
passwall-server's People

Contributors

ademilter, ahmetcancicek, anildemir, batuberksahin, emredipi, fatihsezgin, firstthumb, furkanbegen, gungoren, ibrahimaydinnet, ionutale, isacikgoz, leventarican, mehmetka, mrtrkmn, murat, musabgultekin, oguzhaninan, omerbasoglu-co, ramazan, recep, sadikkuzu, safakkizkin, theykk, yakuter, yakutozcan, yusufpapurcu


passwall-server's Issues

Docker build tags

The Passwall docker image should be built with a specific build tag, for example passwall/passwall-server:1.1.0, for backward compatibility.

Check CSV files' extension and content type for security

We have an import function. However, we don't check the uploaded file. This is the most vulnerable point we have. We can check the file extension and content type. Do you have any idea for hardening?

Can anyone work on this?

Let's find a new name for gpass

When I started this project, it was just a weekend project. However, now I think it should have a future.

Today I searched the internet and found gpass.io, which is also a password manager. I think we had better find a new name.

Any suggestions?

Import for KDB and KDBX files.

For now, import only works for CSV files. It should support KDB and KDBX files too. While doing this, the import endpoint and functions should be separated from the logins API.

Need direct import mechanism from other password managers

Our backup system is complicated for the end user. We need a simple import mechanism from other companies. The user should only choose the source. Of course, our job is only to provide the suitable endpoint on the passwall server. Something like this:
[screenshot: Screen Shot 2020-05-01 at 01 49 32]

some features

Hi,
I created an account on gpass.io to see how it is made.
I think it has some very nice features:

### Types
You can create types with predefined fields. This allows for multiple types of credentials.
[screenshot: Schermata 2020-04-08 alle 07 00 36]

### Folders
You can group credentials into folders.
[screenshot: Schermata 2020-04-08 alle 07 01 41]

### Tags
Very useful.

### Adding new fields for the same entry
On every credential you can have new fields, dynamically added.

If you consider adding this support, it should be structured at the beginning.

Restore backup fix

Now we have a strong backup system with rotation and timestamp-based filenames. However, we didn't update our restore system. I think there should be 2 steps in restore.

  1. We need an endpoint to list the backed-up filenames. This means that in the frontend the user will have a chance to select a backup file.
  2. We need an endpoint to restore with the filename that comes in the JSON body.

Need to update Postman to add the Content-Type header

The curl requests don't contain a Content-Type header; it did not work on my first attempts.

current version

curl --location --request POST 'http://localhost:3625/auth/signin' \
--data-raw '{
        "Username":"passwall",
        "Password":"password"
}'

working version with curl

curl --location --request POST 'http://localhost:3625/auth/signin' \
--header 'Content-Type: application/json' \
--data-raw '{
        "Username":"passwall",
        "Password":"password"
}'

Docker image

Users should be able to pull from docker easily

Url parse

If the PUT/POST body is like this when we create/update a login:

{
	"URL":"notwebsite.com",
	"Username": "[email protected]",
	"Password": "notpassword"
}

it responds like this:

{
  "ID": 2,
  "URL": "",
  "Username": "[email protected]",
  "Password": "notpassword"
}

Can you fix it?

Import needs to be tested manually

I just finished the import ability. I tested it locally and it works fine. However, some other tests would be great.

Also, I am not sure if I explained well how to import in the readme. Can anyone check it out?

gpass import

Response struct shouldn't be in login package

We have endpoints using a return struct login.LoginResponse. However, we will have more models in the future, like Categories, and they shouldn't use login's response struct. Also, this response isn't about the login package; it is about the whole project's behaviour.

We should change the LoginResponse name to a generic name (maybe just Response) and move it outside and above the login package.

Does anyone want to work on this?

Add export as csv for logins

The user should be able to export all logins as a CSV file.

Endpoint: /logins/export
Method: POST

Example csv file:

URL,Username,Password
http://dummy.com,dummyuser,dummypassword
http://dummyweb.com,dummyuser2,dummypassword2
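
A Go example, added here and not code from the passwall-server project, that serves both the CSV import-hardening question above (check extension and content type) and the export format listed in this issue: the upload checks run on the declared file name and Content-Type plus a sniff of the leading bytes, and the parser enforces the exact header, a size and row cap, a fixed field count, and absolute http(s) URLs. The size and row limits, the Login struct and the function names are assumptions; the sample rows are the ones from this issue.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Login is one row of the CSV format from the export issue.
type Login struct {
	URL, Username, Password string
}

// Limits are assumptions for this example, not values from the project.
const (
	maxImportBytes = 1 << 20
	maxImportRows  = 10000
)

var expectedHeader = []string{"URL", "Username", "Password"}

// validateUpload runs before any row is parsed. The declared Content-Type is
// client-chosen and is checked, but the leading bytes are sniffed too, so a
// binary renamed to .csv is caught even when the declared type is text/csv.
func validateUpload(filename, declaredType string, head []byte) error {
	if strings.ToLower(path.Ext(filename)) != ".csv" {
		return errors.New("only .csv uploads are accepted")
	}
	mt := strings.ToLower(strings.TrimSpace(strings.Split(declaredType, ";")[0]))
	if mt != "text/csv" && mt != "text/plain" && mt != "application/vnd.ms-excel" {
		return fmt.Errorf("unexpected Content-Type %q", declaredType)
	}
	if sniffed := http.DetectContentType(head); !strings.HasPrefix(sniffed, "text/") {
		return fmt.Errorf("content sniffs as %s, not text", sniffed)
	}
	return nil
}

// parseLogins reads the body under a hard size cap, insists on the exact
// header, and rejects rows with the wrong field count or a URL that is not
// absolute http(s); url.Parse reads a bare host such as "notwebsite.com" as
// a path with an empty Host, so such rows are refused instead of stored.
func parseLogins(r io.Reader) ([]Login, error) {
	limited := &io.LimitedReader{R: r, N: maxImportBytes + 1}
	cr := csv.NewReader(limited)
	cr.FieldsPerRecord = len(expectedHeader) // any other count is an error
	header, err := cr.Read()
	if err != nil {
		return nil, fmt.Errorf("reading header: %w", err)
	}
	for i, name := range expectedHeader {
		if header[i] != name {
			return nil, fmt.Errorf("header must be %s", strings.Join(expectedHeader, ","))
		}
	}
	var logins []Login
	for {
		rec, err := cr.Read()
		if limited.N <= 0 { // more than maxImportBytes were pulled from r
			return nil, errors.New("import exceeds size limit")
		}
		if err == io.EOF {
			return logins, nil
		}
		if err != nil {
			return nil, err
		}
		if len(logins) >= maxImportRows {
			return nil, errors.New("import exceeds row limit")
		}
		u, err := url.Parse(strings.TrimSpace(rec[0]))
		if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
			return nil, fmt.Errorf("row %d: %q is not an absolute http(s) URL", len(logins)+2, rec[0])
		}
		logins = append(logins, Login{URL: u.String(), Username: rec[1], Password: rec[2]})
	}
}

func main() {
	// Constructed sample in the export format shown in the issue.
	const sample = "URL,Username,Password\n" +
		"http://dummy.com,dummyuser,dummypassword\n" +
		"http://dummyweb.com,dummyuser2,dummypassword2\n"
	if err := validateUpload("logins.csv", "text/csv", []byte(sample)); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	logins, err := parseLogins(strings.NewReader(sample))
	fmt.Println(len(logins), "logins imported, err:", err)
}
```

In an upload handler, validateUpload gets the multipart part's filename, its Content-Type header and its first 512 bytes, and parseLogins then reads the part body; both reject before anything reaches the database.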

More enhanced backup system

We took step 1 for basic backup. Now we should take step 2.

Well in this step;

  1. The time cycle (24 hours, 1 week, etc.) should be in the config file under the backup section.
  2. Backup files should contain the datetime, as @omerbasoglu-co said before.
  3. There should be a limit for backup files. Let's say 7, which means a week for a 24-hour cycle. After 7 backup files are generated in the backup folder, the oldest one should be deleted.
  4. This is a feature and should be worked on another branch.

If anyone wants to work on this, I can assign the issue.
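
Steps 1 to 3 above as one added Go example (not the project's own code): a backup section with interval and retention, UTC-timestamped file names that sort chronologically, and rotation that removes the oldest files beyond the limit while ignoring anything it did not write itself. The field names, the file-name layout and the dump callback are assumptions; for SQLite the callback would copy the database file, for Postgres/MySQL it would run the server's dump tool.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// BackupConfig is the "backup" section the issue asks for (field names assumed).
type BackupConfig struct {
	Folder   string
	Interval time.Duration // the time cycle, e.g. 24h
	Keep     int           // how many files to retain, e.g. 7
}

const backupPrefix = "passwall-"

// backupName embeds the UTC timestamp so names sort chronologically with a
// plain string sort and never collide across DST changes.
func backupName(now time.Time) string {
	return backupPrefix + now.UTC().Format("20060102-150405") + ".bak"
}

// rotate deletes the oldest backups until at most cfg.Keep remain. Only files
// matching our own naming pattern are considered, so a stray file in the
// folder is never removed. It returns the names it deleted.
func rotate(cfg BackupConfig) ([]string, error) {
	entries, err := os.ReadDir(cfg.Folder)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, e := range entries {
		n := e.Name()
		if !e.IsDir() && strings.HasPrefix(n, backupPrefix) && strings.HasSuffix(n, ".bak") {
			names = append(names, n)
		}
	}
	sort.Strings(names) // oldest first, thanks to the timestamp layout
	var removed []string
	for len(names) > cfg.Keep {
		if err := os.Remove(filepath.Join(cfg.Folder, names[0])); err != nil {
			return removed, err
		}
		removed = append(removed, names[0])
		names = names[1:]
	}
	return removed, nil
}

// runBackup writes one backup through the caller-supplied dump function and
// then rotates, returning the path of the new file.
func runBackup(cfg BackupConfig, now time.Time, dump func(path string) error) (string, error) {
	path := filepath.Join(cfg.Folder, backupName(now))
	if err := dump(path); err != nil {
		return "", err
	}
	_, err := rotate(cfg)
	return path, err
}

// schedule runs a backup every cfg.Interval until ctx is cancelled.
func schedule(ctx context.Context, cfg BackupConfig, dump func(string) error) {
	t := time.NewTicker(cfg.Interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case now := <-t.C:
			if _, err := runBackup(cfg, now, dump); err != nil {
				log.Println("backup:", err)
			}
		}
	}
}

func main() {
	dir, err := os.MkdirTemp("", "passwall-backups")
	if err != nil {
		log.Fatal(err)
	}
	cfg := BackupConfig{Folder: dir, Interval: 24 * time.Hour, Keep: 7}
	dump := func(p string) error { return os.WriteFile(p, []byte("constructed backup\n"), 0o600) }
	p, err := runBackup(cfg, time.Now(), dump)
	fmt.Println(p, err) // schedule(ctx, cfg, dump) would repeat this every cfg.Interval
}
```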

propose pre-generated issues template

It could be a best practice to use an auto-generated issue template for creating issues, as described over here.

Of course, this does not prevent anyone from opening a blank issue; however, when the templates are available, everyone can easily understand the bug or proposed feature, and taking care of any issue might be flawless.

Secret key should be generated dynamically

The JWT secret key is the same in all new installations. It is set both in the code and in the config-sample.yml file. The problem is that this secret key must be unique and generated dynamically. The way to do that is to generate the config.yml file dynamically.

When the program starts, before reading and setting the config, we must check whether the config file exists.
If it does not, we must create one.
We already have our default values and a struct (Configuration),
so we can easily create a YAML file with yaml.Marshal().
While setting the values we should change the secret (and maybe the passphrase).

This is the solution in my mind. What do you think?
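
The start-up check described above, as an added Go example rather than the project's own code: load the config if it exists, otherwise generate a per-install secret and passphrase from crypto/rand and write the file once, atomically. The Configuration fields, the file name and the 32-byte secret length are assumptions, and encoding/json stands in for yaml.Marshal so the example needs no dependency; swapping the marshal call is the only change needed for YAML.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Configuration stands in for the project's struct, whose fields the issue
// does not show; the names here are assumed.
type Configuration struct {
	Port       int    `json:"port"`
	Secret     string `json:"secret"`
	Passphrase string `json:"passphrase"`
}

// defaultConfiguration carries only non-secret defaults. Secret and
// Passphrase are deliberately empty so no shared value can ship in code.
func defaultConfiguration() Configuration {
	return Configuration{Port: 3625}
}

// randomSecret draws n bytes from crypto/rand and encodes them URL-safe,
// which is safe to embed in a config file and to use as an HS256 key.
func randomSecret(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ensureConfig implements the start-up check: load the file if it exists,
// otherwise create it with freshly generated secrets. It returns the
// configuration and whether the file was created on this call.
func ensureConfig(path string) (Configuration, bool, error) {
	data, err := os.ReadFile(path)
	if err == nil {
		var cfg Configuration
		if err := json.Unmarshal(data, &cfg); err != nil {
			return Configuration{}, false, err
		}
		if cfg.Secret == "" {
			// A file with no secret is a misconfiguration; refuse to start
			// rather than silently patching it.
			return Configuration{}, false, errors.New("config has an empty secret")
		}
		return cfg, false, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return Configuration{}, false, err
	}

	cfg := defaultConfiguration()
	if cfg.Secret, err = randomSecret(32); err != nil {
		return Configuration{}, false, err
	}
	if cfg.Passphrase, err = randomSecret(32); err != nil {
		return Configuration{}, false, err
	}
	out, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return Configuration{}, false, err
	}
	// O_EXCL makes creation atomic: if another process created the file
	// between ReadFile and here, this fails instead of overwriting its
	// secret. 0600 keeps other local users from reading the file.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return Configuration{}, false, err
	}
	if _, err := f.Write(out); err != nil {
		f.Close()
		return Configuration{}, false, err
	}
	if err := f.Close(); err != nil {
		return Configuration{}, false, err
	}
	return cfg, true, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "passwall-example-config.json")
	cfg, created, err := ensureConfig(path)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("created=%v port=%d secret length=%d\n", created, cfg.Port, len(cfg.Secret))
}
```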

integration of goreleaser into ci process

It would be nice to integrate the Goreleaser process into the CI/CD step to have an automated release action on tagged commits.

Proposal

  • With the integration of GitHub Actions (or Travis CI, it does not matter very much) + Goreleaser, the process of releasing a new version would be much more convenient.

  • Having Goreleaser in pocket means that uploading the necessary binary to Homebrew (or another package manager) will be much easier than anticipated. It seems the Homebrew issue #30 has been assigned to @patyogesh; however, with this approach it is possible to shoot two birds (-tasks-) with one stone :)

@patyogesh, would you like to comment on it? I have no clue about the state of your development at the moment; however, if you think or might think the same way, we can figure out something in common. Otherwise, this issue can also close #30.

Any suggestion, comment, or improvement related to this issue is very welcome!

Important Security issues

Hey there!

First of all, congrats on the project. Even though this is a security-focused project, I've had some issues with the codebase which I couldn't just do nothing about. So, sorry about that :)

Rate limiting

This seems to be a serious problem, since any person who has access to the login page can brute force passwords.

Possible solution
  • Use Redis to keep track of the user's IP address and limit it when an offset is exceeded. (This doesn't prevent a user from attacking from different IP addresses. In that scenario, having a timeout for the account on invalid password requests can fix this vulnerability.)

JWT Token Invalidation

In order to invalidate existing sessions in a case where an environment is hijacked, there has to be a token invalidation process in the passwall server.

JWT Token information retrieval

Think of such a scenario: an attacker listens to local network traffic, sees a request with a JWT token and grabs the token. Magically, on the backend we invalidated the JWT token, but since the JWT token includes the user's username, the attacker now knows the username and can perform a brute force attack with it.

Possible solutions
  • Use a user id (which should be a randomly generated UUID, so as not to reveal the user count in the database) instead of the username in the JWT payload.

Authentication transport

The password is sent to the backend over the HTTP layer. If no SSL is set up (as in the local setup case), the password is sent without any encryption. This is open to MITM attacks.

Possible solutions
  • Use an HMAC algorithm to verify that the request has not been manipulated by a MITM attack. In that case, you need to exchange the HMAC secret using the Diffie-Hellman algorithm to securely exchange keys.
  • Use SSL pinning with a self-signed certificate on the server side. This solves the MITM attack scenarios, but you need to distribute the SSL keys' initial vectors to the clients.

AES Passphrase storage

The AES passphrase is either a static text or obtained at runtime. Any attacker who has access to the environment objects can automatically decrypt all of your passwords.

Possible solutions
  • Storing the AES passphrase is a tricky topic. 1Password solves this by having a master password (likely to be 10+ characters), decrypting the AES passphrase at runtime and using that decrypted AES passphrase to decrypt the encrypted passwords in the database.

Password store request

Referencing from: https://github.com/pass-wall/passwall-web/blob/master/pages/index.js#L37

await fetch('/logins/', { method: 'POST', body: JSON.stringify(values) })

This is wrong in so many ways. The password shouldn't be sent to the server in plain text.

SQL Injection

Title says it all.

Hope this feedback helps!
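
An added Go example (not code from passwall-server or the commenter) for the rate-limiting point above: a keyed limiter that counts failures in a sliding window and locks the key out for a fixed period. Keying on "user:<name>" as well as "ip:<addr>" is what catches the case the comment raises, an attacker rotating source addresses. The threshold, window and lockout values are assumptions; state is in-memory here, where the comment's Redis would hold it across instances.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// AttemptLimiter counts failed sign-in attempts per key inside a sliding
// window and locks the key out for a fixed period once a threshold is hit.
// Keys are free-form, so one limiter serves both per-address and per-account
// limiting ("ip:203.0.113.7", "user:alice"); the per-account key is what
// stops an attacker who spreads attempts across many addresses. State is
// in-memory here; a multi-instance deployment would keep it in Redis, as the
// comment suggests, with the same decision logic.
type AttemptLimiter struct {
	mu          sync.Mutex
	limit       int
	window      time.Duration
	lockout     time.Duration
	now         func() time.Time // injectable clock for tests
	failures    map[string][]time.Time
	lockedUntil map[string]time.Time
}

func NewAttemptLimiter(limit int, window, lockout time.Duration) *AttemptLimiter {
	return &AttemptLimiter{
		limit:       limit,
		window:      window,
		lockout:     lockout,
		now:         time.Now,
		failures:    make(map[string][]time.Time),
		lockedUntil: make(map[string]time.Time),
	}
}

// Allow reports whether an attempt for key may proceed now and, if not, how
// long the client should be told to wait (a Retry-After value).
func (l *AttemptLimiter) Allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	if until, ok := l.lockedUntil[key]; ok {
		if now.Before(until) {
			return false, until.Sub(now)
		}
		// The lockout has elapsed: the key starts again with a clean history.
		delete(l.lockedUntil, key)
		delete(l.failures, key)
	}
	return true, 0
}

// Fail records a failed attempt and reports whether it triggered a lockout.
// Failures older than the window are dropped first, so a slow trickle of
// mistakes by a real user never accumulates into a lockout.
func (l *AttemptLimiter) Fail(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	cutoff := now.Add(-l.window)
	var recent []time.Time
	for _, t := range l.failures[key] {
		if t.After(cutoff) {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	l.failures[key] = recent
	if len(recent) >= l.limit {
		l.lockedUntil[key] = now.Add(l.lockout)
		return true
	}
	return false
}

// Success clears the history for key after a correct password.
func (l *AttemptLimiter) Success(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, key)
	delete(l.lockedUntil, key)
}

func main() {
	l := NewAttemptLimiter(5, 10*time.Minute, 15*time.Minute)
	for i := 1; i <= 5; i++ {
		fmt.Printf("failure %d locked=%v\n", i, l.Fail("user:alice"))
	}
	ok, wait := l.Allow("user:alice")
	fmt.Printf("allowed=%v retry after %s\n", ok, wait)
}
```

A sign-in handler would call Allow for both the address key and the account key before checking the password, then Fail or Success on both, so an attacker sending one request per address still exhausts the per-account budget.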

Upper/Lowercase keys on json body

Your JSON responses have different keys. For example, when we post a generate-password request it returns:

{
  "Status": "Success",
  "Message": "E$X+oVdgfBF=Whzm"
}

or

{
  "code": 401,
  "message": "Token is expired"
}

So you create two different keys, Message and message. Please, can you review your code and standardize your keys? It's hard to parse the JSON data.

How to backup?

The API needs a backup plan. Any ideas? An SQLite file can be stored anywhere (iCloud, a Google folder, etc.), but what about Postgres and MySQL databases? I think there can be a cron job which takes a backup of the database table.

Why are there always 2 requests in the logs

When I look at the logs, even when I do one GET request with Postman, the logs show that there are 2 requests. I don't know if this is normal with negroni, but we had better look into this.
[screenshot: Screen Shot 2020-05-01 at 00 36 36]

JWT auth sign in endpoint is needed

Well, I removed all the gin framework code from the codebase in the nongin branch. Now we need to add JWT authentication.

The stack I want to use:
net/http
mux router
negroni middleware
jwt-go (https://github.com/dgrijalva/jwt-go)

In this issue we need 3 endpoints:
/auth/signin
/auth/refresh
/auth/logout

The HS256 signing method of jwt-go must be used. There is an example here:
https://godoc.org/github.com/dgrijalva/jwt-go#example-New--Hmac

I know this is a big job, but does anyone want to work on this?
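
An added Go example, not the project's code, serving both this issue (HS256 sign-in tokens and logout) and the JWT points in the "Important Security issues" comment above: the subject is an opaque id rather than the username, every token carries a jti, logout puts that jti on a revocation list, and Verify pins the header to HS256 before checking the HMAC. crypto/hmac from the standard library is used in place of jwt-go so it runs without a dependency; the secret in main is a placeholder where the per-install config secret would go.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

var (
	b64 = base64.RawURLEncoding
	// The only header this server ever issues; Verify pins it byte for byte.
	header = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
)

// Claims: sub is an opaque random user id, not the username, so a captured
// token leaks nothing reusable against the sign-in form; jti names the token.
type Claims struct {
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp"`
	TokenID   string `json:"jti"`
}

// Issuer mints and checks HS256 tokens; revoked maps jti to exp so entries
// can be pruned once the token would have expired anyway.
type Issuer struct {
	secret  []byte
	now     func() time.Time // injectable clock for tests
	revoked sync.Map
}

func NewIssuer(secret []byte) *Issuer {
	return &Issuer{secret: secret, now: time.Now}
}

func (i *Issuer) sign(input string) []byte {
	m := hmac.New(sha256.New, i.secret)
	m.Write([]byte(input))
	return m.Sum(nil)
}

func (i *Issuer) Issue(subject string, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	payload, _ := json.Marshal(Claims{Subject: subject,
		ExpiresAt: i.now().Add(ttl).Unix(), TokenID: b64.EncodeToString(jti)})
	input := header + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(i.sign(input)), nil
}

// Verify checks header, signature, expiry and revocation, in that order;
// hmac.Equal compares in constant time.
func (i *Issuer) Verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	// Pinning the header rejects "none" or any other alg before the signature is looked at.
	if len(parts) != 3 || parts[0] != header {
		return Claims{}, errors.New("malformed token or unsupported alg")
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, i.sign(parts[0]+"."+parts[1])) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if i.now().Unix() >= c.ExpiresAt {
		return Claims{}, errors.New("token expired")
	}
	if _, revoked := i.revoked.Load(c.TokenID); revoked {
		return Claims{}, errors.New("token revoked")
	}
	return c, nil
}

// Revoke is the logout step: the token must still verify, then its jti is
// refused until the token would have expired anyway.
func (i *Issuer) Revoke(token string) error {
	c, err := i.Verify(token)
	if err != nil {
		return err
	}
	i.revoked.Store(c.TokenID, c.ExpiresAt)
	return nil
}

func main() {
	iss := NewIssuer([]byte("placeholder-use-the-generated-config-secret"))
	tok, _ := iss.Issue("opaque-user-id", time.Hour)
	_, err := iss.Verify(tok)
	fmt.Println("verify:", err, "logout:", iss.Revoke(tok))
}
```

A /auth/refresh handler would Verify the presented token, Revoke it and Issue a new one, so a captured token stays usable only until the legitimate client next refreshes.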
