POST when using PiwikTracker instead of GET to prevent token_auth showing in access_log #43

Closed
c-prompt opened this issue Apr 1, 2019 · 3 comments · Fixed by #72


c-prompt commented Apr 1, 2019

Per:
Originally posted by @c-prompt in matomo-org/matomo#7349 (comment)

I suggest you create an issue in the Matomo PHP Tracker for this: https://github.com/matomo-org/matomo-php-tracker/
For the archiving there is matomo-org/matomo#14190
Originally posted by @tsteur in matomo-org/matomo#7349 (comment)

Member

mattab commented Jun 29, 2019

Hi @c-prompt - thanks for the report. Would it be possible to create your suggestion in the issue tracker for PHP tracker? at https://github.com/matomo-org/matomo-php-tracker/

@c-prompt
Author

Apologies @mattab. I assume you just wanted the text from my comment on #7349 copy/pasted, correct (as #43 is already here)?


Looking through my access_log recently reminded me of a comment @tsteur made in #14099:

BTW: You want to send those requests through POST request otherwise you may have eg the token_auth from the request in web server log files

I just noticed the token_auth is shown in access_logs anytime the PHP Tracking Web API client (Method 2: HTTP Request) is used. For example, I see a bunch of these in my access_log:

12.345.67.89 - - [31/Mar/2019:12:13:29 -0500] "GET /matomo/piwik.php?idsite=1&rec=1&apiv=1&r=963767&cip=987.65.43.210&token_auth=my_admin_token_auth&_idts=1234094409&_idvc=0&_id=4a29e8bd0d739ec2&url=https%3A%2F%2Fwebsitename.com&urlref=&pv_id=714aa3&action_name=API+was+used HTTP/1.1" 200 3312 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/70.0.3538.77 HeadlessChrome/70.0.3538.77 Safari/537.36"

According to Tracking HTTP API:

To track page views, events, visits, you have to send a HTTP request (GET or POST) to your Tracking HTTP API endpoint, for example, http://your-piwik-domain.example/piwik.php with the correct query parameters set.

However, it's not clear how to send these via POST when using PiwikTracker (instead of CURL). I haven't dug into Matomo's code but shouldn't the PiwikTracker be using POST so the token_auth doesn't show up? Is there a way to force PiwikTracker to use POST? Here's some basic scrubbed code I'm using:

<?php
require_once('/matomo/libs/PiwikTracker/PiwikTracker.php');

\PiwikTracker::$URL = 'https:' . BASE_URL . 'matomo';
$piwikTracker = new \PiwikTracker(1, 'https:' . BASE_URL . 'matomo');

$token = $this->getMatomoTokenAuth();

if (isset($matomo['force_new_visit']) && $matomo['force_new_visit']) {
    $piwikTracker->setForceNewVisit();
}

if (isset($matomo['visitorId']) && $matomo['visitorId']) {
    $piwikTracker->setVisitorId($matomo['visitorId']);
}

if (isset($matomo['user-agent']) && $matomo['user-agent']) {
    $piwikTracker->setUserAgent($matomo['user-agent']);
}

$piwikTracker->setTokenAuth($token);
$piwikTracker->setUrl($matomo['url']);
$piwikTracker->setUrlReferer($global['HTTP_REFERER']);
$piwikTracker->setIp($global['ip_address']);

if ($username) {
    $piwikTracker->setUserId($username);
}

$piwikTracker->doTrackPageView(urldecode($matomo['page_title']));
$visitorID = $piwikTracker->getVisitorId();

mattab added this to the Current sprint milestone Jun 29, 2019
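
An added example, not code from this issue or from the Matomo project: a Python audit of a web server access log for token_auth values already written by GET tracking requests like the one quoted above. It redacts each value in the request line and counts a short SHA-256 fingerprint per distinct token, so the exposed tokens can be identified without printing them again. The log lines, token values and function names are constructed for illustration, and only the request line is inspected.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import unquote_plus

# Request line of a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# token_auth as a query parameter (after ? or &), value up to the next & or the end
TOKEN_RE = re.compile(r'(?<=[?&])token_auth=([^&\s"]*)')

def fingerprint(token):
    """Short SHA-256 prefix: identifies a token without re-printing it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]

def audit_line(line):
    """Return (redacted_line, fingerprints) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []                      # no parsable request line: leave untouched
    found = []
    def mask(tok):
        value = unquote_plus(tok.group(1))   # the log holds the URL-encoded form
        if value:
            found.append(fingerprint(value))
        return "token_auth=REDACTED"
    target = TOKEN_RE.sub(mask, m.group("target"))
    return line[:m.start("target")] + target + line[m.end("target"):], found

def audit_log(lines):
    """Redact every line and count how often each distinct token was logged."""
    redacted, exposed = [], Counter()
    for line in lines:
        clean, found = audit_line(line)
        redacted.append(clean)
        exposed.update(found)
    return redacted, exposed

# Constructed sample lines (documentation IP ranges, made-up token values).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2019:12:13:29 -0500] "GET /matomo/piwik.php?idsite=1&rec=1&cip=198.51.100.9&token_auth=constructed_token_A&action_name=API+was+used HTTP/1.1" 200 3312 "-" "-"',
    '203.0.113.7 - - [31/Mar/2019:12:13:31 -0500] "POST /matomo/piwik.php HTTP/1.1" 200 3312 "-" "-"',
    '203.0.113.8 - - [31/Mar/2019:12:14:02 -0500] "GET /matomo/piwik.php?token_auth=constructed_token_A&idsite=1&rec=1 HTTP/1.1" 200 3312 "-" "-"',
    '203.0.113.9 - - [31/Mar/2019:12:15:40 -0500] "GET /matomo/piwik.php?idsite=1&rec=1&token_auth=constructed%5Ftoken%5FB HTTP/1.1" 200 3312 "-" "-"',
]

if __name__ == "__main__":
    redacted, exposed = audit_log(SAMPLE_LOG)
    print("\n".join(redacted))
    for fp, hits in exposed.most_common():
        print(f"token sha256:{fp} logged {hits} time(s)")
```

The POST line passes through unchanged because its parameters travel in the request body, which the access log does not record.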
Member

mattab commented Jul 1, 2019

@c-prompt please ignore my last comment, you already created the issue in the right place :-) Thanks!
