Invalid or expired admin JWT #419

Closed
opened 2026-02-04 20:25:20 +03:00 by OVERLORD · 4 comments

Originally created by @rhd on GitHub (Sep 15, 2019).

Hi,

I recently had a drive failure and I had to restore the bitwarden data dir. I'm not using the bitwardenrs/server image. I have 2FA enabled and I am unable to log in after I enter the token. It kicks me out saying the "login has expired". The logs say:

```
[2019-09-14 16:44:44][_][INFO] Outcome: Success
[2019-09-14 16:44:44][_][INFO] Response succeeded.
[2019-09-14 16:44:45][rocket::rocket][INFO] GET /alive:
[2019-09-14 16:44:45][_][INFO] Matched: GET /alive (alive)
[2019-09-14 16:44:45][_][INFO] Outcome: Success
[2019-09-14 16:44:45][_][INFO] Response succeeded.
[2019-09-14 16:44:46][rocket::rocket][INFO] GET /api/accounts/revision-date application/json:
[2019-09-14 16:44:46][_][INFO] Matched: GET /api/accounts/revision-date (revision_date)
[2019-09-14 16:44:46][bitwarden_rs::auth][ERROR] Unauthorized Error: Invalid claim
[2019-09-14 16:44:46][_][INFO] Outcome: Failure
[2019-09-14 16:44:46][_][WARN] Responding with 401 Unauthorized catcher.
[2019-09-14 16:44:46][_][INFO] Response succeeded.
[2019-09-14 16:44:57][rocket::rocket][INFO] POST /identity/connect/token application/x-www-form-urlencoded; charset=utf-8:
[2019-09-14 16:44:57][_][INFO] Matched: POST /identity/connect/token (login)
[2019-09-14 16:44:57][bitwarden_rs::api::identity][INFO] User xxx@gmail.com logged in successfully. IP: 172.17.0.1
[2019-09-14 16:44:57][_][INFO] Outcome: Success
[2019-09-14 16:44:57][_][INFO] Response succeeded.
[2019-09-14 16:44:58][rocket::rocket][INFO] POST /notifications/hub/negotiate text/plain; charset=UTF-8:
[2019-09-14 16:44:58][_][INFO] Matched: POST /notifications/hub/negotiate (negotiate)
[2019-09-14 16:44:58][bitwarden_rs::auth][ERROR] Unauthorized Error: Invalid claim
```

Ok, so I figured I could enable the admin interface, I set the ADMIN_TOKEN and when I go to /admin and type in the token, it doesn't let me in. The log states:

```
[2019-09-14 16:47:55][_][INFO] Outcome: Forward
[2019-09-14 16:47:55][_][INFO] Matched: GET /admin [2] (admin_login)
[2019-09-14 16:47:55][_][INFO] Outcome: Success
[2019-09-14 16:47:55][_][INFO] Response succeeded.
[2019-09-14 16:47:56][rocket::rocket][INFO] GET /bwrs_static/bootstrap.css text/css:
[2019-09-14 16:47:56][rocket::rocket][INFO] GET /bwrs_static/identicon.js:
[2019-09-14 16:47:56][_][INFO] Matched: GET /bwrs_static/<filename> (static_files)
[2019-09-14 16:47:56][_][INFO] Matched: GET /bwrs_static/<filename> (static_files)
[2019-09-14 16:47:56][_][INFO] Outcome: Success
[2019-09-14 16:47:56][_][INFO] Outcome: Success
[2019-09-14 16:47:56][rocket::rocket][INFO] GET /bwrs_static/bootstrap-native-v4.js:
[2019-09-14 16:47:56][rocket::rocket][INFO] GET /bwrs_static/md5.js:
[2019-09-14 16:47:56][_][INFO] Matched: GET /bwrs_static/<filename> (static_files)
[2019-09-14 16:47:56][_][INFO] Outcome: Success
[2019-09-14 16:47:56][_][INFO] Matched: GET /bwrs_static/<filename> (static_files)
[2019-09-14 16:47:56][_][INFO] Response succeeded.
[2019-09-14 16:47:56][_][INFO] Response succeeded.
[2019-09-14 16:47:56][_][INFO] Outcome: Success
[2019-09-14 16:47:56][_][INFO] Response succeeded.
[2019-09-14 16:47:56][_][INFO] Response succeeded.
[2019-09-14 16:47:58][rocket::rocket][INFO] POST /admin application/x-www-form-urlencoded:
[2019-09-14 16:47:58][_][INFO] Matched: POST /admin (post_admin_login)
[2019-09-14 16:47:58][_][INFO] Outcome: Success
[2019-09-14 16:47:58][_][INFO] Response succeeded.
[2019-09-14 16:47:58][rocket::rocket][INFO] GET /admin text/html:
[2019-09-14 16:47:58][_][INFO] Matched: GET /admin (admin_page)
[2019-09-14 16:47:58][bitwarden_rs::api::admin][ERROR] Invalid or expired admin JWT. IP: 172.17.0.1
```

I've tried restoring several versions of the database all with the same result. I'm stuck here. Can anyone provide any guidance or have any thoughts? The FF extension is unable to log in as well - gives the same error after I type in the token. I have verified the date in the VM is the same as my PC. I have also set DOMAIN=https://my.domain.com (with my actual domain) as I use a reverse proxy - doesn't help.

Out of ideas...

Thanks!


@rhd commented on GitHub (Sep 15, 2019):

I just enabled signups and created a new user. The user creation works as expected but when I tried to sign in with that user, I got the same failure. Obviously, the new user doesn't have 2FA enabled. The issue doesn't seem related to 2FA.


@rhd commented on GitHub (Sep 15, 2019):

A follow up. The original backup I did was using crashplan. I restored from several different points in time - going back months. It turns out I also had a duplicati backup.

For some reason, the crashplan restore wasn't restoring the following files

```
db.sqlite3-shm
db.sqlite3-wal
rsa_key.der
rsa_key.pem
```

Maybe it was a permissions problem - not sure. But the duplicati backup, thankfully, was able to restore all these files (although it took several hours - soooooooo slow). But now I can log in and all works fine.

My question is - should I have been able to recover from this? Or did the incomplete restore leave me in a state that should not be possible to recover from?


@dani-garcia commented on GitHub (Sep 15, 2019):

The error is weird but it might be caused by corrupted rsa_key files. Those handle the login token signing and can be deleted without any important side effects, it will just log out all users until they log back in again.

The other two db files work in conjunction with the main db.sqlite file. The wal file contains the most recent data before it's written to the main db file, so deleting it might cause some data loss. Not sure what the shm file does but I assume something similar to the wal file.

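The point made in this comment about the wal file, shown as an added example (not code from vaultwarden or from anyone in this thread): a SQLite database in WAL mode keeps committed writes in `db.sqlite3-wal` until a checkpoint folds them into `db.sqlite3`, so a backup tool that copies only the main file silently drops the most recent data. The script builds a throwaway database with a hypothetical `items` table and constructed rows, commits two rows before switching to WAL mode and two more after, then "restores" it twice: once with the main file alone and once with the wal file as well. Standard library only; the table name, row values and directory layout are all assumptions for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data; the table name "items" is hypothetical and is not
# vaultwarden's schema.
OLD_ROWS = ["item-1", "item-2"]   # committed before WAL mode: live in db.sqlite3
NEW_ROWS = ["item-3", "item-4"]   # committed in WAL mode: live in db.sqlite3-wal


def build_source(src_dir):
    """Create db.sqlite3 in src_dir and return the still-open connection.

    Keeping the connection open matters: closing the last connection triggers a
    checkpoint that would empty the wal file, which is not what a backup taken
    from a running server sees.
    """
    path = os.path.join(src_dir, "db.sqlite3")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [(n,) for n in OLD_ROWS])
    conn.commit()  # rollback-journal mode: these rows are in the main file now
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError("could not switch to WAL mode: " + mode)
    conn.execute("PRAGMA wal_autocheckpoint=0")  # disable automatic checkpoints
    conn.executemany("INSERT INTO items VALUES (?)", [(n,) for n in NEW_ROWS])
    conn.commit()  # these rows are only in db.sqlite3-wal until a checkpoint
    return conn


def count_rows(db_path):
    """Open a (restored) database read-only in the ordinary way and count rows."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT count(*) FROM items").fetchone()[0]
    finally:
        conn.close()


def simulate_restore(copy_wal):
    """Copy db.sqlite3 (and db.sqlite3-wal when copy_wal is True) into a fresh
    'restore' directory and return how many rows the restored database holds.
    The -shm file is deliberately not copied: SQLite rebuilds it from the wal."""
    root = tempfile.mkdtemp(prefix="wal-restore-demo-")
    src_dir = os.path.join(root, "source")
    dst_dir = os.path.join(root, "restore")
    os.makedirs(src_dir)
    os.makedirs(dst_dir)
    live = build_source(src_dir)
    try:
        names = ["db.sqlite3", "db.sqlite3-wal"] if copy_wal else ["db.sqlite3"]
        for name in names:
            shutil.copyfile(os.path.join(src_dir, name), os.path.join(dst_dir, name))
        return count_rows(os.path.join(dst_dir, "db.sqlite3"))
    finally:
        live.close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("rows after restoring db.sqlite3 only:      ", simulate_restore(False))
    print("rows after restoring db.sqlite3 + -wal:    ", simulate_restore(True))
```

The first call returns the two pre-WAL rows only, the second all four, which is exactly the "deleting it might cause some data loss" case above. For a live server the safer backup is a consistent snapshot taken through SQLite itself (for example `sqlite3 db.sqlite3 ".backup /path/out.sqlite3"`), which folds the wal contents into the copy rather than relying on the file-level copier to pick up all three files.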

@rhd commented on GitHub (Sep 22, 2019):

@dani-garcia thanks. I guess we'll chalk this up to bad rsa_key files. I did a test where I deleted all of the rsa_key.* (including the public) and things worked as expected. I'm going to close this issue.

Thanks!

Reference: starred/vaultwarden#419