1.29.0 docker image: VAULTWARDEN_ADMIN_TOKEN vs ADMIN_TOKEN

[gStart9]

Subject of the issue

1.29.0 docker image: VAULTWARDEN_ADMIN_TOKEN vs ADMIN_TOKEN

Deployment environment

• vaultwarden version:

Docker vaultwarden/server:1.29.0

• Install method: Docker image image:

FROM vaultwarden/server:1.29.0

• Clients used:

browser: FF115

• Reverse proxy and version:

nginx version: nginx/1.18.0

• Other relevant details:

I have read https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token but no matter what I do, if I've included ADMIN_TOKEN= in my .env file, like:
ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$MW84Wi9HakowU2c2UjRCYXduNGZUMlpUeS92SXV2eDk3MFgwaTBvNE5UST0$VCMT5AbHh0evoz9fyJEcdXgjRbGTCfyIzYSXz7s42qE

Then when I startup Vaultwarden, the log complains that I don't have a secure password:

2023-07-19T19:29:05+00:00  /--------------------------------------------------------------------\
2023-07-19T19:29:05+00:00  |                        Starting Vaultwarden                        |
2023-07-19T19:29:05+00:00  |                           Version 1.29.0                           |
2023-07-19T19:29:05+00:00  |--------------------------------------------------------------------|
2023-07-19T19:29:05+00:00  | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
2023-07-19T19:29:05+00:00  | official channels to report bugs/features, regardless of client.   |
2023-07-19T19:29:05+00:00  | Send usage/configuration questions or feature requests to:         |
2023-07-19T19:29:05+00:00  |   https://github.com/dani-garcia/vaultwarden/discussions or        |
2023-07-19T19:29:05+00:00  |   https://vaultwarden.discourse.group/                             |
2023-07-19T19:29:05+00:00  | Report suspected bugs/issues in the software itself at:            |
2023-07-19T19:29:05+00:00  |   https://github.com/dani-garcia/vaultwarden/issues/new            |
2023-07-19T19:29:05+00:00  \--------------------------------------------------------------------/
2023-07-19T19:29:05+00:00  
2023-07-19T19:29:05+00:00  [INFO] Using environment file `.env` for configuration.
2023-07-19T19:29:05+00:00  
2023-07-19T19:29:05+00:00  [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.
2023-07-19T19:29:05+00:00  Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.
2023-07-19T19:29:05+00:00  See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
2023-07-19T19:29:05+00:00  
2023-07-19T19:29:05+00:00  [2023-07-19 19:29:05.476][start][INFO] Rocket has launched from http://0.0.0.0:80

But I am able to access /admin/

However, if, in order to get rid of the nasty log message, I use only VAULTWARDEN_ADMIN_TOKEN in .env, as such:
VAULTWARDEN_ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$MW84Wi9HakowU2c2UjRCYXduNGZUMlpUeS92SXV2eDk3MFgwaTBvNE5UST0$VCMT5AbHh0evoz9fyJEcdXgjRbGTCfyIzYSXz7s42qE

Then the log is clean on startup but a request to access /admin/ results in the following response:
<pre>The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it</pre>

It seems I can only use ADMIN_TOKEN if I want /admin/ to be available, yet Vaultwarden still thinks it's insecure even though I'm using the $argon2id$... format.
VAULTWARDEN_ADMIN_TOKEN being set correctly in .env does not make /admin/ available.

Steps to reproduce

We package vaultwarden for Start9's personal servers here so it's kind of a custom docker setup but I believe you can reproduce this if you simply:
Use 1.29.0 docker image and put either ADMIN_TOKEN or VAULTWARDEN_ADMIN_TOKEN only into .env

Expected behaviour

After reading this: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
I expected setting VAULTWARDEN_ADMIN_TOKEN was a valid way to have /admin/ work.

Alternatively, after setting this in .env:
ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$MW84Wi9HakowU2c2UjRCYXduNGZUMlpUeS92SXV2eDk3MFgwaTBvNE5UST0$VCMT5AbHh0evoz9fyJEcdXgjRbGTCfyIzYSXz7s42qE
... I expected vaultwarden to not complain in the log that my token is still insecure.

Actual behaviour

Described above

[BlackDex]

There is no VAULTWARDEN_ADMIN_TOKEN, I'm not sure where you have seen that.

Just use ADMIN_TOKEN.
That works as it should unless it's somehow overridden by a config.json, though i didn't see that in the logs you posted.

[gStart9]

That worked perfectly! Thank you so much!

[BlackDex]

Strange, for some reason it looks like your .env file gets pre-processed which then replaces non-existing variables probably with nothing.

Ill double check tomorrow on my local dev instance

[disgustipated]

i recently switched to the new argon2 admin pass and i also had to put single quotes around the .env entry. when i did not i got some odd parsing messages when running compose up that looked like this
WARN[0000] The "<part of the string in .env file here>" variable is not set. Defaulting to a blank string

Docker version 24.0.4, build 3713ee1
Docker Compose version v2.19.1

[BlackDex]

@disgustipated if you put that string directly into a docker-compose file you do need to put quotes around it, that is also mentioned in the wiki.

[disgustipated]

it is in my env file, not the compose file. sorry this kind of diverts from the OPs post, was just confirming that for some reason my env file required the single quotes as well.

this is what i have in my compose file

• ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
  and in the .env
  VAULTWARDEN_ADMIN_TOKEN='$argon2id$v=19$....'

without the single quotes in the .env file i received the WARN message above that seemed to parse the values at each special character. adding the single quote in the .env file seemed to make it work for me. so maybe all thats needed here is the admin token update page mentioning the possible need to surround the .env entry with single quotes, it currently seems very explicit about escaping not being needed but could help others with mention of the single quotes.

output from 'docker exec vaultwarden env' with expected results with the single quotes in .env
ADMIN_TOKEN=$argon2id$v=19$...