Update web vault to fix twofactorauth.org integration

Update dependencies and toolchain
Update included equivalent domains with upstream changes

.dockerignore

@@ -9,10 +9,6 @@ data
 .idea
 *.iml
 
-# Git files
-.git
-.gitignore
-
 # Documentation
 *.md
 

.env

@@ -1,13 +0,0 @@
-# DATABASE_URL=data/db.sqlite3
-# PRIVATE_RSA_KEY=data/private_rsa_key.der
-# PUBLIC_RSA_KEY=data/public_rsa_key.der
-# ICON_CACHE_FOLDER=data/icon_cache
-# ATTACHMENTS_FOLDER=data/attachments
-
-# true for yes, anything else for no
-SIGNUPS_ALLOWED=true
-
-# ROCKET_ENV=production
-# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
-# ROCKET_PORT=8000
-# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}

.env.template

@@ -0,0 +1,182 @@
+## Bitwarden_RS Configuration File
+## Uncomment any of the following lines to change the defaults
+
+## Main data folder
+# DATA_FOLDER=data
+
+## Database URL
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+## When using MySQL, this it is the URL to the DB, including username and password:
+## Format: mysql://[user[:password]@]host/database_name
+# DATABASE_URL=data/db.sqlite3
+
+## Individual folders, these override %DATA_FOLDER%
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=/path/to/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+# ICON_CACHE_NEGTTL=259200
+
+## Web vault settings
+# WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=true
+
+## Enables websocket notifications
+# WEBSOCKET_ENABLED=false
+
+## Controls the WebSocket server address and port
+# WEBSOCKET_ADDRESS=0.0.0.0
+# WEBSOCKET_PORT=3012
+
+## Enable extended logging
+## This shows timestamps and allows logging to file and to syslog
+### To enable logging to file, use the LOG_FILE env variable
+### To enable syslog, use the USE_SYSLOG env variable
+# EXTENDED_LOGGING=true
+
+## Logging to file
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# LOG_FILE=/path/to/log
+
+## Logging to Syslog
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# USE_SYSLOG=false
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## This requires extended logging
+# LOG_LEVEL=Info
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents bitwarden_rs from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render  the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Disable icon downloading
+## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
+## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+## otherwise it will delete them and they won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Icon blacklist Regex
+## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+# ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
+
+## Any IP which is not defined as a global IP will be blacklisted.
+## Usefull to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+# ICON_BLACKLIST_NON_GLOBAL_IPS=true
+
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+##
+## WARNING: There is currently no validation that prevents anyone from
+##          signing up with any made-up email address from one of these
+##          whitelisted domains!
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
+## Token for the admin interface, preferably use a long random string
+## One option is to use 'openssl rand -base64 48'
+## If not set, the admin panel is disabled
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
+# DISABLE_ADMIN_TOKEN=false
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+
+## Controls the PBBKDF password iterations to apply on the server
+## The change only applies when the password is changed
+# PASSWORD_ITERATIONS=100000
+
+## Whether password hint should be sent into the error response when the client request it
+# SHOW_PASSWORD_HINT=true
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+# DOMAIN=https://bw.domain.tld:8443
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=<Integration Key>
+# DUO_SKEY=<Secret Key>
+# DUO_HOST=<API Hostname>
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+## 
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
+
+## Rocket specific settings, check Rocket documentation to learn more
+# ROCKET_ENV=staging
+# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=bitwarden-rs@domain.tld
+# SMTP_FROM_NAME=Bitwarden_RS
+# SMTP_PORT=587
+# SMTP_SSL=true
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_AUTH_MECHANISM="Plain"
+# SMTP_TIMEOUT=15
+
+# vim: syntax=ini

.gitignore

@@ -10,7 +10,7 @@ data
 *.iml
 
 # Environment file
-# .env
+.env
 
 # Web vault
-web-vault
+web-vault

.hadolint.yaml

@@ -0,0 +1,7 @@
+ignored:
+  # disable explicit version for apt install
+  - DL3008
+  # disable explicit version for apk install
+  - DL3018
+trustedRegistries:
+  - docker.io

.travis.yml

@@ -0,0 +1,21 @@
+dist: xenial
+
+env:
+  global:
+    - HADOLINT_VERSION=1.17.1
+
+language: rust
+rust: nightly
+cache: cargo
+
+before_install:
+  - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
+  - sudo chmod +rx /usr/local/bin/hadolint
+  - rustup set profile minimal
+
+# Nothing to install
+install: true
+script:
+- git ls-files --exclude='Dockerfile*' --ignored | xargs --max-lines=1 hadolint
+- cargo build --features "sqlite"
+- cargo build --features "mysql"

BUILD.md

@@ -1,69 +0,0 @@
-## How to compile bitwarden_rs
-Install `rust nightly`, in Windows the recommended way is through `rustup`.
-
-Install the `openssl` library, in Windows the best option is Microsoft's `vcpkg`,
-on other systems use their respective package managers.
-
-Then run:
-```sh
-cargo run
-# or
-cargo build
-```
-
-## How to install the web-vault locally
-If you're using docker image, you can just update `VAULT_VERSION` variable in Dockerfile and rebuild the image.
-
-Install `node.js` and either `yarn` or `npm` (usually included with node)
-
-Clone the web-vault outside the project:
-```
-git clone https://github.com/bitwarden/web.git web-vault
-```
-
-Modify `web-vault/settings.Production.json` to look like this:
-```json
-{
-  "appSettings": {
-    "apiUri": "/api",
-    "identityUri": "/identity",
-    "iconsUri": "/icons",
-    "stripeKey": "",
-    "braintreeKey": ""
-  }
-}
-```
-
-Then, run the following from the `web-vault` dir:
-```sh
-# With yarn (recommended)
-yarn
-yarn gulp dist:selfHosted
-
-# With npm
-npm install
-npx gulp dist:selfHosted
-```
-
-Finally copy the contents of the `web-vault/dist` folder into the `bitwarden_rs/web-vault` folder.
-
-## How to recreate database schemas
-Install diesel-cli with cargo:
-```sh
-cargo install diesel_cli --no-default-features --features sqlite-bundled # Or use only sqlite to use the system version
-```
-
-Make sure that the correct path to the database is in the `.env` file.
-
-If you want to modify the schemas, create a new migration with:
-```
-diesel migration generate <name>
-```
-
-Modify the *.sql files, making sure that any changes are reverted in the down.sql file.
-
-Apply the migrations and save the generated schemas as follows:
-```
-diesel migration redo
-diesel print-schema > src/db/schema.rs
-```

Cargo.toml

@@ -1,55 +1,125 @@
 [package]
 name = "bitwarden_rs"
-version = "0.9.0"
+version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
+edition = "2018"
+
+repository = "https://github.com/dani-garcia/bitwarden_rs"
+readme = "README.md"
+license = "GPL-3.0-only"
+publish = false
+build = "build.rs"
+
+[features]
+# Empty to keep compatibility, prefer to set USE_SYSLOG=true
+enable_syslog = []
+mysql = ["diesel/mysql", "diesel_migrations/mysql"]
+postgresql = ["diesel/postgres", "diesel_migrations/postgres", "openssl"]
+sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
+
+[target."cfg(not(windows))".dependencies]
+syslog = "4.0.1"
 
 [dependencies]
 # Web framework for nightly with a focus on ease-of-use, expressibility, and speed.
-rocket = { version = "0.3.12", features = ["tls"] }
-rocket_codegen = "0.3.12"
-rocket_contrib = "0.3.12"
+rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
+rocket_contrib = "0.5.0-dev"
 
 # HTTP client
-reqwest = "0.8.6"
+reqwest = "0.9.22"
 
 # multipart/form-data support
-multipart = "0.14.2"
+multipart = { version = "0.16.1", features = ["server"], default-features = false }
+
+# WebSockets library
+ws = "0.9.1"
+
+# MessagePack library
+rmpv = "0.4.2"
+
+# Concurrent hashmap implementation
+chashmap = "2.2.2"
 
 # A generic serialization/deserialization framework
-serde = "1.0.64"
-serde_derive = "1.0.64"
-serde_json = "1.0.19"
+serde = "1.0.102"
+serde_derive = "1.0.102"
+serde_json = "1.0.41"
+
+# Logging
+log = "0.4.8"
+fern = { version = "0.5.9", features = ["syslog-4"] }
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "~1.2.2", features = ["sqlite", "chrono", "r2d2"] }
-diesel_migrations = { version = "~1.2.0", features = ["sqlite"] }
+diesel = { version = "1.4.3", features = [ "chrono", "r2d2"] }
+diesel_migrations = "1.4.0"
 
-# Bundled SQLite
-libsqlite3-sys = { version = "0.9.1", features = ["bundled"] }
+# Bundled SQLite                                           
+libsqlite3-sys = { version = "0.16.0", features = ["bundled"], optional = true }
 
 # Crypto library
-ring = { version = "= 0.11.0", features = ["rsa_signing"] }
+ring = "0.14.6"
 
 # UUID generation
-uuid = { version = "0.6.5", features = ["v4"] }
+uuid = { version = "0.8.1", features = ["v4"] }
 
 # Date and time library for Rust
-chrono = "0.4.2"
+chrono = "0.4.9"
 
 # TOTP library
 oath = "0.10.2"
 
 # Data encoding library
-data-encoding = "2.1.1"
+data-encoding = "2.1.2"
 
 # JWT library
-jsonwebtoken = "= 4.0.1"
+jsonwebtoken = "6.0.1"
+
+# U2F library
+u2f = "0.1.6"
+
+# Yubico Library
+yubico = { version = "0.7.1", features = ["online-tokio"], default-features = false }
 
 # A `dotenv` implementation for Rust
-dotenv = { version = "0.13.0", default-features = false }
+dotenv = { version = "0.15.0", default-features = false }
 
 # Lazy static macro
-lazy_static = "1.0.1"
+lazy_static = "1.4.0"
+
+# More derives
+derive_more = "0.99.2"
+
+# Numerical libraries
+num-traits = "0.2.9"
+num-derive = "0.3.0"
+
+# Email libraries
+lettre = "0.9.2"
+lettre_email = "0.9.2"
+native-tls = "0.2.3"
+quoted_printable = "0.4.1"
+
+# Template library
+handlebars = "2.0.2"
+
+# For favicon extraction from main website
+soup = "0.4.1"
+regex = "1.3.1"
+
+# Required for SSL support for PostgreSQL
+openssl = { version = "0.10.25", optional = true }
+
+# URL encoding library
+percent-encoding = "2.1.0"
 
 [patch.crates-io]
-jsonwebtoken = { path = "libs/jsonwebtoken" } # Make jwt use ring 0.11, to match rocket
+# Add support for Timestamp type
+rmp = { git = 'https://github.com/3Hren/msgpack-rust', rev = 'd6c6c672e470341207ed9feb69b56322b5597a11' }
+
+# Use newest ring
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'b95b6765e1cc8be7c1e7eaef8a9d9ad940b0ac13' }
+rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'b95b6765e1cc8be7c1e7eaef8a9d9ad940b0ac13' }
+
+# Use git version for timeout fix #706
+lettre = { git = 'https://github.com/lettre/lettre', rev = '24d694db3be017d82b1cdc8bf9da601420b31bb0' }
+lettre_email = { git = 'https://github.com/lettre/lettre', rev = '24d694db3be017d82b1cdc8bf9da601420b31bb0' }

