[GH-ISSUE #770] Invalid TOTP code when trying to log in #530

Closed
opened 2026-03-03 01:30:14 +03:00 by kerem · 7 comments
Owner

Originally created by @timaschew on GitHub (Dec 18, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/770

Subject of the issue

Invalid TOTP code when logging in via web vault. I'm pretty sure it worked when I set it up.
I'm running bitwarden inside of dokku (docker). I've restarted the app and run `sudo timedatectl set-ntp true` to sync the time but it didn't help. On my phone I'm using andOTP and I've tested logging in to GitHub with the same app and it works. So it seems that the server is the problem.

Your environment

  • Bitwarden_rs version: VAULT_VERSION="v2.10.1"
  • Install method: Docker, Dockerfile, see at the bottom
  • Clients used: web, Android, Chrome browser extension
  • Reverse proxy and version: nginx (built-in with dokku)
  • Version of mysql/postgresql: - (sqlite)
  • Other relevant information:

Steps to reproduce

Just deployed everything as it is via the Dockerfile. Deployment is handled by dokku

Expected behaviour

Login to web vault and typing in password and afterwards 2FA code without any error.

Actual behaviour

Logging in to my web vault and typing in my password. After typing in the 2FA code it shows a red notification with the text: An error has occurred. Invalid TOTP code

Here is the server log:

```
[2019-12-18 06:19:04][rocket::rocket][INFO] POST /api/accounts/prelogin application/json; charset=utf-8:
[2019-12-18 06:19:04][_][INFO] Matched: POST /api/accounts/prelogin (prelogin)
[2019-12-18 06:19:04][_][INFO] Outcome: Success
[2019-12-18 06:19:04][_][INFO] Response succeeded.
[2019-12-18 06:19:05][rocket::rocket][INFO] POST /identity/connect/token application/x-www-form-urlencoded; charset=utf-8:
[2019-12-18 06:19:05][_][INFO] Matched: POST /identity/connect/token (login)
[2019-12-18 06:19:05][bitwarden_rs::error][ERROR] JsonError. {"TwoFactorProviders":[0],"TwoFactorProviders2":{"0":null},"error":"invalid_grant","error_description":"Two factor required."}
[2019-12-18 06:19:05][_][INFO] Outcome: Success
[2019-12-18 06:19:05][_][INFO] Response succeeded.
[2019-12-18 06:19:18][rocket::rocket][INFO] POST /identity/connect/token application/x-www-form-urlencoded; charset=utf-8:
[2019-12-18 06:19:18][_][INFO] Matched: POST /identity/connect/token (login)
[2019-12-18 06:19:18][bitwarden_rs::error][ERROR] Invalid TOTP code. Invalid TOTP code
[2019-12-18 06:19:18][_][INFO] Outcome: Success
[2019-12-18 06:19:18][_][INFO] Response succeeded.
```

Relevant logs

Here is the dockerfile which is used for deployment:

```Dockerfile
# Using multistage build:
#   https://docs.docker.com/develop/develop-images/multistage-build/
#   https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE  #######################
FROM alpine as vault

ENV VAULT_VERSION "v2.10.1"

ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

RUN apk add --update-cache --upgrade \
    curl \
    tar

RUN mkdir /web-vault
WORKDIR /web-vault

RUN curl -L $URL | tar xz
RUN ls

########################## BUILD IMAGE  ##########################
# Musl build image for statically compiled binary
FROM clux/muslrust:nightly-2018-12-01 as build

ENV USER "root"

WORKDIR /app

# Copies the complete project
# To avoid copying unneeded files, use .dockerignore
COPY . .

RUN rustup target add x86_64-unknown-linux-musl

# Build
RUN cargo build --release

######################## RUNTIME IMAGE  ########################
# Create a new stage with a minimal image
# because we already have a binary built
FROM alpine:3.9

ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80
ENV ROCKET_WORKERS=10
ENV SSL_CERT_DIR=/etc/ssl/certs

# Install needed libraries
RUN apk add \
        openssl\
        ca-certificates \
    && rm /var/cache/apk/*

RUN mkdir /data
VOLUME /data
EXPOSE 80
EXPOSE 3012

# Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage
COPY Rocket.toml .
COPY --from=vault /web-vault ./web-vault
COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .

# Configures the startup!
CMD ./bitwarden_rs
```
kerem closed this issue 2026-03-03 01:30:15 +03:00

@BlackDex commented on GitHub (Dec 19, 2019):

Could you verify the date/time on the docker host?
Most of the time this is an issue with time drift on the server.
By default there is a time drift allowed of 30 seconds before and after. But if the server exceeds that, you will get invalid TOTP code messages.


@timaschew commented on GitHub (Dec 20, 2019):

Yes I've checked the time and it is good.

`date -u` is equal in host, container and my local machine, just `date` shows a UTC zone in the container and CET in the host but I don't think this should be a problem.


@timaschew commented on GitHub (Dec 20, 2019):

I've deleted the row from the twofactory database, logged in and added 2FA again, and now it works again.
BTW: changing `enabled` in the twofactory table to `0` didn't work.

<!-- gh-comment-id:568061636 --> @timaschew commented on GitHub (Dec 20, 2019): I've deleted the row from the twofactory database and logged in and added again 2FA and now it works again. BTW: changing the `enabled` in the twofactory table do `0` didn't work.
Author
Owner

@BlackDex commented on GitHub (Jan 3, 2020):

Well, if you deleted the row, and enabled the 2FA again, it looks like the 2FA key was invalid.
It could mean two things, it was wrongly generated/displayed, or wrongly saved.
But that would also be strange since it will only activate after a verification code.

In any case, in the code the current time used is also printed during the TOTP error just for an extra check.
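The two failure modes discussed in this thread (server clock outside the allowed drift versus a stored 2FA key that differs from the authenticator's) can be told apart offline. The following is an added example, not vaultwarden's code and not part of the original comments: a minimal RFC 6238 verifier that assumes the "30 seconds before and after" allowance corresponds to one 30-second step either side, with a hypothetical `diagnose` helper and the RFC 4226 test secret as constructed sample input.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
# Constructed sample: RFC 4226/6238 test secret "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1 with dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept a code valid within +/- `window` steps of the server's clock.
    window=1 is this example's assumption for '30 seconds before and after'."""
    now = int(server_time) // STEP
    return any(hmac.compare_digest(hotp(secret_b32, now + d), code)
               for d in range(-window, window + 1) if now + d >= 0)

def diagnose(secret_b32: str, code: str, server_time: float,
             search_steps: int = 120) -> str:
    """Hypothetical helper: classify a rejected code as clock skew
    (it matches at some larger offset) or as a secret mismatch."""
    if verify(secret_b32, code, server_time):
        return "accepted"
    now = int(server_time) // STEP
    # Search outward from the server's step so the nearest match wins.
    for d in sorted(range(-search_steps, search_steps + 1), key=abs):
        if now + d >= 0 and hotp(secret_b32, now + d) == code:
            return f"clock skew: code matches {d * STEP:+d}s from server time"
    return "no match in search range: stored secret likely differs"

if __name__ == "__main__":
    code = hotp(SECRET, 59 // STEP)       # code the phone shows at t=59s
    print(diagnose(SECRET, code, 59))     # server clock agrees
    print(diagnose(SECRET, code, 179))    # server clock 120s ahead
    print(diagnose(SECRET, "000000", 150, search_steps=4))  # unrelated code
```

A skew result points at the host or container clock; a no-match result with a correct clock is consistent with the outcome reported above, where re-enrolling 2FA fixed the login.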


@dani-garcia commented on GitHub (May 13, 2020):

Closed due to inactivity.


@ghost commented on GitHub (Oct 19, 2022):

Open it because it's a genuine issue :)


@BlackDex commented on GitHub (Oct 19, 2022):

@Jackdrl are you sure? Have you checked the date and time etc.?
Also, I would suggest opening a discussion with an output of the support string you can generate from the diagnostics page.
