Login session expired with account switching #2295

Closed
cksapp opened this issue Feb 11, 2022 · 4 comments · Fixed by #2354
Labels
bug Something isn't working enhancement New feature or request future Vault Issue specific to Vault that wasn't released yet

Comments

@cksapp
Copy link

cksapp commented Feb 11, 2022

Low priority issue, noticed a slight issue with the newest release of the Bitwarden Desktop app 1.31.0

When trying to use the new Account Switching feature, you are able to login to one account with Vaultwarden as normal.
[screenshot: 2022-02-10_19h45_57]

After login to another account with the same VW server, the first initial account logged in will time out.
[screenshot: 2022-02-10_19h47_57]

Latest release of the desktop app reinstalled, and Vaultwarden server upgraded to latest 1.24.0

@BlackDex
Copy link
Collaborator

Confirmed. It looks like it is trying to access the token, [INFO] (login) POST /identity/connect/token, but not allowed.

@cksapp
Copy link
Author

cksapp commented Feb 11, 2022

Thanks for the info, pretty interesting to know.
I will note it seems this is even less of a priority issue, as upstream had several major issues with this release and has rolled back to 1.30 as latest. Who's to say what changes may be made; my guess is not much would be changed, but best not to even worry about it until this is fully patched and a new public release is available.

@BlackDex
Copy link
Collaborator

I dug a little bit into this. And it looks like we currently only have a uniqueness on the device-id.
This in turn means that we overwrite this when a new user logs in, which effectively deletes their refresh token.
To change this we need to change the whole code regarding the device table to match on both device-id and user-id on all fronts.

This will take some time and needs some good testing. But it is on the list now :).
Thanks for the report.
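The root cause described in the comment above (a devices table unique on the device id alone, so a second account's login from the same client replaces the first account's row and with it its refresh token) can be reproduced in miniature. The following is an added illustration, not Vaultwarden's own code or schema: it uses an in-memory SQLite database with constructed column names and sample data, models the server's "write the device row on login" step as an `INSERT OR REPLACE`, and runs the same two logins against the uuid-only key and against the composite `(uuid, user_uuid)` key that the fix introduces. It also shows why the key change alone is not enough and every lookup has to match on both columns.

```python
"""Added example (not Vaultwarden code): device table keyed on uuid only versus
a composite (uuid, user_uuid) key, exercised with two accounts logging in from
the same client. Column names, token values and the upsert model are assumptions."""
import sqlite3

# Schema as described in the issue: uniqueness on the device id alone.
SCHEMA_DEVICE_ONLY = """
CREATE TABLE devices (
    uuid          TEXT NOT NULL PRIMARY KEY,
    user_uuid     TEXT NOT NULL,
    name          TEXT NOT NULL,
    refresh_token TEXT NOT NULL
);
"""

# Schema after the fix: a device row is unique per (device, user) pair.
SCHEMA_COMPOSITE = """
CREATE TABLE devices (
    uuid          TEXT NOT NULL,
    user_uuid     TEXT NOT NULL,
    name          TEXT NOT NULL,
    refresh_token TEXT NOT NULL,
    PRIMARY KEY (uuid, user_uuid)
);
"""


def login(conn, device_uuid, user_uuid, refresh_token):
    """Model of the server recording a password login: write the device row,
    replacing whatever row conflicts with the table's key. INSERT OR REPLACE
    is the 'overwrite on conflict' behaviour the issue describes (assumption)."""
    conn.execute(
        "INSERT OR REPLACE INTO devices (uuid, user_uuid, name, refresh_token) "
        "VALUES (?, ?, ?, ?)",
        (device_uuid, user_uuid, "desktop", refresh_token),
    )


def user_for_refresh_token(conn, refresh_token):
    """Model of the refresh_token grant on POST /identity/connect/token: the
    client presents its refresh token and the server must find the device row
    that holds it. Returns the owning user_uuid, or None (session expired)."""
    row = conn.execute(
        "SELECT user_uuid FROM devices WHERE refresh_token = ?", (refresh_token,)
    ).fetchone()
    return row[0] if row else None


def rows_for_device(conn, device_uuid):
    """How many rows a uuid-only lookup matches. Under the composite key this is
    more than one when several accounts share a client, which is why every
    query in the fixed code has to filter on user_uuid as well."""
    return conn.execute(
        "SELECT COUNT(*) FROM devices WHERE uuid = ?", (device_uuid,)
    ).fetchone()[0]


def simulate(schema):
    """Two accounts log in from one client (one device uuid), then the first
    account tries to refresh. Returns what each step observes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    device = "device-1111"  # constructed: one desktop install, one device id
    login(conn, device, "user-alice", "rt-alice")
    login(conn, device, "user-bob", "rt-bob")  # account switch to second user
    result = {
        "alice_refresh": user_for_refresh_token(conn, "rt-alice"),
        "bob_refresh": user_for_refresh_token(conn, "rt-bob"),
        "rows_for_device": rows_for_device(conn, device),
    }
    conn.close()
    return result


if __name__ == "__main__":
    print("uuid-only key :", simulate(SCHEMA_DEVICE_ONLY))
    print("composite key :", simulate(SCHEMA_COMPOSITE))
```

With the uuid-only key, bob's login replaces alice's row, so alice's refresh token no longer exists and her refresh grant fails, which is the "session expired" the reporter sees. With the composite key both rows survive and both refresh tokens resolve, but a lookup by device uuid alone now returns two rows, so the server-side queries must carry the user id too.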

@BlackDex BlackDex added bug Something isn't working enhancement New feature or request future Vault Issue specific to Vault that wasn't released yet labels Feb 24, 2022
@BlackDex BlackDex mentioned this issue Feb 28, 2022
@BlackDex
Copy link
Collaborator

BlackDex commented Mar 3, 2022

Small update, I think I have a working patch. I just need some time to do some final checking :)

BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Mar 3, 2022
- Updated jsonwebtoken to latest version
- Trim `username` received from the login form ( Fixes dani-garcia#2348 )
- Make uuid and user_uuid a combined primary key for the devices table ( Fixes dani-garcia#2295 )
BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Mar 10, 2022
- Updated jsonwebtoken to latest version
- Trim `username` received from the login form ( Fixes dani-garcia#2348 )
- Make uuid and user_uuid a combined primary key for the devices table ( Fixes dani-garcia#2295 )
- Updated crates including regex which contains a CVE ( https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html )
BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Mar 12, 2022
- Updated jsonwebtoken to latest version
- Trim `username` received from the login form ( Fixes dani-garcia#2348 )
- Make uuid and user_uuid a combined primary key for the devices table ( Fixes dani-garcia#2295 )
- Updated crates including regex which contains a CVE ( https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html )