[pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only

[pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only

[Shannon Sterz]

this was previously possible but was accidentally removed when
introducing the fall back logic for failed cookie authentication.

Reported-by: Lukas Wagner <l.wagner@proxmox.com>
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-auth-api/src/api/access.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 490fe5c8..76feb698 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -121,7 +121,7 @@ fn create_ticket_http_only(
         let auth_context = auth_context()?;
         let host_cookie = auth_context.prefixed_auth_cookie_name();
         let mut create_params: CreateTicket = serde_json::from_value(param)?;
-        let password = create_params.password.take();
+        let mut password = create_params.password.take();
 
         // previously to refresh a ticket, the old ticket was provided as a password via this
         // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
@@ -140,7 +140,9 @@ fn create_ticket_http_only(
             // after this only `__Host-{Cookie Name}` cookies are in the iterator
             .filter_map(|c| extract_cookie(c, host_cookie))
             // so this should just give us the first one if it exists
-            .next();
+            .next()
+            // if nothing was provided via the cookie, fall back to the requests body again
+            .or_else(|| password.take());
 
         let env: &RestEnvironment = rpcenv
             .as_any()
@@ -149,6 +151,9 @@ fn create_ticket_http_only(
 
         let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
 
+        // if authentication failed via the cookie parameter, try the password from the body here.
+        // don't allow ticket refresh, though. this should only be done via the cookie if the
+        // client uses cookies for tickets.
         if ticket_response.is_err() && password.is_some() {
             create_params.password = password;
             ticket_response = handle_ticket_creation(create_params, false, env).await;
-- 
2.47.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

Re: [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only

[Wolfgang Bumiller]

On Fri, Aug 22, 2025 at 01:17:49PM +0200, Shannon Sterz wrote:
> this was previously possible but was accidentally removed when
> introducing the fall back logic for failed cookie authentication.
> 
> Reported-by: Lukas Wagner <l.wagner@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>  proxmox-auth-api/src/api/access.rs | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
> index 490fe5c8..76feb698 100644
> --- a/proxmox-auth-api/src/api/access.rs
> +++ b/proxmox-auth-api/src/api/access.rs
> @@ -121,7 +121,7 @@ fn create_ticket_http_only(
>          let auth_context = auth_context()?;
>          let host_cookie = auth_context.prefixed_auth_cookie_name();
>          let mut create_params: CreateTicket = serde_json::from_value(param)?;
> -        let password = create_params.password.take();
> +        let mut password = create_params.password.take();
>  
>          // previously to refresh a ticket, the old ticket was provided as a password via this
>          // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
> @@ -140,7 +140,9 @@ fn create_ticket_http_only(
>              // after this only `__Host-{Cookie Name}` cookies are in the iterator
>              .filter_map(|c| extract_cookie(c, host_cookie))
>              // so this should just give us the first one if it exists
> -            .next();
> +            .next()
> +            // if nothing was provided via the cookie, fall back to the requests body again
> +            .or_else(|| password.take());
>  
>          let env: &RestEnvironment = rpcenv
>              .as_any()
> @@ -149,6 +151,9 @@ fn create_ticket_http_only(
>  
>          let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
>  
> +        // if authentication failed via the cookie parameter, try the password from the body here.
> +        // don't allow ticket refresh, though. this should only be done via the cookie if the
> +        // client uses cookies for tickets.

^ Why though, and how is it enforced? If there was no cookie, the
parameter ended up back in the create_params by way of hte `.or_else()`?

>          if ticket_response.is_err() && password.is_some() {
>              create_params.password = password;
>              ticket_response = handle_ticket_creation(create_params, false, env).await;
> -- 
> 2.47.2


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] applied: [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only

[Wolfgang Bumiller]

applied, thanks

On Fri, Aug 22, 2025 at 01:17:49PM +0200, Shannon Sterz wrote:
> this was previously possible but was accidentally removed when
> introducing the fall back logic for failed cookie authentication.
> 
> Reported-by: Lukas Wagner <l.wagner@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>  proxmox-auth-api/src/api/access.rs | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
> index 490fe5c8..76feb698 100644
> --- a/proxmox-auth-api/src/api/access.rs
> +++ b/proxmox-auth-api/src/api/access.rs
> @@ -121,7 +121,7 @@ fn create_ticket_http_only(
>          let auth_context = auth_context()?;
>          let host_cookie = auth_context.prefixed_auth_cookie_name();
>          let mut create_params: CreateTicket = serde_json::from_value(param)?;
> -        let password = create_params.password.take();
> +        let mut password = create_params.password.take();
>  
>          // previously to refresh a ticket, the old ticket was provided as a password via this
>          // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
> @@ -140,7 +140,9 @@ fn create_ticket_http_only(
>              // after this only `__Host-{Cookie Name}` cookies are in the iterator
>              .filter_map(|c| extract_cookie(c, host_cookie))
>              // so this should just give us the first one if it exists
> -            .next();
> +            .next()
> +            // if nothing was provided via the cookie, fall back to the requests body again
> +            .or_else(|| password.take());
>  
>          let env: &RestEnvironment = rpcenv
>              .as_any()
> @@ -149,6 +151,9 @@ fn create_ticket_http_only(
>  
>          let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
>  
> +        // if authentication failed via the cookie parameter, try the password from the body here.
> +        // don't allow ticket refresh, though. this should only be done via the cookie if the
> +        // client uses cookies for tickets.
>          if ticket_response.is_err() && password.is_some() {
>              create_params.password = password;
>              ticket_response = handle_ticket_creation(create_params, false, env).await;
> -- 
> 2.47.2


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel