Cannot configure 2FA using OTP / Yubikey/ U2F #870

Closed
opened 2026-02-04 23:09:20 +03:00 by OVERLORD · 7 comments
Owner

Originally created by @o2droid on GitHub (Nov 24, 2020).

Cannot configure 2FA using OTP / Yubikey/ U2F

I cannot configure any of those 2FA methods. After trying to save changes, I'm logged out with the error "Unexpected error occured" and "Your login session has expired". I also cannot log in to the Android app, as it times me out just after login.

Your environment

Debian 10.6, docker installed using apt

  • Bitwarden_rs version: docker image, latest (2.16.1)
  • Install method: using bitwarden_rs wiki
  • Clients used: Firefox, Edge
  • Reverse proxy and version: apache with location redirect (also tried without)
  • Version of mysql/postgresql: N/A
  • Other relevant information: Bitwarden RS run options:
    -e YUBICO_CLIENT_ID=########### -e YUBICO_SECRET_KEY=########### -e ADMIN_TOKEN=########### -e LOG_FILE=/data/bitwarden.log -e SMTP_HOST=smtp.gmail.com -e SMTP_FROM=########### -e SMTP_PORT=587 -e SMTP_USERNAME=########### -e SMTP_PASSWORD=########### -e SMTP_SSL=true -e SMTP_AUTH_MECHANISM="Plain","Login","Xoauth2" -e DOMAIN=https://###########/bw -e EXTENDED_LOGGING=true -e LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" -e TZ=Europe/Warsaw -p 880:80 bitwardenrs/server:latest

Steps to reproduce

Just try to configure 2FA.

Expected behaviour

2FA should be configured

Actual behaviour

I'm logged out with the error "Unexpected error occured" and "Your login session has expired".

Relevant logs

No additional logs.

OVERLORD added the question, troubleshooting labels 2026-02-04 23:09:20 +03:00
Author
Owner

@BlackDex commented on GitHub (Nov 26, 2020):

Could you provide a bit more details? Like the logging during this error? That would help.

Author
Owner

@o2droid commented on GitHub (Nov 26, 2020):

I checked it once again, looking also at all Apache proxy logs, and found the issue: I forgot that I'm using ModSecurity for my installation. It turned out that one of the default rules blocked requests with the PUT method, which is non-standard. I added a whitelist by putting SecRuleRemoveById 911100 in the Apache conf location for BitWarden_RS.

Maybe it is worth adding this to some FAQ. Also, is it possible to use POST instead of PUT?

Author
Owner

@jjlin commented on GitHub (Nov 26, 2020):

PUT is totally standard, as is DELETE, which you'll also need to allow. If you're going to run a WAF, it's your responsibility to make sure your rules are appropriate for the applications you run.

Author
Owner

@o2droid commented on GitHub (Nov 26, 2020):

> PUT is totally standard, as is DELETE, which you'll also need to allow. If you're going to run a WAF, it's your responsibility to make sure your rules are appropriate for the applications you run.

Thanks, you're right. I just forgot that I'm running a WAF (for a long time now), which is why it might be worth mentioning on the wiki.
For which operations could DELETE be required?

Author
Owner

@BlackDex commented on GitHub (Nov 26, 2020):

For deleting entries, users, orgs, collections, etc...

Author
Owner

@o2droid commented on GitHub (Nov 26, 2020):

> For deleting entries, users, orgs, collections, etc...

Just checked: it seems that deleting an entry is done using a PUT request :)

Author
Owner

@BlackDex commented on GitHub (Nov 28, 2020):

Um, I don't know where you are seeing that, but there are definitely DELETE requests, so I think adding DELETE to the allow list is needed.
Like the following, for example, to delete a folder:
https://github.com/dani-garcia/bitwarden_rs/blob/be1ddb4203d47331a141a8916c7067c8be7ebd3d/src/api/core/folders.rs#L98

Methods used are: POST, GET, PUT, DELETE.

Anyway, I'm going to close this ticket, since this is not an issue with bitwarden_rs.

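The thread above boils down to a ModSecurity Core Rule Set (CRS) method-enforcement rule (id 911100) rejecting the PUT and DELETE requests that bitwarden_rs/vaultwarden uses. The reporter's fix, removing rule 911100 inside the Bitwarden location, works but switches method enforcement off entirely for that path. The following Apache configuration is an added example, not part of the original thread or of the vaultwarden project; it shows that weak fix beside a scoped alternative that keeps rule 911100 active and only extends the CRS allowed-method list for the Bitwarden path. The `/bw` path and the `-p 880:80` backend come from the reporter's run options; the rule id 10001 is an assumed local id chosen from the range CRS leaves free for site-specific rules, and the paths to `mod_security` and CRS are assumed to already be loaded at server level.

```apache
# ---------------------------------------------------------------------------
# Weak variant (what the reporter did): disables CRS method enforcement
# for the whole Bitwarden path. Any HTTP method then passes rule 911100,
# not just the PUT and DELETE the application actually needs.
# ---------------------------------------------------------------------------
# <Location "/bw">
#     SecRuleRemoveById 911100
#     ProxyPass        "http://127.0.0.1:880/bw"
#     ProxyPassReverse "http://127.0.0.1:880/bw"
# </Location>

# ---------------------------------------------------------------------------
# Scoped variant: keep rule 911100, but widen the allowed-method list that
# it checks (tx.allowed_methods, CRS default "GET HEAD POST OPTIONS") only
# for this location. The action runs in phase 1, before 911100 evaluates
# the request in phase 2, so the override is seen by the enforcement rule.
# id 10001 is an assumed site-local rule id (CRS reserves 1-99,999 for
# local rules); pick any unused id in that range.
# ---------------------------------------------------------------------------
<Location "/bw">
    SecRuleEngine On

    SecAction \
        "id:10001,\
        phase:1,\
        nolog,\
        pass,\
        t:none,\
        setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"

    # Reverse proxy to the container published on host port 880
    # (from the reporter's `-p 880:80` run option).
    ProxyPass        "http://127.0.0.1:880/bw"
    ProxyPassReverse "http://127.0.0.1:880/bw"
</Location>
```

After reloading Apache, a blocked PUT or DELETE shows up in the ModSecurity audit log as a 911100 "Method is not allowed by policy" entry; once the scoped override is in place those entries should stop for `/bw` while methods such as TRACE or CONNECT remain denied there, and every other location keeps the CRS default list untouched.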
Reference: starred/vaultwarden#870