data breach report broken with current webvault #199

Closed
opened 2026-02-04 18:25:53 +03:00 by OVERLORD · 8 comments

Originally created by @tycho on GitHub (Jan 20, 2019).

The current git version (and v2.9.0 release I believe) of the web vault uses this request to get the Have I Been Pwned breach report:

https://bitwarden.example.com/api/hibp/breach?username=username@example.com

Right now bitwarden_rs doesn't know how to respond to this, so it just causes a 500 error response.

I saw this on Reddit, where the Bitwarden developer explains that the HIBP API changed so now the HIBP query happens on the Bitwarden server side:

https://old.reddit.com/r/Bitwarden/comments/ahm5wc/haveibeenpwned_breached_account_lookups_denied/


@dani-garcia commented on GitHub (Jan 20, 2019):

I've added this in https://github.com/dani-garcia/bitwarden_rs/commit/a79745956025de9d3c859f6eec9eb329f2717c24, but I'm getting 403s from the server, I'm not sure if it's only me though.

According to https://haveibeenpwned.com/API/v2#UserAgent and https://haveibeenpwned.com/API/v2#Authentication, the only thing that needs to be done is setting the User-Agent, so I don't know if the problem is that it doesn't work or that I got temporarily blocked while testing the service.

[Upstream](https://github.com/bitwarden/server/commit/7f9d9793463d1d76ef673d2dfb8d941977bb8214) also sets an API key, client id and client IP, but the documentation doesn't mention anything about those three.

I'd appreciate if someone can give it a test to see if the problem is on my side only.


@tycho commented on GitHub (Jan 20, 2019):

Looks good to me:

```
2019-01-20 07:31:11][rocket::rocket][INFO] GET /api/hibp/breach?username=username@example.com application/json:
2019-01-20 07:31:11][_][INFO] Matched: GET /api/hibp/breach?<username> (hibp_breach)
2019-01-20 07:31:11][rocket::rocket][INFO] GET /api/hibp/breach?username=username@example.com application/json:
2019-01-20 07:31:11][_][INFO] Matched: GET /api/hibp/breach?<username> (hibp_breach)
2019-01-20 07:31:11][reqwest::async_impl::response][DEBUG] Response: 200 OK for https://haveibeenpwned.com/api/v2/breachedaccount/username@example.com
2019-01-20 07:31:11][reqwest::async_impl::response][DEBUG] Response: 200 OK for https://haveibeenpwned.com/api/v2/breachedaccount/username@example.com
2019-01-20 07:31:11][tokio_reactor][DEBUG] dropping I/O source: 0
2019-01-20 07:31:11][tokio_reactor][DEBUG] dropping I/O source: 0
2019-01-20 07:31:11][_][INFO] Outcome: Success
2019-01-20 07:31:11][_][INFO] Outcome: Success
2019-01-20 07:31:11][_][INFO] Response succeeded.
2019-01-20 07:31:11][_][INFO] Response succeeded.
```

I wonder if the API key is needed if you exceed a certain number of requests?


@dani-garcia commented on GitHub (Jan 20, 2019):

Great, thanks for testing it!

Yeah, that may be it, but it's strange, usually when you hit a rate limit the code is `429 Too Many Requests` and I was getting `403 Forbidden`.

Oh well. At least we know the code works, so this can be closed.
PD: It's a bit strange that the vault 2.9.0 is already deployed, but not released in GitHub.

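To make the behaviour discussed in this thread concrete (the vault calling `/api/hibp/breach?username=...`, the server forwarding the lookup to haveibeenpwned.com with a `User-Agent`, and the difference between a `403` and a `429` from upstream), here is an added Python sketch. It is not bitwarden_rs code (the project is written in Rust) and not Bitwarden's upstream implementation; the `User-Agent` string is a placeholder, the HTTP transport is injected and backed by constructed canned responses so it runs offline, and the treatment of `404` as "no breaches" is an assumption about the HIBP v2 API rather than something the thread states.

```python
"""Server-side HIBP breach lookup with explicit upstream status mapping.

Added example: a sketch of the endpoint the thread talks about, showing how a
server can percent-encode the user-supplied account, send the User-Agent the
HIBP v2 docs ask for, and turn upstream status codes into something better
than the bare 500 the issue reports.  The transport is injected so the logic
can be exercised against constructed responses without network access.
"""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple
from urllib.parse import quote

# Endpoint as it appears in the log posted in the thread; the User-Agent is a placeholder.
HIBP_BASE = "https://haveibeenpwned.com/api/v2/breachedaccount/"
USER_AGENT = "example-vault-breach-proxy/0.1 (placeholder)"

# (url, request headers) -> (status, response headers, body)
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


@dataclass
class ProxyResponse:
    status: int  # status the vault client receives
    body: Any    # JSON-serialisable payload


def upstream_url(account: str) -> str:
    """Build the upstream URL, percent-encoding the whole account string.

    safe="" also encodes '/', '?' and '#', so a crafted username cannot alter
    the path or query of the request the server makes on the user's behalf.
    """
    return HIBP_BASE + quote(account, safe="")


def breach_report(account: str, transport: Transport) -> ProxyResponse:
    """Query HIBP and translate its status codes instead of surfacing a bare 500."""
    status, headers, body = transport(
        upstream_url(account),
        {"User-Agent": USER_AGENT, "Accept": "application/json"},
    )
    if status == 200:
        return ProxyResponse(200, json.loads(body))
    if status == 404:
        # Assumption (HIBP v2 behaviour): 404 means the account appears in no breach.
        return ProxyResponse(200, [])
    if status == 429:
        # Rate limited upstream: relay the back-off hint so the client can retry later.
        return ProxyResponse(429, {"message": "HIBP rate limit reached",
                                   "retry_after": headers.get("Retry-After")})
    if status == 403:
        # The 403 seen in the thread: a rejected request (e.g. User-Agent) or a block,
        # not a rate limit, so report it as an upstream problem rather than a client one.
        return ProxyResponse(502, {"message": "HIBP refused the request (403); check User-Agent"})
    return ProxyResponse(502, {"message": f"unexpected HIBP status {status}"})


# Constructed canned responses standing in for haveibeenpwned.com.
CANNED = {
    upstream_url("breached@example.com"): (200, {}, json.dumps([{"Name": "ExampleBreach"}])),
    upstream_url("clean@example.com"): (404, {}, ""),
    upstream_url("busy@example.com"): (429, {"Retry-After": "2"}, ""),
    upstream_url("blocked@example.com"): (403, {}, ""),
}


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Offline stand-in for the HTTP client; insists on the header HIBP v2 required."""
    assert "User-Agent" in headers, "HIBP v2 rejects requests without a User-Agent"
    return CANNED.get(url, (500, {}, ""))


if __name__ == "__main__":
    for who in ("breached", "clean", "busy", "blocked"):
        print(who, breach_report(f"{who}@example.com", fake_transport))
```

Two points worth keeping in mind when wiring something like this up for real: the account string comes straight from the client, so it has to be encoded as a single path segment before it is placed in the upstream URL, and a `403` from upstream is not the same as a `429`, so logging which one you got (as the thread's reqwest debug output does) is what tells you whether to fix the request or to back off. Later versions of the HIBP API (v3) made an API key mandatory, so the "only the User-Agent is needed" observation in this thread applies to v2 as documented at the time.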

@tycho commented on GitHub (Jan 20, 2019):

Yes, it is strange. I think maybe the developer just forgot to `git push --tags`.


@mprasil commented on GitHub (Jan 20, 2019):

I think upstream Vault basically runs on master and 2.9.0 will be released later on. That was my experience in the past.


@d19dotca commented on GitHub (Feb 24, 2019):

Are we waiting on 2.9.0 master to be released then before this is actually fixed for bitwarden_rs web vault? Or am I missing something in the latest bitwarden_rs build? I ask because I am still running into this issue but see this reported issue as "closed" already.


@dani-garcia commented on GitHub (Feb 24, 2019):

I created a vault build that should contain the breach fixes last week (https://github.com/dani-garcia/bw_web_builds/releases), but I marked it as prerelease waiting for the 2.9.0 release. Currently, the docker images don't use it, but maybe we should switch over anyway, seeing as the official vault is already using 2.9.0.


@d19dotca commented on GitHub (Feb 26, 2019):

I agree, I think if we can use the latest code from the bitwarden/web project, it should be fixed then. It's not an issue in the main bitwarden project anymore (it used to be for a short bit though after hibp changed its API around).

Reference: starred/vaultwarden#199