only validate SMTP_FROM if necessary (#5442)

* Security fixes for admin and sendmail

Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions.
This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers.

By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used.
This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`.

Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies.

Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Fix security issue with organizationId validation

Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks.
This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead.

This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions.

Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Update server version in config endpoint

Updated the server version reported to the clients to `2025.1.0`.
This should make Vaultwarden future proof for the newer clients released by Bitwarden.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Fix and adjust build workflow

The build workflow had an issue with some `if` checks.
For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls.
Using `!cancelled()` is the preferred way.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Update crates

Signed-off-by: BlackDex <black.dex@gmail.com>

* Allow sendmail to be configurable

This reverts a previous change which removed the sendmail to be configurable.
We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface.

Signed-off-by: BlackDex <black.dex@gmail.com>

* Add more org_id checks

Added more org_id checks at all functions which use the org_id in there path.

Signed-off-by: BlackDex <black.dex@gmail.com>

---------

Signed-off-by: BlackDex <black.dex@gmail.com>

.dockerignore

@@ -5,6 +5,7 @@
 !.git
 !docker/healthcheck.sh
 !docker/start.sh
+!macros
 !migrations
 !src
 

.env.template

@@ -280,12 +280,13 @@
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000
 
-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true
 
 ## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
-## as this provides unauthenticated access to potentially sensitive data.
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 
 #########################
@@ -349,6 +350,9 @@
 ## - "browser-fileless-import": Directly import credentials from other providers without a file.
 ## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
 ## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 
 ## Require new device emails. When a user logs in an email is required to be sent.
@@ -407,6 +411,14 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 
+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+# ALLOWED_CONNECT_SRC=""
+
 ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
 # LOGIN_RATELIMIT_SECONDS=60
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.

.github/workflows/build.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: "Checkout"
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
       # End Checkout the repo
 
 
@@ -75,7 +75,7 @@ jobs:
 
       # Only install the clippy and rustfmt components on the default rust-toolchain
       - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
         if: ${{ matrix.channel == 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -85,7 +85,7 @@ jobs:
 
       # Install the any other channel to be used for which we do not execute clippy and rustfmt
       - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
         if: ${{ matrix.channel != 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -107,7 +107,8 @@ jobs:
       # End Show environment
 
       # Enable Rust Caching
-      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
+      - name: Rust Caching
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
         with:
           # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
           # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -117,33 +118,39 @@ jobs:
 
       # Run cargo tests
       # First test all features together, afterwards test them separately.
+      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc,query_logger"
+        id: test_sqlite_mysql_postgresql_mimalloc_logger
+        if: ${{ !cancelled() }}
+        run: |
+          cargo test --features sqlite,mysql,postgresql,enable_mimalloc,query_logger
+
       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
         id: test_sqlite_mysql_postgresql_mimalloc
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
         run: |
           cargo test --features sqlite,mysql,postgresql,enable_mimalloc
 
       - name: "test features: sqlite,mysql,postgresql"
         id: test_sqlite_mysql_postgresql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
         run: |
           cargo test --features sqlite,mysql,postgresql
 
       - name: "test features: sqlite"
         id: test_sqlite
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
         run: |
           cargo test --features sqlite
 
       - name: "test features: mysql"
         id: test_mysql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
         run: |
           cargo test --features mysql
 
       - name: "test features: postgresql"
         id: test_postgresql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
         run: |
           cargo test --features postgresql
       # End Run cargo tests
@@ -152,7 +159,7 @@ jobs:
       # Run cargo clippy, and fail on warnings
       - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
         id: clippy
-        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
         run: |
           cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
       # End Run cargo clippy
@@ -161,7 +168,7 @@ jobs:
       # Run cargo fmt (Only run on rust-toolchain defined version)
       - name: "check formatting"
         id: formatting
-        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
         run: |
           cargo fmt --all -- --check
       # End Run cargo fmt
@@ -176,6 +183,7 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
           echo "|---|------|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }}|" >> $GITHUB_STEP_SUMMARY
           echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
           echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
           echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY

.github/workflows/hadolint.yml

@@ -13,12 +13,12 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
       # End Checkout the repo
 
       # Start Docker Buildx
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         # https://github.com/moby/buildkit/issues/3969
         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
         with:

.github/workflows/release.yml

@@ -27,11 +27,16 @@ jobs:
         if: ${{ github.ref_type == 'branch' }}
 
   docker-build:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
     runs-on: ubuntu-24.04
     timeout-minutes: 120
     needs: skip_check
     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
-    # Start a local docker registry to extract the final Alpine static build binaries
+    # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them
     services:
       registry:
         image: registry:2
@@ -58,18 +63,18 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
 
       - name: Initialize QEMU binfmt support
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
         with:
           platforms: "arm64,arm"
 
       # Start Docker Buildx
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         # https://github.com/moby/buildkit/issues/3969
         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
         with:
@@ -159,13 +164,13 @@ jobs:
           #
 
       - name: Add localhost registry
-        if: ${{ matrix.base_image == 'alpine' }}
         shell: bash
         run: |
           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
 
       - name: Bake ${{ matrix.base_image }} containers
-        uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0
+        id: bake_vw
+        uses: docker/bake-action@5ca506d06f70338a4968df87fd8bfee5cbfb84c7 # v6.0.0
         env:
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
@@ -175,16 +180,47 @@ jobs:
         with:
           pull: true
           push: true
+          source: .
           files: docker/docker-bake.hcl
           targets: "${{ matrix.base_image }}-multi"
           set: |
             *.cache-from=${{ env.BAKE_CACHE_FROM }}
             *.cache-to=${{ env.BAKE_CACHE_TO }}
 
+      - name: Extract digest SHA
+        shell: bash
+        run: |
+          GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< '${{ steps.bake_vw.outputs.metadata }}')"
+          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
+
+      # Attest container images
+      - name: Attest - docker.io - ${{ matrix.base_image }}
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-name: ${{ vars.DOCKERHUB_REPO }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
+      - name: Attest - ghcr.io - ${{ matrix.base_image }}
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-name: ${{ vars.GHCR_REPO }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
+      - name: Attest - quay.io - ${{ matrix.base_image }}
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-name: ${{ vars.QUAY_REPO }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
 
       # Extract the Alpine binaries from the containers
       - name: Extract binaries
-        if: ${{ matrix.base_image == 'alpine' }}
         shell: bash
         run: |
           # Check which main tag we are going to build determined by github.ref_type
@@ -194,59 +230,65 @@ jobs:
             EXTRACT_TAG="testing"
           fi
 
+          # Check which base_image was used and append -alpine if needed
+          if [[ "${{ matrix.base_image }}" == "alpine" ]]; then
+            EXTRACT_TAG="${EXTRACT_TAG}-alpine"
+          fi
+
           # After each extraction the image is removed.
           # This is needed because using different platforms doesn't trigger a new pull/download
 
           # Extract amd64 binary
-          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp amd64:/vaultwarden vaultwarden-amd64
+          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp amd64:/vaultwarden vaultwarden-amd64-${{ matrix.base_image }}
           docker rm --force amd64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
 
           # Extract arm64 binary
-          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp arm64:/vaultwarden vaultwarden-arm64
+          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp arm64:/vaultwarden vaultwarden-arm64-${{ matrix.base_image }}
           docker rm --force arm64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
 
           # Extract armv7 binary
-          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp armv7:/vaultwarden vaultwarden-armv7
+          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp armv7:/vaultwarden vaultwarden-armv7-${{ matrix.base_image }}
           docker rm --force armv7
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
 
           # Extract armv6 binary
-          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp armv6:/vaultwarden vaultwarden-armv6
+          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp armv6:/vaultwarden vaultwarden-armv6-${{ matrix.base_image }}
           docker rm --force armv6
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
 
-      # Upload artifacts to Github Actions
-      - name: "Upload amd64 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      # Upload artifacts to Github Actions and Attest the binaries
+      - name: "Upload amd64 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
         with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
-          path: vaultwarden-amd64
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64-${{ matrix.base_image }}
+          path: vaultwarden-amd64-${{ matrix.base_image }}
 
-      - name: "Upload arm64 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      - name: "Upload arm64 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
         with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
-          path: vaultwarden-arm64
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64-${{ matrix.base_image }}
+          path: vaultwarden-arm64-${{ matrix.base_image }}
 
-      - name: "Upload armv7 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      - name: "Upload armv7 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
         with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
-          path: vaultwarden-armv7
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7-${{ matrix.base_image }}
+          path: vaultwarden-armv7-${{ matrix.base_image }}
 
-      - name: "Upload armv6 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      - name: "Upload armv6 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
         with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
-          path: vaultwarden-armv6
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6-${{ matrix.base_image }}
+          path: vaultwarden-armv6-${{ matrix.base_image }}
+
+      - name: "Attest artifacts ${{ matrix.base_image }}"
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-path: vaultwarden-*
       # End Upload artifacts to Github Actions

.github/workflows/trivy.yml

@@ -28,10 +28,13 @@ jobs:
       actions: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        env:
+          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
         with:
           scan-type: repo
           ignore-unfixed: true
@@ -40,6 +43,6 @@ jobs:
           severity: CRITICAL,HIGH
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # v3.26.6
+        uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.5
         with:
           sarif_file: 'trivy-results.sarif'

Cargo.toml

@@ -1,9 +1,11 @@
+workspace = { members = ["macros"] }
+
 [package]
 name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.80.0"
+rust-version = "1.83.0"
 resolver = "2"
 
 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -36,13 +38,15 @@ unstable = []
 
 [target."cfg(unix)".dependencies]
 # Logging
-syslog = "6.1.1"
+syslog = "7.0.0"
 
 [dependencies]
+macros = { path = "./macros" }
+
 # Logging
-log = "0.4.22"
-fern = { version = "0.7.0", features = ["syslog-6", "reopen-1"] }
-tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+log = "0.4.25"
+fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
+tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
 
 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
@@ -53,7 +57,7 @@ once_cell = "1.20.2"
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.6"
+bigdecimal = "0.4.7"
 
 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
@@ -67,16 +71,19 @@ dashmap = "6.1.0"
 
 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.41.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.43.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
 
 # A generic serialization/deserialization framework
-serde = { version = "1.0.214", features = ["derive"] }
-serde_json = "1.0.132"
+serde = { version = "1.0.217", features = ["derive"] }
+serde_json = "1.0.137"
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "2.2.4", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.2.6", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.2.0"
-diesel_logger = { version = "0.3.0", optional = true }
+diesel_logger = { version = "0.4.0", optional = true }
+
+derive_more = { version = "1.0.0", features = ["from", "into", "as_ref", "deref", "display"] }
+diesel-derive-newtype = "2.1.2"
 
 # Bundled/Static SQLite
 libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true }
@@ -86,18 +93,18 @@ rand = { version = "0.8.5", features = ["small_rng"] }
 ring = "0.17.8"
 
 # UUID generation
-uuid = { version = "1.11.0", features = ["v4"] }
+uuid = { version = "1.12.1", features = ["v4"] }
 
 # Date and time libraries
-chrono = { version = "0.4.38", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.10.0"
-time = "0.3.36"
+chrono = { version = "0.4.39", features = ["clock", "serde"], default-features = false }
+chrono-tz = "0.10.1"
+time = "0.3.37"
 
 # Job scheduler
 job_scheduler_ng = "2.0.5"
 
 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.6.0"
+data-encoding = "2.7.0"
 
 # JWT library
 jsonwebtoken = "9.3.0"
@@ -106,31 +113,31 @@ jsonwebtoken = "9.3.0"
 totp-lite = "2.0.1"
 
 # Yubico Library
-yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false }
+yubico = { version = "0.12.0", features = ["online-tokio"], default-features = false }
 
 # WebAuthn libraries
 webauthn-rs = "0.3.2"
 
 # Handling of URL's for WebAuthn and favicons
-url = "2.5.3"
+url = "2.5.4"
 
 # Email libraries
-lettre = { version = "0.11.10", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+lettre = { version = "0.11.11", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
 percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"
 
 # HTML Template library
-handlebars = { version = "6.2.0", features = ["dir_source"] }
+handlebars = { version = "6.3.0", features = ["dir_source"] }
 
 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.9", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
-hickory-resolver = "0.24.1"
+reqwest = { version = "0.12.12", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
+hickory-resolver = "0.24.2"
 
 # Favicon extraction libraries
-html5gum = "0.6.1"
+html5gum = "0.7.0"
 regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.1"
-bytes = "1.8.0"
+bytes = "1.9.0"
 
 # Cache function results (Used for version check and favicon fetching)
 cached = { version = "0.54.0", features = ["async"] }
@@ -147,15 +154,15 @@ pico-args = "0.5.0"
 
 # Macro ident concatenation
 paste = "1.0.15"
-governor = "0.7.0"
+governor = "0.8.0"
 
 # Check client versions for specific features.
-semver = "1.0.23"
+semver = "1.0.25"
 
 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
 mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true }
-which = "7.0.0"
+which = "7.0.1"
 
 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@@ -163,6 +170,13 @@ argon2 = "0.5.3"
 # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
 rpassword = "7.3.1"
 
+# Loading a dynamic CSS Stylesheet
+grass_compiler = { version = "0.13.4", default-features = false }
+
+[patch.crates-io]
+# Patch yubico to remove duplicate crates of older versions
+yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
+
 # Strip debuginfo from the release builds
 # The symbols are the provide better panic traces
 # Also enable fat LTO and use 1 codegen unit for optimizations
@@ -213,7 +227,8 @@ noop_method_call = "deny"
 refining_impl_trait = { level = "deny", priority = -1 }
 rust_2018_idioms = { level = "deny", priority = -1 }
 rust_2021_compatibility = { level = "deny", priority = -1 }
-# rust_2024_compatibility = { level = "deny", priority = -1 } # Enable once we are at MSRV 1.81.0
+rust_2024_compatibility = { level = "deny", priority = -1 }
+edition_2024_expr_fragment_specifier = "allow" # Once changed to Rust 2024 this should be removed and macro's should be validated again
 single_use_lifetimes = "deny"
 trivial_casts = "deny"
 trivial_numeric_casts = "deny"
@@ -222,9 +237,10 @@ unused_import_braces = "deny"
 unused_lifetimes = "deny"
 unused_qualifications = "deny"
 variant_size_differences = "deny"
-# The lints below are part of the rust_2024_compatibility group
-static-mut-refs = "deny"
-unsafe-op-in-unsafe-fn = "deny"
+# Allow the following lints since these cause issues with Rust v1.84.0 or newer
+# Building Vaultwarden with Rust v1.85.0 and edition 2024 also works without issues
+if_let_rescope = "allow"
+tail_expr_drop_order = "allow"
 
 # https://rust-lang.github.io/rust-clippy/stable/index.html
 [lints.clippy]

SECURITY.md

@@ -21,7 +21,7 @@ notify us. We welcome working with you to resolve the issue promptly. Thanks in
 The following bug classes are out-of scope:
 
 - Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues)
-- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
+- Bugs that are not part of Vaultwarden, like on the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
 - Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer
 - Attacks requiring physical access to a user's device
 - Issues related to software or protocols not under Vaultwarden's control

docker/DockerSettings.yaml

@@ -1,13 +1,13 @@
 ---
-vault_version: "v2024.6.2c"
-vault_image_digest: "sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b"
-# Cross Compile Docker Helper Scripts v1.5.0
+vault_version: "v2025.1.1"
+vault_image_digest: "sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918"
+# Cross Compile Docker Helper Scripts v1.6.1
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
-xx_image_digest: "sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa"
-rust_version: 1.82.0 # Rust version to be used
+xx_image_digest: "sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894"
+rust_version: 1.84.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
-alpine_version: "3.20" # Alpine version to be used
+alpine_version: "3.21" # Alpine version to be used
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch

docker/Dockerfile.alpine

@@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c
-#     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.1.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.1.1
+#     [docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b
-#     [docker.io/vaultwarden/web-vault:v2024.6.2c]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918
+#     [docker.io/vaultwarden/web-vault:v2025.1.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918 AS vault
 
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.82.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.82.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.82.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.82.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.84.0 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.84.0 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.84.0 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.84.0 AS build_armv6
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@@ -76,6 +76,7 @@ RUN source /env-cargo && \
 
 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
+COPY ./macros ./macros
 
 ARG CARGO_PROFILE=release
 
@@ -126,7 +127,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.20
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.21
 
 ENV ROCKET_PROFILE="release" \
     ROCKET_ADDRESS=0.0.0.0 \

docker/Dockerfile.debian

@@ -19,24 +19,24 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c
-#     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.1.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.1.1
+#     [docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b
-#     [docker.io/vaultwarden/web-vault:v2024.6.2c]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918
+#     [docker.io/vaultwarden/web-vault:v2025.1.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918 AS vault
 
 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
 ## And these bash scripts do not have any significant difference if at all
-FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa AS xx
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894 AS xx
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.82.0-slim-bookworm AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.84.0-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -116,6 +116,7 @@ RUN source /env-cargo && \
 
 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
+COPY ./macros ./macros
 
 ARG CARGO_PROFILE=release
 

docker/Dockerfile.j2

@@ -143,6 +143,7 @@ RUN source /env-cargo && \
 
 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
+COPY ./macros ./macros
 
 ARG CARGO_PROFILE=release
 

docker/README.md

@@ -46,7 +46,7 @@ There also is an option to use an other docker container to provide support for
 ```bash
 # To install and activate
 docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
-# To unistall
+# To uninstall
 docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 ```
 

docker/docker-bake.hcl

@@ -17,7 +17,7 @@ variable "SOURCE_REPOSITORY_URL" {
   default = null
 }
 
-// The commit hash of of the current commit this build was triggered on
+// The commit hash of the current commit this build was triggered on
 variable "SOURCE_COMMIT" {
   default = null
 }

macros/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "macros"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+name = "macros"
+path = "src/lib.rs"
+proc-macro = true
+
+[dependencies]
+quote = "1.0.38"
+syn = "2.0.96"

macros/src/lib.rs

@@ -0,0 +1,58 @@
+extern crate proc_macro;
+
+use proc_macro::TokenStream;
+use quote::quote;
+
+#[proc_macro_derive(UuidFromParam)]
+pub fn derive_uuid_from_param(input: TokenStream) -> TokenStream {
+    let ast = syn::parse(input).unwrap();
+
+    impl_derive_uuid_macro(&ast)
+}
+
+fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {
+    let name = &ast.ident;
+    let gen = quote! {
+        #[automatically_derived]
+        impl<'r> rocket::request::FromParam<'r> for #name {
+            type Error = ();
+
+            #[inline(always)]
+            fn from_param(param: &'r str) -> Result<Self, Self::Error> {
+                if uuid::Uuid::parse_str(param).is_ok() {
+                    Ok(Self(param.to_string()))
+                } else {
+                    Err(())
+                }
+            }
+        }
+    };
+    gen.into()
+}
+
+#[proc_macro_derive(IdFromParam)]
+pub fn derive_id_from_param(input: TokenStream) -> TokenStream {
+    let ast = syn::parse(input).unwrap();
+
+    impl_derive_safestring_macro(&ast)
+}
+
+fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream {
+    let name = &ast.ident;
+    let gen = quote! {
+        #[automatically_derived]
+        impl<'r> rocket::request::FromParam<'r> for #name {
+            type Error = ();
+
+            #[inline(always)]
+            fn from_param(param: &'r str) -> Result<Self, Self::Error> {
+                if param.chars().all(|c| matches!(c, 'a'..='z' | 'A'..='Z' |'0'..='9' | '-')) {
+                    Ok(Self(param.to_string()))
+                } else {
+                    Err(())
+                }
+            }
+        }
+    };
+    gen.into()
+}

migrations/mysql/2025-01-09-172300_add_manage/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users_collections
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
+
+ALTER TABLE collections_groups
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;

migrations/postgresql/2025-01-09-172300_add_manage/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users_collections
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
+
+ALTER TABLE collections_groups
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;

migrations/sqlite/2025-01-09-172300_add_manage/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users_collections
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE
+
+ALTER TABLE collections_groups
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.82.0"
+channel = "1.84.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"

src/api/core/events.rs

@@ -8,7 +8,7 @@ use crate::{
     api::{EmptyResult, JsonResult},
     auth::{AdminHeaders, Headers},
     db::{
-        models::{Cipher, Event, UserOrganization},
+        models::{Cipher, CipherId, Event, Membership, MembershipId, OrganizationId, UserId},
         DbConn, DbPool,
     },
     util::parse_date,
@@ -31,7 +31,16 @@ struct EventRange {
 
 // Upstream: https://github.com/bitwarden/server/blob/9ecf69d9cabce732cf2c57976dd9afa5728578fb/src/Api/Controllers/EventsController.cs#LL84C35-L84C41
 #[get("/organizations/<org_id>/events?<data..>")]
-async fn get_org_events(org_id: &str, data: EventRange, _headers: AdminHeaders, mut conn: DbConn) -> JsonResult {
+async fn get_org_events(
+    org_id: OrganizationId,
+    data: EventRange,
+    headers: AdminHeaders,
+    mut conn: DbConn,
+) -> JsonResult {
+    if org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
+
     // Return an empty vec when we org events are disabled.
     // This prevents client errors
     let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
@@ -44,7 +53,7 @@ async fn get_org_events(org_id: &str, data: EventRange, _headers: AdminHeaders,
             parse_date(&data.end)
         };
 
-        Event::find_by_organization_uuid(org_id, &start_date, &end_date, &mut conn)
+        Event::find_by_organization_uuid(&org_id, &start_date, &end_date, &mut conn)
             .await
             .iter()
             .map(|e| e.to_json())
@@ -59,14 +68,14 @@ async fn get_org_events(org_id: &str, data: EventRange, _headers: AdminHeaders,
 }
 
 #[get("/ciphers/<cipher_id>/events?<data..>")]
-async fn get_cipher_events(cipher_id: &str, data: EventRange, headers: Headers, mut conn: DbConn) -> JsonResult {
+async fn get_cipher_events(cipher_id: CipherId, data: EventRange, headers: Headers, mut conn: DbConn) -> JsonResult {
     // Return an empty vec when we org events are disabled.
     // This prevents client errors
     let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
         Vec::with_capacity(0)
     } else {
         let mut events_json = Vec::with_capacity(0);
-        if UserOrganization::user_has_ge_admin_access_to_cipher(&headers.user.uuid, cipher_id, &mut conn).await {
+        if Membership::user_has_ge_admin_access_to_cipher(&headers.user.uuid, &cipher_id, &mut conn).await {
             let start_date = parse_date(&data.start);
             let end_date = if let Some(before_date) = &data.continuation_token {
                 parse_date(before_date)
@@ -74,7 +83,7 @@ async fn get_cipher_events(cipher_id: &str, data: EventRange, headers: Headers,
                 parse_date(&data.end)
             };
 
-            events_json = Event::find_by_cipher_uuid(cipher_id, &start_date, &end_date, &mut conn)
+            events_json = Event::find_by_cipher_uuid(&cipher_id, &start_date, &end_date, &mut conn)
                 .await
                 .iter()
                 .map(|e| e.to_json())
@@ -90,14 +99,17 @@ async fn get_cipher_events(cipher_id: &str, data: EventRange, headers: Headers,
     })))
 }
 
-#[get("/organizations/<org_id>/users/<user_org_id>/events?<data..>")]
+#[get("/organizations/<org_id>/users/<member_id>/events?<data..>")]
 async fn get_user_events(
-    org_id: &str,
-    user_org_id: &str,
+    org_id: OrganizationId,
+    member_id: MembershipId,
     data: EventRange,
-    _headers: AdminHeaders,
+    headers: AdminHeaders,
     mut conn: DbConn,
 ) -> JsonResult {
+    if org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
     // Return an empty vec when we org events are disabled.
     // This prevents client errors
     let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
@@ -110,7 +122,7 @@ async fn get_user_events(
             parse_date(&data.end)
         };
 
-        Event::find_by_org_and_user_org(org_id, user_org_id, &start_date, &end_date, &mut conn)
+        Event::find_by_org_and_member(&org_id, &member_id, &start_date, &end_date, &mut conn)
             .await
             .iter()
             .map(|e| e.to_json())
@@ -152,8 +164,8 @@ struct EventCollection {
     date: String,
 
     // Optional
-    cipher_id: Option<String>,
-    organization_id: Option<String>,
+    cipher_id: Option<CipherId>,
+    organization_id: Option<OrganizationId>,
 }
 
 // Upstream:
@@ -180,11 +192,11 @@ async fn post_events_collect(data: Json<Vec<EventCollection>>, headers: Headers,
                 .await;
             }
             1600..=1699 => {
-                if let Some(org_uuid) = &event.organization_id {
+                if let Some(org_id) = &event.organization_id {
                     _log_event(
                         event.r#type,
-                        org_uuid,
-                        org_uuid,
+                        org_id,
+                        org_id,
                         &headers.user.uuid,
                         headers.device.atype,
                         Some(event_date),
@@ -197,11 +209,11 @@ async fn post_events_collect(data: Json<Vec<EventCollection>>, headers: Headers,
             _ => {
                 if let Some(cipher_uuid) = &event.cipher_id {
                     if let Some(cipher) = Cipher::find_by_uuid(cipher_uuid, &mut conn).await {
-                        if let Some(org_uuid) = cipher.organization_uuid {
+                        if let Some(org_id) = cipher.organization_uuid {
                             _log_event(
                                 event.r#type,
                                 cipher_uuid,
-                                &org_uuid,
+                                &org_id,
                                 &headers.user.uuid,
                                 headers.device.atype,
                                 Some(event_date),
@@ -218,38 +230,38 @@ async fn post_events_collect(data: Json<Vec<EventCollection>>, headers: Headers,
     Ok(())
 }
 
-pub async fn log_user_event(event_type: i32, user_uuid: &str, device_type: i32, ip: &IpAddr, conn: &mut DbConn) {
+pub async fn log_user_event(event_type: i32, user_id: &UserId, device_type: i32, ip: &IpAddr, conn: &mut DbConn) {
     if !CONFIG.org_events_enabled() {
         return;
     }
-    _log_user_event(event_type, user_uuid, device_type, None, ip, conn).await;
+    _log_user_event(event_type, user_id, device_type, None, ip, conn).await;
 }
 
 async fn _log_user_event(
     event_type: i32,
-    user_uuid: &str,
+    user_id: &UserId,
     device_type: i32,
     event_date: Option<NaiveDateTime>,
     ip: &IpAddr,
     conn: &mut DbConn,
 ) {
-    let orgs = UserOrganization::get_org_uuid_by_user(user_uuid, conn).await;
+    let orgs = Membership::get_orgs_by_user(user_id, conn).await;
     let mut events: Vec<Event> = Vec::with_capacity(orgs.len() + 1); // We need an event per org and one without an org
 
-    // Upstream saves the event also without any org_uuid.
+    // Upstream saves the event also without any org_id.
     let mut event = Event::new(event_type, event_date);
-    event.user_uuid = Some(String::from(user_uuid));
-    event.act_user_uuid = Some(String::from(user_uuid));
+    event.user_uuid = Some(user_id.clone());
+    event.act_user_uuid = Some(user_id.clone());
     event.device_type = Some(device_type);
     event.ip_address = Some(ip.to_string());
     events.push(event);
 
     // For each org a user is a member of store these events per org
-    for org_uuid in orgs {
+    for org_id in orgs {
         let mut event = Event::new(event_type, event_date);
-        event.user_uuid = Some(String::from(user_uuid));
-        event.org_uuid = Some(org_uuid);
-        event.act_user_uuid = Some(String::from(user_uuid));
+        event.user_uuid = Some(user_id.clone());
+        event.org_uuid = Some(org_id);
+        event.act_user_uuid = Some(user_id.clone());
         event.device_type = Some(device_type);
         event.ip_address = Some(ip.to_string());
         events.push(event);
@@ -261,8 +273,8 @@ async fn _log_user_event(
 pub async fn log_event(
     event_type: i32,
     source_uuid: &str,
-    org_uuid: &str,
-    act_user_uuid: &str,
+    org_id: &OrganizationId,
+    act_user_id: &UserId,
     device_type: i32,
     ip: &IpAddr,
     conn: &mut DbConn,
@@ -270,15 +282,15 @@ pub async fn log_event(
     if !CONFIG.org_events_enabled() {
         return;
     }
-    _log_event(event_type, source_uuid, org_uuid, act_user_uuid, device_type, None, ip, conn).await;
+    _log_event(event_type, source_uuid, org_id, act_user_id, device_type, None, ip, conn).await;
 }
 
 #[allow(clippy::too_many_arguments)]
 async fn _log_event(
     event_type: i32,
     source_uuid: &str,
-    org_uuid: &str,
-    act_user_uuid: &str,
+    org_id: &OrganizationId,
+    act_user_id: &UserId,
     device_type: i32,
     event_date: Option<NaiveDateTime>,
     ip: &IpAddr,
@@ -290,31 +302,31 @@ async fn _log_event(
         // 1000..=1099 Are user events, they need to be logged via log_user_event()
         // Cipher Events
         1100..=1199 => {
-            event.cipher_uuid = Some(String::from(source_uuid));
+            event.cipher_uuid = Some(source_uuid.to_string().into());
         }
         // Collection Events
         1300..=1399 => {
-            event.collection_uuid = Some(String::from(source_uuid));
+            event.collection_uuid = Some(source_uuid.to_string().into());
