No ticket error even with the ticket in api2/json/nodes/pve/qemu/100/vncwebsocket

[PedroPastore]

I'm trying to embed the noVNC application in my website so people can connect to some proxmox VM, but I'm having a hard time connecting the noVNC using the api2/json/nodes/pve/qemu/100/vncwebsocket endpoint.

I've tried using the following url in the noVNC page to try and connect to proxmox

http://0.0.0.0:9123/vnc?host=MYPROXMOXIP&port=8006&encrypt=1&path=api2%2Fjson%2Fnodes%2Fpve%2Fqemu%2F100%2Fvncwebsocket%3Fport%3D5900%26vncticket%3DPVEVNC%253A63FF909F%253A%253AhRNBOIzdsCUaBf2hOf9vKx0tHxfH1%252BRHqXkDEq8v7GfEQuGn%252BmRGa7TKFrSJT9ACYf3hEOxpMAqDl9vZbMsssVz8KlS2T5njyzlm1%252FyFxLyQMgpcH5s0MjT5TnurfcTHEW147jc7A1h2eyb2lXxLPkWkDDDcK4bjL%252BdtJ3%252FL1mEzOXwymE5KP6URT3r3AbLL4a2G0yrMVtNT9sjx8IMGkBBa%252FZOAXBk62e3xACTkpnQKvNQL%252Bu%252BXy5aEDMgmXaKbmIqRZLvG5Ua4qWLpD93m6dcEHVuRaZdbF1yNqBc0Kg4UEhazWBdJMxSXCRfyi03XbGPxJ4RznkgaYtyrq0CoyA%253D%253D


I saw in this post here that the ticket is supposed to be URLEncoded so i did that, but i still cannot connect to proxmox, i keep getting an error saying that there is no ticket like shown in this screenshot:

I've tried not using URLEncoding but the problem is still the same

 

[dcsapak]

the connection also has to have a valid PVEAuthCookie, not only the vncticket in the url

 

[PedroPastore]

I started using the PVEAuthCookie like dcsapak suggested but now i get the following response




the dev console shows that the following request was made and failed, im not sure what is wrong with the request (i changed most of the characters in the ticket to post it here)

ws://myIP/api2/json/nodes/pve/qemu/101/vncwebsocket?port=5900&vncticket=PVEVNC:6405D56A::02rABWvX78AkqEdecN6CSXneHTstdzyxGYgT9pqkOJsNxvg8XmGd7Pxzs0yrZfOcKNJ1lj5ooFlILT1cEgUsAIE Hr/xCFYoNVkj YyFYqIIpobgo97vkRGFqTfWe4ezChi/sqGdgJ3oOloreDE5PNOqUZtMniEOUNBTZHn1N11tQukFabD4rquoggcCAqgr2MG6MvciEX8P3qUODHcXTopxwxcyMnVATrTGYsxrwNEHBOlHsC/DgMytd4ru SdvmZvup58jBXwdyhq/sLxlL8lLnG9bSXSWNG7ouqiajij Ekhit/jTqT773CbjM 6pBUKKlk6ONNcSQJ2C5KZB3uw==

 

[PedroPastore]

UPDATE, fixed the error 400 Parameter verification failed by removing the amp; that the html encoding was adding to the URL, but now im getting the error:

i tried it with the ticket as it comes from the request, with urlencoding and even tried urlenconding it twice but i the error is the same, as far as I understand this is the ticket i get in the endpoint https://172.16.20.151:8006/api2/json/nodes/pve/qemu/100/vncproxy and then i use it here, but it doesn't seem to be working

Ps. the browser shows me that it is trying to connect to the following websocket (again I changed most of the characters in the ticket to post it here)
ws://myip/api2/json/nodes/pve/qemu/101/vncwebsocket?port=5900&vncticket=PVEVNC:64061558::e2o8SQ96/BHMrueanUuKr8hHclUScNfXzwfaVyAUm5YDg/0ESdo6tIQbsV5dD3b+QRboN8/0Ytk/Cgm0sO94Qw0JlZ5gs0YRvB+4rlV4D07fkhDGEgsP5tmx8fUG42PzluPXFcvsdAe7MCq3ZtYG2ZMCFWhxEOWZEWV9Jmh88k7wr4C/16ohfAV0kEM/b060ZcCuGYGiQoHodah3UNQPl7yXCBw2c3VMtGwAQrvgEM4gasGRVtDxCs66h2C6ShlRW1SBukwg34Mw+f3F3VvnU5g2hV6dGU4fFT6+wc2OkgMm86jrj2Rskjue1aimn/dICt/m9iImDvoXrhEOQNQdsg==

 

[dcsapak]

the vncticket only has a very short lifetime (10seconds), are you making the requests fast enough? the ticket should be urlencoded e.g. with 'encodeURIComponent' in javascript

 

[PedroPastore]

the vncticket only has a very short lifetime (10seconds), are you making the requests fast enough? the ticket should be urlencoded e.g. with 'encodeURIComponent' in javascript

yeah im using encodeURIComponent on the ticket, also i timed the request and it definetly does not take more then 5 seconds for the page to load and for me to click connect, so basically the entire process takes less than 5 seconds.
I also tried with the api key of a pve user and a pam user, both had the same error

 

[dcsapak]

is the user that generated the ticket the same user for which the cookie is set? this is also a requirement

 

[PedroPastore]

is the user that generated the ticket the same user for which the cookie is set? this is also a requirement

yes

 

[PedroPastore]

Here is the code that gets the tokens and the websocket port, maybe im doing something wrong (all authentication info was altered to be useless to post here)

 return fetch(
      'https://myip:8006/api2/json/nodes/pve/qemu/100/vncproxy',
      {
        method:"POST",
        headers:{
          "Content-Type": "application/x-www-form-urlencoded",
          "Authorization": "Bearer PVEAPIToken=myfakeusername@pve!test=9e1b868f-e1Cc-4Eg0-9qcv-113dc7d87709"
        }
      }
    )
      .then((result)=>{
        return result.json()
      })
      .then((result)=>{
        ticket = result.data.ticket
        console.log(ticket)
        return fetch(
          'https://myip:8006/api2/json/nodes/pve/qemu/100/vncwebsocket?' +
            new URLSearchParams({
              port:result.data.port,
              vncticket:result.data.ticket
            }),
          {
            method: "GET",
            headers:{
              "Content-Type": "application/x-www-form-urlencoded",
              "Authorization": "Bearer PVEAPIToken=myfakeusername@pve!test=9e1b868f-e1Cc-4Eg0-9qcv-113dc7d87709"
            }
          }
        )
      })
      .then((result)=>result.json())
      .then((result)=>{
        port = result.data.port
        return fetch(
          'https://myip:8006/api2/json/access/ticket',
          {
            method: "POST",
            headers:{
              "Content-Type": "application/x-www-form-urlencoded"
            },
            body: new URLSearchParams({
              'username': "myfakeusername@pve",
              'password': "123456"
            })
          }
        )
      })
      .then((result)=>result.json())
      .then((result)=>{
        result.ticket = ticket
        result.port = port
        return result
      })
  }
}

 

[dcsapak]

ok a few things here:

i don't really know what you are trying to achieve, but using the vncwebsocket api in this way will never work
this is intended to be used as a websocket, not a 'normal' api call. (e.g. use 'wss://<...>/vncwebsocket' in a 'new Websocket()' call)

second, the 'Bearer' part of the Authorization header is wrong, just omit it
(e.g. a good header would be:

'Authorization: PVEAPIToken=.....'

with a token, you should not need to create a ticket in the fist place

 

[PedroPastore]

I will try to explain better what I'm trying to do:

I am trying to have a page in my website with noVNC, the code i posted was in my backend, i was tring to get the info necessary to pass to the front end so that a user can access the an specific VM, the Websocket connection code in done in the noVNC library, I was just passing the arguments to the lib.

