[pve-devel] [PATCH 17/23] allow ticket in auth header as fallback

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Oct 17 17:33:14 CEST 2019 

On 10/17/19 3:14 PM, Fabian Grünbichler wrote:
> based on idea & RFC by Tim Marx, incorporating feedback by Thomas
> Lamprecht. this will be extended to support API tokens in the
> Authorization header as well, so make it generic.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     semi-independent, could also leave extract_auth_cookie as alias/wrapper to
>     avoid a change in PMG. but since we need to change other method signatures
>     anyway for the token part, we could change this as well.
>     
>     as-is, needs a versioned breaks/depends on pve-manager and some part of PMG?
> 
>  PVE/APIServer/AnyEvent.pm  |  5 ++++-
>  PVE/APIServer/Formatter.pm | 12 ++++++------
>  2 files changed, 10 insertions(+), 7 deletions(-)
> 
> diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
> index 9aba27d..c0b90ab 100644
> --- a/PVE/APIServer/AnyEvent.pm
> +++ b/PVE/APIServer/AnyEvent.pm
> @@ -1232,7 +1232,10 @@ sub unshift_read_header {
>  		} elsif ($path =~ m/^\Q$base_uri\E/) {
>  		    my $token = $r->header('CSRFPreventionToken');
>  		    my $cookie = $r->header('Cookie');
> -		    my $ticket = PVE::APIServer::Formatter::extract_auth_cookie($cookie, $self->{cookie_name});
> +		    my $auth_header = $r->header('Authorization');
> +		    my $ticket = PVE::APIServer::Formatter::extract_auth_value($cookie, $self->{cookie_name});
> +		    $ticket = PVE::APIServer::Formatter::extract_auth_value($auth_header, $self->{cookie_name})
> +			if !$ticket;

can we do this a bit more separate like:

if (!$ticket && (my $auth_header = $r->header('Authorization')) {
    $ticket = PVE::APIServer::Formatter::extract_auth_value($auth_header, $self->{cookie_name});
}

or if you prefer:

if (!$ticket) {
    my $auth_header = $r->header('Authorization');
    $ticket = PVE::APIServer::Formatter::extract_auth_value($auth_header, $self->{cookie_name});
}

makes it slightly cleaner/easier to read, IMO

>  
>  		    my ($rel_uri, $format) = &$split_abs_uri($path, $self->{base_uri});
>  		    if (!$format) {
> diff --git a/PVE/APIServer/Formatter.pm b/PVE/APIServer/Formatter.pm
> index 0c459bd..def1932 100644
> --- a/PVE/APIServer/Formatter.pm
> +++ b/PVE/APIServer/Formatter.pm
> @@ -75,16 +75,16 @@ sub get_login_formatter {
>  
>  # some helper functions
>  
> -sub extract_auth_cookie {
> -    my ($cookie, $cookie_name) = @_;
> +sub extract_auth_value {
> +    my ($header, $key) = @_;
>  
> -    return undef if !$cookie;
> +    return undef if !$header;
>  
> -    my $ticket = ($cookie =~ /(?:^|\s)\Q$cookie_name\E=([^;]*)/)[0];
> +    my $value = ($header =~ /(?:^|\s)\Q$key\E(?:=| )([^;]*)/)[0];
>  
> -    $ticket = uri_unescape($ticket) if $ticket;
> +    $value = uri_unescape($value) if $value;
>  
> -    return $ticket;
> +    return $value;
>  }
>  
>  sub create_auth_cookie {
>

More information about the pve-devel mailing list