public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: Shannon Sterz <s.sterz@proxmox.com>
Cc: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH proxmox-backup 1/3] api: access: add opt-in http only ticket authentication flow
Date: Wed, 23 Jul 2025 15:58:53 +0200	[thread overview]
Message-ID: <s8oy0sf100y.fsf@proxmox.com> (raw)
In-Reply-To: <20250710135010.305861-3-s.sterz@proxmox.com> (Shannon Sterz's message of "Thu, 10 Jul 2025 15:50:08 +0200")

Shannon Sterz <s.sterz@proxmox.com> writes:

> this new flow returns https only cookies providing an additional layer
> of security for clients operating in a browser environment. opt-in
> only to not break existing clients.
>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>  src/api2/access/mod.rs | 77 +++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 73 insertions(+), 4 deletions(-)
>
> diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
> index 832cdc66..b61b596e 100644
> --- a/src/api2/access/mod.rs
> +++ b/src/api2/access/mod.rs
> @@ -2,14 +2,23 @@
>  
>  use anyhow::{bail, format_err, Error};
>  
> -use serde_json::Value;
> +use hyper::header::CONTENT_TYPE;
> +use hyper::http::request::Parts;
> +use hyper::Response;
> +use serde_json::{json, Value};
> +
>  use std::collections::HashMap;
>  use std::collections::HashSet;
>  
> +use proxmox_auth_api::api::API_METHOD_CREATE_TICKET_HTTP_ONLY;
> +use proxmox_auth_api::types::{CreateTicket, CreateTicketResponse};
>  use proxmox_router::{
> -    http_bail, http_err, list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap,
> +    http_bail, http_err, list_subdirs_api_method, ApiHandler, ApiMethod, ApiResponseFuture,
> +    Permission, Router, RpcEnvironment, SubdirMap,
> +};
> +use proxmox_schema::{
> +    api, AllOfSchema, ApiType, BooleanSchema, ObjectSchema, ParameterSchema, ReturnType,
>  };
> -use proxmox_schema::api;
>  use proxmox_sortable_macro::sortable;
>  
>  use pbs_api_types::{
> @@ -268,7 +277,9 @@ const SUBDIRS: SubdirMap = &sorted!([
>      ),
>      (
>          "ticket",
> -        &Router::new().post(&proxmox_auth_api::api::API_METHOD_CREATE_TICKET)
> +        &Router::new()
> +            .post(&API_METHOD_CREATE_TICKET_TOGGLE)
> +            .delete(&proxmox_auth_api::api::API_METHOD_LOGOUT)
>      ),
>      ("openid", &openid::ROUTER),
>      ("domains", &domain::ROUTER),
> @@ -277,6 +288,64 @@ const SUBDIRS: SubdirMap = &sorted!([
>      ("tfa", &tfa::ROUTER),
>  ]);
>  
> +const API_METHOD_CREATE_TICKET_TOGGLE: ApiMethod = ApiMethod::new_full(
> +    &proxmox_router::ApiHandler::AsyncHttpBodyParameters(&handle_ticket_toggle),
> +    ParameterSchema::AllOf(&AllOfSchema::new(
> +        "Either create a new HttpOnly ticket or a regular ticket.",
> +        &[
> +            &ObjectSchema::new(
> +                "<INNER: Toggle between http only or legacy ticket endpoints.>",
> +                &[(
> +                    "http-only",
> +                    true,
> +                    &BooleanSchema::new(
> +                        "Whether the http only authentication flow should be used.",
> +                    )
> +                    .default(false)
> +                    .schema(),
> +                )],
> +            )
> +            .schema(),
> +            &CreateTicket::API_SCHEMA,
> +        ],
> +    )),
> +)
> +.returns(ReturnType::new(false, &CreateTicketResponse::API_SCHEMA))
> +.protected(true)
> +.access(None, &Permission::World);
> +
> +fn handle_ticket_toggle(
> +    parts: Parts,
> +    mut param: Value,
> +    info: &'static ApiMethod,
> +    mut rpcenv: Box<dyn RpcEnvironment>,
> +) -> ApiResponseFuture {
> +    // If the client specifies that they want to use http only cookies, prefer those.
> +    if Some(true) == param["http-only"].take().as_bool() {
> +        if let ApiHandler::AsyncHttpBodyParameters(handler) =
> +            API_METHOD_CREATE_TICKET_HTTP_ONLY.handler
> +        {

This could benefit from a

            tracing::debug!("Client requests http-only cookies");

or similar.

> +            return handler(parts, param, info, rpcenv);
> +        }
> +    }
> +
> +    // Otherwise, default back to the previous ticket method.
> +    Box::pin(async move {
> +        let create_params: CreateTicket = serde_json::from_value(param)?;
> +
> +        let ticket_response =
> +            proxmox_auth_api::api::create_ticket(create_params, rpcenv.as_mut()).await?;
> +
> +        let response = Response::builder().header(CONTENT_TYPE, "application/json");
> +
> +        Ok(response.body(
> +            json!({"data": ticket_response, "status": 200, "success": true })
> +                .to_string()
> +                .into(),
> +        )?)
> +    })
> +}
> +
>  pub const ROUTER: Router = Router::new()
>      .get(&list_subdirs_api_method!(SUBDIRS))
>      .subdirs(SUBDIRS);

-- 
Maximiliano


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


  parent reply	other threads:[~2025-07-23 13:58 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-10 13:50 [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox 1/1] auth-api: include meta information required by extjs in api endpoints Shannon Sterz
2025-07-15 22:40   ` Thomas Lamprecht
     [not found]     ` <DBDBXGTI71WP.3V2J3DEMNK1DL@proxmox.com>
2025-07-22 20:21       ` Thomas Lamprecht
2025-07-23 15:18         ` Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 1/3] api: access: add opt-in http only ticket authentication flow Shannon Sterz
2025-07-23 12:57   ` Mira Limbeck
2025-07-23 13:58   ` Maximiliano Sandoval [this message]
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: opt into the new http-only " Shannon Sterz
2025-07-10 13:50 ` [pbs-devel] [PATCH proxmox-backup 3/3] client: adapt pbs client to also handle http-only flows correctly Shannon Sterz
2025-07-23 12:56 ` [pbs-devel] [PATCH proxmox{, -backup} 0/4] http only cookie based tickets for pbs Mira Limbeck
2025-07-23 14:05 ` Maximiliano Sandoval
2025-07-23 15:15 ` Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=s8oy0sf100y.fsf@proxmox.com \
    --to=m.sandoval@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    --cc=s.sterz@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal