dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-26 22:18:29 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Fix User API Key login (#6712)
Some checks failed
Build / Build and Test ${{ matrix.channel }} (msrv) (push) Has been cancelled
Details
Build / Build and Test ${{ matrix.channel }} (rust-toolchain) (push) Has been cancelled
Details
Check templates / Validate docker templates (push) Has been cancelled
Details
Hadolint / Validate Dockerfile syntax (push) Has been cancelled
Details
Release / Build Vaultwarden containers (amd64, alpine) (push) Has been cancelled
Details
Release / Build Vaultwarden containers (amd64, debian) (push) Has been cancelled
Details
Release / Build Vaultwarden containers (arm/v6, alpine) (push) Has been cancelled
Details
Release / Build Vaultwarden containers (arm/v6, debian) (push) Has been cancelled
Details
Release / Build Vaultwarden containers (arm/v7, alpine) (push) Has been cancelled
Details
Release / Build Vaultwarden containers (arm/v7, debian) (push) Has been cancelled
Details
Release / Build Vaultwarden containers (arm64, alpine) (push) Has been cancelled
Details
Release / Build Vaultwarden containers (arm64, debian) (push) Has been cancelled
Details
Trivy / Trivy Scan (push) Has been cancelled
Details
Code Spell Checking / Run typos spell checking (push) Has been cancelled
Details
Security Analysis with zizmor / Run zizmor (push) Has been cancelled
Details
Release / Merge manifests (alpine) (push) Has been cancelled
Details
Release / Merge manifests (debian) (push) Has been cancelled
Details

Browse Source 
When using the latest Bitwarden CLI and logging in using the API Key, it expects some extra fields, same as for normal login.
This PR adds those fields and login is possible again via API Key.

Fixes #6709

Signed-off-by: BlackDex <black.dex@gmail.com>
This commit is contained in:
Mathijs van Veluw 2026-01-14 13:11:43 +01:00 committed by GitHub
parent 4352fffeec
commit b2cd556f3e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/api/identity.rs
View File

@ -610,6 +610,25 @@ async fn _user_api_key_login(
info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);
let has_master_password = !user.password_hash.is_empty();
let master_password_unlock = if has_master_password {
json!({
"Kdf": {
"KdfType": user.client_kdf_type,
"Iterations": user.client_kdf_iter,
"Memory": user.client_kdf_memory,
"Parallelism": user.client_kdf_parallelism
},
// This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
// https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
"MasterKeyEncryptedUserKey": user.akey,
"MasterKeyWrappedUserKey": user.akey,
"Salt": user.email
})
} else {
Value::Null
};
// Note: No refresh_token is returned. The CLI just repeats the
// client_credentials login flow when the existing token expires.
let result = json!({
@ -625,6 +644,11 @@ async fn _user_api_key_login(
"KdfParallelism": user.client_kdf_parallelism,
"ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
"scope": AuthMethod::UserApiKey.scope(),
"UserDecryptionOptions": {
"HasMasterPassword": has_master_password,
"MasterPasswordUnlock": master_password_unlock,
"Object": "userDecryptionOptions"
},
});
Ok(Json(result))