[GH-ISSUE #904] Data breach option from web vault gives 401 #645

Closed
opened 2026-03-03 02:01:39 +03:00 by kerem · 2 comments
Owner

Originally created by @manofthepeace on GitHub (Mar 14, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/904

Subject of the issue

Using webvault 2.13.1, when using data breach report, I always get a 401 unauthorized error. HIBP_API_KEY is set properly, and works for exposed passwords report. I cannot say if it worked with an older version or older vault, as I just got a HIBP key.

I did try to restart bitwarden_rs and also log out and back in to the web vault, but the same thing happens. Tested with Firefox and Chrome.

Your environment

  • Bitwarden_rs version: 1.14
  • Install method: built from source
  • Clients used: web-vault 2.13.1
  • Reverse proxy and version: apache
  • Version of mysql/postgresql: sqlite3

Steps to reproduce

1. Go to web-vault 2.13.1, #/tools/breach-report
2. Enter an email address in the box, or username
3. Click check breaches

Expected behaviour

Should get the report instead of the error.

Actual behaviour

Getting a 401 in the logs and the UI is showing a red error popup "An unexpected error has occurred"

Relevant logs

2020-03-14 12:20:24][error][ERROR] ReqError.
[CAUSE] Error(
    Status(
        401,
    ),
    "https://haveibeenpwned.com/api/v3/breachedaccount/<EMAIL>?truncateResponse=false&includeUnverified=false",
kerem closed this issue 2026-03-03 02:01:39 +03:00

@BlackDex commented on GitHub (Mar 15, 2020):

Are you sure the api key is correct? Please double check in the /admin interface.

Only the email breach report needs the api key. The exposed passwords are free to use.

I don't have an API key so I can't check. But the code looks okay, just as the API documentation tells it to be.


@manofthepeace commented on GitHub (Mar 15, 2020):

OK, false alert, sorry for the noise. There was an extra char in the key I did input in the env file. What misled me was the fact that the check from within the mobile app, and also the exposed password report from web-vault, worked.

Also curl was working fine with my key, but the extra char was not there.

I did look at the code, I saw that the key seemed to be added to the header properly, and if the key was missing I would get something like this.

{ "statusCode": 401, "message": "Access denied due to missing hibp-api-key." }

Still unsure how other functionalities were working, but maybe it's the only one that actually needs the API key.

Thank you.
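
The cause reported in this thread was an extra character in the `HIBP_API_KEY` value in the env file. As an added example (not part of the original thread or of the vaultwarden code), the shell function below lints that value without ever printing the key; the function name `check_hibp_key` and the 32-hex-character key format are assumptions, and the sample key is constructed.

```shell
#!/bin/sh
# Added example: lint HIBP_API_KEY in an env file without printing the key.
# Assumption: a valid key is 32 hexadecimal characters (override HIBP_KEY_LEN).
HIBP_KEY_LEN=${HIBP_KEY_LEN:-32}

# check_hibp_key FILE -> prints a one-line diagnosis, returns 0 only if clean.
check_hibp_key() {
    envfile=$1
    # Use the last assignment in the file; a later line overrides an earlier one.
    line=$(grep -E '^HIBP_API_KEY=' "$envfile" | tail -n 1)
    if [ -z "$line" ]; then
        echo "missing: HIBP_API_KEY not set"
        return 1
    fi
    value=${line#HIBP_API_KEY=}

    # Remove every hex digit; whatever is left is a stray character
    # (quote, space, carriage return from a CRLF file, pasted punctuation).
    stray=$(printf '%s' "$value" | tr -d '0-9a-fA-F')
    if [ -n "$stray" ]; then
        # Report stray bytes as hex so invisible characters become visible.
        hex=$(printf '%s' "$stray" | od -An -tx1 | tr -s ' \n' ' ')
        echo "stray:$hex"
        return 1
    fi

    # All hex, but an extra or missing character still changes the length.
    len=${#value}
    if [ "$len" -ne "$HIBP_KEY_LEN" ]; then
        echo "length: $len (expected $HIBP_KEY_LEN)"
        return 1
    fi
    echo "ok"
}

# Demo on a constructed env file saved with Windows line endings.
demo=$(mktemp)
printf 'HIBP_API_KEY=0123456789abcdef0123456789abcdef\r\n' > "$demo"
check_hibp_key "$demo" || true
rm -f "$demo"
```
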
