From c6d5d5dbc5126e360e2f4934b9a6ed577dc9d771 Mon Sep 17 00:00:00 2001
From: Arthur Lu
Date: Sat, 13 May 2023 07:28:09 +0000
Subject: [PATCH] use safer pve ticket endpoint

---
 scripts/login.js | 5 ++---
 scripts/utils.js | 15 ++++-----------
 2 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/scripts/login.js b/scripts/login.js
index c9443ad..007ea95 100644
--- a/scripts/login.js
+++ b/scripts/login.js
@@ -1,10 +1,10 @@
-import {requestTicket, setTicket, NetworkError, goToPage, deleteAllCookies, requestPVE} from "./utils.js";
+import {requestTicket, NetworkError, goToPage, deleteAllCookies, requestPVE} from "./utils.js";
 import {alert} from "./dialog.js";
 window.addEventListener("DOMContentLoaded", init);
 async function init (){
- deleteAllCookies();
+ await deleteAllCookies();
 let formSubmitButton = document.querySelector("#submit");
 let realms = await requestPVE("/access/domains", "GET");
 let realmSelect = document.querySelector("#realm");
@@ -22,7 +22,6 @@ async function init (){
 formSubmitButton.innerText = "Authenticating...";
 let ticket = await requestTicket(formData.get("username"), formData.get("password"), formData.get("realm"));
 if (ticket.status === 200) {
- setTicket(ticket.data.ticket, ticket.data.CSRFPreventionToken, formData.get("username"));
 formSubmitButton.innerText = "LOGIN";
 goToPage("index.html");
 }
diff --git a/scripts/utils.js b/scripts/utils.js
index 0e22ccf..3fbd6b0 100644
--- a/scripts/utils.js
+++ b/scripts/utils.js
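Review bot: `await deleteAllCookies();` at the top of init now performs a network request (the utils.js hunk makes it call `requestAPI("/ticket", "DELETE")`), and a rejection there aborts init before the realm list is loaded and the submit handler is attached, so a failed cleanup call leaves the login page inert. Since the cleanup is best-effort from the login page's point of view, it should not block login: `try { await deleteAllCookies(); } catch (err) { console.warn("ticket cleanup failed", err); }`. Whether requestAPI rejects or returns an error status on failure is not visible in this patch, so the guard should cover both. The body of init continues outside the hunk.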
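Review bot: With `setTicket(...)` removed from the `ticket.status === 200` branch, nothing in login.js stores the session any more, and a reader has no indication of where it now comes from; presumably the `/ticket` endpoint's response sets the cookies itself. A comment at the top of the branch would spare the next maintainer a search: `// Session cookies are set by the /ticket endpoint's response; the client no longer writes PVEAuthCookie or CSRFPreventionToken itself.` The surrounding submit handler starts and ends outside the hunk.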
@@ -96,18 +96,10 @@ export function getCookie(cname) {
 }
 export async function requestTicket (username, password, realm) {
- let response = await requestPVE("/access/ticket", "POST", {username: `${username}@${realm}`, password: password}, false);
+ let response = await requestAPI("/ticket", "POST", {username: `${username}@${realm}`, password: password}, false);
 return response;
 }
-export function setTicket (ticket, csrf, username) {
- let d = new Date();
- d.setTime(d.getTime() + (2*60*60*1000));
- document.cookie = `PVEAuthCookie=${ticket}; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`;
- document.cookie = `CSRFPreventionToken=${csrf}; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`
- document.cookie = `username=${username}@ldap; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`
-}
-
 export async function requestPVE (path, method, body = null) {
 let prms = new URLSearchParams(body);
 let content = {
@@ -204,6 +196,7 @@ export function getURIData () {
 return Object.fromEntries(url.searchParams);
 }
-export function deleteAllCookies () {
- document.cookie.split(";").forEach(function(c) { document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/;domain=.tronnet.net;"); });
+export async function deleteAllCookies () {
+ document.cookie.split(";").forEach(function(c) { document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/;domain=.client.tronnet.net;"); });
+ await requestAPI("/ticket", "DELETE");
 }
\ No newline at end of file
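Review bot: requestTicket still hands the whole `requestAPI("/ticket", ...)` response back to the caller, so if the new endpoint echoes `ticket` or `CSRFPreventionToken` in the JSON body the credential remains readable by page script even though the client no longer writes it into a cookie; the gain from this patch depends on the endpoint setting those values only through response cookies and leaving them out of the body, which is worth confirming against the API. The trailing `false` argument is carried over from the old requestPVE call, whose signature in this same hunk is `(path, method, body = null)`; unless requestAPI (defined outside the hunk) accepts a fourth parameter, it is dead and should be dropped. The function also deserves a JSDoc now that its contract changed, along the lines of `/** POST credentials to the API ticket endpoint; the session cookies are expected to be set by the response, not by this client. */`.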
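Review bot: The local cookie wipe in deleteAllCookies now expires cookies with `domain=.client.tronnet.net`, while the setTicket removed in the previous hunk wrote them with `domain=.tronnet.net`; a browser only expires a cookie when the attributes match, so cookies left over from before this change would survive the loop, which may be intended but deserves a comment such as `// only clears cookies scoped to .client.tronnet.net; older .tronnet.net cookies are left to expire`. The loop can in any case only reach cookies visible to document.cookie, so the new `await requestAPI("/ticket", "DELETE")` is what actually invalidates the server-side session, yet its result is neither checked nor caught, making a failed invalidation indistinguishable from success for callers. Assuming requestAPI returns the same `{status, ...}` shape that login.js reads from requestTicket, `const res = await requestAPI("/ticket", "DELETE"); if (res.status !== 200) console.warn("ticket invalidation failed", res.status);` would at least surface it. Note also that login.js calls this on every page load, so the DELETE is sent even when no session exists.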