
web's Introduction

Archived

This repository is archived, please go to https://github.com/bitwarden/clients for future development.

The Bitwarden web project is an Angular application that powers the web vault (https://vault.bitwarden.com/).


Build/Run

Requirements

  • Node.js v16.13.1 or greater
  • NPM v8

Run the app

For local development, run the app with:

npm install
npm run build:oss:watch

You can now access the web vault in your browser at https://localhost:8080.

If you want to point the development web vault to the production APIs, you can run using:

npm install
ENV=cloud npm run build:oss:watch

You can also manually adjust your API endpoint settings by adding a config/local.json file that overrides any of the following values:

{
  "dev": {
    "proxyApi": "http://your-api-url",
    "proxyIdentity": "http://your-identity-url",
    "proxyEvents": "http://your-events-url",
    "proxyNotifications": "http://your-notifications-url",
    "allowedHosts": ["hostnames-to-allow-in-webpack"]
  },
  "urls": {}
}

Where the urls object is defined by the Urls type in jslib.

We're Hiring!

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

Contribute

Code contributions are welcome! Please commit any pull requests against the master branch. Learn more about how to contribute by reading the CONTRIBUTING.md file.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file.

Prettier

We recently migrated to Prettier as our code formatter. All existing branches need to be updated using the following steps to avoid large merge conflicts:

  1. Check out your local Branch
  2. Run git merge 2b0a9d995e0147601ca8ae4778434a19354a60c2
  3. Resolve any merge conflicts, commit.
  4. Run npm run prettier
  5. Commit
  6. Run git merge -Xours 56477eb39cfd8a73c9920577d24d75fed36e2cf5
  7. Push

Git blame

We also recommend that you configure git to ignore the prettier revision using:

git config blame.ignoreRevsFile .git-blame-ignore-revs


web's Issues

Only show folders that contain sites which match search

When I search for a site and the matching site is in one of the last folders (I have ~20 folders), I have to scroll through a bunch of folders that all say "No sites in this folder." It would be nice if these folders were automatically hidden while I am searching.

Collapse all button

Having a collapse all button for the folders would be useful since someone way has too many entries in a folder and scrolling through the entire page would be annoying.

Change to React?

From a user perspective, the website is pretty sluggish. I've started using it and when I want to add a new login, new folder, even move the pane away, it moves REALLY slowly.

I noticed it is because the website is using Angular over faster libraries (such as React).

I'm looking at the code and may try to move things over to React if I get a blessing on this. Would love to make a much snappier website using new technology.

Imports

Add additional password manager options to the import process:

  • LastPass csv
  • 1Password 1pif
  • KeePass
  • Dashlane csv
  • Keeper csv
  • Enpass csv
  • SafeInCloud csv
  • SafeInCloud xml
  • Padlock csv
  • Sticky Password xml
  • Firefox Password Exporter xml
  • Chrome csv
  • UPM csv
  • Password Dragon xml
  • Password Safe xml

UX improvement by 1-click password copy

I think adding some buttons on the homepage sites list could improve UX a lot.
I imagine something like that:
Imgur

where instead of black squares there are buttons to directly copy username/password OR a direct link to the site.

LastPass CSV import fails with secure notes

It ends up printing that the password should not be longer than 300 chars. Secure Notes have the URL "http://sn", and the content of secure notes in LastPass has no size limit as far as I know, which is stored in the password column. Perhaps it should just ignore that particular URL until Bitwarden can handle notes as well.

And one other small issue: Import fails as well when there's empty lines at the beginning of the CSV file. Those empty lines were added automatically when copy/pasting. In my opinion, the importer should be a bit more forgiving there and just ignore them. I had to remove them manually to continue.
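An added example (not part of the report above and not Bitwarden's importer code) of the tolerant pre-processing the report asks for: blank leading lines are skipped, rows whose URL is "http://sn" are routed to secure notes, and an over-long password is reported per entry instead of failing the whole import. The function names and sample rows are hypothetical; the column header is the LastPass export header quoted elsewhere on this page, and the 300 limit is the one named in the importer's error message.

```javascript
// Added example; names are hypothetical and the sample data is constructed.
const SECURE_NOTE_URL = "http://sn"; // LastPass marker for secure notes (from the report)
const MAX_PASSWORD_LENGTH = 300;     // limit quoted in the importer's error message

// Minimal RFC 4180 parser: quoted fields, "" escapes, embedded commas and newlines.
function parseCsv(text) {
  const rows = [];
  let row = [], field = "", inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') inQuotes = false;
      else field += c;
    } else if (c === '"') inQuotes = true;
    else if (c === ",") { row.push(field); field = ""; }
    else if (c === "\n" || c === "\r") {
      if (c === "\r" && text[i + 1] === "\n") i++;
      row.push(field); rows.push(row); row = []; field = "";
    } else field += c;
  }
  if (field !== "" || row.length > 0) { row.push(field); rows.push(row); }
  return rows;
}

function importLastPassCsv(text) {
  // Drop a BOM and any blank rows (e.g. empty lines added by copy/paste)
  // before looking for the header row.
  const rows = parseCsv(text.replace(/^\uFEFF/, ""))
    .filter((r) => r.some((f) => f.trim() !== ""));
  const result = { logins: [], secureNotes: [], rejected: [] };
  if (rows.length === 0) return result;
  const header = rows[0].map((h) => h.trim().toLowerCase());
  const col = (r, name) => {
    const i = header.indexOf(name);
    return i === -1 ? "" : (r[i] ?? "");
  };
  for (const r of rows.slice(1)) {
    const name = col(r, "name");
    if (col(r, "url") === SECURE_NOTE_URL) {
      // Assumption: take the note body from whichever of extra/password is filled;
      // the report describes it arriving in the password column.
      result.secureNotes.push({ name, notes: col(r, "extra") || col(r, "password") });
    } else if (col(r, "password").length > MAX_PASSWORD_LENGTH) {
      // Name the offending entry so the user does not have to hunt for it.
      result.rejected.push({ name, reason: "password exceeds " + MAX_PASSWORD_LENGTH + " characters" });
    } else {
      result.logins.push({ name, uri: col(r, "url"), username: col(r, "username"),
                           password: col(r, "password"), notes: col(r, "extra") });
    }
  }
  return result;
}

// Constructed sample: two blank leading lines, one login, one secure note, one over-long password.
const SAMPLE = [
  "", "",
  "url,username,password,extra,name,grouping,fav",
  "https://example.com/login,alice,s3cret!,,Example,,0",
  'http://sn,,"line one\n\nline two, with comma",,Wifi note,,0',
  "https://example.org/,bob," + "x".repeat(301) + ",,Too long,,0",
].join("\n");

const summary = importLastPassCsv(SAMPLE);
console.log(summary.logins.length, summary.secureNotes.length, summary.rejected.length);
```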

[bug] Max password length accepted is not 300

Spent a couple of hours trying to import my Keepass database but it wouldn't let me, saying there was a password longer than 300 characters. After running a regex I couldn't find it, so today I imported one group at time and I found it was a 193 characters long password. I tested some numbers and the maximum length for this field is 191, even if the error message says otherwise. I tried to create a new login for the vault and I still get this error so I'm pretty sure it wasn't an import problem

Unable to log in

I cannot log in to access my vault from the web client for some days. But the Android and browser apps work, I can unlock them with my password.
I use Firefox, but I have the problem on Chrome too. Not tried on other browsers.

I did nothing special :-s Any idea ? Did you need some additional info ?

Request:

POST /connect/token HTTP/1.1
Host: api.bitwarden.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://vault.bitwarden.com/
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 141
Origin: https://vault.bitwarden.com
Connection: keep-alive
client_id=web
grant_type=password
password=XXXXX
scope=api+offline_access
username=XXXXX

Response:

HTTP/2.0 400 Bad Request
Date: Wed, 15 Feb 2017 11:34:31 GMT
Content-Type: application/json
Set-Cookie: __cfduid=XXXXX; expires=Thu, 15-Feb-18 11:34:28 GMT; path=/; domain=.bitwarden.com; HttpOnly
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Access-Control-Allow-Origin: *
x-rate-limit-limit: 1m
x-rate-limit-remaining: 59
x-rate-limit-reset: 2017-02-15T11:35:28.6538999Z
X-Powered-By: ASP.NET
Server: cloudflare-nginx
CF-RAY: 3318736cdebc4433-BRU
X-Firefox-Spdy: h2
{"error":"invalid_grant","error_description":"invalid_username_or_password","ErrorModel":{"Message":"Username or password is incorrect. Try again.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null,"Object":"error"}}

Thanks !

Importing 1Password export w/ CC data fails

When exporting your 1Password vault, you can "export all..." which includes things like bank accounts and credit cards. When I include credit card exports, the website throws a JS error when trying to import the .1pif:

app.min.js?v=xqdea5rk9:formatted:1312Uncaught TypeError: s[r].split is not a function
    at o (app.min.js?v=xqdea5rk9:formatted:1312)
    at FileReader.c.onload (app.min.js?v=xqdea5rk9:formatted:1340)
o @ app.min.js?v=xqdea5rk9:formatted:1312
c.onload @ app.min.js?v=xqdea5rk9:formatted:1340

I'm not sure if bitwarden should support storing CC info, or if the documentation on exporting 1Password data should include this caveat?

Bulk Site to Folder Move

Hello,

Can you add the possibility to make a massive folder change for a list of passwords?

Thanks.

Ability to delete folder containing sites

Not sure how easy this would be to implement, but having the option to delete a folder (and all the sites inside of it) would be appreciated. Instead, I have to manually delete every single site in the folder before deleting the folder.

Built in browser save prompt is exposing password

When saving a new site to my vault on Firefox 49.0 the "Would you like Firefox remember this login?" pop-up exposes the password in the field where the user name usually shows.

As a test I created a new site:

Site: http://test.com
Name: TestName
Username: TestUserName
Password: password123

firefox_issue

My concern is not that Firefox doesn't store it correctly, I guess it is not supposed to save anything at all, but my concern is that it exposes the password in clear text, so anyone looking at your screen can see it.

Also tested in Chrome version 54.0.2840.59 (64-bit), same thing happens.
chrome_issue

Two-factor fallback?

If I enable two-factor authentication, and then lose/break/explode my phone, am I permanently locked out of my account?

There doesn't seem to be any fallback mode in the website login process. Presumably an SMS/telephone based solution is a bit out of scope for a project your size, so it would have to be some kind of email verification, or second super-secret password, or maybe a print-out-and-keep-safe single-use password like Google use.

Remove or allow opt out of Google Analytics

If you need to collect analytics at least look into an alternative to Google's. I've linked to an issue from when Homebrew decided to use Google Analytics which should show you why this is a bad idea to start with and what some alternatives are.

Ref: Homebrew/brew#142

"Copy Password" Tooltip resizes password-field

When hovering over the "Copy Password" button inside the ValutEditSite modal until the tooltip displays the size of the "Copy Password" field changes to about 50% of its original size.

Recovery code empty

Hi,
The field for the recovery code is empty:

Tested on my Android phone and 2 web browsers (Iridium and Firefox).
Thanks.

Account Recovery

Add a feature that will allow users to recover their account through email verification. Unfortunately due to the nature of how bitwarden works, resetting a password is not an option. Allow the user to click a link that is emailed to their account email address that will completely delete the account and re-create it with a new master password of their choice.

  • This will allow users to gain access to an account that has squatted on their email address
  • This will allow users to gain access to an account that they have forgotten their password to
  • This will allow users to gain access to an account that they have lost access to due to losing their authentication device

Domain rules not clear

Only "base" domains are allowed. Do not enter subdomains. For example, enter "google.com" instead of "www.google.com".
You can also enter "androidapp://package.name" to associate an android app with other website domains.

Here is the guide in the web vault. However here is my experience with the Android app of my bank (Fortuneo). The same applies for Protonmail website/Android app.

URI: https://mabanque.fortuneo.fr/......
Android package name: com.fortuneo.android

The domain rule that really works is fortuneo.fr, fortuneo.android
If I set androidapp://com.fortuneo.android (androidapp://package.name) instead of fortuneo.android then it doesn't work. It doesn't work either if I set androidapp://fortuneo.android

capture

Setup for i18n so translators could help

I know I talked to you about this on gitter @kspearrin, but I also want to write it here to make it more formal.

I think it would be great for the webvault to be i18n ready, so translators could help you localize the platform!

Once it's done, I could help with the French language.

Thank you and keep up the good work!

Lastpass Import Issues

I have had a few reports from users who are having issues importing their exports from Lastpass. I have not been able to reproduce the issue and there are many others who have imported their sites from Lastpass without issue (including those with thousands of sites). Obviously I cannot just ask those users to just send me their export file so that I can debug it. More investigation is needed to try to reproduce this issue so that all users can import from Lastpass.

Hovering on minimized sidebar

So when you minimize the sidebar (personally I really like it minimized) it shows smaller icons. When you hover over the icons, the sidebar then expands, forcing you to be then hovering over a list item that does not pertain to what you originally wanted to hover over.

On top of this, the hovering also has some glitchy-ness to it, like the containing text flashes outside the sidebar.

This seems a little silly, and I'm wondering if I can help out by removing this expand feature on hover, while providing in turn a tooltip upon hovering of an icon on the (minimized) sidebar. I think this will provide a fully minimized sidebar if the user wants, and also prevent glitchy-ness!

Thanks.

Master password strength

Currently the user is required to have length 8, 1 letter, and 1 number or special character. This was an easy way to prevent users from using dictionary words as passwords. There is a desire for this rule to be more intelligent for users that create very long alpha passwords that are not dictionary terms.

import from firefox

When I try to import my dump from passwordExporter, I have this issue:

Sites[0].Password: The field Password must be a string with a maximum length of 300. Logins[0].Password: The field Password must be a string with a maximum length of 300. 

The export from passwordExporter is good, and importing in keepass works.

Importing files with multiple extensions broken

What I did: Imported a file named "Enpass_2016-12-27_21-34-52.csv.txt" (exported from Enpass obviously)
What happened: I got a lot of sites in my vault with all fields empty except all their names were "--"

Removing the ".txt" from the filename resulted in a successful import.
I have only tested this with Enpass export/import.

Use before-submission validation on Registration page

There is little immediate validation done on the registration page beyond the email address before pressing the submit button. It is a best practice to do immediate validation and provide feedback for things such as:

  • Email address
  • Matching passwords
  • Length / strength of passwords

Lastpass CSV Import Bug

When I use the export option from Lastpass, this is the output I get:

url,username,password,extra,name,grouping,fav
https://somesite.com/#/,someusername,G%W!7&#,,bitwarden.com,,0

bitwarden currently imports this output as is.

The problem is the password:
Exported: G%W!7&#
Imported: G%W!7&#
Actual password: G%W!7&#

It's the &

It broke 200 of my logins that were imported from Lastpass. I had to use search and replace to fix this.

An unhandled server error on attempt to delete a lot of sites

Due to the lack of delete for folders, I've tried to do it "myself": called click on every button in a folder and confirmed all delete dialogs. This led to some successful deletes but mostly (> 100) failed with error 500.
Response:

{"Message":"An unhandled server error has occured.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null,"Object":"error"}

Screenshot:
bitwarden_many_deletes

Another method to enable two-step authentication

Hi,

I'd like to enable this security layer to access my vault but I do not want to share my private phone number with a 3rd party app like Authy (for Android).
Please offer another solution to enable two-step authentication.

Validation missing on URI field

In the web UI the name, username and password fields all show an error if they're not filled in. If the URI field is empty it just doesn't submit.

[Feature request] Option to disable Gravatar

Gravatar is currently used by vault.bitwarden.com to provide an avatar image. This is conceivably a privacy breach; I know many people who don't want Gravatar to have a log of every "enhanced" website they visit.

Please default to Gravatar=off and have it as an option in the user's account settings.

LastPass import not pulling in URIs

While I had no issue exporting a CSV from LastPass and importing it, all of the URI entries in my imported passwords are blank.

Looking at the CSV does not reveal anything unusual. All entries in the CSV have URL fields. Deleting secure notes before importing does not make a difference. I've also tried exporting from both Firefox and Chromium on Linux to no avail: Even a hand-made CSV with a single entry has the same issue.

Add a Web App Manifest and a Service Worker

As a Bitwarden mobile web user,
when the network is flakey or non-existent,
I would like to retain access to my vault,
so that I can remain productive regardless of the network state.

Bitwarden is pretty great (kudos on the awesome work you're doing). I love that it has a web interface that is usable on both my laptop and my phone. However, if I'm on my phone and I lose network connectivity (and I don't have the Android app installed), I basically lose access to my vault.

There are new standards-based features available in some browsers today that might allow the app to remain functional even without network connectivity.

Service Worker allows an app to control caching so that the static assets and the vault are consistently available when the user is offline (depending on your architecture, possibly restricted to a read-only mode).

Web App Manifest isn't necessary for offline availability, but it would allow users in some browsers to easily add the web app to their homescreens and launch it without browser chrome.

As a user who always prefers web-based apps to native ones when available, it would be really delightful to me to have these features implemented in the Bitwarden web client.

Importing via pasting into textarea

Hi. It would be good if there was a secondary option that allows importing usernames/passwords via pasting into text box on the bitwarden vault.

With this method, the user does not have to create a CSV file and then dispose of it. Because most of us know that once files have been deleted they can still be recovered (unless the file is shredded of course).

Here is a rough mockup of what I am suggesting:
image
