2FA not working on new device with firefox plugin #1716

Closed
opened 2026-02-05 01:34:21 +03:00 by OVERLORD · 4 comments

Originally created by @timaschew on GitHub (Sep 23, 2023).

Subject of the issue

I tried to set up Bitwarden on my new computer, so I've installed the official Firefox plugin, version 2023.8.3.
After typing my master password, there is a 2FA prompt, but it fails with this error message:

Two-step token ins invalid. Try again

I can log in via web interface with 2FA.
I can also log in via Bitwarden CLI with 2FA.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.29.1
  • Web-vault version: v2023.5.0
  • OS/Arch: linux/x86_64
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.41.2
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, SIGNUPS_VERIFY, ADMIN_TOKEN, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******************",
  "domain_origin": "*****://******************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": false,
  "smtp_from": "*************",
  "smtp_from_name": "Bitwarden",
  "smtp_host": "**********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

Use Server 1.29.1 and latest Firefox Plugin and try to log in to an account with 2FA.

Expected behaviour

2FA works

Actual behaviour

2FA doesn't work, tells that the code is invalid.

Troubleshooting data

I don't see anything interesting in the logs (via docker logs). Is there any other place?


@BlackDex commented on GitHub (Sep 23, 2023):

There must be something in the Vaultwarden logs. At least a log line that that request was done.

Else try to set the log_level to debug, and see if that provides some more details.


@stefan0xC commented on GitHub (Sep 23, 2023):

How do you generate the two-step token? Have you made sure that the device's clock (on which the 2FA authenticator is installed) is not off? (You can check with sites like https://time.gov and https://uhr.ptb.de)

Also does the issue arise with the 2023.7.1 version of the add-on?


@timaschew commented on GitHub (Sep 23, 2023):

I'm using an auth app on my mobile phone.
I've checked the time on the 2FA device and on the server, it's fine.
I've installed version 2023.7.1 for the add-on, still same issue.

I've set log level to debug, here is the output

# login via web - works

2023-09-23T07:05:50.279283760Z app[web.1]: [2023-09-23 07:05:50.279][request][INFO] POST /identity/connect/token
2023-09-23T07:05:50.385416363Z app[web.1]: [2023-09-23 07:05:50.385][vaultwarden::api::identity][INFO] User anton.w@tuta.io logged in successfully. IP: a.b.c.198
2023-09-23T07:05:50.385805538Z app[web.1]: [2023-09-23 07:05:50.385][response][INFO] (login) POST /identity/connect/token => 200 OK
2023-09-23T07:05:50.580734448Z app[web.1]: [2023-09-23 07:05:50.580][request][INFO] POST /identity/connect/token
2023-09-23T07:05:50.584801607Z app[web.1]: [2023-09-23 07:05:50.584][response][INFO] (login) POST /identity/connect/token => 200 OK
2023-09-23T07:05:50.773281696Z app[web.1]: [2023-09-23 07:05:50.772][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:59134
2023-09-23T07:05:50.779502347Z app[web.1]: [2023-09-23 07:05:50.779][request][INFO] GET /api/sync?excludeDomains=true
2023-09-23T07:05:50.843039332Z app[web.1]: [2023-09-23 07:05:50.842][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
2023-09-23T07:05:54.400334286Z app[web.1]: [2023-09-23 07:05:54.400][request][INFO] GET /api/config
2023-09-23T07:05:54.401325090Z app[web.1]: [2023-09-23 07:05:54.401][response][INFO] (config) GET /api/config => 200 OK
2023-09-23T07:06:03.811161160Z app[web.1]: [2023-09-23 07:06:03.810][request][INFO] GET /alive



# failed via firefox plugin first time

2023-09-23T07:07:03.589433887Z app[web.1]: [2023-09-23 07:07:03.589][vaultwarden::api::core::emergency_access][DEBUG] Start emergency_request_timeout_job
2023-09-23T07:07:03.590253858Z app[web.1]: [2023-09-23 07:07:03.589][vaultwarden::api::core::emergency_access][DEBUG] No emergency request timeout to approve
2023-09-23T07:07:03.946665226Z app[web.1]: [2023-09-23 07:07:03.946][request][INFO] GET /alive
2023-09-23T07:07:03.947619671Z app[web.1]: [2023-09-23 07:07:03.946][response][INFO] (alive) GET /alive => 200 OK
2023-09-23T07:07:33.590411144Z app[web.1]: [2023-09-23 07:07:33.590][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins


# failed via firefox plugin second time

2023-09-23T07:09:04.168197732Z app[web.1]: [2023-09-23 07:09:04.167][request][INFO] GET /alive
2023-09-23T07:09:04.168461721Z app[web.1]: [2023-09-23 07:09:04.168][response][INFO] (alive) GET /alive => 200 OK
2023-09-23T07:09:33.596404927Z app[web.1]: [2023-09-23 07:09:33.596][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins

The message Sending notifications for incomplete 2FA logins appears only a few seconds after the failed attempt.

On my old computer, I have latest firefox plugin 2023.8.3 and it's working fine. I've logged out, logged in again and 2FA works fine.

First I assumed that it's related to the Firefox version, but both are the same, 117.0.1

Just the macOS version is different, old: 11.4 and new: 13.5 but I can't imagine that this can be the issue.
Both computers are in the same network, share the same public IP.


@timaschew commented on GitHub (Sep 23, 2023):

I've found the issue, sorry it was my fault.
I've typed the server URL not into the first field (Server URL), but below (Web vault server URL).

I wonder why the password verification was working fine, but not the 2FA.

I also wonder if any data was sent to the official Bitwarden server with my broken config.
If yes, which data?

Reference: starred/vaultwarden#1716
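
The debug log pasted in this thread can be checked mechanically: the working web login shows `POST /identity/connect/token`, while the sections the reporter labelled as failed add-on attempts contain no such request, so those logins never reached this Vaultwarden instance. The following is an added example, not part of the original issue or of Vaultwarden; the function names are hypothetical and `SAMPLE` is trimmed from the excerpt above, keeping the reporter's `# ...` section labels.

```python
import re

# Trimmed from the log excerpt in this thread (section labels are the reporter's).
SAMPLE = """\
# login via web - works
2023-09-23T07:05:50.279283760Z app[web.1]: [2023-09-23 07:05:50.279][request][INFO] POST /identity/connect/token
2023-09-23T07:05:50.385805538Z app[web.1]: [2023-09-23 07:05:50.385][response][INFO] (login) POST /identity/connect/token => 200 OK
2023-09-23T07:05:50.779502347Z app[web.1]: [2023-09-23 07:05:50.779][request][INFO] GET /api/sync?excludeDomains=true
# failed via firefox plugin first time
2023-09-23T07:07:03.946665226Z app[web.1]: [2023-09-23 07:07:03.946][request][INFO] GET /alive
2023-09-23T07:07:03.947619671Z app[web.1]: [2023-09-23 07:07:03.946][response][INFO] (alive) GET /alive => 200 OK
2023-09-23T07:07:33.590411144Z app[web.1]: [2023-09-23 07:07:33.590][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
# failed via firefox plugin second time
2023-09-23T07:09:04.168197732Z app[web.1]: [2023-09-23 07:09:04.167][request][INFO] GET /alive
2023-09-23T07:09:04.168461721Z app[web.1]: [2023-09-23 07:09:04.168][response][INFO] (alive) GET /alive => 200 OK
"""

# "[timestamp][target][LEVEL] message"; the docker prefix "app[web.1]: " is skipped
# because its bracket is not directly followed by another "[".
LINE = re.compile(r"\[([^\]]+)\]\[([^\]]+)\]\[([A-Z]+)\] (.*)$")
REQ = re.compile(r"^(GET|POST|PUT|DELETE) (\S+)$")
RESP = re.compile(r"^\(\w+\) (GET|POST|PUT|DELETE) (\S+) => (\d{3})")


def summarize(text, path="/identity/connect/token"):
    """Per labelled section: count requests for `path`, collect its response
    statuses, and record which other paths the server did see."""
    sections, current = {}, None
    for raw in text.splitlines():
        raw = raw.strip()
        if raw.startswith("#"):
            current = raw.lstrip("# ").strip()
            sections[current] = {"requests": 0, "statuses": [], "other_paths": set()}
            continue
        m = LINE.search(raw)
        if not m or current is None:
            continue
        target, msg = m.group(2), m.group(4)
        entry = sections[current]
        if target == "request" and (r := REQ.match(msg)):
            seen = r.group(2).split("?")[0]
            if seen == path:
                entry["requests"] += 1
            else:
                entry["other_paths"].add(seen)
        elif target == "response" and (r := RESP.match(msg)):
            if r.group(2).split("?")[0] == path:
                entry["statuses"].append(int(r.group(3)))
    return sections


def never_reached_server(text):
    """Sections in which this server logged no login (token) request at all."""
    return [name for name, s in summarize(text).items() if s["requests"] == 0]


if __name__ == "__main__":
    for name in never_reached_server(SAMPLE):
        print(f"no token request logged during: {name}")
```

A section with zero token requests points at client-side configuration (which server the client is addressing) rather than at the TOTP code or clock drift, since a rejected code would still produce a logged request and response.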