Would you consider adding the possibility to have per-domain or per-folder URI matching rules?
I am an IT guy and even if the default “Base Domain” matching rule works well for the public Internet, all those intranet networks definitely need the “Host” matching criteria. Examples are:
wifi.corporate.local
intranet.corporate.local
firewall.corporate.local
My only solution so far has been to group the entries of the private domains in separate folders and use some cli-fu with the bw binary to batch update the entries.
Also, when quickly saving new credentials for such domains, they are obviously added using the default matching criteria so I need to run those scripts on a regular basis.
A domain-based option or a folder-based option (with inheritance) would work for me.
While waiting for this feature, I have written the following bash script that uses the “bw” Linux binary as well as “jq” to mass update the matching method in my vault.
It creates a regular expression that contains all the internal domains (listed at the top of the script) and then logs into BitWarden to extract a list of entry IDs that need an update. Finally the matching method is updated on those entries.
```bash
#!/bin/bash

# list of domains that require host-level matching for URIs
domains=(
    "internal1.local"
    "domain2.int"
    "customer3.corp"
)

# bitwarden username
bwuser="[email protected]"

# bitwarden executable name
bw_bin="bw"
if [[ ! -x $(command -v "$bw_bin") ]]; then
    echo "BitWarden executable not found: $bw_bin"
    exit 1
fi

# jq executable name
jq_bin="jq"
if [[ ! -x $(command -v "$jq_bin") ]]; then
    echo "jq executable not found: $jq_bin"
    exit 1
fi

# build jq regexp (all domains joined with "|")
domregexp=$(IFS="|" ; echo "${domains[*]}")

# login to bitwarden and keep the session key
echo "* Logging into BitWarden"
bwsession=$("$bw_bin" --raw login "$bwuser")
if [[ -z "$bwsession" ]]; then
    echo "* Login failed"
    exit 1
fi

# sync vault
#echo "* Syncing vault"
#"$bw_bin" --session "$bwsession" sync

# extract list of ids that need update:
# login items (type 1) with a URI matching one of the domains
# and with at least one URI whose match method is not Host (1)
echo "* Extracting list of items that require URI match update"
readarray -t array1 < <("$bw_bin" --session "$bwsession" list items | \
    "$jq_bin" --arg DOMEXP "$domregexp" -r \
        '.[] |
        select(.type == 1) |
        select((.login.uris | length) > 0) |
        select(any(.login.uris[]; .uri | test($DOMEXP))) |
        select(any(.login.uris[]; .match != 1)) |
        [.id, .name] |
        @tsv'
)

if [[ ${#array1[@]} -eq 0 ]]; then
    echo "* nothing to do"
else
    count=${#array1[@]}
    echo "* Number of items found: $count"
    for index in "${!array1[@]}"; do
        # each line is "id<TAB>name"
        IFS=$'\t' read -r id name <<< "${array1[$index]}"
        echo "* ($((index + 1))/$count) updating $id ($name)"
        # set every URI of the item to Host matching and write it back
        "$bw_bin" --session "$bwsession" get item "$id" | \
            "$jq_bin" '.login.uris[].match = 1' | \
            "$bw_bin" --session "$bwsession" encode | \
            "$bw_bin" --quiet --session "$bwsession" edit item "$id"
    done
fi

# logout from bitwarden
echo "* Logging out of BitWarden"
"$bw_bin" --session "$bwsession" logout
```
I have found one small bug which is that it would also match entries with URLs containing the internal domains as part of the path/arguments and not only as the actual domain name. For instance, if I want to update the matching method for “internal.local” entries, the script would update this entry:
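Added example, not part of the original post or its script: one way to avoid the over-matching described above is to compare each URI's host, rather than the whole URI string, against the domain list. The function names `select_items` and `set_host_match`, the domains and the sample JSON are constructed for illustration; it assumes jq 1.5 or later and that `1` means Host, as in the script above.

```shell
#!/bin/bash
# Added example, not the poster's script; the domains and JSON are constructed.

# jq helpers: extract the host from a URI, then compare the host (not the whole
# URI) with each domain. No regex is built from the domain names, so their dots
# are never treated as wildcards.
jq_defs='
def host: (. // "") | ascii_downcase
  | capture("^(?:[a-z][a-z0-9+.-]*://)?(?:[^/?#@]*@)?(?<h>[^/?#:]*)").h;
def internal($doms): host as $h
  | any($doms[]; . as $d | $h == $d or ($h | endswith("." + $d)));
'

# stdin: JSON array as printed by `bw list items`; args: internal domains.
# Prints "id<TAB>name" for logins with an internal URI not yet set to Host (1).
select_items() {
    jq -r --arg DOMS "$*" "$jq_defs"'
      ($DOMS | split(" ")) as $doms
      | .[] | select(.type == 1)
      | select(any(.login.uris[]?; (.uri | internal($doms)) and .match != 1))
      | [.id, .name] | @tsv'
}

# stdin: one item as printed by `bw get item`; sets Host on internal URIs only.
set_host_match() {
    jq -c --arg DOMS "$*" "$jq_defs"'
      ($DOMS | split(" ")) as $doms
      | (.login.uris[] | select(.uri | internal($doms)) | .match) = 1'
}

# Constructed sample vault: only "a1" should be selected.
sample_items='[
 {"id":"a1","type":1,"name":"Wiki","login":{"uris":[
   {"uri":"https://wiki.internal.local:8443/start","match":null}]}},
 {"id":"b2","type":1,"name":"SSO portal","login":{"uris":[
   {"uri":"https://www.example.com/sso?next=https://internal.local/","match":null}]}},
 {"id":"c3","type":1,"name":"Lookalike","login":{"uris":[
   {"uri":"https://internal.local@notinternal.local/","match":null}]}},
 {"id":"d4","type":1,"name":"Firewall","login":{"uris":[
   {"uri":"https://fw.internal.local/","match":1}]}}
]'

printf '%s' "$sample_items" | select_items internal.local customer3.corp
```

Items "b2" and "c3" carry the internal domain only in the query string or the userinfo part, so they are left alone; a regex tested against the full URI would have switched them too.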
I wish this idea had more traction, this is a common annoyance of mine and I think it would be a huge value-add QoL improvement, especially for corporate/enterprise users.
I have edited the title of your post to add the word “Default” at the start, which should make the topic less confusing.
Using “Host” as your Default URI domain matching method will require a match to both subdomain and port (if present in the specified URL). In case you’ve missed it, you can set the default method by going to Settings > Auto-fill.
Usually, I think the way to go for match detection is base domain matching (where subdomain1.domain.com = subdomain2.domain.com). I think the default match detection is this for new Bitwarden users, and that’s perfect.
But there are some specific domains where base domain matching doesn’t make sense, which is for example the case for auth0.com. This is one of many services that provides authentication services to other websites. For example, they have:
Hence my suggestion: would it be possible to, in addition to the default match detection, also be able to choose a default match detection for specific domains (like auth0.com)?
That way, new auth0.com hosts would be detected correctly, and users wouldn’t have to see a list of matching hosts that are actually completely irrelevant and might prevent autofill from autofilling the right item.
You could even keep a list of common domains that have this property of hosting login forms for several other websites, and update this list at each app update. That way, even non-technical users could enjoy the added ease of use.
In the browser extension, open the login item for editing, then click on the icon to the right of the URI. This will toggle the display of a dropdown selection menu for the URI match detection rule to use with that URI. Change the selection from “Default match detection” to “Host”, and then click “Save” to save your changes.
What you describe lets us set the match detection for specific URIs. What I’m talking about is the item “Default URI match detection” setting under “Auto-fill” in the settings. I’d like it if below that there was the possibility to create a list of base domains (including for example auth0.com), with a different “Default URI match detection” (for auth0.com it would be host matching). It could be called something like “Domain-specific default URI match detection rules” and could open another screen listing all registered hosts.
Doing that, plus potentially prefilling the list with known domains that have this particularity, lets users not have to worry about thinking to change the match detection every time they encounter a subdomain of auth0.com.
I admit this might sound like a gadget-like feature without prefilling the list, but if you do maintain a list of such domains and prefill it, that basically means users will have better match detection and better auto-fill even if they are not familiar with the difference between a host and a base domain and don’t bother changing these settings. This could really simplify things for people who often use two distinct auth0.com hosts to connect to different service providers (e.g. Mozilla and Stability AI), because Bitwarden would stop confusing the two all the time.
I think what @Maxime might be talking about is something like LastPass’ URL Rules feature, where within settings, you can add some specific rules per domain (like “Never save for this site”).
Here is their example: Manage URL Rules in Account Settings
And a quick Medium article about it: LastPass URL Rules
I ditched them a while ago, went elsewhere and today switched to Bitwarden and sadly, this is the one thing I miss about LastPass (although I’m not going back! Don’t worry about that!!!)
With decently managed folders, being able to set certain defaults “per folder” would be ideal. I have a number of self hosted services and test environments that I keep all passwords organised in folders.
What I found even worse is that you can’t set it on a per ‘Login’ basis either.
Example for 1 service I run, I have it at:
app1.mydomain.com - For external
app1.mylan.lan - With local DNS for easy access
192.168.0.1:30000 - Direct http port access
192.168.0.1:30001 - Direct https port access
Each one has to be changed to “host” manually.
Some sort of folder level management would be amazing. It could be an “Override” style setting, where whatever the folder rules are, they overrule the individual. Or it could just be a 1 time “set” of the settings and then a case of manually amending anything that you didn’t want and resetting it when you have added more items.
Another feature I miss is the ability to basically “Exclude” a folder from being used in Autofill. Great for when you have multiple logins for sites that might be old and can sit in an Archive folder.
[EDIT] Just discovered you can set a URI match to “Never” which would be perfect for my Archived accounts. Again, being able to do so by folder would be lovely.
I would also like this feature. My use case is exactly like the one described by @flashpaz
My company has so many intranet sites that any new logins for server1.company.net are auto-suggested for every *.company.net site, and it messes up the auto-fill hot-key and makes it useless 50% of the time. There is also a third-party company that we are partnered with, but they use a single login for all their services, so I have the same credentials for service1.third-party.com and service2.third-party.com, so setting “Host” match detection as the default would break auto-complete for all the third-party.com sites, and I would have to set all of them to “Base Domain” manually.
Please allow me to set the default match detection for any company.net site to “Host”. The “pre-populated list” suggestion by @Maxime is a good one as well.
p.s. I know I can change the match detection on a per-login basis, and I know I can change the “global” default match detection.