[GH-ISSUE #955] DUO 2FA - login fails if email is not lowercase #680

Closed
opened 2026-03-03 02:02:07 +03:00 by kerem · 4 comments
Originally created by @defung on GitHub (Apr 7, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/955

Subject of the issue

When logging in with DUO 2FA configured, login fails if the email entered is not all lowercase.

Your environment

  • Bitwarden_rs version: 1.14.1-843604c9
  • Install method: official docker image: bitwardenrs/server:latest
  • Clients used: Web (Chrome)
  • Reverse proxy and version: Traefik 1.7.21
  • Version of mysql/postgresql: n/a
  • Other relevant information:

Steps to reproduce

  1. start up a bitwarden_rs container
  2. create an account with the following email: Test@test.com
  3. log in, and set up 2FA via DUO normally
  4. log out
  5. log in with the following email (note the capital T): Test@test.com
  6. perform DUO 2FA
  7. observe that login FAILED
  8. go back to login screen, and log in with the following email (note the lowercase t): test@test.com
  9. perform DUO 2FA
  10. observe that login SUCCEEDS, and you are now in your vault

Expected behaviour

From what I understand, the email shouldn't be required to be all lowercase. Without DUO, we are able to log in using a mixed uppercase and lowercase email. But with DUO enabled, we are forced to use a lowercase email.

Actual behaviour

With DUO enabled, users cannot log in using mixed-case emails. Users are forced to enter a lowercase email, even though the user registered with a mixed-case email initially.

Relevant logs

AJAX call received HTTP 400 error:

POST /identity/connect/token response:
{"ErrorModel":{"Message":"Error validating duo authentication","Object":"error"},"Message":"","Object":"error","ValidationErrors":{"":["Error validating duo authentication"]},"error":"","error_description":""}

docker log output:

[2020-04-07 19:48:38][request][INFO] POST /api/accounts/prelogin
[2020-04-07 19:48:38][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2020-04-07 19:48:38][request][INFO] POST /identity/connect/token
[2020-04-07 19:48:38][error][ERROR] 2FA token not provided
[2020-04-07 19:48:38][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2020-04-07 19:48:51][request][INFO] POST /identity/connect/token
[2020-04-07 19:48:51][error][ERROR] Error validating duo authentication
[2020-04-07 19:48:51][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
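The reported failure and the case-insensitive username compare the reporter asks for, as an added example that is not Vaultwarden's or Duo's code: a Duo Web SDK v2-style signed-response check in Python using only the standard library for HMAC-SHA1 and base64. The integration/secret/application keys, the stored lowercase email test@test.com and the response itself are constructed for the demonstration.

```python
# Added example, not Vaultwarden's or Duo's code: a minimal Duo Web SDK v2-style
# response check showing why a case-sensitive username compare breaks mixed-case logins.
import base64, hashlib, hmac, time
from typing import Optional

AUTH_PREFIX, APP_PREFIX = "AUTH", "APP"  # v2 response cookie prefixes
# Constructed stand-ins for the Duo integration key, secret key and application key.
IKEY, SKEY, AKEY = "DIXXXXXXXXXXXXXXXXXX", "constructed-skey", "constructed-akey"

def _sign(key: str, prefix: str, user: str, expire_at: int) -> str:
    """Return 'PREFIX|base64(user|ikey|expire)|hmac-sha1', the v2 cookie layout."""
    cookie = f"{prefix}|" + base64.b64encode(f"{user}|{IKEY}|{expire_at}".encode()).decode()
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"

def _parse(key: str, prefix: str, val: str, now: int) -> Optional[str]:
    """Verify one signed part (HMAC, prefix, ikey, expiry) and return its username."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    expected = hmac.new(key.encode(), f"{u_prefix}|{u_b64}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig) or u_prefix != prefix:
        return None
    user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
    if u_ikey != IKEY or now >= int(exp):
        return None
    return user

def duo_username(sig_response: str, now: Optional[int] = None) -> Optional[str]:
    """Validate 'AUTH...:APP...' and return the username both halves agree on."""
    now = int(time.time()) if now is None else now
    auth_part, _, app_part = sig_response.partition(":")
    auth_user = _parse(SKEY, AUTH_PREFIX, auth_part, now)
    app_user = _parse(AKEY, APP_PREFIX, app_part, now)
    return auth_user if auth_user is not None and auth_user == app_user else None

def login_ok(entered_email: str, sig_response: str, normalize: bool, now: Optional[int] = None) -> bool:
    """The check from the report: Duo's username must match the login email.
    normalize=False reproduces the bug; normalize=True is the case-insensitive fix."""
    user = duo_username(sig_response, now)
    if user is None:
        return False
    return user.lower() == entered_email.lower() if normalize else user == entered_email

def make_response(user: str, now: int) -> str:
    """Constructed stand-in for the sig_response Duo posts back after a successful prompt."""
    return _sign(SKEY, AUTH_PREFIX, user, now + 300) + ":" + _sign(AKEY, APP_PREFIX, user, now + 3600)
```

Only the final username comparison differs between the buggy and fixed paths; the signature, integration-key and expiry checks stay strict, and relaxing case there is appropriate because the application already accepts the login email case-insensitively, as the report notes for logins without DUO.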
kerem closed this issue 2026-03-03 02:02:07 +03:00
@defung commented on GitHub (Apr 8, 2020):

I don't know Rust too well, but I suspect this needs some equalsIgnoreCase type of thing here:

https://github.com/dani-garcia/bitwarden_rs/blob/master/src/api/core/two_factor/duo.rs#L286

@jjlin commented on GitHub (Apr 8, 2020):

Yeah, I already tested a fix.

@defung commented on GitHub (Apr 8, 2020):

Thanks for the quick fix, @jjlin and @dani-garcia! When can we expect the new docker image to be released?

@dani-garcia commented on GitHub (Apr 8, 2020):

The :latest tag should finish building in an hour or two, and a new numbered release on the weekend probably.
