From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Shannon Sterz <s.sterz@proxmox.com>
Cc: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] applied: [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only
Date: Mon, 25 Aug 2025 13:13:17 +0200 [thread overview]
Message-ID: <lnarysx6eho7zfsgo3eojsms2zlgqrpxteaqcx5vgvnqhojqdk@tq7cpyvjikdx> (raw)
In-Reply-To: <20250822111748.259591-2-s.sterz@proxmox.com>
applied, thanks
On Fri, Aug 22, 2025 at 01:17:49PM +0200, Shannon Sterz wrote:
> this was previously possible but was accidentally removed when
> introducing the fall back logic for failed cookie authentication.
>
> Reported-by: Lukas Wagner <l.wagner@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
> proxmox-auth-api/src/api/access.rs | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
> index 490fe5c8..76feb698 100644
> --- a/proxmox-auth-api/src/api/access.rs
> +++ b/proxmox-auth-api/src/api/access.rs
> @@ -121,7 +121,7 @@ fn create_ticket_http_only(
> let auth_context = auth_context()?;
> let host_cookie = auth_context.prefixed_auth_cookie_name();
> let mut create_params: CreateTicket = serde_json::from_value(param)?;
> - let password = create_params.password.take();
> + let mut password = create_params.password.take();
>
> // previously to refresh a ticket, the old ticket was provided as a password via this
> // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
> @@ -140,7 +140,9 @@ fn create_ticket_http_only(
> // after this only `__Host-{Cookie Name}` cookies are in the iterator
> .filter_map(|c| extract_cookie(c, host_cookie))
> // so this should just give us the first one if it exists
> - .next();
> + .next()
> + // if nothing was provided via the cookie, fall back to the requests body again
> + .or_else(|| password.take());
>
> let env: &RestEnvironment = rpcenv
> .as_any()
> @@ -149,6 +151,9 @@ fn create_ticket_http_only(
>
> let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
>
> + // if authentication failed via the cookie parameter, try the password from the body here.
> + // don't allow ticket refresh, though. this should only be done via the cookie if the
> + // client uses cookies for tickets.
> if ticket_response.is_err() && password.is_some() {
> create_params.password = password;
> ticket_response = handle_ticket_creation(create_params, false, env).await;
> --
> 2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
prev parent reply other threads:[~2025-08-25 11:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-22 11:17 [pbs-devel] " Shannon Sterz
2025-08-25 9:03 ` Wolfgang Bumiller
2025-08-25 11:13 ` Wolfgang Bumiller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lnarysx6eho7zfsgo3eojsms2zlgqrpxteaqcx5vgvnqhojqdk@tq7cpyvjikdx \
--to=w.bumiller@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.