I regularly use modified handlers. Here's a rundown:
config_handler: I've updated get_values/4 to use my application name
(?APP, defined by a modified -include(). I did this years ago but now
forget exactly why. (If I had to guess, I'd say it had something to
do with modifying to build with rebar3.)
role_handler: Modified to query a database backend. I think I added
this to ensure that role as checked on each request and not ever
relying on a cache.
query_handler: Added a call in set_websocket_params/3 to reset a
session timer.
security_handler: Added a call in init/2 to create or update a session
timer. Also added a means to redirect to a login page for all pages,
even those usually publically available. (I use this for
demonstration and testing instances.)
route_handler: Added code to detect, auth/authz, and route API calls.
A quick word on my session timer: for each (authenticated) request a
process is started or restarted with a timeout. The process state
contains the most recent wf:context and is able to push a "you will
timeout in one minute..." modal or actually log the user out and
redirect to the login page.
Speaking off the cuff from a remembered pain point: if there was one
item on my wishlist it would be a way of implementing a handler (even
the existing security handler) for websocket requests. In the default
case the request could just pass through to the appropriate event/1
but it could also be hijacked for other processing.