Update web-vault to 2022.10.0 and dependencies

Merge branch 'stefan0xC-check-data-folder-permissions'
Update CSP for DuckDuckGo email forwarding
2025-09-10 10:45:57 +03:00 · 2022-10-14 18:21:01 +02:00 · 2022-10-14 17:56:48 +02:00 · 2022-10-14 17:56:42 +02:00 · 2022-10-14 17:56:42 +02:00 · 2022-10-14 17:56:42 +02:00
68 changed files with 11975 additions and 11283 deletions
--- a/.env.template
+++ b/.env.template
@@ -43,6 +43,7 @@
 # ICON_CACHE_FOLDER=data/icon_cache
 # ATTACHMENTS_FOLDER=data/attachments
 # SENDS_FOLDER=data/sends
+# TMP_FOLDER=data/tmp

 ## Templates data folder, by default uses embedded templates
 ## Check source code to see the format
@@ -116,12 +117,10 @@
 # LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"

 ## Logging to file
-## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # LOG_FILE=/path/to/log

 ## Logging to Syslog
 ## This requires extended logging
-## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # USE_SYSLOG=false

 ## Log level
@@ -246,6 +245,10 @@
 ## Name shown in the invitation emails that don't come from a specific organization
 # INVITATION_ORG_NAME=Vaultwarden

+## The number of hours after which an organization invite token, emergency access invite token,
+## email verification token and deletion request token will expire (must be at least 1)
+# INVITATION_EXPIRATION_HOURS=120
+
 ## Per-organization attachment storage limit (KB)
 ## Max kilobytes of attachment storage allowed per organization.
 ## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
@@ -271,6 +274,9 @@
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000

+## Controls whether users can set password hints. This setting applies globally to all users.
+# PASSWORD_HINTS_ALLOWED=true
+
 ## Controls whether a password hint should be shown directly in the web page if
 ## SMTP service is not configured. Not recommended for publicly-accessible instances
 ## as this provides unauthenticated access to potentially sensitive data.
@@ -281,7 +287,7 @@
 ## It's recommended to configure this value, otherwise certain functionality might not work,
 ## like attachment downloads, email links and U2F.
 ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
-# DOMAIN=https://bw.domain.tld:8443
+# DOMAIN=https://vw.domain.tld:8443

 ## Allowed iframe ancestors (Know the risks!)
 ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,7 +8,6 @@ on:
      - "migrations/**"
      - "Cargo.*"
      - "build.rs"
-      - "diesel.toml"
      - "rust-toolchain"
  pull_request:
    paths:
@@ -17,11 +16,11 @@ on:
      - "migrations/**"
      - "Cargo.*"
      - "build.rs"
-      - "diesel.toml"
      - "rust-toolchain"

 jobs:
  build:
+    runs-on: ubuntu-20.04
    # Make warnings errors, this is to prevent warnings slipping through.
    # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
    env:
@@ -30,118 +29,172 @@ jobs:
      fail-fast: false
      matrix:
        channel:
-          - stable
-        target-triple:
-          - x86_64-unknown-linux-gnu
+          - "rust-toolchain" # The version defined in rust-toolchain
+          - "msrv" # The supported MSRV
        include:
-          - target-triple: x86_64-unknown-linux-gnu
-            host-triple: x86_64-unknown-linux-gnu
-            features: [sqlite,mysql,postgresql,enable_mimalloc] # Remember to update the `cargo test` to match the amount of features
-            channel: stable
-            os: ubuntu-20.04
-            ext: ""
+          - channel: "msrv"
+            version: "1.60.0"
+
+    name: Build and Test ${{ matrix.channel }}

-    name: Building ${{ matrix.channel }}-${{ matrix.target-triple }}
-    runs-on: ${{ matrix.os }}
    steps:
      # Checkout the repo
-      - name: Checkout
+      - name: "Checkout"
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
      # End Checkout the repo

-
-      # Install musl-tools when needed
-      - name: Install musl tools
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends musl-dev musl-tools cmake
-        if: matrix.target-triple == 'x86_64-unknown-linux-musl'
-      # End Install musl-tools when needed
-
-
      # Install dependencies
-      - name: Install dependencies Ubuntu
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf
-        if: startsWith( matrix.os, 'ubuntu' )
+      - name: "Install dependencies Ubuntu"
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
      # End Install dependencies


-      # Enable Rust Caching
-      - uses: Swatinem/rust-cache@842ef286fff290e445b90b4002cc9807c3669641 # v1.3.0
-      # End Enable Rust Caching
-
-
      # Uses the rust-toolchain file to determine version
-      - name: 'Install ${{ matrix.channel }}-${{ matrix.host-triple }} for target: ${{ matrix.target-triple }}'
+      - name: "Install rust-toolchain version"
        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6
+        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
          profile: minimal
-          target: ${{ matrix.target-triple }}
          components: clippy, rustfmt
      # End Uses the rust-toolchain file to determine version


+      # Install the MSRV channel to be used
+      - name: "Install MSRV version"
+        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6
+        if: ${{ matrix.channel != 'rust-toolchain' }}
+        with:
+          profile: minimal
+          override: true
+          toolchain: ${{ matrix.version }}
+      # End Install the MSRV channel to be used
+
+
+      # Enable Rust Caching
+      - uses: Swatinem/rust-cache@6720f05bc48b77f96918929a9019fb2203ff71f8 # v2.0.0
+      # End Enable Rust Caching
+
+
+      # Show environment
+      - name: "Show environment"
+        run: |
+          rustc -vV
+          cargo -vV
+      # End Show environment
+
+
      # Run cargo tests (In release mode to speed up future builds)
      # First test all features together, afterwards test them separately.
-      - name: "`cargo test --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}`"
+      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
+        id: test_sqlite_mysql_postgresql_mimalloc
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: $${{ always() }}
        with:
          command: test
-          args: --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}
-      # Test single features
-      # 0: sqlite
-      - name: "`cargo test --release --features ${{ matrix.features[0] }} --target ${{ matrix.target-triple }}`"
+          args: --release --features sqlite,mysql,postgresql,enable_mimalloc
+
+      - name: "test features: sqlite,mysql,postgresql"
+        id: test_sqlite_mysql_postgresql
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: $${{ always() }}
        with:
          command: test
-          args: --release --features ${{ matrix.features[0] }} --target ${{ matrix.target-triple }}
-        if: ${{ matrix.features[0] != '' }}
-      # 1: mysql
-      - name: "`cargo test --release --features ${{ matrix.features[1] }} --target ${{ matrix.target-triple }}`"
+          args: --release --features sqlite,mysql,postgresql
+
+      - name: "test features: sqlite"
+        id: test_sqlite
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: $${{ always() }}
        with:
          command: test
-          args: --release --features ${{ matrix.features[1] }} --target ${{ matrix.target-triple }}
-        if: ${{ matrix.features[1] != '' }}
-      # 2: postgresql
-      - name: "`cargo test --release --features ${{ matrix.features[2] }} --target ${{ matrix.target-triple }}`"
+          args: --release --features sqlite
+
+      - name: "test features: mysql"
+        id: test_mysql
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: $${{ always() }}
        with:
          command: test
-          args: --release --features ${{ matrix.features[2] }} --target ${{ matrix.target-triple }}
-        if: ${{ matrix.features[2] != '' }}
+          args: --release --features mysql
+
+      - name: "test features: postgresql"
+        id: test_postgresql
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: $${{ always() }}
+        with:
+          command: test
+          args: --release --features postgresql
      # End Run cargo tests


      # Run cargo clippy, and fail on warnings (In release mode to speed up future builds)
-      - name: "`cargo clippy --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}`"
+      - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
+        id: clippy
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
        with:
          command: clippy
-          args: --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }} -- -D warnings
+          args: --release --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
      # End Run cargo clippy


-      # Run cargo fmt
-      - name: '`cargo fmt`'
+      # Run cargo fmt (Only run on rust-toolchain defined version)
+      - name: "check formatting"
+        id: formatting
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
        with:
          command: fmt
          args: --all -- --check
      # End Run cargo fmt


-      # Build the binary
-      - name: "`cargo build --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}`"
+      # Check for any previous failures, if there are stop, else continue.
+      # This is useful so all test/clippy/fmt actions are done, and they can all be addressed
+      - name: "Some checks failed"
+        if: ${{ failure() }}
+        run: |
+          echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
+          echo "|---|------|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          exit 1
+
+
+      # Check for any previous failures, if there are stop, else continue.
+      # This is useful so all test/clippy/fmt actions are done, and they can all be addressed
+      - name: "All checks passed"
+        if: ${{ success() }}
+        run: |
+          echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+
+      # Build the binary to upload to the artifacts
+      - name: "build features: sqlite,mysql,postgresql"
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
          command: build
-          args: --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}
+          args: --release --features sqlite,mysql,postgresql
      # End Build the binary


      # Upload artifact to Github Actions
-      - name: Upload artifact
+      - name: "Upload artifact"
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
-          name: vaultwarden-${{ matrix.target-triple }}${{ matrix.ext }}
-          path: target/${{ matrix.target-triple }}/release/vaultwarden${{ matrix.ext }}
+          name: vaultwarden
+          path: target/release/vaultwarden
      # End Upload artifact to Github Actions
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -1,13 +1,9 @@
 name: Hadolint

-on:
-  push:
-    paths:
-      - "docker/**"
-
-  pull_request:
-    paths:
-      - "docker/**"
+on: [
+      push,
+      pull_request
+    ]

 jobs:
  hadolint:
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 ---
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.2.0
+    rev: v4.3.0
    hooks:
    - id: check-yaml
    - id: check-json
@@ -26,7 +26,8 @@ repos:
      entry: cargo test
      language: system
      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"]
-      types: [rust]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|.*\.rs$)
      pass_filenames: false
    - id: cargo-clippy
      name: cargo clippy
@@ -34,5 +35,6 @@ repos:
      entry: cargo clippy
      language: system
      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"]
-      types: [rust]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|.*\.rs$)
      pass_filenames: false
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@ name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.60"
+rust-version = "1.60.0"
 resolver = "2"

 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -37,15 +37,15 @@ syslog = "6.0.1" # Needs to be v4 until fern is updated
 # Logging
 log = "0.4.17"
 fern = { version = "0.6.1", features = ["syslog-6"] }
-tracing = { version = "0.1.34", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+tracing = { version = "0.1.37", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work

-backtrace = "0.3.65" # Logging panics to logfile instead stderr only
+backtrace = "0.3.66" # Logging panics to logfile instead stderr only

 # A `dotenv` implementation for Rust
-dotenvy = { version = "0.15.1", default-features = false }
+dotenvy = { version = "0.15.5", default-features = false }

 # Lazy initialization
-once_cell = "1.10.0"
+once_cell = "1.15.0"

 # Numerical libraries
 num-traits = "0.2.15"
@@ -55,17 +55,17 @@ num-derive = "0.3.3"
 rocket = { version = "0.5.0-rc.2", features = ["tls", "json"], default-features = false }

 # WebSockets libraries
-ws = { version = "0.11.1", package = "parity-ws" }
+tokio-tungstenite = "0.17.2"
 rmpv = "1.0.0" # MessagePack library
-chashmap = "2.2.2" # Concurrent hashmap implementation
+dashmap = "5.4.0"

 # Async futures
-futures = "0.3.21"
-tokio = { version = "1.18.2", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time"] }
+futures = "0.3.24"
+tokio = { version = "1.21.2", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time"] }

 # A generic serialization/deserialization framework
-serde = { version = "1.0.137", features = ["derive"] }
-serde_json = "1.0.81"
+serde = { version = "1.0.145", features = ["derive"] }
+serde_json = "1.0.86"

 # A safe, extensible ORM and Query builder
 diesel = { version = "1.4.8", features = ["chrono", "r2d2"] }
@@ -75,28 +75,28 @@ diesel_migrations = "1.4.0"
 libsqlite3-sys = { version = "0.22.2", features = ["bundled"], optional = true }

 # Crypto-related libraries
-rand = "0.8.5"
+rand = { version = "0.8.5", features = ["small_rng"] }
 ring = "0.16.20"

 # UUID generation
-uuid = { version = "1.0.0", features = ["v4"] }
+uuid = { version = "1.2.1", features = ["v4"] }

 # Date and time libraries
-chrono = { version = "0.4.19", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.6.1"
-time = "0.3.9"
+chrono = { version = "0.4.22", features = ["clock", "serde"], default-features = false }
+chrono-tz = "0.6.3"
+time = "0.3.15"

 # Job scheduler
-job_scheduler = "1.2.1"
+job_scheduler_ng = "2.0.2"

 # Data encoding library Hex/Base32/Base64
 data-encoding = "2.3.2"

 # JWT library
-jsonwebtoken = "8.1.0"
+jsonwebtoken = "8.1.1"

 # TOTP library
-totp-lite = "1.0.3"
+totp-lite = "2.0.0"

 # Yubico Library
 yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false }
@@ -105,55 +105,51 @@ yubico = { version = "0.11.0", features = ["online-tokio"], default-features = f
 webauthn-rs = "0.3.2"

 # Handling of URL's for WebAuthn
-url = "2.2.2"
+url = "2.3.1"

-# Email libraries
-idna = "0.2.3" # Punycode conversion
-lettre = { version = "0.10.0-rc.6", features = ["smtp-transport", "builder", "serde", "native-tls", "hostname", "tracing"], default-features = false }
-percent-encoding = "2.1.0" # URL encoding library used for URL's in the emails
+# Email librariese-Base, Update crates and small change.
+lettre = { version = "0.10.1", features = ["smtp-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+percent-encoding = "2.2.0" # URL encoding library used for URL's in the emails

 # Template library
-handlebars = { version = "4.2.2", features = ["dir_source"] }
+handlebars = { version = "4.3.5", features = ["dir_source"] }

 # HTTP client
-reqwest = { version = "0.11.10", features = ["stream", "json", "gzip", "brotli", "socks", "cookies", "trust-dns"] }
+reqwest = { version = "0.11.12", features = ["stream", "json", "gzip", "brotli", "socks", "cookies", "trust-dns"] }

 # For favicon extraction from main website
-html5gum = "0.4.0"
-regex = { version = "1.5.5", features = ["std", "perf", "unicode-perl"], default-features = false }
-data-url = "0.1.1"
-bytes = "1.1.0"
-cached = "0.34.0"
+html5gum = "0.5.2"
+regex = { version = "1.6.0", features = ["std", "perf", "unicode-perl"], default-features = false }
+data-url = "0.2.0"
+bytes = "1.2.1"
+cached = "0.39.0"

 # Used for custom short lived cookie jar during favicon extraction
-cookie = "0.16.0"
-cookie_store = "0.16.0"
+cookie = "0.16.1"
+cookie_store = "0.17.0"

 # Used by U2F, JWT and Postgres
-openssl = "0.10.40"
+openssl = "0.10.42"

 # CLI argument parsing
-pico-args = "0.4.2"
+pico-args = "0.5.0"

 # Macro ident concatenation
-paste = "1.0.7"
-governor = "0.4.2"
+paste = "1.0.9"
+governor = "0.5.0"

 # Capture CTRL+C
-ctrlc = { version = "3.2.2", features = ["termination"] }
+ctrlc = { version = "3.2.3", features = ["termination"] }

 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
-mimalloc = { version = "0.1.29", features = ["secure"], default-features = false, optional = true }
+mimalloc = { version = "0.1.30", features = ["secure"], default-features = false, optional = true }

 [patch.crates-io]
-# The maintainer of the `job_scheduler` crate doesn't seem to have responded
-# to any issues or PRs for almost a year (as of April 2021). This hopefully
-# temporary fork updates Cargo.toml to use more up-to-date dependencies.
-# In particular, `cron` has since implemented parsing of some common syntax
-# that wasn't previously supported (https://github.com/zslayton/cron/pull/64).
-# 2022-05-04: Forked/Updated the job_scheduler again use the latest dependencies and some fixes.
-job_scheduler = { git = 'https://github.com/BlackDex/job_scheduler', rev = '9100fc596a083fd9c0b560f8f11f108e0a19d07e' }
+# Using a patched version of multer-rs (Used by Rocket) to fix attachment/send file uploads
+# Issue: https://github.com/dani-garcia/vaultwarden/issues/2644
+# Patch: https://github.com/BlackDex/multer-rs/commit/477d16b7fa0f361b5c2a5ba18a5b28bec6d26a8a
+multer = { git = "https://github.com/BlackDex/multer-rs", rev = "477d16b7fa0f361b5c2a5ba18a5b28bec6d26a8a" }

 # Strip debuginfo from the release builds
 # Also enable thin LTO for some optimizations
--- a/README.md
+++ b/README.md
@@ -7,12 +7,12 @@
 [![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
 [![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
 [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
-[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/master/LICENSE.txt)
+[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
 [![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)

 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).

-**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**

 #### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.

--- a/docker/Dockerfile.j2
+++ b/docker/Dockerfile.j2
@@ -3,23 +3,23 @@
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.

-{% set build_stage_base_image = "rust:1.61-bullseye" %}
+{% set build_stage_base_image = "rust:1.64-bullseye" %}
 {% if "alpine" in target_file %}
 {%   if "amd64" in target_file %}
-{%     set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-stable-1.61.0" %}
-{%     set runtime_stage_base_image = "alpine:3.15" %}
+{%     set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-stable-1.64.0" %}
+{%     set runtime_stage_base_image = "alpine:3.16" %}
 {%     set package_arch_target = "x86_64-unknown-linux-musl" %}
 {%   elif "armv7" in target_file %}
-{%     set build_stage_base_image = "blackdex/rust-musl:armv7-musleabihf-stable-1.61.0" %}
-{%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.15" %}
+{%     set build_stage_base_image = "blackdex/rust-musl:armv7-musleabihf-stable-1.64.0" %}
+{%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.16" %}
 {%     set package_arch_target = "armv7-unknown-linux-musleabihf" %}
 {%   elif "armv6" in target_file %}
-{%     set build_stage_base_image = "blackdex/rust-musl:arm-musleabi-stable-1.61.0" %}
-{%     set runtime_stage_base_image = "balenalib/rpi-alpine:3.15" %}
+{%     set build_stage_base_image = "blackdex/rust-musl:arm-musleabi-stable-1.64.0" %}
+{%     set runtime_stage_base_image = "balenalib/rpi-alpine:3.16" %}
 {%     set package_arch_target = "arm-unknown-linux-musleabi" %}
 {%   elif "arm64" in target_file %}
-{%     set build_stage_base_image = "blackdex/rust-musl:aarch64-musl-stable-1.61.0" %}
-{%     set runtime_stage_base_image = "balenalib/aarch64-alpine:3.15" %}
+{%     set build_stage_base_image = "blackdex/rust-musl:aarch64-musl-stable-1.64.0" %}
+{%     set runtime_stage_base_image = "balenalib/aarch64-alpine:3.16" %}
 {%     set package_arch_target = "aarch64-unknown-linux-musl" %}
 {%   endif %}
 {% elif "amd64" in target_file %}
@@ -59,8 +59,8 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-{% set vault_version = "2.28.1" %}
-{% set vault_image_digest = "sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5" %}
+{% set vault_version = "v2022.10.0" %}
+{% set vault_image_digest = "sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80" %}
 # The web-vault digest specifies a particular web-vault build on Docker Hub.
 # Using the digest instead of the tag name provides better security,
 # as the digest of an image is immutable, whereas a tag name can later
@@ -70,13 +70,13 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v{{ vault_version }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" vaultwarden/web-vault:v{{ vault_version }}
+#     $ docker pull vaultwarden/web-vault:{{ vault_version }}
+#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" vaultwarden/web-vault:{{ vault_version }}
 #     [vaultwarden/web-vault@{{ vault_image_digest }}]
 #
 # - Conversely, to get the tag name from the digest:
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" vaultwarden/web-vault@{{ vault_image_digest }}
-#     [vaultwarden/web-vault:v{{ vault_version }}]
+#     [vaultwarden/web-vault:{{ vault_version }}]
 #
 FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault

@@ -93,12 +93,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
    CARGO_HOME="/root/.cargo" \
    USER="root"

-{# {% if "alpine" not in target_file and "buildx" in target_file %}
-# Debian based Buildx builds can use some special apt caching to speedup building.
-# By default Debian based images have some rules to keep docker builds clean, we need to remove this.
-# See: https://hub.docker.com/r/docker/dockerfile
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
-{% endif %} #}

 # Create CARGO_HOME folder and don't download rust docs
 RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \
@@ -212,7 +206,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates
 {% else %}
    && apt-get update && apt-get install -y \
@@ -220,13 +213,20 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 {% endif %}

+{% if "armv6" in target_file and "alpine" not in target_file %}
+# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
+# This symlink was there in the buster images, and for some reason this is needed.
+# hadolint ignore=DL3059
+RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
+
+{% endif -%}
+
 {% if "amd64" not in target_file %}
 # hadolint ignore=DL3059
 RUN [ "cross-build-end" ]
@@ -251,10 +251,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/amd64/Dockerfile
+++ b/docker/amd64/Dockerfile
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -101,7 +101,6 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
@@ -123,10 +122,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/amd64/Dockerfile.alpine
+++ b/docker/amd64/Dockerfile.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:x86_64-musl-stable-1.61.0 as build
+FROM blackdex/rust-musl:x86_64-musl-stable-1.64.0 as build



@@ -81,7 +81,7 @@ RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.15
+FROM alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -96,7 +96,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates


@@ -115,10 +114,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/amd64/Dockerfile.buildx
+++ b/docker/amd64/Dockerfile.buildx
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -101,7 +101,6 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
@@ -123,10 +122,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/amd64/Dockerfile.buildx.alpine
+++ b/docker/amd64/Dockerfile.buildx.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:x86_64-musl-stable-1.61.0 as build
+FROM blackdex/rust-musl:x86_64-musl-stable-1.64.0 as build



@@ -81,7 +81,7 @@ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.15
+FROM alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -96,7 +96,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates


@@ -115,10 +114,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/arm64/Dockerfile
+++ b/docker/arm64/Dockerfile
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -123,7 +123,6 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
@@ -147,10 +146,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/arm64/Dockerfile.alpine
+++ b/docker/arm64/Dockerfile.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:aarch64-musl-stable-1.61.0 as build
+FROM blackdex/rust-musl:aarch64-musl-stable-1.64.0 as build



@@ -81,7 +81,7 @@ RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/aarch64-alpine:3.15
+FROM balenalib/aarch64-alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -98,7 +98,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates

 # hadolint ignore=DL3059
@@ -119,10 +118,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/arm64/Dockerfile.buildx
+++ b/docker/arm64/Dockerfile.buildx
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -123,7 +123,6 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
@@ -147,10 +146,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/arm64/Dockerfile.buildx.alpine
+++ b/docker/arm64/Dockerfile.buildx.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:aarch64-musl-stable-1.61.0 as build
+FROM blackdex/rust-musl:aarch64-musl-stable-1.64.0 as build



@@ -81,7 +81,7 @@ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/aarch64-alpine:3.15
+FROM balenalib/aarch64-alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -98,7 +98,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates

 # hadolint ignore=DL3059
@@ -119,10 +118,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv6/Dockerfile
+++ b/docker/armv6/Dockerfile
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -123,12 +123,16 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

+# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
+# This symlink was there in the buster images, and for some reason this is needed.
+# hadolint ignore=DL3059
+RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
+
 # hadolint ignore=DL3059
 RUN [ "cross-build-end" ]

@@ -147,10 +151,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv6/Dockerfile.alpine
+++ b/docker/armv6/Dockerfile.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:arm-musleabi-stable-1.61.0 as build
+FROM blackdex/rust-musl:arm-musleabi-stable-1.64.0 as build



@@ -83,7 +83,7 @@ RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/rpi-alpine:3.15
+FROM balenalib/rpi-alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -100,7 +100,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates

 # hadolint ignore=DL3059
@@ -121,10 +120,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv6/Dockerfile.buildx
+++ b/docker/armv6/Dockerfile.buildx
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -123,12 +123,16 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

+# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
+# This symlink was there in the buster images, and for some reason this is needed.
+# hadolint ignore=DL3059
+RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
+
 # hadolint ignore=DL3059
 RUN [ "cross-build-end" ]

@@ -147,10 +151,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv6/Dockerfile.buildx.alpine
+++ b/docker/armv6/Dockerfile.buildx.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:arm-musleabi-stable-1.61.0 as build
+FROM blackdex/rust-musl:arm-musleabi-stable-1.64.0 as build



@@ -83,7 +83,7 @@ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/rpi-alpine:3.15
+FROM balenalib/rpi-alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -100,7 +100,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates

 # hadolint ignore=DL3059
@@ -121,10 +120,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv7/Dockerfile
+++ b/docker/armv7/Dockerfile
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -123,7 +123,6 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
@@ -147,10 +146,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv7/Dockerfile.alpine
+++ b/docker/armv7/Dockerfile.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:armv7-musleabihf-stable-1.61.0 as build
+FROM blackdex/rust-musl:armv7-musleabihf-stable-1.64.0 as build



@@ -81,7 +81,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabi
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/armv7hf-alpine:3.15
+FROM balenalib/armv7hf-alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -98,7 +98,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates

 # hadolint ignore=DL3059
@@ -119,10 +118,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv7/Dockerfile.buildx
+++ b/docker/armv7/Dockerfile.buildx
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM rust:1.61-bullseye as build
+FROM rust:1.64-bullseye as build



@@ -123,7 +123,6 @@ RUN mkdir /data \
    openssl \
    ca-certificates \
    curl \
-    dumb-init \
    libmariadb-dev-compat \
    libpq5 \
    && apt-get clean \
@@ -147,10 +146,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/armv7/Dockerfile.buildx.alpine
+++ b/docker/armv7/Dockerfile.buildx.alpine
@@ -16,18 +16,18 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.28.1
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1
-#     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5]
+#     $ docker pull vaultwarden/web-vault:v2022.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.10.0
+#     [vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5
-#     [vaultwarden/web-vault:v2.28.1]
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80
+#     [vaultwarden/web-vault:v2022.10.0]
 #
-FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault
+FROM vaultwarden/web-vault@sha256:8e8405d252bb6ecc7d59d90e9ba9dde09f35c1b6858371274c67c3e0a6f14a80 as vault

 ########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:armv7-musleabihf-stable-1.61.0 as build
+FROM blackdex/rust-musl:armv7-musleabihf-stable-1.64.0 as build



@@ -81,7 +81,7 @@ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/armv7hf-alpine:3.15
+FROM balenalib/armv7hf-alpine:3.16

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -98,7 +98,6 @@ RUN mkdir /data \
        openssl \
        tzdata \
        curl \
-        dumb-init \
        ca-certificates

 # hadolint ignore=DL3059
@@ -119,10 +118,4 @@ COPY docker/start.sh /start.sh

 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

-# Configures the startup!
-# We should be able to remove the dumb-init now with Rocket 0.5
-# But the balenalib images have some issues with there entry.sh
-# See: https://github.com/balena-io-library/base-images/issues/735
-# Lets keep using dumb-init for now, since that is working fine.
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]
--- a/docker/healthcheck.sh
+++ b/docker/healthcheck.sh
@@ -2,8 +2,8 @@

 # Use the value of the corresponding env var (if present),
 # or a default value otherwise.
-: ${DATA_FOLDER:="data"}
-: ${ROCKET_PORT:="80"}
+: "${DATA_FOLDER:="data"}"
+: "${ROCKET_PORT:="80"}"

 CONFIG_FILE="${DATA_FOLDER}"/config.json

--- a/docker/start.sh
+++ b/docker/start.sh
@@ -9,15 +9,15 @@ fi

 if [ -d /etc/vaultwarden.d ]; then
    for f in /etc/vaultwarden.d/*.sh; do
-        if [ -r $f ]; then
-            . $f
+        if [ -r "${f}" ]; then
+            . "${f}"
        fi
    done
 elif [ -d /etc/bitwarden_rs.d ]; then
    echo "### You are using the old /etc/bitwarden_rs.d script directory, please migrate to /etc/vaultwarden.d ###"
    for f in /etc/bitwarden_rs.d/*.sh; do
-        if [ -r $f ]; then
-            . $f
+        if [ -r "${f}" ]; then
+            . "${f}"
        fi
    done
 fi
--- a/2
+++ b/2
@@ -1 +1 @@
-stable
+1.64.0
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -7,8 +7,8 @@ use rocket::serde::json::Json;
 use rocket::{
    form::Form,
    http::{Cookie, CookieJar, SameSite, Status},
-    request::{self, FlashMessage, FromRequest, Outcome, Request},
-    response::{content::RawHtml as Html, Flash, Redirect},
+    request::{self, FromRequest, Outcome, Request},
+    response::{content::RawHtml as Html, Redirect},
    Route,
 };

@@ -79,6 +79,7 @@ fn admin_disabled() -> &'static str {

 const COOKIE_NAME: &str = "VW_ADMIN";
 const ADMIN_PATH: &str = "/admin";
+const DT_FMT: &str = "%Y-%m-%d %H:%M:%S %Z";

 const BASE_TEMPLATE: &str = "admin/base";

@@ -140,10 +141,24 @@ fn admin_url(referer: Referer) -> String {
    }
 }

+#[derive(Responder)]
+enum AdminResponse {
+    #[response(status = 200)]
+    Ok(ApiResult<Html<String>>),
+    #[response(status = 401)]
+    Unauthorized(ApiResult<Html<String>>),
+    #[response(status = 429)]
+    TooManyRequests(ApiResult<Html<String>>),
+}
+
 #[get("/", rank = 2)]
-fn admin_login(flash: Option<FlashMessage<'_>>) -> ApiResult<Html<String>> {
+fn admin_login() -> ApiResult<Html<String>> {
+    render_admin_login(None)
+}
+
+fn render_admin_login(msg: Option<&str>) -> ApiResult<Html<String>> {
    // If there is an error, show it
-    let msg = flash.map(|msg| format!("{}: {}", msg.kind(), msg.message()));
+    let msg = msg.map(|msg| format!("Error: {msg}"));
    let json = json!({
        "page_content": "admin/login",
        "version": VERSION,
@@ -162,22 +177,17 @@ struct LoginForm {
 }

 #[post("/", data = "<data>")]
-fn post_admin_login(
-    data: Form<LoginForm>,
-    cookies: &CookieJar<'_>,
-    ip: ClientIp,
-    referer: Referer,
-) -> Result<Redirect, Flash<Redirect>> {
+fn post_admin_login(data: Form<LoginForm>, cookies: &CookieJar<'_>, ip: ClientIp) -> AdminResponse {
    let data = data.into_inner();

    if crate::ratelimit::check_limit_admin(&ip.ip).is_err() {
-        return Err(Flash::error(Redirect::to(admin_url(referer)), "Too many requests, try again later."));
+        return AdminResponse::TooManyRequests(render_admin_login(Some("Too many requests, try again later.")));
    }

    // If the token is invalid, redirect to login page
    if !_validate_token(&data.token) {
        error!("Invalid admin token. IP: {}", ip.ip);
-        Err(Flash::error(Redirect::to(admin_url(referer)), "Invalid admin token, please try again."))
+        AdminResponse::Unauthorized(render_admin_login(Some("Invalid admin token, please try again.")))
    } else {
        // If the token received is valid, generate JWT and save it as a cookie
        let claims = generate_admin_claims();
@@ -191,7 +201,7 @@ fn post_admin_login(
            .finish();

        cookies.add(cookie);
-        Ok(Redirect::to(admin_url(referer)))
+        AdminResponse::Ok(render_admin_page())
    }
 }

@@ -243,12 +253,16 @@ impl AdminTemplateData {
    }
 }

-#[get("/", rank = 1)]
-fn admin_page(_token: AdminToken) -> ApiResult<Html<String>> {
+fn render_admin_page() -> ApiResult<Html<String>> {
    let text = AdminTemplateData::new().render()?;
    Ok(Html(text))
 }

+#[get("/", rank = 1)]
+fn admin_page(_token: AdminToken) -> ApiResult<Html<String>> {
+    render_admin_page()
+}
+
 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
 struct InviteData {
@@ -275,7 +289,7 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -

    async fn _generate_invite(user: &User, conn: &DbConn) -> EmptyResult {
        if CONFIG.mail_enabled() {
-            mail::send_invite(&user.email, &user.uuid, None, None, &CONFIG.invitation_org_name(), None)
+            mail::send_invite(&user.email, &user.uuid, None, None, &CONFIG.invitation_org_name(), None).await
        } else {
            let invitation = Invitation::new(user.email.clone());
            invitation.save(conn).await
@@ -289,11 +303,11 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -
 }

 #[post("/test/smtp", data = "<data>")]
-fn test_smtp(data: Json<InviteData>, _token: AdminToken) -> EmptyResult {
+async fn test_smtp(data: Json<InviteData>, _token: AdminToken) -> EmptyResult {
    let data: InviteData = data.into_inner();

    if CONFIG.mail_enabled() {
-        mail::send_test(&data.email)
+        mail::send_test(&data.email).await
    } else {
        err!("Mail is not enabled")
    }
@@ -302,7 +316,7 @@ fn test_smtp(data: Json<InviteData>, _token: AdminToken) -> EmptyResult {
 #[get("/logout")]
 fn logout(cookies: &CookieJar<'_>, referer: Referer) -> Redirect {
    cookies.remove(Cookie::build(COOKIE_NAME, "").path(admin_path()).finish());
-    Redirect::to(admin_url(referer))
+    Redirect::temporary(admin_url(referer))
 }

 #[get("/users")]
@@ -310,7 +324,10 @@ async fn get_users_json(_token: AdminToken, conn: DbConn) -> Json<Value> {
    let users_json = stream::iter(User::get_all(&conn).await)
        .then(|u| async {
            let u = u; // Move out this single variable
-            u.to_json(&conn).await
+            let mut usr = u.to_json(&conn).await;
+            usr["UserEnabled"] = json!(u.enabled);
+            usr["CreatedAt"] = json!(format_naive_datetime_local(&u.created_at, DT_FMT));
+            usr
        })
        .collect::<Vec<Value>>()
        .await;
@@ -320,8 +337,6 @@ async fn get_users_json(_token: AdminToken, conn: DbConn) -> Json<Value> {

 #[get("/users/overview")]
 async fn users_overview(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
-    const DT_FMT: &str = "%Y-%m-%d %H:%M:%S %Z";
-
    let users_json = stream::iter(User::get_all(&conn).await)
        .then(|u| async {
            let u = u; // Move out this single variable
@@ -346,9 +361,11 @@ async fn users_overview(_token: AdminToken, conn: DbConn) -> ApiResult<Html<Stri

 #[get("/users/<uuid>")]
 async fn get_user_json(uuid: String, _token: AdminToken, conn: DbConn) -> JsonResult {
-    let user = get_user_or_404(&uuid, &conn).await?;
-
-    Ok(Json(user.to_json(&conn).await))
+    let u = get_user_or_404(&uuid, &conn).await?;
+    let mut usr = u.to_json(&conn).await;
+    usr["UserEnabled"] = json!(u.enabled);
+    usr["CreatedAt"] = json!(format_naive_datetime_local(&u.created_at, DT_FMT));
+    Ok(Json(usr))
 }

 #[post("/users/<uuid>/delete")]
@@ -414,16 +431,27 @@ async fn update_user_org_type(data: Json<UserOrgTypeData>, _token: AdminToken, c
    };

    if user_to_edit.atype == UserOrgType::Owner && new_type != UserOrgType::Owner {
-        // Removing owner permmission, check that there are at least another owner
-        let num_owners =
-            UserOrganization::find_by_org_and_type(&data.org_uuid, UserOrgType::Owner as i32, &conn).await.len();
-
-        if num_owners <= 1 {
+        // Removing owner permmission, check that there is at least one other confirmed owner
+        if UserOrganization::count_confirmed_by_org_and_type(&data.org_uuid, UserOrgType::Owner, &conn).await <= 1 {
            err!("Can't change the type of the last owner")
        }
    }

-    user_to_edit.atype = new_type as i32;
+    // This check is also done at api::organizations::{accept_invite(), _confirm_invite, _activate_user(), edit_user()}, update_user_org_type
+    // It returns different error messages per function.
+    if new_type < UserOrgType::Admin {
+        match OrgPolicy::is_user_allowed(&user_to_edit.user_uuid, &user_to_edit.org_uuid, true, &conn).await {
+            Ok(_) => {}
+            Err(OrgPolicyErr::TwoFactorMissing) => {
+                err!("You cannot modify this user to this type because it has no two-step login method activated");
+            }
+            Err(OrgPolicyErr::SingleOrgEnforced) => {
+                err!("You cannot modify this user to this type because it is a member of an organization which forbids it");
+            }
+        }
+    }
+
+    user_to_edit.atype = new_type;
    user_to_edit.save(&conn).await
 }

@@ -487,41 +515,13 @@ async fn has_http_access() -> bool {
    }
 }

-#[get("/diagnostics")]
-async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> ApiResult<Html<String>> {
-    use crate::util::read_file_string;
-    use chrono::prelude::*;
-    use std::net::ToSocketAddrs;
-
-    // Get current running versions
-    let web_vault_version: WebVaultVersion =
-        match read_file_string(&format!("{}/{}", CONFIG.web_vault_folder(), "vw-version.json")) {
-            Ok(s) => serde_json::from_str(&s)?,
-            _ => match read_file_string(&format!("{}/{}", CONFIG.web_vault_folder(), "version.json")) {
-                Ok(s) => serde_json::from_str(&s)?,
-                _ => WebVaultVersion {
-                    version: String::from("Version file missing"),
-                },
-            },
-        };
-
-    // Execute some environment checks
-    let running_within_docker = is_running_in_docker();
-    let has_http_access = has_http_access().await;
-    let uses_proxy = env::var_os("HTTP_PROXY").is_some()
-        || env::var_os("http_proxy").is_some()
-        || env::var_os("HTTPS_PROXY").is_some()
-        || env::var_os("https_proxy").is_some();
-
-    // Check if we are able to resolve DNS entries
-    let dns_resolved = match ("github.com", 0).to_socket_addrs().map(|mut i| i.next()) {
-        Ok(Some(a)) => a.ip().to_string(),
-        _ => "Could not resolve domain name.".to_string(),
-    };
-
+use cached::proc_macro::cached;
+/// Cache this function to prevent API call rate limit. Github only allows 60 requests per hour, and we use 3 here already.
+/// It will cache this function for 300 seconds (5 minutes) which should prevent the exhaustion of the rate limit.
+#[cached(time = 300, sync_writes = true)]
+async fn get_release_info(has_http_access: bool, running_within_docker: bool) -> (String, String, String) {
    // If the HTTP Check failed, do not even attempt to check for new versions since we were not able to connect with github.com anyway.
-    // TODO: Maybe we need to cache this using a LazyStatic or something. Github only allows 60 requests per hour, and we use 3 here already.
-    let (latest_release, latest_commit, latest_web_build) = if has_http_access {
+    if has_http_access {
        (
            match get_github_api::<GitRelease>("https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest")
                .await
@@ -554,8 +554,43 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A
        )
    } else {
        ("-".to_string(), "-".to_string(), "-".to_string())
+    }
+}
+
+#[get("/diagnostics")]
+async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> ApiResult<Html<String>> {
+    use chrono::prelude::*;
+    use std::net::ToSocketAddrs;
+
+    // Get current running versions
+    let web_vault_version: WebVaultVersion =
+        match std::fs::read_to_string(&format!("{}/{}", CONFIG.web_vault_folder(), "vw-version.json")) {
+            Ok(s) => serde_json::from_str(&s)?,
+            _ => match std::fs::read_to_string(&format!("{}/{}", CONFIG.web_vault_folder(), "version.json")) {
+                Ok(s) => serde_json::from_str(&s)?,
+                _ => WebVaultVersion {
+                    version: String::from("Version file missing"),
+                },
+            },
+        };
+
+    // Execute some environment checks
+    let running_within_docker = is_running_in_docker();
+    let has_http_access = has_http_access().await;
+    let uses_proxy = env::var_os("HTTP_PROXY").is_some()
+        || env::var_os("http_proxy").is_some()
+        || env::var_os("HTTPS_PROXY").is_some()
+        || env::var_os("https_proxy").is_some();
+
+    // Check if we are able to resolve DNS entries
+    let dns_resolved = match ("github.com", 0).to_socket_addrs().map(|mut i| i.next()) {
+        Ok(Some(a)) => a.ip().to_string(),
+        _ => "Could not resolve domain name.".to_string(),
    };

+    let (latest_release, latest_commit, latest_web_build) =
+        get_release_info(has_http_access, running_within_docker).await;
+
    let ip_header_name = match &ip_header.0 {
        Some(h) => h,
        _ => "",
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -62,11 +62,42 @@ struct KeysData {
    PublicKey: String,
 }

+/// Trims whitespace from password hints, and converts blank password hints to `None`.
+fn clean_password_hint(password_hint: &Option<String>) -> Option<String> {
+    match password_hint {
+        None => None,
+        Some(h) => match h.trim() {
+            "" => None,
+            ht => Some(ht.to_string()),
+        },
+    }
+}
+
+fn enforce_password_hint_setting(password_hint: &Option<String>) -> EmptyResult {
+    if password_hint.is_some() && !CONFIG.password_hints_allowed() {
+        err!("Password hints have been disabled by the administrator. Remove the hint and try again.");
+    }
+    Ok(())
+}
+
 #[post("/accounts/register", data = "<data>")]
-async fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
+async fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> JsonResult {
    let data: RegisterData = data.into_inner().data;
    let email = data.Email.to_lowercase();

+    // Check if the length of the username exceeds 50 characters (Same is Upstream Bitwarden)
+    // This also prevents issues with very long usernames causing to large JWT's. See #2419
+    if let Some(ref name) = data.Name {
+        if name.len() > 50 {
+            err!("The field Name must be a string with a maximum length of 50.");
+        }
+    }
+
+    // Check against the password hint setting here so if it fails, the user
+    // can retry without losing their invitation below.
+    let password_hint = clean_password_hint(&data.MasterPasswordHint);
+    enforce_password_hint_setting(&password_hint)?;
+
    let mut user = match User::find_by_mail(&email, &conn).await {
        Some(user) => {
            if !user.password_hash.is_empty() {
@@ -123,16 +154,13 @@ async fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {

    user.set_password(&data.MasterPasswordHash, None);
    user.akey = data.Key;
+    user.password_hint = password_hint;

    // Add extra fields if present
    if let Some(name) = data.Name {
        user.name = name;
    }

-    if let Some(hint) = data.MasterPasswordHint {
-        user.password_hint = Some(hint);
-    }
-
    if let Some(keys) = data.Keys {
        user.private_key = Some(keys.EncryptedPrivateKey);
        user.public_key = Some(keys.PublicKey);
@@ -140,17 +168,21 @@ async fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {

    if CONFIG.mail_enabled() {
        if CONFIG.signups_verify() {
-            if let Err(e) = mail::send_welcome_must_verify(&user.email, &user.uuid) {
+            if let Err(e) = mail::send_welcome_must_verify(&user.email, &user.uuid).await {
                error!("Error sending welcome email: {:#?}", e);
            }

            user.last_verifying_at = Some(user.created_at);
-        } else if let Err(e) = mail::send_welcome(&user.email) {
+        } else if let Err(e) = mail::send_welcome(&user.email).await {
            error!("Error sending welcome email: {:#?}", e);
        }
    }

-    user.save(&conn).await
+    user.save(&conn).await?;
+    Ok(Json(json!({
+      "Object": "register",
+      "CaptchaBypassToken": "",
+    })))
 }

 #[get("/accounts/profile")]
@@ -176,13 +208,17 @@ async fn put_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbCo
 async fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -> JsonResult {
    let data: ProfileData = data.into_inner().data;

-    let mut user = headers.user;
+    // Check if the length of the username exceeds 50 characters (Same is Upstream Bitwarden)
+    // This also prevents issues with very long usernames causing to large JWT's. See #2419
+    if data.Name.len() > 50 {
+        err!("The field Name must be a string with a maximum length of 50.");
+    }

+    let mut user = headers.user;
    user.name = data.Name;
-    user.password_hint = match data.MasterPasswordHint {
-        Some(ref h) if h.is_empty() => None,
-        _ => data.MasterPasswordHint,
-    };
+    user.password_hint = clean_password_hint(&data.MasterPasswordHint);
+    enforce_password_hint_setting(&user.password_hint)?;
+
    user.save(&conn).await?;
    Ok(Json(user.to_json(&conn).await))
 }
@@ -384,7 +420,7 @@ async fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, co
    let token = crypto::generate_email_token(6);

    if CONFIG.mail_enabled() {
-        if let Err(e) = mail::send_change_email(&data.NewEmail, &token) {
+        if let Err(e) = mail::send_change_email(&data.NewEmail, &token).await {
            error!("Error sending change-email email: {:#?}", e);
        }
    }
@@ -453,14 +489,14 @@ async fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: D
 }

 #[post("/accounts/verify-email")]
-fn post_verify_email(headers: Headers) -> EmptyResult {
+async fn post_verify_email(headers: Headers) -> EmptyResult {
    let user = headers.user;

    if !CONFIG.mail_enabled() {
        err!("Cannot verify email address");
    }

-    if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
+    if let Err(e) = mail::send_verify_email(&user.email, &user.uuid).await {
        error!("Error sending verify_email email: {:#?}", e);
    }

@@ -512,7 +548,7 @@ async fn post_delete_recover(data: JsonUpcase<DeleteRecoverData>, conn: DbConn)

    if CONFIG.mail_enabled() {
        if let Some(user) = User::find_by_mail(&data.Email, &conn).await {
-            if let Err(e) = mail::send_delete_account(&user.email, &user.uuid) {
+            if let Err(e) = mail::send_delete_account(&user.email, &user.uuid).await {
                error!("Error sending delete account email: {:#?}", e);
            }
        }
@@ -612,7 +648,7 @@ async fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> Empt
        Some(user) => {
            let hint: Option<String> = user.password_hint;
            if CONFIG.mail_enabled() {
-                mail::send_password_hint(email, hint)?;
+                mail::send_password_hint(email, hint).await?;
                Ok(())
            } else if let Some(hint) = hint {
                err!(format!("Your password hint is: {}", hint));
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -1,6 +1,7 @@
 use std::collections::{HashMap, HashSet};

 use chrono::{NaiveDateTime, Utc};
+use futures::{stream, stream::StreamExt};
 use rocket::fs::TempFile;
 use rocket::serde::json::Json;
 use rocket::{
@@ -17,7 +18,7 @@ use crate::{
    CONFIG,
 };

-use futures::{stream, stream::StreamExt};
+use super::folders::FolderData;

 pub fn routes() -> Vec<Route> {
    // Note that many routes have an `admin` variant; this seems to be
@@ -104,7 +105,7 @@ async fn sync(data: SyncData, headers: Headers, conn: DbConn) -> Json<Value> {
    // Get all ciphers which are visible by the user
    let ciphers = Cipher::find_by_user_visible(&headers.user.uuid, &conn).await;

-    let cipher_sync_data = CipherSyncData::new(&headers.user.uuid, &ciphers, &conn).await;
+    let cipher_sync_data = CipherSyncData::new(&headers.user.uuid, &ciphers, CipherSyncType::User, &conn).await;

    // Lets generate the ciphers_json using all the gathered info
    let ciphers_json: Vec<Value> = stream::iter(ciphers)
@@ -154,7 +155,7 @@ async fn sync(data: SyncData, headers: Headers, conn: DbConn) -> Json<Value> {
 #[get("/ciphers")]
 async fn get_ciphers(headers: Headers, conn: DbConn) -> Json<Value> {
    let ciphers = Cipher::find_by_user_visible(&headers.user.uuid, &conn).await;
-    let cipher_sync_data = CipherSyncData::new(&headers.user.uuid, &ciphers, &conn).await;
+    let cipher_sync_data = CipherSyncData::new(&headers.user.uuid, &ciphers, CipherSyncType::User, &conn).await;

    let ciphers_json = stream::iter(ciphers)
        .then(|c| async {
@@ -212,7 +213,7 @@ pub struct CipherData {
    Card = 3,
    Identity = 4
    */
-    pub Type: i32, // TODO: Change this to NumberOrString
+    pub Type: i32,
    pub Name: String,
    Notes: Option<String>,
    Fields: Option<Value>,
@@ -229,8 +230,9 @@ pub struct CipherData {
    PasswordHistory: Option<Value>,

