public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup v2 2/3] ui: opt into the new HttpOnly ticket authentication flow
Date: Wed, 23 Jul 2025 17:14:00 +0200	[thread overview]
Message-ID: <20250723151356.264229-9-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250723151356.264229-3-s.sterz@proxmox.com>

this should add additional protections for cookie stealing and xss
attacks. it also makes it harder to overwrite the cookie from
malicious subdomains.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
changes since v1:

- minor lint fix-up where a trailing "," was missing in the second
  proxmox-backup patch
- consistently use "HttpOnly" instead of switching between "http only",
  "http-only" and "HttpOnly" in comments and user facing documentation,
  thanks @ Mira Limbeck

 www/Application.js | 12 +++++++++++-
 www/LoginView.js   |  4 +++-
 www/MainView.js    |  1 +
 www/Utils.js       |  6 ++++++
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/www/Application.js b/www/Application.js
index 9e223522..e82ccdd0 100644
--- a/www/Application.js
+++ b/www/Application.js
@@ -18,7 +18,17 @@ Ext.define('PBS.Application', {
     logout: function () {
         var me = this;
         Proxmox.Utils.authClear();
-        me.changeView('loginview', true);
+        Proxmox.Utils.API2Request({
+            url: '/api2/extjs/access/ticket',
+            method: 'DELETE',
+            success: function () {
+                me.changeView('loginview', true);
+            },
+            failure: function ({ response }) {
+                // logout failed
+                console.error('could not log out', response);
+            },
+        });
     },

     changeView: function (view, skipCheck) {
diff --git a/www/LoginView.js b/www/LoginView.js
index a7764e5b..9c1ac38a 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -86,6 +86,8 @@ Ext.define('PBS.LoginView', {
             }
             sp.set(saveunField.getStateId(), saveunField.getValue());

+            creds['http-only'] = true;
+
             try {
                 let resp = await Proxmox.Async.api2({
                     url: '/api2/extjs/access/ticket',
@@ -94,7 +96,7 @@ Ext.define('PBS.LoginView', {
                 });

                 let data = resp.result.data;
-                if (data.ticket.startsWith('PBS:!tfa!')) {
+                if (data.ticket?.startsWith('PBS:!tfa!')) {
                     data = await me.performTFAChallenge(data);
                 }

diff --git a/www/MainView.js b/www/MainView.js
index b5ae3605..70adfbce 100644
--- a/www/MainView.js
+++ b/www/MainView.js
@@ -172,6 +172,7 @@ Ext.define('PBS.MainView', {
                         params: {
                             username: Proxmox.UserName,
                             password: ticket,
+                            'http-only': true,
                         },
                         url: '/api2/json/access/ticket',
                         method: 'POST',
diff --git a/www/Utils.js b/www/Utils.js
index 7fcf60e6..ccdae522 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -8,6 +8,12 @@ Ext.define('PBS.Utils', {
     missingText: gettext('missing'),

     updateLoginData: function (data) {
+        if (data['ticket-info']) {
+            // we received a HttpOnly ticket response, the actual cookie is handled by the browser.
+            // set the ticket field to use the information from `ticket-info`
+            data.ticket = data['ticket-info'];
+        }
+
         Proxmox.Utils.setAuthData(data);
     },

--
2.47.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


  parent reply	other threads:[~2025-07-23 15:14 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-23 15:13 [pbs-devel] [PATCH proxmox{, -backup} v2 0/4] HttpOnly cookie based tickets for pbs Shannon Sterz
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox v2 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
2025-07-23 18:38   ` [pbs-devel] applied: " Thomas Lamprecht
2025-07-23 15:13 ` [pbs-devel] [PATCH proxmox-backup v2 1/3] api: access: add opt-in HttpOnly ticket authentication flow Shannon Sterz
2025-07-23 18:37   ` [pbs-devel] applied: " Thomas Lamprecht
2025-07-23 15:14 ` Shannon Sterz [this message]
2025-07-23 18:37   ` [pbs-devel] applied: [PATCH proxmox-backup v2 2/3] ui: opt into the new " Thomas Lamprecht
2025-07-23 15:14 ` [pbs-devel] [PATCH proxmox-backup v2 3/3] client: adapt pbs client to also handle HttpOnly flows correctly Shannon Sterz
2025-07-23 18:37   ` [pbs-devel] applied: " Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250723151356.264229-9-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal