slanatech / swagger-stats

API Observability. Trace API calls and Monitor API performance, health and usage statistics in Node.js Microservices.
MIT License

Authentication protection for swagger-stats? #13

Open danihenrique opened 7 years ago

danihenrique commented 7 years ago

Hello, first of all, really great job! Congrats!!

I have two concerns about this. The first one is about memory leaks: is that possible, because all the information is stored in runtime memory, right? What can you say about that?

The second one is about how to protect access to the stats; is it possible to add some authentication?


sv2 commented 7 years ago

Thank you, @danihenrique !

On memory usage: swagger-stats only keeps a limited amount of data in memory, and it should not grow over time for the same set of API operations. First, it stores a set of statistics (counters) per API operation. These stats are incremented / updated, but no new objects are allocated, so the same amount of data is maintained per operation. Second, swagger-stats stores timeline statistics, that is, stats for each minute for the last hour. The size of the timeline is limited (default: 60 buckets of 1 minute each, so 1 hour), and the oldest buckets are removed when they expire. So the total amount of data stored in the timeline also stays the same. Also, swagger-stats stores data on last errors and longest requests. These are also capped: only the last 100 errors are stored, and only the top 100 longest requests are stored; i.e. data on previous errors will be evicted as new ones occur.

If your app receives a new request for an unknown API operation, which does not match any express route or any operation defined in the swagger spec, then swagger-stats will detect a new operation and allocate stats for it. This may happen when the new request URI contains some parameter but does not match any defined parameterized path like /api/{param} or /api/:param.

Typically this should not be the case, but I think it'll be good to introduce an option that would cap the total number of API operations swagger-stats maintains in memory, and set the default to something like 100. #15

Note that even though swagger-stats keeps in memory only the timeline for the last 60 minutes, API monitoring for longer periods of time is still possible. For that, swagger-stats exposes Prometheus metrics - #9 . Prometheus can be used to collect metrics from swagger-stats and store them in its time series database, which makes it possible to monitor trends over long periods of time.

On authentication: absolutely, great point! I've opened #14 to track this.

Thanks a lot for your feedback!
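The bounded structures described in the reply above (per-operation counters updated in place, a 60-bucket one-minute timeline with eviction of expired buckets, the last 100 errors, the top 100 longest requests, plus the operation cap proposed in #15), as an added Node.js illustration that is not swagger-stats code; the class and method names and the way a stale sample is handled are assumptions.

```javascript
// Added example (not swagger-stats code): a bounded in-memory store shaped like the
// description in this thread. Names (ApiStats, record) and the operation cap are assumed.
const EMPTY = () => ({ requests: 0, errors: 0, totalMs: 0, maxMs: 0 });
// Update a counter object in place: no new objects are allocated per request.
function bump(c, status, durationMs) {
  c.requests += 1; c.totalMs += durationMs;
  if (status >= 400) c.errors += 1;
  if (durationMs > c.maxMs) c.maxMs = durationMs;
}
class ApiStats {
  constructor({ timelineBuckets = 60, bucketMs = 60000, maxErrors = 100,
                maxLongest = 100, maxOperations = 100 } = {}) {
    this.opts = { timelineBuckets, bucketMs, maxErrors, maxLongest, maxOperations };
    this.operations = new Map(); // "METHOD path" -> counters, one object per operation
    this.timeline = new Map();   // bucket id -> counters, only the newest N buckets kept
    this.newestBucket = -Infinity;
    this.lastErrors = [];        // FIFO, oldest evicted beyond maxErrors
    this.longest = [];           // sorted by duration desc, truncated to maxLongest
  }
  // Returns false when the request hits an unknown operation and the cap is reached.
  record({ method, path, status, durationMs, now = Date.now() }) {
    const key = `${method} ${path}`;
    let op = this.operations.get(key);
    if (!op) {
      if (this.operations.size >= this.opts.maxOperations) return false;
      op = EMPTY();
      this.operations.set(key, op);
    }
    bump(op, status, durationMs);
    const id = Math.floor(now / this.opts.bucketMs);
    const oldestKept = Math.max(id, this.newestBucket) - this.opts.timelineBuckets + 1;
    if (id >= oldestKept) { // a sample older than the window must not revive an evicted bucket
      if (id > this.newestBucket) {
        this.newestBucket = id;
        for (const b of this.timeline.keys()) if (b < oldestKept) this.timeline.delete(b);
      }
      if (!this.timeline.has(id)) this.timeline.set(id, EMPTY());
      bump(this.timeline.get(id), status, durationMs);
    }
    if (status >= 400) {
      this.lastErrors.push({ key, status, at: now });
      if (this.lastErrors.length > this.opts.maxErrors) this.lastErrors.shift();
    }
    this.longest.push({ key, durationMs });
    this.longest.sort((a, b) => b.durationMs - a.durationMs);
    if (this.longest.length > this.opts.maxLongest) this.longest.length = this.opts.maxLongest;
    return true;
  }
}
```

Feeding it more than an hour of traffic shows every collection staying at its cap, which is the property the reply relies on when it says memory does not grow for a fixed set of operations.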