Enable authentication for /metrics by default if authentication is enabled #1342

Open
a-gerhard opened this issue Dec 8, 2023 · 1 comment
@a-gerhard

Describe the bug
It looks like authentication for the metrics endpoint has been disabled by #1129.

I am pretty sure that these metrics can allow an external party to gather some information on what is going on in a system, as it can leak information that developers may not have thought to ever be available to the outside, like the task names.

When basic authentication is enabled, this endpoint should also require authentication by default, as many users will either not use the metrics endpoint at all, or will be able to configure a scraper to use these credentials.

Alternatively, at least allow authentication to be enabled here as well. For me, this renders the built-in authentication completely useless and I will need to set it up in my reverse proxy instead.

To Reproduce
Steps to reproduce the behavior:

  1. Set up Basic Authentication for flower
  2. Access the /metrics endpoint without authentication

Expected behavior
By default, the metrics endpoint requires authentication.

@a-gerhard a-gerhard added the bug label Dec 8, 2023
@a-gerhard

I'd also like to add that even though the list of unauthenticated endpoints is at the top of the documentation page, many people will skip the introduction and go straight to their preferred authentication method, not realising that the metrics won't be protected.
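
Added example, not part of the issue thread or of Flower's code: a check a deployer could run to confirm which routes of their own instance answer without credentials once basic auth is enabled. The stub server, its credentials and the `/` and `/tasks` paths are constructed for the demonstration; only `/metrics` comes from the report.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in: basic auth on every route except /metrics,
# i.e. the behaviour described in the issue. Credentials are sample values.
EXPECTED = "Basic " + base64.b64encode(b"user:pass").decode()

class Stub(BaseHTTPRequestHandler):
    def do_GET(self):
        authed = self.headers.get("Authorization") == EXPECTED
        if self.path == "/metrics" or authed:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def unauthenticated_paths(base_url, paths, timeout=5):
    """Return (path, status) for every path that does not answer 401/403
    when requested with no Authorization header."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    exposed = []
    for path in paths:
        try:
            with opener.open(base_url + path, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        if status not in (401, 403):
            exposed.append((path, status))
    return exposed

def run_demo():
    """Start the stub on a free local port and audit three sample paths."""
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return unauthenticated_paths(base, ["/", "/tasks", "/metrics"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Pointing `unauthenticated_paths` at a deployment's base URL from a deploy check or CI job makes an unprotected route fail loudly instead of depending on someone having read the documentation's introduction.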
