Moving logins from local folder to Organization collection forces logout #1159

New Issue

MrUnknownDE · 2026-04-06T01:41:21+02:00

MrUnknownDE commented

2026-04-06 01:41:21 +02:00

Originally created by @TheGorf on 4/15/2024

Subject of the issue

After importing data from LastPass, I began reorganizing the logins. I have a small group of logins that I try to move, as a group using the multi-select check box, from my local vault and folder into an Organization collection. I select the Organization and the collection, then click "save" and I am immediately logged out of Vaultwarden. After logging back in, the items have not been moved. In the logfile at the end here, you will see there is a 400 Bad Request logged, but that appears to be all I can gather at the moment without further guidance.

Deployment environment

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.30.5
Web-vault version: v2024.1.2b
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Environment settings overridden: true
Uses a reverse proxy: true
IP Header check: true (X-Forwarded-For)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: false
HTTPS Check: false
Database type: MySQL
Database version: 10.5.23-MariaDB
Clients used:
Reverse proxy and version:
Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://***************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://*****************",
  "domain_origin": "****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 750000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*****************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

vaultwarden version: 1.30.5

Install method: Docker image, separate MariaDB SQL server.
Clients used:
In this case, I am logged into the vault via Firefox on Linux OS.
Reverse proxy and version:
MySQL/MariaDB or PostgreSQL version:
10.5
Other relevant details:
Hosted on EC2, behind AWS ALB with WAF. However, note that the HTTP 400 is coming from the VW server. WAF blocking a request would come directly from the AWS service.

Steps to reproduce

This is the hard part. It appears to only happen for a very specific set of logins. There appears to be some sort of condition for values in the login that is causing this. Other logins can be moved just fine.

Expected behaviour

The logins should be moved to the Org and collection,

Actual behaviour

Client is forced logged out.

Troubleshooting data

Attempts to catch this via debug logs is not really producing any thing. I'm trying to reconfigure my loadbalancer to catch the actual raw request. If I get logs I can share them sanitized. I adjusted my LOG_LEVEL to debug but when the even happens, this is the only log that is caught:

[2024-04-15 22:49:59.761][start][INFO] Rocket has launched from http://0.0.0.0:80
[2024-04-15 22:50:19.800][request][INFO] GET /
[2024-04-15 22:50:19.801][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:28.480][request][INFO] GET /
[2024-04-15 22:50:28.480][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:49.809][request][INFO] GET /
[2024-04-15 22:50:49.809][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:58.505][request][INFO] GET /
[2024-04-15 22:50:58.505][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:50:59.727][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2024-04-15 22:50:59.727][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
[2024-04-15 22:50:59.792][request][INFO] GET /alive
[2024-04-15 22:50:59.797][response][INFO] (alive) GET /alive => 200 OK
[2024-04-15 22:51:19.835][request][INFO] GET /
[2024-04-15 22:51:19.836][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:28.536][request][INFO] GET /
[2024-04-15 22:51:28.536][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:30.599][request][INFO] GET /api/devices/knowndevice
[2024-04-15 22:51:30.602][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-04-15 22:51:33.833][request][INFO] POST /identity/accounts/prelogin
[2024-04-15 22:51:33.835][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2024-04-15 22:51:34.374][request][INFO] POST /identity/connect/token
[2024-04-15 22:51:34.791][vaultwarden::api::identity][INFO] User [MY_EMAIL_LOGIN] logged in successfully. IP: 50.210.46.13
[2024-04-15 22:51:34.796][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-04-15 22:51:34.866][request][INFO] GET /api/config
[2024-04-15 22:51:34.867][response][INFO] (config) GET /api/config => 200 OK
[2024-04-15 22:51:34.961][request][INFO] POST /identity/connect/token
[2024-04-15 22:51:34.967][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-04-15 22:51:35.029][request][INFO] GET /api/sync?excludeDomains=true
[2024-04-15 22:51:35.053][request][INFO] GET /notifications/hub?access_token=[obfuscated_by_me]
[2024-04-15 22:51:35.054][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 50.210.46.13
[2024-04-15 22:51:35.055][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2024-04-15 22:51:35.106][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2024-04-15 22:51:35.516][request][INFO] GET /api/config
[2024-04-15 22:51:35.520][response][INFO] (config) GET /api/config => 200 OK
[2024-04-15 22:51:49.864][request][INFO] GET /
[2024-04-15 22:51:49.864][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:57.828][request][INFO] GET /api/config
[2024-04-15 22:51:57.828][response][INFO] (config) GET /api/config => 200 OK
[2024-04-15 22:51:57.895][tungstenite::protocol][DEBUG] Received close frame: None
[2024-04-15 22:51:57.896][tungstenite::protocol][DEBUG] Replying to close with Frame { header: FrameHeader { is_final: true, rsv1: false, rsv2: false, rsv3: false, opcode: Control(Close), mask: None }, payload: [] }
[2024-04-15 22:51:57.896][vaultwarden::api::notifications][INFO] Closing WS connection from 50.210.46.13
[2024-04-15 22:51:58.566][request][INFO] GET /
[2024-04-15 22:51:58.566][response][INFO] (web_index) GET / => 200 OK
[2024-04-15 22:51:59.729][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2024-04-15 22:51:59.729][vaultwarden::api::core::accounts][DEBUG] Purging auth requests
[2024-04-15 22:51:59.882][request][INFO] GET /alive
[2024-04-15 22:51:59.883][response][INFO] (alive) GET /alive => 200 OK
[2024-04-15 22:52:10.827][request][INFO] POST /identity/connect/token
[2024-04-15 22:52:10.829][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-04-15 22:52:11.833][request][INFO] GET /notifications/hub?access_token=[obfuscated_by_me]
[2024-04-15 22:52:11.833][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 50.210.46.13
[2024-04-15 22:52:11.833][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2024-04-15 22:52:11.897][request][INFO] GET /api/accounts/revision-date
[2024-04-15 22:52:11.900][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
[2024-04-15 22:52:19.894][request][INFO] GET /
[2024-04-15 22:52:19.895][response][INFO] (web_index) GET / => 200 OK

*Originally created by @TheGorf on 4/15/2024* ### Subject of the issue After importing data from LastPass, I began reorganizing the logins. I have a small group of logins that I try to move, as a group using the multi-select check box, from my local vault and folder into an Organization collection. I select the Organization and the collection, then click "save" and I am immediately logged out of Vaultwarden. After logging back in, the items have not been moved. In the logfile at the end here, you will see there is a 400 Bad Request logged, but that appears to be all I can gather at the moment without further guidance. ### Deployment environment ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.30.5 * Web-vault version: v2024.1.2b * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Environment settings overridden: true * Uses a reverse proxy: true * IP Header check: true (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: false * HTTPS Check: false * Database type: MySQL * Database version: 10.5.23-MariaDB * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ADMIN_TOKEN ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://***************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "****://*****************", "domain_origin": "****://*****************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Forwarded-For", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "debug", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 750000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*****************", "smtp_from_name": "Vaultwarden", "smtp_host": "*********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "*****************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 30, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": false, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details>    * vaultwarden version: 1.30.5  * Install method: Docker image, separate MariaDB SQL server. * Clients used:  In this case, I am logged into the vault via Firefox on Linux OS. * Reverse proxy and version:  * MySQL/MariaDB or PostgreSQL version:  10.5 * Other relevant details: Hosted on EC2, behind AWS ALB with WAF. However, note that the HTTP 400 is coming from the VW server. WAF blocking a request would come directly from the AWS service. ### Steps to reproduce  This is the hard part. It appears to only happen for a very specific set of logins. There appears to be some sort of condition for values in the login that is causing this. Other logins can be moved just fine. ### Expected behaviour The logins should be moved to the Org and collection, ### Actual behaviour Client is forced logged out. ### Troubleshooting data Attempts to catch this via debug logs is not really producing any thing. I'm trying to reconfigure my loadbalancer to catch the actual raw request. If I get logs I can share them sanitized. I adjusted my LOG_LEVEL to debug but when the even happens, this is the only log that is caught: ``` [2024-04-15 22:49:59.761][start][INFO] Rocket has launched from http://0.0.0.0:80 [2024-04-15 22:50:19.800][request][INFO] GET / [2024-04-15 22:50:19.801][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:50:28.480][request][INFO] GET / [2024-04-15 22:50:28.480][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:50:49.809][request][INFO] GET / [2024-04-15 22:50:49.809][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:50:58.505][request][INFO] GET / [2024-04-15 22:50:58.505][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:50:59.727][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins [2024-04-15 22:50:59.727][vaultwarden::api::core::accounts][DEBUG] Purging auth requests [2024-04-15 22:50:59.792][request][INFO] GET /alive [2024-04-15 22:50:59.797][response][INFO] (alive) GET /alive => 200 OK [2024-04-15 22:51:19.835][request][INFO] GET / [2024-04-15 22:51:19.836][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:51:28.536][request][INFO] GET / [2024-04-15 22:51:28.536][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:51:30.599][request][INFO] GET /api/devices/knowndevice [2024-04-15 22:51:30.602][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2024-04-15 22:51:33.833][request][INFO] POST /identity/accounts/prelogin [2024-04-15 22:51:33.835][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2024-04-15 22:51:34.374][request][INFO] POST /identity/connect/token [2024-04-15 22:51:34.791][vaultwarden::api::identity][INFO] User [MY_EMAIL_LOGIN] logged in successfully. IP: 50.210.46.13 [2024-04-15 22:51:34.796][response][INFO] (login) POST /identity/connect/token => 200 OK [2024-04-15 22:51:34.866][request][INFO] GET /api/config [2024-04-15 22:51:34.867][response][INFO] (config) GET /api/config => 200 OK [2024-04-15 22:51:34.961][request][INFO] POST /identity/connect/token [2024-04-15 22:51:34.967][response][INFO] (login) POST /identity/connect/token => 200 OK [2024-04-15 22:51:35.029][request][INFO] GET /api/sync?excludeDomains=true [2024-04-15 22:51:35.053][request][INFO] GET /notifications/hub?access_token=[obfuscated_by_me] [2024-04-15 22:51:35.054][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 50.210.46.13 [2024-04-15 22:51:35.055][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2024-04-15 22:51:35.106][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2024-04-15 22:51:35.516][request][INFO] GET /api/config [2024-04-15 22:51:35.520][response][INFO] (config) GET /api/config => 200 OK [2024-04-15 22:51:49.864][request][INFO] GET / [2024-04-15 22:51:49.864][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:51:57.828][request][INFO] GET /api/config [2024-04-15 22:51:57.828][response][INFO] (config) GET /api/config => 200 OK [2024-04-15 22:51:57.895][tungstenite::protocol][DEBUG] Received close frame: None [2024-04-15 22:51:57.896][tungstenite::protocol][DEBUG] Replying to close with Frame { header: FrameHeader { is_final: true, rsv1: false, rsv2: false, rsv3: false, opcode: Control(Close), mask: None }, payload: [] } [2024-04-15 22:51:57.896][vaultwarden::api::notifications][INFO] Closing WS connection from 50.210.46.13 [2024-04-15 22:51:58.566][request][INFO] GET / [2024-04-15 22:51:58.566][response][INFO] (web_index) GET / => 200 OK [2024-04-15 22:51:59.729][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins [2024-04-15 22:51:59.729][vaultwarden::api::core::accounts][DEBUG] Purging auth requests [2024-04-15 22:51:59.882][request][INFO] GET /alive [2024-04-15 22:51:59.883][response][INFO] (alive) GET /alive => 200 OK [2024-04-15 22:52:10.827][request][INFO] POST /identity/connect/token [2024-04-15 22:52:10.829][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2024-04-15 22:52:11.833][request][INFO] GET /notifications/hub?access_token=[obfuscated_by_me] [2024-04-15 22:52:11.833][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 50.210.46.13 [2024-04-15 22:52:11.833][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [2024-04-15 22:52:11.897][request][INFO] GET /api/accounts/revision-date [2024-04-15 22:52:11.900][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK [2024-04-15 22:52:19.894][request][INFO] GET / [2024-04-15 22:52:19.895][response][INFO] (web_index) GET / => 200 OK ```

MrUnknownDE closed this issue

2026-04-06 01:41:21 +02:00

MrUnknownDE referenced this issue

2026-04-06 04:08:36 +02:00

Fixed foreign-key (mariadb) errors. #2794

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1159