starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 01:35:54 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #1544] Issue: WebSocket Token in URI #999

New issue
Closed
opened 2026-03-03 02:05:24 +03:00 by kerem · 2 comments
kerem commented 2026-03-03 02:05:24 +03:00
Owner
Copy link

Originally created by @Berndinox on GitHub (Mar 26, 2021).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1544

Subject of the issue

I dont want my Token to be sent via URI
After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called:
wss://domain.com/notifications/hub?access_token=JWT_TOKEN

That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark)

An Attacker can use that token to get access to the account.
YES, the passwords are still client side encrypted so there is no "super-danger".

However, in my optionion a password-manager should not send long living Token via URI.

See also: https://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param
"This method is included to document current use; its use is not recommended, due to its security deficiencies (see Section 5) and also because it uses a reserved query parameter name, which is counter to URI namespace best practices, per "Architecture of the World Wide Web, Volume One" [W3C.REC‑webarch‑20041215]."

Temporary Token with short lifetime could fix that issue.

EDIT:
What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false"

WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403

403 is just because i have not rule for /notification/hub to Websocket Port

Originally created by @Berndinox on GitHub (Mar 26, 2021). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1544 ### Subject of the issue I dont want my Token to be sent via URI After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called: wss://domain.com/notifications/hub?access_token=JWT_TOKEN That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark) An Attacker can use that token to get access to the account. **YES, the passwords are still client side encrypted so there is no "super-danger".** However, in my optionion a password-manager should not send long living Token via URI. See also: https://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param "This method is included to document current use; its use is not recommended, due to its security deficiencies (see Section 5) and also because it uses a reserved query parameter name, which is counter to URI namespace best practices, per "Architecture of the World Wide Web, Volume One" [W3C.REC‑webarch‑20041215]." Temporary Token with short lifetime could fix that issue. EDIT: What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false" WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403 _403 is just because i have not rule for /notification/hub to Websocket Port_
kerem 2026-03-03 02:05:24 +03:00
kerem commented 2026-03-03 02:05:25 +03:00
Author
Owner
Copy link

@jjlin commented on GitHub (Mar 27, 2021):

I dont want my Token to be sent via URI
After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called:
wss://domain.com/notifications/hub?access_token=JWT_TOKEN

That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark)

This is how upstream Bitwarden works currently, so there's nothing bitwarden_rs can do about it if it wants to remain compatible. I don't know if upstream would consider this to be a feature request, but you could try https://community.bitwarden.com/c/feature-requests/5 or https://github.com/bitwarden/server/issues.

What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false"

WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403

403 is just because i have not rule for /notification/hub to Websocket Port

This is expected. The web/browser/desktop clients always try to establish a WebSocket connection, regardless of whether the server has it enabled (I'm not sure the upstream server even allows you to disable WebSockets).

<!-- gh-comment-id:808813799 --> @jjlin commented on GitHub (Mar 27, 2021): > I dont want my Token to be sent via URI > After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called: > wss://domain.com/notifications/hub?access_token=JWT_TOKEN > > That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark) This is how upstream Bitwarden works currently, so there's nothing bitwarden_rs can do about it if it wants to remain compatible. I don't know if upstream would consider this to be a feature request, but you could try https://community.bitwarden.com/c/feature-requests/5 or https://github.com/bitwarden/server/issues. > What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false" > > WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403 > > _403 is just because i have not rule for /notification/hub to Websocket Port_ This is expected. The web/browser/desktop clients always try to establish a WebSocket connection, regardless of whether the server has it enabled (I'm not sure the upstream server even allows you to disable WebSockets).
kerem commented 2026-03-03 02:05:25 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Mar 27, 2021):

Upstream doesn't allow to disable it. Actually, the only reason we have that option i think is because there is no native integration with rocket right now.

<!-- gh-comment-id:808817240 --> @BlackDex commented on GitHub (Mar 27, 2021): Upstream doesn't allow to disable it. Actually, the only reason we have that option i think is because there is no native integration with rocket right now.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#999
No description provided.