Fix duplicate AuthRequestResponse notification on approving device #65

Closed
opened 2026-04-05 20:29:28 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @xjohnyknox on 3/13/2026

Summary

When approving a login-with-device request, nt.send_auth_response() broadcasts an AuthRequestResponse (type 16) through the authenticated WebSocket hub to all user devices — including the approving device itself. This causes a duplicate auth request notification on Android.

Root cause

In put_auth_request, two notification calls are made after approval:

```rust
ant.send_auth_response(...) // anonymous hub → correct, reaches only Device A
nt.send_auth_response(...)  // authenticated hub + push relay → broadcasts to ALL devices
```

The authenticated WebSocket hub (self.send_update(user_id, &data)) sends to every connected device of the user, including Device B (the approving device), which should not receive AuthRequestResponse at all.

How the official Bitwarden server handles this

Per the official server code (HubHelpers.cs), AuthRequestResponse (type 16) is sent only through _anonymousHubContext to Group(AuthRequest.Id). It is not sent through the authenticated _hubContext. This is the key difference from AuthRequest (type 15), which uses _hubContext.Clients.User().

Fix

Remove the authenticated WebSocket broadcast from send_auth_response(), keeping only the push relay call as a fallback for devices not connected via WebSocket. The anonymous hub (ant.send_auth_response) already handles WebSocket delivery to the requesting device.

Test plan

  • On Device A (browser), choose "Log in with device"
  • On Device B (Android), approve the login request
  • Verify Device B does not show a duplicate notification after approving
  • Verify Device A still receives the approval and completes login

Fixes #6788
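
The routing difference described in this issue, as an added example in Rust that is not vaultwarden's or Bitwarden's own code. It models the two hubs as in-memory maps (the anonymous hub grouped by auth request id, the authenticated hub keyed by user id), runs the "log in with device" flow once with the old double send and once with the fixed single send, and reports what each device received. Device, user and request ids are constructed for the example; the push relay fallback mentioned in the fix is out of scope and not modelled.

```rust
use std::collections::HashMap;

/// Notification types involved in "log in with device"; the numeric values
/// are the ones the issue quotes for the Bitwarden wire format.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum NotifType {
    AuthRequest = 15,
    AuthRequestResponse = 16,
}

impl NotifType {
    fn wire_type(self) -> u8 {
        self as u8
    }
}

/// One message as a device would receive it over its WebSocket.
#[derive(Clone, Debug, PartialEq, Eq)]
struct Notification {
    kind: NotifType,
    auth_request_id: String,
}

/// Toy stand-in for the two hubs (hypothetical structure, not vaultwarden's).
/// `anonymous`: auth_request_id -> devices waiting on that request (not yet logged in).
/// `authenticated`: user_id -> every logged-in device of that user.
/// `inbox`: device id -> notifications delivered to it.
#[derive(Default)]
struct Hubs {
    anonymous: HashMap<String, Vec<String>>,
    authenticated: HashMap<String, Vec<String>>,
    inbox: HashMap<String, Vec<Notification>>,
}

impl Hubs {
    fn deliver(&mut self, device: &str, n: Notification) {
        self.inbox.entry(device.to_string()).or_default().push(n);
    }

    /// Authenticated hub: fan out to all of the user's connected devices.
    fn send_update(&mut self, user_id: &str, n: &Notification) {
        let devices = self.authenticated.get(user_id).cloned().unwrap_or_default();
        for d in devices {
            self.deliver(&d, n.clone());
        }
    }

    /// Anonymous hub: only the group registered for this auth request id.
    fn send_anonymous(&mut self, auth_request_id: &str, n: &Notification) {
        let devices = self.anonymous.get(auth_request_id).cloned().unwrap_or_default();
        for d in devices {
            self.deliver(&d, n.clone());
        }
    }

    fn received(&self, device: &str) -> Vec<Notification> {
        self.inbox.get(device).cloned().unwrap_or_default()
    }
}

/// Step 1: the browser's request is pushed to the user's authenticated devices
/// (type 15), so one of them can approve it. This part is the same before and after.
fn request_login(hubs: &mut Hubs, user_id: &str, auth_request_id: &str) {
    let n = Notification { kind: NotifType::AuthRequest, auth_request_id: auth_request_id.into() };
    hubs.send_update(user_id, &n);
}

/// Before the fix: the response (type 16) goes out on both hubs, so the
/// approving device gets it back through the authenticated hub.
fn approve_buggy(hubs: &mut Hubs, user_id: &str, auth_request_id: &str) {
    let n = Notification { kind: NotifType::AuthRequestResponse, auth_request_id: auth_request_id.into() };
    hubs.send_anonymous(auth_request_id, &n);
    hubs.send_update(user_id, &n); // reaches every device of the user, including the approver
}

/// After the fix: the response travels only on the anonymous hub, reaching
/// just the device that opened the auth request.
fn approve_fixed(hubs: &mut Hubs, auth_request_id: &str) {
    let n = Notification { kind: NotifType::AuthRequestResponse, auth_request_id: auth_request_id.into() };
    hubs.send_anonymous(auth_request_id, &n);
}

/// Constructed scenario: device-a (browser) opened request req-1; device-b
/// (Android) and device-c are user-1's logged-in devices; device-b approves.
fn scenario(fixed: bool) -> Hubs {
    let mut hubs = Hubs::default();
    hubs.anonymous.insert("req-1".into(), vec!["device-a".into()]);
    hubs.authenticated.insert("user-1".into(), vec!["device-b".into(), "device-c".into()]);
    request_login(&mut hubs, "user-1", "req-1");
    if fixed {
        approve_fixed(&mut hubs, "req-1");
    } else {
        approve_buggy(&mut hubs, "user-1", "req-1");
    }
    hubs
}

/// How many notifications of `kind` a device received.
fn count(hubs: &Hubs, device: &str, kind: NotifType) -> usize {
    hubs.received(device).iter().filter(|n| n.kind == kind).count()
}

fn main() {
    for (label, hubs) in [("before", scenario(false)), ("after", scenario(true))] {
        for dev in ["device-a", "device-b", "device-c"] {
            let kinds: Vec<u8> = hubs.received(dev).iter().map(|n| n.kind.wire_type()).collect();
            println!("{label}: {dev} received types {kinds:?}");
        }
    }
}
```

With the old routing, device-b and device-c each receive a type 16 as well as the type 15 they need; with the fixed routing only device-a receives the type 16, and the approving device sees nothing further, which is the behaviour the test plan checks for.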


Reference: github/vaultwarden#65