v1.31.0 (2026-02-24)
Features
- API authentication and authorization (#273, closes #268)
Adds opt-in API authentication to Scrutiny, securing the dashboard and API endpoints while maintaining full backward compatibility. Auth is disabled by default -- existing deployments are completely unaffected.
When enabled:
- Web UI login page with token-based and optional username/password login methods
- JWT session tokens with configurable expiry and optional persistent secret for surviving restarts
- Collector authentication -- all 4 collectors (metrics, performance, ZFS, selftest) support `--api-token` flag and per-collector environment variables (`COLLECTOR_METRICS_API_TOKEN`, `COLLECTOR_PERF_API_TOKEN`, `COLLECTOR_ZFS_API_TOKEN`)
- Independent Prometheus metrics auth -- separate `web.metrics.token` for securing `/api/metrics` without enabling full API auth
- Rate limiting on login endpoint (10 failures per IP in 5-minute window)
- Security hardening -- SHA-256 hash-then-compare for constant-time token validation, returnUrl sanitization
Public endpoints (`/api/health`, `/api/auth/status`, `/api/auth/login`) remain accessible without authentication.

See AUTH.md for full configuration, deployment, and migration documentation.
Quick start:

```yaml
web:
  auth:
    enabled: true
    token: 'your-secret-api-token-here'
```
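The hash-then-compare token check and the login failure limit from the list above, shown in Go as an added example. This is not Scrutiny's own code: `tokenMatches`, `failureLimiter` and the sliding-window bookkeeping are hypothetical names and assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// tokenMatches hashes both values first, so the constant-time comparison
// always runs over two 32-byte digests and does not reveal the token length.
func tokenMatches(presented, configured string) bool {
	p := sha256.Sum256([]byte(presented))
	c := sha256.Sum256([]byte(configured))
	return subtle.ConstantTimeCompare(p[:], c[:]) == 1
}

// failureLimiter (hypothetical type) counts failed logins per client IP.
type failureLimiter struct {
	max      int
	window   time.Duration
	failures map[string][]time.Time
}

// login drops failures older than the window, refuses the attempt once the
// limit is reached (assumed behaviour), and records each new failure.
func (l *failureLimiter) login(ip, presented, configured string, now time.Time) bool {
	kept := l.failures[ip][:0]
	for _, t := range l.failures[ip] {
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	l.failures[ip] = kept
	if len(kept) >= l.max {
		return false // limit reached: reject before looking at the token
	}
	if tokenMatches(presented, configured) {
		return true
	}
	l.failures[ip] = append(kept, now)
	return false
}

func main() {
	l := &failureLimiter{max: 10, window: 5 * time.Minute, failures: map[string][]time.Time{}}
	fmt.Println(l.login("192.0.2.10", "guess", "constructed-sample-token", time.Now()))
}
```
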
Bug Fixes
- SMART attributes table column sorting (#272, closes #269)
Fixed sorting on the SMART attributes table. Added a `sortingDataAccessor` to map column definitions to their actual data properties so all columns (ID, name, failure rate, value, worst, threshold, ideal) sort correctly by displayed values. Blank columns in raw/scrutiny mode now sort as `0` instead of by hidden underlying values.
Documentation
- ZFS monitoring setup (#251)
Updated omnibus Docker documentation to include `/dev/zfs` in the device mappings, which is required for ZFS pool detection inside the container.