mvdan / bitw Goto Github PK

I double checked to see if using the 6 digit phrase worked on the bitwarden website, and it does. But when using it with bitw I get the following error every time:

error: could not login via two-factor: Bad Request: {"error":"invalid_grant","error_description":"invalid_username_or_password","ErrorModel":{"Object":"error","Message":"Two-step token is invalid. Try again.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null}}

For example, the only way to supply a two-factor auth token is via the terminal. We should support graphical prompts. This is useful to make usage easier, and to allow starting the D-Bus service without hard-coding passwords anywhere.

I'm unsure how this could be done. Tools like zenity may not be installed. Depending on GTK or Qt would be overkill. Perhaps the simplest would be an askpass config option, similar to what git has.

Hi there,

I'm checking out your project after reading through this thread. I'm happy to see it's still being maintained and worked on, this is definitely something the Bitwarden ecosystem needs in my humble opinion!

After building the application as per your instructions, I:

• Logged in
• Ran sync
• Started serve
• In a different terminal, I verified that I could retrieve a decrypted password using secret-tool
• Changed a password in Bitwarden's Firefox extension
• Ran secret-tool again, and it produced the same password
• Ran sync again, and it secret-tool produced the same password
• Restarted serve and ran secret-tool once again, and the new password shows up

It seems like serve is not currently detecting when sync is invalidating cached passwords :)

It would be nice if there are releases with compiled binaries (e.g via creating github action pipeline which creates a github release upon a tag and adds the compiled binaries to the release) so one could use this without setting up a go toolchain.

Hi! thanks for bitw, I like what I've used so far, except I have a question.

My dotfiles require some secrets - for example imgur api key for a screenshot tool, bank api keys for a bank balance applet, smtp passwords, etc.

I keep all these as encrypted gpg files in a syncthing mount, and wrote a little wrapper.
eg $ secret imgur_api_key or $ secret bank_api_key.

it does a simple gpg --decrypt, and prints to stdout. the nice thing about this is that "pinenty-gnome3" pops up asking for the passphase and caches it. so once booting, many of my dotfiles will subshell secret, and the first will trigger the gui passphrase prompt, but they'll all get their secret.

It think it would be cool to use bitw instead, perhaps replacing my $ secret with $ secret-tool and $ bitw serve for my dotfiles scripts. but I would be nice to have this gui password box for perhaps my bitwarden password.

so the question is

1. do you use bitw for dotfile secrets or equivalent?
2. if so what about the terminal password prompt? in my case I don't think it's do-able because the scripts that would subshell secret-tool can't give the password

thank you!

Hi,

I've just started trying to run this.
I can get bitw login to work but when I run bitw sync it dumps a whole load of encrypted stuff in what looks like a json array and then returns the error above.

1 │ {
2 │ "DeviceID": "REDACTED",
3 │ "AccessToken": "REDACTED",
4 │ "RefreshToken": "REDACTED"
5 │ "TokenExpiry": "2021-10-03T00:47:23.103238698Z",
6 │ "KDF": 0,
7 │ "KDFIterations": 100000,
8 │ "LastSync": "0001-01-01T00:00:00Z",
9 │ "Sync": {
10 │ "Profile": {
11 │ "ID": "00000000-0000-0000-0000-000000000000",
12 │ "Name": "",
13 │ "Email": "",
14 │ "EmailVerified": false,
15 │ "Premium": false,
16 │ "MasterPasswordHint": "",
17 │ "Culture": "",
18 │ "TwoFactorEnabled": false,
19 │ "Key": "",
20 │ "PrivateKey": "",
21 │ "SecurityStamp": "",
22 │ "Organizations": null
23 │ },
24 │ "Folders": null,
25 │ "Ciphers": null,
26 │ "Domains": {
27 │ "EquivalentDomains": null,
28 │ "GlobalEquivalentDomains": null
29 │ }
30 │ }
31 │ }

I've read through all the issues on this github and I couldn't find anything quite the same.

Any ideas? Am I doing something obvious wrong?

This way, one can rely on BitWarden for all sorts of secrets on the desktop, instead of common local alternatives like gnome-keyring.

This is a TODO for now.

Otherwise, the secret contents are going around dbus in plaintext. See the TODO around this code in dbus.go:

	switch algo {
	case "plain":

Hello,
I'm trying to use bitw but I'm unsure where to start. I'm not familiar with Go and go get.

Typing

cd $(mktemp -d); go mod init tmp; go get mvdan.cc/bitw

doesn't seem to install the program, or even build it as far as I can tell.

It just creates a folder in /tmp with the files go.mod and go sum in it.

I'm probably missing something but I'm not sure what. Could you please explain to me how to install this tool? Thanks!

Getting the following after typing in my password. I have only OTP in the 2FA settings, if that's relevant.

error: could not login via password: Bad Request: {"error":"invalid_grant","error_description":"Auth-Email header invalid."}

I am getting the following error when I attempt to login. I've installed bitw using the instructions in the readme.

error: could not login via password: Bad Request: {"error":"invalid_grant","error_description":"Auth-Email header invalid."}

This would be easier to debug if bitw could print out it's version. Can the install instructions/package be updated?

bitw sync fails for a database with attachments.

Currently, Cipher.Attachments is defined as a string array but this does not match with the actual format returned by Bitwarden.

The actual datatype returned is an array of Attachment objects. The object has the following properties:

FileName:string
Id:string
Key:string
Object:string
Size:string
SizeName:string
Url:string

I've set up a Yubikey 5 NFC with both FIDO2 and Yubikey OTP 2FA methods. I can't log in due to

$ bitw sync
Password: 
error: invalid two-factor auth provider: "7"

Related: #15

Thanks for your work on this!

Surely this is possible - but how? Input welcome.

I am using bitwarden_rs. The password login succeeds so the email/password should be correct however it fails to decrypt my password:

$ bitw sync
$ bitw dump
error: MAC mismatch

How can I debug this further?

Probably a copy/paste error, bitw config shows the apiURL for both apiURL and identityURL, the error is in line 245 of main.go

fmt.Printf("identityURL = %q\n", apiURL)

should read

fmt.Printf("identityURL = %q\n", idtURL)

Running the bitw sync command for the first time results in an unauthorized error, though I am fairly certain that I got my password correct. I'd love to try and enter my password again, but I don't see how I would do that.

$ [email protected] bitw sync
Password: 
error: could not sync: Unauthorized: 

Then running the same command again results in a huge JSON dump (which I'm not going to share for obvious reasons) and the following error:

error: could not sync: json: cannot unmarshal object into Go struct field Cipher.Fields of type string

If you have any questions, let me know as I understand that you probably need the JSON dump for debugging. But I hope you understand that I cannot provide that, though I can answer the questions you have about it.

Let me know if there's any way I could provide more info.

❯ ./bitw dump
Password:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x71707b]

goroutine 1 [running]:
main.run(0xc00012e010, 0x1, 0x1, 0x0, 0x0)
        /home/pmo/.local/share/go/pkg/mod/mvdan.cc/[email protected]/main.go:268 +0xc9b
main.main1(0x824620, 0xc000128010, 0xc00007a058)
        /home/pmo/.local/share/go/pkg/mod/mvdan.cc/[email protected]/main.go:53 +0xb7
main.main()
        /home/pmo/.local/share/go/pkg/mod/mvdan.cc/[email protected]/main.go:46 +0x39

Config:

email = [email protected]
apiURL = https://bw.ikl.sh/api/
idURL = https://bw.ikl.sh/identity/

Output:

$ bitw login
error: could not login via password: Bad Request: {"error":"invalid_grant","error_description":"invalid_username_or_password","ErrorModel":{"Object":"error","Message":"Username or password is incorrect. Try again.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null}}

Data file:

{
	"DeviceID": "[redacted]",
	"AccessToken": "",
	"RefreshToken": "",
	"TokenExpiry": "0001-01-01T00:00:00Z",
	"KDF": 0,
	"KDFIterations": 100000,
	"LastSync": "0001-01-01T00:00:00Z",
	"Sync": {
		"Profile": {
			"ID": "",
			"Name": "",
			"Email": "",
			"EmailVerified": false,
			"Premium": false,
			"MasterPasswordHint": "",
			"Culture": "",
			"TwoFactorEnabled": false,
			"Key": "",
			"PrivateKey": "",
			"SecurityStamp": "",
			"Organizations": null
		},
		"Folders": null,
		"Ciphers": null,
		"Domains": {
			"EquivalentDomains": null,
			"GlobalEquivalentDomains": null
		}
	}
}

So here's what happened:

export [email protected]
bitw sync
Password:
error: expected one two-factor auth provider, found 2

Technically more than 1 2FA can be set up. In my case that'd be TOTP + Email.

For example, querying a password by domain, or searching all passwords with a certain username.

Domains are a bit tricky, because the other clients have multiple ways to match domains - by host, by top-level domain, etc.

Right now the DBUS api does not allow to store secrets:

(gnome-calendar:15788): e-data-server-ui-WARNING **: 09:12:46.451: credentials_prompter_store_credentials_cb: Failed to store source credentials: Object does not implement the interface

Similar to the browser extension. Having to type the full master password whenever one needs to unlock decryption is a bit cumbersome.

I assume one way to do this would be to optionally store the decryption key, encrypted with the PIN password. We can request a code review in #3 once this is implemented.

The password would be requested the first time it's needed. Without this, starting the service when a user logs in would be kinda annoying.

Another option would be for the service to be started as-needed, when the D-Bus service is first used. See for example https://github.com/lemenkov/systemd-user-units/blob/d3329306a9db9b1da12c1436915b74ea6fe75536/user/gnome-keyring.service.

