mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-17 17:32:27 -05:00
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/dani-garcia/vaultwarden/pull/7080
Author: @pmhnam
Created: 4/10/2026
Status: ❌ Closed
Base:
main← Head:fix/refresh-token-invalid-grant-7060📝 Commits (1)
f2e57ebReturn invalid_grant on expired refresh token (#7060)📊 Changes
1 file changed (+15 additions, -2 deletions)
View changed files
📝
src/api/identity.rs(+15 -2)📄 Description
Summary
Fixes #7060
When a client's
refresh_tokenexpires, the server returns a response that Bitwarden clients don't recognize as a session expiration, causing them to silently fail instead of prompting the user to re-authenticate.Root Cause
Bitwarden clients detect expired sessions by checking the token refresh response for:
400 Bad Request"error": "invalid_grant"(Reference: api.service.ts#L1799-L1810)
However, Vaultwarden was returning
401 Unauthorizedwith a standard error body where"error"is an empty string — none of the client's checks matched, so the client never triggered re-authentication.Changes
src/api/identity.rs—_refresh_login():Changed the error response for failed refresh token exchanges to return an OAuth2-compliant
invalid_granterror:401 Unauthorized400 Bad Requesterrorfield""(empty)"invalid_grant"error_description""(empty)This follows the same pattern already used for 2FA errors in the codebase (see
_json_err_twofactor), and aligns with RFC 6749 §5.2 which specifiesinvalid_grantfor expired/revoked tokens.Testing
invalid_grant, triggerssessionExpiredlogout callback, and prompts user to re-authenticate🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.