Attachments are broken #993

Closed
opened 2026-02-04 23:33:28 +03:00 by OVERLORD · 10 comments

Originally created by @sempervictus on GitHub (Mar 26, 2021).

Subject of the issue

Attempting to upload attachments from any browser plugin or the electron app results in the app getting signed out immediately and no attachment uploaded.
Attempting to upload attachments through the bitwarden_rs-web interface results in an `m is null` error (which is interesting given that it's Rust). The session is immediately logged out.

Deployment environment

```
# pacman -Qi bitwarden_rs-web bitwarden_rs
Name            : bitwarden_rs-web
Version         : 2.19.0-1
Description     : Bitwarden web vault with the patches to make it work with bitwarden_rs
Architecture    : any
URL             : https://github.com/dani-garcia/bw_web_builds
Licenses        : GPL3
Groups          : None
Provides        : bitwarden_rs-vault
Depends On      : bitwarden_rs
Optional Deps   : None
Required By     : None
Optional For    : bitwarden_rs
Conflicts With  : None
Replaces        : bitwarden_rs-vault
Installed Size  : 27.13 MiB
Packager        : Daniel M. Capella <polyzen@archlinux.org>
Build Date      : Sun 14 Mar 2021 08:38:12 PM UTC
Install Date    : Wed 24 Mar 2021 06:01:38 AM UTC
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : Signature

Name            : bitwarden_rs
Version         : 1.19.0-1
Description     : Unofficial Bitwarden compatible server written in Rust
Architecture    : x86_64
URL             : https://github.com/dani-garcia/bitwarden_rs
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : mariadb-libs  openssl  postgresql-libs  sqlite
Optional Deps   : bitwarden_rs-web: for the web app [installed]
Required By     : bitwarden_rs-web
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 21.32 MiB
Packager        : Daniel M. Capella <polyzen@archlinux.org>
Build Date      : Sun 07 Feb 2021 02:13:56 AM UTC
Install Date    : Wed 24 Mar 2021 06:01:32 AM UTC
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature
```

  • Install method: package

  • Clients used: web vault, desktop, Android

  • Reverse proxy and version: Apache HTTPD 2.4.46-3

  • SQLite-backed

Steps to reproduce

Expected behaviour

Attachments work

Actual behaviour

Session crashes resulting in loss of any unsaved data and forcing a full auth back into the client context (app or web).


@BlackDex commented on GitHub (Mar 26, 2021):

Probably the DOMAIN variable is not configured correctly.
Could you post the support string from the `/admin/diagnostics` page?


@sempervictus commented on GitHub (Mar 26, 2021):

There is none - this is all there is on that page:

```
Bitwarden_rs Admin

    Settings
    Users
    Organizations
    Diagnostics
    Vault

Diagnostics
Version

Server Installed Update
    1.17.0
Server Latest
    1.19.0
Web Installed Ok
    2.19.0
Web Latest
    2.19.0

Checks

DNS (github.com) Ok
    140.82.114.4
Date & Time (UTC) Ok
    Server: 2021-03-25 21:27:54 Browser: 2021-03-25 21:27:54
```

^^ which shows the problem - the package installation doesn't restart the service so there's a version mismatch.
Thanks.
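
Added example (not part of the original thread, and not bitwarden_rs project code): the stale-service condition described in the comment above can be detected from `/proc`, because a process whose binary was replaced on disk typically shows ` (deleted)` at the end of its `/proc/PID/exe` link. The path `/usr/bin/bitwarden_rs`, the function names and the fake `/proc` tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find processes still executing a binary that a package
# upgrade replaced on disk, so the installed and running versions differ.

# stale_procs [PROC_ROOT]: print "PID<TAB>original path" per stale process.
stale_procs() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -L "$dir/exe" ] || continue
        # readlink fails for kernel threads, and for other users'
        # processes when not running as root; skip those.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)")
                path=${target%' (deleted)'}
                printf '%s\t%s\n' "${dir##*/}" "$path"
                ;;
        esac
    done
}

# needs_restart NAME [PROC_ROOT]: succeed if a stale process runs binary NAME.
needs_restart() {
    name=$1
    stale_procs "${2:-/proc}" |
        awk -F'\t' -v n="$name" '
            { sub(/.*\//, "", $2); if ($2 == n) found = 1 }
            END { exit !found }'
}

# Constructed sample: a fake /proc tree with one stale server process and
# one healthy proxy process (PIDs and paths are made up for the demo).
make_demo_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/268" "$root/301"
    ln -s "/usr/bin/bitwarden_rs (deleted)" "$root/268/exe"
    ln -s "/usr/bin/httpd" "$root/301/exe"
    printf '%s\n' "$root"
}

demo=$(make_demo_proc)
if needs_restart bitwarden_rs "$demo"; then
    echo "bitwarden_rs is running a replaced binary; restart the service"
fi
rm -rf "$demo"
```

On a real host, run `needs_restart bitwarden_rs` as root after a package upgrade and restart the service when it succeeds.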


@sempervictus commented on GitHub (Mar 26, 2021):

Turns out it's still broken:

```
Logged out
Your login session has expired.
An error has occurred.
m is null
```

Domain configuration and HTTPS show match in diagnostics (not looking to post the URL on github - sort of the point of a private server).


@sempervictus commented on GitHub (Mar 26, 2021):

The diagnostics page is incorrectly saying `Uses a proxy No` - there's an `httpd` in front of it dealing with TLS.


@BlackDex commented on GitHub (Mar 26, 2021):

That is what the support string function is for, so if you could post that, that would help.

Also, the proxy is a check for outgoing, I need to rephrase that.


@sempervictus commented on GitHub (Mar 26, 2021):

Your environment (Generated via diagnostics page)

  • Bitwarden_rs version: v1.19.0
  • Web-vault version: v2.19.0
  • Running within Docker: false
  • Internet access: true
  • Uses a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

```json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********.************.***",
  "domain_origin": "*****://*********.************.***",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Semper Victus",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "*********@************.***,*******@************.***",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "show_password_hint": true,
  "signups_allowed": true,
  "signups_domains_whitelist": "************.***,************.***,**************.***,*-****.***,**********.***,**********.***,************.***,*******.***,***********.***,**********.***",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "login",
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "*********@************.***",
  "smtp_from_name": "***********",
  "smtp_host": "***********.************.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "************",
  "templates_folder": "data/templates",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/usr/share/bitwarden_rs-web",
  "websocket_address": "127.0.0.1",
  "websocket_enabled": true,
  "websocket_port": 8098,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```


@sempervictus commented on GitHub (Mar 26, 2021):

The HTTPD proxy:

```
<VirtualHost *:443>
    ServerName REDACTED

    # allow for upgrading to websockets
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           ws://127.0.0.1:8098/$1 [P,L]

    <Location /admin*>
        Require ip <REDACTED>
    </Location>

    <Proxy *>
        Require all granted
    </Proxy>

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/

    ProxyPass /notifications/hub ws://127.0.0.1:8098/notifications/hub
    ProxyPassReverse /notifications/hub ws://127.0.0.1:8098/notifications/hub

    ErrorLog /var/log/httpd/bitwarden-error_log
    CustomLog /var/log/httpd/bitwarden-access_log common

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/current/<REDACTED>/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/current/<REDACTED>/key.pem
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    SSLCompression off
    SSLSessionTickets Off

</VirtualHost>
```


@BlackDex commented on GitHub (Mar 26, 2021):

The only thing missing is logs from bitwarden_rs during the upload and the error you get. Also maybe the Apache logs.

All the rest looks ok as far as I can tell.


@sempervictus commented on GitHub (Mar 26, 2021):

```
Mar 25 21:04:39 HOSTNAME bitwarden_rs[268]: [2021-03-25 21:04:39.327][response][INFO] GET /<p..> [10] (web_files) => 404 Not Found
```

I'm going to guess Apache is doing something stupid, digging through there, but can probably close this unless I find something pointing to the back-end.


@BlackDex commented on GitHub (Mar 26, 2021):

Not sure if you already checked the wiki, but take a look there.
And if you find anything wrong there feel free to update.

Reference: starred/vaultwarden#993