From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox v4 09/21] auth-api: add logout method
Date: Tue, 4 Mar 2025 13:04:54 +0100 [thread overview]
Message-ID: <20250304120506.135617-10-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250304120506.135617-1-s.sterz@proxmox.com>
adds a new endpoint that is useful when dealing with HttpOnly cookies
that cannot be removed by client-side javascript (and by extension
wasm) code. the logout handle simply removes the cookie that is used
for storing the current ticket. this works the same way as it does in
the front-end: by setting an expired cookie with the same name.
as cookies are now prefixed with `__Host-` by default, the cookie here
also needs to be `Secure` and have the same `Path` to not be rejected
by the browser before it can remove the old cookie.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
proxmox-auth-api/src/api/access.rs | 29 ++++++++++++++++++++++++++++-
proxmox-auth-api/src/api/mod.rs | 2 +-
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 260440bf..411ac5b5 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -11,7 +11,7 @@ use proxmox_rest_server::{extract_cookie, RestEnvironment};
use proxmox_router::{
http_err, ApiHandler, ApiMethod, ApiResponseFuture, Permission, RpcEnvironment,
};
-use proxmox_schema::{api, AllOfSchema, ApiType, ParameterSchema, ReturnType};
+use proxmox_schema::{api, AllOfSchema, ApiType, ObjectSchema, ParameterSchema, ReturnType};
use proxmox_tfa::api::TfaChallenge;
use super::ApiTicket;
@@ -63,6 +63,33 @@ pub async fn create_ticket(
handle_ticket_creation(create_params, env).await
}
+pub const API_METHOD_LOGOUT: ApiMethod = ApiMethod::new(
+ &ApiHandler::AsyncHttpBodyParameters(&logout_handler),
+ &ObjectSchema::new("", &[]),
+)
+.protected(true)
+.access(None, &Permission::World);
+
+fn logout_handler(
+ _parts: Parts,
+ _param: Value,
+ _info: &ApiMethod,
+ _rpcenv: Box<dyn RpcEnvironment>,
+) -> ApiResponseFuture {
+ Box::pin(async move {
+ // unset authentication cookie by setting an invalid one. needs the same `Path` and
+ // `Secure` parameter to not be rejected by some browsers. also use the same `HttpOnly` and
+ // `SameSite` parameters just in case.
+ let host_cookie = format!(
+ "{}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Lax; HttpOnly; Path=/;",
+ auth_context()?.prefixed_auth_cookie_name()
+ );
+
+ Ok(Response::builder()
+ .header(hyper::header::SET_COOKIE, host_cookie)
+ .body(Body::empty())?)
+ })
+}
pub const API_METHOD_CREATE_TICKET_HTTP_ONLY: ApiMethod = ApiMethod::new_full(
&ApiHandler::AsyncHttpBodyParameters(&create_ticket_http_only),
diff --git a/proxmox-auth-api/src/api/mod.rs b/proxmox-auth-api/src/api/mod.rs
index 3ee2d0e1..e176ea01 100644
--- a/proxmox-auth-api/src/api/mod.rs
+++ b/proxmox-auth-api/src/api/mod.rs
@@ -20,7 +20,7 @@ use access::verify_csrf_prevention_token;
pub use access::{
assemble_csrf_prevention_token, create_ticket, API_METHOD_CREATE_TICKET,
- API_METHOD_CREATE_TICKET_HTTP_ONLY,
+ API_METHOD_CREATE_TICKET_HTTP_ONLY, API_METHOD_LOGOUT,
};
pub use ticket::{ApiTicket, PartialTicket};
--
2.39.5
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-03-04 12:05 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-04 12:04 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 01/21] time: add new `epoch_to_http_date` helper Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 02/21] rest-server: borrow parts parameter in `get_request_parameter` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 03/21] router/rest-server: add new `AsyncHttpBodyParameters` api handler type Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 04/21] auth-api: extend `AuthContext` with prefixed cookie name Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 05/21] auth-api: check for new prefixed cookies as well Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 06/21] auth-api: introduce new CreateTicket and CreateTickeReponse api types Shannon Sterz
2025-03-04 14:16 ` Wolfgang Bumiller
2025-03-07 10:06 ` Maximiliano Sandoval
2025-03-07 10:14 ` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 07/21] auth-api: add endpoint for issuing tickets as HttpOnly tickets Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 08/21] auth-api: make regular ticket endpoint use the new types and handler Shannon Sterz
2025-03-04 12:04 ` Shannon Sterz [this message]
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 10/21] login: add optional field for ticket_info and make password optional Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 11/21] login: make password optional when creating Login requests Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 12/21] login: add helpers to pass cookie values when parsing login responses Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 13/21] login: add `TicketResult::HttpOnly` member Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 14/21] login: add helper to check whether a ticket is just informational Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 15/21] login: add functions to specify full cookie names Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 16/21] client: add compatibility with HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 17/21] client: specify cookie names for authentication headers where possible Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 18/21] HttpClient: add helpers to refresh HttpOnly cookies and remove them Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 19/21] LoginPanel/http helpers: add support for handling HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 20/21] http helpers: ask server to remove `__Host-` prefixed cookie on logout Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH datacenter-manager v4 21/21] api: switch ticket endpoint over to new http only endpoint Shannon Sterz
2025-03-04 14:43 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250304120506.135617-10-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal