From: Mira Limbeck
To: pbs-devel@lists.proxmox.com
Date: Wed, 23 Jul 2025 14:56:11 +0200
In-Reply-To: <20250710135010.305861-1-s.sterz@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs

On 7/10/25 15:50, Shannon Sterz wrote:
> # Summary
>
> this series adds an authentication flow based on http only cookies for
> proxmox backup server. at the moment this authentication flow is opt-in
> in order to not break older clients that may still rely on the previous
> authentication flow.
>
> this series is split into three parts:
>
> 1. prepare proxmox-auth-api to be used with extjs and implement a new
>    ticket endpoint for pbs. this endpoint requires clients to provide a
>    boolean parameter `http-only` as `true` for it to switch to the new
>    http-only based authentication flow.
> 2. adapt proxmox backup server's ui components to always use the http
>    only based authentication flow. this should make cookies
>    inaccessible to any javascript-based attack in the browser,
>    providing an extra layer of security.
> 3. prepare pbs-client for potential servers that may no longer provide
>    the previous authentication flow. the point of already adding this
>    now is to prepare update-hesitant users for a future without the
>    old authentication flow. if the old authentication flow is dropped in
>    the future, more users will already have a client version that can
>    adapt to the new flow.
>
> # Why not opt the `pbs-client` into the new flow?
>
> the client is deliberately not opted into the new authentication flow
> for the following reasons:
>
> - http only cookies are only an effective security mechanism within a
>   browser context. the client simply does not benefit from this extra
>   layer of protection. the attacks http only cookies protect against
>   simply don't exist here.
> - opting the client in unconditionally isn't possible. older pbs servers
>   would complain about the additional api parameters provided by the
>   client. this means:
>
>   + the client would either need to try the http-only flow and, once
>     that fails, fall back to the older authentication flow.
>   + or query (and possibly cache) the server version and check if the
>     version is new enough to support the new authentication flow.
>
>   both approaches are more error-prone and produce more network
>   overhead than simply not opting the client into the new flow. causing
>   api errors may also produce a lot of false warnings when monitoring pbs.
>   so there are no benefits, but potential downsides. hence, the client
>   will not yet be opted into the new authentication flow.
>
> proxmox:
>
> Shannon Sterz (1):
>   auth-api: include meta information required by extjs in api endpoints
>
>  proxmox-auth-api/src/api/access.rs | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
>
> proxmox-backup:
>
> Shannon Sterz (3):
>   api: access: add opt-in http only ticket authentication flow
>   ui: opt into the new http-only ticket authentication flow
>   client: adapt pbs client to also handle http-only flows correctly
>
>  pbs-client/src/http_client.rs | 70 ++++++++++++++++++++++++++++---
>  src/api2/access/mod.rs        | 77 +++++++++++++++++++++++++++++++++--
>  www/Application.js            | 12 +++++-
>  www/LoginView.js              |  4 +-
>  www/MainView.js               |  1 +
>  www/Utils.js                  |  6 +++
>  6 files changed, 159 insertions(+), 11 deletions(-)
>
>
> Summary over all repositories:
>   7 files changed, 169 insertions(+), 14 deletions(-)
>
> --
> Generated by git-murpp 0.8.1
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>

Tested this series on a freshly installed pbs4, updated to the latest version.

Tests:
- browser login -> check cookies for __Host-PBSAuthCookie -> had the `HttpOnly` flag set
- browser logout -> cookie got deleted
- old authentication flow (non-HttpOnly) with:
  - proxmox-backup-client backup via PVE 8 (pbs client 3) web interface
  - proxmox-backup-client list via PVE 8 (pbs client 3) web interface

So consider this:

Tested-by: Mira Limbeck
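As an added example (not code from this series or from Proxmox), a small Python check that automates the cookie inspection from the test report above: it parses a Set-Cookie header and verifies the `HttpOnly` flag the series introduces together with the `__Host-` prefix requirements (Secure, no Domain, Path=/). The sample headers are constructed and the ticket value is a placeholder.

```python
"""Check a Set-Cookie header for the properties the http-only ticket flow relies on."""

# Constructed sample headers, not captured from a PBS server; the ticket
# value is a placeholder. GOOD is what a compliant response should look like,
# BAD is a cookie that would still be readable by page scripts.
GOOD = "__Host-PBSAuthCookie=TICKET_PLACEHOLDER; Secure; HttpOnly; Path=/"
BAD = "__Host-PBSAuthCookie=TICKET_PLACEHOLDER; Path=/; Domain=pbs.example"


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def check_ticket_cookie(header: str, expected_name: str = "__Host-PBSAuthCookie"):
    """Return a list of violations; an empty list means the cookie is acceptable."""
    name, value, attrs = parse_set_cookie(header)
    problems = []
    if name != expected_name:
        problems.append(f"unexpected cookie name {name!r}")
    if not value:
        problems.append("empty cookie value")
    # The series makes the ticket unreadable to page scripts via HttpOnly.
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    # __Host- prefix rules: must be Secure, must not set Domain, Path must be "/".
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            problems.append("__Host- cookie without Secure")
        if "domain" in attrs:
            problems.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            problems.append("__Host- cookie must set Path=/")
    return problems


if __name__ == "__main__":
    for label, header in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_ticket_cookie(header) or "ok")
```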