Serve Apple app site association file (#7191 )

Switch to Edition 2024, more clippy lints, and less macro calls (#7200 )
* Update to Rust 2024 Edition Updated to the Rust 2024 Edition and added and fixed several lint checks. This is a large change which, because of the extra lints, added some possible fixes for issues. Signed-off-by: BlackDex <black.dex@gmail.com> * Reorder and merge imports Signed-off-by: BlackDex <black.dex@gmail.com> * Remove "db_run!" macro calls where possible Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2026-06-01 00:00:15 +03:00 · 2026-05-17 21:46:10 +02:00 · 2026-05-17 19:38:49 +02:00 · 2026-05-17 00:43:58 +02:00 · 2026-05-16 21:19:01 +02:00 · 2026-05-16 21:18:53 +02:00
117 changed files with 10758 additions and 11054 deletions
@@ -50,10 +50,11 @@
 #########################

 ## Database URL
-## When using SQLite, this is the path to the DB file, and it defaults to
-## %DATA_FOLDER%/db.sqlite3. If DATA_FOLDER is set to an external location, this
-## must be set to a local sqlite3 file path.
-# DATABASE_URL=data/db.sqlite3
+## When using SQLite, this should use the sqlite:// scheme followed by the path
+## to the DB file. It defaults to sqlite://%DATA_FOLDER%/db.sqlite3.
+## Bare paths without the sqlite:// scheme are supported for backwards compatibility,
+## but only if the database file already exists.
+# DATABASE_URL=sqlite://data/db.sqlite3
 ## When using MySQL, specify an appropriate connection URI.
 ## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
 # DATABASE_URL=mysql://user:password@host[:port]/database_name
@@ -372,16 +373,22 @@
 ## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
 ##
 ## The following flags are available:
-## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
-## - "inline-menu-totp": Enable the use of inline menu TOTP codes in the browser extension.
-## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
-## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Needs desktop >= 2025.11.0)
-## - "export-attachments": Enable support for exporting attachments (Clients >=2025.4.0)
-## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
-## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
-## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0)
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
+## - "pm-5594-safari-account-switching": Enable account switching in Safari. (Safari >= 2026.2.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Desktop >= 2024.12.0)
+## - "ssh-agent-v2": Enable newer SSH agent support. (Desktop >= 2026.2.1)
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Clients >= 2024.12.0)
+## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Desktop >= 2025.11.0)
+## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
+## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Clients >= 2025.2.0)
+## - "cxp-import-mobile": Enable the import via CXP on iOS (Clients >= 2025.9.2)
+## - "cxp-export-mobile": Enable the export via CXP on iOS (Clients >= 2025.9.2)
+## - "pm-30529-webauthn-related-origins":
+## - "desktop-ui-migration-milestone-1": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-2": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-3": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-4": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=

 ## Require new device emails. When a user logs in an email is required to be sent.
 ## If sending the email fails the login attempt will fail!!
@@ -1,3 +1,2 @@
 # Ignore vendored scripts in GitHub stats
 src/static/scripts/* linguist-vendored
-
@@ -1,6 +1,10 @@
 name: Build
 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on:
  push:
    paths:
@@ -30,6 +34,10 @@ on:
      - "docker/DockerSettings.yaml"
      - "macros/**"

+defaults:
+  run:
+    shell: bash
+
 jobs:
  build:
    name: Build and Test ${{ matrix.channel }}
@@ -54,7 +62,7 @@ jobs:

      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -63,7 +71,6 @@ jobs:
      # Determine rust-toolchain version
      - name: Init Variables
        id: toolchain
-        shell: bash
        env:
          CHANNEL: ${{ matrix.channel }}
        run: |
@@ -78,32 +85,23 @@ jobs:
      # End Determine rust-toolchain version


-      # Only install the clippy and rustfmt components on the default rust-toolchain
-      - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
-        if: ${{ matrix.channel == 'rust-toolchain' }}
-        with:
-          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
-          components: clippy, rustfmt
-      # End Uses the rust-toolchain file to determine version
-
-
-      # Install the any other channel to be used for which we do not execute clippy and rustfmt
-      - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
-        if: ${{ matrix.channel != 'rust-toolchain' }}
-        with:
-          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
-      # End Install the MSRV channel to be used
-
-      # Set the current matrix toolchain version as default
-      - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
+      - name: "Install toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
        env:
+          CHANNEL: ${{ matrix.channel }}
          RUST_TOOLCHAIN: ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
        run: |
          # Remove the rust-toolchain.toml
          rm rust-toolchain.toml
-          # Set the default
+
+          # Install the correct toolchain version
+          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal --no-self-update
+
+          # If this matrix is the `rust-toolchain` flow, also install rustfmt and clippy
+          if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then
+            rustup component add --toolchain "${RUST_TOOLCHAIN}" rustfmt clippy
+          fi
+
+          # Set as the default toolchain
          rustup default "${RUST_TOOLCHAIN}"

      # Show environment
@@ -115,7 +113,7 @@ jobs:

      # Enable Rust Caching
      - name: Rust Caching
-        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
        with:
          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -1,8 +1,16 @@
 name: Check templates
 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on: [ push, pull_request ]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  docker-templates:
    name: Validate docker templates
@@ -12,7 +20,7 @@ jobs:
    steps:
      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # End Checkout the repo
@@ -1,8 +1,15 @@
 name: Hadolint
-
-on: [ push, pull_request ]
 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+on: [ push, pull_request ]
+
+defaults:
+  run:
+    shell: bash

 jobs:
  hadolint:
@@ -13,7 +20,7 @@ jobs:
    steps:
      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -25,7 +32,6 @@ jobs:

      # Download hadolint - https://github.com/hadolint/hadolint/releases
      - name: Download hadolint
-        shell: bash
        run: |
          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
          sudo chmod +x /usr/local/bin/hadolint
@@ -34,20 +40,18 @@ jobs:
      # End Download hadolint
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # End Checkout the repo

      # Test Dockerfiles with hadolint
      - name: Run hadolint
-        shell: bash
        run: hadolint docker/Dockerfile.{debian,alpine}
      # End Test Dockerfiles with hadolint

      # Test Dockerfiles with docker build checks
      - name: Run docker build check
-        shell: bash
        run: |
          echo "Checking docker/Dockerfile.debian"
          docker build --check . -f docker/Dockerfile.debian
@@ -1,6 +1,12 @@
 name: Release
 permissions: {}

+concurrency:
+  # Apply concurrency control only on the upstream repo
+  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
+  # Don't cancel other runs when creating a tag
+  cancel-in-progress: ${{ github.ref_type == 'branch' }}
+
 on:
  push:
    branches:
@@ -10,33 +16,31 @@ on:
      # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
      - '[1-2].[0-9]+.[0-9]+'

-concurrency:
-  # Apply concurrency control only on the upstream repo
-  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
-  # Don't cancel other runs when creating a tag
-  cancel-in-progress: ${{ github.ref_type == 'branch' }}
-
 defaults:
  run:
    shell: bash

-env:
-  # The *_REPO variables need to be configured as repository variables
-  # Append `/settings/variables/actions` to your repo url
-  # DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
-  # Check for Docker hub credentials in secrets
-  HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
-  # GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
-  # Check for Github credentials in secrets
-  HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
-  # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
-  # Check for Quay.io credentials in secrets
-  HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
+# A "release" environment must be created in the repository settings
+# (Settings > Environments > New environment) with the following
+# variables and secrets configured as needed.
+#
+# Variables (only set the ones for registries you want to push to):
+#   DOCKERHUB_REPO: 'index.docker.io/<user>/<repo>'
+#   QUAY_REPO: 'quay.io/<user>/<repo>'
+#   GHCR_REPO: 'ghcr.io/<user>/<repo>'
+#
+# Secrets (only required when the corresponding *_REPO variable is set):
+#   DOCKERHUB_REPO => DOCKERHUB_USERNAME, DOCKERHUB_TOKEN
+#   QUAY_REPO      => QUAY_USERNAME, QUAY_TOKEN
+#   GITHUB_TOKEN is provided automatically

 jobs:
  docker-build:
    name: Build Vaultwarden containers
    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
+    environment: 
+      name: release
+      deployment: false
    permissions:
      packages: write # Needed to upload packages and artifacts
      contents: read
@@ -54,13 +58,13 @@ jobs:

    steps:
      - name: Initialize QEMU binfmt support
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
        with:
          platforms: "arm64,arm"

      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -73,7 +77,7 @@ jobs:

      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        # We need fetch-depth of 0 so we also get all the tag metadata
        with:
          persist-credentials: false
@@ -102,14 +106,14 @@ jobs:

      # Login to Docker Hub
      - name: Login to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        if: ${{ vars.DOCKERHUB_REPO != '' }}

      - name: Add registry for DockerHub
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        if: ${{ vars.DOCKERHUB_REPO != '' }}
        env:
          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
        run: |
@@ -117,15 +121,15 @@ jobs:

      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        if: ${{ vars.GHCR_REPO != '' }}

      - name: Add registry for ghcr.io
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        if: ${{ vars.GHCR_REPO != '' }}
        env:
          GHCR_REPO: ${{ vars.GHCR_REPO }}
        run: |
@@ -133,15 +137,15 @@ jobs:

      # Login to Quay.io
      - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        if: ${{ vars.QUAY_REPO != '' }}

      - name: Add registry for Quay.io
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        if: ${{ vars.QUAY_REPO != '' }}
        env:
          QUAY_REPO: ${{ vars.QUAY_REPO }}
        run: |
@@ -155,7 +159,7 @@ jobs:
        run: |
          #
          # Check if there is a GitHub Container Registry Login and use it for caching
-          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
+          if [[ -n "${GHCR_REPO}" ]]; then
            echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}"
            echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
          else
@@ -181,7 +185,7 @@ jobs:

      - name: Bake ${{ matrix.base_image }} containers
        id: bake_vw
-        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        env:
          BASE_TAGS: "${{ steps.determine-version.outputs.BASE_TAGS }}"
          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
@@ -218,7 +222,7 @@ jobs:
          touch "${RUNNER_TEMP}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: digests-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
          path: ${{ runner.temp }}/digests/*
@@ -233,12 +237,12 @@ jobs:

      # Upload artifacts to Github Actions and Attest the binaries
      - name: Attest binaries
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }}

      - name: Upload binaries as artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
          path: vaultwarden-${{ env.NORMALIZED_ARCH }}
@@ -247,6 +251,9 @@ jobs:
    name: Merge manifests
    runs-on: ubuntu-latest
    needs: docker-build
+    environment: 
+      name: release
+      deployment: false
    permissions:
      packages: write # Needed to upload packages and artifacts
      attestations: write # Needed to generate an artifact attestation for a build
@@ -257,7 +264,7 @@ jobs:

    steps:
      - name: Download digests
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*-${{ matrix.base_image }}
@@ -265,14 +272,14 @@ jobs:

      # Login to Docker Hub
      - name: Login to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        if: ${{ vars.DOCKERHUB_REPO != '' }}

      - name: Add registry for DockerHub
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        if: ${{ vars.DOCKERHUB_REPO != '' }}
        env:
          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
        run: |
@@ -280,15 +287,15 @@ jobs:

      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        if: ${{ vars.GHCR_REPO != '' }}

      - name: Add registry for ghcr.io
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        if: ${{ vars.GHCR_REPO != '' }}
        env:
          GHCR_REPO: ${{ vars.GHCR_REPO }}
        run: |
@@ -296,15 +303,15 @@ jobs:

      # Login to Quay.io
      - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        if: ${{ vars.QUAY_REPO != '' }}

      - name: Add registry for Quay.io
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        if: ${{ vars.QUAY_REPO != '' }}
        env:
          QUAY_REPO: ${{ vars.QUAY_REPO }}
        run: |
@@ -357,24 +364,24 @@ jobs:

      # Attest container images
      - name: Attest - docker.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        if: ${{ vars.DOCKERHUB_REPO != '' && env.DIGEST_SHA != ''}}
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-name: ${{ vars.DOCKERHUB_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true

      - name: Attest - ghcr.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        if: ${{ vars.GHCR_REPO != '' && env.DIGEST_SHA != ''}}
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-name: ${{ vars.GHCR_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true

      - name: Attest - quay.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        if: ${{ vars.QUAY_REPO != '' && env.DIGEST_SHA != ''}}
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-name: ${{ vars.QUAY_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
@@ -1,6 +1,10 @@
 name: Cleanup
 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
 on:
  workflow_dispatch:
    inputs:
@@ -1,6 +1,10 @@
 name: Trivy
 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on:
  push:
    branches:
@@ -29,12 +33,12 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        env:
          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
@@ -46,6 +50,6 @@ jobs:
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          sarif_file: 'trivy-results.sarif'
@@ -1,7 +1,11 @@
 name: Code Spell Checking
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true

 on: [ push, pull_request ]
-permissions: {}

 jobs:
  typos:
@@ -12,11 +16,11 @@ jobs:
    steps:
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # End Checkout the repo

      # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
      - name: Spell Check Repo
-        uses: crate-ci/typos@1a319b54cc9e3b333fed6a5c88ba1a90324da514 # v1.40.1
+        uses: crate-ci/typos@5374cbf686e897b15713110e233094e2874de7ef # v1.46.1
@@ -1,4 +1,9 @@
 name: Security Analysis with zizmor
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true

 on:
  push:
@@ -6,8 +11,6 @@ on:
  pull_request:
    branches: ["**"]

-permissions: {}
-
 jobs:
  zizmor:
    name: Run zizmor
@@ -16,12 +19,12 @@ jobs:
      security-events: write # To write the security report
    steps:
      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        uses: zizmorcore/zizmor-action@b572f7b1a1c2d41efaab43d504f68d215c3cd727 # v0.5.4
        with:
          # intentionally not scanning the entire repository,
          # since it contains integration tests.
@@ -1,58 +1,60 @@
 ---
 repos:
-   repo: https://github.com/pre-commit/pre-commit-hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
    hooks:
-    - id: check-yaml
-    - id: check-json
-    - id: check-toml
-    - id: mixed-line-ending
-      args: ["--fix=no"]
-    - id: end-of-file-fixer
-      exclude: "(.*js$|.*css$)"
-    - id: check-case-conflict
-    - id: check-merge-conflict
-    - id: detect-private-key
-    - id: check-symlinks
-    - id: forbid-submodules
-   repo: local
+      - id: check-yaml
+      - id: check-json
+      - id: check-toml
+      - id: mixed-line-ending
+        args: [ "--fix=no" ]
+      - id: end-of-file-fixer
+        exclude: "(.*js$|.*css$)"
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: check-symlinks
+      - id: forbid-submodules
+
+  # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
+  - repo: https://github.com/crate-ci/typos
+    rev: 5374cbf686e897b15713110e233094e2874de7ef # v1.46.1
    hooks:
-    - id: fmt
-      name: fmt
-      description: Format files with cargo fmt.
-      entry: cargo fmt
-      language: system
-      always_run: true
-      pass_filenames: false
-      args: ["--", "--check"]
-    - id: cargo-test
-      name: cargo test
-      description: Test the package for errors.
-      entry: cargo test
-      language: system
-      args: ["--features", "sqlite,mysql,postgresql", "--"]
-      types_or: [rust, file]
-      files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
-      pass_filenames: false
-    - id: cargo-clippy
-      name: cargo clippy
-      description: Lint Rust sources
-      entry: cargo clippy
-      language: system
-      args: ["--features", "sqlite,mysql,postgresql", "--", "-D", "warnings"]
-      types_or: [rust, file]
-      files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
-      pass_filenames: false
-    - id: check-docker-templates
-      name: check docker templates
-      description: Check if the Docker templates are updated
-      language: system
-      entry: sh
-      args:
-        - "-c"
-        - "cd docker && make"
-# When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
- repo: https://github.com/crate-ci/typos
-  rev: 1a319b54cc9e3b333fed6a5c88ba1a90324da514 # v1.40.1
-  hooks:
-    - id: typos
+      - id: typos
+
+  - repo: local
+    hooks:
+      - id: fmt
+        name: fmt
+        description: Format files with cargo fmt.
+        entry: cargo fmt
+        language: system
+        always_run: true
+        pass_filenames: false
+        args: [ "--", "--check" ]
+      - id: cargo-test
+        name: cargo test
+        description: Test the package for errors.
+        entry: cargo test
+        language: system
+        args: [ "--features", "sqlite,mysql,postgresql", "--" ]
+        types_or: [ rust, file ]
+        files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
+        pass_filenames: false
+      - id: cargo-clippy
+        name: cargo clippy
+        description: Lint Rust sources
+        entry: cargo clippy
+        language: system
+        args: [ "--features", "sqlite,mysql,postgresql", "--", "-D", "warnings" ]
+        types_or: [ rust, file ]
+        files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
+        pass_filenames: false
+      - id: check-docker-templates
+        name: check docker templates
+        description: Check if the Docker templates are updated
+        language: system
+        entry: sh
+        args:
+          - "-c"
+          - "cd docker && make"
@@ -23,4 +23,6 @@ extend-ignore-re = [
    # https://github.com/bitwarden/server/blob/dff9f1cf538198819911cf2c20f8cda3307701c5/src/Notifications/HubHelpers.cs#L86
    # https://github.com/bitwarden/clients/blob/9612a4ac45063e372a6fbe87eb253c7cb3c588fb/libs/common/src/auth/services/anonymous-hub.service.ts#L45
    "AuthRequestResponseRecieved",
+    # Ignore Punycode/IDN tests
+    "xn--.+"
 ]
@@ -1,6 +1,6 @@
 [workspace.package]
-edition = "2021"
-rust-version = "1.90.0"
+edition = "2024"
+rust-version = "1.93.0"
 license = "AGPL-3.0-only"
 repository = "https://github.com/dani-garcia/vaultwarden"
 publish = false
@@ -24,20 +24,31 @@ publish.workspace = true
 [features]
 default = [
    # "sqlite",
+    # "sqlite_system",
    # "mysql",
    # "postgresql",
 ]
 # Empty to keep compatibility, prefer to set USE_SYSLOG=true
 enable_syslog = []
+# Please enable at least one of these DB backends.
 mysql = ["diesel/mysql", "diesel_migrations/mysql"]
 postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
-sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "dep:libsqlite3-sys"]
+sqlite_system = ["diesel/sqlite", "diesel_migrations/sqlite"] # Dynamically link SQLite
+sqlite = ["sqlite_system", "libsqlite3-sys/bundled"] # Statically link SQLite into the binary instead of dynamically.
 # Enable to use a vendored and statically linked openssl
 vendored_openssl = ["openssl/vendored"]
 # Enable MiMalloc memory allocator to replace the default malloc
 # This can improve performance for Alpine builds
 enable_mimalloc = ["dep:mimalloc"]
-s3 = ["opendal/services-s3", "dep:aws-config", "dep:aws-credential-types", "dep:aws-smithy-runtime-api", "dep:anyhow", "dep:http", "dep:reqsign"]
+s3 = [
+    "opendal/services-s3",
+    "dep:aws-config",
+    "dep:aws-credential-types",
+    "dep:aws-smithy-runtime-api",
+    "dep:http",
+    "dep:reqsign-aws-v4",
+    "dep:reqsign-core",
+]

 # OIDC specific features
 oidc-accept-rfc3339-timestamps = ["openidconnect/accept-rfc3339-timestamps"]
@@ -57,7 +68,8 @@ macros = { path = "./macros" }
 # Logging
 log = "0.4.29"
 fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
-tracing = { version = "0.1.44", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+# We need the `log` feature for `tracing` to enable logging for several crates to work, like lettre or webauthn-rs
+tracing = { version = "0.1.44", features = ["log"] }

 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
@@ -68,8 +80,8 @@ num-derive = "0.4.2"
 bigdecimal = "0.4.10"

 # Web framework
-rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
-rocket_ws = { version ="0.1.1" }
+rocket = { version = "0.5.1", default-features = false, features = ["json", "tls"] }
+rocket_ws = { version = "0.1.1" }

 # WebSockets libraries
 rmpv = "1.3.1" # MessagePack library
@@ -78,131 +90,184 @@ rmpv = "1.3.1" # MessagePack library
 dashmap = "6.1.0"

 # Async futures
-futures = "0.3.31"
-tokio = { version = "1.48.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
-tokio-util = { version = "0.7.17", features = ["compat"]}
+futures = "0.3.32"
+tokio = { version = "1.52.3", features = [
+    "fs",
+    "io-util",
+    "net",
+    "parking_lot",
+    "rt-multi-thread",
+    "signal",
+    "time",
+] }
+tokio-util = { version = "0.7.18", features = ["compat"] }

 # A generic serialization/deserialization framework
 serde = { version = "1.0.228", features = ["derive"] }
-serde_json = "1.0.148"
+serde_json = "1.0.149"

 # A safe, extensible ORM and Query builder
-# Currently pinned diesel to v2.3.3 as newer version break MySQL/MariaDB compatibility
-diesel = { version = "2.3.5", features = ["chrono", "r2d2", "numeric"] }
-diesel_migrations = "2.3.1"
+diesel = { version = "2.3.9", features = ["chrono", "r2d2", "numeric"] }
+diesel_migrations = "2.3.2"

-derive_more = { version = "2.1.1", features = ["from", "into", "as_ref", "deref", "display"] }
+derive_more = { version = "2.1.1", features = [
+    "as_ref",
+    "deref",
+    "display",
+    "from",
+    "into",
+] }
 diesel-derive-newtype = "2.1.2"

-# Bundled/Static SQLite
-libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true }
+# SQLite, statically bundled unless the `sqlite_system` feature is enabled
+libsqlite3-sys = { version = "0.37.0", optional = true }

 # Crypto-related libraries
-rand = "0.9.2"
+rand = "0.10.1"
 ring = "0.17.14"
+rustls = { version = "0.23.40", features = ["ring", "std"], default-features = false }
 subtle = "2.6.1"

 # UUID generation
-uuid = { version = "1.19.0", features = ["v4"] }
+uuid = { version = "1.23.1", features = ["v4"] }

 # Date and time libraries
-chrono = { version = "0.4.42", features = ["clock", "serde"], default-features = false }
+chrono = { version = "0.4.44", default-features = false, features = ["clock", "serde"] }
 chrono-tz = "0.10.4"
-time = "0.3.44"
+time = "0.3.47"

 # Job scheduler
 job_scheduler_ng = "2.4.0"

 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.9.0"
+data-encoding = "2.11.0"

 # JWT library
-jsonwebtoken = { version = "10.2.0", features = ["use_pem", "rust_crypto"], default-features = false }
+jsonwebtoken = { version = "10.4.0", default-features = false, features = ["rust_crypto", "use_pem"] }

 # TOTP library
 totp-lite = "2.0.1"

 # Yubico Library
-yubico = { package = "yubico_ng", version = "0.14.1", features = ["online-tokio"], default-features = false }
+yubico = { package = "yubico_ng", version = "0.15.0", default-features = false, features = ["online-tokio"] }

 # WebAuthn libraries
 # danger-allow-state-serialisation is needed to save the state in the db
 # danger-credential-internals is needed to support U2F to Webauthn migration
-webauthn-rs = { version = "0.5.4", features = ["danger-allow-state-serialisation", "danger-credential-internals"] }
-webauthn-rs-proto = "0.5.4"
-webauthn-rs-core = "0.5.4"
+webauthn-rs = { version = "0.5.5", features = ["danger-allow-state-serialisation", "danger-credential-internals"] }
+webauthn-rs-proto = "0.5.5"
+webauthn-rs-core = "0.5.5"

 # Handling of URL's for WebAuthn and favicons
-url = "2.5.7"
+url = "2.5.8"

 # Email libraries
-lettre = { version = "0.11.19", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false }
+lettre = { version = "0.11.22", default-features = false, features = [
+    # Misc
+    "tracing",
+    "serde",
+    "builder",
+    "hostname",
+    # TLS/Security
+    "ring",
+    "rustls-native-certs",
+    "tokio1-rustls",
+    # Transport
+    "smtp-transport",
+    "sendmail-transport",
+] }
 percent-encoding = "2.3.2" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"

 # HTML Template library
-handlebars = { version = "6.3.2", features = ["dir_source"] }
+handlebars = { version = "6.4.0", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.28", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
-hickory-resolver = "0.25.2"
+reqwest = { version = "0.13.3", default-features = false, features = [
+    # Misc
+    "charset",
+    "cookies",
+    "http2",
+    "json",
+    "form",
+    "rustls-no-provider",
+    "stream",
+    # Compression
+    "brotli",
+    "deflate",
+    "gzip",
+    "zstd",
+    # Proxy
+    "socks",
+    "system-proxy",
+] }
+hickory-resolver = "0.26.1"

 # Favicon extraction libraries
 html5gum = "0.8.3"
-regex = { version = "1.12.2", features = ["std", "perf", "unicode-perl"], default-features = false }
+regex = { version = "1.12.3", default-features = false, features = [
+    "perf",
+    "std",
+    "unicode-perl",
+] }
 data-url = "0.3.2"
-bytes = "1.11.0"
-svg-hush = "0.9.5"
+bytes = "1.11.1"
+svg-hush = "0.9.6"

 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.56.0", features = ["async"] }
+cached = { version = "0.59.0", features = ["async"] }

 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.22.0"
+cookie_store = "0.22.1"

 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.75"
+openssl = "0.10.79"

 # CLI argument parsing
 pico-args = "0.5.0"

 # Macro ident concatenation
-pastey = "0.2.1"
+pastey = "0.2.2"
 governor = "0.10.4"

 # OIDC for SSO
-openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] }
-mini-moka = "0.10.3"
+openidconnect = { version = "4.0.1", default-features = false }
+moka = { version = "0.12.15", features = ["future"] }

 # Check client versions for specific features.
-semver = "1.0.27"
+semver = "1.0.28"

 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
-mimalloc = { version = "0.1.48", features = ["secure"], default-features = false, optional = true }
+mimalloc = { version = "0.1.50", optional = true, default-features = false, features = ["secure"] }

-which = "8.0.0"
+which = "8.0.2"

 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"

 # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
-rpassword = "7.4.0"
+rpassword = "7.5.2"

 # Loading a dynamic CSS Stylesheet
 grass_compiler = { version = "0.13.4", default-features = false }

 # File are accessed through Apache OpenDAL
-opendal = { version = "0.55.0", features = ["services-fs"], default-features = false }
+opendal = { version = "0.56.0", default-features = false, features = ["services-fs"] }

 # For retrieving AWS credentials, including temporary SSO credentials
-anyhow = { version = "1.0.100", optional = true }
-aws-config = { version = "1.8.12", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.11", optional = true }
-aws-smithy-runtime-api = { version = "1.9.3", optional = true }
+aws-config = { version = "1.8.16", optional = true, default-features = false, features = [
+    "behavior-version-latest",
+    "credentials-process",
+    "rt-tokio",
+    "sso",
+] }
+aws-credential-types = { version = "1.2.14", optional = true }
+aws-smithy-runtime-api = { version = "1.12.0", optional = true }
 http = { version = "1.4.0", optional = true }
-reqsign = { version = "0.16.5", optional = true }
+reqsign-aws-v4 = { version = "3.0.0", optional = true }
+reqsign-core = { version = "3.0.0", optional = true }

 # Strip debuginfo from the release builds
 # The debug symbols are to provide better panic traces
@@ -262,75 +327,74 @@ unsafe_code = "forbid"
 non_ascii_idents = "forbid"

 # Deny
-deprecated_in_future = "deny"
+warnings = "deny" # Explicitly deny all warnings since we deny all warnings in the end
+
+# Deny lint groups
 deprecated_safe = { level = "deny", priority = -1 }
 future_incompatible = { level = "deny", priority = -1 }
 keyword_idents = { level = "deny", priority = -1 }
 let_underscore = { level = "deny", priority = -1 }
 nonstandard_style = { level = "deny", priority = -1 }
-noop_method_call = "deny"
 refining_impl_trait = { level = "deny", priority = -1 }
 rust_2018_idioms = { level = "deny", priority = -1 }
 rust_2021_compatibility = { level = "deny", priority = -1 }
 rust_2024_compatibility = { level = "deny", priority = -1 }
+unused = { level = "deny", priority = -1 }
+
+# Deny individual lints
+closure_returning_async_block = "deny"
+deprecated_in_future = "deny"
 single_use_lifetimes = "deny"
 trivial_casts = "deny"
 trivial_numeric_casts = "deny"
-unused = { level = "deny", priority = -1 }
 unused_import_braces = "deny"
 unused_lifetimes = "deny"
 unused_qualifications = "deny"
 variant_size_differences = "deny"
-# Allow the following lints since these cause issues with Rust v1.84.0 or newer
-# Building Vaultwarden with Rust v1.85.0 with edition 2024 also works without issues
-edition_2024_expr_fragment_specifier = "allow" # Once changed to Rust 2024 this should be removed and macro's should be validated again
-if_let_rescope = "allow"
-tail_expr_drop_order = "allow"

 # https://rust-lang.github.io/rust-clippy/stable/index.html
 [workspace.lints.clippy]
-# Warn
+# Warn only so you can still use these during development, but not in the final code
 dbg_macro = "warn"
 todo = "warn"

 # Ignore/Allow
 result_large_err = "allow"

-# Deny
+# Warn on these lint group (Some might be warn by default already though)
+# Will be denied during CI!
+complexity = { level = "warn", priority = -1 }
+pedantic = { level = "warn", priority = -1 }
+perf = { level = "warn", priority = -1 }
+style = { level = "warn", priority = -1 }
+suspicious = { level = "warn", priority = -1 }
+
+# Deny individual lints
 branches_sharing_code = "deny"
-case_sensitive_file_extension_comparisons = "deny"
-cast_lossless = "deny"
 clone_on_ref_ptr = "deny"
 equatable_if_let = "deny"
-excessive_precision = "deny"
-filter_map_next = "deny"
 float_cmp_const = "deny"
-implicit_clone = "deny"
-inefficient_to_string = "deny"
 iter_on_empty_collections = "deny"
 iter_on_single_items = "deny"
-linkedlist = "deny"
-macro_use_imports = "deny"
-manual_assert = "deny"
-manual_instant_elapsed = "deny"
-manual_string_new = "deny"
-match_wildcard_for_single_variants = "deny"
 mem_forget = "deny"
-needless_borrow = "deny"
 needless_collect = "deny"
-needless_continue = "deny"
-needless_lifetimes = "deny"
-option_option = "deny"
 redundant_clone = "deny"
-string_add_assign = "deny"
-unnecessary_join = "deny"
 unnecessary_self_imports = "deny"
-unnested_or_patterns = "deny"
-unused_async = "deny"
-unused_self = "deny"
 useless_let_if_seq = "deny"
 verbose_file_reads = "deny"
-zero_sized_map_values = "deny"
+str_to_string = "deny"
+
+# Pedantic Opt-Outs
+inline_always = "allow" # We use this sparsely
+struct_field_names = "allow" # Noisy and some items are Bitwarden controlled
+large_futures = "allow" # Causes a fail in some Rocket macro's, since we experience no issues, allow it
+too_many_lines = "allow" # For now, allow this, good to enable in the future and see if we can refactor
+unnecessary_wraps = "allow" # Too much false positives because of Rocket integrations
+# We do not use these doc items
+doc_link_with_quotes = "allow"
+doc_markdown = "allow"
+missing_errors_doc = "allow"
+missing_panics_doc = "allow"

 [lints]
 workspace = true
@@ -59,8 +59,9 @@ A nearly complete implementation of the Bitwarden Client API is provided, includ
 ## Usage

 > [!IMPORTANT]
-> The web-vault requires the use a secure context for the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API).
-> That means it will only work via `http://localhost:8000` (using the port from the example below) or if you [enable HTTPS](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS).
+> The web-vault requires the use of HTTPS and a secure context for the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API). <br>
+> That means it will only work if you [enable HTTPS](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS). <br>
+> We also suggest to use a [reverse proxy](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples).

 The recommended way to install and use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server).
 See [which container image to use](https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use) for an explanation of the provided tags.
@@ -1,22 +1,21 @@
-use std::env;
-use std::process::Command;
+use std::{env, io::Error, process::Command};

 fn main() {
-    // This allow using #[cfg(sqlite)] instead of #[cfg(feature = "sqlite")], which helps when trying to add them through macros
-    #[cfg(feature = "sqlite")]
+    // These allow using e.g. #[cfg(mysql)] instead of #[cfg(feature = "mysql")], which helps when trying to add them through macros
+    #[cfg(feature = "sqlite_system")] // The `sqlite` feature implies this one.
    println!("cargo:rustc-cfg=sqlite");
    #[cfg(feature = "mysql")]
    println!("cargo:rustc-cfg=mysql");
    #[cfg(feature = "postgresql")]
    println!("cargo:rustc-cfg=postgresql");
-    #[cfg(feature = "s3")]
-    println!("cargo:rustc-cfg=s3");
-
-    #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
+    #[cfg(not(any(feature = "sqlite_system", feature = "mysql", feature = "postgresql")))]
    compile_error!(
        "You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite"
    );

+    #[cfg(feature = "s3")]
+    println!("cargo:rustc-cfg=s3");
+
    // Use check-cfg to let cargo know which cfg's we define,
    // and avoid warnings when they are used in the code.
    println!("cargo::rustc-check-cfg=cfg(sqlite)");
@@ -42,13 +41,12 @@ fn main() {
    }
 }

-fn run(args: &[&str]) -> Result<String, std::io::Error> {
+fn run(args: &[&str]) -> Result<String, Error> {
    let out = Command::new(args[0]).args(&args[1..]).output()?;
    if !out.status.success() {
-        use std::io::Error;
        return Err(Error::other("Command not successful"));
    }
-    Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
+    Ok(String::from_utf8(out.stdout).unwrap().trim().to_owned())
 }

 /// This method reads info from Git, namely tags, branch, and revision
@@ -58,7 +56,7 @@ fn run(args: &[&str]) -> Result<String, std::io::Error> {
 ///    - `env!("GIT_BRANCH")`
 ///    - `env!("GIT_REV")`
 ///    - `env!("VW_VERSION")`
-fn version_from_git_info() -> Result<String, std::io::Error> {
+fn version_from_git_info() -> Result<String, Error> {
    // The exact tag for the current commit, can be empty when
    // the current commit doesn't have an associated tag
    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok();
@@ -2,4 +2,4 @@
 # see diesel.rs/guides/configuring-diesel-cli

 [print_schema]
-file = "src/db/schema.rs"
+file = "src/db/schema.rs"
@@ -1,11 +1,11 @@
 ---
-vault_version: "v2025.12.1+build.3"
-vault_image_digest: "sha256:bf5aa55dc7bcb99f85d2a88ff44d32cdc832e934a0603fe28e5c3f92904bad42"
+vault_version: "v2026.4.1"
+vault_image_digest: "sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe"
 # Cross Compile Docker Helper Scripts v1.9.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
-rust_version: 1.92.0 # Rust version to be used
+rust_version: 1.95.0 # Rust version to be used
 debian_version: trixie # Debian release name to be used
 alpine_version: "3.23" # Alpine version to be used
 # For which platforms/architectures will we try to build images
@@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.1_build.3
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.1_build.3
-#     [docker.io/vaultwarden/web-vault@sha256:bf5aa55dc7bcb99f85d2a88ff44d32cdc832e934a0603fe28e5c3f92904bad42]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2026.4.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.4.1
+#     [docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bf5aa55dc7bcb99f85d2a88ff44d32cdc832e934a0603fe28e5c3f92904bad42
-#     [docker.io/vaultwarden/web-vault:v2025.12.1_build.3]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe
+#     [docker.io/vaultwarden/web-vault:v2026.4.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bf5aa55dc7bcb99f85d2a88ff44d32cdc832e934a0603fe28e5c3f92904bad42 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe AS vault

 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.92.0 AS build_amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.92.0 AS build_arm64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.92.0 AS build_armv7
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.92.0 AS build_armv6
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.95.0 AS build_amd64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.95.0 AS build_arm64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.95.0 AS build_armv7
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.95.0 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@@ -57,7 +57,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
    # Debian Trixie uses libpq v17
    PQ_LIB_DIR="/usr/local/musl/pq17/lib"

-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" && \
    rustup set profile minimal
@@ -19,15 +19,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.1_build.3
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.1_build.3
-#     [docker.io/vaultwarden/web-vault@sha256:bf5aa55dc7bcb99f85d2a88ff44d32cdc832e934a0603fe28e5c3f92904bad42]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2026.4.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.4.1
+#     [docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bf5aa55dc7bcb99f85d2a88ff44d32cdc832e934a0603fe28e5c3f92904bad42
-#     [docker.io/vaultwarden/web-vault:v2025.12.1_build.3]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe
+#     [docker.io/vaultwarden/web-vault:v2026.4.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bf5aa55dc7bcb99f85d2a88ff44d32cdc832e934a0603fe28e5c3f92904bad42 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe AS vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.92.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.95.0-slim-trixie AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -51,7 +51,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
    TERM=xterm-256color \
    CARGO_HOME="/root/.cargo" \
    USER="root"
-# Install clang to get `xx-cargo` working
+# Install clang && xx-c-essentials to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
 # Install the libc cross packages based upon the debian-arch
@@ -59,19 +59,16 @@ RUN apt-get update && \
    apt-get install -y \
        --no-install-recommends \
        clang \
-        pkg-config \
-        git \
-        "libc6-$(xx-info debian-arch)-cross" \
-        "libc6-dev-$(xx-info debian-arch)-cross" \
-        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+        git && \
    xx-apt-get install -y \
        --no-install-recommends \
-        gcc \
        libpq-dev \
        libpq5 \
        libssl-dev \
        libmariadb-dev \
-        zlib1g-dev && \
+        pkg-config \
+        zlib1g-dev \
+        xx-c-essentials && \
    # Run xx-cargo early, since it sometimes seems to break when run at a later stage
    echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo

@@ -83,29 +80,6 @@ RUN mkdir -pv "${CARGO_HOME}" && \
 RUN USER=root cargo new --bin /app
 WORKDIR /app

-# Environment variables for Cargo on Debian based builds
-ARG TARGET_PKG_CONFIG_PATH
-
-RUN source /env-cargo && \
-    if xx-info is-cross ; then \
-        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
-        # Because of this we generate the needed environment variables here which we can load in the needed steps.
-        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
-        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
-        echo "export CROSS_COMPILE=1" >> /env-cargo && \
-        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
-        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
-        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
-        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
-            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
-        else \
-            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
-        fi && \
-        echo "# End of env-cargo" >> /env-cargo ; \
-    fi && \
-    # Output the current contents of the file
-    cat /env-cargo
-
 RUN source /env-cargo && \
    rustup target add "${CARGO_TARGET}"

@@ -122,7 +96,9 @@ ARG DB=sqlite,mysql,postgresql
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
 RUN source /env-cargo && \
-    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    # Workaround for xx related build issues
+    # https://github.com/tonistiigi/xx/pull/108#issuecomment-3700635977
+    PKG_CONFIG="$(command -v "$(xx-info)-pkg-config")" xx-cargo build --features ${DB} --profile "${CARGO_PROFILE}" && \
    find . -not -path "./target*" -delete

 # Copies the complete project
@@ -137,7 +113,9 @@ RUN source /env-cargo && \
    # Also do this for build.rs to ensure the version is rechecked
    touch build.rs src/main.rs && \
    # Create a symlink to the binary target folder to easy copy the binary in the final stage
-    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    # Workaround for xx related build issues
+    # https://github.com/tonistiigi/xx/pull/108#issuecomment-3700635977
+    PKG_CONFIG="$(command -v "$(xx-info)-pkg-config")" xx-cargo build --features ${DB} --profile "${CARGO_PROFILE}" && \
    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
    else \
@@ -27,6 +27,11 @@
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
 #     [docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}]
 #
+{% macro xx_cargo_config() -%}
+# Workaround for xx related build issues
+    # https://github.com/tonistiigi/xx/pull/108#issuecomment-3700635977
+    PKG_CONFIG="$(command -v "$(xx-info)-pkg-config")" xx-cargo build --features ${DB} --profile "${CARGO_PROFILE}"
+{%- endmacro %}
 FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault

 {% if base == "debian" %}
@@ -66,10 +71,10 @@ ENV DEBIAN_FRONTEND=noninteractive \
    # Use PostgreSQL v17 during Alpine/MUSL builds instead of the default v16
    # Debian Trixie uses libpq v17
    PQ_LIB_DIR="/usr/local/musl/pq17/lib"
-{% endif %}
+{%- endif %}

 {% if base == "debian" %}
-# Install clang to get `xx-cargo` working
+# Install clang && xx-c-essentials to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
 # Install the libc cross packages based upon the debian-arch
@@ -77,19 +82,16 @@ RUN apt-get update && \
    apt-get install -y \
        --no-install-recommends \
        clang \
-        pkg-config \
-        git \
-        "libc6-$(xx-info debian-arch)-cross" \
-        "libc6-dev-$(xx-info debian-arch)-cross" \
-        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+        git && \
    xx-apt-get install -y \
        --no-install-recommends \
-        gcc \
        libpq-dev \
        libpq5 \
        libssl-dev \
        libmariadb-dev \
-        zlib1g-dev && \
+        pkg-config \
+        zlib1g-dev \
+        xx-c-essentials && \
    # Run xx-cargo early, since it sometimes seems to break when run at a later stage
    echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
 {% endif %}
@@ -102,31 +104,7 @@ RUN mkdir -pv "${CARGO_HOME}" && \
 RUN USER=root cargo new --bin /app
 WORKDIR /app

-{% if base == "debian" %}
-# Environment variables for Cargo on Debian based builds
-ARG TARGET_PKG_CONFIG_PATH
-
-RUN source /env-cargo && \
-    if xx-info is-cross ; then \
-        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
-        # Because of this we generate the needed environment variables here which we can load in the needed steps.
-        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
-        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
-        echo "export CROSS_COMPILE=1" >> /env-cargo && \
-        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
-        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
-        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
-        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
-            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
-        else \
-            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
-        fi && \
-        echo "# End of env-cargo" >> /env-cargo ; \
-    fi && \
-    # Output the current contents of the file
-    cat /env-cargo
-
-{% elif base == "alpine" %}
+{% if base == "alpine" %}
 # Environment variables for Cargo on Alpine based builds
 RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \
    # Output the current contents of the file
@@ -154,7 +132,11 @@ ARG DB=sqlite,mysql,postgresql,enable_mimalloc
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
 RUN source /env-cargo && \
+{% if base == "debian" %}
+    {{ xx_cargo_config() }} && \
+{% elif base == "alpine" %}
    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+{% endif %}
    find . -not -path "./target*" -delete

 # Copies the complete project
@@ -169,7 +151,11 @@ RUN source /env-cargo && \
    # Also do this for build.rs to ensure the version is rechecked
    touch build.rs src/main.rs && \
    # Create a symlink to the binary target folder to easy copy the binary in the final stage
+{% if base == "debian" %}
+    {{ xx_cargo_config() }} && \
+{% elif base == "alpine" %}
    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+{% endif %}
    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
    else \
@@ -13,8 +13,8 @@ path = "src/lib.rs"
 proc-macro = true

 [dependencies]
-quote = "1.0.42"
-syn = "2.0.111"
+quote = "1.0.45"
+syn = "2.0.117"

 [lints]
 workspace = true
@@ -1,14 +1,15 @@
 use proc_macro::TokenStream;
 use quote::quote;
+use syn::{DeriveInput, parse_macro_input};

 #[proc_macro_derive(UuidFromParam)]
 pub fn derive_uuid_from_param(input: TokenStream) -> TokenStream {
-    let ast = syn::parse(input).unwrap();
+    let ast = parse_macro_input!(input as DeriveInput);

    impl_derive_uuid_macro(&ast)
 }

-fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {
+fn impl_derive_uuid_macro(ast: &DeriveInput) -> TokenStream {
    let name = &ast.ident;
    let gen_derive = quote! {
        #[automatically_derived]
@@ -30,12 +31,12 @@ fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {

 #[proc_macro_derive(IdFromParam)]
 pub fn derive_id_from_param(input: TokenStream) -> TokenStream {
-    let ast = syn::parse(input).unwrap();
+    let ast = parse_macro_input!(input as DeriveInput);

    impl_derive_safestring_macro(&ast)
 }

-fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream {
+fn impl_derive_safestring_macro(ast: &DeriveInput) -> TokenStream {
    let name = &ast.ident;
    let gen_derive = quote! {
        #[automatically_derived]
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS archives;
@@ -0,0 +1,10 @@
+DROP TABLE IF EXISTS archives;
+
+CREATE TABLE archives (
+    user_uuid   CHAR(36) NOT NULL,
+    cipher_uuid CHAR(36) NOT NULL,
+    archived_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    PRIMARY KEY (user_uuid, cipher_uuid),
+    FOREIGN KEY (user_uuid) REFERENCES users (uuid) ON DELETE CASCADE,
+    FOREIGN KEY (cipher_uuid) REFERENCES ciphers (uuid) ON DELETE CASCADE
+);
@@ -0,0 +1 @@
+ALTER TABLE sso_auth DROP COLUMN binding_hash;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth DROP COLUMN code_response_error;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth ADD COLUMN code_response_error TEXT;
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS archives;
@@ -0,0 +1,8 @@
+DROP TABLE IF EXISTS archives;
+
+CREATE TABLE archives (
+    user_uuid   CHAR(36) NOT NULL REFERENCES users (uuid) ON DELETE CASCADE,
+    cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid) ON DELETE CASCADE,
+    archived_at TIMESTAMP NOT NULL DEFAULT now(),
+    PRIMARY KEY (user_uuid, cipher_uuid)
+);
@@ -0,0 +1 @@
+ALTER TABLE sso_auth DROP COLUMN binding_hash;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth DROP COLUMN IF EXISTS code_response_error;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth ADD COLUMN IF NOT EXISTS code_response_error TEXT;
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS archives;
@@ -0,0 +1,8 @@
+DROP TABLE IF EXISTS archives;
+
+CREATE TABLE archives (
+    user_uuid   CHAR(36) NOT NULL REFERENCES users (uuid) ON DELETE CASCADE,
+    cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid) ON DELETE CASCADE,
+    archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    PRIMARY KEY (user_uuid, cipher_uuid)
+);
@@ -0,0 +1 @@
+ALTER TABLE sso_auth DROP COLUMN binding_hash;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth DROP COLUMN code_response_error;
@@ -0,0 +1 @@
+ALTER TABLE sso_auth ADD COLUMN code_response_error TEXT;
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.92.0"
+channel = "1.95.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
@@ -1,4 +1,4 @@
-edition = "2021"
+edition = "2024"
 max_width = 120
 newline_style = "Unix"
 use_small_heuristics = "Off"
@@ -2,39 +2,40 @@ use std::{env, sync::LazyLock};

 use reqwest::Method;
 use rocket::{
+    Catcher, Route,
    form::Form,
    http::{Cookie, CookieJar, MediaType, SameSite, Status},
    request::{FromRequest, Outcome, Request},
-    response::{content::RawHtml as Html, Redirect},
+    response::{Redirect, content::RawHtml as Html},
    serde::json::Json,
-    Catcher, Route,
 };
 use serde::de::DeserializeOwned;
 use serde_json::Value;

 use crate::{
+    CONFIG, VERSION,
    api::{
+        ApiResult, EmptyResult, JsonResult, Notify,
        core::{log_event, two_factor},
-        unregister_push_device, ApiResult, EmptyResult, JsonResult, Notify,
+        unregister_push_device,
    },
-    auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp, Secure},
+    auth::{ClientIp, Secure, decode_admin, encode_jwt, generate_admin_claims},
    config::ConfigBuilder,
    db::{
-        backup_sqlite, get_sql_server_version,
+        ACTIVE_DB_TYPE, DbConn, DbConnType, backup_sqlite, get_sql_server_version,
        models::{
            Attachment, Cipher, Collection, Device, Event, EventType, Group, Invitation, Membership, MembershipId,
            MembershipType, OrgPolicy, Organization, OrganizationId, SsoUser, TwoFactor, User, UserId,
        },
-        DbConn, DbConnType, ACTIVE_DB_TYPE,
    },
    error::{Error, MapResult},
    http_client::make_http_request,
    mail,
+    sso::FAKE_SSO_IDENTIFIER,
    util::{
-        container_base_image, format_naive_datetime_local, get_active_web_release, get_display_size,
-        is_running_in_container, NumberOrString,
+        FeatureFlagFilter, NumberOrString, container_base_image, format_naive_datetime_local, get_active_web_release,
+        get_display_size, is_running_in_container, parse_experimental_client_feature_flags,
    },
-    CONFIG, VERSION,
 };

 pub fn routes() -> Vec<Route> {
@@ -92,8 +93,7 @@ static DB_TYPE: LazyLock<&str> = LazyLock::new(|| match ACTIVE_DB_TYPE.get() {
 });

 #[cfg(sqlite)]
-static CAN_BACKUP: LazyLock<bool> =
-    LazyLock::new(|| ACTIVE_DB_TYPE.get().map(|t| *t == DbConnType::Sqlite).unwrap_or(false));
+static CAN_BACKUP: LazyLock<bool> = LazyLock::new(|| ACTIVE_DB_TYPE.get().is_some_and(|t| *t == DbConnType::Sqlite));
 #[cfg(not(sqlite))]
 static CAN_BACKUP: LazyLock<bool> = LazyLock::new(|| false);

@@ -199,13 +199,7 @@ fn post_admin_login(
    }

    // If the token is invalid, redirect to login page
-    if !_validate_token(&data.token) {
-        error!("Invalid admin token. IP: {}", ip.ip);
-        Err(AdminResponse::Unauthorized(render_admin_login(
-            Some("Invalid admin token, please try again."),
-            redirect.as_deref(),
-        )))
-    } else {
+    if validate_token(&data.token) {
        // If the token received is valid, generate JWT and save it as a cookie
        let claims = generate_admin_claims();
        let jwt = encode_jwt(&claims);
@@ -223,10 +217,16 @@ fn post_admin_login(
        } else {
            Err(AdminResponse::Ok(render_admin_page()))
        }
+    } else {
+        error!("Invalid admin token. IP: {}", ip.ip);
+        Err(AdminResponse::Unauthorized(render_admin_login(
+            Some("Invalid admin token, please try again."),
+            redirect.as_deref(),
+        )))
    }
 }

-fn _validate_token(token: &str) -> bool {
+fn validate_token(token: &str) -> bool {
    match CONFIG.admin_token().as_ref() {
        None => false,
        Some(t) if t.starts_with("$argon2") => {
@@ -306,17 +306,14 @@ async fn get_user_or_404(user_id: &UserId, conn: &DbConn) -> ApiResult<User> {

 #[post("/invite", format = "application/json", data = "<data>")]
 async fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> JsonResult {
-    let data: InviteData = data.into_inner();
-    if User::find_by_mail(&data.email, &conn).await.is_some() {
-        err_code!("User already exists", Status::Conflict.code)
-    }
-
-    let mut user = User::new(&data.email, None);
-
-    async fn _generate_invite(user: &User, conn: &DbConn) -> EmptyResult {
+    async fn generate_invite(user: &User, conn: &DbConn) -> EmptyResult {
        if CONFIG.mail_enabled() {
-            let org_id: OrganizationId = FAKE_ADMIN_UUID.to_string().into();
-            let member_id: MembershipId = FAKE_ADMIN_UUID.to_string().into();
+            let org_id: OrganizationId = if CONFIG.sso_enabled() {
+                FAKE_SSO_IDENTIFIER.into()
+            } else {
+                FAKE_ADMIN_UUID.into()
+            };
+            let member_id: MembershipId = FAKE_ADMIN_UUID.to_owned().into();
            mail::send_invite(user, org_id, member_id, &CONFIG.invitation_org_name(), None).await
        } else {
            let invitation = Invitation::new(&user.email);
@@ -324,7 +321,14 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -
        }
    }

-    _generate_invite(&user, &conn).await.map_err(|e| e.with_code(Status::InternalServerError.code))?;
+    let data: InviteData = data.into_inner();
+    if User::find_by_mail(&data.email, &conn).await.is_some() {
+        err_code!("User already exists", Status::Conflict.code)
+    }
+
+    let mut user = User::new(&data.email, None);
+
+    generate_invite(&user, &conn).await.map_err(|e| e.with_code(Status::InternalServerError.code))?;
    user.save(&conn).await.map_err(|e| e.with_code(Status::InternalServerError.code))?;

    Ok(Json(user.to_json(&conn).await))
@@ -381,7 +385,7 @@ async fn users_overview(_token: AdminToken, conn: DbConn) -> ApiResult<Html<Stri
            None => json!("Never"),
        };

-        usr["sso_identifier"] = json!(sso_u.map(|u| u.identifier.to_string()).unwrap_or(String::new()));
+        usr["sso_identifier"] = json!(sso_u.map_or(String::new(), |u| u.identifier.to_string()));

        users_json.push(usr);
    }
@@ -464,15 +468,15 @@ async fn deauth_user(user_id: UserId, _token: AdminToken, conn: DbConn, nt: Noti

    if CONFIG.push_enabled() {
        for device in Device::find_push_devices_by_user(&user.uuid, &conn).await {
-            match unregister_push_device(&device.push_uuid).await {
+            match unregister_push_device(device.push_uuid.as_ref()).await {
                Ok(r) => r,
                Err(e) => error!("Unable to unregister devices from Bitwarden server: {e}"),
-            };
+            }
        }
    }

    Device::delete_all_by_user(&user.uuid, &conn).await?;
-    user.reset_security_stamp();
+    user.reset_security_stamp(&conn).await?;

    user.save(&conn).await
 }
@@ -480,14 +484,15 @@ async fn deauth_user(user_id: UserId, _token: AdminToken, conn: DbConn, nt: Noti
 #[post("/users/<user_id>/disable", format = "application/json")]
 async fn disable_user(user_id: UserId, _token: AdminToken, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &conn).await?;
-    Device::delete_all_by_user(&user.uuid, &conn).await?;
-    user.reset_security_stamp();
+    user.reset_security_stamp(&conn).await?;
    user.enabled = false;

    let save_result = user.save(&conn).await;

    nt.send_logout(&user, None, &conn).await;

+    Device::delete_all_by_user(&user.uuid, &conn).await?;
+
    save_result
 }

@@ -517,8 +522,12 @@ async fn resend_user_invite(user_id: UserId, _token: AdminToken, conn: DbConn) -
        }

        if CONFIG.mail_enabled() {
-            let org_id: OrganizationId = FAKE_ADMIN_UUID.to_string().into();
-            let member_id: MembershipId = FAKE_ADMIN_UUID.to_string().into();
+            let org_id: OrganizationId = if CONFIG.sso_enabled() {
+                FAKE_SSO_IDENTIFIER.into()
+            } else {
+                FAKE_ADMIN_UUID.into()
+            };
+            let member_id: MembershipId = FAKE_ADMIN_UUID.to_owned().into();
            mail::send_invite(&user, org_id, member_id, &CONFIG.invitation_org_name(), None).await
        } else {
            Ok(())
@@ -544,9 +553,10 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
        err!("The specified user isn't member of the organization")
    };

-    let new_type = match MembershipType::from_str(&data.user_type.into_string()) {
-        Some(new_type) => new_type as i32,
-        None => err!("Invalid type"),
+    let new_type = if let Some(new_type) = MembershipType::from_str(&data.user_type.into_string()) {
+        new_type as i32
+    } else {
+        err!("Invalid type")
    };

    if member_to_edit.atype == MembershipType::Owner && new_type != MembershipType::Owner {
@@ -637,7 +647,6 @@ use cached::proc_macro::cached;
 /// Cache this function to prevent API call rate limit. Github only allows 60 requests per hour, and we use 3 here already
 /// It will cache this function for 600 seconds (10 minutes) which should prevent the exhaustion of the rate limit
 /// Any cache will be lost if Vaultwarden is restarted
-use std::time::Duration; // Needed for cached
 #[cached(time = 600, sync_writes = "default")]
 async fn get_release_info(has_http_access: bool) -> (String, String, String) {
    // If the HTTP Check failed, do not even attempt to check for new versions since we were not able to connect with github.com anyway.
@@ -647,42 +656,40 @@ async fn get_release_info(has_http_access: bool) -> (String, String, String) {
                .await
            {
                Ok(r) => r.tag_name,
-                _ => "-".to_string(),
+                _ => "-".to_owned(),
            },
            match get_json_api::<GitCommit>("https://api.github.com/repos/dani-garcia/vaultwarden/commits/main").await {
                Ok(mut c) => {
                    c.sha.truncate(8);
                    c.sha
                }
-                _ => "-".to_string(),
+                _ => "-".to_owned(),
            },
            // Do not fetch the web-vault version when running within a container
            // The web-vault version is embedded within the container it self, and should not be updated manually
            match get_json_api::<GitRelease>("https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest")
                .await
            {
-                Ok(r) => r.tag_name.trim_start_matches('v').to_string(),
-                _ => "-".to_string(),
+                Ok(r) => r.tag_name.trim_start_matches('v').to_owned(),
+                _ => "-".to_owned(),
            },
        )
    } else {
-        ("-".to_string(), "-".to_string(), "-".to_string())
+        ("-".to_owned(), "-".to_owned(), "-".to_owned())
    }
 }

 async fn get_ntp_time(has_http_access: bool) -> String {
-    if has_http_access {
-        if let Ok(cf_trace) = get_text_api("https://cloudflare.com/cdn-cgi/trace").await {
-            for line in cf_trace.lines() {
-                if let Some((key, value)) = line.split_once('=') {
-                    if key == "ts" {
-                        let ts = value.split_once('.').map_or(value, |(s, _)| s);
-                        if let Ok(dt) = chrono::DateTime::parse_from_str(ts, "%s") {
-                            return dt.format("%Y-%m-%d %H:%M:%S UTC").to_string();
-                        }
-                        break;
-                    }
+    if has_http_access && let Ok(cf_trace) = get_text_api("https://cloudflare.com/cdn-cgi/trace").await {
+        for line in cf_trace.lines() {
+            if let Some((key, value)) = line.split_once('=')
+                && key == "ts"
+            {
+                let ts = value.split_once('.').map_or(value, |(s, _)| s);
+                if let Ok(dt) = chrono::DateTime::parse_from_str(ts, "%s") {
+                    return dt.format("%Y-%m-%d %H:%M:%S UTC").to_string();
                }
+                break;
            }
        }
    }
@@ -725,7 +732,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A
    // Check if we are able to resolve DNS entries
    let dns_resolved = match ("github.com", 0).to_socket_addrs().map(|mut i| i.next()) {
        Ok(Some(a)) => a.ip().to_string(),
-        _ => "Unable to resolve domain name.".to_string(),
+        _ => "Unable to resolve domain name.".to_owned(),
    };

    let (latest_vw_release, latest_vw_commit, latest_web_release) = get_release_info(has_http_access).await;
@@ -734,6 +741,13 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A

    let ip_header_name = &ip_header.0.unwrap_or_default();

+    let invalid_feature_flags: Vec<String> = parse_experimental_client_feature_flags(
+        &CONFIG.experimental_client_feature_flags(),
+        &FeatureFlagFilter::InvalidOnly,
+    )
+    .into_keys()
+    .collect();
+
    let diagnostics_json = json!({
        "dns_resolved": dns_resolved,
        "current_release": VERSION,
@@ -756,6 +770,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A
        "db_version": get_sql_server_version(&conn).await,
        "admin_url": format!("{}/diagnostics", admin_url()),
        "overrides": &CONFIG.get_overrides().join(", "),
+        "invalid_feature_flags": invalid_feature_flags,
        "host_arch": env::consts::ARCH,
        "host_os":  env::consts::OS,
        "tz_env": env::var("TZ").unwrap_or_default(),
@@ -817,33 +832,30 @@ impl<'r> FromRequest<'r> for AdminToken {
    type Error = &'static str;

    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
-        let ip = match ClientIp::from_request(request).await {
-            Outcome::Success(ip) => ip,
-            _ => err_handler!("Error getting Client IP"),
+        let Outcome::Success(ip) = ClientIp::from_request(request).await else {
+            err_handler!("Error getting Client IP")
        };

        if !CONFIG.disable_admin_token() {
            let cookies = request.cookies();

-            let access_token = match cookies.get(COOKIE_NAME) {
-                Some(cookie) => cookie.value(),
-                None => {
-                    let requested_page =
-                        request.segments::<std::path::PathBuf>(0..).unwrap_or_default().display().to_string();
-                    // When the requested page is empty, it is `/admin`, in that case, Forward, so it will render the login page
-                    // Else, return a 401 failure, which will be caught
-                    if requested_page.is_empty() {
-                        return Outcome::Forward(Status::Unauthorized);
-                    } else {
-                        return Outcome::Error((Status::Unauthorized, "Unauthorized"));
-                    }
+            let access_token = if let Some(cookie) = cookies.get(COOKIE_NAME) {
+                cookie.value()
+            } else {
+                let requested_page =
+                    request.segments::<std::path::PathBuf>(0..).unwrap_or_default().display().to_string();
+                // When the requested page is empty, it is `/admin`, in that case, Forward, so it will render the login page
+                // Else, return a 401 failure, which will be caught
+                if requested_page.is_empty() {
+                    return Outcome::Forward(Status::Unauthorized);
                }
+                return Outcome::Error((Status::Unauthorized, "Unauthorized"));
            };

            if decode_admin(access_token).is_err() {
                // Remove admin cookie
                cookies.remove(Cookie::build(COOKIE_NAME).path(admin_path()));
-                error!("Invalid or expired admin JWT. IP: {}.", &ip.ip);
+                error!("Invalid or expired admin JWT. IP: {}.", ip.ip);
                return Outcome::Error((Status::Unauthorized, "Session expired"));
            }
        }
@@ -1,39 +1,41 @@
 use std::collections::HashSet;

-use crate::db::DbPool;
 use chrono::Utc;
-use rocket::serde::json::Json;
-use serde_json::Value;
-
-use crate::{
-    api::{
-        core::{accept_org_invite, log_user_event, two_factor::email},
-        master_password_policy, register_push_device, unregister_push_device, AnonymousNotify, ApiResult, EmptyResult,
-        JsonResult, Notify, PasswordOrOtpData, UpdateType,
-    },
-    auth::{decode_delete, decode_invite, decode_verify_email, ClientHeaders, Headers},
-    crypto,
-    db::{
-        models::{
-            AuthRequest, AuthRequestId, Cipher, CipherId, Device, DeviceId, DeviceType, EmergencyAccess,
-            EmergencyAccessId, EventType, Folder, FolderId, Invitation, Membership, MembershipId, OrgPolicy,
-            OrgPolicyType, Organization, OrganizationId, Send, SendId, User, UserId, UserKdfType,
-        },
-        DbConn,
-    },
-    mail,
-    util::{format_date, NumberOrString},
-    CONFIG,
-};
-
 use rocket::{
    http::Status,
    request::{FromRequest, Outcome, Request},
+    serde::json::Json,
+};
+use serde_json::Value;
+
+use crate::{
+    CONFIG,
+    api::{
+        AnonymousNotify, ApiResult, EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType,
+        core::{accept_org_invite, log_user_event, two_factor::email},
+        master_password_policy, register_push_device, unregister_push_device,
+    },
+    auth::{ClientHeaders, Headers, decode_delete, decode_invite, decode_verify_email},
+    crypto,
+    db::{
+        DbConn, DbPool,
+        models::{
+            AuthRequest, AuthRequestId, Cipher, CipherId, Device, DeviceId, DeviceType, DeviceWithAuthRequest,
+            EmergencyAccess, EmergencyAccessId, EventType, Folder, FolderId, Invitation, Membership, MembershipId,
+            OrgPolicy, OrgPolicyType, Organization, OrganizationId, Send, SendId, User, UserId, UserKdfType,
+        },
+    },
+    mail,
+    util::{NumberOrString, deser_opt_nonempty_str, format_date},
+};
+
+use super::{
+    ciphers::{CipherData, update_cipher_from_data},
+    sends::{SendData, update_send_from_data},
 };

 pub fn routes() -> Vec<rocket::Route> {
    routes![
-        register,
        profile,
        put_profile,
        post_profile,
@@ -55,9 +57,9 @@ pub fn routes() -> Vec<rocket::Route> {
        delete_account,
        revision_date,
        password_hint,
-        prelogin,
+        post_prelogin,
        verify_password,
-        api_key,
+        post_api_key,
        rotate_api_key,
        get_known_device,
        get_all_devices,
@@ -107,7 +109,6 @@ pub struct RegisterData {

    name: Option<String>,

-    #[allow(dead_code)]
    organization_user_id: Option<MembershipId>,

    // Used only from the register/finish endpoint
@@ -139,17 +140,17 @@ struct KeysData {
 }

 /// Trims whitespace from password hints, and converts blank password hints to `None`.
-fn clean_password_hint(password_hint: &Option<String>) -> Option<String> {
+fn clean_password_hint(password_hint: Option<&String>) -> Option<String> {
    match password_hint {
        None => None,
        Some(h) => match h.trim() {
            "" => None,
-            ht => Some(ht.to_string()),
+            ht => Some(ht.to_owned()),
        },
    }
 }

-fn enforce_password_hint_setting(password_hint: &Option<String>) -> EmptyResult {
+fn enforce_password_hint_setting(password_hint: Option<&String>) -> EmptyResult {
    if password_hint.is_some() && !CONFIG.password_hints_allowed() {
        err!("Password hints have been disabled by the administrator. Remove the hint and try again.");
    }
@@ -168,12 +169,7 @@ async fn is_email_2fa_required(member_id: Option<MembershipId>, conn: &DbConn) -
    false
 }

-#[post("/accounts/register", data = "<data>")]
-async fn register(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
-    _register(data, false, conn).await
-}
-
-pub async fn _register(data: Json<RegisterData>, email_verification: bool, conn: DbConn) -> JsonResult {
+pub async fn register(data: Json<RegisterData>, email_verification: bool, conn: DbConn) -> JsonResult {
    let mut data: RegisterData = data.into_inner();
    let email = data.email.to_lowercase();

@@ -244,16 +240,16 @@ pub async fn _register(data: Json<RegisterData>, email_verification: bool, conn:

    // Check if the length of the username exceeds 50 characters (Same is Upstream Bitwarden)
    // This also prevents issues with very long usernames causing to large JWT's. See #2419
-    if let Some(ref name) = data.name {
-        if name.len() > 50 {
-            err!("The field Name must be a string with a maximum length of 50.");
-        }
+    if let Some(ref name) = data.name
+        && name.len() > 50
+    {
+        err!("The field Name must be a string with a maximum length of 50.");
    }

    // Check against the password hint setting here so if it fails, the user
    // can retry without losing their invitation below.
-    let password_hint = clean_password_hint(&data.master_password_hint);
-    enforce_password_hint_setting(&password_hint)?;
+    let password_hint = clean_password_hint(data.master_password_hint.as_ref());
+    enforce_password_hint_setting(password_hint.as_ref())?;

    let mut user = match User::find_by_mail(&email, &conn).await {
        Some(user) => {
@@ -302,7 +298,7 @@ pub async fn _register(data: Json<RegisterData>, email_verification: bool, conn:

    set_kdf_data(&mut user, &data.kdf)?;