After i pass the info to the front end and try to create the connection between the noVNC and the VM i get the following error

According to the error that appears in my browser's console when i try to do that the noVNC lib tried doing the following request

GET  ws://myip/api2/json/nodes/pve/qemu/100/vncwebsocket?port=5900&vncticket=PVEVNC:640869E9::TuIrytx+dL1RCQu64GmN1bxEKrTzZYdPBwmbP8IPV5f2yOFxLO0BIH7TONDjqb7phE87xMh25mmMIG7PFMUJlO0BRG/HB8cE7F7IK6CYOplU2p106xd1pRn+QllHCUlxRKtu9HgVAK/fZFXPrEI3DHYgEkLVKxizHnpmr+eXSGGCDthZFgl17Xgmy86naQ1XrpM9qseRRKhpewS1cbSvB2mWV8ojfKkF64d3jaxXzrfRdkI6iIDuufMo8NJbA0HqGCUFvcNrvHKDXAYI70INqPdvbfiJeKy/uniJh3BIRVFSS2GaewKJBK2kVdK07aQkpMef/jYaXmcKsaXj6juYCBew==

it also used the following cookie:

PVEAuthCookie : "PVE:mypveaccount@pve:610363E9::ARWQP9atrj6l6NQpHaPqEjWGUDuqIXqhzLuUekBlvoe1AhcWELzfXQpwmrxar9h/k/JaBRToCFjQoVVvk6h5CG98f/4JwcHfDYtIiFfWlkDGbIiLCtMQY6rdUFa7M0AmgFcc1z72OD9tgJcjGJPGMzzfNSSZvw/evorX2nFQO/Z1NdKewC/6mm//AFNES4BhNgf3Mfasd3Sssnlx1rfmZWkbmGPlGzC41d/oAyILzyf/XInVsPURKVFqrIah9CWAgFPc0VgEOKc5OP2vLU88TTqAzm49zyUYr81ExnaH3YDk1X7473wgGgcfORkVcnrlurxYV08TTERKu+MkX/6NA=="

The entire process takes about 5 seconds in total and I am not sure why I'm getting the PVEVNC error, because of what dcsapak said i removed the call in the backend to the vncwebsocket endpoint (i thought it was necessary to "activate" it before using it) and i also removed Bearer part of the Auth header but the error i get is still the same.

ok a few things here:

i don't really know what you are trying to achieve, but using the vncwebsocket api in this way will never work
this is intended to be used as a websocket, not a 'normal' api call. (e.g. use 'wss://<...>/vncwebsocket' in a 'new Websocket()' call)

second, the 'Bearer' part of the Authorization header is wrong, just omit it
(e.g. a good header would be:

'Authorization: PVEAPIToken=.....'

with a token, you should not need to create a ticket in the fist place

 

[dcsapak]

ok, the vncticket must be urlencoded properly (e.g. the ':' and '=' symbols)

aside from that, and making sure the enduser cookie set is for the same user as the vncticket, there is not much else that could go wrong with that error message though...

what i find curious though is the use of 'ws://' which would indicate a non encrypted websocket, which might not correctly send the cookie along?

 

[PedroPastore]

ok, the vncticket must be urlencoded properly (e.g. the ':' and '=' symbols)

aside from that, and making sure the enduser cookie set is for the same user as the vncticket, there is not much else that could go wrong with that error message though...

what i find curious though is the use of 'ws://' which would indicate a non encrypted websocket, which might not correctly send the cookie along?

I have now tried it with wss and it didn't change the error, as for the encoding, I'm doing it in the back end but i also printed the string right before passing it to the noVNC library in the frontend and in the backend as well (after encoding it) and compared the 2, both are exactly the same. Just to be sure I'm using the following to encode the ticket:

let encodedTicket = encodeURIComponent(result.ticket)

I also triple checked and all the api calls are being made by the only PVE user i have in this proxmox.

I honestly don't even know what i can change to make it work

PS. the user I'm using has permission do to basically everything

 

[dcsapak]

weird that it does not work, since we basically do the same:

we use this function to url encode the parameters:

urlEncode: function(object) {                                                           
   var i,value, params = [];                                                            
                                                                                        
   for (i in object) {                                                                  
       if (object.hasOwnProperty(i)) {                                                  
           value = object[i];                                                           
           if (value === undefined) value = '';                                         
           params.push(encodeURIComponent(i) + '=' + encodeURIComponent(String(value)));
       }                                                                                
   }                                                                                    
                                                                                        
   return params.join('&');                                                             
},

and this is how it's called:

var wsparams = me.urlEncode({                                                        
    port: result.data.port,                                                          
    vncticket: result.data.ticket                                                    
});                                                                                  
                                                                                     
document.getElementById('noVNC_password_input').value = result.data.ticket;          
me.UI.forceSetting('path', 'api2/json' + me.baseUrl + '/vncwebsocket' + "?" + wsparams);

