Merge pull request #804 from publicarray/master

Improve Github Actions Workflow

.env.template

@@ -21,6 +21,10 @@
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false
 
+## Client IP Header, used to identify the IP of the client, defaults to "X-Client-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Client-IP
+
 ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
@@ -37,14 +41,10 @@
 # WEBSOCKET_ADDRESS=0.0.0.0
 # WEBSOCKET_PORT=3012
 
-## Enable extended logging
-## This shows timestamps and allows logging to file and to syslog
-### To enable logging to file, use the LOG_FILE env variable
-### To enable syslog, use the USE_SYSLOG env variable
+## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true
 
 ## Logging to file
-## This requires extended logging
 ## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # LOG_FILE=/path/to/log
 
@@ -56,7 +56,8 @@
 ## Log level
 ## Change the verbosity of the log output
 ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
-## This requires extended logging
+## Setting it to "trace" or "debug" would also show logs for mounted 
+## routes and static file, websocket and alive requests
 # LOG_LEVEL=Info
 
 ## Enable WAL for the DB
@@ -83,6 +84,10 @@
 ## Useful to hide other servers in the local network. Check the WIKI for more details
 # ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
 
+## Any IP which is not defined as a global IP will be blacklisted.
+## Usefull to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+# ICON_BLACKLIST_NON_GLOBAL_IPS=true
+
 ## Disable 2FA remember
 ## Enabling this would force the users to use a second factor to login every time.
 ## Note that the checkbox would still be present, but ignored.
@@ -91,10 +96,31 @@
 ## Controls if new users can register
 # SIGNUPS_ALLOWED=true
 
+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
 ## Token for the admin interface, preferably use a long random string
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
 # DISABLE_ADMIN_TOKEN=false
 
 ## Invitations org admins to invite users, even when signups are disabled
@@ -133,6 +159,18 @@
 ## After that, you should be able to follow the rest of the guide linked above,
 ## ignoring the fields that ask for the values that you already configured beforehand.
 
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+## 
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
+
 ## Rocket specific settings, check Rocket documentation to learn more
 # ROCKET_ENV=staging
 # ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
@@ -150,3 +188,6 @@
 # SMTP_USERNAME=username
 # SMTP_PASSWORD=password
 # SMTP_AUTH_MECHANISM="Plain"
+# SMTP_TIMEOUT=15
+
+# vim: syntax=ini

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: dani-garcia

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,33 @@
+<!--
+Please fill out the following template to make solving your problem easier and faster for us.
+This is only a guideline. If you think that parts are unneccessary for your issue, feel free to remove them.
+
+Remember to hide/obfuscate personal and confidential information, 
+such as names, global IP/DNS adresses and especially passwords, if neccessary.
+-->
+
+### Subject of the issue
+<!-- Describe your issue here.-->
+
+### Your environment
+<!-- The version number, obtained from the logs or the admin page -->
+* Bitwarden_rs version: 
+<!-- How the server was installed: Docker image / package / built from source -->
+* Install method: 
+* Clients used: <!-- if applicable -->
+* Reverse proxy and version: <!-- if applicable -->
+* Version of mysql/postgresql: <!-- if applicable -->
+* Other relevant information: 
+
+### Steps to reproduce
+<!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults)
+and how did you start bitwarden_rs? -->
+
+### Expected behaviour
+<!-- Tell us what should happen -->
+
+### Actual behaviour
+<!-- Tell us what happens instead -->
+
+### Relevant logs
+<!-- Share some logfiles, screenshots or output of relevant programs with us. -->

.github/workflows/rust-win.yml.disabled

@@ -0,0 +1,70 @@
+name: build-windows
+
+on: [push, pull_request]
+
+jobs:
+  build:
+
+    runs-on: windows-latest
+
+    strategy:
+      matrix:
+        db-backend: [sqlite, mysql, postgresql]
+
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Cache choco cache
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~\AppData\Local\Temp\chocolatey
+        key: ${{ runner.os }}-choco-cache
+
+    - name: Install dependencies
+      run: choco install openssl sqlite postgresql12 mysql
+
+    - name: Cache cargo registry
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/registry
+        key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo index
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/git
+        key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo build
+      uses: actions/cache@v1.0.3
+      with:
+        path: target
+        key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+
+    - name: Install latest nightly
+      uses: actions-rs/toolchain@v1
+      with:
+        toolchain: nightly
+        override: true
+        profile: minimal
+        target: x86_64-pc-windows-msvc
+
+    - name: Build
+      run: cargo.exe build --verbose --features ${{ matrix.db-backend }} --release --target x86_64-pc-windows-msvc
+      env:
+        OPENSSL_DIR: C:\Program Files\OpenSSL-Win64\
+
+    - name: Run tests
+      run: cargo test --features ${{ matrix.db-backend }}
+
+    - name: Upload windows artifact
+      uses: actions/upload-artifact@v1.0.0
+      with:
+        name: x86_64-pc-windows-msvc-${{ matrix.db-backend }}-bitwarden_rs
+        path: target/release/bitwarden_rs.exe
+
+    - name: Release
+      uses: Shopify/upload-to-release@1.0.0
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        name: x86_64-pc-windows-msvc-${{ matrix.db-backend }}-bitwarden_rs
+        path: target/release/bitwarden_rs.exe
+        repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/workspace.yml

@@ -0,0 +1,149 @@
+name: Workflow
+
+on:
+  push:
+    paths-ignore:
+      - "**.md"
+  pull_request:
+    paths-ignore:
+      - "**.md"
+
+jobs:
+  build:
+    name: Build
+    strategy:
+      fail-fast: false
+      matrix:
+        db-backend: [sqlite, mysql, postgresql]
+        target:
+          - x86_64-unknown-linux-gnu
+          # - x86_64-unknown-linux-musl
+          - x86_64-apple-darwin
+          # - x86_64-pc-windows-msvc
+        include:
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+            ext:
+          # - target: x86_64-unknown-linux-musl
+          #   os: ubuntu-latest
+          #   ext:
+          - target: x86_64-apple-darwin
+            os: macOS-latest
+            ext:
+          # - target: x86_64-pc-windows-msvc
+          #   os: windows-latest
+          #   ext: .exe
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v1
+
+    # - name: Cache choco cache
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'windows-latest'
+    #   with:
+    #     path: ~\AppData\Local\Temp\chocolatey
+    #     key: ${{ runner.os }}-choco-cache-${{ matrix.db-backend }}
+
+    - name: Cache vcpkg installed
+      uses: actions/cache@v1.0.3
+      if: matrix.os == 'windows-latest'
+      with:
+        path: $VCPKG_ROOT/installed
+        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    - name: Cache vcpkg downloads
+      uses: actions/cache@v1.0.3
+      if: matrix.os == 'windows-latest'
+      with:
+        path: $VCPKG_ROOT/downloads
+        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    # - name: Cache homebrew
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'macOS-latest'
+    #   with:
+    #     path: ~/Library/Caches/Homebrew
+    #     key: ${{ runner.os }}-brew-cache
+
+    # - name: Cache apt
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'ubuntu-latest'
+    #   with:
+    #     path: /var/cache/apt/archives
+    #     key: ${{ runner.os }}-apt-cache
+
+    # Install dependencies
+    - name: Install dependencies macOS
+      run: brew update; brew install openssl sqlite libpq mysql
+      if: matrix.os == 'macOS-latest'
+
+    - name: Install dependencies Ubuntu
+      run: sudo apt-get update && sudo apt-get install --no-install-recommends openssl sqlite libpq-dev libmysql++-dev
+      if: matrix.os == 'ubuntu-latest'
+
+    - name: Install dependencies Windows
+      run: vcpkg integrate install; vcpkg install sqlite3:x64-windows openssl:x64-windows libpq:x64-windows libmysql:x64-windows
+      if: matrix.os == 'windows-latest'
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+    # End Install dependencies
+
+    # Install rust nightly toolchain
+    - name: Cache cargo registry
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/registry
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo index
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/git
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo build
+      uses: actions/cache@v1.0.3
+      with:
+        path: target
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+
+    - name: Install latest nightly
+      uses: actions-rs/toolchain@v1
+      with:
+        toolchain: nightly
+        override: true
+        profile: minimal
+        target: ${{ matrix.target }}
+
+    # Build
+    - name: Build Win
+      if: matrix.os == 'windows-latest'
+      run: cargo.exe build --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
+      env:
+        RUSTFLAGS: -Ctarget-feature=+crt-static
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    - name: Build macOS / Ubuntu
+      if: matrix.os == 'macOS-latest' || matrix.os == 'ubuntu-latest'
+      run: cargo build --verbose --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
+
+    # Test
+    - name: Run tests
+      run: cargo test --features ${{ matrix.db-backend }}
+
+    # Upload & Release
+    - name: Upload artifact
+      uses: actions/upload-artifact@v1.0.0
+      with:
+        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
+        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
+
+    - name: Release
+      uses: Shopify/upload-to-release@1.0.0
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
+        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
+        repo-token: ${{ secrets.GITHUB_TOKEN }}

.travis.yml

@@ -11,10 +11,11 @@ cache: cargo
 before_install:
   - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
   - sudo chmod +rx /usr/local/bin/hadolint
+  - rustup set profile minimal
 
 # Nothing to install
 install: true
 script:
 - git ls-files --exclude='Dockerfile*' --ignored | xargs --max-lines=1 hadolint
-- cargo build --features "sqlite"
-- cargo build --features "mysql"
+- cargo test --features "sqlite"
+- cargo test --features "mysql"

Cargo.toml

@@ -14,6 +14,7 @@ build = "build.rs"
 # Empty to keep compatibility, prefer to set USE_SYSLOG=true
 enable_syslog = []
 mysql = ["diesel/mysql", "diesel_migrations/mysql"]
+postgresql = ["diesel/postgres", "diesel_migrations/postgres", "openssl"]
 sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
 
 [target."cfg(not(windows))".dependencies]
@@ -25,44 +26,44 @@ rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
 rocket_contrib = "0.5.0-dev"
 
 # HTTP client
-reqwest = "0.9.19"
+reqwest = "0.9.24"
 
 # multipart/form-data support
 multipart = { version = "0.16.1", features = ["server"], default-features = false }
 
 # WebSockets library
-ws = "0.9.0"
+ws = "0.9.1"
 
 # MessagePack library
-rmpv = "0.4.0"
+rmpv = "0.4.3"
 
 # Concurrent hashmap implementation
 chashmap = "2.2.2"
 
 # A generic serialization/deserialization framework
-serde = "1.0.99"
-serde_derive = "1.0.99"
-serde_json = "1.0.40"
+serde = "1.0.104"
+serde_derive = "1.0.104"
+serde_json = "1.0.44"
 
 # Logging
 log = "0.4.8"
-fern = { version = "0.5.8", features = ["syslog-4"] }
+fern = { version = "0.5.9", features = ["syslog-4"] }
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "1.4.2", features = [ "chrono", "r2d2"] }
+diesel = { version = "1.4.3", features = [ "chrono", "r2d2"] }
 diesel_migrations = "1.4.0"
 
 # Bundled SQLite                                           
-libsqlite3-sys = { version = "0.12.0", features = ["bundled"], optional = true }
+libsqlite3-sys = { version = "0.16.0", features = ["bundled"], optional = true }
 
 # Crypto library
 ring = "0.14.6"
 
 # UUID generation
-uuid = { version = "0.7.4", features = ["v4"] }
+uuid = { version = "0.8.1", features = ["v4"] }
 
 # Date and time library for Rust
-chrono = "0.4.7"
+chrono = "0.4.10"
 
 # TOTP library
 oath = "0.10.2"
@@ -77,20 +78,20 @@ jsonwebtoken = "6.0.1"
 u2f = "0.1.6"
 
 # Yubico Library
-yubico = { version = "0.6.1", features = ["online", "online-tokio"], default-features = false }
+yubico = { version = "0.7.1", features = ["online-tokio"], default-features = false }
 
 # A `dotenv` implementation for Rust
-dotenv = { version = "0.14.1", default-features = false }
+dotenv = { version = "0.15.0", default-features = false }
 
 # Lazy static macro
-lazy_static = "1.3.0"
+lazy_static = "1.4.0"
 
 # More derives
-derive_more = "0.15.0"
+derive_more = "0.99.2"
 
 # Numerical libraries
-num-traits = "0.2.8"
-num-derive = "0.2.5"
+num-traits = "0.2.10"
+num-derive = "0.3.0"
 
 # Email libraries
 lettre = "0.9.2"
@@ -99,19 +100,27 @@ native-tls = "0.2.3"
 quoted_printable = "0.4.1"
 
 # Template library
-handlebars = "2.0.1"
+handlebars = "=2.0.2"
 
 # For favicon extraction from main website
 soup = "0.4.1"
-regex = "1.2.1"
+regex = "1.3.1"
+data-url = "0.1.0"
+
+# Required for SSL support for PostgreSQL
+openssl = { version = "0.10.26", optional = true }
 
 # URL encoding library
 percent-encoding = "2.1.0"
 
 [patch.crates-io]
-# Add support for Timestamp type
-rmp = { git = 'https://github.com/dani-garcia/msgpack-rust' }
-
 # Use newest ring
-rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dbcb0a75b9556763ac3ab708f40c8f8ed75f1a1e' }
-rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dbcb0a75b9556763ac3ab708f40c8f8ed75f1a1e' }
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'b95b6765e1cc8be7c1e7eaef8a9d9ad940b0ac13' }
+rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'b95b6765e1cc8be7c1e7eaef8a9d9ad940b0ac13' }
+
+# Use git version for timeout fix #706
+lettre = { git = 'https://github.com/lettre/lettre', rev = '24d694db3be017d82b1cdc8bf9da601420b31bb0' }
+lettre_email = { git = 'https://github.com/lettre/lettre', rev = '24d694db3be017d82b1cdc8bf9da601420b31bb0' }
+
+# For favicon extraction from main website
+data-url = { git = 'https://github.com/servo/rust-url', package="data-url", rev = '7f1bd6ce1c2fde599a757302a843a60e714c5f72' }

README.md

@@ -50,6 +50,11 @@ See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) fo
 
 ## Get in touch
 
-To ask an question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine, also please report any bugs spotted here.
+To ask a question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine. Please also report any bugs spotted here.
 
 If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!
+
+### Sponsors
+Thanks for your contribution to the project!
+
+- [@Skaronator](https://github.com/Skaronator)

azure-pipelines.yml

@@ -4,7 +4,7 @@ pool:
 steps:
 - script: |
     ls -la
-    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain)
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain) --profile=minimal
     echo "##vso[task.prependpath]$HOME/.cargo/bin"
   displayName: 'Install Rust'
 
@@ -18,8 +18,8 @@ steps:
     cargo -V
   displayName: Query rust and cargo versions
 
-- script : cargo build --features "sqlite"
-  displayName: 'Build project with sqlite backend'
+- script : cargo test --features "sqlite"
+  displayName: 'Test project with sqlite backend'
 
-- script : cargo build --features "mysql"
-  displayName: 'Build project with mysql backend'
+- script : cargo test --features "mysql"
+  displayName: 'Test project with mysql backend'

build.rs

@@ -2,9 +2,13 @@ use std::process::Command;
 
 fn main() {
     #[cfg(all(feature = "sqlite", feature = "mysql"))]
-    compile_error!("Can't enable both backends");
+    compile_error!("Can't enable both sqlite and mysql at the same time");
+    #[cfg(all(feature = "sqlite", feature = "postgresql"))]
+    compile_error!("Can't enable both sqlite and postgresql at the same time");
+    #[cfg(all(feature = "mysql", feature = "postgresql"))]
+    compile_error!("Can't enable both mysql and postgresql at the same time");
 
-    #[cfg(not(any(feature = "sqlite", feature = "mysql")))]
+    #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
     compile_error!("You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite");
 
     read_git_info().ok();

docker/aarch64/mysql/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,11 +23,14 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Don't download rust docs
+RUN rustup set profile minimal
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -63,12 +66,12 @@ COPY . .
 
 # Build
 RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/aarch64-debian:stretch
+FROM balenalib/aarch64-debian:buster
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -81,6 +84,7 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
+    curl \
     libmariadbclient-dev \
  && rm -rf /var/lib/apt/lists/*
 
@@ -97,5 +101,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/aarch64/sqlite/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,11 +23,14 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set sqlite as default for DB ARG for backward comaptibility
 ARG DB=sqlite
 
+# Don't download rust docs
+RUN rustup set profile minimal
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -49,8 +52,7 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
     && apt-get install -y \
         --no-install-recommends \
         libssl-dev:arm64 \
-        libc6-dev:arm64 \
-        libmariadb-dev:arm64
+        libc6-dev:arm64
 
 ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
 ENV CROSS_COMPILE="1"
@@ -63,12 +65,12 @@ COPY . .
 
 # Build
 RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/aarch64-debian:stretch
+FROM balenalib/aarch64-debian:buster
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -81,7 +83,8 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
-    libmariadbclient-dev \
+    curl \
+    sqlite3 \
  && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir /data
@@ -97,5 +100,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/mysql/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,16 +23,13 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3\
-# && rm -rf /var/lib/apt/lists/*
+# Don't download rust docs
+RUN rustup set profile minimal
 
 # Install MySQL package
 RUN apt-get update && apt-get install -y \
@@ -69,7 +66,7 @@ RUN cargo build --features ${DB} --release
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM debian:stretch-slim
+FROM debian:buster-slim
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -80,6 +77,7 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
+    curl \
     libmariadbclient-dev \
     && rm -rf /var/lib/apt/lists/*
 
@@ -94,5 +92,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build app/target/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/mysql/Dockerfile.alpine

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -22,11 +22,14 @@ RUN ls
 
 ########################## BUILD IMAGE  ##########################
 # Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-07-08 as build
+FROM clux/muslrust:nightly-2019-12-19 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Don't download rust docs
+RUN rustup set profile minimal
+
 ENV USER "root"
 
 # Install needed libraries
@@ -52,7 +55,7 @@ RUN cargo build --features ${DB} --release
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.10
+FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -63,6 +66,7 @@ ENV SSL_CERT_DIR=/etc/ssl/certs
 RUN apk add --no-cache \
         openssl \
         mariadb-connector-c \
+        curl \
         ca-certificates
 
 RUN mkdir /data
@@ -76,5 +80,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/postgresql/Dockerfile

@@ -0,0 +1,108 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.11 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.40 as build
+
+# set mysql backend
+ARG DB=postgresql
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Using bundled SQLite, no need to install it
+# RUN apt-get update && apt-get install -y\
+#    --no-install-recommends \
+#    sqlite3\
+# && rm -rf /var/lib/apt/lists/*
+
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:buster-slim
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build app/target/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/postgresql/Dockerfile.alpine

@@ -0,0 +1,90 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.11 as vault
+
+ENV VAULT_VERSION "v2.12.0b"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# Musl build image for statically compiled binary
+FROM clux/muslrust:nightly-2019-12-19 as build
+
+# set postgresql backend
+ARG DB=postgresql
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+ENV USER "root"
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Build
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.11
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        postgresql-libs \
+        curl \
+        sqlite \
+        ca-certificates
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/sqlite/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,22 +23,13 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set sqlite as default for DB ARG for backward comaptibility
 ARG DB=sqlite
 
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3 \
-# && rm -rf /var/lib/apt/lists/*
-
-# Install MySQL package
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libmariadb-dev \
-    && rm -rf /var/lib/apt/lists/*
+# Don't download rust docs
+RUN rustup set profile minimal
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin app
@@ -69,7 +60,7 @@ RUN cargo build --features ${DB} --release
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM debian:stretch-slim
+FROM debian:buster-slim
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -80,7 +71,8 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
-    libmariadbclient-dev \
+    curl \
+    sqlite3 \
     && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir /data
@@ -94,5 +86,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build app/target/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/amd64/sqlite/Dockerfile.alpine

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -22,18 +22,15 @@ RUN ls
 
 ########################## BUILD IMAGE  ##########################
 # Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-07-08 as build
+FROM clux/muslrust:nightly-2019-12-19 as build
 
 # set sqlite as default for DB ARG for backward comaptibility
 ARG DB=sqlite
 
-ENV USER "root"
+# Don't download rust docs
+RUN rustup set profile minimal
 
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libmysqlclient-dev \
-    && rm -rf /var/lib/apt/lists/*
+ENV USER "root"
 
 WORKDIR /app
 
@@ -52,7 +49,7 @@ RUN cargo build --features ${DB} --release
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.10
+FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -62,7 +59,8 @@ ENV SSL_CERT_DIR=/etc/ssl/certs
 # Install needed libraries
 RUN apk add --no-cache \
         openssl \
-        mariadb-connector-c \
+        curl \
+        sqlite \
         ca-certificates
 
 RUN mkdir /data
@@ -76,5 +74,11 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv6/mysql/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,11 +23,14 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Don't download rust docs
+RUN rustup set profile minimal
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -63,12 +66,12 @@ COPY . .
 
 # Build
 RUN rustup target add arm-unknown-linux-gnueabi
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/rpi-debian:stretch
+FROM balenalib/rpi-debian:buster
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -81,6 +84,7 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
+    curl \
     libmariadbclient-dev \
     && rm -rf /var/lib/apt/lists/*
 
@@ -97,5 +101,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv6/sqlite/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,11 +23,14 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set sqlite as default for DB ARG for backward comaptibility
 ARG DB=sqlite
 
+# Don't download rust docs
+RUN rustup set profile minimal
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -49,8 +52,7 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
     && apt-get install -y \
         --no-install-recommends \
         libssl-dev:armel \
-        libc6-dev:armel \
-        libmariadb-dev:armel
+        libc6-dev:armel
 
 ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
 ENV CROSS_COMPILE="1"
@@ -63,12 +65,12 @@ COPY . .
 
 # Build
 RUN rustup target add arm-unknown-linux-gnueabi
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/rpi-debian:stretch
+FROM balenalib/rpi-debian:buster
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -81,7 +83,8 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
-    libmariadbclient-dev \
+    curl \
+    sqlite3 \
     && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir /data
@@ -97,5 +100,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv7/mysql/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,11 +23,14 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Don't download rust docs
+RUN rustup set profile minimal
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -64,12 +67,12 @@ COPY . .
 
 # Build
 RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/armv7hf-debian:stretch
+FROM balenalib/armv7hf-debian:buster
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -82,6 +85,7 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
+    curl \
     libmariadbclient-dev \
     && rm -rf /var/lib/apt/lists/*
 
@@ -98,5 +102,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/armv7/sqlite/Dockerfile

@@ -2,9 +2,9 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
+FROM alpine:3.11 as vault
 
-ENV VAULT_VERSION "v2.11.0"
+ENV VAULT_VERSION "v2.12.0b"
 
 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
 
@@ -23,11 +23,14 @@ RUN ls
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.40 as build
 
 # set sqlite as default for DB ARG for backward comaptibility
 ARG DB=sqlite
 
+# Don't download rust docs
+RUN rustup set profile minimal
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -49,8 +52,7 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
     && apt-get install -y \
         --no-install-recommends \
         libssl-dev:armhf \
-        libc6-dev:armhf \
-        libmariadb-dev:armhf
+        libc6-dev:armhf
 
 ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
 ENV CROSS_COMPILE="1"
@@ -63,12 +65,12 @@ COPY . .
 
 # Build
 RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/armv7hf-debian:stretch
+FROM balenalib/armv7hf-debian:buster
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -81,7 +83,8 @@ RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
-    libmariadbclient-dev \
+    curl \
+    sqlite3 \
     && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir /data
@@ -97,5 +100,10 @@ COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
 
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/healthcheck.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+
+if [ -z "$ROCKET_TLS"]
+then
+  curl --fail http://localhost:${ROCKET_PORT:-"80"}/alive || exit 1
+else
+  curl --insecure --fail https://localhost:${ROCKET_PORT:-"80"}/alive || exit 1
+fi

migrations/mysql/2018-09-19-144557_add_kdf_columns/up.sql

@@ -4,4 +4,4 @@ ALTER TABLE users
 
 ALTER TABLE users
     ADD COLUMN
-    client_kdf_iter INTEGER NOT NULL DEFAULT 5000;
+    client_kdf_iter INTEGER NOT NULL DEFAULT 100000;

migrations/mysql/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

migrations/mysql/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/mysql/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;

migrations/postgresql/2019-09-12-100000_create_tables/down.sql

@@ -0,0 +1,13 @@
+DROP TABLE devices;
+DROP TABLE attachments;
+DROP TABLE users_collections;
+DROP TABLE users_organizations;
+DROP TABLE folders_ciphers;
+DROP TABLE ciphers_collections;
+DROP TABLE twofactor;
+DROP TABLE invitations;
+DROP TABLE collections;
+DROP TABLE folders;
+DROP TABLE ciphers;
+DROP TABLE users;
+DROP TABLE organizations;

migrations/postgresql/2019-09-12-100000_create_tables/up.sql

@@ -0,0 +1,121 @@
+CREATE TABLE users (
+  uuid                CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          TIMESTAMP NOT NULL,
+  updated_at          TIMESTAMP NOT NULL,
+  email               VARCHAR(255) NOT NULL UNIQUE,
+  name                TEXT     NOT NULL,
+  password_hash       BYTEA     NOT NULL,
+  salt                BYTEA     NOT NULL,
+  password_iterations INTEGER  NOT NULL,
+  password_hint       TEXT,
+  akey                TEXT     NOT NULL,
+  private_key         TEXT,
+  public_key          TEXT,
+  totp_secret         TEXT,
+  totp_recover        TEXT,
+  security_stamp      TEXT     NOT NULL,
+  equivalent_domains  TEXT     NOT NULL,
+  excluded_globals    TEXT     NOT NULL,
+  client_kdf_type     INTEGER NOT NULL DEFAULT 0,
+  client_kdf_iter INTEGER NOT NULL DEFAULT 100000
+);
+
+CREATE TABLE devices (
+  uuid          CHAR(36) NOT NULL PRIMARY KEY,
+  created_at    TIMESTAMP NOT NULL,
+  updated_at    TIMESTAMP NOT NULL,
+  user_uuid     CHAR(36) NOT NULL REFERENCES users (uuid),
+  name          TEXT     NOT NULL,
+  atype         INTEGER  NOT NULL,
+  push_token    TEXT,
+  refresh_token TEXT     NOT NULL,
+  twofactor_remember TEXT
+);
+
+CREATE TABLE organizations (
+  uuid          VARCHAR(40) NOT NULL PRIMARY KEY,
+  name          TEXT NOT NULL,
+  billing_email TEXT NOT NULL
+);
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        TIMESTAMP NOT NULL,
+  updated_at        TIMESTAMP NOT NULL,
+  user_uuid         CHAR(36) REFERENCES users (uuid),
+  organization_uuid CHAR(36) REFERENCES organizations (uuid),
+  atype             INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL,
+  password_history  TEXT
+);
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL,
+  akey        TEXT
+);
+
+CREATE TABLE folders (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  created_at TIMESTAMP NOT NULL,
+  updated_at TIMESTAMP NOT NULL,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  name       TEXT     NOT NULL
+);
+
+CREATE TABLE collections (
+  uuid     VARCHAR(40) NOT NULL PRIMARY KEY,
+  org_uuid VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name     TEXT NOT NULL
+);
+
+CREATE TABLE users_collections (
+  user_uuid       CHAR(36) NOT NULL REFERENCES users (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  read_only       BOOLEAN NOT NULL DEFAULT false,
+  PRIMARY KEY (user_uuid, collection_uuid)
+);
+
+CREATE TABLE users_organizations (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  org_uuid   CHAR(36) NOT NULL REFERENCES organizations (uuid),
+
+  access_all BOOLEAN NOT NULL,
+  akey       TEXT    NOT NULL,
+  status     INTEGER NOT NULL,
+  atype      INTEGER NOT NULL,
+
+  UNIQUE (user_uuid, org_uuid)
+);
+
+CREATE TABLE folders_ciphers (
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  folder_uuid CHAR(36) NOT NULL REFERENCES folders (uuid),
+  PRIMARY KEY (cipher_uuid, folder_uuid)
+);
+
+CREATE TABLE ciphers_collections (
+  cipher_uuid       CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (cipher_uuid, collection_uuid)
+);
+
+CREATE TABLE twofactor (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid CHAR(36) NOT NULL REFERENCES users (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+  UNIQUE (user_uuid, atype)
+);
+
+CREATE TABLE invitations (
+    email   VARCHAR(255) NOT NULL PRIMARY KEY
+);

migrations/postgresql/2019-09-16-150000_fix_attachments/down.sql

@@ -0,0 +1,26 @@
+ALTER TABLE attachments ALTER COLUMN id TYPE CHAR(36);
+ALTER TABLE attachments ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE users ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE users ALTER COLUMN email TYPE VARCHAR(255);
+ALTER TABLE devices ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE devices ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE organizations ALTER COLUMN uuid TYPE CHAR(40);
+ALTER TABLE ciphers ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE ciphers ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE ciphers ALTER COLUMN organization_uuid TYPE CHAR(36);
+ALTER TABLE folders ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE folders ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE collections ALTER COLUMN uuid TYPE CHAR(40);
+ALTER TABLE collections ALTER COLUMN org_uuid TYPE CHAR(40);
+ALTER TABLE users_collections ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE users_collections ALTER COLUMN collection_uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN org_uuid TYPE CHAR(36);
+ALTER TABLE folders_ciphers ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE folders_ciphers ALTER COLUMN folder_uuid TYPE CHAR(36);
+ALTER TABLE ciphers_collections ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE ciphers_collections ALTER COLUMN collection_uuid TYPE CHAR(36);
+ALTER TABLE twofactor ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE twofactor ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE invitations ALTER COLUMN email TYPE VARCHAR(255);

migrations/postgresql/2019-09-16-150000_fix_attachments/up.sql

@@ -0,0 +1,27 @@
+-- Switch from CHAR() types to VARCHAR() types to avoid padding issues.
+ALTER TABLE attachments ALTER COLUMN id TYPE TEXT;
+ALTER TABLE attachments ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE users ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE users ALTER COLUMN email TYPE TEXT;
+ALTER TABLE devices ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE devices ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE organizations ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN organization_uuid TYPE VARCHAR(40);
+ALTER TABLE folders ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE folders ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE collections ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE collections ALTER COLUMN org_uuid TYPE VARCHAR(40);
+ALTER TABLE users_collections ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE users_collections ALTER COLUMN collection_uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN org_uuid TYPE VARCHAR(40);
+ALTER TABLE folders_ciphers ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE folders_ciphers ALTER COLUMN folder_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers_collections ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers_collections ALTER COLUMN collection_uuid TYPE VARCHAR(40);
+ALTER TABLE twofactor ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE twofactor ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE invitations ALTER COLUMN email TYPE TEXT;

migrations/postgresql/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

migrations/postgresql/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/postgresql/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;

migrations/sqlite/2018-09-19-144557_add_kdf_columns/up.sql

@@ -4,4 +4,4 @@ ALTER TABLE users
 
 ALTER TABLE users
     ADD COLUMN
-    client_kdf_iter INTEGER NOT NULL DEFAULT 5000;
+    client_kdf_iter INTEGER NOT NULL DEFAULT 100000;

migrations/sqlite/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

migrations/sqlite/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/sqlite/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new TEXT DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token TEXT DEFAULT NULL;

rust-toolchain

@@ -1 +1 @@
-nightly-2019-08-18
+nightly-2019-12-19

rustfmt.toml

@@ -1 +1,2 @@
+version = "Two"
 max_width = 120

src/api/admin.rs

@@ -26,6 +26,7 @@ pub fn routes() -> Vec<Route> {
         post_admin_login,
         admin_page,
         invite_user,
+        logout,
         delete_user,
         deauth_user,
         remove_2fa,
@@ -37,7 +38,7 @@ pub fn routes() -> Vec<Route> {
 }
 
 lazy_static! {
-    static ref CAN_BACKUP: bool = cfg!(feature = "sqlite") && Command::new("sqlite").arg("-version").status().is_ok();
+    static ref CAN_BACKUP: bool = cfg!(feature = "sqlite") && Command::new("sqlite3").arg("-version").status().is_ok();
 }
 
 #[get("/")]
@@ -109,6 +110,7 @@ struct AdminTemplateData {
     users: Vec<Value>,
     config: Value,
     can_backup: bool,
+    logged_in: bool,
 }
 
 impl AdminTemplateData {
@@ -119,6 +121,7 @@ impl AdminTemplateData {
             users,
             config: CONFIG.prepare_json(),
             can_backup: *CAN_BACKUP,
+            logged_in: true,
         }
     }
 
@@ -166,6 +169,12 @@ fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> Empt
     }
 }
 
+#[get("/logout")]
+fn logout(mut cookies: Cookies) -> Result<Redirect, ()> {
+    cookies.remove(Cookie::named(COOKIE_NAME));
+    Ok(Redirect::to(ADMIN_PATH))
+}
+
 #[get("/users")]
 fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
     let users = User::get_all(&conn);

src/api/core/accounts.rs

@@ -1,10 +1,12 @@
+use chrono::Utc;
 use rocket_contrib::json::Json;
 
 use crate::db::models::*;
 use crate::db::DbConn;
 
 use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
-use crate::auth::{decode_invite, Headers};
+use crate::auth::{decode_delete, decode_invite, decode_verify_email, Headers};
+use crate::crypto;
 use crate::mail;
 
 use crate::CONFIG;
@@ -25,6 +27,10 @@ pub fn routes() -> Vec<Route> {
         post_sstamp,
         post_email_token,
         post_email,
+        post_verify_email,
+        post_verify_email_token,
+        post_delete_recover,
+        post_delete_recover_token,
         delete_account,
         post_delete_account,
         revision_date,
@@ -62,7 +68,11 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
     let mut user = match User::find_by_mail(&data.Email, &conn) {
         Some(user) => {
             if !user.password_hash.is_empty() {
-                err!("User already exists")
+                if CONFIG.signups_allowed() {
+                    err!("User already exists")
+                } else {
+                    err!("Registration not allowed or user already exists")
+                }
             }
 
             if let Some(token) = data.Token {
@@ -82,14 +92,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
             } else if CONFIG.signups_allowed() {
                 err!("Account with this email already exists")
             } else {
-                err!("Registration not allowed")
+                err!("Registration not allowed or user already exists")
             }
         }
         None => {
-            if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
+            if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) || CONFIG.can_signup_user(&data.Email) {
                 User::new(data.Email.clone())
             } else {
-                err!("Registration not allowed")
+                err!("Registration not allowed or user already exists")
             }
         }
     };
@@ -122,6 +132,20 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
         user.public_key = Some(keys.PublicKey);
     }
 
+    if CONFIG.mail_enabled() {
+        if CONFIG.signups_verify() {
+            if let Err(e) = mail::send_welcome_must_verify(&user.email, &user.uuid) {
+                error!("Error sending welcome email: {:#?}", e);
+            }
+
+            user.last_verifying_at = Some(user.created_at);
+        } else {
+            if let Err(e) = mail::send_welcome(&user.email) {
+                error!("Error sending welcome email: {:#?}", e);
+            }
+        }
+    }
+
     user.save(&conn)
 }
 
@@ -337,8 +361,9 @@ struct EmailTokenData {
 #[post("/accounts/email-token", data = "<data>")]
 fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let data: EmailTokenData = data.into_inner().data;
+    let mut user = headers.user;
 
-    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+    if !user.check_valid_password(&data.MasterPasswordHash) {
         err!("Invalid password")
     }
 
@@ -346,7 +371,21 @@ fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: Db
         err!("Email already in use");
     }
 
-    Ok(())
+    if !CONFIG.signups_allowed() && !CONFIG.can_signup_user(&data.NewEmail) {
+        err!("Email cannot be changed to this address");
+    }
+
+    let token = crypto::generate_token(6)?;
+
+    if CONFIG.mail_enabled() {
+        if let Err(e) = mail::send_change_email(&data.NewEmail, &token) {
+            error!("Error sending change-email email: {:#?}", e);
+        }
+    }
+
+    user.email_new = Some(data.NewEmail);
+    user.email_new_token = Some(token);
+    user.save(&conn)
 }
 
 #[derive(Deserialize)]
@@ -357,8 +396,7 @@ struct ChangeEmailData {
 
     Key: String,
     NewMasterPasswordHash: String,
-    #[serde(rename = "Token")]
-    _Token: NumberOrString,
+    Token: NumberOrString,
 }
 
 #[post("/accounts/email", data = "<data>")]
@@ -374,7 +412,33 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
         err!("Email already in use");
     }
 
+    match user.email_new {
+        Some(ref val) => {
+            if val != &data.NewEmail {
+                err!("Email change mismatch");
+            }
+        }
+        None => err!("No email change pending"),
+    }
+
+    if CONFIG.mail_enabled() {
+        // Only check the token if we sent out an email...
+        match user.email_new_token {
+            Some(ref val) => {
+                if *val != data.Token.into_string() {
+                    err!("Token mismatch");
+                }
+            }
+            None => err!("No email change pending"),
+        }
+        user.verified_at = Some(Utc::now().naive_utc());
+    } else {
+        user.verified_at = None;
+    }
+
     user.email = data.NewEmail;
+    user.email_new = None;
+    user.email_new_token = None;
 
     user.set_password(&data.NewMasterPasswordHash);
     user.akey = data.Key;
@@ -382,6 +446,108 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
     user.save(&conn)
 }
 
+#[post("/accounts/verify-email")]
+fn post_verify_email(headers: Headers, _conn: DbConn) -> EmptyResult {
+    let user = headers.user;
+
+    if !CONFIG.mail_enabled() {
+        err!("Cannot verify email address");
+    }
+
+    if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
+        error!("Error sending delete account email: {:#?}", e);
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct VerifyEmailTokenData {
+    UserId: String,
+    Token: String,
+}
+
+#[post("/accounts/verify-email-token", data = "<data>")]
+fn post_verify_email_token(data: JsonUpcase<VerifyEmailTokenData>, conn: DbConn) -> EmptyResult {
+    let data: VerifyEmailTokenData = data.into_inner().data;
+
+    let mut user = match User::find_by_uuid(&data.UserId, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    let claims = match decode_verify_email(&data.Token) {
+        Ok(claims) => claims,
+        Err(_) => err!("Invalid claim"),
+    };
+    if claims.sub != user.uuid {
+        err!("Invalid claim");
+    }
+    user.verified_at = Some(Utc::now().naive_utc());
+    user.last_verifying_at = None;
+    user.login_verify_count = 0;
+    if let Err(e) = user.save(&conn) {
+        error!("Error saving email verification: {:#?}", e);
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DeleteRecoverData {
+    Email: String,
+}
+
+#[post("/accounts/delete-recover", data = "<data>")]
+fn post_delete_recover(data: JsonUpcase<DeleteRecoverData>, conn: DbConn) -> EmptyResult {
+    let data: DeleteRecoverData = data.into_inner().data;
+
+    let user = User::find_by_mail(&data.Email, &conn);
+
+    if CONFIG.mail_enabled() {
+        if let Some(user) = user {
+            if let Err(e) = mail::send_delete_account(&user.email, &user.uuid) {
+                error!("Error sending delete account email: {:#?}", e);
+            }
+        }
+        Ok(())
+    } else {
+        // We don't support sending emails, but we shouldn't allow anybody
+        // to delete accounts without at least logging in... And if the user
+        // cannot remember their password then they will need to contact
+        // the administrator to delete it...
+        err!("Please contact the administrator to delete your account");
+    }
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DeleteRecoverTokenData {
+    UserId: String,
+    Token: String,
+}
+
+#[post("/accounts/delete-recover-token", data = "<data>")]
+fn post_delete_recover_token(data: JsonUpcase<DeleteRecoverTokenData>, conn: DbConn) -> EmptyResult {
+    let data: DeleteRecoverTokenData = data.into_inner().data;
+
+    let user = match User::find_by_uuid(&data.UserId, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    let claims = match decode_delete(&data.Token) {
+        Ok(claims) => claims,
+        Err(_) => err!("Invalid claim"),
+    };
+    if claims.sub != user.uuid {
+        err!("Invalid claim");
+    }
+    user.delete(&conn)
+}
+
 #[post("/accounts/delete", data = "<data>")]
 fn post_delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
     delete_account(data, headers, conn)

src/api/core/ciphers.rs

@@ -88,7 +88,7 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult {
     let domains_json = if data.exclude_domains {
         Value::Null
     } else {
-        api::core::get_eq_domains(headers).unwrap().into_inner()
+        api::core::_get_eq_domains(headers, true).unwrap().into_inner()
     };
 
     Ok(Json(json!({

src/api/core/folders.rs

@@ -59,7 +59,7 @@ pub struct FolderData {
 fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
     let data: FolderData = data.into_inner().data;
 
-    let mut folder = Folder::new(headers.user.uuid.clone(), data.Name);
+    let mut folder = Folder::new(headers.user.uuid, data.Name);
 
     folder.save(&conn)?;
     nt.send_folder_update(UpdateType::FolderCreate, &folder);

src/api/core/mod.rs

@@ -81,6 +81,10 @@ const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");
 
 #[get("/settings/domains")]
 fn get_eq_domains(headers: Headers) -> JsonResult {
+    _get_eq_domains(headers, false)
+}
+
+fn _get_eq_domains(headers: Headers, no_excluded: bool) -> JsonResult {
     let user = headers.user;
     use serde_json::from_str;
 
@@ -93,6 +97,10 @@ fn get_eq_domains(headers: Headers) -> JsonResult {
         global.Excluded = excluded_globals.contains(&global.Type);
     }
 
+    if no_excluded {
+        globals.retain(|g| !g.Excluded);
+    }
+
     Ok(Json(json!({
         "EquivalentDomains": equivalent_domains,
         "GlobalEquivalentDomains": globals,
@@ -141,7 +149,9 @@ fn hibp_breach(username: String) -> JsonResult {
     use reqwest::{header::USER_AGENT, Client};
 
     if let Some(api_key) = crate::CONFIG.hibp_api_key() {
-        let res = Client::new()
+        let hibp_client = Client::builder().use_sys_proxy().build()?;
+
+        let res = hibp_client
             .get(&url)
             .header(USER_AGENT, user_agent)
             .header("hibp-api-key", api_key)
@@ -156,9 +166,17 @@ fn hibp_breach(username: String) -> JsonResult {
         Ok(Json(value))
     } else {
         Ok(Json(json!([{
-            "title": "--- Error! ---",
-            "description": "HaveIBeenPwned API key not set! Go to https://haveibeenpwned.com/API/Key",
-            "logopath": "/bwrs_images/error-x.svg"
+            "Name": "HaveIBeenPwned",
+            "Title": "Manual HIBP Check",
+            "Domain": "haveibeenpwned.com",
+            "BreachDate": "2019-08-18T00:00:00Z",
+            "AddedDate": "2019-08-18T00:00:00Z",
+            "Description": format!("Go to: <a href=\"https://haveibeenpwned.com/account/{account}\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/account/{account}</a> for a manual check.<br/><br/>HaveIBeenPwned API key not set!<br/>Go to <a href=\"https://haveibeenpwned.com/API/Key\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/API/Key</a> to purchase an API key from HaveIBeenPwned.<br/><br/>", account=username),
+            "LogoPath": "/bwrs_static/hibp.png",
+            "PwnCount": 0,
+            "DataClasses": [
+                "Error - No API key set!"
+            ]
         }])))
     }
 }

src/api/core/organizations.rs

@@ -77,7 +77,7 @@ fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn
     let data: OrgData = data.into_inner().data;
 
     let org = Organization::new(data.Name, data.BillingEmail);
-    let mut user_org = UserOrganization::new(headers.user.uuid.clone(), org.uuid.clone());
+    let mut user_org = UserOrganization::new(headers.user.uuid, org.uuid.clone());
     let collection = Collection::new(org.uuid.clone(), data.CollectionName);
 
     user_org.akey = data.Key;
@@ -221,7 +221,7 @@ fn post_organization_collections(
         None => err!("Can't find organization details"),
     };
 
-    let collection = Collection::new(org.uuid.clone(), data.Name);
+    let collection = Collection::new(org.uuid, data.Name);
     collection.save(&conn)?;
 
     Ok(Json(collection.to_json()))
@@ -262,7 +262,7 @@ fn post_organization_collection_update(
         err!("Collection is not owned by organization");
     }
 
-    collection.name = data.Name.clone();
+    collection.name = data.Name;
     collection.save(&conn)?;
 
     Ok(Json(collection.to_json()))
@@ -581,7 +581,7 @@ fn reinvite_user(org_id: String, user_org: String, headers: AdminHeaders, conn:
             Some(headers.user.email),
         )?;
     } else {
-        let invitation = Invitation::new(user.email.clone());
+        let invitation = Invitation::new(user.email);
         invitation.save(&conn)?;
     }
 

src/api/core/two_factor/authenticator.rs

@@ -0,0 +1,153 @@
+use data_encoding::BASE32;
+use rocket::Route;
+use rocket_contrib::json::Json;
+
+use crate::api::core::two_factor::_generate_recover_code;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData};
+use crate::auth::Headers;
+use crate::crypto;
+use crate::db::{
+    models::{TwoFactor, TwoFactorType},
+    DbConn,
+};
+
+pub use crate::config::CONFIG;
+
+pub fn routes() -> Vec<Route> {
+    routes![
+        generate_authenticator,
+        activate_authenticator,
+        activate_authenticator_put,
+    ]
+}
+#[post("/two-factor/get-authenticator", data = "<data>")]
+fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: PasswordData = data.into_inner().data;
+    let user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let type_ = TwoFactorType::Authenticator as i32;
+    let twofactor = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn);
+
+    let (enabled, key) = match twofactor {
+        Some(tf) => (true, tf.data),
+        _ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20]))),
+    };
+
+    Ok(Json(json!({
+        "Enabled": enabled,
+        "Key": key,
+        "Object": "twoFactorAuthenticator"
+    })))
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct EnableAuthenticatorData {
+    MasterPasswordHash: String,
+    Key: String,
+    Token: NumberOrString,
+}
+
+#[post("/two-factor/authenticator", data = "<data>")]
+fn activate_authenticator(data: JsonUpcase<EnableAuthenticatorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableAuthenticatorData = data.into_inner().data;
+    let password_hash = data.MasterPasswordHash;
+    let key = data.Key;
+    let token = data.Token.into_i32()? as u64;
+
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&password_hash) {
+        err!("Invalid password");
+    }
+
+    // Validate key as base32 and 20 bytes length
+    let decoded_key: Vec<u8> = match BASE32.decode(key.as_bytes()) {
+        Ok(decoded) => decoded,
+        _ => err!("Invalid totp secret"),
+    };
+
+    if decoded_key.len() != 20 {
+        err!("Invalid key length")
+    }
+
+    // Validate the token provided with the key, and save new twofactor
+    validate_totp_code(&user.uuid, token, &key.to_uppercase(), &conn)?;
+
+    _generate_recover_code(&mut user, &conn);
+
+    Ok(Json(json!({
+        "Enabled": true,
+        "Key": key,
+        "Object": "twoFactorAuthenticator"
+    })))
+}
+
+#[put("/two-factor/authenticator", data = "<data>")]
+fn activate_authenticator_put(data: JsonUpcase<EnableAuthenticatorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_authenticator(data, headers, conn)
+}
+
+pub fn validate_totp_code_str(user_uuid: &str, totp_code: &str, secret: &str, conn: &DbConn) -> EmptyResult {
+    let totp_code: u64 = match totp_code.parse() {
+        Ok(code) => code,
+        _ => err!("TOTP code is not a number"),
+    };
+
+    validate_totp_code(user_uuid, totp_code, secret, &conn)
+}
+
+pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, conn: &DbConn) -> EmptyResult {
+    use oath::{totp_raw_custom_time, HashType};
+
+    let decoded_secret = match BASE32.decode(secret.as_bytes()) {
+        Ok(s) => s,
+        Err(_) => err!("Invalid TOTP secret"),
+    };
+
+    let mut twofactor = match TwoFactor::find_by_user_and_type(&user_uuid, TwoFactorType::Authenticator as i32, &conn) {
+        Some(tf) => tf,
+        _ => TwoFactor::new(user_uuid.to_string(), TwoFactorType::Authenticator, secret.to_string()),
+    };
+
+    // Get the current system time in UNIX Epoch (UTC)
+    let current_time = chrono::Utc::now();
+    let current_timestamp = current_time.timestamp();
+
+    // The amount of steps back and forward in time
+    // Also check if we need to disable time drifted TOTP codes.
+    // If that is the case, we set the steps to 0 so only the current TOTP is valid.
+    let steps: i64 = if CONFIG.authenticator_disable_time_drift() { 0 } else { 1 };
+
+    for step in -steps..=steps {
+        let time_step = current_timestamp / 30i64 + step;
+        // We need to calculate the time offsite and cast it as an i128.
+        // Else we can't do math with it on a default u64 variable.
+        let time = (current_timestamp + step * 30i64) as u64;
+        let generated = totp_raw_custom_time(&decoded_secret, 6, 0, 30, time, &HashType::SHA1);
+
+        // Check the the given code equals the generated and if the time_step is larger then the one last used.
+        if generated == totp_code && time_step > twofactor.last_used as i64 {
+            // If the step does not equals 0 the time is drifted either server or client side.
+            if step != 0 {
+                info!("TOTP Time drift detected. The step offset is {}", step);
+            }
+
+            // Save the last used time step so only totp time steps higher then this one are allowed.
+            // This will also save a newly created twofactor if the code is correct.
+            twofactor.last_used = time_step as i32;
+            twofactor.save(&conn)?;
+            return Ok(());
+        } else if generated == totp_code && time_step <= twofactor.last_used as i64 {
+            warn!("This or a TOTP code within {} steps back and forward has already been used!", steps);
+            err!(format!("Invalid TOTP code! Server time: {}", current_time.format("%F %T UTC")));
+        }
+    }
+
+    // Else no valide code received, deny access
+    err!(format!("Invalid TOTP code! Server time: {}", current_time.format("%F %T UTC")));
+}

src/api/core/two_factor/duo.rs

@@ -0,0 +1,346 @@
+use chrono::Utc;
+use data_encoding::BASE64;
+use rocket::Route;
+use rocket_contrib::json::Json;
+use serde_json;
+
+use crate::api::core::two_factor::_generate_recover_code;
+use crate::api::{ApiResult, EmptyResult, JsonResult, JsonUpcase, PasswordData};
+use crate::auth::Headers;
+use crate::crypto;
+use crate::db::{
+    models::{TwoFactor, TwoFactorType, User},
+    DbConn,
+};
+use crate::error::MapResult;
+use crate::CONFIG;
+
+pub fn routes() -> Vec<Route> {
+    routes![get_duo, activate_duo, activate_duo_put,]
+}
+
+#[derive(Serialize, Deserialize)]
+struct DuoData {
+    host: String,
+    ik: String,
+    sk: String,
+}
+
+impl DuoData {
+    fn global() -> Option<Self> {
+        match (CONFIG._enable_duo(), CONFIG.duo_host()) {
+            (true, Some(host)) => Some(Self {
+                host,
+                ik: CONFIG.duo_ikey().unwrap(),
+                sk: CONFIG.duo_skey().unwrap(),
+            }),
+            _ => None,
+        }
+    }
+    fn msg(s: &str) -> Self {
+        Self {
+            host: s.into(),
+            ik: s.into(),
+            sk: s.into(),
+        }
+    }
+    fn secret() -> Self {
+        Self::msg("<global_secret>")
+    }
+    fn obscure(self) -> Self {
+        let mut host = self.host;
+        let mut ik = self.ik;
+        let mut sk = self.sk;
+
+        let digits = 4;
+        let replaced = "************";
+
+        host.replace_range(digits.., replaced);
+        ik.replace_range(digits.., replaced);
+        sk.replace_range(digits.., replaced);
+
+        Self { host, ik, sk }
+    }
+}
+
+enum DuoStatus {
+    Global(DuoData),
+    // Using the global duo config
+    User(DuoData),
+    // Using the user's config
+    Disabled(bool), // True if there is a global setting
+}
+
+impl DuoStatus {
+    fn data(self) -> Option<DuoData> {
+        match self {
+            DuoStatus::Global(data) => Some(data),
+            DuoStatus::User(data) => Some(data),
+            DuoStatus::Disabled(_) => None,
+        }
+    }
+}
+
+const DISABLED_MESSAGE_DEFAULT: &str = "<To use the global Duo keys, please leave these fields untouched>";
+
+#[post("/two-factor/get-duo", data = "<data>")]
+fn get_duo(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: PasswordData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let data = get_user_duo_data(&headers.user.uuid, &conn);
+
+    let (enabled, data) = match data {
+        DuoStatus::Global(_) => (true, Some(DuoData::secret())),
+        DuoStatus::User(data) => (true, Some(data.obscure())),
+        DuoStatus::Disabled(true) => (false, Some(DuoData::msg(DISABLED_MESSAGE_DEFAULT))),
+        DuoStatus::Disabled(false) => (false, None),
+    };
+
+    let json = if let Some(data) = data {
+        json!({
+            "Enabled": enabled,
+            "Host": data.host,
+            "SecretKey": data.sk,
+            "IntegrationKey": data.ik,
+            "Object": "twoFactorDuo"
+        })
+    } else {
+        json!({
+            "Enabled": enabled,
+            "Object": "twoFactorDuo"
+        })
+    };
+
+    Ok(Json(json))
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case, dead_code)]
+struct EnableDuoData {
+    MasterPasswordHash: String,
+    Host: String,
+    SecretKey: String,
+    IntegrationKey: String,
+}
+
+impl From<EnableDuoData> for DuoData {
+    fn from(d: EnableDuoData) -> Self {
+        Self {
+            host: d.Host,
+            ik: d.IntegrationKey,
+            sk: d.SecretKey,
+        }
+    }
+}
+
+fn check_duo_fields_custom(data: &EnableDuoData) -> bool {
+    fn empty_or_default(s: &str) -> bool {
+        let st = s.trim();
+        st.is_empty() || s == DISABLED_MESSAGE_DEFAULT
+    }
+
+    !empty_or_default(&data.Host) && !empty_or_default(&data.SecretKey) && !empty_or_default(&data.IntegrationKey)
+}
+
+#[post("/two-factor/duo", data = "<data>")]
+fn activate_duo(data: JsonUpcase<EnableDuoData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableDuoData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let (data, data_str) = if check_duo_fields_custom(&data) {
+        let data_req: DuoData = data.into();
+        let data_str = serde_json::to_string(&data_req)?;
+        duo_api_request("GET", "/auth/v2/check", "", &data_req).map_res("Failed to validate Duo credentials")?;
+        (data_req.obscure(), data_str)
+    } else {
+        (DuoData::secret(), String::new())
+    };
+
+    let type_ = TwoFactorType::Duo;
+    let twofactor = TwoFactor::new(user.uuid.clone(), type_, data_str);
+    twofactor.save(&conn)?;
+
+    _generate_recover_code(&mut user, &conn);
+
+    Ok(Json(json!({
+        "Enabled": true,
+        "Host": data.host,
+        "SecretKey": data.sk,
+        "IntegrationKey": data.ik,
+        "Object": "twoFactorDuo"
+    })))
+}
+
+#[put("/two-factor/duo", data = "<data>")]
+fn activate_duo_put(data: JsonUpcase<EnableDuoData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_duo(data, headers, conn)
+}
+
+fn duo_api_request(method: &str, path: &str, params: &str, data: &DuoData) -> EmptyResult {
+    const AGENT: &str = "bitwarden_rs:Duo/1.0 (Rust)";
+
+    use reqwest::{header::*, Client, Method};
+    use std::str::FromStr;
+
+    let url = format!("https://{}{}", &data.host, path);
+    let date = Utc::now().to_rfc2822();
+    let username = &data.ik;
+    let fields = [&date, method, &data.host, path, params];
+    let password = crypto::hmac_sign(&data.sk, &fields.join("\n"));
+
+    let m = Method::from_str(method).unwrap_or_default();
+
+    Client::new()
+        .request(m, &url)
+        .basic_auth(username, Some(password))
+        .header(USER_AGENT, AGENT)
+        .header(DATE, date)
+        .send()?
+        .error_for_status()?;
+
+    Ok(())
+}
+
+const DUO_EXPIRE: i64 = 300;
+const APP_EXPIRE: i64 = 3600;
+
+const AUTH_PREFIX: &str = "AUTH";
+const DUO_PREFIX: &str = "TX";
+const APP_PREFIX: &str = "APP";
+
+fn get_user_duo_data(uuid: &str, conn: &DbConn) -> DuoStatus {
+    let type_ = TwoFactorType::Duo as i32;
+
+    // If the user doesn't have an entry, disabled
+    let twofactor = match TwoFactor::find_by_user_and_type(uuid, type_, &conn) {
+        Some(t) => t,
+        None => return DuoStatus::Disabled(DuoData::global().is_some()),
+    };
+
+    // If the user has the required values, we use those
+    if let Ok(data) = serde_json::from_str(&twofactor.data) {
+        return DuoStatus::User(data);
+    }
+
+    // Otherwise, we try to use the globals
+    if let Some(global) = DuoData::global() {
+        return DuoStatus::Global(global);
+    }
+
+    // If there are no globals configured, just disable it
+    DuoStatus::Disabled(false)
+}
+
+// let (ik, sk, ak, host) = get_duo_keys();
+fn get_duo_keys_email(email: &str, conn: &DbConn) -> ApiResult<(String, String, String, String)> {
+    let data = User::find_by_mail(email, &conn)
+        .and_then(|u| get_user_duo_data(&u.uuid, &conn).data())
+        .or_else(DuoData::global)
+        .map_res("Can't fetch Duo keys")?;
+
+    Ok((data.ik, data.sk, CONFIG.get_duo_akey(), data.host))
+}
+
+pub fn generate_duo_signature(email: &str, conn: &DbConn) -> ApiResult<(String, String)> {
+    let now = Utc::now().timestamp();
+
+    let (ik, sk, ak, host) = get_duo_keys_email(email, conn)?;
+
+    let duo_sign = sign_duo_values(&sk, email, &ik, DUO_PREFIX, now + DUO_EXPIRE);
+    let app_sign = sign_duo_values(&ak, email, &ik, APP_PREFIX, now + APP_EXPIRE);
+
+    Ok((format!("{}:{}", duo_sign, app_sign), host))
+}
+
+fn sign_duo_values(key: &str, email: &str, ikey: &str, prefix: &str, expire: i64) -> String {
+    let val = format!("{}|{}|{}", email, ikey, expire);
+    let cookie = format!("{}|{}", prefix, BASE64.encode(val.as_bytes()));
+
+    format!("{}|{}", cookie, crypto::hmac_sign(key, &cookie))
+}
+
+pub fn validate_duo_login(email: &str, response: &str, conn: &DbConn) -> EmptyResult {
+    let split: Vec<&str> = response.split(':').collect();
+    if split.len() != 2 {
+        err!("Invalid response length");
+    }
+
+    let auth_sig = split[0];
+    let app_sig = split[1];
+
+    let now = Utc::now().timestamp();
+
+    let (ik, sk, ak, _host) = get_duo_keys_email(email, conn)?;
+
+    let auth_user = parse_duo_values(&sk, auth_sig, &ik, AUTH_PREFIX, now)?;
+    let app_user = parse_duo_values(&ak, app_sig, &ik, APP_PREFIX, now)?;
+
+    if !crypto::ct_eq(&auth_user, app_user) || !crypto::ct_eq(&auth_user, email) {
+        err!("Error validating duo authentication")
+    }
+
+    Ok(())
+}
+
+fn parse_duo_values(key: &str, val: &str, ikey: &str, prefix: &str, time: i64) -> ApiResult<String> {
+    let split: Vec<&str> = val.split('|').collect();
+    if split.len() != 3 {
+        err!("Invalid value length")
+    }
+
+    let u_prefix = split[0];
+    let u_b64 = split[1];
+    let u_sig = split[2];
+
+    let sig = crypto::hmac_sign(key, &format!("{}|{}", u_prefix, u_b64));
+
+    if !crypto::ct_eq(crypto::hmac_sign(key, &sig), crypto::hmac_sign(key, u_sig)) {
+        err!("Duo signatures don't match")
+    }
+
+    if u_prefix != prefix {
+        err!("Prefixes don't match")
+    }
+
+    let cookie_vec = match BASE64.decode(u_b64.as_bytes()) {
+        Ok(c) => c,
+        Err(_) => err!("Invalid Duo cookie encoding"),
+    };
+
+    let cookie = match String::from_utf8(cookie_vec) {
+        Ok(c) => c,
+        Err(_) => err!("Invalid Duo cookie encoding"),
+    };
+
+    let cookie_split: Vec<&str> = cookie.split('|').collect();
+    if cookie_split.len() != 3 {
+        err!("Invalid cookie length")
+    }
+
+    let username = cookie_split[0];
+    let u_ikey = cookie_split[1];
+    let expire = cookie_split[2];
+
+    if !crypto::ct_eq(ikey, u_ikey) {
+        err!("Invalid ikey")
+    }
+
+    let expire = match expire.parse() {
+        Ok(e) => e,
+        Err(_) => err!("Invalid expire time"),
+    };
+
+    if time >= expire {
+        err!("Expired authorization")
+    }
+
+    Ok(username.into())
+}

src/api/core/two_factor/email.rs

@@ -0,0 +1,330 @@
+use rocket::Route;
+use rocket_contrib::json::Json;
+use serde_json;
+
+use crate::api::core::two_factor::_generate_recover_code;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, PasswordData};
+use crate::auth::Headers;
+use crate::crypto;
+use crate::db::{
+    models::{TwoFactor, TwoFactorType},
+    DbConn,
+};
+use crate::error::Error;
+use crate::mail;
+use crate::CONFIG;
+
+use chrono::{Duration, NaiveDateTime, Utc};
+use std::ops::Add;
+
+pub fn routes() -> Vec<Route> {
+    routes![get_email, send_email_login, send_email, email,]
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct SendEmailLoginData {
+    Email: String,
+    MasterPasswordHash: String,
+}
+
+/// User is trying to login and wants to use email 2FA.
+/// Does not require Bearer token
+#[post("/two-factor/send-email-login", data = "<data>")] // JsonResult
+fn send_email_login(data: JsonUpcase<SendEmailLoginData>, conn: DbConn) -> EmptyResult {
+    let data: SendEmailLoginData = data.into_inner().data;
+
+    use crate::db::models::User;
+
+    // Get the user
+    let user = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => user,
+        None => err!("Username or password is incorrect. Try again."),
+    };
+
+    // Check password
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Username or password is incorrect. Try again.")
+    }
+
+    if !CONFIG._enable_email_2fa() {
+        err!("Email 2FA is disabled")
+    }
+
+    send_token(&user.uuid, &conn)?;
+
+    Ok(())
+}
+
+/// Generate the token, save the data for later verification and send email to user
+pub fn send_token(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+    let type_ = TwoFactorType::Email as i32;
+    let mut twofactor = TwoFactor::find_by_user_and_type(user_uuid, type_, &conn)?;
+
+    let generated_token = crypto::generate_token(CONFIG.email_token_size())?;
+
+    let mut twofactor_data = EmailTokenData::from_json(&twofactor.data)?;
+    twofactor_data.set_token(generated_token);
+    twofactor.data = twofactor_data.to_json();
+    twofactor.save(&conn)?;
+
+    mail::send_token(&twofactor_data.email, &twofactor_data.last_token?)?;
+
+    Ok(())
+}
+
+/// When user clicks on Manage email 2FA show the user the related information
+#[post("/two-factor/get-email", data = "<data>")]
+fn get_email(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: PasswordData = data.into_inner().data;
+    let user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let type_ = TwoFactorType::Email as i32;
+    let enabled = match TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn) {
+        Some(x) => x.enabled,
+        _ => false,
+    };
+
+    Ok(Json(json!({
+        "Email": user.email,
+        "Enabled": enabled,
+        "Object": "twoFactorEmail"
+    })))
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct SendEmailData {
+    /// Email where 2FA codes will be sent to, can be different than user email account.
+    Email: String,
+    MasterPasswordHash: String,
+}
+
+/// Send a verification email to the specified email address to check whether it exists/belongs to user.
+#[post("/two-factor/send-email", data = "<data>")]
+fn send_email(data: JsonUpcase<SendEmailData>, headers: Headers, conn: DbConn) -> EmptyResult {
+    let data: SendEmailData = data.into_inner().data;
+    let user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    if !CONFIG._enable_email_2fa() {
+        err!("Email 2FA is disabled")
+    }
+
+    let type_ = TwoFactorType::Email as i32;
+
+    if let Some(tf) = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn) {
+        tf.delete(&conn)?;
+    }
+
+    let generated_token = crypto::generate_token(CONFIG.email_token_size())?;
+    let twofactor_data = EmailTokenData::new(data.Email, generated_token);
+
+    // Uses EmailVerificationChallenge as type to show that it's not verified yet.
+    let twofactor = TwoFactor::new(
+        user.uuid,
+        TwoFactorType::EmailVerificationChallenge,
+        twofactor_data.to_json(),
+    );
+    twofactor.save(&conn)?;
+
+    mail::send_token(&twofactor_data.email, &twofactor_data.last_token?)?;
+
+    Ok(())
+}
+
+#[derive(Deserialize, Serialize)]
+#[allow(non_snake_case)]
+struct EmailData {
+    Email: String,
+    MasterPasswordHash: String,
+    Token: String,
+}
+
+/// Verify email belongs to user and can be used for 2FA email codes.
+#[put("/two-factor/email", data = "<data>")]
+fn email(data: JsonUpcase<EmailData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EmailData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let type_ = TwoFactorType::EmailVerificationChallenge as i32;
+    let mut twofactor = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn)?;
+
+    let mut email_data = EmailTokenData::from_json(&twofactor.data)?;
+
+    let issued_token = match &email_data.last_token {
+        Some(t) => t,
+        _ => err!("No token available"),
+    };
+
+    if !crypto::ct_eq(issued_token, data.Token) {
+        err!("Token is invalid")
+    }
+
+    email_data.reset_token();
+    twofactor.atype = TwoFactorType::Email as i32;
+    twofactor.data = email_data.to_json();
+    twofactor.save(&conn)?;
+
+    _generate_recover_code(&mut user, &conn);
+
+    Ok(Json(json!({
+        "Email": email_data.email,
+        "Enabled": "true",
+        "Object": "twoFactorEmail"
+    })))
+}
+
+/// Validate the email code when used as TwoFactor token mechanism
+pub fn validate_email_code_str(user_uuid: &str, token: &str, data: &str, conn: &DbConn) -> EmptyResult {
+    let mut email_data = EmailTokenData::from_json(&data)?;
+    let mut twofactor = TwoFactor::find_by_user_and_type(&user_uuid, TwoFactorType::Email as i32, &conn)?;
+    let issued_token = match &email_data.last_token {
+        Some(t) => t,
+        _ => err!("No token available"),
+    };
+
+    if !crypto::ct_eq(issued_token, token) {
+        email_data.add_attempt();
+        if email_data.attempts >= CONFIG.email_attempts_limit() {
+            email_data.reset_token();
+        }
+        twofactor.data = email_data.to_json();
+        twofactor.save(&conn)?;
+
+        err!("Token is invalid")
+    }
+
+    email_data.reset_token();
+    twofactor.data = email_data.to_json();
+    twofactor.save(&conn)?;
+
+    let date = NaiveDateTime::from_timestamp(email_data.token_sent, 0);
+    let max_time = CONFIG.email_expiration_time() as i64;
+    if date.add(Duration::seconds(max_time)) < Utc::now().naive_utc() {
+        err!("Token has expired")
+    }
+
+    Ok(())
+}
+/// Data stored in the TwoFactor table in the db
+#[derive(Serialize, Deserialize)]
+pub struct EmailTokenData {
+    /// Email address where the token will be sent to. Can be different from account email.
+    pub email: String,
+    /// Some(token): last valid token issued that has not been entered.
+    /// None: valid token was used and removed.
+    pub last_token: Option<String>,
+    /// UNIX timestamp of token issue.
+    pub token_sent: i64,
+    /// Amount of token entry attempts for last_token.
+    pub attempts: u64,
+}
+
+impl EmailTokenData {
+    pub fn new(email: String, token: String) -> EmailTokenData {
+        EmailTokenData {
+            email,
+            last_token: Some(token),
+            token_sent: Utc::now().naive_utc().timestamp(),
+            attempts: 0,
+        }
+    }
+
+    pub fn set_token(&mut self, token: String) {
+        self.last_token = Some(token);
+        self.token_sent = Utc::now().naive_utc().timestamp();
+    }
+
+    pub fn reset_token(&mut self) {
+        self.last_token = None;
+        self.attempts = 0;
+    }
+
+    pub fn add_attempt(&mut self) {
+        self.attempts += 1;
+    }
+
+    pub fn to_json(&self) -> String {
+        serde_json::to_string(&self).unwrap()
+    }
+
+    pub fn from_json(string: &str) -> Result<EmailTokenData, Error> {
+        let res: Result<EmailTokenData, crate::serde_json::Error> = serde_json::from_str(&string);
+        match res {
+            Ok(x) => Ok(x),
+            Err(_) => err!("Could not decode EmailTokenData from string"),
+        }
+    }
+}
+
+/// Takes an email address and obscures it by replacing it with asterisks except two characters.
+pub fn obscure_email(email: &str) -> String {
+    let split: Vec<&str> = email.split('@').collect();
+
+    let mut name = split[0].to_string();
+    let domain = &split[1];
+
+    let name_size = name.chars().count();
+
+    let new_name = match name_size {
+        1..=3 => "*".repeat(name_size),
+        _ => {
+            let stars = "*".repeat(name_size - 2);
+            name.truncate(2);
+            format!("{}{}", name, stars)
+        }
+    };
+
+    format!("{}@{}", new_name, &domain)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_obscure_email_long() {
+        let email = "bytes@example.ext";
+
+        let result = obscure_email(&email);
+
+        // Only first two characters should be visible.
+        assert_eq!(result, "by***@example.ext");
+    }
+
+    #[test]
+    fn test_obscure_email_short() {
+        let email = "byt@example.ext";
+
+        let result = obscure_email(&email);
+
+        // If it's smaller than 3 characters it should only show asterisks.
+        assert_eq!(result, "***@example.ext");
+    }
+
+    #[test]
+    fn test_token() {
+        let result = crypto::generate_token(19).unwrap();
+
+        assert_eq!(result.chars().count(), 19);
+    }
+
+    #[test]
+    fn test_token_too_large() {
+        let result = crypto::generate_token(20);
+
+        assert!(result.is_err(), "too large token should give an error");
+    }
+}

src/api/core/two_factor/mod.rs

@@ -0,0 +1,146 @@
+use data_encoding::BASE32;
+use rocket::Route;
+use rocket_contrib::json::Json;
+use serde_json;
+use serde_json::Value;
+
+use crate::api::{JsonResult, JsonUpcase, NumberOrString, PasswordData};
+use crate::auth::Headers;
+use crate::crypto;
+use crate::db::{
+    models::{TwoFactor, User},
+    DbConn,
+};
+
+pub(crate) mod authenticator;
+pub(crate) mod duo;
+pub(crate) mod email;
+pub(crate) mod u2f;
+pub(crate) mod yubikey;
+
+pub fn routes() -> Vec<Route> {
+    let mut routes = routes![
+        get_twofactor,
+        get_recover,
+        recover,
+        disable_twofactor,
+        disable_twofactor_put,
+    ];
+
+    routes.append(&mut authenticator::routes());
+    routes.append(&mut duo::routes());
+    routes.append(&mut email::routes());
+    routes.append(&mut u2f::routes());
+    routes.append(&mut yubikey::routes());
+
+    routes
+}
+
+#[get("/two-factor")]
+fn get_twofactor(headers: Headers, conn: DbConn) -> JsonResult {
+    let twofactors = TwoFactor::find_by_user(&headers.user.uuid, &conn);
+    let twofactors_json: Vec<Value> = twofactors.iter().map(TwoFactor::to_json_list).collect();
+
+    Ok(Json(json!({
+        "Data": twofactors_json,
+        "Object": "list",
+        "ContinuationToken": null,
+    })))
+}
+
+#[post("/two-factor/get-recover", data = "<data>")]
+fn get_recover(data: JsonUpcase<PasswordData>, headers: Headers) -> JsonResult {
+    let data: PasswordData = data.into_inner().data;
+    let user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    Ok(Json(json!({
+        "Code": user.totp_recover,
+        "Object": "twoFactorRecover"
+    })))
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct RecoverTwoFactor {
+    MasterPasswordHash: String,
+    Email: String,
+    RecoveryCode: String,
+}
+
+#[post("/two-factor/recover", data = "<data>")]
+fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
+    let data: RecoverTwoFactor = data.into_inner().data;
+
+    use crate::db::models::User;
+
+    // Get the user
+    let mut user = match User::find_by_mail(&data.Email, &conn) {
+        Some(user) => user,
+        None => err!("Username or password is incorrect. Try again."),
+    };
+
+    // Check password
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Username or password is incorrect. Try again.")
+    }
+
+    // Check if recovery code is correct
+    if !user.check_valid_recovery_code(&data.RecoveryCode) {
+        err!("Recovery code is incorrect. Try again.")
+    }
+
+    // Remove all twofactors from the user
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;
+
+    // Remove the recovery code, not needed without twofactors
+    user.totp_recover = None;
+    user.save(&conn)?;
+    Ok(Json(json!({})))
+}
+
+fn _generate_recover_code(user: &mut User, conn: &DbConn) {
+    if user.totp_recover.is_none() {
+        let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20]));
+        user.totp_recover = Some(totp_recover);
+        user.save(conn).ok();
+    }
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DisableTwoFactorData {
+    MasterPasswordHash: String,
+    Type: NumberOrString,
+}
+
+#[post("/two-factor/disable", data = "<data>")]
+fn disable_twofactor(data: JsonUpcase<DisableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: DisableTwoFactorData = data.into_inner().data;
+    let password_hash = data.MasterPasswordHash;
+    let user = headers.user;
+
+    if !user.check_valid_password(&password_hash) {
+        err!("Invalid password");
+    }
+
+    let type_ = data.Type.into_i32()?;
+
+    if let Some(twofactor) = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn) {
+        twofactor.delete(&conn)?;
+    }
+
+    Ok(Json(json!({
+        "Enabled": false,
+        "Type": type_,
+        "Object": "twoFactorProvider"
+    })))
+}
+
+#[put("/two-factor/disable", data = "<data>")]
+fn disable_twofactor_put(data: JsonUpcase<DisableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
+    disable_twofactor(data, headers, conn)
+}

