feat(api): Add endpoint-level authentication and visibility control

Implement endpoint-level authentication mode where authentication is
optional but filters visible data based on public/private status:

**API Changes:**
- Add global vs endpoint-level auth routing in api.go
- Update EndpointStatuses and EndpointStatus handlers with auth checks
- Add cache key separation for public/private data
- Update badge endpoints to respect visibility

**Configuration:**
- Add Public field to Endpoint, ExternalEndpoint, Result, and Status
- Add EndpointStatusVisibility DTO for visibility management
- Extend security config with Level field (global/endpoint)
- Implement IsAuthenticated() for Basic Auth
- Add IsGlobal() helper method

**Features:**
- Routes conditionally protected based on security.level
- Unauthenticated users see only public endpoints
- Authenticated users see all endpoints
- Cache keys include auth status to prevent data leakage

Author: loispostula

api/api.go

@@ -118,18 +118,33 @@ func (a *API) createRouter(cfg *config.Config) *fiber.App {
 	// PROTECTED ROUTES //
 	//////////////////////
 	// ORDER IS IMPORTANT: all routes applied AFTER the security middleware will require authn
-	protectedAPIRouter := apiRouter.Group("/")
 	if cfg.Security != nil {
 		if err := cfg.Security.RegisterHandlers(app); err != nil {
 			panic(err)
 		}
-		if err := cfg.Security.ApplySecurityMiddleware(protectedAPIRouter); err != nil {
-			panic(err)
+		if cfg.Security.IsGlobal() {
+			// Global auth: protect all API routes with middleware
+			protectedAPIRouter := apiRouter.Group("/")
+			if err := cfg.Security.ApplySecurityMiddleware(protectedAPIRouter); err != nil {
+				panic(err)
+			}
+			protectedAPIRouter.Get("/v1/endpoints/statuses", EndpointStatuses(cfg))
+			protectedAPIRouter.Get("/v1/endpoints/:key/statuses", EndpointStatus(cfg))
+			protectedAPIRouter.Get("/v1/suites/statuses", SuiteStatuses(cfg))
+			protectedAPIRouter.Get("/v1/suites/:key/statuses", SuiteStatus(cfg))
+		} else {
+			// Endpoint-level auth: routes are accessible but data is filtered
+			unprotectedAPIRouter.Get("/v1/endpoints/statuses", EndpointStatuses(cfg))
+			unprotectedAPIRouter.Get("/v1/endpoints/:key/statuses", EndpointStatus(cfg))
+			unprotectedAPIRouter.Get("/v1/suites/statuses", SuiteStatuses(cfg))
+			unprotectedAPIRouter.Get("/v1/suites/:key/statuses", SuiteStatus(cfg))
 		}
+	} else {
+		// No security: all routes accessible
+		unprotectedAPIRouter.Get("/v1/endpoints/statuses", EndpointStatuses(cfg))
+		unprotectedAPIRouter.Get("/v1/endpoints/:key/statuses", EndpointStatus(cfg))
+		unprotectedAPIRouter.Get("/v1/suites/statuses", SuiteStatuses(cfg))
+		unprotectedAPIRouter.Get("/v1/suites/:key/statuses", SuiteStatus(cfg))
 	}
-	protectedAPIRouter.Get("/v1/endpoints/statuses", EndpointStatuses(cfg))
-	protectedAPIRouter.Get("/v1/endpoints/:key/statuses", EndpointStatus(cfg))
-	protectedAPIRouter.Get("/v1/suites/statuses", SuiteStatuses(cfg))
-	protectedAPIRouter.Get("/v1/suites/:key/statuses", SuiteStatus(cfg))
 	return app
 }

api/badge.go

@@ -119,7 +119,8 @@ func HealthBadge(c *fiber.Ctx) error {
 		return c.Status(400).SendString("invalid key encoding")
 	}
 	pagingConfig := paging.NewEndpointStatusParams()
-	status, err := store.Get().GetEndpointStatusByKey(key, pagingConfig.WithResults(1, 1))
+	status, err := store.Get().GetEndpointStatusByKey(key, true, pagingConfig.WithResults(1, 1))
+
 	if err != nil {
 		if errors.Is(err, common.ErrEndpointNotFound) {
 			return c.Status(404).SendString(err.Error())
@@ -148,7 +149,7 @@ func HealthBadgeShields(c *fiber.Ctx) error {
 		return c.Status(400).SendString("invalid key encoding")
 	}
 	pagingConfig := paging.NewEndpointStatusParams()
-	status, err := store.Get().GetEndpointStatusByKey(key, pagingConfig.WithResults(1, 1))
+	status, err := store.Get().GetEndpointStatusByKey(key, true, pagingConfig.WithResults(1, 1))
 	if err != nil {
 		if errors.Is(err, common.ErrEndpointNotFound) {
 			return c.Status(404).SendString(err.Error())

api/config.go

@@ -16,15 +16,21 @@ type ConfigHandler struct {
 
 func (handler ConfigHandler) GetConfig(c *fiber.Ctx) error {
 	hasOIDC := false
+	hasBasic := false
+	authLevel := ""
 	isAuthenticated := true // Default to true if no security config is set
 	if handler.securityConfig != nil {
 		hasOIDC = handler.securityConfig.OIDC != nil
+		hasBasic = handler.securityConfig.Basic != nil
+		authLevel = handler.securityConfig.Level
 		isAuthenticated = handler.securityConfig.IsAuthenticated(c)
 	}
 
 	// Prepare response with announcements
 	response := map[string]interface{}{
 		"oidc":          hasOIDC,
+		"basic":         hasBasic,
+		"authLevel":     authLevel,
 		"authenticated": isAuthenticated,
 	}
 	// Add announcements if available, otherwise use empty slice

api/endpoint_status.go

@@ -21,11 +21,16 @@ import (
 // Due to how intensive this operation can be on the storage, this function leverages a cache.
 func EndpointStatuses(cfg *config.Config) fiber.Handler {
 	return func(c *fiber.Ctx) error {
+		// If no security is configured, user is considered authenticated (full access)
+		// If security is configured at endpoint level, check authentication status
+		userAuthenticated := cfg.Security == nil || cfg.Security.IsAuthenticated(c)
 		page, pageSize := extractPageAndPageSizeFromRequest(c, cfg.Storage.MaximumNumberOfResults)
-		value, exists := cache.Get(fmt.Sprintf("endpoint-status-%d-%d", page, pageSize))
+		// Include authentication status in cache key to separate public/private cached results
+		cacheKey := fmt.Sprintf("endpoint-status-%d-%d-auth-%t", page, pageSize, userAuthenticated)
+		value, exists := cache.Get(cacheKey)
 		var data []byte
 		if !exists {
-			endpointStatuses, err := store.Get().GetAllEndpointStatuses(paging.NewEndpointStatusParams().WithResults(page, pageSize))
+			endpointStatuses, err := store.Get().GetAllEndpointStatuses(!userAuthenticated, paging.NewEndpointStatusParams().WithResults(page, pageSize))
 			if err != nil {
 				logr.Errorf("[api.EndpointStatuses] Failed to retrieve endpoint statuses: %s", err.Error())
 				return c.Status(500).SendString(err.Error())
@@ -42,7 +47,7 @@ func EndpointStatuses(cfg *config.Config) fiber.Handler {
 				logr.Errorf("[api.EndpointStatuses] Unable to marshal object to JSON: %s", err.Error())
 				return c.Status(500).SendString("unable to marshal object to JSON")
 			}
-			cache.SetWithTTL(fmt.Sprintf("endpoint-status-%d-%d", page, pageSize), data, cacheTTL)
+			cache.SetWithTTL(cacheKey, data, cacheTTL)
 		} else {
 			data = value.([]byte)
 		}
@@ -86,13 +91,14 @@ func getEndpointStatusesFromRemoteInstances(remoteConfig *remote.Config) ([]*end
 // EndpointStatus retrieves a single endpoint.Status by group and endpoint name
 func EndpointStatus(cfg *config.Config) fiber.Handler {
 	return func(c *fiber.Ctx) error {
+		userAuthenticated := cfg.Security == nil || cfg.Security.IsAuthenticated(c)
 		page, pageSize := extractPageAndPageSizeFromRequest(c, cfg.Storage.MaximumNumberOfResults)
 		key, err := url.QueryUnescape(c.Params("key"))
 		if err != nil {
 			logr.Errorf("[api.EndpointStatus] Failed to decode key: %s", err.Error())
 			return c.Status(400).SendString("invalid key encoding")
 		}
-		endpointStatus, err := store.Get().GetEndpointStatusByKey(key, paging.NewEndpointStatusParams().WithResults(page, pageSize).WithEvents(1, cfg.Storage.MaximumNumberOfEvents))
+		endpointStatus, err := store.Get().GetEndpointStatusByKey(key, !userAuthenticated, paging.NewEndpointStatusParams().WithResults(page, pageSize).WithEvents(1, cfg.Storage.MaximumNumberOfEvents))
 		if err != nil {
 			if errors.Is(err, common.ErrEndpointNotFound) {
 				return c.Status(404).SendString(err.Error())

