From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 0A1681FF15C for ; Fri, 25 Jul 2025 14:21:45 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D5D50179ED; Fri, 25 Jul 2025 14:23:05 +0200 (CEST) Message-ID: <27d79e9b-baa3-43f7-b32a-a14ad41365d8@proxmox.com> Date: Fri, 25 Jul 2025 14:23:02 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox Backup Server development discussion , Shannon Sterz References: <20250725112357.247866-1-s.sterz@proxmox.com> <20250725112357.247866-4-s.sterz@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: <20250725112357.247866-4-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1753446178998 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.028 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment PROLO_LEO1 0.1 Meta Catches all Leo drug variations so far SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pbs-devel] [PATCH proxmox 3/3] auth-api: allow log-in via parameters even if HttpOnly cookie is invalid X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Transfer-Encoding: base64 Content-Type: text/plain; charset="utf-8"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" TEdUTQoKdGVzdGVkIGJ5IGludmFsaWRhdGluZyBteSBodHRwLW9ubHkgY29va2llIGFuZCBsb2dn ZWQgaW4gdmlhCnRoZSBsb2dpbiBtYXNrLiB3b3JrZWQgc3VjY2Vzc2Z1bGx5CgpSZXZpZXdlZC1i eTogRG9taW5payBDc2FwYWsgPGQuY3NhcGFrQHByb3htb3guY29tPgpUZXN0ZWQtYnk6IERvbWlu aWsgQ3NhcGFrIDxkLmNzYXBha0Bwcm94bW94LmNvbT4KCk9uIDcvMjUvMjUgMTM6MjQsIFNoYW5u b24gU3Rlcnogd3JvdGU6Cj4gcHJldmlvdXNseSB0aGUgbmV3IEh0dHBPbmx5IGVuZHBvaW50IHdv dWxkIGZhaWwgd2hlbiBhIGNvb2tpZSB3YXMKPiBwcm92aWRlZCBldmVuIGlmIHRoZSBib2R5IG9m IHRoZSByZXF1ZXN0IGNvbnRhaW5lZCB2YWxpZCBjcmVkZW50aWFscy4KPiB0aGlzIGxlYWQgdG8g aXNzdWVzIHdoZW4gYnJvd3Nlci1iYXNlZCBjbGllbnRzIG1heSBoYXZlIGdvdHRlbiBpbnZhbGlk Cj4gSHR0cE9ubHkgY29va2llcyBlLmcuIGlmIGEgUHJveG1veCBCYWNrdXAgU2VydmVyIHdhcyBy