
Request guard KnownDevice failed: "X-Request-Email value failed to decode as base64url" #3394

Closed
NoseyNick opened this issue Mar 30, 2023 · 10 comments

Comments

@NoseyNick
Sponsor

Subject of the issue

Request guard KnownDevice failed: "X-Request-Email value failed to decode as base64url".

Web vault works fine (2023.3.0)

Android app (2023.3.2 - latest?) gives "we were unable to process your request, please try again or contact us".

Firefox addon (2023.3.0 - latest? but also 2023.2.1 before that) gives whirly wait-spinner thing.

... but only for ONE USER. Six other users work fine. Log says:

[2023-03-29 23:46:25.766][request][INFO] GET /vault/api/devices/knowndevice
[2023-03-29 23:46:25.766][vaultwarden::api::core::accounts::_][WARN] Request guard `KnownDevice` failed: "X-Request-Email value failed to decode as base64url".
[2023-03-29 23:46:25.766][rocket::server::_][WARN] No 400 catcher registered. Using Rocket default.
[2023-03-29 23:46:25.766][response][INFO] (get_known_device) GET /vault/api/devices/knowndevice => 400 Bad Request

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.28.0
  • Web-vault version: v2023.3.0b
  • OS/Arch: linux/x86_64
  • Running within Docker: false (Base: Not applicable)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.39.2
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*************",
  "domain_path": "******",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "NoseyNick's Vault",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "NoseyNick's Vault",
  "smtp_host": "*********",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 14,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • Install method:

It's not "running under docker" as such, but it IS running the docker image - vaultwarden/server:alpine - 2023.3.0 - under runc. Essentially exactly the same as running under Podman. A lot like docker but with less bloat.

  • Clients used: Web vault works fine (2023.3.0)
    Android app (2023.3.2 - latest?) gives "we were unable to process your request, please try again or contact us".
    Firefox addon (2023.3.0 - latest? but also 2023.2.1 before that)

  • Reverse proxy and version: Apache

  • Other relevant details:

Steps to reproduce

Honestly not sure what's so "special" about this one particular user 😐

Expected behaviour

Log in?

Actual behaviour

Above error on android. Whirly wait-pointer on firefox plugin.

Troubleshooting data

@NoseyNick
Sponsor Author

NoseyNick commented Mar 30, 2023

If I sniff the traffic on the unencrypted side, INSIDE Apache...
I don't have permission to share the user's email address, but the header it's complaining about is a lot like...

X-Request-Email: dXNlckBkb21haW4uZmljdA

Where it is indeed arguably not valid base64 UNTIL you add the == on the end, then it decodes (user@domain.fict above)... Which is not unusual for HTTP transfer like this? It's also working fine for 6 other users, one of whom has an email address of the same length 😕
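As an added illustration (my own code, not vaultwarden's and not the fix in 62cebeb), here is a padding-strict base64url decoder next to one that tolerates the unpadded form the clients send. The header value is the one quoted above; the 15-byte address is a constructed example showing why only some emails trip a strict decoder.

```python
import base64
import binascii
from typing import Optional

# Header value quoted in the issue above; decodes to "user@domain.fict".
# The client sends base64url WITHOUT the trailing "==" padding.
UNPADDED_HEADER = "dXNlckBkb21haW4uZmljdA"

# Constructed example: a 15-byte address encodes to 20 characters, so it needs
# no padding at all and even a strict decoder accepts it. That is why users
# whose address length is a multiple of 3 bytes never see the error.
PADDING_FREE_HEADER = "dXNlckBkb21haW4uZmlj"  # "user@domain.fic"

BASE64URL_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def decode_strict(value: str) -> Optional[bytes]:
    """Padding-strict decode, i.e. the failing behaviour in the issue:
    an unpadded value raises 'Incorrect padding' and is rejected."""
    try:
        return base64.urlsafe_b64decode(value)
    except binascii.Error:
        return None


def decode_padding_tolerant(value: str) -> Optional[bytes]:
    """Accept base64url with or without '=' padding, but still reject
    anything outside the base64url alphabet (including '+' and '/')."""
    body = value.rstrip("=")
    # A single leftover character can never encode a whole byte.
    if not body or len(body) % 4 == 1:
        return None
    if any(c not in BASE64URL_ALPHABET for c in body):
        return None
    # Re-add the padding the stdlib decoder insists on, then decode.
    padded = body + "=" * (-len(body) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except binascii.Error:
        return None


if __name__ == "__main__":
    for header in (UNPADDED_HEADER, PADDING_FREE_HEADER):
        print(header, "strict:", decode_strict(header),
              "tolerant:", decode_padding_tolerant(header))
```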

@tessus
Contributor

tessus commented Mar 30, 2023

fixed 3 days ago.

see 62cebeb

@NoseyNick
Sponsor Author

Wait... has that made it into vaultwarden/server:alpine yet, or am I waiting for a docker image to be spun? 🤔

@tessus
Contributor

tessus commented Mar 30, 2023

it should be in the testing image

@NoseyNick
Sponsor Author

Is there such a thing as an alpine-testing for the slimmed down version? I'll give it a go

@NoseyNick
Sponsor Author

NoseyNick commented Mar 30, 2023

Found vaultwarden/server:testing-alpine and...

[2023-03-30 00:43:33.008][request][INFO] GET /vault/api/devices/knowndevice
[2023-03-30 00:43:33.009][response][INFO] (get_known_device) GET /vault/api/devices/knowndevice => 200 OK

... and asks for master password, and syncs fine 😀

Splendiiiiid, will stick on testing-alpine until I see the next real release then.

Many thanks @tessus !

Duplicates #3375 - apologies! 🙈

@tessus
Contributor

tessus commented Mar 30, 2023

You are welcome

@NoseyNick
Sponsor Author

Would vote for a full release though. I assume almost 2/3rds of Android users and 2/3rds of browser plugin users are broken right now? Some may not know it until they next need to log in?

@stefan0xC
Contributor

@dani-garcia I think it would make sense to make a hot fix release (once #3390 has been merged).

@BlackDex
Collaborator

We want to wait for more issues to be reported on other items. We already had one other besides this one. Both are fixed. But yea, a .1 release is probably a good thing
