Validate /dump-* requests method & add some logging

internal/listener/listener.go

@@ -163,14 +163,18 @@ func (l *Listener) ProcessEvent(w http.ResponseWriter, req *http.Request) {
 func (l *Listener) checkDebugPassword(w http.ResponseWriter, r *http.Request) bool {
 	expectedPassword := l.configFile.DebugPassword
 	if expectedPassword == "" {
+		l.logger.Warnw("Config dump disables, no debug-password set in config", zap.String("url", r.RequestURI), zap.String("agent", r.UserAgent()))
+
 		w.WriteHeader(http.StatusForbidden)
 		_, _ = fmt.Fprintln(w, "config dump disables, no debug-password set in config")
 
 		return false
 	}
 
-	_, providedPassword, _ := r.BasicAuth()
+	username, providedPassword, _ := r.BasicAuth()
 	if subtle.ConstantTimeCompare([]byte(expectedPassword), []byte(providedPassword)) != 1 {
+		l.logger.Warnw("Unauthorized request", zap.String("url", r.RequestURI), zap.String("user", username), zap.String("agent", r.UserAgent()))
+
 		w.Header().Set("WWW-Authenticate", `Basic realm="debug"`)
 		w.WriteHeader(http.StatusUnauthorized)
 		_, _ = fmt.Fprintln(w, "please provide the debug-password as basic auth credentials (user is ignored)")
@@ -181,6 +185,12 @@ func (l *Listener) checkDebugPassword(w http.ResponseWriter, r *http.Request) bo
 }
 
 func (l *Listener) DumpConfig(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_, _ = fmt.Fprintln(w, "Bad request method")
+		return
+	}
+
 	if !l.checkDebugPassword(w, r) {
 		return
 	}
@@ -191,6 +201,12 @@ func (l *Listener) DumpConfig(w http.ResponseWriter, r *http.Request) {
 }
 
 func (l *Listener) DumpIncidents(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_, _ = fmt.Fprintln(w, "Bad request method")
+		return
+	}
+
 	if !l.checkDebugPassword(w, r) {
 		return
 	}