feat: add feature flag export-attachments (#5784 )

respond with cipher json when deleting attachments (#5823 )
On member invite and edit access_all is not sent anymore (#5673 )
2025-05-01 17:40:26 +02:00 · 2025-05-01 17:28:23 +02:00 · 2025-04-16 17:52:26 +02:00 · 2025-04-09 21:21:10 +02:00 · 2025-04-05 17:58:32 +02:00 · 2025-04-04 19:02:19 +02:00
55 changed files with 2454 additions and 1185 deletions
@@ -229,7 +229,8 @@
 # SIGNUPS_ALLOWED=true

 ## Controls if new users need to verify their email address upon registration
-## Note that setting this option to true prevents logins until the email address has been verified!
+## On new client versions, this will require the user to verify their email at signup time.
+## On older clients, it will require the user to verify their email before they can log in.
 ## The welcome email will include a verification link, and login attempts will periodically
 ## trigger another verification email to be sent.
 # SIGNUPS_VERIFY=false
@@ -353,6 +354,10 @@
 ## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
 ## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
 ## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Needs Android >=2025.2.0)
+## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Needs Android >=2025.2.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0)
+## - "export-attachments": Enable support for exporting attachments (Clients >=2025.4.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials

 ## Require new device emails. When a user logs in an email is required to be sent.
@@ -486,7 +491,7 @@
 ## Maximum attempts before an email token is reset and a new email will need to be sent.
 # EMAIL_ATTEMPTS_LIMIT=3
 ##
-## Setup email 2FA regardless of any organization policy
+## Setup email 2FA on registration regardless of any organization policy
 # EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
 ## Automatically setup email 2FA as fallback provider when needed
 # EMAIL_2FA_AUTO_FALLBACK=false
@@ -1,3 +1,5 @@
 /.github @dani-garcia @BlackDex
+/.github/** @dani-garcia @BlackDex
 /.github/CODEOWNERS @dani-garcia @BlackDex
 /.github/workflows/** @dani-garcia @BlackDex
+/SECURITY.md @dani-garcia @BlackDex
@@ -1,4 +1,5 @@
 name: Build
+permissions: {}

 on:
  push:
@@ -13,6 +14,7 @@ on:
      - "diesel.toml"
      - "docker/Dockerfile.j2"
      - "docker/DockerSettings.yaml"
+
  pull_request:
    paths:
      - ".github/workflows/build.yml"
@@ -28,13 +30,17 @@ on:

 jobs:
  build:
+    name: Build and Test ${{ matrix.channel }}
+    permissions:
+      actions: write
+      contents: read
    # We use Ubuntu 22.04 here because this matches the library versions used within the Debian docker containers
    runs-on: ubuntu-22.04
    timeout-minutes: 120
    # Make warnings errors, this is to prevent warnings slipping through.
    # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
    env:
-      RUSTFLAGS: "-D warnings"
+      RUSTFLAGS: "-Dwarnings"
    strategy:
      fail-fast: false
      matrix:
@@ -42,20 +48,19 @@ jobs:
          - "rust-toolchain" # The version defined in rust-toolchain
          - "msrv" # The supported MSRV

-    name: Build and Test ${{ matrix.channel }}
-
    steps:
-      # Checkout the repo
-      - name: "Checkout"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-      # End Checkout the repo
-
-
      # Install dependencies
      - name: "Install dependencies Ubuntu"
        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
      # End Install dependencies

+      # Checkout the repo
+      - name: "Checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+      # End Checkout the repo

      # Determine rust-toolchain version
      - name: Init Variables
@@ -75,7 +80,7 @@ jobs:

      # Only install the clippy and rustfmt components on the default rust-toolchain
      - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
+        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # master @ Mar 18, 2025, 8:14 PM GMT+1
        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -85,7 +90,7 @@ jobs:

      # Install the any other channel to be used for which we do not execute clippy and rustfmt
      - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
+        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # master @ Mar 18, 2025, 8:14 PM GMT+1
        if: ${{ matrix.channel != 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -93,11 +98,13 @@ jobs:

      # Set the current matrix toolchain version as default
      - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
+        env:
+          RUST_TOOLCHAIN: ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
        run: |
          # Remove the rust-toolchain.toml
          rm rust-toolchain.toml
          # Set the default
-          rustup default ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
+          rustup default "${RUST_TOOLCHAIN}"

      # Show environment
      - name: "Show environment"
@@ -108,7 +115,7 @@ jobs:

      # Enable Rust Caching
      - name: Rust Caching
-        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+        uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
        with:
          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -120,37 +127,37 @@ jobs:
      # First test all features together, afterwards test them separately.
      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc,query_logger"
        id: test_sqlite_mysql_postgresql_mimalloc_logger
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite,mysql,postgresql,enable_mimalloc,query_logger

      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
        id: test_sqlite_mysql_postgresql_mimalloc
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite,mysql,postgresql,enable_mimalloc

      - name: "test features: sqlite,mysql,postgresql"
        id: test_sqlite_mysql_postgresql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite,mysql,postgresql

      - name: "test features: sqlite"
        id: test_sqlite
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite

      - name: "test features: mysql"
        id: test_mysql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features mysql

      - name: "test features: postgresql"
        id: test_postgresql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features postgresql
      # End Run cargo tests
@@ -159,16 +166,16 @@ jobs:
      # Run cargo clippy, and fail on warnings
      - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
        id: clippy
-        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
        run: |
-          cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
+          cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc
      # End Run cargo clippy


      # Run cargo fmt (Only run on rust-toolchain defined version)
      - name: "check formatting"
        id: formatting
-        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
        run: |
          cargo fmt --all -- --check
      # End Run cargo fmt
@@ -178,22 +185,31 @@ jobs:
      # This is useful so all test/clippy/fmt actions are done, and they can all be addressed
      - name: "Some checks failed"
        if: ${{ failure() }}
+        env:
+          TEST_DB_M_L: ${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }}
+          TEST_DB_M: ${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}
+          TEST_DB: ${{ steps.test_sqlite_mysql_postgresql.outcome }}
+          TEST_SQLITE: ${{ steps.test_sqlite.outcome }}
+          TEST_MYSQL: ${{ steps.test_mysql.outcome }}
+          TEST_POSTGRESQL: ${{ steps.test_postgresql.outcome }}
+          CLIPPY: ${{ steps.clippy.outcome }}
+          FMT: ${{ steps.formatting.outcome }}
        run: |
-          echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
-          echo "|---|------|" >> $GITHUB_STEP_SUMMARY
-          echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### :x: Checks Failed!" >> "${GITHUB_STEP_SUMMARY}"
+          echo "" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|Job|Status|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|---|------|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${TEST_DB_M_L}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${TEST_DB_M}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|test (sqlite,mysql,postgresql)|${TEST_DB}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|test (sqlite)|${TEST_SQLITE}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|test (mysql)|${TEST_MYSQL}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|test (postgresql)|${TEST_POSTGRESQL}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${CLIPPY}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|fmt|${FMT}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "" >> "${GITHUB_STEP_SUMMARY}"
+          echo "Please check the failed jobs and fix where needed." >> "${GITHUB_STEP_SUMMARY}"
+          echo "" >> "${GITHUB_STEP_SUMMARY}"
          exit 1


@@ -202,5 +218,5 @@ jobs:
      - name: "All checks passed"
        if: ${{ success() }}
        run: |
-          echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### :tada: Checks Passed!" >> "${GITHUB_STEP_SUMMARY}"
+          echo "" >> "${GITHUB_STEP_SUMMARY}"
@@ -0,0 +1,28 @@
+name: Check templates
+permissions: {}
+
+on: [ push, pull_request ]
+
+jobs:
+  docker-templates:	
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+
+    steps:
+      # Checkout the repo
+      - name: "Checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+      # End Checkout the repo
+
+      - name: Run make to rebuild templates
+        working-directory: docker
+        run: make 
+
+      - name: Check for unstaged changes
+        working-directory: docker
+        run: git diff --exit-code
+        continue-on-error: false
@@ -1,24 +1,20 @@
 name: Hadolint
+permissions: {}

-on: [
-      push,
-      pull_request
-    ]
+on: [ push, pull_request ]

 jobs:
  hadolint:
    name: Validate Dockerfile syntax
+    permissions:
+      contents: read
    runs-on: ubuntu-24.04
    timeout-minutes: 30
-    steps:
-      # Checkout the repo
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-      # End Checkout the repo

+    steps:
      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -37,6 +33,12 @@ jobs:
        env:
          HADOLINT_VERSION: 2.12.0
      # End Download hadolint
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+      # End Checkout the repo

      # Test Dockerfiles with hadolint
      - name: Run hadolint
@@ -1,4 +1,5 @@
 name: Release
+permissions: {}

 on:
  push:
@@ -6,17 +7,23 @@ on:
      - main

    tags:
-      - '*'
+      # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
+      - '[1-2].[0-9]+.[0-9]+'

 jobs:
  # https://github.com/marketplace/actions/skip-duplicate-actions
  # Some checks to determine if we need to continue with building a new docker.
  # We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
  skip_check:
-    runs-on: ubuntu-24.04
+    # Only run this in the upstream repo and not on forks
    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
+    name: Cancel older jobs when running
+    permissions:
+      actions: write
+    runs-on: ubuntu-24.04
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+
    steps:
      - name: Skip Duplicates Actions
        id: skip_check
@@ -27,6 +34,9 @@ jobs:
        if: ${{ github.ref_type == 'branch' }}

  docker-build:
+    needs: skip_check
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
+    name: Build Vaultwarden containers
    permissions:
      packages: write
      contents: read
@@ -34,8 +44,6 @@ jobs:
      id-token: write
    runs-on: ubuntu-24.04
    timeout-minutes: 120
-    needs: skip_check
-    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
    # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them
    services:
      registry:
@@ -61,37 +69,42 @@ jobs:
        base_image: ["debian","alpine"]

    steps:
-      # Checkout the repo
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-        with:
-          fetch-depth: 0
-
      - name: Initialize QEMU binfmt support
-        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
        with:
          platforms: "arm64,arm"

      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
+          cache-binary: false
          buildkitd-config-inline: |
            [worker.oci]
              max-parallelism = 2
          driver-opts: |
            network=host

+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        # We need fetch-depth of 0 so we also get all the tag metadata
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
      # Determine Base Tags and Source Version
      - name: Determine Base Tags and Source Version
        shell: bash
+        env:
+          REF_TYPE: ${{ github.ref_type }}
        run: |
-          # Check which main tag we are going to build determined by github.ref_type
-          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+          # Check which main tag we are going to build determined by ref_type
+          if [[ "${REF_TYPE}" == "tag" ]]; then
            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
-          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+          elif [[ "${REF_TYPE}" == "branch" ]]; then
            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
          fi

@@ -107,7 +120,7 @@ jobs:

      # Login to Docker Hub
      - name: Login to Docker Hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -116,12 +129,14 @@ jobs:
      - name: Add registry for DockerHub
        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
        shell: bash
+        env:
+          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
        run: |
-          echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${DOCKERHUB_REPO}" | tee -a "${GITHUB_ENV}"

      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -131,12 +146,14 @@ jobs:
      - name: Add registry for ghcr.io
        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
        shell: bash
+        env:
+          GHCR_REPO: ${{ vars.GHCR_REPO }}
        run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${GHCR_REPO}" | tee -a "${GITHUB_ENV}"

      # Login to Quay.io
      - name: Login to Quay.io
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
@@ -146,17 +163,22 @@ jobs:
      - name: Add registry for Quay.io
        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
        shell: bash
+        env:
+          QUAY_REPO: ${{ vars.QUAY_REPO }}
        run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}"

      - name: Configure build cache from/to
        shell: bash
+        env:
+          GHCR_REPO: ${{ vars.GHCR_REPO }}
+          BASE_IMAGE: ${{ matrix.base_image }}
        run: |
          #
          # Check if there is a GitHub Container Registry Login and use it for caching
          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
-            echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
-            echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
          else
            echo "BAKE_CACHE_FROM="
            echo "BAKE_CACHE_TO="
@@ -170,7 +192,7 @@ jobs:

      - name: Bake ${{ matrix.base_image }} containers
        id: bake_vw
-        uses: docker/bake-action@5ca506d06f70338a4968df87fd8bfee5cbfb84c7 # v6.0.0
+        uses: docker/bake-action@4ba453fbc2db7735392b93edf935aaf9b1e8f747 # v6.5.0
        env:
          BASE_TAGS: "${{ env.BASE_TAGS }}"
          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
@@ -189,14 +211,16 @@ jobs:

      - name: Extract digest SHA
        shell: bash
+        env:
+          BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }}
        run: |
-          GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< '${{ steps.bake_vw.outputs.metadata }}')"
+          GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"
          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"

      # Attest container images
      - name: Attest - docker.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
        with:
          subject-name: ${{ vars.DOCKERHUB_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -204,7 +228,7 @@ jobs:

      - name: Attest - ghcr.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
        with:
          subject-name: ${{ vars.GHCR_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -212,7 +236,7 @@ jobs:

      - name: Attest - quay.io - ${{ matrix.base_image }}
        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
        with:
          subject-name: ${{ vars.QUAY_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -222,11 +246,13 @@ jobs:
      # Extract the Alpine binaries from the containers
      - name: Extract binaries
        shell: bash
+        env:
+          REF_TYPE: ${{ github.ref_type }}
        run: |
-          # Check which main tag we are going to build determined by github.ref_type
-          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+          # Check which main tag we are going to build determined by ref_type
+          if [[ "${REF_TYPE}" == "tag" ]]; then
            EXTRACT_TAG="latest"
-          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+          elif [[ "${REF_TYPE}" == "branch" ]]; then
            EXTRACT_TAG="testing"
          fi

@@ -264,31 +290,31 @@ jobs:

      # Upload artifacts to Github Actions and Attest the binaries
      - name: "Upload amd64 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64-${{ matrix.base_image }}
          path: vaultwarden-amd64-${{ matrix.base_image }}

      - name: "Upload arm64 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64-${{ matrix.base_image }}
          path: vaultwarden-arm64-${{ matrix.base_image }}

      - name: "Upload armv7 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7-${{ matrix.base_image }}
          path: vaultwarden-armv7-${{ matrix.base_image }}

      - name: "Upload armv6 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6-${{ matrix.base_image }}
          path: vaultwarden-armv6-${{ matrix.base_image }}

      - name: "Attest artifacts ${{ matrix.base_image }}"
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
        with:
          subject-path: vaultwarden-*
      # End Upload artifacts to Github Actions
@@ -1,3 +1,6 @@
+name: Cleanup
+permissions: {}
+
 on:
  workflow_dispatch:
    inputs:
@@ -9,10 +12,11 @@ on:
  schedule:
    - cron: '0 1 * * FRI'

-name: Cleanup
 jobs:
  releasecache-cleanup:
    name: Releasecache Cleanup
+    permissions:
+      packages: write
    runs-on: ubuntu-24.04
    continue-on-error: true
    timeout-minutes: 30
@@ -1,37 +1,42 @@
-name: trivy
+name: Trivy
+permissions: {}

 on:
  push:
    branches:
      - main
+
    tags:
      - '*'
+
  pull_request:
-    branches: [ "main" ]
+    branches:
+      - main
+
  schedule:
    - cron: '08 11 * * *'

-permissions:
-  contents: read
-
 jobs:
  trivy-scan:
-    # Only run this in the master repo and not on forks
+    # Only run this in the upstream repo and not on forks
    # When all forks run this at the same time, it is causing `Too Many Requests` issues
    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
-    name: Check
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30
+    name: Trivy Scan
    permissions:
      contents: read
-      security-events: write
      actions: read
+      security-events: write
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
        env:
          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
@@ -1,7 +1,7 @@
 ---
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
    hooks:
    - id: check-yaml
    - id: check-json
@@ -31,7 +31,7 @@ repos:
      language: system
      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"]
      types_or: [rust, file]
-      files: (Cargo.toml|Cargo.lock|rust-toolchain|.*\.rs$)
+      files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
      pass_filenames: false
    - id: cargo-clippy
      name: cargo clippy
@@ -40,5 +40,13 @@ repos:
      language: system
      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"]
      types_or: [rust, file]
-      files: (Cargo.toml|Cargo.lock|rust-toolchain|clippy.toml|.*\.rs$)
+      files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
      pass_filenames: false
+    - id: check-docker-templates
+      name: check docker templates
+      description: Check if the Docker templates are updated
+      language: system
+      entry: sh
+      args:
+        - "-c"
+        - "cd docker && make"
@@ -1,11 +1,12 @@
-workspace = { members = ["macros"] }
+[workspace]
+members = ["macros"]

 [package]
 name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.83.0"
+rust-version = "1.84.0"
 resolver = "2"

 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -44,7 +45,7 @@ syslog = "7.0.0"
 macros = { path = "./macros" }

 # Logging
-log = "0.4.22"
+log = "0.4.27"
 fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
 tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work

@@ -52,12 +53,12 @@ tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and
 dotenvy = { version = "0.15.7", default-features = false }

 # Lazy initialization
-once_cell = "1.20.2"
+once_cell = "1.21.3"

 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.7"
+bigdecimal = "0.4.8"

 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
@@ -71,43 +72,44 @@ dashmap = "6.1.0"

 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.42.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.44.2", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }

 # A generic serialization/deserialization framework
-serde = { version = "1.0.217", features = ["derive"] }
-serde_json = "1.0.135"
+serde = { version = "1.0.219", features = ["derive"] }
+serde_json = "1.0.140"

 # A safe, extensible ORM and Query builder
-diesel = { version = "2.2.6", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.2.9", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.2.0"
 diesel_logger = { version = "0.4.0", optional = true }

-derive_more = { version = "1.0.0", features = ["from", "into", "as_ref", "deref", "display"] }
+derive_more = { version = "2.0.1", features = ["from", "into", "as_ref", "deref", "display"] }
 diesel-derive-newtype = "2.1.2"

 # Bundled/Static SQLite
-libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true }
+libsqlite3-sys = { version = "0.32.0", features = ["bundled"], optional = true }

 # Crypto-related libraries
-rand = { version = "0.8.5", features = ["small_rng"] }
-ring = "0.17.8"
+rand = "0.9.0"
+ring = "0.17.14"
+subtle = "2.6.1"

 # UUID generation
-uuid = { version = "1.11.0", features = ["v4"] }
+uuid = { version = "1.16.0", features = ["v4"] }

 # Date and time libraries
-chrono = { version = "0.4.39", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.10.0"
-time = "0.3.37"
+chrono = { version = "0.4.40", features = ["clock", "serde"], default-features = false }
+chrono-tz = "0.10.3"
+time = "0.3.41"

 # Job scheduler
 job_scheduler_ng = "2.0.5"

 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.6.0"
+data-encoding = "2.8.0"

 # JWT library
-jsonwebtoken = "9.3.0"
+jsonwebtoken = "9.3.1"

 # TOTP library
 totp-lite = "2.0.1"
@@ -122,47 +124,48 @@ webauthn-rs = "0.3.2"
 url = "2.5.4"

 # Email libraries
-lettre = { version = "0.11.11", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+lettre = { version = "0.11.15", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
 percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"

 # HTML Template library
-handlebars = { version = "6.3.0", features = ["dir_source"] }
+handlebars = { version = "6.3.2", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.12", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
-hickory-resolver = "0.24.2"
+reqwest = { version = "0.12.15", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
+hickory-resolver = "0.25.1"

 # Favicon extraction libraries
 html5gum = "0.7.0"
 regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.1"
-bytes = "1.9.0"
+bytes = "1.10.1"

 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.54.0", features = ["async"] }
+cached = { version = "0.55.1", features = ["async"] }

 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
 cookie_store = "0.21.1"

 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.68"
+openssl = "0.10.72"

 # CLI argument parsing
 pico-args = "0.5.0"

 # Macro ident concatenation
-paste = "1.0.15"
-governor = "0.8.0"
+pastey = "0.1.0"
+governor = "0.10.0"

 # Check client versions for specific features.
-semver = "1.0.24"
+semver = "1.0.26"

 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
-mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true }
-which = "7.0.1"
+mimalloc = { version = "0.1.46", features = ["secure"], default-features = false, optional = true }
+
+which = "7.0.3"

 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@@ -213,7 +216,7 @@ codegen-units = 16

 # Linting config
 # https://doc.rust-lang.org/rustc/lints/groups.html
-[lints.rust]
+[workspace.lints.rust]
 # Forbid
 unsafe_code = "forbid"
 non_ascii_idents = "forbid"
@@ -243,11 +246,14 @@ if_let_rescope = "allow"
 tail_expr_drop_order = "allow"

 # https://rust-lang.github.io/rust-clippy/stable/index.html
-[lints.clippy]
+[workspace.lints.clippy]
 # Warn
 dbg_macro = "warn"
 todo = "warn"

+# Ignore/Allow
+result_large_err = "allow"
+
 # Deny
 case_sensitive_file_extension_comparisons = "deny"
 cast_lossless = "deny"
@@ -278,3 +284,6 @@ unused_async = "deny"
 unused_self = "deny"
 verbose_file_reads = "deny"
 zero_sized_map_values = "deny"
+
+[lints]
+workspace = true
@@ -48,8 +48,8 @@ fn main() {
 fn run(args: &[&str]) -> Result<String, std::io::Error> {
    let out = Command::new(args[0]).args(&args[1..]).output()?;
    if !out.status.success() {
-        use std::io::{Error, ErrorKind};
-        return Err(Error::new(ErrorKind::Other, "Command not successful"));
+        use std::io::Error;
+        return Err(Error::other("Command not successful"));
    }
    Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
 }
@@ -1,11 +1,11 @@
 ---
-vault_version: "v2025.1.1"
-vault_image_digest: "sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918"
+vault_version: "v2025.3.1"
+vault_image_digest: "sha256:5b11739052c26dc3c2135b28dc5b072bc607f870a3e81fbbcc72e0cd1f124bcd"
 # Cross Compile Docker Helper Scripts v1.6.1
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894"
-rust_version: 1.84.0 # Rust version to be used
+rust_version: 1.86.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
 alpine_version: "3.21" # Alpine version to be used
 # For which platforms/architectures will we try to build images
@@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.1.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.1.1
-#     [docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.3.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.3.1
+#     [docker.io/vaultwarden/web-vault@sha256:5b11739052c26dc3c2135b28dc5b072bc607f870a3e81fbbcc72e0cd1f124bcd]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918
-#     [docker.io/vaultwarden/web-vault:v2025.1.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:5b11739052c26dc3c2135b28dc5b072bc607f870a3e81fbbcc72e0cd1f124bcd
+#     [docker.io/vaultwarden/web-vault:v2025.3.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:5b11739052c26dc3c2135b28dc5b072bc607f870a3e81fbbcc72e0cd1f124bcd AS vault

 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.84.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.84.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.84.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.84.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.86.0 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.86.0 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.86.0 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.86.0 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@@ -19,15 +19,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.1.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.1.1
-#     [docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.3.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.3.1
+#     [docker.io/vaultwarden/web-vault@sha256:5b11739052c26dc3c2135b28dc5b072bc607f870a3e81fbbcc72e0cd1f124bcd]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918
-#     [docker.io/vaultwarden/web-vault:v2025.1.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:5b11739052c26dc3c2135b28dc5b072bc607f870a3e81fbbcc72e0cd1f124bcd
+#     [docker.io/vaultwarden/web-vault:v2025.3.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:5b11739052c26dc3c2135b28dc5b072bc607f870a3e81fbbcc72e0cd1f124bcd AS vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:9c207bead753dda9430bd

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.84.0-slim-bookworm AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.86.0-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -89,24 +89,24 @@ RUN USER=root cargo new --bin /app
 WORKDIR /app

 # Environment variables for Cargo on Debian based builds
-ARG ARCH_OPENSSL_LIB_DIR \
-    ARCH_OPENSSL_INCLUDE_DIR
+ARG TARGET_PKG_CONFIG_PATH

 RUN source /env-cargo && \
    if xx-info is-cross ; then \
-        # Some special variables if needed to override some build paths
-        if [[ -n "${ARCH_OPENSSL_LIB_DIR}" && -n "${ARCH_OPENSSL_INCLUDE_DIR}" ]]; then \
-            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_LIB_DIR=${ARCH_OPENSSL_LIB_DIR}" >> /env-cargo && \
-            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_INCLUDE_DIR=${ARCH_OPENSSL_INCLUDE_DIR}" >> /env-cargo ; \
-        fi && \
        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
        # Because of this we generate the needed environment variables here which we can load in the needed steps.
        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
-        echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
        echo "export CROSS_COMPILE=1" >> /env-cargo && \
-        echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
-        echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
+        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
+        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
+        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
+        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
+            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
+        else \
+            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
+        fi && \
+        echo "# End of env-cargo" >> /env-cargo ; \
    fi && \
    # Output the current contents of the file
    cat /env-cargo
@@ -109,24 +109,24 @@ WORKDIR /app

 {% if base == "debian" %}
 # Environment variables for Cargo on Debian based builds
-ARG ARCH_OPENSSL_LIB_DIR \
-    ARCH_OPENSSL_INCLUDE_DIR
+ARG TARGET_PKG_CONFIG_PATH

 RUN source /env-cargo && \
    if xx-info is-cross ; then \
-        # Some special variables if needed to override some build paths
-        if [[ -n "${ARCH_OPENSSL_LIB_DIR}" && -n "${ARCH_OPENSSL_INCLUDE_DIR}" ]]; then \
-            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_LIB_DIR=${ARCH_OPENSSL_LIB_DIR}" >> /env-cargo && \
-            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_INCLUDE_DIR=${ARCH_OPENSSL_INCLUDE_DIR}" >> /env-cargo ; \
-        fi && \
        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
        # Because of this we generate the needed environment variables here which we can load in the needed steps.
        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
-        echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
        echo "export CROSS_COMPILE=1" >> /env-cargo && \
-        echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
-        echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
+        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
+        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
+        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
+        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
+            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
+        else \
+            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
+        fi && \
+        echo "# End of env-cargo" >> /env-cargo ; \
    fi && \
    # Output the current contents of the file
    cat /env-cargo
@@ -133,8 +133,7 @@ target "debian-386" {
  platforms = ["linux/386"]
  tags = generate_tags("", "-386")
  args = {
-    ARCH_OPENSSL_LIB_DIR = "/usr/lib/i386-linux-gnu"
-    ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/i386-linux-gnu"
+    TARGET_PKG_CONFIG_PATH = "/usr/lib/i386-linux-gnu/pkgconfig"
  }
 }

@@ -142,20 +141,12 @@ target "debian-ppc64le" {
  inherits = ["debian"]
  platforms = ["linux/ppc64le"]
  tags = generate_tags("", "-ppc64le")
-  args = {
-    ARCH_OPENSSL_LIB_DIR = "/usr/lib/powerpc64le-linux-gnu"
-    ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/powerpc64le-linux-gnu"
-  }
 }

 target "debian-s390x" {
  inherits = ["debian"]
  platforms = ["linux/s390x"]
  tags = generate_tags("", "-s390x")
-  args = {
-    ARCH_OPENSSL_LIB_DIR = "/usr/lib/s390x-linux-gnu"
-    ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/s390x-linux-gnu"
-  }
 }
 // ==== End of unsupported Debian architecture targets ===

@@ -9,5 +9,8 @@ path = "src/lib.rs"
 proc-macro = true

 [dependencies]
-quote = "1.0.38"
-syn = "2.0.94"
+quote = "1.0.40"
+syn = "2.0.100"
+
+[lints]
+workspace = true
@@ -1,5 +1,3 @@
-extern crate proc_macro;
-
 use proc_macro::TokenStream;
 use quote::quote;

@@ -12,7 +10,7 @@ pub fn derive_uuid_from_param(input: TokenStream) -> TokenStream {

 fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {
    let name = &ast.ident;
-    let gen = quote! {
+    let gen_derive = quote! {
        #[automatically_derived]
        impl<'r> rocket::request::FromParam<'r> for #name {
            type Error = ();
@@ -27,7 +25,7 @@ fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {
            }
        }
    };
-    gen.into()
+    gen_derive.into()
 }

 #[proc_macro_derive(IdFromParam)]
@@ -39,7 +37,7 @@ pub fn derive_id_from_param(input: TokenStream) -> TokenStream {

 fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream {
    let name = &ast.ident;
-    let gen = quote! {
+    let gen_derive = quote! {
        #[automatically_derived]
        impl<'r> rocket::request::FromParam<'r> for #name {
            type Error = ();
@@ -54,5 +52,5 @@ fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream {
            }
        }
    };
-    gen.into()
+    gen_derive.into()
 }
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.84.0"
+channel = "1.86.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
@@ -171,7 +171,7 @@ struct LoginForm {
    redirect: Option<String>,
 }

-#[post("/", data = "<data>")]
+#[post("/", format = "application/x-www-form-urlencoded", data = "<data>")]
 fn post_admin_login(
    data: Form<LoginForm>,
    cookies: &CookieJar<'_>,
@@ -289,7 +289,7 @@ async fn get_user_or_404(user_id: &UserId, conn: &mut DbConn) -> ApiResult<User>
    }
 }

-#[post("/invite", data = "<data>")]
+#[post("/invite", format = "application/json", data = "<data>")]
 async fn invite_user(data: Json<InviteData>, _token: AdminToken, mut conn: DbConn) -> JsonResult {
    let data: InviteData = data.into_inner();
    if User::find_by_mail(&data.email, &mut conn).await.is_some() {
@@ -315,7 +315,7 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, mut conn: DbCon
    Ok(Json(user.to_json(&mut conn).await))
 }

-#[post("/test/smtp", data = "<data>")]
+#[post("/test/smtp", format = "application/json", data = "<data>")]
 async fn test_smtp(data: Json<InviteData>, _token: AdminToken) -> EmptyResult {
    let data: InviteData = data.into_inner();

@@ -393,7 +393,7 @@ async fn get_user_json(user_id: UserId, _token: AdminToken, mut conn: DbConn) ->
    Ok(Json(usr))
 }

-#[post("/users/<user_id>/delete")]
+#[post("/users/<user_id>/delete", format = "application/json")]
 async fn delete_user(user_id: UserId, token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let user = get_user_or_404(&user_id, &mut conn).await?;

@@ -403,7 +403,7 @@ async fn delete_user(user_id: UserId, token: AdminToken, mut conn: DbConn) -> Em

    for membership in memberships {
        log_event(
-            EventType::OrganizationUserRemoved as i32,
+            EventType::OrganizationUserDeleted as i32,
            &membership.uuid,
            &membership.org_uuid,
            &ACTING_ADMIN_USER.into(),
@@ -417,7 +417,7 @@ async fn delete_user(user_id: UserId, token: AdminToken, mut conn: DbConn) -> Em
    res
 }

-#[post("/users/<user_id>/deauth")]
+#[post("/users/<user_id>/deauth", format = "application/json")]
 async fn deauth_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;

@@ -438,7 +438,7 @@ async fn deauth_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt:
    user.save(&mut conn).await
 }

-#[post("/users/<user_id>/disable")]
+#[post("/users/<user_id>/disable", format = "application/json")]
 async fn disable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    Device::delete_all_by_user(&user.uuid, &mut conn).await?;
@@ -452,7 +452,7 @@ async fn disable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt:
    save_result
 }

-#[post("/users/<user_id>/enable")]
+#[post("/users/<user_id>/enable", format = "application/json")]
 async fn enable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    user.enabled = true;
@@ -460,7 +460,7 @@ async fn enable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> E
    user.save(&mut conn).await
 }

-#[post("/users/<user_id>/remove-2fa")]
+#[post("/users/<user_id>/remove-2fa", format = "application/json")]
 async fn remove_2fa(user_id: UserId, token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    TwoFactor::delete_all_by_user(&user.uuid, &mut conn).await?;
@@ -469,7 +469,7 @@ async fn remove_2fa(user_id: UserId, token: AdminToken, mut conn: DbConn) -> Emp
    user.save(&mut conn).await
 }

-#[post("/users/<user_id>/invite/resend")]
+#[post("/users/<user_id>/invite/resend", format = "application/json")]
 async fn resend_user_invite(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
    if let Some(user) = User::find_by_uuid(&user_id, &mut conn).await {
        //TODO: replace this with user.status check when it will be available (PR#3397)
@@ -496,7 +496,7 @@ struct MembershipTypeData {
    org_uuid: OrganizationId,
 }

-#[post("/users/org_type", data = "<data>")]
+#[post("/users/org_type", format = "application/json", data = "<data>")]
 async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let data: MembershipTypeData = data.into_inner();

@@ -550,7 +550,7 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
    member_to_edit.save(&mut conn).await
 }

-#[post("/users/update_revision")]
+#[post("/users/update_revision", format = "application/json")]
 async fn update_revision_users(_token: AdminToken, mut conn: DbConn) -> EmptyResult {
    User::update_all_revisions(&mut conn).await
 }
@@ -575,7 +575,7 @@ async fn organizations_overview(_token: AdminToken, mut conn: DbConn) -> ApiResu
    Ok(Html(text))
 }

-#[post("/organizations/<org_id>/delete")]
+#[post("/organizations/<org_id>/delete", format = "application/json")]
 async fn delete_organization(org_id: OrganizationId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let org = Organization::find_by_uuid(&org_id, &mut conn).await.map_res("Organization doesn't exist")?;
    org.delete(&mut conn).await
@@ -618,7 +618,7 @@ async fn has_http_access() -> bool {
 use cached::proc_macro::cached;
 /// Cache this function to prevent API call rate limit. Github only allows 60 requests per hour, and we use 3 here already.
 /// It will cache this function for 300 seconds (5 minutes) which should prevent the exhaustion of the rate limit.
-#[cached(time = 300, sync_writes = true)]
+#[cached(time = 300, sync_writes = "default")]
 async fn get_release_info(has_http_access: bool, running_within_container: bool) -> (String, String, String) {
    // If the HTTP Check failed, do not even attempt to check for new versions since we were not able to connect with github.com anyway.
    if has_http_access {
@@ -733,7 +733,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, mut conn: DbConn)
    Ok(Html(text))
 }

-#[get("/diagnostics/config")]
+#[get("/diagnostics/config", format = "application/json")]
 fn get_diagnostics_config(_token: AdminToken) -> Json<Value> {
    let support_json = CONFIG.get_support_json();
    Json(support_json)
@@ -744,16 +744,16 @@ fn get_diagnostics_http(code: u16, _token: AdminToken) -> EmptyResult {
    err_code!(format!("Testing error {code} response"), code);
 }

-#[post("/config", data = "<data>")]
+#[post("/config", format = "application/json", data = "<data>")]
 fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
    let data: ConfigBuilder = data.into_inner();
-    if let Err(e) = CONFIG.update_config(data) {
+    if let Err(e) = CONFIG.update_config(data, true) {
        err!(format!("Unable to save config: {e:?}"))
    }
    Ok(())
 }

-#[post("/config/delete")]
+#[post("/config/delete", format = "application/json")]
 fn delete_config(_token: AdminToken) -> EmptyResult {
    if let Err(e) = CONFIG.delete_user_config() {
        err!(format!("Unable to delete config: {e:?}"))
@@ -761,7 +761,7 @@ fn delete_config(_token: AdminToken) -> EmptyResult {
    Ok(())
 }

-#[post("/config/backup_db")]
+#[post("/config/backup_db", format = "application/json")]
 async fn backup_db(_token: AdminToken, mut conn: DbConn) -> ApiResult<String> {
    if *CAN_BACKUP {
        match backup_database(&mut conn).await {
@@ -70,18 +70,31 @@ pub fn routes() -> Vec<rocket::Route> {
 #[serde(rename_all = "camelCase")]
 pub struct RegisterData {
    email: String,
+
    kdf: Option<i32>,
    kdf_iterations: Option<i32>,
    kdf_memory: Option<i32>,
    kdf_parallelism: Option<i32>,
+
+    #[serde(alias = "userSymmetricKey")]
    key: String,
+    #[serde(alias = "userAsymmetricKeys")]
    keys: Option<KeysData>,
+
    master_password_hash: String,
    master_password_hint: Option<String>,
+
    name: Option<String>,
-    token: Option<String>,
+
    #[allow(dead_code)]
    organization_user_id: Option<MembershipId>,
+
+    // Used only from the register/finish endpoint
+    email_verification_token: Option<String>,
+    accept_emergency_access_id: Option<EmergencyAccessId>,
+    accept_emergency_access_invite_token: Option<String>,
+    #[serde(alias = "token")]
+    org_invite_token: Option<String>,
 }

 #[derive(Debug, Deserialize)]
@@ -124,13 +137,78 @@ async fn is_email_2fa_required(member_id: Option<MembershipId>, conn: &mut DbCon

 #[post("/accounts/register", data = "<data>")]
 async fn register(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
-    _register(data, conn).await
+    _register(data, false, conn).await
 }

-pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult {
-    let data: RegisterData = data.into_inner();
+pub async fn _register(data: Json<RegisterData>, email_verification: bool, mut conn: DbConn) -> JsonResult {
+    let mut data: RegisterData = data.into_inner();
    let email = data.email.to_lowercase();

+    let mut email_verified = false;
+
+    let mut pending_emergency_access = None;
+
+    // First, validate the provided verification tokens
+    if email_verification {
+        match (
+            &data.email_verification_token,
+            &data.accept_emergency_access_id,
+            &data.accept_emergency_access_invite_token,
+            &data.organization_user_id,
+            &data.org_invite_token,
+        ) {
+            // Normal user registration, when email verification is required
+            (Some(email_verification_token), None, None, None, None) => {
+                let claims = crate::auth::decode_register_verify(email_verification_token)?;
+                if claims.sub != data.email {
+                    err!("Email verification token does not match email");
+                }
+
+                // During this call we don't get the name, so extract it from the claims
+                if claims.name.is_some() {
+                    data.name = claims.name;
+                }
+                email_verified = claims.verified;
+            }
+            // Emergency access registration
+            (None, Some(accept_emergency_access_id), Some(accept_emergency_access_invite_token), None, None) => {
+                if !CONFIG.emergency_access_allowed() {
+                    err!("Emergency access is not enabled.")
+                }
+
+                let claims = crate::auth::decode_emergency_access_invite(accept_emergency_access_invite_token)?;
+
+                if claims.email != data.email {
+                    err!("Claim email does not match email")
+                }
+                if &claims.emer_id != accept_emergency_access_id {
+                    err!("Claim emer_id does not match accept_emergency_access_id")
+                }
+
+                pending_emergency_access = Some((accept_emergency_access_id, claims));
+                email_verified = true;
+            }
+            // Org invite
+            (None, None, None, Some(organization_user_id), Some(org_invite_token)) => {
+                let claims = decode_invite(org_invite_token)?;
+
+                if claims.email != data.email {
+                    err!("Claim email does not match email")
+                }
+
+                if &claims.member_id != organization_user_id {
+                    err!("Claim org_user_id does not match organization_user_id")
+                }
+
+                email_verified = true;
+            }
+
+            _ => {
+                err!("Registration is missing required parameters")
+            }
+        }
+    }
+
    // Check if the length of the username exceeds 50 characters (Same is Upstream Bitwarden)
    // This also prevents issues with very long usernames causing to large JWT's. See #2419
    if let Some(ref name) = data.name {
@@ -144,20 +222,17 @@ pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult
    let password_hint = clean_password_hint(&data.master_password_hint);
    enforce_password_hint_setting(&password_hint)?;

-    let mut verified_by_invite = false;
-
    let mut user = match User::find_by_mail(&email, &mut conn).await {
-        Some(mut user) => {
+        Some(user) => {
            if !user.password_hash.is_empty() {
                err!("Registration not allowed or user already exists")
            }

-            if let Some(token) = data.token {
+            if let Some(token) = data.org_invite_token {
                let claims = decode_invite(&token)?;
                if claims.email == email {
                    // Verify the email address when signing up via a valid invite token
-                    verified_by_invite = true;
-                    user.verified_at = Some(Utc::now().naive_utc());
+                    email_verified = true;
                    user
                } else {
                    err!("Registration email does not match invite email")
@@ -181,7 +256,10 @@ pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult
            // Order is important here; the invitation check must come first
            // because the vaultwarden admin can invite anyone, regardless
            // of other signup restrictions.
-            if Invitation::take(&email, &mut conn).await || CONFIG.is_signup_allowed(&email) {
+            if Invitation::take(&email, &mut conn).await
+                || CONFIG.is_signup_allowed(&email)
+                || pending_emergency_access.is_some()
+            {
                User::new(email.clone())
            } else {
                err!("Registration not allowed or user already exists")
@@ -216,8 +294,12 @@ pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult
        user.public_key = Some(keys.public_key);
    }

+    if email_verified {
+        user.verified_at = Some(Utc::now().naive_utc());
+    }
+
    if CONFIG.mail_enabled() {
-        if CONFIG.signups_verify() && !verified_by_invite {
+        if CONFIG.signups_verify() && !email_verified {
            if let Err(e) = mail::send_welcome_must_verify(&user.email, &user.uuid).await {
                error!("Error sending welcome email: {:#?}", e);
            }
@@ -226,7 +308,7 @@ pub async fn _register(data: Json<RegisterData>, mut conn: DbConn) -> JsonResult
            error!("Error sending welcome email: {:#?}", e);
        }

-        if verified_by_invite && is_email_2fa_required(data.organization_user_id, &mut conn).await {
+        if email_verified && is_email_2fa_required(data.organization_user_id, &mut conn).await {
            email::activate_email_2fa(&user, &mut conn).await.ok();
        }
    }
@@ -925,9 +1007,9 @@ async fn password_hint(data: Json<PasswordHintData>, mut conn: DbConn) -> EmptyR
                // paths that send mail take noticeably longer than ones that
                // don't. Add a randomized sleep to mitigate this somewhat.
                use rand::{rngs::SmallRng, Rng, SeedableRng};
-                let mut rng = SmallRng::from_entropy();
+                let mut rng = SmallRng::from_os_rng();
                let delta: i32 = 100;
-                let sleep_ms = (1_000 + rng.gen_range(-delta..=delta)) as u64;
+                let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
                tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
                Ok(())
            } else {
@@ -1206,6 +1288,15 @@ async fn post_auth_request(

    nt.send_auth_request(&user.uuid, &auth_request.uuid, &data.device_identifier, &mut conn).await;

+    log_user_event(
+        EventType::UserRequestedDeviceApproval as i32,
+        &user.uuid,
+        client_headers.device_type,
+        &client_headers.ip.ip,
+        &mut conn,
+    )
+    .await;
+
    Ok(Json(json!({
        "id": auth_request.uuid,
        "publicKey": auth_request.public_key,
@@ -1287,9 +1378,26 @@ async fn put_auth_request(

        ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
        nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, &data.device_identifier, &mut conn).await;
+
+        log_user_event(
+            EventType::OrganizationUserApprovedAuthRequest as i32,
+            &headers.user.uuid,
+            headers.device.atype,
+            &headers.ip.ip,
+            &mut conn,
+        )
+        .await;
    } else {
        // If denied, there's no reason to keep the request
        auth_request.delete(&mut conn).await?;
+        log_user_event(
+            EventType::OrganizationUserRejectedAuthRequest as i32,
+            &headers.user.uuid,
+            headers.device.atype,
+            &headers.ip.ip,
+            &mut conn,
+        )
+        .await;
    }

    Ok(Json(json!({
@@ -1376,7 +1376,7 @@ async fn delete_attachment_post_admin(
    headers: Headers,
    conn: DbConn,
    nt: Notify<'_>,
-) -> EmptyResult {
+) -> JsonResult {
    delete_attachment(cipher_id, attachment_id, headers, conn, nt).await
 }

@@ -1387,7 +1387,7 @@ async fn delete_attachment_post(
    headers: Headers,
    conn: DbConn,
    nt: Notify<'_>,
-) -> EmptyResult {
+) -> JsonResult {
    delete_attachment(cipher_id, attachment_id, headers, conn, nt).await
 }

@@ -1398,7 +1398,7 @@ async fn delete_attachment(
    headers: Headers,
    mut conn: DbConn,
    nt: Notify<'_>,
-) -> EmptyResult {
+) -> JsonResult {
    _delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &mut conn, &nt).await
 }

@@ -1409,7 +1409,7 @@ async fn delete_attachment_admin(
    headers: Headers,
    mut conn: DbConn,
    nt: Notify<'_>,
-) -> EmptyResult {
+) -> JsonResult {
    _delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &mut conn, &nt).await
 }

@@ -1818,7 +1818,7 @@ async fn _delete_cipher_attachment_by_id(
    headers: &Headers,
    conn: &mut DbConn,
    nt: &Notify<'_>,
-) -> EmptyResult {
+) -> JsonResult {
    let Some(attachment) = Attachment::find_by_id(attachment_id, conn).await else {
        err!("Attachment doesn't exist")
    };
@@ -1847,11 +1847,11 @@ async fn _delete_cipher_attachment_by_id(
    )
    .await;

-    if let Some(org_id) = cipher.organization_uuid {
+    if let Some(ref org_id) = cipher.organization_uuid {
        log_event(
            EventType::CipherAttachmentDeleted as i32,
            &cipher.uuid,
-            &org_id,
+            org_id,
            &headers.user.uuid,
            headers.device.atype,
            &headers.ip.ip,
@@ -1859,7 +1859,8 @@ async fn _delete_cipher_attachment_by_id(
        )
        .await;
    }
-    Ok(())
+    let cipher_json = cipher.to_json(&headers.host, &headers.user.uuid, None, CipherSyncType::User, conn).await;
+    Ok(Json(json!({"cipher":cipher_json})))
 }

 /// This will hold all the necessary data to improve a full sync of all the ciphers
@@ -34,9 +34,13 @@ struct EventRange {
 async fn get_org_events(
    org_id: OrganizationId,
    data: EventRange,
-    _headers: AdminHeaders,
+    headers: AdminHeaders,
    mut conn: DbConn,
 ) -> JsonResult {
+    if org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
+
    // Return an empty vec when we org events are disabled.
    // This prevents client errors
    let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
@@ -100,9 +104,12 @@ async fn get_user_events(
    org_id: OrganizationId,
    member_id: MembershipId,
    data: EventRange,
-    _headers: AdminHeaders,
+    headers: AdminHeaders,
    mut conn: DbConn,
 ) -> JsonResult {
+    if org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
    // Return an empty vec when we org events are disabled.
    // This prevents client errors
    let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
@@ -238,8 +245,8 @@ async fn _log_user_event(
    ip: &IpAddr,
    conn: &mut DbConn,
 ) {
-    let orgs = Membership::get_orgs_by_user(user_id, conn).await;
-    let mut events: Vec<Event> = Vec::with_capacity(orgs.len() + 1); // We need an event per org and one without an org
+    let memberships = Membership::find_by_user(user_id, conn).await;
+    let mut events: Vec<Event> = Vec::with_capacity(memberships.len() + 1); // We need an event per org and one without an org

    // Upstream saves the event also without any org_id.
    let mut event = Event::new(event_type, event_date);
@@ -250,10 +257,11 @@ async fn _log_user_event(
    events.push(event);

    // For each org a user is a member of store these events per org
-    for org_id in orgs {
+    for membership in memberships {
        let mut event = Event::new(event_type, event_date);
        event.user_uuid = Some(user_id.clone());
-        event.org_uuid = Some(org_id);
+        event.org_uuid = Some(membership.org_uuid);
+        event.org_user_uuid = Some(membership.uuid);
        event.act_user_uuid = Some(user_id.clone());
        event.device_type = Some(device_type);
        event.ip_address = Some(ip.to_string());
@@ -205,13 +205,16 @@ fn config() -> Json<Value> {
    feature_states.insert("key-rotation-improvements".to_string(), true);
    feature_states.insert("flexible-collections-v-1".to_string(), false);

+    feature_states.insert("email-verification".to_string(), true);
+    feature_states.insert("unauth-ui-refresh".to_string(), true);
+
    Json(json!({
        // Note: The clients use this version to handle backwards compatibility concerns
        // This means they expect a version that closely matches the Bitwarden server version
        // We should make sure that we keep this updated when we support the new server features
        // Version history:
-        // - Individual cipher key encryption: 2023.9.1
-        "version": "2024.2.0",
+        // - Individual cipher key encryption: 2024.2.0
+        "version": "2025.1.0",
        "gitHash": option_env!("GIT_REV"),
        "server": {
          "name": "Vaultwarden",
@@ -378,7 +378,11 @@ async fn post_send_file_v2_data(
    };

    match data.data.raw_name() {
-        Some(raw_file_name) if raw_file_name.dangerous_unsafe_unsanitized_raw() == send_data.fileName => (),
+        Some(raw_file_name)
+            if raw_file_name.dangerous_unsafe_unsanitized_raw() == send_data.fileName
+            // be less strict only if using CLI, cf. https://github.com/dani-garcia/vaultwarden/issues/5614
+            || (headers.device.is_cli() && send_data.fileName.ends_with(raw_file_name.dangerous_unsafe_unsanitized_raw().as_str())
+            ) => {}
        Some(raw_file_name) => err!(
            "Send file name does not match.",
            format!(
@@ -26,8 +26,8 @@ pub fn routes() -> Vec<Route> {
 #[derive(Serialize, Deserialize)]
 struct DuoData {
    host: String, // Duo API hostname
-    ik: String,   // integration key
-    sk: String,   // secret key
+    ik: String,   // client id
+    sk: String,   // client secret
 }

 impl DuoData {
@@ -111,8 +111,8 @@ async fn get_duo(data: Json<PasswordOrOtpData>, headers: Headers, mut conn: DbCo
        json!({
            "enabled": enabled,
            "host": data.host,
-            "secretKey": data.sk,
-            "integrationKey": data.ik,
+            "clientSecret": data.sk,
+            "clientId": data.ik,
            "object": "twoFactorDuo"
        })
    } else {
@@ -129,8 +129,8 @@ async fn get_duo(data: Json<PasswordOrOtpData>, headers: Headers, mut conn: DbCo
 #[serde(rename_all = "camelCase")]
 struct EnableDuoData {
    host: String,
-    secret_key: String,
-    integration_key: String,
+    client_secret: String,
+    client_id: String,
    master_password_hash: Option<String>,
    otp: Option<String>,
 }
@@ -139,8 +139,8 @@ impl From<EnableDuoData> for DuoData {
    fn from(d: EnableDuoData) -> Self {
        Self {
            host: d.host,
-            ik: d.integration_key,
-            sk: d.secret_key,
+            ik: d.client_id,
+            sk: d.client_secret,
        }
    }
 }
@@ -151,7 +151,7 @@ fn check_duo_fields_custom(data: &EnableDuoData) -> bool {
        st.is_empty() || s == DISABLED_MESSAGE_DEFAULT
    }

-    !empty_or_default(&data.host) && !empty_or_default(&data.secret_key) && !empty_or_default(&data.integration_key)
+    !empty_or_default(&data.host) && !empty_or_default(&data.client_secret) && !empty_or_default(&data.client_id)
 }

 #[post("/two-factor/duo", data = "<data>")]
@@ -186,8 +186,8 @@ async fn activate_duo(data: Json<EnableDuoData>, headers: Headers, mut conn: DbC
    Ok(Json(json!({
        "enabled": true,
        "host": data.host,
-        "secretKey": data.sk,
-        "integrationKey": data.ik,
+        "clientSecret": data.sk,
+        "clientId": data.ik,
        "object": "twoFactorDuo"
    })))
 }
@@ -63,6 +63,9 @@ static CLIENT: Lazy<Client> = Lazy::new(|| {
 // Build Regex only once since this takes a lot of time.
 static ICON_SIZE_REGEX: Lazy<Regex> = Lazy::new(|| Regex::new(r"(?x)(\d+)\D*(\d+)").unwrap());

+// The function name `icon_external` is checked in the `on_response` function in `AppHeaders`
+// It is used to prevent sending a specific header which breaks icon downloads.
+// If this function needs to be renamed, also adjust the code in `util.rs`
 #[get("/<domain>/icon.png")]
 fn icon_external(domain: &str) -> Option<Redirect> {
    if !is_valid_domain(domain) {
@@ -24,7 +24,7 @@ use crate::{
 };

 pub fn routes() -> Vec<Route> {
-    routes![login, prelogin, identity_register]
+    routes![login, prelogin, identity_register, register_verification_email, register_finish]
 }

 #[post("/connect/token", data = "<data>")]
@@ -714,7 +714,66 @@ async fn prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {

 #[post("/accounts/register", data = "<data>")]
 async fn identity_register(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
-    _register(data, conn).await
+    _register(data, false, conn).await
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct RegisterVerificationData {
+    email: String,
+    name: Option<String>,
+    // receiveMarketingEmails: bool,
+}
+
+#[derive(rocket::Responder)]
+enum RegisterVerificationResponse {
+    NoContent(()),
+    Token(Json<String>),
+}
+
+#[post("/accounts/register/send-verification-email", data = "<data>")]
+async fn register_verification_email(
+    data: Json<RegisterVerificationData>,
+    mut conn: DbConn,
+) -> ApiResult<RegisterVerificationResponse> {
+    let data = data.into_inner();
+
+    if !CONFIG.is_signup_allowed(&data.email) {
+        err!("Registration not allowed or user already exists")
+    }
+
+    let should_send_mail = CONFIG.mail_enabled() && CONFIG.signups_verify();
+
+    let token_claims =
+        crate::auth::generate_register_verify_claims(data.email.clone(), data.name.clone(), should_send_mail);
+    let token = crate::auth::encode_jwt(&token_claims);
+
+    if should_send_mail {
+        let user = User::find_by_mail(&data.email, &mut conn).await;
+        if user.filter(|u| u.private_key.is_some()).is_some() {
+            // There is still a timing side channel here in that the code
+            // paths that send mail take noticeably longer than ones that
+            // don't. Add a randomized sleep to mitigate this somewhat.
+            use rand::{rngs::SmallRng, Rng, SeedableRng};
+            let mut rng = SmallRng::from_os_rng();
+            let delta: i32 = 100;
+            let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
+            tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
+        } else {
+            mail::send_register_verify_email(&data.email, &token).await?;
+        }
+
+        Ok(RegisterVerificationResponse::NoContent(()))
+    } else {
+        // If email verification is not required, return the token directly
+        // the clients will use this token to finish the registration
+        Ok(RegisterVerificationResponse::Token(Json(token)))
+    }
+}
+
+#[post("/accounts/register/finish", data = "<data>")]
+async fn register_finish(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
+    _register(data, true, conn).await
 }

