feat: prometheus key to access /metrics

Author: wylited

.env.example

@@ -9,3 +9,6 @@ AUTH_CLIENT_ID=b4bc4b9a-7162-44c5-bb50-fe935dce1f5a
 
 # Loki Host
 # LOKI_HOST=http://localhost:3100
+
+# Prometheus Key
+PROMETHEUS_KEY=prometheus

src/app.ts

@@ -10,6 +10,9 @@ import {
   RawReplyDefaultExpression,
   RawRequestDefaultExpression,
   RawServerDefault,
+  FastifyReply,
+  FastifyRequest,
+  RouteOptions,
 } from "fastify";
 import fastifyMetrics from "fastify-metrics";
 import * as path from "path";
@@ -23,6 +26,7 @@ export type AppOptions = {
   // MongoDB URI (Optional)
   // mongoUri: string;
   lokiHost?: string;
+  prometheusKey?: string;
 } & FastifyServerOptions &
   Partial<AutoloadPluginOptions> &
   AuthPluginOptions;
@@ -52,6 +56,7 @@ const options: AppOptions = {
   authDiscoveryURL: getOption("AUTH_DISCOVERY_URL")!,
   authClientID: getOption("AUTH_CLIENT_ID")!,
   lokiHost: getOption("LOKI_HOST", false),
+  prometheusKey: getOption("PROMETHEUS_KEY", false),
   authSkip: (() => {
     const opt = getOption("AUTH_SKIP", false);
     if (opt !== undefined) {
@@ -69,7 +74,7 @@ if (options.lokiHost) {
       target: "pino-loki",
       options: {
         batching: true,
-        interval: 5,
+        interval: 5, // Logs are sent every 5 seconds, default.
         host: options.lokiHost,
         labels: { application: packageJson.name },
       },
@@ -102,9 +107,26 @@ const app: FastifyPluginAsync<AppOptions> = async (
   });
 
   // Register Metrics
+  const metricsEndpoint: RouteOptions | string | null = opts.prometheusKey
+    ? {
+        url: "/metrics",
+        method: "GET",
+        handler: async () => {}, // Overridden by fastify-metrics
+        onRequest: async (request: FastifyRequest, reply: FastifyReply) => {
+          if (
+            request.headers.authorization !== `Bearer ${opts.prometheusKey}`
+          ) {
+            reply.code(401).send("Unauthorized");
+            return reply;
+          }
+        },
+      }
+    : "/metrics";
+
   await fastify.register(fastifyMetrics.default, {
-    endpoint: "/metrics",
+    endpoint: metricsEndpoint,
     defaultMetrics: { enabled: true },
+    clearRegisterOnInit: true,
   });
 
   // Register Swagger & Swagger UI & Scalar

test/helper.ts

@@ -25,14 +25,16 @@ async function config(): Promise<AppOptions> {
 }
 
 // Automatically build and tear down our instance
-async function build(t: TestContext) {
+async function build(t: TestContext, options?: Partial<AppOptions>) {
   // you can set all the options supported by the fastify CLI command
   const argv = [AppPath];
 
+  const appOptions = { ...(await config()), ...options };
+
   // fastify-plugin ensures that all decorators
   // are exposed for testing purposes, this is
   // different from the production setup
-  const app = await helper.build(argv, await config(), await config());
+  const app = await helper.build(argv, appOptions, appOptions);
 
   // Tear down our app after we are done
   t.after(() => void app.close());

test/routes/metrics.test.ts

@@ -0,0 +1,41 @@
+import { test } from "node:test";
+import * as assert from "node:assert";
+import { build } from "../helper.js";
+
+test("metrics route without key", async (t) => {
+  const app = await build(t);
+
+  const response = await app.inject({
+    url: "/metrics",
+  });
+
+  assert.equal(response.statusCode, 200);
+});
+
+test("metrics route with key", async (t) => {
+  const app = await build(t, { prometheusKey: "secret" });
+
+  // Without auth header
+  const response = await app.inject({
+    url: "/metrics",
+  });
+  assert.equal(response.statusCode, 401);
+
+  // With correct auth header
+  const responseAuth = await app.inject({
+    url: "/metrics",
+    headers: {
+      authorization: "Bearer secret",
+    },
+  });
+  assert.equal(responseAuth.statusCode, 200);
+
+  // With incorrect auth header
+  const responseBadAuth = await app.inject({
+    url: "/metrics",
+    headers: {
+      authorization: "Bearer wrong",
+    },
+  });
+  assert.equal(responseBadAuth.statusCode, 401);
+});