Disabling user auth also disables the API token requirement for /metrics #4628
Comments
|
Disabling auth disables auth, so far this is not a bug from my standpoint. I agree that we might want to draw more attention to what this does here (and in the docs) If you/somebody wants to create a PR for this change, we would be open to this ^^ |
CommanderStorm
added
area:documentation
|
Thanks. As /metrics can disclose a lot of private details, the documentation and GUI should be very clear and explicit about this. I would suggest to allow disabling user/GUI auth separately from service/API auth and/or requiring deletion of all API keys before the built-in API auth is disabled. Feel free to close the issue or keep it as a heads-up for other users as long as necessary. |
|
Changing the helptexts in the disable-auth popup seems sufficient to me. No need to introduce more complexity than needed. |
|
Where/How? |
|
Oh well, I tried |
📑 I have found these related issues/pull requests
-/-
🛡️ Security Policy
Description
I have an API token to access /metrics which worked well.
I have now disabled user authentication and added Authelia as a middleware, with both the /metrics and /api/push endpoints configured as 'bypass', with everything else requiring authentication.
To my surprise. the API token is no longer required anymore to access /metrics.
👟 Reproduction steps
see above
👀 Expected behavior
I expected that the /metrics endpoint still requires an API token. According to the docs,
😓 Actual Behavior
/metrics was unprotected
🐻 Uptime-Kuma Version
1.23.11
💻 Operating System and Arch
louislam/uptime-kuma:alpine (x64)
🌐 Browser
n/a
🖥️ Deployment Environment
n/a
📝 Relevant log output
No response
The text was updated successfully, but these errors were encountered: