feat: added support for apikey authorization

.gitignore

@@ -1,2 +1,4 @@
 .docker-export
 results
+*.enc
+.env

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.0](https://hub.docker.com/r/mastermindzh/bw-export/tags)
+
+- Added support for apikey authorization
+  - Skips 2 factor authentication
+
 ## [1.1.1]
 
 Cleaned up the export.sh script from extraneous documentation and a useless empty echo.

Dockerfile

@@ -2,11 +2,11 @@ FROM node:lts-slim
 
 # install openssl
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends openssl && \
+    apt-get install -y --no-install-recommends openssl expect && \
     rm -rf /var/cache/apk/*
 
 # install bitwarden-cli
-RUN npm install -g @bitwarden/cli@2023.2.0
+RUN npm install -g @bitwarden/cli
 
 # add the export script
 RUN mkdir -p /opt/bw-export

README.md

@@ -42,7 +42,7 @@ You can tweak a lot of the internal workings of bw-export with simple environmen
 The list below outlines most of them:
 
 | Variable            | Default value                             | Description                                                           |
-| ------------------- | ---------------------------------------- | -------------------------------------------------------------- |
+| ------------------- | ----------------------------------------- | --------------------------------------------------------------------- |
 | BW_ACCOUNT          | `bitwarden_vault_test@mastermindzh.tech`  | Bitwarden email address                                               |
 | BW_PASS             | `VGhpc0lzQVZhdWx0UGFzc3dvcmQK`            | Bitwarden password                                                    |
 | BW_FILENAME_PREFIX  | `bitwarden_vault_export_`                 | Prefix to use for generated files ($prefix$timestamp.enc)             |
@@ -52,3 +52,6 @@ The list below outlines most of them:
 | BW_PASSWORD_ENCODE  | `base64`                                  | "plain", or "base64", depending on whether you encoded BW_PASS        |
 | BW_OPENSSL_OPTIONS  | `aes-256-cbc -pbkdf2 -iter 100000`        | Options passed to openssl's "enc" command                             |
 | BW_ENCRYPTION_PASS  | `$BW_PASS` (same value as BW_PASS)        | Password to encrypt the json file                                     |
+| BW_AUTH_METHOD      | password                                  | Whether to login with a password or  apikey (apikey required for 2fa) |
+| BW_CLIENT_ID        | user.cc433b96-4767-432f-85a5-b11100d4faa6 | Bitwarden client id                                                   |
+| BW_APIKEY           | OG1LS3RSVzdXVWRZN25UWEgwdkdOUVMzV0QzVTZr  | Bitwarden api key                                                     |

export.sh

@@ -9,8 +9,13 @@ bw_logout() {
 }
 
 # environment variables
-BW_ACCOUNT=${BW_ACCOUNT:-"bitwarden_vault_test@mastermindzh.tech"}
-BW_PASS=${BW_PASS:-"VGhpc0lzQVZhdWx0UGFzc3dvcmQK"}
+# BW_AUTH_METHOD=${BW_AUTH_METHOD:-"password"}
+BW_AUTH_METHOD=${BW_AUTH_METHOD:-"apikey"}
+BW_CLIENT_ID=${BW_CLIENT_ID:-"fake_client_id"}
+BW_APIKEY=${BW_APIKEY:-"fake_apikey"}
+
+BW_ACCOUNT=${BW_ACCOUNT:-"fake_account"}
+BW_PASS=${BW_PASS:-"fake_password"}
 BW_FILENAME_PREFIX=${BW_FILENAME_PREFIX:-"bitwarden_vault_export_"}
 BW_TIMESTAMP=${BW_TIMESTAMP:-"+%Y-%m-%d %H:%M:%S"}
 BW_EXPORT_FOLDER=${BW_EXPORT_FOLDER:-"/export"}
@@ -23,6 +28,7 @@ BW_ENCRYPTION_PASS=${BW_ENCRYPTION_PASS:-"$BW_PASS"}
 BW_INTERNAL_TIMESTAMP=$(date "$BW_TIMESTAMP")
 BW_INTERNAL_PASSWORD="$BW_PASS"
 BW_INTERNAL_ENCRYPTION_PASS="$BW_ENCRYPTION_PASS"
+BW_INTERNAL_API_KEY="$BW_APIKEY"
 BW_INTERNAL_FOLDER_STRUCTURE="$BW_EXPORT_FOLDER"
 BW_ENC_OUTPUT_FILE="$BW_FILENAME_PREFIX$BW_INTERNAL_TIMESTAMP.enc"
 if [ -n "$BW_FOLDER_STRUCTURE" ]; then
@@ -39,6 +45,7 @@ case $BW_PASSWORD_ENCODE in
 "base64")
     BW_INTERNAL_PASSWORD=$(echo "$BW_INTERNAL_PASSWORD" | base64 -d)
     BW_INTERNAL_ENCRYPTION_PASS=$(echo "$BW_INTERNAL_ENCRYPTION_PASS" | base64 -d)
+    BW_INTERNAL_API_KEY=$(echo "$BW_INTERNAL_API_KEY" | base64 -d)
     ;;
 "none" | "plain")
     echo "using un-encoded password."
@@ -51,7 +58,31 @@ case $BW_PASSWORD_ENCODE in
 esac
 
 #login
+case $BW_AUTH_METHOD in
+
+"password")
     BW_SESSION=$(bw login "$BW_ACCOUNT" "$BW_INTERNAL_PASSWORD" --raw)
+    ;;
+"apikey")
+
+    export BW_CLIENT_ID=$BW_CLIENT_ID
+    export BW_INTERNAL_API_KEY=$BW_INTERNAL_API_KEY
+    expect >/dev/null <<'EOF'
+        spawn bw login --apikey
+        expect "client_id:"
+        send "$env(BW_CLIENT_ID)\n" 
+        expect "client_secret:"
+        send "$env(BW_INTERNAL_API_KEY)\n" 
+        expect eof
+EOF
+
+    BW_SESSION=$(bw unlock --raw "$BW_INTERNAL_PASSWORD")
+    ;;
+*)
+    echo "unrecognized authorization method."
+    exit 1
+    ;;
+esac
 
 # commands
 echo "Exporting to \"$BW_ENC_OUTPUT_FILE\""
@@ -59,6 +90,9 @@ bw --raw --session "$BW_SESSION" export --format json | openssl enc $BW_OPENSSL_
 bw_logout
 
 # make sure none of these are available later
+unset BW_CLIENT_ID
+unset BW_APIKEY
+unset BW_INTERNAL_API_KEY
 unset BW_SESSION
 unset BW_ACCOUNT
 unset BW_PASS

package.json

@@ -1,10 +1,12 @@
 {
   "name": "bw-export",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "bw-export is a simple bash script that exports a raw, encrypted JSON copy of your Bitwarden vault.",
   "main": "export.sh",
   "scripts": {
-    "docker-build": "docker build -t bw-export .",
+    "start": "export $(cat .env | xargs) && bash export.sh",
+    "build": "docker build -t bw-export .",
+    "test": "docker run -v \"$PWD\":/export bw-export:latest",
     "publish": "bash docker-publish.sh"
   },
   "repository": {