From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 171DD1FF15C for ; Fri, 22 Aug 2025 13:20:14 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AE631EEED; Fri, 22 Aug 2025 13:20:14 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Fri, 22 Aug 2025 13:17:49 +0200 Message-ID: <20250822111748.259591-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.2 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1755861609919 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.023 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [access.rs] Subject: [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" this was previously possible but was accidentally removed when introducing the fall back logic for failed cookie authentication. Reported-by: Lukas Wagner Signed-off-by: Shannon Sterz --- proxmox-auth-api/src/api/access.rs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs index 490fe5c8..76feb698 100644 --- a/proxmox-auth-api/src/api/access.rs +++ b/proxmox-auth-api/src/api/access.rs @@ -121,7 +121,7 @@ fn create_ticket_http_only( let auth_context = auth_context()?; let host_cookie = auth_context.prefixed_auth_cookie_name(); let mut create_params: CreateTicket = serde_json::from_value(param)?; - let password = create_params.password.take(); + let mut password = create_params.password.take(); // previously to refresh a ticket, the old ticket was provided as a password via this // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some @@ -140,7 +140,9 @@ fn create_ticket_http_only( // after this only `__Host-{Cookie Name}` cookies are in the iterator .filter_map(|c| extract_cookie(c, host_cookie)) // so this should just give us the first one if it exists - .next(); + .next() + // if nothing was provided via the cookie, fall back to the requests body again + .or_else(|| password.take()); let env: &RestEnvironment = rpcenv .as_any() @@ -149,6 +151,9 @@ fn create_ticket_http_only( let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await; + // if authentication failed via the cookie parameter, try the password from the body here. + // don't allow ticket refresh, though. this should only be done via the cookie if the + // client uses cookies for tickets. if ticket_response.is_err() && password.is_some() { create_params.password = password; ticket_response = handle_ticket_creation(create_params, false, env).await; -- 2.47.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel