
Implement a password manager

Open InconsolableCellist opened this issue 3 years ago • 13 comments

Vieb should have a password manager to auto-fill password fields.

Steps to reproduce:

  1. Go to a site with a login field
  2. Enter your username and password
  3. Click submit/save/login

Expected behavior: Vieb should prompt you to save your login information (and allow you to still do this if you dismiss the dialog). Upon subsequent visits to the site it should auto-fill the fields.

It should be possible to manage the passwords (view, edit, modify, delete)

It would be nice if the passwords were secured behind a master password, unlocked on browser start

InconsolableCellist avatar Dec 14 '20 23:12 InconsolableCellist

I currently recommend to use an external password manager. You can easily make your password manager read the current website url or title using the windowtitle option of Vieb.

However, it can also be of value to give Vieb its own built-in password manager. I personally don't have a strong interest to develop this, but I welcome PRs from others to do so, given that the passwords are properly encrypted. And finally, as with all Vieb features, the user should be in control. For example: when it should autocomplete and how to store the passwords. A dedicated password page would be appropriate I think.

Jelmerro avatar Dec 15 '20 01:12 Jelmerro

I would have vieb use an external command as a password manager. An option such as passcommand, similar to vimcommand, which would run an external program/script such as pass, keypass etc. to get the password and autofill the input fields.

simonhughxyz avatar Aug 15 '21 20:08 simonhughxyz

That sounds pretty useful actually, and I have considered that before. My two questions on this would be:

  • Do we need an integrated manager if you can link any external one? What would be the benefit of a built-in one over linking the one you are familiar with? Especially if/when we also get extensions to work better than they do now? (Though that might take years in the current pace.)
  • Would it be secure to have a command print out your password on the standard output for Vieb to read? I don't have the answer to that and would expect the security risks to vary across systems.

Jelmerro avatar Aug 15 '21 20:08 Jelmerro

I would prefer that most tools that can be outside just stay outside, including the password manager. But as @simonhughcom suggested, having an option like passcommand to invoke an external manager would be convenient.

KunaPrime avatar Sep 03 '21 17:09 KunaPrime

I agree and I would like to add it, but I am trying to come up with a way to make logins and passwords be supported, while at the same time not requiring interaction with the command that gets called as the passcommand. I guess that people will always need to write their own wrapper for a password manager, but that wouldn't be easy to integrate for users. As such I'm still looking for the best way to implement this, suggestions addressing these concerns and the ones I expressed earlier are more than welcome.

Jelmerro avatar Sep 03 '21 23:09 Jelmerro

A generic implementation of detecting form fields and auto-filling them is actually desperately needed, look at the non-exhaustive list of open-source plugins of various password managers below. For some reason, everyone feels the need to reinvent the wheel, even though doing it well is really hard and the hard work is independent of the actual password manager used. Anyways, the passff extension might be a good base. I easily extended it to handle most credit card forms, too, although some work is still needed.

Stateless

https://masterpassword.app -> https://spectre.app

https://github.com/ttyridal/masterpassword-firefox

LessPass

https://github.com/lesspass/lesspass/tree/main/packages/lesspass-web-extension

Stateful

Pass

https://github.com/passff/passff UNIX-philosophy

Bitwarden

https://github.com/bitwarden/browser

Passbolt

https://github.com/passbolt/passbolt_browser_extension

xeruf avatar Jul 22 '22 12:07 xeruf

qutebrowser allows integration of external password managers via its userscripts (not the same as greasemonkey scripts), which are external binaries it can call with some contextual information in environment variables, and then read commands from via a pipe. Together with its fake-key command, the scripts are able to type out username<TAB>password into the page, for example, making logging in fairly painless, though you do need to focus the username field before activating the script. A more sophisticated mechanism could work by outputting something like vieb's runjsinpage command to find the appropriate fields and fill them in with javascript.

Could a general purpose plugin system vaguely like this be developed for vieb? It has the potential to alleviate quite a few of the problems that people use extensions to solve on other browsers, without necessarily having to implement each of them in vieb itself. It also just makes vieb a more extensible piece of software, generally.

tejing1 avatar Jan 20 '23 00:01 tejing1

I would love to solve this, but there seems to be no general way to ask for a password to unlock a vault or password manager from the commandline, besides tools like zenity and such, but that would still mean that a custom script is needed for every different password manager. The ones that accept the password as plain text as an argument are in the minority (and probably for the best), but it does make it hard to integrate with them in a non-interactive way.

This also applies to getting the password/user credentials out of the printed results from the script, which formats do they use? Colon-separated data, or json, and how do they name the respective fields like username, email, password or full name? Or do they just copy the password to the clipboard and that's it? There are just so many ways to input and output a password from a manager program, that it would take at least 5 or 6 different settings plus external scripts to make this even work in the first place.

Another option would be to leave the information gathering and parsing to an external script that must return the data in a fixed format and do it without cli interaction (either using zenity, env vars and/or arguments). This would make the implementation on Vieb's side do-able and simple, while still being compatible with the majority of managers IF there is a wrapper script written for it. These can be hosted in the repo and linked to from the docs, and then be copied to some location to be used by Vieb, or users could write their own (and optionally make PRs to have them added).

As far as changing Vieb internals is concerned, I would like to refer to #192, but this ticket will remain open for implementing a solution for password management that does not require that kind of depth and programming knowledge to use.

Jelmerro avatar Jan 20 '23 09:01 Jelmerro
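
One possible shape for the fixed-format approach proposed in the comment above, as an added example that is not part of the thread or of Vieb's code: the wrapper contract, the JSON field names and all function names are assumptions. It shows the browser-side check that parses a wrapper's stdout strictly and releases credentials only when the stored entry's HTTPS origin matches the current page.

```javascript
// Hypothetical contract (not a Vieb feature): the wrapper script prints exactly
// one JSON object {"url": ..., "username": ..., "password": ...} and nothing else.
const MAX_OUTPUT = 4096 // refuse oversized output instead of parsing it
// Constructed sample of what a wrapper would print (not real credentials).
const SAMPLE = '{"url":"https://example.com/login",'
    + '"username":"alice","password":"correct horse"}'

function parseWrapperOutput(stdout) {
    if (typeof stdout !== "string" || stdout.length > MAX_OUTPUT) {
        return null
    }
    let data = null
    try {
        data = JSON.parse(stdout)
    } catch {
        return null // prompts, banners or colon-separated text are rejected
    }
    if (!data || typeof data !== "object" || Array.isArray(data)) {
        return null
    }
    const fields = ["password", "url", "username"]
    // Exact key set only: no missing fields and no unexpected extras.
    if (Object.keys(data).sort().join() !== fields.join()) {
        return null
    }
    // Every field must be a non-empty string.
    if (!fields.every(f => typeof data[f] === "string" && data[f])) {
        return null
    }
    return data
}

// Origin (scheme + host + port) of an HTTPS URL, or null for anything else.
function originOf(url) {
    try {
        const parsed = new URL(url)
        return parsed.protocol === "https:" ? parsed.origin : null
    } catch {
        return null
    }
}

// Release credentials only when the entry's origin equals the page's origin.
function credentialsFor(pageUrl, stdout) {
    const entry = parseWrapperOutput(stdout)
    const pageOrigin = originOf(pageUrl)
    if (!entry || !pageOrigin || originOf(entry.url) !== pageOrigin) {
        return null
    }
    return {"username": entry.username, "password": entry.password}
}
```

Comparing whole origins rather than substrings of the window title or URL means a lookalike host or a plain-HTTP page gets nothing filled in.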

> Another option would be to leave the information gathering and parsing to an external script that must return the data in a fixed format and do it without cli interaction (either using zenity, env vars and/or arguments). This would make the implementation on Vieb's side do-able and simple, while still being compatible with the majority of managers IF there is a wrapper script written for it. These can be hosted in the repo and linked to from the docs, and then be copied to some location to be used by Vieb, or users could write their own (and optionally make PRs to have them added).

This is what I was imagining, but I was also imagining that it would be useful for a lot more than just entering passwords, as qutebrowser's scripts are, because they can run any sequence of commands they like. It also has the advantage that the additional code can be in whatever language people like.

Anyway, I realize I'm probably getting a bit off-topic for this issue. I just wanted to bring up the idea, since it seems to work well for qutebrowser and has additional benefits.

tejing1 avatar Jan 20 '23 09:01 tejing1

Does someone have a fork where they implemented an external password manager to vieb? I am a little lost and could use an example for help.

PraxTube avatar Mar 27 '23 19:03 PraxTube

> I would love to solve this, but there seems to be no general way to ask for a password to unlock a vault or password manager from the commandline, besides tools like zenity and such, but that would still mean that a custom script is needed for every different password manager. The ones that accept the password as plain text as an argument are in the minority (and probably for the best), but it does make it hard to integrate with them in a non-interactive way.

Yes there is, this is exactly the purpose of https://www.passwordstore.org - simple, reliable, extensible. Since it uses simple encrypted file structures as backend, it can be made to interface with just about anything :)

xeruf avatar Mar 27 '23 21:03 xeruf

Hello, I was trying nyxt and heard about vieb; so far I like it. I am a bit concerned about the electron pieces, but since it is for a browser, not a GUI desktop app, I can live with that. The first thing I am trying is to find a way to get gopass/pass to work like I had on qutebrowser and nyxt. I agree with xeruf: for all Unix-derived systems there is a standard, "pass", and all the managers that use the passwordstore solution; anything else is non-standard, like bitwarden, which decided to go their own way. I think vieb should at least support passwordstore, which is easy to implement and a standard. Saying this, has anyone already written any add-on or extension or script for vieb, so I do not have to re-invent the wheel here locally?

thanks

r3k2 avatar Oct 15 '23 19:10 r3k2

Currently the easiest way is to use an external manager and link up the windowtitle setting to be able to extract Vieb's url from there and offer a login/password for that site. A planned feature is the ability to read variables/state things like the current url from the CLI, so that will only become easier in the future. As for password management itself, as there has been no proposed solution that brings answers to my questions for a method of integrating password managers in an agnostic way, using for example a passcommand setting, it remains an open issue on the todo list, PRs are welcome.

Jelmerro avatar Oct 15 '23 21:10 Jelmerro