Opening an invitation link from Office365 webmail gives you a wrong URL leading to a 404 Not Found on account creation #1181

Closed
opened 2025-10-09 17:06:58 +03:00 by OVERLORD · 5 comments

Originally created by @Minaru on GitHub.

Subject of the issue

When inviting a user to join a Vaultwarden instance, if said user clicks the join link from the Office365 webmail browser client, they are directed to a bad URL which leads them to a 404 Not Found message when attempting to validate their account creation.

Said user can however log in to a web client application (i.e. Outlook), open the same mail, click on the join link in the Vaultwarden invitation email, and get a proper URL which leads them to a successful account creation when attempting to validate.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.24.0
  • Web-vault version: v2.25.1
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden: ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_ip_header_enabled": true,
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**************.****.*****.**",
  "domain_origin": "*****://**************.****.*****.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": true,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "nothing",
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "**@*****.**",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "****.*****.**",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_ssl": false,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • vaultwarden version: 1.24.0

  • Install method: Docker (Base: Debian 10)

  • Clients used: Web Vault

  • Reverse proxy and version: Nginx 1.14.2

  • Other relevant details: N/A

Steps to reproduce

Log in to the Admin panel and go to the Users tab.

Invite a new User.

Said user receives an invitation email to join the vaultwarden instance

User clicks on link in their email

When prompted to "Log in" or "Create account", they "Create account" since they do not have an account yet (1)

User fills their name and master password + confirmation

User clicks Submit

Expected behaviour

User gets redirected to log in screen with a notification that says their account is created
image

Actual behaviour

User gets a 404 not found notification
image

Troubleshooting data

WEBCLIENT CASE

When opening link from webclient, user gets this link:

https://<host>/?organizationId=_&organizationUserId=_&email=<first_name>%2E<last_name>%40<domain>%2E<country_tld>&organizationName=Vaultwarden&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE2NDc2MjY0NzYsImV4cCI6MTY0ODA1ODQ3NiwiaXNzIjoiaHR0cHM6Ly92YXVsdHdhcmRlbi1yZC5wcml2LnNld2FuLmZyfGludml0ZSIsInN1YiI6IjMwYWJhMzE1LTRjZTQtNDJhYy1hYzY2LThmODE3OTg2M2VjMiIsImVtYWlsIjoibWF4aW1lLmRlbW9kZUBzZXdhbi5mciIsIm9yZ19pZCI6bnVsbCwidXNlcl9vcmdfaWQiOm51bGwsImludml0ZWRfYnlfZW1haWwiOm51bGx9.eo_F4iV5LkI8NTJXxINm7ZbXnSkQ-hqY-SwU0ZyPXHUUMCZwXYA2po9g-WsmcuKkOGTx7tlm8dIbhTyzF3QHXBFRM3_q4NgUNuJi8ModyztYq_oibqBCo0UXuQALAWsyjZpcU9jjALuUdov3C_AW-ZG15ul4qmFlqMnhtJMyywKvrXbNtKAPJBURBTMWuRms835EOUp_-QyzlHNkenYoQbzCF2jmE_-lMHBB6qyyt2y-D5VnrevWtF_XrrceuGLCiNLPjLLUf-tHXM12klgfMuKM5ftgv2OMdrtIzugn-_v7HorP39aZpf6FSQJEPeBV8kb5iW93AXlAzigWbrICjw#/accept-organization?organizationId=_&organizationUserId=_&email=<first_name>.<last_name>@<domain>.<country_tld>&organizationName=Vaultwarden&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE2NDc2MjY0NzYsImV4cCI6MTY0ODA1ODQ3NiwiaXNzIjoiaHR0cHM6Ly92YXVsdHdhcmRlbi1yZC5wcml2LnNld2FuLmZyfGludml0ZSIsInN1YiI6IjMwYWJhMzE1LTRjZTQtNDJhYy1hYzY2LThmODE3OTg2M2VjMiIsImVtYWlsIjoibWF4aW1lLmRlbW9kZUBzZXdhbi5mciIsIm9yZ19pZCI6bnVsbCwidXNlcl9vcmdfaWQiOm51bGwsImludml0ZWRfYnlfZW1haWwiOm51bGx9.eo_F4iV5LkI8NTJXxINm7ZbXnSkQ-hqY-SwU0ZyPXHUUMCZwXYA2po9g-WsmcuKkOGTx7tlm8dIbhTyzF3QHXBFRM3_q4NgUNuJi8ModyztYq_oibqBCo0UXuQALAWsyjZpcU9jjALuUdov3C_AW-ZG15ul4qmFlqMnhtJMyywKvrXbNtKAPJBURBTMWuRms835EOUp_-QyzlHNkenYoQbzCF2jmE_-lMHBB6qyyt2y-D5VnrevWtF_XrrceuGLCiNLPjLLUf-tHXM12klgfMuKM5ftgv2OMdrtIzugn-_v7HorP39aZpf6FSQJEPeBV8kb5iW93AXlAzigWbrICjw

When they click "Create Account" from this link, they get to this link:

https://<host>/?organizationId=_&organizationUserId=_&email=<first_name>%2E<last_name>%40<domain>%2E<country_tld>&organizationName=Vaultwarden&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE2NDc2MjY0NzYsImV4cCI6MTY0ODA1ODQ3NiwiaXNzIjoiaHR0cHM6Ly92YXVsdHdhcmRlbi1yZC5wcml2LnNld2FuLmZyfGludml0ZSIsInN1YiI6IjMwYWJhMzE1LTRjZTQtNDJhYy1hYzY2LThmODE3OTg2M2VjMiIsImVtYWlsIjoibWF4aW1lLmRlbW9kZUBzZXdhbi5mciIsIm9yZ19pZCI6bnVsbCwidXNlcl9vcmdfaWQiOm51bGwsImludml0ZWRfYnlfZW1haWwiOm51bGx9.eo_F4iV5LkI8NTJXxINm7ZbXnSkQ-hqY-SwU0ZyPXHUUMCZwXYA2po9g-WsmcuKkOGTx7tlm8dIbhTyzF3QHXBFRM3_q4NgUNuJi8ModyztYq_oibqBCo0UXuQALAWsyjZpcU9jjALuUdov3C_AW-ZG15ul4qmFlqMnhtJMyywKvrXbNtKAPJBURBTMWuRms835EOUp_-QyzlHNkenYoQbzCF2jmE_-lMHBB6qyyt2y-D5VnrevWtF_XrrceuGLCiNLPjLLUf-tHXM12klgfMuKM5ftgv2OMdrtIzugn-_v7HorP39aZpf6FSQJEPeBV8kb5iW93AXlAzigWbrICjw#/register?email=<first_name>.<last_name>@<domain>.<country_tld>

APPCLIENT (Outlook) CASE

When opening link from Outlook, user gets this link:

https://<host>/#/accept-organization?organizationId=_&organizationUserId=_&email=<first_name>.<last_name>@<domain>.<country_tld>&organizationName=Vaultwarden&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE2NDc2MjY0NzYsImV4cCI6MTY0ODA1ODQ3NiwiaXNzIjoiaHR0cHM6Ly92YXVsdHdhcmRlbi1yZC5wcml2LnNld2FuLmZyfGludml0ZSIsInN1YiI6IjMwYWJhMzE1LTRjZTQtNDJhYy1hYzY2LThmODE3OTg2M2VjMiIsImVtYWlsIjoibWF4aW1lLmRlbW9kZUBzZXdhbi5mciIsIm9yZ19pZCI6bnVsbCwidXNlcl9vcmdfaWQiOm51bGwsImludml0ZWRfYnlfZW1haWwiOm51bGx9.eo_F4iV5LkI8NTJXxINm7ZbXnSkQ-hqY-SwU0ZyPXHUUMCZwXYA2po9g-WsmcuKkOGTx7tlm8dIbhTyzF3QHXBFRM3_q4NgUNuJi8ModyztYq_oibqBCo0UXuQALAWsyjZpcU9jjALuUdov3C_AW-ZG15ul4qmFlqMnhtJMyywKvrXbNtKAPJBURBTMWuRms835EOUp_-QyzlHNkenYoQbzCF2jmE_-lMHBB6qyyt2y-D5VnrevWtF_XrrceuGLCiNLPjLLUf-tHXM12klgfMuKM5ftgv2OMdrtIzugn-_v7HorP39aZpf6FSQJEPeBV8kb5iW93AXlAzigWbrICjw

When they click "Create Account" from this link, they get to this link:

https://<host>/#/register?email=<first_name>.<last_name>@<domain>.<country_tld>

POTENTIAL ISSUE IDENTIFIED?

From what I can see, when I click on the "Join" button from webclient, I get a malformed URL which inserts

?organizationId=_&organizationUserId=_&email=<first_name>%2E<last_name>%40<domain>%2E<country_tld>&organizationName=Vaultwarden&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE2NDc2MjY0NzYsImV4cCI6MTY0ODA1ODQ3NiwiaXNzIjoiaHR0cHM6Ly92YXVsdHdhcmRlbi1yZC5wcml2LnNld2FuLmZyfGludml0ZSIsInN1YiI6IjMwYWJhMzE1LTRjZTQtNDJhYy1hYzY2LThmODE3OTg2M2VjMiIsImVtYWlsIjoibWF4aW1lLmRlbW9kZUBzZXdhbi5mciIsIm9yZ19pZCI6bnVsbCwidXNlcl9vcmdfaWQiOm51bGwsImludml0ZWRfYnlfZW1haWwiOm51bGx9.eo_F4iV5LkI8NTJXxINm7ZbXnSkQ-hqY-SwU0ZyPXHUUMCZwXYA2po9g-WsmcuKkOGTx7tlm8dIbhTyzF3QHXBFRM3_q4NgUNuJi8ModyztYq_oibqBCo0UXuQALAWsyjZpcU9jjALuUdov3C_AW-ZG15ul4qmFlqMnhtJMyywKvrXbNtKAPJBURBTMWuRms835EOUp_-QyzlHNkenYoQbzCF2jmE_-lMHBB6qyyt2y-D5VnrevWtF_XrrceuGLCiNLPjLLUf-tHXM12klgfMuKM5ftgv2OMdrtIzugn-_v7HorP39aZpf6FSQJEPeBV8kb5iW93AXlAzigWbrICjw

in between https://<host>/ and

#/accept-organization?organizationId=_&organizationUserId=_&email=<first_name>.<last_name>@<domain>.<country_tld>&organizationName=Vaultwarden&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE2NDc2MjY0NzYsImV4cCI6MTY0ODA1ODQ3NiwiaXNzIjoiaHR0cHM6Ly92YXVsdHdhcmRlbi1yZC5wcml2LnNld2FuLmZyfGludml0ZSIsInN1YiI6IjMwYWJhMzE1LTRjZTQtNDJhYy1hYzY2LThmODE3OTg2M2VjMiIsImVtYWlsIjoibWF4aW1lLmRlbW9kZUBzZXdhbi5mciIsIm9yZ19pZCI6bnVsbCwidXNlcl9vcmdfaWQiOm51bGwsImludml0ZWRfYnlfZW1haWwiOm51bGx9.eo_F4iV5LkI8NTJXxINm7ZbXnSkQ-hqY-SwU0ZyPXHUUMCZwXYA2po9g-WsmcuKkOGTx7tlm8dIbhTyzF3QHXBFRM3_q4NgUNuJi8ModyztYq_oibqBCo0UXuQALAWsyjZpcU9jjALuUdov3C_AW-ZG15ul4qmFlqMnhtJMyywKvrXbNtKAPJBURBTMWuRms835EOUp_-QyzlHNkenYoQbzCF2jmE_-lMHBB6qyyt2y-D5VnrevWtF_XrrceuGLCiNLPjLLUf-tHXM12klgfMuKM5ftgv2OMdrtIzugn-_v7HorP39aZpf6FSQJEPeBV8kb5iW93AXlAzigWbrICjw

The inserted part from the webclient URL is the issue, since it seems like if you concatenate the host part and the part starting with #/ you pretty much get the proper URL that Outlook gives you.

OVERLORD added the Third party and troubleshooting labels 2025-10-09 17:06:58 +03:00
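The comparison the reporter makes by eye between the webmail and Outlook links can be scripted. The following is an added example, not part of the original issue or of Vaultwarden's code; the host `vault.example.test`, the e-mail address, the token placeholder and the function names are constructed for illustration.

```javascript
// Added example. Host, e-mail address and token are constructed sample values;
// parseHashRoute and inspectInviteLink are hypothetical helper names.
const SAMPLE_QUERY =
  'organizationId=_&organizationUserId=_' +
  '&email=alice%2Edoe%40example%2Etest' +
  '&organizationName=Vaultwarden&token=CONSTRUCTED.SAMPLE.TOKEN';
const SAMPLE_ROUTE =
  '#/accept-organization?organizationId=_&organizationUserId=_' +
  '&email=alice.doe@example.test' +
  '&organizationName=Vaultwarden&token=CONSTRUCTED.SAMPLE.TOKEN';

// Shape of the link as opened from the Outlook app (hash route only).
const APP_LINK = 'https://vault.example.test/' + SAMPLE_ROUTE;
// Shape of the link as opened from webmail (same parameters also in the query).
const WEBMAIL_LINK = 'https://vault.example.test/?' + SAMPLE_QUERY + SAMPLE_ROUTE;
// Shape of the webmail link after clicking "Create Account".
const WEBMAIL_REGISTER_LINK =
  'https://vault.example.test/?' + SAMPLE_QUERY +
  '#/register?email=alice.doe@example.test';

// Split a hash route such as "#/register?email=a@b" into path and parameters.
function parseHashRoute(hash) {
  const route = hash.startsWith('#') ? hash.slice(1) : hash;
  const q = route.indexOf('?');
  return {
    path: q === -1 ? route : route.slice(0, q),
    params: new URLSearchParams(q === -1 ? '' : route.slice(q + 1)),
  };
}

// Report whether parameters of the hash route were copied into the real query
// string, and rebuild the link as host part + "#/..." part.
function inspectInviteLink(link) {
  const url = new URL(link);
  const { path, params: routeParams } = parseHashRoute(url.hash);
  const queryParams = new URLSearchParams(url.search);

  // URLSearchParams percent-decodes both sides, so "%2E"/"%40" in the query
  // compare equal to "." and "@" in the hash route.
  const duplicated = [];
  for (const [name, value] of queryParams) {
    if (routeParams.get(name) === value) duplicated.push(name);
  }
  const rewritten = duplicated.length > 0;

  return {
    route: path,
    duplicated,
    rewritten,
    // Unlike the fragment, the query string is sent to the server with the
    // request, so a token here can end up in proxy and access logs.
    tokenInQuery: queryParams.has('token'),
    repaired: rewritten ? url.origin + url.pathname + url.hash : link,
  };
}

for (const link of [APP_LINK, WEBMAIL_LINK, WEBMAIL_REGISTER_LINK]) {
  const r = inspectInviteLink(link);
  console.log(r.route, 'rewritten:', r.rewritten, 'tokenInQuery:', r.tokenInQuery);
}
```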

@BlackDex commented on GitHub:

I have access. I will try tomorrow if I can see the same issue.


@BlackDex commented on GitHub:

I'm afraid that it is an issue with Outlook and not something we can fix at the Vaultwarden side.


@Minaru commented on GitHub:

Also, after the successful account creation via Outlook App link, if I try to click on "Verify Email Address Now" from webclient, I get:

image

If I try the same thing from Outlook App:

image

Most likely the same issue of malformed URL coming from webclient


@BlackDex commented on GitHub:

It seems to work for my Office365 environment. I also disabled all of my browser extensions just in case some of them try to fix tracking URLs. I'm not able to reproduce this.

Also, you say it does work on the mobile client, which to me indicates the mail is sent and received correctly and the link in the mail does work. I suggest to check if you can see something strange with the developer tools of the browser maybe.

Also, try to use a different browser, disable extensions, use a private/incognito tab to see if that helps.


@Minaru commented on GitHub:

I think so too since I just had a user successfully create their account from gmail webclient :(

I'm not sure if you have access to a professional Office365 account to verify that you can replicate?

It could be linked to security settings on my company's side when filtering links coming from emails and not Microsoft as a whole.

Reference: starred/vaultwarden#1181