-    user.set_password(&data.master_password_hash, Some(data.key), true, None);
+    user.set_password(&data.master_password_hash, Some(data.key), true, None, &conn).await?;
    user.password_hint = password_hint;

    // Add extra fields if present
@@ -360,8 +356,8 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:

    // Check against the password hint setting here so if it fails,
    // the user can retry without losing their invitation below.
-    let password_hint = clean_password_hint(&data.master_password_hint);
-    enforce_password_hint_setting(&password_hint)?;
+    let password_hint = clean_password_hint(data.master_password_hint.as_ref());
+    enforce_password_hint_setting(password_hint.as_ref())?;

    set_kdf_data(&mut user, &data.kdf)?;

@@ -370,7 +366,9 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
        Some(data.key),
        false,
        Some(vec![String::from("revision_date")]), // We need to allow revision-date to use the old security_timestamp
-    );
+        &conn,
+    )
+    .await?;
    user.password_hint = password_hint;

    if let Some(keys) = data.keys {
@@ -378,20 +376,19 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
        user.public_key = Some(keys.public_key);
    }

-    if let Some(identifier) = data.org_identifier {
-        if identifier != crate::sso::FAKE_IDENTIFIER && identifier != crate::api::admin::FAKE_ADMIN_UUID {
-            let org = match Organization::find_by_uuid(&identifier.into(), &conn).await {
-                None => err!("Failed to retrieve the associated organization"),
-                Some(org) => org,
-            };
+    if let Some(identifier) = data.org_identifier
+        && identifier != crate::sso::FAKE_SSO_IDENTIFIER
+        && identifier != crate::api::admin::FAKE_ADMIN_UUID
+    {
+        let Some(org) = Organization::find_by_uuid(&identifier.into(), &conn).await else {
+            err!("Failed to retrieve the associated organization")
+        };

-            let membership = match Membership::find_by_user_and_org(&user.uuid, &org.uuid, &conn).await {
-                None => err!("Failed to retrieve the invitation"),
-                Some(org) => org,
-            };
+        let Some(membership) = Membership::find_by_user_and_org(&user.uuid, &org.uuid, &conn).await else {
+            err!("Failed to retrieve the invitation")
+        };

-            accept_org_invite(&user, membership, None, &conn).await?;
-        }
+        accept_org_invite(&user, membership, None, &conn).await?;
    }

    if CONFIG.mail_enabled() {
@@ -458,10 +455,10 @@ async fn put_avatar(data: Json<AvatarData>, headers: Headers, conn: DbConn) -> J
    // It looks like it only supports the 6 hex color format.
    // If you try to add the short value it will not show that color.
    // Check and force 7 chars, including the #.
-    if let Some(color) = &data.avatar_color {
-        if color.len() != 7 {
-            err!("The field AvatarColor must be a HTML/Hex color code with a length of 7 characters")
-        }
+    if let Some(color) = &data.avatar_color
+        && color.len() != 7
+    {
+        err!("The field AvatarColor must be a HTML/Hex color code with a length of 7 characters")
    }

    let mut user = headers.user;
@@ -522,8 +519,8 @@ async fn post_password(data: Json<ChangePassData>, headers: Headers, conn: DbCon
        err!("Invalid password")
    }

-    user.password_hint = clean_password_hint(&data.master_password_hint);
-    enforce_password_hint_setting(&user.password_hint)?;
+    user.password_hint = clean_password_hint(data.master_password_hint.as_ref());
+    enforce_password_hint_setting(user.password_hint.as_ref())?;

    log_user_event(EventType::UserChangedPassword as i32, &user.uuid, headers.device.atype, &headers.ip.ip, &conn)
        .await;
@@ -538,14 +535,16 @@ async fn post_password(data: Json<ChangePassData>, headers: Headers, conn: DbCon
            String::from("get_public_keys"),
            String::from("get_api_webauthn"),
        ]),
-    );
+        &conn,
+    )
+    .await?;

    let save_result = user.save(&conn).await;

    // Prevent logging out the client where the user requested this endpoint from.
    // If you do logout the user it will causes issues at the client side.
    // Adding the device uuid will prevent this.
-    nt.send_logout(&user, Some(headers.device.uuid.clone()), &conn).await;
+    nt.send_logout(&user, Some(&headers.device), &conn).await;

    save_result
 }
@@ -585,7 +584,6 @@ fn set_kdf_data(user: &mut User, data: &KDFData) -> EmptyResult {
    Ok(())
 }

-#[allow(dead_code)]
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AuthenticationData {
@@ -594,7 +592,6 @@ struct AuthenticationData {
    master_password_authentication_hash: String,
 }

-#[allow(dead_code)]
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct UnlockData {
@@ -603,11 +600,12 @@ struct UnlockData {
    master_key_wrapped_user_key: String,
 }

-#[allow(dead_code)]
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ChangeKdfData {
+    #[allow(dead_code)]
    new_master_password_hash: String,
+    #[allow(dead_code)]
    key: String,
    authentication_data: AuthenticationData,
    unlock_data: UnlockData,
@@ -639,10 +637,12 @@ async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, conn: DbConn, nt:
        Some(data.unlock_data.master_key_wrapped_user_key),
        true,
        None,
-    );
+        &conn,
+    )
+    .await?;
    let save_result = user.save(&conn).await;

-    nt.send_logout(&user, Some(headers.device.uuid.clone()), &conn).await;
+    nt.send_logout(&user, Some(&headers.device), &conn).await;

    save_result
 }
@@ -653,6 +653,7 @@ struct UpdateFolderData {
    // There is a bug in 2024.3.x which adds a `null` item.
    // To bypass this we allow a Option here, but skip it during the updates
    // See: https://github.com/bitwarden/clients/issues/8453
+    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    id: Option<FolderId>,
    name: String,
 }
@@ -671,9 +672,6 @@ struct UpdateResetPasswordData {
    reset_password_key: String,
 }

-use super::ciphers::CipherData;
-use super::sends::{update_send_from_data, SendData};
-
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct KeyData {
@@ -843,7 +841,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn, nt:
            };

            saved_folder.name = folder_data.name;
-            saved_folder.save(&conn).await?
+            saved_folder.save(&conn).await?;
        }
    }

@@ -856,7 +854,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn, nt:
        };

        saved_emergency_access.key_encrypted = Some(emergency_access_data.key_encrypted);
-        saved_emergency_access.save(&conn).await?
+        saved_emergency_access.save(&conn).await?;
    }

    // Update reset password data
@@ -868,7 +866,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn, nt:
        };

        membership.reset_password_key = Some(reset_password_data.reset_password_key);
-        membership.save(&conn).await?
+        membership.save(&conn).await?;
    }

    // Update send data
@@ -881,8 +879,6 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn, nt:
    }

    // Update cipher data
-    use super::ciphers::update_cipher_from_data;
-
    for cipher_data in data.account_data.ciphers {
        if cipher_data.organization_id.is_none() {
            let Some(saved_cipher) = existing_ciphers.iter_mut().find(|c| &c.uuid == cipher_data.id.as_ref().unwrap())
@@ -893,7 +889,7 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn, nt:
            // Prevent triggering cipher updates via WebSockets by settings UpdateType::None
            // The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues.
            // We force the users to logout after the user has been saved to try and prevent these issues.
-            update_cipher_from_data(saved_cipher, cipher_data, &headers, None, &conn, &nt, UpdateType::None).await?
+            update_cipher_from_data(saved_cipher, cipher_data, &headers, None, &conn, &nt, UpdateType::None).await?;
        }
    }

@@ -906,14 +902,16 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn, nt:
        Some(data.account_unlock_data.master_password_unlock_data.master_key_encrypted_user_key),
        true,
        None,
-    );
+        &conn,
+    )
+    .await?;

    let save_result = user.save(&conn).await;

    // Prevent logging out the client where the user requested this endpoint from.
    // If you do logout the user it will causes issues at the client side.
    // Adding the device uuid will prevent this.
-    nt.send_logout(&user, Some(headers.device.uuid.clone()), &conn).await;
+    nt.send_logout(&user, Some(&headers.device), &conn).await;

    save_result
 }
@@ -925,12 +923,13 @@ async fn post_sstamp(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbCo

    data.validate(&user, true, &conn).await?;

-    Device::delete_all_by_user(&user.uuid, &conn).await?;
-    user.reset_security_stamp();
+    user.reset_security_stamp(&conn).await?;
    let save_result = user.save(&conn).await;

    nt.send_logout(&user, None, &conn).await;

+    Device::delete_all_by_user(&user.uuid, &conn).await?;
+
    save_result
 }

@@ -1020,24 +1019,22 @@ async fn post_email(data: Json<ChangeEmailData>, headers: Headers, conn: DbConn,
        err!("Email already in use");
    }

-    match user.email_new {
-        Some(ref val) => {
-            if val != &data.new_email {
-                err!("Email change mismatch");
-            }
+    if let Some(ref val) = user.email_new {
+        if val != &data.new_email {
+            err!("Email change mismatch");
        }
-        None => err!("No email change pending"),
+    } else {
+        err!("No email change pending")
    }

    if CONFIG.mail_enabled() {
        // Only check the token if we sent out an email...
-        match user.email_new_token {
-            Some(ref val) => {
-                if *val != data.token.into_string() {
-                    err!("Token mismatch");
-                }
+        if let Some(ref val) = user.email_new_token {
+            if *val != data.token.into_string() {
+                err!("Token mismatch");
            }
-            None => err!("No email change pending"),
+        } else {
+            err!("No email change pending")
        }
        user.verified_at = Some(Utc::now().naive_utc());
    } else {
@@ -1048,7 +1045,7 @@ async fn post_email(data: Json<ChangeEmailData>, headers: Headers, conn: DbConn,
    user.email_new = None;
    user.email_new_token = None;

-    user.set_password(&data.new_master_password_hash, Some(data.key), true, None);
+    user.set_password(&data.new_master_password_hash, Some(data.key), true, None, &conn).await?;

    let save_result = user.save(&conn).await;

@@ -1114,10 +1111,10 @@ async fn post_delete_recover(data: Json<DeleteRecoverData>, conn: DbConn) -> Emp
    let data: DeleteRecoverData = data.into_inner();

    if CONFIG.mail_enabled() {
-        if let Some(user) = User::find_by_mail(&data.email, &conn).await {
-            if let Err(e) = mail::send_delete_account(&user.email, &user.uuid).await {
-                error!("Error sending delete account email: {e:#?}");
-            }
+        if let Some(user) = User::find_by_mail(&data.email, &conn).await
+            && let Err(e) = mail::send_delete_account(&user.email, &user.uuid).await
+        {
+            error!("Error sending delete account email: {e:#?}");
        }
        Ok(())
    } else {
@@ -1169,6 +1166,7 @@ async fn delete_account(data: Json<PasswordOrOtpData>, headers: Headers, conn: D
    user.delete(&conn).await
 }

+#[expect(clippy::needless_pass_by_value, reason = "Not beneficial for Headers")]
 #[get("/accounts/revision-date")]
 fn revision_date(headers: Headers) -> JsonResult {
    let revision_date = headers.user.updated_at.and_utc().timestamp_millis();
@@ -1183,12 +1181,12 @@ struct PasswordHintData {

 #[post("/accounts/password-hint", data = "<data>")]
 async fn password_hint(data: Json<PasswordHintData>, conn: DbConn) -> EmptyResult {
+    const NO_HINT: &str = "Sorry, you have no password hint...";
+
    if !CONFIG.password_hints_allowed() || (!CONFIG.mail_enabled() && !CONFIG.show_password_hint()) {
        err!("This server is not configured to provide password hints.");
    }

-    const NO_HINT: &str = "Sorry, you have no password hint...";
-
    let data: PasswordHintData = data.into_inner();
    let email = &data.email;

@@ -1199,10 +1197,9 @@ async fn password_hint(data: Json<PasswordHintData>, conn: DbConn) -> EmptyResul
                // There is still a timing side channel here in that the code
                // paths that send mail take noticeably longer than ones that
                // don't. Add a randomized sleep to mitigate this somewhat.
-                use rand::{rngs::SmallRng, Rng, SeedableRng};
-                let mut rng = SmallRng::from_os_rng();
-                let delta: i32 = 100;
-                let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
+                use rand::{RngExt, rngs::SmallRng};
+                let mut rng: SmallRng = rand::make_rng();
+                let sleep_ms: u64 = rng.random_range(900..=1100);
                tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
                Ok(())
            } else {
@@ -1230,11 +1227,11 @@ pub struct PreloginData {
 }

 #[post("/accounts/prelogin", data = "<data>")]
-async fn prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
-    _prelogin(data, conn).await
+async fn post_prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
+    prelogin(data, conn).await
 }

-pub async fn _prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
+pub async fn prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
    let data: PreloginData = data.into_inner();

    let (kdf_type, kdf_iter, kdf_mem, kdf_para) = match User::find_by_mail(&data.email, &conn).await {
@@ -1261,7 +1258,7 @@ struct SecretVerificationRequest {
 pub async fn kdf_upgrade(user: &mut User, pwd_hash: &str, conn: &DbConn) -> ApiResult<()> {
    if user.password_iterations < CONFIG.password_iterations() {
        user.password_iterations = CONFIG.password_iterations();
-        user.set_password(pwd_hash, None, false, None);
+        user.set_password(pwd_hash, None, false, None, conn).await?;

        if let Err(e) = user.save(conn).await {
            error!("Error updating user: {e:#?}");
@@ -1284,9 +1281,7 @@ async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers
    Ok(Json(master_password_policy(&user, &conn).await))
 }

-async fn _api_key(data: Json<PasswordOrOtpData>, rotate: bool, headers: Headers, conn: DbConn) -> JsonResult {
-    use crate::util::format_date;
-
+async fn update_api_key(data: Json<PasswordOrOtpData>, rotate: bool, headers: Headers, conn: DbConn) -> JsonResult {
    let data: PasswordOrOtpData = data.into_inner();
    let mut user = headers.user;

@@ -1305,13 +1300,13 @@ async fn _api_key(data: Json<PasswordOrOtpData>, rotate: bool, headers: Headers,
 }

 #[post("/accounts/api-key", data = "<data>")]
-async fn api_key(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbConn) -> JsonResult {
-    _api_key(data, false, headers, conn).await
+async fn post_api_key(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbConn) -> JsonResult {
+    update_api_key(data, false, headers, conn).await
 }

 #[post("/accounts/rotate-api-key", data = "<data>")]
 async fn rotate_api_key(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbConn) -> JsonResult {
-    _api_key(data, true, headers, conn).await
+    update_api_key(data, true, headers, conn).await
 }

 #[get("/devices/knowndevice")]
@@ -1335,6 +1330,11 @@ impl<'r> FromRequest<'r> for KnownDevice {

    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let email = if let Some(email_b64) = req.headers().get_one("X-Request-Email") {
+            // Bitwarden seems to send padded Base64 strings since 2026.2.1
+            // Since these values are not streamed and Headers are always split by newlines
+            // we can safely ignore padding here and remove any '=' appended.
+            let email_b64 = email_b64.trim_end_matches('=');
+
            let Ok(email_bytes) = data_encoding::BASE64URL_NOPAD.decode(email_b64.as_bytes()) else {
                return Outcome::Error((Status::BadRequest, "X-Request-Email value failed to decode as base64url"));
            };
@@ -1349,7 +1349,7 @@ impl<'r> FromRequest<'r> for KnownDevice {
        };

        let uuid = if let Some(uuid) = req.headers().get_one("X-Device-Identifier") {
-            uuid.to_string().into()
+            uuid.to_owned().into()
        } else {
            return Outcome::Error((Status::BadRequest, "X-Device-Identifier value is required"));
        };
@@ -1364,7 +1364,7 @@ impl<'r> FromRequest<'r> for KnownDevice {
 #[get("/devices")]
 async fn get_all_devices(headers: Headers, conn: DbConn) -> JsonResult {
    let devices = Device::find_with_auth_request_by_user(&headers.user.uuid, &conn).await;
-    let devices = devices.iter().map(|device| device.to_json()).collect::<Vec<Value>>();
+    let devices = devices.iter().map(DeviceWithAuthRequest::to_json).collect::<Vec<Value>>();

    Ok(Json(json!({
        "data": devices,
@@ -1434,7 +1434,7 @@ async fn put_clear_device_token(device_id: DeviceId, conn: DbConn) -> EmptyResul

    if let Some(device) = Device::find_by_uuid(&device_id, &conn).await {
        Device::clear_push_token_by_uuid(&device_id, &conn).await?;
-        unregister_push_device(&device.push_uuid).await?;
+        unregister_push_device(device.push_uuid.as_ref()).await?;
    }

    Ok(())
@@ -1704,6 +1704,6 @@ pub async fn purge_auth_requests(pool: DbPool) {
    if let Ok(conn) = pool.get().await {
        AuthRequest::purge_expired_auth_requests(&conn).await;
    } else {
-        error!("Failed to get DB connection while purging trashed ciphers")
+        error!("Failed to get DB connection while purging auth requests");
    }
 }
@@ -2,30 +2,30 @@ use std::collections::{HashMap, HashSet};

 use chrono::{NaiveDateTime, Utc};
 use num_traits::ToPrimitive;
-use rocket::fs::TempFile;
-use rocket::serde::json::Json;
 use rocket::{
-    form::{Form, FromForm},
    Route,
+    form::{Form, FromForm},
+    fs::TempFile,
+    serde::json::Json,
 };
 use serde_json::Value;

-use crate::auth::ClientVersion;
-use crate::util::{save_temp_file, NumberOrString};
 use crate::{
-    api::{self, core::log_event, EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType},
-    auth::Headers,
+    CONFIG,
+    api::{self, EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType, core::log_event},
+    auth::ClientVersion,
+    auth::{Headers, OrgIdGuard, OwnerHeaders},
    config::PathType,
    crypto,
    db::{
-        models::{
-            Attachment, AttachmentId, Cipher, CipherId, Collection, CollectionCipher, CollectionGroup, CollectionId,
-            CollectionUser, EventType, Favorite, Folder, FolderCipher, FolderId, Group, Membership, MembershipType,
-            OrgPolicy, OrgPolicyType, OrganizationId, RepromptType, Send, UserId,
-        },
        DbConn, DbPool,
+        models::{
+            Archive, Attachment, AttachmentId, Cipher, CipherId, Collection, CollectionCipher, CollectionGroup,
+            CollectionId, CollectionUser, EventType, Favorite, Folder, FolderCipher, FolderId, Group, Membership,
+            MembershipType, OrgPolicy, OrgPolicyType, OrganizationId, RepromptType, Send, UserId,
+        },
    },
-    CONFIG,
+    util::{NumberOrString, deser_opt_nonempty_str, save_temp_file},
 };

 use super::folders::FolderData;
@@ -86,7 +86,8 @@ pub fn routes() -> Vec<Route> {
        restore_cipher_put_admin,
        restore_cipher_selected,
        restore_cipher_selected_admin,
-        delete_all,
+        purge_org_vault,
+        purge_personal_vault,
        move_cipher_selected,
        move_cipher_selected_put,
        put_collections2_update,
@@ -95,6 +96,10 @@ pub fn routes() -> Vec<Route> {
        post_collections_update,
        post_collections_admin,
        put_collections_admin,
+        archive_cipher_put,
+        archive_cipher_selected,
+        unarchive_cipher_put,
+        unarchive_cipher_selected,
    ]
 }

@@ -103,7 +108,7 @@ pub async fn purge_trashed_ciphers(pool: DbPool) {
    if let Ok(conn) = pool.get().await {
        Cipher::purge_trash(&conn).await;
    } else {
-        error!("Failed to get DB connection while purging trashed ciphers")
+        error!("Failed to get DB connection while purging trashed ciphers");
    }
 }

@@ -159,7 +164,7 @@ async fn sync(data: SyncData, headers: Headers, client_version: Option<ClientVer
    let domains_json = if data.exclude_domains {
        Value::Null
    } else {
-        api::core::_get_eq_domains(&headers, true).into_inner()
+        api::core::get_eq_domains(&headers, true).into_inner()
    };

    // This is very similar to the the userDecryptionOptions sent in connect/token,
@@ -247,6 +252,7 @@ pub struct CipherData {
    // Id is optional as it is included only in bulk share
    pub id: Option<CipherId>,
    // Folder id is not included in import
+    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    pub folder_id: Option<FolderId>,
    // TODO: Some of these might appear all the time, no need for Option
    #[serde(alias = "organizationID")]
@@ -291,11 +297,13 @@ pub struct CipherData {
    // when using older client versions, or if the operation doesn't involve
    // updating an existing cipher.
    last_known_revision_date: Option<String>,
+    archived_date: Option<String>,
 }

 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct PartialCipherData {
+    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    folder_id: Option<FolderId>,
    favorite: bool,
 }
@@ -393,20 +401,34 @@ pub async fn update_cipher_from_data(
    nt: &Notify<'_>,
    ut: UpdateType,
 ) -> EmptyResult {
+    // Cleanup cipher data, like removing the 'Response' key.
+    // This key is somewhere generated during Javascript so no way for us this fix this.
+    // Also, upstream only retrieves keys they actually want to store, and thus skip the 'Response' key.
+    // We do not mind which data is in it, the keep our model more flexible when there are upstream changes.
+    // But, we at least know we do not need to store and return this specific key.
+    fn clean_cipher_data(mut json_data: Value) -> Value {
+        if json_data.is_array() {
+            json_data.as_array_mut().unwrap().iter_mut().for_each(|ref mut f| {
+                f.as_object_mut().unwrap().remove("response");
+            });
+        }
+        json_data
+    }
+
    enforce_personal_ownership_policy(Some(&data), headers, conn).await?;

    // Check that the client isn't updating an existing cipher with stale data.
    // And only perform this check when not importing ciphers, else the date/time check will fail.
-    if ut != UpdateType::None {
-        if let Some(dt) = data.last_known_revision_date {
-            match NaiveDateTime::parse_from_str(&dt, "%+") {
-                // ISO 8601 format
-                Err(err) => warn!("Error parsing LastKnownRevisionDate '{dt}': {err}"),
-                Ok(dt) if cipher.updated_at.signed_duration_since(dt).num_seconds() > 1 => {
-                    err!("The client copy of this cipher is out of date. Resync the client and try again.")
-                }
-                Ok(_) => (),
+    if ut != UpdateType::None
+        && let Some(dt) = data.last_known_revision_date
+    {
+        match NaiveDateTime::parse_from_str(&dt, "%+") {
+            // ISO 8601 format
+            Err(err) => warn!("Error parsing LastKnownRevisionDate '{dt}': {err}"),
+            Ok(dt) if cipher.updated_at.signed_duration_since(dt).num_seconds() > 1 => {
+                err!("The client copy of this cipher is out of date. Resync the client and try again.")
            }
+            Ok(_) => (),
        }
    }

@@ -425,7 +447,7 @@ pub async fn update_cipher_from_data(
    let transfer_cipher = cipher.organization_uuid.is_none() && data.organization_id.is_some();

    if let Some(org_id) = data.organization_id {
-        match Membership::find_by_user_and_org(&headers.user.uuid, &org_id, conn).await {
+        match Membership::find_confirmed_by_user_and_org(&headers.user.uuid, &org_id, conn).await {
            None => err!("You don't have permission to add item to organization"),
            Some(member) => {
                if shared_to_collections.is_some()
@@ -448,25 +470,22 @@ pub async fn update_cipher_from_data(
        cipher.user_uuid = Some(headers.user.uuid.clone());
    }

-    if let Some(ref folder_id) = data.folder_id {
-        if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, conn).await.is_none() {
-            err!("Invalid folder", "Folder does not exist or belongs to another user");
-        }
+    if let Some(ref folder_id) = data.folder_id
+        && Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, conn).await.is_none()
+    {
+        err!("Invalid folder", "Folder does not exist or belongs to another user");
    }

    // Modify attachments name and keys when rotating
    if let Some(attachments) = data.attachments2 {
        for (id, attachment) in attachments {
-            let mut saved_att = match Attachment::find_by_id(&id, conn).await {
-                Some(att) => att,
-                None => {
-                    // Warn and continue here.
-                    // A missing attachment means it was removed via an other client.
-                    // Also the Desktop Client supports removing attachments and save an update afterwards.
-                    // Bitwarden it self ignores these mismatches server side.
-                    warn!("Attachment {id} doesn't exist");
-                    continue;
-                }
+            let Some(mut saved_att) = Attachment::find_by_id(&id, conn).await else {
+                // Warn and continue here.
+                // A missing attachment means it was removed via an other client.
+                // Also the Desktop Client supports removing attachments and save an update afterwards.
+                // Bitwarden it self ignores these mismatches server side.
+                warn!("Attachment {id} doesn't exist");
+                continue;
            };

            if saved_att.cipher_uuid != cipher.uuid {
@@ -483,20 +502,6 @@ pub async fn update_cipher_from_data(
        }
    }

-    // Cleanup cipher data, like removing the 'Response' key.
-    // This key is somewhere generated during Javascript so no way for us this fix this.
-    // Also, upstream only retrieves keys they actually want to store, and thus skip the 'Response' key.
-    // We do not mind which data is in it, the keep our model more flexible when there are upstream changes.
-    // But, we at least know we do not need to store and return this specific key.
-    fn _clean_cipher_data(mut json_data: Value) -> Value {
-        if json_data.is_array() {
-            json_data.as_array_mut().unwrap().iter_mut().for_each(|ref mut f| {
-                f.as_object_mut().unwrap().remove("response");
-            });
-        };
-        json_data
-    }
-
    let type_data_opt = match data.r#type {
        1 => data.login,
        2 => data.secure_note,
@@ -506,23 +511,22 @@ pub async fn update_cipher_from_data(
        _ => err!("Invalid type"),
    };

-    let type_data = match type_data_opt {
-        Some(mut data) => {
-            // Remove the 'Response' key from the base object.
-            data.as_object_mut().unwrap().remove("response");
-            // Remove the 'Response' key from every Uri.
-            if data["uris"].is_array() {
-                data["uris"] = _clean_cipher_data(data["uris"].clone());
-            }
-            data
+    let type_data = if let Some(mut data) = type_data_opt {
+        // Remove the 'Response' key from the base object.
+        data.as_object_mut().unwrap().remove("response");
+        // Remove the 'Response' key from every Uri.
+        if data["uris"].is_array() {
+            data["uris"] = clean_cipher_data(data["uris"].clone());
        }
-        None => err!("Data missing"),
+        data
+    } else {
+        err!("Data missing")
    };

    cipher.key = data.key;
    cipher.name = data.name;
    cipher.notes = data.notes;
-    cipher.fields = data.fields.map(|f| _clean_cipher_data(f).to_string());
+    cipher.fields = data.fields.map(|f| clean_cipher_data(f).to_string());
    cipher.data = type_data.to_string();
    cipher.password_history = data.password_history.map(|f| f.to_string());
    cipher.reprompt = data.reprompt.filter(|r| *r == RepromptType::None as i32 || *r == RepromptType::Password as i32);
@@ -531,6 +535,13 @@ pub async fn update_cipher_from_data(
    cipher.move_to_folder(data.folder_id, &headers.user.uuid, conn).await?;
    cipher.set_favorite(data.favorite, &headers.user.uuid, conn).await?;

+    if let Some(dt_str) = data.archived_date {
+        match NaiveDateTime::parse_from_str(&dt_str, "%+") {
+            Ok(dt) => cipher.set_archived_at(dt, &headers.user.uuid, conn).await?,
+            Err(err) => warn!("Error parsing ArchivedDate '{dt_str}': {err}"),
+        }
+    }
+
    if ut != UpdateType::None {
        // Only log events for organizational ciphers
        if let Some(org_id) = &cipher.organization_uuid {
@@ -597,7 +608,7 @@ async fn post_ciphers_import(data: Json<ImportData>, headers: Headers, conn: DbC
    let existing_folders: HashSet<Option<FolderId>> =
        Folder::find_by_user(&headers.user.uuid, &conn).await.into_iter().map(|f| Some(f.uuid)).collect();
    let mut folders: Vec<FolderId> = Vec::with_capacity(data.folders.len());
-    for folder in data.folders.into_iter() {
+    for folder in data.folders {
        let folder_id = if existing_folders.contains(&folder.id) {
            folder.id.unwrap()
        } else {
@@ -627,7 +638,7 @@ async fn post_ciphers_import(data: Json<ImportData>, headers: Headers, conn: DbC

    let mut user = headers.user;
    user.update_revision(&conn).await?;
-    nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
+    nt.send_user_update(UpdateType::SyncVault, &user, headers.device.push_uuid.as_ref(), &conn).await;

    Ok(())
 }
@@ -715,13 +726,17 @@ async fn put_cipher_partial(
    let data: PartialCipherData = data.into_inner();

    let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).await else {
-        err!("Cipher doesn't exist")
+        err!("Cipher does not exist")
    };

-    if let Some(ref folder_id) = data.folder_id {
-        if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none() {
-            err!("Invalid folder", "Folder does not exist or belongs to another user");
-        }
+    if !cipher.is_accessible_to_user(&headers.user.uuid, &conn).await {
+        err!("Cipher does not exist", "Cipher is not accessible for the current user")
+    }
+
+    if let Some(ref folder_id) = data.folder_id
+        && Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none()
+    {
+        err!("Invalid folder", "Folder does not exist or belongs to another user");
    }

    // Move cipher
@@ -795,12 +810,16 @@ async fn post_collections_update(
        err!("Collection cannot be changed")
    }

+    let Some(ref org_uuid) = cipher.organization_uuid else {
+        err!("Cipher is not owned by an organization")
+    };
+
    let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids);
    let current_collections =
        HashSet::<CollectionId>::from_iter(cipher.get_collections(headers.user.uuid.clone(), &conn).await);

    for collection in posted_collections.symmetric_difference(&current_collections) {
-        match Collection::find_by_uuid_and_org(collection, cipher.organization_uuid.as_ref().unwrap(), &conn).await {
+        match Collection::find_by_uuid_and_org(collection, org_uuid, &conn).await {
            None => err!("Invalid collection ID provided"),
            Some(collection) => {
                if collection.is_writable_by_user(&headers.user.uuid, &conn).await {
@@ -831,7 +850,7 @@ async fn post_collections_update(
    log_event(
        EventType::CipherUpdatedCollections as i32,
        &cipher.uuid,
-        &cipher.organization_uuid.clone().unwrap(),
+        org_uuid,
        &headers.user.uuid,
        headers.device.atype,
        &headers.ip.ip,
@@ -871,12 +890,16 @@ async fn post_collections_admin(
        err!("Collection cannot be changed")
    }

+    let Some(ref org_uuid) = cipher.organization_uuid else {
+        err!("Cipher is not owned by an organization")
+    };
+
    let posted_collections = HashSet::<CollectionId>::from_iter(data.collection_ids);
    let current_collections =
        HashSet::<CollectionId>::from_iter(cipher.get_admin_collections(headers.user.uuid.clone(), &conn).await);

    for collection in posted_collections.symmetric_difference(&current_collections) {
-        match Collection::find_by_uuid_and_org(collection, cipher.organization_uuid.as_ref().unwrap(), &conn).await {
+        match Collection::find_by_uuid_and_org(collection, org_uuid, &conn).await {
            None => err!("Invalid collection ID provided"),
            Some(collection) => {
                if collection.is_writable_by_user(&headers.user.uuid, &conn).await {
@@ -907,7 +930,7 @@ async fn post_collections_admin(
    log_event(
        EventType::CipherUpdatedCollections as i32,
        &cipher.uuid,
-        &cipher.organization_uuid.unwrap(),
+        org_uuid,
        &headers.user.uuid,
        headers.device.atype,
        &headers.ip.ip,
@@ -977,7 +1000,7 @@ async fn put_cipher_share_selected(
        err!("You must select at least one collection.")
    }

-    for cipher in data.ciphers.iter() {
+    for cipher in &data.ciphers {
        if cipher.id.is_none() {
            err!("Request missing ids field")
        }
@@ -989,16 +1012,15 @@ async fn put_cipher_share_selected(
            collection_ids: data.collection_ids.clone(),
        };

-        match shared_cipher_data.cipher.id.take() {
-            Some(id) => {
-                share_cipher_by_uuid(&id, shared_cipher_data, &headers, &conn, &nt, Some(UpdateType::None)).await?
-            }
-            None => err!("Request missing ids field"),
+        if let Some(id) = shared_cipher_data.cipher.id.take() {
+            share_cipher_by_uuid(&id, shared_cipher_data, &headers, &conn, &nt, Some(UpdateType::None)).await?
+        } else {
+            err!("Request missing ids field")
        };
    }

    // Multi share actions do not send out a push for each cipher, we need to send a general sync here
-    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, &headers.device.push_uuid, &conn).await;
+    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, headers.device.push_uuid.as_ref(), &conn).await;

    Ok(())
 }
@@ -1011,15 +1033,14 @@ async fn share_cipher_by_uuid(
    nt: &Notify<'_>,
    override_ut: Option<UpdateType>,
 ) -> JsonResult {
-    let mut cipher = match Cipher::find_by_uuid(cipher_id, conn).await {
-        Some(cipher) => {
-            if cipher.is_write_accessible_to_user(&headers.user.uuid, conn).await {
-                cipher
-            } else {
-                err!("Cipher is not write accessible")
-            }
+    let mut cipher = if let Some(cipher) = Cipher::find_by_uuid(cipher_id, conn).await {
+        if cipher.is_write_accessible_to_user(&headers.user.uuid, conn).await {
+            cipher
+        } else {
+            err!("Cipher is not write accessible")
        }
-        None => err!("Cipher doesn't exist"),
+    } else {
+        err!("Cipher doesn't exist")
    };

    let mut shared_to_collections = vec![];
@@ -1038,7 +1059,7 @@ async fn share_cipher_by_uuid(
                }
            }
        }
-    };
+    }

    // When LastKnownRevisionDate is None, it is a new cipher, so send CipherCreate.
    // If there is an override, like when handling multiple items, we want to prevent a push notification for every single item
@@ -1236,10 +1257,10 @@ async fn save_attachment(
        err!("Cipher is neither owned by a user nor an organization");
    };

-    if let Some(size_limit) = size_limit {
-        if size > size_limit {
-            err!("Attachment storage limit exceeded with this file");
-        }
+    if let Some(size_limit) = size_limit
+        && size > size_limit
+    {
+        err!("Attachment storage limit exceeded with this file");
    }

    let file_id = match &attachment {
@@ -1381,7 +1402,7 @@ async fn post_attachment_share(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> JsonResult {
-    _delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &conn, &nt).await?;
+    delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &conn, &nt).await?;
    post_attachment(cipher_id, data, headers, conn, nt).await
 }

@@ -1415,7 +1436,7 @@ async fn delete_attachment(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> JsonResult {
-    _delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &conn, &nt).await
+    delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &conn, &nt).await
 }

 #[delete("/ciphers/<cipher_id>/attachment/<attachment_id>/admin")]
@@ -1426,42 +1447,42 @@ async fn delete_attachment_admin(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> JsonResult {
-    _delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &conn, &nt).await
+    delete_cipher_attachment_by_id(&cipher_id, &attachment_id, &headers, &conn, &nt).await
 }

 #[post("/ciphers/<cipher_id>/delete")]
 async fn delete_cipher_post(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    _delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
+    delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
    // permanent delete
 }

 #[post("/ciphers/<cipher_id>/delete-admin")]
 async fn delete_cipher_post_admin(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    _delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
+    delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
    // permanent delete
 }

 #[put("/ciphers/<cipher_id>/delete")]
 async fn delete_cipher_put(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    _delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::SoftSingle, &nt).await
+    delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::SoftSingle, &nt).await
    // soft delete
 }

 #[put("/ciphers/<cipher_id>/delete-admin")]
 async fn delete_cipher_put_admin(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    _delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::SoftSingle, &nt).await
+    delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::SoftSingle, &nt).await
    // soft delete
 }

 #[delete("/ciphers/<cipher_id>")]
 async fn delete_cipher(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    _delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
+    delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
    // permanent delete
 }

 #[delete("/ciphers/<cipher_id>/admin")]
 async fn delete_cipher_admin(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    _delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
+    delete_cipher_by_uuid(&cipher_id, &headers, &conn, &CipherDeleteOptions::HardSingle, &nt).await
    // permanent delete
 }

@@ -1472,7 +1493,7 @@ async fn delete_cipher_selected(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> EmptyResult {
-    _delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
+    delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
    // permanent delete
 }

@@ -1483,7 +1504,7 @@ async fn delete_cipher_selected_post(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> EmptyResult {
-    _delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
+    delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
    // permanent delete
 }

@@ -1494,7 +1515,7 @@ async fn delete_cipher_selected_put(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> EmptyResult {
-    _delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::SoftMulti, nt).await
+    delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::SoftMulti, nt).await
    // soft delete
 }

@@ -1505,7 +1526,7 @@ async fn delete_cipher_selected_admin(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> EmptyResult {
-    _delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
+    delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
    // permanent delete
 }

@@ -1516,7 +1537,7 @@ async fn delete_cipher_selected_post_admin(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> EmptyResult {
-    _delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
+    delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::HardMulti, nt).await
    // permanent delete
 }

@@ -1527,18 +1548,18 @@ async fn delete_cipher_selected_put_admin(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> EmptyResult {
-    _delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::SoftMulti, nt).await
+    delete_multiple_ciphers(data, headers, conn, CipherDeleteOptions::SoftMulti, nt).await
    // soft delete
 }

 #[put("/ciphers/<cipher_id>/restore")]
 async fn restore_cipher_put(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
-    _restore_cipher_by_uuid(&cipher_id, &headers, false, &conn, &nt).await
+    restore_cipher_by_uuid(&cipher_id, &headers, false, &conn, &nt).await
 }

 #[put("/ciphers/<cipher_id>/restore-admin")]
 async fn restore_cipher_put_admin(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
-    _restore_cipher_by_uuid(&cipher_id, &headers, false, &conn, &nt).await
+    restore_cipher_by_uuid(&cipher_id, &headers, false, &conn, &nt).await
 }

 #[put("/ciphers/restore-admin", data = "<data>")]
@@ -1548,7 +1569,7 @@ async fn restore_cipher_selected_admin(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> JsonResult {
-    _restore_multiple_ciphers(data, &headers, &conn, &nt).await
+    restore_multiple_ciphers(data, &headers, &conn, &nt).await
 }

 #[put("/ciphers/restore", data = "<data>")]
@@ -1558,12 +1579,13 @@ async fn restore_cipher_selected(
    conn: DbConn,
    nt: Notify<'_>,
 ) -> JsonResult {
-    _restore_multiple_ciphers(data, &headers, &conn, &nt).await
+    restore_multiple_ciphers(data, &headers, &conn, &nt).await
 }

 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct MoveCipherData {
+    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    folder_id: Option<FolderId>,
    ids: Vec<CipherId>,
 }
@@ -1578,10 +1600,10 @@ async fn move_cipher_selected(
    let data = data.into_inner();
    let user_id = &headers.user.uuid;

-    if let Some(ref folder_id) = data.folder_id {
-        if Folder::find_by_uuid_and_user(folder_id, user_id, &conn).await.is_none() {
-            err!("Invalid folder", "Folder does not exist or belongs to another user");
-        }
+    if let Some(ref folder_id) = data.folder_id
+        && Folder::find_by_uuid_and_user(folder_id, user_id, &conn).await.is_none()
+    {
+        err!("Invalid folder", "Folder does not exist or belongs to another user");
    }

    let cipher_count = data.ids.len();
@@ -1610,7 +1632,7 @@ async fn move_cipher_selected(
        .await;
    } else {
        // Multi move actions do not send out a push for each cipher, we need to send a general sync here
-        nt.send_user_update(UpdateType::SyncCiphers, &headers.user, &headers.device.push_uuid, &conn).await;
+        nt.send_user_update(UpdateType::SyncCiphers, &headers.user, headers.device.push_uuid.as_ref(), &conn).await;
    }

    if cipher_count != accessible_ciphers_count {
@@ -1638,9 +1660,51 @@ struct OrganizationIdData {
    org_id: OrganizationId,
 }

+// Use the OrgIdGuard here, to ensure there an organization id present.
+// If there is no organization id present, it should be forwarded to purge_personal_vault.
+// This guard needs to be the first argument, else OwnerHeaders will be triggered which will logout the user.
 #[post("/ciphers/purge?<organization..>", data = "<data>")]
-async fn delete_all(
-    organization: Option<OrganizationIdData>,
+async fn purge_org_vault(
+    _org_id_guard: OrgIdGuard,
+    organization: OrganizationIdData,
+    data: Json<PasswordOrOtpData>,
+    headers: OwnerHeaders,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> EmptyResult {
+    if organization.org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
+
+    let data: PasswordOrOtpData = data.into_inner();
+    let user = headers.user;
+
+    data.validate(&user, true, &conn).await?;
+
+    match Membership::find_confirmed_by_user_and_org(&user.uuid, &organization.org_id, &conn).await {
+        Some(member) if member.atype == MembershipType::Owner => {
+            Cipher::delete_all_by_organization(&organization.org_id, &conn).await?;
+            nt.send_user_update(UpdateType::SyncVault, &user, headers.device.push_uuid.as_ref(), &conn).await;
+
+            log_event(
+                EventType::OrganizationPurgedVault as i32,
+                &organization.org_id,
+                &organization.org_id,
+                &user.uuid,
+                headers.device.atype,
+                &headers.ip.ip,
+                &conn,
+            )
+            .await;
+
+            Ok(())
+        }
+        _ => err!("You don't have permission to purge the organization vault"),
+    }
+}
+
+#[post("/ciphers/purge", data = "<data>")]
+async fn purge_personal_vault(
    data: Json<PasswordOrOtpData>,
    headers: Headers,
    conn: DbConn,
@@ -1651,52 +1715,48 @@ async fn delete_all(

    data.validate(&user, true, &conn).await?;

-    match organization {
-        Some(org_data) => {
-            // Organization ID in query params, purging organization vault
-            match Membership::find_by_user_and_org(&user.uuid, &org_data.org_id, &conn).await {
-                None => err!("You don't have permission to purge the organization vault"),
-                Some(member) => {
-                    if member.atype == MembershipType::Owner {
-                        Cipher::delete_all_by_organization(&org_data.org_id, &conn).await?;
-                        nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
-
-                        log_event(
-                            EventType::OrganizationPurgedVault as i32,
-                            &org_data.org_id,
-                            &org_data.org_id,
-                            &user.uuid,
-                            headers.device.atype,
-                            &headers.ip.ip,
-                            &conn,
-                        )
-                        .await;
-
-                        Ok(())
-                    } else {
-                        err!("You don't have permission to purge the organization vault");
-                    }
-                }
-            }
-        }
-        None => {
-            // No organization ID in query params, purging user vault
-            // Delete ciphers and their attachments
-            for cipher in Cipher::find_owned_by_user(&user.uuid, &conn).await {
-                cipher.delete(&conn).await?;
-            }
-
-            // Delete folders
-            for f in Folder::find_by_user(&user.uuid, &conn).await {
-                f.delete(&conn).await?;
-            }
-
-            user.update_revision(&conn).await?;
-            nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
-
-            Ok(())
-        }
+    for cipher in Cipher::find_owned_by_user(&user.uuid, &conn).await {
+        cipher.delete(&conn).await?;
    }
+
+    for f in Folder::find_by_user(&user.uuid, &conn).await {
+        f.delete(&conn).await?;
+    }
+
+    user.update_revision(&conn).await?;
+    nt.send_user_update(UpdateType::SyncVault, &user, headers.device.push_uuid.as_ref(), &conn).await;
+
+    Ok(())
+}
+
+#[put("/ciphers/<cipher_id>/archive")]
+async fn archive_cipher_put(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
+    archive_cipher(&cipher_id, &headers, false, &conn, &nt).await
+}
+
+#[put("/ciphers/archive", data = "<data>")]
+async fn archive_cipher_selected(
+    data: Json<CipherIdsData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> JsonResult {
+    archive_multiple_ciphers(data, &headers, &conn, &nt).await
+}
+
+#[put("/ciphers/<cipher_id>/unarchive")]
+async fn unarchive_cipher_put(cipher_id: CipherId, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
+    unarchive_cipher(&cipher_id, &headers, false, &conn, &nt).await
+}
+
+#[put("/ciphers/unarchive", data = "<data>")]
+async fn unarchive_cipher_selected(
+    data: Json<CipherIdsData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> JsonResult {
+    unarchive_multiple_ciphers(data, &headers, &conn, &nt).await
 }

 #[derive(PartialEq)]
@@ -1707,7 +1767,7 @@ pub enum CipherDeleteOptions {
    HardMulti,
 }

-async fn _delete_cipher_by_uuid(
+async fn delete_cipher_by_uuid(
    cipher_id: &CipherId,
    headers: &Headers,
    conn: &DbConn,
@@ -1773,7 +1833,7 @@ struct CipherIdsData {
    ids: Vec<CipherId>,
 }

-async fn _delete_multiple_ciphers(
+async fn delete_multiple_ciphers(
    data: Json<CipherIdsData>,
    headers: Headers,
    conn: DbConn,
@@ -1783,18 +1843,18 @@ async fn _delete_multiple_ciphers(
    let data = data.into_inner();

    for cipher_id in data.ids {
-        if let error @ Err(_) = _delete_cipher_by_uuid(&cipher_id, &headers, &conn, &delete_options, &nt).await {
+        if let error @ Err(_) = delete_cipher_by_uuid(&cipher_id, &headers, &conn, &delete_options, &nt).await {
            return error;
-        };
+        }
    }

    // Multi delete actions do not send out a push for each cipher, we need to send a general sync here
-    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, &headers.device.push_uuid, &conn).await;
+    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, headers.device.push_uuid.as_ref(), &conn).await;

    Ok(())
 }

-async fn _restore_cipher_by_uuid(
+async fn restore_cipher_by_uuid(
    cipher_id: &CipherId,
    headers: &Headers,
    multi_restore: bool,
@@ -1840,7 +1900,7 @@ async fn _restore_cipher_by_uuid(
    Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, None, CipherSyncType::User, conn).await?))
 }

-async fn _restore_multiple_ciphers(
+async fn restore_multiple_ciphers(
    data: Json<CipherIdsData>,
    headers: &Headers,
    conn: &DbConn,
@@ -1850,14 +1910,14 @@ async fn _restore_multiple_ciphers(

    let mut ciphers: Vec<Value> = Vec::new();
    for cipher_id in data.ids {
-        match _restore_cipher_by_uuid(&cipher_id, headers, true, conn, nt).await {
+        match restore_cipher_by_uuid(&cipher_id, headers, true, conn, nt).await {
            Ok(json) => ciphers.push(json.into_inner()),
            err => return err,
        }
    }

    // Multi move actions do not send out a push for each cipher, we need to send a general sync here
-    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, &headers.device.push_uuid, conn).await;
+    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, headers.device.push_uuid.as_ref(), conn).await;

    Ok(Json(json!({
      "data": ciphers,
@@ -1866,7 +1926,7 @@ async fn _restore_multiple_ciphers(
    })))
 }

-async fn _delete_cipher_attachment_by_id(
+async fn delete_cipher_attachment_by_id(
    cipher_id: &CipherId,
    attachment_id: &AttachmentId,
    headers: &Headers,
@@ -1917,6 +1977,122 @@ async fn _delete_cipher_attachment_by_id(
    Ok(Json(json!({"cipher":cipher_json})))
 }

+async fn archive_cipher(
+    cipher_id: &CipherId,
+    headers: &Headers,
+    multi_archive: bool,
+    conn: &DbConn,
+    nt: &Notify<'_>,
+) -> JsonResult {
+    let Some(cipher) = Cipher::find_by_uuid(cipher_id, conn).await else {
+        err!("Cipher doesn't exist")
+    };
+
+    if !cipher.is_accessible_to_user(&headers.user.uuid, conn).await {
+        err!("Cipher is not accessible for the current user")
+    }
+
+    cipher.set_archived_at(Utc::now().naive_utc(), &headers.user.uuid, conn).await?;
+
+    if !multi_archive {
+        nt.send_cipher_update(
+            UpdateType::SyncCipherUpdate,
+            &cipher,
+            &cipher.update_users_revision(conn).await,
+            &headers.device,
+            None,
+            conn,
+        )
+        .await;
+    }
+
+    Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, None, CipherSyncType::User, conn).await?))
+}
+
+async fn unarchive_cipher(
+    cipher_id: &CipherId,
+    headers: &Headers,
+    multi_unarchive: bool,
+    conn: &DbConn,
+    nt: &Notify<'_>,
+) -> JsonResult {
+    let Some(cipher) = Cipher::find_by_uuid(cipher_id, conn).await else {
+        err!("Cipher doesn't exist")
+    };
+
+    if !cipher.is_accessible_to_user(&headers.user.uuid, conn).await {
+        err!("Cipher is not accessible for the current user")
+    }
+
+    cipher.unarchive(&headers.user.uuid, conn).await?;
+
+    if !multi_unarchive {
+        nt.send_cipher_update(
+            UpdateType::SyncCipherUpdate,
+            &cipher,
+            &cipher.update_users_revision(conn).await,
+            &headers.device,
+            None,
+            conn,
+        )
+        .await;
+    }
+
+    Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, None, CipherSyncType::User, conn).await?))
+}
+
+async fn archive_multiple_ciphers(
+    data: Json<CipherIdsData>,
+    headers: &Headers,
+    conn: &DbConn,
+    nt: &Notify<'_>,
+) -> JsonResult {
+    let data = data.into_inner();
+
+    let mut ciphers: Vec<Value> = Vec::new();
+    for cipher_id in data.ids {
+        match archive_cipher(&cipher_id, headers, true, conn, nt).await {
+            Ok(json) => ciphers.push(json.into_inner()),
+            err => return err,
+        }
+    }
+
+    // Multi archive does not send out a push for each cipher, we need to send a general sync here
+    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, headers.device.push_uuid.as_ref(), conn).await;
+
+    Ok(Json(json!({
+      "data": ciphers,
+      "object": "list",
+      "continuationToken": null
+    })))
+}
+
+async fn unarchive_multiple_ciphers(
+    data: Json<CipherIdsData>,
+    headers: &Headers,
+    conn: &DbConn,
+    nt: &Notify<'_>,
+) -> JsonResult {
+    let data = data.into_inner();
+
+    let mut ciphers: Vec<Value> = Vec::new();
+    for cipher_id in data.ids {
+        match unarchive_cipher(&cipher_id, headers, true, conn, nt).await {
+            Ok(json) => ciphers.push(json.into_inner()),
+            err => return err,
+        }
+    }
+
+    // Multi unarchive does not send out a push for each cipher, we need to send a general sync here
+    nt.send_user_update(UpdateType::SyncCiphers, &headers.user, headers.device.push_uuid.as_ref(), conn).await;
+
+    Ok(Json(json!({
+      "data": ciphers,
+      "object": "list",
+      "continuationToken": null
+    })))
+}
+
 /// This will hold all the necessary data to improve a full sync of all the ciphers
 /// It can be used during the `Cipher::to_json()` call.
 /// It will prevent the so called N+1 SQL issue by running just a few queries which will hold all the data needed.
@@ -1926,6 +2102,7 @@ pub struct CipherSyncData {
    pub cipher_folders: HashMap<CipherId, FolderId>,
    pub cipher_favorites: HashSet<CipherId>,
    pub cipher_collections: HashMap<CipherId, Vec<CollectionId>>,
+    pub cipher_archives: HashMap<CipherId, NaiveDateTime>,
    pub members: HashMap<OrganizationId, Membership>,
    pub user_collections: HashMap<CollectionId, CollectionUser>,
    pub user_collections_groups: HashMap<CollectionId, CollectionGroup>,
@@ -1942,20 +2119,25 @@ impl CipherSyncData {
    pub async fn new(user_id: &UserId, sync_type: CipherSyncType, conn: &DbConn) -> Self {
        let cipher_folders: HashMap<CipherId, FolderId>;
        let cipher_favorites: HashSet<CipherId>;
+        let cipher_archives: HashMap<CipherId, NaiveDateTime>;
        match sync_type {
-            // User Sync supports Folders and Favorites
+            // User Sync supports Folders, Favorites, and Archives
            CipherSyncType::User => {
                // Generate a HashMap with the Cipher UUID as key and the Folder UUID as value
                cipher_folders = FolderCipher::find_by_user(user_id, conn).await.into_iter().collect();

                // Generate a HashSet of all the Cipher UUID's which are marked as favorite
                cipher_favorites = Favorite::get_all_cipher_uuid_by_user(user_id, conn).await.into_iter().collect();
+
+                // Generate a HashMap with the Cipher UUID as key and the archived date time as value
+                cipher_archives = Archive::find_by_user(user_id, conn).await.into_iter().collect();
            }
-            // Organization Sync does not support Folders and Favorites.
+            // Organization Sync does not support Folders, Favorites, or Archives.
            // If these are set, it will cause issues in the web-vault.
            CipherSyncType::Organization => {
                cipher_folders = HashMap::with_capacity(0);
                cipher_favorites = HashSet::with_capacity(0);
+                cipher_archives = HashMap::with_capacity(0);
            }
        }

@@ -1976,8 +2158,11 @@ impl CipherSyncData {
        }

        // Generate a HashMap with the Organization UUID as key and the Membership record
-        let members: HashMap<OrganizationId, Membership> =
-            Membership::find_by_user(user_id, conn).await.into_iter().map(|m| (m.org_uuid.clone(), m)).collect();
+        let members: HashMap<OrganizationId, Membership> = Membership::find_confirmed_by_user(user_id, conn)
+            .await
+            .into_iter()
+            .map(|m| (m.org_uuid.clone(), m))
+            .collect();

        // Generate a HashMap with the User_Collections UUID as key and the CollectionUser record
        let user_collections: HashMap<CollectionId, CollectionUser> = CollectionUser::find_by_user(user_id, conn)
@@ -2019,6 +2204,7 @@ impl CipherSyncData {
            cipher_folders,
            cipher_favorites,
            cipher_collections,
+            cipher_archives,
            members,
            user_collections,
            user_collections_groups,
@@ -1,23 +1,23 @@
 use chrono::{TimeDelta, Utc};
-use rocket::{serde::json::Json, Route};
+use rocket::{Route, serde::json::Json};
 use serde_json::Value;

 use crate::{
+    CONFIG,
    api::{
-        core::{CipherSyncData, CipherSyncType},
        EmptyResult, JsonResult,
+        core::{CipherSyncData, CipherSyncType},
    },
-    auth::{decode_emergency_access_invite, Headers},
+    auth::{Headers, decode_emergency_access_invite},
    db::{
+        DbConn, DbPool,
        models::{
            Cipher, EmergencyAccess, EmergencyAccessId, EmergencyAccessStatus, EmergencyAccessType, Invitation,
            Membership, MembershipType, OrgPolicy, TwoFactor, User, UserId,
        },
-        DbConn, DbPool,
    },
    mail,
    util::NumberOrString,
-    CONFIG,
 };

 pub fn routes() -> Vec<Route> {
@@ -55,7 +55,7 @@ async fn get_contacts(headers: Headers, conn: DbConn) -> Json<Value> {
    let mut emergency_access_list_json = Vec::with_capacity(emergency_access_list.len());
    for ea in emergency_access_list {
        if let Some(grantee) = ea.to_json_grantee_details(&conn).await {
-            emergency_access_list_json.push(grantee)
+            emergency_access_list_json.push(grantee);
        }
    }

@@ -89,11 +89,14 @@ async fn get_grantees(headers: Headers, conn: DbConn) -> Json<Value> {
 async fn get_emergency_access(emer_id: EmergencyAccessId, headers: Headers, conn: DbConn) -> JsonResult {
    check_emergency_access_enabled()?;

-    match EmergencyAccess::find_by_uuid_and_grantor_uuid(&emer_id, &headers.user.uuid, &conn).await {
-        Some(emergency_access) => Ok(Json(
+    if let Some(emergency_access) =
+        EmergencyAccess::find_by_uuid_and_grantor_uuid(&emer_id, &headers.user.uuid, &conn).await
+    {
+        Ok(Json(
            emergency_access.to_json_grantee_details(&conn).await.expect("Grantee user should exist but does not!"),
-        )),
-        None => err!("Emergency access not valid."),
+        ))
+    } else {
+        err!("Emergency access not valid.")
    }
 }

@@ -136,9 +139,10 @@ async fn post_emergency_access(
        err!("Emergency access not valid.")
    };

-    let new_type = match EmergencyAccessType::from_str(&data.r#type.into_string()) {
-        Some(new_type) => new_type as i32,
-        None => err!("Invalid emergency access type."),
+    let new_type = if let Some(new_type) = EmergencyAccessType::from_str(&data.r#type.into_string()) {
+        new_type as i32
+    } else {
+        err!("Invalid emergency access type.")
    };

    emergency_access.atype = new_type;
@@ -205,9 +209,10 @@ async fn send_invite(data: Json<EmergencyAccessInviteData>, headers: Headers, co

    let emergency_access_status = EmergencyAccessStatus::Invited as i32;

-    let new_type = match EmergencyAccessType::from_str(&data.r#type.into_string()) {
-        Some(new_type) => new_type as i32,
-        None => err!("Invalid emergency access type."),
+    let new_type = if let Some(new_type) = EmergencyAccessType::from_str(&data.r#type.into_string()) {
+        new_type as i32
+    } else {
+        err!("Invalid emergency access type.")
    };

    let grantor_user = headers.user;
@@ -342,12 +347,11 @@ async fn accept_invite(
        err!("Claim email does not match current users email")
    }

-    let grantee_user = match User::find_by_mail(&claims.email, &conn).await {
-        Some(user) => {
-            Invitation::take(&claims.email, &conn).await;
-            user
-        }
-        None => err!("Invited user not found"),
+    let grantee_user = if let Some(user) = User::find_by_mail(&claims.email, &conn).await {
+        Invitation::take(&claims.email, &conn).await;
+        user
+    } else {
+        err!("Invited user not found")
    };

    // We need to search for the uuid in combination with the email, since we do not yet store the uuid of the grantee in the database.
@@ -653,7 +657,7 @@ async fn password_emergency_access(
    };

    // change grantor_user password
-    grantor_user.set_password(new_master_password_hash, Some(data.key), true, None);
+    grantor_user.set_password(new_master_password_hash, Some(data.key), true, None, &conn).await?;
    grantor_user.save(&conn).await?;

    // Disable TwoFactor providers since they will otherwise block logins
@@ -766,7 +770,7 @@ pub async fn emergency_request_timeout_job(pool: DbPool) {
            }
        }
    } else {
-        error!("Failed to get DB connection while searching emergency request timed out")
+        error!("Failed to get DB connection while searching emergency request timed out");
    }
 }

@@ -825,6 +829,6 @@ pub async fn emergency_notification_reminder_job(pool: DbPool) {
            }
        }
    } else {
-        error!("Failed to get DB connection while searching emergency notification reminder")
+        error!("Failed to get DB connection while searching emergency notification reminder");
    }
 }
@@ -1,18 +1,18 @@
 use std::net::IpAddr;

 use chrono::NaiveDateTime;
-use rocket::{form::FromForm, serde::json::Json, Route};
+use rocket::{Route, form::FromForm, serde::json::Json};
 use serde_json::Value;

 use crate::{
+    CONFIG,
    api::{EmptyResult, JsonResult},
    auth::{AdminHeaders, Headers},
    db::{
-        models::{Cipher, CipherId, Event, Membership, MembershipId, OrganizationId, UserId},
        DbConn, DbPool,
+        models::{Cipher, CipherId, Event, Membership, MembershipId, OrganizationId, UserId},
    },
    util::parse_date,
-    CONFIG,
 };

 /// ###############################################################################################################
@@ -38,9 +38,7 @@ async fn get_org_events(org_id: OrganizationId, data: EventRange, headers: Admin

    // Return an empty vec when we org events are disabled.
    // This prevents client errors
-    let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
-        Vec::with_capacity(0)
-    } else {
+    let events_json: Vec<Value> = if CONFIG.org_events_enabled() {
        let start_date = parse_date(&data.start);
        let end_date = if let Some(before_date) = &data.continuation_token {
            parse_date(before_date)
@@ -51,8 +49,10 @@ async fn get_org_events(org_id: OrganizationId, data: EventRange, headers: Admin
        Event::find_by_organization_uuid(&org_id, &start_date, &end_date, &conn)
            .await
            .iter()
-            .map(|e| e.to_json())
+            .map(Event::to_json)
            .collect()
+    } else {
+        Vec::with_capacity(0)
    };

    Ok(Json(json!({
@@ -64,27 +64,21 @@ async fn get_org_events(org_id: OrganizationId, data: EventRange, headers: Admin

 #[get("/ciphers/<cipher_id>/events?<data..>")]
 async fn get_cipher_events(cipher_id: CipherId, data: EventRange, headers: Headers, conn: DbConn) -> JsonResult {
-    // Return an empty vec when we org events are disabled.
+    // Return an empty vec when org events are disabled.
    // This prevents client errors
-    let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
-        Vec::with_capacity(0)
-    } else {
-        let mut events_json = Vec::with_capacity(0);
-        if Membership::user_has_ge_admin_access_to_cipher(&headers.user.uuid, &cipher_id, &conn).await {
-            let start_date = parse_date(&data.start);
-            let end_date = if let Some(before_date) = &data.continuation_token {
-                parse_date(before_date)
-            } else {
-                parse_date(&data.end)
-            };
+    let events_json: Vec<Value> = if CONFIG.org_events_enabled()
+        && Membership::user_has_ge_admin_access_to_cipher(&headers.user.uuid, &cipher_id, &conn).await
+    {
+        let start_date = parse_date(&data.start);
+        let end_date = if let Some(before_date) = &data.continuation_token {
+            parse_date(before_date)
+        } else {
+            parse_date(&data.end)
+        };

-            events_json = Event::find_by_cipher_uuid(&cipher_id, &start_date, &end_date, &conn)
-                .await
-                .iter()
-                .map(|e| e.to_json())
-                .collect()
-        }
-        events_json
+        Event::find_by_cipher_uuid(&cipher_id, &start_date, &end_date, &conn).await.iter().map(Event::to_json).collect()
+    } else {
+        Vec::with_capacity(0)
    };

    Ok(Json(json!({
@@ -107,9 +101,7 @@ async fn get_user_events(
    }
    // Return an empty vec when we org events are disabled.
    // This prevents client errors
-    let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
-        Vec::with_capacity(0)
-    } else {
+    let events_json: Vec<Value> = if CONFIG.org_events_enabled() {
        let start_date = parse_date(&data.start);
        let end_date = if let Some(before_date) = &data.continuation_token {
            parse_date(before_date)
@@ -120,8 +112,10 @@ async fn get_user_events(
        Event::find_by_org_and_member(&org_id, &member_id, &start_date, &end_date, &conn)
            .await
            .iter()
-            .map(|e| e.to_json())
+            .map(Event::to_json)
            .collect()
+    } else {
+        Vec::with_capacity(0)
    };

    Ok(Json(json!({
@@ -134,7 +128,8 @@ async fn get_user_events(
 fn get_continuation_token(events_json: &[Value]) -> Option<&str> {
    // When the length of the vec equals the max page_size there probably is more data
    // When it is less, then all events are loaded.
-    if events_json.len() as i64 == Event::PAGE_SIZE {
+    #[expect(clippy::cast_possible_truncation, reason = "PAGE_SIZE fits within usize")]
+    if events_json.len() == Event::PAGE_SIZE as usize {
        if let Some(last_event) = events_json.last() {
            last_event["date"].as_str()
        } else {
@@ -176,7 +171,7 @@ async fn post_events_collect(data: Json<Vec<EventCollection>>, headers: Headers,
        let event_date = parse_date(&event.date);
        match event.r#type {
            1000..=1099 => {
-                _log_user_event(
+                log_user_event_impl(
                    event.r#type,
                    &headers.user.uuid,
                    headers.device.atype,
@@ -188,7 +183,7 @@ async fn post_events_collect(data: Json<Vec<EventCollection>>, headers: Headers,
            }
            1600..=1699 => {
                if let Some(org_id) = &event.organization_id {
-                    _log_event(
+                    log_event_impl(
                        event.r#type,
                        org_id,
                        org_id,
@@ -202,22 +197,21 @@ async fn post_events_collect(data: Json<Vec<EventCollection>>, headers: Headers,
                }
            }
            _ => {
-                if let Some(cipher_uuid) = &event.cipher_id {
-                    if let Some(cipher) = Cipher::find_by_uuid(cipher_uuid, &conn).await {
-                        if let Some(org_id) = cipher.organization_uuid {
-                            _log_event(
-                                event.r#type,
-                                cipher_uuid,
-                                &org_id,
-                                &headers.user.uuid,
-                                headers.device.atype,
-                                Some(event_date),
-                                &headers.ip.ip,
-                                &conn,
-                            )
-                            .await;
-                        }
-                    }
+                if let Some(cipher_uuid) = &event.cipher_id
+                    && let Some(cipher) = Cipher::find_by_uuid(cipher_uuid, &conn).await
+                    && let Some(org_id) = cipher.organization_uuid
+                {
+                    log_event_impl(
+                        event.r#type,
+                        cipher_uuid,
+                        &org_id,
+                        &headers.user.uuid,
+                        headers.device.atype,
+                        Some(event_date),
+                        &headers.ip.ip,
+                        &conn,
+                    )
+                    .await;
                }
            }
        }
@@ -229,10 +223,10 @@ pub async fn log_user_event(event_type: i32, user_id: &UserId, device_type: i32,
    if !CONFIG.org_events_enabled() {
        return;
    }
-    _log_user_event(event_type, user_id, device_type, None, ip, conn).await;
+    log_user_event_impl(event_type, user_id, device_type, None, ip, conn).await;
 }

-async fn _log_user_event(
+async fn log_user_event_impl(
    event_type: i32,
    user_id: &UserId,
    device_type: i32,
@@ -240,7 +234,7 @@ async fn _log_user_event(
    ip: &IpAddr,
    conn: &DbConn,
 ) {
-    let memberships = Membership::find_by_user(user_id, conn).await;
+    let memberships = Membership::find_confirmed_by_user(user_id, conn).await;
    let mut events: Vec<Event> = Vec::with_capacity(memberships.len() + 1); // We need an event per org and one without an org

    // Upstream saves the event also without any org_id.
@@ -278,11 +272,11 @@ pub async fn log_event(
    if !CONFIG.org_events_enabled() {
        return;
    }
-    _log_event(event_type, source_uuid, org_id, act_user_id, device_type, None, ip, conn).await;
+    log_event_impl(event_type, source_uuid, org_id, act_user_id, device_type, None, ip, conn).await;
 }

