Android app kills session on network changes (selfhosted; split-horizon DNS; cloudflare tunnels)
Steps To Reproduce
- Login to BW using self-hosted environment at vault.${mysite}.com on local network
- Exit BW Android app
- Leave local network for cellular network
- Sign into BW app
- Attempt a sync via the dropdown menu
- Brought back to signin page with a toast message of: "Your login session has expired."
- Re-enter master password as requested, which fails with "An error has occurred."
Expected Result
Sync should fail, but session should not be terminated, just as if I were in airplane mode (which works fine). Cached passwords should still be usable.
Actual Result
Sync fails and session is terminated. Cached data is not used.
Screenshots or Videos
No response
Additional Context
Hello!
I run vaultwarden on my local network at vault.${mysite}.com, which internally resolves to the local IP of my home server. vaultwarden is reverse proxied via Caddy. I also expose this page via a Cloudflare tunnel, such that external access requires a client certificate and logging in via Cloudflare Access. Exposing the BW web UI via CF tunnels is a convenience/backup (ex: to sign in on my work computer, which intentionally does not have the BW browser extension/client).
So, that is, on my home network vault.${mysite}.com resolves to a local IP, and outside my home network, it resolves to a Cloudflare IP.
I synchronize my Android phone when I'm at home, and use the cached passwords when I'm not at home since syncing expectedly does not work because of Cloudflare's auth + client cert enforcement.
As noted above, when a sync attempt is performed outside my home network, the bitwarden app kills my session and I can't access it again via the app until I get home.
I did find that if I get rid of all the CF stuff, such that vault.${mysite}.com does not have a public IP, and I try to sync when not on my local network, I get a toast of "Syncing complete." but the session is NOT terminated and the cached passwords persist. This is the behavior I'd like to see in the case where Cloudflare fronts the site externally.
Operating System
Android
Operating System Version
12
Device
Pixel 6
Build Version
2022.6.1 (4795)
Beta
- [ ] Using a pre-release version of the application.
I'd be happy to share the FQDN of my site (which, if you were to attempt to access it, would present the client cert) if that would be helpful, although I'd prefer not to post it on this public page.
Hello, I am experiencing a very similar issue. My server is self-hosted on vault.example.com which goes through an NGINX reverse proxy that points to the internal IP for the Bitwarden server but only allows connections from internal IP addresses (if I try to navigate to vault.example.com in a web browser from any external network such as a cellular connection, I receive an error 403 forbidden page, as intended). When I am connected to my local network (or my VPN) it works fine, but if a vault sync occurs (either automatic or manual) when I am not on my local network then I am logged out and lose access to my passwords.
To add one potentially relevant data point: if my phone has no network connection at all (e.g. if I put it into airplane mode), then the sync process properly aborts, gives me an error (Internet Connection Required), and does not log me out. It's only if the phone has a network connection but can't properly resolve vault.example.com.
Happy to provide logs/info if someone can point to where I should retrieve them from.
I've also been looking at the issue of using a client certificate and this seems to be related to #582
I was thinking about this issue recently and decided to take another look.
I noticed this comment which states:
You should only be logged out if the server returns a 401 or 403 status code from an API request.
I know that when the mobile client fails to connect for other reasons, such as an unavailable host (no IP behind the FQDN), I am not signed out.
So, what I did was set up a Cloudflare redirect rule with expression:
(http.host eq "vault.${mysite}.com" and http.user_agent contains "Bitwarden_Mobile")
which redirects to https://notreal.${mysite}.com
In effect, when the Bitwarden mobile client tries to connect outside my home network, it redirects to an FQDN which has no IPs behind it. As expected, the sync fails, but I am not logged out.
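As an added example (not code from the Bitwarden client or from anyone in this thread), here is a small stdlib-only probe you can run from outside your home network to see which of the cases described above your edge produces: an unresolvable FQDN or a connection failure (session kept) versus an HTTP 401/403 (the case the quoted comment says logs you out). The probe path `/` and the five-second timeout are assumptions; the `Bitwarden_Mobile` User-Agent substring is the one the redirect rule above keys on.

```python
import socket
import ssl
import sys
import urllib.error
import urllib.request

# Rule quoted in the thread: the mobile client only logs out on HTTP 401/403.
LOGOUT_STATUSES = {401, 403}

KEEP = "sync fails, session and cached vault kept"
LOGOUT = "logged out (edge answered 401/403, treated as an auth failure)"
SYNC_OK = "sync succeeds, session kept"


def client_action(outcome, status=None):
    """Map a probe outcome ('ok', 'http', 'dns' or 'connect') to the behaviour
    the thread reports for it. 'status' is the HTTP code when outcome == 'http'."""
    if outcome == "ok":
        return SYNC_OK
    if outcome == "http" and status in LOGOUT_STATUSES:
        return LOGOUT
    return KEEP  # DNS failure, TCP/TLS failure, or any other HTTP status


def probe(host, path="/", timeout=5):
    """Hypothetical helper: resolve and fetch https://host/path the way the phone
    would when off-net, sending the User-Agent the Cloudflare rule matches on.
    Returns (outcome, status); never raises on network errors."""
    try:
        socket.getaddrinfo(host, 443)
    except socket.gaierror:
        return ("dns", None)  # no IP behind the FQDN: the keep-session case
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"User-Agent": "Bitwarden_Mobile"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ("ok", resp.status)
    except urllib.error.HTTPError as e:
        return ("http", e.code)  # 401/403 here is what kills the session
    except urllib.error.URLError as e:
        # A redirect to an unresolvable host (the workaround above) lands here.
        return ("dns" if isinstance(e.reason, socket.gaierror) else "connect", None)
    except (ssl.SSLError, OSError):
        return ("connect", None)  # TLS/client-cert or TCP failure


if __name__ == "__main__":
    h = sys.argv[1] if len(sys.argv) > 1 else "vault.example.com"
    out, code = probe(h)
    print(f"{h}: {out} {code or ''} -> {client_action(out, code)}")
```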