Event Log: Token has expired #312

Closed
opened 2025-10-09 16:22:13 +03:00 by OVERLORD · 4 comments
Originally created by @sbdiun on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.32.5
  • Web-vault version: v2024.6.2c
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Alpine)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: false (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: MySQL
  • Database version: 8.0.36
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, TRASH_AUTO_DELETE_DAYS, SIGNUPS_ALLOWED, ORG_CREATION_USERS, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": false,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://*******************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************************",
  "domain_origin": "*****://**********************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 30,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 72,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "*****************************,******************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "******************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "******",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

1.32.5

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Server version: Apache/2.4.62 (AlmaLinux) Server built: Aug 3 2024 00:00:00

Host/Server Operating System

Linux

Operating System Version

AlmaLinux 9.5

Clients

Web Vault, Browser Extension, CLI, Desktop

Client Version

2024.10.0

Steps To Reproduce

I have activated the organization event log on the server.

On a second host, I access data in Vaultwarden via Bitwarden CLI (bw) in Ansible using the community.general.bitwarden module.

This was logged in 11 days ago and remains connected so that several Ansible roles can run simultaneously.

The status is always “unlocked”.

Since this morning, this error appears every time the server is accessed:

[2024-11-26 10:47:32.643][vaultwarden::auth][ERROR] Token has expired
[2024-11-26 10:47:32.643][auth][ERROR] Unauthorized Error: Invalid claim
[2024-11-26 10:47:32.643][vaultwarden::api::core::events::_][WARN] Request guard Headers failed: “Invalid claim”.

and on the Ansible host “Event post failed”

Data access was still possible without any problems, but the events were then no longer recorded until I logged the user out and back in on the other host.

Expected Result

For me, either the log should always work as long as I have access, or access should be denied when the token has expired.

Actual Result

Data access is possible without restrictions
Event recording stops with error

Logs

[2024-11-26 10:47:32.643][request][INFO] POST /events/collect
[2024-11-26 10:47:32.643][vaultwarden::auth][ERROR] Token has expired
[2024-11-26 10:47:32.643][auth][ERROR] Unauthorized Error: Invalid claim
[2024-11-26 10:47:32.643][vaultwarden::api::core::events::_][WARN] Request guard `Headers` failed: "Invalid claim".
[2024-11-26 10:47:32.643][response][INFO] (post_events_collect) POST /events/collect application/json => 401 Unauthorized

Screenshots or Videos

No response

Additional Context

No response

OVERLORD added the bug label 2025-10-09 16:22:13 +03:00

@BlackDex commented on GitHub:

The client can refresh the auth token via a refresh token.
As mentioned in my previous comment, the clients can work offline without access to the internet since they have an offline copy of the data.


@BlackDex commented on GitHub:

To be fair, a token which can expire needs to be refreshed. The Ansible module isn't doing that, it's a fault on that side.

The Bitwarden CLI can still provide vault items since it had a local copy and works offline.

Allowing an expired token to still send events is a security risk in my opinion.


@sbdiun commented on GitHub:

Thanks for the explanation.
I'll close the case then.


@sbdiun commented on GitHub:

Ok, then the client should be logged out and in from time to time, and thus always use a new, fresh token.


Reference: starred/vaultwarden#312
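
A detection sketch for the condition reported in this thread, added here as an example and not taken from the issue or from Vaultwarden: it scans log text in the format quoted above for `POST /events/collect` requests rejected with `Token has expired` and reports the window during which organization events were not recorded. The sample log is constructed, the `=> 200 OK` line and the name `find_audit_gaps` are assumptions, and request and response lines are paired by order, which assumes little interleaving between concurrent requests.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the issue (not real server output).
SAMPLE_LOG = """\
[2024-11-26 10:47:32.643][request][INFO] POST /events/collect
[2024-11-26 10:47:32.643][vaultwarden::auth][ERROR] Token has expired
[2024-11-26 10:47:32.643][auth][ERROR] Unauthorized Error: Invalid claim
[2024-11-26 10:47:32.643][response][INFO] (post_events_collect) POST /events/collect application/json => 401 Unauthorized
[2024-11-26 10:52:10.101][request][INFO] POST /events/collect
[2024-11-26 10:52:10.102][vaultwarden::auth][ERROR] Token has expired
[2024-11-26 10:52:10.103][response][INFO] (post_events_collect) POST /events/collect application/json => 401 Unauthorized
[2024-11-26 11:05:00.000][request][INFO] POST /events/collect
[2024-11-26 11:05:00.004][response][INFO] (post_events_collect) POST /events/collect application/json => 200 OK
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>\w+)\] (?P<msg>.*)$")
RESP = re.compile(r"POST /events/collect .*=> (?P<status>\d{3})\b")

def find_audit_gaps(log_text):
    """Return windows in which event posts were rejected for an expired token."""
    gaps, current, expired_seen = [], None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        if m["target"] == "request":
            expired_seen = False          # a new request starts a new pairing
        elif m["target"] == "vaultwarden::auth" and "Token has expired" in m["msg"]:
            expired_seen = True
        elif m["target"] == "response" and (r := RESP.search(m["msg"])):
            if r["status"] == "401" and expired_seen:
                if current is None:       # first rejected post opens a gap
                    current = {"start": ts, "end": ts, "rejected": 0, "resumed": None}
                    gaps.append(current)
                current["end"] = ts
                current["rejected"] += 1
            elif r["status"].startswith("2") and current is not None:
                current["resumed"] = ts   # events are being accepted again
                current = None
            expired_seen = False
    return gaps

if __name__ == "__main__":
    print(find_audit_gaps(SAMPLE_LOG))
```

A gap whose `resumed` is still `None` means event posts are being rejected right now, which is the state the reporter was in until the CLI session was logged out and back in.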