louislam / uptime-kuma

A fancy self-hosted monitoring tool
https://uptime.kuma.pet
MIT License

Disabling user auth also disables the API token requirement for /metrics #4628

Closed thielj closed 1 month ago

thielj commented 4 months ago

📑 I have found these related issues/pull requests

-/-

πŸ›‘οΈ Security Policy

Description

I have an API token to access /metrics which worked well.

I have now disabled user authentication and added Authelia as a middleware, with both the /metrics and /api/push endpoints configured as 'bypass', with everything else requiring authentication.

To my surprise, the API token is no longer required anymore to access /metrics.

👟 Reproduction steps

see above

👀 Expected behavior

I expected that the /metrics endpoint still requires an API token. According to the docs,

By default, HTTP basic authentication is used to secure access to the Prometheus metrics endpoint. As soon as you add your first API key, the use of basic authentication for the endpoint will be permanently disabled.

😓 Actual Behavior

/metrics was unprotected

🐻 Uptime-Kuma Version

1.23.11

💻 Operating System and Arch

louislam/uptime-kuma:alpine (x64)

🌐 Browser

n/a

🖥️ Deployment Environment

n/a

πŸ“ Relevant log output

No response
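A post-change verification check for the situation in this report, added here as an example (it is not code from the issue or from the uptime-kuma project): after toggling authentication settings or changing proxy bypass rules, confirm that /metrics still refuses anonymous requests and accepts the API key. It assumes the documented scheme of sending the API key as the password of an HTTP Basic auth header with an empty username; BASE_URL and the key below are placeholders.

```python
import base64
import urllib.error
import urllib.request


def basic_auth_header(api_key):
    """Build the Authorization header; assumption: empty user, API key as password."""
    token = base64.b64encode((":" + api_key).encode()).decode()
    return "Basic " + token


def http_status(url, headers=None):
    """GET the URL and return the HTTP status; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def assess_metrics_exposure(base_url, api_key, status=http_status):
    """Classify how /metrics is protected.

    `status` is injectable so the decision logic can be exercised offline.
    Returns "EXPOSED", "PROTECTED" or "UNEXPECTED" followed by the observed codes.
    """
    url = base_url.rstrip("/") + "/metrics"
    anonymous = status(url)
    with_key = status(url, {"Authorization": basic_auth_header(api_key)})
    detail = " (anonymous=%s, with_key=%s)" % (anonymous, with_key)
    if anonymous == 200:
        # This is the report's "Actual Behavior": the scrape works with no credentials.
        return "EXPOSED" + detail
    if anonymous in (401, 403) and with_key == 200:
        # The "Expected behavior": the endpoint still demands the API token.
        return "PROTECTED" + detail
    # Anything else (e.g. key rejected, proxy redirect) needs a human look.
    return "UNEXPECTED" + detail


if __name__ == "__main__":
    # Placeholders: point these at your own instance and key.
    BASE_URL = "http://uptime-kuma.example.invalid"
    API_KEY = "uk1_PLACEHOLDER"
    print(assess_metrics_exposure(BASE_URL, API_KEY))
```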

CommanderStorm commented 4 months ago

Disabling auth disables auth, so far this is not a bug from my standpoint.

I agree that we might want to draw more attention to what this does here (and in the docs) [screenshot]

If you/somebody wants to create a PR for this change, we would be open to this ^^

thielj commented 4 months ago

Thanks. As /metrics can disclose a lot of private details, the documentation and GUI should be very clear and explicit about this.

I would suggest allowing disabling user/GUI auth separately from service/API auth and/or requiring deletion of all API keys before the built-in API auth is disabled.

Feel free to close the issue or keep it as a heads-up for other users as long as necessary.

CommanderStorm commented 4 months ago

Changing the helptexts in the disable-auth popup seems sufficient to me. No need to introduce more complexity than needed.

thielj commented 4 months ago

@CommanderStorm This, too: https://github.com/louislam/uptime-kuma/wiki/API-Keys

CommanderStorm commented 4 months ago

Where/How? I think that disabling auth disables auth entirely has the logical cause that no auth is present any longer. => don't think this needs to be added on that docs page.

thielj commented 4 months ago

Oh well, I tried ¯\_(ツ)_/¯

github-actions[bot] commented 1 month ago

We are clearing up our old help-issues and your issue has been open for 60 days with no activity. If no comment is made and the stale label is not removed, this issue will be closed in 7 days.

chakflying commented 1 month ago

Resolved by #4723