mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-17 17:32:27 -05:00
Unable to add "FIDO2 WebAuthn" for Two-step login #1978
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Doraemonsan on GitHub (Jul 28, 2024).
Subject of the issue
When trying to add "FIDO2 WebAuthn" as a Two-step login method using the browser, it can be read but not saved. When attempting to save, an error message appears: “An error has occurred. An unexpected error has occurred.” Checking the browser console reveals the following information:

Deployment environment
Your environment (Generated via diagnostics page)
Config (Generated via diagnostics page)
Show Running Config
Environment settings which are overridden:
Steps to reproduce
After clicking the "Manage" button for "FIDO2 WebAuthn" under the "Two-Step Login" section in the "Security" tab, then clicking the "Read Key" button and following the prompts to use the browser extension and mobile device to add a Passkey, when the page prompts "Use the 'Save' button below to activate this security key for two-step login," clicking the "Save" button results in an error.
Expected behaviour
Clicking the "Save" button correctly adds "FIDO2 WebAuthn" as a two-step login verification method.
Actual behaviour
After clicking the "Save" button, both the browser and the backend encountered an error and could not add "FIDO2 WebAuthn" as a two-step login method.
Troubleshooting data
vaultwarden.log:
[2024-07-28 13:40:42.663][request][INFO] POST /password/api/two-factor/get-webauthn-challenge
[2024-07-28 13:40:42.926][response][INFO] (generate_webauthn_challenge) POST /password/api/two-factor/get-webauthn-challenge => 200 OK
[2024-07-28 13:40:42.945][request][INFO] GET /password/api/accounts/revision-date
[2024-07-28 13:40:42.947][response][INFO] (revision_date) GET /password/api/accounts/revision-date => 200 OK
[2024-07-28 13:40:42.953][request][INFO] POST /password/identity/connect/token
[2024-07-28 13:40:42.960][response][INFO] (login) POST /password/identity/connect/token => 200 OK
[2024-07-28 13:40:42.971][request][INFO] GET /password/api/sync
[2024-07-28 13:40:43.028][response][INFO] (sync) GET /password/api/sync?<data..> => 200 OK
[2024-07-28 13:40:53.170][request][INFO] PUT /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870
[2024-07-28 13:40:53.192][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details
[2024-07-28 13:40:53.194][response][INFO] (get_cipher_details) GET /password/api/ciphers//details => 200 OK
[2024-07-28 13:40:53.200][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details
[2024-07-28 13:40:53.201][response][INFO] (get_cipher_details) GET /password/api/ciphers//details => 200 OK
[2024-07-28 13:40:53.210][request][INFO] GET /password/api/ciphers/2eec9805-76f8-4d35-9253-8f0cde561870/details
[2024-07-28 13:40:53.211][response][INFO] (get_cipher_details) GET /password/api/ciphers//details => 200 OK
[2024-07-28 13:40:53.562][response][INFO] (put_cipher) PUT /password/api/ciphers/ => 200 OK
[2024-07-28 13:40:54.939][request][INFO] PUT /password/api/two-factor/webauthn
[2024-07-28 13:40:54.941][vaultwarden::api::core::two_factor::webauthn::_][WARN] Data guard
Json < EnableWebauthnData >failed: Parse("{"masterPasswordHash":"xxx=","deviceResponse":{"id":"xxx-xxx","rawId":"xxx==","type":"public-key","extensions":{},"response":{"AttestationObject":"xxx+xxx+xxx+xxx==","clientDataJson":"xxx=="}},"id":1,"name":null}", Error("invalid type: null, expected a string", line: 1, column: 707)).[2024-07-28 13:40:54.943][response][INFO] (activate_webauthn_put) PUT /password/api/two-factor/webauthn => 422 Unprocessable Entity
Reverse Proxy Configuration:
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:8001;
keepalive 2;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
server {
listen 80;
listen [::]:80;
listen [::]:8192 ssl;
http2 on;
server_name name.domain.com;
}
@BlackDex commented on GitHub (Jul 28, 2024):
First, i would rotate your password as you seem to have posted that from the logs. I redacted it just now, and it was a hashed version but still.
Second you do not have internet it looks like. Vaultwarden isn't able to go online, which is needed to check and verify the token.
Further, i tested the Fido tokens just a few days ago, and the work as it should.
I think if you fix your internet then it will be solved.