Re: [pbs-devel] [PATCH proxmox-backup 1/1] api/proxy: set auth cookie name in rest server api config

[Dominik Csapak <d.csapak@proxmox.com>]

LGTM

Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
Tested-by: Dominik Csapak <d.csapak@proxmox.com>

On 7/25/25 13:24, Shannon Sterz wrote:
> set the name of the auth cookie when configuring apis to allow the
> rest server to remove invalid tickets on 401 requests.
> 
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>   src/auth.rs                     | 10 +++++++++-
>   src/auth_helpers.rs             |  1 +
>   src/bin/proxmox-backup-api.rs   |  1 +
>   src/bin/proxmox-backup-proxy.rs |  1 +
>   4 files changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/src/auth.rs b/src/auth.rs
> index 86b12a76..ac24c8ca 100644
> --- a/src/auth.rs
> +++ b/src/auth.rs
> @@ -13,7 +13,7 @@ use pbs_config::open_backup_lockfile;
>   use proxmox_router::http_bail;
>   use serde_json::json;
>   
> -use proxmox_auth_api::api::{Authenticator, LockedTfaConfig};
> +use proxmox_auth_api::api::{AuthContext, Authenticator, LockedTfaConfig};
>   use proxmox_auth_api::ticket::{Empty, Ticket};
>   use proxmox_auth_api::types::Authid;
>   use proxmox_auth_api::{HMACKey, Keyring};
> @@ -377,6 +377,14 @@ pub fn setup_auth_context(use_private_key: bool) {
>       proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
>   }
>   
> +pub fn get_auth_cookie_name() -> String {
> +    AUTH_CONTEXT
> +        .get()
> +        .expect("auth context needs to be set before accessing the auth cookie name")
> +        .prefixed_auth_cookie_name()
> +        .to_string()
> +}
> +
>   pub(crate) fn private_auth_keyring() -> &'static Keyring {
>       &PRIVATE_KEYRING
>   }
> diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
> index 65e36308..fdd8d663 100644
> --- a/src/auth_helpers.rs
> +++ b/src/auth_helpers.rs
> @@ -10,6 +10,7 @@ use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};
>   use pbs_buildcfg::configdir;
>   use serde_json::json;
>   
> +pub use crate::auth::get_auth_cookie_name;
>   pub use crate::auth::setup_auth_context;
>   pub use proxmox_auth_api::api::assemble_csrf_prevention_token;
>   
> diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs
> index 3d80b023..74528236 100644
> --- a/src/bin/proxmox-backup-api.rs
> +++ b/src/bin/proxmox-backup-api.rs
> @@ -88,6 +88,7 @@ async fn run() -> Result<(), Error> {
>       let config = ApiConfig::new(pbs_buildcfg::JS_DIR, RpcEnvironmentType::PRIVILEGED)
>           .index_handler_func(|_, _| get_index())
>           .auth_handler_func(|h, m| Box::pin(check_pbs_auth(h, m)))
> +        .auth_cookie_name(proxmox_backup::auth_helpers::get_auth_cookie_name())
>           .default_api2_handler(&proxmox_backup::api2::ROUTER)
>           .enable_access_log(
>               pbs_buildcfg::API_ACCESS_LOG_FN,
> diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
> index 694c2463..4641fed1 100644
> --- a/src/bin/proxmox-backup-proxy.rs
> +++ b/src/bin/proxmox-backup-proxy.rs
> @@ -195,6 +195,7 @@ async fn run() -> Result<(), Error> {
>       let mut config = ApiConfig::new(pbs_buildcfg::JS_DIR, RpcEnvironmentType::PUBLIC)
>           .index_handler_func(|e, p| Box::pin(get_index_future(e, p)))
>           .auth_handler_func(|h, m| Box::pin(check_pbs_auth(h, m)))
> +        .auth_cookie_name(proxmox_backup::auth_helpers::get_auth_cookie_name())
>           .register_template("index", &indexpath)?
>           .register_template("console", "/usr/share/pve-xtermjs/index.html.hbs")?
>           .default_api2_handler(&proxmox_backup::api2::ROUTER)



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel