AutoUni - Neptun, eduID Auto-Fill by grialion

🎓 AutoUni — Neptun & eduID Login Auto-Fill

A Firefox browser extension that auto-fills your Neptun and eduID credentials when you visit the login page. Intended for private, convenience use at your own risk — see the Security & Privacy section below.

Features

• Neptun auto-fill — When you visit https://neptun.bme.hu/hallgatoi/login, the extension automatically fills your Neptun code and password, then clicks the login button
• eduID auto-fill — When you visit https://edu.vik.bme.hu/login/index.php, it clicks the eduID button, follows the redirect to the BME IDP, fills your eduID credentials, and submits
• SPA-aware — Detects URL changes in Angular (Neptun) using the Navigation API and triggers auto-fill on in-place navigation
• Angular-ready — Fires input and change events so Angular Material detects the values
• Persistent credentials — Stored in browser's chrome.storage.local

How It Works

Neptun Flow

1. You navigate to https://neptun.bme.hu/hallgatoi/login
2. The content script detects the login page (on load and via Navigation API)
3. It waits up to 10 seconds for the form elements to appear in the DOM
4. Once found, it fills your Neptun code and password, then clicks the login button

eduID Flow

1. You navigate to https://edu.vik.bme.hu/login/index.php
2. The content script clicks .login-identityprovider-btn to redirect to the IDP
3. On the IDP page (idp.bme.hu), it fills #username and #password with your eduID credentials
4. It clicks the submit button

Supported Sites

• Neptun: https://neptun.bme.hu/hallgatoi/login ✅ active
• eduID / BME IDP: https://edu.vik.bme.hu/login → https://idp.bme.hu/ ✅ active

Security & Privacy

Encryption

Passwords are encrypted at rest using AES-GCM with a hardcoded key baked into the source code (crypto.js). The encryption is applied when you save settings in the Options page, and decrypted automatically by the content scripts before filling forms. Because the key is static and publicly visible in the source, the encryption provides obfuscation rather than true cryptographic security — it prevents casual inspection of stored credentials but can be reversed by anyone who can read your extension's storage.

Use at Your Own Risk

This extension is designed for convenience on a personal, private device where no other users have access. It is not suitable for shared or public computers.

If an attacker gains file-system or browser storage access to your machine, they can decrypt your stored passwords. However, at that point they would also be able to grab browser cookies, session tokens, and do far worse damage. In practice, the encryption provides a reasonable barrier against casual credential exposure (e.g., someone borrowing your unlocked laptop for a few minutes), but it should not be relied upon as a genuine security control.

What's Protected

• Credentials are stored locally in your browser's chrome.storage.local — never sent to any external server
• Only the relevant domains are included in the extension permissions
• The extension runs entirely in the browser — no cloud services

What's Not Protected

• The encryption key is hardcoded in plain text in crypto.js — anyone with source access knows it
• If the browser's storage is accessible (e.g., via file system access or a malicious extension), passwords can be decrypted
• Username fields are stored in plaintext (no encryption applied to usernames)
• Credentials are stored unencrypted on the server-side if browser sync is enabled (though storage.local typically doesn't sync)