Don't update non editable fields from the API

update web-vault to v2025.1.1 and add /api/devices (#5422 )
* add /api/devices endpoints * load pending device requests * order pending authrequests by creation date * update web-vault to v2025.1.1
2025-01-24 16:49:16 +01:00 · 2025-01-23 12:30:55 +01:00 · 2025-01-21 23:33:41 +01:00 · 2025-01-20 20:21:44 +01:00 · 2025-01-13 19:16:10 +01:00 · 2025-01-11 11:54:38 +01:00
85 changed files with 6230 additions and 4039 deletions
@@ -5,6 +5,7 @@
 !.git
 !docker/healthcheck.sh
 !docker/start.sh
+!macros
 !migrations
 !src

@@ -280,12 +280,13 @@
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000

-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true

 ## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
-## as this provides unauthenticated access to potentially sensitive data.
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false

 #########################
@@ -349,6 +350,9 @@
 ## - "browser-fileless-import": Directly import credentials from other providers without a file.
 ## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
 ## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials

 ## Require new device emails. When a user logs in an email is required to be sent.
@@ -407,6 +411,14 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=

+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+# ALLOWED_CONNECT_SRC=""
+
 ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
 # LOGIN_RATELIMIT_SECONDS=60
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
@@ -47,7 +47,7 @@ jobs:
    steps:
      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
      # End Checkout the repo


@@ -75,7 +75,7 @@ jobs:

      # Only install the clippy and rustfmt components on the default rust-toolchain
      - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -85,7 +85,7 @@ jobs:

      # Install the any other channel to be used for which we do not execute clippy and rustfmt
      - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
        if: ${{ matrix.channel != 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -107,7 +107,8 @@ jobs:
      # End Show environment

      # Enable Rust Caching
-      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
+      - name: Rust Caching
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
        with:
          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -117,6 +118,12 @@ jobs:

      # Run cargo tests
      # First test all features together, afterwards test them separately.
+      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc,query_logger"
+        id: test_sqlite_mysql_postgresql_mimalloc_logger
+        if: $${{ always() }}
+        run: |
+          cargo test --features sqlite,mysql,postgresql,enable_mimalloc,query_logger
+
      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
        id: test_sqlite_mysql_postgresql_mimalloc
        if: $${{ always() }}
@@ -176,6 +183,7 @@ jobs:
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
          echo "|---|------|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }}|" >> $GITHUB_STEP_SUMMARY
          echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
          echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
          echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY
@@ -13,12 +13,12 @@ jobs:
    steps:
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
      # End Checkout the repo

      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -27,11 +27,16 @@ jobs:
        if: ${{ github.ref_type == 'branch' }}

  docker-build:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-24.04
    timeout-minutes: 120
    needs: skip_check
    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
-    # Start a local docker registry to extract the final Alpine static build binaries
+    # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them
    services:
      registry:
        image: registry:2
@@ -58,18 +63,18 @@ jobs:
    steps:
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
        with:
          fetch-depth: 0

      - name: Initialize QEMU binfmt support
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
        with:
          platforms: "arm64,arm"

      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -159,13 +164,13 @@ jobs:
          #

      - name: Add localhost registry
-        if: ${{ matrix.base_image == 'alpine' }}
        shell: bash
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"

      - name: Bake ${{ matrix.base_image }} containers
-        uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0
+        id: bake_vw
+        uses: docker/bake-action@5ca506d06f70338a4968df87fd8bfee5cbfb84c7 # v6.0.0
        env:
          BASE_TAGS: "${{ env.BASE_TAGS }}"
          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
@@ -175,16 +180,47 @@ jobs:
        with:
          pull: true
          push: true
+          source: .
          files: docker/docker-bake.hcl
          targets: "${{ matrix.base_image }}-multi"
          set: |
            *.cache-from=${{ env.BAKE_CACHE_FROM }}
            *.cache-to=${{ env.BAKE_CACHE_TO }}

+      - name: Extract digest SHA
+        shell: bash
+        run: |
+          GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< '${{ steps.bake_vw.outputs.metadata }}')"
+          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
+
+      # Attest container images
+      - name: Attest - docker.io - ${{ matrix.base_image }}
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-name: ${{ vars.DOCKERHUB_REPO }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
+      - name: Attest - ghcr.io - ${{ matrix.base_image }}
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-name: ${{ vars.GHCR_REPO }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
+      - name: Attest - quay.io - ${{ matrix.base_image }}
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-name: ${{ vars.QUAY_REPO }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+

      # Extract the Alpine binaries from the containers
      - name: Extract binaries
-        if: ${{ matrix.base_image == 'alpine' }}
        shell: bash
        run: |
          # Check which main tag we are going to build determined by github.ref_type
@@ -194,59 +230,65 @@ jobs:
            EXTRACT_TAG="testing"
          fi

+          # Check which base_image was used and append -alpine if needed
+          if [[ "${{ matrix.base_image }}" == "alpine" ]]; then
+            EXTRACT_TAG="${EXTRACT_TAG}-alpine"
+          fi
+
          # After each extraction the image is removed.
          # This is needed because using different platforms doesn't trigger a new pull/download

          # Extract amd64 binary
-          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp amd64:/vaultwarden vaultwarden-amd64
+          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp amd64:/vaultwarden vaultwarden-amd64-${{ matrix.base_image }}
          docker rm --force amd64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

          # Extract arm64 binary
-          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp arm64:/vaultwarden vaultwarden-arm64
+          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp arm64:/vaultwarden vaultwarden-arm64-${{ matrix.base_image }}
          docker rm --force arm64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

          # Extract armv7 binary
-          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp armv7:/vaultwarden vaultwarden-armv7
+          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp armv7:/vaultwarden vaultwarden-armv7-${{ matrix.base_image }}
          docker rm --force armv7
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

          # Extract armv6 binary
-          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
-          docker cp armv6:/vaultwarden vaultwarden-armv6
+          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
+          docker cp armv6:/vaultwarden vaultwarden-armv6-${{ matrix.base_image }}
          docker rm --force armv6
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"

-      # Upload artifacts to Github Actions
-      - name: "Upload amd64 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      # Upload artifacts to Github Actions and Attest the binaries
+      - name: "Upload amd64 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
-          path: vaultwarden-amd64
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64-${{ matrix.base_image }}
+          path: vaultwarden-amd64-${{ matrix.base_image }}

