feat: Add comprehensive Prometheus metrics support

Cargo.toml

@@ -27,6 +27,8 @@ vendored_openssl = ["openssl/vendored"]
 # Enable MiMalloc memory allocator to replace the default malloc
 # This can improve performance for Alpine builds
 enable_mimalloc = ["dep:mimalloc"]
+# Enable Prometheus metrics endpoint
+enable_metrics = ["dep:prometheus"]
 # This is a development dependency, and should only be used during development!
 # It enables the usage of the diesel_logger crate, which is able to output the generated queries.
 # You also need to set an env variable `QUERY_LOGGER=1` to fully activate this so you do not have to re-compile
@@ -181,6 +183,9 @@ semver = "1.0.26"
 # Mainly used for the musl builds, since the default musl malloc is very slow
 mimalloc = { version = "0.1.47", features = ["secure"], default-features = false, optional = true }
 
+# Prometheus metrics
+prometheus = { version = "0.13.1", default-features = false, optional = true }
+
 which = "8.0.0"
 
 # Argon2 library with support for the PHC format

METRICS.md

@@ -0,0 +1,125 @@
+# Prometheus Metrics for Vaultwarden
+
+This document describes how to enable and configure Prometheus metrics in Vaultwarden.
+
+## Configuration
+
+### Environment Variables
+
+- `ENABLE_METRICS`: Set to `true` to enable the metrics endpoint (default: `false`)
+- `METRICS_TOKEN`: Optional token to secure the /metrics endpoint (default: none - public access)
+
+### Examples
+
+#### Enable metrics without authentication (development)
+```bash
+ENABLE_METRICS=true
+```
+
+#### Enable metrics with token authentication (production)
+```bash
+ENABLE_METRICS=true
+METRICS_TOKEN=your-secret-token
+```
+
+#### Enable metrics with Argon2 hashed token (most secure)
+```bash
+ENABLE_METRICS=true
+METRICS_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$...'
+```
+
+## Build Configuration
+
+To enable metrics support, compile with the `enable_metrics` feature:
+
+```bash
+cargo build --features enable_metrics
+```
+
+Without this feature, all metrics functions become no-ops and the endpoint is not available.
+
+## Usage
+
+When enabled, metrics are available at:
+- `/metrics` (if no token configured)
+- `/metrics?token=your-token` (with token as query parameter)
+- `/metrics` with `Authorization: Bearer your-token` header
+
+## Metrics Categories
+
+### HTTP Metrics
+- `vaultwarden_http_requests_total`: Total number of HTTP requests by method, path, and status
+- `vaultwarden_http_request_duration_seconds`: HTTP request duration histograms
+
+### Database Metrics
+- `vaultwarden_db_connections_active`: Number of active database connections
+- `vaultwarden_db_connections_idle`: Number of idle database connections
+- `vaultwarden_db_query_duration_seconds`: Database query duration histograms
+
+### Authentication Metrics
+- `vaultwarden_auth_attempts_total`: Total authentication attempts by method and status
+- `vaultwarden_user_sessions_active`: Number of active user sessions
+
+### Business Metrics
+- `vaultwarden_users_total`: Total number of users by status (enabled/disabled)
+- `vaultwarden_organizations_total`: Total number of organizations
+- `vaultwarden_vault_items_total`: Total number of vault items by type and organization
+- `vaultwarden_collections_total`: Total number of collections per organization
+
+### System Metrics
+- `vaultwarden_uptime_seconds`: Application uptime in seconds
+- `vaultwarden_build_info`: Build information (version, revision, branch)
+
+## Security Considerations
+
+- **Disable by default**: Metrics are disabled unless explicitly enabled
+- **Token protection**: Use a strong, unique token in production environments
+- **Argon2 hashing**: For maximum security, use Argon2-hashed tokens
+- **Network security**: Consider restricting access to the metrics endpoint at the network level
+- **Rate limiting**: The endpoint uses existing Vaultwarden rate limiting mechanisms
+
+## Integration with Monitoring Systems
+
+### Prometheus Configuration
+
+```yaml
+scrape_configs:
+  - job_name: 'vaultwarden'
+    static_configs:
+      - targets: ['localhost:8080']
+    metrics_path: '/metrics'
+    bearer_token: 'your-secret-token'  # If using token authentication
+    scrape_interval: 30s
+```
+
+### Grafana Dashboard
+
+The metrics can be visualized in Grafana using the standard Prometheus data source. Common queries:
+
+- Request rate: `rate(vaultwarden_http_requests_total[5m])`
+- Error rate: `rate(vaultwarden_http_requests_total{status=~"4..|5.."}[5m])`
+- Active users: `vaultwarden_users_total{status="enabled"}`
+- Database connections: `vaultwarden_db_connections_active`
+
+## Troubleshooting
+
+### Metrics endpoint not found (404)
+- Ensure `ENABLE_METRICS=true` is set
+- Verify the application was compiled with `--features enable_metrics`
+- Check application logs for metrics initialization messages
+
+### Authentication errors (401)
+- Verify the `METRICS_TOKEN` is correctly configured
+- Ensure the token in requests matches the configured token
+- Check for whitespace or encoding issues in token values
+
+### Missing metrics data
+- Metrics are populated as the application handles requests
+- Some business metrics require database queries and may take time to populate
+- Check application logs for any metrics collection errors
+
+## Performance Impact
+
+- Metrics collection has minimal performance overhead
+- Database metrics queries are run only when the metrics endpoint is accessed
+- Consider the frequency of metrics scraping in high-traffic environments