keepassxc-browser
KeePassXC Browser extension does only fetch updated values from KeePass database after tab reload
It seems that the KeePassXC Browser extension fetches credentials for a website before actually filling them in, and does not update them when filling them in. If the option "Fetch credentials automatically" is enabled, it fetches the credentials upon loading a tab. If that option is disabled, it fetches the credentials upon clicking the KeePass symbol in the credential field. (I'm not sure what the option is actually called in English; although I have set my browser and KeePassXC to English, the browser extension still shows me the German options page.)
However, if the credentials in the KeePass database change between fetching the credentials and filling them in, the KeePassXC Browser extension will use the old, fetched credentials for filling instead of the new, updated credentials from the database. Only after reloading the tab and therefore triggering a refetch from the database, the updated values will be used.
Some scenarios to demonstrate this:
Scenario: Change valid credentials to invalid credentials
Given
I visit a website for which I have valid credentials stored in my KeePass database
And I trigger a fetch from the database by clicking on the KeePass symbol if I do not have the autofetch option enabled
And I do not fill the credentials field yet
When
I switch to KeePassXC and change the credentials in my KeePass database to invalid credentials
And I switch back to my browser and fill the credential fields with the KeePassXC Browser extension
And I click Login
Then
Expected
the login fails because I have invalid credentials in my KeePass database
Current
the login is successful
Scenario: Change invalid credentials to valid credentials
Given
I visit a website for which I have invalid credentials stored in my KeePass database
And I trigger a fetch from the database by clicking on the KeePass symbol if I do not have the autofetch option enabled
And I do not fill the credentials field yet
When
I switch to KeePassXC and change the credentials in my KeePass database to valid credentials
And I switch back to my browser and fill the credential fields with the KeePassXC Browser extension
And I click Login
Then
Expected
the login is successful because I have valid credentials in my database
Current
the login fails
Scenario: Save new credentials
Given
I visit a website for which I have no credentials stored in my KeePass database
And I try to fill the credentials field and the browser extension tells me that it could not find any credentials for this website
When
I switch to KeePassXC and manually add credentials for that website to my database
And I switch back to my browser and try to fill the credential fields with the KeePassXC Browser extension
Then
Expected
the browser extension fills the fields with the credentials that I added to the database
Current
the browser extension tells me that it could not find any credentials for this website
Scenario: Remove credentials
Given
I visit a website for which I have valid credentials stored in my KeePass database
And I trigger a fetch from the database by clicking on the KeePass symbol if I do not have the autofetch option enabled
And I do not fill the credentials field yet
When
I switch to KeePassXC and delete the credentials for that website from my database
And I switch back to my browser and try to fill the credential fields with the KeePassXC Browser extension
Then
Expected
the browser extension says it cannot find any credentials for this website
Current
the browser extension fills the fields with the deleted credentials
Scenario: Add TOTP to already existing credentials
Given
I visit a website for which I have valid credentials stored in my KeePass database
And I have not set up a TOTP for this website yet
And I log in to the website and go to my account settings to add a TOTP
When
I switch to KeePassXC and add the TOTP secret to my credentials for that website
And the website requires me to enter a TOTP for confirmation
And I click the browser extension button to fill the TOTP
Then
Expected
the browser extension fills in the TOTP I just added to my credentials for this website
Current
the browser extension tells me that it could not find a TOTP for this website
Possible Solution
Upon filling in a credential field like Username/Password/TOTP, the browser extension should fetch the actual values that are currently stored in the database and not some previously cached value.
Steps to Reproduce (for bugs)
1.) Log out of GitHub
2.) Navigate to the GitHub login page
3.) If you have the autofetch option disabled, fetch the credentials by clicking on the grey KeePass symbol so it turns green.
4.) Change your username or password in your KeePass database for GitHub to something invalid.
5.) Switch back to your browser and log in to GitHub with the KeePassXC Browser extension.
Debug info
KeePassXC - 2.7.6
KeePassXC-Browser - 1.8.10
Operating system: Windows 10 Pro 22H2
Browser: Firefox 121.0
You can switch off the tab, wait 10 seconds (can also configure this), then switch back. Credentials are forgotten after 10 seconds of a tab not being active.
I do agree, however, we could include a button on the extension dialog that force refreshes previously pulled credentials.
FWIW, there are very good reasons for not constantly checking for new/updated credentials. Namely, we ask the user to authorize credentials to be sent to the browser by default. If we always checked for new credentials, you'd be inundated with those confirmation dialogs.
I especially noticed this behavior when setting up TOTPs. Pretty much all websites require you to enter a confirmation TOTP. I would add the TOTP to my KeePass database and try to autofill it - and it would not work. Reloading the tab is not an option at that moment because you would restart the TOTP setup. That was a very irritating and unintuitive behavior.
That confirmation dialog has a checkbox to remember the authorization for the current website.
I'd be ok with a small change: if no credentials or no totp is currently in cache, attempt another pull when the keepass icon is clicked in the input field.
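The thread describes three cache policies: the current one (whatever was fetched at tab load or first icon click is reused for every later fill), the inactivity timeout from the earlier reply (cached credentials are dropped after the tab has been hidden for 10 seconds), and the proposal just above (re-pull only when the cache holds nothing for the site). The following is an added example, not KeePassXC-Browser's own code, that models all three as a small per-tab cache and replays the reported scenarios against it. The database, site name, credentials and timestamps are constructed stand-ins; the 10-second value and its configurability are taken from the thread, the rest of the API (`fetch`, `fill`, `tabHidden`, `tabVisible`, `refetchOnMiss`) is invented for the model.

```javascript
// Added example (not KeePassXC-Browser's code): a model of a per-tab credential
// cache, used to show which of the reported scenarios each policy fixes.

const INACTIVE_TTL_MS = 10000; // 10 s default from the thread; assumed configurable

// Constructed stand-in for the KeePassXC database (site -> credentials or null).
class FakeDatabase {
  constructor() { this.entries = new Map(); }
  set(site, creds) { this.entries.set(site, creds); }
  remove(site) { this.entries.delete(site); }
  lookup(site) { return this.entries.has(site) ? this.entries.get(site) : null; }
}

// Per-tab cache. With refetchOnMiss=false it behaves as the bug report describes:
// the first fetch result (even "nothing found") is reused for every later fill.
class TabCredentialCache {
  constructor(db, opts = {}) {
    this.db = db;
    this.refetchOnMiss = opts.refetchOnMiss === true;
    this.cache = new Map();   // site -> { creds, fetchedAt }
    this.inactiveSince = null;
  }
  // The "pull" from the database: tab load, or the icon click in the input field.
  fetch(site, now) {
    const creds = this.db.lookup(site);
    this.cache.set(site, { creds, fetchedAt: now });
    return creds;
  }
  tabHidden(now) { this.inactiveSince = now; }
  // Inactivity timeout: forget everything if the tab was hidden long enough.
  tabVisible(now) {
    if (this.inactiveSince !== null && now - this.inactiveSince >= INACTIVE_TTL_MS) {
      this.cache.clear();
    }
    this.inactiveSince = null;
  }
  // The user fills a field. Never-fetched sites are pulled; a cached hit is reused;
  // a cached miss is re-pulled only under the refetch-on-miss policy.
  fill(site, now) {
    const hit = this.cache.get(site);
    if (hit && hit.creds !== null) return hit.creds;
    if (!hit || this.refetchOnMiss) return this.fetch(site, now);
    return null;
  }
}

// Scenario "change valid credentials to invalid": the entry changes after the pull.
// Returns the password that gets filled.
function scenarioStaleAfterChange(refetchOnMiss) {
  const db = new FakeDatabase();
  db.set('example.com', { user: 'alice', password: 'old-pw' }); // constructed
  const tab = new TabCredentialCache(db, { refetchOnMiss });
  tab.fetch('example.com', 0);
  db.set('example.com', { user: 'alice', password: 'new-pw' });
  return tab.fill('example.com', 1000).password;
}

// Scenario "save new credentials" / "add TOTP": first fill finds nothing, the
// entry is added afterwards, and the user fills again.
function scenarioAddedAfterMiss(refetchOnMiss) {
  const db = new FakeDatabase();
  const tab = new TabCredentialCache(db, { refetchOnMiss });
  const first = tab.fill('example.com', 0);
  db.set('example.com', { user: 'alice', password: 'pw' }); // constructed
  const second = tab.fill('example.com', 1000);
  return { first, second: second ? second.password : null };
}

// The inactivity timeout: hide the tab for hiddenForMs, then fill.
function scenarioInactivityExpiry(hiddenForMs) {
  const db = new FakeDatabase();
  db.set('example.com', { user: 'alice', password: 'old-pw' }); // constructed
  const tab = new TabCredentialCache(db);
  tab.fetch('example.com', 0);
  db.set('example.com', { user: 'alice', password: 'new-pw' });
  tab.tabHidden(1000);
  tab.tabVisible(1000 + hiddenForMs);
  return tab.fill('example.com', 2000 + hiddenForMs).password;
}

console.log('stale after change, current policy:', scenarioStaleAfterChange(false));
console.log('stale after change, refetch on miss:', scenarioStaleAfterChange(true));
console.log('added after miss, current policy:', scenarioAddedAfterMiss(false));
console.log('added after miss, refetch on miss:', scenarioAddedAfterMiss(true));
console.log('hidden 5 s:', scenarioInactivityExpiry(5000));
console.log('hidden 10 s:', scenarioInactivityExpiry(10000));
```

Running it shows where the two proposals differ: re-pulling on an empty cache repairs the "save new credentials" and "add TOTP" cases without any extra authorization prompts for sites that already produced a hit, but it leaves the "change valid credentials to invalid" and "remove credentials" cases untouched, because a stale hit is still a hit. Only the inactivity timeout (or an explicit force-refresh, as suggested earlier in the thread) invalidates a stale entry.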