Add basic auth support for the metrics endpoint

Author: Anyitechs

e2e-tests/src/lib.rs

@@ -97,10 +97,24 @@ pub struct LdkServerHandle {
 	client: LdkServerClient,
 }
 
+pub struct LdkServerConfig {
+	pub metrics_auth: Option<(String, String)>,
+}
+
+impl Default for LdkServerConfig {
+	fn default() -> Self {
+		Self { metrics_auth: None }
+	}
+}
+
 impl LdkServerHandle {
 	/// Starts a new ldk-server instance against the given bitcoind.
 	/// Waits until the server is ready to accept requests.
 	pub async fn start(bitcoind: &TestBitcoind) -> Self {
+		Self::start_with_config(bitcoind, LdkServerConfig::default()).await
+	}
+
+	pub async fn start_with_config(bitcoind: &TestBitcoind, config: LdkServerConfig) -> Self {
 		#[allow(deprecated)]
 		let storage_dir = tempfile::tempdir().unwrap().into_path();
 		let rest_port = find_available_port();
@@ -111,6 +125,12 @@ impl LdkServerHandle {
 
 		let exchange_name = format!("e2e_test_exchange_{rest_port}");
 
+		let metrics_auth_config = if let Some((user, pass)) = config.metrics_auth {
+			format!("username = \"{}\"\npassword = \"{}\"", user, pass)
+		} else {
+			String::new()
+		};
+
 		let config_content = format!(
 			r#"[node]
 network = "regtest"
@@ -144,7 +164,9 @@ client_trusts_lsp = true
 [metrics]
 enabled = true
 poll_metrics_interval = 1
+{}
 "#,
+			metrics_auth_config,
 			storage_dir = storage_dir.display(),
 		);
 

e2e-tests/tests/e2e.rs

@@ -12,7 +12,8 @@ use std::time::Duration;
 
 use e2e_tests::{
 	find_available_port, mine_and_sync, run_cli, run_cli_raw, setup_funded_channel,
-	wait_for_onchain_balance, LdkServerHandle, RabbitMqEventConsumer, TestBitcoind,
+	wait_for_onchain_balance, LdkServerConfig, LdkServerHandle, RabbitMqEventConsumer,
+	TestBitcoind,
 };
 use hex_conservative::{DisplayHex, FromHex};
 use ldk_node::bitcoin::hashes::{sha256, Hash};
@@ -1087,3 +1088,40 @@ async fn test_metrics_endpoint() {
 		tokio::time::sleep(Duration::from_millis(500)).await;
 	}
 }
+
+#[tokio::test]
+async fn test_metrics_endpoint_with_auth() {
+	let bitcoind = TestBitcoind::new();
+
+	let username = "admin";
+	let password = "password123";
+
+	let config =
+		LdkServerConfig { metrics_auth: Some((username.to_string(), password.to_string())) };
+
+	let server = LdkServerHandle::start_with_config(&bitcoind, config).await;
+	let client = server.client();
+
+	// Should fail because auth is provided in the config
+	let result = client.get_metrics().await;
+	assert!(result.is_err(), "Expected failure without credentials");
+
+	// Request has the correct auth, so it should succeed
+	let result = client.get_metrics_with_auth(Some(username), Some(password)).await;
+
+	assert!(result.is_ok(), "Expected success with correct credentials");
+	let metrics = result.unwrap();
+
+	assert!(metrics.contains("ldk_server_total_peers_count 0"));
+	assert!(metrics.contains("ldk_server_total_payments_count 0"));
+	assert!(metrics.contains("ldk_server_total_successful_payments_count 0"));
+	assert!(metrics.contains("ldk_server_total_pending_payments_count 0"));
+	assert!(metrics.contains("ldk_server_total_failed_payments_count 0"));
+	assert!(metrics.contains("ldk_server_total_channels_count 0"));
+	assert!(metrics.contains("ldk_server_total_public_channels_count 0"));
+	assert!(metrics.contains("ldk_server_total_private_channels_count 0"));
+	assert!(metrics.contains("ldk_server_total_onchain_balance_sats 0"));
+	assert!(metrics.contains("ldk_server_spendable_onchain_balance_sats 0"));
+	assert!(metrics.contains("ldk_server_total_anchor_channels_reserve_sats 0"));
+	assert!(metrics.contains("ldk_server_total_lightning_balance_sats 0"));
+}

