Problem using workflow decryption

[AndreasNasman]

Hi! 👋

First, thanks for the excellent workflow! It's a real productivity booster! 💪

I noticed this error message when copying a password with the workflow:

Debug log

NB: Sensitive information is changed to foo, bar1, etc.

10:16:25 workflow.go:328: -------- Bitwarden v2/3.0.4 (AwGo/0.27.1) --------
10:16:25 main.go:162: &main.options{Search:false, Config:false, SetConfigs:false, Auth:false, OnOffConfigs:false, AuthConfig:false, Lock:false, Icons:false, Folder:false, Unlock:false, Login:false, Logout:false, Sync:false, Open:false, GetItem:true, Force:false, Totp:false, Last:false, Background:false, Id:"foo", Query:"login.password", Attachment:"", Output:""}
10:16:25 main.go:164: args=[]string{"-getitem", "-id", "foo", "login.password"} => []string{"login.password"}
10:16:25 main.go:165: (main.config) {
 AutoFetchIconCacheAge: (int) 1440,
 AutoFetchIconMaxCacheAge: (time.Duration) 24h0m0s,
 BwconfKeyword: (string) (len=9) ".bwconfig",
 BwauthKeyword: (string) (len=7) ".bwauth",
 BwKeyword: (string) (len=3) ".bw",
 BwfKeyword: (string) (len=4) ".bwf",
 BwExec: (string) (len=2) "bw",
 BwDataPath: (string) "",
 Debug: (bool) true,
 Email: (string) (len=26) "[email protected]",
 EmailMaxWait: (int) 15,
 EmptyDetailResults: (bool) false,
 IconCacheAge: (int) 43200,
 IconCacheEnabled: (bool) true,
 IconMaxCacheAge: (time.Duration) 720h0m0s,
 MaxResults: (int) 1000,
 Mod1: (string) (len=3) "alt",
 Mod1Action: (string) (len=13) "username,code",
 Mod2: (string) (len=5) "shift",
 Mod2Action: (string) (len=3) "url",
 Mod3: (string) (len=4) "ctrl",
 Mod3Action: (string) (len=4) "totp",
 Mod4: (string) (len=7) "cmd,opt",
 Mod4Action: (string) (len=4) "more",
 Mod5: (string) (len=9) "cmd,shift",
 Mod5Action: (string) (len=5) "webui",
 NoModAction: (string) (len=13) "password,card",
 OpenLoginUrl: (bool) true,
 OutputFolder: (string) (len=23) "/Users/nasse/Downloads/",
 Path: (string) (len=101) "/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/local/share/npm/bin:/usr/bin:/usr/sbin:/opt/homebrew/bin",
 ReorderingDisabled: (bool) true,
 Server: (string) "",
 Sfa: (bool) true,
 SfaMode: (int) 0,
 SkipTypes: (string) "",
 TitleWithUser: (bool) true,
 TitleWithUrls: (bool) false,
 UseApikey: (bool) false,
 WebUiURL: (string) (len=27) "https://vault.bitwarden.com"
}
10:16:25 bitwarden.go:239: Getting item for id foo
10:16:25 utils.go:172: [DEBUG] base64 decode protected key
10:16:25 utils.go:172: [DEBUG] protected Key length is: 129
10:16:25 utils.go:172: [DEBUG] protected Key encryption type is: 2
10:16:25 utils.go:172: [DEBUG] base64 decode session key
10:16:25 utils.go:172: [DEBUG] Session key length is: 64
10:16:25 utils.go:172: [DEBUG] comparing session mac with protected key
10:16:25 utils.go:172: [DEBUG] making the source key
10:16:25 utils.go:172: [DEBUG] making intermediate keys
10:16:25 utils.go:172: [DEBUG] decrypting final encryption keys
10:16:25 utils.go:172: [DEBUG] cs.encryptionType 2
10:16:25 bitwarden.go:242: Error making source key is:
error decrypting key, MAC doesn't match bar baz
10:16:25 utils.go:172: [DEBUG] encryptedSecret value is: 2.f/a [truncated]
10:16:25 utils.go:172: [DEBUG] cs.encryptionType 2
10:16:25 bitwarden.go:279: MAC doesn't match foo1 bar1
10:16:25 bitwarden.go:292: Falling back to Bitwarden CLI to get item.
10:16:34 bitwarden.go:328: Received jsonPath for item is login.password
10:16:34 bitwarden.go:345: Received key is: v0*
10:16:34 workflow.go:405: ------------------ 8.978477583s ------------------
[10:16:34.649] Bitwarden v2[Run Script] Processing complete
[10:16:34.651] Bitwarden v2[Run Script] Passing output 'baz1' to Copy to Clipboard
[10:16:34.653] Bitwarden v2[Run Script] Passing output 'baz1' to Arg and Vars
[10:16:34.655] Bitwarden v2[Arg and Vars] Processing complete
[10:16:34.656] Bitwarden v2[Arg and Vars] Passing output 'Copy Password for user:
nasse' to Post Notification

Namely this part:

10:16:25 bitwarden.go:242: Error making source key is:
error decrypting key, MAC doesn't match bar baz
10:16:25 utils.go:172: [DEBUG] encryptedSecret value is: 2.f/a [truncated]
10:16:25 utils.go:172: [DEBUG] cs.encryptionType 2
10:16:25 bitwarden.go:279: MAC doesn't match foo1 bar1
10:16:25 bitwarden.go:292: Falling back to Bitwarden CLI to get item.

