Disabling user auth also disables the API token requirement for /metrics #4628
Labels
area:documentation
Improvements or additions to documentation
area:settings
Related to Settings page and application configration
good first issue
Good for newcomers
help wanted
May need your help to test or answer
📑 I have found these related issues/pull requests
-/-
🛡️ Security Policy
Description
I have an API token to access /metrics which worked well.
I have now disabled user authentication and added Authelia as a middleware, with both the /metrics and /api/push endpoints configured as 'bypass', with everything else requiring authentication.
To my surprise. the API token is no longer required anymore to access /metrics.
👟 Reproduction steps
see above
👀 Expected behavior
I expected that the /metrics endpoint still requires an API token. According to the docs,
😓 Actual Behavior
/metrics was unprotected
🐻 Uptime-Kuma Version
1.23.11
💻 Operating System and Arch
louislam/uptime-kuma:alpine (x64)
🌐 Browser
n/a
🖥️ Deployment Environment
n/a
📝 Relevant log output
No response
The text was updated successfully, but these errors were encountered: