bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Autofill basic auth prompts #116

Closed dralley closed 7 years ago

dralley commented 7 years ago

For instance, some routers do this, as well as ADP iPay which is my payroll site.

Lastpass can handle this but it doesn't appear that Bit Warden can.

kspearrin commented 7 years ago

Are you referring to "basic authentication" windows that popup in the browser like this? https://i.stack.imgur.com/QnUZW.png

dralley commented 7 years ago

Yes, exactly that

On Mar 23, 2017 4:40 PM, "Kyle Spearrin" notifications@github.com wrote:

Are you referring to "basic authentication" windows that popup in the browser like this? https://i.stack.imgur.com/QnUZW.png


jjdelc commented 7 years ago

I was just filing an issue about this same thing. For now I have to rely on the browser's password manager to remember this (using Firefox) and Bitwarden for websites, but now I have two password managers.

kspearrin commented 7 years ago

I am looking into this more now but am running into a few problems.

  1. I am not able to get this working with LastPass.

  2. I am exploring the browser APIs that make this possible and see a few issues:

    • This works by intercepting web requests as they come in to the browser and detecting when it is an auth request. I can then automatically provide the credentials to the request. It appears that there is no way to provide the credentials after the prompt appears. Because of this I would have to figure out what credentials to use for you. What if the user has multiple logins in their vault for this site? How would I know which to use?

jjdelc commented 7 years ago

I don't know if this is possible with web extensions, but last pass would add an extra select box to the auth prompt where you could pick the credentials to use:

[screenshot: screenshot_2017-06-09 134506]

kspearrin commented 7 years ago

@jjdelc Hmm, yea. That definitely isn't possible with web extensions. Is that screenshot from Chrome or Firefox? You would probably need some kind of native app installed to override that kind of stuff.

jjdelc commented 7 years ago

That's Firefox.

Maybe if the request can be intercepted a previous UI can be shown to ask which credential to use and then fill up using that one. It would be a 2 step process but at least you get the option to choose. If there's only one there would be no need.

On this one screenshot it is showing me 4 options, but really only 1 is fitting. I have 3 subdomains on my personal domain:

For sub1.domain I only have an http auth password. For blog1.domain I have httpauth for when I access /admin and also the engine admin credentials itself (so 2 entries, different kinds) and for blog2.domain only admin credentials.

Really, only one of them is ever necessary here; matching by subdomain, path and type of auth, the other 3 options that I get would be ruled out, which would reduce the number of times a picker needs to be shown. Looks like LastPass is not making those distinctions, so it shows me all (and remembers my last choice).

piejanssens commented 7 years ago

Detect request to matching URL from vault and for 1 matching credential automatically insert username/password in URL, otherwise show popup. Change URL to http(s)://username:password@hostname/path This way you never get to see the basic auth popup that you can't access with web extensions.

jjdelc commented 7 years ago

I don't think you want to make a GET request with your credentials in the URL, that will get recorded in some access.log file.

SylwesterZarebski commented 7 years ago

I don't think it is recorded on the server side, because the form username:password@hostname is just a shortcut to fill the desired request headers - it is handled by the browser, not the server. Or it is when used by a user; I don't know when the address is given by the addon's code.

On the other hand, this form could be seen by JS on browser side and abused.

mhammond commented 7 years ago

As @kspearrin mentioned, the onAuthRequired API exists and would be able to handle the case of exactly 1 set of credentials being used without user interaction - it's the "user interaction" part that I can't see a solution to - even in the case of exactly 1 set of credentials, you almost certainly still want user interaction.

It appears that it may be possible to open a window where the user can select a set of credentials from, but I can't see a way to make this either modal or "always on top" - so the user could accidentally send that window to the back and get confused. Nor can I see a way to open the usual panel in this case.

I did find another password manager on github and they took the approach of injecting a html "dialog" into the page being requested, but this seems both risky and destined to fail in edge cases.

The lastpass examples are all from their "legacy" addon, where customizing the builtin auth dialog is possible. I know they are working on a webextension-only version of the addon, so it will be interesting to see how they do things there - and if that turns out to be "nothing", then I guess we could agitate for a new webext API for Firefox, but that's still only 1 browser.

SylwesterZarebski commented 7 years ago

Is it possible to 'agitate' for extending WebAPI in both Chromium and Firefox browsers/engines? I heard, that Chromium folks are hard to convince, but it may be possible still.

jjdelc commented 7 years ago

Is there a bugzilla ticket? So Firefox devs can be aware of the limitation to begin with.

fwosar commented 7 years ago

Any update on this? :)

pannal commented 7 years ago

I'm actively using LastPass with the binary extension enabled, to autofill basic auth requests.

With the recent price-doubling I've come across Bitwarden, which seems really interesting to me. The Open Source part is key. Supporting basic auth is a must, for me, unfortunately.

viertaxa commented 7 years ago

I also am migrating to Bitwarden from LastPass. This functionality is critical to me.

kspearrin commented 7 years ago

all: There isn't a good solution for this at the moment.

We use the web extensions API for bitwarden. Web extensions do not provide a good API to handle basic auth at the moment. Unless something changes with the web extension APIs I don't see how we can proceed with anything at this time.

As mentioned above, LastPass is using an old, deprecated API that is no longer going to be available in a few months. It will be interesting to see what they came up with to get around this problem.

jjdelc commented 7 years ago

It will be interesting to see what they came up with to get around this problem.

Are they aware of the problem? Maybe file a ticket in bugzilla. I know Firefox is also ramping up their built in password manager so they could add APIs for this.

fwosar commented 7 years ago

I don't think there are a lot of use cases for having multiple different HTTP AUTH credentials for the same domain. So just implementing the case that if only one set of credentials exist, use those would help tremendously. If there are security concerns, you can always add a flag per credentials to mark them as HTTP AUTH credentials that a user can set to avoid situations where a rogue AUTH request on a website is able to steal your credentials.

pannal commented 7 years ago

@fwosar how do you come to that conclusion? I've got several http auth enabled domains with different apps on different paths with different logins.

fwosar commented 7 years ago

Do you have multiple credentials for the same URL though that you need to switch between? Even if you do, I would argue that not a lot of other people do. I too have dozens of HTTP AUTH credentials, but they are all for different servers/URLs.

viertaxa commented 7 years ago

That situation is not as uncommon as it may seem. I have several HTTP auth logins for the same domain (admin and regular login) and several different logins for different subdomains (products that do not support AD login capability).

fwosar commented 7 years ago

And still, you would prefer it to work at least for the cases where you only have one instead of not at all.

pannal commented 7 years ago

That's true.

aquatix commented 7 years ago

Looks related to this issue from another project that I found, which seems to have a fix: https://github.com/nextcloud/passman-webextension/issues/10

kspearrin commented 7 years ago

@aquatix The solution there seems to be along the lines of what we have pointed out here. It will only handle a single credential and provides no method of selection if there is more than 1.

fwosar commented 7 years ago

Which is still better than doing nothing at all and just wait.

aquatix commented 7 years ago

@kspearrin @fwosar agreed with both of you. Of course, @kspearrin it would be great to have it fixed properly, however, I have those popups several times on a daily base, so having only one option already would help me greatly.

synotna commented 7 years ago

Would this be possible?

kspearrin commented 7 years ago

@synotna That's more or less the steps we'd have to take to achieve this except step no. 3 is not possible since a user has to physically click the popup to make it open. We'd need some alternate UI.

mhammond commented 7 years ago

https://bugzilla.mozilla.org/show_bug.cgi?id=1341126 is landing on Firefox as we speak, which adds browserAction.openPopup and pageAction.openPopup - however, currently they can only be used while directly handling user input which probably isn't going to help. There does seem to be agreement that we should also allow this while handling onAuthRequired, so I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1391093.

kspearrin commented 7 years ago

Thanks for that @mhammond, though users should be aware that this would only be possible to do with Firefox since this would not be a cross-platform API.

bstaruk commented 7 years ago

I will likely need to switch back to LastPass due to this missing feature.

A password manager should be able to fill all password prompts.

LastPass does it, so it's absolutely not impossible.

I will certainly watch this space though. Besides this one hangup, I am really enjoying bitwarden and would rather stick around here.

jyavenard commented 7 years ago

LastPass does it, so it's absolutely not impossible.

LastPass doesn't use web extension and no longer works with Firefox 57... So your choices very soon will be very limited.

bstaruk commented 7 years ago

LastPass offers a binary installer which adds support for these prompts on Chrome.

SylwesterZarebski commented 7 years ago

For me, LastPass 4.0 has lost basic auth in Fx 52 and newer (and since then no combination worked), then I've switched to Bitwarden.

PS. Yes, I know of the binary installer, but it did not work for me either. I've had LP on two computers and around Fx 52 it stopped working. Reinstalling did not work.

PPS. I wasn't precise: LP added an additional button to the basic auth window and allowed choosing a credential, but didn't fill them in - I had to copy user & password by hand.

synotna commented 7 years ago

For what it's worth LastPass 4.1.62 with binary is working fine for me in Firefox 55 & 56, and I'm also curious what they have planned for 57 :)

synotna commented 7 years ago

"except step no. 3 is not possible since a user has to physically click the popup to make it open"

Oh, the call to action feature of notifications is not enough to open the extension pop-up? Damn

Then what about onAuthRequired go to a credential selector page view in the content area? i.e. skip using the browser dialog completely

kspearrin commented 7 years ago

all:

I have created a solution for this in the next release using the web extension APIs that are available.

  1. If you encounter a basic auth prompt and there is 1 login in your vault matching the given website, bitwarden will log you in automatically. You will never see the login prompt.
  2. If bitwarden tries to perform the login from step 1 and the login credentials fail, you see the login prompt.
  3. If there is no login in your vault for the given website, you see the login prompt.
  4. Here's the unfortunate one for now: If there is more than 1 login in your vault for the given website, you see the login prompt. I can't know which login you want to use in this scenario. If we made the decision for you (ex. choosing the last used login), you would never be able to log in using any of the others since logging in happens automatically with these APIs. We cannot auto-login for you in this situation without the side effect of blocking you from using any others stored for the website.

It's not the best solution, but it's the only one I can see available at the moment.

related commit: https://github.com/bitwarden/browser/commit/41c32f3874f9f0cb2c10bc464a75897a8a655f75
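The four rules above, written out as an added example (not Bitwarden's code or the linked commit) in the form a `webRequest.onAuthRequired` listener would take. Assumptions: vault logins are plain objects with `uri`, `username` and `password`; matching is by registrable domain (so subdomains are not distinguished, as later comments observe); and a per-`requestId` set records that the single match has been tried once, so a rejected credential falls through to the browser's own prompt instead of being resent.

```javascript
// Simplification: treat the last two labels as the registrable domain.
const DOMAIN_LABELS = 2;

function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-DOMAIN_LABELS).join('.');
}

// All vault logins whose URI shares the request's registrable domain.
function matchingLogins(vault, requestUrl) {
  const target = baseDomain(new URL(requestUrl).hostname);
  return vault.filter(l => baseDomain(new URL(l.uri).hostname) === target);
}

// Returns what a blocking onAuthRequired listener returns:
// { authCredentials } answers the challenge, {} leaves the browser prompt.
function handleAuthRequired(details, vault, attempted) {
  // Rule 2: the browser re-fires onAuthRequired for the same requestId when
  // credentials are rejected; answer at most once, then show the prompt.
  if (attempted.has(details.requestId)) return {};
  const matches = matchingLogins(vault, details.url);
  // Rules 3 and 4: no login, or an ambiguous set of logins -> prompt.
  if (matches.length !== 1) return {};
  // Rule 1: exactly one login -> answer automatically.
  attempted.add(details.requestId);
  const { username, password } = matches[0];
  return { authCredentials: { username, password } };
}

// Constructed sample vault (hypothetical hosts under the reserved .test TLD).
const SAMPLE_VAULT = [
  { uri: 'https://sub1.example.test', username: 'alice', password: 'pw1' },
  { uri: 'https://one.multi.test/admin', username: 'admin', password: 'pw2' },
  { uri: 'https://two.multi.test', username: 'bob', password: 'pw3' },
];

// In a background script the listener would be registered roughly as:
// browser.webRequest.onAuthRequired.addListener(
//   d => handleAuthRequired(d, SAMPLE_VAULT, attempted),
//   { urls: ['<all_urls>'] }, ['blocking']);
```

Note that `one.multi.test` and `two.multi.test` each have exactly one login, yet both hit rule 4 because the match is per registrable domain; that is the behaviour questioned further down the thread.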

pannal commented 7 years ago

Great news!

For the multiple login problem: it would help if there was a switch for the matching strictness of a domain (like LastPass has). That way one could have 10 logins for 10 subdomains but only the one for the current subdomain gets picked if that matching strictness is set to a certain level.

Also is the favourite flag honored?

kspearrin commented 7 years ago

This is now live.

pannal commented 7 years ago

Hmm. With multiple logins for a domain this doesn't do anything, not even take the one with the "favourite"-flag set.

Judging by the code, the basic auth functionality doesn't do anything when it detects more than one login per (sub-!) domain, why is that?

And why does it treat logins for different subdomains as the same? That doesn't make any sense to me.

kspearrin commented 7 years ago

  4. Here's the unfortunate one for now: If there is more than 1 login in your vault for the given website, you see the login prompt. I can't know which login you want to use in this scenario. If we made the decision for you (ex. choosing the last used login), you would never be able to log in using any of the others since logging in happens automatically with these APIs. We cannot auto-login for you in this situation without the side effect of blocking you from using any others stored for the website.

pannal commented 7 years ago

I understand that. But why does it treat test1.domain.com the same as test2.domain.com and skips auto-filling the basic auth for test1.domain.com altogether? That missing distinction doesn't make any sense to me.

SylwesterZarebski commented 7 years ago

The real problem is with more than 1 login in your vault. In fact I have multiple websites under the same domain and have exactly one login for every website, but Bitwarden sees them as a whole, which is a problem - see issue #77.

kspearrin commented 7 years ago

@pannal See #77

pannal commented 7 years ago

@kspearrin OK, thanks. I still don't understand why that's the default behaviour, though, but that's out of the scope for this ticket.

pannal commented 7 years ago

For multiple logins per (sub-) domain - could we have a flag that marks one login as the one to use for basic auth? Perhaps the existing favourite-flag?

kspearrin commented 7 years ago

@pannal see https://github.com/bitwarden/browser/issues/77 which will be able to take care of that

pannal commented 7 years ago

Hmm, I'm still having problems with this functionality.

I understand that it's limited to domains with only one login in BW, but even then it does nothing for me. I have a login for domainX.com, BW also shows me the little 1 besides its icon when I visit that page. It doesn't auto-fill the basic auth, though.