
fix: restrict /metrics endpoint to admin users in production#95

Open
Deepam02 wants to merge 2 commits intomcpjungle:mainfrom
Deepam02:fix/metrics-endpoint-admin-access

Conversation

@Deepam02
Contributor

@Deepam02 Deepam02 commented Sep 9, 2025

Fixes #92

Added requireAdminUser() middleware to /metrics endpoint as requested in the issue.

@Deepam02
Contributor Author

Deepam02 commented Sep 9, 2025

Removed the extra middleware.

@duaraghav8
Member

Thanks. I just realized that there's another complication - this authentication works well when an admin is trying to access /metrics because they send their admin token.
But we also need to configure prometheus (or other prometheus-compatible tools) with an auth token so that they can also scrape this endpoint (they too will need to authenticate).
I'm not sure how this will be done yet.
Will need to research a little more on this. Keeping this PR open for now.

@Deepam02
Contributor Author

Deepam02 commented Sep 9, 2025

Yes! I see this issue.
For a quick fix we could create separate endpoints for prometheus, but there would be no point in securing it then.

The best solution would be adding an auth token for prometheus authentication, but that might be outside my scope for now - seems too complex for a beginner.
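An added example, not mcpjungle's own code, of the approach the two comments above describe: the `/metrics` handler is wrapped by a middleware that, in production mode, accepts either the admin user's bearer token or a separate read-only scrape token that is configured into Prometheus. The names `MetricsAuth`, `Wrap` and `probe` are assumptions for this illustration, as are the token values, and the comparison is constant-time so the check does not leak token bytes through timing.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MetricsAuth carries the settings the middleware needs.
// Hypothetical type: mcpjungle's real configuration is not shown on this page.
type MetricsAuth struct {
	Production  bool   // when false, /metrics stays open as before
	AdminToken  string // the token an admin user presents
	ScrapeToken string // a dedicated token handed only to Prometheus
}

// bearerToken extracts the credential from "Authorization: Bearer <token>".
// It returns "" when the header is absent or uses another scheme.
func bearerToken(r *http.Request) string {
	h := r.Header.Get("Authorization")
	const prefix = "Bearer "
	if len(h) < len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return ""
	}
	return strings.TrimSpace(h[len(prefix):])
}

// tokenMatches compares in constant time and refuses to match an unset token,
// so a deployment that forgot to configure ScrapeToken does not accept "".
func tokenMatches(presented, expected string) bool {
	if expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// Wrap guards next (the metrics handler) with the admin-or-scraper check.
func (c MetricsAuth) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !c.Production {
			next.ServeHTTP(w, r)
			return
		}
		tok := bearerToken(r)
		if tokenMatches(tok, c.AdminToken) || tokenMatches(tok, c.ScrapeToken) {
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Set("WWW-Authenticate", `Bearer realm="metrics"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// probe sends one in-memory GET /metrics with the given Authorization header
// value ("" for none) through the wrapped handler and returns the status code.
func probe(c MetricsAuth, authHeader string) int {
	h := c.Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed stand-in for the real exposition output.
		_, _ = w.Write([]byte("# HELP up Target is up\nup 1\n"))
	}))
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed token values for the demonstration only.
	cfg := MetricsAuth{Production: true, AdminToken: "admin-secret", ScrapeToken: "scrape-secret"}
	fmt.Println("no token:      ", probe(cfg, ""))                     // 401
	fmt.Println("admin token:   ", probe(cfg, "Bearer admin-secret"))  // 200
	fmt.Println("scrape token:  ", probe(cfg, "Bearer scrape-secret")) // 200
	fmt.Println("wrong token:   ", probe(cfg, "Bearer nope"))          // 401
	fmt.Println("dev mode, none:", probe(MetricsAuth{}, ""))           // 200
}
```

On the Prometheus side the scrape job then presents the scrape token with the `authorization` block of its `scrape_config` (`type: Bearer` plus `credentials` or `credentials_file`), so only the two configured credentials can read the endpoint in production while a misconfigured empty token is never accepted.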

@duaraghav8
Member

I'll keep this open because it's a valid change but needs to be refined further.

@duaraghav8 duaraghav8 reopened this Oct 3, 2025
@duaraghav8 duaraghav8 force-pushed the main branch 2 times, most recently from e6f9f3d to 321f552 on October 8, 2025 08:33


Development

Successfully merging this pull request may close these issues.

/metrics endpoint should only be accessible by admin in production mode
