1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
Passman offers a api for extensions.
## Table of Contents
- [Authentication](#authentication)
- [Get vaults](#get-vaults-get)
- [Get vault](#get-vault-get)
- [Create new credential](#create-new-credential-post)
- [Update credential](#update-credential-patch)
- [Decrypting Credentials / challenge password ](#decrypting-credentials--challenge-password)
## Authentication
All apps must authenticate.
For example in JS it would be:
```
var encodedLogin ="MyUsername:MyPassword";
var request = new XMLHttpRequest({"mozAnon": true});
request.setRequestHeader("Authorization", "Basic " + encodedLogin);
request.setRequestHeader("Content-Type", "application/json");
```
An other option is logging in via HTTP Basic auth.
In this case an example would be:
`https://MyUsername:Mypassword@nextcloudinstance.com`
Connectivity via http is possible, but you *MUST* warn that their login credentials are send in plaintext.
The credentials from Passman are still send encrypted if http is used.
### Get vaults [GET]
`/apps/passman/api/v2/vaults`
This will return a list of vaults.
A vault consists of the following properties:
```
{
"vault_id": 17,
"guid": "64DDADA1-54A6-4BE6-AA2F-BCB2EC8E8455",
"name": "test",
"created": 1484175865,
"public_sharing_key": "-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1h6j+vLcvJDUgOi6VkjzDKTT0\r\nLXluie7+VH2DjnzeXO2QalHI1qAzd\/G51r2NArgwzKMm9g\/kGN1V+mcX3j2WZu\/E\r\n8o5jk83LaSlgcG9GIbOyXUXJlflvctnhPa8Em3GoM\/ZfO2EkkDYANTKvyiyRXroa\r\ny6m2C+aJVzxmhj5tvQIDAQAB\r\n-----END PUBLIC KEY-----\r\n",
"last_access": 1484216598,
"challenge_password": "eyJpdiI6IkFEWExocDFsRWFZSEZhc0cxY2NzUnciLCJ2IjoxLCJpdGVyIjoxMDAwLCJrcyI6MjU2LCJ0cyI6NjQsIm1vZGUiOiJjY20iLCJhZGF0YSI6IiIsImNpcGhlciI6ImFlcyIsInNhbHQiOiJFVmdZLzIxNmI0USIsImN0IjoiU3d5QUkzdVFqenh1cStwaCJ9"
}
```
Short description of the fields:
- `vault_id` - Id of the vault, only used within queries.
- `vault_guid` - The guid of the vault, use this when making requests.
- `name` - The name of the vault.
- `created` - Timestamp when the vault was created.
- `public_sharing_key` - The public sharing key.
- `last_access` - Timestamp when the vault was last accessed.
- `challenge_password` - Encrypted challenge password, you can use this to check if the user provided a correct password.
### Get vault [GET]
`/apps/passman/api/v2/vaults/{vault_guid}`
To request the credentials.
This will return the requested vault and it's credentials:
```$xslt
created: 1484175865
credentials: [{}, {}, ....]
guid: "64DDADA1-54A6-4BE6-AA2F-BCB2EC8E8455"
last_access: 1484217620
name: "test"
private_sharing_key ''
public_sharing_key: ''
sharing_keys_generated: 1484175865
vault_id: 17
vault_settings: null
```
To see how a credential is build up (which fields), see [create new credential](#Create new credential).
### Create new credential [POST]
`/api/v2/credentials`
Fields:
```$xslt
var credential = {
'vault_id': int,
'label': string,
'description': string,
'created': null (Will be set server side),
'changed': null (Will be set server side),
'tags': [{text: string}],
'email': string,
'username': string,
'password': string (encrypted),
'url': string (encrypted),
'favicon': string,
'renew_interval': int,
'expire_time': timestamp,
'delete_time': timestamp,
'files': [
{
filename: string,
size: int (size in bytes),
mimetype: string,
guid: string (generated server side)
}
],
'custom_fields': [
{
label: string,
value: string,
secret: bool,
field_type: 'text'
}
],
'otp': {},
'hidden': false
};
```
There are a few special fields here.
- `custom_fields`
- Those fields are added by the user `secret` indicates if the value should be hidden.
When posting to the endpoint the following fields are required:
- `label`
- `vault_id`
### Update credential [PATCH]
`/api/v2/credentials/{credential_guid}`
See [create new credential](#Create new credential).
### Decrypting Credentials / challenge password
For the client side encryption we use [sjcl](https://github.com/bitwiseshiftleft/sjcl).
To decrypt (and test if a valid key is given):
```$xslt
var encryption_config = {
adata: "",
iter: 1000,
ks: 256,
mode: 'ccm',
ts: 64
};
var ciphertext = window.atob(encryptedString);
var rp = {};
try {
return sjcl.decrypt(_key, ciphertext, encryption_config, rp);
} catch (e) {
throw e; // Invalid key
}
```
For decrypting the credentials you can use above code.
The following fields are encrypted:
- `description`
- `username`
- `password`
- `files`
- `custom_fields`
- `otp`
- `email`
- `tags`
- `url`
|
