internal/web: remove authentication for metrics (#21077)

2026-04-25 17:15:26 +02:00 · 2026-03-23 13:52:04 +00:00
parent 0bc4739f54
commit 197cde8fae
4 changed files with 6 additions and 56 deletions
--- a/authentik/root/monitoring.py
+++ b/authentik/root/monitoring.py
@@ -1,10 +1,5 @@
 """Metrics view"""

-from hmac import compare_digest
-from pathlib import Path
-from tempfile import gettempdir
-
-from django.conf import settings
 from django.db import connections
 from django.db.utils import OperationalError
 from django.dispatch import Signal
@@ -18,18 +13,8 @@ monitoring_set = Signal()
 class MetricsView(View):
    """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""

-    def __init__(self, **kwargs):
-        _tmp = Path(gettempdir())
-        with open(_tmp / "authentik-core-metrics.key") as _f:
-            self.monitoring_key = _f.read()
-
    def get(self, request: HttpRequest) -> HttpResponse:
        """Check for HTTP-Basic auth"""
-        auth_header = request.META.get("HTTP_AUTHORIZATION", "")
-        auth_type, _, given_credentials = auth_header.partition(" ")
-        authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
-        if not authed and not settings.DEBUG:
-            return HttpResponse(status=401)
        monitoring_set.send_robust(self)
        return ExportToDjangoView(request)

--- a/authentik/root/tests/test_views.py
+++ b/authentik/root/tests/test_views.py
@@ -1,9 +1,5 @@
 """root tests"""

-from pathlib import Path
-from secrets import token_urlsafe
-from tempfile import gettempdir
-
 from django.test import TransactionTestCase
 from django.urls import reverse

@@ -11,26 +7,9 @@ from django.urls import reverse
 class TestRoot(TransactionTestCase):
    """Test root application"""

-    def setUp(self):
-        _tmp = Path(gettempdir())
-        self.token = token_urlsafe(32)
-        with open(_tmp / "authentik-core-metrics.key", "w") as _f:
-            _f.write(self.token)
-
-    def tearDown(self):
-        _tmp = Path(gettempdir())
-        (_tmp / "authentik-core-metrics.key").unlink()
-
-    def test_monitoring_error(self):
-        """Test monitoring without any credentials"""
-        response = self.client.get(reverse("metrics"))
-        self.assertEqual(response.status_code, 401)
-
-    def test_monitoring_ok(self):
+    def test_monitoring(self):
        """Test monitoring with credentials"""
-        auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
-        response = self.client.get(reverse("metrics"), **auth_headers)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.client.get(reverse("metrics")).status_code, 200)

    def test_monitoring_live(self):
        """Test LiveView"""
--- a/internal/web/metrics.go
+++ b/internal/web/metrics.go
@@ -37,7 +37,6 @@ func (ws *WebServer) runMetricsServer(listen string) {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return
 		}
-		re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ws.metricsKey))
 		res, err := ws.upstreamHttpClient().Do(re)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
--- a/internal/web/web.go
+++ b/internal/web/web.go
@@ -31,7 +31,6 @@ import (
 const (
 	SocketName     = "authentik.sock"
 	IPCKeyFile     = "authentik-core-ipc.key"
-	MetricsKeyFile = "authentik-core-metrics.key"
 	CoreSocketName = "authentik-core.sock"
 )

@@ -52,8 +51,7 @@ type WebServer struct {
 	upstreamClient *http.Client
 	upstreamURL    *url.URL

-	metricsKey string
-	ipcKey     string
+	ipcKey string
 }

 func NewWebServer() *WebServer {
@@ -92,6 +90,7 @@ func NewWebServer() *WebServer {
 		upstreamClient: upstreamClient,
 		upstreamURL:    u,
 	}
+	ws.mainRouter.PathPrefix(config.Get().Web.Path).Path("/-/metrics/").Handler(http.NotFoundHandler())
 	ws.configureStatic()
 	ws.configureProxy()
 	// Redirect for sub-folder
@@ -122,15 +121,7 @@ func (ws *WebServer) upstreamHealthcheck() bool {
 func (ws *WebServer) prepareKeys() {
 	tmp := os.TempDir()
 	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
-	err := os.WriteFile(path.Join(tmp, MetricsKeyFile), []byte(key), 0o600)
-	if err != nil {
-		ws.log.WithError(err).Warning("failed to save metrics key")
-		return
-	}
-	ws.metricsKey = key
-
-	key = base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
-	err = os.WriteFile(path.Join(tmp, IPCKeyFile), []byte(key), 0o600)
+	err := os.WriteFile(path.Join(tmp, IPCKeyFile), []byte(key), 0o600)
 	if err != nil {
 		ws.log.WithError(err).Warning("failed to save ipc key")
 		return
@@ -228,11 +219,7 @@ func (ws *WebServer) Shutdown() {
 	ws.log.Info("shutting down gunicorn")
 	ws.g.Kill()
 	tmp := os.TempDir()
-	err := os.Remove(path.Join(tmp, MetricsKeyFile))
-	if err != nil {
-		ws.log.WithError(err).Warning("failed to remove metrics key file")
-	}
-	err = os.Remove(path.Join(tmp, IPCKeyFile))
+	err := os.Remove(path.Join(tmp, IPCKeyFile))
 	if err != nil {
 		ws.log.WithError(err).Warning("failed to remove ipc key file")
 	}