Odd Behavior From Bitwarden

Bit of an odd issue,

I’m self-hosted using the Docker container, pay for premium…

This is a bit of a mixed bag, bear with me…

I noticed a while ago that when using 2-factor (Google Auth) to log into BW I would get a message that said “An error occurred: an unexpected error has occurred” when entering the 2FA code. Clicking “continue” a second time would get me into the vault. For my account I’ve recently switched to Yubico hardware keys, which seem to be working fine.

My wife still uses Google Auth for her BW login and she recently got a new phone. Before I could check to see if her Google Auth app was set to back up the auth codes, she wiped her phone. No big deal, I have the recovery code. Except the recovery code did not work. I received an error “invalid login information.” I was able to get into her Google account and reset her password and 2FA settings there (I’m the admin), then log in to her Google Auth app, and luckily her 2FA codes were all there.

But then I realized that when I clicked on “use other 2FA method” it was redirecting me to the Bitwarden site and not my hosted server. Ok, I went to my site, with the URL ending in #/recover-2fa, and tried her recovery code. I received an error “unexpected error has occurred” but realized that it had in fact removed the 2FA settings and rotated her recovery code.

So here are the issues:

  • Self-hosted BW does not seem to redirect to the 2FA recovery page correctly; it redirects to bitwarden.com and not the self-hosted domain. Maybe this is a misconfiguration on my part…

  • When logging into BW through a browser (I don’t think I’ve seen the behavior in the app), at the 2FA prompt I get an error “an unexpected error has occurred” but get past it by clicking continue a second time. I’m using Google Authenticator.

  • When using a recovery key you get an error “unexpected error has occurred” but the recovery key does work: the 2FA requirement is removed and the recovery key is rotated.

I’ve looked through the server logs but can’t find anything that seems to indicate an issue. Time on the server and device is correct. I am proxying BW through HAProxy in case that matters.

Any help/thoughts on these issues is appreciated.

Ok, more digging on my part, guess I didn’t look at the logs thoroughly enough… I think I’ve discovered the issue for all but the improper 2FA recovery redirect…

Looking at the /opt/bitwarden/bwdata/logs/identity/Identity log when attempting to log in using Google Auth, I noticed this error:

 [Fatal] Unhandled exception: "535: 5.7.8 Username and Password not accepted. Learn more at
5.7.8  https://support.google.com/mail/?p=BadCredentials o20-20020a170902779400b001bd62419744sm2551438pll.147 - gsmtp"

So, Bitwarden wasn’t able to send an email (to notify of a new login) because the Google SMTP login was invalid. The second login attempt didn’t produce the error, so it looks like the first time it tries to send the notification, fails, errors out, no login. The second time it doesn’t try to send the notification and the login is successful.

This makes sense because I recently switched to Google’s Advanced Protection, which invalidates all app passwords… I didn’t think it explained this issue, which has been occurring over the last several months, but it’s entirely possible I inadvertently deleted the app password BW was using during one of my periodic cleanups of app passwords (doh!).

I fixed the SMTP credentials and everything is working as it should…

This explains the 2FA errors, and the error that was showing when using the recovery code. It seems that invalid SMTP info will cause 2FA to fail the first time, and cause BW to erroneously report that there was an error when using the recovery code (which, to be fair, there was, but not one that should make the user think something horrible went wrong).

Oh, one other thing.

In the identity log I’m seeing this error:

[Error] Request to “https://push.bitwarden.com/push/register” is unsuccessful with status of BadRequest-“Bad Request”

It does not seem to be affecting anything, but it seems odd…
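The two log signatures discussed in this thread (the SMTP 535 authentication failure that surfaced as an unhandled exception on the first 2FA login attempt, and the BadRequest from push.bitwarden.com/push/register) are easy to miss in a busy Identity log. The script below is an added example, not code from the original post or from Bitwarden: it splits an Identity log into entries (treating lines that do not start with a `[Level]` tag as continuations, since the SMTP exception in the post spans two lines), classifies each entry, and summarises what it found. The sample log embedded in it is constructed for the example, modelled on the lines quoted above; the regexes and the assumption that every real entry begins with a bracketed level tag are mine, so adjust them if your log format differs.

```python
"""Triage a self-hosted Bitwarden Identity log for the failures discussed above.

Added example (not from the original post or from Bitwarden). Assumptions:
  * every log entry starts with a bracketed level tag such as [Fatal] or [Error];
    lines without one are continuation lines of the previous entry;
  * SMTP failures appear as 'Unhandled exception: "<code>: <enhanced-code> <text>"'.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the lines quoted in the post (the two
# "Authentication succeeded" lines are filler and not real Bitwarden output).
SAMPLE_LOG = """\
[Information] Authentication succeeded for user (constructed line)
[Fatal] Unhandled exception: "535: 5.7.8 Username and Password not accepted. Learn more at
5.7.8  https://support.google.com/mail/?p=BadCredentials o20-20020a170902779400b001bd62419744sm2551438pll.147 - gsmtp"
[Error] Request to “https://push.bitwarden.com/push/register” is unsuccessful with status of BadRequest-“Bad Request”
[Information] Authentication succeeded for user (constructed line)
"""

ENTRY_START_RE = re.compile(r"^\s*\[(Fatal|Error|Warning|Information|Debug|Verbose)\]")
# SMTP reply: 3-digit code, enhanced status code (x.y.z), then server text.
SMTP_REPLY_RE = re.compile(r'Unhandled exception: "(\d{3}):\s*(\d\.\d\.\d)\s+([^"]*)"')
# Push relay registration failure; the forum rendering uses curly quotes, so accept both.
PUSH_RE = re.compile(
    r'Request to [“"](?P<url>https?://[^”"]+)[”"] is unsuccessful with status of (?P<status>\w+)'
)


@dataclass
class Finding:
    kind: str
    level: str
    detail: str
    advice: str


def split_entries(log_text: str) -> List[str]:
    """Group raw lines into entries; a line without a level tag continues the previous one."""
    entries: List[str] = []
    for line in log_text.splitlines():
        if ENTRY_START_RE.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += "\n" + line.strip()
    return entries


def classify(entry: str) -> Optional[Finding]:
    """Map one log entry to a Finding, or None if it is not one of the known signatures."""
    m = ENTRY_START_RE.match(entry)
    level = m.group(1) if m else "Unknown"

    smtp = SMTP_REPLY_RE.search(entry)
    if smtp:
        code, enhanced, text = smtp.groups()
        detail = f"{code} {enhanced} {text.splitlines()[0]}"
        if code == "535":
            return Finding(
                "smtp_auth_failed", level, detail,
                "SMTP login rejected while sending mail. In the post this blocked the first "
                "2FA login attempt; check the SMTP username/password in the Bitwarden config "
                "(a revoked Google app password is a likely cause).",
            )
        return Finding("smtp_error", level, detail, "Non-auth SMTP failure; inspect the server reply.")

    push = PUSH_RE.search(entry)
    if push:
        return Finding(
            "push_register_failed", level, f"{push['url']} {push['status']}",
            "Push relay registration was rejected; the post observed no user-visible effect.",
        )

    if level == "Fatal":
        return Finding("unhandled_exception", level, entry.splitlines()[0], "Unclassified fatal entry; read it.")
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the classified findings for a whole log, in log order."""
    return [f for f in (classify(e) for e in split_entries(log_text)) if f is not None]


def summarize(findings: List[Finding]) -> Counter:
    """Count findings by kind, e.g. {'smtp_auth_failed': 1, 'push_register_failed': 1}."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    # Usage: python triage.py [/opt/bitwarden/bwdata/logs/identity/Identity/<logfile>]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = triage(text)
    for f in found:
        print(f"[{f.level}] {f.kind}: {f.detail}\n    -> {f.advice}")
    print(dict(summarize(found)))
```

Pointing it at the real Identity log directory (one file at a time) right after a failed first login attempt is the quickest way to confirm whether the same SMTP rejection is the cause on another install; a `smtp_auth_failed` finding at `[Fatal]` level is the signature the post traced to the credential problem.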