Login with device doesn't work with multiple replicas

[denysvitali]

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.33.2
• Web-vault version: v2025.1.1
• OS/Arch: linux/aarch64
• Running within a container: true (Base: Debian)
• Database type: PostgreSQL
• Database version: PostgreSQL 17.4 (Debian 17.4-1.pgdg110+2) on aarch64-unknown-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
• Environment settings overridden!: true
• Uses a reverse proxy: true
• IP Header check: true (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: n/a
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

(The rest of the config was omitted)

Vaultwarden Build Version

v1.33.2

Deployment method

Official Container Image

Custom deployment method

Vaultwarden deployed via a Deployment and connected to an PostgreSQL HA cluster (via CloudNativePG).

Reverse Proxy

Traefik

Host/Server Operating System

Linux

Clients

Web Vault

Steps To Reproduce

1. Deploy Vaultwarden in HA mode (multiple replicas)
2. Use "Login With Device"

Expected Result

User is able to log-in on the first try

Actual Result

User has to be "lucky" that the accepted authentication response ends up on the same instance as the client is listening on (websocket).

Additional Context

When deployed using Kubernetes, multiple replicas and using PostgreSQL - Login With Device is partially faulty.

It looks like the implementation of the /anonymous-hub websocket server doesn't consider the fact that the accepted login message doesn't come from the same instance where the client is listening on.

sequenceDiagram
    participant Client as Client Device
    participant AuthDevice as Authorizing Device
    participant PodA as Vaultwarden Pod A
    participant PodB as Vaultwarden Pod B
    participant DB as PostgreSQL

    Note over PodA,PodB: Kubernetes with multiple replicas
    
    Client->>PodA: 1. Connect to /anonymous-hub WebSocket
    PodA-->>PodA: 2. Create WebSocket connection
    Client->>PodA: 3. Send device login request
    PodA->>DB: 4. Store device_token in PostgreSQL
    PodA-->>Client: 5. Return verification text/fingerprint
    
    AuthDevice->>PodB: 6. Load approval page (different pod!)
    AuthDevice->>PodB: 7. Approve device login
    PodB->>DB: 8. Update token status to approved
    
    PodB-->>PodB: 9. Send approval notification
    Note over PodB: ❌ Problem: Notification sent within Pod B
    
    Note over Client,PodA: But client is connected to Pod A's WebSocket!
    Note over Client: Client never receives approval notification
    Note over Client: WebSocket times out or fails

Loading

[BlackDex]

Vaultwarden doesn't support HA deployments.
If you want something like this, use an active passive solution.

[x-real-ip]

Is this still the case in the current version were the webaocket endpoint and http has been combined? Can someone explain more technical why multiple instance won't work?

[BlackDex]

This is still the case.

Websockets are held in memory, and therefore not sharing anything. Only clients connected to a specific server will receive the websocket messages from that specific server.

Combining websocket wnd http made no difference, as it was still inside the same application.