
We are sending requests to an external API. It is a public API but still requires sending basic auth authentication. Since it is a public user with no further access, this is no security issue. But when those requests are executed, the password manager keeps asking to save the basic auth data for this external URL. This is annoying, and the users on the website might get confused about why they can suddenly save a username and password for a domain they do not know.

I would like to know if we can somehow make password managers in general ignore those requests.

So far we have only noticed LastPass with this behavior (Bitwarden and the Chrome built-in manager do not show it). I am wondering if it is a problem specific to the LastPass extension or if it might happen with other managers too.

My research so far did not show any results.

It can be reproduced in this fiddle with a request like this:

(function() {
  // superagent is loaded globally by the fiddle (e.g. via a <script> tag)
  superagent('GET', 'https://httpbin.org/anything')
    .auth('Username', 'Password') // sends an "Authorization: Basic ..." header
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err);
    });
})();

This is how LastPass asks to save the credentials:
[Screenshot: LastPass example]

As suggested in a comment, I tried to implement the URL as username:password@example.com, and LastPass does not recognize this anymore.

I verified via curl that the API works with this syntax, but when I implemented it like this:

(function() {
  // superagent is loaded globally by the fiddle (e.g. via a <script> tag)
  // credentials embedded in the URL (userinfo) in addition to .auth()
  superagent('GET', 'https://username:password@httpbin.org/anything')
    .auth('Username', 'Password')
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err);
    });
})();

the API does not accept this anymore.

I contacted the developer of the API and he said the request did not contain the authentication information. I wonder if the browser somehow stripped it out? When accessing the URL directly in the browser it works, but is the browser converting it behind the scenes into a header?
Calling the URL in Firefox shows an authentication header, but in Chrome it does not. Either way, both seem to work.

Daniel
  • If the API credentials are public, why does it need a username and password then? Ask the API vendor if they can remove the need for a password and default to the anonymous user. Maybe also `user@domain` with an empty password might work better? – Alex Apr 19 '23 at 11:14
  • Apparently the authentication has to be this way. – Daniel Apr 19 '23 at 12:38
  • It appears that LastPass does not catch the `user:password@domain` and is not asking to save the credentials. – Daniel Apr 19 '23 at 12:50
  • You can exclude the URL or hostname of your API endpoint by adding it to LastPass Never URLs. I doubt that you have accounts there and need to save passwords for them. – asiby May 03 '23 at 08:52
  • @asiby I am aware I can exclude the hostname, but the problem is that we are using the API in our search in a shop, so our customers will get the same notification. That's why we would like to prevent it in the first place. – Daniel May 03 '23 at 10:14

1 Answer

We have now come up with a solution for this issue. We are using a proxy to set the authentication header and pass the request along to the API.

I removed the authentication from the original code and changed the URL to the proxy path:

(function() {
  // superagent is loaded globally (e.g. via a <script> tag);
  // no credentials in the browser code, the proxy adds them server-side
  superagent('GET', 'https://example.com/proxy-path')
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err);
    });
})();

Then in Apache we configured the proxy to add the header if it is not set:

SSLProxyEngine on
ProxyPass /proxy-path https://api-url.com/
ProxyPassReverse /proxy-path https://api-url.com/
<LocationMatch "/proxy-path">
    RequestHeader setifempty authorization "Basic base64Credentials"
</LocationMatch>

With this solution LastPass has no authentication header to scan, and the request is passed through to the API with the authentication header in place.

The disadvantage of the proxy is that we have an increased response time of 20-30ms. In our case this is not much and bearable.

Daniel
  • It's unfortunate that you had to do this kind of compromise. The community should petition these password manager creators to consider backing down if the request contains a specific header. For instance: `X-ignore-password-manager` – asiby May 04 '23 at 05:18
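As an added example (not the answer's own configuration) of the proxy described in the answer above, the same Apache fragment with the header always overwritten rather than only set when empty, so that an Authorization header a browser user happens to send to /proxy-path/ is replaced instead of being forwarded to the API; the hostnames, the path and the credential placeholder are assumptions.

```apache
# Added example, not the original answer's configuration.
# Assumptions: the API lives at https://api-url.com/, the proxy path is /proxy-path/,
# and BASE64_OF_USERNAME_COLON_PASSWORD stands for base64("Username:Password"),
# e.g. produced with:  printf '%s' 'Username:Password' | base64
SSLProxyEngine on
ProxyPass        /proxy-path/ https://api-url.com/
ProxyPassReverse /proxy-path/ https://api-url.com/

<Location "/proxy-path/">
    # "set" always overwrites. With "setifempty", an Authorization header supplied
    # by the browser (or by a visitor's own script) would be passed through to the API.
    RequestHeader set Authorization "Basic BASE64_OF_USERNAME_COLON_PASSWORD"

    # If the API ever answers 401, drop its challenge so the browser does not open
    # a native login dialog for our own origin ("always" also covers non-2xx responses).
    Header always unset WWW-Authenticate
</Location>
```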