iOS app complains "an error has occurred" when token expires #303

Closed
opened 2025-10-09 16:21:23 +03:00 by OVERLORD · 14 comments

Originally created by @tinythomasffm on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.32.5
  • Web-vault version: v2024.6.2c
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Alpine)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.47.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "XXX Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************",
  "smtp_from_name": "XXX Vaultwarden",
  "smtp_host": "***************************************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.5

Deployment method

Official Container Image

Custom deployment method

official container image running on kubernetes (k3s)

Reverse Proxy

ingress-nginx, deployed via helm chart ingress-nginx-4.11.3 (latest)

Host/Server Operating System

Linux

Operating System Version

iOS

Clients

iOS

Client Version

2024.11.0 (1680)

Steps To Reproduce

  1. log in iOS app
  2. wait until token expires on server
  3. open/unlock iOS app

Expected Result

the sync should happen without any issues.

Actual Result

when trying to sync, iOS app throws "an error has occurred". Logging off in the app and re-login fixes the problem (until the next token expires).

Logs

[2024-12-08 11:58:10.616][request][INFO] GET /api/sync
[2024-12-08 11:58:10.617][vaultwarden::auth][ERROR] Token has expired
[2024-12-08 11:58:10.617][auth][ERROR] Unauthorized Error: Invalid claim
[2024-12-08 11:58:10.617][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
[2024-12-08 11:58:10.617][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized

Screenshots or Videos

No response

Additional Context

No response

OVERLORD added the bug label 2025-10-09 16:21:23 +03:00

@tinythomasffm commented on GitHub:

no HA setup. Nothing configured about rsa key storage, so /data/rsa_key.pem


@BlackDex commented on GitHub:

Do you have a HA setup?
Where is the rsa key stored?


@tinythomasffm commented on GitHub:

forgot to mention: macos browser plugins, web vault work without issues.


@BlackDex commented on GitHub:

I can't reproduce this at all.
I used an iOS device with the exact same version, changed the expire/lifetime to 10 minutes to make my life easier.
But, I do get the same error message, but it will still be logged in and syncing after getting a new refresh token.

I'll leave it for longer now and see what happens.
But I suspect maybe your reverse proxy is modifying responses to error pages like 401 etc... and only passes on 3xx and 2xx unmodified.


@BlackDex commented on GitHub:

And /data is a persistent volume?


@tinythomasffm commented on GitHub:

> And /data is a persistent volume?

yes.


@tinythomasffm commented on GitHub:

> Maybe your reverse proxy setup has been updated too? Or K8s with some changes which could cause this.

I'm just checking that. The nginx helm chart I am using was updated to that version on Oct 8 - I cannot totally exclude that the issue came with that update, checking changelogs of that now.


@BlackDex commented on GitHub:

Maybe your reverse proxy setup has been updated too?
Or K8s with some changes which could cause this.


@tinythomasffm commented on GitHub:

vaultwarden is deployed as a statefulset, the volume is persistent across container restarts


@tinythomasffm commented on GitHub:

> I can't reproduce this at all. I used an iOS device with the exact same version, changed the expire/lifetime to 10 minutes to make my life easier. But, I do get the same error message, but it will still be logged in and syncing after getting a new refresh token.
>
> I'll leave it for longer now and see what happens. But I suspect maybe your reverse proxy is modifying responses to error pages like 401 etc... and only passes on 3xx and 2xx unmodified.

That could be. But I only noticed this now, I'm using this setup (with older version of vaultwarden) for a long time and it just came up these days. Really strange.


@tinythomasffm commented on GitHub:

I disabled the 401 custom error message and it seems to work now. I have no idea how it could have worked before, as these were in place the whole time… I'll watch it a little longer, but I feel this is not an issue with vaultwarden. Thanks for looking into this!

On 08.12.2024 at 15:05, Mathijs van Veluw wrote:

> Well, I tested it just now after waiting a very long time, and having the token only valid for 10 minutes, I was still able to sync without any issue at all.
> I do not know if something else may have changed on the reverse proxy. Maybe there were some bugs or fixes which caused it not to happen before.
> I'm just not able to reproduce it myself.


@BlackDex commented on GitHub:

Well, I tested it just now after waiting a very long time, and having the token only valid for 10 minutes, I was still able to sync without any issue at all.

I do not know if something else may have changed on the reverse proxy. Maybe there were some bugs or fixes which caused it not to happen before.

I'm just not able to reproduce it myself.


@tinythomasffm commented on GitHub:

But wouldn't that issue then hit the browser plugins as well?
They work without problems.


@tinythomasffm commented on GitHub:

Hmm.. the nginx setup does indeed use custom error pages for 401, 403, 404, 500, 501, 502, 503.
I will remove 401 from that list and see if it fixes the issue. But I still wonder why this came up now - these error redirects were in place all the time and I never noticed anything.

Will check that out.

Reference: starred/vaultwarden#303
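
The two outcomes described in this thread (an expired-token 401 after which the client refreshes and keeps syncing, versus one after which it never recovers) can be told apart from the server log. The following is an added example, not part of the original thread or of Vaultwarden's code: it flags every `Token has expired` event that is not followed by a successful token refresh within a time window. The refresh request `POST /identity/connect/token`, the `(login)` route label and every log line after the first three are assumptions constructed for illustration; the log carries no client identifier, so this is a time-window heuristic suited to a single-client or low-traffic instance.

```python
import re
from datetime import datetime, timedelta

# Line shape seen in the issue's log: [timestamp][target][LEVEL] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\]\s*(?P<msg>.*)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Assumption: the client renews its access token with this request.
REFRESH_REQUEST = "POST /identity/connect/token"

# The first three lines are taken from the issue; the rest are constructed.
SAMPLE_LOG = """\
[2024-12-08 11:58:10.616][request][INFO] GET /api/sync
[2024-12-08 11:58:10.617][vaultwarden::auth][ERROR] Token has expired
[2024-12-08 11:58:10.617][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
[2024-12-08 11:59:40.102][request][INFO] GET /api/sync
[2024-12-08 11:59:40.103][vaultwarden::auth][ERROR] Token has expired
[2024-12-08 11:59:40.103][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
[2024-12-08 11:59:40.412][request][INFO] POST /identity/connect/token
[2024-12-08 11:59:40.498][response][INFO] (login) POST /identity/connect/token => 200 OK
[2024-12-08 11:59:40.731][request][INFO] GET /api/sync
[2024-12-08 11:59:40.790][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
""".splitlines()


def parse(lines):
    """Yield (timestamp, target, message) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["target"], m["msg"]


def unrecovered_expiries(lines, window_seconds=30):
    """Return timestamps of expired-token rejections with no successful refresh in the window."""
    events = list(parse(lines))
    # Successful refreshes are response lines for the refresh request with a 200 status.
    refreshes = [
        ts for ts, target, msg in events
        if target == "response" and REFRESH_REQUEST in msg and "=> 200" in msg
    ]
    window = timedelta(seconds=window_seconds)
    return [
        ts for ts, target, msg in events
        if target == "vaultwarden::auth"
        and "Token has expired" in msg
        and not any(ts <= r <= ts + window for r in refreshes)
    ]


if __name__ == "__main__":
    for ts in unrecovered_expiries(SAMPLE_LOG):
        print(f"{ts}: expired token rejected and no refresh followed; "
              "check whether the reverse proxy replaces 401 responses")
```

A flagged timestamp means the server answered 401 correctly but no refresh came back, which is the point at which to inspect what the reverse proxy actually delivered to the client.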