starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-25 17:25:57 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #724] Admin page choices seem restrictive #490

New issue
Closed
opened 2026-03-03 01:29:51 +03:00 by kerem · 10 comments
kerem commented 2026-03-03 01:29:51 +03:00
Owner
Copy link

Originally created by @ngoonee on GitHub (Nov 14, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/724

So unless I'm missing something, the bitwarden_rs self-hosted admin panel is:-

  1. Globally accessible (can't be restricted to just a few users with admin permissions)
  2. Password-only (no 2-factor unlike normal users)
  3. Inconvenient (the password must be specified on startup and can't be changed without bringing the docker image down and up)
  4. Unsafe (if because of number 3 you just do not use and admin_token, which is a HUGE BAD IDEA)

Seems it would have been easiest just to make the first user an admin (or perhaps you'd need to specify the admin list when starting the server)? At least you'd get 2FA etc.

Originally created by @ngoonee on GitHub (Nov 14, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/724 So unless I'm missing something, the bitwarden\_rs self-hosted admin panel is:- 1. Globally accessible (can't be restricted to just a few users with admin permissions) 2. Password-only (no 2-factor unlike normal users) 3. Inconvenient (the password must be specified on startup and can't be changed without bringing the docker image down and up) 4. Unsafe (if because of number 3 you just do not use and admin\_token, which is a HUGE BAD IDEA) Seems it would have been easiest just to make the first user an admin (or perhaps you'd need to specify the admin list when starting the server)? At least you'd get 2FA etc.
kerem closed this issue 2026-03-03 01:29:51 +03:00
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Nov 14, 2019):

1- Not sure what do you mean, the admin page is protected by the password set in admin_token, if we used one of the users credentials it would still be protected by an email and a password, security wise it's the same.

2- This one is true, implementing TOTP authenticator support should be fairly easy and I've been meaning to do it for some time now. The rest would be harder but doable still.

3- The admin token can be changed in the admin page, it's at the bottom of the general settings section.

4-I don't understand what do you mean here, yeah not using an admin_token is a bad idea, but I don't think having it set up is that inconvenient, you can change it from the admin page and you can save it in your vault for easy logins.

The reason we don't support using a users credentials in the admin page is because that can mean two things:

  • Sending the user's plain password to the server, which is something I've generally tried to avoid and isn't done at the moment (The clients hash the password before sending it to the server)
  • Implementing the hashing in the admin page code, which would take a decent amount of work for not much benefit.

For what it's worth, in my instance I generate long admin_tokens (60+ chars) and save them as a cipher inside my bitwarden account, that way I can use autocomplete to log in quickly.

<!-- gh-comment-id:554012635 --> @dani-garcia commented on GitHub (Nov 14, 2019): 1- Not sure what do you mean, the admin page is protected by the password set in admin_token, if we used one of the users credentials it would still be protected by an email and a password, security wise it's the same. 2- This one is true, implementing TOTP authenticator support should be fairly easy and I've been meaning to do it for some time now. The rest would be harder but doable still. 3- The admin token can be changed in the admin page, it's at the bottom of the general settings section. 4-I don't understand what do you mean here, yeah not using an admin_token is a bad idea, but I don't think having it set up is that inconvenient, you can change it from the admin page and you can save it in your vault for easy logins. The reason we don't support using a users credentials in the admin page is because that can mean two things: - Sending the user's plain password to the server, which is something I've generally tried to avoid and isn't done at the moment (The clients hash the password before sending it to the server) - Implementing the hashing in the admin page code, which would take a decent amount of work for not much benefit. For what it's worth, in my instance I generate long admin_tokens (60+ chars) and save them as a cipher inside my bitwarden account, that way I can use autocomplete to log in quickly.
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 14, 2019):

Also, the official bitwarden project doesn't link the accounts to the admin panel.

It provides login via email which sends a special link to login.

In any case, if you use a reverse proxy like nginx, apache or haproxy even you can add extra basic auth pre-login if you want.

<!-- gh-comment-id:554070840 --> @BlackDex commented on GitHub (Nov 14, 2019): Also, the official bitwarden project doesn't link the accounts to the admin panel. It provides login via email which sends a special link to login. In any case, if you use a reverse proxy like nginx, apache or haproxy even you can add extra basic auth pre-login if you want.
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@ngoonee commented on GitHub (Nov 14, 2019):

  1. The page is a totally separate account with a separate password, which means its globally accessible to anyone who knows the password (admin_token). This wouldn't be much of a problem if 2FA was possible, but under the current situation it does seem like the security (single password) is much lower than if you could just re-use the login credentials.
  2. Does setting the admin token in the settings page persist across reboots? My concern with setting it on startup is that startup scripts tend to be uploaded to people's dotfiles etc. and no sensitive information should ever exist in a startup script. Of course, if its possible to set a dummy password and immediately change it permanently from the admin page, this is a non-issue.
  3. This stems from my misunderstandings of the above I think. If 3. is viable then 4. becomes a non-issue. However 2FA of course would be very welcome.

Thanks for the follow-up para as well, yes sending plaintext passwords is a bad idea. I guess I thought admin page could just re-use the session from the web vault, hence you'd need to be logged in to the web vault first. Could even put a convenient 'admin' link on the top bar there. Wouldn't this handover the responsibility to the web vault for authentication?

<!-- gh-comment-id:554105121 --> @ngoonee commented on GitHub (Nov 14, 2019): 1. The page is a totally separate account with a separate password, which means its globally accessible to anyone who knows the password (admin_token). This wouldn't be much of a problem if 2FA was possible, but under the current situation it does seem like the security (single password) is much lower than if you could just re-use the login credentials. 3. Does setting the admin token in the settings page persist across reboots? My concern with setting it on startup is that startup scripts tend to be uploaded to people's dotfiles etc. and no sensitive information should ever exist in a startup script. Of course, if its possible to set a dummy password and immediately change it permanently from the admin page, this is a non-issue. 4. This stems from my misunderstandings of the above I think. If 3. is viable then 4. becomes a non-issue. However 2FA of course would be very welcome. Thanks for the follow-up para as well, yes sending plaintext passwords is a bad idea. I guess I thought admin page could just re-use the session from the web vault, hence you'd need to be logged in to the web vault first. Could even put a convenient 'admin' link on the top bar there. Wouldn't this handover the responsibility to the web vault for authentication?
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Nov 14, 2019):

Yes, the admin page configuration and the admin token are all saved in the config.json file, by default in the data folder. Once that's set there, you can remove it from the environment variables, as the config file would take precedence anyway.

Well I've never thought about it before, but reusing the session tokens would technically work, though it would create a very unintuitive login process: first go to vault.example.com, login, then manually go to vault.example.com/admin, we could redirect from the admin page to the login page but not the other way around, not without modifying the web vault code.

<!-- gh-comment-id:554133565 --> @dani-garcia commented on GitHub (Nov 14, 2019): Yes, the admin page configuration and the admin token are all saved in the config.json file, by default in the data folder. Once that's set there, you can remove it from the environment variables, as the config file would take precedence anyway. Well I've never thought about it before, but reusing the session tokens would technically work, though it would create a very unintuitive login process: first go to vault.example.com, login, then manually go to vault.example.com/admin, we could redirect from the admin page to the login page but not the other way around, not without modifying the web vault code.
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@ngoonee commented on GitHub (Nov 15, 2019):

This is beyond my expertise as I'm not a web/UI guy, but would it be possible to 'inject' an additional div or something to the web vault for that purpose? Is the current web vault code directly taken from bitwarden?

Will the config file take precedence even when removing and recreating the docker? Currently I can't find 'config.json' anywhere on my system or inside the docker.

<!-- gh-comment-id:554199738 --> @ngoonee commented on GitHub (Nov 15, 2019): This is beyond my expertise as I'm not a web/UI guy, but would it be possible to 'inject' an additional div or something to the web vault for that purpose? Is the current web vault code directly taken from bitwarden? Will the config file take precedence even when removing and recreating the docker? Currently I can't find 'config.json' anywhere on my system or inside the docker.
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Nov 15, 2019):

Yes the current vault code is pretty much the same as upstream, just changing the URLs to not point to the official API and some style changes to hide stuff like billing pages and similar. We try to not touch any of the functionality because that would mean more work to keep it updated as new web vault releases come out.

The config.json file takes precedence over environment variables or the .env file, and should be inside the mounted data volume, but it's only created the first time the settings are saved in the admin panel, so maybe that's why you don't see it. The data volume will survive the containers being updated or deleted yes, which means the config file would still apply.

<!-- gh-comment-id:554561133 --> @dani-garcia commented on GitHub (Nov 15, 2019): Yes the current vault code is pretty much the same as upstream, just changing the URLs to not point to the official API and some style changes to hide stuff like billing pages and similar. We try to not touch any of the functionality because that would mean more work to keep it updated as new web vault releases come out. The config.json file takes precedence over environment variables or the .env file, and should be inside the mounted data volume, but it's only created the first time the settings are saved in the admin panel, so maybe that's why you don't see it. The data volume will survive the containers being updated or deleted yes, which means the config file would still apply.
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@ngoonee commented on GitHub (Nov 16, 2019):

Thanks, have updated the wiki page with this information.

Final question on the admin page, is there no way to logout (beyond leaving it alone/closed for 20 minutes)?

<!-- gh-comment-id:554634306 --> @ngoonee commented on GitHub (Nov 16, 2019): Thanks, have updated the wiki page with this information. Final question on the admin page, is there no way to logout (beyond leaving it alone/closed for 20 minutes)?
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Nov 16, 2019):

You can also delete the cookies in the browser, but adding an explicit logout button is not a bad idea.

<!-- gh-comment-id:554676063 --> @dani-garcia commented on GitHub (Nov 16, 2019): You can also delete the cookies in the browser, but adding an explicit logout button is not a bad idea.
kerem commented 2026-03-03 01:29:52 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Dec 1, 2019):

The logout button is now present in the latest commit.

<!-- gh-comment-id:560157008 --> @dani-garcia commented on GitHub (Dec 1, 2019): The logout button is now present in the latest commit.
kerem commented 2026-03-03 01:29:53 +03:00
Author
Owner
Copy link

@mprasil commented on GitHub (Jan 29, 2020):

I think this can be now closed since the logout button was added and the reason for separate "account" was explained. Feel free to reopen if you think there's more we can do here.

<!-- gh-comment-id:579721474 --> @mprasil commented on GitHub (Jan 29, 2020): I think this can be now closed since the logout button was added and the reason for separate "account" was explained. Feel free to reopen if you think there's more we can do here.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#490
No description provided.