Password Store: Support harvesting username via filename without decrypting #3293
Labels
feature
Feature requests.
Comments
|
I wrote an extension which extends the built-in pass interface with the above requested filename-based usernames capability. If the dev team likes my implementation, I'm all too happy to port my work into the official password-mode. With that being said... I'm not in any particular rush, so for now I'll just leave the extension code linked below so that it can get seen the next time this issue would normally come up for review: https://gist.github.com/chaorace/98417a693ca73c51a8688ac09e61d2b0 |
chaorace
added a commit
to chaorace/nyxt
that referenced
this issue
Jul 7, 2024
Fixes atlas-engineer#3293 The new filename-based username check is used as a fallback to the current key-based username behavior. Users who only want the filename-based behavior can disable scanning the credential for username keys via the new scan-for-username-entries slot. Disabling scanning for a key-based username is particularly useful in use-cases where credential files are encrypted and require touch verification to open.
5 tasks
chaorace
added a commit
to chaorace/nyxt
that referenced
this issue
Jul 9, 2024
Fixes atlas-engineer#3293 The new filename-based username check is used as a fallback to the current key-based username behavior. Users who only want the filename-based behavior can disable scanning the credential for username keys via the new scan-for-username-entries slot. Disabling scanning for a key-based username is particularly useful in use-cases where credential files are encrypted and require touch verification to open.
chaorace
added a commit
to chaorace/nyxt
that referenced
this issue
Jul 9, 2024
Fixes atlas-engineer#3293 The new filename-based username check is used as a fallback to the current key-based username behavior. Users who only want the filename-based behavior can disable scanning the credential for username keys via the new scan-for-username-entries slot. Disabling scanning for a key-based username is particularly useful in use-cases where credential files are encrypted and require touch verification to open.
chaorace
added a commit
to chaorace/nyxt
that referenced
this issue
Jul 9, 2024
Fixes atlas-engineer#3293 The new filename-based username check is used as a fallback to the current key-based username behavior. Users who only want the filename-based behavior can disable scanning the credential for username keys via the new scan-for-username-entries slot. Disabling scanning for a key-based username is particularly useful in use-cases where credential files are encrypted and require touch verification to open.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
Currently, the Nyxt password manager integration with
passwill query for a username by decrypting the secret file and searching for a key by one of the following names:login/user/username. This convention, however, is not the only one in common use.Many users (myself included) choose to instead use the convention of including the username as part of the secret's filename (e.g.: [email protected]) so that it may remain easily and automatically disambiguated with other credentials in the same domain (e.g.: Microsoft SSO).
For illustrative purposes, here's what a password store directory using this format might look like:
graph TD A["~/.password-store/"]-->B["example.com/"] A-->C["sso.example.net/"] B-->D["[email protected]"] C-->E["[email protected]"] C-->F["[email protected]"] A-->G["[email protected]"] class D,E,F,G secret classDef secret stroke:#333Because I follow the above convention rather than storing usernames as keys in the encrypted file body, my credential usernames cannot currently be retrieved by Nyxt when invoking
copy-username. I'd very much like it if Nyxt was made to support this convention on an optional basis so that I could take full advantage of its password management features without having to considerably rework my existing setup.Relevant prior art:
Describe the solution you'd like
When
copy-passwordis invoked with the password-store backend active, I would like the backend to first attempt extracting the username from the filename. Ideally, it should be able to automatically detect and extract the expected username from each of the following common well-known filename patterns (source)Describe alternatives you've considered
I've considered abandoning this scheme and moving the username into the content of the secret file. This is probably viable, but I'd very much rather not rewrite and reencrypt hundreds of secrets when my current & preferred format is quite standard and commonly supported elsewhere -- not to mention that reencrypting hundreds of keys would take me hours since I am using a strict mandatory-touch hardware-based encryption.
The text was updated successfully, but these errors were encountered: