## Context

We need a password manager across extension and web, with admin visibility and per-user isolation. Non-admin users must re-verify their login password to view plaintext.

## Goals / Non-Goals

- Goals:
  - Save credentials with explicit confirmation.
  - Autofill selector for saved accounts per site.
  - Admin can view all users’ credentials.
  - Non-admin must re-verify password before plaintext reveal.
  - Encrypt credentials at rest.
- Non-Goals:
  - Browser-level credential integration outside the extension.
  - Password sharing between users.

## Decisions

- Site key = URL origin (scheme + host + port). The `http://` and `https://` forms of the same host are therefore distinct sites.
- Storage model: one row per (user_id, site_origin, username), allowing multiple accounts per site.
- Encrypt password using AES-256-GCM with a server-side master key (env); store iv + tag + ciphertext per row. Every encryption must use a fresh random 96-bit IV: reusing an IV under the same key breaks both confidentiality and integrity of GCM.
- Use a session-only toggle to reveal plaintext in the web UI (sessionStorage, which is per-tab and cleared when the tab or browser closes). The toggle is display state only; any script on the page can set it, so the re-verification requirement has to be enforced by the API on the reveal endpoint, not by the client.
- Extension content script detects login forms; the popup asks whether to save; only on confirm does it call the API.

## Risks / Trade-offs

- Storing decryptable passwords increases risk: unlike login passwords, which are hashed, saved credentials must be recoverable, so anyone holding both a database copy and the server-side master key can read every user's saved passwords, and admin visibility means a compromised admin account has the same reach. Mitigation: encryption at rest with the master key kept out of the database, strict auth, session-only plaintext reveal, audit logging (future).

## Migration Plan

- Add DB migration for credential tables and indexes.
- Add API endpoints and update OpenAPI.
- Implement extension flows and web UI.
- Add tests for CRUD, reauth, admin access.

## Open Questions

- Confirm site matching scope (origin vs eTLD+1).
- Confirm the save-prompt trigger: form submit when both a username and a password field are present.