From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 2C28A1FF179 for ; Wed, 1 Oct 2025 15:28:32 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id B3A2D1F6C1; Wed, 1 Oct 2025 15:28:39 +0200 (CEST) Message-ID: <84f90d94-12a7-473b-a366-94c1162fa526@proxmox.com> Date: Wed, 1 Oct 2025 15:28:36 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US From: Shannon Sterz To: pbs-devel@lists.proxmox.com References: <20250520085549.56525-1-s.sterz@proxmox.com> In-Reply-To: <20250520085549.56525-1-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1759325294128 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.057 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, lib.rs] Subject: [pbs-devel] Superseded: Re: [PATCH proxmox] login: use `ticket` if both it and `ticket_info` are provided X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Superseded-by: https://lore.proxmox.com/all/20251001131102.266920-1-s.sterz@proxmox.com/T/#u On 5/20/25 10:55, Shannon Sterz wrote: > previously the precense of `ticket_info` was assumed to indicate the > HTTPOnly authentication flow. the `ticket` field was ignore in that > case, because the client has no way of validating a ticket anyway. > > this commit changes the behaviour to assume that the server is not > trying to "trick us" and that the presence of a `ticket` field > indicates that this value should be used for authentication. if the > `ticket_info` field is also present, the field will be ignored. > > Signed-off-by: Shannon Sterz > --- > > this is basically a different approach to fixing an issue that occured > when a server also returned a `ticket_info` field but was still using > the non-HTTPOnly auth flow [1]. while this shouldn't be strictly > necessary, it shouldn't hurt either. > > [1]: https://lore.proxmox.com/all/20250516131122.276231-1-s.sterz@proxmox.com/ > > proxmox-login/src/lib.rs | 26 ++++++++++++++------------ > 1 file changed, 14 insertions(+), 12 deletions(-) > > diff --git a/proxmox-login/src/lib.rs b/proxmox-login/src/lib.rs > index e97ece7b..710434d6 100644 > --- a/proxmox-login/src/lib.rs > +++ b/proxmox-login/src/lib.rs > @@ -200,22 +200,24 @@ impl Login { > )); > } > > - // `ticket_info` is set when the server sets the ticket via an HttpOnly cookie. this also > - // means we do not have access to the cookie itself which happens for example in a browser. > - // assume that the cookie is handled properly by the context (browser) and don't worry > - // about handling it ourselves. > - if let Some(ref ticket) = response.ticket_info { > - let ticket = ticket.parse()?; > - return Ok(TicketResult::HttpOnly( > - self.authentication_for(ticket, response)?, > - )); > - } > - > // old authentication flow where we needed to handle the ticket ourselves even in the > // browser etc. > let ticket: TicketResponse = match response.ticket { > Some(ref ticket) => ticket.parse()?, > - None => return Err("no ticket information in response".into()), > + None => { > + // `ticket_info` is set when the server sets the ticket via a HttpOnly cookie. this > + // also means we do not have access to the cookie itself which happens for example > + // in a browser. assume that the cookie is handled properly by the context > + // (browser) and don't worry about handling it ourselves. > + if let Some(ref ticket) = response.ticket_info { > + let ticket = ticket.parse()?; > + return Ok(TicketResult::HttpOnly( > + self.authentication_for(ticket, response)?, > + )); > + } > + > + return Err("no ticket information in response".into()); > + } > }; > > Ok(match ticket { > -- > 2.39.5 > > > > _______________________________________________ > pbs-devel mailing list > pbs-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel > > _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel