Invite user to organization. New users can't accept invite

[klaas0]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.34.3
• Web-vault version: v2025.7.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: MySQL
• Database version: 12.0.2-MariaDB-ubu2404
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• TZ environment: Europe/Amsterdam
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: false
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://********************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************************",
  "domain_origin": "*****://************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*******",
  "smtp_password": "***",
  "smtp_port": 1025,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*****",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Nginx Proxy manager v2.12.6

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.3 LTS

Clients

Web Vault

Client Version

No response

Steps To Reproduce

I created an organization. Then invited a new user. The new user registred. It doesn't auto join because it needs to enable 2FA.
Now the new user can't accept the invite, because the link in email auto directs to creating a new account. But they already have an account.
When the new user fills in a new password they get an error that account already exists, that is good. BUT they also get an email that someone just signed into their account, that's not correct.
So I have to resend the invite to the new user, otherwise they can't accept. The new link will redirect to login and when they login they join the organization. So that's correct.

Expected Result

I expect that after the new user creates their account, that when they click the link again, they get redirect to invite of the organisation.

Another option is that the new user can view their invites in their account.

Actual Result

now the new user keeps getting redictected to creating a new account, when they click the link from the invite

Logs

Screenshots or Videos

No response

Additional Context

No response

[7heMech]

I honestly would expect if a user creates acc via inv to an org, it should automatically join them to the organization when they create their account. That being said I don't know how upstream Bitwarden handles this.

[klaas0]

Normally it does, but 2FA was required on this organization. Since the account is just created, it doesn't have 2FA enabled. So they get an error that they need to enable 2FA before joining. After that there is no way for the user to join. Because the link in the email only directs to creating a new account. But they already did so

[7heMech]

Normally it does, but 2FA was required on this organization. Since the account is just created, it doesn't have 2FA enabled. So they get an error that they need to enable 2FA before joining. After that there is no way for the user to join. Because the link in the email only directs to creating a new account. But they already did so

Aha, so if you globally require 2fa then it'd be good?

[klaas0]

I couldn't find any documentation about enforcing globally 2FA. Do you maybe have a link? Then I'll test it.

[BlackDex]

I would suggest to read the Bitwarden documentation https://bitwarden.com/help/managing-users/#invite

[klaas0]

Indeed, the problem is that 2FA is required for the organization. So the user can't auto accept when creating the account.

[klaas0]

I would suggest to read the Bitwarden documentation https://bitwarden.com/help/managing-users/#invite

@BlackDex I know you propably got a lot of bugs which aren't bugs. But I don't think this is one of them. I've read the guide but that has nothing to do with my issue. If you want to I can create a video of the bug

[stefan0xC]

@BlackDex I think I know now why I did not get the verification code on my google mail account but only on my other mail provider. Because the device id is not unique to each user and even though the requests sends an email parameter we don't use that to further narrow it down.

vaultwarden/src/api/core/two_factor/email.rs

Line 48 in 319d982

let Some(user) = User::find_by_device_id(&data.device_identifier, &conn).await else {

In other words I got the mail sent to the wrong mail account:

[BlackDex]

I also find it strange that we do not use the email address there to lookup the right user. And in case of a new device for some reason, this will always fall. Also, not sure if the password hash is also sent, since we do not check that either.

Might be code from when multi login wasn't possible yet, and never touched afterwards?

[stefan0xC]

Seems like this was changed by the SSO PR (in e3d6621)

[klaas0]

Reproduction:
Make sure you have 2FA required for your organization:

Invite a new user, which DOESN'T have a account on your server:

The new user receives this email:

When the new user clicks the link, they see this page to create a new account on my server:

When the account is created they get this notification:

So they enable 2FA on their account:

Now they don't have a way to join the organization. They don't automatically join, also when they click the link in the email they are asked to create an account which they already have.
Only way to get the new user to join is to RESEND the invite, that's the bug. I have to resend, that can be smoother right?

[stefan0xC]

Cf. #6473 for my explanation why this happens. I'm not sure we can fix that if mail as second factor has been disabled. (If you append &orgUserHasExistingUser=true to the invitation link you can complete signup without re-inviting but yeah the invitation flow is a bit broken...)

[klaas0]

Maybe send a link to the user to a page which checks if the user has already created an account. So don't put those vars in the url, but let the page itself check it (maybe only check with valid token for security reasons)

[BlackDex]

This project (Vaultwarden) doesn't maintain or develop the web-vault which is done by Bitwarden. Adjusting that flow is hard, and adding flows is probably even harder.

[stefan0xC]

Maybe send a link to the user to a page which checks if the user has already created an account. So don't put those vars in the url, but let the page itself check it (maybe only check with valid token for security reasons)

That's not how this works. It used to be that you had to decide whether to create an or account or login if you got an invite but upstream changed the behavior for organization invites so it's not a choice anymore in the web-vault. (It could be that there's a way to improve it but I wouldn't know how.) So if at the time of the invite you don't have an account yet you get an link that sends you to the registration form; if it passes an parameter that tells the web-vault an account already exists, you will be routed to the login page. Since this distinction is handled entirely on the client side and there isn't a server side check done whether an account exists, I don't think that we can affect the outcome.