Module login_via_password

Password-based authentication for Bitwarden users.

This module implements the password login flow, which requires two steps:

  1. Prelogin: Retrieve the user’s KDF configuration with LoginClient::get_password_prelogin
  2. Login: Authenticate with LoginClient::login_via_password using the KDF settings

§Security Model

The master password is never sent to the server. Instead:

  • User’s KDF settings (PBKDF2 or Argon2id) are fetched during prelogin
  • Master password is stretched with KDF to derive the master key
  • Master key is stretched again into an AES256-CBC-HMAC key to unwrap the user key
  • Master key is hashed with single-round PBKDF2 (using password as salt) to create the server authentication hash
  • Only the authentication hash is transmitted to the server
  • All requests include no-cache headers to prevent sensitive data caching
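To make the security model above concrete, here is a small Python model of the derivation chain (added here as an illustration, not the SDK's own code): PBKDF2 stretching of the master password into the master key, HKDF stretching of the master key into the AES-256-CBC-HMAC key pair, and the single-round PBKDF2 authentication hash that is the only value placed in the login payload. It assumes the normalised email is the KDF salt, the HKDF info labels `enc`/`mac`, and base64 transport encoding, none of which this page states; the Argon2id branch is not modelled because it needs a third-party library.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class KdfConfig:
    """Subset of what prelogin returns: the KDF name and its iteration count."""
    kdf: str          # "PBKDF2" or "Argon2id"
    iterations: int


def derive_master_key(password: str, email: str, kdf: KdfConfig) -> bytes:
    """Stretch the master password into the 32-byte master key (client side only)."""
    if kdf.kdf != "PBKDF2":
        raise NotImplementedError("Argon2id needs a third-party library; not modelled here")
    salt = email.strip().lower().encode()  # assumption: normalised email is the salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, kdf.iterations, dklen=32)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (no extract step, as the key is already uniform)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        out += block
        counter += 1
    return out[:length]


def stretch_master_key(master_key: bytes) -> tuple:
    """Stretch the master key into (AES-256 key, HMAC key) used to unwrap the user key.
    The "enc"/"mac" info labels are an assumption, not something this page documents."""
    return hkdf_expand_sha256(master_key, b"enc", 32), hkdf_expand_sha256(master_key, b"mac", 32)


def server_auth_hash(master_key: bytes, password: str) -> bytes:
    """Single-round PBKDF2 over the master key, with the password as salt."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, dklen=32)


def build_login_payload(email: str, password: str, kdf: KdfConfig) -> dict:
    """Only the authentication hash leaves the client; the password itself is never sent."""
    master_key = derive_master_key(password, email, kdf)
    auth_hash = server_auth_hash(master_key, password)
    return {"username": email, "password": base64.b64encode(auth_hash).decode()}


if __name__ == "__main__":
    # constructed sample input; "master-password" is the placeholder from the page's example
    print(build_login_payload("user@example.com", "master-password", KdfConfig("PBKDF2", 5000)))
```

Changing the iteration count the server reports changes the derived master key and therefore the authentication hash, which is why the prelogin step must run before login.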

§Current Limitations

  • Two-factor authentication (2FA) is not yet supported
  • New device verification is not yet implemented

§Complete Example

```rust
// Runs inside an async fn that returns a Result, since the calls below use `.await?`.

// Create the core client
let client = Client::new(None);
let auth_client = AuthClient::new(client);

// Create login client with settings
let settings = ClientSettings {
    identity_url: "https://identity.bitwarden.com".to_string(),
    api_url: "https://api.bitwarden.com".to_string(),
    user_agent: "MyApp/1.0".to_string(),
    device_type: DeviceType::SDK,
    device_identifier: None,
    bitwarden_client_version: None,
    bitwarden_package_type: None,
};
let login_client = auth_client.login(settings);

// Step 1: Get user's KDF configuration
let prelogin = login_client
    .get_password_prelogin("[email protected]".to_string())
    .await?;

// Step 2: Construct and send login request
let response = login_client.login_via_password(PasswordLoginRequest {
    login_request: LoginRequest {
        client_id: "connector".to_string(),
        device: LoginDeviceRequest {
            device_type: DeviceType::SDK,
            device_identifier: "device-id".to_string(),
            device_name: "My Device".to_string(),
            device_push_token: None,
        },
    },
    email: "[email protected]".to_string(),
    password: "master-password".to_string(),
    prelogin_response: prelogin,
}).await?;

// Step 3: Use tokens from response for authenticated requests
match response {
    LoginResponse::Authenticated(success) => {
        let access_token = success.access_token;
        // Use access_token for authenticated requests
    }
}
```

Modules§

login_via_password_impl 🔒
password_login_api_request 🔒
password_login_error 🔒
password_login_request 🔒
password_prelogin 🔒
password_prelogin_response 🔒

Structs§

PasswordLoginRequest
Public SDK request model for logging in via password
PasswordPreloginResponse
Response containing the data required before password-based authentication

Enums§

PasswordLoginError
Errors that can occur during password-based login.
PasswordPreloginError
Error type for password prelogin operations