🔍 Issue Description
In mofa-monitoring/src/dashboard/auth.rs, the default NoopAuthProvider grants wildcard * permissions to every connection with a hardcoded anonymous client ID:
https://github.com/mofa-org/mofa/blob/main/crates/mofa-monitoring/src/dashboard/auth.rs#L33-L38
```rust
async fn validate(&self, _token: &str) -> Result<AuthInfo, String> {
    Ok(AuthInfo {
        client_id: "anonymous".to_string(),
        permissions: vec!["*".to_string()], // ← full access for everyone
    })
}
```
📝 Description
Since NoopAuthProvider is the default auth provider (its is_enabled() returns false, i.e. it performs no authentication at all), any monitoring dashboard deployment that doesn't explicitly configure a TokenAuthProvider has zero authentication and gives every client unrestricted access to all metrics, agent states, and WebSocket streams.
Impact
- Any deployed monitoring dashboard is unauthenticated by default: agent execution data, metrics, and system internals are exposed
- There is no warning log when NoopAuthProvider is active, making it easy to overlook in production
- The permissions: vec!["*"] grants full wildcard access, so even if auth middleware checks permissions, anonymous clients pass every check
🎯 Proposed Solution (Optional but Encouraged)
- When NoopAuthProvider is active, emit a tracing::warn!("Dashboard authentication is disabled — all connections are anonymous with full access") on first connection
- Add a DashboardConfig flag require_auth: bool (default true) that panics at startup if no real auth provider is configured
- Change default NoopAuthProvider permissions from "*" to "read:metrics" (read-only, no write/admin)
- Add documentation warning in dashboard/mod.rs about securing production deployments
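The following is an added example sketching the proposed hardening end to end; it is not code from the mofa repository. The trait shape, the `DashboardConfig`, `TokenAuthProvider`, `check_startup` and `authorize` names, the sample tokens, and the synchronous (non-async) signature are all assumptions made to keep it self-contained; the real provider trait in mofa-monitoring is async and the warning would go through `tracing::warn!` rather than `eprintln!`. It shows the three pieces the proposal asks for: a no-op provider that is read-only and warns once, a `require_auth` gate that refuses to start with a no-op provider, and a wildcard-aware permission check so that the `"*"` grant in the original snippet is visibly what makes anonymous clients pass every check.

```rust
// Added example (not mofa code). All names below are assumptions.
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, Ordering};

#[derive(Debug, Clone, PartialEq)]
pub struct AuthInfo {
    pub client_id: String,
    pub permissions: Vec<String>,
}

impl AuthInfo {
    /// Wildcard-aware check: "*" grants everything, "read:*" grants any
    /// "read:<x>", otherwise an exact match is required.
    pub fn has_permission(&self, required: &str) -> bool {
        self.permissions.iter().any(|p| {
            p == "*"
                || p == required
                || p.strip_suffix(":*").map_or(false, |prefix| {
                    required.starts_with(prefix) && required[prefix.len()..].starts_with(':')
                })
        })
    }
}

/// Assumed, simplified (synchronous) version of the provider trait.
pub trait AuthProvider {
    fn is_enabled(&self) -> bool;
    fn validate(&self, token: &str) -> Result<AuthInfo, String>;
}

/// Hardened no-op provider: still anonymous, but read-only and noisy about it.
pub struct NoopAuthProvider {
    warned: AtomicBool,
}

impl NoopAuthProvider {
    pub fn new() -> Self {
        Self { warned: AtomicBool::new(false) }
    }
}

impl AuthProvider for NoopAuthProvider {
    fn is_enabled(&self) -> bool {
        false
    }

    fn validate(&self, _token: &str) -> Result<AuthInfo, String> {
        // Warn exactly once, on the first connection (stand-in for tracing::warn!).
        if !self.warned.swap(true, Ordering::Relaxed) {
            eprintln!("WARN: dashboard authentication is disabled; all connections are anonymous and read-only");
        }
        Ok(AuthInfo {
            client_id: "anonymous".to_string(),
            permissions: vec!["read:metrics".to_string()], // read-only instead of "*"
        })
    }
}

/// Token-based provider backed by a static token table (constructed sample data).
pub struct TokenAuthProvider {
    tokens: HashMap<String, AuthInfo>,
}

impl TokenAuthProvider {
    pub fn with_sample_tokens() -> Self {
        let mut tokens = HashMap::new();
        tokens.insert("viewer-token".to_string(), AuthInfo { client_id: "viewer".into(), permissions: vec!["read:*".into()] });
        tokens.insert("ops-token".to_string(), AuthInfo { client_id: "ops".into(), permissions: vec!["*".into()] });
        Self { tokens }
    }
}

impl AuthProvider for TokenAuthProvider {
    fn is_enabled(&self) -> bool {
        true
    }

    fn validate(&self, token: &str) -> Result<AuthInfo, String> {
        self.tokens.get(token).cloned().ok_or_else(|| "invalid token".to_string())
    }
}

/// Assumed config flag; defaults to requiring a real provider.
pub struct DashboardConfig {
    pub require_auth: bool,
}

impl Default for DashboardConfig {
    fn default() -> Self {
        Self { require_auth: true }
    }
}

/// Startup gate: an Err here is where the real code would panic or refuse to bind.
pub fn check_startup(config: &DashboardConfig, provider: &dyn AuthProvider) -> Result<(), String> {
    if config.require_auth && !provider.is_enabled() {
        return Err("require_auth is true but no real auth provider is configured".to_string());
    }
    Ok(())
}

/// Per-request gate the middleware would call: validate the token, then check the permission.
pub fn authorize(provider: &dyn AuthProvider, token: &str, required: &str) -> Result<AuthInfo, String> {
    let info = provider.validate(token)?;
    if info.has_permission(required) {
        Ok(info)
    } else {
        Err(format!("client {} lacks permission {}", info.client_id, required))
    }
}

fn main() {
    let noop = NoopAuthProvider::new();
    println!("startup with noop + default config: {:?}", check_startup(&DashboardConfig::default(), &noop));
    println!("anonymous read:metrics  -> {:?}", authorize(&noop, "", "read:metrics").is_ok());
    println!("anonymous admin:restart -> {:?}", authorize(&noop, "", "admin:restart").is_ok());
}
```

With the original `vec!["*"]` the `authorize` call for `admin:restart` would succeed for the anonymous client; with `read:metrics` it is rejected, and the startup gate turns a forgotten provider into a hard failure rather than a silently open dashboard.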