1 | <h1 align="center">
|
2 | <br/>
|
3 | <img src="https://cdn.rawgit.com/buttercup-pw/buttercup-assets/054fc0fa/badge/core.svg" alt="Buttercup Core">
|
4 | <br/>
|
5 | <br/>
|
6 | <br/>
|
7 | </h1>
|
8 |
|
9 | # Buttercup core library
|
10 |
|
11 | A NodeJS secrets vault.
|
12 |
|
13 | [![Buttercup](https://cdn.rawgit.com/buttercup-pw/buttercup-assets/6582a033/badge/buttercup-slim.svg)](https://buttercup.pw) [![npm](https://img.shields.io/npm/dt/buttercup.svg)](https://www.npmjs.com/package/buttercup) [![npm version](https://badge.fury.io/js/buttercup.svg)](https://badge.fury.io/js/buttercup) ![node min version](https://img.shields.io/badge/node-%3E%3D%2010.x-lightgrey.svg) [![security](https://img.shields.io/badge/Security-As%20you%20wish-green.svg)](https://www.npmjs.com/package/buttercup) [![encryption](https://img.shields.io/badge/Encryption-AES%20256%20CBC%2FGCM-red.svg)](https://tools.ietf.org/html/rfc3602)
|
14 |
|
15 | [![Build Status](https://travis-ci.org/buttercup/buttercup-core.svg?branch=master)](https://travis-ci.org/buttercup/buttercup-core)
|
16 |
|
17 | [![NPM](https://nodei.co/npm/buttercup.png)](https://www.npmjs.com/package/buttercup)
|
18 |
|
19 | ## About
|
20 |
|
21 | Buttercup is a JavaScript password manager for NodeJS and the browser (though you can also see it used on platforms like [React Native](https://github.com/buttercup/buttercup-mobile)). It's based around the concept of a **Vault** and its secret **Entry** items (a login, credit card etc.). Entries are then separated into **Group** containers that make organising vaults a little easier.
|
22 |
|
23 | Because Buttercup is designed first and foremost to be consumed by users in some application, **VaultManager** and **VaultSource** constructs are provided to allow for easy control over several vaults in a somewhat shared environment. A vault manager provides easy-to-use methods to perform dehydration and rehydration (storage in serialised form) of vaults to some secure storage (files, remote datasources etc.).
|
24 |
|
25 | Buttercup can save and load vaults that are stored locally, in cloud service providers like Dropbox or Google Drive, or in our own [**My Buttercup**](https://my.buttercup.pw) hosted service. It does this by providing a **Datasource** construct for each provider.
|
26 |
|
27 | Because Buttercup can be consumed in some interesting and varied environments, serialisation tools called **facades** are provided to allow for greater flexibility when working with vault data structures. Facades provide a way to move data around without _classes_, converting vaults to and from JSON objects. Facades are used when attaching vaults to user interfaces like with the [Buttercup UI library](https://github.com/buttercup/ui).
|
28 |
|
29 | ### Features
|
30 |
|
31 | The core of the system, this **Buttercup Core**, boasts a few awesome features:
|
32 |
|
33 | * Merge-able vault contents
|
34 | * History for back-tracking to previous passwords etc.
|
35 | * AES CBC encryption
|
36 | * GZip compression
|
37 | * NodeJS and Browser support
|
38 |
|
39 | This library also supports a variety of datasources for loading from and saving to:
|
40 |
|
41 | * [My Buttercup](https://my.buttercup.pw)
|
42 | * WebDAV
|
43 | * [Dropbox](https://www.dropbox.com/)
|
44 | * [Google Drive](https://www.google.com/drive/)
|
45 | * Local files
|
46 |
|
47 | You may want to read the [API documentation](https://github.com/buttercup/buttercup-core/blob/master/API.md) and [changelog](https://github.com/buttercup/buttercup-core/blob/master/CHANGELOG.md). Please read our [guide to contributing](https://github.com/buttercup/buttercup-core/blob/master/CONTRIBUTING.md) before creating any issues or pull requests.
