From 986c3e5fa2a29d817255d3c7566cc943f1e698c8 Mon Sep 17 00:00:00 2001
From: vpalmisano
Date: Fri, 9 Apr 2021 19:06:51 +0200
Subject: [PATCH] add authorization header option for metrics http endpoint
---
 compose/config/edumeet-server-config.js | 3 ++-
 compose/config/prometheus.yml | 14 ++++----------
 server/config/config.example.js | 1 +
 server/lib/promExporter.js | 6 ++++++
 4 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/compose/config/edumeet-server-config.js b/compose/config/edumeet-server-config.js
index 15ce1a13..1711d539 100644
--- a/compose/config/edumeet-server-config.js
+++ b/compose/config/edumeet-server-config.js
@@ -503,7 +503,8 @@ module.exports =
 port : 8889, // allocated port
 quiet : false, // include fewer labels
 // aggregated metrics options
- period : 15 // update period (seconds)
+ period : 15, // update period (seconds)
+ secret : null // if set, checks the authorization header: `Bearer `
 }
 };
diff --git a/compose/config/prometheus.yml b/compose/config/prometheus.yml
index 7a52f668..7768b981 100644
--- a/compose/config/prometheus.yml
+++ b/compose/config/prometheus.yml
@@ -14,23 +14,17 @@ rule_files:
 # - "first.rules"
 # - "second.rules"
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
 scrape_configs:
-# The job name is added as a label `job=` to any timeseries scraped from this config.
 - job_name: 'prometheus'
 scrape_interval: 15s
- # metrics_path defaults to '/metrics'
- # scheme defaults to 'http'.
 static_configs:
- - targets: ['localhost:9090','node-exporter:9100','edumeet:8889']
+ - targets: ['localhost:9090','node-exporter:9100']
 - job_name: 'edumeet'
 scrape_interval: 15s
 metrics_path: /metrics
 scheme: http
- #basic_auth:
- # username:
- # password:
- # password_file:
+ # authorization:
+ # type: Bearer
+ # credentials: "prometheus-secret"
 static_configs:
 - targets: ['edumeet:8889']
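Review bot: The comment on the new `secret` option in compose/config/edumeet-server-config.js does not say what the default means: with `null` (or an empty string) the guard added in server/lib/promExporter.js is skipped, so `/metrics` on port 8889 answers without any authorization. I would spell that out, e.g. `secret : null // null = no auth on /metrics; if set, requests must send "Authorization: Bearer <secret>"`, and mention that the value has to match the `credentials` entry in compose/config/prometheus.yml. The same comment is added in server/config/config.example.js and would benefit from the same wording. The enclosing object literal starts outside the hunk.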
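Review bot: The commented `authorization` example in the `edumeet` job of compose/config/prometheus.yml writes the token inline as `credentials: "prometheus-secret"` while the job keeps `scheme: http`, so a deployment that simply uncomments it ships a published sample value and sends it unencrypted on every scrape. I would point the example at a file instead, `# credentials_file: /path/to/metrics-token` (placeholder path), and add a comment that the token must equal the `secret` set in edumeet-server-config.js. A one-line comment that plain `http` is only acceptable when Prometheus and edumeet share a private network would also help; whether that holds for this compose setup is not visible in the hunk.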
diff --git a/server/config/config.example.js b/server/config/config.example.js
index 4698c08a..1deea6ba 100644
--- a/server/config/config.example.js
+++ b/server/config/config.example.js
@@ -473,6 +473,7 @@ module.exports =
 quiet : false // include fewer labels
 // aggregated metrics options
 period : 15 // update period (seconds)
+ secret : null // if set, checks the authorization header: `Bearer `
 }
 */
 };
diff --git a/server/lib/promExporter.js b/server/lib/promExporter.js
index 2fcd11b7..b748a5b3 100644
--- a/server/lib/promExporter.js
+++ b/server/lib/promExporter.js
@@ -51,6 +51,12 @@ module.exports = async function(rooms, peers, config)
 app.get('/metrics', async (req, res) =>
 {
 logger.debug(`GET ${req.originalUrl}`);
+
+ if (config.secret && req.headers.authorization !== 'Bearer ' + config.secret)
+ {
+ logger.error(`Invalid authorization header`);
+ return res.status(401).end();
+ }
 res.set('Content-Type', registerAggregated.contentType);
 const data = await registerAggregated.metrics();
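Review bot: In server/config/config.example.js the new `secret` line follows `period : 15`, which has no trailing comma, and `quiet : false` above it has none either, so uncommenting this example block as written gives a syntax error. The compose config in this same commit adds the comma, but the example does not. I would change the two context lines to `quiet : false, // include fewer labels` and `period : 15, // update period (seconds)`. The commented-out block starts outside the hunk.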
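Review bot: The token check in the `/metrics` handler of server/lib/promExporter.js compares `req.headers.authorization` with `'Bearer ' + config.secret` using `!==`, which is not a constant-time comparison. For a shared secret checked on a network endpoint I would compare equal-length buffers with `crypto.timingSafeEqual` instead. The 401 reply also carries no `WWW-Authenticate` challenge, which clients expect on that status. The sketch below needs `crypto` required at the top of the file, which is outside this hunk, and the handler body continues past the hunk's last line.

```javascript
	logger.debug(`GET ${req.originalUrl}`);

	if (config.secret)
	{
		const expected = Buffer.from(`Bearer ${config.secret}`);
		const provided = Buffer.from(req.headers.authorization || '');

		// timingSafeEqual throws on unequal lengths, so check the length first.
		if (provided.length !== expected.length ||
			!crypto.timingSafeEqual(provided, expected))
		{
			logger.error('Invalid authorization header');
			res.set('WWW-Authenticate', 'Bearer');

			return res.status(401).end();
		}
	}
	// … unchanged: Content-Type header and registerAggregated.metrics() …
```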