1.5
2025-07-22 Per-location MFA settings
Until now, MFA has been a simple on/off toggle for each location. Since #1264 introduced the use of an external OIDC provider (e.g. Google) for client MFA, we now need to configure which type of MFA (internal or external) a given location uses.
In practice this means that within core the `WireguardLocation` struct no longer has an `mfa_enabled` boolean field, but instead uses a `location_mfa_mode` field. This field uses a `LocationMfaMode` enum with three possible values (for now): `Disabled`, `Internal` and `External`.
To retain compatibility with legacy clients, our protos were updated to include the new field as optional, and the `mfa_enabled` field was marked as deprecated but not yet removed. It is now set to `true` only if a location uses internal MFA, which allows pre-1.5 clients to work as before with new core releases.
Since the new field is optional and `mfa_enabled` is still present, a new client can still use a pre-1.5 core for internal MFA.
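The compatibility rules above, written out as an added Rust example (not code from the project). `LocationMfaMode`, its variants, `mfa_enabled` and `location_mfa_mode` come from this page; `LocationConfig`, `to_wire`, `effective_mode` and `legacy_client_view` are hypothetical names standing in for the proto message and its handling on each side.

```rust
// Added illustration of the compatibility mapping; not the project's own code.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LocationMfaMode {
    Disabled,
    Internal,
    External,
}

/// Hypothetical stand-in for the location message sent to clients.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LocationConfig {
    /// Deprecated legacy flag, still populated for pre-1.5 clients.
    pub mfa_enabled: bool,
    /// New optional field; `None` when the message comes from a pre-1.5 core.
    pub location_mfa_mode: Option<LocationMfaMode>,
}

/// Core side (1.5+): populate both fields from the location's mode.
/// The legacy flag is true only for internal MFA.
pub fn to_wire(mode: LocationMfaMode) -> LocationConfig {
    LocationConfig {
        mfa_enabled: mode == LocationMfaMode::Internal,
        location_mfa_mode: Some(mode),
    }
}

/// Client side (1.5+): prefer the new field, fall back to the legacy flag.
pub fn effective_mode(cfg: &LocationConfig) -> LocationMfaMode {
    match (cfg.location_mfa_mode, cfg.mfa_enabled) {
        (Some(mode), _) => mode,
        (None, true) => LocationMfaMode::Internal,
        (None, false) => LocationMfaMode::Disabled,
    }
}

/// A pre-1.5 client only reads the legacy flag, so an External
/// location looks like `mfa_enabled = false` to it.
pub fn legacy_client_view(cfg: &LocationConfig) -> bool {
    cfg.mfa_enabled
}

fn main() {
    for mode in [LocationMfaMode::Disabled, LocationMfaMode::Internal, LocationMfaMode::External] {
        let cfg = to_wire(mode);
        println!("{:?}: new client sees {:?}, legacy client sees mfa_enabled={}",
                 mode, effective_mode(&cfg), legacy_client_view(&cfg));
    }
}
```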