Webauthn fails on browser extensions #1307

Closed
opened 2025-10-09 17:10:55 +03:00 by OVERLORD · 2 comments

Originally created by @HandyHat on GitHub.

Subject of the issue

Using Webauthn 2FA on the browser extension results in an error (Cannot parse data) even though using it on the web client works fine.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.22.2
  • Web-vault version: v2.21.1
  • Running within Docker: true
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4

Config (Generated via diagnostics page)


Environment settings which are overridden:

```json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****.*****.**.**",
  "domain_origin": "*****://****.*****.**.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Gargs",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "****@*****.**.**",
  "smtp_from_name": "Bitwarden",
  "smtp_host": "*******.****.**",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "****@*****.**.**",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```
  • Reverse proxy and version: Caddy v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=

  • Other relevant details:
    Using Windows Hello PIN for my Webauthn method.

Steps to reproduce

  1. Set up Windows Hello PIN as a Webauthn Method
  2. Attempt to log in on the browser extension

Expected behaviour

A Windows Security screen to appear, allowing me to enter my PIN.
(screenshot)

Actual behaviour

An error (Cannot parse data) is thrown
(screenshot)

Troubleshooting data

  • Issue is reproducible on multiple computers, and occurs when using the Firefox, Edge or Chrome extensions (using the web client on any of them works fine)
  • I've tried removing my webauthn keys and setting them up again
  • Issue occurs when Cloudflare is disabled and headers are not being altered
  • The Chrome console shows this error when the extension is opened in its own tab and the error occurs:
```
ERROR Error: Uncaught (in promise): ReferenceError: Cannot access 'queryParamsSub' before initialization
ReferenceError: Cannot access 'queryParamsSub' before initialization
    at accounts_two_factor_component_TwoFactorComponent.<anonymous> (main.js:8227)
    at Generator.next (<anonymous>)
    at main.js:8159
    at new ZoneAwarePromise (polyfills.js:14909)
    at 761.two_factor_component_awaiter (main.js:8155)
    at SafeSubscriber._next (main.js:8223)
    at SafeSubscriber.push.26.SafeSubscriber.__tryOrUnsub (vendor.js:10502)
    at SafeSubscriber.push.26.SafeSubscriber.next (vendor.js:10440)
    at Subscriber.push.26.Subscriber._next (vendor.js:10386)
    at Subscriber.push.26.Subscriber.next (vendor.js:10363)
    at resolvePromise (polyfills.js:14824)
    at new ZoneAwarePromise (polyfills.js:14912)
    at 761.two_factor_component_awaiter (main.js:8155)
    at SafeSubscriber._next (main.js:8223)
    at SafeSubscriber.push.26.SafeSubscriber.__tryOrUnsub (vendor.js:10502)
    at SafeSubscriber.push.26.SafeSubscriber.next (vendor.js:10440)
    at Subscriber.push.26.Subscriber._next (vendor.js:10386)
    at Subscriber.push.26.Subscriber.next (vendor.js:10363)
    at BehaviorSubject.push.143.BehaviorSubject._subscribe (vendor.js:4369)
    at BehaviorSubject.push.20.Observable._trySubscribe (vendor.js:8888)
```
  • I turned on debug logging, and the difference between a successful login from the web client and a failed login from the browser extension seems to be the webauthn-connector page.

Successful login attempt logs (web client):

```
vaultwarden    | [2021-08-25 00:51:20.386][request][INFO] POST /api/accounts/prelogin
vaultwarden    | [2021-08-25 00:51:20.390][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
vaultwarden    | [2021-08-25 00:51:20.520][request][INFO] POST /identity/connect/token
vaultwarden    | [2021-08-25 00:51:20.786][error][ERROR] 2FA token not provided
vaultwarden    | [2021-08-25 00:51:20.786][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
vaultwarden    | [2021-08-25 00:51:21.379][request][INFO] GET /webauthn-connector.html?data=eyJhbGxvd0NyZWRlbnRpYWxzI
vaultwarden    | [2021-08-25 00:51:21.379][response][INFO] GET /<p..> [10] (web_files) => 200 OK
```

Failed login attempt logs (browser extension):

```
vaultwarden    | [2021-08-25 00:50:55.245][request][INFO] POST /api/accounts/prelogin
vaultwarden    | [2021-08-25 00:50:55.246][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
vaultwarden    | [2021-08-25 00:50:55.405][request][INFO] POST /identity/connect/token
vaultwarden    | [2021-08-25 00:50:55.646][error][ERROR] 2FA token not provided
vaultwarden    | [2021-08-25 00:50:55.646][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
vaultwarden    | [2021-08-25 00:50:56.254][request][INFO] GET /webauthn-connector.html?data=eyJkYXRhIjoie1wiYWxsb3dDc
vaultwarden    | [2021-08-25 00:50:56.254][response][INFO] GET /<p..> [10] (web_files) => 200 OK
```
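The two `data=` prefixes in the logs above decode to differently shaped payloads: the web client's begins `{"allowCredentials"`, while the extension's begins `{"data":"{\"allowCr`, which looks like the assertion options JSON-encoded a second time inside an outer envelope. The following Python is added here for illustration and is not part of the issue, of Vaultwarden, or of the Bitwarden clients; it rebuilds both encodings from constructed sample options (placeholder challenge, credential id and rpId) so that their base64 prefixes match the log lines, and shows a decoder that accepts either shape rather than failing with `Cannot parse data`.

```python
import base64
import json

# Constructed sample WebAuthn assertion options in the shape the connector
# page receives; every value is a placeholder, not data from the issue.
OPTIONS = {
    "allowCredentials": [{"type": "public-key", "id": "cHVibGljLWtleS1pZA"}],
    "challenge": "Y2hhbGxlbmdl",
    "rpId": "vault.example.test",
    "timeout": 60000,
    "userVerification": "preferred",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def encode_web_client_style(options: dict) -> str:
    """Web client: the options object is JSON-encoded once, then base64-encoded."""
    return _b64url(json.dumps(options, separators=(",", ":")).encode())


def encode_extension_style(options: dict) -> str:
    """Extension (as the failing log line suggests): the options JSON is wrapped
    as a string inside an outer {"data": "..."} object, so it is encoded twice."""
    inner = json.dumps(options, separators=(",", ":"))
    return _b64url(json.dumps({"data": inner}, separators=(",", ":")).encode())


def decode_connector_data(param: str) -> dict:
    """Decode the connector's ?data= parameter, accepting both shapes.

    Raises ValueError("Cannot parse data") when neither shape fits, which is
    the failure mode the issue reports for the single-shape parser.
    """
    padded = param + "=" * (-len(param) % 4)  # restore stripped base64 padding
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("Cannot parse data") from exc
    # Unwrap the double-encoded envelope when it is present.
    if isinstance(obj, dict) and set(obj) == {"data"} and isinstance(obj["data"], str):
        try:
            obj = json.loads(obj["data"])
        except ValueError as exc:
            raise ValueError("Cannot parse data") from exc
    if not isinstance(obj, dict) or "allowCredentials" not in obj:
        raise ValueError("Cannot parse data")
    return obj
```

Running `encode_*` on `OPTIONS` reproduces the exact prefixes seen in the two log lines, so the same check can be applied to a captured `data=` value to tell which client produced it.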

@jjlin commented on GitHub:

Probably related to https://github.com/bitwarden/jslib/pull/462


@jjlin commented on GitHub:

This is working again in the 1.52.1 release of the browser extensions, which is now available for Chrome at least.

Reference: starred/vaultwarden#1307