Prompt for 2FA code on initial login. Closes #14

Author: firecat53

README.md

@@ -10,6 +10,8 @@ LLC.
 
 - Auto-type username and/or password on selection. No clipboard copy/paste
   involved.
+- Login with 2FA code from Authenticator(TOTP), Email, or Yubikey (only these
+  are supported by the Bitwarden CLI).
 - Select any single field and have it typed into the active window. Notes fields
   can be viewed line-by-line from within dmenu and the selected line will be
   typed when selected.
@@ -67,7 +69,8 @@ LLC.
   + Available in the [Archlinux AUR][aur].
 
 - If you start bwm for the first time without a config file, it will prompt
-  you for server name and login email and save them in the config file.
+  you for server name, login email, and 2FA type and save them in the config
+  file.
 
 - Copy config.ini.example to ~/.config/bwm/config.ini, or use it as a
   reference for additional options.
@@ -107,8 +110,8 @@ convenience for testing.
 ## Usage
 
 - Run script or bind to keystroke combination
-- Enter server URL (default `vault.bitwarden.com`) and login email if not
-  entered into config.ini already.
+- Enter server URL (default `vault.bitwarden.com`), login email and 2FA type if
+  not entered into config.ini already.
 - Start typing to match entries.
 - Hit Enter immediately after dmenu opens ("`View/Type individual entries`") to
   switch modes to view and/or type the individual fields for the entry. If

bwm.1

@@ -10,46 +10,49 @@ vaults.
 \fB1.\fR Auto\-type username and/or password on selection. No clipboard
 copy/paste involved.
 
-\fB2.\fR Use a custom Keepass 2.x style auto\-type sequence if you have one
+\fB2.\fR Login with 2FA code from Authenticator(TOTP), Email, or Yubikey (only
+these are supported by the Bitwarden CLI).
+
+\fB3.\fR Use a custom Keepass 2.x style auto\-type sequence if you have one
 defined (except for character repetition and the \(aqspecial commands\(aq). Set
 it per entry and/or set a default in the config file for all entries.
 
-\fB3.\fR Select any single field and have it typed into the active window. Notes
+\fB4.\fR Select any single field and have it typed into the active window. Notes
 fields can be viewed line\-by\-line from within dmenu and the selected line will
 be typed when selected.
 
-\fB4.\fR Open the URL in the default web browser from the View/Type menu.
+\fB5.\fR Open the URL in the default web browser from the View/Type menu.
 
-\fB5.\fR Alternate keyboard languages and layouts supported via xdotool or
+\fB6.\fR Alternate keyboard languages and layouts supported via xdotool or
 ydotool (for Wayland).
 
-\fB6.\fR Edit entry title, username, URL and password (manually typed or
+\fB7.\fR Edit entry title, username, URL and password (manually typed or
 auto\-generate).
 
-\fB7.\fR Edit notes using terminal or gui editor (set in config.ini, or uses
+\fB8.\fR Edit notes using terminal or gui editor (set in config.ini, or uses
 $EDITOR).
 
-\fB8.\fR Add and Delete entries.
+\fB9.\fR Add and Delete entries.
 
-\fB9.\fR Rename, move, delete and add folders and collections.
+\fB10.\fR Rename, move, delete and add folders and collections.
 
-\fB10.\fR Move any item to or from an organization, including support for multiple collections.
+\fB11.\fR Move any item to or from an organization, including support for multiple collections.
 
-\fB11.\fR Prompts for and saves initial server URL and login email.
+\fB12.\fR Prompts for and saves initial server URL and login email.
 
-\fB12.\fR Define multiple vault URLs in the config file.
+\fB13.\fR Define multiple vault URLs in the config file.
 
-\fB13.\fR Hide selected folders from the default and \(aqView/Type Individual
+\fB14.\fR Hide selected folders from the default and \(aqView/Type Individual
 entries\(aq views.
 
-\fB14.\fR Configure session timeout.
+\fB15.\fR Configure session timeout.
 
-\fB15. \fR Configure the characters and groups of characters used during
+\fB16. \fR Configure the characters and groups of characters used during
 password generation in the config file (see config.ini.example for
 instructions). Multiple character sets can be selected on the fly when using
 Rofi if the `-multi-select` option is passed via `dmenu_command`.
 
-\fB16.\fR Optional Pinentry support for secure passphrase entry.
+\fB17.\fR Optional Pinentry support for secure passphrase entry.
 
 .SH LICENSE
 Copyright © 2021 Scott Hansen <firecat4153@gmail.com>.  Bitwarden-menu is
@@ -98,7 +101,8 @@ OR
 
 .SH CONFIGURATION
 \fB1.\fR If you start bwm for the first time without a config file, it will
-prompt you for server name and login email and save them in the config file.
+prompt you for server name, login email and 2FA type and save them in the config
+file.
 
 \fB2.\fR Copy config.ini.example to ~/.config/bwm/config.ini, or use it as a
 reference for additional options.
@@ -153,8 +157,8 @@ convenience for testing.
 .SH USAGE
 \fB1.\fR Run script or bind to keystroke combination
 
-\fB2.\fR Enter server URL (default vault.bitwarden.com) and login email if not
-entered into config.ini already.
+\fB2.\fR Enter server URL (default vault.bitwarden.com), login email and 2FA
+type if not entered into config.ini already.
 
 \fB3.\fR Start typing to match entries.
 

bwm/__init__.py

@@ -37,8 +37,9 @@
         CONF.set('dmenu_passphrase', 'obscure', 'True')
         CONF.set('dmenu_passphrase', 'obscure_color', '#222222')
         CONF.add_section('vault')
-        CONF.set('vault', 'server_1', 'https://vault.bitwarden.com')
+        CONF.set('vault', 'server_1', '')
         CONF.set('vault', 'email_1', '')
+        CONF.set('vault', 'twofactor_1', '')
         CONF.set('vault', 'session_timeout_min ', str(SESSION_TIMEOUT_DEFAULT_MIN))
         CONF.set('vault', 'autotype_default', SEQUENCE)
         CONF.write(conf_file)

bwm/bwcli.py

@@ -39,13 +39,21 @@ def set_server(url="https://vault.bitwarden.com"):
     return True
 
 
-def login(email, password):
+def login(email, password, method=None, code=""):
     """Initial login to Bitwarden Vault.
 
+        Args: email - string
+              password - string
+              method - int (0: Authenticator, 1: Email, 3: Yubikey)
+              code - OTP code
+
         Returns: session (bytes) or False on error, Error message
 
     """
-    res = run(["bw", "login", "--raw", email, password], capture_output=True, check=False)
+    cmd = ["bw", "login", "--raw", email, password]
+    if method and code:
+        cmd = ["bw", "login", "--raw", email, password, "--method", method, "--code", code]
+    res = run(cmd, capture_output=True, check=False)
     if not res.stdout:
         logging.error(res)
         return (False, res.stderr)

bwm/bwm.py

@@ -17,13 +17,16 @@
 import bwm
 
 
-def get_passphrase():
+def get_passphrase(twofac=False):
     """Get a vault password from dmenu or pinentry
 
-    Returns: string
+        Args: twofac - bool (default False) prompt for 2FA code
+        Returns: string
 
     """
     pinentry = None
+    pin_prompt = 'setdesc Enter vault password\ngetpin\n' if twofac is False \
+        else 'setdesc Enter 2FA code\ngetpin\n'
     if bwm.CONF.has_option("dmenu", "pinentry"):
         pinentry = bwm.CONF.get("dmenu", "pinentry")
     if pinentry:
@@ -32,13 +35,13 @@ def get_passphrase():
                              capture_output=True,
                              check=False,
                              encoding=bwm.ENC,
-                             input=b'setdesc Enter vault password\ngetpin\n').stdout
+                             input=pin_prompt).stdout
         if out:
             res = out.split("\n")[2]
             if res.startswith("D "):
                 password = res.split("D ")[1]
     else:
-        password = dmenu_select(0, "Password")
+        password = dmenu_select(0, "Password" if twofac is False else "2FA Code")
     return password
 
 
@@ -58,6 +61,9 @@ def get_vault():
         idx = srv.rsplit('_', 1)[-1]
         email = args_dict.get(f'email_{idx}', "")
         passw = args_dict.get(f'password_{idx}', "")
+        twofactor = args_dict.get(f'twofactor_{idx}', None)
+        if not args_dict[srv] or not email:
+            continue
         try:
             cmd = args_dict[f'password_cmd_{idx}']
             res = subprocess.run(shlex.split(cmd),
@@ -71,8 +77,7 @@ def get_vault():
                 passw = res.stdout.rstrip('\n') if res.stdout else passw
         except KeyError:
             pass
-        if srv:
-            vaults.append((args_dict[srv], email, passw))
+        vaults.append((args_dict[srv], email, passw, twofactor))
     if not vaults or (not vaults[0][0] or not vaults[0][1]):
         res = get_initial_vault()
         if res:
@@ -85,7 +90,7 @@ def get_vault():
         vaults = [i for i in vaults if i[0] == sel]
         if not sel or not vaults:
             return None
-    url, email, passw = vaults[0]
+    url, email, passw, twofactor = vaults[0]
     status = bwcli.status()
     if status is False:
         return None
@@ -98,7 +103,8 @@ def get_vault():
         if res is False:
             return None
     if status['userEmail'] != email or status['status'] == 'unauthenticated':
-        session, err = bwcli.login(email, passw)
+        code = get_passphrase(True) if twofactor else ""
+        session, err = bwcli.login(email, passw, twofactor, code)
     elif status['status'].endswith('locked'):
         session, err = bwcli.unlock(passw)
     if session is False:
@@ -111,17 +117,21 @@ def get_initial_vault():
     """Ask for initial server URL and email if not entered in config file
 
     """
-    url = dmenu_select(0, "Enter server URL.")
+    url = dmenu_select(0, "Enter server URL.", "https://vault.bitwarden.com")
     if not url:
         dmenu_err("No URL entered. Try again.")
         return False
     email = dmenu_select(0, "Enter login email address.")
+    twofa = {'None': '', 'TOTP': 0, 'Email': 1, 'Yubikey': 3}
+    method = dmenu_select(len(twofa), "Select Two Factor Auth type.", "\n".join(twofa))
     with open(bwm.CONF_FILE, 'w', encoding=bwm.ENC) as conf_file:
         bwm.CONF.set('vault', 'server_1', url)
         if email:
             bwm.CONF.set('vault', 'email_1', email)
+        if method:
+            bwm.CONF.set('vault', 'twofactor_1', str(twofa[method]))
         bwm.CONF.write(conf_file)
-    return (url, email, '')
+    return (url, email, '', twofa[method])
 
 
 def dmenu_view(entries, folders):

config.ini.example

@@ -16,6 +16,7 @@
 # email_1 = <login email>
 # password_1 = vault password  **INSECURE**
 # password_cmd_1 = <command to generate vault password>
+# twofactor_1 = <0 for totp, 1 for email or 3 for yubikey>
 # server_2 = <url>
 # email_2 = <login email>
 # etc....