dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

new entries not saved due to invalid Refresh token #5227

Closed JRehkemper closed 1 hour ago

JRehkemper commented 2 hours ago

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Config (Generated via diagnostics page)

**Environment settings which are overridden:**

```json
{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

Vaultwarden Build Version

1.32.5

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Traefik 3.2.1

Host/Server Operating System

Linux

Operating System Version

AlmaLinux 9.4

Clients

Web Vault, Desktop, Android, iOS

Client Version

Brave 1.73.91

Steps To Reproduce

Expected Result

When you get the green "saved"-popup it should be saved to your vault.

Actual Result

You get a green "saved"-popup but the entry is not present if I resync the vault, check on a different device or log back in again.

Logs

vaultwarden  | [2024-11-24 09:27:02.049][request][INFO] POST /api/ciphers
vaultwarden  | [2024-11-24 09:27:02.049][vaultwarden::auth][ERROR] Error decoding JWT
vaultwarden  | [2024-11-24 09:27:02.049][auth][ERROR] Unauthorized Error: Invalid claim
vaultwarden  | [2024-11-24 09:27:02.049][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
vaultwarden  | [2024-11-24 09:27:02.049][response][INFO] (post_ciphers) POST /api/ciphers => 401 Unauthorized
vaultwarden  | [2024-11-24 09:27:02.060][request][INFO] POST /identity/connect/token
vaultwarden  | [2024-11-24 09:27:02.060][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden  | [2024-11-24 09:27:08.440][request][INFO] GET /api/sync
vaultwarden  | [2024-11-24 09:27:08.440][vaultwarden::auth][ERROR] Error decoding JWT
vaultwarden  | [2024-11-24 09:27:08.440][auth][ERROR] Unauthorized Error: Invalid claim
vaultwarden  | [2024-11-24 09:27:08.440][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
vaultwarden  | [2024-11-24 09:27:08.440][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
vaultwarden  | [2024-11-24 09:27:08.454][request][INFO] POST /identity/connect/token
vaultwarden  | [2024-11-24 09:27:08.454][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

Screenshot 2024-11-24 110854

Additional Context

Hello, I get sporadic errors with an invalid refresh token on multiple devices. The frustrating thing is, sometimes you can open the app and everything looks fine, and if you create a new entry, it will tell you everything is OK. You only notice the invalid refresh token if you want to log in again. Usually this can be fixed by completely logging out and in again, but the newly created password isn't saved anywhere because of the invalid refresh token. I tried the web interface and clients for Android, iOS, Windows and Linux, and all have the same problem. I suspected a database corruption and created a new instance of Vaultwarden. But after a reimport of the vault the problem persists. Any ideas on how to troubleshoot this issue are appreciated.

BlackDex commented 2 hours ago

Do you have some kind of HA setup running for Vaultwarden? An invalid claim doesn't come by itself. Something must be invalid, like a date/time difference or a modified private key used to create those tokens.

JRehkemper commented 1 hour ago

There is no high availability in place. Just a single Docker server. The time is synced. Clients and Docker server are in CET and the container is running in UTC, but they are the expected hour apart. I did not change any keys.

BlackDex commented 1 hour ago

Does the server restart? What is the date/time of the rsa_key.pem file in your data directory?

Is there any WAF, ModSecurity or something like CloudFlare or CloudFront in front of it?

Something must mangle the token. You can also try to delete the rsa_key.pem, restart Vaultwarden and see if that solves it. But I think you kinda did that already, unless you copied that exact same file over. Doing that will invalidate all tokens and invites though.
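The two causes raised in this thread (a date/time difference between issuer and verifier, and a changed signing key) show up differently when you inspect a rejected token. The script below is an added diagnostic, not code from vaultwarden or from anyone in this issue: it decodes a JWT payload without verifying the signature and reports which of the exp/nbf/iss checks would fail against a given clock. It assumes a 30-second leeway and an issuer of the form `<domain>|login`; the sample token and domain are constructed, and a real signature failure (key changed or token mangled by a proxy) cannot be seen this way, only ruled in or out once the time and issuer checks pass.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Split a JWT and decode its payload WITHOUT verifying the signature.
    Diagnostic only: it reveals clock and issuer problems, not key problems."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, expected_issuer: str, now: int, leeway: int = 30) -> list[str]:
    """Return the reasons an exp/nbf/iss validation would reject these claims.
    The 30 s leeway is an assumption about the verifier's tolerance."""
    problems = []
    exp, nbf, iss = claims.get("exp"), claims.get("nbf"), claims.get("iss")
    if exp is None:
        problems.append("missing exp claim")
    elif now > exp + leeway:
        problems.append(f"token expired {now - exp} s ago")
    if nbf is not None and now + leeway < nbf:
        problems.append(f"token not valid for another {nbf - now} s (verifier clock behind issuer?)")
    if iss != expected_issuer:
        problems.append(f"issuer {iss!r} != expected {expected_issuer!r} (DOMAIN changed?)")
    return problems


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned token for demonstration; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), "placeholder"])


if __name__ == "__main__":
    now = int(time.time())
    issuer = "https://vault.example.test|login"  # hypothetical domain
    # Constructed scenario: issuer clock is 10 minutes ahead of the verifier.
    token = make_demo_token({"iss": issuer, "sub": "user-uuid", "nbf": now + 600, "exp": now + 7800})
    for problem in check_claims(decode_claims(token), issuer, now):
        print("would reject:", problem)
```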