About

PassWeaver-GUI is a WEB interface to PassWeaver-API, bringing you a portable, collaborative and enterprise-scale password management system.

PassWeaver-GUI is an opensource project, released under MIT license. See Technical info for some details.

Features

• Personal folders for each user
• Favorite items
• Share one-time secrets with anyone, even if they have not an account; an alternative server name can be specified in case of public shares
• One-time share items (also with optional server name)
• Share items through permalinks; an alternative server name can be specified for these links
• Read only mode
• Folder level permissions
• User groups
• Extensive log actions on items
• Both LDAP and local authentication
• CSP compliant pages
• Quick and clean user interface
• Light and dark theme setting for each user

Forewords

PassWeaver-GUI is a complete frontend for PassWeaver-API; everything you can do with your items, folders, users and groups is defined in PassWeaver-API. See docs at this link for a detailed description of what PassWeaver-API is.

While PassWeaver-API is a generic and independent backend API, PassWeaver-GUI is its perfect UI companion.

Basics

With PassWeaver-GUI you will manage these entities:

• Items, holding your secret data
• Items type
• Users
• Groups
• Folders
• One time secrets

In a few words:

• items are stored in folders, and folders can contain both items and other folders.
• users join groups (one or more), and…
• groups can read or write a given folder, its items and subfolders.

Login

Access the site using your credentials:

Searchbox

In the top bar you can fast search items: the top 10 results will be shown:

Items

This is what the items page looks like:

In “Folders” left pane you can create a subfolder, modify or delete a folder, if you have write permissions. You can also search for a folder and use the previous/next buttons to navigate the tree.

In “Items” right pane you have a list of folder items with the following actions:

• Toggle favorite
• View item
• Edit item
• Delete item
• Clone item
• Copy link
• One-time share link (see below)
• View history

You have also buttons for showing or copying the passwords without the need of showing them.

You can create items using the blue “plus” button.

Some actions may be unavailable if you don’t have write permissions on the folder.

By double clicking the item title, or by clicking on details or edit buttons, the following popup is shown.

In the header, you have a button to copy the item permalink and to show the item history.

When creating a new item, only the “Title” field is mandatory, all the remaining fields are optional.

One time item share

By clicking the “One time share” icon (the circled 1) in item list, you can share this item with someone who normally does not have access to the folder (or even to the application itself): you’ll be prompted with a dialog to choose the type of “peer” you are willing to share with:

By clicking “Share” button, a link will be copied in your clipboard: share this link with your peer and he will be able to show this item, only once.

For public links (items shared with anyone) you can also specify an alternative server name, see below

Personal folders

Each user has a personal folder named after its login. Only the user can unlock this folder because it’s protected with an additional password that is set the first time the user clicks on the folder:

Note that this password is used to further encrypt user’s personal items, so if it get lost it will not be possible to decrypt them anymore!

The password will be asked again at every new login:

Once unlocked, the personal folder will work as any other folder.

Search

You can search items by using the left pane menu or by clicking Ctrl+\ as a shortcut (start typing something and press Enter).

You can search items with a matching title, username or folder name (parents included) within all the folders you have access to. Items can be filtered by type and favorite flag.

In the actions column, you have buttons to toggle favorite, view the item, copy the permalink or access the folder.

Generator

This page lets you generate a random secure password both with symbols or without. You can copy it or generate another one by clicking on the wand button. By clicking the circled “1” icon, you can rapidly create a one time token (see below).

One time secret

With one-time-secret you can share a secret information by creating a public link that will be visible only once.

Type the secret and then press the “Create link” button:

You can decide who is authorized to read this secret:

• Anyone: anyone who has the link, logged in or not in PassWeaver (public links)
• Anyone logged in PassWeaver
• A specific logged in user

You can then share the link with your peer: the link is public and will be usable only once.

By clicking the “Show secret” button, the secret will be displayed, and the link will be “burnt”:

Alternative server name for public links

You can configure (see onetimesecret_public_server in Configure below) a different server name for public links (onetime secrets shared with anyone): this is convenient in case you want to publish on the Internet only the page that allows anyone to see public shared secrets, but not the entire site (e.g. no login page): you can then configure a reverse proxy to accept requests for your “alternative” domain name only if they begin with /noauth/onetimesecret or /public.

Preferences

In the “Preferences” page, you can:

• Choose your theme (light or dark)
• Change your login password (if Authentication is local, see Users )
• Change your personal folder password (if you have unlocked the personal folder)
• Reset your personal folder (if you have not unlocked the personal folder)

Note that resetting the personal folder password will require you a couple of confirmation steps, because doing so will cause ALL YOUR PERSONAL ITEMS WILL BECOME UNREADABLE, being encrypted with the old password.

