From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id DB1151FF15C for ; Fri, 25 Jul 2025 14:13:49 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4E4A6176E3; Fri, 25 Jul 2025 14:15:10 +0200 (CEST) Message-ID: <0b460887-b9aa-48b2-b3b8-03b0e33b5f34@proxmox.com> Date: Fri, 25 Jul 2025 14:15:04 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox Backup Server development discussion , Shannon Sterz References: <20250725112357.247866-1-s.sterz@proxmox.com> <20250725112357.247866-2-s.sterz@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: <20250725112357.247866-2-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1753445701947 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.020 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [rest.rs] Subject: Re: [pbs-devel] [PATCH proxmox 1/3] rest-server: remove auth cookies via http header on unauthorized request X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Looks good to me. Tested by invalidating my cookie and sending any http request that returns a 401 subsequently. That successfully deleted my http-only cookie. Reviewed-by: Dominik Csapak Tested-by: Dominik Csapak On 7/25/25 13:24, Shannon Sterz wrote: > previously the behaviour of our javascript clients was to remove > authentication cookies if the api returned a 401 UNAUTHORIZED > response. 
with the switch to httponly cookies, this is no longer
> possible. add an option to the ApiConfig to allow the rest-server to
> remove such cookies
>
> Signed-off-by: Shannon Sterz
> ---
> proxmox-rest-server/src/api_config.rs | 9 +++++++++
> proxmox-rest-server/src/rest.rs | 25 ++++++++++++++++++++++++-
> 2 files changed, 33 insertions(+), 1 deletion(-)
>
> diff --git a/proxmox-rest-server/src/api_config.rs b/proxmox-rest-server/src/api_config.rs
> index 0b847a0c..0a67231e 100644
> --- a/proxmox-rest-server/src/api_config.rs
> +++ b/proxmox-rest-server/src/api_config.rs
> @@ -33,6 +33,9 @@ pub struct ApiConfig {
> auth_handler: Option,
> index_handler: Option,
> pub(crate) privileged_addr: Option,
> + // Name of the auth cookie that should be unset on 401 request. If `None` no cookie will be
> + // removed.
> + pub(crate) auth_cookie_name: Option,
>
> #[cfg(feature = "templates")]
> templates: templates::Templates,
> @@ -62,6 +65,7 @@ impl ApiConfig {
> auth_handler: None,
> index_handler: None,
> privileged_addr: None,
> + auth_cookie_name: None,
>
> #[cfg(feature = "templates")]
> templates: templates::Templates::with_escape_fn(),
> @@ -82,6 +86,11 @@ impl ApiConfig {
> self.auth_handler(AuthHandler::from_fn(func))
> }
>
> + pub fn auth_cookie_name(mut self, auth_cookie_name: String) -> Self {
> + self.auth_cookie_name = Some(auth_cookie_name);
> + self
> + }
> +
> /// This is used for `protected` API calls to proxy to a more privileged service.
> pub fn privileged_addr(mut self, addr: impl Into) -> Self {
> self.privileged_addr = Some(addr.into());
> diff --git a/proxmox-rest-server/src/rest.rs b/proxmox-rest-server/src/rest.rs
> index bff90882..035a9537 100644
> --- a/proxmox-rest-server/src/rest.rs
> +++ b/proxmox-rest-server/src/rest.rs
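Review bot: The new public builder `auth_cookie_name` in the `@@ -82,6 +86,11 @@` hunk of api_config.rs has no doc comment, although the neighbouring `privileged_addr` has one. The field comment in the `@@ -33,6 +33,9 @@` hunk is a plain `//` comment and speaks of a "401 request", while the server acts on a 401 response. I would add `/// Name of the auth cookie the server expires via Set-Cookie on every 401 response; must be a valid cookie name.` above the builder, and turn the field comment into `///` with "401 response". The struct body and the `impl ApiConfig` block both continue outside these hunks.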
> @@ -357,8 +357,21 @@ impl Service> for ApiService {
> Some(proxied_peer) => proxied_peer,
> None => self.peer,
> };
> +
> + let header = self.api_config
> + .auth_cookie_name
> + .as_ref()
> + .map(|name|{
> + let host_cookie = format!("{name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Lax; HttpOnly; Path=/;");
> +
> + // SAFETY: this can only fail if the cookie name is not valid in http headers.
> + // since this is about an authentication cookie, this should never happen.
> + hyper::header::HeaderValue::from_str(&host_cookie)
> + .expect("auth cookie name has characters that are not valid for http headers")
> + });
> +
> async move {
> - let response = match Arc::clone(&config).handle_request(req, &peer).await {
> + let mut response = match Arc::clone(&config).handle_request(req, &peer).await {
> Ok(response) => response,
> Err(err) => {
> let (err, code) = match err.downcast_ref::() {
> @@ -371,6 +384,16 @@ impl Service> for ApiService {
> .body(err.into())?
> }
> };
> +
> + if let Some(cookie_header) = header {
> + // remove auth cookies that javascript based clients can not unset
> + if response.status() == StatusCode::UNAUTHORIZED {
> + response
> + .headers_mut()
> + .insert(hyper::header::SET_COOKIE, cookie_header);
> + }
> + }
> +
> let logger = config.get_access_log();
> log_response(logger, &peer, method, &path, &response, user_agent);
> Ok(response)
_______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
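Review bot: The `.expect(...)` in the added `header` construction runs on every request, so a cookie name that `HeaderValue::from_str` rejects panics in the request path instead of failing when the `ApiConfig` is built. `from_str` only refuses control and non-ASCII bytes, so a name containing `;`, `=` or a space would pass and produce a malformed `Set-Cookie` value that does not clear the intended cookie. Checking the name against the cookie-name grammar once in `ApiConfig::auth_cookie_name` and building the header value there would remove the panic and the per-request `format!`. The `// SAFETY:` label is conventionally reserved for `unsafe` blocks, so a plain comment or `// NOTE:` fits better. The enclosing `call` body starts and ends outside the hunk.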
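Review bot: `headers_mut().insert(hyper::header::SET_COOKIE, cookie_header)` in the added 401 branch replaces any `Set-Cookie` values the handler already put on the response; `.append(hyper::header::SET_COOKIE, cookie_header);` would keep them and add the expiry alongside. The status check also applies to every 401 regardless of which endpoint produced it, so a handler that returns 401 for a reason other than an invalid session (presumably a rejected login attempt) would expire a cookie that is still valid. If that is intended, a comment such as `// every 401 expires the auth cookie, including 401s from handlers` would record it. The `async move` block starts outside the hunk.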