    // These are used during key rotation
+    // 'Attachments' is unused, contains map of {id: filename}
    #[serde(rename = "Attachments")]
-    _Attachments: Option<Value>, // Unused, contains map of {id: filename}
+    _Attachments: Option<Value>,
    Attachments2: Option<HashMap<String, Attachments2Data>>,

    // The revision datetime (in ISO 8601 format) of the client's local copy
@@ -326,7 +328,7 @@ async fn enforce_personal_ownership_policy(data: Option<&CipherData>, headers: &
    if data.is_none() || data.unwrap().OrganizationId.is_none() {
        let user_uuid = &headers.user.uuid;
        let policy_type = OrgPolicyType::PersonalOwnership;
-        if OrgPolicy::is_applicable_to_user(user_uuid, policy_type, conn).await {
+        if OrgPolicy::is_applicable_to_user(user_uuid, policy_type, None, conn).await {
            err!("Due to an Enterprise Policy, you are restricted from saving items to your personal vault.")
        }
    }
@@ -464,14 +466,12 @@ pub async fn update_cipher_from_data(
    cipher.set_favorite(data.Favorite, &headers.user.uuid, conn).await?;

    if ut != UpdateType::None {
-        nt.send_cipher_update(ut, cipher, &cipher.update_users_revision(conn).await);
+        nt.send_cipher_update(ut, cipher, &cipher.update_users_revision(conn).await).await;
    }

    Ok(())
 }

-use super::folders::FolderData;
-
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct ImportData {
@@ -527,7 +527,7 @@ async fn post_ciphers_import(

    let mut user = headers.user;
    user.update_revision(&conn).await?;
-    nt.send_user_update(UpdateType::Vault, &user);
+    nt.send_user_update(UpdateType::Vault, &user).await;
    Ok(())
 }

@@ -913,8 +913,8 @@ async fn save_attachment(
    // In the v2 API, the attachment record has already been created,
    // so the size limit needs to be adjusted to account for that.
    let size_adjust = match &attachment {
-        None => 0,                     // Legacy API
-        Some(a) => a.file_size as i64, // v2 API
+        None => 0,                         // Legacy API
+        Some(a) => i64::from(a.file_size), // v2 API
    };

    let size_limit = if let Some(ref user_uuid) = cipher.user_uuid {
@@ -947,6 +947,19 @@ async fn save_attachment(

    let mut data = data.into_inner();

+    // There is a bug regarding uploading attachments/sends using the Mobile clients
+    // See: https://github.com/dani-garcia/vaultwarden/issues/2644 && https://github.com/bitwarden/mobile/issues/2018
+    // This has been fixed via a PR: https://github.com/bitwarden/mobile/pull/2031, but hasn't landed in a new release yet.
+    // On the vaultwarden side this is temporarily fixed by using a custom multer library
+    // See: https://github.com/dani-garcia/vaultwarden/pull/2675
+    // In any case we will match TempFile::File and not TempFile::Buffered, since Buffered will alter the contents.
+    if let TempFile::Buffered {
+        content: _,
+    } = &data.data
+    {
+        err!("Error reading attachment data. Please try an other client.");
+    }
+
    if let Some(size_limit) = size_limit {
        if data.data.len() > size_limit {
            err!("Attachment storage limit exceeded with this file");
@@ -998,9 +1011,11 @@ async fn save_attachment(
        attachment.save(&conn).await.expect("Error saving attachment");
    }

-    data.data.persist_to(file_path).await?;
+    if let Err(_err) = data.data.persist_to(&file_path).await {
+        data.data.move_copy_to(file_path).await?
+    }

-    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn).await);
+    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn).await).await;

    Ok((cipher, conn))
 }
@@ -1266,7 +1281,7 @@ async fn move_cipher_selected(
        // Move cipher
        cipher.move_to_folder(data.FolderId.clone(), &user_uuid, &conn).await?;

-        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &[user_uuid.clone()]);
+        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &[user_uuid.clone()]).await;
    }

    Ok(())
@@ -1313,7 +1328,7 @@ async fn delete_all(
                Some(user_org) => {
                    if user_org.atype == UserOrgType::Owner {
                        Cipher::delete_all_by_organization(&org_data.org_id, &conn).await?;
-                        nt.send_user_update(UpdateType::Vault, &user);
+                        nt.send_user_update(UpdateType::Vault, &user).await;
                        Ok(())
                    } else {
                        err!("You don't have permission to purge the organization vault");
@@ -1334,7 +1349,7 @@ async fn delete_all(
            }

            user.update_revision(&conn).await?;
-            nt.send_user_update(UpdateType::Vault, &user);
+            nt.send_user_update(UpdateType::Vault, &user).await;
            Ok(())
        }
    }
@@ -1359,10 +1374,10 @@ async fn _delete_cipher_by_uuid(
    if soft_delete {
        cipher.deleted_at = Some(Utc::now().naive_utc());
        cipher.save(conn).await?;
-        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(conn).await);
+        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(conn).await).await;
    } else {
        cipher.delete(conn).await?;
-        nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(conn).await);
+        nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(conn).await).await;
    }

    Ok(())
@@ -1407,7 +1422,7 @@ async fn _restore_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, n
    cipher.deleted_at = None;
    cipher.save(conn).await?;

-    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(conn).await);
+    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(conn).await).await;
    Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, None, conn).await))
 }

@@ -1469,7 +1484,7 @@ async fn _delete_cipher_attachment_by_id(

    // Delete attachment
    attachment.delete(conn).await?;
-    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(conn).await);
+    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(conn).await).await;
    Ok(())
 }

@@ -1486,25 +1501,39 @@ pub struct CipherSyncData {
    pub user_collections: HashMap<String, CollectionUser>,
 }

+pub enum CipherSyncType {
+    User,
+    Organization,
+}
+
 impl CipherSyncData {
-    pub async fn new(user_uuid: &str, ciphers: &Vec<Cipher>, conn: &DbConn) -> Self {
+    pub async fn new(user_uuid: &str, ciphers: &Vec<Cipher>, sync_type: CipherSyncType, conn: &DbConn) -> Self {
        // Generate a list of Cipher UUID's to be used during a query filter with an eq_any.
-        let cipher_uuids = stream::iter(ciphers).map(|c| c.uuid.to_string()).collect::<Vec<String>>().await;
+        let cipher_uuids = stream::iter(ciphers).map(|c| c.uuid.clone()).collect::<Vec<String>>().await;
+
+        let mut cipher_folders: HashMap<String, String> = HashMap::new();
+        let mut cipher_favorites: HashSet<String> = HashSet::new();
+        match sync_type {
+            // User Sync supports Folders and Favorits
+            CipherSyncType::User => {
+                // Generate a HashMap with the Cipher UUID as key and the Folder UUID as value
+                cipher_folders = stream::iter(FolderCipher::find_by_user(user_uuid, conn).await).collect().await;
+
+                // Generate a HashSet of all the Cipher UUID's which are marked as favorite
+                cipher_favorites =
+                    stream::iter(Favorite::get_all_cipher_uuid_by_user(user_uuid, conn).await).collect().await;
+            }
+            // Organization Sync does not support Folders and Favorits.
+            // If these are set, it will cause issues in the web-vault.
+            CipherSyncType::Organization => {}
+        }

        // Generate a list of Cipher UUID's containing a Vec with one or more Attachment records
        let mut cipher_attachments: HashMap<String, Vec<Attachment>> = HashMap::new();
        for attachment in Attachment::find_all_by_ciphers(&cipher_uuids, conn).await {
-            cipher_attachments.entry(attachment.cipher_uuid.to_string()).or_default().push(attachment);
+            cipher_attachments.entry(attachment.cipher_uuid.clone()).or_default().push(attachment);
        }

-        // Generate a HashMap with the Cipher UUID as key and the Folder UUID as value
-        let cipher_folders: HashMap<String, String> =
-            stream::iter(FolderCipher::find_by_user(user_uuid, conn).await).collect().await;
-
-        // Generate a HashSet of all the Cipher UUID's which are marked as favorite
-        let cipher_favorites: HashSet<String> =
-            stream::iter(Favorite::get_all_cipher_uuid_by_user(user_uuid, conn).await).collect().await;
-
        // Generate a HashMap with the Cipher UUID as key and one or more Collection UUID's
        let mut cipher_collections: HashMap<String, Vec<String>> = HashMap::new();
        for (cipher, collection) in Cipher::get_collections_with_cipher_by_user(user_uuid, conn).await {
@@ -1514,14 +1543,14 @@ impl CipherSyncData {
        // Generate a HashMap with the Organization UUID as key and the UserOrganization record
        let user_organizations: HashMap<String, UserOrganization> =
            stream::iter(UserOrganization::find_by_user(user_uuid, conn).await)
-                .map(|uo| (uo.org_uuid.to_string(), uo))
+                .map(|uo| (uo.org_uuid.clone(), uo))
                .collect()
                .await;

        // Generate a HashMap with the User_Collections UUID as key and the CollectionUser record
        let user_collections: HashMap<String, CollectionUser> =
            stream::iter(CollectionUser::find_by_user(user_uuid, conn).await)
-                .map(|uc| (uc.collection_uuid.to_string(), uc))
+                .map(|uc| (uc.collection_uuid.clone(), uc))
                .collect()
                .await;

--- a/src/api/core/emergency_access.rs
+++ b/src/api/core/emergency_access.rs
@@ -5,7 +5,10 @@ use serde_json::Value;
 use std::borrow::Borrow;

 use crate::{
-    api::{core::CipherSyncData, EmptyResult, JsonResult, JsonUpcase, NumberOrString},
+    api::{
+        core::{CipherSyncData, CipherSyncType},
+        EmptyResult, JsonResult, JsonUpcase, NumberOrString,
+    },
    auth::{decode_emergency_access_invite, Headers},
    db::{models::*, DbConn, DbPool},
    mail, CONFIG,
@@ -248,13 +251,14 @@ async fn send_invite(data: JsonUpcase<EmergencyAccessInviteData>, headers: Heade
            Some(new_emergency_access.uuid),
            Some(grantor_user.name.clone()),
            Some(grantor_user.email),
-        )?;
+        )
+        .await?;
    } else {
        // Automatically mark user as accepted if no email invites
        match User::find_by_mail(&email, &conn).await {
            Some(user) => {
                match accept_invite_process(user.uuid, new_emergency_access.uuid, Some(email), conn.borrow()).await {
-                    Ok(v) => (v),
+                    Ok(v) => v,
                    Err(e) => err!(e.to_string()),
                }
            }
@@ -301,7 +305,8 @@ async fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> Empty
            Some(emergency_access.uuid),
            Some(grantor_user.name.clone()),
            Some(grantor_user.email),
-        )?;
+        )
+        .await?;
    } else {
        if Invitation::find_by_mail(&email, &conn).await.is_none() {
            let invitation = Invitation::new(email);
@@ -312,7 +317,7 @@ async fn resend_invite(emer_id: String, headers: Headers, conn: DbConn) -> Empty
        match accept_invite_process(grantee_user.uuid, emergency_access.uuid, emergency_access.email, conn.borrow())
            .await
        {
-            Ok(v) => (v),
+            Ok(v) => v,
            Err(e) => err!(e.to_string()),
        }
    }
@@ -358,12 +363,12 @@ async fn accept_invite(emer_id: String, data: JsonUpcase<AcceptData>, conn: DbCo
        && (claims.grantor_email.is_some() && grantor_user.email == claims.grantor_email.unwrap())
    {
        match accept_invite_process(grantee_user.uuid.clone(), emer_id, Some(grantee_user.email.clone()), &conn).await {
-            Ok(v) => (v),
+            Ok(v) => v,
            Err(e) => err!(e.to_string()),
        }

        if CONFIG.mail_enabled() {
-            mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email)?;
+            mail::send_emergency_access_invite_accepted(&grantor_user.email, &grantee_user.email).await?;
        }

        Ok(())
@@ -446,7 +451,7 @@ async fn confirm_emergency_access(
        emergency_access.save(&conn).await?;

        if CONFIG.mail_enabled() {
-            mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name)?;
+            mail::send_emergency_access_invite_confirmed(&grantee_user.email, &grantor_user.name).await?;
        }
        Ok(Json(emergency_access.to_json()))
    } else {
@@ -492,7 +497,8 @@ async fn initiate_emergency_access(emer_id: String, headers: Headers, conn: DbCo
            &initiating_user.name,
            emergency_access.get_type_as_str(),
            &emergency_access.wait_time_days.clone().to_string(),
-        )?;
+        )
+        .await?;
    }
    Ok(Json(emergency_access.to_json()))
 }
@@ -528,7 +534,7 @@ async fn approve_emergency_access(emer_id: String, headers: Headers, conn: DbCon
        emergency_access.save(&conn).await?;

        if CONFIG.mail_enabled() {
-            mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name)?;
+            mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name).await?;
        }
        Ok(Json(emergency_access.to_json()))
    } else {
@@ -568,7 +574,7 @@ async fn reject_emergency_access(emer_id: String, headers: Headers, conn: DbConn
        emergency_access.save(&conn).await?;

        if CONFIG.mail_enabled() {
-            mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name)?;
+            mail::send_emergency_access_recovery_rejected(&grantee_user.email, &grantor_user.name).await?;
        }
        Ok(Json(emergency_access.to_json()))
    } else {
@@ -596,7 +602,8 @@ async fn view_emergency_access(emer_id: String, headers: Headers, conn: DbConn)
    }

    let ciphers = Cipher::find_owned_by_user(&emergency_access.grantor_uuid, &conn).await;
-    let cipher_sync_data = CipherSyncData::new(&emergency_access.grantor_uuid, &ciphers, &conn).await;
+    let cipher_sync_data =
+        CipherSyncData::new(&emergency_access.grantor_uuid, &ciphers, CipherSyncType::User, &conn).await;

    let ciphers_json = stream::iter(ciphers)
        .then(|c| async {
@@ -754,7 +761,7 @@ pub async fn emergency_request_timeout_job(pool: DbPool) {
        for mut emer in emergency_access_list {
            if emer.recovery_initiated_at.is_some()
                && Utc::now().naive_utc()
-                    >= emer.recovery_initiated_at.unwrap() + Duration::days(emer.wait_time_days as i64)
+                    >= emer.recovery_initiated_at.unwrap() + Duration::days(i64::from(emer.wait_time_days))
            {
                emer.status = EmergencyAccessStatus::RecoveryApproved as i32;
                emer.save(&conn).await.expect("Cannot save emergency access on job");
@@ -775,9 +782,11 @@ pub async fn emergency_request_timeout_job(pool: DbPool) {
                        &grantee_user.name.clone(),
                        emer.get_type_as_str(),
                    )
+                    .await
                    .expect("Error on sending email");

                    mail::send_emergency_access_recovery_approved(&grantee_user.email, &grantor_user.name.clone())
+                        .await
                        .expect("Error on sending email");
                }
            }
@@ -803,7 +812,7 @@ pub async fn emergency_notification_reminder_job(pool: DbPool) {
        for mut emer in emergency_access_list {
            if (emer.recovery_initiated_at.is_some()
                && Utc::now().naive_utc()
-                    >= emer.recovery_initiated_at.unwrap() + Duration::days((emer.wait_time_days as i64) - 1))
+                    >= emer.recovery_initiated_at.unwrap() + Duration::days((i64::from(emer.wait_time_days)) - 1))
                && (emer.last_notification_at.is_none()
                    || (emer.last_notification_at.is_some()
                        && Utc::now().naive_utc() >= emer.last_notification_at.unwrap() + Duration::days(1)))
@@ -827,6 +836,7 @@ pub async fn emergency_notification_reminder_job(pool: DbPool) {
                        emer.get_type_as_str(),
                        &emer.wait_time_days.to_string(), // TODO(jjlin): This should be the number of days left.
                    )
+                    .await
                    .expect("Error on sending email");
                }
            }
--- a/src/api/core/folders.rs
+++ b/src/api/core/folders.rs
@@ -50,7 +50,7 @@ async fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbCo
    let mut folder = Folder::new(headers.user.uuid, data.Name);

    folder.save(&conn).await?;
-    nt.send_folder_update(UpdateType::FolderCreate, &folder);
+    nt.send_folder_update(UpdateType::FolderCreate, &folder).await;

    Ok(Json(folder.to_json()))
 }
@@ -88,7 +88,7 @@ async fn put_folder(
    folder.name = data.Name;

    folder.save(&conn).await?;
-    nt.send_folder_update(UpdateType::FolderUpdate, &folder);
+    nt.send_folder_update(UpdateType::FolderUpdate, &folder).await;

    Ok(Json(folder.to_json()))
 }
@@ -112,6 +112,6 @@ async fn delete_folder(uuid: String, headers: Headers, conn: DbConn, nt: Notify<
    // Delete the actual folder entry
    folder.delete(&conn).await?;

-    nt.send_folder_update(UpdateType::FolderDelete, &folder);
+    nt.send_folder_update(UpdateType::FolderDelete, &folder).await;
    Ok(())
 }
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -7,7 +7,7 @@ mod sends;
 pub mod two_factor;

 pub use ciphers::purge_trashed_ciphers;
-pub use ciphers::CipherSyncData;
+pub use ciphers::{CipherSyncData, CipherSyncType};
 pub use emergency_access::{emergency_notification_reminder_job, emergency_request_timeout_job};
 pub use sends::purge_sends;
 pub use two_factor::send_incomplete_2fa_notifications;
@@ -16,7 +16,7 @@ pub fn routes() -> Vec<Route> {
    let mut device_token_routes = routes![clear_device_token, put_device_token];
    let mut eq_domains_routes = routes![get_eq_domains, post_eq_domains, put_eq_domains];
    let mut hibp_routes = routes![hibp_breach];
-    let mut meta_routes = routes![alive, now, version];
+    let mut meta_routes = routes![alive, now, version, config];

    let mut routes = Vec::new();
    routes.append(&mut accounts::routes());
@@ -38,6 +38,7 @@ pub fn routes() -> Vec<Route> {
 // Move this somewhere else
 //
 use rocket::serde::json::Json;
+use rocket::Catcher;
 use rocket::Route;
 use serde_json::Value;

@@ -200,3 +201,38 @@ pub fn now() -> Json<String> {
 fn version() -> Json<&'static str> {
    Json(crate::VERSION.unwrap_or_default())
 }
+
+#[get("/config")]
+fn config() -> Json<Value> {
+    let domain = crate::CONFIG.domain();
+    Json(json!({
+        "version": crate::VERSION,
+        "gitHash": option_env!("GIT_REV"),
+        "server": {
+          "name": "Vaultwarden",
+          "url": "https://github.com/dani-garcia/vaultwarden"
+        },
+        "environment": {
+          "vault": domain,
+          "api": format!("{domain}/api"),
+          "identity": format!("{domain}/identity"),
+          "notifications": format!("{domain}/notifications"),
+          "sso": "",
+        },
+    }))
+}
+
+pub fn catchers() -> Vec<Catcher> {
+    catchers![api_not_found]
+}
+
+#[catch(404)]
+fn api_not_found() -> Json<Value> {
+    Json(json!({
+        "error": {
+            "code": 404,
+            "reason": "Not Found",
+            "description": "The requested resource could not be found."
+        }
+    }))
+}
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -5,12 +5,14 @@ use serde_json::Value;

 use crate::{
    api::{
-        core::CipherSyncData, EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData,
-        UpdateType,
+        core::{CipherSyncData, CipherSyncType},
+        EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData, UpdateType,
    },
    auth::{decode_invite, AdminHeaders, Headers, ManagerHeaders, ManagerHeadersLoose, OwnerHeaders},
    db::{models::*, DbConn},
-    mail, CONFIG,
+    mail,
+    util::convert_json_key_lcase_first,
+    CONFIG,
 };

 use futures::{stream, stream::StreamExt};
@@ -61,6 +63,15 @@ pub fn routes() -> Vec<Route> {
        import,
        post_org_keys,
        bulk_public_keys,
+        deactivate_organization_user,
+        bulk_deactivate_organization_user,
+        revoke_organization_user,
+        bulk_revoke_organization_user,
+        activate_organization_user,
+        bulk_activate_organization_user,
+        restore_organization_user,
+        bulk_restore_organization_user,
+        get_org_export
    ]
 }

@@ -107,7 +118,7 @@ async fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn:
    if !CONFIG.is_org_creation_allowed(&headers.user.email) {
        err!("User not allowed to create organizations")
    }
-    if OrgPolicy::is_applicable_to_user(&headers.user.uuid, OrgPolicyType::SingleOrg, &conn).await {
+    if OrgPolicy::is_applicable_to_user(&headers.user.uuid, OrgPolicyType::SingleOrg, None, &conn).await {
        err!(
            "You may not create an organization. You belong to an organization which has a policy that prohibits you from being a member of any other organization."
        )
@@ -172,13 +183,10 @@ async fn leave_organization(org_id: String, headers: Headers, conn: DbConn) -> E
    match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn).await {
        None => err!("User not part of organization"),
        Some(user_org) => {
-            if user_org.atype == UserOrgType::Owner {
-                let num_owners =
-                    UserOrganization::find_by_org_and_type(&org_id, UserOrgType::Owner as i32, &conn).await.len();
-
-                if num_owners <= 1 {
-                    err!("The last owner can't leave")
-                }
+            if user_org.atype == UserOrgType::Owner
+                && UserOrganization::count_confirmed_by_org_and_type(&org_id, UserOrgType::Owner, &conn).await <= 1
+            {
+                err!("The last owner can't leave")
            }

            user_org.delete(&conn).await
@@ -241,15 +249,19 @@ async fn get_user_collections(headers: Headers, conn: DbConn) -> Json<Value> {

 #[get("/organizations/<org_id>/collections")]
 async fn get_org_collections(org_id: String, _headers: ManagerHeadersLoose, conn: DbConn) -> Json<Value> {
-    Json(json!({
+    Json(_get_org_collections(&org_id, &conn).await)
+}
+
+async fn _get_org_collections(org_id: &str, conn: &DbConn) -> Value {
+    json!({
        "Data":
-            Collection::find_by_organization(&org_id, &conn).await
+            Collection::find_by_organization(org_id, conn).await
            .iter()
            .map(Collection::to_json)
            .collect::<Value>(),
        "Object": "list",
        "ContinuationToken": null,
-    }))
+    })
 }

 #[post("/organizations/<org_id>/collections", data = "<data>")]
@@ -486,22 +498,26 @@ struct OrgIdData {

 #[get("/ciphers/organization-details?<data..>")]
 async fn get_org_details(data: OrgIdData, headers: Headers, conn: DbConn) -> Json<Value> {
-    let ciphers = Cipher::find_by_org(&data.organization_id, &conn).await;
-    let cipher_sync_data = CipherSyncData::new(&headers.user.uuid, &ciphers, &conn).await;
+    Json(_get_org_details(&data.organization_id, &headers.host, &headers.user.uuid, &conn).await)
+}
+
+async fn _get_org_details(org_id: &str, host: &str, user_uuid: &str, conn: &DbConn) -> Value {
+    let ciphers = Cipher::find_by_org(org_id, conn).await;
+    let cipher_sync_data = CipherSyncData::new(user_uuid, &ciphers, CipherSyncType::Organization, conn).await;

    let ciphers_json = stream::iter(ciphers)
        .then(|c| async {
            let c = c; // Move out this single variable
-            c.to_json(&headers.host, &headers.user.uuid, Some(&cipher_sync_data), &conn).await
+            c.to_json(host, user_uuid, Some(&cipher_sync_data), conn).await
        })
        .collect::<Vec<Value>>()
        .await;

-    Json(json!({
+    json!({
      "Data": ciphers_json,
      "Object": "list",
      "ContinuationToken": null,
-    }))
+    })
 }

 #[get("/organizations/<org_id>/users")]
@@ -652,7 +668,8 @@ async fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: Admi
                Some(new_user.uuid),
                &org_name,
                Some(headers.user.email.clone()),
-            )?;
+            )
+            .await?;
        }
    }

@@ -732,7 +749,8 @@ async fn _reinvite_user(org_id: &str, user_org: &str, invited_by_email: &str, co
            Some(user_org.uuid),
            &org_name,
            Some(invited_by_email.to_string()),
-        )?;
+        )
+        .await?;
    } else {
        let invitation = Invitation::new(user.email);
        invitation.save(conn).await?;
@@ -747,17 +765,16 @@ struct AcceptData {
    Token: String,
 }

-#[post("/organizations/<_org_id>/users/<_org_user_id>/accept", data = "<data>")]
+#[post("/organizations/<org_id>/users/<_org_user_id>/accept", data = "<data>")]
 async fn accept_invite(
-    _org_id: String,
+    org_id: String,
    _org_user_id: String,
    data: JsonUpcase<AcceptData>,
    conn: DbConn,
 ) -> EmptyResult {
    // The web-vault passes org_id and org_user_id in the URL, but we are just reading them from the JWT instead
    let data: AcceptData = data.into_inner().data;
-    let token = &data.Token;
-    let claims = decode_invite(token)?;
+    let claims = decode_invite(&data.Token)?;

    match User::find_by_mail(&claims.email, &conn).await {
        Some(_) => {
@@ -773,46 +790,20 @@ async fn accept_invite(
                    err!("User already accepted the invitation")
                }

-                let user_twofactor_disabled = TwoFactor::find_by_user(&user_org.user_uuid, &conn).await.is_empty();
-
-                let policy = OrgPolicyType::TwoFactorAuthentication as i32;
-                let org_twofactor_policy_enabled =
-                    match OrgPolicy::find_by_org_and_type(&user_org.org_uuid, policy, &conn).await {
-                        Some(p) => p.enabled,
-                        None => false,
-                    };
-
-                if org_twofactor_policy_enabled && user_twofactor_disabled {
-                    err!("You cannot join this organization until you enable two-step login on your user account.")
-                }
-
-                // Enforce Single Organization Policy of organization user is trying to join
-                let single_org_policy_enabled =
-                    match OrgPolicy::find_by_org_and_type(&user_org.org_uuid, OrgPolicyType::SingleOrg as i32, &conn)
-                        .await
-                    {
-                        Some(p) => p.enabled,
-                        None => false,
-                    };
-                if single_org_policy_enabled && user_org.atype < UserOrgType::Admin {
-                    let is_member_of_another_org = UserOrganization::find_any_state_by_user(&user_org.user_uuid, &conn)
-                        .await
-                        .into_iter()
-                        .filter(|uo| uo.org_uuid != user_org.org_uuid)
-                        .count()
-                        > 1;
-                    if is_member_of_another_org {
-                        err!("You may not join this organization until you leave or remove all other organizations.")
+                // This check is also done at accept_invite(), _confirm_invite, _activate_user(), edit_user(), admin::update_user_org_type
+                // It returns different error messages per function.
+                if user_org.atype < UserOrgType::Admin {
+                    match OrgPolicy::is_user_allowed(&user_org.user_uuid, &org_id, false, &conn).await {
+                        Ok(_) => {}
+                        Err(OrgPolicyErr::TwoFactorMissing) => {
+                            err!("You cannot join this organization until you enable two-step login on your user account");
+                        }
+                        Err(OrgPolicyErr::SingleOrgEnforced) => {
+                            err!("You cannot join this organization because you are a member of an organization which forbids it");
+                        }
                    }
                }

-                // Enforce Single Organization Policy of other organizations user is a member of
-                if OrgPolicy::is_applicable_to_user(&user_org.user_uuid, OrgPolicyType::SingleOrg, &conn).await {
-                    err!(
-                        "You cannot join this organization because you are a member of an organization which forbids it"
-                    )
-                }
-
                user_org.status = UserOrgStatus::Accepted as i32;
                user_org.save(&conn).await?;
            }
@@ -830,10 +821,10 @@ async fn accept_invite(
        };
        if let Some(invited_by_email) = &claims.invited_by_email {
            // User was invited to an organization, so they must be confirmed manually after acceptance
-            mail::send_invite_accepted(&claims.email, invited_by_email, &org_name)?;
+            mail::send_invite_accepted(&claims.email, invited_by_email, &org_name).await?;
        } else {
            // User was invited from /admin, so they are automatically confirmed
-            mail::send_invite_confirmed(&claims.email, &org_name)?;
+            mail::send_invite_confirmed(&claims.email, &org_name).await?;
        }
    }

@@ -916,6 +907,20 @@ async fn _confirm_invite(
        err!("User in invalid state")
    }

+    // This check is also done at accept_invite(), _confirm_invite, _activate_user(), edit_user(), admin::update_user_org_type
+    // It returns different error messages per function.
+    if user_to_confirm.atype < UserOrgType::Admin {
+        match OrgPolicy::is_user_allowed(&user_to_confirm.user_uuid, org_id, true, conn).await {
+            Ok(_) => {}
+            Err(OrgPolicyErr::TwoFactorMissing) => {
+                err!("You cannot confirm this user because it has no two-step login method activated");
+            }
+            Err(OrgPolicyErr::SingleOrgEnforced) => {
+                err!("You cannot confirm this user because it is a member of an organization which forbids it");
+            }
+        }
+    }
+
    user_to_confirm.status = UserOrgStatus::Confirmed as i32;
    user_to_confirm.akey = key.to_string();

@@ -928,7 +933,7 @@ async fn _confirm_invite(
            Some(user) => user.email,
            None => err!("Error looking up user."),
        };
-        mail::send_invite_confirmed(&address, &org_name)?;
+        mail::send_invite_confirmed(&address, &org_name).await?;
    }

    user_to_confirm.save(conn).await
@@ -994,15 +999,30 @@ async fn edit_user(
        err!("Only Owners can edit Owner users")
    }

-    if user_to_edit.atype == UserOrgType::Owner && new_type != UserOrgType::Owner {
-        // Removing owner permmission, check that there are at least another owner
-        let num_owners = UserOrganization::find_by_org_and_type(&org_id, UserOrgType::Owner as i32, &conn).await.len();
-
-        if num_owners <= 1 {
+    if user_to_edit.atype == UserOrgType::Owner
+        && new_type != UserOrgType::Owner
+        && user_to_edit.status == UserOrgStatus::Confirmed as i32
+    {
+        // Removing owner permission, check that there is at least one other confirmed owner
+        if UserOrganization::count_confirmed_by_org_and_type(&org_id, UserOrgType::Owner, &conn).await <= 1 {
            err!("Can't delete the last owner")
        }
    }

+    // This check is also done at accept_invite(), _confirm_invite, _activate_user(), edit_user(), admin::update_user_org_type
+    // It returns different error messages per function.
+    if new_type < UserOrgType::Admin {
+        match OrgPolicy::is_user_allowed(&user_to_edit.user_uuid, &org_id, true, &conn).await {
+            Ok(_) => {}
+            Err(OrgPolicyErr::TwoFactorMissing) => {
+                err!("You cannot modify this user to this type because it has no two-step login method activated");
+            }
+            Err(OrgPolicyErr::SingleOrgEnforced) => {
+                err!("You cannot modify this user to this type because it is a member of an organization which forbids it");
+            }
+        }
+    }
+
    user_to_edit.access_all = data.AccessAll;
    user_to_edit.atype = new_type as i32;

@@ -1080,11 +1100,9 @@ async fn _delete_user(org_id: &str, org_user_id: &str, headers: &AdminHeaders, c
        err!("Only Owners can delete Admins or Owners")
    }

-    if user_to_delete.atype == UserOrgType::Owner {
-        // Removing owner, check that there are at least another owner
-        let num_owners = UserOrganization::find_by_org_and_type(org_id, UserOrgType::Owner as i32, conn).await.len();
-
-        if num_owners <= 1 {
+    if user_to_delete.atype == UserOrgType::Owner && user_to_delete.status == UserOrgStatus::Confirmed as i32 {
+        // Removing owner, check that there is at least one other confirmed owner
+        if UserOrganization::count_confirmed_by_org_and_type(org_id, UserOrgType::Owner, conn).await <= 1 {
            err!("Can't delete the last owner")
        }
    }
@@ -1253,7 +1271,7 @@ async fn get_policy(org_id: String, pol_type: i32, _headers: AdminHeaders, conn:
        None => err!("Invalid or unsupported policy type"),
    };

-    let policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn).await {
+    let policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type_enum, &conn).await {
        Some(p) => p,
        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),
    };
@@ -1281,15 +1299,16 @@ async fn put_policy(

    let pol_type_enum = match OrgPolicyType::from_i32(pol_type) {
        Some(pt) => pt,
-        None => err!("Invalid policy type"),
+        None => err!("Invalid or unsupported policy type"),
    };

-    // If enabling the TwoFactorAuthentication policy, remove this org's members that do have 2FA
+    // When enabling the TwoFactorAuthentication policy, remove this org's members that do have 2FA
    if pol_type_enum == OrgPolicyType::TwoFactorAuthentication && data.enabled {
        for member in UserOrganization::find_by_org(&org_id, &conn).await.into_iter() {
            let user_twofactor_disabled = TwoFactor::find_by_user(&member.user_uuid, &conn).await.is_empty();

            // Policy only applies to non-Owner/non-Admin members who have accepted joining the org
+            // Invited users still need to accept the invite and will get an error when they try to accept the invite.
            if user_twofactor_disabled
                && member.atype < UserOrgType::Admin
                && member.status != UserOrgStatus::Invited as i32
@@ -1298,40 +1317,36 @@ async fn put_policy(
                    let org = Organization::find_by_uuid(&member.org_uuid, &conn).await.unwrap();
                    let user = User::find_by_uuid(&member.user_uuid, &conn).await.unwrap();

-                    mail::send_2fa_removed_from_org(&user.email, &org.name)?;
+                    mail::send_2fa_removed_from_org(&user.email, &org.name).await?;
                }
                member.delete(&conn).await?;
            }
        }
    }

-    // If enabling the SingleOrg policy, remove this org's members that are members of other orgs
+    // When enabling the SingleOrg policy, remove this org's members that are members of other orgs
    if pol_type_enum == OrgPolicyType::SingleOrg && data.enabled {
        for member in UserOrganization::find_by_org(&org_id, &conn).await.into_iter() {
            // Policy only applies to non-Owner/non-Admin members who have accepted joining the org
-            if member.atype < UserOrgType::Admin && member.status != UserOrgStatus::Invited as i32 {
-                let is_member_of_another_org = UserOrganization::find_any_state_by_user(&member.user_uuid, &conn)
-                    .await
-                    .into_iter()
-                    // Other UserOrganization's where they have accepted being a member of
-                    .filter(|uo| uo.uuid != member.uuid && uo.status != UserOrgStatus::Invited as i32)
-                    .count()
-                    > 1;
+            // Exclude invited and revoked users when checking for this policy.
+            // Those users will not be allowed to accept or be activated because of the policy checks done there.
+            // We check if the count is larger then 1, because it includes this organization also.
+            if member.atype < UserOrgType::Admin
+                && member.status != UserOrgStatus::Invited as i32
+                && UserOrganization::count_accepted_and_confirmed_by_user(&member.user_uuid, &conn).await > 1
+            {
+                if CONFIG.mail_enabled() {
+                    let org = Organization::find_by_uuid(&member.org_uuid, &conn).await.unwrap();
+                    let user = User::find_by_uuid(&member.user_uuid, &conn).await.unwrap();

-                if is_member_of_another_org {
-                    if CONFIG.mail_enabled() {
-                        let org = Organization::find_by_uuid(&member.org_uuid, &conn).await.unwrap();
-                        let user = User::find_by_uuid(&member.user_uuid, &conn).await.unwrap();
-
-                        mail::send_single_org_removed_from_org(&user.email, &org.name)?;
-                    }
-                    member.delete(&conn).await?;
+                    mail::send_single_org_removed_from_org(&user.email, &org.name).await?;
                }
+                member.delete(&conn).await?;
            }
        }
    }

-    let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn).await {
+    let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type_enum, &conn).await {
        Some(p) => p,
        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),
    };
@@ -1354,7 +1369,7 @@ fn get_organization_tax(org_id: String, _headers: Headers) -> Json<Value> {
 }

 #[get("/plans")]
-fn get_plans(_headers: Headers) -> Json<Value> {
+fn get_plans() -> Json<Value> {
    // Respond with a minimal json just enough to allow the creation of an new organization.
    Json(json!({
        "Object": "list",
@@ -1462,7 +1477,8 @@ async fn import(org_id: String, data: JsonUpcase<OrgImportData>, headers: Header
                        Some(new_org_user.uuid),
                        &org_name,
                        Some(headers.user.email.clone()),
-                    )?;
+                    )
+                    .await?;
                }
            }
        }
@@ -1470,7 +1486,7 @@ async fn import(org_id: String, data: JsonUpcase<OrgImportData>, headers: Header

    // If this flag is enabled, any user that isn't provided in the Users list will be removed (by default they will be kept unless they have Deleted == true)
    if data.OverwriteExisting {
-        for user_org in UserOrganization::find_by_org_and_type(&org_id, UserOrgType::User as i32, &conn).await {
+        for user_org in UserOrganization::find_by_org_and_type(&org_id, UserOrgType::User, &conn).await {
            if let Some(user_email) = User::find_by_uuid(&user_org.user_uuid, &conn).await.map(|u| u.email) {
                if !data.Users.iter().any(|u| u.Email == user_email) {
                    user_org.delete(&conn).await?;
@@ -1481,3 +1497,226 @@ async fn import(org_id: String, data: JsonUpcase<OrgImportData>, headers: Header

    Ok(())
 }
+
+// Pre web-vault v2022.9.x endpoint
+#[put("/organizations/<org_id>/users/<org_user_id>/deactivate")]
+async fn deactivate_organization_user(
+    org_id: String,
+    org_user_id: String,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> EmptyResult {
+    _revoke_organization_user(&org_id, &org_user_id, &headers, &conn).await
+}
+
+// Pre web-vault v2022.9.x endpoint
+#[put("/organizations/<org_id>/users/deactivate", data = "<data>")]
+async fn bulk_deactivate_organization_user(
+    org_id: String,
+    data: JsonUpcase<Value>,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> Json<Value> {
+    bulk_revoke_organization_user(org_id, data, headers, conn).await
+}
+
+#[put("/organizations/<org_id>/users/<org_user_id>/revoke")]
+async fn revoke_organization_user(
+    org_id: String,
+    org_user_id: String,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> EmptyResult {
+    _revoke_organization_user(&org_id, &org_user_id, &headers, &conn).await
+}
+
+#[put("/organizations/<org_id>/users/revoke", data = "<data>")]
+async fn bulk_revoke_organization_user(
+    org_id: String,
+    data: JsonUpcase<Value>,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> Json<Value> {
+    let data = data.into_inner().data;
+
+    let mut bulk_response = Vec::new();
+    match data["Ids"].as_array() {
+        Some(org_users) => {
+            for org_user_id in org_users {
+                let org_user_id = org_user_id.as_str().unwrap_or_default();
+                let err_msg = match _revoke_organization_user(&org_id, org_user_id, &headers, &conn).await {
+                    Ok(_) => String::from(""),
+                    Err(e) => format!("{:?}", e),
+                };
+
+                bulk_response.push(json!(
+                    {
+                        "Object": "OrganizationUserBulkResponseModel",
+                        "Id": org_user_id,
+                        "Error": err_msg
+                    }
+                ));
+            }
+        }
+        None => error!("No users to revoke"),
+    }
+
+    Json(json!({
+        "Data": bulk_response,
+        "Object": "list",
+        "ContinuationToken": null
+    }))
+}
+
+async fn _revoke_organization_user(
+    org_id: &str,
+    org_user_id: &str,
+    headers: &AdminHeaders,
+    conn: &DbConn,
+) -> EmptyResult {
+    match UserOrganization::find_by_uuid_and_org(org_user_id, org_id, conn).await {
+        Some(mut user_org) if user_org.status > UserOrgStatus::Revoked as i32 => {
+            if user_org.user_uuid == headers.user.uuid {
+                err!("You cannot revoke yourself")
+            }
+            if user_org.atype == UserOrgType::Owner && headers.org_user_type != UserOrgType::Owner {
+                err!("Only owners can revoke other owners")
+            }
+            if user_org.atype == UserOrgType::Owner
+                && UserOrganization::count_confirmed_by_org_and_type(org_id, UserOrgType::Owner, conn).await <= 1
+            {
+                err!("Organization must have at least one confirmed owner")
+            }
+
+            user_org.revoke();
+            user_org.save(conn).await?;
+        }
+        Some(_) => err!("User is already revoked"),
+        None => err!("User not found in organization"),
+    }
+    Ok(())
+}
+
+// Pre web-vault v2022.9.x endpoint
+#[put("/organizations/<org_id>/users/<org_user_id>/activate")]
+async fn activate_organization_user(
+    org_id: String,
+    org_user_id: String,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> EmptyResult {
+    _restore_organization_user(&org_id, &org_user_id, &headers, &conn).await
+}
+
+// Pre web-vault v2022.9.x endpoint
+#[put("/organizations/<org_id>/users/activate", data = "<data>")]
+async fn bulk_activate_organization_user(
+    org_id: String,
+    data: JsonUpcase<Value>,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> Json<Value> {
+    bulk_restore_organization_user(org_id, data, headers, conn).await
+}
+
+#[put("/organizations/<org_id>/users/<org_user_id>/restore")]
+async fn restore_organization_user(
+    org_id: String,
+    org_user_id: String,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> EmptyResult {
+    _restore_organization_user(&org_id, &org_user_id, &headers, &conn).await
+}
+
+#[put("/organizations/<org_id>/users/restore", data = "<data>")]
+async fn bulk_restore_organization_user(
+    org_id: String,
+    data: JsonUpcase<Value>,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> Json<Value> {
+    let data = data.into_inner().data;
+
+    let mut bulk_response = Vec::new();
+    match data["Ids"].as_array() {
+        Some(org_users) => {
+            for org_user_id in org_users {
+                let org_user_id = org_user_id.as_str().unwrap_or_default();
+                let err_msg = match _restore_organization_user(&org_id, org_user_id, &headers, &conn).await {
+                    Ok(_) => String::from(""),
+                    Err(e) => format!("{:?}", e),
+                };
+
+                bulk_response.push(json!(
+                    {
+                        "Object": "OrganizationUserBulkResponseModel",
+                        "Id": org_user_id,
+                        "Error": err_msg
+                    }
+                ));
+            }
+        }
+        None => error!("No users to restore"),
+    }
+
+    Json(json!({
+        "Data": bulk_response,
+        "Object": "list",
+        "ContinuationToken": null
+    }))
+}
+
+async fn _restore_organization_user(
+    org_id: &str,
+    org_user_id: &str,
+    headers: &AdminHeaders,
+    conn: &DbConn,
+) -> EmptyResult {
+    match UserOrganization::find_by_uuid_and_org(org_user_id, org_id, conn).await {
+        Some(mut user_org) if user_org.status < UserOrgStatus::Accepted as i32 => {
+            if user_org.user_uuid == headers.user.uuid {
+                err!("You cannot restore yourself")
+            }
+            if user_org.atype == UserOrgType::Owner && headers.org_user_type != UserOrgType::Owner {
+                err!("Only owners can restore other owners")
+            }
+
+            // This check is also done at accept_invite(), _confirm_invite, _activate_user(), edit_user(), admin::update_user_org_type
+            // It returns different error messages per function.
+            if user_org.atype < UserOrgType::Admin {
+                match OrgPolicy::is_user_allowed(&user_org.user_uuid, org_id, false, conn).await {
+                    Ok(_) => {}
+                    Err(OrgPolicyErr::TwoFactorMissing) => {
+                        err!("You cannot restore this user because it has no two-step login method activated");
+                    }
+                    Err(OrgPolicyErr::SingleOrgEnforced) => {
+                        err!("You cannot restore this user because it is a member of an organization which forbids it");
+                    }
+                }
+            }
+
+            user_org.restore();
+            user_org.save(conn).await?;
+        }
+        Some(_) => err!("User is already active"),
+        None => err!("User not found in organization"),
+    }
+    Ok(())
+}
+
+// This is a new function active since the v2022.9.x clients.
+// It combines the previous two calls done before.
+// We call those two functions here and combine them our selfs.
+//
+// NOTE: It seems clients can't handle uppercase-first keys!!
+//       We need to convert all keys so they have the first character to be a lowercase.
+//       Else the export will be just an empty JSON file.
+#[get("/organizations/<org_id>/export")]
+async fn get_org_export(org_id: String, headers: AdminHeaders, conn: DbConn) -> Json<Value> {
+    // Also both main keys here need to be lowercase, else the export will fail.
+    Json(json!({
+        "collections": convert_json_key_lcase_first(_get_org_collections(&org_id, &conn).await),
+        "ciphers": convert_json_key_lcase_first(_get_org_details(&org_id, &headers.host, &headers.user.uuid, &conn).await),
+    }))
+}
--- a/src/api/core/sends.rs
+++ b/src/api/core/sends.rs
@@ -17,6 +17,9 @@ use crate::{

 const SEND_INACCESSIBLE_MSG: &str = "Send does not exist or is no longer available";

+// The max file size allowed by Bitwarden clients and add an extra 5% to avoid issues
+const SIZE_525_MB: u64 = 550_502_400;
+
 pub fn routes() -> Vec<rocket::Route> {
    routes![
        get_sends,
@@ -28,7 +31,9 @@ pub fn routes() -> Vec<rocket::Route> {
        put_send,
        delete_send,
        put_remove_password,
-        download_send
+        download_send,
+        post_send_file_v2,
+        post_send_file_v2_data
    ]
 }

@@ -58,6 +63,7 @@ struct SendData {
    Notes: Option<String>,
    Text: Option<Value>,
    File: Option<Value>,
+    FileLength: Option<NumberOrString>,
 }

 /// Enforces the `Disable Send` policy. A non-owner/admin user belonging to
@@ -70,8 +76,9 @@ struct SendData {
 /// controls this policy globally.
 async fn enforce_disable_send_policy(headers: &Headers, conn: &DbConn) -> EmptyResult {
    let user_uuid = &headers.user.uuid;
-    let policy_type = OrgPolicyType::DisableSend;
-    if !CONFIG.sends_allowed() || OrgPolicy::is_applicable_to_user(user_uuid, policy_type, conn).await {
+    if !CONFIG.sends_allowed()
+        || OrgPolicy::is_applicable_to_user(user_uuid, OrgPolicyType::DisableSend, None, conn).await
+    {
        err!("Due to an Enterprise Policy, you are only able to delete an existing Send.")
    }
    Ok(())
@@ -95,7 +102,7 @@ async fn enforce_disable_hide_email_policy(data: &SendData, headers: &Headers, c
    Ok(())
 }

-async fn create_send(data: SendData, user_uuid: String) -> ApiResult<Send> {
+fn create_send(data: SendData, user_uuid: String) -> ApiResult<Send> {
    let data_val = if data.Type == SendType::Text as i32 {
        data.Text
    } else if data.Type == SendType::File as i32 {
@@ -117,7 +124,7 @@ async fn create_send(data: SendData, user_uuid: String) -> ApiResult<Send> {
        );
    }

-    let mut send = Send::new(data.Type, data.Name, data_str, data.Key, data.DeletionDate.naive_utc()).await;
+    let mut send = Send::new(data.Type, data.Name, data_str, data.Key, data.DeletionDate.naive_utc());
    send.user_uuid = Some(user_uuid);
    send.notes = data.Notes;
    send.max_access_count = match data.MaxAccessCount {
@@ -171,9 +178,9 @@ async fn post_send(data: JsonUpcase<SendData>, headers: Headers, conn: DbConn, n
        err!("File sends should use /api/sends/file")
    }

-    let mut send = create_send(data, headers.user.uuid).await?;
+    let mut send = create_send(data, headers.user.uuid)?;
    send.save(&conn).await?;
-    nt.send_send_update(UpdateType::SyncSendCreate, &send, &send.update_users_revision(&conn).await);
+    nt.send_send_update(UpdateType::SyncSendCreate, &send, &send.update_users_revision(&conn).await).await;

    Ok(Json(send.to_json()))
 }
@@ -184,6 +191,14 @@ struct UploadData<'f> {
    data: TempFile<'f>,
 }

+#[derive(FromForm)]
+struct UploadDataV2<'f> {
+    data: TempFile<'f>,
+}
+
+// @deprecated Mar 25 2021: This method has been deprecated in favor of direct uploads (v2).
+// This method still exists to support older clients, probably need to remove it sometime.
+// Upstream: https://github.com/bitwarden/server/blob/d0c793c95181dfb1b447eb450f85ba0bfd7ef643/src/Api/Controllers/SendsController.cs#L164-L167
 #[post("/sends/file", format = "multipart/form-data", data = "<data>")]
 async fn post_send_file(data: Form<UploadData<'_>>, headers: Headers, conn: DbConn, nt: Notify<'_>) -> JsonResult {
    enforce_disable_send_policy(&headers, &conn).await?;
@@ -196,9 +211,6 @@ async fn post_send_file(data: Form<UploadData<'_>>, headers: Headers, conn: DbCo

    enforce_disable_hide_email_policy(&model, &headers, &conn).await?;

-    // Get the file length and add an extra 5% to avoid issues
-    const SIZE_525_MB: u64 = 550_502_400;
-
    let size_limit = match CONFIG.user_attachment_limit() {
        Some(0) => err!("File uploads are disabled"),
        Some(limit_kb) => {
@@ -211,11 +223,24 @@ async fn post_send_file(data: Form<UploadData<'_>>, headers: Headers, conn: DbCo
        None => SIZE_525_MB,
    };

-    let mut send = create_send(model, headers.user.uuid).await?;
+    let mut send = create_send(model, headers.user.uuid)?;
    if send.atype != SendType::File as i32 {
        err!("Send content is not a file");
    }

+    // There is a bug regarding uploading attachments/sends using the Mobile clients
+    // See: https://github.com/dani-garcia/vaultwarden/issues/2644 && https://github.com/bitwarden/mobile/issues/2018
+    // This has been fixed via a PR: https://github.com/bitwarden/mobile/pull/2031, but hasn't landed in a new release yet.
+    // On the vaultwarden side this is temporarily fixed by using a custom multer library
+    // See: https://github.com/dani-garcia/vaultwarden/pull/2675
+    // In any case we will match TempFile::File and not TempFile::Buffered, since Buffered will alter the contents.
+    if let TempFile::Buffered {
+        content: _,
+    } = &data
+    {
+        err!("Error reading send file data. Please try an other client.");
+    }
+
    let size = data.len();
    if size > size_limit {
        err!("Attachment storage limit exceeded with this file");
@@ -225,7 +250,10 @@ async fn post_send_file(data: Form<UploadData<'_>>, headers: Headers, conn: DbCo
    let folder_path = tokio::fs::canonicalize(&CONFIG.sends_folder()).await?.join(&send.uuid);
    let file_path = folder_path.join(&file_id);
    tokio::fs::create_dir_all(&folder_path).await?;
-    data.persist_to(&file_path).await?;
+
+    if let Err(_err) = data.persist_to(&file_path).await {
+        data.move_copy_to(file_path).await?
+    }

    let mut data_value: Value = serde_json::from_str(&send.data)?;
    if let Some(o) = data_value.as_object_mut() {
@@ -237,11 +265,110 @@ async fn post_send_file(data: Form<UploadData<'_>>, headers: Headers, conn: DbCo

    // Save the changes in the database
    send.save(&conn).await?;
-    nt.send_send_update(UpdateType::SyncSendUpdate, &send, &send.update_users_revision(&conn).await);
+    nt.send_send_update(UpdateType::SyncSendCreate, &send, &send.update_users_revision(&conn).await).await;

    Ok(Json(send.to_json()))
 }

+// Upstream: https://github.com/bitwarden/server/blob/d0c793c95181dfb1b447eb450f85ba0bfd7ef643/src/Api/Controllers/SendsController.cs#L190
+#[post("/sends/file/v2", data = "<data>")]
+async fn post_send_file_v2(data: JsonUpcase<SendData>, headers: Headers, conn: DbConn) -> JsonResult {
+    enforce_disable_send_policy(&headers, &conn).await?;
+
+    let data = data.into_inner().data;
+
+    if data.Type != SendType::File as i32 {
+        err!("Send content is not a file");
+    }
+
+    enforce_disable_hide_email_policy(&data, &headers, &conn).await?;
+
+    let file_length = match &data.FileLength {
+        Some(m) => Some(m.into_i32()?),
+        _ => None,
+    };
+
+    let size_limit = match CONFIG.user_attachment_limit() {
+        Some(0) => err!("File uploads are disabled"),
+        Some(limit_kb) => {
+            let left = (limit_kb * 1024) - Attachment::size_by_user(&headers.user.uuid, &conn).await;
+            if left <= 0 {
+                err!("Attachment storage limit reached! Delete some attachments to free up space")
+            }
+            std::cmp::Ord::max(left as u64, SIZE_525_MB)
+        }
+        None => SIZE_525_MB,
+    };
+
+    if file_length.is_some() && file_length.unwrap() as u64 > size_limit {
+        err!("Attachment storage limit exceeded with this file");
+    }
+
+    let mut send = create_send(data, headers.user.uuid)?;
+
+    let file_id = crate::crypto::generate_send_id();
+
+    let mut data_value: Value = serde_json::from_str(&send.data)?;
+    if let Some(o) = data_value.as_object_mut() {
+        o.insert(String::from("Id"), Value::String(file_id.clone()));
+        o.insert(String::from("Size"), Value::Number(file_length.unwrap().into()));
+        o.insert(String::from("SizeName"), Value::String(crate::util::get_display_size(file_length.unwrap())));
+    }
+    send.data = serde_json::to_string(&data_value)?;
+    send.save(&conn).await?;
+
+    Ok(Json(json!({
+        "fileUploadType": 0, // 0 == Direct | 1 == Azure
+        "object": "send-fileUpload",
+        "url": format!("/sends/{}/file/{}", send.uuid, file_id),
+        "sendResponse": send.to_json()
+    })))
+}
+
+// https://github.com/bitwarden/server/blob/d0c793c95181dfb1b447eb450f85ba0bfd7ef643/src/Api/Controllers/SendsController.cs#L243
+#[post("/sends/<send_uuid>/file/<file_id>", format = "multipart/form-data", data = "<data>")]
+async fn post_send_file_v2_data(
+    send_uuid: String,
+    file_id: String,
+    data: Form<UploadDataV2<'_>>,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify<'_>,
+) -> EmptyResult {
+    enforce_disable_send_policy(&headers, &conn).await?;
+
+    let mut data = data.into_inner();
+
+    // There is a bug regarding uploading attachments/sends using the Mobile clients
+    // See: https://github.com/dani-garcia/vaultwarden/issues/2644 && https://github.com/bitwarden/mobile/issues/2018
+    // This has been fixed via a PR: https://github.com/bitwarden/mobile/pull/2031, but hasn't landed in a new release yet.
+    // On the vaultwarden side this is temporarily fixed by using a custom multer library
+    // See: https://github.com/dani-garcia/vaultwarden/pull/2675
+    // In any case we will match TempFile::File and not TempFile::Buffered, since Buffered will alter the contents.
+    if let TempFile::Buffered {
+        content: _,
+    } = &data.data
+    {
+        err!("Error reading attachment data. Please try an other client.");
+    }
+
+    if let Some(send) = Send::find_by_uuid(&send_uuid, &conn).await {
+        let folder_path = tokio::fs::canonicalize(&CONFIG.sends_folder()).await?.join(&send_uuid);
+        let file_path = folder_path.join(&file_id);
+        tokio::fs::create_dir_all(&folder_path).await?;
+
+        if let Err(_err) = data.data.persist_to(&file_path).await {
+            data.data.move_copy_to(file_path).await?
+        }
+
+        nt.send_send_update(UpdateType::SyncSendCreate, &send, &send.update_users_revision(&conn).await).await;
+    } else {
+        err!("Send not found. Unable to save the file.");
+    }
+
+    Ok(())
+}
+
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 pub struct SendAccessData {
@@ -418,7 +545,7 @@ async fn put_send(
    }

    send.save(&conn).await?;
-    nt.send_send_update(UpdateType::SyncSendUpdate, &send, &send.update_users_revision(&conn).await);
+    nt.send_send_update(UpdateType::SyncSendUpdate, &send, &send.update_users_revision(&conn).await).await;

    Ok(Json(send.to_json()))
 }
@@ -435,7 +562,7 @@ async fn delete_send(id: String, headers: Headers, conn: DbConn, nt: Notify<'_>)
    }

    send.delete(&conn).await?;
-    nt.send_send_update(UpdateType::SyncSendDelete, &send, &send.update_users_revision(&conn).await);
+    nt.send_send_update(UpdateType::SyncSendDelete, &send, &send.update_users_revision(&conn).await).await;

    Ok(())
 }
@@ -455,7 +582,7 @@ async fn put_remove_password(id: String, headers: Headers, conn: DbConn, nt: Not

    send.set_password(None);
    send.save(&conn).await?;
-    nt.send_send_update(UpdateType::SyncSendUpdate, &send, &send.update_users_revision(&conn).await);
+    nt.send_send_update(UpdateType::SyncSendUpdate, &send, &send.update_users_revision(&conn).await).await;

    Ok(Json(send.to_json()))
 }
--- a/src/api/core/two_factor/authenticator.rs
+++ b/src/api/core/two_factor/authenticator.rs
@@ -139,7 +139,7 @@ pub async fn validate_totp_code(
    // The amount of steps back and forward in time
    // Also check if we need to disable time drifted TOTP codes.
    // If that is the case, we set the steps to 0 so only the current TOTP is valid.
-    let steps = !CONFIG.authenticator_disable_time_drift() as i64;
+    let steps = i64::from(!CONFIG.authenticator_disable_time_drift());

    // Get the current system time in UNIX Epoch (UTC)
    let current_time = chrono::Utc::now();
@@ -154,7 +154,7 @@ pub async fn validate_totp_code(
        let generated = totp_custom::<Sha1>(30, 6, &decoded_secret, time);

        // Check the the given code equals the generated and if the time_step is larger then the one last used.
-        if generated == totp_code && time_step > twofactor.last_used as i64 {
+        if generated == totp_code && time_step > i64::from(twofactor.last_used) {
            // If the step does not equals 0 the time is drifted either server or client side.
            if step != 0 {
                warn!("TOTP Time drift detected. The step offset is {}", step);
@@ -165,7 +165,7 @@ pub async fn validate_totp_code(
            twofactor.last_used = time_step as i32;
            twofactor.save(conn).await?;
            return Ok(());
-        } else if generated == totp_code && time_step <= twofactor.last_used as i64 {
+        } else if generated == totp_code && time_step <= i64::from(twofactor.last_used) {
            warn!("This TOTP or a TOTP code within {} steps back or forward has already been used!", steps);
            err!(format!("Invalid TOTP code! Server time: {} IP: {}", current_time.format("%F %T UTC"), ip.ip));
        }
--- a/src/api/core/two_factor/email.rs
+++ b/src/api/core/two_factor/email.rs
@@ -66,7 +66,7 @@ pub async fn send_token(user_uuid: &str, conn: &DbConn) -> EmptyResult {
    twofactor.data = twofactor_data.to_json();
    twofactor.save(conn).await?;

-    mail::send_token(&twofactor_data.email, &twofactor_data.last_token.map_res("Token is empty")?)?;
+    mail::send_token(&twofactor_data.email, &twofactor_data.last_token.map_res("Token is empty")?).await?;

    Ok(())
 }
@@ -132,7 +132,7 @@ async fn send_email(data: JsonUpcase<SendEmailData>, headers: Headers, conn: DbC
    let twofactor = TwoFactor::new(user.uuid, TwoFactorType::EmailVerificationChallenge, twofactor_data.to_json());
    twofactor.save(&conn).await?;

-    mail::send_token(&twofactor_data.email, &twofactor_data.last_token.map_res("Token is empty")?)?;
+    mail::send_token(&twofactor_data.email, &twofactor_data.last_token.map_res("Token is empty")?).await?;

    Ok(())
 }
--- a/src/api/core/two_factor/mod.rs
+++ b/src/api/core/two_factor/mod.rs
@@ -19,7 +19,14 @@ pub mod webauthn;
 pub mod yubikey;

 pub fn routes() -> Vec<Route> {
-    let mut routes = routes![get_twofactor, get_recover, recover, disable_twofactor, disable_twofactor_put,];
+    let mut routes = routes![
+        get_twofactor,
+        get_recover,
+        recover,
+        disable_twofactor,
+        disable_twofactor_put,
+        get_device_verification_settings,
+    ];

    routes.append(&mut authenticator::routes());
    routes.append(&mut duo::routes());
@@ -138,7 +145,7 @@ async fn disable_twofactor(data: JsonUpcase<DisableTwoFactorData>, headers: Head
            if user_org.atype < UserOrgType::Admin {
                if CONFIG.mail_enabled() {
                    let org = Organization::find_by_uuid(&user_org.org_uuid, &conn).await.unwrap();
-                    mail::send_2fa_removed_from_org(&user.email, &org.name)?;
+                    mail::send_2fa_removed_from_org(&user.email, &org.name).await?;
                }
                user_org.delete(&conn).await?;
            }
@@ -183,7 +190,26 @@ pub async fn send_incomplete_2fa_notifications(pool: DbPool) {
            user.email, login.ip_address
        );
        mail::send_incomplete_2fa_login(&user.email, &login.ip_address, &login.login_time, &login.device_name)
+            .await
            .expect("Error sending incomplete 2FA email");
        login.delete(&conn).await.expect("Error deleting incomplete 2FA record");
    }
 }
+
+// This function currently is just a dummy and the actual part is not implemented yet.
+// This also prevents 404 errors.
+//
+// See the following Bitwarden PR's regarding this feature.
+// https://github.com/bitwarden/clients/pull/2843
+// https://github.com/bitwarden/clients/pull/2839
+// https://github.com/bitwarden/server/pull/2016
+//
+// The HTML part is hidden via the CSS patches done via the bw_web_build repo
+#[get("/two-factor/get-device-verification-settings")]
+fn get_device_verification_settings(_headers: Headers, _conn: DbConn) -> Json<Value> {
+    Json(json!({
+        "isDeviceVerificationSectionEnabled":false,
+        "unknownDeviceVerificationEnabled":false,
+        "object":"deviceVerificationSettings"
+    }))
+}
--- a/src/api/core/two_factor/yubikey.rs
+++ b/src/api/core/two_factor/yubikey.rs
@@ -147,7 +147,7 @@ async fn activate_yubikey(data: JsonUpcase<EnableYubikeyData>, headers: Headers,
        verify_yubikey_otp(yubikey.to_owned()).map_res("Invalid Yubikey OTP provided")?;
    }

-    let yubikey_ids: Vec<String> = yubikeys.into_iter().map(|x| (&x[..12]).to_owned()).collect();
+    let yubikey_ids: Vec<String> = yubikeys.into_iter().map(|x| (x[..12]).to_owned()).collect();

    let yubikey_metadata = YubikeyMetadata {
        Keys: yubikey_ids,
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -1,5 +1,4 @@
 use std::{
-    collections::HashMap,
    net::IpAddr,
    sync::Arc,
    time::{Duration, SystemTime},
@@ -18,10 +17,9 @@ use tokio::{
    fs::{create_dir_all, remove_file, symlink_metadata, File},
    io::{AsyncReadExt, AsyncWriteExt},
    net::lookup_host,
-    sync::RwLock,
 };

-use html5gum::{Emitter, EndTag, InfallibleTokenizer, Readable, StartTag, StringReader, Tokenizer};
+use html5gum::{Emitter, EndTag, HtmlString, InfallibleTokenizer, Readable, StartTag, StringReader, Tokenizer};

 use crate::{
    error::Error,
@@ -32,10 +30,7 @@ use crate::{
 pub fn routes() -> Vec<Route> {
    match CONFIG.icon_service().as_str() {
        "internal" => routes![icon_internal],
-        "bitwarden" => routes![icon_bitwarden],
-        "duckduckgo" => routes![icon_duckduckgo],
-        "google" => routes![icon_google],
-        _ => routes![icon_custom],
+        _ => routes![icon_external],
    }
 }

@@ -53,7 +48,7 @@ static CLIENT: Lazy<Client> = Lazy::new(|| {

    // Reuse the client between requests
    let client = get_reqwest_client_builder()
-        .cookie_provider(cookie_store.clone())
+        .cookie_provider(Arc::clone(&cookie_store))
        .timeout(Duration::from_secs(CONFIG.icon_download_timeout()))
        .default_headers(default_headers.clone());

@@ -76,10 +71,10 @@ static CLIENT: Lazy<Client> = Lazy::new(|| {
 static ICON_SIZE_REGEX: Lazy<Regex> = Lazy::new(|| Regex::new(r"(?x)(\d+)\D*(\d+)").unwrap());

 // Special HashMap which holds the user defined Regex to speedup matching the regex.
-static ICON_BLACKLIST_REGEX: Lazy<RwLock<HashMap<String, Regex>>> = Lazy::new(|| RwLock::new(HashMap::new()));
+static ICON_BLACKLIST_REGEX: Lazy<dashmap::DashMap<String, Regex>> = Lazy::new(dashmap::DashMap::new);

 async fn icon_redirect(domain: &str, template: &str) -> Option<Redirect> {
-    if !is_valid_domain(domain).await {
+    if !is_valid_domain(domain) {
        warn!("Invalid domain: {}", domain);
        return None;
    }
@@ -102,30 +97,15 @@ async fn icon_redirect(domain: &str, template: &str) -> Option<Redirect> {
 }

 #[get("/<domain>/icon.png")]
-async fn icon_custom(domain: String) -> Option<Redirect> {
-    icon_redirect(&domain, &CONFIG.icon_service()).await
-}
-
-#[get("/<domain>/icon.png")]
-async fn icon_bitwarden(domain: String) -> Option<Redirect> {
-    icon_redirect(&domain, "https://icons.bitwarden.net/{}/icon.png").await
-}
-
-#[get("/<domain>/icon.png")]
-async fn icon_duckduckgo(domain: String) -> Option<Redirect> {
-    icon_redirect(&domain, "https://icons.duckduckgo.com/ip3/{}.ico").await
-}
-
-#[get("/<domain>/icon.png")]
-async fn icon_google(domain: String) -> Option<Redirect> {
-    icon_redirect(&domain, "https://www.google.com/s2/favicons?domain={}&sz=32").await
+async fn icon_external(domain: String) -> Option<Redirect> {
+    icon_redirect(&domain, &CONFIG._icon_service_url()).await
 }

 #[get("/<domain>/icon.png")]
 async fn icon_internal(domain: String) -> Cached<(ContentType, Vec<u8>)> {
    const FALLBACK_ICON: &[u8] = include_bytes!("../static/images/fallback-icon.png");

-    if !is_valid_domain(&domain).await {
+    if !is_valid_domain(&domain) {
        warn!("Invalid domain: {}", domain);
        return Cached::ttl(
            (ContentType::new("image", "png"), FALLBACK_ICON.to_vec()),
@@ -146,7 +126,7 @@ async fn icon_internal(domain: String) -> Cached<(ContentType, Vec<u8>)> {
 ///
 /// This does some manual checks and makes use of Url to do some basic checking.
 /// domains can't be larger then 63 characters (not counting multiple subdomains) according to the RFC's, but we limit the total size to 255.
-async fn is_valid_domain(domain: &str) -> bool {
+fn is_valid_domain(domain: &str) -> bool {
    const ALLOWED_CHARS: &str = "_-.";

    // If parsing the domain fails using Url, it will not work with reqwest.
@@ -280,6 +260,7 @@ mod tests {

 use cached::proc_macro::cached;
 #[cached(key = "String", convert = r#"{ domain.to_string() }"#, size = 16, time = 60)]
+#[allow(clippy::unused_async)] // This is needed because cached causes a false-positive here.
 async fn is_domain_blacklisted(domain: &str) -> bool {
    if CONFIG.icon_blacklist_non_global_ips() {
        if let Ok(s) = lookup_host((domain, 0)).await {
@@ -293,32 +274,25 @@ async fn is_domain_blacklisted(domain: &str) -> bool {
    }

    if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
-        let mut regex_hashmap = ICON_BLACKLIST_REGEX.read().await;
-
        // Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.
-        let regex = if let Some(regex) = regex_hashmap.get(&blacklist) {
-            regex
+        let is_match = if let Some(regex) = ICON_BLACKLIST_REGEX.get(&blacklist) {
+            regex.is_match(domain)
        } else {
-            drop(regex_hashmap);
-
-            let mut regex_hashmap_write = ICON_BLACKLIST_REGEX.write().await;
            // Clear the current list if the previous key doesn't exists.
            // To prevent growing of the HashMap after someone has changed it via the admin interface.
-            if regex_hashmap_write.len() >= 1 {
-                regex_hashmap_write.clear();
+            if ICON_BLACKLIST_REGEX.len() >= 1 {
+                ICON_BLACKLIST_REGEX.clear();
            }

            // Generate the regex to store in too the Lazy Static HashMap.
-            let blacklist_regex = Regex::new(&blacklist);
-            regex_hashmap_write.insert(blacklist.to_string(), blacklist_regex.unwrap());
-            drop(regex_hashmap_write);
+            let blacklist_regex = Regex::new(&blacklist).unwrap();
+            let is_match = blacklist_regex.is_match(domain);
+            ICON_BLACKLIST_REGEX.insert(blacklist.clone(), blacklist_regex);

-            regex_hashmap = ICON_BLACKLIST_REGEX.read().await;
-            regex_hashmap.get(&blacklist).unwrap()
+            is_match
        };

-        // Use the pre-generate Regex stored in a Lazy HashMap.
-        if regex.is_match(domain) {
+        if is_match {
            debug!("Blacklisted domain: {} matched ICON_BLACKLIST_REGEX", domain);
            return true;
        }
@@ -335,7 +309,7 @@ async fn get_icon(domain: &str) -> Option<(Vec<u8>, String)> {
    }

    if let Some(icon) = get_cached_icon(&path).await {
-        let icon_type = match get_icon_type(&icon).await {
+        let icon_type = match get_icon_type(&icon) {
            Some(x) => x,
            _ => "x-icon",
        };
@@ -425,7 +399,7 @@ impl Icon {
    }
 }

-async fn get_favicons_node(
+fn get_favicons_node(
    dom: InfallibleTokenizer<StringReader<'_>, FaviconEmitter>,
    icons: &mut Vec<Icon>,
    url: &url::Url,
@@ -442,7 +416,7 @@ async fn get_favicons_node(
    for token in dom {
        match token {
            FaviconToken::StartTag(tag) => {
-                if tag.name == TAG_LINK
+                if *tag.name == TAG_LINK
                    && tag.attributes.contains_key(ATTR_REL)
                    && tag.attributes.contains_key(ATTR_HREF)
                {
@@ -452,7 +426,7 @@ async fn get_favicons_node(
                    if rel_value.contains("icon") && !rel_value.contains("mask-icon") {
                        icon_tags.push(tag);
                    }
-                } else if tag.name == TAG_BASE && tag.attributes.contains_key(ATTR_HREF) {
+                } else if *tag.name == TAG_BASE && tag.attributes.contains_key(ATTR_HREF) {
                    let href = std::str::from_utf8(tag.attributes.get(ATTR_HREF).unwrap()).unwrap_or_default();
                    debug!("Found base href: {href}");
                    base_url = match base_url.join(href) {
@@ -462,7 +436,7 @@ async fn get_favicons_node(
                }
            }
            FaviconToken::EndTag(tag) => {
-                if tag.name == TAG_HEAD {
+                if *tag.name == TAG_HEAD {
                    break;
                }
            }
@@ -477,7 +451,7 @@ async fn get_favicons_node(
                } else {
                    ""
                };
-                let priority = get_icon_priority(full_href.as_str(), sizes).await;
+                let priority = get_icon_priority(full_href.as_str(), sizes);
                icons.push(Icon::new(priority, full_href.to_string()));
            }
        };
@@ -521,7 +495,7 @@ async fn get_icon_url(domain: &str) -> Result<IconUrlResult, Error> {
                    tld = domain_parts.next_back().unwrap(),
                    base = domain_parts.next_back().unwrap()
                );
-                if is_valid_domain(&base_domain).await {
+                if is_valid_domain(&base_domain) {
                    let sslbase = format!("https://{base_domain}");
                    let httpbase = format!("http://{base_domain}");
                    debug!("[get_icon_url]: Trying without subdomains '{base_domain}'");
@@ -532,7 +506,7 @@ async fn get_icon_url(domain: &str) -> Result<IconUrlResult, Error> {
            // When the domain is not an IP, and has less then 2 dots, try to add www. infront of it.
            } else if is_ip.is_err() && domain.matches('.').count() < 2 {
                let www_domain = format!("www.{domain}");
-                if is_valid_domain(&www_domain).await {
+                if is_valid_domain(&www_domain) {
                    let sslwww = format!("https://{www_domain}");
                    let httpwww = format!("http://{www_domain}");
                    debug!("[get_icon_url]: Trying with www. prefix '{www_domain}'");
@@ -564,7 +538,7 @@ async fn get_icon_url(domain: &str) -> Result<IconUrlResult, Error> {
        let limited_reader = stream_to_bytes_limit(content, 384 * 1024).await?.to_vec();

        let dom = Tokenizer::new_with_emitter(limited_reader.to_reader(), FaviconEmitter::default()).infallible();
-        get_favicons_node(dom, &mut iconlist, &url).await;
+        get_favicons_node(dom, &mut iconlist, &url);
    } else {
        // Add the default favicon.ico to the list with just the given domain
        iconlist.push(Icon::new(35, format!("{ssldomain}/favicon.ico")));
@@ -612,12 +586,12 @@ async fn get_page_with_referer(url: &str, referer: &str) -> Result<Response, Err
 ///
 /// # Example
 /// ```
-/// priority1 = get_icon_priority("http://example.com/path/to/a/favicon.png", "32x32").await;
-/// priority2 = get_icon_priority("https://example.com/path/to/a/favicon.ico", "").await;
+/// priority1 = get_icon_priority("http://example.com/path/to/a/favicon.png", "32x32");
+/// priority2 = get_icon_priority("https://example.com/path/to/a/favicon.ico", "");
 /// ```
-async fn get_icon_priority(href: &str, sizes: &str) -> u8 {
+fn get_icon_priority(href: &str, sizes: &str) -> u8 {
    // Check if there is a dimension set
-    let (width, height) = parse_sizes(sizes).await;
+    let (width, height) = parse_sizes(sizes);

