[GH-ISSUE #1164] Changing KDF iterations breaks logged in clients #821

New issue

Closed

opened 2026-03-03 02:03:34 +03:00 by kerem · 2 comments

kerem commented

2026-03-03 02:03:34 +03:00

Owner

Originally created by @julian-klode on GitHub (Sep 29, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1164

Subject of the issue

Changing number KDF iterations breaks logged in clients. They should be logged out instead.

Your environment

Bitwarden_rs version: 1.16.3
Install method: Built from source
Clients used: latest Android from play store and Desktop from snap store
Reverse proxy and version: Nginx from focal

Steps to reproduce

Change KDF size, then sync client or wait for corruption to appear automatically.

Expected behaviour

Seeing what bitwarden.com does: Connected clients are logged out.

Actual behaviour

Connected clients fail to read the database

Relevant logs

Not much interesting going on. I triggered a sync on mobile manually, as it apparently did not get a push.

Sep 29 23:50:58 magenta bitwarden_rs[902666]: [2020-09-29 23:50:58.093][request][INFO] POST /api/accounts/kdf
Sep 29 23:50:58 magenta bitwarden_rs[902666]: [2020-09-29 23:50:58.181][response][INFO] POST /api/accounts/kdf (post_kdf) => 200 OK
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.393][request][INFO] GET /api/accounts/revision-date
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.393][response][INFO] GET /api/accounts/revision-date (revision_date) => 200 OK
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.445][request][INFO] GET /api/sync
Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.459][response][INFO] GET /api/sync?<data..> (sync) => 200 OK

Originally created by @julian-klode on GitHub (Sep 29, 2020). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1164 ### Subject of the issue Changing number KDF iterations breaks logged in clients. They should be logged out instead. ### Your environment * Bitwarden_rs version: 1.16.3 * Install method: Built from source * Clients used: latest Android from play store and Desktop from snap store * Reverse proxy and version: Nginx from focal ### Steps to reproduce Change KDF size, then sync client or wait for corruption to appear automatically. ### Expected behaviour Seeing what bitwarden.com does: Connected clients are logged out. ### Actual behaviour Connected clients fail to read the database ### Relevant logs Not much interesting going on. I triggered a sync on mobile manually, as it apparently did not get a push. ``` Sep 29 23:50:58 magenta bitwarden_rs[902666]: [2020-09-29 23:50:58.093][request][INFO] POST /api/accounts/kdf Sep 29 23:50:58 magenta bitwarden_rs[902666]: [2020-09-29 23:50:58.181][response][INFO] POST /api/accounts/kdf (post_kdf) => 200 OK Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.393][request][INFO] GET /api/accounts/revision-date Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.393][response][INFO] GET /api/accounts/revision-date (revision_date) => 200 OK Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.445][request][INFO] GET /api/sync Sep 29 23:51:07 magenta bitwarden_rs[902666]: [2020-09-29 23:51:07.459][response][INFO] GET /api/sync?<data..> (sync) => 200 OK ```

kerem closed this issue

2026-03-03 02:03:34 +03:00

kerem commented

2026-03-03 02:03:35 +03:00

Author

Owner

@BlackDex commented on GitHub (Sep 29, 2020):

Hmm, we have to deauthorize all the user sessions in this case it seems. Thanks for reporting.

Please note that we do not support push messages so that is not possible on our side.

@BlackDex commented on GitHub (Sep 29, 2020): Hmm, we have to deauthorize all the user sessions in this case it seems. Thanks for reporting. Please note that we do not support push messages so that is not possible on our side.

kerem commented

2026-03-03 02:03:35 +03:00

Author

Owner

@dani-garcia commented on GitHub (Oct 3, 2020):

This should be fixed by github.com/dani-garcia/bitwarden_rs@448e6ac917, which invalidates users sessions when they change email, pass or kdf params.

@dani-garcia commented on GitHub (Oct 3, 2020): This should be fixed by https://github.com/dani-garcia/bitwarden_rs/commit/448e6ac917e6bf34f7a5af175714eef9058b6021, which invalidates users sessions when they change email, pass or kdf params.