An alternative implementation of the Bitwarden API based on a AWS Serverless stack. Inspired by bitwarden-ruby.
- based on the serverless framework
- should run completely within AWS Free Tier limits
- automatic multi-zone availability
(Note: This project is not associated with the Bitwarden project nor 8bit Solutions LLC.)
- Tested with Chrome extension
- Tested with Android app
- Tested with Desktop app (macOS)
- Tested with iOS app
- Tested with Web vault (work needed for compatibility)
If you have AWS credentials set up, this should get you a running instance of the API. Just plug the AWS Gateway Service endpoint into your Bitwarden settings.
npm install -g serverless
npm install
# Feel free to deploy to an AWS region closer to your typical location
serverless deploy --region us-east-1 --stage prodThe deploy command will return a service URL (e.g. https://abcd01234.execute-api.us-east-1.amazonaws.com/prod), which you can set up in Bitwarden as your own self-hosted endpoint.
Simply re-deploy with serverless deploy from the latest checkout.
Some releases need a a database migration. A special function is deployed for this purpose, invoke with:
serverless invoke -f migrate [--stage] [--region]Run ./two_factor.sh, the script will ask you for the e-mail you want to set up two factor authentication form. Then copy the data URL with the QR code into your web browser and scan it with your authenticator app of choice. Provide one valid token to confirm the setup.
Note for all imports: consider adding more Write capacity to the DynamoDB table for the import. The script will re-try to import the data, but it's not very well tested. A write capacity of 5 units should be safe for 500-1000 items. It can be reset to 1 afterwards.
The import script will interactively ask for your master password. This is needed since the data in the CSV must be encrypted and some data like existing folders must be decrypted.
In the example below, replace STAGE and REGION if necessary in regards to your setup.
Go to https://help.bitwarden.com/article/export-your-data/
STAGE=prod REGION=us-east-1 ./import.sh -e user@example.com -f export.csv -p bitwardenGo to https://lastpass.com/support.php?cmd=showfaq&id=1206
STAGE=prod REGION=us-east-1 ./import.sh -e user@example.com -f export.csv -p lastpassBy default you will get a generated API gateway URL which is quite long. You can use the stack through a custom CNAME of your choice.
- Have a domain under your control.
- Issue an AWS ACM certificate for that domain in the
us-east-1region (free). This will require you to add a verification CNAME or confirm a link on an e-mail going to that domain. - Wait some time until the certificate activates (1 hour?)
- Go to the API Gateway console and under the Custom Domains section add a new mapping with your domain.
- Add the final CNAME in your DNS configuration, the target value will be in the format
<id>.cloudfront.net
I really like the idea of bitwarden-ruby and hosting my secrets under my own control. Unfortunately I don't trust my VPSes in terms of availability and crash recovery enough to host all my passwords on them.
I do however trust AWS infrastructure and with the traffic pattern needed for a password manager, I can completely fit it in Free tier while gaining multi-zone availability and basically free regular backups.
Javascript sources are transpiled using webpack and Babel to the AWS supported Node.js 8.10 target. Transpiling and bundling is part of the serverless deployment workflow.
The API is tested using blackbox integration tests against a fresh deployment on AWS. Simply run with ./test.sh with AWS credentials configured. This will create a temporary stack in AWS, run the tests against the API and tear down the stack after completion.
- Schema validation on input using Joi