Updated .env template

Fixed purging organization vault

.dockerignore

@@ -9,10 +9,6 @@ data
 .idea
 *.iml
 
-# Git files
-.git
-.gitignore
-
 # Documentation
 *.md
 

.env.template

@@ -10,6 +10,12 @@
 # ICON_CACHE_FOLDER=data/icon_cache
 # ATTACHMENTS_FOLDER=data/attachments
 
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=/path/to/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
 ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
@@ -19,6 +25,9 @@
 # WEB_VAULT_FOLDER=web-vault/
 # WEB_VAULT_ENABLED=true
 
+## Enables websocket notifications
+# WEBSOCKET_ENABLED=false
+
 ## Controls the WebSocket server address and port
 # WEBSOCKET_ADDRESS=0.0.0.0
 # WEBSOCKET_PORT=3012
@@ -26,7 +35,7 @@
 ## Enable extended logging
 ## This shows timestamps and allows logging to file and to syslog
 ### To enable logging to file, use the LOG_FILE env variable
-### To enable syslog, you need to compile with `cargo build --features=enable_syslog'
+### To enable syslog, use the USE_SYSLOG env variable
 # EXTENDED_LOGGING=true
 
 ## Logging to file
@@ -34,11 +43,45 @@
 ## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # LOG_FILE=/path/to/log
 
-## Use a local favicon extractor
-## Set to false to use bitwarden's official icon servers
-## Set to true to use the local version, which is not as smart,
-##   but it doesn't send the cipher domains to bitwarden's servers
-# LOCAL_ICON_EXTRACTOR=false
+## Logging to Syslog
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# USE_SYSLOG=false
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## This requires extended logging
+# LOG_LEVEL=Info
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents bitwarden_rs from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render  the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Disable icon downloading
+## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
+## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+## otherwise it will delete them and they won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Icon blacklist Regex
+## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+# ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
+
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
 
 ## Controls if new users can register
 # SIGNUPS_ALLOWED=true
@@ -47,6 +90,7 @@
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+# DISABLE_ADMIN_TOKEN=false
 
 ## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
@@ -60,7 +104,8 @@
 
 ## Domain settings
 ## The domain must match the address from where you access the server
-## Unless you are using U2F, or having problems with attachments not downloading, there is no need to change this
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
 ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
 # DOMAIN=https://bw.domain.tld:8443
 
@@ -72,6 +117,17 @@
 # YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
 # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
 
+## Duo Settings
+## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=<Integration Key>
+# DUO_SKEY=<Secret Key>
+# DUO_HOST=<API Hostname>
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+
 ## Rocket specific settings, check Rocket documentation to learn more
 # ROCKET_ENV=staging
 # ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
@@ -79,10 +135,12 @@
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
 
 ## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
 ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
 # SMTP_HOST=smtp.domain.tld
 # SMTP_FROM=bitwarden-rs@domain.tld
+# SMTP_FROM_NAME=Bitwarden_RS
 # SMTP_PORT=587
 # SMTP_SSL=true
 # SMTP_USERNAME=username
-# SMTP_PASSWORD=password
+# SMTP_PASSWORD=password

.travis.yml

@@ -1,9 +1,9 @@
-# Copied from Rocket's .travis.yml
+dist: xenial
+
 language: rust
-sudo: required # so we get a VM with higher specs
-dist: trusty # so we get a VM with higher specs
+rust: nightly
 cache: cargo
-rust:
-- nightly
-script:
-- cargo build --verbose --all-features
+
+# Nothing to install
+install: true
+script: cargo build --all-features

Cargo.toml

@@ -11,9 +11,11 @@ publish = false
 build = "build.rs"
 
 [features]
-default = ["enable_yubikey"]
-enable_syslog = ["syslog", "fern/syslog-4"]
-enable_yubikey = ["yubico"]
+# Empty to keep compatibility, prefer to set USE_SYSLOG=true
+enable_syslog = []
+
+[target."cfg(not(windows))".dependencies]
+syslog = "4.0.1"
 
 [dependencies]
 # Web framework for nightly with a focus on ease-of-use, expressibility, and speed.
@@ -21,42 +23,41 @@ rocket = { version = "0.4.0", features = ["tls"], default-features = false }
 rocket_contrib = "0.4.0"
 
 # HTTP client
-reqwest = "0.9.6"
+reqwest = "0.9.15"
 
 # multipart/form-data support
-multipart = "0.15.4"
+multipart = { version = "0.16.1", features = ["server"], default-features = false }
 
 # WebSockets library
-ws = "0.7.9"
+ws = "0.8.0"
 
 # MessagePack library
 rmpv = "0.4.0"
 
 # Concurrent hashmap implementation
-chashmap = "2.2.0"
+chashmap = "2.2.2"
 
 # A generic serialization/deserialization framework
-serde = "1.0.84"
-serde_derive = "1.0.84"
-serde_json = "1.0.34"
+serde = "1.0.90"
+serde_derive = "1.0.90"
+serde_json = "1.0.39"
 
 # Logging
 log = "0.4.6"
-fern = "0.5.7"
-syslog = { version = "4.0.1", optional = true }
+fern = { version = "0.5.8", features = ["syslog-4"] }
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "1.3.3", features = ["sqlite", "chrono", "r2d2"] }
-diesel_migrations = { version = "1.3.0", features = ["sqlite"] }
+diesel = { version = "1.4.2", features = ["sqlite", "chrono", "r2d2"] }
+diesel_migrations = { version = "1.4.0", features = ["sqlite"] }
 
 # Bundled SQLite
-libsqlite3-sys = { version = "0.9.3", features = ["bundled"] }
+libsqlite3-sys = { version = "0.12.0", features = ["bundled"] }
 
 # Crypto library
 ring = { version = "0.13.5", features = ["rsa_signing"] }
 
 # UUID generation
-uuid = { version = "0.7.1", features = ["v4"] }
+uuid = { version = "0.7.4", features = ["v4"] }
 
 # Date and time library for Rust
 chrono = "0.4.6"
@@ -74,36 +75,34 @@ jsonwebtoken = "5.0.1"
 u2f = "0.1.4"
 
 # Yubico Library
-yubico = { version = "=0.4.0", features = ["online"], default-features = false, optional = true }
+yubico = { version = "0.5.1", features = ["online"], default-features = false }
 
 # A `dotenv` implementation for Rust
 dotenv = { version = "0.13.0", default-features = false }
 
 # Lazy static macro
-lazy_static = { version = "1.2.0", features = ["nightly"] }
+lazy_static = "1.3.0"
 
 # More derives
-derive_more = "0.13.0"
+derive_more = "0.14.0"
 
 # Numerical libraries
 num-traits = "0.2.6"
-num-derive = "0.2.3"
+num-derive = "0.2.5"
 
 # Email libraries
 lettre = "0.9.0"
 lettre_email = "0.9.0"
 native-tls = "0.2.2"
+quoted_printable = "0.4.0"
 
-# Number encoding library
-byteorder = "1.2.7"
+# Template library
+handlebars = "1.1.0"
+
+# For favicon extraction from main website
+soup = "0.3.0"
+regex = "1.1.6"
 
 [patch.crates-io]
 # Add support for Timestamp type
 rmp = { git = 'https://github.com/dani-garcia/msgpack-rust' }
-
-# Use new native_tls version 0.2
-lettre = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
-lettre_email = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
-
-# Allows optional libusb support
-yubico = { git = 'https://github.com/dani-garcia/yubico-rs' }

Dockerfile

@@ -4,7 +4,7 @@
 ####################### VAULT BUILD IMAGE  #######################
 FROM alpine as vault
 
-ENV VAULT_VERSION "v2.8.0b"
+ENV VAULT_VERSION "v2.10.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 

Dockerfile.aarch64

@@ -4,7 +4,7 @@
 ####################### VAULT BUILD IMAGE  #######################
 FROM alpine as vault
 
-ENV VAULT_VERSION "v2.8.0b"
+ENV VAULT_VERSION "v2.10.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -55,8 +55,7 @@ COPY . .
 
 # Build
 RUN rustup target add aarch64-unknown-linux-gnu
-# TODO: Enable yubico when #262 is fixed
-RUN cargo build --release --target=aarch64-unknown-linux-gnu -v --no-default-features
+RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image

Dockerfile.alpine

@@ -4,7 +4,7 @@
 ####################### VAULT BUILD IMAGE  #######################
 FROM alpine as vault
 
-ENV VAULT_VERSION "v2.8.0b"
+ENV VAULT_VERSION "v2.10.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 

Dockerfile.armv6

@@ -0,0 +1,93 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine as vault
+
+ENV VAULT_VERSION "v2.10.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --update-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust as build
+
+RUN apt-get update \
+    && apt-get install -y \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armel libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        libssl-dev:armel \
+        libc6-dev:armel
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add arm-unknown-linux-gnueabi
+RUN cargo build --release --target=arm-unknown-linux-gnueabi -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y\
+    openssl\
+    ca-certificates\
+    --no-install-recommends\
+ && ln -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3\
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ./bitwarden_rs

Dockerfile.armv7

@@ -4,7 +4,7 @@
 ####################### VAULT BUILD IMAGE  #######################
 FROM alpine as vault
 
-ENV VAULT_VERSION "v2.8.0b"
+ENV VAULT_VERSION "v2.10.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 

README.md

@@ -11,7 +11,9 @@
 
 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/bitwarden_rs).
 
-_*Note, that this project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC._
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any Bitwarden related bug-reports or suggestions [here](https://github.com/dani-garcia/bitwarden_rs/issues/new), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
 
 ---
 

azure-pipelines.yml

@@ -0,0 +1,17 @@
+pool:
+  vmImage: 'Ubuntu-16.04'
+
+steps:
+- script: |
+    ls -la
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain)
+    echo "##vso[task.prependpath]$HOME/.cargo/bin"
+  displayName: 'Install Rust'
+
+- script: |
+    rustc -Vv
+    cargo -V
+  displayName: Query rust and cargo versions
+
+- script : cargo build --all-features
+  displayName: 'Build project'

build.rs

@@ -1,11 +1,15 @@
 use std::process::Command;
 
 fn main() {
-    read_git_info().expect("Unable to read Git info");
+    read_git_info().ok();
 }
 
 fn run(args: &[&str]) -> Result<String, std::io::Error> {
     let out = Command::new(args[0]).args(&args[1..]).output()?;
+    if !out.status.success() {
+        use std::io::{Error, ErrorKind};
+        return Err(Error::new(ErrorKind::Other, "Command not successful"));
+    }
     Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
 }
 
@@ -13,8 +17,10 @@ fn run(args: &[&str]) -> Result<String, std::io::Error> {
 fn read_git_info() -> Result<(), std::io::Error> {
     // The exact tag for the current commit, can be empty when
     // the current commit doesn't have an associated tag
-    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"])?;
-    println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact_tag);
+    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok();
+    if let Some(ref exact) = exact_tag {
+        println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact);
+    }
 
     // The last available tag, equal to exact_tag when
     // the current commit is tagged
@@ -27,13 +33,25 @@ fn read_git_info() -> Result<(), std::io::Error> {
 
     // The current git commit hash
     let rev = run(&["git", "rev-parse", "HEAD"])?;
-    let rev_short = rev.get(..12).unwrap_or_default();
+    let rev_short = rev.get(..8).unwrap_or_default();
     println!("cargo:rustc-env=GIT_REV={}", rev_short);
 
+    // Combined version
+    let version = if let Some(exact) = exact_tag {
+        exact
+    } else if &branch != "master" {
+        format!("{}-{} ({})", last_tag, rev_short, branch)
+    } else {
+        format!("{}-{}", last_tag, rev_short)
+    };
+    println!("cargo:rustc-env=GIT_VERSION={}", version);
+
     // To access these values, use:
     //    env!("GIT_EXACT_TAG")
     //    env!("GIT_LAST_TAG")
     //    env!("GIT_BRANCH")
     //    env!("GIT_REV")
+    //    env!("GIT_VERSION")
+
     Ok(())
 }

rust-toolchain

@@ -1 +1 @@
-nightly-2019-01-08
+nightly-2019-04-26

src/api/admin.rs

@@ -1,24 +1,160 @@
-use rocket_contrib::json::Json;
 use serde_json::Value;
 
-use crate::api::{JsonResult, JsonUpcase};
+use rocket::http::{Cookie, Cookies, SameSite};
+use rocket::request::{self, FlashMessage, Form, FromRequest, Request};
+use rocket::response::{content::Html, Flash, Redirect};
+use rocket::{Outcome, Route};
+use rocket_contrib::json::Json;
+
+use crate::api::{ApiResult, EmptyResult, JsonResult};
+use crate::auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp};
+use crate::config::ConfigBuilder;
+use crate::db::{models::*, DbConn};
+use crate::error::Error;
+use crate::mail;
 use crate::CONFIG;
 
-use crate::db::models::*;
-use crate::db::DbConn;
-use crate::mail;
-
-use rocket::request::{self, FromRequest, Request};
-use rocket::{Outcome, Route};
-
 pub fn routes() -> Vec<Route> {
-    routes![get_users, invite_user, delete_user]
+    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
+        return routes![admin_disabled];
+    }
+
+    routes![
+        admin_login,
+        get_users,
+        post_admin_login,
+        admin_page,
+        invite_user,
+        delete_user,
+        deauth_user,
+        update_revision_users,
+        post_config,
+        delete_config,
+    ]
+}
+
+#[get("/")]
+fn admin_disabled() -> &'static str {
+    "The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it"
+}
+
+const COOKIE_NAME: &str = "BWRS_ADMIN";
+const ADMIN_PATH: &str = "/admin";
+
+const BASE_TEMPLATE: &str = "admin/base";
+const VERSION: Option<&str> = option_env!("GIT_VERSION");
+
+#[get("/", rank = 2)]
+fn admin_login(flash: Option<FlashMessage>) -> ApiResult<Html<String>> {
+    // If there is an error, show it
+    let msg = flash.map(|msg| format!("{}: {}", msg.name(), msg.msg()));
+    let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg});
+
+    // Return the page
+    let text = CONFIG.render_template(BASE_TEMPLATE, &json)?;
+    Ok(Html(text))
+}
+
+#[derive(FromForm)]
+struct LoginForm {
+    token: String,
+}
+
+#[post("/", data = "<data>")]
+fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -> Result<Redirect, Flash<Redirect>> {
+    let data = data.into_inner();
+
+    // If the token is invalid, redirect to login page
+    if !_validate_token(&data.token) {
+        error!("Invalid admin token. IP: {}", ip.ip);
+        Err(Flash::error(
+            Redirect::to(ADMIN_PATH),
+            "Invalid admin token, please try again.",
+        ))
+    } else {
+        // If the token received is valid, generate JWT and save it as a cookie
+        let claims = generate_admin_claims();
+        let jwt = encode_jwt(&claims);
+
+        let cookie = Cookie::build(COOKIE_NAME, jwt)
+            .path(ADMIN_PATH)
+            .max_age(chrono::Duration::minutes(20))
+            .same_site(SameSite::Strict)
+            .http_only(true)
+            .finish();
+
+        cookies.add(cookie);
+        Ok(Redirect::to(ADMIN_PATH))
+    }
+}
+
+fn _validate_token(token: &str) -> bool {
+    match CONFIG.admin_token().as_ref() {
+        None => false,
+        Some(t) => crate::crypto::ct_eq(t.trim(), token.trim()),
+    }
+}
+
+#[derive(Serialize)]
+struct AdminTemplateData {
+    page_content: String,
+    version: Option<&'static str>,
+    users: Vec<Value>,
+    config: Value,
+}
+
+impl AdminTemplateData {
+    fn new(users: Vec<Value>) -> Self {
+        Self {
+            page_content: String::from("admin/page"),
+            version: VERSION,
+            users,
+            config: CONFIG.prepare_json(),
+        }
+    }
+
+    fn render(self) -> Result<String, Error> {
+        CONFIG.render_template(BASE_TEMPLATE, &self)
+    }
+}
+
+#[get("/", rank = 1)]
+fn admin_page(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
+    let users = User::get_all(&conn);
+    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
+
+    let text = AdminTemplateData::new(users_json).render()?;
+    Ok(Html(text))
 }
 
 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
 struct InviteData {
-    Email: String,
+    email: String,
+}
+
+#[post("/invite", data = "<data>")]
+fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let data: InviteData = data.into_inner();
+    let email = data.email.clone();
+    if User::find_by_mail(&data.email, &conn).is_some() {
+        err!("User already exists")
+    }
+
+    if !CONFIG.invitations_allowed() {
+        err!("Invitations are not allowed")
+    }
+
+    let mut user = User::new(email);
+    user.save(&conn)?;
+
+    if CONFIG.mail_enabled() {
+        let org_name = "bitwarden_rs";
+        mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None)
+    } else {
+        let invitation = Invitation::new(data.email);
+        invitation.save(&conn)
+    }
 }
 
 #[get("/users")]
@@ -29,40 +165,43 @@ fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
     Ok(Json(Value::Array(users_json)))
 }
 
-#[post("/invite", data = "<data>")]
-fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -> JsonResult {
-    let data: InviteData = data.into_inner().data;
-    let email = data.Email.clone();
-    if User::find_by_mail(&data.Email, &conn).is_some() {
-        err!("User already exists")
-    }
-
-    if !CONFIG.invitations_allowed {
-        err!("Invitations are not allowed")
-    }
-
-    if let Some(ref mail_config) = CONFIG.mail {
-        let mut user = User::new(email);
-        user.save(&conn)?;
-        let org_name = "bitwarden_rs";
-        mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None, mail_config)?;
-    } else {
-        let mut invitation = Invitation::new(data.Email);
-        invitation.save(&conn)?;
-    }
-
-    Ok(Json(json!({})))
-}
-
 #[post("/users/<uuid>/delete")]
-fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> JsonResult {
+fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
     let user = match User::find_by_uuid(&uuid, &conn) {
         Some(user) => user,
         None => err!("User doesn't exist"),
     };
 
-    user.delete(&conn)?;
-    Ok(Json(json!({})))
+    user.delete(&conn)
+}
+
+#[post("/users/<uuid>/deauth")]
+fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    Device::delete_all_by_user(&user.uuid, &conn)?;
+    user.reset_security_stamp();
+
+    user.save(&conn)
+}
+
+#[post("/users/update_revision")]
+fn update_revision_users(_token: AdminToken, conn: DbConn) -> EmptyResult {
+    User::update_all_revisions(&conn)
+}
+
+#[post("/config", data = "<data>")]
+fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
+    let data: ConfigBuilder = data.into_inner();
+    CONFIG.update_config(data)
+}
+
+#[post("/config/delete")]
+fn delete_config(_token: AdminToken) -> EmptyResult {
+    CONFIG.delete_user_config()
 }
 
 pub struct AdminToken {}
@@ -71,37 +210,29 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
     type Error = &'static str;
 
     fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let config_token = match CONFIG.admin_token.as_ref() {
-            Some(token) => token,
-            None => err_handler!("Admin panel is disabled"),
-        };
+        if CONFIG.disable_admin_token() {
+            Outcome::Success(AdminToken {})
+        } else {
+            let mut cookies = request.cookies();
 
-        // Get access_token
-        let access_token: &str = match request.headers().get_one("Authorization") {
-            Some(a) => match a.rsplit("Bearer ").next() {
-                Some(split) => split,
-                None => err_handler!("No access token provided"),
-            },
-            None => err_handler!("No access token provided"),
-        };
+            let access_token = match cookies.get(COOKIE_NAME) {
+                Some(cookie) => cookie.value(),
+                None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+            };
 
-        // TODO: What authentication to use?
-        // Option 1: Make it a config option
-        // Option 2: Generate random token, and
-        // Option 2a: Send it to admin email, like upstream
-        // Option 2b: Print in console or save to data dir, so admin can check
+            let ip = match request.guard::<ClientIp>() {
+                Outcome::Success(ip) => ip.ip,
+                _ => err_handler!("Error getting Client IP"),
+            };
 
-        use crate::auth::ClientIp;
+            if decode_admin(access_token).is_err() {
+                // Remove admin cookie
+                cookies.remove(Cookie::named(COOKIE_NAME));
+                error!("Invalid or expired admin JWT. IP: {}.", ip);
+                return Outcome::Forward(());
+            }
 
-        let ip = match request.guard::<ClientIp>() {
-            Outcome::Success(ip) => ip,
-            _ => err_handler!("Error getting Client IP"),
-        };
-
-        if access_token != config_token {
-            err_handler!("Invalid admin token", format!("IP: {}.", ip.ip))
+            Outcome::Success(AdminToken {})
         }
-
-        Outcome::Success(AdminToken {})
     }
 }

src/api/core/accounts.rs

@@ -4,7 +4,7 @@ use crate::db::models::*;
 use crate::db::DbConn;
 
 use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
-use crate::auth::{decode_invite_jwt, Headers, InviteJWTClaims};
+use crate::auth::{decode_invite, Headers};
 use crate::mail;
 
 use crate::CONFIG;
@@ -66,7 +66,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
             }
 
             if let Some(token) = data.Token {
-                let claims: InviteJWTClaims = decode_invite_jwt(&token)?;
+                let claims = decode_invite(&token)?;
                 if claims.email == data.Email {
                     user
                 } else {
@@ -79,14 +79,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
                 }
 
                 user
-            } else if CONFIG.signups_allowed {
+            } else if CONFIG.signups_allowed() {
                 err!("Account with this email already exists")
             } else {
                 err!("Registration not allowed")
             }
         }
         None => {
-            if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
+            if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
                 User::new(data.Email.clone())
             } else {
                 err!("Registration not allowed")
@@ -322,6 +322,7 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
         err!("Invalid password")
     }
 
+    Device::delete_all_by_user(&user.uuid, &conn)?;
     user.reset_security_stamp();
     user.save(&conn)
 }
@@ -419,9 +420,9 @@ fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> EmptyResul
         None => return Ok(()),
     };
 
-    if let Some(ref mail_config) = CONFIG.mail {
-        mail::send_password_hint(&data.Email, hint, mail_config)?;
-    } else if CONFIG.show_password_hint {
+    if CONFIG.mail_enabled() {
+        mail::send_password_hint(&data.Email, hint)?;
+    } else if CONFIG.show_password_hint() {
         if let Some(hint) = hint {
             err!(format!("Your password hint is: {}", &hint));
         } else {

src/api/core/ciphers.rs

@@ -74,10 +74,10 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult {
     let user_json = headers.user.to_json(&conn);
 
     let folders = Folder::find_by_user(&headers.user.uuid, &conn);
-    let folders_json: Vec<Value> = folders.iter().map(|c| c.to_json()).collect();
+    let folders_json: Vec<Value> = folders.iter().map(Folder::to_json).collect();
 
     let collections = Collection::find_by_user_uuid(&headers.user.uuid, &conn);
-    let collections_json: Vec<Value> = collections.iter().map(|c| c.to_json()).collect();
+    let collections_json: Vec<Value> = collections.iter().map(Collection::to_json).collect();
 
     let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn);
     let ciphers_json: Vec<Value> = ciphers
@@ -221,6 +221,10 @@ pub fn update_cipher_from_data(
     nt: &Notify,
     ut: UpdateType,
 ) -> EmptyResult {
+    if cipher.organization_uuid.is_some() && cipher.organization_uuid != data.OrganizationId {
+        err!("Organization mismatch. Please resync the client before updating the cipher")
+    }
+
     if let Some(org_id) = data.OrganizationId {
         match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
             None => err!("You don't have permission to add item to organization"),
@@ -300,10 +304,13 @@ pub fn update_cipher_from_data(
     cipher.password_history = data.PasswordHistory.map(|f| f.to_string());
 
     cipher.save(&conn)?;
+    cipher.move_to_folder(data.FolderId, &headers.user.uuid, &conn)?;
 
-    nt.send_cipher_update(ut, &cipher, &cipher.update_users_revision(&conn));
+    if ut != UpdateType::None {
+        nt.send_cipher_update(ut, &cipher, &cipher.update_users_revision(&conn));
+    }
 
-    cipher.move_to_folder(data.FolderId, &headers.user.uuid, &conn)
+    Ok(())
 }
 
 use super::folders::FolderData;
@@ -346,25 +353,18 @@ fn post_ciphers_import(data: JsonUpcase<ImportData>, headers: Headers, conn: DbC
     }
 
     // Read and create the ciphers
-    for (index, cipher_data) in data.Ciphers.into_iter().enumerate() {
+    for (index, mut cipher_data) in data.Ciphers.into_iter().enumerate() {
         let folder_uuid = relations_map.get(&index).map(|i| folders[*i].uuid.clone());
+        cipher_data.FolderId = folder_uuid;
 
         let mut cipher = Cipher::new(cipher_data.Type, cipher_data.Name.clone());
-        update_cipher_from_data(
-            &mut cipher,
-            cipher_data,
-            &headers,
-            false,
-            &conn,
-            &nt,
-            UpdateType::CipherCreate,
-        )?;
-
-        cipher.move_to_folder(folder_uuid, &headers.user.uuid.clone(), &conn)?;
+        update_cipher_from_data(&mut cipher, cipher_data, &headers, false, &conn, &nt, UpdateType::None)?;
     }
 
     let mut user = headers.user;
-    user.update_revision(&conn)
+    user.update_revision(&conn)?;
+    nt.send_user_update(UpdateType::Vault, &user);
+    Ok(())
 }
 
 #[put("/ciphers/<uuid>/admin", data = "<data>")]
@@ -608,7 +608,7 @@ fn share_cipher_by_uuid(
                     None => err!("Invalid collection ID provided"),
                     Some(collection) => {
                         if collection.is_writable_by_user(&headers.user.uuid, &conn) {
-                            CollectionCipher::save(&cipher.uuid.clone(), &collection.uuid, &conn)?;
+                            CollectionCipher::save(&cipher.uuid, &collection.uuid, &conn)?;
                             shared_to_collection = true;
                         } else {
                             err!("No rights to modify the collection")
@@ -632,7 +632,14 @@ fn share_cipher_by_uuid(
 }
 
 #[post("/ciphers/<uuid>/attachment", format = "multipart/form-data", data = "<data>")]
-fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers: Headers, conn: DbConn) -> JsonResult {
+fn post_attachment(
+    uuid: String,
+    data: Data,
+    content_type: &ContentType,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify,
+) -> JsonResult {
     let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
         Some(cipher) => cipher,
         None => err!("Cipher doesn't exist"),
@@ -646,13 +653,13 @@ fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers
     let boundary_pair = params.next().expect("No boundary provided");
     let boundary = boundary_pair.1;
 
-    let base_path = Path::new(&CONFIG.attachments_folder).join(&cipher.uuid);
+    let base_path = Path::new(&CONFIG.attachments_folder()).join(&cipher.uuid);
 
     let mut attachment_key = None;
 
     Multipart::with_body(data.open(), boundary)
         .foreach_entry(|mut field| {
-            match field.headers.name.as_str() {
+            match &*field.headers.name {
                 "key" => {
                     use std::io::Read;
                     let mut key_buffer = String::new();
@@ -692,6 +699,8 @@ fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers
         })
         .expect("Error processing multipart data");
 
+    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
+
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
 }
 
@@ -702,8 +711,9 @@ fn post_attachment_admin(
     content_type: &ContentType,
     headers: Headers,
     conn: DbConn,
+    nt: Notify,
 ) -> JsonResult {
-    post_attachment(uuid, data, content_type, headers, conn)
+    post_attachment(uuid, data, content_type, headers, conn, nt)
 }
 
 #[post(
@@ -721,7 +731,7 @@ fn post_attachment_share(
     nt: Notify,
 ) -> JsonResult {
     _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn, &nt)?;
-    post_attachment(uuid, data, content_type, headers, conn)
+    post_attachment(uuid, data, content_type, headers, conn, nt)
 }
 
 #[post("/ciphers/<uuid>/attachment/<attachment_id>/delete-admin")]
@@ -808,83 +818,115 @@ fn delete_cipher_selected_post(data: JsonUpcase<Value>, headers: Headers, conn:
     delete_cipher_selected(data, headers, conn, nt)
 }
 
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct MoveCipherData {
+    FolderId: Option<String>,
+    Ids: Vec<String>,
+}
+
 #[post("/ciphers/move", data = "<data>")]
-fn move_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+fn move_cipher_selected(data: JsonUpcase<MoveCipherData>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
     let data = data.into_inner().data;
+    let user_uuid = headers.user.uuid;
 
-    let folder_id = match data.get("FolderId") {
-        Some(folder_id) => match folder_id.as_str() {
-            Some(folder_id) => match Folder::find_by_uuid(folder_id, &conn) {
-                Some(folder) => {
-                    if folder.user_uuid != headers.user.uuid {
-                        err!("Folder is not owned by user")
-                    }
-                    Some(folder.uuid)
+    if let Some(ref folder_id) = data.FolderId {
+        match Folder::find_by_uuid(folder_id, &conn) {
+            Some(folder) => {
+                if folder.user_uuid != user_uuid {
+                    err!("Folder is not owned by user")
                 }
-                None => err!("Folder doesn't exist"),
-            },
-            None => err!("Folder id provided in wrong format"),
-        },
-        None => None,
-    };
+            }
+            None => err!("Folder doesn't exist"),
+        }
+    }
 
-    let uuids = match data.get("Ids") {
-        Some(ids) => match ids.as_array() {
-            Some(ids) => ids.iter().filter_map(Value::as_str),
-            None => err!("Posted ids field is not an array"),
-        },
-        None => err!("Request missing ids field"),
-    };
-
-    for uuid in uuids {
-        let mut cipher = match Cipher::find_by_uuid(uuid, &conn) {
+    for uuid in data.Ids {
+        let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
             Some(cipher) => cipher,
             None => err!("Cipher doesn't exist"),
         };
 
-        if !cipher.is_accessible_to_user(&headers.user.uuid, &conn) {
+        if !cipher.is_accessible_to_user(&user_uuid, &conn) {
             err!("Cipher is not accessible by user")
         }
 
         // Move cipher
-        cipher.move_to_folder(folder_id.clone(), &headers.user.uuid, &conn)?;
-        cipher.save(&conn)?;
+        cipher.move_to_folder(data.FolderId.clone(), &user_uuid, &conn)?;
 
-        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
+        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &[user_uuid.clone()]);
     }
 
     Ok(())
 }
 
 #[put("/ciphers/move", data = "<data>")]
-fn move_cipher_selected_put(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+fn move_cipher_selected_put(
+    data: JsonUpcase<MoveCipherData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify,
+) -> EmptyResult {
     move_cipher_selected(data, headers, conn, nt)
 }
 
-#[post("/ciphers/purge", data = "<data>")]
-fn delete_all(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+#[derive(FromForm)]
+struct OrganizationId {
+    #[form(field = "organizationId")]
+    org_id: String,
+}
+
+#[post("/ciphers/purge?<organization..>", data = "<data>")]
+fn delete_all(
+    organization: Option<Form<OrganizationId>>,
+    data: JsonUpcase<PasswordData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify,
+) -> EmptyResult {
     let data: PasswordData = data.into_inner().data;
     let password_hash = data.MasterPasswordHash;
 
-    let user = headers.user;
+    let mut user = headers.user;
 
     if !user.check_valid_password(&password_hash) {
         err!("Invalid password")
     }
 
-    // Delete ciphers and their attachments
-    for cipher in Cipher::find_owned_by_user(&user.uuid, &conn) {
-        cipher.delete(&conn)?;
-        nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(&conn));
-    }
+    match organization {
+        Some(org_data) => {
+            // Organization ID in query params, purging organization vault
+            match UserOrganization::find_by_user_and_org(&user.uuid, &org_data.org_id, &conn) {
+                None => err!("You don't have permission to purge the organization vault"),
+                Some(user_org) => {
+                    if user_org.type_ == UserOrgType::Owner {
+                        Cipher::delete_all_by_organization(&org_data.org_id, &conn)?;
+                        Collection::delete_all_by_organization(&org_data.org_id, &conn)?;
+                        nt.send_user_update(UpdateType::Vault, &user);
+                        Ok(())
+                    } else {
+                        err!("You don't have permission to purge the organization vault");
+                    }
+                }
+            }
+        }
+        None => {
+            // No organization ID in query params, purging user vault
+            // Delete ciphers and their attachments
+            for cipher in Cipher::find_owned_by_user(&user.uuid, &conn) {
+                cipher.delete(&conn)?;
+            }
 
-    // Delete folders
-    for f in Folder::find_by_user(&user.uuid, &conn) {
-        f.delete(&conn)?;
-        nt.send_folder_update(UpdateType::FolderCreate, &f);
-    }
+            // Delete folders
+            for f in Folder::find_by_user(&user.uuid, &conn) {
+                f.delete(&conn)?;
+            }
 
-    Ok(())
+            user.update_revision(&conn)?;
+            nt.send_user_update(UpdateType::Vault, &user);
+            Ok(())
+        }
+    }
 }
 
 fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, nt: &Notify) -> EmptyResult {
@@ -929,6 +971,6 @@ fn _delete_cipher_attachment_by_id(
 
     // Delete attachment
     attachment.delete(&conn)?;
-    nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(&conn));
+    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
     Ok(())
 }

src/api/core/folders.rs

@@ -25,7 +25,7 @@ pub fn routes() -> Vec<Route> {
 fn get_folders(headers: Headers, conn: DbConn) -> JsonResult {
     let folders = Folder::find_by_user(&headers.user.uuid, &conn);
 
-    let folders_json: Vec<Value> = folders.iter().map(|c| c.to_json()).collect();
+    let folders_json: Vec<Value> = folders.iter().map(Folder::to_json).collect();
 
     Ok(Json(json!({
       "Data": folders_json,

src/api/core/mod.rs

@@ -11,6 +11,7 @@ pub fn routes() -> Vec<Route> {
         get_eq_domains,
         post_eq_domains,
         put_eq_domains,
+        hibp_breach,
     ];
 
     let mut routes = Vec::new();
@@ -32,10 +33,10 @@ use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value;
 
-use crate::db::DbConn;
-
 use crate::api::{EmptyResult, JsonResult, JsonUpcase};
 use crate::auth::Headers;
+use crate::db::DbConn;
+use crate::error::Error;
 
 #[put("/devices/identifier/<uuid>/clear-token")]
 fn clear_device_token(uuid: String) -> EmptyResult {
@@ -116,8 +117,8 @@ fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: Db
     let mut user = headers.user;
     use serde_json::to_string;
 
-    user.excluded_globals = to_string(&excluded_globals).unwrap_or("[]".to_string());
-    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or("[]".to_string());
+    user.excluded_globals = to_string(&excluded_globals).unwrap_or_else(|_| "[]".to_string());
+    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or_else(|_| "[]".to_string());
 
     user.save(&conn)?;
 
@@ -128,3 +129,21 @@ fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: Db
 fn put_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {
     post_eq_domains(data, headers, conn)
 }
+
+#[get("/hibp/breach?<username>")]
+fn hibp_breach(username: String) -> JsonResult {
+    let url = format!("https://haveibeenpwned.com/api/v2/breachedaccount/{}", username);
+    let user_agent = "Bitwarden_RS";
+
+    use reqwest::{header::USER_AGENT, Client};
+
+    let res = Client::new().get(&url).header(USER_AGENT, user_agent).send()?;
+
+    // If we get a 404, return a 404, it means no breached accounts
+    if res.status() == 404 {
+        return Err(Error::empty().with_code(404));
+    }
+
+    let value: Value = res.error_for_status()?.json()?;
+    Ok(Json(value))
+}

src/api/core/organizations.rs

@@ -1,19 +1,16 @@
 use rocket::request::Form;
+use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value;
 
+use crate::api::{
+    EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData, UpdateType,
+};
+use crate::auth::{decode_invite, AdminHeaders, Headers, OwnerHeaders};
 use crate::db::models::*;
 use crate::db::DbConn;
-use crate::CONFIG;
-
-use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
-use crate::auth::{decode_invite_jwt, AdminHeaders, Headers, InviteJWTClaims, OwnerHeaders};
-
 use crate::mail;
-
-use serde::{Deserialize, Deserializer};
-
-use rocket::Route;
+use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
     routes![
@@ -26,6 +23,7 @@ pub fn routes() -> Vec<Route> {
         get_org_collections,
         get_org_collection_detail,
         get_collection_users,
+        put_collection_users,
         put_organization,
         post_organization,
         post_organization_collections,
@@ -78,9 +76,9 @@ struct NewCollectionData {
 fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn) -> JsonResult {
     let data: OrgData = data.into_inner().data;
 
-    let mut org = Organization::new(data.Name, data.BillingEmail);
+    let org = Organization::new(data.Name, data.BillingEmail);
     let mut user_org = UserOrganization::new(headers.user.uuid.clone(), org.uuid.clone());
-    let mut collection = Collection::new(org.uuid.clone(), data.CollectionName);
+    let collection = Collection::new(org.uuid.clone(), data.CollectionName);
 
     user_org.key = data.Key;
     user_org.access_all = true;
@@ -223,7 +221,7 @@ fn post_organization_collections(
         None => err!("Can't find organization details"),
     };
 
-    let mut collection = Collection::new(org.uuid.clone(), data.Name);
+    let collection = Collection::new(org.uuid.clone(), data.Name);
     collection.save(&conn)?;
 
     Ok(Json(collection.to_json()))
@@ -371,15 +369,44 @@ fn get_collection_users(org_id: String, coll_id: String, _headers: AdminHeaders,
         .map(|col_user| {
             UserOrganization::find_by_user_and_org(&col_user.user_uuid, &org_id, &conn)
                 .unwrap()
-                .to_json_collection_user_details(col_user.read_only, &conn)
+                .to_json_collection_user_details(col_user.read_only)
         })
         .collect();
 
-    Ok(Json(json!({
-        "Data": user_list,
-        "Object": "list",
-        "ContinuationToken": null,
-    })))
+    Ok(Json(json!(user_list)))
+}
+
+#[put("/organizations/<org_id>/collections/<coll_id>/users", data = "<data>")]
+fn put_collection_users(
+    org_id: String,
+    coll_id: String,
+    data: JsonUpcaseVec<CollectionData>,
+    _headers: AdminHeaders,
+    conn: DbConn,
+) -> EmptyResult {
+    // Get org and collection, check that collection is from org
+    if Collection::find_by_uuid_and_org(&coll_id, &org_id, &conn).is_none() {
+        err!("Collection not found in Organization")
+    }
+
+    // Delete all the user-collections
+    CollectionUser::delete_all_by_collection(&coll_id, &conn)?;
+
+    // And then add all the received ones (except if the user has access_all)
+    for d in data.iter().map(|d| &d.data) {
+        let user = match UserOrganization::find_by_uuid(&d.Id, &conn) {
+            Some(u) => u,
+            None => err!("User is not part of organization"),
+        };
+
+        if user.access_all {
+            continue;
+        }
+
+        CollectionUser::save(&user.user_uuid, &coll_id, d.ReadOnly, &conn)?;
+    }
+
+    Ok(())
 }
 
 #[derive(FromForm)]
@@ -415,14 +442,6 @@ fn get_org_users(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonRe
     })))
 }
 
-fn deserialize_collections<'de, D>(deserializer: D) -> Result<Vec<CollectionData>, D::Error>
-where
-    D: Deserializer<'de>,
-{
-    // Deserialize null to empty Vec
-    Deserialize::deserialize(deserializer).or(Ok(vec![]))
-}
-
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct CollectionData {
@@ -435,8 +454,7 @@ struct CollectionData {
 struct InviteData {
     Emails: Vec<String>,
     Type: NumberOrString,
-    #[serde(deserialize_with = "deserialize_collections")]
-    Collections: Vec<CollectionData>,
+    Collections: Option<Vec<CollectionData>>,
     AccessAll: Option<bool>,
 }
 
@@ -454,18 +472,19 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
     }
 
     for email in data.Emails.iter() {
-        let mut user_org_status = match CONFIG.mail {
-            Some(_) => UserOrgStatus::Invited as i32,
-            None => UserOrgStatus::Accepted as i32, // Automatically mark user as accepted if no email invites
+        let mut user_org_status = if CONFIG.mail_enabled() {
+            UserOrgStatus::Invited as i32
+        } else {
+            UserOrgStatus::Accepted as i32 // Automatically mark user as accepted if no email invites
         };
         let user = match User::find_by_mail(&email, &conn) {
             None => {
-                if !CONFIG.invitations_allowed {
+                if !CONFIG.invitations_allowed() {
                     err!(format!("User email does not exist: {}", email))
                 }
 
-                if CONFIG.mail.is_none() {
-                    let mut invitation = Invitation::new(email.clone());
+                if !CONFIG.mail_enabled() {
+                    let invitation = Invitation::new(email.clone());
                     invitation.save(&conn)?;
                 }
 
@@ -491,7 +510,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
 
         // If no accessAll, add the collections received
         if !access_all {
-            for col in &data.Collections {
+            for col in data.Collections.iter().flatten() {
                 match Collection::find_by_uuid_and_org(&col.Id, &org_id, &conn) {
                     None => err!("Collection not found in Organization"),
                     Some(collection) => {
@@ -503,7 +522,7 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
 
         new_user.save(&conn)?;
 
-        if let Some(ref mail_config) = CONFIG.mail {
+        if CONFIG.mail_enabled() {
             let org_name = match Organization::find_by_uuid(&org_id, &conn) {
                 Some(org) => org.name,
                 None => err!("Error looking up organization"),
@@ -516,7 +535,6 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
                 Some(new_user.uuid),
                 &org_name,
                 Some(headers.user.email.clone()),
-                mail_config,
             )?;
         }
     }
@@ -526,11 +544,11 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
 
 #[post("/organizations/<org_id>/users/<user_org>/reinvite")]
 fn reinvite_user(org_id: String, user_org: String, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
-    if !CONFIG.invitations_allowed {
+    if !CONFIG.invitations_allowed() {
         err!("Invitations are not allowed.")
     }
 
-    if CONFIG.mail.is_none() {
+    if !CONFIG.mail_enabled() {
         err!("SMTP is not configured.")
     }
 
@@ -553,7 +571,7 @@ fn reinvite_user(org_id: String, user_org: String, headers: AdminHeaders, conn:
         None => err!("Error looking up organization."),
     };
 
-    if let Some(ref mail_config) = CONFIG.mail {
+    if CONFIG.mail_enabled() {
         mail::send_invite(
             &user.email,
             &user.uuid,
@@ -561,10 +579,9 @@ fn reinvite_user(org_id: String, user_org: String, headers: AdminHeaders, conn:
             Some(user_org.uuid),
             &org_name,
             Some(headers.user.email),
-            mail_config,
         )?;
     } else {
-        let mut invitation = Invitation::new(user.email.clone());
+        let invitation = Invitation::new(user.email.clone());
         invitation.save(&conn)?;
     }
 
@@ -582,7 +599,7 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
     // The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
     let data: AcceptData = data.into_inner().data;
     let token = &data.Token;
-    let claims: InviteJWTClaims = decode_invite_jwt(&token)?;
+    let claims = decode_invite(&token)?;
 
     match User::find_by_mail(&claims.email, &conn) {
         Some(_) => {
@@ -605,7 +622,7 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
         None => err!("Invited user not found"),
     }
 
-    if let Some(ref mail_config) = CONFIG.mail {
+    if CONFIG.mail_enabled() {
         let mut org_name = String::from("bitwarden_rs");
         if let Some(org_id) = &claims.org_id {
             org_name = match Organization::find_by_uuid(&org_id, &conn) {
@@ -615,10 +632,10 @@ fn accept_invite(_org_id: String, _org_user_id: String, data: JsonUpcase<AcceptD
         };
         if let Some(invited_by_email) = &claims.invited_by_email {
             // User was invited to an organization, so they must be confirmed manually after acceptance
-            mail::send_invite_accepted(&claims.email, invited_by_email, &org_name, mail_config)?;
+            mail::send_invite_accepted(&claims.email, invited_by_email, &org_name)?;
         } else {
             // User was invited from /admin, so they are automatically confirmed
-            mail::send_invite_confirmed(&claims.email, &org_name, mail_config)?;
+            mail::send_invite_confirmed(&claims.email, &org_name)?;
         }
     }
 
@@ -654,7 +671,7 @@ fn confirm_invite(
         None => err!("Invalid key provided"),
     };
 
-    if let Some(ref mail_config) = CONFIG.mail {
+    if CONFIG.mail_enabled() {
         let org_name = match Organization::find_by_uuid(&org_id, &conn) {
             Some(org) => org.name,
             None => err!("Error looking up organization."),
@@ -663,7 +680,7 @@ fn confirm_invite(
             Some(user) => user.email,
             None => err!("Error looking up user."),
         };
-        mail::send_invite_confirmed(&address, &org_name, mail_config)?;
+        mail::send_invite_confirmed(&address, &org_name)?;
     }
 
     user_to_confirm.save(&conn)
@@ -683,8 +700,7 @@ fn get_user(org_id: String, org_user_id: String, _headers: AdminHeaders, conn: D
 #[allow(non_snake_case)]
 struct EditUserData {
     Type: NumberOrString,
-    #[serde(deserialize_with = "deserialize_collections")]
-    Collections: Vec<CollectionData>,
+    Collections: Option<Vec<CollectionData>>,
     AccessAll: bool,
 }
 
@@ -749,7 +765,7 @@ fn edit_user(
 
     // If no accessAll, add the collections received
     if !data.AccessAll {
-        for col in &data.Collections {
+        for col in data.Collections.iter().flatten() {
             match Collection::find_by_uuid_and_org(&col.Id, &org_id, &conn) {
                 None => err!("Collection not found in Organization"),
                 Some(collection) => {
@@ -835,7 +851,7 @@ fn post_org_import(
         .Collections
         .into_iter()
         .map(|coll| {
-            let mut collection = Collection::new(org_id.clone(), coll.Name);
+            let collection = Collection::new(org_id.clone(), coll.Name);
             if collection.save(&conn).is_err() {
                 err!("Failed to create Collection");
             }

src/api/identity.rs

@@ -9,7 +9,7 @@ use num_traits::FromPrimitive;
 use crate::db::models::*;
 use crate::db::DbConn;
 
-use crate::util::{self, JsonMap};
+use crate::util;
 
 use crate::api::{ApiResult, EmptyResult, JsonResult};
 
@@ -118,7 +118,7 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult
         None => Device::new(device_id, user.uuid.clone(), device_name, device_type),
     };
 
-    let twofactor_token = twofactor_auth(&user.uuid, &data.clone(), &mut device, &conn)?;
+    let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, &conn)?;
 
     // Common
     let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap();
@@ -151,66 +151,47 @@ fn twofactor_auth(
     device: &mut Device,
     conn: &DbConn,
 ) -> ApiResult<Option<String>> {
-    let twofactors_raw = TwoFactor::find_by_user(user_uuid, conn);
-    // Remove u2f challenge twofactors (impl detail)
-    let twofactors: Vec<_> = twofactors_raw.iter().filter(|tf| tf.type_ < 1000).collect();
-
-    let providers: Vec<_> = twofactors.iter().map(|tf| tf.type_).collect();
+    let twofactors = TwoFactor::find_by_user(user_uuid, conn);
 
     // No twofactor token if twofactor is disabled
     if twofactors.is_empty() {
         return Ok(None);
     }
 
-    let provider = data.two_factor_provider.unwrap_or(providers[0]); // If we aren't given a two factor provider, asume the first one
+    let twofactor_ids: Vec<_> = twofactors.iter().map(|tf| tf.type_).collect();
+    let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, asume the first one
 
     let twofactor_code = match data.two_factor_token {
         Some(ref code) => code,
-        None => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+        None => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
     };
 
-    let twofactor = twofactors.iter().filter(|tf| tf.type_ == provider).nth(0);
+    let selected_twofactor = twofactors.into_iter().filter(|tf| tf.type_ == selected_id).nth(0);
+
+    use crate::api::core::two_factor as _tf;
+    use crate::crypto::ct_eq;
+
+    let selected_data = _selected_data(selected_twofactor);
+    let mut remember = data.two_factor_remember.unwrap_or(0);
+
+    match TwoFactorType::from_i32(selected_id) {
+        Some(TwoFactorType::Authenticator) => _tf::validate_totp_code_str(twofactor_code, &selected_data?)?,
+        Some(TwoFactorType::U2f) => _tf::validate_u2f_login(user_uuid, twofactor_code, conn)?,
+        Some(TwoFactorType::YubiKey) => _tf::validate_yubikey_login(twofactor_code, &selected_data?)?,
+        Some(TwoFactorType::Duo) => _tf::validate_duo_login(data.username.as_ref().unwrap(), twofactor_code, conn)?,
 
-    match TwoFactorType::from_i32(provider) {
         Some(TwoFactorType::Remember) => {
             match device.twofactor_remember {
-                Some(ref remember) if remember == twofactor_code => return Ok(None), // No twofactor token needed here
-                _ => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+                Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => {
+                    remember = 1; // Make sure we also return the token here, otherwise it will only remember the first time
+                }
+                _ => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
             }
         }
-
-        Some(TwoFactorType::Authenticator) => {
-            let twofactor = match twofactor {
-                Some(tf) => tf,
-                None => err!("TOTP not enabled"),
-            };
-
-            let totp_code: u64 = match twofactor_code.parse() {
-                Ok(code) => code,
-                _ => err!("Invalid TOTP code"),
-            };
-
-            if !twofactor.check_totp_code(totp_code) {
-                err_json!(_json_err_twofactor(&providers, user_uuid, conn)?)
-            }
-        }
-
-        Some(TwoFactorType::U2f) => {
-            use crate::api::core::two_factor;
-
-            two_factor::validate_u2f_login(user_uuid, &twofactor_code, conn)?;
-        }
-
-        Some(TwoFactorType::YubiKey) => {
-            use crate::api::core::two_factor;
-
-            two_factor::validate_yubikey_login(user_uuid, twofactor_code, conn)?;
-        }
-
         _ => err!("Invalid two factor provider"),
     }
 
-    if data.two_factor_remember.unwrap_or(0) == 1 {
+    if !CONFIG.disable_2fa_remember() && remember == 1 {
         Ok(Some(device.refresh_twofactor_remember()))
     } else {
         device.delete_twofactor_remember();
@@ -218,6 +199,13 @@ fn twofactor_auth(
     }
 }
 
+fn _selected_data(tf: Option<TwoFactor>) -> ApiResult<String> {
+    match tf {
+        Some(tf) => Ok(tf.data),
+        None => err!("Two factor doesn't exist"),
+    }
+}
+
 fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> ApiResult<Value> {
     use crate::api::core::two_factor;
 
@@ -234,27 +222,38 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
         match TwoFactorType::from_i32(*provider) {
             Some(TwoFactorType::Authenticator) => { /* Nothing to do for TOTP */ }
 
-            Some(TwoFactorType::U2f) if CONFIG.domain_set => {
+            Some(TwoFactorType::U2f) if CONFIG.domain_set() => {
                 let request = two_factor::generate_u2f_login(user_uuid, conn)?;
                 let mut challenge_list = Vec::new();
 
                 for key in request.registered_keys {
-                    let mut challenge_map = JsonMap::new();
-
-                    challenge_map.insert("appId".into(), Value::String(request.app_id.clone()));
-                    challenge_map.insert("challenge".into(), Value::String(request.challenge.clone()));
-                    challenge_map.insert("version".into(), Value::String(key.version));
-                    challenge_map.insert("keyHandle".into(), Value::String(key.key_handle.unwrap_or_default()));
-
-                    challenge_list.push(Value::Object(challenge_map));
+                    challenge_list.push(json!({
+                        "appId": request.app_id,
+                        "challenge": request.challenge,
+                        "version": key.version,
+                        "keyHandle": key.key_handle,
+                    }));
                 }
 
