fix: metrics endpoint

Author: GoliathLabs

README.md

@@ -135,7 +135,7 @@ See the [Releases section](https://github.com/freifunkMUC/wg-access-server/relea
   - `wg_access_server_devices_bytes_received_total`: sum of received bytes across devices
   - `wg_access_server_devices_bytes_transmitted_total`: sum of transmitted bytes across devices
 
-If both `EnableMetadata` and `EnableDeviceMetrics` are enabled, device-specific metrics are included in the output.
+If both `EnableMetadata` and `EnableDeviceMetrics` are enabled, device-specific metrics are included in the output. Set `metrics.basicAuth.username` and `metrics.basicAuth.passwordHash` (bcrypt) to protect the `/metrics` endpoint with HTTP Basic Auth.
 
 The software consists of a Golang server and a React app.
 

cmd/serve/main.go

@@ -45,7 +45,8 @@ func Register(app *kingpin.Application) *servecmd {
 	cli.Flag("external-host", "The external origin of the server (e.g. https://mydomain.com)").Envar("WG_EXTERNAL_HOST").StringVar(&cmd.AppConfig.ExternalHost)
 	cli.Flag("storage", "The storage backend connection string").Envar("WG_STORAGE").Default("memory://").StringVar(&cmd.AppConfig.Storage)
 	cli.Flag("enable-metadata", "Enable metadata collection (i.e. metrics)").Envar("WG_ENABLE_METADATA").Default("false").BoolVar(&cmd.AppConfig.EnableMetadata)
-	cli.Flag("enable-device-metrics", "Expose device-level metrics on /metrics (requires enable-metadata)").Envar("WG_ENABLE_DEVICE_METRICS").Default("true").BoolVar(&cmd.AppConfig.EnableDeviceMetrics)
+	cli.Flag("metrics-basic-auth-username", "Require basic auth for /metrics (username)").Envar("WG_METRICS_BASIC_AUTH_USERNAME").StringVar(&cmd.AppConfig.Metrics.BasicAuth.Username)
+	cli.Flag("metrics-basic-auth-password-hash", "Require basic auth for /metrics (bcrypt hash)").Envar("WG_METRICS_BASIC_AUTH_PASSWORD_HASH").StringVar(&cmd.AppConfig.Metrics.BasicAuth.PasswordHash)
 	cli.Flag("enable-inactive-device-deletion", "Enable inactive device deletion").Envar("WG_ENABLE_INACTIVE_DEVICE_DELETION").Default("false").BoolVar(&cmd.AppConfig.EnableInactiveDeviceDeletion)
 	cli.Flag("inactive-device-grace-period", "Duration after inactive device are deleted").Envar("WG_INACTIVE_DEVICE_GRACE_PERIOD").Default((1 * config.Year).String()).DurationVar(&cmd.AppConfig.InactiveDeviceGracePeriod)
 	cli.Flag("filename", "The configuration filename (e.g. WireGuard-Home)").Envar("WG_FILENAME").StringVar(&cmd.AppConfig.Filename)
@@ -249,8 +250,8 @@ func (cmd *servecmd) Run() {
 	// Health check endpoint
 	router.PathPrefix("/health").Handler(services.HealthEndpoint(deviceManager))
 
-	// Prometheus metrics endpoint (public, no auth)
-	router.Path("/metrics").Handler(services.MetricsHandler(&services.MetricsDeps{
+	// Prometheus metrics endpoint (optionally basic-auth protected)
+	router.Path("/metrics").Handler(services.MetricsEndpoint(&services.MetricsDeps{
 		Config:        conf,
 		DeviceManager: deviceManager,
 	}))
@@ -378,6 +379,13 @@ func (cmd *servecmd) ReadConfig() *config.AppConfig {
 	} else if !cmd.AppConfig.EnableDeviceMetrics {
 		logrus.Info("Device-level Prometheus metrics are disabled; metadata remains available for the UI")
 	}
+	if cmd.AppConfig.Metrics.BasicAuth.Username != "" {
+		if cmd.AppConfig.Metrics.BasicAuth.PasswordHash == "" {
+			logrus.Warn("Metrics basic auth username is set but password hash is missing")
+		} else {
+			logrus.Info("Basic auth is enabled for /metrics")
+		}
+	}
 
 	if !cmd.AppConfig.Auth.IsEnabled() {
 		if cmd.AppConfig.AdminPassword == "" {

docs/2-configuration.md

@@ -40,6 +40,8 @@ Here's what you can configure:
 | `WG_STORAGE`                         | `--storage`                         | `storage`                      |          | `sqlite3:///data/db.sqlite3`                 | A storage backend connection string. See [storage docs](./3-storage.md)                                                                                                                                                                                                       |
 | `WG_ENABLE_METADATA`                 | `--enable-metadata`                 | `enableMetadata`               |          | `false`                                      | Turn on collection of device metadata logging. Includes last handshake time and RX/TX bytes only.                                                                                                                                                                             |
 | `WG_ENABLE_DEVICE_METRICS`           | `--enable-device-metrics`           | `enableDeviceMetrics`          |          | `true`                                       | Expose device-level Prometheus metrics on `/metrics`. Requires `enableMetadata` to provide data.                                                                                                                                                                              |
+| `WG_METRICS_BASIC_AUTH_USERNAME`     | `--metrics-basic-auth-username`     | `metrics.basicAuth.username`   |          |                                              | Username required when accessing `/metrics`. Leave empty to keep the endpoint unauthenticated.                                                                                                                                                                                |
+| `WG_METRICS_BASIC_AUTH_PASSWORD_HASH` | `--metrics-basic-auth-password-hash` | `metrics.basicAuth.passwordHash` |          |                                              | Bcrypt hash of the password required for `/metrics`. Use together with the username to protect the endpoint.                                                                                                                                                                 |
 | `WG_ENABLE_INACTIVE_DEVICE_DELETION` | `--enable-inactive-device-deletion` | `enableInactiveDeviceDeletion` |          | `false`                                      | Enable/Disable the automatic deletion of inactive devices.                                                                                                                                                                                                                    |
 | `WG_INACTIVE_DEVICE_GRACE_PERIOD`    | `--inactive-device-grace-period`    | `inactiveDeviceGracePeriod`    |          | `8760h` (1 Year)                             | The duration after which inactive devices are automatically deleted, if automatic deletion is enabled. A device is inactive if it has not been connected to the server for longer than the inactive device grace period. The duration format is the go duration string format |
 | `WG_FILENAME        `                | `--filename`                        | `filename`                     |          | `WireGuard`                                  | Change the name of the configuration file the user can download (Do not include the '.conf' extension )                                                                                                                                                                       |

internal/config/config.go

@@ -160,6 +160,15 @@ type AppConfig struct {
 		// Defaults to 0 (disabled)
 		PersistentKeepalive int `yaml:"PersistentKeepalive"`
 	} `yaml:"clientConfig"`
+	// Metrics configures access to the /metrics endpoint.
+	Metrics struct {
+		BasicAuth struct {
+			// Username required when accessing /metrics. Empty disables auth.
+			Username string `yaml:"username"`
+			// Bcrypt hashed password required when accessing /metrics.
+			PasswordHash string `yaml:"passwordHash"`
+		} `yaml:"basicAuth"`
+	} `yaml:"metrics"`
 	// Auth configures optional authentication backends
 	// to control access to the web ui.
 	// Devices will be managed on a per-user basis if any

internal/services/basic_auth.go

@@ -0,0 +1,21 @@
+package services
+
+import (
+	"crypto/subtle"
+	"net/http"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+// basicAuthHandler wraps h with HTTP Basic Auth using a bcrypt hashed password.
+func basicAuthHandler(h http.Handler, realm, username, passwordHash string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		u, p, ok := r.BasicAuth()
+		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(username)) != 1 || bcrypt.CompareHashAndPassword([]byte(passwordHash), []byte(p)) != nil {
+			w.Header().Set("WWW-Authenticate", "Basic realm=\""+realm+"\"")
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}

internal/services/metrics.go

@@ -18,8 +18,8 @@ type MetricsDeps struct {
 }
 
 // MetricsHandler returns an http.Handler that exposes Prometheus metrics.
-// It honors EnableMetadata/EnableDeviceMetrics by including device-specific metrics only when both are enabled,
-// but still exposes basic process/go/build metrics.
+// Device-level gauges are only registered when both metadata collection and
+// device metrics are enabled, but process/build metrics are always exposed.
 func MetricsHandler(deps *MetricsDeps) http.Handler {
 	reg := prometheus.NewRegistry()
 
@@ -130,3 +130,13 @@ func MetricsHandler(deps *MetricsDeps) http.Handler {
 
 	return promhttp.HandlerFor(reg, promhttp.HandlerOpts{EnableOpenMetrics: true})
 }
+
+// MetricsEndpoint wraps MetricsHandler with optional basic auth protection.
+func MetricsEndpoint(deps *MetricsDeps) http.Handler {
+	h := MetricsHandler(deps)
+	creds := deps.Config.Metrics.BasicAuth
+	if creds.Username == "" || creds.PasswordHash == "" {
+		return h
+	}
+	return basicAuthHandler(h, "metrics", creds.Username, creds.PasswordHash)
+}