[pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs

From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs
Date: Wed, 23 Jul 2025 17:13:54 +0200	[thread overview]
Message-ID: <20250723151356.264229-3-s.sterz@proxmox.com> (raw)

# Summary

this series adds an authentication flow based on HttpOnly cookies for
proxmox backup server. at the moment this authentication flow is opt-in
in order to not break older clients that may still rely on the previous
authentication flow.

this series is split into three parts:

1. prepare proxmox-auth-api to be used with extjs and implements a new
   ticket endpoint for pbs. this endpoint requires clients to provide a
   boolean parameter `http-only` as `true` for it to switch to the new
   http-only based authentication flow.
2. adapt proxmox backup server's ui components to always use the
   HttpOnly based authentication flow. this should make cookies
   inaccessible to any javascript-based attack in the browser,
   providing an extra layer of security.
3. prepare pbs-client for potential servers that may no longer provide
   the previous authentication flow. the point of already adding this
   now, is to be prepare update-hesitant users for a future without the
   old authentication flow. if the old authentication flow is dropped in
   the future, more users will already have a client version that can
   adapt to the new flow.

note that this series is a follow up to a much more in-depth series for
proxmox-auth-api and related crates. so a lot of the actual security
considerations were addressed in the original already applied series.
see [1] for more details.

[1]: https://lore.proxmox.com/pdm-devel/20250304144247.231089-1-s.sterz@proxmox.com/T/#u

# Changes since v1

- minor lint fix-up where a trailing "," was missing in the second
  proxmox-backup patch
- add a `tracing::debug!()` statement to the opt-in HttpOnly flow,
  thanks @ Maximiliano Sandoval
- consistently use "HttpOnly" instead of switching between "http only",
  "http-only" and "HttpOnly" in comments and user facing documentation,
  thanks @ Mira Limbeck

since none of these changes impact the behaviour of these patches, i'll
keep the T-b lines intact for the entire series.

# Why not opt the `pbs-client` into the new flow?

the client is deliberatelly not opted into the new authentication flow
for the following reasons:

- http only cookies are only an effective security mechanism within a
  browser context. the client simply does not benefit from this extra
  layer of protection. the attacks http only cookies protect against,
  simply don't exist here.
- opting the client in unconditionally isn't possible. older pbs servers
  would complain about the additional api parameters provided by the
  client. this means:

    + the client would either need to try the http-only flow and once
      that fails, fall back to the older authentication flow.
    + or query (and possibly cache) the server version and check if the
      version is new enough to support the new authentication flow.

both approaches are more error-prone and produce additional network
overhead than simply not opting the client into the new flow. causing
api errors may also produce a lot of false warnings when monitoring pbs.
so there are no benefits, but potential downsides. hence, the client
will not yet be opted into the new authentication flow.

# How to Test

- apply all patches to the respective repositories and make sure to
  build against the patched proxmox-auth-api crate
- once you set up a pbs server with the new patches, refresh the ui
  (ideally with ctrl+shift+r, so nothing is cached). log in and check
  the developer console on whether the new `__Host-PBSAuthCookie` is
  set. log out and verify that it is being removed.
- build the new proxmox-backup-client and try listing a datastore of an
  old unpached pbs and a new patched pbs. instead you can also cary out
  any other action that would require authentication.
- use an old proxmox-backup-client without these patches and try listing
  a datastore or anything else that would require authentication against
  a newly patched pbs

proxmox:

Shannon Sterz (1):
  auth-api: include meta information required by extjs in api endpoints

 proxmox-auth-api/src/api/access.rs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

proxmox-backup:

Shannon Sterz (3):
  api: access: add opt-in HttpOnly ticket authentication flow
  ui: opt into the new HttpOnly ticket authentication flow
  client: adapt pbs client to also handle HttpOnly flows correctly

 pbs-client/src/http_client.rs | 70 +++++++++++++++++++++++++++++---
 src/api2/access/mod.rs        | 76 +++++++++++++++++++++++++++++++++--
 www/Application.js            | 12 +++++-
 www/LoginView.js              |  4 +-
 www/MainView.js               |  1 +
 www/Utils.js                  |  6 +++
 6 files changed, 158 insertions(+), 11 deletions(-)

Summary over all repositories:
  7 files changed, 168 insertions(+), 14 deletions(-)

--
Generated by git-murpp 0.8.1

_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel