mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-16 05:34:10 +03:00
AuthRequestResponse notification incorrectly sent to approving device, causing duplicate notification on Android #2533
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ivulit on GitHub (Feb 4, 2026).
Prerequisites
Vaultwarden Support String
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Config:
Vaultwarden Build Version
1.35.2
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
nginx 1.28.0
Host/Server Operating System
Linux
Operating System Version
Alpine Linux v3.23
Clients
Android
Client Version
Android 2026.1.0 (21141)
Steps To Reproduce
Expected Result
Device B shows no further notifications after approval. Device A receives the approval and completes login
Actual Result
Device B receives an AuthRequestResponse (type 16) push notification immediately after approving, which appears as a duplicate auth request notification on Android.
Logs
Screenshots or Videos
No response
Additional Context
Analysis
In put_auth_request (src/api/core/accounts.rs:1591-1592), two notification calls are made after approval:
ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, &headers.device, &conn).await;
ant.send_auth_response() sends through the anonymous WebSocket hub, keyed by auth_request_id — this correctly reaches only Device A (the requesting device).
nt.send_auth_response() does two things:
Both reach Device B (the approving device), which should not receive AuthRequestResponse at all.
Official Bitwarden server behavior
In the official server, PushAuthRequestResponseAsync (IPushNotificationService.cs:387-399) creates a single PushNotification with ExcludeCurrentContext = true.
This notification is routed through all push engines:
authenticated _hubContext. This is the key difference from AuthRequest (type 15), which is sent through _hubContext.Clients.User() (line 130).
(BuildTag, line 94) builds an exclusion tag !deviceIdentifier:{identifier}, preventing the push from reaching the approving device.
As a result, Device B receives nothing on the official server.
This analysis was conducted with the help of Claude (Anthropic).