Breakdown of web app

So I've picked through sync.com and for the most part is was pretty easy to follow. 1Password has been the opposite.
I can see there are a few items stored in localStorage (email,deviceUUID,prefix and encrypted account key?) I notice that images come through on scroll in the form of data URIs others as png files so I am thinking all or most of the text data comes through at once. I should mention I get a ton of failures with png. I see some protocol switching, a bunch of overview requests, password lists, misses from Cloudfront etc.

Anyway I can go on but is there a breakdown of how the web app works? I expected keys to be in localStorage however the only piece that seems to be in there is the account key which only effects the next login if changed. So keys are being decrypted and stored somewhere other than Chrome cache or localStorage.

I'd love to know as much as possible however no comments and 20,000+ lines of JS in one file (a lot of which I can barely if at all understand) leads me hear asking for a breakdown. My recommendation is/has been 1Password to clients and for most the web app is not a thing they use but it came up as a few went on vacation and asked questions about the web app I could no answer. I personally am on families but I assume something like this is the same regardless of teams which they are on.

Thanks in advance,
Tom
@jpgoldberg seems to like these questions perhaps he can :)

Also can't say this enough you guys rock! Though I did just do the most recent Windows client with a new client and I had to keep saying this is not how it works on Mac. Hopefully it catches up ;)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • JasperJasper

    Team Member

    Hi @tommyent,

    Anyway I can go on but is there a breakdown of how the web app works?

    We don't currently have any detailed/technical documentation of how the web app works, but we're happy to answer any specific questions you have.

    I can see there are a few items stored in localStorage (email,deviceUUID,prefix and encrypted account key?)

    That's right... we store various data in Local Storage that needs to be saved for the next time the user loads the web app. This includes account info (like the four things you've mentioned), local preferences (password generator, auto-lock, etc), and other state info (banner dismissed, etc). If you check the "public computer" box on the sign in page, the use of Local Storage is limited.

    Also, please note the Account Key is only obfuscated, not encrypted.

    I notice that images come through on scroll in the form of data URIs others as png files so I am thinking all or most of the text data comes through at once. I should mention I get a ton of failures with png. I see some protocol switching, a bunch of overview requests, password lists, misses from Cloudfront etc.

    Based on your description here, I'm guessing you're looking at the vault view and scrolling though the item list.

    The PNG files would be from our rich icon service, which provides icons for most popular websites. The web app requests a rich icon for every login item, but if we don't have that site in our rich icon database, the request will fail (404 Not Found).

    If an item has a custom icon set, the encrypted icon will be downloaded, decrypted, then converted to a data URI.

    The overview requests are for the encrypted overviews of all the items in the vault.

    And the password lists are used for the password generator and strength meter.

    I expected keys to be in localStorage however the only piece that seems to be in there is the account key which only effects the next login if changed. So keys are being decrypted and stored somewhere other than Chrome cache or localStorage.

    Your keys are never saved anywhere, only kept in JavaScript memory. If you open a new window or tab, you will need to sign in with your Master Password again.

    I'd love to know as much as possible however no comments and 20,000+ lines of JS in one file (a lot of which I can barely if at all understand) leads me hear asking for a breakdown.

    The JavaScript you see in the browser is compressed... what you're looking at is not the original code. That's why there's no proper naming and formatting, comments, etc.

    Please let us know if you have any other questions and we'll be happy to help.

  • Thanks

  • brentybrenty

    Team Member

    On behalf of Jasper, you are most welcome! I'm glad that he was able to help. Be sure to let us know if you have any other questions, comments, or suggestions. And have a great weekend! :)

This discussion has been closed.