I found the same issue (I think) mentioned as the last item in troubleshooting section of the documentation. The link in the documentation is outdated (#142) so I tried these things to fix the problem:

1. I navigated to https://vault.bitwarden.com/#/settings/security/change-password, ticked Also rotate my account's encryption key, and clicked Change master password. I kept my password the same since you can do that according to the Bitwarden documentation. I kept my encryption key as KDF algorithm: PBKDF2 SHA-256 and KDF iterations: 600000.
2. I ran Sync Bitwarden Secrets for the changes to take effect but the error persisted. I also tried creating a new Login entry in Bitwarden to see if it only happened for old ones, but same outcome.
3. I then tried changing the KDF algorithm to Argon2id, keeping the other default values (iterations: 3, memory: 64 MB, parallelism: 4).
4. I ran Sync Bitwarden Secrets for the changes to take effect but the error persisted. I also tried creating a new Login entry in Bitwarden to see if it only happened for old ones, but same outcome.

---

Reading the logs, I noticed that BW_DATA_PATH was an empty string:

10:16:25 main.go:165: (main.config) {
 …
 BwDataPath: (string) "",

I changed the value to ~/Library/Application Support/Bitwarden CLI/data.json in the Environment Variables tab.

After doing so, the workflow always thinks I need to log in, even though bw status in the CLI returns

bw status
(node:57138) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
{"serverUrl":null,"lastSync":"2023-11-14T08:50:18.408Z","userEmail":"[email protected]","userId":"foo","status":"locked"}

I tried deleting ~/Library/Application Support/Bitwarden CLI/data.json and log in again but the same login-loop persisted. I also tried deleting the workflow and ~/Library/Application Support/com.lisowski-development.alfred.bitwarden/ but that didn't help either.

Here is the log when doing a log in after deleting data.json:
login-log.txt

This is how the workflow looks after the login:

If I now try to log in again through the workflow, I get this error message:

If I log out through the workflow, it succeeds.

---

What else can I try to fix this issue? Here is some additional information:

• macOS version: 13.5 (22G74)
• I've installed bitwarden-cli with Homebrew.
• Workflow Version: 3.0.4
• Bitwarden CLI Version: 2023.10.0

[blacs30]

Thanks for the detailed description of the situation.
Have you checked if the secret was copied successfully into the clipboard?
The message 10:16:25 bitwarden.go:292: Falling back to Bitwarden CLI to get item. indicates that the normal bw cli is used to get the secret as the internal mechanism is broken since the rewrite of the encryption mechanism with version 2023.9 of the upstream Bitwarden cli.

Setting a value of BW_DATA_PATH in the environment variables shouldn't be needed unless it's not the default, but you're still using the default. I would revert that change. FYI here it's setting the default

bitwarden-alfred-workflow/src/config.go

Line 46 in 805639f

bwDataPath = fmt.Sprintf("%s/Library/Application Support/Bitwarden CLI/data.json", homedir)

The log output Received key is: v0* indicates that the password was received correctly.

So it was basically everything working fine in the beginning, it's just little bit annoying to wait ~3 seconds for the password. But that is currently a limitation (probably that should be mentioned more clearly and/or the logs not displayed which indicate a problem)

[AndreasNasman]

I see, thanks for your detailed answer! 😊

Have you checked if the secret was copied successfully into the clipboard?
…
So it was basically everything working fine in the beginning, it's just little bit annoying to wait ~3 seconds for the password.

Ah sorry, completely forgot to write that the password is indeed copied successfully initially 👍 It often takes a lot longer than 3 seconds on my machine though, sometimes up to 10 seconds. That was why I started to look into this.

The message 10:16:25 bitwarden.go:292: Falling back to Bitwarden CLI to get item. indicates that the normal bw cli is used to get the secret as the internal mechanism is broken since the rewrite of the encryption mechanism with version 2023.9 of the upstream Bitwarden cli.

I checked through the open issues but missed this one. Here it is for future reference: #171

Setting a value of BW_DATA_PATH in the environment variables shouldn't be needed unless it's not the default, but you're still using the default. I would revert that change.

OK, I will revert that 👍 It's a bit strange still that explicitly defining the default value results in a different behavior.

[AndreasNasman]

Opened a PR to make the issue a bit easier to detect: #183