* [pbs-devel] [PATCH proxmox-backup] api tokens: add authorization method
@ 2020-10-30 12:10 Fabian Grünbichler
  2020-10-30 12:36 ` [pbs-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Fabian Grünbichler @ 2020-10-30 12:10 UTC (permalink / raw)
  To: pbs-devel

and properly decode secret (which is a no-op with the current scheme).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
note: this breaks older clients obviously, but given the short time it's
been out, and the lack of documentation I think this is okay..

 src/client/http_client.rs | 4 ++--
 src/server/rest.rs        | 9 ++++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/client/http_client.rs b/src/client/http_client.rs
index 3b7597fe..99558dba 100644
--- a/src/client/http_client.rs
+++ b/src/client/http_client.rs
@@ -493,7 +493,7 @@ impl HttpClient {
 
         let auth =  self.login().await?;
         if auth.auth_id.is_token() {
-            let enc_api_token = format!("{}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
+            let enc_api_token = format!("PBSAPIToken {}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
             req.headers_mut().insert("Authorization", HeaderValue::from_str(&enc_api_token).unwrap());
         } else {
             let enc_ticket = format!("PBSAuthCookie={}", percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
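Review bot: The new `PBSAPIToken {}:{}` value interpolates `auth.auth_id` without any encoding, while only the ticket is percent-encoded, and the result goes straight into `HeaderValue::from_str(&enc_api_token).unwrap()` on the following line, so an id containing a byte that is not valid in a header value would panic the client instead of returning an error. Propagating the failure with `HeaderValue::from_str(&enc_api_token)?` would be safer, assuming the enclosing function's error type accepts it, as the `?` on `self.login().await` suggests. Because this header carries the token secret, it is also worth calling `set_sensitive(true)` on the value before inserting it, so it is redacted in debug output. The same line is repeated in the hunk at -602, so a small shared helper that builds the header would keep both call sites in step. The enclosing method starts and ends outside the hunk.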
@@ -602,7 +602,7 @@ impl HttpClient {
         let auth =  self.login().await?;
 
         if auth.auth_id.is_token() {
-            let enc_api_token = format!("{}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
+            let enc_api_token = format!("PBSAPIToken {}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
             req.headers_mut().insert("Authorization", HeaderValue::from_str(&enc_api_token).unwrap());
         } else {
             let enc_ticket = format!("PBSAuthCookie={}", percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
diff --git a/src/server/rest.rs b/src/server/rest.rs
index 365e3570..85ad3746 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -17,6 +17,7 @@ use lazy_static::lazy_static;
 use serde_json::{json, Value};
 use tokio::fs::File;
 use tokio::time::Instant;
+use percent_encoding::percent_decode_str;
 use url::form_urlencoded;
 use regex::Regex;
 
@@ -568,7 +569,9 @@ fn extract_auth_data(headers: &http::HeaderMap) -> Option<AuthData> {
     }
 
     match headers.get("AUTHORIZATION").map(|v| v.to_str()) {
-        Some(Ok(v)) => Some(AuthData::ApiToken(v.to_owned())),
+        Some(Ok(v)) if v.starts_with("PBSAPIToken ") => {
+            Some(AuthData::ApiToken(v["PBSAPIToken ".len()..].to_owned()))
+        },
         _ => None,
     }
 }
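Review bot: The scheme check in the new match arm is an exact, case-sensitive comparison against `"PBSAPIToken "`, and the literal is written twice in the arm (once for the test, once for the slice offset) as well as in the client's `format!`. `Some(Ok(v)) => v.strip_prefix("PBSAPIToken ").map(|t| AuthData::ApiToken(t.to_owned())),` expresses the same thing without the manual index, and a shared constant for the scheme name would keep client and server from drifting apart. HTTP authentication scheme names are case-insensitive, so a short comment stating that the exact spelling is required on purpose would help the next reader. The start of `extract_auth_data` is outside the hunk.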
@@ -609,6 +612,10 @@ fn check_auth(
 
             let tokensecret = parts.next()
                 .ok_or_else(|| format_err!("failed to split API token header"))?;
+            let tokensecret = percent_decode_str(tokensecret)
+                .decode_utf8()
+                .map_err(|_| format_err!("failed to decode API token header"))?;
+
             crate::config::token_shadow::verify_secret(&tokenid, &tokensecret)?;
 
             Ok(tokenid)
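Review bot: The decode step added here runs after the header has been split into token id and secret, and that ordering deserves a comment, because decoding before the split would let an encoded `%3A` in the secret shift the id/secret boundary. Something like `// decode only the secret, and only after splitting: the client percent-encodes just this part` above the `percent_decode_str` call would record it. Whether `parts` can still hold further segments after the secret is not visible in this hunk; if the split is not limited to two parts, rejecting a trailing segment would be worth checking. `check_auth` begins and ends outside the hunk.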
-- 
2.20.1






* [pbs-devel] applied: [PATCH proxmox-backup] api tokens: add authorization method
  2020-10-30 12:10 [pbs-devel] [PATCH proxmox-backup] api tokens: add authorization method Fabian Grünbichler
@ 2020-10-30 12:36 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2020-10-30 12:36 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Fabian Grünbichler

On 30.10.20 13:10, Fabian Grünbichler wrote:
> and properly decode secret (which is a no-op with the current scheme).
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> note: this breaks older clients obviously, but given the short time it's
> been out, and the lack of documentation I think this is okay..
> 

and we're still in beta :-)

>  src/client/http_client.rs | 4 ++--
>  src/server/rest.rs        | 9 ++++++++-
>  2 files changed, 10 insertions(+), 3 deletions(-)
> 
>

applied, thanks! Made a follow-up to also accept the `PBSAPIToken=<...>` variant to
be consistent with PVE, like discussed.





