Token_auth issue

Any guidance greatly appreciated. Been knocking my head against a wall on this and been through much troubleshooting.

Issue

Trying to load widgets using ‘token_auth’ in the URL but keep getting:
“Error: You must be logged in to access this functionality.”

When I use the same token with a JSON request I also get:

{"result":"error","message":"Unable to authenticate with the provided token. It is either invalid, expired or is required to be sent as a POST parameter."}

But when I use a curl request with the same token it seems to work, so the token seems valid.

Has Matomo blocked the ability to pass token_auth in the URL now, and is there a setting that will bypass any such blockage to re-enable it if we’re aware of the risks? Matomo’s backend still seems to be advertising the use of tokens in the URL for widgets, so it’s very confusing.

I have done lots of troubleshooting.

How I set it up

  1. Logged in as a super admin and created a new user called “mysiteviewer” and gave this user access to site #3 mysite.com
  2. Logged OUT as super admin and logged IN as the newly-created “mysiteviewer”, went to the settings page and then the widgets page and grabbed the link to the widget I want to be able to embed for site #3, making sure that the siteID is in the link …
  3. While logged in as “mysiteviewer”, clicked on settings and generated a new API token and copied/saved it
  4. Pasted this newly-generated code at the end of the widget link after “token_auth” and visited the link in incognito while logged out

Result: You need access/don’t have access.

Things tried

Config.ini

Spent time removing various things from config ini and adding back in.

Servers

Tried setting up demo servers just with latest Matomo version on different servers and hosts, same thing happened.
Tried:

  • Just an Apache server
  • Just an NGINX server
  • Tried an Apache and NGINX config

Also tried on a Runcloud install on Digital Ocean and Cloudron-based docker install of Matomo to try to see if this happens on each fresh install and each time it did seem to happen in the same way.

PHP and NGINX settings

  • Tried removing all default blocked PHP functions just as a test, but same thing
  • Tried removing all restricting safety measures for NGINX like cross-origin and clickjacking
  • Tried rolling back to PHP version 7.4

Cloudflare

  • Turned off the proxy so it’s just using bypass to simplify

Ideas not tried

  • POST METHOD NOW: Is the URL token banned now? … it’s advertised in the actual Matomo widgets screen, so assuming it must still be supported … if I have to use POST, can I use this with an IFRAME, and does anyone have example code?

Hi @benfranklin
Did you try just a simple HTTP request with your . For example: https://matomo/?module=API&method=API.getMatomoVersion&format=xml&token_auth=anonymous?
Maybe a proxy / WAF / firewall between the client and the server alters the HTTP message… Can you check in the Apache log whether the request arrives unaltered?
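To illustrate the two request shapes discussed in this thread (the anonymous GET sanity check from the reply, and the "token must be sent as a POST parameter" case from the error message), here is an added Python example; it is not Matomo's own code. The Matomo base URL, the site id and the token value are placeholders, and sending the token in the POST body keeps it out of web-server and proxy access logs.

```python
import json
import urllib.parse
import urllib.request

# Placeholder instance URL; replace with your own Matomo installation.
MATOMO_URL = "https://matomo.example.invalid/index.php"


def build_api_request(method, token_auth, base_url=MATOMO_URL, **params):
    """Build a Matomo API call that carries token_auth in the POST body.

    Only non-secret parameters (module, method, format, idSite, ...) go in
    the query string; the token travels form-encoded in the body so it does
    not appear in access logs, proxy logs or browser history.
    """
    query = {"module": "API", "method": method, "format": "json"}
    query.update(params)
    url = base_url + "?" + urllib.parse.urlencode(query)
    body = urllib.parse.urlencode({"token_auth": token_auth}).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def build_anonymous_check(base_url=MATOMO_URL):
    """GET sanity check from the reply: no secret, so a query parameter is fine."""
    query = urllib.parse.urlencode({
        "module": "API",
        "method": "API.getMatomoVersion",
        "format": "json",
        "token_auth": "anonymous",
    })
    return urllib.request.Request(base_url + "?" + query, method="GET")


def call_api(request, timeout=10):
    """Send the request and decode the JSON body.

    Matomo reports auth failures as {"result": "error", "message": ...}
    (the shape quoted in the question), so surface that as an exception.
    """
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        payload = json.loads(resp.read().decode("utf-8"))
    if isinstance(payload, dict) and payload.get("result") == "error":
        raise RuntimeError(payload.get("message", "unknown Matomo API error"))
    return payload
```

Usage: `call_api(build_api_request("VisitsSummary.get", "TOKEN_PLACEHOLDER", idSite=3, period="day", date="today"))` performs the POST variant; compare its result with `call_api(build_anonymous_check())`, which should succeed even when the token-bearing call fails, to separate transport problems from token problems.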