feat(bitwarden): Password Manager / Vaultwarden support with cached session token #779

Open: theoephraim wants to merge 2 commits into main from bitwarden-pm-cached-session

Conversation

theoephraim (Member) commented Jun 12, 2026

Supersedes #585 (that branch was too stale to rebase, so this re-applies the Password Manager work onto current main and redesigns auth around the cache infra that has since landed).

Adds Bitwarden Password Manager (and self-hosted Vaultwarden) support to the bitwarden plugin via the bw CLI — distinct from the existing Secrets Manager support. The key improvement over #585: varlock unlocks the vault itself and caches the session token, so you no longer manually run bw unlock and paste a token into .env.local.

What's new

  • @initBwp() + bwp() — load fields (password/username/notes/totp/uri + custom fields) from vault items by name or UUID.
  • Auto-unlock by default — on first load, varlock runs bw unlock (interactive master-password prompt) and caches the resulting session token in varlock's encrypted cache. Each bw unlock invalidates prior session keys, so caching is essential, not just convenience.
  • sessionTtl defaults to forever — the cached token is encrypted at rest (biometric/Touch-ID-gated on platforms with a secure enclave), and Bitwarden's own vault-timeout governs when a fresh master-password unlock is actually needed (self-healing re-unlocks when the vault locks). A short varlock-side TTL would just add redundant prompts; set sessionTtl shorter to force periodic master-password re-auth anyway.
  • Both auth paths — omit sessionToken for auto-unlock, or pass sessionToken=$BWP_SESSION (pre-obtained token) / masterPassword=... for non-interactive / CI use.
  • Self-healing — a stale cached session ("Vault is locked.") triggers one transparent re-unlock + retry.
  • Optional value caching via cacheTtl, mirroring the existing bitwarden() resolver.
  • bwSessionToken data type.

Notes

  • Password Manager is CLI-only (unlike Secrets Manager's REST API), so @initBwp() itself is the signal to use bw — no extra opt-in flag.
  • In-flight dedupe ensures parallel resolutions never race competing unlocks.
  • Install guidance recommends trusted bw sources (and never auto-installs) given prior supply-chain incidents around the CLI.

Tests

9 integration tests against a fake bw CLI: auto-unlock, manual token, field/custom-field selection, error paths, stale-session re-unlock, and multiple instances. Error mapping validated against the real bw CLI (v2026.3.0).

Adds @initBwp / bwp() for the Bitwarden Password Manager (and self-hosted
Vaultwarden), accessed through the bw CLI. varlock unlocks the vault itself
and caches the resulting session token (encrypted, sessionTtl default 15m),
so users no longer have to manually run bw unlock and paste a session token
into a .env file.

- Auto-unlock by default; sessionToken=$BWP_SESSION or masterPassword= for
  non-interactive / CI use
- Optional cacheTtl to also cache resolved item field values
- Self-healing re-unlock when a cached session goes stale (Vault is locked)
- bwSessionToken data type; field selection (password/username/notes/totp/uri
  + custom fields)
- Integration tests with a fake bw CLI; docs + README updated
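To make the auth loop described above concrete, here is an added TypeScript sketch; it is not the plugin's or the PR's own code. It assumes a `BwRunner` callback standing in for spawning the `bw` CLI, a constructed fake CLI in place of the PR's test double, and the names `BwpSession`, `makeFakeBw` and `lock()` are invented for the illustration.

```typescript
// Added illustration, not the plugin's own code: cached session reuse, one transparent
// re-unlock on "Vault is locked.", and a shared in-flight unlock for parallel callers.
type BwRunner = (args: string[], session?: string) => Promise<string>;

class BwpSession {
  private cached?: string;            // the real plugin stores this encrypted; plain here
  private inflight?: Promise<string>; // dedupes concurrent unlocks
  private readonly run: BwRunner;
  unlockCalls = 0;

  constructor(run: BwRunner) { this.run = run; }

  // Return the cached token, or run `bw unlock --raw` once on behalf of all concurrent callers.
  async getSession(): Promise<string> {
    if (this.cached) return this.cached;
    if (!this.inflight) {
      this.unlockCalls++;
      this.inflight = this.run(["unlock", "--raw"])
        .then((tok) => (this.cached = tok.trim()))
        .finally(() => { this.inflight = undefined; });
    }
    return this.inflight;
  }

  // `bw get <field> <item>`; a stale session drops the cache, re-unlocks once and retries once.
  async getField(item: string, field: string): Promise<string> {
    try {
      return await this.run(["get", field, item], await this.getSession());
    } catch (err) {
      if (!(err instanceof Error) || !err.message.includes("Vault is locked.")) throw err;
      this.cached = undefined;
      return this.run(["get", field, item], await this.getSession()); // a second failure propagates
    }
  }
}

// Constructed fake bw CLI (stands in for the PR's test double): each unlock mints a new
// token and invalidates the previous one, as the PR notes; lock() simulates vault timeout.
function makeFakeBw() {
  let valid: string | undefined;
  let n = 0;
  const run: BwRunner = async (args, session) => {
    if (args[0] === "unlock") { valid = `sess-${++n}`; return `${valid}\n`; }
    if (args[0] !== "get") throw new Error(`unknown command: ${args[0]}`);
    if (!session || session !== valid) throw new Error("Vault is locked.");
    return `${args[1]}-of-${args[2]}`;
  };
  return { run, lock: () => { valid = undefined; } };
}
```

Two parallel first loads share a single unlock, and a vault timeout costs exactly one extra unlock rather than a failed resolution.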
github-actions Bot (Contributor) commented Jun 12, 2026

bumpy-frog

The changes in this PR will be included in the next version bump.

minor (Minor releases):

  • @varlock/bitwarden-plugin 1.1.0 → 1.2.0

This comment is maintained by bumpy.

cloudflare-workers-and-pages Bot commented Jun 12, 2026

Deploying with Cloudflare Workers

Status: ✅ Deployment successful!
Name: varlock-website
Latest Commit: 8c84706
Preview URL: Commit Preview URL, Branch Preview URL
Updated (UTC): Jun 12 2026, 06:58 AM

pkg-pr-new Bot commented Jun 12, 2026

npm i https://pkg.pr.new/@varlock/bitwarden-plugin@779

commit: 8c84706

The cached session token is encrypted at rest with varlock's local key
(biometric-gated on platforms with a secure enclave), so day-to-day cache
reads are already gated by the user. Bitwarden's own vault-timeout governs
when a fresh master-password unlock is actually required (self-healing
re-unlocks when the vault locks), so a short varlock-side TTL just adds
redundant master-password prompts. Default to forever; overridable via
sessionTtl.