New organisation results in "GET /api/plans => 401 Unauthorized" #1038

Closed
opened 2025-10-09 17:01:45 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @bhenstra on GitHub.

New organisation results in "GET /api/plans => 401 Unauthorized"

Running vaultwarden and vaultwarden-web on Arch Linux:

- Linux secure 5.19.13-arch1-1 #1 SMP PREEMPT_DYNAMIC Tue, 04 Oct 2022 14:36:58 +0000 x86_64 GNU/Linux
- community/vaultwarden 1.25.2-1 [installed]
-     Unofficial Bitwarden compatible server written in Rust
- community/vaultwarden-web 2022.9.0-1 [installed]
-     Bitwarden web vault with the patches to make it work with Vaultwarden

When I click the button "+ New organisation" the "New organisation" text is visible with an animated GIF / loading indicator.
In the log file there's the following error:

[2022-10-06 22:32:48.043][request][INFO] GET /api/plans/
[2022-10-06 22:32:48.043][auth][ERROR] Unauthorized Error: No access token provided
[2022-10-06 22:32:48.043][_][WARN] Request guard `Headers` failed: "No access token provided".
[2022-10-06 22:32:48.043][_][WARN] No 401 catcher registered. Using Rocket default.
[2022-10-06 22:32:48.043][response][INFO] (get_plans) GET /api/plans => 401 Unauthorized

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.25.2
  • Web-vault version: v2022.9.0
  • Running within Docker: false (Base: Unknown)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden: DOMAIN, SENDS_ALLOWED, ADMIN_TOKEN, INVITATION_ORG_NAME, IP_HEADER, LOG_TIMESTAMP_FORMAT, DISABLE_ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_AUTH_MECHANISM, SMTP_TIMEOUT, SMTP_ACCEPT_INVALID_CERTS

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/var/lib/vaultwarden/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "/var/lib/vaultwarden",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "/***/***/***********/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******.***.**",
  "domain_origin": "*****://******.***.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/var/lib/vaultwarden/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_org_name": "Censored - Company Name Removed",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/var/log/vaultwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/var/lib/vaultwarden/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "/var/lib/vaultwarden/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Plain",
  "smtp_debug": false,
  "smtp_explicit_tls": null,
  "smtp_from": "******@******.********.**",
  "smtp_from_name": "Censored - Company Name Removed",
  "smtp_host": "******.********.**",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******@******.********.**",
  "templates_folder": "/var/lib/vaultwarden/templates",
  "tmp_folder": "/var/lib/vaultwarden/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/usr/share/webapps/vaultwarden-web",
  "websocket_address": "127.0.0.1",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • vaultwarden version: v1.25.2
  • Install method: pacman

  • Clients used: web vault

  • Reverse proxy and version: Caddy v2.6.1

  • MySQL/MariaDB or PostgreSQL version: not applicable

  • Other relevant details: I did install Vaultwarden + Vaultwarden-Web and Caddy on Arch Linux before. I have two servers running like this. I am not sure why this error appears and I am hoping you can help. Please let me know if I have to provide more details. Thank you.
    [screenshot: vw-err]

Steps to reproduce

Click "+ New organisation"

Expected behaviour

Create a new organisation.

Actual behaviour

When I click the button "+ New organisation" the "New organisation" text is visible with an animated GIF / loading indicator.

Troubleshooting data

caddy config (note: real domain name has been removed)

file: /etc/caddy/conf.d/real.domain-name-replaced.com

(doRevProx) {
    # The negotiation endpoint is also proxied to Rocket
    reverse_proxy /notifications/hub/negotiate localhost:8000
    # Notifications redirected to the websockets server
    reverse_proxy /notifications/hub localhost:3012
    ### Credits: https://community.hetzner.com/tutorials/how-to-set-up-vaultwarden
    # Send all other traffic to the regular Vaultwarden endpoint
    reverse_proxy * localhost:8000 {
        header_up X-Real-IP {remote}
    }
    # Remove server response header
    header /* {
        -Server
    }
}

real.domain-name-replaced.com {
    # General settings
    encode gzip
    file_server

    # Security
    import /etc/caddy/caddy_security.conf

    ### Geo Filtering ################
    @geofilter {
        maxmind_geolocation {
            db_path "/var/lib/GeoIP/GeoLite2-Country.mmdb"
            allow_countries NL
        }
    }
    handle @geofilter {
        import doRevProx
    }

    ### White Listing ################
    @allowed {
        remote_ip forwarded 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10
    }
    handle @allowed {
        import doRevProx
    }
    respond "Access denied - 403" 403

    # Logging
    log {
        format transform "{common_log}"

        # access logs
        output file /var/log/caddy/real.domain-name-replaced.com/access.log {
            roll_size 100MiB
            roll_keep 90
            roll_keep_for 2160h
            level INFO
        }

        # error logs
        output file /var/log/caddy/real.domain-name-replaced.com/errors.log {
            roll_size 100MiB
            roll_keep 90
            roll_keep_for 2160h
            level ERROR
        }
    }
}

file: /etc/caddy/caddy_security.conf

header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Xss-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    Content-Security-Policy "upgrade-insecure-requests"
    Referrer-Policy "strict-origin-when-cross-origin"
    Cache-Control "public, max-age=15, must-revalidate"
    Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'"
}


@BlackDex commented on GitHub:

First, those headers set by caddy could break some functionality.
Second, it looks like that Vaultwarden version you are using isn't supporting the 2022.9.0 web-vault version. I think the Vaultwarden version is matching the released version and not the master branch.

That would cause the issue you have currently.

Either install a git release of Vaultwarden, or revert to the latest 2022.8.x web-vault.
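
Added example, not code from the issue or from the Vaultwarden project: a small triage script that parses the log layout shown in the report above and pairs each 401/403 response with the Rocket request-guard failure logged just before it, so a route that unexpectedly arrives without a token (as in this web-vault/server version mismatch) can be told apart from a genuine credential failure. The five `/api/plans` lines are the excerpt from the issue; the two `/api/sync` lines are constructed for contrast, and the regexes are assumptions about the log format drawn from that excerpt.

```python
import re

# Vaultwarden log line layout as it appears in the report: [timestamp][target][LEVEL] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# Rocket response line: (handler) METHOD /path => STATUS Reason
RESPONSE_RE = re.compile(r"^\((?P<handler>\w+)\) (?P<method>[A-Z]+) (?P<path>\S+) => (?P<status>\d{3})")
# Rocket request-guard failure line, which carries the reason for the 401
GUARD_RE = re.compile(r'^Request guard `(?P<guard>\w+)` failed: "(?P<reason>[^"]*)"')

# The first five lines are the excerpt from the issue; the last two are a
# constructed (hypothetical) healthy request added for contrast.
SAMPLE_LOG = """\
[2022-10-06 22:32:48.043][request][INFO] GET /api/plans/
[2022-10-06 22:32:48.043][auth][ERROR] Unauthorized Error: No access token provided
[2022-10-06 22:32:48.043][_][WARN] Request guard `Headers` failed: "No access token provided".
[2022-10-06 22:32:48.043][_][WARN] No 401 catcher registered. Using Rocket default.
[2022-10-06 22:32:48.043][response][INFO] (get_plans) GET /api/plans => 401 Unauthorized
[2022-10-06 22:33:01.500][request][INFO] GET /api/sync
[2022-10-06 22:33:01.512][response][INFO] (sync) GET /api/sync => 200 OK
"""

def parse_lines(text):
    """Yield one dict per well-formed log line; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()

def find_auth_failures(text):
    """Return (path, status, guard, reason) for every 401/403 response.

    Rocket logs the request, then any failed request guard, then the
    response, so a guard failure is attributed to the next response line.
    """
    pending_guard = None
    failures = []
    for rec in parse_lines(text):
        g = GUARD_RE.match(rec["msg"])
        if g:
            pending_guard = (g["guard"], g["reason"])
            continue
        if rec["target"] != "response":
            continue
        r = RESPONSE_RE.match(rec["msg"])
        if r and int(r["status"]) in (401, 403):
            guard, reason = pending_guard or ("?", "?")
            failures.append((r["path"], int(r["status"]), guard, reason))
        pending_guard = None  # a response closes the current request
    return failures

if __name__ == "__main__":
    for failure in find_auth_failures(SAMPLE_LOG):
        print(failure)
```

Running it against the report's excerpt yields exactly one entry, `/api/plans` with guard `Headers` and reason "No access token provided", which points at the client sending an unauthenticated request rather than a rejected credential.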


Reference: starred/vaultwarden#1038