Here is a framework for getting and storing login credentials.† The script prompts for the information on the very first run and stores it, encrypted, using GM_setValue().
It also adds two items to the Greasemonkey context menu to allow changing the username or password.
// ==UserScript==
// @name _Autologin, sensitive info framework
// @include http://YOUR_SERVER.COM/YOUR_PATH/*
// @require http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
// @require http://crypto.stanford.edu/sjcl/sjcl.js
// @grant GM_getValue
// @grant GM_setValue
// @grant GM_registerMenuCommand
// ==/UserScript==
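// NOTE(review): the two @require lines in the metadata block fetch jQuery and SJCL
// over plain http://, so anyone on the network path can alter the library code
// before it runs with this script's GM_* grants. Prefer https:// URLs (or a
// reviewed local copy), and keep @include as narrow as the login page allows.

//-- Load whatever an earlier run saved; "" means "nothing stored yet".
var encKey = GM_getValue("encKey", "");
var usr = GM_getValue("lognUsr", "");
var pword = GM_getValue("lognPwd", "");

if (!encKey) {
  // The key is saved in the same GM storage as the values it encrypts, so it
  // hides the credentials from a casual look at that storage and no more.
  var enteredKey = prompt(
    'Script key not set for ' + location.hostname + '. Please enter a random string:',
    ''
  );

  // prompt() gives null on Cancel and "" on an empty OK. Neither is usable as a
  // key, so nothing is saved and the script asks again on the next run.
  if (enteredKey) {
    encKey = enteredKey;
    GM_setValue("encKey", encKey);
  }

  usr = pword = ""; // New key makes prev stored values (if any) unable to decode.
}

// Without a key there is nothing to decrypt with and nothing safe to store under,
// so the credential prompts are skipped; usr and pword stay "".
if (encKey) {
  usr = decodeOrPrompt(usr, "U-name", "lognUsr");
  pword = decodeOrPrompt(pword, "P-word", "lognPwd");
}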
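/**
 * Produces the clear-text value of one credential.
 *
 * A non-empty stored value is decrypted. If there is none, or it cannot be
 * decoded, the user is asked for the value and the answer is encrypted and saved
 * under setValVarName.
 *
 * @param {string} targVar - stored (encrypted) value, or "" when nothing is stored.
 * @param {string} userPrompt - label shown in the prompt text.
 * @param {string} setValVarName - GM storage key the value is saved under.
 * @returns {?string} the clear-text value, or null when the prompt was cancelled.
 */
function decodeOrPrompt(targVar, userPrompt, setValVarName) {
  if (targVar) {
    try {
      return unStoreAndDecrypt(targVar);
    } catch (err) {
      // An entry that no longer decodes would otherwise stop the script right
      // here, before the "Change ..." menu commands are registered. Ask again
      // instead. The stored blob itself is deliberately not logged.
      console.warn('Stored "' + setValVarName + '" could not be decoded; asking for it again.');
    }
  }

  var entered = prompt(
    userPrompt + ' not set for ' + location.hostname + '. Please enter it now:',
    ''
  );

  // Cancel yields null: store nothing so the next run asks again.
  if (entered !== null) {
    GM_setValue(setValVarName, encryptAndStore(entered));
  }
  return entered;
}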
/**
 * Encrypts a clear-text value under the script key and returns the string that
 * callers hand to GM_setValue(). Despite the name, nothing is stored here.
 *
 * The sjcl.encrypt() result is wrapped with JSON.stringify(); unStoreAndDecrypt()
 * undoes that with JSON.parse(), so the two functions must stay in step.
 *
 * @param {string} clearText - value to protect.
 * @returns {string} JSON text wrapping the SJCL output.
 */
function encryptAndStore(clearText) {
  var cipherBlob = sjcl.encrypt(encKey, clearText);
  return JSON.stringify(cipherBlob);
}
/**
 * Reverses encryptAndStore(): unwraps the JSON text read from GM storage and
 * decrypts it with the script key.
 *
 * Whatever JSON.parse() or sjcl.decrypt() throws is passed on to the caller.
 *
 * @param {string} jsonObj - stored string as produced by encryptAndStore().
 * @returns {string} whatever sjcl.decrypt() returns for it (the clear text).
 */
function unStoreAndDecrypt(jsonObj) {
  var cipherBlob = JSON.parse(jsonObj);
  return sjcl.decrypt(encKey, cipherBlob);
}
//-- Context-menu entries for changing the stored username and password, registered
//   in the order listed.
[
  ["Change Username", changeUsername],
  ["Change Password", changePassword]
].forEach(function (menuEntry) {
  GM_registerMenuCommand(menuEntry[0], menuEntry[1]);
});
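/**
 * Menu handler: asks for a new username, stores it, and updates the in-memory
 * copy. A cancelled prompt leaves both untouched.
 */
function changeUsername() {
  var updated = promptAndChangeStoredValue(usr, "U-name", "lognUsr");
  if (updated !== null) {
    usr = updated;
  }
}

/**
 * Menu handler: asks for a new password, stores it, and updates the in-memory
 * copy. A cancelled prompt leaves both untouched.
 */
function changePassword() {
  var updated = promptAndChangeStoredValue(pword, "P-word", "lognPwd");
  if (updated !== null) {
    pword = updated;
  }
}

/**
 * Prompts for a replacement value and saves it, encrypted, under setValVarName.
 *
 * @param {string} targVar - current clear-text value, offered as the prompt default.
 * @param {string} userPrompt - label shown in the prompt text.
 * @param {string} setValVarName - GM storage key the value is saved under.
 * @returns {?string} the new value, or null when the prompt was cancelled.
 */
function promptAndChangeStoredValue(targVar, userPrompt, setValVarName) {
  // NOTE(review): prompt() shows its default and the typed text in the clear,
  // so changing the password puts the current one on screen.
  var entered = prompt(
    'Change ' + userPrompt + ' for ' + location.hostname + ':',
    targVar
  );

  // Cancel yields null. Keep the stored value rather than encrypting null over it.
  if (entered === null) {
    return null;
  }

  GM_setValue(setValVarName, encryptAndStore(entered));
  // Returned so the menu handlers can refresh usr / pword. Assigning to the
  // targVar parameter would only change this function's local copy.
  return entered;
}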
// ADD YOUR CODE TO SET THE USERNAME AND PASSWORD ON THE LOGIN PAGE, HERE.
†Important:
- Logging in with a userscript always carries risk.
- This framework greatly reduces that risk, but the storage mechanisms available to Greasemonkey and Tampermonkey are not secure and browser vendors CYA against storing confidential information. The script keeps its encryption key in that same storage, right next to the encrypted values, so if a bad guy gets both your userscript and your browser data, then he can reverse engineer your password. Of course if he has that, he's most likely pwned one of your machines anyway.
- The smart thing to do is to use a password manager like LastPass, KeePass, etc.
- The absolute worst thing to do, is to store credentials in a userscript itself. Even a guest can see them then and you will be "hacked", guaranteed.