Unable to login from web, desktop-app & browser-plugin: OTP expected but never quested #1294

New Issue

MrUnknownDE · 2026-04-06T01:43:04+02:00

MrUnknownDE commented

2026-04-06 01:43:04 +02:00

Originally created by @RastaTaz on 12/29/2023

Subject of the issue

It is impossible to login using web ui, linux app or browser extention using Brave.
Used account has 2FA enabled and also login with device but nor of those method works, resulting in 2FA errors in VW logs.

Deployment environment

vaultwarden version: 1.30.1

Install method: Docker image
Clients used: Web, Linux desktop app v2023.12.1, Brave (chrome clone) browser extension v2023.12.1
Reverse proxy and version: Traefik 2.10.7 + Nginx 1.25.3
MySQL/MariaDB or PostgreSQL version: Ver 15.1 Distrib 10.11.6-MariaDB
Other relevant details:
- As related in #4024, I updated docker compose file to remove WS rules in traefik router in order to use only rocket (port 80) and also commented the WEBSOCKET_ENABLE=true environment variable in compose as container logs showed it still poped-up a WS server on port 3012.
- Allready logged in clients have no problem with sync or receiving device login notifications (either using th old WS conf on port 3012 or the rocket integrated WS on port 80)

Steps to reproduce

As I'm just locking out from vault and not login off I can't really tell since when this issue occurs, as already connected clients keep on behaving normally...
I usually update my middleware (NginX, Traefik, MariaDB) and VW docker image as soon as there're updates available.

When using device login: I have error poping only in the desktop app but not in web ui nor browser pluging (they just stay in rest status), but logs showing VW expects an additional OTP token but is was never requested by clients
When using password/OTP: I have error after submitting password, token is also never requested by clients but logs show it is expected...

Expected behaviour

Sucessful login.

Actual behaviour

Troubleshooting data

Logs from container for 2FA (master password + OTP) login failure:

[2023-12-29 11:25:34.434][start][INFO] Rocket has launched from http://0.0.0.0:80
[2023-12-29 11:26:43.031][request][INFO] POST /identity/accounts/prelogin
[2023-12-29 11:26:43.032][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-12-29 11:26:44.200][request][INFO] POST /identity/connect/token
[2023-12-29 11:26:44.297][error][ERROR] 2FA token not provided
[2023-12-29 11:26:44.297][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
(...)
[2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe-
[2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060
[2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK
[2023-12-29 11:30:34.442][vaultwarden::api::core::two_factor][INFO] User XXXXXXXXX did not complete a 2FA login within the configured time limit. IP: 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060

Logs from container for device login failure:

[2023-12-29 11:30:29.182][request][INFO] GET /api/devices/knowndevice
[2023-12-29 11:30:29.184][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-12-29 11:30:31.669][request][INFO] POST /api/auth-requests/
[2023-12-29 11:30:31.673][response][INFO] (post_auth_request) POST /api/auth-requests => 200 OK
[2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe-
[2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060
[2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK
[2023-12-29 11:30:37.447][request][INFO] GET /api/auth-requests/
[2023-12-29 11:30:37.448][response][INFO] (get_auth_requests) GET /api/auth-requests => 200 OK
[2023-12-29 11:30:40.165][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66
[2023-12-29 11:30:40.167][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK
[2023-12-29 11:30:41.706][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66
[2023-12-29 11:30:41.707][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK
[2023-12-29 11:30:41.863][request][INFO] PUT /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66
[2023-12-29 11:30:41.867][response][INFO] (put_auth_request) PUT /api/auth-requests/<uuid> => 200 OK
[2023-12-29 11:30:41.873][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66/response?code=3hVRdvESL7SajRT5iqevLW3Kv
[2023-12-29 11:30:41.874][response][INFO] (get_auth_request_response) GET /api/auth-requests/<uuid>/response?<code> => 200 OK
[2023-12-29 11:30:41.884][request][INFO] POST /identity/connect/token
[2023-12-29 11:30:41.888][error][ERROR] 2FA token not provided
[2023-12-29 11:30:41.888][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2023-12-29 11:30:41.911][vaultwarden::api::notifications][INFO] Closing WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060
[2023-12-29 11:30:41.911][rocket::server][ERROR] Upgraded websocket I/O handler failed: WebSocket protocol error: Sending after closing is not allowed

