feat: add new Prometheus metrics and bearer token auth for /metrics

Add 6 new Prometheus metrics for richer observability: - auth_attempts_by_country_total (counter by country) - commands_executed_total (counter by shell via OnCommand callback) - human_score (histogram of final detection scores) - storage_login_attempts_total, storage_unique_ips, storage_sessions_total (gauges via custom collector querying GetDashboardStats on each scrape) Add optional bearer token authentication for the /metrics endpoint via web.metrics_token config option. Uses crypto/subtle.ConstantTimeCompare. Empty token (default) means no auth for backwards compatibility. Also adds "cisco" to pre-initialized session/command metric labels. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 15:54:29 +01:00
parent 9aecc7ce02
commit df860b3061
16 changed files with 301 additions and 23 deletions
--- a/internal/web/web.go
+++ b/internal/web/web.go
@@ -1,9 +1,11 @@
 package web

 import (
+	"crypto/subtle"
 	"embed"
 	"log/slog"
 	"net/http"
+	"strings"

 	"git.t-juice.club/torjus/oubliette/internal/storage"
 )
@@ -21,7 +23,8 @@ type Server struct {

 // NewServer creates a new web Server with routes registered.
 // If metricsHandler is non-nil, a /metrics endpoint is registered.
-func NewServer(store storage.Store, logger *slog.Logger, metricsHandler http.Handler) (*Server, error) {
+// If metricsToken is non-empty, the metrics endpoint requires Bearer token auth.
+func NewServer(store storage.Store, logger *slog.Logger, metricsHandler http.Handler, metricsToken string) (*Server, error) {
 	tmpl, err := loadTemplates()
 	if err != nil {
 		return nil, err
@@ -42,7 +45,11 @@ func NewServer(store storage.Store, logger *slog.Logger, metricsHandler http.Han
 	s.mux.HandleFunc("GET /fragments/active-sessions", s.handleFragmentActiveSessions)

 	if metricsHandler != nil {
-		s.mux.Handle("GET /metrics", metricsHandler)
+		h := metricsHandler
+		if metricsToken != "" {
+			h = requireBearerToken(metricsToken, h)
+		}
+		s.mux.Handle("GET /metrics", h)
 	}

 	return s, nil
@@ -52,3 +59,20 @@ func NewServer(store storage.Store, logger *slog.Logger, metricsHandler http.Han
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.mux.ServeHTTP(w, r)
 }
+
+// requireBearerToken wraps a handler to require a valid Bearer token.
+func requireBearerToken(token string, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		auth := r.Header.Get("Authorization")
+		if !strings.HasPrefix(auth, "Bearer ") {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+		provided := auth[len("Bearer "):]
+		if subtle.ConstantTimeCompare([]byte(provided), []byte(token)) != 1 {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}