
Can't recall credentials from KeePassXC secret service

Open TheDcoder opened this issue 2 years ago • 9 comments

Describe the bug

spot doesn't seem to be able to recall credentials if the secret service provider is KeePassXC, but it can store them during initial attempt.

Closing it and launching it again results in spot asking for credentials again, even though the secret store is open with the credentials present in it.

There's no additional information in the console output from spot.

To Reproduce

  1. Open KeePassXC and go to app settings
  2. Go to "Secret Service" and enable Freedesktop.org secret service integration and "OK"
  3. Set up a new KeePass database in KeePassXC for storing the secrets
  4. Go to the "Database Settings" (not the same as app settings!) -> "Secret Service" -> Select the Root group under Expose entries under this group. At this point, the integration should be complete.
  5. Open spot and complete the first login, verify that the credentials are stored in the KeePass database
  6. Close spot and start it again, it should ask for credentials even though KeePassXC is open with the database!

Expected behavior

Spot opens up without prompting for credentials

General information:

  • Distribution: Arch Linux
  • Installation method [e. g. built from source, installed from Flathub...]: Built from AUR
  • Version [e.g. 0.1.0]: spot-client 0.4.0-1
  • Device used [e. g. desktop, phone...]: PC (does spot even support other devices?)

Stack trace: If applicable, run the application from a terminal and paste relevant log output.

TheDcoder@arch ~> RUST_BACKTRACE=full spot

(process:38625): Adwaita-CRITICAL **: 13:16:29.164: adw_leaflet_set_visible_child: assertion 'contains_child' failed

(spot:38625): Gtk-WARNING **: 13:16:29.365: GtkLabel 0x562c5a581060 (label) reported min height 22 and natural height 20 in measure() with for_size=-1; natural size must be >= min size

Additional context

This issue should be fairly easy to fix since I think it's just a quirk in spot's implementation of the secret service which might work with GNOME or KDE but not with KeePassXC.

TheDcoder avatar Jun 01 '23 07:06 TheDcoder

> This issue should be fairly easy to fix since I think it's just a quirk in spot's implementation of the secret service which might work with GNOME or KDE but not with KeePassXC.

That's one way to see it -- it could just as well be KeePassXC not implementing the secrets interface correctly :wink:

I don't have KeePassXC atm, it's worth investigating with a tool such as https://flathub.org/apps/org.gnome.dspy

xou816 avatar Jun 01 '23 19:06 xou816

Fair enough, so I tested it with secret-tool from libsecret:

$ secret-tool lookup spot_credentials yes
{"username":"<REDACTED>","password":"<REDACTED>","token":"<REDACTED>","token_expiry_time":{"secs_since_epoch":1685608276,"nanos_since_epoch":271279756},"country":"<REDACTED>"}

I think it's working properly :slightly_smiling_face:

TheDcoder avatar Jun 02 '23 04:06 TheDcoder

Works fine if I disable the options to prompt before allowing a third party app to read password: (excuse my French) [image]

So you're right, in a way, the integration could be better to support this kind of prompt to unlock the collection.

xou816 avatar Jun 02 '23 13:06 xou816

Probably this? https://freedesktop.org/wiki/Specifications/secret-storage-spec/secrets-api-0.1.html#authentication-unlocking

which doesn't seem to be supported by https://docs.rs/secret-service/latest/secret_service/ atm

xou816 avatar Jun 02 '23 13:06 xou816
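
The unlock-and-prompt sequence from the spec section linked in the comment above, as an added Rust example that is not code from spot or from the secret-service crate. `SecretBus`, `ConfirmingProvider` and the object paths are constructed for illustration; the method shapes follow the spec's `Unlock` call, `Prompt.Prompt` call and `Completed` signal.

```rust
// Added example; `SecretBus` is a hypothetical stand-in for the D-Bus calls.
#[derive(Debug, PartialEq)]
pub enum UnlockOutcome {
    NoPromptNeeded(Vec<String>), // Unlock returned prompt path "/"
    Approved(Vec<String>),       // user confirmed the prompt
    Dismissed,                   // user rejected or closed the prompt
}

pub trait SecretBus {
    /// Service.Unlock(objects) -> (unlocked, prompt)
    fn unlock(&mut self, objects: &[String]) -> (Vec<String>, String);
    /// Prompt.Prompt(window_id), then wait for Completed(dismissed, result)
    fn prompt_and_wait(&mut self, prompt: &str, window_id: &str) -> (bool, Vec<String>);
}

pub fn unlock_with_prompt(bus: &mut dyn SecretBus, objects: &[String]) -> UnlockOutcome {
    let (mut unlocked, prompt) = bus.unlock(objects);
    if prompt == "/" {
        // "/" is the spec's value for "no prompt needed".
        return UnlockOutcome::NoPromptNeeded(unlocked);
    }
    // A client that stops here sees only `unlocked` and never reads the secret.
    let (dismissed, result) = bus.prompt_and_wait(&prompt, "");
    if dismissed {
        return UnlockOutcome::Dismissed;
    }
    unlocked.extend(result);
    UnlockOutcome::Approved(unlocked)
}

/// Constructed mock: a provider that asks the user before releasing items.
pub struct ConfirmingProvider { pub user_approves: bool, pub pending: Vec<String> }

impl SecretBus for ConfirmingProvider {
    fn unlock(&mut self, objects: &[String]) -> (Vec<String>, String) {
        self.pending = objects.to_vec();
        (Vec::new(), "/org/freedesktop/secrets/prompt/p1".to_string()) // constructed path
    }
    fn prompt_and_wait(&mut self, _prompt: &str, _window_id: &str) -> (bool, Vec<String>) {
        if self.user_approves { (false, std::mem::take(&mut self.pending)) } else { (true, Vec::new()) }
    }
}

fn main() {
    let mut bus = ConfirmingProvider { user_approves: true, pending: vec![] };
    println!("{:?}", unlock_with_prompt(&mut bus, &["/constructed/item/1".to_string()]));
}
```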

Don't have much time atm, but could be interesting to contribute to the crate above, or switch to something different (ashpd would probably be a good idea)

xou816 avatar Jun 02 '23 13:06 xou816

> Works fine if I disable the options to prompt before allowing a third party app to read password: (excuse my French)

Ah, so that's the thing responsible for the issue! Also I think this is the first time I ever saw someone using "excuse my French" in a literal and unsarcastic manner :smile:

> Probably this? https://freedesktop.org/wiki/Specifications/secret-storage-spec/secrets-api-0.1.html#authentication-unlocking
>
> which doesn't seem to be supported by https://docs.rs/secret-service/latest/secret_service/ atm

Looks like the right thing to me, and it doesn't look like anyone has reported the lack of this feature to upstream yet. Maybe you can create an issue there to keep track?

TheDcoder avatar Jun 02 '23 14:06 TheDcoder

(pun definitely intended :smile: )

Sure, I could do that, I'll need to check properly however, I just had a quick look and didn't see it, but I might have missed it!

xou816 avatar Jun 02 '23 15:06 xou816

@xou816 By the way, this might be unrelated to this issue, but spot seems to be refreshing the login token each time, is this intended behavior?

I know that this is happening because KeePassXC prompts me when secrets are updated, and I also get an email from Spotify about the login each time.

spotifyd doesn't do this, it stores the token and reuses it on subsequent launches.

TheDcoder avatar Jun 03 '23 04:06 TheDcoder

We do reuse the token, but it's got a very short lifetime (about half an hour iirc)

There are probably a few things we could do better with regards to authentication -- there are a couple issues open mentioning just that

xou816 avatar Jun 05 '23 02:06 xou816