    // Check if there is a size given
    if width != 0 && height != 0 {
@@ -659,11 +633,11 @@ async fn get_icon_priority(href: &str, sizes: &str) -> u8 {
 ///
 /// # Example
 /// ```
-/// let (width, height) = parse_sizes("64x64").await; // (64, 64)
-/// let (width, height) = parse_sizes("x128x128").await; // (128, 128)
-/// let (width, height) = parse_sizes("32").await; // (0, 0)
+/// let (width, height) = parse_sizes("64x64"); // (64, 64)
+/// let (width, height) = parse_sizes("x128x128"); // (128, 128)
+/// let (width, height) = parse_sizes("32"); // (0, 0)
 /// ```
-async fn parse_sizes(sizes: &str) -> (u16, u16) {
+fn parse_sizes(sizes: &str) -> (u16, u16) {
    let mut width: u16 = 0;
    let mut height: u16 = 0;

@@ -707,7 +681,7 @@ async fn download_icon(domain: &str) -> Result<(Bytes, Option<&str>), Error> {
                    // Also check if the size is atleast 67 bytes, which seems to be the smallest png i could create
                    if body.len() >= 67 {
                        // Check if the icon type is allowed, else try an icon from the list.
-                        icon_type = get_icon_type(&body).await;
+                        icon_type = get_icon_type(&body);
                        if icon_type.is_none() {
                            debug!("Icon from {} data:image uri, is not a valid image type", domain);
                            continue;
@@ -725,7 +699,7 @@ async fn download_icon(domain: &str) -> Result<(Bytes, Option<&str>), Error> {
                    buffer = stream_to_bytes_limit(res, 5120 * 1024).await?; // 5120KB/5MB for each icon max (Same as icons.bitwarden.net)

                    // Check if the icon type is allowed, else try an icon from the list.
-                    icon_type = get_icon_type(&buffer).await;
+                    icon_type = get_icon_type(&buffer);
                    if icon_type.is_none() {
                        buffer.clear();
                        debug!("Icon from {}, is not a valid image type", icon.href);
@@ -760,7 +734,7 @@ async fn save_icon(path: &str, icon: &[u8]) {
    }
 }

-async fn get_icon_type(bytes: &[u8]) -> Option<&'static str> {
+fn get_icon_type(bytes: &[u8]) -> Option<&'static str> {
    match bytes {
        [137, 80, 78, 71, ..] => Some("png"),
        [0, 0, 1, 0, ..] => Some("x-icon"),
@@ -839,17 +813,18 @@ impl reqwest::cookie::CookieStore for Jar {
 /// Therefor parsing the HTML content is faster.
 use std::collections::{BTreeSet, VecDeque};

+#[derive(Debug)]
 enum FaviconToken {
    StartTag(StartTag),
    EndTag(EndTag),
 }

-#[derive(Default)]
+#[derive(Default, Debug)]
 struct FaviconEmitter {
    current_token: Option<FaviconToken>,
-    last_start_tag: Vec<u8>,
-    current_attribute: Option<(Vec<u8>, Vec<u8>)>,
-    seen_attributes: BTreeSet<Vec<u8>>,
+    last_start_tag: HtmlString,
+    current_attribute: Option<(HtmlString, HtmlString)>,
+    seen_attributes: BTreeSet<HtmlString>,
    emitted_tokens: VecDeque<FaviconToken>,
 }

@@ -896,18 +871,38 @@ impl Emitter for FaviconEmitter {
        self.seen_attributes.clear();
    }

-    fn emit_current_tag(&mut self) {
+    fn emit_current_tag(&mut self) -> Option<html5gum::State> {
        self.flush_current_attribute();
        let mut token = self.current_token.take().unwrap();
+        let mut emit = false;
        match token {
-            FaviconToken::EndTag(_) => {
+            FaviconToken::EndTag(ref mut tag) => {
+                // Always clean seen attributes
                self.seen_attributes.clear();
+
+                // Only trigger an emit for the </head> tag.
+                // This is matched, and will break the for-loop.
+                if *tag.name == b"head" {
+                    emit = true;
+                }
            }
            FaviconToken::StartTag(ref mut tag) => {
-                self.set_last_start_tag(Some(&tag.name));
+                // Only trriger an emit for <link> and <base> tags.
+                // These are the only tags we want to parse.
+                if *tag.name == b"link" || *tag.name == b"base" {
+                    self.set_last_start_tag(Some(&tag.name));
+                    emit = true;
+                } else {
+                    self.set_last_start_tag(None);
+                }
            }
        }
-        self.emit_token(token);
+
+        // Only emit the tags we want to parse.
+        if emit {
+            self.emit_token(token);
+        }
+        None
    }

    fn push_tag_name(&mut self, s: &[u8]) {
@@ -930,7 +925,7 @@ impl Emitter for FaviconEmitter {

    fn init_attribute(&mut self) {
        self.flush_current_attribute();
-        self.current_attribute = Some((Vec::new(), Vec::new()));
+        self.current_attribute = Some(Default::default());
    }

    fn push_attribute_name(&mut self, s: &[u8]) {
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -135,7 +135,7 @@ async fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> Json
                    error!("Error updating user: {:#?}", e);
                }

-                if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
+                if let Err(e) = mail::send_verify_email(&user.email, &user.uuid).await {
                    error!("Error auto-sending email verification email: {:#?}", e);
                }
            }
@@ -150,7 +150,7 @@ async fn _password_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> Json
    let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, ip, &conn).await?;

    if CONFIG.mail_enabled() && new_device {
-        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device.name) {
+        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device.name).await {
            error!("Error sending new device email: {:#?}", e);

            if CONFIG.require_device_email() {
@@ -225,7 +225,7 @@ async fn _api_key_login(data: ConnectData, conn: DbConn, ip: &ClientIp) -> JsonR

    if CONFIG.mail_enabled() && new_device {
        let now = Utc::now().naive_utc();
-        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device.name) {
+        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device.name).await {
            error!("Error sending new device email: {:#?}", e);

            if CONFIG.require_device_email() {
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -10,6 +10,7 @@ use serde_json::Value;

 pub use crate::api::{
    admin::routes as admin_routes,
+    core::catchers as core_catchers,
    core::purge_sends,
    core::purge_trashed_ciphers,
    core::routes as core_routes,
@@ -19,6 +20,7 @@ pub use crate::api::{
    identity::routes as identity_routes,
    notifications::routes as notifications_routes,
    notifications::{start_notification_server, Notify, UpdateType},
+    web::catchers as web_catchers,
    web::routes as web_routes,
 };
 use crate::util;
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@@ -1,19 +1,41 @@
-use std::sync::atomic::{AtomicBool, Ordering};
+use std::{
+    net::SocketAddr,
+    sync::{
+        atomic::{AtomicBool, Ordering},
+        Arc,
+    },
+    time::Duration,
+};

-use rocket::serde::json::Json;
-use rocket::Route;
+use chrono::NaiveDateTime;
+use futures::{SinkExt, StreamExt};
+use rmpv::Value;
+use rocket::{serde::json::Json, Route};
 use serde_json::Value as JsonValue;
+use tokio::{
+    net::{TcpListener, TcpStream},
+    sync::mpsc::Sender,
+};
+use tokio_tungstenite::{
+    accept_hdr_async,
+    tungstenite::{handshake, Message},
+};

-use crate::{api::EmptyResult, auth::Headers, Error, CONFIG};
+use crate::{
+    api::EmptyResult,
+    auth::Headers,
+    db::models::{Cipher, Folder, Send, User},
+    Error, CONFIG,
+};

 pub fn routes() -> Vec<Route> {
    routes![negotiate, websockets_err]
 }

-static SHOW_WEBSOCKETS_MSG: AtomicBool = AtomicBool::new(true);
-
 #[get("/hub")]
 fn websockets_err() -> EmptyResult {
+    static SHOW_WEBSOCKETS_MSG: AtomicBool = AtomicBool::new(true);
+
    if CONFIG.websocket_enabled()
        && SHOW_WEBSOCKETS_MSG.compare_exchange(true, false, Ordering::Relaxed, Ordering::Relaxed).is_ok()
    {
@@ -55,19 +77,6 @@ fn negotiate(_headers: Headers) -> Json<JsonValue> {
 //
 // Websockets server
 //
-use std::io;
-use std::sync::Arc;
-use std::thread;
-
-use ws::{self, util::Token, Factory, Handler, Handshake, Message, Sender};
-
-use chashmap::CHashMap;
-use chrono::NaiveDateTime;
-use serde_json::from_str;
-
-use crate::db::models::{Cipher, Folder, Send, User};
-
-use rmpv::Value;

 fn serialize(val: Value) -> Vec<u8> {
    use rmpv::encode::write_value;
@@ -118,192 +127,49 @@ fn convert_option<T: Into<Value>>(option: Option<T>) -> Value {
    }
 }

-// Server WebSocket handler
-pub struct WsHandler {
-    out: Sender,
-    user_uuid: Option<String>,
-    users: WebSocketUsers,
-}
-
 const RECORD_SEPARATOR: u8 = 0x1e;
 const INITIAL_RESPONSE: [u8; 3] = [0x7b, 0x7d, RECORD_SEPARATOR]; // {, }, <RS>

-#[derive(Deserialize)]
-struct InitialMessage {
-    protocol: String,
+#[derive(Deserialize, Copy, Clone, Eq, PartialEq)]
+struct InitialMessage<'a> {
+    protocol: &'a str,
    version: i32,
 }

-const PING_MS: u64 = 15_000;
-const PING: Token = Token(1);
-
-const ACCESS_TOKEN_KEY: &str = "access_token=";
-
-impl WsHandler {
-    fn err(&self, msg: &'static str) -> ws::Result<()> {
-        self.out.close(ws::CloseCode::Invalid)?;
-
-        // We need to specifically return an IO error so ws closes the connection
-        let io_error = io::Error::from(io::ErrorKind::InvalidData);
-        Err(ws::Error::new(ws::ErrorKind::Io(io_error), msg))
-    }
-
-    fn get_request_token(&self, hs: Handshake) -> Option<String> {
-        use std::str::from_utf8;
-
-        // Verify we have a token header
-        if let Some(header_value) = hs.request.header("Authorization") {
-            if let Ok(converted) = from_utf8(header_value) {
-                if let Some(token_part) = converted.split("Bearer ").nth(1) {
-                    return Some(token_part.into());
-                }
-            }
-        };
-
-        // Otherwise verify the query parameter value
-        let path = hs.request.resource();
-        if let Some(params) = path.split('?').nth(1) {
-            let params_iter = params.split('&').take(1);
-            for val in params_iter {
-                if let Some(stripped) = val.strip_prefix(ACCESS_TOKEN_KEY) {
-                    return Some(stripped.into());
-                }
-            }
-        };
-
-        None
-    }
-}
-
-impl Handler for WsHandler {
-    fn on_open(&mut self, hs: Handshake) -> ws::Result<()> {
-        // Path == "/notifications/hub?id=<id>==&access_token=<access_token>"
-        //
-        // We don't use `id`, and as of around 2020-03-25, the official clients
-        // no longer seem to pass `id` (only `access_token`).
-
-        // Get user token from header or query parameter
-        let access_token = match self.get_request_token(hs) {
-            Some(token) => token,
-            _ => return self.err("Missing access token"),
-        };
-
-        // Validate the user
-        use crate::auth;
-        let claims = match auth::decode_login(access_token.as_str()) {
-            Ok(claims) => claims,
-            Err(_) => return self.err("Invalid access token provided"),
-        };
-
-        // Assign the user to the handler
-        let user_uuid = claims.sub;
-        self.user_uuid = Some(user_uuid.clone());
-
-        // Add the current Sender to the user list
-        let handler_insert = self.out.clone();
-        let handler_update = self.out.clone();
-
-        self.users.map.upsert(user_uuid, || vec![handler_insert], |ref mut v| v.push(handler_update));
-
-        // Schedule a ping to keep the connection alive
-        self.out.timeout(PING_MS, PING)
-    }
-
-    fn on_message(&mut self, msg: Message) -> ws::Result<()> {
-        if let Message::Text(text) = msg.clone() {
-            let json = &text[..text.len() - 1]; // Remove last char
-
-            if let Ok(InitialMessage {
-                protocol,
-                version,
-            }) = from_str::<InitialMessage>(json)
-            {
-                if &protocol == "messagepack" && version == 1 {
-                    return self.out.send(&INITIAL_RESPONSE[..]); // Respond to initial message
-                }
-            }
-        }
-
-        // If it's not the initial message, just echo the message
-        self.out.send(msg)
-    }
-
-    fn on_timeout(&mut self, event: Token) -> ws::Result<()> {
-        if event == PING {
-            // send ping
-            self.out.send(create_ping())?;
-
-            // reschedule the timeout
-            self.out.timeout(PING_MS, PING)
-        } else {
-            Ok(())
-        }
-    }
-}
-
-struct WsFactory {
-    pub users: WebSocketUsers,
-}
-
-impl WsFactory {
-    pub fn init() -> Self {
-        WsFactory {
-            users: WebSocketUsers {
-                map: Arc::new(CHashMap::new()),
-            },
-        }
-    }
-}
-
-impl Factory for WsFactory {
-    type Handler = WsHandler;
-
-    fn connection_made(&mut self, out: Sender) -> Self::Handler {
-        WsHandler {
-            out,
-            user_uuid: None,
-            users: self.users.clone(),
-        }
-    }
-
-    fn connection_lost(&mut self, handler: Self::Handler) {
-        // Remove handler
-        if let Some(user_uuid) = &handler.user_uuid {
-            if let Some(mut user_conn) = self.users.map.get_mut(user_uuid) {
-                if let Some(pos) = user_conn.iter().position(|x| x == &handler.out) {
-                    user_conn.remove(pos);
-                }
-            }
-        }
-    }
-}
+static INITIAL_MESSAGE: InitialMessage<'static> = InitialMessage {
+    protocol: "messagepack",
+    version: 1,
+};

+// We attach the UUID to the sender so we can differentiate them when we need to remove them from the Vec
+type UserSenders = (uuid::Uuid, Sender<Message>);
 #[derive(Clone)]
 pub struct WebSocketUsers {
-    map: Arc<CHashMap<String, Vec<Sender>>>,
+    map: Arc<dashmap::DashMap<String, Vec<UserSenders>>>,
 }

 impl WebSocketUsers {
-    fn send_update(&self, user_uuid: &str, data: &[u8]) -> ws::Result<()> {
-        if let Some(user) = self.map.get(user_uuid) {
-            for sender in user.iter() {
-                sender.send(data)?;
+    async fn send_update(&self, user_uuid: &str, data: &[u8]) {
+        if let Some(user) = self.map.get(user_uuid).map(|v| v.clone()) {
+            for (_, sender) in user.iter() {
+                if sender.send(Message::binary(data)).await.is_err() {
+                    // TODO: Delete from map here too?
+                }
            }
        }
-        Ok(())
    }

    // NOTE: The last modified date needs to be updated before calling these methods
-    pub fn send_user_update(&self, ut: UpdateType, user: &User) {
+    pub async fn send_user_update(&self, ut: UpdateType, user: &User) {
        let data = create_update(
            vec![("UserId".into(), user.uuid.clone().into()), ("Date".into(), serialize_date(user.updated_at))],
            ut,
        );

-        self.send_update(&user.uuid, &data).ok();
+        self.send_update(&user.uuid, &data).await;
    }

-    pub fn send_folder_update(&self, ut: UpdateType, folder: &Folder) {
+    pub async fn send_folder_update(&self, ut: UpdateType, folder: &Folder) {
        let data = create_update(
            vec![
                ("Id".into(), folder.uuid.clone().into()),
@@ -313,10 +179,10 @@ impl WebSocketUsers {
            ut,
        );

-        self.send_update(&folder.user_uuid, &data).ok();
+        self.send_update(&folder.user_uuid, &data).await;
    }

-    pub fn send_cipher_update(&self, ut: UpdateType, cipher: &Cipher, user_uuids: &[String]) {
+    pub async fn send_cipher_update(&self, ut: UpdateType, cipher: &Cipher, user_uuids: &[String]) {
        let user_uuid = convert_option(cipher.user_uuid.clone());
        let org_uuid = convert_option(cipher.organization_uuid.clone());

@@ -332,11 +198,11 @@ impl WebSocketUsers {
        );

        for uuid in user_uuids {
-            self.send_update(uuid, &data).ok();
+            self.send_update(uuid, &data).await;
        }
    }

-    pub fn send_send_update(&self, ut: UpdateType, send: &Send, user_uuids: &[String]) {
+    pub async fn send_send_update(&self, ut: UpdateType, send: &Send, user_uuids: &[String]) {
        let user_uuid = convert_option(send.user_uuid.clone());

        let data = create_update(
@@ -349,7 +215,7 @@ impl WebSocketUsers {
        );

        for uuid in user_uuids {
-            self.send_update(uuid, &data).ok();
+            self.send_update(uuid, &data).await;
        }
    }
 }
@@ -392,7 +258,7 @@ fn create_ping() -> Vec<u8> {
 }

 #[allow(dead_code)]
-#[derive(PartialEq)]
+#[derive(Eq, PartialEq)]
 pub enum UpdateType {
    CipherUpdate = 0,
    CipherCreate = 1,
@@ -416,27 +282,145 @@ pub enum UpdateType {
    None = 100,
 }

-use rocket::State;
-pub type Notify<'a> = &'a State<WebSocketUsers>;
+pub type Notify<'a> = &'a rocket::State<WebSocketUsers>;

 pub fn start_notification_server() -> WebSocketUsers {
-    let factory = WsFactory::init();
-    let users = factory.users.clone();
+    let users = WebSocketUsers {
+        map: Arc::new(dashmap::DashMap::new()),
+    };

    if CONFIG.websocket_enabled() {
-        thread::spawn(move || {
-            let mut settings = ws::Settings::default();
-            settings.max_connections = 500;
-            settings.queue_size = 2;
-            settings.panic_on_internal = false;
+        let users2 = users.clone();
+        tokio::spawn(async move {
+            let addr = (CONFIG.websocket_address(), CONFIG.websocket_port());
+            info!("Starting WebSockets server on {}:{}", addr.0, addr.1);
+            let listener = TcpListener::bind(addr).await.expect("Can't listen on websocket port");

-            let ws = ws::Builder::new().with_settings(settings).build(factory).unwrap();
-            CONFIG.set_ws_shutdown_handle(ws.broadcaster());
-            ws.listen((CONFIG.websocket_address().as_str(), CONFIG.websocket_port())).unwrap();
+            let (shutdown_tx, mut shutdown_rx) = tokio::sync::oneshot::channel::<()>();
+            CONFIG.set_ws_shutdown_handle(shutdown_tx);

-            warn!("WS Server stopped!");
+            loop {
+                tokio::select! {
+                    Ok((stream, addr)) = listener.accept() => {
+                        tokio::spawn(handle_connection(stream, users2.clone(), addr));
+                    }
+
+                    _ = &mut shutdown_rx => {
+                        break;
+                    }
+                }
+            }
+
+            info!("Shutting down WebSockets server!")
        });
    }

    users
 }
+
+async fn handle_connection(stream: TcpStream, users: WebSocketUsers, addr: SocketAddr) -> Result<(), Error> {
+    let mut user_uuid: Option<String> = None;
+
+    info!("Accepting WS connection from {addr}");
+
+    // Accept connection, do initial handshake, validate auth token and get the user ID
+    use handshake::server::{Request, Response};
+    let mut stream = accept_hdr_async(stream, |req: &Request, res: Response| {
+        if let Some(token) = get_request_token(req) {
+            if let Ok(claims) = crate::auth::decode_login(&token) {
+                user_uuid = Some(claims.sub);
+                return Ok(res);
+            }
+        }
+        Err(Response::builder().status(401).body(None).unwrap())
+    })
+    .await?;
+
+    let user_uuid = user_uuid.expect("User UUID should be set after the handshake");
+
+    // Add a channel to send messages to this client to the map
+    let entry_uuid = uuid::Uuid::new_v4();
+    let (tx, mut rx) = tokio::sync::mpsc::channel(100);
+    users.map.entry(user_uuid.clone()).or_default().push((entry_uuid, tx));
+
+    let mut interval = tokio::time::interval(Duration::from_secs(15));
+    loop {
+        tokio::select! {
+            res = stream.next() =>  {
+                match res {
+                    Some(Ok(message)) => {
+                        // Respond to any pings
+                        if let Message::Ping(ping) = message {
+                            if stream.send(Message::Pong(ping)).await.is_err() {
+                                break;
+                            }
+                            continue;
+                        } else if let Message::Pong(_) = message {
+                            /* Ignored */
+                            continue;
+                        }
+
+                        // We should receive an initial message with the protocol and version, and we will reply to it
+                        if let Message::Text(ref message) = message {
+                            let msg = message.strip_suffix(RECORD_SEPARATOR as char).unwrap_or(message);
+
+                            if serde_json::from_str(msg).ok() == Some(INITIAL_MESSAGE) {
+                                stream.send(Message::binary(INITIAL_RESPONSE)).await?;
+                                continue;
+                            }
+                        }
+
+                        // Just echo anything else the client sends
+                        if stream.send(message).await.is_err() {
+                            break;
+                        }
+                    }
+                    _ => break,
+                }
+            }
+
+            res = rx.recv() => {
+                match res {
+                    Some(res) => {
+                        if stream.send(res).await.is_err() {
+                            break;
+                        }
+                    },
+                    None => break,
+                }
+            }
+
+            _= interval.tick() => {
+                if stream.send(Message::Ping(create_ping())).await.is_err() {
+                    break;
+                }
+            }
+        }
+    }
+
+    info!("Closing WS connection from {addr}");
+
+    //  Delete from map
+    users.map.entry(user_uuid).or_default().retain(|(uuid, _)| uuid != &entry_uuid);
+    Ok(())
+}
+
+fn get_request_token(req: &handshake::server::Request) -> Option<String> {
+    const ACCESS_TOKEN_KEY: &str = "access_token=";
+
+    if let Some(Ok(auth)) = req.headers().get("Authorization").map(|a| a.to_str()) {
+        if let Some(token_part) = auth.strip_prefix("Bearer ") {
+            return Some(token_part.to_owned());
+        }
+    }
+
+    if let Some(params) = req.uri().query() {
+        let params_iter = params.split('&').take(1);
+        for val in params_iter {
+            if let Some(stripped) = val.strip_prefix(ACCESS_TOKEN_KEY) {
+                return Some(stripped.to_owned());
+            }
+        }
+    }
+    None
+}
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -1,7 +1,7 @@
 use std::path::{Path, PathBuf};

 use rocket::serde::json::Json;
-use rocket::{fs::NamedFile, http::ContentType, Route};
+use rocket::{fs::NamedFile, http::ContentType, Catcher, Route};
 use serde_json::Value;

 use crate::{
@@ -21,6 +21,19 @@ pub fn routes() -> Vec<Route> {
    }
 }

+pub fn catchers() -> Vec<Catcher> {
+    if CONFIG.web_vault_enabled() {
+        catchers![not_found]
+    } else {
+        catchers![]
+    }
+}
+
+#[catch(404)]
+async fn not_found() -> Cached<Option<NamedFile>> {
+    Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join("404.html")).await.ok(), false)
+}
+
 #[get("/")]
 async fn web_index() -> Cached<Option<NamedFile>> {
    Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join("index.html")).await.ok(), false)
@@ -88,8 +101,8 @@ fn static_files(filename: String) -> Result<(ContentType, &'static [u8]), Error>
        "identicon.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/identicon.js"))),
        "datatables.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/datatables.js"))),
        "datatables.css" => Ok((ContentType::CSS, include_bytes!("../static/scripts/datatables.css"))),
-        "jquery-3.6.0.slim.js" => {
-            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-3.6.0.slim.js")))
+        "jquery-3.6.1.slim.js" => {
+            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-3.6.1.slim.js")))
        }
        _ => err!(format!("Static file not found: {}", filename)),
    }
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -1,19 +1,14 @@
-//
 // JWT Handling
 //
 use chrono::{Duration, Utc};
 use num_traits::FromPrimitive;
 use once_cell::sync::Lazy;

