From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH yew-comp v5 19/21] LoginPanel/http helpers: add support for handling HttpOnly cookies
Date: Tue, 4 Mar 2025 15:42:45 +0100 [thread overview]
Message-ID: <20250304144247.231089-20-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250304144247.231089-1-s.sterz@proxmox.com>
this makes sure that we handle tickets that are stored in in HttpOnly
cookies correctly by:
- assuming that the properly sign ticket is in a cookie we can't
access when refreshing tickets and only an informational ticket is
available to us.
- handling `TicketResult::HttpOnly` correctly
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/http_helpers.rs | 30 ++++++++++++++++++++++++++----
src/login_panel.rs | 5 ++++-
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/src/http_helpers.rs b/src/http_helpers.rs
index 9f0403f..e2489cc 100644
--- a/src/http_helpers.rs
+++ b/src/http_helpers.rs
@@ -108,11 +108,25 @@ async fn ticket_refresh_loop() {
}
Validity::Refresh => {
let client = CLIENT.with(|c| Rc::clone(&*c.borrow()));
- if let Ok(TicketResult::Full(auth)) =
+
+ // if the ticket is not signed, there is no point in sending it, assume we
+ // are using a HttpOnly cookie that is properly handled by the
+ // browser/cookie anyway
+ let result = if data.ticket.is_info_only() {
+ client.refresh(&data.userid).await
+ } else {
client.login(&data.userid, &data.ticket.to_string()).await
- {
- log::info!("ticket_refresh_loop: Got ticket update.");
- client.set_auth(auth.clone());
+ };
+
+ match result {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
+ Ok(TicketResult::Full(auth)) | Ok(TicketResult::HttpOnly(auth)) => {
+ log::info!("ticket_refresh_loop: Got ticket update.");
+ client.set_auth(auth.clone());
+ }
+ _ => { /* do nothing */ }
}
}
Validity::Valid => { /* do nothing */ }
@@ -157,11 +171,19 @@ pub async fn http_login(
.await?;
match ticket_result {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
TicketResult::Full(auth) => {
client.set_auth(auth.clone());
update_global_client(client);
Ok(TicketResult::Full(auth))
}
+ TicketResult::HttpOnly(auth) => {
+ client.set_auth(auth.clone());
+ update_global_client(client);
+ Ok(TicketResult::HttpOnly(auth))
+ }
challenge => Ok(challenge),
}
}
diff --git a/src/login_panel.rs b/src/login_panel.rs
index d979bbb..aecbf80 100644
--- a/src/login_panel.rs
+++ b/src/login_panel.rs
@@ -74,7 +74,10 @@ impl ProxmoxLoginPanel {
let link = ctx.link().clone();
self.async_pool.spawn(async move {
match crate::http_login(username, password, realm).await {
- Ok(TicketResult::Full(info)) => {
+ // TODO: eventually deprecate support for `TicketResult::Full` and
+ // throw an error. this package should only ever be used in a browser
+ // context where authentication info should be set via HttpOnly cookies.
+ Ok(TicketResult::Full(info)) | Ok(TicketResult::HttpOnly(info)) => {
link.send_message(Msg::Login(info));
}
Ok(TicketResult::TfaRequired(challenge)) => {
--
2.39.5
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-03-04 14:43 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-04 14:42 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v5 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 01/21] time: add new `epoch_to_http_date` helper Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 02/21] rest-server: borrow parts parameter in `get_request_parameter` Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 03/21] router/rest-server: add new `AsyncHttpBodyParameters` api handler type Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 04/21] auth-api: extend `AuthContext` with prefixed cookie name Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 05/21] auth-api: check for new prefixed cookies as well Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 06/21] auth-api: introduce new CreateTicket and CreateTickeReponse api types Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 07/21] auth-api: add endpoint for issuing tickets as HttpOnly tickets Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 08/21] auth-api: make regular ticket endpoint use the new types and handler Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 09/21] auth-api: add logout method Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 10/21] login: add optional field for ticket_info and make password optional Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 11/21] login: make password optional when creating Login requests Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 12/21] login: add helpers to pass cookie values when parsing login responses Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 13/21] login: add `TicketResult::HttpOnly` member Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 14/21] login: add helper to check whether a ticket is just informational Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 15/21] login: add functions to specify full cookie names Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 16/21] client: add compatibility with HttpOnly cookies Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH proxmox v5 17/21] client: specify cookie names for authentication headers where possible Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH yew-comp v5 18/21] HttpClient: add helpers to refresh HttpOnly cookies and remove them Shannon Sterz
2025-03-04 14:42 ` Shannon Sterz [this message]
2025-03-04 14:42 ` [pdm-devel] [PATCH yew-comp v5 20/21] http helpers: ask server to remove `__Host-` prefixed cookie on logout Shannon Sterz
2025-03-04 14:42 ` [pdm-devel] [PATCH datacenter-manager v5 21/21] api: switch ticket endpoint over to new http only endpoint Shannon Sterz
2025-03-04 15:31 ` [pdm-devel] applied-series: [PATCH datacenter-manager/proxmox/yew-comp v5 00/21] use HttpOnly cookies in new projects Wolfgang Bumiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250304144247.231089-20-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal