Revert yubikey feature, not needed anymore

Updated dependencies, removing need for yubico fork
Implement unofficial warning message
2025-09-09 18:25:58 +03:00 · 2019-01-12 15:28:41 +01:00 · 2019-01-12 15:23:46 +01:00 · 2019-01-11 14:20:42 +01:00 · 2019-01-11 13:54:43 +01:00 · 2019-01-11 01:35:15 +01:00
67 changed files with 7547 additions and 3351 deletions
--- a/.env
+++ b/.env
@@ -1,13 +0,0 @@
-# DATABASE_URL=data/db.sqlite3
-# PRIVATE_RSA_KEY=data/private_rsa_key.der
-# PUBLIC_RSA_KEY=data/public_rsa_key.der
-# ICON_CACHE_FOLDER=data/icon_cache
-# ATTACHMENTS_FOLDER=data/attachments
-
-# true for yes, anything else for no
-SIGNUPS_ALLOWED=true
-
-# ROCKET_ENV=production
-# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
-# ROCKET_PORT=8000
-# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
--- a/.env.template
+++ b/.env.template
@@ -0,0 +1,88 @@
+## Bitwarden_RS Configuration File
+## Uncomment any of the following lines to change the defaults
+
+## Main data folder
+# DATA_FOLDER=data
+
+## Individual folders, these override %DATA_FOLDER%
+# DATABASE_URL=data/db.sqlite3
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+# ICON_CACHE_NEGTTL=259200
+
+## Web vault settings
+# WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=true
+
+## Controls the WebSocket server address and port
+# WEBSOCKET_ADDRESS=0.0.0.0
+# WEBSOCKET_PORT=3012
+
+## Enable extended logging
+## This shows timestamps and allows logging to file and to syslog
+### To enable logging to file, use the LOG_FILE env variable
+### To enable syslog, you need to compile with `cargo build --features=enable_syslog'
+# EXTENDED_LOGGING=true
+
+## Logging to file
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# LOG_FILE=/path/to/log
+
+## Use a local favicon extractor
+## Set to false to use bitwarden's official icon servers
+## Set to true to use the local version, which is not as smart,
+##   but it doesn't send the cipher domains to bitwarden's servers
+# LOCAL_ICON_EXTRACTOR=false
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Token for the admin interface, preferably use a long random string
+## One option is to use 'openssl rand -base64 48'
+## If not set, the admin panel is disabled
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+
+## Controls the PBBKDF password iterations to apply on the server
+## The change only applies when the password is changed
+# PASSWORD_ITERATIONS=100000
+
+## Whether password hint should be sent into the error response when the client request it
+# SHOW_PASSWORD_HINT=true
+
+## Domain settings
+## The domain must match the address from where you access the server
+## Unless you are using U2F, or having problems with attachments not downloading, there is no need to change this
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+# DOMAIN=https://bw.domain.tld:8443
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Rocket specific settings, check Rocket documentation to learn more
+# ROCKET_ENV=staging
+# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=bitwarden-rs@domain.tld
+# SMTP_PORT=587
+# SMTP_SSL=true
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,7 @@ data
 *.iml

 # Environment file
-# .env
+.env

 # Web vault
-web-vault
+web-vault
--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,9 @@
+# Copied from Rocket's .travis.yml
+language: rust
+sudo: required # so we get a VM with higher specs
+dist: trusty # so we get a VM with higher specs
+cache: cargo
+rust:
+- nightly
+script:
+- cargo build --verbose --all-features
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,55 +1,104 @@
 [package]
 name = "bitwarden_rs"
-version = "0.9.0"
+version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
+edition = "2018"
+
+repository = "https://github.com/dani-garcia/bitwarden_rs"
+readme = "README.md"
+license = "GPL-3.0-only"
+publish = false
+build = "build.rs"
+
+[features]
+enable_syslog = ["syslog", "fern/syslog-4"]

 [dependencies]
 # Web framework for nightly with a focus on ease-of-use, expressibility, and speed.
-rocket = { version = "0.3.12", features = ["tls"] }
-rocket_codegen = "0.3.12"
-rocket_contrib = "0.3.12"
+rocket = { version = "0.4.0", features = ["tls"], default-features = false }
+rocket_contrib = "0.4.0"

 # HTTP client
-reqwest = "0.8.6"
+reqwest = "0.9.8"

 # multipart/form-data support
-multipart = "0.14.2"
+multipart = "0.15.4"
+
+# WebSockets library
+ws = "0.7.9"
+
+# MessagePack library
+rmpv = "0.4.0"
+
+# Concurrent hashmap implementation
+chashmap = "2.2.0"

 # A generic serialization/deserialization framework
-serde = "1.0.64"
-serde_derive = "1.0.64"
-serde_json = "1.0.19"
+serde = "1.0.84"
+serde_derive = "1.0.84"
+serde_json = "1.0.34"
+
+# Logging
+log = "0.4.6"
+fern = "0.5.7"
+syslog = { version = "4.0.1", optional = true }

 # A safe, extensible ORM and Query builder
-diesel = { version = "~1.2.2", features = ["sqlite", "chrono", "r2d2"] }
-diesel_migrations = { version = "~1.2.0", features = ["sqlite"] }
+diesel = { version = "1.3.3", features = ["sqlite", "chrono", "r2d2"] }
+diesel_migrations = { version = "1.3.0", features = ["sqlite"] }

 # Bundled SQLite
-libsqlite3-sys = { version = "0.9.1", features = ["bundled"] }
+libsqlite3-sys = { version = "0.9.3", features = ["bundled"] }

 # Crypto library
-ring = { version = "= 0.11.0", features = ["rsa_signing"] }
+ring = { version = "0.13.5", features = ["rsa_signing"] }

 # UUID generation
-uuid = { version = "0.6.5", features = ["v4"] }
+uuid = { version = "0.7.1", features = ["v4"] }

 # Date and time library for Rust
-chrono = "0.4.2"
+chrono = "0.4.6"

 # TOTP library
 oath = "0.10.2"

 # Data encoding library
-data-encoding = "2.1.1"
+data-encoding = "2.1.2"

 # JWT library
-jsonwebtoken = "= 4.0.1"
+jsonwebtoken = "5.0.1"
+
+# U2F library
+u2f = "0.1.4"
+
+# Yubico Library
+yubico = { version = "0.5.0", features = ["online"], default-features = false }

 # A `dotenv` implementation for Rust
 dotenv = { version = "0.13.0", default-features = false }

 # Lazy static macro
-lazy_static = "1.0.1"
+lazy_static = { version = "1.2.0", features = ["nightly"] }
+
+# More derives
+derive_more = "0.13.0"
+
+# Numerical libraries
+num-traits = "0.2.6"
+num-derive = "0.2.3"
+
+# Email libraries
+lettre = "0.9.0"
+lettre_email = "0.9.0"
+native-tls = "0.2.2"
+
+# Number encoding library
+byteorder = "1.2.7"

 [patch.crates-io]
-jsonwebtoken = { path = "libs/jsonwebtoken" } # Make jwt use ring 0.11, to match rocket
+# Add support for Timestamp type
+rmp = { git = 'https://github.com/dani-garcia/msgpack-rust' }
+
+# Use new native_tls version 0.2
+lettre = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
+lettre_email = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
--- a/52
+++ b/52
@@ -2,36 +2,26 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM node:9-alpine as vault
+FROM alpine as vault

-ENV VAULT_VERSION "1.26.0"
-ENV URL "https://github.com/bitwarden/web/archive/v${VAULT_VERSION}.tar.gz"
+ENV VAULT_VERSION "v2.8.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

 RUN apk add --update-cache --upgrade \
    curl \
-    git \
-    tar \
-    && npm install -g \
-        gulp-cli \
-        gulp
+    tar

-RUN mkdir /web-build \
-    && cd /web-build \
-    && curl -L "${URL}" | tar -xvz --strip-components=1
+RUN mkdir /web-vault
+WORKDIR /web-vault

-WORKDIR /web-build
-
-COPY /docker/settings.Production.json /web-build/
-
-RUN git config --global url."https://github.com/".insteadOf ssh://git@github.com/ \
-    && npm install \
-    && gulp dist:selfHosted \
-    && mv dist /web-vault
+RUN curl -L $URL | tar xz
+RUN ls

 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rustlang/rust:nightly as build
+FROM rust as build

 # Using bundled SQLite, no need to install it
 # RUN apt-get update && apt-get install -y\
@@ -43,9 +33,10 @@ FROM rustlang/rust:nightly as build
 RUN USER=root cargo new --bin app
 WORKDIR /app

-# Copies over *only* your manifests and vendored dependencies
+# Copies over *only* your manifests and build files
 COPY ./Cargo.* ./
-COPY ./libs ./libs
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs

 # Builds your dependencies and removes the
 # dummy project, except the target folder
@@ -57,6 +48,9 @@ RUN find . -not -path "./target*" -delete
 # To avoid copying unneeded files, use .dockerignore
 COPY . .

+# Make sure that we actually build the project
+RUN touch src/main.rs
+
 # Builds again, this time it'll just be
 # your actual source files being built
 RUN cargo build --release
@@ -66,23 +60,27 @@ RUN cargo build --release
 # because we already have a binary built
 FROM debian:stretch-slim

+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
 # Install needed libraries
 RUN apt-get update && apt-get install -y\
    openssl\
+    ca-certificates\
    --no-install-recommends\
 && rm -rf /var/lib/apt/lists/*

 RUN mkdir /data
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012

-# Copies the files from the context (env file and web-vault)
+# Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
-COPY .env .
+COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build app/target/release/bitwarden_rs .

 # Configures the startup!
-# Use production to disable Rocket logging
-#CMD ROCKET_ENV=production ./bitwarden_rs
-CMD ROCKET_ENV=staging ./bitwarden_rs
+CMD ./bitwarden_rs
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -0,0 +1,92 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine as vault
+
+ENV VAULT_VERSION "v2.8.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --update-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust as build
+
+RUN apt-get update \
+    && apt-get install -y \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl arm64 libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        libssl-dev:arm64 \
+        libc6-dev:arm64
+
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y\
+    openssl\
+    ca-certificates\
+    --no-install-recommends\
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ./bitwarden_rs
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -0,0 +1,66 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine as vault
+
+ENV VAULT_VERSION "v2.8.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --update-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# Musl build image for statically compiled binary
+FROM clux/muslrust:nightly-2018-12-01 as build
+
+ENV USER "root"
+
+WORKDIR /app
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Build
+RUN cargo build --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.8
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add \
+        openssl\
+        ca-certificates \
+    && rm /var/cache/apk/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ./bitwarden_rs
--- a/Dockerfile.armv7
+++ b/Dockerfile.armv7
@@ -0,0 +1,92 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine as vault
+
+ENV VAULT_VERSION "v2.8.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --update-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust as build
+
+RUN apt-get update \
+    && apt-get install -y \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armhf libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        libssl-dev:armhf \
+        libc6-dev:armhf
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y\
+    openssl\
+    ca-certificates\
+    --no-install-recommends\
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ./bitwarden_rs
--- a/README.md
+++ b/README.md
@@ -1,97 +1,55 @@
-## Easy setup (Docker)
-Install Docker to your system and then, from the project root, run:
+### This is a Bitwarden server API implementation written in Rust compatible with [upstream Bitwarden clients](https://bitwarden.com/#download)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+---
+
+[![Travis Build Status](https://travis-ci.org/dani-garcia/bitwarden_rs.svg?branch=master)](https://travis-ci.org/dani-garcia/bitwarden_rs)
+[![Docker Pulls](https://img.shields.io/docker/pulls/mprasil/bitwarden.svg)](https://hub.docker.com/r/mprasil/bitwarden)
+[![Dependency Status](https://deps.rs/repo/github/dani-garcia/bitwarden_rs/status.svg)](https://deps.rs/repo/github/dani-garcia/bitwarden_rs)
+[![GitHub Release](https://img.shields.io/github/release/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/releases/latest)
+[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/blob/master/LICENSE.txt)
+[![Matrix Chat](https://img.shields.io/matrix/bitwarden_rs:matrix.org.svg?logo=matrix)](https://matrix.to/#/#bitwarden_rs:matrix.org)
+
+Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/bitwarden_rs).
+
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any Bitwarden related bug-reports or suggestions [here](https://github.com/dani-garcia/bitwarden_rs/issues/new), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+
+---
+
+## Features
+
+Basically full implementation of Bitwarden API is provided including:
+
+ * Basic single user functionality
+ * Organizations support
+ * Attachments
+ * Vault API support
+ * Serving the static files for Vault interface
+ * Website icons API
+ * Authenticator and U2F support
+ * YubiKey OTP
+
+## Installation
+Pull the docker image and mount a volume from the host for persistent storage:
+
 ```sh
-# Build the docker image:
-docker build -t dani/bitwarden_rs .
-
-# Run the docker image with a docker volume:
-docker volume create bw_data
-docker run --name bitwarden_rs -t --init --rm --mount source=bw_data,target=/data -p 8000:80 dani/bitwarden_rs
+docker pull mprasil/bitwarden:latest
+docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 mprasil/bitwarden:latest
 ```
+This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.

-#### Other possible Docker options
+**IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. 

-To run the container in the background, add the `-d` parameter.
+This can be configured in [bitwarden_rs directly](https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples)).

-To check the logs when in background, run `docker logs bitwarden_rs`
+If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).

-To stop the container in background, run `docker stop bitwarden_rs`
+## Usage
+See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) for more information on how to configure and run the bitwarden_rs server.

-To make sure the container is restarted automatically, add the `--restart unless-stopped` parameter
+## Get in touch

-To run the image with a host bind, change the `--mount` parameter to:
-```
--mount type=bind,source=<absolute_path>,target=/data
-```
-Where <absolute_path> is an absolute path in the hosts file system (e.g. C:\bitwarden\data)
+To ask an question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine, also please report any bugs spotted here.

-
-## How to compile bitwarden_rs
-Install `rust nightly`, in Windows the recommended way is through `rustup`.
-
-Install the `openssl` library, in Windows the best option is Microsoft's `vcpkg`,
-on other systems use their respective package managers.
-
-Then run:
-```sh
-cargo run
-# or
-cargo build
-```
-
-## How to install the web-vault locally
-If you're using docker image, you can just update `VAULT_VERSION` variable in Dockerfile and rebuild the image.
-
-Install `node.js` and either `yarn` or `npm` (usually included with node)
-
-Clone the web-vault outside the project:
-```
-git clone https://github.com/bitwarden/web.git web-vault
-```
-
-Modify `web-vault/settings.Production.json` to look like this:
-```json
-{
-  "appSettings": {
-    "apiUri": "/api",
-    "identityUri": "/identity",
-    "iconsUri": "/icons",
-    "stripeKey": "",
-    "braintreeKey": ""
-  }
-}
-```
-
-Then, run the following from the `web-vault` dir:
-```sh
-# With yarn (recommended)
-yarn
-yarn gulp dist:selfHosted
-
-# With npm
-npm install
-npx gulp dist:selfHosted
-```
-
-Finally copy the contents of the `web-vault/dist` folder into the `bitwarden_rs/web-vault` folder.
-
-## How to recreate database schemas
-Install diesel-cli with cargo:
-```sh
-cargo install diesel_cli --no-default-features --features sqlite-bundled # Or use only sqlite to use the system version
-```
-
-Make sure that the correct path to the database is in the `.env` file.
-
-If you want to modify the schemas, create a new migration with:
-```
-diesel migration generate <name>
-```
-
-Modify the *.sql files, making sure that any changes are reverted in the down.sql file.
-
-Apply the migrations and save the generated schemas as follows:
-```
-diesel migration redo
-diesel print-schema > src/db/schema.rs
-```
+If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!
--- a/Rocket.toml
+++ b/Rocket.toml
@@ -0,0 +1,2 @@
+[global.limits]
+json = 10485760 # 10 MiB
--- a/build.rs
+++ b/build.rs
@@ -0,0 +1,39 @@
+use std::process::Command;
+
+fn main() {
+    read_git_info().expect("Unable to read Git info");
+}
+
+fn run(args: &[&str]) -> Result<String, std::io::Error> {
+    let out = Command::new(args[0]).args(&args[1..]).output()?;
+    Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
+}
+
+/// This method reads info from Git, namely tags, branch, and revision
+fn read_git_info() -> Result<(), std::io::Error> {
+    // The exact tag for the current commit, can be empty when
+    // the current commit doesn't have an associated tag
+    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"])?;
+    println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact_tag);
+
+    // The last available tag, equal to exact_tag when
+    // the current commit is tagged
+    let last_tag = run(&["git", "describe", "--abbrev=0", "--tags"])?;
+    println!("cargo:rustc-env=GIT_LAST_TAG={}", last_tag);
+
+    // The current branch name
+    let branch = run(&["git", "rev-parse", "--abbrev-ref", "HEAD"])?;
+    println!("cargo:rustc-env=GIT_BRANCH={}", branch);
+
+    // The current git commit hash
+    let rev = run(&["git", "rev-parse", "HEAD"])?;
+    let rev_short = rev.get(..12).unwrap_or_default();
+    println!("cargo:rustc-env=GIT_REV={}", rev_short);
+
+    // To access these values, use:
+    //    env!("GIT_EXACT_TAG")
+    //    env!("GIT_LAST_TAG")
+    //    env!("GIT_BRANCH")
+    //    env!("GIT_REV")
+    Ok(())
+}
--- a/diesel.toml
+++ b/diesel.toml
@@ -0,0 +1,5 @@
+# For documentation on how to configure this file,
+# see diesel.rs/guides/configuring-diesel-cli
+
+[print_schema]
+file = "src/db/schema.rs"
--- a/docker/settings.Production.json
+++ b/docker/settings.Production.json
@@ -1,9 +0,0 @@
-{
-  "appSettings": {
-    "apiUri": "/api",
-    "identityUri": "/identity",
-    "iconsUri": "/icons",
-    "stripeKey": "",
-    "braintreeKey": ""
-  }
-}
--- a/libs/jsonwebtoken/Cargo.toml
+++ b/libs/jsonwebtoken/Cargo.toml
@@ -1,20 +0,0 @@
-[package]
-name = "jsonwebtoken"
-version = "4.0.1"
-authors = ["Vincent Prouillet <prouillet.vincent@gmail.com>"]
-license = "MIT"
-readme = "README.md"
-description = "Create and parse JWT in a strongly typed way."
-homepage = "https://github.com/Keats/rust-jwt"
-repository = "https://github.com/Keats/rust-jwt"
-keywords = ["jwt", "web", "api", "token", "json"]
-
-[dependencies]
-error-chain = { version = "0.11", default-features = false }
-serde_json = "1.0"
-serde_derive = "1.0"
-serde = "1.0"
-ring = { version = "0.11.0", features = ["rsa_signing", "dev_urandom_fallback"] }
-base64 = "0.9"
-untrusted = "0.5"
-chrono = "0.4"
--- a/libs/jsonwebtoken/LICENSE
+++ b/libs/jsonwebtoken/LICENSE
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2015 Vincent Prouillet
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
--- a/libs/jsonwebtoken/src/crypto.rs
+++ b/libs/jsonwebtoken/src/crypto.rs
@@ -1,120 +0,0 @@
-use std::sync::Arc;
-
-use base64;
-use ring::{rand, digest, hmac, signature};
-use ring::constant_time::verify_slices_are_equal;
-use untrusted;
-
-use errors::{Result, ErrorKind};
-
-
-/// The algorithms supported for signing/verifying
-#[derive(Debug, PartialEq, Copy, Clone, Serialize, Deserialize)]
-pub enum Algorithm {
-    /// HMAC using SHA-256
-    HS256,
-    /// HMAC using SHA-384
-    HS384,
-    /// HMAC using SHA-512
-    HS512,
-
-    /// RSASSA-PKCS1-v1_5 using SHA-256
-    RS256,
-    /// RSASSA-PKCS1-v1_5 using SHA-384
-    RS384,
-    /// RSASSA-PKCS1-v1_5 using SHA-512
-    RS512,
-}
-
-/// The actual HS signing + encoding
-fn sign_hmac(alg: &'static digest::Algorithm, key: &[u8], signing_input: &str) -> Result<String> {
-    let signing_key = hmac::SigningKey::new(alg, key);
-    let digest = hmac::sign(&signing_key, signing_input.as_bytes());
-
-    Ok(
-        base64::encode_config::<hmac::Signature>(&digest, base64::URL_SAFE_NO_PAD)
-    )
-}
-
-/// The actual RSA signing + encoding
-/// Taken from Ring doc https://briansmith.org/rustdoc/ring/signature/index.html
-fn sign_rsa(alg: Algorithm, key: &[u8], signing_input: &str) -> Result<String> {
-    let ring_alg = match alg {
-        Algorithm::RS256 => &signature::RSA_PKCS1_SHA256,
-        Algorithm::RS384 => &signature::RSA_PKCS1_SHA384,
-        Algorithm::RS512 => &signature::RSA_PKCS1_SHA512,
-        _ => unreachable!(),
-    };
-
-    let key_pair = Arc::new(
-        signature::RSAKeyPair::from_der(untrusted::Input::from(key))
-            .map_err(|_| ErrorKind::InvalidKey)?
-    );
-    let mut signing_state = signature::RSASigningState::new(key_pair)
-        .map_err(|_| ErrorKind::InvalidKey)?;
-    let mut signature = vec![0; signing_state.key_pair().public_modulus_len()];
-    let rng = rand::SystemRandom::new();
-    signing_state.sign(ring_alg, &rng, signing_input.as_bytes(), &mut signature)
-        .map_err(|_| ErrorKind::InvalidKey)?;
-
-    Ok(
-        base64::encode_config::<[u8]>(&signature, base64::URL_SAFE_NO_PAD)
-    )
-}
-
-/// Take the payload of a JWT, sign it using the algorithm given and return
-/// the base64 url safe encoded of the result.
-///
-/// Only use this function if you want to do something other than JWT.
-pub fn sign(signing_input: &str, key: &[u8], algorithm: Algorithm) -> Result<String> {
-    match algorithm {
-        Algorithm::HS256 => sign_hmac(&digest::SHA256, key, signing_input),
-        Algorithm::HS384 => sign_hmac(&digest::SHA384, key, signing_input),
-        Algorithm::HS512 => sign_hmac(&digest::SHA512, key, signing_input),
-
-        Algorithm::RS256 | Algorithm::RS384 | Algorithm::RS512 => sign_rsa(algorithm, key, signing_input),
-//        TODO: if PKCS1 is made prublic, remove the line above and uncomment below
-//        Algorithm::RS256 => sign_rsa(&signature::RSA_PKCS1_SHA256, key, signing_input),
-//        Algorithm::RS384 => sign_rsa(&signature::RSA_PKCS1_SHA384, key, signing_input),
-//        Algorithm::RS512 => sign_rsa(&signature::RSA_PKCS1_SHA512, key, signing_input),
-    }
-}
-
-/// See Ring RSA docs for more details
-fn verify_rsa(alg: &signature::RSAParameters, signature: &str, signing_input: &str, key: &[u8]) -> Result<bool> {
-    let signature_bytes = base64::decode_config(signature, base64::URL_SAFE_NO_PAD)?;
-    let public_key_der = untrusted::Input::from(key);
-    let message = untrusted::Input::from(signing_input.as_bytes());
-    let expected_signature = untrusted::Input::from(signature_bytes.as_slice());
-
-    let res = signature::verify(alg, public_key_der, message, expected_signature);
-
-    Ok(res.is_ok())
-}
-
-/// Compares the signature given with a re-computed signature for HMAC or using the public key
-/// for RSA.
-///
-/// Only use this function if you want to do something other than JWT.
-///
-/// `signature` is the signature part of a jwt (text after the second '.')
-///
-/// `signing_input` is base64(header) + "." + base64(claims)
-pub fn verify(signature: &str, signing_input: &str, key: &[u8], algorithm: Algorithm) -> Result<bool> {
-    match algorithm {
-        Algorithm::HS256 | Algorithm::HS384 | Algorithm::HS512 => {
-            // we just re-sign the data with the key and compare if they are equal
-            let signed = sign(signing_input, key, algorithm)?;
-            Ok(verify_slices_are_equal(signature.as_ref(), signed.as_ref()).is_ok())
-        },
-        Algorithm::RS256 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA256, signature, signing_input, key),
-        Algorithm::RS384 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA384, signature, signing_input, key),
-        Algorithm::RS512 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA512, signature, signing_input, key),
-    }
-}
-
-impl Default for Algorithm {
-    fn default() -> Self {
-        Algorithm::HS256
-    }
-}
--- a/libs/jsonwebtoken/src/errors.rs
+++ b/libs/jsonwebtoken/src/errors.rs
@@ -1,68 +0,0 @@
-use base64;
-use serde_json;
-use ring;
-
-error_chain! {
-    errors {
-        /// When a token doesn't have a valid JWT shape
-        InvalidToken {
-            description("invalid token")
-            display("Invalid token")
-        }
-        /// When the signature doesn't match
-        InvalidSignature {
-            description("invalid signature")
-            display("Invalid signature")
-        }
-        /// When the secret given is not a valid RSA key
-        InvalidKey {
-            description("invalid key")
-            display("Invalid Key")
-        }
-
-        // Validation error
-
-        /// When a token’s `exp` claim indicates that it has expired
-        ExpiredSignature {
-            description("expired signature")
-            display("Expired Signature")
-        }
-        /// When a token’s `iss` claim does not match the expected issuer
-        InvalidIssuer {
-            description("invalid issuer")
-            display("Invalid Issuer")
-        }
-        /// When a token’s `aud` claim does not match one of the expected audience values
-        InvalidAudience {
-            description("invalid audience")
-            display("Invalid Audience")
-        }
-        /// When a token’s `aud` claim does not match one of the expected audience values
-        InvalidSubject {
-            description("invalid subject")
-            display("Invalid Subject")
-        }
-        /// When a token’s `iat` claim is in the future
-        InvalidIssuedAt {
-            description("invalid issued at")
-            display("Invalid Issued At")
-        }
-        /// When a token’s nbf claim represents a time in the future
-        ImmatureSignature {
-            description("immature signature")
-            display("Immature Signature")
-        }
-        /// When the algorithm in the header doesn't match the one passed to `decode`
-        InvalidAlgorithm {
-            description("Invalid algorithm")
-            display("Invalid Algorithm")
-        }
-    }
-
-    foreign_links {
-        Unspecified(ring::error::Unspecified) #[doc = "An error happened while signing/verifying a token with RSA"];
-        Base64(base64::DecodeError) #[doc = "An error happened while decoding some base64 text"];
-        Json(serde_json::Error) #[doc = "An error happened while serializing/deserializing JSON"];
-        Utf8(::std::string::FromUtf8Error) #[doc = "An error happened while trying to convert the result of base64 decoding to a String"];
-    }
-}
--- a/libs/jsonwebtoken/src/header.rs
+++ b/libs/jsonwebtoken/src/header.rs
@@ -1,64 +0,0 @@
-use crypto::Algorithm;
-
-
-/// A basic JWT header, the alg defaults to HS256 and typ is automatically
-/// set to `JWT`. All the other fields are optional.
-#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
-pub struct Header {
-    /// The type of JWS: it can only be "JWT" here
-    ///
-    /// Defined in [RFC7515#4.1.9](https://tools.ietf.org/html/rfc7515#section-4.1.9).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub typ: Option<String>,
-    /// The algorithm used
-    ///
-    /// Defined in [RFC7515#4.1.1](https://tools.ietf.org/html/rfc7515#section-4.1.1).
-    pub alg: Algorithm,
-    /// Content type
-    ///
-    /// Defined in [RFC7519#5.2](https://tools.ietf.org/html/rfc7519#section-5.2).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub cty: Option<String>,
-    /// JSON Key URL
-    ///
-    /// Defined in [RFC7515#4.1.2](https://tools.ietf.org/html/rfc7515#section-4.1.2).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub jku: Option<String>,
-    /// Key ID
-    ///
-    /// Defined in [RFC7515#4.1.4](https://tools.ietf.org/html/rfc7515#section-4.1.4).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub kid: Option<String>,
-    /// X.509 URL
-    ///
-    /// Defined in [RFC7515#4.1.5](https://tools.ietf.org/html/rfc7515#section-4.1.5).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub x5u: Option<String>,
-    /// X.509 certificate thumbprint
-    ///
-    /// Defined in [RFC7515#4.1.7](https://tools.ietf.org/html/rfc7515#section-4.1.7).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub x5t: Option<String>,
-}
-
-impl Header {
-    /// Returns a JWT header with the algorithm given
-    pub fn new(algorithm: Algorithm) -> Header {
-        Header {
-            typ: Some("JWT".to_string()),
-            alg: algorithm,
-            cty: None,
-            jku: None,
-            kid: None,
-            x5u: None,
-            x5t: None,
-        }
-    }
-}
-
-impl Default for Header {
-    /// Returns a JWT header using the default Algorithm, HS256
-    fn default() -> Self {
-        Header::new(Algorithm::default())
-    }
-}
--- a/libs/jsonwebtoken/src/lib.rs
+++ b/libs/jsonwebtoken/src/lib.rs
@@ -1,142 +0,0 @@
-//! Create and parses JWT (JSON Web Tokens)
-//!
-//! Documentation:  [stable](https://docs.rs/jsonwebtoken/)
-#![recursion_limit = "300"]
-#![deny(missing_docs)]
-#![allow(unused_doc_comments)]
-#![allow(renamed_and_removed_lints)]
-
-#[macro_use]
-extern crate error_chain;
-#[macro_use]
-extern crate serde_derive;
-extern crate serde_json;
-extern crate serde;
-extern crate base64;
-extern crate ring;
-extern crate untrusted;
-extern crate chrono;
-
-/// All the errors, generated using error-chain
-pub mod errors;
-mod header;
-mod crypto;
-mod serialization;
-mod validation;
-
-pub use header::Header;
-pub use crypto::{
-    Algorithm,
-    sign,
-    verify,
-};
-pub use validation::Validation;
-pub use serialization::TokenData;
-
-
-use serde::de::DeserializeOwned;
-use serde::ser::Serialize;
-
-use errors::{Result, ErrorKind};
-use serialization::{from_jwt_part, from_jwt_part_claims, to_jwt_part};
-use validation::{validate};
-
-
-/// Encode the header and claims given and sign the payload using the algorithm from the header and the key
-///
-/// ```rust,ignore
-/// #[macro_use]
-/// extern crate serde_derive;
-/// use jsonwebtoken::{encode, Algorithm, Header};
-///
-/// /// #[derive(Debug, Serialize, Deserialize)]
-/// struct Claims {
-///    sub: String,
-///    company: String
-/// }
-///
-/// let my_claims = Claims {
-///     sub: "b@b.com".to_owned(),
-///     company: "ACME".to_owned()
-/// };
-///
-/// // my_claims is a struct that implements Serialize
-/// // This will create a JWT using HS256 as algorithm
-/// let token = encode(&Header::default(), &my_claims, "secret".as_ref()).unwrap();
-/// ```
-pub fn encode<T: Serialize>(header: &Header, claims: &T, key: &[u8]) -> Result<String> {
-    let encoded_header = to_jwt_part(&header)?;
-    let encoded_claims = to_jwt_part(&claims)?;
-    let signing_input = [encoded_header.as_ref(), encoded_claims.as_ref()].join(".");
-    let signature = sign(&*signing_input, key.as_ref(), header.alg)?;
-
-    Ok([signing_input, signature].join("."))
-}
-
-/// Used in decode: takes the result of a rsplit and ensure we only get 2 parts
-/// Errors if we don't
-macro_rules! expect_two {
-    ($iter:expr) => {{
-        let mut i = $iter;
-        match (i.next(), i.next(), i.next()) {
-            (Some(first), Some(second), None) => (first, second),
-            _ => return Err(ErrorKind::InvalidToken.into())
-        }
-    }}
-}
-
-/// Decode a token into a struct containing 2 fields: `claims` and `header`.
-///
-/// If the token or its signature is invalid or the claims fail validation, it will return an error.
-///
-/// ```rust,ignore
-/// #[macro_use]
-/// extern crate serde_derive;
-/// use jsonwebtoken::{decode, Validation, Algorithm};
-///
-/// #[derive(Debug, Serialize, Deserialize)]
-/// struct Claims {
-///    sub: String,
-///    company: String
-/// }
-///
-/// let token = "a.jwt.token".to_string();
-/// // Claims is a struct that implements Deserialize
-/// let token_data = decode::<Claims>(&token, "secret", &Validation::new(Algorithm::HS256));
-/// ```
-pub fn decode<T: DeserializeOwned>(token: &str, key: &[u8], validation: &Validation) -> Result<TokenData<T>> {
-    let (signature, signing_input) = expect_two!(token.rsplitn(2, '.'));
-    let (claims, header) = expect_two!(signing_input.rsplitn(2, '.'));
-    let header: Header = from_jwt_part(header)?;
-
-    if !verify(signature, signing_input, key, header.alg)? {
-        return Err(ErrorKind::InvalidSignature.into());
-    }
-
-    if !validation.algorithms.contains(&header.alg) {
-        return Err(ErrorKind::InvalidAlgorithm.into());
-    }
-
-    let (decoded_claims, claims_map): (T, _)  = from_jwt_part_claims(claims)?;
-
-    validate(&claims_map, validation)?;
-
-    Ok(TokenData { header: header, claims: decoded_claims })
-}
-
-/// Decode a token and return the Header. This is not doing any kind of validation: it is meant to be
-/// used when you don't know which `alg` the token is using and want to find out.
-///
-/// If the token has an invalid format, it will return an error.
-///
-/// ```rust,ignore
-/// use jsonwebtoken::decode_header;
-///
-/// let token = "a.jwt.token".to_string();
-/// let header = decode_header(&token);
-/// ```
-pub fn decode_header(token: &str) -> Result<Header> {
-    let (_, signing_input) = expect_two!(token.rsplitn(2, '.'));
-    let (_, header) = expect_two!(signing_input.rsplitn(2, '.'));
-    from_jwt_part(header)
-}
--- a/libs/jsonwebtoken/src/serialization.rs
+++ b/libs/jsonwebtoken/src/serialization.rs
@@ -1,42 +0,0 @@
-use base64;
-use serde::de::DeserializeOwned;
-use serde::ser::Serialize;
-use serde_json::{from_str, to_string, Value};
-use serde_json::map::Map;
-
-use errors::{Result};
-use header::Header;
-
-
-/// The return type of a successful call to decode
-#[derive(Debug)]
-pub struct TokenData<T> {
-    /// The decoded JWT header
-    pub header: Header,
-    /// The decoded JWT claims
-    pub claims: T
-}
-
-/// Serializes to JSON and encodes to base64
-pub fn to_jwt_part<T: Serialize>(input: &T) -> Result<String> {
-    let encoded = to_string(input)?;
-    Ok(base64::encode_config(encoded.as_bytes(), base64::URL_SAFE_NO_PAD))
-}
-
-/// Decodes from base64 and deserializes from JSON to a struct
-pub fn from_jwt_part<B: AsRef<str>, T: DeserializeOwned>(encoded: B) -> Result<T> {
-    let decoded = base64::decode_config(encoded.as_ref(), base64::URL_SAFE_NO_PAD)?;
-    let s = String::from_utf8(decoded)?;
-
-    Ok(from_str(&s)?)
-}
-
-/// Decodes from base64 and deserializes from JSON to a struct AND a hashmap
-pub fn from_jwt_part_claims<B: AsRef<str>, T: DeserializeOwned>(encoded: B) -> Result<(T, Map<String, Value>)> {
-    let decoded = base64::decode_config(encoded.as_ref(), base64::URL_SAFE_NO_PAD)?;
-    let s = String::from_utf8(decoded)?;
-
-    let claims: T = from_str(&s)?;
-    let map: Map<_,_> = from_str(&s)?;
-    Ok((claims, map))
-}
--- a/libs/jsonwebtoken/src/validation.rs
+++ b/libs/jsonwebtoken/src/validation.rs
@@ -1,377 +0,0 @@
-use chrono::Utc;
-use serde::ser::Serialize;
-use serde_json::{Value, from_value, to_value};
-use serde_json::map::Map;
-
-use errors::{Result, ErrorKind};
-use crypto::Algorithm;
-
-
-/// Contains the various validations that are applied after decoding a token.
-///
-/// All time validation happen on UTC timestamps.
-///
-/// ```rust
-/// use jsonwebtoken::Validation;
-///
-/// // Default value
-/// let validation = Validation::default();
-///
-/// // Changing one parameter
-/// let mut validation = Validation {leeway: 60, ..Default::default()};
-///
-/// // Setting audience
-/// let mut validation = Validation::default();
-/// validation.set_audience(&"Me"); // string
-/// validation.set_audience(&["Me", "You"]); // array of strings
-/// ```
-#[derive(Debug, Clone, PartialEq)]
-pub struct Validation {
-    /// Add some leeway (in seconds) to the `exp`, `iat` and `nbf` validation to
-    /// account for clock skew.
-    ///
-    /// Defaults to `0`.
-    pub leeway: i64,
-    /// Whether to validate the `exp` field.
-    ///
-    /// It will return an error if the time in the `exp` field is past.
-    ///
-    /// Defaults to `true`.
-    pub validate_exp: bool,
-    /// Whether to validate the `iat` field.
-    ///
-    /// It will return an error if the time in the `iat` field is in the future.
-    ///
-    /// Defaults to `true`.
-    pub validate_iat: bool,
-    /// Whether to validate the `nbf` field.
-    ///
-    /// It will return an error if the current timestamp is before the time in the `nbf` field.
-    ///
-    /// Defaults to `true`.
-    pub validate_nbf: bool,
-    /// If it contains a value, the validation will check that the `aud` field is the same as the
-    /// one provided and will error otherwise.
-    /// Since `aud` can be either a String or a Vec<String> in the JWT spec, you will need to use
-    /// the [set_audience](struct.Validation.html#method.set_audience) method to set it.
-    ///
-    /// Defaults to `None`.
-    pub aud: Option<Value>,
-    /// If it contains a value, the validation will check that the `iss` field is the same as the
-    /// one provided and will error otherwise.
-    ///
-    /// Defaults to `None`.
-    pub iss: Option<String>,
-    /// If it contains a value, the validation will check that the `sub` field is the same as the
-    /// one provided and will error otherwise.
-    ///
-    /// Defaults to `None`.
-    pub sub: Option<String>,
-    /// If it contains a value, the validation will check that the `alg` of the header is contained
-    /// in the ones provided and will error otherwise.
-    ///
-    /// Defaults to `vec![Algorithm::HS256]`.
-    pub algorithms: Vec<Algorithm>,
-}
-
-impl Validation {
-    /// Create a default validation setup allowing the given alg
-    pub fn new(alg: Algorithm) -> Validation {
-        let mut validation = Validation::default();
-        validation.algorithms = vec![alg];
-        validation
-    }
-
-    /// Since `aud` can be either a String or an array of String in the JWT spec, this method will take
-    /// care of serializing the value.
-    pub fn set_audience<T: Serialize>(&mut self, audience: &T) {
-        self.aud = Some(to_value(audience).unwrap());
-    }
-}
-
-impl Default for Validation {
-    fn default() -> Validation {
-        Validation {
-            leeway: 0,
-
-            validate_exp: true,
-            validate_iat: true,
-            validate_nbf: true,
-
-            iss: None,
-            sub: None,
-            aud: None,
-
-            algorithms: vec![Algorithm::HS256],
-        }
-    }
-}
-
-
-
-pub fn validate(claims: &Map<String, Value>, options: &Validation) -> Result<()> {
-    let now = Utc::now().timestamp();
-
-    if let Some(iat) = claims.get("iat") {
-        if options.validate_iat && from_value::<i64>(iat.clone())? > now + options.leeway {
-            return Err(ErrorKind::InvalidIssuedAt.into());
-        }
-    }
-
-    if let Some(exp) = claims.get("exp") {
-        if options.validate_exp && from_value::<i64>(exp.clone())? < now - options.leeway {
-            return Err(ErrorKind::ExpiredSignature.into());
-        }
-    }
-
-    if let Some(nbf) = claims.get("nbf") {
-        if options.validate_nbf && from_value::<i64>(nbf.clone())? > now + options.leeway {
-            return Err(ErrorKind::ImmatureSignature.into());
-        }
-    }
-
-    if let Some(iss) = claims.get("iss") {
-        if let Some(ref correct_iss) = options.iss {
-            if from_value::<String>(iss.clone())? != *correct_iss {
-                return Err(ErrorKind::InvalidIssuer.into());
-            }
-        }
-    }
-
-    if let Some(sub) = claims.get("sub") {
-        if let Some(ref correct_sub) = options.sub {
-            if from_value::<String>(sub.clone())? != *correct_sub {
-                return Err(ErrorKind::InvalidSubject.into());
-            }
-        }
-    }
-
-    if let Some(aud) = claims.get("aud") {
-        if let Some(ref correct_aud) = options.aud {
-            if aud != correct_aud {
-                return Err(ErrorKind::InvalidAudience.into());
-            }
-        }
-    }
-
-    Ok(())
-}
-
-
-#[cfg(test)]
-mod tests {
-    use serde_json::{to_value};
-    use serde_json::map::Map;
-    use chrono::Utc;
-
-    use super::{validate, Validation};
-
-    use errors::ErrorKind;
-
-    #[test]
-    fn iat_in_past_ok() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() - 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iat_in_future_fails() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() + 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidIssuedAt => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn iat_in_future_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() + 50).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn exp_in_future_ok() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() + 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn exp_in_past_fails() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() - 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::ExpiredSignature => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn exp_in_past_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() - 500).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn nbf_in_past_ok() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() - 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn nbf_in_future_fails() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() + 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::ImmatureSignature => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn nbf_in_future_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() + 500).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iss_ok() {
-        let mut claims = Map::new();
-        claims.insert("iss".to_string(), to_value("Keats").unwrap());
-        let validation = Validation {
-            iss: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iss_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("iss".to_string(), to_value("Hacked").unwrap());
-        let validation = Validation {
-            iss: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidIssuer => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn sub_ok() {
-        let mut claims = Map::new();
-        claims.insert("sub".to_string(), to_value("Keats").unwrap());
-        let validation = Validation {
-            sub: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn sub_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("sub".to_string(), to_value("Hacked").unwrap());
-        let validation = Validation {
-            sub: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidSubject => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn aud_string_ok() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&"Everyone");
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn aud_array_of_string_ok() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value(["UserA", "UserB"]).unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&["UserA", "UserB"]);
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn aud_type_mismatch_fails() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&["UserA", "UserB"]);
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidAudience => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn aud_correct_type_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&"None");
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidAudience => (),
-            _ => assert!(false),
-        };
-    }
-}
--- a/migrations/2018-07-11-181453_create_u2f_twofactor/down.sql
+++ b/migrations/2018-07-11-181453_create_u2f_twofactor/down.sql
@@ -0,0 +1,8 @@
+UPDATE users
+SET totp_secret = (
+    SELECT twofactor.data FROM twofactor
+    WHERE twofactor.type = 0 
+    AND twofactor.user_uuid = users.uuid
+);
+
+DROP TABLE twofactor;
--- a/migrations/2018-07-11-181453_create_u2f_twofactor/up.sql
+++ b/migrations/2018-07-11-181453_create_u2f_twofactor/up.sql
@@ -0,0 +1,15 @@
+CREATE TABLE twofactor (
+  uuid      TEXT     NOT NULL PRIMARY KEY,
+  user_uuid TEXT     NOT NULL REFERENCES users (uuid),
+  type      INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (user_uuid, type)
+);
+
+
+INSERT INTO twofactor (uuid, user_uuid, type, enabled, data) 
+SELECT lower(hex(randomblob(16))) , uuid, 0, 1, u.totp_secret FROM users u where u.totp_secret IS NOT NULL;
+
+UPDATE users SET totp_secret = NULL; -- Instead of recreating the table, just leave the columns empty
--- a/migrations/2018-08-27-172114_update_ciphers/down.sql
+++ b/migrations/2018-08-27-172114_update_ciphers/down.sql
--- a/migrations/2018-08-27-172114_update_ciphers/up.sql
+++ b/migrations/2018-08-27-172114_update_ciphers/up.sql
@@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    password_history TEXT;
--- a/migrations/2018-09-10-111213_add_invites/down.sql
+++ b/migrations/2018-09-10-111213_add_invites/down.sql
@@ -0,0 +1 @@
+DROP TABLE invitations;
--- a/migrations/2018-09-10-111213_add_invites/up.sql
+++ b/migrations/2018-09-10-111213_add_invites/up.sql
@@ -0,0 +1,3 @@
+CREATE TABLE invitations (
+    email   TEXT NOT NULL PRIMARY KEY
+);
--- a/migrations/2018-09-19-144557_add_kdf_columns/down.sql
+++ b/migrations/2018-09-19-144557_add_kdf_columns/down.sql
--- a/migrations/2018-09-19-144557_add_kdf_columns/up.sql
+++ b/migrations/2018-09-19-144557_add_kdf_columns/up.sql
@@ -0,0 +1,7 @@
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_type INTEGER NOT NULL DEFAULT 0; -- PBKDF2
+
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_iter INTEGER NOT NULL DEFAULT 5000;
--- a/migrations/2018-11-27-152651_add_att_key_columns/down.sql
+++ b/migrations/2018-11-27-152651_add_att_key_columns/down.sql
--- a/migrations/2018-11-27-152651_add_att_key_columns/up.sql
+++ b/migrations/2018-11-27-152651_add_att_key_columns/up.sql
@@ -0,0 +1,3 @@
+ALTER TABLE attachments
+    ADD COLUMN
+    key TEXT;
--- a/1
+++ b/1
@@ -0,0 +1 @@
+nightly-2019-01-08
--- a/rustfmt.toml
+++ b/rustfmt.toml
@@ -0,0 +1 @@
+max_width = 120
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -0,0 +1,107 @@
+use rocket_contrib::json::Json;
+use serde_json::Value;
+
+use crate::api::{JsonResult, JsonUpcase};
+use crate::CONFIG;
+
+use crate::db::models::*;
+use crate::db::DbConn;
+use crate::mail;
+
+use rocket::request::{self, FromRequest, Request};
+use rocket::{Outcome, Route};
+
+pub fn routes() -> Vec<Route> {
+    routes![get_users, invite_user, delete_user]
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct InviteData {
+    Email: String,
+}
+
+#[get("/users")]
+fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
+    let users = User::get_all(&conn);
+    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
+
+    Ok(Json(Value::Array(users_json)))
+}
+
+#[post("/invite", data = "<data>")]
+fn invite_user(data: JsonUpcase<InviteData>, _token: AdminToken, conn: DbConn) -> JsonResult {
+    let data: InviteData = data.into_inner().data;
+    let email = data.Email.clone();
+    if User::find_by_mail(&data.Email, &conn).is_some() {
+        err!("User already exists")
+    }
+
+    if !CONFIG.invitations_allowed {
+        err!("Invitations are not allowed")
+    }
+
+    if let Some(ref mail_config) = CONFIG.mail {
+        let mut user = User::new(email);
+        user.save(&conn)?;
+        let org_name = "bitwarden_rs";
+        mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None, mail_config)?;
+    } else {
+        let mut invitation = Invitation::new(data.Email);
+        invitation.save(&conn)?;
+    }
+
+    Ok(Json(json!({})))
+}
+
+#[post("/users/<uuid>/delete")]
+fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> JsonResult {
+    let user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    user.delete(&conn)?;
+    Ok(Json(json!({})))
+}
+
+pub struct AdminToken {}
+
+impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
+    type Error = &'static str;
+
+    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
+        let config_token = match CONFIG.admin_token.as_ref() {
+            Some(token) => token,
+            None => err_handler!("Admin panel is disabled"),
+        };
+
+        // Get access_token
+        let access_token: &str = match request.headers().get_one("Authorization") {
+            Some(a) => match a.rsplit("Bearer ").next() {
+                Some(split) => split,
+                None => err_handler!("No access token provided"),
+            },
+            None => err_handler!("No access token provided"),
+        };
+
+        // TODO: What authentication to use?
+        // Option 1: Make it a config option
+        // Option 2: Generate random token, and
+        // Option 2a: Send it to admin email, like upstream
+        // Option 2b: Print in console or save to data dir, so admin can check
+
+        use crate::auth::ClientIp;
+
+        let ip = match request.guard::<ClientIp>() {
+            Outcome::Success(ip) => ip,
+            _ => err_handler!("Error getting Client IP"),
+        };
+
+        if access_token != config_token {
+            err_handler!("Invalid admin token", format!("IP: {}.", ip.ip))
+        }
+
+        Outcome::Success(AdminToken {})
+    }
+}
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -1,25 +1,51 @@
-use rocket_contrib::Json;
+use rocket_contrib::json::Json;

-use db::DbConn;
-use db::models::*;
+use crate::db::models::*;
+use crate::db::DbConn;

-use api::{PasswordData, JsonResult, EmptyResult, JsonUpcase};
-use auth::Headers;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
+use crate::auth::{decode_invite_jwt, Headers, InviteJWTClaims};
+use crate::mail;

-use util;
+use crate::CONFIG;

-use CONFIG;
+use rocket::Route;
+
+pub fn routes() -> Vec<Route> {
+    routes![
+        register,
+        profile,
+        put_profile,
+        post_profile,
+        get_public_keys,
+        post_keys,
+        post_password,
+        post_kdf,
+        post_rotatekey,
+        post_sstamp,
+        post_email_token,
+        post_email,
+        delete_account,
+        post_delete_account,
+        revision_date,
+        password_hint,
+        prelogin,
+    ]
+}

 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
 struct RegisterData {
    Email: String,
+    Kdf: Option<i32>,
+    KdfIterations: Option<i32>,
    Key: String,
-    #[serde(deserialize_with = "util::upcase_deserialize")]
    Keys: Option<KeysData>,
    MasterPasswordHash: String,
    MasterPasswordHint: Option<String>,
    Name: Option<String>,
+    Token: Option<String>,
+    OrganizationUserId: Option<String>,
 }

 #[derive(Deserialize, Debug)]
@@ -33,15 +59,54 @@ struct KeysData {
 fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
    let data: RegisterData = data.into_inner().data;

-    if !CONFIG.signups_allowed {
-        err!(format!("Signups not allowed"))
+    let mut user = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => {
+            if !user.password_hash.is_empty() {
+                err!("User already exists")
+            }
+
+            if let Some(token) = data.Token {
+                let claims: InviteJWTClaims = decode_invite_jwt(&token)?;
+                if claims.email == data.Email {
+                    user
+                } else {
+                    err!("Registration email does not match invite email")
+                }
+            } else if Invitation::take(&data.Email, &conn) {
+                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+                    user_org.status = UserOrgStatus::Accepted as i32;
+                    user_org.save(&conn)?;
+                }
+
+                user
+            } else if CONFIG.signups_allowed {
+                err!("Account with this email already exists")
+            } else {
+                err!("Registration not allowed")
+            }
+        }
+        None => {
+            if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
+                User::new(data.Email.clone())
+            } else {
+                err!("Registration not allowed")
+            }
+        }
+    };
+
+    // Make sure we don't leave a lingering invitation.
+    Invitation::take(&data.Email, &conn);
+
+    if let Some(client_kdf_iter) = data.KdfIterations {
+        user.client_kdf_iter = client_kdf_iter;
    }

-    if let Some(_) = User::find_by_mail(&data.Email, &conn) {
-        err!("Email already exists")
+    if let Some(client_kdf_type) = data.Kdf {
+        user.client_kdf_type = client_kdf_type;
    }

-    let mut user = User::new(data.Email, data.Key, data.MasterPasswordHash);
+    user.set_password(&data.MasterPasswordHash);
+    user.key = data.Key;

    // Add extra fields if present
    if let Some(name) = data.Name {
@@ -57,9 +122,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
        user.public_key = Some(keys.PublicKey);
    }

-    user.save(&conn);
-
-    Ok(())
+    user.save(&conn)
 }

 #[get("/accounts/profile")]
@@ -67,11 +130,40 @@ fn profile(headers: Headers, conn: DbConn) -> JsonResult {
    Ok(Json(headers.user.to_json(&conn)))
 }

+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct ProfileData {
+    #[serde(rename = "Culture")]
+    _Culture: String, // Ignored, always use en-US
+    MasterPasswordHint: Option<String>,
+    Name: String,
+}
+
+#[put("/accounts/profile", data = "<data>")]
+fn put_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
+    post_profile(data, headers, conn)
+}
+
+#[post("/accounts/profile", data = "<data>")]
+fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: ProfileData = data.into_inner().data;
+
+    let mut user = headers.user;
+
+    user.name = data.Name;
+    user.password_hint = match data.MasterPasswordHint {
+        Some(ref h) if h.is_empty() => None,
+        _ => data.MasterPasswordHint,
+    };
+    user.save(&conn)?;
+    Ok(Json(user.to_json(&conn)))
+}
+
 #[get("/users/<uuid>/public-key")]
 fn get_public_keys(uuid: String, _headers: Headers, conn: DbConn) -> JsonResult {
    let user = match User::find_by_uuid(&uuid, &conn) {
        Some(user) => user,
-        None => err!("User doesn't exist")
+        None => err!("User doesn't exist"),
    };

    Ok(Json(json!({
@@ -90,8 +182,7 @@ fn post_keys(data: JsonUpcase<KeysData>, headers: Headers, conn: DbConn) -> Json
    user.private_key = Some(data.EncryptedPrivateKey);
    user.public_key = Some(data.PublicKey);

-    user.save(&conn);
-
+    user.save(&conn)?;
    Ok(Json(user.to_json(&conn)))
 }

@@ -114,9 +205,112 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon

    user.set_password(&data.NewMasterPasswordHash);
    user.key = data.Key;
-    user.save(&conn);
+    user.save(&conn)
+}

-    Ok(())
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct ChangeKdfData {
+    Kdf: i32,
+    KdfIterations: i32,
+
+    MasterPasswordHash: String,
+    NewMasterPasswordHash: String,
+    Key: String,
+}
+
+#[post("/accounts/kdf", data = "<data>")]
+fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    let data: ChangeKdfData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    user.client_kdf_iter = data.KdfIterations;
+    user.client_kdf_type = data.Kdf;
+    user.set_password(&data.NewMasterPasswordHash);
+    user.key = data.Key;
+    user.save(&conn)
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct UpdateFolderData {
+    Id: String,
+    Name: String,
+}
+
+use super::ciphers::CipherData;
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct KeyData {
+    Ciphers: Vec<CipherData>,
+    Folders: Vec<UpdateFolderData>,
+    Key: String,
+    PrivateKey: String,
+    MasterPasswordHash: String,
+}
+
+#[post("/accounts/key", data = "<data>")]
+fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    let data: KeyData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    let user_uuid = &headers.user.uuid;
+
+    // Update folder data
+    for folder_data in data.Folders {
+        let mut saved_folder = match Folder::find_by_uuid(&folder_data.Id, &conn) {
+            Some(folder) => folder,
+            None => err!("Folder doesn't exist"),
+        };
+
+        if &saved_folder.user_uuid != user_uuid {
+            err!("The folder is not owned by the user")
+        }
+
+        saved_folder.name = folder_data.Name;
+        saved_folder.save(&conn)?
+    }
+
+    // Update cipher data
+    use super::ciphers::update_cipher_from_data;
+
+    for cipher_data in data.Ciphers {
+        let mut saved_cipher = match Cipher::find_by_uuid(cipher_data.Id.as_ref().unwrap(), &conn) {
+            Some(cipher) => cipher,
+            None => err!("Cipher doesn't exist"),
+        };
+
+        if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid {
+            err!("The cipher is not owned by the user")
+        }
+
+        update_cipher_from_data(
+            &mut saved_cipher,
+            cipher_data,
+            &headers,
+            false,
+            &conn,
+            &nt,
+            UpdateType::CipherUpdate,
+        )?
+    }
+
+    // Update user data
+    let mut user = headers.user;
+
+    user.key = data.Key;
+    user.private_key = Some(data.PrivateKey);
+    user.reset_security_stamp();
+
+    user.save(&conn)
 }

 #[post("/accounts/security-stamp", data = "<data>")]
@@ -129,7 +323,27 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
    }

    user.reset_security_stamp();
-    user.save(&conn);
+    user.save(&conn)
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct EmailTokenData {
+    MasterPasswordHash: String,
+    NewEmail: String,
+}
+
+#[post("/accounts/email-token", data = "<data>")]
+fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    let data: EmailTokenData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    if User::find_by_mail(&data.NewEmail, &conn).is_some() {
+        err!("Email already in use");
+    }

    Ok(())
 }
@@ -139,10 +353,14 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
 struct ChangeEmailData {
    MasterPasswordHash: String,
    NewEmail: String,
+
+    Key: String,
+    NewMasterPasswordHash: String,
+    #[serde(rename = "Token")]
+    _Token: NumberOrString,
 }

-
-#[post("/accounts/email-token", data = "<data>")]
+#[post("/accounts/email", data = "<data>")]
 fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn) -> EmptyResult {
    let data: ChangeEmailData = data.into_inner().data;
    let mut user = headers.user;
@@ -156,12 +374,19 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
    }

    user.email = data.NewEmail;
-    user.save(&conn);

-    Ok(())
+    user.set_password(&data.NewMasterPasswordHash);
+    user.key = data.Key;
+
+    user.save(&conn)
 }

 #[post("/accounts/delete", data = "<data>")]
+fn post_delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    delete_account(data, headers, conn)
+}
+
+#[delete("/accounts", data = "<data>")]
 fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
    let data: PasswordData = data.into_inner().data;
    let user = headers.user;
@@ -170,33 +395,60 @@ fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn
        err!("Invalid password")
    }

-    // Delete ciphers and their attachments
-    for cipher in Cipher::find_owned_by_user(&user.uuid, &conn) {
-        match cipher.delete(&conn) {
-            Ok(()) => (),
-            Err(_) => err!("Failed deleting cipher")
-        }
-    }
-
-    // Delete folders
-    for f in Folder::find_by_user(&user.uuid, &conn) {
-        match f.delete(&conn) {
-            Ok(()) => (),
-            Err(_) => err!("Failed deleting folder")
-        } 
-    }
-
-    // Delete devices
-    for d in Device::find_by_user(&user.uuid, &conn) { d.delete(&conn); }
-
-    // Delete user
-    user.delete(&conn);
-
-    Ok(())
+    user.delete(&conn)
 }

 #[get("/accounts/revision-date")]
 fn revision_date(headers: Headers) -> String {
-    let revision_date = headers.user.updated_at.timestamp();
+    let revision_date = headers.user.updated_at.timestamp_millis();
    revision_date.to_string()
 }
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct PasswordHintData {
+    Email: String,
+}
+
+#[post("/accounts/password-hint", data = "<data>")]
+fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> EmptyResult {
+    let data: PasswordHintData = data.into_inner().data;
+
+    let hint = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => user.password_hint,
+        None => return Ok(()),
+    };
+
+    if let Some(ref mail_config) = CONFIG.mail {
+        mail::send_password_hint(&data.Email, hint, mail_config)?;
+    } else if CONFIG.show_password_hint {
+        if let Some(hint) = hint {
+            err!(format!("Your password hint is: {}", &hint));
+        } else {
+            err!("Sorry, you have no password hint...");
+        }
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct PreloginData {
+    Email: String,
+}
+
+#[post("/accounts/prelogin", data = "<data>")]
+fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> JsonResult {
+    let data: PreloginData = data.into_inner().data;
+
+    let (kdf_type, kdf_iter) = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => (user.client_kdf_type, user.client_kdf_iter),
+        None => (User::CLIENT_KDF_TYPE_DEFAULT, User::CLIENT_KDF_ITER_DEFAULT),
+    };
+
+    Ok(Json(json!({
+        "Kdf": kdf_type,
+        "KdfIterations": kdf_iter
+    })))
+}
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
--- a/src/api/core/folders.rs
+++ b/src/api/core/folders.rs
@@ -1,10 +1,25 @@
-use rocket_contrib::{Json, Value};
+use rocket_contrib::json::Json;
+use serde_json::Value;

-use db::DbConn;
-use db::models::*;
+use crate::db::models::*;
+use crate::db::DbConn;

-use api::{JsonResult, EmptyResult, JsonUpcase};
-use auth::Headers;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType};
+use crate::auth::Headers;
+
+use rocket::Route;
+
+pub fn routes() -> Vec<Route> {
+    routes![
+        get_folders,
+        get_folder,
+        post_folders,
+        post_folder,
+        put_folder,
+        delete_folder_post,
+        delete_folder,
+    ]
+}

 #[get("/folders")]
 fn get_folders(headers: Headers, conn: DbConn) -> JsonResult {
@@ -15,6 +30,7 @@ fn get_folders(headers: Headers, conn: DbConn) -> JsonResult {
    Ok(Json(json!({
      "Data": folders_json,
      "Object": "list",
+      "ContinuationToken": null,
    })))
 }

@@ -22,7 +38,7 @@ fn get_folders(headers: Headers, conn: DbConn) -> JsonResult {
 fn get_folder(uuid: String, headers: Headers, conn: DbConn) -> JsonResult {
    let folder = match Folder::find_by_uuid(&uuid, &conn) {
        Some(folder) => folder,
-        _ => err!("Invalid folder")
+        _ => err!("Invalid folder"),
    };

    if folder.user_uuid != headers.user.uuid {
@@ -36,32 +52,33 @@ fn get_folder(uuid: String, headers: Headers, conn: DbConn) -> JsonResult {
 #[allow(non_snake_case)]

 pub struct FolderData {
-    pub Name: String
+    pub Name: String,
 }

 #[post("/folders", data = "<data>")]
-fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
    let data: FolderData = data.into_inner().data;

    let mut folder = Folder::new(headers.user.uuid.clone(), data.Name);

-    folder.save(&conn);
+    folder.save(&conn)?;
+    nt.send_folder_update(UpdateType::FolderCreate, &folder);

    Ok(Json(folder.to_json()))
 }

 #[post("/folders/<uuid>", data = "<data>")]
-fn post_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn) -> JsonResult {
-    put_folder(uuid, data, headers, conn)
+fn post_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
+    put_folder(uuid, data, headers, conn, nt)
 }

 #[put("/folders/<uuid>", data = "<data>")]
-fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
    let data: FolderData = data.into_inner().data;

    let mut folder = match Folder::find_by_uuid(&uuid, &conn) {
        Some(folder) => folder,
-        _ => err!("Invalid folder")
+        _ => err!("Invalid folder"),
    };

    if folder.user_uuid != headers.user.uuid {
@@ -70,21 +87,22 @@ fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn

    folder.name = data.Name;

-    folder.save(&conn);
+    folder.save(&conn)?;
+    nt.send_folder_update(UpdateType::FolderUpdate, &folder);

    Ok(Json(folder.to_json()))
 }

 #[post("/folders/<uuid>/delete")]
-fn delete_folder_post(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
-    delete_folder(uuid, headers, conn)
+fn delete_folder_post(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    delete_folder(uuid, headers, conn, nt)
 }

 #[delete("/folders/<uuid>")]
-fn delete_folder(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
+fn delete_folder(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
    let folder = match Folder::find_by_uuid(&uuid, &conn) {
        Some(folder) => folder,
-        _ => err!("Invalid folder")
+        _ => err!("Invalid folder"),
    };

    if folder.user_uuid != headers.user.uuid {
@@ -92,8 +110,8 @@ fn delete_folder(uuid: String, headers: Headers, conn: DbConn) -> EmptyResult {
    }

    // Delete the actual folder entry
-    match folder.delete(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Failed deleting folder")
-    }
+    folder.delete(&conn)?;
+
+    nt.send_folder_update(UpdateType::FolderDelete, &folder);
+    Ok(())
 }
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -2,144 +2,70 @@ mod accounts;
 mod ciphers;
 mod folders;
 mod organizations;
-mod two_factor;
-
-use self::accounts::*;
-use self::ciphers::*;
-use self::folders::*;
-use self::organizations::*;
-use self::two_factor::*;
+pub(crate) mod two_factor;

 pub fn routes() -> Vec<Route> {
-    routes![
-        register,
-        profile,
-        get_public_keys,
-        post_keys,
-        post_password,
-        post_sstamp,
-        post_email,
-        delete_account,
-        revision_date,
-
-        sync,
-
-        get_ciphers,
-        get_cipher,
-        get_cipher_admin,
-        get_cipher_details,
-        post_ciphers,
-        post_ciphers_admin,
-        post_ciphers_import,
-        post_attachment,
-        delete_attachment_post,
-        delete_attachment,
-        post_cipher_admin,
-        post_cipher_share,
-        post_cipher,
-        put_cipher,
-        delete_cipher_post,
-        delete_cipher,
-        delete_cipher_selected,
-        delete_all,
-        move_cipher_selected,
-
-        get_folders,
-        get_folder,
-        post_folders,
-        post_folder,
-        put_folder,
-        delete_folder_post,
-        delete_folder,
-
-        get_twofactor,
-        get_recover,
-        recover,
-        generate_authenticator,
-        activate_authenticator,
-        disable_authenticator,
-
-        get_organization,
-        create_organization,
-        delete_organization,
-        get_user_collections,
-        get_org_collections,
-        get_org_collection_detail,
-        get_collection_users,
-        post_organization,
-        post_organization_collections,
-        post_organization_collection_delete_user,
-        post_organization_collection_update,
-        post_organization_collection_delete,
-        post_collections_update,
-        post_collections_admin,
-        get_org_details,
-        get_org_users,
-        send_invite,
-        confirm_invite,
-        get_user,
-        edit_user,
-        delete_user,
-
+    let mut mod_routes = routes![
        clear_device_token,
        put_device_token,
-
        get_eq_domains,
        post_eq_domains,
+        put_eq_domains,
+    ];

-    ]
+    let mut routes = Vec::new();
+    routes.append(&mut accounts::routes());
+    routes.append(&mut ciphers::routes());
+    routes.append(&mut folders::routes());
+    routes.append(&mut organizations::routes());
+    routes.append(&mut two_factor::routes());
+    routes.append(&mut mod_routes);
+
+    routes
 }

-///
-/// Move this somewhere else
-///
-
+//
+// Move this somewhere else
+//
 use rocket::Route;

-use rocket_contrib::{Json, Value};
+use rocket_contrib::json::Json;
+use serde_json::Value;

-use db::DbConn;
-use db::models::*;
+use crate::db::DbConn;

-use api::{JsonResult, EmptyResult, JsonUpcase};
-use auth::Headers;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase};
+use crate::auth::Headers;

-#[put("/devices/identifier/<uuid>/clear-token", data = "<data>")]
-fn clear_device_token(uuid: String, data: Json<Value>, headers: Headers, conn: DbConn) -> EmptyResult {
-    println!("UUID: {:#?}", uuid);
-    println!("DATA: {:#?}", data);
-    
-    let device = match Device::find_by_uuid(&uuid, &conn) {
-        Some(device) => device,
-        None => err!("Device not found")
-    };
+#[put("/devices/identifier/<uuid>/clear-token")]
+fn clear_device_token(uuid: String) -> EmptyResult {
+    // This endpoint doesn't have auth header

-    if device.user_uuid != headers.user.uuid {
-        err!("Device not owned by user")
-    }
-
-    device.delete(&conn);
+    let _ = uuid;
+    // uuid is not related to deviceId

+    // This only clears push token
+    // https://github.com/bitwarden/core/blob/master/src/Api/Controllers/DevicesController.cs#L109
+    // https://github.com/bitwarden/core/blob/master/src/Core/Services/Implementations/DeviceService.cs#L37
    Ok(())
 }

 #[put("/devices/identifier/<uuid>/token", data = "<data>")]
-fn put_device_token(uuid: String, data: Json<Value>, headers: Headers, conn: DbConn) -> JsonResult {
-    println!("UUID: {:#?}", uuid);
-    println!("DATA: {:#?}", data);
+fn put_device_token(uuid: String, data: JsonUpcase<Value>, headers: Headers) -> JsonResult {
+    let _data: Value = data.into_inner().data;
+    // Data has a single string value "PushToken"
+    let _ = uuid;
+    // uuid is not related to deviceId

-    let device = match Device::find_by_uuid(&uuid, &conn) {
-        Some(device) => device,
-        None => err!("Device not found")
-    };
+    // TODO: This should save the push token, but we don't have push functionality

-    if device.user_uuid != headers.user.uuid {
-        err!("Device not owned by user")
-    }
-
-    // TODO: What does this do?
-
-    err!("Not implemented")
+    Ok(Json(json!({
+        "Id": headers.device.uuid,
+        "Name": headers.device.name,
+        "Type": headers.device.type_,
+        "Identifier": headers.device.uuid,
+        "CreationDate": crate::util::format_date(&headers.device.created_at),
+    })))
 }

 #[derive(Serialize, Deserialize, Debug)]
@@ -150,7 +76,7 @@ struct GlobalDomain {
    Excluded: bool,
 }

-const GLOBAL_DOMAINS: &'static str = include_str!("global_domains.json");
+const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");

 #[get("/settings/domains")]
 fn get_eq_domains(headers: Headers) -> JsonResult {
@@ -173,7 +99,6 @@ fn get_eq_domains(headers: Headers) -> JsonResult {
    })))
 }

-
 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
 struct EquivDomainData {
@@ -182,11 +107,11 @@ struct EquivDomainData {
 }

 #[post("/settings/domains", data = "<data>")]
-fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> EmptyResult {
+fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {
    let data: EquivDomainData = data.into_inner().data;

-    let excluded_globals = data.ExcludedGlobalEquivalentDomains.unwrap_or(Vec::new());
-    let equivalent_domains = data.EquivalentDomains.unwrap_or(Vec::new());
+    let excluded_globals = data.ExcludedGlobalEquivalentDomains.unwrap_or_default();
+    let equivalent_domains = data.EquivalentDomains.unwrap_or_default();

    let mut user = headers.user;
    use serde_json::to_string;
@@ -194,7 +119,12 @@ fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: Db
    user.excluded_globals = to_string(&excluded_globals).unwrap_or("[]".to_string());
    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or("[]".to_string());

-    user.save(&conn);
+    user.save(&conn)?;

-    Ok(())
+    Ok(Json(json!({})))
+}
+
+#[put("/settings/domains", data = "<data>")]
+fn put_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {
+    post_eq_domains(data, headers, conn)
 }
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
--- a/src/api/core/two_factor.rs
+++ b/src/api/core/two_factor.rs
@@ -1,29 +1,49 @@
-use rocket_contrib::{Json, Value};
-
 use data_encoding::BASE32;
+use rocket_contrib::json::Json;
+use serde_json;
+use serde_json::Value;

-use db::DbConn;
+use crate::db::{
+    models::{TwoFactor, TwoFactorType, User},
+    DbConn,
+};

-use crypto;
+use crate::crypto;

-use api::{PasswordData, JsonResult, NumberOrString, JsonUpcase};
-use auth::Headers;
+use crate::api::{ApiResult, EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData};
+use crate::auth::Headers;
+
+use rocket::Route;
+
+pub fn routes() -> Vec<Route> {
+    routes![
+        get_twofactor,
+        get_recover,
+        recover,
+        disable_twofactor,
+        disable_twofactor_put,
+        generate_authenticator,
+        activate_authenticator,
+        activate_authenticator_put,
+        generate_u2f,
+        generate_u2f_challenge,
+        activate_u2f,
+        activate_u2f_put,
+        generate_yubikey,
+        activate_yubikey,
+        activate_yubikey_put,
+    ]
+}

 #[get("/two-factor")]
-fn get_twofactor(headers: Headers) -> JsonResult {
-    let data = if headers.user.totp_secret.is_none() {
-        Value::Null
-    } else {
-        json!([{
-            "Enabled": true,
-            "Type": 0,
-            "Object": "twoFactorProvider"
-        }])
-    };
+fn get_twofactor(headers: Headers, conn: DbConn) -> JsonResult {
+    let twofactors = TwoFactor::find_by_user(&headers.user.uuid, &conn);
+    let twofactors_json: Vec<Value> = twofactors.iter().map(|c| c.to_json_list()).collect();

    Ok(Json(json!({
-        "Data": data,
-        "Object": "list"
+        "Data": twofactors_json,
+        "Object": "list",
+        "ContinuationToken": null,
    })))
 }

@@ -53,12 +73,12 @@ struct RecoverTwoFactor {
 fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
    let data: RecoverTwoFactor = data.into_inner().data;

-    use db::models::User;
+    use crate::db::models::User;

    // Get the user
    let mut user = match User::find_by_mail(&data.Email, &conn) {
        Some(user) => user,
-        None => err!("Username or password is incorrect. Try again.")
+        None => err!("Username or password is incorrect. Try again."),
    };

    // Check password
@@ -71,24 +91,65 @@ fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
        err!("Recovery code is incorrect. Try again.")
    }

-    user.totp_secret = None;
-    user.totp_recover = None;
-    user.save(&conn);
+    // Remove all twofactors from the user
+    for twofactor in TwoFactor::find_by_user(&user.uuid, &conn) {
+        twofactor.delete(&conn).expect("Error deleting twofactor");
+    }

+    // Remove the recovery code, not needed without twofactors
+    user.totp_recover = None;
+    user.save(&conn)?;
    Ok(Json(json!({})))
 }

+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DisableTwoFactorData {
+    MasterPasswordHash: String,
+    Type: NumberOrString,
+}
+
+#[post("/two-factor/disable", data = "<data>")]
+fn disable_twofactor(data: JsonUpcase<DisableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: DisableTwoFactorData = data.into_inner().data;
+    let password_hash = data.MasterPasswordHash;
+
+    if !headers.user.check_valid_password(&password_hash) {
+        err!("Invalid password");
+    }
+
+    let type_ = data.Type.into_i32().expect("Invalid type");
+
+    if let Some(twofactor) = TwoFactor::find_by_user_and_type(&headers.user.uuid, type_, &conn) {
+        twofactor.delete(&conn).expect("Error deleting twofactor");
+    }
+
+    Ok(Json(json!({
+        "Enabled": false,
+        "Type": type_,
+        "Object": "twoFactorProvider"
+    })))
+}
+
+#[put("/two-factor/disable", data = "<data>")]
+fn disable_twofactor_put(data: JsonUpcase<DisableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    disable_twofactor(data, headers, conn)
+}
+
 #[post("/two-factor/get-authenticator", data = "<data>")]
-fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers) -> JsonResult {
+fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
    let data: PasswordData = data.into_inner().data;

    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
        err!("Invalid password");
    }

-    let (enabled, key) = match headers.user.totp_secret {
-        Some(secret) => (true, secret),
-        _ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20])))
+    let type_ = TwoFactorType::Authenticator as i32;
+    let twofactor = TwoFactor::find_by_user_and_type(&headers.user.uuid, type_, &conn);
+
+    let (enabled, key) = match twofactor {
+        Some(tf) => (true, tf.data),
+        _ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20]))),
    };

    Ok(Json(json!({
@@ -100,20 +161,20 @@ fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers) -> J

 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
-struct EnableTwoFactorData {
+struct EnableAuthenticatorData {
    MasterPasswordHash: String,
    Key: String,
    Token: NumberOrString,
 }

 #[post("/two-factor/authenticator", data = "<data>")]
-fn activate_authenticator(data: JsonUpcase<EnableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
-    let data: EnableTwoFactorData = data.into_inner().data;
+fn activate_authenticator(data: JsonUpcase<EnableAuthenticatorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableAuthenticatorData = data.into_inner().data;
    let password_hash = data.MasterPasswordHash;
    let key = data.Key;
-    let token = match data.Token.to_i32() {
+    let token = match data.Token.into_i32() {
        Some(n) => n as u64,
-        None => err!("Malformed token")
+        None => err!("Malformed token"),
    };

    if !headers.user.check_valid_password(&password_hash) {
@@ -123,27 +184,24 @@ fn activate_authenticator(data: JsonUpcase<EnableTwoFactorData>, headers: Header
    // Validate key as base32 and 20 bytes length
    let decoded_key: Vec<u8> = match BASE32.decode(key.as_bytes()) {
        Ok(decoded) => decoded,
-        _ => err!("Invalid totp secret")
+        _ => err!("Invalid totp secret"),
    };

    if decoded_key.len() != 20 {
        err!("Invalid key length")
    }

-    // Set key in user.totp_secret
-    let mut user = headers.user;
-    user.totp_secret = Some(key.to_uppercase());
+    let type_ = TwoFactorType::Authenticator;
+    let twofactor = TwoFactor::new(headers.user.uuid.clone(), type_, key.to_uppercase());

    // Validate the token provided with the key
-    if !user.check_totp_code(token) {
+    if !twofactor.check_totp_code(token) {
        err!("Invalid totp code")
    }

-    // Generate totp_recover
-    let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20]));
-    user.totp_recover = Some(totp_recover);
-
-    user.save(&conn);
+    let mut user = headers.user;
+    _generate_recover_code(&mut user, &conn);
+    twofactor.save(&conn).expect("Error saving twofactor");

    Ok(Json(json!({
        "Enabled": true,
@@ -152,32 +210,466 @@ fn activate_authenticator(data: JsonUpcase<EnableTwoFactorData>, headers: Header
    })))
 }

-#[derive(Deserialize)]
-#[allow(non_snake_case)]
-struct DisableTwoFactorData {
-    MasterPasswordHash: String,
-    Type: NumberOrString,
+#[put("/two-factor/authenticator", data = "<data>")]
+fn activate_authenticator_put(data: JsonUpcase<EnableAuthenticatorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_authenticator(data, headers, conn)
 }

-#[post("/two-factor/disable", data = "<data>")]
-fn disable_authenticator(data: JsonUpcase<DisableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
-    let data: DisableTwoFactorData = data.into_inner().data;
-    let password_hash = data.MasterPasswordHash;
-    let _type = data.Type;
+fn _generate_recover_code(user: &mut User, conn: &DbConn) {
+    if user.totp_recover.is_none() {
+        let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20]));
+        user.totp_recover = Some(totp_recover);
+        user.save(conn).ok();
+    }
+}

-    if !headers.user.check_valid_password(&password_hash) {
+use u2f::messages::{RegisterResponse, SignResponse, U2fSignRequest};
+use u2f::protocol::{Challenge, U2f};
+use u2f::register::Registration;
+
+use crate::CONFIG;
+
+const U2F_VERSION: &str = "U2F_V2";
+
+lazy_static! {
+    static ref APP_ID: String = format!("{}/app-id.json", &CONFIG.domain);
+    static ref U2F: U2f = U2f::new(APP_ID.clone());
+}
+
+#[post("/two-factor/get-u2f", data = "<data>")]
+fn generate_u2f(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    if !CONFIG.domain_set {
+        err!("`DOMAIN` environment variable is not set. U2F disabled")
+    }
+
+    let data: PasswordData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
        err!("Invalid password");
    }

-    let mut user = headers.user;
-    user.totp_secret = None;
-    user.totp_recover = None;
+    let user_uuid = &headers.user.uuid;

-    user.save(&conn);
+    let u2f_type = TwoFactorType::U2f as i32;
+    let enabled = TwoFactor::find_by_user_and_type(user_uuid, u2f_type, &conn).is_some();

    Ok(Json(json!({
-        "Enabled": false,
-        "Type": 0,
-        "Object": "twoFactorProvider"
+        "Enabled": enabled,
+        "Object": "twoFactorU2f"
    })))
 }
+
+#[post("/two-factor/get-u2f-challenge", data = "<data>")]
+fn generate_u2f_challenge(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: PasswordData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let user_uuid = &headers.user.uuid;
+
+    let challenge = _create_u2f_challenge(user_uuid, TwoFactorType::U2fRegisterChallenge, &conn).challenge;
+
+    Ok(Json(json!({
+        "UserId": headers.user.uuid,
+        "AppId": APP_ID.to_string(),
+        "Challenge": challenge,
+        "Version": U2F_VERSION,
+    })))
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct EnableU2FData {
+    MasterPasswordHash: String,
+    DeviceResponse: String,
+}
+
+// This struct is copied from the U2F lib
+// to add an optional error code
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct RegisterResponseCopy {
+    pub registration_data: String,
+    pub version: String,
+    pub client_data: String,
+
+    pub error_code: Option<NumberOrString>,
+}
+
+impl RegisterResponseCopy {
+    fn into_response(self) -> RegisterResponse {
+        RegisterResponse {
+            registration_data: self.registration_data,
+            version: self.version,
+            client_data: self.client_data,
+        }
+    }
+}
+
+#[post("/two-factor/u2f", data = "<data>")]
+fn activate_u2f(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableU2FData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let tf_challenge =
+        TwoFactor::find_by_user_and_type(&headers.user.uuid, TwoFactorType::U2fRegisterChallenge as i32, &conn);
+
+    if let Some(tf_challenge) = tf_challenge {
+        let challenge: Challenge = serde_json::from_str(&tf_challenge.data)?;
+
+        tf_challenge.delete(&conn)?;
+
+        let response_copy: RegisterResponseCopy = serde_json::from_str(&data.DeviceResponse)?;
+
+        let error_code = response_copy
+            .error_code
+            .clone()
+            .map_or("0".into(), NumberOrString::into_string);
+
+        if error_code != "0" {
+            err!("Error registering U2F token")
+        }
+
+        let response = response_copy.into_response();
+
+        let registration = U2F.register_response(challenge.clone(), response)?;
+        // TODO: Allow more than one U2F device
+        let mut registrations = Vec::new();
+        registrations.push(registration);
+
+        let tf_registration = TwoFactor::new(
+            headers.user.uuid.clone(),
+            TwoFactorType::U2f,
+            serde_json::to_string(&registrations).unwrap(),
+        );
+        tf_registration.save(&conn)?;
+
+        let mut user = headers.user;
+        _generate_recover_code(&mut user, &conn);
+
+        Ok(Json(json!({
+            "Enabled": true,
+            "Challenge": {
+                "UserId": user.uuid,
+                "AppId": APP_ID.to_string(),
+                "Challenge": challenge,
+                "Version": U2F_VERSION,
+            },
+            "Object": "twoFactorU2f"
+        })))
+    } else {
+        err!("Can't recover challenge")
+    }
+}
+
+#[put("/two-factor/u2f", data = "<data>")]
+fn activate_u2f_put(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_u2f(data, headers, conn)
+}
+
+fn _create_u2f_challenge(user_uuid: &str, type_: TwoFactorType, conn: &DbConn) -> Challenge {
+    let challenge = U2F.generate_challenge().unwrap();
+
+    TwoFactor::new(user_uuid.into(), type_, serde_json::to_string(&challenge).unwrap())
+        .save(conn)
+        .expect("Error saving challenge");
+
+    challenge
+}
+
+// This struct is copied from the U2F lib
+// because it doesn't implement Deserialize
+#[derive(Serialize, Deserialize, Clone)]
+#[serde(rename_all = "camelCase")]
+struct RegistrationCopy {
+    pub key_handle: Vec<u8>,
+    pub pub_key: Vec<u8>,
+    pub attestation_cert: Option<Vec<u8>>,
+}
+
+impl Into<Registration> for RegistrationCopy {
+    fn into(self) -> Registration {
+        Registration {
+            key_handle: self.key_handle,
+            pub_key: self.pub_key,
+            attestation_cert: self.attestation_cert,
+        }
+    }
+}
+
+fn _parse_registrations(registations: &str) -> Vec<Registration> {
+    let registrations_copy: Vec<RegistrationCopy> =
+        serde_json::from_str(registations).expect("Can't parse RegistrationCopy data");
+
+    registrations_copy.into_iter().map(Into::into).collect()
+}
+
+pub fn generate_u2f_login(user_uuid: &str, conn: &DbConn) -> ApiResult<U2fSignRequest> {
+    let challenge = _create_u2f_challenge(user_uuid, TwoFactorType::U2fLoginChallenge, conn);
+
+    let type_ = TwoFactorType::U2f as i32;
+    let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, type_, conn) {
+        Some(tf) => tf,
+        None => err!("No U2F devices registered"),
+    };
+
+    let registrations = _parse_registrations(&twofactor.data);
+    let signed_request: U2fSignRequest = U2F.sign_request(challenge, registrations);
+
+    Ok(signed_request)
+}
+
+pub fn validate_u2f_login(user_uuid: &str, response: &str, conn: &DbConn) -> EmptyResult {
+    let challenge_type = TwoFactorType::U2fLoginChallenge as i32;
+    let u2f_type = TwoFactorType::U2f as i32;
+
+    let tf_challenge = TwoFactor::find_by_user_and_type(user_uuid, challenge_type, &conn);
+
+    let challenge = match tf_challenge {
+        Some(tf_challenge) => {
+            let challenge: Challenge = serde_json::from_str(&tf_challenge.data)?;
+            tf_challenge.delete(&conn)?;
+            challenge
+        }
+        None => err!("Can't recover login challenge"),
+    };
+
+    let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, u2f_type, conn) {
+        Some(tf) => tf,
+        None => err!("No U2F devices registered"),
+    };
+
+    let registrations = _parse_registrations(&twofactor.data);
+
+    let response: SignResponse = serde_json::from_str(response)?;
+
+    let mut _counter: u32 = 0;
+    for registration in registrations {
+        let response = U2F.sign_response(challenge.clone(), registration, response.clone(), _counter);
+        match response {
+            Ok(new_counter) => {
+                _counter = new_counter;
+                info!("O {:#}", new_counter);
+                return Ok(());
+            }
+            Err(e) => {
+                info!("E {:#}", e);
+                break;
+            }
+        }
+    }
+    err!("error verifying response")
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct EnableYubikeyData {
+    MasterPasswordHash: String,
+    Key1: Option<String>,
+    Key2: Option<String>,
+    Key3: Option<String>,
+    Key4: Option<String>,
+    Key5: Option<String>,
+    Nfc: bool,
+}
+
+#[derive(Deserialize, Serialize, Debug)]
+#[allow(non_snake_case)]
+pub struct YubikeyMetadata {
+    Keys: Vec<String>,
+    pub Nfc: bool,
+}
+
+use yubico::config::Config;
+use yubico::Yubico;
+
+fn parse_yubikeys(data: &EnableYubikeyData) -> Vec<String> {
+    let mut yubikeys: Vec<String> = Vec::new();
+
+    if data.Key1.is_some() {
+        yubikeys.push(data.Key1.as_ref().unwrap().to_owned());
+    }
+
+    if data.Key2.is_some() {
+        yubikeys.push(data.Key2.as_ref().unwrap().to_owned());
+    }
+
+    if data.Key3.is_some() {
+        yubikeys.push(data.Key3.as_ref().unwrap().to_owned());
+    }
+
+    if data.Key4.is_some() {
+        yubikeys.push(data.Key4.as_ref().unwrap().to_owned());
+    }
+
+    if data.Key5.is_some() {
+        yubikeys.push(data.Key5.as_ref().unwrap().to_owned());
+    }
+
+    yubikeys
+}
+
+fn jsonify_yubikeys(yubikeys: Vec<String>) -> serde_json::Value {
+    let mut result = json!({});
+
+    for (i, key) in yubikeys.into_iter().enumerate() {
+        result[format!("Key{}", i + 1)] = Value::String(key);
+    }
+
+    result
+}
+
+fn verify_yubikey_otp(otp: String) -> JsonResult {
+    if !CONFIG.yubico_cred_set {
+        err!("`YUBICO_CLIENT_ID` or `YUBICO_SECRET_KEY` environment variable is not set. Yubikey OTP Disabled")
+    }
+
+    let yubico = Yubico::new();
+    let config = Config::default()
+        .set_client_id(CONFIG.yubico_client_id.to_owned())
+        .set_key(CONFIG.yubico_secret_key.to_owned());
+
+    let result = match CONFIG.yubico_server {
+        Some(ref server) => yubico.verify(otp, config.set_api_hosts(vec![server.to_owned()])),
+        None => yubico.verify(otp, config),
+    };
+
+    match result {
+        Ok(_answer) => Ok(Json(json!({}))),
+        Err(_e) => err!("Failed to verify OTP"),
+    }
+}
+
+#[post("/two-factor/get-yubikey", data = "<data>")]
+fn generate_yubikey(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    if !CONFIG.yubico_cred_set {
+        err!("`YUBICO_CLIENT_ID` or `YUBICO_SECRET_KEY` environment variable is not set. Yubikey OTP Disabled")
+    }
+
+    let data: PasswordData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let user_uuid = &headers.user.uuid;
+    let yubikey_type = TwoFactorType::YubiKey as i32;
+
+    let r = TwoFactor::find_by_user_and_type(user_uuid, yubikey_type, &conn);
+
+    if let Some(r) = r {
+        let yubikey_metadata: YubikeyMetadata = serde_json::from_str(&r.data)?;
+
+        let mut result = jsonify_yubikeys(yubikey_metadata.Keys);
+
+        result["Enabled"] = Value::Bool(true);
+        result["Nfc"] = Value::Bool(yubikey_metadata.Nfc);
+        result["Object"] = Value::String("twoFactorU2f".to_owned());
+
+        Ok(Json(result))
+    } else {
+        Ok(Json(json!({
+            "Enabled": false,
+            "Object": "twoFactorU2f",
+        })))
+    }
+}
+
+#[post("/two-factor/yubikey", data = "<data>")]
+fn activate_yubikey(data: JsonUpcase<EnableYubikeyData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableYubikeyData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    // Check if we already have some data
+    let yubikey_data = TwoFactor::find_by_user_and_type(&headers.user.uuid, TwoFactorType::YubiKey as i32, &conn);
+
+    if let Some(yubikey_data) = yubikey_data {
+        yubikey_data.delete(&conn)?;
+    }
+
+    let yubikeys = parse_yubikeys(&data);
+
+    if yubikeys.is_empty() {
+        return Ok(Json(json!({
+            "Enabled": false,
+            "Object": "twoFactorU2f",
+        })));
+    }
+
+    // Ensure they are valid OTPs
+    for yubikey in &yubikeys {
+        if yubikey.len() == 12 {
+            // YubiKey ID
+            continue;
+        }
+
+        let result = verify_yubikey_otp(yubikey.to_owned());
+
+        if let Err(_e) = result {
+            err!("Invalid Yubikey OTP provided");
+        }
+    }
+
+    let yubikey_ids: Vec<String> = yubikeys.into_iter().map(|x| (&x[..12]).to_owned()).collect();
+
+    let yubikey_metadata = YubikeyMetadata {
+        Keys: yubikey_ids,
+        Nfc: data.Nfc,
+    };
+
+    let yubikey_registration = TwoFactor::new(
+        headers.user.uuid.clone(),
+        TwoFactorType::YubiKey,
+        serde_json::to_string(&yubikey_metadata).unwrap(),
+    );
+    yubikey_registration.save(&conn)?;
+
+    let mut result = jsonify_yubikeys(yubikey_metadata.Keys);
+
+    result["Enabled"] = Value::Bool(true);
+    result["Nfc"] = Value::Bool(yubikey_metadata.Nfc);
+    result["Object"] = Value::String("twoFactorU2f".to_owned());
+
+    Ok(Json(result))
+}
+
+#[put("/two-factor/yubikey", data = "<data>")]
+fn activate_yubikey_put(data: JsonUpcase<EnableYubikeyData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_yubikey(data, headers, conn)
+}
+
+pub fn validate_yubikey_login(user_uuid: &str, response: &str, conn: &DbConn) -> EmptyResult {
+    if response.len() != 44 {
+        err!("Invalid Yubikey OTP length");
+    }
+
+    let yubikey_type = TwoFactorType::YubiKey as i32;
+
+    let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, yubikey_type, &conn) {
+        Some(tf) => tf,
+        None => err!("No YubiKey devices registered"),
+    };
+
+    let yubikey_metadata: YubikeyMetadata =
+        serde_json::from_str(&twofactor.data).expect("Can't parse Yubikey Metadata");
+    let response_id = &response[..12];
+
+    if !yubikey_metadata.Keys.contains(&response_id.to_owned()) {
+        err!("Given Yubikey is not registered");
+    }
+
+    let result = verify_yubikey_otp(response.to_owned());
+
+    match result {
+        Ok(_answer) => Ok(()),
+        Err(_e) => err!("Failed to verify Yubikey against OTP server"),
+    }
+}
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -1,46 +1,132 @@
-use std::io;
+use std::error::Error;
+use std::fs::{create_dir_all, remove_file, symlink_metadata, File};
 use std::io::prelude::*;
-use std::fs::{create_dir_all, File};
+use std::time::SystemTime;

-use rocket::Route;
-use rocket::response::Content;
 use rocket::http::ContentType;
+use rocket::response::Content;
+use rocket::Route;

 use reqwest;

-use CONFIG;
+use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
    routes![icon]
 }

+const FALLBACK_ICON: &[u8; 344] = include_bytes!("../static/fallback-icon.png");
+
 #[get("/<domain>/icon.png")]
 fn icon(domain: String) -> Content<Vec<u8>> {
    let icon_type = ContentType::new("image", "x-icon");

    // Validate the domain to avoid directory traversal attacks
-    if domain.contains("/") || domain.contains("..") {
-        return Content(icon_type, get_fallback_icon());
+    if domain.contains('/') || domain.contains("..") {
+        return Content(icon_type, FALLBACK_ICON.to_vec());
    }

-    let url = format!("https://icons.bitwarden.com/{}/icon.png", domain);
-
-    // Get the icon, or fallback in case of error
-    let icon = match get_icon_cached(&domain, &url) {
-        Ok(icon) => icon,
-        Err(_) => return Content(icon_type, get_fallback_icon())
-    };
+    let icon = get_icon(&domain);

    Content(icon_type, icon)
 }

-fn get_icon(url: &str) -> Result<Vec<u8>, reqwest::Error> {
+fn get_icon(domain: &str) -> Vec<u8> {
+    let path = format!("{}/{}.png", CONFIG.icon_cache_folder, domain);
+
+    if let Some(icon) = get_cached_icon(&path) {
+        return icon;
+    }
+
+    let url = get_icon_url(&domain);
+
+    // Get the icon, or fallback in case of error
+    match download_icon(&url) {
+        Ok(icon) => {
+            save_icon(&path, &icon);
+            icon
+        }
+        Err(e) => {
+            error!("Error downloading icon: {:?}", e);
+            mark_negcache(&path);
+            FALLBACK_ICON.to_vec()
+        }
+    }
+}
+
+fn get_cached_icon(path: &str) -> Option<Vec<u8>> {
+    // Check for expiration of negatively cached copy
+    if icon_is_negcached(path) {
+        return Some(FALLBACK_ICON.to_vec());
+    }
+
+    // Check for expiration of successfully cached copy
+    if icon_is_expired(path) {
+        return None;
+    }
+
+    // Try to read the cached icon, and return it if it exists
+    if let Ok(mut f) = File::open(path) {
+        let mut buffer = Vec::new();
+
+        if f.read_to_end(&mut buffer).is_ok() {
+            return Some(buffer);
+        }
+    }
+
+    None
+}
+
+fn file_is_expired(path: &str, ttl: u64) -> Result<bool, Box<Error>> {
+    let meta = symlink_metadata(path)?;
+    let modified = meta.modified()?;
+    let age = SystemTime::now().duration_since(modified)?;
+
+    Ok(ttl > 0 && ttl <= age.as_secs())
+}
+
+fn icon_is_negcached(path: &str) -> bool {
+    let miss_indicator = path.to_owned() + ".miss";
+    let expired = file_is_expired(&miss_indicator, CONFIG.icon_cache_negttl);
+
+    match expired {
+        // No longer negatively cached, drop the marker
+        Ok(true) => {
+            if let Err(e) = remove_file(&miss_indicator) {
+                error!("Could not remove negative cache indicator for icon {:?}: {:?}", path, e);
+            }
+            false
+        }
+        // The marker hasn't expired yet.
+        Ok(false) => true,
+        // The marker is missing or inaccessible in some way.
+        Err(_) => false,
+    }
+}
+
+fn mark_negcache(path: &str) {
+    let miss_indicator = path.to_owned() + ".miss";
+    File::create(&miss_indicator).expect("Error creating negative cache marker");
+}
+
+fn icon_is_expired(path: &str) -> bool {
+    let expired = file_is_expired(path, CONFIG.icon_cache_ttl);
+    expired.unwrap_or(true)
+}
+
+fn get_icon_url(domain: &str) -> String {
+    if CONFIG.local_icon_extractor {
+        format!("http://{}/favicon.ico", domain)
+    } else {
+        format!("https://icons.bitwarden.com/{}/icon.png", domain)
+    }
+}
+
+fn download_icon(url: &str) -> Result<Vec<u8>, reqwest::Error> {
+    info!("Downloading icon for {}...", url);
    let mut res = reqwest::get(url)?;

-    res = match res.error_for_status() {
-        Err(e) => return Err(e),
-        Ok(res) => res
-    };
+    res = res.error_for_status()?;

    let mut buffer: Vec<u8> = vec![];
    res.copy_to(&mut buffer)?;
@@ -48,39 +134,10 @@ fn get_icon(url: &str) -> Result<Vec<u8>, reqwest::Error> {
    Ok(buffer)
 }

-fn get_icon_cached(key: &str, url: &str) -> io::Result<Vec<u8>> {
-    create_dir_all(&CONFIG.icon_cache_folder)?;
-    let path = &format!("{}/{}.png", CONFIG.icon_cache_folder, key);
+fn save_icon(path: &str, icon: &[u8]) {
+    create_dir_all(&CONFIG.icon_cache_folder).expect("Error creating icon cache");

-    // Try to read the cached icon, and return it if it exists
-    match File::open(path) {
-        Ok(mut f) => {
-            let mut buffer = Vec::new();
-
-            if f.read_to_end(&mut buffer).is_ok() {
-                return Ok(buffer);
-            }
-            /* If error reading file continue */
-        }
-        Err(_) => { /* Continue */ }
-    }
-
-    println!("Downloading icon for {}...", key);
-    let icon = match get_icon(url) {
-        Ok(icon) => icon,
-        Err(_) => return Err(io::Error::new(io::ErrorKind::NotFound, ""))
+    if let Ok(mut f) = File::create(path) {
+        f.write_all(icon).expect("Error writing icon file");
    };
-
-    // Save the currently downloaded icon
-    match File::create(path) {
-        Ok(mut f) => { f.write_all(&icon).expect("Error writing icon file"); }
-        Err(_) => { /* Continue */ }
-    };
-
-    Ok(icon)
-}
-
-fn get_fallback_icon() -> Vec<u8> {
-    let fallback_icon = "https://raw.githubusercontent.com/bitwarden/web/master/src/images/fa-globe.png";
-    get_icon_cached("default", fallback_icon).unwrap()
 }
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -1,40 +1,59 @@
-use std::collections::HashMap;
+use rocket::request::{Form, FormItems, FromForm};
+use rocket::Route;

-use rocket::{Route, Outcome};
-use rocket::request::{self, Request, FromRequest, Form, FormItems, FromForm};
+use rocket_contrib::json::Json;
+use serde_json::Value;

-use rocket_contrib::{Json, Value};
+use num_traits::FromPrimitive;

-use db::DbConn;
-use db::models::*;
+use crate::db::models::*;
+use crate::db::DbConn;

-use util;
+use crate::util::{self, JsonMap};

-use api::JsonResult;
+use crate::api::{ApiResult, EmptyResult, JsonResult};
+
+use crate::auth::ClientIp;
+
+use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
-    routes![ login]
+    routes![login]
 }

-#[post("/connect/token", data = "<connect_data>")]
-fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn) -> JsonResult {
-    let data = connect_data.get();
-    println!("{:#?}", data);
+#[post("/connect/token", data = "<data>")]
+fn login(data: Form<ConnectData>, conn: DbConn, ip: ClientIp) -> JsonResult {
+    let data: ConnectData = data.into_inner();

-    match data.grant_type {
-        GrantType::RefreshToken =>_refresh_login(data, device_type, conn),
-        GrantType::Password => _password_login(data, device_type, conn)
+    match data.grant_type.as_ref() {
+        "refresh_token" => {
+            _check_is_some(&data.refresh_token, "refresh_token cannot be blank")?;
+            _refresh_login(data, conn)
+        }
+        "password" => {
+            _check_is_some(&data.client_id, "client_id cannot be blank")?;
+            _check_is_some(&data.password, "password cannot be blank")?;
+            _check_is_some(&data.scope, "scope cannot be blank")?;
+            _check_is_some(&data.username, "username cannot be blank")?;
+
+            _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?;
+            _check_is_some(&data.device_name, "device_name cannot be blank")?;
+            _check_is_some(&data.device_type, "device_type cannot be blank")?;
+
+            _password_login(data, conn, ip)
+        }
+        t => err!("Invalid type", t),
    }
 }

-fn _refresh_login(data: &ConnectData, _device_type: DeviceType, conn: DbConn) -> JsonResult {
+fn _refresh_login(data: ConnectData, conn: DbConn) -> JsonResult {
    // Extract token
-    let token = data.get("refresh_token").unwrap();
+    let token = data.refresh_token.unwrap();

    // Get device by refresh token
-    let mut device = match Device::find_by_refresh_token(token, &conn) {
+    let mut device = match Device::find_by_refresh_token(&token, &conn) {
        Some(device) => device,
-        None => err!("Invalid refresh token")
+        None => err!("Invalid refresh token"),
    };

    // COMMON
@@ -42,8 +61,8 @@ fn _refresh_login(data: &ConnectData, _device_type: DeviceType, conn: DbConn) ->
    let orgs = UserOrganization::find_by_user(&user.uuid, &conn);

    let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
-    device.save(&conn);

+    device.save(&conn)?;
    Ok(Json(json!({
        "access_token": access_token,
        "expires_in": expires_in,
@@ -54,99 +73,59 @@ fn _refresh_login(data: &ConnectData, _device_type: DeviceType, conn: DbConn) ->
    })))
 }

-fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) -> JsonResult {
+fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult {
    // Validate scope
-    let scope = data.get("scope").unwrap();
+    let scope = data.scope.as_ref().unwrap();
    if scope != "api offline_access" {
        err!("Scope not supported")
    }

    // Get the user
-    let username = data.get("username").unwrap();
+    let username = data.username.as_ref().unwrap();
    let user = match User::find_by_mail(username, &conn) {
        Some(user) => user,
-        None => err!("Username or password is incorrect. Try again.")
+        None => err!(
+            "Username or password is incorrect. Try again",
+            format!("IP: {}. Username: {}.", ip.ip, username)
+        ),
    };

    // Check password
-    let password = data.get("password").unwrap();
+    let password = data.password.as_ref().unwrap();
    if !user.check_valid_password(password) {
-        err!("Username or password is incorrect. Try again.")
+        err!(
+            "Username or password is incorrect. Try again",
+            format!("IP: {}. Username: {}.", ip.ip, username)
+        )
    }
-    
-    // Let's only use the header and ignore the 'devicetype' parameter
-    let device_type_num = device_type.0;

-    let (device_id, device_name) = match data.is_device {
-        false => { (format!("web-{}", user.uuid), String::from("web")) }
-        true => {
-            (
-                data.get("deviceidentifier").unwrap().clone(),
-                data.get("devicename").unwrap().clone(),
-            )
-        }
-    };
+    // On iOS, device_type sends "iOS", on others it sends a number
+    let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(0);
+    let device_id = data.device_identifier.clone().expect("No device id provided");
+    let device_name = data.device_name.clone().expect("No device name provided");

    // Find device or create new
    let mut device = match Device::find_by_uuid(&device_id, &conn) {
        Some(device) => {
-            // Check if valid device
+            // Check if owned device, and recreate if not
            if device.user_uuid != user.uuid {
-                device.delete(&conn);
-                err!("Device is not owned by user")
+                info!("Device exists but is owned by another user. The old device will be discarded");
+                Device::new(device_id, user.uuid.clone(), device_name, device_type)
+            } else {
+                device
            }
-
-            device
-        }
-        None => {
-            // Create new device
-            Device::new(device_id, user.uuid.clone(), device_name, device_type_num)
        }
+        None => Device::new(device_id, user.uuid.clone(), device_name, device_type),
    };

-    let twofactor_token = if user.requires_twofactor() {
-        let twofactor_provider = util::parse_option_string(data.get("twoFactorProvider")).unwrap_or(0);
-        let twofactor_code = match data.get("twoFactorToken") {
-            Some(code) => code,
-            None => err_json!(_json_err_twofactor())
-        };
-
-       match twofactor_provider {
-            0 /* TOTP */ => { 
-                let totp_code: u64 = match twofactor_code.parse() {
-                    Ok(code) => code,
-                    Err(_) => err!("Invalid Totp code")
-                };
-
-                if !user.check_totp_code(totp_code) {
-                    err_json!(_json_err_twofactor())
-                }
-
-                if util::parse_option_string(data.get("twoFactorRemember")).unwrap_or(0) == 1 {
-                    device.refresh_twofactor_remember();
-                    device.twofactor_remember.clone()
-                } else {
-                    device.delete_twofactor_remember();
-                    None
-                }
-            },
-            5 /* Remember */ => {
-                match device.twofactor_remember {
-                    Some(ref remember) if remember == twofactor_code => (),
-                    _ => err_json!(_json_err_twofactor())
-                };
-                None // No twofactor token needed here
-            },
-            _ => err!("Invalid two factor provider"),
-        }
-    } else { None };  // No twofactor token if twofactor is disabled
+    let twofactor_token = twofactor_auth(&user.uuid, &data.clone(), &mut device, &conn)?;

    // Common
    let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap();
    let orgs = UserOrganization::find_by_user(&user.uuid, &conn);

    let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
-    device.save(&conn);
+    device.save(&conn)?;

    let mut result = json!({
        "access_token": access_token,
@@ -162,128 +141,201 @@ fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) ->
        result["TwoFactorToken"] = Value::String(token);
    }

+    info!("User {} logged in successfully. IP: {}", username, ip.ip);
    Ok(Json(result))
 }

-fn _json_err_twofactor() -> Value {
-    json!({
+fn twofactor_auth(
+    user_uuid: &str,
+    data: &ConnectData,
+    device: &mut Device,
+    conn: &DbConn,
+) -> ApiResult<Option<String>> {
+    let twofactors_raw = TwoFactor::find_by_user(user_uuid, conn);
+    // Remove u2f challenge twofactors (impl detail)
+    let twofactors: Vec<_> = twofactors_raw.iter().filter(|tf| tf.type_ < 1000).collect();
+
+    let providers: Vec<_> = twofactors.iter().map(|tf| tf.type_).collect();
+
+    // No twofactor token if twofactor is disabled
+    if twofactors.is_empty() {
+        return Ok(None);
+    }
+
+    let provider = data.two_factor_provider.unwrap_or(providers[0]); // If we aren't given a two factor provider, asume the first one
+
+    let twofactor_code = match data.two_factor_token {
+        Some(ref code) => code,
+        None => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+    };
+
+    let twofactor = twofactors.iter().filter(|tf| tf.type_ == provider).nth(0);
+
+    match TwoFactorType::from_i32(provider) {
+        Some(TwoFactorType::Remember) => {
+            match device.twofactor_remember {
+                Some(ref remember) if remember == twofactor_code => return Ok(None), // No twofactor token needed here
+                _ => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+            }
+        }
+
+        Some(TwoFactorType::Authenticator) => {
+            let twofactor = match twofactor {
+                Some(tf) => tf,
+                None => err!("TOTP not enabled"),
+            };
+
+            let totp_code: u64 = match twofactor_code.parse() {
+                Ok(code) => code,
+                _ => err!("Invalid TOTP code"),
+            };
+
+            if !twofactor.check_totp_code(totp_code) {
+                err_json!(_json_err_twofactor(&providers, user_uuid, conn)?)
+            }
+        }
+
+        Some(TwoFactorType::U2f) => {
+            use crate::api::core::two_factor;
+
+            two_factor::validate_u2f_login(user_uuid, &twofactor_code, conn)?;
+        }
+
+        Some(TwoFactorType::YubiKey) => {
+            use crate::api::core::two_factor;
+
+            two_factor::validate_yubikey_login(user_uuid, twofactor_code, conn)?;
+        }
+
+        _ => err!("Invalid two factor provider"),
+    }
+
+    if data.two_factor_remember.unwrap_or(0) == 1 {
+        Ok(Some(device.refresh_twofactor_remember()))
+    } else {
+        device.delete_twofactor_remember();
+        Ok(None)
+    }
+}
+
+fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> ApiResult<Value> {
+    use crate::api::core::two_factor;
+
+    let mut result = json!({
        "error" : "invalid_grant",
        "error_description" : "Two factor required.",
-        "TwoFactorProviders" : [ 0 ],
-        "TwoFactorProviders2" : { "0" : null }
-    })
-}
+        "TwoFactorProviders" : providers,
+        "TwoFactorProviders2" : {} // { "0" : null }
+    });

-/*
-ConnectData {
-    grant_type: Password,
-    is_device: false,
-    data: {
-        "scope": "api offline_access",
-        "client_id": "web",
-        "grant_type": "password",
-        "username": "dani@mail",
-        "password": "8IuV1sJ94tPjyYIK+E+PTjblzjm4W6C4N5wqM0KKsSg="
+    for provider in providers {
+        result["TwoFactorProviders2"][provider.to_string()] = Value::Null;
+
+        match TwoFactorType::from_i32(*provider) {
+            Some(TwoFactorType::Authenticator) => { /* Nothing to do for TOTP */ }
+
+            Some(TwoFactorType::U2f) if CONFIG.domain_set => {
+                let request = two_factor::generate_u2f_login(user_uuid, conn)?;
+                let mut challenge_list = Vec::new();
+
+                for key in request.registered_keys {
+                    let mut challenge_map = JsonMap::new();
+
+                    challenge_map.insert("appId".into(), Value::String(request.app_id.clone()));
+                    challenge_map.insert("challenge".into(), Value::String(request.challenge.clone()));
+                    challenge_map.insert("version".into(), Value::String(key.version));
+                    challenge_map.insert("keyHandle".into(), Value::String(key.key_handle.unwrap_or_default()));
+
+                    challenge_list.push(Value::Object(challenge_map));
+                }
+
+                let mut map = JsonMap::new();
+                use serde_json;
+                let challenge_list_str = serde_json::to_string(&challenge_list).unwrap();
+
+                map.insert("Challenges".into(), Value::String(challenge_list_str));
+                result["TwoFactorProviders2"][provider.to_string()] = Value::Object(map);
+            }
+
+            Some(tf_type @ TwoFactorType::YubiKey) => {
+                let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, tf_type as i32, &conn) {
+                    Some(tf) => tf,
+                    None => err!("No YubiKey devices registered"),
+                };
+
+                let yubikey_metadata: two_factor::YubikeyMetadata =
+                    serde_json::from_str(&twofactor.data).expect("Can't parse Yubikey Metadata");
+
+                let mut map = JsonMap::new();
+                map.insert("Nfc".into(), Value::Bool(yubikey_metadata.Nfc));
+                result["TwoFactorProviders2"][provider.to_string()] = Value::Object(map);
+            }
+
+            _ => {}
+        }
    }
+
+    Ok(result)
 }

-RETURNS "TwoFactorToken": "11122233333444555666777888999"
-
-Next login
-ConnectData {
-    grant_type: Password,
-    is_device: false,
-    data: {
-        "scope": "api offline_access",
-        "username": "dani@mail",
-        "client_id": "web",
-        "twofactorprovider": "5",
-        "twofactortoken": "11122233333444555666777888999",
-        "grant_type": "password",
-        "twofactorremember": "0",
-        "password": "8IuV1sJ94tPjyYIK+E+PTjblzjm4W6C4N5wqM0KKsSg="
-    }
-}
-*/
-
-
-struct DeviceType(i32);
-
-impl<'a, 'r> FromRequest<'a, 'r> for DeviceType {
-    type Error = &'static str;
-
-    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let headers = request.headers();
-        let type_opt = headers.get_one("Device-Type");
-        let type_num = util::parse_option_string(type_opt).unwrap_or(0);
-
-        Outcome::Success(DeviceType(type_num))
-    }
-}
-
-
-#[derive(Debug)]
+#[derive(Debug, Clone, Default)]
+#[allow(non_snake_case)]
 struct ConnectData {
-    grant_type: GrantType,
-    is_device: bool,
-    data: HashMap<String, String>,
+    grant_type: String, // refresh_token, password
+
+    // Needed for grant_type="refresh_token"
+    refresh_token: Option<String>,
+
+    // Needed for grant_type="password"
+    client_id: Option<String>, // web, cli, desktop, browser, mobile
+    password: Option<String>,
+    scope: Option<String>,
+    username: Option<String>,
+
+    device_identifier: Option<String>,
+    device_name: Option<String>,
+    device_type: Option<String>,
+
+    // Needed for two-factor auth
+    two_factor_provider: Option<i32>,
+    two_factor_token: Option<String>,
+    two_factor_remember: Option<i32>,
 }

-#[derive(Debug, Copy, Clone)]
-enum GrantType { RefreshToken, Password }
-
-impl ConnectData {
-    fn get(&self, key: &str) -> Option<&String> {
-        self.data.get(&key.to_lowercase())
-    }
-}
-
-const VALUES_REFRESH: [&str; 1] = ["refresh_token"];
-const VALUES_PASSWORD: [&str; 5] = ["client_id", "grant_type", "password", "scope", "username"];
-const VALUES_DEVICE: [&str; 3] = ["deviceidentifier", "devicename", "devicetype"];
-
 impl<'f> FromForm<'f> for ConnectData {
    type Error = String;

    fn from_form(items: &mut FormItems<'f>, _strict: bool) -> Result<Self, Self::Error> {
-        let mut data = HashMap::new();
+        let mut form = Self::default();
+        for item in items {
+            let (key, value) = item.key_value_decoded();
+            let mut normalized_key = key.to_lowercase();
+            normalized_key.retain(|c| c != '_'); // Remove '_'

-        // Insert data into map
-        for (key, value) in items {
-            match (key.url_decode(), value.url_decode()) {
-                (Ok(key), Ok(value)) => data.insert(key.to_lowercase(), value),
-                _ => return Err(format!("Error decoding key or value")),
-            };
+            match normalized_key.as_ref() {
+                "granttype" => form.grant_type = value,
+                "refreshtoken" => form.refresh_token = Some(value),
+                "clientid" => form.client_id = Some(value),
+                "password" => form.password = Some(value),
+                "scope" => form.scope = Some(value),
+                "username" => form.username = Some(value),
+                "deviceidentifier" => form.device_identifier = Some(value),
+                "devicename" => form.device_name = Some(value),
+                "devicetype" => form.device_type = Some(value),
+                "twofactorprovider" => form.two_factor_provider = value.parse().ok(),
+                "twofactortoken" => form.two_factor_token = Some(value),
+                "twofactorremember" => form.two_factor_remember = value.parse().ok(),
+                key => warn!("Detected unexpected parameter during login: {}", key),
+            }
        }

-        // Validate needed values
-        let (grant_type, is_device) =
-            match data.get("grant_type").map(String::as_ref) {
-                Some("refresh_token") => {
-                    check_values(&data, &VALUES_REFRESH)?;
-                    (GrantType::RefreshToken, false) // Device doesn't matter here
-                }
-                Some("password") => {
-                    check_values(&data, &VALUES_PASSWORD)?;
-
-                    let is_device = match data.get("client_id").unwrap().as_ref() {
-                        "browser" | "mobile" => check_values(&data, &VALUES_DEVICE)?,
-                        _ => false
-                    };
-                    (GrantType::Password, is_device)
-                }
-                _ => return Err(format!("Grant type not supported"))
-            };
-
-        Ok(ConnectData { grant_type, is_device, data })
+        Ok(form)
    }
 }

-fn check_values(map: &HashMap<String, String>, values: &[&str]) -> Result<bool, String> {
-    for value in values {
-        if !map.contains_key(*value) {
-            return Err(format!("{} cannot be blank", value));
-        }
+fn _check_is_some<T>(value: &Option<T>, msg: &str) -> EmptyResult {
+    if value.is_none() {
+        err!(msg)
    }
-    Ok(true)
+    Ok(())
 }
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -1,31 +1,37 @@
-mod core;
+mod admin;
+pub(crate) mod core;
 mod icons;
 mod identity;
+mod notifications;
 mod web;

+pub use self::admin::routes as admin_routes;
 pub use self::core::routes as core_routes;
 pub use self::icons::routes as icons_routes;
 pub use self::identity::routes as identity_routes;
+pub use self::notifications::routes as notifications_routes;
+pub use self::notifications::{start_notification_server, Notify, UpdateType};
 pub use self::web::routes as web_routes;

-use rocket::response::status::BadRequest;
-use rocket_contrib::Json;
+use rocket_contrib::json::Json;
+use serde_json::Value;

 // Type aliases for API methods results
-type JsonResult = Result<Json, BadRequest<Json>>;
-type EmptyResult = Result<(), BadRequest<Json>>;
+type ApiResult<T> = Result<T, crate::error::Error>;
+pub type JsonResult = ApiResult<Json<Value>>;
+pub type EmptyResult = ApiResult<()>;

-use util;
+use crate::util;
 type JsonUpcase<T> = Json<util::UpCase<T>>;

 // Common structs representing JSON data received
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct PasswordData {
-    MasterPasswordHash: String
+    MasterPasswordHash: String,
 }

-#[derive(Deserialize, Debug)]
+#[derive(Deserialize, Debug, Clone)]
 #[serde(untagged)]
 enum NumberOrString {
    Number(i32),
@@ -33,17 +39,17 @@ enum NumberOrString {
 }

 impl NumberOrString {
-    fn to_string(self) -> String {
+    fn into_string(self) -> String {
        match self {
            NumberOrString::Number(n) => n.to_string(),
-            NumberOrString::String(s) => s
+            NumberOrString::String(s) => s,
        }
    }

-    fn to_i32(self) -> Option<i32> {
+    fn into_i32(self) -> Option<i32> {
        match self {
            NumberOrString::Number(n) => Some(n),
-            NumberOrString::String(s) => s.parse().ok()
-        }  
+            NumberOrString::String(s) => s.parse().ok(),
+        }
    }
 }
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@@ -0,0 +1,362 @@
+use rocket::Route;
+use rocket_contrib::json::Json;
+use serde_json::Value as JsonValue;
+
+use crate::api::JsonResult;
+use crate::auth::Headers;
+use crate::db::DbConn;
+
+use crate::CONFIG;
+
+pub fn routes() -> Vec<Route> {
+    routes![negotiate, websockets_err]
+}
+
+#[get("/hub")]
+fn websockets_err() -> JsonResult {
+    err!("'/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.")
+}
+
+#[post("/hub/negotiate")]
+fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult {
+    use crate::crypto;
+    use data_encoding::BASE64URL;
+
+    let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16]));
+    let mut available_transports: Vec<JsonValue> = Vec::new();
+
+    if CONFIG.websocket_enabled {
+        available_transports.push(json!({"transport":"WebSockets", "transferFormats":["Text","Binary"]}));
+    }
+
+    // TODO: Implement transports
+    // Rocket WS support: https://github.com/SergioBenitez/Rocket/issues/90
+    // Rocket SSE support: https://github.com/SergioBenitez/Rocket/issues/33
+    // {"transport":"ServerSentEvents", "transferFormats":["Text"]},
+    // {"transport":"LongPolling", "transferFormats":["Text","Binary"]}
+    Ok(Json(json!({
+        "connectionId": conn_id,
+        "availableTransports": available_transports
+    })))
+}
+
+//
+// Websockets server
+//
+use std::sync::Arc;
+use std::thread;
+
+use ws::{self, util::Token, Factory, Handler, Handshake, Message, Sender, WebSocket};
+
+use chashmap::CHashMap;
+use chrono::NaiveDateTime;
+use serde_json::from_str;
+
+use crate::db::models::{Cipher, Folder, User};
+
+use rmpv::Value;
+
+fn serialize(val: Value) -> Vec<u8> {
+    use rmpv::encode::write_value;
+
+    let mut buf = Vec::new();
+    write_value(&mut buf, &val).expect("Error encoding MsgPack");
+
+    // Add size bytes at the start
+    // Extracted from BinaryMessageFormat.js
+    let mut size: usize = buf.len();
+    let mut len_buf: Vec<u8> = Vec::new();
+
+    loop {
+        let mut size_part = size & 0x7f;
+        size >>= 7;
+
+        if size > 0 {
+            size_part |= 0x80;
+        }
+
+        len_buf.push(size_part as u8);
+
+        if size == 0 {
+            break;
+        }
+    }
+
+    len_buf.append(&mut buf);
+    len_buf
+}
+
+fn serialize_date(date: NaiveDateTime) -> Value {
+    let seconds: i64 = date.timestamp();
+    let nanos: i64 = date.timestamp_subsec_nanos() as i64;
+    let timestamp = nanos << 34 | seconds;
+
+    use byteorder::{BigEndian, WriteBytesExt};
+
+    let mut bs = [0u8; 8];
+    bs.as_mut().write_i64::<BigEndian>(timestamp).expect("Unable to write");
+
+    // -1 is Timestamp
+    // https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type
+    Value::Ext(-1, bs.to_vec())
+}
+
+fn convert_option<T: Into<Value>>(option: Option<T>) -> Value {
+    match option {
+        Some(a) => a.into(),
+        None => Value::Nil,
+    }
+}
+
+// Server WebSocket handler
+pub struct WSHandler {
+    out: Sender,
+    user_uuid: Option<String>,
+    users: WebSocketUsers,
+}
+
+const RECORD_SEPARATOR: u8 = 0x1e;
+const INITIAL_RESPONSE: [u8; 3] = [0x7b, 0x7d, RECORD_SEPARATOR]; // {, }, <RS>
+
+#[derive(Deserialize)]
+struct InitialMessage {
+    protocol: String,
+    version: i32,
+}
+
+const PING_MS: u64 = 15_000;
+const PING: Token = Token(1);
+
+impl Handler for WSHandler {
+    fn on_open(&mut self, hs: Handshake) -> ws::Result<()> {
+        // TODO: Improve this split
+        let path = hs.request.resource();
+        let mut query_split: Vec<_> = path.split('?').nth(1).unwrap().split('&').collect();
+        query_split.sort();
+        let access_token = &query_split[0][13..];
+        let _id = &query_split[1][3..];
+
+        // Validate the user
+        use crate::auth;
+        let claims = match auth::decode_jwt(access_token) {
+            Ok(claims) => claims,
+            Err(_) => return Err(ws::Error::new(ws::ErrorKind::Internal, "Invalid access token provided")),
+        };
+
+        // Assign the user to the handler
+        let user_uuid = claims.sub;
+        self.user_uuid = Some(user_uuid.clone());
+
+        // Add the current Sender to the user list
+        let handler_insert = self.out.clone();
+        let handler_update = self.out.clone();
+
+        self.users
+            .map
+            .upsert(user_uuid, || vec![handler_insert], |ref mut v| v.push(handler_update));
+
+        // Schedule a ping to keep the connection alive
+        self.out.timeout(PING_MS, PING)
+    }
+
+    fn on_message(&mut self, msg: Message) -> ws::Result<()> {
+        info!("Server got message '{}'. ", msg);
+
+        if let Message::Text(text) = msg.clone() {
+            let json = &text[..text.len() - 1]; // Remove last char
+
+            if let Ok(InitialMessage { protocol, version }) = from_str::<InitialMessage>(json) {
+                if &protocol == "messagepack" && version == 1 {
+                    return self.out.send(&INITIAL_RESPONSE[..]); // Respond to initial message
+                }
+            }
+        }
+
+        // If it's not the initial message, just echo the message
+        self.out.send(msg)
+    }
+
+    fn on_timeout(&mut self, event: Token) -> ws::Result<()> {
+        if event == PING {
+            // send ping
+            self.out.send(create_ping())?;
+
+            // reschedule the timeout
+            self.out.timeout(PING_MS, PING)
+        } else {
+            Err(ws::Error::new(
+                ws::ErrorKind::Internal,
+                "Invalid timeout token provided",
+            ))
+        }
+    }
+}
+
+struct WSFactory {
+    pub users: WebSocketUsers,
+}
+
+impl WSFactory {
+    pub fn init() -> Self {
+        WSFactory {
+            users: WebSocketUsers {
+                map: Arc::new(CHashMap::new()),
+            },
+        }
+    }
+}
+
+impl Factory for WSFactory {
+    type Handler = WSHandler;
+
+    fn connection_made(&mut self, out: Sender) -> Self::Handler {
+        WSHandler {
+            out,
+            user_uuid: None,
+            users: self.users.clone(),
+        }
+    }
+
+    fn connection_lost(&mut self, handler: Self::Handler) {
+        // Remove handler
+        if let Some(user_uuid) = &handler.user_uuid {
+            if let Some(mut user_conn) = self.users.map.get_mut(user_uuid) {
+                user_conn.remove_item(&handler.out);
+            }
+        }
+    }
+}
+
+#[derive(Clone)]
+pub struct WebSocketUsers {
+    map: Arc<CHashMap<String, Vec<Sender>>>,
+}
+
+impl WebSocketUsers {
+    fn send_update(&self, user_uuid: &String, data: &[u8]) -> ws::Result<()> {
+        if let Some(user) = self.map.get(user_uuid) {
+            for sender in user.iter() {
+                sender.send(data)?;
+            }
+        }
+        Ok(())
+    }
+
+    // NOTE: The last modified date needs to be updated before calling these methods
+    #[allow(dead_code)]
+    pub fn send_user_update(&self, ut: UpdateType, user: &User) {
+        let data = create_update(
+            vec![
+                ("UserId".into(), user.uuid.clone().into()),
+                ("Date".into(), serialize_date(user.updated_at)),
+            ],
+            ut,
+        );
+
+        self.send_update(&user.uuid.clone(), &data).ok();
+    }
+
+    pub fn send_folder_update(&self, ut: UpdateType, folder: &Folder) {
+        let data = create_update(
+            vec![
+                ("Id".into(), folder.uuid.clone().into()),
+                ("UserId".into(), folder.user_uuid.clone().into()),
+                ("RevisionDate".into(), serialize_date(folder.updated_at)),
+            ],
+            ut,
+        );
+
+        self.send_update(&folder.user_uuid, &data).ok();
+    }
+
+    pub fn send_cipher_update(&self, ut: UpdateType, cipher: &Cipher, user_uuids: &[String]) {
+        let user_uuid = convert_option(cipher.user_uuid.clone());
+        let org_uuid = convert_option(cipher.organization_uuid.clone());
+
+        let data = create_update(
+            vec![
+                ("Id".into(), cipher.uuid.clone().into()),
+                ("UserId".into(), user_uuid),
+                ("OrganizationId".into(), org_uuid),
+                ("CollectionIds".into(), Value::Nil),
+                ("RevisionDate".into(), serialize_date(cipher.updated_at)),
+            ],
+            ut,
+        );
+
+        for uuid in user_uuids {
+            self.send_update(&uuid, &data).ok();
+        }
+    }
+}
+
+/* Message Structure
+[
+    1, // MessageType.Invocation
+    {}, // Headers
+    null, // InvocationId
+    "ReceiveMessage", // Target
+    [ // Arguments
+        {
+            "ContextId": "app_id",
+            "Type": ut as i32,
+            "Payload": {}
+        }
+    ]
+]
+*/
+fn create_update(payload: Vec<(Value, Value)>, ut: UpdateType) -> Vec<u8> {
+    use rmpv::Value as V;
+
+    let value = V::Array(vec![
+        1.into(),
+        V::Array(vec![]),
+        V::Nil,
+        "ReceiveMessage".into(),
+        V::Array(vec![V::Map(vec![
+            ("ContextId".into(), "app_id".into()),
+            ("Type".into(), (ut as i32).into()),
+            ("Payload".into(), payload.into()),
+        ])]),
+    ]);
+
+    serialize(value)
+}
+
+fn create_ping() -> Vec<u8> {
+    serialize(Value::Array(vec![6.into()]))
+}
+
+#[allow(dead_code)]
+pub enum UpdateType {
+    CipherUpdate = 0,
+    CipherCreate = 1,
+    LoginDelete = 2,
+    FolderDelete = 3,
+    Ciphers = 4,
+
+    Vault = 5,
+    OrgKeys = 6,
+    FolderCreate = 7,
+    FolderUpdate = 8,
+    CipherDelete = 9,
+    SyncSettings = 10,
+
+    LogOut = 11,
+}
+
+use rocket::State;
+pub type Notify<'a> = State<'a, WebSocketUsers>;
+
+pub fn start_notification_server() -> WebSocketUsers {
+    let factory = WSFactory::init();
+    let users = factory.users.clone();
+
+    if CONFIG.websocket_enabled {
+        thread::spawn(move || {
+            WebSocket::new(factory).unwrap().listen(&CONFIG.websocket_url).unwrap();
+        });
+    }
+
+    users
+}
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -1,45 +1,102 @@
 use std::io;
 use std::path::{Path, PathBuf};

+use rocket::http::ContentType;
+use rocket::request::Request;
+use rocket::response::content::Content;
+use rocket::response::{self, NamedFile, Responder};
 use rocket::Route;
-use rocket::response::NamedFile;
-use rocket_contrib::Json;
+use rocket_contrib::json::Json;
+use serde_json::Value;

-use CONFIG;
+use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
-    routes![index, files, attachments, alive]
+    if CONFIG.web_vault_enabled {
+        routes![web_index, app_id, web_files, admin_page, attachments, alive]
+    } else {
+        routes![attachments, alive]
+    }
 }

-// TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache
 #[get("/")]
-fn index() -> io::Result<NamedFile> {
-    NamedFile::open(
-        Path::new(&CONFIG.web_vault_folder)
-            .join("index.html"))
+fn web_index() -> Cached<io::Result<NamedFile>> {
+    Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join("index.html")))
 }

+#[get("/app-id.json")]
+fn app_id() -> Cached<Content<Json<Value>>> {
+    let content_type = ContentType::new("application", "fido.trusted-apps+json");
+
+    Cached::long(Content(
+        content_type,
+        Json(json!({
+        "trustedFacets": [
+            {
+            "version": { "major": 1, "minor": 0 },
+            "ids": [
+                &CONFIG.domain,
+                "ios:bundle-id:com.8bit.bitwarden",
+                "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
+            }]
+        })),
+    ))
+}
+
+const ADMIN_PAGE: &'static str = include_str!("../static/admin.html");
+use rocket::response::content::Html;
+
+#[get("/admin")]
+fn admin_page() -> Cached<Html<&'static str>> {
+    Cached::short(Html(ADMIN_PAGE))
+}
+
+/* // Use this during Admin page development
+#[get("/admin")]
+fn admin_page() -> Cached<io::Result<NamedFile>> {
+    Cached::short(NamedFile::open("src/static/admin.html"))
+}
+*/
+
 #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
-fn files(p: PathBuf) -> io::Result<NamedFile> {
-    NamedFile::open(
-        Path::new(&CONFIG.web_vault_folder)
-            .join(p))
+fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> {
+    Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
 }

+struct Cached<R>(R, &'static str);
+
+impl<R> Cached<R> {
+    fn long(r: R) -> Cached<R> {
+        // 7 days
+        Cached(r, "public, max-age=604800")
+    }
+
+    fn short(r: R) -> Cached<R> {
+        // 10 minutes
+        Cached(r, "public, max-age=600")
+    }
+}
+
+impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> {
+    fn respond_to(self, req: &Request) -> response::Result<'r> {
+        match self.0.respond_to(req) {
+            Ok(mut res) => {
+                res.set_raw_header("Cache-Control", self.1);
+                Ok(res)
+            }
+            e @ Err(_) => e,
+        }
+    }
+}

 #[get("/attachments/<uuid>/<file..>")]
 fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
-    NamedFile::open(
-        Path::new(&CONFIG.attachments_folder)
-            .join(uuid)
-            .join(file)
-    )
+    NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
 }

-
 #[get("/alive")]
 fn alive() -> Json<String> {
-    use util::format_date;
+    use crate::util::format_date;
    use chrono::Utc;

    Json(format_date(&Utc::now().naive_utc()))
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -1,59 +1,80 @@
-///
-/// JWT Handling
-///
+//
+// JWT Handling
+//
+use crate::util::read_file;
+use chrono::{Duration, Utc};

-use util::read_file;
-use chrono::Duration;
-
-use jwt;
+use jsonwebtoken::{self, Algorithm, Header};
 use serde::ser::Serialize;

-use CONFIG;
+use crate::error::{Error, MapResult};
+use crate::CONFIG;

-const JWT_ALGORITHM: jwt::Algorithm = jwt::Algorithm::RS256;
-pub const JWT_ISSUER: &'static str = "localhost:8000/identity";
+const JWT_ALGORITHM: Algorithm = Algorithm::RS256;

 lazy_static! {
    pub static ref DEFAULT_VALIDITY: Duration = Duration::hours(2);
-    static ref JWT_HEADER: jwt::Header = jwt::Header::new(JWT_ALGORITHM);
-
+    pub static ref JWT_ISSUER: String = CONFIG.domain.clone();
+    static ref JWT_HEADER: Header = Header::new(JWT_ALGORITHM);
    static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key) {
        Ok(key) => key,
-        Err(e) => panic!("Error loading private RSA Key from {}\n Error: {}", CONFIG.private_rsa_key, e)
+        Err(e) => panic!(
+            "Error loading private RSA Key from {}\n Error: {}",
+            CONFIG.private_rsa_key, e
+        ),
    };
-
    static ref PUBLIC_RSA_KEY: Vec<u8> = match read_file(&CONFIG.public_rsa_key) {
        Ok(key) => key,
-        Err(e) => panic!("Error loading public RSA Key from {}\n Error: {}", CONFIG.public_rsa_key, e)
+        Err(e) => panic!(
+            "Error loading public RSA Key from {}\n Error: {}",
+            CONFIG.public_rsa_key, e
+        ),
    };
 }

 pub fn encode_jwt<T: Serialize>(claims: &T) -> String {
-    match jwt::encode(&JWT_HEADER, claims, &PRIVATE_RSA_KEY) {
-        Ok(token) => return token,
-        Err(e) => panic!("Error encoding jwt {}", e)
-    };
+    match jsonwebtoken::encode(&JWT_HEADER, claims, &PRIVATE_RSA_KEY) {
+        Ok(token) => token,
+        Err(e) => panic!("Error encoding jwt {}", e),
+    }
 }

-pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
-    let validation = jwt::Validation {
+pub fn decode_jwt(token: &str) -> Result<JWTClaims, Error> {
+    let validation = jsonwebtoken::Validation {
        leeway: 30, // 30 seconds
        validate_exp: true,
-        validate_iat: true,
+        validate_iat: false, // IssuedAt is the same as NotBefore
        validate_nbf: true,
        aud: None,
-        iss: Some(JWT_ISSUER.into()),
+        iss: Some(JWT_ISSUER.clone()),
        sub: None,
        algorithms: vec![JWT_ALGORITHM],
    };

-    match jwt::decode(token, &PUBLIC_RSA_KEY, &validation) {
-        Ok(decoded) => Ok(decoded.claims),
-        Err(msg) => {
-            println!("Error validating jwt - {:#?}", msg);
-            Err(msg.to_string())
-        }
-    }
+    let token = token.replace(char::is_whitespace, "");
+
+    jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation)
+        .map(|d| d.claims)
+        .map_res("Error decoding login JWT")
+}
+
+pub fn decode_invite_jwt(token: &str) -> Result<InviteJWTClaims, Error> {
+    let validation = jsonwebtoken::Validation {
+        leeway: 30, // 30 seconds
+        validate_exp: true,
+        validate_iat: false, // IssuedAt is the same as NotBefore
+        validate_nbf: true,
+        aud: None,
+        iss: Some(JWT_ISSUER.clone()),
+        sub: None,
+        algorithms: vec![JWT_ALGORITHM],
+    };
+
+    let token = token.replace(char::is_whitespace, "");
+
+    jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation)
+        .map(|d| d.claims)
+        .map_res("Error decoding invite JWT")
 }

 #[derive(Debug, Serialize, Deserialize)]
@@ -75,6 +96,7 @@ pub struct JWTClaims {
    pub orgowner: Vec<String>,
    pub orgadmin: Vec<String>,
    pub orguser: Vec<String>,
+    pub orgmanager: Vec<String>,

    // user security_stamp
    pub sstamp: String,
@@ -86,15 +108,50 @@ pub struct JWTClaims {
    pub amr: Vec<String>,
 }

-///
-/// Bearer token authentication
-///
+#[derive(Debug, Serialize, Deserialize)]
+pub struct InviteJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,

+    pub email: String,
+    pub org_id: Option<String>,
+    pub user_org_id: Option<String>,
+    pub invited_by_email: Option<String>,
+}
+
+pub fn generate_invite_claims(uuid: String, 
+                          email: String, 
+                          org_id: Option<String>, 
+                          org_user_id: Option<String>, 
+                          invited_by_email: Option<String>,
+) -> InviteJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    InviteJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::days(5)).timestamp(),
+        iss: JWT_ISSUER.to_string(),
+        sub: uuid.clone(),
+        email: email.clone(),
+        org_id: org_id.clone(),
+        user_org_id: org_user_id.clone(),
+        invited_by_email: invited_by_email.clone(),
+    }
+}
+
+//
+// Bearer token authentication
+//
+use rocket::request::{self, FromRequest, Request};
 use rocket::Outcome;
-use rocket::request::{self, Request, FromRequest};

-use db::DbConn;
-use db::models::{User, UserOrganization, UserOrgType, Device};
+use crate::db::models::{Device, User, UserOrgStatus, UserOrgType, UserOrganization};
+use crate::db::DbConn;

 pub struct Headers {
    pub host: String,
@@ -109,26 +166,46 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
        let headers = request.headers();

        // Get host
-        let host = match headers.get_one("Host") {
-            Some(host) => format!("http://{}", host), // TODO: Check if HTTPS
-            _ => String::new()
+        let host = if CONFIG.domain_set {
+            CONFIG.domain.clone()
+        } else if let Some(referer) = headers.get_one("Referer") {
+            referer.to_string()
+        } else {
+            // Try to guess from the headers
+            use std::env;
+
+            let protocol = if let Some(proto) = headers.get_one("X-Forwarded-Proto") {
+                proto
+            } else if env::var("ROCKET_TLS").is_ok() {
+                "https"
+            } else {
+                "http"
+            };
+
+            let host = if let Some(host) = headers.get_one("X-Forwarded-Host") {
+                host
+            } else if let Some(host) = headers.get_one("Host") {
+                host
+            } else {
+                ""
+            };
+
+            format!("{}://{}", protocol, host)
        };

        // Get access_token
-        let access_token: &str = match request.headers().get_one("Authorization") {
-            Some(a) => {
-                match a.rsplit("Bearer ").next() {
-                    Some(split) => split,
-                    None => err_handler!("No access token provided")
-                }
-            }
-            None => err_handler!("No access token provided")
+        let access_token: &str = match headers.get_one("Authorization") {
+            Some(a) => match a.rsplit("Bearer ").next() {
+                Some(split) => split,
+                None => err_handler!("No access token provided"),
+            },
+            None => err_handler!("No access token provided"),
        };

        // Check JWT token is valid and get device and user from it
        let claims: JWTClaims = match decode_jwt(access_token) {
            Ok(claims) => claims,
-            Err(_) => err_handler!("Invalid claim")
+            Err(_) => err_handler!("Invalid claim"),
        };

        let device_uuid = claims.device;
@@ -136,17 +213,17 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {

        let conn = match request.guard::<DbConn>() {
            Outcome::Success(conn) => conn,
-            _ => err_handler!("Error getting DB")
+            _ => err_handler!("Error getting DB"),
        };

        let device = match Device::find_by_uuid(&device_uuid, &conn) {
            Some(device) => device,
-            None => err_handler!("Invalid device id")
+            None => err_handler!("Invalid device id"),
        };

        let user = match User::find_by_uuid(&user_uuid, &conn) {
            Some(user) => user,
-            None => err_handler!("Device has no user associated")
+            None => err_handler!("Device has no user associated"),
        };

        if user.security_stamp != claims.sstamp {
@@ -161,7 +238,7 @@ pub struct OrgHeaders {
    pub host: String,
    pub device: Device,
    pub user: User,
-    pub org_user_type: i32,
+    pub org_user_type: UserOrgType,
 }

 impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
@@ -169,30 +246,44 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {

    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
        match request.guard::<Headers>() {
-            Outcome::Forward(f) => Outcome::Forward(f),
+            Outcome::Forward(_) => Outcome::Forward(()),
            Outcome::Failure(f) => Outcome::Failure(f),
            Outcome::Success(headers) => {
-                // org_id is expected to be the first dynamic param
-                match request.get_param::<String>(0) {
-                    Err(_) => err_handler!("Error getting the organization id"),
-                    Ok(org_id) => {
+                // org_id is expected to be the second param ("/organizations/<org_id>")
+                match request.get_param::<String>(1) {
+                    Some(Ok(org_id)) => {
                        let conn = match request.guard::<DbConn>() {
                            Outcome::Success(conn) => conn,
-                            _ => err_handler!("Error getting DB")
+                            _ => err_handler!("Error getting DB"),
                        };

-                        let org_user = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
-                            Some(user) => user,
-                            None => err_handler!("The current user isn't member of the organization")
+                        let user = headers.user;
+                        let org_user = match UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn) {
+                            Some(user) => {
+                                if user.status == UserOrgStatus::Confirmed as i32 {
+                                    user
+                                } else {
+                                    err_handler!("The current user isn't confirmed member of the organization")
+                                }
+                            }
+                            None => err_handler!("The current user isn't member of the organization"),
                        };

-                        Outcome::Success(Self{
+                        Outcome::Success(Self {
                            host: headers.host,
                            device: headers.device,
-                            user: headers.user,
-                            org_user_type: org_user.type_,
+                            user,
+                            org_user_type: {
+                                if let Some(org_usr_type) = UserOrgType::from_i32(org_user.type_) {
+                                    org_usr_type
+                                } else {
+                                    // This should only happen if the DB is corrupted
+                                    err_handler!("Unknown user type in the database")
+                                }
+                            },
                        })
                    }
+                    _ => err_handler!("Error getting the organization id"),
                }
            }
        }
@@ -203,7 +294,7 @@ pub struct AdminHeaders {
    pub host: String,
    pub device: Device,
    pub user: User,
-    pub org_user_type: i32,
+    pub org_user_type: UserOrgType,
 }

 impl<'a, 'r> FromRequest<'a, 'r> for AdminHeaders {
@@ -211,18 +302,18 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminHeaders {

    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
        match request.guard::<OrgHeaders>() {
-            Outcome::Forward(f) => Outcome::Forward(f),
+            Outcome::Forward(_) => Outcome::Forward(()),
            Outcome::Failure(f) => Outcome::Failure(f),
            Outcome::Success(headers) => {
-                if headers.org_user_type > UserOrgType::Admin as i32 {
-                    err_handler!("You need to be Admin or Owner to call this endpoint")
-                } else {
-                    Outcome::Success(Self{
+                if headers.org_user_type >= UserOrgType::Admin {
+                    Outcome::Success(Self {
                        host: headers.host,
                        device: headers.device,
                        user: headers.user,
                        org_user_type: headers.org_user_type,
                    })
+                } else {
+                    err_handler!("You need to be Admin or Owner to call this endpoint")
                }
            }
        }
@@ -240,19 +331,41 @@ impl<'a, 'r> FromRequest<'a, 'r> for OwnerHeaders {

    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
        match request.guard::<OrgHeaders>() {
-            Outcome::Forward(f) => Outcome::Forward(f),
+            Outcome::Forward(_) => Outcome::Forward(()),
            Outcome::Failure(f) => Outcome::Failure(f),
            Outcome::Success(headers) => {
-                if headers.org_user_type > UserOrgType::Owner as i32 {
-                    err_handler!("You need to be Owner to call this endpoint")
-                } else {
-                    Outcome::Success(Self{
+                if headers.org_user_type == UserOrgType::Owner {
+                    Outcome::Success(Self {
                        host: headers.host,
                        device: headers.device,
                        user: headers.user,
                    })
+                } else {
+                    err_handler!("You need to be Owner to call this endpoint")
                }
            }
        }
    }
-}
+}
+
+//
+// Client IP address detection
+//
+use std::net::IpAddr;
+
+pub struct ClientIp {
+    pub ip: IpAddr,
+}
+
+impl<'a, 'r> FromRequest<'a, 'r> for ClientIp {
+    type Error = ();
+
+    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
+        let ip = match request.client_ip() {
+            Some(addr) => addr,
+            None => "0.0.0.0".parse().unwrap(),
+        };
+
+        Outcome::Success(ClientIp { ip })
+    }
+}
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -1,6 +1,6 @@
-///
-/// PBKDF2 derivation
-///
+//
+// PBKDF2 derivation
+//

 use ring::{digest, pbkdf2};

@@ -19,9 +19,9 @@ pub fn verify_password_hash(secret: &[u8], salt: &[u8], previous: &[u8], iterati
    pbkdf2::verify(DIGEST_ALG, iterations, salt, secret, previous).is_ok()
 }

-///
-/// Random values
-///
+//
+// Random values
+//

 pub fn get_random_64() -> Vec<u8> {
    get_random(vec![0u8; 64])
@@ -30,7 +30,9 @@ pub fn get_random_64() -> Vec<u8> {
 pub fn get_random(mut array: Vec<u8>) -> Vec<u8> {
    use ring::rand::{SecureRandom, SystemRandom};

-    SystemRandom::new().fill(&mut array).expect("Error generating random values");
+    SystemRandom::new()
+        .fill(&mut array)
+        .expect("Error generating random values");

    array
 }
--- a/src/db/mod.rs
+++ b/src/db/mod.rs
@@ -1,15 +1,15 @@
 use std::ops::Deref;

-use diesel::{Connection as DieselConnection, ConnectionError};
-use diesel::sqlite::SqliteConnection;
 use diesel::r2d2;
 use diesel::r2d2::ConnectionManager;
+use diesel::sqlite::SqliteConnection;
+use diesel::{Connection as DieselConnection, ConnectionError};

 use rocket::http::Status;
 use rocket::request::{self, FromRequest};
 use rocket::{Outcome, Request, State};

-use CONFIG;
+use crate::CONFIG;

 /// An alias to the database connection used
 type Connection = SqliteConnection;
@@ -20,16 +20,14 @@ type Pool = r2d2::Pool<ConnectionManager<Connection>>;
 /// Connection request guard type: a wrapper around an r2d2 pooled connection.
 pub struct DbConn(pub r2d2::PooledConnection<ConnectionManager<Connection>>);

-pub mod schema;
 pub mod models;
+pub mod schema;

 /// Initializes a database pool.
 pub fn init_pool() -> Pool {
    let manager = ConnectionManager::new(&*CONFIG.database_url);

-    r2d2::Pool::builder()
-        .build(manager)
-        .expect("Failed to create pool")
+    r2d2::Pool::builder().build(manager).expect("Failed to create pool")
 }

 pub fn get_connection() -> Result<Connection, ConnectionError> {
@@ -46,7 +44,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for DbConn {
        let pool = request.guard::<State<Pool>>()?;
        match pool.get() {
            Ok(conn) => Outcome::Success(DbConn(conn)),
-            Err(_) => Outcome::Failure((Status::ServiceUnavailable, ()))
+            Err(_) => Outcome::Failure((Status::ServiceUnavailable, ())),
        }
    }
 }
--- a/src/db/models/attachment.rs
+++ b/src/db/models/attachment.rs
@@ -1,7 +1,7 @@
-use serde_json::Value as JsonValue;
+use serde_json::Value;

 use super::Cipher;
-use CONFIG;
+use crate::CONFIG;

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "attachments"]
@@ -12,6 +12,7 @@ pub struct Attachment {
    pub cipher_uuid: String,
    pub file_name: String,
    pub file_size: i32,
+    pub key: Option<String>,
 }

 /// Local methods
@@ -22,6 +23,7 @@ impl Attachment {
            cipher_uuid,
            file_name,
            file_size,
+            key: None,
        }
    }

@@ -29,8 +31,8 @@ impl Attachment {
        format!("{}/{}/{}", CONFIG.attachments_folder, self.cipher_uuid, self.id)
    }

-    pub fn to_json(&self, host: &str) -> JsonValue {
-        use util::get_display_size;
+    pub fn to_json(&self, host: &str) -> Value {
+        use crate::util::get_display_size;

        let web_path = format!("{}/attachments/{}/{}", host, self.cipher_uuid, self.id);
        let display_size = get_display_size(self.file_size);
@@ -41,55 +43,67 @@ impl Attachment {
            "FileName": self.file_name,
            "Size": self.file_size.to_string(),
            "SizeName": display_size,
+            "Key": self.key,
            "Object": "attachment"
        })
    }
 }

+use crate::db::schema::attachments;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use db::DbConn;
-use db::schema::attachments;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Attachment {
-    pub fn save(&self, conn: &DbConn) -> bool {
-        match diesel::replace_into(attachments::table)
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        diesel::replace_into(attachments::table)
            .values(self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            .execute(&**conn)
+            .map_res("Error saving attachment")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        use util;
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        crate::util::retry(
+            || diesel::delete(attachments::table.filter(attachments::id.eq(&self.id))).execute(&**conn),
+            10,
+        )
+        .map_res("Error deleting attachment")?;

-        util::delete_file(&self.get_file_path());
-
-        diesel::delete(
-            attachments::table.filter(
-                attachments::id.eq(self.id)
-            )
-        ).execute(&**conn).and(Ok(()))
+        crate::util::delete_file(&self.get_file_path())?;
+        Ok(())
    }

-    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        for attachement in Attachment::find_by_cipher(&cipher_uuid, &conn) {
-            attachement.delete(&conn)?;
+    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> EmptyResult {
+        for attachment in Attachment::find_by_cipher(&cipher_uuid, &conn) {
+            attachment.delete(&conn)?;
        }
        Ok(())
    }

    pub fn find_by_id(id: &str, conn: &DbConn) -> Option<Self> {
+        let id = id.to_lowercase();
+        
        attachments::table
            .filter(attachments::id.eq(id))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_cipher(cipher_uuid: &str, conn: &DbConn) -> Vec<Self> {
        attachments::table
            .filter(attachments::cipher_uuid.eq(cipher_uuid))
-            .load::<Self>(&**conn).expect("Error loading attachments")
+            .load::<Self>(&**conn)
+            .expect("Error loading attachments")
+    }
+
+    pub fn find_by_ciphers(cipher_uuids: Vec<String>, conn: &DbConn) -> Vec<Self> {
+        attachments::table
+            .filter(attachments::cipher_uuid.eq_any(cipher_uuids))
+            .load::<Self>(&**conn)
+            .expect("Error loading attachments")
    }
 }
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -1,9 +1,9 @@
 use chrono::{NaiveDateTime, Utc};
-use serde_json::Value as JsonValue;
+use serde_json::Value;

-use uuid::Uuid;
-
-use super::{User, Organization, Attachment, FolderCipher, CollectionCipher, UserOrgType};
+use super::{
+    Attachment, CollectionCipher, FolderCipher, Organization, User, UserOrgStatus, UserOrgType, UserOrganization,
+};

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "ciphers"]
@@ -32,6 +32,7 @@ pub struct Cipher {
    pub data: String,

    pub favorite: bool,
+    pub password_history: Option<String>,
 }

 /// Local methods
@@ -40,7 +41,7 @@ impl Cipher {
        let now = Utc::now().naive_utc();

        Self {
-            uuid: Uuid::new_v4().to_string(),
+            uuid: crate::util::get_uuid(),
            created_at: now,
            updated_at: now,

@@ -55,36 +56,48 @@ impl Cipher {
            fields: None,

            data: String::new(),
+            password_history: None,
        }
    }
 }

+use crate::db::schema::*;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use db::DbConn;
-use db::schema::*;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Cipher {
-    pub fn to_json(&self, host: &str, user_uuid: &str, conn: &DbConn) -> JsonValue {
-        use serde_json;
-        use util::format_date;
+    pub fn to_json(&self, host: &str, user_uuid: &str, conn: &DbConn) -> Value {
        use super::Attachment;
+        use crate::util::format_date;
+        use serde_json;

        let attachments = Attachment::find_by_cipher(&self.uuid, conn);
-        let attachments_json: Vec<JsonValue> = attachments.iter().map(|c| c.to_json(host)).collect();
+        let attachments_json: Vec<Value> = attachments.iter().map(|c| c.to_json(host)).collect();

-        let fields_json: JsonValue = if let Some(ref fields) = self.fields {
+        let fields_json: Value = if let Some(ref fields) = self.fields {
            serde_json::from_str(fields).unwrap()
-        } else { JsonValue::Null };
+        } else {
+            Value::Null
+        };

-        let mut data_json: JsonValue = serde_json::from_str(&self.data).unwrap();
+        let password_history_json: Value = if let Some(ref password_history) = self.password_history {
+            serde_json::from_str(password_history).unwrap()
+        } else {
+            Value::Null
+        };
+
+        let mut data_json: Value = serde_json::from_str(&self.data).unwrap();

        // TODO: ******* Backwards compat start **********
        // To remove backwards compatibility, just remove this entire section
        // and remove the compat code from ciphers::update_cipher_from_data
        if self.type_ == 1 && data_json["Uris"].is_array() {
-            let uri = data_json["Uris"][0]["uri"].clone();
+            let uri = data_json["Uris"][0]["Uri"].clone();
            data_json["Uri"] = uri;
        }
        // TODO: ******* Backwards compat end **********
@@ -97,7 +110,7 @@ impl Cipher {
            "Favorite": self.favorite,
            "OrganizationId": self.organization_uuid,
            "Attachments": attachments_json,
-            "OrganizationUseTotp": false,
+            "OrganizationUseTotp": true,
            "CollectionIds": self.get_collections(user_uuid, &conn),

            "Name": self.name,
@@ -108,6 +121,8 @@ impl Cipher {

            "Object": "cipher",
            "Edit": true,
+
+            "PasswordHistory": password_history_json,
        });

        let key = match self.type_ {
@@ -122,70 +137,96 @@ impl Cipher {
        json_object
    }

-    pub fn save(&mut self, conn: &DbConn) -> bool {
-        self.updated_at = Utc::now().naive_utc();
-
-        match diesel::replace_into(ciphers::table)
-            .values(&*self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+    pub fn update_users_revision(&self, conn: &DbConn) -> Vec<String> {
+        let mut user_uuids = Vec::new();
+        match self.user_uuid {
+            Some(ref user_uuid) => {
+                User::update_uuid_revision(&user_uuid, conn);
+                user_uuids.push(user_uuid.clone())
+            }
+            None => {
+                // Belongs to Organization, need to update affected users
+                if let Some(ref org_uuid) = self.organization_uuid {
+                    UserOrganization::find_by_cipher_and_org(&self.uuid, &org_uuid, conn)
+                        .iter()
+                        .for_each(|user_org| {
+                            User::update_uuid_revision(&user_org.user_uuid, conn);
+                            user_uuids.push(user_org.user_uuid.clone())
+                        });
+                }
+            }
+        };
+        user_uuids
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        self.update_users_revision(conn);
+        self.updated_at = Utc::now().naive_utc();
+
+        diesel::replace_into(ciphers::table)
+            .values(&*self)
+            .execute(&**conn)
+            .map_res("Error saving cipher")
+    }
+
+    pub fn delete(&self, conn: &DbConn) -> EmptyResult {
+        self.update_users_revision(conn);
+
        FolderCipher::delete_all_by_cipher(&self.uuid, &conn)?;
        CollectionCipher::delete_all_by_cipher(&self.uuid, &conn)?;
        Attachment::delete_all_by_cipher(&self.uuid, &conn)?;

-        diesel::delete(
-            ciphers::table.filter(
-                ciphers::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(ciphers::table.filter(ciphers::uuid.eq(&self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting cipher")
    }

-    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult {
        for cipher in Self::find_by_org(org_uuid, &conn) {
            cipher.delete(&conn)?;
        }
        Ok(())
    }

-    pub fn move_to_folder(&self, folder_uuid: Option<String>, user_uuid: &str, conn: &DbConn) -> Result<(), &str> {
-        match self.get_folder_uuid(&user_uuid, &conn)  {
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        for cipher in Self::find_owned_by_user(user_uuid, &conn) {
+            cipher.delete(&conn)?;
+        }
+        Ok(())
+    }
+
+    pub fn move_to_folder(&self, folder_uuid: Option<String>, user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        match self.get_folder_uuid(&user_uuid, &conn) {
            None => {
                match folder_uuid {
                    Some(new_folder) => {
+                        self.update_users_revision(conn);
                        let folder_cipher = FolderCipher::new(&new_folder, &self.uuid);
-                        folder_cipher.save(&conn).or(Err("Couldn't save folder setting"))
-                    },
-                    None => Ok(()) //nothing to do
+                        folder_cipher.save(&conn)
+                    }
+                    None => Ok(()), //nothing to do
                }
-            },
+            }
            Some(current_folder) => {
                match folder_uuid {
                    Some(new_folder) => {
                        if current_folder == new_folder {
                            Ok(()) //nothing to do
                        } else {
-                            match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) {
-                                Some(current_folder) => {
-                                    current_folder.delete(&conn).or(Err("Failed removing old folder mapping"))
-                                },
-                                None => Ok(()) // Weird, but nothing to do
-                            }.and_then(
-                                |()| FolderCipher::new(&new_folder, &self.uuid)
-                                .save(&conn).or(Err("Couldn't save folder setting"))
-                            )
+                            self.update_users_revision(conn);
+                            if let Some(current_folder) =
+                                FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn)
+                            {
+                                current_folder.delete(&conn)?;
+                            }
+                            FolderCipher::new(&new_folder, &self.uuid).save(&conn)
                        }
-                    },
+                    }
                    None => {
+                        self.update_users_revision(conn);
                        match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) {
-                            Some(current_folder) => {
-                                current_folder.delete(&conn).or(Err("Failed removing old folder mapping"))
-                            },
-                            None => Err("Couldn't move from previous folder")
+                            Some(current_folder) => current_folder.delete(&conn),
+                            None => err!("Couldn't move from previous folder"),
                        }
                    }
                }
@@ -194,89 +235,104 @@ impl Cipher {
    }

    pub fn is_write_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
-        match ciphers::table
-        .filter(ciphers::uuid.eq(&self.uuid))
-        .left_join(users_organizations::table.on(
-            ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()).and(
-                users_organizations::user_uuid.eq(user_uuid)
+        ciphers::table
+            .filter(ciphers::uuid.eq(&self.uuid))
+            .left_join(
+                users_organizations::table.on(ciphers::organization_uuid
+                    .eq(users_organizations::org_uuid.nullable())
+                    .and(users_organizations::user_uuid.eq(user_uuid))),
            )
-        ))
-        .left_join(ciphers_collections::table)
-        .left_join(users_collections::table.on(
-            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
-        ))
-        .filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
-            users_organizations::access_all.eq(true).or( // access_all in Organization
-                users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
-                    users_collections::user_uuid.eq(user_uuid).and(
-                        users_collections::read_only.eq(false) //R/W access to collection
-                    )
-                )
+            .left_join(ciphers_collections::table)
+            .left_join(
+                users_collections::table
+                    .on(ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)),
            )
-        ))
-        .select(ciphers::all_columns)
-        .first::<Self>(&**conn).ok() {
-            Some(_) => true,
-            None => false
-        }
+            .filter(ciphers::user_uuid.eq(user_uuid).or(
+                // Cipher owner
+                users_organizations::access_all.eq(true).or(
+                    // access_all in Organization
+                    users_organizations::type_.le(UserOrgType::Admin as i32).or(
+                        // Org admin or owner
+                        users_collections::user_uuid.eq(user_uuid).and(
+                            users_collections::read_only.eq(false), //R/W access to collection
+                        ),
+                    ),
+                ),
+            ))
+            .select(ciphers::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
+            .is_some()
    }

    pub fn is_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
-        match ciphers::table
-        .filter(ciphers::uuid.eq(&self.uuid))
-        .left_join(users_organizations::table.on(
-            ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()).and(
-                users_organizations::user_uuid.eq(user_uuid)
+        ciphers::table
+            .filter(ciphers::uuid.eq(&self.uuid))
+            .left_join(
+                users_organizations::table.on(ciphers::organization_uuid
+                    .eq(users_organizations::org_uuid.nullable())
+                    .and(users_organizations::user_uuid.eq(user_uuid))),
            )
-        ))
-        .left_join(ciphers_collections::table)
-        .left_join(users_collections::table.on(
-            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
-        ))
-        .filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
-            users_organizations::access_all.eq(true).or( // access_all in Organization
-                users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
-                    users_collections::user_uuid.eq(user_uuid) // Access to Collection
-                )
+            .left_join(ciphers_collections::table)
+            .left_join(
+                users_collections::table
+                    .on(ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)),
            )
-        ))
-        .select(ciphers::all_columns)
-        .first::<Self>(&**conn).ok() {
-            Some(_) => true,
-            None => false
-        }
+            .filter(ciphers::user_uuid.eq(user_uuid).or(
+                // Cipher owner
+                users_organizations::access_all.eq(true).or(
+                    // access_all in Organization
+                    users_organizations::type_.le(UserOrgType::Admin as i32).or(
+                        // Org admin or owner
+                        users_collections::user_uuid.eq(user_uuid), // Access to Collection
+                    ),
+                ),
+            ))
+            .select(ciphers::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
+            .is_some()
    }

    pub fn get_folder_uuid(&self, user_uuid: &str, conn: &DbConn) -> Option<String> {
-        folders_ciphers::table.inner_join(folders::table)
+        folders_ciphers::table
+            .inner_join(folders::table)
            .filter(folders::user_uuid.eq(&user_uuid))
            .filter(folders_ciphers::cipher_uuid.eq(&self.uuid))
            .select(folders_ciphers::folder_uuid)
-            .first::<String>(&**conn).ok()
+            .first::<String>(&**conn)
+            .ok()
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        ciphers::table
            .filter(ciphers::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

-    // Find all ciphers accesible to user
+    // Find all ciphers accessible to user
    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        ciphers::table
        .left_join(users_organizations::table.on(
            ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()).and(
-                users_organizations::user_uuid.eq(user_uuid)
+                users_organizations::user_uuid.eq(user_uuid).and(
+                    users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+                )
            )
        ))
-        .left_join(ciphers_collections::table)
+        .left_join(ciphers_collections::table.on(
+            ciphers::uuid.eq(ciphers_collections::cipher_uuid)
+        ))
        .left_join(users_collections::table.on(
            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
        ))
        .filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
            users_organizations::access_all.eq(true).or( // access_all in Organization
                users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
-                    users_collections::user_uuid.eq(user_uuid) // Access to Collection
+                    users_collections::user_uuid.eq(user_uuid).and( // Access to Collection
+                        users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+                    )
                )
            )
        ))
@@ -316,7 +372,9 @@ impl Cipher {
            )
        ))
        .left_join(users_collections::table.on(
-            users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+            users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and(
+                users_collections::user_uuid.eq(user_id)
+            )
        ))
        .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
        .filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection
@@ -325,6 +383,6 @@ impl Cipher {
            )
        ))
        .select(ciphers_collections::collection_uuid)
-        .load::<String>(&**conn).unwrap_or(vec![])
+        .load::<String>(&**conn).unwrap_or_default()
    }
 }
--- a/src/db/models/collection.rs
+++ b/src/db/models/collection.rs
@@ -1,8 +1,6 @@
-use serde_json::Value as JsonValue;
+use serde_json::Value;

-use uuid::Uuid;
-
-use super::{Organization, UserOrganization, UserOrgType};
+use super::{Organization, UserOrgStatus, UserOrgType, UserOrganization};

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "collections"]
@@ -18,14 +16,14 @@ pub struct Collection {
 impl Collection {
    pub fn new(org_uuid: String, name: String) -> Self {
        Self {
-            uuid: Uuid::new_v4().to_string(),
+            uuid: crate::util::get_uuid(),

            org_uuid,
            name,
        }
    }

-    pub fn to_json(&self) -> JsonValue {
+    pub fn to_json(&self) -> Value {
        json!({
            "Id": self.uuid,
            "OrganizationId": self.org_uuid,
@@ -35,34 +33,40 @@ impl Collection {
    }
 }

+use crate::db::schema::*;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use db::DbConn;
-use db::schema::*;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Collection {
-    pub fn save(&mut self, conn: &DbConn) -> bool {
-        match diesel::replace_into(collections::table)
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        // Update affected users revision
+        UserOrganization::find_by_collection_and_org(&self.uuid, &self.org_uuid, conn)
+            .iter()
+            .for_each(|user_org| {
+                User::update_uuid_revision(&user_org.user_uuid, conn);
+            });
+
+        diesel::replace_into(collections::table)
            .values(&*self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            .execute(&**conn)
+            .map_res("Error saving collection")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
        CollectionCipher::delete_all_by_collection(&self.uuid, &conn)?;
        CollectionUser::delete_all_by_collection(&self.uuid, &conn)?;

-        diesel::delete(
-            collections::table.filter(
-                collections::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(collections::table.filter(collections::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting collection")
    }

-    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult {
        for collection in Self::find_by_organization(org_uuid, &conn) {
            collection.delete(&conn)?;
        }
@@ -72,42 +76,54 @@ impl Collection {
    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        collections::table
            .filter(collections::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user_uuid(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
-        let mut all_access_collections = users_organizations::table
-            .filter(users_organizations::user_uuid.eq(user_uuid))
-            .filter(users_organizations::access_all.eq(true))
-            .inner_join(collections::table.on(collections::org_uuid.eq(users_organizations::org_uuid)))
-            .select(collections::all_columns)
-            .load::<Self>(&**conn).expect("Error loading collections");
-
-        let mut assigned_collections = users_collections::table.inner_join(collections::table)
-            .filter(users_collections::user_uuid.eq(user_uuid))
-            .select(collections::all_columns)
-            .load::<Self>(&**conn).expect("Error loading collections");
-
-        all_access_collections.append(&mut assigned_collections);
-        all_access_collections
+        collections::table
+        .left_join(users_collections::table.on(
+            users_collections::collection_uuid.eq(collections::uuid).and(
+                users_collections::user_uuid.eq(user_uuid)
+            )
+        ))
+        .left_join(users_organizations::table.on(
+            collections::org_uuid.eq(users_organizations::org_uuid).and(
+                users_organizations::user_uuid.eq(user_uuid)
+            )
+        ))
+        .filter(
+            users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+        )
+        .filter(
+            users_collections::user_uuid.eq(user_uuid).or( // Directly accessed collection
+                users_organizations::access_all.eq(true) // access_all in Organization
+            )
+        ).select(collections::all_columns)
+        .load::<Self>(&**conn).expect("Error loading collections")
    }

    pub fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &DbConn) -> Vec<Self> {
-        Self::find_by_user_uuid(user_uuid, conn).into_iter().filter(|c| c.org_uuid == org_uuid).collect()
+        Self::find_by_user_uuid(user_uuid, conn)
+            .into_iter()
+            .filter(|c| c.org_uuid == org_uuid)
+            .collect()
    }

    pub fn find_by_organization(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
        collections::table
            .filter(collections::org_uuid.eq(org_uuid))
-            .load::<Self>(&**conn).expect("Error loading collections")
+            .load::<Self>(&**conn)
+            .expect("Error loading collections")
    }

    pub fn find_by_uuid_and_org(uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
        collections::table
-        .filter(collections::uuid.eq(uuid))
-        .filter(collections::org_uuid.eq(org_uuid))
-        .select(collections::all_columns)
-        .first::<Self>(&**conn).ok()
+            .filter(collections::uuid.eq(uuid))
+            .filter(collections::org_uuid.eq(org_uuid))
+            .select(collections::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_uuid_and_user(uuid: &str, user_uuid: &str, conn: &DbConn) -> Option<Self> {
@@ -137,25 +153,25 @@ impl Collection {
        match UserOrganization::find_by_user_and_org(&user_uuid, &self.org_uuid, &conn) {
            None => false, // Not in Org
            Some(user_org) => {
-               if user_org.access_all {
-                   true
-               } else {
-                   match users_collections::table.inner_join(collections::table)
-                   .filter(users_collections::collection_uuid.eq(&self.uuid))
-                   .filter(users_collections::user_uuid.eq(&user_uuid))
-                   .filter(users_collections::read_only.eq(false))
-                   .select(collections::all_columns)
-                   .first::<Self>(&**conn).ok() {
-                       None => false, // Read only or no access to collection
-                       Some(_) => true,
-                   }
-               }
+                if user_org.access_all {
+                    true
+                } else {
+                    users_collections::table
+                        .inner_join(collections::table)
+                        .filter(users_collections::collection_uuid.eq(&self.uuid))
+                        .filter(users_collections::user_uuid.eq(&user_uuid))
+                        .filter(users_collections::read_only.eq(false))
+                        .select(collections::all_columns)
+                        .first::<Self>(&**conn)
+                        .ok()
+                        .is_some() // Read only or no access to collection
+                }
            }
        }
    }
 }

-use super::User; 
+use super::User;

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "users_collections"]
@@ -176,54 +192,72 @@ impl CollectionUser {
            .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid)))
            .filter(collections::org_uuid.eq(org_uuid))
            .select(users_collections::all_columns)
-            .load::<Self>(&**conn).expect("Error loading users_collections")
+            .load::<Self>(&**conn)
+            .expect("Error loading users_collections")
    }

-    pub fn save(user_uuid: &str, collection_uuid: &str, read_only:bool, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(user_uuid: &str, collection_uuid: &str, read_only: bool, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&user_uuid, conn);
+
        diesel::replace_into(users_collections::table)
-        .values((
-            users_collections::user_uuid.eq(user_uuid),
-            users_collections::collection_uuid.eq(collection_uuid),
-            users_collections::read_only.eq(read_only),
-        )).execute(&**conn).and(Ok(()))
+            .values((
+                users_collections::user_uuid.eq(user_uuid),
+                users_collections::collection_uuid.eq(collection_uuid),
+                users_collections::read_only.eq(read_only),
+            ))
+            .execute(&**conn)
+            .map_res("Error adding user to collection")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(users_collections::table
-        .filter(users_collections::user_uuid.eq(&self.user_uuid))
-        .filter(users_collections::collection_uuid.eq(&self.collection_uuid)))
-        .execute(&**conn).and(Ok(()))
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&self.user_uuid, conn);
+
+        diesel::delete(
+            users_collections::table
+                .filter(users_collections::user_uuid.eq(&self.user_uuid))
+                .filter(users_collections::collection_uuid.eq(&self.collection_uuid)),
+        )
+        .execute(&**conn)
+        .map_res("Error removing user from collection")
    }

    pub fn find_by_collection(collection_uuid: &str, conn: &DbConn) -> Vec<Self> {
        users_collections::table
-        .filter(users_collections::collection_uuid.eq(collection_uuid))
-        .select(users_collections::all_columns)
-        .load::<Self>(&**conn).expect("Error loading users_collections")
+            .filter(users_collections::collection_uuid.eq(collection_uuid))
+            .select(users_collections::all_columns)
+            .load::<Self>(&**conn)
+            .expect("Error loading users_collections")
    }

    pub fn find_by_collection_and_user(collection_uuid: &str, user_uuid: &str, conn: &DbConn) -> Option<Self> {
        users_collections::table
-        .filter(users_collections::collection_uuid.eq(collection_uuid))
-        .filter(users_collections::user_uuid.eq(user_uuid))
-        .select(users_collections::all_columns)
-        .first::<Self>(&**conn).ok()
-    }
-
-    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(users_collections::table
            .filter(users_collections::collection_uuid.eq(collection_uuid))
-        ).execute(&**conn).and(Ok(()))
+            .filter(users_collections::user_uuid.eq(user_uuid))
+            .select(users_collections::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
    }

-    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(users_collections::table
-            .filter(users_collections::user_uuid.eq(user_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        CollectionUser::find_by_collection(&collection_uuid, conn)
+            .iter()
+            .for_each(|collection| User::update_uuid_revision(&collection.user_uuid, conn));
+
+        diesel::delete(users_collections::table.filter(users_collections::collection_uuid.eq(collection_uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting users from collection")
+    }
+
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&user_uuid, conn);
+
+        diesel::delete(users_collections::table.filter(users_collections::user_uuid.eq(user_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing user from collections")
    }
 }

-use super::Cipher; 
+use super::Cipher;

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "ciphers_collections"]
@@ -237,36 +271,35 @@ pub struct CollectionCipher {

 /// Database methods
 impl CollectionCipher {
-    pub fn save(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> bool {
-        match diesel::replace_into(ciphers_collections::table)
+    pub fn save(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::replace_into(ciphers_collections::table)
            .values((
                ciphers_collections::cipher_uuid.eq(cipher_uuid),
                ciphers_collections::collection_uuid.eq(collection_uuid),
-            )).execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            ))
+            .execute(&**conn)
+            .map_res("Error adding cipher to collection")
    }

-    pub fn delete(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> bool {
-        match diesel::delete(ciphers_collections::table
-            .filter(ciphers_collections::cipher_uuid.eq(cipher_uuid))
-            .filter(ciphers_collections::collection_uuid.eq(collection_uuid)))
-            .execute(&**conn) {
-            Ok(1) => true, // One row deleted
-            _ => false,
-        }
+    pub fn delete(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(
+            ciphers_collections::table
+                .filter(ciphers_collections::cipher_uuid.eq(cipher_uuid))
+                .filter(ciphers_collections::collection_uuid.eq(collection_uuid)),
+        )
+        .execute(&**conn)
+        .map_res("Error deleting cipher from collection")
    }

-    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(ciphers_collections::table
-            .filter(ciphers_collections::cipher_uuid.eq(cipher_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(ciphers_collections::table.filter(ciphers_collections::cipher_uuid.eq(cipher_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing cipher from collections")
    }

-    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(ciphers_collections::table
-            .filter(ciphers_collections::collection_uuid.eq(collection_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(ciphers_collections::table.filter(ciphers_collections::collection_uuid.eq(collection_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing ciphers from collection")
    }
-}
+}
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -43,23 +43,25 @@ impl Device {
        }
    }

-    pub fn refresh_twofactor_remember(&mut self) {
+    pub fn refresh_twofactor_remember(&mut self) -> String {
+        use crate::crypto;
        use data_encoding::BASE64;
-        use crypto;

-        self.twofactor_remember = Some(BASE64.encode(&crypto::get_random(vec![0u8; 180])));
+        let twofactor_remember = BASE64.encode(&crypto::get_random(vec![0u8; 180]));
+        self.twofactor_remember = Some(twofactor_remember.clone());
+
+        twofactor_remember
    }

    pub fn delete_twofactor_remember(&mut self) {
        self.twofactor_remember = None;
    }

-
    pub fn refresh_tokens(&mut self, user: &super::User, orgs: Vec<super::UserOrganization>) -> (String, i64) {
        // If there is no refresh token, we create one
        if self.refresh_token.is_empty() {
+            use crate::crypto;
            use data_encoding::BASE64URL;
-            use crypto;

            self.refresh_token = BASE64URL.encode(&crypto::get_random_64());
        }
@@ -68,14 +70,14 @@ impl Device {
        let time_now = Utc::now().naive_utc();
        self.updated_at = time_now;

-
        let orgowner: Vec<_> = orgs.iter().filter(|o| o.type_ == 0).map(|o| o.org_uuid.clone()).collect();
        let orgadmin: Vec<_> = orgs.iter().filter(|o| o.type_ == 1).map(|o| o.org_uuid.clone()).collect();
        let orguser: Vec<_> = orgs.iter().filter(|o| o.type_ == 2).map(|o| o.org_uuid.clone()).collect();
+        let orgmanager: Vec<_> = orgs.iter().filter(|o| o.type_ == 3).map(|o| o.org_uuid.clone()).collect();


        // Create the JWT claims struct, to send to the client
-        use auth::{encode_jwt, JWTClaims, DEFAULT_VALIDITY, JWT_ISSUER};
+        use crate::auth::{encode_jwt, JWTClaims, DEFAULT_VALIDITY, JWT_ISSUER};
        let claims = JWTClaims {
            nbf: time_now.timestamp(),
            exp: (time_now + *DEFAULT_VALIDITY).timestamp(),
@@ -90,6 +92,7 @@ impl Device {
            orgowner,
            orgadmin,
            orguser,
+            orgmanager,

            sstamp: user.security_stamp.to_string(),
            device: self.uuid.to_string(),
@@ -97,53 +100,61 @@ impl Device {
            amr: vec!["Application".into()],
        };

-
        (encode_jwt(&claims), DEFAULT_VALIDITY.num_seconds())
    }
 }

+use crate::db::schema::devices;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use db::DbConn;
-use db::schema::devices;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Device {
-    pub fn save(&mut self, conn: &DbConn) -> bool {
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
        self.updated_at = Utc::now().naive_utc();

-        match diesel::replace_into(devices::table)
-            .values(&*self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+        crate::util::retry(
+            || diesel::replace_into(devices::table).values(&*self).execute(&**conn),
+            10,
+        )
+        .map_res("Error saving device")
    }

-    pub fn delete(self, conn: &DbConn) -> bool {
-        match diesel::delete(devices::table.filter(
-            devices::uuid.eq(self.uuid)))
-            .execute(&**conn) {
-            Ok(1) => true, // One row deleted
-            _ => false,
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(devices::table.filter(devices::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error removing device")
+    }
+
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        for device in Self::find_by_user(user_uuid, &conn) {
+            device.delete(&conn)?;
        }
+        Ok(())
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        devices::table
            .filter(devices::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_refresh_token(refresh_token: &str, conn: &DbConn) -> Option<Self> {
        devices::table
            .filter(devices::refresh_token.eq(refresh_token))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        devices::table
            .filter(devices::user_uuid.eq(user_uuid))
-            .load::<Self>(&**conn).expect("Error loading devices")
+            .load::<Self>(&**conn)
+            .expect("Error loading devices")
    }
 }
--- a/src/db/models/folder.rs
+++ b/src/db/models/folder.rs
@@ -1,9 +1,7 @@
 use chrono::{NaiveDateTime, Utc};
-use serde_json::Value as JsonValue;
+use serde_json::Value;

-use uuid::Uuid;
-
-use super::{User, Cipher};
+use super::{Cipher, User};

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "folders"]
@@ -33,7 +31,7 @@ impl Folder {
        let now = Utc::now().naive_utc();

        Self {
-            uuid: Uuid::new_v4().to_string(),
+            uuid: crate::util::get_uuid(),
            created_at: now,
            updated_at: now,

@@ -42,8 +40,8 @@ impl Folder {
        }
    }

-    pub fn to_json(&self) -> JsonValue {
-        use util::format_date;
+    pub fn to_json(&self) -> Value {
+        use crate::util::format_date;

        json!({
            "Id": self.uuid,
@@ -63,83 +61,99 @@ impl FolderCipher {
    }
 }

+use crate::db::schema::{folders, folders_ciphers};
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use db::DbConn;
-use db::schema::{folders, folders_ciphers};
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Folder {
-    pub fn save(&mut self, conn: &DbConn) -> bool {
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&self.user_uuid, conn);
        self.updated_at = Utc::now().naive_utc();

-        match diesel::replace_into(folders::table)
+        diesel::replace_into(folders::table)
            .values(&*self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            .execute(&**conn)
+            .map_res("Error saving folder")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(&self, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&self.user_uuid, conn);
        FolderCipher::delete_all_by_folder(&self.uuid, &conn)?;

-        diesel::delete(
-            folders::table.filter(
-                folders::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(folders::table.filter(folders::uuid.eq(&self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting folder")
+    }
+
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        for folder in Self::find_by_user(user_uuid, &conn) {
+            folder.delete(&conn)?;
+        }
+        Ok(())
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        folders::table
            .filter(folders::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        folders::table
            .filter(folders::user_uuid.eq(user_uuid))
-            .load::<Self>(&**conn).expect("Error loading folders")
+            .load::<Self>(&**conn)
+            .expect("Error loading folders")
    }
 }

 impl FolderCipher {
-    pub fn save(&self, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
        diesel::replace_into(folders_ciphers::table)
-        .values(&*self)
-        .execute(&**conn).and(Ok(()))
+            .values(&*self)
+            .execute(&**conn)
+            .map_res("Error adding cipher to folder")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(folders_ciphers::table
-            .filter(folders_ciphers::cipher_uuid.eq(self.cipher_uuid))
-            .filter(folders_ciphers::folder_uuid.eq(self.folder_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(
+            folders_ciphers::table
+                .filter(folders_ciphers::cipher_uuid.eq(self.cipher_uuid))
+                .filter(folders_ciphers::folder_uuid.eq(self.folder_uuid)),
+        )
+        .execute(&**conn)
+        .map_res("Error removing cipher from folder")
    }

-    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(folders_ciphers::table
-            .filter(folders_ciphers::cipher_uuid.eq(cipher_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(folders_ciphers::table.filter(folders_ciphers::cipher_uuid.eq(cipher_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing cipher from folders")
    }

-    pub fn delete_all_by_folder(folder_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(folders_ciphers::table
-            .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_folder(folder_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(folders_ciphers::table.filter(folders_ciphers::folder_uuid.eq(folder_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing ciphers from folder")
    }

    pub fn find_by_folder_and_cipher(folder_uuid: &str, cipher_uuid: &str, conn: &DbConn) -> Option<Self> {
        folders_ciphers::table
            .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
            .filter(folders_ciphers::cipher_uuid.eq(cipher_uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_folder(folder_uuid: &str, conn: &DbConn) -> Vec<Self> {
        folders_ciphers::table
            .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
-            .load::<Self>(&**conn).expect("Error loading folders")
+            .load::<Self>(&**conn)
+            .expect("Error loading folders")
    }
 }
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -6,12 +6,14 @@ mod user;

 mod collection;
 mod organization;
+mod two_factor;

 pub use self::attachment::Attachment;
 pub use self::cipher::Cipher;
+pub use self::collection::{Collection, CollectionCipher, CollectionUser};
 pub use self::device::Device;
 pub use self::folder::{Folder, FolderCipher};
-pub use self::user::User;
 pub use self::organization::Organization;
-pub use self::organization::{UserOrganization, UserOrgStatus, UserOrgType};
-pub use self::collection::{Collection, CollectionUser, CollectionCipher};
+pub use self::organization::{UserOrgStatus, UserOrgType, UserOrganization};
+pub use self::two_factor::{TwoFactor, TwoFactorType};
+pub use self::user::{Invitation, User};
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -1,6 +1,7 @@
-use serde_json::Value as JsonValue;
+use serde_json::Value;
+use std::cmp::Ordering;

-use uuid::Uuid;
+use super::{CollectionUser, User};

 #[derive(Debug, Identifiable, Queryable, Insertable)]
 #[table_name = "organizations"]
@@ -26,15 +27,102 @@ pub struct UserOrganization {
 }

 pub enum UserOrgStatus {
-    _Invited = 0, // Unused, users are accepted automatically
+    Invited = 0,
    Accepted = 1,
    Confirmed = 2,
 }

+#[derive(Copy, Clone, PartialEq, Eq)]
 pub enum UserOrgType {
    Owner = 0,
    Admin = 1,
    User = 2,
+    Manager = 3,
+}
+
+impl Ord for UserOrgType {
+    fn cmp(&self, other: &UserOrgType) -> Ordering {
+        if self == other {
+            Ordering::Equal
+        } else {
+            match self {
+                UserOrgType::Owner => Ordering::Greater,
+                UserOrgType::Admin => match other {
+                    UserOrgType::Owner => Ordering::Less,
+                    _ => Ordering::Greater,
+                },
+                UserOrgType::Manager => match other {
+                    UserOrgType::Owner | UserOrgType::Admin => Ordering::Less,
+                    _ => Ordering::Greater,
+                },
+                UserOrgType::User => Ordering::Less,
+            }
+        }
+    }
+}
+
+impl PartialOrd for UserOrgType {
+    fn partial_cmp(&self, other: &UserOrgType) -> Option<Ordering> {
+        Some(self.cmp(other))
+    }
+}
+
+impl PartialEq<i32> for UserOrgType {
+    fn eq(&self, other: &i32) -> bool {
+        *other == *self as i32
+    }
+}
+
+impl PartialOrd<i32> for UserOrgType {
+    fn partial_cmp(&self, other: &i32) -> Option<Ordering> {
+        if let Some(other) = Self::from_i32(*other) {
+            return Some(self.cmp(&other));
+        }
+        None
+    }
+
+    fn gt(&self, other: &i32) -> bool {
+        match self.partial_cmp(other) {
+            Some(Ordering::Less) | Some(Ordering::Equal) => false,
+            _ => true,
+        }
+    }
+
+    fn ge(&self, other: &i32) -> bool {
+        match self.partial_cmp(other) {
+            Some(Ordering::Less) => false,
+            _ => true,
+        }
+    }
+}
+
+impl PartialEq<UserOrgType> for i32 {
+    fn eq(&self, other: &UserOrgType) -> bool {
+        *self == *other as i32
+    }
+}
+
+impl PartialOrd<UserOrgType> for i32 {
+    fn partial_cmp(&self, other: &UserOrgType) -> Option<Ordering> {
+        if let Some(self_type) = UserOrgType::from_i32(*self) {
+            return Some(self_type.cmp(other));
+        }
+        None
+    }
+
+    fn lt(&self, other: &UserOrgType) -> bool {
+        match self.partial_cmp(other) {
+            Some(Ordering::Less) | None => true,
+            _ => false,
+        }
+    }
+
+    fn le(&self, other: &UserOrgType) -> bool {
+        match self.partial_cmp(other) {
+            Some(Ordering::Less) | Some(Ordering::Equal) | None => true,
+            _ => false,
+        }
+    }
 }

 impl UserOrgType {
@@ -43,6 +131,17 @@ impl UserOrgType {
            "0" | "Owner" => Some(UserOrgType::Owner),
            "1" | "Admin" => Some(UserOrgType::Admin),
            "2" | "User" => Some(UserOrgType::User),
+            "3" | "Manager" => Some(UserOrgType::Manager),
+            _ => None,
+        }
+    }
+
+    pub fn from_i32(i: i32) -> Option<Self> {
+        match i {
+            0 => Some(UserOrgType::Owner),
+            1 => Some(UserOrgType::Admin),
+            2 => Some(UserOrgType::User),
+            3 => Some(UserOrgType::Manager),
            _ => None,
        }
    }
@@ -52,25 +151,25 @@ impl UserOrgType {
 impl Organization {
    pub fn new(name: String, billing_email: String) -> Self {
        Self {
-            uuid: Uuid::new_v4().to_string(),
+            uuid: crate::util::get_uuid(),

            name,
            billing_email,
        }
    }

-    pub fn to_json(&self) -> JsonValue {
+    pub fn to_json(&self) -> Value {
        json!({
            "Id": self.uuid,
            "Name": self.name,
            "Seats": 10,
            "MaxCollections": 10,
-
-            "Use2fa": false,
+            "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side
+            "Use2fa": true,
            "UseDirectory": false,
            "UseEvents": false,
            "UseGroups": false,
-            "UseTotp": false,
+            "UseTotp": true,

            "BusinessName": null,
            "BusinessAddress1":	null,
@@ -80,9 +179,9 @@ impl Organization {
            "BusinessTaxNumber": null,

            "BillingEmail": self.billing_email,
-            "Plan": "Free",
-            "PlanType": 0, // Free plan
-
+            "Plan": "TeamsAnnually",
+            "PlanType": 5, // TeamsAnnually plan
+            "UsersGetPremium": true,
            "Object": "organization",
        })
    }
@@ -91,7 +190,7 @@ impl Organization {
 impl UserOrganization {
    pub fn new(user_uuid: String, org_uuid: String) -> Self {
        Self {
-            uuid: Uuid::new_v4().to_string(),
+            uuid: crate::util::get_uuid(),

            user_uuid,
            org_uuid,
@@ -104,47 +203,51 @@ impl UserOrganization {
    }
 }

-
+use crate::db::schema::{ciphers_collections, organizations, users_collections, users_organizations};
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use db::DbConn;
-use db::schema::organizations;
-use db::schema::users_organizations;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Organization {
-    pub fn save(&mut self, conn: &DbConn) -> bool {
-        match diesel::replace_into(organizations::table)
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        UserOrganization::find_by_org(&self.uuid, conn)
+            .iter()
+            .for_each(|user_org| {
+                User::update_uuid_revision(&user_org.user_uuid, conn);
+            });
+
+        diesel::replace_into(organizations::table)
            .values(&*self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            .execute(&**conn)
+            .map_res("Error saving organization")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
        use super::{Cipher, Collection};

        Cipher::delete_all_by_organization(&self.uuid, &conn)?;
        Collection::delete_all_by_organization(&self.uuid, &conn)?;
        UserOrganization::delete_all_by_organization(&self.uuid, &conn)?;

-        diesel::delete(
-            organizations::table.filter(
-                organizations::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(organizations::table.filter(organizations::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error saving organization")
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        organizations::table
            .filter(organizations::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }
 }

 impl UserOrganization {
-    pub fn to_json(&self, conn: &DbConn) -> JsonValue {
+    pub fn to_json(&self, conn: &DbConn) -> Value {
        let org = Organization::find_by_uuid(&self.org_uuid, conn).unwrap();

        json!({
@@ -152,12 +255,13 @@ impl UserOrganization {
            "Name": org.name,
            "Seats": 10,
            "MaxCollections": 10,
+            "UsersGetPremium": true,

-            "Use2fa": false,
+            "Use2fa": true,
            "UseDirectory": false,
            "UseEvents": false,
            "UseGroups": false,
-            "UseTotp": false,
+            "UseTotp": true,

            "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side

@@ -171,8 +275,7 @@ impl UserOrganization {
        })
    }

-    pub fn to_json_user_details(&self, conn: &DbConn) -> JsonValue {
-        use super::User;
+    pub fn to_json_user_details(&self, conn: &DbConn) -> Value {
        let user = User::find_by_uuid(&self.user_uuid, conn).unwrap();

        json!({
@@ -189,8 +292,7 @@ impl UserOrganization {
        })
    }

-    pub fn to_json_collection_user_details(&self, read_only: &bool, conn: &DbConn) -> JsonValue {
-        use super::User;
+    pub fn to_json_collection_user_details(&self, read_only: bool, conn: &DbConn) -> Value {
        let user = User::find_by_uuid(&self.user_uuid, conn).unwrap();

        json!({
@@ -205,13 +307,15 @@ impl UserOrganization {
        })
    }

-    pub fn to_json_details(&self, conn: &DbConn) -> JsonValue {        
-        let coll_uuids = if self.access_all { 
+    pub fn to_json_details(&self, conn: &DbConn) -> Value {
+        let coll_uuids = if self.access_all {
            vec![] // If we have complete access, no need to fill the array
        } else {
-            use super::CollectionUser;
            let collections = CollectionUser::find_by_organization_and_user_uuid(&self.org_uuid, &self.user_uuid, conn);
-            collections.iter().map(|c| json!({"Id": c.collection_uuid, "ReadOnly": c.read_only})).collect()
+            collections
+                .iter()
+                .map(|c| json!({"Id": c.collection_uuid, "ReadOnly": c.read_only}))
+                .collect()
        };

        json!({
@@ -227,69 +331,136 @@ impl UserOrganization {
        })
    }

-    pub fn save(&mut self, conn: &DbConn) -> bool {
-        match diesel::replace_into(users_organizations::table)
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&self.user_uuid, conn);
+
+        diesel::replace_into(users_organizations::table)
            .values(&*self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            .execute(&**conn)
+            .map_res("Error adding user to organization")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        use super::CollectionUser;
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&self.user_uuid, conn);

        CollectionUser::delete_all_by_user(&self.user_uuid, &conn)?;

-        diesel::delete(
-            users_organizations::table.filter(
-                users_organizations::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(users_organizations::table.filter(users_organizations::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error removing user from organization")
    }

-    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult {
        for user_org in Self::find_by_org(&org_uuid, &conn) {
            user_org.delete(&conn)?;
        }
        Ok(())
    }

+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        for user_org in Self::find_any_state_by_user(&user_uuid, &conn) {
+            user_org.delete(&conn)?;
+        }
+        Ok(())
+    }
+
    pub fn has_full_access(self) -> bool {
-        self.access_all || self.type_ < UserOrgType::User as i32
+        self.access_all || self.type_ >= UserOrgType::Admin
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        users_organizations::table
            .filter(users_organizations::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
+    }
+
+    pub fn find_by_uuid_and_org(uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
+        users_organizations::table
+            .filter(users_organizations::uuid.eq(uuid))
+            .filter(users_organizations::org_uuid.eq(org_uuid))
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        users_organizations::table
            .filter(users_organizations::user_uuid.eq(user_uuid))
-            .load::<Self>(&**conn).unwrap_or(vec![])
+            .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
+            .load::<Self>(&**conn)
+            .unwrap_or_default()
+    }
+
+    pub fn find_invited_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        users_organizations::table
+            .filter(users_organizations::user_uuid.eq(user_uuid))
+            .filter(users_organizations::status.eq(UserOrgStatus::Invited as i32))
+            .load::<Self>(&**conn)
+            .unwrap_or_default()
+    }
+
+    pub fn find_any_state_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        users_organizations::table
+            .filter(users_organizations::user_uuid.eq(user_uuid))
+            .load::<Self>(&**conn)
+            .unwrap_or_default()
    }

    pub fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
        users_organizations::table
            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .load::<Self>(&**conn).expect("Error loading user organizations")
+            .load::<Self>(&**conn)
+            .expect("Error loading user organizations")
    }

    pub fn find_by_org_and_type(org_uuid: &str, type_: i32, conn: &DbConn) -> Vec<Self> {
        users_organizations::table
            .filter(users_organizations::org_uuid.eq(org_uuid))
            .filter(users_organizations::type_.eq(type_))
-            .load::<Self>(&**conn).expect("Error loading user organizations")
+            .load::<Self>(&**conn)
+            .expect("Error loading user organizations")
    }

    pub fn find_by_user_and_org(user_uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
        users_organizations::table
            .filter(users_organizations::user_uuid.eq(user_uuid))
            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
+    }
+
+    pub fn find_by_cipher_and_org(cipher_uuid: &str, org_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        users_organizations::table
+        .filter(users_organizations::org_uuid.eq(org_uuid))
+        .left_join(users_collections::table.on(
+            users_collections::user_uuid.eq(users_organizations::user_uuid)
+        ))
+        .left_join(ciphers_collections::table.on(
+            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid).and(
+                ciphers_collections::cipher_uuid.eq(&cipher_uuid)
+            )
+        ))
+        .filter(
+            users_organizations::access_all.eq(true).or( // AccessAll..
+                ciphers_collections::cipher_uuid.eq(&cipher_uuid) // ..or access to collection with cipher
+            )
+        )
+        .select(users_organizations::all_columns)
+        .load::<Self>(&**conn).expect("Error loading user organizations")
+    }
+
+    pub fn find_by_collection_and_org(collection_uuid: &str, org_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        users_organizations::table
+        .filter(users_organizations::org_uuid.eq(org_uuid))
+        .left_join(users_collections::table.on(
+            users_collections::user_uuid.eq(users_organizations::user_uuid)
+        ))
+        .filter(
+            users_organizations::access_all.eq(true).or( // AccessAll..
+                users_collections::collection_uuid.eq(&collection_uuid) // ..or access to collection with cipher
+            )
+        )
+        .select(users_organizations::all_columns)
+        .load::<Self>(&**conn).expect("Error loading user organizations")
    }
 }
-
-
--- a/src/db/models/two_factor.rs
+++ b/src/db/models/two_factor.rs
@@ -0,0 +1,120 @@
+use serde_json::Value;
+
+use super::User;
+
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[table_name = "twofactor"]
+#[belongs_to(User, foreign_key = "user_uuid")]
+#[primary_key(uuid)]
+pub struct TwoFactor {
+    pub uuid: String,
+    pub user_uuid: String,
+    pub type_: i32,
+    pub enabled: bool,
+    pub data: String,
+}
+
+#[allow(dead_code)]
+#[derive(FromPrimitive, ToPrimitive)]
+pub enum TwoFactorType {
+    Authenticator = 0,
+    Email = 1,
+    Duo = 2,
+    YubiKey = 3,
+    U2f = 4,
+    Remember = 5,
+    OrganizationDuo = 6,
+
+    // These are implementation details
+    U2fRegisterChallenge = 1000,
+    U2fLoginChallenge = 1001,
+}
+
+/// Local methods
+impl TwoFactor {
+    pub fn new(user_uuid: String, type_: TwoFactorType, data: String) -> Self {
+        Self {
+            uuid: crate::util::get_uuid(),
+            user_uuid,
+            type_: type_ as i32,
+            enabled: true,
+            data,
+        }
+    }
+
+    pub fn check_totp_code(&self, totp_code: u64) -> bool {
+        let totp_secret = self.data.as_bytes();
+
+        use data_encoding::BASE32;
+        use oath::{totp_raw_now, HashType};
+
+        let decoded_secret = match BASE32.decode(totp_secret) {
+            Ok(s) => s,
+            Err(_) => return false,
+        };
+
+        let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
+        generated == totp_code
+    }
+
+    pub fn to_json(&self) -> Value {
+        json!({
+            "Enabled": self.enabled,
+            "Key": "", // This key and value vary
+            "Object": "twoFactorAuthenticator" // This value varies
+        })
+    }
+
+    pub fn to_json_list(&self) -> Value {
+        json!({
+            "Enabled": self.enabled,
+            "Type": self.type_,
+            "Object": "twoFactorProvider"
+        })
+    }
+}
+
+use crate::db::schema::twofactor;
+use crate::db::DbConn;
+use diesel;
+use diesel::prelude::*;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;
+
+/// Database methods
+impl TwoFactor {
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        diesel::replace_into(twofactor::table)
+            .values(self)
+            .execute(&**conn)
+            .map_res("Error saving twofactor")
+    }
+
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(twofactor::table.filter(twofactor::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting twofactor")
+    }
+
+    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        twofactor::table
+            .filter(twofactor::user_uuid.eq(user_uuid))
+            .load::<Self>(&**conn)
+            .expect("Error loading twofactor")
+    }
+
+    pub fn find_by_user_and_type(user_uuid: &str, type_: i32, conn: &DbConn) -> Option<Self> {
+        twofactor::table
+            .filter(twofactor::user_uuid.eq(user_uuid))
+            .filter(twofactor::type_.eq(type_))
+            .first::<Self>(&**conn)
+            .ok()
+    }
+
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(user_uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting twofactors")
+    }
+}
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -1,11 +1,8 @@
 use chrono::{NaiveDateTime, Utc};
-use serde_json::Value as JsonValue;
-
-use uuid::Uuid;
-
-use crypto;
-use CONFIG;
+use serde_json::Value;

+use crate::crypto;
+use crate::CONFIG;

 #[derive(Debug, Identifiable, Queryable, Insertable)]
 #[table_name = "users"]
@@ -26,57 +23,65 @@ pub struct User {
    pub key: String,
    pub private_key: Option<String>,
    pub public_key: Option<String>,
-    
-    pub totp_secret: Option<String>,
+
+    #[column_name = "totp_secret"]
+    _totp_secret: Option<String>,
    pub totp_recover: Option<String>,

    pub security_stamp: String,

    pub equivalent_domains: String,
    pub excluded_globals: String,
+
+    pub client_kdf_type: i32,
+    pub client_kdf_iter: i32,
 }

 /// Local methods
 impl User {
-    pub fn new(mail: String, key: String, password: String) -> Self {
+    pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0
+    pub const CLIENT_KDF_ITER_DEFAULT: i32 = 5_000;
+
+    pub fn new(mail: String) -> Self {
        let now = Utc::now().naive_utc();
        let email = mail.to_lowercase();

-        let iterations = CONFIG.password_iterations;
-        let salt = crypto::get_random_64();
-        let password_hash = crypto::hash_password(password.as_bytes(), &salt, iterations as u32);
-
        Self {
-            uuid: Uuid::new_v4().to_string(),
+            uuid: crate::util::get_uuid(),
            created_at: now,
            updated_at: now,
            name: email.clone(),
            email,
-            key,
+            key: String::new(),

-            password_hash,
-            salt,
-            password_iterations: iterations,
+            password_hash: Vec::new(),
+            salt: crypto::get_random_64(),
+            password_iterations: CONFIG.password_iterations,

-            security_stamp: Uuid::new_v4().to_string(),
+            security_stamp: crate::util::get_uuid(),

            password_hint: None,
            private_key: None,
            public_key: None,
-            
-            totp_secret: None,
+
+            _totp_secret: None,
            totp_recover: None,

            equivalent_domains: "[]".to_string(),
            excluded_globals: "[]".to_string(),
+
+            client_kdf_type: Self::CLIENT_KDF_TYPE_DEFAULT,
+            client_kdf_iter: Self::CLIENT_KDF_ITER_DEFAULT,
        }
    }

    pub fn check_valid_password(&self, password: &str) -> bool {
-        crypto::verify_password_hash(password.as_bytes(),
-                                     &self.salt,
-                                     &self.password_hash,
-                                     self.password_iterations as u32)
+        crypto::verify_password_hash(
+            password.as_bytes(),
+            &self.salt,
+            &self.password_hash,
+            self.password_iterations as u32,
+        )
    }

    pub fn check_valid_recovery_code(&self, recovery_code: &str) -> bool {
@@ -88,51 +93,31 @@ impl User {
    }

    pub fn set_password(&mut self, password: &str) {
-        self.password_hash = crypto::hash_password(password.as_bytes(),
-                                                   &self.salt,
-                                                   self.password_iterations as u32);
-        self.reset_security_stamp();
+        self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32);
    }

    pub fn reset_security_stamp(&mut self) {
-        self.security_stamp = Uuid::new_v4().to_string();
-    }
-
-    pub fn requires_twofactor(&self) -> bool {
-        self.totp_secret.is_some()
-    }
-
-    pub fn check_totp_code(&self, totp_code: u64) -> bool {
-        if let Some(ref totp_secret) = self.totp_secret {
-            // Validate totp
-            use data_encoding::BASE32;
-            use oath::{totp_raw_now, HashType};
-
-            let decoded_secret = match BASE32.decode(totp_secret.as_bytes()) {
-                Ok(s) => s,
-                Err(_) => return false
-            };
-
-            let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
-            generated == totp_code
-        } else {
-            true
-        }
+        self.security_stamp = crate::util::get_uuid();
    }
 }

+use super::{Cipher, Device, Folder, TwoFactor, UserOrgType, UserOrganization};
+use crate::db::schema::{invitations, users};
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use db::DbConn;
-use db::schema::users;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl User {
-    pub fn to_json(&self, conn: &DbConn) -> JsonValue {
-        use super::UserOrganization;
+    pub fn to_json(&self, conn: &DbConn) -> Value {
+        use super::{TwoFactor, UserOrganization};

        let orgs = UserOrganization::find_by_user(&self.uuid, conn);
-        let orgs_json: Vec<JsonValue> = orgs.iter().map(|c| c.to_json(&conn)).collect();
+        let orgs_json: Vec<Value> = orgs.iter().map(|c| c.to_json(&conn)).collect();
+        let twofactor_enabled = !TwoFactor::find_by_user(&self.uuid, conn).is_empty();

        json!({
            "Id": self.uuid,
@@ -142,7 +127,7 @@ impl User {
            "Premium": true,
            "MasterPasswordHint": self.password_hint,
            "Culture": "en-US",
-            "TwoFactorEnabled": self.totp_secret.is_some(),
+            "TwoFactorEnabled": twofactor_enabled,
            "Key": self.key,
            "PrivateKey": self.private_key,
            "SecurityStamp": self.security_stamp,
@@ -151,37 +136,108 @@ impl User {
        })
    }

-
-    pub fn save(&mut self, conn: &DbConn) -> bool {
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
        self.updated_at = Utc::now().naive_utc();

-        match diesel::replace_into(users::table) // Insert or update
+        diesel::replace_into(users::table) // Insert or update
            .values(&*self)
-            .execute(&**conn) {
-            Ok(1) => true, // One row inserted
-            _ => false,
-        }
+            .execute(&**conn)
+            .map_res("Error saving user")
    }

-    pub fn delete(self, conn: &DbConn) -> bool {
-        match diesel::delete(users::table.filter(
-            users::uuid.eq(self.uuid)))
-            .execute(&**conn) {
-            Ok(1) => true, // One row deleted
-            _ => false,
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        for user_org in UserOrganization::find_by_user(&self.uuid, &*conn) {
+            if user_org.type_ == UserOrgType::Owner {
+                let owner_type = UserOrgType::Owner as i32;
+                if UserOrganization::find_by_org_and_type(&user_org.org_uuid, owner_type, &conn).len() <= 1 {
+                    err!("Can't delete last owner")
+                }
+            }
        }
+
+        UserOrganization::delete_all_by_user(&self.uuid, &*conn)?;
+        Cipher::delete_all_by_user(&self.uuid, &*conn)?;
+        Folder::delete_all_by_user(&self.uuid, &*conn)?;
+        Device::delete_all_by_user(&self.uuid, &*conn)?;
+        TwoFactor::delete_all_by_user(&self.uuid, &*conn)?;
+        Invitation::take(&self.email, &*conn); // Delete invitation if any
+
+        diesel::delete(users::table.filter(users::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting user")
+    }
+
+    pub fn update_uuid_revision(uuid: &str, conn: &DbConn) {
+        if let Some(mut user) = User::find_by_uuid(&uuid, conn) {
+            if user.update_revision(conn).is_err() {
+                warn!("Failed to update revision for {}", user.email);
+            };
+        };
+    }
+
+    pub fn update_revision(&mut self, conn: &DbConn) -> EmptyResult {
+        self.updated_at = Utc::now().naive_utc();
+        diesel::update(users::table.filter(users::uuid.eq(&self.uuid)))
+            .set(users::updated_at.eq(&self.updated_at))
+            .execute(&**conn)
+            .map_res("Error updating user revision")
    }

    pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
        let lower_mail = mail.to_lowercase();
        users::table
            .filter(users::email.eq(lower_mail))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
-        users::table
-            .filter(users::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+        users::table.filter(users::uuid.eq(uuid)).first::<Self>(&**conn).ok()
+    }
+
+    pub fn get_all(conn: &DbConn) -> Vec<Self> {
+        users::table.load::<Self>(&**conn).expect("Error loading users")
+    }
+}
+
+#[derive(Debug, Identifiable, Queryable, Insertable)]
+#[table_name = "invitations"]
+#[primary_key(email)]
+pub struct Invitation {
+    pub email: String,
+}
+
+impl Invitation {
+    pub fn new(email: String) -> Self {
+        Self { email }
+    }
+
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        diesel::replace_into(invitations::table)
+            .values(&*self)
+            .execute(&**conn)
+            .map_res("Error saving invitation")
+    }
+
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(invitations::table.filter(invitations::email.eq(self.email)))
+            .execute(&**conn)
+            .map_res("Error deleting invitation")
+    }
+
+    pub fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
+        let lower_mail = mail.to_lowercase();
+        invitations::table
+            .filter(invitations::email.eq(lower_mail))
+            .first::<Self>(&**conn)
+            .ok()
+    }
+
+    pub fn take(mail: &str, conn: &DbConn) -> bool {
+        CONFIG.invitations_allowed
+            && match Self::find_by_mail(mail, &conn) {
+                Some(invitation) => invitation.delete(&conn).is_ok(),
+                None => false,
+            }
    }
 }
--- a/src/db/schema.rs
+++ b/src/db/schema.rs
@@ -4,6 +4,7 @@ table! {
        cipher_uuid -> Text,
        file_name -> Text,
        file_size -> Integer,
+        key -> Nullable<Text>,
    }
 }

@@ -21,6 +22,7 @@ table! {
        fields -> Nullable<Text>,
        data -> Text,
        favorite -> Bool,
+        password_history -> Nullable<Text>,
    }
 }

@@ -71,6 +73,12 @@ table! {
    }
 }

+table! {
+    invitations (email) {
+        email -> Text,
+    }
+}
+
 table! {
    organizations (uuid) {
        uuid -> Text,
@@ -79,6 +87,17 @@ table! {
    }
 }

+table! {
+    twofactor (uuid) {
+        uuid -> Text,
+        user_uuid -> Text,
+        #[sql_name = "type"]
+        type_ -> Integer,
+        enabled -> Bool,
+        data -> Text,
+    }
+}
+
 table! {
    users (uuid) {
        uuid -> Text,
@@ -98,6 +117,8 @@ table! {
        security_stamp -> Text,
        equivalent_domains -> Text,
        excluded_globals -> Text,
+        client_kdf_type -> Integer,
+        client_kdf_iter -> Integer,
    }
 }

@@ -132,6 +153,7 @@ joinable!(devices -> users (user_uuid));
 joinable!(folders -> users (user_uuid));
 joinable!(folders_ciphers -> ciphers (cipher_uuid));
 joinable!(folders_ciphers -> folders (folder_uuid));
+joinable!(twofactor -> users (user_uuid));
 joinable!(users_collections -> collections (collection_uuid));
 joinable!(users_collections -> users (user_uuid));
 joinable!(users_organizations -> organizations (org_uuid));
@@ -145,7 +167,9 @@ allow_tables_to_appear_in_same_query!(
    devices,
    folders,
    folders_ciphers,
+    invitations,
    organizations,
+    twofactor,
    users,
    users_collections,
    users_organizations,
--- a/src/error.rs
+++ b/src/error.rs
@@ -0,0 +1,173 @@
+//
+// Error generator macro
+//
+use std::error::Error as StdError;
+
+macro_rules! make_error {
+    ( $( $name:ident ( $ty:ty ): $src_fn:expr, $usr_msg_fun:expr ),+ $(,)* ) => {
+        #[derive(Display)]
+        enum ErrorKind { $($name( $ty )),+ }
+        pub struct Error { message: String, error: ErrorKind }
+
+        $(impl From<$ty> for Error {
+            fn from(err: $ty) -> Self { Error::from((stringify!($name), err)) }
+        })+
+        $(impl<S: Into<String>> From<(S, $ty)> for Error {
+            fn from(val: (S, $ty)) -> Self {
+                Error { message: val.0.into(), error: ErrorKind::$name(val.1) }
+            }
+        })+
+        impl StdError for Error {
+            fn source(&self) -> Option<&(dyn StdError + 'static)> {
+                match &self.error {$( ErrorKind::$name(e) => $src_fn(e), )+}
+            }
+        }
+        impl std::fmt::Display for Error {
+            fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+                match &self.error {$(
+                   ErrorKind::$name(e) => f.write_str(&$usr_msg_fun(e, &self.message)),
+                )+}
+            }
+        }
+    };
+}
+
+use diesel::result::Error as DieselError;
+use jsonwebtoken::errors::Error as JwtError;
+use serde_json::{Error as SerError, Value};
+use std::io::Error as IOError;
+use u2f::u2ferror::U2fError as U2fErr;
+
+// Error struct
+// Contains a String error message, meant for the user and an enum variant, with an error of different types.
+//
+// After the variant itself, there are two expressions. The first one indicates whether the error contains a source error (that we pretty print).
+// The second one contains the function used to obtain the response sent to the client
+make_error! {
+    // Used to represent err! calls
+    SimpleError(String):  _no_source,  _api_error,
+    // Used for special return values, like 2FA errors
+    JsonError(Value):     _no_source,  _serialize,
+    DbError(DieselError): _has_source, _api_error,
+    U2fError(U2fErr):     _has_source, _api_error,
+    SerdeError(SerError): _has_source, _api_error,
+    JWTError(JwtError):   _has_source, _api_error,
+    IoErrror(IOError):    _has_source, _api_error,
+    //WsError(ws::Error): _has_source, _api_error,
+}
+
+impl std::fmt::Debug for Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        match self.source() {
+            Some(e) => write!(f, "{}.\n[CAUSE] {:#?}", self.message, e),
+            None => write!(f, "{}. {}", self.message, self.error),
+        }
+    }
+}
+
+impl Error {
+    pub fn new<M: Into<String>, N: Into<String>>(usr_msg: M, log_msg: N) -> Self {
+        (usr_msg, log_msg.into()).into()
+    }
+
+    pub fn with_msg<M: Into<String>>(mut self, msg: M) -> Self {
+        self.message = msg.into();
+        self
+    }
+}
+
+pub trait MapResult<S> {
+    fn map_res(self, msg: &str) -> Result<S, Error>;
+}
+
+impl<S, E: Into<Error>> MapResult<S> for Result<S, E> {
+    fn map_res(self, msg: &str) -> Result<S, Error> {
+        self.map_err(|e| e.into().with_msg(msg))
+    }
+}
+
+impl<E: Into<Error>> MapResult<()> for Result<usize, E> {
+    fn map_res(self, msg: &str) -> Result<(), Error> {
+        self.and(Ok(())).map_res(msg)
+    }
+}
+
+fn _has_source<T>(e: T) -> Option<T> {
+    Some(e)
+}
+fn _no_source<T, S>(_: T) -> Option<S> {
+    None
+}
+
+fn _serialize(e: &impl serde::Serialize, _msg: &str) -> String {
+    serde_json::to_string(e).unwrap()
+}
+
+fn _api_error(_: &impl std::any::Any, msg: &str) -> String {
+    let json = json!({
+        "Message": "",
+        "error": "",
+        "error_description": "",
+        "ValidationErrors": {"": [ msg ]},
+        "ErrorModel": {
+            "Message": msg,
+            "Object": "error"
+        },
+        "Object": "error"
+    });
+    _serialize(&json, "")
+}
+
+//
+// Rocket responder impl
+//
+use std::io::Cursor;
+
+use rocket::http::{ContentType, Status};
+use rocket::request::Request;
+use rocket::response::{self, Responder, Response};
+
+impl<'r> Responder<'r> for Error {
+    fn respond_to(self, _: &Request) -> response::Result<'r> {
+        let usr_msg = format!("{}", self);
+        error!("{:#?}", self);
+
+        Response::build()
+            .status(Status::BadRequest)
+            .header(ContentType::JSON)
+            .sized_body(Cursor::new(usr_msg))
+            .ok()
+    }
+}
+
+//
+// Error return macros
+//
+#[macro_export]
+macro_rules! err {
+    ($msg:expr) => {{
+        return Err(crate::error::Error::new($msg, $msg));
+    }};
+    ($usr_msg:expr, $log_value:expr) => {{
+        return Err(crate::error::Error::new($usr_msg, $log_value));
+    }};
+}
+
+#[macro_export]
+macro_rules! err_json {
+    ($expr:expr) => {{
+        return Err(crate::error::Error::from($expr));
+    }};
+}
+
+#[macro_export]
+macro_rules! err_handler {
+    ($expr:expr) => {{
+        error!("Unauthorized Error: {}", $expr);
+        return rocket::Outcome::Failure((rocket::http::Status::Unauthorized, $expr));
+    }};
+    ($usr_msg:expr, $log_value:expr) => {{
+        error!("Unauthorized Error: {}. {}", $usr_msg, $log_value);
+        return rocket::Outcome::Failure((rocket::http::Status::Unauthorized, $usr_msg));
+    }};
+}
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -0,0 +1,139 @@
+use lettre::smtp::authentication::Credentials;
+use lettre::smtp::ConnectionReuseParameters;
+use lettre::{ClientSecurity, ClientTlsParameters, SmtpClient, SmtpTransport, Transport};
+use lettre_email::EmailBuilder;
+use native_tls::{Protocol, TlsConnector};
+
+use crate::MailConfig;
+use crate::CONFIG;
+use crate::auth::{generate_invite_claims, encode_jwt};
+use crate::api::EmptyResult;
+use crate::error::Error;
+
+fn mailer(config: &MailConfig) -> SmtpTransport {
+    let client_security = if config.smtp_ssl {
+        let tls = TlsConnector::builder()
+            .min_protocol_version(Some(Protocol::Tlsv11))
+            .build()
+            .unwrap();
+
+        ClientSecurity::Required(ClientTlsParameters::new(config.smtp_host.clone(), tls))
+    } else {
+        ClientSecurity::None
+    };
+
+    let smtp_client = SmtpClient::new((config.smtp_host.as_str(), config.smtp_port), client_security).unwrap();
+
+    let smtp_client = match (&config.smtp_username, &config.smtp_password) {
+        (Some(user), Some(pass)) => smtp_client.credentials(Credentials::new(user.clone(), pass.clone())),
+        _ => smtp_client,
+    };
+
+    smtp_client
+        .smtp_utf8(true)
+        .connection_reuse(ConnectionReuseParameters::NoReuse)
+        .transport()
+}
+
+pub fn send_password_hint(address: &str, hint: Option<String>, config: &MailConfig) -> EmptyResult {
+    let (subject, body) = if let Some(hint) = hint {
+        (
+            "Your master password hint",
+            format!(
+                "You (or someone) recently requested your master password hint.\n\n\
+                 Your hint is:  \"{}\"\n\n\
+                 If you did not request your master password hint you can safely ignore this email.\n",
+                hint
+            ),
+        )
+    } else {
+        (
+            "Sorry, you have no password hint...",
+            "Sorry, you have not specified any password hint...\n".into(),
+        )
+    };
+
+    send_email(&address, &subject, &body, &config)
+}
+
+pub fn send_invite(
+    address: &str,
+    uuid: &str,
+    org_id: Option<String>,
+    org_user_id: Option<String>,
+    org_name: &str,
+    invited_by_email: Option<String>,
+    config: &MailConfig,
+) -> EmptyResult {
+    let claims = generate_invite_claims(
+                uuid.to_string(),
+                String::from(address),
+                org_id.clone(),
+                org_user_id.clone(),
+                invited_by_email.clone(),
+            );
+    let invite_token = encode_jwt(&claims);
+    let (subject, body) = {
+        (format!("Join {}", &org_name),
+        format!(
+            "<html>
+             <p>You have been invited to join the <b>{}</b> organization.<br><br>
+             <a href=\"{}/#/accept-organization/?organizationId={}&organizationUserId={}&email={}&organizationName={}&token={}\">
+             Click here to join</a></p>
+             <p>If you do not wish to join this organization, you can safely ignore this email.</p>
+             </html>",
+            org_name, CONFIG.domain, org_id.unwrap_or("_".to_string()), org_user_id.unwrap_or("_".to_string()), address, org_name, invite_token
+        ))
+    };
+
+    send_email(&address, &subject, &body, &config)
+}
+
+pub fn send_invite_accepted(
+    new_user_email: &str,
+    address: &str,
+    org_name: &str,
+    config: &MailConfig,
+) -> EmptyResult {
+    let (subject, body) = {
+        ("Invitation accepted",
+        format!(
+            "<html>
+             <p>Your invitation for <b>{}</b> to join <b>{}</b> was accepted. Please <a href=\"{}\">log in</a> to the bitwarden_rs server and confirm them from the organization management page.</p>
+             </html>", new_user_email, org_name, CONFIG.domain))
+    };
+
+    send_email(&address, &subject, &body, &config)
+}
+
+pub fn send_invite_confirmed(
+    address: &str,
+    org_name: &str,
+    config: &MailConfig,
+) -> EmptyResult {
+    let (subject, body) = {
+        (format!("Invitation to {} confirmed", org_name),
+        format!(
+            "<html>
+             <p>Your invitation to join <b>{}</b> was confirmed. It will now appear under the Organizations the next time you <a href=\"{}\">log in</a> to the web vault.</p>
+             </html>", org_name, CONFIG.domain))
+    };
+
+    send_email(&address, &subject, &body, &config)
+}
+
+fn send_email(address: &str, subject: &str, body: &str, config: &MailConfig) -> EmptyResult {
+    let email = EmailBuilder::new()
+    .to(address)
+    .from((config.smtp_from.clone(), "Bitwarden-rs"))
+    .subject(subject)
+    .header(("Content-Type", "text/html"))
+    .body(body)
+    .build()
+    .map_err(|e| Error::new("Error building email", e.to_string()))?;
+
+    mailer(config)
+        .send(email.into())
+        .map_err(|e| Error::new("Error sending email", e.to_string()))
+        .and(Ok(()))
+}
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,172 +1,386 @@
-#![feature(plugin, custom_derive)]
-#![plugin(rocket_codegen)]
+#![feature(proc_macro_hygiene, decl_macro, vec_remove_item, try_trait)]
+#![recursion_limit = "128"]
+#![allow(proc_macro_derive_resolution_fallback)] // TODO: Remove this when diesel update fixes warnings
+
+#[macro_use]
 extern crate rocket;
-extern crate rocket_contrib;
-extern crate reqwest;
-extern crate multipart;
-extern crate serde;
 #[macro_use]
 extern crate serde_derive;
 #[macro_use]
 extern crate serde_json;
 #[macro_use]
+extern crate log;
+#[macro_use]
 extern crate diesel;
 #[macro_use]
 extern crate diesel_migrations;
-extern crate ring;
-extern crate uuid;
-extern crate chrono;
-extern crate oath;
-extern crate data_encoding;
-extern crate jsonwebtoken as jwt;
-extern crate dotenv;
 #[macro_use]
 extern crate lazy_static;
+#[macro_use]
+extern crate derive_more;
+#[macro_use]
+extern crate num_derive;

-use std::{io, env, path::Path, process::{exit, Command}};
-use rocket::Rocket;
+use rocket::{fairing::AdHoc, Rocket};
+use std::{
+    path::Path,
+    process::{exit, Command},
+};

 #[macro_use]
-mod util;
-
+mod error;
 mod api;
-mod db;
-mod crypto;
 mod auth;
+mod crypto;
+mod db;
+mod mail;
+mod util;

 fn init_rocket() -> Rocket {
    rocket::ignite()
        .mount("/", api::web_routes())
        .mount("/api", api::core_routes())
+        .mount("/admin", api::admin_routes())
        .mount("/identity", api::identity_routes())
        .mount("/icons", api::icons_routes())
+        .mount("/notifications", api::notifications_routes())
        .manage(db::init_pool())
+        .manage(api::start_notification_server())
+        .attach(util::AppHeaders())
+        .attach(unofficial_warning())
 }

