API in Proxy for Multi Factor Authentication in Desktop Client

[teon]

1. Proxy will expose user MFA endpoints from core by connecting with GRPC to defguard.
2. Defuard client before connect will need to go through MFA exactly the same as after doing login on the web.
3. After successful MFA on client - the client receives a unique PSK KEY for this device, the gateway receives action of adding a new PEER with this PSK key.

In VPN Settings we need a checkbox Require MFA to connect to this Location (enabled by default).

Add rate limit - 5/min && (if possible) after that 1min brake.

[teon]

@4lb we need to talk it through from design point of view

[teon]

Agreed on duplicate core UI

[przemyslaw]

MVP - TOTP or email codes for MFA

[wojcik91]

TODO:

• update protos & proxy to expose auth methods from core
  • TOTP/email code auth
• login flow in client (on tunnel connect)
  • step 1: MFA method choice
  • step 2: MFA code
• send PSK to the gateway
• gateway confirms that the peer is UP
• THEN send PSK to the client
• Client: connec wg interface
• user is logged out:
  • desktop client is closed - add sending info to proxy on disconnect to remove peer
  • based on the settings (Peer disconnect time) disconnect the peer & remove PSK from device

[teon]

Design -> https://www.figma.com/file/uoFcgpOuVWa6g7tvKwB52o/defguard?type=design&node-id=3963%3A12460&mode=design&t=8S3WzxGSIpjnMb74-1

Sekcja: GH-https://github.com/DefGuard/client/issues/128

[wojcik91]

Rate limiting moved to a dedicated task: https://github.com/DefGuard/proxy/issues/45