Skip to content

feat: protect /metrics endpoint with auth and IP allowlist#620

Merged
hman38705 merged 2 commits intosolutions-plug:mainfrom
obanai9:feat/protect-metrics-endpoint
Apr 27, 2026
Merged

feat: protect /metrics endpoint with auth and IP allowlist#620
hman38705 merged 2 commits intosolutions-plug:mainfrom
obanai9:feat/protect-metrics-endpoint

Conversation

@obanai9
Copy link
Copy Markdown
Contributor

@obanai9 obanai9 commented Apr 27, 2026

Summary

Gates the /metrics Prometheus endpoint behind API key authentication and an optional IP allowlist, preventing public exposure of internal operational data.

Changes

services/api/src/main.rs

  • Removed /metrics from public_routes
  • Added a dedicated metrics_routes router with metrics_auth_middleware wired from MetricsAuthConfig (built from existing config fields: metrics_public, metrics_allowlist_ips, api_key_auth)

services/api/src/security.rs

  • MetricsAuthConfig and metrics_auth_middleware were already implemented; no changes needed
  • Added unit tests covering all access-control branches

services/api/tests/security_tests.rs

  • Added integration-level HTTP tests: public mode bypass, missing key → 401, valid key → 200, wrong key → 401, IP not in allowlist → 403

Security Behaviour

Scenario Result
METRICS_PUBLIC=true Open (no auth) — for trusted internal networks only
Valid x-api-key header, no allowlist ✅ 200
Missing or wrong x-api-key ❌ 401
IP not in METRICS_ALLOWLIST_IPS ❌ 403
IP in allowlist + valid key ✅ 200

Configuration

Env var Default Purpose
METRICS_PUBLIC false Skip all auth (opt-in, internal clusters only)
METRICS_ALLOWLIST_IPS (empty) Comma-separated IP allowlist; empty = no IP restriction
API_KEYS (empty) Shared API key(s) checked via x-api-key header

Testing

All new tests are in security.rs (unit) and tests/security_tests.rs (integration).

Closes #456

@obanai9
feat: protect /metrics endpoint with auth and IP allowlist
044ef94 
- Move /metrics from public_routes into a dedicated metrics_routes
  router guarded by metrics_auth_middleware
- Import MetricsAuthConfig in main.rs and wire it from config fields
  (metrics_public, metrics_allowlist_ips, api_key_auth)
- Add unit tests in security.rs for all middleware branches
- Add integration-level tests in tests/security_tests.rs covering:
  public mode bypass, missing key → 401, valid key → 200,
  wrong key → 401, IP not in allowlist → 403

Config env vars (already present in Config):
  METRICS_PUBLIC=true        opt-in public mode (default: false)
  METRICS_ALLOWLIST_IPS=...  comma-separated IP allowlist
  API_KEYS=...               shared API key(s) for x-api-key header

Closes solutions-plug#456
@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented Apr 27, 2026

@obanai9 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@hman38705 hman38705 merged commit 8ef82f1 into solutions-plug:main Apr 27, 2026
3 of 24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Protect or gate /metrics endpoint

2 participants

@obanai9 @hman38705