Matomo 5 API calls should use POST instead of GET #6769

@seanaery

Descriptive summary

Matomo 5 (released Dec 2023) changes how auth tokens work when using the reporting API (see notes). Hyrax currently (in Hyrax v5.0.1) issues GET requests to the reporting API that include a confidential auth token, and this should be changed to POST.

Steps to reproduce the behavior

See the following example API call issued via a Hyrax application to a Matomo instance (w/token & IP obscured):

xxx.x.xxx.xx - - [01/Apr/2024:14:43:56 +0000] "GET /?date=2023-03-31%2C2024-04-01&flat=1&format=JSON&idSite=6&label=7m01bk723+-+file-set-in-work-download&method=Events.getName&module=API&period=day&token_auth=xxx HTTP/1.1" 200 5889

Acceptance Criteria/Expected Behavior

  • Calls to the Matomo reporting API are made via POST and not GET

Rationale (for feature request only)

This change is recommended by Matomo for improved security. Anyone setting up a new auth token in Matomo 5 (e.g., to support Matomo analytics in a Hyrax app) will by default have it restricted to POST, which would make it not work with Hyrax.
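
The difference between the two request shapes, as an added Ruby example that is not part of the issue and is not Hyrax's code: it builds the same report call with the token in the query string and with the token in the POST body, and checks access-log lines for a token in the request line. The host, token, helper names and log lines are constructed placeholders, and keeping the non-secret report parameters in the URL is a choice made for this sketch.

```ruby
require "net/http"
require "uri"

# Constructed placeholders: not a real Matomo host or token.
BASE_URL = "https://matomo.example.org/"
TOKEN    = "CONSTRUCTED_TOKEN_0000"
REPORT   = { "module" => "API", "method" => "Events.getName", "idSite" => "6",
             "period" => "day", "date" => "2023-03-31,2024-04-01",
             "format" => "JSON", "flat" => "1" }.freeze

# Before: token_auth sits in the query string, so every proxy and
# access log that records the request line records the token too.
def matomo_get_request(params, token)
  uri = URI(BASE_URL)
  uri.query = URI.encode_www_form(params.merge("token_auth" => token))
  Net::HTTP::Get.new(uri)
end

# After: report parameters stay in the URL, the token moves to the
# form-encoded POST body, which access logs do not record by default.
def matomo_post_request(params, token)
  uri = URI(BASE_URL)
  uri.query = URI.encode_www_form(params)
  req = Net::HTTP::Post.new(uri)
  req.set_form_data("token_auth" => token)
  req
end

# True when an access-log line's request target has a token_auth parameter.
def token_in_request_line?(log_line)
  target = log_line[/"[A-Z]+ (\S+) HTTP\/[\d.]+"/, 1]
  return false unless target
  query = target.split("?", 2)[1].to_s
  query.split("&").any? { |pair| pair.split("=", 2).first == "token_auth" }
end

# Constructed access-log lines in the format quoted in the issue.
SAMPLE_LOG = [
  %(192.0.2.10 - - [01/Apr/2024:14:43:56 +0000] "GET /?idSite=6&method=Events.getName&module=API&token_auth=xxx HTTP/1.1" 200 5889),
  %(192.0.2.10 - - [01/Apr/2024:14:44:02 +0000] "POST /?idSite=6&method=Events.getName&module=API HTTP/1.1" 200 5889)
].freeze

def leaking_lines(lines)
  lines.select { |line| token_in_request_line?(line) }
end

puts leaking_lines(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

Running `leaking_lines` over existing access logs shows which tokens have already been written to disk and should be rotated once the client is switched to POST.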