(the 'path' setting is what novnc uses for the websocket part then)

see: https://git.proxmox.com/?p=novnc-pv...7821490369c153655e9;hb=refs/heads/master#l383

 

[PedroPastore]

Unfortunately I'm still having the problem, here are the things i have tried since my last post:



Instead of using my code to encode the ticket i copied the code from the https://git.proxmox.com/?p=novnc-pv...7821490369c153655e9;hb=refs/heads/master#l383

I tried encoding the ticket that is added to the cookie as well since i opened the console the promox dashboard and checked the cookies of the page, the ticket was URLencoded there as well

I then tried everything again with the root user

I created a new cluster and then repeated all the tests again with the new cluster

I changed the order in which I call the vncproxy endpoint and the access ticket endpoint

all of the options above where not successful in connecting the VNC with the proxmox, the only noticeable difference is that when i URL encoded the ticket in the cookie the error i got changed from
invalid PVEVNC ticket
to
invalid PVE ticket

unfortunatelly that didn't help me in understanding what I'm doing wrong.

 

[dcsapak]

i am sorry you're having trouble getting this to work, but without more information and/or looking at what exactly you're doing on the novnc side, there really is not much i can do here
you could try to simply use our novnc code and tweak it to get it to work?

 

[PedroPastore]

i am sorry you're having trouble getting this to work, but without more information and/or looking at what exactly you're doing on the novnc side, there really is not much i can do here
you could try to simply use our novnc code and tweak it to get it to work?

Well, for the noVNC part I cloned the git repository found in this link: https://github.com/novnc/noVNC and then created a little server that returns the vnc.html page, the only part of the code i changed was the following part in the ui.js file:

// start of my code
fetch(window.location.pathname + "/getVNCInfo",
{
  method: "GET",
}
)
.then((result)=>result.json())
  .then((result)=>{
      UI.forceSetting('path', 'api2/json/nodes/pve/qemu/100/vncwebsocket' + "?" + result.encodedParams);
      console.log(result)
      })
.catch((err)=>{
    console.log(err)
    })
//end of my code

UI.initSetting('host', window.location.hostname);
UI.initSetting('port', port);
UI.initSetting('encrypt', (window.location.protocol === "https:"));
UI.initSetting('view_clip', false);
UI.initSetting('resize', 'off');
UI.initSetting('quality', 6);
UI.initSetting('compression', 2);
UI.initSetting('shared', true);
UI.initSetting('view_only', false);
UI.initSetting('show_dot', false);
// UI.initSetting('path', mypath); commented this line because im setting the path in the code above
UI.initSetting('repeaterID', '');
UI.initSetting('reconnect', false);
UI.initSetting('reconnect_delay', 5000);

UI.setupSettingLabels();

i use that fetch to get the info i need, the rest of the code comes from the noVNC respository, i know the fetch part is async so for this test i always wait for the console.log(result) to show in the browser console before trying to connect.

I would change a lot of parts before using in my website, but right now i just want to make it work once before I automate the process for multiple clients

When it comes to using your noVNC code, where can i get it ? I know you sent the link to the https://git.proxmox.com that has the VNC code, but im not sure how i can clone the repository to see the files. im only able to see specific commits in the link.

 

[dcsapak]

the repo is in: https://git.proxmox.com/?p=novnc-pve.git;a=summary

and has a few links at the top:
e.g. 'fast: git://git.proxmox.com/git/novnc-pve.git'

you can check that out with git like this:

git clone git://git.proxmox.com/git/novnc-pve.git

 

[PedroPastore]

the repo is in: https://git.proxmox.com/?p=novnc-pve.git;a=summary

and has a few links at the top:
e.g. 'fast: git://git.proxmox.com/git/novnc-pve.git'

you can check that out with git like this:

git clone git://git.proxmox.com/git/novnc-pve.git

Sorry for the lack of knowledge but after i cloned it but the novnc folder is empty. i tried changing branches, like changing to the branch stable-4, but then the folder novnc is deleted, im confused as to how im supposed to get the code

 

[dcsapak]

ah, yes, the novnc code itself is only in a submodule, you can fetch that with:

git submodule update --init --recursive

to see the actual code we run, you have to apply the patches in the debian/patches folder
(thats a debian packaging thing) e.g. with 'git am'