dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

Moving logins from local folder to Organization collection forces logout #4504

Closed TheGorf closed 2 months ago

TheGorf commented 2 months ago

Subject of the issue

After importing data from LastPass, I began reorganizing the logins. I have a small group of logins that I try to move, as a group using the multi-select check box, from my local vault and folder into an Organization collection. I select the Organization and the collection, then click "save" and I am immediately logged out of Vaultwarden. After logging back in, the items have not been moved. In the logfile at the end here, you will see there is a 400 Bad Request logged, but that appears to be all I can gather at the moment without further guidance.

Deployment environment

Your environment (Generated via diagnostics page)

Config (Generated via diagnostics page)

**Environment settings which are overridden:** ADMIN_TOKEN

```json
{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://***************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://*****************",
  "domain_origin": "****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 750000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*****************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

Steps to reproduce

This is the hard part. It appears to only happen for a very specific set of logins. There appears to be some sort of condition for values in the login that is causing this. Other logins can be moved just fine.

Expected behaviour

The logins should be moved to the Org and collection.

Actual behaviour

Client is forcibly logged out.

Troubleshooting data

Attempts to catch this via debug logs are not really producing anything. I'm trying to reconfigure my load balancer to catch the actual raw request. If I get logs I can share them sanitized. I adjusted my LOG_LEVEL to debug, but when the event happens, this is the only log that is caught:

```
[2024-04-15 22:49:59.761][start][INFO] Rocket has launched from http://0.0.0.0:80
[2024-04-15 22:50:19.800][request][INFO] GET /
[2024-04-15 22:50:19.801][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:28.480][request][INFO] GET /
[2024-04-15 22:50:28.480][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:49.809][request][INFO] GET /
[2024-04-15 22:50:49.809][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:58.505][request][INFO] GET /
[2024-04-15 22:50:58.505][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:59.727][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2024-04-15 22:50:59.727][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
[2024-04-15 22:50:59.792][request][INFO] GET /alive
[2024-04-15 22:50:59.797][response][INFO] (alive) GET /alive => 200 OK
[2024-04-15 22:51:19.835][request][INFO] GET /
[2024-04-15 22:51:19.836][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:28.536][request][INFO] GET /
[2024-04-15 22:51:28.536][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:30.599][request][INFO] GET /api/devices/knowndevice
[2024-04-15 22:51:30.602][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-04-15 22:51:33.833][request][INFO] POST /identity/accounts/prelogin
[2024-04-15 22:51:33.835][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2024-04-15 22:51:34.374][request][INFO] POST /identity/connect/token
[2024-04-15 22:51:34.791][vaultwarden::api::identity][INFO] User [MY_EMAIL_LOGIN] logged in successfully. IP: 50.210.46.13
[2024-04-15 22:51:34.796][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-04-15 22:51:34.866][request][INFO] GET /api/config
[2024-04-15 22:51:34.867][response][INFO] (config) GET /api/config => 200 OK
[2024-04-15 22:51:34.961][request][INFO] POST /identity/connect/token
[2024-04-15 22:51:34.967][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-04-15 22:51:35.029][request][INFO] GET /api/sync?excludeDomains=true
[2024-04-15 22:51:35.053][request][INFO] GET /notifications/hub?access_token=[obfuscated_by_me]
[2024-04-15 22:51:35.054][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 50.210.46.13
[2024-04-15 22:51:35.055][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2024-04-15 22:51:35.106][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2024-04-15 22:51:35.516][request][INFO] GET /api/config
[2024-04-15 22:51:35.520][response][INFO] (config) GET /api/config => 200 OK
[2024-04-15 22:51:49.864][request][INFO] GET /
[2024-04-15 22:51:49.864][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:57.828][request][INFO] GET /api/config
[2024-04-15 22:51:57.828][response][INFO] (config) GET /api/config => 200 OK
[2024-04-15 22:51:57.895][tungstenite::protocol][DEBUG] Received close frame: None
[2024-04-15 22:51:57.896][tungstenite::protocol][DEBUG] Replying to close with Frame { header: FrameHeader { is_final: true, rsv1: false, rsv2: false, rsv3: false, opcode: Control(Close), mask: None }, payload: [] }
[2024-04-15 22:51:57.896][vaultwarden::api::notifications][INFO] Closing WS connection from 50.210.46.13
[2024-04-15 22:51:58.566][request][INFO] GET /
[2024-04-15 22:51:58.566][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:59.729][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2024-04-15 22:51:59.729][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
[2024-04-15 22:51:59.882][request][INFO] GET /alive
[2024-04-15 22:51:59.883][response][INFO] (alive) GET /alive => 200 OK
[2024-04-15 22:52:10.827][request][INFO] POST /identity/connect/token
[2024-04-15 22:52:10.829][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-04-15 22:52:11.833][request][INFO] GET /notifications/hub?access_token=[obfuscated_by_me]
[2024-04-15 22:52:11.833][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 50.210.46.13
[2024-04-15 22:52:11.833][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2024-04-15 22:52:11.897][request][INFO] GET /api/accounts/revision-date
[2024-04-15 22:52:11.900][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2024-04-15 22:52:19.894][request][INFO] GET /
[2024-04-15 22:52:19.895][response][INFO] (web_index) GET / => 200 OK
```

stefan0xC commented 2 months ago

From the logs it doesn't look like vaultwarden gets a request (should be PUT /api/ciphers/share), so there might be something else going on. (Could be caused by the WAF if it blocks a request.)

What does the browser console say? Is a request sent to the server? If so, what's the response? If not, is there an error message?
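
To make the check in stefan0xC's reply repeatable against a longer log, here is a small log triage script (an added example, not code from the issue or from the vaultwarden project). It parses the Rocket request/response lines in the format the reporter posted, reports whether a `PUT /api/ciphers/share` request ever reached the server, and lists every non-2xx response, which for the posted log is only the `400` on `POST /identity/connect/token`. The sample log lines are constructed from the line shapes visible in this thread, and the handler name `put_cipher_share_selected` in the healthy sample is assumed, not taken from the page.

```python
import re
from dataclasses import dataclass, field

# The two Rocket log line shapes seen in the issue:
#   [ts][request][INFO] METHOD /path
#   [ts][response][INFO] (handler) METHOD /path => 400 Bad Request
REQUEST_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[request\]\[\w+\] (?P<method>[A-Z]+) (?P<path>\S+)$"
)
RESPONSE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[response\]\[\w+\] \((?P<handler>\w+)\) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) => (?P<status>\d{3})"
)

SHARE_PATH = "/api/ciphers/share"        # endpoint named by stefan0xC above
TOKEN_PATH = "/identity/connect/token"   # login / token endpoint seen in the log


@dataclass
class Response:
    ts: str
    handler: str
    method: str
    path: str
    status: int


@dataclass
class Report:
    share_request_seen: bool = False     # did PUT /api/ciphers/share reach the server?
    token_endpoint_failed: bool = False  # any status >= 400 on POST /identity/connect/token?
    failures: list = field(default_factory=list)  # every Response with status >= 400


def normalize(path: str) -> str:
    """Drop the query string; Rocket prints it as '<data..>' on response lines."""
    return path.split("?", 1)[0]


def analyze(log_text: str) -> Report:
    """Walk the log once and summarise what the server actually saw."""
    report = Report()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            if m["method"] == "PUT" and normalize(m["path"]) == SHARE_PATH:
                report.share_request_seen = True
            continue
        m = RESPONSE_RE.match(line)
        if not m:
            continue  # debug/info lines from other modules
        resp = Response(m["ts"], m["handler"], m["method"],
                        normalize(m["path"]), int(m["status"]))
        if resp.status >= 400:
            report.failures.append(resp)
            if resp.method == "POST" and resp.path == TOKEN_PATH:
                report.token_endpoint_failed = True
    return report


def verdict(report: Report) -> str:
    """One-line triage hint in the spirit of stefan0xC's reply."""
    if not report.share_request_seen:
        return ("PUT /api/ciphers/share never reached vaultwarden: check the reverse "
                "proxy/WAF and the browser console before looking at the server")
    if report.failures:
        return "share request arrived; failing responses: " + ", ".join(
            f"{f.method} {f.path} {f.status}" for f in report.failures)
    return "share request arrived and no failing response is visible in this log"


# Constructed sample mirroring the posted log: no share request, one 400 on the
# token endpoint (these are not the issue author's exact lines).
ISSUE_LIKE_LOG = """\
[2024-04-15 22:51:34.374][request][INFO] POST /identity/connect/token
[2024-04-15 22:51:34.796][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-04-15 22:51:35.029][request][INFO] GET /api/sync?excludeDomains=true
[2024-04-15 22:51:35.106][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2024-04-15 22:51:59.729][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
[2024-04-15 22:52:10.827][request][INFO] POST /identity/connect/token
[2024-04-15 22:52:10.829][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
"""

# Constructed "healthy" sample; the handler name is assumed, not from the page.
HEALTHY_LOG = """\
[2024-04-15 23:00:00.000][request][INFO] PUT /api/ciphers/share
[2024-04-15 23:00:00.050][response][INFO] (put_cipher_share_selected) PUT /api/ciphers/share => 200 OK
"""

if __name__ == "__main__":
    for name, text in (("issue-like", ISSUE_LIKE_LOG), ("healthy", HEALTHY_LOG)):
        print(f"{name}: {verdict(analyze(text))}")
```

Run it against the real `/data/vaultwarden.log` by passing the file contents to `analyze()`; if `share_request_seen` stays false while the client logged out, the request was dropped or rejected in front of vaultwarden (proxy, WAF, browser), which is exactly the branch stefan0xC points at.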

BlackDex commented 2 months ago

I did notice the following:

```
[2024-04-15 22:51:59.729][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
```

It can't be the Chrono updates, since those are not in this release.

BlackDex commented 2 months ago

I'm not able to reproduce, at least not on the testing tagged image. Please try the testing tagged image and see if that solves your problem.

Else, please provide more detailed step-by-step instructions on how to try and do this. Also include login, MFA, etc. It might also be a browser setting or extension which is causing issues.

BlackDex commented 2 months ago

I did some more testing but I'm unable to reproduce. Going to close this, if this still is an issue with the testing tagged images, please provide the more detailed information as requested in my previous post and re-open this issue.

NoEpicLoot commented 2 weeks ago

We stumbled upon this behaviour a few days ago on a fresh install whenever a new user was part of an organization without being assigned to any collections. It seems like the button "move to organization" appears as soon as one is part of an organization. However, the following popup tries to reach an org API endpoint so it can render the available collections the user is allowed to move this item to, which are none, and this forced the logout.

IIRC, when the user is assigned to a collection without being allowed to write to that collection, the same behaviour would appear upon hitting save.

Vaultwarden Version 1.30.5
Vaultwarden Web Version 2024.1.2

BlackDex commented 2 weeks ago

Try testing and report back if it still persists.