config/endpoint/endpoint.go

@@ -137,6 +137,9 @@ type Endpoint struct {
 	// LastReminderSent is the time at which the last reminder was sent for this endpoint.
 	LastReminderSent time.Time `yaml:"-"`
 
+	// Public mark an endpoint as public, unauthenticated users will be able to see them
+	Public bool `yaml:"public,omitempty"`
+
 	///////////////////////
 	// SUITE-ONLY FIELDS //
 	///////////////////////
@@ -288,7 +291,7 @@ func (e *Endpoint) EvaluateHealth() *Result {
 
 // EvaluateHealthWithContext sends a request to the endpoint's URL with context support and evaluates the conditions
 func (e *Endpoint) EvaluateHealthWithContext(context *gontext.Gontext) *Result {
-	result := &Result{Success: true, Errors: []string{}}
+	result := &Result{Success: true, Errors: []string{}, Public: e.Public}
 	// Preprocess the endpoint with context if provided
 	processedEndpoint := e
 	if context != nil {

config/endpoint/external_endpoint.go

@@ -48,6 +48,9 @@ type ExternalEndpoint struct {
 
 	// NumberOfSuccessesInARow is the number of successful evaluations in a row
 	NumberOfSuccessesInARow int `yaml:"-"`
+
+	// Public mark an endpoint as public, unauthenticated users will be able to see them
+	Public bool `yaml:"public,omitempty"`
 }
 
 // ValidateAndSetDefaults validates the ExternalEndpoint and sets the default values

config/endpoint/result.go

@@ -61,6 +61,9 @@ type Result struct {
 	// Name of the endpoint (ONLY USED FOR SUITES)
 	// Group is not needed because it's inherited from the suite
 	Name string `json:"name,omitempty"`
+
+	// Public mark an endpoint as public, unauthenticated users will be able to see them
+	Public bool
 }
 
 // AddError adds an error to the result's list of errors.

config/endpoint/status.go

@@ -20,6 +20,9 @@ type Status struct {
 	// Events is a list of events
 	Events []*Event `json:"events,omitempty"`
 
+	// Public mark an endpoint as public, unauthenticated users will be able to see them
+	Public bool `yaml:"public,omitempty"`
+
 	// Uptime information on the endpoint's uptime
 	//
 	// Used by the memory store.
@@ -29,13 +32,30 @@ type Status struct {
 }
 
 // NewStatus creates a new Status
-func NewStatus(group, name string) *Status {
+func NewStatus(group, name string, public bool) *Status {
 	return &Status{
 		Name:    name,
 		Group:   group,
 		Key:     key.ConvertGroupAndNameToKey(group, name),
 		Results: make([]*Result, 0),
 		Events:  make([]*Event, 0),
+		Public: public,
 		Uptime:  NewUptime(),
 	}
 }
+
+
+// EndpointStatusVisibility is a DTO used to manage an EndpointStatus visibility
+type EndpointStatusVisibility struct {
+	// Key of the Endpoint
+	Key string
+	// Public mark an endpoint as public, unauthenticated users will be able to see them
+	Public bool
+}
+
+func NewEndpointStatusVisibility(key string, public bool) *EndpointStatusVisibility {
+	return &EndpointStatusVisibility{
+	Key: key,
+		Public: public,
+	}
+}

security/config.go

@@ -18,17 +18,37 @@ const (
 	cookieNameSession = "gatus_session"
 )
 
+const (
+	authLevelGlobal = "global"
+	authLevelEndpoint = "endpoint"
+)
+
 // Config is the security configuration for Gatus
 type Config struct {
 	Basic *BasicConfig `yaml:"basic,omitempty"`
-	OIDC  *OIDCConfig  `yaml:"oidc,omitempty"`
-
+	OIDC  *OIDCConfig  `yaml:"oidc,omitempty"`      
+	Level string  `yaml:"level,omitempty"`
+	
 	gate *g8.Gate
 }
 
 // ValidateAndSetDefaults returns whether the security configuration is valid or not and sets default values.
 func (c *Config) ValidateAndSetDefaults() bool {
-	return (c.Basic != nil && c.Basic.isValid()) || (c.OIDC != nil && c.OIDC.ValidateAndSetDefaults())
+	basicValid := c.Basic != nil && c.Basic.isValid()
+	oauthValid := c.OIDC != nil && c.OIDC.ValidateAndSetDefaults()
+	
+	// Set default level
+	if c.Level == "" {
+		c.Level = authLevelGlobal
+	}
+	levelValid := c.Level == authLevelGlobal || c.Level == authLevelEndpoint
+
+	return levelValid && (basicValid || oauthValid)
+}
+
+// IsGlobal tells wether the auth is global or at endpoint level
+func (c *Config) IsGlobal() bool {
+	return c.Level == authLevelGlobal
 }
 
 // RegisterHandlers registers all handlers required based on the security configuration
@@ -96,7 +116,7 @@ func (c *Config) ApplySecurityMiddleware(router fiber.Router) error {
 // If the Config does not warrant authentication, it will always return true.
 func (c *Config) IsAuthenticated(ctx *fiber.Ctx) bool {
 	if c.gate != nil {
-		// TODO: Update g8 to support fasthttp natively? (see g8's fasthttp branch)
+		// OIDC authentication check
 		request, err := adaptor.ConvertRequest(ctx, false)
 		if err != nil {
 			logr.Errorf("[security.IsAuthenticated] Unexpected error converting request: %v", err)
@@ -105,6 +125,53 @@ func (c *Config) IsAuthenticated(ctx *fiber.Ctx) bool {
 		token := c.gate.ExtractTokenFromRequest(request)
 		_, hasSession := sessions.Get(token)
 		return hasSession
+	} else if c.Basic != nil {
+		// Basic Auth authentication check
+		authHeader := ctx.Get("Authorization")
+		if authHeader == "" {
+			return false
+		}
+		// Parse the Basic Auth header manually (fasthttp doesn't have BasicAuth() helper)
+		// Format: "Basic base64(username:password)"
+		const prefix = "Basic "
+		if len(authHeader) < len(prefix) {
+			return false
+		}
+		if authHeader[:len(prefix)] != prefix {
+			return false
+		}
+		// Decode the base64 credentials
+		decoded, err := base64.StdEncoding.DecodeString(authHeader[len(prefix):])
+		if err != nil {
+			return false
+		}
+		// Split username:password
+		credentials := string(decoded)
+		colonIndex := -1
+		for i := 0; i < len(credentials); i++ {
+			if credentials[i] == ':' {
+				colonIndex = i
+				break
+			}
+		}
+		if colonIndex == -1 {
+			return false
+		}
+		username := credentials[:colonIndex]
+		password := credentials[colonIndex+1:]
+
+		// Validate credentials
+		var decodedBcryptHash []byte
+		if len(c.Basic.PasswordBcryptHashBase64Encoded) > 0 {
+			decodedBcryptHash, err = base64.URLEncoding.DecodeString(c.Basic.PasswordBcryptHashBase64Encoded)
+			if err != nil {
+				return false
+			}
+			if username != c.Basic.Username || bcrypt.CompareHashAndPassword(decodedBcryptHash, []byte(password)) != nil {
+				return false
+			}
+			return true
+		}
 	}
 	return false
 }