Implement posture checks

build.rs

@@ -31,6 +31,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             &[
                 "proto/v2/proxy.proto",
                 "proto/v2/common.proto",
+                "proto/enterprise/v2/posture/posture.proto",
                 "proto/common/client_types.proto",
             ],
             &["proto"],

src/enterprise/handlers/desktop_client_posture.rs

@@ -0,0 +1,44 @@
+use axum::{Json, Router, extract::State, routing::post};
+
+use crate::{
+    error::ApiError,
+    handlers::get_core_response,
+    http::AppState,
+    proto::{
+        DeviceInfo, DevicePostureCheckRequest, DevicePostureCheckResponse, core_request,
+        core_response,
+    },
+};
+
+pub(crate) fn router() -> Router<AppState> {
+    Router::new().route("/connect", post(connect_with_posture_check))
+}
+
+#[instrument(level = "debug", skip(state, req))]
+async fn connect_with_posture_check(
+    State(state): State<AppState>,
+    device_info: DeviceInfo,
+    Json(req): Json<DevicePostureCheckRequest>,
+) -> Result<Json<DevicePostureCheckResponse>, ApiError> {
+    info!("Starting desktop client posture check {req:?}");
+    let rx = state.grpc_server.send(
+        core_request::Payload::DevicePostureCheck(req.clone()),
+        device_info,
+    )?;
+    let payload = get_core_response(rx, None).await?;
+
+    match payload {
+        core_response::Payload::DevicePostureCheck(response) => {
+            info!("Desktop client passed posture check {req:?}");
+            Ok(Json(response))
+        }
+        core_response::Payload::DevicePostureRejected(response) => {
+            info!("Desktop client failed posture check {response:?}");
+            Err(ApiError::PostureRejected(response.failed_posture_checks))
+        }
+        _ => {
+            error!("Received invalid gRPC response type");
+            Err(ApiError::InvalidResponseType)
+        }
+    }
+}

src/enterprise/handlers/mod.rs

@@ -1,2 +1,3 @@
 pub mod desktop_client_mfa;
+pub mod desktop_client_posture;
 pub mod openid_login;

src/error.rs

@@ -30,6 +30,8 @@ pub enum ApiError {
     PreconditionRequired(String),
     #[error("Bad request: {0}")]
     NotFound(String),
+    #[error("PostureRejected: {0:?}")]
+    PostureRejected(Vec<String>),
 }
 
 impl IntoResponse for ApiError {
@@ -45,6 +47,7 @@ impl IntoResponse for ApiError {
             ),
             Self::PreconditionRequired(msg) => (StatusCode::PRECONDITION_REQUIRED, msg),
             Self::NotFound(msg) => (StatusCode::NOT_FOUND, msg),
+            Self::PostureRejected(reasons) => (StatusCode::FORBIDDEN, reasons.join(" ,")),
             _ => (
                 StatusCode::INTERNAL_SERVER_ERROR,
                 "Internal server error".to_string(),

src/handlers/desktop_client_mfa.rs

@@ -159,12 +159,19 @@ async fn start_client_mfa(
     )?;
     let payload = get_core_response(rx, None).await?;
 
-    if let core_response::Payload::ClientMfaStart(response) = payload {
-        info!("Started desktop client authorization {req:?}");
-        Ok(Json(response))
-    } else {
-        error!("Received invalid gRPC response type");
-        Err(ApiError::InvalidResponseType)
+    match payload {
+        core_response::Payload::ClientMfaStart(response) => {
+            info!("Started desktop client authorization {req:?}");
+            Ok(Json(response))
+        }
+        core_response::Payload::DevicePostureRejected(response) => {
+            info!("Desktop client failed posture check {response:?}");
+            Err(ApiError::PostureRejected(response.failed_posture_checks))
+        }
+        _ => {
+            error!("Received invalid gRPC response type");
+            Err(ApiError::InvalidResponseType)
+        }
     }
 }
 

src/http.rs

@@ -43,7 +43,7 @@ use crate::{
     LogsReceiver, VERSION,
     assets::{index, web_asset},
     config::EnvConfig,
-    enterprise::handlers::openid_login,
+    enterprise::handlers::{desktop_client_posture, openid_login},
     error::ApiError,
     grpc::{ProxyServer, TlsConfig},
     handlers::{desktop_client_mfa, enrollment, password_reset, polling},
@@ -507,6 +507,7 @@ pub async fn run_server(
             .nest("/password-reset", password_reset::router())
             .nest("/client-mfa", desktop_client_mfa::router())
             .nest("/openid", openid_login::router())
+            .nest("/posture", desktop_client_posture::router())
             .route("/poll", post(polling::info))
             .route("/health", get(healthcheck))
             .route("/health-grpc", get(healthcheckgrpc))

src/lib.rs

@@ -33,14 +33,24 @@ pub(crate) mod generated {
             }
         }
 
+        pub(crate) mod enterprise {
+            pub(crate) mod posture {
+                pub mod v2 {
+                    tonic::include_proto!("defguard.enterprise.posture.v2");
+                }
+            }
+        }
+
         pub mod client_types {
             tonic::include_proto!("defguard.client_types");
         }
     }
 }
 
 pub(crate) mod proto {
-    pub(crate) use crate::generated::defguard::{client_types::*, common::v2::*, proxy::v2::*};
+    pub(crate) use crate::generated::defguard::{
+        client_types::*, common::v2::*, enterprise::posture::v2::*, proxy::v2::*,
+    };
 }
 
 #[macro_use]

web/package.json

@@ -15,50 +15,50 @@
   "dependencies": {
     "@axa-ch/react-polymorphic-types": "^1.4.1",
     "@floating-ui/react": "^0.27.19",
-    "@inlang/paraglide-js": "^2.17.0",
+    "@inlang/paraglide-js": "^2.18.0",
     "@tanstack/react-devtools": "^0.9.13",
-    "@tanstack/react-form": "^1.29.1",
-    "@tanstack/react-query": "^5.100.6",
-    "@tanstack/react-query-devtools": "^5.100.6",
-    "@tanstack/react-router": "^1.168.25",
-    "@tanstack/react-router-devtools": "^1.166.13",
+    "@tanstack/react-form": "^1.32.0",
+    "@tanstack/react-query": "^5.100.10",
+    "@tanstack/react-query-devtools": "^5.100.10",
+    "@tanstack/react-router": "^1.170.4",
+    "@tanstack/react-router-devtools": "^1.167.0",
     "@uidotdev/usehooks": "^2.4.1",
-    "axios": "^1.15.2",
+    "axios": "^1.16.1",
     "change-case": "^5.4.4",
     "clsx": "^2.1.1",
     "dayjs": "^1.11.20",
     "lodash-es": "^4.18.1",
     "motion": "^12.38.0",
     "qrcode.react": "^4.2.0",
-    "qs": "^6.15.1",
-    "react": "^19.2.5",
-    "react-dom": "^19.2.5",
+    "qs": "^6.15.2",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6",
     "react-markdown": "^10.1.0",
     "rxjs": "^7.8.2",
-    "zod": "^4.3.6",
-    "zustand": "^5.0.12"
+    "zod": "^4.4.3",
+    "zustand": "^5.0.13"
   },
   "devDependencies": {
     "@biomejs/biome": "2.3.14",
     "@inlang/paraglide-js": "2.15.1",
     "@tanstack/devtools-vite": "^0.5.5",
-    "@tanstack/router-plugin": "^1.167.28",
+    "@tanstack/router-plugin": "^1.168.6",
     "@types/lodash-es": "^4.17.12",
-    "@types/node": "^25.6.0",
-    "@types/qs": "^6.15.0",
+    "@types/node": "^25.8.0",
+    "@types/qs": "^6.15.1",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react-swc": "^4.3.0",
-    "globals": "^17.5.0",
+    "@vitejs/plugin-react-swc": "^4.3.1",
+    "globals": "^17.6.0",
     "prettier": "^3.8.3",
     "sass": "^1.99.0",
     "sharp": "^0.34.5",
-    "stylelint": "^17.9.1",
+    "stylelint": "^17.11.1",
     "stylelint-config-standard-scss": "^17.0.0",
-    "stylelint-scss": "^7.0.0",
+    "stylelint-scss": "^7.1.1",
     "typescript": "~5.9.3",
-    "typescript-eslint": "^8.59.1",
-    "vite": "^7.3.2",
+    "typescript-eslint": "^8.59.3",
+    "vite": "^7.3.3",
     "vite-plugin-image-optimizer": "^2.0.3"
   },
   "pnpm": {