Admin pages

Administrators have a different set of pages: they do NOT have access to any item, but they have the possibility to create, rename or delete folders (if empty), manage users and groups, and assign/revoke permissions on folders to groups.

Folders

In this page you can assign/remove groups to a given folder, and you can toggle the permissions by clicking on the shield icon.

Inherited permissions from parent folders cannot be modified.

Admins can create or rename folders and also delete folders, if empty.

Users

From this page you can add or delete users, and assign/remove the groups membership.

Activity

By clicking the history button (the clock icon) in user list you can access a history of user’s activity:

Only more recent events are shown, click on “Load more” button in order to load more activity.

Folder visibility

By clicking the folder icon in user list, you can see what folders he has access to:

User groups

You can copy the current users groups in order to assign them to another user:

• Select a user from the list
• Click “Copy groups” button
• Select the target user
• Click:
  • Paste groups: add the copied groups to the target users
  • Replace groups: replace target user’s groups with the copied ones

When creating a new user you’re prompted with this dialog:

• Login: mandatory
• Email: mandatory
• Last name: mandatory
• First name
• Locale: at the moment only en_US is supported; mandatory
• Authentication method: local or LDAP; mandatory
• Password and confirm password: only used in local authentication, they are nevertheless mandatory even if you use LDAP auth.

Groups

From this page you can create or delete groups, and add/remove members. You can nest groups, but membership is NOT inherited: the user is only member of explicitly assigned groups.

You can also copy all users of a group and paste/replace into another, as already explained for users.

Info

This page displays some information about API and GUI status:

Settings

Item types

From this page you can manage item types:

Note that when you delete and item types, every item that used that type will be reset to ‘null’.

Clear cache

In the “Cache” tab, you can reset the API cache causing it to reload users permissions and visible folders.

Clearing the cache is needed only after directly operating on the database… which is not advisable anyway.

Read-only mode

Admins can set the system in a read-only status: this will make all write operations (even admin ones like creating new users) result in an error.

Lock system

When locking the system, only admins will be able to login; all currently logged in users will be logged out automatically.

Note that when you click the “Lock system”, you will be logged out as well (but being an admin, you will be able to log back in).

Install and run

Prerequisites

In order to be able to install PassWeaver API, you need:

• NodeJS and npm
• A running PassWeaver-API

A running Redis instance is warmly advised for a production environment.

Install

• Download the latest release from GitHub lastest release
• Install all dependencies with npm:

npm ci

Configure

Copy config-skel.json to config.json and adjust the options; note that ALL configuration entries are mandatory, leave blank if not used.

• listen:
  • port: port to bind the HTTP server
  • host: IP address to bind the HTTP server (or blank for any address)
• server:
  • item_link_server: If not blank, this URL will be used for items links, instead of the current one it must be in the form protocol://server<:port> (e.g. https://my.server.com)
  • onetimesecret_public_server: If not blank, this URL will be used for public one time secrets, instead of the current one; it must be in the form protocol://server<:port> (e.g. https://my.server.com)
  • rate_limit_max_requests: Max number of request PER MINUTE for these two pages:
    • Authorization page (not the login page, but the one called after you insert the credentials)
    • If onetimesecret_public_server is specified, the public link for onetimesecrets
• passweaverapi_url: URL for PassWeaver-API (/api/v1 included)
• company_name: Company name
• log:
  • dir: Logs directory. It will be created if necessary.
  • rotation: Rotation interval. For example, “12h” or “1d”
  • retention: Log files retention (number of rotated log files kept)
• https:
  • enabled: HTTPS enabled (true/false)
  • certificate: certificate file path
  • private_key: certificate private key
  • hsts: enable HSTS (true/false)
• onetimetokens:
  • default_hours: Default one-time tokens expiration in hours
• redis:
  • enabled: true or false; if false, internal cache is used (not good for production)
  • url: Redis url
• folders:
  • user_managed: if true, non-admin can create and delete folders; false otherwise

Environment

If you’re installing a production environment, don’t forget to set variable NODE_ENV to production, Passweaver GUI and some of its dependencies use this variable to optimize operations.

Run

You can run PassWeaver GUI by executing:

npm start

Technical specs

Passweaver-GUI is developed in NodeJS and uses these great libs (among others):

• ExpressJS (v5)
• EJS for HTML templating
• Shoelace WEB components
• Morgan for logging
• Helmet and Lusca for CSFR and CSP compliance