ldk-server-client/src/client.rs

@@ -40,11 +40,12 @@ use ldk_server_protos::endpoints::{
 	BOLT11_RECEIVE_VIA_JIT_CHANNEL_PATH, BOLT11_SEND_PATH, BOLT12_RECEIVE_PATH, BOLT12_SEND_PATH,
 	CLOSE_CHANNEL_PATH, CONNECT_PEER_PATH, DECODE_INVOICE_PATH, DECODE_OFFER_PATH,
 	DISCONNECT_PEER_PATH, EXPORT_PATHFINDING_SCORES_PATH, FORCE_CLOSE_CHANNEL_PATH,
-	GET_BALANCES_PATH, GET_METRICS_PATH, GET_NODE_INFO_PATH, GET_PAYMENT_DETAILS_PATH, GRAPH_GET_CHANNEL_PATH,
-	GRAPH_GET_NODE_PATH, GRAPH_LIST_CHANNELS_PATH, GRAPH_LIST_NODES_PATH, LIST_CHANNELS_PATH,
-	LIST_FORWARDED_PAYMENTS_PATH, LIST_PAYMENTS_PATH, LIST_PEERS_PATH, ONCHAIN_RECEIVE_PATH,
-	ONCHAIN_SEND_PATH, OPEN_CHANNEL_PATH, SIGN_MESSAGE_PATH, SPLICE_IN_PATH, SPLICE_OUT_PATH,
-	SPONTANEOUS_SEND_PATH, UNIFIED_SEND_PATH, UPDATE_CHANNEL_CONFIG_PATH, VERIFY_SIGNATURE_PATH,
+	GET_BALANCES_PATH, GET_METRICS_PATH, GET_NODE_INFO_PATH, GET_PAYMENT_DETAILS_PATH,
+	GRAPH_GET_CHANNEL_PATH, GRAPH_GET_NODE_PATH, GRAPH_LIST_CHANNELS_PATH, GRAPH_LIST_NODES_PATH,
+	LIST_CHANNELS_PATH, LIST_FORWARDED_PAYMENTS_PATH, LIST_PAYMENTS_PATH, LIST_PEERS_PATH,
+	ONCHAIN_RECEIVE_PATH, ONCHAIN_SEND_PATH, OPEN_CHANNEL_PATH, SIGN_MESSAGE_PATH, SPLICE_IN_PATH,
+	SPLICE_OUT_PATH, SPONTANEOUS_SEND_PATH, UNIFIED_SEND_PATH, UPDATE_CHANNEL_CONFIG_PATH,
+	VERIFY_SIGNATURE_PATH,
 };
 use ldk_server_protos::error::{ErrorCode, ErrorResponse};
 use prost::bytes::Bytes;
@@ -123,8 +124,17 @@ impl LdkServerClient {
 
 	/// Retrieve the node metrics in Prometheus format.
 	pub async fn get_metrics(&self) -> Result<String, LdkServerError> {
+		self.get_metrics_with_auth(None, None).await
+	}
+
+	/// Retrieve the node metrics in Prometheus format using Basic Auth.
+	pub async fn get_metrics_with_auth(
+		&self, username: Option<&str>, password: Option<&str>,
+	) -> Result<String, LdkServerError> {
 		let url = format!("https://{}/{GET_METRICS_PATH}", self.base_url);
-		let payload = self.make_request(&url, RequestType::Get, None, false).await?;
+		let payload =
+			self.make_request(&url, RequestType::Get, None, false, username, password).await?;
+
 		String::from_utf8(payload.to_vec()).map_err(|e| {
 			LdkServerError::new(
 				InternalError,
@@ -468,21 +478,23 @@ impl LdkServerClient {
 		&self, request: &Rq, url: &str,
 	) -> Result<Rs, LdkServerError> {
 		let request_body = request.encode_to_vec();
-		let payload = self.make_request(url, RequestType::Post, Some(request_body), true).await?;
+		let payload =
+			self.make_request(url, RequestType::Post, Some(request_body), true, None, None).await?;
 		Rs::decode(&payload[..]).map_err(|e| {
 			LdkServerError::new(InternalError, format!("Failed to decode success response: {}", e))
 		})
 	}
 
