From e26729f658739b368073b558eb909af137609dfa Mon Sep 17 00:00:00 2001
From: bndw <ben@bdw.to>
Date: Sun, 15 Feb 2026 10:22:32 -0800
Subject: feat: track auth rejections with specific 'unauthorized' status

Auth failures (pubkey not in allowlist) are now tracked with status
'unauthorized' instead of generic 'error' in metrics. This allows
monitoring of auth rejections separately from other errors.

Metrics will now show:
- muxstr_relay_requests_total{status="unauthorized"} - auth failures
- muxstr_relay_requests_total{status="unauthenticated"} - no auth yet
- muxstr_relay_requests_total{status="error"} - other errors
- muxstr_relay_requests_total{status="rate_limited"} - rate limited
- muxstr_relay_requests_total{status="ok"} - success

Added test assertion to verify metrics tracking.
---
 internal/handler/websocket/handler.go      | 4 ++--
 internal/handler/websocket/handler_test.go | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

(limited to 'internal/handler/websocket')

diff --git a/internal/handler/websocket/handler.go b/internal/handler/websocket/handler.go
index a23dd60..de71926 100644
--- a/internal/handler/websocket/handler.go
+++ b/internal/handler/websocket/handler.go
@@ -265,7 +265,7 @@ func (h *Handler) handleEvent(ctx context.Context, conn *websocket.Conn, raw []j
 	}
 
 	if err := h.requireAuth(ctx, conn, true, state); err != nil {
-		status = "error"
+		status = "unauthorized"
 		h.sendOK(ctx, conn, event.ID, false, err.Error())
 		return nil
 	}
@@ -371,7 +371,7 @@ func (h *Handler) handleReq(ctx context.Context, conn *websocket.Conn, raw []jso
 	}
 
 	if err := h.requireAuth(ctx, conn, false, state); err != nil {
-		status = "error"
+		status = "unauthorized"
 		return err
 	}
 
diff --git a/internal/handler/websocket/handler_test.go b/internal/handler/websocket/handler_test.go
index 9f02510..9982aea 100644
--- a/internal/handler/websocket/handler_test.go
+++ b/internal/handler/websocket/handler_test.go
@@ -368,6 +368,13 @@ func TestAuthNotInAllowlist(t *testing.T) {
 		t.Errorf("Expected OK false for unauthorized pubkey, got false: %v", msg3[3])
 	}
 	t.Logf("Unauthorized pubkey correctly rejected: %v", msg3[3])
+
+	// Verify metrics tracked the unauthorized request
+	unauthorizedCount := ts.metrics.getRequestCount("EVENT", "unauthorized")
+	if unauthorizedCount == 0 {
+		t.Errorf("Expected unauthorized requests to be tracked in metrics, got 0")
+	}
+	t.Logf("Metrics: %d unauthorized requests tracked", unauthorizedCount)
 }
 
 // TestRateLimitByIP verifies that rate limiting works by IP
-- 
cgit v1.2.3