be easily seen/recorded by someone viewing the screen.

I won't be working on this, so unassigning myself. I don't agree with any of the flows. Even the original in the issue.

is there maybe a better way not to show the token_auth on screen? anyway it's not urgent for now so removing from milestone

Either you have only a "copy url" link, or you simply show it directly on "show export url" and accept the fact how Matomo works currently and eventually it'll be refactored to have proper authentication in place.

Also when you paste a URL in the address bar, it will show the end of the URL which is usally the token. Next, a more likely risk than screen recording is that users send the exported URL to other people. Ideally you neither show them the URL nor let them copy the URL. Then when we POST to export the URL, the token won't be in the URL at all and will neither appear in access logs.