bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com
Other
9.38k stars 1.26k forks source link

Autofill basic auth prompts #116

Closed dralley closed 7 years ago

dralley commented 7 years ago

For instance, some routers do this, as well as ADP iPay which is my payroll site.

Lastpass can handle this but it doesn't appear that Bit Warden can.

kspearrin commented 7 years ago

Are you referring to "basic authentication" windows that popup in the browser like this? https://i.stack.imgur.com/QnUZW.png

dralley commented 7 years ago

Yes, exactly that

On Mar 23, 2017 4:40 PM, "Kyle Spearrin" notifications@github.com wrote:

Are you referring to "basic authentication" windows that popup in the browser like this? https://i.stack.imgur.com/QnUZW.png

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/bitwarden/browser/issues/116#issuecomment-288852957, or mute the thread https://github.com/notifications/unsubscribe-auth/ACn9_GdSj_icv8hw3_BAdDpBj1eyAS1Uks5rotimgaJpZM4MnOJc .

jjdelc commented 7 years ago

I was just filing an issue about this same thing. For now I have to rely on the browser's password manager to remember this (using Firefox) and Bitwarden for websites, but now I have two password managers.

kspearrin commented 7 years ago

I am looking into this more now but an running into a few problems.

  1. I am not able to get this working with LastPass.

  2. I am exploring the browser APIs that make this possible and see a few issues:

    • This works by intercepting web requests as that come in to the browser and detecting when it is a auth request. I can then automatically provide the credentials to the request. It appears that there is no way to provide the credentials after the prompt appears. Because of this I would have to figure out what credentials to use for you. What if the user has multiple logins in their vault for this site? How would I know which to use?
jjdelc commented 7 years ago

I don't know if this is possible with web extensions, but last pass would add an extra select box to the auth prompt where you could pick the credentials to use:

screenshot_2017-06-09 134506

kspearrin commented 7 years ago

@jjdelc Hmm, yea. That definitely isn't possible with web extensions. Is that screenshot from Chrome or Firefox? You would probably need some kind of native app installed to override that kind of stuff.

jjdelc commented 7 years ago

That's Firefox.

Maybe if the request can be intercepted a previous UI can be shown to ask which credential to use and then fill up using that one. It would be a 2 step process but at least you get the option to choose. If there's only one there would be no need.

On this one screenshot it is showing me 4 options, but really only 1 is fitting. I have 3 subdomains on my personal domain:

For sub1.domain I only have a http auth password. For blog1.domain I have httpauth for when I access /admin and also the engine admin credentials itself (so 2 entriesm different kinds) and for blog2.domain only admin credentials.

Really, only one of them is necessary ever here, matching by subdomain and path and type of auth the other 3 options that I get would be ruled out and reduce the number of times a picker needs to be shown. Looks like lastpass is not making those distinctions so it shows me all (and remembers my last choice)

piejanssens commented 7 years ago

Detect request to matching URL from vault and for 1 matching credential automatically insert username/password in URL, otherwise show popup. Change URL to http(s)://username:password@hostname/path This way you never get to see the basic auth popup that you can't access with web extensions.

jjdelc commented 7 years ago

I don't think you want to make a GET request with your credentials in the URL, that will get recorded in some access.log file.

SylwesterZarebski commented 7 years ago

I don't think it is recorded on server side, because form of username:password@hostname is just shortcut to fill desired request headers - it is handled by browser, not server. Or it is when used by user, don't know when address is given by addon's code.

On the other hand, this form could be seen by JS on browser side and abused.

mhammond commented 7 years ago

As @kspearrin mentioned, the onAuthRequired API exists and would be able the handle the case of exactly 1 set of credentials being used without user interaction - it's the "user interaction" part that I can't see a solution to - even in the case of exactly 1 set of credentials, you almost certainly still want user interaction.

It appears that it may be possible to open a window where the user can select a set of credentials from, but I can't see a way to make this either modal or "always on top" - so the user could accidentally send that window to the back and get confused. Nor can I see a way to open the usual panel in this case.

I did find another password manager on github and they took the approach of injecting a html "dialog" into the page being requested, but this seems both risky and destined to fail in edge cases.

The lastpass examples are all from their "legacy" addon, where customizing the builtin auth dialog is possible. I know they are working on a webextension-only version of the addon, so it will be interesting to see how they do things there - and if that turns out to be "nothing", then I guess we could agitate for a new webext API for Firefox, but that's still only 1 browser.