Listening on org.freedesktop.secrets
Password: 
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x721f96]

goroutine 9 [running]:
main.(*Cipher).Match(0x0?, {0xc0003101f0, 0x8}, {0xc000310210, 0xa})
        /home/meow/.cache/go/mod/mvdan.cc/[email protected]/sync.go:246 +0x176
main.(*dbusService).SearchItems(0x3?, 0x46a213?)
        /home/meow/.cache/go/mod/mvdan.cc/[email protected]/dbus.go:121 +0x26c
reflect.Value.call({0x791020?, 0xc0002a8060?, 0x7f5c3aa68338?}, {0x7bdfa5, 0x4}, {0xc000303f98, 0x1, 0x0?})
        /usr/lib/go/src/reflect/value.go:596 +0xce7
reflect.Value.Call({0x791020?, 0xc0002a8060?, 0x1?}, {0xc000303f98?, 0xc000114090?, 0x0?})
        /usr/lib/go/src/reflect/value.go:380 +0xb9
github.com/godbus/dbus/v5.exportedMethod.Call({{0x791020?, 0xc0002a8060?, 0xc000027e70?}}, {0xc000027e80, 0x1, 0xc000120000?})
        /home/meow/.cache/go/mod/github.com/godbus/dbus/[email protected]/default_handler.go:128 +0x1b1
github.com/godbus/dbus/v5.(*Conn).handleCall(0xc000120000, 0xc000259b30)
        /home/meow/.cache/go/mod/github.com/godbus/dbus/[email protected]/export.go:193 +0x565
created by github.com/godbus/dbus/v5.(*Conn).inWorker in goroutine 34
        /home/meow/.cache/go/mod/github.com/godbus/dbus/[email protected]/conn.go:435 +0x276

If bitw is running as a daemon, it should never ask for the password from the terminal #4 or preferably a PIN #7

Thanks for making this! I am keen to bitwarden as the secret service on my setup to have it all in one place. Unfortunately, I can't get it to work :/

• I installed bitw through the AUR package here: https://aur.archlinux.org/packages/bitw-git
• I logged into bitwarden using [email protected] sync. This triggered the login with API key etc.
• bitw dump works and lists all my passwords
• bitw serve also starts and triggers a master password prompt if I try to lookup a password with secret-tool
• I enter the password (using ENTER to "submit") and nothing happens. Any query to secret-tool eventually runs into a timeout.
• Further secret-tool invocations don't trigger the "Password: " prompt again
• Killing bitw serve aborts and pending secret-tool lookup with a "Message recipient disconnected from message bus without replying"

Help is much appreciated :)

when secret-tool store --label="test" k1 v1 k2 v2 is ran the following output is shown

Password:
secret-tool: Object does not implement the interface 'org.freedesktop.Secret.Collection'

Hi, thanks for building this. An implementation with a Dbus secret service sounds like a great idea!

I am having some trouble with my (fairly huge) dataset from bitwarden.

Doing bitw sync fails with:

could not sync: invalid cipher string <<<REDACTED>>>

Should this happen, and is there a way I should go about debugging this?

Hello-

If you need a libsecret/SecretService implementation in golang, I just released v1.1.0 of r00t2.io/gosecret (GitHub mirror as github.com/johnnybubonic/gosecret).

Please feel free to let me know if it serves your purposes better. It would take all of the Dbus integration off your hands for you. :)

I'm not an expert at security by any means. I know enough to get this working, but I'd like some reviews and feedback before people start using this for their own passwords.

Current TODOs:

• The password and decryption key are stored in memory for the lifetime of the process. Should we use https://github.com/awnumar/memguard?
• The D-Bus service only implements the plaintext session encryption algorithm. Should we implement dh-ietf1024-sha256-aes128-cbc-pkcs7 and discourage the use of plain?
• The encrypted sync data is stored on disk as-is. I assume this is fine because bitwarden-cli does the same, but I'm not 100% sure.

I understand this is out of scope of this project but I can't find anywhere online on how to setup autofill for libsecret dbus service. This project is working great but is secret-tool the only way to access secrets ?

By default, go test will skip a significant portion of the tests:

--- PASS: TestScripts (0.00s)
    --- SKIP: TestScripts/login-tfa (0.00s)
    --- SKIP: TestScripts/dbus (0.00s)
    --- SKIP: TestScripts/dump (0.00s)
    --- PASS: TestScripts/config (0.01s)
    --- PASS: TestScripts/help (0.01s)
    --- SKIP: TestScripts/login-sync (0.21s)

This is because we use two real accounts with bitwarden.com to run the tests. Passwords are needed for login-sync and login-tfa. The accounts and their passwords are dummy; they contain no sensitive information. However, I still don't want to publish them freely, because I reckon the accounts would get spammed or banned in a matter of weeks. Setting up the test accounts only took about an hour, but I would hate to have to re-do that regularly.

For now, the passwords are needed for other tests like dbus and dump, since we simply keep a copy of the encrypted data in testdata, and use it in those two tests. Since it's from the same account, it's the same password. In the future, we could use different data with a dummy password that we can just commit to master, since it wouldn't be in use with a real bitwarden.com account.

In the future, we might do away with all of the passwords by using a local bitwarden server instead of bitwarden.com, initializing the local server with the dummy accounts we want.

But for now, the passwords are needed to run all tests. If you want to contribute to bitw, please leave a comment on this thread with your email address and I'll email them to you.