From e21df4afeda22ad251e0f1f5fe5ae7040f49b27e Mon Sep 17 00:00:00 2001
From: Flegma <Flegma@users.noreply.github.com>
Date: Thu, 2 Apr 2026 16:16:33 +0200
Subject: [PATCH 1/2] fix: log rejected game server WebSocket connections

Add warning logs when connections are rejected due to missing auth
header, malformed credentials, or invalid format for security monitoring.
---
 src/matches/match-events.gateway.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/matches/match-events.gateway.ts b/src/matches/match-events.gateway.ts
index 4686d481..1c9ce991 100644
--- a/src/matches/match-events.gateway.ts
+++ b/src/matches/match-events.gateway.ts
@@ -43,12 +43,16 @@ export class MatchEventsGateway {
       const authHeader = request.headers.authorization;
 
       if (!authHeader || !authHeader.startsWith("Basic ")) {
+        this.logger.warn("game server connection rejected: missing auth", {
+          ip: request.headers["cf-connecting-ip"],
+        });
         client.close();
         return;
       }
 
       const base64Credentials = authHeader.split(" ").at(1);
       if (!base64Credentials) {
+        this.logger.warn("game server connection rejected: malformed auth");
         client.close();
         return;
       }
@@ -56,6 +60,7 @@ export class MatchEventsGateway {
       const decoded = Buffer.from(base64Credentials, "base64").toString();
       const colonIndex = decoded.indexOf(":");
       if (colonIndex === -1) {
+        this.logger.warn("game server connection rejected: invalid credentials format");
         client.close();
         return;
       }

From 7537c569c17ed10252924cbf659cc85c3ae33cef Mon Sep 17 00:00:00 2001
From: Flegma <Flegma@users.noreply.github.com>
Date: Thu, 2 Apr 2026 16:34:44 +0200
Subject: [PATCH 2/2] fix: include client IP in all auth rejection logs

Per review: all three rejection paths should log the IP for
consistent security monitoring, not just the first one.
---
 src/matches/match-events.gateway.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/matches/match-events.gateway.ts b/src/matches/match-events.gateway.ts
index 1c9ce991..a71bd9d9 100644
--- a/src/matches/match-events.gateway.ts
+++ b/src/matches/match-events.gateway.ts
@@ -52,7 +52,9 @@ export class MatchEventsGateway {
 
       const base64Credentials = authHeader.split(" ").at(1);
       if (!base64Credentials) {
-        this.logger.warn("game server connection rejected: malformed auth");
+        this.logger.warn("game server connection rejected: malformed auth", {
+          ip: request.headers["cf-connecting-ip"],
+        });
         client.close();
         return;
       }
@@ -60,7 +62,9 @@ export class MatchEventsGateway {
       const decoded = Buffer.from(base64Credentials, "base64").toString();
       const colonIndex = decoded.indexOf(":");
       if (colonIndex === -1) {
-        this.logger.warn("game server connection rejected: invalid credentials format");
+        this.logger.warn("game server connection rejected: invalid credentials format", {
+          ip: request.headers["cf-connecting-ip"],
+        });
         client.close();
         return;
       }