chore: login metric added

[ApekshaBhosale]

Description

Added custom login metrics

Fixes #Issue Number
or
Fixes Issue URL

Warning

If no issue exists, please create an issue first, and check with the maintainers if the issue is valid.

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/14617262543
Commit: e36ee2c
Cypress dashboard.
Tags: @tag.All
Spec:

---

Wed, 23 Apr 2025 12:57:57 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Introduced login metrics tracking, including timing and failure counts for login attempts.
  • Added a new filter to monitor login attempts and record related metrics.
  • Enhanced authentication failure handling with detailed metrics for different failure sources and error redirects.
  • Improved rate limiting feedback with integrated metric recording.

• Bug Fixes

  • More accurate tracking and reporting of login failures and their sources.

• Chores

  • Updated security configuration to integrate new metrics and failure handling components.

[coderabbitai]

Walkthrough

This set of changes introduces comprehensive login metrics tracking into the authentication flow. New constants for login-related metrics are defined, and a new filter is added to record login attempts and failures using Micrometer. The authentication failure handlers are updated to accept a metrics registry and to record failure events with detailed tags. The rate limiting filter is also enhanced to record metrics and invoke the new error handling logic. Security configuration is updated to wire in these new components and ensure metrics are collected for both successful and failed login attempts, including those blocked by rate limiting.

Changes

File(s)	Change Summary
.../LoginSpan.java	New class defining LOGIN_FAILURE and LOGIN_ATTEMPT metric name constants for use in telemetry/tracing.
.../AuthenticationFailureHandler.java	Constructor updated to accept a MeterRegistry for metrics tracking.
.../AuthenticationFailureHandlerCE.java	Now records login failure metrics, distinguishes failure sources, and adds a new method for error redirect handling.
.../NoTagsMeterFilter.java	Allows LOGIN_FAILURE and LOGIN_ATTEMPT metrics to retain specific tags in the metrics filter configuration.
.../SecurityConfig.java	Replaces failure handler with new CE version, injects MeterRegistry, adds login metrics and updated rate limit filter.
.../LoginMetricsFilter.java	New filter class that records timing and failure metrics for login attempts using Micrometer.
.../LoginRateLimitFilter.java	Constructor expanded to accept MeterRegistry and new failure handler; records metrics and invokes error redirect.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant LoginMetricsFilter
    participant LoginRateLimitFilter
    participant WebFilterChain
    participant AuthenticationFailureHandlerCE
    participant MeterRegistry

    User->>LoginMetricsFilter: HTTP login request
    LoginMetricsFilter->>MeterRegistry: Start timer for LOGIN_ATTEMPT
    LoginMetricsFilter->>LoginRateLimitFilter: Pass request
    LoginRateLimitFilter->>WebFilterChain: Pass request if not rate-limited
    WebFilterChain-->>LoginMetricsFilter: Success/Failure
    alt Success
        LoginMetricsFilter->>MeterRegistry: Stop timer and record LOGIN_ATTEMPT
    else Failure
        LoginMetricsFilter->>MeterRegistry: Record LOGIN_FAILURE with tags
    end
    alt Rate limit exceeded
        LoginRateLimitFilter->>AuthenticationFailureHandlerCE: handleErrorRedirect
        AuthenticationFailureHandlerCE->>MeterRegistry: Record LOGIN_FAILURE with tags
        LoginRateLimitFilter->>User: Redirect with error
    end

Loading

Poem

Metrics now dance on the login page,
Counting attempts and failures with sage,
Filters and handlers, all in a row,
Tagging each error, so insights may grow.
With timers and counters, the numbers align—
Security and stats, in elegant design!
🚦🔐📈

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between 9306fb8 and e36ee2c.

📒 Files selected for processing (4)

• app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationFailureHandlerCE.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java (9 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginMetricsFilter.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginRateLimitFilter.java (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginRateLimitFilter.java
• app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationFailureHandlerCE.java
• app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginMetricsFilter.java
• app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: server-spotless / spotless-check
• GitHub Check: server-unit-tests / server-unit-tests

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ace9ba and f76ea3b.

