Bitwarden CLI - Get passwords, username, TOTP and more from Bitwarden

[Petru]

@blacs30 Could you add notifications for login? Like "Login successful"  / "Cannot login - Incorrect password" ?
Also: Is there any clipboard wiping done after a few seconds? Other security measures in place?

Edited August 23, 2019 by Petru

[alexbet]

I installed this workflow and installed the Node version of the CLI, but the workflow doesn't work for me. I set the email, I set the server, and when i try to login and type bwlogin and hit enter, nothing happens. The Alfred search bar disappears, and that is it. Am I doing something wrong?

[blacs30]

@alexbet Thanks for reporting this issue. So the workflow doesn't ask you for the password for your bitwarden account, correct?

Which macOS version do you run? Are you running Alfred 4 and have you upgraded it from version 3 or is it der first time you are using Alfred?

Did you allow Alfred in the Accessibility settings (System Preferences > Security & Privacy > Privacy > Accessibility > add Alfred here)

 

Currently there is a known issue for a clean Alfred 4 installation on macOS without having Alfred 3 installed before that. I didn't find time to fix it yet.

[alexbet]

Hi @blacs30 you are correct, the workflow doesn't ask for a password when I try to login with my BitWarden account. I am using the latest Mac OS X 10.14.6. Yes, I upgraded Alfred from v3 to v4, and I am running the latest Alfred 4.0.4 version. Also, Alfred is already enabled in the Privacy/Accessibility settings in System Preferences.

 

Edited September 19, 2019 by alexbet

[blacs30]

Hi @alexbet,

thanks for the information. That is a strange behaviour. Can you please check the logs of the workflow (in the Alfred Preferences select the workflow and then enable the debug mode by clicking on the bug icon at the top right )

[alexbet]

@blacs30, here is what appears in the debugging console when I try to login (see the error):

 

[12:14:41.910] Logging Started...
[12:14:51.982] Bitwarden CLI[Keyword] Processing complete
[12:14:51.983] Bitwarden CLI[Keyword] Passing output '' to Run Script
[12:14:52.520] ERROR: Bitwarden CLI[Run Script] 2910:2911: syntax error: Expected end of line but found “"”. (-2741)
[12:14:52.523] Bitwarden CLI[Run Script] Processing complete
[12:14:52.523] Bitwarden CLI[Run Script] Passing output '' to Post Notification

[blacs30]

@alexbet just for confirmation, are you using version 1.2.4?

You can also find it here on Github https://github.com/blacs30/bitwarden-alfred-workflow/releases

[thomasSDK]

Hi blacs30,

 

This is an amazing Workflow but im running into some issues getting it up and running and it would be great if you could help me out and if you can explain whats going wrong in the code as well that would be amazing (ive had a bit of a poke around but dont have much experience with Python).

 

Im running version 1.2.4 and Alfred 4 with Script Editor and Alfred both added to the Accessibly permissions of Privacy and Security.

 

When trying to Login the enter password popup shows but when I enter my password nothing happens, here is the log from the debug console (ive managed to login via the bitwarden-cli in the terminal btws)

 

Cheers

[22:32:04.480] Bitwarden CLI[Keyword] Processing complete
[22:32:04.481] Bitwarden CLI[Keyword] Passing output '' to Run Script
[22:32:09.923] STDERR: Bitwarden CLI[Run Script] .
22:32:04 workflow.py:2055 DEBUG    ---------- Bitwarden CLI (1.2.4) ----------
22:32:04 <string>:120 DEBUG    MAIN: Started
22:32:04 <string>:132 DEBUG    MAIN: 2fa method not set
22:32:04 <string>:142 DEBUG    MAIN: 2fa not used
22:32:04 <string>:97 DEBUG    START get_bw_exec
22:32:04 <string>:106 DEBUG    END found get_bw_exec
22:32:04 <string>:149 DEBUG    MAIN: Start login without 2fa
22:32:04 <string>:54 DEBUG    login: - bw Start running bw login
22:32:04 <string>:17 DEBUG    login: START for ********@mail.com and title: Enter Bitwarden password
22:32:04 <string>:37 DEBUG    login: START osascript to ask for the password.
22:32:09 <string>:40 DEBUG    login: Evaluate returned result status from the password entry.
22:32:09 <string>:45 DEBUG    login: osascript - An error occured: 2019-09-28 22:32:04.818 osascript[96370:371271] isPrefsCreateCacheFromEnabledAndDefaultInputSources - can't find anything from GetInputSourceEnabledPrefs, use defaultASCIIKeyLayoutDict = <CFBasicHash 0x7fb48d532f10 [0x7fff9600f8e0]>{type = mutable dict, count = 3,
entries =>
	0 : <CFString 0x7fff9607a818 [0x7fff9600f8e0]>{contents = "InputSourceKind"} = <CFString 0x7fff960bfd58 [0x7fff9600f8e0]>{contents = "Keyboard Layout"}
	1 : <CFString 0x7fff960abe98 [0x7fff9600f8e0]>{contents = "KeyboardLayout ID"} = <CFNumber 0x7c28f854af23cc1f [0x7fff9600f8e0]>{value = +2, type = kCFNumberSInt64Type}
	9 : <CFString 0x7fff96075518 [0x7fff9600f8e0]>{contents = "KeyboardLayout Name"} = British
}

22:32:09 workflow.py:2074 ERROR    local variable 'out' referenced before assignment
Traceback (most recent call last):
  File "workflow/workflow.py", line 2067, in run
    func(self)
  File "<string>", line 150, in main
  File "<string>", line 57, in login
UnboundLocalError: local variable 'out' referenced before assignment
22:32:09 workflow.py:2097 DEBUG    ---------- finished in 5.290s ----------
[22:32:09.928] Bitwarden CLI[Run Script] Processing complete
[22:32:09.929] Bitwarden CLI[Run Script] Passing output '<?xml version="1.0" encoding="utf-8"?>
<items><item valid="no"><title>Error in workflow 'Bitwarden CLI'</title><subtitle>local variable 'out' referenced before assignment</subtitle><icon>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns</icon></item></items>' to Post Notification

 

[Al30]

Hi @blacs30,

 

I'm so excited to get this one working! Kudos for the work. It seems that I'm having some issues and wanted to put them out there in case someone is having a similar issue and for your information so that it can be resolved:

 

Environment:

MacOs Catalina v10.15.2

Homebrew: v2.2.2

bitwarden cli: v1.8.0

Alfred: v3.8.6

Alfred Bitwarden Workflow: v1.2.4 (Only because the latest version v1.3.0 -I think- is "incompatible" with Alfred version 3.8.6)

 

Actions:

• bwsetemail - Set the Bitwarden user account email
• bwsetserver - Set the Bitwarden server to connect to
• bwset2fa - Enable 2FA for Bitwarden login
• bwset2famethod - Set the method for the Bitwarden 2FA login (1)
• bwlogin - Log in to Bitwarden
• Verified that the accessibility is correctly set up as recommended earlier in the thread.

Issue:

[2020-01-10 11:32:44][input.keyword] Processing output of 'action.script' with arg ''
[2020-01-10 11:33:09][ERROR: action.script] .
11:32:44 workflow.py:2055 DEBUG    ---------- Bitwarden CLI (1.2.4) ----------
11:32:44 <string>:120 DEBUG    MAIN: Started
11:32:44 <string>:97 DEBUG    START get_bw_exec
11:32:44 <string>:106 DEBUG    END found get_bw_exec
11:32:44 <string>:157 DEBUG    MAIN: Start login with 2fa and method set to: 1
11:32:44 <string>:54 DEBUG    login: - bw Start running bw login
11:32:44 <string>:17 DEBUG    login: START for ***********@gmail.com and title: Enter Bitwarden password
11:32:44 <string>:37 DEBUG    login: START osascript to ask for the password.
11:32:51 <string>:40 DEBUG    login: Evaluate returned result status from the password entry.
11:32:51 <string>:17 DEBUG    login: START for alvarobolanos@gmail.com and title: Enter Bitwarden second factor code
11:32:51 <string>:37 DEBUG    login: START osascript to ask for the password.
11:33:05 <string>:40 DEBUG    login: Evaluate returned result status from the password entry.
11:33:08 <string>:73 DEBUG    login: bw Evaluating bw login result
11:33:08 <string>:78 DEBUG    login: bw An error occured: [object Object]
11:33:08 <string>:159 DEBUG    MAIN: 2fa with method set login result:  (trimmed)
11:33:08 <string>:162 DEBUG    MAIN: Error occured: [object Object]
11:33:09 workflow.py:2097 DEBUG    ---------- finished in 24.185s ----------
[2020-01-10 11:33:09][action.script] Processing output of 'output.notification' with arg 'error output: [object Object]
'

 

Here's the notification related to it.

 

 

Let me know if you need more information and I'll be happy to share what I can.

 

Regards.

 

Edited January 10, 2020 by Al30
Added @ and 2fa option I've selected.

[blacs30]

On 1/10/2020 at 5:55 PM, Al30 said:

Hi @blacs30,

 

I'm so excited to get this one working! Kudos for the work. It seems that I'm having some issues and wanted to put them out there in case someone is having a similar issue and for your information so that it can be resolved:

 

 

I'm sorry not to have answered before @Al30 . I think I messed up my notifications here from the forum.

Do you still need help? For the logs it looked like that the setting for 2fa mode might have been wrong. I would ask you to try to login via cli in the terminal. If the cli asks you to choose an 2fa auth method (which only happens if multiple 2fa ways are setup) then you need to configure the method otherwise it's 0.

Edited May 19, 2020 by blacs30

[blacs30]

On 9/28/2019 at 11:51 PM, thomasSDK said:

Hi blacs30,

 

This is an amazing Workflow but im running into some issues getting it up and running and it would be great if you could help me out and if you can explain whats going wrong in the code as well that would be amazing (ive had a bit of a poke around but dont have much experience with Python).

 

Im running version 1.2.4 and Alfred 4 with Script Editor and Alfred both added to the Accessibly permissions of Privacy and Security.

 

When trying to Login the enter password popup shows but when I enter my password nothing happens, here is the log from the debug console (ive managed to login via the bitwarden-cli in the terminal btws)

 

 

 

 

Also sorry to you @thomasSDK for my very very last reply. I will configure my notifications here on the forum.

 

This error you showed looks heavily like this one https://stackoverflow.com/questions/53603246/strange-error-running-osascript-e-command-on-macos-mojave

Edited May 19, 2020 by blacs30

[raultaboraz]

Hello I am using High Sierra and Alfred v4 and v1.30 extension and I have the same problem. I use bwsetemail me@mail.com & hit ENTER and nothing happens... I tried to add another keyboard input (as you suggested a bug in MOVAJE) but it doesn't work...

 

However if I use bwlogin I can see a popup.

 

I have tried bitwarden cli and it works perfectly in terminal.

 

Could you please help me? I really NEED this workflow.

 

Thanks in advance

[deanishe]

2 hours ago, raultaboraz said:

and nothing happens...

 

That isn’t a useful description of the problem. Something is happening, and we need to know what it is in order to help you. What does Alfred's debugger say?

[blacs30]

2 hours ago, raultaboraz said:

I use bwsetemail me@mail.com & hit ENTER and nothing happens...

 

If Alfred is allowed to send notifications you should set a confirmation notification like this (screenshot 1)

 

You can also double check the keychain if items have been created there. 

Open the app "Keychain Access", search for "bitwarden", you should be able to see couple of entries, but at least the one for the email-address.

 

Can you try to search for an item like "bw google", it could be that you also need to run "bwunlock", that is needed in case bitwarden cli unlock is run in the meantime. It is so that bitwarden then invalidates the previous generated session key.

 

Thanks @deanishe taking part here as well, it's an honour  I hope to soon fully rewrite this workflow in go with help of your library.

 

[blacs30]

With version 2.0.0 I have rewritten the complete workflow and added many new features.

 

I've released version 2.0.3 now and updated the first post in this thread

You can find the latest version on github https://github.com/blacs30/bitwarden-alfred-workflow/release

Edited August 11, 2020 by blacs30

[new member]

I updated from version 1.4.0 to version 2.0.3.
I was looking forward to the new Workflow, but it doesn't seem to work as well as it should.

 

In the new Workflow, the command was changed to ".bw", so I typed it in.
Alfred thinks for a moment and then only shows the ".bwauth unlock" option.

Looking at GitHub, I can see that I can change the settings with the command ".bwconfig", but when I type that command, it says ".bwauth unlock".

 

I thought the Bitwarden CLI was not unlocked and ran ".bwauth unlock".

Then I was prompted to enter my password.
I joyfully entered my password.

But next, I was asked to enter "2FA".
Since I don't have 2FA enabled, I get an error no matter what I enter.

 

You won't find these steps in Git's ReadMe either.
It looks like I can change the enable/disable of 2FA, but I can't get to ".bwconfig" and change it.

Obviously, the new Workflow has a problem.
I immediately reverted to version 1.4.0.

 

[paulw]

On 8/11/2020 at 10:56 PM, new member said:

But next, I was asked to enter "2FA".

Since I don't have 2FA enabled, I get an error no matter what I enter.

Go to the workflow environment variables, and change "2FA_ENABLED" from to "true" to "false", and then you can log in.

