data loss. user disappeared.

[bbrendon]

I'm reporting this because, well, it seems a bit important. There were 10 users, now 9. /admin lists old disabled users, but not the user that has vanished.

Version : 1.29.2

From what the user said:

Gotcha, I tried updating a password in Bitwarden since I changed a password, got an error "invalid refresh token" and I thought maybe my bitwarden wasn't synced so I manually synced it again and the timestamp changed to today which meant that it was synced up. Tried to update password again got the same "invalid refresh token". I said ok, let me try relogging back into Bitwarden, attempted a login and it kept failing. Asked it for a password hint and got no email back, usually its supposed to email u back even if you dont have one. And then I let you know that I can't get in.

I realized now I can't find an audit log. I'm going to see if something like that exists.

I'm using sqlite.

Things I've done:

• checked the normal GUI
• checked /admin.
• Looked through docker compose logs. I can't find anything interesting.
• Restarted vaultwarden. User still missing.
• Made a backup of the current broken state. - 2023-11-09_111401
• Saved output of dc logs for future reference.
• Created github issue.

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.29.2
• Web-vault version: v2023.7.1
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.41.2
• Clients used: 5 active users. 10 total
• Reverse proxy and version: nginx + LE
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_PORT, SMTP_FROM

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****************",
  "domain_origin": "*****://****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": "api- .duosecurity.com",
  "duo_ikey": " ",
  "duo_skey": "***",
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "xxxx",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": false,
  "smtp_from": "*************************",
  "smtp_from_name": "xx",
  "smtp_host": "*********",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": false,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[BlackDex]

Users can't disappear by them selfs. So either someone deleted the user, the user did it them self via https://bitwarden.com/help/account-recovery/ , or there is something wrong with the database, like a corrupt database or something. If it is a corruption, then there probably still is some evidence in the database of the users uuid or something else, if not, then it would have been a clean deletion and action done by someone.

Check the logs for delete, remove or purge, i think those are the main names for functions we used for these kind of actions.

[sammyke007]

Just FYI:
The last 2 updates I've did, I had lost all of my data.
Somehow after updating the container images, a new /v1/vw-data/ folder is created instead of /vw-data/ with a new database (thus losing your users).

My solution was copying over /vw-data/ to /v1/vw-data/

[BlackDex]

@sammyke007 then the platform you use to run containers is not very robust. Or you need to verify on how to update the containers using that platform. But that is not normal. Also, you didn't lost it, there was just a different volume created. The OP mentions a single user has disappeared, which is also strange, but not comparable.

[sammyke007]

To come back to this (and ask for forgiving me), the problem was my volume in the compose file / portainer stack...

The quoted one was the old one resulting in v1 folders while updating the stack in portainer. The new / correct one works flawless.

volumes:
  #- ./vw-data:/data
  - /opt/vaultwarden/vw-data:/data

[BlackDex]

@bbrendon did you got any more insights into what it could have been?
Something from the logs of Vaultwarden, or the reverse proxy logs maybe?

[bbrendon]

I haven't had time to look at it. This week for sure I'm going to look at it.

…

On Sun, Nov 12, 2023 at 12:17 PM Mathijs van Veluw ***@***.***> wrote: @bbrendon <https://github.com/bbrendon> did you got any more insights into what it could have been? Something from the logs of Vaultwarden, or the reverse proxy logs maybe? — Reply to this email directly, view it on GitHub <#4060 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABQR2PLTBSP5KBIHDUMNES3YEEVFNAVCNFSM6AAAAAA7FCJBMOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBXGIZDOOJXGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Kjemme]

I am a Bitwarden/Vaultwarden user in a company. I use the system more or less every weekday - and used it Friday last week (= 3 days ago). This morning all my data is gone. Both the elements shared with me by the company AND my own data. Does this sound like it has something to do with the update discussed in this thread? If yes, then what can I do /or tell the administraitor to do?

[BlackDex]

I am a Bitwarden/Vaultwarden user in a company. I use the system more or less every weekday - and used it Friday last week (= 3 days ago). This morning all my data is gone. Both the elements shared with me by the company AND my own data. Does this sound like it has something to do with the update discussed in this thread? If yes, then what can I do /or tell the administraitor to do?

No it doesn't. Data is not deleted or removed during any upgrade.
Data can be deleted by an admin, or via a recovery action executed by a user it self, or purged or anything, but not just one single user out of two or more.

It could be a database is corrupted in some way, which could make the data inaccessible for example.

The admin should check the logs for any delete or purge or remove action in the logs. And also check the integrity of the database.

And, the backups of course.

[bbrendon]

We don't have account recovery enabled.

# cat logs-vanished |grep -Ei '(delete|remove|purg)'
...
vaultwarden-bitwarden-1  | [2023-10-10 17:58:54.112][response][INFO] (delete_cipher_put) PUT /api/ciphers/<uuid>/delete => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.829][request][INFO] POST /api/accounts/delete-recover
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.848][response][INFO] (post_delete_recover) POST /api/accounts/delete-recover => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.063][request][INFO] POST /api/accounts/delete-recover-token
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.106][response][INFO] (post_delete_recover_token) POST /api/accounts/delete-recover-token => 200 OK
vaultwarden-bitwarden-1  | [2023-10-25 23:44:08.835][request][INFO] PUT /api/ciphers/d0569d6a-2a64-432c-94ce-607b24420bc3/delete
vaultwarden-bitwarden-1  | [2023-10-25 23:44:08.839][response][INFO] (delete_cipher_put) PUT /api/ciphers/<uuid>/delete => 200 OK

...

I then opened the logfile to see the full contents of around 2023-10-18 20:00:11.829

Found the below. I believe 107.142.15.16 is the IP of user as well.

vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.938][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.938][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.958][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.958][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 19:59:47.887][request][INFO] POST /identity/accounts/register
vaultwarden-bitwarden-1  | [2023-10-18 19:59:47.890][vaultwarden::api::core::accounts][ERROR] Registration not allowed or user already exists
vaultwarden-bitwarden-1  | [2023-10-18 19:59:47.892][response][INFO] (identity_register) POST /identity/accounts/register => 400 Bad Request
vaultwarden-bitwarden-1  | [2023-10-18 19:59:54.258][request][INFO] GET /api/devices/knowndevice
vaultwarden-bitwarden-1  | [2023-10-18 19:59:54.259][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 19:59:56.679][request][INFO] POST /api/accounts/password-hint
vaultwarden-bitwarden-1  | [2023-10-18 19:59:56.719][response][INFO] (password_hint) POST /api/accounts/password-hint => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.622][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.623][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.647][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.647][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.829][request][INFO] POST /api/accounts/delete-recover
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.848][response][INFO] (post_delete_recover) POST /api/accounts/delete-recover => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.066][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.067][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.074][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.074][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.063][request][INFO] POST /api/accounts/delete-recover-token
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.106][response][INFO] (post_delete_recover_token) POST /api/accounts/delete-recover-token => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:50.840][request][INFO] POST /identity/accounts/register
vaultwarden-bitwarden-1  | [2023-10-18 20:00:50.842][vaultwarden::api::core::accounts][ERROR] Registration not allowed or user already exists
vaultwarden-bitwarden-1  | [2023-10-18 20:00:50.842][response][INFO] (identity_register) POST /identity/accounts/register => 400 Bad Request
vaultwarden-bitwarden-1  | [2023-10-18 20:01:01.318][request][INFO] GET /api/devices/knowndevice
vaultwarden-bitwarden-1  | [2023-10-18 20:01:01.320][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.487][request][INFO] POST /identity/accounts/prelogin
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.488][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][request][INFO] POST /identity/connect/token
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 107.142.15.16. Username: <user_that_vanished>@domain.com.
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden-bitwarden-1  | [2023-10-18 20:01:29.818][vaultwarden::api::notifications][INFO] Accepting WS connection from 10.2.1.21:54730
vaultwarden-bitwarden-1  | [2023-10-18 20:01:39.160][request][INFO] POST /identity/connect/token
vaultwarden-bitwarden-1  | [2023-10-18 20:01:39.166][response][INFO] (login) POST /identity/connect/token => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:01:39.430][vaultwarden::api::notifications][INFO] Accepting WS connection from 10.2.1.21:45592
vaultwarden-bitwarden-1  | [2023-10-18 20:03:10.387][vaultwarden::api::notifications][INFO] Accepting WS connection from 10.2.1.21:45782
vaultwarden-bitwarden-1  | [2023-10-18 20:03:39.566][request][INFO] POST /identity/connect/token
vaultwarden-bitwarden-1  | [2023-10-18 20:03:39.572][response][INFO] (login) POST /identity/connect/token => 200 OK

