Updated all the crates to the latest version.
We can unpin mimalloc, since the musl issues have been fixed
Also fix a RUSTSEC https://osv.dev/vulnerability/RUSTSEC-2025-0023 for tokio
Fixed some clippy lints reported by nightly.
Ensure lints and are also run on the macro crate.
This resulted in some lints being triggered, which I fixed.
Updated some GHA uses.
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated crates
Pinned mimalloc, since it has issues with musl
- Updated web-vault to v2025.3.1
- Updated bootstrap
Signed-off-by: BlackDex <black.dex@gmail.com>
- Added a new org policy
- Some new lint fixes
- Crate updates
Switched to `pastey`, since `paste` is unmaintained.
Signed-off-by: BlackDex <black.dex@gmail.com>
Because we were using the `has_full_access()` function we did not returned assigned collections for an owner/admin even if the did not have the `access_all` flag set.
This commit will change that to use the `access_all` flag instead, and return assigned collections too.
While saving a member and having it assigned collections would still save those rights, and it was also visible in the collection management, it wasn't at the member it self.
So, it did work, but was not visible.
Fixes#5554Fixes#5555
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix icon redirect not working on desktop
We also need to exclude the header in case we do an external_icon call.
Fixes#5535
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add informational comments to the icon_external function
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix spelling/grammar
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow all manager to create collections again
This commit checks if the member is a manager or better, and if so allows it to createCollections.
We actually check if it is less then a Manager, since the `limitCollectionCreation` should be set to false to allow it and true to prevent.
This should fix an issue discussed in #5484
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix some small issues
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* add additional event_types
* use correct event_type when leaving an org
* use correct event type when deleting a user
* also correctly log auth requests
* add correct membership info to event log
* Security fixes for admin and sendmail
Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions.
This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers.
By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used.
This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`.
Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies.
Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix security issue with organizationId validation
Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks.
This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead.
This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions.
Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update server version in config endpoint
Updated the server version reported to the clients to `2025.1.0`.
This should make Vaultwarden future proof for the newer clients released by Bitwarden.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix and adjust build workflow
The build workflow had an issue with some `if` checks.
For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls.
Using `!cancelled()` is the preferred way.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow sendmail to be configurable
This reverts a previous change which removed the sendmail to be configurable.
We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add more org_id checks
Added more org_id checks at all functions which use the org_id in there path.
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add manage role for collections and groups
This commit will add the manage role/column to collections and groups.
We need this to allow users part of a collection either directly or via groups to be able to delete ciphers.
Without this, they are only able to either edit or view them when using new clients, since these check the manage role.
Still trying to keep it compatible with previous versions and able to revert to an older Vaultwarden version and the `access_all` feature of the older installations.
In a future version we should really check and fix these rights and create some kind of migration step to also remove the `access_all` feature and convert that to a `manage` option.
But this commit at least creates the base for this already.
This should resolve#5367
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix an issue with access_all
If owners or admins do not have the `access_all` flag set, in case they do not want to see all collection on the password manager view, they didn't see any collections at all anymore.
This should fix that they are still able to view all the collections and have access to it.
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
During the refactoring done in #5320 there has a buggy slipped through which changed a uuid.
This commit fixes this, and also made some vars pass by reference.
Fixes#5377
Signed-off-by: BlackDex <black.dex@gmail.com>
* rename membership
rename UserOrganization to Membership to clarify the relation
and prevent confusion whether something refers to a member(ship) or user
* use newtype pattern
* implement custom derive macro IdFromParam
* add UuidFromParam macro for UUIDs
* add macros to Docker build
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
---------
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
* Prevent new users/members when invite fails
Currently when a (new) user gets invited as a member to an org, and SMTP is enabled, but sending the invite fails, the user is still created.
They will only not have received a mail, and admins/owners need to re-invite the member again.
Since the dialog window still keeps on-top when this fails, it kinda invites to click try again, but that will fail in mentioning the user is already a member.
To prevent this weird flow, this commit will delete the user, invite and member if sending the mail failed.
This allows the inviter to try again if there was a temporary hiccup for example, or contact the server admin and does not leave stray users/members around.
Fixes#5349
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjust deleting records
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
The new web-vault seems to call an extra endpoint, which looks like it is only used when passkeys can be used for login.
Since we do not support this (yet), we can just return an empty data object.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add partial role support for manager only
- Add the custom role which replaces the manager role
- Added mini-details endpoint used by v2024.11.1
These changes try to add the custom role in such a way that it stays compatible with the older manager role.
It will convert a manager role into a custom role, and if a manager has `access-all` rights, it will enable the correct custom roles.
Upon saving it will convert these back to the old format.
What this does is making sure you are able to revert back to an older version of Vaultwarden without issues.
This way we can support newer web-vault's and still be compatible with a previous Vaultwarden version if needed.
In the future this needs to be changed to full role support though.
Fixed the 2FA hide CSS since the order of options has changed
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide passkey login
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide create account
Signed-off-by: BlackDex <black.dex@gmail.com>
* Small changes for v2024.12.0
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide create account link
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add pre-release web-vault
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rename function to mention swapping uuid's
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Refactor the uri match change
Refactored the uri match fix to also convert numbers within a string to an int.
If it fails it will be null.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix ssh-key sync issues
If any of the mandatory ssh-key json data values are not a string or are an empty string, this will break the mobile clients.
This commit fixes this by checking if any of the values are missing or invalid and converts the json data to `null`.
It will ensure the clients can sync and show the vault.
Fixes#5343Fixes#5322
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
Bitwarden allows to use self-hosted forwarded email services.
But for this to work you need to add custom URL's to the `connect-src` CSP entry.
This commit allows setting this and checks if the URL starts with `https://` else it will abort loading.
Fixes#5290
Signed-off-by: BlackDex <black.dex@gmail.com>
- Refactored several code to use more modern syntax
- Made some checks a bit more strict
- Updated crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some Backend Admin fixes and updates
- Updated datatables
- Added a `X-Robots-Tags` header to prevent indexing
- Modified some layout settings
- Added Websocket check to diagnostics
- Added Security Header checks to diagnostics
- Added Error page response checks to diagnostics
- Modifed support string layout a bit
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some small fixes
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
The `reprompt` value somehow sometimes has a value of `4`.
This isn't a valid value, and doesn't cause issues with other clients, but the native clients are more strict.
This commit fixes this by validating the value before storing and returning.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update Rust and crates
- Updated Rust to v1.83.0
- Updated MSRV to v1.82.0 (Needed for html5gum crate)
- Updated icon fetching code to match new html5gum version
- Updated workflows
- Enabled edition 2024 clippy lints
Nightly reports some clippy hints, but that would be too much to change in this PR i think.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some additional updates
- Patch fern to allow syslog-7 feature
- Fixed diesel logger which was broken because of the sqlite backup feature
Refactored the sqlite backup because of this
- Added a build workflow test to include the query_logger feature
Signed-off-by: BlackDex <black.dex@gmail.com>
* Also patch yubico-rs and latest updates
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
With web-vault v2024.6.2 and lower, if a user has access-all rights either as an org-member or via a group it shouldn't return individual collections.
This probably needs to be changed with newer versions which do not support the `access-all` feature anymore and work with manage.
But with the current version this should solve access right issues.
Fixes#5212
Signed-off-by: BlackDex <black.dex@gmail.com>
The new native mobile clients seem to use PascalCase for the push payload.
Also the date/time could cause issues.
This PR fixes this by formatting the date/time correctly and use PascalCase for the payload key's
I now receive cipher updates and login-with-device requests again.
Fixes#5182
Signed-off-by: BlackDex <black.dex@gmail.com>
