* [pbs-devel] [PATCH proxmox-backup/widget-toolkit 0/2] opt PBS into the new HttpOnly flow for TFA challenges
@ 2025-08-06 9:57 Shannon Sterz
2025-08-06 9:57 ` [pbs-devel] [PATCH widget-toolkit 1/1] tfa window: allow opting into the new http only flow for tfa challenges Shannon Sterz
2025-08-06 9:57 ` [pbs-devel] [PATCH proxmox-backup 1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow Shannon Sterz
0 siblings, 2 replies; 7+ messages in thread
From: Shannon Sterz @ 2025-08-06 9:57 UTC
To: pbs-devel
these patches:
a) allow users of the TfaWindow to opt into the new HttpOnly auth flow
b) do so for PBS
this should fix a problem where log ins could become racy
proxmox-widget-toolkit:
Shannon Sterz (1):
tfa window: allow opting into the new http only flow for tfa
challenges
src/window/TfaWindow.js | 4 ++++
1 file changed, 4 insertions(+)
proxmox-backup:
Shannon Sterz (1):
ui: login: opt the tfa challenge handling into the new HttpOnly flow
www/LoginView.js | 2 ++
1 file changed, 2 insertions(+)
Summary over all repositories:
2 files changed, 6 insertions(+), 0 deletions(-)
--
Generated by git-murpp 0.8.1
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
* [pbs-devel] [PATCH widget-toolkit 1/1] tfa window: allow opting into the new http only flow for tfa challenges
2025-08-06 9:57 [pbs-devel] [PATCH proxmox-backup/widget-toolkit 0/2] opt PBS into the new HttpOnly flow for TFA challenges Shannon Sterz
@ 2025-08-06 9:57 ` Shannon Sterz
2025-08-06 10:04 ` [pve-devel] applied: [pbs-devel] " Thomas Lamprecht
2025-08-06 9:57 ` [pbs-devel] [PATCH proxmox-backup 1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow Shannon Sterz
1 sibling, 1 reply; 7+ messages in thread
From: Shannon Sterz @ 2025-08-06 9:57 UTC
To: pbs-devel
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/window/TfaWindow.js | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/window/TfaWindow.js b/src/window/TfaWindow.js
index c066f22..e3a73b5 100644
--- a/src/window/TfaWindow.js
+++ b/src/window/TfaWindow.js
@@ -301,6 +301,10 @@ Ext.define('Proxmox.window.TfaLoginWindow', {
password,
};
+ if (view.http_only === true) {
+ params['http-only'] = true;
+ }
+
let resolve = view.onResolve;
let reject = view.onReject;
view.close();
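Review bot: `view.http_only` in the added `if (view.http_only === true)` is a new caller-facing option, but these four lines are the only change to TfaWindow.js, so the window neither declares the property nor gives it a default or a comment. Declaring it on the class with a default of false and a one-line description would make the opt-in discoverable, and a camelCase property name would match the JS style raised later in this thread; the request parameter 'http-only' can stay as it is.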
--
2.47.2
* [pbs-devel] [PATCH proxmox-backup 1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow
2025-08-06 9:57 [pbs-devel] [PATCH proxmox-backup/widget-toolkit 0/2] opt PBS into the new HttpOnly flow for TFA challenges Shannon Sterz
2025-08-06 9:57 ` [pbs-devel] [PATCH widget-toolkit 1/1] tfa window: allow opting into the new http only flow for tfa challenges Shannon Sterz
@ 2025-08-06 9:57 ` Shannon Sterz
2025-08-06 10:09 ` Thomas Lamprecht
1 sibling, 1 reply; 7+ messages in thread
From: Shannon Sterz @ 2025-08-06 9:57 UTC
To: pbs-devel
this was missed previously leading to the tfa part of the auth flow
not opting into the new auth flow. this meant the server did not add a
Set-Cookie header. after that whether or not a login worked fine
became a race between the refresh logic (which was opted into the new
flow and, thus, would yield a proper HttpOnly cookie) and other
requests.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
www/LoginView.js | 2 ++
1 file changed, 2 insertions(+)
diff --git a/www/LoginView.js b/www/LoginView.js
index 9c1ac38a..cf6c2cf7 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -114,6 +114,7 @@ Ext.define('PBS.LoginView', {
let userid = data.username;
let ticket = data.ticket;
+ let http_only = true;
let challenge = JSON.parse(
decodeURIComponent(ticket.split(':')[1].slice('!tfa!'.length)),
);
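Review bot: the added `let http_only = true;` is never reassigned in the visible lines and sits between the ticket assignment and the challenge parsing, where it reads like a value derived from the response. Passing the literal at the call site (`http_only: true`) or declaring it `const` directly before the window is created keeps the opt-in visible where it takes effect.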
@@ -123,6 +124,7 @@ Ext.define('PBS.LoginView', {
userid,
ticket,
challenge,
+ http_only,
onResolve: (value) => resolve(value),
onReject: reject,
}).show();
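Review bot: the added `http_only,` property only has an effect when the installed widget-toolkit contains the companion change that reads `view.http_only`; with an older toolkit the property is silently ignored and the TFA request goes out without 'http-only', which is the behaviour this patch is meant to remove. Since the two changes land in different repositories, the proxmox-backup packaging should require a widget-toolkit version that includes the companion patch.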
--
2.47.2
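A simplified model of the ordering problem described in the commit message above, added here as an illustration; it is not part of the thread or of Proxmox code. The mock server, cookie jar, function names and sample values are assumptions, and the model assumes the browser relies only on a server-set cookie.

```javascript
// Added illustration: all names and values are constructed, not Proxmox code.

// Mock ticket endpoint: a Set-Cookie header is only sent when the request
// opted into the HttpOnly flow via the 'http-only' parameter.
function serverTicket(params) {
    const headers = {};
    if (params['http-only'] === true) {
        headers['set-cookie'] = 'auth=constructed-ticket; HttpOnly; Secure';
    }
    return { status: 200, headers };
}

// Mock protected endpoint: succeeds only if the cookie jar holds the cookie.
function serverApi(jar) {
    return jar.has('auth') ? 200 : 401;
}

// Browser side: store a cookie when the response carries one.
function applyResponse(jar, res) {
    const cookie = res.headers['set-cookie'];
    if (cookie) {
        jar.set(cookie.split('=')[0], cookie);
    }
}

// One login: answer the TFA challenge, then run the ticket refresh and the
// first API request in the given order. Returns the API request's status.
function simulateLogin({ tfaOptsIn, order }) {
    const jar = new Map();
    const tfaParams = { password: 'constructed-tfa-response' };
    if (tfaOptsIn) {
        tfaParams['http-only'] = true;
    }
    applyResponse(jar, serverTicket(tfaParams));

    let apiStatus = null;
    for (const step of order) {
        if (step === 'refresh') {
            // The refresh logic is already opted into the new flow.
            applyResponse(jar, serverTicket({ 'http-only': true }));
        } else {
            apiStatus = serverApi(jar);
        }
    }
    return apiStatus;
}

for (const tfaOptsIn of [false, true]) {
    for (const order of [['api', 'refresh'], ['refresh', 'api']]) {
        console.log(tfaOptsIn, order.join('->'), simulateLogin({ tfaOptsIn, order }));
    }
}
```

Without the opt-in the first API request succeeds only when the refresh happens to run before it; with the opt-in both orderings succeed.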
* [pbs-devel] applied: [PATCH widget-toolkit 1/1] tfa window: allow opting into the new http only flow for tfa challenges
2025-08-06 9:57 ` [pbs-devel] [PATCH widget-toolkit 1/1] tfa window: allow opting into the new http only flow for tfa challenges Shannon Sterz
@ 2025-08-06 10:04 ` Thomas Lamprecht
0 siblings, 0 replies; 7+ messages in thread
From: Thomas Lamprecht @ 2025-08-06 10:04 UTC
To: pve-devel, pbs-devel, Shannon Sterz
On Wed, 06 Aug 2025 11:57:01 +0200, Shannon Sterz wrote:
>
Applied, thanks!
[1/1] tfa window: allow opting into the new http only flow for tfa challenges
commit: 230fb4d0d15b348253aa53cfe169d0066e4f1647
* Re: [pbs-devel] [PATCH proxmox-backup 1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow
2025-08-06 9:57 ` [pbs-devel] [PATCH proxmox-backup 1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow Shannon Sterz
@ 2025-08-06 10:09 ` Thomas Lamprecht
2025-08-06 10:20 ` Shannon Sterz
0 siblings, 1 reply; 7+ messages in thread
From: Thomas Lamprecht @ 2025-08-06 10:09 UTC
To: pbs-devel, Shannon Sterz
On Wed, 06 Aug 2025 11:57:02 +0200, Shannon Sterz wrote:
> this was missed previously leading to the tfa part of the auth flow
> not opting into the new auth flow. this meant the server did not add a
> Set-Cookie header. after that whether or not a login worked fine
> became a race between the refresh logic (which was opted into the new
> flow and, thus, would yield a proper HttpOnly cookie) and other
> requests.
>
> [...]
Applied, thanks!
tiny nit: we would prefer camelCase in JS, but that's just internal so we can
change it at any time with a fallback to the previous property.
[1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow
commit: 4e7c0d6a264557e4e9eea3b0cae2a97260848469
* Re: [pbs-devel] [PATCH proxmox-backup 1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow
2025-08-06 10:09 ` Thomas Lamprecht
@ 2025-08-06 10:20 ` Shannon Sterz
0 siblings, 0 replies; 7+ messages in thread
From: Shannon Sterz @ 2025-08-06 10:20 UTC
To: Thomas Lamprecht, pbs-devel
On Wed Aug 6, 2025 at 12:09 PM CEST, Thomas Lamprecht wrote:
> On Wed, 06 Aug 2025 11:57:02 +0200, Shannon Sterz wrote:
>> this was missed previously leading to the tfa part of the auth flow
>> not opting into the new auth flow. this meant the server did not add a
>> Set-Cookie header. after that whether or not a login worked fine
>> became a race between the refresh logic (which was opted into the new
>> flow and, thus, would yield a proper HttpOnly cookie) and other
>> requests.
>>
>> [...]
>
> Applied, thanks!
>
> tiny nit: we would prefer camelCase in JS, but that's just internal so we can
> change it at any time with a fallback to the previous property.
yes sorry, noticed that after i sent it, just sent a follow-up. snake
case is too much of a habit at this point ^^'
> [1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow
> commit: 4e7c0d6a264557e4e9eea3b0cae2a97260848469