Cap pre-auth handshake recv at 5 s so bad-protocol clients fail fast

Both bare-TCP and WS hosts inherit the listener's 0.5 s socket timeout
on accept(). Bumping that to 60 s covered the WS handshake on slow CI
runners but introduced the inverse hang: a peer that never sends
"\r\n\r\n" (the plain-TCP-into-WS rejection test) deadlocked the server
for the full 60 s and exceeded pytest's per-test budget.

Split the timeouts: 5 s for the pre-auth step (TLS wrap, WS upgrade) —
microseconds is plenty on loopback, 5 s absorbs scheduler starvation,
and shorter than pytest --timeout so wrong-protocol clients fail fast.
The auth exchange that follows still uses the original 60 s budget set
inside _ClientHandler._authenticate.

Author: JE-Chen

je_auto_control/utils/remote_desktop/host.py

@@ -38,6 +38,13 @@
 InputDispatcher = Callable[[Mapping[str, Any]], Any]
 
 _AUTH_TIMEOUT_S = 60.0
+# Ceiling for the pre-auth handshake step (TLS wrap + WS upgrade GET).
+# Legitimate handshakes complete in milliseconds; 5 s is generous enough
+# to absorb scheduler starvation on slow CI runners but short enough to
+# fast-fail when a client speaks the wrong protocol (e.g. plain-TCP auth
+# bytes hitting a WS server). Kept distinct from _AUTH_TIMEOUT_S so the
+# subsequent auth-message exchange retains its longer budget.
+_HANDSHAKE_RECV_TIMEOUT_S = 5.0
 _DEFAULT_QUALITY = 70
 
 
@@ -554,6 +561,18 @@ def _accept_loop(self) -> None:
                 continue
             except OSError:
                 return
+            # accept() returns a new socket that INHERITS the listener's
+            # 0.5 s timeout. That is fine for the accept poll itself but
+            # fatally tight for the handshake that follows: a slow CI
+            # runner can't deliver the TLS / WS upgrade request inside
+            # 500 ms, the recv times out, server drops, and the client's
+            # separate auth wait ticks down to its own timeout. Promote
+            # to a handshake-specific budget — long enough for runner
+            # starvation, short enough to fast-fail on protocol mismatch.
+            try:
+                client_sock.settimeout(_HANDSHAKE_RECV_TIMEOUT_S)
+            except OSError:
+                pass
             wrapped = self._maybe_wrap_tls(client_sock, address)
             if wrapped is None:
                 continue
@@ -594,7 +613,9 @@ def _maybe_wrap_tls(self, client_sock: socket.socket,
         if self._ssl_context is None:
             return client_sock
         try:
-            client_sock.settimeout(_AUTH_TIMEOUT_S)
+            # Use the handshake-specific budget so a peer that never
+            # speaks TLS (or cuts off mid-ClientHello) fails fast.
+            client_sock.settimeout(_HANDSHAKE_RECV_TIMEOUT_S)
             wrapped = self._ssl_context.wrap_socket(
                 client_sock, server_side=True,
             )

je_auto_control/utils/remote_desktop/ws_host.py

@@ -17,7 +17,13 @@
     WsProtocolError, server_handshake,
 )
 
-_HANDSHAKE_TIMEOUT_S = 60.0
+# Ceiling for the WS upgrade exchange. A legitimate handshake on
+# loopback completes in microseconds; 5 s easily absorbs scheduler
+# starvation on a loaded CI runner while still letting the server
+# fast-fail when a peer never sends "\r\n\r\n" (e.g. a plain-TCP
+# viewer pointed at a WS host). The auth exchange that follows uses
+# its own, much longer budget defined in :mod:`host`.
+_HANDSHAKE_TIMEOUT_S = 5.0
 
 
 class WebSocketDesktopHost(RemoteDesktopHost):