Always error "Logout before server config update" when CLI run in systemd service

[marius]

Steps To Reproduce

I'm running the bitwarden CLI client in a script started by systemd to do a restore test of a backup.

Now every time I run bw config server http://127.0.0.1:55555 I get
Logout required before server config update. even when running bw logout right before the command (it says You are not logged in.).
When running the same commands in a normal user shell things work as expexted.

bw is installed via Snap on Ubuntu 24.04.

Reverting back to the previous version fixed the issue:

$ snap list bw --all
Name  Version   Rev  Tracking       Publisher   Notes
bw    2024.6.0  64   latest/stable  bitwarden✓  disabled
bw    2024.6.1  65   latest/stable  bitwarden✓  -
$ sudo snap revert bw
bw reverted to 2024.6.0

Expected Result

It should just work like in version 2024.6.0.

Actual Result

Error Logout required before server config update.

Screenshots or Videos

No response

Additional Context

I think the problem was introduced by #9347

Operating System

Linux

Operating System Version

Ubuntu 24.04

Shell

Bash

Build Version

2024.6.1

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[SergeantConfused]

Hi @marius,

Thank you for this report. Could you please walk me through how you set that script up?

Thank you in advance,

[marius]

/usr/libexec/vaultwarden-restore-test

#!/bin/bash

source /etc/resticenv
VAULT_PASSWORD=example123

set -Eeuxo pipefail

cleanup() {
  rc=$?
  cd /
  docker stop $CONTAINER
  bw logout || true
  rm -r "$WORKDIR"
  exit $rc
}

WORKDIR=$(mktemp -d)
if [[ ! -d "$WORKDIR" ]]; then
  echo "Could not create temp dir"
  exit 1
fi
cd $WORKDIR
trap cleanup EXIT

export RESTIC_PROGRESS_FPS=0.05
PARAMS='--limit-download=4000 --limit-upload=4000 --verbose'
SNAPSHOT=$(restic $PARAMS --json snapshots --tag=docker latest)
ID=$(echo $SNAPSHOT | jq -r '.[].id')
DATETIME=$(echo $SNAPSHOT | jq -r '.[].time')
TIMESTAMP=$(date --date "$DATETIME" '+%s')
if [ "$TIMESTAMP" -lt "$(date --date '2 days ago' '+%s')" ]; then
  echo "Snapshot too old"
  exit 1
fi

restic $PARAMS restore --tag=docker --include=docker/vaultwarden --target=. "$ID" 2>&1 | cat

IC=$(sqlite3 ${WORKDIR}/tank/.zfs/snapshot/backup/docker/vaultwarden/db.sqlite3 "PRAGMA integrity_check")
if [ "$IC" != ok ]; then
  echo "Integrity check of the database failed"
  exit 1
fi

docker pull vaultwarden/server
CONTAINER=$(docker run -d -it --rm --name vaultwarden-restore-test -v ${WORKDIR}/tank/.zfs/snapshot/backup/docker/vaultwarden:/data -p 127.0.0.1:55555:80 vaultwarden/server)

# Make sure we are not logged in
bw logout || true 
bw config server http://127.0.0.1:55555
set +x
SESSION=$(echo $VAULT_PASSWORD | bw --raw login test@example.com)
set -x

PASSWORD=$(bw list items --session=$SESSION | jq -r '.[0].login.password')
if [ "$PASSWORD" != restore-test ]; then
  echo "Password did not match: $PASSWORD != restore-test"
  exit 1
fi

LENGTH=$(bw list items --session=$SESSION | jq '. | length')
if [ "$LENGTH" -ne 1 ]; then
  echo "Number of items != 1"
  exit 1
fi

/etc/systemd/system/vaultwarden-restore-test.service

[Unit]
Description=Restore a backup of Vaultwarden and test it

[Service]
Type=oneshot
ExecStart=/usr/libexec/vaultwarden-restore-test

/etc/systemd/system/vaultwarden-restore-test.timer

[Unit]
Description=Run vaultwarden-restore-test regularly

[Timer]
OnCalendar=09:38

[Install]
WantedBy=timers.target

[sincerelysaucy]

That "vaultwarden-restore-test" file is really scary, with the password stored in plain text in a file that is likely set to be readable by everyone. And echoing VAULT_PASSWORD which may have syntactic suger in it like pound signs, &, quote marks, or semi-colons is just begging for password management pain in the shell scripting, in ways unlikely to occur on a normal command line.

[marius]

Well, this is, of course, a restore-test account, and the password doesn't contain any weird characters.

[SergeantConfused]

Hi @marius,

Thank you for your patience. This matter has been escalated for further investigation; If you have any additional information that you think may assist, please feel free to post it below.

Thank you again,

[petertheautomator]

I have the same issue with version 2024.7.2 of the Windows CLI.

Version 2024.6.0 works fine, so I reverted back to that one. Same symptoms as @marius is experiencing.

Command:

bw config server https://vault.bitwarden.eu --response