- Updated crates
- Switched to rustls instead of native-tls
Some dependency were already using rustls by default or without option.
By removing native-tls we also have just one way of working here.
Updated favicon fetching which now is able to fetch more icons.
- Use rustls instead of native-tls
This seems to work better, probably because of tls sniffing
- Use different user-agent and added several other headers
- Added SVG support. SVG Images will be sanitized first before stored or presented.
Also, a special CSP for images will be sent to prevent scripts etc.. from SVG images.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Abstract file access through Apache OpenDAL
* Add AWS S3 support via OpenDAL for data files
* PR improvements
* Additional PR improvements
* Config setting comments for local/remote data locations
* WIP Sync with Upstream
WIP on syncing API Responses with upstream.
This to prevent issues with new clients, and find possible current issues like members, collections, groups etc..
Signed-off-by: BlackDex <black.dex@gmail.com>
* More API Response fixes
- Some 2fa checks
- Some org checks
- Reconfigured the experimental flags and noted which are deprecated
Also removed some hard-coded defaults.
- Updated crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add avatar color to emergency access api
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix spelling and some crate updates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use PushId and always generate the PushId
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix several Push issues and API's
Signed-off-by: BlackDex <black.dex@gmail.com>
* Check if push_uuid is empty and generate when needed
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated some comments and removed old export format
Signed-off-by: BlackDex <black.dex@gmail.com>
* cargo update
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix bulk edit Fixes#5737
Signed-off-by: BlackDex <black.dex@gmail.com>
* Send an email when an account exists already
When you want to change your email address into an account which already exists, upstream sends an email to the existing account.
Lets do the same.
Kinda fixes#5630
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update 2fa removal/revoke email
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow col managers to import
This commit adds functionality to allow users with manage access to a collection, or managers with all access to import into an organization.
Fixes#5592
Signed-off-by: BlackDex <black.dex@gmail.com>
* Filter deprected flags and only return active flags
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix grammer
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rename Small to Compact
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rebase with upstream and fix conflicts
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated web-vault to v2025.5.0
- Updated Rust to v1.87.0
- Updated all the crates
- Replaced yubico with yubico_ng
- Fixed several new (nightly) clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix icon redirect not working on desktop
We also need to exclude the header in case we do an external_icon call.
Fixes#5535
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add informational comments to the icon_external function
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix spelling/grammar
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Security fixes for admin and sendmail
Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions.
This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers.
By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used.
This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`.
Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies.
Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix security issue with organizationId validation
Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks.
This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead.
This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions.
Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update server version in config endpoint
Updated the server version reported to the clients to `2025.1.0`.
This should make Vaultwarden future proof for the newer clients released by Bitwarden.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix and adjust build workflow
The build workflow had an issue with some `if` checks.
For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls.
Using `!cancelled()` is the preferred way.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow sendmail to be configurable
This reverts a previous change which removed the sendmail to be configurable.
We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add more org_id checks
Added more org_id checks at all functions which use the org_id in there path.
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* rename membership
rename UserOrganization to Membership to clarify the relation
and prevent confusion whether something refers to a member(ship) or user
* use newtype pattern
* implement custom derive macro IdFromParam
* add UuidFromParam macro for UUIDs
* add macros to Docker build
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
---------
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
Bitwarden allows to use self-hosted forwarded email services.
But for this to work you need to add custom URL's to the `connect-src` CSP entry.
This commit allows setting this and checks if the URL starts with `https://` else it will abort loading.
Fixes#5290
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some Backend Admin fixes and updates
- Updated datatables
- Added a `X-Robots-Tags` header to prevent indexing
- Modified some layout settings
- Added Websocket check to diagnostics
- Added Security Header checks to diagnostics
- Added Error page response checks to diagnostics
- Modifed support string layout a bit
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some small fixes
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add extra linting
Added extra linting for some code styles.
Also added the Rust Edition 2024 lints.
Closes#4974
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted according to comments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add a CLI feature to backup the SQLite DB
Many users request to add the sqlite3 binary to the container image.
This isn't really ideal as that might bring in other dependencies and will only bloat the image.
There main reason is to create a backup of the database.
While there already was a feature within the admin interface to do so (or by using the admin API call), this might not be easy.
This PR adds several ways to generate a backup.
1. By calling the Vaultwarden binary with the `backup` command like:
- `/vaultwarden backup`
- `docker exec -it vaultwarden /vaultwarden backup`
2. By sending the USR1 signal to the running process like:
- `kill -s USR1 $(pidof vaultwarden)
- `killall -s USR1 vaultwarden)
This should help users to more easily create backups of there SQLite database.
Also added the Web-Vault version number when using `-v/--version` to the output.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Spelling and small adjustments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Change API inputs/outputs and structs to camelCase
* Fix fields and password history
* Use convert_json_key_lcase_first
* Make sends lowercase
* Update admin and templates
* Update org revoke
* Fix sends expecting size to be a string on mobile
* Convert two-factor providers to string
- Updated Rust to v1.77.0
- Updated several crates
The `reqwest` update included `trust-dns` > `hickory-dns` changes.
Also, `reqwest` v0.12 is not working correctly for us, that is something to investigate.
- Fixed a new clippy warning
- Updated sqlite crate
- Updated chrono crate
The latter needed a lot of changes done, mostly `Duration` to `TimeDelta`.
And some changes on how to use Naive.
Also check if we are running within a Kubernetes environment.
These do not always run using Docker or Podman of course.
Also renamed all the functions and variables to use `container` instead
of `docker`.
* Allow customizing the featureStates
Use a comma separated list of features to enable using the FEATURE_FLAGS env variable
* Move feature flag parsing to util
* Fix formatting
* Update supported feature flags
* Rename feature_flags to experimental_client_feature_flags
Additionally, use a caret (^) instead of an exclamation mark (!) to disable features
* Fix formatting issue.
* Add documentation to env template
* Remove functionality to disable feature flags
* Fix JSON key for feature states
* Convert error to warning when feature flag is unrecognized
* Simplify parsing of feature flags
* Fix default value of feature flags in env template
* Fix formatting
* Fix BWDC when re-run with cleared cache
Using the BWDC with a cleared cache caused invited users to be converted
to accepted users.
The problem was a wrong check for the `restore` function.
Fixes#4114
* Remove useless variable
During some refactoring this seems to be overlooked.
This variable gets filled but isn't used at all afterwards.
Fixes#4105
* Check some `.git` paths to force a rebuild
When a checked-out repo switches to a specific tag, and that tag does
not have anything else changed in the files except the tag, it could
happen that the build process doesn't see any changes, while it could be
that the version string needs to be different.
This commit ensures that if some specific paths are changed within the
.git directory, cargo will be triggered to rebuild.
Fixes#4087
* Do not delete dir on file delete
Previously during a `delete_file` check we also tried to delete the
parent directory and ignored all errors, like not being empty for
example.
Since this function is called `delete_file` and does not mention
anything in regards to a directory i have removed that code and it will
now only delete the file and leave the rest as-is.
If this somehow is still needed or wanted, which i do not think we want,
then we should create a new function.
Fixes#4081
* Fix healthcheck when using an ENV file
If someone is using a `.env` file or configured the `ENV_FILE` variable
to use that as it's configuration, this was missed by the healthcheck.
So, `DOMAIN` and `ROCKET_TLS` were not seen, and not used in these cases.
This commit fixes this by checking for this file and if it exists, then
it will load those variables first.
Fixes#4112
* Add missing route
While there was a function and a derive, this endpoint wasn't part of
the routes. Since Bitwarden does have this endpoint ill add the route
instead of deleting it.
Fixes#4076Fixes#4144
* Update crates to update the openssl crate
Because of a bug in the openssl-sys crate we pinned the version to an
older version. This issue has been fixed and was released 2 days ago.
This commit updates the openssl crates including others.
This should also fix the issues with building Vaultwarden using newer
versions of LibreSSL.
Fixes#4051
* Remove another header for websocket connections
* Fix small bake issue
* Update crates
Updated crates and adjusted code where needed.
One major update is Rocket rc4, no need anymore (again) for crates.io patching.
The only item still pending is openssl/openssl-sys for which we need to
wait if https://github.com/sfackler/rust-openssl/pull/2094 will be
merged. If, then we can remove the pinned versions for the openssl crate.
During a WebSocket connection we currently also send several headers
which could cause issues with some reverse proxy, or with the CloudFlare
tunnel for example. This PR resolves these issues.
Fixes#3881
There now is a `v0.5` branch which will be the final release version
when the time is there. Switched to this instead of the `master` branch
which contains other fixes and enhancements as well (for `v0.6`).
This should solve all the endpoint issue we were having.
During setting the latest commit hash for Rocket and updating all the
other crates, there were some messages regarding the usage of `String`
for the Rocket endpoint function calls. I acted upon this message and
changed all `String` types to `&str` and modified the code where needed.
This ended up in less alloc calls, and probably also a bit less memory usage.
- Updated all the crates and commit hashes
- Modified all `String` to `&str` where applicable
- Updated workflows to use new checkout version
This probably fixes the curl download for hadolint also.
- Updated crates including Rocket to the latest rc3 :party:
- Applied 2 nightly clippy lints to prevent future clippy issues.
Since we now use the `ClientIp` Guard on a lot more places, it also
increases the size of binary, and the macro generated code because of
this extra Guard. By merging the `ClientIp` Guard with the several
`Header` guards we have it reduces the amount of code generated
(including LLVM IR), but also a small speedup in build time.
I also spotted some small `json!()` optimizations which also reduced the
amount of code generated.
- Removed `unsafe-inline` for javascript from CSP.
The admin interface now uses files instead of inline javascript.
- Modified javascript to work not being inline.
- Run eslint over javascript and fixed some items.
- Added a `to_json` Handlebars helper.
Used at the diagnostics page.
- Changed `AdminTemplateData` struct to be smaller.
The `config` was always added, but only used at one page.
Same goes for `can_backup` and `version`.
- Also inlined CSS.
We can't remove the `unsafe-inline` from css, because that seems to
break the web-vault currently. That might need some further checks.
But for now the 404 page and all the admin pages are clear of inline scripts and styles.
- Put groups support behind a feature flag, and disabled by default.
The reason is that it has some known issues, but we want to keep
optimizing this feature. Putting it behind a feature flag could help
some users, and the developers into optimizing this feature without to
much trouble.
Further:
- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
for building the environment variables, lowers heap allocations.
This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.
All events are touched except a few, since we do not support those
features (yet), like SSO for example.
This feature is tested with multiple clients and all database types.
Fixes#229
The DuckDuckGo email service is not supported for self-hosted servers.
This option is already hidden via the latest web-vault.
This PR also removes some server side headers.
Fixes#2828
Since v2022.9.x it seems they changed the export endpoint and way of working.
This PR fixes this by adding the export endpoint.
Also, it looks like the clients can't handle uppercase first JSON key's.
Because of this there now is a function which converts all the key's to lowercase first.
I have an issue reported at Bitwarden if this is expected behavior: https://github.com/bitwarden/clients/issues/3606Fixes#2760Fixes#2764
- The new web-vault version supports fastmail.com anon email, add the
correct api host to support it.
- Removed Firefox Relay, this seems only to be supported on SaaS.
- Added a function to the two-factor api to prevent 404 errors.
When using anything else but the `internal` icon service it would
trigger an CSP block because the redirects were not allowed.
This PR fixes#2623 by dynamically adding the needed CSP strings.
This should also work with custom services.
For Google i needed to add an extra check because that does a redirect
it self to there gstatic.com domain.
