[pve-devel] [PATCH widget-toolkit] fix #2758: reject 'tfa' cookies

Dominik Csapak d.csapak at proxmox.com
Mon May 25 10:35:02 CEST 2020


return false on authOK when the ticket is a tfa ticket
(starts with PVE:tfa!)

when a user now loads the page with only a tfa ticket, it shows the
login window again

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 Utils.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Utils.js b/Utils.js
index 22eddd2..cae25b2 100644
--- a/Utils.js
+++ b/Utils.js
@@ -207,7 +207,8 @@ Ext.define('Proxmox.Utils', { utilities: {
 	if (Proxmox.LoggedOut) {
 	    return undefined;
 	}
-	return (Proxmox.UserName !== '') && Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+	let cookie = Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+	return (Proxmox.UserName !== '') && (cookie && !cookie.startsWith("PVE:tfa!"));
     },
 
     authClear: function() {
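Review bot: The ticket prefix `"PVE:tfa!"` on the new return line is hard-coded, while the cookie name is read from `Proxmox.Setup.auth_cookie_name`. If another product using this toolkit issues partial tickets under a different prefix, that ticket would presumably still count as a full login here; consider taking the prefix from setup as well. The line would also benefit from a comment such as `// a 'tfa' ticket only proves the first factor, so it must not count as logged in`. The expression now yields a boolean (or the falsy cookie value) where it previously returned the cookie string, so callers that used the return value as the ticket should be checked. This is a UI gate only, so the server still has to refuse tfa tickets on API calls. The enclosing function starts above the hunk.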
-- 
2.20.1




