browserpass / browserpass-native

Browserpass native client app
ISC License

Support multiple stores natively #118

Open lasers opened 2 years ago

lasers commented 2 years ago

General information

Make browserpass support multiple stores?

I wanted to know if browserpass should be supporting multiple stores too without having to add each store manually in the extension. If I set PASSWORD_STORE_DIR or use any store path (i.e. ~/.local/share/gopass/stores), then the extension should be able to pick up secrets in all stores.

https://github.com/gopasspw/gopass/blob/master/docs/features.md#multiple-stores


If you are getting an error immediately after opening popup, have you followed the Configure browsers documentation section?


Exact steps to reproduce the problem

Na.

What should happen?

  1. Set PASSWORD_STORE_DIR or specify a multi-stores path.

  2. Browserpass to pick up secrets in all stores.

  3. Enter any secrets.

What happened instead?

  1. Browserpass doesn't recognize the multi-stores path.

maximbaz commented 2 years ago

Hello, the extension doesn't have a coupling to gopass or any specific implementation or variation of password store, we do respect $PASSWORD_STORE_DIR environment variable (which allows only for one location), but don't support or rely specifically on gopass and its structure.

That's why, if you have multiple stores, you need to use the browser extension config, but on the other hand it allows you to have complete freedom: you can have multiple stores even if you use plain pass (just define them as subfolders of your $PASSWORD_STORE_DIR, or have one store point to pass and another to gopass locations, etc.).

UPDATE: you might have hit this caveat: in order to recognize PASSWORD_STORE_DIR environment variable, this variable needs to be exported for the browser to see, so it needs to be visible for all GUI apps, not just in your terminal - so e.g. putting it into your .zshrc is often not enough. I'm not very sure how you'd do it on NixOS to give you a more concrete hint...

erayd commented 2 years ago

@maximbaz Is there anything preventing $PASSWORD_STORE_DIR from containing multiple locations, using the standard $PATH syntax?

If there's nothing in the way, it might be worth us parsing that - seems like a pretty simple thing to add, and quite useful.

maximbaz commented 2 years ago

pass doesn't seem to like that format, chances are people who set this variable would also be using pass...

erayd commented 2 years ago

Let's not, then. We don't want to encourage anything that would cause pass incompatibilities.

lasers commented 2 years ago

There could be an upstream tweak to accept only the first supplied store.

maximbaz commented 2 years ago

Realistically I don't think it's something we'll be pursuing, but you are welcome to try to do this. We could potentially support our own environment variable, but then again I'm not really sure how much benefit is in it, if you have to configure it in one place and only one tool supports this configuration, it is far easier for people to configure it in browser extension options...

fetwar commented 1 year ago

Could browserpass potentially look at the gopass config and parse it as extra stores similar to how you would manually through the browserpass extension menu?

For example, if a user has their root store at ~/.password-store and an additional gopass mount at ~/.password-store-work, the following file is created at ~/.password-store/.config/gopass/config:

```
[mounts]
    path = /home/username/.password-store
[recipients]
    hash = xxxxx
[recipients "work"]
    hash = xxxxx
[mounts "work"]
    path = /home/username/.password-store-work
```

This would provide both the mount's display name (in this case work) and the mount's path to be added.

The main advantage of doing this would be for team compatibility and auto setup, it wouldn't be a lot of work to go into the browser extension on just your PC, but having to do it for every member on a team would make it a big headache when this step could potentially be automated.


What are your thoughts @maximbaz ?

maximbaz commented 1 year ago

Hello, thanks for bringing this up!

I acknowledge that the setup shouldn't be unnecessarily complicated. I think it's important to mention some constraints that we chose for this project:

  1. Not relying on any specific password-store client (not gopass, not even pass itself).
  2. Staying compatible with password-store format.
  3. Offloading most of the logic to browser extension.

Making the native host parse the gopass config file would violate the first point (e.g. it would make us dependent on gopass, if they for example choose to change the config file format), and open up for requests to also support other clients (which would conflict with the third point). This makes me not super-keen on the idea...

But perhaps we can still improve your workflow? What do you think about doing something on the browser side?

Here's what I'm thinking: configuration in the browser extension is a simple json, stored in local storage. What if we were to add some kind of Backup/Restore functionality in the extension options? Then you could have some script that converts gopass config to browserpass config, and upload it via "Restore". Not exactly an auto-setup, but if you have a lot of stores, it would reduce the setup to a few clicks?

(A certain language model is convincing me that it's possible to manipulate local storage of an extension from a python script, though I don't know if we should trust it, and whether I'd go down that hacky road even if it was technically possible :sweat_smile:)
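
A sketch of the gopass-to-browserpass conversion script proposed in the last comment, as an added example that is not part of the thread or of the browserpass project. The output JSON shape, the `default` name for the root store, and the extra `bad` mount in the sample are assumptions made for illustration; the thread does not specify the extension's config format.

```python
import json
import re
from pathlib import PurePosixPath

# Constructed sample: the config quoted in the thread plus one relative-path mount.
SAMPLE_CONFIG = '''\
[mounts]
    path = /home/username/.password-store
[recipients]
    hash = xxxxx
[recipients "work"]
    hash = xxxxx
[mounts "work"]
    path = /home/username/.password-store-work
[mounts "bad"]
    path = ../relative/store
'''
SECTION = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')

def gopass_mounts(text):
    """Return {display_name: path} from [mounts] sections only (recipients are
    ignored). The unnamed root mount is called 'default' (assumed name)."""
    mounts, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION.match(line)
        if m:
            name = (m.group(2) or "default") if m.group(1) == "mounts" else None
            continue
        key, sep, value = line.partition("=")
        if name is not None and sep and key.strip() == "path":
            mounts[name] = value.strip()
    return mounts

def to_store_list(mounts):
    """Keep only absolute paths without '..' parts, since these paths decide
    which directories get read. Output shape is hypothetical."""
    stores, rejected = [], []
    for name, path in sorted(mounts.items()):
        p = PurePosixPath(path)
        if p.is_absolute() and ".." not in p.parts:
            stores.append({"name": name, "path": str(p)})
        else:
            rejected.append(name)
    return stores, rejected

if __name__ == "__main__":
    stores, rejected = to_store_list(gopass_mounts(SAMPLE_CONFIG))
    print(json.dumps({"stores": stores, "rejected": rejected}, indent=2))
```
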