A token_auth can be invalid when, for example:
When a token_auth is invalid, some API features (which are usually essential for SDK users who can't use the JS tracker) won't work well:
We have two choices when it comes with dealing with these requests that have an invalid token_auth:
-> What do you think?
Personally I'm not sure what is the best solution. If we decide to go with 2) we should make sure that, the requests are not dropped, when the token_auth was invalid AND there was no parameter in the request that need token_auth, ie. no
region.... (these requests with and without a valid token, would have the exact same behavior).
FYI: I used https://demo.matomo.org/piwik.php?idsite=1&rec=1&cdt=1388540582&token_auth=1234
=> results in an error HTTP 400.
What request did you use?
IMO any such tracking request with invalid token should not be tracked. Worse than not tracking is only tracking of wrong data and it is not even trivial to find out and to get a chance to see that the token is eg invalid.
I was using https://demo.matomo.org/piwik.php?idsite=1&rec=1&cip=126.96.36.199&token_auth=1234 which returns 200
Yeah I can see in code cip falls back to header, cid throws exception. IMO both should throw an exception.
Sounds good to have both throw an exception, be consistent.