Dockerfile

@@ -1,88 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM node:9-alpine as vault
-
-ENV VAULT_VERSION "1.26.0"
-ENV URL "https://github.com/bitwarden/web/archive/v${VAULT_VERSION}.tar.gz"
-
-RUN apk add --update-cache --upgrade \
-    curl \
-    git \
-    tar \
-    && npm install -g \
-        gulp-cli \
-        gulp
-
-RUN mkdir /web-build \
-    && cd /web-build \
-    && curl -L "${URL}" | tar -xvz --strip-components=1
-
-WORKDIR /web-build
-
-COPY /docker/settings.Production.json /web-build/
-
-RUN git config --global url."https://github.com/".insteadOf ssh://git@github.com/ \
-    && npm install \
-    && gulp dist:selfHosted \
-    && mv dist /web-vault
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rustlang/rust:nightly as build
-
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    sqlite3\
-#    --no-install-recommends\
-# && rm -rf /var/lib/apt/lists/*
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
-WORKDIR /app
-
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./libs ./libs
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --release
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM debian:stretch-slim
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y\
-    openssl\
-    --no-install-recommends\
- && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (env file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY .env .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build app/target/release/bitwarden_rs .
-
-# Configures the startup!
-# Use production to disable Rocket logging
-#CMD ROCKET_ENV=production ./bitwarden_rs
-CMD ROCKET_ENV=staging ./bitwarden_rs

Dockerfile

@@ -0,0 +1 @@
+docker/amd64/sqlite/Dockerfile

README.md

@@ -1,8 +1,21 @@
-This is Bitwarden server API implementation written in rust compatible with [upstream Bitwarden clients](https://bitwarden.com/#download)*, ideal for self-hosted deployment where running official resource-heavy service might not be ideal.
+### This is a Bitwarden server API implementation written in Rust compatible with [upstream Bitwarden clients](https://bitwarden.com/#download)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+---
+
+[![Travis Build Status](https://travis-ci.org/dani-garcia/bitwarden_rs.svg?branch=master)](https://travis-ci.org/dani-garcia/bitwarden_rs)
+[![Docker Pulls](https://img.shields.io/docker/pulls/bitwardenrs/server.svg)](https://hub.docker.com/r/bitwardenrs/server)
+[![Dependency Status](https://deps.rs/repo/github/dani-garcia/bitwarden_rs/status.svg)](https://deps.rs/repo/github/dani-garcia/bitwarden_rs)
+[![GitHub Release](https://img.shields.io/github/release/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/releases/latest)
+[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/blob/master/LICENSE.txt)
+[![Matrix Chat](https://img.shields.io/matrix/bitwarden_rs:matrix.org.svg?logo=matrix)](https://matrix.to/#/#bitwarden_rs:matrix.org)
 
 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/bitwarden_rs).
 
-_*Note, that this project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC._
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any Bitwarden related bug-reports or suggestions [here](https://github.com/dani-garcia/bitwarden_rs/issues/new), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+
+---
 
 ## Features
 
@@ -11,138 +24,32 @@ Basically full implementation of Bitwarden API is provided including:
  * Basic single user functionality
  * Organizations support
  * Attachments
- * Vault API support 
+ * Vault API support
  * Serving the static files for Vault interface
  * Website icons API
+ * Authenticator and U2F support
+ * YubiKey OTP
 
-## Docker image usage
-
-### Starting a container
-
-The persistent data is stored under /data inside the container, so the only requirement for persistent deployment using Docker is to mount persistent volume at the path:
-
-```
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 mprasil/bitwarden:latest
-```
-
-This will preserve any persistent data under `/bw-data/`, you can adapt the path to whatever suits you.
-
-The service will be exposed on port 80.
-
-### Updating the bitwarden image
-
-Updating is straightforward, you just make sure to preserve the mounted volume. If you used the bind-mounted path as in the example above, you just need to `pull` the latest image, `stop` and `rm` the current container and then start a new one the same way as before:
+## Installation
+Pull the docker image and mount a volume from the host for persistent storage:
 
 ```sh
-# Pull the latest version
-docker pull mprasil/bitwarden:latest
-
-# Stop and remove the old container
-docker stop bitwarden
-docker rm bitwarden
-
-# Start new container with the data mounted
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 mprasil/bitwarden:latest
+docker pull bitwardenrs/server:latest
+docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
 ```
+This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.
 
-In case you didn't bind mount the volume for persistent data, you need an intermediate step where you preserve the data with an intermediate container:
+**IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. 
 
-```sh
-# Pull the latest version
-docker pull mprasil/bitwarden:latest
+This can be configured in [bitwarden_rs directly](https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples)).
 
-# Create intermediate container to preserve data
-docker run --volumes-from bitwarden --name bitwarden_data busybox true
+If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
 
-# Stop and remove the old container
-docker stop bitwarden
-docker rm bitwarden
+## Usage
+See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) for more information on how to configure and run the bitwarden_rs server.
 
-# Start new container with the data mounted
-docker run -d --volumes-from bitwarden_data --name bitwarden -p 80:80 mprasil/bitwarden:latest
+## Get in touch
 
-# Optionally remove the intermediate container
-docker rm bitwarden_data
+To ask a question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine. Please also report any bugs spotted here.
 
-# Alternatively you can keep data container around for future updates in which case you can skip last step.
-```
-
-## Configuring bitwarden service
-
-### Changing persistent data location
-
-#### /data prefix:
-
-By default all persistent data is saved under `/data`, you can override this path by setting the `DATA_FOLDER` env variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e DATA_FOLDER=/persistent \
-  -v /bw-data/:/persistent/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Notice, that you need to adapt your volume mount accordingly.
-
-#### database name and location
-
-Default is `$DATA_FOLDER/db.sqlite3`, you can change the path specifically for database using `DATABASE_URL` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e DATABASE_URL=/database/bitwarden.sqlite3 \
-  -v /bw-data/:/data/ \
-  -v /bw-database/:/database/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that you need to remember to mount the volume for both database and other persistent data if they are different.
-
-#### attachments location
-
-Default is `$DATA_FOLDER/attachments`, you can change the path using `ATTACHMENTS_FOLDER` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e ATTACHMENTS_FOLDER=/attachments \
-  -v /bw-data/:/data/ \
-  -v /bw-attachments/:/attachments/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that you need to remember to mount the volume for both attachments and other persistent data if they are different.
-
-#### icons cache
-
-Default is `$DATA_FOLDER/icon_cache`, you can change the path using `ICON_CACHE_FOLDER` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e ICON_CACHE_FOLDER=/icon_cache \
-  -v /bw-data/:/data/ \
-  -v /icon_cache/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that in the above example we don't mount the volume locally, which means it won't be persisted during the upgrade unless you use intermediate data container using `--volumes-from`. This will impact performance as bitwarden will have to re-dowload the icons on restart, but might save you from having stale icons in cache as they are not automatically cleaned.
-
-### Other configuration
-
-Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
-
-## Building your own image
-
-Clone the repository, then from the root of the repository run:
-
-```sh
-# Build the docker image:
-docker build -t bitwarden_rs .
-```
-
-## Building binary
-
-For building binary outside the Docker environment and running it locally without docker, please see [build instructions](BUILD.md).
+If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!

Rocket.toml

@@ -0,0 +1,2 @@
+[global.limits]
+json = 10485760 # 10 MiB

azure-pipelines.yml

@@ -0,0 +1,25 @@
+pool:
+  vmImage: 'Ubuntu-16.04'
+
+steps:
+- script: |
+    ls -la
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain) --profile=minimal
+    echo "##vso[task.prependpath]$HOME/.cargo/bin"
+  displayName: 'Install Rust'
+
+- script: |
+    sudo apt-get update
+    sudo apt-get install -y libmysql++-dev
+  displayName: Install libmysql
+
+- script: |
+    rustc -Vv
+    cargo -V
+  displayName: Query rust and cargo versions
+
+- script : cargo build --features "sqlite"
+  displayName: 'Build project with sqlite backend'
+
+- script : cargo build --features "mysql"
+  displayName: 'Build project with mysql backend'

build.rs

@@ -0,0 +1,67 @@
+use std::process::Command;
+
+fn main() {
+    #[cfg(all(feature = "sqlite", feature = "mysql"))]
+    compile_error!("Can't enable both sqlite and mysql at the same time");
+    #[cfg(all(feature = "sqlite", feature = "postgresql"))]
+    compile_error!("Can't enable both sqlite and postgresql at the same time");
+    #[cfg(all(feature = "mysql", feature = "postgresql"))]
+    compile_error!("Can't enable both mysql and postgresql at the same time");
+
+    #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
+    compile_error!("You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite");
+
+    read_git_info().ok();
+}
+
+fn run(args: &[&str]) -> Result<String, std::io::Error> {
+    let out = Command::new(args[0]).args(&args[1..]).output()?;
+    if !out.status.success() {
+        use std::io::{Error, ErrorKind};
+        return Err(Error::new(ErrorKind::Other, "Command not successful"));
+    }
+    Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
+}
+
+/// This method reads info from Git, namely tags, branch, and revision
+fn read_git_info() -> Result<(), std::io::Error> {
+    // The exact tag for the current commit, can be empty when
+    // the current commit doesn't have an associated tag
+    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok();
+    if let Some(ref exact) = exact_tag {
+        println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact);
+    }
+
+    // The last available tag, equal to exact_tag when
+    // the current commit is tagged
+    let last_tag = run(&["git", "describe", "--abbrev=0", "--tags"])?;
+    println!("cargo:rustc-env=GIT_LAST_TAG={}", last_tag);
+
+    // The current branch name
+    let branch = run(&["git", "rev-parse", "--abbrev-ref", "HEAD"])?;
+    println!("cargo:rustc-env=GIT_BRANCH={}", branch);
+
+    // The current git commit hash
+    let rev = run(&["git", "rev-parse", "HEAD"])?;
+    let rev_short = rev.get(..8).unwrap_or_default();
+    println!("cargo:rustc-env=GIT_REV={}", rev_short);
+
+    // Combined version
+    let version = if let Some(exact) = exact_tag {
+        exact
+    } else if &branch != "master" {
+        format!("{}-{} ({})", last_tag, rev_short, branch)
+    } else {
+        format!("{}-{}", last_tag, rev_short)
+    };
+    println!("cargo:rustc-env=GIT_VERSION={}", version);
+
+    // To access these values, use:
+    //    env!("GIT_EXACT_TAG")
+    //    env!("GIT_LAST_TAG")
+    //    env!("GIT_BRANCH")
+    //    env!("GIT_REV")
+    //    env!("GIT_VERSION")
+
+    Ok(())
+}

diesel.toml

@@ -0,0 +1,5 @@
+# For documentation on how to configure this file,
+# see diesel.rs/guides/configuring-diesel-cli
+
+[print_schema]
+file = "src/db/schema.rs"

docker/aarch64/mysql/Dockerfile

@@ -0,0 +1,107 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set mysql backend
+ARG DB=mysql
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl arm64 libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64 \
+        libmariadb-dev:arm64
+
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadbclient-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/aarch64/sqlite/Dockerfile

