Alertmanager server type does not send Authorization headers #1212

@Knight81

Bug Report: Alertmanager server type does not send Authorization headers

Description

When configuring a server of type Alertmanager, Nagstamon does not include any Authorization header in the HTTP requests sent to the endpoint, regardless of the authentication method configured (Basic Auth or Bearer token).

This was confirmed by intercepting the actual requests using a local Python HTTP listener — no Authorization header is present in any request.

Environment

  • Nagstamon version: 3.18.2
  • OS: Linux
  • Alertmanager endpoint: Grafana embedded Alertmanager (/api/alertmanager/grafana/api/v2/alerts)
  • Authentication tested: Basic Auth, Bearer token

Steps to Reproduce

  1. Add a new server of type Alertmanager
  2. Set a valid URL (e.g. http://127.0.0.1:3000/api/alertmanager/grafana)
  3. Configure credentials (username + password, or Bearer token)
  4. Start a local HTTP listener to inspect incoming requests:
```python
from http.server import HTTPServer, BaseHTTPRequestHandler

class LogHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Print the request line and every header the client sent
        print("\n=== REQUEST ===")
        print(f"{self.command} {self.path}")
        print("\n--- HEADERS ---")
        for k, v in self.headers.items():
            print(f"{k}: {v}")
        # Reply with an empty JSON result so the client does not fail on parsing
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'{"data":[]}')

    def log_message(self, format, *args):
        # Suppress the default per-request access log
        pass

HTTPServer(('0.0.0.0', 9999), LogHandler).serve_forever()
```
  5. Point Nagstamon to http://127.0.0.1:9999
  6. Observe that no Authorization header is present in the captured request

Expected Behavior

Nagstamon should include an Authorization: Basic <base64> or Authorization: Bearer <token> header in all requests to the Alertmanager endpoint, according to the configured authentication method.

Actual Behavior

No Authorization header is sent. The server receives the request without any authentication credentials, causing a 401 response from protected endpoints. The error surfaced in the UI is a confusing json.decoder.JSONDecodeError (as also reported in #753) instead of an authentication failure message.

Root Cause (suspected)

The requests library only sends Authorization headers automatically when the server responds with a WWW-Authenticate challenge. Grafana (and some other Alertmanager deployments behind reverse proxies) returns a plain 401 without a WWW-Authenticate header, so requests never attaches the credentials.

The fix would be to explicitly set the Authorization header on the session in Alertmanager.py, rather than relying on session.auth or the default requests challenge-response mechanism:

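```python
import base64

# Proposed override for the server class in Alertmanager.py
def init_HTTP(self):
    GenericServer.init_HTTP(self)
    if self.username and self.password:
        # Build the Basic credentials once and attach them to every request
        creds = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
        self.session.headers.update({'Authorization': f'Basic {creds}'})
```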

Workaround

Deploying a local nginx reverse proxy that injects the Authorization header before forwarding to the actual Alertmanager endpoint.
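
Added example, not part of the original issue or of Nagstamon's code: a standard-library check of the mechanism the report suspects, using urllib's challenge-driven HTTPBasicAuthHandler in place of requests, against a loopback endpoint that answers a plain 401 without WWW-Authenticate. The credentials, the path and all names are constructed, and it does not exercise requests or Nagstamon themselves.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "monitor", "constructed-secret"  # constructed test credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class PlainUnauthorized(BaseHTTPRequestHandler):
    seen = []  # Authorization value (or None) of each request received
    def do_GET(self):
        auth = self.headers.get("Authorization")
        PlainUnauthorized.seen.append(auth)
        ok = auth == EXPECTED
        body = b"[]" if ok else b"Unauthorized"
        self.send_response(200 if ok else 401)  # the 401 carries no WWW-Authenticate
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, format, *args):
        pass  # keep the console quiet

def fetch_status(opener, url, headers=None):
    request = urllib.request.Request(url, headers=headers or {})
    try:
        with opener.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code

def run_probe():
    PlainUnauthorized.seen.clear()
    server = HTTPServer(("127.0.0.1", 0), PlainUnauthorized)  # loopback, free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/v2/alerts"
    no_proxy = urllib.request.ProxyHandler({})  # ignore proxy environment variables
    try:
        # Challenge-driven client: credentials are sent only in answer to a challenge.
        manager = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        manager.add_password(None, url, USER, PASSWORD)
        handler = urllib.request.HTTPBasicAuthHandler(manager)
        challenged = fetch_status(urllib.request.build_opener(no_proxy, handler), url)
        # Preemptive client: the header is set explicitly on the first request.
        plain = urllib.request.build_opener(no_proxy)
        explicit = fetch_status(plain, url, {"Authorization": EXPECTED})
    finally:
        server.shutdown()
        server.server_close()
    return challenged, explicit, list(PlainUnauthorized.seen)
```

`run_probe()` returns the two status codes and the Authorization values the endpoint saw, so the same harness can be pointed at a patched client to confirm the header arrives on the first request.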
