feat(gateway): add trusted-proxy auth mode (#15940)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 279d4b304f Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com> Co-authored-by: steipete <58493+steipete@users.noreply.github.com> Reviewed-by: @steipete
2026-05-08 22:28:27 +00:00 · 2026-02-14 06:32:17 -05:00
parent 3a330e681b
commit 1fb52b4d7b
28 changed files with 1867 additions and 92 deletions
--- a/src/commands/configure.gateway-auth.e2e.test.ts
+++ b/src/commands/configure.gateway-auth.e2e.test.ts
@@ -117,4 +117,94 @@ describe("buildGatewayAuthConfig", () => {
    expect(typeof result?.token).toBe("string");
    expect(result?.token?.length).toBeGreaterThan(0);
  });
+
+  it("builds trusted-proxy config with all options", () => {
+    const result = buildGatewayAuthConfig({
+      mode: "trusted-proxy",
+      trustedProxy: {
+        userHeader: "x-forwarded-user",
+        requiredHeaders: ["x-forwarded-proto", "x-forwarded-host"],
+        allowUsers: ["nick@example.com", "admin@company.com"],
+      },
+    });
+
+    expect(result).toEqual({
+      mode: "trusted-proxy",
+      trustedProxy: {
+        userHeader: "x-forwarded-user",
+        requiredHeaders: ["x-forwarded-proto", "x-forwarded-host"],
+        allowUsers: ["nick@example.com", "admin@company.com"],
+      },
+    });
+  });
+
+  it("builds trusted-proxy config with only userHeader", () => {
+    const result = buildGatewayAuthConfig({
+      mode: "trusted-proxy",
+      trustedProxy: {
+        userHeader: "x-remote-user",
+      },
+    });
+
+    expect(result).toEqual({
+      mode: "trusted-proxy",
+      trustedProxy: {
+        userHeader: "x-remote-user",
+      },
+    });
+  });
+
+  it("preserves allowTailscale when switching to trusted-proxy", () => {
+    const result = buildGatewayAuthConfig({
+      existing: {
+        mode: "token",
+        token: "abc",
+        allowTailscale: true,
+      },
+      mode: "trusted-proxy",
+      trustedProxy: {
+        userHeader: "x-forwarded-user",
+      },
+    });
+
+    expect(result).toEqual({
+      mode: "trusted-proxy",
+      allowTailscale: true,
+      trustedProxy: {
+        userHeader: "x-forwarded-user",
+      },
+    });
+  });
+
+  it("throws error when trusted-proxy mode lacks trustedProxy config", () => {
+    expect(() => {
+      buildGatewayAuthConfig({
+        mode: "trusted-proxy",
+        // missing trustedProxy
+      });
+    }).toThrow("trustedProxy config is required when mode is trusted-proxy");
+  });
+
+  it("drops token and password when switching to trusted-proxy", () => {
+    const result = buildGatewayAuthConfig({
+      existing: {
+        mode: "token",
+        token: "abc",
+        password: "secret",
+      },
+      mode: "trusted-proxy",
+      trustedProxy: {
+        userHeader: "x-forwarded-user",
+      },
+    });
+
+    expect(result).toEqual({
+      mode: "trusted-proxy",
+      trustedProxy: {
+        userHeader: "x-forwarded-user",
+      },
+    });
+    expect(result).not.toHaveProperty("token");
+    expect(result).not.toHaveProperty("password");
+  });
 });