OeditusCredo.Check.Security.MissingAuthentication
(OeditusCredo v0.6.0)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Detects potential missing authentication in controller actions (CWE-306).
Sensitive controller actions should be protected by an authentication plug. This check accepts any plug name containing "auth" as an authentication indicator.
Bad:

defmodule MyAppWeb.AdminController do
  use MyAppWeb, :controller

  def delete(conn, params) do
    ...
  end
end

Good:

defmodule MyAppWeb.AdminController do
  use MyAppWeb, :controller

  plug :require_authentication

  def delete(conn, params) do
    ...
  end
end

Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
:sensitive_actions
List of action name strings considered sensitive (default: index, show, create, new, update, edit, delete, destroy)
This parameter defaults to nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.
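As an added example (not part of the OeditusCredo documentation or code base), the following shows a .credo.exs fragment that enables this check with the two parameters above, together with a controller that satisfies the check's name-based heuristic. The file layout, the "default" config name and the plug names :authenticate_user and :ensure_logged_in are assumptions for illustration.

```elixir
# .credo.exs at the project root (assumed location).
# The check is disabled by default, so it must be listed explicitly.
%{
  configs: [
    %{
      name: "default",
      checks: [
        {OeditusCredo.Check.Security.MissingAuthentication,
         [
           # Skip test files so test-only controllers do not raise findings.
           exclude_test_files: true,
           # Narrow the default list to state-changing actions; read-only
           # :index and :show are deliberately left out in this project.
           sensitive_actions: ["create", "update", "delete", "destroy"]
         ]}
      ]
    }
  ]
}

# lib/my_app_web/controllers/admin_controller.ex (assumed path).
defmodule MyAppWeb.AdminController do
  use MyAppWeb, :controller

  # The check treats any plug whose name contains "auth" as authentication.
  # A plug named :ensure_logged_in (assumed name) would NOT be recognised even
  # if it performs authentication, so name the plug accordingly or keep an
  # "auth"-named plug in front of the sensitive actions.
  plug :authenticate_user

  def delete(conn, %{"id" => id}) do
    # State-changing action: covered by the plug above.
    {:ok, _} = MyApp.Accounts.delete_user(id)
    send_resp(conn, 204, "")
  end

  def index(conn, _params) do
    # Not in the configured :sensitive_actions list above, so the check
    # does not require a plug here; the plug still applies to it.
    json(conn, %{users: MyApp.Accounts.list_users()})
  end
end
```

MyApp.Accounts and its functions are assumed context functions, not part of this page.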