matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

[Bug] Bulk tracking does not authenticate #21905

Open martin-neumann-gurus opened 9 months ago

martin-neumann-gurus commented 9 months ago

What happened?

I did some tests with Postman and with debugging enabled. Doing a single tracking request works perfectly. I take the same token and put it into a bulk tracking request and I get the error: WARNING! token_auth = xxxxx is not valid, Super User / Admin / Write was NOT authenticated

What should happen?

It should authenticate and process the tracking requests

How can this be reproduced?

Send this tracking request in Postman:

```json
{
   "requests": [
      "?idsite=2&rec=1&cip=23.145.24.180&cdt=1706332501&url=https%3A%2F%2Fwww.rundumgesund.org%2F&urlref=-&ua=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F119.0.0.0+Safari%2F537.36",
      "?idsite=2&rec=1&cip=2.57.122.115&cdt=1706371627&url=https%3A%2F%2Fwww.rundumgesund.org%2F&urlref=http%3A%2F%2Fwww.rundumgesund.org%3A80%2F&ua=Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_2%29+AppleWebKit%2F601.3.9+%28KHTML%2C+like+Gecko%29+Version%2F9.0.2+Safari%2F601.3.9",
      "?idsite=2&rec=1&cip=2.57.122.115&cdt=1706371627&url=https%3A%2F%2Fwww.rundumgesund.org%2F&urlref=http%3A%2F%2Frundumgesund.org%3A80%2F&ua=Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_2%29+AppleWebKit%2F601.3.9+%28KHTML%2C+like+Gecko%29+Version%2F9.0.2+Safari%2F601.3.9"
   ],
   "token_auth": "put your token"
}
```

Matomo version

5.0.2


mneudert commented 8 months ago

Hi @martin-neumann-gurus,

thank you for raising this issue.

I could confirm this behaviour when using a token that is configured as Secure use only = Yes. Having a token that is configured to allow being used as a GET parameter (Secure use only = No), the bulk tracking works as expected, but I don't think the behaviour you are experiencing is or should be expected.

For reference my curl commands (should match your Postman requests):

```bash
# single tracking request
# token_auth works as expected
curl -XPOST 'https://matomo.instance/matomo.php?idsite=1&rec=1&cip=1.2.3.4&cdt=1706332501&url=https%3A%2F%2Fexample.com%2F&urlref=-' --data 'token_auth=<secure_use_only_token>'

# bulk tracking request
# token_auth not detected as secure
curl -kv -XPOST 'https://dev.matomo.io/matomo.php' --data '{"requests":["?idsite=1&rec=1&cip=1.2.3.4&cdt=1706332501&url=https%3A%2F%2Fexample.com%2F&urlref=-"],"token_auth":"<secure_use_only_token>"}'
```

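
The token placements discussed in this thread, as an added example that is not part of the original issue or of Matomo's code: a small Python classifier that reports where `token_auth` is carried in a tracking request and looks up the outcome the comments above report for a secure-use-only token. The function names, the host `matomo.example` and `TOKEN_PLACEHOLDER` are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Outcome for a "Secure use only = Yes" token as reported in this thread for
# Matomo 5.0.2 (restated from the comments, not taken from Matomo's code).
# None means the thread does not cover that placement.
REPORTED_SECURE_ONLY = {
    "url_query": False,        # only "Secure use only = No" tokens may be a GET parameter
    "form_body": True,         # single request, token in the POST form body
    "bulk_json_body": False,   # bulk request: "token_auth not detected as secure"
    "bulk_entry_query": None,  # token inside one of the "requests" strings
}

def _has_token(query):
    return "token_auth" in parse_qs(query.lstrip("?"), keep_blank_values=True)

def token_locations(url, body=""):
    """Return the sorted places where token_auth is carried in a tracking request."""
    found = set()
    if _has_token(urlsplit(url).query):
        found.add("url_query")
    text = body.strip()
    try:
        doc = json.loads(text) if text.startswith("{") else None
    except ValueError:
        doc = None
    if isinstance(doc, dict) and isinstance(doc.get("requests"), list):
        if "token_auth" in doc:
            found.add("bulk_json_body")
        if any(isinstance(r, str) and _has_token(r) for r in doc["requests"]):
            found.add("bulk_entry_query")
    elif _has_token(text):
        found.add("form_body")
    return sorted(found)

def reported_outcome(url, body=""):
    """Map each placement found to the outcome the thread reports for it."""
    return {loc: REPORTED_SECURE_ONLY[loc] for loc in token_locations(url, body)}

# Constructed sample requests mirroring the curl commands in the thread;
# matomo.example and TOKEN_PLACEHOLDER are placeholders.
BASE = "https://matomo.example/matomo.php"
HIT = "?idsite=1&rec=1&cip=1.2.3.4&cdt=1706332501&url=https%3A%2F%2Fexample.com%2F&urlref=-"
SINGLE = (BASE + HIT, "token_auth=TOKEN_PLACEHOLDER")
BULK = (BASE, json.dumps({"requests": [HIT], "token_auth": "TOKEN_PLACEHOLDER"}))

if __name__ == "__main__":
    for name, (url, body) in (("single", SINGLE), ("bulk", BULK)):
        print(name, reported_outcome(url, body))
```
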
MatomoForumNotifications commented 5 months ago

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/problem-with-php-library/55072/5