Hello,
I have deployed Vaultwarden in a containerized environment with the latest image (digest sha256:e81ca01351ecf40083366202b163e7a31abca04d96e2194e9e1f78a57052f65c) and have it hosted behind a reverse proxy and authelia where /notifications or /identity resources are bypassed. This setup worked fine on an Android device with the C# client version 2024.10.0. It also worked fine with the browser extensions.
Once the Bitwarden Android client was updated to the native version written in Kotlin (for example the most recent v2025.1.0), I can log in just fine for the first time, but then after a while I can no longer sync. That is after the vault locks and I unlock it using biometrics.
I have noticed that api/accounts/revision-date is what the app uses, which gets redirected to authelia. I tried adding the bypass /api, which matches api/accounts/revision-date when I test the regex, but the traffic still gets redirected to authelia instead of being bypassed somehow. When I remove authelia altogether and visit the endpoint in a browser, I get the vaultwarden page that says authentication is required. When I do the same with authelia active though, I get an infinite redirect loop.
    # partial authelia config:
    access_control:
      default_policy: deny
      rules:
        ...
        - domain: ...
          policy: bypass
          resources:
            - '^/api([/?].*)?$'
            - '^/(notifications|identity)/.+$'
        ...
Now, I realize this may not be an issue stemming from vaultwarden, but I thought maybe someone else has run into the same issue and can help me, so any input is appreciated. Thank you for your assistance and for all the effort you put into this project.
As a side note, I am aware of issues 3970 and 3188 but these do not address the root cause.
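One way to check which rule decides a given path, added here as an example and not taken from the post or from Authelia's code: a simplified model of ordered access_control rules, run with Go's `regexp` package over the two resource patterns quoted above. It assumes first-match-wins ordering and resources matched against path plus query; the domain `vault.example.com`, the `catch-all` rule and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule is a simplified model of one access_control rule. Assumption: only
// domain, resources and policy are modelled, and the first matching rule wins.
type Rule struct {
	Name, Domain, Policy string
	Resources            []*regexp.Regexp // empty: every path on the domain
}

// Decide returns the policy for a request and the name of the rule that set it.
func Decide(rules []Rule, defaultPolicy, domain, pathAndQuery string) (string, string) {
	for _, r := range rules {
		if r.Domain != domain {
			continue
		}
		if len(r.Resources) == 0 {
			return r.Policy, r.Name
		}
		for _, re := range r.Resources {
			if re.MatchString(pathAndQuery) {
				return r.Policy, r.Name
			}
		}
	}
	return defaultPolicy, "default_policy"
}

// BypassRule carries the two resource patterns quoted in the post.
func BypassRule(domain string) Rule {
	return Rule{Name: "bypass", Domain: domain, Policy: "bypass", Resources: []*regexp.Regexp{
		regexp.MustCompile(`^/api([/?].*)?$`),
		regexp.MustCompile(`^/(notifications|identity)/.+$`),
	}}
}

func main() {
	const d = "vault.example.com"                                     // constructed domain
	early := Rule{Name: "catch-all", Domain: d, Policy: "one_factor"} // constructed rule
	for _, p := range []string{"/api/accounts/revision-date", "/api", "/apiary",
		"/identity/connect/token", "/notifications/hub?access_token=x", "/admin"} {
		alone, _ := Decide([]Rule{BypassRule(d)}, "deny", d, p)
		shadowed, by := Decide([]Rule{early, BypassRule(d)}, "deny", d, p)
		fmt.Printf("%-36s alone=%-7s after catch-all=%s (%s)\n", p, alone, shadowed, by)
	}
}
```

Replacing the constructed rules with the full rule list, in the order it appears in the configuration, shows whether the bypass entry is ever reached for `/api/accounts/revision-date`.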