 // https://github.com/bitwarden/jslib/blob/master/common/src/models/request/tokenRequest.ts
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Helmut K. C. Tessarek	2697fe8aba	feat: add feature flag export-attachments (#5784 )	2025-05-01 17:40:26 +02:00
Stefan Melmuk	674e444d67	respond with cipher json when deleting attachments (#5823 )	2025-05-01 17:28:23 +02:00
Timshel	0d16da440d	On member invite and edit access_all is not sent anymore (#5673 ) * On member invite and edit access_all is not sent anymore * Use MembershipType ordering for access_all check Fixes #5711	2025-04-16 17:52:26 +02:00
Mathijs van Veluw	66cf179bca	Updates and general fixes (#5762 ) Updated all the crates to the latest version. We can unpin mimalloc, since the musl issues have been fixed Also fix a RUSTSEC https://osv.dev/vulnerability/RUSTSEC-2025-0023 for tokio Fixed some clippy lints reported by nightly. Ensure lints and are also run on the macro crate. This resulted in some lints being triggered, which I fixed. Updated some GHA uses. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-04-09 21:21:10 +02:00
Mathijs van Veluw	025bb90f8f	Fix debian docker building (#5752 ) In previous attempts to get mysqlclient-sys to build and work I added some extra build variables. These are not needed if you configure pkg-config correctly. The same goes for OpenSSL btw. This PR configures the pkg-config in the right way and allows the crates to build using the right lib paths automatically. Because of this change also the lib/include paths were not needed anymore for some architectures, except for i386. Also updated crates again. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-04-05 17:58:32 +02:00
Mathijs van Veluw	d5039d9c17	Add Docker Templates pre-commit check (#5749 ) Added the same check as done via GitHub Actions to check template changes to the pre-commit checks. This should catch these mistakes before they are commited and pushed. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-04-04 19:02:19 +02:00
Daniel García	e7c796a660	Verify templates in CI (#5748 ) * Verify templates in CI * No need to install packages * Remove unnecessary fetch depth	2025-04-04 18:14:19 +02:00
Daniel	bbbd2f6d15	Update Rust to 1.86.0 (#5744 ) - also raise MSRV to 1.84.0 - fix `Dockerfile` template - remove no longed needed `-vvv` argument for `cargo build`	2025-04-04 18:04:36 +02:00
Mathijs van Veluw	a2d7895586	Really fix building (#5745 ) Signed-off-by: BlackDex <black.dex@gmail.com>	2025-04-04 16:53:09 +02:00
Mathijs van Veluw	8a0cb1137e	Fix mysqlclient-sys building (#5743 ) Because of some issues with mysqlclient we need to use buildtime bindgen. This also needed some extra environment variables to point the bindgen to the correct files and correct version. Also update some other crates. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-04-04 16:37:57 +02:00
Timshel	f960bf59bb	Fix invited user registration without SMTP (#5712 )	2025-04-04 13:54:28 +02:00
Mathijs van Veluw	3a1f1bae00	Update deps and web-vault (#5742 ) - Updated crates Pinned mimalloc, since it has issues with musl - Updated web-vault to v2025.3.1 - Updated bootstrap Signed-off-by: BlackDex <black.dex@gmail.com>	2025-04-04 12:18:09 +02:00
Mathijs van Veluw	8dfe805954	Update Rust, Crates and other deps (#5709 ) - Updated Rust to v1.85.1 - Updated crates and fixed breaking changes - Updated datatables js - Updated GitHub Actions Signed-off-by: BlackDex <black.dex@gmail.com>	2025-03-19 17:39:53 +01:00
Mathijs van Veluw	07b869b3ef	Some fixes for the new web-vault and updates (#5703 ) - Added a new org policy - Some new lint fixes - Crate updates Switched to `pastey`, since `paste` is unmaintained. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-03-17 23:02:02 +01:00
Daniel García	2a18665288	Implement new registration flow with email verification (#5215 ) * Implement registration with required verified email * Optional name, emergency access, and signups_allowed * Implement org invite, remove unneeded invite accept * fix invitation logic for new registration flow (#5691) * fix invitation logic for new registration flow * clarify email_2fa_enforce_on_verified_invite --------- Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>	2025-03-17 16:28:01 +01:00
Josh	71952a4ab5	Add AnonAddy/SimpleLogin self host feature flag (#5694 ) Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>	2025-03-15 19:57:04 +01:00
Ben Sherman	994d157064	Add support for mutual-tls feature flag (#5698 ) * Add support for mutual-tls feature flag * Fix formatting --------- Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>	2025-03-15 19:46:42 +01:00
Timshel	1dae6093c9	Use subtle to replace deprecated ring::constant_time::verify_slices_are_equal (#5680 )	2025-03-15 19:33:17 +01:00
Daniel	6edceb5f7a	Update Rust to 1.85.0 (#5634 ) - also update the crates	2025-02-24 12:12:34 +01:00
Stefan Melmuk	359a4a088a	allow CLI to upload files with truncated filenames (#5618 ) due to a bug in the CLI the filename in the form-data is not complete if the encrypted filename happens to contain a /	2025-02-19 10:40:59 +01:00
Mathijs van Veluw	3baffeee9a	Fix db issues with Option<> values and upd crates (#5594 ) Some tables were lacking an option to convert Option<> to NULL. This commit will fix that. Also updated the crates to the latest version available.	2025-02-14 17:58:57 +01:00
Daniel	d5c353427d	Update crates & fix CVE-2025-25188 (#5576 )	2025-02-12 10:21:12 +01:00
Mathijs van Veluw	1f868b8d22	Show assigned collections on member edit (#5556 ) Because we were using the `has_full_access()` function we did not returned assigned collections for an owner/admin even if the did not have the `access_all` flag set. This commit will change that to use the `access_all` flag instead, and return assigned collections too. While saving a member and having it assigned collections would still save those rights, and it was also visible in the collection management, it wasn't at the member it self. So, it did work, but was not visible. Fixes #5554 Fixes #5555 Signed-off-by: BlackDex <black.dex@gmail.com>	2025-02-07 22:33:11 +01:00
Mathijs van Veluw	8d1df08b81	Fix icon redirect not working on desktop (#5536 ) * Fix icon redirect not working on desktop We also need to exclude the header in case we do an external_icon call. Fixes #5535 Signed-off-by: BlackDex <black.dex@gmail.com> * Add informational comments to the icon_external function Signed-off-by: BlackDex <black.dex@gmail.com> * Fix spelling/grammar Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-02-04 13:20:32 +01:00
Stefan Melmuk	3b6bccde97	add bulk-access endpoint for collections (#5542 )	2025-02-04 09:42:02 +01:00
Daniel	d2b36642a6	Update crates & fix CVE-2025-24898 (#5538 )	2025-02-04 01:01:06 +01:00
Mathijs van Veluw	a02fb0fd24	Update workflows and enhance security (#5537 ) This commit updates the workflow files and also fixes some security issues which were reported by using zizmor https://github.com/woodruffw/zizmor Signed-off-by: BlackDex <black.dex@gmail.com>	2025-02-04 00:33:43 +01:00
Daniel	1109293992	Update Rust to 1.84.1 (#5508 ) - also update the crates - add necessary modifications for `rand` upgrade - `small_rng` is enabled by default now	2025-02-01 13:16:32 +01:00
Mathijs van Veluw	3c29f82974	Allow all manager to create collections again (#5488 ) * Allow all manager to create collections again This commit checks if the member is a manager or better, and if so allows it to createCollections. We actually check if it is less then a Manager, since the `limitCollectionCreation` should be set to false to allow it and true to prevent. This should fix an issue discussed in #5484 Signed-off-by: BlackDex <black.dex@gmail.com> * Fix some small issues Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-29 20:41:31 +01:00
Roman Ratiner	663f88e717	Fix Duo Field Names for Web Client (#5491 ) * Fix Duo Field Names for Web Client * Fix Api Validation * Rename Duo Labels In Admin	2025-01-29 12:00:14 +01:00
Stefan Melmuk	a3dccee243	add and use new event types (#5482 ) * add additional event_types * use correct event_type when leaving an org * use correct event type when deleting a user * also correctly log auth requests * add correct membership info to event log	2025-01-28 11:25:53 +01:00
Mathijs van Veluw	c0ebe0d982	Fix passwordRevisionDate format (#5477 )	2025-01-27 20:16:59 +01:00
Win‮8201‭Linux‬	1b46c80389	Make sure the icons are displayed correctly in desktop clients (#5469 )	2025-01-27 18:29:24 +01:00
Stefan Melmuk	2c549984c0	let invited members access OrgMemberHeaders (#5461 )	2025-01-27 18:27:11 +01:00
Stefan Melmuk	ecab7a50ea	hide already approved (or declined) devices (#5467 )	2025-01-27 18:21:22 +01:00
Stefan Melmuk	2903a3a13a	only validate SMTP_FROM if necessary (#5442 )	2025-01-25 05:46:43 +01:00
Mathijs van Veluw	952992c85b	Org fixes (#5438 ) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-25 01:32:09 +01:00