use safer pve ticket endpoint

Arthur Lu 2023-05-13 07:28:09 +00:00
parent 119efcda33
commit c6d5d5dbc5
2 changed files with 6 additions and 14 deletions


@ -1,10 +1,10 @@
import {requestTicket, setTicket, NetworkError, goToPage, deleteAllCookies, requestPVE} from "./utils.js"; import {requestTicket, NetworkError, goToPage, deleteAllCookies, requestPVE} from "./utils.js";
import {alert} from "./dialog.js"; import {alert} from "./dialog.js";
window.addEventListener("DOMContentLoaded", init); window.addEventListener("DOMContentLoaded", init);
async function init (){ async function init (){
deleteAllCookies(); await deleteAllCookies();
let formSubmitButton = document.querySelector("#submit"); let formSubmitButton = document.querySelector("#submit");
let realms = await requestPVE("/access/domains", "GET"); let realms = await requestPVE("/access/domains", "GET");
let realmSelect = document.querySelector("#realm"); let realmSelect = document.querySelector("#realm");
@ -22,7 +22,6 @@ async function init (){
formSubmitButton.innerText = "Authenticating..."; formSubmitButton.innerText = "Authenticating...";
let ticket = await requestTicket(formData.get("username"), formData.get("password"), formData.get("realm")); let ticket = await requestTicket(formData.get("username"), formData.get("password"), formData.get("realm"));
if (ticket.status === 200) { if (ticket.status === 200) {
setTicket(ticket.data.ticket, ticket.data.CSRFPreventionToken, formData.get("username"));
formSubmitButton.innerText = "LOGIN"; formSubmitButton.innerText = "LOGIN";
goToPage("index.html"); goToPage("index.html");
} }
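Review bot: `await deleteAllCookies();` at the top of `init` now puts a network request in front of all the form setup, so if that call rejects, the lines after it never run and the login form is presumably left without its realm list and submit handler. Whether `requestAPI` throws or returns an error object is not visible in this commit; if it can throw, guard the call, e.g. `try { await deleteAllCookies(); } catch (e) { console.error(e); }`, so a failed cleanup does not block sign-in. With `setTicket` gone, the success branch also deserves a comment such as `// session cookies are set by the API's /ticket response; nothing is stored from script`, because the `status === 200` path no longer shows where the session comes from. The body of `init` continues outside both hunks.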


@ -96,18 +96,10 @@ export function getCookie(cname) {
} }
export async function requestTicket (username, password, realm) { export async function requestTicket (username, password, realm) {
let response = await requestPVE("/access/ticket", "POST", {username: `${username}@${realm}`, password: password}, false); let response = await requestAPI("/ticket", "POST", {username: `${username}@${realm}`, password: password}, false);
return response; return response;
} }
export function setTicket (ticket, csrf, username) {
let d = new Date();
d.setTime(d.getTime() + (2*60*60*1000));
document.cookie = `PVEAuthCookie=${ticket}; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`;
document.cookie = `CSRFPreventionToken=${csrf}; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`
document.cookie = `username=${username}@ldap; path=/; expires=${d.toUTCString()}; domain=.tronnet.net; Secure;`
}
export async function requestPVE (path, method, body = null) { export async function requestPVE (path, method, body = null) {
let prms = new URLSearchParams(body); let prms = new URLSearchParams(body);
let content = { let content = {
@ -204,6 +196,7 @@ export function getURIData () {
return Object.fromEntries(url.searchParams); return Object.fromEntries(url.searchParams);
} }
export function deleteAllCookies () { export async function deleteAllCookies () {
document.cookie.split(";").forEach(function(c) { document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/;domain=.tronnet.net;"); }); document.cookie.split(";").forEach(function(c) { document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/;domain=.client.tronnet.net;"); });
await requestAPI("/ticket", "DELETE");
} }
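Review bot: In `deleteAllCookies` the result of `requestAPI("/ticket", "DELETE")` is discarded, so a failed server-side logout is indistinguishable from a successful one. This matters more after the change, because the client-side expiry loop now targets `domain=.client.tronnet.net`, which will not match cookies the removed `setTicket` issued for `.tronnet.net`. The loop also cannot see any cookie the API marks HttpOnly, and the API's Set-Cookie attributes are not visible here. The login caller already reads `.status` from `requestTicket`, which returns the `requestAPI` response, so the same shape is presumably available: keep it with `let res = await requestAPI("/ticket", "DELETE");` and report a non-200 `res.status` to the caller instead of returning silently. A one-line comment stating that the DELETE call is the authoritative logout, and the `document.cookie` loop only best-effort cleanup, would make that dependency explicit.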