 	async fn make_request(
-		&self, url: &str, request_type: RequestType, body: Option<Vec<u8>>, authenticated: bool,
+		&self, url: &str, request_type: RequestType, body: Option<Vec<u8>>,
+		hmac_authenticated: bool, metrics_username: Option<&str>, metrics_password: Option<&str>,
 	) -> Result<Bytes, LdkServerError> {
 		let builder = match request_type {
 			RequestType::Get => self.client.get(url),
 			RequestType::Post => self.client.post(url),
 		};
 
-		let builder = if authenticated {
+		let builder = if hmac_authenticated {
 			let body_for_auth = body.as_deref().unwrap_or(&[]);
 			let auth_header = self.compute_auth_header(body_for_auth);
 			builder.header("X-Auth", auth_header)
@@ -496,10 +508,23 @@ impl LdkServerClient {
 			builder
 		};
 
+		let builder = if let (Some(username), Some(password)) = (metrics_username, metrics_password)
+		{
+			builder.basic_auth(username, Some(password))
+		} else {
+			builder
+		};
+
 		let response_raw = builder.send().await.map_err(|e| {
 			LdkServerError::new(InternalError, format!("HTTP request failed: {}", e))
 		})?;
 
+		self.handle_response(response_raw).await
+	}
+
+	async fn handle_response(
+		&self, response_raw: reqwest::Response,
+	) -> Result<Bytes, LdkServerError> {
 		let status = response_raw.status();
 		let payload = response_raw.bytes().await.map_err(|e| {
 			LdkServerError::new(InternalError, format!("Failed to read response body: {}", e))

ldk-server/ldk-server-config.toml

@@ -93,3 +93,6 @@ client_trusts_lsp = false
 [metrics]
 enabled = false
 poll_metrics_interval = 60       # The polling interval for metrics in seconds. Defaults to 60secs if unset and metrics enabled.
+# The auth details below are optional, but uncommenting the fields means enabling basic auth, so valid fields must be supplied.
+#username = ""               # The username required to access the metrics endpoint (Basic Auth).
+#password = ""               # The password required to access the metrics endpoint (Basic Auth).

ldk-server/src/main.rs

@@ -18,6 +18,8 @@ use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
+use base64::prelude::BASE64_STANDARD;
+use base64::Engine;
 use clap::Parser;
 use hex::DisplayHex;
 use hyper::server::conn::http1;
@@ -296,6 +298,15 @@ fn main() {
 			None
 		};
 
+		let metrics_auth_header = if let (Some(username), Some(password)) =
+			(config_file.metrics_username.as_ref(), config_file.metrics_password.as_ref())
+		{
+			let auth = format!("{}:{}", username, password);
+			Some(format!("Basic {}", BASE64_STANDARD.encode(auth)))
+		} else {
+			None
+		};
+
 		let rest_svc_listener = TcpListener::bind(config_file.rest_service_addr)
 			.await
 			.expect("Failed to bind listening port");
@@ -488,7 +499,13 @@ fn main() {
 				res = rest_svc_listener.accept() => {
 					match res {
 						Ok((stream, _)) => {
-							let node_service = NodeService::new(Arc::clone(&node), Arc::clone(&paginated_store), api_key.clone(), metrics.clone());
+							let node_service = NodeService::new(
+								Arc::clone(&node),
+								Arc::clone(&paginated_store),
+								api_key.clone(),
+								metrics.clone(),
+								metrics_auth_header.clone(),
+							);
 							let acceptor = tls_acceptor.clone();
 							runtime.spawn(async move {
 								match acceptor.accept(stream).await {

