vladimiry / ElectronMail

Unofficial ProtonMail Desktop App
GNU General Public License v3.0

[Feature Request] Ability to detect password confirmation area within protonmail account and paste password #360

Closed CodeCracker-oss closed 3 years ago

CodeCracker-oss commented 3 years ago

Hello,

Within the protonmail account, when doing sensitive things like changing the password, adding/removing keys, or modifying subscription/payment details, it will ask for the protonmail password. I have it stored in my password manager as it's long/unmemorable, so I'd have to launch it up just to get it. So for convenience, EM being able to type it in for me, like it does for login to the account, would be nice. If it's for some reason hard for it to detect a password confirmation screen, having a hotkey (that can be set by the user) to paste in the password would be good.

I just thought that if EM already has the ability to save protonmail credentials from the start, why not leverage that to further the convenience for the user.

What do you think?

vladimiry commented 3 years ago

The idea is clear and it would improve the UX of course. By the way, I think not everyone should store the credentials in the app; one can also use the persistent session feature, which enables the automatic login into the account scenario without a need to store the credentials.

I believe it's quite possible to detect the event/screen/form to fill the password into. A feature like this will in general increase the maintenance burden, since the integration logic will have to be always up to date / synced with the @protonmail web clients stack, which is technically possible since the app comes with static @protonmail web clients built-in (meaning no online/live client loading and so no sudden breakage). I'd consider such a feature to be enabled here if it gets thoroughly covered by e2e/integration tests (likely using https://github.com/electron-userland/spectron which is already used for some basic scenarios). Those tests will have to include the signing-in stage, changing some sensitive settings to trigger the password request, etc. So aside from the initial implementation, the feature comes with an additional price which I'm not ready to pay at the moment.

CodeCracker-oss commented 3 years ago

@vladimiry Actually, I do use persistent session, been using it since it was released. However, it seems to still store the credentials though; if I ever turned off persistent session, it goes back to signing in manually each time, never having to (re)save the credentials.

Since of course the protonmail webclient is open source, is it possible (and secure) to disable the password confirmation itself (of course allowing the user to decide), or is this somehow dependent on protonmail servers to require password confirmation?

vladimiry commented 3 years ago

However, it seems to still store the credentials though

When the persistent session feature is enabled for the account, the feature only stores "some cookie records + javascript thing: window.name" (stored encrypted). So it's not the same as having the credentials saved and then used for automatic forms filling. If you don't store the account credentials in the app then:

Since of course the protonmail webclient is open source, is it possible (and secure) to disable the password confirmation itself (of course allowing the user to decide), or is this somehow dependent on protonmail servers to require password confirmation?

It's in general pointless to implement the password confirmation on the client-side only, since it can be easily bypassed. So I believe it's handled at the server-side.

CodeCracker-oss commented 3 years ago

@vladimiry Ok, I may be a bit confused then. I was an electronmail user before the integration of persistent session, so I've had my login stored in it. Are you able to then just check persistent session in it and skip entering your login in the settings? As in my settings, persistent session is enabled and my username is shown above, as are my 2 passwords.

vladimiry commented 3 years ago

There is no need to check anything. It's the user's choice to save the credentials or not; those are optional fields on the app's form. If you have the "persistent session" toggle enabled, then the session will be reused if it's valid. Then, if the credentials are saved, the automatic forms filling will occur using those credentials. If not saved, you fill in the forms manually. That's the workflow.