add support for some basic authentication methods

management/internals/modules/reverseproxy/reverseproxy.go

@@ -162,25 +162,27 @@ func (r *ReverseProxy) ToProtoMapping(operation Operation, setupKey string) *pro
 	auth := &proto.Authentication{}
 
 	if r.Auth.PasswordAuth != nil && r.Auth.PasswordAuth.Enabled {
-		auth.Password = &proto.Password{
+		auth.Password = true
-			Enabled:  true,
-			Password: r.Auth.PasswordAuth.Password,
-		}
 	}
 
 	if r.Auth.PinAuth != nil && r.Auth.PinAuth.Enabled {
-		auth.Pin = &proto.Pin{
+		auth.Pin = true
-			Enabled: true,
-			Pin:     r.Auth.PinAuth.Pin,
-		}
 	}
 
 	if r.Auth.BearerAuth != nil && r.Auth.BearerAuth.Enabled {
 		auth.Oidc = &proto.OIDC{
-			Enabled: true,
+			OidcProviderUrl:  "",  // TODO:
+			OidcClientId:     "",  // TODO:
+			OidcClientSecret: "",  // TODO:
+			OidcRedirectUrl:  "",  // TODO:
+			OidcScopes:       nil, // TODO:
 		}
 	}
 
+	if r.Auth.LinkAuth != nil && r.Auth.LinkAuth.Enabled {
+		auth.Link = true
+	}
+
 	return &proto.ProxyMapping{
 		Type:      operationToProtoType(operation),
 		Id:        r.ID,

management/internals/shared/grpc/proxy.go

@@ -2,6 +2,7 @@ package grpc
 
 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"sync"
 	"time"
@@ -246,3 +247,33 @@ func (s *ProxyServiceServer) GetConnectedProxies() []string {
 	})
 	return proxies
 }
+
+func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.AuthenticateRequest) (*proto.AuthenticateResponse, error) {
+	proxy, err := s.reverseProxyStore.GetReverseProxyByID(ctx, store.LockingStrengthNone, req.GetAccountId(), req.GetId())
+	if err != nil {
+		// TODO: log the error
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to get reverse proxy from store: %v", err)
+	}
+	var authenticated bool
+	switch v := req.GetRequest().(type) {
+	case *proto.AuthenticateRequest_Pin:
+		auth := proxy.Auth.PinAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		authenticated = subtle.ConstantTimeCompare([]byte(auth.Pin), []byte(v.Pin.GetPin())) == 1
+	case *proto.AuthenticateRequest_Password:
+		auth := proxy.Auth.PasswordAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		authenticated = subtle.ConstantTimeCompare([]byte(auth.Password), []byte(v.Password.GetPassword())) == 1
+	}
+	return &proto.AuthenticateResponse{
+		Success: authenticated,
+	}, nil
+}

proxy/internal/auth/auth.gohtml

@@ -1,4 +1,14 @@
 <!doctype html>
 {{ range . }}
-<p>{{ . }}</p>
+{{ if eq .Key "pin" }}
+<form>
+    <input name={{ . }} />
+    <button type=submit></button>
+</form>
+{{ else if eq .Key "password" }}
+<form>
+    <input name={{ . }} />
+    <button type=submit></button>
+</form>
+{{ end }}
 {{ end }}

proxy/internal/auth/link.go

@@ -0,0 +1,57 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+const linkFormId = "email"
+
+type Link struct {
+	id, accountId string
+	client        authenticator
+}
+
+func NewLink(client authenticator, id, accountId string) Link {
+	return Link{
+		id:        id,
+		accountId: accountId,
+		client:    client,
+	}
+}
+
+func (Link) Type() Method {
+	return MethodLink
+}
+
+func (l Link) Authenticate(r *http.Request) (string, bool, any) {
+	email := r.FormValue(linkFormId)
+
+	res, err := l.client.Authenticate(r.Context(), &proto.AuthenticateRequest{
+		Id:        l.id,
+		AccountId: l.accountId,
+		Request: &proto.AuthenticateRequest_Link{
+			Link: &proto.LinkRequest{
+				Email:    email,
+				Redirect: "", // TODO: calculate this.
+			},
+		},
+	})
+	if err != nil {
+		// TODO: log error here
+		return "", false, linkFormId
+	}
+
+	if res.GetSuccess() {
+		// Use the email address as the user identifier.
+		return email, true, nil
+	}
+
+	return "", false, linkFormId
+}
+
+func (l Link) Middleware(next http.Handler) http.Handler {
+	// TODO: handle magic link redirects, should be similar to OIDC.
+	return next
+}

proxy/internal/auth/middleware.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"crypto/rand"
 	_ "embed"
 	"encoding/base64"
@@ -8,6 +9,10 @@ import (
 	"net/http"
 	"sync"
 	"time"
+
+	"google.golang.org/grpc"
+
+	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
 //go:embed auth.gohtml
@@ -16,9 +21,10 @@ var authTemplate string
 type Method string
 
 var (
-	MethodBasicAuth Method = "basic"
+	MethodPassword Method = "password"
 	MethodPIN      Method = "pin"
-	MethodBearer    Method = "bearer"
+	MethodOIDC     Method = "oidc"
+	MethodLink     Method = "link"
 )
 
 func (m Method) String() string {
@@ -36,6 +42,10 @@ type session struct {
 	CreatedAt time.Time
 }
 
+type authenticator interface {
+	Authenticate(ctx context.Context, in *proto.AuthenticateRequest, opts ...grpc.CallOption) (*proto.AuthenticateResponse, error)
+}
+
 type Scheme interface {
 	Type() Method
 	// Authenticate should check the passed request and determine whether

proxy/internal/auth/oidc.go

@@ -35,6 +35,7 @@ type oidcState struct {
 
 // OIDC implements the Scheme interface for JWT/OIDC authentication
 type OIDC struct {
+	id, accountId string
 	verifier      *oidc.IDTokenVerifier
 	oauthConfig   *oauth2.Config
 	states        map[string]*oidcState
@@ -42,7 +43,7 @@ type OIDC struct {
 }
 
 // NewOIDC creates a new OIDC authentication scheme
-func NewOIDC(ctx context.Context, cfg OIDCConfig) (*OIDC, error) {
+func NewOIDC(ctx context.Context, id, accountId string, cfg OIDCConfig) (*OIDC, error) {
 	if cfg.OIDCProviderURL == "" || cfg.OIDCClientID == "" {
 		return nil, fmt.Errorf("OIDC provider URL and client ID are required")
 	}
@@ -58,6 +59,8 @@ func NewOIDC(ctx context.Context, cfg OIDCConfig) (*OIDC, error) {
 	}
 
 	o := &OIDC{
+		id:        id,
+		accountId: accountId,
 		verifier: provider.Verifier(&oidc.Config{
 			ClientID: cfg.OIDCClientID,
 		}),
@@ -77,7 +80,7 @@ func NewOIDC(ctx context.Context, cfg OIDCConfig) (*OIDC, error) {
 }
 
 func (*OIDC) Type() Method {
-	return MethodBearer
+	return MethodOIDC
 }
 
 func (o *OIDC) Authenticate(r *http.Request) (string, bool, any) {

proxy/internal/auth/password.go

@@ -0,0 +1,62 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+const (
+	passwordUserId = "password-user"
+	passwordFormId = "password"
+)
+
+type Password struct {
+	id, accountId string
+	client        authenticator
+}
+
+func NewPassword(client authenticator, id, accountId string) Password {
+	return Password{
+		id:        id,
+		accountId: accountId,
+		client:    client,
+	}
+}
+
+func (Password) Type() Method {
+	return MethodPassword
+}
+
+// Authenticate attempts to authenticate the request using a form
+// value passed in the request.
+// If authentication fails, the required HTTP form ID is returned
+// so that it can be injected into a request from the UI so that
+// authentication may be successful.
+func (p Password) Authenticate(r *http.Request) (string, bool, any) {
+	password := r.FormValue(passwordFormId)
+
+	res, err := p.client.Authenticate(r.Context(), &proto.AuthenticateRequest{
+		Id:        p.id,
+		AccountId: p.accountId,
+		Request: &proto.AuthenticateRequest_Password{
+			Password: &proto.PasswordRequest{
+				Password: password,
+			},
+		},
+	})
+	if err != nil {
+		// TODO: log error here
+		return "", false, passwordFormId
+	}
+
+	if res.GetSuccess() {
+		return passwordUserId, true, nil
+	}
+
+	return "", false, passwordFormId
+}
+
+func (p Password) Middleware(next http.Handler) http.Handler {
+	return next
+}

proxy/internal/auth/pin.go

@@ -1,22 +1,26 @@
 package auth
 
 import (
-	"crypto/subtle"
 	"net/http"
+
+	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
 const (
-	userId = "pin-user"
+	pinUserId = "pin-user"
-	formId = "pin"
+	pinFormId = "pin"
 )
 
 type Pin struct {
-	pin string
+	id, accountId string
+	client        authenticator
 }
 
-func NewPin(pin string) Pin {
+func NewPin(client authenticator, id, accountId string) Pin {
 	return Pin{
-		pin: pin,
+		id:        id,
+		accountId: accountId,
+		client:    client,
 	}
 }
 
@@ -30,14 +34,27 @@ func (Pin) Type() Method {
 // so that it can be injected into a request from the UI so that
 // authentication may be successful.
 func (p Pin) Authenticate(r *http.Request) (string, bool, any) {
-	pin := r.FormValue(formId)
+	pin := r.FormValue(pinFormId)
 
-	// Compare the passed pin with the expected pin.
+	res, err := p.client.Authenticate(r.Context(), &proto.AuthenticateRequest{
-	if subtle.ConstantTimeCompare([]byte(pin), []byte(p.pin)) == 1 {
+		Id:        p.id,
-		return userId, false, nil
+		AccountId: p.accountId,
+		Request: &proto.AuthenticateRequest_Pin{
+			Pin: &proto.PinRequest{
+				Pin: pin,
+			},
+		},
+	})
+	if err != nil {
+		// TODO: log error here
+		return "", false, pinFormId
 	}
 
-	return "", false, formId
+	if res.GetSuccess() {
+		return pinUserId, true, nil
+	}
+
+	return "", false, pinFormId
 }
 
 func (p Pin) Middleware(next http.Handler) http.Handler {

proxy/server.go

@@ -287,15 +287,17 @@ func (s *Server) updateMapping(ctx context.Context, mapping *proto.ProxyMapping)
 	// the auth and proxy mappings.
 	// Note: this does require the management server to always send a
 	// full mapping rather than deltas during a modification.
+	mgmtClient := proto.NewProxyServiceClient(s.mgmtConn)
 	var schemes []auth.Scheme
-	if mapping.GetAuth().GetPin().GetEnabled() {
+	if mapping.GetAuth().GetPassword() {
-		schemes = append(schemes, auth.NewPin(
+		schemes = append(schemes, auth.NewPassword(mgmtClient, mapping.GetId(), mapping.GetAccountId()))
-			mapping.GetAuth().GetPin().GetPin(),
-		))
 	}
-	if mapping.GetAuth().GetOidc().GetEnabled() {
+	if mapping.GetAuth().GetPin() {
+		schemes = append(schemes, auth.NewPin(mgmtClient, mapping.GetId(), mapping.GetAccountId()))
+	}
+	if mapping.GetAuth().GetOidc() != nil {
 		oidc := mapping.GetAuth().GetOidc()
-		scheme, err := auth.NewOIDC(ctx, auth.OIDCConfig{
+		scheme, err := auth.NewOIDC(ctx, mapping.GetId(), mapping.GetAccountId(), auth.OIDCConfig{
 			OIDCProviderURL:  oidc.GetOidcProviderUrl(),
 			OIDCClientID:     oidc.GetOidcClientId(),
 			OIDCClientSecret: oidc.GetOidcClientSecret(),
@@ -308,6 +310,9 @@ func (s *Server) updateMapping(ctx context.Context, mapping *proto.ProxyMapping)
 			schemes = append(schemes, scheme)
 		}
 	}
+	if mapping.GetAuth().GetLink() {
+		schemes = append(schemes, auth.NewLink(mgmtClient, mapping.GetId(), mapping.GetAccountId()))
+	}
 	s.auth.AddDomain(mapping.GetDomain(), schemes)
 	s.proxy.AddMapping(s.protoToMapping(mapping))
 }

shared/management/proto/proxy_service.proto

@@ -12,6 +12,8 @@ service ProxyService {
   rpc GetMappingUpdate(GetMappingUpdateRequest) returns (stream GetMappingUpdateResponse);
 
   rpc SendAccessLog(SendAccessLogRequest) returns (SendAccessLogResponse);
+
+  rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
 }
 
 // GetMappingUpdateRequest is sent to initialise a mapping stream.
@@ -40,35 +42,18 @@ message PathMapping {
 }
 
 message Authentication {
-  Password password = 1;
+  bool password = 1;
-  Pin pin = 2;
+  bool pin = 2;
-  OIDC oidc = 3;
+  optional OIDC oidc = 3;
-  Link link = 4;
+  bool link = 4;
-}
-
-message Password {
-  bool enabled = 1;
-  string password = 2;
-}
-
-message Pin {
-  bool enabled = 1;
-  string pin = 2;
-}
-
-message Link {
-  bool enabled = 1;
-  string link_url = 2;
 }
 
 message OIDC {
-  bool enabled = 1;
+  string oidc_provider_url = 1;
-  string oidc_provider_url = 2;
+  string oidc_client_id = 2;
-  string oidc_client_id = 3;
+  string oidc_client_secret = 3;
-  string oidc_client_secret = 4;
+  string oidc_redirect_url = 4;
-  string oidc_redirect_url = 5;
+  repeated string oidc_scopes = 5;
-  repeated string oidc_scopes = 6;
-  string session_cookie_name = 7;
 }
 
 message ProxyMapping {
@@ -104,3 +89,30 @@ message AccessLog {
   string user_id = 12;
   bool auth_success = 13;
 }
+
+message AuthenticateRequest {
+  string id = 1;
+  string account_id = 2;
+  oneof request {
+    PasswordRequest password = 3;
+    PinRequest pin = 4;
+    LinkRequest link = 5;
+  }
+}
+
+message PasswordRequest {
+  string password = 1;
+}
+
+message PinRequest {
+  string pin = 1;
+}
+
+message LinkRequest {
+  string email = 1;
+  string redirect = 2;
+}
+
+message AuthenticateResponse {
+  bool success = 1;
+}

shared/management/proto/proxy_service_grpc.pb.go

@@ -20,6 +20,7 @@ const _ = grpc.SupportPackageIsVersion7
 type ProxyServiceClient interface {
 	GetMappingUpdate(ctx context.Context, in *GetMappingUpdateRequest, opts ...grpc.CallOption) (ProxyService_GetMappingUpdateClient, error)
 	SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error)
+	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
 }
 
 type proxyServiceClient struct {
@@ -71,12 +72,22 @@ func (c *proxyServiceClient) SendAccessLog(ctx context.Context, in *SendAccessLo
 	return out, nil
 }
 
+func (c *proxyServiceClient) Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error) {
+	out := new(AuthenticateResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/Authenticate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ProxyServiceServer is the server API for ProxyService service.
 // All implementations must embed UnimplementedProxyServiceServer
 // for forward compatibility
 type ProxyServiceServer interface {
 	GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error
 	SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error)
+	Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
 	mustEmbedUnimplementedProxyServiceServer()
 }
 
@@ -90,6 +101,9 @@ func (UnimplementedProxyServiceServer) GetMappingUpdate(*GetMappingUpdateRequest
 func (UnimplementedProxyServiceServer) SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SendAccessLog not implemented")
 }
+func (UnimplementedProxyServiceServer) Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
+}
 func (UnimplementedProxyServiceServer) mustEmbedUnimplementedProxyServiceServer() {}
 
 // UnsafeProxyServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -142,6 +156,24 @@ func _ProxyService_SendAccessLog_Handler(srv interface{}, ctx context.Context, d
 	return interceptor(ctx, in, info, handler)
 }
 
+func _ProxyService_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AuthenticateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).Authenticate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/Authenticate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).Authenticate(ctx, req.(*AuthenticateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // ProxyService_ServiceDesc is the grpc.ServiceDesc for ProxyService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -153,6 +185,10 @@ var ProxyService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SendAccessLog",
 			Handler:    _ProxyService_SendAccessLog_Handler,
 		},
+		{
+			MethodName: "Authenticate",
+			Handler:    _ProxyService_Authenticate_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{