Tracking API: fail with an error when wrong authentication provided when sending custom ip address (instead of using the sender's ip address) #13471
Comments
mattab
added
the
RFC
|
FYI: I used https://demo.matomo.org/piwik.php?idsite=1&rec=1&cdt=1388540582&token_auth=1234 |
|
IMO any such tracking request with invalid token should not be tracked. Worse than not tracking is only tracking of wrong data and it is not even trivial to find out and to get a chance to see that the token is eg invalid. |
|
I was using https://demo.matomo.org/piwik.php?idsite=1&rec=1&cip=1.1.1.1&token_auth=1234 which returns 200 |
|
Yeah I can see in code cip falls back to header, cid throws exception. IMO both should throw an exception. |
|
Sounds good to have both throw an exception, be consistent. |
|
Not fixed after revert, rescheduling for 4.0 |
|
Note: will need to change the php tracker when this is merged, since it will send cip by default. |
mattab
changed the title
A token_auth can be invalid when, for example:
When a token_auth is invalid, some API features (which are usually essential for SDK users who can't use the JS tracker) won't work well:
We have two choices when it comes with dealing with these requests that have an invalid token_auth:
-> What do you think?
Personally I'm not sure what is the best solution. If we decide to go with 2) we should make sure that, the requests are not dropped, when the token_auth was invalid AND there was no parameter in the request that need token_auth, ie. no
cip,cdt,country,city,region.... (these requests with and without a valid token, would have the exact same behavior).The text was updated successfully, but these errors were encountered: