Unable to Deauthorize sessions #4042

Closed
MButcho opened this issue Nov 6, 2023 · 9 comments · Fixed by #4067
Labels: bug (Something isn't working), enhancement (New feature or request)

Comments

MButcho commented Nov 6, 2023

Subject of the issue

When I try to Deauthorize sessions, I receive the following error:
[screenshot of the error]

The reason is that I wanted to implement push notifications, which are not working.

Deployment environment

  • vaultwarden version: v1.30.0

  • Install method: Docker image

  • Clients used: web vault, desktop, iOS

  • Reverse proxy and version: nginx version: nginx/1.18.0 (Ubuntu)

  • Nginx config:

http {
  upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:8088;
    keepalive 2;
  }

  upstream vaultwarden-ws {
    zone vaultwarden-ws 64k;
    server 127.0.0.1:3012;
    keepalive 2;
  }

  server {
    server_name some.domain.com;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    
    client_max_body_size 128M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-ws;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header "Connection" "";
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
    
    listen 443 ssl; # managed by Certbot
    ...
  }
}

Steps to reproduce

Log into web account / Account Settings / My Account / Deauthorize sessions / Send Code

Expected behaviour

Send an email to confirm the session deauthorization

Actual behaviour

Error above

Troubleshooting data

Log:
[2023-11-06 20:21:16.316][request][INFO] POST /api/accounts/request-otp
[2023-11-06 20:21:16.316][response][INFO] 404 Not Found

MButcho commented Nov 6, 2023

Other actions that require an OTP have the same issue, like exporting the vault.

BlackDex commented Nov 6, 2023

Seems this only gets triggered when using Login With Device, I think, when looking at the Bitwarden client code.

Can you confirm this?

MButcho commented Nov 6, 2023

Correct, when using the master password to log in, the export and deauthorize are possible.

BlackDex commented Nov 6, 2023

Great thanks!

@BlackDex BlackDex added bug Something isn't working enhancement New feature or request labels Nov 6, 2023
BlackDex commented Nov 6, 2023

Also, I would suggest updating your nginx config to not use port 3012 anymore, and removing those locations. Also, sending Connection: Upgrade all the time is probably not good.

Check the https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples for more details.
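
Applying those two suggestions to the config posted above gives the shape below. This is an added example, not the wiki's text and not the reporter's file: it assumes vaultwarden is reachable on 127.0.0.1:8088 under the host name some.domain.com (both taken from the issue), drops the vaultwarden-ws upstream together with both /notifications/hub locations so that websocket traffic goes through the same upstream as the rest of the API, and leaves out the commented /admin block and the Certbot TLS directives, which stay as in the original. The `map` block is standard nginx: it emits `Connection: upgrade` only when the client actually sent an Upgrade header and an empty Connection header otherwise, so ordinary API requests keep their keepalive connection to the upstream instead of carrying `Connection: Upgrade` on every call.

```nginx
# Added example (not the wiki's text or the reporter's file): the reporter's
# config with BlackDex's two suggestions applied. Assumes vaultwarden on
# 127.0.0.1:8088 and the host name some.domain.com, both taken from the issue.
http {
  # Single upstream: websocket notifications use the same port as the API,
  # so the separate port-3012 upstream and its two locations are gone.
  upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:8088;
    keepalive 2;
  }

  # Send "Connection: upgrade" only when the client asked for an upgrade;
  # otherwise send an empty Connection header so the keepalive connection
  # to the upstream keeps working for ordinary API requests.
  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
  }

  server {
    server_name some.domain.com;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 128M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    listen 443 ssl; # TLS certificate directives as in the original (managed by Certbot)
  }
}
```

A quick way to check the result is `nginx -t` for syntax, then a websocket client connecting to wss://some.domain.com/notifications/hub and a plain `curl -I https://some.domain.com/api/version`: the first should complete the upgrade handshake, the second should be served without any Upgrade/Connection header having been forced onto the upstream request.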

BlackDex commented Nov 7, 2023

I'm able to reproduce this, so now to find the correct solution to fix this.

BlackDex commented Nov 7, 2023

Ok, it looks like this needs SMTP to be enabled.
Without this, you can't export, deauthorize, and maybe do more specific items, like purge vault, etc.

With this feature, a mail will be sent with a passcode which enables you to verify that you are you when you used Login with device, which was unlocked via either PIN or Biometrics.

@kqmaverick

I have SMTP enabled and still see this error.

BlackDex commented Nov 8, 2023

> I have SMTP enabled and still see this error.

That is correct, since the endpoints which are called are not supported by Vaultwarden.

But there could be people who do not have SMTP enabled for which this could be an issue.

The only way they can bypass it is to log in without another device.

BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Nov 12, 2023
Since the `Login with device` feature, some actions done via the
web-vault need to be verified via an OTP instead of providing the MasterPassword.

This only happens if a user used the `Login with device` on a device
which uses either Biometrics login or PIN. These actions prevent the
authorizing device from sending the MasterPasswordHash. When this happens, the
web-vault requests an OTP to be filled in and this OTP is sent to the
user's email address, which is the same as the email address used to log in.

The only way to bypass this is by logging in with your password; in
those cases a password is requested instead of an OTP.

In case SMTP is not enabled, it will show an error message telling the
user to log in using their password.

Fixes dani-garcia#4042
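
The flow the commit message describes, as an added example written for this page and not vaultwarden's own code: when a session came from Login with device, the server cannot ask for the MasterPasswordHash, so it mails a one-time code and later consumes it, and when SMTP is disabled it refuses up front with a message pointing the user at a password login instead of the 404 seen in the issue. The names (`OtpService`, `request_otp_at`, `verify_otp_at`, the error enums) and the user-facing message text are this example's own; the code value is supplied by the caller so the example is deterministic, where a real server would draw it from a CSPRNG; the `outbox` vector is a constructed stand-in for the mail transport; and the 5-minute lifetime is an assumed value.

```rust
// Added example (not vaultwarden's code): a model of the OTP step described in
// the commit message. Actions such as "Deauthorize sessions" or "Export vault"
// cannot be confirmed with the master password hash when the session came from
// Login with device, so the server mails a one-time code instead; without SMTP
// it has to refuse and tell the user to log in with their password.
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum OtpRequestError {
    /// No way to deliver a code: the client must re-authenticate with the password.
    SmtpDisabled,
}

#[derive(Debug, PartialEq)]
pub enum OtpVerifyError {
    NoPendingCode,
    Expired,
    Mismatch,
}

struct PendingOtp {
    code: String,
    issued_at: Instant,
}

pub struct OtpService {
    smtp_enabled: bool,
    ttl: Duration,
    /// One pending code per account, keyed by the login email address.
    pending: HashMap<String, PendingOtp>,
    /// Constructed stand-in for the mail transport: (recipient, body).
    pub outbox: Vec<(String, String)>,
}

impl OtpService {
    pub fn new(smtp_enabled: bool, ttl: Duration) -> Self {
        OtpService { smtp_enabled, ttl, pending: HashMap::new(), outbox: Vec::new() }
    }

    /// Handles the web-vault's request for a code. The caller supplies `code`
    /// (hypothetical signature) so the example is deterministic; a real server
    /// draws it from a CSPRNG. `now` is injected for the same reason.
    pub fn request_otp_at(&mut self, email: &str, code: &str, now: Instant) -> Result<(), OtpRequestError> {
        if !self.smtp_enabled {
            // Fail early with a clear reason instead of an unsupported-endpoint 404.
            return Err(OtpRequestError::SmtpDisabled);
        }
        // Re-requesting replaces the previous code, so only the latest one is valid.
        self.pending.insert(email.to_string(), PendingOtp { code: code.to_string(), issued_at: now });
        self.outbox.push((email.to_string(), format!("Your verification code is {code}")));
        Ok(())
    }

    /// Consumes the pending code: one attempt per issued code, expiry checked
    /// before the comparison, and the comparison itself is constant-time.
    pub fn verify_otp_at(&mut self, email: &str, submitted: &str, now: Instant) -> Result<(), OtpVerifyError> {
        let pending = self.pending.remove(email).ok_or(OtpVerifyError::NoPendingCode)?;
        if now.duration_since(pending.issued_at) > self.ttl {
            return Err(OtpVerifyError::Expired);
        }
        if !constant_time_eq(pending.code.as_bytes(), submitted.as_bytes()) {
            return Err(OtpVerifyError::Mismatch);
        }
        Ok(())
    }

    /// The message shown instead of a 404 when the server cannot send mail.
    pub fn user_message(err: &OtpRequestError) -> &'static str {
        match err {
            OtpRequestError::SmtpDisabled => {
                "Email verification is unavailable on this server; log in with your master password to perform this action."
            }
        }
    }
}

/// Compares two byte strings without short-circuiting on the first difference.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

fn main() {
    let now = Instant::now();
    let mut svc = OtpService::new(true, Duration::from_secs(300));
    svc.request_otp_at("user@example.com", "482913", now).unwrap();
    println!("mail sent: {:?}", svc.outbox.last());
    println!("verify: {:?}", svc.verify_otp_at("user@example.com", "482913", now + Duration::from_secs(60)));

    let mut no_mail = OtpService::new(false, Duration::from_secs(300));
    if let Err(e) = no_mail.request_otp_at("user@example.com", "482913", now) {
        println!("refused: {}", OtpService::user_message(&e));
    }
}
```

Two details carry the security weight: the pending entry is removed before the comparison, so a wrong guess spends the code rather than leaving it open to repeated attempts, and the comparison does not leak where the first differing digit is. The empty-outbox check in the SMTP-disabled path is what the issue is really about: the user gets an actionable message rather than a request that silently fails.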
dani-garcia pushed a commit that referenced this issue Nov 12, 2023
Since the `Login with device` feature, some actions done via the
web-vault need to be verified via an OTP instead of providing the MasterPassword.

This only happens if a user used the `Login with device` on a device
which uses either Biometrics login or PIN. These actions prevent the
authorizing device from sending the MasterPasswordHash. When this happens, the
web-vault requests an OTP to be filled in and this OTP is sent to the
user's email address, which is the same as the email address used to log in.

The only way to bypass this is by logging in with your password; in
those cases a password is requested instead of an OTP.

In case SMTP is not enabled, it will show an error message telling the
user to log in using their password.

Fixes #4042