-      - name: "Upload arm64 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      - name: "Upload arm64 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
-          path: vaultwarden-arm64
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64-${{ matrix.base_image }}
+          path: vaultwarden-arm64-${{ matrix.base_image }}

-      - name: "Upload armv7 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      - name: "Upload armv7 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
-          path: vaultwarden-armv7
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7-${{ matrix.base_image }}
+          path: vaultwarden-armv7-${{ matrix.base_image }}

-      - name: "Upload armv6 artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: ${{ matrix.base_image == 'alpine' }}
+      - name: "Upload armv6 artifact ${{ matrix.base_image }}"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
-          path: vaultwarden-armv6
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6-${{ matrix.base_image }}
+          path: vaultwarden-armv6-${{ matrix.base_image }}
+
+      - name: "Attest artifacts ${{ matrix.base_image }}"
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-path: vaultwarden-*
      # End Upload artifacts to Github Actions
@@ -28,10 +28,13 @@ jobs:
      actions: read
    steps:
      - name: Checkout code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        env:
+          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
        with:
          scan-type: repo
          ignore-unfixed: true
@@ -40,6 +43,6 @@ jobs:
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # v3.26.6
+        uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.5
        with:
          sarif_file: 'trivy-results.sarif'
@@ -1,9 +1,11 @@
+workspace = { members = ["macros"] }
+
 [package]
 name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.80.0"
+rust-version = "1.83.0"
 resolver = "2"

 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -36,13 +38,15 @@ unstable = []

 [target."cfg(unix)".dependencies]
 # Logging
-syslog = "6.1.1"
+syslog = "7.0.0"

 [dependencies]
+macros = { path = "./macros" }
+
 # Logging
 log = "0.4.22"
-fern = { version = "0.7.0", features = ["syslog-6", "reopen-1"] }
-tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
+tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work

 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
@@ -53,7 +57,7 @@ once_cell = "1.20.2"
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.5"
+bigdecimal = "0.4.7"

 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
@@ -67,16 +71,19 @@ dashmap = "6.1.0"

 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.41.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.42.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }

 # A generic serialization/deserialization framework
-serde = { version = "1.0.213", features = ["derive"] }
-serde_json = "1.0.132"
+serde = { version = "1.0.217", features = ["derive"] }
+serde_json = "1.0.135"

 # A safe, extensible ORM and Query builder
-diesel = { version = "2.2.4", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.2.6", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.2.0"
-diesel_logger = { version = "0.3.0", optional = true }
+diesel_logger = { version = "0.4.0", optional = true }
+
+derive_more = { version = "1.0.0", features = ["from", "into", "as_ref", "deref", "display"] }
+diesel-derive-newtype = "2.1.2"

 # Bundled/Static SQLite
 libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true }
@@ -89,9 +96,9 @@ ring = "0.17.8"
 uuid = { version = "1.11.0", features = ["v4"] }

 # Date and time libraries
-chrono = { version = "0.4.38", features = ["clock", "serde"], default-features = false }
+chrono = { version = "0.4.39", features = ["clock", "serde"], default-features = false }
 chrono-tz = "0.10.0"
-time = "0.3.36"
+time = "0.3.37"

 # Job scheduler
 job_scheduler_ng = "2.0.5"
@@ -106,38 +113,38 @@ jsonwebtoken = "9.3.0"
 totp-lite = "2.0.1"

 # Yubico Library
-yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false }
+yubico = { version = "0.12.0", features = ["online-tokio"], default-features = false }

 # WebAuthn libraries
 webauthn-rs = "0.3.2"

 # Handling of URL's for WebAuthn and favicons
-url = "2.5.2"
+url = "2.5.4"

 # Email libraries
-lettre = { version = "0.11.10", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+lettre = { version = "0.11.11", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
 percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"

 # HTML Template library
-handlebars = { version = "6.1.0", features = ["dir_source"] }
+handlebars = { version = "6.3.0", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.8", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
-hickory-resolver = "0.24.1"
+reqwest = { version = "0.12.12", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
+hickory-resolver = "0.24.2"

 # Favicon extraction libraries
-html5gum = "0.5.7"
-regex = { version = "1.11.0", features = ["std", "perf", "unicode-perl"], default-features = false }
+html5gum = "0.7.0"
+regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.1"
-bytes = "1.8.0"
+bytes = "1.9.0"

 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.53.1", features = ["async"] }
+cached = { version = "0.54.0", features = ["async"] }

 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.21.0"
+cookie_store = "0.21.1"

 # Used by U2F, JWT and PostgreSQL
 openssl = "0.10.68"
@@ -147,15 +154,15 @@ pico-args = "0.5.0"

 # Macro ident concatenation
 paste = "1.0.15"
-governor = "0.7.0"
+governor = "0.8.0"

 # Check client versions for specific features.
-semver = "1.0.23"
+semver = "1.0.24"

 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
 mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true }
-which = "6.0.3"
+which = "7.0.1"

 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@@ -163,6 +170,13 @@ argon2 = "0.5.3"
 # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
 rpassword = "7.3.1"

+# Loading a dynamic CSS Stylesheet
+grass_compiler = { version = "0.13.4", default-features = false }
+
+[patch.crates-io]
+# Patch yubico to remove duplicate crates of older versions
+yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
+
 # Strip debuginfo from the release builds
 # The symbols are the provide better panic traces
 # Also enable fat LTO and use 1 codegen unit for optimizations
@@ -213,7 +227,8 @@ noop_method_call = "deny"
 refining_impl_trait = { level = "deny", priority = -1 }
 rust_2018_idioms = { level = "deny", priority = -1 }
 rust_2021_compatibility = { level = "deny", priority = -1 }
-# rust_2024_compatibility = { level = "deny", priority = -1 } # Enable once we are at MSRV 1.81.0
+rust_2024_compatibility = { level = "deny", priority = -1 }
+edition_2024_expr_fragment_specifier = "allow" # Once changed to Rust 2024 this should be removed and macro's should be validated again
 single_use_lifetimes = "deny"
 trivial_casts = "deny"
 trivial_numeric_casts = "deny"
@@ -222,9 +237,10 @@ unused_import_braces = "deny"
 unused_lifetimes = "deny"
 unused_qualifications = "deny"
 variant_size_differences = "deny"
-# The lints below are part of the rust_2024_compatibility group
-static-mut-refs = "deny"
-unsafe-op-in-unsafe-fn = "deny"
+# Allow the following lints since these cause issues with Rust v1.84.0 or newer
+# Building Vaultwarden with Rust v1.85.0 and edition 2024 also works without issues
+if_let_rescope = "allow"
+tail_expr_drop_order = "allow"

