From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH yew-comp v4 19/21] LoginPanel/http helpers: add support for handling HttpOnly cookies
Date: Tue, 4 Mar 2025 13:05:04 +0100 [thread overview]
Message-ID: <20250304120506.135617-20-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250304120506.135617-1-s.sterz@proxmox.com>
this makes sure that we handle tickets that are stored in in HttpOnly
cookies correctly by:
- assuming that the properly sign ticket is in a cookie we can't
access when refreshing tickets and only an informational ticket is
available to us.
- handling `TicketResult::HttpOnly` correctly
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/http_helpers.rs | 30 ++++++++++++++++++++++++++----
src/login_panel.rs | 5 ++++-
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/src/http_helpers.rs b/src/http_helpers.rs
index 9f0403f..e2489cc 100644
--- a/src/http_helpers.rs
+++ b/src/http_helpers.rs
@@ -108,11 +108,25 @@ async fn ticket_refresh_loop() {
}
Validity::Refresh => {
let client = CLIENT.with(|c| Rc::clone(&*c.borrow()));
- if let Ok(TicketResult::Full(auth)) =
+
+ // if the ticket is not signed, there is no point in sending it, assume we
+ // are using a HttpOnly cookie that is properly handled by the
+ // browser/cookie anyway
+ let result = if data.ticket.is_info_only() {
+ client.refresh(&data.userid).await
+ } else {
client.login(&data.userid, &data.ticket.to_string()).await
- {
- log::info!("ticket_refresh_loop: Got ticket update.");
- client.set_auth(auth.clone());
+ };
+
+ match result {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
+ Ok(TicketResult::Full(auth)) | Ok(TicketResult::HttpOnly(auth)) => {
+ log::info!("ticket_refresh_loop: Got ticket update.");
+ client.set_auth(auth.clone());
+ }
+ _ => { /* do nothing */ }
}
}
Validity::Valid => { /* do nothing */ }
@@ -157,11 +171,19 @@ pub async fn http_login(
.await?;
match ticket_result {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
TicketResult::Full(auth) => {
client.set_auth(auth.clone());
update_global_client(client);
Ok(TicketResult::Full(auth))
}
+ TicketResult::HttpOnly(auth) => {
+ client.set_auth(auth.clone());
+ update_global_client(client);
+ Ok(TicketResult::HttpOnly(auth))
+ }
challenge => Ok(challenge),
}
}
diff --git a/src/login_panel.rs b/src/login_panel.rs
index d979bbb..aecbf80 100644
--- a/src/login_panel.rs
+++ b/src/login_panel.rs
@@ -74,7 +74,10 @@ impl ProxmoxLoginPanel {
let link = ctx.link().clone();
self.async_pool.spawn(async move {
match crate::http_login(username, password, realm).await {
- Ok(TicketResult::Full(info)) => {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
+ Ok(TicketResult::Full(info)) | Ok(TicketResult::HttpOnly(info)) => {
link.send_message(Msg::Login(info));
}
Ok(TicketResult::TfaRequired(challenge)) => {
--
2.39.5
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-03-04 12:05 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-04 12:04 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 01/21] time: add new `epoch_to_http_date` helper Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 02/21] rest-server: borrow parts parameter in `get_request_parameter` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 03/21] router/rest-server: add new `AsyncHttpBodyParameters` api handler type Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 04/21] auth-api: extend `AuthContext` with prefixed cookie name Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 05/21] auth-api: check for new prefixed cookies as well Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 06/21] auth-api: introduce new CreateTicket and CreateTickeReponse api types Shannon Sterz
2025-03-04 14:16 ` Wolfgang Bumiller
2025-03-07 10:06 ` Maximiliano Sandoval
2025-03-07 10:14 ` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 07/21] auth-api: add endpoint for issuing tickets as HttpOnly tickets Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 08/21] auth-api: make regular ticket endpoint use the new types and handler Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 09/21] auth-api: add logout method Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 10/21] login: add optional field for ticket_info and make password optional Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 11/21] login: make password optional when creating Login requests Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 12/21] login: add helpers to pass cookie values when parsing login responses Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 13/21] login: add `TicketResult::HttpOnly` member Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 14/21] login: add helper to check whether a ticket is just informational Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 15/21] login: add functions to specify full cookie names Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 16/21] client: add compatibility with HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 17/21] client: specify cookie names for authentication headers where possible Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 18/21] HttpClient: add helpers to refresh HttpOnly cookies and remove them Shannon Sterz
2025-03-04 12:05 ` Shannon Sterz [this message]
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 20/21] http helpers: ask server to remove `__Host-` prefixed cookie on logout Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH datacenter-manager v4 21/21] api: switch ticket endpoint over to new http only endpoint Shannon Sterz
2025-03-04 14:43 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250304120506.135617-20-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal