From 1b6b112e92d68b884eade6a847e921a03963bd8e Mon Sep 17 00:00:00 2001
From: Owen
Date: Wed, 27 May 2026 17:29:19 -0700
Subject: [PATCH] Add auth daemon to blueprints
---
 server/lib/blueprints/clientResources.ts | 12 ++++++++++--
 server/lib/blueprints/proxyResources.ts | 10 ++++++++++
 server/lib/blueprints/types.ts | 25 ++++++++++++++++++++++--
 3 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/server/lib/blueprints/clientResources.ts b/server/lib/blueprints/clientResources.ts
index 22b951870..67291bd0f 100644
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -225,7 +225,11 @@ export async function updateClientResources(
 : resourceData["udp-ports"],
 fullDomain: resourceData["full-domain"] || null,
 subdomain: domainInfo ? domainInfo.subdomain : null,
- domainId: domainInfo ? domainInfo.domainId : null
+ domainId: domainInfo ? domainInfo.domainId : null,
+ pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+ authDaemonMode:
+ resourceData["auth-daemon"]?.mode || "native",
+ authDaemonPort: resourceData["auth-daemon"]?.port || 22123
 })
 .where(
 eq(
@@ -415,7 +419,11 @@ export async function updateClientResources(
 : resourceData["udp-ports"],
 fullDomain: resourceData["full-domain"] || null,
 subdomain: domainInfo ? domainInfo.subdomain : null,
- domainId: domainInfo ? domainInfo.domainId : null
+ domainId: domainInfo ? domainInfo.domainId : null,
+ pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+ authDaemonMode:
+ resourceData["auth-daemon"]?.mode || "native",
+ authDaemonPort: resourceData["auth-daemon"]?.port || 22123
 })
 .returning();
diff --git a/server/lib/blueprints/proxyResources.ts b/server/lib/blueprints/proxyResources.ts
index 897a7a77b..3fb8711c8 100644
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
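Review bot: In the update hunk at line 225 the three new fields always receive a value, so applying a blueprint that has no `auth-daemon` key rewrites an existing resource's stored `pamMode`, `authDaemonMode` and `authDaemonPort` to `"passthrough"`, `"native"` and `22123`. If these columns can also be set outside blueprints, that is a silent change to an authentication setting; worth confirming it is intended, and if not, passing the value through without a fallback on the update path, e.g. `pamMode: resourceData["auth-daemon"]?.pam,` (this assumes the update call skips undefined fields, which the hunk does not show). The first hunk of proxyResources.ts, if it is also an update, behaves the same way. The enclosing call starts outside the hunk.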
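Review bot: The fallback `resourceData["auth-daemon"]?.mode || "native"` in the insert hunk at line 415 disagrees with the schema default this commit adds in types.ts, `.default("site")`. Assuming `resourceData` is the parsed schema output, a blueprint that omits `auth-daemon` is stored as `native`, while one that gives the block without a `mode` is stored as `site`. The same fallback is in the hunk at 225 and in both hunks of proxyResources.ts. Pick one default and state it once; if `native` is the intended one, the schema line becomes `mode: z.enum(["site", "remote", "native"]).optional().default("native"),`. The three fallback expressions are repeated in four places, so a small shared helper would keep them from drifting again.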
@@ -275,6 +275,12 @@ export async function updateProxyResources(
 headers: headers || null,
 applyRules: resourceData.rules && resourceData.rules.length > 0,
+ pamMode:
+ resourceData["auth-daemon"]?.pam || "passthrough",
+ authDaemonMode:
+ resourceData["auth-daemon"]?.mode || "native",
+ authDaemonPort:
+ resourceData["auth-daemon"]?.port || 22123,
 maintenanceModeEnabled: resourceData.maintenance?.enabled,
 maintenanceModeType: resourceData.maintenance?.type,
@@ -746,6 +752,10 @@ export async function updateProxyResources(
 headers: headers || null,
 applyRules: resourceData.rules && resourceData.rules.length > 0,
+ pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+ authDaemonMode:
+ resourceData["auth-daemon"]?.mode || "native",
+ authDaemonPort: resourceData["auth-daemon"]?.port || 22123,
 maintenanceModeEnabled: resourceData.maintenance?.enabled,
 maintenanceModeType: resourceData.maintenance?.type,
 maintenanceTitle: resourceData.maintenance?.title,
diff --git a/server/lib/blueprints/types.ts b/server/lib/blueprints/types.ts
index 1dff334b0..ebcb69840 100644
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -161,6 +161,25 @@ export const HeaderSchema = z.object({
 value: z.string().min(1)
 });
+export const AuthDaemonSchema = z
+ .object({
+ pam: z.enum(["passthrough", "push"]).optional().default("passthrough"),
+ mode: z.enum(["site", "remote", "native"]).optional().default("site"),
+ port: z.int().min(1).max(65535).optional()
+ })
+ .refine(
+ (data) => {
+ if (data.mode === "remote") {
+ return data.port !== undefined;
+ }
+ return true;
+ },
+ {
+ path: ["port"],
+ message: "port is required when auth-daemon mode is 'remote'"
+ }
+ );
+
 // Schema for individual resource
 export const PublicResourceSchema = z
 .object({
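Review bot: `AuthDaemonSchema` is built with `z.object`, which by default drops keys it does not know, so a misspelled key inside an `auth-daemon` block (say a constructed `pamm: "push"`) parses cleanly and the resource is stored with `pam: "passthrough"`. For a block that selects an authentication mode a typo should be a validation error; adding `.strict()` before `.refine(` would reject unknown keys, unless the other schemas in this file deliberately stay lenient. A short comment above the schema saying what each `pam` and `mode` value selects, and that `port` is only mandatory for `remote`, would also help blueprint authors, since the names alone do not say it.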
@@ -180,7 +199,8 @@ export const PublicResourceSchema = z
 "tls-server-name": z.string().optional(),
 headers: z.array(HeaderSchema).optional(),
 rules: z.array(RuleSchema).optional(),
- maintenance: MaintenanceSchema.optional()
+ maintenance: MaintenanceSchema.optional(),
+ "auth-daemon": AuthDaemonSchema.optional()
 })
 .refine(
 (resource) => {
@@ -401,7 +421,8 @@ export const PrivateResourceSchema = z
 error: "Admin role cannot be included in roles"
 }),
 users: z.array(z.string()).optional().default([]),
- machines: z.array(z.string()).optional().default([])
+ machines: z.array(z.string()).optional().default([]),
+ "auth-daemon": AuthDaemonSchema.optional()
 })
 .refine(
 (data) => {