📒 Files selected for processing (7)

• app/server/appsmith-interfaces/src/main/java/com/appsmith/external/constants/spans/LoginSpan.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/AuthenticationFailureHandler.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationFailureHandlerCE.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/NoTagsMeterFilter.java (2 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java (9 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginMetricsFilter.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginRateLimitFilter.java (3 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (3)

app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/NoTagsMeterFilter.java (1)

app/server/appsmith-interfaces/src/main/java/com/appsmith/external/constants/spans/LoginSpan.java (1)

• LoginSpan (5-8)

app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginMetricsFilter.java (3)

app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationFailureHandlerCE.java (1)

• Slf4j (15-50)

app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginRateLimitFilter.java (1)

• Slf4j (24-97)

app/server/appsmith-interfaces/src/main/java/com/appsmith/external/constants/spans/LoginSpan.java (1)

• LoginSpan (5-8)

app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationFailureHandlerCE.java (3)

app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginRateLimitFilter.java (1)

• Slf4j (24-97)

app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginMetricsFilter.java (1)

• Slf4j (14-47)

app/server/appsmith-interfaces/src/main/java/com/appsmith/external/constants/spans/LoginSpan.java (1)

• LoginSpan (5-8)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: server-unit-tests / server-unit-tests
• GitHub Check: server-spotless / spotless-check

🔇 Additional comments (23)

app/server/appsmith-interfaces/src/main/java/com/appsmith/external/constants/spans/LoginSpan.java (1)

1-8: Clean implementation of login metric constants

The implementation follows good practices with clear constant naming that aligns with existing span naming conventions by using the APPSMITH_SPAN_PREFIX. The choice of suffixes (login_failure and login_total) is descriptive and reflects the metrics' purposes.

app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/AuthenticationFailureHandler.java (1)

5-14: Constructor properly updated for metrics integration

The constructor has been correctly modified to accept and pass the MeterRegistry to the parent class, enabling metrics collection for authentication failures.

app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/NoTagsMeterFilter.java (2)

11-12: Appropriate imports for login metrics constants

These static imports correctly reference the newly defined span constants.

---

33-35: Correctly configured metric tag preservation

The seriesExceptionMap has been properly extended to include the login metrics with their relevant tags. This ensures that important context information like source and error messages are preserved for these metrics while still applying the filter's general tag removal policy to other metrics.

app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginRateLimitFilter.java (3)

3-8: Appropriate imports for metrics integration

All necessary imports have been added to support the metrics functionality.

Also applies to: 11-12, 21-21

---

29-39: Constructor properly updated for metrics integration

The constructor has been correctly updated to include the MeterRegistry and AuthenticationFailureHandlerCE dependencies, following proper dependency injection patterns.

---

79-89: Metrics implementation follows best practices

The metrics counter is correctly incremented with appropriate tags to provide context about the rate limit failure.

app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginMetricsFilter.java (1)

1-47: Well-designed metrics filter implementation

The implementation effectively captures both timing and error information for login attempts. It properly uses Micrometer's Timer.Sample for measuring durations and adds appropriate tags to metrics.

A minor consideration: very long error messages used as tag values could potentially cause storage issues with some metric systems. Consider truncating error messages to a reasonable length.

app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationFailureHandlerCE.java (5)

4-5: Good import additions for metrics

Proper imports added for MeterRegistry and LOGIN_FAILURE constant.

Also applies to: 13-14

---

8-9: Appropriate OAuth2 exception import

Correctly imported OAuth2AuthenticationException to differentiate between authentication sources.

---

20-20: Proper dependency injection

Good use of the final keyword for dependency injection with @requiredargsconstructor.

---

24-32: Well-implemented failure source identification

The code effectively differentiates between OAuth2 and form login failures, extracting the appropriate error code and incrementing metrics with relevant tags.

---

36-49: Good implementation of error redirect handling

The handleErrorRedirect method properly checks for the "error=true" parameter before recording metrics and uses appropriate tags for source and message.

app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java (10)

7-7: Correct imports for new and updated components

Appropriately imported the new LoginMetricsFilter and updated AuthenticationFailureHandlerCE.

Also applies to: 15-16

---

23-23: Added MeterRegistry import

Properly imported MeterRegistry for metrics collection.

---

75-86: CE URL constants imports

Added imports for CE version URL constants. Appears to have some duplicate imports with lines 64-74, but this may be intentional for CE/EE code structure.

---

106-106: Updated authentication failure handler type

Changed from the interface to the specific CE implementation which includes metrics functionality.

---

140-142: Added MeterRegistry dependency

Correctly added MeterRegistry for dependency injection.

---

144-157: Comment formatting improvements

Updated comment formatting for better readability.

---

205-209: Comment formatting improvements

Updated comment formatting for clarity.

---

214-215: Comment formatting improvements

Updated comment formatting for clarity.

---

251-258: Properly integrated metrics filter in the security chain

The LoginMetricsFilter is correctly added before the form login filter, and LoginRateLimitFilter constructor properly updated to include both meterRegistry and authenticationFailureHandler.

---

315-316: Comment formatting improvements

Updated comment formatting for better readability.

Also applies to: 332-333