keepassxc-browser
Autofill of HTTP Basic Auth for multiple specific files not working
Expected Behavior
- Open web page
- Web page loads some js files which are behind a basic auth
- Plugin automatically fills in these credentials and proceeds loading whole page.
Current Behavior
Basic Auth Popup opens.
Possible Solution
Maybe try detecting certain files which are getting loaded instead of only the initial request?
Steps to Reproduce (for bugs)
It's an internal corporate webpage, so I unfortunately can't share the url here.
Debug info
KeePassXC - 2.4.3
KeePassXC-Browser - 1.6.3
Operating system: Win32
Browser: Chrome/Chromium 79.0.3945.79
So credentials for the same URL don't automatically work with that auth request?
I've one entry in keepass with the domain itself for the basic auth credentials. I temporarily deactivated all other entries for that domain/subdomain/subpaths (like user accounts). And I still can't get it to work. When I open a webpage where the initial request is behind the basic auth (on the same domain, same credentials) it works fine.
The only way to get this to work would be to investigate every file request during the page load, and I'm not sure if that's something we want to do. Another thing is that it's unclear if this is even possible to do at file level.
If it's possible, maybe as an optional - default deactivated - option 🤔
We are already connected to webRequest.onAuthRequired, and I'm not aware of any other API that deals with HTTP Basic Auth. I suggest you debug the extension's background script httpauth.js and see if the file request is visible in the callback function. I would do it myself but I'm lacking an example site.
I've created a test page with a html file and a js file behind a basic auth: https://test.niklas.top/ (test:123)
But... it works. So I have to investigate more, so apparently the fact that only the file is behind a basic auth is not actually the issue...
@varjolintu I've added 3 other js files with the same credentials. Now only the first popup will get autofilled. I think that could be the issue.
Thanks for the test site. I'll look into it.
Ok. I know what happens but I don't know why it happens.
Each file load sends a request for retrieving credentials from KeePassXC, but only first one of these is received. And the same reply for the first request is seen in all four, which of course causes the last three to ignore it because the reply doesn't match the request.
@varjolintu How's the roadmap of the plugin? Is it worth it to get on the project and invest time to understand the architecture and look for myself or do you have any ideas how this could be fixed faster and easier by yourself?
I haven't had time to look into this any further (yet) but here's some more information about my last attempts to solve this:
Things I tried:
- Removed any possible sleep or delay from the proxy when reading stdin. No help.
- Made a message buffer to the extension that ensures the replies are for the correct request (this could be merged anyway because it increases the reliability of passing messages). No help.
- Made sure that the four requests differ and are sent separately. Confirmed.
Things that need to be tried:
- Trace the messages between extension (e.g. with strace) and the proxy to confirm the requests are received correctly. This way we can ensure if the problem is with the proxy, KeePassXC or Native Messaging.
- If the same happens with direct connection to KeePassXC. However, this feature will be removed in 2.6.0.
Changes made in 1.7.0 allowed me to solve this pretty quickly. Give the PR a try.
I imported the branch as a dev extension, allowed the origin and I tried it on my test page, so when I first open it, it asks me to allow access to the entry in KeePassXC, then it loads the first JS file and then it just keeps on loading.. :/
Hmmh? I need to retest it then. It worked for me last time.
Retested it, and it gets stuck after the first file when browsing the page first time. After that all files load normally, if you reload the page.
Will there still be progress here?
I have some strange behaviour on a site I'm using, which led me here. On the site I even get a login popup, with no option to autofill it by the extension. But when I hit cancel on that form, the extension's selection dialog opens. The Network Monitor tells me that this happens on the initial request for that page. (Maybe this behaviour is a bug unrelated to this, but nevertheless...)
Additionally, while fiddling with the test page, I noticed that the extension sometimes gets confused and proposes credentials for the false domain. This may even be a security problem since it may enable an evil site to get your credentials.
I imported the branch as a dev extension, allowed the origin and I tried it on my test page, so when I first open it, it asks me to allow access to the entry in KeePassXC, then it loads the first JS file and then it just keeps on loading.. :/
Having the same problem on the provided test page.
Setup:
KeePassXC - 2.6.4
KeePassXC-Browser - 1.7.8.1
Operating system: Linux x86_64
Browser: Mozilla Firefox 89.0
@MG-96 No progress yet. Haven't had time to look at this. It's quite difficult to solve.
@niklaswa Any plans to put the test site back online? :)
I have this same bug in an on-premises Microsoft Azure installation (which I can't share), so I tried to rebuild the test site @niklaswa created… but I fear I don't know how it was created exactly, as the one I created works correctly:
https://lapo.it/test-basic/
index.html is unauthenticated, but then includes both script1.js and script2.js which both need authentication as test:123.
KeePassXC-Browser Version: 1.9.0.1
KeePassXC Version: 2.7.7
Firefox 123.0.1 (64-bit)
I have this same bug
Or rather, this is what I'm seeing: upon first login an HTTP basic auth KeePassXC dialog pops up asking for confirmation, and as soon as I confirm, the Firefox basic auth dialog pops up with empty fields, as if I canceled the request on KeePassXC.