feat: add proxy authentication middleware (Authentik, Authelia support)

[brian-olson]

Summary

Add ProxyAuthMiddleware for authenticating users via reverse proxy headers. This enables integration with self-hosted identity providers like Authentik, Authelia, and any ForwardAuth-compatible service.

When PROXY_AUTH_ENABLED=true, the middleware:

• Trusts X-Auth-User-Email header from auth proxies
• Auto-creates users by email (get-or-create pattern)
• Logs users in automatically
• Optionally reads X-Auth-User-Name and X-Auth-Tenant-Id headers

Configuration

environment:
  - PROXY_AUTH_ENABLED=true

The middleware expects these headers from the auth proxy:

Header	Required	Description
X-Auth-User-Email	Yes	User's email address
X-Auth-User-Name	No	Display name
X-Auth-Tenant-Id	No	Tenant identifier

Use Cases

• Self-hosted SSO with Authentik or Authelia
• Integration with existing OIDC/SAML identity providers via proxy
• Air-gapped deployments without external OAuth
• Local development with simulated auth

Fixes

• Fixes Feature Request: selfhosted auth providers (authentik, authelia), MFA Support #140 - Feature Request: selfhosted auth providers (authentik, authelia), MFA Support
• Fixes Support for Self-Hosted OIDC #126 - Support for Self-Hosted OIDC
• Fixes No local logins? I don't plan on getting an o-auth provider account anywhere will there ever be an account management for local users? #116 - No local logins? (enables auth via any proxy)

Testing

Tested with ForwardAuth proxy setting headers:

curl -H "X-Auth-User-Email: test@example.com" http://localhost:9090/api/1/user
# Returns authenticated user data