mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-17 09:22:30 -05:00
[GH-ISSUE #3776] WebSocket notifications require access_token query parameter
#18439
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @AChep on GitHub (Aug 14, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/3776
Originally assigned to: @BlackDex on GitHub.
Subject of the issue
Looking at the updated WebSocket notifications implementation, we explicitly check for the
access_tokenparameter here:3dbfc484a5/src/api/notifications.rs (L86)While this is correct most of the time, the token can actually be passed with Authorization Bearer token!
ts:
721cd72b62/src/SignalR/clients/ts/signalr/src/WebSocketTransport.ts (L55)java:
721cd72b62/src/SignalR/clients/java/signalr/core/src/main/java/com/microsoft/signalr/WebSocketTransport.java (L48)Expected behaviour
Access token is derived from either query params or bearer header.
Actual behaviour
Access token is derived from only query params.
@AChep commented on GitHub (Aug 14, 2023):
This issue currently prevents my Bitwarden client Keyguard from connecting to the server, as SignalR Java implementation always passes access token via headers.
@BlackDex commented on GitHub (Aug 14, 2023):
Looks like Bitwarden it self checks both indeed.
We would need to add a check if the access_token isn't there, then check the
Authorizationheader.Thanks for reporting.
@BlackDex commented on GitHub (Aug 27, 2023):
Well, i fixed the auth-check, but sync doesn't work, as it seems to not understand the response we send.
The app tells me the sync failed.
Probably something in the json data, but i'm not sure what it could be right now.
@AChep commented on GitHub (Aug 27, 2023):
Hmm, that is interesting. Do you test with a personal vault or is there any chance I could grab that data to test it on my end?
What is the sync error that it shows?
@BlackDex commented on GitHub (Aug 27, 2023):
It's just a vault using Vaultwarden. Nothing more or less.
I have not yet tried with a personal only account, not linked to org's.
The current one i used was one linked to several org's.
I first thought it had to do with the casing of the json response, but that wasn't an issue either.
There is no specific message shown in the app, maybe there is some debug setting?
Also, did not checked
adb logcat.@AChep commented on GitHub (Aug 27, 2023):
Any chance you could grab a logcat? I think it might contain the original exception. Or I could send you a dev build tomorrow that has more logs in it, if that's fine for you. Thanks! 🙏
The sync exception is definitely due to the app not being able to parse the sync response, not because of the sockets. So there's something unusual in your vault that I didn't account for.
@BlackDex commented on GitHub (Aug 27, 2023):
Looks like some value we send as
null, or maybe not at all which breaks it.These are cryptic messages for me, but hopefully it helps you :).
@AChep commented on GitHub (Aug 28, 2023):
@BlackDex this is indeed due to app failing to parse the JSON from the server. Could you please check this build? https://drive.google.com/file/d/1AqSTu22Ut4oZgHNOr7ChtpHEPG0uxi7o/view?usp=sharing The log should be right after "Sanitized response json:" line.
@BlackDex commented on GitHub (Aug 28, 2023):
That made it clear.
The problem is the following, i seem to have 2 SecureNote entries which do not have a
typedefined.It should look like this:
But for those two items it looks like:
Because, that is how it is stored in the database, else it would have returned
nullinstead if there was nothing.The strange thing is, we do not change anything on that specific field, we just store it as it is received (except maybe for removing a key called
Response). It might be that some older versions of Bitwarden didn't created those entries, or it had something to do with import.Edit:
btw, you should be able to replicate this your self by just editing the database look for a
type2cipher, and update thedatacolumn with just{}.Edit2:
I quickly tested it btw by fixing those entries, and it sync just nice.
@AChep commented on GitHub (Aug 28, 2023):
Thanks for debugging it! I was able to fix it on my end.
@Laibalion commented on GitHub (Aug 28, 2023):
Is this the same issue as what I'm seeing? In my Vaultwarden container logs I'm seeing
Needless to mention I guess that the push notifications aren't working.
PUSH_ENABLED, PUSH_INSTALLATION_KEY and PUSH_INSTALLATION_ID are being set via my container's Environement variables.
@BlackDex commented on GitHub (Aug 28, 2023):
@Laibalion , no that has nothing to do with this issue.
There are other issues/discussion regarding this.
There are two items which probably is the issue in your case.
For all other discussions i would suggest too look here: https://github.com/dani-garcia/vaultwarden/discussions/2469
@Laibalion commented on GitHub (Aug 28, 2023):
Oh, my bad. Was indeed using EU key/id :|
Thanks for the info.