So I don't really understand, but it seems maybe the account was somehow deleted sometime last month but his vault was cached on his computer so it took awhile for him to notice? Maybe someone can piece it together based on the log above.

[bbrendon]

Regarding the database.

In the database where the user vanished:

• The user is not in the user table
• The users UUID (c0630375-187d-49b0-a6b2-06ce01afedc9) (obtained from a very old backup) doesn't exist in the ciphers table

So I'm guessing it's not DB corruption.

[BlackDex]

Regarding the database.

In the database where the user vanished:

• The user is not in the user table
• The users UUID (c0630375-187d-49b0-a6b2-06ce01afedc9) (obtained from a very old backup) doesn't exist in the ciphers table

So I'm guessing it's not DB corruption.

If that is the case, then the user is deleted by someone, not by an upgrade, not by a database corruption or something.
Also since other user(s) still work and just a single user is deleted.

[Kjemme]

Thank you for taking up the subject. Apparently I am not the first one to open up a "blank" Bitwarden/Vaultwarden. So I found a colleague who suggested that I restart my pc (I always close down every evening - so I had only just opened it on Monday morning). After a restart of pc/browser - all my own entries and the shared company entries were back in the vault. I really don't know why, but apparently happened to other colleagues before - to my understanding. And again today all is in there.

[Hir0-84]

I have had a similar issue yesterday or at least this is the day where I discovered it for the first time. I am running Vaultwarden within a container of the NAS. The image has been taken from https://registry.hub.docker.com/r/vaultwarden/server/::latest which seems to be down at the moment. An update is available but I have not updated the container yet. I might have updated the OS of the nas or the application that run the containers. I am using Vaultwarden version 1.28.1.
Yesterday, 3/4 of the accounts had an empty vault, and for 1 user I had the error failed to fetch at the login screen. I have tried restarting the container, restarting the NAS without success.
This morning everything is back to normal. Likely, I did not reinstalled the all thing from scratch. But this experience worries me. How to debug/investigate similar situations. I though my db were corrupted while apparently they were not.

[Hir0-84]

That is exactly what happend to me unfortunately. I do not find anything wrong in the log of the container except that, when the password where not shown, I had the following:

1st attempt:
2023/11/29 12:03:26,stdout,[2023-11-29 11:03:26.868][request][INFO] POST /identity/connect/token
2023/11/29 12:03:26,stdout,[2023-11-29 11:03:26.353][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
2023/11/29 12:03:26,stdout,[2023-11-29 11:03:26.353][request][INFO] POST /identity/accounts/prelogin
2023/11/29 12:03:16,stdout,[2023-11-29 11:03:16.550][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
2023/11/29 12:03:16,stdout,[2023-11-29 11:03:16.542][request][INFO] GET /api/devices/knowndevice
2023/11/29 12:01:22,stdout,[2023-11-29 11:01:22.297][response][INFO] (login) POST /identity/connect/token => 200 OK
2023/11/29 12:01:22,stdout,[2023-11-29 11:01:22.297][vaultwarden::api::identity][INFO] User logged in successfully. IP: x.x.x.x