         }
         // Group Events
         1400..=1499 => {
-            event.group_uuid = Some(String::from(source_uuid));
+            event.group_uuid = Some(source_uuid.to_string().into());
         }
         // Org User Events
         1500..=1599 => {
-            event.org_user_uuid = Some(String::from(source_uuid));
+            event.org_user_uuid = Some(source_uuid.to_string().into());
         }
         // 1600..=1699 Are organizational events, and they do not need the source_uuid
         // Policy Events
         1700..=1799 => {
-            event.policy_uuid = Some(String::from(source_uuid));
+            event.policy_uuid = Some(source_uuid.to_string().into());
         }
         // Ignore others
         _ => {}
     }
 
-    event.org_uuid = Some(String::from(org_uuid));
-    event.act_user_uuid = Some(String::from(act_user_uuid));
+    event.org_uuid = Some(org_id.clone());
+    event.act_user_uuid = Some(act_user_id.clone());
     event.device_type = Some(device_type);
     event.ip_address = Some(ip.to_string());
     event.save(conn).await.unwrap_or(());

src/api/core/folders.rs

@@ -23,25 +23,19 @@ async fn get_folders(headers: Headers, mut conn: DbConn) -> Json<Value> {
     }))
 }
 
-#[get("/folders/<uuid>")]
-async fn get_folder(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
-    let folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
-    };
-
-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
+#[get("/folders/<folder_id>")]
+async fn get_folder(folder_id: FolderId, headers: Headers, mut conn: DbConn) -> JsonResult {
+    match Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &mut conn).await {
+        Some(folder) => Ok(Json(folder.to_json())),
+        _ => err!("Invalid folder", "Folder does not exist or belongs to another user"),
     }
-
-    Ok(Json(folder.to_json()))
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct FolderData {
     pub name: String,
-    pub id: Option<String>,
+    pub id: Option<FolderId>,
 }
 
 #[post("/folders", data = "<data>")]
@@ -56,14 +50,20 @@ async fn post_folders(data: Json<FolderData>, headers: Headers, mut conn: DbConn
     Ok(Json(folder.to_json()))
 }
 
-#[post("/folders/<uuid>", data = "<data>")]
-async fn post_folder(uuid: &str, data: Json<FolderData>, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
-    put_folder(uuid, data, headers, conn, nt).await
+#[post("/folders/<folder_id>", data = "<data>")]
+async fn post_folder(
+    folder_id: FolderId,
+    data: Json<FolderData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> JsonResult {
+    put_folder(folder_id, data, headers, conn, nt).await
 }
 
-#[put("/folders/<uuid>", data = "<data>")]
+#[put("/folders/<folder_id>", data = "<data>")]
 async fn put_folder(
-    uuid: &str,
+    folder_id: FolderId,
     data: Json<FolderData>,
     headers: Headers,
     mut conn: DbConn,
@@ -71,15 +71,10 @@ async fn put_folder(
 ) -> JsonResult {
     let data: FolderData = data.into_inner();
 
-    let mut folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
+    let Some(mut folder) = Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &mut conn).await else {
+        err!("Invalid folder", "Folder does not exist or belongs to another user")
     };
 
-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
-    }
-
     folder.name = data.name;
 
     folder.save(&mut conn).await?;
@@ -88,22 +83,17 @@ async fn put_folder(
     Ok(Json(folder.to_json()))
 }
 
-#[post("/folders/<uuid>/delete")]
-async fn delete_folder_post(uuid: &str, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    delete_folder(uuid, headers, conn, nt).await
+#[post("/folders/<folder_id>/delete")]
+async fn delete_folder_post(folder_id: FolderId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    delete_folder(folder_id, headers, conn, nt).await
 }
 
-#[delete("/folders/<uuid>")]
-async fn delete_folder(uuid: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    let folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
+#[delete("/folders/<folder_id>")]
+async fn delete_folder(folder_id: FolderId, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    let Some(folder) = Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &mut conn).await else {
+        err!("Invalid folder", "Folder does not exist or belongs to another user")
     };
 
-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
-    }
-
     // Delete the actual folder entry
     folder.delete(&mut conn).await?;