Closed Bug 1360944 Opened 7 years ago Closed 7 years ago

password autofill needs to stop trying to autofill passwords if the user cancels the master password dialog

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Version:
53 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1348791

People

(Reporter: realRaven, Unassigned)

References

Details

Attachments

(1 file)

Master Password Loop.png
28.05 KB, image/png
Details 
Firefox repeatedly asks for the masterpassword when dialog is cancelled, on the following page:

http://arenec.azurewebsites.net/Home/GetIfu?GUID=0d90987b-697d-46b4-8aa9-3de74afa6dc5

The error thrown is 

NS_ERROR_ABORT: User canceled master password entry 
resource://gre/components/crypto-SDR.js line:134

This happens after I lock the master password with the following code:

const Ci = Components.interfaces,
      Cc = Components.classes,
      tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(Ci.nsIPK11TokenDB);
    try {
      let token = tokenDB.getInternalKeyToken();
      token.logoutSimple();
    }

This code maybe wrong beforehand I was using 
tokenDB.findTokenByName("").logoutAndDropAuthenticatedResources();

but that is deprecated by Bug 1353916
Note the dialog will appear both after pressing Cancel or entering the wrong password, so you cannot continue using Firefox without entering the correct master password. 

The password lock meachnism that I programmed is tied to a button on the password manager window "lock master password after closing this window" and is invoked on the close event:

close: function close() {
  if (!this.isMasterPasswordActive)
    return;
  let cbProtect = document.getElementById('quickPasswordsLockAfterClosing');
  if (cbProtect) {
    if (cbProtect.checked) {
      this.logoutMaster();
    }  
  }
}
Presumably you have some saved passwords? It looks like that page has a password field, so I imagine Firefox is attempting to autofill it. This requires unlocking the key database with your master password, so Firefox asks for it. Maybe it will work if you disable the password manager completely? Otherwise, I think this is basically expected behavior (well, the UX of asking for the password could definitely be improved, but the same general thing is going to happen).
Flags: needinfo?(axelg)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #2)
> Presumably you have some saved passwords? It looks like that page has a
> password field, so I imagine Firefox is attempting to autofill it. This
> requires unlocking the key database with your master password, so Firefox
> asks for it. Maybe it will work if you disable the password manager
> completely? Otherwise, I think this is basically expected behavior (well,
> the UX of asking for the password could definitely be improved, but the same
> general thing is going to happen).

I have a Masterpassword set. I have written an Addon (QuickPasswords) which I am in the process of fixing for the recent changes of not being able to using the "empty token" - tokenDB.findTokenByName("") - in order to log out. 

Among other things, the addon adds a "lock" button to the password manageer dialog, which is used to toggle the protection status of Firefox as soon as you leave the dialog. Basically it does this:

const Ci = Components.interfaces,
      Cc = Components.classes,
      tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(Ci.nsIPK11TokenDB);

let token = tokenDB.getInternalKeyToken();
token.logoutSimple();

... this puts the browser back into the mode from _before_ the master password was entered. When I am on the site and the login form has focus, I am prompted for the masterr password right away (I didn't observe this behavior before necessarily, but this is not the actual problem)
The problem is that I cannot cancel this query - if I cancel it (because I want to stay "protected" and do not need to enter the master password) the dialog will be shown again and again, UNTIL I ENTER THE CORRECT MASTER PASSWORD. This clearly shouldn't happen; any ideas what I can do in my code to avoid this? I tried debugging it just have to find the right place in the core code to see why it is retriggered.
Flags: needinfo?(axelg)
Hmmm - doesn't look like it's your code (the same thing happens when I use the built-in "log out" button in the "device manager" / "security devices" dialog). What I'm seeing is if the softoken is logged out (master password is "locked", to use the terminology of the password manager) and the page focuses a username field, the password manager will attempt to autofill it, which pops up the master password dialog. When that gets cancelled, focus goes back to the username field, which causes the password manager to attempt to autofill it, and so on (if you're quick and you focus elsewhere, you might be able to get it to stop, if the page doesn't have js that autofocuses the field again). Long story short, the password autofill functionality is doing the wrong thing here - it probably needs to remember that the user cancelled and stop attempting to autofill passwords until navigation/refresh happens or something.
Component: Security → Password Manager
Product: Firefox → Toolkit
Summary: Endless loop asking for master password (azure website) → password autofill needs to stop trying to autofill passwords if the user cancels the master password dialog
Pretty sure this is a dupe of bug 1348791.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: