Token_auth is ignored when secure_only is set to 1

Hello,

I am using the Java Tracker to send bulk requests to Matomo v5.1.0. In the requests I have set fields that require the token_auth field to be present, with write or admin rights. I have created the token_auth accordingly, and with secure_only = 1 flag. When I use this token, I get tracking failures, that the token_auth field is missing, though it is there in the request. If I set secure_only to 0, the requests are working as expecting.

According to the documentation, secure_only = 1 is used to specify that the token_auth field should be used only in POST requests, and as far as I can tell from the logs, the Java Tracker is send POST requests to Matomo.

I have checked the configuration of Matomo, and only_allow_secure_auth_tokens is set to 0. I haven’t noticed any difference by changing its value to 1.

Would you have any idea what am I doing wrong or this a possible bug?

Thank you and Best Regards,
Alex

Hi @alexciouca

Can you confirm the token_auth param is not sent in the query string but in the request body?

Probably the Java Tracker must be updated to take this into account… :thinking:

Hi @heurteph-ei

Thank you for your response. Yes, I can confirm that the token_auth param is sent in the request body, so I am not sure that’s where the issue is. Looking through the code, it seems that also the Java tracker handles it correctly and based on Matomo’s logs, I see that it receives the param in the request body.

Cheers,
Alex

Maybe @innocraft has an idea about this issue?