@@ -0,0 +1,106 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl arm64 libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64
+
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/mysql/Dockerfile

@@ -0,0 +1,104 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set mysql backend
+ARG DB=mysql
+
+# Using bundled SQLite, no need to install it
+# RUN apt-get update && apt-get install -y\
+#    --no-install-recommends \
+#    sqlite3\
+# && rm -rf /var/lib/apt/lists/*
+
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:buster-slim
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build app/target/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/mysql/Dockerfile.alpine

@@ -0,0 +1,86 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# Musl build image for statically compiled binary
+FROM clux/muslrust:nightly-2019-10-19 as build
+
+# set mysql backend
+ARG DB=mysql
+
+ENV USER "root"
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmysqlclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Build
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.10
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        mariadb-connector-c \
+        curl \
+        ca-certificates
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/postgresql/Dockerfile

@@ -0,0 +1,105 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set mysql backend
+ARG DB=postgresql
+
+# Using bundled SQLite, no need to install it
+# RUN apt-get update && apt-get install -y\
+#    --no-install-recommends \
+#    sqlite3\
+# && rm -rf /var/lib/apt/lists/*
+
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:buster-slim
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build app/target/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/postgresql/Dockerfile.alpine

@@ -0,0 +1,87 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# Musl build image for statically compiled binary
+FROM clux/muslrust:nightly-2019-10-19 as build
+
+# set mysql backend
+ARG DB=postgresql
+
+ENV USER "root"
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Build
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.10
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        postgresql-libs \
+        curl \
+        sqlite \
+        ca-certificates
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/sqlite/Dockerfile

@@ -0,0 +1,98 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+# Using bundled SQLite, no need to install it
+# RUN apt-get update && apt-get install -y\
+#    --no-install-recommends \
+#    sqlite3 \
+# && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:buster-slim
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build app/target/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/sqlite/Dockerfile.alpine

@@ -0,0 +1,81 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# Musl build image for statically compiled binary
+FROM clux/muslrust:nightly-2019-10-19 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+ENV USER "root"
+
+WORKDIR /app
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Build
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.10
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        curl \
+        sqlite \
+        ca-certificates
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv6/mysql/Dockerfile

@@ -0,0 +1,107 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set mysql backend
+ARG DB=mysql
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armel libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel \
+        libmariadb-dev:armel
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add arm-unknown-linux-gnueabi
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv6/sqlite/Dockerfile

@@ -0,0 +1,106 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armel libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add arm-unknown-linux-gnueabi
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv7/mysql/Dockerfile

@@ -0,0 +1,108 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set mysql backend
+ARG DB=mysql
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armhf libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf \
+        libmariadb-dev:armhf
+
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv7/sqlite/Dockerfile

@@ -0,0 +1,106 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.38 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armhf libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/healthcheck.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+
+if [ -z "$ROCKET_TLS"]
+then
+  curl --fail http://localhost:${ROCKET_PORT:-"80"}/alive || exit 1
+else
+  curl --insecure --fail https://localhost:${ROCKET_PORT:-"80"}/alive || exit 1
+fi

docker/settings.Production.json

@@ -1,9 +0,0 @@
-{
-  "appSettings": {
-    "apiUri": "/api",
-    "identityUri": "/identity",
-    "iconsUri": "/icons",
-    "stripeKey": "",
-    "braintreeKey": ""
-  }
-}

libs/jsonwebtoken/Cargo.toml

@@ -1,20 +0,0 @@
-[package]
-name = "jsonwebtoken"
-version = "4.0.1"
-authors = ["Vincent Prouillet <prouillet.vincent@gmail.com>"]
-license = "MIT"
-readme = "README.md"
-description = "Create and parse JWT in a strongly typed way."
-homepage = "https://github.com/Keats/rust-jwt"
-repository = "https://github.com/Keats/rust-jwt"
-keywords = ["jwt", "web", "api", "token", "json"]
-
-[dependencies]
-error-chain = { version = "0.11", default-features = false }
-serde_json = "1.0"
-serde_derive = "1.0"
-serde = "1.0"
-ring = { version = "0.11.0", features = ["rsa_signing", "dev_urandom_fallback"] }
-base64 = "0.9"
-untrusted = "0.5"
-chrono = "0.4"

libs/jsonwebtoken/LICENSE

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2015 Vincent Prouillet
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

libs/jsonwebtoken/src/crypto.rs

@@ -1,120 +0,0 @@
-use std::sync::Arc;
-
-use base64;
-use ring::{rand, digest, hmac, signature};
-use ring::constant_time::verify_slices_are_equal;
-use untrusted;
-
-use errors::{Result, ErrorKind};
-
-
-/// The algorithms supported for signing/verifying
-#[derive(Debug, PartialEq, Copy, Clone, Serialize, Deserialize)]
-pub enum Algorithm {
-    /// HMAC using SHA-256
-    HS256,
-    /// HMAC using SHA-384
-    HS384,
-    /// HMAC using SHA-512
-    HS512,
-
-    /// RSASSA-PKCS1-v1_5 using SHA-256
-    RS256,
-    /// RSASSA-PKCS1-v1_5 using SHA-384
-    RS384,
-    /// RSASSA-PKCS1-v1_5 using SHA-512
-    RS512,
-}
-
-/// The actual HS signing + encoding
-fn sign_hmac(alg: &'static digest::Algorithm, key: &[u8], signing_input: &str) -> Result<String> {
-    let signing_key = hmac::SigningKey::new(alg, key);
-    let digest = hmac::sign(&signing_key, signing_input.as_bytes());
-
-    Ok(
-        base64::encode_config::<hmac::Signature>(&digest, base64::URL_SAFE_NO_PAD)
-    )
-}
-
-/// The actual RSA signing + encoding
-/// Taken from Ring doc https://briansmith.org/rustdoc/ring/signature/index.html
-fn sign_rsa(alg: Algorithm, key: &[u8], signing_input: &str) -> Result<String> {
-    let ring_alg = match alg {
-        Algorithm::RS256 => &signature::RSA_PKCS1_SHA256,
-        Algorithm::RS384 => &signature::RSA_PKCS1_SHA384,
-        Algorithm::RS512 => &signature::RSA_PKCS1_SHA512,
-        _ => unreachable!(),
-    };
-
-    let key_pair = Arc::new(
-        signature::RSAKeyPair::from_der(untrusted::Input::from(key))
-            .map_err(|_| ErrorKind::InvalidKey)?
-    );
-    let mut signing_state = signature::RSASigningState::new(key_pair)
-        .map_err(|_| ErrorKind::InvalidKey)?;
-    let mut signature = vec![0; signing_state.key_pair().public_modulus_len()];
-    let rng = rand::SystemRandom::new();
-    signing_state.sign(ring_alg, &rng, signing_input.as_bytes(), &mut signature)
-        .map_err(|_| ErrorKind::InvalidKey)?;
-
-    Ok(
-        base64::encode_config::<[u8]>(&signature, base64::URL_SAFE_NO_PAD)
-    )
-}
-
-/// Take the payload of a JWT, sign it using the algorithm given and return
-/// the base64 url safe encoded of the result.
-///
-/// Only use this function if you want to do something other than JWT.
-pub fn sign(signing_input: &str, key: &[u8], algorithm: Algorithm) -> Result<String> {
-    match algorithm {
-        Algorithm::HS256 => sign_hmac(&digest::SHA256, key, signing_input),
-        Algorithm::HS384 => sign_hmac(&digest::SHA384, key, signing_input),
-        Algorithm::HS512 => sign_hmac(&digest::SHA512, key, signing_input),
-
-        Algorithm::RS256 | Algorithm::RS384 | Algorithm::RS512 => sign_rsa(algorithm, key, signing_input),
-//        TODO: if PKCS1 is made prublic, remove the line above and uncomment below
-//        Algorithm::RS256 => sign_rsa(&signature::RSA_PKCS1_SHA256, key, signing_input),
-//        Algorithm::RS384 => sign_rsa(&signature::RSA_PKCS1_SHA384, key, signing_input),
-//        Algorithm::RS512 => sign_rsa(&signature::RSA_PKCS1_SHA512, key, signing_input),
-    }
-}
-
-/// See Ring RSA docs for more details
-fn verify_rsa(alg: &signature::RSAParameters, signature: &str, signing_input: &str, key: &[u8]) -> Result<bool> {
-    let signature_bytes = base64::decode_config(signature, base64::URL_SAFE_NO_PAD)?;
-    let public_key_der = untrusted::Input::from(key);
-    let message = untrusted::Input::from(signing_input.as_bytes());
-    let expected_signature = untrusted::Input::from(signature_bytes.as_slice());
-
-    let res = signature::verify(alg, public_key_der, message, expected_signature);
-
-    Ok(res.is_ok())
-}
-
-/// Compares the signature given with a re-computed signature for HMAC or using the public key
-/// for RSA.
-///
-/// Only use this function if you want to do something other than JWT.
-///
-/// `signature` is the signature part of a jwt (text after the second '.')
-///
-/// `signing_input` is base64(header) + "." + base64(claims)
-pub fn verify(signature: &str, signing_input: &str, key: &[u8], algorithm: Algorithm) -> Result<bool> {
-    match algorithm {
-        Algorithm::HS256 | Algorithm::HS384 | Algorithm::HS512 => {
-            // we just re-sign the data with the key and compare if they are equal
-            let signed = sign(signing_input, key, algorithm)?;
-            Ok(verify_slices_are_equal(signature.as_ref(), signed.as_ref()).is_ok())
-        },
-        Algorithm::RS256 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA256, signature, signing_input, key),
-        Algorithm::RS384 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA384, signature, signing_input, key),
-        Algorithm::RS512 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA512, signature, signing_input, key),
-    }
-}
-
-impl Default for Algorithm {
-    fn default() -> Self {
-        Algorithm::HS256
-    }
-}

