[pbs-devel] [PATCH proxmox-backup 1/1] api/proxy: set auth cookie name in rest server api config
Dominik Csapak
d.csapak at proxmox.com
Fri Jul 25 14:23:17 CEST 2025
LGTM
Reviewed-by: Dominik Csapak <d.csapak at proxmox.com>
Tested-by: Dominik Csapak <d.csapak at proxmox.com>
On 7/25/25 13:24, Shannon Sterz wrote:
> set the name of the auth cookie when configuring apis to allow the
> rest server to remove invalid tickets on 401 requests.
>
> Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
> ---
> src/auth.rs | 10 +++++++++-
> src/auth_helpers.rs | 1 +
> src/bin/proxmox-backup-api.rs | 1 +
> src/bin/proxmox-backup-proxy.rs | 1 +
> 4 files changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/src/auth.rs b/src/auth.rs
> index 86b12a76..ac24c8ca 100644
> --- a/src/auth.rs
> +++ b/src/auth.rs
> @@ -13,7 +13,7 @@ use pbs_config::open_backup_lockfile;
> use proxmox_router::http_bail;
> use serde_json::json;
>
> -use proxmox_auth_api::api::{Authenticator, LockedTfaConfig};
> +use proxmox_auth_api::api::{AuthContext, Authenticator, LockedTfaConfig};
> use proxmox_auth_api::ticket::{Empty, Ticket};
> use proxmox_auth_api::types::Authid;
> use proxmox_auth_api::{HMACKey, Keyring};
> @@ -377,6 +377,14 @@ pub fn setup_auth_context(use_private_key: bool) {
> proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
> }
>
> +pub fn get_auth_cookie_name() -> String {
> + AUTH_CONTEXT
> + .get()
> + .expect("auth context needs to be set before accessing the auth cookie name")
> + .prefixed_auth_cookie_name()
> + .to_string()
> +}
> +
> pub(crate) fn private_auth_keyring() -> &'static Keyring {
> &PRIVATE_KEYRING
> }
> diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
> index 65e36308..fdd8d663 100644
> --- a/src/auth_helpers.rs
> +++ b/src/auth_helpers.rs
> @@ -10,6 +10,7 @@ use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};
> use pbs_buildcfg::configdir;
> use serde_json::json;
>
> +pub use crate::auth::get_auth_cookie_name;
> pub use crate::auth::setup_auth_context;
> pub use proxmox_auth_api::api::assemble_csrf_prevention_token;
>
> diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs
> index 3d80b023..74528236 100644
> --- a/src/bin/proxmox-backup-api.rs
> +++ b/src/bin/proxmox-backup-api.rs
> @@ -88,6 +88,7 @@ async fn run() -> Result<(), Error> {
> let config = ApiConfig::new(pbs_buildcfg::JS_DIR, RpcEnvironmentType::PRIVILEGED)
> .index_handler_func(|_, _| get_index())
> .auth_handler_func(|h, m| Box::pin(check_pbs_auth(h, m)))
> + .auth_cookie_name(proxmox_backup::auth_helpers::get_auth_cookie_name())
> .default_api2_handler(&proxmox_backup::api2::ROUTER)
> .enable_access_log(
> pbs_buildcfg::API_ACCESS_LOG_FN,
> diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
> index 694c2463..4641fed1 100644
> --- a/src/bin/proxmox-backup-proxy.rs
> +++ b/src/bin/proxmox-backup-proxy.rs
> @@ -195,6 +195,7 @@ async fn run() -> Result<(), Error> {
> let mut config = ApiConfig::new(pbs_buildcfg::JS_DIR, RpcEnvironmentType::PUBLIC)
> .index_handler_func(|e, p| Box::pin(get_index_future(e, p)))
> .auth_handler_func(|h, m| Box::pin(check_pbs_auth(h, m)))
> + .auth_cookie_name(proxmox_backup::auth_helpers::get_auth_cookie_name())
> .register_template("index", &indexpath)?
> .register_template("console", "/usr/share/pve-xtermjs/index.html.hbs")?
> .default_api2_handler(&proxmox_backup::api2::ROUTER)
More information about the pbs-devel
mailing list