Files
keepassgo/docs/browser-extension.md
T
2026-04-11 23:45:48 -07:00

5.3 KiB

Browser Extension

KeePassGO browser integration uses:

  • the existing local gRPC API in KeePassGO
  • API tokens for authorization
  • a tiny native messaging host for browser-to-gRPC transport adaptation

The browser extension does not talk to vault files directly.

Security Model

  • KeePassGO remains the source of truth for authentication, authorization, approvals, and audit events.
  • The browser extension stores the gRPC address and API token in browser extension storage.
  • The native messaging host receives the token on each request from the extension.
  • The native messaging host uses the token only to attach authorization: Bearer ... metadata to the local gRPC request.
  • The native messaging host does not persist the token to disk.

The native messaging host is therefore part of the trusted client for that browser profile. Scope the API token accordingly.

RPCs Used

The browser integration uses:

  • GetSessionStatus
  • FindBrowserLogins
  • GetBrowserCredential

The browser feature intentionally stays on the same secure gRPC surface used by other trusted automation.

Default Listener

On desktop KeePassGO listens on a Unix socket by default:

  • primary location: under the user runtime directory
  • fallback: /run/user/<uid> if present
  • final fallback: a private directory under the system temp directory

Override the listener with -grpc-addr or KEEPASSGO_GRPC_ADDR, for example:

KEEPASSGO_GRPC_ADDR=tcp://127.0.0.1:47777 ./keepassgo

Native Host

Build the bridge:

go build ./cmd/keepassgo-browser-bridge

On Linux desktop builds, KeePassGO now refreshes the user-scoped native messaging manifests on launch. That automatic update always installs the Firefox manifest and also installs Chrome or Chromium manifests when it finds an installed KeePassGO Browser extension in that browser profile. The Arch package also ships the extension assets under /usr/share/keepassgo/browser-extension/.

Install a Firefox native messaging manifest:

./keepassgo-browser-bridge install-native-host --browser firefox --binary /absolute/path/to/keepassgo-browser-bridge

Install a Chromium native messaging manifest:

./keepassgo-browser-bridge install-native-host --browser chromium --binary /absolute/path/to/keepassgo-browser-bridge --extension-key-file /path/to/chromium-extension-public-key.txt

Chrome and Chromium require the actual extension id in the native host manifest. KeePassGO can derive that id from the Chromium manifest public key so you do not have to type it separately.

For a fixed Chromium ID:

  1. Keep a stable Chromium extension signing key outside the repo.
  2. Add the corresponding public key to the Chromium manifest as "key": "<base64-public-key>".
  3. Use the same public key with install-native-host --extension-key-file ... so the native host manifest is locked to that stable extension ID.

Extension Setup

Firefox:

  1. Load browser/extension/manifest.firefox.json as a temporary add-on or package it as an extension.
  2. Open the extension settings page.
  3. Leave the gRPC address blank to use the local default Unix socket, or set an explicit address if you overrode the listener.
  4. Paste an API token scoped for browser login lookup and credential copy.

Chromium / Chrome:

  1. Load a Chromium manifest based on browser/extension/manifest.chromium.json, or install the published extension when that distribution exists.
  2. Start KeePassGO once so it can refresh the native host manifest for the discovered extension id.
  3. Configure the gRPC address and API token in the extension settings page.

Current Browser Flow

  • The extension checks sign-in pages in the background and caches per-tab match state instead of waiting for the popup to be opened first.
  • The toolbar badge shows when KeePassGO found matches for the current page.
  • Username and password fields get an inline KeePassGO affordance that opens a candidate chooser anchored to the focused field and keeps fills scoped to that field's form when possible.
  • If a fill request needs user approval, the extension keeps the pending state visible in both the page affordance and the popup until KeePassGO resolves it, using the token-scoped pending-approval count from the local gRPC API.

For extension-side regression checks, run:

node --test browser/extension/background.test.cjs browser/extension/content.test.cjs

For a reproducible real-browser Chromium validation harness, run:

make browser-extension-validate

That target:

  • validates the Firefox flow by default with a temporary addon install
  • can also validate Chromium with make browser-extension-validate BROWSER=chromium
  • builds the native messaging bridge
  • starts a stub KeePassGO gRPC server and a local login page
  • drives the browser through inline match discovery, approval visibility, and fill completion

If validation fails, the script preserves its temporary workspace path so the captured HTML, screenshots, logs, and native-host files can be inspected.

Required Token Scope

At minimum, the browser token should have policy rules allowing:

  • list_entries for the groups you want the browser to search
  • copy_username for entries the browser may fill
  • copy_password for entries the browser may fill
  • copy_url for entries the browser may confirm against page URL