[PR #6629] [MERGED] Try old refresh token if we fail to decode jwt #7456

Closed
opened 2026-03-07 21:17:53 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6629
Author: @dani-garcia
Created: 12/29/2025
Status: Merged
Merged: 12/29/2025
Merged by: @dani-garcia

Base: main ← Head: try-old-refresh-token


📝 Commits (1)

  • dcb4491 (https://github.com/dani-garcia/vaultwarden/commit/dcb44910b51c794855b84267656a8cef30ec467e) Try old refresh token if we fail to decode jwt

📊 Changes

1 file changed (+14 additions, -2 deletions)


📝 src/auth.rs (+14 -2)

📄 Description

The mobile apps don't seem to handle an error during the usage of refresh_token very well, so this code adds a backwards compatibility path to process the access token the old school way when it fails to decode as a JWT.

To test that this worked, what I've done is:

  • Set up an instance of 1.34.3, log in to a web vault, lock it but don't close it.
  • With dev tools open (and with preserve log enabled) try to unlock, which will make a successful /connect/token call with the refresh token.
  • Update to 1.35.0.
  • With dev tools open (and with preserve log enabled) try to unlock; this will return a 401, which will redirect you back to the login screen.

With this patch, the connect call will succeed and return a new JWT refresh token.

Should fix https://github.com/dani-garcia/vaultwarden/issues/6610


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
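The compatibility path the description refers to, written out as an added Python example that is not vaultwarden's code (the project is Rust and the actual change to src/auth.rs is not shown on this page). It assumes an HS256-signed refresh JWT, a hypothetical LEGACY_DEVICE_TOKENS table standing in for the pre-JWT device token store, and a constructed signing key; the refresh handler tries the JWT first and only falls back to the opaque-token lookup when the value does not decode as a JWT.

```python
"""Refresh-token exchange with a legacy (non-JWT) fallback. Constructed example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example; the real secret and device store are different.
JWT_SECRET = b"constructed-example-signing-key"
REFRESH_TTL_SECONDS = 30 * 24 * 3600

# Hypothetical stand-in for the pre-JWT device table: opaque token -> identity.
LEGACY_DEVICE_TOKENS = {
    "legacy-opaque-token-0001": {"user": "alice", "device": "phone-1"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(JWT_SECRET, signing_input, hashlib.sha256).digest()


def issue_refresh_jwt(user: str, device: str, now: Optional[float] = None) -> str:
    """Mint an HS256 refresh token carrying the user/device and an expiry."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "device": device, "typ": "refresh",
              "iat": int(now), "exp": int(now) + REFRESH_TTL_SECONDS}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url_encode(_sign(signing_input.encode()))


def decode_refresh_jwt(token: str, now: Optional[float] = None) -> dict:
    """Check structure, signature, token type and expiry; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    signing_input = f"{parts[0]}.{parts[1]}"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError("malformed JWT segments") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("JWT segments are not JSON objects")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(sig, _sign(signing_input.encode())):
        raise ValueError("bad signature")
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def refresh_session(refresh_token: str, now: Optional[float] = None) -> dict:
    """Exchange a refresh token for a new one; accept a pre-JWT opaque token as fallback.

    The fallback runs only when the value does not decode as a valid JWT, and the
    opaque value must still match a stored device record; anything else is rejected.
    """
    try:
        claims = decode_refresh_jwt(refresh_token, now)
        user, device, path = claims["sub"], claims["device"], "jwt"
    except ValueError:
        record = LEGACY_DEVICE_TOKENS.get(refresh_token)
        if record is None:
            raise PermissionError("invalid refresh token")
        user, device, path = record["user"], record["device"], "legacy"
    # Either path hands back a JWT, so the client's next refresh takes the normal path.
    return {"user": user, "device": device, "path": path,
            "refresh_token": issue_refresh_jwt(user, device, now)}


def accepts(refresh_token: str, now: Optional[float] = None) -> bool:
    """True if the token would be exchanged, False if it is rejected on both paths."""
    try:
        refresh_session(refresh_token, now)
        return True
    except PermissionError:
        return False
```

Two design points are worth keeping when porting this idea: a decode failure only widens the search to the stored legacy tokens, it never loosens what a legacy token must match, so a tampered or expired JWT is rejected rather than quietly accepted; and both paths return a freshly signed JWT, which is what lets clients that are still holding an old-format token migrate on their next /connect/token call, matching the behaviour the description tests for.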

GiteaMirror added the pull-request label 2026-03-07 21:17:53 -06:00

Reference: github-starred/vaultwarden#7456