nextcloud / passman-webextension

Webextension for the Passman Nextcloud app. Also offers browser extension & Android app.
https://passman.cc
GNU Affero General Public License v3.0

Extension won't lock once unlock [$25] #250

Open xenofree opened 6 years ago

xenofree commented 6 years ago

When I open my browser (Firefox), I successfully unlock the extension. But when I lock the extension I still have access to the search and list buttons and can access the passwords without unlocking it.

Steps to reproduce

  1. Install and Setup the extension
  2. Open your browser (Firefox)

Expected behaviour

  1. Install and Setup the extension
  2. Open your browser (Firefox)
  3. Unlock the extension
  4. Lock the extension
  5. Can't use the extension until you unlock it.

Actual behaviour

  1. Install and Setup the extension
  2. Open your browser (Firefox)
  3. Unlock the extension
  4. Lock the extension
  5. You can still use the search button and have access to your passwords without unlocking the extension

Configuration

Windows 7 64bits
Firefox 59.0.2 (64bits)
Passman 2.1.4
Extension 2.1.1
Nextcloud 13.0.1

---

There is a **[$25 open bounty](https://www.bountysource.com/issues/56842202-extension-won-t-lock-once-unlock?utm_campaign=plugin&utm_content=tracker%2F52236699&utm_medium=issues&utm_source=github)** on this issue. Add to the bounty at [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F52236699&utm_medium=issues&utm_source=github).

Backfighter commented 6 years ago

Can confirm on: 4.17.2-1-ARCH, Firefox Nightly 62.0a1 (2018-05-09), Extension 2.1.1, Passman 2.1.4

kartoffelheinz commented 5 years ago

Can also confirm on: Debian 4.9.0-8, Firefox 62.0, Extension 2.1.1, Passman 2.1.4

This is actually a major show-stopper and makes the use of passman as a browser extension quite risky in a lot of environments.

And it is actually worse (and I feel this has the same underlying problem): If you delete a vault / account from the browser extension, all passwords from this deleted account are still accessible as if the vault had never been deleted. A restart of Firefox mitigates this issue, though.

It seems this is just about letting the app code know something has changed and make it reload / invalidate certain data. Should not be hard to fix, but I'm not an app developer. Will pay for a proper fix and will add a bounty.

joshhazelhurst123 commented 5 years ago

Once you hit the lock button, passman needs to go back to the login screen is that what's required here? Regarding the extension won't lock after it has been opened/modified.

@kartoffelheinz Also, when you delete a vault/account from the browser extension and the password still shows/is accessible, until you restart Firefox and then the problem disappears, i.e., the password is correctly deleted. Yes, there must be something in the code not updating properly; maybe the page is cached and needs to reload after the update (like a trigger statement). Seems like that will solve the issue.

kartoffelheinz commented 5 years ago

Well, the extension "locks", as in shows a locked sign. But that's about it.

And to be honest, I'm not after a cosmetic change here. Just blocking the access to any other screen than "unlock" once you unlocked will not suffice. The extension needs to clear EVERY available cache, memory whatsoever. Wipe clean everything to make sure no credentials will ever be accessible once locked.

Same thing should happen for deleted vaults, with the exception of only wiping clean anything related to that deleted vault. Although, it's probably best to just clean all caches (not resetting logins) after deleting a vault, regardless of relation. This would trigger reloads, yes, but it's the safe road - and we're talking security impact here, so the safe road should be the only road to town.
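The behaviour asked for in the comment above (lock clears every cache and refuses reads; deleting a vault invalidates all caches, not just that vault's) is sketched below as an added example. It is not code from the passman-webextension project; the class and method names (`VaultStore`, `unlock`, `lock`, `deleteVault`, `search`, `getPassword`) and the sample credentials are hypothetical and constructed here.

```javascript
// Added example, not code from the passman-webextension project.
// An in-memory credential store whose lock() wipes every cached secret and
// whose read paths refuse to serve anything while locked. All names here
// are hypothetical; the sample credentials below are constructed.
class VaultStore {
  constructor() {
    this.locked = true;
    this.vaults = new Map();       // vaultId -> { key, credentials: [] }
    this.searchCache = new Map();  // search term -> cached hit list
  }

  // Unlocking loads decrypted credentials for one vault into memory.
  unlock(vaultId, key, credentials) {
    this.vaults.set(vaultId, { key, credentials: credentials.map(c => ({ ...c })) });
    this.searchCache.clear();
    this.locked = false;
  }

  // Overwrite and drop one vault's secrets so nothing lingers in memory.
  wipeVault(vault) {
    vault.credentials.forEach(c => { c.password = null; });
    vault.credentials.length = 0;
    vault.key = null;
  }

  // Locking must clear every cache, not merely flip a "locked" flag.
  lock() {
    for (const vault of this.vaults.values()) this.wipeVault(vault);
    this.vaults.clear();
    this.searchCache.clear();
    this.locked = true;
  }

  // Deleting a vault drops its data and invalidates every cache,
  // regardless of which vault a cached entry belonged to.
  deleteVault(vaultId) {
    const vault = this.vaults.get(vaultId);
    if (vault) this.wipeVault(vault);
    this.vaults.delete(vaultId);
    this.searchCache.clear();
  }

  assertUnlocked() {
    if (this.locked) throw new Error('vault store is locked');
  }

  // Search results are cached; the cache is only valid until lock/delete.
  search(term) {
    this.assertUnlocked();
    if (this.searchCache.has(term)) return this.searchCache.get(term);
    const hits = [];
    for (const [vaultId, vault] of this.vaults) {
      for (const c of vault.credentials) {
        if (c.label.includes(term)) hits.push({ vaultId, label: c.label });
      }
    }
    this.searchCache.set(term, hits);
    return hits;
  }

  getPassword(vaultId, label) {
    this.assertUnlocked();
    const vault = this.vaults.get(vaultId);
    const hit = vault && vault.credentials.find(c => c.label === label);
    return hit ? hit.password : undefined;
  }
}

// Walks through both scenarios from the thread and reports what a caller sees.
function runScenarios() {
  const store = new VaultStore();
  // Constructed sample data, not real credentials.
  const personal = [{ label: 'mail.example', password: 'pw-mail' }];
  const work = [{ label: 'vpn.example', password: 'pw-vpn' }];

  store.unlock('personal', 'key-A', personal);
  store.unlock('work', 'key-B', work);
  const hitsBeforeLock = store.search('example').length;   // 2
  store.lock();
  let searchAfterLock;
  try { store.search('example'); searchAfterLock = 'served'; }
  catch (e) { searchAfterLock = 'refused'; }

  // Scenario two: deleting a vault must also invalidate cached search results.
  store.unlock('personal', 'key-A', personal);
  store.unlock('work', 'key-B', work);
  store.search('example');             // primes the cache with both vaults
  store.deleteVault('personal');
  const hitsAfterDelete = store.search('example').length;  // 1, not a stale 2
  const deletedPassword = store.getPassword('personal', 'mail.example'); // undefined

  return { hitsBeforeLock, searchAfterLock, hitsAfterDelete, deletedPassword };
}
```

The point of the `wipeVault` step is that a locked flag alone leaves the decrypted data reachable by any code path that forgets to check it; clearing the structures themselves means a missed check yields nothing rather than a password.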

kartoffelheinz commented 5 years ago

Any way to speed this up? More bounty?

As I said, this bug (especially the not-working unlocking) is a major showstopper for anybody remotely concerned with security and usage on portable devices.