[pve-devel] [PATCH widget-toolkit] fix #2758: reject 'tfa' cookies
Dominik Csapak
d.csapak at proxmox.com
Mon May 25 10:35:02 CEST 2020
return false on authOK when the ticket is a tfa ticket
(starts with PVE:tfa!)
when a user now loads the page with only a tfa ticket, it shows the
login window again
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
Utils.js | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Utils.js b/Utils.js
index 22eddd2..cae25b2 100644
--- a/Utils.js
+++ b/Utils.js
@@ -207,7 +207,8 @@ Ext.define('Proxmox.Utils', { utilities: {
if (Proxmox.LoggedOut) {
return undefined;
}
- return (Proxmox.UserName !== '') && Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+ let cookie = Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+ return (Proxmox.UserName !== '') && (cookie && !cookie.startsWith("PVE:tfa!"));
},
authClear: function() {
--
2.20.1
More information about the pve-devel
mailing list