[Prometheus plugin] Fetch should incorporate proxy authentication.

[ipe4647]

Feature Suggestion

The proxy usage should be authenticated so that anyone can't use the path /api/proxy/prometheus/api. Prometheus in production has such safeguards with Bearer token and Backstage plugin should implement it as well.

Possible Implementation

Add identityApiRef to the query (this is an example; all places that interact with the proxy should use authentication):

roadie-backstage-plugins/plugins/frontend/backstage-plugin-prometheus/src/api/index.ts

Lines 106 to 113 in b59b4b4

	const response = await fetch(
	`${apiUrl}/query_range?query=${query}&start=${start}&end=${end}&step=${step}`,
	{
	headers: {
	[SERVICE_NAME_HEADER]: serviceName || '',
	},
	},
	);

Some example code:

  // Obtain the token
  const { token: idToken } = await identityApi.getCredentials();
 // Fetch with authentication
  const response = await fetch( 
     `${apiUrl}/query_range?query=${query}&start=${start}&end=${end}&step=${step}`, 
     { 
       headers: { 
         [SERVICE_NAME_HEADER]: serviceName || '', 
         Authorization: `Bearer ${idToken}`,
       }, 
     }, 
   ); 

Context

Right now the workaround is to use credentials: dangerously-allow-unauthenticated (#1680) that removes authentication.
This change will make proxy secure by allowing access only to authenticated users and does not expose Prometheus to the network.

This issue might be tied with security vulnerability as the proxied system is exposed to unauthenticated users.