| author | MohamedBassem <me@mbassem.com> | 2025-08-22 18:15:06 +0300 |
|---|---|---|
| committer | MohamedBassem <me@mbassem.com> | 2025-08-22 21:20:37 +0300 |
| commit | a64307e8ac92226581d74248b7727488ecd53465 (patch) | |
| tree | ac3d57c617e4b352ca7eb142fb7c937be5531a91 /packages | |
| parent | f1662b820f45a7ee89503448fc6a77085e87dc64 (diff) | |
feat: generate a random prometheus token on startup
Diffstat (limited to 'packages')
| -rw-r--r-- | packages/api/middlewares/prometheusAuth.ts | 33 | ||||
| -rw-r--r-- | packages/api/routes/metrics.ts | 9 | ||||
| -rw-r--r-- | packages/shared/config.ts | 4 |
3 files changed, 10 insertions, 36 deletions
diff --git a/packages/api/middlewares/prometheusAuth.ts b/packages/api/middlewares/prometheusAuth.ts
deleted file mode 100644
index bf35608f..00000000
--- a/packages/api/middlewares/prometheusAuth.ts
+++ /dev/null
@@ -1,33 +0,0 @@
-import { createMiddleware } from "hono/factory";
-import { HTTPException } from "hono/http-exception";
-
-import serverConfig from "@karakeep/shared/config";
-
-export const prometheusAuthMiddleware = createMiddleware(async (c, next) => {
- const { metricsToken } = serverConfig.prometheus;
-
- // If no token is configured, deny access (safe default)
- if (!metricsToken) {
- throw new HTTPException(404, {
- message: "Not Found",
- });
- }
-
- const auth = c.req.header("Authorization");
-
- if (!auth || !auth.startsWith("Bearer ")) {
- throw new HTTPException(401, {
- message: "Unauthorized",
- });
- }
-
- const token = auth.slice(7); // Remove "Bearer " prefix
-
- if (token !== metricsToken) {
- throw new HTTPException(401, {
- message: "Unauthorized",
- });
- }
-
- await next();
-});
diff --git a/packages/api/routes/metrics.ts b/packages/api/routes/metrics.ts
index 9d668afe..aeb03c03 100644
--- a/packages/api/routes/metrics.ts
+++ b/packages/api/routes/metrics.ts
@@ -3,15 +3,20 @@ import "@karakeep/trpc/stats";
 import { prometheus } from "@hono/prometheus";
 import { Hono } from "hono";
+import { bearerAuth } from "hono/bearer-auth";
 import { register } from "prom-client";
-import { prometheusAuthMiddleware } from "../middlewares/prometheusAuth";
+import serverConfig from "@karakeep/shared/config";
 export const { printMetrics, registerMetrics } = prometheus({
 registry: register,
 prefix: "karakeep_",
 });
-const app = new Hono().get("/", prometheusAuthMiddleware, printMetrics);
+const app = new Hono().get(
+ "/",
+ bearerAuth({ token: serverConfig.prometheus.metricsToken }),
+ printMetrics,
+);
 export default app;
diff --git a/packages/shared/config.ts b/packages/shared/config.ts
index f9ef90cd..4ba3978a 100644
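Review bot: Swapping the hand-written middleware for `bearerAuth` on the `/` route of `packages/api/routes/metrics.ts` narrows which configured tokens can ever match: as far as I know Hono's `bearerAuth` only accepts credentials made of token68 characters (letters, digits, `. _ ~ + / -` and trailing `=`), while the removed code compared any string after `Bearer `. An operator whose existing `PROMETHEUS_AUTH_TOKEN` contains other characters would lose scraping access after the upgrade, so the value's character set should be validated where the config is parsed, or the restriction called out in the release notes. The unconfigured case also now answers 401 where the old middleware answered 404, which discloses that the endpoint exists; a comment such as `// Token is random when PROMETHEUS_AUTH_TOKEN is unset, so this route stays closed by default` would record that this is intended.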
--- a/packages/shared/config.ts
+++ b/packages/shared/config.ts
@@ -1,3 +1,4 @@
+import crypto from "node:crypto";
 import path from "path";
 import { z } from "zod";
@@ -278,7 +279,8 @@ const serverConfigSchema = allEnv.transform((val, ctx) => {
 },
 },
 prometheus: {
- metricsToken: val.PROMETHEUS_AUTH_TOKEN,
+ metricsToken:
+ val.PROMETHEUS_AUTH_TOKEN ?? crypto.randomBytes(64).toString("hex"),
 },
 rateLimiting: {
 enabled: val.RATE_LIMITING_ENABLED, |
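Review bot: The `??` fallback on `metricsToken` only covers an unset variable, so `PROMETHEUS_AUTH_TOKEN=` (empty string) is passed on as the configured token, whereas the removed middleware treated any falsy value as "not configured" and closed the endpoint; whether the env schema already rejects empty strings is not visible in this hunk. Normalising it here keeps the old semantics: `val.PROMETHEUS_AUTH_TOKEN || crypto.randomBytes(64).toString("hex"),`. The intent of the random value also deserves a comment, for example `// Unset token: fall back to an unguessable value so /metrics is closed by default`, since the generated token is never surfaced in the visible code and would presumably differ in each process that evaluates this schema. The enclosing `transform` callback starts and ends outside the hunk.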
