From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pdm-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
by lore.proxmox.com (Postfix) with ESMTPS id 65DEB1FF168
for <inbox@lore.proxmox.com>; Tue, 4 Mar 2025 13:05:32 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 731F91D9DD;
Tue, 4 Mar 2025 13:05:24 +0100 (CET)
From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Date: Tue, 4 Mar 2025 13:05:04 +0100
Message-Id: <20250304120506.135617-20-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250304120506.135617-1-s.sterz@proxmox.com>
References: <20250304120506.135617-1-s.sterz@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0
AWL -0.018 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Subject: [pdm-devel] [PATCH yew-comp v4 19/21] LoginPanel/http helpers: add
support for handling HttpOnly cookies
X-BeenThere: pdm-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Datacenter Manager development discussion
<pdm-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pdm-devel>,
<mailto:pdm-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pdm-devel/>
List-Post: <mailto:pdm-devel@lists.proxmox.com>
List-Help: <mailto:pdm-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel>,
<mailto:pdm-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Datacenter Manager development discussion
<pdm-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pdm-devel-bounces@lists.proxmox.com
Sender: "pdm-devel" <pdm-devel-bounces@lists.proxmox.com>
this makes sure that we handle tickets that are stored in in HttpOnly
cookies correctly by:
- assuming that the properly sign ticket is in a cookie we can't
access when refreshing tickets and only an informational ticket is
available to us.
- handling `TicketResult::HttpOnly` correctly
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/http_helpers.rs | 30 ++++++++++++++++++++++++++----
src/login_panel.rs | 5 ++++-
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/src/http_helpers.rs b/src/http_helpers.rs
index 9f0403f..e2489cc 100644
--- a/src/http_helpers.rs
+++ b/src/http_helpers.rs
@@ -108,11 +108,25 @@ async fn ticket_refresh_loop() {
}
Validity::Refresh => {
let client = CLIENT.with(|c| Rc::clone(&*c.borrow()));
- if let Ok(TicketResult::Full(auth)) =
+
+ // if the ticket is not signed, there is no point in sending it, assume we
+ // are using a HttpOnly cookie that is properly handled by the
+ // browser/cookie anyway
+ let result = if data.ticket.is_info_only() {
+ client.refresh(&data.userid).await
+ } else {
client.login(&data.userid, &data.ticket.to_string()).await
- {
- log::info!("ticket_refresh_loop: Got ticket update.");
- client.set_auth(auth.clone());
+ };
+
+ match result {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
+ Ok(TicketResult::Full(auth)) | Ok(TicketResult::HttpOnly(auth)) => {
+ log::info!("ticket_refresh_loop: Got ticket update.");
+ client.set_auth(auth.clone());
+ }
+ _ => { /* do nothing */ }
}
}
Validity::Valid => { /* do nothing */ }
@@ -157,11 +171,19 @@ pub async fn http_login(
.await?;
match ticket_result {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
TicketResult::Full(auth) => {
client.set_auth(auth.clone());
update_global_client(client);
Ok(TicketResult::Full(auth))
}
+ TicketResult::HttpOnly(auth) => {
+ client.set_auth(auth.clone());
+ update_global_client(client);
+ Ok(TicketResult::HttpOnly(auth))
+ }
challenge => Ok(challenge),
}
}
diff --git a/src/login_panel.rs b/src/login_panel.rs
index d979bbb..aecbf80 100644
--- a/src/login_panel.rs
+++ b/src/login_panel.rs
@@ -74,7 +74,10 @@ impl ProxmoxLoginPanel {
let link = ctx.link().clone();
self.async_pool.spawn(async move {
match crate::http_login(username, password, realm).await {
- Ok(TicketResult::Full(info)) => {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
+ Ok(TicketResult::Full(info)) | Ok(TicketResult::HttpOnly(info)) => {
link.send_message(Msg::Login(info));
}
Ok(TicketResult::TfaRequired(challenge)) => {
--
2.39.5
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel