marius-wieschollek / passwords-webextension Goto Github PK

Hi, and sorry if it is not the right place to explain this
I have found that when trying to use passwords in a web where before the password I have to choose a database, confusion is created and the user puts in the text box of the database and the password in the user.
Thanks for your job

Hi Marius,

I encountered a weird behavior with the Chrome extension:

• I install the Chrome extension (Chrome Version 71.0.3578.98 (Build officiel) (64 bits))
• I enter my Nextcloud URL
• I enter my Nextcloud username
• I enter my Nextcloud password and suddenly the Nextcloud URL and username are emptied

I managed to reproduce this everytime. After entering the first letter, the URL and username are immediately reset.

If I first enter the password then URL and username, I can actually save the configuration and everything seems to work, but this weird behavior also happens if I want to update my configuration.
For instance, let's say I set the following information:

• URL: https://my.nextcloud.com
• User: my.bad.username
• Password: somethingverysecret

Then, if I first change my user from my.bad.username to my.username then change the password, I can see my username being reset to my.bad.username.

I did not look through the code but there must be some kind of "reset to last save config" function which is triggered when updating the password.

Hi :)

On gnome-shell when entering a web site with a password, I've got a notification asking me whether I want to save the password but there are no button to say "yes" and clicking the notification isn't enough, Am I missing something ?

Thanks ! :)

Running passwords 2018.5.2 on Nextcloud 13.0.2 and trying to retrieve passwords via the web extension running in Firefox 60.0, legacy API switched off.

Login works fine, but when it tries to fetch passwords, I get a JSON parse error. Using Firefox's web extension debugger console I see

Encoding response failed Request { method: "GET", url: "https://cloud.server.tld/index.php…", headers: Headers, referrer: "about:client", referrerPolicy: "", mode: "cors", credentials: "omit", cache: "default", redirect: "follow", integrity: "" } SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data  background.js:1:96395
	_createRequest/</</<

This doesn't look very helpful to me, maybe it would be worth noting somewhere that the Legacy API has to be enabled in the app settings?

When enabling the Legacy API all works as expected.

Is there a way to tell the Firefox addon to distinguish between subdomains (xxx.domain.com), subdirectories (domain.com/xxx), and ports (domain.com:123)? It seems to only be looking at top level domain names and ends up giving me a huge list for domains where there are a lot of subdomains, subdirectories, and different ports for the same domain. Thanks.

I connected to my nc 14.03 instance via app passwords.
Connect to nc - successfull
But, I cant save password, i cant load passwords - see picture.

I noticed some bugs when I used German umlauts (ä ö ü) in this extension with a current version of firefox, nextcloud 15.0.2 and (K)Ubuntu 18.04 on the client side.

1. When I had an umlaut in my nextcloud password, this extension could not retrieve the password list and showed a error message "Authorisation failed" (no other nextcloud app had problems with the specific password). When I set a password without umlauts, it worked fine.
2. When I had an umlaut in a username for a music board, I could not get the login data for the specific page, neither with the auto detection, nor with the search module. Retrieving the data from the webapp worked perfectly fine, but not with the ff extenseion. Tested with another account, it worked after I deleted the ones with the umlauts.

There seem to be issues with character encoding in this extension.

Can you add the option to add a master password for added protection to the passwords stored in the extension?

Love this extension keep up the great work.

What about a feature to access (thats already built in for passwords) and edit passwords and their notes through the extension.

Sometimes the Extension does not recognize a new password and does not ask to change it. So the password could be set manually.
And the access to notes of the passwords would also be great, so you do not have to login to your nextcloud instance for some information and could grab or edit them directly through the extension.

What do you think about that?

Hey Marius,

I've got a problem while setting up the firefox webextension.
After filling in the credentials and clicking on "save" the extension is switching to the first tab with status "no logins found".
If I want to store a password by clicking on the "New Login found" window the error I get is "The password could not be saved"
Is there a chance of investigate the thing with a log file or something like that?

Here some more information:

Hello,
It would be nice to support the two factor autentication of the Nextcloud instance
Because in 2019 only one factor autentication is not secure enough!

Hi,

I know this is a very suggestive request, but the Chrome extension logo is only a key with no background. I use a dark theme for Chrome which unfortunately uses pretty much the same background color as the extension's icon color, which makes it "invisible".

Most of nowadays Web Extensions seems to use a logo with a background color. I'm guessing this is to always be visible no matter the user theme configuration.
Would it be possible to "improve" the logo by adding a background color to it?

hello, I want to explain the problem in english.

I have install the app “passman” in Next Cloud and the Add on for firefox.

Now my problem is that a cant connect to the passman. I get the following popup: “Request has forbidden by Antivirus” - after I have disable that Kaspersky.
I get the following popup: JSON.parse:Unexpected character at line 1 column 1 of the JSON data.

Who can help me ? What must I do the solve the problems.

Firefox 59.02 + Nextcloud Passwords 1.5.0
Nextcloud 13.0.1

On some websites, there is an additional field for an Account Number before using a Username and Password. When using the extension, the username will be placed in the Account Number instead. Here is an example website of what I mean:

http://adpcrm2.v-sept.com/Common/Pages/Authentication/Login.aspx

The password list could not be retrieved.
Error: JSON.parse: unexpected character at line 1 column 1 of the JSON data

I have actually been getting this error since the upgrade to the new Nextcloud passwords app, but it doesn't seem to effect the extension working.

I followed the debug steps and saw this in the console ([domain] replaces my valid NC domain):
Encoding response failed Request { method: "GET", url: "[domain]/index.php/apps/passwords/api/0.1/passwords", headers: Headers, referrer: "about:client", referrerPolicy: "", mode: "cors", credentials: "omit", cache: "default", redirect: "follow", integrity: "" } SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data app.js:1:92256

The error only appears if Enable Legacy API is disabled within NC, but as I said the extension appears to work correctly either way.

The picture explains it all. I get an warning that I need to be HTTPS to use the app but as you can see I am HTTPS. How do I fix this? Thanks

First of all: Great and good looking App+Addon!!!
But: In my opinion there is a big security issue. When starting firefox there is no need of typing a master password or each time the login phrase for the nextcloud instance. So withoout typing any kind of password a person can check all passwords stored over the password-app in the nextcloud.

Tools like Keeweb etc. solve this by locking the connection after a few minutes e.g. Would this also be possible in the firefox-extension?

The password field in the app settings remembers all previously entered passwords and displays them in clear text when double clicking in it.
See:

The password field must not remember previously entered passwords and not display them.

Hi,

I'm testing the Passwords Nextcloud app and this extensions, so far I really like them, they are easy to use, provide all the features I want except that this extension seems to store the Nextcloud user credentials as plain text on the local computer (in Firefox: Profiles/XXX/browser-extension-data/[email protected]/storage.js).

Is there any plan to encrypt that (with a master password or something else)?

Many thanks,

Laurent.

Single Sign On systems pose some challenges for Passwords users that all have some drawbacks.

One password

Each password has only a single website field. For other sites in the SSO system the user has to search for the password and enter it. Passwords prompts the user to save the password for that website, so duplicates are likely to occur eventually.

Password for each site

User enters the password for each site in the SSO they use. The browser plugin does match the password for that site. When the user changes the password for that site they need to remember to change all the other passwords for the other sites in the SSO held by Passwords. Passwords also warns the user that the password is weak (duplicate) even though that's not correct. This false positive makes the other warnings less helpful.

Possible solutions

1. Browser plugins could match on more than just the website field. This way a Passwords user could add other domains in the SSO system to the password notes or a custom field and be able to select the password to use at those domains without searching for it.

2. Websites field could support multiple domains as a delimited list and the browser plugin could parse that and match on each one.

3. Multiple websites fields. browser plugin could check each one.

4. Connect multiple passwords and when one changes change the others. Exempt these from the duplicate check.

Bonus Request

It would be nice if the website field could support wildcards.

System Information

• Nextcloud Version: 14
• PHP Version: not sure
• Passwords Version: 2018.12.0
• Browser and Version: Chromium
• Client OS and Version: Version 73.0.3655.0 (Developer Build) (64-bit)
• Server OS and Version: MacOS Mojave 10.14.2

Steps to reproduce

1. Add password for a domain that is part of an SSO system.
2. Add password for a different domain that uses the same SSO.

Actual result

Passwords warns the user that the password is weak(duplicate).
Passwords are matched by each website in the browser plugin.
Changing one password does not change the other password.

Expected result

Passwords

when sharing an user account all other have the passwords.

For security reasons the webextension could set to disabled by elapsed time and for enabling it, it can ask for master password.

Hi Marius,
Would it be helpful and possible to have buttons in the pop-up when saving a password in firefox? So you can clear choose to save or not save a password to your nextcloud?

Even if the password field is hidden with dots, if you copy the text with Ctrl+C or do right click -> copy, you can paste it in clear everywhere.
(sorry, I should have seen that before, to avoid making so many releases)
Also I don't know if you can do anything to prevent this as this password field is a text one (#15 ) in order to workaround a firefox bug
Anyway, at least, the problem is now tracked.

The Passwords app offers to generate a random password for a site, which is super useful when registering or changing the password.

It would be great if one could generate a random password using this extension, too. For example from the context menu of the password field before submitting and saving it.

I can;t seem to install the extension, chrome doesn't want to enable it. (And some time I have to use chrome instead of Firefox)

Its getting a little confusing when I'm visiting a site where I have multiple accounts, or have multiple passwords for different functions, but tied to the same mail/username.

For example:

I have differentiated them in their names. But when on the site they are used, the extension shows the username/mail.

It would be nice if the extension showed the name field instead of username, or at least had a option to show the name.

Additional information such as notes on passwords should be show for examp on mouse over.
Sometimes you have different logins just with number as username. So you could specify some hints which user it is.

I install this extension (v1.5.0) into Chrome, Opera, and Firefox. I cannot sign into my Passwords account on any. After entering my credentials and clicking "Save", I am moved to the first tab with "No logins found".

I've tried this over https, with Passwords v2018.4.0-build2103 with Nextcloud 13.0.1, the Legacy API is enabled.

I've also tried this over https, on a separate off-site server with Passwords 3.0 on Nextcloud 13.0.1, the Legacy API is enabled.

Both are Debian Jessie servers. Is this broken or am I missing something?

The support for filling into basic auth would be nice. At the moment, when showing the login request in firefox, no interaction is possible, so maybe autofilling would be useful.

basically my server 302 to:
apps/passwords/api/0.1/passwords
until it fails.

however, the firefox version works fine.

With Firefox Android, when I'm viewing a login-page and I open the "Passwords" window via the three-dot-menu, a new tab opens with a moz-extension:// URL. But this new tab doesn't propose me the login for the page that was previously showing. Instead, it shows "No logins found".

Currently, we login by opening the extension and click on the user.

I think it should be nice if we could also use the default login form, as the plugin autofill it for us.

It is required if we use chrome with an app: we have no toolbar in this case, so we can't access the extension button.

I'm using a few nextcloud instances and I's like to access each one trough the extension, because in each instance there's password shared with users of different nextcloud instances

alternatively it would be nice to be allowed to share a folder to remote instances trough federation but I guess this would be harder if at all possible

Hi,
because I never save highly important login data it would be nice not to get the note to save them each time I visit e.g. my bank account. The possibility to exclude definite URLs through a config item would be nice.
IMHO it's a minor proposal for the bottom of an existing todo-list but worth mentioned.
TIA
Martin

I typed my username and password on:
https://eu.battle.net/login/de/ -> enter

I got a promt "Click here to save password" -> clicked it. Saved password in nextcloud was ".............." (yes the char dot "." multible times -> and yes, I clicked on the eye icon :)

this function is working on other sites without a problem so far.

I would suggest an export import feature so that passwords can be backed up, maybe to an encrypted file.

Please support encrypted passwords (on nextcloud-server)

I always get the following message. I also tried to enable legacy API.

Currently it seems that the search does not allow to search substrings. When my password has the name "My host - app1", I would like to find this entry by typing "app1" or "host" or "My". This could be applied to other fields as well, like tags or user.

V1.5.0

System Information

• Nextcloud Version: 15.0.5
• Passwords Version: 2019.3.0
• Browser and Version: Chrome 72.0.3626.121
  We use Nextcloud 15.0.5 with the "Two-Factor TOTP Provider" app (version 2.1.2) enabled. A user who uses two factor authentication to log in into nextcloud, cannot use the passwords webextension. If the same user disables two factor authentication, then there is no problem.

