dani-garcia / vaultwarden


Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs

License: GNU Affero General Public License v3.0

Rust 86.36% Shell 0.71% Makefile 0.02% Python 0.32% Handlebars 11.11% Jinja 0.89% HCL 0.59%
vaultwarden bitwarden rust docker rocket hacktoberfest bitwarden-rs

vaultwarden's Introduction

Alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.

📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see #1642 for more explanation.



Image is based on Rust implementation of Bitwarden API.

This project is not associated with the Bitwarden project nor Bitwarden, Inc.

⚠️IMPORTANT⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.


Features

A basically full implementation of the Bitwarden API is provided, including:

  • Organizations support
  • Attachments and Send
  • Vault API support
  • Serving the static files for Vault interface
  • Website icons API
  • Authenticator and U2F support
  • YubiKey and Duo support
  • Emergency Access

Installation

Pull the docker image and mount a volume from the host for persistent storage:

docker pull vaultwarden/server:latest
docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest

This will preserve any persistent data under /vw-data/; you can adapt the path to whatever suits you.

IMPORTANT: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like Cannot read property 'importKey'. To solve this problem, you need to access the web vault via HTTPS or localhost.

This can be configured in vaultwarden directly or using a third-party reverse proxy (some examples).

If you have an available domain name, you can get HTTPS certificates with Let's Encrypt, or you can generate self-signed certificates with utilities like mkcert. Some proxies automatically do this step, like Caddy (see examples linked above).

Usage

See the vaultwarden wiki for more information on how to configure and run the vaultwarden server.

Get in touch

To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use GitHub Discussions or the forum.

If you spot any bugs or crashes with vaultwarden itself, please create an issue. Make sure you are on the latest version and there aren't any similar issues open, though!

If you prefer to chat, we're usually hanging around at #vaultwarden:matrix.org room on Matrix. Feel free to join us!

Sponsors

Thanks for your contribution to the project!

Chris Alfano
Numberly
IQ333777

vaultwarden's People

Contributors

blackdex, blocklisted, dani-garcia, djbrownbear, endyman, fbartels, geekcornergh, itr6, janost, jjlin, krankur, manofthepeace, mprasil, mqus, njfox, nneul, olivierillogika, pjsier, publicarray, realorangeone, shauder, sirux88, skeen, stefan0xc, step7750, tessus, themardy, theycallmesteve, vplme, ypid


vaultwarden's Issues

1password Import is Broken

Trying to import a 1password export (.1pif) file results in an error.

Docker logs show:

POST /api/ciphers/import application/json; charset=utf-8:
    => Matched: POST /api/ciphers/import
    => Warning: Data left unread. Force closing network stream.
    => Error: Couldn't parse JSON body: Error("EOF while parsing a string", line: 1, column: 1048576)
    => Outcome: Failure
    => Warning: Responding with 400 Bad Request catcher.
    => Error: Failed to write response: Os { code: 32, kind: BrokenPipe, message: "Broken pipe" }.

Official chat?

@ptman asked in #75 whether there's any official chat room for the project. I've just created #bitwarden_rs:matrix.org room on Matrix to get us started, just because I happen to use Matrix.

But is there any preference or interest on your side @dani-garcia? We should be able to link Matrix room with IRC quite easily for example.

Folder ID should not be tied directly to Cipher

When you read the documentation here: https://help.bitwarden.com/article/collections/

There's a note:

Collections are different than folders. Collections are a way to organize items and control user access within an organization’s vault while folders are a way for individual users to organize items within their own personal vault. An individual user may wish to further organize the items being shared with them in their own vault into a personalized folder structure that makes sense just for them.

This means that Folders are per-user organization. This is only an issue once you start using Organization ciphers, as they are shared and one user changing the folder would affect all other users. There probably needs to be some CipherInFolder mapping, and we need to return the folder ID of the Cipher depending on the user as well.

Add HTTP response headers for increased security

The web vault already contains an exhaustive CSP as a meta tag, but there are some more headers which should be set to protect the API and vault:

  1. Referrer-Policy=same-origin to avoid leaking the web vault's address to 3rd parties, see MDN: Referrer-Policy
  2. X-Frame-Options=SAMEORIGIN to prevent embedding of the web vault into malicious 3rd party sites ("clickjacking"), see MDN: X-Frame-Options
  3. X-Content-Type-Options=nosniff to prevent some browsers' content-based MIME type detection, see MDN: X-Content-Type-Options
  4. X-XSS-Protection=1; mode=block for inline-JS protection in some pre-CSP compatible browsers, see MDN: X-XSS-Protection

I'm currently setting those headers in a web facing nginx proxy, but it can't hurt to already amend the responses from the rust server properly.
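Added example, not vaultwarden's or Rocket's code: a std-only Rust audit that takes one response's raw headers (as pasted from curl -sI) and reports which of the four headers above are missing or carry another value. Accepting DENY and no-referrer as stricter alternatives is my assumption, not something the issue states.

```rust
// Added example: audit the hardening headers proposed in the issue.
// Not part of vaultwarden; it only uses the Rust standard library.
use std::collections::HashMap;

/// Header name and the values accepted for it. The first value is the one
/// the issue recommends; further values are stricter alternatives
/// (assumption: tighter policies should not be flagged as findings).
const REQUIRED: &[(&str, &[&str])] = &[
    ("Referrer-Policy", &["same-origin", "no-referrer"]),
    ("X-Frame-Options", &["SAMEORIGIN", "DENY"]),
    ("X-Content-Type-Options", &["nosniff"]),
    ("X-XSS-Protection", &["1; mode=block"]),
];

/// Canonical form for comparison: lowercase, trimmed, one space after each ';'.
fn normalize(value: &str) -> String {
    value
        .split(';')
        .map(|part| part.trim().to_ascii_lowercase())
        .collect::<Vec<_>>()
        .join("; ")
}

/// Parse "Name: value" lines into a map keyed by lowercase header name.
/// The status line (no colon) is skipped; a repeated header keeps its last value.
pub fn parse_headers(raw: &str) -> HashMap<String, String> {
    raw.lines()
        .filter_map(|line| line.split_once(':'))
        .map(|(name, value)| (name.trim().to_ascii_lowercase(), value.trim().to_string()))
        .collect()
}

/// One finding per header that is absent or set to a value outside the accepted list.
pub fn audit(headers: &HashMap<String, String>) -> Vec<String> {
    let mut findings = Vec::new();
    for (name, accepted) in REQUIRED {
        match headers.get(&name.to_ascii_lowercase()) {
            None => findings.push(format!("missing {} (expected '{}')", name, accepted[0])),
            Some(got) if !accepted.iter().any(|a| normalize(a) == normalize(got)) => {
                findings.push(format!("{}: got '{}', expected '{}'", name, got, accepted[0]))
            }
            Some(_) => {}
        }
    }
    findings
}

/// Convenience wrapper: audit a raw header block directly.
pub fn audit_raw(raw: &str) -> Vec<String> {
    audit(&parse_headers(raw))
}

fn main() {
    // Constructed sample response: one header wrong, one present, two absent.
    let sample = "HTTP/1.1 200 OK\r\n\
                  Content-Type: text/html\r\n\
                  X-Frame-Options: ALLOWALL\r\n\
                  X-Content-Type-Options: nosniff\r\n";
    for finding in audit_raw(sample) {
        println!("{}", finding);
    }
}
```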

When editing the cipher, can't change the folder to "No folder"

When editing cipher that's already in some folder, I can select No folder and click save.

Expected result is that the cipher will no longer be in any folder.

Actual result is that the folder setting isn't updated.

I think there's an extra check for None where it shouldn't be when updating the cipher, so when no folder id is provided in the post data (which is the case when selecting No folder) we don't update it. Might be a simple fix (I did something similar in the move handler), but first I need to check that it won't affect some other functionality.

Implement organizations [wip]

There's some ground work laid out already, let's track the progress here.
Endpoints to implement:

  • /api/organizations
  • /api/organizations/{orgId}/collections
  • /api/organizations/{orgId}/users
  • /organizations/{org_id}/collections/{coll_id}/users
  • /api/organizations/{orgId}/users/{orgUserId}/accept
  • /api/organizations/{orgId}/users/{orgUserId}/confirm
  • /api/organizations/{orgId}/users/invite
  • /api/organizations/users
  • /api/users/{userId}/public-key
  • /organizations/{org_id}/delete
  • /api/ciphers/{cipher_id}/collections-admin (#13)

Other changes:

  • /accounts/profile needs to list organizations for user
  • separate folder id from cipher to allow per-user folders (#10)
  • Respect the read_only bit when a user tries to modify a Cipher from a Collection
  • List all user Ciphers, including those from Collections the User has access to (#14)

How do I create an organization?

The web (vault?) client asks for payment when I'm trying to create an org.

Is there some place to discuss this project? On Matrix? IRC? Email list?

web vault

I have followed the build instructions and everything goes well until I try to run it. It complains about the web vault not being installed and to follow the directions. I downloaded the webvault, did npm install npx and moved the directory to the right folder.

Website icons won't show. (Only the fallback icon does)

Been testing a little still, and have noticed that items don't show an icon related to the site saved in them.

Looking at the dev console shows:
[screenshot]

I think there's a deeper issue though, as navigating to the link that's meant to be to the image doesn't display anything:
[screenshot]

This issue appears in the web vault, desktop and chrome browser clients.

Report Organization type as Enterprise or something less limited

I think we should report any Organization as Enterprise (5) to remove the artificial limits imposed by client applications for Free type. Just changing the Plan and PlanType fields doesn't seem to work however as we don't really return them outside of Organization creation. I'm actually not sure what API is the client using to figure the current plan for Organization.

Docker in container unreachable

This is about @mprasil's container: Newest version listens on localhost rather than 0.0.0.0. As a result, docker cannot expose the port and Bitwarden is unreachable.

Steps to reproduce:

# docker run -d --rm --name bitwarden --user 1002 -e ROCKET_PORT=8080 -v /srv/bitwarden/:/data/ -p 127.0.0.1:32080:8080 mprasil/bitwarden:latest
c6e390f52c899b0af595143d9692fd2644a0d7e18c8a4350fb834ebd38ac0618
# wget http://localhost:32080
--2018-07-12 13:34:16--  http://localhost:32080/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:32080... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.

Previous image 110e31f98241 runs fine.

Dockerfile improvements

Hello, first of all thank you @dani-garcia and @mprasil for this project.

Is there a reason for exposing port 80 by default from the Dockerfile? I think this should be up to the user to decide with docker run.

Also, can we get ROCKET_ENV set to prod or make it user-customizable with docker run ... -e ROCKET_ENV=prod... It should give us better performance, so it's worth a try.

EDIT: I have created PR.

Unable to download attachments when ran from behind reverse proxy

I am having issues with downloading attachments, and in some cases uploading them, from my bitwarden_rs behind an nginx reverse proxy. I am not seeing anything in the docker logs or the nginx logs that seems to be pointing me to any specific issue. Has anyone else run into this? Attachments seem to be working fine if I upload them or download them from the machine running the docker container.

nginx config

    #BITWARDEN
    server {
        listen 80;
        server_name    bitwarden.domain.com www.bitwarden.domain.com vault.domain.com www.vault.domain.com;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name bitwarden.domain.com www.bitwarden.domain.com vault.domain.com www.vault.domain.com;

        ssl_certificate     /ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/domain.com-chain.pem;
        ssl_certificate_key /ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/domain.com-key.pem;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location / {
            proxy_pass http://127.0.0.1:7080;
            proxy_set_header  X-Real-IP  $remote_addr;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_redirect off;
        } 

        location /.well-known {
            alias         C:/nginx/html/.well-known;
        }
    }

EDIT: If I don't redirect the reverse proxy to HTTPS then I am able to download them as expected.

I tried running the docker container enabling https internally to see if that would help but it does not seem to work even locally.

docker run -dit --restart unless-stopped -d --name bitwarden -e 'ROCKET_TLS={certs="/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/domain.com-chain.pem",key="/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/domain.com-key.pem"}' -v c:/bw-data/:/data/ -p 7080:443 mprasil/bitwarden:latest

I am guessing this may end up having more to do with rocket and not so much the server.

Error on activate 2FA

Hi,
at first thanks for your great work on this project.
I get an "An unexpected error has occurred" if I would like to enable 2FA.

I use this docker image with Web Vault (version 1.26.0)
The log shows:
POST /api/two-factor/authenticator application/json; charset=utf-8:
=> Matched: POST /api/two-factor/authenticator
=> Error: Couldn't parse JSON body: Error("invalid type: string "731025", expected u64", line: 1, column: 17)
=> Outcome: Failure
=> Warning: Responding with 400 Bad Request catcher.
=> Response succeeded.

best regards

Import not working with folders

When importing a file that contains folders using the Web Vault, I get the following error message:

POST /api/ciphers/import application/json; charset=utf-8:
    => Matched: POST /api/ciphers/import
    => Error: Couldn't parse JSON body: Error("missing field `key`", line: 1, column: 602)
    => Outcome: Failure
    => Warning: Responding with 400 Bad Request catcher.
    => Response succeeded.

I've attached a simple KeePass 2 (xml) file that causes a problem. (rename to .xml)
folders.txt

Password hints not available

The API endpoint for getting password hints appears to be unimplemented. When a user requests a password hint, either through a client or through the webapp, an "Errors have occurred" message pops up.

The server log reports:

POST /api/accounts/password-hint application/json; charset=UTF-8:
    => Error: No matching routes for POST /api/accounts/password-hint application/json; charset=UTF-8.
    => Warning: Responding with 404 Not Found catcher.
    => Response succeeded.

Two remarks about the Docker container: Drop root privileges

I've got two suggestions about @mprasil's Docker container:

  • It's currently running as root, which is undesirable from a security standpoint. Could the container drop root privileges?
  • When issuing a docker stop command, the container won't stop gracefully but wait to be killed after the default timeout of 10 secs and then quit with a non-zero exit code. Could the container react properly to stop commands?

Many thanks to @mprasil for the container and, of course, @dani-garcia for the Rust implementation!

Continuous performance issues

Hello, following @mprasil's advice on reddit I wanted to report performance issues.

I'm running my docker instance on a VPS with the following spec: 1 core Intel Xeon E5, 4GB RAM, 20GB SSD

The WebUI takes over 15 seconds to load the logon screen (I can provide a HAR file to developers on demand, I don't want to disclose the exact domain and port here).
After I log in, the UI is often unresponsive - the vault loads by default, but it does not react when I try to go to settings, for example. If I refresh the page (which took another 30 seconds as I write this) it may start reacting to my actions, but not always.

The adblocker I'm using is disabled for the domain I'm using Bitwarden on; I'm not facing any other network/website issues but this one.

Please let me know if you need anything specific from me, I will be happy to provide any logs etc.

U2F support should be implemented

When one attempts to enable U2F, they get an error in the web UI, as well as a log error from the app:

POST /api/two-factor/get-u2f application/json; charset=utf-8:
    => Error: No matching routes for POST /api/two-factor/get-u2f application/json; charset=utf-8.
    => Warning: Responding with 404 Not Found catcher.
    => Response succeeded.

I'll take a look at working on adding support for U2F as it's a mandatory feature for me!

Implement poor man's invitation-only registration

In current state one can either enable or disable user registration. I think it should be possible to implement some exception to the rule:

Admin and Owner of the Organization should be able to invite users not currently registered. For these, a special record would be made (possibly in a separate table?) that would allow registration of a user with the specified email even if registration is otherwise turned off. That way the admin could turn off self-registration, but could still invite users if needed without having to restart Bitwarden to enable/disable it, as is implemented right now.

I'm not sure if I understand the invitation process on the client side properly, but I think it shouldn't clash with how it works right now.

Any thoughts?

Unused variable: data

A usual Gitlab build output produces:

 ---> Running in 7ffe886a95d1
   Compiling bitwarden_rs v0.9.0 (file:///app)
warning: unused variable: `data`
   --> src/api/core/mod.rs:111:37
    |
111 | fn clear_device_token(uuid: String, data: Json<Value>, headers: Headers, conn: DbConn) -> EmptyResult {
    |                                     ^^^^ help: consider using `_data` instead
    |
    = note: #[warn(unused_variables)] on by default

warning: unused variable: `data`
   --> src/api/core/mod.rs:127:35
    |
127 | fn put_device_token(uuid: String, data: Json<Value>, headers: Headers, conn: DbConn) -> JsonResult {
    |                                   ^^^^ help: consider using `_data` instead

    Finished release [optimized] target(s) in 43.63s
Removing intermediate container 7ffe886a95d1

Is it a bug on our side or in the code? It doesn't break anything, it's just a "fyi" issue.

error on create new entries with Android app

Hi,

I get an error if I want to create a new entry.
I use the latest docker image from mprasil and the newest Android app.

The following error is shown by the server:

POST /api/ciphers application/json; charset=utf-8:
=> Matched: POST /api/ciphers
=> Error: Couldn't parse JSON body: Error("missing field type", line: 1, column: 498)
=> Outcome: Failure
=> Warning: Responding with 400 Bad Request catcher.
=> Response succeeded.

How can I help to debug the problem?

Thanks a lot for your help and great job on this project.
@mprasil thanks for your nice docker images

best regards

Reverse proxy in subdirectory results in http 500

Hello

Is it possible to run bitwarden_rs behind a reverse proxy in a subdirectory?
Like mydomain.tld/bitwarden?

If I try I get errors:

GET /bitwarden text/html:
=> Matched: GET /<p..>
=> Error: Response was a non-Responder Err: Os { code: 2, kind: NotFound, message: "No such file or directory" }

Because rocket thinks I want to access /bitwarden.
From other services I'm used to setting an HTTP header to let the application know. Is something like that possible here?

Thanks for reading :)

WEB_VAULT_ENABLED=false & 404: Not Found

Thanks for your work in creating this :)

I have set the .env variable WEB_VAULT_ENABLED=false, which appears to work great and disable the web vault login page.

That said, I get the following error and wondered if I could get it to display a legal landing page (index.html) instead of this 404 Not Found?

Is it also possible to remove 'Rocket' from this message, so the system behind the page is not given away to others?

Thanks in advance

404: Not Found

The requested resource could not be found.
Rocket

and ..

=> Response succeeded.
GET / text/html:
=> Error: No matching routes for GET / text/html.
=> Warning: Responding with 404 Not Found catcher.
=> Response succeeded.

Save logs to a file

From #58:

it would be nice to have the logs sent to a file rather than the console, that would make it easier to debug and also allow people to use a logging system like ELK to potentially track metrics.

The current logging is due to the web framework we use, Rocket. At the moment Rocket doesn't support configuring the logging, but I know it's on the roadmap for future versions.

Server unaccessible via web

Sometime after 79fcccc the server became inaccessible. There have been no changes other than a docker update; I now cannot access the server.

Edit: I should point out, I'm getting an ERR_CONNECTION_REFUSED response.

Organization Vault does not show unassigned ciphers under "Unassigned"

In the Organization Vault, all the ciphers that have no Collection assigned do not show under Unassigned section. The ciphers are only visible under "All items". From what I can see the API correctly returns such ciphers with CollectionIds set to [] and when editing the collections assignment, Vault correctly displays that cipher is in no collection, it's just that filtering misbehaves for some reason.

Could be that the upstream API actually returns Null instead of [] or there is some extra field indicating no collection assignment, that we don't send?

No way to unshare an item from an Organization, remains accessible and editable.

Simply put, there's no way to unshare an item from an organization, and it remains accessible and editable by someone with the perms to do so in an organization. Even worse, those changes will be done to the information in the user's vault as well.

Ref to the issue on bitwarden's github: bitwarden/server#158

This is a breaking issue for me, I can't use this with such a glaring security issue, in part of the server I actually wanted to switch to it for, sharing passwords.

Getting '[error: cannot decrypt]' when using organisations

  • Created an account, and an organisation.
  • Created a second account.
  • Associated second account with organisation
  • Created login item with first account
  • When viewing the item with the second account, I just see [error: cannot decrypt]

Attachments not working, can't upload

Trying to upload an attachment to a vault item by creating a test vault item called attachment, then click on the gear button next to it and select attachment. I have tried various photos and text files, large, small and even a 0 byte text file. The save button just spins and the file never gets attached. I have to cancel the dialogue after 5 minutes.

I am running v1.27.0 in an unraid docker. I did not set a different path for the attachments, instead I have the default path as described here: https://hub.docker.com/r/mprasil/bitwarden/ .

The bitwarden sqlite file as well as the key files are all correctly in the data folder as configured.

Docker settings in unraid:
[screenshot]

Is there a log or something I can upload? The docker container log doesn't show any indication that a file upload was attempted and I can't find any other log files.

Note, I am doing this over the local lan (http://192.168.1.31:90), the connection is unencrypted and there is no reverse proxy that may be interfering.

Web vault doesn't show TOTP codes, just an upgrade button (Organization Issue).

Been testing things out as I get ready to use this, and found that while sharing a password to an organization, it wouldn't show the TOTP code generated by the key.

After further testing:
You can make entries with authenticator keys. Only the code won't show.
The desktop app and the browser extension do show the codes generated.

My assumption is that while the apps do see the organization as a higher tier than free, the web vault doesn't.

SMTP support?

Is this possible? Would love to be able to send out emails when setting up users and/or adding them to collections.

Cannot create account...

I receive an error when trying to create an account...

Error generating keys

Any idea why this is happening?

I am using the docker image...

Sharing credentials with attachments

I think I found a bug. I am unable to share attachments with an organization I create if it contains attachments. If I remove the attachments then I am able to share the credential. I can then go (from my personal vault) back to the credentials attachments and add them back.

The second part of this is that I cannot add attachments to a credential from within an Organizations vault. I can add them to credentials from the personal vault but if I go to the org vault and try to add to either one shared with the org from my personal or one created within the org itself I cannot add attachments (all from the web vault).

This is the docker error I see when trying to share credentials with attachments:

POST /api/ciphers/5c1ebdc8-cb84-4bbe-b028-a58e329f9df3/attachment/7bdf1a9f2b3e2a9ac7d3/share?organizationId=483d995a-f3bc-48bc-ac9a-6d2a86fbc137 multipart/form-data; boundary=---------------------------30775785013455629741874101108:
    => Error: No matching routes for POST /api/ciphers/5c1ebdc8-cb84-4bbe-b028-a58e329f9df3/attachment/7bdf1a9f2b3e2a9ac7d3/share?organizationId=483d995a-f3bc-48bc-ac9a-6d2a86fbc137 multipart/form-data; boundary=---------------------------30775785013455629741874101108.
    => Warning: Responding with 404 Not Found catcher.
    => Warning: Data left unread. Force closing network stream.
    => Error: Failed to write response: Os { code: 104, kind: ConnectionReset, message: "Connection reset by peer" }.

This is the docker error I see when trying to add attachments to a credential from the org vault:

POST /api/ciphers/91bab0fa-4a15-4687-8e96-b325f3af28d5/attachment-admin multipart/form-data; boundary=---------------------------1175028002436011802836152650:
    => Error: No matching routes for POST /api/ciphers/91bab0fa-4a15-4687-8e96-b325f3af28d5/attachment-admin multipart/form-data; boundary=---------------------------1175028002436011802836152650.
    => Warning: Responding with 404 Not Found catcher.
    => Warning: Data left unread. Force closing network stream.
    => Error: Failed to write response: Os { code: 32, kind: BrokenPipe, message: "Broken pipe" }.

Deleting cipher from Organization vault isn't supported

A call to /api/ciphers/{{cipher-uuid}}/delete-admin throws 404.

Server logs:

POST /api/ciphers/CIPHER_UUID/delete-admin application/json; charset=utf-8:
    => Error: No matching routes for POST /api/ciphers/CIPHER_UUID/delete-admin application/json; charset=utf-8.
    => Warning: Responding with 404 Not Found catcher.
    => Response succeeded.

The POST data is a simple json:

{ "id":"CIPHER_UUID"}

I guess we can just use one of the current delete functions to handle this one with some extra checks for admin access.

Unable to use with reverse proxy (letsencrypt by linuxserver.io)

Hi there.

I've been working on this for a few hours now and I'm making no headway.
I'm trying to use the letsencrypt docker by linuxserver.io to serve bitwarden_rs over https to the internet.

It's all set up, the url is redirected from http to https if needed, and the proxy forwards the traffic to the http port on the bitwarden docker. However any attempt to load the page returns with ERR_CONNECTION_CLOSED

There doesn't seem to be anything happening, the dev interface for chrome says that it stalled.

Any chance of some help please?

Use postgresql database

Hi! Would it be possible to add support for PostgreSQL? I'd like to use a database independent of the docker container.

Additional documentation for performing a backup

I'm trying to do a backup of my vault. Reading the official documentation, there are some differences for the rust docker implementation (https://help.bitwarden.com/article/backup-on-premise/). In the docker implementation, by default all 3 folders mentioned in that link are combined into the data folder. I assume that backing up that one /data/ folder is sufficient for a full backup. Assuming that is correct, I can put in a pull request to the readme to add a backup section to clarify this if you want.

Also the official docs talk about an automatic nightly backup of the database. Is that also the case with this sqlite implementation?

Protect Organization related GET requests

It seems that we don't really check the user's access rights when doing /organization/* API calls. While this is mostly harmless in theory, we should probably protect all of these under some common check.

I think implementing some form of request guard would probably be the best way to handle that.

Add support for yubikey?

Based on the error message I get below and the lack of reference to yubikey in the source I believe there isn't any support yet for yubikeys. Assuming that is correct this is a feature request for yubikey two factor support. If I am mistaken please help me figure out what I am doing wrong.

POST /api/two-factor/get-yubikey application/json; charset=UTF-8:
=> Error: No matching routes for POST /api/two-factor/get-yubikey application/json; charset=UTF-8.
=> Warning: Responding with 404 Not Found catcher.
=> Response succeeded.

The models save() and delete() method should probably return Result instead of bool

I find that the bool actually masks the underlying issue, returning some sort of Result would probably be much better. Also the Result should actually be checked and API should respond appropriately. As a real world example, it took me quite a while to figure out that program couldn't write to DB due to permissions.

Here's the list of functions that are left to be updated:

  • attachment.rs:
    • Attachment::save()
  • cipher.rs:
    • Cipher::save()
  • collection.rs:
    • Collection::save()
    • CollectionUser::save()
    • CollectionUser::delete()
    • CollectionCipher::save()
    • CollectionCipher::delete()
  • device.rs:
    • Device::save()
    • Device::delete()
  • folder.rs:
    • Folder::save()
  • organization.rs:
    • Organization::save()
    • UserOrganization::save()
  • user.rs:
    • User::save()
    • User::delete()

get_org_collection_detail() errors with "Collection not found" when User isn't directly assigned to collection

The function doesn't work for UserOrganization with access_all, for Admin or Owner that doesn't have direct CollectionUser mapping.

This is because we only use Collection::find_by_uuid_and_user() in the handler, but the above users don't necessarily need to have access allowed for specific Collection as they can generally access any Collection within Organization. We need to check whether that isn't the case before returning error.

Deleting folder in Vault doesn't update the cached client-side status of affected ciphers

The updates on the server side are actually done correctly; when I reload the Vault page, ciphers are in No_folder as they should be, it's only the client-side cache that's wrong. I assume we should be returning some data from /api/folder/<id>/delete to let the Vault know which ciphers were updated?

BTW this has nothing to do with #20 - the client side behavior didn't change before or after implementing those changes. It's just something I noticed while working on the PR.
