@MrIsak opened this Issue on September 23rd 2021

When sending requests against the API module with a non-existing token, the HTTP response should be 403. Not 200.

Expected Behavior

When sending a request with a non-existing token, the response code should be 403

Current Behavior

Response code is 200

Steps to Reproduce (for Bugs)

  1. curl -ik 'https://matomo.example.com/index.php?module=API&method=API.getMatomoVersion&token_auth=I_DONT_EXIST'

Your Environment

  • Matomo Version: 4.4.1
  • PHP Version: PHP 7.4.3
  • Server Operating System: Ubuntu 20.04.03
@sgiehl (Member) commented on September 23rd 2021

Hi @MrIsak
Thanks for your suggestion. You are right, I guess it would make sense to return a proper response code in this case.

@tsteur (Member) commented on September 23rd 2021

This one we might want to do in Matomo 5.0 just because it's kind of a breaking change. We're using some of these URLs with invalid token in some monitoring tools ourselves and we'd get paged if there's a change and it's no longer HTTP 2XX.

It could also cause issues potentially with the Matomo Mobile app and possibly other apps etc when someone is trying to log in with wrong username/password.

@jdelucaa commented on October 20th 2021

Hi guys,

Is there any case where the API would respond with a status != 200? So far I've only seen 200s, and the only indication that an error has occurred can be found in the response body (result = "error").

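Since the thread establishes that an invalid token_auth currently yields HTTP 200 with the error signalled only in the body, any client or monitoring check that keys on the status code alone will report success for a rejected token. The following is an added example (not code from Matomo or from any participant in this thread) of a client-side classifier that inspects the body as well: it treats the XML shape `<result><error message="..."/></result>` and the JSON shape `{"result":"error","message":"..."}` as failures even when the status is 200, and it treats a non-2xx status as a failure regardless of the body, so it keeps working if Matomo later changes to 403 as proposed. The sample responses are constructed here to mirror those documented shapes; the exact error message text, the `classify_response` name and the content-type handling are this example's own assumptions.

```python
"""Classify Matomo API responses so that a rejected token_auth is not
mistaken for success just because the HTTP status is 200.

Added example for this thread; not Matomo project code.
"""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiOutcome:
    ok: bool
    message: Optional[str] = None


def classify_response(status: int, content_type: str, body: str) -> ApiOutcome:
    """Return ok=True only if both the status and the body indicate success.

    Matomo 4 answers an invalid token with HTTP 200 and an error payload, so
    the body must be inspected; a future non-2xx status is handled as well.
    """
    # A non-2xx status is a failure whatever the body says (future-proofing
    # for the 403 proposed in this issue).
    if not 200 <= status < 300:
        return ApiOutcome(False, f"HTTP {status}")

    media_type = content_type.split(";")[0].strip().lower()

    if media_type == "application/json":
        # format=json: errors come back as {"result":"error","message":"..."}
        try:
            data = json.loads(body)
        except ValueError:
            return ApiOutcome(False, "unparseable JSON body")
        if isinstance(data, dict) and data.get("result") == "error":
            return ApiOutcome(False, data.get("message", "unknown error"))
        return ApiOutcome(True)

    if media_type in ("text/xml", "application/xml"):
        # default format: errors come back as <result><error message="..."/></result>
        try:
            root = ET.fromstring(body.encode("utf-8"))
        except ET.ParseError:
            return ApiOutcome(False, "unparseable XML body")
        err = root.find("error")
        if root.tag == "result" and err is not None:
            return ApiOutcome(False, err.get("message", "unknown error"))
        return ApiOutcome(True)

    # HTML login pages or anything unexpected: do not count as success.
    return ApiOutcome(False, f"unexpected content type {media_type!r}")


def monitor_exit_code(status: int, content_type: str, body: str) -> int:
    """Map an API response to a monitoring-style exit code: 0 = OK, 2 = CRITICAL."""
    return 0 if classify_response(status, content_type, body).ok else 2


# Constructed sample responses (shapes follow Matomo's XML/JSON renderers;
# the message text is a placeholder, not copied from a real server).
SAMPLE_XML_ERROR = (
    '<?xml version="1.0" encoding="utf-8" ?>\n'
    '<result>\n\t<error message="Invalid token_auth (constructed sample)"/>\n</result>'
)
SAMPLE_XML_OK = '<?xml version="1.0" encoding="utf-8" ?>\n<result>4.4.1</result>'
SAMPLE_JSON_ERROR = '{"result":"error","message":"Invalid token_auth (constructed sample)"}'
SAMPLE_JSON_OK = '{"value":"4.4.1"}'


if __name__ == "__main__":
    cases = [
        (200, "text/xml; charset=utf-8", SAMPLE_XML_ERROR),
        (200, "text/xml; charset=utf-8", SAMPLE_XML_OK),
        (200, "application/json", SAMPLE_JSON_ERROR),
        (200, "application/json", SAMPLE_JSON_OK),
        (403, "text/html", "Forbidden"),
    ]
    for status, ctype, body in cases:
        outcome = classify_response(status, ctype, body)
        print(f"HTTP {status} {ctype:<26} ok={outcome.ok} message={outcome.message!r}")
```

A monitoring probe built on `monitor_exit_code` pages on an invalid token today (HTTP 200 plus an error body) and would keep paging after a switch to 403, which is the behaviour a check of a token-authenticated endpoint should have; conversely, a check that deliberately uses an invalid token to test only reachability, as described above, needs to accept the error body explicitly rather than rely on the 200.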
@jane-twizel commented on July 8th 2022

Needs to be included in the developer changelog as well in case anyone is using an invalid token in the monitoring tool.
