all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup v2 2/3] ui: opt into the new HttpOnly ticket authentication flow
Date: Wed, 23 Jul 2025 17:14:00 +0200	[thread overview]
Message-ID: <20250723151356.264229-9-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250723151356.264229-3-s.sterz@proxmox.com>

this should add additional protections for cookie stealing and xss
attacks. it also makes it harder to overwrite the cookie from
malicious subdomains.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
changes since v1:

- minor lint fix-up where a trailing "," was missing in the second
  proxmox-backup patch
- consistently use "HttpOnly" instead of switching between "http only",
  "http-only" and "HttpOnly" in comments and user facing documentation,
  thanks @ Mira Limbeck

 www/Application.js | 12 +++++++++++-
 www/LoginView.js   |  4 +++-
 www/MainView.js    |  1 +
 www/Utils.js       |  6 ++++++
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/www/Application.js b/www/Application.js
index 9e223522..e82ccdd0 100644
--- a/www/Application.js
+++ b/www/Application.js
@@ -18,7 +18,17 @@ Ext.define('PBS.Application', {
     logout: function () {
         var me = this;
         Proxmox.Utils.authClear();
-        me.changeView('loginview', true);
+        Proxmox.Utils.API2Request({
+            url: '/api2/extjs/access/ticket',
+            method: 'DELETE',
+            success: function () {
+                me.changeView('loginview', true);
+            },
+            failure: function ({ response }) {
+                // logout failed
+                console.error('could not log out', response);
+            },
+        });
     },

     changeView: function (view, skipCheck) {
diff --git a/www/LoginView.js b/www/LoginView.js
index a7764e5b..9c1ac38a 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -86,6 +86,8 @@ Ext.define('PBS.LoginView', {
             }
             sp.set(saveunField.getStateId(), saveunField.getValue());

+            creds['http-only'] = true;
+
             try {
                 let resp = await Proxmox.Async.api2({
                     url: '/api2/extjs/access/ticket',
@@ -94,7 +96,7 @@ Ext.define('PBS.LoginView', {
                 });

                 let data = resp.result.data;
-                if (data.ticket.startsWith('PBS:!tfa!')) {
+                if (data.ticket?.startsWith('PBS:!tfa!')) {
                     data = await me.performTFAChallenge(data);
                 }

diff --git a/www/MainView.js b/www/MainView.js
index b5ae3605..70adfbce 100644
--- a/www/MainView.js
+++ b/www/MainView.js
@@ -172,6 +172,7 @@ Ext.define('PBS.MainView', {
                         params: {
                             username: Proxmox.UserName,
                             password: ticket,
+                            'http-only': true,
                         },
                         url: '/api2/json/access/ticket',
                         method: 'POST',
diff --git a/www/Utils.js b/www/Utils.js
index 7fcf60e6..ccdae522 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -8,6 +8,12 @@ Ext.define('PBS.Utils', {
     missingText: gettext('missing'),

     updateLoginData: function (data) {
+        if (data['ticket-info']) {
+            // we received a HttpOnly ticket response, the actual cookie is handled by the browser.
+            // set the ticket field to use the information from `ticket-info`
+            data.ticket = data['ticket-info'];
+        }
+
         Proxmox.Utils.setAuthData(data);
     },

--
2.47.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


  parent reply	other threads:[~2025-07-23 15:14 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-23 15:13 [pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs Shannon Sterz
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox v2 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
2025-07-23 18:38   ` [pbs-devel] applied: " Thomas Lamprecht
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox-backup v2 1/3] api: access: add opt-in HttpOnly ticket authentication flow Shannon Sterz
2025-07-23 18:37   ` [pbs-devel] applied: " Thomas Lamprecht
2025-07-23 15:14 ` Shannon Sterz [this message]
2025-07-23 18:37   ` [pbs-devel] applied: [PATCH proxmox-backup v2 2/3] ui: opt into the new " Thomas Lamprecht
2025-07-23 15:14 ` [pbs-devel] [PATCH proxmox-backup v2 3/3] client: adapt pbs client to also handle HttpOnly flows correctly Shannon Sterz
2025-07-23 18:37   ` [pbs-devel] applied: " Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250723151356.264229-9-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal