New organisation results in "GET /api/plans => 401 Unauthorized"

[bhenstra]

New organisation results in "GET /api/plans => 401 Unauthorized"

Running vaultwarden and vaultwaden-web on Arch Linux:

- Linux secure 5.19.13-arch1-1 #1 SMP PREEMPT_DYNAMIC Tue, 04 Oct 2022 14:36:58 +0000 x86_64 GNU/Linux
- community/vaultwarden 1.25.2-1 [installed]
-     Unofficial Bitwarden compatible server written in Rust
- community/vaultwarden-web 2022.9.0-1 [installed]
-     Bitwarden web vault with the patches to make it work with Vaultwarden

When I click the button "+ New organisation" the "New organisation" text is visible with a animated gif / loading indicator.
In the log file there's the following eror:

[2022-10-06 22:32:48.043][request][INFO] GET /api/plans/
[2022-10-06 22:32:48.043][auth][ERROR] Unauthorized Error: No access token provided
[2022-10-06 22:32:48.043][_][WARN] Request guard `Headers` failed: "No access token provided".
[2022-10-06 22:32:48.043][_][WARN] No 401 catcher registered. Using Rocket default.
[2022-10-06 22:32:48.043][response][INFO] (get_plans) GET /api/plans => 401 Unauthorized

Deployment environment

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.25.2
• Web-vault version: v2022.9.0
• Running within Docker: false (Base: Unknown)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.35.4
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SENDS_ALLOWED, ADMIN_TOKEN, INVITATION_ORG_NAME, IP_HEADER, LOG_TIMESTAMP_FORMAT, DISABLE_ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_AUTH_MECHANISM, SMTP_TIMEOUT, SMTP_ACCEPT_INVALID_CERTS

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/var/lib/vaultwarden/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "/var/lib/vaultwarden",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "/***/***/***********/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******.***.**",
  "domain_origin": "*****://******.***.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/var/lib/vaultwarden/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_org_name": "Censored - Company Name Removed",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/var/log/vaultwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/var/lib/vaultwarden/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "/var/lib/vaultwarden/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Plain",
  "smtp_debug": false,
  "smtp_explicit_tls": null,
  "smtp_from": "******@******.********.**",
  "smtp_from_name": "Censored - Company Name Removed",
  "smtp_host": "******.********.**",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******@******.********.**",
  "templates_folder": "/var/lib/vaultwarden/templates",
  "tmp_folder": "/var/lib/vaultwarden/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/usr/share/webapps/vaultwarden-web",
  "websocket_address": "127.0.0.1",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

• vaultwarden version: v1.25.2

• Install method: pacman

• Clients used: web vault

• Reverse proxy and version: Caddy v2.6.1

• MySQL/MariaDB or PostgreSQL version: not applicable

• Other relevant details: I did install Vaultwarden + Vaultwarden-Web and Caddy on Arch Linux before. I have two servers running like this. I am not sure why this error appears and I am hoping you can help. Please let me know if I have to provide more details. Thank you.
  

Steps to reproduce

Click "+ New organisation"

Expected behaviour

Create a new organisation.

Actual behaviour

When I click the button "+ New organisation" the "New organisation" text is visible with a animated gif / loading indicator.

Troubleshooting data

caddy config (note: real domain name has been removed)

file: /etc/caddy/conf.d/real.domain-name-replaced.com

(doRevProx) {

    # The negotiation endpoint is also proxied to Rocket
      reverse_proxy /notifications/hub/negotiate localhost:8000
    # Notifications redirected to the websockets server
      reverse_proxy /notifications/hub localhost:3012
      ### Credits: https://community.hetzner.com/tutorials/how-to-set-up-vaultwarden
    # Send all other traffic to the regular Vaultwarden endpoint
      reverse_proxy * localhost:8000 {
        header_up X-Real-IP {remote}
        }
    # Remove server response header
      header /* {
        -Server
      }
}

real.domain-name-replaced.com {

# General settings
  encode gzip
  file_server

# Security
  import /etc/caddy/caddy_security.conf

### Geo Filtering ################

    @geofilter {
      maxmind_geolocation {
        db_path "/var/lib/GeoIP/GeoLite2-Country.mmdb"
          allow_countries NL
        }
    }

    handle @geofilter {
      import doRevProx
    }

### White Listing ################

    @allowed {
      remote_ip forwarded 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10
      }
      handle @allowed {
        import doRevProx

      }
      respond "Access denied - 403" 403

# Logging
  log {

    format transform "{common_log}"

    # access logs
      output file /var/log/caddy/real.domain-name-replaced.com/access.log {
        roll_size 100MiB
        roll_keep 90
        roll_keep_for 2160h
        level INFO
        }

    # error logs
      output file /var/log/caddy/real.domain-name-replaced.com/errors.log {
        roll_size 100MiB
        roll_keep 90
        roll_keep_for 2160h
        level ERROR
        }

      }

}

file: /etc/caddy/caddy_security.conf

header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Xss-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Content-Security-Policy "upgrade-insecure-requests"
        Referrer-Policy "strict-origin-when-cross-origin"
        Cache-Control "public, max-age=15, must-revalidate"
        Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'"
}

[BlackDex]

First, those headers set by caddy could break some functionality.
Second, it looks like that Vaultwarden version you are using isn't supporting the 2022.9.0 web-vault version. I think the Vaultwarden version is matching the released version and not the master branch.

That would cause the issue you have currently.

Either install a git release of Vaultwarden, or revert to the latest 2022.8.x web-vault.

[stefan0xC]

Can you try to register a new user with your instance? Last time I tested v2022.9.2 with v1.25.2 it returned an error in the client but the user has been created successfully. If there is an error you might want to let the maintainer know that there are still patches needed.

[bhenstra]

Can you try to register a new user with your instance? Last time I tested v2022.9.2 with v1.25.2 it returned an error in the client but the user has been created successfully. If there is an error you might want to let the maintainer know that there are still patches needed.

There's an error (something with JSON) when I register a user - but the user is created. I was able to confirm the new user.

I will report the problem to the maintainer by linking to this conversation. Thank you.

[BlackDex]

It's probably better to either build the main branch using the latest web-vault instead of cherry-picking i think.

[grawlinson]

Package maintainer for downstream Arch Linux here; Wouldn’t it be easier to cut a new release of vaultwarden instead?

[bhenstra]

First, those headers set by caddy could break some functionality.

I am trying to wrap my head around caddy. I think the header_up X-Real-IP {remote} is incorrect. I did change this to header_up X-Real-IP {remote_host} and now the IP Header matches (I did set X-Real-IP).