Closed JoshuaPettus closed 8 months ago
That's fair, I'll look into the authentication options for the Nextcloud APIs and see if we can add something.
I've pretty much finished writing this feature today (branch feature-nc-authenticaiton-flow-v2) however I've come across an issue I can't work out a good solution to.
Basically the login flow doesn't allow cross-origin requests. This is fine for a mobile app, which ignores this, but web browsers respect it, and as such a web browser can only start the login flow if it's on the same domain as the Nextcloud server. There's an issue open for it here: https://github.com/nextcloud/server/issues/34898
I haven't checked yet but the assumption is that the Passwords app has its own feature as part of the app itself which can proxy these requests and pass the app password back. I think it's probably beyond the scope of this extension to add that functionality to the OTP Manager Nextcloud app.
If we use a permission to the host as the existing extension does, we bypass CORS issues, but we end up with a situation where if you log out of Nextcloud in the browser and then open the extension, you get authenticated in the entire browser again using the extension's session.
It's possible I'm missing something and there is a way to resolve this currently but I can't work it out myself without Nextcloud fixing the login flow CORS issue.
Doh! That's a shame. Yeah, the workaround sounds like it defeats the purpose. Hopefully some NC person can shed some light on the situation, or maybe the Passwords extension has some method that's usable, though you may be right.
The only other web browser extension I know of would be floccus for bookmarks.
Having a look through their code it might just be that I'm missing a simple option in the fetch request to omit credentials. I'll give it a test and see!
If so it's very much just a lack of my knowledge and a simple issue to fix.
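The fetch option mentioned in the comment above, as an added example that is not part of this thread or the extension's own code: a sketch of Nextcloud Login Flow v2 in which every request is sent with `credentials: 'omit'`, so the browser's Nextcloud session cookies are never attached. The function names, the injectable `fetchImpl`/`sleep` parameters and the same-origin check on the poll endpoint are assumptions of this example.

```javascript
// Added example: Nextcloud Login Flow v2 driven from extension code.
// `fetchImpl` and `sleep` are injectable (assumption) so this runs offline.

// Every request omits cookies: the browser's Nextcloud session is never
// sent, and cookies set by the response are not stored.
function flowRequest(body) {
  return {
    method: 'POST',
    credentials: 'omit',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body ? new URLSearchParams(body).toString() : undefined,
  };
}

async function startLoginFlow(serverUrl, fetchImpl = fetch) {
  const base = serverUrl.replace(/\/+$/, '');
  const res = await fetchImpl(`${base}/index.php/login/v2`, flowRequest());
  if (!res.ok) throw new Error(`login flow init failed: HTTP ${res.status}`);
  const { login, poll } = await res.json();
  // This example's own check: refuse a poll endpoint on another origin,
  // because the poll token would be sent there.
  if (new URL(poll.endpoint).origin !== new URL(base).origin) {
    throw new Error('poll endpoint is not on the Nextcloud origin');
  }
  return { login, poll }; // open `login` in a tab for the user to approve
}

async function pollForAppPassword(poll, opts = {}) {
  const { fetchImpl = fetch, attempts = 60, delayMs = 2000,
          sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = opts;
  for (let i = 0; i < attempts; i++) {
    const res = await fetchImpl(poll.endpoint, flowRequest({ token: poll.token }));
    if (res.status === 200) {
      const { server, loginName, appPassword } = await res.json();
      return { server, loginName, appPassword };
    }
    // 404 means the user has not approved the login yet.
    if (res.status !== 404) throw new Error(`poll failed: HTTP ${res.status}`);
    await sleep(delayMs);
  }
  throw new Error('login flow timed out');
}
```

The returned `loginName` and `appPassword` are then used for Basic authentication on later API calls, which should also be sent with `credentials: 'omit'`.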
Hey, no one knows everything! :) I for instance know some of the basic concepts and can be dangerous with a bash script, but that's about the extent of my programming knowledge.
I think I'm there now, the code on the #feature-nc-authenticaiton-flow-v2 branch should work. I'll do a bit more testing and release shortly.
This is now published and should hit the Chrome webstore soon, Firefox is already live.
The only annoyance now is that Nextcloud uses the User-Agent header to name the app password that's generated via the login flow. In Firefox this is fine, but in Chrome there's an outstanding bug since 2015 which means this doesn't work and it shows up as being Chrome itself rather than the browser extension. Minor but a bit annoying.
That is annoying. Firefox and Librewolf are my browsers of choice, but I know I'm in the minority :-(
Works great! Thanks so much!
First of all, this app is looking great. Thank you so much!
For myself though, I am somewhat concerned with hijacking of session tokens, at least as far as open web browsers are concerned (there tends to be a lot of them all over the place if I'm not careful). So after a bit of time I have the NC server log those out automatically. One thing that would be great is if there was a way the app could use Nextcloud's actual session API to have its own dedicated session. Then I wouldn't need an OTP to open the OTP app every time; I can just provide the database password like I do with the password browser extension.