From e26729f658739b368073b558eb909af137609dfa Mon Sep 17 00:00:00 2001
From: bndw <ben@bdw.to>
Date: Sun, 15 Feb 2026 10:22:32 -0800
Subject: feat: track auth rejections with specific 'unauthorized' status

Auth failures (pubkey not in allowlist) are now tracked with status
'unauthorized' instead of generic 'error' in metrics. This allows
monitoring of auth rejections separately from other errors.

Metrics will now show:
- muxstr_relay_requests_total{status="unauthorized"} - auth failures
- muxstr_relay_requests_total{status="unauthenticated"} - no auth yet
- muxstr_relay_requests_total{status="error"} - other errors
- muxstr_relay_requests_total{status="rate_limited"} - rate limited
- muxstr_relay_requests_total{status="ok"} - success

Added test assertion to verify metrics tracking.
---
 internal/handler/websocket/handler.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'internal/handler/websocket/handler.go')

diff --git a/internal/handler/websocket/handler.go b/internal/handler/websocket/handler.go
index a23dd60..de71926 100644
--- a/internal/handler/websocket/handler.go
+++ b/internal/handler/websocket/handler.go
@@ -265,7 +265,7 @@ func (h *Handler) handleEvent(ctx context.Context, conn *websocket.Conn, raw []j
 	}
 
 	if err := h.requireAuth(ctx, conn, true, state); err != nil {
-		status = "error"
+		status = "unauthorized"
 		h.sendOK(ctx, conn, event.ID, false, err.Error())
 		return nil
 	}
@@ -371,7 +371,7 @@ func (h *Handler) handleReq(ctx context.Context, conn *websocket.Conn, raw []jso
 	}
 
 	if err := h.requireAuth(ctx, conn, false, state); err != nil {
-		status = "error"
+		status = "unauthorized"
 		return err
 	}
 
-- 
cgit v1.2.3