passwall / passwall-server Goto Github PK
Passwall Server is the core backend infrastructure for the Passwall platform
Home Page: https://passwall.io
License: GNU Affero General Public License v3.0
We need to store JWTs to be able to disable stolen JWT tokens.
The Passwall Docker image should be built with a specific version tag, for example passwall/passwall-server:1.1.0, for backward compatibility.
The important part of this app is the ability to auto-fill user login forms on websites. We need this Chrome extension.
Export logins is missing in the frontend.
Users should be able to deploy on Heroku easily.
Users should be warned when using the same password on login create or update.
We have an import function. However, we don't check the uploaded file. This is the most vulnerable point we have. We can check the file extension and content type. Do you have any idea for hardening?
Can anyone work on this?
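One way to harden the import check asked about above, as an added example that is not passwall-server's own code (validateCSVUpload and maxUpload are assumptions): the client-sent Content-Type header is attacker-controlled, so the bytes are sniffed instead, and the extension, size, column count and header row are all checked against the CSV layout the export issue on this page describes.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"errors"
	"fmt"
	"io"
	"net/http"
	"path/filepath"
	"strings"
)

const maxUpload = 1 << 20 // 1 MiB cap; a login export is tiny, so anything bigger is suspect

// validateCSVUpload (hypothetical) trusts neither the file name nor the client's
// Content-Type: it sniffs the bytes and parses every row before anything is imported.
func validateCSVUpload(filename string, body io.Reader) ([][]string, error) {
	if !strings.EqualFold(filepath.Ext(filename), ".csv") {
		return nil, errors.New("only .csv uploads are accepted")
	}
	data, err := io.ReadAll(io.LimitReader(body, maxUpload+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxUpload {
		return nil, errors.New("upload exceeds size limit")
	}
	// DetectContentType looks at the bytes, so a renamed binary or HTML file is caught here.
	if ct := http.DetectContentType(data); !strings.HasPrefix(ct, "text/plain") {
		return nil, fmt.Errorf("unexpected content type %q", ct)
	}
	r := csv.NewReader(bytes.NewReader(data))
	r.FieldsPerRecord = 3 // exactly URL,Username,Password, as in the export format
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 || strings.Join(rows[0], ",") != "URL,Username,Password" {
		return nil, errors.New("missing or unexpected header row")
	}
	return rows[1:], nil
}
```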
login.Password is a string in the struct, but the encrypt func generates binary data to store in login.Password. If you use PostgreSQL (maybe MySQL too), it throws the "invalid byte sequence" error (here).
I think the login model needs gorm column type tags; PostgreSQL uses the bytea type for that.
When I started this project, it was just a weekend project. However, now I think it should have a future.
Today I searched the internet and found gpass.io, which is also a password manager. I think we had better find a new name.
Any suggestions?
For now, import only works for CSV files. It should support KDB and KDBX files too. While doing this, the import endpoint and functions should be separated from the logins API.
Hi,
I created an account on gpass.io to see how it is made.
I think it has some very nice features:
### Types
You can create types with predefined fields. This allows for multiple types of credentials.
### Folders
You can group credentials into folders.
### Tags
Very useful.
### Adding new fields for the same entry
On every credential you can have new fields, dynamically added.
If you consider adding this support, it should be structured from the beginning.
To make it easier to install passwall-api, a Homebrew installation as a service is needed.
Passwords need to be hidden in the table. There should be a show/hide button.
Now we have a strong backup system with rotation and timestamp-based filenames. However, we didn't update our restore system. I think there should be 2 steps on restore.
curl requests don't contain a Content-Type header; it did not work on my first attempts.
current version
curl --location --request POST 'http://localhost:3625/auth/signin' \
--data-raw '{
"Username":"passwall",
"Password":"password"
}'
working version with curl
curl --location --request POST 'http://localhost:3625/auth/signin' \
--header 'Content-Type: application/json' \
--data-raw '{
"Username":"passwall",
"Password":"password"
}'
Can you share Postman request files to import for local development?
Users should be able to pull from Docker easily.
If the PUT/POST body is like this when we create/update a login:
{
"URL":"notwebsite.com",
"Username": "[email protected]",
"Password": "notpassword"
}
it responds like this:
{
"ID": 2,
"URL": "",
"Username": "[email protected]",
"Password": "notpassword"
}
Can you fix it?
All requests must be checked and cleaned by a middleware. Maybe gin-contrib's secure middleware is suitable for this job.
Can someone capture a video which explains the import feature?
Search login is missing in the frontend.
We have endpoints using a return struct login.LoginResponse. However, we will have more models in the future, like Categories, and shouldn't use login's response struct. Also, this response isn't about the login package; it is about the whole project's behaviour.
We should change the LoginResponse name to a generic name (maybe just Response) and move it outside and above the login package.
Does anyone want to work on this?
Users should be able to export all logins as a CSV file.
Endpoint: /logins/export
Method: POST
Example csv file:
URL,Username,Password
http://dummy.com,dummyuser,dummypassword
http://dummyweb.com,dummyuser2,dummypassword2
In the main_test.go file, there are some tests. However, those tests should be written with an SQL mock using the Gorm DB model.
For now, the backup path is ./store/passwall.bak. However, this is hard-coded in the project. This declaration should be moved to the config file and to the default env variables.
https://goreportcard.com/report/github.com/pass-wall/passwall-server
I have a fix for this. Need collaborator permission to submit a pull request.
Update login is missing in the frontend.
We took step 1 for basic backup. Now we should take step 2.
Well in this step;
If anyone wants to work on this, I can assign the issue.
It could be a best practice to use auto-generated issue templates for creating issues, as described over here.
Of course, it does not mean that it prevents opening a blank issue; however, when the templates are available, everyone can easily understand the bug or proposed feature, and taking care of any issue might be flawless.
Import logins is missing in the frontend.
If @yakuter has any time, could you move to a GitHub project to manage issues?
It would be nice if there were a docker-compose.yml to start gpass with a single one-line command.
Delete login is missing in the frontend.
The JWT secret key is the same in all new installations. It is set both in code and in the config-sample.yml file. The problem is that this secret key must be unique and generated dynamically. The way to do that is to generate the config.yml file dynamically.
When the program starts, before reading and setting the config, we must check if the config file exists.
If it does not, we must create one.
We already have our default values and a struct (Configuration).
So we can easily create a yaml file with yaml.Marshal().
While setting the values we should change the secret (and maybe the passphrase).
This is the solution in my mind. What do you think?
It would be nice to integrate the Goreleaser process into the CI/CD step to have an automated release action on a tagged commit.
Proposal
With the integration of GitHub Actions (or Travis CI, it does not matter very much) + Goreleaser, the process of releasing a new version would be much more convenient.
Having Goreleaser in your pocket means that uploading the necessary binary to Homebrew (or another package manager) will be much easier than anticipated. It seems the Homebrew issue #30 has been assigned to @patyogesh; however, with this approach it is possible to shoot two birds (tasks) with one stone :)
@patyogesh, would you like to comment on it? I have no clue about the process of your development at the moment; however, if you think or might think the same way, we can figure out something in common. Otherwise, this issue can also close #30.
Any suggestion, comment, or improvement related to this issue is very welcome!
Hey there!
First of all, congrats on the project. Even though this is a security-focused project, I've had some issues with the codebase which I couldn't just do nothing about. So, sorry about that :)
This seems to be a serious problem, since any person who has access to the login page can brute force passwords.
In order to invalidate existing sessions in the case that an environment is hijacked, there has to be a token invalidation process in the passwall server.
Think of such a scenario: an attacker listened to local network traffic, saw a request with a JWT token and grabbed the token. Magically, on the backend we invalidated the JWT token, but since the JWT token includes the user's username, now the attacker knows the username and can perform a brute force attack with the username.
The password is sent to the backend over the HTTP layer. If no SSL is set up (in the local setup case), the password is sent without any encryption. This is open to MITM attacks.
The AES passphrase is either a static text or obtained at runtime. Any attacker who has access to the environment objects can automatically decrypt all of your passwords.
Referencing from: https://github.com/pass-wall/passwall-web/blob/master/pages/index.js#L37
await fetch('/logins/', { method: 'POST', body: JSON.stringify(values) })
This is wrong in so many ways. The password shouldn't be sent to the server in plain text.
Title says it all.
Hope this feedback helps!
Gin is really limiting us. We are moving to native net/http and the mux router. We are going to use these tools:
net/http
mux router
jwt-go with HMAC signing (https://github.com/dgrijalva/jwt-go)
Negroni for middlewares
I started working on this. It will be finished in 1 or 2 days.
Your JSON responses have different keys. For example, when we post a generate-password request it returns:
{
"Status": "Success",
"Message": "E$X+oVdgfBF=Whzm"
}
or
{
"code": 401,
"message": "Token is expired"
}
So you create two different keys, Message and message. Please, can you review your code and standardize your keys? It's hard to parse the JSON data.
The API needs a backup plan. Any ideas? The SQLite file can be stored anywhere (iCloud, a Google folder, etc.), but what about Postgres and MySQL databases? I think there can be a cron job which takes a backup of the database tables.
main.go is too big for now. We need to move all the router directives to /api/router.go.
Well, I removed all the Gin framework code from the codebase in the nongin branch. Now we need to add JWT authentication.
The stack I want to use:
net/http
mux router
negroni middleware
jwt-go (https://github.com/dgrijalva/jwt-go)
In this issue we need 3 endpoints:
/auth/signin
/auth/refresh
/auth/logout
The HS256 signing method of jwt-go must be used. There is an example here:
https://godoc.org/github.com/dgrijalva/jwt-go#example-New--Hmac
I know this is a big job, but does anyone want to work on this?
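The HS256 signing and checking this issue asks for, as an added example that is not passwall-server's own code: it uses only the standard library instead of jwt-go, and the claim names and the revoked map are assumptions. It goes a step beyond the issue by also covering the earlier request to store issued JWTs so stolen ones can be disabled: logout adds the token to a deny list that verify consults, and the header is compared verbatim so only HS256 is ever accepted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims kept minimal: whatever is in here (the username) is what a token thief learns.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
var enc = base64.RawURLEncoding
var header = enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
var revoked = map[string]bool{} // constructed in-memory deny list of issued tokens; persist it in a real server
func hs256(secret []byte, input string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// sign builds header.payload.signature with HMAC-SHA256 over the first two parts.
func sign(secret []byte, c claims) string {
	payload, _ := json.Marshal(c) // a struct of one string and one int always marshals
	input := header + "." + enc.EncodeToString(payload)
	return input + "." + enc.EncodeToString(hs256(secret, input))
}
// verify pins alg to HS256 (header compared verbatim), checks the MAC in constant time, then exp and the deny list.
func verify(secret []byte, token string, now int64) (*claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != header {
		return nil, errors.New("malformed token or unexpected alg")
	}
	sig, err := enc.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, hs256(secret, p[0]+"."+p[1])) {
		return nil, errors.New("bad signature")
	}
	var c claims
	raw, _ := enc.DecodeString(p[1]) // the MAC already bound p[1], so it is our own payload
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if now >= c.Exp || revoked[token] {
		return nil, errors.New("token is expired or revoked")
	}
	return &c, nil
}
```

A /auth/logout handler would do `revoked[token] = true` for the presented token; the deny list only needs to hold entries until their exp passes.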