Disabling user auth also disables the API token requirement for /metrics #4628
Comments
Thanks. As /metrics can disclose a lot of private details, the documentation and GUI should be very clear and explicit about this. I would suggest allowing user/GUI auth to be disabled separately from service/API auth and/or requiring deletion of all API keys before the built-in API auth is disabled. Feel free to close the issue or keep it as a heads-up for other users as long as necessary.
Changing the help texts in the disable-auth popup seems sufficient to me. No need to introduce more complexity than needed.
Where/How?
Oh well, I tried |
📑 I have found these related issues/pull requests
-/-
🛡️ Security Policy
Description
I have an API token to access /metrics which worked well.
I have now disabled user authentication and added Authelia as a middleware, with the /metrics and /api/push endpoints configured as 'bypass' and everything else requiring authentication.
To my surprise, the API token is no longer required to access /metrics.
👟 Reproduction steps
see above
👀 Expected behavior
I expected that the /metrics endpoint would still require an API token. According to the docs,
😓 Actual Behavior
/metrics was unprotected
🐻 Uptime-Kuma Version
1.23.11
💻 Operating System and Arch
louislam/uptime-kuma:alpine (x64)
🌐 Browser
n/a
🖥️ Deployment Environment
n/a
📝 Relevant log output
No response
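The check a practitioner would run right after disabling built-in auth or adding proxy bypass rules, as an added example that is not from this issue or the Uptime Kuma project: probe /metrics once anonymously and once with the API key, and classify the outcome. It assumes the key is sent as the Basic-auth password (the username is ignored), which is how Uptime Kuma API keys are used for /metrics, and that a locked-down endpoint answers 401/403. Redirects are deliberately not followed, so a bounce to an Authelia login portal is reported as "redirected" rather than mistaken for a scrapeable 200. The two local stub servers, their key and the metric line they serve are constructed stand-ins so the script runs offline; pass a real base URL (and optionally the key) to probe a live instance instead.

```python
"""Check whether an Uptime Kuma /metrics endpoint still demands an API key.

Live instance:   python check_metrics_auth.py https://status.example.com [API_KEY]
No arguments:    exercise the probe against two local stub servers.
"""
import base64
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect to a
    login portal is never confused with a scrapeable 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def _get_status(url, api_key=None, timeout=5):
    """GET url and return the HTTP status, or None if unreachable.
    Assumption: the API key travels as the Basic-auth password, username empty."""
    req = urllib.request.Request(url)
    if api_key is not None:
        token = base64.b64encode(f":{api_key}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def probe_metrics(base_url, api_key=None, timeout=5):
    """Probe /metrics anonymously (and with the key, if given) and classify.
    'unprotected' means anyone who can reach the endpoint can scrape it."""
    url = base_url.rstrip("/") + "/metrics"
    anon = _get_status(url, None, timeout)
    keyed = _get_status(url, api_key, timeout) if api_key is not None else None
    if anon is None:
        verdict = "unreachable"
    elif anon == 200:
        verdict = "unprotected"
    elif anon in (401, 403):
        # Locked down; if a key was supplied, confirm it is still honoured.
        verdict = "protected" if keyed in (None, 200) else "protected-key-rejected"
    elif 300 <= anon < 400:
        verdict = "redirected"  # e.g. to a login portal; inspect Location by hand
    else:
        verdict = f"unexpected-{anon}"
    return {"anonymous_status": anon, "key_status": keyed, "verdict": verdict}


class _StubMetrics(BaseHTTPRequestHandler):
    """Constructed stand-in for Uptime Kuma's /metrics, not the real server."""
    require_key = True
    api_key = "uk1_constructed_test_key"  # constructed value, not a real key

    def do_GET(self):
        if self.path != "/metrics":
            self.send_error(404)
            return
        if self.require_key and not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="metrics"')
            self.end_headers()
            return
        body = b'monitor_status{monitor_name="example"} 1\n'  # constructed sample
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _authorized(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            creds = base64.b64decode(header[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        return creds.split(":", 1)[-1] == self.api_key

    def log_message(self, *args):  # keep the self-test quiet
        pass


def start_stub(require_key):
    """Start a stub on a random loopback port; returns (server, base_url)."""
    handler = type("Stub", (_StubMetrics,), {"require_key": require_key})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def self_test():
    """Run the probe against a key-requiring stub and an open one."""
    results = {}
    for label, require_key in (("protected", True), ("unprotected", False)):
        server, base = start_stub(require_key)
        try:
            results[label] = probe_metrics(base, api_key=_StubMetrics.api_key)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        key = sys.argv[2] if len(sys.argv) > 2 else None
        print(probe_metrics(sys.argv[1], api_key=key))
    else:
        print(self_test())
```

Run it once before and once after any change to the auth settings or the proxy's bypass list; a verdict of "unprotected" on the after-run is exactly the situation this issue describes. The "protected-key-rejected" verdict separates a genuinely locked-down endpoint from one where the scraper's key itself has stopped working, which matters if you also rotate or delete API keys as part of the change.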