mvdan / bitw
Minimalist BitWarden client
License: BSD 3-Clause "New" or "Revised" License
I double checked to see if using the 6 digit phrase worked on the bitwarden website, and it does. But when using it with bitw I get the following error every time:
error: could not login via two-factor: Bad Request: {"error":"invalid_grant","error_description":"invalid_username_or_password","ErrorModel":{"Object":"error","Message":"Two-step token is invalid. Try again.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null}}
For example, the only way to supply a two-factor auth token is via the terminal. We should support graphical prompts. This is useful to make usage easier, and to allow starting the D-Bus service without hard-coding passwords anywhere.
I'm unsure how this could be done. Tools like zenity may not be installed. Depending on GTK or Qt would be overkill. Perhaps the simplest would be an askpass config option, similar to what git has.
Hi there,
I'm checking out your project after reading through this thread. I'm happy to see it's still being maintained and worked on, this is definitely something the Bitwarden ecosystem needs in my humble opinion!
After building the application as per your instructions, I:
sync
serve
secret-tool
secret-tool again, and it produced the same password
sync again, and it secret-tool produced the same password
serve and ran secret-tool once again, and the new password shows up
It seems like serve is not currently detecting when sync is invalidating cached passwords :)
It would be nice if there are releases with compiled binaries (e.g via creating github action pipeline which creates a github release upon a tag and adds the compiled binaries to the release) so one could use this without setting up a go toolchain.
Hi! thanks for bitw, I like what I've used so far, except I have a question.
My dotfiles require some secrets - for example imgur api key for a screenshot tool, bank api keys for a bank balance applet, smtp passwords, etc.
I keep all these as encrypted gpg files in a syncthing mount, and wrote a little wrapper.
eg $ secret imgur_api_key or $ secret bank_api_key.
it does a simple gpg --decrypt, and prints to stdout. the nice thing about this is that "pinentry-gnome3" pops up asking for the passphrase and caches it. so once booting, many of my dotfiles will subshell secret, and the first will trigger the gui passphrase prompt, but they'll all get their secret.
I think it would be cool to use bitw instead, perhaps replacing my $ secret with $ secret-tool and $ bitw serve for my dotfiles scripts. but it would be nice to have this gui password box for perhaps my bitwarden password.
so the question is
thank you!
Hi,
I've just started trying to run this.
I can get bitw login to work but when I run bitw sync it dumps a whole load of encrypted stuff in what looks like a json array and then returns the error above.
{
  "DeviceID": "REDACTED",
  "AccessToken": "REDACTED",
  "RefreshToken": "REDACTED",
  "TokenExpiry": "2021-10-03T00:47:23.103238698Z",
  "KDF": 0,
  "KDFIterations": 100000,
  "LastSync": "0001-01-01T00:00:00Z",
  "Sync": {
    "Profile": {
      "ID": "00000000-0000-0000-0000-000000000000",
      "Name": "",
      "Email": "",
      "EmailVerified": false,
      "Premium": false,
      "MasterPasswordHint": "",
      "Culture": "",
      "TwoFactorEnabled": false,
      "Key": "",
      "PrivateKey": "",
      "SecurityStamp": "",
      "Organizations": null
    },
    "Folders": null,
    "Ciphers": null,
    "Domains": {
      "EquivalentDomains": null,
      "GlobalEquivalentDomains": null
    }
  }
}
I've read through all the issues on this github and I couldn't find anything quite the same.
Any ideas? Am I doing something obvious wrong?
This way, one can rely on BitWarden for all sorts of secrets on the desktop, instead of common local alternatives like gnome-keyring.
This is a TODO for now.
Otherwise, the secret contents are going around dbus in plaintext. See the TODO around this code in dbus.go:
switch algo {
case "plain":
Hello,
I'm trying to use bitw but I'm unsure where to start. I'm not familiar with Go and go get.
Typing
cd $(mktemp -d); go mod init tmp; go get mvdan.cc/bitw
doesn't seem to install the program, or even build it as far as I can tell.
It just creates a folder in /tmp with the files go.mod and go sum in it.
I'm probably missing something but I'm not sure what. Could you please explain to me how to install this tool? Thanks!
Getting the following after typing in my password. I have only OTP in the 2FA settings, if that's relevant.
error: could not login via password: Bad Request: {"error":"invalid_grant","error_description":"Auth-Email header invalid."}
I am getting the following error when I attempt to login. I've installed bitw using the instructions in the readme.
error: could not login via password: Bad Request: {"error":"invalid_grant","error_description":"Auth-Email header invalid."}
This would be easier to debug if bitw could print out its version. Can the install instructions/package be updated?
bitw sync fails for a database with attachments.
Currently, Cipher.Attachments is defined as a string array but this does not match with the actual format returned by Bitwarden.
The actual datatype returned is an array of Attachment objects. The object has the following properties:
FileName:string
Id:string
Key:string
Object:string
Size:string
SizeName:string
Url:string
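The type mismatch reported in the attachments issue above, as an added example that is not bitw's own code: a cipher whose Attachments field is an array of objects fails to decode into a string array and decodes cleanly into a struct with the listed properties. The struct names oldCipher and fixedCipher, the helper functions and the sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample cipher; every value is a placeholder.
const sampleCipher = `{"Id":"c1","Attachments":[{"FileName":"2.enc-name",
 "Id":"a1","Key":"2.enc-key","Object":"attachment","Size":"1024",
 "SizeName":"1 KB","Url":"https://example.invalid/a1"}]}`

// Attachment carries the properties listed in the issue, all strings.
type Attachment struct {
	FileName, Id, Key, Object, Size, SizeName, Url string
}

// oldCipher (hypothetical name) models Attachments as a string array.
type oldCipher struct {
	Id          string
	Attachments []string
}

// fixedCipher (hypothetical name) models Attachments as an array of objects.
type fixedCipher struct {
	Id          string
	Attachments []Attachment
}

// decodeOld reports whether decoding failed with a JSON type mismatch.
func decodeOld(data string) (bool, error) {
	var c oldCipher
	err := json.Unmarshal([]byte(data), &c)
	var typeErr *json.UnmarshalTypeError
	return errors.As(err, &typeErr), err
}

// decodeFixed decodes the same payload into the corrected shape.
func decodeFixed(data string) (c fixedCipher, err error) {
	err = json.Unmarshal([]byte(data), &c)
	return c, err
}

func main() {
	_, err := decodeOld(sampleCipher)
	c, err2 := decodeFixed(sampleCipher)
	fmt.Println(err, "|", len(c.Attachments), err2)
}
```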
I've set up a Yubikey 5 NFC with both FIDO2 and Yubikey OTP 2FA methods. I can't log in due to
$ bitw sync
Password:
error: invalid two-factor auth provider: "7"
Related: #15
Thanks for your work on this!
Surely this is possible - but how? Input welcome.
I am using bitwarden_rs. The password login succeeds so the email/password should be correct however it fails to decrypt my password:
$ bitw sync
$ bitw dump
error: MAC mismatch
How can I debug this further?
Probably a copy/paste error, bitw config shows the apiURL for both apiURL and identityURL, the error is in line 245 of main.go
fmt.Printf("identityURL = %q\n", apiURL)
should read
fmt.Printf("identityURL = %q\n", idtURL)
Running the bitw sync command for the first time results in an unauthorized error, though I am fairly certain that I got my password correct. I'd love to try and enter my password again, but I don't see how I would do that.
$ [email protected] bitw sync
Password:
error: could not sync: Unauthorized:
Then running the same command again results in a huge JSON dump (which I'm not going to share for obvious reasons) and the following error:
error: could not sync: json: cannot unmarshal object into Go struct field Cipher.Fields of type string
If you have any questions, let me know as I understand that you probably need the JSON dump for debugging. But I hope you understand that I cannot provide that, though I can answer the questions you have about it.
Let me know if there's any way I could provide more info.
❯ ./bitw dump
Password:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x71707b]
goroutine 1 [running]:
main.run(0xc00012e010, 0x1, 0x1, 0x0, 0x0)
/home/pmo/.local/share/go/pkg/mod/mvdan.cc/[email protected]/main.go:268 +0xc9b
main.main1(0x824620, 0xc000128010, 0xc00007a058)
/home/pmo/.local/share/go/pkg/mod/mvdan.cc/[email protected]/main.go:53 +0xb7
main.main()
/home/pmo/.local/share/go/pkg/mod/mvdan.cc/[email protected]/main.go:46 +0x39
Config:
email = [email protected]
apiURL = https://bw.ikl.sh/api/
idURL = https://bw.ikl.sh/identity/
Output:
$ bitw login
error: could not login via password: Bad Request: {"error":"invalid_grant","error_description":"invalid_username_or_password","ErrorModel":{"Object":"error","Message":"Username or password is incorrect. Try again.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null}}
Data file:
{
  "DeviceID": "[redacted]",
  "AccessToken": "",
  "RefreshToken": "",
  "TokenExpiry": "0001-01-01T00:00:00Z",
  "KDF": 0,
  "KDFIterations": 100000,
  "LastSync": "0001-01-01T00:00:00Z",
  "Sync": {
    "Profile": {
      "ID": "",
      "Name": "",
      "Email": "",
      "EmailVerified": false,
      "Premium": false,
      "MasterPasswordHint": "",
      "Culture": "",
      "TwoFactorEnabled": false,
      "Key": "",
      "PrivateKey": "",
      "SecurityStamp": "",
      "Organizations": null
    },
    "Folders": null,
    "Ciphers": null,
    "Domains": {
      "EquivalentDomains": null,
      "GlobalEquivalentDomains": null
    }
  }
}
So here's what happened:
export [email protected]
bitw sync
Password:
error: expected one two-factor auth provider, found 2
Technically more than 1 2FA can be set up. In my case that'd be TOTP + Email.
Lines 93 to 95 in 7b76ea2
For example, querying a password by domain, or searching all passwords with a certain username.
Domains are a bit tricky, because the other clients have multiple ways to match domains - by host, by top-level domain, etc.
Right now the DBUS api does not allow to store secrets:
(gnome-calendar:15788): e-data-server-ui-WARNING **: 09:12:46.451: credentials_prompter_store_credentials_cb: Failed to store source credentials: Object does not implement the interface
Similar to the browser extension. Having to type the full master password whenever one needs to unlock decryption is a bit cumbersome.
I assume one way to do this would be to optionally store the decryption key, encrypted with the PIN password. We can request a code review in #3 once this is implemented.
The password would be requested the first time it's needed. Without this, starting the service when a user logs in would be kinda annoying.
Another option would be for the service to be started as-needed, when the D-Bus service is first used. See for example https://github.com/lemenkov/systemd-user-units/blob/d3329306a9db9b1da12c1436915b74ea6fe75536/user/gnome-keyring.service.
Listening on org.freedesktop.secrets
Password:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x721f96]
goroutine 9 [running]:
main.(*Cipher).Match(0x0?, {0xc0003101f0, 0x8}, {0xc000310210, 0xa})
/home/meow/.cache/go/mod/mvdan.cc/[email protected]/sync.go:246 +0x176
main.(*dbusService).SearchItems(0x3?, 0x46a213?)
/home/meow/.cache/go/mod/mvdan.cc/[email protected]/dbus.go:121 +0x26c
reflect.Value.call({0x791020?, 0xc0002a8060?, 0x7f5c3aa68338?}, {0x7bdfa5, 0x4}, {0xc000303f98, 0x1, 0x0?})
/usr/lib/go/src/reflect/value.go:596 +0xce7
reflect.Value.Call({0x791020?, 0xc0002a8060?, 0x1?}, {0xc000303f98?, 0xc000114090?, 0x0?})
/usr/lib/go/src/reflect/value.go:380 +0xb9
github.com/godbus/dbus/v5.exportedMethod.Call({{0x791020?, 0xc0002a8060?, 0xc000027e70?}}, {0xc000027e80, 0x1, 0xc000120000?})
/home/meow/.cache/go/mod/github.com/godbus/dbus/[email protected]/default_handler.go:128 +0x1b1
github.com/godbus/dbus/v5.(*Conn).handleCall(0xc000120000, 0xc000259b30)
/home/meow/.cache/go/mod/github.com/godbus/dbus/[email protected]/export.go:193 +0x565
created by github.com/godbus/dbus/v5.(*Conn).inWorker in goroutine 34
/home/meow/.cache/go/mod/github.com/godbus/dbus/[email protected]/conn.go:435 +0x276
If bitw is running as a daemon, it should never ask for the password from the terminal #4 or preferably a PIN #7
Thanks for making this! I am keen to bitwarden as the secret service on my setup to have it all in one place. Unfortunately, I can't get it to work :/
bitw through the AUR package here: https://aur.archlinux.org/packages/bitw-git
[email protected] sync. This triggered the login with API key etc.
bitw dump works and lists all my passwords
bitw serve also starts and triggers a master password prompt if I try to lookup a password with secret-tool
secret-tool eventually runs into a timeout.
secret-tool invocations don't trigger the "Password: " prompt again
bitw serve aborts and pending secret-tool lookup with a "Message recipient disconnected from message bus without replying"
Help is much appreciated :)
when secret-tool store --label="test" k1 v1 k2 v2 is run the following output is shown
Password:
secret-tool: Object does not implement the interface 'org.freedesktop.Secret.Collection'
Hi, thanks for building this. An implementation with a Dbus secret service sounds like a great idea!
I am having some trouble with my (fairly huge) dataset from bitwarden.
Doing bitw sync fails with:
could not sync: invalid cipher string <<<REDACTED>>>
Should this happen, and is there a way I should go about debugging this?
Hello-
If you need a libsecret/SecretService implementation in golang, I just released v1.1.0 of r00t2.io/gosecret (GitHub mirror as github.com/johnnybubonic/gosecret).
Please feel free to let me know if it serves your purposes better. It would take all of the Dbus integration off your hands for you. :)
I'm not an expert at security by any means. I know enough to get this working, but I'd like some reviews and feedback before people start using this for their own passwords.
Current TODOs:
dh-ietf1024-sha256-aes128-cbc-pkcs7 and discourage the use of plain?
I understand this is out of scope of this project but I can't find anywhere online on how to setup autofill for libsecret dbus service. This project is working great but is secret-tool the only way to access secrets?
By default, go test will skip a significant portion of the tests:
--- PASS: TestScripts (0.00s)
--- SKIP: TestScripts/login-tfa (0.00s)
--- SKIP: TestScripts/dbus (0.00s)
--- SKIP: TestScripts/dump (0.00s)
--- PASS: TestScripts/config (0.01s)
--- PASS: TestScripts/help (0.01s)
--- SKIP: TestScripts/login-sync (0.21s)
This is because we use two real accounts with bitwarden.com to run the tests. Passwords are needed for login-sync and login-tfa. The accounts and their passwords are dummy; they contain no sensitive information. However, I still don't want to publish them freely, because I reckon the accounts would get spammed or banned in a matter of weeks. Setting up the test accounts only took about an hour, but I would hate to have to re-do that regularly.
For now, the passwords are needed for other tests like dbus and dump, since we simply keep a copy of the encrypted data in testdata, and use it in those two tests. Since it's from the same account, it's the same password. In the future, we could use different data with a dummy password that we can just commit to master, since it wouldn't be in use with a real bitwarden.com account.
In the future, we might do away with all of the passwords by using a local bitwarden server instead of bitwarden.com, initializing the local server with the dummy accounts we want.
But for now, the passwords are needed to run all tests. If you want to contribute to bitw, please leave a comment on this thread with your email address and I'll email them to you.