mattydebie / bitwarden-rofi

Wrapper for Bitwarden https://github.com/bitwarden/cli and Rofi
GNU General Public License v3.0
351 stars 57 forks

Add `auto-lock` option #14

Closed ngotchac closed 5 years ago

ngotchac commented 5 years ago

Closes #13

This PR adds an auto-lock option that automatically locks the Vault when the program exits.

mattydebie commented 5 years ago

Thanks for the PR! This is a good start I think, but I would add the ability to lock after x minutes.

My suggestion: AUTO_LOCK should be a numeric value

Maybe we could expand the BW_HASH_FILE to contain a timestamp of the last unlock. When load_items() is called we source that file; that's the perfect time to check for expiration.

if timestamp > $AUTO_LOCK: lock the vault.

What do you think?

ngotchac commented 5 years ago

Yeah, that's what I initially thought as well, however, if this were implemented, I would expect the session ID in the hash file to be invalidated after N minutes. With this implementation, it wouldn't be the case as it's valid until you re-run the program.

Maybe it could spawn a new process and sleep the required amount of time before locking the Vault.

mattydebie commented 5 years ago

That sounds like too much trouble. The file containing the hash is only readable by the user (mod 600), so unless you source it yourself, no one is running away with your passwords. Also, if anyone were to launch bitwarden-rofi, it would check the hash file and see the expiration. You could also change the location of the state file to any place you want, making it "hard" to find for malicious programs etc. We could, however, make the storage location of the hash file super random, and let it change from time to time?
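The expiry-on-load check discussed in the comments above, as an added example that is not code from bitwarden-rofi or from this PR. The function names `save_session` and `load_session`, the two-line state file layout, the `STATE_FILE` variable and `AUTO_LOCK` counted in seconds are all assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical names, not bitwarden-rofi's code).
# Assumed state file layout: line 1 = unlock time (epoch seconds),
# line 2 = session key. The file is parsed with `read`, not sourced,
# so its content is never executed.

STATE_FILE="${STATE_FILE:-${XDG_RUNTIME_DIR:-/tmp}/bwrofi-example.state}"
AUTO_LOCK="${AUTO_LOCK:-900}"   # assumed unit: seconds; 0 disables expiry

# save_session KEY [NOW]: store timestamp and key in a mode-600 file.
save_session() {
  local key="$1" now="${2:-$(date +%s)}"
  ( umask 077; printf '%s\n%s\n' "$now" "$key" > "$STATE_FILE" )
  chmod 600 "$STATE_FILE"       # also tightens a pre-existing file
}

# load_session [NOW]: print the key if the state is still valid.
# Returns 1 = no state, 2 = wrong mode or malformed, 3 = expired.
load_session() {
  local now="${1:-$(date +%s)}" ts key mode
  [ -f "$STATE_FILE" ] || return 1
  mode=$(stat -c '%a' "$STATE_FILE") || return 2   # GNU stat
  [ "$mode" = 600 ] || return 2
  { read -r ts && read -r key; } < "$STATE_FILE" || return 2
  case $ts in ''|*[!0-9]*) return 2 ;; esac
  if [ "$AUTO_LOCK" -gt 0 ] && [ $(( now - ts )) -ge "$AUTO_LOCK" ]; then
    # The check only runs here, so until the next launch the key in
    # the file stays usable (the objection raised in the thread).
    rm -f "$STATE_FILE"         # a real wrapper would also run `bw lock`
    return 3
  fi
  printf '%s\n' "$key"
}
```
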

Mange commented 5 years ago

Does the bwcli support any options for setting expiration on the session?

mattydebie commented 5 years ago

Not that I'm aware of: session management

mattydebie commented 5 years ago

Did some digging: in #15 I replaced sourcing the file with storing the session into keyctl (this is a kernel key storage in RAM). @ngotchac would you mind trying this out and getting back to me?

ngotchac commented 5 years ago

Wow, that's great, I wasn't aware of keyctl! That's way better, I'll close this PR, thanks!