Multiple Domain URL (for MFA/2FA)

I would like to request the ability to add multiple domains (possibly comma separated) to the Domain URL field.

I usually set up two domains for services I self-host. One domain is used internally. Another domain is slightly obfuscated for use externally, proxied through Cloudflare Access. This sometimes causes issues with services when FIDO U2F keys are desired for MFA. I have successfully set these up for multiple domains in a self-hosted Nextcloud install.

I have successfully set up U2F MFA on my internal domain in bitwarden_rs (running in Home Assistant); however, when I try with my external domain, it fails with no error message. I tried entering multiple (comma separated: https://domain1.tld,https://domain2.tld) domains in the ‘Domain URL’ field in the admin page; however, this resulted in rendering the admin page and vault completely inaccessible, and I had to start again from scratch.

At the very least, documentation should be clear that only one domain can be used, and if possible better input sanitizing should be used to ensure access to an installation isn’t broken as a result of improper Domain URL input.

Hello @mgarcia,

Thank you for taking the time to report this.
The variable is called DOMAIN and not DOMAINS (plural), so that kinda suggests only one is allowed.
Also, the example given in the .env.template and the comment in front of the variable suggest only one is allowed.

I just tried to add a comma separated value in there, which indeed stopped my dev environment from working, but after changing that value back again, it all worked as it should.

Also, the domain is used for all the e-mails, so that should be something accessible to the people receiving those e-mails. And we can’t go and guess which one that is going to be.

So therefore we only allow one domain. Also, it doesn’t matter if you fill in a correct one or not for using the web-vault or admin interface (besides adding a comma or something). You can even just put in an IP address and browse to it by DNS, that is all just fine.

What I don’t know is how the FIDO U2F works in this case.
I don’t have a key myself and don’t really know how the protocol works.
I see that we use the domain to create a unique id for U2F, so I also think that it shouldn’t matter which DNS entry you use to browse to the site, or use within one of the apps.

If I read the documentation about U2F it states that you need to use a TLD and the format needs to be https://my.domain.tld with the option to allow a port (see: https://developers.yubico.com/U2F/App_ID.html).

So I think it is implemented the right way, and the bitwarden_rs server can be accessed without entering a valid hostname, but not by using commas.

I hope I have explained it well enough.
If you have any more questions please let us know.
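Added example (not part of this thread or of the bitwarden_rs code base) illustrating the two points above: why a comma-separated DOMAIN value has to be rejected, and why U2F registered under one domain's App ID fails from a second domain unless that origin is a trusted facet. Origins and facet lists here are constructed sample values; the origin-match and trusted-facet rules follow the Yubico App ID document linked above.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Canonical origin (scheme://host[:port]); default https port is dropped."""
    p = urlsplit(url.strip())
    if not p.scheme or not p.hostname:
        return ""
    host = p.hostname.lower()
    port = p.port or (443 if p.scheme == "https" else 80)
    default = 443 if p.scheme == "https" else 80
    return f"{p.scheme}://{host}" if port == default else f"{p.scheme}://{host}:{port}"


def domain_setting_error(value: str) -> str:
    """Validate a DOMAIN setting before it reaches the U2F App ID.

    Returns "" when acceptable, else a message. A list of URLs is rejected
    up front so a bad value cannot silently break the vault/admin pages.
    """
    if "," in value or " " in value.strip():
        return "DOMAIN must be a single URL, not a comma separated list"
    p = urlsplit(value.strip())
    if p.scheme != "https":
        return "U2F requires an https App ID, e.g. https://my.domain.tld[:port]"
    if not p.hostname:
        return "DOMAIN has no hostname"
    return ""


def u2f_origin_allowed(app_id: str, page_origin: str, trusted_facets=None) -> bool:
    """Client-side rule: the page origin must be the App ID's own origin or
    one of the App ID's trusted facets (the spec's facet-list mechanism).
    Non-https origins are never accepted."""
    page = origin_of(page_origin)
    if not page.startswith("https://"):
        return False
    facets = {origin_of(f) for f in (trusted_facets or [])}
    facets.add(origin_of(app_id))
    return page in facets


if __name__ == "__main__":
    # Constructed sample: one DOMAIN (internal), a second external hostname.
    app_id = "https://vault.home.lan"
    print(domain_setting_error("https://domain1.tld,https://domain2.tld"))
    print(u2f_origin_allowed(app_id, "https://vault.home.lan"))        # True
    print(u2f_origin_allowed(app_id, "https://obscure.example.net"))   # False
```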