matteo-convertino / otpmanager-nextcloud

Nextcloud app that allows you to manage your OTP (TOTP/HOTP) codes easily
GNU Affero General Public License v3.0

Browser Extensions #34

Closed beatles1 closed 1 month ago

beatles1 commented 6 months ago

In the Apps section there are Firefox and Chrome extensions listed. Have these been started yet or are they later on in the roadmap?

matteo-convertino commented 6 months ago

Honestly it's still just an idea that would be really cool to develop.

JoshuaPettus commented 6 months ago

I figured as much, though I do hope one day it becomes a reality. I see that this app strongly complements NC Passwords, and a matching browser plugin to NC Passwords would be very helpful to fill that OTP hole.

beatles1 commented 6 months ago

So this weekend I thought I'd have a go at writing a browser extension for this. I didn't know how far I'd get but it's basically all working!

I've made it as simple as I can. It's read only and doesn't even refresh the OTP tokens but I think that's fine as it's just a quick tool to grab an OTP when you need it. It relies on the current browser session being logged into Nextcloud and just requests permission to access the URL once it's told it.

I've developed it in Firefox so need to test in Chrome and see if any tweaks are needed but in theory it should just work. I'd also like to try and get the logos working in it, haven't got round to checking how they work in the app and see if I can borrow the resources yet.

@matteo-convertino I can hand it over if you wanted it on your GitHub as an official browser extension but also very happy to just have it as an unofficial one and publish and support it myself.


matteo-convertino commented 6 months ago

Very very nice, thank you for all the work you are doing. What are you developing it with? If you want I can create an organization so we can put all the OTP Manager repositories there and continue working on them together.

beatles1 commented 6 months ago

What are you developing it with?

I've used Fomantic UI for the UI library as it's something I've used before and find reasonably easy to work with. Other than that I just kept it as vanilla as possible as it's quite a simple thing. I just used the jQuery that Fomantic UI requires anyway and not much else.

If you want I can create an organization

That sounds fine to me although it's ultimately your decision I think.

I've published the repo on Github now if you want to check it out: https://github.com/beatles1/otpmanager-browser. I think it's basically done for version 1.0. Unless you have any objections I'll publish it on the stores for Chrome and Firefox so anyone can test and give feedback.

beatles1 commented 6 months ago

This is now available on Chrome Web Store and Firefox Add-ons if anyone wants to try it out and help test.

JoshuaPettus commented 6 months ago

Fantastic! A little quick and dirty but does the job!

Couple of things I'd love to see, aside from something that can update as the OTP changes or do it itself, is to have the app use NC's session system to log in. I think the NC Passwords extension makes use of the PassLink system to make this a little easier for the end user to set up.

Also if there were a way to hide the OTP codes until they are clicked on or hovered over or something.

beatles1 commented 6 months ago

A little quick and dirty but does the job!

That's unfortunately my speciality :stuck_out_tongue_closed_eyes:

something that can update as the otp changes or do it itself

What do you mean by this? As in if the popup is open for over 30 seconds it refreshes to the new codes or a way to register new codes in the extension?

In terms of having it update the codes every 30 seconds I did consider it but I couldn't really see a situation where I'd have it open longer than that myself. If it's an issue for other people I don't see why it can't be added.

have the app use NC's session system to log in. I think the NC Passwords extension makes use of the PassLink system to make this a little easier for the end user to set up.

From searching it sounds like PassLink is a proprietary part of the NC Passwords app and not NC itself. Honestly, looking at the guide to log in via PassLink, it seems a lot more complex than just logging into Nextcloud in the browser (as the user probably already is) and then entering the server name in the extension. I guess maybe we just want a nicer message with a link for the user to click and log in to their Nextcloud instance if they're not already when they enter the URL?

Or is the benefit of PassLink that you could log out of Nextcloud in the browser but still be connected in the extension? I think the proper way to do that would be to use OAuth in the extension itself, although admittedly I don't actually know how you'd call the API outside of the context of the current browsing session. Presumably it must be possible though.

Also if there were a way to hide the OTP codes until they are clicked on or hovered over or something.