2nd attempt + restarting the container:
2023/11/29 12:13:26,stdout,|--------------------------------------------------------------------|
2023/11/29 12:13:26,stdout,| Version 1.28.1 |
2023/11/29 12:13:26,stdout,| Starting Vaultwarden |
2023/11/29 12:13:26,stdout,/--------------------------------------------------------------------
2023/11/29 12:13:12,stdout,[2023-11-29 11:13:12.643][vaultwarden][INFO] Vaultwarden process exited!
2023/11/29 12:13:12,stdout,[2023-11-29 11:13:12.642][rocket::server][WARN] Received SIGTERM. Requesting shutdown.
2023/11/29 12:03:39,stdout,[2023-11-29 11:03:39.251][response][INFO] (login) POST /identity/connect/token => 200 OK
2023/11/29 12:03:39,stdout,[2023-11-29 11:03:39.251][vaultwarden::api::identity][INFO] User logged in successfully. IP: x.x.x.x

while the day after, when everything went back to normal:

2023/11/30 08:36:48,stdout,[2023-11-30 07:36:48.161][request][INFO] GET /icons/www.blabla.com/icon.png
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.722][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.713][request][INFO] GET /api/sync?excludeDomains=true
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.677][response][INFO] (login) POST /identity/connect/token => 200 OK
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.674][request][INFO] POST /identity/connect/token
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.509][response][INFO] (login) POST /identity/connect/token => 200 OK
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.509][vaultwarden::api::identity][INFO] User logged in successfully. IP: x.x.x.x

but I did not find any error message or warning concerning the failed to fetch error I have received with only one user.

I have tried to block internet to the NAS trying to see if I have had some temporary connection loss but I could not reproduce it

[Hir0-84]

PS: I could not find any logs file of Vaultwarden

[BlackDex]

I'm not seeing anything wrong here. The logs do not say anything wrong. I only see a restart/sigterm but that is all.

Logs are only in a separate file if you enabled it. Else the docker logs are fine too.

[Hir0-84]

On Syno nas they have switched to Container manager and I still do not know where the logs are. I will activate the Vaultwarden logging in case it will happen again.

In case where the account was empty this part was missing proving that something went wrong:

2023/11/30 08:36:48,stdout,[2023-11-30 07:36:48.161][request][INFO] GET /icons/www.blabla.com/icon.png
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.722][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
2023/11/30 08:36:46,stdout,[2023-11-30 07:36:46.713][request][INFO] GET /api/sync?excludeDomains=true

[BlackDex]

It doesn't prove anything. Could be cached, so no calls to the server. The client could have crashed in some way not loading the ciphers (because i also do not see a sync request).

The reverse proxy could have blocked something.

And again, data doesn't disappear and reappear by it self.
There might have been an error in loading the data either server side or client side. But server side should have caused an error in the logs.

[Kjemme]

Thank you! I also had the issue again Yesterday. So glad to hear that I'm not alone and I will look into your reply Tomorrow (urgent deadline Today).

…

On Thu, 30 Nov 2023 at 09:03, Hir0-84 ***@***.***> wrote: I have had a similar issue yesterday or at least this is the day where I discovered it for the first time. I am running Vaultwarden within a container of the NAS. The image has been taken from https://registry.hub.docker.com/r/vaultwarden/server/::latest which seems to be down at the moment. An update is available but I have not updated the container yet. I might have updated the OS of the nas or the application that run the containers. I am using Vaultwarden version 1.28.1. Yesterday, 3/4 of the accounts had an empty vault, and for 1 user I had the error failed to fetch at the login screen. I have tried restarting the container, restarting the NAS without success. This morning everything is back to normal. Likely, I did not reinstalled the all thing from scratch. But this experience worries me. How to debug/investigate similar situations. I though my db were corrupted while apparently they were not. — Reply to this email directly, view it on GitHub <#4071 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BD5PP5NCXHBDTOVZCYSIEPLYHA4U5AVCNFSM6AAAAABAAXYAV2VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TOMJUGQYDQ> . You are receiving this because you commented.Message ID: ***@***.*** com>

-- Kind regards, *Ellen Kjemtrup * Controller - Partisia Phone: +45 2239 5593 Email: ***@***.*** Web: partisia.com

[BlackDex]

Again? In what sense? And did it recover by it self?
That just isn't possible. Something must do that.

[BlackDex]

@bbrendon you closed it as resolved? Did you find anything pointing to a user action?

[bbrendon]

@BlackDex No. I just restored the data. Mostly got tired of people hijacking the thread.

[Hir0-84]

??? then you should have rephrased the title of your thread or disable the notification if you are not interested anymore. By reading your title, I though I was reporting into the right one.

[BlackDex]

Well if people have similar issues that's not really hijacking in my opinion. All information with a similar issues could be helpful. Unfortunately these were all not useful.

But if you were not able to find anything and all was cleanly purged from the database and it was only one user, then that user must have deleted there own account, or it must have been done by someone with admin access.

[BlackDex]

I might take a look into add some better logging regarding this topic. That might help in the future.

[Hir0-84]

Again this morning I do not have access to my password. I have activated the logging with an env variable LOG_FILE and LOG_LEVEL debug and I see the following error:

[2023-12-01 07:56:58.415][start][INFO] Rocket has launched from http://0.0.0.0:80
[2023-12-01 07:57:36.896][request][INFO] GET /notifications/hub?access_token=blabla
[2023-12-01 07:57:36.896][response][INFO] (websockets_err) GET /notifications/hub => 400 Bad Request
[2023-12-01 07:57:47.494][request][INFO] GET /admin/logout
[2023-12-01 07:57:47.494][rocket::response::responder::][WARN] Response was None.
[2023-12-01 07:57:47.494][rocket::server::][WARN] Responding with registered (not_found) 404 catcher.
[2023-12-01 07:57:47.494][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("urlpath")], "urlpath")))
[2023-12-01 07:57:47.495][response][INFO] (web_files) GET /<p..> [10] => 404 Not Found
[2023-12-01 07:59:15.740][vaultwarden::api::identity][INFO] User logged in successfully. IP: x.x.x.x
[2023-12-01 07:59:15.740][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-12-01 07:59:16.239][request][INFO] GET /notifications/hub?access_token=blabla
[2023-12-01 07:59:16.239][response][INFO] (websockets_err) GET /notifications/hub => 400 Bad Request

does it rings a bell to you?

Later:
[2023-12-01 07:59:58.414][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2023-12-01 07:59:58.840][request][INFO] GET /alive
[2023-12-01 07:59:58.840][response][INFO] (alive) GET /alive => 200 OK

Btw, I have not activated the 2FA yet.

[BlackDex]

It only tells me that you probably have configured your reverse proxy incorrectly, and mainly in regards to the websocket connections.
There might also be other items not configured correctly, or some security tooling is enabled like ModSecurity or WAF etc.. these tend to break Vaultwarden.

Regarding the 2FA, that is a cronjob that runs every x minutes and looks for unfinished 2FA attempts, those could mean someone is trying to login, has you password, but not your 2FA token/method to continue the login. So, that is nothing to worry about.

[Hir0-84]

I will check the reverse proxy again, but I can access to vault webpage, log in and see an empty db???
Then, I have tried to access with the browser in incognito mode and it worked. I went back to the old tab and it worked too. If it happens again i will try right away with another browser.

Concerning 2FA I have not understood. In theory I am the only one using vault, if 2FA is not active if someone has the password it can directly access it, right? So, I do not understand this notifications. It is possible to know which user triggers them?

Thank you anyhow for your time

[BlackDex]

It could also be you have a lot of ciphers and a large KDF setting which could cause slow decryption.
It might be browser extensions which block stuff, since some extensions are not enabled in Private/Incognito mode.
Also, if Incognito mode works, that kinda tells you that the data is all there, else it wouldn't have worked there either.

You can check /admin/users/overview and see how many personal ciphers a user has access to, or which organizations the user belongs to.

So from my side I'm almost 100% sure that i can rule out data-loss or data disappeared etc... in your specific use case.

[BlackDex]

Also, the 2FA message is from a cronjob running inside Vaultwarden. It just checks every x time if there are any pending items, if so it will mail them. It doesn't matter if you are a sole user or have 2FA enabled or not. That job just always run.