From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 8A0201FF15C for ; Fri, 25 Jul 2025 13:23:09 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AC743167E6; Fri, 25 Jul 2025 13:24:30 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Fri, 25 Jul 2025 13:23:53 +0200 Message-ID: <20250725112357.247866-1-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.2 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1753442634602 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.022 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox{,-backup} 0/4] HttpOnly follow-ups X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" this small series tries to smooth out the transition to HttpOnly cookies for our users: - cookies are now removed by the server if a 401 UNAUTHORIZED error is encountered. this matches the behaviour of our previous javascript browser-based clients. it is necessary, as they can't remove the cookie themselves anymore due to the new security measures. - log-in is possible again, even if an invalid HttpOnly cookie is provided. - `Expire` is removed from the cookies to make them "session cookies" again. this should restore security assumptions some users may have made about closing their browser and being logged out. note that session cookies may still be restored after a browser was closed, if the browser uses session restoration. proxmox: Shannon Sterz (3): rest-server: remove auth cookies via http header on unauthorized request auth-api: don't set `Expire` for HttpOnly cookies anymore auth-api: allow log-in via parameters even if HttpOnly cookie is invalid proxmox-auth-api/src/api/access.rs | 67 +++++++++++++++------------ proxmox-auth-api/src/types.rs | 2 +- proxmox-rest-server/src/api_config.rs | 9 ++++ proxmox-rest-server/src/rest.rs | 25 +++++++++- 4 files changed, 71 insertions(+), 32 deletions(-) proxmox-backup: Shannon Sterz (1): api/proxy: set auth cookie name in rest server api config src/auth.rs | 10 +++++++++- src/auth_helpers.rs | 1 + src/bin/proxmox-backup-api.rs | 1 + src/bin/proxmox-backup-proxy.rs | 1 + 4 files changed, 12 insertions(+), 1 deletion(-) Summary over all repositories: 8 files changed, 83 insertions(+), 33 deletions(-) -- Generated by git-murpp 0.8.1 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel