[pdm-devel] [PATCH proxmox v5 04/21] auth-api: extend `AuthContext` with prefixed cookie name

Shannon Sterz s.sterz at proxmox.com
Tue Mar 4 15:42:30 CET 2025


this adds the function `prefixed_auth_cookie_name` to the
`AuthContext` trait. said function can be used by users of this crate
to modify the expected prefix of the auth cookie. most products
should be able to use the default of `__Host-` though, so this also
adds a default implementation.

Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
---
 proxmox-auth-api/src/api/mod.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/proxmox-auth-api/src/api/mod.rs b/proxmox-auth-api/src/api/mod.rs
index a6f9d425..b75c8602 100644
--- a/proxmox-auth-api/src/api/mod.rs
+++ b/proxmox-auth-api/src/api/mod.rs
@@ -1,7 +1,7 @@
 use std::future::Future;
 use std::net::IpAddr;
 use std::pin::Pin;
-use std::sync::Mutex;
+use std::sync::{Mutex, OnceLock};
 
 use anyhow::{format_err, Error};
 use percent_encoding::percent_decode_str;
@@ -84,6 +84,16 @@ pub trait AuthContext: Send + Sync {
         let _ = (userid, password, path, privs, port);
         Ok(None)
     }
+
+    /// The auth cookie with a prefix. Usually this will be `__Host-`. However, products that don't
+    /// want a prefix or need a different one such as `__Secure-` should override the default
+    /// implementation.
+    ///
+    /// See: <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes>
+    fn prefixed_auth_cookie_name(&self) -> &'static str {
+        static HOST_COOKIE: OnceLock<String> = OnceLock::new();
+        HOST_COOKIE.get_or_init(|| format!("__Host-{}", self.auth_cookie_name()))
+    }
 }
 
 /// When verifying TFA challenges we need to be able to update the TFA config without interference
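Review bot: The function-local `static HOST_COOKIE` in the default `prefixed_auth_cookie_name` is a single process-wide cell shared by every `AuthContext` implementor that does not override the method, so whichever context calls it first fixes the value and any later context with a different `auth_cookie_name()` would silently get the first one's cookie name. If only one context per process is intended, say so in the doc comment, e.g. `/// The default is cached once per process from the first caller's auth_cookie_name(); override it if more than one AuthContext can exist.` The doc comment could also state that browsers accept a `__Host-` cookie only when it is set with `Secure`, `Path=/` and no `Domain` attribute, since the code that emits the cookie is not visible in this hunk and an implementor choosing between prefixes needs to know that constraint. The trait definition begins outside the hunk.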
-- 
2.39.5




