proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-08-07 15:36:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

auth-api: check for new prefixed cookies as well

Browse Source 
this makes sure that newly generated cookies that are prefixed with,
for example, `__Host-`, for security purposes, are correctly picked
up on. otherwise, the new cookies would not be able to yield proper
authentication.

currently this still falls back to insecure non-prefixed cookies. we
should deprecate them in the long-term and remove this fallback.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
This commit is contained in:
Shannon Sterz 2025-03-04 15:42:31 +01:00 committed by Wolfgang Bumiller
parent b598e03287
commit 6f61b991a0
1 changed files with 27 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
proxmox-auth-api/src/api/mod.rs
View File

@ -203,18 +203,36 @@ fn extract_auth_data(
auth_context: &dyn AuthContext, auth_context: &dyn AuthContext,
headers: &http::HeaderMap, headers: &http::HeaderMap,
) -> Option<AuthData> { ) -> Option<AuthData> {
if let Some(raw_cookie) = headers.get(http::header::COOKIE) { let mut ticket = None;
if let Ok(cookie) = raw_cookie.to_str() { let cookie_name = auth_context.auth_cookie_name();
if let Some(ticket) = extract_cookie(cookie, auth_context.auth_cookie_name()) { let host_cookie = auth_context.prefixed_auth_cookie_name();
let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) { let cookies = headers
Some(Ok(v)) => Some(v.to_owned()), .get_all(http::header::COOKIE)
_ => None, .iter()
}; .filter_map(|c| c.to_str().ok());
return Some(AuthData::User(UserAuthData { ticket, csrf_token }));
} for cookie in cookies {
// check if we got a `__Host-` prefixed cookie first and break the loop if we do so we use
// that cookie.
if let Some(extracted_ticket) = extract_cookie(cookie, host_cookie) {
ticket = Some(extracted_ticket);
break;
// if no such prefixed cookie exists, try to fall back to a non-prefixed one
// TODO: remove this once we do not support less secure non-prefixed cookies anymore
} else if let Some(extracted_ticket) = extract_cookie(cookie, cookie_name) {
ticket = Some(extracted_ticket)
} }
} }
if let Some(ticket) = ticket {
let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) {
Some(Ok(v)) => Some(v.to_owned()),
_ => None,
};
return Some(AuthData::User(UserAuthData { ticket, csrf_token }));
}
let token_prefix = auth_context.auth_token_prefix(); let token_prefix = auth_context.auth_token_prefix();
match headers.get(http::header::AUTHORIZATION).map(|v| v.to_str()) { match headers.get(http::header::AUTHORIZATION).map(|v| v.to_str()) {
Some(Ok(v)) => { Some(Ok(v)) => {