Locally storing tokens

Hello! I’m a developer thats really interested in how Bitwarden encryption and data storage works, and as I was examining the client code for the Windows password manager on GitHub, I came across a function which pulled the access token from the disk:

const refreshToken = await this.tokenService.getRefreshToken();

As I dug deeper in the code, I noticed that this function tries to get the access tokens by checking the memory, then disk, and lastly secure storage if all fails.

const refreshTokenDisk = await this.getStateValueByUserIdAndKeyDef(userId, REFRESH_TOKEN_DISK);

This got me wondering, where does Bitwarden store tokens locally? How can I locate the path where Bitwarden stores these to get the vault files?

In short, what is the local Windows path to TOKEN_DISK?

@joemartin Welcome to the forum!

I have no answer to your question, but perhaps someone with the requisite knowledge (@mgibson, @Quexten) will see your post.

Thanks for the ping @grb . Preface this with the note that there are changes planned in this area, to address concerns with how unsandboxed OS APIs on Windows & Linux handle “secure storage”, so this comment might be invalid in a few months, and I mostly am familiar with the secure storage part, not the disk fallback.

For the disk storage, the “electron-store” npm package is used, which stores at “app.getpath(‘userData’)” (varies by os, on Mac f.e this is ~/Library/Application Support/Bitwarden/data.json, on unsandboxed linux this is .config/Bitwarden/data.json. I don’t have a Windows device to test, but I would assume it is in %APPDATA%.

I do wonder though if the order is right. Is secure storage really less preferred compared to disk storage? (I did not investigate this, but it seems weird).

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.