From: Mira Limbeck <m.limbeck@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs
Date: Wed, 23 Jul 2025 14:56:11 +0200 [thread overview]
Message-ID: <e135819b-1d15-4fc2-b53f-3292d91f1518@proxmox.com> (raw)
In-Reply-To: <20250710135010.305861-1-s.sterz@proxmox.com>
On 7/10/25 15:50, Shannon Sterz wrote:
> # Summary
>
> this series adds an authentication flow based on http only cookies for
> proxmox backup server. at the moment this authentication flow is opt-in
> in order to not break older clients that may still rely on the previous
> authentication flow.
>
> this series is split into three parts:
>
> 1. prepare proxmox-auth-api to be used with extjs and implements a new
> ticket endpoint for pbs. this endpoint requires clients to provide a
> boolean parameter `http-only` as `true` for it to switch to the new
> http-only based authentication flow.
> 2. adapt proxmox backup server's ui components to always use the http
> only based authentication flow. this should make cookies
> inaccessible to any javascript-based attack in the browser,
> providing an extra layer of security.
> 3. prepare pbs-client for potential servers that may no longer provide
> the previous authentication flow. the point of already adding this
> now, is to be prepare update-hesitant users for a future without the
> old authentication flow. if the old authentication flow is dropped in
> the future, more users will already have a client version that can
> adapt to the new flow.
>
> # Why not opt the `pbs-client` into the new flow?
>
> the client is deliberatelly not opted into the new authentication flow
> for the following reasons:
>
> - http only cookies are only an effective security mechanism within a
> browser context. the client simply does not benefit from this extra
> layer of protection. the attacks http only cookies protect against,
> simply don't exist here.
> - opting the client in unconditionally isn't possible. older pbs servers
> would complain about the additional api parameters provided by the
> client. this means:
>
> + the client would either need to try the http-only flow and once
> that fails, fall back to the older authentication flow.
> + or query (and possibly cache) the server version and check if the
> version is new enough to support the new authentication flow.
>
> both approaches are more error-prone and produce additional network
> overhead than simply not opting the client into the new flow. causing
> api errors may also produce a lot of false warnings when monitoring pbs.
> so there are no benefits, but potential downsides. hence, the client
> will not yet be opted into the new authentication flow.
>
> proxmox:
>
> Shannon Sterz (1):
> auth-api: include meta information required by extjs in api endpoints
>
> proxmox-auth-api/src/api/access.rs | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
>
> proxmox-backup:
>
> Shannon Sterz (3):
> api: access: add opt-in http only ticket authentication flow
> ui: opt into the new http-only ticket authentication flow
> client: adapt pbs client to also handle http-only flows correctly
>
> pbs-client/src/http_client.rs | 70 ++++++++++++++++++++++++++++---
> src/api2/access/mod.rs | 77 +++++++++++++++++++++++++++++++++--
> www/Application.js | 12 +++++-
> www/LoginView.js | 4 +-
> www/MainView.js | 1 +
> www/Utils.js | 6 +++
> 6 files changed, 159 insertions(+), 11 deletions(-)
>
>
> Summary over all repositories:
> 7 files changed, 169 insertions(+), 14 deletions(-)
>
> --
> Generated by git-murpp 0.8.1
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
Tested this series on a freshly installed pbs4, updated to the latest
version.
Tests:
- browser login -> check cookies for __Host-PBSAuthCookie
-> had the `HttpOnly` flag set
- browser logout -> cookie got deleted
- old authentication flow (non-HttpOnly) with:
- proxmox-backup-client backup via PVE 8 (pbs client 3) web interface
- proxmox-backup-client list via PVE 8 (pbs client 3) web interface
So consider this:
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-07-23 12:54 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-10 13:50 Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
2025-07-15 22:40 ` Thomas Lamprecht
[not found] ` <DBDBXGTI71WP.3V2J3DEMNK1DL@proxmox.com>
2025-07-22 20:21 ` Thomas Lamprecht
2025-07-23 15:18 ` Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: access: add opt-in http only ticket authentication flow Shannon Sterz
2025-07-23 12:57 ` Mira Limbeck
2025-07-23 13:58 ` Maximiliano Sandoval
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: opt into the new http-only " Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 3/3] client: adapt pbs client to also handle http-only flows correctly Shannon Sterz
2025-07-23 12:56 ` Mira Limbeck [this message]
2025-07-23 14:05 ` [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs Maximiliano Sandoval
2025-07-23 15:15 ` Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e135819b-1d15-4fc2-b53f-3292d91f1518@proxmox.com \
--to=m.limbeck@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox