Settings saved, but not (all) taken into account?

Hi there,

I am running Version 1.21.0 on Ubuntu Server 21.04. Some settings I configure via the Admin Panel are saved in the config.json, but have no effect on Vaultwarden (even after a restart of the container or the whole server).

For example on the one Organization I have created so far I enabled enforcement of 2FA, but a new User who registered can access the Organization just fine without having 2FA enabled.

Also I have set invitation_allowed to false. I can stil invite new Users.

Then I have signups_allowed set to false. You can still just sign up on the Login page and Vaultwarden sends the E-Mail.

Other settings like the SMTP settings for example are taken into account, so I am pretty sure Vaultwarden reads the config.json and of course by making the changes in the Admin Panel I can confirm that it is indeed saving the settings in the config.json.

I have no idea why only some of the settings have an effect and others do not.

Oh, and I also tried to set the signups_allowed=false via -e when starting the container, but it also did not work.

Here is the Support String, if that helps:

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.21.0
  • Web-vault version: v2.19.0d
  • Running within Docker: true
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.33.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****-****-**",
  "domain_origin": "*****://****-****-**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Password Manager",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "**********@*******.*****",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "*******.**,*******.*****",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "****-****-**@*******.**",
  "smtp_from_name": "Password Manager",
  "smtp_host": "*******-**.****.**********.*******.***",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null

You do have a 2 domains whitelisted to be allowed to signup, this overrides the signups_allowed variable.

Also, all read-only variables should be configured via the environment variables option. All others can be changed via the admin. All variables also configured via env will be overridden by the admin saved config.json.

Oh! I totally missed that in the Documentation. I removed the 2 Domains and Users can not sign up / invite on their own now. Great :slight_smile:
Thank you!

I never touched the config.json by hand by the way. Everything that is in there came from Vaultwarden / the Admin Panel. I will check if there are read-only variables though, thanks for mentioning that.

I guess I will open another one regarding the MFA issue, since it is not really related to the config.json.

MFA is enabled but organization enforcement policy has not been enforced as of yet, see Organization Two-step Login · Issue #981 · dani-garcia/vaultwarden · GitHub

This was just merged in a recent pull request Two-step login organization policy enforcement - Resolves dani-garcia/bitwarden_rs#981 by olivierIllogika · Pull Request #1604 · dani-garcia/vaultwarden · GitHub
so should be appearing in future releases hopefully soon.