No ticket error even with the ticket in api2/json/nodes/pve/qemu/100/vncwebsocket

Here is what i have altered my code to after the last post:

I have this page that only has one button. When the page is loaded, it comes with the PVE ticket in the cookies as shown in the image below (I'm not showing the cookie since it has a valid ticket, but I can see the cookie has been set)
nEJJLU0.png


The redirect button runs the following code to get the info that will be used for noVNC. That info is added to the query variables, so I have to URL-encode it as shown below

JavaScript:
function redirectToVNC(){
  fetch(window.location.origin+ "/vnc/getVNCInfo",
    {
      method: "GET",
    }
  )
    .then((result)=>result.json())
    .then((result)=>{

      console.log(result)

      window.location.href = window.location.origin + "/vnc?" +
      "path=" + encodeURIComponent('api2/json/nodes/pve/qemu/100/vncwebsocket' + "?" + result.encodedParams)

    })
    .catch((err)=>{
      console.log(err)
    })
  }

then it opens the following page, which i got from the proxmox git mentioned before in this thread, the only info i have are the ticket in the cookies (a PVE ticket) and the ticket and port present in the path (a PVEVNC ticket)

Rw88cND.png

I then try to connect by clicking the connect button and get the following error:
X6a7dnV.png

As for my backend code, I basically just divided the code I already posted here, so that the cookies are set on page load and the PVEVNC ticket is acquired when I press the redirect button, but just to be sure here is the code I'm running:

To get the ticket that goes in the cookies:
JavaScript:
async getPVETicket(){
    return fetch(
      'https://mydns:8006/api2/json/access/ticket',
      {
        method: "POST",
        headers:{
          "Content-Type": "application/x-www-form-urlencoded"
        },
        body: new URLSearchParams({
          'username': "amyfakeruser",
          'password': "1234"
        })
      }
    )
      .then((result)=>{
        return result.json()
      }).
      then((result)=>{
        return result
      })
  }

To get the port and PVEVNC ticket:
JavaScript:
async getPortAndPVEVNCTicket(){
    return fetch(
      'https://mydns:8006/api2/json/nodes/pve/qemu/100/vncproxy',
      {
        method:"POST",
        headers:{
          "Content-Type": "application/x-www-form-urlencoded",
          "Authorization": "PVEAPIToken=myfakeuser@pve!test=7DD751EE-7e39-49a3-8718-08cf77fg5taf"
        }
      }
    )
      .then((result)=>result.json())
      .then((result)=>{
        return result
      })

  }
Also relevant is the code I'm using to create the encodedParams variable, here it is:
JavaScript:
let resultPortAndPVEVNCTicket = await this.vncService.getPortAndPVEVNCTicket();
let paramsBeforeEncoding: any= {
    port: resultPortAndPVEVNCTicket.data.port,
    vncticket: resultPortAndPVEVNCTicket.data.ticket
}

// Collect the URL-encoded key=value pairs
const params: string[] = [];
for (const i in paramsBeforeEncoding) {
    if (paramsBeforeEncoding.hasOwnProperty(i)) {
        let value = paramsBeforeEncoding[i];
        if (value === undefined) value = '';
        params.push(encodeURIComponent(i) + '=' + encodeURIComponent(String(value)));
    }
}

let encodedParams = params.join('&');

Everything else i have is just boilerplate to load the page and the cookies.
PS: I thought it might be good to show how I'm setting the cookies, to see if I'm doing it wrong:
JavaScript:
.header('Set-Cookie', "PVEAuthCookie="+ resultPVETicket.data.ticket +";SameSite=Lax;Domain=mydns;Path=/")

This is all the info related to the connection that i can think of adding to the post to try and share my problem. But if you think something is missing please let me know.
 
mhmm... i guess what happens is that you create a ticket and use that as cookie (so the websocket gets that set too), but you call the vncproxy with an 'authorization' header (and the cookie?) and this generates the vncticket for the token, not the cookie user

does it work if you simply leave out the authorization header for the vncproxy call?

if not, what exactly do you see in the browser console what the websocket url is? (just truncate the vncticket)
 
Unfortunately the vncproxy call fails without the Auth Header.
As for the websocket url and the stuff i see in the browser console is the following (i changed most of the characters of the ticket):
HTTP:
GET wss://myurl/api2/json/nodes/pve/qemu/100/vncwebsocket?port=5900&vncticket=PVEVNC:64183B9E::ImM2lczQjnnTLhpo83tnoFv7RXGM5DNo6AejmAZaDUoh0nT41h0tSOycYs1RYrLxMo7z8FA8R2b1iZST/yJugJchp+R0kNlQ+7td5s7RqrnCZD1q1Isrtx8U6HCmzigHz1YqOcokl7aJtleCyL9YJJgLxQ+DbSn2F8FfodgbdbbTOPIvCIYQ00DHpDlSHLzeDDi0XoUSs9//+3PVoddFz621aV6jNqsdfIQfjq7bYZm6v4Ejkm4+Bpg8uaeSJlW4XHMvHq86dfgndfnqbg+wJXCqjM4pAnuQzDFLlWExUWbbxVj4zaPe5yD44VSdKPfoHeGSFOlt5Smmeum/xlcPg==[HTTP/1.1 401 permission denied - invalid PVEVNC ticket 3029ms]

I can also see the following ticket in the cookies that are sent in the request (again with characters of the ticket altered a bit):
HTTP:
PVEAuthCookie    "PVE:mypveuser@pve:64183B98::OdbcknCenFWEa6EvY9PpwtLbH9MsSMBKWl/0FH5l5EvE165VosHjaC3YM1rnKVA00y0/FEqgePd8YB9yloAjFOC2LqPfe5af4TH7fXNXI61JmrsdfsdfzshtScNSbI7yt1VK2W1CV5lSOMPCmawvhqfKsdgsdfZHQ01wLPMos/78J+O/LgSyKibb0R6Fzx1xQzpgcnN2JdKjvuuYasdaA5Yg5V4T7yunTQqvXbQ6IZgP5LOP6/YK2Z9f2C/80v+Hm3eim844GrgasdascasvyhKRgadasQNObe3qTCntgNkCp4+U/2JIhbNfDxJ4/v8utSBf09LifQ=="
That's it for the things printed in the console
 
Unfortunately the vncproxy call fails without the Auth Header.
how does it fail? if you set the cookie right, this should also be sent along to the vncproxy call where the vncticket will be created for exactly this user
 
how does it fail? if you set the cookie right, this should also be sent along to the vncproxy call where the vncticket will be created for exactly this user
The call to the vnc proxy is made in the backend without any cookies, should i change it to the front end ?
 
well the vncproxy call creates a ticket for the user by whom it is called, so it must be the same user as the one doing the websocket connection. where it is done does not really matter, but it must be the same cookie/user that does both
 
I changed the vncproxy api call to the front end but it actually failed without the auth header, i get a 401 unauthorized error when the api call is made. I am rather confused about this, i checked again and the API token i have definitely belongs to the same user, so i don't understand how the ticket i get from calling /access/ticket has less permission or how i can fix that.
 
i checked again and the API token i have definitely belongs to the same user
the point is that the vncticket is then probably issued for the token, not the user itself. (iow. the secret of the ticket is then user@realm!token instead of user@realm which is then checked)

not sure if that counts as a bug or feature, but if you want you can open one here https://bugzilla.proxmox.com (my colleagues may also want to chime in on that)

did you try to also set the cookie from the /access/ticket call to the vncproxy?
 
did you try to also set the cookie from the /access/ticket call to the vncproxy?
If you mean trying to use both the ticket from /access/ticket and from vncproxy in the cookies then yeah i tried both.

But I'm still confused as to how I can solve this issue, it seems like it would work if the user had the permissions and not the API token, but as far as I can see both have permission to do basically everything. Sorry if I'm not understanding this well enough.
 
maybe if i write down the steps it's more clear:

* call /access/ticket with username & password (not a token) -> returns a ticket, i call this 'pve auth ticket'
* call vncproxy with the 'pve auth ticket' set as 'PVEAuthCookie' -> returns a ticket, i call this 'vncticket'
* set the path in novnc to wss://....&vncticket='url encoded vncticket' and make sure the wss connection also uses the 'pve auth ticket' as PVEAuthCookie

that is the way our code works and it should also work for you
 
well the problem for me right now is that the following happens:

I follow the first step:
call /access/ticket with username & password (not a token) -> returns a ticket, i call this 'pve auth ticket'
So far everything is good, now when i do the second step:
call vncproxy with the 'pve auth ticket' set as 'PVEAuthCookie' -> returns a ticket, i call this 'vncticket'
I get
401 Unauthorized
but as far as I know the user has the permission to do this as shown below in the picture:
raRJW2j.png
 
can you post the complete request that is done? (you can censor sensitive info ofc)
 
request URL:
https:/myip/api2/json/nodes/pve/qemu/100/vncproxy
request cookie:
PVEAuthCookie: "PVE:myuser@pve:563ARD12::ce3y4bmWCz0GhrsV3aB12Ax3VzFqX8lfxBBhcg4jf3eBmeoz0x34AVT3ncMFIJ2V4Ho2w5ubUXT0rQmfg47rZUH+2TUDwveYEznJngbKERGn4tId+aaITf+jYJmO/hbaogR6LST2/QNb0vCbkPaznW3eZoxGh/3jv//IOCldvkzfSfjgM7TbhE0zVrOC0bqV4y+/X/gYXIEmR1Do+cdvaPG2yfJxZQhlmqlFPVco0u0Ir3re1386eFWswQMsjrWg7ZCQwiuEczG0riWvY+WhIVwuH/SjxLYiHnR2i2OML1gfhr4mXcmQ5utTDigLntwIHQOI+syW7O/rplg/DKnGUg=="
the request returned an empty body with the following header:
Status 401Unauthorized
that's all i can get from the browser console
 
where did you extract this? is it really formatted this way in the request? if yes, it would be a header, not a cookie

a cookie normally looks like this in the http request:

Code:
Cookie: PVEAuthCookie=<somecookiedata>;anothercookie=....
 
in that case it looks ok.... do you have anything in between the browser and pve that could/would strip the cookie?
 
There is a kong api gateway instance, but before posting this reply i checked and there is no configuration that would remove the cookies.
Just to be sure i also made a request with the cookie to an api i made (with the same api gateway) and the request arrived with the cookie.
 
ah i just remembered one thing that might happen, the vncproxy api call is a POST one, so you also have to send along the CSRF token as a http header... sorry that i did not remember sooner...
 
It worked !!!!
Thanks for the patience dcsapak. It was just like you said with the CSRF token. Then all i was missing was the password but i remember seeing in a post here that the password is the ticket from the vncproxy call so i used that and now it works. Again thank you for your help.
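
The sequence that ended up working in this thread, written out as an added example (not code from any poster or from Proxmox): username/password login, a vncproxy POST carrying both the PVEAuthCookie and the CSRF token, then the websocket URL with the vncticket doubling as the VNC password. It assumes a Node.js backend where the Cookie header can be set by hand; the function names and any host, node, VM id or ticket values passed to them are placeholders.

```javascript
// Added example (not from the thread). Host, node, VM id and tickets used
// with it are constructed placeholders; intended for a Node.js backend.

// Step 1: log in with username and password, not an API token.
function loginRequest(base, username, password) {
  return { url: `${base}/api2/json/access/ticket`,
           init: { method: "POST", body: new URLSearchParams({ username, password }) } };
}

// Step 2: vncproxy is a POST, so it needs the auth cookie and the CSRF token
// from step 1. No Authorization header: the vncticket has to be issued for
// the same user whose cookie accompanies the websocket connection.
function vncProxyRequest(base, node, vmid, login) {
  return { url: `${base}/api2/json/nodes/${node}/qemu/${vmid}/vncproxy`,
           init: { method: "POST",
                   headers: { Cookie: `PVEAuthCookie=${login.ticket}`,
                              CSRFPreventionToken: login.CSRFPreventionToken } } };
}

// Step 3: websocket URL with URL-encoded port and vncticket. The vncticket
// is also the VNC password noVNC has to send.
function vncWebsocketTarget(base, node, vmid, proxy) {
  const query = `port=${encodeURIComponent(proxy.port)}` +
                `&vncticket=${encodeURIComponent(proxy.ticket)}`;
  return { url: `${base.replace(/^http/, "ws")}/api2/json/nodes/${node}` +
                `/qemu/${vmid}/vncwebsocket?${query}`,
           password: proxy.ticket };
}

// Runs the three steps against a live server; fetchImpl is injectable.
async function openVncSession(base, node, vmid, username, password, fetchImpl = fetch) {
  const call = async ({ url, init }) => {
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`${init.method} ${url} -> ${res.status}`);
    return (await res.json()).data;
  };
  const login = await call(loginRequest(base, username, password));
  const proxy = await call(vncProxyRequest(base, node, vmid, login));
  return vncWebsocketTarget(base, node, vmid, proxy);
}
```

The browser that opens the returned websocket URL must also hold the same PVEAuthCookie, otherwise the vncticket is checked against a different identity.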
 
