vvondra / bitwarden-serverless
[Abandoned] Implementation of the Bitwarden API using an AWS serverless stack
License: MIT License
I see in the README that the webvault login and some other features work.
When I go to /prod I get the error "Missing Authentication Token", and when I go to any of the API paths such as /prod/api/accounts/keys I get the error "Not Found".
How can I access the web vault login page? What is the URL?
This implementation hosts cipher deletion at DELETE /api/ciphers/{uuid}, but the Bitwarden client (at least, latest Firefox extension version 1.45.0 and seemingly the iOS app) makes the request to PUT /api/ciphers/{uuid}/delete, which results in a 404 from API Gateway.
I haven't done enough digging to determine whether this is a change made in Bitwarden or it's always been like this but I assume the former based on this test case. Might look into mapping the newer route when I get back from vacation, but this is admittedly not a frequently used bit of functionality.
Try to delete a vault entry using the latest Firefox extension. Network inspector for the Bitwarden extension:
Cloning the request with /delete removed from the URI and changing the method to DELETE works as expected:
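One way to serve both request shapes from the same deletion code, as an added example that is not code from bitwarden-serverless: the dispatcher below accepts the older DELETE /api/ciphers/{uuid} and the newer PUT /api/ciphers/{uuid}/delete, and answers anything else with a JSON 404 rather than API Gateway's plain-text one. The Lambda proxy event shape and the in-memory cipher store are constructed for the demo.

```javascript
// Constructed sample store; a real deployment would read DynamoDB.
const ciphers = new Map([
  ['0c2b9c1e-1111-4a5f-9e5b-000000000001', { name: 'example.com' }],
  ['7d4e2a90-2222-4b6c-8f1a-000000000002', { name: 'example.org' }],
]);

// Matches /api/ciphers/{uuid} with an optional /delete suffix.
const CIPHER_ROUTE = /^\/api\/ciphers\/([0-9a-f-]{36})(\/delete)?$/i;

// Build a Lambda proxy response with a JSON body.
function json(statusCode, body) {
  return {
    statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// The single deletion handler that both route shapes end up in.
function deleteCipher(uuid) {
  if (!ciphers.has(uuid)) {
    return json(404, { message: 'Cipher not found' });
  }
  ciphers.delete(uuid);
  return json(200, {});
}

// Decide which handler an incoming (method, path) pair belongs to.
function route(event) {
  const method = (event.httpMethod || '').toUpperCase();
  const m = CIPHER_ROUTE.exec(event.path || '');
  if (m) {
    const [, uuid, suffix] = m;
    // Older client: DELETE /api/ciphers/{uuid}
    // Newer client:  PUT    /api/ciphers/{uuid}/delete
    if ((method === 'DELETE' && !suffix) || (method === 'PUT' && suffix)) {
      return deleteCipher(uuid);
    }
  }
  // Unknown route: still a JSON body, so clients that parse every
  // response as JSON get a message instead of a parse error.
  return json(404, { message: 'Not Found' });
}
```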
I'd like to be able to set globalSettings__disableUserRegistration to true but cannot find if the config file ever gets set?
The request to the register endpoint provides them but they are not being saved by the handle function.
There seem to be a few things needed for full compatibility with the Angular web vault:
Up-to-date list of missing features
Typing the AWS API Gateway domain name can be tedious and error prone. It's possible to add your own custom domain on top of it, but there are extra steps required.
While I was deploying this program to AWS, I encountered an error as I did not set up sufficient permissions. When I deployed the second time, I encountered various deploy errors like
Serverless Error ---------------------------------------
An error occurred: IamRoleLambdaExecution - bitwarden-serverless-prod-us-east-1-lambdaRole already exists.
and
Serverless Error ---------------------------------------
An error occurred: FoldersTable - bitwarden-serverless-prod-folders already exists.
I have to delete all the tables and roles before continuing. Is it possible to check if bitwarden-serverless-prod-folders is empty before directly aborting the deployment? The deployment process should be idempotent.
Using 1.1 I was unable to register using the Bitwarden mac app. iOS worked though.
Error was "supply a valid key"
There should be a necessary cooldown period after X attempts at logging in
The easiest way seems to be to enable an API Gateway Usage Plan or method level throttling. Something like 1 request per second and a 1000 call bucket size.
Existing Lastpass users should be able to migrate to this stack from the CSV export provided by Lastpass
vault.bitwarden.com
I deployed a version, now I want to import my passwords from Chrome, but I need to log in to the web vault. Is this possible?
First, thanks for the great work done on this project!
I am having some issues however, with 2FA. The initial error, which I've since possibly worked around, was the issue "Email not supplied" when passing the email into the two_factor_auth.sh, as seen in the image below...
Notice, I added an echo in the script to see what values it was passing.
I then went and edited the script by adding a space after -d so it would pass the correct value along for email. After that, the URL seemed to just be a Base64 encoded string...
I then decoded the string into an image using https://codebeautify.org/base64-to-image-converter.
At this point, 2FA is active on my account and Authy can generate tokens. However, at this point, I cannot log in to the account in either the Chrome Add-on or the CLI.
bw login [email protected] --method 0 --code 340021
? Master password: [hidden]
(node:2103) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'message' of null
at Function.error (/usr/local/lib/node_modules/@bitwarden/cli/build/bw.js:21317:33)
at commands_login_command_LoginCommand.<anonymous> (/usr/local/lib/node_modules/@bitwarden/cli/build/bw.js:23231:33)
at Generator.throw (<anonymous>)
at rejected (/usr/local/lib/node_modules/@bitwarden/cli/build/bw.js:23101:65)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
(node:2103) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 2)
(node:2103) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
I have since been locked out of my Bitwarden and unable to find a resolution. Any advice is greatly appreciated!
Hi @vvondra. Thanks for making this solution available to the open source community. I'm pretty excited to implement it for myself -- I'm thinking about using your project to set up my own instance of 'serverless bitwarden' in the cloud as a replacement to a local KeePassX file that I've saved in Dropbox for some time.
As a general practice, I try to think about security in all things I do that involve the cloud and solutions in general, and as I considered implementing your solution, I realized that I immediately had some concerns.
Effectively, a password safe is used to store my keys to kingdoms, so to speak, so it makes sense to be particularly careful with trusting this app.
I am unfamiliar with node, so I wasn't sure how to determine that the code was safe to run. Ultimately, I plan on going through the code line-by-line as I don't see any other way of verifying that the code is truly safe to run.
However, I think vulnerabilities in the software dependencies used by the project can be scanned. To this end, I'm working through getting the OWASP dependency checker working against the project, and I've successfully scanned the project with sonarcloud.io. ( It got an 'A' from Sonarcloud -- no vulnerabilities detected, at the time I scanned it. )
Originally, I had planned to do all of this as an independent project. But then it occurred to me that your project could benefit from any steps I took and documented, if I approached this as an opportunity to share on your project instead.
Have you given any thought to what a member of the open source community might need to do to prove for themselves that your app is safe to trust? As mentioned, I'm willing to document the steps that I take as I walk through this process myself. I'm just looking for any ideas that you might have that I didn't think of.
Thanks for your time!
I am doing a 1password CLI import and it appears to work (as well as it does using web vault). But the result is this:
{"success":false,"message":"Cannot read property 'message' of null"}
I don't see any errors in the CloudWatch logs, so I'm thinking it's a miscommunication between the Bitwarden CLI and the import API?
Currently the implementation for import is to send the unencrypted import CSV to lambda.
To fix this, I have opened bitwarden/cli#18 to do proper client-side encryption. After that gets merged, I propose re-writing the import lambda to function just like bitwarden/core's import such that bitwarden-serverless will be compatible with the CLI and web vault's import.
Until that time, it would probably be best to remove the import code altogether.
When accessing the instance directly, I can login and use the web vault like normal. However, when accessing through Cloudfront, the page loads and looks normal...but I get two errors:
An error has occurred.
An unexpected error has occurred.
Logged out
Your login session has expired.
Are there special settings that need to be set in Cloudfront?
Hello, first of all thanks for the great code. I deployed it and confirmed that it works well with desktop app (on mac OS). However when I try to login on iOS using the login created on desktop app it gives me the "Internal error". I wish I had more debug details, but I don't.
With this said - if I sign up for a new account using iOS app it goes through and I can then login using desktop app. But I still cannot login using iOS app, even if I signed up using iOS app.
Any ideas on what to try next or how to debug it further?
Hello,
I didn't use AWS till now and after searching for days I need to ask:
would it be possible to offer me a more (step by step) description of what I need to do to deploy it?
Hey incredible tool, seems to be exactly what I want.
I was able to set it up but I am unable to import a Bitwarden CSV into my own self hosted instance.
I seem to be getting a serverless error.
Serverless Error ---------------------------------------
Trying to populate non string value into a string for variable ${opt:stage, self:provider.stage}. Please make sure the value of the property is a string.
Get Support --------------------------------------------
Docs: docs.serverless.com
Bugs: github.com/serverless/serverless/issues
Issues: forum.serverless.com
My guess is there was something wrong with import.sh. Unfortunately I'm not very knowledgeable about Bash but I'm curious about a few particular lines.
Line 11 and 12
stage=${STAGE:-prod}
region=${STAGE:-us-east-1}
Correct me if I'm wrong, but I believe these lines check to see if STAGE is set, if not it defaults to prod. Why is the same variable being checked for both stage and region?
Line 43
serverless invoke -s $STAGE -r $REGION -f import_${provider}
Where is the variable $STAGE coming from when we're using $stage and $region? (From my understanding $STAGE is not guaranteed to be set.)
Anyways, I don't know much about Bash so I'd appreciate a clarification on that. It seems serverless is not properly receiving the stage option and that is blocking me from importing my Bitwarden CSV.
Is it possible to enable the admin page to manage users? Additionally, it would be interesting if it's possible to send mails to the users, e.g. to reset a password. Both are features of https://github.com/dani-garcia/bitwarden_rs/ but it would be helpful to use the serverless architecture to save money.
Hi @vvondra ,
This is pretty cool. I'm reading up on the instructions on how to set this up. Are the instructions as written using DynamoDB client-side or server-side encryption? This link has more details. I have a preference for AWS not to keep my encryption key, and for me to manage it by myself.
I'm a (very) beginner coder / scripter, so I wonder how easy it would be to change to using client-side encryption?
Thanks,
Mike Jones
Your Environment Information ---------------------------
Operating System: linux
Node Version: 14.13.1
Framework Version: 2.8.0
Plugin Version: 4.1.1
SDK Version: 2.3.2
Components Version: 3.2.4
$ ./two_factor.sh
Please provide the e-mail of the user you want to setup 2FA for: [email protected]
Serverless: Configuration warning:
Serverless: at root: unrecognized property 'default_cors'
Serverless: at 'service': unrecognized property 'tableDeletionPolicy'
Serverless: at 'functions.login.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.prelogin.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.profile.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.profile_put.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.keys.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.register.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.accounts_revision_date.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.device_push_token.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.sync.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.cipher_post.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.cipher_put.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.cipher_delete.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.folder_post.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.folder_put.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.folder_delete.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.import.events[0].http.cors': unrecognized property 'allowMethods'
Serverless: at 'functions.default.events[0].http.cors': unrecognized property 'allowMethods'
Serverless:
Serverless: Learn more about configuration validation here: http://slss.io/configuration-validation
Serverless: "ERROR: TypeError: Cannot read property 'set' of undefined"
Copy the URL above into your browser, scan the QR code in your authenticator app, and enter a code once to verify:
I'm not sure if the default_cors definition is causing the TypeError in the serverless run or not.
I replaced all of the includes with "cors: yes" but then:
Serverless: Configuration warning:
Serverless: at 'service': unrecognized property 'tableDeletionPolicy'
Serverless: at 'functions.login.events[0].http.cors': should be object
Serverless: at 'functions.login.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.prelogin.events[0].http.cors': should be object
Serverless: at 'functions.prelogin.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.profile.events[0].http.cors': should be object
Serverless: at 'functions.profile.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.profile_put.events[0].http.cors': should be object
Serverless: at 'functions.profile_put.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.keys.events[0].http.cors': should be object
Serverless: at 'functions.keys.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.register.events[0].http.cors': should be object
Serverless: at 'functions.register.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.accounts_revision_date.events[0].http.cors': should be object
Serverless: at 'functions.accounts_revision_date.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.device_push_token.events[0].http.cors': should be object
Serverless: at 'functions.device_push_token.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.sync.events[0].http.cors': should be object
Serverless: at 'functions.sync.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.cipher_post.events[0].http.cors': should be object
Serverless: at 'functions.cipher_post.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.cipher_put.events[0].http.cors': should be object
Serverless: at 'functions.cipher_put.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.cipher_delete.events[0].http.cors': should be object
Serverless: at 'functions.cipher_delete.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.folder_post.events[0].http.cors': should be object
Serverless: at 'functions.folder_post.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.folder_put.events[0].http.cors': should be object
Serverless: at 'functions.folder_put.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.folder_delete.events[0].http.cors': should be object
Serverless: at 'functions.folder_delete.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.import.events[0].http.cors': should be object
Serverless: at 'functions.import.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.default.events[0].http.cors': should be object
Serverless: at 'functions.default.events[0].http.cors': unsupported configuration format
Serverless:
Serverless: Learn more about configuration validation here: http://slss.io/configuration-validation
./two_factor.sh
Please provide the e-mail of the user you want to setup 2FA for:
[email protected]
"ERROR: TypeError: Cannot read property 'set' of undefined"
Copy the URL above into your browser, scan the QR code in your authenticator app, and enter a code once to verify:
Hello,
I'm very interested in your project. I have the same issue as you, I don't trust my own server availability for this critical resource.
I only know AWS by name; your project made me check a little more on AWS.
Just to fully understand, you're planning to use:
Is that correct?
Is your code for the 3 above or just AWS Lambda? Why use Node.js and not Python for this "Engine"?
Last question, if you plan to add the web vault, in which AWS solution will it be?
Sorry for all these questions. I'd like to fully understand before participating.
I added the web vault compatibility to JCS/bitwarden-ruby. So maybe I could help here.
Thanks.
I am getting the "Unexpected token N in JSON at position 0" error when I request the master password hint using the Bitwarden Firefox extension.
I just created a bitwarden serverless stack and downloaded the most recent version of Bitwarden on the Google Play store. I entered the URL into the Android client as:
I left all the other URLs blank under "CUSTOM ENVIRONMENT":
Web Vault Server URL
API Server URL
Identity Server URL
Icons Server URL
I can see that the user account was created (I see it in the DynamoDB table bitwarden-serverless-prod-users), but when I try to login, the client crashes immediately without any error message. Are there any logs on AWS that I can check to see what the issue is?
Currently the Bitwarden CLI doesn't work; a new endpoint managing user keys is needed, perhaps more:
$ bw login [email protected]
? Master password: **123***123***123****
? Two-step login code: 123123
{ FetchError: invalid json response body at https://testenv.com/api/accounts/keys reason: Unexpected token N in JSON at position 0
at /Users/me/.nvm/versions/node/v9.4.0/lib/node_modules/@bitwarden/cli/build/bw.js:32497:32
at <anonymous>
at process._tickCallback (internal/process/next_tick.js:160:7)
message: 'invalid json response body at https://testenv.com/api/accounts/keys reason: Unexpected token N in JSON at position 0',
type: 'invalid-json' }
You are logged in!
I suspect the error is caused by a simple "Not Found" message response.
Support for CLI will be also needed to fix #21
Sync happens but items don't show up. Adding items works.
Typically this installation will have a single user. An environment variable could disable further signups.
There is evidently a new prelogin endpoint... You can see it mentioned in the release notes in https://github.com/bitwarden/browser/releases
The implementation is in jslib.
Request: POST /api/accounts/prelogin
Request body: {email: "[email protected]"}
Response Body: {"Kdf":0,"KdfIterations":5000}
This is a breaking change that will prevent login, but it should be easy enough to fix.....
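A handler for the prelogin request described above, as an added example rather than code from bitwarden-serverless: it takes the Lambda proxy event, validates the e-mail, and answers with the exact {"Kdf", "KdfIterations"} shape the client expects. The in-memory users table is constructed for the demo; the per-user KDF fields and the policy of returning the defaults for unknown e-mails (so the endpoint does not reveal which addresses are registered) are assumptions.

```javascript
// Constructed sample of the per-user KDF settings a users table could hold.
const users = new Map([
  ['alice@example.com', { kdf: 0, kdfIterations: 5000 }],
  ['bob@example.com', { kdf: 0, kdfIterations: 100000 }],
]);

// Defaults for unknown e-mails (assumed policy). Kdf 0 is PBKDF2-SHA256
// in Bitwarden's numbering; 5000 matches the response quoted above.
const DEFAULT_KDF = 0;
const DEFAULT_KDF_ITERATIONS = 5000;

// Build a Lambda proxy response with a JSON body.
function json(statusCode, body) {
  return {
    statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Parse the request body, returning null on malformed JSON instead of throwing.
function parseBody(event) {
  try {
    return JSON.parse(event.body || '{}');
  } catch (e) {
    return null;
  }
}

// POST /api/accounts/prelogin  body: {"email": "..."}
function prelogin(event) {
  const body = parseBody(event);
  if (!body || typeof body.email !== 'string' || !body.email.includes('@')) {
    return json(400, { message: 'Email is required' });
  }
  // Normalise so "Alice@Example.com" finds the same record as the stored key.
  const email = body.email.trim().toLowerCase();
  const user = users.get(email);
  // Response keys are capitalised exactly as the client reads them.
  return json(200, {
    Kdf: user ? user.kdf : DEFAULT_KDF,
    KdfIterations: user ? user.kdfIterations : DEFAULT_KDF_ITERATIONS,
  });
}
```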
Inspiration for CSV import is already ready from Lastpass and Bitwarden formats.
The 1Password format is a little different, but it should still be straightforward.
I do not currently see any ciphers being loaded using the newest Android build in Play Store.
Only have access to 1 iPhone to test this on, but I'm experiencing an immediate crash in iOS after a successful login. The CloudWatch logs show a perfectly good login, but my iPhone app is crashing.
Curiously, the iPad version is able to log in. iPhone works with the regular bitwarden hosted backend.
I don't have a Macbook to try the app in debug mode, unfortunately. Sorry for the vague issue.
Just reinstalled an OS and now having that issue. Initial authentication works fine, but then when I try to unlock an existing vault I get "Invalid Master Password".
Here's an error from the keys lambda:
{
"errorType": "TypeError",
"errorMessage": "Cannot read property 'split' of undefined",
"stack": [
"TypeError: Cannot read property 'split' of undefined",
" at Runtime.a [as handler] (/var/task/src/keys.js:9:500652)",
" at Runtime.handleOnce (/var/runtime/Runtime.js:66:25)"
]
}
Initially I thought it might be related to the wrong case of the header (https://github.com/vvondra/bitwarden-serverless/blob/master/src/keys.js#L13) - the event I looked at had a lowercased content-type header: "content-type": "application/json; charset=utf-8", but this doesn't seem to be the origin of the error on the client.
Users should be able to migrate to this stack from the existing hosted Bitwarden vault.