starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-25 17:25:57 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #4208] Unable to login from web, desktop-app & browser-plugin: OTP expected but never quested #1820

New issue
Closed
opened 2026-03-03 02:12:30 +03:00 by kerem · 0 comments
kerem commented 2026-03-03 02:12:30 +03:00
Owner
Copy link

Originally created by @RastaTaz on GitHub (Dec 29, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4208

Subject of the issue

It is impossible to login using web ui, linux app or browser extention using Brave.
Used account has 2FA enabled and also login with device but nor of those method works, resulting in 2FA errors in VW logs.

Deployment environment

  • vaultwarden version: 1.30.1

  • Install method: Docker image

  • Clients used: Web, Linux desktop app v2023.12.1, Brave (chrome clone) browser extension v2023.12.1

  • Reverse proxy and version: Traefik 2.10.7 + Nginx 1.25.3

  • MySQL/MariaDB or PostgreSQL version: Ver 15.1 Distrib 10.11.6-MariaDB

  • Other relevant details:

    • As related in #4024, I updated docker compose file to remove WS rules in traefik router in order to use only rocket (port 80) and also commented the WEBSOCKET_ENABLE=true environment variable in compose as container logs showed it still poped-up a WS server on port 3012.
    • Allready logged in clients have no problem with sync or receiving device login notifications (either using th old WS conf on port 3012 or the rocket integrated WS on port 80)

Steps to reproduce

As I'm just locking out from vault and not login off I can't really tell since when this issue occurs, as already connected clients keep on behaving normally...
I usually update my middleware (NginX, Traefik, MariaDB) and VW docker image as soon as there're updates available.

  • When using device login: I have error poping only in the desktop app but not in web ui nor browser pluging (they just stay in rest status), but logs showing VW expects an additional OTP token but is was never requested by clients
  • When using password/OTP: I have error after submitting password, token is also never requested by clients but logs show it is expected...

Expected behaviour

Sucessful login.

Actual behaviour

Troubleshooting data

Logs from container for 2FA (master password + OTP) login failure:

[2023-12-29 11:25:34.434][start][INFO] Rocket has launched from http://0.0.0.0:80
[2023-12-29 11:26:43.031][request][INFO] POST /identity/accounts/prelogin
[2023-12-29 11:26:43.032][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-12-29 11:26:44.200][request][INFO] POST /identity/connect/token
[2023-12-29 11:26:44.297][error][ERROR] 2FA token not provided
[2023-12-29 11:26:44.297][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
(...)
[2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe-
[2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060
[2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK
[2023-12-29 11:30:34.442][vaultwarden::api::core::two_factor][INFO] User XXXXXXXXX did not complete a 2FA login within the configured time limit. IP: 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060

Logs from container for device login failure:

[2023-12-29 11:30:29.182][request][INFO] GET /api/devices/knowndevice
[2023-12-29 11:30:29.184][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-12-29 11:30:31.669][request][INFO] POST /api/auth-requests/
[2023-12-29 11:30:31.673][response][INFO] (post_auth_request) POST /api/auth-requests => 200 OK
[2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe-
[2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060
[2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK
[2023-12-29 11:30:37.447][request][INFO] GET /api/auth-requests/
[2023-12-29 11:30:37.448][response][INFO] (get_auth_requests) GET /api/auth-requests => 200 OK
[2023-12-29 11:30:40.165][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66
[2023-12-29 11:30:40.167][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK
[2023-12-29 11:30:41.706][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66
[2023-12-29 11:30:41.707][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK
[2023-12-29 11:30:41.863][request][INFO] PUT /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66
[2023-12-29 11:30:41.867][response][INFO] (put_auth_request) PUT /api/auth-requests/<uuid> => 200 OK
[2023-12-29 11:30:41.873][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66/response?code=3hVRdvESL7SajRT5iqevLW3Kv
[2023-12-29 11:30:41.874][response][INFO] (get_auth_request_response) GET /api/auth-requests/<uuid>/response?<code> => 200 OK
[2023-12-29 11:30:41.884][request][INFO] POST /identity/connect/token
[2023-12-29 11:30:41.888][error][ERROR] 2FA token not provided
[2023-12-29 11:30:41.888][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2023-12-29 11:30:41.911][vaultwarden::api::notifications][INFO] Closing WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060
[2023-12-29 11:30:41.911][rocket::server][ERROR] Upgraded websocket I/O handler failed: WebSocket protocol error: Sending after closing is not allowed
Originally created by @RastaTaz on GitHub (Dec 29, 2023). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4208 <!-- # ### NOTE: Please update to the latest version of vaultwarden before reporting an issue! This saves you and us a lot of time and troubleshooting. See: * https://github.com/dani-garcia/vaultwarden/issues/1180 * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image # ### --> <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. Remember to hide/redact personal or confidential information, such as passwords, IP addresses, and DNS names as appropriate. --> ### Subject of the issue <!-- Describe your issue here. --> It is impossible to login using web ui, linux app or browser extention using Brave. Used account has 2FA enabled and also login with device but nor of those method works, resulting in 2FA errors in VW logs. ### Deployment environment <!-- ========================================================================================= Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab. That will auto-generate most of the info requested in this section. ========================================================================================= --> <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> <!-- Remember to check if your issue exists on the latest version first! --> * vaultwarden version: 1.30.1 <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method: Docker image * Clients used: Web, Linux desktop app v2023.12.1, Brave (chrome clone) browser extension v2023.12.1 <!-- web vault, desktop, Android, iOS, etc. (if applicable) --> * Reverse proxy and version: Traefik 2.10.7 + Nginx 1.25.3 <!-- if applicable --> * MySQL/MariaDB or PostgreSQL version: Ver 15.1 Distrib 10.11.6-MariaDB<!-- if applicable --> * Other relevant details: - As related in #4024, I updated docker compose file to remove WS rules in traefik router in order to use only rocket (port 80) and also commented the `WEBSOCKET_ENABLE=true` environment variable in compose as container logs showed it still poped-up a WS server on port 3012. - Allready logged in clients have no problem with sync or receiving device login notifications (either using th old WS conf on port 3012 or the rocket integrated WS on port 80) ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start vaultwarden? --> As I'm just locking out from vault and not login off I can't really tell since when this issue occurs, as already connected clients keep on behaving normally... I usually update my middleware (NginX, Traefik, MariaDB) and VW docker image as soon as there're updates available. - When using device login: I have error poping only in the desktop app but not in web ui nor browser pluging (they just stay in rest status), but logs showing VW expects an additional OTP token but is was never requested by clients - When using password/OTP: I have error after submitting password, token is also never requested by clients but logs show it is expected... ### Expected behaviour <!-- Tell us what you expected to happen --> Sucessful login. ### Actual behaviour <!-- Tell us what actually happened --> ### Troubleshooting data <!-- Share any log files, screenshots, or other relevant troubleshooting data --> Logs from container for 2FA (master password + OTP) login failure: ``` [2023-12-29 11:25:34.434][start][INFO] Rocket has launched from http://0.0.0.0:80 [2023-12-29 11:26:43.031][request][INFO] POST /identity/accounts/prelogin [2023-12-29 11:26:43.032][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2023-12-29 11:26:44.200][request][INFO] POST /identity/connect/token [2023-12-29 11:26:44.297][error][ERROR] 2FA token not provided [2023-12-29 11:26:44.297][response][INFO] (login) POST /identity/connect/token => 400 Bad Request (...) [2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe- [2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 [2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK [2023-12-29 11:30:34.442][vaultwarden::api::core::two_factor][INFO] User XXXXXXXXX did not complete a 2FA login within the configured time limit. IP: 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 ``` Logs from container for device login failure: ``` [2023-12-29 11:30:29.182][request][INFO] GET /api/devices/knowndevice [2023-12-29 11:30:29.184][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2023-12-29 11:30:31.669][request][INFO] POST /api/auth-requests/ [2023-12-29 11:30:31.673][response][INFO] (post_auth_request) POST /api/auth-requests => 200 OK [2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe- [2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 [2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK [2023-12-29 11:30:37.447][request][INFO] GET /api/auth-requests/ [2023-12-29 11:30:37.448][response][INFO] (get_auth_requests) GET /api/auth-requests => 200 OK [2023-12-29 11:30:40.165][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66 [2023-12-29 11:30:40.167][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK [2023-12-29 11:30:41.706][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66 [2023-12-29 11:30:41.707][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK [2023-12-29 11:30:41.863][request][INFO] PUT /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66 [2023-12-29 11:30:41.867][response][INFO] (put_auth_request) PUT /api/auth-requests/<uuid> => 200 OK [2023-12-29 11:30:41.873][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66/response?code=3hVRdvESL7SajRT5iqevLW3Kv [2023-12-29 11:30:41.874][response][INFO] (get_auth_request_response) GET /api/auth-requests/<uuid>/response?<code> => 200 OK [2023-12-29 11:30:41.884][request][INFO] POST /identity/connect/token [2023-12-29 11:30:41.888][error][ERROR] 2FA token not provided [2023-12-29 11:30:41.888][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2023-12-29 11:30:41.911][vaultwarden::api::notifications][INFO] Closing WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 [2023-12-29 11:30:41.911][rocket::server][ERROR] Upgraded websocket I/O handler failed: WebSocket protocol error: Sending after closing is not allowed ```
kerem closed this issue 2026-03-03 02:12:30 +03:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#1820
No description provided.