can't login using any bitwarden app

[Phizicks]

Using the github pull at of this post, I can get it working but when using FF bitwarden plugin or bitwarden app, or anything not the vaultwarden browser, I can't login.

vaultwarden logs shows the login attempt but fails to login.

[2022-10-30 08:21:35.837][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: a,b,c,d. Username: [email protected].

[stefan0xC]

Can you add the support string from the diagnostic page in the admin panel? Which client OS/Firefox/Bitwarden App/Extension versions are you using?

Since this is a login issue, you should also make sure that you are using the correct login details. And you might also want to check in the admin panel if the user exists.

[pabianj]

I am having he same issue. Tried Firefox and Chrome, the Bitwarden App, the Firefox extension, on both MacOS and Windows11, and via the the URL of my vault.

Access via the admin token works, and my user does exist. I was able to disable 2FA on my user account via the admin panel and still am unable to log in. Credentials were correct.

Seems like others are having the issue as well:
#2829

I am running via Docker. I can docker exec -it vaultwarden /bin/bash and see the sqlite dbs in the volume. I've deleted the container (kept the volumes) and restarted.

`### Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.26.0
• Web-vault version: v2022.10.0
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Time Check: false
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.35.4
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)`

Downgrading the container image to 1.25.2 did not resolve the issue.

[2022-10-31 16:55:51.796][request][INFO] POST /api/accounts/prelogin
[2022-10-31 16:55:51.807][response][INFO] (prelogin) POST /api/accounts/prelogin => 200 OK
[2022-10-31 16:55:51.847][request][INFO] POST /identity/connect/token
[2022-10-31 16:55:51.980][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX . Username: [email protected].
[2022-10-31 16:55:51.981][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

EDIT: Additional info. I tried again by bypassing the proxy and still had the same issue.

[oliverl-21]

Could it be some kind of header which is removed by some reverse Proxies. All people which I read are facing this issue seem to use some kind of Reverse Proxy.

I'm using traefik behind a ha-Proxy running on an opnsense and experienced the same. But after adding a middleware in traefik which allows a couple of headers it seemed to work again. I also noted that after adding the middleware the site shows a custom 404 which I never noted before.

I will update the traefik config later

[BlackDex]

I see that the time check has failed. Check your time settings, that probably causes the issue because the token isn't valid i think.

[oliverl-21]

In my case time was correct. Client and server use the same ntp source.

[BlackDex]

A bad request could also mean a cut off transaction. So in short, instead of all bites transferred, it didn't sent everything which causes the json to be invalid. Some waf/security features could cause these issues die example

[oliverl-21]

i know the error on my end. I had a middleware defined on the service which listens for status codes. While logging in the attempt generates a 400 and the 2fa is triggered as seen in the screenshot.

[Phizicks]

I doubt it's a reverse proxy issue. Used them for 30 years.
I can tcpdump and see the payload sent with vaultwarden throwing the error

I don't know what kind of hashing they have used before sending on the password (if anyone knows), I can verify it on cli to see if it matches

scope=api%20offline_access&client_id=desktop&deviceType=6&deviceIdentifier=50443542-050d-4468-b2e0-0ec46b06cb5e&deviceName=windows&grant_type=password&username=user%40domain.com&password=hlyqrDvQfhp****3GM4o%3D9

error is response

{"ErrorModel":{"Message":"Username or password is incorrect. Try again","Object":"error"},"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null,"Message":"Username or password is incorrect. Try again","Object":"error","ValidationErrors":{"":["Username or password is incorrect. Try again"]},"error":"","error_description":""}

[BlackDex]

I doubt it's a reverse proxy issue. Used them for 30 years. I can tcpdump and see the payload sent with vaultwarden throwing the error

In in those 30 years you never updated the reverse proxy? And if you did, that never added new features or whatever?
To be honest, i have had my fair share of issues with updated software because they added new default enabled features, or even fixed previously broken default values. Again, if the reverse proxy catches error's and returns there own that will cause issues with the Bitwarden clients.

I don't know what kind of hashing they have used before sending on the password (if anyone knows), I can verify it on cli to see if it matches

The password sent is a hash from pbkdf2 generated by the client which is then verified by the server.
A nice simple overview on how this is generated can be viewed here in this python library i think: https://github.com/corpusops/bitwardentools/blob/main/src/bitwardentools/crypto.py#L115-L130

Even though, all works fine for me, and many others on the latest version. Either there is something strange going on with the database, or the actual password is really not valid in a combination with the username.

[BlackDex]

Also, some reverse proxies catch error codes and return a customized one. This also interrupts the working of the clients.

[pabianj]

I made an edit to my original comment but just so it has more visibility, I took the proxy (in my case, Nginx) out of the equation and tried logging in directly to the http://ip:port of my container and still couldn't log in with the same info in the logs.

I also created a new user via the admin console and am able to log in with the new user, but that doesn't help me much since all my data i locked away with the original account.

I should also add that while I did have 2FA enabled on my original account, I was never prompted for the code.

[pabianj]

Both of those ran and didn't report any errors:

root@07e85ff7cd97:/data# sqlite3 db.sqlite3 "PRAGMA integrity_check;" ok root@07e85ff7cd97:/data# sqlite3 db.sqlite3 "PRAGMA foreign_key_check;" root@07e85ff7cd97:/data# sqlite3 db.sqlite3 "PRAGMA foreign_key_check;" ; echo $? 0 root@07e85ff7cd97:/data#

I will double check my password again. Thank you for the suggestions regarding sqlite.

[pabianj]

Okay, another piece of information. I am able to log in with the iOS Bitwarden App with Face ID. However, when I try to export my vault, I get an error "Invalid Master Password." Just to make doubly sure I wasn't typing in correctly, I copy & pasted the password directly out of iOS and am still unable to log in.

[BlackDex]

Ok, i just tried something. But before you continue, first create a backup of the database.
I used https://sqlitebrowser.org/dl/ to edit the database.

What i did to try and mimic this:

1. Modified the BLOB of my user in the users table for the columns password_hash and salt by changing one hex value, applied and written the database to disk.
2. Checked if i was able to login, which i wasn't because my password now is invalid.
3. Configured Vaultwarden to use a different database, which triggered it to create a new database.
4. Invited my self using the exact same email address.
5. Created an account with the password i know was correct for that user.
6. Opened the newly created database and copied the hex values of both password_hash and salt, and copied those over to replace the contents in the actual database.
   Make sure the Mode is set to Binary and the hex values are 1:1 copied from the new database and also check if the text part on the right looks the same on both, just to be sure.
7. Apply and write those changes to the database with all the passwords.
8. re-configure Vaultwarden again to use the correct database
9. Try to login again.

This should at least work to let you login. It will not work if you actually used a different password, since the original password is still needed to decrypt the vault data. But, if that is correct, then you should at least be able to login and decrypt everything again. Unless, something is also wrong with the users key/private-key, then you are either out of luck, or you need to check if you are able to restore that specific row from an older backup (which btw is also an option instead of following the steps above ;) ).

[pabianj]

Amazing. I will try this later this afternoon in between meetings. Thank you.

[pabianj]

That... worked! Thank you! I did steps 3 - 8 a little differently. I just spun up another container using a different volume and had them running side by side, then shut down both instances, moved the db to the right location and I'm able to get back in.

FWIW I used backup files for everything and did a "dry run" on the backup files first. Thanks for the help.