[Bug] Tracking API Bulk Tracking rejects token_auth tokens set to "Secure use only"

[david-bezero]

What happened?

The Tracking API's Bulk Tracking (POST) endpoint fails when called using an auth token (sent in the body) which is set to "secure use only":

Request:

{
  "requests": ["?blah&cip=1.1.1.1"],
  "token_auth": "my token"
}

Response:

{"status":"success","tracked":0,"invalid":1}

After several requests, the caller IP gets blocked for too many invalid login attempts.

The same request with a token which is not marked as "secure use only" succeeds.

I see this has also been reported several months ago in the forums here: https://forum.matomo.org/t/token-auth-is-ignored-when-secure-only-is-set-to-1/59151

What should happen?

Since the token is sent as part of the POST body (not in the URL), this should be considered a secure use and should succeed.

How can this be reproduced?

1. Create a user auth token with "Only allow secure requests" ticked

2. Perform a POST to the tracking API with the body content (fill in extra tracking details as desired; this should be the minimum to be successfully received):

   {
     "requests": ["?rec=1&idsite=1&cip=1.1.1.1"],
     "token_auth": "<token from above>"
   }

3. Observe failure to track

4. Create a new token with "Only allow secure requests" NOT ticked

5. Send the same request with this new token

6. Observe tracking success

Matomo version

cloud

PHP version

No response

Server operating system

No response

What browsers are you seeing the problem on?

Not applicable (e.g. an API call etc.)

Computer operating system

No response

Relevant log output

No response

Validations

• Read our Contributing Guidelines.
• Follow our Security Policy.
• Check that there isn't already an issue that reports the same bug to avoid creating duplicates.
• The provided steps to reproduce is a minimal reproducible of the Bug.

[randy-innocraft]

Hi @david-bezero. Thank you for creating the issue and bringing this to our attention, that's very appreciated. We have reviewed and triaged the problem internally, and we have confirmed it is an issue. Our team will prioritise this, and we will update you on the progress here when we have an update to share. If you have any further information or questions, please feel free to add them here.

[michalkleiner]

I'd guess the token needs to be a separate part of the post data or sent as a request header, it can't be a part of a JSON object being sent.

[david-bezero]

@michalkleiner can you tell me which header needs to be set for this? I've been following the documentation from here (which could probably do with updating if there's a better way to do this)