add support for some basic authentication methods

2026-04-21 09:46:40 +00:00 · 2026-01-29 16:34:52 +00:00
parent 0d480071b6
commit e95cfa1a00
12 changed files with 867 additions and 449 deletions
--- a/management/internals/modules/reverseproxy/reverseproxy.go
+++ b/management/internals/modules/reverseproxy/reverseproxy.go
@@ -162,25 +162,27 @@ func (r *ReverseProxy) ToProtoMapping(operation Operation, setupKey string) *pro
 	auth := &proto.Authentication{}

 	if r.Auth.PasswordAuth != nil && r.Auth.PasswordAuth.Enabled {
-		auth.Password = &proto.Password{
-			Enabled:  true,
-			Password: r.Auth.PasswordAuth.Password,
-		}
+		auth.Password = true
 	}

 	if r.Auth.PinAuth != nil && r.Auth.PinAuth.Enabled {
-		auth.Pin = &proto.Pin{
-			Enabled: true,
-			Pin:     r.Auth.PinAuth.Pin,
-		}
+		auth.Pin = true
 	}

 	if r.Auth.BearerAuth != nil && r.Auth.BearerAuth.Enabled {
 		auth.Oidc = &proto.OIDC{
-			Enabled: true,
+			OidcProviderUrl:  "",  // TODO:
+			OidcClientId:     "",  // TODO:
+			OidcClientSecret: "",  // TODO:
+			OidcRedirectUrl:  "",  // TODO:
+			OidcScopes:       nil, // TODO:
 		}
 	}

+	if r.Auth.LinkAuth != nil && r.Auth.LinkAuth.Enabled {
+		auth.Link = true
+	}
+
 	return &proto.ProxyMapping{
 		Type:      operationToProtoType(operation),
 		Id:        r.ID,
--- a/management/internals/shared/grpc/proxy.go
+++ b/management/internals/shared/grpc/proxy.go
@@ -2,6 +2,7 @@ package grpc

 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"sync"
 	"time"
@@ -246,3 +247,33 @@ func (s *ProxyServiceServer) GetConnectedProxies() []string {
 	})
 	return proxies
 }
+
+func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.AuthenticateRequest) (*proto.AuthenticateResponse, error) {
+	proxy, err := s.reverseProxyStore.GetReverseProxyByID(ctx, store.LockingStrengthNone, req.GetAccountId(), req.GetId())
+	if err != nil {
+		// TODO: log the error
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to get reverse proxy from store: %v", err)
+	}
+	var authenticated bool
+	switch v := req.GetRequest().(type) {
+	case *proto.AuthenticateRequest_Pin:
+		auth := proxy.Auth.PinAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		authenticated = subtle.ConstantTimeCompare([]byte(auth.Pin), []byte(v.Pin.GetPin())) == 1
+	case *proto.AuthenticateRequest_Password:
+		auth := proxy.Auth.PasswordAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		authenticated = subtle.ConstantTimeCompare([]byte(auth.Password), []byte(v.Password.GetPassword())) == 1
+	}
+	return &proto.AuthenticateResponse{
+		Success: authenticated,
+	}, nil
+}