ldk-server/src/service.rs

@@ -24,11 +24,12 @@ use ldk_server_protos::endpoints::{
 	BOLT11_RECEIVE_VIA_JIT_CHANNEL_PATH, BOLT11_SEND_PATH, BOLT12_RECEIVE_PATH, BOLT12_SEND_PATH,
 	CLOSE_CHANNEL_PATH, CONNECT_PEER_PATH, DECODE_INVOICE_PATH, DECODE_OFFER_PATH,
 	DISCONNECT_PEER_PATH, EXPORT_PATHFINDING_SCORES_PATH, FORCE_CLOSE_CHANNEL_PATH,
-	GET_BALANCES_PATH, GET_METRICS_PATH, GET_NODE_INFO_PATH, GET_PAYMENT_DETAILS_PATH, GRAPH_GET_CHANNEL_PATH,
-	GRAPH_GET_NODE_PATH, GRAPH_LIST_CHANNELS_PATH, GRAPH_LIST_NODES_PATH, LIST_CHANNELS_PATH,
-	LIST_FORWARDED_PAYMENTS_PATH, LIST_PAYMENTS_PATH, LIST_PEERS_PATH, ONCHAIN_RECEIVE_PATH,
-	ONCHAIN_SEND_PATH, OPEN_CHANNEL_PATH, SIGN_MESSAGE_PATH, SPLICE_IN_PATH, SPLICE_OUT_PATH,
-	SPONTANEOUS_SEND_PATH, UNIFIED_SEND_PATH, UPDATE_CHANNEL_CONFIG_PATH, VERIFY_SIGNATURE_PATH,
+	GET_BALANCES_PATH, GET_METRICS_PATH, GET_NODE_INFO_PATH, GET_PAYMENT_DETAILS_PATH,
+	GRAPH_GET_CHANNEL_PATH, GRAPH_GET_NODE_PATH, GRAPH_LIST_CHANNELS_PATH, GRAPH_LIST_NODES_PATH,
+	LIST_CHANNELS_PATH, LIST_FORWARDED_PAYMENTS_PATH, LIST_PAYMENTS_PATH, LIST_PEERS_PATH,
+	ONCHAIN_RECEIVE_PATH, ONCHAIN_SEND_PATH, OPEN_CHANNEL_PATH, SIGN_MESSAGE_PATH, SPLICE_IN_PATH,
+	SPLICE_OUT_PATH, SPONTANEOUS_SEND_PATH, UNIFIED_SEND_PATH, UPDATE_CHANNEL_CONFIG_PATH,
+	VERIFY_SIGNATURE_PATH,
 };
 use prost::Message;
 
@@ -85,14 +86,15 @@ pub struct NodeService {
 	paginated_kv_store: Arc<dyn PaginatedKVStore>,
 	api_key: String,
 	metrics: Option<Arc<Metrics>>,
+	metrics_auth_header: Option<String>,
 }
 
 impl NodeService {
 	pub(crate) fn new(
 		node: Arc<Node>, paginated_kv_store: Arc<dyn PaginatedKVStore>, api_key: String,
-		metrics: Option<Arc<Metrics>>,
+		metrics: Option<Arc<Metrics>>, metrics_auth_header: Option<String>,
 	) -> Self {
-		Self { node, paginated_kv_store, api_key, metrics }
+		Self { node, paginated_kv_store, api_key, metrics, metrics_auth_header }
 	}
 }
 
@@ -181,6 +183,19 @@ impl Service<Request<Incoming>> for NodeService {
 			&& req.uri().path().len() > 1
 			&& &req.uri().path()[1..] == GET_METRICS_PATH
 		{
+			if let Some(expected_header) = &self.metrics_auth_header {
+				let auth_header = req.headers().get("Authorization").and_then(|h| h.to_str().ok());
+				if auth_header != Some(expected_header) {
+					return Box::pin(async move {
+						Ok(Response::builder()
+							.status(StatusCode::UNAUTHORIZED)
+							.header("WWW-Authenticate", "Basic realm=\"metrics\"")
+							.body(Full::new(Bytes::from("Unauthorized")))
+							.unwrap())
+					});
+				}
+			}
+
 			if let Some(metrics) = &self.metrics {
 				let metrics = Arc::clone(metrics);
 				return Box::pin(async move {