mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-16 17:02:14 -05:00
[GH-ISSUE #7212] send-email-login rejects bw CLI requests with 422 (deviceIdentifier required but unused in email+password branch) #30137
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @hoobio on GitHub (May 13, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7212
Prerequisites
Vaultwarden Support String
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Config:
Vaultwarden Build Version
v1.36.0
Deployment method
Official Container Image
Custom deployment method
n/a
Reverse Proxy
nginx (in front of Cloudflare Tunnel) + OWASP ModSecurity CRS sidecar in detection mode. Verified the WAF is not the cause: the 422 is generated by vaultwarden's data guard before the handler runs.
Host/Server Operating System
Linux
Operating System Version
Debian GNU/Linux 13 (trixie), kernel 6.17.13, x86_64.
Clients
Client Version
Bitwarden CLI v2026.4.1 (Web-Vault 2026.4.1)
Steps To Reproduce
bw login <email> --passwordenv BW_MP --method 1(no--code) against vaultwarden, withBW_MPset to the master password.POST /identity/connect/tokenreturns 400 with2FA token not provided, as expected).POST /api/two-factor/send-email-loginto trigger the code email.Expected Result
vaultwarden sends the email code. The CLI then prompts for the token.
Actual Result
vaultwarden returns 422. No code email is ever sent. Roughly three minutes later the user receives the standard incomplete-2FA security warning email instead.
Logs
Screenshots or Videos
n/a
Additional Context
Root cause
SendEmailLoginDatadeclaresdevice_identifier: DeviceId(mandatory):But
device_identifieris only used in the SSO/auth-request branch:The upstream Bitwarden CLI's
TwoFactorEmailRequestdeclares the field butlogin.command.tsnever sets it before callingpostTwoFactorEmail, so it serialises to nothing. The official server tolerates the omission, so the failure only shows up on vaultwarden.Suggested fix
Make
device_identifier: Option<DeviceId>and require it only in the SSO branch:That matches what the email+master-password-hash flow already does (which never touches
device_identifier) and keeps the SSO flow honest.Impact
Any client that uses the upstream Bitwarden CLI to log in with email 2FA against vaultwarden is affected. Caught while building a Command Palette extension that wraps
bw login. Happy to test a fix.@BlackDex commented on GitHub (May 13, 2026):
Please provide the support string as requested. All environment details which should be private are masked or omitted. That is the whole reason we ask for it and created it like that.
@hoobio commented on GitHub (May 13, 2026):
@BlackDex Support string added to the issue body, sorry for the omission
@hoobio commented on GitHub (May 13, 2026):
Happy to put up a PR if you'd like. Wanted to confirm the suggested shape lands well first:
device_identifier: Option<DeviceId>, validated only in the SSO / auth-request branch (the email + master-password-hash branch never reads it today). Any other call sites in this handler that rely on it being mandatory I should mirror?@BlackDex commented on GitHub (May 13, 2026):
I doubt it is only validated during the SSO flow, AI Has it wrong, because if that was the case, web-vault and other clients like desktop, browser extensions would have had this issue too, which is not the case.
@hoobio commented on GitHub (May 13, 2026):
@BlackDex The GUI clients DO send
deviceIdentifier, it's just the CLI that doesn't (and iis probably a genuine upstream bug).e.g. Captured both bodies for the same
POST /api/two-factor/send-email-loginflow on the same (vaultwarden) account:[bw CLI 2026.4.1]
{"email":"...","masterPasswordHash":"..."}[Web vault]
{"email":"...","masterPasswordHash":"...","ssoEmail2FaSessionToken":"","deviceIdentifier":"99ce32d5-...","authRequestAccessCode":"","authRequestId":""}Confirmed against vault.bitwarden.com too: identical CLI body, the official server accepts it and the code email arrives.
Whereas vaultwarden rejects the same request with 422.
I'll log an issue in the official bitwarden/clients repo for this gap.
Open question on your end: there's still a behavioural delta where Bitwarden Server tolerates the missing field and vaultwarden rejects it. If you'd like to keep that strict (push the fix to the CLI side and let stale callers feel the 422 until they update), totally fair, and honestly the correct path (surprised official bitwarden doesn't validate it). Your call.
@BlackDex commented on GitHub (May 13, 2026):
I think this can be changed to an
Option<>, my guess would be that this wasn't tested by @stefan0xC when fixing the SSO issue.@stefan0xC commented on GitHub (May 14, 2026):
Indeed. I was assuming that all clients send a device identifier for this endpoint when I undid #6473 for SSO again with #6495. Before the SSO PR the
device_identiferwas commented out as unused, so I think it makes sense to make it optional. (Though this will still fail for SSO users if this call neither provides a device id nor an email address...)@stefan0xC commented on GitHub (May 15, 2026):
I've looked a bit into it (with
mitmproxy) and the device identifier is only sent as request headerDevice-Identifier. This is probably sent by all clients (so we could probably rewrite the way we get the device identifier) but given that the actual problem is that theemailandmaster_password_hashfields are empty when usingSSOI still think this is a bug in the client (or maybe a design flaw with the SSO login strategy?).The other question is whether it would be fine to make this less strict since upstream does not seem to require either? I am wondering if the Bitwarden server does anything different so that an email can be sent or if it actually fails as well? Since SSO is an enterprise feature and they don't recommend enabling two factor for SSO I am not sure if someone has run into this. As far as I've looked they are seemingly fine with the CLI not working with some 2FA providers or if you are not using a master password at all, cf. https://github.com/bitwarden/clients/issues/18992 so maybe SSO with master password and email as 2FA just does not work?