Use GET http method for API requests that don't send data #21964

Open
uschwarz opened this issue Feb 22, 2024 · 2 comments
Labels
c: APIs For bugs and features in the Matomo HTTP and plugin APIs. c: Platform For Matomo platform changes that aren't impacting any of our APIs but improve the core itself. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments

@uschwarz

AJAX requests that go through AjaxHelper are all handled as POSTs, even when they have no POST data.

Summary

AjaxHelper treats all requests as POST. Many of these requests do not cause a change of server state, so by RFC 9110 they could be GET requests. (This does not include API calls which have auth data in POST parameters. Asking whether auth should be done through HTTP request headers instead is valid, but way beyond the scope of this feature request.)

Taking the Matomo trial with demo data as an example, the dashboard issues 17 POST requests, of which 7 do not carry POST data. (The other 10 only carry default API authentication.)
Hosting environments may rate-limit POST as a brute-force deterrent, so any measure reducing the number of rapid-succession POST requests is useful in those environments.

Not having explicit flags for this, the best I could come up with was to test for presence of POST data and I'm trialling the code in uschwarz/matomo locally to see if anything falls over.

Given how far down the call stack this is, there is a risk of side-effects, for example if API endpoints check for the method and reject GET if they expect a POST, even if they do not take POST data. I do not know enough about Matomo's best practices around this to confidently assess this risk. (Requiring explicit flagging as GET-safe is unlikely to see adoption in the field.)
I'll be happy to update with any plugin issues along those lines we encounter locally.

Your Environment

  • Matomo Version: developed on 5.x branch, testing in the wild with 4.14.0
@uschwarz uschwarz added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. To Triage An issue awaiting triage by a Matomo core team member labels Feb 22, 2024
@michalkleiner
Contributor

Slightly relevant to #20677.

I tend to agree that requests that are not sending data could be GET requests but as it currently functions well, the only real benefit I can see would be the potential to avoid POST-requests rate limiting. Because of that I think this will probably be a lower priority.

@michalkleiner michalkleiner changed the title Should we GET more and POST less? Use GET http method for API requests that don't send data Mar 8, 2024
@michalkleiner michalkleiner added c: Platform For Matomo platform changes that aren't impacting any of our APIs but improve the core itself. c: APIs For bugs and features in the Matomo HTTP and plugin APIs. and removed To Triage An issue awaiting triage by a Matomo core team member labels Mar 8, 2024
@michalkleiner michalkleiner added this to the For Prioritization milestone Mar 8, 2024
@sgiehl
Member

sgiehl commented Mar 25, 2024

We are actually using POST requests in most cases on purpose. For authentication a token_auth needs to be sent with the request. Even though this is only a token_auth that is valid while the session is active, someone being able to intercept this token_auth could misuse it. So sending it as a GET request might lower the security.
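The two positions in this thread (choose GET when there is no POST data; never let token_auth move into the URL) can be combined in one request builder. The following is an added example written for this discussion, not Matomo's AjaxHelper; `buildRequest` and `SECRET_PARAMS` are names assumed here, and the sample parameters and the `PLACEHOLDER_TOKEN` value are constructed.

```javascript
// Added example (not Matomo code): decide GET vs POST from the body parameters
// a request would carry, while refusing to put secrets into the query string.
// Query strings end up in server access logs, proxy logs, browser history and
// the Referer header, which is the exposure sgiehl's comment warns about.

// Parameter names that must only ever travel in a request body (assumed list).
const SECRET_PARAMS = new Set(['token_auth', 'password', 'passwordConfirmation']);

function hasSecret(params) {
  return Object.keys(params || {}).some((name) => SECRET_PARAMS.has(name));
}

/**
 * Build {method, url, body} for an API call.
 * - GET only when there is no POST data at all (the 7-of-17 case in the issue).
 * - POST with a form-encoded body when any POST data exists (e.g. token_auth).
 * - Throws if a secret was handed over as a query parameter, so a caller cannot
 *   accidentally turn an authenticated POST into a GET with token_auth in the URL.
 */
function buildRequest(baseUrl, getParams, postParams) {
  const get = getParams || {};
  const post = postParams || {};
  if (hasSecret(get)) {
    throw new Error('secret parameter placed in query string; move it to POST data');
  }
  const query = new URLSearchParams(get).toString();
  const url = query ? `${baseUrl}?${query}` : baseUrl;
  if (Object.keys(post).length === 0) {
    return { method: 'GET', url, body: null };
  }
  return { method: 'POST', url, body: new URLSearchParams(post).toString() };
}

// Constructed sample calls mirroring the two request kinds described in the issue.
const reportReq = buildRequest(
  '/index.php',
  { module: 'API', method: 'VisitsSummary.get', idSite: '1', period: 'day', date: 'today', format: 'json' },
  {},
);
const authedReq = buildRequest(
  '/index.php',
  { module: 'API', method: 'VisitsSummary.get', idSite: '1' },
  { token_auth: 'PLACEHOLDER_TOKEN' },
);
```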
