all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox v4 05/21] auth-api: check for new prefixed cookies as well
Date: Tue,  4 Mar 2025 13:04:50 +0100	[thread overview]
Message-ID: <20250304120506.135617-6-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250304120506.135617-1-s.sterz@proxmox.com>

this makes sure that newly generated cookies that are prefixed with,
for example, `__Host-`, for security purposes, are correctly picked
up on. otherwise, the new cookies would not be able to yield proper
authentication.

currently this still falls back to insecure non-prefixed cookies. we
should deprecate them in the long-term and remove this fallback.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-auth-api/src/api/mod.rs | 36 ++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/proxmox-auth-api/src/api/mod.rs b/proxmox-auth-api/src/api/mod.rs
index b75c8602..32d18299 100644
--- a/proxmox-auth-api/src/api/mod.rs
+++ b/proxmox-auth-api/src/api/mod.rs
@@ -203,18 +203,36 @@ fn extract_auth_data(
     auth_context: &dyn AuthContext,
     headers: &http::HeaderMap,
 ) -> Option<AuthData> {
-    if let Some(raw_cookie) = headers.get(http::header::COOKIE) {
-        if let Ok(cookie) = raw_cookie.to_str() {
-            if let Some(ticket) = extract_cookie(cookie, auth_context.auth_cookie_name()) {
-                let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) {
-                    Some(Ok(v)) => Some(v.to_owned()),
-                    _ => None,
-                };
-                return Some(AuthData::User(UserAuthData { ticket, csrf_token }));
-            }
+    let mut ticket = None;
+    let cookie_name = auth_context.auth_cookie_name();
+    let host_cookie = auth_context.prefixed_auth_cookie_name();
+    let cookies = headers
+        .get_all(http::header::COOKIE)
+        .iter()
+        .filter_map(|c| c.to_str().ok());
+
+    for cookie in cookies {
+        // check if we got a `__Host-` prefixed cookie first and break the loop if we do so we use
+        // that cookie.
+        if let Some(extracted_ticket) = extract_cookie(cookie, host_cookie) {
+            ticket = Some(extracted_ticket);
+            break;
+        // if no such prefixed cookie exists, try to fall back to a non-prefixed one
+        // TODO: remove this once we do not support less secure non-prefixed cookies anymore
+        } else if let Some(extracted_ticket) = extract_cookie(cookie, cookie_name) {
+            ticket = Some(extracted_ticket)
         }
     }
 
+    if let Some(ticket) = ticket {
+        let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) {
+            Some(Ok(v)) => Some(v.to_owned()),
+            _ => None,
+        };
+
+        return Some(AuthData::User(UserAuthData { ticket, csrf_token }));
+    }
+
     let token_prefix = auth_context.auth_token_prefix();
     match headers.get(http::header::AUTHORIZATION).map(|v| v.to_str()) {
         Some(Ok(v)) => {
-- 
2.39.5



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel


  parent reply	other threads:[~2025-03-04 12:05 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-04 12:04 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 01/21] time: add new `epoch_to_http_date` helper Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 02/21] rest-server: borrow parts parameter in `get_request_parameter` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 03/21] router/rest-server: add new `AsyncHttpBodyParameters` api handler type Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 04/21] auth-api: extend `AuthContext` with prefixed cookie name Shannon Sterz
2025-03-04 12:04 ` Shannon Sterz [this message]
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 06/21] auth-api: introduce new CreateTicket and CreateTickeReponse api types Shannon Sterz
2025-03-04 14:16   ` Wolfgang Bumiller
2025-03-07 10:06     ` Maximiliano Sandoval
2025-03-07 10:14       ` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 07/21] auth-api: add endpoint for issuing tickets as HttpOnly tickets Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 08/21] auth-api: make regular ticket endpoint use the new types and handler Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 09/21] auth-api: add logout method Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 10/21] login: add optional field for ticket_info and make password optional Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 11/21] login: make password optional when creating Login requests Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 12/21] login: add helpers to pass cookie values when parsing login responses Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 13/21] login: add `TicketResult::HttpOnly` member Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 14/21] login: add helper to check whether a ticket is just informational Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 15/21] login: add functions to specify full cookie names Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 16/21] client: add compatibility with HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 17/21] client: specify cookie names for authentication headers where possible Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 18/21] HttpClient: add helpers to refresh HttpOnly cookies and remove them Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 19/21] LoginPanel/http helpers: add support for handling HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 20/21] http helpers: ask server to remove `__Host-` prefixed cookie on logout Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH datacenter-manager v4 21/21] api: switch ticket endpoint over to new http only endpoint Shannon Sterz
2025-03-04 14:43 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250304120506.135617-6-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal