Export of reports no longer working in Matomo 4 #16043

Closed
tsteur opened this issue Jun 9, 2020 · 7 comments · Fixed by #16066

@tsteur
Member

tsteur commented Jun 9, 2020

Was just testing #15999 and then went to Ecommerce log -> Export and noticed I always get an error "Your session has expired due to inactivity. Please log in to continue." I suppose this applies to all reports through the UI report export popover.

Possible this is due to the app specific token change.

@tsteur tsteur added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Jun 9, 2020
@tsteur tsteur added this to the 4.0.0 milestone Jun 9, 2020
@sgiehl
Member

sgiehl commented Jun 9, 2020

Same applies for all API example links

@sgiehl
Member

sgiehl commented Jun 9, 2020

@tsteur do you have a suggestion how to fix that issue? The reason seems to be that the token_auth used within Matomo is a token_auth generated for the current session. The export and API example links are generated using this session token_auth. But actually that session token_auth can't be used for normal API calls.
Would it make sense to store the session token_auth in the user_token_auth table instead of in the session, and let it expire with the session maybe? That way it could be used with API calls as long as the session didn't expire 🤔

@tsteur
Member Author

tsteur commented Jun 10, 2020

@sgiehl when using the export button ideally we'd POST &token_auth=92e282cbcd215d65f1a03e86e9bbcbb9&force_api_session=1 then it would work.

The shown URL would maybe need to be removed since we can't know the token.

We wouldn't want to add that token to user_token_auth as it would basically mean if a user shares that link for some reason, another user would have access to Matomo for a certain amount of time.

Of course it also means a user can no longer edit the URL after clicking on the export button.

An alternative would be to allow $_GET in https://github.com/matomo-org/matomo/blob/4.x-dev/core/Access.php#L160-L162. It would be a bit less secure though maybe.

Ideally we'd POST the two mentioned parameters.

If we still need to show a URL, we could add a sentence they need to append an app specific token to use it (could even show a form field where they can enter their token).

@Findus23
Member

> Of course it also means a user can no longer edit the URL after clicking on the export button.

Isn't that the whole point of the export feature: To have a starting point to interactively browse the Matomo API?

Another idea (not sure if it is better) would be to require people to create API tokens to use the export feature and allow selecting the used API token in the export window with an explanation on the implications of sharing the token (of course then we are again back to sending a token allowing access to a user via GET parameters)

@tsteur
Member Author

tsteur commented Jun 10, 2020

> Isn't that the whole point of the export feature: To have a starting point to interactively browse the Matomo API?

Not sure. I think the export dialog was added so people don't need to play with it and just get the data they want to export. I don't think too many people actually "play" with the API there as you'd need to know the API, that you can play with it, its parameters etc. Of course some do play with it.

> Another idea (not sure if it is better) would be to require people to create API tokens to use the export feature and allow selecting the used API token in the export window with an explanation on the implications of sharing the token

It would just mean that people need to store the token in a password manager or something and copy/paste it every time they want to export something and there is indeed the risk re sharing the token.

I guess maybe it shouldn't use the API there in the first place but then people wouldn't be able to "play" with it. Guess the most valuable parameters can already be changed in the export widget so that the URL doesn't need to be changed afterwards. Of course there will always be edge cases where other parameters will want to be used.

Maybe we could allow $_GET in https://github.com/matomo-org/matomo/blob/4.x-dev/core/Access.php#L160-L162 when the original request is an API request for a .get* method. Would maybe need to use Api\Request::getRootApiRequestMethod() for that but not sure it gives us the originally requested method or so. @sgiehl could maybe go with that?

Sharing that URL wouldn't give anyone else access to it because they would also need access to the user's session (aka cookies). That's because it is the session token auth.
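
Added example, not part of the thread and not Matomo's code: a simplified model of the rule discussed above, where a session token_auth is accepted only when POSTed with force_api_session=1, plus the proposed alternative of also accepting it via $_GET for `.get*` API methods. The function name `acceptsSessionToken`, the `Example.*` method names and the token value are hypothetical, and the `Module.get*` pattern is an assumed reading of "a .get* method".

```php
<?php
// Simplified model of the session token_auth rule discussed in this thread.
// Constructed for illustration; function and method names are hypothetical.

function acceptsSessionToken(array $get, array $post, ?string $sessionToken, bool $allowGetForReads): bool
{
    if ($sessionToken === null) {
        return false; // no session cookie: a copied URL alone grants nothing
    }
    // Rule before the change: both parameters must arrive in the POST body.
    if (!empty($post['force_api_session']) && isset($post['token_auth'])) {
        return hash_equals($sessionToken, (string) $post['token_auth']);
    }
    // Proposed alternative: also accept the query string, but only for
    // read-style API methods of the form "Module.get*".
    if ($allowGetForReads && !empty($get['force_api_session']) && isset($get['token_auth'])) {
        $isRead = preg_match('/^\w+\.get\w*$/', (string) ($get['method'] ?? '')) === 1;
        return $isRead && hash_equals($sessionToken, (string) $get['token_auth']);
    }
    return false;
}

$tok  = 'constructed-session-token'; // constructed sample value
$link = ['method' => 'Example.getReport', 'token_auth' => $tok, 'force_api_session' => 1];
$del  = ['method' => 'Example.deleteThing'] + $link; // same link, non-get method

$cases = [
    // label, $_GET, $_POST, session token (null = no cookie), allow GET, expected
    ['POSTed token, live session',        [], $link, $tok, false, true],
    ['export link, POST-only rule',       $link, [], $tok, false, false],
    ['export link, GET allowed for get*', $link, [], $tok, true,  true],
    ['same link opened without session',  $link, [], null, true,  false],
    ['non-get method via GET',            $del,  [], $tok, true,  false],
];
foreach ($cases as [$label, $get, $post, $session, $allow, $expected]) {
    $got = acceptsSessionToken($get, $post, $session, $allow);
    printf("%-36s %s\n", $label, $got ? 'accepted' : 'rejected');
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for: $label");
    }
}
```

The second case corresponds to the failure reported in this issue, and the fourth to the shared-link scenario: the token in the URL is only honoured together with the matching session.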

@sgiehl
Member

sgiehl commented Jun 11, 2020

@tsteur you mean something like this: https://github.com/matomo-org/matomo/compare/exportauth

@tsteur
Member Author

tsteur commented Jun 11, 2020

Yep.