|
48 |
|
49 | ## Installation
|
50 |
|
51 | To use Buttercup in a NodeJS environment, you can simply install and require it:
|
52 |
|
53 | ```shell
|
54 | npm install buttercup --save
|
55 | ```
|
56 |
|
57 | _NB: `@buttercup/app-env` was previously required (on version 3.x), but is not required for version 4. Please uninstall this dependency, along with `@buttercup/facades`, `@buttercup/credentials`, `@buttercup/datasources` and `@buttercup/signing` if you have them installed. These dependencies are included within Buttercup core version 4._
|
58 |
|
59 | In a Node environment, for example:
|
60 |
|
61 | ```javascript
|
62 | const { Vault } = require("buttercup");
|
63 | ```
|
64 |
|
65 | In a _web_ environment, use the following:
|
66 |
|
67 | ```javascript
|
68 | import { Vault } from "buttercup/web";
|
69 | ```
|
70 |
|
71 | ## Usage
|
72 |
|
73 | Buttercup uses `Vault`s, `Group`s and `Entry`s to manipulate data in a _workspace_-like environment. These 3 constructs have no knowledge of encryption or storage, and simply provide interfaces for working with the data structures.
|
74 |
|
75 | To manage vaults, their storage and their states in a higher-level manner more appropriate for building applications, check out the `VaultManager` and `VaultSource` constructs.
|
76 |
|
77 | To get started, we should create a new Vault:
|
78 |
|
79 | ```javascript
|
80 | import { Vault, init } from "buttercup";
|
81 |
|
82 | // Initialise environment
|
83 | init();
|
84 |
|
85 | // Create an empty vault
|
86 | const vault1 = new Vault();
|
87 |
|
88 | // Create aa vault with "General" and "Trash" groups
|
89 | const vault2 = Vault.createWithDefaults();
|
90 | ```
|
91 |
|
92 | The `init()` function call is used to initialise the environment (performs the same function as `@buttercup/app-env` used to). It is required for Buttercup to work. It can be called more than once without affect.
|
93 |
|
94 | Entries can't be added directly to a Vault, but can be to Groups. Creating Groups and Entries is trivial:
|
95 |
|
96 | ```javascript
|
97 | const vault = Vault.createWithDefaults();
|
98 | const myGroup = vault.createGroup("My Group");
|
99 | const myEntry = myGroup.createEntry("My Entry");
|
100 | ```
|
101 |
|
102 | Every command on Vaults, Groups and Entries **modifies the Vault instance**, but does not save it to storage. There is no command or need to commit any data - each instance links back to the original Vault. Vaults are saved and loaded using Datasources:
|
103 |
|
104 | ```javascript
|
105 | import { Credentials, FileDatasource, Vault, init } from "buttercup";
|
106 |
|
107 | init();
|
108 |
|
109 | const datasourceCredentials = Credentials.fromDatasource({
|
110 | path: "./user.bcup"
|
111 | }, "masterPassword!");
|
112 | const fileDatasource = new FileDatasource(datasourceCredentials);
|
113 | const vault = Vault.createWithDefaults();
|
114 | vault
|
115 | .createGroup("Websites")
|
116 | .createEntry("My bank")
|
117 | .setProperty("username", "user-name")
|
118 | .setProperty("password", "s3cureP4$$");
|
119 |
|
120 | const vaultCredentials = Credentials.fromPassword("masterPassword!");
|
121 | await fileDatasource.save(vault.format.history, vaultCredentials);
|
122 | ```
|
123 |
|
124 | Later:
|
125 |
|
126 | ```javascript
|
127 | const datasourceCredentials = Credentials.fromDatasource({
|
128 | path: "./user.bcup"
|
129 | }, "masterPassword!");
|
130 | const fileDatasource = new FileDatasource(datasourceCredentials);
|
131 |
|
132 | fileDatasource
|
133 | .load(datasourceCredentials)
|
134 | .then(Vault.createFromHistory)
|
135 | .then(vault => {
|
136 | // ...
|
137 | });
|
138 | ```
|
139 |
|
140 | Using just a datasource is not recommended as saving and loading is quite low-level and cumbersome. Check the [browser extension](https://github.com/buttercup/buttercup-browser-extension) or [desktop application](https://github.com/buttercup/buttercup-desktop) for examples of how to use the `VaultManager` and other helpful classes.
|
141 |
|
142 | ## Compatibility
|
143 |
|
144 | Buttercup's compatibility is defined as the following:
|
145 |
|
146 | * NodeJS version 10 and up
|
147 | * Current versions of the following browsers:
|
148 | * Google Chrome
|
149 | * Mozilla Firefox
|
150 | * Safari
|
151 | * _React Native 0.60+_
|
152 |
|
153 | _NB: React Native support is not guaranteed under all circumstances as the platform's stability for low-level operations like cryptography is questionable. Use the [mobile app](https://github.com/buttercup/buttercup-mobile) as a guideline for implementation._
|
154 |
|
155 | Browser support is strictly dependent on:
|
156 |
|
157 | * Popularity
|
158 | * The availability of required crypto libaries such as `SubtleCrypto`
|