doy / rbw

unofficial bitwarden cli
https://git.tozt.net/rbw

API request returned error: 400 (CAPTCHA implementation) #71

Closed digital-mystik closed 2 years ago

digital-mystik commented 2 years ago

Just noticed yesterday after a reboot that I am unable to log in via api.bitwarden.com; could just be a hiccup but am not sure.

ivankovnatsky commented 2 years ago

i first noticed weird things, when i was trying to rbw sync, which was unsuccessful, similar to this: https://github.com/doy/rbw/issues/32

then, when i purged my db with rbw purge and trying to reconnect with rbw login, i'm getting:

[2021-10-09T11:44:32Z WARN  rbw::api] unexpected error received during login: ConnectErrorRes { error: "invalid_grant", error_description: "Captcha required.", error_model: None, two_factor_providers: None }

is there any way to logout of a client?

update, a probable fix in bitwarden: https://github.com/bitwarden/server/pull/1626

update2: bitwarden issue ref: https://github.com/bitwarden/cli/issues/383

ajgraves commented 2 years ago

Interestingly their "fix" is to bypass captcha for a known device. I use (or just tried to start using today) rbw on OpenBSD, where no Bitwarden app/client exists. I have however logged in to the web vault (and use the browser plugins) on this machine, so hopefully that is enough to consider it a "known device" whenever they implement this fix. I wanted to use rbw to keep an "offline copy" on my machine for when I travel.

digital-mystik commented 2 years ago

@ivankovnatsky looks like that PR was merged but the issue still remains on my end.. any luck for you?

ivankovnatsky commented 2 years ago

@ivankovnatsky looks like that PR was merged but the issue still remains on my end.. any luck for you?

i suspect that the change is in master/main, but we most probably need to wait for the next release.

ivankovnatsky commented 2 years ago

Interestingly their "fix" is to bypass captcha for a known device. I use (or just tried to start using today) rbw on OpenBSD, where no Bitwarden app/client exists. I have however logged in to the web vault (and use the browser plugins) on this machine, so hopefully that is enough to consider it a "known device" whenever they implement this fix. I wanted to use rbw to keep an "offline copy" on my machine for when I travel.

agree, that looks weird.

digital-mystik commented 2 years ago

closing, not a rbw issue (appears PR will go live late October to address the captcha change)

ivankovnatsky commented 2 years ago

forgive me for the after-post here, though it's likely that the rbw code base should probably be adapted to accommodate the latest changes with the captcha; read: https://github.com/bitwarden/cli/issues/383.

for those who did not log out, that captcha fix-hack would probably work, but for the newer clients authenticating with rbw, cloudflare (bitwarden waf) would flag all requests as coming from a bot, i presume.

digital-mystik commented 2 years ago

@ivankovnatsky agreed.. the workaround using the client_secret from the API key seems like a good option

rotsix commented 2 years ago

Hey @digital-mystik, I still cannot use rbw due to the 400 error. You seem to say we can fix this issue by using the client_secret from the API key. Once I have generated this key within Bitwarden, do you know where rbw looks for this particular key?

digital-mystik commented 2 years ago

@rotsix hello, the workaround is not implemented in rbw, just bitwarden-cli

rotsix commented 2 years ago

Do you know when/if a workaround is going to be implemented? rbw is basically unusable for now.

digital-mystik commented 2 years ago

no idea.. depends on if doy has time or a PR is submitted/merged

doy commented 2 years ago

sorry - i'm paying attention to this but i've been busy the last couple weeks - if someone wants to submit a pull request, i could merge it, otherwise i'll hopefully be able to look into it in the next week or so

doy commented 2 years ago

okay, i believe this should be fixed in version 1.4.0. if you are running into this problem, try upgrading, and then use rbw register to provide it with your personal api key. once you have done that, everything should work as normal again.