Adds code to restrict token_auth post param

[AltamashShaikh]

Description

Adds code to restrict token_auth post param

Checklist

• [NA] I have understood, reviewed, and tested all AI outputs before use
• [NA] All AI instructions respect security, IP, and privacy rules

Review

• Functional review done
• Potential edge cases thought about (behaviour of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
• Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
• Security review done
• Wording review done
• Code review done
• Tests were added if useful/possible
• Reviewed for breaking changes
• Developer changelog updated if needed
• New documentation added or existing documentation updated

[sgiehl]

Technically I'm not sure if this might not have any side effects. file_get_contents("php://input") uses the real raw input, while http_build_query($_POST) sort of reconstructs it, while it may normalize ordering, repeated params, array syntax, and encoding details. I wonder if it might be safe to just go this path if at least one of the disallowed parameters was really discarded.

[sgiehl]

That one should be removed again