[pdm-devel] [PATCH proxmox v2 3/3] proxmox-login: add compat mode to fallback to PBS3 ticket parsing

Christian Ebner c.ebner at proxmox.com
Tue Sep 30 10:02:04 CEST 2025


The ticket info field is present in Proxmox Backup Server version 3
login response data; the client, however, switches to http-only in this
case.

Allow using the old authentication workflow instead by extending the
compat mode with `Pbs3Ticket`, resulting in a full ticket instead of
the http-only one.

Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
---
changes since version 1:
- fix check for CompatMode::Pbs3Ticket not being set

 proxmox-login/src/lib.rs | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/proxmox-login/src/lib.rs b/proxmox-login/src/lib.rs
index e7b8e023..c919c6a0 100644
--- a/proxmox-login/src/lib.rs
+++ b/proxmox-login/src/lib.rs
@@ -58,6 +58,7 @@ pub enum CompatMode {
     #[default]
     Generic,
     PveTfa,
+    Pbs3Ticket,
 }
 
 fn normalize_url(mut api_url: String) -> String {
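Review bot: the new `Pbs3Ticket` variant of `CompatMode` is added without a doc comment, so someone reading the enum cannot tell that it makes the login skip the `ticket_info` handling and yield a full ticket instead of the HttpOnly result. Suggest a `///` line on the variant saying that it is meant for Proxmox Backup Server 3 login responses, which carry `ticket_info`, and what the caller gets back when it is set.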
@@ -216,15 +217,17 @@ impl Login {
             ));
         }
 
-        // `ticket_info` is set when the server sets the ticket via an HttpOnly cookie. this also
-        // means we do not have access to the cookie itself which happens for example in a browser.
-        // assume that the cookie is handled properly by the context (browser) and don't worry
-        // about handling it ourselves.
-        if let Some(ref ticket) = response.ticket_info {
-            let ticket = ticket.parse()?;
-            return Ok(TicketResult::HttpOnly(
-                self.authentication_for(ticket, response)?,
-            ));
+        if self.compat_mode != CompatMode::Pbs3Ticket {
+            // `ticket_info` is set when the server sets the ticket via an HttpOnly cookie. this also
+            // means we do not have access to the cookie itself which happens for example in a browser.
+            // assume that the cookie is handled properly by the context (browser) and don't worry
+            // about handling it ourselves.
+            if let Some(ref ticket) = response.ticket_info {
+                let ticket = ticket.parse()?;
+                return Ok(TicketResult::HttpOnly(
+                    self.authentication_for(ticket, response)?,
+                ));
+            }
         }
 
         // old authentication flow where we needed to handle the ticket ourselves even in the
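Review bot: the new guard `if self.compat_mode != CompatMode::Pbs3Ticket {` has no comment of its own; the comment that moved inside it still explains only the HttpOnly case, not why this mode has to bypass it. Suggest one line above the guard stating that PBS 3 responses set `ticket_info` even though the caller wants to handle the ticket itself. With `Pbs3Ticket` set, every response that carries `ticket_info` now falls through to the old authentication flow below, so it is worth confirming that this path fails with a clear error when the response has no full ticket to parse, since that code is outside the lines shown here.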
-- 
2.47.3