Edited January 4, 2021 by paulw

[Hoogo]

Hi,

I would love to start using this workflow. I'm not a expert in reading code so I don't really understand what's happening under the hood. I just wanted to ask if it is secure to use this workflow and if there is any of my data (email, masterpassword) beeing send to the workflow developer or to any servers.

 

Best regards

Noah

[deanishe]

1 hour ago, Hoogo said:

if there is any of my data (email, masterpassword) beeing send to the workflow developer or to any servers.

 

So, I've just gone through the source code.

 

All the workflow does with your email & master password is pass them to the Bitwarden CLI client (it does save the email, but not the password). The only network connections the workflow itself makes are to fetch favicons and to check for updates.

 

The workflow caches your Bitwarden data (for speed), but the data are encrypted on disk, the encryption key is stored in your Keychain, and the cached data are deleted when you lock Bitwarden.

 

All in all, very well done. @blacs30 is very security aware. I would trust this workflow much more than the browser extension, which was written—at least in part—by idiots.

 

Also, thanks for getting me to look at the source code. I am totally going to steal the trick of fetching favicons from DDG. Thanks @blacs30!

Edited January 13, 2021 by deanishe

[blacs30]

42 minutes ago, deanishe said:

 

So, I've just gone through the source code.

 

All the workflow does with your email & master password is pass them to the Bitwarden CLI client (it does save the email, but not the password). The only network connections the workflow itself makes are to fetch favicons and to check for updates.

 

The workflow caches your Bitwarden data (for speed), but the data are encrypted on disk, the encryption key is stored in your Keychain, and the cached data are deleted when you lock Bitwarden.

 

All in all, very well done. @blacs30 is very security aware. I would trust this workflow much more than the browser extension, which was written—at least in part—by idiots.

 

Also, thanks for getting me to look at the source code. I am totally going to steal the trick of fetching favicons from DDG. Thanks @blacs30!

 

Thank you @deanishe, was only my second golang project but with the Alfred go package provided by you it was fun, and the github interactions since then grew. 

Currently there is one open improvement on github which makes sense to me: optional time based lock of the Bitwarden workflow.
As said already, the encryption key is stored in Keychain and it stays there until manually "lock" or "logout" is called from the workflow (or manually deleted via Keychain) or it get's invalidated by another Bitwarden cli client login in the meantime.

The locally cached data also doesn't contain any secrets (unless secrets are put into non secret fields like username or name of the secret).

[blacs30]

2 hours ago, Hoogo said:

Hi,

I would love to start using this workflow. I'm not a expert in reading code so I don't really understand what's happening under the hood. I just wanted to ask if it is secure to use this workflow and if there is any of my data (email, masterpassword) beeing send to the workflow developer or to any servers.

 

Best regards

Noah

 

Good that you ask and not just "trust" or "hope". Little snitch is a great firewall which can show up all the hidden traffic going out from applications.

[deanishe]

21 minutes ago, blacs30 said:

Currently there is one open improvement on github which makes sense to me: optional time based lock of the Bitwarden workflow

 

Definitely a good feature to have. How would you do that? Have a background job running that deletes the cache and exits after it's been running for X minutes, and then kill the job every time the user uses the workflow?

 

24 minutes ago, blacs30 said:

with the Alfred go package provided by you it was fun

 

Thanks! Please let me know if you have any feedback. I've got very little feedback on the library one way or the other, and I'm not sure if that means I nailed it or people really hate it…

 

23 minutes ago, blacs30 said:

Little snitch is a great firewall which can show up all the hidden traffic going out from applications.

 

This. If you care who your apps are talking to, I can't recommend Little Snitch enough. I'm really annoyed Apple have changed Big Sur so that Apple's own programs can bypass 3rd-party firewalls.

 

[paulw]

I just started using this extension, thanks so much @blacs30 for developing it!

 

Suggestion for the future—could you add an option to display details of an item in the vault? For example, I might want to view the contents of a note, or even copy and paste a portion of an item.

 

[blacs30]

7 hours ago, paulw said:

Suggestion for the future—could you add an option to display details of an item in the vault? For example, I might want to view the contents of a note, or even copy and paste a portion of an item.

 

 

Partly I would say it is implemented. Per default it shows "show more" with the modifier keys command + option (or alt). It shows every possible, used field for each item. any of this can be copied. just it's not currently possible to copy only a part of a field, e.g. a part of a note.
Secure note content is hidden in the workflow and is treated like a password.

[Hoogo]

Thanks @blacs30 and @deanishe for your quick answers, appreciate that. I'm definitely gonna use this workflow now.

Edited January 14, 2021 by Hoogo