From: "Shannon Sterz"
To: "Shannon Sterz"
Date: Wed, 23 Jul 2025 17:15:54 +0200
Subject: Re: [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs
In-Reply-To: <20250710135010.305861-1-s.sterz@proxmox.com>

Superseded-by: https://lore.proxmox.com/pbs-devel/20250723151356.264229-3-s.sterz@proxmox.com/T/#u

On Thu Jul 10, 2025 at 3:50 PM CEST, Shannon Sterz wrote:
> # Summary
>
> this series adds an authentication flow based on http only cookies for
> proxmox backup server. at the moment this authentication flow is opt-in
> in order to not break older clients that may still rely on the previous
> authentication flow.
>
> this series is split into three parts:
>
> 1. prepare proxmox-auth-api to be used with extjs and implement a new
>    ticket endpoint for pbs. this endpoint requires clients to provide a
>    boolean parameter `http-only` as `true` for it to switch to the new
>    http-only based authentication flow.
> 2. adapt proxmox backup server's ui components to always use the http
>    only based authentication flow. this should make cookies
>    inaccessible to any javascript-based attack in the browser,
>    providing an extra layer of security.
> 3. prepare pbs-client for potential servers that may no longer provide
>    the previous authentication flow. the point of already adding this
>    now is to prepare update-hesitant users for a future without the
>    old authentication flow. if the old authentication flow is dropped in
>    the future, more users will already have a client version that can
>    adapt to the new flow.
>
> # Why not opt the `pbs-client` into the new flow?
>
> the client is deliberately not opted into the new authentication flow
> for the following reasons:
>
> - http only cookies are only an effective security mechanism within a
>   browser context. the client simply does not benefit from this extra
>   layer of protection. the attacks http only cookies protect against
>   simply don't exist here.
> - opting the client in unconditionally isn't possible. older pbs servers
>   would complain about the additional api parameters provided by the
>   client. this means:
>
>   + the client would either need to try the http-only flow and, once
>     that fails, fall back to the older authentication flow.
>   + or query (and possibly cache) the server version and check if the
>     version is new enough to support the new authentication flow.
>
> both approaches are more error-prone and produce more network
> overhead than simply not opting the client into the new flow. causing
> api errors may also produce a lot of false warnings when monitoring pbs.
> so there are no benefits, but potential downsides. hence, the client
> will not yet be opted into the new authentication flow.
>
> proxmox:
>
> Shannon Sterz (1):
>   auth-api: include meta information required by extjs in api endpoints
>
>  proxmox-auth-api/src/api/access.rs | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
>
> proxmox-backup:
>
> Shannon Sterz (3):
>   api: access: add opt-in http only ticket authentication flow
>   ui: opt into the new http-only ticket authentication flow
>   client: adapt pbs client to also handle http-only flows correctly
>
>  pbs-client/src/http_client.rs | 70 ++++++++++++++++++++++++++++---
>  src/api2/access/mod.rs        | 77 +++++++++++++++++++++++++++++++++--
>  www/Application.js            | 12 +++++-
>  www/LoginView.js              |  4 +-
>  www/MainView.js               |  1 +
>  www/Utils.js                  |  6 +++
>  6 files changed, 159 insertions(+), 11 deletions(-)
>
>
> Summary over all repositories:
>   7 files changed, 169 insertions(+), 14 deletions(-)
>
> --
> Generated by git-murpp 0.8.1
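As an added illustration (not code from this series or from Proxmox), the following Rust models the opt-in decision the cover letter describes: the new ticket endpoint switches to a cookie based flow only when `http-only` is `true`, an older server that does not know the parameter rejects the request (which is why `pbs-client` is not opted in unconditionally), and later requests carry the ticket in the `Cookie` header instead of the body. The cookie name, the legacy parameter set and the ticket values are assumptions.

```rust
/// Result of a ticket request: the legacy flow returns the ticket in the body,
/// the http-only flow moves it into a cookie that browser JavaScript cannot read.
#[derive(Debug, PartialEq)]
pub struct TicketResponse {
    pub set_cookie: Option<String>,  // Set-Cookie header, http-only flow only
    pub body_ticket: Option<String>, // ticket in the JSON body, legacy flow only
}

const COOKIE_NAME: &str = "PBSAuthCookie"; // assumed cookie name

/// New endpoint. Parameters are (name, value) pairs as the API layer would pass
/// them; only `http-only=true` opts the caller into the cookie based flow, so
/// older clients that never send the parameter keep working unchanged.
pub fn create_ticket(params: &[(&str, &str)], ticket: &str) -> Result<TicketResponse, String> {
    let flag = params.iter().find(|(k, _)| *k == "http-only").map(|(_, v)| *v);
    let http_only = match flag {
        None | Some("false") | Some("0") => false,
        Some("true") | Some("1") => true,
        Some(v) => return Err(format!("invalid boolean for http-only: {v}")),
    };
    if http_only {
        // HttpOnly hides the cookie from document.cookie; Secure and SameSite
        // limit where the browser will send it.
        let cookie = format!("{COOKIE_NAME}={ticket}; HttpOnly; Secure; SameSite=Lax; Path=/");
        Ok(TicketResponse { set_cookie: Some(cookie), body_ticket: None })
    } else {
        Ok(TicketResponse { set_cookie: None, body_ticket: Some(ticket.to_string()) })
    }
}

/// Older server: its schema does not know `http-only`, so any request carrying
/// the parameter fails instead of silently falling back to the legacy flow.
pub fn legacy_create_ticket(params: &[(&str, &str)], ticket: &str) -> Result<TicketResponse, String> {
    const KNOWN: [&str; 3] = ["username", "password", "otp"]; // assumed legacy parameters
    if let Some((k, _)) = params.iter().find(|(k, _)| !KNOWN.contains(k)) {
        return Err(format!("parameter '{k}' is not allowed"));
    }
    Ok(TicketResponse { set_cookie: None, body_ticket: Some(ticket.to_string()) })
}

/// Subsequent requests in the http-only flow: pull the ticket out of the
/// browser-sent Cookie header rather than out of a request body field.
pub fn ticket_from_cookie_header(header: &str) -> Option<&str> {
    header
        .split(';')
        .map(str::trim)
        .find_map(|pair| pair.strip_prefix(COOKIE_NAME)?.strip_prefix('='))
}
```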