fix(router): use proper OTEL span kind for Authenticate middleware step

[Blacksmoke16]

Summary by CodeRabbit

• Chores
  • Updated tracing metadata to classify authentication-related traces as client-side, improving attribution and visibility in observability tools.
  • No changes to user-facing behavior, workflows, or APIs.
  • Error handling and pre-handler flow remain unchanged.
  • No configuration updates or actions required from users.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• I have read the Contributors Guide.

Follow up to #456 (comment). It was unexpected for the Authenticate middleware step to have a span kind of server due to this step not representing an incoming remote call. In fact since authentication results in an outgoing HTTP request, it should in fact be client. It cannot be internal because it's crossing a process boundary (the HTTP request).

[coderabbitai]

Walkthrough

Changed the tracing span kind in the GraphQL pre-handler’s Authenticate flow from SpanKindServer to SpanKindClient. No control-flow, error handling, or API signature changes.

Changes

Cohort / File(s)	Summary of Changes
Tracing span kind update router/core/graphql_prehandler.go	Changed Authenticate tracing span kind from SpanKindServer to SpanKindClient; no other logic modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

• Review router/core/graphql_prehandler.go to confirm span-kind usage aligns with tracing conventions and downstream span relationships.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: correcting the OpenTelemetry span kind for the Authenticate middleware from server to client.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e473302 and 3e1e330.

📒 Files selected for processing (1)

• router/core/graphql_prehandler.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• router/core/graphql_prehandler.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test_fork
• GitHub Check: build_image_fork
• GitHub Check: build_image_fork (nonroot)
• GitHub Check: Analyze (go)

Tip

📝 Customizable high-level summaries are now available!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

  - Provide custom instructions to shape the summary (bullet lists, tables, contributor stats, etc.).
  - Use `high_level_summary_in_walkthrough` to move the summary from the description to the walkthrough section.

  Example:

  > "Create a concise high-level summary as a bullet-point list. Then include a Markdown table showing lines added and removed by each contributing author."

  Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[Blacksmoke16]

Not stale, just pending a review 🙂

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[Blacksmoke16]

@SkArchon bump

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[Aenimus]

@Blacksmoke16 Hi, sorry for the delay.

I think at minimum we will need some tests to prove that we don't make assumptions on the kind in the control plane.

Could you add some relevant tests, please?

The WunderGraph Team

CC: @SkArchon @miklosbarabas @StarpTech

[Blacksmoke16]

@Aenimus I guess one follow-up question: how would you actually write a test for that? If there was a prior assumption I'd have expected some existing test(s) to fail. I can of course write a test that asserts this span's kind is what we expect and that it doesn't affect root span detection or anything tho.

The UI just exposes whatever the kind is cosmetically, and ClickHouse views are based on attributes so no change in behavior there either.