-use jsonwebtoken::{self, Algorithm, DecodingKey, EncodingKey, Header};
+use jsonwebtoken::{self, errors::ErrorKind, Algorithm, DecodingKey, EncodingKey, Header};
 use serde::de::DeserializeOwned;
 use serde::ser::Serialize;

-use crate::{
-    error::{Error, MapResult},
-    util::read_file,
-    CONFIG,
-};
+use crate::{error::Error, CONFIG};

 const JWT_ALGORITHM: Algorithm = Algorithm::RS256;

@@ -30,13 +25,13 @@ static JWT_ADMIN_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|admin", CONFIG.
 static JWT_SEND_ISSUER: Lazy<String> = Lazy::new(|| format!("{}|send", CONFIG.domain_origin()));

 static PRIVATE_RSA_KEY_VEC: Lazy<Vec<u8>> = Lazy::new(|| {
-    read_file(&CONFIG.private_rsa_key()).unwrap_or_else(|e| panic!("Error loading private RSA Key.\n{}", e))
+    std::fs::read(&CONFIG.private_rsa_key()).unwrap_or_else(|e| panic!("Error loading private RSA Key.\n{}", e))
 });
 static PRIVATE_RSA_KEY: Lazy<EncodingKey> = Lazy::new(|| {
    EncodingKey::from_rsa_pem(&PRIVATE_RSA_KEY_VEC).unwrap_or_else(|e| panic!("Error decoding private RSA Key.\n{}", e))
 });
 static PUBLIC_RSA_KEY_VEC: Lazy<Vec<u8>> = Lazy::new(|| {
-    read_file(&CONFIG.public_rsa_key()).unwrap_or_else(|e| panic!("Error loading public RSA Key.\n{}", e))
+    std::fs::read(&CONFIG.public_rsa_key()).unwrap_or_else(|e| panic!("Error loading public RSA Key.\n{}", e))
 });
 static PUBLIC_RSA_KEY: Lazy<DecodingKey> = Lazy::new(|| {
    DecodingKey::from_rsa_pem(&PUBLIC_RSA_KEY_VEC).unwrap_or_else(|e| panic!("Error decoding public RSA Key.\n{}", e))
@@ -62,7 +57,15 @@ fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T, Err
    validation.set_issuer(&[issuer]);

    let token = token.replace(char::is_whitespace, "");
-    jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation).map(|d| d.claims).map_res("Error decoding JWT")
+    match jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation) {
+        Ok(d) => Ok(d.claims),
+        Err(err) => match *err.kind() {
+            ErrorKind::InvalidToken => err!("Token is invalid"),
+            ErrorKind::InvalidIssuer => err!("Issuer is invalid"),
+            ErrorKind::ExpiredSignature => err!("Token has expired"),
+            _ => err!("Error decoding JWT"),
+        },
+    }
 }

 pub fn decode_login(token: &str) -> Result<LoginJwtClaims, Error> {
@@ -149,9 +152,10 @@ pub fn generate_invite_claims(
    invited_by_email: Option<String>,
 ) -> InviteJwtClaims {
    let time_now = Utc::now().naive_utc();
+    let expire_hours = i64::from(CONFIG.invitation_expiration_hours());
    InviteJwtClaims {
        nbf: time_now.timestamp(),
-        exp: (time_now + Duration::days(5)).timestamp(),
+        exp: (time_now + Duration::hours(expire_hours)).timestamp(),
        iss: JWT_INVITE_ISSUER.to_string(),
        sub: uuid,
        email,
@@ -186,9 +190,10 @@ pub fn generate_emergency_access_invite_claims(
    grantor_email: Option<String>,
 ) -> EmergencyAccessInviteJwtClaims {
    let time_now = Utc::now().naive_utc();
+    let expire_hours = i64::from(CONFIG.invitation_expiration_hours());
    EmergencyAccessInviteJwtClaims {
        nbf: time_now.timestamp(),
-        exp: (time_now + Duration::days(5)).timestamp(),
+        exp: (time_now + Duration::hours(expire_hours)).timestamp(),
        iss: JWT_EMERGENCY_ACCESS_INVITE_ISSUER.to_string(),
        sub: uuid,
        email,
@@ -212,9 +217,10 @@ pub struct BasicJwtClaims {

 pub fn generate_delete_claims(uuid: String) -> BasicJwtClaims {
    let time_now = Utc::now().naive_utc();
+    let expire_hours = i64::from(CONFIG.invitation_expiration_hours());
    BasicJwtClaims {
        nbf: time_now.timestamp(),
-        exp: (time_now + Duration::days(5)).timestamp(),
+        exp: (time_now + Duration::hours(expire_hours)).timestamp(),
        iss: JWT_DELETE_ISSUER.to_string(),
        sub: uuid,
    }
@@ -222,9 +228,10 @@ pub fn generate_delete_claims(uuid: String) -> BasicJwtClaims {

 pub fn generate_verify_email_claims(uuid: String) -> BasicJwtClaims {
    let time_now = Utc::now().naive_utc();
+    let expire_hours = i64::from(CONFIG.invitation_expiration_hours());
    BasicJwtClaims {
        nbf: time_now.timestamp(),
-        exp: (time_now + Duration::days(5)).timestamp(),
+        exp: (time_now + Duration::hours(expire_hours)).timestamp(),
        iss: JWT_VERIFYEMAIL_ISSUER.to_string(),
        sub: uuid,
    }
--- a/src/config.rs
+++ b/src/config.rs
@@ -37,7 +37,7 @@ macro_rules! make_config {

        struct Inner {
            rocket_shutdown_handle: Option<rocket::Shutdown>,
-            ws_shutdown_handle: Option<ws::Sender>,
+            ws_shutdown_handle: Option<tokio::sync::oneshot::Sender<()>>,

            templates: Handlebars<'static>,
            config: ConfigItems,
@@ -91,8 +91,7 @@ macro_rules! make_config {
            }

            fn from_file(path: &str) -> Result<Self, Error> {
-                use crate::util::read_file_string;
-                let config_str = read_file_string(path)?;
+                let config_str = std::fs::read_to_string(path)?;
                serde_json::from_str(&config_str).map_err(Into::into)
            }

@@ -431,11 +430,16 @@ make_config! {
        org_creation_users:     String, true,   def,    "".to_string();
        /// Allow invitations |> Controls whether users can be invited by organization admins, even when signups are otherwise disabled
        invitations_allowed:    bool,   true,   def,    true;
+        /// Invitation token expiration time (in hours) |> The number of hours after which an organization invite token, emergency access invite token,
+        /// email verification token and deletion request token will expire (must be at least 1)
+        invitation_expiration_hours: u32, false, def, 120;
        /// Allow emergency access |> Controls whether users can enable emergency access to their accounts. This setting applies globally to all users.
        emergency_access_allowed:    bool,   true,   def,    true;
        /// Password iterations |> Number of server-side passwords hashing iterations.
        /// The changes only apply when a user changes their password. Not recommended to lower the value
        password_iterations:    i32,    true,   def,    100_000;
+        /// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users.
+        password_hints_allowed: bool,   true,   def,    true;
        /// Show password hint |> Controls whether a password hint should be shown directly in the web page
        /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this
        /// provides unauthenticated access to potentially sensitive data.
@@ -462,6 +466,10 @@ make_config! {
        /// service is set, an icon request to Vaultwarden will return an HTTP redirect to the
        /// corresponding icon at the external service.
        icon_service:           String, false,  def,    "internal".to_string();
+        /// Internal
+        _icon_service_url:      String, false,  gen,    |c| generate_icon_service_url(&c.icon_service);
+        /// Internal
+        _icon_service_csp:      String, false,  gen,    |c| generate_icon_service_csp(&c.icon_service, &c._icon_service_url);
        /// Icon redirect code |> The HTTP status code to use for redirects to an external icon service.
        /// The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
        /// Temporary redirects are useful while testing different icon services, but once a service
@@ -721,6 +729,10 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        _ => err!("Only HTTP 301/302 and 307/308 redirects are supported"),
    }

+    if cfg.invitation_expiration_hours < 1 {
+        err!("`INVITATION_EXPIRATION_HOURS` has a minimum duration of 1 hour")
+    }
+
    Ok(())
 }

@@ -747,6 +759,34 @@ fn extract_url_path(url: &str) -> String {
    }
 }

+/// Generate the correct URL for the icon service.
+/// This will be used within icons.rs to call the external icon service.
+fn generate_icon_service_url(icon_service: &str) -> String {
+    match icon_service {
+        "internal" => "".to_string(),
+        "bitwarden" => "https://icons.bitwarden.net/{}/icon.png".to_string(),
+        "duckduckgo" => "https://icons.duckduckgo.com/ip3/{}.ico".to_string(),
+        "google" => "https://www.google.com/s2/favicons?domain={}&sz=32".to_string(),
+        _ => icon_service.to_string(),
+    }
+}
+
+/// Generate the CSP string needed to allow redirected icon fetching
+fn generate_icon_service_csp(icon_service: &str, icon_service_url: &str) -> String {
+    // We split on the first '{', since that is the variable delimiter for an icon service URL.
+    // Everything up until the first '{' should be fixed and can be used as an CSP string.
+    let csp_string = match icon_service_url.split_once('{') {
+        Some((c, _)) => c.to_string(),
+        None => "".to_string(),
+    };
+
+    // Because Google does a second redirect to there gstatic.com domain, we need to add an extra csp string.
+    match icon_service {
+        "google" => csp_string + " https://*.gstatic.com/favicon",
+        _ => csp_string,
+    }
+}
+
 /// Convert the old SMTP_SSL and SMTP_EXPLICIT_TLS options
 fn smtp_convert_deprecated_ssl_options(smtp_ssl: Option<bool>, smtp_explicit_tls: Option<bool>) -> String {
    if smtp_explicit_tls.is_some() || smtp_ssl.is_some() {
@@ -948,19 +988,17 @@ impl Config {
        self.inner.write().unwrap().rocket_shutdown_handle = Some(handle);
    }

-    pub fn set_ws_shutdown_handle(&self, handle: ws::Sender) {
+    pub fn set_ws_shutdown_handle(&self, handle: tokio::sync::oneshot::Sender<()>) {
        self.inner.write().unwrap().ws_shutdown_handle = Some(handle);
    }

    pub fn shutdown(&self) {
-        if let Ok(c) = self.inner.read() {
-            if let Some(handle) = c.ws_shutdown_handle.clone() {
-                handle.shutdown().ok();
+        if let Ok(mut c) = self.inner.write() {
+            if let Some(handle) = c.ws_shutdown_handle.take() {
+                handle.send(()).ok();
            }
-            // Wait a bit before stopping the web server
-            tokio::runtime::Handle::current()
-                .block_on(async move { tokio::time::sleep(tokio::time::Duration::from_secs(1)).await });
-            if let Some(handle) = c.rocket_shutdown_handle.clone() {
+
+            if let Some(handle) = c.rocket_shutdown_handle.take() {
                handle.notify();
            }
        }
@@ -1060,12 +1098,11 @@ fn js_escape_helper<'reg, 'rc>(
    _rc: &mut RenderContext<'reg, 'rc>,
    out: &mut dyn Output,
 ) -> HelperResult {
-    let param = h.param(0).ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
+    let param = h.param(0).ok_or_else(|| RenderError::new("Param not found for helper \"jsesc\""))?;

    let no_quote = h.param(1).is_some();

-    let value =
-        param.value().as_str().ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
+    let value = param.value().as_str().ok_or_else(|| RenderError::new("Param for helper \"jsesc\" is not a String"))?;

    let mut escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
    if !no_quote {
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -160,6 +160,7 @@ impl Cipher {
            "Object": "cipherDetails",
            "Id": self.uuid,
            "Type": self.atype,
+            "CreationDate": format_date(&self.created_at),
            "RevisionDate": format_date(&self.updated_at),
            "DeletedDate": self.deleted_at.map_or(Value::Null, |d| Value::String(format_date(&d))),
            "FolderId": if let Some(cipher_sync_data) = cipher_sync_data { cipher_sync_data.cipher_folders.get(&self.uuid).map(|c| c.to_string() ) } else { self.get_folder_uuid(user_uuid, conn).await },
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -87,11 +87,11 @@ impl Device {
            nbf: time_now.timestamp(),
            exp: (time_now + *DEFAULT_VALIDITY).timestamp(),
            iss: JWT_LOGIN_ISSUER.to_string(),
-            sub: user.uuid.to_string(),
+            sub: user.uuid.clone(),

            premium: true,
-            name: user.name.to_string(),
-            email: user.email.to_string(),
+            name: user.name.clone(),
+            email: user.email.clone(),
            email_verified: !CONFIG.mail_enabled() || user.verified_at.is_some(),

            orgowner,
@@ -99,8 +99,8 @@ impl Device {
            orguser,
            orgmanager,

-            sstamp: user.security_stamp.to_string(),
-            device: self.uuid.to_string(),
+            sstamp: user.security_stamp.clone(),
+            device: self.uuid.clone(),
            scope,
            amr: vec!["Application".into()],
        };
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -19,7 +19,7 @@ pub use self::device::Device;
 pub use self::emergency_access::{EmergencyAccess, EmergencyAccessStatus, EmergencyAccessType};
 pub use self::favorite::Favorite;
 pub use self::folder::{Folder, FolderCipher};
-pub use self::org_policy::{OrgPolicy, OrgPolicyType};
+pub use self::org_policy::{OrgPolicy, OrgPolicyErr, OrgPolicyType};
 pub use self::organization::{Organization, UserOrgStatus, UserOrgType, UserOrganization};
 pub use self::send::{Send, SendType};
 pub use self::two_factor::{TwoFactor, TwoFactorType};
--- a/src/db/models/org_policy.rs
+++ b/src/db/models/org_policy.rs
@@ -6,7 +6,7 @@ use crate::db::DbConn;
 use crate::error::MapResult;
 use crate::util::UpCase;

-use super::{UserOrgStatus, UserOrgType, UserOrganization};
+use super::{TwoFactor, UserOrgStatus, UserOrgType, UserOrganization};

 db_object! {
    #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
@@ -21,25 +21,37 @@ db_object! {
    }
 }

-#[derive(Copy, Clone, PartialEq, num_derive::FromPrimitive)]
+// https://github.com/bitwarden/server/blob/b86a04cef9f1e1b82cf18e49fc94e017c641130c/src/Core/Enums/PolicyType.cs
+#[derive(Copy, Clone, Eq, PartialEq, num_derive::FromPrimitive)]
 pub enum OrgPolicyType {
    TwoFactorAuthentication = 0,
    MasterPassword = 1,
    PasswordGenerator = 2,
    SingleOrg = 3,
-    // RequireSso = 4, // Not currently supported.
+    // RequireSso = 4, // Not supported
    PersonalOwnership = 5,
    DisableSend = 6,
    SendOptions = 7,
+    // ResetPassword = 8, // Not supported
+    // MaximumVaultTimeout = 9, // Not supported (Not AGPLv3 Licensed)
+    // DisablePersonalVaultExport = 10, // Not supported (Not AGPLv3 Licensed)
 }

-// https://github.com/bitwarden/server/blob/master/src/Core/Models/Data/SendOptionsPolicyData.cs
+// https://github.com/bitwarden/server/blob/5cbdee137921a19b1f722920f0fa3cd45af2ef0f/src/Core/Models/Data/Organizations/Policies/SendOptionsPolicyData.cs
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 pub struct SendOptionsPolicyData {
    pub DisableHideEmail: bool,
 }

+pub type OrgPolicyResult = Result<(), OrgPolicyErr>;
+
+#[derive(Debug)]
+pub enum OrgPolicyErr {
+    TwoFactorMissing,
+    SingleOrgEnforced,
+}
+
 /// Local methods
 impl OrgPolicy {
    pub fn new(org_uuid: String, atype: OrgPolicyType, data: String) -> Self {
@@ -160,11 +172,11 @@ impl OrgPolicy {
        }}
    }

-    pub async fn find_by_org_and_type(org_uuid: &str, atype: i32, conn: &DbConn) -> Option<Self> {
+    pub async fn find_by_org_and_type(org_uuid: &str, policy_type: OrgPolicyType, conn: &DbConn) -> Option<Self> {
        db_run! { conn: {
            org_policies::table
                .filter(org_policies::org_uuid.eq(org_uuid))
-                .filter(org_policies::atype.eq(atype))
+                .filter(org_policies::atype.eq(policy_type as i32))
                .first::<OrgPolicyDb>(conn)
                .ok()
                .from_db()
@@ -179,40 +191,128 @@ impl OrgPolicy {
        }}
    }

+    pub async fn find_accepted_and_confirmed_by_user_and_active_policy(
+        user_uuid: &str,
+        policy_type: OrgPolicyType,
+        conn: &DbConn,
+    ) -> Vec<Self> {
+        db_run! { conn: {
+            org_policies::table
+                .inner_join(
+                    users_organizations::table.on(
+                        users_organizations::org_uuid.eq(org_policies::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid)))
+                )
+                .filter(
+                    users_organizations::status.eq(UserOrgStatus::Accepted as i32)
+                )
+                .or_filter(
+                    users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+                )
+                .filter(org_policies::atype.eq(policy_type as i32))
+                .filter(org_policies::enabled.eq(true))
+                .select(org_policies::all_columns)
+                .load::<OrgPolicyDb>(conn)
+                .expect("Error loading org_policy")
+                .from_db()
+        }}
+    }
+
+    pub async fn find_confirmed_by_user_and_active_policy(
+        user_uuid: &str,
+        policy_type: OrgPolicyType,
+        conn: &DbConn,
+    ) -> Vec<Self> {
+        db_run! { conn: {
+            org_policies::table
+                .inner_join(
+                    users_organizations::table.on(
+                        users_organizations::org_uuid.eq(org_policies::org_uuid)
+                            .and(users_organizations::user_uuid.eq(user_uuid)))
+                )
+                .filter(
+                    users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+                )
+                .filter(org_policies::atype.eq(policy_type as i32))
+                .filter(org_policies::enabled.eq(true))
+                .select(org_policies::all_columns)
+                .load::<OrgPolicyDb>(conn)
+                .expect("Error loading org_policy")
+                .from_db()
+        }}
+    }
+
    /// Returns true if the user belongs to an org that has enabled the specified policy type,
    /// and the user is not an owner or admin of that org. This is only useful for checking
    /// applicability of policy types that have these particular semantics.
-    pub async fn is_applicable_to_user(user_uuid: &str, policy_type: OrgPolicyType, conn: &DbConn) -> bool {
-        // TODO: Should check confirmed and accepted users
-        for policy in OrgPolicy::find_confirmed_by_user(user_uuid, conn).await {
-            if policy.enabled && policy.has_type(policy_type) {
-                let org_uuid = &policy.org_uuid;
-                if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, org_uuid, conn).await {
-                    if user.atype < UserOrgType::Admin {
-                        return true;
-                    }
+    pub async fn is_applicable_to_user(
+        user_uuid: &str,
+        policy_type: OrgPolicyType,
+        exclude_org_uuid: Option<&str>,
+        conn: &DbConn,
+    ) -> bool {
+        for policy in
+            OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(user_uuid, policy_type, conn).await
+        {
+            // Check if we need to skip this organization.
+            if exclude_org_uuid.is_some() && exclude_org_uuid.unwrap() == policy.org_uuid {
+                continue;
+            }
+
+            if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
+                if user.atype < UserOrgType::Admin {
+                    return true;
                }
            }
        }
        false
    }

+    pub async fn is_user_allowed(
+        user_uuid: &str,
+        org_uuid: &str,
+        exclude_current_org: bool,
+        conn: &DbConn,
+    ) -> OrgPolicyResult {
+        // Enforce TwoFactor/TwoStep login
+        if TwoFactor::find_by_user(user_uuid, conn).await.is_empty() {
+            match Self::find_by_org_and_type(org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await {
+                Some(p) if p.enabled => {
+                    return Err(OrgPolicyErr::TwoFactorMissing);
+                }
+                _ => {}
+            };
+        }
+
+        // Enforce Single Organization Policy of other organizations user is a member of
+        // This check here needs to exclude this current org-id, else an accepted user can not be confirmed.
+        let exclude_org = if exclude_current_org {
+            Some(org_uuid)
+        } else {
+            None
+        };
+        if Self::is_applicable_to_user(user_uuid, OrgPolicyType::SingleOrg, exclude_org, conn).await {
+            return Err(OrgPolicyErr::SingleOrgEnforced);
+        }
+
+        Ok(())
+    }
+
    /// Returns true if the user belongs to an org that has enabled the `DisableHideEmail`
    /// option of the `Send Options` policy, and the user is not an owner or admin of that org.
    pub async fn is_hide_email_disabled(user_uuid: &str, conn: &DbConn) -> bool {
-        for policy in OrgPolicy::find_confirmed_by_user(user_uuid, conn).await {
-            if policy.enabled && policy.has_type(OrgPolicyType::SendOptions) {
-                let org_uuid = &policy.org_uuid;
-                if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, org_uuid, conn).await {
-                    if user.atype < UserOrgType::Admin {
-                        match serde_json::from_str::<UpCase<SendOptionsPolicyData>>(&policy.data) {
-                            Ok(opts) => {
-                                if opts.data.DisableHideEmail {
-                                    return true;
-                                }
+        for policy in
+            OrgPolicy::find_confirmed_by_user_and_active_policy(user_uuid, OrgPolicyType::SendOptions, conn).await
+        {
+            if let Some(user) = UserOrganization::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
+                if user.atype < UserOrgType::Admin {
+                    match serde_json::from_str::<UpCase<SendOptionsPolicyData>>(&policy.data) {
+                        Ok(opts) => {
+                            if opts.data.DisableHideEmail {
+                                return true;
                            }
-                            _ => error!("Failed to deserialize policy data: {}", policy.data),
                        }
+                        _ => error!("Failed to deserialize SendOptionsPolicyData: {}", policy.data),
                    }
                }
            }
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -31,7 +31,9 @@ db_object! {
    }
 }

