use safer pve ticket endpoint

Arthur Lu 2023-05-13 07:28:09 +00:00
parent 06c6e926ca
commit a3e1d2ed03
2 changed files with 6 additions and 14 deletions


@ -1,10 +1,10 @@
import {requestTicket, setTicket, NetworkError, goToPage, deleteAllCookies, requestPVE} from "./utils.js";
import {requestTicket, NetworkError, goToPage, deleteAllCookies, requestPVE} from "./utils.js";
import {alert} from "./dialog.js";
window.addEventListener("DOMContentLoaded", init);
async function init (){
deleteAllCookies();
await deleteAllCookies();
let formSubmitButton = document.querySelector("#submit");
let realms = await requestPVE("/access/domains", "GET");
let realmSelect = document.querySelector("#realm");
@ -22,7 +22,6 @@ async function init (){
formSubmitButton.innerText = "Authenticating...";
let ticket = await requestTicket(formData.get("username"), formData.get("password"), formData.get("realm"));
if (ticket.status === 200) {
setTicket(ticket.data.ticket, ticket.data.CSRFPreventionToken, formData.get("username"));
formSubmitButton.innerText = "LOGIN";
goToPage("index.html");
}
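Review bot: The success branch under `if (ticket.status === 200)` no longer writes the `username` cookie that the removed `setTicket` call used to set, so any page that reads it via `getCookie("username")` will now see an empty value unless the server's `/ticket` response sets an equivalent cookie — worth confirming before merge. The `await deleteAllCookies()` added at the top of `init` also issues a `DELETE /ticket` on every load of the login page before the realm list is fetched, so if that call rejects (e.g. with the imported `NetworkError`) the rest of `init` is skipped unless a handler exists outside this hunk; consider `try { await deleteAllCookies(); } catch (e) { /* best-effort logout; form must still render */ }`. `init`'s body, including the non-200 branch, continues outside the hunk.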


@ -96,18 +96,10 @@ export function getCookie(cname) {
}
export async function requestTicket (username, password, realm) {
let response = await requestPVE("/access/ticket", "POST", {username: `${username}@${realm}`, password: password}, false);
let response = await requestAPI("/ticket", "POST", {username: `${username}@${realm}`, password: password}, false);
return response;
}
export function setTicket (ticket, csrf, username) {
let d = new Date();
d.setTime(d.getTime() + (2*60*60*1000));
document.cookie = `PVEAuthCookie=${ticket}; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`;
document.cookie = `CSRFPreventionToken=${csrf}; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`
document.cookie = `username=${username}@ldap; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`
}
export async function requestPVE (path, method, body = null) {
let prms = new URLSearchParams(body);
let content = {
@ -204,6 +196,7 @@ export function getURIData () {
return Object.fromEntries(url.searchParams);
}
export function deleteAllCookies () {
document.cookie.split(";").forEach(function(c) { document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/;domain=.tronnet.net;"); });
export async function deleteAllCookies () {
document.cookie.split(";").forEach(function(c) { document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/;domain=.client.tronnet.net;"); });
await requestAPI("/ticket", "DELETE");
}
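Review bot: The client-side sweep in `deleteAllCookies` now expires cookies with `domain=.client.tronnet.net`, but the cookies the removed `setTicket` wrote carried `domain=.tronnet.net`; a browser only removes a cookie when the domain and path attributes match, so users who logged in with the previous build keep their `PVEAuthCookie`, `CSRFPreventionToken` and `username` cookies until they expire on their own. Either sweep both domains for a transition period or accept that only the server-side `DELETE /ticket` invalidates old sessions, and say so in a comment above the loop. The sweep also runs before `await requestAPI("/ticket", "DELETE");`; if `requestAPI` reads the CSRF token from a non-HttpOnly cookie, clearing it first could make that DELETE fail, so moving the `await requestAPI(...)` line above the `forEach` avoids the question. Note too that `document.cookie` never lists HttpOnly cookies, so the loop is best-effort and the server call is the real logout.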