Admin Page: Remove all 2FA doesn't do anything

[jonathanmmm]

Hi,

I am using vaultwarden/server:latest (updated today from bitwardenrs/server:latest, didn't work there either, sadly in my service file there was still the wrong image pulled and so).

If I go on the admin page first the token field is half behind the top nav bar.
Second if I am logged in and I press "Remove all 2FA" from a user, the following happens:
https://bitwarden.my-domain.com/admin/users/overview
changes to
https://bitwarden.my-domain.com/admin/users/overview#
and it autoscrolls to the top.
Still 2FA is displayed, even if I switch menus or log in from a different browser.

[BlackDex]

It works for me locally at least.
What browser are you using, and do you have any extensions which block javascript or part of it?
Also are you accessing it via HTTP or HTTPS.

Are you using a reverse proxy? If so, does it do caching? If so, try to clear the cache, or restart the reverse proxy.

If you Press F12 to open the developer console of the browser, and then reload the page, and click the delete again, do you see any error's appear?

[jonathanmmm]

I am having it behind a proxy (nginx):

  location /admin {
allow 127.0.0.1;
allow 10.6.0.0/24;
deny all;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:90;
  }

If I access port 90 directly it works flawlessly (forgot about that, that is what I normally used before), couldn't find any "caching" enabled, gzip is off.

[jonathanmmm]

It is there behind https (if it matters), just in the normal proxy settings for vaultwarden (which works normal)

[BlackDex]

Well, try F12 when you access it through the proxy, because it seems to be blocking something.

[jonathanmmm]

It seems to be my Security Header settings:

in nginx:
add_header Content-Security-Policy "default-src 'self';script-src 'self';object-src 'none'; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* https://my-top-domain.com; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-JVRXyYPueLWdwGwY9m/7u4QlZ1xeQdqUj2t8OVIzZE4='";

This is from Dev-Tools in browser:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-JVRXyYPueLWdwGwY9m/7u4QlZ1xeQdqUj2t8OVIzZE4='". 
Either the 'unsafe-inline' keyword, a hash ('sha256-7AoFXY3/IoDDih1FMmhvMeo4f8W6z9IvYPNEAakodqs='), or a nonce ('nonce-...') is required to enable inline execution.

admin:25 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 
Either the 'unsafe-inline' keyword, a hash ('sha256-+Zp/NW7p2umtnt4QWKObqRPgYvXph9rpjYLhhXyweaE='), or a nonce ('nonce-...') is required to enable inline execution.

admin:119 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 
Either the 'unsafe-inline' keyword, a hash ('sha256-HRvCdjRwsdTvEcEBNlHySwpcxFo1kGNXiZM1bO8KjTw='), or a nonce ('nonce-...') is required to enable inline execution.

admin:1 Refused to load the image 'data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%28255, 255, 255, 0.55%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e' because it violates the following Content Security Policy directive: "default-src 'self'". 
Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

[BlackDex]

This is what vaultwarden sends it self:

vaultwarden/src/util.rs

Lines 32 to 38 in e194201

	let csp = format!(
	// Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
	// Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
	// Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
	"frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {};",
	CONFIG.allowed_iframe_ancestors()
	);