From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 1/3] api: access: add opt-in http only ticket authentication flow
Date: Thu, 10 Jul 2025 15:50:08 +0200
Message-ID: <20250710135010.305861-3-s.sterz@proxmox.com>
In-Reply-To: <20250710135010.305861-1-s.sterz@proxmox.com>
This new flow returns http only cookies, providing an additional layer
of security for clients operating in a browser environment. Opt-in
only to not break existing clients.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/api2/access/mod.rs | 77 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 73 insertions(+), 4 deletions(-)
diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index 832cdc66..b61b596e 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -2,14 +2,23 @@
use anyhow::{bail, format_err, Error};
-use serde_json::Value;
+use hyper::header::CONTENT_TYPE;
+use hyper::http::request::Parts;
+use hyper::Response;
+use serde_json::{json, Value};
+
use std::collections::HashMap;
use std::collections::HashSet;
+use proxmox_auth_api::api::API_METHOD_CREATE_TICKET_HTTP_ONLY;
+use proxmox_auth_api::types::{CreateTicket, CreateTicketResponse};
use proxmox_router::{
- http_bail, http_err, list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap,
+ http_bail, http_err, list_subdirs_api_method, ApiHandler, ApiMethod, ApiResponseFuture,
+ Permission, Router, RpcEnvironment, SubdirMap,
+};
+use proxmox_schema::{
+ api, AllOfSchema, ApiType, BooleanSchema, ObjectSchema, ParameterSchema, ReturnType,
};
-use proxmox_schema::api;
use proxmox_sortable_macro::sortable;
use pbs_api_types::{
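Review bot: `ApiHandler` is imported from `proxmox_router` here, yet the new `API_METHOD_CREATE_TICKET_TOGGLE` definition below still spells out `proxmox_router::ApiHandler::AsyncHttpBodyParameters` while `handle_ticket_toggle` matches on the bare `ApiHandler::AsyncHttpBodyParameters`; use the imported name in both places so the two sites read the same.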
@@ -268,7 +277,9 @@ const SUBDIRS: SubdirMap = &sorted!([
),
(
"ticket",
- &Router::new().post(&proxmox_auth_api::api::API_METHOD_CREATE_TICKET)
+ &Router::new()
+ .post(&API_METHOD_CREATE_TICKET_TOGGLE)
+ .delete(&proxmox_auth_api::api::API_METHOD_LOGOUT)
),
("openid", &openid::ROUTER),
("domains", &domain::ROUTER),
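Review bot: the new `.delete(&proxmox_auth_api::api::API_METHOD_LOGOUT)` route is behaviour the commit message does not mention. Since a browser client cannot clear an HttpOnly cookie from JavaScript, a server-side logout endpoint is what makes the opt-in flow usable end to end, so state in the message (or split into its own commit) that `DELETE` on `access/ticket` is being introduced on purpose and what it does.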
@@ -277,6 +288,64 @@ const SUBDIRS: SubdirMap = &sorted!([
("tfa", &tfa::ROUTER),
]);
+const API_METHOD_CREATE_TICKET_TOGGLE: ApiMethod = ApiMethod::new_full(
+ &proxmox_router::ApiHandler::AsyncHttpBodyParameters(&handle_ticket_toggle),
+ ParameterSchema::AllOf(&AllOfSchema::new(
+ "Either create a new HttpOnly ticket or a regular ticket.",
+ &[
+ &ObjectSchema::new(
+ "<INNER: Toggle between http only or legacy ticket endpoints.>",
+ &[(
+ "http-only",
+ true,
+ &BooleanSchema::new(
+ "Whether the http only authentication flow should be used.",
+ )
+ .default(false)
+ .schema(),
+ )],
+ )
+ .schema(),
+ &CreateTicket::API_SCHEMA,
+ ],
+ )),
+)
+.returns(ReturnType::new(false, &CreateTicketResponse::API_SCHEMA))
+.protected(true)
+.access(None, &Permission::World);
+
+fn handle_ticket_toggle(
+ parts: Parts,
+ mut param: Value,
+ info: &'static ApiMethod,
+ mut rpcenv: Box<dyn RpcEnvironment>,
+) -> ApiResponseFuture {
+ // If the client specifies that they want to use http only cookies, prefer those.
+ if Some(true) == param["http-only"].take().as_bool() {
+ if let ApiHandler::AsyncHttpBodyParameters(handler) =
+ API_METHOD_CREATE_TICKET_HTTP_ONLY.handler
+ {
+ return handler(parts, param, info, rpcenv);
+ }
+ }
+
+ // Otherwise, default back to the previous ticket method.
+ Box::pin(async move {
+ let create_params: CreateTicket = serde_json::from_value(param)?;
+
+ let ticket_response =
+ proxmox_auth_api::api::create_ticket(create_params, rpcenv.as_mut()).await?;
+
+ let response = Response::builder().header(CONTENT_TYPE, "application/json");
+
+ Ok(response.body(
+ json!({"data": ticket_response, "status": 200, "success": true })
+ .to_string()
+ .into(),
+ )?)
+ })
+}
+
pub const ROUTER: Router = Router::new()
.get(&list_subdirs_api_method!(SUBDIRS))
.subdirs(SUBDIRS);
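Review bot: in `handle_ticket_toggle`, when `http-only` is `true` but `API_METHOD_CREATE_TICKET_HTTP_ONLY.handler` is not the `AsyncHttpBodyParameters` variant, the `if let` falls through and a client that explicitly opted in silently gets a legacy ticket in the response body instead of an HttpOnly cookie; return an error there (`http_bail!` is already imported) so an opt-in is never downgraded without the client noticing. Two smaller points: `param["http-only"].take()` leaves a `"http-only": null` entry in `param` that is then forwarded to both handlers, so remove the key instead, e.g. `param.as_object_mut().and_then(|o| o.remove("http-only"))`, which also keeps `serde_json::from_value::<CreateTicket>` on the legacy path from seeing an unexpected field; and the fallback branch builds the `{"data", "status", "success"}` envelope by hand, so please add a short comment explaining why it cannot delegate to the previous `API_METHOD_CREATE_TICKET` handler the same way the http-only branch delegates.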
--
2.39.5