*Originally created by @RastaTaz on 12/29/2023*   ### Subject of the issue  It is impossible to login using web ui, linux app or browser extention using Brave. Used account has 2FA enabled and also login with device but nor of those method works, resulting in 2FA errors in VW logs. ### Deployment environment     * vaultwarden version: 1.30.1  * Install method: Docker image * Clients used: Web, Linux desktop app v2023.12.1, Brave (chrome clone) browser extension v2023.12.1  * Reverse proxy and version: Traefik 2.10.7 + Nginx 1.25.3  * MySQL/MariaDB or PostgreSQL version: Ver 15.1 Distrib 10.11.6-MariaDB * Other relevant details: - As related in #4024, I updated docker compose file to remove WS rules in traefik router in order to use only rocket (port 80) and also commented the `WEBSOCKET_ENABLE=true` environment variable in compose as container logs showed it still poped-up a WS server on port 3012. - Allready logged in clients have no problem with sync or receiving device login notifications (either using th old WS conf on port 3012 or the rocket integrated WS on port 80) ### Steps to reproduce  As I'm just locking out from vault and not login off I can't really tell since when this issue occurs, as already connected clients keep on behaving normally... I usually update my middleware (NginX, Traefik, MariaDB) and VW docker image as soon as there're updates available. - When using device login: I have error poping only in the desktop app but not in web ui nor browser pluging (they just stay in rest status), but logs showing VW expects an additional OTP token but is was never requested by clients - When using password/OTP: I have error after submitting password, token is also never requested by clients but logs show it is expected... ### Expected behaviour  Sucessful login. ### Actual behaviour  ### Troubleshooting data  Logs from container for 2FA (master password + OTP) login failure: ``` [2023-12-29 11:25:34.434][start][INFO] Rocket has launched from http://0.0.0.0:80 [2023-12-29 11:26:43.031][request][INFO] POST /identity/accounts/prelogin [2023-12-29 11:26:43.032][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2023-12-29 11:26:44.200][request][INFO] POST /identity/connect/token [2023-12-29 11:26:44.297][error][ERROR] 2FA token not provided [2023-12-29 11:26:44.297][response][INFO] (login) POST /identity/connect/token => 400 Bad Request (...) [2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe- [2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 [2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK [2023-12-29 11:30:34.442][vaultwarden::api::core::two_factor][INFO] User XXXXXXXXX did not complete a 2FA login within the configured time limit. IP: 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 ``` Logs from container for device login failure: ``` [2023-12-29 11:30:29.182][request][INFO] GET /api/devices/knowndevice [2023-12-29 11:30:29.184][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2023-12-29 11:30:31.669][request][INFO] POST /api/auth-requests/ [2023-12-29 11:30:31.673][response][INFO] (post_auth_request) POST /api/auth-requests => 200 OK [2023-12-29 11:30:31.685][request][INFO] GET /notifications/anonymous-hub?Token=aff18889-5e9a-4fb2-9cbe- [2023-12-29 11:30:31.685][vaultwarden::api::notifications][INFO] Accepting Anonymous Rocket WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 [2023-12-29 11:30:31.685][response][INFO] (anonymous_websockets_hub) GET /notifications/anonymous-hub?<token..> => 200 OK [2023-12-29 11:30:37.447][request][INFO] GET /api/auth-requests/ [2023-12-29 11:30:37.448][response][INFO] (get_auth_requests) GET /api/auth-requests => 200 OK [2023-12-29 11:30:40.165][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66 [2023-12-29 11:30:40.167][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK [2023-12-29 11:30:41.706][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66 [2023-12-29 11:30:41.707][response][INFO] (get_auth_request) GET /api/auth-requests/<uuid> => 200 OK [2023-12-29 11:30:41.863][request][INFO] PUT /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66 [2023-12-29 11:30:41.867][response][INFO] (put_auth_request) PUT /api/auth-requests/<uuid> => 200 OK [2023-12-29 11:30:41.873][request][INFO] GET /api/auth-requests/aff18889-5e9a-4fb2-9cbe-7a60bbf31b66/response?code=3hVRdvESL7SajRT5iqevLW3Kv [2023-12-29 11:30:41.874][response][INFO] (get_auth_request_response) GET /api/auth-requests/<uuid>/response?<code> => 200 OK [2023-12-29 11:30:41.884][request][INFO] POST /identity/connect/token [2023-12-29 11:30:41.888][error][ERROR] 2FA token not provided [2023-12-29 11:30:41.888][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2023-12-29 11:30:41.911][vaultwarden::api::notifications][INFO] Closing WS connection from 2a01:e0a:XXX:XXX:XXX:63a8:ddda:1060 [2023-12-29 11:30:41.911][rocket::server][ERROR] Upgraded websocket I/O handler failed: WebSocket protocol error: Sending after closing is not allowed ```

MrUnknownDE closed this issue

2026-04-06 01:43:04 +02:00

Sign in to join this conversation.

No Label

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1294