Prometheus: keep auth by default

Restore the previous behaviour where the Prometheus /metrics endpoint required auth if auth was enabled. A new -prometheus-no-auth flag allows you to override this and disable auth for that specific endpoint.
2025-10-19 07:33:21 +00:00 · 2021-01-04 20:23:26 +08:00 · 2021-01-04 20:23:26 +08:00 · 9db2d52fbe
commit 9db2d52fbe
parent 32c138aa84
3 changed files with 31 additions and 16 deletions
--- a/mux.go
+++ b/mux.go
@ -45,6 +45,16 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 	return username, true
 }

+func (s *Server) wrapAuth(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if _, ok := s.checkAuth(r); !ok {
+			httpDefaultError(w, http.StatusUnauthorized)
+			return
+		}
+		f(w, r)
+	}
+}
+
 // NewHandler returns the master HTTP multiplexer/router.
 func NewHandler(server *Server) (http.Handler, error) {
 	if !server.NoAuth {
@ -67,8 +77,11 @@ func NewHandler(server *Server) (http.Handler, error) {

 	mux := http.NewServeMux()
 	if server.Prometheus {
-		// FIXME: need auth like in previous version?
-		mux.Handle("/metrics", promhttp.Handler())
+		if server.PrometheusNoAuth {
+			mux.Handle("/metrics", promhttp.Handler())
+		} else {
+			mux.HandleFunc("/metrics", server.wrapAuth(promhttp.Handler().ServeHTTP))
+		}
 	}
 	mux.Handle("/", server)