-#[allow(clippy::too_many_arguments)]
-async fn _log_event(
+#[expect(clippy::too_many_arguments)]
+async fn log_event_impl(
    event_type: i32,
    source_uuid: &str,
    org_id: &OrganizationId,
@@ -298,24 +292,24 @@ async fn _log_event(
        // 1000..=1099 Are user events, they need to be logged via log_user_event()
        // Cipher Events
        1100..=1199 => {
-            event.cipher_uuid = Some(source_uuid.to_string().into());
+            event.cipher_uuid = Some(source_uuid.to_owned().into());
        }
        // Collection Events
        1300..=1399 => {
-            event.collection_uuid = Some(source_uuid.to_string().into());
+            event.collection_uuid = Some(source_uuid.to_owned().into());
        }
        // Group Events
        1400..=1499 => {
-            event.group_uuid = Some(source_uuid.to_string().into());
+            event.group_uuid = Some(source_uuid.to_owned().into());
        }
        // Org User Events
        1500..=1599 => {
-            event.org_user_uuid = Some(source_uuid.to_string().into());
+            event.org_user_uuid = Some(source_uuid.to_owned().into());
        }
        // 1600..=1699 Are organizational events, and they do not need the source_uuid
        // Policy Events
        1700..=1799 => {
-            event.policy_uuid = Some(source_uuid.to_string().into());
+            event.policy_uuid = Some(source_uuid.to_owned().into());
        }
        // Ignore others
        _ => {}
@@ -338,6 +332,6 @@ pub async fn event_cleanup_job(pool: DbPool) {
    if let Ok(conn) = pool.get().await {
        Event::clean_events(&conn).await.ok();
    } else {
-        error!("Failed to get DB connection while trying to cleanup the events table")
+        error!("Failed to get DB connection while trying to cleanup the events table");
    }
 }
@@ -5,9 +5,10 @@ use crate::{
    api::{EmptyResult, JsonResult, Notify, UpdateType},
    auth::Headers,
    db::{
-        models::{Folder, FolderId},
        DbConn,
+        models::{Folder, FolderId},
    },
+    util::deser_opt_nonempty_str,
 };

 pub fn routes() -> Vec<rocket::Route> {
@@ -28,9 +29,10 @@ async fn get_folders(headers: Headers, conn: DbConn) -> Json<Value> {

 #[get("/folders/<folder_id>")]
 async fn get_folder(folder_id: FolderId, headers: Headers, conn: DbConn) -> JsonResult {
-    match Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &conn).await {
-        Some(folder) => Ok(Json(folder.to_json())),
-        _ => err!("Invalid folder", "Folder does not exist or belongs to another user"),
+    if let Some(folder) = Folder::find_by_uuid_and_user(&folder_id, &headers.user.uuid, &conn).await {
+        Ok(Json(folder.to_json()))
+    } else {
+        err!("Invalid folder", "Folder does not exist or belongs to another user")
    }
 }

@@ -38,6 +40,7 @@ async fn get_folder(folder_id: FolderId, headers: Headers, conn: DbConn) -> Json
 #[serde(rename_all = "camelCase")]
 pub struct FolderData {
    pub name: String,
+    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    pub id: Option<FolderId>,
 }

@@ -1,4 +1,6 @@
 pub mod accounts;
+pub mod two_factor;
+
 mod ciphers;
 mod emergency_access;
 mod events;
@@ -6,17 +8,32 @@ mod folders;
 mod organizations;
 mod public;
 mod sends;
-pub mod two_factor;

 pub use accounts::purge_auth_requests;
-pub use ciphers::{purge_trashed_ciphers, CipherData, CipherSyncData, CipherSyncType};
+pub use ciphers::{CipherData, CipherSyncData, CipherSyncType, purge_trashed_ciphers};
 pub use emergency_access::{emergency_notification_reminder_job, emergency_request_timeout_job};
 pub use events::{event_cleanup_job, log_event, log_user_event};
-use reqwest::Method;
 pub use sends::purge_sends;

+use reqwest::Method;
+use rocket::{Catcher, Route, serde::json::Json, serde::json::Value};
+
+use crate::{
+    CONFIG,
+    api::{EmptyResult, JsonResult, Notify, UpdateType},
+    auth::Headers,
+    db::{
+        DbConn,
+        models::{Membership, MembershipStatus, OrgPolicy, Organization, User},
+    },
+    error::Error,
+    http_client::make_http_request,
+    mail,
+    util::{FeatureFlagFilter, parse_experimental_client_feature_flags},
+};
+
 pub fn routes() -> Vec<Route> {
-    let mut eq_domains_routes = routes![get_eq_domains, post_eq_domains, put_eq_domains];
+    let mut eq_domains_routes = routes![get_settings_domains, post_settings_domains, put_settings_domains];
    let mut hibp_routes = routes![hibp_breach];
    let mut meta_routes = routes![alive, now, version, config, get_api_webauthn];

@@ -44,24 +61,6 @@ pub fn events_routes() -> Vec<Route> {
    routes
 }

-//
-// Move this somewhere else
-//
-use rocket::{serde::json::Json, serde::json::Value, Catcher, Route};
-
-use crate::{
-    api::{EmptyResult, JsonResult, Notify, UpdateType},
-    auth::Headers,
-    db::{
-        models::{Membership, MembershipStatus, OrgPolicy, Organization, User},
-        DbConn,
-    },
-    error::Error,
-    http_client::make_http_request,
-    mail,
-    util::parse_experimental_client_feature_flags,
-};
-
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct GlobalDomain {
@@ -72,15 +71,17 @@ struct GlobalDomain {

 const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");

+#[expect(clippy::needless_pass_by_value, reason = "Not beneficial for Headers")]
 #[get("/settings/domains")]
-fn get_eq_domains(headers: Headers) -> Json<Value> {
-    _get_eq_domains(&headers, false)
+fn get_settings_domains(headers: Headers) -> Json<Value> {
+    get_eq_domains(&headers, false)
 }

-fn _get_eq_domains(headers: &Headers, no_excluded: bool) -> Json<Value> {
-    let user = &headers.user;
+fn get_eq_domains(headers: &Headers, no_excluded: bool) -> Json<Value> {
    use serde_json::from_str;

+    let user = &headers.user;
+
    let equivalent_domains: Vec<Vec<String>> = from_str(&user.equivalent_domains).unwrap();
    let excluded_globals: Vec<i32> = from_str(&user.excluded_globals).unwrap();

@@ -109,34 +110,45 @@ struct EquivDomainData {
 }

 #[post("/settings/domains", data = "<data>")]
-async fn post_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
+async fn post_settings_domains(
+    data: Json<EquivDomainData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> JsonResult {
+    use serde_json::to_string;
+
    let data: EquivDomainData = data.into_inner();

    let excluded_globals = data.excluded_global_equivalent_domains.unwrap_or_default();
    let equivalent_domains = data.equivalent_domains.unwrap_or_default();

    let mut user = headers.user;
-    use serde_json::to_string;

-    user.excluded_globals = to_string(&excluded_globals).unwrap_or_else(|_| "[]".to_string());
-    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or_else(|_| "[]".to_string());
+    user.excluded_globals = to_string(&excluded_globals).unwrap_or_else(|_| "[]".to_owned());
+    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or_else(|_| "[]".to_owned());

    user.save(&conn).await?;

-    nt.send_user_update(UpdateType::SyncSettings, &user, &headers.device.push_uuid, &conn).await;
+    nt.send_user_update(UpdateType::SyncSettings, &user, headers.device.push_uuid.as_ref(), &conn).await;

    Ok(Json(json!({})))
 }

 #[put("/settings/domains", data = "<data>")]
-async fn put_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
-    post_eq_domains(data, headers, conn, nt).await
+async fn put_settings_domains(
+    data: Json<EquivDomainData>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> JsonResult {
+    post_settings_domains(data, headers, conn, nt).await
 }

 #[get("/hibp/breach?<username>")]
 async fn hibp_breach(username: &str, _headers: Headers) -> JsonResult {
    let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
-    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+    if let Some(api_key) = CONFIG.hibp_api_key() {
        let url = format!(
            "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
        );
@@ -197,19 +209,17 @@ fn get_api_webauthn(_headers: Headers) -> Json<Value> {

 #[get("/config")]
 fn config() -> Json<Value> {
-    let domain = crate::CONFIG.domain();
+    let domain = CONFIG.domain();
    // Official available feature flags can be found here:
-    // Server (v2025.6.2): https://github.com/bitwarden/server/blob/d094be3267f2030bd0dc62106bc6871cf82682f5/src/Core/Constants.cs#L103
-    // Client (web-v2025.6.1): https://github.com/bitwarden/clients/blob/747c2fd6a1c348a57a76e4a7de8128466ffd3c01/libs/common/src/enums/feature-flag.enum.ts#L12
-    // Android (v2025.6.0): https://github.com/bitwarden/android/blob/b5b022caaad33390c31b3021b2c1205925b0e1a2/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L22
-    // iOS (v2025.6.0): https://github.com/bitwarden/ios/blob/ff06d9c6cc8da89f78f37f376495800201d7261a/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
-    let mut feature_states =
-        parse_experimental_client_feature_flags(&crate::CONFIG.experimental_client_feature_flags());
-    feature_states.insert("duo-redirect".to_string(), true);
-    feature_states.insert("email-verification".to_string(), true);
-    feature_states.insert("unauth-ui-refresh".to_string(), true);
-    feature_states.insert("enable-pm-flight-recorder".to_string(), true);
-    feature_states.insert("mobile-error-reporting".to_string(), true);
+    // Server (v2026.2.1): https://github.com/bitwarden/server/blob/0e42725d0837bd1c0dabd864ff621a579959744b/src/Core/Constants.cs#L135
+    // Client (v2026.2.1): https://github.com/bitwarden/clients/blob/f96380c3138291a028bdd2c7a5fee540d5c98ba5/libs/common/src/enums/feature-flag.enum.ts#L12
+    // Android (v2026.2.1): https://github.com/bitwarden/android/blob/6902c19c0093fa476bbf74ccaa70c9f14afbb82f/core/src/main/kotlin/com/bitwarden/core/data/manager/model/FlagKey.kt#L31
+    // iOS (v2026.2.1): https://github.com/bitwarden/ios/blob/cdd9ba1770ca2ffc098d02d12cc3208e3a830454/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
+    let mut feature_states = parse_experimental_client_feature_flags(
+        &CONFIG.experimental_client_feature_flags(),
+        &FeatureFlagFilter::ValidOnly,
+    );
+    feature_states.insert("pm-19148-innovation-archive".to_owned(), true);

    Json(json!({
        // Note: The clients use this version to handle backwards compatibility concerns
@@ -225,7 +235,7 @@ fn config() -> Json<Value> {
          "url": "https://github.com/dani-garcia/vaultwarden"
        },
        "settings": {
-            "disableUserRegistration": crate::CONFIG.is_signup_disabled()
+            "disableUserRegistration": CONFIG.is_signup_disabled()
        },
        "environment": {
          "vault": domain,
@@ -278,10 +288,9 @@ async fn accept_org_invite(

    member.save(conn).await?;

-    if crate::CONFIG.mail_enabled() {
-        let org = match Organization::find_by_uuid(&member.org_uuid, conn).await {
-            Some(org) => org,
-            None => err!("Organization not found."),
+    if CONFIG.mail_enabled() {
+        let Some(org) = Organization::find_by_uuid(&member.org_uuid, conn).await else {
+            err!("Organization not found.")
        };
        // User was invited to an organization, so they must be confirmed manually after acceptance
        mail::send_invite_accepted(&user.email, &member.invited_by_email.unwrap_or(org.billing_email), &org.name)
@@ -1,23 +1,24 @@
-use chrono::Utc;
-use rocket::{
-    request::{FromRequest, Outcome},
-    serde::json::Json,
-    Request, Route,
-};
-
 use std::collections::HashSet;

+use chrono::Utc;
+use rocket::{
+    Request, Route,
+    request::{FromRequest, Outcome},
+    serde::json::Json,
+};
+
 use crate::{
+    CONFIG,
    api::EmptyResult,
    auth,
    db::{
+        DbConn,
        models::{
            Group, GroupUser, Invitation, Membership, MembershipStatus, MembershipType, Organization,
            OrganizationApiKey, OrganizationId, User,
        },
-        DbConn,
    },
-    mail, CONFIG,
+    mail,
 };

 pub fn routes() -> Vec<Route> {
@@ -90,19 +91,18 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, conn: DbConn
            }
        } else {
            // If user is not part of the organization
-            let user = match User::find_by_mail(&user_data.email, &conn).await {
-                Some(user) => user, // exists in vaultwarden
-                None => {
-                    // User does not exist yet
-                    let mut new_user = User::new(&user_data.email, None);
-                    new_user.save(&conn).await?;
+            let user = if let Some(user) = User::find_by_mail(&user_data.email, &conn).await {
+                user
+            } else {
+                // User does not exist yet
+                let mut new_user = User::new(&user_data.email, None);
+                new_user.save(&conn).await?;

-                    if !CONFIG.mail_enabled() {
-                        Invitation::new(&new_user.email).save(&conn).await?;
-                    }
-                    user_created = true;
-                    new_user
+                if !CONFIG.mail_enabled() {
+                    Invitation::new(&new_user.email).save(&conn).await?;
                }
+                user_created = true;
+                new_user
            };
            let member_status = if CONFIG.mail_enabled() || user.password_hash.is_empty() {
                MembershipStatus::Invited as i32
@@ -110,9 +110,10 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, conn: DbConn
                MembershipStatus::Accepted as i32 // Automatically mark user as accepted if no email invites
            };

-            let (org_name, org_email) = match Organization::find_by_uuid(&org_id, &conn).await {
-                Some(org) => (org.name, org.billing_email),
-                None => err!("Error looking up organization"),
+            let (org_name, org_email) = if let Some(org) = Organization::find_by_uuid(&org_id, &conn).await {
+                (org.name, org.billing_email)
+            } else {
+                err!("Error looking up organization")
            };

            let mut new_member = Membership::new(user.uuid.clone(), org_id.clone(), Some(org_email.clone()));
@@ -123,40 +124,36 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, conn: DbConn

            new_member.save(&conn).await?;

-            if CONFIG.mail_enabled() {
-                if let Err(e) =
+            if CONFIG.mail_enabled()
+                && let Err(e) =
                    mail::send_invite(&user, org_id.clone(), new_member.uuid.clone(), &org_name, Some(org_email)).await
-                {
-                    // Upon error delete the user, invite and org member records when needed
-                    if user_created {
-                        user.delete(&conn).await?;
-                    } else {
-                        new_member.delete(&conn).await?;
-                    }
-
-                    err!(format!("Error sending invite: {e:?} "));
+            {
+                // Upon error delete the user, invite and org member records when needed
+                if user_created {
+                    user.delete(&conn).await?;
+                } else {
+                    new_member.delete(&conn).await?;
                }
+
+                err!(format!("Error sending invite: {e:?} "));
            }
        }
    }

    if CONFIG.org_groups_enabled() {
        for group_data in &data.groups {
-            let group_uuid = match Group::find_by_external_id_and_org(&group_data.external_id, &org_id, &conn).await {
-                Some(group) => group.uuid,
-                None => {
-                    let mut group = Group::new(
-                        org_id.clone(),
-                        group_data.name.clone(),
-                        false,
-                        Some(group_data.external_id.clone()),
-                    );
-                    group.save(&conn).await?;
-                    group.uuid
-                }
+            let group_uuid = if let Some(group) =
+                Group::find_by_external_id_and_org(&group_data.external_id, &org_id, &conn).await
+            {
+                group.uuid
+            } else {
+                let mut group =
+                    Group::new(org_id.clone(), group_data.name.clone(), false, Some(group_data.external_id.clone()));
+                group.save(&conn).await?;
+                group.uuid
            };

-            GroupUser::delete_all_by_group(&group_uuid, &conn).await?;
+            GroupUser::delete_all_by_group(&group_uuid, &org_id, &conn).await?;

            for ext_id in &group_data.member_external_ids {
                if let Some(member) = Membership::find_by_external_id_and_org(ext_id, &org_id, &conn).await {
@@ -174,18 +171,17 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, conn: DbConn
        // Generate a HashSet to quickly verify if a member is listed or not.
        let sync_members: HashSet<String> = data.members.into_iter().map(|m| m.external_id).collect();
        for member in Membership::find_by_org(&org_id, &conn).await {
-            if let Some(ref user_external_id) = member.external_id {
-                if !sync_members.contains(user_external_id) {
-                    if member.atype == MembershipType::Owner && member.status == MembershipStatus::Confirmed as i32 {
-                        // Removing owner, check that there is at least one other confirmed owner
-                        if Membership::count_confirmed_by_org_and_type(&org_id, MembershipType::Owner, &conn).await <= 1
-                        {
-                            warn!("Can't delete the last owner");
-                            continue;
-                        }
+            if let Some(ref user_external_id) = member.external_id
+                && !sync_members.contains(user_external_id)
+            {
+                if member.atype == MembershipType::Owner && member.status == MembershipStatus::Confirmed as i32 {
+                    // Removing owner, check that there is at least one other confirmed owner
+                    if Membership::count_confirmed_by_org_and_type(&org_id, MembershipType::Owner, &conn).await <= 1 {
+                        warn!("Can't delete the last owner");
+                        continue;
                    }
-                    member.delete(&conn).await?;
                }
+                member.delete(&conn).await?;
            }
        }
    }
@@ -202,12 +198,14 @@ impl<'r> FromRequest<'r> for PublicToken {
    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = request.headers();
        // Get access_token
-        let access_token: &str = match headers.get_one("Authorization") {
-            Some(a) => match a.rsplit("Bearer ").next() {
-                Some(split) => split,
-                None => err_handler!("No access token provided"),
-            },
-            None => err_handler!("No access token provided"),
+        let access_token: &str = if let Some(a) = headers.get_one("Authorization") {
+            if let Some(split) = a.rsplit("Bearer ").next() {
+                split
+            } else {
+                err_handler!("No access token provided")
+            }
+        } else {
+            err_handler!("No access token provided")
        };
        // Check JWT token is valid and get device and user from it
        let Ok(claims) = auth::decode_api_org(access_token) else {
@@ -229,14 +227,13 @@ impl<'r> FromRequest<'r> for PublicToken {

        // Check if claims.sub is org_api_key.uuid
        // Check if claims.client_sub is org_api_key.org_uuid
-        let conn = match DbConn::from_request(request).await {
-            Outcome::Success(conn) => conn,
-            _ => err_handler!("Error getting DB"),
+        let Outcome::Success(conn) = DbConn::from_request(request).await else {
+            err_handler!("Error getting DB")
        };
        let Some(org_id) = claims.client_id.strip_prefix("organization.") else {
            err_handler!("Malformed client_id")
        };
-        let org_id: OrganizationId = org_id.to_string().into();
+        let org_id: OrganizationId = org_id.to_owned().into();
        let Some(org_api_key) = OrganizationApiKey::find_by_org_uuid(&org_id, &conn).await else {
            err_handler!("Invalid client_id")
        };
@@ -10,15 +10,15 @@ use rocket::{
 use serde_json::Value;

 use crate::{
+    CONFIG,
    api::{ApiResult, EmptyResult, JsonResult, Notify, UpdateType},
    auth::{ClientIp, Headers, Host},
    config::PathType,
    db::{
-        models::{Device, OrgPolicy, OrgPolicyType, Send, SendFileId, SendId, SendType, UserId},
        DbConn, DbPool,
+        models::{Device, OrgPolicy, OrgPolicyType, Send, SendFileId, SendId, SendType, UserId},
    },
-    util::{save_temp_file, NumberOrString},
-    CONFIG,
+    util::{NumberOrString, save_temp_file},
 };

 const SEND_INACCESSIBLE_MSG: &str = "Send does not exist or is no longer available";
@@ -63,7 +63,7 @@ pub async fn purge_sends(pool: DbPool) {
    if let Ok(conn) = pool.get().await {
        Send::purge(&conn).await;
    } else {
-        error!("Failed to get DB connection while purging sends")
+        error!("Failed to get DB connection while purging sends");
    }
 }

@@ -168,7 +168,7 @@ fn create_send(data: SendData, user_id: UserId) -> ApiResult<Send> {
 #[get("/sends")]
 async fn get_sends(headers: Headers, conn: DbConn) -> Json<Value> {
    let sends = Send::find_by_user(&headers.user.uuid, &conn);
-    let sends_json: Vec<Value> = sends.await.iter().map(|s| s.to_json()).collect();
+    let sends_json: Vec<Value> = sends.await.iter().map(Send::to_json).collect();

    Json(json!({
      "data": sends_json,
@@ -179,9 +179,10 @@ async fn get_sends(headers: Headers, conn: DbConn) -> Json<Value> {

 #[get("/sends/<send_id>")]
 async fn get_send(send_id: SendId, headers: Headers, conn: DbConn) -> JsonResult {
-    match Send::find_by_uuid_and_user(&send_id, &headers.user.uuid, &conn).await {
-        Some(send) => Ok(Json(send.to_json())),
-        None => err!("Send not found", "Invalid send uuid or does not belong to user"),
+    if let Some(send) = Send::find_by_uuid_and_user(&send_id, &headers.user.uuid, &conn).await {
+        Ok(Json(send.to_json()))
+    } else {
+        err!("Send not found", "Invalid send uuid or does not belong to user")
    }
 }

@@ -310,9 +311,10 @@ async fn post_send_file_v2(data: Json<SendData>, headers: Headers, conn: DbConn)

    enforce_disable_hide_email_policy(&data, &headers, &conn).await?;

-    let file_length = match &data.file_length {
-        Some(m) => m.into_i64()?,
-        _ => err!("Invalid send length"),
+    let file_length = if let Some(m) = &data.file_length {
+        m.into_i64()?
+    } else {
+        err!("Invalid send length")
    };
    if file_length < 0 {
        err!("Send size can't be negative")
@@ -457,16 +459,16 @@ async fn post_access(
        err_code!(SEND_INACCESSIBLE_MSG, 404)
    };

-    if let Some(max_access_count) = send.max_access_count {
-        if send.access_count >= max_access_count {
-            err_code!(SEND_INACCESSIBLE_MSG, 404);
-        }
+    if let Some(max_access_count) = send.max_access_count
+        && send.access_count >= max_access_count
+    {
+        err_code!(SEND_INACCESSIBLE_MSG, 404);
    }

-    if let Some(expiration) = send.expiration_date {
-        if Utc::now().naive_utc() >= expiration {
-            err_code!(SEND_INACCESSIBLE_MSG, 404)
-        }
+    if let Some(expiration) = send.expiration_date
+        && Utc::now().naive_utc() >= expiration
+    {
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
    }

    if Utc::now().naive_utc() >= send.deletion_date {
@@ -517,16 +519,16 @@ async fn post_access_file(
        err_code!(SEND_INACCESSIBLE_MSG, 404)
    };

-    if let Some(max_access_count) = send.max_access_count {
-        if send.access_count >= max_access_count {
-            err_code!(SEND_INACCESSIBLE_MSG, 404)
-        }
+    if let Some(max_access_count) = send.max_access_count
+        && send.access_count >= max_access_count
+    {
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
    }

-    if let Some(expiration) = send.expiration_date {
-        if Utc::now().naive_utc() >= expiration {
-            err_code!(SEND_INACCESSIBLE_MSG, 404)
-        }
+    if let Some(expiration) = send.expiration_date
+        && Utc::now().naive_utc() >= expiration
+    {
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
    }

    if Utc::now().naive_utc() >= send.deletion_date {
@@ -568,22 +570,22 @@ async fn post_access_file(
 async fn download_url(host: &Host, send_id: &SendId, file_id: &SendFileId) -> Result<String, crate::Error> {
    let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;

-    if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
+    if crate::storage::is_fs_operator(&operator) {
        let token_claims = crate::auth::generate_send_claims(send_id, file_id);
        let token = crate::auth::encode_jwt(&token_claims);

-        Ok(format!("{}/api/sends/{send_id}/{file_id}?t={token}", &host.host))
+        Ok(format!("{}/api/sends/{send_id}/{file_id}?t={token}", host.host))
    } else {
-        Ok(operator.presign_read(&format!("{send_id}/{file_id}"), Duration::from_secs(5 * 60)).await?.uri().to_string())
+        Ok(operator.presign_read(&format!("{send_id}/{file_id}"), Duration::from_mins(5)).await?.uri().to_string())
    }
 }

 #[get("/sends/<send_id>/<file_id>?<t>")]
 async fn download_send(send_id: SendId, file_id: SendFileId, t: &str) -> Option<NamedFile> {
-    if let Ok(claims) = crate::auth::decode_send(t) {
-        if claims.sub == format!("{send_id}/{file_id}") {
-            return NamedFile::open(Path::new(&CONFIG.sends_folder()).join(send_id).join(file_id)).await.ok();
-        }
+    if let Ok(claims) = crate::auth::decode_send(t)
+        && claims.sub == format!("{send_id}/{file_id}")
+    {
+        return NamedFile::open(Path::new(&CONFIG.sends_folder()).join(send_id).join(file_id)).await.ok();
    }
    None
 }
@@ -1,14 +1,13 @@
 use data_encoding::BASE32;
-use rocket::serde::json::Json;
-use rocket::Route;
+use rocket::{Route, serde::json::Json};

 use crate::{
-    api::{core::log_user_event, core::two_factor::_generate_recover_code, EmptyResult, JsonResult, PasswordOrOtpData},
+    api::{EmptyResult, JsonResult, PasswordOrOtpData, core::log_user_event, core::two_factor::generate_recover_code},
    auth::{ClientIp, Headers},
    crypto,
    db::{
-        models::{EventType, TwoFactor, TwoFactorType, UserId},
        DbConn,
+        models::{EventType, TwoFactor, TwoFactorType, UserId},
    },
    util::NumberOrString,
 };
@@ -70,9 +69,10 @@ async fn activate_authenticator(data: Json<EnableAuthenticatorData>, headers: He
    .await?;

    // Validate key as base32 and 20 bytes length
-    let decoded_key: Vec<u8> = match BASE32.decode(key.as_bytes()) {
-        Ok(decoded) => decoded,
-        _ => err!("Invalid totp secret"),
+    let decoded_key: Vec<u8> = if let Ok(decoded) = BASE32.decode(key.as_bytes()) {
+        decoded
+    } else {
+        err!("Invalid totp secret")
    };

    if decoded_key.len() != 20 {
@@ -82,7 +82,7 @@ async fn activate_authenticator(data: Json<EnableAuthenticatorData>, headers: He
    // Validate the token provided with the key, and save new twofactor
    validate_totp_code(&user.uuid, &token, &key.to_uppercase(), &headers.ip, &conn).await?;

-    _generate_recover_code(&mut user, &conn).await;
+    generate_recover_code(&mut user, &conn).await;

    log_user_event(EventType::UserUpdated2fa as i32, &user.uuid, headers.device.atype, &headers.ip.ip, &conn).await;

@@ -119,7 +119,7 @@ pub async fn validate_totp_code(
    ip: &ClientIp,
    conn: &DbConn,
 ) -> EmptyResult {
-    use totp_lite::{totp_custom, Sha1};
+    use totp_lite::{Sha1, totp_custom};

    let Ok(decoded_secret) = BASE32.decode(secret.as_bytes()) else {
        err!("Invalid TOTP secret")
@@ -128,7 +128,7 @@ pub async fn validate_totp_code(
    let mut twofactor = match TwoFactor::find_by_user_and_type(user_id, TwoFactorType::Authenticator as i32, conn).await
    {
        Some(tf) => tf,
-        _ => TwoFactor::new(user_id.clone(), TwoFactorType::Authenticator, secret.to_string()),
+        _ => TwoFactor::new(user_id.clone(), TwoFactorType::Authenticator, secret.to_owned()),
    };

    // The amount of steps back and forward in time
@@ -145,7 +145,7 @@ pub async fn validate_totp_code(

        // We need to calculate the time offsite and cast it as an u64.
        // Since we only have times into the future and the totp generator needs an u64 instead of the default i64.
-        let time = (current_timestamp + step * 30i64) as u64;
+        let time: u64 = (current_timestamp + step * 30i64).cast_unsigned();
        let generated = totp_custom::<Sha1>(30, 6, &decoded_secret, time);

        // Check the given code equals the generated and if the time_step is larger then the one last used.
@@ -1,22 +1,21 @@
 use chrono::Utc;
 use data_encoding::BASE64;
-use rocket::serde::json::Json;
-use rocket::Route;
+use rocket::{Route, serde::json::Json};

 use crate::{
+    CONFIG,
    api::{
-        core::log_user_event, core::two_factor::_generate_recover_code, ApiResult, EmptyResult, JsonResult,
-        PasswordOrOtpData,
+        ApiResult, EmptyResult, JsonResult, PasswordOrOtpData, core::log_user_event,
+        core::two_factor::generate_recover_code,
    },
    auth::Headers,
    crypto,
    db::{
-        models::{EventType, TwoFactor, TwoFactorType, User, UserId},
        DbConn,
+        models::{EventType, TwoFactor, TwoFactorType, User, UserId},
    },
    error::MapResult,
    http_client::make_http_request,
-    CONFIG,
 };

 pub fn routes() -> Vec<Route> {
@@ -82,8 +81,7 @@ enum DuoStatus {
 impl DuoStatus {
    fn data(self) -> Option<DuoData> {
        match self {
-            DuoStatus::Global(data) => Some(data),
-            DuoStatus::User(data) => Some(data),
+            DuoStatus::Global(data) | DuoStatus::User(data) => Some(data),
            DuoStatus::Disabled(_) => None,
        }
    }
@@ -182,7 +180,7 @@ async fn activate_duo(data: Json<EnableDuoData>, headers: Headers, conn: DbConn)
    let twofactor = TwoFactor::new(user.uuid.clone(), type_, data_str);
    twofactor.save(&conn).await?;

-    _generate_recover_code(&mut user, &conn).await;
+    generate_recover_code(&mut user, &conn).await;

    log_user_event(EventType::UserUpdated2fa as i32, &user.uuid, headers.device.atype, &headers.ip.ip, &conn).await;

@@ -201,14 +199,14 @@ async fn activate_duo_put(data: Json<EnableDuoData>, headers: Headers, conn: DbC
 }

 async fn duo_api_request(method: &str, path: &str, params: &str, data: &DuoData) -> EmptyResult {
-    use reqwest::{header, Method};
+    use reqwest::{Method, header};
    use std::str::FromStr;

    // https://duo.com/docs/authapi#api-details
-    let url = format!("https://{}{path}", &data.host);
-    let date = Utc::now().to_rfc2822();
+    let url = format!("https://{}{path}", data.host);
+    let dt = Utc::now().to_rfc2822();
    let username = &data.ik;
-    let fields = [&date, method, &data.host, path, params];
+    let fields = [&dt, method, &data.host, path, params];
    let password = crypto::hmac_sign(&data.sk, &fields.join("\n"));

    let m = Method::from_str(method).unwrap_or_default();
@@ -216,7 +214,7 @@ async fn duo_api_request(method: &str, path: &str, params: &str, data: &DuoData)
    make_http_request(m, &url)?
        .basic_auth(username, Some(password))
        .header(header::USER_AGENT, "vaultwarden:Duo/1.0 (Rust)")
-        .header(header::DATE, date)
+        .header(header::DATE, dt)
        .send()
        .await?
        .error_for_status()?;
@@ -356,9 +354,10 @@ fn parse_duo_values(key: &str, val: &str, ikey: &str, prefix: &str, time: i64) -
        err!("Invalid ikey")
    }

-    let expire: i64 = match expire.parse() {
-        Ok(e) => e,
-        Err(_) => err!("Invalid expire time"),
+    let expire: i64 = if let Ok(e) = expire.parse() {
+        e
+    } else {
+        err!("Invalid expire time")
    };

    if time >= expire {
@@ -1,23 +1,24 @@
+use std::collections::HashMap;
+
 use chrono::Utc;
 use data_encoding::HEXLOWER;
 use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation};
-use reqwest::{header, StatusCode};
-use ring::digest::{digest, Digest, SHA512_256};
+use reqwest::{StatusCode, header};
+use ring::digest::{Digest, SHA512_256, digest};
 use serde::Serialize;
-use std::collections::HashMap;
+use url::Url;

 use crate::{
-    api::{core::two_factor::duo::get_duo_keys_email, EmptyResult},
+    CONFIG,
+    api::{EmptyResult, core::two_factor::duo::get_duo_keys_email},
    crypto,
    db::{
-        models::{DeviceId, EventType, TwoFactorDuoContext},
        DbConn, DbPool,
+        models::{DeviceId, EventType, TwoFactorDuoContext},
    },
    error::Error,
    http_client::make_http_request,
-    CONFIG,
 };
-use url::Url;

 // The location on this service that Duo should redirect users to. For us, this is a bridge
 // built in to the Bitwarden clients.
@@ -124,7 +125,7 @@ impl DuoClient {
        ClientAssertion {
            iss: self.client_id.clone(),
            sub: self.client_id.clone(),
-            aud: url.to_string(),
+            aud: url.to_owned(),
            exp: now + JWT_VALIDITY_SECS,
            jti: jwt_id,
            iat: now,
@@ -302,7 +303,7 @@ impl DuoClient {

        if !(matching_nonces && matching_usernames) {
            err!("Error validating Duo authorization, nonce or username mismatch.")
-        };
+        }

        Ok(())
    }
@@ -347,7 +348,7 @@ pub async fn purge_duo_contexts(pool: DbPool) {
    if let Ok(conn) = pool.get().await {
        TwoFactorDuoContext::purge_expired_duo_contexts(&conn).await;
    } else {
-        error!("Failed to get DB connection while purging expired Duo authentications")
+        error!("Failed to get DB connection while purging expired Duo authentications");
    }
 }

@@ -394,7 +395,7 @@ pub async fn get_duo_auth_url(
    match client.health_check().await {
        Ok(()) => {}
        Err(e) => return Err(e),
-    };
+    }

    // Generate random OAuth2 state and OIDC Nonce
    let state: String = crypto::get_random_string_alphanum(STATE_LENGTH);
@@ -438,16 +439,13 @@ pub async fn validate_duo_login(

    // Get the context by the state reported by the client. If we don't have one,
    // it means the context is either missing or expired.
-    let ctx = match extract_context(state, conn).await {
-        Some(c) => c,
-        None => {
-            err!(
-                "Error validating duo authentication",
-                ErrorEvent {
-                    event: EventType::UserFailedLogIn2fa
-                }
-            )
-        }
+    let Some(ctx) = extract_context(state, conn).await else {
+        err!(
+            "Error validating duo authentication",
+            ErrorEvent {
+                event: EventType::UserFailedLogIn2fa
+            }
+        )
    };

    // Context validation steps
@@ -476,13 +474,13 @@ pub async fn validate_duo_login(
    match client.health_check().await {
        Ok(()) => {}
        Err(e) => return Err(e),
-    };
+    }

    let d: Digest = digest(&SHA512_256, format!("{}{device_identifier}", ctx.nonce).as_bytes());
    let hash: String = HEXLOWER.encode(d.as_ref());

    match client.exchange_authz_code_for_result(code, email, hash.as_str()).await {
-        Ok(_) => Ok(()),
+        Ok(()) => Ok(()),
        Err(_) => {
            err!(
                "Error validating duo authentication",
@@ -1,20 +1,20 @@
 use chrono::{DateTime, TimeDelta, Utc};
-use rocket::serde::json::Json;
-use rocket::Route;
+use rocket::{Route, serde::json::Json};

 use crate::{
+    CONFIG,
    api::{
-        core::{log_user_event, two_factor::_generate_recover_code},
        EmptyResult, JsonResult, PasswordOrOtpData,
+        core::{log_user_event, two_factor::generate_recover_code},
    },
-    auth::Headers,
+    auth::{ClientHeaders, Headers},
    crypto,
    db::{
-        models::{DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
        DbConn,
+        models::{AuthRequest, AuthRequestId, DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
    },
    error::{Error, MapResult},
-    mail, CONFIG,
+    mail,
 };

 pub fn routes() -> Vec<Route> {
@@ -25,46 +25,77 @@ pub fn routes() -> Vec<Route> {
 #[serde(rename_all = "camelCase")]
 struct SendEmailLoginData {
    #[serde(alias = "DeviceIdentifier")]
-    device_identifier: DeviceId,
+    device_identifier: Option<DeviceId>,
    #[serde(alias = "Email")]
    email: Option<String>,
    #[serde(alias = "MasterPasswordHash")]
    master_password_hash: Option<String>,
+    auth_request_id: Option<AuthRequestId>,
+    auth_request_access_code: Option<String>,
 }

 /// User is trying to login and wants to use email 2FA.
 /// Does not require Bearer token
 #[post("/two-factor/send-email-login", data = "<data>")] // JsonResult
-async fn send_email_login(data: Json<SendEmailLoginData>, conn: DbConn) -> EmptyResult {
+async fn send_email_login(data: Json<SendEmailLoginData>, client_headers: ClientHeaders, conn: DbConn) -> EmptyResult {
    let data: SendEmailLoginData = data.into_inner();

    if !CONFIG._enable_email_2fa() {
        err!("Email 2FA is disabled")
    }

+    // Ratelimit the login
+    crate::ratelimit::check_limit_login(&client_headers.ip.ip)?;
+
    // Get the user
    let email = match &data.email {
        Some(email) if !email.is_empty() => Some(email),
        _ => None,
    };
-    let user = if let Some(email) = email {
-        let Some(master_password_hash) = &data.master_password_hash else {
-            err!("No password hash has been submitted.")
-        };
+    let master_password_hash = match &data.master_password_hash {
+        Some(password_hash) if !password_hash.is_empty() => Some(password_hash),
+        _ => None,
+    };
+    let auth_request_id = match &data.auth_request_id {
+        Some(auth_request_id) if !auth_request_id.is_empty() => Some(auth_request_id),
+        _ => None,
+    };

+    let user = if let Some(email) = email {
        let Some(user) = User::find_by_mail(email, &conn).await else {
            err!("Username or password is incorrect. Try again.")
        };

-        // Check password
-        if !user.check_valid_password(master_password_hash) {
-            err!("Username or password is incorrect. Try again.")
+        if let Some(master_password_hash) = master_password_hash {
+            // Check password
+            if !user.check_valid_password(master_password_hash) {
+                err!("Username or password is incorrect. Try again.")
+            }
+        } else if let Some(auth_request_id) = auth_request_id {
+            let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_id, &conn).await else {
+                err!("AuthRequest doesn't exist", "User not found")
+            };
+            let Some(code) = &data.auth_request_access_code else {
+                err!("no auth request access code")
+            };
+
+            if auth_request.device_type != client_headers.device_type
+                || auth_request.request_ip != client_headers.ip.ip.to_string()
+                || !auth_request.check_access_code(code)
+            {
+                err!("AuthRequest doesn't exist", "Invalid device, IP or code")
+            }
+        } else {
+            err!("No password hash has been submitted.")
        }

        user
    } else {
+        let Some(device_identifier) = &data.device_identifier else {
+            err!("No device identifier has been submitted.")
+        };
        // SSO login only sends device id, so we get the user by the most recently used device
-        let Some(user) = User::find_by_device_for_email2fa(&data.device_identifier, &conn).await else {
+        let Some(user) = User::find_by_device_for_email2fa(device_identifier, &conn).await else {
            err!("Username or password is incorrect. Try again.")
        };

@@ -201,7 +232,7 @@ async fn email(data: Json<EmailData>, headers: Headers, conn: DbConn) -> JsonRes
    twofactor.data = email_data.to_json();
    twofactor.save(&conn).await?;

-    _generate_recover_code(&mut user, &conn).await;
+    generate_recover_code(&mut user, &conn).await;

    log_user_event(EventType::UserUpdated2fa as i32, &user.uuid, headers.device.atype, &headers.ip.ip, &conn).await;

@@ -253,9 +284,9 @@ pub async fn validate_email_code_str(
    twofactor.data = email_data.to_json();
    twofactor.save(conn).await?;

-    let date = DateTime::from_timestamp(email_data.token_sent, 0).expect("Email token timestamp invalid.").naive_utc();
-    let max_time = CONFIG.email_expiration_time() as i64;
-    if date + TimeDelta::try_seconds(max_time).unwrap() < Utc::now().naive_utc() {
+    let dt = DateTime::from_timestamp(email_data.token_sent, 0).expect("Email token timestamp invalid.").naive_utc();
+    let max_time = CONFIG.email_expiration_time().cast_signed();
+    if dt + TimeDelta::try_seconds(max_time).unwrap() < Utc::now().naive_utc() {
        err!(
            "Token has expired",
            ErrorEvent {
@@ -311,9 +342,10 @@ impl EmailTokenData {

    pub fn from_json(string: &str) -> Result<EmailTokenData, Error> {
        let res: Result<EmailTokenData, serde_json::Error> = serde_json::from_str(string);
-        match res {
-            Ok(x) => Ok(x),
-            Err(_) => err!("Could not decode EmailTokenData from string"),
+        if let Ok(x) = res {
+            Ok(x)
+        } else {
+            err!("Could not decode EmailTokenData from string")
        }
    }
 }
@@ -331,18 +363,17 @@ pub async fn activate_email_2fa(user: &User, conn: &DbConn) -> EmptyResult {
 pub fn obscure_email(email: &str) -> String {
    let split: Vec<&str> = email.rsplitn(2, '@').collect();

-    let mut name = split[1].to_string();
+    let mut name = split[1].to_owned();
    let domain = &split[0];

    let name_size = name.chars().count();

-    let new_name = match name_size {
-        1..=3 => "*".repeat(name_size),
-        _ => {
-            let stars = "*".repeat(name_size - 2);
-            name.truncate(2);
-            format!("{name}{stars}")
-        }
+    let new_name = if let 1..=3 = name_size {
+        "*".repeat(name_size)
+    } else {
+        let stars = "*".repeat(name_size - 2);
+        name.truncate(2);
+        format!("{name}{stars}")
    };

    format!("{new_name}@{domain}")
@@ -1,26 +1,27 @@
 use chrono::{TimeDelta, Utc};
 use data_encoding::BASE32;
-use rocket::serde::json::Json;
-use rocket::Route;
+use num_traits::FromPrimitive;
+use rocket::{Route, serde::json::Json};
+use serde::Deserialize;
 use serde_json::Value;

 use crate::{
+    CONFIG,
    api::{
-        core::{log_event, log_user_event},
        EmptyResult, JsonResult, PasswordOrOtpData,
+        core::{log_event, log_user_event},
    },
-    auth::{ClientHeaders, Headers},
+    auth::Headers,
    crypto,
    db::{
+        DbConn, DbPool,
        models::{
            DeviceType, EventType, Membership, MembershipType, OrgPolicyType, Organization, OrganizationId, TwoFactor,
-            TwoFactorIncomplete, User, UserId,
+            TwoFactorIncomplete, TwoFactorType, User, UserId,
        },
-        DbConn, DbPool,
    },
    mail,
    util::NumberOrString,
-    CONFIG,
 };

 pub mod authenticator;
@@ -31,11 +32,46 @@ pub mod protected_actions;
 pub mod webauthn;
 pub mod yubikey;

+fn has_global_duo_credentials() -> bool {
+    CONFIG._enable_duo() && CONFIG.duo_host().is_some() && CONFIG.duo_ikey().is_some() && CONFIG.duo_skey().is_some()
+}
+
+pub fn is_twofactor_provider_usable(provider_type: &TwoFactorType, provider_data: Option<&str>) -> bool {
+    #[derive(Deserialize)]
+    struct DuoProviderData {
+        host: String,
+        ik: String,
+        sk: String,
+    }
+
+    match provider_type {
+        TwoFactorType::Authenticator | TwoFactorType::RecoveryCode => true,
+        TwoFactorType::Email => CONFIG._enable_email_2fa(),
+        TwoFactorType::Duo | TwoFactorType::OrganizationDuo => {
+            provider_data
+                .and_then(|raw| serde_json::from_str::<DuoProviderData>(raw).ok())
+                .is_some_and(|duo| !duo.host.is_empty() && !duo.ik.is_empty() && !duo.sk.is_empty())
+                || has_global_duo_credentials()
+        }
+        TwoFactorType::YubiKey => {
+            CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some()
+        }
+        TwoFactorType::Webauthn => CONFIG.is_webauthn_2fa_supported(),
+        TwoFactorType::Remember => !CONFIG.disable_2fa_remember(),
+        TwoFactorType::U2f
+        | TwoFactorType::U2fRegisterChallenge
+        | TwoFactorType::U2fLoginChallenge
+        | TwoFactorType::EmailVerificationChallenge
+        | TwoFactorType::WebauthnRegisterChallenge
+        | TwoFactorType::WebauthnLoginChallenge
+        | TwoFactorType::ProtectedActions => false,
+    }
+}
+
 pub fn routes() -> Vec<Route> {
    let mut routes = routes![
        get_twofactor,
        get_recover,
-        recover,
        disable_twofactor,
        disable_twofactor_put,
        get_device_verification_settings,
@@ -54,7 +90,13 @@ pub fn routes() -> Vec<Route> {
 #[get("/two-factor")]
 async fn get_twofactor(headers: Headers, conn: DbConn) -> Json<Value> {
    let twofactors = TwoFactor::find_by_user(&headers.user.uuid, &conn).await;
-    let twofactors_json: Vec<Value> = twofactors.iter().map(TwoFactor::to_json_provider).collect();
+    let twofactors_json: Vec<Value> = twofactors
+        .iter()
+        .filter_map(|tf| {
+            let provider_type = TwoFactorType::from_i32(tf.atype)?;
+            is_twofactor_provider_usable(&provider_type, Some(&tf.data)).then(|| TwoFactor::to_json_provider(tf))
+        })
+        .collect();

    Json(json!({
        "data": twofactors_json,
@@ -76,55 +118,7 @@ async fn get_recover(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbCo
    })))
 }

-#[derive(Deserialize)]
-#[serde(rename_all = "camelCase")]
-struct RecoverTwoFactor {
-    master_password_hash: String,
-    email: String,
-    recovery_code: String,
-}
-
-#[post("/two-factor/recover", data = "<data>")]
-async fn recover(data: Json<RecoverTwoFactor>, client_headers: ClientHeaders, conn: DbConn) -> JsonResult {
-    let data: RecoverTwoFactor = data.into_inner();
-
-    use crate::db::models::User;
-
-    // Get the user
-    let Some(mut user) = User::find_by_mail(&data.email, &conn).await else {
-        err!("Username or password is incorrect. Try again.")
-    };
-
-    // Check password
-    if !user.check_valid_password(&data.master_password_hash) {
-        err!("Username or password is incorrect. Try again.")
-    }
-
-    // Check if recovery code is correct
-    if !user.check_valid_recovery_code(&data.recovery_code) {
-        err!("Recovery code is incorrect. Try again.")
-    }
-
-    // Remove all twofactors from the user
-    TwoFactor::delete_all_by_user(&user.uuid, &conn).await?;
-    enforce_2fa_policy(&user, &user.uuid, client_headers.device_type, &client_headers.ip.ip, &conn).await?;
-
-    log_user_event(
-        EventType::UserRecovered2fa as i32,
-        &user.uuid,
-        client_headers.device_type,
-        &client_headers.ip.ip,
-        &conn,
-    )
-    .await;
-
-    // Remove the recovery code, not needed without twofactors
-    user.totp_recover = None;
-    user.save(&conn).await?;
-    Ok(Json(Value::Object(serde_json::Map::new())))
-}
-
-async fn _generate_recover_code(user: &mut User, conn: &DbConn) {
+async fn generate_recover_code(user: &mut User, conn: &DbConn) {
    if user.totp_recover.is_none() {
        let totp_recover = crypto::encode_random_bytes::<20>(&BASE32);
        user.totp_recover = Some(totp_recover);
@@ -184,9 +178,7 @@ pub async fn enforce_2fa_policy(
    ip: &std::net::IpAddr,
    conn: &DbConn,
 ) -> EmptyResult {
-    for member in
-        Membership::find_by_user_and_policy(&user.uuid, OrgPolicyType::TwoFactorAuthentication, conn).await.into_iter()
-    {
+    for member in Membership::find_by_user_and_policy(&user.uuid, OrgPolicyType::TwoFactorAuthentication, conn).await {
        // Policy only applies to non-Owner/non-Admin members who have accepted joining the org
        if member.atype < MembershipType::Admin {
            if CONFIG.mail_enabled() {
@@ -221,7 +213,7 @@ pub async fn enforce_2fa_policy_for_org(
    conn: &DbConn,
 ) -> EmptyResult {
    let org = Organization::find_by_uuid(org_id, conn).await.unwrap();
-    for member in Membership::find_confirmed_by_org(org_id, conn).await.into_iter() {
+    for member in Membership::find_confirmed_by_org(org_id, conn).await {
        // Don't enforce the policy for Admins and Owners.
        if member.atype < MembershipType::Admin && TwoFactor::find_by_user(&member.user_uuid, conn).await.is_empty() {
            if CONFIG.mail_enabled() {
@@ -255,12 +247,9 @@ pub async fn send_incomplete_2fa_notifications(pool: DbPool) {
        return;
    }

-    let conn = match pool.get().await {
-        Ok(conn) => conn,
-        _ => {
-            error!("Failed to get DB connection in send_incomplete_2fa_notifications()");
-            return;
-        }
+    let Ok(conn) = pool.get().await else {
+        error!("Failed to get DB connection in send_incomplete_2fa_notifications()");
+        return;
    };

    let now = Utc::now().naive_utc();
@@ -282,7 +271,7 @@ pub async fn send_incomplete_2fa_notifications(pool: DbPool) {
        )
        .await
        {
-            Ok(_) => {
+            Ok(()) => {
                if let Err(e) = login.delete(&conn).await {
                    error!("Error deleting incomplete 2FA record: {e:#?}");
                }
@@ -1,16 +1,17 @@
-use chrono::{naive::serde::ts_seconds, NaiveDateTime, TimeDelta, Utc};
-use rocket::{serde::json::Json, Route};
+use chrono::{NaiveDateTime, TimeDelta, Utc, naive::serde::ts_seconds};
+use rocket::{Route, serde::json::Json};

 use crate::{
+    CONFIG,
    api::EmptyResult,
    auth::Headers,
    crypto,
    db::{
-        models::{TwoFactor, TwoFactorType, UserId},
        DbConn,
+        models::{TwoFactor, TwoFactorType, UserId},
    },
    error::{Error, MapResult},
-    mail, CONFIG,
+    mail,
 };

 pub fn routes() -> Vec<Route> {
@@ -44,9 +45,10 @@ impl ProtectedActionData {

    pub fn from_json(string: &str) -> Result<Self, Error> {
        let res: Result<Self, serde_json::Error> = serde_json::from_str(string);
-        match res {
-            Ok(x) => Ok(x),
-            Err(_) => err!("Could not decode ProtectedActionData from string"),
+        if let Ok(x) = res {
+            Ok(x)
+        } else {
+            err!("Could not decode ProtectedActionData from string")
        }
    }

@@ -62,7 +64,9 @@ impl ProtectedActionData {
 #[post("/accounts/request-otp")]
 async fn request_otp(headers: Headers, conn: DbConn) -> EmptyResult {
    if !CONFIG.mail_enabled() {
-        err!("Email is disabled for this server. Either enable email or login using your master password instead of login via device.");
+        err!(
+            "Email is disabled for this server. Either enable email or login using your master password instead of login via device."
+        );
    }

    let user = headers.user;
@@ -102,7 +106,9 @@ struct ProtectedActionVerify {
 #[post("/accounts/verify-otp", data = "<data>")]
 async fn verify_otp(data: Json<ProtectedActionVerify>, headers: Headers, conn: DbConn) -> EmptyResult {
    if !CONFIG.mail_enabled() {
-        err!("Email is disabled for this server. Either enable email or login using your master password instead of login via device.");
+        err!(
+            "Email is disabled for this server. Either enable email or login using your master password instead of login via device."
+        );
    }

    let user = headers.user;
@@ -133,7 +139,7 @@ pub async fn validate_protected_action_otp(
    }

    // Check if the token has expired (Using the email 2fa expiration time)
-    let max_time = CONFIG.email_expiration_time() as i64;
+    let max_time = CONFIG.email_expiration_time().cast_signed();
    if pa_data.time_since_sent().num_seconds() > max_time {
        pa.delete(conn).await?;
        err!("Token has expired")
@@ -1,34 +1,35 @@
-use crate::{
-    api::{
-        core::{log_user_event, two_factor::_generate_recover_code},
-        EmptyResult, JsonResult, PasswordOrOtpData,
-    },
-    auth::Headers,
-    crypto::ct_eq,
-    db::{
-        models::{EventType, TwoFactor, TwoFactorType, UserId},
-        DbConn,
-    },
-    error::Error,
-    util::NumberOrString,
-    CONFIG,
-};
-use rocket::serde::json::Json;
-use rocket::Route;
+use std::{str::FromStr, sync::LazyLock, time::Duration};
+
+use rocket::{Route, serde::json::Json};
 use serde_json::Value;
-use std::str::FromStr;
-use std::sync::LazyLock;
-use std::time::Duration;
 use url::Url;
 use uuid::Uuid;
-use webauthn_rs::prelude::{Base64UrlSafeData, Credential, Passkey, PasskeyAuthentication, PasskeyRegistration};
-use webauthn_rs::{Webauthn, WebauthnBuilder};
+use webauthn_rs::{
+    Webauthn, WebauthnBuilder,
+    prelude::{Base64UrlSafeData, Credential, Passkey, PasskeyAuthentication, PasskeyRegistration},
+};
 use webauthn_rs_proto::{
    AuthenticationExtensionsClientOutputs, AuthenticatorAssertionResponseRaw, AuthenticatorAttestationResponseRaw,
    PublicKeyCredential, RegisterPublicKeyCredential, RegistrationExtensionsClientOutputs,
    RequestAuthenticationExtensions, UserVerificationPolicy,
 };

+use crate::{
+    CONFIG,
+    api::{
+        EmptyResult, JsonResult, PasswordOrOtpData,
+        core::{log_user_event, two_factor::generate_recover_code},
+    },
+    auth::Headers,
+    crypto::ct_eq,
+    db::{
+        DbConn,
+        models::{EventType, TwoFactor, TwoFactorType, UserId},
+    },
+    error::Error,
+    util::NumberOrString,
+};
+
 static WEBAUTHN: LazyLock<Webauthn> = LazyLock::new(|| {
    let domain = CONFIG.domain();
    let domain_origin = CONFIG.domain_origin();
@@ -38,7 +39,7 @@ static WEBAUTHN: LazyLock<Webauthn> = LazyLock::new(|| {
    let webauthn = WebauthnBuilder::new(&rp_id, &rp_origin)
        .expect("Creating WebauthnBuilder failed")
        .rp_name(&domain)
-        .timeout(Duration::from_millis(60000));
+        .timeout(Duration::from_mins(1));

    webauthn.build().expect("Building Webauthn failed")
 });
@@ -108,8 +109,8 @@ impl WebauthnRegistration {

 #[post("/two-factor/get-webauthn", data = "<data>")]
 async fn get_webauthn(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbConn) -> JsonResult {
-    if !CONFIG.domain_set() {
-        err!("`DOMAIN` environment variable is not set. Webauthn disabled")
+    if !CONFIG.is_webauthn_2fa_supported() {
+        err!("Configured `DOMAIN` is not compatible with Webauthn")
    }

    let data: PasswordOrOtpData = data.into_inner();
@@ -149,7 +150,7 @@ async fn generate_webauthn_challenge(data: Json<PasswordOrOtpData>, headers: Hea
    )?;

    let mut state = serde_json::to_value(&state)?;
-    state["rs"]["policy"] = Value::String("discouraged".to_string());
+    state["rs"]["policy"] = Value::String("discouraged".to_owned());
    state["rs"]["extensions"].as_object_mut().unwrap().clear();

    let type_ = TwoFactorType::WebauthnRegisterChallenge;
@@ -265,13 +266,12 @@ async fn activate_webauthn(data: Json<EnableWebauthnData>, headers: Headers, con

    // Retrieve and delete the saved challenge state
    let type_ = TwoFactorType::WebauthnRegisterChallenge as i32;
-    let state = match TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn).await {
-        Some(tf) => {
-            let state: PasskeyRegistration = serde_json::from_str(&tf.data)?;
-            tf.delete(&conn).await?;
-            state
-        }
-        None => err!("Can't recover challenge"),
+    let state = if let Some(tf) = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn).await {
+        let state: PasskeyRegistration = serde_json::from_str(&tf.data)?;
+        tf.delete(&conn).await?;
+        state
+    } else {
+        err!("Can't recover challenge")
    };

    // Verify the credentials with the saved state
@@ -291,7 +291,7 @@ async fn activate_webauthn(data: Json<EnableWebauthnData>, headers: Headers, con
    TwoFactor::new(user.uuid.clone(), TwoFactorType::Webauthn, serde_json::to_string(&registrations)?)
        .save(&conn)
        .await?;
-    _generate_recover_code(&mut user, &conn).await;
+    generate_recover_code(&mut user, &conn).await;

    log_user_event(EventType::UserUpdated2fa as i32, &user.uuid, headers.device.atype, &headers.ip.ip, &conn).await;

@@ -342,9 +342,10 @@ async fn delete_webauthn(data: Json<DeleteU2FData>, headers: Headers, conn: DbCo
    // If entry is migrated from u2f, delete the u2f entry as well
    if let Some(mut u2f) = TwoFactor::find_by_user_and_type(&headers.user.uuid, TwoFactorType::U2f as i32, &conn).await
    {
-        let mut data: Vec<U2FRegistration> = match serde_json::from_str(&u2f.data) {
-            Ok(d) => d,
-            Err(_) => err!("Error parsing U2F data"),
+        let mut data: Vec<U2FRegistration> = if let Ok(d) = serde_json::from_str(&u2f.data) {
+            d
+        } else {
+            err!("Error parsing U2F data")
        };

        data.retain(|r| r.reg.key_handle != removed_item.credential.cred_id().as_slice());
@@ -388,10 +389,10 @@ pub async fn generate_webauthn_login(user_id: &UserId, conn: &DbConn) -> JsonRes

    // Modify to discourage user verification
    let mut state = serde_json::to_value(&state)?;
-    state["ast"]["policy"] = Value::String("discouraged".to_string());
+    state["ast"]["policy"] = Value::String("discouraged".to_owned());

    // Add appid, this is only needed for U2F compatibility, so maybe it can be removed as well
-    let app_id = format!("{}/app-id.json", &CONFIG.domain());
+    let app_id = format!("{}/app-id.json", CONFIG.domain());
    state["ast"]["appid"] = Value::String(app_id.clone());

    response.public_key.user_verification = UserVerificationPolicy::Discouraged_DO_NOT_USE;
@@ -416,18 +417,17 @@ pub async fn generate_webauthn_login(user_id: &UserId, conn: &DbConn) -> JsonRes

 pub async fn validate_webauthn_login(user_id: &UserId, response: &str, conn: &DbConn) -> EmptyResult {
    let type_ = TwoFactorType::WebauthnLoginChallenge as i32;
-    let mut state = match TwoFactor::find_by_user_and_type(user_id, type_, conn).await {
-        Some(tf) => {
-            let state: PasskeyAuthentication = serde_json::from_str(&tf.data)?;
-            tf.delete(conn).await?;
-            state
-        }
-        None => err!(
+    let mut state = if let Some(tf) = TwoFactor::find_by_user_and_type(user_id, type_, conn).await {
+        let state: PasskeyAuthentication = serde_json::from_str(&tf.data)?;
+        tf.delete(conn).await?;
+        state
+    } else {
+        err!(
            "Can't recover login challenge",
            ErrorEvent {
                event: EventType::UserFailedLogIn2fa
            }
-        ),
+        )
    };

    let rsp: PublicKeyCredentialCopy = serde_json::from_str(response)?;
@@ -438,7 +438,7 @@ pub async fn validate_webauthn_login(user_id: &UserId, response: &str, conn: &Db
    // We need to check for and update the backup_eligible flag when needed.
    // Vaultwarden did not have knowledge of this flag prior to migrating to webauthn-rs v0.5.x
    // Because of this we check the flag at runtime and update the registrations and state when needed
-    check_and_update_backup_eligible(user_id, &rsp, &mut registrations, &mut state, conn).await?;
+    let backup_flags_updated = check_and_update_backup_eligible(&rsp, &mut registrations, &mut state)?;

    let authentication_result = WEBAUTHN.finish_passkey_authentication(&rsp, &state)?;

@@ -446,7 +446,8 @@ pub async fn validate_webauthn_login(user_id: &UserId, response: &str, conn: &Db
        if ct_eq(reg.credential.cred_id(), authentication_result.cred_id()) {
            // If the cred id matches and the credential is updated, Some(true) is returned
            // In those cases, update the record, else leave it alone
-            if reg.credential.update_credential(&authentication_result) == Some(true) {
+            let credential_updated = reg.credential.update_credential(&authentication_result) == Some(true);
+            if credential_updated || backup_flags_updated {
                TwoFactor::new(user_id.clone(), TwoFactorType::Webauthn, serde_json::to_string(&registrations)?)
                    .save(conn)
                    .await?;
@@ -463,13 +464,11 @@ pub async fn validate_webauthn_login(user_id: &UserId, response: &str, conn: &Db
    )
 }

-async fn check_and_update_backup_eligible(
-    user_id: &UserId,
+fn check_and_update_backup_eligible(
    rsp: &PublicKeyCredential,
    registrations: &mut Vec<WebauthnRegistration>,
    state: &mut PasskeyAuthentication,
-    conn: &DbConn,
-) -> EmptyResult {
+) -> Result<bool, Error> {
    // The feature flags from the response
    // For details see: https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data
    const FLAG_BACKUP_ELIGIBLE: u8 = 0b0000_1000;
@@ -486,16 +485,7 @@ async fn check_and_update_backup_eligible(
            let rsp_id = rsp.raw_id.as_slice();
            for reg in &mut *registrations {
                if ct_eq(reg.credential.cred_id().as_slice(), rsp_id) {
-                    // Try to update the key, and if needed also update the database, before the actual state check is done
                    if reg.set_backup_eligible(backup_eligible, backup_state) {
-                        TwoFactor::new(
-                            user_id.clone(),
-                            TwoFactorType::Webauthn,
-                            serde_json::to_string(&registrations)?,
-                        )
-                        .save(conn)
-                        .await?;
-
                        // We also need to adjust the current state which holds the challenge used to start the authentication verification
                        // Because Vaultwarden supports multiple keys, we need to loop through the deserialized state and check which key to update
                        let mut raw_state = serde_json::to_value(&state)?;
@@ -517,11 +507,12 @@ async fn check_and_update_backup_eligible(
                        }

                        *state = serde_json::from_value(raw_state)?;
+                        return Ok(true);
                    }
                    break;
                }
            }
        }
    }
-    Ok(())
+    Ok(false)
 }
@@ -1,20 +1,19 @@
-use rocket::serde::json::Json;
-use rocket::Route;
+use rocket::{Route, serde::json::Json};
 use serde_json::Value;
 use yubico::{config::Config, verify_async};

 use crate::{
+    CONFIG,
    api::{
-        core::{log_user_event, two_factor::_generate_recover_code},
        EmptyResult, JsonResult, PasswordOrOtpData,
+        core::{log_user_event, two_factor::generate_recover_code},
    },
    auth::Headers,
    db::{
-        models::{EventType, TwoFactor, TwoFactorType},
        DbConn,
+        models::{EventType, TwoFactor, TwoFactorType},
    },
    error::{Error, MapResult},
-    CONFIG,
 };

 pub fn routes() -> Vec<Route> {
@@ -46,7 +45,7 @@ pub struct YubikeyMetadata {
 fn parse_yubikeys(data: &EnableYubikeyData) -> Vec<String> {
    let data_keys = [&data.key1, &data.key2, &data.key3, &data.key4, &data.key5];

-    data_keys.iter().filter_map(|e| e.as_ref().cloned()).collect()
+    data_keys.into_iter().flatten().cloned().collect()
 }

 fn jsonify_yubikeys(yubikeys: Vec<String>) -> Value {
@@ -64,9 +63,10 @@ fn get_yubico_credentials() -> Result<(String, String), Error> {
        err!("Yubico support is disabled");
    }

-    match (CONFIG.yubico_client_id(), CONFIG.yubico_secret_key()) {
-        (Some(id), Some(secret)) => Ok((id, secret)),
-        _ => err!("`YUBICO_CLIENT_ID` or `YUBICO_SECRET_KEY` environment variable is not set. Yubikey OTP Disabled"),
+    if let (Some(id), Some(secret)) = (CONFIG.yubico_client_id(), CONFIG.yubico_secret_key()) {
+        Ok((id, secret))
+    } else {
+        err!("`YUBICO_CLIENT_ID` or `YUBICO_SECRET_KEY` environment variable is not set. Yubikey OTP Disabled")
    }
 }

@@ -162,7 +162,7 @@ async fn activate_yubikey(data: Json<EnableYubikeyData>, headers: Headers, conn:
    yubikey_data.data = serde_json::to_string(&yubikey_metadata).unwrap();
    yubikey_data.save(&conn).await?;

-    _generate_recover_code(&mut user, &conn).await;
+    generate_recover_code(&mut user, &conn).await;

    log_user_event(EventType::UserUpdated2fa as i32, &user.uuid, headers.device.atype, &headers.ip.ip, &conn).await;

@@ -6,28 +6,29 @@ use std::{
 };

 use bytes::{Bytes, BytesMut};
-use futures::{stream::StreamExt, TryFutureExt};
+use futures::{TryFutureExt, stream::StreamExt};
 use html5gum::{Emitter, HtmlString, Readable, StringReader, Tokenizer};
 use regex::Regex;
 use reqwest::{
-    header::{self, HeaderMap, HeaderValue},
    Client, Response,
+    header::{self, HeaderMap, HeaderValue},
 };
-use rocket::{http::ContentType, response::Redirect, Route};
-use svg_hush::{data_url_filter, Filter};
+use rocket::{Route, http::ContentType, response::Redirect};
+use svg_hush::{Filter, data_url_filter};

 use crate::{
+    CONFIG,
    config::PathType,
    error::Error,
-    http_client::{get_reqwest_client_builder, should_block_address, CustomHttpClientError},
+    http_client::{CustomHttpClientError, get_reqwest_client_builder, get_valid_host, should_block_host},
    util::Cached,
-    CONFIG,
 };

 pub fn routes() -> Vec<Route> {
-    match CONFIG.icon_service().as_str() {
-        "internal" => routes![icon_internal],
-        _ => routes![icon_external],
+    if CONFIG.icon_service().as_str() == "internal" {
+        routes![icon_internal]
+    } else {
+        routes![icon_external]
    }
 }

@@ -81,19 +82,19 @@ static ICON_SIZE_REGEX: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"(?x)(\d+
 // The function name `icon_external` is checked in the `on_response` function in `AppHeaders`
 // It is used to prevent sending a specific header which breaks icon downloads.
 // If this function needs to be renamed, also adjust the code in `util.rs`
-#[get("/<domain>/icon.png")]
-fn icon_external(domain: &str) -> Cached<Option<Redirect>> {
-    if !is_valid_domain(domain) {
-        warn!("Invalid domain: {domain}");
+#[get("/<host>/icon.png")]
+fn icon_external(host: &str) -> Cached<Option<Redirect>> {
+    let Ok(host) = get_valid_host(host) else {
+        warn!("Invalid host: {host}");
+        return Cached::ttl(None, CONFIG.icon_cache_negttl(), true);
+    };
+
+    if should_block_host(&host).is_err() {
+        warn!("Blocked address: {host}");
        return Cached::ttl(None, CONFIG.icon_cache_negttl(), true);
    }

