From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Shannon Sterz <s.sterz@proxmox.com>
Cc: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH proxmox] auth-api: allow logging in with tickets provided via password field only
Date: Mon, 25 Aug 2025 11:03:15 +0200 [thread overview]
Message-ID: <z6iadexegkz7e3ib7z3agqtntds7rgqfjn3ja7nij572fcqaea@ajnn7nqlrm2l> (raw)
In-Reply-To: <20250822111748.259591-2-s.sterz@proxmox.com>
On Fri, Aug 22, 2025 at 01:17:49PM +0200, Shannon Sterz wrote:
> this was previously possible but was accidentally removed when
> introducing the fall back logic for failed cookie authentication.
>
> Reported-by: Lukas Wagner <l.wagner@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
> proxmox-auth-api/src/api/access.rs | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
> index 490fe5c8..76feb698 100644
> --- a/proxmox-auth-api/src/api/access.rs
> +++ b/proxmox-auth-api/src/api/access.rs
> @@ -121,7 +121,7 @@ fn create_ticket_http_only(
> let auth_context = auth_context()?;
> let host_cookie = auth_context.prefixed_auth_cookie_name();
> let mut create_params: CreateTicket = serde_json::from_value(param)?;
> - let password = create_params.password.take();
> + let mut password = create_params.password.take();
>
> // previously to refresh a ticket, the old ticket was provided as a password via this
> // endpoint's parameters. however, once the ticket is set as an HttpOnly cookie, some
> @@ -140,7 +140,9 @@ fn create_ticket_http_only(
> // after this only `__Host-{Cookie Name}` cookies are in the iterator
> .filter_map(|c| extract_cookie(c, host_cookie))
> // so this should just give us the first one if it exists
> - .next();
> + .next()
> + // if nothing was provided via the cookie, fall back to the requests body again
> + .or_else(|| password.take());
>
> let env: &RestEnvironment = rpcenv
> .as_any()
> @@ -149,6 +151,9 @@ fn create_ticket_http_only(
>
> let mut ticket_response = handle_ticket_creation(create_params.clone(), true, env).await;
>
> + // if authentication failed via the cookie parameter, try the password from the body here.
> + // don't allow ticket refresh, though. this should only be done via the cookie if the
> + // client uses cookies for tickets.
^ Why though, and how is it enforced? If there was no cookie, the
parameter ended up back in the create_params by way of hte `.or_else()`?
> if ticket_response.is_err() && password.is_some() {
> create_params.password = password;
> ticket_response = handle_ticket_creation(create_params, false, env).await;
> --
> 2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-08-25 9:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-22 11:17 Shannon Sterz
2025-08-25 9:03 ` Wolfgang Bumiller [this message]
2025-08-25 11:13 ` [pbs-devel] applied: " Wolfgang Bumiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=z6iadexegkz7e3ib7z3agqtntds7rgqfjn3ja7nij572fcqaea@ajnn7nqlrm2l \
--to=w.bumiller@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox