Merge branch 'openssl-fix'

Update Vault to v2.3.0

.env

@@ -14,6 +14,9 @@
 # WEB_VAULT_FOLDER=web-vault/
 # WEB_VAULT_ENABLED=true
 
+## Controls the WebSocket server port
+# WEBSOCKET_PORT=3012
+
 ## Controls if new users can register
 # SIGNUPS_ALLOWED=true
 
@@ -27,6 +30,9 @@
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000
 
+## Whether password hint should be sent into the error response when the client request it
+# SHOW_PASSWORD_HINT=true
+
 ## Domain settings
 ## The domain must match the address from where you access the server
 ## Unless you are using U2F, or having problems with attachments not downloading, there is no need to change this
@@ -38,3 +44,12 @@
 # ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
 # ROCKET_PORT=8000
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=bitwarden-rs@domain.tld
+# SMTP_PORT=587
+# SMTP_SSL=true
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password

.travis.yml

@@ -0,0 +1,7 @@
+# Copied from Rocket's .travis.yml
+language: rust
+sudo: required # so we get a VM with higher specs
+dist: trusty # so we get a VM with higher specs
+cache: cargo
+rust:
+- nightly

BUILD.md

@@ -17,28 +17,29 @@ cargo build --release
 When run, the server is accessible in [http://localhost:80](http://localhost:80).
 
 ### Install the web-vault
-Download the latest official release from the [releases page](https://github.com/bitwarden/web/releases) and extract it.
-
-Modify `web-vault/settings.Production.json` to look like this:
-```json
-{
-  "appSettings": {
-    "apiUri": "/api",
-    "identityUri": "/identity",
-    "iconsUri": "/icons",
-    "stripeKey": "",
-    "braintreeKey": ""
-  }
-}
-```
-
-Then, run the following from the `web-vault` directory:
+Clone the git repository at [bitwarden/web](https://github.com/bitwarden/web) and checkout the latest release tag (e.g. v2.1.1):
 ```sh
-npm install
-npx gulp dist:selfHosted
+# clone the repository
+git clone https://github.com/bitwarden/web.git web-vault
+cd web-vault
+# switch to the latest tag
+git checkout "$(git tag | tail -n1)"
 ```
 
-Finally copy the contents of the `web-vault/dist` folder into the `bitwarden_rs/web-vault` folder.
+Apply the patch file from `docker/set-vault-baseurl.patch`:
+```sh
+# In the Vault repository directory
+git apply /path/to/bitwarden_rs/docker/set-vault-baseurl.patch
+```
+
+Then, build the Vault:
+```sh
+npm run sub:init
+npm install
+npm run dist
+```
+
+Finally copy the contents of the `build` folder into the `bitwarden_rs/web-vault` folder.
 
 # Configuration
 The available configuration options are documented in the default `.env` file, and they can be modified by uncommenting the desired options in that file or by setting their respective environment variables. Look at the README file for the main configuration options available.

Cargo.toml

@@ -1,40 +1,49 @@
 [package]
 name = "bitwarden_rs"
-version = "0.12.0"
+version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 
 [dependencies]
 # Web framework for nightly with a focus on ease-of-use, expressibility, and speed.
-rocket = { version = "0.3.14", features = ["tls"] }
-rocket_codegen = "0.3.14"
-rocket_contrib = "0.3.14"
+rocket = { version = "0.3.16", features = ["tls"] }
+rocket_codegen = "0.3.16"
+rocket_contrib = "0.3.16"
 
 # HTTP client
-reqwest = "0.8.6"
+reqwest = "0.9.0"
 
 # multipart/form-data support
-multipart = "0.14.2"
+multipart = "0.15.3"
+
+# WebSockets library
+ws = "0.7.8"
+
+# MessagePack library
+rmpv = "0.4.0"
+
+# Concurrent hashmap implementation
+chashmap = "2.2.0"
 
 # A generic serialization/deserialization framework
-serde = "1.0.70"
-serde_derive = "1.0.70"
-serde_json = "1.0.22"
+serde = "1.0.79"
+serde_derive = "1.0.79"
+serde_json = "1.0.28"
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "1.3.2", features = ["sqlite", "chrono", "r2d2"] }
+diesel = { version = "1.3.3", features = ["sqlite", "chrono", "r2d2"] }
 diesel_migrations = { version = "1.3.0", features = ["sqlite"] }
 
 # Bundled SQLite
-libsqlite3-sys = { version = "0.9.1", features = ["bundled"] }
+libsqlite3-sys = { version = "0.9.3", features = ["bundled"] }
 
 # Crypto library
 ring = { version = "= 0.11.0", features = ["rsa_signing"] }
 
 # UUID generation
-uuid = { version = "0.6.5", features = ["v4"] }
+uuid = { version = "0.7.1", features = ["v4"] }
 
 # Date and time library for Rust
-chrono = "0.4.4"
+chrono = "0.4.6"
 
 # TOTP library
 oath = "0.10.2"
@@ -52,15 +61,27 @@ u2f = "0.1.2"
 dotenv = { version = "0.13.0", default-features = false }
 
 # Lazy static macro
-lazy_static = "1.0.1"
+lazy_static = "1.1.0"
 
 # Numerical libraries
-num-traits = "0.2.5"
+num-traits = "0.2.6"
 num-derive = "0.2.2"
 
+# Email libraries
+lettre = "0.9.0"
+lettre_email = "0.9.0"
+native-tls = "0.2.1"
+fast_chemail = "0.9.5"
+
+# Number encoding library
+byteorder = "1.2.6"
+
 [patch.crates-io]
  # Make jwt use ring 0.11, to match rocket
 jsonwebtoken = { path = "libs/jsonwebtoken" }
+rmp = { git = 'https://github.com/dani-garcia/msgpack-rust' }
+lettre = { git = 'https://github.com/lettre/lettre', rev = 'fc91bb6ee8f9a' }
+lettre_email = { git = 'https://github.com/lettre/lettre', rev = 'fc91bb6ee8f9a' }
 
 # Version 0.1.2 from crates.io lacks a commit that fixes a certificate error
-u2f = { git = 'https://github.com/wisespace-io/u2f-rs', rev = '193de35093a44' }
+u2f = { git = 'https://github.com/wisespace-io/u2f-rs', rev = '193de35093a44' }

Dockerfile

@@ -2,31 +2,27 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM node:9-alpine as vault
+FROM node:8-alpine as vault
 
-ENV VAULT_VERSION "1.27.0"
-ENV URL "https://github.com/bitwarden/web/archive/v${VAULT_VERSION}.tar.gz"
+ENV VAULT_VERSION "v2.3.0"
+
+ENV URL "https://github.com/bitwarden/web.git"
 
 RUN apk add --update-cache --upgrade \
     curl \
     git \
-    tar \
-    && npm install -g \
-        gulp-cli \
-        gulp
-
-RUN mkdir /web-build \
-    && cd /web-build \
-    && curl -L "${URL}" | tar -xvz --strip-components=1
+    tar
 
+RUN git clone -b $VAULT_VERSION --depth 1 $URL web-build
 WORKDIR /web-build
 
-COPY /docker/settings.Production.json /web-build/
+COPY /docker/set-vault-baseurl.patch /web-build/    
+RUN git apply set-vault-baseurl.patch
 
-RUN git config --global url."https://github.com/".insteadOf ssh://git@github.com/ \
-    && npm install \
-    && gulp dist:selfHosted \
-    && mv dist /web-vault
+RUN npm run sub:init && npm install
+
+RUN npm run dist \
+    && mv build /web-vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
@@ -80,6 +76,7 @@ RUN apt-get update && apt-get install -y\
 RUN mkdir /data
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012
 
 # Copies the files from the context (env file and web-vault)
 # and the binary from the "build" stage to the current stage

Dockerfile.alpine

@@ -0,0 +1,81 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM node:8-alpine as vault
+
+ENV VAULT_VERSION "v2.3.0"
+
+ENV URL "https://github.com/bitwarden/web.git"
+
+RUN apk add --update-cache --upgrade \
+    curl \
+    git \
+    tar
+
+RUN git clone -b $VAULT_VERSION --depth 1 $URL web-build
+WORKDIR /web-build
+
+COPY /docker/set-vault-baseurl.patch /web-build/    
+RUN git apply set-vault-baseurl.patch
+
+RUN npm run sub:init && npm install
+
+RUN npm run dist \
+    && mv build /web-vault
+
+########################## BUILD IMAGE  ##########################
+# Musl build image for statically compiled binary
+FROM clux/muslrust:nightly-2018-08-24 as build
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo init --bin
+
+# Copies over *only* your manifests and vendored dependencies
+COPY ./Cargo.* ./
+COPY ./libs ./libs
+COPY ./rust-toolchain ./rust-toolchain
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.8
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add \
+        openssl\
+        ca-certificates \
+    && rm /var/cache/apk/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (env file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY .env .
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /volume/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ./bitwarden_rs

Dockerfile.armv7

@@ -0,0 +1,113 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM node:8-alpine as vault
+
+ENV VAULT_VERSION "v2.3.0"
+
+ENV URL "https://github.com/bitwarden/web.git"
+
+RUN apk add --update-cache --upgrade \
+    curl \
+    git \
+    tar
+
+RUN git clone -b $VAULT_VERSION --depth 1 $URL web-build
+WORKDIR /web-build
+
+COPY /docker/set-vault-baseurl.patch /web-build/    
+RUN git apply set-vault-baseurl.patch
+
+RUN npm run sub:init && npm install
+
+RUN npm run dist \
+    && mv build /web-vault
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust as build
+
+RUN apt-get update \
+    && apt-get install -y \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin app
+WORKDIR /app
+
+# Copies over *only* your manifests and vendored dependencies
+COPY ./Cargo.* ./
+COPY ./libs ./libs
+COPY ./rust-toolchain ./rust-toolchain
+
+# Prepare openssl armhf libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        libssl-dev:armhf \
+        libc6-dev:armhf
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+COPY . .
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM resin/armv7hf-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y\
+    openssl\
+    ca-certificates\
+    --no-install-recommends\
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (env file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY .env .
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ./bitwarden_rs

PROXY.md

@@ -0,0 +1,95 @@
+# Proxy examples
+
+In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`.
+The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended.
+
+When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.
+
+## Caddy
+
+```nginx
+localhost:443 {
+    # The negotiation endpoint is also proxied to Rocket
+    proxy /notifications/hub/negotiate <SERVER>:80 {
+        transparent
+    }
+    
+    # Notifications redirected to the websockets server
+    proxy /notifications/hub <SERVER>:3012 {
+        websocket
+    }
+    
+    # Proxy the Root directory to Rocket
+    proxy / <SERVER>:80 {
+        transparent
+    }
+
+    tls ${SSLCERTIFICATE} ${SSLKEY}
+}
+```
+
+## Nginx (by shauder)
+```nginx
+server {
+  include conf.d/ssl/ssl.conf;
+
+  listen 443 ssl http2;
+  server_name vault.*;
+
+  location /notifications/hub/negotiate {
+    include conf.d/proxy-confs/proxy.conf;
+    proxy_pass http://<SERVER>:80;
+  }
+
+  location / {
+    include conf.d/proxy-confs/proxy.conf;
+    proxy_pass http://<SERVER>:80;
+  }
+
+  location /notifications/hub {
+    proxy_pass http://<SERVER>:3012;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+}
+```
+
+## Apache (by fbartels)
+```apache
+<VirtualHost *:443>
+    SSLEngine on
+    ServerName bitwarden.$hostname.$domainname
+
+    SSLCertificateFile ${SSLCERTIFICATE}
+    SSLCertificateKeyFile ${SSLKEY}
+    SSLCACertificateFile ${SSLCA}
+    ${SSLCHAIN}
+
+    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
+    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)           ws://<SERVER>:3012/$1 [P,L]
+
+    ProxyPass / http://<SERVER>:80/
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+</VirtualHost>
+```
+
+## Traefik (docker-compose example)
+```traefik
+    labels:
+      - 'traefik.frontend.rule=Host:vault.example.local'
+      - 'traefik.docker.network=traefik'
+      - 'traefik.port=80'
+      - 'traefik.enable=true'
+      - 'traefik.web.frontend.rule=Host:vault.example.local'
+      - 'traefik.web.port=80'
+      - 'traefik.hub.frontend.rule=Path:/notifications/hub'
+      - 'traefik.hub.port=3012'
+      - 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
+      - 'traefik.negotiate.port=80'
+```

README.md

@@ -1,9 +1,19 @@
-This is Bitwarden server API implementation written in rust compatible with [upstream Bitwarden clients](https://bitwarden.com/#download)*, ideal for self-hosted deployment where running official resource-heavy service might not be ideal.
+### This is a Bitwarden server API implementation written in Rust compatible with [upstream Bitwarden clients](https://bitwarden.com/#download)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+---
+
+[![Travis Build Status](https://travis-ci.org/dani-garcia/bitwarden_rs.svg?branch=master)](https://travis-ci.org/dani-garcia/bitwarden_rs)
+[![Dependency Status](https://deps.rs/repo/github/dani-garcia/bitwarden_rs/status.svg)](https://deps.rs/repo/github/dani-garcia/bitwarden_rs)
+[![GitHub Release](https://img.shields.io/github/release/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/releases/latest)
+[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/blob/master/LICENSE.txt)
+[![Matrix Chat](https://matrix.to/img/matrix-badge.svg)](https://matrix.to/#/#bitwarden_rs:matrix.org)
 
 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/bitwarden_rs).
 
 _*Note, that this project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC._
 
+---
+
 **Table of contents**
 
 - [Features](#features)
@@ -13,7 +23,9 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
   - [Updating the bitwarden image](#updating-the-bitwarden-image)
 - [Configuring bitwarden service](#configuring-bitwarden-service)
   - [Disable registration of new users](#disable-registration-of-new-users)
+  - [Disable invitations](#disable-invitations)
   - [Enabling HTTPS](#enabling-https)
+  - [Enabling WebSocket notifications](#enabling-websocket-notifications)
   - [Enabling U2F authentication](#enabling-u2f-authentication)
   - [Changing persistent data location](#changing-persistent-data-location)
     - [/data prefix:](#data-prefix)
@@ -22,6 +34,9 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
     - [icons cache](#icons-cache)
   - [Changing the API request size limit](#changing-the-api-request-size-limit)
   - [Changing the number of workers](#changing-the-number-of-workers)
+  - [SMTP configuration](#smtp-configuration)
+  - [Password hint display](#password-hint-display)
+  - [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting)
   - [Other configuration](#other-configuration)
 - [Building your own image](#building-your-own-image)
 - [Building binary](#building-binary)
@@ -33,6 +48,11 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
   - [3. the key files](#3-the-key-files)
   - [4. Icon Cache](#4-icon-cache)
 - [Running the server with non-root user](#running-the-server-with-non-root-user)
+- [Differences from upstream API implementation](#differences-from-upstream-api-implementation)
+  - [Changing user email](#changing-user-email)
+  - [Creating organization](#creating-organization)
+  - [Inviting users into organization](#inviting-users-into-organization)
+  - [Running on unencrypted connection](#running-on-unencrypted-connection)
 - [Get in touch](#get-in-touch)
 
 ## Features
@@ -120,6 +140,20 @@ docker run -d --name bitwarden \
   -p 80:80 \
   mprasil/bitwarden:latest
 ```
+Note: While users can't register on their own, they can still be invited by already registered users. Read bellow if you also want to disable that.
+
+### Disable invitations
+
+Even when registration is disabled, organization administrators or owners can invite users to join organization. This won't send email invitation to the users, but after they are invited, they can register with the invited email even if `SIGNUPS_ALLOWED` is actually set to `false`. You can disable this functionality completely by setting `INVITATIONS_ALLOWED` env variable to `false`:
+
+```sh
+docker run -d --name bitwarden \
+  -e SIGNUPS_ALLOWED=false \
+  -e INVITATIONS_ALLOWED=false \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
 
 ### Enabling HTTPS
 To enable HTTPS, you need to configure the `ROCKET_TLS`.
@@ -134,15 +168,42 @@ Where:
 
 ```sh
 docker run -d --name bitwarden \
-  -e ROCKET_TLS={certs='"/ssl/certs.pem",key="/ssl/key.pem"}' \
+  -e ROCKET_TLS='{certs="/ssl/certs.pem",key="/ssl/key.pem"}' \
   -v /ssl/keys/:/ssl/ \
   -v /bw-data/:/data/ \
-  -v /icon_cache/ \
   -p 443:80 \
   mprasil/bitwarden:latest
 ```
 Note that you need to mount ssl files and you need to forward appropriate port.
 
+Softwares used for getting certs are often using symlinks. If that is the case, both locations need to be accessible to the docker container.
+
+Example: [certbot](https://certbot.eff.org/) will create a folder that contains the needed `cert.pem` and `privacy.pem` files in `/etc/letsencrypt/live/mydomain/`
+
+These files are symlinked to `../../archive/mydomain/mykey.pem`
+
+So to use from bitwarden container:
+
+```sh
+docker run -d --name bitwarden \
+  -e ROCKET_TLS='{certs="/ssl/live/mydomain/cert.pem",key="/ssl/live/mydomain/privkey.pem"}' \
+  -v /etc/letsencrypt/:/ssl/ \
+  -v /bw-data/:/data/ \
+  -p 443:80 \
+  mprasil/bitwarden:latest
+```
+### Enabling WebSocket notifications
+*Important: This does not apply to the mobile clients, which use push notifications.*
+
+To enable WebSockets notifications, an external reverse proxy is necessary, and it must be configured to do the following:
+- Route the `/notifications/hub` endpoint to the WebSocket server, by default at port `3012`, making sure to pass the `Connection` and `Upgrade` headers.
+- Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`.
+- If using Docker, you may need to map both ports with the `-p` flag
+
+Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file.
+
+Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port.
+
 ### Enabling U2F authentication
 To enable U2F authentication, you must be serving bitwarden_rs from an HTTPS domain with a valid certificate (Either using the included
 HTTPS options or with a reverse proxy). We recommend using a free certificate from Let's Encrypt.
@@ -248,6 +309,60 @@ docker run -d --name bitwarden \
   mprasil/bitwarden:latest
 ```
 
+### SMTP configuration
+
+You can configure bitwarden_rs to send emails via a SMTP agent:
+
+```sh
+docker run -d --name bitwarden \
+  -e SMTP_HOST=<smtp.domain.tld> \
+  -e SMTP_FROM=<bitwarden@domain.tld> \
+  -e SMTP_PORT=587 \
+  -e SMTP_SSL=true \
+  -e SMTP_USERNAME=<username> \
+  -e SMTP_PASSWORD=<password> \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
+  
+When `SMTP_SSL` is set to `true`(this is the default), only TLSv1.1 and TLSv1.2 protocols will be accepted and `SMTP_PORT` will default to `587`. If set to `false`, `SMTP_PORT` will default to `25` and the connection won't be encrypted. This can be very insecure, use this setting only if you know what you're doing.
+
+### Password hint display
+
+Usually, password hints are sent by email. But as bitwarden_rs is made with small or personal deployment in mind, hints are also available from the password hint page, so you don't have to configure an email service. If you want to disable this feature, you can use the `SHOW_PASSWORD_HINT` variable:
+
+```sh
+docker run -d --name bitwarden \
+  -e SHOW_PASSWORD_HINT=false \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
+
+### Disabling or overriding the Vault interface hosting
+
+As a convenience bitwarden_rs image will also host static files for Vault web interface. You can disable this static file hosting completely by setting the WEB_VAULT_ENABLED variable.
+
+```sh
+docker run -d --name bitwarden \
+  -e WEB_VAULT_ENABLED=false \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
+Alternatively you can override the Vault files and provide your own static files to host. You can do that by mounting a path with your files over the `/web-vault` directory in the container. Just make sure the directory contains at least `index.html` file.
+
+```sh
+docker run -d --name bitwarden \
+  -v /path/to/static/files_directory:/web-vault \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+``` 
+
+Note that you can also change the path where bitwarden_rs looks for static files by providing the `WEB_VAULT_FOLDER` environment variable with the path.
+
 ### Other configuration
 
 Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
@@ -263,7 +378,7 @@ docker build -t bitwarden_rs .
 
 ## Building binary
 
-For building binary outside the Docker environment and running it locally without docker, please see [build instructions](BUILD.md).
+For building binary outside the Docker environment and running it locally without docker, please see [build instructions](https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md).
 
 ## Available packages
 
@@ -313,6 +428,29 @@ docker run -d --name bitwarden \
   -p 80:8080 \
   mprasil/bitwarden:latest
 ```
+
+## Differences from upstream API implementation
+
+### Changing user email
+
+Because we don't have any SMTP functionality at the moment, there's no way to deliver the verification token when you try to change the email. User just needs to enter any random token to continue and the change will be applied.
+
+### Creating organization
+
+We use upstream Vault interface directly without any (significant) changes, this is why user is presented with paid options when creating organization. To create an organization, just use the free option, none of the limits apply when using bitwarden_rs as back-end API and after the organization is created it should behave like Enterprise organization.
+
+### Inviting users into organization
+
+The invited users won't get the invitation email, instead all already registered users will appear in the interface as if they already accepted the invitation. Organization admin then just needs to confirm them to be proper Organization members and to give them access to the shared secrets.
+
+Invited users, that aren't registered yet will show up in the Organization admin interface as "Invited". At the same time an invitation record is created that allows the users to register even if [user registration is disabled](#disable-registration-of-new-users). (unless you [disable this functionality](#disable-invitations)) They will automatically become "Accepted" once they register. From there Organization admin can confirm them to give them access to Organization.
+
+### Running on unencrypted connection
+
+It is strongly recommended to run bitwarden_rs service over HTTPS. However the server itself while [supporting it](#enabling-https) does not strictly require such setup. This makes it a bit easier to spin up the service in cases where you can generally trust the connection (internal and secure network, access over VPN,..) or when you want to put the service behind HTTP proxy, that will do the encryption on the proxy end.
+
+Running over HTTP is still reasonably secure provided you use really strong master password and that you avoid using web Vault over connection that is vulnerable to MITM attacks where attacker could inject javascript into your interface. However some forms of 2FA might not work in this setup and [Vault doesn't work in this configuration in Chrome](https://github.com/bitwarden/web/issues/254).
+
 ## Get in touch
 
 To ask an question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine, also please report any bugs spotted here.

docker/set-vault-baseurl.patch

@@ -0,0 +1,28 @@
+--- a/src/app/services/services.module.ts
++++ b/src/app/services/services.module.ts
+@@ -120,20 +120,17 @@ const notificationsService = new NotificationsService(userService, syncService,
+ const environmentService = new EnvironmentService(apiService, storageService, notificationsService);
+ const auditService = new AuditService(cryptoFunctionService, apiService);
+ 
+-const analytics = new Analytics(window, () => platformUtilsService.isDev() || platformUtilsService.isSelfHost(),
++const analytics = new Analytics(window, () => platformUtilsService.isDev() || platformUtilsService.isSelfHost() || true,
+     platformUtilsService, storageService, appIdService);
+ containerService.attachToWindow(window);
+ 
+ export function initFactory(): Function {
+     return async () => {
+         await (storageService as HtmlStorageService).init();
+-        const isDev = platformUtilsService.isDev();
+-        if (!isDev && platformUtilsService.isSelfHost()) {
+-            environmentService.baseUrl = window.location.origin;
+-        } else {
+-            environmentService.notificationsUrl = isDev ? 'http://localhost:61840' :
+-                'https://notifications.bitwarden.com'; // window.location.origin + '/notifications';
+-        }
++        const isDev = false;
++        environmentService.baseUrl = window.location.origin;
++        environmentService.notificationsUrl = window.location.origin + '/notifications';
++
+         await apiService.setUrls({
+             base: isDev ? null : window.location.origin,
+             api: isDev ? 'http://localhost:4000' : null,

docker/settings.Production.json

@@ -1,9 +0,0 @@
-{
-  "appSettings": {
-    "apiUri": "/api",
-    "identityUri": "/identity",
-    "iconsUri": "/icons",
-    "stripeKey": "",
-    "braintreeKey": ""
-  }
-}

migrations/2018-08-27-172114_update_ciphers/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    password_history TEXT;

migrations/2018-09-10-111213_add_invites/down.sql

@@ -0,0 +1 @@
+DROP TABLE invitations;

migrations/2018-09-10-111213_add_invites/up.sql

@@ -0,0 +1,3 @@
+CREATE TABLE invitations (
+    email   TEXT NOT NULL PRIMARY KEY
+);

migrations/2018-09-19-144557_add_kdf_columns/up.sql

@@ -0,0 +1,7 @@
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_type INTEGER NOT NULL DEFAULT 0; -- PBKDF2
+
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_iter INTEGER NOT NULL DEFAULT 5000;

rust-toolchain

@@ -1 +1 @@
-nightly-2018-06-26
+nightly-2018-09-12

src/api/core/accounts.rs

@@ -5,6 +5,8 @@ use db::models::*;
 
 use api::{PasswordData, JsonResult, EmptyResult, JsonUpcase, NumberOrString};
 use auth::Headers;
+use fast_chemail::is_valid_email;
+use mail;
 
 use CONFIG;
 
@@ -12,6 +14,8 @@ use CONFIG;
 #[allow(non_snake_case)]
 struct RegisterData {
     Email: String,
+    Kdf: Option<i32>,
+    KdfIterations: Option<i32>,
     Key: String,
     Keys: Option<KeysData>,
     MasterPasswordHash: String,
@@ -30,15 +34,40 @@ struct KeysData {
 fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
     let data: RegisterData = data.into_inner().data;
 
-    if !CONFIG.signups_allowed {
-        err!("Signups not allowed")
+
+    let mut user = match User::find_by_mail(&data.Email, &conn) {
+        Some(mut user) => {
+            if Invitation::take(&data.Email, &conn) {
+                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+                    user_org.status = UserOrgStatus::Accepted as i32;
+                    user_org.save(&conn);
+                };
+                user
+            } else if CONFIG.signups_allowed {
+                 err!("Account with this email already exists")
+            } else {
+                 err!("Registration not allowed")
+            }
+        },
+        None => {
+            if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
+                User::new(data.Email)
+            } else {
+                err!("Registration not allowed")
+            }
+        }
+    };
+
+    if let Some(client_kdf_iter) = data.KdfIterations {
+        user.client_kdf_iter = client_kdf_iter;
     }
 
-    if User::find_by_mail(&data.Email, &conn).is_some() {
-        err!("Email already exists")
+    if let Some(client_kdf_type) = data.Kdf {
+        user.client_kdf_type = client_kdf_type;
     }
 
-    let mut user = User::new(data.Email, data.Key, data.MasterPasswordHash);
+    user.set_password(&data.MasterPasswordHash);
+    user.key = data.Key;
 
     // Add extra fields if present
     if let Some(name) = data.Name {
@@ -73,6 +102,11 @@ struct ProfileData {
     Name: String,
 }
 
+#[put("/accounts/profile", data = "<data>")]
+fn put_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
+    post_profile(data, headers, conn)
+}
+
 #[post("/accounts/profile", data = "<data>")]
 fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
     let data: ProfileData = data.into_inner().data;
@@ -80,7 +114,10 @@ fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -
     let mut user = headers.user;
 
     user.name = data.Name;
-    user.password_hint = data.MasterPasswordHint;
+    user.password_hint = match data.MasterPasswordHint {
+        Some(ref h) if h.is_empty() => None,
+        _ => data.MasterPasswordHint,
+    };
     user.save(&conn);
 
     Ok(Json(user.to_json(&conn)))
@@ -138,6 +175,35 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
     Ok(())
 }
 
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct ChangeKdfData {
+    Kdf: i32,
+    KdfIterations: i32,
+
+    MasterPasswordHash: String,
+    NewMasterPasswordHash: String,
+    Key: String,
+}
+
+#[post("/accounts/kdf", data = "<data>")]
+fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    let data: ChangeKdfData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    user.client_kdf_iter = data.KdfIterations;
+    user.client_kdf_type = data.Kdf;
+    user.set_password(&data.NewMasterPasswordHash);
+    user.key = data.Key;
+    user.save(&conn);
+
+    Ok(())
+}
+
 #[post("/accounts/security-stamp", data = "<data>")]
 fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let data: PasswordData = data.into_inner().data;
@@ -211,6 +277,11 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
 }
 
 #[post("/accounts/delete", data = "<data>")]
+fn post_delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    delete_account(data, headers, conn)
+}
+
+#[delete("/accounts", data = "<data>")]
 fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let data: PasswordData = data.into_inner().data;
     let user = headers.user;
@@ -244,6 +315,62 @@ fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn
 
 #[get("/accounts/revision-date")]
 fn revision_date(headers: Headers) -> String {
-    let revision_date = headers.user.updated_at.timestamp();
+    let revision_date = headers.user.updated_at.timestamp_millis();
     revision_date.to_string()
 }
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct PasswordHintData {
+    Email: String,
+}
+
+#[post("/accounts/password-hint", data = "<data>")]
+fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> EmptyResult {
+    let data: PasswordHintData = data.into_inner().data;
+
+    if !is_valid_email(&data.Email) {
+        err!("This email address is not valid...");
+    }
+
+    let user = User::find_by_mail(&data.Email, &conn);
+    if user.is_none() {
+        return Ok(());
+    }
+
+    let user = user.unwrap();
+    if let Some(ref mail_config) = CONFIG.mail {
+        if let Err(e) = mail::send_password_hint(&user.email, user.password_hint, mail_config) {
+            err!(format!("There have been a problem sending the email: {}", e));
+        }
+    } else if CONFIG.show_password_hint {
+        if let Some(hint) = user.password_hint {
+            err!(format!("Your password hint is: {}", &hint));
+        } else {
+            err!("Sorry, you have no password hint...");
+        }
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct PreloginData {
+    Email: String,
+}
+
+#[post("/accounts/prelogin", data = "<data>")]
+fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> JsonResult {
+    let data: PreloginData = data.into_inner().data;
+
+    let (kdf_type, kdf_iter) = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => (user.client_kdf_type, user.client_kdf_iter),
+        None => (User::CLIENT_KDF_TYPE_DEFAULT, User::CLIENT_KDF_ITER_DEFAULT),
+    };
+
+    Ok(Json(json!({
+        "Kdf": kdf_type,
+        "KdfIterations": kdf_iter
+    })))
+}

src/api/core/ciphers.rs

@@ -1,6 +1,7 @@
 use std::path::Path;
 use std::collections::HashSet;
 
+use rocket::State;
 use rocket::Data;
 use rocket::http::ContentType;
 
@@ -16,7 +17,7 @@ use db::models::*;
 
 use crypto;
 
-use api::{self, PasswordData, JsonResult, EmptyResult, JsonUpcase};
+use api::{self, PasswordData, JsonResult, EmptyResult, JsonUpcase, WebSocketUsers, UpdateType};
 use auth::Headers;
 
 use CONFIG;
@@ -86,7 +87,9 @@ fn get_cipher_details(uuid: String, headers: Headers, conn: DbConn) -> JsonResul
 
 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
-struct CipherData {
+pub struct CipherData {
+    // Id is optional as it is included only in bulk share
+    Id: Option<String>,
     // Folder id is not included in import
     FolderId: Option<String>,
     // TODO: Some of these might appear all the time, no need for Option
@@ -98,8 +101,8 @@ struct CipherData {
     Card = 3,
     Identity = 4
     */
-    Type: i32, // TODO: Change this to NumberOrString
-    Name: String,
+    pub Type: i32, // TODO: Change this to NumberOrString
+    pub Name: String,
     Notes: Option<String>,
     Fields: Option<Value>,
 
@@ -110,39 +113,41 @@ struct CipherData {
     Identity: Option<Value>,
 
     Favorite: Option<bool>,
+
+    PasswordHistory: Option<Value>,
 }
 
 #[post("/ciphers/admin", data = "<data>")]
-fn post_ciphers_admin(data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn post_ciphers_admin(data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
     // TODO: Implement this correctly
-    post_ciphers(data, headers, conn)
+    post_ciphers(data, headers, conn, ws)
 }
 
 #[post("/ciphers", data = "<data>")]
-fn post_ciphers(data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn post_ciphers(data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
     let data: CipherData = data.into_inner().data;
 
     let mut cipher = Cipher::new(data.Type, data.Name.clone());
-    update_cipher_from_data(&mut cipher, data, &headers, true, &conn)?;
+    update_cipher_from_data(&mut cipher, data, &headers, false, &conn, &ws, UpdateType::SyncCipherCreate)?;
 
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
 }
 
-fn update_cipher_from_data(cipher: &mut Cipher, data: CipherData, headers: &Headers, is_new_or_shared: bool, conn: &DbConn) -> EmptyResult {
-    if is_new_or_shared {
-        if let Some(org_id) = data.OrganizationId {
-            match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
-                None => err!("You don't have permission to add item to organization"),
-                Some(org_user) => if org_user.has_full_access() {
-                    cipher.organization_uuid = Some(org_id);
-                    cipher.user_uuid = None;
-                } else {
-                    err!("You don't have permission to add cipher directly to organization")
-                }
+pub fn update_cipher_from_data(cipher: &mut Cipher, data: CipherData, headers: &Headers, shared_to_collection: bool, conn: &DbConn, ws: &State<WebSocketUsers>, ut: UpdateType) -> EmptyResult {
+    if let Some(org_id) = data.OrganizationId {
+        match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
+            None => err!("You don't have permission to add item to organization"),
+            Some(org_user) => if shared_to_collection 
+                              || org_user.has_full_access() 
+                              || cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
+                cipher.organization_uuid = Some(org_id);
+                cipher.user_uuid = None;
+            } else {
+                err!("You don't have permission to add cipher directly to organization")
             }
-        } else {
-            cipher.user_uuid = Some(headers.user.uuid.clone());
         }
+    } else {
+        cipher.user_uuid = Some(headers.user.uuid.clone());
     }
 
     if let Some(ref folder_id) = data.FolderId {
@@ -175,6 +180,7 @@ fn update_cipher_from_data(cipher: &mut Cipher, data: CipherData, headers: &Head
     type_data["Name"] = Value::String(data.Name.clone());
     type_data["Notes"] = data.Notes.clone().map(Value::String).unwrap_or(Value::Null);
     type_data["Fields"] = data.Fields.clone().unwrap_or(Value::Null);
+    type_data["PasswordHistory"] = data.PasswordHistory.clone().unwrap_or(Value::Null);
     // TODO: ******* Backwards compat end **********
 
     cipher.favorite = data.Favorite.unwrap_or(false);
@@ -182,8 +188,10 @@ fn update_cipher_from_data(cipher: &mut Cipher, data: CipherData, headers: &Head
     cipher.notes = data.Notes;
     cipher.fields = data.Fields.map(|f| f.to_string());
     cipher.data = type_data.to_string();
+    cipher.password_history = data.PasswordHistory.map(|f| f.to_string());
 
     cipher.save(&conn);
+    ws.send_cipher_update(ut, &cipher, &cipher.update_users_revision(&conn));
 
     if cipher.move_to_folder(data.FolderId, &headers.user.uuid, &conn).is_err() {
         err!("Error saving the folder information")
@@ -213,7 +221,7 @@ struct RelationsData {
 
 
 #[post("/ciphers/import", data = "<data>")]
-fn post_ciphers_import(data: JsonUpcase<ImportData>, headers: Headers, conn: DbConn) -> EmptyResult {
+fn post_ciphers_import(data: JsonUpcase<ImportData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
     let data: ImportData = data.into_inner().data;
 
     // Read and create the folders
@@ -237,27 +245,36 @@ fn post_ciphers_import(data: JsonUpcase<ImportData>, headers: Headers, conn: DbC
             .map(|i| folders[*i].uuid.clone());
 
         let mut cipher = Cipher::new(cipher_data.Type, cipher_data.Name.clone());
-        update_cipher_from_data(&mut cipher, cipher_data, &headers, true, &conn)?;
+        update_cipher_from_data(&mut cipher, cipher_data, &headers, false, &conn, &ws, UpdateType::SyncCipherCreate)?;
 
         cipher.move_to_folder(folder_uuid, &headers.user.uuid.clone(), &conn).ok();
     }
 
-    Ok(())
+    let mut user = headers.user;
+    match user.update_revision(&conn) {
+        Ok(()) => Ok(()),
+        Err(_) => err!("Failed to update the revision, please log out and log back in to finish import.")
+    }
+}
+
+
+#[put("/ciphers/<uuid>/admin", data = "<data>")]
+fn put_cipher_admin(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+    put_cipher(uuid, data, headers, conn, ws)
 }
 
 #[post("/ciphers/<uuid>/admin", data = "<data>")]
-fn post_cipher_admin(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn) -> JsonResult {
-    // TODO: Implement this correctly
-    post_cipher(uuid, data, headers, conn)
+fn post_cipher_admin(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+    post_cipher(uuid, data, headers, conn, ws)
 }
 
 #[post("/ciphers/<uuid>", data = "<data>")]
-fn post_cipher(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn) -> JsonResult {
-    put_cipher(uuid, data, headers, conn)
+fn post_cipher(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+    put_cipher(uuid, data, headers, conn, ws)
 }
 
 #[put("/ciphers/<uuid>", data = "<data>")]
-fn put_cipher(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn put_cipher(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
     let data: CipherData = data.into_inner().data;
 
     let mut cipher = match Cipher::find_by_uuid(&uuid, &conn) {
@@ -269,7 +286,7 @@ fn put_cipher(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn
         err!("Cipher is not write accessible")
     }
 
-    update_cipher_from_data(&mut cipher, data, &headers, false, &conn)?;
+    update_cipher_from_data(&mut cipher, data, &headers, false, &conn, &ws, UpdateType::SyncCipherUpdate)?;
 
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
 }
@@ -285,6 +302,11 @@ fn post_collections_update(uuid: String, data: JsonUpcase<CollectionsAdminData>,
     post_collections_admin(uuid, data, headers, conn)
 }
 
+#[put("/ciphers/<uuid>/collections-admin", data = "<data>")]
+fn put_collections_admin(uuid: String, data: JsonUpcase<CollectionsAdminData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    post_collections_admin(uuid, data, headers, conn)
+}
+
 #[post("/ciphers/<uuid>/collections-admin", data = "<data>")]
 fn post_collections_admin(uuid: String, data: JsonUpcase<CollectionsAdminData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let data: CollectionsAdminData = data.into_inner().data;
@@ -329,9 +351,69 @@ struct ShareCipherData {
 }
 
 #[post("/ciphers/<uuid>/share", data = "<data>")]
-fn post_cipher_share(uuid: String, data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn post_cipher_share(uuid: String, data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
     let data: ShareCipherData = data.into_inner().data;
 
+    share_cipher_by_uuid(&uuid, data, &headers, &conn, &ws)
+}
+
+#[put("/ciphers/<uuid>/share", data = "<data>")]
+fn put_cipher_share(uuid: String, data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+    let data: ShareCipherData = data.into_inner().data;
+
+    share_cipher_by_uuid(&uuid, data, &headers, &conn, &ws)
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct ShareSelectedCipherData {
+    Ciphers: Vec<CipherData>,
+    CollectionIds: Vec<String>
+}
+
+#[put("/ciphers/share", data = "<data>")]
+fn put_cipher_share_seleted(data: JsonUpcase<ShareSelectedCipherData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    let mut data: ShareSelectedCipherData = data.into_inner().data;
+    let mut cipher_ids: Vec<String> = Vec::new();
+
+    if data.Ciphers.is_empty() {
+        err!("You must select at least one cipher.")
+    }
+
+    if data.CollectionIds.is_empty() {
+        err!("You must select at least one collection.")
+    }
+
+    for cipher in data.Ciphers.iter() {
+        match cipher.Id {
+            Some(ref id) => cipher_ids.push(id.to_string()),
+            None => err!("Request missing ids field")
+        };
+    }
+
+    let attachments = Attachment::find_by_ciphers(cipher_ids, &conn);
+
+    if !attachments.is_empty() {
+        err!("Ciphers should not have any attachments.")
+    }
+
+    while let Some(cipher) = data.Ciphers.pop() {
+        let mut shared_cipher_data = ShareCipherData {
+            Cipher: cipher,
+            CollectionIds: data.CollectionIds.clone()
+        };
+
+        match shared_cipher_data.Cipher.Id.take() {
+            Some(id) => share_cipher_by_uuid(&id, shared_cipher_data , &headers, &conn, &ws)?,
+            None => err!("Request missing ids field")
+
+        };
+    }
+
+    Ok(())
+}
+
+fn share_cipher_by_uuid(uuid: &str, data: ShareCipherData, headers: &Headers, conn: &DbConn, ws: &State<WebSocketUsers>) -> JsonResult {
     let mut cipher = match Cipher::find_by_uuid(&uuid, &conn) {
         Some(cipher) => {
             if cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
@@ -343,22 +425,28 @@ fn post_cipher_share(uuid: String, data: JsonUpcase<ShareCipherData>, headers: H
         None => err!("Cipher doesn't exist")
     };
 
-    match data.Cipher.OrganizationId {
+    match data.Cipher.OrganizationId.clone() {
         None => err!("Organization id not provided"),
-        Some(_) => {
-            update_cipher_from_data(&mut cipher, data.Cipher, &headers, true, &conn)?;
+        Some(organization_uuid) => {
+            let mut shared_to_collection = false;
             for uuid in &data.CollectionIds {
                 match Collection::find_by_uuid(uuid, &conn) {
                     None => err!("Invalid collection ID provided"),
                     Some(collection) => {
                         if collection.is_writable_by_user(&headers.user.uuid, &conn) {
-                            CollectionCipher::save(&cipher.uuid.clone(), &collection.uuid, &conn);
+                            if collection.org_uuid == organization_uuid {
+                                CollectionCipher::save(&cipher.uuid.clone(), &collection.uuid, &conn);
+                                shared_to_collection = true;
+                            } else {
+                                err!("Collection does not belong to organization")
+                            }
                         } else {
                             err!("No rights to modify the collection")
                         }
                     }
                 }
             }
+            update_cipher_from_data(&mut cipher, data.Cipher, &headers, shared_to_collection, &conn, &ws, UpdateType::SyncCipherUpdate)?;
 
             Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
         }
@@ -409,7 +497,10 @@ fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers
         };
 
         let attachment = Attachment::new(file_name, cipher.uuid.clone(), name, size);
-        attachment.save(&conn);
+        match attachment.save(&conn) {
+            Ok(()) => (),
+            Err(_) => println!("Error: failed to save attachment")
+        };
     }).expect("Error processing multipart data");
 
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
@@ -421,55 +512,65 @@ fn post_attachment_admin(uuid: String, data: Data, content_type: &ContentType, h
 }
 
 #[post("/ciphers/<uuid>/attachment/<attachment_id>/share", format = "multipart/form-data", data = "<data>")]
-fn post_attachment_share(uuid: String, attachment_id: String, data: Data, content_type: &ContentType, headers: Headers, conn: DbConn) -> JsonResult {
-    _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn)?;
+fn post_attachment_share(uuid: String, attachment_id: String, data: Data, content_type: &ContentType, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+    _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn, &ws)?;
     post_attachment(uuid, data, content_type, headers, conn)
 }
 
 #[post("/ciphers/<uuid>/attachment/<attachment_id>/delete-admin")]
-fn delete_attachment_post_admin(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    delete_attachment(uuid, attachment_id, headers, conn)
+fn delete_attachment_post_admin(uuid: String, attachment_id: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    delete_attachment(uuid, attachment_id, headers, conn, ws)
 }
 
 #[post("/ciphers/<uuid>/attachment/<attachment_id>/delete")]
-fn delete_attachment_post(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    delete_attachment(uuid, attachment_id, headers, conn)
+fn delete_attachment_post(uuid: String, attachment_id: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    delete_attachment(uuid, attachment_id, headers, conn, ws)
 }
 
 #[delete("/ciphers/<uuid>/attachment/<attachment_id>")]
-fn delete_attachment(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn)
+fn delete_attachment(uuid: String, attachment_id: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn, &ws)
+}
+
+#[delete("/ciphers/<uuid>/attachment/<attachment_id>/admin")]
+fn delete_attachment_admin(uuid: String, attachment_id: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn, &ws)
 }
 
 #[post("/ciphers/<uuid>/delete")]
-fn delete_cipher_post(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    _delete_cipher_by_uuid(&uuid, &headers, &conn)
+fn delete_cipher_post(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, &ws)
 }
 
 #[post("/ciphers/<uuid>/delete-admin")]
-fn delete_cipher_post_admin(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    _delete_cipher_by_uuid(&uuid, &headers, &conn)
+fn delete_cipher_post_admin(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, &ws)
 }
 
 #[delete("/ciphers/<uuid>")]
-fn delete_cipher(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    _delete_cipher_by_uuid(&uuid, &headers, &conn)
+fn delete_cipher(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, &ws)
 }
 
-#[post("/ciphers/delete", data = "<data>")]
-fn delete_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn) -> EmptyResult {
+#[delete("/ciphers/<uuid>/admin")]
+fn delete_cipher_admin(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, &ws)
+}
+
+#[delete("/ciphers", data = "<data>")]
+fn delete_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
     let data: Value = data.into_inner().data;
 
     let uuids = match data.get("Ids") {
         Some(ids) => match ids.as_array() {
-            Some(ids) => ids.iter().filter_map(|uuid| { uuid.as_str() }),
+            Some(ids) => ids.iter().filter_map(Value::as_str),
             None => err!("Posted ids field is not an array")
         },
         None => err!("Request missing ids field")
     };
 
     for uuid in uuids {
-        if let error @ Err(_) = _delete_cipher_by_uuid(uuid, &headers, &conn) {
+        if let error @ Err(_) = _delete_cipher_by_uuid(uuid, &headers, &conn, &ws) {
             return error;
         };
     }
@@ -477,8 +578,13 @@ fn delete_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbCon
     Ok(())
 }
 
+#[post("/ciphers/delete", data = "<data>")]
+fn delete_cipher_selected_post(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    delete_cipher_selected(data, headers, conn, ws)
+}
+
 #[post("/ciphers/move", data = "<data>")]
-fn move_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn) -> EmptyResult {
+fn move_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
     let data = data.into_inner().data;
 
     let folder_id = match data.get("FolderId") {
@@ -503,7 +609,7 @@ fn move_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn)
 
     let uuids = match data.get("Ids") {
         Some(ids) => match ids.as_array() {
-            Some(ids) => ids.iter().filter_map(|uuid| { uuid.as_str() }),
+            Some(ids) => ids.iter().filter_map(Value::as_str),
             None => err!("Posted ids field is not an array")
         },
         None => err!("Request missing ids field")
@@ -524,13 +630,19 @@ fn move_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn)
             err!("Error saving the folder information")
         }
         cipher.save(&conn);
+        ws.send_cipher_update(UpdateType::SyncCipherUpdate, &cipher, &cipher.update_users_revision(&conn));
     }
 
     Ok(())
 }
 
+#[put("/ciphers/move", data = "<data>")]
+fn move_cipher_selected_put(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    move_cipher_selected(data, headers, conn, ws)
+}
+
 #[post("/ciphers/purge", data = "<data>")]
-fn delete_all(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
+fn delete_all(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
     let data: PasswordData = data.into_inner().data;
     let password_hash = data.MasterPasswordHash;
 
@@ -545,20 +657,26 @@ fn delete_all(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) ->
         if cipher.delete(&conn).is_err() {
             err!("Failed deleting cipher")
         }
+        else {
+            ws.send_cipher_update(UpdateType::SyncCipherDelete, &cipher, &cipher.update_users_revision(&conn));
+        }
     }
 
     // Delete folders
     for f in Folder::find_by_user(&user.uuid, &conn) {
         if f.delete(&conn).is_err() {
             err!("Failed deleting folder")
-        } 
+        }
+        else {
+            ws.send_folder_update(UpdateType::SyncFolderCreate, &f);
+        }
     }
 
     Ok(())
 }
 
-fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn) -> EmptyResult {
-    let cipher = match Cipher::find_by_uuid(uuid, conn) {
+fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, ws: &State<WebSocketUsers>) -> EmptyResult {
+    let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
         Some(cipher) => cipher,
         None => err!("Cipher doesn't exist"),
     };
@@ -567,13 +685,16 @@ fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn) -> Empty
         err!("Cipher can't be deleted by user")
     }
 
-    match cipher.delete(conn) {
-        Ok(()) => Ok(()),
+    match cipher.delete(&conn) {
+        Ok(()) => {
+            ws.send_cipher_update(UpdateType::SyncCipherDelete, &cipher, &cipher.update_users_revision(&conn));
+            Ok(())
+        }
         Err(_) => err!("Failed deleting cipher")
     }
 }
 
-fn _delete_cipher_attachment_by_id(uuid: &str, attachment_id: &str, headers: &Headers, conn: &DbConn) -> EmptyResult {
+fn _delete_cipher_attachment_by_id(uuid: &str, attachment_id: &str, headers: &Headers, conn: &DbConn, ws: &State<WebSocketUsers>) -> EmptyResult {
     let attachment = match Attachment::find_by_id(&attachment_id, &conn) {
         Some(attachment) => attachment,
         None => err!("Attachment doesn't exist")
@@ -594,7 +715,10 @@ fn _delete_cipher_attachment_by_id(uuid: &str, attachment_id: &str, headers: &He
 
     // Delete attachment
     match attachment.delete(&conn) {
-        Ok(()) => Ok(()),
+        Ok(()) => {
+            ws.send_cipher_update(UpdateType::SyncCipherDelete, &cipher, &cipher.update_users_revision(&conn));
+            Ok(())
+        }
         Err(_) => err!("Deleting attachement failed")
     }
 }

src/api/core/folders.rs

@@ -1,9 +1,10 @@
+use rocket::State;
 use rocket_contrib::{Json, Value};
 
 use db::DbConn;
 use db::models::*;
 
-use api::{JsonResult, EmptyResult, JsonUpcase};
+use api::{JsonResult, EmptyResult, JsonUpcase, WebSocketUsers, UpdateType};
 use auth::Headers;
 
 #[get("/folders")]
@@ -40,23 +41,24 @@ pub struct FolderData {
 }
 
 #[post("/folders", data = "<data>")]
-fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
     let data: FolderData = data.into_inner().data;
 
     let mut folder = Folder::new(headers.user.uuid.clone(), data.Name);
 
     folder.save(&conn);
+    ws.send_folder_update(UpdateType::SyncFolderCreate, &folder);
 
     Ok(Json(folder.to_json()))
 }
 
 #[post("/folders/<uuid>", data = "<data>")]
-fn post_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn) -> JsonResult {
-    put_folder(uuid, data, headers, conn)
+fn post_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+    put_folder(uuid, data, headers, conn, ws)
 }
 
 #[put("/folders/<uuid>", data = "<data>")]
-fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
     let data: FolderData = data.into_inner().data;
 
     let mut folder = match Folder::find_by_uuid(&uuid, &conn) {
@@ -71,17 +73,18 @@ fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn
     folder.name = data.Name;
 
     folder.save(&conn);
+    ws.send_folder_update(UpdateType::SyncFolderUpdate, &folder);
 
     Ok(Json(folder.to_json()))
 }
 
 #[post("/folders/<uuid>/delete")]
-fn delete_folder_post(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    delete_folder(uuid, headers, conn)
+fn delete_folder_post(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    delete_folder(uuid, headers, conn, ws)
 }
 
 #[delete("/folders/<uuid>")]
-fn delete_folder(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
+fn delete_folder(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
     let folder = match Folder::find_by_uuid(&uuid, &conn) {
         Some(folder) => folder,
         _ => err!("Invalid folder")
@@ -93,7 +96,10 @@ fn delete_folder(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
 
     // Delete the actual folder entry
     match folder.delete(&conn) {
-        Ok(()) => Ok(()),
+        Ok(()) => {
+            ws.send_folder_update(UpdateType::SyncFolderDelete, &folder);
+            Ok(())
+        }
         Err(_) => err!("Failed deleting folder")
     }
 }

src/api/core/mod.rs

@@ -14,15 +14,20 @@ pub fn routes() -> Vec<Route> {
     routes![
         register,
         profile,
+        put_profile,
         post_profile,
         get_public_keys,
         post_keys,
         post_password,
+        post_kdf,
         post_sstamp,
         post_email_token,
         post_email,
         delete_account,
+        post_delete_account,
         revision_date,
+        password_hint,
+        prelogin,
 
         sync,
 
@@ -31,6 +36,7 @@ pub fn routes() -> Vec<Route> {
         get_cipher_admin,
         get_cipher_details,
         post_ciphers,
+        put_cipher_admin,
         post_ciphers_admin,
         post_ciphers_import,
         post_attachment,
@@ -39,16 +45,22 @@ pub fn routes() -> Vec<Route> {
         delete_attachment_post,
         delete_attachment_post_admin,
         delete_attachment,
+        delete_attachment_admin,
         post_cipher_admin,
         post_cipher_share,
+        put_cipher_share,
+        put_cipher_share_seleted,
         post_cipher,
         put_cipher,
         delete_cipher_post,
         delete_cipher_post_admin,
         delete_cipher,
+        delete_cipher_admin,
         delete_cipher_selected,
+        delete_cipher_selected_post,
         delete_all,
         move_cipher_selected,
+        move_cipher_selected_put,
 
         get_folders,
         get_folder,
@@ -62,33 +74,45 @@ pub fn routes() -> Vec<Route> {
         get_recover,
         recover,
         disable_twofactor,
+        disable_twofactor_put,
         generate_authenticator,
         activate_authenticator,
+        activate_authenticator_put,
         generate_u2f,
         activate_u2f,
+        activate_u2f_put,
 
         get_organization,
         create_organization,
         delete_organization,
+        post_delete_organization,
         leave_organization,
         get_user_collections,
         get_org_collections,
         get_org_collection_detail,
         get_collection_users,
+        put_organization,
         post_organization,
         post_organization_collections,
+        delete_organization_collection_user,
         post_organization_collection_delete_user,
         post_organization_collection_update,
+        put_organization_collection_update,
+        delete_organization_collection,
         post_organization_collection_delete,
         post_collections_update,
         post_collections_admin,
+        put_collections_admin,
         get_org_details,
         get_org_users,
         send_invite,
         confirm_invite,
         get_user,
         edit_user,
+        put_organization_user,
         delete_user,
+        post_delete_user,
+        post_org_import,
 
         clear_device_token,
         put_device_token,

src/api/core/organizations.rs

@@ -1,13 +1,14 @@
-#![allow(unused_imports)]
-
+use rocket::State;
 use rocket_contrib::{Json, Value};
-
+use CONFIG;
 use db::DbConn;
 use db::models::*;
 
-use api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase};
+use api::{PasswordData, JsonResult, EmptyResult, NumberOrString, JsonUpcase, WebSocketUsers, UpdateType};
 use auth::{Headers, AdminHeaders, OwnerHeaders};
 
+use serde::{Deserialize, Deserializer};
+
 
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
@@ -17,7 +18,7 @@ struct OrgData {
     Key: String,
     Name: String,
     #[serde(rename = "PlanType")]
-    _PlanType: String, // Ignored, always use the same plan
+    _PlanType: NumberOrString, // Ignored, always use the same plan
 }
 
 #[derive(Deserialize, Debug)]
@@ -55,7 +56,7 @@ fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn
     Ok(Json(org.to_json()))
 }
 
-#[post("/organizations/<org_id>/delete", data = "<data>")]
+#[delete("/organizations/<org_id>", data = "<data>")]
 fn delete_organization(org_id: String, data: JsonUpcase<PasswordData>, headers: OwnerHeaders, conn: DbConn) -> EmptyResult {
     let data: PasswordData = data.into_inner().data;
     let password_hash = data.MasterPasswordHash;
@@ -73,6 +74,11 @@ fn delete_organization(org_id: String, data: JsonUpcase<PasswordData>, headers:
     }
 }
 
+#[post("/organizations/<org_id>/delete", data = "<data>")]
+fn post_delete_organization(org_id: String, data: JsonUpcase<PasswordData>, headers: OwnerHeaders, conn: DbConn) -> EmptyResult {
+    delete_organization(org_id, data, headers, conn)
+}
+
 #[post("/organizations/<org_id>/leave")]
 fn leave_organization(org_id: String, headers: Headers, conn: DbConn) -> EmptyResult {
     match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
@@ -104,6 +110,11 @@ fn get_organization(org_id: String, _headers: OwnerHeaders, conn: DbConn) -> Jso
     }
 }
 
+#[put("/organizations/<org_id>", data = "<data>")]
+fn put_organization(org_id: String, headers: OwnerHeaders, data: JsonUpcase<OrganizationUpdateData>, conn: DbConn) -> JsonResult {
+    post_organization(org_id, headers, data, conn)
+}
+
 #[post("/organizations/<org_id>", data = "<data>")]
 fn post_organization(org_id: String, _headers: OwnerHeaders, data: JsonUpcase<OrganizationUpdateData>, conn: DbConn) -> JsonResult {
     let data: OrganizationUpdateData = data.into_inner().data;
@@ -128,9 +139,8 @@ fn get_user_collections(headers: Headers, conn: DbConn) -> JsonResult {
         "Data":
             Collection::find_by_user_uuid(&headers.user.uuid, &conn)
             .iter()
-            .map(|collection| {
-                collection.to_json()
-            }).collect::<Value>(),
+            .map(Collection::to_json)
+            .collect::<Value>(),
         "Object": "list"
     })))
 }
@@ -141,9 +151,8 @@ fn get_org_collections(org_id: String, _headers: AdminHeaders, conn: DbConn) ->
         "Data":
             Collection::find_by_organization(&org_id, &conn)
             .iter()
-            .map(|collection| {
-                collection.to_json()
-            }).collect::<Value>(),
+            .map(Collection::to_json)
+            .collect::<Value>(),
         "Object": "list"
     })))
 }
@@ -164,6 +173,11 @@ fn post_organization_collections(org_id: String, _headers: AdminHeaders, data: J
     Ok(Json(collection.to_json()))
 }
 
+#[put("/organizations/<org_id>/collections/<col_id>", data = "<data>")]
+fn put_organization_collection_update(org_id: String, col_id: String, headers: AdminHeaders, data: JsonUpcase<NewCollectionData>, conn: DbConn) -> JsonResult {
+    post_organization_collection_update(org_id, col_id, headers, data, conn)
+}
+
 #[post("/organizations/<org_id>/collections/<col_id>", data = "<data>")]
 fn post_organization_collection_update(org_id: String, col_id: String, _headers: AdminHeaders, data: JsonUpcase<NewCollectionData>, conn: DbConn) -> JsonResult {
     let data: NewCollectionData = data.into_inner().data;
@@ -188,8 +202,9 @@ fn post_organization_collection_update(org_id: String, col_id: String, _headers:
     Ok(Json(collection.to_json()))
 }
 
-#[post("/organizations/<org_id>/collections/<col_id>/delete-user/<org_user_id>")]
-fn post_organization_collection_delete_user(org_id: String, col_id: String, org_user_id: String, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+
+#[delete("/organizations/<org_id>/collections/<col_id>/user/<org_user_id>")]
+fn delete_organization_collection_user(org_id: String, col_id: String, org_user_id: String, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
     let collection = match Collection::find_by_uuid(&col_id, &conn) {
         None => err!("Collection not found"),
         Some(collection) => if collection.org_uuid == org_id {
@@ -199,7 +214,7 @@ fn post_organization_collection_delete_user(org_id: String, col_id: String, org_
         }
     };
 
-    match UserOrganization::find_by_uuid(&org_user_id, &conn) {
+    match UserOrganization::find_by_uuid_and_org(&org_user_id, &org_id, &conn) {
         None => err!("User not found in organization"),
         Some(user_org) => {
             match CollectionUser::find_by_collection_and_user(&collection.uuid, &user_org.user_uuid, &conn) {
@@ -215,17 +230,13 @@ fn post_organization_collection_delete_user(org_id: String, col_id: String, org_
     }
 }
 
-#[derive(Deserialize, Debug)]
-#[allow(non_snake_case)]
-struct DeleteCollectionData {
-    Id: String,
-    OrgId: String,
+#[post("/organizations/<org_id>/collections/<col_id>/delete-user/<org_user_id>")]
+fn post_organization_collection_delete_user(org_id: String, col_id: String, org_user_id: String, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+    delete_organization_collection_user(org_id, col_id, org_user_id, headers, conn)
 }
 
-#[post("/organizations/<org_id>/collections/<col_id>/delete", data = "<data>")]
-fn post_organization_collection_delete(org_id: String, col_id: String, _headers: AdminHeaders, data: JsonUpcase<DeleteCollectionData>, conn: DbConn) -> EmptyResult {
-    let _data: DeleteCollectionData = data.into_inner().data;
-
+#[delete("/organizations/<org_id>/collections/<col_id>")]
+fn delete_organization_collection(org_id: String, col_id: String, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
     match Collection::find_by_uuid(&col_id, &conn) {
         None => err!("Collection not found"),
         Some(collection) => if collection.org_uuid == org_id {
@@ -239,6 +250,18 @@ fn post_organization_collection_delete(org_id: String, col_id: String, _headers:
     }
 }
 
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct DeleteCollectionData {
+    Id: String,
+    OrgId: String,
+}
+
+#[post("/organizations/<org_id>/collections/<col_id>/delete", data = "<_data>")]
+fn post_organization_collection_delete(org_id: String, col_id: String, headers: AdminHeaders, _data: JsonUpcase<DeleteCollectionData>, conn: DbConn) -> EmptyResult {
+    delete_organization_collection(org_id, col_id, headers, conn)
+}
+
 #[get("/organizations/<org_id>/collections/<coll_id>/details")]
 fn get_org_collection_detail(org_id: String, coll_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult {
     match Collection::find_by_uuid_and_user(&coll_id, &headers.user.uuid, &conn) {
@@ -266,7 +289,7 @@ fn get_collection_users(org_id: String, coll_id: String, _headers: AdminHeaders,
     .iter().map(|col_user|  {
         UserOrganization::find_by_user_and_org(&col_user.user_uuid, &org_id, &conn)
         .unwrap()
-        .to_json_collection_user_details(&col_user.read_only, &conn)
+        .to_json_collection_user_details(col_user.read_only, &conn)
     }).collect();
 
     Ok(Json(json!({
@@ -308,6 +331,14 @@ fn get_org_users(org_id: String, headers: AdminHeaders, conn: DbConn) -> JsonRes
     })))
 }
 
+fn deserialize_collections<'de, D>(deserializer: D) -> Result<Vec<CollectionData>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    // Deserialize null to empty Vec
+    Deserialize::deserialize(deserializer).or(Ok(vec![])) 
+}
+
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct CollectionData {
@@ -320,6 +351,7 @@ struct CollectionData {
 struct InviteData {
     Emails: Vec<String>,
     Type: NumberOrString,
+    #[serde(deserialize_with = "deserialize_collections")]
     Collections: Vec<CollectionData>,
     AccessAll: Option<bool>,
 }
@@ -338,54 +370,70 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
         err!("Only Owners can invite Admins or Owners")
     }
 
-    for user_opt in data.Emails.iter().map(|email| User::find_by_mail(email, &conn)) {
-        match user_opt {
-            None => err!("User email does not exist"),
-            Some(user) => {
-                if UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn).is_some() {
-                    err!("User already in organization")
+    for email in data.Emails.iter() {
+        let mut user_org_status = UserOrgStatus::Accepted as i32;
+        let user = match User::find_by_mail(&email, &conn) {
+            None => if CONFIG.invitations_allowed { // Invite user if that's enabled
+                let mut invitation = Invitation::new(email.clone());
+                match invitation.save(&conn) {
+                    Ok(()) => {
+                        let mut user = User::new(email.clone());
+                        if user.save(&conn) {
+                            user_org_status = UserOrgStatus::Invited as i32;
+                            user
+                        } else {
+                            err!("Failed to create placeholder for invited user")
+                        }
+                    }
+                    Err(_) => err!(format!("Failed to invite: {}", email))
                 }
+                
+            } else {
+                err!(format!("User email does not exist: {}", email))
+            },
+            Some(user) => if UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn).is_some() {
+                err!(format!("User already in organization: {}", email))
+            } else {
+                user
+            }
 
-                let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
-                let access_all = data.AccessAll.unwrap_or(false);
-                new_user.access_all = access_all;
-                new_user.type_ = new_type;
+        };
 
-                // If no accessAll, add the collections received
-                if !access_all {
-                    for col in &data.Collections {
-                        match Collection::find_by_uuid_and_org(&col.Id, &org_id, &conn) {
-                            None => err!("Collection not found in Organization"),
-                            Some(collection) => {
-                                if CollectionUser::save(&user.uuid, &collection.uuid, col.ReadOnly, &conn).is_err() {
-                                    err!("Failed saving collection access for user")
-                                }
-                            }
+        let mut new_user = UserOrganization::new(user.uuid.clone(), org_id.clone());
+        let access_all = data.AccessAll.unwrap_or(false);
+        new_user.access_all = access_all;
+        new_user.type_ = new_type;
+        new_user.status = user_org_status;
+
+        // If no accessAll, add the collections received
+        if !access_all {
+            for col in &data.Collections {
+                match Collection::find_by_uuid_and_org(&col.Id, &org_id, &conn) {
+                    None => err!("Collection not found in Organization"),
+                    Some(collection) => {
+                        if CollectionUser::save(&user.uuid, &collection.uuid, col.ReadOnly, &conn).is_err() {
+                            err!("Failed saving collection access for user")
                         }
                     }
                 }
-
-                new_user.save(&conn);
             }
         }
+
+        new_user.save(&conn);
     }
 
     Ok(())
 }
 
-#[post("/organizations/<org_id>/users/<user_id>/confirm", data = "<data>")]
-fn confirm_invite(org_id: String, user_id: String, data: JsonUpcase<Value>, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+#[post("/organizations/<org_id>/users/<org_user_id>/confirm", data = "<data>")]
+fn confirm_invite(org_id: String, org_user_id: String, data: JsonUpcase<Value>, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
     let data = data.into_inner().data;
 
-    let mut user_to_confirm = match UserOrganization::find_by_uuid(&user_id, &conn) {
+    let mut user_to_confirm = match UserOrganization::find_by_uuid_and_org(&org_user_id, &org_id, &conn) {
         Some(user) => user,
-        None => err!("Failed to find user membership")
+        None => err!("The specified user isn't a member of the organization")
     };
 
-    if user_to_confirm.org_uuid != org_id {
-        err!("The specified user isn't a member of the organization")
-    }
-
     if user_to_confirm.type_ != UserOrgType::User as i32 &&
         headers.org_user_type != UserOrgType::Owner as i32 {
         err!("Only Owners can confirm Admins or Owners")
@@ -406,17 +454,13 @@ fn confirm_invite(org_id: String, user_id: String, data: JsonUpcase<Value>, head
     Ok(())
 }
 
-#[get("/organizations/<org_id>/users/<user_id>")]
-fn get_user(org_id: String, user_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
-    let user = match UserOrganization::find_by_uuid(&user_id, &conn) {
+#[get("/organizations/<org_id>/users/<org_user_id>")]
+fn get_user(org_id: String, org_user_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let user = match UserOrganization::find_by_uuid_and_org(&org_user_id, &org_id, &conn) {
         Some(user) => user,
-        None => err!("Failed to find user membership")
+        None => err!("The specified user isn't a member of the organization")
     };
 
-    if user.org_uuid != org_id {
-        err!("The specified user isn't a member of the organization")
-    }
-
     Ok(Json(user.to_json_details(&conn)))
 }
 
@@ -424,12 +468,18 @@ fn get_user(org_id: String, user_id: String, _headers: AdminHeaders, conn: DbCon
 #[allow(non_snake_case)]
 struct EditUserData {
     Type: NumberOrString,
+    #[serde(deserialize_with = "deserialize_collections")]
     Collections: Vec<CollectionData>,
     AccessAll: bool,
 }
 
-#[post("/organizations/<org_id>/users/<user_id>", data = "<data>", rank = 1)]
-fn edit_user(org_id: String, user_id: String, data: JsonUpcase<EditUserData>, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+#[put("/organizations/<org_id>/users/<org_user_id>", data = "<data>", rank = 1)]
+fn put_organization_user(org_id: String, org_user_id: String, data: JsonUpcase<EditUserData>, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+    edit_user(org_id, org_user_id, data, headers, conn)
+}
+
+#[post("/organizations/<org_id>/users/<org_user_id>", data = "<data>", rank = 1)]
+fn edit_user(org_id: String, org_user_id: String, data: JsonUpcase<EditUserData>, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
     let data: EditUserData = data.into_inner().data;
 
     let new_type = match UserOrgType::from_str(&data.Type.into_string()) {
@@ -437,19 +487,22 @@ fn edit_user(org_id: String, user_id: String, data: JsonUpcase<EditUserData>, he
         None => err!("Invalid type")
     };
 
-    let mut user_to_edit = match UserOrganization::find_by_uuid(&user_id, &conn) {
+    let mut user_to_edit = match UserOrganization::find_by_uuid_and_org(&org_user_id, &org_id, &conn) {
         Some(user) => user,
         None => err!("The specified user isn't member of the organization")
     };
 
-    if new_type != UserOrgType::User as i32 &&
+    if new_type != user_to_edit.type_ as i32 && (
+            user_to_edit.type_ <= UserOrgType::Admin as i32 ||
+            new_type <= UserOrgType::Admin as i32
+        ) &&
         headers.org_user_type != UserOrgType::Owner as i32 {
-        err!("Only Owners can grant Admin or Owner type")
+        err!("Only Owners can grant and remove Admin or Owner privileges")
     }
 
-    if user_to_edit.type_ != UserOrgType::User as i32 &&
+    if user_to_edit.type_ == UserOrgType::Owner as i32 &&
         headers.org_user_type != UserOrgType::Owner as i32 {
-        err!("Only Owners can edit Admin or Owner")
+        err!("Only Owners can edit Owner users")
     }
 
     if user_to_edit.type_ == UserOrgType::Owner as i32 &&
@@ -494,9 +547,9 @@ fn edit_user(org_id: String, user_id: String, data: JsonUpcase<EditUserData>, he
     Ok(())
 }
 
-#[post("/organizations/<org_id>/users/<user_id>/delete")]
-fn delete_user(org_id: String, user_id: String, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
-    let user_to_delete = match UserOrganization::find_by_uuid(&user_id, &conn) {
+#[delete("/organizations/<org_id>/users/<org_user_id>")]
+fn delete_user(org_id: String, org_user_id: String, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+    let user_to_delete = match UserOrganization::find_by_uuid_and_org(&org_user_id, &org_id, &conn) {
         Some(user) => user,
         None => err!("User to delete isn't member of the organization")
     };
@@ -521,4 +574,78 @@ fn delete_user(org_id: String, user_id: String, headers: AdminHeaders, conn: DbC
         Ok(()) => Ok(()),
         Err(_) => err!("Failed deleting user from organization")
     }
+}
+
+#[post("/organizations/<org_id>/users/<org_user_id>/delete")]
+fn post_delete_user(org_id: String, org_user_id: String, headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+    delete_user(org_id, org_user_id, headers, conn)
+}
+
+use super::ciphers::CipherData;
+use super::ciphers::update_cipher_from_data;
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct ImportData {
+    Ciphers: Vec<CipherData>,
+    Collections: Vec<NewCollectionData>,
+    CollectionRelationships: Vec<RelationsData>,
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct RelationsData {
+    // Cipher index
+    Key: usize,
+    // Collection index
+    Value: usize,
+}
+
+#[post("/ciphers/import-organization?<query>", data = "<data>")]
+fn post_org_import(query: OrgIdData, data: JsonUpcase<ImportData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+    let data: ImportData = data.into_inner().data;
+    let org_id = query.organizationId;
+
+    let org_user = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
+        Some(user) => user,
+        None => err!("User is not part of the organization")
+    };
+
+    if org_user.type_ > UserOrgType::Admin as i32 {
+        err!("Only admins or owners can import into an organization")
+    }
+
+    // Read and create the collections
+    let collections: Vec<_> = data.Collections.into_iter().map(|coll| {
+        let mut collection = Collection::new(org_id.clone(), coll.Name);
+        collection.save(&conn);
+        collection
+    }).collect();
+
+    // Read the relations between collections and ciphers
+    let mut relations = Vec::new();
+    for relation in data.CollectionRelationships {
+        relations.push((relation.Key, relation.Value));
+    }
+
+    // Read and create the ciphers
+    let ciphers: Vec<_> = data.Ciphers.into_iter().map(|cipher_data| {
+        let mut cipher = Cipher::new(cipher_data.Type, cipher_data.Name.clone());
+        update_cipher_from_data(&mut cipher, cipher_data, &headers, false, &conn, &ws, UpdateType::SyncCipherCreate).ok();
+        cipher
+    }).collect();
+
+    // Assign the collections
+    for (cipher_index, coll_index) in relations {
+        let cipher_id = &ciphers[cipher_index].uuid;
+        let coll_id = &collections[coll_index].uuid;
+
+        CollectionCipher::save(cipher_id, coll_id, &conn);
+    }
+
+    let mut user = headers.user;
+    match user.update_revision(&conn) {
+        Ok(()) => Ok(()),
+        Err(_) => err!("Failed to update the revision, please log out and log back in to finish import.")
+    }
 }

src/api/core/two_factor.rs

@@ -112,6 +112,15 @@ fn disable_twofactor(
     })))
 }
 
+#[put("/two-factor/disable", data = "<data>")]
+fn disable_twofactor_put(
+    data: JsonUpcase<DisableTwoFactorData>,
+    headers: Headers,
+    conn: DbConn,
+) -> JsonResult {
+    disable_twofactor(data, headers, conn)
+}
+
 #[post("/two-factor/get-authenticator", data = "<data>")]
 fn generate_authenticator(
     data: JsonUpcase<PasswordData>,
@@ -194,6 +203,15 @@ fn activate_authenticator(
     })))
 }
 
+#[put("/two-factor/authenticator", data = "<data>")]
+fn activate_authenticator_put(
+    data: JsonUpcase<EnableAuthenticatorData>,
+    headers: Headers,
+    conn: DbConn,
+) -> JsonResult {
+    activate_authenticator(data, headers, conn)
+}
+
 fn _generate_recover_code(user: &mut User, conn: &DbConn) {
     if user.totp_recover.is_none() {
         let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20]));
@@ -275,7 +293,7 @@ impl RegisterResponseCopy {
         RegisterResponse {
             registration_data: self.registration_data,
             version: self.version,
-            challenge: challenge,
+            challenge,
             client_data: self.client_data,
         }
     }
@@ -356,6 +374,11 @@ fn activate_u2f(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn)
     }
 }
 
+#[put("/two-factor/u2f", data = "<data>")]
+fn activate_u2f_put(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_u2f(data,headers, conn)
+}
+
 fn _create_u2f_challenge(user_uuid: &str, type_: TwoFactorType, conn: &DbConn) -> Challenge {
     let challenge = U2F.generate_challenge().unwrap();
 

src/api/icons.rs

@@ -18,7 +18,7 @@ fn icon(domain: String) -> Content<Vec<u8>> {
     let icon_type = ContentType::new("image", "x-icon");
 
     // Validate the domain to avoid directory traversal attacks
-    if domain.contains("/") || domain.contains("..") {
+    if domain.contains('/') || domain.contains("..") {
         return Content(icon_type, get_fallback_icon());
     }
 

src/api/identity.rs

@@ -1,4 +1,5 @@
 use std::collections::HashMap;
+use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 
 use rocket::request::{self, Form, FormItems, FromForm, FromRequest, Request};
 use rocket::{Outcome, Route};
@@ -21,12 +22,12 @@ pub fn routes() -> Vec<Route> {
 }
 
 #[post("/connect/token", data = "<connect_data>")]
-fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn) -> JsonResult {
+fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn, socket: Option<SocketAddr>) -> JsonResult {
     let data = connect_data.get();
 
     match data.grant_type {
         GrantType::RefreshToken => _refresh_login(data, device_type, conn),
-        GrantType::Password => _password_login(data, device_type, conn),
+        GrantType::Password => _password_login(data, device_type, conn, socket),
     }
 }
 
@@ -57,7 +58,13 @@ fn _refresh_login(data: &ConnectData, _device_type: DeviceType, conn: DbConn) ->
     })))
 }
 
-fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) -> JsonResult {
+fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn, remote: Option<SocketAddr>) -> JsonResult {
+    // Get the ip for error reporting
+    let ip = match remote {
+        Some(ip) => ip.ip(),
+        None => IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)),
+    };
+
     // Validate scope
     let scope = data.get("scope");
     if scope != "api offline_access" {
@@ -68,13 +75,19 @@ fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) ->
     let username = data.get("username");
     let user = match User::find_by_mail(username, &conn) {
         Some(user) => user,
-        None => err!("Username or password is incorrect. Try again."),
+        None => err!(format!(
+            "Username or password is incorrect. Try again. IP: {}. Username: {}.",
+            ip, username
+        )),
     };
 
     // Check password
     let password = data.get("password");
     if !user.check_valid_password(password) {
-        err!("Username or password is incorrect. Try again.")
+        err!(format!(
+            "Username or password is incorrect. Try again. IP: {}. Username: {}.",
+            ip, username
+        ))
     }
 
     // Let's only use the header and ignore the 'devicetype' parameter
@@ -145,11 +158,11 @@ fn twofactor_auth(
     let providers: Vec<_> = twofactors.iter().map(|tf| tf.type_).collect();
 
     // No twofactor token if twofactor is disabled
-    if twofactors.len() == 0 {
+    if twofactors.is_empty() {
         return Ok(None);
     }
 
-    let provider = match util::parse_option_string(data.get_opt("twoFactorProvider")) {
+    let provider = match util::try_parse_string(data.get_opt("twoFactorProvider")) {
         Some(provider) => provider,
         None => providers[0], // If we aren't given a two factor provider, asume the first one
     };
@@ -194,7 +207,7 @@ fn twofactor_auth(
         _ => err!("Invalid two factor provider"),
     }
 
-    if util::parse_option_string(data.get_opt("twoFactorRemember")).unwrap_or(0) == 1 {
+    if util::try_parse_string_or(data.get_opt("twoFactorRemember"), 0) == 1 {
         Ok(Some(device.refresh_twofactor_remember()))
     } else {
         device.delete_twofactor_remember();
@@ -261,7 +274,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for DeviceType {
     fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
         let headers = request.headers();
         let type_opt = headers.get_one("Device-Type");
-        let type_num = util::parse_option_string(type_opt).unwrap_or(0);
+        let type_num = util::try_parse_string_or(type_opt, 0);
 
         Outcome::Success(DeviceType(type_num))
     }

src/api/mod.rs

@@ -2,11 +2,14 @@ pub(crate) mod core;
 mod icons;
 mod identity;
 mod web;
+mod notifications;
 
 pub use self::core::routes as core_routes;
 pub use self::icons::routes as icons_routes;
 pub use self::identity::routes as identity_routes;
 pub use self::web::routes as web_routes;
+pub use self::notifications::routes as notifications_routes;
+pub use self::notifications::{start_notification_server, WebSocketUsers, UpdateType};
 
 use rocket::response::status::BadRequest;
 use rocket_contrib::Json;

src/api/notifications.rs

@@ -0,0 +1,366 @@
+use rocket::Route;
+use rocket_contrib::Json;
+
+use api::JsonResult;
+use auth::Headers;
+use db::DbConn;
+
+use CONFIG;
+
+pub fn routes() -> Vec<Route> {
+    routes![negotiate, websockets_err]
+}
+
+#[get("/hub")]
+fn websockets_err() -> JsonResult {
+    err!("'/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.")
+}
+
+#[post("/hub/negotiate")]
+fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult {
+    use crypto;
+    use data_encoding::BASE64URL;
+
+    let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16]));
+
+    // TODO: Implement transports
+    // Rocket WS support: https://github.com/SergioBenitez/Rocket/issues/90
+    // Rocket SSE support: https://github.com/SergioBenitez/Rocket/issues/33
+    Ok(Json(json!({
+        "connectionId": conn_id,
+        "availableTransports":[
+                {"transport":"WebSockets", "transferFormats":["Text","Binary"]},
+                // {"transport":"ServerSentEvents", "transferFormats":["Text"]},
+                // {"transport":"LongPolling", "transferFormats":["Text","Binary"]}
+        ]
+    })))
+}
+
+///
+/// Websockets server
+///
+use std::sync::Arc;
+use std::thread;
+
+use ws::{self, util::Token, Factory, Handler, Handshake, Message, Sender, WebSocket};
+
+use chashmap::CHashMap;
+use chrono::NaiveDateTime;
+use serde_json::from_str;
+
+use db::models::{Cipher, Folder, User};
+
+use rmpv::Value;
+
+fn serialize(val: Value) -> Vec<u8> {
+    use rmpv::encode::write_value;
+
+    let mut buf = Vec::new();
+    write_value(&mut buf, &val).expect("Error encoding MsgPack");
+
+    // Add size bytes at the start
+    // Extracted from BinaryMessageFormat.js
+    let mut size: usize = buf.len();
+    let mut len_buf: Vec<u8> = Vec::new();
+
+    loop {
+        let mut size_part = size & 0x7f;
+        size >>= 7;
+
+        if size > 0 {
+            size_part |= 0x80;
+        }
+
+        len_buf.push(size_part as u8);
+
+        if size == 0 {
+            break;
+        }
+    }
+
+    len_buf.append(&mut buf);
+    len_buf
+}
+
+fn serialize_date(date: NaiveDateTime) -> Value {
+    let seconds: i64 = date.timestamp();
+    let nanos: i64 = date.timestamp_subsec_nanos() as i64;
+    let timestamp = nanos << 34 | seconds;
+
+    use byteorder::{BigEndian, WriteBytesExt};
+
+    let mut bs = [0u8; 8];
+    bs.as_mut()
+        .write_i64::<BigEndian>(timestamp)
+        .expect("Unable to write");
+
+    // -1 is Timestamp
+    // https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type
+    Value::Ext(-1, bs.to_vec())
+}
+
+fn convert_option<T: Into<Value>>(option: Option<T>) -> Value {
+    match option {
+        Some(a) => a.into(),
+        None => Value::Nil,
+    }
+}
+
+// Server WebSocket handler
+pub struct WSHandler {
+    out: Sender,
+    user_uuid: Option<String>,
+    users: WebSocketUsers,
+}
+
+const RECORD_SEPARATOR: u8 = 0x1e;
+const INITIAL_RESPONSE: [u8; 3] = [0x7b, 0x7d, RECORD_SEPARATOR]; // {, }, <RS>
+
+#[derive(Deserialize)]
+struct InitialMessage {
+    protocol: String,
+    version: i32,
+}
+
+const PING_MS: u64 = 15_000;
+const PING: Token = Token(1);
+
+impl Handler for WSHandler {
+    fn on_open(&mut self, hs: Handshake) -> ws::Result<()> {
+        // TODO: Improve this split
+        let path = hs.request.resource();
+        let mut query_split: Vec<_> = path.split('?').nth(1).unwrap().split('&').collect();
+        query_split.sort();
+        let access_token = &query_split[0][13..];
+        let _id = &query_split[1][3..];
+
+        // Validate the user
+        use auth;
+        let claims = match auth::decode_jwt(access_token) {
+            Ok(claims) => claims,
+            Err(_) => {
+                return Err(ws::Error::new(
+                    ws::ErrorKind::Internal,
+                    "Invalid access token provided",
+                ))
+            }
+        };
+
+        // Assign the user to the handler
+        let user_uuid = claims.sub;
+        self.user_uuid = Some(user_uuid.clone());
+
+        // Add the current Sender to the user list
+        let handler_insert = self.out.clone();
+        let handler_update = self.out.clone();
+
+        self.users.map.upsert(
+            user_uuid,
+            || vec![handler_insert],
+            |ref mut v| v.push(handler_update),
+        );
+
+        // Schedule a ping to keep the connection alive
+        self.out.timeout(PING_MS, PING)
+    }
+
+    fn on_message(&mut self, msg: Message) -> ws::Result<()> {
+        println!("Server got message '{}'. ", msg);
+
+        if let Message::Text(text) = msg.clone() {
+            let json = &text[..text.len() - 1]; // Remove last char
+
+            if let Ok(InitialMessage { protocol, version }) = from_str::<InitialMessage>(json) {
+                if &protocol == "messagepack" && version == 1 {
+                    return self.out.send(&INITIAL_RESPONSE[..]); // Respond to initial message
+                }
+            }
+        }
+
+        // If it's not the initial message, just echo the message
+        self.out.send(msg)
+    }
+
+    fn on_timeout(&mut self, event: Token) -> ws::Result<()> {
+        if event == PING {
+            // send ping
+            self.out.send(create_ping())?;
+
+            // reschedule the timeout
+            self.out.timeout(PING_MS, PING)
+        } else {
+            Err(ws::Error::new(
+                ws::ErrorKind::Internal,
+                "Invalid timeout token provided",
+            ))
+        }
+    }
+}
+
+struct WSFactory {
+    pub users: WebSocketUsers,
+}
+
+impl WSFactory {
+    pub fn init() -> Self {
+        WSFactory {
+            users: WebSocketUsers {
+                map: Arc::new(CHashMap::new()),
+            },
+        }
+    }
+}
+
+impl Factory for WSFactory {
+    type Handler = WSHandler;
+
+    fn connection_made(&mut self, out: Sender) -> Self::Handler {
+        println!("WS: Connection made");
+        WSHandler {
+            out,
+            user_uuid: None,
+            users: self.users.clone(),
+        }
+    }
+
+    fn connection_lost(&mut self, handler: Self::Handler) {
+        println!("WS: Connection lost");
+
+        // Remove handler
+        let user_uuid = &handler.user_uuid.unwrap();
+        if let Some(mut user_conn) = self.users.map.get_mut(user_uuid) {
+            user_conn.remove_item(&handler.out);
+        }
+    }
+}
+
+#[derive(Clone)]
+pub struct WebSocketUsers {
+    pub map: Arc<CHashMap<String, Vec<Sender>>>,
+}
+
+impl WebSocketUsers {
+    fn send_update(&self, user_uuid: &String, data: Vec<u8>) -> ws::Result<()> {
+        if let Some(user) = self.map.get(user_uuid) {
+            for sender in user.iter() {
+                sender.send(data.clone())?;
+            }
+        }
+        Ok(())
+    }
+
+    // NOTE: The last modified date needs to be updated before calling these methods
+    pub fn send_user_update(&self, ut: UpdateType, user: &User) {
+        let data = create_update(
+            vec![
+                ("UserId".into(), user.uuid.clone().into()),
+                ("Date".into(), serialize_date(user.updated_at)),
+            ],
+            ut,
+        );
+
+        self.send_update(&user.uuid.clone(), data).ok();
+    }
+
+    pub fn send_folder_update(&self, ut: UpdateType, folder: &Folder) {
+        let data = create_update(
+            vec![
+                ("Id".into(), folder.uuid.clone().into()),
+                ("UserId".into(), folder.user_uuid.clone().into()),
+                ("RevisionDate".into(), serialize_date(folder.updated_at)),
+            ],
+            ut,
+        );
+
+        self.send_update(&folder.user_uuid, data).ok();
+    }
+
+    pub fn send_cipher_update(&self, ut: UpdateType, cipher: &Cipher, user_uuids: &Vec<String>) {
+        let user_uuid = convert_option(cipher.user_uuid.clone());
+        let org_uuid = convert_option(cipher.organization_uuid.clone());
+
+        let data = create_update(
+            vec![
+                ("Id".into(), cipher.uuid.clone().into()),
+                ("UserId".into(), user_uuid),
+                ("OrganizationId".into(), org_uuid),
+                ("CollectionIds".into(), Value::Nil),
+                ("RevisionDate".into(), serialize_date(cipher.updated_at)),
+            ],
+            ut,
+        );
+
+        for uuid in user_uuids {
+            self.send_update(&uuid, data.clone()).ok();
+        }
+    }
+}
+
+/* Message Structure
+[
+    1, // MessageType.Invocation
+    {}, // Headers
+    null, // InvocationId
+    "ReceiveMessage", // Target
+    [ // Arguments
+        {
+            "ContextId": "app_id",
+            "Type": ut as i32,
+            "Payload": {}
+        }
+    ]
+]
+*/
+fn create_update(payload: Vec<(Value, Value)>, ut: UpdateType) -> Vec<u8> {
+    use rmpv::Value as V;
+
+    let value = V::Array(vec![
+        1.into(),
+        V::Array(vec![]),
+        V::Nil,
+        "ReceiveMessage".into(),
+        V::Array(vec![V::Map(vec![
+            ("ContextId".into(), "app_id".into()),
+            ("Type".into(), (ut as i32).into()),
+            ("Payload".into(), payload.into()),
+        ])]),
+    ]);
+
+    serialize(value)
+}
+
+fn create_ping() -> Vec<u8> {
+    serialize(Value::Array(vec![6.into()]))
+}
+
+#[allow(dead_code)]
+pub enum UpdateType {
+    SyncCipherUpdate = 0,
+    SyncCipherCreate = 1,
+    SyncLoginDelete = 2,
+    SyncFolderDelete = 3,
+    SyncCiphers = 4,
+
+    SyncVault = 5,
+    SyncOrgKeys = 6,
+    SyncFolderCreate = 7,
+    SyncFolderUpdate = 8,
+    SyncCipherDelete = 9,
+    SyncSettings = 10,
+
+    LogOut = 11,
+}
+
+pub fn start_notification_server() -> WebSocketUsers {
+    let factory = WSFactory::init();
+    let users = factory.users.clone();
+
+    thread::spawn(move || {
+        WebSocket::new(factory)
+            .unwrap()
+            .listen(format!("0.0.0.0:{}", CONFIG.websocket_port))
+            .unwrap();
+    });
+
+    users
+}

src/db/models/attachment.rs

@@ -53,13 +53,11 @@ use db::schema::attachments;
 
 /// Database methods
 impl Attachment {
-    pub fn save(&self, conn: &DbConn) -> bool {
-        match diesel::replace_into(attachments::table)
+    pub fn save(&self, conn: &DbConn) -> QueryResult<()> {
+        diesel::replace_into(attachments::table)
             .values(self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            .execute(&**conn)
+            .and(Ok(()))
     }
 
     pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
@@ -67,7 +65,7 @@ impl Attachment {
         use std::{thread, time};
 
         let mut retries = 10;
-        
+
         loop {
             match diesel::delete(
                 attachments::table.filter(
@@ -80,7 +78,7 @@ impl Attachment {
                         println!("ERROR: Failed with 10 retries");
                         return Err(err)
                     } else {
-                        retries = retries - 1;
+                        retries -= 1;
                         println!("Had to retry! Retries left: {}", retries);
                         thread::sleep(time::Duration::from_millis(500));
                         continue
@@ -111,4 +109,10 @@ impl Attachment {
             .filter(attachments::cipher_uuid.eq(cipher_uuid))
             .load::<Self>(&**conn).expect("Error loading attachments")
     }
+
+    pub fn find_by_ciphers(cipher_uuids: Vec<String>, conn: &DbConn) -> Vec<Self> {
+        attachments::table
+            .filter(attachments::cipher_uuid.eq_any(cipher_uuids))
+            .load::<Self>(&**conn).expect("Error loading attachments")
+    }
 }

src/db/models/cipher.rs

@@ -3,7 +3,7 @@ use serde_json::Value as JsonValue;
 
 use uuid::Uuid;
 
-use super::{User, Organization, Attachment, FolderCipher, CollectionCipher, UserOrgType, UserOrgStatus};
+use super::{User, Organization, Attachment, FolderCipher, CollectionCipher, UserOrganization, UserOrgType, UserOrgStatus};
 
 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "ciphers"]
@@ -32,6 +32,7 @@ pub struct Cipher {
     pub data: String,
 
     pub favorite: bool,
+    pub password_history: Option<String>,
 }
 
 /// Local methods
@@ -55,6 +56,7 @@ impl Cipher {
             fields: None,
 
             data: String::new(),
+            password_history: None,
         }
     }
 }
@@ -77,6 +79,10 @@ impl Cipher {
         let fields_json: JsonValue = if let Some(ref fields) = self.fields {
             serde_json::from_str(fields).unwrap()
         } else { JsonValue::Null };
+        
+        let password_history_json: JsonValue = if let Some(ref password_history) = self.password_history {
+            serde_json::from_str(password_history).unwrap()
+        } else { JsonValue::Null };
 
         let mut data_json: JsonValue = serde_json::from_str(&self.data).unwrap();
 
@@ -108,6 +114,8 @@ impl Cipher {
 
             "Object": "cipher",
             "Edit": true,
+
+            "PasswordHistory": password_history_json,
         });
 
         let key = match self.type_ {
@@ -122,7 +130,29 @@ impl Cipher {
         json_object
     }
 
+    pub fn update_users_revision(&self, conn: &DbConn) -> Vec<String> {
+        let mut user_uuids = Vec::new();
+        match self.user_uuid {
+            Some(ref user_uuid) => {
+                User::update_uuid_revision(&user_uuid, conn);
+                user_uuids.push(user_uuid.clone())
+            },
+            None => { // Belongs to Organization, need to update affected users
+                if let Some(ref org_uuid) = self.organization_uuid {
+                    UserOrganization::find_by_cipher_and_org(&self.uuid, &org_uuid, conn)
+                    .iter()
+                    .for_each(|user_org| {
+                        User::update_uuid_revision(&user_org.user_uuid, conn);
+                        user_uuids.push(user_org.user_uuid.clone())
+                    });
+                }
+            }
+        };
+        user_uuids
+    }
+
     pub fn save(&mut self, conn: &DbConn) -> bool {
+        self.update_users_revision(conn);
         self.updated_at = Utc::now().naive_utc();
 
         match diesel::replace_into(ciphers::table)
@@ -133,14 +163,16 @@ impl Cipher {
         }
     }
 
-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(&self, conn: &DbConn) -> QueryResult<()> {
+        self.update_users_revision(conn);
+
         FolderCipher::delete_all_by_cipher(&self.uuid, &conn)?;
         CollectionCipher::delete_all_by_cipher(&self.uuid, &conn)?;
         Attachment::delete_all_by_cipher(&self.uuid, &conn)?;
 
         diesel::delete(
             ciphers::table.filter(
-                ciphers::uuid.eq(self.uuid)
+                ciphers::uuid.eq(&self.uuid)
             )
         ).execute(&**conn).and(Ok(()))
     }
@@ -157,6 +189,7 @@ impl Cipher {
             None => {
                 match folder_uuid {
                     Some(new_folder) => {
+                        self.update_users_revision(conn);
                         let folder_cipher = FolderCipher::new(&new_folder, &self.uuid);
                         folder_cipher.save(&conn).or(Err("Couldn't save folder setting"))
                     },
@@ -169,6 +202,7 @@ impl Cipher {
                         if current_folder == new_folder {
                             Ok(()) //nothing to do
                         } else {
+                            self.update_users_revision(conn);
                             match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) {
                                 Some(current_folder) => {
                                     current_folder.delete(&conn).or(Err("Failed removing old folder mapping"))
@@ -181,6 +215,7 @@ impl Cipher {
                         }
                     },
                     None => {
+                        self.update_users_revision(conn);
                         match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) {
                             Some(current_folder) => {
                                 current_folder.delete(&conn).or(Err("Failed removing old folder mapping"))
@@ -327,6 +362,6 @@ impl Cipher {
             )
         ))
         .select(ciphers_collections::collection_uuid)
-        .load::<String>(&**conn).unwrap_or(vec![])
+        .load::<String>(&**conn).unwrap_or_default()
     }
 }

src/db/models/collection.rs

@@ -185,6 +185,8 @@ impl CollectionUser {
     }
 
     pub fn save(user_uuid: &str, collection_uuid: &str, read_only:bool, conn: &DbConn) -> QueryResult<()> {
+        User::update_uuid_revision(&user_uuid, conn);
+
         diesel::replace_into(users_collections::table)
         .values((
             users_collections::user_uuid.eq(user_uuid),
@@ -194,6 +196,8 @@ impl CollectionUser {
     }
 
     pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+        User::update_uuid_revision(&self.user_uuid, conn);
+
         diesel::delete(users_collections::table
         .filter(users_collections::user_uuid.eq(&self.user_uuid))
         .filter(users_collections::collection_uuid.eq(&self.collection_uuid)))
@@ -216,12 +220,20 @@ impl CollectionUser {
     }
 
     pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+        CollectionUser::find_by_collection(&collection_uuid, conn)
+        .iter()
+        .for_each(|collection| {
+            User::update_uuid_revision(&collection.user_uuid, conn)
+        });
+
         diesel::delete(users_collections::table
             .filter(users_collections::collection_uuid.eq(collection_uuid))
         ).execute(&**conn).and(Ok(()))
     }
 
     pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+        User::update_uuid_revision(&user_uuid, conn);
+
         diesel::delete(users_collections::table
             .filter(users_collections::user_uuid.eq(user_uuid))
         ).execute(&**conn).and(Ok(()))

src/db/models/folder.rs

@@ -71,6 +71,7 @@ use db::schema::{folders, folders_ciphers};
 /// Database methods
 impl Folder {
     pub fn save(&mut self, conn: &DbConn) -> bool {
+        User::update_uuid_revision(&self.user_uuid, conn);
         self.updated_at = Utc::now().naive_utc();
 
         match diesel::replace_into(folders::table)
@@ -81,12 +82,13 @@ impl Folder {
         }
     }
 
-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(&self, conn: &DbConn) -> QueryResult<()> {
+        User::update_uuid_revision(&self.user_uuid, conn);
         FolderCipher::delete_all_by_folder(&self.uuid, &conn)?;
 
         diesel::delete(
             folders::table.filter(
-                folders::uuid.eq(self.uuid)
+                folders::uuid.eq(&self.uuid)
             )
         ).execute(&**conn).and(Ok(()))
     }

src/db/models/mod.rs

@@ -12,7 +12,7 @@ pub use self::attachment::Attachment;
 pub use self::cipher::Cipher;
 pub use self::device::Device;
 pub use self::folder::{Folder, FolderCipher};
-pub use self::user::User;
+pub use self::user::{User, Invitation};
 pub use self::organization::Organization;
 pub use self::organization::{UserOrganization, UserOrgStatus, UserOrgType};
 pub use self::collection::{Collection, CollectionUser, CollectionCipher};

src/db/models/organization.rs

@@ -1,6 +1,7 @@
 use serde_json::Value as JsonValue;
 
 use uuid::Uuid;
+use super::{User, CollectionUser};
 
 #[derive(Debug, Identifiable, Queryable, Insertable)]
 #[table_name = "organizations"]
@@ -26,7 +27,7 @@ pub struct UserOrganization {
 }
 
 pub enum UserOrgStatus {
-    _Invited = 0, // Unused, users are accepted automatically
+    Invited = 0,
     Accepted = 1,
     Confirmed = 2,
 }
@@ -108,12 +109,17 @@ impl UserOrganization {
 use diesel;
 use diesel::prelude::*;
 use db::DbConn;
-use db::schema::organizations;
-use db::schema::users_organizations;
+use db::schema::{organizations, users_organizations, users_collections, ciphers_collections};
 
 /// Database methods
 impl Organization {
     pub fn save(&mut self, conn: &DbConn) -> bool {
+        UserOrganization::find_by_org(&self.uuid, conn)
+        .iter()
+        .for_each(|user_org| {
+            User::update_uuid_revision(&user_org.user_uuid, conn);
+        });
+
         match diesel::replace_into(organizations::table)
             .values(&*self)
             .execute(&**conn) {
@@ -172,7 +178,6 @@ impl UserOrganization {
     }
 
     pub fn to_json_user_details(&self, conn: &DbConn) -> JsonValue {
-        use super::User;
         let user = User::find_by_uuid(&self.user_uuid, conn).unwrap();
 
         json!({
@@ -189,8 +194,7 @@ impl UserOrganization {
         })
     }
 
-    pub fn to_json_collection_user_details(&self, read_only: &bool, conn: &DbConn) -> JsonValue {
-        use super::User;
+    pub fn to_json_collection_user_details(&self, read_only: bool, conn: &DbConn) -> JsonValue {
         let user = User::find_by_uuid(&self.user_uuid, conn).unwrap();
 
         json!({
@@ -209,7 +213,6 @@ impl UserOrganization {
         let coll_uuids = if self.access_all { 
             vec![] // If we have complete access, no need to fill the array
         } else {
-            use super::CollectionUser;
             let collections = CollectionUser::find_by_organization_and_user_uuid(&self.org_uuid, &self.user_uuid, conn);
             collections.iter().map(|c| json!({"Id": c.collection_uuid, "ReadOnly": c.read_only})).collect()
         };
@@ -228,6 +231,8 @@ impl UserOrganization {
     }
 
     pub fn save(&mut self, conn: &DbConn) -> bool {
+        User::update_uuid_revision(&self.user_uuid, conn);
+
         match diesel::replace_into(users_organizations::table)
             .values(&*self)
             .execute(&**conn) {
@@ -237,7 +242,7 @@ impl UserOrganization {
     }
 
     pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        use super::CollectionUser;
+        User::update_uuid_revision(&self.user_uuid, conn);
 
         CollectionUser::delete_all_by_user(&self.user_uuid, &conn)?;
 
@@ -265,11 +270,25 @@ impl UserOrganization {
             .first::<Self>(&**conn).ok()
     }
 
+    pub fn find_by_uuid_and_org(uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
+        users_organizations::table
+            .filter(users_organizations::uuid.eq(uuid))
+            .filter(users_organizations::org_uuid.eq(org_uuid))
+            .first::<Self>(&**conn).ok()
+    }
+
     pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
         users_organizations::table
             .filter(users_organizations::user_uuid.eq(user_uuid))
             .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
-            .load::<Self>(&**conn).unwrap_or(vec![])
+            .load::<Self>(&**conn).unwrap_or_default()
+    }
+
+    pub fn find_invited_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        users_organizations::table
+            .filter(users_organizations::user_uuid.eq(user_uuid))
+            .filter(users_organizations::status.eq(UserOrgStatus::Invited as i32))
+            .load::<Self>(&**conn).unwrap_or_default()
     }
 
     pub fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
@@ -291,6 +310,26 @@ impl UserOrganization {
             .filter(users_organizations::org_uuid.eq(org_uuid))
             .first::<Self>(&**conn).ok()
     }
+
+    pub fn find_by_cipher_and_org(cipher_uuid: &str, org_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        users_organizations::table
+        .filter(users_organizations::org_uuid.eq(org_uuid))
+        .left_join(users_collections::table.on(
+            users_collections::user_uuid.eq(users_organizations::user_uuid)
+        ))
+        .left_join(ciphers_collections::table.on(
+            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid).and(
+                ciphers_collections::cipher_uuid.eq(&cipher_uuid)
+            )
+        ))
+        .filter(
+            users_organizations::access_all.eq(true).or( // AccessAll..
+                ciphers_collections::cipher_uuid.eq(&cipher_uuid) // ..or access to collection with cipher
+            )
+        )
+        .select(users_organizations::all_columns)
+        .load::<Self>(&**conn).expect("Error loading user organizations")
+    }
 }
 
 

src/db/models/user.rs

@@ -35,29 +35,31 @@ pub struct User {
 
     pub equivalent_domains: String,
     pub excluded_globals: String,
+    
+    pub client_kdf_type: i32,
+    pub client_kdf_iter: i32,
 }
 
 /// Local methods
 impl User {
-    pub fn new(mail: String, key: String, password: String) -> Self {
+    pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0
+    pub const CLIENT_KDF_ITER_DEFAULT: i32 = 5_000;
+
+    pub fn new(mail: String) -> Self {
         let now = Utc::now().naive_utc();
         let email = mail.to_lowercase();
 
-        let iterations = CONFIG.password_iterations;
-        let salt = crypto::get_random_64();
-        let password_hash = crypto::hash_password(password.as_bytes(), &salt, iterations as u32);
-
         Self {
             uuid: Uuid::new_v4().to_string(),
             created_at: now,
             updated_at: now,
             name: email.clone(),
             email,
-            key,
+            key: String::new(),
 
-            password_hash,
-            salt,
-            password_iterations: iterations,
+            password_hash: Vec::new(),
+            salt: crypto::get_random_64(),
+            password_iterations: CONFIG.password_iterations,
 
             security_stamp: Uuid::new_v4().to_string(),
 
@@ -70,6 +72,9 @@ impl User {
 
             equivalent_domains: "[]".to_string(),
             excluded_globals: "[]".to_string(),
+            
+            client_kdf_type: Self::CLIENT_KDF_TYPE_DEFAULT,
+            client_kdf_iter: Self::CLIENT_KDF_ITER_DEFAULT,
         }
     }
 
@@ -103,7 +108,7 @@ impl User {
 use diesel;
 use diesel::prelude::*;
 use db::DbConn;
-use db::schema::users;
+use db::schema::{users, invitations};
 
 /// Database methods
 impl User {
@@ -114,7 +119,7 @@ impl User {
         let orgs = UserOrganization::find_by_user(&self.uuid, conn);
         let orgs_json: Vec<JsonValue> = orgs.iter().map(|c| c.to_json(&conn)).collect();
 
-        let twofactor_enabled = TwoFactor::find_by_user(&self.uuid, conn).len() > 0;
+        let twofactor_enabled = !TwoFactor::find_by_user(&self.uuid, conn).is_empty();
 
         json!({
             "Id": self.uuid,
@@ -154,6 +159,25 @@ impl User {
         }
     }
 
+    pub fn update_uuid_revision(uuid: &str, conn: &DbConn) {
+        if let Some(mut user) = User::find_by_uuid(&uuid, conn) {
+            if user.update_revision(conn).is_err(){
+                println!("Warning: Failed to update revision for {}", user.email);
+            };
+        };
+    }
+
+    pub fn update_revision(&mut self, conn: &DbConn) -> QueryResult<()> {
+        self.updated_at = Utc::now().naive_utc();
+        diesel::update(
+            users::table.filter(
+                users::uuid.eq(&self.uuid)
+            )
+        )
+        .set(users::updated_at.eq(&self.updated_at))
+        .execute(&**conn).and(Ok(()))
+    }
+
     pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
         let lower_mail = mail.to_lowercase();
         users::table
@@ -167,3 +191,47 @@ impl User {
             .first::<Self>(&**conn).ok()
     }
 }
+
+#[derive(Debug, Identifiable, Queryable, Insertable)]
+#[table_name = "invitations"]
+#[primary_key(email)]
+pub struct Invitation {
+    pub email: String,
+}
+
+impl Invitation {
+    pub fn new(email: String) -> Self {
+        Self {
+            email
+        }
+    }
+
+    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
+        diesel::replace_into(invitations::table)
+        .values(&*self)
+        .execute(&**conn)
+        .and(Ok(()))
+    }
+
+    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+        diesel::delete(invitations::table.filter(
+        invitations::email.eq(self.email)))
+        .execute(&**conn)
+        .and(Ok(()))
+    }
+
+    pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
+        let lower_mail = mail.to_lowercase();
+        invitations::table
+            .filter(invitations::email.eq(lower_mail))
+            .first::<Self>(&**conn).ok()
+    }
+
+    pub fn take(mail: &str, conn: &DbConn) -> bool {
+        CONFIG.invitations_allowed &&
+        match Self::find_by_mail(mail, &conn) {
+            Some(invitation) => invitation.delete(&conn).is_ok(),
+            None => false
+        }
+    }
+}

src/db/schema.rs

@@ -21,6 +21,7 @@ table! {
         fields -> Nullable<Text>,
         data -> Text,
         favorite -> Bool,
+        password_history -> Nullable<Text>,
     }
 }
 
@@ -71,6 +72,12 @@ table! {
     }
 }
 
+table! {
+    invitations (email) {
+        email -> Text,
+    }
+}
+
 table! {
     organizations (uuid) {
         uuid -> Text,
@@ -109,6 +116,8 @@ table! {
         security_stamp -> Text,
         equivalent_domains -> Text,
         excluded_globals -> Text,
+        client_kdf_type -> Integer,
+        client_kdf_iter -> Integer,
     }
 }
 
@@ -157,6 +166,7 @@ allow_tables_to_appear_in_same_query!(
     devices,
     folders,
     folders_ciphers,
+    invitations,
     organizations,
     twofactor,
     users,

src/mail.rs

@@ -0,0 +1,63 @@
+use std::error::Error;
+use native_tls::{Protocol, TlsConnector};
+use lettre::{Transport, SmtpTransport, SmtpClient, ClientTlsParameters, ClientSecurity};
+use lettre::smtp::ConnectionReuseParameters;
+use lettre::smtp::authentication::Credentials;
+use lettre_email::EmailBuilder;
+
+use MailConfig;
+
+fn mailer(config: &MailConfig) -> SmtpTransport {
+    let client_security = if config.smtp_ssl {
+        let mut tls_builder = TlsConnector::builder();
+        tls_builder.min_protocol_version(Some(Protocol::Tlsv11));
+        ClientSecurity::Required(
+            ClientTlsParameters::new(config.smtp_host.to_owned(), tls_builder.build().unwrap())
+        )
+    } else {
+        ClientSecurity::None
+    };
+
+    let smtp_client = SmtpClient::new(
+        (config.smtp_host.to_owned().as_str(), config.smtp_port),
+        client_security
+    ).unwrap();
+
+    let smtp_client = match (&config.smtp_username, &config.smtp_password) {
+        (Some(username), Some(password)) => {
+            smtp_client.credentials(Credentials::new(username.to_owned(), password.to_owned()))
+        },
+        (_, _) => smtp_client,
+    };
+
+    smtp_client
+        .smtp_utf8(true)
+        .connection_reuse(ConnectionReuseParameters::NoReuse)
+        .transport()
+}
+
+pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConfig) -> Result<(), String> {
+    let (subject, body) = if let Some(hint) = hint {
+        ("Your master password hint",
+         format!(
+            "You (or someone) recently requested your master password hint.\n\n\
+             Your hint is:  \"{}\"\n\n\
+             If you did not request your master password hint you can safely ignore this email.\n",
+            hint))
+    } else {
+        ("Sorry, you have no password hint...",
+         "Sorry, you have not specified any password hint...\n".to_string())
+    };
+
+    let email = EmailBuilder::new()
+        .to(address)
+        .from((config.smtp_from.to_owned(), "Bitwarden-rs"))
+        .subject(subject)
+        .body(body)
+        .build().unwrap();
+
+    match mailer(config).send(email.into()) {
+        Ok(_) => Ok(()),
+        Err(e) => Err(e.description().to_string()),
+    }
+}

src/main.rs

@@ -1,9 +1,13 @@
-#![feature(plugin, custom_derive)]
+#![feature(plugin, custom_derive, vec_remove_item, try_trait)]
 #![plugin(rocket_codegen)]
+#![allow(proc_macro_derive_resolution_fallback)] // TODO: Remove this when diesel update fixes warnings
 extern crate rocket;
 extern crate rocket_contrib;
 extern crate reqwest;
 extern crate multipart;
+extern crate ws;
+extern crate rmpv;
+extern crate chashmap;
 extern crate serde;
 #[macro_use]
 extern crate serde_derive;
@@ -26,8 +30,13 @@ extern crate lazy_static;
 #[macro_use]
 extern crate num_derive;
 extern crate num_traits;
+extern crate lettre;
+extern crate lettre_email;
+extern crate native_tls;
+extern crate fast_chemail;
+extern crate byteorder;
 
-use std::{env, path::Path, process::{exit, Command}};
+use std::{path::Path, process::{exit, Command}};
 use rocket::Rocket;
 
 #[macro_use]
@@ -37,6 +46,7 @@ mod api;
 mod db;
 mod crypto;
 mod auth;
+mod mail;
 
 fn init_rocket() -> Rocket {
     rocket::ignite()
@@ -44,7 +54,9 @@ fn init_rocket() -> Rocket {
         .mount("/api", api::core_routes())
         .mount("/identity", api::identity_routes())
         .mount("/icons", api::icons_routes())
+        .mount("/notifications", api::notifications_routes())
         .manage(db::init_pool())
+        .manage(api::start_notification_server())
 }
 
 // Embed the migrations from the migrations folder into the application
@@ -66,9 +78,8 @@ mod migrations {
 fn main() {
     check_db();
     check_rsa_keys();
-    check_web_vault();  
-    migrations::run_migrations(); 
-
+    check_web_vault();
+    migrations::run_migrations();
 
     init_rocket().launch();
 }
@@ -153,6 +164,61 @@ lazy_static! {
     static ref CONFIG: Config = Config::load();
 }
 
+#[derive(Debug)]
+pub struct MailConfig {
+    smtp_host: String,
+    smtp_port: u16,
+    smtp_ssl: bool,
+    smtp_from: String,
+    smtp_username: Option<String>,
+    smtp_password: Option<String>,
+}
+
+impl MailConfig {
+    fn load() -> Option<Self> {
+        use util::{get_env, get_env_or};
+
+        // When SMTP_HOST is absent, we assume the user does not want to enable it.
+        let smtp_host = match get_env("SMTP_HOST") {
+            Some(host) => host,
+            None => return None,
+        };
+
+        let smtp_from = get_env("SMTP_FROM").unwrap_or_else(|| {
+            println!("Please specify SMTP_FROM to enable SMTP support.");
+            exit(1);
+        });
+
+        let smtp_ssl = get_env_or("SMTP_SSL", true);
+        let smtp_port = get_env("SMTP_PORT").unwrap_or_else(|| 
+            if smtp_ssl { 
+                587u16 
+            } else { 
+                25u16 
+            }
+        );
+
+        let smtp_username = get_env("SMTP_USERNAME");
+        let smtp_password = get_env("SMTP_PASSWORD").or_else(|| {
+            if smtp_username.as_ref().is_some() {
+                println!("SMTP_PASSWORD is mandatory when specifying SMTP_USERNAME.");
+                exit(1);
+            } else {
+                None
+            }
+        });
+
+        Some(MailConfig {
+            smtp_host,
+            smtp_port,
+            smtp_ssl,
+            smtp_from,
+            smtp_username,
+            smtp_password,
+        })
+    }
+}
+
 #[derive(Debug)]
 pub struct Config {
     database_url: String,
@@ -166,39 +232,54 @@ pub struct Config {
     web_vault_folder: String,
     web_vault_enabled: bool,
 
+    websocket_port: i32,
+
     local_icon_extractor: bool,
     signups_allowed: bool,
+    invitations_allowed: bool,
     password_iterations: i32,
+    show_password_hint: bool,
+
     domain: String,
     domain_set: bool,
+
+    mail: Option<MailConfig>,
 }
 
 impl Config {
     fn load() -> Self {
+        use util::{get_env, get_env_or};
         dotenv::dotenv().ok();
 
-        let df = env::var("DATA_FOLDER").unwrap_or("data".into());
-        let key = env::var("RSA_KEY_FILENAME").unwrap_or(format!("{}/{}", &df, "rsa_key"));
+        let df = get_env_or("DATA_FOLDER", "data".to_string());
+        let key = get_env_or("RSA_KEY_FILENAME", format!("{}/{}", &df, "rsa_key"));
 
-        let domain = env::var("DOMAIN");
+        let domain = get_env("DOMAIN");
 
         Config {
-            database_url: env::var("DATABASE_URL").unwrap_or(format!("{}/{}", &df, "db.sqlite3")),
-            icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or(format!("{}/{}", &df, "icon_cache")),
-            attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or(format!("{}/{}", &df, "attachments")),
+            database_url: get_env_or("DATABASE_URL", format!("{}/{}", &df, "db.sqlite3")),
+            icon_cache_folder: get_env_or("ICON_CACHE_FOLDER", format!("{}/{}", &df, "icon_cache")),
+            attachments_folder: get_env_or("ATTACHMENTS_FOLDER", format!("{}/{}", &df, "attachments")),
 
             private_rsa_key: format!("{}.der", &key),
             private_rsa_key_pem: format!("{}.pem", &key),
             public_rsa_key: format!("{}.pub.der", &key),
 
-            web_vault_folder: env::var("WEB_VAULT_FOLDER").unwrap_or("web-vault/".into()),
-            web_vault_enabled: util::parse_option_string(env::var("WEB_VAULT_ENABLED").ok()).unwrap_or(true),
+            web_vault_folder: get_env_or("WEB_VAULT_FOLDER", "web-vault/".into()),
+            web_vault_enabled: get_env_or("WEB_VAULT_ENABLED", true),
 
-            local_icon_extractor: util::parse_option_string(env::var("LOCAL_ICON_EXTRACTOR").ok()).unwrap_or(false),
-            signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(true),
-            password_iterations: util::parse_option_string(env::var("PASSWORD_ITERATIONS").ok()).unwrap_or(100_000),
-            domain_set: domain.is_ok(),
+            websocket_port: get_env_or("WEBSOCKET_PORT", 3012),
+
+            local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
+            signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
+            invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
+            password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
+            show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
+
+            domain_set: domain.is_some(),
             domain: domain.unwrap_or("http://localhost".into()),
+
+            mail: MailConfig::load(),
         }
     }
 }

src/util.rs

@@ -3,19 +3,20 @@
 ///
 #[macro_export]
 macro_rules! err {
-    ($err:expr, $err_desc:expr, $msg:expr) => {{
+    ($err:expr, $msg:expr) => {{
         println!("ERROR: {}", $msg);
         err_json!(json!({
-          "error": $err,
-          "error_description": $err_desc,
-          "ErrorModel": {
-            "Message": $msg,
-            "ValidationErrors": null,
-            "Object": "error"
-          }
+          "Message": $err,
+          "ValidationErrors": {
+            "": [$msg,],
+          },
+          "ExceptionMessage": null,
+          "ExceptionStackTrace": null,
+          "InnerExceptionMessage": null,
+          "Object": "error",
         }))
     }};
-    ($msg:expr) => { err!("default_error", "default_error_description", $msg) }
+    ($msg:expr) => { err!("The model state is invalid", $msg) }
 }
 
 #[macro_export]
@@ -96,6 +97,7 @@ pub fn get_display_size(size: i32) -> String {
 ///
 
 use std::str::FromStr;
+use std::ops::Try;
 
 pub fn upcase_first(s: &str) -> String {
     let mut c = s.chars();
@@ -105,14 +107,37 @@ pub fn upcase_first(s: &str) -> String {
     }
 }
 
-pub fn parse_option_string<S, T>(string: Option<S>) -> Option<T> where S: AsRef<str>, T: FromStr {
-    if let Some(Ok(value)) = string.map(|s| s.as_ref().parse::<T>()) {
+pub fn try_parse_string<S, T, U>(string: impl Try<Ok = S, Error=U>) -> Option<T> where S: AsRef<str>, T: FromStr {
+    if let Ok(Ok(value)) = string.into_result().map(|s| s.as_ref().parse::<T>()) {
         Some(value)
     } else {
         None
     }
 }
 
+pub fn try_parse_string_or<S, T, U>(string: impl Try<Ok = S, Error=U>, default: T) -> T where S: AsRef<str>, T: FromStr {
+    if let Ok(Ok(value)) = string.into_result().map(|s| s.as_ref().parse::<T>()) {
+        value
+    } else {
+        default
+    }
+}
+
+
+///
+/// Env methods
+/// 
+
+use std::env;
+
+pub fn get_env<V>(key: &str) -> Option<V> where V: FromStr {
+    try_parse_string(env::var(key))
+}
+
+pub fn get_env_or<V>(key: &str, default: V) -> V where V: FromStr {
+    try_parse_string_or(env::var(key), default)
+}
+
 ///
 /// Date util methods
 ///