Update dashlane-vault extension#11326
Update dashlane-vault extension#11326neo773 wants to merge 5 commits intoraycast:mainfrom neo773:ext/dashlane-vault
Conversation
- feat: touchid authentication - Initial commit
|
Thank you for your contribution! 🎉 🔔 @tmwrnr you might want to have a look. |
|
(Dashlane developer here): I'm not a huge fan of Raycast managing secrets like the master password, I would rather implement this in the Dashlane CLI. |
|
@Mikescops can be recompiled by running npm run build-swift |
Thanks I figured out after a second read. It's an interesting approach, I'm wondering if I can build this in the CLI directly. |
| import Foundation | ||
| import LocalAuthentication | ||
|
|
||
| let policy = LAPolicy.deviceOwnerAuthenticationWithBiometrics |
There was a problem hiding this comment.
This policy here is insufficient, it can be bypassed, you should rather use kSecAttrAccessControl.
I recommend you to have a read to this post: https://www.andyibanez.com/posts/ios-keychain-touch-id-face-id/
There was a problem hiding this comment.
I looked into this but couldn't get it working as kSecAttrAccessControl requires "Keychain Access Groups" entitlement which is not supported by CLI Apps and also requires code signing. Workaround seems to be using a separate daemon for this.
Given the scope it would make more for Dashlane to integrate this natively in a secure manner, I expect this to take quite some time assuming your team approves this feature.
However in the meantime we could still merge this since something is better than simply leaving the vault open at all times which is a huge security hazard.
cc
@tmwrnr
tmwrnr
left a comment
There was a problem hiding this comment.
Hi @neo773,
thanks for opening this pull request and contribute to this extension. I like the idea that you don't need to save the master password by the Dashlane CLI! When I created the extension I was unsure how to achieve this.
I don't know enough about Swift to really review this part of the code. Maybe someone from Raycast can do this?
I could not really test this new feature because it did not work on my machine as mentioned in one of my comments. Regardless of the implementation, I do have a general question about your approach. As of my understanding Raycast is not allowing extensions accessing the keychain as mentioned here. Maybe someone from Raycast can confirm this?
Furthermore I, as an user, don't like the idea to insert my password to a Raycast extension even if I know, that the extension itself handles the keychain access. It just does not feel right for me. If a user has concerns with using the Dashlane CLI with the master password saved, maybe the CLI can implement the biometrics itself? I assume Dashlane is also just saving the password within keychain @Mikescops?
Maybe we could prompt the password every time the user want to access the vault?
Again, thank you very much for your time implementing this and I'm curious to see where this will lead to.
| const masterPassword = preferences.useTouchID ? await getMasterPassword() : null; | ||
|
|
||
| throw Error("Dashlane CLI is not found!"); | ||
| const { stdout, stderr } = await execa(CLI_PATH, args, { |
There was a problem hiding this comment.
This is not working on my machine. The promise never resolves. I updated the Dashlane CLI and set my master password. The Search Passwords command just shows me the loading state.
There was a problem hiding this comment.
Apparently my upstream commit for dashlane cli did not work, will look into this.
|
|
||
| const executeCommand = async (args: string[]) => { | ||
| const command = join(environment.assetsPath, "auth"); | ||
| await chmod(command, "755"); |
There was a problem hiding this comment.
Do we need to change this before every run or could this also be done once?
| const [keyName, setKeyName] = useState(""); | ||
| const [passwordExists, setPasswordExists] = useState(false); | ||
|
|
||
| const fetchKeyNameAndCheckPassword = async () => { |
There was a problem hiding this comment.
In this command the user wants to set his master password. Why do we need to fetch and insert the current password?
There was a problem hiding this comment.
It's mainly for UI purposes.
| setPasswordExists(true); | ||
| setPasswordInput(existingPassword); | ||
| } else { | ||
| const keyName = `dashlane-vault-master-password-${Math.random().toString(36).substring(2, 15)}`; |
There was a problem hiding this comment.
Is there the need of the random key name? I thought that the keychain has a "space" for each application. If so we just could use a static keyName.
|
Is this ready for a final review or does @tmwrnr and @Mikescops have any more comments? |
|
Hi @mil3na, there are still general questions that are not answered, mentioned in my comment. E.g.:
Could you or someone from Raycast do that?
What is your opinion about that?
What is the typical way of combining the ideas of an author and the contributors? Furthermore the dashlane CLI is not ready as mentioned here. So in my opinion this pull request is on hold even if everything else would be ready. |
This is fixed in the latest commit, I've tested it locally and it's working great Dashlane/dashlane-cli#229 |
For me this PR is a no go, the swift does not meet proper code quality standards and the security concerns raised in my first comments are not solved. |
Partly agree with this statement, you're basing it off from the blog post you mentioned and specifically this part Current implementation literally leaves the vault open, any program can call |
|
I understand the initial concern, and as I mentioned in my very first comment I'd rather have this implemented in the CLI itself rather than in a third party which won't solve what you previously mentioned about accessing the vault with a command line. |
|
Yes, I said the same thing before long term Dashlane should do this natively but short term this isn't so bad. |
@Mikescops It would be nice, if the CLI could handling this kind of stuff. In Raycast there are also extensions for Bitwarden and 1Password. Bitwarden works with a client ID and a client secret to access the vault, without knowing exactly the master password. 1Password is also using I think a secret which is I think just token.
@neo773 I don't want to include a refactoring and a new command for short term. Yes the current solution is not the best, but with the limitation of the CLI I think it's acceptable. If these constrains does not match your security standards, which is fine, than maybe wait to use the extension until the CLI is updated. Until a newer version of the CLI is released I could think of a prompt for the password every time you want to access the vault. The master password would only be saved in memory during runtime of the specific command. Would that be compromise? |
I've checked their code, the cID/secret grants access to the CLI. The CLI still handles the encryption of the vault. The vault can be open, similar to what we do, but can also be locked and then the Master Password will be requested and they will prompt this in Raycast. We have already started discussions internally on what we can do here, I'll keep you posted. |
|
@neo773 I added a couple of settings, more to be added in the next weeks: |
|
I was not convinced by the current nodejs implementations so I built my own native module for the macos keychain and biometrics. |
|
@neo773 You can start using https://github.com/Dashlane/dashlane-cli/releases/tag/v6.2415.0 and update this PR 🎉 |
|
Hi @neo773, the Dashlane CLI was updated again, because of an error where the complete output could not be read by nodejs. I opened a new pull request #11950 where I added the master password as an extension preference. With this you can already use the following configuration. I also refactored some code and added improved error handling. dcli c save-master-password falseThe CLI now supports biometrics so we don't have to implement this in the extension. If you still want to use biometrics to unlock the vault and want to contribute to this extension, I would suggest you to create a new branch after my pull request is merged. Thank you again for the pull requests, as this allowed the extension and CLI to be improved! I think we should close this pull request, what do you think? |
|
@tmwrnr |
Description
This PR adds support for authenticating the vault via Touch ID and not leaving it exposed.
Do not merge this before this PR
Screencast
My.Movie.1.mp4
Checklist
npm run buildand tested this distribution build in Raycastassetsfolder are used by the extension itselfREADMEare placed outside of themetadatafolder