OeditusCredo.Check.Warning.MissingTelemetryInAuthPlug
(OeditusCredo v0.5.0)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of normal and works with any version of Elixir.
Explanation
Authentication and authorization plugs should emit telemetry events for observability.
Instrumenting auth plugs lets you track login attempts, success/failure rates, and authentication latency, and can help identify security issues.
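The consuming side of that instrumentation, as an added example that is not part of OeditusCredo or its documentation: a handler for the `[:auth, :verify_token]` event that the Good plug on this page emits. The module name `MyApp.AuthTelemetry`, the handler id and the 250 ms threshold are assumptions.

```elixir
defmodule MyApp.AuthTelemetry do
  # Hypothetical module. Event name, measurement and metadata keys match the
  # "Good" plug on this page: [:auth, :verify_token], %{duration: _}, %{result: _}.
  require Logger

  @event [:auth, :verify_token]
  # Assumed latency threshold in milliseconds; tune per application.
  @slow_ms 250

  # Call once at startup, e.g. from Application.start/2.
  # A remote capture is used because :telemetry warns on local/anonymous functions.
  def attach do
    :telemetry.attach("auth-verify-token-logger", @event, &__MODULE__.handle_event/4, %{})
  end

  # A handler that raises is detached by :telemetry, so every result value
  # the plug can emit is handled by classify/2 below.
  def handle_event(@event, %{duration: duration}, %{result: result}, _config) do
    # The plug measures with System.monotonic_time/0, so duration is in native units.
    ms = System.convert_time_unit(duration, :native, :millisecond)

    case classify(result, ms) do
      :failure -> Logger.warning("auth verify_token failed result=#{inspect(result)} duration_ms=#{ms}")
      :slow -> Logger.warning("auth verify_token slow duration_ms=#{ms}")
      :ok -> :ok
    end
  end

  # Anything other than :ok counts as a failed verification.
  def classify(:ok, ms) when ms > @slow_ms, do: :slow
  def classify(:ok, _ms), do: :ok
  def classify(_other, _ms), do: :failure
end
```

Because the plug's metadata carries only the result atom, the handler logs no token or user data; keep it that way if you extend the metadata.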
Bad:
    defmodule MyAppWeb.Plugs.Authenticate do
      import Plug.Conn

      def call(conn, _opts) do
        case verify_token(conn) do
          {:ok, user} -> assign(conn, :current_user, user)
          {:error, _} -> halt(conn)
        end
      end
    end

Good:
    defmodule MyAppWeb.Plugs.Authenticate do
      import Plug.Conn

      def call(conn, _opts) do
        # Time the verification; monotonic_time/0 returns native time units.
        start_time = System.monotonic_time()
        result = verify_token(conn)
        duration = System.monotonic_time() - start_time

        # Emit the outcome (:ok or :error) and latency for every attempt.
        :telemetry.execute(
          [:auth, :verify_token],
          %{duration: duration},
          %{result: elem(result, 0)}
        )

        case result do
          {:ok, user} -> assign(conn, :current_user, user)
          {:error, _} -> halt(conn)
        end
      end
    end

Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
:extra_auth_plug_names
Additional auth plug name substrings to detect (default: [])
This parameter defaults to nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.