[PR #6935] [CLOSED] Fix duplicate AuthRequestResponse notification on approving device #8761

Closed
opened 2026-04-16 12:36:54 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6935
Author: @xjohnyknox
Created: 3/13/2026
Status: Closed

Base: main ← Head: fix/auth-response-duplicate-notification


📝 Commits (1)

  • ae53286 Fix duplicate AuthRequestResponse notification on approving device

📊 Changes

1 file changed (+5 additions, -9 deletions)


📝 src/api/notifications.rs (+5 -9)

📄 Description

Summary

When approving a login-with-device request, nt.send_auth_response() broadcasts an AuthRequestResponse (type 16) through the authenticated WebSocket hub to all user devices — including the approving device itself. This causes a duplicate auth request notification on Android.

Root cause

In put_auth_request, two notification calls are made after approval:

ant.send_auth_response(...) // anonymous hub → correct, reaches only Device A
nt.send_auth_response(...)  // authenticated hub + push relay → broadcasts to ALL devices

The authenticated WebSocket hub (self.send_update(user_id, &data)) sends to every connected device of the user, including Device B (the approving device), which should not receive AuthRequestResponse at all.

How the official Bitwarden server handles this

Per the official server code (HubHelpers.cs), AuthRequestResponse (type 16) is sent only through _anonymousHubContext to Group(AuthRequest.Id). It is not sent through the authenticated _hubContext. This is the key difference from AuthRequest (type 15), which uses _hubContext.Clients.User().

Fix

Remove the authenticated WebSocket broadcast from send_auth_response(), keeping only the push relay call as a fallback for devices not connected via WebSocket. The anonymous hub (ant.send_auth_response) already handles WebSocket delivery to the requesting device.

Test plan

  • On Device A (browser), choose "Log in with device"
  • On Device B (Android), approve the login request
  • Verify Device B does not show a duplicate notification after approving
  • Verify Device A still receives the approval and completes login

Fixes #6788


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
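The routing difference described in the PR, as an added example that is not vaultwarden's code or part of the original description: a simplified model of the two hubs showing which connections receive the type 16 update with and without the authenticated broadcast. The struct, function, device and id names are hypothetical, and the push relay path is left out of the model.

```rust
use std::collections::HashMap;

// Simplified model, not vaultwarden's implementation; all names are hypothetical.
const AUTH_REQUEST_RESPONSE: u8 = 16; // update type named in the PR description

#[derive(Default)]
struct Hubs {
    // Authenticated hub: user id -> every connected, logged-in device.
    user_devices: HashMap<String, Vec<String>>,
    // Anonymous hub: auth request id -> the one connection waiting on that request.
    anon_groups: HashMap<String, String>,
}

impl Hubs {
    /// Returns (recipient, update type) pairs for an approved auth request.
    /// `broadcast_to_user = true` models the behaviour before the change.
    fn deliver_auth_response(&self, user: &str, request_id: &str, broadcast_to_user: bool) -> Vec<(String, u8)> {
        let mut out = Vec::new();
        // Anonymous hub: scoped to the auth request id, so only the requester sees it.
        if let Some(conn) = self.anon_groups.get(request_id) {
            out.push((conn.clone(), AUTH_REQUEST_RESPONSE));
        }
        // Authenticated hub: scoped to the user id, so the approving device is included.
        if broadcast_to_user {
            for dev in self.user_devices.get(user).into_iter().flatten() {
                out.push((dev.clone(), AUTH_REQUEST_RESPONSE));
            }
        }
        out
    }
}

// Constructed sample state: Device A is not logged in yet, Device B is.
fn sample_hubs() -> Hubs {
    let mut h = Hubs::default();
    h.user_devices.insert("user-1".into(), vec!["device-b-android".into()]);
    h.anon_groups.insert("req-42".into(), "device-a-browser".into());
    h
}

fn recipients(broadcast_to_user: bool) -> Vec<String> {
    let sent = sample_hubs().deliver_auth_response("user-1", "req-42", broadcast_to_user);
    sent.into_iter().map(|(who, _)| who).collect()
}

fn main() {
    println!("with authenticated broadcast:    {:?}", recipients(true));
    println!("without authenticated broadcast: {:?}", recipients(false));
}
```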

GiteaMirror added the pull-request label 2026-04-16 12:36:54 -05:00
Reference: github-starred/vaultwarden#8761