 // Embed the migrations from the migrations folder into the application
 // This way, the program automatically migrates the database to the latest version
 // https://docs.rs/diesel_migrations/*/diesel_migrations/macro.embed_migrations.html
-embed_migrations!();
+#[allow(unused_imports)]
+mod migrations {
+    embed_migrations!();
+
+    pub fn run_migrations() {
+        // Make sure the database is up to date (create if it doesn't exist, or run the migrations)
+        let connection = crate::db::get_connection().expect("Can't conect to DB");
+
+        use std::io::stdout;
+        embedded_migrations::run_with_output(&connection, &mut stdout()).expect("Can't run migrations");
+    }
+}

 fn main() {
+    if CONFIG.extended_logging {
+        init_logging().ok();
+    }
+
    check_db();
    check_rsa_keys();
-    check_web_vault();   
-
-    // Make sure the database is up to date (create if it doesn't exist, or run the migrations)
-    let connection = db::get_connection().expect("Can't conect to DB");
-    embedded_migrations::run_with_output(&connection, &mut io::stdout()).expect("Can't run migrations");
+    check_web_vault();
+    migrations::run_migrations();

    init_rocket().launch();
 }

+fn init_logging() -> Result<(), fern::InitError> {
+    let mut logger = fern::Dispatch::new()
+        .format(|out, message, record| {
+            out.finish(format_args!(
+                "{}[{}][{}] {}",
+                chrono::Local::now().format("[%Y-%m-%d %H:%M:%S]"),
+                record.target(),
+                record.level(),
+                message
+            ))
+        })
+        .level(log::LevelFilter::Debug)
+        .level_for("hyper", log::LevelFilter::Warn)
+        .level_for("rustls", log::LevelFilter::Warn)
+        .level_for("ws", log::LevelFilter::Info)
+        .level_for("multipart", log::LevelFilter::Info)
+        .chain(std::io::stdout());
+
+    if let Some(log_file) = CONFIG.log_file.as_ref() {
+        logger = logger.chain(fern::log_file(log_file)?);
+    }
+
+    logger = chain_syslog(logger);
+    logger.apply()?;
+
+    Ok(())
+}
+
+#[cfg(not(feature = "enable_syslog"))]
+fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {
+    logger
+}
+
+#[cfg(feature = "enable_syslog")]
+fn chain_syslog(logger: fern::Dispatch) -> fern::Dispatch {
+    let syslog_fmt = syslog::Formatter3164 {
+        facility: syslog::Facility::LOG_USER,
+        hostname: None,
+        process: "bitwarden_rs".into(),
+        pid: 0,
+    };
+
+    match syslog::unix(syslog_fmt) {
+        Ok(sl) => logger.chain(sl),
+        Err(e) => {
+            error!("Unable to connect to syslog: {:?}", e);
+            logger
+        }
+    }
+}
+
 fn check_db() {
    let path = Path::new(&CONFIG.database_url);

    if let Some(parent) = path.parent() {
        use std::fs;
        if fs::create_dir_all(parent).is_err() {
-            println!("Error creating database directory");
+            error!("Error creating database directory");
            exit(1);
        }
    }
+
+    // Turn on WAL in SQLite
+    use diesel::RunQueryDsl;
+    let connection = db::get_connection().expect("Can't conect to DB");
+    diesel::sql_query("PRAGMA journal_mode=wal")
+        .execute(&connection)
+        .expect("Failed to turn on WAL");
 }

 fn check_rsa_keys() {
    // If the RSA keys don't exist, try to create them
-    if !util::file_exists(&CONFIG.private_rsa_key)
-        || !util::file_exists(&CONFIG.public_rsa_key) {
-        println!("JWT keys don't exist, checking if OpenSSL is available...");
+    if !util::file_exists(&CONFIG.private_rsa_key) || !util::file_exists(&CONFIG.public_rsa_key) {
+        info!("JWT keys don't exist, checking if OpenSSL is available...");

-        Command::new("openssl")
-            .arg("version")
-            .output().unwrap_or_else(|_| {
-            println!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
+        Command::new("openssl").arg("version").output().unwrap_or_else(|_| {
+            info!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
            exit(1);
        });

-        println!("OpenSSL detected, creating keys...");
+        info!("OpenSSL detected, creating keys...");

-        let mut success = Command::new("openssl").arg("genrsa")
-            .arg("-out").arg(&CONFIG.private_rsa_key_pem)
-            .output().expect("Failed to create private pem file")
-            .status.success();
+        let mut success = Command::new("openssl")
+            .arg("genrsa")
+            .arg("-out")
+            .arg(&CONFIG.private_rsa_key_pem)
+            .output()
+            .expect("Failed to create private pem file")
+            .status
+            .success();

-        success &= Command::new("openssl").arg("rsa")
-            .arg("-in").arg(&CONFIG.private_rsa_key_pem)
-            .arg("-outform").arg("DER")
-            .arg("-out").arg(&CONFIG.private_rsa_key)
-            .output().expect("Failed to create private der file")
-            .status.success();
+        success &= Command::new("openssl")
+            .arg("rsa")
+            .arg("-in")
+            .arg(&CONFIG.private_rsa_key_pem)
+            .arg("-outform")
+            .arg("DER")
+            .arg("-out")
+            .arg(&CONFIG.private_rsa_key)
+            .output()
+            .expect("Failed to create private der file")
+            .status
+            .success();

-        success &= Command::new("openssl").arg("rsa")
-            .arg("-in").arg(&CONFIG.private_rsa_key)
-            .arg("-inform").arg("DER")
+        success &= Command::new("openssl")
+            .arg("rsa")
+            .arg("-in")
+            .arg(&CONFIG.private_rsa_key)
+            .arg("-inform")
+            .arg("DER")
            .arg("-RSAPublicKey_out")
-            .arg("-outform").arg("DER")
-            .arg("-out").arg(&CONFIG.public_rsa_key)
-            .output().expect("Failed to create public der file")
-            .status.success();
+            .arg("-outform")
+            .arg("DER")
+            .arg("-out")
+            .arg(&CONFIG.public_rsa_key)
+            .output()
+            .expect("Failed to create public der file")
+            .status
+            .success();

        if success {
-            println!("Keys created correctly.");
+            info!("Keys created correctly.");
        } else {
-            println!("Error creating keys, exiting...");
+            error!("Error creating keys, exiting...");
            exit(1);
        }
    }
 }

 fn check_web_vault() {
+    if !CONFIG.web_vault_enabled {
+        return;
+    }
+
    let index_path = Path::new(&CONFIG.web_vault_folder).join("index.html");

    if !index_path.exists() {
-        println!("Web vault is not found. Please follow the steps in the README to install it");
+        error!("Web vault is not found. Please follow the steps in the README to install it");
        exit(1);
    }
 }

+fn unofficial_warning() -> AdHoc {
+    AdHoc::on_launch("Unofficial Warning", |_| {
+        warn!("/--------------------------------------------------------------------\\");
+        warn!("| This is an *unofficial* Bitwarden implementation, DO NOT use the   |");
+        warn!("| official channels to report bugs/features, regardless of client.   |");
+        warn!("| Report URL: https://github.com/dani-garcia/bitwarden_rs/issues/new |");
+        warn!("\\--------------------------------------------------------------------/");
+    })
+}
+
 lazy_static! {
    // Load the config from .env or from environment variables
    static ref CONFIG: Config = Config::load();
 }

+#[derive(Debug)]
+pub struct MailConfig {
+    smtp_host: String,
+    smtp_port: u16,
+    smtp_ssl: bool,
+    smtp_from: String,
+    smtp_username: Option<String>,
+    smtp_password: Option<String>,
+}
+
+impl MailConfig {
+    fn load() -> Option<Self> {
+        use crate::util::{get_env, get_env_or};
+
+        // When SMTP_HOST is absent, we assume the user does not want to enable it.
+        let smtp_host = match get_env("SMTP_HOST") {
+            Some(host) => host,
+            None => return None,
+        };
+
+        let smtp_from = get_env("SMTP_FROM").unwrap_or_else(|| {
+            error!("Please specify SMTP_FROM to enable SMTP support.");
+            exit(1);
+        });
+
+        let smtp_ssl = get_env_or("SMTP_SSL", true);
+        let smtp_port = get_env("SMTP_PORT").unwrap_or_else(|| if smtp_ssl { 587u16 } else { 25u16 });
+
+        let smtp_username = get_env("SMTP_USERNAME");
+        let smtp_password = get_env("SMTP_PASSWORD").or_else(|| {
+            if smtp_username.as_ref().is_some() {
+                error!("SMTP_PASSWORD is mandatory when specifying SMTP_USERNAME.");
+                exit(1);
+            } else {
+                None
+            }
+        });
+
+        Some(MailConfig {
+            smtp_host,
+            smtp_port,
+            smtp_ssl,
+            smtp_from,
+            smtp_username,
+            smtp_password,
+        })
+    }
+}
+
 #[derive(Debug)]
 pub struct Config {
    database_url: String,
    icon_cache_folder: String,
    attachments_folder: String,

+    icon_cache_ttl: u64,
+    icon_cache_negttl: u64,
+
    private_rsa_key: String,
    private_rsa_key_pem: String,
    public_rsa_key: String,

    web_vault_folder: String,
+    web_vault_enabled: bool,

+    websocket_enabled: bool,
+    websocket_url: String,
+
+    extended_logging: bool,
+    log_file: Option<String>,
+
+    local_icon_extractor: bool,
    signups_allowed: bool,
+    invitations_allowed: bool,
+    admin_token: Option<String>,
    password_iterations: i32,
+    show_password_hint: bool,
+
+    domain: String,
+    domain_set: bool,
+
+    yubico_cred_set: bool,
+    yubico_client_id: String,
+    yubico_secret_key: String,
+    yubico_server: Option<String>,
+
+    mail: Option<MailConfig>,
 }

 impl Config {
    fn load() -> Self {
+        use crate::util::{get_env, get_env_or};
        dotenv::dotenv().ok();

-        let df = env::var("DATA_FOLDER").unwrap_or("data".into());
-        let key = env::var("RSA_KEY_NAME").unwrap_or("rsa_key".into());
+        let df = get_env_or("DATA_FOLDER", "data".to_string());
+        let key = get_env_or("RSA_KEY_FILENAME", format!("{}/{}", &df, "rsa_key"));
+
+        let domain = get_env("DOMAIN");
+
+        let yubico_client_id = get_env("YUBICO_CLIENT_ID");
+        let yubico_secret_key = get_env("YUBICO_SECRET_KEY");

        Config {
-            database_url: env::var("DATABASE_URL").unwrap_or(format!("{}/{}", &df, "db.sqlite3")),
-            icon_cache_folder: env::var("ICON_CACHE_FOLDER").unwrap_or(format!("{}/{}", &df, "icon_cache")),
-            attachments_folder: env::var("ATTACHMENTS_FOLDER").unwrap_or(format!("{}/{}", &df, "attachments")),
+            database_url: get_env_or("DATABASE_URL", format!("{}/{}", &df, "db.sqlite3")),
+            icon_cache_folder: get_env_or("ICON_CACHE_FOLDER", format!("{}/{}", &df, "icon_cache")),
+            attachments_folder: get_env_or("ATTACHMENTS_FOLDER", format!("{}/{}", &df, "attachments")),

-            private_rsa_key: format!("{}/{}.der", &df, &key),
-            private_rsa_key_pem: format!("{}/{}.pem", &df, &key),
-            public_rsa_key: format!("{}/{}.pub.der", &df, &key),
+            // icon_cache_ttl defaults to 30 days (30 * 24 * 60 * 60 seconds)
+            icon_cache_ttl: get_env_or("ICON_CACHE_TTL", 2_592_000),
+            // icon_cache_negttl defaults to 3 days (3 * 24 * 60 * 60 seconds)
+            icon_cache_negttl: get_env_or("ICON_CACHE_NEGTTL", 259_200),

-            web_vault_folder: env::var("WEB_VAULT_FOLDER").unwrap_or("web-vault/".into()),
+            private_rsa_key: format!("{}.der", &key),
+            private_rsa_key_pem: format!("{}.pem", &key),
+            public_rsa_key: format!("{}.pub.der", &key),

-            signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(false),
-            password_iterations: util::parse_option_string(env::var("PASSWORD_ITERATIONS").ok()).unwrap_or(100_000),
+            web_vault_folder: get_env_or("WEB_VAULT_FOLDER", "web-vault/".into()),
+            web_vault_enabled: get_env_or("WEB_VAULT_ENABLED", true),
+
+            websocket_enabled: get_env_or("WEBSOCKET_ENABLED", false),
+            websocket_url: format!(
+                "{}:{}",
+                get_env_or("WEBSOCKET_ADDRESS", "0.0.0.0".to_string()),
+                get_env_or("WEBSOCKET_PORT", 3012)
+            ),
+
+            extended_logging: get_env_or("EXTENDED_LOGGING", true),
+            log_file: get_env("LOG_FILE"),
+
+            local_icon_extractor: get_env_or("LOCAL_ICON_EXTRACTOR", false),
+            signups_allowed: get_env_or("SIGNUPS_ALLOWED", true),
+            admin_token: get_env("ADMIN_TOKEN"),
+            invitations_allowed: get_env_or("INVITATIONS_ALLOWED", true),
+            password_iterations: get_env_or("PASSWORD_ITERATIONS", 100_000),
+            show_password_hint: get_env_or("SHOW_PASSWORD_HINT", true),
+
+            domain_set: domain.is_some(),
+            domain: domain.unwrap_or("http://localhost".into()),
+
+            yubico_cred_set: yubico_client_id.is_some() && yubico_secret_key.is_some(),
+            yubico_client_id: yubico_client_id.unwrap_or("00000".into()),
+            yubico_secret_key: yubico_secret_key.unwrap_or("AAAAAAA".into()),
+            yubico_server: get_env("YUBICO_SERVER"),
+
+            mail: MailConfig::load(),
        }
    }
 }
--- a/src/static/admin.html
+++ b/src/static/admin.html
@@ -0,0 +1,195 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <title>Bitwarden_rs Admin Panel</title>
+
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css"
+        integrity="sha256-eSi1q2PG6J7g7ib17yAaWMcrr5GrtohYChqibrV7PBE=" crossorigin="anonymous" />
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8="
+        crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/blueimp-md5/2.10.0/js/md5.js" integrity="sha256-tCQ/BldMlN2vWe5gAiNoNb5svoOgVUhlUgv7UjONKKQ="
+        crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/identicon.js/2.3.3/identicon.min.js" integrity="sha256-nYoL3nK/HA1e1pJvLwNPnpKuKG9q89VFX862r5aohmA="
+        crossorigin="anonymous"></script>
+
+    <style>
+        body { padding-top: 70px; }
+        img { width: 48px; height: 48px; }
+    </style>
+
+    <script>
+        let key = null;
+
+        function identicon(email) {
+            const data = new Identicon(md5(email), {
+                size: 48, format: 'svg'
+            }).toString();
+            return "data:image/svg+xml;base64," + data;
+        }
+
+        function setVis(elem, vis) {
+            if (vis) { $(elem).removeClass('d-none'); }
+            else { $(elem).addClass('d-none'); }
+        }
+
+        function updateVis() {
+            setVis("#no-key-form", !key);
+            setVis("#users-block", key);
+            setVis("#invite-form-block", key);
+        }
+
+        function setKey() {
+            key = $('#key').val() || window.location.hash.slice(1);
+            updateVis();
+            if (key) { loadUsers(); }
+            return false;
+        }
+
+        function resetKey() {
+            key = null;
+            updateVis();
+        }
+
+        function fillRow(data) {
+            for (i in data) {
+                const user = data[i];
+                const row = $("#tmp-row").clone();
+
+                row.attr("id", "user-row:" + user.Id);
+                row.find(".tmp-name").text(user.Name);
+                row.find(".tmp-mail").text(user.Email);
+                row.find(".tmp-icon").attr("src", identicon(user.Email))
+
+                row.find(".tmp-del").on("click", function (e) {
+                    var name = prompt("To delete user '" + user.Name + "', please type the name below")
+                    if (name) {
+                        if (name == user.Name) {
+                            deleteUser(user.Id);
+                        } else {
+                            alert("Wrong name, please try again")
+                        }
+                    }
+                    return false;
+                });
+
+                row.appendTo("#users-list");
+                setVis(row, true);
+            }
+        }
+
+        function _headers() { return { "Authorization": "Bearer " + key }; }
+
+        function loadUsers() {
+            $("#users-list").empty();
+            $.get({ url: "/admin/users", headers: _headers() })
+                .done(fillRow).fail(resetKey);
+
+            return false;
+        }
+
+        function _post(url, successMsg, errMsg, resetOnErr, data) {
+            $.post({ url: url, headers: _headers(), data: data })
+                .done(function () {
+                    alert(successMsg);
+                    loadUsers();
+                }).fail(function (e) {
+                    const r = e.responseJSON;
+                    const msg = r ? r.ErrorModel.Message : "Unknown error";
+                    alert(errMsg + ": " + msg);
+                    if (resetOnErr) { resetKey(); }
+                });
+        }
+
+        function deleteUser(id) {
+            _post("/admin/users/" + id + "/delete",
+                "User deleted correctly",
+                "Error deleting user", true);
+        }
+
+        function inviteUser() {
+            inv = $("#email-invite");
+            data = JSON.stringify({ "Email": inv.val() });
+            inv.val("");
+            _post("/admin/invite/", "User invited correctly",
+                "Error inviting user", false, data);
+            return false;
+        }
+
+        $(window).on('load', function () {
+            setKey();
+
+            $("#key-form").submit(setKey);
+            $("#reload-btn").click(loadUsers);
+            $("#invite-form").submit(inviteUser);
+        });
+    </script>
+</head>
+
+<body class="bg-light">
+    <nav class="navbar navbar-expand-md navbar-dark bg-dark fixed-top shadow">
+        <a class="navbar-brand" href="#">Bitwarden_rs</a>
+        <div class="navbar-collapse">
+            <ul class="navbar-nav">
+                <li class="nav-item active">
+                    <a class="nav-link" href="/admin">Admin Panel</a>
+                </li>
+                <li class="nav-item">
+                    <a class="nav-link" href="/">Vault</a>
+                </li>
+            </ul>
+        </div>
+    </nav>
+    <main class="container">
+        <div id="no-key-form" class="d-none align-items-center p-3 mb-3 text-white-50 bg-danger rounded shadow">
+            <div>
+                <h6 class="mb-0 text-white">Authentication key needed to continue</h6>
+                <small>Please provide it below:</small>
+
+                <form class="form-inline" id="key-form">
+                    <input type="password" class="form-control w-50 mr-2" id="key" placeholder="Enter admin key">
+                    <button type="submit" class="btn btn-primary">Save</button>
+                </form>
+            </div>
+        </div>
+
+        <div id="users-block" class="d-none my-3 p-3 bg-white rounded shadow">
+            <h6 class="border-bottom pb-2 mb-0">Registered Users</h6>
+
+            <div id="users-list"></div>
+
+            <small class="d-block text-right mt-3">
+                <a id="reload-btn" href="#">Reload users</a>
+            </small>
+        </div>
+
+        <div id="invite-form-block" class="d-none align-items-center p-3 mb-3 text-white-50 bg-secondary rounded shadow">
+            <div>
+                <h6 class="mb-0 text-white">Invite User</h6>
+                <small>Email:</small>
+
+                <form class="form-inline" id="invite-form">
+                    <input type="email" class="form-control w-50 mr-2" id="email-invite" placeholder="Enter email">
+                    <button type="submit" class="btn btn-primary">Invite</button>
+                </form>
+            </div>
+        </div>
+
+        <div id="tmp-row" class="d-none media pt-3">
+            <img class="mr-2 rounded tmp-icon">
+            <div class="media-body pb-3 mb-0 small border-bottom">
+                <div class="d-flex justify-content-between">
+                    <strong class="tmp-name">Full Name</strong>
+                    <a class="tmp-del mr-3" href="#">Delete User</a>
+                </div>
+                <span class="d-block tmp-mail">Email</span>
+            </div>
+        </div>
+    </main>
+</body>
+
+</html>
--- a/src/static/fallback-icon.png
+++ b/src/static/fallback-icon.png
--- a/src/api/core/global_domains.json
+++ b/src/api/core/global_domains.json
@@ -260,7 +260,8 @@
    "Type": 26,
    "Domains": [
      "steampowered.com",
-      "steamcommunity.com"
+      "steamcommunity.com",
+      "steamgames.com"
    ],
    "Excluded": false
  },
@@ -646,5 +647,121 @@
      "wiktionary.org"
    ],
    "Excluded": false
+  },
+  {
+    "Type": 72,
+    "Domains": [
+      "airbnb.at",
+      "airbnb.be",
+      "airbnb.ca",
+      "airbnb.ch",
+      "airbnb.cl",
+      "airbnb.co.cr",
+      "airbnb.co.id",
+      "airbnb.co.in",
+      "airbnb.co.kr",
+      "airbnb.co.nz",
+      "airbnb.co.uk",
+      "airbnb.co.ve",
+      "airbnb.com",
+      "airbnb.com.ar",
+      "airbnb.com.au",
+      "airbnb.com.bo",
+      "airbnb.com.br",
+      "airbnb.com.bz",
+      "airbnb.com.co",
+      "airbnb.com.ec",
+      "airbnb.com.gt",
+      "airbnb.com.hk",
+      "airbnb.com.hn",
+      "airbnb.com.mt",
+      "airbnb.com.my",
+      "airbnb.com.ni",
+      "airbnb.com.pa",
+      "airbnb.com.pe",
+      "airbnb.com.py",
+      "airbnb.com.sg",
+      "airbnb.com.sv",
+      "airbnb.com.tr",
+      "airbnb.com.tw",
+      "airbnb.cz",
+      "airbnb.de",
+      "airbnb.dk",
+      "airbnb.es",
+      "airbnb.fi",
+      "airbnb.fr",
+      "airbnb.gr",
+      "airbnb.gy",
+      "airbnb.hu",
+      "airbnb.ie",
+      "airbnb.is",
+      "airbnb.it",
+      "airbnb.jp",
+      "airbnb.mx",
+      "airbnb.nl",
+      "airbnb.no",
+      "airbnb.pl",
+      "airbnb.pt",
+      "airbnb.ru",
+      "airbnb.se"
+    ],
+    "Excluded": false
+  },
+  {
+    "Type": 73,
+    "Domains": [
+      "eventbrite.at",
+      "eventbrite.be",
+      "eventbrite.ca",
+      "eventbrite.ch",
+      "eventbrite.cl",
+      "eventbrite.co.id",
+      "eventbrite.co.in",
+      "eventbrite.co.kr",
+      "eventbrite.co.nz",
+      "eventbrite.co.uk",
+      "eventbrite.co.ve",
+      "eventbrite.com",
+      "eventbrite.com.au",
+      "eventbrite.com.bo",
+      "eventbrite.com.br",
+      "eventbrite.com.co",
+      "eventbrite.com.hk",
+      "eventbrite.com.hn",
+      "eventbrite.com.pe",
+      "eventbrite.com.sg",
+      "eventbrite.com.tr",
+      "eventbrite.com.tw",
+      "eventbrite.cz",
+      "eventbrite.de",
+      "eventbrite.dk",
+      "eventbrite.fi",
+      "eventbrite.fr",
+      "eventbrite.gy",
+      "eventbrite.hu",
+      "eventbrite.ie",
+      "eventbrite.is",
+      "eventbrite.it",
+      "eventbrite.jp",
+      "eventbrite.mx",
+      "eventbrite.nl",
+      "eventbrite.no",
+      "eventbrite.pl",
+      "eventbrite.pt",
+      "eventbrite.ru",
+      "eventbrite.se"
+    ],
+    "Excluded": false
+  },
+  {
+    "Type": 74,
+    "Domains": [
+      "stackexchange.com",
+      "superuser.com",
+      "stackoverflow.com",
+      "serverfault.com",
+      "mathoverflow.net"
+    ],
+    "Excluded": false
  }
 ]
--- a/src/util.rs
+++ b/src/util.rs
@@ -1,64 +1,56 @@
-///
-/// Macros
-///
-#[macro_export]
-macro_rules! err {
-    ($err:expr, $err_desc:expr, $msg:expr) => {
-        err_json!(json!({
-          "error": $err,
-          "error_description": $err_desc,
-          "ErrorModel": {
-            "Message": $msg,
-            "ValidationErrors": null,
-            "Object": "error"
-          }
-        }))
-    };
-    ($msg:expr) => { err!("default_error", "default_error_description", $msg) }
+//
+// Web Headers
+//
+use rocket::fairing::{Fairing, Info, Kind};
+use rocket::{Request, Response};
+
+pub struct AppHeaders();
+
+impl Fairing for AppHeaders {
+    fn info(&self) -> Info {
+        Info {
+            name: "Application Headers",
+            kind: Kind::Response,
+        }
+    }
+
+    fn on_response(&self, _req: &Request, res: &mut Response) {
+        res.set_raw_header("Referrer-Policy", "same-origin");
+        res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
+        res.set_raw_header("X-Content-Type-Options", "nosniff");
+        res.set_raw_header("X-XSS-Protection", "1; mode=block");
+        let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
+        res.set_raw_header("Content-Security-Policy", csp);
+
+        // Disable cache unless otherwise specified
+        if !res.headers().contains("cache-control") {
+            res.set_raw_header("Cache-Control", "no-cache, no-store, max-age=0");
+        }
+    }
 }

-#[macro_export]
-macro_rules! err_json {
-    ($expr:expr) => {{
-        println!("ERROR: {}", $expr);
-        return Err($crate::rocket::response::status::BadRequest(Some($crate::rocket_contrib::Json($expr))));
-    }}
-}
-
-#[macro_export]
-macro_rules! err_handler {
-    ($expr:expr) => {{
-        println!("ERROR: {}", $expr);
-        return $crate::rocket::Outcome::Failure(($crate::rocket::http::Status::Unauthorized, $expr));
-    }}
-}
-
-///
-/// File handling
-///
-
-use std::path::Path;
-use std::io::Read;
+//
+// File handling
+//
 use std::fs::{self, File};
+use std::io::{Read, Result as IOResult};
+use std::path::Path;

 pub fn file_exists(path: &str) -> bool {
    Path::new(path).exists()
 }

-pub fn read_file(path: &str) -> Result<Vec<u8>, String> {
-    let mut file = File::open(Path::new(path))
-        .map_err(|e| format!("Error opening file: {}", e))?;
-
+pub fn read_file(path: &str) -> IOResult<Vec<u8>> {
    let mut contents: Vec<u8> = Vec::new();

-    file.read_to_end(&mut contents)
-        .map_err(|e| format!("Error reading file: {}", e))?;
+    let mut file = File::open(Path::new(path))?;
+    file.read_to_end(&mut contents)?;

    Ok(contents)
 }

-pub fn delete_file(path: &str) -> bool {
-    let res = fs::remove_file(path).is_ok();
+pub fn delete_file(path: &str) -> IOResult<()> {
+    let res = fs::remove_file(path);

    if let Some(parent) = Path::new(path).parent() {
        // If the directory isn't empty, this returns an error, which we ignore
@@ -69,8 +61,7 @@ pub fn delete_file(path: &str) -> bool {
    res
 }

-
-const UNITS: [&'static str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];
+const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];

 pub fn get_display_size(size: i32) -> String {
    let mut size = size as f64;
@@ -83,18 +74,22 @@ pub fn get_display_size(size: i32) -> String {
        } else {
            break;
        }
-    };
+    }

    // Round to two decimals
    size = (size * 100.).round() / 100.;
    format!("{} {}", size, UNITS[unit_counter])
 }

+pub fn get_uuid() -> String {
+    uuid::Uuid::new_v4().to_string()
+}

-///
-/// String util methods
-///
+//
+// String util methods
+//

+use std::ops::Try;
 use std::str::FromStr;

 pub fn upcase_first(s: &str) -> String {
@@ -105,44 +100,72 @@ pub fn upcase_first(s: &str) -> String {
    }
 }

-pub fn parse_option_string<S, T>(string: Option<S>) -> Option<T> where S: AsRef<str>, T: FromStr {
-    if let Some(Ok(value)) = string.map(|s| s.as_ref().parse::<T>()) {
+pub fn try_parse_string<S, T, U>(string: impl Try<Ok = S, Error = U>) -> Option<T>
+where
+    S: AsRef<str>,
+    T: FromStr,
+{
+    if let Ok(Ok(value)) = string.into_result().map(|s| s.as_ref().parse::<T>()) {
        Some(value)
    } else {
        None
    }
 }

-///
-/// Date util methods
-///
+pub fn try_parse_string_or<S, T, U>(string: impl Try<Ok = S, Error = U>, default: T) -> T
+where
+    S: AsRef<str>,
+    T: FromStr,
+{
+    if let Ok(Ok(value)) = string.into_result().map(|s| s.as_ref().parse::<T>()) {
+        value
+    } else {
+        default
+    }
+}
+
+//
+// Env methods
+//
+
+use std::env;
+
+pub fn get_env<V>(key: &str) -> Option<V>
+where
+    V: FromStr,
+{
+    try_parse_string(env::var(key))
+}
+
+pub fn get_env_or<V>(key: &str, default: V) -> V
+where
+    V: FromStr,
+{
+    try_parse_string_or(env::var(key), default)
+}
+
+//
+// Date util methods
+//

 use chrono::NaiveDateTime;

-const DATETIME_FORMAT: &'static str = "%Y-%m-%dT%H:%M:%S%.6fZ";
+const DATETIME_FORMAT: &str = "%Y-%m-%dT%H:%M:%S%.6fZ";

 pub fn format_date(date: &NaiveDateTime) -> String {
    date.format(DATETIME_FORMAT).to_string()
 }

-///
-/// Deserialization methods
-///
+//
+// Deserialization methods
+//

-use std::collections::BTreeMap as Map;
+use std::fmt;

-use serde::de::{self, Deserialize, DeserializeOwned, Deserializer};
-use serde_json::Value;
+use serde::de::{self, DeserializeOwned, Deserializer, MapAccess, SeqAccess, Visitor};
+use serde_json::{self, Value};

-/// https://github.com/serde-rs/serde/issues/586
-pub fn upcase_deserialize<'de, T, D>(deserializer: D) -> Result<T, D::Error>
-    where T: DeserializeOwned,
-          D: Deserializer<'de>
-{
-    let map = Map::<String, Value>::deserialize(deserializer)?;
-    let lower = map.into_iter().map(|(k, v)| (upcase_first(&k), v)).collect();
-    T::deserialize(Value::Object(lower)).map_err(de::Error::custom)
-}
+pub type JsonMap = serde_json::Map<String, Value>;

 #[derive(PartialEq, Serialize, Deserialize)]
 pub struct UpCase<T: DeserializeOwned> {
@@ -150,3 +173,105 @@ pub struct UpCase<T: DeserializeOwned> {
    #[serde(flatten)]
    pub data: T,
 }
+
+// https://github.com/serde-rs/serde/issues/586
+pub fn upcase_deserialize<'de, T, D>(deserializer: D) -> Result<T, D::Error>
+where
+    T: DeserializeOwned,
+    D: Deserializer<'de>,
+{
+    let d = deserializer.deserialize_any(UpCaseVisitor)?;
+    T::deserialize(d).map_err(de::Error::custom)
+}
+
+struct UpCaseVisitor;
+
+impl<'de> Visitor<'de> for UpCaseVisitor {
+    type Value = Value;
+
+    fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
+        formatter.write_str("an object or an array")
+    }
+
+    fn visit_map<A>(self, mut map: A) -> Result<Self::Value, A::Error>
+    where
+        A: MapAccess<'de>,
+    {
+        let mut result_map = JsonMap::new();
+
+        while let Some((key, value)) = map.next_entry()? {
+            result_map.insert(upcase_first(key), upcase_value(&value));
+        }
+
+        Ok(Value::Object(result_map))
+    }
+
+    fn visit_seq<A>(self, mut seq: A) -> Result<Self::Value, A::Error>
+    where
+        A: SeqAccess<'de>,
+    {
+        let mut result_seq = Vec::<Value>::new();
+
+        while let Some(value) = seq.next_element()? {
+            result_seq.push(upcase_value(&value));
+        }
+
+        Ok(Value::Array(result_seq))
+    }
+}
+
+fn upcase_value(value: &Value) -> Value {
+    if let Some(map) = value.as_object() {
+        let mut new_value = json!({});
+
+        for (key, val) in map {
+            let processed_key = _process_key(key);
+            new_value[processed_key] = upcase_value(val);
+        }
+        new_value
+    } else if let Some(array) = value.as_array() {
+        // Initialize array with null values
+        let mut new_value = json!(vec![Value::Null; array.len()]);
+
+        for (index, val) in array.iter().enumerate() {
+            new_value[index] = upcase_value(val);
+        }
+        new_value
+    } else {
+        value.clone()
+    }
+}
+
+fn _process_key(key: &str) -> String {
+    match key.to_lowercase().as_ref() {
+        "ssn" => "SSN".into(),
+        _ => self::upcase_first(key),
+    }
+}
+
+//
+// Retry methods
+//
+
+pub fn retry<F, T, E>(func: F, max_tries: i32) -> Result<T, E>
+where
+    F: Fn() -> Result<T, E>,
+{
+    use std::{thread::sleep, time::Duration};
+    let mut tries = 0;
+
+    loop {
+        match func() {
+            ok @ Ok(_) => return ok,
+            err @ Err(_) => {
+                tries += 1;
+
+                if tries >= max_tries {
+                    return err;
+                }
+
+                sleep(Duration::from_millis(500));
+            }
+        }
+    }
+}