Tracking API: fail with an error when wrong authentication provided when sending custom ip address (instead of using the sender's ip address) #13471
Description
A token_auth can be invalid when, for example:
- The user has re-generated a new token_auth in the personal settings, and forgot to update the token in the SDK
- The wrong token is used
- The user whose token was used has been deleted
- An attacker is trying to guess valid tokens
When a token_auth is invalid, some API features (which are usually essential for SDK users who can't use the JS tracker) won't work well:
- Setting custom IP address
- Setting custom date and time
- Overriding the default geolocation
We have two choices when it comes with dealing with these requests that have an invalid token_auth:
- track them as if there was no token specified (possibly tracking a wrong IP address, or a wrong custom date & time) - this is current behavior
- drop them entirely
-> What do you think?
Personally I'm not sure what is the best solution. If we decide to go with 2) we should make sure that, the requests are not dropped, when the token_auth was invalid AND there was no parameter in the request that need token_auth, ie. nocip, cdt, country, city, region.... (these requests with and without a valid token, would have the exact same behavior).