src/api/core/two_factor/u2f.rs

@@ -0,0 +1,360 @@
+use rocket::Route;
+use rocket_contrib::json::Json;
+use serde_json;
+use serde_json::Value;
+use u2f::messages::{RegisterResponse, SignResponse, U2fSignRequest};
+use u2f::protocol::{Challenge, U2f};
+use u2f::register::Registration;
+
+use crate::api::core::two_factor::_generate_recover_code;
+use crate::api::{ApiResult, EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData};
+use crate::auth::Headers;
+use crate::db::{
+    models::{TwoFactor, TwoFactorType},
+    DbConn,
+};
+use crate::error::Error;
+use crate::CONFIG;
+
+const U2F_VERSION: &str = "U2F_V2";
+
+lazy_static! {
+    static ref APP_ID: String = format!("{}/app-id.json", &CONFIG.domain());
+    static ref U2F: U2f = U2f::new(APP_ID.clone());
+}
+
+pub fn routes() -> Vec<Route> {
+    routes![
+        generate_u2f,
+        generate_u2f_challenge,
+        activate_u2f,
+        activate_u2f_put,
+        delete_u2f,
+    ]
+}
+
+#[post("/two-factor/get-u2f", data = "<data>")]
+fn generate_u2f(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    if !CONFIG.domain_set() {
+        err!("`DOMAIN` environment variable is not set. U2F disabled")
+    }
+    let data: PasswordData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let (enabled, keys) = get_u2f_registrations(&headers.user.uuid, &conn)?;
+    let keys_json: Vec<Value> = keys.iter().map(U2FRegistration::to_json).collect();
+
+    Ok(Json(json!({
+        "Enabled": enabled,
+        "Keys": keys_json,
+        "Object": "twoFactorU2f"
+    })))
+}
+
+#[post("/two-factor/get-u2f-challenge", data = "<data>")]
+fn generate_u2f_challenge(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: PasswordData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let _type = TwoFactorType::U2fRegisterChallenge;
+    let challenge = _create_u2f_challenge(&headers.user.uuid, _type, &conn).challenge;
+
+    Ok(Json(json!({
+        "UserId": headers.user.uuid,
+        "AppId": APP_ID.to_string(),
+        "Challenge": challenge,
+        "Version": U2F_VERSION,
+    })))
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct EnableU2FData {
+    Id: NumberOrString,
+    // 1..5
+    Name: String,
+    MasterPasswordHash: String,
+    DeviceResponse: String,
+}
+
+// This struct is referenced from the U2F lib
+// because it doesn't implement Deserialize
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+#[serde(remote = "Registration")]
+struct RegistrationDef {
+    key_handle: Vec<u8>,
+    pub_key: Vec<u8>,
+    attestation_cert: Option<Vec<u8>>,
+}
+
+#[derive(Serialize, Deserialize)]
+struct U2FRegistration {
+    id: i32,
+    name: String,
+    #[serde(with = "RegistrationDef")]
+    reg: Registration,
+    counter: u32,
+    compromised: bool,
+}
+
+impl U2FRegistration {
+    fn to_json(&self) -> Value {
+        json!({
+            "Id": self.id,
+            "Name": self.name,
+            "Compromised": self.compromised,
+        })
+    }
+}
+
+// This struct is copied from the U2F lib
+// to add an optional error code
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct RegisterResponseCopy {
+    pub registration_data: String,
+    pub version: String,
+    pub client_data: String,
+
+    pub error_code: Option<NumberOrString>,
+}
+
+impl Into<RegisterResponse> for RegisterResponseCopy {
+    fn into(self) -> RegisterResponse {
+        RegisterResponse {
+            registration_data: self.registration_data,
+            version: self.version,
+            client_data: self.client_data,
+        }
+    }
+}
+
+#[post("/two-factor/u2f", data = "<data>")]
+fn activate_u2f(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableU2FData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let tf_type = TwoFactorType::U2fRegisterChallenge as i32;
+    let tf_challenge = match TwoFactor::find_by_user_and_type(&user.uuid, tf_type, &conn) {
+        Some(c) => c,
+        None => err!("Can't recover challenge"),
+    };
+
+    let challenge: Challenge = serde_json::from_str(&tf_challenge.data)?;
+    tf_challenge.delete(&conn)?;
+
+    let response: RegisterResponseCopy = serde_json::from_str(&data.DeviceResponse)?;
+
+    let error_code = response
+        .error_code
+        .clone()
+        .map_or("0".into(), NumberOrString::into_string);
+
+    if error_code != "0" {
+        err!("Error registering U2F token")
+    }
+
+    let registration = U2F.register_response(challenge, response.into())?;
+    let full_registration = U2FRegistration {
+        id: data.Id.into_i32()?,
+        name: data.Name,
+        reg: registration,
+        compromised: false,
+        counter: 0,
+    };
+
+    let mut regs = get_u2f_registrations(&user.uuid, &conn)?.1;
+
+    // TODO: Check that there is no repeat Id
+    regs.push(full_registration);
+    save_u2f_registrations(&user.uuid, &regs, &conn)?;
+
+    _generate_recover_code(&mut user, &conn);
+
+    let keys_json: Vec<Value> = regs.iter().map(U2FRegistration::to_json).collect();
+    Ok(Json(json!({
+        "Enabled": true,
+        "Keys": keys_json,
+        "Object": "twoFactorU2f"
+    })))
+}
+
+#[put("/two-factor/u2f", data = "<data>")]
+fn activate_u2f_put(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_u2f(data, headers, conn)
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct DeleteU2FData {
+    Id: NumberOrString,
+    MasterPasswordHash: String,
+}
+
+#[delete("/two-factor/u2f", data = "<data>")]
+fn delete_u2f(data: JsonUpcase<DeleteU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: DeleteU2FData = data.into_inner().data;
+
+    let id = data.Id.into_i32()?;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let type_ = TwoFactorType::U2f as i32;
+    let mut tf = match TwoFactor::find_by_user_and_type(&headers.user.uuid, type_, &conn) {
+        Some(tf) => tf,
+        None => err!("U2F data not found!"),
+    };
+
+    let mut data: Vec<U2FRegistration> = match serde_json::from_str(&tf.data) {
+        Ok(d) => d,
+        Err(_) => err!("Error parsing U2F data"),
+    };
+
+    data.retain(|r| r.id != id);
+
+    let new_data_str = serde_json::to_string(&data)?;
+
+    tf.data = new_data_str;
+    tf.save(&conn)?;
+
+    let keys_json: Vec<Value> = data.iter().map(U2FRegistration::to_json).collect();
+
+    Ok(Json(json!({
+        "Enabled": true,
+        "Keys": keys_json,
+        "Object": "twoFactorU2f"
+    })))
+}
+
+fn _create_u2f_challenge(user_uuid: &str, type_: TwoFactorType, conn: &DbConn) -> Challenge {
+    let challenge = U2F.generate_challenge().unwrap();
+
+    TwoFactor::new(user_uuid.into(), type_, serde_json::to_string(&challenge).unwrap())
+        .save(conn)
+        .expect("Error saving challenge");
+
+    challenge
+}
+
+fn save_u2f_registrations(user_uuid: &str, regs: &[U2FRegistration], conn: &DbConn) -> EmptyResult {
+    TwoFactor::new(user_uuid.into(), TwoFactorType::U2f, serde_json::to_string(regs)?).save(&conn)
+}
+
+fn get_u2f_registrations(user_uuid: &str, conn: &DbConn) -> Result<(bool, Vec<U2FRegistration>), Error> {
+    let type_ = TwoFactorType::U2f as i32;
+    let (enabled, regs) = match TwoFactor::find_by_user_and_type(user_uuid, type_, conn) {
+        Some(tf) => (tf.enabled, tf.data),
+        None => return Ok((false, Vec::new())), // If no data, return empty list
+    };
+
+    let data = match serde_json::from_str(&regs) {
+        Ok(d) => d,
+        Err(_) => {
+            // If error, try old format
+            let mut old_regs = _old_parse_registrations(&regs);
+
+            if old_regs.len() != 1 {
+                err!("The old U2F format only allows one device")
+            }
+
+            // Convert to new format
+            let new_regs = vec![U2FRegistration {
+                id: 1,
+                name: "Unnamed U2F key".into(),
+                reg: old_regs.remove(0),
+                compromised: false,
+                counter: 0,
+            }];
+
+            // Save new format
+            save_u2f_registrations(user_uuid, &new_regs, &conn)?;
+
+            new_regs
+        }
+    };
+
+    Ok((enabled, data))
+}
+
+fn _old_parse_registrations(registations: &str) -> Vec<Registration> {
+    #[derive(Deserialize)]
+    struct Helper(#[serde(with = "RegistrationDef")] Registration);
+
+    let regs: Vec<Value> = serde_json::from_str(registations).expect("Can't parse Registration data");
+
+    regs.into_iter()
+        .map(|r| serde_json::from_value(r).unwrap())
+        .map(|Helper(r)| r)
+        .collect()
+}
+
+pub fn generate_u2f_login(user_uuid: &str, conn: &DbConn) -> ApiResult<U2fSignRequest> {
+    let challenge = _create_u2f_challenge(user_uuid, TwoFactorType::U2fLoginChallenge, conn);
+
+    let registrations: Vec<_> = get_u2f_registrations(user_uuid, conn)?
+        .1
+        .into_iter()
+        .map(|r| r.reg)
+        .collect();
+
+    if registrations.is_empty() {
+        err!("No U2F devices registered")
+    }
+
+    Ok(U2F.sign_request(challenge, registrations))
+}
+
+pub fn validate_u2f_login(user_uuid: &str, response: &str, conn: &DbConn) -> EmptyResult {
+    let challenge_type = TwoFactorType::U2fLoginChallenge as i32;
+    let tf_challenge = TwoFactor::find_by_user_and_type(user_uuid, challenge_type, &conn);
+
+    let challenge = match tf_challenge {
+        Some(tf_challenge) => {
+            let challenge: Challenge = serde_json::from_str(&tf_challenge.data)?;
+            tf_challenge.delete(&conn)?;
+            challenge
+        }
+        None => err!("Can't recover login challenge"),
+    };
+    let response: SignResponse = serde_json::from_str(response)?;
+    let mut registrations = get_u2f_registrations(user_uuid, conn)?.1;
+    if registrations.is_empty() {
+        err!("No U2F devices registered")
+    }
+
+    for reg in &mut registrations {
+        let response = U2F.sign_response(challenge.clone(), reg.reg.clone(), response.clone(), reg.counter);
+        match response {
+            Ok(new_counter) => {
+                reg.counter = new_counter;
+                save_u2f_registrations(user_uuid, &registrations, &conn)?;
+
+                return Ok(());
+            }
+            Err(u2f::u2ferror::U2fError::CounterTooLow) => {
+                reg.compromised = true;
+                save_u2f_registrations(user_uuid, &registrations, &conn)?;
+
+                err!("This device might be compromised!");
+            }
+            Err(e) => {
+                warn!("E {:#}", e);
+                // break;
+            }
+        }
+    }
+    err!("error verifying response")
+}

src/api/core/two_factor/yubikey.rs

@@ -0,0 +1,194 @@
+use rocket::Route;
+use rocket_contrib::json::Json;
+use serde_json;
+use serde_json::Value;
+use yubico::config::Config;
+use yubico::verify;
+
+use crate::api::core::two_factor::_generate_recover_code;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, PasswordData};
+use crate::auth::Headers;
+use crate::db::{
+    models::{TwoFactor, TwoFactorType},
+    DbConn,
+};
+use crate::error::{Error, MapResult};
+use crate::CONFIG;
+
+pub fn routes() -> Vec<Route> {
+    routes![generate_yubikey, activate_yubikey, activate_yubikey_put,]
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct EnableYubikeyData {
+    MasterPasswordHash: String,
+    Key1: Option<String>,
+    Key2: Option<String>,
+    Key3: Option<String>,
+    Key4: Option<String>,
+    Key5: Option<String>,
+    Nfc: bool,
+}
+
+#[derive(Deserialize, Serialize, Debug)]
+#[allow(non_snake_case)]
+pub struct YubikeyMetadata {
+    Keys: Vec<String>,
+    pub Nfc: bool,
+}
+
+fn parse_yubikeys(data: &EnableYubikeyData) -> Vec<String> {
+    let data_keys = [&data.Key1, &data.Key2, &data.Key3, &data.Key4, &data.Key5];
+
+    data_keys.iter().filter_map(|e| e.as_ref().cloned()).collect()
+}
+
+fn jsonify_yubikeys(yubikeys: Vec<String>) -> serde_json::Value {
+    let mut result = json!({});
+
+    for (i, key) in yubikeys.into_iter().enumerate() {
+        result[format!("Key{}", i + 1)] = Value::String(key);
+    }
+
+    result
+}
+
+fn get_yubico_credentials() -> Result<(String, String), Error> {
+    if !CONFIG._enable_yubico() {
+        err!("Yubico support is disabled");
+    }
+
+    match (CONFIG.yubico_client_id(), CONFIG.yubico_secret_key()) {
+        (Some(id), Some(secret)) => Ok((id, secret)),
+        _ => err!("`YUBICO_CLIENT_ID` or `YUBICO_SECRET_KEY` environment variable is not set. Yubikey OTP Disabled"),
+    }
+}
+
+fn verify_yubikey_otp(otp: String) -> EmptyResult {
+    let (yubico_id, yubico_secret) = get_yubico_credentials()?;
+
+    let config = Config::default().set_client_id(yubico_id).set_key(yubico_secret);
+
+    match CONFIG.yubico_server() {
+        Some(server) => verify(otp, config.set_api_hosts(vec![server])),
+        None => verify(otp, config),
+    }
+    .map_res("Failed to verify OTP")
+    .and(Ok(()))
+}
+
+#[post("/two-factor/get-yubikey", data = "<data>")]
+fn generate_yubikey(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    // Make sure the credentials are set
+    get_yubico_credentials()?;
+
+    let data: PasswordData = data.into_inner().data;
+    let user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let user_uuid = &user.uuid;
+    let yubikey_type = TwoFactorType::YubiKey as i32;
+
+    let r = TwoFactor::find_by_user_and_type(user_uuid, yubikey_type, &conn);
+
+    if let Some(r) = r {
+        let yubikey_metadata: YubikeyMetadata = serde_json::from_str(&r.data)?;
+
+        let mut result = jsonify_yubikeys(yubikey_metadata.Keys);
+
+        result["Enabled"] = Value::Bool(true);
+        result["Nfc"] = Value::Bool(yubikey_metadata.Nfc);
+        result["Object"] = Value::String("twoFactorU2f".to_owned());
+
+        Ok(Json(result))
+    } else {
+        Ok(Json(json!({
+            "Enabled": false,
+            "Object": "twoFactorU2f",
+        })))
+    }
+}
+
+#[post("/two-factor/yubikey", data = "<data>")]
+fn activate_yubikey(data: JsonUpcase<EnableYubikeyData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableYubikeyData = data.into_inner().data;
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    // Check if we already have some data
+    let mut yubikey_data = match TwoFactor::find_by_user_and_type(&user.uuid, TwoFactorType::YubiKey as i32, &conn) {
+        Some(data) => data,
+        None => TwoFactor::new(user.uuid.clone(), TwoFactorType::YubiKey, String::new()),
+    };
+
+    let yubikeys = parse_yubikeys(&data);
+
+    if yubikeys.is_empty() {
+        return Ok(Json(json!({
+            "Enabled": false,
+            "Object": "twoFactorU2f",
+        })));
+    }
+
+    // Ensure they are valid OTPs
+    for yubikey in &yubikeys {
+        if yubikey.len() == 12 {
+            // YubiKey ID
+            continue;
+        }
+
+        verify_yubikey_otp(yubikey.to_owned()).map_res("Invalid Yubikey OTP provided")?;
+    }
+
+    let yubikey_ids: Vec<String> = yubikeys.into_iter().map(|x| (&x[..12]).to_owned()).collect();
+
+    let yubikey_metadata = YubikeyMetadata {
+        Keys: yubikey_ids,
+        Nfc: data.Nfc,
+    };
+
+    yubikey_data.data = serde_json::to_string(&yubikey_metadata).unwrap();
+    yubikey_data.save(&conn)?;
+
+    _generate_recover_code(&mut user, &conn);
+
+    let mut result = jsonify_yubikeys(yubikey_metadata.Keys);
+
+    result["Enabled"] = Value::Bool(true);
+    result["Nfc"] = Value::Bool(yubikey_metadata.Nfc);
+    result["Object"] = Value::String("twoFactorU2f".to_owned());
+
+    Ok(Json(result))
+}
+
+#[put("/two-factor/yubikey", data = "<data>")]
+fn activate_yubikey_put(data: JsonUpcase<EnableYubikeyData>, headers: Headers, conn: DbConn) -> JsonResult {
+    activate_yubikey(data, headers, conn)
+}
+
+pub fn validate_yubikey_login(response: &str, twofactor_data: &str) -> EmptyResult {
+    if response.len() != 44 {
+        err!("Invalid Yubikey OTP length");
+    }
+
+    let yubikey_metadata: YubikeyMetadata = serde_json::from_str(twofactor_data).expect("Can't parse Yubikey Metadata");
+    let response_id = &response[..12];
+
+    if !yubikey_metadata.Keys.contains(&response_id.to_owned()) {
+        err!("Given Yubikey is not registered");
+    }
+
+    let result = verify_yubikey_otp(response.to_owned());
+
+    match result {
+        Ok(_answer) => Ok(()),
+        Err(_e) => err!("Failed to verify Yubikey against OTP server"),
+    }
+}

src/api/icons.rs

@@ -1,12 +1,13 @@
 use std::fs::{create_dir_all, remove_file, symlink_metadata, File};
 use std::io::prelude::*;
+use std::net::ToSocketAddrs;
 use std::time::{Duration, SystemTime};
 
 use rocket::http::ContentType;
 use rocket::response::Content;
 use rocket::Route;
 
-use reqwest::{header::HeaderMap, Client, Response};
+use reqwest::{header::HeaderMap, Client, Response, Url};
 
 use rocket::http::Cookie;
 
@@ -60,20 +61,36 @@ fn icon(domain: String) -> Content<Vec<u8>> {
         return Content(icon_type, FALLBACK_ICON.to_vec());
     }
 
-    if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
-        info!("Icon blacklist enabled: {:#?}", blacklist);
+    Content(icon_type, get_icon(&domain))
+}
 
-        let regex = Regex::new(&blacklist).expect("Valid Regex");
+fn check_icon_domain_is_blacklisted(domain: &str) -> bool {
+    let mut is_blacklisted = CONFIG.icon_blacklist_non_global_ips()
+        && (domain, 0)
+            .to_socket_addrs()
+            .map(|x| {
+                for ip_port in x {
+                    if !ip_port.ip().is_global() {
+                        warn!("IP {} for domain '{}' is not a global IP!", ip_port.ip(), domain);
+                        return true;
+                    }
+                }
+                false
+            })
+            .unwrap_or(false);
 
-        if regex.is_match(&domain) {
-            warn!("Blacklisted domain: {:#?}", domain);
-            return Content(icon_type, FALLBACK_ICON.to_vec());
+    // Skip the regex check if the previous one is true already
+    if !is_blacklisted {
+        if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
+            let regex = Regex::new(&blacklist).expect("Valid Regex");
+            if regex.is_match(&domain) {
+                warn!("Blacklisted domain: {:#?} matched {:#?}", domain, blacklist);
+                is_blacklisted = true;
+            }
         }
     }
 
-    let icon = get_icon(&domain);
-
-    Content(icon_type, icon)
+    is_blacklisted
 }
 
 fn get_icon(domain: &str) -> Vec<u8> {
@@ -95,7 +112,9 @@ fn get_icon(domain: &str) -> Vec<u8> {
         }
         Err(e) => {
             error!("Error downloading icon: {:?}", e);
-            mark_negcache(&path);
+            let miss_indicator = path + ".miss";
+            let empty_icon = Vec::new();
+            save_icon(&miss_indicator, &empty_icon);
             FALLBACK_ICON.to_vec()
         }
     }
@@ -151,11 +170,6 @@ fn icon_is_negcached(path: &str) -> bool {
     }
 }
 
-fn mark_negcache(path: &str) {
-    let miss_indicator = path.to_owned() + ".miss";
-    File::create(&miss_indicator).expect("Error creating negative cache marker");
-}
-
 fn icon_is_expired(path: &str) -> bool {
     let expired = file_is_expired(path, CONFIG.icon_cache_ttl());
     expired.unwrap_or(true)
@@ -199,9 +213,10 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
     let mut cookie_str = String::new();
 
     let resp = get_page(&ssldomain).or_else(|_| get_page(&httpdomain));
-    if let Ok(content) = resp {
+    if let Ok(mut content) = resp {
         // Extract the URL from the respose in case redirects occured (like @ gitlab.com)
         let url = content.url().clone();
+
         let raw_cookies = content.headers().get_all("set-cookie");
         cookie_str = raw_cookies
             .iter()
@@ -218,12 +233,16 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
         // Add the default favicon.ico to the list with the domain the content responded from.
         iconlist.push(Icon::new(35, url.join("/favicon.ico").unwrap().into_string()));
 
-        let soup = Soup::from_reader(content)?;
+        // 512KB should be more than enough for the HTML, though as we only really need
+        // the HTML header, it could potentially be reduced even further
+        let limited_reader = crate::util::LimitedReader::new(&mut content, 512 * 1024);
+
+        let soup = Soup::from_reader(limited_reader)?;
         // Search for and filter
         let favicons = soup
             .tag("link")
             .attr("rel", Regex::new(r"icon$|apple.*icon")?) // Only use icon rels
-            .attr("href", Regex::new(r"(?i)\w+\.(jpg|jpeg|png|ico)(\?.*)?$")?) // Only allow specific extensions
+            .attr("href", Regex::new(r"(?i)\w+\.(jpg|jpeg|png|ico)(\?.*)?$|^data:image.*base64")?) // Only allow specific extensions
             .find_all();
 
         // Loop through all the found icons and determine it's priority
@@ -239,6 +258,7 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
     } else {
         // Add the default favicon.ico to the list with just the given domain
         iconlist.push(Icon::new(35, format!("{}/favicon.ico", ssldomain)));
+        iconlist.push(Icon::new(35, format!("{}/favicon.ico", httpdomain)));
     }
 
     // Sort the iconlist by priority
@@ -253,12 +273,20 @@ fn get_page(url: &str) -> Result<Response, Error> {
 }
 
 fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error> {
-    CLIENT
-        .get(url)
-        .header("cookie", cookie_str)
-        .send()?
-        .error_for_status()
-        .map_err(Into::into)
+    if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
+        err!("Favicon rel linked to a non blacklisted domain!");
+    }
+
+    if cookie_str.is_empty() {
+        CLIENT.get(url).send()?.error_for_status().map_err(Into::into)
+    } else {
+        CLIENT
+            .get(url)
+            .header("cookie", cookie_str)
+            .send()?
+            .error_for_status()
+            .map_err(Into::into)
+    }
 }
 
 /// Returns a Integer with the priority of the type of the icon which to prefer.
@@ -341,19 +369,40 @@ fn parse_sizes(sizes: Option<String>) -> (u16, u16) {
 }
 
 fn download_icon(domain: &str) -> Result<Vec<u8>, Error> {
+    if check_icon_domain_is_blacklisted(domain) {
+        err!("Domain is blacklisted", domain)
+    }
+
     let (iconlist, cookie_str) = get_icon_url(&domain)?;
 
     let mut buffer = Vec::new();
 
+    use data_url::DataUrl;
+
     for icon in iconlist.iter().take(5) {
-        match get_page_with_cookies(&icon.href, &cookie_str) {
-            Ok(mut res) => {
-                info!("Downloaded icon from {}", icon.href);
-                res.copy_to(&mut buffer)?;
-                break;
-            }
-            Err(_) => info!("Download failed for {}", icon.href),
-        };
+        if icon.href.starts_with("data:image") {
+            let datauri = DataUrl::process(&icon.href).unwrap();
+            // Check if we are able to decode the data uri
+            match datauri.decode_to_vec() {
+                Ok((body, _fragment)) => {
+                    // Also check if the size is atleast 67 bytes, which seems to be the smallest png i could create
+                    if body.len() >= 67 {
+                        buffer = body;
+                        break;
+                    }
+                }
+                _ => warn!("data uri is invalid"),
+            };
+        } else {
+            match get_page_with_cookies(&icon.href, &cookie_str) {
+                Ok(mut res) => {
+                    info!("Downloaded icon from {}", icon.href);
+                    res.copy_to(&mut buffer)?;
+                    break;
+                }
+                Err(_) => info!("Download failed for {}", icon.href),
+            };
+        }
     }
 
     if buffer.is_empty() {
@@ -364,11 +413,17 @@ fn download_icon(domain: &str) -> Result<Vec<u8>, Error> {
 }
 
 fn save_icon(path: &str, icon: &[u8]) {
-    create_dir_all(&CONFIG.icon_cache_folder()).expect("Error creating icon cache");
-
-    if let Ok(mut f) = File::create(path) {
-        f.write_all(icon).expect("Error writing icon file");
-    };
+    match File::create(path) {
+        Ok(mut f) => {
+            f.write_all(icon).expect("Error writing icon file");
+        }
+        Err(ref e) if e.kind() == std::io::ErrorKind::NotFound => {
+            create_dir_all(&CONFIG.icon_cache_folder()).expect("Error creating icon cache");
+        }
+        Err(e) => {
+            info!("Icon save error: {:?}", e);
+        }
+    }
 }
 
 fn _header_map() -> HeaderMap {

src/api/identity.rs

@@ -1,22 +1,18 @@
+use chrono::Utc;
+use num_traits::FromPrimitive;
 use rocket::request::{Form, FormItems, FromForm};
 use rocket::Route;
-
 use rocket_contrib::json::Json;
 use serde_json::Value;
 
-use num_traits::FromPrimitive;
-
+use crate::api::core::two_factor::email::EmailTokenData;
+use crate::api::core::two_factor::{duo, email, yubikey};
+use crate::api::{ApiResult, EmptyResult, JsonResult};
+use crate::auth::ClientIp;
 use crate::db::models::*;
 use crate::db::DbConn;
-
-use crate::util;
-
-use crate::api::{ApiResult, EmptyResult, JsonResult};
-
-use crate::auth::ClientIp;
-
 use crate::mail;
-
+use crate::util;
 use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
@@ -101,6 +97,34 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult
         )
     }
 
+    if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {
+        let now = Utc::now().naive_utc();
+        if user.last_verifying_at.is_none() || now.signed_duration_since(user.last_verifying_at.unwrap()).num_seconds() > CONFIG.signups_verify_resend_time() as i64 {
+            let resend_limit = CONFIG.signups_verify_resend_limit() as i32;
+            if resend_limit == 0 || user.login_verify_count < resend_limit {
+                // We want to send another email verification if we require signups to verify
+                // their email address, and we haven't sent them a reminder in a while...
+                let mut user = user;
+                user.last_verifying_at = Some(now);
+                user.login_verify_count += 1;
+
+                if let Err(e) = user.save(&conn) {
+                    error!("Error updating user: {:#?}", e);
+                }
+
+                if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
+                    error!("Error auto-sending email verification email: {:#?}", e);
+                }
+            }
+        }
+
+        // We still want the login to fail until they actually verified the email address
+        err!(
+            "Please verify your email before trying again.",
+            format!("IP: {}. Username: {}.", ip.ip, username)
+        )
+    }
+
     let (mut device, new_device) = get_device(&data, &conn, &user);
 
     let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, &conn)?;
@@ -129,6 +153,7 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult
         "refresh_token": device.refresh_token,
         "Key": user.akey,
         "PrivateKey": user.private_key,
+        //"TwoFactorToken": "11122233333444555666777888999"
     });
 
     if let Some(token) = twofactor_token {
@@ -186,10 +211,13 @@ fn twofactor_auth(
 
     let twofactor_code = match data.two_factor_token {
         Some(ref code) => code,
-        None => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
+        None => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?, "2FA token not provided"),
     };
 
-    let selected_twofactor = twofactors.into_iter().filter(|tf| tf.atype == selected_id).nth(0);
+    let selected_twofactor = twofactors
+        .into_iter()
+        .filter(|tf| tf.atype == selected_id && tf.enabled)
+        .nth(0);
 
     use crate::api::core::two_factor as _tf;
     use crate::crypto::ct_eq;
@@ -198,17 +226,18 @@ fn twofactor_auth(
     let mut remember = data.two_factor_remember.unwrap_or(0);
 
     match TwoFactorType::from_i32(selected_id) {
-        Some(TwoFactorType::Authenticator) => _tf::validate_totp_code_str(twofactor_code, &selected_data?)?,
-        Some(TwoFactorType::U2f) => _tf::validate_u2f_login(user_uuid, twofactor_code, conn)?,
-        Some(TwoFactorType::YubiKey) => _tf::validate_yubikey_login(twofactor_code, &selected_data?)?,
-        Some(TwoFactorType::Duo) => _tf::validate_duo_login(data.username.as_ref().unwrap(), twofactor_code, conn)?,
+        Some(TwoFactorType::Authenticator) => _tf::authenticator::validate_totp_code_str(user_uuid, twofactor_code, &selected_data?, conn)?,
+        Some(TwoFactorType::U2f) => _tf::u2f::validate_u2f_login(user_uuid, twofactor_code, conn)?,
+        Some(TwoFactorType::YubiKey) => _tf::yubikey::validate_yubikey_login(twofactor_code, &selected_data?)?,
+        Some(TwoFactorType::Duo) => _tf::duo::validate_duo_login(data.username.as_ref().unwrap(), twofactor_code, conn)?,
+        Some(TwoFactorType::Email) => _tf::email::validate_email_code_str(user_uuid, twofactor_code, &selected_data?, conn)?,
 
         Some(TwoFactorType::Remember) => {
             match device.twofactor_remember {
                 Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => {
                     remember = 1; // Make sure we also return the token here, otherwise it will only remember the first time
                 }
-                _ => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
+                _ => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?, "2FA Remember token not provided"),
             }
         }
         _ => err!("Invalid two factor provider"),
@@ -246,7 +275,7 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
             Some(TwoFactorType::Authenticator) => { /* Nothing to do for TOTP */ }
 
             Some(TwoFactorType::U2f) if CONFIG.domain_set() => {
-                let request = two_factor::generate_u2f_login(user_uuid, conn)?;
+                let request = two_factor::u2f::generate_u2f_login(user_uuid, conn)?;
                 let mut challenge_list = Vec::new();
 
                 for key in request.registered_keys {
@@ -271,7 +300,7 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
                     None => err!("User does not exist"),
                 };
 
-                let (signature, host) = two_factor::generate_duo_signature(&email, conn)?;
+                let (signature, host) = duo::generate_duo_signature(&email, conn)?;
 
                 result["TwoFactorProviders2"][provider.to_string()] = json!({
                     "Host": host,
@@ -285,13 +314,32 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
                     None => err!("No YubiKey devices registered"),
                 };
 
-                let yubikey_metadata: two_factor::YubikeyMetadata = serde_json::from_str(&twofactor.data)?;
+                let yubikey_metadata: yubikey::YubikeyMetadata = serde_json::from_str(&twofactor.data)?;
 
                 result["TwoFactorProviders2"][provider.to_string()] = json!({
                     "Nfc": yubikey_metadata.Nfc,
                 })
             }
 
+            Some(tf_type @ TwoFactorType::Email) => {
+                use crate::api::core::two_factor as _tf;
+
+                let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, tf_type as i32, &conn) {
+                    Some(tf) => tf,
+                    None => err!("No twofactor email registered"),
+                };
+
+                // Send email immediately if email is the only 2FA option
+                if providers.len() == 1 {
+                    _tf::email::send_token(&user_uuid, &conn)?
+                }
+
+                let email_data = EmailTokenData::from_json(&twofactor.data)?;
+                result["TwoFactorProviders2"][provider.to_string()] = json!({
+                    "Email": email::obscure_email(&email_data.email),
+                })
+            }
+
             _ => {}
         }
     }

src/api/notifications.rs

@@ -1,20 +1,31 @@
+use std::sync::atomic::{AtomicBool, Ordering};
+
 use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value as JsonValue;
 
-use crate::api::JsonResult;
+use crate::api::{EmptyResult, JsonResult};
 use crate::auth::Headers;
 use crate::db::DbConn;
 
-use crate::CONFIG;
+use crate::{Error, CONFIG};
 
 pub fn routes() -> Vec<Route> {
     routes![negotiate, websockets_err]
 }
 
+static SHOW_WEBSOCKETS_MSG: AtomicBool = AtomicBool::new(true);
+
 #[get("/hub")]
-fn websockets_err() -> JsonResult {
-    err!("'/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.")
+fn websockets_err() -> EmptyResult {
+    if CONFIG.websocket_enabled() && SHOW_WEBSOCKETS_MSG.compare_and_swap(true, false, Ordering::Relaxed) {
+        err!("###########################################################
+    '/notifications/hub' should be proxied to the websocket server or notifications won't work.
+    Go to the Wiki for more info, or disable WebSockets setting WEBSOCKET_ENABLED=false.
+    ###########################################################################################")
+    } else {
+        Err(Error::empty())
+    }
 }
 
 #[post("/hub/negotiate")]
@@ -43,10 +54,11 @@ fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult {
 //
 // Websockets server
 //
+use std::io;
 use std::sync::Arc;
 use std::thread;
 
-use ws::{self, util::Token, Factory, Handler, Handshake, Message, Sender, WebSocket};
+use ws::{self, util::Token, Factory, Handler, Handshake, Message, Sender};
 
 use chashmap::CHashMap;
 use chrono::NaiveDateTime;
@@ -124,20 +136,51 @@ struct InitialMessage {
 const PING_MS: u64 = 15_000;
 const PING: Token = Token(1);
 
+const ID_KEY: &str = "id=";
+const ACCESS_TOKEN_KEY: &str = "access_token=";
+
+impl WSHandler {
+    fn err(&self, msg: &'static str) -> ws::Result<()> {
+        self.out.close(ws::CloseCode::Invalid)?;
+
+        // We need to specifically return an IO error so ws closes the connection
+        let io_error = io::Error::from(io::ErrorKind::InvalidData);
+        Err(ws::Error::new(ws::ErrorKind::Io(io_error), msg))
+    }
+}
+
 impl Handler for WSHandler {
     fn on_open(&mut self, hs: Handshake) -> ws::Result<()> {
-        // TODO: Improve this split
+        // Path == "/notifications/hub?id=<id>==&access_token=<access_token>"
         let path = hs.request.resource();
-        let mut query_split: Vec<_> = path.split('?').nth(1).unwrap().split('&').collect();
-        query_split.sort();
-        let access_token = &query_split[0][13..];
-        let _id = &query_split[1][3..];
+
+        let (_id, access_token) = match path.split('?').nth(1) {
+            Some(params) => {
+                let mut params_iter = params.split('&').take(2);
+
+                let mut id = None;
+                let mut access_token = None;
+                while let Some(val) = params_iter.next() {
+                    if val.starts_with(ID_KEY) {
+                        id = Some(&val[ID_KEY.len()..]);
+                    } else if val.starts_with(ACCESS_TOKEN_KEY) {
+                        access_token = Some(&val[ACCESS_TOKEN_KEY.len()..]);
+                    }
+                }
+
+                match (id, access_token) {
+                    (Some(a), Some(b)) => (a, b),
+                    _ => return self.err("Missing id or access token"),
+                }
+            }
+            None => return self.err("Missing query path"),
+        };
 
         // Validate the user
         use crate::auth;
         let claims = match auth::decode_login(access_token) {
             Ok(claims) => claims,
-            Err(_) => return Err(ws::Error::new(ws::ErrorKind::Internal, "Invalid access token provided")),
+            Err(_) => return self.err("Invalid access token provided"),
         };
 
         // Assign the user to the handler
@@ -157,8 +200,6 @@ impl Handler for WSHandler {
     }
 
     fn on_message(&mut self, msg: Message) -> ws::Result<()> {
-        info!("Server got message '{}'. ", msg);
-
         if let Message::Text(text) = msg.clone() {
             let json = &text[..text.len() - 1]; // Remove last char
 
@@ -181,10 +222,7 @@ impl Handler for WSHandler {
             // reschedule the timeout
             self.out.timeout(PING_MS, PING)
         } else {
-            Err(ws::Error::new(
-                ws::ErrorKind::Internal,
-                "Invalid timeout token provided",
-            ))
+            Ok(())
         }
     }
 }
@@ -353,7 +391,14 @@ pub fn start_notification_server() -> WebSocketUsers {
 
     if CONFIG.websocket_enabled() {
         thread::spawn(move || {
-            WebSocket::new(factory)
+            let mut settings = ws::Settings::default();
+            settings.max_connections = 500;
+            settings.queue_size = 2;
+            settings.panic_on_internal = false;
+
+            ws::Builder::new()
+                .with_settings(settings)
+                .build(factory)
                 .unwrap()
                 .listen((CONFIG.websocket_address().as_str(), CONFIG.websocket_port()))
                 .unwrap();

src/api/web.rs

@@ -1,4 +1,3 @@
-use std::io;
 use std::path::{Path, PathBuf};
 
 use rocket::http::ContentType;
@@ -8,23 +7,23 @@ use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value;
 
-use crate::util::Cached;
 use crate::error::Error;
+use crate::util::Cached;
 use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
+    // If addding more routes here, consider also adding them to
+    // crate::utils::LOGGED_ROUTES to make sure they appear in the log
     if CONFIG.web_vault_enabled() {
-        routes![web_index, app_id, web_files, attachments, alive, images]
+        routes![web_index, app_id, web_files, attachments, alive, static_files]
     } else {
-        routes![attachments, alive]
+        routes![attachments, alive, static_files]
     }
 }
 
 #[get("/")]
-fn web_index() -> Cached<io::Result<NamedFile>> {
-    Cached::short(NamedFile::open(
-        Path::new(&CONFIG.web_vault_folder()).join("index.html"),
-    ))
+fn web_index() -> Cached<Option<NamedFile>> {
+    Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join("index.html")).ok())
 }
 
 #[get("/app-id.json")]
@@ -47,13 +46,13 @@ fn app_id() -> Cached<Content<Json<Value>>> {
 }
 
 #[get("/<p..>", rank = 10)] // Only match this if the other routes don't match
-fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> {
-    Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join(p)))
+fn web_files(p: PathBuf) -> Cached<Option<NamedFile>> {
+    Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join(p)).ok())
 }
 
 #[get("/attachments/<uuid>/<file..>")]
-fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
-    NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file))
+fn attachments(uuid: String, file: PathBuf) -> Option<NamedFile> {
+    NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file)).ok()
 }
 
 #[get("/alive")]
@@ -64,12 +63,18 @@ fn alive() -> Json<String> {
     Json(format_date(&Utc::now().naive_utc()))
 }
 
-#[get("/bwrs_images/<filename>")]
-fn images(filename: String) -> Result<Content<&'static [u8]>, Error> {
+#[get("/bwrs_static/<filename>")]
+fn static_files(filename: String) -> Result<Content<&'static [u8]>, Error> {
     match filename.as_ref() {
         "mail-github.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/mail-github.png"))),
         "logo-gray.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/logo-gray.png"))),
         "error-x.svg" => Ok(Content(ContentType::SVG, include_bytes!("../static/images/error-x.svg"))),
+        "hibp.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/hibp.png"))),
+
+        "bootstrap.css" => Ok(Content(ContentType::CSS, include_bytes!("../static/scripts/bootstrap.css"))),
+        "bootstrap-native-v4.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/bootstrap-native-v4.js"))),
+        "md5.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/md5.js"))),
+        "identicon.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/identicon.js"))),
         _ => err!("Image not found"),
     }
 }

src/auth.rs

@@ -18,6 +18,8 @@ lazy_static! {
     static ref JWT_HEADER: Header = Header::new(JWT_ALGORITHM);
     pub static ref JWT_LOGIN_ISSUER: String = format!("{}|login", CONFIG.domain());
     pub static ref JWT_INVITE_ISSUER: String = format!("{}|invite", CONFIG.domain());
+    pub static ref JWT_DELETE_ISSUER: String = format!("{}|delete", CONFIG.domain());
+    pub static ref JWT_VERIFYEMAIL_ISSUER: String = format!("{}|verifyemail", CONFIG.domain());
     pub static ref JWT_ADMIN_ISSUER: String = format!("{}|admin", CONFIG.domain());
     static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key()) {
         Ok(key) => key,
@@ -62,6 +64,14 @@ pub fn decode_invite(token: &str) -> Result<InviteJWTClaims, Error> {
     decode_jwt(token, JWT_INVITE_ISSUER.to_string())
 }
 
+pub fn decode_delete(token: &str) -> Result<DeleteJWTClaims, Error> {
+    decode_jwt(token, JWT_DELETE_ISSUER.to_string())
+}
+
+pub fn decode_verify_email(token: &str) -> Result<VerifyEmailJWTClaims, Error> {
+    decode_jwt(token, JWT_VERIFYEMAIL_ISSUER.to_string())
+}
+
 pub fn decode_admin(token: &str) -> Result<AdminJWTClaims, Error> {
     decode_jwt(token, JWT_ADMIN_ISSUER.to_string())
 }
@@ -118,7 +128,7 @@ pub fn generate_invite_claims(
     uuid: String,
     email: String,
     org_id: Option<String>,
-    org_user_id: Option<String>,
+    user_org_id: Option<String>,
     invited_by_email: Option<String>,
 ) -> InviteJWTClaims {
     let time_now = Utc::now().naive_utc();
@@ -126,11 +136,55 @@ pub fn generate_invite_claims(
         nbf: time_now.timestamp(),
         exp: (time_now + Duration::days(5)).timestamp(),
         iss: JWT_INVITE_ISSUER.to_string(),
-        sub: uuid.clone(),
-        email: email.clone(),
-        org_id: org_id.clone(),
-        user_org_id: org_user_id.clone(),
-        invited_by_email: invited_by_email.clone(),
+        sub: uuid,
+        email,
+        org_id,
+        user_org_id,
+        invited_by_email,
+    }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct DeleteJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+}
+
+pub fn generate_delete_claims(uuid: String) -> DeleteJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    DeleteJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::days(5)).timestamp(),
+        iss: JWT_DELETE_ISSUER.to_string(),
+        sub: uuid,
+    }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct VerifyEmailJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+}
+
+pub fn generate_verify_email_claims(uuid: String) -> DeleteJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    DeleteJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::days(5)).timestamp(),
+        iss: JWT_VERIFYEMAIL_ISSUER.to_string(),
+        sub: uuid,
     }
 }
 
@@ -372,12 +426,25 @@ pub struct ClientIp {
 impl<'a, 'r> FromRequest<'a, 'r> for ClientIp {
     type Error = ();
 
-    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let ip = match request.client_ip() {
-            Some(addr) => addr,
-            None => "0.0.0.0".parse().unwrap(),
+    fn from_request(req: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
+        let ip = if CONFIG._ip_header_enabled() {
+            req.headers().get_one(&CONFIG.ip_header()).and_then(|ip| {
+                match ip.find(',') {
+                    Some(idx) => &ip[..idx],
+                    None => ip,
+                }
+                .parse()
+                .map_err(|_| warn!("'{}' header is malformed: {}", CONFIG.ip_header(), ip))
+                .ok()
+            })
+        } else {
+            None
         };
 
+        let ip = ip
+            .or_else(|| req.remote().map(|r| r.ip()))
+            .unwrap_or_else(|| "0.0.0.0".parse().unwrap());
+
         Outcome::Success(ClientIp { ip })
     }
 }

src/config.rs

@@ -185,19 +185,24 @@ macro_rules! make_config {
             }
         }
     }};
+    ( @build $value:expr, $config:expr, gen, $default_fn:expr ) => {{
+        let f: &dyn Fn(&ConfigItems) -> _ = &$default_fn;
+        f($config)
+    }};
 }
 
 //STRUCTURE:
 // /// Short description (without this they won't appear on the list)
 // group {
 //   /// Friendly Name |> Description (Optional)
-//   name: type, is_editable, none_action, <default_value (Optional)>
+//   name: type, is_editable, action, <default_value (Optional)>
 // }
 //
-// Where none_action applied when the value wasn't provided and can be:
+// Where action applied when the value wasn't provided and can be:
 //  def:    Use a default value
 //  auto:   Value is auto generated based on other values
 //  option: Value is optional
+//  gen:    Value is always autogenerated and it's original value ignored
 make_config! {
     folders {
         ///  Data folder |> Main data folder
@@ -243,6 +248,14 @@ make_config! {
         disable_icon_download:  bool,   true,   def,    false;
         /// Allow new signups |> Controls if new users can register. Note that while this is disabled, users could still be invited
         signups_allowed:        bool,   true,   def,    true;
+        /// Require email verification on signups. This will prevent logins from succeeding until the address has been verified
+        signups_verify:         bool,   true,   def,    false;
+        /// If signups require email verification, automatically re-send verification email if it hasn't been sent for a while (in seconds)
+        signups_verify_resend_time: u64, true,  def,    3_600;
+        /// If signups require email verification, limit how many emails are automatically sent when login is attempted (0 means no limit)
+        signups_verify_resend_limit: u32, true, def,    6;
+        /// Allow signups only from this list of comma-separated domains
+        signups_domains_whitelist: String, true, def,   "".to_string();
         /// Allow invitations |> Controls whether users can be invited by organization admins, even when signups are disabled
         invitations_allowed:    bool,   true,   def,    true;
         /// Password iterations |> Number of server-side passwords hashing iterations.
@@ -258,6 +271,11 @@ make_config! {
 
     /// Advanced settings
     advanced {
+        /// Client IP header |> If not present, the remote IP is used.
+        /// Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+        ip_header:              String, true,   def,    "X-Real-IP".to_string();
+        /// Internal IP header property, used to avoid recomputing each time
+        _ip_header_enabled:     bool,   false,  gen,    |c| &c.ip_header.trim().to_lowercase() != "none";
         /// Positive icon cache expiry |> Number of seconds to consider that an already cached icon is fresh. After this period, the icon will be redownloaded
         icon_cache_ttl:         u64,    true,   def,    2_592_000;
         /// Negative icon cache expiry |> Number of seconds before trying to download an icon that failed again.
@@ -267,11 +285,18 @@ make_config! {
         /// Icon blacklist Regex |> Any domains or IPs that match this regex won't be fetched by the icon service.
         /// Useful to hide other servers in the local network. Check the WIKI for more details
         icon_blacklist_regex:   String, true,   option;
+        /// Icon blacklist non global IPs |> Any IP which is not defined as a global IP will be blacklisted.
+        /// Usefull to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+        icon_blacklist_non_global_ips:  bool,   true,   def,    true;
 
         /// Disable Two-Factor remember |> Enabling this would force the users to use a second factor to login every time.
         /// Note that the checkbox would still be present, but ignored.
         disable_2fa_remember:   bool,   true,   def,    false;
 
+        /// Disable authenticator time drifted codes to be valid |> Enabling this only allows the current TOTP code to be valid
+        /// TOTP codes of the previous and next 30 seconds will be invalid.
+        authenticator_disable_time_drift:     bool,   true,  def,    false;
+
         /// Require new device emails |> When a user logs in an email is required to be sent.
         /// If sending the email fails the login attempt will fail.
         require_device_email:   bool,   true,   def,     false;
@@ -279,9 +304,6 @@ make_config! {
         /// Reload templates (Dev) |> When this is set to true, the templates get reloaded with every request.
         /// ONLY use this during development, as it can slow down the server
         reload_templates:       bool,   true,   def,    false;
-
-        /// Log routes at launch (Dev)
-        log_mounts:             bool,   true,   def,    false;
         /// Enable extended logging
         extended_logging:       bool,   false,  def,    true;
         /// Enable the log to output to Syslog
@@ -295,7 +317,7 @@ make_config! {
         /// that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
         enable_db_wal:          bool,   false,  def,    true;
 
-        /// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
+        /// Bypass admin page security (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
         disable_admin_token:    bool,   true,   def,    false;
     },
 
@@ -347,32 +369,74 @@ make_config! {
         smtp_password:          Pass,   true,   option;
         /// Json form auth mechanism |> Defaults for ssl is "Plain" and "Login" and nothing for non-ssl connections. Possible values: ["Plain", "Login", "Xoauth2"]
         smtp_auth_mechanism:    String, true,   option;
+        /// SMTP connection timeout |> Number of seconds when to stop trying to connect to the SMTP server
+        smtp_timeout:           u64,     true,   def,     15;
+    },
+
+    /// Email 2FA Settings
+    email_2fa: _enable_email_2fa {
+        /// Enabled |> Disabling will prevent users from setting up new email 2FA and using existing email 2FA configured
+        _enable_email_2fa:      bool,   true,   auto,    |c| c._enable_smtp && c.smtp_host.is_some();
+        /// Token number length |> Length of the numbers in an email token. Minimum of 6. Maximum is 19.
+        email_token_size:       u32,    true,   def,      6;
+        /// Token expiration time |> Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+        email_expiration_time:  u64,    true,   def,      600;
+        /// Maximum attempts |> Maximum attempts before an email token is reset and a new email will need to be sent
+        email_attempts_limit:   u64,    true,   def,      3;
     },
 }
 
 fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
+    let db_url = cfg.database_url.to_lowercase();
+    if cfg!(feature = "sqlite") && (db_url.starts_with("mysql:") || db_url.starts_with("postgresql:")) {
+        err!("`DATABASE_URL` is meant for MySQL or Postgres, while this server is meant for SQLite")
+    }
+
+    if cfg!(feature = "mysql") && !db_url.starts_with("mysql:") {
+        err!("`DATABASE_URL` should start with mysql: when using the MySQL server")
+    }
+
+    if cfg!(feature = "postgresql") && !db_url.starts_with("postgresql:") {
+        err!("`DATABASE_URL` should start with postgresql: when using the PostgreSQL server")
+    }
+
     if let Some(ref token) = cfg.admin_token {
         if token.trim().is_empty() {
             err!("`ADMIN_TOKEN` is enabled but has an empty value. To enable the admin page without token, use `DISABLE_ADMIN_TOKEN`")
         }
     }
 
-    if (cfg.duo_host.is_some() || cfg.duo_ikey.is_some() || cfg.duo_skey.is_some())
+    if cfg._enable_duo
+        && (cfg.duo_host.is_some() || cfg.duo_ikey.is_some() || cfg.duo_skey.is_some())
         && !(cfg.duo_host.is_some() && cfg.duo_ikey.is_some() && cfg.duo_skey.is_some())
     {
         err!("All Duo options need to be set for global Duo support")
     }
 
-    if cfg.yubico_client_id.is_some() != cfg.yubico_secret_key.is_some() {
+    if cfg._enable_yubico && cfg.yubico_client_id.is_some() != cfg.yubico_secret_key.is_some() {
         err!("Both `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` need to be set for Yubikey OTP support")
     }
 
-    if cfg.smtp_host.is_some() == cfg.smtp_from.is_empty() {
-        err!("Both `SMTP_HOST` and `SMTP_FROM` need to be set for email support")
-    }
+    if cfg._enable_smtp {
+        if cfg.smtp_host.is_some() == cfg.smtp_from.is_empty() {
+            err!("Both `SMTP_HOST` and `SMTP_FROM` need to be set for email support")
+        }
 
-    if cfg.smtp_username.is_some() != cfg.smtp_password.is_some() {
-        err!("Both `SMTP_USERNAME` and `SMTP_PASSWORD` need to be set to enable email authentication")
+        if cfg.smtp_username.is_some() != cfg.smtp_password.is_some() {
+            err!("Both `SMTP_USERNAME` and `SMTP_PASSWORD` need to be set to enable email authentication")
+        }
+
+        if cfg._enable_email_2fa && (!cfg._enable_smtp || cfg.smtp_host.is_none()) {
+            err!("To enable email 2FA, SMTP must be configured")
+        }
+
+        if cfg._enable_email_2fa && cfg.email_token_size < 6 {
+            err!("`EMAIL_TOKEN_SIZE` has a minimum size of 6")
+        }
+
+        if cfg._enable_email_2fa && cfg.email_token_size > 19 {
+            err!("`EMAIL_TOKEN_SIZE` has a maximum size of 19")
+        }
     }
 
