Admin API rejects invalid tokens with 303 instead of 401 status code #2015

New Issue

MrUnknownDE · 2026-04-06T02:49:20+02:00

MrUnknownDE commented

2026-04-06 02:49:20 +02:00

Originally created by @linkvt on 8/27/2022

Hi,

first of all thanks for this nice project, I really appreciate it!

Subject of the issue

I was setting up fail2ban for my Vaultwarden instance and noticed, that on invalid tokens the Vaultwarden Admin API responds with a 303 HTTP status code instead of a 401 I usually see.

Deployment environment

I removed most of the fields as they are IMO irrelevant.

vaultwarden version: 1.25.2

Steps to reproduce

Try to log into the admin UI with an incorrect token.

Expected behaviour

HTTP response with 401 Unauthorized status code.

Actual behaviour

HTTP response with 303 See Other redirect status code.

Comment

Is this really intended from a behaviour perspective, see the implementation at
60ed5ff99d/src/api/admin.rs (L181)

If I understand the comment https://github.com/dani-garcia/vaultwarden/discussions/2448#discussioncomment-2666185 correctly it might be intended by you as the authors/contributors, but this is as far as I know not the correct behaviour for bad requests due to user issues (-> 4xx status code) due to failing authentication (narrowing to 401 Unauthorized).

While I understand the reasoning that a GET should follow the POST in this case, it does not make sense to me that a 303 is used.

Thanks for looking into this already!

Best, Vincent

P.S.: If you agree that this can be changed to a 401 I would be happy to open the PR myself.

*Originally created by @linkvt on 8/27/2022*   Hi, first of all thanks for this nice project, I really appreciate it! ### Subject of the issue I was setting up fail2ban for my Vaultwarden instance and noticed, that on invalid tokens the Vaultwarden Admin API responds with a 303 HTTP status code instead of a 401 I usually see.  ### Deployment environment I removed most of the fields as they are IMO irrelevant.     * vaultwarden version: 1.25.2  ### Steps to reproduce  Try to log into the admin UI with an incorrect token. ### Expected behaviour HTTP response with [401 Unauthorized](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401) status code.  ### Actual behaviour HTTP response with 303 See Other redirect status code.  ### Comment Is this really intended from a behaviour perspective, see the implementation at https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/src/api/admin.rs#L181 If I understand the comment https://github.com/dani-garcia/vaultwarden/discussions/2448#discussioncomment-2666185 correctly it might be intended by you as the authors/contributors, but this is as far as I know not the correct behaviour for bad requests due to user issues (-> 4xx status code) due to failing authentication (narrowing to 401 Unauthorized). While I understand the reasoning that a GET should follow the POST in this case, it does not make sense to me that a 303 is used. Thanks for looking into this already! Best, Vincent P.S.: If you agree that this can be changed to a 401 I would be happy to open the PR myself.

MrUnknownDE closed this issue

2026-04-06 02:49:20 +02:00

Sign in to join this conversation.

No Label enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#2015