libs/jsonwebtoken/src/errors.rs

@@ -1,68 +0,0 @@
-use base64;
-use serde_json;
-use ring;
-
-error_chain! {
-    errors {
-        /// When a token doesn't have a valid JWT shape
-        InvalidToken {
-            description("invalid token")
-            display("Invalid token")
-        }
-        /// When the signature doesn't match
-        InvalidSignature {
-            description("invalid signature")
-            display("Invalid signature")
-        }
-        /// When the secret given is not a valid RSA key
-        InvalidKey {
-            description("invalid key")
-            display("Invalid Key")
-        }
-
-        // Validation error
-
-        /// When a token’s `exp` claim indicates that it has expired
-        ExpiredSignature {
-            description("expired signature")
-            display("Expired Signature")
-        }
-        /// When a token’s `iss` claim does not match the expected issuer
-        InvalidIssuer {
-            description("invalid issuer")
-            display("Invalid Issuer")
-        }
-        /// When a token’s `aud` claim does not match one of the expected audience values
-        InvalidAudience {
-            description("invalid audience")
-            display("Invalid Audience")
-        }
-        /// When a token’s `aud` claim does not match one of the expected audience values
-        InvalidSubject {
-            description("invalid subject")
-            display("Invalid Subject")
-        }
-        /// When a token’s `iat` claim is in the future
-        InvalidIssuedAt {
-            description("invalid issued at")
-            display("Invalid Issued At")
-        }
-        /// When a token’s nbf claim represents a time in the future
-        ImmatureSignature {
-            description("immature signature")
-            display("Immature Signature")
-        }
-        /// When the algorithm in the header doesn't match the one passed to `decode`
-        InvalidAlgorithm {
-            description("Invalid algorithm")
-            display("Invalid Algorithm")
-        }
-    }
-
-    foreign_links {
-        Unspecified(ring::error::Unspecified) #[doc = "An error happened while signing/verifying a token with RSA"];
-        Base64(base64::DecodeError) #[doc = "An error happened while decoding some base64 text"];
-        Json(serde_json::Error) #[doc = "An error happened while serializing/deserializing JSON"];
-        Utf8(::std::string::FromUtf8Error) #[doc = "An error happened while trying to convert the result of base64 decoding to a String"];
-    }
-}

libs/jsonwebtoken/src/header.rs

@@ -1,64 +0,0 @@
-use crypto::Algorithm;
-
-
-/// A basic JWT header, the alg defaults to HS256 and typ is automatically
-/// set to `JWT`. All the other fields are optional.
-#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
-pub struct Header {
-    /// The type of JWS: it can only be "JWT" here
-    ///
-    /// Defined in [RFC7515#4.1.9](https://tools.ietf.org/html/rfc7515#section-4.1.9).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub typ: Option<String>,
-    /// The algorithm used
-    ///
-    /// Defined in [RFC7515#4.1.1](https://tools.ietf.org/html/rfc7515#section-4.1.1).
-    pub alg: Algorithm,
-    /// Content type
-    ///
-    /// Defined in [RFC7519#5.2](https://tools.ietf.org/html/rfc7519#section-5.2).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub cty: Option<String>,
-    /// JSON Key URL
-    ///
-    /// Defined in [RFC7515#4.1.2](https://tools.ietf.org/html/rfc7515#section-4.1.2).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub jku: Option<String>,
-    /// Key ID
-    ///
-    /// Defined in [RFC7515#4.1.4](https://tools.ietf.org/html/rfc7515#section-4.1.4).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub kid: Option<String>,
-    /// X.509 URL
-    ///
-    /// Defined in [RFC7515#4.1.5](https://tools.ietf.org/html/rfc7515#section-4.1.5).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub x5u: Option<String>,
-    /// X.509 certificate thumbprint
-    ///
-    /// Defined in [RFC7515#4.1.7](https://tools.ietf.org/html/rfc7515#section-4.1.7).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub x5t: Option<String>,
-}
-
-impl Header {
-    /// Returns a JWT header with the algorithm given
-    pub fn new(algorithm: Algorithm) -> Header {
-        Header {
-            typ: Some("JWT".to_string()),
-            alg: algorithm,
-            cty: None,
-            jku: None,
-            kid: None,
-            x5u: None,
-            x5t: None,
-        }
-    }
-}
-
-impl Default for Header {
-    /// Returns a JWT header using the default Algorithm, HS256
-    fn default() -> Self {
-        Header::new(Algorithm::default())
-    }
-}

libs/jsonwebtoken/src/lib.rs

@@ -1,142 +0,0 @@
-//! Create and parses JWT (JSON Web Tokens)
-//!
-//! Documentation:  [stable](https://docs.rs/jsonwebtoken/)
-#![recursion_limit = "300"]
-#![deny(missing_docs)]
-#![allow(unused_doc_comments)]
-#![allow(renamed_and_removed_lints)]
-
-#[macro_use]
-extern crate error_chain;
-#[macro_use]
-extern crate serde_derive;
-extern crate serde_json;
-extern crate serde;
-extern crate base64;
-extern crate ring;
-extern crate untrusted;
-extern crate chrono;
-
-/// All the errors, generated using error-chain
-pub mod errors;
-mod header;
-mod crypto;
-mod serialization;
-mod validation;
-
-pub use header::Header;
-pub use crypto::{
-    Algorithm,
-    sign,
-    verify,
-};
-pub use validation::Validation;
-pub use serialization::TokenData;
-
-
-use serde::de::DeserializeOwned;
-use serde::ser::Serialize;
-
-use errors::{Result, ErrorKind};
-use serialization::{from_jwt_part, from_jwt_part_claims, to_jwt_part};
-use validation::{validate};
-
-
-/// Encode the header and claims given and sign the payload using the algorithm from the header and the key
-///
-/// ```rust,ignore
-/// #[macro_use]
-/// extern crate serde_derive;
-/// use jsonwebtoken::{encode, Algorithm, Header};
-///
-/// /// #[derive(Debug, Serialize, Deserialize)]
-/// struct Claims {
-///    sub: String,
-///    company: String
-/// }
-///
-/// let my_claims = Claims {
-///     sub: "b@b.com".to_owned(),
-///     company: "ACME".to_owned()
-/// };
-///
-/// // my_claims is a struct that implements Serialize
-/// // This will create a JWT using HS256 as algorithm
-/// let token = encode(&Header::default(), &my_claims, "secret".as_ref()).unwrap();
-/// ```
-pub fn encode<T: Serialize>(header: &Header, claims: &T, key: &[u8]) -> Result<String> {
-    let encoded_header = to_jwt_part(&header)?;
-    let encoded_claims = to_jwt_part(&claims)?;
-    let signing_input = [encoded_header.as_ref(), encoded_claims.as_ref()].join(".");
-    let signature = sign(&*signing_input, key.as_ref(), header.alg)?;
-
-    Ok([signing_input, signature].join("."))
-}
-
-/// Used in decode: takes the result of a rsplit and ensure we only get 2 parts
-/// Errors if we don't
-macro_rules! expect_two {
-    ($iter:expr) => {{
-        let mut i = $iter;
-        match (i.next(), i.next(), i.next()) {
-            (Some(first), Some(second), None) => (first, second),
-            _ => return Err(ErrorKind::InvalidToken.into())
-        }
-    }}
-}
-
-/// Decode a token into a struct containing 2 fields: `claims` and `header`.
-///
-/// If the token or its signature is invalid or the claims fail validation, it will return an error.
-///
-/// ```rust,ignore
-/// #[macro_use]
-/// extern crate serde_derive;
-/// use jsonwebtoken::{decode, Validation, Algorithm};
-///
-/// #[derive(Debug, Serialize, Deserialize)]
-/// struct Claims {
-///    sub: String,
-///    company: String
-/// }
-///
-/// let token = "a.jwt.token".to_string();
-/// // Claims is a struct that implements Deserialize
-/// let token_data = decode::<Claims>(&token, "secret", &Validation::new(Algorithm::HS256));
-/// ```
-pub fn decode<T: DeserializeOwned>(token: &str, key: &[u8], validation: &Validation) -> Result<TokenData<T>> {
-    let (signature, signing_input) = expect_two!(token.rsplitn(2, '.'));
-    let (claims, header) = expect_two!(signing_input.rsplitn(2, '.'));
-    let header: Header = from_jwt_part(header)?;
-
-    if !verify(signature, signing_input, key, header.alg)? {
-        return Err(ErrorKind::InvalidSignature.into());
-    }
-
-    if !validation.algorithms.contains(&header.alg) {
-        return Err(ErrorKind::InvalidAlgorithm.into());
-    }
-
-    let (decoded_claims, claims_map): (T, _)  = from_jwt_part_claims(claims)?;
-
-    validate(&claims_map, validation)?;
-
-    Ok(TokenData { header: header, claims: decoded_claims })
-}
-
-/// Decode a token and return the Header. This is not doing any kind of validation: it is meant to be
-/// used when you don't know which `alg` the token is using and want to find out.
-///
-/// If the token has an invalid format, it will return an error.
-///
-/// ```rust,ignore
-/// use jsonwebtoken::decode_header;
-///
-/// let token = "a.jwt.token".to_string();
-/// let header = decode_header(&token);
-/// ```
-pub fn decode_header(token: &str) -> Result<Header> {
-    let (_, signing_input) = expect_two!(token.rsplitn(2, '.'));
-    let (_, header) = expect_two!(signing_input.rsplitn(2, '.'));
-    from_jwt_part(header)
-}

libs/jsonwebtoken/src/serialization.rs

@@ -1,42 +0,0 @@
-use base64;
-use serde::de::DeserializeOwned;
-use serde::ser::Serialize;
-use serde_json::{from_str, to_string, Value};
-use serde_json::map::Map;
-
-use errors::{Result};
-use header::Header;
-
-
-/// The return type of a successful call to decode
-#[derive(Debug)]
-pub struct TokenData<T> {
-    /// The decoded JWT header
-    pub header: Header,
-    /// The decoded JWT claims
-    pub claims: T
-}
-
-/// Serializes to JSON and encodes to base64
-pub fn to_jwt_part<T: Serialize>(input: &T) -> Result<String> {
-    let encoded = to_string(input)?;
-    Ok(base64::encode_config(encoded.as_bytes(), base64::URL_SAFE_NO_PAD))
-}
-
-/// Decodes from base64 and deserializes from JSON to a struct
-pub fn from_jwt_part<B: AsRef<str>, T: DeserializeOwned>(encoded: B) -> Result<T> {
-    let decoded = base64::decode_config(encoded.as_ref(), base64::URL_SAFE_NO_PAD)?;
-    let s = String::from_utf8(decoded)?;
-
-    Ok(from_str(&s)?)
-}
-
-/// Decodes from base64 and deserializes from JSON to a struct AND a hashmap
-pub fn from_jwt_part_claims<B: AsRef<str>, T: DeserializeOwned>(encoded: B) -> Result<(T, Map<String, Value>)> {
-    let decoded = base64::decode_config(encoded.as_ref(), base64::URL_SAFE_NO_PAD)?;
-    let s = String::from_utf8(decoded)?;
-
-    let claims: T = from_str(&s)?;
-    let map: Map<_,_> = from_str(&s)?;
-    Ok((claims, map))
-}

libs/jsonwebtoken/src/validation.rs

@@ -1,377 +0,0 @@
-use chrono::Utc;
-use serde::ser::Serialize;
-use serde_json::{Value, from_value, to_value};
-use serde_json::map::Map;
-
-use errors::{Result, ErrorKind};
-use crypto::Algorithm;
-
-
-/// Contains the various validations that are applied after decoding a token.
-///
-/// All time validation happen on UTC timestamps.
-///
-/// ```rust
-/// use jsonwebtoken::Validation;
-///
-/// // Default value
-/// let validation = Validation::default();
-///
-/// // Changing one parameter
-/// let mut validation = Validation {leeway: 60, ..Default::default()};
-///
-/// // Setting audience
-/// let mut validation = Validation::default();
-/// validation.set_audience(&"Me"); // string
-/// validation.set_audience(&["Me", "You"]); // array of strings
-/// ```
-#[derive(Debug, Clone, PartialEq)]
-pub struct Validation {
-    /// Add some leeway (in seconds) to the `exp`, `iat` and `nbf` validation to
-    /// account for clock skew.
-    ///
-    /// Defaults to `0`.
-    pub leeway: i64,
-    /// Whether to validate the `exp` field.
-    ///
-    /// It will return an error if the time in the `exp` field is past.
-    ///
-    /// Defaults to `true`.
-    pub validate_exp: bool,
-    /// Whether to validate the `iat` field.
-    ///
-    /// It will return an error if the time in the `iat` field is in the future.
-    ///
-    /// Defaults to `true`.
-    pub validate_iat: bool,
-    /// Whether to validate the `nbf` field.
-    ///
-    /// It will return an error if the current timestamp is before the time in the `nbf` field.
-    ///
-    /// Defaults to `true`.
-    pub validate_nbf: bool,
-    /// If it contains a value, the validation will check that the `aud` field is the same as the
-    /// one provided and will error otherwise.
-    /// Since `aud` can be either a String or a Vec<String> in the JWT spec, you will need to use
-    /// the [set_audience](struct.Validation.html#method.set_audience) method to set it.
-    ///
-    /// Defaults to `None`.
-    pub aud: Option<Value>,
-    /// If it contains a value, the validation will check that the `iss` field is the same as the
-    /// one provided and will error otherwise.
-    ///
-    /// Defaults to `None`.
-    pub iss: Option<String>,
-    /// If it contains a value, the validation will check that the `sub` field is the same as the
-    /// one provided and will error otherwise.
-    ///
-    /// Defaults to `None`.
-    pub sub: Option<String>,
-    /// If it contains a value, the validation will check that the `alg` of the header is contained
-    /// in the ones provided and will error otherwise.
-    ///
-    /// Defaults to `vec![Algorithm::HS256]`.
-    pub algorithms: Vec<Algorithm>,
-}
-
-impl Validation {
-    /// Create a default validation setup allowing the given alg
-    pub fn new(alg: Algorithm) -> Validation {
-        let mut validation = Validation::default();
-        validation.algorithms = vec![alg];
-        validation
-    }
-
-    /// Since `aud` can be either a String or an array of String in the JWT spec, this method will take
-    /// care of serializing the value.
-    pub fn set_audience<T: Serialize>(&mut self, audience: &T) {
-        self.aud = Some(to_value(audience).unwrap());
-    }
-}
-
-impl Default for Validation {
-    fn default() -> Validation {
-        Validation {
-            leeway: 0,
-
-            validate_exp: true,
-            validate_iat: true,
-            validate_nbf: true,
-
-            iss: None,
-            sub: None,
-            aud: None,
-
-            algorithms: vec![Algorithm::HS256],
-        }
-    }
-}
-
-
-
-pub fn validate(claims: &Map<String, Value>, options: &Validation) -> Result<()> {
-    let now = Utc::now().timestamp();
-
-    if let Some(iat) = claims.get("iat") {
-        if options.validate_iat && from_value::<i64>(iat.clone())? > now + options.leeway {
-            return Err(ErrorKind::InvalidIssuedAt.into());
-        }
-    }
-
-    if let Some(exp) = claims.get("exp") {
-        if options.validate_exp && from_value::<i64>(exp.clone())? < now - options.leeway {
-            return Err(ErrorKind::ExpiredSignature.into());
-        }
-    }
-
-    if let Some(nbf) = claims.get("nbf") {
-        if options.validate_nbf && from_value::<i64>(nbf.clone())? > now + options.leeway {
-            return Err(ErrorKind::ImmatureSignature.into());
-        }
-    }
-
-    if let Some(iss) = claims.get("iss") {
-        if let Some(ref correct_iss) = options.iss {
-            if from_value::<String>(iss.clone())? != *correct_iss {
-                return Err(ErrorKind::InvalidIssuer.into());
-            }
-        }
-    }
-
-    if let Some(sub) = claims.get("sub") {
-        if let Some(ref correct_sub) = options.sub {
-            if from_value::<String>(sub.clone())? != *correct_sub {
-                return Err(ErrorKind::InvalidSubject.into());
-            }
-        }
-    }
-
-    if let Some(aud) = claims.get("aud") {
-        if let Some(ref correct_aud) = options.aud {
-            if aud != correct_aud {
-                return Err(ErrorKind::InvalidAudience.into());
-            }
-        }
-    }
-
-    Ok(())
-}
-
-
-#[cfg(test)]
-mod tests {
-    use serde_json::{to_value};
-    use serde_json::map::Map;
-    use chrono::Utc;
-
-    use super::{validate, Validation};
-
-    use errors::ErrorKind;
-
-    #[test]
-    fn iat_in_past_ok() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() - 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iat_in_future_fails() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() + 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidIssuedAt => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn iat_in_future_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() + 50).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn exp_in_future_ok() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() + 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn exp_in_past_fails() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() - 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::ExpiredSignature => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn exp_in_past_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() - 500).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn nbf_in_past_ok() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() - 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn nbf_in_future_fails() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() + 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::ImmatureSignature => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn nbf_in_future_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() + 500).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iss_ok() {
-        let mut claims = Map::new();
-        claims.insert("iss".to_string(), to_value("Keats").unwrap());
-        let validation = Validation {
-            iss: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iss_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("iss".to_string(), to_value("Hacked").unwrap());
-        let validation = Validation {
-            iss: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidIssuer => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn sub_ok() {
-        let mut claims = Map::new();
-        claims.insert("sub".to_string(), to_value("Keats").unwrap());
-        let validation = Validation {
-            sub: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn sub_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("sub".to_string(), to_value("Hacked").unwrap());
-        let validation = Validation {
-            sub: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidSubject => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn aud_string_ok() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&"Everyone");
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn aud_array_of_string_ok() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value(["UserA", "UserB"]).unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&["UserA", "UserB"]);
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn aud_type_mismatch_fails() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&["UserA", "UserB"]);
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidAudience => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn aud_correct_type_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&"None");
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidAudience => (),
-            _ => assert!(false),
-        };
-    }
-}

migrations/mysql/2018-01-14-171611_create_tables/up.sql

@@ -0,0 +1,62 @@
+CREATE TABLE users (
+  uuid                CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          DATETIME NOT NULL,
+  updated_at          DATETIME NOT NULL,
+  email               VARCHAR(255) NOT NULL UNIQUE,
+  name                TEXT     NOT NULL,
+  password_hash       BLOB     NOT NULL,
+  salt                BLOB     NOT NULL,
+  password_iterations INTEGER  NOT NULL,
+  password_hint       TEXT,
+  `key`               TEXT     NOT NULL,
+  private_key         TEXT,
+  public_key          TEXT,
+  totp_secret         TEXT,
+  totp_recover        TEXT,
+  security_stamp      TEXT     NOT NULL,
+  equivalent_domains  TEXT     NOT NULL,
+  excluded_globals    TEXT     NOT NULL
+);
+
+CREATE TABLE devices (
+  uuid          CHAR(36) NOT NULL PRIMARY KEY,
+  created_at    DATETIME NOT NULL,
+  updated_at    DATETIME NOT NULL,
+  user_uuid     CHAR(36) NOT NULL REFERENCES users (uuid),
+  name          TEXT     NOT NULL,
+  type          INTEGER  NOT NULL,
+  push_token    TEXT,
+  refresh_token TEXT     NOT NULL
+);
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        DATETIME NOT NULL,
+  updated_at        DATETIME NOT NULL,
+  user_uuid         CHAR(36) NOT NULL REFERENCES users (uuid),
+  folder_uuid       CHAR(36) REFERENCES folders (uuid),
+  organization_uuid CHAR(36),
+  type              INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL
+);
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL
+
+);
+
+CREATE TABLE folders (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  created_at DATETIME NOT NULL,
+  updated_at DATETIME NOT NULL,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  name       TEXT     NOT NULL
+);
+  

migrations/mysql/2018-02-17-205753_create_collections_and_orgs/up.sql

@@ -0,0 +1,30 @@
+CREATE TABLE collections (
+  uuid     VARCHAR(40) NOT NULL PRIMARY KEY,
+  org_uuid VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name     TEXT NOT NULL
+);
+
+CREATE TABLE organizations (
+  uuid          VARCHAR(40) NOT NULL PRIMARY KEY,
+  name          TEXT NOT NULL,
+  billing_email TEXT NOT NULL
+);
+
+CREATE TABLE users_collections (
+  user_uuid       CHAR(36) NOT NULL REFERENCES users (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (user_uuid, collection_uuid)
+);
+
+CREATE TABLE users_organizations (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  org_uuid   CHAR(36) NOT NULL REFERENCES organizations (uuid),
+
+  access_all BOOLEAN NOT NULL,
+  `key`      TEXT    NOT NULL,
+  status     INTEGER NOT NULL,
+  type       INTEGER NOT NULL,
+
+  UNIQUE (user_uuid, org_uuid)
+);

migrations/mysql/2018-04-27-155151_create_users_ciphers/up.sql

@@ -0,0 +1,34 @@
+ALTER TABLE ciphers RENAME TO oldCiphers;
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        DATETIME NOT NULL,
+  updated_at        DATETIME NOT NULL,
+  user_uuid         CHAR(36) REFERENCES users (uuid), -- Make this optional
+  organization_uuid CHAR(36) REFERENCES organizations (uuid), -- Add reference to orgs table
+  -- Remove folder_uuid
+  type              INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL
+);
+
+CREATE TABLE folders_ciphers (
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  folder_uuid CHAR(36) NOT NULL REFERENCES folders (uuid),
+
+  PRIMARY KEY (cipher_uuid, folder_uuid)
+);
+
+INSERT INTO ciphers (uuid, created_at, updated_at, user_uuid, organization_uuid, type, name, notes, fields, data, favorite) 
+SELECT uuid, created_at, updated_at, user_uuid, organization_uuid, type, name, notes, fields, data, favorite FROM oldCiphers;
+
+INSERT INTO folders_ciphers (cipher_uuid, folder_uuid)
+SELECT uuid, folder_uuid FROM oldCiphers WHERE folder_uuid IS NOT NULL;
+
+
+DROP TABLE oldCiphers;
+
+ALTER TABLE users_collections ADD COLUMN read_only BOOLEAN NOT NULL DEFAULT 0; -- False

migrations/mysql/2018-05-08-161616_create_collection_cipher_map/up.sql

@@ -0,0 +1,5 @@
+CREATE TABLE ciphers_collections (
+  cipher_uuid       CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (cipher_uuid, collection_uuid)
+);

migrations/mysql/2018-05-25-232323_update_attachments_reference/up.sql

@@ -0,0 +1,14 @@
+ALTER TABLE attachments RENAME TO oldAttachments;
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL
+
+);
+
+INSERT INTO attachments (id, cipher_uuid, file_name, file_size) 
+SELECT id, cipher_uuid, file_name, file_size FROM oldAttachments;
+
+DROP TABLE oldAttachments;

migrations/mysql/2018-07-11-181453_create_u2f_twofactor/down.sql

@@ -0,0 +1,8 @@
+UPDATE users
+SET totp_secret = (
+    SELECT twofactor.data FROM twofactor
+    WHERE twofactor.type = 0 
+    AND twofactor.user_uuid = users.uuid
+);
+
+DROP TABLE twofactor;

migrations/mysql/2018-07-11-181453_create_u2f_twofactor/up.sql

@@ -0,0 +1,15 @@
+CREATE TABLE twofactor (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid CHAR(36) NOT NULL REFERENCES users (uuid),
+  type      INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (user_uuid, type)
+);
+
+
+INSERT INTO twofactor (uuid, user_uuid, type, enabled, data) 
+SELECT UUID(), uuid, 0, 1, u.totp_secret FROM users u where u.totp_secret IS NOT NULL;
+
+UPDATE users SET totp_secret = NULL; -- Instead of recreating the table, just leave the columns empty

migrations/mysql/2018-08-27-172114_update_ciphers/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    password_history TEXT;

migrations/mysql/2018-09-10-111213_add_invites/down.sql

@@ -0,0 +1 @@
+DROP TABLE invitations;

migrations/mysql/2018-09-10-111213_add_invites/up.sql

@@ -0,0 +1,3 @@
+CREATE TABLE invitations (
+    email   VARCHAR(255) NOT NULL PRIMARY KEY
+);

migrations/mysql/2018-09-19-144557_add_kdf_columns/up.sql

@@ -0,0 +1,7 @@
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_type INTEGER NOT NULL DEFAULT 0; -- PBKDF2
+
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_iter INTEGER NOT NULL DEFAULT 100000;

migrations/mysql/2018-11-27-152651_add_att_key_columns/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE attachments
+    ADD COLUMN
+    `key` TEXT;

migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/down.sql

@@ -0,0 +1,7 @@
+ALTER TABLE attachments CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE ciphers CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE devices CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE twofactor CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE users CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN atype type INTEGER NOT NULL;

migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/up.sql

@@ -0,0 +1,7 @@
+ALTER TABLE attachments CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE ciphers CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE devices CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE twofactor CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE users CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN type atype INTEGER NOT NULL;

migrations/mysql/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

migrations/postgresql/2019-09-12-100000_create_tables/down.sql

@@ -0,0 +1,13 @@
+DROP TABLE devices;
+DROP TABLE attachments;
+DROP TABLE users_collections;
+DROP TABLE users_organizations;
+DROP TABLE folders_ciphers;
+DROP TABLE ciphers_collections;
+DROP TABLE twofactor;
+DROP TABLE invitations;
+DROP TABLE collections;
+DROP TABLE folders;
+DROP TABLE ciphers;
+DROP TABLE users;
+DROP TABLE organizations;

migrations/postgresql/2019-09-12-100000_create_tables/up.sql

@@ -0,0 +1,121 @@
+CREATE TABLE users (
+  uuid                CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          TIMESTAMP NOT NULL,
+  updated_at          TIMESTAMP NOT NULL,
+  email               VARCHAR(255) NOT NULL UNIQUE,
+  name                TEXT     NOT NULL,
+  password_hash       BYTEA     NOT NULL,
+  salt                BYTEA     NOT NULL,
+  password_iterations INTEGER  NOT NULL,
+  password_hint       TEXT,
+  akey                TEXT     NOT NULL,
+  private_key         TEXT,
+  public_key          TEXT,
+  totp_secret         TEXT,
+  totp_recover        TEXT,
+  security_stamp      TEXT     NOT NULL,
+  equivalent_domains  TEXT     NOT NULL,
+  excluded_globals    TEXT     NOT NULL,
+  client_kdf_type     INTEGER NOT NULL DEFAULT 0,
+  client_kdf_iter INTEGER NOT NULL DEFAULT 100000
+);
+
+CREATE TABLE devices (
+  uuid          CHAR(36) NOT NULL PRIMARY KEY,
+  created_at    TIMESTAMP NOT NULL,
+  updated_at    TIMESTAMP NOT NULL,
+  user_uuid     CHAR(36) NOT NULL REFERENCES users (uuid),
+  name          TEXT     NOT NULL,
+  atype         INTEGER  NOT NULL,
+  push_token    TEXT,
+  refresh_token TEXT     NOT NULL,
+  twofactor_remember TEXT
+);
+
+CREATE TABLE organizations (
+  uuid          VARCHAR(40) NOT NULL PRIMARY KEY,
+  name          TEXT NOT NULL,
+  billing_email TEXT NOT NULL
+);
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        TIMESTAMP NOT NULL,
+  updated_at        TIMESTAMP NOT NULL,
+  user_uuid         CHAR(36) REFERENCES users (uuid),
+  organization_uuid CHAR(36) REFERENCES organizations (uuid),
+  atype             INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL,
+  password_history  TEXT
+);
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL,
+  akey        TEXT
+);
+
+CREATE TABLE folders (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  created_at TIMESTAMP NOT NULL,
+  updated_at TIMESTAMP NOT NULL,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  name       TEXT     NOT NULL
+);
+
+CREATE TABLE collections (
+  uuid     VARCHAR(40) NOT NULL PRIMARY KEY,
+  org_uuid VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name     TEXT NOT NULL
+);
+
+CREATE TABLE users_collections (
+  user_uuid       CHAR(36) NOT NULL REFERENCES users (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  read_only       BOOLEAN NOT NULL DEFAULT false,
+  PRIMARY KEY (user_uuid, collection_uuid)
+);
+
+CREATE TABLE users_organizations (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  org_uuid   CHAR(36) NOT NULL REFERENCES organizations (uuid),
+
+  access_all BOOLEAN NOT NULL,
+  akey       TEXT    NOT NULL,
+  status     INTEGER NOT NULL,
+  atype      INTEGER NOT NULL,
+
+  UNIQUE (user_uuid, org_uuid)
+);
+
+CREATE TABLE folders_ciphers (
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  folder_uuid CHAR(36) NOT NULL REFERENCES folders (uuid),
+  PRIMARY KEY (cipher_uuid, folder_uuid)
+);
+
+CREATE TABLE ciphers_collections (
+  cipher_uuid       CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (cipher_uuid, collection_uuid)
+);
+
+CREATE TABLE twofactor (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid CHAR(36) NOT NULL REFERENCES users (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+  UNIQUE (user_uuid, atype)
+);
+
+CREATE TABLE invitations (
+    email   VARCHAR(255) NOT NULL PRIMARY KEY
+);

migrations/postgresql/2019-09-16-150000_fix_attachments/down.sql

@@ -0,0 +1,26 @@
+ALTER TABLE attachments ALTER COLUMN id TYPE CHAR(36);
+ALTER TABLE attachments ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE users ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE users ALTER COLUMN email TYPE VARCHAR(255);
+ALTER TABLE devices ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE devices ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE organizations ALTER COLUMN uuid TYPE CHAR(40);
+ALTER TABLE ciphers ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE ciphers ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE ciphers ALTER COLUMN organization_uuid TYPE CHAR(36);
+ALTER TABLE folders ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE folders ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE collections ALTER COLUMN uuid TYPE CHAR(40);
+ALTER TABLE collections ALTER COLUMN org_uuid TYPE CHAR(40);
+ALTER TABLE users_collections ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE users_collections ALTER COLUMN collection_uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN org_uuid TYPE CHAR(36);
+ALTER TABLE folders_ciphers ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE folders_ciphers ALTER COLUMN folder_uuid TYPE CHAR(36);
+ALTER TABLE ciphers_collections ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE ciphers_collections ALTER COLUMN collection_uuid TYPE CHAR(36);
+ALTER TABLE twofactor ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE twofactor ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE invitations ALTER COLUMN email TYPE VARCHAR(255);

migrations/postgresql/2019-09-16-150000_fix_attachments/up.sql

@@ -0,0 +1,27 @@
+-- Switch from CHAR() types to VARCHAR() types to avoid padding issues.
+ALTER TABLE attachments ALTER COLUMN id TYPE TEXT;
+ALTER TABLE attachments ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE users ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE users ALTER COLUMN email TYPE TEXT;
+ALTER TABLE devices ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE devices ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE organizations ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN organization_uuid TYPE VARCHAR(40);
+ALTER TABLE folders ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE folders ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE collections ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE collections ALTER COLUMN org_uuid TYPE VARCHAR(40);
+ALTER TABLE users_collections ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE users_collections ALTER COLUMN collection_uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN org_uuid TYPE VARCHAR(40);
+ALTER TABLE folders_ciphers ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE folders_ciphers ALTER COLUMN folder_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers_collections ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers_collections ALTER COLUMN collection_uuid TYPE VARCHAR(40);
+ALTER TABLE twofactor ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE twofactor ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE invitations ALTER COLUMN email TYPE TEXT;

migrations/postgresql/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

migrations/sqlite/2018-01-14-171611_create_tables/down.sql

@@ -0,0 +1,9 @@
+DROP TABLE users;
+
+DROP TABLE devices;
+
+DROP TABLE ciphers;
+
+DROP TABLE attachments;
+
+DROP TABLE folders;

migrations/sqlite/2018-02-17-205753_create_collections_and_orgs/down.sql

@@ -0,0 +1,8 @@
+DROP TABLE collections;
+
+DROP TABLE organizations;
+
+
+DROP TABLE users_collections;
+
+DROP TABLE users_organizations;

migrations/sqlite/2018-05-08-161616_create_collection_cipher_map/down.sql

@@ -0,0 +1 @@
+DROP TABLE ciphers_collections;

migrations/sqlite/2018-06-01-112529_update_devices_twofactor_remember/down.sql

@@ -0,0 +1 @@
+-- This file should undo anything in `up.sql`

migrations/sqlite/2018-06-01-112529_update_devices_twofactor_remember/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE devices
+    ADD COLUMN
+    twofactor_remember TEXT;

migrations/sqlite/2018-07-11-181453_create_u2f_twofactor/down.sql

@@ -0,0 +1,8 @@
+UPDATE users
+SET totp_secret = (
+    SELECT twofactor.data FROM twofactor
+    WHERE twofactor.type = 0 
+    AND twofactor.user_uuid = users.uuid
+);
+
+DROP TABLE twofactor;

migrations/sqlite/2018-07-11-181453_create_u2f_twofactor/up.sql

@@ -0,0 +1,15 @@
+CREATE TABLE twofactor (
+  uuid      TEXT     NOT NULL PRIMARY KEY,
+  user_uuid TEXT     NOT NULL REFERENCES users (uuid),
+  type      INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (user_uuid, type)
+);
+
+
+INSERT INTO twofactor (uuid, user_uuid, type, enabled, data) 
+SELECT lower(hex(randomblob(16))) , uuid, 0, 1, u.totp_secret FROM users u where u.totp_secret IS NOT NULL;
+
+UPDATE users SET totp_secret = NULL; -- Instead of recreating the table, just leave the columns empty

migrations/sqlite/2018-08-27-172114_update_ciphers/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    password_history TEXT;

migrations/sqlite/2018-09-10-111213_add_invites/down.sql

@@ -0,0 +1 @@
+DROP TABLE invitations;

migrations/sqlite/2018-09-10-111213_add_invites/up.sql

@@ -0,0 +1,3 @@
+CREATE TABLE invitations (
+    email   TEXT NOT NULL PRIMARY KEY
+);

migrations/sqlite/2018-09-19-144557_add_kdf_columns/up.sql

@@ -0,0 +1,7 @@
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_type INTEGER NOT NULL DEFAULT 0; -- PBKDF2
+
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_iter INTEGER NOT NULL DEFAULT 100000;

migrations/sqlite/2018-11-27-152651_add_att_key_columns/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE attachments
+    ADD COLUMN
+    key TEXT;

migrations/sqlite/2019-05-26-216651_rename_key_and_type_columns/down.sql

@@ -0,0 +1,7 @@
+ALTER TABLE attachments RENAME COLUMN akey TO key;
+ALTER TABLE ciphers RENAME COLUMN atype TO type;
+ALTER TABLE devices RENAME COLUMN atype TO type;
+ALTER TABLE twofactor RENAME COLUMN atype TO type;
+ALTER TABLE users RENAME COLUMN akey TO key;
+ALTER TABLE users_organizations RENAME COLUMN akey TO key;
+ALTER TABLE users_organizations RENAME COLUMN atype TO type;

migrations/sqlite/2019-05-26-216651_rename_key_and_type_columns/up.sql

@@ -0,0 +1,7 @@
+ALTER TABLE attachments RENAME COLUMN key TO akey;
+ALTER TABLE ciphers RENAME COLUMN type TO atype;
+ALTER TABLE devices RENAME COLUMN type TO atype;
+ALTER TABLE twofactor RENAME COLUMN type TO atype;
+ALTER TABLE users RENAME COLUMN key TO akey;
+ALTER TABLE users_organizations RENAME COLUMN key TO akey;
+ALTER TABLE users_organizations RENAME COLUMN type TO atype;

migrations/sqlite/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

rust-toolchain

@@ -0,0 +1 @@
+nightly-2019-11-17

rustfmt.toml

@@ -0,0 +1 @@
+max_width = 120

src/api/admin.rs

@@ -0,0 +1,268 @@
+use serde_json::Value;
+use std::process::Command;
+
+use rocket::http::{Cookie, Cookies, SameSite};
+use rocket::request::{self, FlashMessage, Form, FromRequest, Request};
+use rocket::response::{content::Html, Flash, Redirect};
+use rocket::{Outcome, Route};
+use rocket_contrib::json::Json;
+
+use crate::api::{ApiResult, EmptyResult, JsonResult};
+use crate::auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp};
+use crate::config::ConfigBuilder;
+use crate::db::{backup_database, models::*, DbConn};
+use crate::error::Error;
+use crate::mail;
+use crate::CONFIG;
+
+pub fn routes() -> Vec<Route> {
+    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
+        return routes![admin_disabled];
+    }
+
+    routes![
+        admin_login,
+        get_users,
+        post_admin_login,
+        admin_page,
+        invite_user,
+        delete_user,
+        deauth_user,
+        remove_2fa,
+        update_revision_users,
+        post_config,
+        delete_config,
+        backup_db,
+    ]
+}
+
+lazy_static! {
+    static ref CAN_BACKUP: bool = cfg!(feature = "sqlite") && Command::new("sqlite3").arg("-version").status().is_ok();
+}
+
+#[get("/")]
+fn admin_disabled() -> &'static str {
+    "The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it"
+}
+
+const COOKIE_NAME: &str = "BWRS_ADMIN";
+const ADMIN_PATH: &str = "/admin";
+
+const BASE_TEMPLATE: &str = "admin/base";
+const VERSION: Option<&str> = option_env!("GIT_VERSION");
+
+#[get("/", rank = 2)]
+fn admin_login(flash: Option<FlashMessage>) -> ApiResult<Html<String>> {
+    // If there is an error, show it
+    let msg = flash.map(|msg| format!("{}: {}", msg.name(), msg.msg()));
+    let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg});
+
+    // Return the page
+    let text = CONFIG.render_template(BASE_TEMPLATE, &json)?;
+    Ok(Html(text))
+}
+
+#[derive(FromForm)]
+struct LoginForm {
+    token: String,
+}
+
+#[post("/", data = "<data>")]
+fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -> Result<Redirect, Flash<Redirect>> {
+    let data = data.into_inner();
+
+    // If the token is invalid, redirect to login page
+    if !_validate_token(&data.token) {
+        error!("Invalid admin token. IP: {}", ip.ip);
+        Err(Flash::error(
+            Redirect::to(ADMIN_PATH),
+            "Invalid admin token, please try again.",
+        ))
+    } else {
+        // If the token received is valid, generate JWT and save it as a cookie
+        let claims = generate_admin_claims();
+        let jwt = encode_jwt(&claims);
+
+        let cookie = Cookie::build(COOKIE_NAME, jwt)
+            .path(ADMIN_PATH)
+            .max_age(chrono::Duration::minutes(20))
+            .same_site(SameSite::Strict)
+            .http_only(true)
+            .finish();
+
+        cookies.add(cookie);
+        Ok(Redirect::to(ADMIN_PATH))
+    }
+}
+
+fn _validate_token(token: &str) -> bool {
+    match CONFIG.admin_token().as_ref() {
+        None => false,
+        Some(t) => crate::crypto::ct_eq(t.trim(), token.trim()),
+    }
+}
+
+#[derive(Serialize)]
+struct AdminTemplateData {
+    page_content: String,
+    version: Option<&'static str>,
+    users: Vec<Value>,
+    config: Value,
+    can_backup: bool,
+}
+
+impl AdminTemplateData {
+    fn new(users: Vec<Value>) -> Self {
+        Self {
+            page_content: String::from("admin/page"),
+            version: VERSION,
+            users,
+            config: CONFIG.prepare_json(),
+            can_backup: *CAN_BACKUP,
+        }
+    }
+
+    fn render(self) -> Result<String, Error> {
+        CONFIG.render_template(BASE_TEMPLATE, &self)
+    }
+}
+
+#[get("/", rank = 1)]
+fn admin_page(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
+    let users = User::get_all(&conn);
+    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
+
+    let text = AdminTemplateData::new(users_json).render()?;
+    Ok(Html(text))
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct InviteData {
+    email: String,
+}
+
+#[post("/invite", data = "<data>")]
+fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let data: InviteData = data.into_inner();
+    let email = data.email.clone();
+    if User::find_by_mail(&data.email, &conn).is_some() {
+        err!("User already exists")
+    }
+
+    if !CONFIG.invitations_allowed() {
+        err!("Invitations are not allowed")
+    }
+
+    let mut user = User::new(email);
+    user.save(&conn)?;
+
+    if CONFIG.mail_enabled() {
+        let org_name = "bitwarden_rs";
+        mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None)
+    } else {
+        let invitation = Invitation::new(data.email);
+        invitation.save(&conn)
+    }
+}
+
+#[get("/users")]
+fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
+    let users = User::get_all(&conn);
+    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
+
+    Ok(Json(Value::Array(users_json)))
+}
+
+#[post("/users/<uuid>/delete")]
+fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    user.delete(&conn)
+}
+
+#[post("/users/<uuid>/deauth")]
+fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    Device::delete_all_by_user(&user.uuid, &conn)?;
+    user.reset_security_stamp();
+
+    user.save(&conn)
+}
+
+#[post("/users/<uuid>/remove-2fa")]
+fn remove_2fa(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;
+    user.totp_recover = None;
+    user.save(&conn)
+}
+
+#[post("/users/update_revision")]
+fn update_revision_users(_token: AdminToken, conn: DbConn) -> EmptyResult {
+    User::update_all_revisions(&conn)
+}
+
+#[post("/config", data = "<data>")]
+fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
+    let data: ConfigBuilder = data.into_inner();
+    CONFIG.update_config(data)
+}
+
+#[post("/config/delete")]
+fn delete_config(_token: AdminToken) -> EmptyResult {
+    CONFIG.delete_user_config()
+}
+
+#[post("/config/backup_db")]
+fn backup_db(_token: AdminToken) -> EmptyResult {
+    if *CAN_BACKUP {
+        backup_database()
+    } else {
+        err!("Can't back up current DB (either it's not SQLite or the 'sqlite' binary is not present)");
+    }
+}
+
+pub struct AdminToken {}
+
+impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
+    type Error = &'static str;
+
+    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
+        if CONFIG.disable_admin_token() {
+            Outcome::Success(AdminToken {})
+        } else {
+            let mut cookies = request.cookies();
+
+            let access_token = match cookies.get(COOKIE_NAME) {
+                Some(cookie) => cookie.value(),
+                None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+            };
+
+            let ip = match request.guard::<ClientIp>() {
+                Outcome::Success(ip) => ip.ip,
+                _ => err_handler!("Error getting Client IP"),
+            };
+
+            if decode_admin(access_token).is_err() {
+                // Remove admin cookie
+                cookies.remove(Cookie::named(COOKIE_NAME));
+                error!("Invalid or expired admin JWT. IP: {}.", ip);
+                return Outcome::Forward(());
+            }
+
+            Outcome::Success(AdminToken {})
+        }
+    }
+}

src/api/core/accounts.rs

@@ -1,25 +1,51 @@
-use rocket_contrib::Json;
+use rocket_contrib::json::Json;
 
-use db::DbConn;
-use db::models::*;
+use crate::db::models::*;
+use crate::db::DbConn;
 
-use api::{PasswordData, JsonResult, EmptyResult, JsonUpcase};
-use auth::Headers;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
+use crate::auth::{decode_invite, Headers};
+use crate::mail;
 
-use util;
+use crate::CONFIG;
 
-use CONFIG;
+use rocket::Route;
+
+pub fn routes() -> Vec<Route> {
+    routes![
+        register,
+        profile,
+        put_profile,
+        post_profile,
+        get_public_keys,
+        post_keys,
+        post_password,
+        post_kdf,
+        post_rotatekey,
+        post_sstamp,
+        post_email_token,
+        post_email,
+        delete_account,
+        post_delete_account,
+        revision_date,
+        password_hint,
+        prelogin,
+    ]
+}
 
 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
 struct RegisterData {
     Email: String,
+    Kdf: Option<i32>,
+    KdfIterations: Option<i32>,
     Key: String,
-    #[serde(deserialize_with = "util::upcase_deserialize")]
     Keys: Option<KeysData>,
     MasterPasswordHash: String,
     MasterPasswordHint: Option<String>,
     Name: Option<String>,
+    Token: Option<String>,
+    OrganizationUserId: Option<String>,
 }
 
 #[derive(Deserialize, Debug)]
@@ -33,15 +59,58 @@ struct KeysData {
 fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
     let data: RegisterData = data.into_inner().data;
 
-    if !CONFIG.signups_allowed {
-        err!(format!("Signups not allowed"))
+    let mut user = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => {
+            if !user.password_hash.is_empty() {
+                if CONFIG.signups_allowed() {
+                    err!("User already exists")
+                } else {
+                    err!("Registration not allowed or user already exists")
+                }
+            }
+
+            if let Some(token) = data.Token {
+                let claims = decode_invite(&token)?;
+                if claims.email == data.Email {
+                    user
+                } else {
+                    err!("Registration email does not match invite email")
+                }
+            } else if Invitation::take(&data.Email, &conn) {
+                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
+                    user_org.status = UserOrgStatus::Accepted as i32;
+                    user_org.save(&conn)?;
+                }
+
+                user
+            } else if CONFIG.signups_allowed() {
+                err!("Account with this email already exists")
+            } else {
+                err!("Registration not allowed or user already exists")
+            }
+        }
+        None => {
+            if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) || CONFIG.can_signup_user(&data.Email) {
+                User::new(data.Email.clone())
+            } else {
+                err!("Registration not allowed or user already exists")
+            }
+        }
+    };
+
+    // Make sure we don't leave a lingering invitation.
+    Invitation::take(&data.Email, &conn);
+
+    if let Some(client_kdf_iter) = data.KdfIterations {
+        user.client_kdf_iter = client_kdf_iter;
     }
 
-    if let Some(_) = User::find_by_mail(&data.Email, &conn) {
-        err!("Email already exists")
+    if let Some(client_kdf_type) = data.Kdf {
+        user.client_kdf_type = client_kdf_type;
     }
 
-    let mut user = User::new(data.Email, data.Key, data.MasterPasswordHash);
+    user.set_password(&data.MasterPasswordHash);
+    user.akey = data.Key;
 
     // Add extra fields if present
     if let Some(name) = data.Name {
@@ -57,9 +126,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
         user.public_key = Some(keys.PublicKey);
     }
 
-    user.save(&conn);
-
-    Ok(())
+    user.save(&conn)
 }
 
 #[get("/accounts/profile")]
@@ -67,11 +134,40 @@ fn profile(headers: Headers, conn: DbConn) -> JsonResult {
     Ok(Json(headers.user.to_json(&conn)))
 }
 
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct ProfileData {
+    #[serde(rename = "Culture")]
+    _Culture: String, // Ignored, always use en-US
+    MasterPasswordHint: Option<String>,
+    Name: String,
+}
+
+#[put("/accounts/profile", data = "<data>")]
+fn put_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
+    post_profile(data, headers, conn)
+}
+
+#[post("/accounts/profile", data = "<data>")]
+fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: ProfileData = data.into_inner().data;
+
+    let mut user = headers.user;
+
+    user.name = data.Name;
+    user.password_hint = match data.MasterPasswordHint {
+        Some(ref h) if h.is_empty() => None,
+        _ => data.MasterPasswordHint,
+    };
+    user.save(&conn)?;
+    Ok(Json(user.to_json(&conn)))
+}
+
 #[get("/users/<uuid>/public-key")]
 fn get_public_keys(uuid: String, _headers: Headers, conn: DbConn) -> JsonResult {
     let user = match User::find_by_uuid(&uuid, &conn) {
         Some(user) => user,
-        None => err!("User doesn't exist")
+        None => err!("User doesn't exist"),
     };
 
     Ok(Json(json!({
@@ -90,8 +186,7 @@ fn post_keys(data: JsonUpcase<KeysData>, headers: Headers, conn: DbConn) -> Json
     user.private_key = Some(data.EncryptedPrivateKey);
     user.public_key = Some(data.PublicKey);
 
-    user.save(&conn);
-
+    user.save(&conn)?;
     Ok(Json(user.to_json(&conn)))
 }
 
@@ -113,10 +208,113 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
     }
 
     user.set_password(&data.NewMasterPasswordHash);
-    user.key = data.Key;
-    user.save(&conn);
+    user.akey = data.Key;
+    user.save(&conn)
+}
 
-    Ok(())
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct ChangeKdfData {
+    Kdf: i32,
+    KdfIterations: i32,
+
+    MasterPasswordHash: String,
+    NewMasterPasswordHash: String,
+    Key: String,
+}
+
+#[post("/accounts/kdf", data = "<data>")]
+fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    let data: ChangeKdfData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    user.client_kdf_iter = data.KdfIterations;
+    user.client_kdf_type = data.Kdf;
+    user.set_password(&data.NewMasterPasswordHash);
+    user.akey = data.Key;
+    user.save(&conn)
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct UpdateFolderData {
+    Id: String,
+    Name: String,
+}
+
+use super::ciphers::CipherData;
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct KeyData {
+    Ciphers: Vec<CipherData>,
+    Folders: Vec<UpdateFolderData>,
+    Key: String,
+    PrivateKey: String,
+    MasterPasswordHash: String,
+}
+
+#[post("/accounts/key", data = "<data>")]
+fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    let data: KeyData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    let user_uuid = &headers.user.uuid;
+
+    // Update folder data
+    for folder_data in data.Folders {
+        let mut saved_folder = match Folder::find_by_uuid(&folder_data.Id, &conn) {
+            Some(folder) => folder,
+            None => err!("Folder doesn't exist"),
+        };
+
+        if &saved_folder.user_uuid != user_uuid {
+            err!("The folder is not owned by the user")
+        }
+
+        saved_folder.name = folder_data.Name;
+        saved_folder.save(&conn)?
+    }
+
+    // Update cipher data
+    use super::ciphers::update_cipher_from_data;
+
+    for cipher_data in data.Ciphers {
+        let mut saved_cipher = match Cipher::find_by_uuid(cipher_data.Id.as_ref().unwrap(), &conn) {
+            Some(cipher) => cipher,
+            None => err!("Cipher doesn't exist"),
+        };
+
+        if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid {
+            err!("The cipher is not owned by the user")
+        }
+
+        update_cipher_from_data(
+            &mut saved_cipher,
+            cipher_data,
+            &headers,
+            false,
+            &conn,
+            &nt,
+            UpdateType::CipherUpdate,
+        )?
+    }
+
+    // Update user data
+    let mut user = headers.user;
+
+    user.akey = data.Key;
+    user.private_key = Some(data.PrivateKey);
+    user.reset_security_stamp();
+
+    user.save(&conn)
 }
 
 #[post("/accounts/security-stamp", data = "<data>")]
@@ -128,8 +326,29 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
         err!("Invalid password")
     }
 
+    Device::delete_all_by_user(&user.uuid, &conn)?;
     user.reset_security_stamp();
-    user.save(&conn);
+    user.save(&conn)
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct EmailTokenData {
+    MasterPasswordHash: String,
+    NewEmail: String,
+}
+
+#[post("/accounts/email-token", data = "<data>")]
+fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    let data: EmailTokenData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    if User::find_by_mail(&data.NewEmail, &conn).is_some() {
+        err!("Email already in use");
+    }
 
     Ok(())
 }
@@ -139,10 +358,14 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
 struct ChangeEmailData {
     MasterPasswordHash: String,
     NewEmail: String,
+
+    Key: String,
+    NewMasterPasswordHash: String,
+    #[serde(rename = "Token")]
+    _Token: NumberOrString,
 }
 
-
-#[post("/accounts/email-token", data = "<data>")]
+#[post("/accounts/email", data = "<data>")]
 fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let data: ChangeEmailData = data.into_inner().data;
     let mut user = headers.user;
@@ -156,12 +379,19 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
     }
 
     user.email = data.NewEmail;
-    user.save(&conn);
 
-    Ok(())
+    user.set_password(&data.NewMasterPasswordHash);
+    user.akey = data.Key;
+
+    user.save(&conn)
 }
 
 #[post("/accounts/delete", data = "<data>")]
+fn post_delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    delete_account(data, headers, conn)
+}
+
+#[delete("/accounts", data = "<data>")]
 fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let data: PasswordData = data.into_inner().data;
     let user = headers.user;
@@ -170,33 +400,60 @@ fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn
         err!("Invalid password")
     }
 
-    // Delete ciphers and their attachments
-    for cipher in Cipher::find_owned_by_user(&user.uuid, &conn) {
-        match cipher.delete(&conn) {
-            Ok(()) => (),
-            Err(_) => err!("Failed deleting cipher")
-        }
-    }
-
-    // Delete folders
-    for f in Folder::find_by_user(&user.uuid, &conn) {
-        match f.delete(&conn) {
-            Ok(()) => (),
-            Err(_) => err!("Failed deleting folder")
-        } 
-    }
-
-    // Delete devices
-    for d in Device::find_by_user(&user.uuid, &conn) { d.delete(&conn); }
-
-    // Delete user
-    user.delete(&conn);
-
-    Ok(())
+    user.delete(&conn)
 }
 
 #[get("/accounts/revision-date")]
 fn revision_date(headers: Headers) -> String {
-    let revision_date = headers.user.updated_at.timestamp();
+    let revision_date = headers.user.updated_at.timestamp_millis();
     revision_date.to_string()
 }
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct PasswordHintData {
+    Email: String,
+}
+
+#[post("/accounts/password-hint", data = "<data>")]
+fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> EmptyResult {
+    let data: PasswordHintData = data.into_inner().data;
+
+    let hint = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => user.password_hint,
+        None => return Ok(()),
+    };
+
+    if CONFIG.mail_enabled() {
+        mail::send_password_hint(&data.Email, hint)?;
+    } else if CONFIG.show_password_hint() {
+        if let Some(hint) = hint {
+            err!(format!("Your password hint is: {}", &hint));
+        } else {
+            err!("Sorry, you have no password hint...");
+        }
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct PreloginData {
+    Email: String,
+}
+
+#[post("/accounts/prelogin", data = "<data>")]
+fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> JsonResult {
+    let data: PreloginData = data.into_inner().data;
+
+    let (kdf_type, kdf_iter) = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => (user.client_kdf_type, user.client_kdf_iter),
+        None => (User::CLIENT_KDF_TYPE_DEFAULT, User::CLIENT_KDF_ITER_DEFAULT),
+    };
+
+    Ok(Json(json!({
+        "Kdf": kdf_type,
+        "KdfIterations": kdf_iter
+    })))
+}