     Ok(())
@@ -392,12 +456,7 @@ impl Config {
         validate_config(&config)?;
 
         Ok(Config {
-            inner: RwLock::new(Inner {
-                templates: load_templates(&config.templates_folder),
-                config,
-                _env,
-                _usr,
-            }),
+            inner: RwLock::new(Inner { templates: load_templates(&config.templates_folder), config, _env, _usr }),
         })
     }
 
@@ -441,6 +500,15 @@ impl Config {
         self.update_config(builder)
     }
 
+    pub fn can_signup_user(&self, email: &str) -> bool {
+        let e: Vec<&str> = email.rsplitn(2, '@').collect();
+        if e.len() != 2 || e[0].is_empty() || e[1].is_empty() {
+            warn!("Failed to parse email address '{}'", email);
+            return false;
+        }
+        self.signups_domains_whitelist().split(',').any(|d| d == e[0])
+    }
+
     pub fn delete_user_config(&self) -> Result<(), Error> {
         crate::util::delete_file(&CONFIG_FILE)?;
 
@@ -533,12 +601,18 @@ fn load_templates(path: &str) -> Handlebars {
     }
 
     // First register default templates here
+    reg!("email/change_email", ".html");
+    reg!("email/delete_account", ".html");
     reg!("email/invite_accepted", ".html");
     reg!("email/invite_confirmed", ".html");
     reg!("email/new_device_logged_in", ".html");
     reg!("email/pw_hint_none", ".html");
     reg!("email/pw_hint_some", ".html");
     reg!("email/send_org_invite", ".html");
+    reg!("email/twofactor_email", ".html");
+    reg!("email/verify_email", ".html");
+    reg!("email/welcome", ".html");
+    reg!("email/welcome_must_verify", ".html");
 
     reg!("admin/base");
     reg!("admin/login");
@@ -563,9 +637,7 @@ impl HelperDef for CaseHelper {
         rc: &mut RenderContext<'reg>,
         out: &mut dyn Output,
     ) -> HelperResult {
-        let param = h
-            .param(0)
-            .ok_or_else(|| RenderError::new("Param not found for helper \"case\""))?;
+        let param = h.param(0).ok_or_else(|| RenderError::new("Param not found for helper \"case\""))?;
         let value = param.value().clone();
 
         if h.params().iter().skip(1).any(|x| x.value() == &value) {
@@ -587,14 +659,10 @@ impl HelperDef for JsEscapeHelper {
         _: &mut RenderContext<'reg>,
         out: &mut dyn Output,
     ) -> HelperResult {
-        let param = h
-            .param(0)
-            .ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
+        let param = h.param(0).ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
 
-        let value = param
-            .value()
-            .as_str()
-            .ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
+        let value =
+            param.value().as_str().ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
 
         let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
         let quoted_value = format!("&quot;{}&quot;", escaped_value);

src/crypto.rs

@@ -2,6 +2,7 @@
 // PBKDF2 derivation
 //
 
+use crate::error::Error;
 use ring::{digest, hmac, pbkdf2};
 use std::num::NonZeroU32;
 
@@ -52,6 +53,21 @@ pub fn get_random(mut array: Vec<u8>) -> Vec<u8> {
     array
 }
 
+pub fn generate_token(token_size: u32) -> Result<String, Error> {
+    if token_size > 19 {
+        err!("Generating token failed")
+    }
+
+    // 8 bytes to create an u64 for up to 19 token digits
+    let bytes = get_random(vec![0; 8]);
+    let mut bytes_array = [0u8; 8];
+    bytes_array.copy_from_slice(&bytes);
+
+    let number = u64::from_be_bytes(bytes_array) % 10u64.pow(token_size);
+    let token = format!("{:0size$}", number, size = token_size as usize);
+    Ok(token)
+}
+
 //
 // Constant time compare
 //

src/db/mod.rs

@@ -19,6 +19,8 @@ use crate::CONFIG;
 type Connection = diesel::sqlite::SqliteConnection;
 #[cfg(feature = "mysql")]
 type Connection = diesel::mysql::MysqlConnection;
+#[cfg(feature = "postgresql")]
+type Connection = diesel::pg::PgConnection;
 
 /// An alias to the type for a pool of Diesel connections.
 type Pool = r2d2::Pool<ConnectionManager<Connection>>;
@@ -33,6 +35,9 @@ pub mod schema;
 #[cfg(feature = "mysql")]
 #[path = "schemas/mysql/schema.rs"]
 pub mod schema;
+#[cfg(feature = "postgresql")]
+#[path = "schemas/postgresql/schema.rs"]
+pub mod schema;
 
 /// Initializes a database pool.
 pub fn init_pool() -> Pool {
@@ -47,12 +52,16 @@ pub fn get_connection() -> Result<Connection, ConnectionError> {
 
 /// Creates a back-up of the database using sqlite3
 pub fn backup_database() -> Result<(), Error> {
+    use std::path::Path;
+    let db_url = CONFIG.database_url();
+    let db_path = Path::new(&db_url).parent().unwrap();
+
     let now: DateTime<Utc> = Utc::now();
     let file_date = now.format("%Y%m%d").to_string();
     let backup_command: String = format!("{}{}{}", ".backup 'db_", file_date, ".sqlite3'");
 
     Command::new("sqlite3")
-        .current_dir("./data")
+        .current_dir(db_path)
         .args(&["db.sqlite3", &backup_command])
         .output()
         .expect("Can't open database, sqlite3 is not available, make sure it's installed and available on the PATH");

src/db/models/attachment.rs

@@ -3,7 +3,7 @@ use serde_json::Value;
 use super::Cipher;
 use crate::CONFIG;
 
-#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
 #[table_name = "attachments"]
 #[belongs_to(Cipher, foreign_key = "cipher_uuid")]
 #[primary_key(id)]
@@ -59,6 +59,18 @@ use crate::error::MapResult;
 
 /// Database methods
 impl Attachment {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        diesel::insert_into(attachments::table)
+            .values(self)
+            .on_conflict(attachments::id)
+            .do_update()
+            .set(self)
+            .execute(&**conn)
+            .map_res("Error saving attachment")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
         diesel::replace_into(attachments::table)
             .values(self)

src/db/models/cipher.rs

@@ -5,7 +5,7 @@ use super::{
     Attachment, CollectionCipher, FolderCipher, Organization, User, UserOrgStatus, UserOrgType, UserOrganization,
 };
 
-#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
 #[table_name = "ciphers"]
 #[belongs_to(User, foreign_key = "user_uuid")]
 #[belongs_to(Organization, foreign_key = "organization_uuid")]
@@ -148,6 +148,21 @@ impl Cipher {
         user_uuids
     }
 
+    #[cfg(feature = "postgresql")]
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        self.update_users_revision(conn);
+        self.updated_at = Utc::now().naive_utc();
+
+        diesel::insert_into(ciphers::table)
+            .values(&*self)
+            .on_conflict(ciphers::uuid)
+            .do_update()
+            .set(&*self)
+            .execute(&**conn)
+            .map_res("Error saving cipher")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
         self.update_users_revision(conn);
         self.updated_at = Utc::now().naive_utc();

src/db/models/collection.rs

@@ -2,7 +2,7 @@ use serde_json::Value;
 
 use super::{Organization, UserOrgStatus, UserOrgType, UserOrganization};
 
-#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
 #[table_name = "collections"]
 #[belongs_to(Organization, foreign_key = "org_uuid")]
 #[primary_key(uuid)]
@@ -43,6 +43,20 @@ use crate::error::MapResult;
 
 /// Database methods
 impl Collection {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        self.update_users_revision(conn);
+
+        diesel::insert_into(collections::table)
+            .values(self)
+            .on_conflict(collections::uuid)
+            .do_update()
+            .set(self)
+            .execute(&**conn)
+            .map_res("Error saving collection")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
         self.update_users_revision(conn);
 
@@ -200,6 +214,24 @@ impl CollectionUser {
             .expect("Error loading users_collections")
     }
 
+    #[cfg(feature = "postgresql")]
+    pub fn save(user_uuid: &str, collection_uuid: &str, read_only: bool, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&user_uuid, conn);
+
+        diesel::insert_into(users_collections::table)
+            .values((
+                users_collections::user_uuid.eq(user_uuid),
+                users_collections::collection_uuid.eq(collection_uuid),
+                users_collections::read_only.eq(read_only),
+            ))
+            .on_conflict((users_collections::user_uuid, users_collections::collection_uuid))
+            .do_update()
+            .set(users_collections::read_only.eq(read_only))
+            .execute(&**conn)
+            .map_res("Error adding user to collection")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(user_uuid: &str, collection_uuid: &str, read_only: bool, conn: &DbConn) -> EmptyResult {
         User::update_uuid_revision(&user_uuid, conn);
 
@@ -277,6 +309,21 @@ pub struct CollectionCipher {
 
 /// Database methods
 impl CollectionCipher {
+    #[cfg(feature = "postgresql")]
+    pub fn save(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        Self::update_users_revision(&collection_uuid, conn);
+        diesel::insert_into(ciphers_collections::table)
+            .values((
+                ciphers_collections::cipher_uuid.eq(cipher_uuid),
+                ciphers_collections::collection_uuid.eq(collection_uuid),
+            ))
+            .on_conflict((ciphers_collections::cipher_uuid, ciphers_collections::collection_uuid))
+            .do_nothing()
+            .execute(&**conn)
+            .map_res("Error adding cipher to collection")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> EmptyResult {
         Self::update_users_revision(&collection_uuid, conn);
         diesel::replace_into(ciphers_collections::table)

src/db/models/device.rs

@@ -1,8 +1,9 @@
 use chrono::{NaiveDateTime, Utc};
 
 use super::User;
+use crate::CONFIG;
 
-#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
 #[table_name = "devices"]
 #[belongs_to(User, foreign_key = "user_uuid")]
 #[primary_key(uuid)]
@@ -87,7 +88,7 @@ impl Device {
             premium: true,
             name: user.name.to_string(),
             email: user.email.to_string(),
-            email_verified: true,
+            email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),
 
             orgowner,
             orgadmin,
@@ -114,6 +115,18 @@ use crate::error::MapResult;
 
 /// Database methods
 impl Device {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        self.updated_at = Utc::now().naive_utc();
+
+        crate::util::retry(
+            || diesel::insert_into(devices::table).values(&*self).on_conflict(devices::uuid).do_update().set(&*self).execute(&**conn),
+            10,
+        )
+            .map_res("Error saving device")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
         self.updated_at = Utc::now().naive_utc();
 

src/db/models/folder.rs

@@ -3,7 +3,7 @@ use serde_json::Value;
 
 use super::{Cipher, User};
 
-#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
 #[table_name = "folders"]
 #[belongs_to(User, foreign_key = "user_uuid")]
 #[primary_key(uuid)]
@@ -71,6 +71,21 @@ use crate::error::MapResult;
 
 /// Database methods
 impl Folder {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&self.user_uuid, conn);
+        self.updated_at = Utc::now().naive_utc();
+
+        diesel::insert_into(folders::table)
+            .values(&*self)
+            .on_conflict(folders::uuid)
+            .do_update()
+            .set(&*self)
+            .execute(&**conn)
+            .map_res("Error saving folder")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
         User::update_uuid_revision(&self.user_uuid, conn);
         self.updated_at = Utc::now().naive_utc();
@@ -113,6 +128,17 @@ impl Folder {
 }
 
 impl FolderCipher {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        diesel::insert_into(folders_ciphers::table)
+            .values(&*self)
+            .on_conflict((folders_ciphers::cipher_uuid, folders_ciphers::folder_uuid))
+            .do_nothing()
+            .execute(&**conn)
+            .map_res("Error adding cipher to folder")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
         diesel::replace_into(folders_ciphers::table)
             .values(&*self)

src/db/models/organization.rs

@@ -3,7 +3,7 @@ use std::cmp::Ordering;
 
 use super::{CollectionUser, User};
 
-#[derive(Debug, Identifiable, Queryable, Insertable)]
+#[derive(Debug, Identifiable, Queryable, Insertable, AsChangeset)]
 #[table_name = "organizations"]
 #[primary_key(uuid)]
 pub struct Organization {
@@ -12,7 +12,7 @@ pub struct Organization {
     pub billing_email: String,
 }
 
-#[derive(Debug, Identifiable, Queryable, Insertable)]
+#[derive(Debug, Identifiable, Queryable, Insertable, AsChangeset)]
 #[table_name = "users_organizations"]
 #[primary_key(uuid)]
 pub struct UserOrganization {
@@ -213,6 +213,24 @@ use crate::error::MapResult;
 
 /// Database methods
 impl Organization {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        UserOrganization::find_by_org(&self.uuid, conn)
+            .iter()
+            .for_each(|user_org| {
+                User::update_uuid_revision(&user_org.user_uuid, conn);
+            });
+
+        diesel::insert_into(organizations::table)
+            .values(self)
+            .on_conflict(organizations::uuid)
+            .do_update()
+            .set(self)
+            .execute(&**conn)
+            .map_res("Error saving organization")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
         UserOrganization::find_by_org(&self.uuid, conn)
             .iter()
@@ -323,6 +341,20 @@ impl UserOrganization {
         })
     }
 
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(&self.user_uuid, conn);
+
+        diesel::insert_into(users_organizations::table)
+            .values(self)
+            .on_conflict(users_organizations::uuid)
+            .do_update()
+            .set(self)
+            .execute(&**conn)
+            .map_res("Error adding user to organization")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
         User::update_uuid_revision(&self.user_uuid, conn);
 

src/db/models/two_factor.rs

@@ -1,8 +1,15 @@
+use diesel;
+use diesel::prelude::*;
 use serde_json::Value;
 
+use crate::api::EmptyResult;
+use crate::db::schema::twofactor;
+use crate::db::DbConn;
+use crate::error::MapResult;
+
 use super::User;
 
-#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
 #[table_name = "twofactor"]
 #[belongs_to(User, foreign_key = "user_uuid")]
 #[primary_key(uuid)]
@@ -12,6 +19,7 @@ pub struct TwoFactor {
     pub atype: i32,
     pub enabled: bool,
     pub data: String,
+    pub last_used: i32,
 }
 
 #[allow(dead_code)]
@@ -28,6 +36,7 @@ pub enum TwoFactorType {
     // These are implementation details
     U2fRegisterChallenge = 1000,
     U2fLoginChallenge = 1001,
+    EmailVerificationChallenge = 1002,
 }
 
 /// Local methods
@@ -39,6 +48,7 @@ impl TwoFactor {
             atype: atype as i32,
             enabled: true,
             data,
+            last_used: 0,
         }
     }
 
@@ -59,16 +69,20 @@ impl TwoFactor {
     }
 }
 
-use crate::db::schema::twofactor;
-use crate::db::DbConn;
-use diesel;
-use diesel::prelude::*;
-
-use crate::api::EmptyResult;
-use crate::error::MapResult;
-
 /// Database methods
 impl TwoFactor {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        diesel::insert_into(twofactor::table)
+            .values(self)
+            .on_conflict(twofactor::uuid)
+            .do_update()
+            .set(self)
+            .execute(&**conn)
+            .map_res("Error saving twofactor")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
         diesel::replace_into(twofactor::table)
             .values(self)

src/db/models/user.rs

@@ -4,15 +4,20 @@ use serde_json::Value;
 use crate::crypto;
 use crate::CONFIG;
 
-#[derive(Debug, Identifiable, Queryable, Insertable)]
+#[derive(Debug, Identifiable, Queryable, Insertable, AsChangeset)]
 #[table_name = "users"]
 #[primary_key(uuid)]
 pub struct User {
     pub uuid: String,
     pub created_at: NaiveDateTime,
     pub updated_at: NaiveDateTime,
+    pub verified_at: Option<NaiveDateTime>,
+    pub last_verifying_at: Option<NaiveDateTime>,
+    pub login_verify_count: i32,
 
     pub email: String,
+    pub email_new: Option<String>,
+    pub email_new_token: Option<String>,
     pub name: String,
 
     pub password_hash: Vec<u8>,
@@ -46,7 +51,7 @@ enum UserStatus {
 /// Local methods
 impl User {
     pub const CLIENT_KDF_TYPE_DEFAULT: i32 = 0; // PBKDF2: 0
-    pub const CLIENT_KDF_ITER_DEFAULT: i32 = 5_000;
+    pub const CLIENT_KDF_ITER_DEFAULT: i32 = 100_000;
 
     pub fn new(mail: String) -> Self {
         let now = Utc::now().naive_utc();
@@ -56,9 +61,14 @@ impl User {
             uuid: crate::util::get_uuid(),
             created_at: now,
             updated_at: now,
+            verified_at: None,
+            last_verifying_at: None,
+            login_verify_count: 0,
             name: email.clone(),
             email,
             akey: String::new(),
+            email_new: None,
+            email_new_token: None,
 
             password_hash: Vec::new(),
             salt: crypto::get_random_64(),
@@ -135,7 +145,7 @@ impl User {
             "Id": self.uuid,
             "Name": self.name,
             "Email": self.email,
-            "EmailVerified": true,
+            "EmailVerified": !CONFIG.mail_enabled() || self.verified_at.is_some(),
             "Premium": true,
             "MasterPasswordHint": self.password_hint,
             "Culture": "en-US",
@@ -148,6 +158,24 @@ impl User {
         })
     }
 
+    #[cfg(feature = "postgresql")]
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
+        if self.email.trim().is_empty() {
+            err!("User email can't be empty")
+        }
+
+        self.updated_at = Utc::now().naive_utc();
+
+        diesel::insert_into(users::table) // Insert or update
+            .values(&*self)
+            .on_conflict(users::uuid)
+            .do_update()
+            .set(&*self)
+            .execute(&**conn)
+            .map_res("Error saving user")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
         if self.email.trim().is_empty() {
             err!("User email can't be empty")
@@ -250,6 +278,21 @@ impl Invitation {
         Self { email }
     }
 
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        if self.email.trim().is_empty() {
+            err!("Invitation email can't be empty")
+        }
+
+        diesel::insert_into(invitations::table)
+            .values(self)
+            .on_conflict(invitations::email)
+            .do_nothing()
+            .execute(&**conn)
+            .map_res("Error saving invitation")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
         if self.email.trim().is_empty() {
             err!("Invitation email can't be empty")

src/db/schemas/mysql/schema.rs

@@ -92,6 +92,7 @@ table! {
         atype -> Integer,
         enabled -> Bool,
         data -> Text,
+        last_used -> Integer,
     }
 }
 
@@ -100,7 +101,12 @@ table! {
         uuid -> Varchar,
         created_at -> Datetime,
         updated_at -> Datetime,
+        verified_at -> Nullable<Datetime>,
+        last_verifying_at -> Nullable<Datetime>,
+        login_verify_count -> Integer,
         email -> Varchar,
+        email_new -> Nullable<Varchar>,
+        email_new_token -> Nullable<Varchar>,
         name -> Text,
         password_hash -> Blob,
         salt -> Blob,

src/db/schemas/postgresql/schema.rs

@@ -0,0 +1,178 @@
+table! {
+    attachments (id) {
+        id -> Text,
+        cipher_uuid -> Text,
+        file_name -> Text,
+        file_size -> Integer,
+        akey -> Nullable<Text>,
+    }
+}
+
+table! {
+    ciphers (uuid) {
+        uuid -> Text,
+        created_at -> Timestamp,
+        updated_at -> Timestamp,
+        user_uuid -> Nullable<Text>,
+        organization_uuid -> Nullable<Text>,
+        atype -> Integer,
+        name -> Text,
+        notes -> Nullable<Text>,
+        fields -> Nullable<Text>,
+        data -> Text,
+        favorite -> Bool,
+        password_history -> Nullable<Text>,
+    }
+}
+
+table! {
+    ciphers_collections (cipher_uuid, collection_uuid) {
+        cipher_uuid -> Text,
+        collection_uuid -> Text,
+    }
+}
+
+table! {
+    collections (uuid) {
+        uuid -> Text,
+        org_uuid -> Text,
+        name -> Text,
+    }
+}
+
+table! {
+    devices (uuid) {
+        uuid -> Text,
+        created_at -> Timestamp,
+        updated_at -> Timestamp,
+        user_uuid -> Text,
+        name -> Text,
+        atype -> Integer,
+        push_token -> Nullable<Text>,
+        refresh_token -> Text,
+        twofactor_remember -> Nullable<Text>,
+    }
+}
+
+table! {
+    folders (uuid) {
+        uuid -> Text,
+        created_at -> Timestamp,
+        updated_at -> Timestamp,
+        user_uuid -> Text,
+        name -> Text,
+    }
+}
+
+table! {
+    folders_ciphers (cipher_uuid, folder_uuid) {
+        cipher_uuid -> Text,
+        folder_uuid -> Text,
+    }
+}
+
+table! {
+    invitations (email) {
+        email -> Text,
+    }
+}
+
+table! {
+    organizations (uuid) {
+        uuid -> Text,
+        name -> Text,
+        billing_email -> Text,
+    }
+}
+
+table! {
+    twofactor (uuid) {
+        uuid -> Text,
+        user_uuid -> Text,
+        atype -> Integer,
+        enabled -> Bool,
+        data -> Text,
+        last_used -> Integer,
+    }
+}
+
+table! {
+    users (uuid) {
+        uuid -> Text,
+        created_at -> Timestamp,
+        updated_at -> Timestamp,
+        verified_at -> Nullable<Timestamp>,
+        last_verifying_at -> Nullable<Timestamp>,
+        login_verify_count -> Integer,
+        email -> Text,
+        email_new -> Nullable<Text>,
+        email_new_token -> Nullable<Text>,
+        name -> Text,
+        password_hash -> Binary,
+        salt -> Binary,
+        password_iterations -> Integer,
+        password_hint -> Nullable<Text>,
+        akey -> Text,
+        private_key -> Nullable<Text>,
+        public_key -> Nullable<Text>,
+        totp_secret -> Nullable<Text>,
+        totp_recover -> Nullable<Text>,
+        security_stamp -> Text,
+        equivalent_domains -> Text,
+        excluded_globals -> Text,
+        client_kdf_type -> Integer,
+        client_kdf_iter -> Integer,
+    }
+}
+
+table! {
+    users_collections (user_uuid, collection_uuid) {
+        user_uuid -> Text,
+        collection_uuid -> Text,
+        read_only -> Bool,
+    }
+}
+
+table! {
+    users_organizations (uuid) {
+        uuid -> Text,
+        user_uuid -> Text,
+        org_uuid -> Text,
+        access_all -> Bool,
+        akey -> Text,
+        status -> Integer,
+        atype -> Integer,
+    }
+}
+
+joinable!(attachments -> ciphers (cipher_uuid));
+joinable!(ciphers -> organizations (organization_uuid));
+joinable!(ciphers -> users (user_uuid));
+joinable!(ciphers_collections -> ciphers (cipher_uuid));
+joinable!(ciphers_collections -> collections (collection_uuid));
+joinable!(collections -> organizations (org_uuid));
+joinable!(devices -> users (user_uuid));
+joinable!(folders -> users (user_uuid));
+joinable!(folders_ciphers -> ciphers (cipher_uuid));
+joinable!(folders_ciphers -> folders (folder_uuid));
+joinable!(twofactor -> users (user_uuid));
+joinable!(users_collections -> collections (collection_uuid));
+joinable!(users_collections -> users (user_uuid));
+joinable!(users_organizations -> organizations (org_uuid));
+joinable!(users_organizations -> users (user_uuid));
+
+allow_tables_to_appear_in_same_query!(
+    attachments,
+    ciphers,
+    ciphers_collections,
+    collections,
+    devices,
+    folders,
+    folders_ciphers,
+    invitations,
+    organizations,
+    twofactor,
+    users,
+    users_collections,
+    users_organizations,
+);

src/db/schemas/sqlite/schema.rs

@@ -92,6 +92,7 @@ table! {
         atype -> Integer,
         enabled -> Bool,
         data -> Text,
+        last_used -> Integer,
     }
 }
 
@@ -100,7 +101,12 @@ table! {
         uuid -> Text,
         created_at -> Timestamp,
         updated_at -> Timestamp,
+        verified_at -> Nullable<Timestamp>,
+        last_verifying_at -> Nullable<Timestamp>,
+        login_verify_count -> Integer,
         email -> Text,
+        email_new -> Nullable<Text>,
+        email_new_token -> Nullable<Text>,
         name -> Text,
         password_hash -> Binary,
         salt -> Binary,

src/error.rs

@@ -86,7 +86,18 @@ impl std::fmt::Debug for Error {
     fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
         match self.source() {
             Some(e) => write!(f, "{}.\n[CAUSE] {:#?}", self.message, e),
-            None => write!(f, "{}. {}", self.message, self.error),
+            None => match self.error {
+                ErrorKind::EmptyError(_) => Ok(()),
+                ErrorKind::SimpleError(ref s) => {
+                    if &self.message == s {
+                        write!(f, "{}", self.message)
+                    } else {
+                        write!(f, "{}. {}", self.message, s)
+                    }
+                }
+                ErrorKind::JsonError(_) => write!(f, "{}", self.message),
+                _ => unreachable!(),
+            },
         }
     }
 }
@@ -170,15 +181,17 @@ use rocket::response::{self, Responder, Response};
 
 impl<'r> Responder<'r> for Error {
     fn respond_to(self, _: &Request) -> response::Result<'r> {
-        let usr_msg = format!("{}", self);
-        error!("{:#?}", self);
+        match self.error {
+            ErrorKind::EmptyError(_) => {} // Don't print the error in this situation
+            _ => error!(target: "error", "{:#?}", self),
+        };
 
         let code = Status::from_code(self.error_code).unwrap_or(Status::BadRequest);
 
         Response::build()
             .status(code)
             .header(ContentType::JSON)
-            .sized_body(Cursor::new(usr_msg))
+            .sized_body(Cursor::new(format!("{}", self)))
             .ok()
     }
 }
@@ -198,19 +211,19 @@ macro_rules! err {
 
 #[macro_export]
 macro_rules! err_json {
-    ($expr:expr) => {{
-        return Err(crate::error::Error::from($expr));
+    ($expr:expr, $log_value:expr) => {{
+        return Err(($log_value, $expr).into());
     }};
 }
 
 #[macro_export]
 macro_rules! err_handler {
     ($expr:expr) => {{
-        error!("Unauthorized Error: {}", $expr);
+        error!(target: "auth", "Unauthorized Error: {}", $expr);
         return rocket::Outcome::Failure((rocket::http::Status::Unauthorized, $expr));
     }};
     ($usr_msg:expr, $log_value:expr) => {{
-        error!("Unauthorized Error: {}. {}", $usr_msg, $log_value);
+        error!(target: "auth", "Unauthorized Error: {}. {}", $usr_msg, $log_value);
         return rocket::Outcome::Failure((rocket::http::Status::Unauthorized, $usr_msg));
     }};
 }

src/mail.rs

@@ -8,7 +8,7 @@ use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 use quoted_printable::encode_to_str;
 
 use crate::api::EmptyResult;
-use crate::auth::{encode_jwt, generate_invite_claims};
+use crate::auth::{encode_jwt, generate_delete_claims, generate_invite_claims, generate_verify_email_claims};
 use crate::error::Error;
 use crate::CONFIG;
 use chrono::NaiveDateTime;
@@ -33,6 +33,8 @@ fn mailer() -> SmtpTransport {
         ClientSecurity::None
     };
 
+    use std::time::Duration;
+
     let smtp_client = SmtpClient::new((host.as_str(), CONFIG.smtp_port()), client_security).unwrap();
 
     let smtp_client = match (&CONFIG.smtp_username(), &CONFIG.smtp_password()) {
@@ -45,14 +47,15 @@ fn mailer() -> SmtpTransport {
             let auth_mechanism = serde_json::from_str::<SmtpAuthMechanism>(&auth_mechanism_json);
             match auth_mechanism {
                 Ok(auth_mechanism) => smtp_client.authentication_mechanism(auth_mechanism),
-                Err(_) => panic!("Failure to parse mechanism. Is it proper Json? Eg. `\"Plain\"` not `Plain`"),
+                _ => panic!("Failure to parse mechanism. Is it proper Json? Eg. `\"Plain\"` not `Plain`"),
             }
-        },
+        }
         _ => smtp_client,
     };
 
     smtp_client
         .smtp_utf8(true)
+        .timeout(Some(Duration::from_secs(CONFIG.smtp_timeout())))
         .connection_reuse(ConnectionReuseParameters::NoReuse)
         .transport()
 }
@@ -92,6 +95,67 @@ pub fn send_password_hint(address: &str, hint: Option<String>) -> EmptyResult {
     send_email(&address, &subject, &body_html, &body_text)
 }
 
+pub fn send_delete_account(address: &str, uuid: &str) -> EmptyResult {
+    let claims = generate_delete_claims(uuid.to_string());
+    let delete_token = encode_jwt(&claims);
+
+    let (subject, body_html, body_text) = get_text(
+        "email/delete_account",
+        json!({
+            "url": CONFIG.domain(),
+            "user_id": uuid,
+            "email": percent_encode(address.as_bytes(), NON_ALPHANUMERIC).to_string(),
+            "token": delete_token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_verify_email(address: &str, uuid: &str) -> EmptyResult {
+    let claims = generate_verify_email_claims(uuid.to_string());
+    let verify_email_token = encode_jwt(&claims);
+
+    let (subject, body_html, body_text) = get_text(
+        "email/verify_email",
+        json!({
+            "url": CONFIG.domain(),
+            "user_id": uuid,
+            "email": percent_encode(address.as_bytes(), NON_ALPHANUMERIC).to_string(),
+            "token": verify_email_token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_welcome(address: &str) -> EmptyResult {
+    let (subject, body_html, body_text) = get_text(
+        "email/welcome",
+        json!({
+            "url": CONFIG.domain(),
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_welcome_must_verify(address: &str, uuid: &str) -> EmptyResult {
+    let claims = generate_verify_email_claims(uuid.to_string());
+    let verify_email_token = encode_jwt(&claims);
+
+    let (subject, body_html, body_text) = get_text(
+        "email/welcome_must_verify",
+        json!({
+            "url": CONFIG.domain(),
+            "user_id": uuid,
+            "token": verify_email_token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
 pub fn send_invite(
     address: &str,
     uuid: &str,
@@ -105,7 +169,7 @@ pub fn send_invite(
         String::from(address),
         org_id.clone(),
         org_user_id.clone(),
-        invited_by_email.clone(),
+        invited_by_email,
     );
     let invite_token = encode_jwt(&claims);
 
@@ -168,6 +232,30 @@ pub fn send_new_device_logged_in(address: &str, ip: &str, dt: &NaiveDateTime, de
     send_email(&address, &subject, &body_html, &body_text)
 }
 
+pub fn send_token(address: &str, token: &str) -> EmptyResult {
+    let (subject, body_html, body_text) = get_text(
+        "email/twofactor_email",
+        json!({
+            "url": CONFIG.domain(),
+            "token": token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_change_email(address: &str, token: &str) -> EmptyResult {
+    let (subject, body_html, body_text) = get_text(
+        "email/change_email",
+        json!({
+            "url": CONFIG.domain(),
+            "token": token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
 fn send_email(address: &str, subject: &str, body_html: &str, body_text: &str) -> EmptyResult {
     let html = PartBuilder::new()
         .body(encode_to_str(body_html))

src/main.rs

@@ -1,6 +1,8 @@
-#![feature(proc_macro_hygiene, decl_macro, vec_remove_item, try_trait)]
+#![feature(proc_macro_hygiene, vec_remove_item, try_trait, ip)]
 #![recursion_limit = "256"]
 
+#[cfg(feature = "openssl")]
+extern crate openssl;
 #[macro_use]
 extern crate rocket;
 #[macro_use]
@@ -21,8 +23,10 @@ extern crate derive_more;
 extern crate num_derive;
 
 use std::{
+    fs::create_dir_all,
     path::Path,
     process::{exit, Command},
+    str::FromStr,
 };
 
 #[macro_use]
@@ -41,16 +45,23 @@ pub use error::{Error, MapResult};
 fn main() {
     launch_info();
 
-    if CONFIG.extended_logging() {
-        init_logging().ok();
-    }
+    use log::LevelFilter as LF;
+    let level = LF::from_str(&CONFIG.log_level()).expect("Valid log level");
+    init_logging(level).ok();
+
+    let extra_debug = match level {
+        LF::Trace | LF::Debug => true,
+        _ => false,
+    };
 
     check_db();
     check_rsa_keys();
     check_web_vault();
     migrations::run_migrations();
 
-    launch_rocket();
+    create_icon_cache_folder();
+
+    launch_rocket(extra_debug);
 }
 
 fn launch_info() {
@@ -68,10 +79,23 @@ fn launch_info() {
     println!("\\--------------------------------------------------------------------/\n");
 }
 
-fn init_logging() -> Result<(), fern::InitError> {
-    use std::str::FromStr;
+fn init_logging(level: log::LevelFilter) -> Result<(), fern::InitError> {
     let mut logger = fern::Dispatch::new()
-        .format(|out, message, record| {
+        .level(level)
+        // Hide unknown certificate errors if using self-signed
+        .level_for("rustls::session", log::LevelFilter::Off)
+        // Hide failed to close stream messages
+        .level_for("hyper::server", log::LevelFilter::Warn)
+        // Silence rocket logs
+        .level_for("_", log::LevelFilter::Off)
+        .level_for("launch", log::LevelFilter::Off)
+        .level_for("launch_", log::LevelFilter::Off)
+        .level_for("rocket::rocket", log::LevelFilter::Off)
+        .level_for("rocket::fairing", log::LevelFilter::Off)
+        .chain(std::io::stdout());
+
+    if CONFIG.extended_logging() {
+        logger = logger.format(|out, message, record| {
             out.finish(format_args!(
                 "{}[{}][{}] {}",
                 chrono::Local::now().format("[%Y-%m-%d %H:%M:%S]"),
@@ -79,13 +103,10 @@ fn init_logging() -> Result<(), fern::InitError> {
                 record.level(),
                 message
             ))
-        })
-        .level(log::LevelFilter::from_str(&CONFIG.log_level()).expect("Valid log level"))
-        // Hide unknown certificate errors if using self-signed
-        .level_for("rustls::session", log::LevelFilter::Off)
-        // Hide failed to close stream messages
-        .level_for("hyper::server", log::LevelFilter::Warn)
-        .chain(std::io::stdout());
+        });
+    } else {
+        logger = logger.format(|out, message, _| out.finish(format_args!("{}", message)));
+    }
 
     if let Some(log_file) = CONFIG.log_file() {
         logger = logger.chain(fern::log_file(log_file)?);
@@ -127,8 +148,7 @@ fn check_db() {
         let path = Path::new(&url);
 
         if let Some(parent) = path.parent() {
-            use std::fs;
-            if fs::create_dir_all(parent).is_err() {
+            if create_dir_all(parent).is_err() {
                 error!("Error creating database directory");
                 exit(1);
             }
@@ -137,7 +157,7 @@ fn check_db() {
         // Turn on WAL in SQLite
         if CONFIG.enable_db_wal() {
             use diesel::RunQueryDsl;
-            let connection = db::get_connection().expect("Can't conect to DB");
+            let connection = db::get_connection().expect("Can't connect to DB");
             diesel::sql_query("PRAGMA journal_mode=wal")
                 .execute(&connection)
                 .expect("Failed to turn on WAL");
@@ -146,6 +166,11 @@ fn check_db() {
     db::get_connection().expect("Can't connect to DB");
 }
 
+fn create_icon_cache_folder() {
+    // Try to create the icon cache folder, and generate an error if it could not.
+    create_dir_all(&CONFIG.icon_cache_folder()).expect("Error creating icon cache directory");
+}
+
 fn check_rsa_keys() {
     // If the RSA keys don't exist, try to create them
     if !util::file_exists(&CONFIG.private_rsa_key()) || !util::file_exists(&CONFIG.public_rsa_key()) {
@@ -200,7 +225,9 @@ fn check_web_vault() {
     let index_path = Path::new(&CONFIG.web_vault_folder()).join("index.html");
 
     if !index_path.exists() {
-        error!("Web vault is not found. To install it, please follow the steps in https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary#install-the-web-vault");
+        error!("Web vault is not found. To install it, please follow the steps in: ");
+        error!("https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary#install-the-web-vault");
+        error!("You can also set the environment variable 'WEB_VAULT_ENABLED=false' to disable it");
         exit(1);
     }
 }
@@ -215,6 +242,8 @@ mod migrations {
     embed_migrations!("migrations/sqlite");
     #[cfg(feature = "mysql")]
     embed_migrations!("migrations/mysql");
+    #[cfg(feature = "postgresql")]
+    embed_migrations!("migrations/postgresql");
 
     pub fn run_migrations() {
         // Make sure the database is up to date (create if it doesn't exist, or run the migrations)
@@ -225,32 +254,24 @@ mod migrations {
     }
 }
 
-fn launch_rocket() {
+fn launch_rocket(extra_debug: bool) {
     // Create Rocket object, this stores current log level and sets it's own
     let rocket = rocket::ignite();
 
-    // If we aren't logging the mounts, we force the logging level down
-    if !CONFIG.log_mounts() {
-        log::set_max_level(log::LevelFilter::Warn);
-    }
-
+    // If addding more base paths here, consider also adding them to
+    // crate::utils::LOGGED_ROUTES to make sure they appear in the log
     let rocket = rocket
         .mount("/", api::web_routes())
         .mount("/api", api::core_routes())
         .mount("/admin", api::admin_routes())
         .mount("/identity", api::identity_routes())
         .mount("/icons", api::icons_routes())
-        .mount("/notifications", api::notifications_routes());
-
-    // Force the level up for the fairings, managed state and lauch
-    if !CONFIG.log_mounts() {
-        log::set_max_level(log::LevelFilter::max());
-    }
-
-    let rocket = rocket
+        .mount("/notifications", api::notifications_routes())
         .manage(db::init_pool())
         .manage(api::start_notification_server())
-        .attach(util::AppHeaders());
+        .attach(util::AppHeaders())
+        .attach(util::CORS())
+        .attach(util::BetterLogging(extra_debug));
 
     // Launch and print error if there is one
     // The launch will restore the original logging level

src/static/global_domains.json

@@ -39,7 +39,8 @@
     "Type": 1,
     "Domains": [
       "apple.com",
-      "icloud.com"
+      "icloud.com",
+      "tv.apple.com"
     ],
     "Excluded": false
   },
@@ -106,7 +107,8 @@
       "windows.com",
       "microsoftonline.com",
       "office365.com",
-      "microsoftstore.com"
+      "microsoftstore.com",
+      "xbox.com"
     ],
     "Excluded": false
   },
@@ -760,7 +762,17 @@
       "superuser.com",
       "stackoverflow.com",
       "serverfault.com",
-      "mathoverflow.net"
+      "mathoverflow.net",
+      "askubuntu.com"
+    ],
+    "Excluded": false
+  },
+  {
+    "Type": 75,
+    "Domains": [
+      "netcup.de",
+      "netcup.eu",
+      "customercontrolpanel.de"
     ],
     "Excluded": false
   }

src/static/scripts/identicon.js

@@ -0,0 +1,205 @@
+/**
+ * Identicon.js 2.3.3
+ * http://github.com/stewartlord/identicon.js
+ *
+ * PNGLib required for PNG output
+ * http://www.xarg.org/download/pnglib.js
+ *
+ * Copyright 2018, Stewart Lord
+ * Released under the BSD license
+ * http://www.opensource.org/licenses/bsd-license.php
+ */
+
+(function() {
+    var PNGlib;
+    if (typeof module !== 'undefined' && typeof module.exports !== 'undefined') {
+        PNGlib = require('./pnglib');
+    } else {
+        PNGlib = window.PNGlib;
+    }
+
+    var Identicon = function(hash, options){
+        if (typeof(hash) !== 'string' || hash.length < 15) {
+            throw 'A hash of at least 15 characters is required.';
+        }
+
+        this.defaults = {
+            background: [240, 240, 240, 255],
+            margin:     0.08,
+            size:       64,
+            saturation: 0.7,
+            brightness: 0.5,
+            format:     'png'
+        };
+
+        this.options = typeof(options) === 'object' ? options : this.defaults;
+
+        // backward compatibility with old constructor (hash, size, margin)
+        if (typeof(arguments[1]) === 'number') { this.options.size   = arguments[1]; }
+        if (arguments[2])                      { this.options.margin = arguments[2]; }
+
+        this.hash        = hash
+        this.background  = this.options.background || this.defaults.background;
+        this.size        = this.options.size       || this.defaults.size;
+        this.format      = this.options.format     || this.defaults.format;
+        this.margin      = this.options.margin !== undefined ? this.options.margin : this.defaults.margin;
+
+        // foreground defaults to last 7 chars as hue at 70% saturation, 50% brightness
+        var hue          = parseInt(this.hash.substr(-7), 16) / 0xfffffff;
+        var saturation   = this.options.saturation || this.defaults.saturation;
+        var brightness   = this.options.brightness || this.defaults.brightness;
+        this.foreground  = this.options.foreground || this.hsl2rgb(hue, saturation, brightness);
+    };
+
+    Identicon.prototype = {
+        background: null,
+        foreground: null,
+        hash:       null,
+        margin:     null,
+        size:       null,
+        format:     null,
+
+        image: function(){
+            return this.isSvg()
+                ? new Svg(this.size, this.foreground, this.background)
+                : new PNGlib(this.size, this.size, 256);
+        },
+
+        render: function(){
+            var image      = this.image(),
+                size       = this.size,
+                baseMargin = Math.floor(size * this.margin),
+                cell       = Math.floor((size - (baseMargin * 2)) / 5),
+                margin     = Math.floor((size - cell * 5) / 2),
+                bg         = image.color.apply(image, this.background),
+                fg         = image.color.apply(image, this.foreground);
+
+            // the first 15 characters of the hash control the pixels (even/odd)
+            // they are drawn down the middle first, then mirrored outwards
+            var i, color;
+            for (i = 0; i < 15; i++) {
+                color = parseInt(this.hash.charAt(i), 16) % 2 ? bg : fg;
+                if (i < 5) {
+                    this.rectangle(2 * cell + margin, i * cell + margin, cell, cell, color, image);
+                } else if (i < 10) {
+                    this.rectangle(1 * cell + margin, (i - 5) * cell + margin, cell, cell, color, image);
+                    this.rectangle(3 * cell + margin, (i - 5) * cell + margin, cell, cell, color, image);
+                } else if (i < 15) {
+                    this.rectangle(0 * cell + margin, (i - 10) * cell + margin, cell, cell, color, image);
+                    this.rectangle(4 * cell + margin, (i - 10) * cell + margin, cell, cell, color, image);
+                }
+            }
+
+            return image;
+        },
+
+        rectangle: function(x, y, w, h, color, image){
+            if (this.isSvg()) {
+                image.rectangles.push({x: x, y: y, w: w, h: h, color: color});
+            } else {
+                var i, j;
+                for (i = x; i < x + w; i++) {
+                    for (j = y; j < y + h; j++) {
+                        image.buffer[image.index(i, j)] = color;
+                    }
+                }
+            }
+        },
+
+        // adapted from: https://gist.github.com/aemkei/1325937
+        hsl2rgb: function(h, s, b){
+            h *= 6;
+            s = [
+                b += s *= b < .5 ? b : 1 - b,
+                b - h % 1 * s * 2,
+                b -= s *= 2,
+                b,
+                b + h % 1 * s,
+                b + s
+            ];
+
+            return[
+                s[ ~~h    % 6 ] * 255, // red
+                s[ (h|16) % 6 ] * 255, // green
+                s[ (h|8)  % 6 ] * 255  // blue
+            ];
+        },
+
+        toString: function(raw){
+            // backward compatibility with old toString, default to base64
+            if (raw) {
+                return this.render().getDump();
+            } else {
+                return this.render().getBase64();
+            }
+        },
+
+        isSvg: function(){
+            return this.format.match(/svg/i)
+        }
+    };
+
+    var Svg = function(size, foreground, background){
+        this.size       = size;
+        this.foreground = this.color.apply(this, foreground);
+        this.background = this.color.apply(this, background);
+        this.rectangles = [];
+    };
+
+    Svg.prototype = {
+        size:       null,
+        foreground: null,
+        background: null,
+        rectangles: null,
+
+        color: function(r, g, b, a){
+            var values = [r, g, b].map(Math.round);
+            values.push((a >= 0) && (a <= 255) ? a/255 : 1);
+            return 'rgba(' + values.join(',') + ')';
+        },
+
+        getDump: function(){
+          var i,
+                xml,
+                rect,
+                fg     = this.foreground,
+                bg     = this.background,
+                stroke = this.size * 0.005;
+
+            xml = "<svg xmlns='http://www.w3.org/2000/svg'"
+                + " width='" + this.size + "' height='" + this.size + "'"
+                + " style='background-color:" + bg + ";'>"
+                + "<g style='fill:" + fg + "; stroke:" + fg + "; stroke-width:" + stroke + ";'>";
+
+            for (i = 0; i < this.rectangles.length; i++) {
+                rect = this.rectangles[i];
+                if (rect.color == bg) continue;
+                xml += "<rect "
+                    + " x='"      + rect.x + "'"
+                    + " y='"      + rect.y + "'"
+                    + " width='"  + rect.w + "'"
+                    + " height='" + rect.h + "'"
+                    + "/>";
+            }
+            xml += "</g></svg>"
+
+            return xml;
+        },
+
+        getBase64: function(){
+            if ('function' === typeof btoa) {
+                return btoa(this.getDump());
+            } else if (Buffer) {
+                return new Buffer(this.getDump(), 'binary').toString('base64');
+            } else {
+                throw 'Cannot generate base64 output';
+            }
+        }
+    };
+
+    if (typeof module !== 'undefined' && typeof module.exports !== 'undefined') {
+        module.exports = Identicon;
+    } else {
+        window.Identicon = Identicon;
+    }
+})();

src/static/scripts/md5.js

@@ -0,0 +1,402 @@
+/*
+ * JavaScript MD5
+ * https://github.com/blueimp/JavaScript-MD5
+ *
+ * Copyright 2011, Sebastian Tschan
+ * https://blueimp.net
+ *
+ * Licensed under the MIT license:
+ * https://opensource.org/licenses/MIT
+ *
+ * Based on
+ * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
+ * Digest Algorithm, as defined in RFC 1321.
+ * Version 2.2 Copyright (C) Paul Johnston 1999 - 2009
+ * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
+ * Distributed under the BSD License
+ * See http://pajhome.org.uk/crypt/md5 for more info.
+ */
+
+/* global define */
+
+/* eslint-disable strict */
+
+;(function($) {
+  'use strict'
+
+  /**
+   * Add integers, wrapping at 2^32.
+   * This uses 16-bit operations internally to work around bugs in interpreters.
+   *
+   * @param {number} x First integer
+   * @param {number} y Second integer
+   * @returns {number} Sum
+   */
+  function safeAdd(x, y) {
+    var lsw = (x & 0xffff) + (y & 0xffff)
+    var msw = (x >> 16) + (y >> 16) + (lsw >> 16)
+    return (msw << 16) | (lsw & 0xffff)
+  }
+
+  /**
+   * Bitwise rotate a 32-bit number to the left.
+   *
+   * @param {number} num 32-bit number
+   * @param {number} cnt Rotation count
+   * @returns {number} Rotated number
+   */
+  function bitRotateLeft(num, cnt) {
+    return (num << cnt) | (num >>> (32 - cnt))
+  }
+
+  /**
+   * Basic operation the algorithm uses.
+   *
+   * @param {number} q q
+   * @param {number} a a
+   * @param {number} b b
+   * @param {number} x x
+   * @param {number} s s
+   * @param {number} t t
+   * @returns {number} Result
+   */
+  function md5cmn(q, a, b, x, s, t) {
+    return safeAdd(bitRotateLeft(safeAdd(safeAdd(a, q), safeAdd(x, t)), s), b)
+  }
+  /**
+   * Basic operation the algorithm uses.
+   *
+   * @param {number} a a
+   * @param {number} b b
+   * @param {number} c c
+   * @param {number} d d
+   * @param {number} x x
+   * @param {number} s s
+   * @param {number} t t
+   * @returns {number} Result
+   */
+  function md5ff(a, b, c, d, x, s, t) {
+    return md5cmn((b & c) | (~b & d), a, b, x, s, t)
+  }
+  /**
+   * Basic operation the algorithm uses.
+   *
+   * @param {number} a a
+   * @param {number} b b
+   * @param {number} c c
+   * @param {number} d d
+   * @param {number} x x
+   * @param {number} s s
+   * @param {number} t t
+   * @returns {number} Result
+   */
+  function md5gg(a, b, c, d, x, s, t) {
+    return md5cmn((b & d) | (c & ~d), a, b, x, s, t)
+  }
+  /**
+   * Basic operation the algorithm uses.
+   *
+   * @param {number} a a
+   * @param {number} b b
+   * @param {number} c c
+   * @param {number} d d
+   * @param {number} x x
+   * @param {number} s s
+   * @param {number} t t
+   * @returns {number} Result
+   */
+  function md5hh(a, b, c, d, x, s, t) {
+    return md5cmn(b ^ c ^ d, a, b, x, s, t)
+  }
+  /**
+   * Basic operation the algorithm uses.
+   *
+   * @param {number} a a
+   * @param {number} b b
+   * @param {number} c c
+   * @param {number} d d
+   * @param {number} x x
+   * @param {number} s s
+   * @param {number} t t
+   * @returns {number} Result
+   */
+  function md5ii(a, b, c, d, x, s, t) {
+    return md5cmn(c ^ (b | ~d), a, b, x, s, t)
+  }
+
+  /**
+   * Calculate the MD5 of an array of little-endian words, and a bit length.
+   *
+   * @param {Array} x Array of little-endian words
+   * @param {number} len Bit length
+   * @returns {Array<number>} MD5 Array
+   */
+  function binlMD5(x, len) {
+    /* append padding */
+    x[len >> 5] |= 0x80 << len % 32
+    x[(((len + 64) >>> 9) << 4) + 14] = len
+
+    var i
+    var olda
+    var oldb
+    var oldc
+    var oldd
+    var a = 1732584193
+    var b = -271733879
+    var c = -1732584194
+    var d = 271733878
+
+    for (i = 0; i < x.length; i += 16) {
+      olda = a
+      oldb = b
+      oldc = c
+      oldd = d
+
+      a = md5ff(a, b, c, d, x[i], 7, -680876936)
+      d = md5ff(d, a, b, c, x[i + 1], 12, -389564586)
+      c = md5ff(c, d, a, b, x[i + 2], 17, 606105819)
+      b = md5ff(b, c, d, a, x[i + 3], 22, -1044525330)
+      a = md5ff(a, b, c, d, x[i + 4], 7, -176418897)
+      d = md5ff(d, a, b, c, x[i + 5], 12, 1200080426)
+      c = md5ff(c, d, a, b, x[i + 6], 17, -1473231341)
+      b = md5ff(b, c, d, a, x[i + 7], 22, -45705983)
+      a = md5ff(a, b, c, d, x[i + 8], 7, 1770035416)
+      d = md5ff(d, a, b, c, x[i + 9], 12, -1958414417)
+      c = md5ff(c, d, a, b, x[i + 10], 17, -42063)
+      b = md5ff(b, c, d, a, x[i + 11], 22, -1990404162)
+      a = md5ff(a, b, c, d, x[i + 12], 7, 1804603682)
+      d = md5ff(d, a, b, c, x[i + 13], 12, -40341101)
+      c = md5ff(c, d, a, b, x[i + 14], 17, -1502002290)
+      b = md5ff(b, c, d, a, x[i + 15], 22, 1236535329)
+
+      a = md5gg(a, b, c, d, x[i + 1], 5, -165796510)
+      d = md5gg(d, a, b, c, x[i + 6], 9, -1069501632)
+      c = md5gg(c, d, a, b, x[i + 11], 14, 643717713)
+      b = md5gg(b, c, d, a, x[i], 20, -373897302)
+      a = md5gg(a, b, c, d, x[i + 5], 5, -701558691)
+      d = md5gg(d, a, b, c, x[i + 10], 9, 38016083)
+      c = md5gg(c, d, a, b, x[i + 15], 14, -660478335)
+      b = md5gg(b, c, d, a, x[i + 4], 20, -405537848)
+      a = md5gg(a, b, c, d, x[i + 9], 5, 568446438)
+      d = md5gg(d, a, b, c, x[i + 14], 9, -1019803690)
+      c = md5gg(c, d, a, b, x[i + 3], 14, -187363961)
+      b = md5gg(b, c, d, a, x[i + 8], 20, 1163531501)
+      a = md5gg(a, b, c, d, x[i + 13], 5, -1444681467)
+      d = md5gg(d, a, b, c, x[i + 2], 9, -51403784)
+      c = md5gg(c, d, a, b, x[i + 7], 14, 1735328473)
+      b = md5gg(b, c, d, a, x[i + 12], 20, -1926607734)
+
+      a = md5hh(a, b, c, d, x[i + 5], 4, -378558)
+      d = md5hh(d, a, b, c, x[i + 8], 11, -2022574463)
+      c = md5hh(c, d, a, b, x[i + 11], 16, 1839030562)
+      b = md5hh(b, c, d, a, x[i + 14], 23, -35309556)
+      a = md5hh(a, b, c, d, x[i + 1], 4, -1530992060)
+      d = md5hh(d, a, b, c, x[i + 4], 11, 1272893353)
+      c = md5hh(c, d, a, b, x[i + 7], 16, -155497632)
+      b = md5hh(b, c, d, a, x[i + 10], 23, -1094730640)
+      a = md5hh(a, b, c, d, x[i + 13], 4, 681279174)
+      d = md5hh(d, a, b, c, x[i], 11, -358537222)
+      c = md5hh(c, d, a, b, x[i + 3], 16, -722521979)
+      b = md5hh(b, c, d, a, x[i + 6], 23, 76029189)
+      a = md5hh(a, b, c, d, x[i + 9], 4, -640364487)
+      d = md5hh(d, a, b, c, x[i + 12], 11, -421815835)
+      c = md5hh(c, d, a, b, x[i + 15], 16, 530742520)
+      b = md5hh(b, c, d, a, x[i + 2], 23, -995338651)
+
+      a = md5ii(a, b, c, d, x[i], 6, -198630844)
+      d = md5ii(d, a, b, c, x[i + 7], 10, 1126891415)
+      c = md5ii(c, d, a, b, x[i + 14], 15, -1416354905)
+      b = md5ii(b, c, d, a, x[i + 5], 21, -57434055)
+      a = md5ii(a, b, c, d, x[i + 12], 6, 1700485571)
+      d = md5ii(d, a, b, c, x[i + 3], 10, -1894986606)
+      c = md5ii(c, d, a, b, x[i + 10], 15, -1051523)
+      b = md5ii(b, c, d, a, x[i + 1], 21, -2054922799)
+      a = md5ii(a, b, c, d, x[i + 8], 6, 1873313359)
+      d = md5ii(d, a, b, c, x[i + 15], 10, -30611744)
+      c = md5ii(c, d, a, b, x[i + 6], 15, -1560198380)
+      b = md5ii(b, c, d, a, x[i + 13], 21, 1309151649)
+      a = md5ii(a, b, c, d, x[i + 4], 6, -145523070)
+      d = md5ii(d, a, b, c, x[i + 11], 10, -1120210379)
+      c = md5ii(c, d, a, b, x[i + 2], 15, 718787259)
+      b = md5ii(b, c, d, a, x[i + 9], 21, -343485551)
+
+      a = safeAdd(a, olda)
+      b = safeAdd(b, oldb)
+      c = safeAdd(c, oldc)
+      d = safeAdd(d, oldd)
+    }
+    return [a, b, c, d]
+  }
+
+  /**
+   * Convert an array of little-endian words to a string
+   *
+   * @param {Array<number>} input MD5 Array
+   * @returns {string} MD5 string
+   */
+  function binl2rstr(input) {
+    var i
+    var output = ''
+    var length32 = input.length * 32
+    for (i = 0; i < length32; i += 8) {
+      output += String.fromCharCode((input[i >> 5] >>> i % 32) & 0xff)
+    }
+    return output
+  }
+
+  /**
+   * Convert a raw string to an array of little-endian words
+   * Characters >255 have their high-byte silently ignored.
+   *
+   * @param {string} input Raw input string
+   * @returns {Array<number>} Array of little-endian words
+   */
+  function rstr2binl(input) {
+    var i
+    var output = []
+    output[(input.length >> 2) - 1] = undefined
+    for (i = 0; i < output.length; i += 1) {
+      output[i] = 0
+    }
+    var length8 = input.length * 8
+    for (i = 0; i < length8; i += 8) {
+      output[i >> 5] |= (input.charCodeAt(i / 8) & 0xff) << i % 32
+    }
+    return output
+  }
+
+  /**
+   * Calculate the MD5 of a raw string
+   *
+   * @param {string} s Input string
+   * @returns {string} Raw MD5 string
+   */
+  function rstrMD5(s) {
+    return binl2rstr(binlMD5(rstr2binl(s), s.length * 8))
+  }
+
+  /**
+   * Calculates the HMAC-MD5 of a key and some data (raw strings)
+   *
+   * @param {string} key HMAC key
+   * @param {string} data Raw input string
+   * @returns {string} Raw MD5 string
+   */
+  function rstrHMACMD5(key, data) {
+    var i
+    var bkey = rstr2binl(key)
+    var ipad = []
+    var opad = []
+    var hash
+    ipad[15] = opad[15] = undefined
+    if (bkey.length > 16) {
+      bkey = binlMD5(bkey, key.length * 8)
+    }
+    for (i = 0; i < 16; i += 1) {
+      ipad[i] = bkey[i] ^ 0x36363636
+      opad[i] = bkey[i] ^ 0x5c5c5c5c
+    }
+    hash = binlMD5(ipad.concat(rstr2binl(data)), 512 + data.length * 8)
+    return binl2rstr(binlMD5(opad.concat(hash), 512 + 128))
+  }
+
+  /**
+   * Convert a raw string to a hex string
+   *
+   * @param {string} input Raw input string
+   * @returns {string} Hex encoded string
+   */
+  function rstr2hex(input) {
+    var hexTab = '0123456789abcdef'
+    var output = ''
+    var x
+    var i
+    for (i = 0; i < input.length; i += 1) {
+      x = input.charCodeAt(i)
+      output += hexTab.charAt((x >>> 4) & 0x0f) + hexTab.charAt(x & 0x0f)
+    }
+    return output
+  }
+
+  /**
+   * Encode a string as UTF-8
+   *
+   * @param {string} input Input string
+   * @returns {string} UTF8 string
+   */
+  function str2rstrUTF8(input) {
+    return unescape(encodeURIComponent(input))
+  }
+
+  /**
+   * Encodes input string as raw MD5 string
+   *
+   * @param {string} s Input string
+   * @returns {string} Raw MD5 string
+   */
+  function rawMD5(s) {
+    return rstrMD5(str2rstrUTF8(s))
+  }
+  /**
+   * Encodes input string as Hex encoded string
+   *
+   * @param {string} s Input string
+   * @returns {string} Hex encoded string
+   */
+  function hexMD5(s) {
+    return rstr2hex(rawMD5(s))
+  }
+  /**
+   * Calculates the raw HMAC-MD5 for the given key and data
+   *
+   * @param {string} k HMAC key
+   * @param {string} d Input string
+   * @returns {string} Raw MD5 string
+   */
+  function rawHMACMD5(k, d) {
+    return rstrHMACMD5(str2rstrUTF8(k), str2rstrUTF8(d))
+  }
+  /**
+   * Calculates the Hex encoded HMAC-MD5 for the given key and data
+   *
+   * @param {string} k HMAC key
+   * @param {string} d Input string
+   * @returns {string} Raw MD5 string
+   */
+  function hexHMACMD5(k, d) {
+    return rstr2hex(rawHMACMD5(k, d))
+  }
+
+  /**
+   * Calculates MD5 value for a given string.
+   * If a key is provided, calculates the HMAC-MD5 value.
+   * Returns a Hex encoded string unless the raw argument is given.
+   *
+   * @param {string} string Input string
+   * @param {string} [key] HMAC key
+   * @param {boolean} [raw] Raw output switch
+   * @returns {string} MD5 output
+   */
+  function md5(string, key, raw) {
+    if (!key) {
+      if (!raw) {
+        return hexMD5(string)
+      }
+      return rawMD5(string)
+    }
+    if (!raw) {
+      return hexHMACMD5(key, string)
+    }
+    return rawHMACMD5(key, string)
+  }
+
+  if (typeof define === 'function' && define.amd) {
+    define(function() {
+      return md5
+    })
+  } else if (typeof module === 'object' && module.exports) {
+    module.exports = md5
+  } else {
+    $.md5 = md5
+  }
+})(this)

src/static/templates/admin/base.hbs

@@ -6,16 +6,10 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <title>Bitwarden_rs Admin Panel</title>
 
-    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css"
-        integrity="sha256-YLGeXaapI0/5IgZopewRJcFXomhRMlYYjugPLSyNjTY=" crossorigin="anonymous" />
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"
-        integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/blueimp-md5/2.10.0/js/md5.min.js"
-        integrity="sha256-J9IhvkIJb0diRVJOyu+Ndtg41RibFkF8eaA60jdjtB8=" crossorigin="anonymous"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/identicon.js/2.3.3/identicon.min.js"
-        integrity="sha256-nYoL3nK/HA1e1pJvLwNPnpKuKG9q89VFX862r5aohmA=" crossorigin="anonymous"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.3.1/js/bootstrap.bundle.min.js"
-        integrity="sha256-fzFFyH01cBVPYzl16KT40wqjhgPtq6FFUB6ckN2+GGw=" crossorigin="anonymous"></script>
+    <link rel="stylesheet" href="/bwrs_static/bootstrap.css" />
+    <script src="/bwrs_static/bootstrap-native-v4.js"></script>
+    <script src="/bwrs_static/md5.js"></script>
+    <script src="/bwrs_static/identicon.js"></script>
     <style>
         body {
             padding-top: 70px;
@@ -39,7 +33,7 @@
 </head>
 
 <body class="bg-light">
-    <nav class="navbar navbar-expand-md navbar-dark bg-dark fixed-top shadow">
+    <nav class="navbar navbar-expand-sm navbar-dark bg-dark fixed-top shadow">
         <a class="navbar-brand" href="#">Bitwarden_rs</a>
         <div class="navbar-collapse">
             <ul class="navbar-nav">
@@ -51,9 +45,20 @@
                 </li>
             </ul>
         </div>
-        {{#if version}}
-        <div class="navbar-text">Version: {{version}}</div>
-        {{/if}}
+
+        <ul class="navbar-nav">
+            {{#if version}}
+            <li class="nav-item">
+                <span class="navbar-text mr-2">Version: {{version}}</span>
+            </li>
+            {{/if}}
+
+            {{#if logged_in}}
+            <li class="nav-item">
+                <a class="nav-link" href="/admin/logout">Log Out</a>
+            </li>
+            {{/if}}
+        </ul>
     </nav>
 
     {{> (page_content) }}

src/static/templates/admin/login.hbs

@@ -14,7 +14,7 @@
 
             <form class="form-inline" method="post">
                 <input type="password" class="form-control w-50 mr-2" name="token" placeholder="Enter admin token">
-                <button type="submit" class="btn btn-primary">Save</button>
+                <button type="submit" class="btn btn-primary">Enter</button>
             </form>
         </div>
     </div>

src/static/templates/admin/page.hbs

@@ -56,7 +56,7 @@
             <h6 class="mb-0 text-white">Invite User</h6>
             <small>Email:</small>
 
-            <form class="form-inline" id="invite-form">
+            <form class="form-inline" id="invite-form" onsubmit="inviteUser(); return false;">
                 <input type="email" class="form-control w-50 mr-2" id="email-invite" placeholder="Enter email">
                 <button type="submit" class="btn btn-primary">Invite</button>
             </form>
@@ -71,7 +71,7 @@
                 them to avoid confusion. This does not apply to the read-only section, which can only be set through the
                 environment.
             </div>
-            <form class="form accordion" id="config-form">
+            <form class="form accordion" id="config-form" onsubmit="saveConfig(); return false;">
                 {{#each config}}
                 {{#if groupdoc}}
                 <div class="card bg-light mb-3">
@@ -91,7 +91,7 @@
                                 {{#case type "password"}}
                                 <div class="input-group-append">
                                     <button class="btn btn-outline-secondary" type="button"
-                                        onclick="toggleVis('#input_{{name}}');">Show/hide</button>
+                                        onclick="toggleVis('input_{{name}}');">Show/hide</button>
                                 </div>
                                 {{/case}}
                             </div>
@@ -138,7 +138,7 @@
                                 {{#case type "password"}}
                                 <div class="input-group-append">
                                     <button class="btn btn-outline-secondary" type="button"
-                                        onclick="toggleVis('#input_{{name}}');">Show/hide</button>
+                                        onclick="toggleVis('input_{{name}}');">Show/hide</button>
                                 </div>
                                 {{/case}}
                             </div>
@@ -191,35 +191,38 @@
 
 <script>
     function reload() { window.location.reload(); }
+    function msg(text) { text && alert(text); reload(); }
     function identicon(email) {
         const data = new Identicon(md5(email), { size: 48, format: 'svg' });
         return "data:image/svg+xml;base64," + data.toString();
     }
     function toggleVis(input_id) {
-        var type = $(input_id).attr("type");
+        const elem = document.getElementById(input_id);
+        const type = elem.getAttribute("type");
         if (type === "text") {
-            $(input_id).attr("type", "password");
+            elem.setAttribute("type", "password");
         } else {
-            $(input_id).attr("type", "text");
+            elem.setAttribute("type", "text");
         }
         return false;
     }
-    function _post(url, successMsg, errMsg, data) {
-        $.post({
-            url: url,
-            data: data,
-            //async: false,
-            contentType: "application/json",
-        }).done(function () {
-            alert(successMsg);
-        }).fail(function (e) {
-            const r = e.responseJSON;
-            const msg = r ? r.ErrorModel.Message : "Unknown error";
-            alert(errMsg + ": " + msg);
-        }).always(reload);
+    function _post(url, successMsg, errMsg, body) {
+        fetch(url, {
+            method: 'POST',
+            body: body,
+            mode: "same-origin",
+            credentials: "same-origin",
+            headers: { "Content-Type": "application/json" }
+        }).then(e => {
+            if (e.ok) { return msg(successMsg); }
+            e.json().then(json => {
+                const msg = json ? json.ErrorModel.Message : "Unknown error";
+                msg(errMsg + ": " + msg);
+            });
+        }).catch(e => { msg(errMsg + ": Unknown error") });
     }
     function deleteUser(id, mail) {
-        var input_mail = prompt("To delete user '" + mail + "', please type the name below")
+        var input_mail = prompt("To delete user '" + mail + "', please type the email below")
         if (input_mail != null) {
             if (input_mail == mail) {
                 _post("/admin/users/" + id + "/delete",
@@ -250,9 +253,9 @@
         return false;
     }
     function inviteUser() {
-        inv = $("#email-invite");
-        data = JSON.stringify({ "email": inv.val() });
-        inv.val("");
+        inv = document.getElementById("email-invite");
+        data = JSON.stringify({ "email": inv.value });
+        inv.value = "";
         _post("/admin/invite/", "User invited correctly",
             "Error inviting user", data);
         return false;
@@ -260,15 +263,15 @@
     function getFormData() {
         let data = {};
 
-        $(".conf-checkbox").each(function (i, e) {
-            data[e.name] = $(e).is(":checked");
+        document.querySelectorAll(".conf-checkbox").forEach(function (e, i) {
+            data[e.name] = e.checked;
         });
 
-        $(".conf-number").each(function (i, e) {
-            data[e.name] = +e.value;
+        document.querySelectorAll(".conf-number").forEach(function (e, i) {
+            data[e.name] = e.value ? +e.value : null;
         });
 
-        $(".conf-text, .conf-password").each(function (i, e) {
+        document.querySelectorAll(".conf-text, .conf-password").forEach(function (e, i) {
             data[e.name] = e.value || null;
         });
         return data;
@@ -299,19 +302,17 @@
         return false;
     }
     function masterCheck(check_id, inputs_query) {
-        function toggleEnabled(check_id, inputs_query, enabled) {
-            $(inputs_query).prop("disabled", !enabled)
-            if (!enabled)
-                $(inputs_query).val("");
-            $(check_id).prop("disabled", false);
-        };
-        function onChanged(check_id, inputs_query) {
-            return function _fn() { toggleEnabled(check_id, inputs_query, this.checked); };
+        function onChanged(checkbox, inputs_query) {
+            return function _fn() {
+                document.querySelectorAll(inputs_query).forEach(function (e, i) { e.disabled = !checkbox.checked; });
+                checkbox.disabled = false;
+            };
         };
 
-        toggleEnabled(check_id, inputs_query, $(check_id).is(":checked"));
-        $(check_id).change(onChanged(check_id, inputs_query));
-
+        const checkbox = document.getElementById(check_id);
+        const onChange = onChanged(checkbox, inputs_query);
+        onChange(); // Trigger the event initially
+        checkbox.addEventListener("change", onChange);
     }
     let OrgTypes = {
         "0": { "name": "Owner", "color": "orange" },
@@ -319,22 +320,20 @@
         "2": { "name": "User", "color": "blue" },
         "3": { "name": "Manager", "color": "green" },
     };
-    $(window).on('load', function () {
-        $("#invite-form").submit(inviteUser);
-        $("#config-form").submit(saveConfig);
-        $("img.identicon").each(function (i, e) {
-            e.src = identicon(e.dataset.src);
-        });
-        $('[data-orgtype]').each(function (i, e) {
-            let orgtype = OrgTypes[e.dataset.orgtype];
-            e.style.backgroundColor = orgtype.color;
-            e.title = orgtype.name;
-        });
 
-        // These are formatted because otherwise the 
-        // VSCode formatter breaks But they still work
-        // {{#each config}} {{#if grouptoggle}}
-        masterCheck("#input_{{grouptoggle}}", "#g_{{group}} input");
-        // {{/if}} {{/each}}       
+    document.querySelectorAll("img.identicon").forEach(function (e, i) {
+        e.src = identicon(e.dataset.src);
     });
+
+    document.querySelectorAll("[data-orgtype]").forEach(function (e, i) {
+        let orgtype = OrgTypes[e.dataset.orgtype];
+        e.style.backgroundColor = orgtype.color;
+        e.title = orgtype.name;
+    });
+
+    // These are formatted because otherwise the 
+    // VSCode formatter breaks But they still work
+    // {{#each config}} {{#if grouptoggle}}
+    masterCheck("input_{{grouptoggle}}", "#g_{{group}} input");
+    // {{/if}} {{/each}}
 </script>

src/static/templates/email/change_email.hbs

@@ -0,0 +1,6 @@
+Your Email Change
+<!---------------->
+<html>
+<p>To finalize changing your email address enter the following code in web vault: <b>{{token}}</b></p>
+<p>If you did not try to change an email address, you can safely ignore this email.</p>
+</html>

src/static/templates/email/change_email.html.hbs

@@ -0,0 +1,129 @@
+Your Email Change
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          To finalize changing your email address enter the following code in web vault: <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{token}}</b>
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                         If you did not try to change an email address, you can safely ignore this email. 
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/static/templates/email/delete_account.hbs

@@ -0,0 +1,12 @@
+Delete Your Account
+<!---------------->
+<html>
+<p>
+click the link below to delete your account.
+<br>
+<br>
+<a href="{{url}}/#/verify-recover-delete?userId={{user_id}}&token={{token}}&email={{email}}">
+Delete Your Account</a>
+</p>
+<p>If you did not request this email to delete your account, you can safely ignore this email.</p>
+</html>

src/static/templates/email/delete_account.html.hbs

@@ -0,0 +1,137 @@
+Delete Your Account
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          click the link below to delete your account.
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          <a href="{{url}}/#/verify-recover-delete?userId={{user_id}}&token={{token}}&email={{email}}"
+                                             clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                          Delete Your Account
+                                          </a>
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          If you did not request this email to delete your account, you can safely ignore this email.
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/static/templates/email/invite_accepted.html.hbs

@@ -82,7 +82,7 @@ Invitation accepted
       <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
             <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
-                <img src="{{url}}/bwrs_images/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
             </td>
          </tr>
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
@@ -118,7 +118,7 @@ Invitation accepted
                               <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
                                  <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
                                     <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
-                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_images/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
                                     </tr>
                                  </table>
                               </td>

src/static/templates/email/invite_confirmed.html.hbs

@@ -82,7 +82,7 @@ Invitation to {{org_name}} confirmed
       <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
             <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
-                <img src="{{url}}/bwrs_images/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
             </td>
          </tr>
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
@@ -114,7 +114,7 @@ Invitation to {{org_name}} confirmed
                               <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
                                  <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
                                     <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
-                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_images/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
                                     </tr>
                                  </table>
                               </td>

src/static/templates/email/new_device_logged_in.html.hbs

@@ -82,7 +82,7 @@ New Device Logged In From {{device}}
       <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
             <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
-                <img src="{{url}}/bwrs_images/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
             </td>
          </tr>
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
@@ -128,7 +128,7 @@ New Device Logged In From {{device}}
                               <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
                                  <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
                                     <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
-                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_images/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
                                     </tr>
                                  </table>
                               </td>

src/static/templates/email/pw_hint_none.hbs

@@ -1,3 +1,7 @@
-Sorry, you have no password hint...
+Your master password hint
 <!---------------->
-Sorry, you have not specified any password hint...
+You (or someone) recently requested your master password hint. Unfortunately, your account does not have a master password hint.
+
+If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+
+If you did not request your master password hint you can safely ignore this email.

src/static/templates/email/pw_hint_none.html.hbs

@@ -82,7 +82,7 @@ Sorry, you have no password hint...
       <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
             <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
-                <img src="{{url}}/bwrs_images/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
             </td>
          </tr>
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
@@ -99,6 +99,11 @@ Sorry, you have no password hint...
                                           You (or someone) recently requested your master password hint. Unfortunately, your account does not have a master password hint. <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
                                        </td>
                                     </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
+                                          If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+                                       </td>
+                                    </tr>
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                                        <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
                                           If you did not request your master password hint you can safely ignore this email.
@@ -113,7 +118,7 @@ Sorry, you have no password hint...
                               <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
                                  <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
                                     <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
-                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_images/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
                                     </tr>
                                  </table>
                               </td>

src/static/templates/email/pw_hint_some.hbs

@@ -5,4 +5,6 @@ You (or someone) recently requested your master password hint.
 Your hint is: "{{hint}}"
 Log in: <a href="{{url}}">Web Vault</a>
 
+If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+
 If you did not request your master password hint you can safely ignore this email.

src/static/templates/email/pw_hint_some.html.hbs

@@ -82,7 +82,7 @@ Your master password hint
       <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
             <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
-                <img src="{{url}}/bwrs_images/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
             </td>
          </tr>
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
@@ -105,6 +105,11 @@ Your master password hint
                                           Log in: <a href="{{url}}">Web Vault</a>
                                        </td>
                                     </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
+                                          If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+                                       </td>
+                                    </tr>
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                                        <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
                                           If you did not request your master password hint you can safely ignore this email.
@@ -119,7 +124,7 @@ Your master password hint
                               <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
                                  <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
                                     <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
-                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_images/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
                                     </tr>
                                  </table>
                               </td>

src/static/templates/email/send_org_invite.html.hbs

@@ -82,7 +82,7 @@ Join {{org_name}}
       <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
             <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
-                <img src="{{url}}/bwrs_images/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
             </td>
          </tr>
          <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
@@ -121,7 +121,7 @@ Join {{org_name}}
                               <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
                                  <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
                                     <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
-                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_images/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
                                     </tr>
                                  </table>
                               </td>