I have it installed in Firefox 60.0.1 (64-bits) and, when configuring, it closes when I select the password field, without giving me time to enter anything

The plugin does two things:

1. it autocompletes the username/password
2. it submits the login form

I have found many sites which are built as "single page applications", and process the login form using JavaScript.

Effectively, something like this

<form>
<input type="text">
<input type="password">
<input type="submit" onclick="login()'>
</form>

Note that the <form> element does not have method="POST" or action="url".

When the plugin submits this form, two things happen:

1. the page reloads with ?username=xxx&password=yyy in the URL
2. the login doesn't actually work

Suggestion - if form.method === 'GET' then do not submit the form.
Just autocomplete the fields.
Login credentials should never be sent in a GET request.

Currently, the passwords-webextension always displays the user name of the respective entry found in the database. This leads to problems for passords without user name:

No entry is displayed below the buttons - not the "no logins found" since there is an entry, but not the entry itself as there is no user name.

Suggestion: display the configured name of the password entry instead of the user name (or preferably both, e.g.

My Online Shop: my_user_name

which would solve both this issue and the requirement to manually relate the displayed user name to the Passwords entry name.

Hi,

I just installed the nextcloud App. No problem, it's perfect.
After that, i installed the Firefox extension. No problem, works great !
At the end, i installed the Firefox extension on my mobile. But there, it is impossible to login.

In the nextcloud logs, i see "Login failed" but i'm sure of my password, of course ...

All apps are up to date.

Do you have any explanation ?

Thank you and great job for all of that by the way 👍 !

Gaëtan

Hello,

Nextcloud 13.0.2
Php 7.2.5
Nginx : nginx-mainline 1.13.12-1
Firefox 60.0
Arch Linux 64
Nextcloud Passwords Client 1.5.0
Nextcloud Passwords App 2018.5.2

When Nextcloud Passwords Client detects a password change, the browser shows a notification to update the password. When I click on it, another notification says that password update failed.

When activating debugging on the Nextcloud Password Client (firefox extension), I see the failed request.

Here are the request headers (I replaced my host name)

Url is: https://myhost.mydomain.tld/index.php/apps/passwords/api/0.1/passwords/722

Host: myhost.mydomain.tld
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
authorization: Basic Ym...blablablablabla
content-type: application/json
origin: moz-extension://8d55e17a-79e7-4b21-9567-96d446690ee8
Content-Length: 167
DNT: 1
Connection: keep-alive

Here are the response headers:

HTTP/2.0 405 Method Not Allowed
server: nginx
date: Fri, 18 May 2018 04:42:44 GMT
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.2.5
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=NuuMV4...blablablablabla; path=/; secure; HttpOnly
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-...blablablablabla='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
x-frame-options: SAMEORIGIN
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: ocr0uzgqnx0t=...blablablablabla; path=/; secure; HttpOnly
set-cookie: cookie_test=test; expires=Fri, 18-May-2018 05:42:44 GMT; Max-Age=3600
X-Firefox-Spdy: h2

I think the problem is that request method:PATCH returns 405 Method Not Allowed.

I followed the official Nextcloud guide to configure my nginx server. I don't know how to allow PATCH request and where to enable it (nginx, php, nextcloud) ?

Hello,
So I installed password the extension yesterday it worked well but now the extension seems to not work at all it tells me 'NetworkError when attempting to fetch source'.

@pafcioooo Since the new passwords app is nearly ready, it is time to get this experiment started. I have added the automated polish translation here, and i would like you to review it and tell me how good it actually was.

I have succesfullty installed FF extension from addons repository.
I have entered credentials for my NC12 instance.
When I click extension there is an FF notification (both on Windows and Android):
"The password list could not be retreived. Error.JSON.parse: unexpected character at line 1 column 1 of the JSON data".

Hello, I use the Passwords Extension 1.7.1.0 with Firefox on Android. For a few days I can no longer retrieve a password list. There are no entries in the log on Nextcloud Server 14.04.

The extension works fine on the Windows desktop.

Any idea?