From 306db4b46c47ee17ae59ecf6819d9cd8fc6cce4a Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 10 Feb 2025 12:13:21 +0100
Subject: [PATCH] check metrics password
---
 src/server/routes/metrics/index.get.ts | 12 +-----
 src/server/routes/metrics/json.get.ts | 12 +-----
 src/server/utils/handler.ts | 58 ++++++++++++++++++++++++++
 3 files changed, 60 insertions(+), 22 deletions(-)
diff --git a/src/server/routes/metrics/index.get.ts b/src/server/routes/metrics/index.get.ts
index 427e84ec..2d5a9f27 100644
--- a/src/server/routes/metrics/index.get.ts
+++ b/src/server/routes/metrics/index.get.ts
@@ -1,14 +1,4 @@
-export default defineEventHandler(async (event) => {
- // TODO: check password
-
- const prometheus = await Database.metrics.prometheus.get('wg0');
- if (!prometheus) {
- throw createError({
- statusCode: 400,
- message: 'Prometheus metrics are not enabled',
- });
- }
-
+export default defineMetricsHandler('prometheus', async ({ event }) => {
 setHeader(event, 'Content-Type', 'text/plain');
 return getPrometheusResponse();
 });
diff --git a/src/server/routes/metrics/json.get.ts b/src/server/routes/metrics/json.get.ts
index d9211241..e89e64b8 100644
--- a/src/server/routes/metrics/json.get.ts
+++ b/src/server/routes/metrics/json.get.ts
@@ -1,13 +1,3 @@
-export default defineEventHandler(async () => {
- // TODO: check password
-
- const prometheus = await Database.metrics.prometheus.get('wg0');
- if (!prometheus) {
- throw createError({
- statusCode: 400,
- message: 'Prometheus metrics are not enabled',
- });
- }
-
+export default defineMetricsHandler('prometheus', async () => {
 return getMetricsJSON();
 });
diff --git a/src/server/utils/handler.ts b/src/server/utils/handler.ts
index 754bb8d3..20b3c852 100644
--- a/src/server/utils/handler.ts
+++ b/src/server/utils/handler.ts
@@ -57,3 +57,61 @@ export const defineSetupEventHandler = <
 return await handler({ event, setup });
 });
 };
+
+type Metrics = 'prometheus';
+
+type MetricsHandler<
+ TReq extends EventHandlerRequest,
+ TRes extends EventHandlerResponse,
+> = { (params: { event: H3Event }): TRes };
+
+/**
+ * check if the metrics are enabled and the token is correct
+ */
+export const defineMetricsHandler = <
+ TReq extends EventHandlerRequest,
+ TRes extends EventHandlerResponse,
+>(
+ type: Metrics,
+ handler: MetricsHandler
+) => {
+ return defineEventHandler(async (event) => {
+ const auth = getHeader(event, 'Authorization');
+
+ if (!auth) {
+ throw createError({
+ statusCode: 401,
+ statusMessage: 'Unauthorized',
+ });
+ }
+
+ const [method, value] = auth.split(' ');
+
+ if (method !== 'Bearer' || !value) {
+ throw createError({
+ statusCode: 401,
+ statusMessage: 'Bearer Auth required',
+ });
+ }
+
+ const metricsConfig = await Database.metrics[type].get('wg0');
+
+ if (!metricsConfig) {
+ throw createError({
+ statusCode: 400,
+ statusMessage: 'Metrics not enabled',
+ });
+ }
+
+ const tokenValid = await isPasswordValid(value, metricsConfig.password);
+
+ if (!tokenValid) {
+ throw createError({
+ statusCode: 401,
+ statusMessage: 'Incorrect token',
+ });
+ }
+
+ return await handler({ event });
+ });
+};
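Review bot: In `defineMetricsHandler`, `metricsConfig.password` is passed straight to `isPasswordValid` with no check that a password is actually configured. Neither the config schema nor `isPasswordValid` is visible in this patch, so if metrics can be enabled without a password, the result depends entirely on how that helper treats an empty or missing value. I would fail closed before the comparison, e.g. `if (!metricsConfig.password) throw createError({ statusCode: 401, statusMessage: 'Unauthorized' });`. Separately, the 400 'Metrics not enabled' branch runs before the token check, so any client sending an arbitrary non-empty Bearer value can tell whether metrics are on; answering both cases with the same 401 would close that. The 401 responses also carry no `WWW-Authenticate: Bearer` header, and `method !== 'Bearer'` is case-sensitive although HTTP auth scheme names are case-insensitive.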