Fix token error while accepting invite

Fixed issue #908

.env.template

@@ -21,6 +21,10 @@
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false
 
+## Client IP Header, used to identify the IP of the client, defaults to "X-Client-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Client-IP
+
 ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
@@ -37,14 +41,10 @@
 # WEBSOCKET_ADDRESS=0.0.0.0
 # WEBSOCKET_PORT=3012
 
-## Enable extended logging
-## This shows timestamps and allows logging to file and to syslog
-### To enable logging to file, use the LOG_FILE env variable
-### To enable syslog, use the USE_SYSLOG env variable
+## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true
 
 ## Logging to file
-## This requires extended logging
 ## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # LOG_FILE=/path/to/log
 
@@ -56,7 +56,8 @@
 ## Log level
 ## Change the verbosity of the log output
 ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
-## This requires extended logging
+## Setting it to "trace" or "debug" would also show logs for mounted 
+## routes and static file, websocket and alive requests
 # LOG_LEVEL=Info
 
 ## Enable WAL for the DB
@@ -95,12 +96,22 @@
 ## Controls if new users can register
 # SIGNUPS_ALLOWED=true
 
+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
 ## Controls if new users from a list of comma-separated domains can register
 ## even if SIGNUPS_ALLOWED is set to false
-##
-## WARNING: There is currently no validation that prevents anyone from
-##          signing up with any made-up email address from one of these
-##          whitelisted domains!
 # SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
 
 ## Token for the admin interface, preferably use a long random string

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: dani-garcia
+custom: ["https://paypal.me/DaniGG"]

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,42 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!--
+Please fill out the following template to make solving your problem easier and faster for us.
+This is only a guideline. If you think that parts are unneccessary for your issue, feel free to remove them.
+
+Remember to hide/obfuscate personal and confidential information, 
+such as names, global IP/DNS adresses and especially passwords, if neccessary.
+-->
+
+### Subject of the issue
+<!-- Describe your issue here.-->
+
+### Your environment
+<!-- The version number, obtained from the logs or the admin page -->
+* Bitwarden_rs version: 
+<!-- How the server was installed: Docker image / package / built from source -->
+* Install method: 
+* Clients used: <!-- if applicable -->
+* Reverse proxy and version: <!-- if applicable -->
+* Version of mysql/postgresql: <!-- if applicable -->
+* Other relevant information: 
+
+### Steps to reproduce
+<!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults)
+and how did you start bitwarden_rs? -->
+
+### Expected behaviour
+<!-- Tell us what should happen -->
+
+### Actual behaviour
+<!-- Tell us what happens instead -->
+
+### Relevant logs
+<!-- Share some logfiles, screenshots or output of relevant programs with us. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,11 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your feature requests to the forum
+Link: https://bitwardenrs.discourse.group/c/feature-requests

.github/ISSUE_TEMPLATE/help-with-installation-configuration.md

@@ -0,0 +1,11 @@
+---
+name: Help with installation/configuration
+about: Any questions about the setup of bitwarden_rs
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your third party help requests to the forum
+Link: https://bitwardenrs.discourse.group/c/help

.github/ISSUE_TEMPLATE/help-with-proxy-database-nas-setup.md

@@ -0,0 +1,11 @@
+---
+name: Help with proxy/database/NAS setup
+about: Any questions about third party software
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your third party help requests to the forum
+Link: https://bitwardenrs.discourse.group/c/third-party-help

.github/workflows/workspace.yml

@@ -0,0 +1,148 @@
+name: Workflow
+
+on:
+  push:
+    paths-ignore:
+      - "**.md"
+  #pull_request:
+  #  paths-ignore:
+  #    - "**.md"
+
+jobs:
+  build:
+    name: Build
+    strategy:
+      fail-fast: false
+      matrix:
+        db-backend: [sqlite, mysql, postgresql]
+        target:
+          - x86_64-unknown-linux-gnu
+          # - x86_64-unknown-linux-musl
+          # - x86_64-apple-darwin
+          # - x86_64-pc-windows-msvc
+        include:
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+            ext:
+          # - target: x86_64-unknown-linux-musl
+          #   os: ubuntu-latest
+          #   ext:
+          # - target: x86_64-apple-darwin
+          #   os: macOS-latest
+          #   ext:
+          # - target: x86_64-pc-windows-msvc
+          #   os: windows-latest
+          #   ext: .exe
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v1
+
+    # - name: Cache choco cache
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'windows-latest'
+    #   with:
+    #     path: ~\AppData\Local\Temp\chocolatey
+    #     key: ${{ runner.os }}-choco-cache-${{ matrix.db-backend }}
+
+    - name: Cache vcpkg installed
+      uses: actions/cache@v1.0.3
+      if: matrix.os == 'windows-latest'
+      with:
+        path: $VCPKG_ROOT/installed
+        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    - name: Cache vcpkg downloads
+      uses: actions/cache@v1.0.3
+      if: matrix.os == 'windows-latest'
+      with:
+        path: $VCPKG_ROOT/downloads
+        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    # - name: Cache homebrew
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'macOS-latest'
+    #   with:
+    #     path: ~/Library/Caches/Homebrew
+    #     key: ${{ runner.os }}-brew-cache
+
+    # - name: Cache apt
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'ubuntu-latest'
+    #   with:
+    #     path: /var/cache/apt/archives
+    #     key: ${{ runner.os }}-apt-cache
+
+    # Install dependencies
+    - name: Install dependencies macOS
+      run: brew update; brew install openssl sqlite libpq mysql
+      if: matrix.os == 'macOS-latest'
+
+    - name: Install dependencies Ubuntu
+      run: sudo apt-get update && sudo apt-get install --no-install-recommends openssl sqlite libpq-dev libmysql++-dev
+      if: matrix.os == 'ubuntu-latest'
+
+    - name: Install dependencies Windows
+      run: vcpkg integrate install; vcpkg install sqlite3:x64-windows openssl:x64-windows libpq:x64-windows libmysql:x64-windows
+      if: matrix.os == 'windows-latest'
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+    # End Install dependencies
+
+    # Install rust nightly toolchain
+    - name: Cache cargo registry
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/registry
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo index
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/git
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo build
+      uses: actions/cache@v1.0.3
+      with:
+        path: target
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+
+    - name: Install latest nightly
+      uses: actions-rs/toolchain@v1.0.5
+      with:
+        # Uses rust-toolchain to determine version
+        profile: minimal
+        target: ${{ matrix.target }}
+
+    # Build
+    - name: Build Win
+      if: matrix.os == 'windows-latest'
+      run: cargo.exe build --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
+      env:
+        RUSTFLAGS: -Ctarget-feature=+crt-static
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    - name: Build macOS / Ubuntu
+      if: matrix.os == 'macOS-latest' || matrix.os == 'ubuntu-latest'
+      run: cargo build --verbose --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
+
+    # Test
+    - name: Run tests
+      run: cargo test --features ${{ matrix.db-backend }}
+
+    # Upload & Release
+    - name: Upload artifact
+      uses: actions/upload-artifact@v1.0.0
+      with:
+        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
+        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
+
+    - name: Release
+      uses: Shopify/upload-to-release@1.0.0
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
+        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
+        repo-token: ${{ secrets.GITHUB_TOKEN }}

.travis.yml

@@ -17,5 +17,5 @@ before_install:
 install: true
 script:
 - git ls-files --exclude='Dockerfile*' --ignored | xargs --max-lines=1 hadolint
-- cargo build --features "sqlite"
-- cargo build --features "mysql"
+- cargo test --features "sqlite"
+- cargo test --features "mysql"

Cargo.toml

@@ -14,7 +14,7 @@ build = "build.rs"
 # Empty to keep compatibility, prefer to set USE_SYSLOG=true
 enable_syslog = []
 mysql = ["diesel/mysql", "diesel_migrations/mysql"]
-postgresql = ["diesel/postgres", "diesel_migrations/postgres", "openssl"]
+postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
 sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
 
 [target."cfg(not(windows))".dependencies]
@@ -26,7 +26,7 @@ rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
 rocket_contrib = "0.5.0-dev"
 
 # HTTP client
-reqwest = "0.9.22"
+reqwest = { version = "0.10.4", features = ["blocking", "json"] }
 
 # multipart/form-data support
 multipart = { version = "0.16.1", features = ["server"], default-features = false }
@@ -35,19 +35,19 @@ multipart = { version = "0.16.1", features = ["server"], default-features = fals
 ws = "0.9.1"
 
 # MessagePack library
-rmpv = "0.4.2"
+rmpv = "0.4.4"
 
 # Concurrent hashmap implementation
 chashmap = "2.2.2"
 
 # A generic serialization/deserialization framework
-serde = "1.0.102"
-serde_derive = "1.0.102"
-serde_json = "1.0.41"
+serde = "1.0.104"
+serde_derive = "1.0.104"
+serde_json = "1.0.48"
 
 # Logging
 log = "0.4.8"
-fern = { version = "0.5.9", features = ["syslog-4"] }
+fern = { version = "0.6.0", features = ["syslog-4"] }
 
 # A safe, extensible ORM and Query builder
 diesel = { version = "1.4.3", features = [ "chrono", "r2d2"] }
@@ -57,69 +57,77 @@ diesel_migrations = "1.4.0"
 libsqlite3-sys = { version = "0.16.0", features = ["bundled"], optional = true }
 
 # Crypto library
-ring = "0.14.6"
+ring = "0.16.11"
 
 # UUID generation
 uuid = { version = "0.8.1", features = ["v4"] }
 
-# Date and time library for Rust
-chrono = "0.4.9"
+# Date and time librar for Rust
+chrono = "0.4.11"
+time = "0.2.9"
 
 # TOTP library
 oath = "0.10.2"
 
 # Data encoding library
-data-encoding = "2.1.2"
+data-encoding = "2.2.0"
 
 # JWT library
-jsonwebtoken = "6.0.1"
+jsonwebtoken = "7.1.0"
 
 # U2F library
-u2f = "0.1.6"
+u2f = "0.2.0"
 
 # Yubico Library
-yubico = { version = "0.7.1", features = ["online-tokio"], default-features = false }
+yubico = { version = "0.9.0", features = ["online-tokio"], default-features = false }
 
 # A `dotenv` implementation for Rust
 dotenv = { version = "0.15.0", default-features = false }
 
-# Lazy static macro
-lazy_static = "1.4.0"
+# Lazy initialization
+once_cell = "1.3.1"
 
 # More derives
-derive_more = "0.99.2"
+derive_more = "0.99.3"
 
 # Numerical libraries
-num-traits = "0.2.9"
+num-traits = "0.2.11"
 num-derive = "0.3.0"
 
 # Email libraries
-lettre = "0.9.2"
-lettre_email = "0.9.2"
-native-tls = "0.2.3"
-quoted_printable = "0.4.1"
+lettre = "0.10.0-pre"
+native-tls = "0.2.4"
+quoted_printable = "0.4.2"
 
 # Template library
-handlebars = "2.0.2"
+handlebars = { version = "3.0.1", features = ["dir_source"] }
 
 # For favicon extraction from main website
-soup = "0.4.1"
-regex = "1.3.1"
+soup = "0.5.0"
+regex = "1.3.4"
+data-url = "0.1.0"
 
-# Required for SSL support for PostgreSQL
-openssl = { version = "0.10.25", optional = true }
+# Used by U2F, JWT and Postgres
+openssl = "0.10.28"
 
 # URL encoding library
 percent-encoding = "2.1.0"
+# Punycode conversion
+idna = "0.2.0"
+
+# CLI argument parsing
+structopt = "0.3.11"
+
+# Logging panics to logfile instead stderr only
+backtrace = "0.3.45"
 
 [patch.crates-io]
-# Add support for Timestamp type
-rmp = { git = 'https://github.com/3Hren/msgpack-rust', rev = 'd6c6c672e470341207ed9feb69b56322b5597a11' }
-
 # Use newest ring
-rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'b95b6765e1cc8be7c1e7eaef8a9d9ad940b0ac13' }
-rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'b95b6765e1cc8be7c1e7eaef8a9d9ad940b0ac13' }
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dfc9e9aab01d349da32c52db393e35b7fffea63c' }
+rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dfc9e9aab01d349da32c52db393e35b7fffea63c' }
 
 # Use git version for timeout fix #706
-lettre = { git = 'https://github.com/lettre/lettre', rev = '24d694db3be017d82b1cdc8bf9da601420b31bb0' }
-lettre_email = { git = 'https://github.com/lettre/lettre', rev = '24d694db3be017d82b1cdc8bf9da601420b31bb0' }
+lettre = { git = 'https://github.com/lettre/lettre', rev = '245c600c82ee18b766e8729f005ff453a55dce34' }
+
+# For favicon extraction from main website
+data-url = { git = 'https://github.com/servo/rust-url', package="data-url", rev = '7f1bd6ce1c2fde599a757302a843a60e714c5f72' }

README.md

@@ -13,7 +13,7 @@ Image is based on [Rust implementation of Bitwarden API](https://github.com/dani
 
 **This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
 
-#### ⚠️**IMPORTANT**⚠️: When using this server, please report any Bitwarden related bug-reports or suggestions [here](https://github.com/dani-garcia/bitwarden_rs/issues/new), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
 
 ---
 
@@ -21,14 +21,14 @@ Image is based on [Rust implementation of Bitwarden API](https://github.com/dani
 
 Basically full implementation of Bitwarden API is provided including:
 
- * Basic single user functionality
+ * Single user functionality
  * Organizations support
  * Attachments
  * Vault API support
  * Serving the static files for Vault interface
  * Website icons API
  * Authenticator and U2F support
- * YubiKey OTP
+ * YubiKey and Duo support
 
 ## Installation
 Pull the docker image and mount a volume from the host for persistent storage:
@@ -49,7 +49,13 @@ If you have an available domain name, you can get HTTPS certificates with [Let's
 See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) for more information on how to configure and run the bitwarden_rs server.
 
 ## Get in touch
+To ask a question, offer suggestions or new features or to get help configuring or installing the software, please [use the forum](https://bitwardenrs.discourse.group/).
 
-To ask a question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine. Please also report any bugs spotted here.
+If you spot any bugs or crashes with bitwarden_rs itself, please [create an issue](https://github.com/dani-garcia/bitwarden_rs/issues/). Make sure there aren't any similar issues open, though!
 
 If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!
+
+### Sponsors
+Thanks for your contribution to the project!
+
+- [@ChonoN](https://github.com/ChonoN)

azure-pipelines.yml

@@ -18,8 +18,8 @@ steps:
     cargo -V
   displayName: Query rust and cargo versions
 
-- script : cargo build --features "sqlite"
-  displayName: 'Build project with sqlite backend'
+- script : cargo test --features "sqlite"
+  displayName: 'Test project with sqlite backend'
 
-- script : cargo build --features "mysql"
-  displayName: 'Build project with mysql backend'
+- script : cargo test --features "mysql"
+  displayName: 'Test project with mysql backend'

docker/Dockerfile.j2

@@ -0,0 +1,296 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+{% set build_stage_base_image = "rust:1.40" %}
+{% if "alpine" in target_file %}
+{%   set build_stage_base_image = "clux/muslrust:nightly-2020-03-09" %}
+{%   set runtime_stage_base_image = "alpine:3.11" %}
+{%   set package_arch_name = "" %}
+{% elif "amd64" in target_file %}
+{%   set runtime_stage_base_image = "debian:buster-slim" %}
+{%   set package_arch_name = "" %}
+{% elif "aarch64" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/aarch64-debian:buster" %}
+{%   set package_arch_name = "arm64" %}
+{% elif "armv6" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/rpi-debian:buster" %}
+{%   set package_arch_name = "armel" %}
+{% elif "armv7" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/armv7hf-debian:buster" %}
+{%   set package_arch_name = "armhf" %}
+{% endif %}
+{% set package_arch_prefix = ":" + package_arch_name %}
+{% if package_arch_name == "" %}
+{%   set package_arch_prefix = "" %}
+{% endif %}
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+{% set vault_image_hash = "sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c" %}
+{% raw %}
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+{% endraw %}
+FROM bitwardenrs/web-vault@{{ vault_image_hash }} as vault
+
+########################## BUILD IMAGE  ##########################
+{% if "musl" in build_stage_base_image %}
+# Musl build image for statically compiled binary
+{% else %}
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+{% endif %}
+FROM {{ build_stage_base_image }} as build
+
+{% if "sqlite" in target_file %}
+# set sqlite as default for DB ARG for backward compatibility
+ARG DB=sqlite
+
+{% elif "mysql" in target_file %}
+# set mysql backend
+ARG DB=mysql
+
+{% elif "postgresql" in target_file %}
+# set postgresql backend
+ARG DB=postgresql
+
+{% endif %}
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+{% if "alpine" in target_file %}
+ENV USER "root"
+ENV RUSTFLAGS='-C link-arg=-s'
+
+{% elif "aarch64" in target_file or "armv" in target_file %}
+# Install required build libs for {{ package_arch_name }} architecture.
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture {{ package_arch_name }} \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev{{ package_arch_prefix }} \
+        libc6-dev{{ package_arch_prefix }}
+
+{% endif -%}
+{% if "aarch64" in target_file %}
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+{% elif "armv6" in target_file %}
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+{% elif "armv6" in target_file %}
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+{% elif "armv7" in target_file %}
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+{% endif %}
+{% if "mysql" in target_file %}
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+{% if "musl" in build_stage_base_image %}
+    libmysqlclient-dev{{ package_arch_prefix }} \
+{% else %}
+    libmariadb-dev{{ package_arch_prefix }} \
+{% endif %}
+    && rm -rf /var/lib/apt/lists/*
+
+{% elif "postgresql" in target_file %}
+# Install PostgreSQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libpq-dev{{ package_arch_prefix }} \
+    && rm -rf /var/lib/apt/lists/*
+
+{% endif %}
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+{% if "aarch64" in target_file %}
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+{% elif "armv6" in target_file %}
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+{% elif "armv7" in target_file %}
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+{% endif -%}
+
+{% if "alpine" in target_file %}
+RUN rustup target add x86_64-unknown-linux-musl
+
+{% elif "aarch64" in target_file %}
+RUN rustup target add aarch64-unknown-linux-gnu
+
+{% elif "armv6" in target_file %}
+RUN rustup target add arm-unknown-linux-gnueabi
+
+{% elif "armv7" in target_file %}
+RUN rustup target add armv7-unknown-linux-gnueabihf
+{% endif %}
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+{% if "amd64" in target_file %}
+RUN cargo build --features ${DB} --release
+{% elif "aarch64" in target_file %}
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+{% elif "armv6" in target_file %}
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+{% elif "armv7" in target_file %}
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+{% endif %}
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM {{ runtime_stage_base_image }}
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+{% if "alpine" in runtime_stage_base_image %}
+ENV SSL_CERT_DIR=/etc/ssl/certs
+{% endif %}
+
+{% if "amd64" not in target_file %}
+RUN [ "cross-build-start" ]
+
+{% endif %}
+# Install needed libraries
+{% if "alpine" in runtime_stage_base_image %}
+RUN apk add --no-cache \
+        openssl \
+        curl \
+{%   if "sqlite" in target_file %}
+        sqlite \
+{%   elif "mysql" in target_file %}
+        mariadb-connector-c \
+{%   elif "postgresql" in target_file %}
+        postgresql-libs \
+{%   endif %}
+        ca-certificates
+{% else %}
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+{%   if "sqlite" in target_file %}
+    sqlite3 \
+{%   elif "mysql" in target_file %}
+    libmariadbclient-dev \
+{%   elif "postgresql" in target_file %}
+    libpq5 \
+{%   endif %}
+    && rm -rf /var/lib/apt/lists/*
+{% endif %}
+
+RUN mkdir /data
+{% if "amd64" not in target_file %}
+
+RUN [ "cross-build-end" ]
+
+{% endif %}
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+{% if "alpine" in target_file %}
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+{% elif "aarch64" in target_file %}
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+{% elif "armv6" in target_file %}
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+{% elif "armv7" in target_file %}
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+{% else %}
+COPY --from=build app/target/release/bitwarden_rs .
+{% endif %}
+
+COPY docker/healthcheck.sh ./healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+
+# Configures the startup!
+WORKDIR /
+CMD ["/bitwarden_rs"]

docker/Makefile

@@ -0,0 +1,9 @@
+OBJECTS := $(shell find -mindepth 2 -name 'Dockerfile*')
+
+all: $(OBJECTS)
+
+%/Dockerfile: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
+
+%/Dockerfile.alpine: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"

docker/aarch64/mysql/Dockerfile

@@ -1,33 +1,46 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for arm64 architecture.
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -39,31 +52,43 @@ RUN apt-get update \
 ENV CARGO_HOME "/root/.cargo"
 ENV USER "root"
 
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev:arm64 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
-# Prepare openssl arm64 libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture arm64 \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:arm64 \
-        libc6-dev:arm64 \
-        libmariadb-dev:arm64
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
 
 ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
 ENV CROSS_COMPILE="1"
 ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
 ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+RUN rustup target add aarch64-unknown-linux-gnu
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-# Build
-RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -91,6 +116,7 @@ RUN [ "cross-build-end" ]
 
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/aarch64/sqlite/Dockerfile

@@ -1,33 +1,46 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
-# set sqlite as default for DB ARG for backward comaptibility
+# set sqlite as default for DB ARG for backward compatibility
 ARG DB=sqlite
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for arm64 architecture.
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -39,30 +52,37 @@ RUN apt-get update \
 ENV CARGO_HOME "/root/.cargo"
 ENV USER "root"
 
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
-# Prepare openssl arm64 libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture arm64 \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:arm64 \
-        libc6-dev:arm64
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
 
 ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
 ENV CROSS_COMPILE="1"
 ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
 ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+RUN rustup target add aarch64-unknown-linux-gnu
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-# Build
-RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -90,6 +110,7 @@ RUN [ "cross-build-end" ]
 
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/amd64/mysql/Dockerfile

@@ -1,38 +1,35 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3\
-# && rm -rf /var/lib/apt/lists/*
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
 
 # Install MySQL package
 RUN apt-get update && apt-get install -y \
@@ -41,7 +38,7 @@ RUN apt-get update && apt-get install -y \
     && rm -rf /var/lib/apt/lists/*
 
 # Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
 # Copies over *only* your manifests and build files

docker/amd64/mysql/Dockerfile.alpine

@@ -1,58 +1,75 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-10-19 as build
+FROM clux/muslrust:nightly-2019-12-19 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
 ENV USER "root"
 
-# Install needed libraries
+# Install MySQL package
 RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     libmysqlclient-dev \
     && rm -rf /var/lib/apt/lists/*
 
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-RUN rustup target add x86_64-unknown-linux-musl
-
 # Make sure that we actually build the project
 RUN touch src/main.rs
 
-# Build
+# Builds again, this time it'll just be
+# your actual source files being built
 RUN cargo build --features ${DB} --release
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.10
+FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -62,8 +79,8 @@ ENV SSL_CERT_DIR=/etc/ssl/certs
 # Install needed libraries
 RUN apk add --no-cache \
         openssl \
-        mariadb-connector-c \
         curl \
+        mariadb-connector-c \
         ca-certificates
 
 RUN mkdir /data

docker/amd64/postgresql/Dockerfile

@@ -1,47 +1,44 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
-# set mysql backend
+# set postgresql backend
 ARG DB=postgresql
 
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3\
-# && rm -rf /var/lib/apt/lists/*
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
 
-# Install MySQL package
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install PostgreSQL package
 RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     libpq-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
 # Copies over *only* your manifests and build files
@@ -81,7 +78,6 @@ RUN apt-get update && apt-get install -y \
     openssl \
     ca-certificates \
     curl \
-    sqlite3 \
     libpq5 \
     && rm -rf /var/lib/apt/lists/*
 

docker/amd64/postgresql/Dockerfile.alpine

@@ -1,58 +1,75 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-10-19 as build
+FROM clux/muslrust:nightly-2019-12-19 as build
 
-# set mysql backend
+# set postgresql backend
 ARG DB=postgresql
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
 ENV USER "root"
 
-# Install needed libraries
+# Install PostgreSQL package
 RUN apt-get update && apt-get install -y \
     --no-install-recommends \
     libpq-dev \
     && rm -rf /var/lib/apt/lists/*
 
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-RUN rustup target add x86_64-unknown-linux-musl
-
 # Make sure that we actually build the project
 RUN touch src/main.rs
 
-# Build
+# Builds again, this time it'll just be
+# your actual source files being built
 RUN cargo build --features ${DB} --release
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.10
+FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -62,9 +79,8 @@ ENV SSL_CERT_DIR=/etc/ssl/certs
 # Install needed libraries
 RUN apk add --no-cache \
         openssl \
-        postgresql-libs \
         curl \
-        sqlite \
+        postgresql-libs \
         ca-certificates
 
 RUN mkdir /data

docker/amd64/sqlite/Dockerfile

@@ -1,41 +1,38 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
-# set sqlite as default for DB ARG for backward comaptibility
+# set sqlite as default for DB ARG for backward compatibility
 ARG DB=sqlite
 
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3 \
-# && rm -rf /var/lib/apt/lists/*
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
 
 # Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
 # Copies over *only* your manifests and build files

docker/amd64/sqlite/Dockerfile.alpine

@@ -1,52 +1,69 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-10-19 as build
+FROM clux/muslrust:nightly-2019-12-19 as build
 
-# set sqlite as default for DB ARG for backward comaptibility
+# set sqlite as default for DB ARG for backward compatibility
 ARG DB=sqlite
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
 ENV USER "root"
 
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-RUN rustup target add x86_64-unknown-linux-musl
-
 # Make sure that we actually build the project
 RUN touch src/main.rs
 
-# Build
+# Builds again, this time it'll just be
+# your actual source files being built
 RUN cargo build --features ${DB} --release
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.10
+FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -75,7 +92,6 @@ COPY docker/healthcheck.sh ./healthcheck.sh
 
 HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
 
-
 # Configures the startup!
 WORKDIR /
 CMD ["/bitwarden_rs"]

docker/armv6/mysql/Dockerfile

@@ -1,33 +1,46 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armel architecture.
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -39,31 +52,43 @@ RUN apt-get update \
 ENV CARGO_HOME "/root/.cargo"
 ENV USER "root"
 
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev:armel \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
-# Prepare openssl armel libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armel \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armel \
-        libc6-dev:armel \
-        libmariadb-dev:armel
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
 
 ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
 ENV CROSS_COMPILE="1"
 ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
 ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+RUN rustup target add arm-unknown-linux-gnueabi
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-# Build
-RUN rustup target add arm-unknown-linux-gnueabi
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -91,6 +116,7 @@ RUN [ "cross-build-end" ]
 
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/armv6/sqlite/Dockerfile

@@ -1,33 +1,46 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
-# set sqlite as default for DB ARG for backward comaptibility
+# set sqlite as default for DB ARG for backward compatibility
 ARG DB=sqlite
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armel architecture.
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -39,30 +52,37 @@ RUN apt-get update \
 ENV CARGO_HOME "/root/.cargo"
 ENV USER "root"
 
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
-# Prepare openssl armel libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armel \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armel \
-        libc6-dev:armel
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
 
 ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
 ENV CROSS_COMPILE="1"
 ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
 ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+RUN rustup target add arm-unknown-linux-gnueabi
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-# Build
-RUN rustup target add arm-unknown-linux-gnueabi
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -90,6 +110,7 @@ RUN [ "cross-build-end" ]
 
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/armv7/mysql/Dockerfile

@@ -1,33 +1,46 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
 # set mysql backend
 ARG DB=mysql
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armhf architecture.
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -39,32 +52,42 @@ RUN apt-get update \
 ENV CARGO_HOME "/root/.cargo"
 ENV USER "root"
 
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev:armhf \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
-# Prepare openssl armhf libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armhf \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armhf \
-        libc6-dev:armhf \
-        libmariadb-dev:armhf
-
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
 
 ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
 ENV CROSS_COMPILE="1"
 ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
 ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+RUN rustup target add armv7-unknown-linux-gnueabihf
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-# Build
-RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -92,6 +115,7 @@ RUN [ "cross-build-end" ]
 
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/armv7/sqlite/Dockerfile

@@ -1,33 +1,46 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
 
-ENV VAULT_VERSION "v2.12.0b"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.12.0e
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.12.0e
+#      
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c
+FROM bitwardenrs/web-vault@sha256:feb3f46d15738191b9043be4cdb1be2c0078ed411e7b7be73a2f4fcbca01e13c as vault
 
 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust:1.38 as build
+FROM rust:1.40 as build
 
-# set sqlite as default for DB ARG for backward comaptibility
+# set sqlite as default for DB ARG for backward compatibility
 ARG DB=sqlite
 
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armhf architecture.
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf
+
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
@@ -39,30 +52,36 @@ RUN apt-get update \
 ENV CARGO_HOME "/root/.cargo"
 ENV USER "root"
 
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
 WORKDIR /app
 
-# Prepare openssl armhf libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armhf \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armhf \
-        libc6-dev:armhf
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
 
 ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
 ENV CROSS_COMPILE="1"
 ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
 ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+RUN rustup target add armv7-unknown-linux-gnueabihf
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
 COPY . .
 
-# Build
-RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -90,6 +109,7 @@ RUN [ "cross-build-end" ]
 
 VOLUME /data
 EXPOSE 80
+EXPOSE 3012
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/render_template

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+
+import os, argparse, json
+
+import jinja2
+
+args_parser = argparse.ArgumentParser()
+args_parser.add_argument('template_file', help='Jinja2 template file to render.')
+args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.')
+cli_args = args_parser.parse_args()
+
+render_vars = json.loads(cli_args.render_vars)
+environment = jinja2.Environment(
+	loader=jinja2.FileSystemLoader(os.getcwd()),
+	trim_blocks=True,
+)
+print(environment.get_template(cli_args.template_file).render(render_vars))

migrations/mysql/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/mysql/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;

migrations/mysql/2020-03-13-205045_add_policy_table/down.sql

@@ -0,0 +1 @@
+DROP TABLE org_policies;

migrations/mysql/2020-03-13-205045_add_policy_table/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid  CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (org_uuid, atype)
+);

migrations/postgresql/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/postgresql/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;

migrations/postgresql/2020-03-13-205045_add_policy_table/down.sql

@@ -0,0 +1 @@
+DROP TABLE org_policies;

migrations/postgresql/2020-03-13-205045_add_policy_table/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid  CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+  
+  UNIQUE (org_uuid, atype)
+);

migrations/sqlite/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/sqlite/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new TEXT DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token TEXT DEFAULT NULL;

migrations/sqlite/2020-03-13-205045_add_policy_table/down.sql

@@ -0,0 +1 @@
+DROP TABLE org_policies;

migrations/sqlite/2020-03-13-205045_add_policy_table/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      TEXT     NOT NULL PRIMARY KEY,
+  org_uuid  TEXT     NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (org_uuid, atype)
+);

rust-toolchain

@@ -1 +1 @@
-nightly-2019-11-17
+nightly-2020-03-09

rustfmt.toml

@@ -1 +1,2 @@
+version = "Two"
 max_width = 120

src/api/admin.rs

@@ -1,3 +1,4 @@
+use once_cell::sync::Lazy;
 use serde_json::Value;
 use std::process::Command;
 
@@ -26,6 +27,7 @@ pub fn routes() -> Vec<Route> {
         post_admin_login,
         admin_page,
         invite_user,
+        logout,
         delete_user,
         deauth_user,
         remove_2fa,
@@ -33,12 +35,12 @@ pub fn routes() -> Vec<Route> {
         post_config,
         delete_config,
         backup_db,
+        test_smtp,
     ]
 }
 
-lazy_static! {
-    static ref CAN_BACKUP: bool = cfg!(feature = "sqlite") && Command::new("sqlite3").arg("-version").status().is_ok();
-}
+static CAN_BACKUP: Lazy<bool> =
+    Lazy::new(|| cfg!(feature = "sqlite") && Command::new("sqlite3").arg("-version").status().is_ok());
 
 #[get("/")]
 fn admin_disabled() -> &'static str {
@@ -51,11 +53,15 @@ const ADMIN_PATH: &str = "/admin";
 const BASE_TEMPLATE: &str = "admin/base";
 const VERSION: Option<&str> = option_env!("GIT_VERSION");
 
+fn admin_path() -> String {
+    format!("{}{}", CONFIG.domain_path(), ADMIN_PATH)
+}
+
 #[get("/", rank = 2)]
 fn admin_login(flash: Option<FlashMessage>) -> ApiResult<Html<String>> {
     // If there is an error, show it
     let msg = flash.map(|msg| format!("{}: {}", msg.name(), msg.msg()));
-    let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg});
+    let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg, "urlpath": CONFIG.domain_path()});
 
     // Return the page
     let text = CONFIG.render_template(BASE_TEMPLATE, &json)?;
@@ -75,7 +81,7 @@ fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -
     if !_validate_token(&data.token) {
         error!("Invalid admin token. IP: {}", ip.ip);
         Err(Flash::error(
-            Redirect::to(ADMIN_PATH),
+            Redirect::to(admin_path()),
             "Invalid admin token, please try again.",
         ))
     } else {
@@ -84,14 +90,14 @@ fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -
         let jwt = encode_jwt(&claims);
 
         let cookie = Cookie::build(COOKIE_NAME, jwt)
-            .path(ADMIN_PATH)
-            .max_age(chrono::Duration::minutes(20))
+            .path(admin_path())
+            .max_age(time::Duration::minutes(20))
             .same_site(SameSite::Strict)
             .http_only(true)
             .finish();
 
         cookies.add(cookie);
-        Ok(Redirect::to(ADMIN_PATH))
+        Ok(Redirect::to(admin_path()))
     }
 }
 
@@ -109,6 +115,8 @@ struct AdminTemplateData {
     users: Vec<Value>,
     config: Value,
     can_backup: bool,
+    logged_in: bool,
+    urlpath: String,
 }
 
 impl AdminTemplateData {
@@ -119,6 +127,8 @@ impl AdminTemplateData {
             users,
             config: CONFIG.prepare_json(),
             can_backup: *CAN_BACKUP,
+            logged_in: true,
+            urlpath: CONFIG.domain_path(),
         }
     }
 
@@ -150,22 +160,35 @@ fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> Empt
         err!("User already exists")
     }
 
-    if !CONFIG.invitations_allowed() {
-        err!("Invitations are not allowed")
-    }
-
     let mut user = User::new(email);
     user.save(&conn)?;
 
     if CONFIG.mail_enabled() {
-        let org_name = "bitwarden_rs";
-        mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None)
+        mail::send_invite(&user.email, &user.uuid, None, None, &CONFIG.invitation_org_name(), None)
     } else {
         let invitation = Invitation::new(data.email);
         invitation.save(&conn)
     }
 }
 
+#[post("/test/smtp", data = "<data>")]
+fn test_smtp(data: Json<InviteData>, _token: AdminToken) -> EmptyResult {
+    let data: InviteData = data.into_inner();
+    let email = data.email.clone();
+
+    if CONFIG.mail_enabled() {
+        mail::send_test(&email)
+    } else {
+        err!("Mail is not enabled")
+    }
+}
+
+#[get("/logout")]
+fn logout(mut cookies: Cookies) -> Result<Redirect, ()> {
+    cookies.remove(Cookie::named(COOKIE_NAME));
+    Ok(Redirect::to(admin_path()))
+}
+
 #[get("/users")]
 fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
     let users = User::get_all(&conn);

src/api/core/accounts.rs

@@ -1,10 +1,12 @@
+use chrono::Utc;
 use rocket_contrib::json::Json;
 
 use crate::db::models::*;
 use crate::db::DbConn;
 
 use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
-use crate::auth::{decode_invite, Headers};
+use crate::auth::{decode_delete, decode_invite, decode_verify_email, Headers};
+use crate::crypto;
 use crate::mail;
 
 use crate::CONFIG;
@@ -25,6 +27,10 @@ pub fn routes() -> Vec<Route> {
         post_sstamp,
         post_email_token,
         post_email,
+        post_verify_email,
+        post_verify_email_token,
+        post_delete_recover,
+        post_delete_recover_token,
         delete_account,
         post_delete_account,
         revision_date,
@@ -126,6 +132,20 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
         user.public_key = Some(keys.PublicKey);
     }
 
+    if CONFIG.mail_enabled() {
+        if CONFIG.signups_verify() {
+            if let Err(e) = mail::send_welcome_must_verify(&user.email, &user.uuid) {
+                error!("Error sending welcome email: {:#?}", e);
+            }
+
+            user.last_verifying_at = Some(user.created_at);
+        } else {
+            if let Err(e) = mail::send_welcome(&user.email) {
+                error!("Error sending welcome email: {:#?}", e);
+            }
+        }
+    }
+
     user.save(&conn)
 }
 
@@ -341,8 +361,9 @@ struct EmailTokenData {
 #[post("/accounts/email-token", data = "<data>")]
 fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: DbConn) -> EmptyResult {
     let data: EmailTokenData = data.into_inner().data;
+    let mut user = headers.user;
 
-    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+    if !user.check_valid_password(&data.MasterPasswordHash) {
         err!("Invalid password")
     }
 
@@ -350,7 +371,21 @@ fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: Db
         err!("Email already in use");
     }
 
-    Ok(())
+    if !CONFIG.signups_allowed() && !CONFIG.can_signup_user(&data.NewEmail) {
+        err!("Email cannot be changed to this address");
+    }
+
+    let token = crypto::generate_token(6)?;
+
+    if CONFIG.mail_enabled() {
+        if let Err(e) = mail::send_change_email(&data.NewEmail, &token) {
+            error!("Error sending change-email email: {:#?}", e);
+        }
+    }
+
+    user.email_new = Some(data.NewEmail);
+    user.email_new_token = Some(token);
+    user.save(&conn)
 }
 
 #[derive(Deserialize)]
@@ -361,8 +396,7 @@ struct ChangeEmailData {
 
     Key: String,
     NewMasterPasswordHash: String,
-    #[serde(rename = "Token")]
-    _Token: NumberOrString,
+    Token: NumberOrString,
 }
 
 #[post("/accounts/email", data = "<data>")]
@@ -378,7 +412,33 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
         err!("Email already in use");
     }
 
+    match user.email_new {
+        Some(ref val) => {
+            if val != &data.NewEmail {
+                err!("Email change mismatch");
+            }
+        }
+        None => err!("No email change pending"),
+    }
+
+    if CONFIG.mail_enabled() {
+        // Only check the token if we sent out an email...
+        match user.email_new_token {
+            Some(ref val) => {
+                if *val != data.Token.into_string() {
+                    err!("Token mismatch");
+                }
+            }
+            None => err!("No email change pending"),
+        }
+        user.verified_at = Some(Utc::now().naive_utc());
+    } else {
+        user.verified_at = None;
+    }
+
     user.email = data.NewEmail;
+    user.email_new = None;
+    user.email_new_token = None;
 
     user.set_password(&data.NewMasterPasswordHash);
     user.akey = data.Key;
@@ -386,6 +446,108 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
     user.save(&conn)
 }
 
+#[post("/accounts/verify-email")]
+fn post_verify_email(headers: Headers, _conn: DbConn) -> EmptyResult {
+    let user = headers.user;
+
+    if !CONFIG.mail_enabled() {
+        err!("Cannot verify email address");
+    }
+
+    if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
+        error!("Error sending delete account email: {:#?}", e);
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct VerifyEmailTokenData {
+    UserId: String,
+    Token: String,
+}
+
+#[post("/accounts/verify-email-token", data = "<data>")]
+fn post_verify_email_token(data: JsonUpcase<VerifyEmailTokenData>, conn: DbConn) -> EmptyResult {
+    let data: VerifyEmailTokenData = data.into_inner().data;
+
+    let mut user = match User::find_by_uuid(&data.UserId, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    let claims = match decode_verify_email(&data.Token) {
+        Ok(claims) => claims,
+        Err(_) => err!("Invalid claim"),
+    };
+    if claims.sub != user.uuid {
+        err!("Invalid claim");
+    }
+    user.verified_at = Some(Utc::now().naive_utc());
+    user.last_verifying_at = None;
+    user.login_verify_count = 0;
+    if let Err(e) = user.save(&conn) {
+        error!("Error saving email verification: {:#?}", e);
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DeleteRecoverData {
+    Email: String,
+}
+
+#[post("/accounts/delete-recover", data = "<data>")]
+fn post_delete_recover(data: JsonUpcase<DeleteRecoverData>, conn: DbConn) -> EmptyResult {
+    let data: DeleteRecoverData = data.into_inner().data;
+
+    let user = User::find_by_mail(&data.Email, &conn);
+
+    if CONFIG.mail_enabled() {
+        if let Some(user) = user {
+            if let Err(e) = mail::send_delete_account(&user.email, &user.uuid) {
+                error!("Error sending delete account email: {:#?}", e);
+            }
+        }
+        Ok(())
+    } else {
+        // We don't support sending emails, but we shouldn't allow anybody
+        // to delete accounts without at least logging in... And if the user
+        // cannot remember their password then they will need to contact
+        // the administrator to delete it...
+        err!("Please contact the administrator to delete your account");
+    }
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DeleteRecoverTokenData {
+    UserId: String,
+    Token: String,
+}
+
+#[post("/accounts/delete-recover-token", data = "<data>")]
+fn post_delete_recover_token(data: JsonUpcase<DeleteRecoverTokenData>, conn: DbConn) -> EmptyResult {
+    let data: DeleteRecoverTokenData = data.into_inner().data;
+
+    let user = match User::find_by_uuid(&data.UserId, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    let claims = match decode_delete(&data.Token) {
+        Ok(claims) => claims,
+        Err(_) => err!("Invalid claim"),
+    };
+    if claims.sub != user.uuid {
+        err!("Invalid claim");
+    }
+    user.delete(&conn)
+}
+
 #[post("/accounts/delete", data = "<data>")]
 fn post_delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
     delete_account(data, headers, conn)

src/api/core/ciphers.rs

@@ -79,6 +79,9 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult {
     let collections = Collection::find_by_user_uuid(&headers.user.uuid, &conn);
     let collections_json: Vec<Value> = collections.iter().map(Collection::to_json).collect();
 
+    let policies = OrgPolicy::find_by_user(&headers.user.uuid, &conn);
+    let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect();
+
     let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn);
     let ciphers_json: Vec<Value> = ciphers
         .iter()
@@ -95,6 +98,7 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult {
         "Profile": user_json,
         "Folders": folders_json,
         "Collections": collections_json,
+        "Policies": policies_json,
         "Ciphers": ciphers_json,
         "Domains": domains_json,
         "Object": "sync"
@@ -599,10 +603,14 @@ fn share_cipher_by_uuid(
         None => err!("Cipher doesn't exist"),
     };
 
-    match data.Cipher.OrganizationId.clone() {
-        None => err!("Organization id not provided"),
-        Some(organization_uuid) => {
     let mut shared_to_collection = false;
+
+    match data.Cipher.OrganizationId.clone() {
+        // If we don't get an organization ID, we don't do anything
+        // No error because this is used when using the Clone functionality
+        None => {},
+        Some(organization_uuid) => {
+
             for uuid in &data.CollectionIds {
                 match Collection::find_by_uuid_and_org(uuid, &organization_uuid, &conn) {
                     None => err!("Invalid collection ID provided"),
@@ -616,6 +624,9 @@ fn share_cipher_by_uuid(
                     }
                 }
             }
+        }
+    };
+
     update_cipher_from_data(
         &mut cipher,
         data.Cipher,
@@ -627,8 +638,6 @@ fn share_cipher_by_uuid(
     )?;
 
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
-        }
-    }
 }
 
 #[post("/ciphers/<uuid>/attachment", format = "multipart/form-data", data = "<data>")]
@@ -642,20 +651,49 @@ fn post_attachment(
 ) -> JsonResult {
     let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
         Some(cipher) => cipher,
-        None => err!("Cipher doesn't exist"),
+        None => err_discard!("Cipher doesn't exist", data),
     };
 
     if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
-        err!("Cipher is not write accessible")
+        err_discard!("Cipher is not write accessible", data)
     }
 
     let mut params = content_type.params();
     let boundary_pair = params.next().expect("No boundary provided");
     let boundary = boundary_pair.1;
 
+    let size_limit = if let Some(ref user_uuid) = cipher.user_uuid {
+        match CONFIG.user_attachment_limit() {
+            Some(0) => err_discard!("Attachments are disabled", data),
+            Some(limit) => {
+                let left = limit - Attachment::size_by_user(user_uuid, &conn);
+                if left <= 0 {
+                    err_discard!("Attachment size limit reached! Delete some files to open space", data)
+                }
+                Some(left as u64)
+            }
+            None => None,
+        }
+    } else if let Some(ref org_uuid) = cipher.organization_uuid {
+        match CONFIG.org_attachment_limit() {
+            Some(0) => err_discard!("Attachments are disabled", data),
+            Some(limit) => {
+                let left = limit - Attachment::size_by_org(org_uuid, &conn);
+                if left <= 0 {
+                    err_discard!("Attachment size limit reached! Delete some files to open space", data)
+                }
+                Some(left as u64)
+            }
+            None => None,
+        }
+    } else {
+        err_discard!("Cipher is neither owned by a user nor an organization", data);
+    };
+
     let base_path = Path::new(&CONFIG.attachments_folder()).join(&cipher.uuid);
 
     let mut attachment_key = None;
+    let mut error = None;
 
     Multipart::with_body(data.open(), boundary)
         .foreach_entry(|mut field| {
@@ -674,18 +712,21 @@ fn post_attachment(
                     let file_name = HEXLOWER.encode(&crypto::get_random(vec![0; 10]));
                     let path = base_path.join(&file_name);
 
-                    let size = match field.data.save().memory_threshold(0).size_limit(None).with_path(path) {
+                    let size = match field.data.save().memory_threshold(0).size_limit(size_limit).with_path(path.clone()) {
                         SaveResult::Full(SavedData::File(_, size)) => size as i32,
                         SaveResult::Full(other) => {
-                            error!("Attachment is not a file: {:?}", other);
+                            std::fs::remove_file(path).ok();
+                            error = Some(format!("Attachment is not a file: {:?}", other));
                             return;
                         }
                         SaveResult::Partial(_, reason) => {
-                            error!("Partial result: {:?}", reason);
+                            std::fs::remove_file(path).ok();
+                            error = Some(format!("Attachment size limit exceeded with this file: {:?}", reason));
                             return;
                         }
                         SaveResult::Error(e) => {
-                            error!("Error: {:?}", e);
+                            std::fs::remove_file(path).ok();
+                            error = Some(format!("Error: {:?}", e));
                             return;
                         }
                     };
@@ -699,6 +740,10 @@ fn post_attachment(
         })
         .expect("Error processing multipart data");
 
+    if let Some(ref e) = error {
+        err!(e);
+    }
+
     nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
 
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))

src/api/core/mod.rs

@@ -146,14 +146,13 @@ fn hibp_breach(username: String) -> JsonResult {
         username
     );
 
-    use reqwest::{header::USER_AGENT, Client};
+    use reqwest::{header::USER_AGENT, blocking::Client};
 
     if let Some(api_key) = crate::CONFIG.hibp_api_key() {
-        let hibp_client = Client::builder()
-            .use_sys_proxy()
-            .build()?;
+        let hibp_client = Client::builder().build()?;
 
-        let res = hibp_client.get(&url)
+        let res = hibp_client
+            .get(&url)
             .header(USER_AGENT, user_agent)
             .header("hibp-api-key", api_key)
             .send()?;
@@ -173,7 +172,7 @@ fn hibp_breach(username: String) -> JsonResult {
             "BreachDate": "2019-08-18T00:00:00Z",
             "AddedDate": "2019-08-18T00:00:00Z",
             "Description": format!("Go to: <a href=\"https://haveibeenpwned.com/account/{account}\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/account/{account}</a> for a manual check.<br/><br/>HaveIBeenPwned API key not set!<br/>Go to <a href=\"https://haveibeenpwned.com/API/Key\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/API/Key</a> to purchase an API key from HaveIBeenPwned.<br/><br/>", account=username),
-            "LogoPath": "/bwrs_static/hibp.png",
+            "LogoPath": "bwrs_static/hibp.png",
             "PwnCount": 0,
             "DataClasses": [
                 "Error - No API key set!"

src/api/core/organizations.rs

@@ -2,6 +2,7 @@ use rocket::request::Form;
 use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value;
+use num_traits::FromPrimitive;
 
 use crate::api::{
     EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData, UpdateType,
@@ -45,6 +46,10 @@ pub fn routes() -> Vec<Route> {
         delete_user,
         post_delete_user,
         post_org_import,
+        list_policies,
+        list_policies_token,
+        get_policy,
+        put_policy,
     ]
 }
 
@@ -830,22 +835,13 @@ struct RelationsData {
 fn post_org_import(
     query: Form<OrgIdData>,
     data: JsonUpcase<ImportData>,
-    headers: Headers,
+    headers: AdminHeaders,
     conn: DbConn,
     nt: Notify,
 ) -> EmptyResult {
     let data: ImportData = data.into_inner().data;
     let org_id = query.into_inner().organization_id;
 
-    let org_user = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
-        Some(user) => user,
-        None => err!("User is not part of the organization"),
-    };
-
-    if org_user.atype < UserOrgType::Admin {
-        err!("Only admins or owners can import into an organization")
-    }
-
     // Read and create the collections
     let collections: Vec<_> = data
         .Collections
@@ -866,6 +862,8 @@ fn post_org_import(
         relations.push((relation.Key, relation.Value));
     }
 
+    let headers: Headers = headers.into();
+
     // Read and create the ciphers
     let ciphers: Vec<_> = data
         .Ciphers
@@ -901,3 +899,83 @@ fn post_org_import(
     let mut user = headers.user;
     user.update_revision(&conn)
 }
+
+#[get("/organizations/<org_id>/policies")]
+fn list_policies(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let policies = OrgPolicy::find_by_org(&org_id, &conn);
+    let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect();
+
+    Ok(Json(json!({
+        "Data": policies_json,
+        "Object": "list",
+        "ContinuationToken": null
+    })))
+}
+
+#[get("/organizations/<org_id>/policies/token?<token>")]
+fn list_policies_token(org_id: String, token: String, conn: DbConn) -> JsonResult {
+    let invite = crate::auth::decode_invite(&token)?;
+
+    let invite_org_id = match invite.org_id {
+        Some(invite_org_id) => invite_org_id,
+        None => err!("Invalid token"),
+    };
+
+    if invite_org_id != org_id {
+        err!("Token doesn't match request organization");
+    }
+    
+    // TODO: We receive the invite token as ?token=<>, validate it contains the org id
+    let policies = OrgPolicy::find_by_org(&org_id, &conn);
+    let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect();
+
+    Ok(Json(json!({
+        "Data": policies_json,
+        "Object": "list",
+        "ContinuationToken": null
+    })))
+}
+
+#[get("/organizations/<org_id>/policies/<pol_type>")]
+fn get_policy(org_id: String, pol_type: i32, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let pol_type_enum = match OrgPolicyType::from_i32(pol_type) {
+        Some(pt) => pt,
+        None => err!("Invalid policy type"),
+    };
+
+    let policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) {
+        Some(p) => p,
+        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),
+    };
+
+    Ok(Json(policy.to_json()))
+}
+
+#[derive(Deserialize)]
+struct PolicyData {
+    enabled: bool,
+    #[serde(rename = "type")]
+    _type: i32,
+    data: Value,
+}
+
+#[put("/organizations/<org_id>/policies/<pol_type>", data = "<data>")]
+fn put_policy(org_id: String, pol_type: i32, data: Json<PolicyData>, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let data: PolicyData = data.into_inner();
+
+    let pol_type_enum = match OrgPolicyType::from_i32(pol_type) {
+        Some(pt) => pt,
+        None => err!("Invalid policy type"),
+    };
+
+    let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) {
+        Some(p) => p,
+        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),
+    };
+
+    policy.enabled = data.enabled;
+    policy.data = serde_json::to_string(&data.data)?;
+    policy.save(&conn)?;
+
+    Ok(Json(policy.to_json()))
+}

src/api/core/two_factor/authenticator.rs

@@ -103,7 +103,6 @@ pub fn validate_totp_code_str(user_uuid: &str, totp_code: &str, secret: &str, co
 
 pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, conn: &DbConn) -> EmptyResult {
     use oath::{totp_raw_custom_time, HashType};
-    use std::time::{UNIX_EPOCH, SystemTime};
 
     let decoded_secret = match BASE32.decode(secret.as_bytes()) {
         Ok(s) => s,
@@ -116,24 +115,23 @@ pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, conn: &
     };
 
     // Get the current system time in UNIX Epoch (UTC)
-    let current_time: u64 = SystemTime::now().duration_since(UNIX_EPOCH)
-        .expect("Earlier than 1970-01-01 00:00:00 UTC").as_secs();
+    let current_time = chrono::Utc::now();
+    let current_timestamp = current_time.timestamp();
 
     // The amount of steps back and forward in time
     // Also check if we need to disable time drifted TOTP codes.
     // If that is the case, we set the steps to 0 so only the current TOTP is valid.
-    let steps = if CONFIG.authenticator_disable_time_drift() { 0 } else { 1 };
+    let steps: i64 = if CONFIG.authenticator_disable_time_drift() { 0 } else { 1 };
 
     for step in -steps..=steps {
-        let time_step = (current_time / 30) as i32 + step;
+        let time_step = current_timestamp / 30i64 + step;
         // We need to calculate the time offsite and cast it as an i128.
         // Else we can't do math with it on a default u64 variable.
-        let time_offset: i128 = (step * 30).into();
-        let generated = totp_raw_custom_time(&decoded_secret, 6, 0, 30, (current_time as i128 + time_offset) as u64, &HashType::SHA1);
+        let time = (current_timestamp + step * 30i64) as u64;
+        let generated = totp_raw_custom_time(&decoded_secret, 6, 0, 30, time, &HashType::SHA1);
 
         // Check the the given code equals the generated and if the time_step is larger then the one last used.
-        if generated == totp_code && time_step > twofactor.last_used {
-
+        if generated == totp_code && time_step > twofactor.last_used as i64 {
             // If the step does not equals 0 the time is drifted either server or client side.
             if step != 0 {
                 info!("TOTP Time drift detected. The step offset is {}", step);
@@ -141,15 +139,15 @@ pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, conn: &
 
             // Save the last used time step so only totp time steps higher then this one are allowed.
             // This will also save a newly created twofactor if the code is correct.
-            twofactor.last_used = time_step;
+            twofactor.last_used = time_step as i32;
             twofactor.save(&conn)?;
             return Ok(());
-        } else if generated == totp_code && time_step <= twofactor.last_used {
+        } else if generated == totp_code && time_step <= twofactor.last_used as i64 {
             warn!("This or a TOTP code within {} steps back and forward has already been used!", steps);
-            err!("Invalid TOTP Code!");
+            err!(format!("Invalid TOTP code! Server time: {}", current_time.format("%F %T UTC")));
         }
     }
 
     // Else no valide code received, deny access
-    err!("Invalid TOTP code!");
+    err!(format!("Invalid TOTP code! Server time: {}", current_time.format("%F %T UTC")));
 }

src/api/core/two_factor/duo.rs

@@ -16,11 +16,7 @@ use crate::error::MapResult;
 use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
-    routes![
-        get_duo,
-        activate_duo,
-        activate_duo_put,
-    ]
+    routes![get_duo, activate_duo, activate_duo_put,]
 }
 
 #[derive(Serialize, Deserialize)]
@@ -191,7 +187,7 @@ fn activate_duo_put(data: JsonUpcase<EnableDuoData>, headers: Headers, conn: DbC
 fn duo_api_request(method: &str, path: &str, params: &str, data: &DuoData) -> EmptyResult {
     const AGENT: &str = "bitwarden_rs:Duo/1.0 (Rust)";
 
-    use reqwest::{header::*, Client, Method};
+    use reqwest::{header::*, Method, blocking::Client};
     use std::str::FromStr;
 
     let url = format!("https://{}{}", &data.host, path);

src/api/core/two_factor/email.rs

@@ -18,12 +18,7 @@ use chrono::{Duration, NaiveDateTime, Utc};
 use std::ops::Add;
 
 pub fn routes() -> Vec<Route> {
-    routes![
-        get_email,
-        send_email_login,
-        send_email,
-        email,
-    ]
+    routes![get_email, send_email_login, send_email, email,]
 }
 
 #[derive(Deserialize)]
@@ -66,7 +61,7 @@ pub fn send_token(user_uuid: &str, conn: &DbConn) -> EmptyResult {
     let type_ = TwoFactorType::Email as i32;
     let mut twofactor = TwoFactor::find_by_user_and_type(user_uuid, type_, &conn)?;
 
-    let generated_token = generate_token(CONFIG.email_token_size())?;
+    let generated_token = crypto::generate_token(CONFIG.email_token_size())?;
 
     let mut twofactor_data = EmailTokenData::from_json(&twofactor.data)?;
     twofactor_data.set_token(generated_token);
@@ -109,22 +104,6 @@ struct SendEmailData {
     MasterPasswordHash: String,
 }
 
-
-fn generate_token(token_size: u32) -> Result<String, Error> {
-    if token_size > 19 {
-        err!("Generating token failed")
-    }
-
-    // 8 bytes to create an u64 for up to 19 token digits
-    let bytes = crypto::get_random(vec![0; 8]);
-    let mut bytes_array = [0u8; 8];
-    bytes_array.copy_from_slice(&bytes);
-
-    let number = u64::from_be_bytes(bytes_array) % 10u64.pow(token_size);
-    let token = format!("{:0size$}", number, size = token_size as usize);
-    Ok(token)
-}
-
 /// Send a verification email to the specified email address to check whether it exists/belongs to user.
 #[post("/two-factor/send-email", data = "<data>")]
 fn send_email(data: JsonUpcase<SendEmailData>, headers: Headers, conn: DbConn) -> EmptyResult {
@@ -145,7 +124,7 @@ fn send_email(data: JsonUpcase<SendEmailData>, headers: Headers, conn: DbConn) -
         tf.delete(&conn)?;
     }
 
-    let generated_token = generate_token(CONFIG.email_token_size())?;
+    let generated_token = crypto::generate_token(CONFIG.email_token_size())?;
     let twofactor_data = EmailTokenData::new(data.Email, generated_token);
 
     // Uses EmailVerificationChallenge as type to show that it's not verified yet.
@@ -292,10 +271,10 @@ impl EmailTokenData {
 
 /// Takes an email address and obscures it by replacing it with asterisks except two characters.
 pub fn obscure_email(email: &str) -> String {
-    let split: Vec<&str> = email.split('@').collect();
+    let split: Vec<&str> = email.rsplitn(2, '@').collect();
 
-    let mut name = split[0].to_string();
-    let domain = &split[1];
+    let mut name = split[1].to_string();
+    let domain = &split[0];
 
     let name_size = name.chars().count();
 
@@ -337,14 +316,14 @@ mod tests {
 
     #[test]
     fn test_token() {
-        let result = generate_token(19).unwrap();
+        let result = crypto::generate_token(19).unwrap();
 
         assert_eq!(result.chars().count(), 19);
     }
 
     #[test]
     fn test_token_too_large() {
-        let result = generate_token(20);
+        let result = crypto::generate_token(20);
 
         assert!(result.is_err(), "too large token should give an error");
     }

src/api/core/two_factor/u2f.rs

@@ -1,3 +1,4 @@
+use once_cell::sync::Lazy;
 use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json;
@@ -18,10 +19,8 @@ use crate::CONFIG;
 
 const U2F_VERSION: &str = "U2F_V2";
 
-lazy_static! {
-    static ref APP_ID: String = format!("{}/app-id.json", &CONFIG.domain());
-    static ref U2F: U2f = U2f::new(APP_ID.clone());
-}
+static APP_ID: Lazy<String> = Lazy::new(|| format!("{}/app-id.json", &CONFIG.domain()));
+static U2F: Lazy<U2f> = Lazy::new(|| U2f::new(APP_ID.clone()));
 
 pub fn routes() -> Vec<Route> {
     routes![
@@ -29,6 +28,7 @@ pub fn routes() -> Vec<Route> {
         generate_u2f_challenge,
         activate_u2f,
         activate_u2f_put,
+        delete_u2f,
     ]
 }
 
@@ -91,6 +91,7 @@ struct RegistrationDef {
     key_handle: Vec<u8>,
     pub_key: Vec<u8>,
     attestation_cert: Option<Vec<u8>>,
+    device_name: Option<String>,
 }
 
 #[derive(Serialize, Deserialize)]
@@ -194,6 +195,50 @@ fn activate_u2f_put(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbC
     activate_u2f(data, headers, conn)
 }
 
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct DeleteU2FData {
+    Id: NumberOrString,
+    MasterPasswordHash: String,
+}
+
+#[delete("/two-factor/u2f", data = "<data>")]
+fn delete_u2f(data: JsonUpcase<DeleteU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: DeleteU2FData = data.into_inner().data;
+
+    let id = data.Id.into_i32()?;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let type_ = TwoFactorType::U2f as i32;
+    let mut tf = match TwoFactor::find_by_user_and_type(&headers.user.uuid, type_, &conn) {
+        Some(tf) => tf,
+        None => err!("U2F data not found!"),
+    };
+
+    let mut data: Vec<U2FRegistration> = match serde_json::from_str(&tf.data) {
+        Ok(d) => d,
+        Err(_) => err!("Error parsing U2F data"),
+    };
+
+    data.retain(|r| r.id != id);
+
+    let new_data_str = serde_json::to_string(&data)?;
+
+    tf.data = new_data_str;
+    tf.save(&conn)?;
+
+    let keys_json: Vec<Value> = data.iter().map(U2FRegistration::to_json).collect();
+
+    Ok(Json(json!({
+        "Enabled": true,
+        "Keys": keys_json,
+        "Object": "twoFactorU2f"
+    })))
+}
+
 fn _create_u2f_challenge(user_uuid: &str, type_: TwoFactorType, conn: &DbConn) -> Challenge {
     let challenge = U2F.generate_challenge().unwrap();
 

src/api/core/two_factor/yubikey.rs

@@ -16,11 +16,7 @@ use crate::error::{Error, MapResult};
 use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
-    routes![
-        generate_yubikey,
-        activate_yubikey,
-        activate_yubikey_put,
-    ]
+    routes![generate_yubikey, activate_yubikey, activate_yubikey_put,]
 }
 
 #[derive(Deserialize, Debug)]

src/api/icons.rs

@@ -1,3 +1,4 @@
+use once_cell::sync::Lazy;
 use std::fs::{create_dir_all, remove_file, symlink_metadata, File};
 use std::io::prelude::*;
 use std::net::ToSocketAddrs;
@@ -7,7 +8,7 @@ use rocket::http::ContentType;
 use rocket::response::Content;
 use rocket::Route;
 
-use reqwest::{header::HeaderMap, Client, Response, Url};
+use reqwest::{Url, header::HeaderMap, blocking::Client, blocking::Response};
 
 use rocket::http::Cookie;
 
@@ -16,6 +17,7 @@ use soup::prelude::*;
 
 use crate::error::Error;
 use crate::CONFIG;
+use crate::util::Cached;
 
 pub fn routes() -> Vec<Route> {
     routes![icon]
@@ -25,16 +27,14 @@ const FALLBACK_ICON: &[u8; 344] = include_bytes!("../static/fallback-icon.png");
 
 const ALLOWED_CHARS: &str = "_-.";
 
-lazy_static! {
+static CLIENT: Lazy<Client> = Lazy::new(|| {
     // Reuse the client between requests
-    static ref CLIENT: Client = Client::builder()
-        .use_sys_proxy()
-        .gzip(true)
+    Client::builder()
         .timeout(Duration::from_secs(CONFIG.icon_download_timeout()))
         .default_headers(_header_map())
         .build()
-        .unwrap();
-}
+        .unwrap()
+});
 
 fn is_valid_domain(domain: &str) -> bool {
     // Don't allow empty or too big domains or path traversal
@@ -53,15 +53,15 @@ fn is_valid_domain(domain: &str) -> bool {
 }
 
 #[get("/<domain>/icon.png")]
-fn icon(domain: String) -> Content<Vec<u8>> {
+fn icon(domain: String) -> Cached<Content<Vec<u8>>> {
     let icon_type = ContentType::new("image", "x-icon");
 
     if !is_valid_domain(&domain) {
         warn!("Invalid domain: {:#?}", domain);
-        return Content(icon_type, FALLBACK_ICON.to_vec());
+        return Cached::long(Content(icon_type, FALLBACK_ICON.to_vec()));
     }
 
-    Content(icon_type, get_icon(&domain))
+    Cached::long(Content(icon_type, get_icon(&domain)))
 }
 
 fn check_icon_domain_is_blacklisted(domain: &str) -> bool {
@@ -213,7 +213,7 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
     let mut cookie_str = String::new();
 
     let resp = get_page(&ssldomain).or_else(|_| get_page(&httpdomain));
-    if let Ok(content) = resp {
+    if let Ok(mut content) = resp {
         // Extract the URL from the respose in case redirects occured (like @ gitlab.com)
         let url = content.url().clone();
 
@@ -233,12 +233,16 @@ fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
         // Add the default favicon.ico to the list with the domain the content responded from.
         iconlist.push(Icon::new(35, url.join("/favicon.ico").unwrap().into_string()));
 
-        let soup = Soup::from_reader(content)?;
+        // 512KB should be more than enough for the HTML, though as we only really need
+        // the HTML header, it could potentially be reduced even further
+        let limited_reader = crate::util::LimitedReader::new(&mut content, 512 * 1024);
+
+        let soup = Soup::from_reader(limited_reader)?;
         // Search for and filter
         let favicons = soup
             .tag("link")
             .attr("rel", Regex::new(r"icon$|apple.*icon")?) // Only use icon rels
-            .attr("href", Regex::new(r"(?i)\w+\.(jpg|jpeg|png|ico)(\?.*)?$")?) // Only allow specific extensions
+            .attr("href", Regex::new(r"(?i)\w+\.(jpg|jpeg|png|ico)(\?.*)?$|^data:image.*base64")?) // Only allow specific extensions
             .find_all();
 
         // Loop through all the found icons and determine it's priority
@@ -373,7 +377,23 @@ fn download_icon(domain: &str) -> Result<Vec<u8>, Error> {
 
     let mut buffer = Vec::new();
 
+    use data_url::DataUrl;
+
     for icon in iconlist.iter().take(5) {
+        if icon.href.starts_with("data:image") {
+            let datauri = DataUrl::process(&icon.href).unwrap();
+            // Check if we are able to decode the data uri
+            match datauri.decode_to_vec() {
+                Ok((body, _fragment)) => {
+                    // Also check if the size is atleast 67 bytes, which seems to be the smallest png i could create
+                    if body.len() >= 67 {
+                        buffer = body;
+                        break;
+                    }
+                }
+                _ => warn!("data uri is invalid"),
+            };
+        } else {
             match get_page_with_cookies(&icon.href, &cookie_str) {
                 Ok(mut res) => {
                     info!("Downloaded icon from {}", icon.href);
@@ -383,6 +403,7 @@ fn download_icon(domain: &str) -> Result<Vec<u8>, Error> {
                 Err(_) => info!("Download failed for {}", icon.href),
             };
         }
+    }
 
     if buffer.is_empty() {
         err!("Empty response")

src/api/identity.rs

@@ -1,3 +1,4 @@
+use chrono::Utc;
 use num_traits::FromPrimitive;
 use rocket::request::{Form, FormItems, FromForm};
 use rocket::Route;
@@ -96,6 +97,34 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult
         )
     }
 
+    if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {
+        let now = Utc::now().naive_utc();
+        if user.last_verifying_at.is_none() || now.signed_duration_since(user.last_verifying_at.unwrap()).num_seconds() > CONFIG.signups_verify_resend_time() as i64 {
+            let resend_limit = CONFIG.signups_verify_resend_limit() as i32;
+            if resend_limit == 0 || user.login_verify_count < resend_limit {
+                // We want to send another email verification if we require signups to verify
+                // their email address, and we haven't sent them a reminder in a while...
+                let mut user = user;
+                user.last_verifying_at = Some(now);
+                user.login_verify_count += 1;
+
+                if let Err(e) = user.save(&conn) {
+                    error!("Error updating user: {:#?}", e);
+                }
+
+                if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
+                    error!("Error auto-sending email verification email: {:#?}", e);
+                }
+            }
+        }
+
+        // We still want the login to fail until they actually verified the email address
+        err!(
+            "Please verify your email before trying again.",
+            format!("IP: {}. Username: {}.", ip.ip, username)
+        )
+    }
+
     let (mut device, new_device) = get_device(&data, &conn, &user);
 
     let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, &conn)?;
@@ -182,7 +211,7 @@ fn twofactor_auth(
 
     let twofactor_code = match data.two_factor_token {
         Some(ref code) => code,
-        None => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
+        None => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?, "2FA token not provided"),
     };
 
     let selected_twofactor = twofactors
@@ -208,7 +237,7 @@ fn twofactor_auth(
                 Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => {
                     remember = 1; // Make sure we also return the token here, otherwise it will only remember the first time
                 }
-                _ => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
+                _ => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?, "2FA Remember token not provided"),
             }
         }
         _ => err!("Invalid two factor provider"),

src/api/notifications.rs

@@ -1,20 +1,31 @@
+use std::sync::atomic::{AtomicBool, Ordering};
+
 use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value as JsonValue;
 
-use crate::api::JsonResult;
+use crate::api::{EmptyResult, JsonResult};
 use crate::auth::Headers;
 use crate::db::DbConn;
 
-use crate::CONFIG;
+use crate::{Error, CONFIG};
 
 pub fn routes() -> Vec<Route> {
     routes![negotiate, websockets_err]
 }
 
+static SHOW_WEBSOCKETS_MSG: AtomicBool = AtomicBool::new(true);
+
 #[get("/hub")]
-fn websockets_err() -> JsonResult {
-    err!("'/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.")
+fn websockets_err() -> EmptyResult {
+    if CONFIG.websocket_enabled() && SHOW_WEBSOCKETS_MSG.compare_and_swap(true, false, Ordering::Relaxed) {
+        err!("###########################################################
+    '/notifications/hub' should be proxied to the websocket server or notifications won't work.
+    Go to the Wiki for more info, or disable WebSockets setting WEBSOCKET_ENABLED=false.
+    ###########################################################################################")
+    } else {
+        Err(Error::empty())
+    }
 }
 
 #[post("/hub/negotiate")]
@@ -43,10 +54,11 @@ fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult {
 //
 // Websockets server
 //
+use std::io;
 use std::sync::Arc;
 use std::thread;
 
-use ws::{self, util::Token, Factory, Handler, Handshake, Message, Sender, WebSocket};
+use ws::{self, util::Token, Factory, Handler, Handshake, Message, Sender};
 
 use chashmap::CHashMap;
 use chrono::NaiveDateTime;
@@ -124,20 +136,51 @@ struct InitialMessage {
 const PING_MS: u64 = 15_000;
 const PING: Token = Token(1);
 
+const ID_KEY: &str = "id=";
+const ACCESS_TOKEN_KEY: &str = "access_token=";
+
+impl WSHandler {
+    fn err(&self, msg: &'static str) -> ws::Result<()> {
+        self.out.close(ws::CloseCode::Invalid)?;
+
+        // We need to specifically return an IO error so ws closes the connection
+        let io_error = io::Error::from(io::ErrorKind::InvalidData);
+        Err(ws::Error::new(ws::ErrorKind::Io(io_error), msg))
+    }
+}
+
 impl Handler for WSHandler {
     fn on_open(&mut self, hs: Handshake) -> ws::Result<()> {
-        // TODO: Improve this split
+        // Path == "/notifications/hub?id=<id>==&access_token=<access_token>"
         let path = hs.request.resource();
-        let mut query_split: Vec<_> = path.split('?').nth(1).unwrap().split('&').collect();
-        query_split.sort();
-        let access_token = &query_split[0][13..];
-        let _id = &query_split[1][3..];
+
+        let (_id, access_token) = match path.split('?').nth(1) {
+            Some(params) => {
+                let mut params_iter = params.split('&').take(2);
+
+                let mut id = None;
+                let mut access_token = None;
+                while let Some(val) = params_iter.next() {
+                    if val.starts_with(ID_KEY) {
+                        id = Some(&val[ID_KEY.len()..]);
+                    } else if val.starts_with(ACCESS_TOKEN_KEY) {
+                        access_token = Some(&val[ACCESS_TOKEN_KEY.len()..]);
+                    }
+                }
+
+                match (id, access_token) {
+                    (Some(a), Some(b)) => (a, b),
+                    _ => return self.err("Missing id or access token"),
+                }
+            }
+            None => return self.err("Missing query path"),
+        };
 
         // Validate the user
         use crate::auth;
         let claims = match auth::decode_login(access_token) {
             Ok(claims) => claims,
-            Err(_) => return Err(ws::Error::new(ws::ErrorKind::Internal, "Invalid access token provided")),
+            Err(_) => return self.err("Invalid access token provided"),
         };
 
         // Assign the user to the handler
@@ -179,10 +222,7 @@ impl Handler for WSHandler {
             // reschedule the timeout
             self.out.timeout(PING_MS, PING)
         } else {
-            Err(ws::Error::new(
-                ws::ErrorKind::Internal,
-                "Invalid timeout token provided",
-            ))
+            Ok(())
         }
     }
 }
@@ -351,7 +391,14 @@ pub fn start_notification_server() -> WebSocketUsers {
 
     if CONFIG.websocket_enabled() {
         thread::spawn(move || {
-            WebSocket::new(factory)
+            let mut settings = ws::Settings::default();
+            settings.max_connections = 500;
+            settings.queue_size = 2;
+            settings.panic_on_internal = false;
+
+            ws::Builder::new()
+                .with_settings(settings)
+                .build(factory)
                 .unwrap()
                 .listen((CONFIG.websocket_address().as_str(), CONFIG.websocket_port()))
                 .unwrap();

src/api/web.rs

@@ -7,11 +7,13 @@ use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value;
 
-use crate::util::Cached;
 use crate::error::Error;
+use crate::util::Cached;
 use crate::CONFIG;
 
 pub fn routes() -> Vec<Route> {
+    // If addding more routes here, consider also adding them to
+    // crate::utils::LOGGED_ROUTES to make sure they appear in the log
     if CONFIG.web_vault_enabled() {
         routes![web_index, app_id, web_files, attachments, alive, static_files]
     } else {
@@ -21,9 +23,7 @@ pub fn routes() -> Vec<Route> {
 
 #[get("/")]
 fn web_index() -> Cached<Option<NamedFile>> {
-    Cached::short(NamedFile::open(
-        Path::new(&CONFIG.web_vault_folder()).join("index.html"),
-    ).ok())
+    Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join("index.html")).ok())
 }
 
 #[get("/app-id.json")]
@@ -37,7 +37,17 @@ fn app_id() -> Cached<Content<Json<Value>>> {
             {
             "version": { "major": 1, "minor": 0 },
             "ids": [
-                &CONFIG.domain(),
+                // Per <https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application>:
+                //
+                // "In the Web case, the FacetID MUST be the Web Origin [RFC6454]
+                // of the web page triggering the FIDO operation, written as
+                // a URI with an empty path. Default ports are omitted and any
+                // path component is ignored."
+                //
+                // This leaves it unclear as to whether the path must be empty,
+                // or whether it can be non-empty and will be ignored. To be on
+                // the safe side, use a proper web origin (with empty path).
+                &CONFIG.domain_origin(),
                 "ios:bundle-id:com.8bit.bitwarden",
                 "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
             }]
@@ -75,6 +85,6 @@ fn static_files(filename: String) -> Result<Content<&'static [u8]>, Error> {
         "bootstrap-native-v4.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/bootstrap-native-v4.js"))),
         "md5.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/md5.js"))),
         "identicon.js" => Ok(Content(ContentType::JavaScript, include_bytes!("../static/scripts/identicon.js"))),
-        _ => err!("Image not found"),
+        _ => err!(format!("Static file not found: {}", filename)),
     }
 }

src/auth.rs

@@ -3,8 +3,10 @@
 //
 use crate::util::read_file;
 use chrono::{Duration, Utc};
+use once_cell::sync::Lazy;
+use num_traits::FromPrimitive;
 
-use jsonwebtoken::{self, Algorithm, Header};
+use jsonwebtoken::{self, Algorithm, Header, EncodingKey, DecodingKey};
 use serde::de::DeserializeOwned;
 use serde::ser::Serialize;
 
@@ -13,24 +15,24 @@ use crate::CONFIG;
 
 const JWT_ALGORITHM: Algorithm = Algorithm::RS256;
 
-lazy_static! {
-    pub static ref DEFAULT_VALIDITY: Duration = Duration::hours(2);
-    static ref JWT_HEADER: Header = Header::new(JWT_ALGORITHM);
-    pub static ref JWT_LOGIN_ISSUER: String = format!("{}|login", CONFIG.domain());
-    pub static ref JWT_INVITE_ISSUER: String = format!("{}|invite", CONFIG.domain());
-    pub static ref JWT_ADMIN_ISSUER: String = format!("{}|admin", CONFIG.domain());
-    static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key()) {
+pub static DEFAULT_VALIDITY: Lazy<Duration> = Lazy::new(|| Duration::hours(2));
+static JWT_HEADER: Lazy<Header> = Lazy::new(|| Header::new(JWT_ALGORITHM));
+pub static JWT_LOGIN_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|login", CONFIG.domain_origin()));
+static JWT_INVITE_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|invite", CONFIG.domain_origin()));
+static JWT_DELETE_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|delete", CONFIG.domain_origin()));
+static JWT_VERIFYEMAIL_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|verifyemail", CONFIG.domain_origin()));
+static JWT_ADMIN_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|admin", CONFIG.domain_origin()));
+static PRIVATE_RSA_KEY: Lazy<Vec<u8>> = Lazy::new(|| match read_file(&CONFIG.private_rsa_key()) {
     Ok(key) => key,
     Err(e) => panic!("Error loading private RSA Key.\n Error: {}", e),
-    };
-    static ref PUBLIC_RSA_KEY: Vec<u8> = match read_file(&CONFIG.public_rsa_key()) {
+});
+static PUBLIC_RSA_KEY: Lazy<Vec<u8>> = Lazy::new(|| match read_file(&CONFIG.public_rsa_key()) {
     Ok(key) => key,
     Err(e) => panic!("Error loading public RSA Key.\n Error: {}", e),
-    };
-}
+});
 
 pub fn encode_jwt<T: Serialize>(claims: &T) -> String {
-    match jsonwebtoken::encode(&JWT_HEADER, claims, &PRIVATE_RSA_KEY) {
+    match jsonwebtoken::encode(&JWT_HEADER, claims, &EncodingKey::from_rsa_der(&PRIVATE_RSA_KEY)) {
         Ok(token) => token,
         Err(e) => panic!("Error encoding jwt {}", e),
     }
@@ -49,7 +51,7 @@ fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T, Err
 
     let token = token.replace(char::is_whitespace, "");
 
-    jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation)
+    jsonwebtoken::decode(&token, &DecodingKey::from_rsa_der(&PUBLIC_RSA_KEY), &validation)
         .map(|d| d.claims)
         .map_res("Error decoding JWT")
 }
@@ -62,6 +64,14 @@ pub fn decode_invite(token: &str) -> Result<InviteJWTClaims, Error> {
     decode_jwt(token, JWT_INVITE_ISSUER.to_string())
 }
 
+pub fn decode_delete(token: &str) -> Result<DeleteJWTClaims, Error> {
+    decode_jwt(token, JWT_DELETE_ISSUER.to_string())
+}
+
+pub fn decode_verify_email(token: &str) -> Result<VerifyEmailJWTClaims, Error> {
+    decode_jwt(token, JWT_VERIFYEMAIL_ISSUER.to_string())
+}
+
 pub fn decode_admin(token: &str) -> Result<AdminJWTClaims, Error> {
     decode_jwt(token, JWT_ADMIN_ISSUER.to_string())
 }
@@ -134,6 +144,50 @@ pub fn generate_invite_claims(
     }
 }
 
+#[derive(Debug, Serialize, Deserialize)]
+pub struct DeleteJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+}
+
+pub fn generate_delete_claims(uuid: String) -> DeleteJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    DeleteJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::days(5)).timestamp(),
+        iss: JWT_DELETE_ISSUER.to_string(),
+        sub: uuid,
+    }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct VerifyEmailJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+}
+
+pub fn generate_verify_email_claims(uuid: String) -> DeleteJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    DeleteJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::days(5)).timestamp(),
+        iss: JWT_VERIFYEMAIL_ISSUER.to_string(),
+        sub: uuid,
+    }
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct AdminJWTClaims {
     // Not before
@@ -253,6 +307,25 @@ pub struct OrgHeaders {
     pub org_user_type: UserOrgType,
 }
 
+// org_id is usually the second param ("/organizations/<org_id>")
+// But there are cases where it is located in a query value.
+// First check the param, if this is not a valid uuid, we will try the query value.
+fn get_org_id(request: &Request) -> Option<String> {
+    if let Some(Ok(org_id)) = request.get_param::<String>(1) {
+        if uuid::Uuid::parse_str(&org_id).is_ok() {
+            return Some(org_id);
+        }
+    }
+
+    if let Some(Ok(org_id)) = request.get_query_value::<String>("organizationId") {
+        if uuid::Uuid::parse_str(&org_id).is_ok() {
+            return Some(org_id);
+        }
+    }
+
+    None
+}
+
 impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
     type Error = &'static str;
 
@@ -261,9 +334,8 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
             Outcome::Forward(_) => Outcome::Forward(()),
             Outcome::Failure(f) => Outcome::Failure(f),
             Outcome::Success(headers) => {
-                // org_id is expected to be the second param ("/organizations/<org_id>")
-                match request.get_param::<String>(1) {
-                    Some(Ok(org_id)) => {
+                match get_org_id(request) {
+                    Some(org_id) => {
                         let conn = match request.guard::<DbConn>() {
                             Outcome::Success(conn) => conn,
                             _ => err_handler!("Error getting DB"),
@@ -294,7 +366,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
                                 }
                             },
                         })
-                    }
+                    },
                     _ => err_handler!("Error getting the organization id"),
                 }
             }
@@ -332,6 +404,16 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminHeaders {
     }
 }
 
+impl Into<Headers> for AdminHeaders {    
+    fn into(self) -> Headers { 
+        Headers {
+            host: self.host,
+            device: self.device,
+            user: self.user
+        }
+     }
+}
+
 pub struct OwnerHeaders {
     pub host: String,
     pub device: Device,
@@ -372,12 +454,25 @@ pub struct ClientIp {
 impl<'a, 'r> FromRequest<'a, 'r> for ClientIp {
     type Error = ();
 
-    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
-        let ip = match request.client_ip() {
-            Some(addr) => addr,
-            None => "0.0.0.0".parse().unwrap(),
+    fn from_request(req: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
+        let ip = if CONFIG._ip_header_enabled() {
+            req.headers().get_one(&CONFIG.ip_header()).and_then(|ip| {
+                match ip.find(',') {
+                    Some(idx) => &ip[..idx],
+                    None => ip,
+                }
+                .parse()
+                .map_err(|_| warn!("'{}' header is malformed: {}", CONFIG.ip_header(), ip))
+                .ok()
+            })
+        } else {
+            None
         };
 
+        let ip = ip
+            .or_else(|| req.remote().map(|r| r.ip()))
+            .unwrap_or_else(|| "0.0.0.0".parse().unwrap());
+
         Outcome::Success(ClientIp { ip })
     }
 }

src/config.rs

@@ -1,19 +1,23 @@
+use once_cell::sync::Lazy;
 use std::process::exit;
 use std::sync::RwLock;
 
-use crate::error::Error;
-use crate::util::get_env;
+use reqwest::Url;
 
-lazy_static! {
-    pub static ref CONFIG: Config = Config::load().unwrap_or_else(|e| {
-        println!("Error loading config:\n\t{:?}\n", e);
-        exit(12)
-    });
-    pub static ref CONFIG_FILE: String = {
+use crate::error::Error;
+use crate::util::{get_env, get_env_bool};
+
+static CONFIG_FILE: Lazy<String> = Lazy::new(|| {
     let data_folder = get_env("DATA_FOLDER").unwrap_or_else(|| String::from("data"));
     get_env("CONFIG_FILE").unwrap_or_else(|| format!("{}/config.json", data_folder))
-    };
-}
+});
+
+pub static CONFIG: Lazy<Config> = Lazy::new(|| {
+    Config::load().unwrap_or_else(|e| {
+        println!("Error loading config:\n\t{:?}\n", e);
+        exit(12)
+    })
+});
 
 pub type Pass = String;
 
@@ -23,13 +27,13 @@ macro_rules! make_config {
         $group:ident $(: $group_enabled:ident)? {
         $(
             $(#[doc = $doc:literal])+
-            $name:ident : $ty:ty, $editable:literal, $none_action:ident $(, $default:expr)?;
+            $name:ident : $ty:ident, $editable:literal, $none_action:ident $(, $default:expr)?;
         )+},
     )+) => {
         pub struct Config { inner: RwLock<Inner> }
 
         struct Inner {
-            templates: Handlebars,
+            templates: Handlebars<'static>,
             config: ConfigItems,
 
             _env: ConfigBuilder,
@@ -50,7 +54,7 @@ macro_rules! make_config {
 
                 let mut builder = ConfigBuilder::default();
                 $($(
-                    builder.$name = get_env(&stringify!($name).to_uppercase());
+                    builder.$name = make_config! { @getenv &stringify!($name).to_uppercase(), $ty };
                 )+)+
 
                 builder
@@ -185,19 +189,28 @@ macro_rules! make_config {
             }
         }
     }};
+    ( @build $value:expr, $config:expr, gen, $default_fn:expr ) => {{
+        let f: &dyn Fn(&ConfigItems) -> _ = &$default_fn;
+        f($config)
+    }};
+
+    ( @getenv $name:expr, bool ) => { get_env_bool($name) };
+    ( @getenv $name:expr, $ty:ident ) => { get_env($name) };
+
 }
 
 //STRUCTURE:
 // /// Short description (without this they won't appear on the list)
 // group {
 //   /// Friendly Name |> Description (Optional)
-//   name: type, is_editable, none_action, <default_value (Optional)>
+//   name: type, is_editable, action, <default_value (Optional)>
 // }
 //
-// Where none_action applied when the value wasn't provided and can be:
+// Where action applied when the value wasn't provided and can be:
 //  def:    Use a default value
 //  auto:   Value is auto generated based on other values
 //  option: Value is optional
+//  gen:    Value is always autogenerated and it's original value ignored
 make_config! {
     folders {
         ///  Data folder |> Main data folder
@@ -231,18 +244,33 @@ make_config! {
         domain:                 String, true,   def,    "http://localhost".to_string();
         /// Domain Set |> Indicates if the domain is set by the admin. Otherwise the default will be used.
         domain_set:             bool,   false,  def,    false;
+        /// Domain origin |> Domain URL origin (in https://example.com:8443/path, https://example.com:8443 is the origin)
+        domain_origin:          String, false,  auto,   |c| extract_url_origin(&c.domain);
+        /// Domain path |> Domain URL path (in https://example.com:8443/path, /path is the path)
+        domain_path:            String, false,  auto,   |c| extract_url_path(&c.domain);
         /// Enable web vault
         web_vault_enabled:      bool,   false,  def,    true;
 
         /// HIBP Api Key |> HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
         hibp_api_key:           Pass,   true,   option;
 
+        /// Per-user attachment limit (KB) |> Limit in kilobytes for a users attachments, once the limit is exceeded it won't be possible to upload more
+        user_attachment_limit:  i64,    true,   option;
+        /// Per-organization attachment limit (KB) |> Limit in kilobytes for an organization attachments, once the limit is exceeded it won't be possible to upload more
+        org_attachment_limit:   i64,    true,   option;
+
         /// Disable icon downloads |> Set to true to disable icon downloading, this would still serve icons from
         /// $ICON_CACHE_FOLDER, but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
         /// otherwise it will delete them and they won't be downloaded again.
         disable_icon_download:  bool,   true,   def,    false;
         /// Allow new signups |> Controls if new users can register. Note that while this is disabled, users could still be invited
         signups_allowed:        bool,   true,   def,    true;
+        /// Require email verification on signups. This will prevent logins from succeeding until the address has been verified
+        signups_verify:         bool,   true,   def,    false;
+        /// If signups require email verification, automatically re-send verification email if it hasn't been sent for a while (in seconds)
+        signups_verify_resend_time: u64, true,  def,    3_600;
+        /// If signups require email verification, limit how many emails are automatically sent when login is attempted (0 means no limit)
+        signups_verify_resend_limit: u32, true, def,    6;
         /// Allow signups only from this list of comma-separated domains
         signups_domains_whitelist: String, true, def,   "".to_string();
         /// Allow invitations |> Controls whether users can be invited by organization admins, even when signups are disabled
@@ -256,10 +284,18 @@ make_config! {
 
         /// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session
         admin_token:            Pass,   true,   option;
+
+        /// Invitation organization name |> Name shown in the invitation emails that don't come from a specific organization
+        invitation_org_name:    String, true,   def,    "Bitwarden_RS".to_string();
     },
 
     /// Advanced settings
     advanced {
+        /// Client IP header |> If not present, the remote IP is used.
+        /// Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+        ip_header:              String, true,   def,    "X-Real-IP".to_string();
+        /// Internal IP header property, used to avoid recomputing each time
+        _ip_header_enabled:     bool,   false,  gen,    |c| &c.ip_header.trim().to_lowercase() != "none";
         /// Positive icon cache expiry |> Number of seconds to consider that an already cached icon is fresh. After this period, the icon will be redownloaded
         icon_cache_ttl:         u64,    true,   def,    2_592_000;
         /// Negative icon cache expiry |> Number of seconds before trying to download an icon that failed again.
@@ -288,9 +324,6 @@ make_config! {
         /// Reload templates (Dev) |> When this is set to true, the templates get reloaded with every request.
         /// ONLY use this during development, as it can slow down the server
         reload_templates:       bool,   true,   def,    false;
-
-        /// Log routes at launch (Dev)
-        log_mounts:             bool,   true,   def,    false;
         /// Enable extended logging
         extended_logging:       bool,   false,  def,    true;
         /// Enable the log to output to Syslog
@@ -306,6 +339,9 @@ make_config! {
 
         /// Bypass admin page security (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
         disable_admin_token:    bool,   true,   def,    false;
+
+        /// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
+        allowed_iframe_ancestors: String, true, def,    String::new();
     },
 
     /// Yubikey settings
@@ -375,7 +411,6 @@ make_config! {
 
 fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
     let db_url = cfg.database_url.to_lowercase();
-    
     if cfg!(feature = "sqlite") && (db_url.starts_with("mysql:") || db_url.starts_with("postgresql:")) {
         err!("`DATABASE_URL` is meant for MySQL or Postgres, while this server is meant for SQLite")
     }
@@ -388,8 +423,13 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         err!("`DATABASE_URL` should start with postgresql: when using the PostgreSQL server")
     }
 
+    let dom = cfg.domain.to_lowercase();
+    if !dom.starts_with("http://") && !dom.starts_with("https://") {
+        err!("DOMAIN variable needs to contain the protocol (http, https). Use 'http[s]://bw.example.com' instead of 'bw.example.com'"); 
+    }
+
     if let Some(ref token) = cfg.admin_token {
-        if token.trim().is_empty() {
+        if token.trim().is_empty() && !cfg.disable_admin_token {
             err!("`ADMIN_TOKEN` is enabled but has an empty value. To enable the admin page without token, use `DISABLE_ADMIN_TOKEN`")
         }
     }
@@ -430,6 +470,29 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
     Ok(())
 }
 
+/// Extracts an RFC 6454 web origin from a URL.
+fn extract_url_origin(url: &str) -> String {
+    match Url::parse(url) {
+        Ok(u) => u.origin().ascii_serialization(),
+        Err(e) => {
+            println!("Error validating domain: {}", e);
+            String::new()
+        }
+    }
+}
+
+/// Extracts the path from a URL.
+/// All trailing '/' chars are trimmed, even if the path is a lone '/'.
+fn extract_url_path(url: &str) -> String {
+    match Url::parse(url) {
+        Ok(u) => u.path().trim_end_matches('/').to_string(),
+        Err(_) => {
+            // We already print it in the method above, no need to do it again
+            String::new()
+        }
+    }
+}
+
 impl Config {
     pub fn load() -> Result<Self, Error> {
         // Loading from env and file
@@ -444,12 +507,7 @@ impl Config {
         validate_config(&config)?;
 
         Ok(Config {
-            inner: RwLock::new(Inner {
-                templates: load_templates(&config.templates_folder),
-                config,
-                _env,
-                _usr,
-            }),
+            inner: RwLock::new(Inner { templates: load_templates(&config.templates_folder), config, _env, _usr }),
         })
     }
 
@@ -494,13 +552,17 @@ impl Config {
     }
 
     pub fn can_signup_user(&self, email: &str) -> bool {
-        let e: Vec<&str> = email.rsplitn(2, "@").collect();
+        let e: Vec<&str> = email.rsplitn(2, '@').collect();
         if e.len() != 2 || e[0].is_empty() || e[1].is_empty() {
             warn!("Failed to parse email address '{}'", email);
-            return false
+            return false;
         }
 
-        self.signups_domains_whitelist().split(",").any(|d| d == e[0])
+        // Allow signups if the whitelist is empty/not configured
+        // (it doesn't contain any domains), or if it matches at least
+        // one domain.
+        let whitelist_str = self.signups_domains_whitelist();
+        ( whitelist_str.is_empty() && CONFIG.signups_allowed() )|| whitelist_str.split(',').filter(|s| !s.is_empty()).any(|d| d == e[0])
     }
 
     pub fn delete_user_config(&self) -> Result<(), Error> {
@@ -562,7 +624,7 @@ impl Config {
     ) -> Result<String, crate::error::Error> {
         if CONFIG.reload_templates() {
             warn!("RELOADING TEMPLATES");
-            let hb = load_templates(CONFIG.templates_folder().as_ref());
+            let hb = load_templates(CONFIG.templates_folder());
             hb.render(name, data).map_err(Into::into)
         } else {
             let hb = &CONFIG.inner.read().unwrap().templates;
@@ -571,17 +633,18 @@ impl Config {
     }
 }
 
-use handlebars::{
-    Context, Handlebars, Helper, HelperDef, HelperResult, Output, RenderContext, RenderError, Renderable,
-};
+use handlebars::{Context, Handlebars, Helper, HelperResult, Output, RenderContext, RenderError, Renderable};
 
-fn load_templates(path: &str) -> Handlebars {
+fn load_templates<P>(path: P) -> Handlebars<'static>
+where
+    P: AsRef<std::path::Path>,
+{
     let mut hb = Handlebars::new();
     // Error on missing params
     hb.set_strict_mode(true);
     // Register helpers
-    hb.register_helper("case", Box::new(CaseHelper));
-    hb.register_helper("jsesc", Box::new(JsEscapeHelper));
+    hb.register_helper("case", Box::new(case_helper));
+    hb.register_helper("jsesc", Box::new(js_escape_helper));
 
     macro_rules! reg {
         ($name:expr) => {{
@@ -595,6 +658,8 @@ fn load_templates(path: &str) -> Handlebars {
     }
 
     // First register default templates here
+    reg!("email/change_email", ".html");
+    reg!("email/delete_account", ".html");
     reg!("email/invite_accepted", ".html");
     reg!("email/invite_confirmed", ".html");
     reg!("email/new_device_logged_in", ".html");
@@ -602,6 +667,10 @@ fn load_templates(path: &str) -> Handlebars {
     reg!("email/pw_hint_some", ".html");
     reg!("email/send_org_invite", ".html");
     reg!("email/twofactor_email", ".html");
+    reg!("email/verify_email", ".html");
+    reg!("email/welcome", ".html");
+    reg!("email/welcome_must_verify", ".html");
+    reg!("email/smtp_test", ".html");
 
     reg!("admin/base");
     reg!("admin/login");
@@ -615,17 +684,13 @@ fn load_templates(path: &str) -> Handlebars {
     hb
 }
 
-pub struct CaseHelper;
-
-impl HelperDef for CaseHelper {
-    fn call<'reg: 'rc, 'rc>(
-        &self,
+fn case_helper<'reg, 'rc>(
     h: &Helper<'reg, 'rc>,
     r: &'reg Handlebars,
-        ctx: &Context,
-        rc: &mut RenderContext<'reg>,
+    ctx: &'rc Context,
+    rc: &mut RenderContext<'reg, 'rc>,
     out: &mut dyn Output,
-    ) -> HelperResult {
+) -> HelperResult {
     let param = h
         .param(0)
         .ok_or_else(|| RenderError::new("Param not found for helper \"case\""))?;
@@ -636,20 +701,15 @@ impl HelperDef for CaseHelper {
     } else {
         Ok(())
     }
-    }
 }
 
-pub struct JsEscapeHelper;
-
-impl HelperDef for JsEscapeHelper {
-    fn call<'reg: 'rc, 'rc>(
-        &self,
+fn js_escape_helper<'reg, 'rc>(
     h: &Helper<'reg, 'rc>,
-        _: &'reg Handlebars,
-        _: &Context,
-        _: &mut RenderContext<'reg>,
+    _r: &'reg Handlebars,
+    _ctx: &'rc Context,
+    _rc: &mut RenderContext<'reg, 'rc>,
     out: &mut dyn Output,
-    ) -> HelperResult {
+) -> HelperResult {
     let param = h
         .param(0)
         .ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
@@ -664,5 +724,4 @@ impl HelperDef for JsEscapeHelper {
 
     out.write(&quoted_value)?;
     Ok(())
-    }
 }

src/crypto.rs

@@ -2,10 +2,11 @@
 // PBKDF2 derivation
 //
 
+use crate::error::Error;
 use ring::{digest, hmac, pbkdf2};
 use std::num::NonZeroU32;
 
-static DIGEST_ALG: &digest::Algorithm = &digest::SHA256;
+static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;
 const OUTPUT_LEN: usize = digest::SHA256_OUTPUT_LEN;
 
 pub fn hash_password(secret: &[u8], salt: &[u8], iterations: u32) -> Vec<u8> {
@@ -28,7 +29,7 @@ pub fn verify_password_hash(secret: &[u8], salt: &[u8], previous: &[u8], iterati
 pub fn hmac_sign(key: &str, data: &str) -> String {
     use data_encoding::HEXLOWER;
 
-    let key = hmac::SigningKey::new(&digest::SHA1, key.as_bytes());
+    let key = hmac::Key::new(hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY, key.as_bytes());
     let signature = hmac::sign(&key, data.as_bytes());
 
     HEXLOWER.encode(signature.as_ref())
@@ -52,6 +53,21 @@ pub fn get_random(mut array: Vec<u8>) -> Vec<u8> {
     array
 }
 
+pub fn generate_token(token_size: u32) -> Result<String, Error> {
+    if token_size > 19 {
+        err!("Generating token failed")
+    }
+
+    // 8 bytes to create an u64 for up to 19 token digits
+    let bytes = get_random(vec![0; 8]);
+    let mut bytes_array = [0u8; 8];
+    bytes_array.copy_from_slice(&bytes);
+
+    let number = u64::from_be_bytes(bytes_array) % 10u64.pow(token_size);
+    let token = format!("{:0size$}", number, size = token_size as usize);
+    Ok(token)
+}
+
 //
 // Constant time compare
 //

src/db/mod.rs

@@ -76,7 +76,8 @@ impl<'a, 'r> FromRequest<'a, 'r> for DbConn {
     type Error = ();
 
     fn from_request(request: &'a Request<'r>) -> request::Outcome<DbConn, ()> {
-        let pool = request.guard::<State<Pool>>()?;
+        // https://github.com/SergioBenitez/Rocket/commit/e3c1a4ad3ab9b840482ec6de4200d30df43e357c
+        let pool = try_outcome!(request.guard::<State<Pool>>());
         match pool.get() {
             Ok(conn) => Outcome::Success(DbConn(conn)),
             Err(_) => Outcome::Failure((Status::ServiceUnavailable, ())),

src/db/models/attachment.rs

@@ -49,7 +49,7 @@ impl Attachment {
     }
 }
 
-use crate::db::schema::attachments;
+use crate::db::schema::{attachments, ciphers};
 use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
@@ -118,4 +118,26 @@ impl Attachment {
             .load::<Self>(&**conn)
             .expect("Error loading attachments")
     }
+
+    pub fn size_by_user(user_uuid: &str, conn: &DbConn) -> i64 {
+        let result: Option<i64> = attachments::table
+            .left_join(ciphers::table.on(ciphers::uuid.eq(attachments::cipher_uuid)))
+            .filter(ciphers::user_uuid.eq(user_uuid))
+            .select(diesel::dsl::sum(attachments::file_size))
+            .first(&**conn)
+            .expect("Error loading user attachment total size");
+
+        result.unwrap_or(0)
+    }
+
+    pub fn size_by_org(org_uuid: &str, conn: &DbConn) -> i64 {
+        let result: Option<i64> = attachments::table
+            .left_join(ciphers::table.on(ciphers::uuid.eq(attachments::cipher_uuid)))
+            .filter(ciphers::organization_uuid.eq(org_uuid))
+            .select(diesel::dsl::sum(attachments::file_size))
+            .first(&**conn)
+            .expect("Error loading user attachment total size");
+
+        result.unwrap_or(0)
+    }
 }

src/db/models/device.rs

@@ -1,6 +1,7 @@
 use chrono::{NaiveDateTime, Utc};
 
 use super::User;
+use crate::CONFIG;
 