-                let mut map = JsonMap::new();
-                use serde_json;
                 let challenge_list_str = serde_json::to_string(&challenge_list).unwrap();
 
-                map.insert("Challenges".into(), Value::String(challenge_list_str));
-                result["TwoFactorProviders2"][provider.to_string()] = Value::Object(map);
+                result["TwoFactorProviders2"][provider.to_string()] = json!({
+                    "Challenges": challenge_list_str,
+                });
+            }
+
+            Some(TwoFactorType::Duo) => {
+                let email = match User::find_by_uuid(user_uuid, &conn) {
+                    Some(u) => u.email,
+                    None => err!("User does not exist"),
+                };
+
+                let (signature, host) = two_factor::generate_duo_signature(&email, conn)?;
+
+                result["TwoFactorProviders2"][provider.to_string()] = json!({
+                    "Host": host,
+                    "Signature": signature,
+                });
             }
 
             Some(tf_type @ TwoFactorType::YubiKey) => {
@@ -263,12 +262,11 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
                     None => err!("No YubiKey devices registered"),
                 };
 
-                let yubikey_metadata: two_factor::YubikeyMetadata =
-                    serde_json::from_str(&twofactor.data).expect("Can't parse Yubikey Metadata");
+                let yubikey_metadata: two_factor::YubikeyMetadata = serde_json::from_str(&twofactor.data)?;
 
-                let mut map = JsonMap::new();
-                map.insert("Nfc".into(), Value::Bool(yubikey_metadata.Nfc));
-                result["TwoFactorProviders2"][provider.to_string()] = Value::Object(map);
+                result["TwoFactorProviders2"][provider.to_string()] = json!({
+                    "Nfc": yubikey_metadata.Nfc,
+                })
             }
 
             _ => {}

src/api/mod.rs

@@ -23,6 +23,7 @@ pub type EmptyResult = ApiResult<()>;
 
 use crate::util;
 type JsonUpcase<T> = Json<util::UpCase<T>>;
+type JsonUpcaseVec<T> = Json<Vec<util::UpCase<T>>>;
 
 // Common structs representing JSON data received
 #[derive(Deserialize)]
@@ -46,10 +47,13 @@ impl NumberOrString {
         }
     }
 
-    fn into_i32(self) -> Option<i32> {
+    fn into_i32(self) -> ApiResult<i32> {
+        use std::num::ParseIntError as PIE;
         match self {
-            NumberOrString::Number(n) => Some(n),
-            NumberOrString::String(s) => s.parse().ok(),
+            NumberOrString::Number(n) => Ok(n),
+            NumberOrString::String(s) => s
+                .parse()
+                .map_err(|e: PIE| crate::Error::new("Can't convert to number", e.to_string())),
         }
     }
 }

src/api/notifications.rs

@@ -25,7 +25,7 @@ fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult {
     let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16]));
     let mut available_transports: Vec<JsonValue> = Vec::new();
 
-    if CONFIG.websocket_enabled {
+    if CONFIG.websocket_enabled() {
         available_transports.push(json!({"transport":"WebSockets", "transferFormats":["Text","Binary"]}));
     }
 
@@ -88,13 +88,10 @@ fn serialize(val: Value) -> Vec<u8> {
 
 fn serialize_date(date: NaiveDateTime) -> Value {
     let seconds: i64 = date.timestamp();
-    let nanos: i64 = date.timestamp_subsec_nanos() as i64;
+    let nanos: i64 = date.timestamp_subsec_nanos().into();
     let timestamp = nanos << 34 | seconds;
 
-    use byteorder::{BigEndian, WriteBytesExt};
-
-    let mut bs = [0u8; 8];
-    bs.as_mut().write_i64::<BigEndian>(timestamp).expect("Unable to write");
+    let bs = timestamp.to_be_bytes();
 
     // -1 is Timestamp
     // https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type
@@ -138,7 +135,7 @@ impl Handler for WSHandler {
 
         // Validate the user
         use crate::auth;
-        let claims = match auth::decode_jwt(access_token) {
+        let claims = match auth::decode_login(access_token) {
             Ok(claims) => claims,
             Err(_) => return Err(ws::Error::new(ws::ErrorKind::Internal, "Invalid access token provided")),
         };
@@ -233,7 +230,7 @@ pub struct WebSocketUsers {
 }
 
 impl WebSocketUsers {
-    fn send_update(&self, user_uuid: &String, data: &[u8]) -> ws::Result<()> {
+    fn send_update(&self, user_uuid: &str, data: &[u8]) -> ws::Result<()> {
         if let Some(user) = self.map.get(user_uuid) {
             for sender in user.iter() {
                 sender.send(data)?;
@@ -243,7 +240,6 @@ impl WebSocketUsers {
     }
 
     // NOTE: The last modified date needs to be updated before calling these methods
-    #[allow(dead_code)]
     pub fn send_user_update(&self, ut: UpdateType, user: &User) {
         let data = create_update(
             vec![
@@ -253,7 +249,7 @@ impl WebSocketUsers {
             ut,
         );
 
-        self.send_update(&user.uuid.clone(), &data).ok();
+        self.send_update(&user.uuid, &data).ok();
     }
 
     pub fn send_folder_update(&self, ut: UpdateType, folder: &Folder) {
@@ -328,6 +324,7 @@ fn create_ping() -> Vec<u8> {
 }
 
 #[allow(dead_code)]
+#[derive(PartialEq)]
 pub enum UpdateType {
     CipherUpdate = 0,
     CipherCreate = 1,
@@ -343,6 +340,8 @@ pub enum UpdateType {
     SyncSettings = 10,
 
     LogOut = 11,
+
+    None = 100,
 }
 
 use rocket::State;
@@ -352,9 +351,12 @@ pub fn start_notification_server() -> WebSocketUsers {
     let factory = WSFactory::init();
     let users = factory.users.clone();
 
-    if CONFIG.websocket_enabled {
+    if CONFIG.websocket_enabled() {
         thread::spawn(move || {
-            WebSocket::new(factory).unwrap().listen(&CONFIG.websocket_url).unwrap();
+            WebSocket::new(factory)
+                .unwrap()
+                .listen((CONFIG.websocket_address().as_str(), CONFIG.websocket_port()))
+                .unwrap();
         });
     }
 

src/api/web.rs

@@ -2,18 +2,18 @@ use std::io;
 use std::path::{Path, PathBuf};
 
 use rocket::http::ContentType;
-use rocket::request::Request;
 use rocket::response::content::Content;
-use rocket::response::{self, NamedFile, Responder};
+use rocket::response::NamedFile;
 use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value;
 
+use crate::util::Cached;
 use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
-    if CONFIG.web_vault_enabled {
-        routes![web_index, app_id, web_files, admin_page, attachments, alive]
+    if CONFIG.web_vault_enabled() {
+        routes![web_index, app_id, web_files, attachments, alive]
     } else {
         routes![attachments, alive]
     }
@@ -21,7 +21,9 @@ pub fn routes() -> Vec<Route> {
 
 #[get("/")]
 fn web_index() -> Cached<io::Result<NamedFile>> {
-    Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join("index.html")))
+    Cached::short(NamedFile::open(
+        Path::new(&CONFIG.web_vault_folder()).join("index.html"),
+    ))
 }
 
 #[get("/app-id.json")]
@@ -35,7 +37,7 @@ fn app_id() -> Cached<Content<Json<Value>>> {
             {
             "version": { "major": 1, "minor": 0 },
             "ids": [
-                &CONFIG.domain,
+                &CONFIG.domain(),
                 "ios:bundle-id:com.8bit.bitwarden",
                 "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
             }]
@@ -43,55 +45,14 @@ fn app_id() -> Cached<Content<Json<Value>>> {
     ))
 }
 
-const ADMIN_PAGE: &'static str = include_str!("../static/admin.html");
-use rocket::response::content::Html;
-
-#[get("/admin")]
-fn admin_page() -> Cached<Html<&'static str>> {
-    Cached::short(Html(ADMIN_PAGE))
-}
-
-/* // Use this during Admin page development
-#[get("/admin")]
-fn admin_page() -> Cached<io::Result<NamedFile>> {
-    Cached::short(NamedFile::open("src/static/admin.html"))
-}
-*/
-
-#[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
+#[get("/<p..>", rank = 10)] // Only match this if the other routes don't match
 fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> {
-    Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
-}
-
-struct Cached<R>(R, &'static str);
-
-impl<R> Cached<R> {
-    fn long(r: R) -> Cached<R> {
-        // 7 days
-        Cached(r, "public, max-age=604800")
-    }
-
-    fn short(r: R) -> Cached<R> {
-        // 10 minutes
-        Cached(r, "public, max-age=600")
-    }
-}
-
-impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> {
-    fn respond_to(self, req: &Request) -> response::Result<'r> {
-        match self.0.respond_to(req) {
-            Ok(mut res) => {
-                res.set_raw_header("Cache-Control", self.1);
-                Ok(res)
-            }
-            e @ Err(_) => e,
-        }
-    }
+    Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join(p)))
 }
 
 #[get("/attachments/<uuid>/<file..>")]
 fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
-    NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
+    NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file))
 }
 
 #[get("/alive")]

src/auth.rs

@@ -5,6 +5,7 @@ use crate::util::read_file;
 use chrono::{Duration, Utc};
 
 use jsonwebtoken::{self, Algorithm, Header};
+use serde::de::DeserializeOwned;
 use serde::ser::Serialize;
 
 use crate::error::{Error, MapResult};
@@ -14,21 +15,17 @@ const JWT_ALGORITHM: Algorithm = Algorithm::RS256;
 
 lazy_static! {
     pub static ref DEFAULT_VALIDITY: Duration = Duration::hours(2);
-    pub static ref JWT_ISSUER: String = CONFIG.domain.clone();
     static ref JWT_HEADER: Header = Header::new(JWT_ALGORITHM);
-    static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key) {
+    pub static ref JWT_LOGIN_ISSUER: String = format!("{}|login", CONFIG.domain());
+    pub static ref JWT_INVITE_ISSUER: String = format!("{}|invite", CONFIG.domain());
+    pub static ref JWT_ADMIN_ISSUER: String = format!("{}|admin", CONFIG.domain());
+    static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key()) {
         Ok(key) => key,
-        Err(e) => panic!(
-            "Error loading private RSA Key from {}\n Error: {}",
-            CONFIG.private_rsa_key, e
-        ),
+        Err(e) => panic!("Error loading private RSA Key.\n Error: {}", e),
     };
-    static ref PUBLIC_RSA_KEY: Vec<u8> = match read_file(&CONFIG.public_rsa_key) {
+    static ref PUBLIC_RSA_KEY: Vec<u8> = match read_file(&CONFIG.public_rsa_key()) {
         Ok(key) => key,
-        Err(e) => panic!(
-            "Error loading public RSA Key from {}\n Error: {}",
-            CONFIG.public_rsa_key, e
-        ),
+        Err(e) => panic!("Error loading public RSA Key.\n Error: {}", e),
     };
 }
 
@@ -39,14 +36,14 @@ pub fn encode_jwt<T: Serialize>(claims: &T) -> String {
     }
 }
 
-pub fn decode_jwt(token: &str) -> Result<JWTClaims, Error> {
+fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T, Error> {
     let validation = jsonwebtoken::Validation {
         leeway: 30, // 30 seconds
         validate_exp: true,
         validate_iat: false, // IssuedAt is the same as NotBefore
         validate_nbf: true,
         aud: None,
-        iss: Some(JWT_ISSUER.clone()),
+        iss: Some(issuer),
         sub: None,
         algorithms: vec![JWT_ALGORITHM],
     };
@@ -55,30 +52,23 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, Error> {
 
     jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation)
         .map(|d| d.claims)
-        .map_res("Error decoding login JWT")
+        .map_res("Error decoding JWT")
 }
 
-pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, Error> {
-    let validation = jsonwebtoken::Validation {
-        leeway: 30, // 30 seconds
-        validate_exp: true,
-        validate_iat: false, // IssuedAt is the same as NotBefore
-        validate_nbf: true,
-        aud: None,
-        iss: Some(JWT_ISSUER.clone()),
-        sub: None,
-        algorithms: vec![JWT_ALGORITHM],
-    };
+pub fn decode_login(token: &str) -> Result<LoginJWTClaims, Error> {
+    decode_jwt(token, JWT_LOGIN_ISSUER.to_string())
+}
 
-    let token = token.replace(char::is_whitespace, "");
+pub fn decode_invite(token: &str) -> Result<InviteJWTClaims, Error> {
+    decode_jwt(token, JWT_INVITE_ISSUER.to_string())
+}
 
-    jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation)
-        .map(|d| d.claims)
-        .map_res("Error decoding invite JWT")
+pub fn decode_admin(token: &str) -> Result<AdminJWTClaims, Error> {
+    decode_jwt(token, JWT_ADMIN_ISSUER.to_string())
 }
 
 #[derive(Debug, Serialize, Deserialize)]
-pub struct JWTClaims {
+pub struct LoginJWTClaims {
     // Not before
     pub nbf: i64,
     // Expiration time
@@ -125,17 +115,18 @@ pub struct InviteJWTClaims {
     pub invited_by_email: Option<String>,
 }
 
-pub fn generate_invite_claims(uuid: String, 
-                          email: String, 
-                          org_id: Option<String>, 
-                          org_user_id: Option<String>, 
-                          invited_by_email: Option<String>,
+pub fn generate_invite_claims(
+    uuid: String,
+    email: String,
+    org_id: Option<String>,
+    org_user_id: Option<String>,
+    invited_by_email: Option<String>,
 ) -> InviteJWTClaims {
     let time_now = Utc::now().naive_utc();
     InviteJWTClaims {
         nbf: time_now.timestamp(),
         exp: (time_now + Duration::days(5)).timestamp(),
-        iss: JWT_ISSUER.to_string(),
+        iss: JWT_INVITE_ISSUER.to_string(),
         sub: uuid.clone(),
         email: email.clone(),
         org_id: org_id.clone(),
@@ -144,6 +135,28 @@ pub fn generate_invite_claims(uuid: String,
     }
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+pub struct AdminJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+}
+
+pub fn generate_admin_claims() -> AdminJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    AdminJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::minutes(20)).timestamp(),
+        iss: JWT_ADMIN_ISSUER.to_string(),
+        sub: "admin_panel".to_string(),
+    }
+}
+
 //
 // Bearer token authentication
 //
@@ -166,8 +179,8 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
         let headers = request.headers();
 
         // Get host
-        let host = if CONFIG.domain_set {
-            CONFIG.domain.clone()
+        let host = if CONFIG.domain_set() {
+            CONFIG.domain()
         } else if let Some(referer) = headers.get_one("Referer") {
             referer.to_string()
         } else {
@@ -203,7 +216,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
         };
 
         // Check JWT token is valid and get device and user from it
-        let claims: JWTClaims = match decode_jwt(access_token) {
+        let claims = match decode_login(access_token) {
             Ok(claims) => claims,
             Err(_) => err_handler!("Invalid claim"),
         };

src/crypto.rs

@@ -2,7 +2,7 @@
 // PBKDF2 derivation
 //
 
-use ring::{digest, pbkdf2};
+use ring::{digest, hmac, pbkdf2};
 
 static DIGEST_ALG: &digest::Algorithm = &digest::SHA256;
 const OUTPUT_LEN: usize = digest::SHA256_OUTPUT_LEN;
@@ -19,6 +19,18 @@ pub fn verify_password_hash(secret: &[u8], salt: &[u8], previous: &[u8], iterati
     pbkdf2::verify(DIGEST_ALG, iterations, salt, secret, previous).is_ok()
 }
 
+//
+// HMAC
+//
+pub fn hmac_sign(key: &str, data: &str) -> String {
+    use data_encoding::HEXLOWER;
+
+    let key = hmac::SigningKey::new(&digest::SHA1, key.as_bytes());
+    let signature = hmac::sign(&key, data.as_bytes());
+
+    HEXLOWER.encode(signature.as_ref())
+}
+
 //
 // Random values
 //
@@ -36,3 +48,12 @@ pub fn get_random(mut array: Vec<u8>) -> Vec<u8> {
 
     array
 }
+
+//
+// Constant time compare
+//
+pub fn ct_eq<T: AsRef<[u8]>, U: AsRef<[u8]>>(a: T, b: U) -> bool {
+    use ring::constant_time::verify_slices_are_equal;
+
+    verify_slices_are_equal(a.as_ref(), b.as_ref()).is_ok()
+}

src/db/mod.rs

@@ -25,13 +25,13 @@ pub mod schema;
 
 /// Initializes a database pool.
 pub fn init_pool() -> Pool {
-    let manager = ConnectionManager::new(&*CONFIG.database_url);
+    let manager = ConnectionManager::new(CONFIG.database_url());
 
     r2d2::Pool::builder().build(manager).expect("Failed to create pool")
 }
 
 pub fn get_connection() -> Result<Connection, ConnectionError> {
-    Connection::establish(&CONFIG.database_url)
+    Connection::establish(&CONFIG.database_url())
 }
 
 /// Attempts to retrieve a single connection from the managed database pool. If