Get a Browserpass popup instead of basic auth login mask

[CaptainMalu]

I tried to login to two sites with basic auth in front of them. But I had to disable browserpass to get login popup.
With browserpass enabled there poped up another small window witch looks like the browserpass popup.

First I thought it's a problem with vivaldi but I got the same behavior in firefox.

I need this sites daily. How can I stop this behavior so I can log in again without disabling browserpass?

[maximbaz]

Great question! First things first, just to get it out of the way, the one obvious idea is to store your credentials in browserpass, so that you can use the small window to choose those credentials instead of typing them manually (just like on any other website you do with the popup).

Regardless whether you want to do this or not, I think it's definitely a bug.

@patgmiller do you think it's possible to let the browser present the built-in login-password prompt, when we close the detached popup without selecting any entry?

[CaptainMalu]

That will work for the two sites I noticed it first. But for most sites I'll have to open for work it's not an option. It would only clutter the password manager.
I noticed after some waiting time the login-prompt shows up. But 1 to 2 minutes is to much for daily use.

[patgmiller]

@CaptainMalu are you saying to want to use browserpass without the basic auth feature, so only for other logins?

@maximbaz I think it's possible I just want to understand the desired behavior.

[CaptainMalu]

until today I didn't know browserpass can be used for basic auth.
For some sites I visit daily it would be nice to use it. But I often use websites were I don't save the login data, too.

I'm working for a hoster so I have to visit sites with basic auth only once or twice for debugging.
And I don't want to store so much credentials of my customers in my passwordmanger.

I use browserpass mostly for my personal login credentials for private and work use.

[maximbaz]

Desired behavior:

1. Open website that uses basic auth
2. Browserpass opens detached popup
   1. Select an entry with the right credentials in the detached popup => you are automatically logged in
   2. Select an entry with wrong credentials in the detached popup => some kind of error is shown, detached popup is still available, so that you can choose the right entry instead.
   3. Close the detached popup without selecting any entry => browser "falls back" to instantly show the native built-in prompt where you can type login and password - as if browserpass was not installed.

[CaptainMalu]

that sounds perfect.

[daniele-athome]

I can confirm this as well on Firefox 137 on Linux. When browserpass is enabled, any site with HTTP basic authentication causes a popup to appear - a fully fledged window, with decoration and everything:

Beneath that, Firefox will be stuck in a loading state for the page; if I close the popup, Firefox aborts loading the address altogether. Development tools (network tab) reports "Blocked by Browserpass".

I'd like to use the built-in password manager for this specific site (many other too actually, browserpass previously wasn't interfering with that).

EDIT: this is not a native app issue, the toolbar button works perfectly.

[maximbaz]

This sounds like an interesting separate bug, I wonder if you can see some error logs in the background script?

[patgmiller]

@danele-athome #370 (comment) are you able to decrypt any secrets with the normal popup? In light of the storage settings issue I wonder if not having settings or the native not being able to find the gpg binary would cause any of this?

[SjoerdV]

@CaptainMalu unchecking the optional permissions 'Access your data for all websites' in the extension settings will get rid of this behavior.

[CaptainMalu]

@SjoerdV do you mean setting "site access" to "on click" instead of "on all sites"?

I tried that, but than browserpass didn't work for any site.

[SjoerdV]

@CaptainMalu on Android/Chrome It’s probably equivalent to setting the ‘Site Access’ setting to ‘No Access’ (or on click if that’s the only setting)

[CaptainMalu]

@SjoerdV hmm I tested again in firefox and vivaldi (chrome based) and now with the setting "on click" it worked on normal sites again. Don't know what it was earlier this day.
Also the basic auth login mask will be shown as has to be filled manually. So it's the behavior like before the update.

in Vivaldi the options for "site access" are

• all sites
• specific sites
• on click

[patgmiller]

@maximbaz @CaptainMalu The simplest method, and probably the correct method, to accomplish this is to not cancel the auth request in the automatic resolve method for browserpass. I've pushed that change to my branch 370-friendly-auth-fallback, (commit 66f4796ba0c8f9ecca1798cf71babdc8598e4d96).

browserpass-kinder-auth-handling.webm

Maxium, we can improve upon this behavior in another task if you'd like, to filter which auth requests browserpass were to handle.

[maximbaz]

Thanks, I think that's the expected and desired behavior 👍 This way like you have now it matches the "normal popup" behavior perfectly, i.e. even if you have the right credentials but stored under a different path, just like on normal websites, you can hit Backspace and find it.

[daniele-athome]

@danele-athome #370 (comment) are you able to decrypt any secrets with the normal popup? In light of the storage settings issue I wonder if not having settings or the native not being able to find the gpg binary would cause any of this?

Sorry for the late reply. Yes, I'm able to decrypt secrets with the normal popup (from the toolbar button). I see this has been fixed, maybe I'll have more luck with the next release :-)

[daniele-athome]

Ok it works now: HTTP basic auth opens up a modal that I can dismiss to let the browser use its native authentication. Although it would be nice if this behaviour could be disabled (i.e. for people not using browserpass for HTTP basic auth).

Thank you!!

[patgmiller]

Ok it works now: HTTP basic auth opens up a modal that I can dismiss to let the browser use its native authentication. Although it would be nice if this behaviour could be disabled (i.e. for people not using browserpass for HTTP basic auth).

Thank you!!

You're welcome!