cleanup

proxy/internal/auth/methods/basic_auth.go

@@ -0,0 +1,26 @@
+package methods
+
+import (
+	"crypto/subtle"
+	"net/http"
+)
+
+// BasicAuthConfig holds HTTP Basic authentication settings
+type BasicAuthConfig struct {
+	Username string
+	Password string
+}
+
+// Validate checks Basic Auth credentials from the request
+func (c *BasicAuthConfig) Validate(r *http.Request) bool {
+	username, password, ok := r.BasicAuth()
+	if !ok {
+		return false
+	}
+
+	// Use constant-time comparison to prevent timing attacks
+	usernameMatch := subtle.ConstantTimeCompare([]byte(username), []byte(c.Username)) == 1
+	passwordMatch := subtle.ConstantTimeCompare([]byte(password), []byte(c.Password)) == 1
+
+	return usernameMatch && passwordMatch
+}

proxy/internal/auth/methods/bearer_auth.go

@@ -0,0 +1,10 @@
+package methods
+
+// BearerConfig holds JWT/OAuth/OIDC bearer token authentication settings
+// The actual OIDC/JWT configuration comes from the global proxy Config.OIDCConfig
+// This just enables Bearer auth for a specific route
+type BearerConfig struct {
+	// Enable bearer token authentication for this route
+	// Uses the global OIDC configuration from proxy Config
+	Enabled bool
+}

proxy/internal/auth/methods/pin_auth.go

@@ -0,0 +1,33 @@
+package methods
+
+import (
+	"crypto/subtle"
+	"net/http"
+)
+
+const (
+	// DefaultPINHeader is the default header name for PIN authentication
+	DefaultPINHeader = "X-PIN"
+)
+
+// PINConfig holds PIN authentication settings
+type PINConfig struct {
+	PIN    string
+	Header string // Header name (default: "X-PIN")
+}
+
+// Validate checks PIN from the request header
+func (c *PINConfig) Validate(r *http.Request) bool {
+	header := c.Header
+	if header == "" {
+		header = DefaultPINHeader
+	}
+
+	providedPIN := r.Header.Get(header)
+	if providedPIN == "" {
+		return false
+	}
+
+	// Use constant-time comparison to prevent timing attacks
+	return subtle.ConstantTimeCompare([]byte(providedPIN), []byte(c.PIN)) == 1
+}