-    if should_block_address(domain) {
-        warn!("Blocked address: {domain}");
-        return Cached::ttl(None, CONFIG.icon_cache_negttl(), true);
-    }
-
-    let url = CONFIG._icon_service_url().replace("{}", domain);
+    let url = CONFIG._icon_service_url().replace("{}", &host.to_string());
    let redir = match CONFIG.icon_redirect_code() {
        301 => Some(Redirect::moved(url)), // legacy permanent redirect
        302 => Some(Redirect::found(url)), // legacy temporary redirect
@@ -107,12 +108,21 @@ fn icon_external(domain: &str) -> Cached<Option<Redirect>> {
    Cached::ttl(redir, CONFIG.icon_cache_ttl(), true)
 }

-#[get("/<domain>/icon.png")]
-async fn icon_internal(domain: &str) -> Cached<(ContentType, Vec<u8>)> {
+#[get("/<host>/icon.png")]
+async fn icon_internal(host: &str) -> Cached<(ContentType, Vec<u8>)> {
    const FALLBACK_ICON: &[u8] = include_bytes!("../static/images/fallback-icon.png");

-    if !is_valid_domain(domain) {
-        warn!("Invalid domain: {domain}");
+    let Ok(host) = get_valid_host(host) else {
+        warn!("Invalid host: {host}");
+        return Cached::ttl(
+            (ContentType::new("image", "png"), FALLBACK_ICON.to_vec()),
+            CONFIG.icon_cache_negttl(),
+            true,
+        );
+    };
+
+    if should_block_host(&host).is_err() {
+        warn!("Blocked address: {host}");
        return Cached::ttl(
            (ContentType::new("image", "png"), FALLBACK_ICON.to_vec()),
            CONFIG.icon_cache_negttl(),
@@ -120,16 +130,7 @@ async fn icon_internal(domain: &str) -> Cached<(ContentType, Vec<u8>)> {
        );
    }

-    if should_block_address(domain) {
-        warn!("Blocked address: {domain}");
-        return Cached::ttl(
-            (ContentType::new("image", "png"), FALLBACK_ICON.to_vec()),
-            CONFIG.icon_cache_negttl(),
-            true,
-        );
-    }
-
-    match get_icon(domain).await {
+    match get_icon(&host.to_string()).await {
        Some((icon, icon_type)) => {
            Cached::ttl((ContentType::new("image", icon_type), icon), CONFIG.icon_cache_ttl(), true)
        }
@@ -137,42 +138,6 @@ async fn icon_internal(domain: &str) -> Cached<(ContentType, Vec<u8>)> {
    }
 }

-/// Returns if the domain provided is valid or not.
-///
-/// This does some manual checks and makes use of Url to do some basic checking.
-/// domains can't be larger then 63 characters (not counting multiple subdomains) according to the RFC's, but we limit the total size to 255.
-fn is_valid_domain(domain: &str) -> bool {
-    const ALLOWED_CHARS: &str = "-.";
-
-    // If parsing the domain fails using Url, it will not work with reqwest.
-    if let Err(parse_error) = url::Url::parse(format!("https://{domain}").as_str()) {
-        debug!("Domain parse error: '{domain}' - {parse_error:?}");
-        return false;
-    } else if domain.is_empty()
-        || domain.contains("..")
-        || domain.starts_with('.')
-        || domain.starts_with('-')
-        || domain.ends_with('-')
-    {
-        debug!(
-            "Domain validation error: '{domain}' is either empty, contains '..', starts with an '.', starts or ends with a '-'"
-        );
-        return false;
-    } else if domain.len() > 255 {
-        debug!("Domain validation error: '{domain}' exceeds 255 characters");
-        return false;
-    }
-
-    for c in domain.chars() {
-        if !c.is_alphanumeric() && !ALLOWED_CHARS.contains(c) {
-            debug!("Domain validation error: '{domain}' contains an invalid character '{c}'");
-            return false;
-        }
-    }
-
-    true
-}
-
 async fn get_icon(domain: &str) -> Option<(Vec<u8>, String)> {
    let path = format!("{domain}.png");

@@ -183,7 +148,7 @@ async fn get_icon(domain: &str) -> Option<(Vec<u8>, String)> {

    if let Some(icon) = get_cached_icon(&path).await {
        let icon_type = get_icon_type(&icon).unwrap_or("x-icon");
-        return Some((icon, icon_type.to_string()));
+        return Some((icon, icon_type.to_owned()));
    }

    if CONFIG.disable_icon_download() {
@@ -194,7 +159,7 @@ async fn get_icon(domain: &str) -> Option<(Vec<u8>, String)> {
    match download_icon(domain).await {
        Ok((icon, icon_type)) => {
            save_icon(&path, icon.to_vec()).await;
-            Some((icon.to_vec(), icon_type.unwrap_or("x-icon").to_string()))
+            Some((icon.to_vec(), icon_type.unwrap_or("x-icon").to_owned()))
        }
        Err(e) => {
            // If this error comes from the custom resolver, this means this is a blocked domain
@@ -219,10 +184,10 @@ async fn get_cached_icon(path: &str) -> Option<Vec<u8>> {
    }

    // Try to read the cached icon, and return it if it exists
-    if let Ok(operator) = CONFIG.opendal_operator_for_path_type(&PathType::IconCache) {
-        if let Ok(buf) = operator.read(path).await {
-            return Some(buf.to_vec());
-        }
+    if let Ok(operator) = CONFIG.opendal_operator_for_path_type(&PathType::IconCache)
+        && let Ok(buf) = operator.read(path).await
+    {
+        return Some(buf.to_vec());
    }

    None
@@ -316,17 +281,17 @@ fn get_favicons_node(dom: Tokenizer<StringReader<'_>, FaviconEmitter>, icons: &m
    }

    for icon_tag in icon_tags {
-        if let Some(icon_href) = icon_tag.attributes.get(ATTR_HREF) {
-            if let Ok(full_href) = base_url.join(std::str::from_utf8(icon_href).unwrap_or_default()) {
-                let sizes = if let Some(v) = icon_tag.attributes.get(ATTR_SIZES) {
-                    std::str::from_utf8(v).unwrap_or_default()
-                } else {
-                    ""
-                };
-                let priority = get_icon_priority(full_href.as_str(), sizes);
-                icons.push(Icon::new(priority, full_href.to_string()));
-            }
-        };
+        if let Some(icon_href) = icon_tag.attributes.get(ATTR_HREF)
+            && let Ok(full_href) = base_url.join(std::str::from_utf8(icon_href).unwrap_or_default())
+        {
+            let sizes = if let Some(v) = icon_tag.attributes.get(ATTR_SIZES) {
+                std::str::from_utf8(v).unwrap_or_default()
+            } else {
+                ""
+            };
+            let priority = get_icon_priority(full_href.as_str(), sizes);
+            icons.push(Icon::new(priority, full_href.to_string()));
+        }
    }
 }

@@ -367,7 +332,7 @@ async fn get_icon_url(domain: &str) -> Result<IconUrlResult, Error> {
                            tld = domain_parts.next_back().unwrap(),
                            base = domain_parts.next_back().unwrap()
                        );
-                        if is_valid_domain(&base_domain) {
+                        if get_valid_host(&base_domain).is_ok() {
                            let sslbase = format!("https://{base_domain}");
                            let httpbase = format!("http://{base_domain}");
                            debug!("[get_icon_url]: Trying without subdomains '{base_domain}'");
@@ -378,7 +343,7 @@ async fn get_icon_url(domain: &str) -> Result<IconUrlResult, Error> {
                    // When the domain is not an IP, and has less then 2 dots, try to add www. infront of it.
                    } else if is_ip.is_err() && domain.matches('.').count() < 2 {
                        let www_domain = format!("www.{domain}");
-                        if is_valid_domain(&www_domain) {
+                        if get_valid_host(&www_domain).is_ok() {
                            let sslwww = format!("https://{www_domain}");
                            let httpwww = format!("http://{www_domain}");
                            debug!("[get_icon_url]: Trying with www. prefix '{www_domain}'");
@@ -442,7 +407,7 @@ async fn get_page(url: &str) -> Result<Response, Error> {
 async fn get_page_with_referer(url: &str, referer: &str) -> Result<Response, Error> {
    let mut client = CLIENT.get(url);
    if !referer.is_empty() {
-        client = client.header("Referer", referer)
+        client = client.header("Referer", referer);
    }

    Ok(client.send().await?.error_for_status()?)
@@ -513,13 +478,11 @@ fn parse_sizes(sizes: &str) -> (u16, u16) {

    if !sizes.is_empty() {
        match ICON_SIZE_REGEX.captures(sizes.trim()) {
-            None => {}
-            Some(dimensions) => {
-                if dimensions.len() >= 3 {
-                    width = dimensions[1].parse::<u16>().unwrap_or_default();
-                    height = dimensions[2].parse::<u16>().unwrap_or_default();
-                }
+            Some(dimensions) if dimensions.len() >= 3 => {
+                width = dimensions[1].parse::<u16>().unwrap_or_default();
+                height = dimensions[2].parse::<u16>().unwrap_or_default();
            }
+            _ => {}
        }
    }

@@ -532,11 +495,10 @@ async fn download_icon(domain: &str) -> Result<(Bytes, Option<&str>), Error> {
    let mut buffer = Bytes::new();
    let mut icon_type: Option<&str> = None;

-    use data_url::DataUrl;
-
-    for icon in icon_result.iconlist.iter().take(5) {
+    let mut icons = icon_result.iconlist.iter().take(5).peekable();
+    while let Some(icon) = icons.next() {
        if icon.href.starts_with("data:image") {
-            let Ok(datauri) = DataUrl::process(&icon.href) else {
+            let Ok(datauri) = data_url::DataUrl::process(&icon.href) else {
                continue;
            };
            // Check if we are able to decode the data uri
@@ -560,13 +522,25 @@ async fn download_icon(domain: &str) -> Result<(Bytes, Option<&str>), Error> {
                    }
                }
                _ => debug!("Extracted icon from data:image uri is invalid"),
-            };
+            }
        } else {
-            let res = get_page_with_referer(&icon.href, &icon_result.referer).await?;
+            debug!("Trying {}", icon.href);
+            // Make sure all icons are checked before returning error
+            let res = match get_page_with_referer(&icon.href, &icon_result.referer).await {
+                Ok(r) => r,
+                Err(e) if icons.peek().is_none() => return Err(e),
+                Err(e) if CustomHttpClientError::downcast_ref(&e).is_some() => return Err(e), // If blacklisted stop immediately instead of checking the rest of the icons. see explanation and actual handling inside get_icon()
+                Err(e) => {
+                    warn!("Unable to download icon: {e:?}");
+
+                    // Continue to next icon
+                    continue;
+                }
+            };

            buffer = stream_to_bytes_limit(res, 5120 * 1024).await?; // 5120KB/5MB for each icon max (Same as icons.bitwarden.net)

-            // Check if the icon type is allowed, else try an icon from the list.
+            // Check if the icon type is allowed, else try another icon from the list.
            icon_type = get_icon_type(&buffer);
            if icon_type.is_none() {
                buffer.clear();
@@ -612,22 +586,25 @@ async fn save_icon(path: &str, icon: Vec<u8>) {
 fn get_icon_type(bytes: &[u8]) -> Option<&'static str> {
    fn check_svg_after_xml_declaration(bytes: &[u8]) -> Option<&'static str> {
        // Look for SVG tag within the first 1KB
-        if let Ok(content) = std::str::from_utf8(&bytes[..bytes.len().min(1024)]) {
-            if content.contains("<svg") || content.contains("<SVG") {
-                return Some("svg+xml");
-            }
+        if let Ok(content) = std::str::from_utf8(&bytes[..bytes.len().min(1024)])
+            && (content.contains("<svg") || content.contains("<SVG"))
+        {
+            return Some("svg+xml");
        }
        None
    }

+    // Some details can be found here:
+    // - https://www.garykessler.net/library/file_sigs_GCK_latest.html
+    // - https://en.wikipedia.org/wiki/List_of_file_signatures
    match bytes {
-        [137, 80, 78, 71, ..] => Some("png"),
-        [0, 0, 1, 0, ..] => Some("x-icon"),
-        [82, 73, 70, 70, ..] => Some("webp"),
-        [255, 216, 255, ..] => Some("jpeg"),
-        [71, 73, 70, 56, ..] => Some("gif"),
-        [66, 77, ..] => Some("bmp"),
-        [60, 115, 118, 103, ..] => Some("svg+xml"), // Normal svg
+        [137, 80, 78, 71, 13, 10, 26, 10, ..] => Some("png"),
+        [0, 0, 1, 0, n1, n2, ..] if u16::from_le_bytes([*n1, *n2]) > 0 => Some("x-icon"), // https://en.wikipedia.org/wiki/ICO_(file_format)
+        [82, 73, 70, 70, _, _, _, _, 87, 69, 66, 80, ..] => Some("webp"),                 // Only match WebP Images
+        [255, 216, 255, b, ..] if *b >= 0xC0 => Some("jpeg"),
+        [71, 73, 70, 56, 55 | 57, 97, ..] => Some("gif"),
+        [66, 77, _, _, _, _, 0, 0, 0, 0, ..] => Some("bmp"), // https://en.wikipedia.org/wiki/BMP_file_format
+        [60, 115, 118, 103, ..] => Some("svg+xml"),          // Normal svg
        [60, 63, 120, 109, 108, ..] => check_svg_after_xml_declaration(bytes), // An svg starting with <?xml
        _ => None,
    }
@@ -755,7 +732,7 @@ impl FaviconEmitter {
                    let rel_value =
                        std::str::from_utf8(token.tag.attributes.get(ATTR_REL).unwrap()).unwrap_or_default();
                    if rel_value.contains("icon") && !rel_value.contains("mask-icon") {
-                        self.emit_token = true
+                        self.emit_token = true;
                    }
                }
                _ => (),
@@ -828,13 +805,13 @@ impl Emitter for FaviconEmitter {

    fn push_attribute_name(&mut self, s: &[u8]) {
        if let Some(attr) = &mut self.current_attribute {
-            attr.0.extend(s)
+            attr.0.extend(s);
        }
    }

    fn push_attribute_value(&mut self, s: &[u8]) {
        if let Some(attr) = &mut self.current_attribute {
-            attr.1.extend(s)
+            attr.1.extend(s);
        }
    }

@@ -1,44 +1,51 @@
 use chrono::Utc;
 use num_traits::FromPrimitive;
 use rocket::{
+    Route,
    form::{Form, FromForm},
-    http::Status,
+    http::{Cookie, CookieJar, SameSite},
    response::Redirect,
    serde::json::Json,
-    Route,
 };
 use serde_json::Value;

 use crate::{
+    CONFIG,
    api::{
+        ApiResult, EmptyResult, JsonResult,
        core::{
-            accounts::{PreloginData, RegisterData, _prelogin, _register, kdf_upgrade},
+            accounts::{PreloginData, RegisterData, kdf_upgrade, prelogin, register},
            log_user_event,
-            two_factor::{authenticator, duo, duo_oidc, email, enforce_2fa_policy, webauthn, yubikey},
+            two_factor::{
+                authenticator, duo, duo_oidc, email, enforce_2fa_policy, is_twofactor_provider_usable, webauthn,
+                yubikey,
+            },
        },
        master_password_policy,
        push::register_push_device,
-        ApiResult, EmptyResult, JsonResult,
    },
    auth,
-    auth::{generate_organization_api_key_login_claims, AuthMethod, ClientHeaders, ClientIp, ClientVersion},
+    auth::{AuthMethod, ClientHeaders, ClientIp, ClientVersion, Secure, generate_organization_api_key_login_claims},
+    crypto,
    db::{
-        models::{
-            AuthRequest, AuthRequestId, Device, DeviceId, EventType, Invitation, OIDCCodeWrapper, OrganizationApiKey,
-            OrganizationId, SsoAuth, SsoUser, TwoFactor, TwoFactorIncomplete, TwoFactorType, User, UserId,
-        },
        DbConn,
+        models::{
+            AuthRequest, AuthRequestId, Device, DeviceId, EventType, Invitation, OIDCCodeResponseError,
+            OrganizationApiKey, OrganizationId, SsoAuth, SsoUser, TwoFactor, TwoFactorIncomplete, TwoFactorType, User,
+            UserId,
+        },
    },
    error::MapResult,
    mail, sso,
    sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
-    util, CONFIG,
+    util,
 };

 pub fn routes() -> Vec<Route> {
    routes![
        login,
-        prelogin,
+        post_prelogin,
+        prelogin_password,
        identity_register,
        register_verification_email,
        register_finish,
@@ -62,43 +69,43 @@ async fn login(

    let login_result = match data.grant_type.as_ref() {
        "refresh_token" => {
-            _check_is_some(&data.refresh_token, "refresh_token cannot be blank")?;
-            _refresh_login(data, &conn, &client_header.ip).await
+            check_is_some(data.refresh_token.as_ref(), "refresh_token cannot be blank")?;
+            refresh_login(data, &conn, &client_header.ip).await
        }
        "password" if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO sign-in is required"),
        "password" => {
-            _check_is_some(&data.client_id, "client_id cannot be blank")?;
-            _check_is_some(&data.password, "password cannot be blank")?;
-            _check_is_some(&data.scope, "scope cannot be blank")?;
-            _check_is_some(&data.username, "username cannot be blank")?;
+            check_is_some(data.client_id.as_ref(), "client_id cannot be blank")?;
+            check_is_some(data.password.as_ref(), "password cannot be blank")?;
+            check_is_some(data.scope.as_ref(), "scope cannot be blank")?;
+            check_is_some(data.username.as_ref(), "username cannot be blank")?;

-            _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?;
-            _check_is_some(&data.device_name, "device_name cannot be blank")?;
-            _check_is_some(&data.device_type, "device_type cannot be blank")?;
+            check_is_some(data.device_identifier.as_ref(), "device_identifier cannot be blank")?;
+            check_is_some(data.device_name.as_ref(), "device_name cannot be blank")?;
+            check_is_some(data.device_type.as_ref(), "device_type cannot be blank")?;

-            _password_login(data, &mut user_id, &conn, &client_header.ip, &client_version).await
+            password_login(data, &mut user_id, &conn, &client_header.ip, client_version.as_ref()).await
        }
        "client_credentials" => {
-            _check_is_some(&data.client_id, "client_id cannot be blank")?;
-            _check_is_some(&data.client_secret, "client_secret cannot be blank")?;
-            _check_is_some(&data.scope, "scope cannot be blank")?;
+            check_is_some(data.client_id.as_ref(), "client_id cannot be blank")?;
+            check_is_some(data.client_secret.as_ref(), "client_secret cannot be blank")?;
+            check_is_some(data.scope.as_ref(), "scope cannot be blank")?;

-            _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?;
-            _check_is_some(&data.device_name, "device_name cannot be blank")?;
-            _check_is_some(&data.device_type, "device_type cannot be blank")?;
+            check_is_some(data.device_identifier.as_ref(), "device_identifier cannot be blank")?;
+            check_is_some(data.device_name.as_ref(), "device_name cannot be blank")?;
+            check_is_some(data.device_type.as_ref(), "device_type cannot be blank")?;

-            _api_key_login(data, &mut user_id, &conn, &client_header.ip).await
+            api_key_login(data, &mut user_id, &conn, &client_header.ip).await
        }
        "authorization_code" if CONFIG.sso_enabled() => {
-            _check_is_some(&data.client_id, "client_id cannot be blank")?;
-            _check_is_some(&data.code, "code cannot be blank")?;
-            _check_is_some(&data.code_verifier, "code verifier cannot be blank")?;
+            check_is_some(data.client_id.as_ref(), "client_id cannot be blank")?;
+            check_is_some(data.code.as_ref(), "code cannot be blank")?;
+            check_is_some(data.code_verifier.as_ref(), "code verifier cannot be blank")?;

-            _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?;
-            _check_is_some(&data.device_name, "device_name cannot be blank")?;
-            _check_is_some(&data.device_type, "device_type cannot be blank")?;
+            check_is_some(data.device_identifier.as_ref(), "device_identifier cannot be blank")?;
+            check_is_some(data.device_name.as_ref(), "device_name cannot be blank")?;
+            check_is_some(data.device_type.as_ref(), "device_type cannot be blank")?;

-            _sso_login(data, &mut user_id, &conn, &client_header.ip, &client_version).await
+            sso_login(data, &mut user_id, &conn, &client_header.ip, client_version.as_ref()).await
        }
        "authorization_code" => err!("SSO sign-in is not available"),
        t => err!("Invalid type", t),
@@ -119,7 +126,7 @@ async fn login(
            Err(e) => {
                if let Some(ev) = e.get_event() {
                    log_user_event(ev.event as i32, &user_id, client_header.device_type, &client_header.ip.ip, &conn)
-                        .await
+                        .await;
                }
            }
        }
@@ -128,12 +135,14 @@ async fn login(
    login_result
 }

-// Return Status::Unauthorized to trigger logout
-async fn _refresh_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> JsonResult {
-    // Extract token
-    let refresh_token = match data.refresh_token {
-        Some(token) => token,
-        None => err_code!("Missing refresh_token", Status::Unauthorized.code),
+async fn refresh_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> JsonResult {
+    // When a refresh token is invalid or missing we need to respond with an HTTP BadRequest (400)
+    // It also needs to return a json which holds at least a key `error` with the value `invalid_grant`
+    // See the link below for details
+    // https://github.com/bitwarden/clients/blob/2ee158e720a5e7dbe3641caf80b569e97a1dd91b/libs/common/src/services/api.service.ts#L1786-L1797
+
+    let Some(refresh_token) = data.refresh_token else {
+        err_json!(json!({"error": "invalid_grant"}), "Missing refresh_token")
    };

    // ---
@@ -144,7 +153,10 @@ async fn _refresh_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> Json
    // let members = Membership::find_confirmed_by_user(&user.uuid, conn).await;
    match auth::refresh_tokens(ip, &refresh_token, data.client_id, conn).await {
        Err(err) => {
-            err_code!(format!("Unable to refresh login credentials: {}", err.message()), Status::Unauthorized.code)
+            err_json!(
+                json!({"error": "invalid_grant"}),
+                format!("Unable to refresh login credentials: {}", err.message())
+            )
        }
        Ok((mut device, auth_tokens)) => {
            // Save to update `device.updated_at` to track usage and toggle new status
@@ -164,19 +176,19 @@ async fn _refresh_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> Json
 }

 // After exchanging the code we need to check first if 2FA is needed before continuing
-async fn _sso_login(
+async fn sso_login(
    data: ConnectData,
    user_id: &mut Option<UserId>,
    conn: &DbConn,
    ip: &ClientIp,
-    client_version: &Option<ClientVersion>,
+    client_version: Option<&ClientVersion>,
 ) -> JsonResult {
    AuthMethod::Sso.check_scope(data.scope.as_ref())?;

    // Ratelimit the login
    crate::ratelimit::check_limit_login(&ip.ip)?;

-    let (state, code_verifier) = match (data.code.as_ref(), data.code_verifier.as_ref()) {
+    let (code, code_verifier) = match (data.code.as_ref(), data.code_verifier.as_ref()) {
        (None, _) => err!(
            "Got no code in OIDC data",
            ErrorEvent {
@@ -192,7 +204,7 @@ async fn _sso_login(
        (Some(code), Some(code_verifier)) => (code, code_verifier.clone()),
    };

-    let (sso_auth, user_infos) = sso::exchange_code(state, code_verifier, conn).await?;
+    let (sso_auth, user_infos) = sso::exchange_code(code, code_verifier, conn).await?;
    let user_with_sso = match SsoUser::find_by_identifier(&user_infos.identifier, conn).await {
        None => match SsoUser::find_by_mail(&user_infos.email, conn).await {
            None => None,
@@ -220,7 +232,33 @@ async fn _sso_login(
                    }
                )
            }
-            Some((user, None)) => Some((user, None)),
+            Some((user, None)) => match user_infos.email_verified {
+                None if !CONFIG.sso_allow_unknown_email_verification() => {
+                    error!(
+                        "Login failure ({}), existing non SSO user ({}) with same email ({}) and email verification status is unknown",
+                        user_infos.identifier, user.uuid, user.email
+                    );
+                    err_silent!(
+                        "Email verification status is unknown",
+                        ErrorEvent {
+                            event: EventType::UserFailedLogIn
+                        }
+                    )
+                }
+                Some(false) => {
+                    error!(
+                        "Login failure ({}), existing non SSO user ({}) with same email ({}) and email is not verified",
+                        user_infos.identifier, user.uuid, user.email
+                    );
+                    err_silent!(
+                        "Email is not verified by the SSO provider",
+                        ErrorEvent {
+                            event: EventType::UserFailedLogIn
+                        }
+                    )
+                }
+                _ => Some((user, None)),
+            },
        },
        Some((user, sso_user)) => Some((user, Some(sso_user))),
    };
@@ -307,12 +345,12 @@ async fn _sso_login(
    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, conn, ip).await
 }

-async fn _password_login(
+async fn password_login(
    data: ConnectData,
    user_id: &mut Option<UserId>,
    conn: &DbConn,
    ip: &ClientIp,
-    client_version: &Option<ClientVersion>,
+    client_version: Option<&ClientVersion>,
 ) -> JsonResult {
    // Validate scope
    AuthMethod::Password.check_scope(data.scope.as_ref())?;
@@ -391,9 +429,9 @@ async fn _password_login(
    if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {
        if user.last_verifying_at.is_none()
            || now.signed_duration_since(user.last_verifying_at.unwrap()).num_seconds()
-                > CONFIG.signups_verify_resend_time() as i64
+                > CONFIG.signups_verify_resend_time().cast_signed()
        {
-            let resend_limit = CONFIG.signups_verify_resend_limit() as i32;
+            let resend_limit = CONFIG.signups_verify_resend_limit().cast_signed();
            if resend_limit == 0 || user.login_verify_count < resend_limit {
                // We want to send another email verification if we require signups to verify
                // their email address, and we haven't sent them a reminder in a while...
@@ -482,14 +520,18 @@ async fn authenticated_response(
        Value::Null
    };

-    let account_keys = json!({
-        "publicKeyEncryptionKeyPair": {
-            "wrappedPrivateKey": user.private_key,
-            "publicKey": user.public_key,
-            "Object": "publicKeyEncryptionKeyPair"
-        },
-        "Object": "privateKeys"
-    });
+    let account_keys = if user.private_key.is_some() {
+        json!({
+            "publicKeyEncryptionKeyPair": {
+                "wrappedPrivateKey": user.private_key,
+                "publicKey": user.public_key,
+                "Object": "publicKeyEncryptionKeyPair"
+            },
+            "Object": "privateKeys"
+        })
+    } else {
+        Value::Null
+    };

    let mut result = json!({
        "access_token": auth_tokens.access_token(),
@@ -525,19 +567,19 @@ async fn authenticated_response(
    Ok(Json(result))
 }

-async fn _api_key_login(data: ConnectData, user_id: &mut Option<UserId>, conn: &DbConn, ip: &ClientIp) -> JsonResult {
+async fn api_key_login(data: ConnectData, user_id: &mut Option<UserId>, conn: &DbConn, ip: &ClientIp) -> JsonResult {
    // Ratelimit the login
    crate::ratelimit::check_limit_login(&ip.ip)?;

    // Validate scope
    match data.scope.as_ref() {
-        Some(scope) if scope == &AuthMethod::UserApiKey.scope() => _user_api_key_login(data, user_id, conn, ip).await,
-        Some(scope) if scope == &AuthMethod::OrgApiKey.scope() => _organization_api_key_login(data, conn, ip).await,
+        Some(scope) if scope == &AuthMethod::UserApiKey.scope() => user_api_key_login(data, user_id, conn, ip).await,
+        Some(scope) if scope == &AuthMethod::OrgApiKey.scope() => organization_api_key_login(data, conn, ip).await,
        _ => err!("Scope not supported"),
    }
 }

-async fn _user_api_key_login(
+async fn user_api_key_login(
    data: ConnectData,
    user_id: &mut Option<UserId>,
    conn: &DbConn,
@@ -629,6 +671,19 @@ async fn _user_api_key_login(
        Value::Null
    };

+    let account_keys = if user.private_key.is_some() {
+        json!({
+            "publicKeyEncryptionKeyPair": {
+                "wrappedPrivateKey": user.private_key,
+                "publicKey": user.public_key,
+                "Object": "publicKeyEncryptionKeyPair"
+            },
+            "Object": "privateKeys"
+        })
+    } else {
+        Value::Null
+    };
+
    // Note: No refresh_token is returned. The CLI just repeats the
    // client_credentials login flow when the existing token expires.
    let result = json!({
@@ -643,7 +698,9 @@ async fn _user_api_key_login(
        "KdfMemory": user.client_kdf_memory,
        "KdfParallelism": user.client_kdf_parallelism,
        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
+        "ForcePasswordReset": false,
        "scope": AuthMethod::UserApiKey.scope(),
+        "AccountKeys": account_keys,
        "UserDecryptionOptions": {
            "HasMasterPassword": has_master_password,
            "MasterPasswordUnlock": master_password_unlock,
@@ -654,13 +711,13 @@ async fn _user_api_key_login(
    Ok(Json(result))
 }

-async fn _organization_api_key_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> JsonResult {
+async fn organization_api_key_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> JsonResult {
    // Get the org via the client_id
    let client_id = data.client_id.as_ref().unwrap();
    let Some(org_id) = client_id.strip_prefix("organization.") else {
        err!("Malformed client_id", format!("IP: {}.", ip.ip))
    };
-    let org_id: OrganizationId = org_id.to_string().into();
+    let org_id: OrganizationId = org_id.to_owned().into();
    let Some(org_api_key) = OrganizationApiKey::find_by_org_uuid(&org_id, conn).await else {
        err!("Invalid client_id", format!("IP: {}.", ip.ip))
    };
@@ -691,14 +748,13 @@ async fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> ApiResult
    let device_name = data.device_name.clone().expect("No device name provided");

    // Find device or create new
-    match Device::find_by_uuid_and_user(&device_id, &user.uuid, conn).await {
-        Some(device) => Ok(device),
-        None => {
-            let mut device = Device::new(device_id, user.uuid.clone(), device_name, device_type);
-            // save device without updating `device.updated_at`
-            device.save(false, conn).await?;
-            Ok(device)
-        }
+    if let Some(device) = Device::find_by_uuid_and_user(&device_id, &user.uuid, conn).await {
+        Ok(device)
+    } else {
+        let mut device = Device::new(device_id, user.uuid.clone(), device_name, device_type);
+        // save device without updating `device.updated_at`
+        device.save(false, conn).await?;
+        Ok(device)
    }
 }

@@ -707,7 +763,7 @@ async fn twofactor_auth(
    data: &ConnectData,
    device: &mut Device,
    ip: &ClientIp,
-    client_version: &Option<ClientVersion>,
+    client_version: Option<&ClientVersion>,
    conn: &DbConn,
 ) -> ApiResult<Option<String>> {
    let twofactors = TwoFactor::find_by_user(&user.uuid, conn).await;
@@ -720,63 +776,83 @@ async fn twofactor_auth(

    TwoFactorIncomplete::mark_incomplete(&user.uuid, &device.uuid, &device.name, device.atype, ip, conn).await?;

-    let twofactor_ids: Vec<_> = twofactors.iter().map(|tf| tf.atype).collect();
-    let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, assume the first one
+    let twofactor_ids: Vec<_> = twofactors
+        .iter()
+        .filter_map(|tf| {
+            let provider_type = TwoFactorType::from_i32(tf.atype)?;
+            (tf.enabled && is_twofactor_provider_usable(&provider_type, Some(&tf.data))).then_some(tf.atype)
+        })
+        .collect();
+    if twofactor_ids.is_empty() {
+        err!("No enabled and usable two factor providers are available for this account")
+    }

-    let twofactor_code = match data.two_factor_token {
-        Some(ref code) => code,
-        None => {
-            err_json!(
-                _json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
-                "2FA token not provided"
-            )
-        }
+    let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, assume the first one
+    // Ignore Remember and RecoveryCode Types during this check, these are special
+    if ![TwoFactorType::Remember as i32, TwoFactorType::RecoveryCode as i32].contains(&selected_id)
+        && !twofactor_ids.contains(&selected_id)
+    {
+        err_json!(
+            json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
+            "Invalid two factor provider"
+        )
+    }
+
+    let Some(ref twofactor_code) = data.two_factor_token else {
+        err_json!(
+            json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
+            "2FA token not provided"
+        )
    };

    let selected_twofactor = twofactors.into_iter().find(|tf| tf.atype == selected_id && tf.enabled);

-    use crate::crypto::ct_eq;
-
-    let selected_data = _selected_data(selected_twofactor);
-    let mut remember = data.two_factor_remember.unwrap_or(0);
+    let selected_data = selected_data(selected_twofactor);

    match TwoFactorType::from_i32(selected_id) {
        Some(TwoFactorType::Authenticator) => {
-            authenticator::validate_totp_code_str(&user.uuid, twofactor_code, &selected_data?, ip, conn).await?
+            authenticator::validate_totp_code_str(&user.uuid, twofactor_code, &selected_data?, ip, conn).await?;
        }
        Some(TwoFactorType::Webauthn) => webauthn::validate_webauthn_login(&user.uuid, twofactor_code, conn).await?,
        Some(TwoFactorType::YubiKey) => yubikey::validate_yubikey_login(twofactor_code, &selected_data?).await?,
        Some(TwoFactorType::Duo) => {
-            match CONFIG.duo_use_iframe() {
-                true => {
-                    // Legacy iframe prompt flow
-                    duo::validate_duo_login(&user.email, twofactor_code, conn).await?
-                }
-                false => {
-                    // OIDC based flow
-                    duo_oidc::validate_duo_login(
-                        &user.email,
-                        twofactor_code,
-                        data.client_id.as_ref().unwrap(),
-                        data.device_identifier.as_ref().unwrap(),
-                        conn,
-                    )
-                    .await?
-                }
+            if CONFIG.duo_use_iframe() {
+                // Legacy iframe prompt flow
+                duo::validate_duo_login(&user.email, twofactor_code, conn).await?;
+            } else {
+                // OIDC based flow
+                duo_oidc::validate_duo_login(
+                    &user.email,
+                    twofactor_code,
+                    data.client_id.as_ref().unwrap(),
+                    data.device_identifier.as_ref().unwrap(),
+                    conn,
+                )
+                .await?;
            }
        }
        Some(TwoFactorType::Email) => {
-            email::validate_email_code_str(&user.uuid, twofactor_code, &selected_data?, &ip.ip, conn).await?
+            email::validate_email_code_str(&user.uuid, twofactor_code, &selected_data?, &ip.ip, conn).await?;
        }
        Some(TwoFactorType::Remember) => {
            match device.twofactor_remember {
-                Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => {
-                    remember = 1; // Make sure we also return the token here, otherwise it will only remember the first time
-                }
+                // When a 2FA Remember token is used, check and validate this JWT token, if it is valid, just continue
+                // If it is invalid we need to trigger the 2FA Login prompt
+                Some(ref token)
+                    if !CONFIG.disable_2fa_remember()
+                        && (crypto::ct_eq(token, twofactor_code)
+                            && auth::decode_2fa_remember(twofactor_code)
+                                .is_ok_and(|t| t.sub == device.uuid && t.user_uuid == user.uuid)) => {}
                _ => {
+                    // Always delete the current twofactor remember token here if it exists
+                    if device.twofactor_remember.is_some() {
+                        device.delete_twofactor_remember();
+                        // We need to save here, since we send a err_json!() which prevents saving `device` at a later stage
+                        device.save(true, conn).await?;
+                    }
                    err_json!(
-                        _json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
-                        "2FA Remember token not provided"
+                        json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
+                        "2FA Remember token not provided or expired"
                    )
                }
            }
@@ -807,24 +883,24 @@ async fn twofactor_auth(

    TwoFactorIncomplete::mark_complete(&user.uuid, &device.uuid, conn).await?;

+    let remember = data.two_factor_remember.unwrap_or(0);
    let two_factor = if !CONFIG.disable_2fa_remember() && remember == 1 {
        Some(device.refresh_twofactor_remember())
    } else {
-        device.delete_twofactor_remember();
        None
    };
    Ok(two_factor)
 }

-fn _selected_data(tf: Option<TwoFactor>) -> ApiResult<String> {
+fn selected_data(tf: Option<TwoFactor>) -> ApiResult<String> {
    tf.map(|t| t.data).map_res("Two factor doesn't exist")
 }

-async fn _json_err_twofactor(
+async fn json_err_twofactor(
    providers: &[i32],
    user_id: &UserId,
    data: &ConnectData,
-    client_version: &Option<ClientVersion>,
+    client_version: Option<&ClientVersion>,
    conn: &DbConn,
 ) -> ApiResult<Value> {
    let mut result = json!({
@@ -841,42 +917,38 @@ async fn _json_err_twofactor(
        result["TwoFactorProviders2"][provider.to_string()] = Value::Null;

        match TwoFactorType::from_i32(*provider) {
-            Some(TwoFactorType::Authenticator) => { /* Nothing to do for TOTP */ }
-
-            Some(TwoFactorType::Webauthn) if CONFIG.domain_set() => {
+            Some(TwoFactorType::Webauthn) if CONFIG.is_webauthn_2fa_supported() => {
                let request = webauthn::generate_webauthn_login(user_id, conn).await?;
                result["TwoFactorProviders2"][provider.to_string()] = request.0;
            }

            Some(TwoFactorType::Duo) => {
-                let email = match User::find_by_uuid(user_id, conn).await {
-                    Some(u) => u.email,
-                    None => err!("User does not exist"),
+                let email = if let Some(u) = User::find_by_uuid(user_id, conn).await {
+                    u.email
+                } else {
+                    err!("User does not exist")
                };

-                match CONFIG.duo_use_iframe() {
-                    true => {
-                        // Legacy iframe prompt flow
-                        let (signature, host) = duo::generate_duo_signature(&email, conn).await?;
-                        result["TwoFactorProviders2"][provider.to_string()] = json!({
-                            "Host": host,
-                            "Signature": signature,
-                        })
-                    }
-                    false => {
-                        // OIDC based flow
-                        let auth_url = duo_oidc::get_duo_auth_url(
-                            &email,
-                            data.client_id.as_ref().unwrap(),
-                            data.device_identifier.as_ref().unwrap(),
-                            conn,
-                        )
-                        .await?;
+                if CONFIG.duo_use_iframe() {
+                    // Legacy iframe prompt flow
+                    let (signature, host) = duo::generate_duo_signature(&email, conn).await?;
+                    result["TwoFactorProviders2"][provider.to_string()] = json!({
+                        "Host": host,
+                        "Signature": signature,
+                    });
+                } else {
+                    // OIDC based flow
+                    let auth_url = duo_oidc::get_duo_auth_url(
+                        &email,
+                        data.client_id.as_ref().unwrap(),
+                        data.device_identifier.as_ref().unwrap(),
+                        conn,
+                    )
+                    .await?;

-                        result["TwoFactorProviders2"][provider.to_string()] = json!({
-                            "AuthUrl": auth_url,
-                        })
-                    }
+                    result["TwoFactorProviders2"][provider.to_string()] = json!({
+                        "AuthUrl": auth_url,
+                    });
                }
            }

@@ -889,7 +961,7 @@ async fn _json_err_twofactor(

                result["TwoFactorProviders2"][provider.to_string()] = json!({
                    "Nfc": yubikey_metadata.nfc,
-                })
+                });
            }

            Some(tf_type @ TwoFactorType::Email) => {
@@ -907,16 +979,30 @@ async fn _json_err_twofactor(

                // Send email immediately if email is the only 2FA option.
                if providers.len() == 1 && !disabled_send {
-                    email::send_token(user_id, conn).await?
+                    email::send_token(user_id, conn).await?;
                }

                let email_data = email::EmailTokenData::from_json(&twofactor.data)?;
                result["TwoFactorProviders2"][provider.to_string()] = json!({
                    "Email": email::obscure_email(&email_data.email),
-                })
+                });
            }

-            _ => {}
+            None
+            | Some(
+                TwoFactorType::Authenticator
+                | TwoFactorType::EmailVerificationChallenge
+                | TwoFactorType::OrganizationDuo
+                | TwoFactorType::ProtectedActions
+                | TwoFactorType::RecoveryCode
+                | TwoFactorType::Remember
+                | TwoFactorType::U2f
+                | TwoFactorType::U2fLoginChallenge
+                | TwoFactorType::U2fRegisterChallenge
+                | TwoFactorType::Webauthn
+                | TwoFactorType::WebauthnLoginChallenge
+                | TwoFactorType::WebauthnRegisterChallenge,
+            ) => { /* Nothing special to do for these providers */ }
        }
    }

@@ -924,13 +1010,18 @@ async fn _json_err_twofactor(
 }

 #[post("/accounts/prelogin", data = "<data>")]
-async fn prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
-    _prelogin(data, conn).await
+async fn post_prelogin(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
+    prelogin(data, conn).await
+}
+
+#[post("/accounts/prelogin/password", data = "<data>")]
+async fn prelogin_password(data: Json<PreloginData>, conn: DbConn) -> Json<Value> {
+    prelogin(data, conn).await
 }

 #[post("/accounts/register", data = "<data>")]
 async fn identity_register(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
-    _register(data, false, conn).await
+    register(data, false, conn).await
 }

 #[derive(Debug, Deserialize)]
@@ -969,14 +1060,13 @@ async fn register_verification_email(

    if should_send_mail {
        let user = User::find_by_mail(&data.email, &conn).await;
-        if user.filter(|u| u.private_key.is_some()).is_some() {
+        if user.as_ref().is_some_and(|u| u.private_key.is_some()) {
            // There is still a timing side channel here in that the code
-            // paths that send mail take noticeably longer than ones that
-            // don't. Add a randomized sleep to mitigate this somewhat.
-            use rand::{rngs::SmallRng, Rng, SeedableRng};
-            let mut rng = SmallRng::from_os_rng();
-            let delta: i32 = 100;
-            let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
+            // paths that send mail take noticeably longer than ones that don't.
+            // Add a randomized sleep to mitigate this somewhat.
+            use rand::{RngExt, rngs::SmallRng};
+            let mut rng: SmallRng = rand::make_rng();
+            let sleep_ms: u64 = rng.random_range(900..=1100);
            tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
        } else {
            mail::send_register_verify_email(&data.email, &token).await?;
@@ -992,7 +1082,7 @@ async fn register_verification_email(

 #[post("/accounts/register/finish", data = "<data>")]
 async fn register_finish(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
-    _register(data, true, conn).await
+    register(data, true, conn).await
 }

 // https://github.com/bitwarden/jslib/blob/master/common/src/models/request/tokenRequest.ts
@@ -1051,11 +1141,11 @@ struct ConnectData {

    // Needed for authorization code
    #[field(name = uncased("code"))]
-    code: Option<OIDCState>,
+    code: Option<OIDCCode>,
    #[field(name = uncased("code_verifier"))]
    code_verifier: Option<OIDCCodeVerifier>,
 }
-fn _check_is_some<T>(value: &Option<T>, msg: &str) -> EmptyResult {
+fn check_is_some<T>(value: Option<&T>, msg: &str) -> EmptyResult {
    if value.is_none() {
        err!(msg)
    }
@@ -1074,33 +1164,32 @@ fn prevalidate() -> JsonResult {
    }
 }

+const SSO_BINDING_COOKIE: &str = "VW_SSO_BINDING";
+
 #[get("/connect/oidc-signin?<code>&<state>", rank = 1)]
-async fn oidcsignin(code: OIDCCode, state: String, mut conn: DbConn) -> ApiResult<Redirect> {
-    _oidcsignin_redirect(
-        state,
-        OIDCCodeWrapper::Ok {
-            code,
-        },
-        &mut conn,
-    )
-    .await
+async fn oidcsignin(code: OIDCCode, state: String, cookies: &CookieJar<'_>, mut conn: DbConn) -> ApiResult<Redirect> {
+    oidcsignin_redirect(state, code, None, cookies, &mut conn).await
 }

-// Bitwarden client appear to only care for code and state so we pipe it through
-// cf: https://github.com/bitwarden/clients/blob/80b74b3300e15b4ae414dc06044cc9b02b6c10a6/libs/auth/src/angular/sso/sso.component.ts#L141
+// Bitwarden client appear to only care for code and state
+// We save the error in the database and set the encoded state as the code to be able to retrieve them later on
+// cf: https://github.com/bitwarden/clients/blob/afd36d290ce18fb0048e0575e7d5a8f78b5dbffc/libs/auth/src/angular/sso/sso.component.ts#L156
 #[get("/connect/oidc-signin?<state>&<error>&<error_description>", rank = 2)]
 async fn oidcsignin_error(
    state: String,
    error: String,
    error_description: Option<String>,
+    cookies: &CookieJar<'_>,
    mut conn: DbConn,
 ) -> ApiResult<Redirect> {
-    _oidcsignin_redirect(
-        state,
-        OIDCCodeWrapper::Error {
+    oidcsignin_redirect(
+        state.clone(),
+        state.into(),
+        Some(OIDCCodeResponseError {
            error,
            error_description,
-        },
+        }),
+        cookies,
        &mut conn,
    )
    .await
@@ -1109,18 +1198,32 @@ async fn oidcsignin_error(
 // The state was encoded using Base64 to ensure no issue with providers.
 // iss and scope parameters are needed for redirection to work on IOS.
 // We pass the state as the code to get it back later on.
-async fn _oidcsignin_redirect(
+async fn oidcsignin_redirect(
    base64_state: String,
-    code_response: OIDCCodeWrapper,
+    code: OIDCCode,
+    error: Option<OIDCCodeResponseError>,
+    cookies: &CookieJar<'_>,
    conn: &mut DbConn,
 ) -> ApiResult<Redirect> {
    let state = sso::decode_state(&base64_state)?;

-    let mut sso_auth = match SsoAuth::find(&state, conn).await {
-        None => err!(format!("Cannot retrieve sso_auth for {state}")),
-        Some(sso_auth) => sso_auth,
+    let Some(mut sso_auth) = SsoAuth::find(&state, conn).await else {
+        err!(format!("Cannot retrieve sso_auth for {state}"))
    };
-    sso_auth.code_response = Some(code_response);
+
+    // Browser-binding check
+    // The cookie was set on /connect/authorize and must come from the same browser that initiated the flow.
+    let cookie_value = cookies.get(SSO_BINDING_COOKIE).map(|c| c.value().to_owned());
+    let provided_hash = cookie_value.as_deref().map(|v| crypto::sha256_hex(v.as_bytes()));
+    match (sso_auth.binding_hash.as_deref(), provided_hash.as_deref()) {
+        (Some(expected), Some(actual)) if crypto::ct_eq(expected, actual) => {}
+        _ => err!(format!("SSO session binding mismatch for {state}")),
+    }
+    cookies
+        .remove(Cookie::build(SSO_BINDING_COOKIE).path(format!("{}/identity/connect/", CONFIG.domain_path())).build());
+
+    sso_auth.code_response = Some(code.clone());
+    sso_auth.code_response_error = error;
    sso_auth.updated_at = Utc::now().naive_utc();
    sso_auth.save(conn).await?;

@@ -1130,7 +1233,7 @@ async fn _oidcsignin_redirect(
    };

    url.query_pairs_mut()
-        .append_pair("code", &state)
+        .append_pair("code", &code)
        .append_pair("state", &state)
        .append_pair("scope", &AuthMethod::Sso.scope())
        .append_pair("iss", &CONFIG.domain());
@@ -1166,7 +1269,7 @@ struct AuthorizeData {

 // The `redirect_uri` will change depending of the client (web, android, ios ..)
 #[get("/connect/authorize?<data..>")]
-async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult<Redirect> {
+async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure, conn: DbConn) -> ApiResult<Redirect> {
    let AuthorizeData {
        client_id,
        redirect_uri,
@@ -1180,7 +1283,23 @@ async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult<Redirect> {
        err!("Unsupported code challenge method");
    }

-    let auth_url = sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, conn).await?;
+    // Generate browser-binding token. Stored hashed in DB; raw value handed to the browser as a cookie.
+    // Validated on /connect/oidc-signin
+    let binding_token = data_encoding::BASE64URL_NOPAD.encode(&crypto::get_random_bytes::<32>());
+    let binding_hash = crypto::sha256_hex(binding_token.as_bytes());
+
+    let auth_url =
+        sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, Some(binding_hash), conn).await?;
+
+    cookies.add(
+        Cookie::build((SSO_BINDING_COOKIE, binding_token))
+            .path(format!("{}/identity/connect/", CONFIG.domain_path()))
+            .max_age(time::Duration::seconds(sso::SSO_AUTH_EXPIRATION.num_seconds()))
+            .same_site(SameSite::Lax) // Lax is needed because the IdP runs on a different FQDN
+            .http_only(true)
+            .secure(secure.https)
+            .build(),
+    );

    Ok(Redirect::temporary(String::from(auth_url)))
 }
@@ -32,11 +32,13 @@ pub use crate::api::{
    web::routes as web_routes,
    web::static_files,
 };
-use crate::db::{
-    models::{OrgPolicy, OrgPolicyType, User},
-    DbConn,
+use crate::{
+    CONFIG,
+    db::{
+        DbConn,
+        models::{OrgPolicy, OrgPolicyType, User},
+    },
 };
-use crate::CONFIG;

 // Type aliases for API methods results
 pub type ApiResult<T> = Result<T, crate::error::Error>;
@@ -74,6 +76,7 @@ impl PasswordOrOtpData {
    }
 }

+#[expect(clippy::struct_excessive_bools, reason = "Bitwarden clients expect the data in this specific format")]
 #[derive(Debug, Default, Deserialize, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct MasterPasswordPolicy {
@@ -6,17 +6,22 @@ use std::{

 use chrono::{NaiveDateTime, Utc};
 use rmpv::Value;
-use rocket::{futures::StreamExt, Route};
+use rocket::{Route, futures::StreamExt};
 use rocket_ws::{Message, WebSocket};
 use tokio::sync::mpsc::Sender;

 use crate::{
+    CONFIG, Error,
    auth::{ClientIp, WsAccessTokenHeader},
    db::{
-        models::{AuthRequestId, Cipher, CollectionId, Device, DeviceId, Folder, PushId, Send as DbSend, User, UserId},
        DbConn,
+        models::{AuthRequestId, Cipher, CollectionId, Device, DeviceId, Folder, PushId, Send as DbSend, User, UserId},
    },
-    Error, CONFIG,
+};
+
+use super::{
+    push::push_auth_request, push::push_auth_response, push_cipher_update, push_folder_update, push_logout,
+    push_send_update, push_user_update,
 };

 pub static WS_USERS: LazyLock<Arc<WebSocketUsers>> = LazyLock::new(|| {
@@ -31,11 +36,6 @@ pub static WS_ANONYMOUS_SUBSCRIPTIONS: LazyLock<Arc<AnonymousWebSocketSubscripti
    })
 });

-use super::{
-    push::push_auth_request, push::push_auth_response, push_cipher_update, push_folder_update, push_logout,
-    push_send_update, push_user_update,
-};
-
 static NOTIFICATIONS_DISABLED: LazyLock<bool> = LazyLock::new(|| !CONFIG.enable_websocket() && !CONFIG.push_enabled());

 pub fn routes() -> Vec<Route> {
@@ -102,7 +102,7 @@ impl Drop for WSAnonymousEntryMapGuard {
    }
 }

-#[allow(tail_expr_drop_order)]
+#[expect(tail_expr_drop_order)]
 #[get("/hub?<data..>")]
 fn websockets_hub<'r>(
    ws: WebSocket,
@@ -186,7 +186,7 @@ fn websockets_hub<'r>(
    })
 }

-#[allow(tail_expr_drop_order)]
+#[expect(tail_expr_drop_order)]
 #[get("/anonymous-hub?<token..>")]
 fn anonymous_websockets_hub<'r>(ws: WebSocket, token: String, ip: ClientIp) -> Result<rocket_ws::Stream!['r], Error> {
    info!("Accepting Anonymous Rocket WS connection from {}", ip.ip);
@@ -268,14 +268,15 @@ fn serialize(val: &Value) -> Vec<u8> {
    let mut len_buf: Vec<u8> = Vec::new();

    loop {
-        let mut size_part = size & 0x7f;
+        #[expect(clippy::cast_possible_truncation, reason = "masked to 7 bits, fits u8")]
+        let mut size_part = (size & 0x7f) as u8;
        size >>= 7;

        if size > 0 {
            size_part |= 0x80;
        }

-        len_buf.push(size_part as u8);
+        len_buf.push(size_part);

        if size == 0 {
            break;
@@ -329,7 +330,7 @@ pub struct WebSocketUsers {
 impl WebSocketUsers {
    async fn send_update(&self, user_id: &UserId, data: &[u8]) {
        if let Some(user) = self.map.get(user_id.as_ref()).map(|v| v.clone()) {
-            for (_, sender) in user.iter() {
+            for (_, sender) in &user {
                if let Err(e) = sender.send(Message::binary(data)).await {
                    error!("Error sending WS update {e}");
                }
@@ -338,7 +339,7 @@ impl WebSocketUsers {
    }

    // NOTE: The last modified date needs to be updated before calling these methods
-    pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: &Option<PushId>, conn: &DbConn) {
+    pub async fn send_user_update(&self, ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
        // Skip any processing if both WebSockets and Push are not active
        if *NOTIFICATIONS_DISABLED {
            return;
@@ -358,15 +359,16 @@ impl WebSocketUsers {
        }
    }

-    pub async fn send_logout(&self, user: &User, acting_device_id: Option<DeviceId>, conn: &DbConn) {
+    pub async fn send_logout(&self, user: &User, acting_device: Option<&Device>, conn: &DbConn) {
        // Skip any processing if both WebSockets and Push are not active
        if *NOTIFICATIONS_DISABLED {
            return;
        }
+        let acting_device_id = acting_device.map(|d| d.uuid.clone());
        let data = create_update(
            vec![("UserId".into(), user.uuid.to_string().into()), ("Date".into(), serialize_date(user.updated_at))],
            UpdateType::LogOut,
-            acting_device_id.clone(),
+            acting_device_id,
        );

        if CONFIG.enable_websocket() {
@@ -374,7 +376,7 @@ impl WebSocketUsers {
        }

        if CONFIG.push_enabled() {
-            push_logout(user, acting_device_id.clone(), conn).await;
+            push_logout(user, acting_device, conn).await;
        }
    }

@@ -537,10 +539,10 @@ pub struct AnonymousWebSocketSubscriptions {

 impl AnonymousWebSocketSubscriptions {
    async fn send_update(&self, token: &str, data: &[u8]) {
-        if let Some(sender) = self.map.get(token).map(|v| v.clone()) {
-            if let Err(e) = sender.send(Message::binary(data)).await {
-                error!("Error sending WS update {e}");
-            }
+        if let Some(sender) = self.map.get(token).map(|v| v.clone())
+            && let Err(e) = sender.send(Message::binary(data)).await
+        {
+            error!("Error sending WS update {e}");
        }
    }

@@ -581,7 +583,7 @@ fn create_update(payload: Vec<(Value, Value)>, ut: UpdateType, acting_device_id:
        V::Nil,
        "ReceiveMessage".into(),
        V::Array(vec![V::Map(vec![
-            ("ContextId".into(), acting_device_id.map(|v| v.to_string().into()).unwrap_or_else(|| V::Nil)),
+            ("ContextId".into(), acting_device_id.map_or(V::Nil, |v| v.to_string().into())),
            ("Type".into(), (ut as i32).into()),
            ("Payload".into(), payload.into()),
        ])]),
@@ -4,21 +4,21 @@ use std::{
 };

 use reqwest::{
-    header::{ACCEPT, AUTHORIZATION, CONTENT_TYPE},
    Method,
+    header::{ACCEPT, AUTHORIZATION, CONTENT_TYPE},
 };
 use serde_json::Value;
 use tokio::sync::RwLock;

 use crate::{
+    CONFIG,
    api::{ApiResult, EmptyResult, UpdateType},
    db::{
-        models::{AuthRequestId, Cipher, Device, DeviceId, Folder, PushId, Send, User, UserId},
        DbConn,
+        models::{AuthRequestId, Cipher, Device, Folder, PushId, Send, User, UserId},
    },
    http_client::make_http_request,
    util::{format_date, get_uuid},
-    CONFIG,
 };

 #[derive(Deserialize)]
@@ -74,9 +74,9 @@ async fn get_auth_api_token() -> ApiResult<String> {
    };

    let mut api_token = API_TOKEN.write().await;
-    api_token.valid_until = Instant::now()
-        .checked_add(Duration::new((json_pushtoken.expires_in / 2) as u64, 0)) // Token valid for half the specified time
-        .unwrap();
+    // Token valid for half the specified time
+    let half_expires_in = u64::from((json_pushtoken.expires_in / 2).max(0).cast_unsigned());
+    api_token.valid_until = Instant::now().checked_add(Duration::from_secs(half_expires_in)).unwrap();

    api_token.access_token = json_pushtoken.access_token;

@@ -135,7 +135,7 @@ pub async fn register_push_device(device: &mut Device, conn: &DbConn) -> EmptyRe
    Ok(())
 }

-pub async fn unregister_push_device(push_id: &Option<PushId>) -> EmptyResult {
+pub async fn unregister_push_device(push_id: Option<&PushId>) -> EmptyResult {
    if !CONFIG.push_enabled() || push_id.is_none() {
        return Ok(());
    }
@@ -161,7 +161,7 @@ pub async fn push_cipher_update(ut: UpdateType, cipher: &Cipher, device: &Device
    // We shouldn't send a push notification on cipher update if the cipher belongs to an organization, this isn't implemented in the upstream server too.
    if cipher.organization_uuid.is_some() {
        return;
-    };
+    }
    let Some(user_id) = &cipher.user_uuid else {
        debug!("Cipher has no uuid");
        return;
@@ -188,15 +188,13 @@ pub async fn push_cipher_update(ut: UpdateType, cipher: &Cipher, device: &Device
    }
 }

-pub async fn push_logout(user: &User, acting_device_id: Option<DeviceId>, conn: &DbConn) {
-    let acting_device_id: Value = acting_device_id.map(|v| v.to_string().into()).unwrap_or_else(|| Value::Null);
-
+pub async fn push_logout(user: &User, acting_device: Option<&Device>, conn: &DbConn) {
    if Device::check_user_has_push_device(&user.uuid, conn).await {
        tokio::task::spawn(send_to_push_relay(json!({
            "userId": user.uuid,
            "organizationId": (),
-            "deviceId": acting_device_id,
-            "identifier": acting_device_id,
+            "deviceId": acting_device.and_then(|d| d.push_uuid.as_ref()),
+            "identifier": acting_device.map(|d| &d.uuid),
            "type": UpdateType::LogOut as i32,
            "payload": {
                "userId": user.uuid,
@@ -208,7 +206,7 @@ pub async fn push_logout(user: &User, acting_device_id: Option<DeviceId>, conn:
    }
 }

-pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: &Option<PushId>, conn: &DbConn) {
+pub async fn push_user_update(ut: UpdateType, user: &User, push_uuid: Option<&PushId>, conn: &DbConn) {
    if Device::check_user_has_push_device(&user.uuid, conn).await {
        tokio::task::spawn(send_to_push_relay(json!({
            "userId": user.uuid,
@@ -246,23 +244,23 @@ pub async fn push_folder_update(ut: UpdateType, folder: &Folder, device: &Device
 }

 pub async fn push_send_update(ut: UpdateType, send: &Send, device: &Device, conn: &DbConn) {
-    if let Some(s) = &send.user_uuid {
-        if Device::check_user_has_push_device(s, conn).await {
-            tokio::task::spawn(send_to_push_relay(json!({
+    if let Some(s) = &send.user_uuid
+        && Device::check_user_has_push_device(s, conn).await
+    {
+        tokio::task::spawn(send_to_push_relay(json!({
+            "userId": send.user_uuid,
+            "organizationId": null,
+            "deviceId": device.push_uuid, // Should be the records unique uuid of the acting device (unique uuid per user/device)
+            "identifier": device.uuid, // Should be the acting device id (aka uuid per device/app)
+            "type": ut as i32,
+            "payload": {
+                "id": send.uuid,
                "userId": send.user_uuid,
-                "organizationId": null,
-                "deviceId": device.push_uuid, // Should be the records unique uuid of the acting device (unique uuid per user/device)
-                "identifier": device.uuid, // Should be the acting device id (aka uuid per device/app)
-                "type": ut as i32,
-                "payload": {
-                    "id": send.uuid,
-                    "userId": send.user_uuid,
-                    "revisionDate": format_date(&send.revision_date)
-                },
-                "clientType": null,
-                "installationId": null
-            })));
-        }
+                "revisionDate": format_date(&send.revision_date)
+            },
+            "clientType": null,
+            "installationId": null
+        })));
    }
 }

@@ -298,7 +296,7 @@ async fn send_to_push_relay(notification_data: Value) {
        .await
    {
        error!("An error occurred while sending a send update to the push relay: {e}");
-    };
+    }
 }

 pub async fn push_auth_request(user_id: &UserId, auth_request_id: &str, device: &Device, conn: &DbConn) {
@@ -1,21 +1,24 @@
 use std::path::{Path, PathBuf};

 use rocket::{
+    Catcher, Route,
    fs::NamedFile,
    http::ContentType,
-    response::{content::RawCss as Css, content::RawHtml as Html, Redirect},
+    response::{Redirect, content::RawCss as Css, content::RawHtml as Html},
    serde::json::Json,
-    Catcher, Route,
 };
 use serde_json::Value;

 use crate::{
-    api::{core::now, ApiResult, EmptyResult},
+    CONFIG,
+    api::{ApiResult, EmptyResult, core::now},
    auth::decode_file_download,
-    db::models::{AttachmentId, CipherId},
+    db::{
+        DbConn,
+        models::{AttachmentId, CipherId},
+    },
    error::Error,
    util::Cached,
-    CONFIG,
 };

 pub fn routes() -> Vec<Route> {
@@ -23,12 +26,20 @@ pub fn routes() -> Vec<Route> {
    // crate::utils::LOGGED_ROUTES to make sure they appear in the log
    let mut routes = routes![attachments, alive, alive_head, static_files];
    if CONFIG.web_vault_enabled() {
-        routes.append(&mut routes![web_index, web_index_direct, web_index_head, app_id, web_files, vaultwarden_css]);
+        routes.append(&mut routes![
+            web_index,
+            web_index_direct,
+            web_index_head,
+            app_id,
+            apple_app_site_association,
+            web_files,
+            vaultwarden_css
+        ]);
    }

    #[cfg(debug_assertions)]
    if CONFIG.reload_templates() {
-        routes.append(&mut routes![_static_files_dev]);
+        routes.append(&mut routes![static_files_dev]);
    }

    routes
@@ -60,6 +71,7 @@ fn vaultwarden_css() -> Cached<Css<String>> {
        "mail_2fa_enabled": CONFIG._enable_email_2fa(),
        "mail_enabled": CONFIG.mail_enabled(),
        "sends_allowed": CONFIG.sends_allowed(),
+        "remember_2fa_disabled": CONFIG.disable_2fa_remember(),
        "password_hints_allowed": CONFIG.password_hints_allowed(),
        "signup_disabled": CONFIG.is_signup_disabled(),
        "sso_enabled": CONFIG.sso_enabled(),
@@ -159,6 +171,24 @@ fn app_id() -> Cached<(ContentType, Json<Value>)> {
    )
 }

+#[get("/.well-known/apple-app-site-association")]
+fn apple_app_site_association() -> Cached<(ContentType, Json<Value>)> {
+    Cached::long(
+        (
+            ContentType::JSON,
+            Json(json!({
+                "webcredentials": {
+                    "apps": [
+                        "LTZ2PFU5D6.com.8bit.bitwarden",
+                        "LTZ2PFU5D6.com.8bit.bitwarden.beta"
+                    ]
+                }
+            })),
+        ),
+        true,
+    )
+}
+
 #[get("/<p..>", rank = 10)] // Only match this if the other routes don't match
 async fn web_files(p: PathBuf) -> Cached<Option<NamedFile>> {
    Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join(p)).await.ok(), true)
@@ -177,7 +207,6 @@ async fn attachments(cipher_id: CipherId, file_id: AttachmentId, token: String)
 }

 // We use DbConn here to let the alive healthcheck also verify the database connection.
-use crate::db::DbConn;
 #[get("/alive")]
 fn alive(_conn: DbConn) -> Json<String> {
    now()
@@ -196,7 +225,7 @@ fn alive_head(_conn: DbConn) -> EmptyResult {
 // NOTE: Do not forget to add any new files added to the `static_files` function below!
 #[cfg(debug_assertions)]
 #[get("/vw_static/<filename>", rank = 1)]
-pub async fn _static_files_dev(filename: PathBuf) -> Option<NamedFile> {
+pub async fn static_files_dev(filename: PathBuf) -> Option<NamedFile> {
    warn!("LOADING STATIC FILES FROM DISK");
    let file = filename.to_str().unwrap_or_default();
    let ext = filename.extension().unwrap_or_default();
@@ -209,7 +238,7 @@ pub async fn _static_files_dev(filename: PathBuf) -> Option<NamedFile> {

    if let Ok(path) = path {
        return NamedFile::open(path).await.ok();
-    };
+    }
    None
 }

@@ -239,8 +268,8 @@ pub fn static_files(filename: &str) -> Result<(ContentType, &'static [u8]), Erro
        "jdenticon-3.3.0.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jdenticon-3.3.0.js"))),
        "datatables.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/datatables.js"))),
        "datatables.css" => Ok((ContentType::CSS, include_bytes!("../static/scripts/datatables.css"))),
-        "jquery-3.7.1.slim.js" => {
-            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-3.7.1.slim.js")))
+        "jquery-4.0.0.slim.js" => {
+            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-4.0.0.slim.js")))
        }
        _ => err!(format!("Static file not found: {filename}")),
    }
@@ -5,21 +5,30 @@ use std::{
 };

 use chrono::{DateTime, TimeDelta, Utc};
-use jsonwebtoken::{errors::ErrorKind, Algorithm, DecodingKey, EncodingKey, Header};
+use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, errors::ErrorKind};
 use num_traits::FromPrimitive;
 use openssl::rsa::Rsa;
-use serde::de::DeserializeOwned;
-use serde::ser::Serialize;
+use serde::{de::DeserializeOwned, ser::Serialize};
+
+use rocket::{
+    outcome::try_outcome,
+    request::{FromRequest, Outcome, Request},
+};

 use crate::{
+    CONFIG,
    api::ApiResult,
    config::PathType,
-    db::models::{
-        AttachmentId, CipherId, CollectionId, DeviceId, DeviceType, EmergencyAccessId, MembershipId, OrgApiKeyId,
-        OrganizationId, SendFileId, SendId, UserId,
+    db::{
+        DbConn,
+        models::{
+            AttachmentId, CipherId, Collection, CollectionId, Device, DeviceId, DeviceType, EmergencyAccessId,
+            Membership, MembershipId, MembershipStatus, MembershipType, OrgApiKeyId, OrganizationId, SendFileId,
+            SendId, User, UserId, UserStampException,
+        },
    },
    error::Error,
-    sso, CONFIG,
+    sso,
 };

 const JWT_ALGORITHM: Algorithm = Algorithm::RS256;
@@ -46,21 +55,18 @@ static JWT_FILE_DOWNLOAD_ISSUER: LazyLock<String> =
    LazyLock::new(|| format!("{}|file_download", CONFIG.domain_origin()));
 static JWT_REGISTER_VERIFY_ISSUER: LazyLock<String> =
    LazyLock::new(|| format!("{}|register_verify", CONFIG.domain_origin()));
+static JWT_2FA_REMEMBER_ISSUER: LazyLock<String> = LazyLock::new(|| format!("{}|2faremember", CONFIG.domain_origin()));

 static PRIVATE_RSA_KEY: OnceLock<EncodingKey> = OnceLock::new();
 static PUBLIC_RSA_KEY: OnceLock<DecodingKey> = OnceLock::new();

 pub async fn initialize_keys() -> Result<(), Error> {
-    use std::io::Error;
+    use std::io::Error as IoError;

-    let rsa_key_filename = std::path::PathBuf::from(CONFIG.private_rsa_key())
-        .file_name()
-        .ok_or_else(|| Error::other("Private RSA key path missing filename"))?
-        .to_str()
-        .ok_or_else(|| Error::other("Private RSA key path filename is not valid UTF-8"))?
-        .to_string();
+    let rsa_key_filename = crate::storage::file_name(&CONFIG.private_rsa_key())
+        .ok_or_else(|| IoError::other("Private RSA key path missing filename"))?;

-    let operator = CONFIG.opendal_operator_for_path_type(&PathType::RsaKey).map_err(Error::other)?;
+    let operator = CONFIG.opendal_operator_for_path_type(&PathType::RsaKey).map_err(IoError::other)?;

    let priv_key_buffer = match operator.read(&rsa_key_filename).await {
        Ok(buffer) => Some(buffer),
@@ -160,6 +166,10 @@ pub fn decode_register_verify(token: &str) -> Result<RegisterVerifyClaims, Error
    decode_jwt(token, JWT_REGISTER_VERIFY_ISSUER.to_string())
 }

+pub fn decode_2fa_remember(token: &str) -> Result<TwoFactorRememberClaims, Error> {
+    decode_jwt(token, JWT_2FA_REMEMBER_ISSUER.to_string())
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct LoginJwtClaims {
    // Not before
@@ -225,7 +235,7 @@ impl LoginJwtClaims {
        // let orgmanager: Vec<_> = orgs.iter().filter(|o| o.atype == 3).map(|o| o.org_uuid.clone()).collect();

        if exp <= (now + *BW_EXPIRATION).timestamp() {
-            warn!("Raise access_token lifetime to more than 5min.")
+            warn!("Raise access_token lifetime to more than 5min.");
        }

        // Create the JWT claims struct, to send to the client
@@ -252,7 +262,7 @@ impl LoginJwtClaims {
            sstamp: user.security_stamp.clone(),
            device: device.uuid.clone(),
            devicetype: DeviceType::from_i32(device.atype).to_string(),
-            client_id: client_id.unwrap_or("undefined".to_string()),
+            client_id: client_id.unwrap_or("undefined".to_owned()),
            scope,
            amr: vec!["Application".into()],
        }
@@ -440,6 +450,31 @@ pub fn generate_register_verify_claims(email: String, name: Option<String>, veri
    }
 }

+#[derive(Serialize, Deserialize)]
+pub struct TwoFactorRememberClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: DeviceId,
+    // UserId
+    pub user_uuid: UserId,
+}
+
+pub fn generate_2fa_remember_claims(device_uuid: DeviceId, user_uuid: UserId) -> TwoFactorRememberClaims {
+    let time_now = Utc::now();
+    TwoFactorRememberClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + TimeDelta::try_days(30).unwrap()).timestamp(),
+        iss: JWT_2FA_REMEMBER_ISSUER.to_string(),
+        sub: device_uuid,
+        user_uuid,
+    }
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct BasicJwtClaims {
    // Not before
@@ -480,7 +515,7 @@ pub fn generate_admin_claims() -> BasicJwtClaims {
        nbf: time_now.timestamp(),
        exp: (time_now + TimeDelta::try_minutes(CONFIG.admin_session_lifetime()).unwrap()).timestamp(),
        iss: JWT_ADMIN_ISSUER.to_string(),
-        sub: "admin_panel".to_string(),
+        sub: "admin_panel".to_owned(),
    }
 }

@@ -497,16 +532,6 @@ pub fn generate_send_claims(send_id: &SendId, file_id: &SendFileId) -> BasicJwtC
 //
 // Bearer token authentication
 //
-use rocket::{
-    outcome::try_outcome,
-    request::{FromRequest, Outcome, Request},
-};
-
-use crate::db::{
-    models::{Collection, Device, Membership, MembershipStatus, MembershipType, User, UserStampException},
-    DbConn,
-};
-
 pub struct Host {
    pub host: String,
 }
@@ -522,7 +547,7 @@ impl<'r> FromRequest<'r> for Host {
        let host = if CONFIG.domain_set() {
            CONFIG.domain()
        } else if let Some(referer) = headers.get_one("Referer") {
-            referer.to_string()
+            referer.to_owned()
        } else {
            // Try to guess from the headers
            let protocol = if let Some(proto) = headers.get_one("X-Forwarded-Proto") {
@@ -558,13 +583,15 @@ impl<'r> FromRequest<'r> for ClientHeaders {
    type Error = &'static str;

    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
-        let ip = match ClientIp::from_request(request).await {
-            Outcome::Success(ip) => ip,
-            _ => err_handler!("Error getting Client IP"),
+        let Outcome::Success(ip) = ClientIp::from_request(request).await else {
+            err_handler!("Error getting Client IP")
        };
-        // When unknown or unable to parse, return 14, which is 'Unknown Browser'
-        let device_type: i32 =
-            request.headers().get_one("device-type").map(|d| d.parse().unwrap_or(14)).unwrap_or_else(|| 14);
+        // When unknown or unable to parse, return 'UnknownBrowser'
+        let device_type: i32 = request
+            .headers()
+            .get_one("device-type")
+            .and_then(|d| d.parse().ok())
+            .unwrap_or(DeviceType::UnknownBrowser as i32);

        Outcome::Success(ClientHeaders {
            device_type,
@@ -588,18 +615,19 @@ impl<'r> FromRequest<'r> for Headers {
        let headers = request.headers();

        let host = try_outcome!(Host::from_request(request).await).host;
-        let ip = match ClientIp::from_request(request).await {
-            Outcome::Success(ip) => ip,
-            _ => err_handler!("Error getting Client IP"),
+        let Outcome::Success(ip) = ClientIp::from_request(request).await else {
+            err_handler!("Error getting Client IP")
        };

        // Get access_token
-        let access_token: &str = match headers.get_one("Authorization") {
-            Some(a) => match a.rsplit("Bearer ").next() {
-                Some(split) => split,
-                None => err_handler!("No access token provided"),
-            },
-            None => err_handler!("No access token provided"),
+        let access_token: &str = if let Some(a) = headers.get_one("Authorization") {
+            if let Some(split) = a.rsplit("Bearer ").next() {
+                split
+            } else {
+                err_handler!("No access token provided")
+            }
+        } else {
+            err_handler!("No access token provided")
        };

        // Check JWT token is valid and get device and user from it
@@ -610,9 +638,8 @@ impl<'r> FromRequest<'r> for Headers {
        let device_id = claims.device;
        let user_id = claims.sub;

-        let conn = match DbConn::from_request(request).await {
-            Outcome::Success(conn) => conn,
-            _ => err_handler!("Error getting DB"),
+        let Outcome::Success(conn) = DbConn::from_request(request).await else {
+            err_handler!("Error getting DB")
        };

        let Some(device) = Device::find_by_uuid_and_user(&device_id, &user_id, &conn).await else {
@@ -643,7 +670,7 @@ impl<'r> FromRequest<'r> for Headers {
                        error!("Error updating user: {e:#?}");
                    }
                    err_handler!("Stamp exception is expired")
-                } else if !stamp_exception.routes.contains(&current_route.to_string()) {
+                } else if !stamp_exception.routes.contains(&current_route.to_owned()) {
                    err_handler!("Invalid security stamp: Current route and exception route do not match")
                } else if stamp_exception.security_stamp != claims.sstamp {
                    err_handler!("Invalid security stamp for matched stamp exception")
@@ -674,10 +701,9 @@ pub struct OrgHeaders {

 impl OrgHeaders {
    fn is_member(&self) -> bool {
-        // NOTE: we don't care about MembershipStatus at the moment because this is only used
-        // where an invited, accepted or confirmed user is expected if this ever changes or
-        // if from_i32 is changed to return Some(Revoked) this check needs to be changed accordingly
-        self.membership_type >= MembershipType::User
+        // Only allow not revoked members, we can not use the Confirmed status here
+        // as some endpoints can be triggered by invited users during joining
+        self.membership_status != MembershipStatus::Revoked && self.membership_type >= MembershipType::User
    }
    fn is_confirmed_and_admin(&self) -> bool {
        self.membership_status == MembershipStatus::Confirmed && self.membership_type >= MembershipType::Admin
@@ -690,6 +716,36 @@ impl OrgHeaders {
    }
 }

+// org_id is usually the second path param ("/organizations/<org_id>"),
+// but there are cases where it is a query value.
+// First check the path, if this is not a valid uuid, try the query values.
+fn get_org_id(request: &Request<'_>) -> Option<OrganizationId> {
+    if let Some(Ok(org_id)) = request.param::<OrganizationId>(1) {
+        Some(org_id)
+    } else if let Some(Ok(org_id)) = request.query_value::<OrganizationId>("organizationId") {
+        Some(org_id)
+    } else {
+        None
+    }
+}
+
+// Special Guard to ensure that there is an organization id present
+// If there is no org id trigger the Outcome::Forward.
+// This is useful for endpoints which work for both organization and personal vaults, like purge.
+pub struct OrgIdGuard;
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for OrgIdGuard {
+    type Error = &'static str;
+
+    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
+        match get_org_id(request) {
+            Some(_) => Outcome::Success(OrgIdGuard),
+            None => Outcome::Forward(rocket::http::Status::NotFound),
+        }
+    }
+}
+
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for OrgHeaders {
    type Error = &'static str;
@@ -697,24 +753,13 @@ impl<'r> FromRequest<'r> for OrgHeaders {
    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(Headers::from_request(request).await);

-        // org_id is usually the second path param ("/organizations/<org_id>"),
-        // but there are cases where it is a query value.
-        // First check the path, if this is not a valid uuid, try the query values.
-        let url_org_id: Option<OrganizationId> = {
-            if let Some(Ok(org_id)) = request.param::<OrganizationId>(1) {
-                Some(org_id)
-            } else if let Some(Ok(org_id)) = request.query_value::<OrganizationId>("organizationId") {
-                Some(org_id)
-            } else {
-                None
-            }
-        };
+        // Extract the org_id from the request
+        let url_org_id = get_org_id(request);

        match url_org_id {
            Some(org_id) if uuid::Uuid::parse_str(&org_id).is_ok() => {
-                let conn = match DbConn::from_request(request).await {
-                    Outcome::Success(conn) => conn,
-                    _ => err_handler!("Error getting DB"),
+                let Outcome::Success(conn) = DbConn::from_request(request).await else {
+                    err_handler!("Error getting DB")
                };

                let user = headers.user;
@@ -786,16 +831,16 @@ impl<'r> FromRequest<'r> for AdminHeaders {
 // but there could be cases where it is a query value.
 // First check the path, if this is not a valid uuid, try the query values.
 fn get_col_id(request: &Request<'_>) -> Option<CollectionId> {
-    if let Some(Ok(col_id)) = request.param::<String>(3) {
-        if uuid::Uuid::parse_str(&col_id).is_ok() {
-            return Some(col_id.into());
-        }
+    if let Some(Ok(col_id)) = request.param::<String>(3)
+        && uuid::Uuid::parse_str(&col_id).is_ok()
+    {
+        return Some(col_id.into());
    }

-    if let Some(Ok(col_id)) = request.query_value::<String>("collectionId") {
-        if uuid::Uuid::parse_str(&col_id).is_ok() {
-            return Some(col_id.into());
-        }
+    if let Some(Ok(col_id)) = request.query_value::<String>("collectionId")
+        && uuid::Uuid::parse_str(&col_id).is_ok()
+    {
+        return Some(col_id.into());
    }

    None
@@ -819,18 +864,16 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(OrgHeaders::from_request(request).await);
        if headers.is_confirmed_and_manager() {
-            match get_col_id(request) {
-                Some(col_id) => {
-                    let conn = match DbConn::from_request(request).await {
-                        Outcome::Success(conn) => conn,
-                        _ => err_handler!("Error getting DB"),
-                    };
+            if let Some(col_id) = get_col_id(request) {
+                let Outcome::Success(conn) = DbConn::from_request(request).await else {
+                    err_handler!("Error getting DB")
+                };

-                    if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await {
-                        err_handler!("The current user isn't a manager for this collection")
-                    }
+                if !Collection::is_coll_manageable_by_user(&col_id, &headers.membership.user_uuid, &conn).await {
+                    err_handler!("The current user isn't a manager for this collection")
                }
-                _ => err_handler!("Error getting the collection id"),
+            } else {
+                err_handler!("Error getting the collection id")
            }

            Outcome::Success(Self {
@@ -908,8 +951,8 @@ impl ManagerHeaders {
            if uuid::Uuid::parse_str(col_id.as_ref()).is_err() {
                err!("Collection Id is malformed!");
            }
-            if !Collection::can_access_collection(&h.membership, col_id, conn).await {
-                err!("You don't have access to all collections!");
+            if !Collection::is_coll_manageable_by_user(col_id, &h.membership.user_uuid, conn).await {
+                err!("Collection not found", "The current user isn't a manager for this collection")
            }
        }

@@ -991,7 +1034,7 @@ impl From<OrgMemberHeaders> for Headers {
 //
 // Client IP address detection
 //
-
+#[derive(Copy, Clone)]
 pub struct ClientIp {
    pub ip: IpAddr,
 }
@@ -1023,6 +1066,7 @@ impl<'r> FromRequest<'r> for ClientIp {
    }
 }

+#[derive(Copy, Clone)]
 pub struct Secure {
    pub https: bool,
 }
@@ -1108,15 +1152,14 @@ pub enum AuthMethod {
 impl AuthMethod {
    pub fn scope(&self) -> String {
        match self {
-            AuthMethod::OrgApiKey => "api.organization".to_string(),
-            AuthMethod::Password => "api offline_access".to_string(),
-            AuthMethod::Sso => "api offline_access".to_string(),
-            AuthMethod::UserApiKey => "api".to_string(),
+            AuthMethod::OrgApiKey => "api.organization".to_owned(),
+            AuthMethod::UserApiKey => "api".to_owned(),
+            AuthMethod::Password | AuthMethod::Sso => "api offline_access".to_owned(),
        }
    }

    pub fn scope_vec(&self) -> Vec<String> {
-        self.scope().split_whitespace().map(str::to_string).collect()
+        self.scope().split_whitespace().map(str::to_owned).collect()
    }

    pub fn check_scope(&self, scope: Option<&String>) -> ApiResult<String> {
@@ -1229,17 +1272,15 @@ pub async fn refresh_tokens(
    };

    // Get device by refresh token
-    let mut device = match Device::find_by_refresh_token(&refresh_claims.device_token, conn).await {
-        None => err!("Invalid refresh token"),
-        Some(device) => device,
+    let Some(mut device) = Device::find_by_refresh_token(&refresh_claims.device_token, conn).await else {
+        err!("Invalid refresh token")
    };

    // Save to update `updated_at`.
    device.save(true, conn).await?;

-    let user = match User::find_by_uuid(&device.user_uuid, conn).await {
-        None => err!("Impossible to find user"),
-        Some(user) => user,
+    let Some(user) = User::find_by_uuid(&device.user_uuid, conn).await else {
+        err!("Impossible to find user")
    };

    let auth_tokens = match refresh_claims.sub {
@@ -3,8 +3,8 @@ use std::{
    fmt,
    process::exit,
    sync::{
-        atomic::{AtomicBool, Ordering},
        LazyLock, RwLock,
+        atomic::{AtomicBool, Ordering},
    },
 };

@@ -14,23 +14,23 @@ use serde::de::{self, Deserialize, Deserializer, MapAccess, Visitor};

 use crate::{
    error::Error,
-    util::{get_active_web_release, get_env, get_env_bool, is_valid_email, parse_experimental_client_feature_flags},
+    storage,
+    util::{
+        FeatureFlagFilter, get_active_web_release, get_env, get_env_bool, is_valid_email,
+        parse_experimental_client_feature_flags,
+    },
 };

 static CONFIG_FILE: LazyLock<String> = LazyLock::new(|| {
    let data_folder = get_env("DATA_FOLDER").unwrap_or_else(|| String::from("data"));
-    get_env("CONFIG_FILE").unwrap_or_else(|| format!("{data_folder}/config.json"))
+    get_env("CONFIG_FILE").unwrap_or_else(|| storage::join_path(&data_folder, "config.json"))
 });

-static CONFIG_FILE_PARENT_DIR: LazyLock<String> = LazyLock::new(|| {
-    let path = std::path::PathBuf::from(&*CONFIG_FILE);
-    path.parent().unwrap_or(std::path::Path::new("data")).to_str().unwrap_or("data").to_string()
-});
+static CONFIG_FILE_PARENT_DIR: LazyLock<String> =
+    LazyLock::new(|| storage::parent(&CONFIG_FILE).unwrap_or_else(|| "data".to_owned()));

-static CONFIG_FILENAME: LazyLock<String> = LazyLock::new(|| {
-    let path = std::path::PathBuf::from(&*CONFIG_FILE);
-    path.file_name().unwrap_or(std::ffi::OsStr::new("config.json")).to_str().unwrap_or("config.json").to_string()
-});
+static CONFIG_FILENAME: LazyLock<String> =
+    LazyLock::new(|| storage::file_name(&CONFIG_FILE).unwrap_or_else(|| "config.json".to_owned()));

 pub static SKIP_CONFIG_VALIDATION: AtomicBool = AtomicBool::new(false);

@@ -260,7 +260,7 @@ macro_rules! make_config {
            }

            async fn from_file() -> Result<Self, Error> {
-                let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+                let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
                let config_bytes = operator.read(&CONFIG_FILENAME).await?;
                println!("[INFO] Using saved config from `{}` for configuration.\n", *CONFIG_FILE);
                serde_json::from_slice(&config_bytes.to_vec()).map_err(Into::into)
@@ -360,13 +360,7 @@ macro_rules! make_config {
            )+)+

            pub fn prepare_json(&self) -> serde_json::Value {
-                let (def, cfg, overridden) = {
-                    // Lock the inner as short as possible and clone what is needed to prevent deadlocks
-                    let inner = &self.inner.read().unwrap();
-                    (inner._env.build(), inner.config.clone(), inner._overrides.clone())
-                };
-
-                fn _get_form_type(rust_type: &'static str) -> &'static str {
+                fn get_form_type(rust_type: &'static str) -> &'static str {
                    match rust_type {
                        "Pass" => "password",
                        "String" => "text",
@@ -375,7 +369,7 @@ macro_rules! make_config {
                    }
                }

-                fn _get_doc(doc_str: &'static str) -> ElementDoc {
+                fn get_doc(doc_str: &'static str) -> ElementDoc {
                    let mut split = doc_str.split("|>").map(str::trim);
                    ElementDoc {
                        name: split.next().unwrap_or_default(),
@@ -383,6 +377,12 @@ macro_rules! make_config {
                    }
                }

+                let (def, cfg, overridden) = {
+                    // Lock the inner as short as possible and clone what is needed to prevent deadlocks
+                    let inner = &self.inner.read().unwrap();
+                    (inner._env.build(), inner.config.clone(), inner._overrides.clone())
+                };
+
                let data: Vec<GroupData> = vec![
                $( // This repetition is for each group
                    GroupData {
@@ -397,8 +397,8 @@ macro_rules! make_config {
                                name: stringify!($name),
                                value: serde_json::to_value(&cfg.$name).unwrap_or_default(),
                                default: serde_json::to_value(&def.$name).unwrap_or_default(),
-                                r#type: _get_form_type(stringify!($ty)),
-                                doc: _get_doc(concat!($($doc),+)),
+                                r#type: get_form_type(stringify!($ty)),
+                                doc: get_doc(concat!($($doc),+)),
                                overridden: overridden.contains(&pastey::paste!(stringify!([<$name:upper>]))),
                            },
                        )+], // End of elements repetition
@@ -408,9 +408,31 @@ macro_rules! make_config {
            }

            pub fn get_support_json(&self) -> serde_json::Value {
+                /// We map over the string and remove all alphanumeric, _ and - characters.
+                /// This is the fastest way (within micro-seconds) instead of using a regex (which takes mili-seconds)
+                fn privacy_mask(value: &str) -> String {
+                    let mut n: u16 = 0;
+                    let mut colon_match = false;
+                    value
+                        .chars()
+                        .map(|c| {
+                            n += 1;
+                            match c {
+                                ':' if n <= 11 => {
+                                    colon_match = true;
+                                    c
+                                }
+                                '/' if n <= 13 && colon_match => c,
+                                ',' => c,
+                                _ => '*',
+                            }
+                        })
+                        .collect::<String>()
+                }
+
                // Define which config keys need to be masked.
                // Pass types will always be masked and no need to put them in the list.
-                // Besides Pass, only String types will be masked via _privacy_mask.
+                // Besides Pass, only String types will be masked via privacy_mask.
                const PRIVACY_CONFIG: &[&str] = &[
                    "allowed_connect_src",
                    "allowed_iframe_ancestors",
@@ -437,28 +459,6 @@ macro_rules! make_config {
                    inner.config.clone()
                };

-                /// We map over the string and remove all alphanumeric, _ and - characters.
-                /// This is the fastest way (within micro-seconds) instead of using a regex (which takes mili-seconds)
-                fn _privacy_mask(value: &str) -> String {
-                    let mut n: u16 = 0;
-                    let mut colon_match = false;
-                    value
-                        .chars()
-                        .map(|c| {
-                            n += 1;
-                            match c {
-                                ':' if n <= 11 => {
-                                    colon_match = true;
-                                    c
-                                }
-                                '/' if n <= 13 && colon_match => c,
-                                ',' => c,
-                                _ => '*',
-                            }
-                        })
-                        .collect::<String>()
-                }
-
                serde_json::Value::Object({
                    let mut json = serde_json::Map::new();
                    $($(
@@ -468,7 +468,7 @@ macro_rules! make_config {
                    for mask_key in PRIVACY_CONFIG {
                        if let Some(value) = json.get_mut(*mask_key) {
                            if let Some(s) = value.as_str() {
-                                *value = _privacy_mask(s).into();
+                                *value = privacy_mask(s).into();
                            }
                        }
                    }
@@ -502,23 +502,23 @@ macro_rules! make_config {
 make_config! {
    folders {
        ///  Data folder |> Main data folder
-        data_folder:            String, false,  def,    "data".to_string();
+        data_folder:            String, false,  def,    "data".to_owned();
        /// Database URL
-        database_url:           String, false,  auto,   |c| format!("{}/db.sqlite3", c.data_folder);
+        database_url:           String, false,  auto,   |c| format!("sqlite://{}", storage::join_path(&c.data_folder, "db.sqlite3"));
        /// Icon cache folder
-        icon_cache_folder:      String, false,  auto,   |c| format!("{}/icon_cache", c.data_folder);
+        icon_cache_folder:      String, false,  auto,   |c| storage::join_path(&c.data_folder, "icon_cache");
        /// Attachments folder
-        attachments_folder:     String, false,  auto,   |c| format!("{}/attachments", c.data_folder);
+        attachments_folder:     String, false,  auto,   |c| storage::join_path(&c.data_folder, "attachments");
        /// Sends folder
-        sends_folder:           String, false,  auto,   |c| format!("{}/sends", c.data_folder);
+        sends_folder:           String, false,  auto,   |c| storage::join_path(&c.data_folder, "sends");
        /// Temp folder |> Used for storing temporary file uploads
-        tmp_folder:             String, false,  auto,   |c| format!("{}/tmp", c.data_folder);
+        tmp_folder:             String, false,  auto,   |c| storage::join_path(&c.data_folder, "tmp");
        /// Templates folder
-        templates_folder:       String, false,  auto,   |c| format!("{}/templates", c.data_folder);
+        templates_folder:       String, false,  auto,   |c| storage::join_path(&c.data_folder, "templates");
        /// Session JWT key
-        rsa_key_filename:       String, false,  auto,   |c| format!("{}/rsa_key", c.data_folder);
+        rsa_key_filename:       String, false,  auto,   |c| storage::join_path(&c.data_folder, "rsa_key");
        /// Web vault folder
-        web_vault_folder:       String, false,  def,    "web-vault/".to_string();
+        web_vault_folder:       String, false,  def,    "web-vault/".to_owned();
    },
    ws {
        /// Enable websocket notifications
@@ -528,9 +528,9 @@ make_config! {
        /// Enable push notifications
        push_enabled:           bool,   false,  def,    false;
        /// Push relay uri
-        push_relay_uri:         String, false,  def,    "https://push.bitwarden.com".to_string();
+        push_relay_uri:         String, false,  def,    "https://push.bitwarden.com".to_owned();
        /// Push identity uri
-        push_identity_uri:      String, false,  def,    "https://identity.bitwarden.com".to_string();
+        push_identity_uri:      String, false,  def,    "https://identity.bitwarden.com".to_owned();
        /// Installation id |> The installation id from https://bitwarden.com/host
        push_installation_id:   Pass,   false,  def,    String::new();
        /// Installation key |> The installation key from https://bitwarden.com/host
@@ -542,38 +542,38 @@ make_config! {
        job_poll_interval_ms:   u64,    false,  def,    30_000;
        /// Send purge schedule |> Cron schedule of the job that checks for Sends past their deletion date.
        /// Defaults to hourly. Set blank to disable this job.
-        send_purge_schedule:    String, false,  def,    "0 5 * * * *".to_string();
+        send_purge_schedule:    String, false,  def,    "0 5 * * * *".to_owned();
        /// Trash purge schedule |> Cron schedule of the job that checks for trashed items to delete permanently.
        /// Defaults to daily. Set blank to disable this job.
-        trash_purge_schedule:   String, false,  def,    "0 5 0 * * *".to_string();
+        trash_purge_schedule:   String, false,  def,    "0 5 0 * * *".to_owned();
        /// Incomplete 2FA login schedule |> Cron schedule of the job that checks for incomplete 2FA logins.
        /// Defaults to once every minute. Set blank to disable this job.
-        incomplete_2fa_schedule: String, false,  def,   "30 * * * * *".to_string();
+        incomplete_2fa_schedule: String, false,  def,   "30 * * * * *".to_owned();
        /// Emergency notification reminder schedule |> Cron schedule of the job that sends expiration reminders to emergency access grantors.
        /// Defaults to hourly. (3 minutes after the hour) Set blank to disable this job.
-        emergency_notification_reminder_schedule:   String, false,  def,    "0 3 * * * *".to_string();
+        emergency_notification_reminder_schedule:   String, false,  def,    "0 3 * * * *".to_owned();
        /// Emergency request timeout schedule |> Cron schedule of the job that grants emergency access requests that have met the required wait time.
        /// Defaults to hourly. (7 minutes after the hour) Set blank to disable this job.
-        emergency_request_timeout_schedule:   String, false,  def,    "0 7 * * * *".to_string();
+        emergency_request_timeout_schedule:   String, false,  def,    "0 7 * * * *".to_owned();
        /// Event cleanup schedule |> Cron schedule of the job that cleans old events from the event table.
        /// Defaults to daily. Set blank to disable this job.
-        event_cleanup_schedule:   String, false,  def,    "0 10 0 * * *".to_string();
+        event_cleanup_schedule:   String, false,  def,    "0 10 0 * * *".to_owned();
        /// Auth Request cleanup schedule |> Cron schedule of the job that cleans old auth requests from the auth request.
        /// Defaults to every minute. Set blank to disable this job.
-        auth_request_purge_schedule:   String, false,  def,    "30 * * * * *".to_string();
+        auth_request_purge_schedule:   String, false,  def,    "30 * * * * *".to_owned();
        /// Duo Auth context cleanup schedule |> Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
        /// Defaults to once every minute. Set blank to disable this job.
-        duo_context_purge_schedule:   String, false,  def,    "30 * * * * *".to_string();
+        duo_context_purge_schedule:   String, false,  def,    "30 * * * * *".to_owned();
        /// Purge incomplete SSO auth. |> Cron schedule of the job that cleans leftover auth in db due to incomplete SSO login.
        /// Defaults to daily. Set blank to disable this job.
-        purge_incomplete_sso_auth: String, false,  def,   "0 20 0 * * *".to_string();
+        purge_incomplete_sso_auth: String, false,  def,   "0 20 0 * * *".to_owned();
    },

    /// General settings
    settings {
        /// Domain URL |> This needs to be set to the URL used to access the server, including 'http[s]://'
        /// and port, if it's different than the default. Some server functions don't work correctly without this value
-        domain:                 String, true,   def,    "http://localhost".to_string();
+        domain:                 String, true,   def,    "http://localhost".to_owned();
        /// Domain Set |> Indicates if the domain is set by the admin. Otherwise the default will be used.
        domain_set:             bool,   false,  def,    false;
        /// Domain origin |> Domain URL origin (in https://example.com:8443/path, https://example.com:8443 is the origin)
@@ -653,7 +653,7 @@ make_config! {
        admin_token:            Pass,   true,   option;

        /// Invitation organization name |> Name shown in the invitation emails that don't come from a specific organization
-        invitation_org_name:    String, true,   def,    "Vaultwarden".to_string();
+        invitation_org_name:    String, true,   def,    "Vaultwarden".to_owned();

        /// Events days retain |> Number of days to retain events stored in the database. If unset, events are kept indefinitely.
        events_days_retain:     i64,    false,   option;
@@ -663,7 +663,7 @@ make_config! {
    advanced {
        /// Client IP header |> If not present, the remote IP is used.
        /// Set to the string "none" (without quotes), to disable any headers and just use the remote IP
-        ip_header:              String, true,   def,    "X-Real-IP".to_string();
+        ip_header:              String, true,   def,    "X-Real-IP".to_owned();
        /// Internal IP header property, used to avoid recomputing each time
        _ip_header_enabled:     bool,   false,  generated,    |c| &c.ip_header.trim().to_lowercase() != "none";
        /// Icon service |> The predefined icon services are: internal, bitwarden, duckduckgo, google.
@@ -672,7 +672,7 @@ make_config! {
        /// `internal` refers to Vaultwarden's built-in icon fetching implementation. If an external
        /// service is set, an icon request to Vaultwarden will return an HTTP redirect to the
        /// corresponding icon at the external service.
-        icon_service:           String, false,  def,    "internal".to_string();
+        icon_service:           String, false,  def,    "internal".to_owned();
        /// _icon_service_url
        _icon_service_url:      String, false,  generated,    |c| generate_icon_service_url(&c.icon_service);
        /// _icon_service_csp
@@ -723,14 +723,14 @@ make_config! {
        /// Enable extended logging
        extended_logging:       bool,   false,  def,    true;
        /// Log timestamp format
-        log_timestamp_format:   String, true,   def,    "%Y-%m-%d %H:%M:%S.%3f".to_string();
+        log_timestamp_format:   String, true,   def,    "%Y-%m-%d %H:%M:%S.%3f".to_owned();
        /// Enable the log to output to Syslog
        use_syslog:             bool,   false,  def,    false;
        /// Log file path
        log_file:               String, false,  option;
        /// Log level |> Valid values are "trace", "debug", "info", "warn", "error" and "off"
        /// For a specific module append it as a comma separated value "info,path::to::module=debug"
-        log_level:              String, false,  def,    "info".to_string();
+        log_level:              String, false,  def,    "info".to_owned();

        /// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using vaultwarden on some exotic filesystems,
        /// that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
@@ -812,7 +812,7 @@ make_config! {
        /// Authority Server |> Base url of the OIDC provider discovery endpoint (without `/.well-known/openid-configuration`)
        sso_authority:                  String, true,   def,    String::new();
        /// Authorization request scopes |> List the of the needed scope (`openid` is implicit)
-        sso_scopes:                     String, true,  def,   "email profile".to_string();
+        sso_scopes:                     String, true,  def,   "email profile".to_owned();
        /// Authorization request extra parameters
        sso_authorize_extra_params:     String, true,  def,    String::new();
        /// Use PKCE during Authorization flow
@@ -880,7 +880,7 @@ make_config! {
        /// From Address
        smtp_from:                     String, true,   def,     String::new();
        /// From Name
-        smtp_from_name:                String, true,   def,     "Vaultwarden".to_string();
+        smtp_from_name:                String, true,   def,     "Vaultwarden".to_owned();
        /// Username
        smtp_username:                 String, true,   option;
        /// Password
@@ -920,16 +920,19 @@ make_config! {
    },
 }

-fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
+fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> {
    // Validate connection URL is valid and DB feature is enabled
    #[cfg(sqlite)]
    {
        use crate::db::DbConnType;
        let url = &cfg.database_url;
-        if DbConnType::from_url(url)? == DbConnType::Sqlite && url.contains('/') {
-            let path = std::path::Path::new(&url);
-            if let Some(parent) = path.parent() {
-                if !parent.is_dir() {
+        if DbConnType::from_url(url)? == DbConnType::Sqlite {
+            let file_path = url.strip_prefix("sqlite://").unwrap_or(url);
+            if file_path.contains('/') {
+                let path = std::path::Path::new(file_path);
+                if let Some(parent) = path.parent()
+                    && !parent.is_dir()
+                {
                    err!(format!(
                        "SQLite database directory `{}` does not exist or is not a directory",
                        parent.display()
@@ -956,10 +959,10 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        err!(format!("`DATABASE_MIN_CONNS` must be smaller than or equal to `DATABASE_MAX_CONNS`.",));
    }

-    if let Some(log_file) = &cfg.log_file {
-        if std::fs::OpenOptions::new().append(true).create(true).open(log_file).is_err() {
-            err!("Unable to write to log file", log_file);
-        }
+    if let Some(log_file) = &cfg.log_file
+        && std::fs::OpenOptions::new().append(true).create(true).open(log_file).is_err()
+    {
+        err!("Unable to write to log file", log_file);
    }

    let dom = cfg.domain.to_lowercase();
@@ -972,7 +975,9 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
    let connect_src = cfg.allowed_connect_src.to_lowercase();
    for url in connect_src.split_whitespace() {
        if !url.starts_with("https://") || Url::parse(url).is_err() {
-            err!("ALLOWED_CONNECT_SRC variable contains one or more invalid URLs. Only FQDN's starting with https are allowed");
+            err!(
+                "ALLOWED_CONNECT_SRC variable contains one or more invalid URLs. Only FQDN's starting with https are allowed"
+            );
        }
    }

@@ -988,11 +993,12 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        err!("`ORG_CREATION_USERS` contains invalid email addresses");
    }

-    if let Some(ref token) = cfg.admin_token {
-        if token.trim().is_empty() && !cfg.disable_admin_token {
-            println!("[WARNING] `ADMIN_TOKEN` is enabled but has an empty value, so the admin page will be disabled.");
-            println!("[WARNING] To enable the admin page without a token, use `DISABLE_ADMIN_TOKEN`.");
-        }
+    if let Some(ref token) = cfg.admin_token
+        && token.trim().is_empty()
+        && !cfg.disable_admin_token
+    {
+        println!("[WARNING] `ADMIN_TOKEN` is enabled but has an empty value, so the admin page will be disabled.");
+        println!("[WARNING] To enable the admin page without a token, use `DISABLE_ADMIN_TOKEN`.");
    }

    if cfg.push_enabled && (cfg.push_installation_id == String::new() || cfg.push_installation_key == String::new()) {
@@ -1026,53 +1032,41 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        }
    }

-    // Server (v2025.6.2): https://github.com/bitwarden/server/blob/d094be3267f2030bd0dc62106bc6871cf82682f5/src/Core/Constants.cs#L103
-    // Client (web-v2025.6.1): https://github.com/bitwarden/clients/blob/747c2fd6a1c348a57a76e4a7de8128466ffd3c01/libs/common/src/enums/feature-flag.enum.ts#L12
-    // Android (v2025.6.0): https://github.com/bitwarden/android/blob/b5b022caaad33390c31b3021b2c1205925b0e1a2/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L22
-    // iOS (v2025.6.0): https://github.com/bitwarden/ios/blob/ff06d9c6cc8da89f78f37f376495800201d7261a/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
-    //
-    // NOTE: Move deprecated flags to the utils::parse_experimental_client_feature_flags() DEPRECATED_FLAGS const!
-    const KNOWN_FLAGS: &[&str] = &[
-        // Autofill Team
-        "inline-menu-positioning-improvements",
-        "inline-menu-totp",
-        "ssh-agent",
-        // Key Management Team
-        "ssh-key-vault-item",
-        "pm-25373-windows-biometrics-v2",
-        // Tools
-        "export-attachments",
-        // Mobile Team
-        "anon-addy-self-host-alias",
-        "simple-login-self-host-alias",
-        "mutual-tls",
-    ];
-    let configured_flags = parse_experimental_client_feature_flags(&cfg.experimental_client_feature_flags);
-    let invalid_flags: Vec<_> = configured_flags.keys().filter(|flag| !KNOWN_FLAGS.contains(&flag.as_str())).collect();
+    let invalid_flags = parse_experimental_client_feature_flags(
+        &cfg.experimental_client_feature_flags,
+        &FeatureFlagFilter::InvalidOnly,
+    );
    if !invalid_flags.is_empty() {
-        err!(format!("Unrecognized experimental client feature flags: {invalid_flags:?}.\n\n\
+        let feature_flags_error = format!(
+            "Unrecognized experimental client feature flags: {invalid_flags:?}.\n\
                     Please ensure all feature flags are spelled correctly and that they are supported in this version.\n\
-                     Supported flags: {KNOWN_FLAGS:?}"));
+                     Supported flags: {SUPPORTED_FEATURE_FLAGS:?}\n"
+        );
+        if on_update {
+            err!(feature_flags_error);
+        }
+        println!("[WARNING] {feature_flags_error}");
    }

+    #[expect(clippy::items_after_statements, reason = "Keep this close to where it is used")]
    const MAX_FILESIZE_KB: i64 = i64::MAX >> 10;

-    if let Some(limit) = cfg.user_attachment_limit {
-        if !(0i64..=MAX_FILESIZE_KB).contains(&limit) {
-            err!("`USER_ATTACHMENT_LIMIT` is out of bounds");
-        }
+    if let Some(limit) = cfg.user_attachment_limit
+        && !(0i64..=MAX_FILESIZE_KB).contains(&limit)
+    {
+        err!("`USER_ATTACHMENT_LIMIT` is out of bounds");
    }

-    if let Some(limit) = cfg.org_attachment_limit {
-        if !(0i64..=MAX_FILESIZE_KB).contains(&limit) {
-            err!("`ORG_ATTACHMENT_LIMIT` is out of bounds");
-        }
+    if let Some(limit) = cfg.org_attachment_limit
+        && !(0i64..=MAX_FILESIZE_KB).contains(&limit)
+    {
+        err!("`ORG_ATTACHMENT_LIMIT` is out of bounds");
    }

-    if let Some(limit) = cfg.user_send_limit {
-        if !(0i64..=MAX_FILESIZE_KB).contains(&limit) {
-            err!("`USER_SEND_LIMIT` is out of bounds");
-        }
+    if let Some(limit) = cfg.user_send_limit
+        && !(0i64..=MAX_FILESIZE_KB).contains(&limit)
+    {
+        err!("`USER_SEND_LIMIT` is out of bounds");
    }

    if cfg._enable_duo
@@ -1089,7 +1083,7 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {

        validate_internal_sso_issuer_url(&cfg.sso_authority)?;
        validate_internal_sso_redirect_url(&cfg.sso_callback_path)?;
-        validate_sso_master_password_policy(&cfg.sso_master_password_policy)?;
+        validate_sso_master_password_policy(cfg.sso_master_password_policy.as_ref())?;
    }

    if cfg._enable_yubico {
@@ -1100,7 +1094,9 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        if let Some(yubico_server) = &cfg.yubico_server {
            let yubico_server = yubico_server.to_lowercase();
            if !yubico_server.starts_with("https://") {
-                err!("`YUBICO_SERVER` must be a valid URL and start with 'https://'. Either unset this variable or provide a valid URL.")
+                err!(
+                    "`YUBICO_SERVER` must be a valid URL and start with 'https://'. Either unset this variable or provide a valid URL."
+                )
            }
        }
    }
@@ -1152,7 +1148,9 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
            }

            if cfg.smtp_username.is_some() != cfg.smtp_password.is_some() {
-                err!("Both `SMTP_USERNAME` and `SMTP_PASSWORD` need to be set to enable email authentication without `USE_SENDMAIL`")
+                err!(
+                    "Both `SMTP_USERNAME` and `SMTP_PASSWORD` need to be set to enable email authentication without `USE_SENDMAIL`"
+                )
            }
        }

@@ -1284,7 +1282,7 @@ fn validate_internal_sso_redirect_url(sso_callback_path: &String) -> Result<open
 }

 fn validate_sso_master_password_policy(
-    sso_master_password_policy: &Option<String>,
+    sso_master_password_policy: Option<&String>,
 ) -> Result<Option<serde_json::Value>, Error> {
    let policy = sso_master_password_policy.as_ref().map(|mpp| serde_json::from_str::<serde_json::Value>(mpp));

@@ -1313,7 +1311,7 @@ fn extract_url_origin(url: &str) -> String {
 /// All trailing '/' chars are trimmed, even if the path is a lone '/'.
 fn extract_url_path(url: &str) -> String {
    match Url::parse(url) {
-        Ok(u) => u.path().trim_end_matches('/').to_string(),
+        Ok(u) => u.path().trim_end_matches('/').to_owned(),
        Err(_) => {
            // We already print it in the method above, no need to do it again
            String::new()
@@ -1323,7 +1321,7 @@ fn extract_url_path(url: &str) -> String {

 fn generate_smtp_img_src(embed_images: bool, domain: &str) -> String {
    if embed_images {
-        "cid:".to_string()
+        "cid:".to_owned()
    } else {
        // normalize base_url
        let base_url = domain.trim_end_matches('/');
@@ -1342,10 +1340,10 @@ fn generate_sso_callback_path(domain: &str) -> String {
 fn generate_icon_service_url(icon_service: &str) -> String {
    match icon_service {
        "internal" => String::new(),
-        "bitwarden" => "https://icons.bitwarden.net/{}/icon.png".to_string(),
-        "duckduckgo" => "https://icons.duckduckgo.com/ip3/{}.ico".to_string(),
-        "google" => "https://www.google.com/s2/favicons?domain={}&sz=32".to_string(),
-        _ => icon_service.to_string(),
+        "bitwarden" => "https://icons.bitwarden.net/{}/icon.png".to_owned(),
+        "duckduckgo" => "https://icons.duckduckgo.com/ip3/{}.ico".to_owned(),
+        "google" => "https://www.google.com/s2/favicons?domain={}&sz=32".to_owned(),
+        _ => icon_service.to_owned(),
    }
 }

@@ -1354,7 +1352,7 @@ fn generate_icon_service_csp(icon_service: &str, icon_service_url: &str) -> Stri
    // We split on the first '{', since that is the variable delimiter for an icon service URL.
    // Everything up until the first '{' should be fixed and can be used as an CSP string.
    let csp_string = match icon_service_url.split_once('{') {
-        Some((c, _)) => c.to_string(),
+        Some((c, _)) => c.to_owned(),
        None => String::new(),
    };

@@ -1371,96 +1369,12 @@ fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option<bool>, smtp_explicit_tls
        println!("[DEPRECATED]: `SMTP_SSL` or `SMTP_EXPLICIT_TLS` is set. Please use `SMTP_SECURITY` instead.");
    }
    if smtp_explicit_tls.is_some() && smtp_explicit_tls.unwrap() {
-        return "force_tls".to_string();
+        return "force_tls".to_owned();
    } else if smtp_ssl.is_some() && !smtp_ssl.unwrap() {
-        return "off".to_string();
+        return "off".to_owned();
    }
    // Return the default `starttls` in all other cases
-    "starttls".to_string()
-}
-
-fn opendal_operator_for_path(path: &str) -> Result<opendal::Operator, Error> {
-    // Cache of previously built operators by path
-    static OPERATORS_BY_PATH: LazyLock<dashmap::DashMap<String, opendal::Operator>> =
-        LazyLock::new(dashmap::DashMap::new);
-
-    if let Some(operator) = OPERATORS_BY_PATH.get(path) {
-        return Ok(operator.clone());
-    }
-
-    let operator = if path.starts_with("s3://") {
-        #[cfg(not(s3))]
-        return Err(opendal::Error::new(opendal::ErrorKind::ConfigInvalid, "S3 support is not enabled").into());
-
-        #[cfg(s3)]
-        opendal_s3_operator_for_path(path)?
-    } else {
-        let builder = opendal::services::Fs::default().root(path);
-        opendal::Operator::new(builder)?.finish()
-    };
-
-    OPERATORS_BY_PATH.insert(path.to_string(), operator.clone());
-
-    Ok(operator)
-}
-
-#[cfg(s3)]
-fn opendal_s3_operator_for_path(path: &str) -> Result<opendal::Operator, Error> {
-    use crate::http_client::aws::AwsReqwestConnector;
-    use aws_config::{default_provider::credentials::DefaultCredentialsChain, provider_config::ProviderConfig};
-
-    // This is a custom AWS credential loader that uses the official AWS Rust
-    // SDK config crate to load credentials. This ensures maximum compatibility
-    // with AWS credential configurations. For example, OpenDAL doesn't support
-    // AWS SSO temporary credentials yet.
-    struct OpenDALS3CredentialLoader {}
-
-    #[async_trait]
-    impl reqsign::AwsCredentialLoad for OpenDALS3CredentialLoader {
-        async fn load_credential(&self, _client: reqwest::Client) -> anyhow::Result<Option<reqsign::AwsCredential>> {
-            use aws_credential_types::provider::ProvideCredentials as _;
-            use tokio::sync::OnceCell;
-
-            static DEFAULT_CREDENTIAL_CHAIN: OnceCell<DefaultCredentialsChain> = OnceCell::const_new();
-
-            let chain = DEFAULT_CREDENTIAL_CHAIN
-                .get_or_init(|| {
-                    let reqwest_client = reqwest::Client::builder().build().unwrap();
-                    let connector = AwsReqwestConnector {
-                        client: reqwest_client,
-                    };
-
-                    let conf = ProviderConfig::default().with_http_client(connector);
-
-                    DefaultCredentialsChain::builder().configure(conf).build()
-                })
-                .await;
-
-            let creds = chain.provide_credentials().await?;
-
-            Ok(Some(reqsign::AwsCredential {
-                access_key_id: creds.access_key_id().to_string(),
-                secret_access_key: creds.secret_access_key().to_string(),
-                session_token: creds.session_token().map(|s| s.to_string()),
-                expires_in: creds.expiry().map(|expiration| expiration.into()),
-            }))
-        }
-    }
-
-    const OPEN_DAL_S3_CREDENTIAL_LOADER: OpenDALS3CredentialLoader = OpenDALS3CredentialLoader {};
-
-    let url = Url::parse(path).map_err(|e| format!("Invalid path S3 URL path {path:?}: {e}"))?;
-
-    let bucket = url.host_str().ok_or_else(|| format!("Missing Bucket name in data folder S3 URL {path:?}"))?;
-
-    let builder = opendal::services::S3::default()
-        .customized_credential_load(Box::new(OPEN_DAL_S3_CREDENTIAL_LOADER))
-        .enable_virtual_host_style()
-        .bucket(bucket)
-        .root(url.path())
-        .default_storage_class("INTELLIGENT_TIERING");
-
-    Ok(opendal::Operator::new(builder)?.finish())
+    "starttls".to_owned()
 }

 pub enum PathType {
@@ -1471,20 +1385,49 @@ pub enum PathType {
    RsaKey,
 }

+// Official available feature flags can be found here:
+// Server (v2026.2.1): https://github.com/bitwarden/server/blob/0e42725d0837bd1c0dabd864ff621a579959744b/src/Core/Constants.cs#L135
+// Client (v2026.2.1): https://github.com/bitwarden/clients/blob/f96380c3138291a028bdd2c7a5fee540d5c98ba5/libs/common/src/enums/feature-flag.enum.ts#L12
+// Android (v2026.2.1): https://github.com/bitwarden/android/blob/6902c19c0093fa476bbf74ccaa70c9f14afbb82f/core/src/main/kotlin/com/bitwarden/core/data/manager/model/FlagKey.kt#L31
+// iOS (v2026.2.1): https://github.com/bitwarden/ios/blob/cdd9ba1770ca2ffc098d02d12cc3208e3a830454/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
+pub const SUPPORTED_FEATURE_FLAGS: &[&str] = &[
+    // Architecture
+    "desktop-ui-migration-milestone-1",
+    "desktop-ui-migration-milestone-2",
+    "desktop-ui-migration-milestone-3",
+    "desktop-ui-migration-milestone-4",
+    // Auth Team
+    "pm-5594-safari-account-switching",
+    // Autofill Team
+    "ssh-agent",
+    "ssh-agent-v2",
+    // Key Management Team
+    "ssh-key-vault-item",
+    "pm-25373-windows-biometrics-v2",
+    // Mobile Team
+    "anon-addy-self-host-alias",
+    "simple-login-self-host-alias",
+    "mutual-tls",
+    "cxp-import-mobile",
+    "cxp-export-mobile",
+    // Platform Team
+    "pm-30529-webauthn-related-origins",
+];
+
 impl Config {
    pub async fn load() -> Result<Self, Error> {
        // Loading from env and file
-        let _env = ConfigBuilder::from_env();
-        let _usr = ConfigBuilder::from_file().await.unwrap_or_default();
+        let env = ConfigBuilder::from_env();
+        let usr = ConfigBuilder::from_file().await.unwrap_or_default();

        // Create merged config, config file overwrites env
-        let mut _overrides = Vec::new();
-        let builder = _env.merge(&_usr, true, &mut _overrides);
+        let mut overrides = Vec::new();
+        let builder = env.merge(&usr, true, &mut overrides);

        // Fill any missing with defaults
        let config = builder.build();
        if !SKIP_CONFIG_VALIDATION.load(Ordering::Relaxed) {
-            validate_config(&config)?;
+            validate_config(&config, false)?;
        }

        Ok(Config {
@@ -1492,9 +1435,9 @@ impl Config {
                rocket_shutdown_handle: None,
                templates: load_templates(&config.templates_folder),
                config,
-                _env,
-                _usr,
-                _overrides,
+                _env: env,
+                _usr: usr,
+                _overrides: overrides,
            }),
        })
    }
@@ -1520,7 +1463,7 @@ impl Config {
            let env = &self.inner.read().unwrap()._env;
            env.merge(&builder, false, &mut overrides).build()
        };
-        validate_config(&config)?;
+        validate_config(&config, true)?;

        // Save both the user and the combined config
        {
@@ -1531,7 +1474,7 @@ impl Config {
        }

        //Save to file
-        let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+        let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
        operator.write(&CONFIG_FILENAME, config_str).await?;

        Ok(())
@@ -1540,8 +1483,8 @@ impl Config {
    async fn update_config_partial(&self, other: ConfigBuilder) -> Result<(), Error> {
        let builder = {
            let usr = &self.inner.read().unwrap()._usr;
-            let mut _overrides = Vec::new();
-            usr.merge(&other, false, &mut _overrides)
+            let mut overrides = Vec::new();
+            usr.merge(&other, false, &mut overrides)
        };
        self.update_config(builder, false).await
    }
@@ -1564,11 +1507,11 @@ impl Config {
    /// Tests whether signup is allowed for an email address, taking into
    /// account the signups_allowed and signups_domains_whitelist settings.
    pub fn is_signup_allowed(&self, email: &str) -> bool {
-        if !self.signups_domains_whitelist().is_empty() {
+        if self.signups_domains_whitelist().is_empty() {
+            self.signups_allowed()
+        } else {
            // The whitelist setting overrides the signups_allowed setting.
            self.is_email_domain_allowed(email)
-        } else {
-            self.signups_allowed()
        }
    }

@@ -1596,7 +1539,7 @@ impl Config {
    }

    pub async fn delete_user_config(&self) -> Result<(), Error> {
-        let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+        let operator = storage::operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
        operator.delete(&CONFIG_FILENAME).await?;

        // Empty user config
@@ -1620,7 +1563,7 @@ impl Config {
    }

    pub fn private_rsa_key(&self) -> String {
-        format!("{}.pem", self.rsa_key_filename())
+        storage::with_extension(&self.rsa_key_filename(), "pem")
    }
    pub fn mail_enabled(&self) -> bool {
        let inner = &self.inner.read().unwrap().config;
@@ -1661,15 +1604,11 @@ impl Config {
            PathType::IconCache => self.icon_cache_folder(),
            PathType::Attachments => self.attachments_folder(),
            PathType::Sends => self.sends_folder(),
-            PathType::RsaKey => std::path::Path::new(&self.rsa_key_filename())
-                .parent()
-                .ok_or_else(|| std::io::Error::other("Failed to get directory of RSA key file"))?
-                .to_str()
-                .ok_or_else(|| std::io::Error::other("Failed to convert RSA key file directory to UTF-8 string"))?
-                .to_string(),
+            PathType::RsaKey => storage::parent(&self.private_rsa_key())
+                .ok_or_else(|| std::io::Error::other("Failed to get directory of RSA key file"))?,
        };

-        opendal_operator_for_path(&path)
+        storage::operator_for_path(&path)
    }

    pub fn render_template<T: serde::ser::Serialize>(&self, name: &str, data: &T) -> Result<String, Error> {
@@ -1693,10 +1632,10 @@ impl Config {
    }

    pub fn shutdown(&self) {
-        if let Ok(mut c) = self.inner.write() {
-            if let Some(handle) = c.rocket_shutdown_handle.take() {
-                handle.notify();
-            }
+        if let Ok(mut c) = self.inner.write()
+            && let Some(handle) = c.rocket_shutdown_handle.take()
+        {
+            handle.notify();
        }
    }

@@ -1709,11 +1648,11 @@ impl Config {
    }

    pub fn sso_master_password_policy_value(&self) -> Option<serde_json::Value> {
-        validate_sso_master_password_policy(&self.sso_master_password_policy()).ok().flatten()
+        validate_sso_master_password_policy(self.sso_master_password_policy().as_ref()).ok().flatten()
    }

    pub fn sso_scopes_vec(&self) -> Vec<String> {
-        self.sso_scopes().split_whitespace().map(str::to_string).collect()
+        self.sso_scopes().split_whitespace().map(str::to_owned).collect()
    }

    pub fn sso_authorize_extra_params_vec(&self) -> Vec<(String, String)> {
@@ -1823,7 +1762,7 @@ fn case_helper<'reg, 'rc>(
    let value = param.value().clone();

    if h.params().iter().skip(1).any(|x| x.value() == &value) {
-        h.template().map(|t| t.render(r, ctx, rc, out)).unwrap_or_else(|| Ok(()))
+        h.template().map_or(Ok(()), |t| t.render(r, ctx, rc, out))
    } else {
        Ok(())
    }
@@ -55,13 +55,13 @@ pub fn encode_random_bytes<const N: usize>(e: &Encoding) -> String {
 /// Generates a random string over a specified alphabet.
 pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
    // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
-    use rand::Rng;
+    use rand::RngExt;
    let mut rng = rand::rng();

    (0..num_chars)
        .map(|_| {
            let i = rng.random_range(0..alphabet.len());
-            alphabet[i] as char
+            char::from(alphabet[i])
        })
        .collect()
 }
@@ -113,3 +113,10 @@ pub fn ct_eq<T: AsRef<[u8]>, U: AsRef<[u8]>>(a: T, b: U) -> bool {
    use subtle::ConstantTimeEq;
    a.as_ref().ct_eq(b.as_ref()).into()
 }
+
+//
+// SHA256
+//
+pub fn sha256_hex(data: &[u8]) -> String {
+    HEXLOWER.encode(digest::digest(&digest::SHA256, data).as_ref())
+}
@@ -6,25 +6,23 @@ use std::{
 };

 use diesel::{
+    Connection, RunQueryDsl,
    connection::SimpleConnection,
    r2d2::{CustomizeConnection, Pool, PooledConnection},
-    Connection, RunQueryDsl,
 };
-
 use rocket::{
+    Request,
    http::Status,
    request::{FromRequest, Outcome},
-    Request,
 };
-
 use tokio::{
    sync::{Mutex, OwnedSemaphorePermit, Semaphore},
    time::timeout,
 };

 use crate::{
-    error::{Error, MapResult},
    CONFIG,
+    error::{Error, MapResult},
 };

 // These changes are based on Rocket 0.5-rc wrapper of Diesel: https://github.com/SergioBenitez/Rocket/blob/v0.5-rc/contrib/sync_db_pools
@@ -62,7 +60,7 @@ pub struct DbConnManager {
 impl DbConnManager {
    pub fn new(database_url: &str) -> Self {
        Self {
-            database_url: database_url.to_string(),
+            database_url: database_url.to_owned(),
        }
    }

@@ -224,7 +222,7 @@ impl DbPool {

        // Set a global to determine the database more easily throughout the rest of the code
        if ACTIVE_DB_TYPE.set(conn_type).is_err() {
-            error!("Tried to set the active database connection type more than once.")
+            error!("Tried to set the active database connection type more than once.");
        }

        Ok(DbPool {
@@ -272,22 +270,40 @@ impl DbConnType {
            #[cfg(not(postgresql))]
            err!("`DATABASE_URL` is a PostgreSQL URL, but the 'postgresql' feature is not enabled")

-        //Sqlite
-        } else {
+        // Sqlite (explicit)
+        } else if url.len() > 7 && &url[..7] == "sqlite:" {
            #[cfg(sqlite)]
            return Ok(DbConnType::Sqlite);

            #[cfg(not(sqlite))]
-            err!("`DATABASE_URL` looks like a SQLite URL, but 'sqlite' feature is not enabled")
+            err!("`DATABASE_URL` is a SQLite URL, but the 'sqlite' feature is not enabled")
        }
+
+        // No recognized scheme — assume legacy bare-path SQLite, but the database file must already exist.
+        // This prevents misconfigured URLs (typos, quoted strings) from silently creating a new empty SQLite database.
+        #[cfg(sqlite)]
+        {
+            if std::path::Path::new(url).exists() {
+                return Ok(DbConnType::Sqlite);
+            }
+            err!(format!(
+                "`DATABASE_URL` does not match any known database scheme (mysql://, postgresql://, sqlite://) \
+                    and no existing SQLite database was found at '{url}'. \
+                    If you intend to use SQLite, use an explicit `sqlite://` scheme in your `DATABASE_URL`. \
+                    Otherwise, check your DATABASE_URL for typos or quoting issues."
+            ))
+        }
+
+        #[cfg(not(sqlite))]
+        err!("`DATABASE_URL` does not match any known database scheme (mysql://, postgresql://, sqlite://)")
    }

    pub fn get_init_stmts(&self) -> String {
        let init_stmts = CONFIG.database_conn_init();
-        if !init_stmts.is_empty() {
-            init_stmts
-        } else {
+        if init_stmts.is_empty() {
            self.default_init_stmts()
+        } else {
+            init_stmts
        }
    }

@@ -298,7 +314,7 @@ impl DbConnType {
            #[cfg(postgresql)]
            Self::Postgresql => String::new(),
            #[cfg(sqlite)]
-            Self::Sqlite => "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;".to_string(),
+            Self::Sqlite => "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;".to_owned(),
        }
    }
 }
@@ -387,30 +403,27 @@ pub mod models;
 #[cfg(sqlite)]
 pub fn backup_sqlite() -> Result<String, Error> {
    use diesel::Connection;
-    use std::{fs::File, io::Write};

    let db_url = CONFIG.database_url();
-    if DbConnType::from_url(&CONFIG.database_url()).map(|t| t == DbConnType::Sqlite).unwrap_or(false) {
-        // Since we do not allow any schema for sqlite database_url's like `file:` or `sqlite:` to be set, we can assume here it isn't
-        // This way we can set a readonly flag on the opening mode without issues.
-        let mut conn = diesel::sqlite::SqliteConnection::establish(&format!("sqlite://{db_url}?mode=ro"))?;
+    if DbConnType::from_url(&CONFIG.database_url()).is_ok_and(|t| t == DbConnType::Sqlite) {
+        // Strip the sqlite:// prefix if present to get the raw file path
+        let file_path = db_url.strip_prefix("sqlite://").unwrap_or(&db_url);
+        // Open a read-only connection for the backup
+        let mut conn = diesel::sqlite::SqliteConnection::establish(&format!("sqlite://{file_path}?mode=ro"))?;

-        let db_path = std::path::Path::new(&db_url).parent().unwrap();
+        let db_path = std::path::Path::new(file_path).parent().unwrap();
        let backup_file = db_path
            .join(format!("db_{}.sqlite3", chrono::Utc::now().format("%Y%m%d_%H%M%S")))
            .to_string_lossy()
            .into_owned();

-        match File::create(backup_file.clone()) {
-            Ok(mut f) => {
-                let serialized_db = conn.serialize_database_to_buffer();
-                f.write_all(serialized_db.as_slice()).expect("Error writing SQLite backup");
-                Ok(backup_file)
-            }
-            Err(e) => {
-                err_silent!(format!("Unable to save SQLite backup: {e:?}"))
-            }
-        }
+        diesel::sql_query("VACUUM INTO ?")
+            .bind::<diesel::sql_types::Text, _>(&backup_file)
+            .execute(&mut conn)
+            .map(|_| ())
+            .map_res("VACUUM INTO failed")?;
+
+        Ok(backup_file)
    } else {
        err_silent!("The database type is not SQLite. Backups only works for SQLite databases")
    }
@@ -427,12 +440,12 @@ pub async fn get_sql_server_version(conn: &DbConn) -> String {
        postgresql,mysql {
            diesel::select(diesel::dsl::sql::<diesel::sql_types::Text>("version();"))
            .get_result::<String>(conn)
-            .unwrap_or_else(|_| "Unknown".to_string())
+            .unwrap_or_else(|_| "Unknown".to_owned())
        }
        sqlite {
            diesel::select(diesel::dsl::sql::<diesel::sql_types::Text>("sqlite_version();"))
            .get_result::<String>(conn)
-            .unwrap_or_else(|_| "Unknown".to_string())
+            .unwrap_or_else(|_| "Unknown".to_owned())
        }
    }
 }
@@ -0,0 +1,95 @@
+use chrono::NaiveDateTime;
+use diesel::prelude::*;
+
+use crate::{
+    api::EmptyResult,
+    db::{DbConn, schema::archives},
+    error::MapResult,
+};
+
+use super::{CipherId, User, UserId};
+
+#[derive(Identifiable, Queryable, Insertable)]
+#[diesel(table_name = archives)]
+#[diesel(primary_key(user_uuid, cipher_uuid))]
+pub struct Archive {
+    pub user_uuid: UserId,
+    pub cipher_uuid: CipherId,
+    pub archived_at: NaiveDateTime,
+}
+
+impl Archive {
+    // Returns the date the specified cipher was archived
+    pub async fn get_archived_at(cipher_uuid: &CipherId, user_uuid: &UserId, conn: &DbConn) -> Option<NaiveDateTime> {
+        conn.run(move |conn| {
+            archives::table
+                .filter(archives::cipher_uuid.eq(cipher_uuid))
+                .filter(archives::user_uuid.eq(user_uuid))
+                .select(archives::archived_at)
+                .first::<NaiveDateTime>(conn)
+                .ok()
+        })
+        .await
+    }
+
+    // Saves (inserts or updates) an archive record with the provided timestamp
+    pub async fn save(
+        user_uuid: &UserId,
+        cipher_uuid: &CipherId,
+        archived_at: NaiveDateTime,
+        conn: &DbConn,
+    ) -> EmptyResult {
+        User::update_uuid_revision(user_uuid, conn).await;
+        db_run! { conn:
+            sqlite, mysql {
+                diesel::replace_into(archives::table)
+                    .values((
+                        archives::user_uuid.eq(user_uuid),
+                        archives::cipher_uuid.eq(cipher_uuid),
+                        archives::archived_at.eq(archived_at),
+                    ))
+                    .execute(conn)
+                    .map_res("Error saving archive")
+            }
+            postgresql {
+                diesel::insert_into(archives::table)
+                    .values((
+                        archives::user_uuid.eq(user_uuid),
+                        archives::cipher_uuid.eq(cipher_uuid),
+                        archives::archived_at.eq(archived_at),
+                    ))
+                    .on_conflict((archives::user_uuid, archives::cipher_uuid))
+                    .do_update()
+                    .set(archives::archived_at.eq(archived_at))
+                    .execute(conn)
+                    .map_res("Error saving archive")
+            }
+        }
+    }
+
+    // Deletes an archive record for a specific cipher
+    pub async fn delete_by_cipher(user_uuid: &UserId, cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(user_uuid, conn).await;
+        conn.run(move |conn| {
+            diesel::delete(
+                archives::table.filter(archives::user_uuid.eq(user_uuid)).filter(archives::cipher_uuid.eq(cipher_uuid)),
+            )
+            .execute(conn)
+            .map_res("Error deleting archive")
+        })
+        .await
+    }
+
+    /// Return a vec with (cipher_uuid, archived_at)
+    /// This is used during a full sync so we only need one query for all archive matches
+    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<(CipherId, NaiveDateTime)> {
+        conn.run(move |conn| {
+            archives::table
+                .filter(archives::user_uuid.eq(user_uuid))
+                .select((archives::cipher_uuid, archives::archived_at))
+                .load::<(CipherId, NaiveDateTime)>(conn)
+                .unwrap_or_default()
+        })
+        .await
+    }
+}
@@ -1,13 +1,24 @@
+use std::time::Duration;
+
 use bigdecimal::{BigDecimal, ToPrimitive};
 use derive_more::{AsRef, Deref, Display};
 use diesel::prelude::*;
 use serde_json::Value;
-use std::time::Duration;
+
+use crate::{
+    CONFIG,
+    api::EmptyResult,
+    auth::{encode_jwt, generate_file_download_claims},
+    config::PathType,
+    db::{
+        DbConn,
+        schema::{attachments, ciphers},
+    },
+    error::MapResult,
+};
+use macros::IdFromParam;

 use super::{CipherId, OrganizationId, UserId};
-use crate::db::schema::{attachments, ciphers};
-use crate::{config::PathType, CONFIG};
-use macros::IdFromParam;

