django-commons/django-prometheus

Add settings to make it work with django.contrib.auth.middleware.LoginRequiredMiddleware without auth

Opened this issue · 2 comments

Hello,

I've had an issue with django 5.2 and the django.contrib.auth.middleware.LoginRequiredMiddleware middleware turned on to enable a site-wide login requirement.

I wanted to allow /metrics to be unauthenticated because it would be way too complicated to configure prometheus scraping with django auth system, and I don't think it's worth it from a security perspective.

Therefore, I did this bit of workaround:

from django.contrib.auth.decorators import login_not_required
from django.urls import path

from django_prometheus.exports import ExportToDjangoView

# Hack to allow unauthenticated access to the prometheus metrics view
# with django.contrib.auth.middleware.LoginRequiredMiddleware on:
# login_not_required marks the view as exempt from the middleware,
# and the wrapper simply delegates to the stock django-prometheus view.
@login_not_required
def UnauthenticatedDjangoMetricsView(request):
    return ExportToDjangoView(request)

urlpatterns = [
    ...
    path('metrics', UnauthenticatedDjangoMetricsView, name="prometheus-django-metrics"),
]

However, it would be quite nice if there was some kind of switch parameter for django-prometheus to enable this decorator. I kinda hope my hack won't break at the next library update.

Thanks.

I don't know anything about your application.
Exposing /metrics to the whole internet can be quite problematic, and can confirm attack vectors.
If they are trying to DDoS you, for example, they can look directly into the metrics and see if it's working.

Yes, you are right. I was trying to work my way around the django auth system that doesn't seem a very good fit with Prometheus auth parameters as #315 would suggest. I was going for an authentication from the nginx reverse proxy upstream actually.
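A hardened variant of the workaround from the issue body, added here as an example and not code from django-prometheus or from either poster: the view stays exempt from LoginRequiredMiddleware via login_not_required, but only answers a request that comes from an allowlisted network and carries a configured bearer scrape token, which addresses the exposure concern in the first comment. `scrape_allowed`, `metrics_view_factory` and the settings names in the trailing comment are assumed, not project API.

```python
import hmac
import ipaddress
from typing import Iterable, Mapping


def scrape_allowed(meta: Mapping[str, str], expected_token: str,
                   allowed_networks: Iterable[str]) -> bool:
    """Return True if this request may read /metrics without a Django login.

    `meta` is request.META (or any mapping with the same WSGI keys).  Both
    checks must pass: REMOTE_ADDR lies in one of `allowed_networks` (CIDR
    strings) and the Authorization header carries the shared scrape token.
    Behind a reverse proxy REMOTE_ADDR is the proxy's address, so the
    allowlist must then name the proxy rather than the Prometheus host.
    """
    try:
        caller = ipaddress.ip_address(meta.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if not any(caller in ipaddress.ip_network(n, strict=False)
               for n in allowed_networks):
        return False
    scheme, _, token = meta.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer":
        return False
    # Constant-time comparison so a wrong token leaks nothing via timing.
    return hmac.compare_digest(token.strip().encode(), expected_token.encode())


def metrics_view_factory(expected_token: str, allowed_networks: Iterable[str]):
    """Build a /metrics view exempt from LoginRequiredMiddleware (hypothetical
    wiring).  Django is imported lazily so scrape_allowed() stays testable
    without a configured settings module.
    """
    from django.contrib.auth.decorators import login_not_required
    from django.http import HttpResponse
    from django_prometheus.exports import ExportToDjangoView

    @login_not_required
    def metrics(request):
        if not scrape_allowed(request.META, expected_token, allowed_networks):
            return HttpResponse("forbidden", status=403)
        return ExportToDjangoView(request)

    return metrics


# urls.py wiring, with PROMETHEUS_SCRAPE_TOKEN / PROMETHEUS_SCRAPE_NETWORKS
# as assumed settings names:
#   path("metrics", metrics_view_factory(settings.PROMETHEUS_SCRAPE_TOKEN,
#        settings.PROMETHEUS_SCRAPE_NETWORKS), name="prometheus-django-metrics")
```

The matching Prometheus side is a scrape job that sets the same token under its `authorization` config, so the scraper never needs a Django session.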