@MrIsak opened this Issue on September 23rd 2021

When sending requests to the API module with a non-existent token, the HTTP response should be 403, not 200.

Expected Behavior

When sending a request with a non-existent token, the response code should be 403.

Current Behavior

Response code is 200

Steps to Reproduce (for Bugs)

  1. curl -ik 'https://matomo.example.com/index.php?module=API&method=API.getMatomoVersion&token_auth=I_DONT_EXIST'

Your Environment

  • Matomo Version: 4.4.1
  • PHP Version: PHP 7.4.3
  • Server Operating System: Ubuntu 20.04.03
@sgiehl (Member) commented on September 23rd 2021

Hi @MrIsak
Thanks for your suggestion. You are right, I guess it would make sense to return a proper response code in this case.

@tsteur (Member) commented on September 23rd 2021

This one we might want to do in Matomo 5.0 just because it's kind of a breaking change. We're using some of these URLs with invalid token in some monitoring tools ourselves and we'd get paged if there's a change and it's no longer HTTP 2XX.

It could also potentially cause issues with the Matomo Mobile app and possibly other apps, etc., when someone is trying to log in with the wrong username/password.
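The reproduction step in the issue and the monitoring concern in the comment above point at the same practical problem: a check that looks only at the HTTP status treats a rejected token as success on Matomo 4.x, and a check that pages on any non-2xx would fire if the status ever changes to 403. The following is an added example, not code from the issue or from the Matomo project, of a check that inspects the response body whenever the status is 2xx and so handles both behaviours. The sample responses are constructed; the `{"result":"error","message":...}` body shape is an assumption about Matomo's JSON error format, not something the page states.

```python
"""Classify Matomo API responses by body content, not HTTP status alone.

Added example. Assumptions (not from the issue): Matomo reports API
failures in JSON as {"result": "error", "message": "..."}, and a
successful API.getMatomoVersion call returns {"value": "<version>"}.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample responses modelled on the issue: today a bad token
# yields HTTP 200 plus an error body; the proposed change would yield 403.
SAMPLE_RESPONSES = {
    "valid_token": (200, '{"value":"4.4.1"}'),
    "bad_token_matomo_4x": (200, '{"result":"error","message":"Invalid token_auth"}'),
    "bad_token_proposed_403": (403, '{"result":"error","message":"Invalid token_auth"}'),
    "server_down": (503, "<html>Service Unavailable</html>"),
}


def classify(status, body):
    """Return 'ok', 'api_error' or 'http_error' for one API response.

    A 2xx status is never trusted on its own: the body is parsed and an
    explicit error result is reported as 'api_error'. Non-2xx statuses
    (including a future 403 for a bad token) are 'http_error'.
    """
    if not 200 <= status < 300:
        return "http_error"
    try:
        data = json.loads(body)
    except ValueError:
        # 2xx but not the JSON we asked for (HTML error page, proxy, ...)
        return "api_error"
    if isinstance(data, dict) and data.get("result") == "error":
        return "api_error"
    return "ok"


def run_samples():
    """Classify every constructed sample; used by the stand-alone run."""
    return {name: classify(status, body)
            for name, (status, body) in SAMPLE_RESPONSES.items()}


def probe(base_url, token_auth, timeout=10):
    """Live check (not exercised offline): call API.getMatomoVersion with
    the given token and classify the answer. urllib raises HTTPError on
    4xx/5xx, so that path is caught and classified rather than propagated.
    token_auth is sent in the query string to mirror the issue's curl call.
    """
    params = urllib.parse.urlencode({
        "module": "API",
        "method": "API.getMatomoVersion",
        "format": "json",
        "token_auth": token_auth,
    })
    url = f"{base_url.rstrip('/')}/index.php?{params}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
    # Live use, e.g.: probe("https://matomo.example.com", "I_DONT_EXIST")
```

Using `probe()` against a real instance with a deliberately invalid token is the same test the issue describes with curl; the difference is that the verdict comes from the body, so the check keeps reporting the bad token as a failure whether the server answers 200 or 403.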
