Prerequisites
The problem
Many external services and dashboard e.g. OPNSense and Homepage widgets query the /control/stats API endpoint to display AGH stats within a widget. Many people use these widgets.
AGH doesn't currently offer read-only API key creation, meaning for these widgets to access this endpoint I must pass them my AGH username/password; even in the best case scenario this means storing this sensitive info in a plaintext docker secrets file for these services to use.
Proposed solution
Many other open source homelab projects (e.g. Tautulli, Home Assistant) offer the ability to create API Keys for access to information by other services. This would be much more secure than offering these services my UN/PW. If the key could be restricted to read-only access of certain endpoints, this would be even better; this way if anyone ever got hold of the key, they could only read stats. Keys could also be revoked from the web AGH control panel allowing for easy rotation of keys in the event of compromise.
The current comparison is that if my AGH UN/PW got leaked from these services, the bad actor could log directly into my AGH control panel and make malicious changes, and the current process for changing AGH PW is quite involved requiring generation of a bcrypt hashed PW via a cli tool.
Alternatives considered and additional information
No response
Prerequisites
I have checked the Wiki and Discussions and found no answer
I have searched other issues and found no duplicates
I want to request a feature or enhancement and not ask a question
The problem
Many external services and dashboard e.g. OPNSense and Homepage widgets query the
/control/statsAPI endpoint to display AGH stats within a widget. Many people use these widgets.AGH doesn't currently offer read-only API key creation, meaning for these widgets to access this endpoint I must pass them my AGH username/password; even in the best case scenario this means storing this sensitive info in a plaintext docker secrets file for these services to use.
Proposed solution
Many other open source homelab projects (e.g. Tautulli, Home Assistant) offer the ability to create API Keys for access to information by other services. This would be much more secure than offering these services my UN/PW. If the key could be restricted to read-only access of certain endpoints, this would be even better; this way if anyone ever got hold of the key, they could only read stats. Keys could also be revoked from the web AGH control panel allowing for easy rotation of keys in the event of compromise.
The current comparison is that if my AGH UN/PW got leaked from these services, the bad actor could log directly into my AGH control panel and make malicious changes, and the current process for changing AGH PW is quite involved requiring generation of a bcrypt hashed PW via a cli tool.
Alternatives considered and additional information
No response