config: Add a flag to control the /metrics and /status endpoints

It can be a security concern in some environments to expose system
capabilities even though they don't expose any PII. Add some
flags (defaulted `true` to maintain existing behaviour) to control
whether the /metrics and /status (and anything in the StatusRouter)
are exposed.

Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>

app.js

@@ -75,8 +75,10 @@ app.use(morgan('combined', {
 }))
 
 // Register prometheus metrics endpoint
-app.use(apiMetrics())
-metrics.setupCustomPrometheusMetrics()
+if (config.observability.exposeMetrics) {
+  app.use(apiMetrics())
+  metrics.setupCustomPrometheusMetrics()
+}
 
 // socket io
 const io = require('socket.io')(server, { cookie: false })
@@ -226,7 +228,17 @@ app.locals.enableGitHubGist = config.isGitHubEnable
 app.locals.enableGitlabSnippets = config.isGitlabSnippetsEnable
 
 app.use(require('./lib/web/baseRouter'))
-app.use(require('./lib/web/statusRouter'))
+
+if (config.observability.exposeStatus) {
+  app.use(require('./lib/web/statusRouter'))
+} else {
+  // the `/status` route is used by the hedgedoc container's
+  // healtcheck route so keep the endpoint alive
+  app.get('/status', function (req, res, next) {
+    res.sendStatus(200)
+  })
+}
+
 app.use(require('./lib/web/auth'))
 app.use(require('./lib/web/historyRouter'))
 app.use(require('./lib/web/userRouter'))