Data breach option from web vault gives 401 #1773

Closed
opened 2025-10-09 17:29:44 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @manofthepeace on GitHub.

Subject of the issue

Using webvault 2.13.1, when using data breach report, I always get a 401 unauthorized error. HIBP_API_KEY is set properly, and works for exposed passwords report. I cannot say if it worked with older version or older vault as I just got a hibp key.

I did try to restart bitwarden_rs and also log out and back in in the web vault but same thing happens. Tested with Firefox and Chrome.

Your environment

  • Bitwarden_rs version: 1.14
  • Install method: built from source
  • Clients used: web-vault 2.13.1
  • Reverse proxy and version: apache
  • Version of mysql/postgresql: sqlite3

Steps to reproduce

1-go to web-vault 2.13.1, #/tools/breach-report
2-enter an email address in the box, or username
3-Click check breaches

Expected behaviour

Should get the report instead of the error.

Actual behaviour

Getting a 401 in the logs and the UI is showing a red error popup "An unexpected error has occurred"

Relevant logs

2020-03-14 12:20:24][error][ERROR] ReqError.
[CAUSE] Error(
    Status(
        401,
    ),
    "https://haveibeenpwned.com/api/v3/breachedaccount/<EMAIL>?truncateResponse=false&includeUnverified=false",
Author
Owner

@manofthepeace commented on GitHub:

Ok false alert, sorry for the noise. There was an extra char in the key I did input in the env file. What misled me was the fact that the check from within the mobile app, and also the exposed password report from web-vault worked.

Also curl was working fine with my key, but the extra char was not there.

I did look at the code, I saw that the key seemed to be added to the header properly, and if the key was missing I would get something like this.

{ "statusCode": 401, "message": "Access denied due to missing hibp-api-key." }

Still unsure how other functionalities were working, but maybe it's the only one that actually needs the api key.

Thank you.
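An added example, not part of the original thread or of the bitwarden_rs code: a small Python check that lists unexpected characters in the HIBP_API_KEY line of an env file without echoing the key, which is one way to catch the kind of extra character described above. The function name `audit_env_value`, the sample file contents and the rule that a key holds only ASCII letters and digits are assumptions made for this illustration.

```python
import re
import unicodedata

# Constructed sample env file. The key is a placeholder, and a zero-width
# space (U+200B) follows it, invisible in most editors and terminals.
SAMPLE_ENV = (
    "DOMAIN=https://vault.example.test\n"
    "HIBP_API_KEY=0123456789abcdef0123456789abcdef\u200b\n"
)


def audit_env_value(env_text, name="HIBP_API_KEY"):
    """Report unexpected characters in the raw value of `name`.

    Assumption: a valid key contains only ASCII letters and digits.
    The value itself is never returned or printed, only offsets and
    code points, so the output is safe to paste into a bug report.
    """
    pattern = re.compile(r"\s*(?:export\s+)?" + re.escape(name) + r"\s*=(.*)")
    reports = []
    # Split on "\n" only, so a CR from CRLF line endings stays visible.
    for lineno, line in enumerate(env_text.split("\n"), start=1):
        match = pattern.fullmatch(line)
        if match is None:
            continue
        raw = match.group(1)
        odd = [
            (index, f"U+{ord(ch):04X}", unicodedata.name(ch, unicodedata.category(ch)))
            for index, ch in enumerate(raw)
            if not (ch.isascii() and ch.isalnum())
        ]
        reports.append({"line": lineno, "length": len(raw), "unexpected": odd})
    return reports


if __name__ == "__main__":
    for report in audit_env_value(SAMPLE_ENV):
        print(f"line {report['line']}: value length {report['length']}")
        for index, codepoint, label in report["unexpected"]:
            print(f"  offset {index}: {codepoint} {label}")
```

A value length that differs from the length of the key that works with curl, or any entry under `unexpected`, points at the env file rather than at the server code.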

Author
Owner

@BlackDex commented on GitHub:

Are you sure the api key is correct? Please double check in the /admin interface.

Only the email breach report needs the api key. The exposed passwords are free to use.

I don't have an api key so I can't check. But the code looks okay, just as the API documentation tells it to be.

Reference: starred/vaultwarden#1773