Emergency Access Takeover not storing password #3196
Comments
The database record in the Emergency Access table is: |
[2023-01-29 16:30:13.214][request][INFO] POST /identity/accounts/prelogin |
Seems to work fine for me. |
I know and I did try to login with the username of the grantor with the new password, but failed. The thing is: if I click on save as grantee, nothing seems to happen. Window doesn't close, no message saying that the new password is saved/applied, ... (I do see a message if the 2nd password doesn't match the first. So that works...) |
Again, it does work for me. Just tested it without any issues. Maybe something else on your side is blocking the request? Try to set it via a different browser, or use a Private/incognito window. Also, on the reverse proxy side, I suggest to check the logs there, because I'm missing the POST that tells it to change the password. It should look like this, but I only see the POST to the
|
I think I can reproduce this by adding (and confirming) someone as an emergency contact with only view access and then later changing their role to takeover. Afterwards I can attempt a takeover but even if I approve it, it will not work (i.e. do nothing as described above) because the field On the other hand, if I add and confirm someone with takeover permissions from the beginning, this field will not be empty. |
@stefan0xC But, as far as I know, you can't change it from takeover to view without removing/rejecting the previous approved one. So, that is probably not the issue here. Update: Ah, wait, you can indeed. That does cause issues. |
We probably need to prevent updating the key if it is not set. |
That value is derived from the If you are sure that you did not switch anything, not even the amount of days for example, then I suggest to check (as mentioned before) your reverse proxy log and anything else in front of Vaultwarden which could have blocked calls, because I'm missing the POST call to update the password as mentioned earlier. |
OK, the deauthorized sessions will indeed be the cause of Never. I did try that to force a full login for the user. I will have a look at the proxy logs tonight. |
Can confirm that this is the case. If I replace vaultwarden/src/api/core/emergency_access.rs Line 126 in 9366e31

```rust
if data.KeyEncrypted.is_some() {
    emergency_access.key_encrypted = data.KeyEncrypted;
}
```

the field will not be emptied when changing the user level from view to takeover (or the number of days). |
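
The guard from the comment above in a simplified model, as an added example that is not part of the thread or of Vaultwarden's code: the struct, enum and function names are hypothetical, and only `key_encrypted` and the `is_some()` check come from the snippet. It shows a view-to-takeover edit that omits the key blanking the stored value in the unguarded update and preserving it in the guarded one.

```rust
// Added illustration: a simplified model, not Vaultwarden's actual types.
#[derive(Clone, PartialEq)]
enum AccessType { View, Takeover }

struct EmergencyAccess {
    access_type: AccessType,
    wait_time_days: u32,
    // Key material stored for the grantee when the grant is confirmed.
    key_encrypted: Option<String>,
}

// Update request body; the key is absent when only level or days change.
struct UpdateData {
    access_type: AccessType,
    wait_time_days: u32,
    key_encrypted: Option<String>,
}

// Unconditional assignment: an update without a key empties the stored field.
fn update_unguarded(ea: &mut EmergencyAccess, data: UpdateData) {
    ea.access_type = data.access_type;
    ea.wait_time_days = data.wait_time_days;
    ea.key_encrypted = data.key_encrypted;
}

// Guarded form: the stored key is replaced only when the request carries one.
fn update_guarded(ea: &mut EmergencyAccess, data: UpdateData) {
    ea.access_type = data.access_type;
    ea.wait_time_days = data.wait_time_days;
    if data.key_encrypted.is_some() {
        ea.key_encrypted = data.key_encrypted;
    }
}

// Health check: a takeover grant is only usable while the key is present.
fn can_takeover(ea: &EmergencyAccess) -> bool {
    ea.access_type == AccessType::Takeover && ea.key_encrypted.is_some()
}

// Constructed sample data: a confirmed view-only grant and a role change.
fn confirmed_view_grant() -> EmergencyAccess {
    EmergencyAccess { access_type: AccessType::View, wait_time_days: 7,
        key_encrypted: Some("constructed-wrapped-key".to_string()) }
}

fn upgrade_request() -> UpdateData {
    UpdateData { access_type: AccessType::Takeover, wait_time_days: 7, key_encrypted: None }
}
```
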
I tried my best to get a self signed certificate setup using https://github.com/dani-garcia/vaultwarden/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome but could not get it to work. As it explicitly states no support will be provided, I will not ask any ;-) The logging from my nginx is below: This seems to correspond to the following lines in the VaultWarden log: I've tried this in both Chrome and Edge (although I'm not sure there's too much difference as both are Chromium based), in private modes and with UBlock Origin disabled for the VaultWarden site. I'm not sure where things are going wrong and why the /password POST is not even reaching my nginx, but for now I'm not sure I can do any additional debugging. For me it's fine to close this issue, but I'm not sure you already want it closed as you may have identified a bug (although it may be unrelated to this issue). So I'll leave the honours to close it to you :-D Thanks for your help! |
@rsoftnl given that the table did not have the If you did check the developer console of your browser while trying to save a new password for the grantor and nothing happens you would have seen that what actually happens is that the web-vault will throw an error
Since this is happening on the client side it's not something you can check (or even notice) in the server logs aside from not seeing the call you expect. And because the database entry has been corrupted somehow (maybe you just opened and saved the grantee again without changing anything?) there's not really anything you could do except removing the grantee and adding them again. |
Hi,
I'm trying to access a user's vault by means of the Emergency Access feature. Everything appears to be set up correctly, but when I'm given the opportunity to take over the Master Password (after 7 days wait period, E-mail from Vaultwarden received it has granted me rights) I can't change the Master Password. It will allow me to enter the new password, but Save seems to not do anything at all. The window does not close and the LOG shows a 200 message
Your environment (Generated via diagnostics page)
Config (Generated via diagnostics page)
Environment settings which are overridden: ADMIN_TOKEN
Thanks in advance for any suggestions