@mattab
A token_auth can be invalid when, for example:
- The user has re-generated a new token_auth in the personal settings, and forgot to update the token in the SDK
- The wrong token is used
- The user whose token was used has been deleted
- An attacker is trying to guess valid tokens
When a token_auth is invalid, some API features (which are usually essential for SDK users who can't use the JS tracker) won't work well:
- Setting custom IP address
- Setting custom date and time
- Overriding the default geolocation
We have two choices when it comes with dealing with these requests that have an invalid token_auth:
- track them as if there was no token specified (possibly tracking a wrong IP address, or a wrong custom date & time) - this is current behavior
- drop them entirely
-> What do you think?
Personally I'm not sure what is the best solution. If we decide to go with 2) we should make sure that, the requests are not dropped, when the token_auth was invalid AND there was no parameter in the request that need token_auth, ie. nocip, cdt, country, city, region.... (these requests with and without a valid token, would have the exact same behavior).
@tsteur
FYI: I used https://demo.matomo.org/piwik.php?idsite=1&rec=1&cdt=1388540582&token_auth=1234
=> results in an error HTTP 400.
What request did you use?
IMO any such tracking request with invalid token should not be tracked. Worse than not tracking is only tracking of wrong data and it is not even trivial to find out and to get a chance to see that the token is eg invalid.
I was using https://demo.matomo.org/piwik.php?idsite=1&rec=1&cip=1.1.1.1&token_auth=1234 which returns 200
Yeah I can see in code cip falls back to header, cid throws exception. IMO both should throw an exception.
Sounds good to have both throw an exception, be consistent.