Add support for push pam users

2026-05-28 03:32:20 +00:00 · 2026-05-22 12:12:55 -07:00
parent fe67e8e384
commit 454449ec8a
5 changed files with 175 additions and 24 deletions
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -160,7 +160,13 @@ export const resources = pgTable("resources", {
    postAuthPath: text("postAuthPath"),
    health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
    wildcard: boolean("wildcard").notNull().default(false),
-    browserAccessType: text("browserAccessType").default("http") // rdp, ssh, http, vnc
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote" | "native">()
+        .default("site")
 });

 export const labels = pgTable("labels", {
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -181,7 +181,13 @@ export const resources = sqliteTable("resources", {
    postAuthPath: text("postAuthPath"),
    health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
-    browserAccessType: text("browserAccessType").default("http") // rdp, ssh, http, vnc
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote" | "native">()
+        .default("site")
 });

 export const labels = sqliteTable("labels", {
--- a/server/routers/resource/getBrowserTarget.ts
+++ b/server/routers/resource/getBrowserTarget.ts
@@ -21,6 +21,11 @@ export type GetBrowserTargetResponse = {
    ip: string;
    port: number;
    authToken: string;
+    orgId: string;
+    resourceId: number;
+    niceId: string;
+    pamMode: "passthrough" | "push" | null;
+    authDaemonMode: "site" | "remote" | "native" | null;
 };

 export async function getBrowserTarget(
@@ -47,7 +52,12 @@ export async function getBrowserTarget(
            .select({
                destination: browserGatewayTarget.destination,
                destinationPort: browserGatewayTarget.destinationPort,
-                authToken: browserGatewayTarget.authToken
+                authToken: browserGatewayTarget.authToken,
+                resourceId: resources.resourceId,
+                niceId: resources.niceId,
+                orgId: resources.orgId,
+                pamMode: resources.pamMode,
+                authDaemonMode: resources.authDaemonMode
            })
            .from(browserGatewayTarget)
            .innerJoin(
@@ -57,7 +67,7 @@ export async function getBrowserTarget(
            .where(eq(resources.fullDomain, fullDomain))
            .limit(1);

-        const decryptAuthToken = decrypt(
+        const decryptedAuthToken = decrypt(
            browserTarget.authToken,
            config.getRawConfig().server.secret!
        );
@@ -75,7 +85,12 @@ export async function getBrowserTarget(
            data: {
                ip: browserTarget.destination,
                port: browserTarget.destinationPort,
-                authToken: decryptAuthToken
+                authToken: decryptedAuthToken,
+                pamMode: browserTarget.pamMode,
+                authDaemonMode: browserTarget.authDaemonMode,
+                orgId: browserTarget.orgId,
+                resourceId: browserTarget.resourceId,
+                niceId: browserTarget.niceId
            },
            success: true,
            error: false,