SylwesterZarebski commented 7 years ago

Is it possible to 'agitate' for extending WebAPI in both Chromium and Firefox browsers/engines? I heard, that Chromium folks are hard to convince, but it may be possible still.

jjdelc commented 7 years ago

Is there a bugzilla ticket? So Firefox devs can be aware of the limitation to begin with.

fwosar commented 7 years ago

Any update on this? :)

pannal commented 7 years ago

I'm actively using LastPass with the binary extension enabled, to autofill basic auth requests.

With the recent price-doubling I've come across Bitwarden, which seems really interesting to me. The Open Source part is key. Supporting basic auth is a must, for me, unfortunately.

viertaxa commented 7 years ago

I also am migrating to Bitwarden from LastPass. This functionality is critical to me.

kspearrin commented 7 years ago

all: There isn't a good solution for this at the moment.

We use the web extensions API for bitwarden. Web extensions do not provide a good API to handle basic auth at the moment. Unless something changes with the web extension APIs I don't see how we can proceed with anything at this time.

As mentioned above, LastPass is using an old, deprecated API that is no longer going to be available in a few months. It will be interesting to see what they came up with to get around this problem.

jjdelc commented 7 years ago

It will be interesting to see what they came up with to get around this problem.

Are they aware of the problem? Maybe file a ticket in bugzilla. I know Firefox is also ramping up their built in password manager so they could add APIs for this.

fwosar commented 7 years ago

I don't think there are a lot of use cases for having multiple different HTTP AUTH credentials for the same domain. So just implementing the case that if only one set of credentials exist, use those would help tremendously. If there are security concerns, you can always add a flag per credentials to mark them as HTTP AUTH credentials that a user can set to avoid situations where a rogue AUTH request on a website is able to steal your credentials.

pannal commented 7 years ago

@fwosar how do you come to that conclusion? I've got several http auth enabled domains with different apps on different paths with different logins.

fwosar commented 7 years ago

Do you have multiple credentials for the same URL though that you need to switch between? Even if you do, I would argue that not a lot of other people do. I too have dozens of HTTP AUTH credentials, but they are all for different servers/URLs.

viertaxa commented 7 years ago

That situation is not as uncommon as it may seem. I have several HTTP auth logins for the same domain (admin and regular login) and several different logins for different subdomains (products that do not support AD login capability).

fwosar commented 7 years ago

And still, you would prefer it to work at least for the cases where you only have one instead of not at all.

pannal commented 7 years ago

That's true.

aquatix commented 7 years ago

Looks related to this issue from another project that I found, which seems to have a fix: https://github.com/nextcloud/passman-webextension/issues/10

kspearrin commented 7 years ago

@aquatix The solution there seems to be along the lines of what we have pointed out here. It will only handle a single credential and provides no method of selection if there is more than 1.

fwosar commented 7 years ago

Which is still better than doing nothing at all and just wait.

aquatix commented 7 years ago

@kspearrin @fwosar agreed with both of you. Of course, @kspearrin it would be great to have it fixed properly, however, I have those popups several times on a daily base, so having only one option already would help me greatly.

synotna commented 7 years ago

Would this be possible?

kspearrin commented 7 years ago

@synotna That's more or less the steps we'd have to take to achieve this except step no. 3 is not possible since a user has to physically click the popup to make it open. We'd need some alternate UI.

mhammond commented 7 years ago

https://bugzilla.mozilla.org/show_bug.cgi?id=1341126 is landing on Firefox as we speak, which adds browserAction.openPopup and pageAction.openPopup - however, currently they can only be used while directly handling user input which probably isn't going to help. There does seem to be agreement that we should also allow this while handling onAuthRequired, so I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1391093.

kspearrin commented 7 years ago

Thanks for that @mhammond though users should be aware that this would only be possible to do with Firefox since this would not be an cross-platform API.

bstaruk commented 7 years ago

I will likely need to switch back to LastPass due to this missing feature.

A password manager should be able to fill all password prompts.

LastPass does it, so it's absolutely not impossible.

I will certainly watch this space though. Besides this one hangup, I am really enjoying bitwarden and would rather stick around here.

jyavenard commented 7 years ago

LastPass does it, so it's absolutely not impossible.

