Metastatic.Analysis.BusinessLogic.MissingTelemetryInAuthPlug (Metastatic v0.10.4)

Detects authentication/authorization code without telemetry.

Universal pattern: auth checks without audit logging or metrics.

Examples

Python (Django auth without logging):

from django.core.exceptions import PermissionDenied

def check_permission(request, required_role):
    if request.user.role != required_role:  # Should log auth failures
        raise PermissionDenied()

JavaScript (Express auth without metrics):

function authMiddleware(req, res, next) {
    if (!req.headers.authorization) {  // Should emit auth failure metric
        return res.status(401).send('Unauthorized');
    }
    next();
}

Elixir (Plug auth without telemetry):

def authenticate(conn, _opts) do
    case verify_token(conn) do
        # Should emit telemetry; halt so later plugs do not run for the denied request
        {:error, _} -> conn |> send_resp(401, "Unauthorized") |> halt()
        {:ok, user} -> assign(conn, :user, user)
    end
end

C# (ASP.NET auth without logging):

public override void OnAuthorization(AuthorizationContext context) {
    if (!context.HttpContext.User.Identity.IsAuthenticated) {  // Should log
        context.Result = new UnauthorizedResult();
    }
}

Go (auth check without tracing):

func requireAuth(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        if !isAuthenticated(r) {  // Should emit auth failure event
            http.Error(w, "Unauthorized", http.StatusUnauthorized)
            return
        }
        next.ServeHTTP(w, r)
    })
}

Java (Spring Security without audit):

public class CustomAuthFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {
        if (!hasValidToken(request)) {  // Should audit auth failures
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        filterChain.doFilter(request, response);
    }
}

Ruby (devise auth without logging):

before_action :authenticate_user!

def authenticate_user!
    unless signed_in?  # Should log authentication attempts
        redirect_to login_path
    end
end
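The pattern this analysis looks for can be approximated with a small static check. The following is an added example, not part of Metastatic or its documentation: a Python AST walk that flags functions containing an authorization-denial path (a raised `PermissionDenied` or a returned forbidden response) but no call into a logging, metrics or tracing API. The marker and telemetry name sets are constructed assumptions for this illustration, and the sample source embeds the Django snippet from above beside an audited variant.

```python
import ast

# Constructed list of names that mark an auth/authz failure path in the scanned code.
AUTH_FAILURE_MARKERS = {"PermissionDenied", "Unauthorized", "HttpResponseForbidden"}
# Constructed list of call roots that count as telemetry (logging, metrics, tracing, audit).
TELEMETRY_ROOTS = {"logging", "logger", "log", "metrics", "statsd", "tracer", "audit"}


def _call_root(call):
    """Leftmost name of a call target: 'logger' for logger.warning(...), 'f' for f()."""
    func = call.func
    while isinstance(func, ast.Attribute):
        func = func.value
    return func.id if isinstance(func, ast.Name) else None


def _is_auth_failure(node):
    """True for `raise PermissionDenied(...)`-style raises or `return Forbidden(...)` returns."""
    if isinstance(node, ast.Raise) and node.exc is not None:
        exc = node.exc.func if isinstance(node.exc, ast.Call) else node.exc
        name = exc.id if isinstance(exc, ast.Name) else getattr(exc, "attr", None)
        return name in AUTH_FAILURE_MARKERS
    if isinstance(node, ast.Return) and isinstance(node.value, ast.Call):
        return _call_root(node.value) in AUTH_FAILURE_MARKERS
    return False


def _has_telemetry(func_node):
    """True if any call inside the function body targets a known telemetry root."""
    return any(
        isinstance(n, ast.Call) and _call_root(n) in TELEMETRY_ROOTS
        for n in ast.walk(func_node)
    )


def find_untelemetered_auth(source):
    """Return (function_name, line) for every function with a denial path and no telemetry."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            denies = any(_is_auth_failure(n) for n in ast.walk(node))
            if denies and not _has_telemetry(node):
                findings.append((node.name, node.lineno))
    return findings


# Constructed sample: the page's Django check next to an audited version of it.
SAMPLE = '''\
import logging
logger = logging.getLogger("audit")

def check_permission(request, required_role):
    if request.user.role != required_role:
        raise PermissionDenied()

def check_permission_audited(request, required_role):
    if request.user.role != required_role:
        logger.warning("authz denied user=%s role=%s", request.user.id, required_role)
        metrics.increment("authz.denied")
        raise PermissionDenied()
'''

if __name__ == "__main__":
    for name, line in find_untelemetered_auth(SAMPLE):
        print(f"line {line}: {name} denies access without logging or metrics")
```

Only `check_permission` is reported; the audited variant passes because its denial branch calls `logger.warning` and `metrics.increment`. A real detector would resolve imports rather than match on bare names, but the structure (find the denial path, then look for a telemetry call in the same function) is the core of the check.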