 # https://rust-lang.github.io/rust-clippy/stable/index.html
 [lints.clippy]
@@ -21,7 +21,7 @@ notify us. We welcome working with you to resolve the issue promptly. Thanks in
 The following bug classes are out-of scope:

 - Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues)
- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
+- Bugs that are not part of Vaultwarden, like on the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
 - Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer
 - Attacks requiring physical access to a user's device
 - Issues related to software or protocols not under Vaultwarden's control
@@ -1,13 +1,13 @@
 ---
-vault_version: "v2024.6.2c"
-vault_image_digest: "sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b"
-# Cross Compile Docker Helper Scripts v1.5.0
+vault_version: "v2025.1.1"
+vault_image_digest: "sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918"
+# Cross Compile Docker Helper Scripts v1.6.1
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
-xx_image_digest: "sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa"
-rust_version: 1.82.0 # Rust version to be used
+xx_image_digest: "sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894"
+rust_version: 1.84.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
-alpine_version: "3.20" # Alpine version to be used
+alpine_version: "3.21" # Alpine version to be used
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch
@@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c
-#     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.1.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.1.1
+#     [docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b
-#     [docker.io/vaultwarden/web-vault:v2024.6.2c]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918
+#     [docker.io/vaultwarden/web-vault:v2025.1.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918 AS vault

 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.82.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.82.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.82.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.82.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.84.0 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.84.0 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.84.0 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.84.0 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@@ -76,6 +76,7 @@ RUN source /env-cargo && \

 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
+COPY ./macros ./macros

 ARG CARGO_PROFILE=release

@@ -126,7 +127,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.20
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.21

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -19,24 +19,24 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c
-#     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.1.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.1.1
+#     [docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b
-#     [docker.io/vaultwarden/web-vault:v2024.6.2c]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918
+#     [docker.io/vaultwarden/web-vault:v2025.1.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025df5ff175a4918 AS vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
 ## And these bash scripts do not have any significant difference if at all
-FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa AS xx
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894 AS xx

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.82.0-slim-bookworm AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.84.0-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -116,6 +116,7 @@ RUN source /env-cargo && \

 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
+COPY ./macros ./macros

 ARG CARGO_PROFILE=release

@@ -143,6 +143,7 @@ RUN source /env-cargo && \

 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
+COPY ./macros ./macros

 ARG CARGO_PROFILE=release

@@ -46,7 +46,7 @@ There also is an option to use an other docker container to provide support for
 ```bash
 # To install and activate
 docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
-# To unistall
+# To uninstall
 docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 ```

@@ -17,7 +17,7 @@ variable "SOURCE_REPOSITORY_URL" {
  default = null
 }

-// The commit hash of of the current commit this build was triggered on
+// The commit hash of the current commit this build was triggered on
 variable "SOURCE_COMMIT" {
  default = null
 }
@@ -0,0 +1,13 @@
+[package]
+name = "macros"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+name = "macros"
+path = "src/lib.rs"
+proc-macro = true
+
+[dependencies]
+quote = "1.0.38"
+syn = "2.0.94"
@@ -0,0 +1,58 @@
+extern crate proc_macro;
+
+use proc_macro::TokenStream;
+use quote::quote;
+
+#[proc_macro_derive(UuidFromParam)]
+pub fn derive_uuid_from_param(input: TokenStream) -> TokenStream {
+    let ast = syn::parse(input).unwrap();
+
+    impl_derive_uuid_macro(&ast)
+}
+
+fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {
+    let name = &ast.ident;
+    let gen = quote! {
+        #[automatically_derived]
+        impl<'r> rocket::request::FromParam<'r> for #name {
+            type Error = ();
+
+            #[inline(always)]
+            fn from_param(param: &'r str) -> Result<Self, Self::Error> {
+                if uuid::Uuid::parse_str(param).is_ok() {
+                    Ok(Self(param.to_string()))
+                } else {
+                    Err(())
+                }
+            }
+        }
+    };
+    gen.into()
+}
+
+#[proc_macro_derive(IdFromParam)]
+pub fn derive_id_from_param(input: TokenStream) -> TokenStream {
+    let ast = syn::parse(input).unwrap();
+
+    impl_derive_safestring_macro(&ast)
+}
+
+fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream {
+    let name = &ast.ident;
+    let gen = quote! {
+        #[automatically_derived]
+        impl<'r> rocket::request::FromParam<'r> for #name {
+            type Error = ();
+
+            #[inline(always)]
+            fn from_param(param: &'r str) -> Result<Self, Self::Error> {
+                if param.chars().all(|c| matches!(c, 'a'..='z' | 'A'..='Z' |'0'..='9' | '-')) {
+                    Ok(Self(param.to_string()))
+                } else {
+                    Err(())
+                }
+            }
+        }
+    };
+    gen.into()
+}
@@ -0,0 +1,5 @@
+ALTER TABLE users_collections
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
+
+ALTER TABLE collections_groups
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
@@ -0,0 +1,5 @@
+ALTER TABLE users_collections
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
+
+ALTER TABLE collections_groups
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
@@ -0,0 +1,5 @@
+ALTER TABLE users_collections
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE
+
+ALTER TABLE collections_groups
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.82.0"
+channel = "1.84.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
@@ -50,7 +50,7 @@ pub fn routes() -> Vec<Route> {
        disable_user,
        enable_user,
        remove_2fa,
-        update_user_org_type,
+        update_membership_type,
        update_revision_users,
        post_config,
        delete_config,
@@ -62,6 +62,7 @@ pub fn routes() -> Vec<Route> {
        diagnostics,
        get_diagnostics_config,
        resend_user_invite,
+        get_diagnostics_http,
    ]
 }

@@ -98,6 +99,7 @@ const DT_FMT: &str = "%Y-%m-%d %H:%M:%S %Z";
 const BASE_TEMPLATE: &str = "admin/base";

 const ACTING_ADMIN_USER: &str = "vaultwarden-admin-00000-000000000000";
+pub const FAKE_ADMIN_UUID: &str = "00000000-0000-0000-0000-000000000000";

 fn admin_path() -> String {
    format!("{}{}", CONFIG.domain_path(), ADMIN_PATH)
@@ -279,8 +281,8 @@ struct InviteData {
    email: String,
 }

-async fn get_user_or_404(uuid: &str, conn: &mut DbConn) -> ApiResult<User> {
-    if let Some(user) = User::find_by_uuid(uuid, conn).await {
+async fn get_user_or_404(user_id: &UserId, conn: &mut DbConn) -> ApiResult<User> {
+    if let Some(user) = User::find_by_uuid(user_id, conn).await {
        Ok(user)
    } else {
        err_code!("User doesn't exist", Status::NotFound.code);
@@ -298,7 +300,9 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, mut conn: DbCon

    async fn _generate_invite(user: &User, conn: &mut DbConn) -> EmptyResult {
        if CONFIG.mail_enabled() {
-            mail::send_invite(user, None, None, &CONFIG.invitation_org_name(), None).await
+            let org_id: OrganizationId = FAKE_ADMIN_UUID.to_string().into();
+            let member_id: MembershipId = FAKE_ADMIN_UUID.to_string().into();
+            mail::send_invite(user, org_id, member_id, &CONFIG.invitation_org_name(), None).await
        } else {
            let invitation = Invitation::new(&user.email);
            invitation.save(conn).await
@@ -380,29 +384,29 @@ async fn get_user_by_mail_json(mail: &str, _token: AdminToken, mut conn: DbConn)
    }
 }

-#[get("/users/<uuid>")]
-async fn get_user_json(uuid: &str, _token: AdminToken, mut conn: DbConn) -> JsonResult {
-    let u = get_user_or_404(uuid, &mut conn).await?;
+#[get("/users/<user_id>")]
+async fn get_user_json(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> JsonResult {
+    let u = get_user_or_404(&user_id, &mut conn).await?;
    let mut usr = u.to_json(&mut conn).await;
    usr["userEnabled"] = json!(u.enabled);
    usr["createdAt"] = json!(format_naive_datetime_local(&u.created_at, DT_FMT));
    Ok(Json(usr))
 }

-#[post("/users/<uuid>/delete")]
-async fn delete_user(uuid: &str, token: AdminToken, mut conn: DbConn) -> EmptyResult {
-    let user = get_user_or_404(uuid, &mut conn).await?;
+#[post("/users/<user_id>/delete")]
+async fn delete_user(user_id: UserId, token: AdminToken, mut conn: DbConn) -> EmptyResult {
+    let user = get_user_or_404(&user_id, &mut conn).await?;

-    // Get the user_org records before deleting the actual user
-    let user_orgs = UserOrganization::find_any_state_by_user(uuid, &mut conn).await;
+    // Get the membership records before deleting the actual user
+    let memberships = Membership::find_any_state_by_user(&user_id, &mut conn).await;
    let res = user.delete(&mut conn).await;

-    for user_org in user_orgs {
+    for membership in memberships {
        log_event(
            EventType::OrganizationUserRemoved as i32,
-            &user_org.uuid,
-            &user_org.org_uuid,
-            ACTING_ADMIN_USER,
+            &membership.uuid,
+            &membership.org_uuid,
+            &ACTING_ADMIN_USER.into(),
            14, // Use UnknownBrowser type
            &token.ip.ip,
            &mut conn,
@@ -413,9 +417,9 @@ async fn delete_user(uuid: &str, token: AdminToken, mut conn: DbConn) -> EmptyRe
    res
 }

-#[post("/users/<uuid>/deauth")]
-async fn deauth_user(uuid: &str, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    let mut user = get_user_or_404(uuid, &mut conn).await?;
+#[post("/users/<user_id>/deauth")]
+async fn deauth_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    let mut user = get_user_or_404(&user_id, &mut conn).await?;

    nt.send_logout(&user, None).await;

@@ -434,9 +438,9 @@ async fn deauth_user(uuid: &str, _token: AdminToken, mut conn: DbConn, nt: Notif
    user.save(&mut conn).await
 }

-#[post("/users/<uuid>/disable")]
-async fn disable_user(uuid: &str, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    let mut user = get_user_or_404(uuid, &mut conn).await?;
+#[post("/users/<user_id>/disable")]
+async fn disable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    Device::delete_all_by_user(&user.uuid, &mut conn).await?;
    user.reset_security_stamp();
    user.enabled = false;
@@ -448,33 +452,35 @@ async fn disable_user(uuid: &str, _token: AdminToken, mut conn: DbConn, nt: Noti
    save_result
 }

-#[post("/users/<uuid>/enable")]
-async fn enable_user(uuid: &str, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
-    let mut user = get_user_or_404(uuid, &mut conn).await?;
+#[post("/users/<user_id>/enable")]
+async fn enable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
+    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    user.enabled = true;

    user.save(&mut conn).await
 }

-#[post("/users/<uuid>/remove-2fa")]
-async fn remove_2fa(uuid: &str, token: AdminToken, mut conn: DbConn) -> EmptyResult {
-    let mut user = get_user_or_404(uuid, &mut conn).await?;
+#[post("/users/<user_id>/remove-2fa")]
+async fn remove_2fa(user_id: UserId, token: AdminToken, mut conn: DbConn) -> EmptyResult {
+    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    TwoFactor::delete_all_by_user(&user.uuid, &mut conn).await?;
-    two_factor::enforce_2fa_policy(&user, ACTING_ADMIN_USER, 14, &token.ip.ip, &mut conn).await?;
+    two_factor::enforce_2fa_policy(&user, &ACTING_ADMIN_USER.into(), 14, &token.ip.ip, &mut conn).await?;
    user.totp_recover = None;
    user.save(&mut conn).await
 }

-#[post("/users/<uuid>/invite/resend")]
-async fn resend_user_invite(uuid: &str, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
-    if let Some(user) = User::find_by_uuid(uuid, &mut conn).await {
+#[post("/users/<user_id>/invite/resend")]
+async fn resend_user_invite(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
+    if let Some(user) = User::find_by_uuid(&user_id, &mut conn).await {
        //TODO: replace this with user.status check when it will be available (PR#3397)
        if !user.password_hash.is_empty() {
            err_code!("User already accepted invitation", Status::BadRequest.code);
        }

        if CONFIG.mail_enabled() {
-            mail::send_invite(&user, None, None, &CONFIG.invitation_org_name(), None).await
+            let org_id: OrganizationId = FAKE_ADMIN_UUID.to_string().into();
+            let member_id: MembershipId = FAKE_ADMIN_UUID.to_string().into();
+            mail::send_invite(&user, org_id, member_id, &CONFIG.invitation_org_name(), None).await
        } else {
            Ok(())
        }
@@ -484,42 +490,41 @@ async fn resend_user_invite(uuid: &str, _token: AdminToken, mut conn: DbConn) ->
 }

 #[derive(Debug, Deserialize)]
-struct UserOrgTypeData {
+struct MembershipTypeData {
    user_type: NumberOrString,
-    user_uuid: String,
-    org_uuid: String,
+    user_uuid: UserId,
+    org_uuid: OrganizationId,
 }

 #[post("/users/org_type", data = "<data>")]
-async fn update_user_org_type(data: Json<UserOrgTypeData>, token: AdminToken, mut conn: DbConn) -> EmptyResult {
-    let data: UserOrgTypeData = data.into_inner();
+async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToken, mut conn: DbConn) -> EmptyResult {
+    let data: MembershipTypeData = data.into_inner();

-    let mut user_to_edit =
-        match UserOrganization::find_by_user_and_org(&data.user_uuid, &data.org_uuid, &mut conn).await {
-            Some(user) => user,
-            None => err!("The specified user isn't member of the organization"),
-        };
+    let Some(mut member_to_edit) = Membership::find_by_user_and_org(&data.user_uuid, &data.org_uuid, &mut conn).await
+    else {
+        err!("The specified user isn't member of the organization")
+    };

-    let new_type = match UserOrgType::from_str(&data.user_type.into_string()) {
+    let new_type = match MembershipType::from_str(&data.user_type.into_string()) {
        Some(new_type) => new_type as i32,
        None => err!("Invalid type"),
    };

-    if user_to_edit.atype == UserOrgType::Owner && new_type != UserOrgType::Owner {
+    if member_to_edit.atype == MembershipType::Owner && new_type != MembershipType::Owner {
        // Removing owner permission, check that there is at least one other confirmed owner
-        if UserOrganization::count_confirmed_by_org_and_type(&data.org_uuid, UserOrgType::Owner, &mut conn).await <= 1 {
+        if Membership::count_confirmed_by_org_and_type(&data.org_uuid, MembershipType::Owner, &mut conn).await <= 1 {
            err!("Can't change the type of the last owner")
        }
    }

-    // This check is also done at api::organizations::{accept_invite(), _confirm_invite, _activate_user(), edit_user()}, update_user_org_type
+    // This check is also done at api::organizations::{accept_invite, _confirm_invite, _activate_member, edit_member}, update_membership_type
    // It returns different error messages per function.
-    if new_type < UserOrgType::Admin {
-        match OrgPolicy::is_user_allowed(&user_to_edit.user_uuid, &user_to_edit.org_uuid, true, &mut conn).await {
+    if new_type < MembershipType::Admin {
+        match OrgPolicy::is_user_allowed(&member_to_edit.user_uuid, &member_to_edit.org_uuid, true, &mut conn).await {
            Ok(_) => {}
            Err(OrgPolicyErr::TwoFactorMissing) => {
                if CONFIG.email_2fa_auto_fallback() {
-                    two_factor::email::find_and_activate_email_2fa(&user_to_edit.user_uuid, &mut conn).await?;
+                    two_factor::email::find_and_activate_email_2fa(&member_to_edit.user_uuid, &mut conn).await?;
                } else {
                    err!("You cannot modify this user to this type because they have not setup 2FA");
                }
@@ -532,17 +537,17 @@ async fn update_user_org_type(data: Json<UserOrgTypeData>, token: AdminToken, mu

    log_event(
        EventType::OrganizationUserUpdated as i32,
-        &user_to_edit.uuid,
+        &member_to_edit.uuid,
        &data.org_uuid,
-        ACTING_ADMIN_USER,
+        &ACTING_ADMIN_USER.into(),
        14, // Use UnknownBrowser type
        &token.ip.ip,
        &mut conn,
    )
    .await;

-    user_to_edit.atype = new_type;
-    user_to_edit.save(&mut conn).await
+    member_to_edit.atype = new_type;
+    member_to_edit.save(&mut conn).await
 }

 #[post("/users/update_revision")]
@@ -556,7 +561,7 @@ async fn organizations_overview(_token: AdminToken, mut conn: DbConn) -> ApiResu
    let mut organizations_json = Vec::with_capacity(organizations.len());
    for o in organizations {
        let mut org = o.to_json();
-        org["user_count"] = json!(UserOrganization::count_by_org(&o.uuid, &mut conn).await);
+        org["user_count"] = json!(Membership::count_by_org(&o.uuid, &mut conn).await);
        org["cipher_count"] = json!(Cipher::count_by_org(&o.uuid, &mut conn).await);
        org["collection_count"] = json!(Collection::count_by_org(&o.uuid, &mut conn).await);
        org["group_count"] = json!(Group::count_by_org(&o.uuid, &mut conn).await);
@@ -570,9 +575,9 @@ async fn organizations_overview(_token: AdminToken, mut conn: DbConn) -> ApiResu
    Ok(Html(text))
 }

-#[post("/organizations/<uuid>/delete")]
-async fn delete_organization(uuid: &str, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
-    let org = Organization::find_by_uuid(uuid, &mut conn).await.map_res("Organization doesn't exist")?;
+#[post("/organizations/<org_id>/delete")]
+async fn delete_organization(org_id: OrganizationId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
+    let org = Organization::find_by_uuid(&org_id, &mut conn).await.map_res("Organization doesn't exist")?;
    org.delete(&mut conn).await
 }

@@ -601,9 +606,8 @@ async fn get_json_api<T: DeserializeOwned>(url: &str) -> Result<T, Error> {
 }

 async fn has_http_access() -> bool {
-    let req = match make_http_request(Method::HEAD, "https://github.com/dani-garcia/vaultwarden") {
-        Ok(r) => r,
-        Err(_) => return false,
+    let Ok(req) = make_http_request(Method::HEAD, "https://github.com/dani-garcia/vaultwarden") else {
+        return false;
    };
    match req.send().await {
        Ok(r) => r.status().is_success(),
@@ -713,6 +717,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, mut conn: DbConn)
        "ip_header_name": ip_header_name,
        "ip_header_config": &CONFIG.ip_header(),
        "uses_proxy": uses_proxy,
+        "enable_websocket": &CONFIG.enable_websocket(),
        "db_type": *DB_TYPE,
        "db_version": get_sql_server_version(&mut conn).await,
        "admin_url": format!("{}/diagnostics", admin_url()),
@@ -734,10 +739,15 @@ fn get_diagnostics_config(_token: AdminToken) -> Json<Value> {
    Json(support_json)
 }

+#[get("/diagnostics/http?<code>")]
+fn get_diagnostics_http(code: u16, _token: AdminToken) -> EmptyResult {
+    err_code!(format!("Testing error {code} response"), code);
+}
+
 #[post("/config", data = "<data>")]
 fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
    let data: ConfigBuilder = data.into_inner();
-    if let Err(e) = CONFIG.update_config(data) {
+    if let Err(e) = CONFIG.update_config(data, true) {
        err!(format!("Unable to save config: {e:?}"))
    }
    Ok(())
@@ -23,25 +23,19 @@ async fn get_folders(headers: Headers, mut conn: DbConn) -> Json<Value> {
    }))
 }

-#[get("/folders/<uuid>")]
-async fn get_folder(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
-    let folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
-    };
-
-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
+#[get("/folders/<folder_id>")]
+async fn get_folder(folder_id: FolderId, headers: Headers, mut conn: DbConn) -> JsonResult {
+    match Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &mut conn).await {
+        Some(folder) => Ok(Json(folder.to_json())),
+        _ => err!("Invalid folder", "Folder does not exist or belongs to another user"),
    }
-
-    Ok(Json(folder.to_json()))
 }

 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct FolderData {
    pub name: String,
-    pub id: Option<String>,
+    pub id: Option<FolderId>,
 }

 #[post("/folders", data = "<data>")]
@@ -56,14 +50,20 @@ async fn post_folders(data: Json<FolderData>, headers: Headers, mut conn: DbConn
    Ok(Json(folder.to_json()))
 }

-#[post("/folders/<uuid>", data = "<data>")]
-async fn post_folder(uuid: &str, data: Json<FolderData>, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
-    put_folder(uuid, data, headers, conn, nt).await
+#[post("/folders/<folder_id>", data = "<data>")]
+async fn post_folder(
+    folder_id: FolderId,
+    data: Json<FolderData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> JsonResult {
+    put_folder(folder_id, data, headers, conn, nt).await
 }

-#[put("/folders/<uuid>", data = "<data>")]
+#[put("/folders/<folder_id>", data = "<data>")]
 async fn put_folder(
-    uuid: &str,
+    folder_id: FolderId,
    data: Json<FolderData>,
    headers: Headers,
    mut conn: DbConn,
@@ -71,15 +71,10 @@ async fn put_folder(
 ) -> JsonResult {
    let data: FolderData = data.into_inner();

-    let mut folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
+    let Some(mut folder) = Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &mut conn).await else {
+        err!("Invalid folder", "Folder does not exist or belongs to another user")
    };

-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
-    }
-
    folder.name = data.name;

    folder.save(&mut conn).await?;
@@ -88,22 +83,17 @@ async fn put_folder(
    Ok(Json(folder.to_json()))
 }

-#[post("/folders/<uuid>/delete")]
-async fn delete_folder_post(uuid: &str, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    delete_folder(uuid, headers, conn, nt).await
+#[post("/folders/<folder_id>/delete")]
+async fn delete_folder_post(folder_id: FolderId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    delete_folder(folder_id, headers, conn, nt).await
 }

-#[delete("/folders/<uuid>")]
-async fn delete_folder(uuid: &str, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    let folder = match Folder::find_by_uuid(uuid, &mut conn).await {
-        Some(folder) => folder,
-        _ => err!("Invalid folder"),
+#[delete("/folders/<folder_id>")]
+async fn delete_folder(folder_id: FolderId, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    let Some(folder) = Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &mut conn).await else {
+        err!("Invalid folder", "Folder does not exist or belongs to another user")
    };

-    if folder.user_uuid != headers.user.uuid {
-        err!("Folder belongs to another user")
-    }
-
    // Delete the actual folder entry
    folder.delete(&mut conn).await?;

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel García	e85a42a45f	Don't update non editable fields from the API	2025-01-24 16:49:16 +01:00
Stefan Melmuk	c0be36a17f	update web-vault to v2025.1.1 and add /api/devices (#5422 ) * add /api/devices endpoints * load pending device requests * order pending authrequests by creation date * update web-vault to v2025.1.1	2025-01-23 12:30:55 +01:00
Mathijs van Veluw	d1dee04615	Add manage role for collections and groups (#5386 ) * Add manage role for collections and groups This commit will add the manage role/column to collections and groups. We need this to allow users part of a collection either directly or via groups to be able to delete ciphers. Without this, they are only able to either edit or view them when using new clients, since these check the manage role. Still trying to keep it compatible with previous versions and able to revert to an older Vaultwarden version and the `access_all` feature of the older installations. In a future version we should really check and fix these rights and create some kind of migration step to also remove the `access_all` feature and convert that to a `manage` option. But this commit at least creates the base for this already. This should resolve #5367 Signed-off-by: BlackDex <black.dex@gmail.com> * Fix an issue with access_all If owners or admins do not have the `access_all` flag set, in case they do not want to see all collection on the password manager view, they didn't see any collections at all anymore. This should fix that they are still able to view all the collections and have access to it. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-21 23:33:41 +01:00
