vvondra / bitwarden-serverless Goto Github PK

I see in the README that the webvault login and some other features work.

When I go to /prod I get the error "Missing Authentication Token" and when I go to any of the API paths such as /prod/api/accounts/keys I get the error Not Found.

How can I access the login page for the web vault login page? What is the url?

This implementation hosts cipher deletion at DELETE /api/ciphers/{uuid} but the Bitwarden client (at least, latest Firefox extension version 1.45.0 and seemingly the iOS app) makes the request to PUT /api/ciphers/{uuid}/delete which results in a 404 from API Gateway.

I haven't done enough digging to determine whether this is a change made in Bitwarden or it's always been like this but I assume the former based on this test case. Might look into mapping the newer route when I get back from vacation, but this is admittedly not a frequently used bit of functionality.

Repro Steps

Try to delete a vault entry using the latest Firefox extension. Network inspector for the Bitwarden extension:

Cloning the request with /delete removed from the URI and changing the method to DELETE works as expected:

I'd like to be able to set globalSettings__disableUserRegistration to true but cannot find if the config file ever gets set?

The request to the register endpoint provides them but they are not being saved by the handle function.

There seem to be a few things needed for full compatibility with the Angular web vault:

Up-to-date list of missing features

• verify create/update cipher works
• profile section is missing endpoints
• 2fa configuration is missing endpoints
• custom domain settings is not supported at all
• ... other thing not yet discovered

Typing the AWS API Gateway domain name can be tedious an error prone, it's possible to add your own custom domain on top of it, but there are extra steps required.

• Check if the process can be (mostly) automated with serverless
• Document how to set up the CNAME and certificate in README

deleted

While was deploying this program to aws, I encountered an error as I did not setup sufficient permission. When I deploy the second time, I encountered various deploy error like

 Serverless Error ---------------------------------------

  An error occurred: IamRoleLambdaExecution - bitwarden-serverless-prod-us-east-1-lambdaRole already exists.

and

 Serverless Error ---------------------------------------

  An error occurred: FoldersTable - bitwarden-serverless-prod-folders already exists.

I have to delete the all the tables and roles before continue. Is it possible to check if bitwarden-serverless-prod-folders is empty before directly aborting the deployment? The deployment process should be idempotent.

Using 1.1 I was unable to register using the Bitwarden mac app. iOS worked though.

Error was "supply a valid key"

There should be a necessary cooldown period after X attempts at logging in

The easiest way seems to be to enable a API Gateway Usage Plan or method level throttling. Something like 1 request per second and 1000 call bucket size

Existing Lastpass users should be able to migrate to this stack from the CSV export provided by Lastpass

vault.bitwarden.com

I deployed a version, now i want import my passwords from chrome - but need to login to web vault. Is this possible?

First, thanks for the great work done on this project!

I am having some issues however, with 2FA. The initial error, which I've since possibly worked around, was the issue "Email not supplied" when passing the email into the two_factor_auth.sh, as seen in the image below...

Notice, I added an echo in the script to see what values it was passing.

I then went and edited the script by adding a space after -d so it would pass the correct value along for email. After that, the URL seemed to just be a Base64 encoded string...

I then decoded the string into an image using https://codebeautify.org/base64-to-image-converter.

At this point, 2FA is active on my account and Authy can generate tokens. However, at this point, I cannot login the account in either the Chrome Add-on or the CLI .

bw login [email protected] --method 0 --code 340021
? Master password: [hidden]
(node:2103) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'message' of null
    at Function.error (/usr/local/lib/node_modules/@bitwarden/cli/build/bw.js:21317:33)
    at commands_login_command_LoginCommand.<anonymous> (/usr/local/lib/node_modules/@bitwarden/cli/build/bw.js:23231:33)
    at Generator.throw (<anonymous>)
    at rejected (/usr/local/lib/node_modules/@bitwarden/cli/build/bw.js:23101:65)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
(node:2103) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 2)
(node:2103) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

I have since been locked out of my Bitwarden and unable to find a resolution. Any advice is greatly appreciated!

Hi @vvondra. Thanks for making this solution available to the open source community. I'm pretty excited to implement it for myself -- I'm thinking about using your project to set up my own instance of 'serverless bitwarden' in the cloud as a replacement to a local KeypassX file that I've saved in Dropbox for some time.

As a general practice, I try to think about security in all things I do that involve the cloud and solutions in general, and as I considered implementing your solution, I realized that I immediately had some
concerns.

Effectively, a password safe is used to store my keys to kingdoms, so to speak, so it makes sense to be particularly careful with trusting this app.

I am unfamiliar with node, so I wasn't sure how to determine that the code was safe to run. Ultimately, I plan on going through the code line-by-line as I don't see any other way of verifying that the code is truly safe to run.

However, I think vulnerabilities in the software dependencies used by the project can be scanned. To this end, I'm working through getting the OWASP dependency checker working against the project, and I've successfully scanned the project with sonarcloud.io. ( It got an 'A' from Sonarcloud -- no vulnerabilities detected, at the time I scanned it. )

Originally, I had planned to do all of this as an independent project. But then it occurred to me that it your project could benefit from any steps I took and documented, if I approached this as an opportunity to share on your project instead.

Have you given any thought to what a member of the open source community might need to do to prove for themselves that your app is safe to trust? As mentioned, I'm willing to document the steps that I take as I walk through this process myself. I'm just looking for any ideas that you might have that I didn't think of.

Thanks for you time!

I am doing a 1password CLI import and it appears to work (as well as it does using web vault). But the result is this:
{"success":false,"message":"Cannot read property 'message' of null"}

I don't see any errors in the Cloudwatch logs, so I'm thinking its a miscommunication between the bitwarden CLI and the import API?

Currently the implementation for import is to send the unencrypted import CSV to lambda.

• Beyond API gateway, this data is completely unencrypted and could be sniffed by whatever evil traffic analysis AWS is probably doing.
• Even if you trust AWS, there is still the issue that the lambda echoes requests into the logs, which means all your passwords get written to CloudWatch forever.

To fix this, I have opened bitwarden/cli#18 to do proper client-side encryption. After that gets merged, I propose re-writing the import lambda to function just like bitwarden/core's import such that bitwarden-serverless will be compatible with the CLI and web vault's import.

Until that time, It would probably be best to remove the import code altogether.

When accessing the instance directly, I can login and use the web vault like normal. However, when accessing through Cloudfront, the page loads and looks normal...but I get two errors:

An error has occurred.
An unexpected error has occurred.

Logged out
Your login session has expired.

Are there special settings that need to be set in Cloudfront?

Hello, first of all thanks for the great code. I deployed it and confirmed that it works well with desktop app (on mac OS). However when I try to login on iOS using the login created on desktop app it gives me the "Internal error". I wish I had more debug details, but I don't.

With this said - if I sign up for a new account using iOS app it goes through and I can then login using desktop app. But I still cannot login using iOS app, even if I signed up using iOS app.

Any ideas on what to try next or how to debug it further?

hello

i didn't use aws till now and afer searcing the er for days i need to ask

woud it be posibel to ofer me a more(step by step) description what i need to do to deploy it?

Hey incredible tool, seems to be exactly what I want.

I was able to set it up but I am unable to import a BitWarden CSV into my own self hosted instance.

I seem to be getting a serverless error.

Serverless Error ---------------------------------------

Trying to populate non string value into a string for variable ${opt:stage, self:provider.stage}. Please make sure the value of the property is a string.

Get Support --------------------------------------------
Docs: docs.serverless.com
Bugs: github.com/serverless/serverless/issues
Issues: forum.serverless.com

My guess there was something wrong with import.sh. Unfortunately I'm not very knowledgeable about BASH but I'm curious about a few particular lines.

Line 11 and 12

stage=${STAGE:-prod}
region=${STAGE:-us-east-1}

Correct me if I'm wrong, but I believe these lines check to see if STAGE is set, if not it defaults to prod. Why is the same variable being checked for both stage and region?

Line 43

serverless invoke -s $STAGE -r $REGION -f import_${provider}

Where is the variable $STAGE coming from when we're using $stage and $region (From my understanding $STAGE is not guaranteed to be set).

Anyways, I don't know much about bash so I'd appreciation a clarification on that. It seems serverless is not properly receiving the stage option and that is blocking me from importing my BitWarden CSV.

Is it possible to enable the admin page to manage users? Additionally, it would be interesting if it's possible to send mails to the users e.g. reset password. Both are features of https://github.com/dani-garcia/bitwarden_rs/ but it would be helpful to use the serverless architecture to save money 👍

Hi @vvondra ,
This is pretty cool. I'm reading up on the instructions on how to set this up. Are the instructions as written using DynamoDB client-side or server-side encryption? This link has more details. I have a preference for AWS not to keep my encryption key, and for me to manage it by myself.

I'm a (very) beginner coder / scripter, so I wonder how easy it would be to change to using client-side encryption?

Thanks,
Mike Jones

Your Environment Information ---------------------------
Operating System: linux
Node Version: 14.13.1
Framework Version: 2.8.0
Plugin Version: 4.1.1
SDK Version: 2.3.2
Components Version: 3.2.4

$ ./two_factor.sh Please provide the e-mail of the user you want to setup 2FA for: [email protected] Serverless: Configuration warning: Serverless: at root: unrecognized property 'default_cors' Serverless: at 'service': unrecognized property 'tableDeletionPolicy' Serverless: at 'functions.login.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.prelogin.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.profile.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.profile_put.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.keys.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.register.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.accounts_revision_date.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.device_push_token.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.sync.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.cipher_post.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.cipher_put.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.cipher_delete.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.folder_post.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.folder_put.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.folder_delete.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.import.events[0].http.cors': unrecognized property 'allowMethods' Serverless: at 'functions.default.events[0].http.cors': unrecognized property 'allowMethods' Serverless: Serverless: Learn more about configuration validation here: http://slss.io/configuration-validation Serverless: "ERROR: TypeError: Cannot read property 'set' of undefined" Copy the URL above into your browser, scan the QR code in your authenticator app, and enter a code once to verify:

I'm not sure if the default_cors definition is causing the TypeError in the serverless run or not.
I replaced all of the includes with "cors: yes"
but then:
Serverless: Configuration warning:
Serverless: at 'service': unrecognized property 'tableDeletionPolicy'
Serverless: at 'functions.login.events[0].http.cors': should be object
Serverless: at 'functions.login.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.prelogin.events[0].http.cors': should be object
Serverless: at 'functions.prelogin.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.profile.events[0].http.cors': should be object
Serverless: at 'functions.profile.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.profile_put.events[0].http.cors': should be object
Serverless: at 'functions.profile_put.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.keys.events[0].http.cors': should be object
Serverless: at 'functions.keys.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.register.events[0].http.cors': should be object
Serverless: at 'functions.register.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.accounts_revision_date.events[0].http.cors': should be object
Serverless: at 'functions.accounts_revision_date.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.device_push_token.events[0].http.cors': should be object
Serverless: at 'functions.device_push_token.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.sync.events[0].http.cors': should be object
Serverless: at 'functions.sync.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.cipher_post.events[0].http.cors': should be object
Serverless: at 'functions.cipher_post.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.cipher_put.events[0].http.cors': should be object
Serverless: at 'functions.cipher_put.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.cipher_delete.events[0].http.cors': should be object
Serverless: at 'functions.cipher_delete.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.folder_post.events[0].http.cors': should be object
Serverless: at 'functions.folder_post.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.folder_put.events[0].http.cors': should be object
Serverless: at 'functions.folder_put.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.folder_delete.events[0].http.cors': should be object
Serverless: at 'functions.folder_delete.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.import.events[0].http.cors': should be object
Serverless: at 'functions.import.events[0].http.cors': unsupported configuration format
Serverless: at 'functions.default.events[0].http.cors': should be object
Serverless: at 'functions.default.events[0].http.cors': unsupported configuration format
Serverless:
Serverless: Learn more about configuration validation here: http://slss.io/configuration-validation

Hello,

I'm very interested by your project. I have the same issue as you, I don't trust my own server availability for this critical resource.

I only known AWS from name, your project made me to check a little more on AWS.

Just to fully understand, you're planning to use :

• AWS API gateway -> to manage the http request
• AWS Lambda -> to retrieve the data from the DB
• AWS dynamodb -> as the DB

Is that correct ?

Your code is for the 3 above or just AWS Lambda ? Why using Node.js and not python for this "Engine" ?

Last question, if you plan to add the web vault, in which AWS solution it will be ?

Sorry for all this question. I'd like to fully understand before participating.
I added the web vault compatibility to JCS/bitwarden-ruby. So maybe I could help here.

Thanks.

I am getting "Unexpected token N in JSON at position 0" error when I request the master password hint using the bitwarden firefox extention

I just created a bitwarden serverless stack and downloaded the most recent version of Bitwarden on the Google Play store. I entered the URL into the Android client as:

https://X.amazonaws.com/prod

I left all the other URLs blank under "CUSTOM ENVIRONMENT":
Web Vault Server URL
API Server URL
Identity Server URL
Icons Server URL

I can see that the user account was created (I see it in the DynamoDB table bitwarden-serverless-prod-users), but when I try to login, the client crashes immediately without any error message. Are there any logs on AWS that I can check to see what the issue is?

Currently the Bitwarden CLI doesn't work, a new endpoint managing user keys is needed, perhaps more:

$ bw login [email protected]
? Master password: **123***123***123****
? Two-step login code: 123123
{ FetchError: invalid json response body at https://testenv.com/api/accounts/keys reason: Unexpected token N in JSON at position 0
    at /Users/me/.nvm/versions/node/v9.4.0/lib/node_modules/@bitwarden/cli/build/bw.js:32497:32
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:160:7)
  message: 'invalid json response body at https://testenv.com/api/accounts/keys reason: Unexpected token N in JSON at position 0',
  type: 'invalid-json' }
You are logged in!

I suspect the error is caused by a simple "Not Found" message response

Support for CLI will be also needed to fix #21

Sync happens but items don't show up. Adding items works

Typically this installation will have a single user. An environment variable could disable further signups.

There is evidently a new prelogin endpoint... You can see it mentioned in the release notes in https://github.com/bitwarden/browser/releases

The implementation is in jslib.

Request: POST /api/accounts/prelogin
Request body: {email: "[email protected]"}

Response Body: {"Kdf":0,"KdfIterations":5000}

This is a breaking change that will prevent login, but it should be easy enough to fix.....

Inspiration for CSV import is already ready from Lastpass and Bitwarden formats.

The 1Password is a little different, but it should still be straightforward.

I do not currently see any ciphers being loaded using the newest Android build in Play Store.

Only have access to 1 iPhone to test this on, but I'm experiencing an immediate crash in iOS after a successful login. The CloudWatch logs show a perfectly good login, but my iPhone app is crashing.

Curiously, the iPad version is able to log in. iPhone works with the regular bitwarden hosted backend.

I don't have a Macbook to try the app in debug mode, unfortunately. Sorry for the vague issue.

Just reinstalled an OS and now having that issue. Initial authentication works fine, but then when I try to unlock an existing vault I get "Invalid Master Password".

Here's an error from keys lambda:

{
    "errorType": "TypeError",
    "errorMessage": "Cannot read property 'split' of undefined",
    "stack": [
        "TypeError: Cannot read property 'split' of undefined",
        "    at Runtime.a [as handler] (/var/task/src/keys.js:9:500652)",
        "    at Runtime.handleOnce (/var/runtime/Runtime.js:66:25)"
    ]
}

Initially I thought it might be related to the wrong case of the header (https://github.com/vvondra/bitwarden-serverless/blob/master/src/keys.js#L13) - the event I looked at had lowercased content-type header: "content-type": "application/json; charset=utf-8",, but this doesn't seem to be the origin of the error on the client.

deleted

Users should be able to migrate to this stack from the existing hosted Bitwarden vault.