LastPass doesn't use web extension and no longer works with Firefox 57... So your choices very soon will be very limited.

bstaruk commented 7 years ago

LastPass offers a binary installer which adds support for these prompts on Chrome.

SylwesterZarebski commented 7 years ago

For me, LastPass 4.0 have lost basic auth in Fx 52 and newer (and since then no combination worked), then i've switched to Bitwarden.

PS. Yes, i know of binary installer, but it did not work for me also. I've had LP on two computers and about Fx 52 it stopped working. Reinstalling did not work.

PPS. I wasn't precise, LP added additional button to basic auth window and allow to choose credential, but didn't fill them - i had to copy user & password by hand.

synotna commented 7 years ago

For what it's worth LastPass 4.1.62 with binary is working fine for me in Firefox 55 & 56, and I'm also curious what they have planned for 57 :)

synotna commented 7 years ago

"except step no. 3 is not possible since a user has to physically click the popup to make it open"

Oh, the call to action feature of notifications is not enough to open the extension pop-up? Damn

Then what about onAuthRequired go to a credential selector page view in the content area? i.e. skip using the browser dialog completely

kspearrin commented 7 years ago

all:

I have created a solution for this in the next release using the web extension APIs that are available.

  1. If you encounter a basic auth prompt and there is 1 login in your vault matching the given website, bitwarden will log you in automatically. You will never see the login prompt.
  2. If bitwarden tries to perform the login from step 1 and the login credentials fail, you see the login prompt.
  3. If there is no login in your vault for the given website, you see the login prompt.
  4. Here's the unfortunate one for now: If there is more than 1 login in your vault for the given website, you see the login prompt. I can't know which login you want to use in this scenario. If we made the decision for you (ex. choosing the last used login), you would never be able to log in using any of the others since logging in happens automatically with these APIs. We cannot auto-login for you in this situation without the side effect of blocking you from using and others stored for the website.

It's not the best solution, but it's the only one I can see available at the moment.

related commit: https://github.com/bitwarden/browser/commit/41c32f3874f9f0cb2c10bc464a75897a8a655f75

pannal commented 7 years ago

Great news!

For the multiple login problem: it would help if either there was a switch for the matching strictness of a domain (like lastpass has). That way one could have 10 logins for 10 subdomains but only the one for the current subdomain gets picked if that matching strictness is set to a certain level.

Also is the favourite flag honored?

kspearrin commented 7 years ago

This is now live.

pannal commented 7 years ago

Hmm. With multiple logins for a domain this doesn't do anything, not even take the one with the "favourite"-flag set.

Judging by the code, the basic auth functionality doesn't do anything when it detects more than one login per (sub-!) domain, why is that?

And why does it treat logins for different subdomains as the same? That doesn't make any sense to me.

kspearrin commented 7 years ago
  1. Here's the unfortunate one for now: If there is more than 1 login in your vault for the given website, you see the login prompt. I can't know which login you want to use in this scenario. If we made the decision for you (ex. choosing the last used login), you would never be able to log in using any of the others since logging in happens automatically with these APIs. We cannot auto-login for you in this situation without the side effect of blocking you from using and others stored for the website.
pannal commented 7 years ago

I understand that. But why does it treat test1.domain.com the same as test2.domain.com and skips auto-filling the basic auth for test1.domain.com altogether? That missing distinction doesn't make any sense to me.

SylwesterZarebski commented 7 years ago

Real problem is with more than 1 login in your vault. In fact i have multiple websites under same domain and have exactly one login for every website, but Bitwarden sees them as whole, which is a problem - see issue #77.

kspearrin commented 7 years ago

@pannal See #77

pannal commented 7 years ago

@kspearrin OK, thanks. I still don't understand why that's the default behaviour, though, but that's out of the scope for this ticket.

pannal commented 7 years ago

For multiple logins per (sub-) domain - could we have a flag that marks one login as the one to use for basic auth? Perhaps the existing favourite-flag?

kspearrin commented 7 years ago

@pannal see https://github.com/bitwarden/browser/issues/77 which will be able to take care of that

pannal commented 7 years ago

Hmm, I'm still having problems with this functionality.

I understand that it's limited to domains with only one login in BW, but even then it does nothing for me. I have a login for domainX.com, BW also shows me the little 1 besides its icon when I visit that page. It doesn't auto-fill the basic auth, though.