Commit 0b30833
fix(gateway): defer bootstrap failure accounting; remove PoC scripts

Record bootstrap rate-limit failure only after all fallback auth paths
(device-token) have run and auth is still false. A device presenting a
stale bootstrap token alongside a valid device token is a legitimate
connection and must not accumulate bootstrap-scope failures.

Adds a test covering the cross-path case: stale bootstrap + valid
device token → authOk true, bootstrap recordFailure never called.

Removes runnable PoC scripts (poc-bootstrap-dos*.mjs, .ts) ahead of
maintainer review; the rate-limiting proof lives in the test suite.

1 parent 96ce3aa commit 0b30833
6 files changed
Lines changed: 45 additions & 742 deletions
File tree
- scripts
- src/gateway/server/ws-connection
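The deferred accounting described in the commit message, as an added sketch that is not the project's code: a bootstrap miss is remembered but only recorded once the device-token fallback has also failed. `FailureLimiter`, `authenticate`, the request fields and the token values are hypothetical names and constructed samples; skipping the bootstrap path while a client is blocked is an assumption of this sketch.

```javascript
// Added illustration; all names are hypothetical, not the project's API.
class FailureLimiter {
  constructor(maxFailures) {
    this.maxFailures = maxFailures;
    this.failures = new Map(); // key -> failure count
  }
  recordFailure(key) { this.failures.set(key, this.count(key) + 1); }
  count(key) { return this.failures.get(key) ?? 0; }
  isBlocked(key) { return this.count(key) >= this.maxFailures; }
}

// Constructed sample credentials.
const VALID_BOOTSTRAP = new Set(["bootstrap-fresh"]);
const VALID_DEVICE = new Set(["device-good"]);

function authenticate(req, limiter) {
  const key = `bootstrap:${req.clientId}`;
  let authOk = false;
  let bootstrapFailed = false;

  // Path 1: bootstrap token, skipped while this client is rate-limited
  // (assumption of this sketch).
  if (req.bootstrapToken !== undefined && !limiter.isBlocked(key)) {
    authOk = VALID_BOOTSTRAP.has(req.bootstrapToken);
    bootstrapFailed = !authOk; // remember the miss, do not record it yet
  }
  // Path 2: device-token fallback.
  if (!authOk && req.deviceToken !== undefined) {
    authOk = VALID_DEVICE.has(req.deviceToken);
  }
  // Deferred accounting: count the bootstrap miss only once every path
  // has run and the connection is still unauthenticated.
  if (!authOk && bootstrapFailed) limiter.recordFailure(key);
  return { authOk };
}
```

Recording the failure inside the first branch instead would let a device with a stale bootstrap token and a valid device token build up bootstrap-scope failures, which is the case the commit message calls out.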