Stefan Melmuk	ef2695de0c	improve admin invite (#5403 ) * check for admin invite * refactor the invitation logic * cleanup check for undefined token * prevent wrong user from accepting invitation	2025-01-20 20:21:44 +01:00
Daniel	29f2b433f0	Simplify container image attestation (#5387 )	2025-01-13 19:16:10 +01:00
Mathijs van Veluw	07f80346b4	Fix version detection on bake (#5382 )	2025-01-11 11:54:38 +01:00
Mathijs van Veluw	4f68eafa3e	Add Attestations for containers and artifacts (#5378 ) * Add Attestations for containers and artifacts This commit will add attestation actions to sign the containers and binaries which can be verified via the gh cli. https://cli.github.com/manual/gh_attestation_verify The binaries from both Alpine and Debian based images are extracted and attested so that you can verify the binaries of all the containers. Signed-off-by: BlackDex <black.dex@gmail.com> * Adjust attest to use globbing Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-10 21:32:38 +01:00
Integral	327d369188	refactor: replace static with const for global constants (#5260 ) Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>	2025-01-10 21:06:38 +01:00
Mathijs van Veluw	ca7483df85	Fix an issue with login with device (#5379 ) During the refactoring done in #5320 there has a buggy slipped through which changed a uuid. This commit fixes this, and also made some vars pass by reference. Fixes #5377 Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-10 20:37:23 +01:00
Helmut K. C. Tessarek	16b6d2a71e	build: raise msrv (1.83.0) rust toolchain (1.84.0) (#5374 ) * build: raise msrv (1.83.0) rust toolchain (1.84.0) * build: also update docker images	2025-01-10 20:34:48 +01:00
Stefan Melmuk	871a3f214a	rename membership and adopt newtype pattern (#5320 ) * rename membership rename UserOrganization to Membership to clarify the relation and prevent confusion whether something refers to a member(ship) or user * use newtype pattern * implement custom derive macro IdFromParam * add UuidFromParam macro for UUIDs * add macros to Docker build Co-authored-by: dfunkt <dfunkt@users.noreply.github.com> --------- Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>	2025-01-09 18:37:23 +01:00
Mathijs van Veluw	10d12676cf	Allow building with Rust v1.84.0 or newer (#5371 )	2025-01-09 12:33:02 +01:00
Mathijs van Veluw	dec3a9603a	Update crates and web-vault to v2025.1.0 (#5368 ) - Updated the web-vault to use v2025.1.0 (pre-release) - Updated crates Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-08 18:14:08 +01:00
Mathijs van Veluw	86aaf27659	Prevent new users/members to be stored in db when invite fails (#5350 ) * Prevent new users/members when invite fails Currently when a (new) user gets invited as a member to an org, and SMTP is enabled, but sending the invite fails, the user is still created. They will only not have received a mail, and admins/owners need to re-invite the member again. Since the dialog window still keeps on-top when this fails, it kinda invites to click try again, but that will fail in mentioning the user is already a member. To prevent this weird flow, this commit will delete the user, invite and member if sending the mail failed. This allows the inviter to try again if there was a temporary hiccup for example, or contact the server admin and does not leave stray users/members around. Fixes #5349 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjust deleting records Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-08 18:13:45 +01:00
Stefan Melmuk	bc913d1156	fix manager role in admin users overview (#5359 ) due to the hack the returned type has changed	2025-01-07 12:47:37 +01:00
Mathijs van Veluw	ef4bff09eb	Fix issue with key-rotate (#5348 ) The new web-vault seems to call an extra endpoint, which looks like it is only used when passkeys can be used for login. Since we do not support this (yet), we can just return an empty data object. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-04 23:00:05 +01:00
Mathijs van Veluw	4816f77fd7	Add partial role support for manager only using web-vault v2024.12.0 (#5219 ) * Add partial role support for manager only - Add the custom role which replaces the manager role - Added mini-details endpoint used by v2024.11.1 These changes try to add the custom role in such a way that it stays compatible with the older manager role. It will convert a manager role into a custom role, and if a manager has `access-all` rights, it will enable the correct custom roles. Upon saving it will convert these back to the old format. What this does is making sure you are able to revert back to an older version of Vaultwarden without issues. This way we can support newer web-vault's and still be compatible with a previous Vaultwarden version if needed. In the future this needs to be changed to full role support though. Fixed the 2FA hide CSS since the order of options has changed Signed-off-by: BlackDex <black.dex@gmail.com> * Fix hide passkey login Signed-off-by: BlackDex <black.dex@gmail.com> * Fix hide create account Signed-off-by: BlackDex <black.dex@gmail.com> * Small changes for v2024.12.0 Signed-off-by: BlackDex <black.dex@gmail.com> * Fix hide create account link Signed-off-by: BlackDex <black.dex@gmail.com> * Add pre-release web-vault Signed-off-by: BlackDex <black.dex@gmail.com> * Rename function to mention swapping uuid's Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-04 19:31:59 +01:00
Mathijs van Veluw	dfd9e65396	Refactor the uri match fix and fix ssh-key sync (#5339 ) * Refactor the uri match change Refactored the uri match fix to also convert numbers within a string to an int. If it fails it will be null. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix ssh-key sync issues If any of the mandatory ssh-key json data values are not a string or are an empty string, this will break the mobile clients. This commit fixes this by checking if any of the values are missing or invalid and converts the json data to `null`. It will ensure the clients can sync and show the vault. Fixes #5343 Fixes #5322 Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-04 19:11:46 +01:00
Mathijs van Veluw	b1481c7c1a	Update crates and GHA (#5346 ) - Updated crates to the latest version - Updated GitHub Actions to the latest version Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-04 19:02:15 +01:00
Stefan Melmuk	d9e0d68f20	fix group issue in send_invite (#5321 )	2024-12-31 13:28:19 +01:00
Timshel	08183fc999	Add TOTP delete endpoint (#5327 )	2024-12-30 16:57:52 +01:00
Mathijs van Veluw	d9b043d32c	Fix issues when uri match is a string (#5332 )	2024-12-29 21:26:03 +01:00
Ephemera42	ed4ad67e73	Add `inline-menu-positioning-improvements` feature flag (#5313 )	2024-12-20 17:49:46 +01:00
