API endpoint `/accounts/prelogin` to be removed from the official Bitwarden server
dezeroku opened this issue · 3 comments
After this change goes live on the prod instance of Bitwarden all new rbw login
calls will likely fail due to our usage of this endpoint.
Information about KDF, iterations, etc. is now returned as part of the /connect/token
response and should be parsed from there.
There's only one place where we use this call: https://github.com/doy/rbw/blob/main/src/actions.rs#L31
Probably the best idea here is to first calculate hash of the master password, then perform the login flow and only create the Identity at the end.
It's also a good moment to think about making master_password_hash
an Option in call to client.login()
(and the Identity
struct), it's only really used in the email+password auth flow and isn't needed for SSO/apikey. With this in place we could not ask for master password for these flows when rbw login
is run.
from what i can tell from that pr, it doesn't look like the structure of the flow itself is changing, it looks like it's just that the api endpoint for prelogin is moving from the main api to the identity api - am i missing something else? the entire point of the prelogin call is that you can't calculate the password hash ahead of time without knowing the kdf to use, so there's no way to make the initial call to /connect/token without it. this should be easy to fix though.
i think a06655c should be sufficient, let me know if i'm missing anything. thanks for the heads up!
You're right, it should be enough. Some kind of panic mode kicked in on my end 😅
And yup, this looks like a proper fix, thanks!