ZS1pbnN0YWxsZWQgYXQKPiB0aGUgc2FtZSBJUCBhZGRyZXNzLiB0aGUgY2xpZW50IGNvdWxkIG5v dCByZW1vdmUgdGhlIGNvb2tpZSBkdWUgdG8gdGhlCj4gbmV3IHByb3RlY3Rpb25zLiB3aGlsZSB0 aGUgc2VydmVyIGRpZCBub3QgYWxsb3cgdGhlIGNsaWVudCB0byBsb2cgaW4KPiBhcyBpdCB0cnVz dGVkIHRoZSBIdHRwT25seSBjb29raWUgb3ZlciB0aGUgcGFyYW1ldGVycy4KPiAKPiBhbGxvdyB1 c2VycyB0byBsb2cgaW4gYWdhaW4gaW4gc3VjaCBhIHNjZW5hcmlvLCBidXQgZG9uJ3QgYWxsb3cg YQo+IHRpY2tldCByZWZyZXNoLiBpZiB0aGUgY2xpZW50IGhhcyBhIHZhbGlkIHRpY2tldCBidXQg Y2Fubm90IHByb3ZpZGUgaXQKPiB2aWEgSHR0cE9ubHkgY29va2llLCBzb21ldGhpbmcgaXMgb2Zm IGFuZCBmb3JjaW5nIHRoZSBjbGllbnQgdG8KPiByZS1hdXRoZW50aWNhdGUgaXMgcHJvYmFibHkg dGhlIHNhZmVyIG9wdGlvbi4KPiAKPiBSZXBvcnRlZC1ieTogTGF1cmVuyJtpdSBMZWFodS1WbMSD ZHVjdSA8bC5sZWFodS12bGFkdWN1QHByb3htb3guY29tPgo+IFN1Z2dlc3RlZC1CeTogRG9taW5p ayBDc2FwYWsgPGQuY3NhcGFrQHByb3htb3guY29tPgo+IFNpZ25lZC1vZmYtYnk6IFNoYW5ub24g U3RlcnogPHMuc3RlcnpAcHJveG1veC5jb20+Cj4gLS0tCj4gICBwcm94bW94LWF1dGgtYXBpL3Ny Yy9hcGkvYWNjZXNzLnJzIHwgNTAgKysrKysrKysrKysrKysrKysrKy0tLS0tLS0tLS0tCj4gICBw cm94bW94LWF1dGgtYXBpL3NyYy90eXBlcy5ycyAgICAgIHwgIDIgKy0KPiAgIDIgZmlsZXMgY2hh bmdlZCwgMzMgaW5zZXJ0aW9ucygrKSwgMTkgZGVsZXRpb25zKC0pCj4gCj4gZGlmZiAtLWdpdCBh L3Byb3htb3gtYXV0aC1hcGkvc3JjL2FwaS9hY2Nlc3MucnMgYi9wcm94bW94LWF1dGgtYXBpL3Ny Yy9hcGkvYWNjZXNzLnJzCj4gaW5kZXggNjcxYTM3MGIuLjQ5MGZlNWM4IDEwMDY0NAo+IC0tLSBh L3Byb3htb3gtYXV0aC1hcGkvc3JjL2FwaS9hY2Nlc3MucnMKPiArKysgYi9wcm94bW94LWF1dGgt YXBpL3NyYy9hcGkvYWNjZXNzLnJzCj4gQEAgLTU5LDcgKzU5LDcgQEAgcHViIGFzeW5jIGZuIGNy ZWF0ZV90aWNrZXQoCj4gICAgICAgICAgIC5kb3duY2FzdF9yZWY6OjxSZXN0RW52aXJvbm1lbnQ+ KCkKPiAgICAgICAgICAgLm9rX29yX2Vsc2UofHwgZm9ybWF0X2VyciEoImRldGVjdGVkIHdyb25n IFJwY0Vudmlyb25tZW50IHR5cGUiKSk/Owo+ICAgCj4gLSAgICBoYW5kbGVfdGlja2V0X2NyZWF0 aW9uKGNyZWF0ZV9wYXJhbXMsIGVudikKPiArICAgIGhhbmRsZV90aWNrZXRfY3JlYXRpb24oY3Jl YXRlX3BhcmFtcywgdHJ1ZSwgZW52KQo+ICAgICAgICAgICAuYXdhaXQKPiAgICAgICAgICAgLy8g cmVtb3ZlIHRoZSBzdXBlcmZsdW91cyB0aWNrZXRfaW5mbyB0byBub3QgY29uZnVzZSBjbGllbnRz Cj4gICAgICAgICAgIC5tYXAofG11dCBpbmZvfCB7Cj4gQEAgLTEyMSw2ICsxMjEsNyBAQCBmbiBj cmVhdGVfdGlja2V0X2h0dHBfb25seSgKPiAgICAgICAgICAgbGV0IGF1dGhfY29udGV4dCA9IGF1 dGhfY29udGV4dCgpPzsKPiAgICAgICAgICAgbGV0IGhvc3RfY29va2llID0gYXV0aF9jb250ZXh0 LnByZWZpeGVkX2F1dGhfY29va2llX25hbWUoKTsKPiAgICAgICAgICAgbGV0IG11dCBjcmVhdGVf cGFyYW1zOiBDcmVhdGVUaWNrZXQgPSBzZXJkZV9qc29uOjpmcm9tX3ZhbHVlKHBhcmFtKT87Cj4g KyAgICAgICAgbGV0IHBhc3N3b3JkID0gY3JlYXRlX3BhcmFtcy5wYXNzd29yZC50YWtlKCk7Cj4g ICAKPiAgICAgICAgICAgLy8gcHJldmlvdXNseSB0byByZWZyZXNoIGEgdGlja2V0LCB0aGUgb2xk IHRpY2tldCB3YXMgcHJvdmlkZWQgYXMgYSBwYXNzd29yZCB2aWEgdGhpcwo+ICAgICAgICAgICAv LyBlbmRwb2ludCdzIHBhcmFtZXRlcnMuIGhvd2V2ZXIsIG9uY2UgdGhlIHRpY2tldCBpcyBzZXQg YXMgYW4gSHR0cE9ubHkgY29va2llLCBzb21lCj4gQEAgLTEzOSwxNiArMTQwLDIyIEBAIGZuIGNy ZWF0ZV90aWNrZXRfaHR0cF9vbmx5KAo+ICAgICAgICAgICAgICAgLy8gYWZ0ZXIgdGhpcyBvbmx5 IGBfX0hvc3Qte0Nvb2tpZSBOYW1lfWAgY29va2llcyBhcmUgaW4gdGhlIGl0ZXJhdG9yCj4gICAg ICAgICAgICAgICAuZmlsdGVyX21hcCh8Y3wgZXh0cmFjdF9jb29raWUoYywgaG9zdF9jb29raWUp KQo+ICAgICAgICAgICAgICAgLy8gc28gdGhpcyBzaG91bGQganVzdCBnaXZlIHVzIHRoZSBmaXJz dCBvbmUgaWYgaXQgZXhpc3RzCj4gLSAgICAgICAgICAgIC5uZXh0KCkKPiAtICAgICAgICAgICAg Ly8gaWYgbm90IHVzZSB0aGUgcGFyYW1ldGVyCj4gLSAgICAgICAgICAgIC5vcihjcmVhdGVfcGFy YW1zLnBhc3N3b3JkKTsKPiArICAgICAgICAgICAgLm5leHQoKTsKPiAgIAo+ICAgICAgICAgICBs ZXQgZW52OiAmUmVzdEVudmlyb25tZW50ID0gcnBjZW52Cj4gICAgICAgICAgICAgICAuYXNfYW55 KCkKPiAgICAgICAgICAgICAgIC5kb3duY2FzdF9yZWY6OjxSZXN0RW52aXJvbm1lbnQ+KCkKPiAg ICAgICAgICAgICAgIC5va19vcihmb3JtYXRfZXJyISgiZGV0ZWN0ZWQgd3JvbmcgUnBjRW52aXJv bm1lbnQgdHlwZSIpKT87Cj4gICAKPiAtICAgICAgICBsZXQgbXV0IHRpY2tldF9yZXNwb25zZSA9 IGhhbmRsZV90aWNrZXRfY3JlYXRpb24oY3JlYXRlX3BhcmFtcywgZW52KS5hd2FpdD87Cj4gKyAg ICAgICAgbGV0IG11dCB0aWNrZXRfcmVzcG9uc2UgPSBoYW5kbGVfdGlja2V0X2NyZWF0aW9uKGNy ZWF0ZV9wYXJhbXMuY2xvbmUoKSwgdHJ1ZSwgZW52KS5hd2FpdDsKPiArCj4gKyAgICAgICAgaWYg dGlja2V0X3Jlc3BvbnNlLmlzX2VycigpICYmIHBhc3N3b3JkLmlzX3NvbWUoKSB7Cj4gKyAgICAg ICAgICAgIGNyZWF0ZV9wYXJhbXMucGFzc3dvcmQgPSBwYXNzd29yZDsKPiArICAgICAgICAgICAg dGlja2V0X3Jlc3BvbnNlID0gaGFuZGxlX3RpY2tldF9jcmVhdGlvbihjcmVhdGVfcGFyYW1zLCBm YWxzZSwgZW52KS5hd2FpdDsKPiArICAgICAgICB9Cj4gKwo+ICsgICAgICAgIGxldCBtdXQgdGlj a2V0X3Jlc3BvbnNlID0gdGlja2V0X3Jlc3BvbnNlPzsKPiArCj4gICAgICAgICAgIGxldCBtdXQg cmVzcG9uc2UgPQo+ICAgICAgICAgICAgICAgUmVzcG9uc2U6OmJ1aWxkZXIoKS5oZWFkZXIoaHR0 cDo6aGVhZGVyOjpDT05URU5UX1RZUEUsICJhcHBsaWNhdGlvbi9qc29uIik7Cj4gICAKPiBAQCAt MTg1LDYgKzE5Miw3IEBAIGZuIGNyZWF0ZV90aWNrZXRfaHR0cF9vbmx5KAo+ICAgCj4gICBhc3lu YyBmbiBoYW5kbGVfdGlja2V0X2NyZWF0aW9uKAo+ICAgICAgIGNyZWF0ZV9wYXJhbXM6IENyZWF0 ZVRpY2tldCwKPiArICAgIGFsbG93X3RpY2tldF9yZWZyZXNoOiBib29sLAo+ICAgICAgIGVudjog JlJlc3RFbnZpcm9ubWVudCwKPiAgICkgLT4gUmVzdWx0PENyZWF0ZVRpY2tldFJlc3BvbnNlLCBF cnJvcj4gewo+ICAgICAgIGxldCB1c2VybmFtZSA9IGNyZWF0ZV9wYXJhbXMudXNlcm5hbWU7Cj4g QEAgLTE5OSw2ICsyMDcsNyBAQCBhc3luYyBmbiBoYW5kbGVfdGlja2V0X2NyZWF0aW9uKAo+ICAg ICAgICAgICBjcmVhdGVfcGFyYW1zLnByaXZzLAo+ICAgICAgICAgICBjcmVhdGVfcGFyYW1zLnBv cnQsCj4gICAgICAgICAgIGNyZWF0ZV9wYXJhbXMudGZhX2NoYWxsZW5nZSwKPiArICAgICAgICBh bGxvd190aWNrZXRfcmVmcmVzaCwKPiAgICAgICAgICAgZW52LAo+ICAgICAgICkKPiAgICAgICAu YXdhaXQKPiBAQCAtMjQwLDYgKzI0OSw3IEBAIGFzeW5jIGZuIGhhbmRsZV90aWNrZXRfY3JlYXRp b24oCj4gICAgICAgfQo+ICAgfQo+ICAgCj4gKyNbYWxsb3coY2xpcHB5Ojp0b29fbWFueV9hcmd1 bWVudHMpXQo+ICAgYXN5bmMgZm4gYXV0aGVudGljYXRlX3VzZXIoCj4gICAgICAgdXNlcmlkOiAm VXNlcmlkLAo+ICAgICAgIHBhc3N3b3JkOiAmc3RyLAo+IEBAIC0yNDcsNiArMjU3LDcgQEAgYXN5 bmMgZm4gYXV0aGVudGljYXRlX3VzZXIoCj4gICAgICAgcHJpdnM6IE9wdGlvbjxTdHJpbmc+LAo+ ICAgICAgIHBvcnQ6IE9wdGlvbjx1MTY+LAo+ICAgICAgIHRmYV9jaGFsbGVuZ2U6IE9wdGlvbjxT dHJpbmc+LAo+ICsgICAgYWxsb3dfdGlja2V0X3JlZnJlc2g6IGJvb2wsCj4gICAgICAgcnBjZW52 OiAmUmVzdEVudmlyb25tZW50LAo+ICAgKSAtPiBSZXN1bHQ8QXV0aFJlc3VsdCwgRXJyb3I+IHsK PiAgICAgICBsZXQgYXV0aF9jb250ZXh0ID0gYXV0aF9jb250ZXh0KCk/Owo+IEBAIC0yNjEsMjEg KzI3MiwyNCBAQCBhc3luYyBmbiBhdXRoZW50aWNhdGVfdXNlcigKPiAgICAgICAgICAgcmV0dXJu IGF1dGhlbnRpY2F0ZV8ybmQodXNlcmlkLCAmdGZhX2NoYWxsZW5nZSwgcGFzc3dvcmQpOwo+ICAg ICAgIH0KPiAgIAo+IC0gICAgaWYgcGFzc3dvcmQuc3RhcnRzX3dpdGgocHJlZml4KSAmJiBwYXNz d29yZC5hc19ieXRlcygpLmdldChwcmVmaXgubGVuKCkpLmNvcGllZCgpID09IFNvbWUoYic6JykK PiAtICAgIHsKPiAtICAgICAgICBpZiBsZXQgT2sodGlja2V0X3VzZXJpZCkgPSBUaWNrZXQ6OjxV c2VyaWQ+OjpwYXJzZShwYXNzd29yZCkKPiAtICAgICAgICAgICAgLmFuZF90aGVuKHx0aWNrZXR8 IHRpY2tldC52ZXJpZnkoYXV0aF9jb250ZXh0LmtleXJpbmcoKSwgcHJlZml4LCBOb25lKSkKPiAr ICAgIGlmIGFsbG93X3RpY2tldF9yZWZyZXNoIHsKPiArICAgICAgICBpZiBwYXNzd29yZC5zdGFy dHNfd2l0aChwcmVmaXgpCj4gKyAgICAgICAgICAgICYmIHBhc3N3b3JkLmFzX2J5dGVzKCkuZ2V0 KHByZWZpeC5sZW4oKSkuY29waWVkKCkgPT0gU29tZShiJzonKQo+ICAgICAgICAgICB7Cj4gLSAg ICAgICAgICAgIGlmICp1c2VyaWQgPT0gdGlja2V0X3VzZXJpZCB7Cj4gLSAgICAgICAgICAgICAg ICByZXR1cm4gT2soQXV0aFJlc3VsdDo6Q3JlYXRlVGlja2V0KTsKPiArICAgICAgICAgICAgaWYg bGV0IE9rKHRpY2tldF91c2VyaWQpID0gVGlja2V0Ojo8VXNlcmlkPjo6cGFyc2UocGFzc3dvcmQp Cj4gKyAgICAgICAgICAgICAgICAuYW5kX3RoZW4ofHRpY2tldHwgdGlja2V0LnZlcmlmeShhdXRo X2NvbnRleHQua2V5cmluZygpLCBwcmVmaXgsIE5vbmUpKQo+ICsgICAgICAgICAgICB7Cj4gKyAg ICAgICAgICAgICAgICBpZiAqdXNlcmlkID09IHRpY2tldF91c2VyaWQgewo+ICsgICAgICAgICAg ICAgICAgICAgIHJldHVybiBPayhBdXRoUmVzdWx0OjpDcmVhdGVUaWNrZXQpOwo+ICsgICAgICAg ICAgICAgICAgfQo+ICsgICAgICAgICAgICAgICAgYmFpbCEoInRpY2tldCBsb2dpbiBmYWlsZWQg LSB3cm9uZyB1c2VyaWQiKTsKPiArICAgICAgICAgICAgfQo+ICsgICAgICAgIH0gZWxzZSBpZiBs ZXQgU29tZSgoKHBhdGgsIHByaXZzKSwgcG9ydCkpID0gcGF0aC56aXAocHJpdnMpLnppcChwb3J0 KSB7Cj4gKyAgICAgICAgICAgIG1hdGNoIGF1dGhfY29udGV4dC5jaGVja19wYXRoX3RpY2tldCh1 c2VyaWQsIHBhc3N3b3JkLCBwYXRoLCBwcml2cywgcG9ydCk/IHsKPiArICAgICAgICAgICAgICAg IE5vbmUgPT4gKCksIC8vIG5vIHBhdGggYmFzZWQgdGlja2V0cyBzdXBwb3J0ZWQsIGp1c3QgZmFs bCB0aHJvdWdoLgo+ICsgICAgICAgICAgICAgICAgU29tZSh0cnVlKSA9PiByZXR1cm4gT2soQXV0 aFJlc3VsdDo6U3VjY2VzcyksCj4gKyAgICAgICAgICAgICAgICBTb21lKGZhbHNlKSA9PiBiYWls ISgiTm8gc3VjaCBwcml2aWxlZ2UiKSwKPiAgICAgICAgICAgICAgIH0KPiAtICAgICAgICAgICAg YmFpbCEoInRpY2tldCBsb2dpbiBmYWlsZWQgLSB3cm9uZyB1c2VyaWQiKTsKPiAtICAgICAgICB9 Cj4gLSAgICB9IGVsc2UgaWYgbGV0IFNvbWUoKChwYXRoLCBwcml2cyksIHBvcnQpKSA9IHBhdGgu emlwKHByaXZzKS56aXAocG9ydCkgewo+IC0gICAgICAgIG1hdGNoIGF1dGhfY29udGV4dC5jaGVj a19wYXRoX3RpY2tldCh1c2VyaWQsIHBhc3N3b3JkLCBwYXRoLCBwcml2cywgcG9ydCk/IHsKPiAt ICAgICAgICAgICAgTm9uZSA9PiAoKSwgLy8gbm8gcGF0aCBiYXNlZCB0aWNrZXRzIHN1cHBvcnRl ZCwganVzdCBmYWxsIHRocm91Z2guCj4gLSAgICAgICAgICAgIFNvbWUodHJ1ZSkgPT4gcmV0dXJu IE9rKEF1dGhSZXN1bHQ6OlN1Y2Nlc3MpLAo+IC0gICAgICAgICAgICBTb21lKGZhbHNlKSA9PiBi YWlsISgiTm8gc3VjaCBwcml2aWxlZ2UiKSwKPiAgICAgICAgICAgfQo+ICAgICAgIH0KPiAgIAo+ IGRpZmYgLS1naXQgYS9wcm94bW94LWF1dGgtYXBpL3NyYy90eXBlcy5ycyBiL3Byb3htb3gtYXV0 aC1hcGkvc3JjL3R5cGVzLnJzCj4gaW5kZXggMDk2NGUwNzIuLjliZGU2NjFjIDEwMDY0NAo+IC0t LSBhL3Byb3htb3gtYXV0aC1hcGkvc3JjL3R5cGVzLnJzCj4gKysrIGIvcHJveG1veC1hdXRoLWFw aS9zcmMvdHlwZXMucnMKPiBAQCAtNjc4LDcgKzY3OCw3IEBAIGltcGwgVHJ5RnJvbTxTdHJpbmc+ IGZvciBBdXRoaWQgewo+ICAgCj4gICAjW2FwaV0KPiAgIC8vLyBUaGUgcGFyYW1ldGVyIG9iamVj dCBmb3IgY3JlYXRpbmcgbmV3IHRpY2tldC4KPiAtI1tkZXJpdmUoRGVidWcsIERlc2VyaWFsaXpl LCBTZXJpYWxpemUpXQo+ICsjW2Rlcml2ZShEZWJ1ZywgQ2xvbmUsIERlc2VyaWFsaXplLCBTZXJp YWxpemUpXQo+ICAgcHViIHN0cnVjdCBDcmVhdGVUaWNrZXQgewo+ICAgICAgIC8vLyBVc2VyIG5h bWUKPiAgICAgICBwdWIgdXNlcm5hbWU6IFVzZXJpZCwKCgoKX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX18KcGJzLWRldmVsIG1haWxpbmcgbGlzdApwYnMtZGV2 ZWxAbGlzdHMucHJveG1veC5jb20KaHR0cHM6Ly9saXN0cy5wcm94bW94LmNvbS9jZ2ktYmluL21h aWxtYW4vbGlzdGluZm8vcGJzLWRldmVsCg==