[pbs-devel] [PATCH proxmox-backup 1/1] ui: login: opt the tfa challenge handling into the new HttpOnly flow
Shannon Sterz
s.sterz at proxmox.com
Wed Aug 6 11:57:02 CEST 2025
this was missed previously, leading to the tfa part of the auth flow
not opting into the new auth flow. this meant the server did not add a
Set-Cookie header. after that, whether or not a login worked fine
became a race between the refresh logic (which was opted into the new
flow and, thus, would yield a proper HttpOnly cookie) and other
requests.
Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
---
www/LoginView.js | 2 ++
1 file changed, 2 insertions(+)
diff --git a/www/LoginView.js b/www/LoginView.js
index 9c1ac38a..cf6c2cf7 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -114,6 +114,7 @@ Ext.define('PBS.LoginView', {
let userid = data.username;
let ticket = data.ticket;
+ let http_only = true;
let challenge = JSON.parse(
decodeURIComponent(ticket.split(':')[1].slice('!tfa!'.length)),
);
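Review bot: the added `let http_only = true;` has no comment saying why the TFA challenge path needs it, and the commit message notes that this opt-in was already missed once. A one-line comment here (the TFA step must opt into the HttpOnly flow so that the server sends the Set-Cookie header) would keep the flag from being dropped in a later cleanup. In the visible lines the variable is never reassigned and only feeds the shorthand property in the next hunk, so passing `http_only: true` directly in the config object would also work and would remove the extra local.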
@@ -123,6 +124,7 @@ Ext.define('PBS.LoginView', {
userid,
ticket,
challenge,
+ http_only,
onResolve: (value) => resolve(value),
onReject: reject,
}).show();
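Review bot: at `http_only,` in the config object, nothing in this hunk shows that the component being created reads an `http_only` option and forwards it with the request that answers the TFA challenge. If the key is ignored or named differently on the receiving side, the login falls back to the old flow without any error, which is the race the commit message describes. Please name the consuming component in the commit message, and consider making the opt-in the default there so that a caller cannot omit it again.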
--
2.47.2