From: Dominik Csapak <d.csapak@proxmox.com>
To: Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>,
	Shannon Sterz <s.sterz@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox 1/3] rest-server: remove auth cookies via http header on unauthorized request
Date: Fri, 25 Jul 2025 14:15:04 +0200
Message-ID: <0b460887-b9aa-48b2-b3b8-03b0e33b5f34@proxmox.com>
In-Reply-To: <20250725112357.247866-2-s.sterz@proxmox.com>

Looks good to me.

Tested by invalidating my cookie and sending any http request that 
returns a 401 subsequently.
That successfully deleted my http-only cookie.


Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
Tested-by: Dominik Csapak <d.csapak@proxmox.com>

On 7/25/25 13:24, Shannon Sterz wrote:
> previously the behaviour of our javascript clients was to remove
> authentication cookies if the api returned a 401 UNAUTHORIZED
> response. with the switch to httponly cookies, this is no longer
> possible. add an option to the ApiConfig to allow the rest-server to
> remove such cookies
> 
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>   proxmox-rest-server/src/api_config.rs |  9 +++++++++
>   proxmox-rest-server/src/rest.rs       | 25 ++++++++++++++++++++++++-
>   2 files changed, 33 insertions(+), 1 deletion(-)
> 
> diff --git a/proxmox-rest-server/src/api_config.rs b/proxmox-rest-server/src/api_config.rs
> index 0b847a0c..0a67231e 100644
> --- a/proxmox-rest-server/src/api_config.rs
> +++ b/proxmox-rest-server/src/api_config.rs
> @@ -33,6 +33,9 @@ pub struct ApiConfig {
>       auth_handler: Option<AuthHandler>,
>       index_handler: Option<IndexHandler>,
>       pub(crate) privileged_addr: Option<PrivilegedAddr>,
> +    // Name of the auth cookie that should be unset on 401 request. If `None` no cookie will be
> +    // removed.
> +    pub(crate) auth_cookie_name: Option<String>,
>   
>       #[cfg(feature = "templates")]
>       templates: templates::Templates,
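
Review bot: the comment on the new `auth_cookie_name` field uses `//` instead of `///`, so it will not show up in rustdoc, and it says "on 401 request" where the cookie is unset on a 401 response. Suggest `/// Name of the auth cookie that should be unset on a 401 response. If `None`, no cookie is removed.`
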
> @@ -62,6 +65,7 @@ impl ApiConfig {
>               auth_handler: None,
>               index_handler: None,
>               privileged_addr: None,
> +            auth_cookie_name: None,
>   
>               #[cfg(feature = "templates")]
>               templates: templates::Templates::with_escape_fn(),
> @@ -82,6 +86,11 @@ impl ApiConfig {
>           self.auth_handler(AuthHandler::from_fn(func))
>       }
>   
> +    pub fn auth_cookie_name(mut self, auth_cookie_name: String) -> Self {
> +        self.auth_cookie_name = Some(auth_cookie_name);
> +        self
> +    }
> +
>       /// This is used for `protected` API calls to proxy to a more privileged service.
>       pub fn privileged_addr(mut self, addr: impl Into<PrivilegedAddr>) -> Self {
>           self.privileged_addr = Some(addr.into());
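
Review bot: the new public builder `auth_cookie_name` has no doc comment, while `privileged_addr` directly below it has one, and it stores the name without any validation. rest.rs in this same patch calls `.expect(...)` on a header value built from this string, so checking here that the name is valid in an HTTP header (or storing a pre-built `HeaderValue`) would surface a misconfiguration at setup time instead of as a panic in the request path. Taking `impl Into<String>` would also match the style of `privileged_addr(mut self, addr: impl Into<PrivilegedAddr>)`.
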
> diff --git a/proxmox-rest-server/src/rest.rs b/proxmox-rest-server/src/rest.rs
> index bff90882..035a9537 100644
> --- a/proxmox-rest-server/src/rest.rs
> +++ b/proxmox-rest-server/src/rest.rs
> @@ -357,8 +357,21 @@ impl Service<Request<Incoming>> for ApiService {
>               Some(proxied_peer) => proxied_peer,
>               None => self.peer,
>           };
> +
> +        let header = self.api_config
> +            .auth_cookie_name
> +            .as_ref()
> +            .map(|name|{
> +                let host_cookie = format!("{name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Lax; HttpOnly; Path=/;");
> +
> +                // SAFETY: this can only fail if the cookie name is not valid in http headers.
> +                // since this is about an authentication cookie, this should never happen.
> +                hyper::header::HeaderValue::from_str(&host_cookie)
> +                    .expect("auth cookie name has characters that are not valid for http headers")
> +             });
> +
>           async move {
> -            let response = match Arc::clone(&config).handle_request(req, &peer).await {
> +            let mut response = match Arc::clone(&config).handle_request(req, &peer).await {
>                   Ok(response) => response,
>                   Err(err) => {
>                       let (err, code) = match err.downcast_ref::<HttpError>() {
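
Review bot: the `format!` and `HeaderValue::from_str(...).expect(...)` inside the `.map(|name|{ ... })` closure run on every call, before the request is handled and whether or not the response turns out to be a 401, and a cookie name that is not valid in a header panics at that point. Building the header value once when the config is set up would avoid both the per-request allocation and the panic in the service path. Smaller points: `// SAFETY:` is conventionally used to justify `unsafe` blocks, so a plain comment fits better here; the variable name `host_cookie` does not say what "host" refers to; and the long `format!` line and `.map(|name|{` do not look rustfmt-clean.
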
> @@ -371,6 +384,16 @@ impl Service<Request<Incoming>> for ApiService {
>                           .body(err.into())?
>                   }
>               };
> +
> +            if let Some(cookie_header) = header {
> +                // remove auth cookies that javascript based clients can not unset
> +                if response.status() == StatusCode::UNAUTHORIZED {
> +                    response
> +                        .headers_mut()
> +                        .insert(hyper::header::SET_COOKIE, cookie_header);
> +                }
> +            }
> +
>               let logger = config.get_access_log();
>               log_response(logger, &peer, method, &path, &response, user_agent);
>               Ok(response)
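
Review bot: `.insert(hyper::header::SET_COOKIE, cookie_header)` replaces any `Set-Cookie` header that is already on the 401 response, so a cookie set by the handler would be dropped silently. Using `append` keeps existing values and still adds the expiry cookie. The nested `if let Some(cookie_header) = header` / `if response.status() == StatusCode::UNAUTHORIZED` could also be flattened by checking the status first.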


