Bitwarden CLI Client Token has expired

Subject of the issue

I just started having random auth issues on Bitwarden CLI that runs in a docker on Azure app service and serves an HTTP endpoint.

Deployment environment

Support String:

{
"_duo_akey": null,
"_enable_duo": true,
"_enable_email_2fa": true,
"_enable_smtp": true,
"_enable_yubico": true,
"_icon_service_csp": "",
"_icon_service_url": "",
"_ip_header_enabled": true,
"_smtp_img_src": "cid:",
"admin_ratelimit_max_burst": 3,
"admin_ratelimit_seconds": 300,
"admin_session_lifetime": 20,
"admin_token": "***",
"allowed_iframe_ancestors": "",
"attachments_folder": "data/attachments",
"auth_request_purge_schedule": "30 * * * * *",
"authenticator_disable_time_drift": false,
"data_folder": "data",
"database_conn_init": "",
"database_max_conns": 10,
"database_timeout": 30,
"database_url": "**********://************************************************************************************************************************************",
"db_connection_retries": 15,
"disable_2fa_remember": false,
"disable_admin_token": false,
"disable_icon_download": false,
"domain": "*****://*************************",
"domain_origin": "*****://*************************",
"domain_path": "",
"domain_set": true,
"duo_host": null,
"duo_ikey": null,
"duo_skey": null,
"email_attempts_limit": 3,
"email_change_allowed": true,
"email_expiration_time": 600,
"email_token_size": 6,
"emergency_access_allowed": true,
"emergency_notification_reminder_schedule": "0 3 * * * *",
"emergency_request_timeout_schedule": "0 7 * * * *",
"enable_db_wal": false,
"event_cleanup_schedule": "0 10 0 * * *",
"events_days_retain": null,
"experimental_client_feature_flags": "fido2-vault-credentials",
"extended_logging": true,
"helo_name": null,
"hibp_api_key": null,
"icon_blacklist_non_global_ips": true,
"icon_blacklist_regex": null,
"icon_cache_folder": "data/icon_cache",
"icon_cache_negttl": 259200,
"icon_cache_ttl": 2592000,
"icon_download_timeout": 10,
"icon_redirect_code": 302,
"icon_service": "internal",
"incomplete_2fa_schedule": "30 * * * * *",
"incomplete_2fa_time_limit": 3,
"invitation_expiration_hours": 120,
"invitation_org_name": "Vaultwarden",
"invitations_allowed": true,
"ip_header": "X-Client-IP",
"job_poll_interval_ms": 30000,
"log_file": "/data/bitwarden.log",
"log_level": "warn",
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"login_ratelimit_max_burst": 10,
"login_ratelimit_seconds": 60,
"org_attachment_limit": null,
"org_creation_users": "",
"org_events_enabled": false,
"org_groups_enabled": false,
"password_hints_allowed": true,
"password_iterations": 600000,
"push_enabled": false,
"push_identity_uri": "https://identity.bitwarden.com",
"push_installation_id": "***",
"push_installation_key": "***",
"push_relay_uri": "https://push.bitwarden.com",
"reload_templates": false,
"require_device_email": false,
"rsa_key_filename": "data/rsa_key",
"send_purge_schedule": "0 5 * * * *",
"sendmail_command": null,
"sends_allowed": true,
"sends_folder": "data/sends",
"show_password_hint": false,
"signups_allowed": false,
"signups_domains_whitelist": "",
"signups_verify": false,
"signups_verify_resend_limit": 6,
"signups_verify_resend_time": 3600,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"smtp_auth_mechanism": null,
"smtp_debug": false,
"smtp_embed_images": true,
"smtp_explicit_tls": null,
"smtp_from": "*********************************",
"smtp_from_name": "Vaultwarden",
"smtp_host": "*************************",
"smtp_password": "***",
"smtp_port": 587,
"smtp_security": "starttls",
"smtp_ssl": null,
"smtp_timeout": 15,
"smtp_username": "*************************************************",
"templates_folder": "data/templates",
"tmp_folder": "data/tmp",
"trash_auto_delete_days": null,
"trash_purge_schedule": "0 5 0 * * *",
"use_sendmail": false,
"use_syslog": false,
"user_attachment_limit": null,
"user_send_limit": null,
"web_vault_enabled": true,
"web_vault_folder": "web-vault/",
"websocket_address": "0.0.0.0",
"websocket_enabled": true,
"websocket_port": 3012,
"yubico_client_id": null,
"yubico_secret_key": null,
"yubico_server": null
}

vaultwarden version: 1.30.5

Install method: Vaultwarden runs on Azure App Service using the image from docker hub with the tag "vaultwarden/server:latest" and data folder mapped.
Clients used: CLI 2024.6.0 even downgrading wouldn't solve the issue running on Azure app service as a docker without mapping.
Reverse proxy and version: None
MySQL/MariaDB or PostgreSQL version: PostgreSQL 14.11
Other relevant details:

Steps to reproduce

I can't seem to find a proper way to reproduce the issue but last thing I did when it started acting like that was upgrading Bitwarden CLI client from 2024.4.1 to 2024.6.0 I also increased KDF to the recommended size on Vaultwarden user settings.

Expected behaviour

Bitwarden CLI will lock the vault only.

Actual behaviour

Bitwarden CLI is losing the authentication.

Troubleshooting data

Bitwarden CLI becomes unauthenticated returning:

{
    "success": true,
    "data": {
        "object": "template",
        "template": {
            "serverUrl": "https://******",
            "lastSync": null,
            "userEmail": "",
            "userId": "aca0fca5-0944-4b6e-a873-2c7e259c5efc",
            "status": "unauthenticated"
        }
    }
}

On Vaultwarden Logs i have:

[2024-07-02 14:30:10.482][vaultwarden::auth][ERROR] Token has expired
[2024-07-02 14:30:10.577][auth][ERROR] Unauthorized Error: Invalid claim
[2024-07-02 14:30:10.644][vaultwarden::api::core::sends::_][WARN] Request guard `Headers` failed: "Invalid claim".

Bitwarden CLI Dockerfile:

FROM --platform=linux/amd64 debian:latest
ENV DEBIAN_FRONTEND=noninteractive

WORKDIR /usr/local/bin
RUN apt update && apt install -y curl unzip libsecret-1-0 jq
COPY entrypoint.sh .
RUN chmod +x /usr/local/bin/entrypoint.sh
RUN export VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq  -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
  curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v{$VER}/bw-linux-{$VER}.zip" \
  && unzip *.zip && chmod +x ./bw
ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]

entrypoint.sh

#!/usr/bin/env bash

# to enable interactive CLI usage
if [[ $# -gt 0 ]]; then
  bw "$@"
  exit $?
fi

STATUS="$(bw status | jq -r '.status')"

if [[ -n "$MFA_CODE" ]]; then
  # shellcheck disable=SC2034
  export MFA_LOGIN="--method 0 --code $MFA_CODE"
fi

if [[ -n "$BW_CLIENTSECRET" ]]; then
  export API_LOGIN="--apikey"
fi

if [[ "$STATUS" == "unauthenticated" ]]; then
  bw config server "$SERVER_HOST_URL" && echo
  # shellcheck disable=SC2086
  bw login "$VAULT_EMAIL" "$VAULT_PASSWORD" $API_LOGIN $MFA_LOGIN && echo
fi

bw serve --hostname all --port "${SERVE_PORT:-8087}" &
BW_SERVE_PID=$!
echo "\`bw serve\` pid: $BW_SERVE_PID"

if [[ "$UNLOCK_VAULT" == "true" ]]; then
  while ! curl -sX POST -H "Content-Type: application/json" -d "{\"password\": \"$VAULT_PASSWORD\"}" "http://localhost:${SERVE_PORT:-8087}/unlock" >/dev/null; do
    sleep 1
  done
  echo "Vault unlocked!"
fi

echo "Server can be reached at: http://localhost:${SERVE_PORT:-8087}/status"
sleep infinity

I tried to remove the rsa* files and they regenerated but the issue still persists until i restarted the CLI docker.

Any hint?

Thank you!

dani-garcia / vaultwarden