API endpoint /accounts/prelogin to be removed from the official Bitwarden server
#190
Comments
dezeroku
changed the title
/accounts/prelogin is deprecated/accounts/prelogin to be removed from the official Bitwarden server
|
from what i can tell from that pr, it doesn't look like the structure of the flow itself is changing, it looks like it's just that the api endpoint for prelogin is moving from the main api to the identity api - am i missing something else? the entire point of the prelogin call is that you can't calculate the password hash ahead of time without knowing the kdf to use, so there's no way to make the initial call to /connect/token without it. this should be easy to fix though. |
|
i think a06655c should be sufficient, let me know if i'm missing anything. thanks for the heads up! |
|
You're right, it should be enough. Some kind of panic mode kicked in on my end 😅 And yup, this looks like a proper fix, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
bitwarden/server#4206
After this change goes live on the prod instance of Bitwarden all new
rbw logincalls will likely fail due to our usage of this endpoint.Information about KDF, iterations, etc. is now returned as part of the
/connect/tokenresponse and should be parsed from there.There's only one place where we use this call: https://github.com/doy/rbw/blob/main/src/actions.rs#L31
Probably the best idea here is to first calculate hash of the master password, then perform the login flow and only create the Identity at the end.
It's also a good moment to think about making
master_password_hashan Option in call toclient.login()(and theIdentitystruct), it's only really used in the email+password auth flow and isn't needed for SSO/apikey. With this in place we could not ask for master password for these flows whenrbw loginis run.The text was updated successfully, but these errors were encountered: