feat: add captive portal (zero-trust proxy) authentication support #695

Open
jerzykrlk wants to merge 1 commit into BLeeEZ:master from jerzykrlk:feature/captive-portal

@jerzykrlk

Hello all,

This MR detects when the server is behind a zero-trust proxy (Cloudflare Access, Authelia, etc.) and presents an embedded browser for authentication.

Cookies are persisted and forwarded to all request paths including audio streaming. Session is cleared on explicit logout but preserved on token expiry for seamless re-authentication.

It's slightly related to #694 - I just thought it would be useful for those who don't want to generate a private key.

Thanks!

Detect when the server is behind a zero-trust proxy (Cloudflare Access, Authelia, etc.) and present an embedded browser for authentication.

Cookies are persisted and forwarded to all request paths including audio streaming. Session is cleared on explicit logout but preserved on token expiry for seamless re-authentication.
@BLeeEZ

BLeeEZ commented May 16, 2026

Owner

First of all thank you for providing PRs.
The problem I have is that I am not able to test this feature.
What would be needed to set up an environment to test this?

@jerzykrlk

Author

Hello @BLeeEZ , thanks for the reply!

I didn't think of that before, apologies. I'll find something suitable and get back to you.

@rybomir

rybomir commented May 27, 2026

@jerzykrlk I'd love to see this PR merged, so if there's anything I can do to help with testing (e.g. I could set up a sample Navidrome instance behind a CF Zero Trust tunnel for @BLeeEZ) - please let me know!

@mesonoxianvlad

@BLeeEZ

Here's a sample docker compose stack.

```yaml
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    environment:
      # token extracted from the Docker command shown when creating the tunnel
      - TUNNEL_TOKEN=${CLOUDFLARE_TUNNEL_TOKEN}
    command: tunnel --no-autoupdate run
    networks:
      - cloudflare

  navidrome:
    image: deluan/navidrome:latest
    container_name: navidrome
    user: 1000:1000
    ports:
      # also publishes Navidrome directly on the host; the tunnel itself
      # reaches it as navidrome:4533 over the cloudflare network
      - "4533:4533"
    environment:
      - PUID=1000
      - PGID=1000
    restart: unless-stopped
    # volumes:  # uncomment together with at least one mount below
      # - ./volumes/navidrome/data:/data # optionally set your data dir for a persistent container
      # - /mnt/hdd/music:/music:ro # optionally mount your music library
    networks:
      - cloudflare

networks:
  cloudflare:
    driver: bridge
```

Then in Cloudflare:
Required: You need to have a domain in Cloudflare for this setup.

  • Create a Cloudflared tunnel in Zero Trust > Networks > Connectors.
    • Select Docker for the setup, and copy the command it gives you, then extract the token from the command. This is the ${CLOUDFLARE_TUNNEL_TOKEN}.
  • Create an application in Zero Trust > Access Controls > Applications
    • Select 'Private Destination'
    • Continue
    • Destinations Section:
      • Enter a test subdomain, and select the domain you want to use for testing. Remember these; they are used below.
    • Access Policies Section
      • Select 'Create new policy'
      • Then in 'Policy rules', select PWD
      • Give it a policy name
      • Click 'Save policy'
    • Scroll to the bottom, and in the 'Details' section set the name you want for this application.
    • Click 'Create'
  • Go back to Zero Trust > Networks > Connectors
    • Select the tunnel you created previously
    • At the top select 'Published application routes'
    • Click 'Add published application route'
    • Enter the same subdomain and domain that you selected above
    • Select 'http' for service, and type 'navidrome:4533' for the URL
    • Click 'Save'

Now you should be able to navigate to the subdomain.domain.com that you entered above in a browser, and it will prompt for your Cloudflare username and password, then it should navigate you to the Navidrome web UI.
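
One way the detection mentioned in the PR description could be checked against a test setup like the one above, as an added example that is not code from this PR or from the project. It assumes the client probes the Subsonic `ping` endpoint with `f=json`; the function name, hostnames and sample replies are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify_ping(request_url, status, headers, body):
    """Classify the reply to GET <server>/rest/ping.view?f=json as
    "subsonic" (API answered), "portal" (a proxy answered) or "unknown"."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if status in REDIRECTS:
        # A login redirect leaves for the proxy's own host; a same-host
        # redirect (http -> https, trailing slash) proves nothing.
        dest = urlsplit(hdrs.get("location", "")).hostname
        same = dest == urlsplit(request_url).hostname
        return "portal" if dest and not same else "unknown"
    if status in (401, 403):
        # Assumption: the Subsonic API reports bad credentials inside a
        # 200 response, so a bare 401/403 comes from something in front.
        return "portal"
    if status == 200 and ctype == "text/html":
        # HTML where JSON was requested: a login page served in place.
        return "portal"
    if status == 200 and ctype == "application/json":
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "subsonic-response" in doc:
            return "subsonic"
    return "unknown"

# Constructed sample replies; hostnames are placeholders.
URL = "https://music.example.com/rest/ping.view?f=json"
SAMPLES = {
    "login_redirect": (302, {"Location": "https://auth.example.net/login"}, ""),
    "https_upgrade": (301, {"Location": "https://music.example.com/rest/ping.view"}, ""),
    "inline_login": (200, {"Content-Type": "text/html; charset=utf-8"}, "<html>Sign in</html>"),
    "navidrome": (200, {"Content-Type": "application/json"},
                  '{"subsonic-response": {"status": "ok"}}'),
}

def run_samples():
    return {n: classify_ping(URL, *reply) for n, reply in SAMPLES.items()}

if __name__ == "__main__":
    print(run_samples())
```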
