From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs
Date: Wed, 23 Jul 2025 17:15:54 +0200 [thread overview]
Message-ID: <DBJJ7XHU1N4D.2Y4F2F87V8VFR@proxmox.com> (raw)
In-Reply-To: <20250710135010.305861-1-s.sterz@proxmox.com>
Superseeded-by: https://lore.proxmox.com/pbs-devel/20250723151356.264229-3-s.sterz@proxmox.com/T/#u
On Thu Jul 10, 2025 at 3:50 PM CEST, Shannon Sterz wrote:
> # Summary
>
> this series adds an authentication flow based on http only cookies for
> proxmox backup server. at the moment this authentication flow is opt-in
> in order to not break older clients that may still rely on the previous
> authentication flow.
>
> this series is split into three parts:
>
> 1. prepare proxmox-auth-api to be used with extjs and implements a new
> ticket endpoint for pbs. this endpoint requires clients to provide a
> boolean parameter `http-only` as `true` for it to switch to the new
> http-only based authentication flow.
> 2. adapt proxmox backup server's ui components to always use the http
> only based authentication flow. this should make cookies
> inaccessible to any javascript-based attack in the browser,
> providing an extra layer of security.
> 3. prepare pbs-client for potential servers that may no longer provide
> the previous authentication flow. the point of already adding this
> now, is to be prepare update-hesitant users for a future without the
> old authentication flow. if the old authentication flow is dropped in
> the future, more users will already have a client version that can
> adapt to the new flow.
>
> # Why not opt the `pbs-client` into the new flow?
>
> the client is deliberatelly not opted into the new authentication flow
> for the following reasons:
>
> - http only cookies are only an effective security mechanism within a
> browser context. the client simply does not benefit from this extra
> layer of protection. the attacks http only cookies protect against,
> simply don't exist here.
> - opting the client in unconditionally isn't possible. older pbs servers
> would complain about the additional api parameters provided by the
> client. this means:
>
> + the client would either need to try the http-only flow and once
> that fails, fall back to the older authentication flow.
> + or query (and possibly cache) the server version and check if the
> version is new enough to support the new authentication flow.
>
> both approaches are more error-prone and produce additional network
> overhead than simply not opting the client into the new flow. causing
> api errors may also produce a lot of false warnings when monitoring pbs.
> so there are no benefits, but potential downsides. hence, the client
> will not yet be opted into the new authentication flow.
>
> proxmox:
>
> Shannon Sterz (1):
> auth-api: include meta information required by extjs in api endpoints
>
> proxmox-auth-api/src/api/access.rs | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
>
> proxmox-backup:
>
> Shannon Sterz (3):
> api: access: add opt-in http only ticket authentication flow
> ui: opt into the new http-only ticket authentication flow
> client: adapt pbs client to also handle http-only flows correctly
>
> pbs-client/src/http_client.rs | 70 ++++++++++++++++++++++++++++---
> src/api2/access/mod.rs | 77 +++++++++++++++++++++++++++++++++--
> www/Application.js | 12 +++++-
> www/LoginView.js | 4 +-
> www/MainView.js | 1 +
> www/Utils.js | 6 +++
> 6 files changed, 159 insertions(+), 11 deletions(-)
>
>
> Summary over all repositories:
> 7 files changed, 169 insertions(+), 14 deletions(-)
>
> --
> Generated by git-murpp 0.8.1
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
prev parent reply other threads:[~2025-07-23 15:15 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-10 13:50 Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
2025-07-15 22:40 ` Thomas Lamprecht
[not found] ` <DBDBXGTI71WP.3V2J3DEMNK1DL@proxmox.com>
2025-07-22 20:21 ` Thomas Lamprecht
2025-07-23 15:18 ` Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: access: add opt-in http only ticket authentication flow Shannon Sterz
2025-07-23 12:57 ` Mira Limbeck
2025-07-23 13:58 ` Maximiliano Sandoval
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: opt into the new http-only " Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 3/3] client: adapt pbs client to also handle http-only flows correctly Shannon Sterz
2025-07-23 12:56 ` [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs Mira Limbeck
2025-07-23 14:05 ` Maximiliano Sandoval
2025-07-23 15:15 ` Shannon Sterz [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DBJJ7XHU1N4D.2Y4F2F87V8VFR@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.