Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

License status corruption #4274

Closed
1 task done
tmmvn opened this issue Jun 25, 2024 · 4 comments
Closed
1 task done

License status corruption #4274

tmmvn opened this issue Jun 25, 2024 · 4 comments
Labels
bug bw-unified-deploy An Issue related to Bitwarden unified deployment

Comments

@tmmvn
Copy link

tmmvn commented Jun 25, 2024

Steps To Reproduce

Noticed last week while traveling, that the Bitwarden Android app was reporting no premium to allow viewing a TOTP. I now got back, and checked the admin page
Näyttökuva 2024-06-24 kello 10 45 40 ip
So somehow the premium expiration is in the future, yet there is no premium status on the user. Trying to re-upload the license downloaded from vault.bitwarden.com says the license is not supported for the user, with the server returning a 400 on /api/accounts/license.

On further debugging and looking at the license files, my guess is that changing the user email invalidated the license (the license file still has the old email). Similarly, the newly downloaded license file on bitwarden.com has a different email address, which I guess results in the 400 and invalid user.

Hopefully you are not using the email address as an identifier for users, and also don't require the self-host and bitwarden.com accounts to have the same email addresses to function properly. Emails are not immutable, and that would mean any time you change your email on the self-hosted version, you would need to re-do a license upload dance.

So hopefully just a bug.

Expected Result

User has access to premium features, or is able to re-upload a license file.

Actual Result

User has no premium features, and is unable to re-upload a license file.

Screenshots or Videos

No response

Additional Context

Tried to upgrade to 2024.6.2 to see if the issue would resolve, but nope. Android app has been auto-updating, server had not been updated from 2024.4.2. Single home / personal user, not an organization account either on bitwarden.com nor at the self-hosted server. Changed user email some time ago and quite sure after logout / login, the TOTP was still working on the mobile devices. Similarly, TOTP was still working on the browser extension, though that died today too.

Githash Version

f59c17d-dirty

Environment Details

Docker image from docker hub.

Database Image

postgres:14

Issue-Link

#2480

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@tmmvn tmmvn added bug bw-unified-deploy An Issue related to Bitwarden unified deployment labels Jun 25, 2024
@sammbw
Copy link

sammbw commented Jun 25, 2024

Hi there,

I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

@tmmvn
Copy link
Author

tmmvn commented Jun 25, 2024

I can see if I can dig up anything from logs later today if there'd be more information somewhere. Let me know if there is anything specific that would be helpful.

I might also test creating another user and seeing how that one behaves, since not having access to the 2fA codes locks me out of a fair number of services (luckily I have kept a slightly older backup in iCloud, but trickier to use with Android).

@tmmvn
Copy link
Author

tmmvn commented Jun 25, 2024

Here are a couple of errors from the runtime log that I think are related:

System.ArgumentException: An item with the same key has already been added.
 Key: 482f930e-e9e6-XXXX-XXXX-XXXXXXXXXXXX
         at System.Collections.Generic.Dictionary`2.TryInsert(TKey key, TValue value, InsertionBehavior behavior)
         at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
         at Bit.Core.Services.LicensingService.ValidateUserPremiumAsync(User user) in /source/src/Core/Services/Implementations/LicensingService.cs:line 189
         at Bit.Identity.IdentityServer.ProfileService.GetProfileDataAsync(ProfileDataRequestContext context) in /source/src/Identity/IdentityServer/ProfileService.cs:line 46
         at Duende.IdentityServer.Services.DefaultClaimsService.GetAccessTokenClaimsAsync(ClaimsPrincipal subject, ResourceValidationResult resourceResult, ValidatedRequest request) in /_/src/IdentityServer/Services/Default/DefaultClaimsService.cs:line 211
         at Duende.IdentityServer.Services.DefaultTokenService.CreateAccessTokenAsync(TokenCreationRequest request) in /_/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 191
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessRefreshTokenRequestAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 201
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 102
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 128
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 81
         at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 101

And

System.InvalidOperationException: Operations that change non-concurrent collections must have exclusive access. A concurrent update was performed on this collection and corrupted its state. The collection's state is no longer correct.
         at System.Collections.Generic.Dictionary`2.TryInsert(TKey key, TValue value, InsertionBehavior behavior)
         at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
         at Bit.Core.Services.LicensingService.ValidateUserPremiumAsync(User user) in /source/src/Core/Services/Implementations/LicensingService.cs:line 189
         at Bit.Identity.IdentityServer.ProfileService.GetProfileDataAsync(ProfileDataRequestContext context) in /source/src/Identity/IdentityServer/ProfileService.cs:line 46
         at Duende.IdentityServer.Services.DefaultClaimsService.GetAccessTokenClaimsAsync(ClaimsPrincipal subject, ResourceValidationResult resourceResult, ValidatedRequest request) in /_/src/IdentityServer/Services/Default/DefaultClaimsService.cs:line 211
         at Duende.IdentityServer.Services.DefaultTokenService.CreateAccessTokenAsync(TokenCreationRequest request) in /_/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 191
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessRefreshTokenRequestAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 201
         at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 102
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 128
         at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 81
         at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 101

@CirnoT
Copy link

CirnoT commented Jun 27, 2024

Hopefully you are not using the email address as an identifier for users, and also don't require the self-host and bitwarden.com accounts to have the same email addresses to function properly. Emails are not immutable, and that would mean any time you change your email on the self-hosted version, you would need to re-do a license upload dance.

As per https://bitwarden.com/help/licensing-on-premise/ the emails on cloud and self-hosted must match. The error seem to suggest that server is trying to upload license for different email of ID that already exists and is assigned to other user. You'll need to change your email on self-hosted instance to match cloud one and then upload new license file.

@tmmvn tmmvn closed this as completed Jul 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug bw-unified-deploy An Issue related to Bitwarden unified deployment
Projects
None yet
Development

No branches or pull requests

3 participants