* [pbs-devel] [PATCH proxmox v2 1/1] auth-api: include meta information required by extjs in api endpoints
2025-07-23 15:13 [pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs Shannon Sterz
@ 2025-07-23 15:13 ` Shannon Sterz
2025-07-23 18:38 ` [pbs-devel] applied: " Thomas Lamprecht
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox-backup v2 1/3] api: access: add opt-in HttpOnly ticket authentication flow Shannon Sterz
` (2 subsequent siblings)
3 siblings, 1 reply; 9+ messages in thread
From: Shannon Sterz @ 2025-07-23 15:13 UTC (permalink / raw)
To: pbs-devel
otherwise extjs will assume the requests failed even though they were
successful.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
proxmox-auth-api/src/api/access.rs | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index fdf52185..f5111d4a 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -6,7 +6,6 @@ use http::Response;
use openssl::hash::MessageDigest;
use serde_json::{json, Value};
-use proxmox_http::Body;
use proxmox_rest_server::{extract_cookie, RestEnvironment};
use proxmox_router::{
http_err, ApiHandler, ApiMethod, ApiResponseFuture, Permission, RpcEnvironment,
@@ -93,7 +92,11 @@ fn logout_handler(
Ok(Response::builder()
.header(hyper::header::SET_COOKIE, host_cookie)
- .body(Body::empty())?)
+ .body(
+ json!({"data": {}, "status": 200, "success": true })
+ .to_string()
+ .into(),
+ )?)
})
}
@@ -179,7 +182,11 @@ fn create_ticket_http_only(
}
}
- Ok(response.body(json!({"data": ticket_response }).to_string().into())?)
+ Ok(response.body(
+ json!({"data": ticket_response, "status": 200, "success": true })
+ .to_string()
+ .into(),
+ )?)
})
}
--
2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
^ permalink raw reply [flat|nested] 9+ messages in thread* [pbs-devel] [PATCH proxmox-backup v2 1/3] api: access: add opt-in HttpOnly ticket authentication flow
2025-07-23 15:13 [pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs Shannon Sterz
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox v2 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
@ 2025-07-23 15:13 ` Shannon Sterz
2025-07-23 18:37 ` [pbs-devel] applied: " Thomas Lamprecht
2025-07-23 15:14 ` [pbs-devel] [PATCH proxmox-backup v2 2/3] ui: opt into the new " Shannon Sterz
2025-07-23 15:14 ` [pbs-devel] [PATCH proxmox-backup v2 3/3] client: adapt pbs client to also handle HttpOnly flows correctly Shannon Sterz
3 siblings, 1 reply; 9+ messages in thread
From: Shannon Sterz @ 2025-07-23 15:13 UTC (permalink / raw)
To: pbs-devel
this new flow returns HttpOnly cookies providing an additional layer
of security for clients operating in a browser environment. opt-in
only to not break existing clients.
most of the new protections were implement by a previous series that
adapted proxmox-auth-api and related crates [1]. this just enables
client's of the api to opt-into these protections.
[1]:
https://lore.proxmox.com/pdm-devel/20250304144247.231089-1-s.sterz@proxmox.com/T/#u
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
changes since v1:
- add a `tracing::debug!()` statement to the opt-in HttpOnly flow,
thanks @ Maximiliano Sandoval
- consistently use "HttpOnly" instead of switching between "http only",
"http-only" and "HttpOnly" in comments and user facing documentation,
thanks @ Mira Limbeck
src/api2/access/mod.rs | 76 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 72 insertions(+), 4 deletions(-)
diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index 832cdc66..b356c842 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -2,14 +2,23 @@
use anyhow::{bail, format_err, Error};
-use serde_json::Value;
+use hyper::header::CONTENT_TYPE;
+use hyper::http::request::Parts;
+use hyper::Response;
+use serde_json::{json, Value};
+
use std::collections::HashMap;
use std::collections::HashSet;
+use proxmox_auth_api::api::API_METHOD_CREATE_TICKET_HTTP_ONLY;
+use proxmox_auth_api::types::{CreateTicket, CreateTicketResponse};
use proxmox_router::{
- http_bail, http_err, list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap,
