doy/rbw

API endpoint `/accounts/prelogin` to be removed from the official Bitwarden server

dezeroku opened this issue · 3 comments

bitwarden/server#4206

After this change goes live on the prod instance of Bitwarden all new rbw login calls will likely fail due to our usage of this endpoint.
Information about KDF, iterations, etc. is now returned as part of the /connect/token response and should be parsed from there.

There's only one place where we use this call: https://github.com/doy/rbw/blob/main/src/actions.rs#L31
Probably the best idea here is to first calculate the hash of the master password, then perform the login flow and only create the Identity at the end.

It's also a good moment to think about making master_password_hash an Option in the call to client.login() (and the Identity struct); it's only really used in the email+password auth flow and isn't needed for SSO/apikey. With this in place we could avoid asking for the master password for these flows when rbw login is run.

doy commented

from what i can tell from that pr, it doesn't look like the structure of the flow itself is changing, it looks like it's just that the api endpoint for prelogin is moving from the main api to the identity api - am i missing something else? the entire point of the prelogin call is that you can't calculate the password hash ahead of time without knowing the kdf to use, so there's no way to make the initial call to /connect/token without it. this should be easy to fix though.
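The ordering doy describes is fixed by the protocol: the KDF type and parameters have to come back from the server before the master password hash can be computed, and only then can the `/connect/token` call be built. The following is an added example of mine, not rbw's code and not Bitwarden's, written with the Python standard library only. The response field names `kdf`/`kdfIterations`, the two-stage PBKDF2-HMAC-SHA256 scheme (email as salt for the master key, then one round with the password as salt for the hash that is sent) and the token form fields are my understanding of the public Bitwarden clients; the sample response body and the `client_id` value are constructed placeholders. Argon2id accounts are refused rather than guessed at, since the standard library has no argon2.

```python
"""Email+password login flow: KDF params -> master key -> master password hash -> token form.

Added example (not rbw code). Stdlib only. Field names and the KDF scheme
reflect my reading of the public Bitwarden clients and are assumptions here.
"""
import base64
import hashlib
import json

KDF_PBKDF2_SHA256 = 0  # assumed enum value for PBKDF2-SHA256
KDF_ARGON2ID = 1       # assumed enum value for Argon2id

# Constructed sample of a prelogin (or /connect/token error) body carrying KDF parameters.
SAMPLE_KDF_BODY = json.dumps({"kdf": 0, "kdfIterations": 600000})


def parse_kdf(body: str) -> dict:
    """Extract the KDF parameters the hash computation depends on.

    Refuses anything it cannot honour instead of silently defaulting, because
    a wrong KDF simply produces a hash the server will reject (or worse, a
    weakly derived key if a low iteration count were accepted blindly).
    """
    data = json.loads(body)
    kdf = data.get("kdf")
    if kdf == KDF_PBKDF2_SHA256:
        iterations = int(data.get("kdfIterations", 0))
        if iterations < 1:
            raise ValueError("invalid kdfIterations")
        return {"kdf": kdf, "iterations": iterations}
    if kdf == KDF_ARGON2ID:
        raise ValueError("argon2id account: no argon2 in the stdlib, refusing to guess")
    raise ValueError(f"unknown kdf type {kdf!r}")


def master_key(password: str, email: str, params: dict) -> bytes:
    """Master key: PBKDF2-HMAC-SHA256 over the password, salted with the normalised email."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, params["iterations"], 32)


def master_password_hash(password: str, email: str, params: dict) -> str:
    """Value sent to the server: one more PBKDF2 round over the key, salted with the password."""
    key = master_key(password, email, params)
    digest = hashlib.pbkdf2_hmac("sha256", key, password.encode(), 1, 32)
    return base64.b64encode(digest).decode()


def build_token_request(email: str, password: str, kdf_body: str,
                        client_id: str = "placeholder-client-id") -> dict:
    """Form fields for the password grant. parse_kdf() runs first, by construction:
    the hash cannot be produced until the server has told us which KDF to use."""
    params = parse_kdf(kdf_body)
    return {
        "grant_type": "password",
        "username": email,
        "password": master_password_hash(password, email, params),
        "scope": "api offline_access",
        "client_id": client_id,
    }


if __name__ == "__main__":
    # Constructed credentials; nothing here talks to a server.
    form = build_token_request("User@Example.com", "correct horse battery staple", SAMPLE_KDF_BODY)
    print({k: (v if k != "password" else v[:8] + "...") for k, v in form.items()})
```

Only after this form has been accepted by the token endpoint would an rbw-style Identity be assembled, which matches the reordering proposed in the issue; the master key itself never leaves the client and is what later unlocks the vault.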

doy commented

i think a06655c should be sufficient, let me know if i'm missing anything. thanks for the heads up!

You're right, it should be enough. Some kind of panic mode kicked in on my end 😅

And yup, this looks like a proper fix, thanks!