path: root/internal/handler/websocket/handler_test.go
Commit message | Author | Age | Files | Lines
* feat: track authorized (authenticated + successful) requests | bndw | 45 hours | 1 | -0/+7

  Add 'authorized' status for requests that complete successfully after authentication. This complements the existing 'unauthenticated' (pre-auth) status tracking.

  Now the dashboard shows:
  - Authorized: Authenticated requests that succeeded
  - Unauthorized: Authenticated requests rejected (not in allowlist)
  - Pre-Auth: Requests sent before authentication

  This gives full visibility into the auth flow:
  1. Challenges: How many clients authenticated
  2. Authorized: How many authenticated requests succeeded
  3. Unauthorized: How many were rejected despite valid auth
  4. Pre-Auth: How many tried before authenticating

  Updated metrics:
  - requests_total{status="authorized"} - authenticated successes
  - requests_total{status="ok"} - unauthenticated successes (when no auth)
* fix: record AUTH attempt metrics in WebSocket handler | bndw | 46 hours | 1 | -0/+1

  Add RecordAuthAttempt calls to handleAuth so successful and failed AUTH attempts are tracked in metrics. This fixes the dashboard 'Challenges' counter which was always showing 0.

  The deferred call ensures both success and failure cases are recorded:
  - success=true when AUTH completes successfully
  - success=false when AUTH fails (invalid signature, wrong challenge, etc.)

  Updated MetricsRecorder interface and mock to include RecordAuthAttempt.
* feat: track auth rejections with specific 'unauthorized' status | bndw | 46 hours | 1 | -0/+7

  Auth failures (pubkey not in allowlist) are now tracked with status 'unauthorized' instead of generic 'error' in metrics. This allows monitoring of auth rejections separately from other errors.

  Metrics will now show:
  - muxstr_relay_requests_total{status="unauthorized"} - auth failures
  - muxstr_relay_requests_total{status="unauthenticated"} - no auth yet
  - muxstr_relay_requests_total{status="error"} - other errors
  - muxstr_relay_requests_total{status="rate_limited"} - rate limited
  - muxstr_relay_requests_total{status="ok"} - success

  Added test assertion to verify metrics tracking.
* test: add integration tests for NIP-42 AUTH and rate limiting | bndw | 46 hours | 1 | -0/+526

  Add comprehensive WebSocket handler integration tests that verify:
  - NIP-42 authentication flow (auth required, challenge/response)
  - Allowlist enforcement (reject unauthorized pubkeys)
  - Rate limiting by IP address
  - Rate limiting by authenticated pubkey
  - No-auth mode works correctly

  These tests use real WebSocket connections and would have caught the AUTH timeout bug and other protocol issues.

  Tests cover:
  - TestAuthRequired: Verifies AUTH challenge sent, client authenticates, publish succeeds
  - TestAuthNotInAllowlist: Verifies pubkeys not in allowlist are rejected
  - TestRateLimitByIP: Verifies unauthenticated clients are rate limited by IP
  - TestRateLimitByPubkey: Verifies authenticated clients are rate limited by pubkey
  - TestNoAuthWhenDisabled: Verifies publishing works when auth is disabled