Issue: WebSocket Token in URI #1423

New Issue

Closed

opened 2025-10-09 17:14:50 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2025-10-09 17:14:50 +03:00

Owner

Copy Link

Originally created by @Berndinox on GitHub.

Subject of the issue

I dont want my Token to be sent via URI
After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called:
wss://domain.com/notifications/hub?access_token=JWT_TOKEN

That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark)

An Attacker can use that token to get access to the account.
YES, the passwords are still client side encrypted so there is no "super-danger".

However, in my optionion a password-manager should not send long living Token via URI.

See also: https://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param
"This method is included to document current use; its use is not recommended, due to its security deficiencies (see Section 5) and also because it uses a reserved query parameter name, which is counter to URI namespace best practices, per "Architecture of the World Wide Web, Volume One" [W3C.REC‑webarch‑20041215]."

Temporary Token with short lifetime could fix that issue.

EDIT:
What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false"

WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403

403 is just because i have not rule for /notification/hub to Websocket Port

Originally created by @Berndinox on GitHub. ### Subject of the issue I dont want my Token to be sent via URI After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called: wss://domain.com/notifications/hub?access_token=JWT_TOKEN That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark) An Attacker can use that token to get access to the account. **YES, the passwords are still client side encrypted so there is no "super-danger".** However, in my optionion a password-manager should not send long living Token via URI. See also: https://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param "This method is included to document current use; its use is not recommended, due to its security deficiencies (see Section 5) and also because it uses a reserved query parameter name, which is counter to URI namespace best practices, per "Architecture of the World Wide Web, Volume One" [W3C.REC‑webarch‑20041215]." Temporary Token with short lifetime could fix that issue. EDIT: What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false" WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403 _403 is just because i have not rule for /notification/hub to Websocket Port_

OVERLORD added the troubleshootingenhancement labels 2025-10-09 17:14:50 +03:00

OVERLORD closed this issue 2025-10-09 17:14:50 +03:00

OVERLORD commented 2025-10-09 17:14:51 +03:00

Author

Owner

Copy Link

@jjlin commented on GitHub:

I dont want my Token to be sent via URI
After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called:
wss://domain.com/notifications/hub?access_token=JWT_TOKEN

That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark)

This is how upstream Bitwarden works currently, so there's nothing bitwarden_rs can do about it if it wants to remain compatible. I don't know if upstream would consider this to be a feature request, but you could try https://community.bitwarden.com/c/feature-requests/5 or https://github.com/bitwarden/server/issues.

What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false"

WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403

403 is just because i have not rule for /notification/hub to Websocket Port

This is expected. The web/browser/desktop clients always try to establish a WebSocket connection, regardless of whether the server has it enabled (I'm not sure the upstream server even allows you to disable WebSockets).

@jjlin commented on GitHub: > I dont want my Token to be sent via URI > After authentication JWT Token is transmitted in HTTP Header as usually. However Bitwarden is also trying to establish an WebSocket Connection for Realtime. For that porpose the following URL is called: > wss://domain.com/notifications/hub?access_token=JWT_TOKEN > > That call can easily be logged without breaking the SSL Connection. (Forward-Proxy, Reverse-Proxy, Wireshark) This is how upstream Bitwarden works currently, so there's nothing bitwarden_rs can do about it if it wants to remain compatible. I don't know if upstream would consider this to be a feature request, but you could try https://community.bitwarden.com/c/feature-requests/5 or https://github.com/bitwarden/server/issues. > What is strange, that i still log this after setting: WEBSOCKET_ENABLED: "false" > > WebSocket connection to 'wss://domain.com/notifications/hub?access_token=TOKEN' failed: Error during WebSocket handshake: Unexpected response code: 403 > > _403 is just because i have not rule for /notification/hub to Websocket Port_ This is expected. The web/browser/desktop clients always try to establish a WebSocket connection, regardless of whether the server has it enabled (I'm not sure the upstream server even allows you to disable WebSockets).

OVERLORD commented 2025-10-09 17:14:52 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

Upstream doesn't allow to disable it. Actually, the only reason we have that option i think is because there is no native integration with rocket right now.

@BlackDex commented on GitHub: Upstream doesn't allow to disable it. Actually, the only reason we have that option i think is because there is no native integration with rocket right now.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label enhancement troubleshooting

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#1423