Vaultwarden Emergency access Unlimited Loading

Hello Vaultwarden Team,

I would like to bring to your attention a recurring issue I’ve encountered with the “Emergency Contact” feature in Vaultwarden.

Context: I am part of a collaborative Vaultwarden instance, which I use with my family and a few friends. We are about ten users sharing the same server and using the “Emergency Contact” feature for added security.

Issue: Recently, I added a third emergency contact to my account. Since then, the web interface shows indefinite loading when I try to access the settings for this feature. This UI issue effectively locks me out from managing my emergency contacts. Before the blockage I had 2 emergency contacts and a user added me as an emergency contact. I accepted by email and after the green message when connecting to Bitwarden, infinite loading was present.

Consequence: The only workaround I’ve found so far is to reset my account. As you can imagine, this is not a viable long-term solution.

This issue has happened twice, and resetting the account seems to be the only way to regain access to the emergency contact settings. However, this comes at the cost of data loss and the considerable effort to reconfigure everything.

I would be happy to provide further details or logs if needed to assist in resolving this bug. Thank you in advance for your attention to this matter.

Diagnostics

Versions
* Server Installed (Ok): 1.29.2
* Server Latest: 1.29.2
* Web Installed: 2023.7.1
* Database: SQLite: 3.41.2

Checks
* OS/Arch: linux / x86_64
* Running within Docker: Yes (Base: Debian)
* Environment settings overridden: Yes
* Uses a reverse proxy: Yes
* IP header (Match): Config/Server: X-Real-IP
* Internet access (Ok): Yes
* Internet access via a proxy: No
* DNS (github.com): Ok
* Date & Time (Local): Server: 2023-10-29 11:22:43 +00:00
* Date & Time (UTC) (Server/Browser Ok, Server NTP Ok, Browser NTP Ok):
  * NTP: 2023-10-29 11:22:43 UTC
  * Server: 2023-10-29 11:22:43 UTC
  * Browser: 2023-10-29 11:22:44 UTC
* Domain configuration: Match, HTTPS

Diagnostic

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.29.2
* Web-vault version: v2023.7.1
* OS/Arch: linux/x86_64
* Running within Docker: true (Base: Debian)
* Environment settings overridden: true
* Uses a reverse proxy: true
* IP Header check: true (X-Real-IP)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: true
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.41.2
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
<details><summary>Show Running Config</summary>

**Environment settings which are overridden:** ADMIN_TOKEN


```json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************************",
  "domain_origin": "*****://************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Bitwarden DominArsen",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 30000,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "Bitwarden DominArsen",
  "smtp_host": "*****************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 360,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 30000,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

</details>

Best regards,

What do the server logs say when you try to load the emergency contacts overview? And does the browser console return any errors?

Hi @stefan0xC

thanks for your help;

The web interface lets the dot symbol rotate infinitely.
With Synology Container Manager, the following is written in the log: “content
2023/10/29 15:05:37 stdout [2023-10-29 14:05:37.076][response][INFO] (get_contacts) GET /api/emergency-access/trusted => 500 Internal Server Error”

For other users, the “emergency contact” functionality continues to work. To prevent friends and family from crashing the function, they no longer use it.

Log extract from when I log in and send the emergency contact request, plus my validation

2023/10/29 12:10:51	stdout	  10: rocket::server::hyper_service_fn::{{closure}}::{{closure}}
2023/10/29 12:10:51	stdout	   9: rocket::server::<impl rocket::rocket::Rocket<rocket::phase::Orbit>>::route::{{closure}}
2023/10/29 12:10:51	stdout	   8: vaultwarden::api::core::emergency_access::get_contacts::into_info::monomorphized_function::{{closure}}
2023/10/29 12:10:51	stdout	   7: vaultwarden::db::models::emergency_access::EmergencyAccess::to_json_grantee_details::{{closure}}
2023/10/29 12:10:51	stdout	   6: core::option::expect_failed
2023/10/29 12:10:51	stdout	   5: core::panicking::panic_fmt
2023/10/29 12:10:51	stdout	   4: rust_begin_unwind
2023/10/29 12:10:51	stdout	   3: std::sys_common::backtrace::__rust_end_short_backtrace
2023/10/29 12:10:51	stdout	   2: std::panicking::begin_panic_handler::{{closure}}
2023/10/29 12:10:51	stdout	   1: std::panicking::rust_panic_with_hook
2023/10/29 12:10:51	stdout	   0: vaultwarden::init_logging::{{closure}}
2023/10/29 12:10:50	stdout	[2023-10-29 11:10:50.989][panic][ERROR] thread 'rocket-worker-thread' panicked at 'Grantee user not found.': src/db/models/emergency_access.rs:88
2023/10/29 12:10:50	stdout	[2023-10-29 11:10:50.961][request][INFO] GET /api/emergency-access/trusted
2023/10/29 12:10:49	stdout	[2023-10-29 11:10:49.244][response][INFO] (get_twofactor) GET /api/two-factor => 200 OK
2023/10/29 12:10:49	stdout	[2023-10-29 11:10:49.244][response][INFO] (profile) GET /api/accounts/profile => 200 OK
2023/10/29 12:10:49	stdout	[2023-10-29 11:10:49.242][request][INFO] GET /api/two-factor
2023/10/29 12:10:49	stdout	[2023-10-29 11:10:49.242][request][INFO] GET /api/accounts/profile
2023/10/29 12:10:49	stdout	[2023-10-29 11:10:49.136][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:49	stdout	[2023-10-29 11:10:49.136][request][INFO] GET /api/config
2023/10/29 12:10:47	stdout	[2023-10-29 11:10:47.504][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:47	stdout	[2023-10-29 11:10:47.504][request][INFO] GET /api/config
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.844][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.844][request][INFO] GET /api/config
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.669][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.669][request][INFO] GET /api/config
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.632][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.542][request][INFO] GET /api/sync?excludeDomains=true
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.492][response][INFO] (login) POST /identity/connect/token => 200 OK
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.489][request][INFO] POST /identity/connect/token
2023/10/29 12:10:46	stdout	[2023-10-29 11:10:46.412][response][INFO] (accept_invite) POST /api/emergency-access/<emer_id>/accept => 200 OK
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.756][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.756][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 192.168.1.1
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.756][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.747][request][INFO] POST /api/emergency-access/f8697ba8-7347-424c-a84b-908f60803358/accept
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.719][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.719][request][INFO] GET /api/config
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.716][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.716][request][INFO] GET /api/config
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.696][response][INFO] (login) POST /identity/connect/token => 200 OK
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.696][vaultwarden::api::identity][INFO] User *******@gmail.com logged in successfully. IP: ***.***.*.*
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.606][request][INFO] POST /identity/connect/token
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.014][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
2023/10/29 12:10:45	stdout	[2023-10-29 11:10:45.014][request][INFO] POST /identity/accounts/prelogin
2023/10/29 12:10:33	stdout	[2023-10-29 11:10:33.793][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
2023/10/29 12:10:33	stdout	[2023-10-29 11:10:33.792][request][INFO] GET /api/devices/knowndevice
2023/10/29 12:10:30	stdout	[2023-10-29 11:10:30.151][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:30	stdout	[2023-10-29 11:10:30.151][request][INFO] GET /api/config
2023/10/29 12:10:30	stdout	[2023-10-29 11:10:30.081][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 12:10:30	stdout	[2023-10-29 11:10:30.080][request][INFO] GET /api/config
2023/10/29 12:10:09	stdout	[2023-10-29 11:10:09.986][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
2023/10/29 12:10:09	stdout	[2023-10-29 11:10:09.884][request][INFO] GET /api/sync
2023/10/29 12:10:08	stdout	[2023-10-29 11:10:08.367][response][INFO] (login) POST /identity/connect/token => 200 OK
2023/10/29 12:10:08	stdout	[2023-10-29 11:10:08.364][request][INFO] POST /identity/connect/token
2023/10/29 12:10:08	stdout	[2023-10-29 11:10:08.339][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
2023/10/29 12:10:08	stdout	[2023-10-29 11:10:08.339][request][INFO] GET /api/accounts/revision-date
2023/10/29 12:10:08	stdout	[2023-10-29 11:10:08.265][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
2023/10/29 12:10:08	stdout	[2023-10-29 11:10:08.264][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from 192.168.1.1
2023/10/29 12:10:08	stdout	[2023-10-29 11:10:08.264][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
2023/10/29 12:09:30	stdout	[2023-10-29 11:09:30.088][response][INFO] (get_grantees) GET /api/emergency-access/granted => 200 OK
2023/10/29 12:09:30	stdout	[2023-10-29 11:09:30.087][request][INFO] GET /api/emergency-access/granted
2023/10/29 12:09:30	stdout	[2023-10-29 11:09:30.080][response][INFO] (get_contacts) GET /api/emergency-access/trusted => 200 OK
2023/10/29 12:09:30	stdout	[2023-10-29 11:09:30.079][request][INFO] GET /api/emergency-access/trusted
2023/10/29 12:09:30	stdout	[2023-10-29 11:09:30.072][response][INFO] (send_invite) POST /api/emergency-access/invite => 200 OK
2023/10/29 12:09:29	stdout	[2023-10-29 11:09:29.408][request][INFO] POST /api/emergency-access/invite
2023/10/29 12:09:05	stdout	[2023-10-29 11:09:05.301][response][INFO] (get_grantees) GET /api/emergency-access/granted => 200 OK
2023/10/29 12:09:05	stdout	[2023-10-29 11:09:05.300][request][INFO] GET /api/emergency-access/granted
2023/10/29 12:09:05	stdout	[2023-10-29 11:09:05.292][response][INFO] (get_contacts) GET /api/emergency-access/trusted => 200 OK
2023/10/29 12:09:05	stdout	[2023-10-29 11:09:05.291][request][INFO] GET /api/emergency-access/trusted
2023/10/29 12:09:01	stdout	[2023-10-29 11:09:01.257][response][INFO] (profile) GET /api/accounts/profile => 200 OK
2023/10/29 12:09:01	stdout	[2023-10-29 11:09:01.256][request][INFO] GET /api/accounts/profile
2023/10/29 12:08:59	stdout	[2023-10-29 11:08:59.054][response][INFO] (profile) GET /api/accounts/profile => 200 OK
2023/10/29 12:08:59	stdout	[2023-10-29 11:08:59.053][response][INFO] (get_twofactor) GET /api/two-factor => 200 OK
2023/10/29 12:08:59	stdout	[2023-10-29 11:08:59.052][request][INFO] GET /api/two-factor

Log extract from when I log in and click on the “Emergency Contact” page

date	stream	content
2023/10/29 15:06:56	stdout	[2023-10-29 14:06:56.304][response][INFO] (config) GET /api/config => 200 OK
2023/10/29 15:06:56	stdout	[2023-10-29 14:06:56.304][request][INFO] GET /api/config
2023/10/29 15:05:37	stdout	[2023-10-29 14:05:37.076][response][INFO] (get_contacts) GET /api/emergency-access/trusted => 500 Internal Server Error
2023/10/29 15:05:37	stdout	
2023/10/29 15:05:37	stdout	  24: clone
2023/10/29 15:05:37	stdout	  23: <unknown>
2023/10/29 15:05:37	stdout	  22: std::sys::unix::thread::Thread::new::thread_start
2023/10/29 15:05:37	stdout	  21: core::ops::function::FnOnce::call_once{{vtable.shim}}
2023/10/29 15:05:37	stdout	  20: std::sys_common::backtrace::__rust_begin_short_backtrace
2023/10/29 15:05:37	stdout	  19: tokio::runtime::blocking::pool::Inner::run
2023/10/29 15:05:37	stdout	  18: tokio::runtime::task::harness::Harness<T,S>::poll
2023/10/29 15:05:37	stdout	  17: tokio::runtime::task::core::Core<T,S>::poll
2023/10/29 15:05:37	stdout	  16: tokio::runtime::scheduler::multi_thread::worker::run
2023/10/29 15:05:37	stdout	  15: tokio::runtime::context::runtime::enter_runtime
2023/10/29 15:05:37	stdout	  14: tokio::runtime::context::scoped::Scoped<T>::set
2023/10/29 15:05:37	stdout	  13: tokio::runtime::scheduler::multi_thread::worker::Context::run_task
2023/10/29 15:05:37	stdout	  12: tokio::runtime::task::harness::Harness<T,S>::poll
2023/10/29 15:05:37	stdout	  11: tokio::runtime::task::core::Core<T,S>::poll
2023/10/29 15:05:37	stdout	  10: rocket::server::hyper_service_fn::{{closure}}::{{closure}}
2023/10/29 15:05:37	stdout	   9: rocket::server::<impl rocket::rocket::Rocket<rocket::phase::Orbit>>::route::{{closure}}
2023/10/29 15:05:37	stdout	   8: vaultwarden::api::core::emergency_access::get_contacts::into_info::monomorphized_function::{{closure}}
2023/10/29 15:05:37	stdout	   7: vaultwarden::db::models::emergency_access::EmergencyAccess::to_json_grantee_details::{{closure}}
2023/10/29 15:05:37	stdout	   6: core::option::expect_failed
2023/10/29 15:05:37	stdout	   5: core::panicking::panic_fmt
2023/10/29 15:05:37	stdout	   4: rust_begin_unwind
2023/10/29 15:05:37	stdout	   3: std::sys_common::backtrace::__rust_end_short_backtrace
2023/10/29 15:05:37	stdout	   2: std::panicking::begin_panic_handler::{{closure}}
2023/10/29 15:05:37	stdout	   1: std::panicking::rust_panic_with_hook
2023/10/29 15:05:37	stdout	   0: vaultwarden::init_logging::{{closure}}
2023/10/29 15:05:37	stdout	[2023-10-29 14:05:37.018][panic][ERROR] thread 'rocket-worker-thread' panicked at 'Grantee user not found.': src/db/models/emergency_access.rs:88
2023/10/29 15:05:37	stdout	[2023-10-29 14:05:37.017][request][INFO] GET /api/emergency-access/trusted
2023/10/29 15:05:35	stdout	[2023-10-29 14:05:35.934][response][INFO] (get_twofactor) GET /api/two-factor => 200 OK
2023/10/29 15:05:35	stdout	[2023-10-29 14:05:35.933][request][INFO] GET /api/two-factor
2023/10/29 15:05:35	stdout	[2023-10-29 14:05:35.931][response][INFO] (profile) GET /api/accounts/profile => 200 OK

According to the backtrace, it fails when calling the EmergencyAccess::to_json_grantee_details() function. The panic message comes from this part:

And the function is called from the get_contacts() function here:

So as far as I understand it, this fails because there are entries in the emergency_access table with your grantor_uuid but the corresponding grantee_uuid account in users is missing. (Alternatively it could be the email as the panic message is the same.)

So I was wondering if you maybe deleted some entries manually? Or if the database could be corrupted? Or if we have a bug somewhere that causes this issue (i.e. by not deleting the entry in the emergency_access table…)

Would you be willing to run some SQL queries on your database to confirm whether it’s caused by a missing grantee_uuid or email to narrow down the issue in case it’s the latter?

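A read-only check for the two cases named in the reply above (a `grantee_uuid` with no matching account in `users`, or an invite `email` with no matching account), written as an added example that is not part of the original thread or Vaultwarden's own code. The table names `emergency_access` and `users` and the columns `grantor_uuid`, `grantee_uuid` and `email` come from the thread; the `uuid` key columns, the case-insensitive email comparison and the sample rows are assumptions made for the illustration.

```python
import sqlite3
from pathlib import Path

# Lists emergency_access rows whose grantee cannot be resolved in users.
# Assumption: both tables have a `uuid` key column; emails compare
# case-insensitively. Nothing is modified by this query.
ORPHAN_QUERY = """
SELECT ea.uuid,
       ea.grantor_uuid,
       CASE WHEN ea.grantee_uuid IS NOT NULL
            THEN 'grantee_uuid not in users'
            ELSE 'email not in users' END AS reason,
       COALESCE(ea.grantee_uuid, ea.email) AS dangling_ref
FROM emergency_access AS ea
WHERE (ea.grantee_uuid IS NOT NULL
       AND NOT EXISTS (SELECT 1 FROM users u WHERE u.uuid = ea.grantee_uuid))
   OR (ea.grantee_uuid IS NULL AND ea.email IS NOT NULL
       AND NOT EXISTS (SELECT 1 FROM users u
                       WHERE lower(u.email) = lower(ea.email)))
ORDER BY ea.uuid
"""

def open_readonly(path):
    """Open an SQLite file so that the check cannot write to it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def find_orphans(conn):
    """Return (row uuid, grantor_uuid, reason, dangling reference) tuples."""
    return list(conn.execute(ORPHAN_QUERY))

def build_sample_db():
    """Constructed sample data: two healthy rows and two dangling ones."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE emergency_access (
            uuid TEXT PRIMARY KEY, grantor_uuid TEXT NOT NULL,
            grantee_uuid TEXT, email TEXT);
        INSERT INTO users VALUES
            ('u-alice', 'alice@example.test'),
            ('u-bob',   'bob@example.test');
        INSERT INTO emergency_access VALUES
            ('ea-1', 'u-alice', 'u-bob',   NULL),                 -- healthy
            ('ea-2', 'u-alice', 'u-carol', NULL),                 -- account gone
            ('ea-3', 'u-alice', NULL, 'dave@example.test'),       -- no such email
            ('ea-4', 'u-bob',   NULL, 'Alice@example.test');      -- healthy
    """)
    return conn

if __name__ == "__main__":
    for row in find_orphans(build_sample_db()):
        print(row)
```

On a real instance, point `open_readonly()` at a backup copy of the SQLite database file rather than the live one; any row it returns is a candidate for the record that makes `GET /api/emergency-access/trusted` fail.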

Hello,

I thank you for your message. I would like to clarify that I am not a developer and do not know how to delete entries manually or interact with the system beyond using the features provided by the client interface or that of Synology and "Container Manager" in the interface. I will execute the commands or follow the instructions you provide me in order to elude the mystery.

Please feel free to guide me through the steps you would like me to take, and I will do my best.