+ http_bail, http_err, list_subdirs_api_method, ApiHandler, ApiMethod, ApiResponseFuture,
+ Permission, Router, RpcEnvironment, SubdirMap,
+};
+use proxmox_schema::{
+ api, AllOfSchema, ApiType, BooleanSchema, ObjectSchema, ParameterSchema, ReturnType,
};
-use proxmox_schema::api;
use proxmox_sortable_macro::sortable;
use pbs_api_types::{
@@ -268,7 +277,9 @@ const SUBDIRS: SubdirMap = &sorted!([
),
(
"ticket",
- &Router::new().post(&proxmox_auth_api::api::API_METHOD_CREATE_TICKET)
+ &Router::new()
+ .post(&API_METHOD_CREATE_TICKET_TOGGLE)
+ .delete(&proxmox_auth_api::api::API_METHOD_LOGOUT)
),
("openid", &openid::ROUTER),
("domains", &domain::ROUTER),
@@ -277,6 +288,63 @@ const SUBDIRS: SubdirMap = &sorted!([
("tfa", &tfa::ROUTER),
]);
+const API_METHOD_CREATE_TICKET_TOGGLE: ApiMethod = ApiMethod::new_full(
+ &proxmox_router::ApiHandler::AsyncHttpBodyParameters(&handle_ticket_toggle),
+ ParameterSchema::AllOf(&AllOfSchema::new(
+ "Either create a new HttpOnly ticket or a regular ticket.",
+ &[
+ &ObjectSchema::new(
+ "<INNER: Toggle between HttpOnly or legacy ticket endpoints.>",
+ &[(
+ "http-only",
+ true,
+ &BooleanSchema::new("Whether the HttpOnly authentication flow should be used.")
+ .default(false)
+ .schema(),
+ )],
+ )
+ .schema(),
+ &CreateTicket::API_SCHEMA,
+ ],
+ )),
+)
+.returns(ReturnType::new(false, &CreateTicketResponse::API_SCHEMA))
+.protected(true)
+.access(None, &Permission::World);
+
+fn handle_ticket_toggle(
+ parts: Parts,
+ mut param: Value,
+ info: &'static ApiMethod,
+ mut rpcenv: Box<dyn RpcEnvironment>,
+) -> ApiResponseFuture {
+ // If the client specifies that they want to use HttpOnly cookies, prefer those.
+ if Some(true) == param["http-only"].take().as_bool() {
+ if let ApiHandler::AsyncHttpBodyParameters(handler) =
+ API_METHOD_CREATE_TICKET_HTTP_ONLY.handler
+ {
+ tracing::debug!("client requests HttpOnly authentication, using new endpoint...");
+ return handler(parts, param, info, rpcenv);
+ }
+ }
+
+ // Otherwise, default back to the previous ticket method.
+ Box::pin(async move {
+ let create_params: CreateTicket = serde_json::from_value(param)?;
+
+ let ticket_response =
+ proxmox_auth_api::api::create_ticket(create_params, rpcenv.as_mut()).await?;
+
+ let response = Response::builder().header(CONTENT_TYPE, "application/json");
+
+ Ok(response.body(
+ json!({"data": ticket_response, "status": 200, "success": true })
+ .to_string()
+ .into(),
+ )?)
+ })
+}
+
pub const ROUTER: Router = Router::new()
.get(&list_subdirs_api_method!(SUBDIRS))
.subdirs(SUBDIRS);
--
2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
^ permalink raw reply [flat|nested] 9+ messages in thread* [pbs-devel] [PATCH proxmox-backup v2 2/3] ui: opt into the new HttpOnly ticket authentication flow
2025-07-23 15:13 [pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs Shannon Sterz
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox v2 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox-backup v2 1/3] api: access: add opt-in HttpOnly ticket authentication flow Shannon Sterz
@ 2025-07-23 15:14 ` Shannon Sterz
2025-07-23 18:37 ` [pbs-devel] applied: " Thomas Lamprecht
2025-07-23 15:14 ` [pbs-devel] [PATCH proxmox-backup v2 3/3] client: adapt pbs client to also handle HttpOnly flows correctly Shannon Sterz
3 siblings, 1 reply; 9+ messages in thread
From: Shannon Sterz @ 2025-07-23 15:14 UTC (permalink / raw)
To: pbs-devel
this should add additional protections for cookie stealing and xss
attacks. it also makes it harder to overwrite the cookie from
malicious subdomains.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
changes since v1:
- minor lint fix-up where a trailing "," was missing in the second
proxmox-backup patch
- consistently use "HttpOnly" instead of switching between "http only",
"http-only" and "HttpOnly" in comments and user facing documentation,
thanks @ Mira Limbeck
www/Application.js | 12 +++++++++++-
www/LoginView.js | 4 +++-
www/MainView.js | 1 +
www/Utils.js | 6 ++++++
