all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only
@ 2025-08-22 11:17 Shannon Sterz
  2025-08-25  9:03 ` Wolfgang Bumiller
  2025-08-25 11:13 ` [pbs-devel] applied: " Wolfgang Bumiller
  0 siblings, 2 replies; 3+ messages in thread
From: Shannon Sterz @ 2025-08-22 11:17 UTC (permalink / raw)
  To: pbs-devel

this was previously possible but was accidentally removed when
introducing the fall back logic for failed cookie authentication.

Reported-by: Lukas Wagner <l.wagner@proxmox.com>
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-auth-api/src/api/access.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 490fe5c8..76feb698 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -121,7 +121,7 @@ fn create_ticket_http_only(
         let auth_context = auth_context()?;
         let host_cookie = auth_context.prefixed_auth_cookie_name();
         let mut create_params: CreateTicket = serde_json::from_value(param)?;
-        let password = create_params.password.take();
+        let mut password = create_params.password.take();
 
         // previously to refresh a ticket, the old ticket was provided as a password via this
         // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
@@ -140,7 +140,9 @@ fn create_ticket_http_only(
             // after this only `__Host-{Cookie Name}` cookies are in the iterator
             .filter_map(|c| extract_cookie(c, host_cookie))
             // so this should just give us the first one if it exists
-            .next();
+            .next()
+            // if nothing was provided via the cookie, fall back to the requests body again
+            .or_else(|| password.take());
 
         let env: &RestEnvironment = rpcenv
             .as_any()
@@ -149,6 +151,9 @@ fn create_ticket_http_only(
 
         let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
 
+        // if authentication failed via the cookie parameter, try the password from the body here.
+        // don't allow ticket refresh, though. this should only be done via the cookie if the
+        // client uses cookies for tickets.
         if ticket_response.is_err() && password.is_some() {
             create_params.password = password;
             ticket_response = handle_ticket_creation(create_params, false, env).await;
-- 
2.47.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only
  2025-08-22 11:17 [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only Shannon Sterz
@ 2025-08-25  9:03 ` Wolfgang Bumiller
  2025-08-25 11:13 ` [pbs-devel] applied: " Wolfgang Bumiller
  1 sibling, 0 replies; 3+ messages in thread
From: Wolfgang Bumiller @ 2025-08-25  9:03 UTC (permalink / raw)
  To: Shannon Sterz; +Cc: pbs-devel

On Fri, Aug 22, 2025 at 01:17:49PM +0200, Shannon Sterz wrote:
> this was previously possible but was accidentally removed when
> introducing the fall back logic for failed cookie authentication.
> 
> Reported-by: Lukas Wagner <l.wagner@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>  proxmox-auth-api/src/api/access.rs | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
> index 490fe5c8..76feb698 100644
> --- a/proxmox-auth-api/src/api/access.rs
> +++ b/proxmox-auth-api/src/api/access.rs
> @@ -121,7 +121,7 @@ fn create_ticket_http_only(
>          let auth_context = auth_context()?;
>          let host_cookie = auth_context.prefixed_auth_cookie_name();
>          let mut create_params: CreateTicket = serde_json::from_value(param)?;
> -        let password = create_params.password.take();
> +        let mut password = create_params.password.take();
>  
>          // previously to refresh a ticket, the old ticket was provided as a password via this
>          // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
> @@ -140,7 +140,9 @@ fn create_ticket_http_only(
>              // after this only `__Host-{Cookie Name}` cookies are in the iterator
>              .filter_map(|c| extract_cookie(c, host_cookie))
>              // so this should just give us the first one if it exists
> -            .next();
> +            .next()
> +            // if nothing was provided via the cookie, fall back to the requests body again
> +            .or_else(|| password.take());
>  
>          let env: &RestEnvironment = rpcenv
>              .as_any()
> @@ -149,6 +151,9 @@ fn create_ticket_http_only(
>  
>          let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
>  
> +        // if authentication failed via the cookie parameter, try the password from the body here.
> +        // don't allow ticket refresh, though. this should only be done via the cookie if the
> +        // client uses cookies for tickets.

^ Why though, and how is it enforced? If there was no cookie, the
parameter ended up back in the create_params by way of hte `.or_else()`?

>          if ticket_response.is_err() && password.is_some() {
>              create_params.password = password;
>              ticket_response = handle_ticket_creation(create_params, false, env).await;
> -- 
> 2.47.2


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [pbs-devel] applied: [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only
  2025-08-22 11:17 [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only Shannon Sterz
  2025-08-25  9:03 ` Wolfgang Bumiller
@ 2025-08-25 11:13 ` Wolfgang Bumiller
  1 sibling, 0 replies; 3+ messages in thread
From: Wolfgang Bumiller @ 2025-08-25 11:13 UTC (permalink / raw)
  To: Shannon Sterz; +Cc: pbs-devel

applied, thanks

On Fri, Aug 22, 2025 at 01:17:49PM +0200, Shannon Sterz wrote:
> this was previously possible but was accidentally removed when
> introducing the fall back logic for failed cookie authentication.
> 
> Reported-by: Lukas Wagner <l.wagner@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>  proxmox-auth-api/src/api/access.rs | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
> index 490fe5c8..76feb698 100644
> --- a/proxmox-auth-api/src/api/access.rs
> +++ b/proxmox-auth-api/src/api/access.rs
> @@ -121,7 +121,7 @@ fn create_ticket_http_only(
>          let auth_context = auth_context()?;
>          let host_cookie = auth_context.prefixed_auth_cookie_name();
>          let mut create_params: CreateTicket = serde_json::from_value(param)?;
> -        let password = create_params.password.take();
> +        let mut password = create_params.password.take();
>  
>          // previously to refresh a ticket, the old ticket was provided as a password via this
>          // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
> @@ -140,7 +140,9 @@ fn create_ticket_http_only(
>              // after this only `__Host-{Cookie Name}` cookies are in the iterator
>              .filter_map(|c| extract_cookie(c, host_cookie))
>              // so this should just give us the first one if it exists
> -            .next();
> +            .next()
> +            // if nothing was provided via the cookie, fall back to the requests body again
> +            .or_else(|| password.take());
>  
>          let env: &RestEnvironment = rpcenv
>              .as_any()
> @@ -149,6 +151,9 @@ fn create_ticket_http_only(
>  
>          let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
>  
> +        // if authentication failed via the cookie parameter, try the password from the body here.
> +        // don't allow ticket refresh, though. this should only be done via the cookie if the
> +        // client uses cookies for tickets.
>          if ticket_response.is_err() && password.is_some() {
>              create_params.password = password;
>              ticket_response = handle_ticket_creation(create_params, false, env).await;
> -- 
> 2.47.2


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-08-25 11:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-08-22 11:17 [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only Shannon Sterz
2025-08-25  9:03 ` Wolfgang Bumiller
2025-08-25 11:13 ` [pbs-devel] applied: " Wolfgang Bumiller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal