From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 3/3] client: adapt pbs client to also handle http-only flows correctly
Date: Thu, 10 Jul 2025 15:50:10 +0200 [thread overview]
Message-ID: <20250710135010.305861-5-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250710135010.305861-1-s.sterz@proxmox.com>
if we decide to make the http-only flow opt-out or remove the previous
authentication flow entirely, prepare the client to speak to servers
that only support http-only cookie tickets
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
pbs-client/src/http_client.rs | 70 ++++++++++++++++++++++++++++++++---
1 file changed, 65 insertions(+), 5 deletions(-)
diff --git a/pbs-client/src/http_client.rs b/pbs-client/src/http_client.rs
index 0b415cac..f6aedda1 100644
--- a/pbs-client/src/http_client.rs
+++ b/pbs-client/src/http_client.rs
@@ -7,6 +7,7 @@ use bytes::Bytes;
use futures::*;
use http_body_util::{BodyDataStream, BodyExt};
use hyper::body::Incoming;
+use hyper::header::SET_COOKIE;
use hyper::http::header::HeaderValue;
use hyper::http::Uri;
use hyper::http::{Request, Response};
@@ -111,11 +112,16 @@ mod resolver {
/// certain error conditions. Keep it generous, to avoid false-positive under high load.
const HTTP_TIMEOUT: Duration = Duration::from_secs(2 * 60);
+const PROXMOX_BACKUP_AUTH_COOKIE: &str = "PBSAuthCookie";
+const PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE: &str = "__Host-PBSAuthCookie";
+
#[derive(Clone)]
pub struct AuthInfo {
pub auth_id: Authid,
pub ticket: String,
pub token: String,
+ // Whether the server uses HttpOnly cookies for authentication
+ pub http_only: bool,
}
pub struct HttpClientOptions {
@@ -504,6 +510,7 @@ impl HttpClient {
auth_id: auth_id.clone(),
ticket: password.clone(),
token: "".to_string(),
+ http_only: false,
}));
let server2 = server.to_string();
@@ -725,10 +732,18 @@ impl HttpClient {
HeaderValue::from_str(&enc_api_token).unwrap(),
);
} else {
+ let cookie_name = if auth.http_only {
+ // server has switched to http only flow, provide ticket in properly prefixed cookie
+ PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE
+ } else {
+ PROXMOX_BACKUP_AUTH_COOKIE
+ };
+
let enc_ticket = format!(
- "PBSAuthCookie={}",
+ "{cookie_name}={}",
percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET)
);
+
req.headers_mut()
.insert("Cookie", HeaderValue::from_str(&enc_ticket).unwrap());
req.headers_mut().insert(
@@ -767,10 +782,18 @@ impl HttpClient {
let auth = self.login().await?;
+ let cookie_name = if auth.http_only {
+ // server has switched to http only flow, provide ticket in properly prefixed cookie
+ PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE
+ } else {
+ PROXMOX_BACKUP_AUTH_COOKIE
+ };
+
let enc_ticket = format!(
- "PBSAuthCookie={}",
+ "{cookie_name}={}",
percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET)
);
+
req.headers_mut()
.insert("Cookie", HeaderValue::from_str(&enc_ticket).unwrap());
@@ -836,10 +859,18 @@ impl HttpClient {
HeaderValue::from_str(&enc_api_token).unwrap(),
);
} else {
+ let cookie_name = if auth.http_only {
+ // server has switched to http only flow, provide ticket in properly prefixed cookie
+ PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE
+ } else {
+ PROXMOX_BACKUP_AUTH_COOKIE
+ };
+
let enc_ticket = format!(
- "PBSAuthCookie={}",
+ "{cookie_name}={}",
percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET)
);
+
req.headers_mut()
.insert("Cookie", HeaderValue::from_str(&enc_ticket).unwrap());
req.headers_mut().insert(
@@ -905,14 +936,43 @@ impl HttpClient {
"/api2/json/access/ticket",
Some(data),
)?;
- let cred = Self::api_request(client, req).await?;
+
+ let res = tokio::time::timeout(HTTP_TIMEOUT, client.request(req))
+ .await
+ .map_err(|_| format_err!("http request timed out"))??;
+
+ // check if the headers contain a newer http only cookie
+ let http_only_ticket = res
+ .headers()
+ .get_all(SET_COOKIE)
+ .iter()
+ .filter_map(|c| c.to_str().ok())
+ .filter_map(|c| match (c.find('='), c.find(';')) {
+ (Some(begin), Some(end))
+ if begin < end && &c[..begin] == PROXMOX_BACKUP_PREFIXED_AUTH_COOKIE =>
+ {
+ Some(c[begin + 1..end].to_string())
+ }
+ _ => None,
+ })
+ .next();
+
+ // if the headers contained a new http only cookie, the server switched to providing these
+ // by default. this means that older cookies may no longer be supported, so switch to using
+ // the new cookie name.
+ let http_only = http_only_ticket.is_some();
+
+ let cred = Self::api_response(res).await?;
let auth = AuthInfo {
auth_id: cred["data"]["username"].as_str().unwrap().parse()?,
- ticket: cred["data"]["ticket"].as_str().unwrap().to_owned(),
+ ticket: http_only_ticket
+ .or(cred["data"]["ticket"].as_str().map(|t| t.to_string()))
+ .unwrap(),
token: cred["data"]["CSRFPreventionToken"]
.as_str()
.unwrap()
.to_owned(),
+ http_only,
};
Ok(auth)
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-07-10 13:50 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-10 13:50 [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
2025-07-15 22:40 ` Thomas Lamprecht
[not found] ` <DBDBXGTI71WP.3V2J3DEMNK1DL@proxmox.com>
2025-07-22 20:21 ` Thomas Lamprecht
2025-07-23 15:18 ` Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: access: add opt-in http only ticket authentication flow Shannon Sterz
2025-07-23 12:57 ` Mira Limbeck
2025-07-23 13:58 ` Maximiliano Sandoval
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: opt into the new http-only " Shannon Sterz
2025-07-10 13:50 ` Shannon Sterz [this message]
2025-07-23 12:56 ` [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs Mira Limbeck
2025-07-23 14:05 ` Maximiliano Sandoval
2025-07-23 15:15 ` Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250710135010.305861-5-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.