all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Dominik Csapak <d.csapak@proxmox.com>
To: Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>,
	Shannon Sterz <s.sterz@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox 1/3] rest-server: remove auth cookies via http header on unauthorized request
Date: Fri, 25 Jul 2025 14:15:04 +0200	[thread overview]
Message-ID: <0b460887-b9aa-48b2-b3b8-03b0e33b5f34@proxmox.com> (raw)
In-Reply-To: <20250725112357.247866-2-s.sterz@proxmox.com>

Looks good to me.

Tested by invalidating my cookie and sending any http request that 
returns a 401 subsequently.
That successfully deleted my http-only cookie.


Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
Tested-by: Dominik Csapak <d.csapak@proxmox.com>

On 7/25/25 13:24, Shannon Sterz wrote:
> previously the behaviour of our javascript clients was to remove
> authentication cookies if the api returned a 401 UNAUTHORIZED
> response. with the switch to httponly cookies, this is no longer
> possible. add an option to the ApiConfig to allow the rest-server to
> remove such cookies
> 
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>   proxmox-rest-server/src/api_config.rs |  9 +++++++++
>   proxmox-rest-server/src/rest.rs       | 25 ++++++++++++++++++++++++-
>   2 files changed, 33 insertions(+), 1 deletion(-)
> 
> diff --git a/proxmox-rest-server/src/api_config.rs b/proxmox-rest-server/src/api_config.rs
> index 0b847a0c..0a67231e 100644
> --- a/proxmox-rest-server/src/api_config.rs
> +++ b/proxmox-rest-server/src/api_config.rs
> @@ -33,6 +33,9 @@ pub struct ApiConfig {
>       auth_handler: Option<AuthHandler>,
>       index_handler: Option<IndexHandler>,
>       pub(crate) privileged_addr: Option<PrivilegedAddr>,
> +    // Name of the auth cookie that should be unset on 401 request. If `None` no cookie will be
> +    // removed.
> +    pub(crate) auth_cookie_name: Option<String>,
>   
>       #[cfg(feature = "templates")]
>       templates: templates::Templates,
> @@ -62,6 +65,7 @@ impl ApiConfig {
>               auth_handler: None,
>               index_handler: None,
>               privileged_addr: None,
> +            auth_cookie_name: None,
>   
>               #[cfg(feature = "templates")]
>               templates: templates::Templates::with_escape_fn(),
> @@ -82,6 +86,11 @@ impl ApiConfig {
>           self.auth_handler(AuthHandler::from_fn(func))
>       }
>   
> +    pub fn auth_cookie_name(mut self, auth_cookie_name: String) -> Self {
> +        self.auth_cookie_name = Some(auth_cookie_name);
> +        self
> +    }
> +
>       /// This is used for `protected` API calls to proxy to a more privileged service.
>       pub fn privileged_addr(mut self, addr: impl Into<PrivilegedAddr>) -> Self {
>           self.privileged_addr = Some(addr.into());
> diff --git a/proxmox-rest-server/src/rest.rs b/proxmox-rest-server/src/rest.rs
> index bff90882..035a9537 100644
> --- a/proxmox-rest-server/src/rest.rs
> +++ b/proxmox-rest-server/src/rest.rs
> @@ -357,8 +357,21 @@ impl Service<Request<Incoming>> for ApiService {
>               Some(proxied_peer) => proxied_peer,
>               None => self.peer,
>           };
> +
> +        let header = self.api_config
> +            .auth_cookie_name
> +            .as_ref()
> +            .map(|name|{
> +                let host_cookie = format!("{name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Lax; HttpOnly; Path=/;");
> +
> +                // SAFETY: this can only fail if the cookie name is not valid in http headers.
> +                // since this is about an authentication cookie, this should never happen.
> +                hyper::header::HeaderValue::from_str(&host_cookie)
> +                    .expect("auth cookie name has characters that are not valid for http headers")
> +             });
> +
>           async move {
> -            let response = match Arc::clone(&config).handle_request(req, &peer).await {
> +            let mut response = match Arc::clone(&config).handle_request(req, &peer).await {
>                   Ok(response) => response,
>                   Err(err) => {
>                       let (err, code) = match err.downcast_ref::<HttpError>() {
> @@ -371,6 +384,16 @@ impl Service<Request<Incoming>> for ApiService {
>                           .body(err.into())?
>                   }
>               };
> +
> +            if let Some(cookie_header) = header {
> +                // remove auth cookies that javascript based clients can not unset
> +                if response.status() == StatusCode::UNAUTHORIZED {
> +                    response
> +                        .headers_mut()
> +                        .insert(hyper::header::SET_COOKIE, cookie_header);
> +                }
> +            }
> +
>               let logger = config.get_access_log();
>               log_response(logger, &peer, method, &path, &response, user_agent);
>               Ok(response)



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


  reply	other threads:[~2025-07-25 12:13 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-25 11:23 [pbs-devel] [PATCH proxmox{,-backup} 0/4] HttpOnly follow-ups Shannon Sterz
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox 1/3] rest-server: remove auth cookies via http header on unauthorized request Shannon Sterz
2025-07-25 12:15   ` Dominik Csapak [this message]
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox 2/3] auth-api: don't set `Expire` for HttpOnly cookies anymore Shannon Sterz
2025-07-25 12:15   ` Dominik Csapak
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox 3/3] auth-api: allow log-in via parameters even if HttpOnly cookie is invalid Shannon Sterz
2025-07-25 12:23   ` Dominik Csapak
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox-backup 1/1] api/proxy: set auth cookie name in rest server api config Shannon Sterz
2025-07-25 12:23   ` Dominik Csapak
2025-07-25 11:24 ` [pbs-devel] [PATCH proxmox{,-backup} 0/4] HttpOnly follow-ups Shannon Sterz
2025-07-28  8:01 ` Shannon Sterz
2025-07-28 12:56 ` [pbs-devel] applied: [PATCH proxmox{, -backup} " Thomas Lamprecht
  -- strict thread matches above, loose matches on Subject: below --
2025-07-25 11:20 [pbs-devel] [PATCH proxmox{,-backup} " Shannon Sterz
2025-07-25 11:20 ` [pbs-devel] [PATCH proxmox 1/3] rest-server: remove auth cookies via http header on unauthorized request Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0b460887-b9aa-48b2-b3b8-03b0e33b5f34@proxmox.com \
    --to=d.csapak@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    --cc=s.sterz@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal