bitwarden / server

Bitwarden infrastructure/backend (API, database, Docker, etc).
https://bitwarden.com

Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException in AWS Fargate #2944

Open sandeep-npg opened 1 year ago

sandeep-npg commented 1 year ago

Steps To Reproduce

Goto /admin

Expected Result

Log in to /admin console

Actual Result

The page does not load for a long time and eventually times out. Logs show an error "Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted."

Screenshots or Videos

No response

Additional Context

Error in the logs

    2023-05-17T12:27:04.902-04:00 fail: Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery[7]
    2023-05-17T12:27:04.902-04:00       => SpanId:0d294eb19f860334, TraceId:6ebc560d8a5b80d2b6070fb09acb5e8f, ParentId:0000000000000000 => ConnectionId:0HMQMUE6H33RK => RequestPath:/admin/login RequestId:0HMQMUE6H33RK:00000002 => Bit.Admin.Auth.Controllers.LoginController.Index (Admin)
    2023-05-17T12:27:04.902-04:00       An exception was thrown while deserializing the token.
    2023-05-17T12:27:04.902-04:00       Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
    2023-05-17T12:27:04.902-04:00        ---> System.Security.Cryptography.CryptographicException: The key {0942ed38-9689-44bb-a91b-c96fbebe279e} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning
    2023-05-17T12:27:04.902-04:00          at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
    2023-05-17T12:27:04.902-04:00          at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
    2023-05-17T12:27:04.902-04:00          at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
    2023-05-17T12:27:04.902-04:00          --- End of inner exception stack trace ---
    2023-05-17T12:27:04.902-04:00          at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
    2023-05-17T12:27:04.902-04:00          at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

Githash Version

8d9ca424-dirty

Environment Details

Database Image

mysql: 8.0.28

Issue-Link

https://github.com/bitwarden/server/issues/2480

Issue Tracking Info

justindbaur commented 1 year ago

Hi @sandeep-npg Can you share an example of the settings you are using? Please redact any passwords or PII.

sandeep-npg commented 1 year ago

Hi @justindbaur -

I may have just figured this out. This happens when I try to connect to a restarted container. It appears that the container dynamically generates the key used to encrypt the antiforgery token/cookie and loses it (understandably) upon restart. Is a mapped volume (at /etc/bitwarden) necessary in addition to a database (I'm using MySQL) or is it possible to save all required state to the database?

    ===Settings===========
    BW_DOMAIN passwordsdev.napierparkglobal.com
    BW_DB_PROVIDER mysql
    BW_DB_SERVER sharedmysqldev.napierparkglobal.com
    BW_DB_DATABASE bitwarden
    BW_DB_USERNAME bitwarden
    BW_DB_PASSWORD **
    BW_INSTALLATION_ID **
    BW_INSTALLATION_KEY **
    BW_ENABLE_SSO TRUE
    adminSettings__admins sandeep.singh@napierparkglobal.com
    globalSettings__mail__replyToEmail sandeep.singh@napierparkglobal.com
    globalSettings__mail__smtp__host email-smtp.us-east-1.amazonaws.com
    globalSettings__mail__smtp__port 587
    globalSettings__mail__smtp__ssl TRUE
    globalSettings__mail__smtp__username **
    globalSettings__mail__smtp__password **

justindbaur commented 1 year ago

Yes, a volume mapped to /etc/bitwarden is necessary. That is where the key will be saved and if it's not there it will generate a new one each startup. It was not as required once upon a time but we now encrypt certain DB columns with that key so it's a requirement for it to be mapped somewhere.

We don't currently, or plan to support persisting that key to the database.
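What the thread describes can be reproduced outside Bitwarden with the ASP.NET Core Data Protection API that the antiforgery subsystem relies on. The following C# console program is an added example, not code from the Bitwarden repository: it protects a payload with a key ring persisted to a directory (standing in for the /etc/bitwarden volume), shows that a second provider loading the same directory can unprotect it, and shows that a provider with a fresh, ephemeral key ring fails with the same CryptographicException seen in the log above. The directory path and purpose string are assumptions made for the demo; the program needs the Microsoft.AspNetCore.DataProtection and Microsoft.AspNetCore.DataProtection.Extensions packages.

```csharp
// Added example (not Bitwarden's code): reproduces the "key ... was not found in the
// key ring" failure and shows why persisting the key ring across restarts fixes it.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class KeyRingDemo
{
    // Assumed values for the demo. In the Bitwarden container the key ring lives
    // under the /etc/bitwarden volume; here any writable directory will do.
    const string KeyRingDir = "/tmp/keyring-demo";
    const string Purpose = "AntiforgeryDemo";

    // A provider backed by files in KeyRingDir: every call loads the same key ring,
    // just as a restarted container with the volume mounted would.
    static IDataProtector PersistentProtector() =>
        DataProtectionProvider.Create(new DirectoryInfo(KeyRingDir)).CreateProtector(Purpose);

    static void Main()
    {
        Directory.CreateDirectory(KeyRingDir);

        // "First container start": protect a token with a key written to KeyRingDir.
        string token = PersistentProtector().Protect("antiforgery-token-payload");

        // "Restart with the volume mounted": a new provider finds the same key and succeeds.
        Console.WriteLine(PersistentProtector().Unprotect(token));

        // "Restart without the volume": a fresh key ring never held the key used above,
        // so decryption fails exactly as in the logged exception.
        var ephemeral = new EphemeralDataProtectionProvider().CreateProtector(Purpose);
        try
        {
            ephemeral.Unprotect(token);
        }
        catch (CryptographicException ex)
        {
            // Message is of the form "The key {guid} was not found in the key ring."
            Console.WriteLine("Expected failure: " + ex.Message);
        }
    }
}
```

On Fargate the persistent case corresponds to mounting a durable volume (for example an EFS file system) at /etc/bitwarden so the key ring files survive task restarts; without such a mount every task start is the ephemeral case, and, as noted above, any database columns encrypted with that key become unreadable as well.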

sandeep-npg commented 1 year ago

ok - thank you!

I'm seeing another issue after crossing that one. When trying to send out email using AWS SES, I'm getting the error below; essentially MailKit fails to authenticate the SMTP server over SSL/TLS.

I do not get this in my local dev environment (with a mapped volume). I am able to successfully log in to "/admin" and get the email sent out using the same SES credentials. Is this also related to the mapped volume?

justindbaur commented 1 year ago

It appears the certificate of your server isn't valid. You can override that check by adding globalSettings__mail__smtp__trustServer=true to your settings file. As shown here, this is not recommended for production; it would be better to get a trusted cert.

crinjes commented 1 year ago

I have the same issue with mailing.

      The server's SSL certificate could not be validated for the following reasons:
      • The server certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL
      • An intermediate certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL

The certificates in the chain are all valid; they just do not include a CRL endpoint.
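The chain-status output above says the chain is otherwise fine and only revocation (CRL) checking fails, so the blanket globalSettings__mail__smtp__trustServer=true override disables more validation than the problem needs. As an added example that is not Bitwarden's code and not a Bitwarden settings key, the C# snippet below shows how a MailKit SmtpClient can be told to skip only the revocation check (the client's CheckCertificateRevocation property) while still rejecting any other chain error and printing the chain status that caused it. Host and port are placeholders, and the program needs the MailKit package.

```csharp
// Added example (not Bitwarden's code): skip only CRL/revocation checking in MailKit
// instead of trusting the server certificate outright.
using System;
using System.Net.Security;
using MailKit.Net.Smtp;
using MailKit.Security;

class SmtpCrlDemo
{
    // Placeholder endpoint for the demo; substitute your SMTP relay.
    const string Host = "smtp.example.com";
    const int Port = 587;

    static SmtpClient CreateClient()
    {
        var client = new SmtpClient();

        // Keep full chain validation (name, expiry, trust anchor) but do not require a
        // reachable CRL distribution point, which is what "unable to get certificate CRL"
        // in the chain status refers to.
        client.CheckCertificateRevocation = false;

        // Any remaining policy error is still fatal; log the chain status so a genuine
        // chain problem is visible in the logs rather than silently accepted.
        client.ServerCertificateValidationCallback = (sender, certificate, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None)
                return true;

            Console.WriteLine($"TLS validation failed for {Host}: {errors}");
            if (chain != null)
                foreach (var status in chain.ChainStatus)
                    Console.WriteLine($"  chain: {status.Status} - {status.StatusInformation.Trim()}");
            return false;
        };

        return client;
    }

    static void Main()
    {
        using var client = CreateClient();
        client.Connect(Host, Port, SecureSocketOptions.StartTls);
        Console.WriteLine($"Connected to {Host}:{Port}; TLS negotiated: {client.IsSecure}");
        client.Disconnect(true);
    }
}
```

The difference from trustServer is that a wrong hostname, an expired certificate or an untrusted issuer still aborts the connection; only the revocation lookup, which these certificates cannot satisfy because they carry no CRL endpoint, is omitted.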