[GH-ISSUE #4042] Unable to Deauthorize sessions #1761

New issue

Closed

opened 2026-03-03 02:11:51 +03:00 by kerem · 9 comments

kerem commented 2026-03-03 02:11:51 +03:00

Owner

Copy link

Originally created by @MButcho on GitHub (Nov 6, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4042

Subject of the issue

When I try to Deauthorize sessions, I receive following error:

The reason is I wanted to implement push notifications, which are not working

Deployment environment

• vaultwarden version :v1.30.0

• Install method: Docker image

• Clients used: web vault, desktop, iOS

• Reverse proxy and version: nginx version: nginx/1.18.0 (Ubuntu)

• Nginx config:

http {
    upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:8088;
    keepalive 2;
  }
  
  upstream vaultwarden-ws {
    zone vaultwarden-ws 64k;
    server 127.0.0.1:3012;
    keepalive 2;
  }

  server {
    server_name some.domain.com;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    
    client_max_body_size 128M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-ws;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header "Connection" "";
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
    
    listen 443 ssl; # managed by Certbot
    ...
  }

Steps to reproduce

Log into web account / Account Settings / My Account / Deauthorize sessions / Send Code

Expected behaviour

Send email to confirm sessions deauthorize

Actual behaviour

Error above

Troubleshooting data

Log:
[2023-11-06 20:21:16.316][request][INFO] POST /api/accounts/request-otp
[2023-11-06 20:21:16.316][response][INFO] 404 Not Found

Originally created by @MButcho on GitHub (Nov 6, 2023). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4042 ### Subject of the issue When I try to Deauthorize sessions, I receive following error:  The reason is I wanted to implement push notifications, which are not working ### Deployment environment * vaultwarden version :v1.30.0 * Install method: Docker image * Clients used: web vault, desktop, iOS * Reverse proxy and version: nginx version: nginx/1.18.0 (Ubuntu) * Nginx config: ``` http { upstream vaultwarden-default { zone vaultwarden-default 64k; server 127.0.0.1:8088; keepalive 2; } upstream vaultwarden-ws { zone vaultwarden-ws 64k; server 127.0.0.1:3012; keepalive 2; } server { server_name some.domain.com; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; client_max_body_size 128M; location / { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-default; } location /notifications/hub/negotiate { proxy_http_version 1.1; proxy_set_header "Connection" ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-default; } location /notifications/hub { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Forwarded $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-ws; } # Optionally add extra authentication besides the ADMIN_TOKEN # Remove the comments below `#` and create the htpasswd_file to have it active # #location /admin { # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ # auth_basic "Private"; # auth_basic_user_file /path/to/htpasswd_file; # # proxy_http_version 1.1; # proxy_set_header "Connection" ""; # # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # # proxy_pass http://vaultwarden-default; #} listen 443 ssl; # managed by Certbot ... } ``` ### Steps to reproduce Log into web account / Account Settings / My Account / Deauthorize sessions / Send Code ### Expected behaviour Send email to confirm sessions deauthorize ### Actual behaviour Error above ### Troubleshooting data Log: [2023-11-06 20:21:16.316][request][INFO] POST /api/accounts/request-otp [2023-11-06 20:21:16.316][response][INFO] 404 Not Found

kerem 2026-03-03 02:11:51 +03:00

• closed this issue
• added the
  enhancement
  bug
  labels

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@MButcho commented on GitHub (Nov 6, 2023):

Other actions that require OTP have the same issue, like exporting vault

<!-- gh-comment-id:1796417593 --> @MButcho commented on GitHub (Nov 6, 2023): Other actions that require OTP have the same issue, like exporting vault

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 6, 2023):

Seems this only gets triggered when using Login With Device i think when looking at the Bitwarden client code.

Can you confirm this?

<!-- gh-comment-id:1796432734 --> @BlackDex commented on GitHub (Nov 6, 2023): Seems this only gets triggered when using `Login With Device` i think when looking at the Bitwarden client code. Can you confirm this?

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@MButcho commented on GitHub (Nov 6, 2023):

Correct, when using master password to log in, the export and deauthorize is possible

<!-- gh-comment-id:1796490635 --> @MButcho commented on GitHub (Nov 6, 2023): Correct, when using master password to log in, the export and deauthorize is possible

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 6, 2023):

Great thanks!

<!-- gh-comment-id:1796500805 --> @BlackDex commented on GitHub (Nov 6, 2023): Great thanks!

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 6, 2023):

Also, i would suggest to update your nginx config to not use port 3012 anymore, and remove those locations. Also, sending Connect: Upgrade all the time is probably not good.

Check the https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples for more details.

<!-- gh-comment-id:1796512036 --> @BlackDex commented on GitHub (Nov 6, 2023): Also, i would suggest to update your nginx config to not use port 3012 anymore, and remove those locations. Also, sending `Connect: Upgrade` all the time is probably not good. Check the https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples for more details.

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 7, 2023):

I'm able to reproduce this, so now to find the correct solution to fix this.

<!-- gh-comment-id:1799069264 --> @BlackDex commented on GitHub (Nov 7, 2023): I'm able to reproduce this, so now to find the correct solution to fix this.

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 7, 2023):

Ok, it looks like this needs SMTP to be enabled.
Without this, you can't export, deauthorize, and maybe more specific items, like purge vault etc..

With this feature a mail will be sent with a passcode which enables you to verify you are you when you used Login with device which was unlocked via either PIN or Biometrics.

<!-- gh-comment-id:1799139454 --> @BlackDex commented on GitHub (Nov 7, 2023): Ok, it looks like this needs SMTP to be enabled. Without this, you can't export, deauthorize, and maybe more specific items, like purge vault etc.. With this feature a mail will be sent with a passcode which enables you to verify you are you when you used `Login with device` which was unlocked via either PIN or Biometrics.

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@kqmaverick commented on GitHub (Nov 7, 2023):

I have SMTP enabled and still see this error.

<!-- gh-comment-id:1800431226 --> @kqmaverick commented on GitHub (Nov 7, 2023): I have SMTP enabled and still see this error.

kerem commented 2026-03-03 02:11:52 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 8, 2023):

I have SMTP enabled and still see this error.

That is correct, since the endpoints which are called are not supported by Vaultwarden.

But there could be people who do not have SMTP enabled for which this could be an issue.

Only way they can bypass is to login without an other device.

<!-- gh-comment-id:1801124603 --> @BlackDex commented on GitHub (Nov 8, 2023): > I have SMTP enabled and still see this error. That is correct, since the endpoints which are called are not supported by Vaultwarden. But there could be people who do not have SMTP enabled for which this could be an issue. Only way they can bypass is to login without an other device.

kerem referenced this issue 2026-03-03 09:09:19 +03:00

[PR #1761] [MERGED] Update dependencies #3003

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#1761

No description provided.