Support HTTP basic authentication (browser pop-up window) #103
I like this idea! Judging by this link, this can only be implemented in Chrome. This link seems to be the explanation on how to implement it. In short: add the webRequest permission and override. However, I don't think the user can interact with extensions while this auth popup is open, so it requires more thought. If I'm not mistaken, LastPass solves this by asking the user to choose which webpage they want to open with which credentials, and then opens the page and prefills the selected credentials.
Implementing #105 could be a workaround for all browsers. BTW, you can interact with the extension while the popup is open in Chrome.
Great observation, you are certainly right! By the way, I just checked FF and you can interact with the extension there as well.
I like the workaround, but personally I don't get any benefit from it because I can already copy & paste from the dmenu pass integration.
Personally, me too; I use a similar plugin for a different launcher. The original request can still be implemented like I described earlier (except that now it might probably also work in Firefox, they seem to have improved extensions quite a bit), but the workflow would be quite different. Today you open the page first, and then use browserpass to fill credentials. When this popup window is open, it is already too late, browserpass cannot fill it in. Instead, what we can do is the following: when the user is on a new tab page and selects a browserpass entry, browserpass should be smart enough to understand that it currently stands on a new tab page, so instead of filling in the form it actually opens the selected website with pre-filled credentials. So you will not see the popup at all, browserpass will open the page and authenticate you automatically.
@varac I use a custom dmenu script that can do autofill, mapped to a hotkey.
pass-dmenu.sh

```bash
#!/bin/bash
# pass-dmenu.sh: pick a pass(1) entry with dmenu, then copy or type one field of it.
# Usage: pass-dmenu.sh clipboard|type [extra dmenu options...]
DMENU_FONT='Hack:pixelsize=20'
MODE="$1"
shift
shopt -s nullglob globstar
prefix=${PASSWORD_STORE_DIR:-~/.password-store}
# List every entry as a store-relative path without the .gpg suffix.
password_files=( "$prefix"/**/*.gpg )
password_files=( "${password_files[@]#"$prefix"/}" )
password_files=( "${password_files[@]%.gpg}" )
target=$(printf '%s\n' "${password_files[@]}" | dmenu -fn "$DMENU_FONT" "$@")
[[ -n "$target" ]] || exit 0
secret="$(pass show "$target")"
# Selectable fields: the secret (first line), optionally the whole entry,
# and every "key: value" line after the first (read line by line, so keys
# containing spaces are not word-split).
keys=( 'secret' )
if [[ $(printf '%s\n' "$secret" | wc -l) -gt 1 ]]; then
    keys+=( 'everything' )
fi
mapfile -t -O "${#keys[@]}" keys < <(printf '%s\n' "$secret" | tail -n +2 \
    | grep -E '^[^[:space:]]+:.+' | sed -E 's/^([^:]+):.*$/\1/' | sort -u)
if printf '%s\n' "${keys[@]}" | grep -qx 'login'; then
    keys+=( 'login+secret' )
fi
key=${keys[0]}
if [[ ${#keys[@]} -gt 1 ]]; then
    key=$(printf '%s\n' "${keys[@]}" | dmenu -fn "$DMENU_FONT" "$@")
    [[ -n "$key" ]] || exit 0
fi
# The first line is the secret; a leading "label:" is stripped if present.
password="$(printf '%s\n' "$secret" | head -n 1 | sed -E 's/^.+:[[:space:]]*//')"
# "key: value" lines are split at the first colon only, so values that
# themselves contain colons (URLs, for instance) stay intact.
case "$key" in
    secret)       secret="$password" ;;
    login+secret) login="$(printf '%s\n' "$secret" | grep -m 1 '^login:' | sed -E 's/^[^:]+:[[:space:]]*//')"
                  secret="$(printf '%s\t' "$login")$password" ;;
    everything)   ;;
    *)            secret="$(printf '%s\n' "$secret" | grep -m 1 "^$key:" | sed -E 's/^[^:]+:[[:space:]]*//')" ;;
esac
if [[ "$MODE" == 'clipboard' ]]; then
    printf '%s' "$secret" | xclip -selection clipboard
elif [[ "$MODE" == 'type' ]]; then
    printf '%s' "$secret" | xdotool type --clearmodifiers --file -
fi
```
Again, PassFF does HTTP basic auth now. It's a bit clunky, but it works in such a way that the dialog isn't even displayed!
Guys, this would be a perfect time if you could test the basic auth support in #224. I don't have many examples of such websites, that's why I want to make sure it really works for all your cases. If you don't want to bother with compiling the extension, I can attach a
@maximbaz Please add a compiled version, which will increase the outreach of volunteer testers (incl. me). Thx!
I attached the crx file (and will be attaching new versions) in #224.
The attachment and solution are only for Chromium, correct?
Firefox >= 54 is supported too, sorry I forgot to attach the zip file for it; attached now. You have to unpack the firefox.zip and then load this unpacked extension as described in CONTRIBUTING.md
I'm still on FF 52. Apart from a FF update not being so easy on FreeBSD, I would lose an essential plugin: the vimperator :-(
#103)
- Host app will now return a "url" field
- Browser plugin has a "launch URL" button for each entry
- Browser plugin has a new hotkey (g) to launch the URL
- Supply basic auth credentials if necessary when launching via the extension

Note that basic auth will only work in Firefox >= 54. Older versions don't have the required API to do this.
Released in v2.0.14, kudos to @erayd for implementing this!
Unfortunately this doesn't work for me. I am using browserpass 2.0.15 (both chromium extension and host application), and for other non-basic-auth sites it works as expected.
Such a scenario is unfortunately not supported; we only pre-fill credentials if they are asked for at the moment of opening the URL, not at any time afterwards. I might say this is even intentional: imagine if this was not the case, you open a URL, credentials are prepared but not submitted yet, you forget that you ever selected credentials, then 15 minutes later you click a different button (which wants different credentials) and your previously selected credentials are leaked.
It's not supposed to work that way. It's intended to intercept and handle the auth request when launched from the extension; it doesn't fill out the popup box. I'll take a look at this tomorrow just in case, but based on your description, this doesn't sound like a bug. There could be some room for enhancement though; can you explain in a bit more detail how you think it should work in this scenario?
I think what @varac meant is that they open the URL via browserpass, but they expect the
@maximbaz It should actually work that way, although it would be unusual for a site to implement that kind of behaviour. That said, I'm seeing a potential exploit vector there for stealing credentials which I'd not thought of yesterday, so I will roll another PR tomorrow to secure things a bit better. At a minimum, the login code needs a domain restriction. I might also add something that disables basic auth if the user fills another login form on the site.
What I'd like to have is:
Is this possible? This is the workflow I'm used to for all other sites.
No, for basic auth this is not possible; an extension can only fill basic auth on URLs that were opened by that extension.
Ok, cool. This is working for me on other basic auth sites. Thx for implementing this!!
This is not currently possible. We can preempt the popup and handle authentication at that point, provided that we already know which credentials need to be used. This is the current behaviour. The credentials used are the ones associated with whatever site the user launched via the extension. Unfortunately, there's not currently any ability for the user to select credentials on demand (I'll see if I can come up with a solution to this use-case tomorrow, but don't get too hopeful), and the browser doesn't allow the extension to interact with the login popup at all.
Domain restriction is a good idea, although if we only fill out credentials during the time until the tab has finished loading, a third-party domain probably has no chance to initiate a basic auth request anyway.
UPDATE: after all PRs have settled, it was decided against this behavior for security reasons. Final behavior: if the password is not requested during the loading, it is cleared from memory. The example above is not supported by design.
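The rules the thread settles on (credentials answer an auth challenge only in the tab the extension itself launched, only for the host that was launched, never for a proxy, used at most once, and dropped as soon as the page has finished loading) can be sketched as a small background-script design. This is an added illustration, not browserpass's own code; it assumes Firefox-style WebExtension APIs (`browser.webRequest.onAuthRequired` with `"blocking"`, `browser.webNavigation.onCompleted`), and the function names `registerLaunch`, `markTabLoaded` and `handleAuthRequired` are chosen here. The decision logic is kept in plain functions so it runs outside a browser; the wiring at the bottom only activates when the extension APIs exist.

```javascript
// In-memory table of launches still in flight: tabId -> { host, username, password }.
// Nothing here is persisted; an entry lives only until the tab finishes loading
// or the credentials are consumed once.
const pending = new Map();

// Called when the extension opens a URL for the entry the user picked.
function registerLaunch(tabId, url, username, password) {
  const { hostname } = new URL(url);
  pending.set(tabId, { host: hostname, username, password });
}

// Called once the launched tab's top frame has completed loading.
// Credentials that were never requested are discarded here.
function markTabLoaded(tabId) {
  pending.delete(tabId);
}

// Listener for webRequest.onAuthRequired. Returns { authCredentials } when the
// challenge is allowed to consume the stored credentials, otherwise {} so the
// browser falls back to its own dialog.
function handleAuthRequired(details) {
  const entry = pending.get(details.tabId);
  if (!entry) return {};            // not a tab we launched, or its load already finished
  if (details.isProxy) return {};   // site credentials are never handed to a proxy
  let host;
  try {
    host = new URL(details.url).hostname;
  } catch (e) {
    return {};                      // unparsable URL: do not guess
  }
  if (host !== entry.host) return {}; // a third-party host challenging during the load
  pending.delete(details.tabId);      // single use: forget before answering
  return { authCredentials: { username: entry.username, password: entry.password } };
}

// Wiring for a real extension (assumed API shape; skipped when run outside a browser).
if (typeof browser !== 'undefined' && browser.webRequest && browser.webNavigation) {
  browser.webRequest.onAuthRequired.addListener(
    handleAuthRequired, { urls: ['<all_urls>'] }, ['blocking']);
  browser.webNavigation.onCompleted.addListener((d) => {
    if (d.frameId === 0) markTabLoaded(d.tabId);
  });
}
```

With this shape, the "click a different button 15 minutes later" case described above cannot leak anything: by then `markTabLoaded` has already removed the entry, so the listener returns `{}` and the browser shows its normal dialog.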
This and the new "go to URL" feature would be a great addition to the FAQ...
Documented in this section of the Browserpass v3 README: https://github.com/browserpass/browserpass-extension#basic-http-authentication By the way, if you can help test Browserpass v3, please share your feedback in #331
I'm very happy with browserpass+GnuPG and removed all my insecure FF credential storage.
There are two issues (I will file the 2nd one in an extra issue): Some sites use an extra pop-up window for the credentials, and in this case one cannot hit the browserpass icon anymore. It only helps to cut & paste from another (shell) window. Perhaps there is no solution for this.