From f658ef072394ff9fd28244ad475859c210e8ec16 Mon Sep 17 00:00:00 2001 From: bndw Date: Sun, 15 Feb 2026 10:31:06 -0800 Subject: feat: track authorized (authenticated + successful) requests Add 'authorized' status for requests that complete successfully after authentication. This complements the existing 'unauthenticated' (pre-auth) status tracking. Now the dashboard shows: - Authorized: Authenticated requests that succeeded - Unauthorized: Authenticated requests rejected (not in allowlist) - Pre-Auth: Requests sent before authentication This gives full visibility into the auth flow: 1. Challenges: How many clients authenticated 2. Authorized: How many authenticated requests succeeded 3. Unauthorized: How many were rejected despite valid auth 4. Pre-Auth: How many tried before authenticating Updated metrics: - requests_total{status="authorized"} - authenticated successes - requests_total{status="ok"} - unauthenticated successes (when no auth) --- internal/handler/websocket/handler.go | 14 ++++++++++++-- internal/handler/websocket/handler_test.go | 7 +++++++ 2 files changed, 19 insertions(+), 2 deletions(-) (limited to 'internal/handler/websocket') diff --git a/internal/handler/websocket/handler.go b/internal/handler/websocket/handler.go index dfe7b9e..909e2ec 100644 --- a/internal/handler/websocket/handler.go +++ b/internal/handler/websocket/handler.go @@ -348,7 +348,12 @@ func (h *Handler) handleEvent(ctx context.Context, conn *websocket.Conn, raw []j h.subs.MatchAndFan(pbEvent) - status = "ok" + // Track whether request was authenticated for metrics + if state.authenticatedPubkey != "" { + status = "authorized" + } else { + status = "ok" + } h.sendOK(ctx, conn, event.ID, true, "") return nil } @@ -448,7 +453,12 @@ func (h *Handler) handleReq(ctx context.Context, conn *websocket.Conn, raw []jso go h.streamEvents(ctx, conn, sub) - status = "ok" + // Track whether request was authenticated for metrics + if state.authenticatedPubkey != "" { + status = "authorized" + } else { + status = "ok" + } return nil } diff --git a/internal/handler/websocket/handler_test.go b/internal/handler/websocket/handler_test.go index 10405b2..604a190 100644 --- a/internal/handler/websocket/handler_test.go +++ b/internal/handler/websocket/handler_test.go @@ -305,6 +305,13 @@ func TestAuthRequired(t *testing.T) { t.Errorf("Expected OK true after auth, got false: %v", msg3[3]) } t.Logf("Publish succeeded after auth") + + // Verify authorized requests are tracked in metrics + authorizedCount := ts.metrics.getRequestCount("EVENT", "authorized") + if authorizedCount == 0 { + t.Errorf("Expected authorized requests to be tracked in metrics, got 0") + } + t.Logf("Metrics: %d authorized requests tracked", authorizedCount) } // TestAuthNotInAllowlist verifies that pubkeys not in allowlist are rejected -- cgit v1.2.3