feat: enforce mqtt auth tls and keepalive semantics

tests/NATS.Server.Tests/Mqtt/MqttAuthIntegrationTests.cs

@@ -0,0 +1,24 @@
+using System.Net;
+using System.Net.Sockets;
+using NATS.Server.Mqtt;
+
+namespace NATS.Server.Tests.Mqtt;
+
+public class MqttAuthIntegrationTests
+{
+    [Fact]
+    public async Task Invalid_mqtt_credentials_or_keepalive_timeout_close_session_with_protocol_error()
+    {
+        await using var listener = new MqttListener("127.0.0.1", 0, requiredUsername: "mqtt", requiredPassword: "secret");
+        using var cts = new CancellationTokenSource();
+        await listener.StartAsync(cts.Token);
+
+        using var client = new TcpClient();
+        await client.ConnectAsync(IPAddress.Loopback, listener.Port);
+        var stream = client.GetStream();
+
+        await MqttRuntimeWire.WriteLineAsync(stream, "CONNECT auth-client user=bad pass=wrong");
+        (await MqttRuntimeWire.ReadLineAsync(stream, 1000)).ShouldBe("ERR mqtt auth failed");
+        (await MqttRuntimeWire.ReadRawAsync(stream, 1000)).ShouldBeNull();
+    }
+}