diff --git a/docs/_data/main-nav.yaml b/docs/_data/main-nav.yaml index da60ea7..455c5d0 100644 --- a/docs/_data/main-nav.yaml +++ b/docs/_data/main-nav.yaml @@ -1,7 +1,7 @@ toc: - title: Get Started, Design Debug and Test collapse-id: get-started - items: + items: - title: Introduction to Insomnia url: /insomnia/get-started - title: Install Insomnia @@ -19,10 +19,8 @@ toc: items: - title: Insomnia Accounts url: /insomnia/accounts - - title: Forgotten Passwords - url: /insomnia/forgot-password - - title: Change Password - url: /insomnia/change-password + - title: Forgotten Passphrase + url: /insomnia/forgot-passphrase - title: Insomnia Teams collapse-id: teams items: @@ -37,7 +35,7 @@ toc: url: /insomnia/subscription-management - title: Debug Requests and Responses collapse-id: debug - items: + items: - title: Requests url: /insomnia/requests - title: Responses @@ -71,7 +69,7 @@ toc: url: /insomnia/migrate-from-designer - title: Test APIs collapse-id: test - items: + items: - title: Unit Testing url: /insomnia/unit-testing - title: Stress Testing @@ -79,8 +77,6 @@ toc: - title: Sync with Insomnia Collections with Insomnia Cloud collapse-id: insomnia-sync items: - - title: Sign into Insomnia Cloud - url: /insomnia/insomnia-sign-login - title: Sync Collections with Insomnia Cloud url: /insomnia/insomnia-sync - title: Teams @@ -105,7 +101,7 @@ toc: url: /insomnia/analytics-collected - title: Built-In Features collapse-id: features - items: + items: - title: Authentication url: /insomnia/authentication - title: Client Certificates @@ -159,7 +155,7 @@ toc: url: /inso-cli/install - title: CLI Command Reference url: /inso-cli/cli-command-reference - subfolderitems: + subfolderitems: - title: inso generate config url: /inso-cli/cli-command-reference/inso-generate-config - title: inso run test 
diff --git a/docs/assets/images/app-manual-token.jpg b/docs/assets/images/app-manual-token.jpg
new file mode 100644
index 0000000..ce25865
Binary files /dev/null and b/docs/assets/images/app-manual-token.jpg differ
diff --git a/docs/assets/images/check-your-email.jpg b/docs/assets/images/check-your-email.jpg
new file mode 100644
index 0000000..59ac2b5
Binary files /dev/null and b/docs/assets/images/check-your-email.jpg differ
diff --git a/docs/assets/images/encryption-passphrase-input.jpg b/docs/assets/images/encryption-passphrase-input.jpg
new file mode 100644
index 0000000..6e7dbb7
Binary files /dev/null and b/docs/assets/images/encryption-passphrase-input.jpg differ
diff --git a/docs/assets/images/forgot-passphrase-menu.jpg b/docs/assets/images/forgot-passphrase-menu.jpg
new file mode 100644
index 0000000..d0216a1
Binary files /dev/null and b/docs/assets/images/forgot-passphrase-menu.jpg differ
diff --git a/docs/assets/images/forgot-passphrase-via-invite.jpg b/docs/assets/images/forgot-passphrase-via-invite.jpg
new file mode 100644
index 0000000..915a9d6
Binary files /dev/null and b/docs/assets/images/forgot-passphrase-via-invite.jpg differ
diff --git a/docs/assets/images/forgot-passphrase-via-login.jpg b/docs/assets/images/forgot-passphrase-via-login.jpg
new file mode 100644
index 0000000..216b63b
Binary files /dev/null and b/docs/assets/images/forgot-passphrase-via-login.jpg differ
diff --git a/docs/assets/images/logged-in-title-bar.jpg b/docs/assets/images/logged-in-title-bar.jpg
new file mode 100644
index 0000000..2b837ac
Binary files /dev/null and b/docs/assets/images/logged-in-title-bar.jpg differ
diff --git a/docs/assets/images/login-code.jpg b/docs/assets/images/login-code.jpg
new file mode 100644
index 0000000..69a6479
Binary files /dev/null and b/docs/assets/images/login-code.jpg differ
diff --git a/docs/assets/images/login-manual-token.jpg b/docs/assets/images/login-manual-token.jpg
new file mode 100644
index 0000000..ffd8ae2
Binary files /dev/null and b/docs/assets/images/login-manual-token.jpg differ
diff --git a/docs/assets/images/passphrase-input.jpg b/docs/assets/images/passphrase-input.jpg
new file mode 100644
index 0000000..216b63b
Binary files /dev/null and b/docs/assets/images/passphrase-input.jpg differ
