Problem/Motivation

Currently the token can only be provided via query string (?token=xxx). Query string tokens:

  • Appear in server access logs
  • May be cached by proxies
  • Visible in browser history

Supporting an HTTP header (e.g., Authorization: Bearer xxx or X-Prometheus-Token: xxx) would be more secure for production use.

Proposed resolution

Modify TokenAccessCheck to accept the token from either:

  • Query string: `?token=xxx` (existing behavior)
  • HTTP header: `Authorization: Bearer xxx` or custom header

Comments

nterbogt created an issue.

kim.pepper

Title: Allow use of a header for auth token » Support token via HTTP header

  • kim.pepper committed b704129d on 3587918-token-header-support
    perf: #3587918 early return when no token configured
    

  • kim.pepper committed 981e9474 on 2.x
    feat: #3587918 Support token via HTTP header
    
    By: nterbogt
    By: kim....
kim.pepper

Status: Active » Fixed

Committed to 2.x
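
The proposed resolution from the issue summary, sketched as an added example in plain PHP; it is not the module's `TokenAccessCheck` or any code from this issue. `extractToken()` and `tokenIsValid()` are hypothetical names, the token value is constructed, and both the header-before-query precedence and failing closed when no token is configured are assumptions of this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: return the token a request presents, or null.
// $headers maps header name => value, $query holds parsed query parameters.
function extractToken(array $headers, array $query): ?string {
  // Header field names are case-insensitive, so normalise before lookup.
  $headers = array_change_key_case($headers, CASE_LOWER);
  $auth = $headers['authorization'] ?? null;
  // Bearer scheme with the RFC 6750 b64token alphabet; scheme name is case-insensitive.
  if (is_string($auth)
      && preg_match('#^Bearer +([A-Za-z0-9\-._~+/]+=*)$#iD', $auth, $m) === 1) {
    return $m[1];
  }
  // Existing behaviour: ?token=xxx. "?token[]=x" parses to an array, so
  // anything other than a non-empty string is treated as absent.
  $token = $query['token'] ?? null;
  return (is_string($token) && $token !== '') ? $token : null;
}

// Hypothetical check: true only when the presented token equals the configured one.
function tokenIsValid(string $configured, array $headers, array $query): bool {
  // Early return when no token is configured (assumption: fail closed).
  if ($configured === '') {
    return false;
  }
  $presented = extractToken($headers, $query);
  // hash_equals() compares in constant time, so response timing does not
  // reveal how many leading characters of a guess were correct.
  return $presented !== null && hash_equals($configured, $presented);
}

// Constructed sample requests; the token is a placeholder, not a real secret.
$configured = 'example-token-not-a-real-secret';
$cases = [
  'header, correct token'  => [['Authorization' => "Bearer $configured"], []],
  'header, lowercase name' => [['authorization' => "bearer $configured"], []],
  'header, wrong token'    => [['Authorization' => 'Bearer wrong'], []],
  'query string, correct'  => [[], ['token' => $configured]],
  'query string as array'  => [[], ['token' => [$configured]]],
  'no token presented'     => [[], []],
];
foreach ($cases as $label => [$headers, $query]) {
  printf("%-24s %s\n", $label, tokenIsValid($configured, $headers, $query) ? 'allow' : 'deny');
}
printf("%-24s %s\n", 'nothing configured', tokenIsValid('', [], ['token' => '']) ? 'allow' : 'deny');
```

Moving the token into a header only keeps it out of access logs, proxy caches and browser history if the scrape client is also reconfigured to stop sending `?token=`.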
