Unable to Deauthorize sessions #1756

Closed
opened 2026-02-05 01:40:09 +03:00 by OVERLORD · 9 comments

Originally created by @MButcho on GitHub (Nov 6, 2023).

Subject of the issue

When I try to Deauthorize sessions, I receive the following error:
image

The reason is I wanted to implement push notifications, which are not working

Deployment environment

  • vaultwarden version: v1.30.0

  • Install method: Docker image

  • Clients used: web vault, desktop, iOS

  • Reverse proxy and version: nginx version: nginx/1.18.0 (Ubuntu)

  • Nginx config:

```
http {
  upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:8088;
    keepalive 2;
  }

  upstream vaultwarden-ws {
    zone vaultwarden-ws 64k;
    server 127.0.0.1:3012;
    keepalive 2;
  }

  server {
    server_name some.domain.com;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 128M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-ws;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header "Connection" "";
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}

    listen 443 ssl; # managed by Certbot
    ...
  }
```

Steps to reproduce

Log into web account / Account Settings / My Account / Deauthorize sessions / Send Code

Expected behaviour

Send email to confirm sessions deauthorize

Actual behaviour

Error above

Troubleshooting data

Log:
[2023-11-06 20:21:16.316][request][INFO] POST /api/accounts/request-otp
[2023-11-06 20:21:16.316][response][INFO] 404 Not Found

OVERLORD added the enhancement, bug labels 2026-02-05 01:40:09 +03:00

@MButcho commented on GitHub (Nov 6, 2023):

Other actions that require OTP have the same issue, like exporting vault


@BlackDex commented on GitHub (Nov 7, 2023):

Seems this only gets triggered when using `Login With Device` I think when looking at the Bitwarden client code.

Can you confirm this?


@MButcho commented on GitHub (Nov 7, 2023):

Correct, when using master password to log in, the export and deauthorize is possible


@BlackDex commented on GitHub (Nov 7, 2023):

Great thanks!


@BlackDex commented on GitHub (Nov 7, 2023):

Also, I would suggest to update your nginx config to not use port 3012 anymore, and remove those locations. Also, sending `Connect: Upgrade` all the time is probably not good.

Check the https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples for more details.
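
An added example, not part of the original thread or the project's wiki: the config posted in this issue reduced along the lines suggested above. It assumes Vaultwarden serves WebSocket notifications on its main HTTP port (as dropping port 3012 implies); `$connection_upgrade` is a variable name chosen here, and the upstream name, port and server name are copied from the posted config.

```nginx
http {
  # Send "Connection: upgrade" upstream only when the client actually asked
  # for a protocol upgrade. For ordinary requests send an empty value so
  # upstream keepalive connections keep working.
  # $connection_upgrade is a name chosen for this example.
  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
  }

  upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:8088;
    keepalive 2;
  }

  # The vaultwarden-ws upstream (127.0.0.1:3012) is removed.

  server {
    server_name some.domain.com;
    listen 443 ssl;  # certificate directives unchanged, omitted here

    client_max_body_size 128M;

    # Single location: the /notifications/hub and
    # /notifications/hub/negotiate blocks are removed.
    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }
  }
}
```

Validate with `nginx -t` before reloading.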


@BlackDex commented on GitHub (Nov 7, 2023):

I'm able to reproduce this, so now to find the correct solution to fix this.


@BlackDex commented on GitHub (Nov 7, 2023):

Ok, it looks like this needs SMTP to be enabled.
Without this, you can't export, deauthorize, and maybe more specific items, like purge vault etc.

With this feature a mail will be sent with a passcode which enables you to verify you are you when you used `Login with device` which was unlocked via either PIN or Biometrics.


@kqmaverick commented on GitHub (Nov 8, 2023):

I have SMTP enabled and still see this error.


@BlackDex commented on GitHub (Nov 8, 2023):

> I have SMTP enabled and still see this error.

That is correct, since the endpoints which are called are not supported by Vaultwarden.

But there could be people who do not have SMTP enabled for which this could be an issue.

Only way they can bypass is to log in without another device.


Reference: starred/vaultwarden#1756