# Testing TODO (ideas)

This document collects **concrete** test ideas to increase safety/stability (especially under load and misbehaviour).

## Stream (TCP/TLS) robustness

- Split reads: STUN header (20B) in 2 reads, body in multiple reads
- Split reads: ChannelData header (4B) and payload separated
- Mixed frames: STUN → ChannelData → STUN in a single read (and across multiple reads)
- Oversize frames:
  - STUN length > max → close connection (or drop frame, depending on policy)
  - ChannelData length > max → close connection (or drop frame)
- Garbage resync:
  - random bytes before valid STUN (already covered)
  - random bytes between valid frames

## TURN flows (happy + negative)

- Negative cases per method (for UDP/TCP/TLS each):
  - without allocation → 437 Allocation Mismatch
  - without permission → 403 Peer Not Permitted
  - ChannelData without ChannelBind → drop + optional log counter
  - stale nonce → 438
  - wrong MI → 401/403 depending on policy

## Auth

- TURN REST:
  - expired username → reject
  - username too far in the future (max TTL) → reject
  - wrong HMAC/base64 → reject
  - priority: “user exists in store” vs. “REST fallback”

## Lifecycle

- Allocation expiry:
  - Refresh shortens/extends; min/max lifetime
  - Expiry removes allocation and ends relay task (no task leaks)
- Permission expiry:
  - peer is dropped after expiry
- Channel binding expiry:
  - return path falls back to Data Indication when the binding expires

## Abuse/DoS prevention (once limits are implemented)

- Rate limit: auth failures per IP/username
- Max allocations per IP
- Max permissions/channels per allocation
- Bandwidth caps (bytes/s) per allocation
- Backpressure: writer queue full → define behaviour (drop/close)

## Interop (manually reproducible, but documented)

- Browser plan:
  - trickle ICE / webrtc-internals: forced relay
  - UDP-only block: expect TCP/TLS fallback
  - `turns:` with self-signed vs. valid cert
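
For the stream robustness cases (split reads, mixed frames, oversize frames), one way to write a reference framer and a replay helper to test against, as an added example that is not the project's own code. `StreamFramer`, `FramingError`, `frames_with_read_size` and both size limits are hypothetical names and values, and the sketch assumes the "close connection" policy with no garbage resync.

```python
import struct

MAGIC_COOKIE = bytes.fromhex("2112A442")
STUN_HEADER, CHANNEL_HEADER = 20, 4
MAX_STUN_BODY, MAX_CHANNEL_DATA = 1280, 1500  # assumed policy limits

class FramingError(Exception):
    """Oversize or unrecognised frame; the caller closes the connection."""

class StreamFramer:
    """Reassembles STUN and ChannelData frames from arbitrary read sizes."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        """Append one read's bytes; return the frames completed by it."""
        self.buf += chunk
        return list(iter(self._next, None))  # call _next until it yields None

    def _next(self):
        if len(self.buf) < CHANNEL_HEADER:
            return None  # length field not readable yet
        first, length = struct.unpack_from("!HH", self.buf)
        if first >> 14 == 0:  # top bits 00: STUN message
            if length > MAX_STUN_BODY or length % 4:
                raise FramingError("bad STUN length")
            if len(self.buf) >= 8 and self.buf[4:8] != MAGIC_COOKIE:
                raise FramingError("bad magic cookie")
            kind, used = "stun", STUN_HEADER + length
        elif first >> 14 == 1:  # top bits 01: ChannelData
            if length > MAX_CHANNEL_DATA:
                raise FramingError("oversize ChannelData")
            kind, used = "channel", CHANNEL_HEADER + length
        else:
            raise FramingError("unrecognised frame prefix")
        total = used + (-used % 4)  # ChannelData is padded to 4 bytes on streams
        if len(self.buf) < total:
            return None  # body still in flight
        frame = bytes(self.buf[:used])  # header + body, padding stripped
        del self.buf[:total]
        return kind, frame

def frames_with_read_size(stream, size):
    """Replay `stream` through a fresh framer in reads of `size` bytes."""
    framer, out = StreamFramer(), []
    for i in range(0, len(stream), size):
        out += framer.feed(stream[i:i + size])
    return out
```

Replaying one constructed byte stream at every read size from 1 up to its full length and comparing against the single-read result covers the split-read and mixed-frame bullets in one loop.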