
HTTP 500 on /api/two-factor/yubikey for Yubico OTP keys "typed" in non-QWERTY layout

Open drdaeman opened this issue 7 years ago • 15 comments

I've just noticed that trying to register Yubikey (using Yubico OTP method) in non-QWERTY layout makes server respond with an HTTP 500 error and UI shows "An unhandled server error has occurred."

An example request, with two already registered keys (where I've switched to QWERTY; asterisks are mine, don't want to unnecessarily expose key IDs in public) and one new key (actually the same as key1, but this happens regardless of this) when I've "forgot" to switch from Dvorak:

POST /api/two-factor/yubikey
{
    "key1": "cccccc******",
    "key2": "vv**********",
    "key3": "jjjjjj*************************************",
    "masterPasswordHash": "********",
    "nfc": false
}

Results in the following response with HTTP 500 status code:

{
    "Message":"An unhandled server error has occurred.",
    "ValidationErrors":null,
    "ExceptionMessage":null,
    "ExceptionStackTrace":null,
    "InnerExceptionMessage":null,
    "Object":"error"
}

This does not happen if I provide long-enough invalid code like "abcdefghijklmnopqrstuvwxyz". In such case I get the correct HTTP 400 with ValidationErrors saying "Key3 is invalid." error response. Re-submitting the same token also makes server respond with HTTP 400. This is why I suspect this only happens with valid tokens - exactly once, because the second time replay protection would kick in and such key is rejected.

Of course, it would be best if non-QWERTY inputs would be recognized (some projects implement this with a mapping table, trying the original and a few remapped strings), but that would be a feature request. :) One way or another, I believe an unhandled exception is something worth reporting and investigating.

Sorry, I don't have enough ASP.NET experience (and spare time) to debug this myself. Just reporting the behavior I've seen on the website.

drdaeman avatar Jun 26 '18 18:06 drdaeman
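The mapping-table idea mentioned in the report above, sketched as an added example that is not part of the original post or Bitwarden's code. All names are hypothetical, the OTP is constructed, and only US Dvorak is covered; its table agrees with the `c` to `j` shift visible in the report.

```python
# Added example (not Bitwarden code). All names below are hypothetical.
MODHEX = "cbdefghijklnrtuv"  # the 16 characters a Yubico OTP uses
# What the same 16 key positions emit under US Dvorak, in MODHEX order.
# 'c' -> 'j' matches the "jjjjjj..." prefix shown in the report.
DVORAK_IMAGE = "jxe.uidchtnbpygk"

# layout name -> translation table from typed characters back to modhex
LAYOUTS = {
    "qwerty": str.maketrans(MODHEX, MODHEX),
    "us-dvorak": str.maketrans(DVORAK_IMAGE, MODHEX),
}
OTP_MIN, OTP_MAX = 32, 48  # 32-char token plus a 0-16 char public ID

# Constructed sample OTP (12-char ID + 32-char token), not a real key.
SAMPLE_OTP = "ccccccbdefgh" + "ijklnrtuvcbdefghijklnrtuvcbdefgh"


def modhex_candidates(typed: str) -> list[tuple[str, str]]:
    """Return (layout, modhex_otp) for each layout that explains the input."""
    typed = typed.strip()
    if not OTP_MIN <= len(typed) <= OTP_MAX:
        return []
    found = []
    for name, table in LAYOUTS.items():
        # maketrans keys are the code points of characters this layout emits
        if all(ord(ch) in table for ch in typed):
            found.append((name, typed.translate(table)))
    return found


def check_key_field(field: str, typed: str) -> tuple[int, object]:
    """Turn one submitted key field into (HTTP status, payload), never raising."""
    candidates = modhex_candidates(typed)
    if not candidates:
        return 400, f"{field} is invalid."
    # Assumption: the caller then submits each candidate to OTP validation
    # and reports a failure there as a 400 too, not as an unhandled error.
    return 200, candidates


if __name__ == "__main__":
    typed_on_dvorak = SAMPLE_OTP.translate(str.maketrans(MODHEX, DVORAK_IMAGE))
    print(check_key_field("Key3", typed_on_dvorak))
    print(check_key_field("Key3", "abcdefghijklmnopqrstuvwxyz"))
```

Twelve characters belong to both alphabets, so an input built only from those (for example a run of `j`) yields two candidates, which is why the original and the remapped string both have to be tried.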

I am getting the same error. Hope this problem gets fixed soon.

FabioWidmer avatar Sep 18 '18 11:09 FabioWidmer

For now you will have to temporarily switch to qwerty mode when using the YubiKey.

kspearrin avatar Sep 18 '18 11:09 kspearrin

I did that but this doesn't work for me.

FabioWidmer avatar Sep 18 '18 12:09 FabioWidmer

> For now you will have to temporarily switch to qwerty mode when using the YubiKey.

Do I understand correctly? Switching the keyboard layout? Not working for me.

I think the issue might be even different. Playing out strings in a text editor from my Yubikey there seem not to be any Zs or Ys, so maybe they disabled those switching characters? If so the issue could be completely different.

Could somebody with a working setup test against this question?

labor4 avatar Nov 04 '18 19:11 labor4

For me this was solved like this. API key was missing. Conditions:

  • hosted it myself
  • get API Key here https://upgrade.yubico.com/getapikey
  • put credentials into file "global.override.env" under keys "globalSettings__yubico__clientId" and "globalSettings__yubico__key"
  • restart bitwarden

...thereby giving your own server access to the official yubikey verification servers.

labor4 avatar Dec 04 '18 01:12 labor4

If you use mostly one non-QWERTY keyboard layout, the easiest solution may be just to reprogram your yubikey's scancodes with the new keymap using ykpersonalize.

For example, this worked to update a Yubikey 5 to us-dvorak:

ykpersonalize -S0c110b071c180d0a0619130f120e09378c918b879c988d8a8699938f928e89b7271e1f202122232425269e2b28

bradediger avatar Jul 02 '19 13:07 bradediger

Same for me

Linux 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
{"Object":"error","Message":"An unhandled server error has occurred.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null}

piotrkochan avatar Nov 03 '19 19:11 piotrkochan

Sorry, actually I'm getting 500 on the register endpoint.

piotrkochan avatar Nov 03 '19 19:11 piotrkochan

> I am getting the same error. Hope this problem gets fixed soon.

Got the bug just now so it seems that "soon" is relative...

rangzen avatar Dec 16 '20 07:12 rangzen

Hi @drdaeman, We're cleaning up our repositories in preparation for a major reorganization. Issues from last year will be marked as stale and closed after two weeks. If you still need help, comment to let us know and we'll look into it. Thanks!

bitwarden-bot avatar Apr 12 '22 19:04 bitwarden-bot

@bitwarden-bot Please robot, don't close this one. The issue is still relevant.

rangzen avatar Apr 13 '22 21:04 rangzen

Hi, @drdaeman and @rangzen! I tried to replicate this issue but with no luck. Any other information you can provide me will be appreciated!

ifernandezdiaz avatar Aug 05 '22 14:08 ifernandezdiaz

Hello @ifernandezdiaz, add the French language pack, by default in azerty keymap, everything is fine. Add a keymap like "bépo", change to this keymap, the login in Bitwarden is now impossible. Every time I use Bitwarden, I have to change from bépo to azerty, login, go back to bépo...

rangzen avatar Aug 07 '22 05:08 rangzen

I'm having the same issue with the latest Bitwarden version (2022.8.1).

EDIT: I've fixed it by using the method provided by @labor4

CryptoSiD avatar Aug 25 '22 06:08 CryptoSiD

Hello, I'm facing a different error after resolving the first problem with the solution of @labor4.

I register my Yubico 5C NFC at https://upgrade.yubico.com/getapikey. I put the credentials into file "global.override.env". I rebuild and restart bitwarden.

When I try to add a new OTP Yubico key I got the 500 error. Here is api log:

2022-11-08 20:48:21.775 +00:00 [Error] Object reference not set to an instance of an object.
System.NullReferenceException: Object reference not set to an instance of an object.
   at Bit.Core.Identity.YubicoOtpTokenProvider.ValidateAsync(String purpose, String token, UserManager`1 manager, User user) in /home/runner/work/server/server/src/Core/Identity/YubicoOtpTokenProvider.cs:line 72
   at Microsoft.AspNetCore.Identity.UserManager`1.VerifyTwoFactorTokenAsync(TUser user, String tokenProvider, String token)
   at Bit.Api.Controllers.TwoFactorController.ValidateYubiKeyAsync(User user, String name, String value) in /home/runner/work/server/server/src/Api/Controllers/TwoFactorController.cs:line 447
   at Bit.Api.Controllers.TwoFactorController.PutYubiKey(UpdateTwoFactorYubicoOtpRequestModel model) in /home/runner/work/server/server/src/Api/Controllers/TwoFactorController.cs:line 125
   at lambda_method137(Closure , Object )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)

EDIT: I'm running self-hosted Bitwarden version 2022.10.0

Anthony-95 avatar Nov 08 '22 20:11 Anthony-95