 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = attachments)]
@@ -46,11 +57,11 @@ impl Attachment {
    pub async fn get_url(&self, host: &str) -> Result<String, crate::Error> {
        let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;

-        if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
+        if crate::storage::is_fs_operator(&operator) {
            let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
            Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
        } else {
-            Ok(operator.presign_read(&self.get_file_path(), Duration::from_secs(5 * 60)).await?.uri().to_string())
+            Ok(operator.presign_read(&self.get_file_path(), Duration::from_mins(5)).await?.uri().to_string())
        }
    }

@@ -67,12 +78,6 @@ impl Attachment {
    }
 }

-use crate::auth::{encode_jwt, generate_file_download_claims};
-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-
 /// Database methods
 impl Attachment {
    pub async fn save(&self, conn: &DbConn) -> EmptyResult {
@@ -107,15 +112,15 @@ impl Attachment {
    }

    pub async fn delete(&self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
-            crate::util::retry(||
-                diesel::delete(attachments::table.filter(attachments::id.eq(&self.id)))
-                .execute(conn),
+        conn.run(move |conn| {
+            crate::util::retry(
+                || diesel::delete(attachments::table.filter(attachments::id.eq(&self.id))).execute(conn),
                10,
            )
            .map(|_| ())
            .map_res("Error deleting attachment")
-        }}?;
+        })
+        .await?;

        let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;
        let file_path = self.get_file_path();
@@ -139,25 +144,22 @@ impl Attachment {
    }

    pub async fn find_by_id(id: &AttachmentId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            attachments::table
-                .filter(attachments::id.eq(id.to_lowercase()))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| attachments::table.filter(attachments::id.eq(id.to_lowercase())).first::<Self>(conn).ok())
+            .await
    }

    pub async fn find_by_cipher(cipher_uuid: &CipherId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            attachments::table
                .filter(attachments::cipher_uuid.eq(cipher_uuid))
                .load::<Self>(conn)
                .expect("Error loading attachments")
-        }}
+        })
+        .await
    }

    pub async fn size_by_user(user_uuid: &UserId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
+        conn.run(move |conn| {
            let result: Option<BigDecimal> = attachments::table
                .left_join(ciphers::table.on(ciphers::uuid.eq(attachments::cipher_uuid)))
                .filter(ciphers::user_uuid.eq(user_uuid))
@@ -168,24 +170,26 @@ impl Attachment {
            match result.map(|r| r.to_i64()) {
                Some(Some(r)) => r,
                Some(None) => i64::MAX,
-                None => 0
+                None => 0,
            }
-        }}
+        })
+        .await
    }

    pub async fn count_by_user(user_uuid: &UserId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
+        conn.run(move |conn| {
            attachments::table
                .left_join(ciphers::table.on(ciphers::uuid.eq(attachments::cipher_uuid)))
                .filter(ciphers::user_uuid.eq(user_uuid))
                .count()
                .first(conn)
                .unwrap_or(0)
-        }}
+        })
+        .await
    }

    pub async fn size_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
+        conn.run(move |conn| {
            let result: Option<BigDecimal> = attachments::table
                .left_join(ciphers::table.on(ciphers::uuid.eq(attachments::cipher_uuid)))
                .filter(ciphers::organization_uuid.eq(org_uuid))
@@ -196,20 +200,22 @@ impl Attachment {
            match result.map(|r| r.to_i64()) {
                Some(Some(r)) => r,
                Some(None) => i64::MAX,
-                None => 0
+                None => 0,
            }
-        }}
+        })
+        .await
    }

    pub async fn count_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
+        conn.run(move |conn| {
            attachments::table
                .left_join(ciphers::table.on(ciphers::uuid.eq(attachments::cipher_uuid)))
                .filter(ciphers::organization_uuid.eq(org_uuid))
                .count()
                .first(conn)
                .unwrap_or(0)
-        }}
+        })
+        .await
    }

    // This will return all attachments linked to the user or org
@@ -220,7 +226,7 @@ impl Attachment {
        org_uuids: &Vec<OrganizationId>,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            attachments::table
                .left_join(ciphers::table.on(ciphers::uuid.eq(attachments::cipher_uuid)))
                .filter(ciphers::user_uuid.eq(user_uuid))
@@ -228,7 +234,8 @@ impl Attachment {
                .select(attachments::all_columns)
                .load::<Self>(conn)
                .expect("Error loading attachments")
-        }}
+        })
+        .await
    }
 }

@@ -1,12 +1,19 @@
-use super::{DeviceId, OrganizationId, UserId};
-use crate::db::schema::auth_requests;
-use crate::{crypto::ct_eq, util::format_date};
 use chrono::{NaiveDateTime, Utc};
 use derive_more::{AsRef, Deref, Display, From};
 use diesel::prelude::*;
-use macros::UuidFromParam;
 use serde_json::Value;

+use crate::{
+    api::EmptyResult,
+    crypto::ct_eq,
+    db::{DbConn, schema::auth_requests},
+    error::MapResult,
+    util::format_date,
+};
+use macros::UuidFromParam;
+
+use super::{DeviceId, OrganizationId, UserId};
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset, Deserialize, Serialize)]
 #[diesel(table_name = auth_requests)]
 #[diesel(treat_none_as_null = true)]
@@ -74,11 +81,6 @@ impl AuthRequest {
    }
 }

-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-
 impl AuthRequest {
    pub async fn save(&mut self, conn: &DbConn) -> EmptyResult {
        db_run! { conn:
@@ -112,31 +114,28 @@ impl AuthRequest {
    }

    pub async fn find_by_uuid(uuid: &AuthRequestId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            auth_requests::table
-                .filter(auth_requests::uuid.eq(uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| auth_requests::table.filter(auth_requests::uuid.eq(uuid)).first::<Self>(conn).ok()).await
    }

    pub async fn find_by_uuid_and_user(uuid: &AuthRequestId, user_uuid: &UserId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            auth_requests::table
                .filter(auth_requests::uuid.eq(uuid))
                .filter(auth_requests::user_uuid.eq(user_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            auth_requests::table
                .filter(auth_requests::user_uuid.eq(user_uuid))
                .load::<Self>(conn)
                .expect("Error loading auth_requests")
-        }}
+        })
+        .await
    }

    pub async fn find_by_user_and_requested_device(
@@ -144,7 +143,7 @@ impl AuthRequest {
        device_uuid: &DeviceId,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            auth_requests::table
                .filter(auth_requests::user_uuid.eq(user_uuid))
                .filter(auth_requests::request_device_identifier.eq(device_uuid))
@@ -152,24 +151,27 @@ impl AuthRequest {
                .order_by(auth_requests::creation_date.desc())
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_created_before(dt: &NaiveDateTime, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            auth_requests::table
                .filter(auth_requests::creation_date.lt(dt))
                .load::<Self>(conn)
                .expect("Error loading auth_requests")
-        }}
+        })
+        .await
    }

    pub async fn delete(&self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(auth_requests::table.filter(auth_requests::uuid.eq(&self.uuid)))
                .execute(conn)
                .map_res("Error deleting auth request")
-        }}
+        })
+        .await
    }

    pub fn check_access_code(&self, access_code: &str) -> bool {
@@ -177,7 +179,9 @@ impl AuthRequest {
    }

    pub async fn purge_expired_auth_requests(conn: &DbConn) {
-        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(5).unwrap(); //after 5 minutes, clients reject the request
+        // delete auth requests older than 15 minutes which is functionally equivalent to upstream:
+        // https://github.com/bitwarden/server/blob/f8ee2270409f7a13125cd414c450740af605a175/src/Sql/dbo/Auth/Stored%20Procedures/AuthRequest_DeleteIfExpired.sql
+        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(15).unwrap();
        for auth_request in Self::find_created_before(&expiry_time, conn).await {
            auth_request.delete(conn).await.ok();
        }
@@ -1,16 +1,25 @@
 use derive_more::{AsRef, Deref, Display, From};
+use diesel::prelude::*;
 use serde_json::Value;

+use crate::{
+    CONFIG,
+    api::EmptyResult,
+    db::{
+        DbConn,
+        schema::{
+            ciphers_collections, collections, collections_groups, groups, groups_users, users_collections,
+            users_organizations,
+        },
+    },
+    error::MapResult,
+};
+use macros::UuidFromParam;
+
 use super::{
    CipherId, CollectionGroup, GroupUser, Membership, MembershipId, MembershipStatus, MembershipType, OrganizationId,
    User, UserId,
 };
-use crate::db::schema::{
-    ciphers_collections, collections, collections_groups, groups, groups_users, users_collections, users_organizations,
-};
-use crate::CONFIG;
-use diesel::prelude::*;
-use macros::UuidFromParam;

 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = collections)]
@@ -74,7 +83,7 @@ impl Collection {
                if external_id.is_empty() {
                    self.external_id = None;
                } else {
-                    self.external_id = Some(external_id)
+                    self.external_id = Some(external_id);
                }
            }
            None => self.external_id = None,
@@ -147,11 +156,6 @@ impl Collection {
    }
 }

-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-
 /// Database methods
 impl Collection {
    pub async fn save(&self, conn: &DbConn) -> EmptyResult {
@@ -191,13 +195,14 @@ impl Collection {
        self.update_users_revision(conn).await;
        CollectionCipher::delete_all_by_collection(&self.uuid, conn).await?;
        CollectionUser::delete_all_by_collection(&self.uuid, conn).await?;
-        CollectionGroup::delete_all_by_collection(&self.uuid, conn).await?;
+        CollectionGroup::delete_all_by_collection(&self.uuid, &self.org_uuid, conn).await?;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(collections::table.filter(collections::uuid.eq(self.uuid)))
                .execute(conn)
                .map_res("Error deleting collection")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
@@ -208,90 +213,90 @@ impl Collection {
    }

    pub async fn update_users_revision(&self, conn: &DbConn) {
-        for member in Membership::find_by_collection_and_org(&self.uuid, &self.org_uuid, conn).await.iter() {
+        for member in &Membership::find_by_collection_and_org(&self.uuid, &self.org_uuid, conn).await {
            User::update_uuid_revision(&member.user_uuid, conn).await;
        }
    }

    pub async fn find_by_uuid(uuid: &CollectionId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            collections::table
-                .filter(collections::uuid.eq(uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| collections::table.filter(collections::uuid.eq(uuid)).first::<Self>(conn).ok()).await
    }

    pub async fn find_by_user_uuid(user_uuid: UserId, conn: &DbConn) -> Vec<Self> {
        if CONFIG.org_groups_enabled() {
-            db_run! { conn: {
+            conn.run(move |conn| {
                collections::table
-                .left_join(users_collections::table.on(
-                    users_collections::collection_uuid.eq(collections::uuid).and(
-                        users_collections::user_uuid.eq(user_uuid.clone())
+                    .left_join(
+                        users_collections::table.on(users_collections::collection_uuid
+                            .eq(collections::uuid)
+                            .and(users_collections::user_uuid.eq(user_uuid.clone()))),
                    )
-                ))
-                .left_join(users_organizations::table.on(
-                    collections::org_uuid.eq(users_organizations::org_uuid).and(
-                        users_organizations::user_uuid.eq(user_uuid.clone())
+                    .left_join(
+                        users_organizations::table.on(collections::org_uuid
+                            .eq(users_organizations::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid.clone()))),
                    )
-                ))
-                .left_join(groups_users::table.on(
-                    groups_users::users_organizations_uuid.eq(users_organizations::uuid)
-                ))
-                .left_join(groups::table.on(
-                    groups::uuid.eq(groups_users::groups_uuid)
-                ))
-                .left_join(collections_groups::table.on(
-                    collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
-                        collections_groups::collections_uuid.eq(collections::uuid)
+                    .left_join(
+                        groups_users::table.on(groups_users::users_organizations_uuid.eq(users_organizations::uuid)),
                    )
-                ))
-                .filter(
-                    users_organizations::status.eq(MembershipStatus::Confirmed as i32)
-                )
-                .filter(
-                    users_collections::user_uuid.eq(user_uuid).or( // Directly accessed collection
-                        users_organizations::access_all.eq(true) // access_all in Organization
-                    ).or(
-                        groups::access_all.eq(true) // access_all in groups
-                    ).or( // access via groups
-                        groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
-                            collections_groups::collections_uuid.is_not_null()
-                        )
+                    .left_join(
+                        groups::table.on(groups::uuid
+                            .eq(groups_users::groups_uuid)
+                            .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
                    )
-                )
-                .select(collections::all_columns)
-                .distinct()
-                .load::<Self>(conn)
-                .expect("Error loading collections")
-            }}
+                    .left_join(
+                        collections_groups::table.on(collections_groups::groups_uuid
+                            .eq(groups_users::groups_uuid)
+                            .and(collections_groups::collections_uuid.eq(collections::uuid))),
+                    )
+                    .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
+                    .filter(
+                        users_collections::user_uuid
+                            .eq(user_uuid)
+                            .or(
+                                // Directly accessed collection
+                                users_organizations::access_all.eq(true), // access_all in Organization
+                            )
+                            .or(
+                                groups::access_all.eq(true), // access_all in groups
+                            )
+                            .or(
+                                // access via groups
+                                groups_users::users_organizations_uuid
+                                    .eq(users_organizations::uuid)
+                                    .and(collections_groups::collections_uuid.is_not_null()),
+                            ),
+                    )
+                    .select(collections::all_columns)
+                    .distinct()
+                    .load::<Self>(conn)
+                    .expect("Error loading collections")
+            })
+            .await
        } else {
-            db_run! { conn: {
+            conn.run(move |conn| {
                collections::table
-                .left_join(users_collections::table.on(
-                    users_collections::collection_uuid.eq(collections::uuid).and(
-                        users_collections::user_uuid.eq(user_uuid.clone())
+                    .left_join(
+                        users_collections::table.on(users_collections::collection_uuid
+                            .eq(collections::uuid)
+                            .and(users_collections::user_uuid.eq(user_uuid.clone()))),
                    )
-                ))
-                .left_join(users_organizations::table.on(
-                    collections::org_uuid.eq(users_organizations::org_uuid).and(
-                        users_organizations::user_uuid.eq(user_uuid.clone())
+                    .left_join(
+                        users_organizations::table.on(collections::org_uuid
+                            .eq(users_organizations::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid.clone()))),
                    )
-                ))
-                .filter(
-                    users_organizations::status.eq(MembershipStatus::Confirmed as i32)
-                )
-                .filter(
-                    users_collections::user_uuid.eq(user_uuid).or( // Directly accessed collection
-                        users_organizations::access_all.eq(true) // access_all in Organization
-                    )
-                )
-                .select(collections::all_columns)
-                .distinct()
-                .load::<Self>(conn)
-                .expect("Error loading collections")
-            }}
+                    .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
+                    .filter(users_collections::user_uuid.eq(user_uuid).or(
+                        // Directly accessed collection
+                        users_organizations::access_all.eq(true), // access_all in Organization
+                    ))
+                    .select(collections::all_columns)
+                    .distinct()
+                    .load::<Self>(conn)
+                    .expect("Error loading collections")
+            })
+            .await
        }
    }

@@ -308,255 +313,315 @@ impl Collection {
    }

    pub async fn find_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            collections::table
                .filter(collections::org_uuid.eq(org_uuid))
                .load::<Self>(conn)
                .expect("Error loading collections")
-        }}
+        })
+        .await
    }

    pub async fn count_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
-            collections::table
-                .filter(collections::org_uuid.eq(org_uuid))
-                .count()
-                .first::<i64>(conn)
-                .ok()
-                .unwrap_or(0)
-        }}
+        conn.run(move |conn| {
+            collections::table.filter(collections::org_uuid.eq(org_uuid)).count().first::<i64>(conn).ok().unwrap_or(0)
+        })
+        .await
    }

    pub async fn find_by_uuid_and_org(uuid: &CollectionId, org_uuid: &OrganizationId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            collections::table
                .filter(collections::uuid.eq(uuid))
                .filter(collections::org_uuid.eq(org_uuid))
                .select(collections::all_columns)
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_uuid_and_user(uuid: &CollectionId, user_uuid: UserId, conn: &DbConn) -> Option<Self> {
        if CONFIG.org_groups_enabled() {
-            db_run! { conn: {
+            conn.run(move |conn| {
                collections::table
-                .left_join(users_collections::table.on(
-                    users_collections::collection_uuid.eq(collections::uuid).and(
-                        users_collections::user_uuid.eq(user_uuid.clone())
+                    .left_join(
+                        users_collections::table.on(users_collections::collection_uuid
+                            .eq(collections::uuid)
+                            .and(users_collections::user_uuid.eq(user_uuid.clone()))),
                    )
-                ))
-                .left_join(users_organizations::table.on(
-                    collections::org_uuid.eq(users_organizations::org_uuid).and(
-                        users_organizations::user_uuid.eq(user_uuid)
+                    .left_join(
+                        users_organizations::table.on(collections::org_uuid
+                            .eq(users_organizations::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid))),
                    )
-                ))
-                .left_join(groups_users::table.on(
-                    groups_users::users_organizations_uuid.eq(users_organizations::uuid)
-                ))
-                .left_join(groups::table.on(
-                    groups::uuid.eq(groups_users::groups_uuid)
-                ))
-                .left_join(collections_groups::table.on(
-                    collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
-                        collections_groups::collections_uuid.eq(collections::uuid)
+                    .left_join(
+                        groups_users::table.on(groups_users::users_organizations_uuid.eq(users_organizations::uuid)),
                    )
-                ))
-                .filter(collections::uuid.eq(uuid))
-                .filter(
-                    users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
-                        users_organizations::access_all.eq(true).or( // access_all in Organization
-                            users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
-                    )).or(
-                        groups::access_all.eq(true) // access_all in groups
-                    ).or( // access via groups
-                        groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
-                            collections_groups::collections_uuid.is_not_null()
-                        )
+                    .left_join(
+                        groups::table.on(groups::uuid
+                            .eq(groups_users::groups_uuid)
+                            .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
                    )
-                ).select(collections::all_columns)
-                .first::<Self>(conn)
-                .ok()
-            }}
+                    .left_join(
+                        collections_groups::table.on(collections_groups::groups_uuid
+                            .eq(groups_users::groups_uuid)
+                            .and(collections_groups::collections_uuid.eq(collections::uuid))),
+                    )
+                    .filter(collections::uuid.eq(uuid))
+                    .filter(
+                        users_collections::collection_uuid
+                            .eq(uuid)
+                            .or(
+                                // Directly accessed collection
+                                users_organizations::access_all.eq(true).or(
+                                    // access_all in Organization
+                                    users_organizations::atype.le(MembershipType::Admin as i32), // Org admin or owner
+                                ),
+                            )
+                            .or(
+                                groups::access_all.eq(true), // access_all in groups
+                            )
+                            .or(
+                                // access via groups
+                                groups_users::users_organizations_uuid
+                                    .eq(users_organizations::uuid)
+                                    .and(collections_groups::collections_uuid.is_not_null()),
+                            ),
+                    )
+                    .select(collections::all_columns)
+                    .first::<Self>(conn)
+                    .ok()
+            })
+            .await
        } else {
-            db_run! { conn: {
+            conn.run(move |conn| {
                collections::table
-                .left_join(users_collections::table.on(
-                    users_collections::collection_uuid.eq(collections::uuid).and(
-                        users_collections::user_uuid.eq(user_uuid.clone())
+                    .left_join(
+                        users_collections::table.on(users_collections::collection_uuid
+                            .eq(collections::uuid)
+                            .and(users_collections::user_uuid.eq(user_uuid.clone()))),
                    )
-                ))
-                .left_join(users_organizations::table.on(
-                    collections::org_uuid.eq(users_organizations::org_uuid).and(
-                        users_organizations::user_uuid.eq(user_uuid)
+                    .left_join(
+                        users_organizations::table.on(collections::org_uuid
+                            .eq(users_organizations::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid))),
                    )
-                ))
-                .filter(collections::uuid.eq(uuid))
-                .filter(
-                    users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
-                        users_organizations::access_all.eq(true).or( // access_all in Organization
-                            users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
+                    .filter(collections::uuid.eq(uuid))
+                    .filter(users_collections::collection_uuid.eq(uuid).or(
+                        // Directly accessed collection
+                        users_organizations::access_all.eq(true).or(
+                            // access_all in Organization
+                            users_organizations::atype.le(MembershipType::Admin as i32), // Org admin or owner
+                        ),
                    ))
-                ).select(collections::all_columns)
-                .first::<Self>(conn)
-                .ok()
-            }}
+                    .select(collections::all_columns)
+                    .first::<Self>(conn)
+                    .ok()
+            })
+            .await
        }
    }

    pub async fn is_writable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
        let user_uuid = user_uuid.to_string();
        if CONFIG.org_groups_enabled() {
-            db_run! { conn: {
+            conn.run(move |conn| {
                collections::table
                    .filter(collections::uuid.eq(&self.uuid))
-                    .inner_join(users_organizations::table.on(
-                        collections::org_uuid.eq(users_organizations::org_uuid)
-                        .and(users_organizations::user_uuid.eq(user_uuid.clone()))
-                    ))
-                    .left_join(users_collections::table.on(
-                        users_collections::collection_uuid.eq(collections::uuid)
-                        .and(users_collections::user_uuid.eq(user_uuid))
-                    ))
-                    .left_join(groups_users::table.on(
-                        groups_users::users_organizations_uuid.eq(users_organizations::uuid)
-                    ))
-                    .left_join(groups::table.on(
-                        groups::uuid.eq(groups_users::groups_uuid)
-                    ))
-                    .left_join(collections_groups::table.on(
-                        collections_groups::groups_uuid.eq(groups_users::groups_uuid)
-                        .and(collections_groups::collections_uuid.eq(collections::uuid))
-                    ))
-                    .filter(users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
-                        .or(users_organizations::access_all.eq(true)) // access_all via membership
-                        .or(users_collections::collection_uuid.eq(&self.uuid) // write access given to collection
-                            .and(users_collections::read_only.eq(false)))
-                        .or(groups::access_all.eq(true)) // access_all via group
-                        .or(collections_groups::collections_uuid.is_not_null() // write access given via group
-                            .and(collections_groups::read_only.eq(false)))
+                    .inner_join(
+                        users_organizations::table.on(collections::org_uuid
+                            .eq(users_organizations::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid.clone()))),
+                    )
+                    .left_join(
+                        users_collections::table.on(users_collections::collection_uuid
+                            .eq(collections::uuid)
+                            .and(users_collections::user_uuid.eq(user_uuid))),
+                    )
+                    .left_join(
+                        groups_users::table.on(groups_users::users_organizations_uuid.eq(users_organizations::uuid)),
+                    )
+                    .left_join(
+                        groups::table.on(groups::uuid
+                            .eq(groups_users::groups_uuid)
+                            .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
+                    )
+                    .left_join(
+                        collections_groups::table.on(collections_groups::groups_uuid
+                            .eq(groups_users::groups_uuid)
+                            .and(collections_groups::collections_uuid.eq(collections::uuid))),
+                    )
+                    .filter(
+                        users_organizations::atype
+                            .le(MembershipType::Admin as i32) // Org admin or owner
+                            .or(users_organizations::access_all.eq(true)) // access_all via membership
+                            .or(users_collections::collection_uuid
+                                .eq(&self.uuid) // write access given to collection
+                                .and(users_collections::read_only.eq(false)))
+                            .or(groups::access_all.eq(true)) // access_all via group
+                            .or(collections_groups::collections_uuid
+                                .is_not_null() // write access given via group
+                                .and(collections_groups::read_only.eq(false))),
                    )
                    .count()
                    .first::<i64>(conn)
                    .ok()
-                    .unwrap_or(0) != 0
-            }}
+                    .unwrap_or(0)
+                    != 0
+            })
+            .await
        } else {
-            db_run! { conn: {
+            conn.run(move |conn| {
                collections::table
                    .filter(collections::uuid.eq(&self.uuid))
-                    .inner_join(users_organizations::table.on(
-                        collections::org_uuid.eq(users_organizations::org_uuid)
-                        .and(users_organizations::user_uuid.eq(user_uuid.clone()))
-                    ))
-                    .left_join(users_collections::table.on(
-                        users_collections::collection_uuid.eq(collections::uuid)
-                        .and(users_collections::user_uuid.eq(user_uuid))
-                    ))
-                    .filter(users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
-                        .or(users_organizations::access_all.eq(true)) // access_all via membership
-                        .or(users_collections::collection_uuid.eq(&self.uuid) // write access given to collection
-                            .and(users_collections::read_only.eq(false)))
+                    .inner_join(
+                        users_organizations::table.on(collections::org_uuid
+                            .eq(users_organizations::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid.clone()))),
+                    )
+                    .left_join(
+                        users_collections::table.on(users_collections::collection_uuid
+                            .eq(collections::uuid)
+                            .and(users_collections::user_uuid.eq(user_uuid))),
+                    )
+                    .filter(
+                        users_organizations::atype
+                            .le(MembershipType::Admin as i32) // Org admin or owner
+                            .or(users_organizations::access_all.eq(true)) // access_all via membership
+                            .or(users_collections::collection_uuid
+                                .eq(&self.uuid) // write access given to collection
+                                .and(users_collections::read_only.eq(false))),
                    )
                    .count()
                    .first::<i64>(conn)
                    .ok()
-                    .unwrap_or(0) != 0
-            }}
+                    .unwrap_or(0)
+                    != 0
+            })
+            .await
        }
    }

    pub async fn hide_passwords_for_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
        let user_uuid = user_uuid.to_string();
-        db_run! { conn: {
+        conn.run(move |conn| {
            collections::table
-            .left_join(users_collections::table.on(
-                users_collections::collection_uuid.eq(collections::uuid).and(
-                    users_collections::user_uuid.eq(user_uuid.clone())
+                .left_join(
+                    users_collections::table.on(users_collections::collection_uuid
+                        .eq(collections::uuid)
+                        .and(users_collections::user_uuid.eq(user_uuid.clone()))),
                )
-            ))
-            .left_join(users_organizations::table.on(
-                collections::org_uuid.eq(users_organizations::org_uuid).and(
-                    users_organizations::user_uuid.eq(user_uuid)
+                .left_join(
+                    users_organizations::table.on(collections::org_uuid
+                        .eq(users_organizations::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_uuid))),
                )
-            ))
-            .left_join(groups_users::table.on(
-                groups_users::users_organizations_uuid.eq(users_organizations::uuid)
-            ))
-            .left_join(groups::table.on(
-                groups::uuid.eq(groups_users::groups_uuid)
-            ))
-            .left_join(collections_groups::table.on(
-                collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
-                    collections_groups::collections_uuid.eq(collections::uuid)
+                .left_join(groups_users::table.on(groups_users::users_organizations_uuid.eq(users_organizations::uuid)))
+                .left_join(
+                    groups::table.on(groups::uuid
+                        .eq(groups_users::groups_uuid)
+                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
                )
-            ))
-            .filter(collections::uuid.eq(&self.uuid))
-            .filter(
-                users_collections::collection_uuid.eq(&self.uuid).and(users_collections::hide_passwords.eq(true)).or(// Directly accessed collection
-                    users_organizations::access_all.eq(true).or( // access_all in Organization
-                        users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
-                )).or(
-                    groups::access_all.eq(true) // access_all in groups
-                ).or( // access via groups
-                    groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
-                        collections_groups::collections_uuid.is_not_null().and(
-                            collections_groups::hide_passwords.eq(true))
-                    )
+                .left_join(
+                    collections_groups::table.on(collections_groups::groups_uuid
+                        .eq(groups_users::groups_uuid)
+                        .and(collections_groups::collections_uuid.eq(collections::uuid))),
                )
-            )
-            .count()
-            .first::<i64>(conn)
-            .ok()
-            .unwrap_or(0) != 0
-        }}
+                .filter(collections::uuid.eq(&self.uuid))
+                .filter(
+                    users_collections::collection_uuid
+                        .eq(&self.uuid)
+                        .and(users_collections::hide_passwords.eq(true))
+                        .or(
+                            // Directly accessed collection
+                            users_organizations::access_all.eq(true).or(
+                                // access_all in Organization
+                                users_organizations::atype.le(MembershipType::Admin as i32), // Org admin or owner
+                            ),
+                        )
+                        .or(
+                            groups::access_all.eq(true), // access_all in groups
+                        )
+                        .or(
+                            // access via groups
+                            groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
+                                collections_groups::collections_uuid
+                                    .is_not_null()
+                                    .and(collections_groups::hide_passwords.eq(true)),
+                            ),
+                        ),
+                )
+                .count()
+                .first::<i64>(conn)
+                .ok()
+                .unwrap_or(0)
+                != 0
+        })
+        .await
+    }
+
+    pub async fn is_coll_manageable_by_user(uuid: &CollectionId, user_uuid: &UserId, conn: &DbConn) -> bool {
+        let uuid = uuid.to_string();
+        let user_uuid = user_uuid.to_string();
+        conn.run(move |conn| {
+            collections::table
+                .left_join(
+                    users_collections::table.on(users_collections::collection_uuid
+                        .eq(collections::uuid)
+                        .and(users_collections::user_uuid.eq(user_uuid.clone()))),
+                )
+                .left_join(
+                    users_organizations::table.on(collections::org_uuid
+                        .eq(users_organizations::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_uuid))),
+                )
+                .left_join(groups_users::table.on(groups_users::users_organizations_uuid.eq(users_organizations::uuid)))
+                .left_join(
+                    groups::table.on(groups::uuid
+                        .eq(groups_users::groups_uuid)
+                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
+                )
+                .left_join(
+                    collections_groups::table.on(collections_groups::groups_uuid
+                        .eq(groups_users::groups_uuid)
+                        .and(collections_groups::collections_uuid.eq(collections::uuid))),
+                )
+                .filter(collections::uuid.eq(&uuid))
+                .filter(
+                    users_collections::collection_uuid
+                        .eq(&uuid)
+                        .and(users_collections::manage.eq(true))
+                        .or(
+                            // Directly accessed collection
+                            users_organizations::access_all.eq(true).or(
+                                // access_all in Organization
+                                users_organizations::atype.le(MembershipType::Admin as i32), // Org admin or owner
+                            ),
+                        )
+                        .or(
+                            groups::access_all.eq(true), // access_all in groups
+                        )
+                        .or(
+                            // access via groups
+                            groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
+                                collections_groups::collections_uuid
+                                    .is_not_null()
+                                    .and(collections_groups::manage.eq(true)),
+                            ),
+                        ),
+                )
+                .count()
+                .first::<i64>(conn)
+                .ok()
+                .unwrap_or(0)
+                != 0
+        })
+        .await
    }

    pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
-        let user_uuid = user_uuid.to_string();
-        db_run! { conn: {
-            collections::table
-            .left_join(users_collections::table.on(
-                users_collections::collection_uuid.eq(collections::uuid).and(
-                    users_collections::user_uuid.eq(user_uuid.clone())
-                )
-            ))
-            .left_join(users_organizations::table.on(
-                collections::org_uuid.eq(users_organizations::org_uuid).and(
-                    users_organizations::user_uuid.eq(user_uuid)
-                )
-            ))
-            .left_join(groups_users::table.on(
-                groups_users::users_organizations_uuid.eq(users_organizations::uuid)
-            ))
-            .left_join(groups::table.on(
-                groups::uuid.eq(groups_users::groups_uuid)
-            ))
-            .left_join(collections_groups::table.on(
-                collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
-                    collections_groups::collections_uuid.eq(collections::uuid)
-                )
-            ))
-            .filter(collections::uuid.eq(&self.uuid))
-            .filter(
-                users_collections::collection_uuid.eq(&self.uuid).and(users_collections::manage.eq(true)).or(// Directly accessed collection
-                    users_organizations::access_all.eq(true).or( // access_all in Organization
-                        users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
-                )).or(
-                    groups::access_all.eq(true) // access_all in groups
-                ).or( // access via groups
-                    groups_users::users_organizations_uuid.eq(users_organizations::uuid).and(
-                        collections_groups::collections_uuid.is_not_null().and(
-                            collections_groups::manage.eq(true))
-                    )
-                )
-            )
-            .count()
-            .first::<i64>(conn)
-            .ok()
-            .unwrap_or(0) != 0
-        }}
+        Self::is_coll_manageable_by_user(&self.uuid, user_uuid, conn).await
    }
 }

@@ -567,7 +632,7 @@ impl CollectionUser {
        user_uuid: &UserId,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_collections::table
                .filter(users_collections::user_uuid.eq(user_uuid))
                .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid)))
@@ -575,24 +640,35 @@ impl CollectionUser {
                .select(users_collections::all_columns)
                .load::<Self>(conn)
                .expect("Error loading users_collections")
-        }}
+        })
+        .await
    }

    pub async fn find_by_organization_swap_user_uuid_with_member_uuid(
        org_uuid: &OrganizationId,
        conn: &DbConn,
    ) -> Vec<CollectionMembership> {
-        let col_users = db_run! { conn: {
-            users_collections::table
-                .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid)))
-                .filter(collections::org_uuid.eq(org_uuid))
-                .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)))
-                .filter(users_organizations::org_uuid.eq(org_uuid))
-                .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords, users_collections::manage))
-                .load::<Self>(conn)
-                .expect("Error loading users_collections")
-        }};
-        col_users.into_iter().map(|c| c.into()).collect()
+        let col_users = conn
+            .run(move |conn| {
+                users_collections::table
+                    .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid)))
+                    .filter(collections::org_uuid.eq(org_uuid))
+                    .inner_join(
+                        users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)),
+                    )
+                    .filter(users_organizations::org_uuid.eq(org_uuid))
+                    .select((
+                        users_organizations::uuid,
+                        users_collections::collection_uuid,
+                        users_collections::read_only,
+                        users_collections::hide_passwords,
+                        users_collections::manage,
+                    ))
+                    .load::<Self>(conn)
+                    .expect("Error loading users_collections")
+            })
+            .await;
+        col_users.into_iter().map(Into::into).collect()
    }

    pub async fn save(
@@ -661,7 +737,7 @@ impl CollectionUser {
    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&self.user_uuid, conn).await;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(
                users_collections::table
                    .filter(users_collections::user_uuid.eq(&self.user_uuid))
@@ -669,17 +745,19 @@ impl CollectionUser {
            )
            .execute(conn)
            .map_res("Error removing user from collection")
-        }}
+        })
+        .await
    }

    pub async fn find_by_collection(collection_uuid: &CollectionId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_collections::table
                .filter(users_collections::collection_uuid.eq(collection_uuid))
                .select(users_collections::all_columns)
                .load::<Self>(conn)
                .expect("Error loading users_collections")
-        }}
+        })
+        .await
    }

    pub async fn find_by_org_and_coll_swap_user_uuid_with_member_uuid(
@@ -687,16 +765,26 @@ impl CollectionUser {
        collection_uuid: &CollectionId,
        conn: &DbConn,
    ) -> Vec<CollectionMembership> {
-        let col_users = db_run! { conn: {
-            users_collections::table
-                .filter(users_collections::collection_uuid.eq(collection_uuid))
-                .filter(users_organizations::org_uuid.eq(org_uuid))
-                .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)))
-                .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords, users_collections::manage))
-                .load::<Self>(conn)
-                .expect("Error loading users_collections")
-        }};
-        col_users.into_iter().map(|c| c.into()).collect()
+        let col_users = conn
+            .run(move |conn| {
+                users_collections::table
+                    .filter(users_collections::collection_uuid.eq(collection_uuid))
+                    .filter(users_organizations::org_uuid.eq(org_uuid))
+                    .inner_join(
+                        users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)),
+                    )
+                    .select((
+                        users_organizations::uuid,
+                        users_collections::collection_uuid,
+                        users_collections::read_only,
+                        users_collections::hide_passwords,
+                        users_collections::manage,
+                    ))
+                    .load::<Self>(conn)
+                    .expect("Error loading users_collections")
+            })
+            .await;
+        col_users.into_iter().map(Into::into).collect()
    }

    pub async fn find_by_collection_and_user(
@@ -704,36 +792,39 @@ impl CollectionUser {
        user_uuid: &UserId,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_collections::table
                .filter(users_collections::collection_uuid.eq(collection_uuid))
                .filter(users_collections::user_uuid.eq(user_uuid))
                .select(users_collections::all_columns)
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_collections::table
                .filter(users_collections::user_uuid.eq(user_uuid))
                .select(users_collections::all_columns)
                .load::<Self>(conn)
                .expect("Error loading users_collections")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_collection(collection_uuid: &CollectionId, conn: &DbConn) -> EmptyResult {
-        for collection in CollectionUser::find_by_collection(collection_uuid, conn).await.iter() {
+        for collection in &CollectionUser::find_by_collection(collection_uuid, conn).await {
            User::update_uuid_revision(&collection.user_uuid, conn).await;
        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(users_collections::table.filter(users_collections::collection_uuid.eq(collection_uuid)))
                .execute(conn)
                .map_res("Error deleting users from collection")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_user_and_org(
@@ -743,17 +834,21 @@ impl CollectionUser {
    ) -> EmptyResult {
        let collectionusers = Self::find_by_organization_and_user_uuid(org_uuid, user_uuid, conn).await;

-        db_run! { conn: {
+        conn.run(move |conn| {
            for user in collectionusers {
-                let _: () = diesel::delete(users_collections::table.filter(
-                    users_collections::user_uuid.eq(user_uuid)
-                    .and(users_collections::collection_uuid.eq(user.collection_uuid))
-                ))
-                    .execute(conn)
-                    .map_res("Error removing user from collections")?;
+                let _: () = diesel::delete(
+                    users_collections::table.filter(
+                        users_collections::user_uuid
+                            .eq(user_uuid)
+                            .and(users_collections::collection_uuid.eq(user.collection_uuid)),
+                    ),
+                )
+                .execute(conn)
+                .map_res("Error removing user from collections")?;
            }
            Ok(())
-        }}
+        })
+        .await
    }

    pub async fn has_access_to_collection_by_user(col_id: &CollectionId, user_uuid: &UserId, conn: &DbConn) -> bool {
@@ -796,7 +891,7 @@ impl CollectionCipher {
    pub async fn delete(cipher_uuid: &CipherId, collection_uuid: &CollectionId, conn: &DbConn) -> EmptyResult {
        Self::update_users_revision(collection_uuid, conn).await;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(
                ciphers_collections::table
                    .filter(ciphers_collections::cipher_uuid.eq(cipher_uuid))
@@ -804,23 +899,26 @@ impl CollectionCipher {
            )
            .execute(conn)
            .map_res("Error deleting cipher from collection")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_cipher(cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(ciphers_collections::table.filter(ciphers_collections::cipher_uuid.eq(cipher_uuid)))
                .execute(conn)
                .map_res("Error removing cipher from collections")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_collection(collection_uuid: &CollectionId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(ciphers_collections::table.filter(ciphers_collections::collection_uuid.eq(collection_uuid)))
                .execute(conn)
                .map_res("Error removing ciphers from collection")
-        }}
+        })
+        .await
    }

    pub async fn update_users_revision(collection_uuid: &CollectionId, conn: &DbConn) {
@@ -1,18 +1,20 @@
 use chrono::{NaiveDateTime, Utc};
-
-use data_encoding::{BASE64, BASE64URL};
+use data_encoding::BASE64URL;
 use derive_more::{Display, From};
+use diesel::prelude::*;
 use serde_json::Value;

-use super::{AuthRequest, UserId};
-use crate::db::schema::devices;
 use crate::{
+    api::EmptyResult,
    crypto,
+    db::{DbConn, schema::devices},
+    error::MapResult,
    util::{format_date, get_uuid},
 };
-use diesel::prelude::*;
 use macros::{IdFromParam, UuidFromParam};

+use super::{AuthRequest, UserId};
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = devices)]
 #[diesel(treat_none_as_null = true)]
@@ -25,7 +27,7 @@ pub struct Device {
    pub user_uuid: UserId,

    pub name: String,
-    pub atype: i32, // https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/Enums/DeviceType.cs
+    pub atype: i32, // https://github.com/bitwarden/server/blob/8d547dcc280babab70dd4a3c94ced6a34b12dfbf/src/Core/Enums/DeviceType.cs
    pub push_uuid: Option<PushId>,
    pub push_token: Option<String>,

@@ -49,11 +51,16 @@ impl Device {

            push_uuid: Some(PushId(get_uuid())),
            push_token: None,
-            refresh_token: crypto::encode_random_bytes::<64>(&BASE64URL),
+            refresh_token: Device::generate_refresh_token(),
            twofactor_remember: None,
        }
    }

+    #[inline(always)]
+    pub fn generate_refresh_token() -> String {
+        crypto::encode_random_bytes::<64>(&BASE64URL)
+    }
+
    pub fn to_json(&self) -> Value {
        json!({
            "id": self.uuid,
@@ -67,10 +74,13 @@ impl Device {
    }

    pub fn refresh_twofactor_remember(&mut self) -> String {
-        let twofactor_remember = crypto::encode_random_bytes::<180>(&BASE64);
-        self.twofactor_remember = Some(twofactor_remember.clone());
+        use crate::auth::{encode_jwt, generate_2fa_remember_claims};

-        twofactor_remember
+        let two_factor_remember_claim = generate_2fa_remember_claims(self.uuid.clone(), self.user_uuid.clone());
+        let two_factor_remember_string = encode_jwt(&two_factor_remember_claim);
+        self.twofactor_remember = Some(two_factor_remember_string.clone());
+
+        two_factor_remember_string
    }

    pub fn delete_twofactor_remember(&mut self) {
@@ -127,10 +137,6 @@ impl DeviceWithAuthRequest {
        }
    }
 }
-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;

 /// Database methods
 impl Device {
@@ -163,21 +169,23 @@ impl Device {
    }

    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(devices::table.filter(devices::user_uuid.eq(user_uuid)))
                .execute(conn)
                .map_res("Error removing devices for user")
-        }}
+        })
+        .await
    }

    pub async fn find_by_uuid_and_user(uuid: &DeviceId, user_uuid: &UserId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            devices::table
                .filter(devices::uuid.eq(uuid))
                .filter(devices::user_uuid.eq(user_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_with_auth_request_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<DeviceWithAuthRequest> {
@@ -191,71 +199,76 @@ impl Device {
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
-            devices::table
-                .filter(devices::user_uuid.eq(user_uuid))
-                .load::<Self>(conn)
-                .expect("Error loading devices")
-        }}
+        conn.run(move |conn| {
+            devices::table.filter(devices::user_uuid.eq(user_uuid)).load::<Self>(conn).expect("Error loading devices")
+        })
+        .await
    }

    pub async fn find_by_uuid(uuid: &DeviceId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            devices::table
-                .filter(devices::uuid.eq(uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| devices::table.filter(devices::uuid.eq(uuid)).first::<Self>(conn).ok()).await
    }

    pub async fn clear_push_token_by_uuid(uuid: &DeviceId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::update(devices::table)
                .filter(devices::uuid.eq(uuid))
                .set(devices::push_token.eq::<Option<String>>(None))
                .execute(conn)
                .map_res("Error removing push token")
-        }}
+        })
+        .await
    }
    pub async fn find_by_refresh_token(refresh_token: &str, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            devices::table
-                .filter(devices::refresh_token.eq(refresh_token))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| devices::table.filter(devices::refresh_token.eq(refresh_token)).first::<Self>(conn).ok())
+            .await
    }

    pub async fn find_latest_active_by_user(user_uuid: &UserId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            devices::table
                .filter(devices::user_uuid.eq(user_uuid))
                .order(devices::updated_at.desc())
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_push_devices_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            devices::table
                .filter(devices::user_uuid.eq(user_uuid))
                .filter(devices::push_token.is_not_null())
                .load::<Self>(conn)
                .expect("Error loading push devices")
-        }}
+        })
+        .await
    }

    pub async fn check_user_has_push_device(user_uuid: &UserId, conn: &DbConn) -> bool {
-        db_run! { conn: {
+        conn.run(move |conn| {
            devices::table
-            .filter(devices::user_uuid.eq(user_uuid))
-            .filter(devices::push_token.is_not_null())
-            .count()
-            .first::<i64>(conn)
-            .ok()
-            .unwrap_or(0) != 0
-        }}
+                .filter(devices::user_uuid.eq(user_uuid))
+                .filter(devices::push_token.is_not_null())
+                .count()
+                .first::<i64>(conn)
+                .ok()
+                .unwrap_or(0)
+                != 0
+        })
+        .await
+    }
+
+    pub async fn rotate_refresh_tokens_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
+        // Generate a new token per device.
+        // We cannot do a single UPDATE with one value because each device needs a unique token.
+        let devices = Self::find_by_user(user_uuid, conn).await;
+        for mut device in devices {
+            device.refresh_token = Device::generate_refresh_token();
+            device.save(false, conn).await?;
+        }
+        Ok(())
    }
 }

@@ -313,9 +326,12 @@ pub enum DeviceType {
    MacOsCLI = 24,
    #[display("Linux CLI")]
    LinuxCLI = 25,
+    #[display("DuckDuckGo")]
+    DuckDuckGoBrowser = 26,
 }

 impl DeviceType {
+    #[expect(clippy::match_same_arms, reason = "Specifically define 14 and have a fallback for new types")]
    pub fn from_i32(value: i32) -> DeviceType {
        match value {
            0 => DeviceType::Android,
@@ -344,6 +360,7 @@ impl DeviceType {
            23 => DeviceType::WindowsCLI,
            24 => DeviceType::MacOsCLI,
            25 => DeviceType::LinuxCLI,
+            26 => DeviceType::DuckDuckGoBrowser,
            _ => DeviceType::UnknownBrowser,
        }
    }
@@ -1,13 +1,17 @@
 use chrono::{NaiveDateTime, Utc};
 use derive_more::{AsRef, Deref, Display, From};
+use diesel::prelude::*;
 use serde_json::Value;

-use super::{User, UserId};
-use crate::db::schema::emergency_access;
-use crate::{api::EmptyResult, db::DbConn, error::MapResult};
-use diesel::prelude::*;
+use crate::{
+    api::EmptyResult,
+    db::{DbConn, schema::emergency_access},
+    error::MapResult,
+};
 use macros::UuidFromParam;

+use super::{User, UserId};
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = emergency_access)]
 #[diesel(treat_none_as_null = true)]
@@ -85,17 +89,15 @@ impl EmergencyAccess {
    pub async fn to_json_grantee_details(&self, conn: &DbConn) -> Option<Value> {
        let grantee_user = if let Some(grantee_uuid) = &self.grantee_uuid {
            User::find_by_uuid(grantee_uuid, conn).await.expect("Grantee user not found.")
-        } else if let Some(email) = self.email.as_deref() {
-            match User::find_by_mail(email, conn).await {
-                Some(user) => user,
-                None => {
-                    // remove outstanding invitations which should not exist
-                    Self::delete_all_by_grantee_email(email, conn).await.ok();
-                    return None;
-                }
-            }
        } else {
-            return None;
+            let email = self.email.as_deref()?;
+            if let Some(user) = User::find_by_mail(email, conn).await {
+                user
+            } else {
+                // remove outstanding invitations which should not exist
+                Self::delete_all_by_grantee_email(email, conn).await.ok();
+                return None;
+            }
        };

        Some(json!({
@@ -184,28 +186,36 @@ impl EmergencyAccess {
        self.status = status;
        date.clone_into(&mut self.updated_at);

-        db_run! { conn: {
-            crate::util::retry(|| {
-                diesel::update(emergency_access::table.filter(emergency_access::uuid.eq(&self.uuid)))
-                    .set((emergency_access::status.eq(status), emergency_access::updated_at.eq(date)))
-                    .execute(conn)
-            }, 10)
+        conn.run(move |conn| {
+            crate::util::retry(
+                || {
+                    diesel::update(emergency_access::table.filter(emergency_access::uuid.eq(&self.uuid)))
+                        .set((emergency_access::status.eq(status), emergency_access::updated_at.eq(date)))
+                        .execute(conn)
+                },
+                10,
+            )
            .map_res("Error updating emergency access status")
-        }}
+        })
+        .await
    }

    pub async fn update_last_notification_date_and_save(&mut self, date: &NaiveDateTime, conn: &DbConn) -> EmptyResult {
        self.last_notification_at = Some(date.to_owned());
        date.clone_into(&mut self.updated_at);

-        db_run! { conn: {
-            crate::util::retry(|| {
-                diesel::update(emergency_access::table.filter(emergency_access::uuid.eq(&self.uuid)))
-                    .set((emergency_access::last_notification_at.eq(date), emergency_access::updated_at.eq(date)))
-                    .execute(conn)
-            }, 10)
+        conn.run(move |conn| {
+            crate::util::retry(
+                || {
+                    diesel::update(emergency_access::table.filter(emergency_access::uuid.eq(&self.uuid)))
+                        .set((emergency_access::last_notification_at.eq(date), emergency_access::updated_at.eq(date)))
+                        .execute(conn)
+                },
+                10,
+            )
            .map_res("Error updating emergency access status")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
@@ -228,11 +238,12 @@ impl EmergencyAccess {
    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&self.grantor_uuid, conn).await;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(emergency_access::table.filter(emergency_access::uuid.eq(self.uuid)))
                .execute(conn)
                .map_res("Error removing user from emergency access")
-        }}
+        })
+        .await
    }

    pub async fn find_by_grantor_uuid_and_grantee_uuid_or_email(
@@ -241,23 +252,25 @@ impl EmergencyAccess {
        email: &str,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::grantor_uuid.eq(grantor_uuid))
                .filter(emergency_access::grantee_uuid.eq(grantee_uuid).or(emergency_access::email.eq(email)))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_all_recoveries_initiated(conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::status.eq(EmergencyAccessStatus::RecoveryInitiated as i32))
                .filter(emergency_access::recovery_initiated_at.is_not_null())
                .load::<Self>(conn)
                .expect("Error loading emergency_access")
-        }}
+        })
+        .await
    }

    pub async fn find_by_uuid_and_grantor_uuid(
@@ -265,13 +278,14 @@ impl EmergencyAccess {
        grantor_uuid: &UserId,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::uuid.eq(uuid))
                .filter(emergency_access::grantor_uuid.eq(grantor_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_uuid_and_grantee_uuid(
@@ -279,13 +293,14 @@ impl EmergencyAccess {
        grantee_uuid: &UserId,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::uuid.eq(uuid))
                .filter(emergency_access::grantee_uuid.eq(grantee_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_uuid_and_grantee_email(
@@ -293,61 +308,67 @@ impl EmergencyAccess {
        grantee_email: &str,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::uuid.eq(uuid))
                .filter(emergency_access::email.eq(grantee_email))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_all_by_grantee_uuid(grantee_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::grantee_uuid.eq(grantee_uuid))
                .load::<Self>(conn)
                .expect("Error loading emergency_access")
-        }}
+        })
+        .await
    }

    pub async fn find_invited_by_grantee_email(grantee_email: &str, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::email.eq(grantee_email))
                .filter(emergency_access::status.eq(EmergencyAccessStatus::Invited as i32))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_all_invited_by_grantee_email(grantee_email: &str, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::email.eq(grantee_email))
                .filter(emergency_access::status.eq(EmergencyAccessStatus::Invited as i32))
                .load::<Self>(conn)
                .expect("Error loading emergency_access")
-        }}
+        })
+        .await
    }

    pub async fn find_all_by_grantor_uuid(grantor_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::grantor_uuid.eq(grantor_uuid))
                .load::<Self>(conn)
                .expect("Error loading emergency_access")
-        }}
+        })
+        .await
    }

    pub async fn find_all_confirmed_by_grantor_uuid(grantor_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            emergency_access::table
                .filter(emergency_access::grantor_uuid.eq(grantor_uuid))
                .filter(emergency_access::status.ge(EmergencyAccessStatus::Confirmed as i32))
                .load::<Self>(conn)
                .expect("Error loading emergency_access")
-        }}
+        })
+        .await
    }

    pub async fn accept_invite(&mut self, grantee_uuid: &UserId, grantee_email: &str, conn: &DbConn) -> EmptyResult {
@@ -1,11 +1,18 @@
 use chrono::{NaiveDateTime, TimeDelta, Utc};
-//use derive_more::{AsRef, Deref, Display, From};
+use diesel::prelude::*;
 use serde_json::Value;

+use crate::{
+    CONFIG,
+    api::EmptyResult,
+    db::{
+        DbConn,
+        schema::{event, users_organizations},
+    },
+    error::MapResult,
+};
+
 use super::{CipherId, CollectionId, GroupId, MembershipId, OrgPolicyId, OrganizationId, UserId};
-use crate::db::schema::{event, users_organizations};
-use crate::{api::EmptyResult, db::DbConn, error::MapResult, CONFIG};
-use diesel::prelude::*;

 // https://bitwarden.com/help/event-logs/

@@ -249,11 +256,10 @@ impl Event {
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
-            diesel::delete(event::table.filter(event::uuid.eq(self.uuid)))
-                .execute(conn)
-                .map_res("Error deleting event")
-        }}
+        conn.run(move |conn| {
+            diesel::delete(event::table.filter(event::uuid.eq(self.uuid))).execute(conn).map_res("Error deleting event")
+        })
+        .await
    }

    /// ##############
@@ -264,7 +270,7 @@ impl Event {
        end: &NaiveDateTime,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            event::table
                .filter(event::org_uuid.eq(org_uuid))
                .filter(event::event_date.between(start, end))
@@ -272,18 +278,15 @@ impl Event {
                .limit(Self::PAGE_SIZE)
                .load::<Self>(conn)
                .expect("Error filtering events")
-        }}
+        })
+        .await
    }

    pub async fn count_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
-            event::table
-                .filter(event::org_uuid.eq(org_uuid))
-                .count()
-                .first::<i64>(conn)
-                .ok()
-                .unwrap_or(0)
-        }}
+        conn.run(move |conn| {
+            event::table.filter(event::org_uuid.eq(org_uuid)).count().first::<i64>(conn).ok().unwrap_or(0)
+        })
+        .await
    }

    pub async fn find_by_org_and_member(
@@ -293,18 +296,23 @@ impl Event {
        end: &NaiveDateTime,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            event::table
                .inner_join(users_organizations::table.on(users_organizations::uuid.eq(member_uuid)))
                .filter(event::org_uuid.eq(org_uuid))
                .filter(event::event_date.between(start, end))
-                .filter(event::user_uuid.eq(users_organizations::user_uuid.nullable()).or(event::act_user_uuid.eq(users_organizations::user_uuid.nullable())))
+                .filter(
+                    event::user_uuid
+                        .eq(users_organizations::user_uuid.nullable())
+                        .or(event::act_user_uuid.eq(users_organizations::user_uuid.nullable())),
+                )
                .select(event::all_columns)
                .order_by(event::event_date.desc())
                .limit(Self::PAGE_SIZE)
                .load::<Self>(conn)
                .expect("Error filtering events")
-        }}
+        })
+        .await
    }

    pub async fn find_by_cipher_uuid(
@@ -313,7 +321,7 @@ impl Event {
        end: &NaiveDateTime,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            event::table
                .filter(event::cipher_uuid.eq(cipher_uuid))
                .filter(event::event_date.between(start, end))
@@ -321,17 +329,19 @@ impl Event {
                .limit(Self::PAGE_SIZE)
                .load::<Self>(conn)
                .expect("Error filtering events")
-        }}
+        })
+        .await
    }

    pub async fn clean_events(conn: &DbConn) -> EmptyResult {
        if let Some(days_to_retain) = CONFIG.events_days_retain() {
            let dt = Utc::now().naive_utc() - TimeDelta::try_days(days_to_retain).unwrap();
-            db_run! { conn: {
+            conn.run(move |conn| {
                diesel::delete(event::table.filter(event::event_date.lt(dt)))
-                .execute(conn)
-                .map_res("Error cleaning old events")
-            }}
+                    .execute(conn)
+                    .map_res("Error cleaning old events")
+            })
+            .await
        } else {
            Ok(())
        }
@@ -1,7 +1,13 @@
-use super::{CipherId, User, UserId};
-use crate::db::schema::favorites;
 use diesel::prelude::*;

+use crate::{
+    api::EmptyResult,
+    db::{DbConn, schema::favorites},
+    error::MapResult,
+};
+
+use super::{CipherId, User, UserId};
+
 #[derive(Identifiable, Queryable, Insertable)]
 #[diesel(table_name = favorites)]
 #[diesel(primary_key(user_uuid, cipher_uuid))]
@@ -10,24 +16,18 @@ pub struct Favorite {
    pub cipher_uuid: CipherId,
 }

-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-
 impl Favorite {
    // Returns whether the specified cipher is a favorite of the specified user.
    pub async fn is_favorite(cipher_uuid: &CipherId, user_uuid: &UserId, conn: &DbConn) -> bool {
-        db_run! { conn: {
+        conn.run(move |conn| {
            let query = favorites::table
                .filter(favorites::cipher_uuid.eq(cipher_uuid))
                .filter(favorites::user_uuid.eq(user_uuid))
                .count();

-            query.first::<i64>(conn)
-                .ok()
-                .unwrap_or(0) != 0
-        }}
+            query.first::<i64>(conn).ok().unwrap_or(0) != 0
+        })
+        .await
    }

    // Sets whether the specified cipher is a favorite of the specified user.
@@ -41,27 +41,26 @@ impl Favorite {
        match (old, new) {
            (false, true) => {
                User::update_uuid_revision(user_uuid, conn).await;
-                db_run! { conn: {
-                diesel::insert_into(favorites::table)
-                    .values((
-                        favorites::user_uuid.eq(user_uuid),
-                        favorites::cipher_uuid.eq(cipher_uuid),
-                    ))
-                    .execute(conn)
-                    .map_res("Error adding favorite")
-                }}
+                conn.run(move |conn| {
+                    diesel::insert_into(favorites::table)
+                        .values((favorites::user_uuid.eq(user_uuid), favorites::cipher_uuid.eq(cipher_uuid)))
+                        .execute(conn)
+                        .map_res("Error adding favorite")
+                })
+                .await
            }
            (true, false) => {
                User::update_uuid_revision(user_uuid, conn).await;
-                db_run! { conn: {
+                conn.run(move |conn| {
                    diesel::delete(
                        favorites::table
                            .filter(favorites::user_uuid.eq(user_uuid))
-                            .filter(favorites::cipher_uuid.eq(cipher_uuid))
+                            .filter(favorites::cipher_uuid.eq(cipher_uuid)),
                    )
                    .execute(conn)
                    .map_res("Error removing favorite")
-                }}
+                })
+                .await
            }
            // Otherwise, the favorite status is already what it should be.
            _ => Ok(()),
@@ -70,31 +69,34 @@ impl Favorite {

    // Delete all favorite entries associated with the specified cipher.
    pub async fn delete_all_by_cipher(cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(favorites::table.filter(favorites::cipher_uuid.eq(cipher_uuid)))
                .execute(conn)
                .map_res("Error removing favorites by cipher")
-        }}
+        })
+        .await
    }

    // Delete all favorite entries associated with the specified user.
    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(favorites::table.filter(favorites::user_uuid.eq(user_uuid)))
                .execute(conn)
                .map_res("Error removing favorites by user")
-        }}
+        })
+        .await
    }

    /// Return a vec with (cipher_uuid) this will only contain favorite flagged ciphers
    /// This is used during a full sync so we only need one query for all favorite cipher matches.
    pub async fn get_all_cipher_uuid_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<CipherId> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            favorites::table
                .filter(favorites::user_uuid.eq(user_uuid))
                .select(favorites::cipher_uuid)
                .load::<CipherId>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }
 }
@@ -1,12 +1,20 @@
 use chrono::{NaiveDateTime, Utc};
 use derive_more::{AsRef, Deref, Display, From};
+use diesel::prelude::*;
 use serde_json::Value;

-use super::{CipherId, User, UserId};
-use crate::db::schema::{folders, folders_ciphers};
-use diesel::prelude::*;
+use crate::{
+    api::EmptyResult,
+    db::{
+        DbConn,
+        schema::{folders, folders_ciphers},
+    },
+    error::MapResult,
+};
 use macros::UuidFromParam;

+use super::{CipherId, User, UserId};
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = folders)]
 #[diesel(primary_key(uuid))]
@@ -56,17 +64,12 @@ impl Folder {
 impl FolderCipher {
    pub fn new(folder_uuid: FolderId, cipher_uuid: CipherId) -> Self {
        Self {
-            folder_uuid,
            cipher_uuid,
+            folder_uuid,
        }
    }
 }

-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-
 /// Database methods
 impl Folder {
    pub async fn save(&mut self, conn: &DbConn) -> EmptyResult {
@@ -107,11 +110,12 @@ impl Folder {
        User::update_uuid_revision(&self.user_uuid, conn).await;
        FolderCipher::delete_all_by_folder(&self.uuid, conn).await?;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(folders::table.filter(folders::uuid.eq(&self.uuid)))
                .execute(conn)
                .map_res("Error deleting folder")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
@@ -122,22 +126,21 @@ impl Folder {
    }

    pub async fn find_by_uuid_and_user(uuid: &FolderId, user_uuid: &UserId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            folders::table
                .filter(folders::uuid.eq(uuid))
                .filter(folders::user_uuid.eq(user_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
-            folders::table
-                .filter(folders::user_uuid.eq(user_uuid))
-                .load::<Self>(conn)
-                .expect("Error loading folders")
-        }}
+        conn.run(move |conn| {
+            folders::table.filter(folders::user_uuid.eq(user_uuid)).load::<Self>(conn).expect("Error loading folders")
+        })
+        .await
    }
 }

@@ -165,7 +168,7 @@ impl FolderCipher {
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(
                folders_ciphers::table
                    .filter(folders_ciphers::cipher_uuid.eq(self.cipher_uuid))
@@ -173,23 +176,26 @@ impl FolderCipher {
            )
            .execute(conn)
            .map_res("Error removing cipher from folder")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_cipher(cipher_uuid: &CipherId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(folders_ciphers::table.filter(folders_ciphers::cipher_uuid.eq(cipher_uuid)))
                .execute(conn)
                .map_res("Error removing cipher from folders")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_folder(folder_uuid: &FolderId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(folders_ciphers::table.filter(folders_ciphers::folder_uuid.eq(folder_uuid)))
                .execute(conn)
                .map_res("Error removing ciphers from folder")
-        }}
+        })
+        .await
    }

    pub async fn find_by_folder_and_cipher(
@@ -197,35 +203,38 @@ impl FolderCipher {
        cipher_uuid: &CipherId,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            folders_ciphers::table
                .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
                .filter(folders_ciphers::cipher_uuid.eq(cipher_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_folder(folder_uuid: &FolderId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            folders_ciphers::table
                .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
                .load::<Self>(conn)
                .expect("Error loading folders")
-        }}
+        })
+        .await
    }

    /// Return a vec with (cipher_uuid, folder_uuid)
    /// This is used during a full sync so we only need one query for all folder matches.
    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<(CipherId, FolderId)> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            folders_ciphers::table
                .inner_join(folders::table)
                .filter(folders::user_uuid.eq(user_uuid))
                .select(folders_ciphers::all_columns)
                .load::<(CipherId, FolderId)>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }
 }

@@ -1,14 +1,20 @@
-use super::{CollectionId, Membership, MembershipId, OrganizationId, User, UserId};
-use crate::api::EmptyResult;
-use crate::db::schema::{collections_groups, groups, groups_users, users_organizations};
-use crate::db::DbConn;
-use crate::error::MapResult;
 use chrono::{NaiveDateTime, Utc};
 use derive_more::{AsRef, Deref, Display, From};
 use diesel::prelude::*;
-use macros::UuidFromParam;
 use serde_json::Value;

+use crate::{
+    api::EmptyResult,
+    db::{
+        DbConn,
+        schema::{collections, collections_groups, groups, groups_users, users_organizations},
+    },
+    error::MapResult,
+};
+use macros::UuidFromParam;
+
+use super::{CollectionId, Membership, MembershipId, OrganizationId, User, UserId};
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = groups)]
 #[diesel(treat_none_as_null = true)]
@@ -81,7 +87,7 @@ impl Group {
        // If both read_only and hide_passwords are false, then manage should be true
        // You can't have an entry with read_only and manage, or hide_passwords and manage
        // Or an entry with everything to false
-        let collections_groups: Vec<Value> = CollectionGroup::find_by_group(&self.uuid, conn)
+        let collections_groups: Vec<Value> = CollectionGroup::find_by_group(&self.uuid, &self.organizations_uuid, conn)
            .await
            .iter()
            .map(|entry| {
@@ -191,39 +197,37 @@ impl Group {

    pub async fn delete_all_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
        for group in Self::find_by_organization(org_uuid, conn).await {
-            group.delete(conn).await?;
+            group.delete(org_uuid, conn).await?;
        }
        Ok(())
    }

    pub async fn find_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups::table
                .filter(groups::organizations_uuid.eq(org_uuid))
                .load::<Self>(conn)
                .expect("Error loading groups")
-        }}
+        })
+        .await
    }

    pub async fn count_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
-            groups::table
-                .filter(groups::organizations_uuid.eq(org_uuid))
-                .count()
-                .first::<i64>(conn)
-                .ok()
-                .unwrap_or(0)
-        }}
+        conn.run(move |conn| {
+            groups::table.filter(groups::organizations_uuid.eq(org_uuid)).count().first::<i64>(conn).ok().unwrap_or(0)
+        })
+        .await
    }

    pub async fn find_by_uuid_and_org(uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups::table
                .filter(groups::uuid.eq(uuid))
                .filter(groups::organizations_uuid.eq(org_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_external_id_and_org(
@@ -231,83 +235,91 @@ impl Group {
        org_uuid: &OrganizationId,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups::table
                .filter(groups::external_id.eq(external_id))
                .filter(groups::organizations_uuid.eq(org_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }
    //Returns all organizations the user has full access to
    pub async fn get_orgs_by_user_with_full_access(user_uuid: &UserId, conn: &DbConn) -> Vec<OrganizationId> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups_users::table
-                .inner_join(users_organizations::table.on(
-                    users_organizations::uuid.eq(groups_users::users_organizations_uuid)
-                ))
-                .inner_join(groups::table.on(
-                    groups::uuid.eq(groups_users::groups_uuid)
-                ))
+                .inner_join(
+                    users_organizations::table.on(users_organizations::uuid.eq(groups_users::users_organizations_uuid)),
+                )
+                .inner_join(
+                    groups::table.on(groups::uuid
+                        .eq(groups_users::groups_uuid)
+                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
+                )
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(groups::access_all.eq(true))
                .select(groups::organizations_uuid)
                .distinct()
                .load::<OrganizationId>(conn)
                .expect("Error loading organization group full access information for user")
-        }}
+        })
+        .await
    }

    pub async fn is_in_full_access_group(user_uuid: &UserId, org_uuid: &OrganizationId, conn: &DbConn) -> bool {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups::table
-                .inner_join(groups_users::table.on(
-                    groups_users::groups_uuid.eq(groups::uuid)
-                ))
-                .inner_join(users_organizations::table.on(
-                    users_organizations::uuid.eq(groups_users::users_organizations_uuid)
-                ))
+                .inner_join(groups_users::table.on(groups_users::groups_uuid.eq(groups::uuid)))
+                .inner_join(
+                    users_organizations::table.on(users_organizations::uuid.eq(groups_users::users_organizations_uuid)),
+                )
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(groups::organizations_uuid.eq(org_uuid))
                .filter(groups::access_all.eq(true))
                .select(groups::access_all)
                .first::<bool>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