 #[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
 #[table_name = "devices"]
@@ -87,7 +88,7 @@ impl Device {
             premium: true,
             name: user.name.to_string(),
             email: user.email.to_string(),
-            email_verified: true,
+            email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),
 
             orgowner,
             orgadmin,

src/db/models/mod.rs

@@ -7,6 +7,7 @@ mod user;
 mod collection;
 mod organization;
 mod two_factor;
+mod org_policy;
 
 pub use self::attachment::Attachment;
 pub use self::cipher::Cipher;
@@ -17,3 +18,4 @@ pub use self::organization::Organization;
 pub use self::organization::{UserOrgStatus, UserOrgType, UserOrganization};
 pub use self::two_factor::{TwoFactor, TwoFactorType};
 pub use self::user::{Invitation, User};
+pub use self::org_policy::{OrgPolicy, OrgPolicyType};

src/db/models/org_policy.rs

@@ -0,0 +1,142 @@
+use diesel;
+use diesel::prelude::*;
+use serde_json::Value;
+
+use crate::api::EmptyResult;
+use crate::db::schema::org_policies;
+use crate::db::DbConn;
+use crate::error::MapResult;
+
+use super::Organization;
+
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations, AsChangeset)]
+#[table_name = "org_policies"]
+#[belongs_to(Organization, foreign_key = "org_uuid")]
+#[primary_key(uuid)]
+pub struct OrgPolicy {
+    pub uuid: String,
+    pub org_uuid: String,
+    pub atype: i32,
+    pub enabled: bool,
+    pub data: String,
+}
+
+#[allow(dead_code)]
+#[derive(FromPrimitive)]
+pub enum OrgPolicyType {
+    TwoFactorAuthentication = 0,
+    MasterPassword = 1,
+    PasswordGenerator = 2,
+}
+
+/// Local methods
+impl OrgPolicy {
+    pub fn new(org_uuid: String, atype: OrgPolicyType, data: String) -> Self {
+        Self {
+            uuid: crate::util::get_uuid(),
+            org_uuid,
+            atype: atype as i32,
+            enabled: false,
+            data,
+        }
+    }
+
+    pub fn to_json(&self) -> Value {
+        let data_json: Value = serde_json::from_str(&self.data).unwrap_or(Value::Null);
+        json!({
+            "Id": self.uuid,
+            "OrganizationId": self.org_uuid,
+            "Type": self.atype,
+            "Data": data_json,
+            "Enabled": self.enabled,
+            "Object": "policy",
+        })
+    }
+}
+
+/// Database methods
+impl OrgPolicy {
+    #[cfg(feature = "postgresql")]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        // We need to make sure we're not going to violate the unique constraint on org_uuid and atype.
+        // This happens automatically on other DBMS backends due to replace_into(). PostgreSQL does
+        // not support multiple constraints on ON CONFLICT clauses.
+        diesel::delete(
+            org_policies::table
+                .filter(org_policies::org_uuid.eq(&self.org_uuid))
+                .filter(org_policies::atype.eq(&self.atype)),
+        )
+        .execute(&**conn)
+        .map_res("Error deleting org_policy for insert")?;
+
+        diesel::insert_into(org_policies::table)
+            .values(self)
+            .on_conflict(org_policies::uuid)
+            .do_update()
+            .set(self)
+            .execute(&**conn)
+            .map_res("Error saving org_policy")
+    }
+
+    #[cfg(not(feature = "postgresql"))]
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        diesel::replace_into(org_policies::table)
+            .values(&*self)
+            .execute(&**conn)
+            .map_res("Error saving org_policy")
+    }
+
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(org_policies::table.filter(org_policies::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting org_policy")
+    }
+
+    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
+        org_policies::table
+            .filter(org_policies::uuid.eq(uuid))
+            .first::<Self>(&**conn)
+            .ok()
+    }
+
+    pub fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        org_policies::table
+            .filter(org_policies::org_uuid.eq(org_uuid))
+            .load::<Self>(&**conn)
+            .expect("Error loading org_policy")
+    }
+
+    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        use crate::db::schema::users_organizations;
+
+        org_policies::table
+            .left_join(
+                users_organizations::table.on(
+                    users_organizations::org_uuid.eq(org_policies::org_uuid)
+                        .and(users_organizations::user_uuid.eq(user_uuid)))
+            )
+            .select(org_policies::all_columns)
+            .load::<Self>(&**conn)
+            .expect("Error loading org_policy")
+    }
+
+    pub fn find_by_org_and_type(org_uuid: &str, atype: i32, conn: &DbConn) -> Option<Self> {
+        org_policies::table
+            .filter(org_policies::org_uuid.eq(org_uuid))
+            .filter(org_policies::atype.eq(atype))
+            .first::<Self>(&**conn)
+            .ok()
+    }
+
+    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(org_policies::table.filter(org_policies::org_uuid.eq(org_uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting org_policy")
+    }
+
+    /*pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(user_uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting twofactors")
+    }*/
+}

src/db/models/organization.rs

@@ -1,7 +1,8 @@
 use serde_json::Value;
 use std::cmp::Ordering;
+use num_traits::FromPrimitive;
 
-use super::{CollectionUser, User};
+use super::{CollectionUser, User, OrgPolicy};
 
 #[derive(Debug, Identifiable, Queryable, Insertable, AsChangeset)]
 #[table_name = "organizations"]
@@ -33,6 +34,7 @@ pub enum UserOrgStatus {
 }
 
 #[derive(Copy, Clone, PartialEq, Eq)]
+#[derive(FromPrimitive)]
 pub enum UserOrgType {
     Owner = 0,
     Admin = 1,
@@ -135,16 +137,6 @@ impl UserOrgType {
             _ => None,
         }
     }
-
-    pub fn from_i32(i: i32) -> Option<Self> {
-        match i {
-            0 => Some(UserOrgType::Owner),
-            1 => Some(UserOrgType::Admin),
-            2 => Some(UserOrgType::User),
-            3 => Some(UserOrgType::Manager),
-            _ => None,
-        }
-    }
 }
 
 /// Local methods
@@ -170,6 +162,7 @@ impl Organization {
             "UseEvents": false,
             "UseGroups": false,
             "UseTotp": true,
+            "UsePolicies": true,
 
             "BusinessName": null,
             "BusinessAddress1":	null,
@@ -250,6 +243,7 @@ impl Organization {
         Cipher::delete_all_by_organization(&self.uuid, &conn)?;
         Collection::delete_all_by_organization(&self.uuid, &conn)?;
         UserOrganization::delete_all_by_organization(&self.uuid, &conn)?;
+        OrgPolicy::delete_all_by_organization(&self.uuid, &conn)?;
 
         diesel::delete(organizations::table.filter(organizations::uuid.eq(self.uuid)))
             .execute(&**conn)
@@ -280,6 +274,7 @@ impl UserOrganization {
             "UseEvents": false,
             "UseGroups": false,
             "UseTotp": true,
+            "UsePolicies": true,
 
             "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side
 

src/db/models/two_factor.rs

@@ -73,6 +73,13 @@ impl TwoFactor {
 impl TwoFactor {
     #[cfg(feature = "postgresql")]
     pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        // We need to make sure we're not going to violate the unique constraint on user_uuid and atype.
+        // This happens automatically on other DBMS backends due to replace_into(). PostgreSQL does
+        // not support multiple constraints on ON CONFLICT clauses.
+        diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(&self.user_uuid)).filter(twofactor::atype.eq(&self.atype)))
+            .execute(&**conn)
+            .map_res("Error deleting twofactor for insert")?;
+
         diesel::insert_into(twofactor::table)
             .values(self)
             .on_conflict(twofactor::uuid)

src/db/models/user.rs

@@ -11,8 +11,13 @@ pub struct User {
     pub uuid: String,
     pub created_at: NaiveDateTime,
     pub updated_at: NaiveDateTime,
+    pub verified_at: Option<NaiveDateTime>,
+    pub last_verifying_at: Option<NaiveDateTime>,
+    pub login_verify_count: i32,
 
     pub email: String,
+    pub email_new: Option<String>,
+    pub email_new_token: Option<String>,
     pub name: String,
 
     pub password_hash: Vec<u8>,
@@ -56,9 +61,14 @@ impl User {
             uuid: crate::util::get_uuid(),
             created_at: now,
             updated_at: now,
+            verified_at: None,
+            last_verifying_at: None,
+            login_verify_count: 0,
             name: email.clone(),
             email,
             akey: String::new(),
+            email_new: None,
+            email_new_token: None,
 
             password_hash: Vec::new(),
             salt: crypto::get_random_64(),
@@ -135,7 +145,7 @@ impl User {
             "Id": self.uuid,
             "Name": self.name,
             "Email": self.email,
-            "EmailVerified": true,
+            "EmailVerified": !CONFIG.mail_enabled() || self.verified_at.is_some(),
             "Premium": true,
             "MasterPasswordHint": self.password_hint,
             "Culture": "en-US",
@@ -309,8 +319,7 @@ impl Invitation {
     }
 
     pub fn take(mail: &str, conn: &DbConn) -> bool {
-        CONFIG.invitations_allowed()
-            && match Self::find_by_mail(mail, &conn) {
+        match Self::find_by_mail(mail, &conn) {
             Some(invitation) => invitation.delete(&conn).is_ok(),
             None => false,
         }

src/db/schemas/mysql/schema.rs

@@ -77,6 +77,16 @@ table! {
     }
 }
 
+table! {
+    org_policies (uuid) {
+        uuid -> Varchar,
+        org_uuid -> Varchar,
+        atype -> Integer,
+        enabled -> Bool,
+        data -> Text,
+    }
+}
+
 table! {
     organizations (uuid) {
         uuid -> Varchar,
@@ -101,7 +111,12 @@ table! {
         uuid -> Varchar,
         created_at -> Datetime,
         updated_at -> Datetime,
+        verified_at -> Nullable<Datetime>,
+        last_verifying_at -> Nullable<Datetime>,
+        login_verify_count -> Integer,
         email -> Varchar,
+        email_new -> Nullable<Varchar>,
+        email_new_token -> Nullable<Varchar>,
         name -> Text,
         password_hash -> Blob,
         salt -> Blob,
@@ -150,6 +165,7 @@ joinable!(devices -> users (user_uuid));
 joinable!(folders -> users (user_uuid));
 joinable!(folders_ciphers -> ciphers (cipher_uuid));
 joinable!(folders_ciphers -> folders (folder_uuid));
+joinable!(org_policies -> organizations (org_uuid));
 joinable!(twofactor -> users (user_uuid));
 joinable!(users_collections -> collections (collection_uuid));
 joinable!(users_collections -> users (user_uuid));
@@ -165,6 +181,7 @@ allow_tables_to_appear_in_same_query!(
     folders,
     folders_ciphers,
     invitations,
+    org_policies,
     organizations,
     twofactor,
     users,

src/db/schemas/postgresql/schema.rs

@@ -77,6 +77,16 @@ table! {
     }
 }
 
+table! {
+    org_policies (uuid) {
+        uuid -> Text,
+        org_uuid -> Text,
+        atype -> Integer,
+        enabled -> Bool,
+        data -> Text,
+    }
+}
+
 table! {
     organizations (uuid) {
         uuid -> Text,
@@ -101,7 +111,12 @@ table! {
         uuid -> Text,
         created_at -> Timestamp,
         updated_at -> Timestamp,
+        verified_at -> Nullable<Timestamp>,
+        last_verifying_at -> Nullable<Timestamp>,
+        login_verify_count -> Integer,
         email -> Text,
+        email_new -> Nullable<Text>,
+        email_new_token -> Nullable<Text>,
         name -> Text,
         password_hash -> Binary,
         salt -> Binary,
@@ -150,6 +165,7 @@ joinable!(devices -> users (user_uuid));
 joinable!(folders -> users (user_uuid));
 joinable!(folders_ciphers -> ciphers (cipher_uuid));
 joinable!(folders_ciphers -> folders (folder_uuid));
+joinable!(org_policies -> organizations (org_uuid));
 joinable!(twofactor -> users (user_uuid));
 joinable!(users_collections -> collections (collection_uuid));
 joinable!(users_collections -> users (user_uuid));
@@ -165,6 +181,7 @@ allow_tables_to_appear_in_same_query!(
     folders,
     folders_ciphers,
     invitations,
+    org_policies,
     organizations,
     twofactor,
     users,

src/db/schemas/sqlite/schema.rs

@@ -77,6 +77,16 @@ table! {
     }
 }
 
+table! {
+    org_policies (uuid) {
+        uuid -> Text,
+        org_uuid -> Text,
+        atype -> Integer,
+        enabled -> Bool,
+        data -> Text,
+    }
+}
+
 table! {
     organizations (uuid) {
         uuid -> Text,
@@ -101,7 +111,12 @@ table! {
         uuid -> Text,
         created_at -> Timestamp,
         updated_at -> Timestamp,
+        verified_at -> Nullable<Timestamp>,
+        last_verifying_at -> Nullable<Timestamp>,
+        login_verify_count -> Integer,
         email -> Text,
+        email_new -> Nullable<Text>,
+        email_new_token -> Nullable<Text>,
         name -> Text,
         password_hash -> Binary,
         salt -> Binary,
@@ -150,6 +165,7 @@ joinable!(devices -> users (user_uuid));
 joinable!(folders -> users (user_uuid));
 joinable!(folders_ciphers -> ciphers (cipher_uuid));
 joinable!(folders_ciphers -> folders (folder_uuid));
+joinable!(org_policies -> organizations (org_uuid));
 joinable!(twofactor -> users (user_uuid));
 joinable!(users_collections -> collections (collection_uuid));
 joinable!(users_collections -> users (user_uuid));
@@ -165,6 +181,7 @@ allow_tables_to_appear_in_same_query!(
     folders,
     folders_ciphers,
     invitations,
+    org_policies,
     organizations,
     twofactor,
     users,

src/error.rs

@@ -46,6 +46,7 @@ use std::option::NoneError as NoneErr;
 use std::time::SystemTimeError as TimeErr;
 use u2f::u2ferror::U2fError as U2fErr;
 use yubico::yubicoerror::YubicoError as YubiErr;
+use lettre::smtp::error::Error as LettreErr;
 
 #[derive(Display, Serialize)]
 pub struct Empty {}
@@ -73,6 +74,7 @@ make_error! {
     ReqError(ReqErr):     _has_source, _api_error,
     RegexError(RegexErr): _has_source, _api_error,
     YubiError(YubiErr):   _has_source, _api_error,
+    LetreErr(LettreErr):  _has_source, _api_error,
 }
 
 // This is implemented by hand because NoneError doesn't implement neither Display nor Error
@@ -86,7 +88,18 @@ impl std::fmt::Debug for Error {
     fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
         match self.source() {
             Some(e) => write!(f, "{}.\n[CAUSE] {:#?}", self.message, e),
-            None => write!(f, "{}. {}", self.message, self.error),
+            None => match self.error {
+                ErrorKind::EmptyError(_) => Ok(()),
+                ErrorKind::SimpleError(ref s) => {
+                    if &self.message == s {
+                        write!(f, "{}", self.message)
+                    } else {
+                        write!(f, "{}. {}", self.message, s)
+                    }
+                }
+                ErrorKind::JsonError(_) => write!(f, "{}", self.message),
+                _ => unreachable!(),
+            },
         }
     }
 }
@@ -170,15 +183,17 @@ use rocket::response::{self, Responder, Response};
 
 impl<'r> Responder<'r> for Error {
     fn respond_to(self, _: &Request) -> response::Result<'r> {
-        let usr_msg = format!("{}", self);
-        error!("{:#?}", self);
+        match self.error {
+            ErrorKind::EmptyError(_) => {} // Don't print the error in this situation
+            _ => error!(target: "error", "{:#?}", self),
+        };
 
         let code = Status::from_code(self.error_code).unwrap_or(Status::BadRequest);
 
         Response::build()
             .status(code)
             .header(ContentType::JSON)
-            .sized_body(Cursor::new(usr_msg))
+            .sized_body(Cursor::new(format!("{}", self)))
             .ok()
     }
 }
@@ -196,21 +211,33 @@ macro_rules! err {
     }};
 }
 
+#[macro_export]
+macro_rules! err_discard {
+    ($msg:expr, $data:expr) => {{
+        std::io::copy(&mut $data.open(), &mut std::io::sink()).ok();
+        return Err(crate::error::Error::new($msg, $msg));
+    }};
+    ($usr_msg:expr, $log_value:expr, $data:expr) => {{
+        std::io::copy(&mut $data.open(), &mut std::io::sink()).ok();
+        return Err(crate::error::Error::new($usr_msg, $log_value));
+    }};
+}
+
 #[macro_export]
 macro_rules! err_json {
-    ($expr:expr) => {{
-        return Err(crate::error::Error::from($expr));
+    ($expr:expr, $log_value:expr) => {{
+        return Err(($log_value, $expr).into());
     }};
 }
 
 #[macro_export]
 macro_rules! err_handler {
     ($expr:expr) => {{
-        error!("Unauthorized Error: {}", $expr);
+        error!(target: "auth", "Unauthorized Error: {}", $expr);
         return rocket::Outcome::Failure((rocket::http::Status::Unauthorized, $expr));
     }};
     ($usr_msg:expr, $log_value:expr) => {{
-        error!("Unauthorized Error: {}. {}", $usr_msg, $log_value);
+        error!(target: "auth", "Unauthorized Error: {}. {}", $usr_msg, $log_value);
         return rocket::Outcome::Failure((rocket::http::Status::Unauthorized, $usr_msg));
     }};
 }

src/mail.rs

@@ -1,14 +1,16 @@
 use lettre::smtp::authentication::Credentials;
 use lettre::smtp::authentication::Mechanism as SmtpAuthMechanism;
 use lettre::smtp::ConnectionReuseParameters;
-use lettre::{ClientSecurity, ClientTlsParameters, SmtpClient, SmtpTransport, Transport};
-use lettre_email::{EmailBuilder, MimeMultipartType, PartBuilder};
+use lettre::{
+    builder::{EmailBuilder, MimeMultipartType, PartBuilder},
+    ClientSecurity, ClientTlsParameters, SmtpClient, SmtpTransport, Transport,
+};
 use native_tls::{Protocol, TlsConnector};
 use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 use quoted_printable::encode_to_str;
 
 use crate::api::EmptyResult;
-use crate::auth::{encode_jwt, generate_invite_claims};
+use crate::auth::{encode_jwt, generate_delete_claims, generate_invite_claims, generate_verify_email_claims};
 use crate::error::Error;
 use crate::CONFIG;
 use chrono::NaiveDateTime;
@@ -42,10 +44,11 @@ fn mailer() -> SmtpTransport {
         _ => smtp_client,
     };
 
-    let smtp_client = match &CONFIG.smtp_auth_mechanism() {
-        Some(auth_mechanism_json) => {
-            let auth_mechanism = serde_json::from_str::<SmtpAuthMechanism>(&auth_mechanism_json);
-            match auth_mechanism {
+    let smtp_client = match CONFIG.smtp_auth_mechanism() {
+        Some(mechanism) => {
+            let correct_mechanism = format!("\"{}\"", crate::util::upcase_first(&mechanism.trim_matches('"')));
+
+            match serde_json::from_str::<SmtpAuthMechanism>(&correct_mechanism) {
                 Ok(auth_mechanism) => smtp_client.authentication_mechanism(auth_mechanism),
                 _ => panic!("Failure to parse mechanism. Is it proper Json? Eg. `\"Plain\"` not `Plain`"),
             }
@@ -95,6 +98,67 @@ pub fn send_password_hint(address: &str, hint: Option<String>) -> EmptyResult {
     send_email(&address, &subject, &body_html, &body_text)
 }
 
+pub fn send_delete_account(address: &str, uuid: &str) -> EmptyResult {
+    let claims = generate_delete_claims(uuid.to_string());
+    let delete_token = encode_jwt(&claims);
+
+    let (subject, body_html, body_text) = get_text(
+        "email/delete_account",
+        json!({
+            "url": CONFIG.domain(),
+            "user_id": uuid,
+            "email": percent_encode(address.as_bytes(), NON_ALPHANUMERIC).to_string(),
+            "token": delete_token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_verify_email(address: &str, uuid: &str) -> EmptyResult {
+    let claims = generate_verify_email_claims(uuid.to_string());
+    let verify_email_token = encode_jwt(&claims);
+
+    let (subject, body_html, body_text) = get_text(
+        "email/verify_email",
+        json!({
+            "url": CONFIG.domain(),
+            "user_id": uuid,
+            "email": percent_encode(address.as_bytes(), NON_ALPHANUMERIC).to_string(),
+            "token": verify_email_token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_welcome(address: &str) -> EmptyResult {
+    let (subject, body_html, body_text) = get_text(
+        "email/welcome",
+        json!({
+            "url": CONFIG.domain(),
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_welcome_must_verify(address: &str, uuid: &str) -> EmptyResult {
+    let claims = generate_verify_email_claims(uuid.to_string());
+    let verify_email_token = encode_jwt(&claims);
+
+    let (subject, body_html, body_text) = get_text(
+        "email/welcome_must_verify",
+        json!({
+            "url": CONFIG.domain(),
+            "user_id": uuid,
+            "token": verify_email_token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
 pub fn send_invite(
     address: &str,
     uuid: &str,
@@ -183,7 +247,42 @@ pub fn send_token(address: &str, token: &str) -> EmptyResult {
     send_email(&address, &subject, &body_html, &body_text)
 }
 
+pub fn send_change_email(address: &str, token: &str) -> EmptyResult {
+    let (subject, body_html, body_text) = get_text(
+        "email/change_email",
+        json!({
+            "url": CONFIG.domain(),
+            "token": token,
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
+pub fn send_test(address: &str) -> EmptyResult {
+    let (subject, body_html, body_text) = get_text(
+        "email/smtp_test",
+        json!({
+            "url": CONFIG.domain(),
+        }),
+    )?;
+
+    send_email(&address, &subject, &body_html, &body_text)
+}
+
 fn send_email(address: &str, subject: &str, body_html: &str, body_text: &str) -> EmptyResult {
+    let address_split: Vec<&str> = address.rsplitn(2, '@').collect();
+    if address_split.len() != 2 {
+        err!("Invalid email address (no @)");
+    }
+
+    let domain_puny = match idna::domain_to_ascii_strict(address_split[0]) {
+        Ok(d) => d,
+        Err(_) => err!("Can't convert email domain to ASCII representation"),
+    };
+
+    let address = format!("{}@{}", address_split[1], domain_puny);
+
     let html = PartBuilder::new()
         .body(encode_to_str(body_html))
         .header(("Content-Type", "text/html; charset=utf-8"))
@@ -211,12 +310,11 @@ fn send_email(address: &str, subject: &str, body_html: &str, body_text: &str) ->
 
     let mut transport = mailer();
 
-    let result = transport
-        .send(email.into())
-        .map_err(|e| Error::new("Error sending email", e.to_string()))
-        .and(Ok(()));
+    let result = transport.send(email);
 
     // Explicitly close the connection, in case of error
     transport.close();
-    result
+    
+    result?;
+    Ok(())
 }

src/main.rs

@@ -1,7 +1,6 @@
 #![feature(proc_macro_hygiene, vec_remove_item, try_trait, ip)]
 #![recursion_limit = "256"]
 
-#[cfg(feature = "openssl")]
 extern crate openssl;
 #[macro_use]
 extern crate rocket;
@@ -16,16 +15,18 @@ extern crate diesel;
 #[macro_use]
 extern crate diesel_migrations;
 #[macro_use]
-extern crate lazy_static;
-#[macro_use]
 extern crate derive_more;
 #[macro_use]
 extern crate num_derive;
 
+extern crate backtrace;
+
 use std::{
+    fs::create_dir_all,
     path::Path,
     process::{exit, Command},
-    fs::create_dir_all,
+    str::FromStr,
+    panic, thread, fmt // For panic logging
 };
 
 #[macro_use]
@@ -41,12 +42,38 @@ mod util;
 pub use config::CONFIG;
 pub use error::{Error, MapResult};
 
+use structopt::StructOpt;
+
+// Used for catching panics and log them to file instead of stderr
+use backtrace::Backtrace;
+struct Shim(Backtrace);
+
+impl fmt::Debug for Shim {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        write!(fmt, "\n{:?}", self.0)
+    }
+}
+
+#[derive(Debug, StructOpt)]
+#[structopt(name = "bitwarden_rs", about = "A Bitwarden API server written in Rust")]
+struct Opt {
+    /// Prints the app version
+    #[structopt(short, long)]
+    version: bool,
+}
+
 fn main() {
+    parse_args();
     launch_info();
 
-    if CONFIG.extended_logging() {
-        init_logging().ok();
-    }
+    use log::LevelFilter as LF;
+    let level = LF::from_str(&CONFIG.log_level()).expect("Valid log level");
+    init_logging(level).ok();
+
+    let extra_debug = match level {
+        LF::Trace | LF::Debug => true,
+        _ => false,
+    };
 
     check_db();
     check_rsa_keys();
@@ -55,7 +82,19 @@ fn main() {
 
     create_icon_cache_folder();
 
-    launch_rocket();
+    launch_rocket(extra_debug);
+}
+
+fn parse_args() {
+    let opt = Opt::from_args();
+    if opt.version {
+        if let Some(version) = option_env!("GIT_VERSION") {
+            println!("bitwarden_rs {}", version);
+        } else {
+            println!("bitwarden_rs (Version info from Git not present)");
+        }
+        exit(0);
+    }
 }
 
 fn launch_info() {
@@ -73,10 +112,23 @@ fn launch_info() {
     println!("\\--------------------------------------------------------------------/\n");
 }
 
-fn init_logging() -> Result<(), fern::InitError> {
-    use std::str::FromStr;
+fn init_logging(level: log::LevelFilter) -> Result<(), fern::InitError> {
     let mut logger = fern::Dispatch::new()
-        .format(|out, message, record| {
+        .level(level)
+        // Hide unknown certificate errors if using self-signed
+        .level_for("rustls::session", log::LevelFilter::Off)
+        // Hide failed to close stream messages
+        .level_for("hyper::server", log::LevelFilter::Warn)
+        // Silence rocket logs
+        .level_for("_", log::LevelFilter::Off)
+        .level_for("launch", log::LevelFilter::Off)
+        .level_for("launch_", log::LevelFilter::Off)
+        .level_for("rocket::rocket", log::LevelFilter::Off)
+        .level_for("rocket::fairing", log::LevelFilter::Off)
+        .chain(std::io::stdout());
+
+    if CONFIG.extended_logging() {
+        logger = logger.format(|out, message, record| {
             out.finish(format_args!(
                 "{}[{}][{}] {}",
                 chrono::Local::now().format("[%Y-%m-%d %H:%M:%S]"),
@@ -84,13 +136,10 @@ fn init_logging() -> Result<(), fern::InitError> {
                 record.level(),
                 message
             ))
-        })
-        .level(log::LevelFilter::from_str(&CONFIG.log_level()).expect("Valid log level"))
-        // Hide unknown certificate errors if using self-signed
-        .level_for("rustls::session", log::LevelFilter::Off)
-        // Hide failed to close stream messages
-        .level_for("hyper::server", log::LevelFilter::Warn)
-        .chain(std::io::stdout());
+        });
+    } else {
+        logger = logger.format(|out, message, _| out.finish(format_args!("{}", message)));
+    }
 
     if let Some(log_file) = CONFIG.log_file() {
         logger = logger.chain(fern::log_file(log_file)?);
@@ -105,6 +154,44 @@ fn init_logging() -> Result<(), fern::InitError> {
 
     logger.apply()?;
 
+    // Catch panics and log them instead of default output to StdErr
+    panic::set_hook(Box::new(|info| {
+        let backtrace = Backtrace::new();
+
+        let thread = thread::current();
+        let thread = thread.name().unwrap_or("unnamed");
+
+        let msg = match info.payload().downcast_ref::<&'static str>() {
+            Some(s) => *s,
+            None => match info.payload().downcast_ref::<String>() {
+                Some(s) => &**s,
+                None => "Box<Any>",
+            },
+        };
+
+        match info.location() {
+            Some(location) => {
+                error!(
+                    target: "panic", "thread '{}' panicked at '{}': {}:{}{:?}",
+                    thread,
+                    msg,
+                    location.file(),
+                    location.line(),
+                    Shim(backtrace)
+                );
+            }
+            None => {
+                error!(
+                    target: "panic",
+                    "thread '{}' panicked at '{}'{:?}",
+                    thread,
+                    msg,
+                    Shim(backtrace)
+                )
+            }
+        }
+    }));
+
     Ok(())
 }
 
@@ -141,7 +228,7 @@ fn check_db() {
         // Turn on WAL in SQLite
         if CONFIG.enable_db_wal() {
             use diesel::RunQueryDsl;
-            let connection = db::get_connection().expect("Can't conect to DB");
+            let connection = db::get_connection().expect("Can't connect to DB");
             diesel::sql_query("PRAGMA journal_mode=wal")
                 .execute(&connection)
                 .expect("Failed to turn on WAL");
@@ -161,7 +248,9 @@ fn check_rsa_keys() {
         info!("JWT keys don't exist, checking if OpenSSL is available...");
 
         Command::new("openssl").arg("version").status().unwrap_or_else(|_| {
-            info!("Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH");
+            info!(
+                "Can't create keys because OpenSSL is not available, make sure it's installed and available on the PATH"
+            );
             exit(1);
         });
 
@@ -209,7 +298,9 @@ fn check_web_vault() {
     let index_path = Path::new(&CONFIG.web_vault_folder()).join("index.html");
 
     if !index_path.exists() {
-        error!("Web vault is not found. To install it, please follow the steps in https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary#install-the-web-vault");
+        error!("Web vault is not found. To install it, please follow the steps in: ");
+        error!("https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary#install-the-web-vault");
+        error!("You can also set the environment variable 'WEB_VAULT_ENABLED=false' to disable it");
         exit(1);
     }
 }
@@ -232,37 +323,40 @@ mod migrations {
         let connection = crate::db::get_connection().expect("Can't connect to DB");
 
         use std::io::stdout;
+
+        // Disable Foreign Key Checks during migration
+        use diesel::RunQueryDsl;
+        #[cfg(feature = "postgres")]
+        diesel::sql_query("SET CONSTRAINTS ALL DEFERRED").execute(&connection).expect("Failed to disable Foreign Key Checks during migrations");
+        #[cfg(feature = "mysql")]
+        diesel::sql_query("SET FOREIGN_KEY_CHECKS = 0").execute(&connection).expect("Failed to disable Foreign Key Checks during migrations");
+        #[cfg(feature = "sqlite")]
+        diesel::sql_query("PRAGMA defer_foreign_keys = ON").execute(&connection).expect("Failed to disable Foreign Key Checks during migrations");
+
         embedded_migrations::run_with_output(&connection, &mut stdout()).expect("Can't run migrations");
     }
 }
 
-fn launch_rocket() {
-    // Create Rocket object, this stores current log level and sets it's own
+fn launch_rocket(extra_debug: bool) {
+    // Create Rocket object, this stores current log level and sets its own
     let rocket = rocket::ignite();
 
-    // If we aren't logging the mounts, we force the logging level down
-    if !CONFIG.log_mounts() {
-        log::set_max_level(log::LevelFilter::Warn);
-    }
-
-    let rocket = rocket
-        .mount("/", api::web_routes())
-        .mount("/api", api::core_routes())
-        .mount("/admin", api::admin_routes())
-        .mount("/identity", api::identity_routes())
-        .mount("/icons", api::icons_routes())
-        .mount("/notifications", api::notifications_routes());
-
-    // Force the level up for the fairings, managed state and lauch
-    if !CONFIG.log_mounts() {
-        log::set_max_level(log::LevelFilter::max());
-    }
+    let basepath = &CONFIG.domain_path();
 
+    // If adding more paths here, consider also adding them to
+    // crate::utils::LOGGED_ROUTES to make sure they appear in the log
     let rocket = rocket
+        .mount(&[basepath, "/"].concat(), api::web_routes())
+        .mount(&[basepath, "/api"].concat(), api::core_routes())
+        .mount(&[basepath, "/admin"].concat(), api::admin_routes())
+        .mount(&[basepath, "/identity"].concat(), api::identity_routes())
+        .mount(&[basepath, "/icons"].concat(), api::icons_routes())
+        .mount(&[basepath, "/notifications"].concat(), api::notifications_routes())
         .manage(db::init_pool())
         .manage(api::start_notification_server())
         .attach(util::AppHeaders())
-        .attach(util::CORS());
+        .attach(util::CORS())
+        .attach(util::BetterLogging(extra_debug));
 
     // Launch and print error if there is one
     // The launch will restore the original logging level

src/static/global_domains.json

@@ -766,5 +766,80 @@
       "askubuntu.com"
     ],
     "Excluded": false
+  },
+  {
+    "Type": 75,
+    "Domains": [
+      "netcup.de",
+      "netcup.eu",
+      "customercontrolpanel.de"
+    ],
+    "Excluded": false
+  },
+  {
+  	"Type": 76,
+  	"Domains": [
+  		"docusign.com",
+  		"docusign.net"
+  	],
+  	"Excluded": false
+  },
+  {
+  	"Type": 77,
+  	"Domains": [
+  		"envato.com",
+  		"themeforest.net",
+  		"codecanyon.net",
+  		"videohive.net",
+  		"audiojungle.net",
+  		"graphicriver.net",
+  		"photodune.net",
+  		"3docean.net"
+  	],
+  	"Excluded": false
+  },
+  {
+  	"Type": 78,
+  	"Domains": [
+  		"x10hosting.com",
+  		"x10premium.com"
+  	],
+  	"Excluded": false
+  },
+  {
+  	"Type": 79,
+  	"Domains": [
+  		"dnsomatic.com",
+  		"opendns.com",
+  		"umbrella.com"
+  	],
+  	"Excluded": false
+  },
+  {
+  	"Type": 80,
+  	"Domains": [
+  		"cagreatamerica.com",
+  		"canadaswonderland.com",
+  		"carowinds.com",
+  		"cedarfair.com",
+  		"cedarpoint.com",
+  		"dorneypark.com",
+  		"kingsdominion.com",
+  		"knotts.com",
+  		"miadventure.com",
+  		"schlitterbahn.com",
+  		"valleyfair.com",
+  		"visitkingsisland.com",
+  		"worldsoffun.com"
+  	],
+  	"Excluded": false
+  },
+  {
+  	"Type": 81,
+  	"Domains": [
+  		"ubnt.com",
+  		"ui.com"
+  	],
+  	"Excluded": false
   }
 ]

src/static/templates/admin/base.hbs

@@ -6,10 +6,10 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <title>Bitwarden_rs Admin Panel</title>
 
-    <link rel="stylesheet" href="/bwrs_static/bootstrap.css" />
-    <script src="/bwrs_static/bootstrap-native-v4.js"></script>
-    <script src="/bwrs_static/md5.js"></script>
-    <script src="/bwrs_static/identicon.js"></script>
+    <link rel="stylesheet" href="{{urlpath}}/bwrs_static/bootstrap.css" />
+    <script src="{{urlpath}}/bwrs_static/bootstrap-native-v4.js"></script>
+    <script src="{{urlpath}}/bwrs_static/md5.js"></script>
+    <script src="{{urlpath}}/bwrs_static/identicon.js"></script>
     <style>
         body {
             padding-top: 70px;
@@ -33,21 +33,32 @@
 </head>
 
 <body class="bg-light">
-    <nav class="navbar navbar-expand-md navbar-dark bg-dark fixed-top shadow">
+    <nav class="navbar navbar-expand-sm navbar-dark bg-dark fixed-top shadow">
         <a class="navbar-brand" href="#">Bitwarden_rs</a>
         <div class="navbar-collapse">
             <ul class="navbar-nav">
                 <li class="nav-item active">
-                    <a class="nav-link" href="/admin">Admin Panel</a>
+                    <a class="nav-link" href="{{urlpath}}/admin">Admin Panel</a>
                 </li>
                 <li class="nav-item">
-                    <a class="nav-link" href="/">Vault</a>
+                    <a class="nav-link" href="{{urlpath}}/">Vault</a>
                 </li>
             </ul>
         </div>
+
+        <ul class="navbar-nav">
             {{#if version}}
-        <div class="navbar-text">Version: {{version}}</div>
+            <li class="nav-item">
+                <span class="navbar-text mr-2">Version: {{version}}</span>
+            </li>
             {{/if}}
+
+            {{#if logged_in}}
+            <li class="nav-item">
+                <a class="nav-link" href="{{urlpath}}/admin/logout">Log Out</a>
+            </li>
+            {{/if}}
+        </ul>
     </nav>
 
     {{> (page_content) }}

src/static/templates/admin/login.hbs

@@ -14,7 +14,7 @@
 
             <form class="form-inline" method="post">
                 <input type="password" class="form-control w-50 mr-2" name="token" placeholder="Enter admin token">
-                <button type="submit" class="btn btn-primary">Save</button>
+                <button type="submit" class="btn btn-primary">Enter</button>
             </form>
         </div>
     </div>

src/static/templates/admin/page.hbs

@@ -19,7 +19,7 @@
                             <span class="d-block">{{Email}}</span>
                         </div>
                         <div class="col">
-                            <strong> Organizations:</strong>
+                            <strong> Organizations: </strong>
                             <span class="d-block">
                                 {{#each Organizations}}
                                 <span class="badge badge-primary" data-orgtype="{{Type}}">{{Name}}</span>
@@ -71,6 +71,7 @@
                 them to avoid confusion. This does not apply to the read-only section, which can only be set through the
                 environment.
             </div>
+
             <form class="form accordion" id="config-form" onsubmit="saveConfig(); return false;">
                 {{#each config}}
                 {{#if groupdoc}}
@@ -110,6 +111,17 @@
                         </div>
                         {{/if}}
                         {{/each}}
+                        {{#case group "smtp"}}
+                            <div class="form-group row pt-3 border-top" title="Send a test email to given email address">
+                                <label for="smtp-test-email" class="col-sm-3 col-form-label">Test SMTP</label>
+                                <div class="col-sm-8 input-group">
+                                    <input class="form-control" id="smtp-test-email" type="email" placeholder="Enter test email">
+                                    <div class="input-group-append">
+                                        <button type="button" class="btn btn-outline-primary" onclick="smtpTest(); return false;">Send test email</button>
+                                    </div>
+                                </div>
+                            </div>
+                        {{/case}}
                     </div>
                 </div>
                 {{/if}}
@@ -191,7 +203,10 @@
 
 <script>
     function reload() { window.location.reload(); }
-    function msg(text) { alert(text); reload(); }
+    function msg(text, reload_page = true) {
+        text && alert(text);
+        reload_page && reload();
+    }
     function identicon(email) {
         const data = new Identicon(md5(email), { size: 48, format: 'svg' });
         return "data:image/svg+xml;base64," + data.toString();
@@ -206,26 +221,37 @@
         }
         return false;
     }
-    function _post(url, successMsg, errMsg, body) {
+    function _post(url, successMsg, errMsg, body, reload_page = true) {
         fetch(url, {
             method: 'POST',
             body: body,
             mode: "same-origin",
             credentials: "same-origin",
             headers: { "Content-Type": "application/json" }
-        }).then(e => {
-            if (e.ok) { return msg(successMsg); }
-            e.json().then(json => {
-                const msg = json ? json.ErrorModel.Message : "Unknown error";
-                msg(errMsg + ": " + msg);
+        }).then( resp => {
+            if (resp.ok) { msg(successMsg, reload_page); return Promise.reject({error: false}); }
+            respStatus = resp.status;
+            respStatusText = resp.statusText;
+            return resp.text();
+        }).then( respText => {
+            try {
+                const respJson = JSON.parse(respText);
+                return respJson ? respJson.ErrorModel.Message : "Unknown error";
+            } catch (e) {
+                return Promise.reject({body:respStatus + ' - ' + respStatusText, error: true});
+            }
+        }).then( apiMsg => {
+            msg(errMsg + "\n" + apiMsg, reload_page);
+        }).catch( e => {
+            if (e.error === false) { return true; }
+            else { msg(errMsg + "\n" + e.body, reload_page); }
         });
-        }).catch(e => { msg(errMsg + ": Unknown error") });
     }
     function deleteUser(id, mail) {
         var input_mail = prompt("To delete user '" + mail + "', please type the email below")
         if (input_mail != null) {
             if (input_mail == mail) {
-                _post("/admin/users/" + id + "/delete",
+                _post("{{urlpath}}/admin/users/" + id + "/delete",
                     "User deleted correctly",
                     "Error deleting user");
             } else {
@@ -235,19 +261,19 @@
         return false;
     }
     function remove2fa(id) {
-        _post("/admin/users/" + id + "/remove-2fa",
+        _post("{{urlpath}}/admin/users/" + id + "/remove-2fa",
             "2FA removed correctly",
             "Error removing 2FA");
         return false;
     }
     function deauthUser(id) {
-        _post("/admin/users/" + id + "/deauth",
+        _post("{{urlpath}}/admin/users/" + id + "/deauth",
             "Sessions deauthorized correctly",
             "Error deauthorizing sessions");
         return false;
     }
     function updateRevisions() {
-        _post("/admin/users/update_revision",
+        _post("{{urlpath}}/admin/users/update_revision",
             "Success, clients will sync next time they connect",
             "Error forcing clients to sync");
         return false;
@@ -256,10 +282,18 @@
         inv = document.getElementById("email-invite");
         data = JSON.stringify({ "email": inv.value });
         inv.value = "";
-        _post("/admin/invite/", "User invited correctly",
+        _post("{{urlpath}}/admin/invite/", "User invited correctly",
             "Error inviting user", data);
         return false;
     }
+    function smtpTest() {
+        test_email = document.getElementById("smtp-test-email");
+        data = JSON.stringify({ "email": test_email.value });
+        _post("{{urlpath}}/admin/test/smtp/",
+            "SMTP Test email sent correctly",
+            "Error sending SMTP test email", data, false);
+        return false;
+    }
     function getFormData() {
         let data = {};
 
@@ -278,7 +312,7 @@
     }
     function saveConfig() {
         data = JSON.stringify(getFormData());
-        _post("/admin/config/", "Config saved correctly",
+        _post("{{urlpath}}/admin/config/", "Config saved correctly",
             "Error saving config", data);
         return false;
     }
@@ -286,7 +320,7 @@
         var input = prompt("This will remove all user configurations, and restore the defaults and the " +
             "values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:");
         if (input === "DELETE") {
-            _post("/admin/config/delete",
+            _post("{{urlpath}}/admin/config/delete",
                 "Config deleted correctly",
                 "Error deleting config");
         } else {
@@ -296,9 +330,9 @@
         return false;
     }
     function backupDatabase() {
-        _post("/admin/config/backup_db",
+        _post("{{urlpath}}/admin/config/backup_db",
             "Backup created successfully",
-            "Error creating backup");
+            "Error creating backup", null, false);
         return false;
     }
     function masterCheck(check_id, inputs_query) {

src/static/templates/email/change_email.hbs

@@ -0,0 +1,6 @@
+Your Email Change
+<!---------------->
+<html>
+<p>To finalize changing your email address enter the following code in web vault: <b>{{token}}</b></p>
+<p>If you did not try to change an email address, you can safely ignore this email.</p>
+</html>

src/static/templates/email/change_email.html.hbs

@@ -0,0 +1,129 @@
+Your Email Change
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          To finalize changing your email address enter the following code in web vault: <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{token}}</b>
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                         If you did not try to change an email address, you can safely ignore this email. 
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/static/templates/email/delete_account.hbs

@@ -0,0 +1,12 @@
+Delete Your Account
+<!---------------->
+<html>
+<p>
+click the link below to delete your account.
+<br>
+<br>
+<a href="{{url}}/#/verify-recover-delete?userId={{user_id}}&token={{token}}&email={{email}}">
+Delete Your Account</a>
+</p>
+<p>If you did not request this email to delete your account, you can safely ignore this email.</p>
+</html>

src/static/templates/email/delete_account.html.hbs

@@ -0,0 +1,137 @@
+Delete Your Account
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          click the link below to delete your account.
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          <a href="{{url}}/#/verify-recover-delete?userId={{user_id}}&token={{token}}&email={{email}}"
+                                             clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                          Delete Your Account
+                                          </a>
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          If you did not request this email to delete your account, you can safely ignore this email.
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/static/templates/email/invite_accepted.hbs

@@ -3,6 +3,6 @@ Invitation accepted
 <html>
 <p>
     Your invitation for <b>{{email}}</b> to join <b>{{org_name}}</b> was accepted.
-    Please <a href="{{url}}">log in</a> to the bitwarden_rs server and confirm them from the organization management page.
+    Please <a href="{{url}}/">log in</a> to the bitwarden_rs server and confirm them from the organization management page.
 </p>
 </html>

src/static/templates/email/invite_accepted.html.hbs

@@ -101,7 +101,7 @@ Invitation accepted
                                     </tr>
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                                        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
-                                          Please <a href="{{url}}">log in</a> to the bitwarden_rs server and confirm them from the organization management page.
+                                          Please <a href="{{url}}/">log in</a> to the bitwarden_rs server and confirm them from the organization management page.
                                        </td>
                                     </tr>
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">

src/static/templates/email/invite_confirmed.hbs

@@ -3,6 +3,6 @@ Invitation to {{org_name}} confirmed
 <html>
 <p>
     Your invitation to join <b>{{org_name}}</b> was confirmed.
-    It will now appear under the Organizations the next time you <a href="{{url}}">log in</a> to the web vault.
+    It will now appear under the Organizations the next time you <a href="{{url}}/">log in</a> to the web vault.
 </p>
 </html>

src/static/templates/email/invite_confirmed.html.hbs

@@ -102,7 +102,7 @@ Invitation to {{org_name}} confirmed
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                                        <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
                                           Any collections and logins being shared with you by this organization will now appear in your Bitwarden vault. <br>
-                                          <a href="{{url}}">Log in</a>
+                                          <a href="{{url}}/">Log in</a>
                                        </td>
                                     </tr>
                                  </table>

src/static/templates/email/new_device_logged_in.hbs

@@ -9,6 +9,6 @@ New Device Logged In From {{device}}
    Device Type: {{device}}
 
    You can deauthorize all devices that have access to your account from the
-    <a href="{{url}}">web vault</a> under Settings > My Account > Deauthorize Sessions.
+    <a href="{{url}}/">web vault</a> under Settings > My Account > Deauthorize Sessions.
 </p>
 </html>

src/static/templates/email/new_device_logged_in.html.hbs

@@ -116,7 +116,7 @@ New Device Logged In From {{device}}
                                     </tr>
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                                        <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
-                                           You can deauthorize all devices that have access to your account from the <a href="{{url}}">web vault</a> under Settings > My Account > Deauthorize Sessions.
+                                           You can deauthorize all devices that have access to your account from the <a href="{{url}}/">web vault</a> under Settings > My Account > Deauthorize Sessions.
                                        </td>
                                     </tr>
                                  </table>

src/static/templates/email/pw_hint_none.hbs

@@ -1,3 +1,7 @@
-Sorry, you have no password hint...
+Your master password hint
 <!---------------->
-Sorry, you have not specified any password hint...
+You (or someone) recently requested your master password hint. Unfortunately, your account does not have a master password hint.
+
+If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+
+If you did not request your master password hint you can safely ignore this email.

src/static/templates/email/pw_hint_none.html.hbs

@@ -99,6 +99,11 @@ Sorry, you have no password hint...
                                           You (or someone) recently requested your master password hint. Unfortunately, your account does not have a master password hint. <br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
                                        </td>
                                     </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
+                                          If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
+                                       </td>
+                                    </tr>
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                                        <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
                                           If you did not request your master password hint you can safely ignore this email.

src/static/templates/email/pw_hint_some.hbs

@@ -3,6 +3,8 @@ Your master password hint
 You (or someone) recently requested your master password hint.
 
 Your hint is: "{{hint}}"
-Log in: <a href="{{url}}">Web Vault</a>
+Log in: <a href="{{url}}/">Web Vault</a>
+
+If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
 
 If you did not request your master password hint you can safely ignore this email.

src/static/templates/email/pw_hint_some.html.hbs

@@ -102,7 +102,12 @@ Your master password hint
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
                                        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
                                           Your hint is: "{{hint}}"<br style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
-                                          Log in: <a href="{{url}}">Web Vault</a>
+                                          Log in: <a href="{{url}}/">Web Vault</a>
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none;" valign="top">
+                                          If you cannot remember your master password, there is no way to recover your data. The only option to gain access to your account again is to <a href="{{url}}/#/recover-delete">delete the account</a> so that you can register again and start over. All data associated with your account will be deleted.
                                        </td>
                                     </tr>
                                     <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">

src/static/templates/email/smtp_test.hbs

@@ -0,0 +1,8 @@
+Bitwarden_rs SMTP Test
+<!---------------->
+<html>
+<p>
+This is a test email to verify the SMTP configuration for <a href="{{url}}">{{url}}</a>.
+</p>
+<p>When you can read this email it is probably configured correctly.</p>
+</html>

src/static/templates/email/smtp_test.html.hbs

@@ -0,0 +1,129 @@
+Bitwarden_rs SMTP Test
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          This is a test email to verify the SMTP configuration for <a href="{{url}}">{{url}}</a>.
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          When you can read this email it is probably configured correctly.
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/static/templates/email/verify_email.hbs

@@ -0,0 +1,12 @@
+Verify Your Email
+<!---------------->
+<html>
+<p>
+Verify this email address for your account by clicking the link below.
+<br>
+<br>
+<a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}">
+Verify Email Address Now</a>
+</p>
+<p>If you did not request to verify your account, you can safely ignore this email.</p>
+</html>

src/static/templates/email/verify_email.html.hbs

@@ -0,0 +1,137 @@
+Verify Your Email
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          Verify this email address for your account by clicking the link below.
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          <a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}"
+                                             clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                          Verify Email Address Now
+                                          </a>
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          If you did not request to verify your account, you can safely ignore this email.
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/static/templates/email/welcome.hbs

@@ -0,0 +1,8 @@
+Welcome
+<!---------------->
+<html>
+<p>
+Thank you for creating an account at <a href="{{url}}/">{{url}}</a>. You may now log in with your new account.
+</p>
+<p>If you did not request to create an account, you can safely ignore this email.</p>
+</html>

src/static/templates/email/welcome.html.hbs

@@ -0,0 +1,129 @@
+Welcome
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          Thank you for creating an account at <a href="{{url}}/">{{url}}</a>. You may now log in with your new account.
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          If you did not request to create an account, you can safely ignore this email.
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/static/templates/email/welcome_must_verify.hbs

@@ -0,0 +1,12 @@
+Welcome
+<!---------------->
+<html>
+<p>
+Thank you for creating an account at <a href="{{url}}/">{{url}}</a>. Before you can login with your new account, you must verify this email address by clicking the link below.
+<br>
+<br>
+<a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}">
+Verify Email Address Now</a>
+</p>
+<p>If you did not request to create an account, you can safely ignore this email.</p>
+</html>

src/static/templates/email/welcome_must_verify.html.hbs

@@ -0,0 +1,137 @@
+Welcome
+<!---------------->
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+   <head>
+      <meta name="viewport" content="width=device-width" />
+      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+      <title>Bitwarden_rs</title>
+   </head>
+   <body style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; height: 100%; line-height: 25px; width: 100% !important;" bgcolor="#f6f6f6">
+      <style type="text/css">
+          body {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         body * {
+         margin: 0;
+         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+         box-sizing: border-box;
+         font-size: 16px;
+         color: #333;
+         line-height: 25px;
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         }
+         img {
+         max-width: 100%;
+         border: none;
+         }
+         body {
+         -webkit-font-smoothing: antialiased;
+         -webkit-text-size-adjust: none;
+         width: 100% !important;
+         height: 100%;
+         line-height: 25px;
+         }
+         body {
+         background-color: #f6f6f6;
+         }
+         @media only screen and (max-width: 600px) {
+         body {
+         padding: 0 !important;
+         }
+         .container {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .container-table {
+         padding: 0 !important;
+         width: 100% !important;
+         }
+         .content {
+         padding: 0 0 10px 0 !important;
+         }
+         .content-wrap {
+         padding: 10px !important;
+         }
+         .invoice {
+         width: 100% !important;
+         }
+         .main {
+         border-right: none !important;
+         border-left: none !important;
+         border-radius: 0 !important;
+         }
+         .logo {
+         padding-top: 10px !important;
+         }
+         .footer {
+         margin-top: 10px !important;
+         }
+         .indented {
+         padding-left: 10px;
+         }
+         }
+      </style>
+      <table class="body-wrap" cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; width: 100%;" bgcolor="#f6f6f6">
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td valign="middle" class="aligncenter middle logo" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; padding: 20px 0 10px;" align="center">
+                <img src="{{url}}/bwrs_static/logo-gray.png" alt="" width="250" height="39" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" />
+            </td>
+         </tr>
+         <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+            <td class="container" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;" valign="top">
+               <table cellpadding="0" cellspacing="0" class="container-table" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both !important; color: #333; display: block !important; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto; max-width: 600px !important; width: 600px;">
+                  <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                     <td class="content" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; display: block; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 0; line-height: 0; margin: 0 auto; max-width: 600px; padding-bottom: 20px;" valign="top">
+                        <table class="main" width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; margin: 0; -webkit-text-size-adjust: none; border: 1px solid #e9e9e9; border-radius: 3px;" bgcolor="white">
+                           <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                              <td class="content-wrap" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 20px; -webkit-text-size-adjust: none;" valign="top">
+                                 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          Thank you for creating an account at <a href="{{url}}/">{{url}}</a>. Before you can login with your new account, you must verify this email address by clicking the link below.
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          <a href="{{url}}/#/verify-email/?userId={{user_id}}&token={{token}}"
+                                             clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                          Verify Email Address Now
+                                          </a>
+                                       </td>
+                                    </tr>
+                                    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                                       <td class="content-block last" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+                                          If you did not request to create an account, you can safely ignore this email.
+                                       </td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                        <table class="footer" cellpadding="0" cellspacing="0" width="100%" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; clear: both; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; width: 100%;">
+                           <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                              <td class="aligncenter social-icons" align="center" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 15px 0 0 0;" valign="top">
+                                 <table cellpadding="0" cellspacing="0" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0 auto;">
+                                    <tr style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0;">
+                                        <td style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; padding: 0 10px;" valign="top"><a href="https://github.com/dani-garcia/bitwarden_rs" target="_blank" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; box-sizing: border-box; color: #999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin: 0; text-decoration: underline;"><img src="{{url}}/bwrs_static/mail-github.png" alt="GitHub" width="30" height="30" style="-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; border: none; box-sizing: border-box; color: #333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 25px; margin: 0; max-width: 100%;" /></a></td>
+                                    </tr>
+                                 </table>
+                              </td>
+                           </tr>
+                        </table>
+                     </td>
+                  </tr>
+               </table>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>

src/util.rs

@@ -2,11 +2,13 @@
 // Web Headers and caching
 //
 use rocket::fairing::{Fairing, Info, Kind};
+use rocket::http::{ContentType, Header, HeaderMap, Method, Status};
 use rocket::response::{self, Responder};
-use rocket::{Request, Response};
-use rocket::http::{Header, HeaderMap, ContentType, Method, Status};
+use rocket::{Data, Request, Response, Rocket};
 use std::io::Cursor;
 
+use crate::CONFIG;
+
 pub struct AppHeaders();
 
 impl Fairing for AppHeaders {
@@ -23,7 +25,7 @@ impl Fairing for AppHeaders {
         res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
         res.set_raw_header("X-Content-Type-Options", "nosniff");
         res.set_raw_header("X-XSS-Protection", "1; mode=block");
-        let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;";
+        let csp = format!("frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* {};", CONFIG.allowed_iframe_ancestors());
         res.set_raw_header("Content-Security-Policy", csp);
 
         // Disable cache unless otherwise specified
@@ -55,7 +57,7 @@ impl Fairing for CORS {
     fn info(&self) -> Info {
         Info {
             name: "CORS",
-            kind: Kind::Response
+            kind: Kind::Response,
         }
     }
 
@@ -69,7 +71,7 @@ impl Fairing for CORS {
 
         if request.method() == Method::Options {
             let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
-            let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
+            let req_allow_method = CORS::get_header(&req_headers, "Access-Control-Request-Method");
 
             response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
             response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
@@ -107,6 +109,83 @@ impl<'r, R: Responder<'r>> Responder<'r> for Cached<R> {
     }
 }
 
+// Log all the routes from the main paths list, and the attachments endpoint
+// Effectively ignores, any static file route, and the alive endpoint
+const LOGGED_ROUTES: [&str; 6] = [
+    "/api",
+    "/admin",
+    "/identity",
+    "/icons",
+    "/notifications/hub/negotiate",
+    "/attachments",
+];
+
+// Boolean is extra debug, when true, we ignore the whitelist above and also print the mounts
+pub struct BetterLogging(pub bool);
+impl Fairing for BetterLogging {
+    fn info(&self) -> Info {
+        Info {
+            name: "Better Logging",
+            kind: Kind::Launch | Kind::Request | Kind::Response,
+        }
+    }
+
+    fn on_launch(&self, rocket: &Rocket) {
+        if self.0 {
+            info!(target: "routes", "Routes loaded:");
+            let mut routes: Vec<_> = rocket.routes().collect();
+            routes.sort_by_key(|r| r.uri.path());
+            for route in routes {
+                if route.rank < 0 {
+                    info!(target: "routes", "{:<6} {}", route.method, route.uri);
+                } else {
+                    info!(target: "routes", "{:<6} {} [{}]", route.method, route.uri, route.rank);
+                }
+            }
+        }
+
+        let config = rocket.config();
+        let scheme = if config.tls_enabled() { "https" } else { "http" };
+        let addr = format!("{}://{}:{}", &scheme, &config.address, &config.port);
+        info!(target: "start", "Rocket has launched from {}", addr);
+    }
+
+    fn on_request(&self, request: &mut Request<'_>, _data: &Data) {
+        let method = request.method();
+        if !self.0 && method == Method::Options {
+            return;
+        }
+        let uri = request.uri();
+        let uri_path = uri.path();
+        // FIXME: trim_start_matches() could result in over-trimming in pathological cases;
+        // strip_prefix() would be a better option once it's stable.
+        let uri_subpath = uri_path.trim_start_matches(&CONFIG.domain_path());
+        if self.0 || LOGGED_ROUTES.iter().any(|r| uri_subpath.starts_with(r)) {
+            match uri.query() {
+                Some(q) => info!(target: "request", "{} {}?{}", method, uri_path, &q[..q.len().min(30)]),
+                None => info!(target: "request", "{} {}", method, uri_path),
+            };
+        }
+    }
+
+    fn on_response(&self, request: &Request, response: &mut Response) {
+        if !self.0 && request.method() == Method::Options {
+            return;
+        }
+        // FIXME: trim_start_matches() could result in over-trimming in pathological cases;
+        // strip_prefix() would be a better option once it's stable.
+        let uri_subpath = request.uri().path().trim_start_matches(&CONFIG.domain_path());
+        if self.0 || LOGGED_ROUTES.iter().any(|r| uri_subpath.starts_with(r)) {
+            let status = response.status();
+            if let Some(ref route) = request.route() {
+                info!(target: "response", "{} => {} {}", route, status.code, status.reason)
+            } else {
+                info!(target: "response", "{} {}", status.code, status.reason)
+            }
+        }
+    }
+}
+
 //
 // File handling
 //
@@ -148,6 +227,33 @@ pub fn delete_file(path: &str) -> IOResult<()> {
     res
 }
 
+pub struct LimitedReader<'a> {
+    reader: &'a mut dyn std::io::Read,
+    limit: usize, // In bytes
+    count: usize,
+}
+impl<'a> LimitedReader<'a> {
+    pub fn new(reader: &'a mut dyn std::io::Read, limit: usize) -> LimitedReader<'a> {
+        LimitedReader {
+            reader,
+            limit,
+            count: 0,
+        }
+    }
+}
+
+impl<'a> std::io::Read for LimitedReader<'a> {
+    fn read(&mut self, buf: &mut [u8]) -> std::io::Result<usize> {
+        self.count += buf.len();
+
+        if self.count > self.limit {
+            Ok(0) // End of the read
+        } else {
+            self.reader.read(buf)
+        }
+    }
+}
+
 const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];
 
 pub fn get_display_size(size: i32) -> String {
@@ -212,6 +318,17 @@ where
     try_parse_string(env::var(key))
 }
 
+const TRUE_VALUES: &[&str] = &["true", "t", "yes", "y", "1"];
+const FALSE_VALUES: &[&str] = &["false", "f", "no", "n", "0"];
+
+pub fn get_env_bool(key: &str) -> Option<bool> {
+    match env::var(key) {
+        Ok(val) if TRUE_VALUES.contains(&val.to_lowercase().as_ref()) => Some(true),
+        Ok(val) if FALSE_VALUES.contains(&val.to_lowercase().as_ref()) => Some(false),
+        _ => None,
+    }
+}
+
 //
 // Date util methods
 //