Allow for 3 seconds for grace before challenge is fatal

internal/router/session_manager.go

@@ -81,22 +81,26 @@ func (c *Challenger) Challenge(address string) error {
 
 	err := conn.SetWriteDeadline(time.Now().Add(2 * time.Second))
 	if err != nil {
+		conn.Close()
 		return err
 	}
 
 	err = conn.WriteJSON("challenge")
 	if err != nil {
+		conn.Close()
 		return err
 	}
 
 	err = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
 	if err != nil {
+		conn.Close()
 		return err
 	}
 
 	msg := struct{ Challenge string }{}
 	err = conn.ReadJSON(&msg)
 	if err != nil {
+		conn.Close()
 		return err
 	}
 
@@ -153,7 +157,7 @@ func (c *Challenger) WS(w http.ResponseWriter, r *http.Request) {
 
 	err = c.Challenge(remoteAddress.String())
 	if err != nil {
-		log.Printf("client did not complete ws challenge: %s", err)
+		log.Printf("client did not complete inital ws challenge: %s", err)
 		return
 	}
 

internal/router/statemachine.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log"
 	"strings"
+	"time"
 
 	"github.com/NHAS/wag/internal/acls"
 	"github.com/NHAS/wag/internal/data"
@@ -103,15 +104,24 @@ func deviceChanges(_ string, current, previous data.Device, et data.EventType) e
 
 			log.Printf("challenging %s:%s device, as endpoint changed: %s -> %s", current.Username, current.Address, current.Endpoint.String(), previous.Endpoint.String())
 			// Will take at most 4 seconds
-			err := Verifier.Challenge(current.Address)
-			if err != nil {
+
+			attempts := 0
+			for ; attempts < 3; attempts++ {
+				err = Verifier.Challenge(current.Address)
+				if err != nil {
+					time.Sleep(1 * time.Second)
+				}
+			}
+
+			if attempts >= 3 {
 				log.Printf("%s:%s failed to pass websockets challenge: %s", current.Username, current.Address, err)
 				err := Deauthenticate(current.Address)
 				if err != nil {
 					return fmt.Errorf("cannot deauthenticate device %s: %s", current.Address, err)
 				}
 			} else {
 				log.Printf("%s:%s device succeeded challenge", current.Username, current.Address)
+
 			}
 		}