1.29.0 docker image: VAULTWARDEN_ADMIN_TOKEN vs ADMIN_TOKEN #1645

Closed
opened 2026-02-05 01:24:33 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @gStart9 on GitHub (Jul 19, 2023).

Subject of the issue

1.29.0 docker image: VAULTWARDEN_ADMIN_TOKEN vs ADMIN_TOKEN

Deployment environment

  • vaultwarden version:

Docker vaultwarden/server:1.29.0

  • Install method: Docker image image:

FROM vaultwarden/server:1.29.0

  • Clients used:

browser: FF115

  • Reverse proxy and version:

nginx version: nginx/1.18.0

  • Other relevant details:

I have read https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token but no matter what I do, if I've included ADMIN_TOKEN= in my .env file, like:
ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$MW84Wi9HakowU2c2UjRCYXduNGZUMlpUeS92SXV2eDk3MFgwaTBvNE5UST0$VCMT5AbHh0evoz9fyJEcdXgjRbGTCfyIzYSXz7s42qE

Then when I start up Vaultwarden, the log complains that I don't have a secure password:

2023-07-19T19:29:05+00:00  /--------------------------------------------------------------------\
2023-07-19T19:29:05+00:00  |                        Starting Vaultwarden                        |
2023-07-19T19:29:05+00:00  |                           Version 1.29.0                           |
2023-07-19T19:29:05+00:00  |--------------------------------------------------------------------|
2023-07-19T19:29:05+00:00  | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
2023-07-19T19:29:05+00:00  | official channels to report bugs/features, regardless of client.   |
2023-07-19T19:29:05+00:00  | Send usage/configuration questions or feature requests to:         |
2023-07-19T19:29:05+00:00  |   https://github.com/dani-garcia/vaultwarden/discussions or        |
2023-07-19T19:29:05+00:00  |   https://vaultwarden.discourse.group/                             |
2023-07-19T19:29:05+00:00  | Report suspected bugs/issues in the software itself at:            |
2023-07-19T19:29:05+00:00  |   https://github.com/dani-garcia/vaultwarden/issues/new            |
2023-07-19T19:29:05+00:00  \--------------------------------------------------------------------/
2023-07-19T19:29:05+00:00  
2023-07-19T19:29:05+00:00  [INFO] Using environment file `.env` for configuration.
2023-07-19T19:29:05+00:00  
2023-07-19T19:29:05+00:00  [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.
2023-07-19T19:29:05+00:00  Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.
2023-07-19T19:29:05+00:00  See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
2023-07-19T19:29:05+00:00  
2023-07-19T19:29:05+00:00  [2023-07-19 19:29:05.476][start][INFO] Rocket has launched from http://0.0.0.0:80

But I am able to access /admin/

However, if, in order to get rid of the nasty log message, I use only VAULTWARDEN_ADMIN_TOKEN in .env, as such:
VAULTWARDEN_ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$MW84Wi9HakowU2c2UjRCYXduNGZUMlpUeS92SXV2eDk3MFgwaTBvNE5UST0$VCMT5AbHh0evoz9fyJEcdXgjRbGTCfyIzYSXz7s42qE

Then the log is clean on startup but a request to access /admin/ results in the following response:
<pre>The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it</pre>

It seems I can only use ADMIN_TOKEN if I want /admin/ to be available, yet Vaultwarden still thinks it's insecure even though I'm using the $argon2id$... format.
VAULTWARDEN_ADMIN_TOKEN being set correctly in .env does not make /admin/ available.

Steps to reproduce

We package vaultwarden for Start9's personal servers here (https://github.com/Start9Labs/vaultwarden-wrapper/) so it's kind of a custom docker setup but I believe you can reproduce this if you simply:
Use 1.29.0 docker image and put either ADMIN_TOKEN or VAULTWARDEN_ADMIN_TOKEN only into .env

Expected behaviour

After reading this: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
I expected setting VAULTWARDEN_ADMIN_TOKEN was a valid way to have /admin/ work.

Alternatively, after setting this in .env:
ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$MW84Wi9HakowU2c2UjRCYXduNGZUMlpUeS92SXV2eDk3MFgwaTBvNE5UST0$VCMT5AbHh0evoz9fyJEcdXgjRbGTCfyIzYSXz7s42qE
... I expected vaultwarden to not complain in the log that my token is still insecure.

Actual behaviour

Described above
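
An added example, not part of the original issue and not Vaultwarden's code: a lint for `.env` files that checks whether an admin-token value would still be a well-formed Argon2 PHC string once it has been loaded. It assumes a loader that expands `$NAME` in unquoted and double-quoted values and leaves single-quoted values literal; `substitute`, `effective_value`, `lint_env` and the sample token are constructed for illustration.

```python
import re

# Argon2 PHC string: $argon2id$v=19$m=..,t=..,p=..$<salt>$<hash>
PHC_RE = re.compile(
    r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")
TOKEN_KEYS = {"ADMIN_TOKEN", "VAULTWARDEN_ADMIN_TOKEN"}

def substitute(value, env=None):
    """Simplified model (assumption) of a loader that expands $NAME;
    names that are not set expand to the empty string."""
    env = env or {}
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), value)

def effective_value(raw):
    """Value the application would receive under the model above."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        return raw[1:-1]                 # single quotes: taken literally
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return substitute(raw[1:-1])     # double quotes: still expanded
    return substitute(raw)               # unquoted: expanded

def lint_env(text):
    """Return (line_no, key, finding) for each admin-token line that would
    not reach the application as a well-formed Argon2 PHC string."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        key, sep, raw = line.partition("=")
        key = key.strip()
        if not sep or key not in TOKEN_KEYS:
            continue
        got = effective_value(raw)
        if not PHC_RE.match(got):
            findings.append((no, key, f"not a PHC string after loading: {got!r}"))
    return findings

# Constructed sample .env; salt and hash are placeholders, not real output.
SAMPLE = """\
ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$c2FtcGxlc2FsdA$c2FtcGxlaGFzaHZhbHVl
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$c2FtcGxlc2FsdA$c2FtcGxlaGFzaHZhbHVl'
"""

if __name__ == "__main__":
    for finding in lint_env(SAMPLE):
        print(finding)
```

Under that assumption the unquoted line is flagged because every `$`-prefixed segment is treated as an unset variable, so what remains no longer begins with `$argon2`; the single-quoted line passes unchanged.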

Reference: starred/vaultwarden#1645