[pve-devel] [PATCH v3 http-server 1/2] allow ticket in auth header as fallback
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Jan 29 21:46:12 CET 2020
On 1/21/20 1:54 PM, Fabian Grünbichler wrote:
> From: Tim Marx <t.marx at proxmox.com>
>
> based on idea & RFC by Tim Marx, incorporating feedback by Thomas
> Lamprecht. this will be extended to support API tokens in the
> Authorization header as well, so make it generic.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>
> Notes:
> semi-independent, could also leave extract_auth_cookie as alias/wrapper to
> avoid a change in PMG. but since we need to change other method signatures
> anyway for the token part, we could change this as well.
>
> as-is, needs a versioned breaks/depends on pve-manager and pmg-api
>
> PVE/APIServer/AnyEvent.pm | 9 ++++++++-
> PVE/APIServer/Formatter.pm | 12 ++++++------
> 2 files changed, 14 insertions(+), 7 deletions(-)
>
> diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
> index 539a156..1e5c180 100644
> --- a/PVE/APIServer/AnyEvent.pm
> +++ b/PVE/APIServer/AnyEvent.pm
> @@ -1229,7 +1229,14 @@ sub unshift_read_header {
> } elsif ($path =~ m/^\Q$base_uri\E/) {
> my $token = $r->header('CSRFPreventionToken');
> my $cookie = $r->header('Cookie');
> - my $ticket = PVE::APIServer::Formatter::extract_auth_cookie($cookie, $self->{cookie_name});
> + my $auth_header = $r->header('Authorization');
> +
> + # prefer actual cookie
> + my $ticket = PVE::APIServer::Formatter::extract_auth_value($cookie, $self->{cookie_name});
> +
> + # fallback to cookie in 'Authorization' header
> + $ticket = PVE::APIServer::Formatter::extract_auth_value($auth_header, $self->{cookie_name})
> + if !$ticket;
>
> my ($rel_uri, $format) = &$split_abs_uri($path, $self->{base_uri});
> if (!$format) {
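Review bot: the fallback guarded by "if !$ticket" only runs when the Cookie header yields no value, so a request that carries both a cookie and an Authorization header always ends up with the cookie's value in $ticket, even if that cookie is stale. If this precedence is intended, state it in the "prefer actual cookie" comment. The comment should also spell out the accepted header form, since the value is looked up under $self->{cookie_name}: going by the regex in Formatter.pm, that is "Authorization: <cookie_name>=<ticket>" or "Authorization: <cookie_name> <ticket>".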
> diff --git a/PVE/APIServer/Formatter.pm b/PVE/APIServer/Formatter.pm
> index 0c459bd..def1932 100644
> --- a/PVE/APIServer/Formatter.pm
> +++ b/PVE/APIServer/Formatter.pm
> @@ -75,16 +75,16 @@ sub get_login_formatter {
>
> # some helper functions
>
> -sub extract_auth_cookie {
> - my ($cookie, $cookie_name) = @_;
> +sub extract_auth_value {
> + my ($header, $key) = @_;
>
> - return undef if !$cookie;
> + return undef if !$header;
>
> - my $ticket = ($cookie =~ /(?:^|\s)\Q$cookie_name\E=([^;]*)/)[0];
> + my $value = ($header =~ /(?:^|\s)\Q$key\E(?:=| )([^;]*)/)[0];
>
> - $ticket = uri_unescape($ticket) if $ticket;
> + $value = uri_unescape($value) if $value;
>
> - return $ticket;
> + return $value;
> }
>
> sub create_auth_cookie {
>
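Review bot: in extract_auth_value the separator is widened to "(?:=| )" for every caller, so Cookie headers are now also matched on "<key> <value>". For the Authorization header, the "(?:^|\s)" prefix lets the key match anywhere after whitespace rather than only as the leading scheme. Consider keeping the "="-only pattern for cookies and using a pattern anchored at the start of the header for Authorization, or passing the allowed separator in as a parameter. The uri_unescape() of the captured value now applies to the Authorization form as well, which deserves a line in a comment above the sub so client authors know the value is URL-decoded there.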
applied, thanks!