From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 06F861FF15C for ; Fri, 25 Jul 2025 13:19:56 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3672A16596; Fri, 25 Jul 2025 13:21:17 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Fri, 25 Jul 2025 13:20:16 +0200 Message-ID: <20250725112019.245838-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250725112019.245838-1-s.sterz@proxmox.com> References: <20250725112019.245838-1-s.sterz@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1753442440324 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.022 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox 1/3] rest-server: remove auth cookies via http header on unauthorized request X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" previously the behaviour of our javascript clients was to remove authentication cookies if the api returned a 401 UNAUTHORIZED response. with the switch to httponly cookies, this is no longer possible. add an option to the ApiConfig to allow the rest-server to remove such cookies 
Signed-off-by: Shannon Sterz --- proxmox-rest-server/src/api_config.rs | 9 +++++++++ proxmox-rest-server/src/rest.rs | 25 ++++++++++++++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/proxmox-rest-server/src/api_config.rs b/proxmox-rest-server/src/api_config.rs index 0b847a0c..0a67231e 100644 --- a/proxmox-rest-server/src/api_config.rs +++ b/proxmox-rest-server/src/api_config.rs @@ -33,6 +33,9 @@ pub struct ApiConfig { auth_handler: Option, index_handler: Option, pub(crate) privileged_addr: Option, + // Name of the auth cookie that should be unset on 401 request. If `None` no cookie will be + // removed. + pub(crate) auth_cookie_name: Option, #[cfg(feature = "templates")] templates: templates::Templates, @@ -62,6 +65,7 @@ impl ApiConfig { auth_handler: None, index_handler: None, privileged_addr: None, + auth_cookie_name: None, #[cfg(feature = "templates")] templates: templates::Templates::with_escape_fn(), @@ -82,6 +86,11 @@ impl ApiConfig { self.auth_handler(AuthHandler::from_fn(func)) } + pub fn auth_cookie_name(mut self, auth_cookie_name: String) -> Self { + self.auth_cookie_name = Some(auth_cookie_name); + self + } + /// This is used for `protected` API calls to proxy to a more privileged service. pub fn privileged_addr(mut self, addr: impl Into) -> Self { self.privileged_addr = Some(addr.into()); diff --git a/proxmox-rest-server/src/rest.rs b/proxmox-rest-server/src/rest.rs index bff90882..035a9537 100644 --- a/proxmox-rest-server/src/rest.rs +++ b/proxmox-rest-server/src/rest.rs 
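Review bot: The new builder `auth_cookie_name` in api_config.rs accepts any `String` and has no doc comment, so an unsuitable cookie name is only discovered later, when rest.rs builds the header value and hits its `expect` while serving a request. Validating the name here, or building the header value once at configuration time, would turn a misconfiguration into a startup failure instead of a panic in the request path. A doc comment in the style of the neighbouring `privileged_addr` would help, for example `/// Name of the auth cookie to expire with a Set-Cookie header on 401 responses; must be a valid cookie name.`. The field comment in the struct hunk could use `///` instead of `//` so it appears in rustdoc. The `impl ApiConfig` block starts and ends outside the hunk.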
@@ -357,8 +357,21 @@ impl Service> for ApiService { Some(proxied_peer) => proxied_peer, None => self.peer, }; + + let header = self.api_config + .auth_cookie_name + .as_ref() + .map(|name|{ + let host_cookie = format!("{name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Lax; HttpOnly; Path=/;"); + + // SAFETY: this can only fail if the cookie name is not valid in http headers. + // since this is about an authentication cookie, this should never happen. + hyper::header::HeaderValue::from_str(&host_cookie) + .expect("auth cookie name has characters that are not valid for http headers") + }); + async move { - let response = match Arc::clone(&config).handle_request(req, &peer).await { + let mut response = match Arc::clone(&config).handle_request(req, &peer).await { Ok(response) => response, Err(err) => { let (err, code) = match err.downcast_ref::() { @@ -371,6 +384,16 @@ impl Service> for ApiService { .body(err.into())? } }; + + if let Some(cookie_header) = header { + // remove auth cookies that javascript based clients can not unset + if response.status() == StatusCode::UNAUTHORIZED { + response + .headers_mut() + .insert(hyper::header::SET_COOKIE, cookie_header); + } + } + let logger = config.get_access_log(); log_response(logger, &peer, method, &path, &response, user_agent); Ok(response) -- 2.47.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
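Review bot: The `expect` inside the `.map(|name| { … })` closure runs on every call of the service, so a cookie name that fails `HeaderValue::from_str` panics per request rather than once at startup; the enclosing `call` body starts outside the hunk. The check is also weaker than the comment implies: as far as I can tell `from_str` accepts any visible ASCII, including `;`, `=` and spaces, so a name containing those would pass and change the attributes of the emitted cookie line. `// SAFETY:` is by convention reserved for justifying `unsafe` blocks; a plain comment such as `// panics only if the configured cookie name is not a valid header value` fits better. Consider checking the name against the cookie-name token rules where it is configured, and degrading to `None` with a logged error here instead of panicking.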
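Review bot: `headers_mut().insert(hyper::header::SET_COOKIE, cookie_header)` replaces every `Set-Cookie` header already present on the 401 response, so any cookie a handler set on that response is silently dropped. `append` keeps existing values and adds the expiry cookie: `.append(hyper::header::SET_COOKIE, cookie_header);`. The status check applies to every 401 regardless of path or client type, which looks intended but deserves a sentence in the comment, e.g. `// applies to all 401 responses, including API-token and non-browser clients`. The async block continues outside the hunk.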