Description
This issue tracks the expected behavior and responsibilities of the new authentication middleware, which is positioned between the client (nethvoice-cti) and the server (nethcti-server).
The goal is to reimplement the current custom login mechanism using a standard JWT-based authentication flow, and to introduce support for two-factor authentication (2FA).
This will improve security, maintainability, and alignment with best practices.
Proposed solution
- The middleware must act as an authentication proxy between `nethvoice-cti` and `nethcti-server`.
- It will expose a login endpoint that:
  - Authenticates the user via the backend (`nethcti-server`)
  - Issues a JWT to the client on successful authentication
  - If 2FA is enabled, requires a second verification step before issuing the token
- The middleware will validate JWTs on each request from the client, and forward only authenticated requests to the server.
- JWTs must be signed securely and have configurable expiration policies.
- Add support for token refresh if needed.
- Ensure the middleware handles 2FA logic (e.g. verifying TOTP codes)
Additional context
The middleware serves as a security boundary and should encapsulate all authentication-related logic.
Using JWTs allows stateless authentication, decouples the client from backend auth internals, and enables easier scaling and integration with future services.
2FA is a critical requirement for securing user access and must be handled by the middleware during the login flow.
See also
Main component
CTI components
- https://github.com/nethesis/nethcti-middleware
- https://github.com/nethesis/nethcti-server
- https://github.com/nethesis/nethvoice-cti
- https://github.com/nethesis/phone-island
- https://github.com/NethServer/nethlink
External component
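
The login flow proposed in this issue, sketched as an added example (not code from nethcti-middleware or any of the linked repositories): a JWT is issued only after the password and, when enabled, the TOTP code both verify, and each token is checked for signature and expiry. Assumptions: the in-memory `USERS` table stands in for the call to `nethcti-server`, tokens are signed with HS256, and all function names, the key and the TTL are hypothetical.

```python
import base64, hashlib, hmac, json, struct

JWT_KEY = b"constructed-demo-signing-key"   # assumption: loaded from configuration in practice
JWT_TTL = 900                               # configurable expiration, in seconds
# Constructed user record; in the proposed design the password check is delegated to nethcti-server.
USERS = {"alice": {"password": "s3cret", "totp_secret": b"12345678901234567890"}}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def issue_jwt(sub: str, now: float) -> str:
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps({"sub": sub, "iat": int(now), "exp": int(now) + JWT_TTL}).encode())
    sig = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify_jwt(token: str, now: float):
    """Return the claims, or None if the token is malformed, forged or expired."""
    try:
        head, body, sig = token.split(".")
        # Always verify with HS256; the algorithm named in the header is never trusted.
        want = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64u(want), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def login(user: str, password: str, code, now: float):
    """Return a JWT only after every required factor has been verified."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return None
    secret = rec.get("totp_secret")
    if secret and not (code and hmac.compare_digest(totp(secret, now).encode(), code.encode())):
        return None          # 2FA enabled: no token without a valid code
    return issue_jwt(user, now)
```

A production middleware would also rate-limit code attempts and reject reuse of a TOTP code within its time step, which this sketch omits.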