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/www/Application.js b/www/Application.js
index 9e223522..e82ccdd0 100644
--- a/www/Application.js
+++ b/www/Application.js
@@ -18,7 +18,17 @@ Ext.define('PBS.Application', {
logout: function () {
var me = this;
Proxmox.Utils.authClear();
- me.changeView('loginview', true);
+ Proxmox.Utils.API2Request({
+ url: '/api2/extjs/access/ticket',
+ method: 'DELETE',
+ success: function () {
+ me.changeView('loginview', true);
+ },
+ failure: function ({ response }) {
+ // logout failed
+ console.error('could not log out', response);
+ },
+ });
},
changeView: function (view, skipCheck) {
diff --git a/www/LoginView.js b/www/LoginView.js
index a7764e5b..9c1ac38a 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -86,6 +86,8 @@ Ext.define('PBS.LoginView', {
}
sp.set(saveunField.getStateId(), saveunField.getValue());
+ creds['http-only'] = true;
+
try {
let resp = await Proxmox.Async.api2({
url: '/api2/extjs/access/ticket',
@@ -94,7 +96,7 @@ Ext.define('PBS.LoginView', {
});
let data = resp.result.data;
- if (data.ticket.startsWith('PBS:!tfa!')) {
+ if (data.ticket?.startsWith('PBS:!tfa!')) {
data = await me.performTFAChallenge(data);
}
diff --git a/www/MainView.js b/www/MainView.js
index b5ae3605..70adfbce 100644
--- a/www/MainView.js
+++ b/www/MainView.js
@@ -172,6 +172,7 @@ Ext.define('PBS.MainView', {
params: {
username: Proxmox.UserName,
password: ticket,
+ 'http-only': true,
},
url: '/api2/json/access/ticket',
method: 'POST',
diff --git a/www/Utils.js b/www/Utils.js
index 7fcf60e6..ccdae522 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -8,6 +8,12 @@ Ext.define('PBS.Utils', {
missingText: gettext('missing'),
updateLoginData: function (data) {
+ if (data['ticket-info']) {
+ // we received a HttpOnly ticket response, the actual cookie is handled by the browser.
+ // set the ticket field to use the information from `ticket-info`
+ data.ticket = data['ticket-info'];
+ }
+
Proxmox.Utils.setAuthData(data);
},
--
2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
^ permalink raw reply [flat|nested] 9+ messages in thread* [pbs-devel] [PATCH proxmox-backup v2 3/3] client: adapt pbs client to also handle HttpOnly flows correctly
2025-07-23 15:13 [pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs Shannon Sterz
` (2 preceding siblings ...)
2025-07-23 15:14 ` [pbs-devel] [PATCH proxmox-backup v2 2/3] ui: opt into the new " Shannon Sterz
@ 2025-07-23 15:14 ` Shannon Sterz
2025-07-23 18:37 ` [pbs-devel] applied: " Thomas Lamprecht
3 siblings, 1 reply; 9+ messages in thread
From: Shannon Sterz @ 2025-07-23 15:14 UTC (permalink / raw)
To: pbs-devel
if we decide to make the HttpOnly flow opt-out or remove the previous
authentication flow entirely, prepare the client to properly
authenticate against such servers as well
this does not opt the client into the new flow, as that has no real
security benefits. however, doing so would require additional network
traffic and/or state handling on the client to maintain backward
compatability. this would be rather convoluted. hence, avoid doing so
for now.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
changes since v1:
- consistently use "HttpOnly" instead of switching between "http only",
"http-only" and "HttpOnly" in comments and user facing documentation,
thanks @ Mira Limbeck
pbs-client/src/http_client.rs | 70 ++++++++++++++++++++++++++++++++---
1 file changed, 65 insertions(+), 5 deletions(-)
diff --git a/pbs-client/src/http_client.rs b/pbs-client/src/http_client.rs
index 0b415cac..74b07624 100644
--- a/pbs-client/src/http_client.rs
+++ b/pbs-client/src/http_client.rs
@@ -7,6 +7,7 @@ use bytes::Bytes;
use futures::*;
use http_body_util::{BodyDataStream, BodyExt};
use hyper::body::Incoming;
+use hyper::header::SET_COOKIE;
use hyper::http::header::HeaderValue;
use hyper::http::Uri;
use hyper::http::{Request, Response};
@@ -111,11 +112,16 @@ mod resolver {
/// certain error conditions. Keep it generous, to avoid false-positive under high load.
const HTTP_TIMEOUT: Duration = Duration::from_secs(2 * 60);
+const PROXMOX_BACKUP_AUTH_COOKIE: &str = "PBSAuthCookie";
+const PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE: &str = "__Host-PBSAuthCookie";
+
#[derive(Clone)]
pub struct AuthInfo {
pub auth_id: Authid,
pub ticket: String,
pub token: String,
+ // Whether the server uses HttpOnly cookies for authentication
+ pub http_only: bool,
}
pub struct HttpClientOptions {
@@ -504,6 +510,7 @@ impl HttpClient {
auth_id: auth_id.clone(),
ticket: password.clone(),
token: "".to_string(),
+ http_only: false,
}));
let server2 = server.to_string();
@@ -725,10 +732,18 @@ impl HttpClient {
HeaderValue::from_str(&enc_api_token).unwrap(),
);
} else {
+ let cookie_name = if auth.http_only {
+ // server has switched to http only flow, provide ticket in properly prefixed cookie
+ PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE
+ } else {
+ PROXMOX_BACKUP_AUTH_COOKIE
+ };
+
let enc_ticket = format!(
- "PBSAuthCookie={}",
+ "{cookie_name}={}",
percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET)
);
+
req.headers_mut()
.insert("Cookie", HeaderValue::from_str(&enc_ticket).unwrap());
req.headers_mut().insert(
@@ -767,10 +782,18 @@ impl HttpClient {
let auth = self.login().await?;
+ let cookie_name = if auth.http_only {
+ // server has switched to http only flow, provide ticket in properly prefixed cookie
+ PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE
+ } else {
+ PROXMOX_BACKUP_AUTH_COOKIE
+ };
+
let enc_ticket = format!(
- "PBSAuthCookie={}",
+ "{cookie_name}={}",
percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET)
);
+
req.headers_mut()
.insert("Cookie", HeaderValue::from_str(&enc_ticket).unwrap());
@@ -836,10 +859,18 @@ impl HttpClient {
HeaderValue::from_str(&enc_api_token).unwrap(),
);
} else {
+ let cookie_name = if auth.http_only {
+ // server has switched to http only flow, provide ticket in properly prefixed cookie
+ PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE
+ } else {
+ PROXMOX_BACKUP_AUTH_COOKIE
+ };
+
let enc_ticket = format!(
- "PBSAuthCookie={}",
+ "{cookie_name}={}",
percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET)
);
+
req.headers_mut()
.insert("Cookie", HeaderValue::from_str(&enc_ticket).unwrap());
req.headers_mut().insert(
@@ -905,14 +936,43 @@ impl HttpClient {
"/api2/json/access/ticket",
Some(data),
)?;
- let cred = Self::api_request(client, req).await?;
+
+ let res = tokio::time::timeout(HTTP_TIMEOUT, client.request(req))
+ .await
+ .map_err(|_| format_err!("http request timed out"))??;
+
+ // check if the headers contain a newer HttpOnly cookie
+ let http_only_ticket = res
+ .headers()
+ .get_all(SET_COOKIE)
+ .iter()
+ .filter_map(|c| c.to_str().ok())
+ .filter_map(|c| match (c.find('='), c.find(';')) {
+ (Some(begin), Some(end))
+ if begin < end && &c[..begin] == PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE =>
+ {
+ Some(c[begin + 1..end].to_string())
+ }
+ _ => None,
+ })
+ .next();
+
+ // if the headers contained a new HttpOnly cookie, the server switched to providing these
+ // by default. this means that older cookies may no longer be supported, so switch to using
+ // the new cookie name.
+ let http_only = http_only_ticket.is_some();
+
+ let cred = Self::api_response(res).await?;
let auth = AuthInfo {
auth_id: cred["data"]["username"].as_str().unwrap().parse()?,
- ticket: cred["data"]["ticket"].as_str().unwrap().to_owned(),
+ ticket: http_only_ticket
+ .or(cred["data"]["ticket"].as_str().map(|t| t.to_string()))
+ .unwrap(),
token: cred["data"]["CSRFPreventionToken"]
.as_str()
.unwrap()
.to_owned(),
+ http_only,
};
Ok(auth)
--
2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
^ permalink raw reply [flat|nested] 9+ messages in thread