-    pub async fn delete(&self, conn: &DbConn) -> EmptyResult {
-        CollectionGroup::delete_all_by_group(&self.uuid, conn).await?;
-        GroupUser::delete_all_by_group(&self.uuid, conn).await?;
+    pub async fn delete(&self, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
+        CollectionGroup::delete_all_by_group(&self.uuid, org_uuid, conn).await?;
+        GroupUser::delete_all_by_group(&self.uuid, org_uuid, conn).await?;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(groups::table.filter(groups::uuid.eq(&self.uuid)))
                .execute(conn)
                .map_res("Error deleting group")
-        }}
+        })
+        .await
    }

    pub async fn update_revision(uuid: &GroupId, conn: &DbConn) {
-        if let Err(e) = Self::_update_revision(uuid, &Utc::now().naive_utc(), conn).await {
+        if let Err(e) = Self::update_revision_impl(uuid, &Utc::now().naive_utc(), conn).await {
            warn!("Failed to update revision for {uuid}: {e:#?}");
        }
    }

-    async fn _update_revision(uuid: &GroupId, date: &NaiveDateTime, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
-            crate::util::retry(|| {
-                diesel::update(groups::table.filter(groups::uuid.eq(uuid)))
-                    .set(groups::revision_date.eq(date))
-                    .execute(conn)
-            }, 10)
+    async fn update_revision_impl(uuid: &GroupId, date: &NaiveDateTime, conn: &DbConn) -> EmptyResult {
+        conn.run(move |conn| {
+            crate::util::retry(
+                || {
+                    diesel::update(groups::table.filter(groups::uuid.eq(uuid)))
+                        .set(groups::revision_date.eq(date))
+                        .execute(conn)
+                },
+                10,
+            )
            .map_res("Error updating group revision")
-        }}
+        })
+        .await
    }
 }

 impl CollectionGroup {
-    pub async fn save(&mut self, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(&self.groups_uuid, conn).await;
+    pub async fn save(&mut self, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
+        let group_users = GroupUser::find_by_group(&self.groups_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }
@@ -365,85 +377,117 @@ impl CollectionGroup {
        }
    }

-    pub async fn find_by_group(group_uuid: &GroupId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+    pub async fn find_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
+        conn.run(move |conn| {
            collections_groups::table
+                .inner_join(groups::table.on(groups::uuid.eq(collections_groups::groups_uuid)))
+                .inner_join(
+                    collections::table.on(collections::uuid
+                        .eq(collections_groups::collections_uuid)
+                        .and(collections::org_uuid.eq(groups::organizations_uuid))),
+                )
                .filter(collections_groups::groups_uuid.eq(group_uuid))
+                .filter(collections::org_uuid.eq(org_uuid))
+                .select(collections_groups::all_columns)
                .load::<Self>(conn)
                .expect("Error loading collection groups")
-        }}
+        })
+        .await
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            collections_groups::table
-                .inner_join(groups_users::table.on(
-                    groups_users::groups_uuid.eq(collections_groups::groups_uuid)
-                ))
-                .inner_join(users_organizations::table.on(
-                    users_organizations::uuid.eq(groups_users::users_organizations_uuid)
-                ))
+                .inner_join(groups_users::table.on(groups_users::groups_uuid.eq(collections_groups::groups_uuid)))
+                .inner_join(
+                    users_organizations::table.on(users_organizations::uuid.eq(groups_users::users_organizations_uuid)),
+                )
+                .inner_join(
+                    groups::table.on(groups::uuid
+                        .eq(collections_groups::groups_uuid)
+                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
+                )
+                .inner_join(
+                    collections::table.on(collections::uuid
+                        .eq(collections_groups::collections_uuid)
+                        .and(collections::org_uuid.eq(groups::organizations_uuid))),
+                )
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .select(collections_groups::all_columns)
                .load::<Self>(conn)
                .expect("Error loading user collection groups")
-        }}
+        })
+        .await
    }

    pub async fn find_by_collection(collection_uuid: &CollectionId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            collections_groups::table
                .filter(collections_groups::collections_uuid.eq(collection_uuid))
+                .inner_join(collections::table.on(collections::uuid.eq(collections_groups::collections_uuid)))
+                .inner_join(
+                    groups::table.on(groups::uuid
+                        .eq(collections_groups::groups_uuid)
+                        .and(groups::organizations_uuid.eq(collections::org_uuid))),
+                )
                .select(collections_groups::all_columns)
                .load::<Self>(conn)
                .expect("Error loading collection groups")
-        }}
+        })
+        .await
    }

-    pub async fn delete(&self, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(&self.groups_uuid, conn).await;
+    pub async fn delete(&self, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
+        let group_users = GroupUser::find_by_group(&self.groups_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(collections_groups::table)
                .filter(collections_groups::collections_uuid.eq(&self.collections_uuid))
                .filter(collections_groups::groups_uuid.eq(&self.groups_uuid))
                .execute(conn)
                .map_res("Error deleting collection group")
-        }}
+        })
+        .await
    }

-    pub async fn delete_all_by_group(group_uuid: &GroupId, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(group_uuid, conn).await;
+    pub async fn delete_all_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
+        let group_users = GroupUser::find_by_group(group_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(collections_groups::table)
                .filter(collections_groups::groups_uuid.eq(group_uuid))
                .execute(conn)
                .map_res("Error deleting collection group")
-        }}
+        })
+        .await
    }

-    pub async fn delete_all_by_collection(collection_uuid: &CollectionId, conn: &DbConn) -> EmptyResult {
+    pub async fn delete_all_by_collection(
+        collection_uuid: &CollectionId,
+        org_uuid: &OrganizationId,
+        conn: &DbConn,
+    ) -> EmptyResult {
        let collection_assigned_to_groups = CollectionGroup::find_by_collection(collection_uuid, conn).await;
        for collection_assigned_to_group in collection_assigned_to_groups {
-            let group_users = GroupUser::find_by_group(&collection_assigned_to_group.groups_uuid, conn).await;
+            let group_users = GroupUser::find_by_group(&collection_assigned_to_group.groups_uuid, org_uuid, conn).await;
            for group_user in group_users {
                group_user.update_user_revision(conn).await;
            }
        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(collections_groups::table)
                .filter(collections_groups::collections_uuid.eq(collection_uuid))
                .execute(conn)
                .map_res("Error deleting collection group")
-        }}
+        })
+        .await
    }
 }

@@ -494,22 +538,32 @@ impl GroupUser {
        }
    }

-    pub async fn find_by_group(group_uuid: &GroupId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+    pub async fn find_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
+        conn.run(move |conn| {
            groups_users::table
+                .inner_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
+                .inner_join(
+                    users_organizations::table.on(users_organizations::uuid
+                        .eq(groups_users::users_organizations_uuid)
+                        .and(users_organizations::org_uuid.eq(groups::organizations_uuid))),
+                )
                .filter(groups_users::groups_uuid.eq(group_uuid))
+                .filter(groups::organizations_uuid.eq(org_uuid))
+                .select(groups_users::all_columns)
                .load::<Self>(conn)
                .expect("Error loading group users")
-        }}
+        })
+        .await
    }

    pub async fn find_by_member(member_uuid: &MembershipId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups_users::table
                .filter(groups_users::users_organizations_uuid.eq(member_uuid))
                .load::<Self>(conn)
                .expect("Error loading groups for user")
-        }}
+        })
+        .await
    }

    pub async fn has_access_to_collection_by_member(
@@ -517,17 +571,23 @@ impl GroupUser {
        member_uuid: &MembershipId,
        conn: &DbConn,
    ) -> bool {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups_users::table
-                .inner_join(collections_groups::table.on(
-                    collections_groups::groups_uuid.eq(groups_users::groups_uuid)
-                ))
+                .inner_join(collections_groups::table.on(collections_groups::groups_uuid.eq(groups_users::groups_uuid)))
+                .inner_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
+                .inner_join(
+                    collections::table.on(collections::uuid
+                        .eq(collections_groups::collections_uuid)
+                        .and(collections::org_uuid.eq(groups::organizations_uuid))),
+                )
                .filter(collections_groups::collections_uuid.eq(collection_uuid))
                .filter(groups_users::users_organizations_uuid.eq(member_uuid))
                .count()
                .first::<i64>(conn)
-                .unwrap_or(0) != 0
-        }}
+                .unwrap_or(0)
+                != 0
+        })
+        .await
    }

    pub async fn has_full_access_by_member(
@@ -535,18 +595,18 @@ impl GroupUser {
        member_uuid: &MembershipId,
        conn: &DbConn,
    ) -> bool {
-        db_run! { conn: {
+        conn.run(move |conn| {
            groups_users::table
-                .inner_join(groups::table.on(
-                    groups::uuid.eq(groups_users::groups_uuid)
-                ))
+                .inner_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
                .filter(groups::organizations_uuid.eq(org_uuid))
                .filter(groups::access_all.eq(true))
                .filter(groups_users::users_organizations_uuid.eq(member_uuid))
                .count()
                .first::<i64>(conn)
-                .unwrap_or(0) != 0
-        }}
+                .unwrap_or(0)
+                != 0
+        })
+        .await
    }

    pub async fn update_user_revision(&self, conn: &DbConn) {
@@ -564,29 +624,31 @@ impl GroupUser {
        match Membership::find_by_uuid(member_uuid, conn).await {
            Some(member) => User::update_uuid_revision(&member.user_uuid, conn).await,
            None => warn!("Member could not be found!"),
-        };
+        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(groups_users::table)
                .filter(groups_users::groups_uuid.eq(group_uuid))
                .filter(groups_users::users_organizations_uuid.eq(member_uuid))
                .execute(conn)
                .map_res("Error deleting group users")
-        }}
+        })
+        .await
    }

-    pub async fn delete_all_by_group(group_uuid: &GroupId, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(group_uuid, conn).await;
+    pub async fn delete_all_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
+        let group_users = GroupUser::find_by_group(group_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(groups_users::table)
                .filter(groups_users::groups_uuid.eq(group_uuid))
                .execute(conn)
                .map_res("Error deleting group users")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_member(member_uuid: &MembershipId, conn: &DbConn) -> EmptyResult {
@@ -595,12 +657,13 @@ impl GroupUser {
            None => warn!("Member could not be found!"),
        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(groups_users::table)
                .filter(groups_users::users_organizations_uuid.eq(member_uuid))
                .execute(conn)
                .map_res("Error deleting user groups")
-        }}
+        })
+        .await
    }
 }

@@ -1,3 +1,4 @@
+mod archive;
 mod attachment;
 mod auth_request;
 mod cipher;
@@ -17,11 +18,12 @@ mod two_factor_duo_context;
 mod two_factor_incomplete;
 mod user;

+pub use self::archive::Archive;
 pub use self::attachment::{Attachment, AttachmentId};
 pub use self::auth_request::{AuthRequest, AuthRequestId};
 pub use self::cipher::{Cipher, CipherId, RepromptType};
 pub use self::collection::{Collection, CollectionCipher, CollectionId, CollectionUser};
-pub use self::device::{Device, DeviceId, DeviceType, PushId};
+pub use self::device::{Device, DeviceId, DeviceType, DeviceWithAuthRequest, PushId};
 pub use self::emergency_access::{EmergencyAccess, EmergencyAccessId, EmergencyAccessStatus, EmergencyAccessType};
 pub use self::event::{Event, EventType};
 pub use self::favorite::Favorite;
@@ -33,10 +35,10 @@ pub use self::organization::{
    OrganizationId,
 };
 pub use self::send::{
-    id::{SendFileId, SendId},
    Send, SendType,
+    id::{SendFileId, SendId},
 };
-pub use self::sso_auth::{OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth};
+pub use self::sso_auth::{OIDCAuthenticatedUser, OIDCCodeResponseError, SsoAuth};
 pub use self::two_factor::{TwoFactor, TwoFactorType};
 pub use self::two_factor_duo_context::TwoFactorDuoContext;
 pub use self::two_factor_incomplete::TwoFactorIncomplete;
@@ -1,14 +1,17 @@
 use derive_more::{AsRef, From};
+use diesel::prelude::*;
 use serde::Deserialize;
 use serde_json::Value;

-use crate::api::core::two_factor;
-use crate::api::EmptyResult;
-use crate::db::schema::{org_policies, users_organizations};
-use crate::db::DbConn;
-use crate::error::MapResult;
-use crate::CONFIG;
-use diesel::prelude::*;
+use crate::{
+    CONFIG,
+    api::{EmptyResult, core::two_factor},
+    db::{
+        DbConn,
+        schema::{org_policies, users_organizations},
+    },
+    error::MapResult,
+};

 use super::{Membership, MembershipId, MembershipStatus, MembershipType, OrganizationId, TwoFactor, UserId};

@@ -148,37 +151,38 @@ impl OrgPolicy {
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(org_policies::table.filter(org_policies::uuid.eq(self.uuid)))
                .execute(conn)
                .map_res("Error deleting org_policy")
-        }}
+        })
+        .await
    }

    pub async fn find_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            org_policies::table
                .filter(org_policies::org_uuid.eq(org_uuid))
                .load::<Self>(conn)
                .expect("Error loading org_policy")
-        }}
+        })
+        .await
    }

    pub async fn find_confirmed_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            org_policies::table
                .inner_join(
-                    users_organizations::table.on(
-                        users_organizations::org_uuid.eq(org_policies::org_uuid)
-                            .and(users_organizations::user_uuid.eq(user_uuid)))
-                )
-                .filter(
-                    users_organizations::status.eq(MembershipStatus::Confirmed as i32)
+                    users_organizations::table.on(users_organizations::org_uuid
+                        .eq(org_policies::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_uuid))),
                )
+                .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .select(org_policies::all_columns)
                .load::<Self>(conn)
                .expect("Error loading org_policy")
-        }}
+        })
+        .await
    }

    pub async fn find_by_org_and_type(
@@ -186,21 +190,23 @@ impl OrgPolicy {
        policy_type: OrgPolicyType,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            org_policies::table
                .filter(org_policies::org_uuid.eq(org_uuid))
                .filter(org_policies::atype.eq(policy_type as i32))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(org_policies::table.filter(org_policies::org_uuid.eq(org_uuid)))
                .execute(conn)
                .map_res("Error deleting org_policy")
-        }}
+        })
+        .await
    }

    pub async fn find_accepted_and_confirmed_by_user_and_active_policy(
@@ -208,25 +214,22 @@ impl OrgPolicy {
        policy_type: OrgPolicyType,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            org_policies::table
                .inner_join(
-                    users_organizations::table.on(
-                        users_organizations::org_uuid.eq(org_policies::org_uuid)
-                            .and(users_organizations::user_uuid.eq(user_uuid)))
-                )
-                .filter(
-                    users_organizations::status.eq(MembershipStatus::Accepted as i32)
-                )
-                .or_filter(
-                    users_organizations::status.eq(MembershipStatus::Confirmed as i32)
+                    users_organizations::table.on(users_organizations::org_uuid
+                        .eq(org_policies::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_uuid))),
                )
+                .filter(users_organizations::status.eq(MembershipStatus::Accepted as i32))
+                .or_filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .filter(org_policies::atype.eq(policy_type as i32))
                .filter(org_policies::enabled.eq(true))
                .select(org_policies::all_columns)
                .load::<Self>(conn)
                .expect("Error loading org_policy")
-        }}
+        })
+        .await
    }

    pub async fn find_confirmed_by_user_and_active_policy(
@@ -234,22 +237,21 @@ impl OrgPolicy {
        policy_type: OrgPolicyType,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            org_policies::table
                .inner_join(
-                    users_organizations::table.on(
-                        users_organizations::org_uuid.eq(org_policies::org_uuid)
-                            .and(users_organizations::user_uuid.eq(user_uuid)))
-                )
-                .filter(
-                    users_organizations::status.eq(MembershipStatus::Confirmed as i32)
+                    users_organizations::table.on(users_organizations::org_uuid
+                        .eq(org_policies::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_uuid))),
                )
+                .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .filter(org_policies::atype.eq(policy_type as i32))
                .filter(org_policies::enabled.eq(true))
                .select(org_policies::all_columns)
                .load::<Self>(conn)
                .expect("Error loading org_policy")
-        }}
+        })
+        .await
    }

    /// Returns true if the user belongs to an org that has enabled the specified policy type,
@@ -269,10 +271,10 @@ impl OrgPolicy {
                continue;
            }

-            if let Some(user) = Membership::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
-                if user.atype < MembershipType::Admin {
-                    return true;
-                }
+            if let Some(user) = Membership::find_confirmed_by_user_and_org(user_uuid, &policy.org_uuid, conn).await
+                && user.atype < MembershipType::Admin
+            {
+                return true;
            }
        }
        false
@@ -282,13 +284,13 @@ impl OrgPolicy {
        if m.atype < MembershipType::Admin && m.status > (MembershipStatus::Invited as i32) {
            // Enforce TwoFactor/TwoStep login
            if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await
+                && p.enabled
+                && TwoFactor::find_by_user(&m.user_uuid, conn).await.is_empty()
            {
-                if p.enabled && TwoFactor::find_by_user(&m.user_uuid, conn).await.is_empty() {
-                    if CONFIG.email_2fa_auto_fallback() {
-                        two_factor::email::find_and_activate_email_2fa(&m.user_uuid, conn).await?;
-                    } else {
-                        err!(format!("Cannot {} because 2FA is required (membership {})", action, m.uuid));
-                    }
+                if CONFIG.email_2fa_auto_fallback() {
+                    two_factor::email::find_and_activate_email_2fa(&m.user_uuid, conn).await?;
+                } else {
+                    err!(format!("Cannot {} because 2FA is required (membership {})", action, m.uuid));
                }
            }

@@ -300,12 +302,14 @@ impl OrgPolicy {
                ));
            }

-            if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::SingleOrg, conn).await {
-                if p.enabled
-                    && Membership::count_accepted_and_confirmed_by_user(&m.user_uuid, &m.org_uuid, conn).await > 0
-                {
-                    err!(format!("Cannot {} because the organization policy forbids being part of other organization (membership {})", action, m.uuid));
-                }
+            if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::SingleOrg, conn).await
+                && p.enabled
+                && Membership::count_accepted_and_confirmed_by_user(&m.user_uuid, &m.org_uuid, conn).await > 0
+            {
+                err!(format!(
+                    "Cannot {} because the organization policy forbids being part of other organization (membership {})",
+                    action, m.uuid
+                ));
            }
        }

@@ -332,16 +336,16 @@ impl OrgPolicy {
        for policy in
            OrgPolicy::find_confirmed_by_user_and_active_policy(user_uuid, OrgPolicyType::SendOptions, conn).await
        {
-            if let Some(user) = Membership::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
-                if user.atype < MembershipType::Admin {
-                    match serde_json::from_str::<SendOptionsPolicyData>(&policy.data) {
-                        Ok(opts) => {
-                            if opts.disable_hide_email {
-                                return true;
-                            }
+            if let Some(user) = Membership::find_confirmed_by_user_and_org(user_uuid, &policy.org_uuid, conn).await
+                && user.atype < MembershipType::Admin
+            {
+                match serde_json::from_str::<SendOptionsPolicyData>(&policy.data) {
+                    Ok(opts) => {
+                        if opts.disable_hide_email {
+                            return true;
                        }
-                        _ => error!("Failed to deserialize SendOptionsPolicyData: {}", policy.data),
                    }
+                    _ => error!("Failed to deserialize SendOptionsPolicyData: {}", policy.data),
                }
            }
        }
@@ -349,10 +353,10 @@ impl OrgPolicy {
    }

    pub async fn is_enabled_for_member(member_uuid: &MembershipId, policy_type: OrgPolicyType, conn: &DbConn) -> bool {
-        if let Some(member) = Membership::find_by_uuid(member_uuid, conn).await {
-            if let Some(policy) = OrgPolicy::find_by_org_and_type(&member.org_uuid, policy_type, conn).await {
-                return policy.enabled;
-            }
+        if let Some(member) = Membership::find_by_uuid(member_uuid, conn).await
+            && let Some(policy) = OrgPolicy::find_by_org_and_type(&member.org_uuid, policy_type, conn).await
+        {
+            return policy.enabled;
        }
        false
    }
@@ -1,23 +1,32 @@
-use chrono::{NaiveDateTime, Utc};
-use derive_more::{AsRef, Deref, Display, From};
-use diesel::prelude::*;
-use num_traits::FromPrimitive;
-use serde_json::Value;
 use std::{
    cmp::Ordering,
    collections::{HashMap, HashSet},
 };

+use chrono::{NaiveDateTime, Utc};
+use derive_more::{AsRef, Deref, Display, From};
+use diesel::prelude::*;
+use num_traits::FromPrimitive;
+use serde_json::Value;
+
+use crate::{
+    CONFIG,
+    api::EmptyResult,
+    db::{
+        DbConn,
+        schema::{
+            ciphers, ciphers_collections, collections_groups, groups, groups_users, org_policies, organization_api_key,
+            organizations, users, users_collections, users_organizations,
+        },
+    },
+    error::MapResult,
+};
+use macros::UuidFromParam;
+
 use super::{
-    CipherId, Collection, CollectionGroup, CollectionId, CollectionUser, Group, GroupId, GroupUser, OrgPolicy,
+    Cipher, CipherId, Collection, CollectionGroup, CollectionId, CollectionUser, Group, GroupId, GroupUser, OrgPolicy,
    OrgPolicyType, TwoFactor, User, UserId,
 };
-use crate::db::schema::{
-    ciphers, ciphers_collections, collections_groups, groups, groups_users, org_policies, organization_api_key,
-    organizations, users, users_collections, users_organizations,
-};
-use crate::CONFIG;
-use macros::UuidFromParam;

 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = organizations)]
@@ -93,6 +102,10 @@ pub enum MembershipType {

 impl MembershipType {
    pub fn from_str(s: &str) -> Option<Self> {
+        #[expect(
+            clippy::match_same_arms,
+            reason = "Specifically define `4|Custom` since this is a hack, not a default"
+        )]
        match s {
            "0" | "Owner" => Some(MembershipType::Owner),
            "1" | "Admin" => Some(MembershipType::Admin),
@@ -321,11 +334,6 @@ impl OrganizationApiKey {
    }
 }

-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-
 /// Database methods
 impl Organization {
    pub async fn save(&self, conn: &DbConn) -> EmptyResult {
@@ -333,7 +341,7 @@ impl Organization {
            err!(format!("BillingEmail {} is not a valid email address", self.billing_email))
        }

-        for member in Membership::find_by_org(&self.uuid, conn).await.iter() {
+        for member in &Membership::find_by_org(&self.uuid, conn).await {
            User::update_uuid_revision(&member.user_uuid, conn).await;
        }

@@ -369,8 +377,6 @@ impl Organization {
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
-        use super::{Cipher, Collection};
-
        Cipher::delete_all_by_organization(&self.uuid, conn).await?;
        Collection::delete_all_by_organization(&self.uuid, conn).await?;
        Membership::delete_all_by_organization(&self.uuid, conn).await?;
@@ -378,43 +384,30 @@ impl Organization {
        Group::delete_all_by_organization(&self.uuid, conn).await?;
        OrganizationApiKey::delete_all_by_organization(&self.uuid, conn).await?;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(organizations::table.filter(organizations::uuid.eq(self.uuid)))
                .execute(conn)
                .map_res("Error saving organization")
-        }}
+        })
+        .await
    }

    pub async fn find_by_uuid(uuid: &OrganizationId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            organizations::table
-                .filter(organizations::uuid.eq(uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| organizations::table.filter(organizations::uuid.eq(uuid)).first::<Self>(conn).ok()).await
    }

    pub async fn find_by_name(name: &str, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            organizations::table
-                .filter(organizations::name.eq(name))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| organizations::table.filter(organizations::name.eq(name)).first::<Self>(conn).ok()).await
    }

    pub async fn get_all(conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
-            organizations::table
-                .load::<Self>(conn)
-                .expect("Error loading organizations")
-        }}
+        conn.run(move |conn| organizations::table.load::<Self>(conn).expect("Error loading organizations")).await
    }

    pub async fn find_main_org_user_email(user_email: &str, conn: &DbConn) -> Option<Self> {
        let lower_mail = user_email.to_lowercase();

-        db_run! { conn: {
+        conn.run(move |conn| {
            organizations::table
                .inner_join(users_organizations::table.on(users_organizations::org_uuid.eq(organizations::uuid)))
                .inner_join(users::table.on(users::uuid.eq(users_organizations::user_uuid)))
@@ -424,13 +417,14 @@ impl Organization {
                .select(organizations::all_columns)
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_org_user_email(user_email: &str, conn: &DbConn) -> Vec<Self> {
        let lower_mail = user_email.to_lowercase();

-        db_run! { conn: {
+        conn.run(move |conn| {
            organizations::table
                .inner_join(users_organizations::table.on(users_organizations::org_uuid.eq(organizations::uuid)))
                .inner_join(users::table.on(users::uuid.eq(users_organizations::user_uuid)))
@@ -440,7 +434,8 @@ impl Organization {
                .select(organizations::all_columns)
                .load::<Self>(conn)
                .expect("Error loading user orgs")
-        }}
+        })
+        .await
    }
 }

@@ -514,7 +509,8 @@ impl Membership {
            "familySponsorshipValidUntil": null,
            "familySponsorshipToDelete": null,
            "accessSecretsManager": false,
-            "limitCollectionCreation": self.atype < MembershipType::Manager, // If less then a manager return true, to limit collection creations
+            // limit collection creation to managers with access_all permission to prevent issues
+            "limitCollectionCreation": self.atype < MembershipType::Manager || !self.access_all,
            "limitCollectionDeletion": true,
            "limitItemDeletion": false,
            "allowAdminAccessToAllCollectionItems": true,
@@ -779,11 +775,12 @@ impl Membership {
        CollectionUser::delete_all_by_user_and_org(&self.user_uuid, &self.org_uuid, conn).await?;
        GroupUser::delete_all_by_member(&self.uuid, conn).await?;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(users_organizations::table.filter(users_organizations::uuid.eq(self.uuid)))
                .execute(conn)
                .map_res("Error removing user from organization")
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
@@ -801,10 +798,10 @@ impl Membership {
    }

    pub async fn find_by_email_and_org(email: &str, org_uuid: &OrganizationId, conn: &DbConn) -> Option<Membership> {
-        if let Some(user) = User::find_by_mail(email, conn).await {
-            if let Some(member) = Membership::find_by_user_and_org(&user.uuid, org_uuid, conn).await {
-                return Some(member);
-            }
+        if let Some(user) = User::find_by_mail(email, conn).await
+            && let Some(member) = Membership::find_by_user_and_org(&user.uuid, org_uuid, conn).await
+        {
+            return Some(member);
        }

        None
@@ -823,64 +820,67 @@ impl Membership {
    }

    pub async fn find_by_uuid(uuid: &MembershipId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            users_organizations::table
-                .filter(users_organizations::uuid.eq(uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| {
+            users_organizations::table.filter(users_organizations::uuid.eq(uuid)).first::<Self>(conn).ok()
+        })
+        .await
    }

    pub async fn find_by_uuid_and_org(uuid: &MembershipId, org_uuid: &OrganizationId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::uuid.eq(uuid))
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_confirmed_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .load::<Self>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

    pub async fn find_invited_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::status.eq(MembershipStatus::Invited as i32))
                .load::<Self>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

    // Should be used only when email are disabled.
    // In Organizations::send_invite status is set to Accepted only if the user has a password.
    pub async fn accept_user_invitations(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::update(users_organizations::table)
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::status.eq(MembershipStatus::Invited as i32))
                .set(users_organizations::status.eq(MembershipStatus::Accepted as i32))
                .execute(conn)
                .map_res("Error confirming invitations")
-        }}
+        })
+        .await
    }

    pub async fn find_any_state_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .load::<Self>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

    pub async fn count_accepted_and_confirmed_by_user(
@@ -888,70 +888,83 @@ impl Membership {
        excluded_org: &OrganizationId,
        conn: &DbConn,
    ) -> i64 {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::org_uuid.ne(excluded_org))
-                .filter(users_organizations::status.eq(MembershipStatus::Accepted as i32).or(users_organizations::status.eq(MembershipStatus::Confirmed as i32)))
+                .filter(
+                    users_organizations::status
+                        .eq(MembershipStatus::Accepted as i32)
+                        .or(users_organizations::status.eq(MembershipStatus::Confirmed as i32)),
+                )
                .count()
                .first::<i64>(conn)
                .unwrap_or(0)
-        }}
+        })
+        .await
    }

    pub async fn find_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .load::<Self>(conn)
                .expect("Error loading user organizations")
-        }}
+        })
+        .await
    }

    pub async fn find_confirmed_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .load::<Self>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

    // Get all users which are either owner or admin, or a manager which can manage/access all
    pub async fn find_confirmed_and_manage_all_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .filter(
-                    users_organizations::atype.eq_any(vec![MembershipType::Owner as i32, MembershipType::Admin as i32])
-                    .or(users_organizations::atype.eq(MembershipType::Manager as i32).and(users_organizations::access_all.eq(true)))
+                    users_organizations::atype
+                        .eq_any(vec![MembershipType::Owner as i32, MembershipType::Admin as i32])
+                        .or(users_organizations::atype
+                            .eq(MembershipType::Manager as i32)
+                            .and(users_organizations::access_all.eq(true))),
                )
                .load::<Self>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

    pub async fn count_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> i64 {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .count()
                .first::<i64>(conn)
                .ok()
                .unwrap_or(0)
-        }}
+        })
+        .await
    }

    pub async fn find_by_org_and_type(org_uuid: &OrganizationId, atype: MembershipType, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .filter(users_organizations::atype.eq(atype as i32))
                .load::<Self>(conn)
                .expect("Error loading user organizations")
-        }}
+        })
+        .await
    }

    pub async fn count_confirmed_by_org_and_type(
@@ -959,7 +972,7 @@ impl Membership {
        atype: MembershipType,
        conn: &DbConn,
    ) -> i64 {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .filter(users_organizations::atype.eq(atype as i32))
@@ -967,17 +980,19 @@ impl Membership {
                .count()
                .first::<i64>(conn)
                .unwrap_or(0)
-        }}
+        })
+        .await
    }

    pub async fn find_by_user_and_org(user_uuid: &UserId, org_uuid: &OrganizationId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::org_uuid.eq(org_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_confirmed_by_user_and_org(
@@ -985,78 +1000,76 @@ impl Membership {
        org_uuid: &OrganizationId,
        conn: &DbConn,
    ) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::org_uuid.eq(org_uuid))
-                .filter(
-                    users_organizations::status.eq(MembershipStatus::Confirmed as i32)
-                )
+                .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .load::<Self>(conn)
                .expect("Error loading user organizations")
-        }}
+        })
+        .await
    }

    pub async fn get_orgs_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<OrganizationId> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .select(users_organizations::org_uuid)
                .load::<OrganizationId>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

    pub async fn find_by_user_and_policy(user_uuid: &UserId, policy_type: OrgPolicyType, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .inner_join(
-                    org_policies::table.on(
-                        org_policies::org_uuid.eq(users_organizations::org_uuid)
-                            .and(users_organizations::user_uuid.eq(user_uuid))
-                            .and(org_policies::atype.eq(policy_type as i32))
-                            .and(org_policies::enabled.eq(true)))
-                )
-                .filter(
-                    users_organizations::status.eq(MembershipStatus::Confirmed as i32)
+                    org_policies::table.on(org_policies::org_uuid
+                        .eq(users_organizations::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_uuid))
+                        .and(org_policies::atype.eq(policy_type as i32))
+                        .and(org_policies::enabled.eq(true))),
                )
+                .filter(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
                .select(users_organizations::all_columns)
                .load::<Self>(conn)
                .unwrap_or_default()
-        }}
+        })
+        .await
    }

    pub async fn find_by_cipher_and_org(cipher_uuid: &CipherId, org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
-            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .left_join(users_collections::table.on(
-                users_collections::user_uuid.eq(users_organizations::user_uuid)
-            ))
-            .left_join(ciphers_collections::table.on(
-                ciphers_collections::collection_uuid.eq(users_collections::collection_uuid).and(
-                    ciphers_collections::cipher_uuid.eq(&cipher_uuid)
+                .filter(users_organizations::org_uuid.eq(org_uuid))
+                .left_join(users_collections::table.on(users_collections::user_uuid.eq(users_organizations::user_uuid)))
+                .left_join(
+                    ciphers_collections::table.on(ciphers_collections::collection_uuid
+                        .eq(users_collections::collection_uuid)
+                        .and(ciphers_collections::cipher_uuid.eq(&cipher_uuid))),
                )
-            ))
-            .filter(
-                users_organizations::access_all.eq(true).or( // AccessAll..
-                    ciphers_collections::cipher_uuid.eq(&cipher_uuid) // ..or access to collection with cipher
-                )
-            )
-            .select(users_organizations::all_columns)
-            .distinct()
-            .load::<Self>(conn)
-            .expect("Error loading user organizations")
-        }}
+                .filter(users_organizations::access_all.eq(true).or(
+                    // AccessAll..
+                    ciphers_collections::cipher_uuid.eq(&cipher_uuid), // ..or access to collection with cipher
+                ))
+                .select(users_organizations::all_columns)
+                .distinct()
+                .load::<Self>(conn)
+                .expect("Error loading user organizations")
+        })
+        .await
    }

    pub async fn find_by_cipher_and_org_with_group(
@@ -1064,43 +1077,54 @@ impl Membership {
        org_uuid: &OrganizationId,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
-            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .inner_join(groups_users::table.on(
-                groups_users::users_organizations_uuid.eq(users_organizations::uuid)
-            ))
-            .left_join(collections_groups::table.on(
-                collections_groups::groups_uuid.eq(groups_users::groups_uuid)
-            ))
-            .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
-            .left_join(ciphers_collections::table.on(
-                    ciphers_collections::collection_uuid.eq(collections_groups::collections_uuid).and(ciphers_collections::cipher_uuid.eq(&cipher_uuid))
-
-                ))
-            .filter(
-                    groups::access_all.eq(true).or( // AccessAll via groups
-                        ciphers_collections::cipher_uuid.eq(&cipher_uuid) // ..or access to collection via group
-                    )
+                .filter(users_organizations::org_uuid.eq(org_uuid))
+                .inner_join(
+                    groups_users::table.on(groups_users::users_organizations_uuid.eq(users_organizations::uuid)),
                )
+                .left_join(collections_groups::table.on(collections_groups::groups_uuid.eq(groups_users::groups_uuid)))
+                .left_join(
+                    groups::table.on(groups::uuid
+                        .eq(groups_users::groups_uuid)
+                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))),
+                )
+                .left_join(
+                    ciphers_collections::table.on(ciphers_collections::collection_uuid
+                        .eq(collections_groups::collections_uuid)
+                        .and(ciphers_collections::cipher_uuid.eq(&cipher_uuid))),
+                )
+                .filter(groups::access_all.eq(true).or(
+                    // AccessAll via groups
+                    ciphers_collections::cipher_uuid.eq(&cipher_uuid), // ..or access to collection via group
+                ))
                .select(users_organizations::all_columns)
                .distinct()
-            .load::<Self>(conn)
-            .expect("Error loading user organizations with groups")
-        }}
+                .load::<Self>(conn)
+                .expect("Error loading user organizations with groups")
+        })
+        .await
    }

    pub async fn user_has_ge_admin_access_to_cipher(user_uuid: &UserId, cipher_uuid: &CipherId, conn: &DbConn) -> bool {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
-            .inner_join(ciphers::table.on(ciphers::uuid.eq(cipher_uuid).and(ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()))))
-            .filter(users_organizations::user_uuid.eq(user_uuid))
-            .filter(users_organizations::atype.eq_any(vec![MembershipType::Owner as i32, MembershipType::Admin as i32]))
-            .count()
-            .first::<i64>(conn)
-            .ok()
-            .unwrap_or(0) != 0
-        }}
+                .inner_join(
+                    ciphers::table.on(ciphers::uuid
+                        .eq(cipher_uuid)
+                        .and(ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()))),
+                )
+                .filter(users_organizations::user_uuid.eq(user_uuid))
+                .filter(
+                    users_organizations::atype.eq_any(vec![MembershipType::Owner as i32, MembershipType::Admin as i32]),
+                )
+                .count()
+                .first::<i64>(conn)
+                .ok()
+                .unwrap_or(0)
+                != 0
+        })
+        .await
    }

    pub async fn find_by_collection_and_org(
@@ -1108,44 +1132,41 @@ impl Membership {
        org_uuid: &OrganizationId,
        conn: &DbConn,
    ) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
-            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .left_join(users_collections::table.on(
-                users_collections::user_uuid.eq(users_organizations::user_uuid)
-            ))
-            .filter(
-                users_organizations::access_all.eq(true).or( // AccessAll..
-                    users_collections::collection_uuid.eq(&collection_uuid) // ..or access to collection with cipher
-                )
-            )
-            .select(users_organizations::all_columns)
-            .load::<Self>(conn)
-            .expect("Error loading user organizations")
-        }}
+                .filter(users_organizations::org_uuid.eq(org_uuid))
+                .left_join(users_collections::table.on(users_collections::user_uuid.eq(users_organizations::user_uuid)))
+                .filter(users_organizations::access_all.eq(true).or(
+                    // AccessAll..
+                    users_collections::collection_uuid.eq(&collection_uuid), // ..or access to collection with cipher
+                ))
+                .select(users_organizations::all_columns)
+                .load::<Self>(conn)
+                .expect("Error loading user organizations")
+        })
+        .await
    }

    pub async fn find_by_external_id_and_org(ext_id: &str, org_uuid: &OrganizationId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
-            .filter(
-                users_organizations::external_id.eq(ext_id)
-                .and(users_organizations::org_uuid.eq(org_uuid))
-            )
-            .first::<Self>(conn)
-            .ok()
-        }}
+                .filter(users_organizations::external_id.eq(ext_id).and(users_organizations::org_uuid.eq(org_uuid)))
+                .first::<Self>(conn)
+                .ok()
+        })
+        .await
    }

    pub async fn find_main_user_org(user_uuid: &str, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::status.ne(MembershipStatus::Revoked as i32))
                .order(users_organizations::atype.asc())
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }
 }

@@ -1183,20 +1204,19 @@ impl OrganizationApiKey {
    }

    pub async fn find_by_org_uuid(org_uuid: &OrganizationId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            organization_api_key::table
-                .filter(organization_api_key::org_uuid.eq(org_uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| {
+            organization_api_key::table.filter(organization_api_key::org_uuid.eq(org_uuid)).first::<Self>(conn).ok()
+        })
+        .await
    }

    pub async fn delete_all_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(organization_api_key::table.filter(organization_api_key::org_uuid.eq(org_uuid)))
                .execute(conn)
                .map_res("Error removing organization api key from organization")
-        }}
+        })
+        .await
    }
 }

@@ -1,11 +1,19 @@
 use chrono::{NaiveDateTime, Utc};
+use data_encoding::BASE64URL_NOPAD;
+use diesel::prelude::*;
 use serde_json::Value;
+use uuid::Uuid;

-use crate::{config::PathType, util::LowerCase, CONFIG};
+use crate::{
+    CONFIG,
+    api::EmptyResult,
+    config::PathType,
+    db::{DbConn, schema::sends},
+    error::MapResult,
+    util::{LowerCase, NumberOrString, format_date},
+};

 use super::{OrganizationId, User, UserId};
-use crate::db::schema::sends;
-use diesel::prelude::*;
 use id::SendId;

 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
@@ -46,6 +54,16 @@ pub enum SendType {
    File = 1,
 }

+enum SendAuthType {
+    #[allow(dead_code)]
+    // Send requires email OTP verification
+    Email = 0, // Not yet supported by Vaultwarden
+    // Send requires a password
+    Password = 1,
+    // Send requires no auth
+    None = 2,
+}
+
 impl Send {
    pub fn new(atype: i32, name: String, data: String, akey: String, deletion_date: NaiveDateTime) -> Self {
        let now = Utc::now().naive_utc();
@@ -97,37 +115,33 @@ impl Send {
    pub fn check_password(&self, password: &str) -> bool {
        match (&self.password_hash, &self.password_salt, self.password_iter) {
            (Some(hash), Some(salt), Some(iter)) => {
-                crate::crypto::verify_password_hash(password.as_bytes(), salt, hash, iter as u32)
+                crate::crypto::verify_password_hash(password.as_bytes(), salt, hash, iter.cast_unsigned())
            }
            _ => false,
        }
    }

    pub async fn creator_identifier(&self, conn: &DbConn) -> Option<String> {
-        if let Some(hide_email) = self.hide_email {
-            if hide_email {
-                return None;
-            }
+        if let Some(hide_email) = self.hide_email
+            && hide_email
+        {
+            return None;
        }

-        if let Some(user_uuid) = &self.user_uuid {
-            if let Some(user) = User::find_by_uuid(user_uuid, conn).await {
-                return Some(user.email);
-            }
+        if let Some(user_uuid) = &self.user_uuid
+            && let Some(user) = User::find_by_uuid(user_uuid, conn).await
+        {
+            return Some(user.email);
        }

        None
    }

    pub fn to_json(&self) -> Value {
-        use crate::util::format_date;
-        use data_encoding::BASE64URL_NOPAD;
-        use uuid::Uuid;
-
        let mut data = serde_json::from_str::<LowerCase<Value>>(&self.data).map(|d| d.data).unwrap_or_default();

        // Mobile clients expect size to be a string instead of a number
-        if let Some(size) = data.get("size").and_then(|v| v.as_i64()) {
+        if let Some(size) = data.get("size").and_then(Value::as_i64) {
            data["size"] = Value::String(size.to_string());
        }

@@ -145,6 +159,7 @@ impl Send {
            "maxAccessCount": self.max_access_count,
            "accessCount": self.access_count,
            "password": self.password_hash.as_deref().map(|h| BASE64URL_NOPAD.encode(h)),
+            "authType": if self.password_hash.is_some() { SendAuthType::Password as i32 } else { SendAuthType::None as i32 },
            "disabled": self.disabled,
            "hideEmail": self.hide_email,

@@ -156,12 +171,10 @@ impl Send {
    }

    pub async fn to_json_access(&self, conn: &DbConn) -> Value {
-        use crate::util::format_date;
-
        let mut data = serde_json::from_str::<LowerCase<Value>>(&self.data).map(|d| d.data).unwrap_or_default();

        // Mobile clients expect size to be a string instead of a number
-        if let Some(size) = data.get("size").and_then(|v| v.as_i64()) {
+        if let Some(size) = data.get("size").and_then(Value::as_i64) {
            data["size"] = Value::String(size.to_string());
        }

@@ -180,12 +193,6 @@ impl Send {
    }
 }

-use crate::db::DbConn;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-use crate::util::NumberOrString;
-
 impl Send {
    pub async fn save(&mut self, conn: &DbConn) -> EmptyResult {
        self.update_users_revision(conn).await;
@@ -226,14 +233,13 @@ impl Send {

        if self.atype == SendType::File as i32 {
            let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;
-            operator.remove_all(&self.uuid).await.ok();
+            operator.delete_with(&self.uuid).recursive(true).await.ok();
        }

-        db_run! { conn: {
-            diesel::delete(sends::table.filter(sends::uuid.eq(&self.uuid)))
-                .execute(conn)
-                .map_res("Error deleting send")
-        }}
+        conn.run(move |conn| {
+            diesel::delete(sends::table.filter(sends::uuid.eq(&self.uuid))).execute(conn).map_res("Error deleting send")
+        })
+        .await
    }

    /// Purge all sends that are past their deletion date.
@@ -245,15 +251,12 @@ impl Send {

    pub async fn update_users_revision(&self, conn: &DbConn) -> Vec<UserId> {
        let mut user_uuids = Vec::new();
-        match &self.user_uuid {
-            Some(user_uuid) => {
-                User::update_uuid_revision(user_uuid, conn).await;
-                user_uuids.push(user_uuid.clone())
-            }
-            None => {
-                // Belongs to Organization, not implemented
-            }
-        };
+        if let Some(user_uuid) = &self.user_uuid {
+            User::update_uuid_revision(user_uuid, conn).await;
+            user_uuids.push(user_uuid.clone());
+        } else {
+            // Belongs to Organization, not implemented
+        }
        user_uuids
    }

@@ -265,9 +268,6 @@ impl Send {
    }

    pub async fn find_by_access_id(access_id: &str, conn: &DbConn) -> Option<Self> {
-        use data_encoding::BASE64URL_NOPAD;
-        use uuid::Uuid;
-
        let Ok(uuid_vec) = BASE64URL_NOPAD.decode(access_id.as_bytes()) else {
            return None;
        };
@@ -281,50 +281,38 @@ impl Send {
    }

    pub async fn find_by_uuid(uuid: &SendId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            sends::table
-                .filter(sends::uuid.eq(uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| sends::table.filter(sends::uuid.eq(uuid)).first::<Self>(conn).ok()).await
    }

    pub async fn find_by_uuid_and_user(uuid: &SendId, user_uuid: &UserId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            sends::table
-                .filter(sends::uuid.eq(uuid))
-                .filter(sends::user_uuid.eq(user_uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| {
+            sends::table.filter(sends::uuid.eq(uuid)).filter(sends::user_uuid.eq(user_uuid)).first::<Self>(conn).ok()
+        })
+        .await
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
-            sends::table
-                .filter(sends::user_uuid.eq(user_uuid))
-                .load::<Self>(conn)
-                .expect("Error loading sends")
-        }}
+        conn.run(move |conn| {
+            sends::table.filter(sends::user_uuid.eq(user_uuid)).load::<Self>(conn).expect("Error loading sends")
+        })
+        .await
    }

    pub async fn size_by_user(user_uuid: &UserId, conn: &DbConn) -> Option<i64> {
-        let sends = Self::find_by_user(user_uuid, conn).await;
-
        #[derive(serde::Deserialize)]
        struct FileData {
            #[serde(rename = "size", alias = "Size")]
            size: NumberOrString,
        }

+        let sends = Self::find_by_user(user_uuid, conn).await;
        let mut total: i64 = 0;
        for send in sends {
-            if send.atype == SendType::File as i32 {
-                if let Ok(size) =
+            if send.atype == SendType::File as i32
+                && let Ok(size) =
                    serde_json::from_str::<FileData>(&send.data).map_err(Into::into).and_then(|d| d.size.into_i64())
-                {
-                    total = total.checked_add(size)?;
-                };
+            {
+                total = total.checked_add(size)?;
            }
        }

@@ -332,22 +320,18 @@ impl Send {
    }

    pub async fn find_by_org(org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
-            sends::table
-                .filter(sends::organization_uuid.eq(org_uuid))
-                .load::<Self>(conn)
-                .expect("Error loading sends")
-        }}
+        conn.run(move |conn| {
+            sends::table.filter(sends::organization_uuid.eq(org_uuid)).load::<Self>(conn).expect("Error loading sends")
+        })
+        .await
    }

    pub async fn find_by_past_deletion_date(conn: &DbConn) -> Vec<Self> {
        let now = Utc::now().naive_utc();
-        db_run! { conn: {
-            sends::table
-                .filter(sends::deletion_date.lt(now))
-                .load::<Self>(conn)
-                .expect("Error loading sends")
-        }}
+        conn.run(move |conn| {
+            sends::table.filter(sends::deletion_date.lt(now)).load::<Self>(conn).expect("Error loading sends")
+        })
+        .await
    }
 }

@@ -1,31 +1,29 @@
-use chrono::{NaiveDateTime, Utc};
 use std::time::Duration;

-use crate::api::EmptyResult;
-use crate::db::schema::sso_auth;
-use crate::db::{DbConn, DbPool};
-use crate::error::MapResult;
-use crate::sso::{OIDCCode, OIDCCodeChallenge, OIDCIdentifier, OIDCState, SSO_AUTH_EXPIRATION};
+use chrono::{NaiveDateTime, Utc};
+use diesel::{
+    deserialize::FromSql,
+    expression::AsExpression,
+    prelude::*,
+    serialize::{Output, ToSql},
+    sql_types::Text,
+};

-use diesel::deserialize::FromSql;
-use diesel::expression::AsExpression;
-use diesel::prelude::*;
-use diesel::serialize::{Output, ToSql};
-use diesel::sql_types::Text;
+use crate::{
+    api::EmptyResult,
+    db::{DbConn, DbPool, schema::sso_auth},
+    error::MapResult,
+    sso::{OIDCCode, OIDCCodeChallenge, OIDCIdentifier, OIDCState, SSO_AUTH_EXPIRATION},
+};

 #[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
 #[diesel(sql_type = Text)]
-pub enum OIDCCodeWrapper {
-    Ok {
-        code: OIDCCode,
-    },
-    Error {
-        error: String,
-        error_description: Option<String>,
-    },
+pub struct OIDCCodeResponseError {
+    pub error: String,
+    pub error_description: Option<String>,
 }

-impl_FromToSqlText!(OIDCCodeWrapper);
+impl_FromToSqlText!(OIDCCodeResponseError);

 #[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
 #[diesel(sql_type = Text)]
@@ -50,15 +48,23 @@ pub struct SsoAuth {
    pub client_challenge: OIDCCodeChallenge,
    pub nonce: String,
    pub redirect_uri: String,
-    pub code_response: Option<OIDCCodeWrapper>,
+    pub code_response: Option<OIDCCode>,
+    pub code_response_error: Option<OIDCCodeResponseError>,
    pub auth_response: Option<OIDCAuthenticatedUser>,
    pub created_at: NaiveDateTime,
    pub updated_at: NaiveDateTime,
+    pub binding_hash: Option<String>,
 }

 /// Local methods
 impl SsoAuth {
-    pub fn new(state: OIDCState, client_challenge: OIDCCodeChallenge, nonce: String, redirect_uri: String) -> Self {
+    pub fn new(
+        state: OIDCState,
+        client_challenge: OIDCCodeChallenge,
+        nonce: String,
+        redirect_uri: String,
+        binding_hash: Option<String>,
+    ) -> Self {
        let now = Utc::now().naive_utc();

        SsoAuth {
@@ -69,7 +75,9 @@ impl SsoAuth {
            created_at: now,
            updated_at: now,
            code_response: None,
+            code_response_error: None,
            auth_response: None,
+            binding_hash,
        }
    }
 }
@@ -101,32 +109,46 @@ impl SsoAuth {

    pub async fn find(state: &OIDCState, conn: &DbConn) -> Option<Self> {
        let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
-        db_run! { conn: {
+        conn.run(move |conn| {
            sso_auth::table
                .filter(sso_auth::state.eq(state))
                .filter(sso_auth::created_at.ge(oldest))
                .first::<Self>(conn)
                .ok()
+        })
+        .await
+    }
+
+    pub async fn find_by_code(code: &OIDCCode, conn: &DbConn) -> Option<Self> {
+        let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
+        db_run! { conn: {
+            sso_auth::table
+                .filter(sso_auth::code_response.eq(code))
+                .filter(sso_auth::created_at.ge(oldest))
+                .first::<Self>(conn)
+                .ok()
        }}
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
-        db_run! {conn: {
+        conn.run(move |conn| {
            diesel::delete(sso_auth::table.filter(sso_auth::state.eq(self.state)))
                .execute(conn)
                .map_res("Error deleting sso_auth")
-        }}
+        })
+        .await
    }

    pub async fn delete_expired(pool: DbPool) -> EmptyResult {
        debug!("Purging expired sso_auth");
        if let Ok(conn) = pool.get().await {
            let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
-            db_run! { conn: {
+            conn.run(move |conn| {
                diesel::delete(sso_auth::table.filter(sso_auth::created_at.lt(oldest)))
                    .execute(conn)
                    .map_res("Error deleting expired SSO nonce")
-            }}
+            })
+            .await
        } else {
            err!("Failed to get DB connection while purging expired sso_auth")
        }
@@ -1,13 +1,17 @@
-use super::UserId;
-use crate::api::core::two_factor::webauthn::WebauthnRegistration;
-use crate::db::schema::twofactor;
-use crate::{api::EmptyResult, db::DbConn, error::MapResult};
 use diesel::prelude::*;
 use serde_json::Value;
 use webauthn_rs::prelude::{Credential, ParsedAttestation};
 use webauthn_rs_core::proto::CredentialV3;
 use webauthn_rs_proto::{AttestationFormat, RegisteredExtensions};

+use crate::{
+    api::{EmptyResult, core::two_factor::webauthn::WebauthnRegistration},
+    db::{DbConn, schema::twofactor},
+    error::MapResult,
+};
+
+use super::UserId;
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = twofactor)]
 #[diesel(primary_key(uuid))]
@@ -20,7 +24,6 @@ pub struct TwoFactor {
    pub last_used: i64,
 }

-#[allow(dead_code)]
 #[derive(num_derive::FromPrimitive)]
 pub enum TwoFactorType {
    Authenticator = 0,
@@ -115,54 +118,59 @@ impl TwoFactor {
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(twofactor::table.filter(twofactor::uuid.eq(self.uuid)))
                .execute(conn)
                .map_res("Error deleting twofactor")
-        }}
+        })
+        .await
    }

    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            twofactor::table
                .filter(twofactor::user_uuid.eq(user_uuid))
                .filter(twofactor::atype.lt(1000)) // Filter implementation types
                .load::<Self>(conn)
                .expect("Error loading twofactor")
-        }}
+        })
+        .await
    }

    pub async fn find_by_user_and_type(user_uuid: &UserId, atype: i32, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            twofactor::table
                .filter(twofactor::user_uuid.eq(user_uuid))
                .filter(twofactor::atype.eq(atype))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(user_uuid)))
                .execute(conn)
                .map_res("Error deleting twofactors")
-        }}
+        })
+        .await
    }

    pub async fn migrate_u2f_to_webauthn(conn: &DbConn) -> EmptyResult {
-        let u2f_factors = db_run! { conn: {
-            twofactor::table
-                .filter(twofactor::atype.eq(TwoFactorType::U2f as i32))
-                .load::<Self>(conn)
-                .expect("Error loading twofactor")
-        }};
-
-        use crate::api::core::two_factor::webauthn::U2FRegistration;
-        use crate::api::core::two_factor::webauthn::{get_webauthn_registrations, WebauthnRegistration};
+        use crate::api::core::two_factor::webauthn::{U2FRegistration, get_webauthn_registrations};
        use webauthn_rs::prelude::{COSEEC2Key, COSEKey, COSEKeyType, ECDSACurve};
        use webauthn_rs_proto::{COSEAlgorithm, UserVerificationPolicy};

+        let u2f_factors = conn
+            .run(move |conn| {
+                twofactor::table
+                    .filter(twofactor::atype.eq(TwoFactorType::U2f as i32))
+                    .load::<Self>(conn)
+                    .expect("Error loading twofactor")
+            })
+            .await;
+
        for mut u2f in u2f_factors {
            let mut regs: Vec<U2FRegistration> = serde_json::from_str(&u2f.data)?;
            // If there are no registrations or they are migrated (we do the migration in batch so we can consider them all migrated when the first one is)
@@ -228,12 +236,14 @@ impl TwoFactor {
    }

    pub async fn migrate_credential_to_passkey(conn: &DbConn) -> EmptyResult {
-        let webauthn_factors = db_run! { conn: {
-            twofactor::table
-                .filter(twofactor::atype.eq(TwoFactorType::Webauthn as i32))
-                .load::<Self>(conn)
-                .expect("Error loading twofactor")
-        }};
+        let webauthn_factors = conn
+            .run(move |conn| {
+                twofactor::table
+                    .filter(twofactor::atype.eq(TwoFactorType::Webauthn as i32))
+                    .load::<Self>(conn)
+                    .expect("Error loading twofactor")
+            })
+            .await;

        for webauthn_factor in webauthn_factors {
            // assume that a failure to parse into the old struct, means that it was already converted
@@ -242,7 +252,7 @@ impl TwoFactor {
                continue;
            };

-            let regs = regs.into_iter().map(|r| r.into()).collect::<Vec<WebauthnRegistration>>();
+            let regs = regs.into_iter().map(Into::into).collect::<Vec<WebauthnRegistration>>();

            TwoFactor::new(webauthn_factor.user_uuid.clone(), TwoFactorType::Webauthn, serde_json::to_string(&regs)?)
                .save(conn)
@@ -1,9 +1,12 @@
 use chrono::Utc;
-
-use crate::db::schema::twofactor_duo_ctx;
-use crate::{api::EmptyResult, db::DbConn, error::MapResult};
 use diesel::prelude::*;

+use crate::{
+    api::EmptyResult,
+    db::{DbConn, schema::twofactor_duo_ctx},
+    error::MapResult,
+};
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = twofactor_duo_ctx)]
 #[diesel(primary_key(state))]
@@ -16,12 +19,10 @@ pub struct TwoFactorDuoContext {

 impl TwoFactorDuoContext {
    pub async fn find_by_state(state: &str, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            twofactor_duo_ctx::table
-                .filter(twofactor_duo_ctx::state.eq(state))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| {
+            twofactor_duo_ctx::table.filter(twofactor_duo_ctx::state.eq(state)).first::<Self>(conn).ok()
+        })
+        .await
    }

    pub async fn save(state: &str, user_email: &str, nonce: &str, ttl: i64, conn: &DbConn) -> EmptyResult {
@@ -29,41 +30,42 @@ impl TwoFactorDuoContext {
        let exists = Self::find_by_state(state, conn).await;
        if exists.is_some() {
            return Ok(());
-        };
+        }

        let exp = Utc::now().timestamp() + ttl;

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::insert_into(twofactor_duo_ctx::table)
                .values((
                    twofactor_duo_ctx::state.eq(state),
                    twofactor_duo_ctx::user_email.eq(user_email),
                    twofactor_duo_ctx::nonce.eq(nonce),
-                    twofactor_duo_ctx::exp.eq(exp)
-            ))
-            .execute(conn)
-            .map_res("Error saving context to twofactor_duo_ctx")
-        }}
+                    twofactor_duo_ctx::exp.eq(exp),
+                ))
+                .execute(conn)
+                .map_res("Error saving context to twofactor_duo_ctx")
+        })
+        .await
    }

    pub async fn find_expired(conn: &DbConn) -> Vec<Self> {
        let now = Utc::now().timestamp();
-        db_run! { conn: {
+        conn.run(move |conn| {
            twofactor_duo_ctx::table
                .filter(twofactor_duo_ctx::exp.lt(now))
                .load::<Self>(conn)
                .expect("Error finding expired contexts in twofactor_duo_ctx")
-        }}
+        })
+        .await
    }

    pub async fn delete(&self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
-            diesel::delete(
-                twofactor_duo_ctx::table
-                .filter(twofactor_duo_ctx::state.eq(&self.state)))
+        conn.run(move |conn| {
+            diesel::delete(twofactor_duo_ctx::table.filter(twofactor_duo_ctx::state.eq(&self.state)))
                .execute(conn)
                .map_res("Error deleting from twofactor_duo_ctx")
-        }}
+        })
+        .await
    }

    pub async fn purge_expired_duo_contexts(conn: &DbConn) {
@@ -1,17 +1,17 @@
 use chrono::{NaiveDateTime, Utc};
+use diesel::prelude::*;

-use crate::db::schema::twofactor_incomplete;
 use crate::{
+    CONFIG,
    api::EmptyResult,
    auth::ClientIp,
    db::{
-        models::{DeviceId, UserId},
        DbConn,
+        models::{DeviceId, UserId},
+        schema::twofactor_incomplete,
    },
    error::MapResult,
-    CONFIG,
 };
-use diesel::prelude::*;

 #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
 #[diesel(table_name = twofactor_incomplete)]
@@ -49,7 +49,7 @@ impl TwoFactorIncomplete {
            return Ok(());
        }

-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::insert_into(twofactor_incomplete::table)
                .values((
                    twofactor_incomplete::user_uuid.eq(user_uuid),
@@ -61,7 +61,8 @@ impl TwoFactorIncomplete {
                ))
                .execute(conn)
                .map_res("Error adding twofactor_incomplete record")
-        }}
+        })
+        .await
    }

    pub async fn mark_complete(user_uuid: &UserId, device_uuid: &DeviceId, conn: &DbConn) -> EmptyResult {
@@ -73,22 +74,24 @@ impl TwoFactorIncomplete {
    }

    pub async fn find_by_user_and_device(user_uuid: &UserId, device_uuid: &DeviceId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            twofactor_incomplete::table
                .filter(twofactor_incomplete::user_uuid.eq(user_uuid))
                .filter(twofactor_incomplete::device_uuid.eq(device_uuid))
                .first::<Self>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_logins_before(dt: &NaiveDateTime, conn: &DbConn) -> Vec<Self> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            twofactor_incomplete::table
                .filter(twofactor_incomplete::login_time.lt(dt))
                .load::<Self>(conn)
                .expect("Error loading twofactor_incomplete")
-        }}
+        })
+        .await
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
@@ -96,20 +99,24 @@ impl TwoFactorIncomplete {
    }

    pub async fn delete_by_user_and_device(user_uuid: &UserId, device_uuid: &DeviceId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
-            diesel::delete(twofactor_incomplete::table
-                           .filter(twofactor_incomplete::user_uuid.eq(user_uuid))
-                           .filter(twofactor_incomplete::device_uuid.eq(device_uuid)))
-                .execute(conn)
-                .map_res("Error in twofactor_incomplete::delete_by_user_and_device()")
-        }}
+        conn.run(move |conn| {
+            diesel::delete(
+                twofactor_incomplete::table
+                    .filter(twofactor_incomplete::user_uuid.eq(user_uuid))
+                    .filter(twofactor_incomplete::device_uuid.eq(device_uuid)),
+            )
+            .execute(conn)
+            .map_res("Error in twofactor_incomplete::delete_by_user_and_device()")
+        })
+        .await
    }

    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(twofactor_incomplete::table.filter(twofactor_incomplete::user_uuid.eq(user_uuid)))
                .execute(conn)
                .map_res("Error in twofactor_incomplete::delete_all_by_user()")
-        }}
+        })
+        .await
    }
 }
@@ -1,23 +1,27 @@
-use crate::db::schema::{invitations, sso_users, twofactor_incomplete, users};
 use chrono::{NaiveDateTime, TimeDelta, Utc};
 use derive_more::{AsRef, Deref, Display, From};
 use diesel::prelude::*;
 use serde_json::Value;

-use super::{
-    Cipher, Device, EmergencyAccess, Favorite, Folder, Membership, MembershipType, TwoFactor, TwoFactorIncomplete,
-};
 use crate::{
+    CONFIG,
    api::EmptyResult,
    crypto,
-    db::{models::DeviceId, DbConn},
+    db::{
+        DbConn,
+        models::DeviceId,
+        schema::{invitations, sso_users, twofactor_incomplete, users},
+    },
    error::MapResult,
    sso::OIDCIdentifier,
    util::{format_date, get_uuid, retry},
-    CONFIG,
 };
 use macros::UuidFromParam;

+use super::{
+    Cipher, Device, EmergencyAccess, Favorite, Folder, Membership, MembershipType, TwoFactor, TwoFactorIncomplete,
+};
+
 #[derive(Identifiable, Queryable, Insertable, AsChangeset, Selectable)]
 #[diesel(table_name = users)]
 #[diesel(treat_none_as_null = true)]
@@ -137,8 +141,8 @@ impl User {
            _totp_secret: None,
            totp_recover: None,

-            equivalent_domains: "[]".to_string(),
-            excluded_globals: "[]".to_string(),
+            equivalent_domains: "[]".to_owned(),
+            excluded_globals: "[]".to_owned(),

            client_kdf_type: Self::CLIENT_KDF_TYPE_DEFAULT,
            client_kdf_iter: Self::CLIENT_KDF_ITER_DEFAULT,
@@ -158,7 +162,7 @@ impl User {
            password.as_bytes(),
            &self.salt,
            &self.password_hash,
-            self.password_iterations as u32,
+            self.password_iterations.cast_unsigned(),
        )
    }

@@ -185,14 +189,16 @@ impl User {
    ///   These routes are able to use the previous stamp id for the next 2 minutes.
    ///   After these 2 minutes this stamp will expire.
    ///
-    pub fn set_password(
+    pub async fn set_password(
        &mut self,
        password: &str,
        new_key: Option<String>,
        reset_security_stamp: bool,
        allow_next_route: Option<Vec<String>>,
-    ) {
-        self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32);
+        conn: &DbConn,
+    ) -> EmptyResult {
+        self.password_hash =
+            crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations.cast_unsigned());

        if let Some(route) = allow_next_route {
            self.set_stamp_exception(route);
@@ -203,12 +209,15 @@ impl User {
        }

        if reset_security_stamp {
-            self.reset_security_stamp()
+            self.reset_security_stamp(conn).await?;
        }
+        Ok(())
    }

-    pub fn reset_security_stamp(&mut self) {
+    pub async fn reset_security_stamp(&mut self, conn: &DbConn) -> EmptyResult {
        self.security_stamp = get_uuid();
+        Device::rotate_refresh_tokens_by_user(&self.uuid, conn).await?;
+        Ok(())
    }

    /// Set the stamp_exception to only allow a subsequent request matching a specific route using the current security-stamp.
@@ -234,10 +243,10 @@ impl User {

    pub fn display_name(&self) -> &str {
        // default to email if name is empty
-        if !&self.name.is_empty() {
-            &self.name
-        } else {
+        if self.name.is_empty() {
            &self.email
+        } else {
+            &self.name
        }
    }
 }
@@ -333,15 +342,14 @@ impl User {
        TwoFactorIncomplete::delete_all_by_user(&self.uuid, conn).await?;
        Invitation::take(&self.email, conn).await; // Delete invitation if any

-        db_run! { conn: {
-            diesel::delete(users::table.filter(users::uuid.eq(self.uuid)))
-                .execute(conn)
-                .map_res("Error deleting user")
-        }}
+        conn.run(move |conn| {
+            diesel::delete(users::table.filter(users::uuid.eq(self.uuid))).execute(conn).map_res("Error deleting user")
+        })
+        .await
    }

    pub async fn update_uuid_revision(uuid: &UserId, conn: &DbConn) {
-        if let Err(e) = Self::_update_revision(uuid, &Utc::now().naive_utc(), conn).await {
+        if let Err(e) = Self::update_revision_impl(uuid, &Utc::now().naive_utc(), conn).await {
            warn!("Failed to update revision for {uuid}: {e:#?}");
        }
    }
@@ -349,68 +357,62 @@ impl User {
    pub async fn update_all_revisions(conn: &DbConn) -> EmptyResult {
        let updated_at = Utc::now().naive_utc();

-        db_run! { conn: {
-            retry(|| {
-                diesel::update(users::table)
-                    .set(users::updated_at.eq(updated_at))
-                    .execute(conn)
-            }, 10)
-            .map_res("Error updating revision date for all users")
-        }}
+        conn.run(move |conn| {
+            retry(|| diesel::update(users::table).set(users::updated_at.eq(updated_at)).execute(conn), 10)
+                .map_res("Error updating revision date for all users")
+        })
+        .await
    }

    pub async fn update_revision(&mut self, conn: &DbConn) -> EmptyResult {
        self.updated_at = Utc::now().naive_utc();

