Add option to Chrome extension to disable autofill for basic auth

Hi, I need an option to disable the autofill feature in the Chrome extension for basic auth.

I’m a dev and I build/manage multiple websites for my clients, most of them hosted on my own server. Due to annoying bots, and despite having other protection mechanisms, the #1 resource-saving mechanism to stop common attacks on login pages is the all-time classic basic auth.

Since it’s just the first protection layer, a common protection layer across all my websites, I only need a single user/pass to cover all of them. The real websites’ admin credentials are unique, of course, and I have a different one for each of them.

So, for every website, I have 2 credentials: basic auth and user auth. In my BW vault, I have my basic auth credentials without a domain (because it applies to all my websites), and my user credentials (one per domain).

When I open, let’s say, mywebsite.com/admin, in my BW extension there’s only one credential matching that website, so it’s automatically sent. What happens next is that the webserver responds with a 401 page or, sometimes, it stays loading forever and eventually crashes due to a connection timeout. Here’s a video with a demo: HTTP Basic authentication is being sent wrong by default · Issue #11250 · bitwarden/clients · GitHub

It’s not the same, but this FR is also asking for an option like the one I need: Improve basic auth in browser extension - #3 by grb. Maybe add that checkbox, disabled by default, or allow disabling this autofill feature just for basic auth in settings.

My current (and horrible) workaround is adding the basic auth credentials inline, like https://user:pass@domain.com/admin, and when the page is loaded I have to reload it without that credentials part for BW to identify the website. It’s tedious and I forget to do it most of the time, so I usually get stuck with a forever-loading request or the 401, depending on my webserver’s mood; in any case I end up restarting my browser, trying again in a private session, or opening another browser. It’s a nightmare!

Could you please please please add this option? Thank you very much.

@lucianofantuzzi Welcome to the forum!

Could you please explain what you mean when you say that you are having difficulties getting Bitwarden “to identify the website” after a successful Basic Auth login using the above method?

As you can see from the number 1 that is shown on the Bitwarden extension icon in the screenshot below, Bitwarden is recognizing the website as a match for autofilling:

Do you not see such a 1 counter on your Bitwarden icon?

Thank you for taking the time to read this. It’s not an issue identifying the website. It’s just that the extension is assuming that the matching credential is for basic auth (wrong: it’s for the website login, not for Apache’s basic auth login), so it’s autofilling it wrongly. So I never get the opportunity to fill the basic auth popup with the right credentials, and instead I get a 401 page, making it impossible to log in. There’s a demo video about this in the link I shared from GitHub. It’s something that needs to be fixed, just by allowing the user to choose whether the password in the BW vault is for basic auth, or just by allowing me to disable autofilling for basic auth.

Just in case, specifically answering your question: some BW match detection rules don’t work when the URL contains user:pass@domain.com, so after using this hack to force my way past basic auth, I need to manually reload the page removing this part of the string: user:pass@domain.com => domain.com, so BW is again able to match the URL and filter the login credentials for the website.

This is the part that I don’t fully understand. What URI Match Detection setting do you have for this account? If it is set to “Base Domain”, it should work.

Alternatively, if you need a more complex URI Match Detection rule for the back-end login, you should be able to set up your login items using the following approach (in which the user:pass@domain.com URI is the first URI, with match detection set to “Never”):

I have complex rules for some websites, with regex like this:

Anyway, this is not the issue, nor something relevant to me; it’s a consequence of dealing with the real problem through a workaround. If they add the option to stop autofilling basic auth, I won’t need to add inline credentials in the URL and this won’t be an issue anymore.