bitwarden: check local env vars for password or api key #11

Closed
jessebot opened this issue Dec 6, 2022 · 9 comments · Fixed by #51
@jessebot
Collaborator

jessebot commented Dec 6, 2022

No description provided.

@jessebot jessebot added the ✨ enhancement New feature request label Dec 6, 2022
@cloudymax
Collaborator

cloudymax commented Dec 7, 2022

Looks like this can be accomplished via using the bw login --apikey option

according to: https://bitwarden.com/help/cli/#using-an-api-key

In scenarios where automated work is being done with the Bitwarden CLI, you can save environment variables to prevent the need for manual intervention at authentication.

| Environment Variable Name | Required Value |
| --- | --- |
| BW_CLIENTID | client_id |
| BW_CLIENTSECRET | client_secret |

To get the api-key you have to log in to the web-vault via bitwarden.com.

From there you need to click on the user icon at the top-right of the page and select account settings

Next you'll need to select the Security option from the menu on the left, and then select the Keys tab.

At the bottom of the page you should get the options to view the key:

Enter your password at the following screen, and get your api key

Then export the client and client secret values as BW_CLIENTID and BW_CLIENTSECRET.

bw login --apikey
You are logged in!

To unlock your vault, use the `unlock` command. ex:
$ bw unlock

@jessebot
Collaborator Author

jessebot commented Dec 7, 2022

Amazing writeup, thank you! :D

@jessebot jessebot added the 🔐 Bitwarden anything to do with bitwarden label Dec 7, 2022
@cloudymax
Collaborator

> Amazing writeup, thank you! :D

no problem! 🥳

@jessebot
Collaborator Author

jessebot commented Dec 24, 2022

Checked and it looks like even with the api key, you still need to enter in the password to unlock the vault. I don't know that we're gaining anything by introducing the API key :(

Unlock

Using an API key or SSO to log in will require you to follow-up the login command with an explicit bw unlock if you'll be working with vault data directly.

Unlocking your vault generates a session key which acts as a decryption key used to interact with data in your vault. The session key must be used to perform any command that touches vault data (for example, list, get, edit). Session keys are valid until invalidated using bw lock or bw logout, however they will not persist if you open a new terminal window. Generate a new session key at any time using:

bw unlock

When you're finished, always end your session using the bw lock command.

Unlock options

You can use the --passwordenv or --passwordfile options with bw unlock to retrieve your master password rather than enter it manually

Source: https://bitwarden.com/help/cli/#unlock

@jessebot
Collaborator Author

Well, it's hacky, but we can maybe suggest local users use libsecret to grab their bitwarden password and then export that in their shell on login, and then that can be used to unlock the vault. So, going back to the default option for this ticket: We should check local env vars for password. More importantly, it might make sense to add an "add to vault command" option, where we can add things to your vault of any password manager of your choice, but this would still require the user to know that they need to export certain env variables ahead of time to have the vault command work 🤔

I hate this for us. D: I wish that the API key actually worked like a normal API key and didn't still require the password key. This feels like it just adds complexity and no extra security, because you can't even set "require api key".

@jessebot jessebot linked a pull request Jan 8, 2023 that will close this issue
@jessebot
Collaborator Author

jessebot commented Jan 8, 2023

Reopening because although we now check for session tokens in the env vars, we do not accept API keys yet.

@jessebot jessebot reopened this Jan 8, 2023
@jessebot
Collaborator Author

jessebot commented Jan 8, 2023

#45 is semi related to this.

@jessebot jessebot self-assigned this Jan 8, 2023
@jessebot
Collaborator Author

jessebot commented Jan 8, 2023

I guess if the user is not logged in already, we could potentially try logging in via an api key, but after that, I am closing this ticket, because this is a lot to handle for the scope of this project currently.

@jessebot
Collaborator Author

Ok, we will now check local env vars not only for a password but also the api key in #79. Closing, and we can handle local keyring in #45.
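
One way to implement the environment check this thread settles on, as an added example that is not code from this project, its pull requests, or Bitwarden. It assumes the master password is exported as `BW_PASSWORD` (a hypothetical name; the thread does not give one), and the function names are also hypothetical; `bw status` and `bw unlock --raw` are Bitwarden CLI features not quoted in the thread.

```python
import json
import os
import subprocess

# BW_CLIENTID / BW_CLIENTSECRET are read by `bw login --apikey` (named in the thread).
# BW_SESSION is the variable the CLI reads an existing session key from.
# BW_PASSWORD is a hypothetical name chosen for this example.
API_KEY_VARS = ("BW_CLIENTID", "BW_CLIENTSECRET")
PASSWORD_VAR = "BW_PASSWORD"


def plan_bw_auth(env, status):
    """Return the bw commands needed to reach an unlocked vault.

    status is the "status" field printed by `bw status`:
    "unauthenticated", "locked" or "unlocked".
    Secrets never go on argv; bw reads them from the environment itself.
    """
    if status == "unlocked":
        return []  # BW_SESSION already holds a valid session key
    steps = []
    if status == "unauthenticated":
        missing = [v for v in API_KEY_VARS if not env.get(v)]
        if missing:
            raise RuntimeError("set " + ", ".join(missing) + " to log in with an API key")
        steps.append(["bw", "login", "--apikey"])
    # An API-key login does not unlock the vault: the master password is still needed.
    if not env.get(PASSWORD_VAR):
        raise RuntimeError(f"set {PASSWORD_VAR} so bw unlock can read the master password")
    steps.append(["bw", "unlock", "--passwordenv", PASSWORD_VAR, "--raw"])
    return steps


def unlock_vault(env=None):
    """Run the plan and return a session key to export as BW_SESSION."""
    env = dict(os.environ if env is None else env)
    done = subprocess.run(["bw", "status"], env=env, capture_output=True,
                          text=True, check=True)
    session = env.get("BW_SESSION", "")
    for cmd in plan_bw_auth(env, json.loads(done.stdout)["status"]):
        out = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
        if cmd[1] == "unlock":
            session = out.stdout.strip()  # --raw prints only the session key
    return session
```

Passing the variable name to `--passwordenv`, rather than the password itself, keeps the secret out of the process list and shell history.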