-        Self::_update_revision(&self.uuid, &self.updated_at, conn).await
+        Self::update_revision_impl(&self.uuid, &self.updated_at, conn).await
    }

-    async fn _update_revision(uuid: &UserId, date: &NaiveDateTime, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
-            retry(|| {
-                diesel::update(users::table.filter(users::uuid.eq(uuid)))
-                    .set(users::updated_at.eq(date))
-                    .execute(conn)
-            }, 10)
+    async fn update_revision_impl(uuid: &UserId, date: &NaiveDateTime, conn: &DbConn) -> EmptyResult {
+        conn.run(move |conn| {
+            retry(
+                || {
+                    diesel::update(users::table.filter(users::uuid.eq(uuid)))
+                        .set(users::updated_at.eq(date))
+                        .execute(conn)
+                },
+                10,
+            )
            .map_res("Error updating user revision")
-        }}
+        })
+        .await
    }

    pub async fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
        let lower_mail = mail.to_lowercase();
-        db_run! { conn: {
-            users::table
-                .filter(users::email.eq(lower_mail))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| users::table.filter(users::email.eq(lower_mail)).first::<Self>(conn).ok()).await
    }

    pub async fn find_by_uuid(uuid: &UserId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            users::table
-                .filter(users::uuid.eq(uuid))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| users::table.filter(users::uuid.eq(uuid)).first::<Self>(conn).ok()).await
    }

    pub async fn find_by_device_for_email2fa(device_uuid: &DeviceId, conn: &DbConn) -> Option<Self> {
-        if let Some(user_uuid) = db_run! ( conn: {
-            twofactor_incomplete::table
-                .filter(twofactor_incomplete::device_uuid.eq(device_uuid))
-                .order_by(twofactor_incomplete::login_time.desc())
-                .select(twofactor_incomplete::user_uuid)
-                .first::<UserId>(conn)
-                .ok()
-        }) {
+        if let Some(user_uuid) = conn
+            .run(move |conn| {
+                twofactor_incomplete::table
+                    .filter(twofactor_incomplete::device_uuid.eq(device_uuid))
+                    .order_by(twofactor_incomplete::login_time.desc())
+                    .select(twofactor_incomplete::user_uuid)
+                    .first::<UserId>(conn)
+                    .ok()
+            })
+            .await
+        {
            return Self::find_by_uuid(&user_uuid, conn).await;
        }
        None
    }

    pub async fn get_all(conn: &DbConn) -> Vec<(Self, Option<SsoUser>)> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users::table
                .left_join(sso_users::table)
                .select(<(Self, Option<SsoUser>)>::as_select())
@@ -418,7 +420,8 @@ impl User {
                .expect("Error loading groups for user")
                .into_iter()
                .collect()
-        }}
+        })
+        .await
    }

    pub async fn last_active(&self, conn: &DbConn) -> Option<NaiveDateTime> {
@@ -463,21 +466,18 @@ impl Invitation {
    }

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(invitations::table.filter(invitations::email.eq(self.email)))
                .execute(conn)
                .map_res("Error deleting invitation")
-        }}
+        })
+        .await
    }

    pub async fn find_by_mail(mail: &str, conn: &DbConn) -> Option<Self> {
        let lower_mail = mail.to_lowercase();
-        db_run! { conn: {
-            invitations::table
-                .filter(invitations::email.eq(lower_mail))
-                .first::<Self>(conn)
-                .ok()
-        }}
+        conn.run(move |conn| invitations::table.filter(invitations::email.eq(lower_mail)).first::<Self>(conn).ok())
+            .await
    }

    pub async fn take(mail: &str, conn: &DbConn) -> bool {
@@ -527,34 +527,37 @@ impl SsoUser {
    }

    pub async fn find_by_identifier(identifier: &str, conn: &DbConn) -> Option<(User, Self)> {
-        db_run! { conn: {
+        conn.run(move |conn| {
            users::table
                .inner_join(sso_users::table)
                .select(<(User, Self)>::as_select())
                .filter(sso_users::identifier.eq(identifier))
                .first::<(User, Self)>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn find_by_mail(mail: &str, conn: &DbConn) -> Option<(User, Option<Self>)> {
        let lower_mail = mail.to_lowercase();

-        db_run! { conn: {
+        conn.run(move |conn| {
            users::table
                .left_join(sso_users::table)
                .select(<(User, Option<Self>)>::as_select())
                .filter(users::email.eq(lower_mail))
                .first::<(User, Option<Self>)>(conn)
                .ok()
-        }}
+        })
+        .await
    }

    pub async fn delete(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
+        conn.run(move |conn| {
            diesel::delete(sso_users::table.filter(sso_users::user_uuid.eq(user_uuid)))
                .execute(conn)
                .map_res("Error deleting sso user")
-        }}
+        })
+        .await
    }
 }
@@ -1,6 +1,7 @@
-use diesel::connection::{Instrumentation, InstrumentationEvent};
 use std::{cell::RefCell, collections::HashMap, time::Instant};

+use diesel::connection::{Instrumentation, InstrumentationEvent};
+
 thread_local! {
    static QUERY_PERF_TRACKER: RefCell<HashMap<String, Instant>> = RefCell::new(HashMap::new());
 }
@@ -11,7 +12,7 @@ pub fn simple_logger() -> Option<Box<dyn Instrumentation>> {
            url,
            ..
        } => {
-            debug!("Establishing connection: {url}")
+            debug!("Establishing connection: {url}");
        }
        InstrumentationEvent::FinishEstablishConnection {
            url,
@@ -19,9 +20,9 @@ pub fn simple_logger() -> Option<Box<dyn Instrumentation>> {
            ..
        } => {
            if let Some(e) = error {
-                error!("Error during establishing a connection with {url}: {e:?}")
+                error!("Error during establishing a connection with {url}: {e:?}");
            } else {
-                debug!("Connection established: {url}")
+                debug!("Connection established: {url}");
            }
        }
        InstrumentationEvent::StartQuery {
@@ -47,7 +48,7 @@ pub fn simple_logger() -> Option<Box<dyn Instrumentation>> {
                    } else if duration.as_secs() >= 1 {
                        info!("SLOW QUERY [{:.2}s]: {}", duration.as_secs_f32(), query_string);
                    } else {
-                        debug!("QUERY [{:?}]: {}", duration, query_string);
+                        debug!("QUERY [{duration:?}]: {query_string}");
                    }
                }
            });
@@ -262,9 +262,11 @@ table! {
        nonce -> Text,
        redirect_uri -> Text,
        code_response -> Nullable<Text>,
+        code_response_error -> Nullable<Text>,
        auth_response -> Nullable<Text>,
        created_at -> Timestamp,
        updated_at -> Timestamp,
+        binding_hash -> Nullable<Text>,
    }
 }

@@ -341,6 +343,16 @@ table! {
    }
 }

+table! {
+    archives (user_uuid, cipher_uuid) {
+        user_uuid -> Text,
+        cipher_uuid -> Text,
+        archived_at -> Timestamp,
+    }
+}
+
+joinable!(archives -> users (user_uuid));
+joinable!(archives -> ciphers (cipher_uuid));
 joinable!(attachments -> ciphers (cipher_uuid));
 joinable!(ciphers -> organizations (organization_uuid));
 joinable!(ciphers -> users (user_uuid));
@@ -372,6 +384,7 @@ joinable!(auth_requests -> users (user_uuid));
 joinable!(sso_users -> users (user_uuid));

 allow_tables_to_appear_in_same_query!(
+    archives,
    attachments,
    ciphers,
    ciphers_collections,
@@ -1,10 +1,11 @@
 //
 // Error generator macro
 //
+use std::error::Error as StdError;
+
 use crate::db::models::EventType;
 use crate::http_client::CustomHttpClientError;
 use serde::ser::{Serialize, SerializeStruct, Serializer};
-use std::error::Error as StdError;

 macro_rules! make_error {
    ( $( $name:ident ( $ty:ty ): $src_fn:expr, $usr_msg_fun:expr ),+ $(,)? ) => {
@@ -14,24 +15,24 @@ macro_rules! make_error {

        #[derive(Debug)]
        pub struct ErrorEvent { pub event: EventType }
-        pub struct Error { message: String, error: ErrorKind, error_code: u16, event: Option<ErrorEvent> }
+        pub struct Error { message: String, kind: ErrorKind, code: u16, event: Option<ErrorEvent> }

        $(impl From<$ty> for Error {
            fn from(err: $ty) -> Self { Error::from((stringify!($name), err)) }
        })+
        $(impl<S: Into<String>> From<(S, $ty)> for Error {
            fn from(val: (S, $ty)) -> Self {
-                Error { message: val.0.into(), error: ErrorKind::$name(val.1), error_code: BAD_REQUEST, event: None }
+                Error { message: val.0.into(), kind: ErrorKind::$name(val.1), code: BAD_REQUEST, event: None }
            }
        })+
        impl StdError for Error {
            fn source(&self) -> Option<&(dyn StdError + 'static)> {
-                match &self.error {$( ErrorKind::$name(e) => $src_fn(e), )+}
+                match &self.kind {$( ErrorKind::$name(e) => $src_fn(e), )+}
            }
        }
        impl std::fmt::Display for Error {
            fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-                match &self.error {$(
+                match &self.kind {$(
                   ErrorKind::$name(e) => f.write_str(&$usr_msg_fun(e, &self.message)),
                )+}
            }
@@ -39,10 +40,10 @@ macro_rules! make_error {
    };
 }

+use diesel::ConnectionError as DieselConErr;
 use diesel::r2d2::Error as R2d2Err;
 use diesel::r2d2::PoolError as R2d2PoolErr;
 use diesel::result::Error as DieselErr;
-use diesel::ConnectionError as DieselConErr;
 use handlebars::RenderError as HbErr;
 use jsonwebtoken::errors::Error as JwtErr;
 use lettre::address::AddressError as AddrErr;
@@ -71,46 +72,46 @@ pub struct Compact {}
 // The second one contains the function used to obtain the response sent to the client
 make_error! {
    // Just an empty error
-    Empty(Empty):     _no_source, _serialize,
+    Empty(Empty):     no_source, serialize,
    // Used to represent err! calls
-    Simple(String):  _no_source,  _api_error,
-    Compact(Compact):  _no_source,  _compact_api_error,
+    Simple(String):  no_source,  api_error,
+    Compact(Compact):  no_source,  compact_api_error,

    // Used in our custom http client to handle non-global IPs and blocked domains
-    CustomHttpClient(CustomHttpClientError): _has_source, _api_error,
+    CustomHttpClient(CustomHttpClientError): has_source, api_error,

    // Used for special return values, like 2FA errors
-    Json(Value):           _no_source,  _serialize,
-    Db(DieselErr):         _has_source, _api_error,
-    R2d2(R2d2Err):         _has_source, _api_error,
-    R2d2Pool(R2d2PoolErr): _has_source, _api_error,
-    Serde(SerdeErr):       _has_source, _api_error,
-    JWt(JwtErr):           _has_source, _api_error,
-    Handlebars(HbErr):     _has_source, _api_error,
+    Json(Value):           no_source,  serialize,
+    Db(DieselErr):         has_source, api_error,
+    R2d2(R2d2Err):         has_source, api_error,
+    R2d2Pool(R2d2PoolErr): has_source, api_error,
+    Serde(SerdeErr):       has_source, api_error,
+    JWt(JwtErr):           has_source, api_error,
+    Handlebars(HbErr):     has_source, api_error,

-    Io(IoErr):       _has_source, _api_error,
-    Time(TimeErr):   _has_source, _api_error,
-    Req(ReqErr):     _has_source, _api_error,
-    Regex(RegexErr): _has_source, _api_error,
-    Yubico(YubiErr): _has_source, _api_error,
+    Io(IoErr):       has_source, api_error,
+    Time(TimeErr):   has_source, api_error,
+    Req(ReqErr):     has_source, api_error,
+    Regex(RegexErr): has_source, api_error,
+    Yubico(YubiErr): has_source, api_error,

-    Lettre(LettreErr): _has_source, _api_error,
-    Address(AddrErr):  _has_source, _api_error,
-    Smtp(SmtpErr):     _has_source, _api_error,
-    OpenSSL(SSLErr):   _has_source, _api_error,
-    Rocket(RocketErr): _has_source, _api_error,
+    Lettre(LettreErr): has_source, api_error,
+    Address(AddrErr):  has_source, api_error,
+    Smtp(SmtpErr):     has_source, api_error,
+    OpenSSL(SSLErr):   has_source, api_error,
+    Rocket(RocketErr): has_source, api_error,

-    DieselCon(DieselConErr): _has_source, _api_error,
-    Webauthn(WebauthnErr):   _has_source, _api_error,
+    DieselCon(DieselConErr): has_source, api_error,
+    Webauthn(WebauthnErr):   has_source, api_error,

-    OpenDAL(OpenDALErr): _has_source, _api_error,
+    OpenDAL(OpenDALErr): has_source, api_error,
 }

 impl std::fmt::Debug for Error {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self.source() {
            Some(e) => write!(f, "{}.\n[CAUSE] {:#?}", self.message, e),
-            None => match self.error {
+            None => match self.kind {
                ErrorKind::Empty(_) => Ok(()),
                ErrorKind::Simple(ref s) => {
                    if &self.message == s {
@@ -135,6 +136,7 @@ impl Error {
        (usr_msg.clone(), usr_msg.into()).into()
    }

+    #[must_use]
    pub fn empty() -> Self {
        Empty {}.into()
    }
@@ -147,13 +149,13 @@ impl Error {

    #[must_use]
    pub fn with_kind(mut self, kind: ErrorKind) -> Self {
-        self.error = kind;
+        self.kind = kind;
        self
    }

    #[must_use]
    pub const fn with_code(mut self, code: u16) -> Self {
-        self.error_code = code;
+        self.code = code;
        self
    }

@@ -194,14 +196,14 @@ impl<S> MapResult<S> for Option<S> {
    }
 }

-const fn _has_source<T>(e: T) -> Option<T> {
+const fn has_source<T>(e: T) -> Option<T> {
    Some(e)
 }
-fn _no_source<T, S>(_: T) -> Option<S> {
+fn no_source<T, S>(_: T) -> Option<S> {
    None
 }

-fn _serialize(e: &impl Serialize, _msg: &str) -> String {
+fn serialize(e: &impl Serialize, _msg: &str) -> String {
    serde_json::to_string(e).unwrap()
 }

@@ -280,14 +282,14 @@ struct ApiErrorResponse<'a>(ApiErrorMsg<'a>);
 /// The custom serialization adds all other needed fields
 struct CompactApiErrorResponse<'a>(ApiErrorMsg<'a>);

-fn _api_error(_: &impl std::any::Any, msg: &str) -> String {
+fn api_error(_: &impl std::any::Any, msg: &str) -> String {
    let response = ApiErrorMsg {
        message: msg,
    };
    serde_json::to_string(&ApiErrorResponse(response)).unwrap()
 }

-fn _compact_api_error(_: &impl std::any::Any, msg: &str) -> String {
+fn compact_api_error(_: &impl std::any::Any, msg: &str) -> String {
    let response = ApiErrorMsg {
        message: msg,
    };
@@ -299,18 +301,20 @@ fn _compact_api_error(_: &impl std::any::Any, msg: &str) -> String {
 //
 use std::io::Cursor;

-use rocket::http::{ContentType, Status};
-use rocket::request::Request;
-use rocket::response::{self, Responder, Response};
+use rocket::{
+    http::{ContentType, Status},
+    request::Request,
+    response::{self, Responder, Response},
+};

 impl Responder<'_, 'static> for Error {
    fn respond_to(self, _: &Request<'_>) -> response::Result<'static> {
-        match self.error {
+        match self.kind {
            ErrorKind::Empty(_) | ErrorKind::Simple(_) | ErrorKind::Compact(_) => {} // Don't print the error in this situation
            _ => error!(target: "error", "{self:#?}"),
-        };
+        }

-        let code = Status::from_code(self.error_code).unwrap_or(Status::BadRequest);
+        let code = Status::from_code(self.code).unwrap_or(Status::BadRequest);
        let body = self.to_string();
        Response::build().status(code).header(ContentType::JSON).sized_body(Some(body.len()), Cursor::new(body)).ok()
    }
@@ -1,22 +1,25 @@
 use std::{
    fmt,
    net::{IpAddr, SocketAddr},
-    str::FromStr,
    sync::{Arc, LazyLock, Mutex},
    time::Duration,
 };

-use hickory_resolver::{name_server::TokioConnectionProvider, TokioResolver};
+use hickory_resolver::{TokioResolver, net::runtime::TokioRuntimeProvider};
 use regex::Regex;
 use reqwest::{
+    Client, ClientBuilder,
    dns::{Name, Resolve, Resolving},
-    header, Client, ClientBuilder,
+    header,
 };
 use url::Host;

-use crate::{util::is_global, CONFIG};
+use crate::{CONFIG, util::is_global};

 pub fn make_http_request(method: reqwest::Method, url: &str) -> Result<reqwest::RequestBuilder, crate::Error> {
+    static INSTANCE: LazyLock<Client> =
+        LazyLock::new(|| get_reqwest_client_builder().build().expect("Failed to build client"));
+
    let Ok(url) = url::Url::parse(url) else {
        err!("Invalid URL");
    };
@@ -26,9 +29,6 @@ pub fn make_http_request(method: reqwest::Method, url: &str) -> Result<reqwest::

    should_block_host(&host)?;

-    static INSTANCE: LazyLock<Client> =
-        LazyLock::new(|| get_reqwest_client_builder().build().expect("Failed to build client"));
-
    Ok(INSTANCE.request(method, url))
 }

@@ -59,16 +59,6 @@ pub fn get_reqwest_client_builder() -> ClientBuilder {
        .timeout(Duration::from_secs(10))
 }

-pub fn should_block_address(domain_or_ip: &str) -> bool {
-    if let Ok(ip) = IpAddr::from_str(domain_or_ip) {
-        if should_block_ip(ip) {
-            return true;
-        }
-    }
-
-    should_block_address_regex(domain_or_ip)
-}
-
 fn should_block_ip(ip: IpAddr) -> bool {
    if !CONFIG.http_request_block_non_global_ips() {
        return false;
@@ -78,18 +68,19 @@ fn should_block_ip(ip: IpAddr) -> bool {
 }

 fn should_block_address_regex(domain_or_ip: &str) -> bool {
+    static COMPILED_REGEX: Mutex<Option<(String, Regex)>> = Mutex::new(None);
+
    let Some(block_regex) = CONFIG.http_request_block_regex() else {
        return false;
    };

-    static COMPILED_REGEX: Mutex<Option<(String, Regex)>> = Mutex::new(None);
    let mut guard = COMPILED_REGEX.lock().unwrap();

    // If the stored regex is up to date, use it
-    if let Some((value, regex)) = &*guard {
-        if value == &block_regex {
-            return regex.is_match(domain_or_ip);
-        }
+    if let Some((value, regex)) = &*guard
+        && value == &block_regex
+    {
+        return regex.is_match(domain_or_ip);
    }

    // If we don't have a regex stored, or it's not up to date, recreate it
@@ -100,20 +91,63 @@ fn should_block_address_regex(domain_or_ip: &str) -> bool {
    is_match
 }

-fn should_block_host(host: &Host<&str>) -> Result<(), CustomHttpClientError> {
+pub fn get_valid_host(host: &str) -> Result<Host, CustomHttpClientError> {
+    let Ok(host) = Host::parse(host) else {
+        return Err(CustomHttpClientError::Invalid {
+            domain: host.to_owned(),
+        });
+    };
+
+    // Some extra checks to validate hosts
+    match host {
+        Host::Domain(ref domain) => {
+            // Host::parse() does not verify length or all possible invalid characters
+            // We do some extra checks here to prevent issues
+            if domain.len() > 253 {
+                debug!("Domain validation error: '{domain}' exceeds 253 characters");
+                return Err(CustomHttpClientError::Invalid {
+                    domain: host.to_string(),
+                });
+            }
+            if !domain.split('.').all(|label| {
+                !label.is_empty()
+                    // Labels can't be longer than 63 chars
+                    && label.len() <= 63
+                    // Labels are not allowed to start or end with a hyphen `-`
+                    && !label.starts_with('-')
+                    && !label.ends_with('-')
+                    // Only ASCII Alphanumeric characters are allowed
+                    // We already received a punycoded domain back, so no unicode should exists here
+                    && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
+            }) {
+                debug!(
+                    "Domain validation error: '{domain}' labels contain invalid characters or exceed the maximum length"
+                );
+                return Err(CustomHttpClientError::Invalid {
+                    domain: host.to_string(),
+                });
+            }
+        }
+        Host::Ipv4(_) | Host::Ipv6(_) => {}
+    }
+
+    Ok(host)
+}
+
+pub fn should_block_host<S: AsRef<str>>(host: &Host<S>) -> Result<(), CustomHttpClientError> {
    let (ip, host_str): (Option<IpAddr>, String) = match host {
        Host::Ipv4(ip) => (Some(IpAddr::V4(*ip)), ip.to_string()),
        Host::Ipv6(ip) => (Some(IpAddr::V6(*ip)), ip.to_string()),
-        Host::Domain(d) => (None, (*d).to_string()),
+        Host::Domain(d) => (None, d.as_ref().to_owned()),
    };

-    if let Some(ip) = ip {
-        if should_block_ip(ip) {
-            return Err(CustomHttpClientError::NonGlobalIp {
-                domain: None,
-                ip,
-            });
-        }
+    if let Some(ip) = ip
+        && should_block_ip(ip)
+    {
+        return Err(CustomHttpClientError::NonGlobalIp {
+            domain: None,
+            ip,
+        });
    }

    if should_block_address_regex(&host_str) {
@@ -134,6 +168,9 @@ pub enum CustomHttpClientError {
        domain: Option<String>,
        ip: IpAddr,
    },
+    Invalid {
+        domain: String,
+    },
 }

 impl CustomHttpClientError {
@@ -155,7 +192,7 @@ impl fmt::Display for CustomHttpClientError {
        match self {
            Self::Blocked {
                domain,
-            } => write!(f, "Blocked domain: {domain} matched HTTP_REQUEST_BLOCK_REGEX"),
+            } => write!(f, "Blocked domain: '{domain}' matched HTTP_REQUEST_BLOCK_REGEX"),
            Self::NonGlobalIp {
                domain: Some(domain),
                ip,
@@ -163,7 +200,10 @@ impl fmt::Display for CustomHttpClientError {
            Self::NonGlobalIp {
                domain: None,
                ip,
-            } => write!(f, "IP {ip} is not a global IP!"),
+            } => write!(f, "IP '{ip}' is not a global IP!"),
+            Self::Invalid {
+                domain,
+            } => write!(f, "Invalid host: '{domain}' contains invalid characters or exceeds the maximum length"),
        }
    }
 }
@@ -184,42 +224,47 @@ impl CustomDnsResolver {
    }

    fn new() -> Arc<Self> {
-        match TokioResolver::builder(TokioConnectionProvider::default()) {
-            Ok(mut builder) => {
-                if CONFIG.dns_prefer_ipv6() {
-                    builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv6thenIpv4;
+        TokioResolver::builder(TokioRuntimeProvider::default())
+            .and_then(|mut builder| {
+                // Hickory's default since v0.26 is `Ipv6AndIpv4`, which sorts IPv6 first
+                // This might cause issues on IPv4 only systems or containers
+                // Unless someone enabled DNS_PREFER_IPV6, use Ipv4AndIpv6, which returns IPv4 first which was our previous default
+                if !CONFIG.dns_prefer_ipv6() {
+                    builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv4AndIpv6;
                }
-                let resolver = builder.build();
-                Arc::new(Self::Hickory(Arc::new(resolver)))
-            }
-            Err(e) => {
-                warn!("Error creating Hickory resolver, falling back to default: {e:?}");
-                Arc::new(Self::Default())
-            }
-        }
+                builder.build()
+            })
+            .inspect_err(|e| warn!("Error creating Hickory resolver, falling back to default: {e:?}"))
+            .map_or_else(|_| Arc::new(Self::Default()), |resolver| Arc::new(Self::Hickory(Arc::new(resolver))))
    }

    // Note that we get an iterator of addresses, but we only grab the first one for convenience
-    async fn resolve_domain(&self, name: &str) -> Result<Option<SocketAddr>, BoxError> {
+    async fn resolve_domain(&self, name: &str) -> Result<Vec<SocketAddr>, BoxError> {
        pre_resolve(name)?;

-        let result = match self {
-            Self::Default() => tokio::net::lookup_host(name).await?.next(),
-            Self::Hickory(r) => r.lookup_ip(name).await?.iter().next().map(|a| SocketAddr::new(a, 0)),
+        let results: Vec<SocketAddr> = match self {
+            Self::Default() => tokio::net::lookup_host((name, 0)).await?.collect(),
+            Self::Hickory(r) => r.lookup_ip(name).await?.iter().map(|i| SocketAddr::new(i, 0)).collect(),
        };

-        if let Some(addr) = &result {
+        for addr in &results {
            post_resolve(name, addr.ip())?;
        }

-        Ok(result)
+        Ok(results)
    }
 }

 fn pre_resolve(name: &str) -> Result<(), CustomHttpClientError> {
-    if should_block_address(name) {
+    let Ok(host) = get_valid_host(name) else {
+        return Err(CustomHttpClientError::Invalid {
+            domain: name.to_owned(),
+        });
+    };
+
+    if should_block_host(&host).is_err() {
        return Err(CustomHttpClientError::Blocked {
-            domain: name.to_string(),
+            domain: name.to_owned(),
        });
    }

@@ -229,7 +274,7 @@ fn pre_resolve(name: &str) -> Result<(), CustomHttpClientError> {
 fn post_resolve(name: &str, ip: IpAddr) -> Result<(), CustomHttpClientError> {
    if should_block_ip(ip) {
        Err(CustomHttpClientError::NonGlobalIp {
-            domain: Some(name.to_string()),
+            domain: Some(name.to_owned()),
            ip,
        })
    } else {
@@ -242,8 +287,11 @@ impl Resolve for CustomDnsResolver {
        let this = self.clone();
        Box::pin(async move {
            let name = name.as_str();
-            let result = this.resolve_domain(name).await?;
-            Ok::<reqwest::dns::Addrs, _>(Box::new(result.into_iter()))
+            let results = this.resolve_domain(name).await?;
+            if results.is_empty() {
+                warn!("Unable to resolve {name} to any valid IP address");
+            }
+            Ok::<reqwest::dns::Addrs, _>(Box::new(results.into_iter()))
        })
    }
 }
@@ -271,7 +319,7 @@ pub(crate) mod aws {
            let future = async move {
                let method = reqwest::Method::from_bytes(request.method().as_bytes())
                    .map_err(|e| ConnectorError::user(Box::new(e)))?;
-                let mut req_builder = client.request(method, request.uri().to_string());
+                let mut req_builder = client.request(method, request.uri().to_owned());

                for (name, value) in request.headers() {
                    req_builder = req_builder.header(name, value);
@@ -305,3 +353,209 @@ pub(crate) mod aws {
        }
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::util::is_global_hardcoded;
+    use std::net::Ipv4Addr;
+    use url::Host;
+
+    // ===
+    // IPv4 numeric-format normalization
+    fn parse_to_ip(s: &str) -> Option<IpAddr> {
+        match Host::parse(s).ok()? {
+            Host::Ipv4(v4) => Some(IpAddr::V4(v4)),
+            Host::Ipv6(v6) => Some(IpAddr::V6(v6)),
+            Host::Domain(_) => None,
+        }
+    }
+
+    #[test]
+    fn dotted_decimal_loopback_normalizes() {
+        let ip = parse_to_ip("127.0.0.1").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn single_decimal_loopback_normalizes() {
+        // 127.0.0.1 == 2130706433
+        let ip = parse_to_ip("2130706433").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn hex_loopback_normalizes() {
+        let ip = parse_to_ip("0x7f000001").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn dotted_hex_loopback_normalizes() {
+        let ip = parse_to_ip("0x7f.0.0.1").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn octal_loopback_normalizes() {
+        // 017700000001 == 127.0.0.1
+        let ip = parse_to_ip("017700000001").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn dotted_octal_loopback_normalizes() {
+        let ip = parse_to_ip("0177.0.0.01").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)));
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn aws_metadata_decimal_blocked() {
+        // 169.254.169.254 == 2852039166 (link-local, AWS IMDS)
+        let ip = parse_to_ip("2852039166").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(169, 254, 169, 254)));
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn rfc1918_hex_blocked() {
+        // 10.0.0.1
+        let ip = parse_to_ip("0x0a000001").unwrap();
+        assert!(!is_global_hardcoded(ip));
+    }
+
+    #[test]
+    fn public_ip_decimal_allowed() {
+        // 8.8.8.8 == 134744072
+        let ip = parse_to_ip("134744072").unwrap();
+        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(8, 8, 8, 8)));
+        assert!(is_global_hardcoded(ip));
+    }
+
+    // ===
+    // get_valid_host integration: numeric forms become Host::Ipv4
+    #[test]
+    fn get_valid_host_normalizes_decimal_int() {
+        let h = get_valid_host("2130706433").expect("valid");
+        assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+    }
+
+    #[test]
+    fn get_valid_host_normalizes_hex() {
+        let h = get_valid_host("0x7f000001").expect("valid");
+        assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+    }
+
+    #[test]
+    fn get_valid_host_normalizes_octal() {
+        let h = get_valid_host("017700000001").expect("valid");
+        assert!(matches!(h, Host::Ipv4(ip) if ip == Ipv4Addr::new(127, 0, 0, 1)));
+    }
+
+    // ===
+    // IPv6 formats
+    #[test]
+    fn ipv6_loopback_blocked() {
+        let h = get_valid_host("[::1]").expect("valid");
+        let Host::Ipv6(ip) = h else {
+            panic!("expected v6")
+        };
+        assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+    }
+
+    #[test]
+    fn ipv4_mapped_in_ipv6_loopback_blocked() {
+        // ::ffff:127.0.0.1 — v4-mapped form; is_global_hardcoded blocks via ::ffff:0:0/96
+        let h = get_valid_host("[::ffff:127.0.0.1]").expect("valid");
+        let Host::Ipv6(ip) = h else {
+            panic!("expected v6")
+        };
+        assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+    }
+
+    #[test]
+    fn ipv6_unique_local_blocked() {
+        let h = get_valid_host("[fc00::1]").expect("valid");
+        let Host::Ipv6(ip) = h else {
+            panic!("expected v6")
+        };
+        assert!(!is_global_hardcoded(IpAddr::V6(ip)));
+    }
+
+    // ===
+    // Punycode / IDN
+    #[test]
+    fn punycode_passthrough() {
+        let h = get_valid_host("xn--deadbeafcaf-lbb.test").expect("valid");
+        match h {
+            Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
+            _ => panic!("expected domain"),
+        }
+    }
+
+    #[test]
+    fn idn_unicode_gets_punycoded() {
+        let h = get_valid_host("deadbeafcafé.test").expect("valid");
+        match h {
+            Host::Domain(d) => assert_eq!(d, "xn--deadbeafcaf-lbb.test"),
+            _ => panic!("expected domain"),
+        }
+    }
+
+    #[test]
+    fn idn_unicode_gets_punycoded_tld() {
+        let h = get_valid_host("deadbeaf.café").expect("valid");
+        match h {
+            Host::Domain(d) => assert_eq!(d, "deadbeaf.xn--caf-dma"),
+            _ => panic!("expected domain"),
+        }
+    }
+
+    #[test]
+    fn idn_emoji_gets_punycoded() {
+        let h = get_valid_host("xn--t88h.test").expect("valid"); // 🛡️.test
+        match h {
+            Host::Domain(d) => assert_eq!(d, "xn--t88h.test"),
+            _ => panic!("expected domain"),
+        }
+    }
+
+    #[test]
+    fn idn_unicode_to_punycode_roundtrip() {
+        let from_unicode = get_valid_host("🛡️.test").expect("valid");
+        let from_puny = get_valid_host("xn--t88h.test").expect("valid");
+        match (from_unicode, from_puny) {
+            (Host::Domain(a), Host::Domain(b)) => assert_eq!(a, b),
+            _ => panic!("expected domains"),
+        }
+    }
+
+    #[test]
+    fn invalid_punycode_rejected() {
+        // bare invalid punycode
+        assert!(get_valid_host("xn--").is_err());
+    }
+
+    #[test]
+    fn underscore_in_label_rejected() {
+        assert!(get_valid_host("dead_beaf.cafe").is_err());
+    }
+
+    #[test]
+    fn label_too_long_rejected() {
+        let label = "a".repeat(64);
+        assert!(get_valid_host(&format!("{label}.test")).is_err());
+    }
+
+    #[test]
+    fn domain_too_long_rejected() {
+        let big = "a.".repeat(130) + "test"; // > 253
+        assert!(get_valid_host(&big).is_err());
+    }
+}
@@ -1,16 +1,17 @@
-use chrono::NaiveDateTime;
-use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 use std::{env::consts::EXE_SUFFIX, str::FromStr};

+use chrono::NaiveDateTime;
 use lettre::{
+    Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
    message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
    transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
    transport::smtp::client::{Tls, TlsParameters},
    transport::smtp::extension::ClientId,
-    Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
 };
+use percent_encoding::{NON_ALPHANUMERIC, percent_encode};

 use crate::{
+    CONFIG,
    api::EmptyResult,
    auth::{
        encode_jwt, generate_delete_claims, generate_emergency_access_invite_claims, generate_invite_claims,
@@ -18,7 +19,7 @@ use crate::{
    },
    db::models::{Device, DeviceType, EmergencyAccessId, MembershipId, OrganizationId, User, UserId},
    error::Error,
-    CONFIG,
+    util::upcase_first,
 };

 fn sendmail_transport() -> AsyncSendmailTransport<Tokio1Executor> {
@@ -38,7 +39,9 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
        .timeout(Some(Duration::from_secs(CONFIG.smtp_timeout())));

    // Determine security
-    let smtp_client = if CONFIG.smtp_security() != *"off" {
+    let smtp_client = if CONFIG.smtp_security() == *"off" {
+        smtp_client
+    } else {
        let mut tls_parameters = TlsParameters::builder(host);
        if CONFIG.smtp_accept_invalid_hostnames() {
            tls_parameters = tls_parameters.dangerous_accept_invalid_hostnames(true);
@@ -53,8 +56,6 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
        } else {
            smtp_client.tls(Tls::Required(tls_parameters))
        }
-    } else {
-        smtp_client
    };

    let smtp_client = match (CONFIG.smtp_username(), CONFIG.smtp_password()) {
@@ -81,12 +82,12 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
                }
            }

-            if !selected_mechanisms.is_empty() {
-                smtp_client.authentication(selected_mechanisms)
-            } else {
+            if selected_mechanisms.is_empty() {
                // Only show a warning, and return without setting an actual authentication mechanism
                warn!("No valid SMTP Auth mechanism found for '{mechanism}', using default values");
                smtp_client
+            } else {
+                smtp_client.authentication(selected_mechanisms)
            }
        }
        _ => smtp_client,
@@ -129,14 +130,16 @@ fn get_template(template_name: &str, data: &serde_json::Value) -> Result<(String
    let text = CONFIG.render_template(template_name, data)?;
    let mut text_split = text.split("<!---------------->");

-    let subject = match text_split.next() {
-        Some(s) => s.trim().to_string(),
-        None => err!("Template doesn't contain subject"),
+    let subject = if let Some(s) = text_split.next() {
+        s.trim().to_owned()
+    } else {
+        err!("Template doesn't contain subject")
    };

-    let body = match text_split.next() {
-        Some(s) => s.trim().to_string(),
-        None => err!("Template doesn't contain body"),
+    let body = if let Some(s) = text_split.next() {
+        s.trim().to_owned()
+    } else {
+        err!("Template doesn't contain body")
    };

    if text_split.next().is_some() {
@@ -204,9 +207,8 @@ pub async fn send_verify_email(address: &str, user_id: &UserId) -> EmptyResult {
 pub async fn send_register_verify_email(email: &str, token: &str) -> EmptyResult {
    let mut query = url::Url::parse("https://query.builder").unwrap();
    query.query_pairs_mut().append_pair("email", email).append_pair("token", token);
-    let query_string = match query.query() {
-        None => err!("Failed to build verify URL query parameters"),
-        Some(query) => query,
+    let Some(query_string) = query.query() else {
+        err!("Failed to build verify URL query parameters")
    };

    let (subject, body_html, body_text) = get_text(
@@ -302,10 +304,10 @@ pub async fn send_invite(
            .append_pair("organizationUserId", &member_id)
            .append_pair("token", &invite_token);

-        if CONFIG.sso_enabled() {
-            query_params.append_pair("orgUserHasExistingUser", "false");
+        if CONFIG.sso_enabled() && CONFIG.sso_only() {
            query_params.append_pair("orgSsoIdentifier", &org_id);
-        } else if user.private_key.is_some() {
+        }
+        if user.private_key.is_some() {
            query_params.append_pair("orgUserHasExistingUser", "true");
        }
    }
@@ -504,8 +506,6 @@ pub async fn send_invite_confirmed(address: &str, org_name: &str) -> EmptyResult
 }

 pub async fn send_new_device_logged_in(address: &str, ip: &str, dt: &NaiveDateTime, device: &Device) -> EmptyResult {
-    use crate::util::upcase_first;
-
    let fmt = "%A, %B %_d, %Y at %r %Z";
    let (subject, body_html, body_text) = get_text(
        "email/new_device_logged_in",
@@ -529,8 +529,6 @@ pub async fn send_incomplete_2fa_login(
    device_name: &str,
    device_type: &str,
 ) -> EmptyResult {
-    use crate::util::upcase_first;
-
    let fmt = "%A, %B %_d, %Y at %r %Z";
    let (subject, body_html, body_text) = get_text(
        "email/incomplete_2fa_login",
@@ -655,7 +653,7 @@ pub async fn send_protected_action_token(address: &str, token: &str) -> EmptyRes
 async fn send_with_selected_transport(email: Message) -> EmptyResult {
    if CONFIG.use_sendmail() {
        match sendmail_transport().send(email).await {
-            Ok(_) => Ok(()),
+            Ok(()) => Ok(()),
            // Match some common errors and make them more user friendly
            Err(e) => {
                if e.is_client() {
@@ -664,10 +662,9 @@ async fn send_with_selected_transport(email: Message) -> EmptyResult {
                } else if e.is_response() {
                    debug!("Sendmail response error: {e:?}");
                    err!(format!("Sendmail response error: {e}"));
-                } else {
-                    debug!("Sendmail error: {e:?}");
-                    err!(format!("Sendmail error: {e}"));
                }
+                debug!("Sendmail error: {e:?}");
+                err!(format!("Sendmail error: {e}"));
            }
        }
    } else {
@@ -695,10 +692,9 @@ async fn send_with_selected_transport(email: Message) -> EmptyResult {
                } else if e.is_tls() {
                    debug!("SMTP encryption error: {e:#?}");
                    err!(format!("SMTP encryption error: {e}"));
-                } else {
-                    debug!("SMTP error: {e:#?}");
-                    err!(format!("SMTP error: {e}"));
                }
+                debug!("SMTP error: {e:#?}");
+                err!(format!("SMTP error: {e}"));
            }
        }
    }
@@ -33,6 +33,7 @@ use std::{
    path::Path,
    process::exit,
    str::FromStr,
+    sync::{Arc, atomic::Ordering},
    thread,
 };

@@ -44,6 +45,8 @@ use tokio::{
 #[cfg(unix)]
 use tokio::signal::unix::SignalKind;

+use rocket::data::{Limits, ToByteUnit};
+
 #[macro_use]
 mod error;
 mod api;
@@ -57,19 +60,19 @@ mod mail;
 mod ratelimit;
 mod sso;
 mod sso_client;
+mod storage;
 mod util;

-use crate::api::core::two_factor::duo_oidc::purge_duo_contexts;
-use crate::api::purge_auth_requests;
-use crate::api::{WS_ANONYMOUS_SUBSCRIPTIONS, WS_USERS};
-pub use config::{PathType, CONFIG};
+use crate::api::{
+    WS_ANONYMOUS_SUBSCRIPTIONS, WS_USERS, core::two_factor::duo_oidc::purge_duo_contexts, purge_auth_requests,
+};
+pub use config::{CONFIG, PathType};
 pub use error::{Error, MapResult};
-use rocket::data::{Limits, ToByteUnit};
-use std::sync::{atomic::Ordering, Arc};
 pub use util::is_running_in_container;

 #[rocket::main]
 async fn main() -> Result<(), Error> {
+    install_rustls_crypto_provider();
    parse_args();
    launch_info();

@@ -135,26 +138,23 @@ fn parse_args() {
    if let Some(command) = pargs.subcommand().unwrap_or_default() {
        if command == "hash" {
            use argon2::{
-                password_hash::SaltString, Algorithm::Argon2id, Argon2, ParamsBuilder, PasswordHasher, Version::V0x13,
+                Algorithm::Argon2id, Argon2, ParamsBuilder, PasswordHasher, Version::V0x13, password_hash::SaltString,
            };

            let mut argon2_params = ParamsBuilder::new();
            let preset: Option<String> = pargs.opt_value_from_str(["-p", "--preset"]).unwrap_or_default();
            let selected_preset;
-            match preset.as_deref() {
-                Some("owasp") => {
-                    selected_preset = "owasp";
-                    argon2_params.m_cost(19456);
-                    argon2_params.t_cost(2);
-                    argon2_params.p_cost(1);
-                }
-                _ => {
-                    // Bitwarden preset is the default
-                    selected_preset = "bitwarden";
-                    argon2_params.m_cost(65540);
-                    argon2_params.t_cost(3);
-                    argon2_params.p_cost(4);
-                }
+            if preset.as_deref() == Some("owasp") {
+                selected_preset = "owasp";
+                argon2_params.m_cost(19456);
+                argon2_params.t_cost(2);
+                argon2_params.p_cost(1);
+            } else {
+                // Bitwarden preset is the default
+                selected_preset = "bitwarden";
+                argon2_params.m_cost(65540);
+                argon2_params.t_cost(3);
+                argon2_params.p_cost(4);
            }

            println!("Generate an Argon2id PHC string using the '{selected_preset}' preset:\n");
@@ -202,6 +202,14 @@ fn parse_args() {
    }
 }

+fn install_rustls_crypto_provider() {
+    if rustls::crypto::CryptoProvider::get_default().is_none() {
+        rustls::crypto::ring::default_provider()
+            .install_default()
+            .expect("failed to install rustls ring crypto provider");
+    }
+}
+
 fn launch_info() {
    println!(
        "\
@@ -237,7 +245,7 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
        let level = caps
            .get(1)
            .and_then(|m| log::LevelFilter::from_str(m.as_str()).ok())
-            .ok_or(Error::new("Failed to parse global log level".to_string(), ""))?;
+            .ok_or(Error::new("Failed to parse global log level".to_owned(), ""))?;

        let levels_override: Vec<(&str, log::LevelFilter)> = caps
            .get(2)
@@ -246,13 +254,13 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
                    .split(',')
                    .collect::<Vec<&str>>()
                    .into_iter()
-                    .flat_map(|s| match s.split_once('=') {
+                    .filter_map(|s| match s.split_once('=') {
                        Some((log, lvl_str)) => log::LevelFilter::from_str(lvl_str).ok().map(|lvl| (log, lvl)),
                        _ => None,
                    })
                    .collect()
            })
-            .ok_or(Error::new("Failed to parse overrides".to_string(), ""))?;
+            .ok_or(Error::new("Failed to parse overrides".to_owned(), ""))?;

        (level, levels_override)
    } else {
@@ -328,7 +336,7 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
        ("vaultwarden::db::query_logger", log::LevelFilter::Off),
    ]);

-    for (path, level) in levels_override.into_iter() {
+    for (path, level) in levels_override {
        let _ = default_levels.insert(path, level);
    }

@@ -342,7 +350,7 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
    let mut logger = fern::Dispatch::new().level(level).chain(std::io::stdout());

    for (path, level) in default_levels {
-        logger = logger.level_for(path.to_string(), level);
+        logger = logger.level_for(path.to_owned(), level);
    }

    if CONFIG.extended_logging() {
@@ -353,7 +361,7 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
                record.target(),
                record.level(),
                message
-            ))
+            ));
        });
    } else {
        logger = logger.format(|out, message, _| out.finish(format_args!("{message}")));
@@ -558,6 +566,12 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>
    let basepath = &CONFIG.domain_path();

    let mut config = rocket::Config::from(rocket::Config::figment());
+
+    // We install our own signal handlers below; disable Rocket's built-in handlers
+    config.shutdown.ctrlc = false;
+    #[cfg(unix)]
+    config.shutdown.signals.clear();
+
    config.temp_dir = canonicalize(CONFIG.tmp_folder()).unwrap().into();
    config.cli_colors = false; // Make sure Rocket does not color any values for logging.
    config.limits = Limits::new()
@@ -589,17 +603,11 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>

    CONFIG.set_rocket_shutdown_handle(instance.shutdown());

-    tokio::spawn(async move {
-        tokio::signal::ctrl_c().await.expect("Error setting Ctrl-C handler");
-        info!("Exiting Vaultwarden!");
-        CONFIG.shutdown();
-    });
+    spawn_shutdown_signal_handler();

    #[cfg(all(unix, sqlite))]
    {
-        if db::ACTIVE_DB_TYPE.get() != Some(&db::DbConnType::Sqlite) {
-            debug!("PostgreSQL and MySQL/MariaDB do not support this backup feature, skip adding USR1 signal.");
-        } else {
+        if db::ACTIVE_DB_TYPE.get() == Some(&db::DbConnType::Sqlite) {
            tokio::spawn(async move {
                let mut signal_user1 = tokio::signal::unix::signal(SignalKind::user_defined1()).unwrap();
                loop {
@@ -612,6 +620,8 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>
                    }
                }
            });
+        } else {
+            debug!("PostgreSQL and MySQL/MariaDB do not support this backup feature, skip adding USR1 signal.");
        }
    }

@@ -621,6 +631,35 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>
    Ok(())
 }

+#[cfg(unix)]
+fn spawn_shutdown_signal_handler() {
+    tokio::spawn(async move {
+        use tokio::signal::unix::signal;
+
+        let mut sigint = signal(SignalKind::interrupt()).expect("Error setting SIGINT handler");
+        let mut sigterm = signal(SignalKind::terminate()).expect("Error setting SIGTERM handler");
+        let mut sigquit = signal(SignalKind::quit()).expect("Error setting SIGQUIT handler");
+
+        let signal_name = tokio::select! {
+            _ = sigint.recv() => "SIGINT",
+            _ = sigterm.recv() => "SIGTERM",
+            _ = sigquit.recv() => "SIGQUIT",
+        };
+
+        info!("Received {signal_name}, initiating graceful shutdown");
+        CONFIG.shutdown();
+    });
+}
+
+#[cfg(not(unix))]
+fn spawn_shutdown_signal_handler() {
+    tokio::spawn(async move {
+        tokio::signal::ctrl_c().await.expect("Error setting Ctrl-C handler");
+        info!("Received Ctrl-C, initiating graceful shutdown");
+        CONFIG.shutdown();
+    });
+}
+
 fn schedule_jobs(pool: db::DbPool) {
    if CONFIG.job_poll_interval_ms() == 0 {
        info!("Job scheduler disabled.");
@@ -630,7 +669,7 @@ fn schedule_jobs(pool: db::DbPool) {
    let runtime = tokio::runtime::Runtime::new().unwrap();

    thread::Builder::new()
-        .name("job-scheduler".to_string())
+        .name("job-scheduler".to_owned())
        .spawn(move || {
            use job_scheduler_ng::{Job, JobScheduler};
            let _runtime_guard = runtime.enter();
@@ -1,8 +1,8 @@
 use std::{net::IpAddr, num::NonZeroU32, sync::LazyLock, time::Duration};

-use governor::{clock::DefaultClock, state::keyed::DashMapStateStore, Quota, RateLimiter};
+use governor::{Quota, RateLimiter, clock::DefaultClock, state::keyed::DashMapStateStore};

-use crate::{Error, CONFIG};
+use crate::{CONFIG, Error};

 type Limiter<T = IpAddr> = RateLimiter<T, DashMapStateStore<T>, DefaultClock>;

@@ -20,7 +20,7 @@ static LIMITER_ADMIN: LazyLock<Limiter> = LazyLock::new(|| {

 pub fn check_limit_login(ip: &IpAddr) -> Result<(), Error> {
    match LIMITER_LOGIN.check_key(ip) {
-        Ok(_) => Ok(()),
+        Ok(()) => Ok(()),
        Err(_e) => {
            err_code!("Too many login requests", 429);
        }
@@ -29,7 +29,7 @@ pub fn check_limit_login(ip: &IpAddr) -> Result<(), Error> {

 pub fn check_limit_admin(ip: &IpAddr) -> Result<(), Error> {
    match LIMITER_ADMIN.check_key(ip) {
-        Ok(_) => Ok(()),
+        Ok(()) => Ok(()),
        Err(_e) => {
            err_code!("Too many admin requests", 429);
        }
@@ -6,18 +6,18 @@ use regex::Regex;
 use url::Url;

 use crate::{
+    CONFIG,
    api::ApiResult,
    auth,
-    auth::{AuthMethod, AuthTokens, TokenWrapper, BW_EXPIRATION, DEFAULT_REFRESH_VALIDITY},
+    auth::{AuthMethod, AuthTokens, BW_EXPIRATION, DEFAULT_REFRESH_VALIDITY, TokenWrapper},
    db::{
-        models::{Device, OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth, SsoUser, User},
        DbConn,
+        models::{Device, OIDCAuthenticatedUser, SsoAuth, SsoUser, User},
    },
    sso_client::Client,
-    CONFIG,
 };

-pub static FAKE_IDENTIFIER: &str = "VW_DUMMY_IDENTIFIER_FOR_OIDC";
+pub static FAKE_SSO_IDENTIFIER: &str = "00000000-01DC-01DC-01DC-000000000000";

 static SSO_JWT_ISSUER: LazyLock<String> = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));

@@ -123,7 +123,7 @@ pub fn encode_ssotoken_claims() -> String {
        nbf: time_now.timestamp(),
        exp: (time_now + chrono::TimeDelta::try_minutes(2).unwrap()).timestamp(),
        iss: SSO_JWT_ISSUER.to_string(),
-        sub: "vaultwarden".to_string(),
+        sub: "vaultwarden".to_owned(),
    };

    auth::encode_jwt(&claims)
@@ -171,12 +171,14 @@ fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenCla
 }

 pub fn decode_state(base64_state: &str) -> ApiResult<OIDCState> {
-    let state = match data_encoding::BASE64.decode(base64_state.as_bytes()) {
-        Ok(vec) => match String::from_utf8(vec) {
-            Ok(valid) => OIDCState(valid),
-            Err(_) => err!(format!("Invalid utf8 chars in {base64_state} after base64 decoding")),
-        },
-        Err(_) => err!(format!("Failed to decode {base64_state} using base64")),
+    let state = if let Ok(vec) = data_encoding::BASE64.decode(base64_state.as_bytes()) {
+        if let Ok(valid) = String::from_utf8(vec) {
+            OIDCState(valid)
+        } else {
+            err!(format!("Invalid utf8 chars in {base64_state} after base64 decoding"))
+        }
+    } else {
+        err!(format!("Failed to decode {base64_state} using base64"))
    };

    Ok(state)
@@ -188,22 +190,26 @@ pub async fn authorize_url(
    client_challenge: OIDCCodeChallenge,
    client_id: &str,
    raw_redirect_uri: &str,
+    binding_hash: Option<String>,
    conn: DbConn,
 ) -> ApiResult<Url> {
    let redirect_uri = match client_id {
        "web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
-        "desktop" | "mobile" => "bitwarden://sso-callback".to_string(),
+        "desktop" | "mobile" => "bitwarden://sso-callback".to_owned(),
        "cli" => {
            let port_regex = Regex::new(r"^http://localhost:([0-9]{4})$").unwrap();
-            match port_regex.captures(raw_redirect_uri).and_then(|captures| captures.get(1).map(|c| c.as_str())) {
-                Some(port) => format!("http://localhost:{port}"),
-                None => err!("Failed to extract port number"),
+            if let Some(port) =
+                port_regex.captures(raw_redirect_uri).and_then(|captures| captures.get(1).map(|c| c.as_str()))
+            {
+                format!("http://localhost:{port}")
+            } else {
+                err!("Failed to extract port number")
            }
        }
        _ => err!(format!("Unsupported client {client_id}")),
    };

-    let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri).await?;
+    let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri, binding_hash).await?;
    sso_auth.save(&conn).await?;
    Ok(auth_url)
 }
@@ -239,33 +245,32 @@ impl OIDCIdentifier {
 //  - second time we will rely on `SsoAuth.auth_response` since the `code` has already been exchanged.
 // The `SsoAuth` will ensure that the user is authorized only once.
 pub async fn exchange_code(
-    state: &OIDCState,
+    code: &OIDCCode,
    client_verifier: OIDCCodeVerifier,
    conn: &DbConn,
 ) -> ApiResult<(SsoAuth, OIDCAuthenticatedUser)> {
    use openidconnect::OAuth2TokenResponse;

-    let mut sso_auth = match SsoAuth::find(state, conn).await {
-        None => err!(format!("Invalid state cannot retrieve sso auth")),
-        Some(sso_auth) => sso_auth,
+    let Some(mut sso_auth) = SsoAuth::find_by_code(code, conn).await else {
+        err!("Invalid code cannot retrieve sso auth")
    };

    if let Some(authenticated_user) = sso_auth.auth_response.clone() {
        return Ok((sso_auth, authenticated_user));
    }

-    let code = match sso_auth.code_response.clone() {
-        Some(OIDCCodeWrapper::Ok {
-            code,
-        }) => code.clone(),
-        Some(OIDCCodeWrapper::Error {
-            error,
-            error_description,
-        }) => {
+    let code = match (sso_auth.code_response.clone(), sso_auth.code_response_error.as_ref()) {
+        (Some(code), None) => code,
+        (_, Some(re)) => {
+            let error_msg = format!(
+                "SSO authorization failed: {}, {}",
+                re.error,
+                re.error_description.as_ref().unwrap_or(&String::new())
+            );
            sso_auth.delete(conn).await?;
-            err!(format!("SSO authorization failed: {error}, {}", error_description.as_ref().unwrap_or(&String::new())))
+            err!(error_msg);
        }
-        None => {
+        (None, _) => {
            sso_auth.delete(conn).await?;
            err!("Missing authorization provider return");
        }
@@ -283,10 +288,10 @@ pub async fn exchange_code(

    let email_verified = id_claims.email_verified().or(user_info.email_verified());

-    let user_name = id_claims.preferred_username().map(|un| un.to_string());
+    let user_name = id_claims.preferred_username().or(user_info.preferred_username()).map(|un| un.to_string());

-    let refresh_token = token_response.refresh_token().map(|t| t.secret());
-    if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_string()) {
+    let refresh_token = token_response.refresh_token().map(openidconnect::RefreshToken::secret);
+    if refresh_token.is_none() && CONFIG.sso_scopes_vec().contains(&"offline_access".to_owned()) {
        error!("Scope offline_access is present but response contain no refresh_token");
    }

@@ -330,7 +335,9 @@ pub async fn redeem(
        user_sso.save(conn).await?;
    }

-    if !CONFIG.sso_auth_only_not_session() {
+    if CONFIG.sso_auth_only_not_session() {
+        Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id))
+    } else {
        let now = Utc::now();

        let (ap_nbf, ap_exp) =
@@ -343,9 +350,7 @@ pub async fn redeem(
        let access_claims =
            auth::LoginJwtClaims::new(device, user, ap_nbf, ap_exp, AuthMethod::Sso.scope_vec(), client_id, now);

-        _create_auth_tokens(device, auth_user.refresh_token, access_claims, auth_user.access_token)
-    } else {
-        Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id))
+        create_auth_tokens_impl(device, auth_user.refresh_token, access_claims, auth_user.access_token)
    }
 }

@@ -359,7 +364,9 @@ pub fn create_auth_tokens(
    access_token: String,
    expires_in: Option<Duration>,
 ) -> ApiResult<AuthTokens> {
-    if !CONFIG.sso_auth_only_not_session() {
+    if CONFIG.sso_auth_only_not_session() {
+        Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id))
+    } else {
        let now = Utc::now();

        let (ap_nbf, ap_exp) = match (decode_token_claims("access_token", &access_token), expires_in) {
@@ -371,13 +378,11 @@ pub fn create_auth_tokens(
        let access_claims =
            auth::LoginJwtClaims::new(device, user, ap_nbf, ap_exp, AuthMethod::Sso.scope_vec(), client_id, now);

-        _create_auth_tokens(device, refresh_token, access_claims, access_token)
-    } else {
-        Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id))
+        create_auth_tokens_impl(device, refresh_token, access_claims, access_token)
    }
 }

-fn _create_auth_tokens(
+fn create_auth_tokens_impl(
    device: &Device,
    refresh_token: Option<String>,
    access_claims: auth::LoginJwtClaims,
@@ -461,7 +466,7 @@ pub async fn exchange_refresh_token(
                now,
            );

-            _create_auth_tokens(device, None, access_claims, access_token)
+            create_auth_tokens_impl(device, None, access_claims, access_token)
        }
        None => err!("No token present while in SSO"),
    }
@@ -1,21 +1,39 @@
-use std::{borrow::Cow, sync::LazyLock, time::Duration};
+use std::{borrow::Cow, future::Future, pin::Pin, sync::LazyLock, time::Duration};

-use mini_moka::sync::Cache;
-use openidconnect::{core::*, reqwest, *};
+use openidconnect::{
+    AccessToken, AsyncHttpClient, AuthDisplay, AuthPrompt, AuthenticationFlow, AuthorizationCode, AuthorizationRequest,
+    ClientId, ClientSecret, CsrfToken, EmptyAdditionalClaims, EmptyExtraTokenFields, EndpointNotSet, EndpointSet,
+    HttpClientError, HttpRequest, HttpResponse, IdTokenClaims, IdTokenFields, Nonce, OAuth2TokenResponse,
+    PkceCodeChallenge, PkceCodeVerifier, RefreshToken, ResponseType, Scope, StandardErrorResponse,
+    StandardTokenResponse,
+    core::{
+        CoreAuthDisplay, CoreAuthPrompt, CoreClient, CoreErrorResponseType, CoreGenderClaim, CoreIdTokenVerifier,
+        CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm, CoreProviderMetadata,
+        CoreResponseType, CoreRevocableToken, CoreRevocationErrorResponse, CoreTokenIntrospectionResponse,
+        CoreTokenResponse, CoreTokenType, CoreUserInfoClaims,
+    },
+    http, url,
+};
 use regex::Regex;
 use url::Url;

 use crate::{
+    CONFIG,
    api::{ApiResult, EmptyResult},
    db::models::SsoAuth,
+    http_client::get_reqwest_client_builder,
    sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
-    CONFIG,
 };

-static CLIENT_CACHE_KEY: LazyLock<String> = LazyLock::new(|| "sso-client".to_string());
-static CLIENT_CACHE: LazyLock<Cache<String, Client>> = LazyLock::new(|| {
-    Cache::builder().max_capacity(1).time_to_live(Duration::from_secs(CONFIG.sso_client_cache_expiration())).build()
+static CLIENT_CACHE_KEY: LazyLock<String> = LazyLock::new(|| "sso-client".to_owned());
+static CLIENT_CACHE: LazyLock<moka::sync::Cache<String, Client>> = LazyLock::new(|| {
+    moka::sync::Cache::builder()
+        .max_capacity(1)
+        .time_to_live(Duration::from_secs(CONFIG.sso_client_cache_expiration()))
+        .build()
 });
+static REFRESH_CACHE: LazyLock<moka::future::Cache<String, Result<RefreshTokenResponse, String>>> =
+    LazyLock::new(|| moka::future::Cache::builder().max_capacity(1000).time_to_live(Duration::from_secs(30)).build());

 /// OpenID Connect Core client.
 pub type CustomClient = openidconnect::Client<
@@ -38,21 +56,55 @@ pub type CustomClient = openidconnect::Client<
    EndpointSet,
 >;

+pub type RefreshTokenResponse = (Option<String>, String, Option<Duration>);
+
 #[derive(Clone)]
 pub struct Client {
-    pub http_client: reqwest::Client,
+    pub http_client: OidcHttpClient,
    pub core_client: CustomClient,
 }

+#[derive(Clone)]
+pub struct OidcHttpClient {
+    client: reqwest::Client,
+}
+
+impl OidcHttpClient {
+    fn new() -> Result<Self, reqwest::Error> {
+        get_reqwest_client_builder().redirect(reqwest::redirect::Policy::none()).build().map(|client| Self {
+            client,
+        })
+    }
+}
+
+impl<'c> AsyncHttpClient<'c> for OidcHttpClient {
+    type Error = HttpClientError<reqwest::Error>;
+    type Future = Pin<Box<dyn Future<Output = Result<HttpResponse, Self::Error>> + Send + Sync + 'c>>;
+
+    fn call(&'c self, request: HttpRequest) -> Self::Future {
+        Box::pin(async move {
+            let response = self.client.execute(request.try_into().map_err(Box::new)?).await.map_err(Box::new)?;
+
+            let mut builder = http::Response::builder().status(response.status()).version(response.version());
+
+            for (name, value) in response.headers() {
+                builder = builder.header(name, value);
+            }
+
+            builder.body(response.bytes().await.map_err(Box::new)?.to_vec()).map_err(HttpClientError::Http)
+        })
+    }
+}
+
 impl Client {
    // Call the OpenId discovery endpoint to retrieve configuration
-    async fn _get_client() -> ApiResult<Self> {
+    async fn get_client() -> ApiResult<Self> {
        let client_id = ClientId::new(CONFIG.sso_client_id());
        let client_secret = ClientSecret::new(CONFIG.sso_client_secret());

        let issuer_url = CONFIG.sso_issuer_url()?;

-        let http_client = match reqwest::ClientBuilder::new().redirect(reqwest::redirect::Policy::none()).build() {
+        let http_client = match OidcHttpClient::new() {
            Err(err) => err!(format!("Failed to build http client: {err}")),
            Ok(client) => client,
        };
@@ -64,14 +116,16 @@ impl Client {

        let base_client = CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret));

-        let token_uri = match base_client.token_uri() {
-            Some(uri) => uri.clone(),
-            None => err!("Failed to discover token_url, cannot proceed"),
+        let token_uri = if let Some(uri) = base_client.token_uri() {
+            uri.clone()
+        } else {
+            err!("Failed to discover token_url, cannot proceed")
        };

-        let user_info_url = match base_client.user_info_url() {
-            Some(url) => url.clone(),
-            None => err!("Failed to discover user_info url, cannot proceed"),
+        let user_info_url = if let Some(url) = base_client.user_info_url() {
+            url.clone()
+        } else {
+            err!("Failed to discover user_info url, cannot proceed")
        };

        let core_client = base_client
@@ -90,13 +144,13 @@ impl Client {
        if CONFIG.sso_client_cache_expiration() > 0 {
            match CLIENT_CACHE.get(&*CLIENT_CACHE_KEY) {
                Some(client) => Ok(client),
-                None => Self::_get_client().await.inspect(|client| {
+                None => Self::get_client().await.inspect(|client| {
                    debug!("Inserting new client in cache");
                    CLIENT_CACHE.insert(CLIENT_CACHE_KEY.clone(), client.clone());
                }),
            }
        } else {
-            Self::_get_client().await
+            Self::get_client().await
        }
    }

@@ -111,6 +165,7 @@ impl Client {
        state: OIDCState,
        client_challenge: OIDCCodeChallenge,
        redirect_uri: String,
+        binding_hash: Option<String>,
    ) -> ApiResult<(Url, SsoAuth)> {
        let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
        let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());
@@ -133,7 +188,7 @@ impl Client {
        }

        let (auth_url, _, nonce) = auth_req.url();
-        Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri)))
+        Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri, binding_hash)))
    }

    pub async fn exchange_code(
@@ -174,15 +229,14 @@ impl Client {
            Ok(token_response) => {
                let oidc_nonce = Nonce::new(sso_auth.nonce.clone());

-                let id_token = match token_response.extra_fields().id_token() {
-                    None => err!("Token response did not contain an id_token"),
-                    Some(token) => token,
+                let Some(id_token) = token_response.extra_fields().id_token() else {
+                    err!("Token response did not contain an id_token")
                };

                if CONFIG.sso_debug_tokens() {
                    debug!("Id token: {}", id_token.to_string());
                    debug!("Access token: {}", token_response.access_token().secret());
-                    debug!("Refresh token: {:?}", token_response.refresh_token().map(|t| t.secret()));
+                    debug!("Refresh token: {:?}", token_response.refresh_token().map(RefreshToken::secret));
                    debug!("Expiration time: {:?}", token_response.expires_in());
                }

@@ -231,23 +285,29 @@ impl Client {
        verifier
    }

-    pub async fn exchange_refresh_token(
-        refresh_token: String,
-    ) -> ApiResult<(Option<String>, String, Option<Duration>)> {
+    pub async fn exchange_refresh_token(refresh_token: String) -> ApiResult<RefreshTokenResponse> {
+        let client = Client::cached().await?;
+
+        REFRESH_CACHE
+            .get_with(refresh_token.clone(), async move { client.exchange_refresh_token_impl(refresh_token).await })
+            .await
+            .map_err(Into::into)
+    }
+
+    async fn exchange_refresh_token_impl(&self, refresh_token: String) -> Result<RefreshTokenResponse, String> {
        let rt = RefreshToken::new(refresh_token);

-        let client = Client::cached().await?;
-        let token_response =
-            match client.core_client.exchange_refresh_token(&rt).request_async(&client.http_client).await {
-                Err(err) => err!(format!("Request to exchange_refresh_token endpoint failed: {:?}", err)),
-                Ok(token_response) => token_response,
-            };
-
-        Ok((
-            token_response.refresh_token().map(|token| token.secret().clone()),
-            token_response.access_token().secret().clone(),
-            token_response.expires_in(),
-        ))
+        match self.core_client.exchange_refresh_token(&rt).request_async(&self.http_client).await {
+            Err(err) => {
+                error!("Request to exchange_refresh_token endpoint failed: {err}");
+                Err(format!("Request to exchange_refresh_token endpoint failed: {err}"))
+            }
+            Ok(token_response) => Ok((
+                token_response.refresh_token().map(|token| token.secret().clone()),
+                token_response.access_token().secret().clone(),
+                token_response.expires_in(),
+            )),
+        }
    }
 }

--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`ALTER TABLE sso_auth DROP COLUMN binding_hash;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE sso_auth DROP COLUMN code_response_error;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE sso_auth ADD COLUMN code_response_error TEXT;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE sso_auth DROP COLUMN IF EXISTS code_response_error;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE sso_auth ADD COLUMN IF NOT EXISTS code_response_error TEXT;`