Locally storing tokens

Hello! I’m a developer that's really interested in how Bitwarden encryption and data storage works, and as I was examining the client code for the Windows password manager on GitHub, I came across a function which pulled the access token from the disk:

const refreshToken = await this.tokenService.getRefreshToken();

As I dug deeper in the code, I noticed that this function tries to get the access tokens by checking the memory, then disk, and lastly secure storage if all fails.

const refreshTokenDisk = await this.getStateValueByUserIdAndKeyDef(userId, REFRESH_TOKEN_DISK);

This got me wondering, where does Bitwarden store tokens locally? How can I locate the path where Bitwarden stores these to get the vault files?

In short, what is the local Windows path to TOKEN_DISK?

@joemartin Welcome to the forum!

I have no answer to your question, but perhaps someone with the requisite knowledge (@mgibson, @Quexten) will see your post. :eyes:

Thanks for the ping @grb. Preface this with the note that there are changes planned in this area, to address concerns with how unsandboxed OS APIs on Windows & Linux handle “secure storage”, so this comment might be invalid in a few months, and I mostly am familiar with the secure storage part, not the disk fallback.

For the disk storage, the “electron-store” npm package is used, which stores at “app.getPath('userData')” (varies by OS; on Mac, for example, this is ~/Library/Application Support/Bitwarden/data.json, on unsandboxed Linux this is .config/Bitwarden/data.json). I don’t have a Windows device to test, but I would assume it is in %APPDATA%.

I do wonder though if the order is right. Is secure storage really less preferred compared to disk storage? (I did not investigate this, but it seems weird).
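
Added example, not part of the thread and not Bitwarden's code: a small self-audit that derives the unsandboxed data.json location from Electron's documented userData defaults and reports which token-named keys sit in that file as plaintext strings, without ever returning their values. The function names, the key names in the sample and the "name contains token" heuristic are assumptions; the Windows path follows the unverified %APPDATA% guess from the last post, and sandboxed installs are not covered.

```javascript
// Electron's documented default: userData = appData directory + app name.
function userDataFile(platform, env, home, appName = "Bitwarden") {
  if (platform === "win32") {
    // Assumption taken from the thread: %APPDATA% (not confirmed there).
    return [env.APPDATA, appName, "data.json"].join("\\");
  }
  const appData = platform === "darwin"
    ? `${home}/Library/Application Support`
    : env.XDG_CONFIG_HOME || `${home}/.config`;
  return [appData, appName, "data.json"].join("/");
}

// Walk parsed JSON and collect the paths of keys whose name mentions "token"
// and that hold a non-empty string. Only key paths are returned, never values.
function tokenKeyPaths(node, prefix = "") {
  if (node === null || typeof node !== "object") return [];
  const hits = [];
  for (const [key, value] of Object.entries(node)) {
    const here = prefix ? `${prefix}.${key}` : key;
    if (typeof value === "string") {
      if (/token/i.test(key) && value.length > 0) hits.push(here);
    } else {
      hits.push(...tokenKeyPaths(value, here));
    }
  }
  return hits;
}

// jsonText: contents of data.json; mode: st_mode from a stat of that file.
function auditStore(jsonText, mode) {
  return {
    tokenKeys: tokenKeyPaths(JSON.parse(jsonText)),
    // POSIX permission bits only; on Windows the file ACL has to be checked.
    othersCanAccess: (mode & 0o077) !== 0,
  };
}

// Constructed sample; the layout and key names are hypothetical.
const SAMPLE = JSON.stringify({
  user_00000000: {
    token: { refreshToken: "constructed-value", accessToken: "" },
    settings: { theme: "dark" },
  },
  global: { locale: "en" },
});
```

To run it against a real profile, pass `process.platform`, `process.env` and the home directory to `userDataFile`, then feed the file's text and `fs.statSync(path).mode` to `auditStore`.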