[GH-ISSUE #5641] Missing ForcePasswordReset on API key login responses #2209

New issue

Closed

opened 2026-03-03 02:16:18 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 02:16:18 +03:00

Owner

Originally created by @TymanWasTaken on GitHub (Feb 26, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/5641

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.33.2
Web-vault version: v2025.1.1
OS/Arch: linux/aarch64
Running within a container: true (Base: Alpine)
Database type: SQLite
Database version: 3.48.0
Environment settings overridden!: false
Uses a reverse proxy: true
IP Header check: false (X-Forwarded-For)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: true
HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****************",
  "domain_origin": "*****://****************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*******************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.33.2

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

caddy 2.8.4

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.1 aarch64

Clients

Rust SDK

Client Version

Rust SDK v1.0.0

Steps To Reproduce

Create rust project using public rust SDK
Configure a client to connect to your Vaultwarden server
Attempt to login with API key
See panic by SDK as the response was parsed incorrectly due to missing ForcePasswordReset

Expected Result

API Key login with scope api should return a JSON response including ForcePasswordReset key, to enable proper parsing by the Bitwarden Rust SDK

Actual Result

Login response does not include the ForcePasswordReset key, causing the rust SDK to assume the response is a refresh token response, causing a panic:

thread 'main' panicked at [...]/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/bitwarden-core-1.0.0/src/auth/login/password.rs:149:17:
internal error: entered unreachable code: Got a `refresh_token` answer to a login request

Logs

Screenshots or Videos

No response

Additional Context

I am not entirely sure whether this is technically an issue with Vaultwarden or the Bitwarden SDK, but given Vaultwarden attempts to maintain compatibility with all Bitwarden Clients (which technically includes the Rust SDK), I figured I would report it here first.

To summarize the issue, I am attempting to develop a Rust program that interfaces with my personal Vaultwarden server, however when trying to login to the Vaultwarden server via API key, the SDK panicked, mentioning how it received a refresh_token response instead of a login response. After using a MITM proxy to get the API requests, I noticed the only difference from what Bitwarden's SDK was expecting and what was being returned was a missing ForcePasswordReset property.

Looking at github.com/dani-garcia/vaultwarden@871a3f214a/src/api/identity.rs, I notice that the _password_login function includes this property, but not _user_api_key_login for whatever reason, so the only change that should be needed is adding that property to the other function.

Originally created by @TymanWasTaken on GitHub (Feb 26, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/5641 ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.2 * Web-vault version: v2025.1.1 * OS/Arch: linux/aarch64 * Running within a container: true (Base: Alpine) * Database type: SQLite * Database version: 3.48.0 * Environment settings overridden!: false * Uses a reverse proxy: true * IP Header check: false (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****************", "domain_origin": "*****://****************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*************************", "smtp_from_name": "Vaultwarden", "smtp_host": "*******************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "*************************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.33.2 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy caddy 2.8.4 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 24.04.1 aarch64 ### Clients [Rust SDK](https://lib.rs/bitwarden) ### Client Version Rust SDK v1.0.0 ### Steps To Reproduce 1. Create rust project using public rust SDK 2. Configure a client to connect to your Vaultwarden server 3. Attempt to login with API key 4. See panic by SDK as the response was parsed incorrectly due to missing `ForcePasswordReset` ### Expected Result API Key login with scope `api` should return a JSON response including `ForcePasswordReset` key, to enable proper parsing by the Bitwarden Rust SDK ### Actual Result Login response does not include the `ForcePasswordReset` key, causing the rust SDK to assume the response is a refresh token response, causing a panic: ``` thread 'main' panicked at [...]/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/bitwarden-core-1.0.0/src/auth/login/password.rs:149:17: internal error: entered unreachable code: Got a `refresh_token` answer to a login request ``` ### Logs ```text ``` ### Screenshots or Videos _No response_ ### Additional Context I am not entirely sure whether this is technically an issue with Vaultwarden or the Bitwarden SDK, but given Vaultwarden attempts to maintain compatibility with all Bitwarden Clients (which technically includes the Rust SDK), I figured I would report it here first. To summarize the issue, I am attempting to develop a Rust program that interfaces with my personal Vaultwarden server, however when trying to login to the Vaultwarden server via API key, the SDK panicked, mentioning how it received a refresh_token response instead of a login response. After using a MITM proxy to get the API requests, I noticed the only difference from what Bitwarden's SDK was expecting and what was being returned was a missing `ForcePasswordReset` property. Looking at https://github.com/dani-garcia/vaultwarden/blob/871a3f214aefc6a7b3fbc3f5662b5295d590a54e/src/api/identity.rs, I notice that the `_password_login` function includes this property, but not `_user_api_key_login` for whatever reason, so the only change that should be needed is adding that property to the other function.