Catch and prompt user of potential duplicate passwords on import

Feature name:

  • import_warden

Feature Description

  • The intent of this feature is to prompt the user of imported password entries that overlap with current passwords.
  • The goal is to compare imported password files against current password entries, and prompt the user when there are import passwords that have the same domain and username as existing passwords.
  • The plan of attack is to add to or supplement the current import API to load existing passwords as an object, load import passwords as an object, compare the two objects, and prepare a new object containing duplicates. This duplicate object can then be rendered in the UI to let a user view the duplicates. User will then decide and command which of the current vs imported passwords to keep, or to keep both.

Clients / Repos Affected:

  • Web

Timeline to completion (estimate): unknown

ETA: Q2/2021

1 Like

Hi all,

This topic is for discussion of this feature, refining of the things to add, and the plan of attack.

I am a noob to C#, but I’ve worked with python, bash, and html/css/javascript enough to be open to trying. My goal is to treat this as a project for learning, which unfortunately means it might take longer than someone well versed in C# and the bitwarden application. I like bitwarden, so I see this as a way of giving back. If it is inappropriate to work on this feature for these reasons, please let me know.

Best,
SnailsToGo

@SnailsToGo, this looks promising so I would say go for it. As far as anything to add, you may want to start with simple wire-frames and a flow, from the front-backwards as far as design. This would have to be completely done client-side as you can’t compare encrypted blobs against each other on the server-side of things, so there would be zero C# to write, only TypeScript (Angular), HTML and SCSS (we’re using Bootstrap). There would be impacts/changes to jslib and web for this, but everything else server-side should flow through normally for the import itself… I would see this as an intermediary step to saving the imported items. Once you have some wire-frames as a lightweight PoC I’m sure you’ll be able to get more community feedback.

Thank you for the contribution!

Hi @cscharf,

Glad to hear this should be client side! Thanks for the recommendations, and I’ll start putting this together.

Hi all,

How to I log into the web app in a development environment? I’m having a hard time making an account, so if there is a test or admin account for development can someone share that that is?

So you do need to register a new account. It would depend on the error/issue you’re having attempting to register that new account. If you’re developing completely local (everything points to your local API, Identity service, etc.) there are plenty of things that can go wrong, however if you’re running against our production cloud services it gets much easier, but in order to do that you must change some code locally (but not commit it):

src/app/services/services.module.ts Line 152 to 158, you simply comment out the localhost URLs and uncomment the production URLs; there’re some comments in there that also explain this. Hopefully that helps. You can use your own existing cloud account at that point, OR (my suggestion) create a new free account to play around with so you don’t hose your own passwords, which would suck.

Awesome that helps, thanks!

Last thing on this (for now I hope): I’m having a CORS policy issue.
Console.log:Access to fetch at ‘https://api.bitwarden.com/accounts/prelogin’ from origin ‘https://localhost:8080’ has been blocked by CORS policy: Request header field device-type is not allowed by Access-Control-Allow-Headers in preflight response.

I installed a CORS changer, and when I turn it on I get this console:
polyfills.74930badf6b0c1500779.js:20628 POST https://api.bitwarden.com/accounts/prelogin net::ERR_FAILED

I’ve used a CORS changer before, and I forgot what all was needed. Should I be trying to change my CORS to appear as https://vault.bitwarden.com?

Any thoughts or resources are much appreciated!

So, to be honest I’ve not actually tried using the web vault locally against prod, but the CORS issues make sense… hmm :thinking:, what you could try to reduce complexity with manipulating the CORS headers, etc. is to simply add the following to your hosts file and debugging that way… you’ll get a certificate error in the browser which I’m hoping can just be circumvented/ignored (depending on the browser):

# Comment out the line below after done debugging
127.0.0.1    api.bitwarden.com     identity.bitwarden.com

Unfortunately that didn’t help much. Here’s my log on login:
zone.js:1118 POST https://api.bitwarden.com/accounts/prelogin net::ERR_CONNECTION_REFUSED

No login, it seems like I’m still refused based on CORS. I even changed my hosts file with all combinations of the following lines:
127.0.0.1 api.bitwarden.com identity.bitwarden.com
127.0.0.1 api.bitwarden.com
127.0.0.1 identity.bitwarden.com
127.0.0.1 events.bitwarden.com

Last idea: is there a place where I can set the login request mode to ‘no-cors’? If not, it seems like self hosting for development is the best approach.

For self hosting, is it necessary that I request self hosting? When I try to run the containers with bitwarden.ps1, it calls a docker compose file that doesn’t exist on my machine. Is the docker compose file only given to users after they request to self host?

I’m trying to start the server from the repo for now, and I’m unsure if I should ‘deploy’ or just ‘Build/Run’.

I did start the api/identity (and events) as per the repo, and I changed my services.modules.ts to have urls for the localhost paths included by default. The following urls that are given to check if the services are running cannot connect for me right now:
http://localhost:5000/alive
http://localhost:33657/.well-known/openid-configuration

Is there something I’m missing? Also should I be seeing docker containers running from the dotnet run commands? I see no containers running with docker ps.

All of your help is appreciated!

I found an issue and followed what was reported. The change of what I was running
npm run build:watch

To
npm run build:prod:watch

And change of the cors changer to this one from the one I first used. Fixed it. I can now use the production API for my local front end. Any issues with using this CORS changer? I believe it changes the response header to include
Access-Control-Allow-Origin: *

For now, this seems to get the job done. If CORS changing is not appropriate, please let me know.

That should be fine for local development @SnailsToGo; I’m glad you got something working there. As far as dotnet run that will run the API/Identity locally in that console process using the Kestrel web server, so there’s no docker container. The port number for that service should be shown in the console itself which may need adjustment in the web vault if it’s listening on a different port.

Got it, thanks!

How do I get permissions to push a branch to the repo? I’d like to push some README fixes, since I found scss needs node version v8.11-v13.9.0 (no higher), and I’d like to add instructions for running the vault against production. I already signed the CLA assistant agreement listed in CONTRIBUTING, is there anything else I need to do?

My github is https://github.com/jdmccauley

The process would be to fork our repo, create your branch, and then open a PR back into our repo’s master branch. You won’t have permissions to branch directly in the Bitwarden repos so you’ll have to fork your own copy of it to contribute. Looking forward to seeing the changes/updates!

@cscharf

Hi Chad,

I am struggling to understand and plan how to work on this contribution given the time I have available. I naively miscalculated how much I could do without spending significant time formally learning Angular and understanding the application as a whole. Unless I can work alongside someone more experienced, I’m not seeing how I can finish this contribution by Q2 2021. Does/can someone else take this up? I appreciate all the help you’ve given, and I thank you for letting a noob take a crack at this.

Best,
SnailsToGo

1 Like

Hi SnailsToGo, no worries, sometimes there can be a bit of a barrier to entry on a complex application such as this. We still have this in our product backlog, but simply not prioritized at the moment. The team and I are always here to try to help answer questions on code or direction when we can, as well as the community at large if or when they come up, but we still have somewhat limited capacity. Hopefully someone else in the community is willing to take this up.

2 Likes

Hi @cscharf,

Thank you for your understanding. Best of luck, I hope someone takes this up and does well!

Cheers,
SnailsToGo