From a3f4f3056c8368ba83c75d55c8ca1a3bbbe4f536 Mon Sep 17 00:00:00 2001
From: Anbraten <anton@ju60.de>
Date: Fri, 9 Dec 2022 18:03:43 +0100
Subject: [PATCH] disable metrics access if no token is set (#1469)

---
 docs/docs/30-administration/10-server-config.md | 1 +
 server/api/metrics/prometheus.go                | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/docs/30-administration/10-server-config.md b/docs/docs/30-administration/10-server-config.md
index 4b7a86987..e7bc6f129 100644
--- a/docs/docs/30-administration/10-server-config.md
+++ b/docs/docs/30-administration/10-server-config.md
@@ -294,6 +294,7 @@ Read the value for `WOODPECKER_DATABASE_DATASOURCE` from the specified filepath
 > Default: empty
 
 Token to secure the Prometheus metrics endpoint.
+Must be set to enable the endpoint.
 
 ### `WOODPECKER_PROMETHEUS_AUTH_TOKEN_FILE`
 > Default: empty
diff --git a/server/api/metrics/prometheus.go b/server/api/metrics/prometheus.go
index 1658ea083..2d93bbc87 100644
--- a/server/api/metrics/prometheus.go
+++ b/server/api/metrics/prometheus.go
@@ -17,6 +17,7 @@ package metrics
 import (
 	"errors"
 	"fmt"
+	"net/http"
 
 	"github.com/gin-gonic/gin"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -35,7 +36,7 @@ func PromHandler() gin.HandlerFunc {
 		token := server.Config.Prometheus.AuthToken
 
 		if token == "" {
-			handler.ServeHTTP(c.Writer, c.Request)
+			c.AbortWithStatus(http.StatusNotFound)
 			return
 		}