diff --git a/docs/assets/images/signup-or-login.jpg b/docs/assets/images/signup-or-login.jpg
new file mode 100644
index 0000000..b139287
Binary files /dev/null and b/docs/assets/images/signup-or-login.jpg differ
diff --git a/docs/insomnia/accounts.md b/docs/insomnia/accounts.md
index 7d1f7a5..5062600 100644
--- a/docs/insomnia/accounts.md
+++ b/docs/insomnia/accounts.md
@@ -8,45 +8,76 @@ category-url: insomnia-accounts ## Creating Your Insomnia Account -### Signing up from the Insomnia Desktop Application +### Signing up from the Insomnia Desktop Application + You can Sign Up for Insomnia by clicking on the **Sign Up** button on the top bar of the Insomnia Desktop App, on the right hand side. -[Login and Signup button](!/assets/login-signup.png) -When you click on **Sign Up**, you will be redirected to the [insomnia website](https://app.insomnia.rest/app/signup) to finish the process. +![Login and Signup button](/assets/images/login-signup.png) +When you click on **Sign Up**, you will be redirected to the [insomnia website](https://app.insomnia.rest/app/authorize) to finish the process. ### Signing up for Insomnia on Insomnia.rest -To create an Insomnia account, you will be required to enter: -* First Name -* Last Name -* Email -* Password -Click on **Proceed to Next Step**. You'll be asked again to enter your passphrase. It is important to remember your password because [passwords cannot be reset](https://docs.insomnia.rest/insomnia/security-features#passwords-cannot-be-reset) +Once in the insomnia website, you can sign up with one of the following: + +- Email address, +- Google account, +- GitHub account, +- Enterprise Single-sign-on account + +![Multiple sign up options](../assets/images/signup-or-login.jpg) + +If you select `Continue with Email address` option, you will receive a verification email with a 6-digit code: + +![Verification code input](../assets/images/check-your-email.jpg) + +Check your email inbox for the verification code, you should get an email similar to the following: + +![Verification code example](../assets/images/login-code.jpg) + +The verification code is valid for 30 minutes. + +### Setting up encryption passphrase -Click on **I agree to the Service Terms**, **I have backed-up my password**. 
+Regardless of the method you choose to sign up an Insomnia account, you will be required to enter an Encryption Passphrase: -Finally click on **Create Account** to finish the process. When your account has been created, you will receive an email confirming your account on the email address you registered. +![Encryption passphrase setup](../assets/images/encryption-passphrase-input.jpg ) +End to end encryption (E2EE) is enabled by default to keep all of your Insomnia data secure, and it will require a passphrase to decrypt the data. + +{:.alert .alert-primary} +**Note**: Losing the passphrase will render your data unaccessible and it will be lost forever. Find more about this on [Forgot passphrase](forgot-passphrase.md). + +Fill in your passphrase, click on **I have backed-up my password**. + +Finally click on **Enable E2EE** to finish the process. When your account has been created, you will receive an email confirming your account on the email address you registered. ## Signing into Insomnia ### Signing in on the Desktop App -On the top bar of the Insomnia App, click on **login**. + +On the top bar of the Insomnia App, click on **login**. + ![Click on login or sign up](/assets/images/login-signup.png) -Doing so will redirect you to [Insomnia login](https://app.insomnia.rest/app/login/) page on your default browser. Finish signing in on your browser. +Doing so will redirect you to [Insomnia login](https://app.insomnia.rest/app/authorise/) page on your default browser. Finish signing in on your browser. + +After login, you will be prompted for your encryption passphrase. + +![Passphrase input](../assets/images/passphrase-input.jpg) On successful login, the browser will automatically reopen your Insomnia Desktop App with active session. In the top bar on the right hand side, you'll see your name which signifies that you are currently logged in. 
-![Logged-in in Insomnia App](/assets/images/logged-in-title-bar.png) + +![Logged-in in Insomnia App](/assets/images/logged-in-title-bar.jpg) #### My Insomnia App didn't Reopen Successfully after Logging in -In the case that login didn't lead to the Insomnia App reopening, you can manually enter your session token into the Insomnia Application by following the instructions on the insomnia.rest screen after successful login. -![Copy and Paste your Token in Manually](/assets/images/copy-paste-token-login.png) +In the case that login didn't lead to the Insomnia App reopening, you can manually copy your session token from the website: + +![Copy your Token Manually](/assets/images/login-manual-token.jpg) +And then paste the token into the app: -### Signing into Insomnia on the Web -Enter the email address associated with your Insomnia Account and password. Click **Log In**. +![Paste the token into the App](../assets/images/app-manual-token.jpg) diff --git a/docs/insomnia/change-password.md b/docs/insomnia/change-password.md deleted file mode 100644 index 8043e93..0000000 --- a/docs/insomnia/change-password.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -layout: article-detail -title: Change Password -category: "Insomnia Accounts" -category-url: change-password ---- - -## Change your Password - -You can change your password through your [account management page](https://app.insomnia.rest/app/account/). - -Click on **Change Password** on the bottom of the page. -![Change Password Button](/assets/images/change-password.png) - -On the next page, enter your old password, the new password you wish to use, and reconfirm the new password. -![change password page](/assets/images/change-password-page.png) - -Click **Update Password**. Your new password should be set now diff --git a/docs/insomnia/data-encryption.md b/docs/insomnia/data-encryption.md index b3d4a85..c5e1b0e 100644 --- a/docs/insomnia/data-encryption.md +++ b/docs/insomnia/data-encryption.md 
@@ -7,22 +7,18 @@ category-url: insomnia-sync HTTP requests often contain sensitive information like API keys, usernames, and passwords. This is why Insomnia treats security with such a high priority, implementing many of the same techniques used by industry-leading password managers like [1Password](https://1password.com/), [LastPass](https://www.lastpass.com/), [DashLane](https://www.dashlane.com/), and others. -As detailed above, the user’s password is used to derive a secret key, which is then used to encrypt the account private key. Once decrypted, the private key can then be used to decrypt the keys for the Resource Group. +As detailed above, the user's password is used to derive a secret key, which is then used to encrypt the account private key. Once decrypted, the private key can then be used to decrypt the keys for the Resource Group. -Now you may be asking why all these keys are necessary. Why not just encrypt and decrypt data using the user’s password directly? There are few key scenarios that make having this many keys necessary. +Now you may be asking why all these keys are necessary. Why not just encrypt and decrypt data using the user's password directly? There are few key scenarios that make having this many keys necessary. -### Forgot Passwords +### Forgot Passphrase Due to the usage of [SRP](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol) to handle logging into the Insomnia App, the Insomnia Cloud never stores a user's passphrase in any form. In addition, the derivation of encryption keys based on the user's password means that all user data is encrypted in a manner that requires the user's password to decrypt. When Insomnia Passwords are forgotten, this means that synced Insomnia Request data cannot be decrypted. Please create passwords with care. -### Changing Passwords - -The ability for a user to change passwords is one reason that data is not directly encrypted using a password. 
If the user has large amounts of encrypted data, changing the password would mean decrypting and re-encrypting all data with the new password. This would quickly become too slow with even medium sized amounts of data. - ### Sharing a Resource Group -The ability to share Resource Groups is the reason that every Resource Group needs its own key, and every account needs a public/private key-pair to securely share said key. Here’s an example involving two users, Jane and Bob. +The ability to share Resource Groups is the reason that every Resource Group needs its own key, and every account needs a public/private key-pair to securely share said key. Here's an example involving two users, Jane and Bob. -For Jane to share a Resource Group with Bob, she must encrypt the Resource Group’s key with Bob’s public key and store it on the server (`M_Link`). Now, Bob can use his account’s private key to decrypt the Resource Group’s key and gain access to the data. This is a classic example of the [Diffie–Hellman key exchange](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) being put to good use. +For Jane to share a Resource Group with Bob, she must encrypt the Resource Group's key with Bob's public key and store it on the server (`M_Link`). Now, Bob can use his account's private key to decrypt the Resource Group's key and gain access to the data. This is a classic example of the [Diffie-Hellman key exchange](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) being put to good use. diff --git a/docs/insomnia/forgot-passphrase.md b/docs/insomnia/forgot-passphrase.md new file mode 100644 index 0000000..f9dc6e8 --- /dev/null +++ b/docs/insomnia/forgot-passphrase.md 
@@ -0,0 +1,47 @@ +--- +layout: article-detail +title: Forgot passphrase +category: "Insomnia Accounts" +category-url: forgot-passphrase +--- + +### Forgot Passphrase + +Due to the usage of [SRP](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol) to handle data encryption of the Insomnia App, the Insomnia Cloud never stores a user's passphrase in any form. + +In addition, the derivation of encryption keys based on the user's passphrase means that all user data (e.g. Requests, Collections, Environments, ...) is encrypted in a manner that requires the user's passphrase to decrypt. + +When Insomnia passphrases are forgotten, this means that synced Insomnia data cannot be decrypted. **Please create passphrases with care.** + +### Warnings about resetting passphrase + +We are afraid that if you lost your passphrase, **your only action is to reset your account with a new passphrase**. Keep in mind this operation will cause the **loss of all data encrypted with the previous passphrase**. Also be aware that: + +- By resetting your passphrase you will lose access to organizations you have been invited to. +- You will lose access to encrypted (E2EE) data of which you have no previous or current backup. + +## How to reset passphrase + +You can reset passphrase when you attempt to login from the Insomnia App and/or when you invite someone into your organization. + +![Forgot passphrase via Login](../assets/images/forgot-passphrase-via-login.jpg) + +![Forgot passphrase via Invite](../assets/images/forgot-passphrase-via-invite.jpg) + +By clicking on the "Forgot your Passphrase?" link you will be lead to the menu that allows for resetting passphrase. 
+ +![Forgot passphrase menu](../assets/images/forgot-passphrase-menu.jpg) + +Once in the reset passphrase menu, you will need to fill out a new Passphrase and confirm that: + +- You have backed-up your new passphrase +- You understand that by resetting yor passphrase you will lose access to organizations you have been invited to. +- You understand that you will lose access to encrypted (E2EE) data of which you have no backup. + +### Retrieving data after account passphrase reset + +There are edge-cases where you may still be able to retrieve some data after a passphrase reset. + +1. If you have been invited to collaborate on other organizations, you can reset your account and then ask to be invited again. You will only retrieve data for the organizations that you are being invited back to. + +2. If you have shared your organizations or projects, you can ask other users with admin permission to also re-invite you after resetting the account. diff --git a/docs/insomnia/forgot-password.md b/docs/insomnia/forgot-password.md deleted file mode 100644 index 9f25f46..0000000 --- a/docs/insomnia/forgot-password.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -layout: article-detail -title: Forgot Password -category: "Insomnia Accounts" -category-url: forgot-password ---- - -### Forgot Passwords - -Due to the usage of [SRP](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol) to handle logging into the Insomnia App, the Insomnia Cloud never stores a user's passphrase in any form. In addition, the derivation of encryption keys based on the user's password means that all user data is encrypted in a manner that requires the user's password to decrypt. - -When Insomnia Passwords are forgotten, this means that synced Insomnia Request data cannot be decrypted. Please create passwords with care. diff --git a/docs/insomnia/insomnia-sign-login.md b/docs/insomnia/insomnia-sign-login.md deleted file mode 100644 index 21bee45..0000000 
--- a/docs/insomnia/insomnia-sign-login.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -layout: article-detail -title: Sign into Insomnia -category: "Get Started" -category-url: get-started ---- - - -## Log-in or Sign Up on the Insomnia App -On the top bar of the Insomnia App, click on **login** or **sign up**. -![Click on login or sign up](/assets/images/login-signup.png) - -Doing so will redirect you to the [insomnia accounts page](https://app.insomnia.rest/). If you clicked on **login**, you'll be asked to [login](https://app.insomnia.rest/app/login/). -![Login page on insomnia.rest](/assets/images/insomnia-rest-login.png) - -If you clicked on **Sign Up**, you'll be asked to create an [Insomnia Account](https://app.insomnia.rest/app/signup/). - -![Sign Up page on insomnia.rest](/assets/images/insomnia-rest-signup.png) - -When you have successfully logged in or signed up on insomnia.rest, your browser will ask to reopen your Insomnia App. - -![Reopen in Insomnia App](/assets/images/login-redirection.png) - -Click on **Open Insomnia**. You're Insomnia App should reopen. In the top bar on the right hand side, you'll see your name which signifies that you are currently logged in. -![Logged-in in Insomnia App](/assets/images/logged-in-title-bar.png) - - -### My Insomnia App didn't Repoen Successfully after Logging in -In the case that login didn't lead to the Insomnia App reopening, you can manually enter your session token into the Insomnia Application by following the instructions on the insomnia.rest screen after successful login. - -![Copy and Paste your Token in Manually](/assets/images/copy-paste-token-login.png) - diff --git a/docs/insomnia/password-recovery.md b/docs/insomnia/password-recovery.md index e8eecb3..8a8fbef 100644 --- a/docs/insomnia/password-recovery.md +++ b/docs/insomnia/password-recovery.md 
@@ -6,14 +6,4 @@ category-url: support --- {:.alert .alert-primary} -**Note**: If you already know your password and want to change it, login to your account and change your password from the web (not the client application). - -For your security, your Insomnia password is: - -* never transmitted over the Internet -* never logged locally -* never known to us at Insomnia -* only known to you -* the only way to decrypt your data - -This ensures that your data is safe from intruders, but it also means that no one can reset your password. Read more about how your data is protected in the Security Overview. +**Note**: Please refer to [Forgot Passphrase](/insomnia/forgot-passphrase) document. diff --git a/docs/insomnia/security-features.md b/docs/insomnia/security-features.md index de55058..fc5616d 100644 --- a/docs/insomnia/security-features.md +++ b/docs/insomnia/security-features.md 
@@ -33,7 +33,11 @@ All data is encrypted using randomly generated 256 bit symmetric keys for use wi Losing your passphrase means losing the ability to decrypt your account keys. If you lose your passphrase there is no way to access your project data that is not stored by you locally, and there is nothing Insomnia can do to help apart from resetting your passphrase as well as your account. -You can reset your passphrase through the "Forgot your Passphrase" flow. Once you go through the "Forgot your Passphrase" flow and define a new passphrase, you'll lose access to your previous encrypted project data. If you have been invited to collaborate with other organizations, you can reset your passphrase and then ask to be invited back. You will only be able to retrieve data for the organizations that you are invited back to. If you have shared your personal organizations or project data, you can ask other users with Admin permissions to also re-invite you after resetting the passphrase. +You can reset your passphrase through the "[Forgot Passphrase](/insomnia/forgot-passphrase)" flow. Once you go through the "[Forgot Passphrase](/insomnia/forgot-passphrase)" flow and define a new passphrase, you'll lose access to your previous encrypted project data. + +If you have been invited to collaborate with other organizations, you can reset your passphrase and then ask to be invited back. You will only be able to retrieve data for the organizations that you are invited back to. + +If you have shared your personal organizations or project data, you can ask other users with Admin permissions to also re-invite you after resetting the passphrase. ### Unencrypted Fields 
@@ -71,11 +75,11 @@ Name | Description | Stored? `SYM_Account` | Symmetric key for M_Account | Yes 🔒 `SYM_ResourceGroup` | Symmetric Key for data encryption | No `SYM_Link` | Encrypted form of SYM_ResourceGroup | Yes 🔒 -`SLT_Auth_1` | Salt for PBKDF2 of password for auth | Yes +`SLT_Auth_1` | Salt for PBKDF2 of passphrase for auth | Yes `SLT_Auth_2` | Salt for SRP authentication process | Yes -`SLT_Enc` | Salt for PBKDF2 of password for encryption | Yes -`SEC_PWD_Auth` | Secret derived from password using SLT_Auth_1 | No -`SEC_PWD_Enc` | Secret derived from password using SLT_Enc | No +`SLT_Enc` | Salt for PBKDF2 of passphrase for encryption | Yes +`SEC_PWD_Auth` | Secret derived from passphrase using SLT_Auth_1 | No +`SEC_PWD_Enc` | Secret derived from passphrase using SLT_Enc | No `SRP_Verifier` | Verification string used for SRP | Yes {:.alert .alert-primary}