@mattab opened this Issue on September 23rd 2018 Member

A token_auth can be invalid when, for example:

  • The user has re-generated a new token_auth in the personal settings, and forgot to update the token in the SDK
  • The wrong token is used
  • The user whose token was used has been deleted
  • An attacker is trying to guess valid tokens

When a token_auth is invalid, some API features (which are usually essential for SDK users who can't use the JS tracker) won't work well:

  • Setting custom IP address
  • Setting custom date and time
  • Overriding the default geolocation

We have two choices when it comes with dealing with these requests that have an invalid token_auth:

  1. track them as if there was no token specified (possibly tracking a wrong IP address, or a wrong custom date & time) - this is current behavior
  2. drop them entirely

-> What do you think?

Personally I'm not sure what is the best solution. If we decide to go with 2) we should make sure that, the requests are not dropped, when the token_auth was invalid AND there was no parameter in the request that need token_auth, ie. nocip, cdt, country, city, region.... (these requests with and without a valid token, would have the exact same behavior).

@tsteur commented on September 23rd 2018 Member

FYI: I used https://demo.matomo.org/piwik.php?idsite=1&rec=1&cdt=1388540582&token_auth=1234
=> results in an error HTTP 400.
What request did you use?

@tsteur commented on September 24th 2018 Member

IMO any such tracking request with invalid token should not be tracked. Worse than not tracking is only tracking of wrong data and it is not even trivial to find out and to get a chance to see that the token is eg invalid.

@mattab commented on September 24th 2018 Member
@tsteur commented on September 24th 2018 Member

Yeah I can see in code cip falls back to header, cid throws exception. IMO both should throw an exception.

@mattab commented on October 8th 2018 Member

Sounds good to have both throw an exception, be consistent.

@diosmosis commented on December 14th 2018 Member

Not fixed after revert, rescheduling for 4.0

@diosmosis commented on December 14th 2018 Member

Note: will need to change the php tracker when this is merged, since it will send cip by default.

This Issue was closed on May 6th 2020
Powered by GitHub Issue Mirror