Context
We need a password manager across extension and web, with admin visibility and per-user isolation. Non-admin users must re-verify their login password to view plaintext.
Goals / Non-Goals
- Goals:
  - Save credentials with explicit confirmation.
  - Autofill selector for saved accounts per site.
  - Admin can view all users’ credentials.
  - Non-admin must re-verify password before plaintext reveal.
  - Encrypt credentials at rest.
- Non-Goals:
  - Browser-level credential integration outside the extension.
  - Password sharing between users.
Decisions
- Site key = URL origin (scheme + host + port).
- Storage model: one row per (user_id, site_origin, username), allowing multiple accounts per site.
- Encrypt password using AES-256-GCM with server-side master key (env), store iv + tag + ciphertext.
- Use a session-only toggle to reveal plaintext in the web UI (sessionStorage; reset on browser close).
- Extension content script detects login forms; popup asks to save; only on confirm does it call API.
Risks / Trade-offs
- Storing decryptable passwords increases risk. Mitigation: encryption at rest, strict auth, session-only plaintext reveal, audit logging (future).
Migration Plan
- Add DB migration for credential tables and indexes.
- Add API endpoints and update OpenAPI.
- Implement extension flows and web UI.
- Add tests for CRUD, reauth, admin access.
Open Questions
- Confirm site matching scope (origin vs eTLD+1).
- Save prompt triggers on form submit (username + password present).