This repository has been archived by the owner on May 27, 2019. It is now read-only.

Support HTTP basic authentication (browser pop-up window) #103

Closed
gurucubano opened this issue Jul 7, 2017 · 27 comments

@gurucubano

I'm very happy with browserpass+GnuPG and removed all my insecure FF credential storage.

There are two issues (I will file the 2nd one in an extra issue): some sites use an extra pop-up window for the credentials, and in this case one cannot hit the browserpass icon anymore. The only thing that helps is to cut & paste from another (shell) window. Perhaps there is no solution for this.

@maximbaz
Member

maximbaz commented Jul 8, 2017

I like this idea!

Judging by this link, this can only be implemented in Chrome.

This link seems to be the explanation on how to implement it. In short: add webRequest permission and override onAuthRequired method filling in the credentials.

However I don't think user can interact with extensions while this auth popup is open, so it requires more thought. If I'm not mistaken, LastPass solves this by asking user to choose which webpage they want to open with which credentials, and then opens the page and prefills the selected credentials.

@maximbaz maximbaz changed the title browserpass does not work for sites which pop-up an athentication window Support HTTP basic authentication (browser pop-up window) Sep 14, 2017
@Weker01
Contributor

Weker01 commented Nov 9, 2017

Implementing #105 could be a work around for all browsers. BTW you can interact with the extension while the popup is open in Chrome.

@maximbaz
Member

maximbaz commented Nov 9, 2017

Great observation, you are certainly right! By the way, just checked FF and you can interact with extension there as well.

@varac

varac commented Nov 9, 2017

I like the workaround but personally I don't get any benefit from it because I can already copy&paste from the dmenu pass integration.
An automatic fill of both user and password like requested by this issue would still be highly appreciated.

@maximbaz
Member

maximbaz commented Nov 9, 2017

Personally - me too, I use a similar plugin for a different launcher.

The original request can still be implemented like I described earlier (except that now it might probably also work in Firefox, they seemed to improve extensions quite a bit), but the workflow would be quite different.

Today you open the page first, and then use browserpass to fill credentials. When there is this popup window open, it is already too late, browserpass cannot fill it in.

Instead what we can do is the following: when user is on a new tab page, select a browserpass entry, browserpass should be smart enough to understand that it currently stands on a new tab page, so instead of filling in the form it actually opens the selected website with pre-filled credentials. So you will not see the popup at all, browserpass will open the page and authenticate you automatically.

@erayd
Contributor

erayd commented Nov 9, 2017

@varac I use a custom dmenu script that can do autofill, mapped to a hotkey.

  1. Press hotkey (runs ~/.password-store/.bin/pass-dmenu.sh type via xbindkeys)
  2. Search / select target login
  3. Select the 'login+secret' option
  4. It will type the login, then a tab, then the password, into wherever the current cursor focus is.

pass-dmenu.sh

#!/bin/bash
# pass-dmenu.sh: pick a pass(1) entry with dmenu, then either copy one field
# to the clipboard or type it into the window that currently has focus.
#   pass-dmenu.sh clipboard [extra dmenu args...]
#   pass-dmenu.sh type      [extra dmenu args...]
# Entry format assumed: first line is the password (optionally "label: pw"),
# later lines are "field: value" pairs such as "login: alice".

DMENU_FONT='Hack:pixelsize=20'
MODE="$1"
shift

shopt -s nullglob globstar

# List the store as "dir/name" entries, the same way pass's completion does.
prefix=${PASSWORD_STORE_DIR-~/.password-store}
password_files=( "$prefix"/**/*.gpg )
password_files=( "${password_files[@]#"$prefix"/}" )
password_files=( "${password_files[@]%.gpg}" )

# Remaining arguments go to dmenu; "$@" keeps arguments with spaces intact.
target=$(printf '%s\n' "${password_files[@]}" | dmenu -fn "$DMENU_FONT" "$@")

[[ -n "$target" ]] || exit 0

secret="$(pass show "$target")"

# Selectable items: the password ('secret'), the whole entry ('everything',
# only for multi-line entries), each "field:" name from the remaining lines,
# and 'login+secret' when a login field exists.
key=( 'secret' )
if [[ $(printf '%s\n' "$secret" | wc -l) -gt 1 ]]; then
    key+=( 'everything' )
fi
# Field names are the text before the FIRST colon; a greedy regex here breaks
# on values that contain ':' themselves (e.g. "url: https://...").
mapfile -t fields < <(printf '%s\n' "$secret" | tail -n +2 \
    | grep -E '^[^[:space:]:][^:]*:.+' | sed -E 's/^([^:]+):.*$/\1/' | sort -u)
key+=( "${fields[@]}" )
if printf '%s\n' "${key[@]}" | grep -qx 'login'; then
    key+=( 'login+secret' )
fi

# Only prompt when there is a choice to make.
choice="${key[0]}"
if [[ ${#key[@]} -gt 1 ]]; then
    choice=$(printf '%s\n' "${key[@]}" | dmenu -fn "$DMENU_FONT" "$@")
    [[ -n "$choice" ]] || exit 0
fi

# First line is the password; a leading "label:" is stripped (note that this
# also strips a bare password up to its last ':' if it contains one).
password="$(printf '%s\n' "$secret" | head -n 1 | sed -E 's/^.+:[[:space:]]*//')"
# Value of the first "field: value" line for the given field name.
field_value() {
    printf '%s\n' "$secret" | grep -- "^$1:" | head -n 1 | sed -E 's/^[^:]+:[[:space:]]*//'
}

case "$choice" in
    secret)       secret="$password" ;;
    # Login, a Tab to jump to the next field, then the password.
    login+secret) secret="$(printf '%s\t' "$(field_value login)")$password" ;;
    everything)   ;;
    *)            secret="$(field_value "$choice")" ;;
esac

if [[ "$MODE" == 'clipboard' ]]; then
    # Nothing clears the clipboard afterwards; any X client can read it.
    printf '%s' "$secret" | xclip -selection clipboard
elif [[ "$MODE" == 'type' ]]; then
    # Types into whatever has focus right now, so focus the basic-auth dialog
    # (or form field) before pressing the hotkey.
    printf '%s' "$secret" | xdotool type --clearmodifiers --file -
fi

@madduck

madduck commented Feb 27, 2018

Again, PassFF does HTTP basic auth now. It's a bit clunky, but it works in such a way that the dialog isn't even displayed!

@maximbaz
Member

Guys, this would be a perfect time if you could test the basic auth support in #224. I don't have many examples of such websites, that's why I want to make sure it really works for all your cases.

If you don't want to bother with compiling the extension, I can attach a .crx file, just say so.

@varac

varac commented Mar 21, 2018

@maximbaz Please add a compiled version which will increase the outreach of volunteer testers (incl. me). Thx !

@maximbaz
Member

I attached the crx file (and will be attaching new versions) in #224.

@gurucubano
Author

The attachment and solution is only for Chromium, correct?

@maximbaz
Member

Firefox >= 54 is supported too, sorry I forgot to attach the zip file for it - attached now.

You have to unpack the firefox.zip and then load this unpacked extension as described in CONTRIBUTING.md

@gurucubano
Author

I'm still on FF 52. Apart from a FF update not being so easy on FreeBSD, I would lose an essential plugin: the vimperator :-(

maximbaz pushed a commit that referenced this issue Mar 21, 2018
#103)

 - Host app will now return a "url" field
 - Browser plugin has a "launch URL" button for each entry
 - Browser plugin has a new hotkey (g) to launch the URL
 - Supply basic auth credentials if necessary when launching via the extension

Note that basic auth will only work in Firefox >= 54. Older versions don't have the required API to do this.
@maximbaz
Member

Released in v2.0.14, kudos to @erayd for implementing this!

@varac

varac commented Mar 22, 2018

Unfortunately this doesn't work for me.
As an example I took https://www.httpwatch.com/httpgallery/authentication/ where you can click on Display Image and a basic auth pops up. If I choose a test entry I made for that site, the popup is not filled out.

I am using browserpass 2.0.15 (both chromium extension and host application), and for other non-basic auth sites it works as expected.

@maximbaz
Member

Such a scenario is unfortunately not supported; we only pre-fill credentials if they are asked for at the moment of opening the URL, not at any time afterwards.

I might say this is even intentional, imagine if this was not the case, you open a URL, credentials are prepared but not submitted yet, you forget that you ever selected credentials, then 15 minutes later you click a different button (which wants different credentials) and your previously selected credentials are leaked.

@erayd
Contributor

erayd commented Mar 22, 2018

@varac

where you can click on Display Image and a basic auth pops up. If I choose a test entry I made for that site, the popup is not filled out

It's not supposed to work that way. It's intended to intercept and handle the auth request when launched from the extension; it doesn't fill out the popup box.

I'll take a look at this tomorrow just in case - but based on your description, this doesn't sound like a bug. There could be some room for enhancement though - can you explain in a bit more detail how you think it should work in this scenario?

@maximbaz
Member

I think what @varac meant is that they open URL via browserpass, but they expect the authListener to not be removed when tab finished loading, but instead stay a bit longer and wait until it is requested for the first time (when on that page they click a button that requests basic auth).

@erayd
Contributor

erayd commented Mar 22, 2018

@maximbaz It should actually work that way, although it would be unusual for a site to implement that kind of behaviour.

That said, I'm seeing a potential exploit vector there for stealing credentials which I'd not thought of yesterday - so I will roll another PR tomorrow to secure things a bit better. At a minimum, the login code needs a domain restriction. I might also add something that disables basic auth if the user fills another login form on the site.

@varac

varac commented Mar 22, 2018

What I'd like to have is:

  • Open the URL from my browser (not via browserpass)
  • click on the popup
  • click on the browserpass icon
  • click on the login entry
  • Browserpass fills out the popup

Is this possible? This is the workflow I'm used to for all other sites.

@maximbaz
Member

No, for basic auth this is not possible, an extension can only fill basic auth on URLs that were opened by that extension.

@varac

varac commented Mar 22, 2018

Ok, cool - this is working for me on other basic auth sites. Thx for implementing this!!

@erayd
Contributor

erayd commented Mar 22, 2018

Is this possible? This is the workflow I'm used to for all other sites.

This is not currently possible. We can preempt the popup and handle authentication at that point, provided that we already know which credentials need to be used. This is the current behaviour. The credentials used are the ones associated with whatever site the user launched via the extension.

Unfortunately, there's not currently any ability for the user to select credentials on demand (I'll see if I can come up with a solution to this use-case tomorrow, but don't get too hopeful), and the browser doesn't allow the extension to interact with the login popup at all.

@maximbaz
Member

maximbaz commented Mar 22, 2018

@erayd it somehow feels better to remove the listener when the tab is loaded (as it is now), and not wait for potential future requests for basic auth. After all, 99% of websites do not use basic auth, but if we make the listener stay until the first usage, then for 99% of websites it will keep my credentials forever in the memory of the browser, waiting to be requested.

Domain restriction is a good idea, although if we only fill out credentials during the time until the tab has finished loading, a third-party domain probably has no chance to initiate basic auth request anyway.

@maximbaz
Member

maximbaz commented Mar 22, 2018

I finally realized that authListener is removed not when tab has finished loading, but only after it has been used once. I thought that chrome.tabs.onUpdated.addListener is happening outside of chrome.webRequest.onAuthRequired.addListener, but actually it's the other way around.

So in other words, the website that @varac provided as an example, I thought browserpass is not able to fill credentials at all, but actually it should work if you open the page from browserpass.

UPDATE: after all PRs have settled, it was decided against this behavior for security reasons. Final behavior: if the password is not requested during the loading, it is cleared from the memory. The example above is not supported by design.
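
The following is an added illustration written for this thread, not browserpass's own code. It shows the onAuthRequired approach sketched near the top of the thread (webRequest permission, a blocking onAuthRequired listener that returns the credentials) combined with the three guards that were argued for afterwards: credentials are handed out only to the tab the extension launched, only to the launched host (and its subdomains, an assumption here), and only once, and they are dropped when the tab finishes loading without a challenge. The names createAuthSupplier and registerInBrowser, and the hosts used in demo(), are assumptions; the wiring uses the Manifest V2 blocking API, which needs the webRequest and webRequestBlocking permissions.

```javascript
// Added example, not browserpass code: a one-shot supplier of HTTP Basic
// credentials for webRequest.onAuthRequired, scoped to the tab and host the
// extension itself launched. Names (createAuthSupplier, registerInBrowser)
// and the hosts in demo() are assumptions made for this illustration.

// Exact host or a subdomain of the launched host. (Assumption: subdomain
// scope is wanted; use strict equality if only the exact host should qualify.)
function hostAllowed(launchedHost, requestHost) {
  return requestHost === launchedHost || requestHost.endsWith('.' + launchedHost);
}

// launch = { tabId, url, login, password }: the tab the extension opened for
// url, plus the credentials the user picked before launching.
function createAuthSupplier(launch) {
  const launchedHost = new URL(launch.url).hostname;
  const state = { used: false, cleared: false, login: launch.login, password: launch.password };

  function clear() {
    state.login = null;
    state.password = null;
    state.cleared = true;
  }

  // `details` has the shape of webRequest.onAuthRequired's argument:
  // { tabId, url, isProxy, challenger: { host, port }, ... }.
  // Returning {} means "no credentials", so the browser shows its own dialog.
  function onAuthRequired(details) {
    if (state.cleared) return {};                     // already used or expired
    if (details.isProxy) return {};                   // never send site creds to a proxy
    if (details.tabId !== launch.tabId) return {};    // a different tab asked
    const requestHost = new URL(details.url).hostname;
    if (!hostAllowed(launchedHost, requestHost)) return {};   // third-party resource
    if (details.challenger && !hostAllowed(launchedHost, details.challenger.host)) return {};
    const authCredentials = { username: state.login, password: state.password };
    state.used = true;
    clear();                                          // hand them out exactly once
    return { authCredentials };
  }

  // From tabs.onUpdated: if the launched tab finished loading and nobody
  // asked for the password, drop it instead of keeping it in memory.
  function onTabComplete(tabId, changeInfo) {
    if (tabId === launch.tabId && changeInfo && changeInfo.status === 'complete') clear();
  }

  return { onAuthRequired, onTabComplete, state };
}

// Wiring inside an extension background script (Manifest V2: 'blocking'
// needs the webRequest and webRequestBlocking permissions). Outside a browser
// it just returns the supplier so the file also runs under node.
function registerInBrowser(launch) {
  const supplier = createAuthSupplier(launch);
  const api = typeof browser !== 'undefined' ? browser
            : typeof chrome !== 'undefined' ? chrome : null;
  if (!api) return supplier;
  const host = new URL(launch.url).hostname;
  const listener = (details) => supplier.onAuthRequired(details);
  // Filter by tab and host at registration time too, not only in the handler.
  api.webRequest.onAuthRequired.addListener(
    listener,
    { urls: ['*://' + host + '/*', '*://*.' + host + '/*'], tabId: launch.tabId },
    ['blocking']
  );
  const onUpdated = (tabId, changeInfo) => {
    supplier.onTabComplete(tabId, changeInfo);
    if (supplier.state.cleared) {
      api.webRequest.onAuthRequired.removeListener(listener);
      api.tabs.onUpdated.removeListener(onUpdated);
    }
  };
  api.tabs.onUpdated.addListener(onUpdated);
  return supplier;
}

// Constructed challenges (not captured traffic) showing who gets credentials.
function demo() {
  const launch = { tabId: 7, url: 'https://intranet.example.test/', login: 'alice', password: 's3cret' };
  const s = createAuthSupplier(launch);
  const ask = (tabId, url) => s.onAuthRequired({
    tabId, url, isProxy: false, challenger: { host: new URL(url).hostname, port: 443 },
  });
  return {
    thirdParty: ask(7, 'https://cdn.attacker.test/img.png'),   // {}: other host
    otherTab:   ask(8, 'https://intranet.example.test/'),      // {}: other tab
    launched:   ask(7, 'https://intranet.example.test/'),      // credentials
    replay:     ask(7, 'https://intranet.example.test/'),      // {}: one shot only
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the four constructed cases; in an extension, call registerInBrowser(launch) right before tabs.create for the chosen entry so the listener exists when the first response with a 401 arrives. The third-party case is the leak erayd mentioned: without the host check, any image or script on the launched page could trigger a challenge from its own server and be answered with the user's password.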

@anarcat

anarcat commented Dec 25, 2018

this and the new "go to URL" feature would be a great addition to the FAQ...

@maximbaz
Member

Documented in this section of Browserpass v3 README: https://github.com/browserpass/browserpass-extension#basic-http-authentication

By the way, if you can help testing Browserpass v3, please share your feedback in #331