Sounds sensible, I think it would benefit from a few options for that and how to order/sort the OTP codes (even if I can't see myself ever scrolling to a code rather than just typing in the search box).

JoshuaPettus commented 6 months ago

What do you mean by this?

Well this is more of a design issue. The only problem with the way you have it is what if the user queries the NC OTP extension on second 28? By the time they enter it in it will be too late. And there is no feedback that it would have expired. Or what if one of the codes isn't 30 seconds and totally out of sync with the rest? Ideally a client should pull and sync the OTP keys themselves and generate the OTP code client side from the system clock. Unless there is a way to live query the NC app?

Of course that would require a proper NC session stored. I'm not sure how Passwords came up with their PassLink system but it is a little easier than logging in yet again for another app when you are in theory already signed in to initiate it.

beatles1 commented 6 months ago

The only problem with the way you have it is what if the user queries the NC OTP extension on second 28?

I don't think this is ever practically going to be an issue. There's always a risk that the server and the client will have some time difference between their clocks or that a user might be slow to type in a code for some reason. Because of that, servers will accept a certain number of old (or future) codes. RFC 6238 (which defines TOTP) mentions this but doesn't suggest any specific number of time steps; however, I think it's unlikely there are any implementations which won't accept at least 2 codes behind. Because of that I don't think it'll ever be a problem to copy a code 45 seconds after it technically stopped being the current one and use it to authenticate.

The client does download the secrets and then generate the codes so it would be possible, I just don't believe it's necessary for this application. Although of course if anyone does actually experience problems with it in the real world or has a use case for keeping the popup open for a long period of time we can look at it.

JoshuaPettus commented 6 months ago

Really? In my experience there can be a couple of seconds' leeway but it doesn't allow for an outright old code. But I will test that hypothesis.

EDIT: wow, looks like you're right. FortiToken is an outlier but their implementation is completely proprietary and not compatible with other authenticator apps.

matteo-convertino commented 6 months ago

Thank you so much for all the work you are doing @beatles1. I have to be honest, my intention was to develop the extension always using React and Mantine so as to have a project that was a little easier to maintain and scale: think if we wanted to add/edit/delete accounts directly from here, or if in the future the accounts could be divided into folders, or it could be very cool to give the possibility to scan the QR code directly from the browser extension(?). I think it would also be great because you could reuse a lot of the code already written for the web app (both the logical and graphic parts). The fact remains that I'm very happy that you're developing the browser extension and that I definitely won't be able to help you/start developing it for a while longer (off topic: these days I'm developing the ability to share accounts).

beatles1 commented 6 months ago

I think that's very valid, I was worried that it's not of quite the same professionalism or at least not using the same tools as the stuff you've done.

The features I planned for this (if you can call it planning, I just sort of started to see if I could) were just what I thought I personally wanted in order to start using OTP Manager as my main 2FA app. Possibly that's a bit selfish really 😛.

I wonder if the best option for now is if I rebrand this as something like 'Simple Browser Extension for OTP Manager' to make it clear it's not the official one. People can use it for now if they want and I'll keep it working if any changes to the server happen etc. and add any easy features if I feel like it. Then one day if/when a fully featured extension comes along people can move to it and I can always try and contribute to it at that point as well.

EDIT: I've released an update today with a few settings that can now be changed. I've also changed the name to add in simple: https://github.com/beatles1/simple-otpmanager-browser

JoshuaPettus commented 6 months ago

I for one am very glad this exists in the interim too. It really makes life a little easier. Thanks so much!

JoshuaPettus commented 5 months ago

If I may, I for one think @beatles1's app should be listed in the Apps section of the web app as a possible client. I'm sure a lot of people will be happy to know it exists.

matteo-convertino commented 1 month ago

@beatles1 I return to this issue just to let you know that I added a couple of links that refer to your repo and the Firefox/Chrome extension. I hadn't forgotten about your work, thanks so much again :heart:.

beatles1 commented 1 month ago

Thank you, much appreciated! Happy for you to close this issue or leave it open if you are still planning your own browser extensions at some point.