Mathijs van Veluw	a523c82f5f	Use updated fern instead of patch (#5298 ) Signed-off-by: BlackDex <black.dex@gmail.com>	2024-12-15 23:13:29 +01:00
Mathijs van Veluw	4d6d3443ae	Allow adding connect-src entries (#5293 ) Bitwarden allows to use self-hosted forwarded email services. But for this to work you need to add custom URL's to the `connect-src` CSP entry. This commit allows setting this and checks if the URL starts with `https://` else it will abort loading. Fixes #5290 Signed-off-by: BlackDex <black.dex@gmail.com>	2024-12-15 00:27:20 +01:00
Mathijs van Veluw	9cd400db6c	Some refactoring and optimizations (#5291 ) - Refactored several code to use more modern syntax - Made some checks a bit more strict - Updated crates Signed-off-by: BlackDex <black.dex@gmail.com>	2024-12-14 00:55:34 +01:00
Helmut K. C. Tessarek	fd51230044	feat: mask _smtp_img_src in support string (#5281 )	2024-12-12 14:35:07 +01:00
Mathijs van Veluw	45e5f06b86	Some Backend Admin fixes and updates (#5272 ) * Some Backend Admin fixes and updates - Updated datatables - Added a `X-Robots-Tags` header to prevent indexing - Modified some layout settings - Added Websocket check to diagnostics - Added Security Header checks to diagnostics - Added Error page response checks to diagnostics - Modifed support string layout a bit Signed-off-by: BlackDex <black.dex@gmail.com> * Some small fixes Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2024-12-10 21:52:12 +01:00
Daniel	620ad92331	Update crates (#5268 ) - fixes CVE-2024-12224	2024-12-10 17:59:28 +01:00
Mathijs van Veluw	c9860af11c	Fix another sync issue with native clients (#5259 ) The `reprompt` value somehow sometimes has a value of `4`. This isn't a valid value, and doesn't cause issues with other clients, but the native clients are more strict. This commit fixes this by validating the value before storing and returning. Signed-off-by: BlackDex <black.dex@gmail.com>	2024-12-08 21:48:19 +01:00
Daniel	d7adce97df	Update Alpine to version 3.21 (#5256 )	2024-12-06 11:05:52 +01:00
Mathijs van Veluw	71b3d3c818	Update Rust and crates (#5248 ) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2024-12-05 22:10:59 +01:00
chuangjinglu	da3701c0cf	chore: fix some comments (#5224 ) Signed-off-by: chuangjinglu <chuangjinglu@outlook.com>	2024-11-25 18:35:00 +01:00
Mathijs van Veluw	96813b1317	Fix editing members which have access-all rights (#5213 ) With web-vault v2024.6.2 and lower, if a user has access-all rights either as an org-member or via a group it shouldn't return individual collections. This probably needs to be changed with newer versions which do not support the `access-all` feature anymore and work with manage. But with the current version this should solve access right issues. Fixes #5212 Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-20 17:38:16 +01:00
Mathijs van Veluw	b0b953f348	Fix push not working (#5214 ) The new native mobile clients seem to use PascalCase for the push payload. Also the date/time could cause issues. This PR fixes this by formatting the date/time correctly and use PascalCase for the payload key's I now receive cipher updates and login-with-device requests again. Fixes #5182 Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-20 17:32:44 +01:00
Mathijs van Veluw	cdfdc6ff4f	Fix Org Import duplicate collections (#5200 ) This fixes an issue with collections be duplicated same as was an issue with folders. Also made some optimizations by using HashSet where possible and device the Vec/Hash capacity. And instead of passing objects only use the UUID which was the only value we needed. Also found an issue with importing a personal export via the Org import where folders are used. Since Org's do not use folder we needed to clear those out, same as Bitwarden does. Fixes #5193 Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-17 21:33:23 +01:00
Daniel García	2393c3f3c0	Support SSH keys on desktop 2024.12 (#5187 ) * Support SSH keys on desktop 2024.12 * Document flags in .env.template * Validate key rotation contents	2024-11-15 18:38:16 +01:00
Daniel García	0d16b38a68	Some more authrequest changes (#5188 )	2024-11-15 11:25:51 +01:00
Stefan Melmuk	ff33534c07	don't infer manage permission for groups (#5190 ) the web-vault v2024.6.2 currently cannot deal with manage permission so instead of relying on the org user type this should just default to false	2024-11-13 19:19:19 +01:00
Stefan Melmuk	adb21d5c1a	fix password hint check (#5189 ) * fix password hint check don't show password hints if you have disabled the hints with PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and opted into showing password hints * update descriptions for pw hints options	2024-11-12 21:22:25 +01:00
Mathijs van Veluw	e927b8aa5e	Remove auth-request deletion (#5184 ) 2FA is needed to login even when using login-with-device. If the user didn't saved the 2FA token they still need to provide this. We deleted the auth-request after validation the request, but before 2FA was triggered. Removing the deletion of this record from that point as it will get cleaned-up automatically anyways. Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-12 15:48:39 +01:00
Mathijs van Veluw	ba48ca68fc	fix hibp username encoding and pw hint check (#5180 ) * fix hibp username encoding Signed-off-by: BlackDex <black.dex@gmail.com> * Fix password-hint check Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-12 11:09:28 +01:00
Mathijs van Veluw	294b429436	Add dynamic CSS support (#4940 ) * Add dynamic CSS support Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes. For example, we could hide the register link if signups are not allowed. In the future show or hide the SSO button depending on if it is enabled or not. There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes. This will prevent future changes from not being applied and still have the custom user changes to be added. Also added a special redirect when someone goes directly to `/index.html` as that might cause issues with loading other scripts and files. Signed-off-by: BlackDex <black.dex@gmail.com> * Add versions and fallback to built-in - Add both Vaultwarden and web-vault versions to the css_options. - Fallback to the inner templates if rendering or compiling the scss fails. This ensures the basics are always working even if someone breaks the templates. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix fallback code to actually work The fallback now works by using an alternative `reg!` macro. This adds an extra template register which prefixes the template with `fallback_`. Signed-off-by: BlackDex <black.dex@gmail.com> * Updated the wiki link in the user template --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-11 20:14:04 +01:00
Daniel García	37c14c3c69	More authrequest fixes (#5176 )	2024-11-11 20:13:02 +01:00
Mathijs van Veluw	d0581da638	Fix if logic error (#5171 ) Fixing a logical error in an if statement where we used `&&` which should have been `\|\|`. Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-11 11:50:33 +01:00
Daniel García	38aad4f7be	Limit HIBP to authed users	2024-11-10 23:59:06 +01:00
BlackDex	20d9e885bf	Update crates and fix several issues Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-10 23:56:19 +01:00