Use updated fern instead of patch (#5298)

Signed-off-by: BlackDex <black.dex@gmail.com>

.env.template

@@ -280,12 +280,13 @@
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000
 
-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true
 
 ## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
-## as this provides unauthenticated access to potentially sensitive data.
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 
 #########################
@@ -349,6 +350,8 @@
 ## - "browser-fileless-import": Directly import credentials from other providers without a file.
 ## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
 ## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 
 ## Require new device emails. When a user logs in an email is required to be sent.
@@ -407,6 +410,14 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 
+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+# ALLOWED_CONNECT_SRC=""
+
 ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
 # LOGIN_RATELIMIT_SECONDS=60
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.

.github/workflows/build.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: "Checkout"
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
       # End Checkout the repo
 
 
@@ -75,7 +75,7 @@ jobs:
 
       # Only install the clippy and rustfmt components on the default rust-toolchain
       - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # master @ Nov 18, 2024, 5:36 AM GMT+1
         if: ${{ matrix.channel == 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -85,7 +85,7 @@ jobs:
 
       # Install the any other channel to be used for which we do not execute clippy and rustfmt
       - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # master @ Nov 18, 2024, 5:36 AM GMT+1
         if: ${{ matrix.channel != 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -107,7 +107,7 @@ jobs:
       # End Show environment
 
       # Enable Rust Caching
-      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
+      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
         with:
           # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
           # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -117,6 +117,12 @@ jobs:
 
       # Run cargo tests
       # First test all features together, afterwards test them separately.
+      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc,query_logger"
+        id: test_sqlite_mysql_postgresql_mimalloc_logger
+        if: $${{ always() }}
+        run: |
+          cargo test --features sqlite,mysql,postgresql,enable_mimalloc,query_logger
+
       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
         id: test_sqlite_mysql_postgresql_mimalloc
         if: $${{ always() }}
@@ -176,6 +182,7 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
           echo "|---|------|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }}|" >> $GITHUB_STEP_SUMMARY
           echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
           echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
           echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY

.github/workflows/hadolint.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
       # End Checkout the repo
 
       # Start Docker Buildx

.github/workflows/release.yml

@@ -58,7 +58,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
 

.github/workflows/trivy.yml

@@ -28,10 +28,13 @@ jobs:
       actions: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        env:
+          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
         with:
           scan-type: repo
           ignore-unfixed: true
@@ -40,6 +43,6 @@ jobs:
           severity: CRITICAL,HIGH
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # v3.26.6
+        uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.5
         with:
           sarif_file: 'trivy-results.sarif'

Cargo.toml

@@ -3,7 +3,7 @@ name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.80.0"
+rust-version = "1.82.0"
 resolver = "2"
 
 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -36,13 +36,13 @@ unstable = []
 
 [target."cfg(unix)".dependencies]
 # Logging
-syslog = "6.1.1"
+syslog = "7.0.0"
 
 [dependencies]
 # Logging
 log = "0.4.22"
-fern = { version = "0.7.0", features = ["syslog-6", "reopen-1"] }
-tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
+tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
 
 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
@@ -53,7 +53,7 @@ once_cell = "1.20.2"
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.5"
+bigdecimal = "0.4.7"
 
 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
@@ -67,16 +67,16 @@ dashmap = "6.1.0"
 
 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.41.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.42.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
 
 # A generic serialization/deserialization framework
-serde = { version = "1.0.213", features = ["derive"] }
-serde_json = "1.0.132"
+serde = { version = "1.0.216", features = ["derive"] }
+serde_json = "1.0.133"
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "2.2.4", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.2.6", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.2.0"
-diesel_logger = { version = "0.3.0", optional = true }
+diesel_logger = { version = "0.4.0", optional = true }
 
 # Bundled/Static SQLite
 libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true }
@@ -89,9 +89,9 @@ ring = "0.17.8"
 uuid = { version = "1.11.0", features = ["v4"] }
 
 # Date and time libraries
-chrono = { version = "0.4.38", features = ["clock", "serde"], default-features = false }
+chrono = { version = "0.4.39", features = ["clock", "serde"], default-features = false }
 chrono-tz = "0.10.0"
-time = "0.3.36"
+time = "0.3.37"
 
 # Job scheduler
 job_scheduler_ng = "2.0.5"
@@ -106,38 +106,38 @@ jsonwebtoken = "9.3.0"
 totp-lite = "2.0.1"
 
 # Yubico Library
-yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false }
+yubico = { version = "0.12.0", features = ["online-tokio"], default-features = false }
 
 # WebAuthn libraries
 webauthn-rs = "0.3.2"
 
 # Handling of URL's for WebAuthn and favicons
-url = "2.5.2"
+url = "2.5.4"
 
 # Email libraries
-lettre = { version = "0.11.10", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+lettre = { version = "0.11.11", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
 percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"
 
 # HTML Template library
-handlebars = { version = "6.1.0", features = ["dir_source"] }
+handlebars = { version = "6.2.0", features = ["dir_source"] }
 
 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.8", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
-hickory-resolver = "0.24.1"
+reqwest = { version = "0.12.9", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
+hickory-resolver = "0.24.2"
 
 # Favicon extraction libraries
-html5gum = "0.5.7"
-regex = { version = "1.11.0", features = ["std", "perf", "unicode-perl"], default-features = false }
+html5gum = "0.7.0"
+regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.1"
-bytes = "1.8.0"
+bytes = "1.9.0"
 
 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.53.1", features = ["async"] }
+cached = { version = "0.54.0", features = ["async"] }
 
 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.21.0"
+cookie_store = "0.21.1"
 
 # Used by U2F, JWT and PostgreSQL
 openssl = "0.10.68"
@@ -147,15 +147,15 @@ pico-args = "0.5.0"
 
 # Macro ident concatenation
 paste = "1.0.15"
-governor = "0.7.0"
+governor = "0.8.0"
 
 # Check client versions for specific features.
-semver = "1.0.23"
+semver = "1.0.24"
 
 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
 mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true }
-which = "6.0.3"
+which = "7.0.0"
 
 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@@ -163,6 +163,13 @@ argon2 = "0.5.3"
 # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
 rpassword = "7.3.1"
 
+# Loading a dynamic CSS Stylesheet
+grass_compiler = { version = "0.13.4", default-features = false }
+
+[patch.crates-io]
+# Patch yubico to remove duplicate crates of older versions
+yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
+
 # Strip debuginfo from the release builds
 # The symbols are the provide better panic traces
 # Also enable fat LTO and use 1 codegen unit for optimizations
@@ -213,7 +220,8 @@ noop_method_call = "deny"
 refining_impl_trait = { level = "deny", priority = -1 }
 rust_2018_idioms = { level = "deny", priority = -1 }
 rust_2021_compatibility = { level = "deny", priority = -1 }
-# rust_2024_compatibility = { level = "deny", priority = -1 } # Enable once we are at MSRV 1.81.0
+rust_2024_compatibility = { level = "deny", priority = -1 }
+edition_2024_expr_fragment_specifier = "allow" # Once changed to Rust 2024 this should be removed and macro's should be validated again
 single_use_lifetimes = "deny"
 trivial_casts = "deny"
 trivial_numeric_casts = "deny"
@@ -222,9 +230,6 @@ unused_import_braces = "deny"
 unused_lifetimes = "deny"
 unused_qualifications = "deny"
 variant_size_differences = "deny"
-# The lints below are part of the rust_2024_compatibility group
-static-mut-refs = "deny"
-unsafe-op-in-unsafe-fn = "deny"
 
 # https://rust-lang.github.io/rust-clippy/stable/index.html
 [lints.clippy]

README.md

@@ -1,102 +1,144 @@
-### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+![Vaultwarden Logo](./resources/vaultwarden-logo-auto.svg)
 
-📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
+An alternative server implementation of the Bitwarden Client API, written in Rust and compatible with [official Bitwarden clients](https://bitwarden.com/download/) [[disclaimer](#disclaimer)], perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
 
 ---
-[![Build](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml/badge.svg)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml)
-[![ghcr.io](https://img.shields.io/badge/ghcr.io-download-blue)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
-[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
-[![Quay.io](https://img.shields.io/badge/Quay.io-download-blue)](https://quay.io/repository/vaultwarden/server)
-[![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
-[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
-[![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
-[![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
 
-Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
+[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg?style=for-the-badge&logo=vaultwarden&color=005AA4)](https://github.com/dani-garcia/vaultwarden/releases/latest)
+[![ghcr.io Pulls](https://img.shields.io/badge/dynamic/json?style=for-the-badge&logo=github&logoColor=fff&color=005AA4&url=https%3A%2F%2Fipitio.github.io%2Fbackage%2Fdani-garcia%2Fvaultwarden%2Fvaultwarden.json&query=%24.downloads&label=ghcr.io%20pulls&cacheSeconds=14400)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
+[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg?style=for-the-badge&logo=docker&logoColor=fff&color=005AA4&label=docker.io%20pulls)](https://hub.docker.com/r/vaultwarden/server)
+[![Quay.io](https://img.shields.io/badge/quay.io-download-005AA4?style=for-the-badge&logo=redhat&cacheSeconds=14400)](https://quay.io/repository/vaultwarden/server) <br>
+[![Contributors](https://img.shields.io/github/contributors-anon/dani-garcia/vaultwarden.svg?style=flat-square&logo=vaultwarden&color=005AA4)](https://github.com/dani-garcia/vaultwarden/graphs/contributors)
+[![Forks](https://img.shields.io/github/forks/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4)](https://github.com/dani-garcia/vaultwarden/network/members)
+[![Stars](https://img.shields.io/github/stars/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4)](https://github.com/dani-garcia/vaultwarden/stargazers)
+[![Issues Open](https://img.shields.io/github/issues/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4&cacheSeconds=300)](https://github.com/dani-garcia/vaultwarden/issues)
+[![Issues Closed](https://img.shields.io/github/issues-closed/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4&cacheSeconds=300)](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue+is%3Aclosed)
+[![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg?style=flat-square&logo=vaultwarden&color=944000&cacheSeconds=14400)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt) <br>
+[![Dependency Status](https://img.shields.io/badge/dynamic/xml?url=https%3A%2F%2Fdeps.rs%2Frepo%2Fgithub%2Fdani-garcia%2Fvaultwarden%2Fstatus.svg&query=%2F*%5Blocal-name()%3D'svg'%5D%2F*%5Blocal-name()%3D'g'%5D%5B2%5D%2F*%5Blocal-name()%3D'text'%5D%5B4%5D&style=flat-square&logo=rust&label=dependencies&color=005AA4)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
+[![GHA Release](https://img.shields.io/github/actions/workflow/status/dani-garcia/vaultwarden/release.yml?style=flat-square&logo=github&logoColor=fff&label=Release%20Workflow)](https://github.com/dani-garcia/vaultwarden/actions/workflows/release.yml)
+[![GHA Build](https://img.shields.io/github/actions/workflow/status/dani-garcia/vaultwarden/build.yml?style=flat-square&logo=github&logoColor=fff&label=Build%20Workflow)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml) <br>
+[![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?style=flat-square&logo=matrix&logoColor=fff&color=953B00&cacheSeconds=14400)](https://matrix.to/#/#vaultwarden:matrix.org)
+[![GitHub Discussions](https://img.shields.io/github/discussions/dani-garcia/vaultwarden?style=flat-square&logo=github&logoColor=fff&color=953B00&cacheSeconds=300)](https://github.com/dani-garcia/vaultwarden/discussions)
+[![Discourse Discussions](https://img.shields.io/discourse/topics?server=https%3A%2F%2Fvaultwarden.discourse.group%2F&style=flat-square&logo=discourse&color=953B00)](https://vaultwarden.discourse.group/)
 
-**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
+> [!IMPORTANT]
+> **When using this server, please report any bugs or suggestions directly to us (see [Get in touch](#get-in-touch)), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official Bitwarden support channels.**
 
-#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
-
----
+<br>
 
 ## Features
 
-Basically full implementation of Bitwarden API is provided including:
+A nearly complete implementation of the Bitwarden Client API is provided, including:
 
- * Organizations support
- * Attachments and Send
- * Vault API support
- * Serving the static files for Vault interface
- * Website icons API
- * Authenticator and U2F support
- * YubiKey and Duo support
- * Emergency Access
+ * [Personal Vault](https://bitwarden.com/help/managing-items/)
+ * [Send](https://bitwarden.com/help/about-send/)
+ * [Attachments](https://bitwarden.com/help/attachments/)
+ * [Website icons](https://bitwarden.com/help/website-icons/)
+ * [Personal API Key](https://bitwarden.com/help/personal-api-key/)
+ * [Organizations](https://bitwarden.com/help/getting-started-organizations/)
+   - [Collections](https://bitwarden.com/help/about-collections/),
+     [Password Sharing](https://bitwarden.com/help/sharing/),
+     [Member Roles](https://bitwarden.com/help/user-types-access-control/),
+     [Groups](https://bitwarden.com/help/about-groups/),
+     [Event Logs](https://bitwarden.com/help/event-logs/),
+     [Admin Password Reset](https://bitwarden.com/help/admin-reset/),
+     [Directory Connector](https://bitwarden.com/help/directory-sync/),
+     [Policies](https://bitwarden.com/help/policies/)
+ * [Multi/Two Factor Authentication](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/)
+   - [Authenticator](https://bitwarden.com/help/setup-two-step-login-authenticator/),
+     [Email](https://bitwarden.com/help/setup-two-step-login-email/),
+     [FIDO2 WebAuthn](https://bitwarden.com/help/setup-two-step-login-fido/),
+     [YubiKey](https://bitwarden.com/help/setup-two-step-login-yubikey/),
+     [Duo](https://bitwarden.com/help/setup-two-step-login-duo/)
+ * [Emergency Access](https://bitwarden.com/help/emergency-access/)
+ * [Vaultwarden Admin Backend](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page)
+ * [Modified Web Vault client](https://github.com/dani-garcia/bw_web_builds) (Bundled within our containers)
 
-## Installation
-Pull the docker image and mount a volume from the host for persistent storage:
-
-```sh
-docker pull vaultwarden/server:latest
-docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest
-```
-This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.
-
-**IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
-
-This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
-
-If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
+<br>
 
 ## Usage
-See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server.
+
+> [!IMPORTANT]
+> Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
+>
+>This can be configured in [Vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
+>
+>If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy or Traefik (see examples linked above).
+
+> [!TIP]
+>**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).**
+
+The main way to use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server).
+
+There are also [community driven packages](https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages) which can be used, but those might be lagging behind the latest version or might deviate in the way Vaultwarden is configured, as described in our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).
+
+### Docker/Podman CLI
+
+Pull the container image and mount a volume from the host for persistent storage.<br>
+You can replace `docker` with `podman` if you prefer to use podman.
+
+```shell
+docker pull vaultwarden/server:latest
+docker run --detach --name vaultwarden \
+  --env DOMAIN="https://vw.domain.tld" \
+  --volume /vw-data/:/data/ \
+  --restart unless-stopped \
+  --publish 80:80 \
+  vaultwarden/server:latest
+```
+
+This will preserve any persistent data under `/vw-data/`, you can adapt the path to whatever suits you.
+
+### Docker Compose
+
+To use Docker compose you need to create a `compose.yaml` which will hold the configuration to run the Vaultwarden container.
+
+```yaml
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: unless-stopped
+    environment:
+      DOMAIN: "https://vw.domain.tld"
+    volumes:
+      - ./vw-data/:/data/
+    ports:
+      - 80:80
+```
+
+<br>
 
 ## Get in touch
-To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/).
 
-If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though!
+Have a question, suggestion or need help? Join our community on [Matrix](https://matrix.to/#/#vaultwarden:matrix.org), [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [Discourse Forums](https://vaultwarden.discourse.group/).
 
-If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us!
+Encountered a bug or crash? Please search our issue tracker and discussions to see if it's already been reported. If not, please [start a new discussion](https://github.com/dani-garcia/vaultwarden/discussions) or [create a new issue](https://github.com/dani-garcia/vaultwarden/issues/). Ensure you're using the latest version of Vaultwarden and there aren't any similar issues open or closed!
+
+<br>
+
+## Contributors
 
-### Sponsors
 Thanks for your contribution to the project!
 
-<!--
-<table>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/username">
-        <img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/>
-        <br />
-        <sub><b>username</b></sub>
-      </a>
-  </td>
-  </tr>
-</table>
+[![Contributors Count](https://img.shields.io/github/contributors-anon/dani-garcia/vaultwarden?style=for-the-badge&logo=vaultwarden&color=005AA4)](https://github.com/dani-garcia/vaultwarden/graphs/contributors)<br>
+[![Contributors Avatars](https://contributors-img.web.app/image?repo=dani-garcia/vaultwarden)](https://github.com/dani-garcia/vaultwarden/graphs/contributors)
 
-<br/>
--->
+<br>
 
-<table>
-  <tr>
-    <td align="center">
-       <a href="https://github.com/themightychris" style="width: 75px">
-        <sub><b>Chris Alfano</b></sub>
-      </a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/numberly" style="width: 75px">
-        <sub><b>Numberly</b></sub>
-      </a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/IQ333777" style="width: 75px">
-        <sub><b>IQ333777</b></sub>
-      </a>
-    </td>
-  </tr>
-</table>
+## Disclaimer
+
+**This project is not associated with [Bitwarden](https://bitwarden.com/) or Bitwarden, Inc.**
+
+However, one of the active maintainers for Vaultwarden is employed by Bitwarden and is allowed to contribute to the project on their own time. These contributions are independent of Bitwarden and are reviewed by other maintainers.
+
+The maintainers work together to set the direction for the project, focusing on serving the self-hosting community, including individuals, families, and small organizations, while ensuring the project's sustainability.
+
+**Please note:** We cannot be held liable for any data loss that may occur while using Vaultwarden. This includes passwords, attachments, and other information handled by the application. We highly recommend performing regular backups of your files and database. However, should you experience data loss, we encourage you to contact us immediately.
+
+<br>
+
+## Bitwarden_RS
+
+This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues.<br>
+Please see [#1642 - v1.21.0 release and project rename to Vaultwarden](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.

SECURITY.md

@@ -21,7 +21,7 @@ notify us. We welcome working with you to resolve the issue promptly. Thanks in
 The following bug classes are out-of scope:
 
 - Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues)
-- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
+- Bugs that are not part of Vaultwarden, like on the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
 - Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer
 - Attacks requiring physical access to a user's device
 - Issues related to software or protocols not under Vaultwarden's control

docker/DockerSettings.yaml

@@ -5,9 +5,9 @@ vault_image_digest: "sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf716
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa"
-rust_version: 1.82.0 # Rust version to be used
+rust_version: 1.83.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
-alpine_version: "3.20" # Alpine version to be used
+alpine_version: "3.21" # Alpine version to be used
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch

docker/Dockerfile.alpine

@@ -32,10 +32,10 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.82.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.82.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.82.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.82.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.83.0 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.83.0 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.83.0 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.83.0 AS build_armv6
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@@ -126,7 +126,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.20
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.21
 
 ENV ROCKET_PROFILE="release" \
     ROCKET_ADDRESS=0.0.0.0 \

docker/Dockerfile.debian

@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:1978e7a58a1777cb0ef0d
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.82.0-slim-bookworm AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.83.0-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT

docker/README.md

@@ -46,7 +46,7 @@ There also is an option to use an other docker container to provide support for
 ```bash
 # To install and activate
 docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
-# To unistall
+# To uninstall
 docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 ```
 

docker/docker-bake.hcl

@@ -17,7 +17,7 @@ variable "SOURCE_REPOSITORY_URL" {
   default = null
 }
 
-// The commit hash of of the current commit this build was triggered on
+// The commit hash of the current commit this build was triggered on
 variable "SOURCE_COMMIT" {
   default = null
 }

resources/vaultwarden-logo-auto.svg

@@ -0,0 +1,78 @@
+<svg width="1365.8256" height="280.48944" version="1.1" viewBox="0 0 1365.8255 280.48944" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<style>
+@media (prefers-color-scheme: dark) {
+  svg { -webkit-filter:invert(0.90); filter:invert(0.90); }
+}</style>
+<title>Vaultwarden Logo</title>
+<defs>
+<mask id="d">
+<rect x="-60" y="-60" width="120" height="120" fill="#fff"/>
+<circle id="b" cy="-40" r="3"/>
+<use transform="rotate(72)" xlink:href="#b"/>
+<use transform="rotate(144)" xlink:href="#b"/>
+<use transform="rotate(216)" xlink:href="#b"/>
+<use transform="rotate(-72)" xlink:href="#b"/>
+</mask>
+</defs>
+<g transform="translate(-10.708266,-9.2965379)" aria-label="aultwarden">
+<path d="m371.55338 223.43649-5.76172-14.84375h-0.78125q-7.51953 9.47266-15.52735 13.1836-7.91015 3.61328-20.70312 3.61328-15.72266 0-24.80469-8.98438-8.98437-8.98437-8.98437-25.58593 0-17.38282 12.10937-25.58594 12.20703-8.30078 36.71875-9.17969l18.94531-0.58594v-4.78515q0-16.60157-16.99218-16.60157-13.08594 0-30.76172 7.91016l-9.86328-20.11719q18.84765-9.86328 41.79687-9.86328 21.97266 0 33.69141 9.57031 11.71875 9.57032 11.71875 29.10157v72.7539zm-8.78907-50.58593-11.52343 0.39062q-12.98829 0.39063-19.33594 4.6875-6.34766 4.29688-6.34766 13.08594 0 12.59765 14.45313 12.59765 10.35156 0 16.5039-5.95703 6.25-5.95703 6.25-15.82031zm137.59766 50.58593-4.00391-13.96484h-1.5625q-4.78515 7.61719-13.57422 11.81641-8.78906 4.10156-20.01953 4.10156-19.23828 0-29.0039-10.25391-9.76563-10.35156-9.76563-29.6875v-71.1914h29.78516v63.76953q0 11.8164 4.19922 17.77343 4.19922 5.85938 13.3789 5.85938 12.5 0 18.06641-8.30078 5.56641-8.39844 5.56641-27.73438v-51.36718h29.78515v109.17968zm83.88672 0h-29.78516v-151.953122h29.78516zm77.24609-21.77734q7.8125 0 18.75-3.41797v22.16797q-11.13281 4.98047-27.34375 4.98047-17.87109 0-26.07422-8.98438-8.10547-9.08203-8.10547-27.14843v-52.63672h-14.25781v-12.59766l16.40625-9.96094 8.59375-23.046872h19.04297v23.242192h30.56641v22.36328h-30.56641v52.63672q0 6.34765 3.51563 9.375 3.61328 3.02734 9.47265 3.02734z"/>
+<path d="m791.27994 223.43649-19.62891-62.79297q-1.85547-5.76171-6.93359-26.17187h-0.78125q-3.90625 17.08984-6.83594 26.36719l-20.21484 62.59765h-18.75l-29.19922-107.03125h16.99219q10.35156 40.33203 15.72265 61.42578 5.46875 21.09375 6.25 28.41797h0.78125q1.07422-5.5664 3.41797-14.35547 2.44141-8.88671 4.19922-14.0625l19.62891-61.42578h17.57812l19.14063 61.42578q5.46875 16.79688 7.42187 28.22266h0.78125q0.39063-3.51562 2.05078-10.83984 1.75781-7.32422 20.41016-78.8086h16.79687l-29.58984 107.03125zm133.98437 0-3.22265-15.23437h-0.78125q-8.00782 10.05859-16.01563 13.67187-7.91015 3.51563-19.82422 3.51563-15.91797 0-25-8.20313-8.98437-8.20312-8.98437-23.33984 0-32.42188 51.85547-33.98438l18.16406-0.58593v-6.64063q0-12.59765-5.46875-18.55469-5.37109-6.05468-17.28516-6.05468-13.3789 0-30.27343 8.20312l-4.98047-12.40234q7.91015-4.29688 17.28515-6.73828 9.47266-2.44141 18.94532-2.44141 19.14062 0 28.32031 8.49609 9.27734 8.4961 9.27734 27.2461v73.04687zm-36.62109-11.42578q15.13672 0 23.73047-8.30078 8.6914-8.30078 8.6914-23.24219v-9.66797l-16.21093 0.6836q-19.33594 0.68359-27.92969 6.05469-8.49609 5.27343-8.49609 16.5039 0 8.78906 5.27343 13.37891 5.3711 4.58984 14.94141 4.58984zm130.85938-97.55859q7.1289 0 12.793 1.17187l-2.2461 15.03907q-6.6407-1.46485-11.7188-1.46485-12.9883 0-22.26561 10.54688-9.17968 10.54687-9.17968 26.26953v57.42187h-16.21094v-107.03125h13.37891l1.85546 19.82422h0.78125q5.95704-10.44922 14.35551-16.11328 8.3984-5.66406 18.457-5.66406zm101.6602 94.6289h-0.879q-11.2304 16.3086-33.5937 16.3086-20.9961 0-32.7148-14.35547-11.6211-14.35547-11.6211-40.82031 0-26.46485 11.7187-41.11328 11.7188-14.64844 32.6172-14.64844 21.7773 0 33.3984 15.82031h1.2696l-0.6836-7.71484-0.3907-7.51953v-43.554692h16.211v151.953122h-13.1836zm-32.4219 2.73438q16.6015 0 24.0234-8.98438 7.5195-9.08203 7.5195-29.19921v-3.41797q0-22.75391-7.6171-32.42188-7.5196-9.76562-24.1211-9.76562-14.2578 0-21.875 11.13281-7.5196 11.03516-7.5196 31.25 0 20.50781 7.5196 30.95703 7.5195 10.44922 22.0703 10.44922zm127.3437 13.57422q-23.7304 0-37.5-14.45313-13.6718-14.45312-13.6718-40.13672 0-25.8789 12.6953-41.11328 12.7929-15.23437 34.2773-15.23437 20.1172 0 31.8359 13.28125 11.7188 13.18359 11.7188 34.86328v10.25391h-73.7305q0.4883 18.84765 9.4727 28.61328 9.082 9.76562 25.4883 9.76562 17.2851 0 34.1797-7.22656v14.45312q-8.5938 3.71094-16.3086 5.27344-7.6172 1.66016-18.4571 1.66016zm-4.3945-97.36328q-12.8906 0-20.6055 8.39843-7.6172 8.39844-8.9843 23.24219h55.957q0-15.33203-6.836-23.4375-6.8359-8.20312-19.5312-8.20312zm144.6289 95.41015v-69.23828q0-13.08594-5.957-19.53125-5.9571-6.44531-18.6524-6.44531-16.7968 0-24.6093 9.08203t-7.8125 29.98047v56.15234h-16.211v-107.03125h13.1836l2.6367 14.64844h0.7813q4.9804-7.91016 13.9648-12.20703 8.9844-4.39453 20.0196-4.39453 19.3359 0 29.1015 9.375 9.7656 9.27734 9.7656 29.78515v69.82422z"/>
+</g>
+<g transform="translate(-10.708266,-9.2965379)">
+<g id="e" transform="matrix(2.6712834,0,0,2.6712834,150.95027,149.53854)">
+<g id="f" mask="url(#d)">
+<path d="m-31.1718-33.813208 26.496029 74.188883h9.3515399l26.49603-74.188883h-9.767164l-16.728866 47.588948q-1.662496 4.571864-2.805462 8.624198-1.142966 3.948427-1.870308 7.585137-.72734199-3.63671-1.8703079-7.689043-1.142966-4.052334-2.805462-8.728104l-16.624959-47.381136z" stroke="#000" stroke-width="4.51171"/>
+<circle transform="scale(-1,1)" r="43" fill="none" stroke="#000" stroke-width="9"/>
+<g id="g" transform="scale(-1,1)">
+<polygon id="a" points="46 -3 46 3 51 0" stroke="#000" stroke-linejoin="round" stroke-width="3"/>
+<use transform="rotate(11.25)" xlink:href="#a"/>
+<use transform="rotate(22.5)" xlink:href="#a"/>
+<use transform="rotate(33.75)" xlink:href="#a"/>
+<use transform="rotate(45)" xlink:href="#a"/>
+<use transform="rotate(56.25)" xlink:href="#a"/>
+<use transform="rotate(67.5)" xlink:href="#a"/>
+<use transform="rotate(78.75)" xlink:href="#a"/>
+<use transform="rotate(90)" xlink:href="#a"/>
+<use transform="rotate(101.25)" xlink:href="#a"/>
+<use transform="rotate(112.5)" xlink:href="#a"/>
+<use transform="rotate(123.75)" xlink:href="#a"/>
+<use transform="rotate(135)" xlink:href="#a"/>
+<use transform="rotate(146.25)" xlink:href="#a"/>
+<use transform="rotate(157.5)" xlink:href="#a"/>
+<use transform="rotate(168.75)" xlink:href="#a"/>
+<use transform="scale(-1)" xlink:href="#a"/>
+<use transform="rotate(191.25)" xlink:href="#a"/>
+<use transform="rotate(202.5)" xlink:href="#a"/>
+<use transform="rotate(213.75)" xlink:href="#a"/>
+<use transform="rotate(225)" xlink:href="#a"/>
+<use transform="rotate(236.25)" xlink:href="#a"/>
+<use transform="rotate(247.5)" xlink:href="#a"/>
+<use transform="rotate(258.75)" xlink:href="#a"/>
+<use transform="rotate(-90)" xlink:href="#a"/>
+<use transform="rotate(-78.75)" xlink:href="#a"/>
+<use transform="rotate(-67.5)" xlink:href="#a"/>
+<use transform="rotate(-56.25)" xlink:href="#a"/>
+<use transform="rotate(-45)" xlink:href="#a"/>
+<use transform="rotate(-33.75)" xlink:href="#a"/>
+<use transform="rotate(-22.5)" xlink:href="#a"/>
+<use transform="rotate(-11.25)" xlink:href="#a"/>
+</g>
+<g id="h" transform="scale(-1,1)">
+<polygon id="c" points="7 -42 -7 -42 0 -35" stroke="#000" stroke-linejoin="round" stroke-width="6"/>
+<use transform="rotate(72)" xlink:href="#c"/>
+<use transform="rotate(144)" xlink:href="#c"/>
+<use transform="rotate(216)" xlink:href="#c"/>
+<use transform="rotate(-72)" xlink:href="#c"/>
+</g>
+</g>
+<mask>
+<rect x="-60" y="-60" width="120" height="120" fill="#fff"/>
+<circle cy="-40" r="3"/>
+<use transform="rotate(72)" xlink:href="#b"/>
+<use transform="rotate(144)" xlink:href="#b"/>
+<use transform="rotate(216)" xlink:href="#b"/>
+<use transform="rotate(-72)" xlink:href="#b"/>
+</mask>
+</g>
+</g>
+</svg>

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.82.0"
+channel = "1.83.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"

src/api/admin.rs

@@ -62,6 +62,7 @@ pub fn routes() -> Vec<Route> {
         diagnostics,
         get_diagnostics_config,
         resend_user_invite,
+        get_diagnostics_http,
     ]
 }
 
@@ -494,11 +495,11 @@ struct UserOrgTypeData {
 async fn update_user_org_type(data: Json<UserOrgTypeData>, token: AdminToken, mut conn: DbConn) -> EmptyResult {
     let data: UserOrgTypeData = data.into_inner();
 
-    let mut user_to_edit =
-        match UserOrganization::find_by_user_and_org(&data.user_uuid, &data.org_uuid, &mut conn).await {
-            Some(user) => user,
-            None => err!("The specified user isn't member of the organization"),
-        };
+    let Some(mut user_to_edit) =
+        UserOrganization::find_by_user_and_org(&data.user_uuid, &data.org_uuid, &mut conn).await
+    else {
+        err!("The specified user isn't member of the organization")
+    };
 
     let new_type = match UserOrgType::from_str(&data.user_type.into_string()) {
         Some(new_type) => new_type as i32,
@@ -601,9 +602,8 @@ async fn get_json_api<T: DeserializeOwned>(url: &str) -> Result<T, Error> {
 }
 
 async fn has_http_access() -> bool {
-    let req = match make_http_request(Method::HEAD, "https://github.com/dani-garcia/vaultwarden") {
-        Ok(r) => r,
-        Err(_) => return false,
+    let Ok(req) = make_http_request(Method::HEAD, "https://github.com/dani-garcia/vaultwarden") else {
+        return false;
     };
     match req.send().await {
         Ok(r) => r.status().is_success(),
@@ -713,6 +713,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, mut conn: DbConn)
         "ip_header_name": ip_header_name,
         "ip_header_config": &CONFIG.ip_header(),
         "uses_proxy": uses_proxy,
+        "enable_websocket": &CONFIG.enable_websocket(),
         "db_type": *DB_TYPE,
         "db_version": get_sql_server_version(&mut conn).await,
         "admin_url": format!("{}/diagnostics", admin_url()),
@@ -734,6 +735,11 @@ fn get_diagnostics_config(_token: AdminToken) -> Json<Value> {
     Json(support_json)
 }
 
+#[get("/diagnostics/http?<code>")]
+fn get_diagnostics_http(code: u16, _token: AdminToken) -> EmptyResult {
+    err_code!(format!("Testing error {code} response"), code);
+}
+
 #[post("/config", data = "<data>")]
 fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
     let data: ConfigBuilder = data.into_inner();

src/api/core/emergency_access.rs

@@ -137,11 +137,11 @@ async fn post_emergency_access(
 
     let data: EmergencyAccessUpdateData = data.into_inner();
 
-    let mut emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await {
-            Some(emergency_access) => emergency_access,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(mut emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     let new_type = match EmergencyAccessType::from_str(&data.r#type.into_string()) {
         Some(new_type) => new_type as i32,
@@ -284,24 +284,22 @@ async fn send_invite(data: Json<EmergencyAccessInviteData>, headers: Headers, mu
 async fn resend_invite(emer_id: &str, headers: Headers, mut conn: DbConn) -> EmptyResult {
     check_emergency_access_enabled()?;
 
-    let mut emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(mut emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if emergency_access.status != EmergencyAccessStatus::Invited as i32 {
         err!("The grantee user is already accepted or confirmed to the organization");
     }
 
-    let email = match emergency_access.email.clone() {
-        Some(email) => email,
-        None => err!("Email not valid."),
+    let Some(email) = emergency_access.email.clone() else {
+        err!("Email not valid.")
     };
 
-    let grantee_user = match User::find_by_mail(&email, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantee user not found."),
+    let Some(grantee_user) = User::find_by_mail(&email, &mut conn).await else {
+        err!("Grantee user not found.")
     };
 
     let grantor_user = headers.user;
@@ -356,16 +354,15 @@ async fn accept_invite(emer_id: &str, data: Json<AcceptData>, headers: Headers,
 
     // We need to search for the uuid in combination with the email, since we do not yet store the uuid of the grantee in the database.
     // The uuid of the grantee gets stored once accepted.
-    let mut emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantee_email(emer_id, &headers.user.email, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(mut emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantee_email(emer_id, &headers.user.email, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     // get grantor user to send Accepted email
-    let grantor_user = match User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantor user not found."),
+    let Some(grantor_user) = User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await else {
+        err!("Grantor user not found.")
     };
 
     if emer_id == claims.emer_id
@@ -403,11 +400,11 @@ async fn confirm_emergency_access(
     let data: ConfirmData = data.into_inner();
     let key = data.key;
 
-    let mut emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &confirming_user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(mut emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &confirming_user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if emergency_access.status != EmergencyAccessStatus::Accepted as i32
         || emergency_access.grantor_uuid != confirming_user.uuid
@@ -415,15 +412,13 @@ async fn confirm_emergency_access(
         err!("Emergency access not valid.")
     }
 
-    let grantor_user = match User::find_by_uuid(&confirming_user.uuid, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantor user not found."),
+    let Some(grantor_user) = User::find_by_uuid(&confirming_user.uuid, &mut conn).await else {
+        err!("Grantor user not found.")
     };
 
     if let Some(grantee_uuid) = emergency_access.grantee_uuid.as_ref() {
-        let grantee_user = match User::find_by_uuid(grantee_uuid, &mut conn).await {
-            Some(user) => user,
-            None => err!("Grantee user not found."),
+        let Some(grantee_user) = User::find_by_uuid(grantee_uuid, &mut conn).await else {
+            err!("Grantee user not found.")
         };
 
         emergency_access.status = EmergencyAccessStatus::Confirmed as i32;
@@ -450,19 +445,18 @@ async fn initiate_emergency_access(emer_id: &str, headers: Headers, mut conn: Db
     check_emergency_access_enabled()?;
 
     let initiating_user = headers.user;
-    let mut emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &initiating_user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(mut emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &initiating_user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if emergency_access.status != EmergencyAccessStatus::Confirmed as i32 {
         err!("Emergency access not valid.")
     }
 
-    let grantor_user = match User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantor user not found."),
+    let Some(grantor_user) = User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await else {
+        err!("Grantor user not found.")
     };
 
     let now = Utc::now().naive_utc();
@@ -488,25 +482,23 @@ async fn initiate_emergency_access(emer_id: &str, headers: Headers, mut conn: Db
 async fn approve_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
     check_emergency_access_enabled()?;
 
-    let mut emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(mut emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if emergency_access.status != EmergencyAccessStatus::RecoveryInitiated as i32 {
         err!("Emergency access not valid.")
     }
 
-    let grantor_user = match User::find_by_uuid(&headers.user.uuid, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantor user not found."),
+    let Some(grantor_user) = User::find_by_uuid(&headers.user.uuid, &mut conn).await else {
+        err!("Grantor user not found.")
     };
 
     if let Some(grantee_uuid) = emergency_access.grantee_uuid.as_ref() {
-        let grantee_user = match User::find_by_uuid(grantee_uuid, &mut conn).await {
-            Some(user) => user,
-            None => err!("Grantee user not found."),
+        let Some(grantee_user) = User::find_by_uuid(grantee_uuid, &mut conn).await else {
+            err!("Grantee user not found.")
         };
 
         emergency_access.status = EmergencyAccessStatus::RecoveryApproved as i32;
@@ -525,11 +517,11 @@ async fn approve_emergency_access(emer_id: &str, headers: Headers, mut conn: DbC
 async fn reject_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
     check_emergency_access_enabled()?;
 
-    let mut emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(mut emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantor_uuid(emer_id, &headers.user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if emergency_access.status != EmergencyAccessStatus::RecoveryInitiated as i32
         && emergency_access.status != EmergencyAccessStatus::RecoveryApproved as i32
@@ -538,9 +530,8 @@ async fn reject_emergency_access(emer_id: &str, headers: Headers, mut conn: DbCo
     }
 
     if let Some(grantee_uuid) = emergency_access.grantee_uuid.as_ref() {
-        let grantee_user = match User::find_by_uuid(grantee_uuid, &mut conn).await {
-            Some(user) => user,
-            None => err!("Grantee user not found."),
+        let Some(grantee_user) = User::find_by_uuid(grantee_uuid, &mut conn).await else {
+            err!("Grantee user not found.")
         };
 
         emergency_access.status = EmergencyAccessStatus::Confirmed as i32;
@@ -563,11 +554,11 @@ async fn reject_emergency_access(emer_id: &str, headers: Headers, mut conn: DbCo
 async fn view_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
     check_emergency_access_enabled()?;
 
-    let emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &headers.user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &headers.user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if !is_valid_request(&emergency_access, &headers.user.uuid, EmergencyAccessType::View) {
         err!("Emergency access not valid.")
@@ -602,19 +593,18 @@ async fn takeover_emergency_access(emer_id: &str, headers: Headers, mut conn: Db
     check_emergency_access_enabled()?;
 
     let requesting_user = headers.user;
-    let emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &requesting_user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &requesting_user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if !is_valid_request(&emergency_access, &requesting_user.uuid, EmergencyAccessType::Takeover) {
         err!("Emergency access not valid.")
     }
 
-    let grantor_user = match User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantor user not found."),
+    let Some(grantor_user) = User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await else {
+        err!("Grantor user not found.")
     };
 
     let result = json!({
@@ -650,19 +640,18 @@ async fn password_emergency_access(
     //let key = &data.Key;
 
     let requesting_user = headers.user;
-    let emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &requesting_user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &requesting_user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if !is_valid_request(&emergency_access, &requesting_user.uuid, EmergencyAccessType::Takeover) {
         err!("Emergency access not valid.")
     }
 
-    let mut grantor_user = match User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantor user not found."),
+    let Some(mut grantor_user) = User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await else {
+        err!("Grantor user not found.")
     };
 
     // change grantor_user password
@@ -686,19 +675,18 @@ async fn password_emergency_access(
 #[get("/emergency-access/<emer_id>/policies")]
 async fn policies_emergency_access(emer_id: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
     let requesting_user = headers.user;
-    let emergency_access =
-        match EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &requesting_user.uuid, &mut conn).await {
-            Some(emer) => emer,
-            None => err!("Emergency access not valid."),
-        };
+    let Some(emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantee_uuid(emer_id, &requesting_user.uuid, &mut conn).await
+    else {
+        err!("Emergency access not valid.")
+    };
 
     if !is_valid_request(&emergency_access, &requesting_user.uuid, EmergencyAccessType::Takeover) {
         err!("Emergency access not valid.")
     }
 
-    let grantor_user = match User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await {
-        Some(user) => user,
-        None => err!("Grantor user not found."),
+    let Some(grantor_user) = User::find_by_uuid(&emergency_access.grantor_uuid, &mut conn).await else {
+        err!("Grantor user not found.")
     };
 
     let policies = OrgPolicy::find_confirmed_by_user(&grantor_user.uuid, &mut conn);

src/api/core/folders.rs

@@ -25,16 +25,10 @@ async fn get_folders(headers: Headers, mut conn: DbConn) -> Json<Value> {
 
 #[get("/folders/<uuid>")]
 async fn get_folder(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
-    let folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
-    };
-
-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
+    match Folder::find_by_uuid_and_user(uuid, &headers.user.uuid, &mut conn).await {
+        Some(folder) => Ok(Json(folder.to_json())),
+        _ => err!("Invalid folder", "Folder does not exist or belongs to another user"),
     }
-
-    Ok(Json(folder.to_json()))
 }
 
 #[derive(Deserialize)]
@@ -71,15 +65,10 @@ async fn put_folder(
 ) -> JsonResult {
     let data: FolderData = data.into_inner();
 
-    let mut folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
+    let Some(mut folder) = Folder::find_by_uuid_and_user(uuid, &headers.user.uuid, &mut conn).await else {
+        err!("Invalid folder", "Folder does not exist or belongs to another user")
     };
 
-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
-    }
-
     folder.name = data.name;
 
     folder.save(&mut conn).await?;
@@ -95,15 +84,10 @@ async fn delete_folder_post(uuid: &str, headers: Headers, conn: DbConn, nt: Noti
 
 #[delete("/folders/<uuid>")]
 async fn delete_folder(uuid: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    let folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
+    let Some(folder) = Folder::find_by_uuid_and_user(uuid, &headers.user.uuid, &mut conn).await else {
+        err!("Invalid folder", "Folder does not exist or belongs to another user")
     };
 
-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
-    }
-
     // Delete the actual folder entry
     folder.delete(&mut conn).await?;
 

src/api/core/mod.rs

@@ -135,12 +135,13 @@ async fn put_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbC
 }
 
 #[get("/hibp/breach?<username>")]
-async fn hibp_breach(username: &str) -> JsonResult {
-    let url = format!(
-        "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
-    );
-
+async fn hibp_breach(username: &str, _headers: Headers) -> JsonResult {
+    let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
     if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+        let url = format!(
+            "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
+        );
+
         let res = make_http_request(Method::GET, &url)?.header("hibp-api-key", api_key).send().await?;
 
         // If we get a 404, return a 404, it means no breached accounts

src/api/core/public.rs

@@ -203,9 +203,8 @@ impl<'r> FromRequest<'r> for PublicToken {
             None => err_handler!("No access token provided"),
         };
         // Check JWT token is valid and get device and user from it
-        let claims = match auth::decode_api_org(access_token) {
-            Ok(claims) => claims,
-            Err(_) => err_handler!("Invalid claim"),
+        let Ok(claims) = auth::decode_api_org(access_token) else {
+            err_handler!("Invalid claim")
         };
         // Check if time is between claims.nbf and claims.exp
         let time_now = Utc::now().timestamp();
@@ -227,13 +226,11 @@ impl<'r> FromRequest<'r> for PublicToken {
             Outcome::Success(conn) => conn,
             _ => err_handler!("Error getting DB"),
         };
-        let org_uuid = match claims.client_id.strip_prefix("organization.") {
-            Some(uuid) => uuid,
-            None => err_handler!("Malformed client_id"),
+        let Some(org_uuid) = claims.client_id.strip_prefix("organization.") else {
+            err_handler!("Malformed client_id")
         };
-        let org_api_key = match OrganizationApiKey::find_by_org_uuid(org_uuid, &conn).await {
-            Some(org_api_key) => org_api_key,
-            None => err_handler!("Invalid client_id"),
+        let Some(org_api_key) = OrganizationApiKey::find_by_org_uuid(org_uuid, &conn).await else {
+            err_handler!("Invalid client_id")
         };
         if org_api_key.org_uuid != claims.client_sub {
             err_handler!("Token not issued for this org");

src/api/core/sends.rs

@@ -159,16 +159,10 @@ async fn get_sends(headers: Headers, mut conn: DbConn) -> Json<Value> {
 
 #[get("/sends/<uuid>")]
 async fn get_send(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
-    let send = match Send::find_by_uuid(uuid, &mut conn).await {
-        Some(send) => send,
-        None => err!("Send not found"),
-    };
-
-    if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
-        err!("Send is not owned by user")
+    match Send::find_by_uuid_and_user(uuid, &headers.user.uuid, &mut conn).await {
+        Some(send) => Ok(Json(send.to_json())),
+        None => err!("Send not found", "Invalid uuid or does not belong to user"),
     }
-
-    Ok(Json(send.to_json()))
 }
 
 #[post("/sends", data = "<data>")]
@@ -371,22 +365,14 @@ async fn post_send_file_v2_data(
 
     let mut data = data.into_inner();
 
-    let Some(send) = Send::find_by_uuid(send_uuid, &mut conn).await else {
-        err!("Send not found. Unable to save the file.")
+    let Some(send) = Send::find_by_uuid_and_user(send_uuid, &headers.user.uuid, &mut conn).await else {
+        err!("Send not found. Unable to save the file.", "Invalid uuid or does not belong to user.")
     };
 
     if send.atype != SendType::File as i32 {
         err!("Send is not a file type send.");
     }
 
-    let Some(send_user_id) = &send.user_uuid else {
-        err!("Sends are only supported for users at the moment.")
-    };
-
-    if send_user_id != &headers.user.uuid {
-        err!("Send doesn't belong to user.");
-    }
-
     let Ok(send_data) = serde_json::from_str::<SendFileData>(&send.data) else {
         err!("Unable to decode send data as json.")
     };
@@ -456,9 +442,8 @@ async fn post_access(
     ip: ClientIp,
     nt: Notify<'_>,
 ) -> JsonResult {
-    let mut send = match Send::find_by_access_id(access_id, &mut conn).await {
-        Some(s) => s,
-        None => err_code!(SEND_INACCESSIBLE_MSG, 404),
+    let Some(mut send) = Send::find_by_access_id(access_id, &mut conn).await else {
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
     };
 
     if let Some(max_access_count) = send.max_access_count {
@@ -517,9 +502,8 @@ async fn post_access_file(
     mut conn: DbConn,
     nt: Notify<'_>,
 ) -> JsonResult {
-    let mut send = match Send::find_by_uuid(send_id, &mut conn).await {
-        Some(s) => s,
-        None => err_code!(SEND_INACCESSIBLE_MSG, 404),
+    let Some(mut send) = Send::find_by_uuid(send_id, &mut conn).await else {
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
     };
 
     if let Some(max_access_count) = send.max_access_count {
@@ -582,16 +566,15 @@ async fn download_send(send_id: SafeString, file_id: SafeString, t: &str) -> Opt
     None
 }
 
-#[put("/sends/<id>", data = "<data>")]
-async fn put_send(id: &str, data: Json<SendData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> JsonResult {
+#[put("/sends/<uuid>", data = "<data>")]
+async fn put_send(uuid: &str, data: Json<SendData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> JsonResult {
     enforce_disable_send_policy(&headers, &mut conn).await?;
 
     let data: SendData = data.into_inner();
     enforce_disable_hide_email_policy(&data, &headers, &mut conn).await?;
 
-    let mut send = match Send::find_by_uuid(id, &mut conn).await {
-        Some(s) => s,
-        None => err!("Send not found"),
+    let Some(mut send) = Send::find_by_uuid_and_user(uuid, &headers.user.uuid, &mut conn).await else {
+        err!("Send not found", "Send uuid is invalid or does not belong to user")
     };
 
     update_send_from_data(&mut send, data, &headers, &mut conn, &nt, UpdateType::SyncSendUpdate).await?;
@@ -657,17 +640,12 @@ pub async fn update_send_from_data(
     Ok(())
 }
 
-#[delete("/sends/<id>")]
-async fn delete_send(id: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    let send = match Send::find_by_uuid(id, &mut conn).await {
-        Some(s) => s,
-        None => err!("Send not found"),
+#[delete("/sends/<uuid>")]
+async fn delete_send(uuid: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    let Some(send) = Send::find_by_uuid_and_user(uuid, &headers.user.uuid, &mut conn).await else {
+        err!("Send not found", "Invalid send uuid, or does not belong to user")
     };
 
-    if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
-        err!("Send is not owned by user")
-    }
-
     send.delete(&mut conn).await?;
     nt.send_send_update(
         UpdateType::SyncSendDelete,
@@ -681,19 +659,14 @@ async fn delete_send(id: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_
     Ok(())
 }
 
-#[put("/sends/<id>/remove-password")]
-async fn put_remove_password(id: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> JsonResult {
+#[put("/sends/<uuid>/remove-password")]
+async fn put_remove_password(uuid: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> JsonResult {
     enforce_disable_send_policy(&headers, &mut conn).await?;
 
-    let mut send = match Send::find_by_uuid(id, &mut conn).await {
-        Some(s) => s,
-        None => err!("Send not found"),
+    let Some(mut send) = Send::find_by_uuid_and_user(uuid, &headers.user.uuid, &mut conn).await else {
+        err!("Send not found", "Invalid send uuid, or does not belong to user")
     };
 
-    if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
-        err!("Send is not owned by user")
-    }
-
     send.set_password(None);
     send.save(&mut conn).await?;
     nt.send_send_update(

src/api/core/two_factor/authenticator.rs

@@ -117,9 +117,8 @@ pub async fn validate_totp_code(
 ) -> EmptyResult {
     use totp_lite::{totp_custom, Sha1};
 
-    let decoded_secret = match BASE32.decode(secret.as_bytes()) {
-        Ok(s) => s,
-        Err(_) => err!("Invalid TOTP secret"),
+    let Ok(decoded_secret) = BASE32.decode(secret.as_bytes()) else {
+        err!("Invalid TOTP secret")
     };
 
     let mut twofactor =

src/api/core/two_factor/duo.rs

@@ -232,9 +232,8 @@ async fn get_user_duo_data(uuid: &str, conn: &mut DbConn) -> DuoStatus {
     let type_ = TwoFactorType::Duo as i32;
 
     // If the user doesn't have an entry, disabled
-    let twofactor = match TwoFactor::find_by_user_and_type(uuid, type_, conn).await {
-        Some(t) => t,
-        None => return DuoStatus::Disabled(DuoData::global().is_some()),
+    let Some(twofactor) = TwoFactor::find_by_user_and_type(uuid, type_, conn).await else {
+        return DuoStatus::Disabled(DuoData::global().is_some());
     };
 
     // If the user has the required values, we use those
@@ -333,14 +332,12 @@ fn parse_duo_values(key: &str, val: &str, ikey: &str, prefix: &str, time: i64) -
         err!("Prefixes don't match")
     }
 
-    let cookie_vec = match BASE64.decode(u_b64.as_bytes()) {
-        Ok(c) => c,
-        Err(_) => err!("Invalid Duo cookie encoding"),
+    let Ok(cookie_vec) = BASE64.decode(u_b64.as_bytes()) else {
+        err!("Invalid Duo cookie encoding")
     };
 
-    let cookie = match String::from_utf8(cookie_vec) {
-        Ok(c) => c,
-        Err(_) => err!("Invalid Duo cookie encoding"),
+    let Ok(cookie) = String::from_utf8(cookie_vec) else {
+        err!("Invalid Duo cookie encoding")
     };
 
     let cookie_split: Vec<&str> = cookie.split('|').collect();

src/api/core/two_factor/duo_oidc.rs

@@ -211,10 +211,7 @@ impl DuoClient {
             nonce,
         };
 
-        let token = match self.encode_duo_jwt(jwt_payload) {
-            Ok(token) => token,
-            Err(e) => return Err(e),
-        };
+        let token = self.encode_duo_jwt(jwt_payload)?;
 
         let authz_endpoint = format!("https://{}/oauth/v1/authorize", self.api_host);
         let mut auth_url = match Url::parse(authz_endpoint.as_str()) {

src/api/core/two_factor/email.rs

@@ -40,9 +40,8 @@ async fn send_email_login(data: Json<SendEmailLoginData>, mut conn: DbConn) -> E
     use crate::db::models::User;
 
     // Get the user
-    let user = match User::find_by_mail(&data.email, &mut conn).await {
-        Some(user) => user,
-        None => err!("Username or password is incorrect. Try again."),
+    let Some(user) = User::find_by_mail(&data.email, &mut conn).await else {
+        err!("Username or password is incorrect. Try again.")
     };
 
     // Check password
@@ -174,9 +173,8 @@ async fn email(data: Json<EmailData>, headers: Headers, mut conn: DbConn) -> Jso
 
     let mut email_data = EmailTokenData::from_json(&twofactor.data)?;
 
-    let issued_token = match &email_data.last_token {
-        Some(t) => t,
-        _ => err!("No token available"),
+    let Some(issued_token) = &email_data.last_token else {
+        err!("No token available")
     };
 
     if !crypto::ct_eq(issued_token, data.token) {
@@ -205,14 +203,13 @@ pub async fn validate_email_code_str(user_uuid: &str, token: &str, data: &str, c
     let mut twofactor = TwoFactor::find_by_user_and_type(user_uuid, TwoFactorType::Email as i32, conn)
         .await
         .map_res("Two factor not found")?;
-    let issued_token = match &email_data.last_token {
-        Some(t) => t,
-        _ => err!(
+    let Some(issued_token) = &email_data.last_token else {
+        err!(
             "No token available",
             ErrorEvent {
                 event: EventType::UserFailedLogIn2fa
             }
-        ),
+        )
     };
 
     if !crypto::ct_eq(issued_token, token) {

src/api/core/two_factor/mod.rs

@@ -85,9 +85,8 @@ async fn recover(data: Json<RecoverTwoFactor>, client_headers: ClientHeaders, mu
     use crate::db::models::User;
 
     // Get the user
-    let mut user = match User::find_by_mail(&data.email, &mut conn).await {
-        Some(user) => user,
-        None => err!("Username or password is incorrect. Try again."),
+    let Some(mut user) = User::find_by_mail(&data.email, &mut conn).await else {
+        err!("Username or password is incorrect. Try again.")
     };
 
     // Check password