(#) Misuse of Credential Manager API !!! WARNING: Misuse of Credential Manager API This is a warning. Id : `CredentialManagerMisuse` Summary : Misuse of Credential Manager API Severity : Warning Category : Correctness Platform : Android Vendor : Android Open Source Project Feedback : https://issuetracker.google.com/issues/new?component=192708 Since : 8.8.0 (January 2025) Affects : Kotlin and Java files Editing : This check can *not* run live in the IDE editor See : https://developer.android.com/identity/sign-in/credential-manager#handle-exceptions Implementation : [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/CredentialManagerMisuseDetector.kt) Tests : [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/CredentialManagerMisuseDetectorTest.kt) When calling `CredentialManager.getCredential` or `CredentialManager.getCredentialAsync`, you should handle `NoCredentialException` somewhere in your project. (##) Example Here is an example of lint warnings produced by this check: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text src/com/example/app/Foo.kt:26:Warning: Call to CredentialManager.getCredential without use of NoCredentialException [CredentialManagerMisuse] credentialManager.getCredential(context, request) ------------------------------------------------- src/com/example/app/Foo.kt:27:Warning: Call to CredentialManager.getCredential without use of NoCredentialException [CredentialManagerMisuse] credentialManager.getCredential(context, prepareGetCredentialResponse.pendingGetCredentialHandle!!) --------------------------------------------------------------------------------------------------- src/com/example/app/Foo.kt:28:Warning: Call to CredentialManager.getCredential without use of NoCredentialException [CredentialManagerMisuse] credentialManager.getCredentialAsync(context, request, cancellationSignal, executor, callback) ---------------------------------------------------------------------------------------------- src/com/example/app/Foo.kt:29:Warning: Call to CredentialManager.getCredential without use of NoCredentialException [CredentialManagerMisuse] credentialManager.getCredentialAsync(context, prepareGetCredentialResponse.pendingGetCredentialHandle!!, cancellationSignal, executor, callback) ------------------------------------------------------------------------------------------------------------------------------------------------ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Here is the source file referenced above: `src/com/example/app/Foo.kt`: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~kotlin linenumbers package com.example.app import android.content.Context import android.os.Build import android.os.CancellationSignal import androidx.credentials.CredentialManager import androidx.credentials.CredentialManagerCallback import androidx.credentials.GetCredentialRequest import androidx.credentials.GetCredentialResponse import androidx.credentials.PrepareGetCredentialResponse import androidx.credentials.PrepareGetCredentialResponse.PendingGetCredentialHandle import androidx.credentials.exceptions.GetCredentialException import androidx.credentials.exceptions.NoCredentialException import java.util.concurrent.Executor class Foo { suspend fun foo( credentialManager: CredentialManager, context: Context, request: GetCredentialRequest, cancellationSignal: CancellationSignal, executor: Executor, callback: CredentialManagerCallback) { try { val prepareGetCredentialResponse = credentialManager.prepareGetCredential(request) credentialManager.getCredential(context, request) credentialManager.getCredential(context, prepareGetCredentialResponse.pendingGetCredentialHandle!!) credentialManager.getCredentialAsync(context, request, cancellationSignal, executor, callback) credentialManager.getCredentialAsync(context, prepareGetCredentialResponse.pendingGetCredentialHandle!!, cancellationSignal, executor, callback) } catch (e: GetCredentialException) { bar(e) } } fun bar(e: GetCredentialException) { TODO() } } ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can also visit the [source code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/CredentialManagerMisuseDetectorTest.kt) for the unit tests for this check to see additional scenarios. (##) Suppressing You can suppress false positives using one of the following mechanisms: * Using a special `lint.xml` file in the source tree which turns off the check in that folder and any sub folder. A simple file might look like this: ```xml <?xml version="1.0" encoding="UTF-8"?> <lint> <issue id="CredentialManagerMisuse" severity="ignore" /> </lint> ``` Instead of `ignore` you can also change the severity here, for example from `error` to `warning`. You can find additional documentation on how to filter issues by path, regular expression and so on [here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html). * In Gradle projects, using the DSL syntax to configure lint. For example, you can use something like ```gradle lintOptions { disable 'CredentialManagerMisuse' } ``` In Android projects this should be nested inside an `android { }` block. * For manual invocations of `lint`, using the `--ignore` flag: ``` $ lint --ignore CredentialManagerMisuse ...` ``` * Last, but not least, using baselines, as discussed [here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).