+// https://github.com/bitwarden/server/blob/b86a04cef9f1e1b82cf18e49fc94e017c641130c/src/Core/Enums/OrganizationUserStatusType.cs
 pub enum UserOrgStatus {
+    Revoked = -1,
    Invited = 0,
    Accepted = 1,
    Confirmed = 2,
@@ -133,26 +135,29 @@ impl Organization {
            public_key,
        }
    }
-
+    // https://github.com/bitwarden/server/blob/13d1e74d6960cf0d042620b72d85bf583a4236f7/src/Api/Models/Response/Organizations/OrganizationResponseModel.cs
    pub fn to_json(&self) -> Value {
        json!({
            "Id": self.uuid,
            "Identifier": null, // not supported by us
            "Name": self.name,
            "Seats": 10, // The value doesn't matter, we don't check server-side
+            // "MaxAutoscaleSeats": null, // The value doesn't matter, we don't check server-side
            "MaxCollections": 10, // The value doesn't matter, we don't check server-side
            "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side
            "Use2fa": true,
            "UseDirectory": false, // Is supported, but this value isn't checked anywhere (yet)
-            "UseEvents": false, // not supported by us
-            "UseGroups": false, // not supported by us
+            "UseEvents": false, // Not supported
+            "UseGroups": false, // Not supported
            "UseTotp": true,
            "UsePolicies": true,
-            "UseSso": false, // We do not support SSO
+            // "UseScim": false, // Not supported (Not AGPLv3 Licensed)
+            "UseSso": false, // Not supported
+            // "UseKeyConnector": false, // Not supported
            "SelfHost": true,
-            "UseApi": false, // not supported by us
+            "UseApi": false, // Not supported
            "HasPublicAndPrivateKeys": self.private_key.is_some() && self.public_key.is_some(),
-            "ResetPasswordEnrolled": false, // not supported by us
+            "UseResetPassword": false, // Not supported

            "BusinessName": null,
            "BusinessAddress1": null,
@@ -170,6 +175,12 @@ impl Organization {
    }
 }

+// Used to either subtract or add to the current status
+// The number 128 should be fine, it is well within the range of an i32
+// The same goes for the database where we only use INTEGER (the same as an i32)
+// It should also provide enough room for 100+ types, which i doubt will ever happen.
+static ACTIVATE_REVOKE_DIFF: i32 = 128;
+
 impl UserOrganization {
    pub fn new(user_uuid: String, org_uuid: String) -> Self {
        Self {
@@ -184,6 +195,18 @@ impl UserOrganization {
            atype: UserOrgType::User as i32,
        }
    }
+
+    pub fn restore(&mut self) {
+        if self.status < UserOrgStatus::Accepted as i32 {
+            self.status += ACTIVATE_REVOKE_DIFF;
+        }
+    }
+
+    pub fn revoke(&mut self) {
+        if self.status > UserOrgStatus::Revoked as i32 {
+            self.status -= ACTIVATE_REVOKE_DIFF;
+        }
+    }
 }

 use crate::db::DbConn;
@@ -265,9 +288,10 @@ impl UserOrganization {
    pub async fn to_json(&self, conn: &DbConn) -> Value {
        let org = Organization::find_by_uuid(&self.org_uuid, conn).await.unwrap();

+        // https://github.com/bitwarden/server/blob/13d1e74d6960cf0d042620b72d85bf583a4236f7/src/Api/Models/Response/ProfileOrganizationResponseModel.cs
        json!({
            "Id": self.org_uuid,
-            "Identifier": null, // not supported by us
+            "Identifier": null, // Not supported
            "Name": org.name,
            "Seats": 10, // The value doesn't matter, we don't check server-side
            "MaxCollections": 10, // The value doesn't matter, we don't check server-side
@@ -275,44 +299,48 @@ impl UserOrganization {

            "Use2fa": true,
            "UseDirectory": false, // Is supported, but this value isn't checked anywhere (yet)
-            "UseEvents": false, // not supported by us
-            "UseGroups": false, // not supported by us
+            "UseEvents": false, // Not supported
+            "UseGroups": false, // Not supported
            "UseTotp": true,
+            // "UseScim": false, // Not supported (Not AGPLv3 Licensed)
            "UsePolicies": true,
-            "UseApi": false, // not supported by us
+            "UseApi": false, // Not supported
            "SelfHost": true,
            "HasPublicAndPrivateKeys": org.private_key.is_some() && org.public_key.is_some(),
-            "ResetPasswordEnrolled": false, // not supported by us
-            "SsoBound": false, // We do not support SSO
-            "UseSso": false, // We do not support SSO
-            // TODO: Add support for Business Portal
-            // Upstream is moving Policies and SSO management outside of the web-vault to /portal
-            // For now they still have that code also in the web-vault, but they will remove it at some point.
-            // https://github.com/bitwarden/server/tree/master/bitwarden_license/src/
-            "UseBusinessPortal": false, // Disable BusinessPortal Button
+            "ResetPasswordEnrolled": false, // Not supported
+            "SsoBound": false, // Not supported
+            "UseSso": false, // Not supported
            "ProviderId": null,
            "ProviderName": null,
+            // "KeyConnectorEnabled": false,
+            // "KeyConnectorUrl": null,

            // TODO: Add support for Custom User Roles
            // See: https://bitwarden.com/help/article/user-types-access-control/#custom-role
            // "Permissions": {
-            //     "AccessBusinessPortal": false,
-            //     "AccessEventLogs": false,
+            //     "AccessEventLogs": false, // Not supported
            //     "AccessImportExport": false,
            //     "AccessReports": false,
            //     "ManageAllCollections": false,
+            //     "CreateNewCollections": false,
+            //     "EditAnyCollection": false,
+            //     "DeleteAnyCollection": false,
            //     "ManageAssignedCollections": false,
+            //     "editAssignedCollections": false,
+            //     "deleteAssignedCollections": false,
            //     "ManageCiphers": false,
-            //     "ManageGroups": false,
+            //     "ManageGroups": false, // Not supported
            //     "ManagePolicies": false,
-            //     "ManageResetPassword": false,
-            //     "ManageSso": false,
+            //     "ManageResetPassword": false, // Not supported
+            //     "ManageSso": false, // Not supported
            //     "ManageUsers": false,
+            //     "ManageScim": false, // Not supported (Not AGPLv3 Licensed)
            // },

            "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side

            // These are per user
+            "UserId": self.user_uuid,
            "Key": self.akey,
            "Status": self.status,
            "Type": self.atype,
@@ -325,13 +353,21 @@ impl UserOrganization {
    pub async fn to_json_user_details(&self, conn: &DbConn) -> Value {
        let user = User::find_by_uuid(&self.user_uuid, conn).await.unwrap();

+        // Because BitWarden want the status to be -1 for revoked users we need to catch that here.
+        // We subtract/add a number so we can restore/activate the user to it's previouse state again.
+        let status = if self.status < UserOrgStatus::Revoked as i32 {
+            UserOrgStatus::Revoked as i32
+        } else {
+            self.status
+        };
+
        json!({
            "Id": self.uuid,
            "UserId": self.user_uuid,
            "Name": user.name,
            "Email": user.email,

-            "Status": self.status,
+            "Status": status,
            "Type": self.atype,
            "AccessAll": self.access_all,

@@ -365,11 +401,19 @@ impl UserOrganization {
                .collect()
        };

+        // Because BitWarden want the status to be -1 for revoked users we need to catch that here.
+        // We subtract/add a number so we can restore/activate the user to it's previouse state again.
+        let status = if self.status < UserOrgStatus::Revoked as i32 {
+            UserOrgStatus::Revoked as i32
+        } else {
+            self.status
+        };
+
        json!({
            "Id": self.uuid,
            "UserId": self.user_uuid,

-            "Status": self.status,
+            "Status": status,
            "Type": self.atype,
            "AccessAll": self.access_all,
            "Collections": coll_uuids,
@@ -507,6 +551,18 @@ impl UserOrganization {
        }}
    }

+    pub async fn count_accepted_and_confirmed_by_user(user_uuid: &str, conn: &DbConn) -> i64 {
+        db_run! { conn: {
+            users_organizations::table
+                .filter(users_organizations::user_uuid.eq(user_uuid))
+                .filter(users_organizations::status.eq(UserOrgStatus::Accepted as i32))
+                .or_filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
+                .count()
+                .first::<i64>(conn)
+                .unwrap_or(0)
+        }}
+    }
+
    pub async fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
        db_run! { conn: {
            users_organizations::table
@@ -527,16 +583,28 @@ impl UserOrganization {
        }}
    }

-    pub async fn find_by_org_and_type(org_uuid: &str, atype: i32, conn: &DbConn) -> Vec<Self> {
+    pub async fn find_by_org_and_type(org_uuid: &str, atype: UserOrgType, conn: &DbConn) -> Vec<Self> {
        db_run! { conn: {
            users_organizations::table
                .filter(users_organizations::org_uuid.eq(org_uuid))
-                .filter(users_organizations::atype.eq(atype))
+                .filter(users_organizations::atype.eq(atype as i32))
                .load::<UserOrganizationDb>(conn)
                .expect("Error loading user organizations").from_db()
        }}
    }

+    pub async fn count_confirmed_by_org_and_type(org_uuid: &str, atype: UserOrgType, conn: &DbConn) -> i64 {
+        db_run! { conn: {
+            users_organizations::table
+                .filter(users_organizations::org_uuid.eq(org_uuid))
+                .filter(users_organizations::atype.eq(atype as i32))
+                .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
+                .count()
+                .first::<i64>(conn)
+                .unwrap_or(0)
+        }}
+    }
+
    pub async fn find_by_user_and_org(user_uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
        db_run! { conn: {
            users_organizations::table
--- a/src/db/models/send.rs
+++ b/src/db/models/send.rs
@@ -45,7 +45,7 @@ pub enum SendType {
 }

 impl Send {
-    pub async fn new(atype: i32, name: String, data: String, akey: String, deletion_date: NaiveDateTime) -> Self {
+    pub fn new(atype: i32, name: String, data: String, akey: String, deletion_date: NaiveDateTime) -> Self {
        let now = Utc::now().naive_utc();

        Self {
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -171,7 +171,7 @@ impl User {
    pub fn set_stamp_exception(&mut self, route_exception: Vec<String>) {
        let stamp_exception = UserStampException {
            routes: route_exception,
-            security_stamp: self.security_stamp.to_string(),
+            security_stamp: self.security_stamp.clone(),
            expire: (Utc::now().naive_utc() + Duration::minutes(2)).timestamp(),
        };
        self.stamp_exception = Some(serde_json::to_string(&stamp_exception).unwrap_or_default());
@@ -275,11 +275,11 @@ impl User {

    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
        for user_org in UserOrganization::find_confirmed_by_user(&self.uuid, conn).await {
-            if user_org.atype == UserOrgType::Owner {
-                let owner_type = UserOrgType::Owner as i32;
-                if UserOrganization::find_by_org_and_type(&user_org.org_uuid, owner_type, conn).await.len() <= 1 {
-                    err!("Can't delete last owner")
-                }
+            if user_org.atype == UserOrgType::Owner
+                && UserOrganization::count_confirmed_by_org_and_type(&user_org.org_uuid, UserOrgType::Owner, conn).await
+                    <= 1
+            {
+                err!("Can't delete last owner")
            }
        }

--- a/src/error.rs
+++ b/src/error.rs
@@ -49,6 +49,7 @@ use rocket::error::Error as RocketErr;
 use serde_json::{Error as SerdeErr, Value};
 use std::io::Error as IoErr;
 use std::time::SystemTimeError as TimeErr;
+use tokio_tungstenite::tungstenite::Error as TungstError;
 use webauthn_rs::error::WebauthnError as WebauthnErr;
 use yubico::yubicoerror::YubicoError as YubiErr;

@@ -88,6 +89,7 @@ make_error! {
    DieselCon(DieselConErr): _has_source, _api_error,
    DieselMig(DieselMigErr): _has_source, _api_error,
    Webauthn(WebauthnErr):   _has_source, _api_error,
+    WebSocket(TungstError):  _has_source, _api_error,
 }

 impl std::fmt::Debug for Error {
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -4,11 +4,11 @@ use chrono::NaiveDateTime;
 use percent_encoding::{percent_encode, NON_ALPHANUMERIC};

 use lettre::{
-    message::{header, Mailbox, Message, MultiPart, SinglePart},
+    message::{Mailbox, Message, MultiPart},
    transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
    transport::smtp::client::{Tls, TlsParameters},
    transport::smtp::extension::ClientId,
-    Address, SmtpTransport, Transport,
+    Address, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
 };

 use crate::{
@@ -21,11 +21,11 @@ use crate::{
    CONFIG,
 };

-fn mailer() -> SmtpTransport {
+fn mailer() -> AsyncSmtpTransport<Tokio1Executor> {
    use std::time::Duration;
    let host = CONFIG.smtp_host().unwrap();

-    let smtp_client = SmtpTransport::builder_dangerous(host.as_str())
+    let smtp_client = AsyncSmtpTransport::<Tokio1Executor>::builder_dangerous(host.as_str())
        .port(CONFIG.smtp_port())
        .timeout(Some(Duration::from_secs(CONFIG.smtp_timeout())));

@@ -110,7 +110,7 @@ fn get_template(template_name: &str, data: &serde_json::Value) -> Result<(String
    Ok((subject, body))
 }

-pub fn send_password_hint(address: &str, hint: Option<String>) -> EmptyResult {
+pub async fn send_password_hint(address: &str, hint: Option<String>) -> EmptyResult {
    let template_name = if hint.is_some() {
        "email/pw_hint_some"
    } else {
@@ -119,10 +119,10 @@ pub fn send_password_hint(address: &str, hint: Option<String>) -> EmptyResult {

    let (subject, body_html, body_text) = get_text(template_name, json!({ "hint": hint, "url": CONFIG.domain() }))?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_delete_account(address: &str, uuid: &str) -> EmptyResult {
+pub async fn send_delete_account(address: &str, uuid: &str) -> EmptyResult {
    let claims = generate_delete_claims(uuid.to_string());
    let delete_token = encode_jwt(&claims);

@@ -136,10 +136,10 @@ pub fn send_delete_account(address: &str, uuid: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_verify_email(address: &str, uuid: &str) -> EmptyResult {
+pub async fn send_verify_email(address: &str, uuid: &str) -> EmptyResult {
    let claims = generate_verify_email_claims(uuid.to_string());
    let verify_email_token = encode_jwt(&claims);

@@ -153,10 +153,10 @@ pub fn send_verify_email(address: &str, uuid: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_welcome(address: &str) -> EmptyResult {
+pub async fn send_welcome(address: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/welcome",
        json!({
@@ -164,10 +164,10 @@ pub fn send_welcome(address: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_welcome_must_verify(address: &str, uuid: &str) -> EmptyResult {
+pub async fn send_welcome_must_verify(address: &str, uuid: &str) -> EmptyResult {
    let claims = generate_verify_email_claims(uuid.to_string());
    let verify_email_token = encode_jwt(&claims);

@@ -180,10 +180,10 @@ pub fn send_welcome_must_verify(address: &str, uuid: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_2fa_removed_from_org(address: &str, org_name: &str) -> EmptyResult {
+pub async fn send_2fa_removed_from_org(address: &str, org_name: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/send_2fa_removed_from_org",
        json!({
@@ -192,10 +192,10 @@ pub fn send_2fa_removed_from_org(address: &str, org_name: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_single_org_removed_from_org(address: &str, org_name: &str) -> EmptyResult {
+pub async fn send_single_org_removed_from_org(address: &str, org_name: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/send_single_org_removed_from_org",
        json!({
@@ -204,10 +204,10 @@ pub fn send_single_org_removed_from_org(address: &str, org_name: &str) -> EmptyR
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_invite(
+pub async fn send_invite(
    address: &str,
    uuid: &str,
    org_id: Option<String>,
@@ -236,10 +236,10 @@ pub fn send_invite(
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_invite(
+pub async fn send_emergency_access_invite(
    address: &str,
    uuid: &str,
    emer_id: Option<String>,
@@ -267,10 +267,10 @@ pub fn send_emergency_access_invite(
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_invite_accepted(address: &str, grantee_email: &str) -> EmptyResult {
+pub async fn send_emergency_access_invite_accepted(address: &str, grantee_email: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/emergency_access_invite_accepted",
        json!({
@@ -279,10 +279,10 @@ pub fn send_emergency_access_invite_accepted(address: &str, grantee_email: &str)
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_invite_confirmed(address: &str, grantor_name: &str) -> EmptyResult {
+pub async fn send_emergency_access_invite_confirmed(address: &str, grantor_name: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/emergency_access_invite_confirmed",
        json!({
@@ -291,10 +291,10 @@ pub fn send_emergency_access_invite_confirmed(address: &str, grantor_name: &str)
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_recovery_approved(address: &str, grantor_name: &str) -> EmptyResult {
+pub async fn send_emergency_access_recovery_approved(address: &str, grantor_name: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/emergency_access_recovery_approved",
        json!({
@@ -303,10 +303,10 @@ pub fn send_emergency_access_recovery_approved(address: &str, grantor_name: &str
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_recovery_initiated(
+pub async fn send_emergency_access_recovery_initiated(
    address: &str,
    grantee_name: &str,
    atype: &str,
@@ -322,10 +322,10 @@ pub fn send_emergency_access_recovery_initiated(
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_recovery_reminder(
+pub async fn send_emergency_access_recovery_reminder(
    address: &str,
    grantee_name: &str,
    atype: &str,
@@ -341,10 +341,10 @@ pub fn send_emergency_access_recovery_reminder(
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_recovery_rejected(address: &str, grantor_name: &str) -> EmptyResult {
+pub async fn send_emergency_access_recovery_rejected(address: &str, grantor_name: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/emergency_access_recovery_rejected",
        json!({
@@ -353,10 +353,10 @@ pub fn send_emergency_access_recovery_rejected(address: &str, grantor_name: &str
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_emergency_access_recovery_timed_out(address: &str, grantee_name: &str, atype: &str) -> EmptyResult {
+pub async fn send_emergency_access_recovery_timed_out(address: &str, grantee_name: &str, atype: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/emergency_access_recovery_timed_out",
        json!({
@@ -366,10 +366,10 @@ pub fn send_emergency_access_recovery_timed_out(address: &str, grantee_name: &st
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_invite_accepted(new_user_email: &str, address: &str, org_name: &str) -> EmptyResult {
+pub async fn send_invite_accepted(new_user_email: &str, address: &str, org_name: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/invite_accepted",
        json!({
@@ -379,10 +379,10 @@ pub fn send_invite_accepted(new_user_email: &str, address: &str, org_name: &str)
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_invite_confirmed(address: &str, org_name: &str) -> EmptyResult {
+pub async fn send_invite_confirmed(address: &str, org_name: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/invite_confirmed",
        json!({
@@ -391,10 +391,10 @@ pub fn send_invite_confirmed(address: &str, org_name: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_new_device_logged_in(address: &str, ip: &str, dt: &NaiveDateTime, device: &str) -> EmptyResult {
+pub async fn send_new_device_logged_in(address: &str, ip: &str, dt: &NaiveDateTime, device: &str) -> EmptyResult {
    use crate::util::upcase_first;
    let device = upcase_first(device);

@@ -409,10 +409,10 @@ pub fn send_new_device_logged_in(address: &str, ip: &str, dt: &NaiveDateTime, de
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_incomplete_2fa_login(address: &str, ip: &str, dt: &NaiveDateTime, device: &str) -> EmptyResult {
+pub async fn send_incomplete_2fa_login(address: &str, ip: &str, dt: &NaiveDateTime, device: &str) -> EmptyResult {
    use crate::util::upcase_first;
    let device = upcase_first(device);

@@ -428,10 +428,10 @@ pub fn send_incomplete_2fa_login(address: &str, ip: &str, dt: &NaiveDateTime, de
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_token(address: &str, token: &str) -> EmptyResult {
+pub async fn send_token(address: &str, token: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/twofactor_email",
        json!({
@@ -440,10 +440,10 @@ pub fn send_token(address: &str, token: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_change_email(address: &str, token: &str) -> EmptyResult {
+pub async fn send_change_email(address: &str, token: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/change_email",
        json!({
@@ -452,10 +452,10 @@ pub fn send_change_email(address: &str, token: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-pub fn send_test(address: &str) -> EmptyResult {
+pub async fn send_test(address: &str) -> EmptyResult {
    let (subject, body_html, body_text) = get_text(
        "email/smtp_test",
        json!({
@@ -463,43 +463,19 @@ pub fn send_test(address: &str) -> EmptyResult {
        }),
    )?;

-    send_email(address, &subject, body_html, body_text)
+    send_email(address, &subject, body_html, body_text).await
 }

-fn send_email(address: &str, subject: &str, body_html: String, body_text: String) -> EmptyResult {
-    let address_split: Vec<&str> = address.rsplitn(2, '@').collect();
-    if address_split.len() != 2 {
-        err!("Invalid email address (no @)");
-    }
-
-    let domain_puny = match idna::domain_to_ascii_strict(address_split[0]) {
-        Ok(d) => d,
-        Err(_) => err!("Can't convert email domain to ASCII representation"),
-    };
-
-    let address = format!("{}@{}", address_split[1], domain_puny);
-
-    let html = SinglePart::builder()
-        // We force Base64 encoding because in the past we had issues with different encodings.
-        .header(header::ContentTransferEncoding::Base64)
-        .header(header::ContentType::TEXT_HTML)
-        .body(body_html);
-
-    let text = SinglePart::builder()
-        // We force Base64 encoding because in the past we had issues with different encodings.
-        .header(header::ContentTransferEncoding::Base64)
-        .header(header::ContentType::TEXT_PLAIN)
-        .body(body_text);
-
+async fn send_email(address: &str, subject: &str, body_html: String, body_text: String) -> EmptyResult {
    let smtp_from = &CONFIG.smtp_from();
    let email = Message::builder()
        .message_id(Some(format!("<{}@{}>", crate::util::get_uuid(), smtp_from.split('@').collect::<Vec<&str>>()[1])))
-        .to(Mailbox::new(None, Address::from_str(&address)?))
+        .to(Mailbox::new(None, Address::from_str(address)?))
        .from(Mailbox::new(Some(CONFIG.smtp_from_name()), Address::from_str(smtp_from)?))
        .subject(subject)
-        .multipart(MultiPart::alternative().singlepart(text).singlepart(html))?;
+        .multipart(MultiPart::alternative_plain_html(body_text, body_html))?;

-    match mailer().send(&email) {
+    match mailer().send(email).await {
        Ok(_) => Ok(()),
        // Match some common errors and make them more user friendly
        Err(e) => {
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,6 +1,30 @@
-#![forbid(unsafe_code)]
-#![warn(rust_2018_idioms)]
-#![warn(rust_2021_compatibility)]
+#![forbid(unsafe_code, non_ascii_idents)]
+#![deny(
+    rust_2018_idioms,
+    rust_2021_compatibility,
+    noop_method_call,
+    pointer_structural_match,
+    trivial_casts,
+    trivial_numeric_casts,
+    unused_import_braces,
+    clippy::cast_lossless,
+    clippy::clone_on_ref_ptr,
+    clippy::equatable_if_let,
+    clippy::float_cmp_const,
+    clippy::inefficient_to_string,
+    clippy::linkedlist,
+    clippy::macro_use_imports,
+    clippy::manual_assert,
+    clippy::match_wildcard_for_single_variants,
+    clippy::mem_forget,
+    clippy::string_add_assign,
+    clippy::string_to_string,
+    clippy::unnecessary_join,
+    clippy::unnecessary_self_imports,
+    clippy::unused_async,
+    clippy::verbose_file_reads,
+    clippy::zero_sized_map_values
+)]
 #![cfg_attr(feature = "unstable", feature(ip))]
 // The recursion_limit is mainly triggered by the json!() macro.
 // The more key/value pairs there are the more recursion occurs.
@@ -37,6 +61,11 @@ use std::{
    thread,
 };

+use tokio::{
+    fs::File,
+    io::{AsyncBufReadExt, BufReader},
+};
+
 #[macro_use]
 mod error;
 mod api;
@@ -65,7 +94,7 @@ async fn main() -> Result<(), Error> {

    let extra_debug = matches!(level, LF::Trace | LF::Debug);

-    check_data_folder();
+    check_data_folder().await;
    check_rsa_keys().unwrap_or_else(|_| {
        error!("Error creating keys, exiting...");
        exit(1);
@@ -145,15 +174,13 @@ fn init_logging(level: log::LevelFilter) -> Result<(), fern::InitError> {
        // Hide failed to close stream messages
        .level_for("hyper::server", log::LevelFilter::Warn)
        // Silence rocket logs
-        .level_for("_", log::LevelFilter::Off)
+        .level_for("_", log::LevelFilter::Warn)
        .level_for("rocket::launch", log::LevelFilter::Error)
        .level_for("rocket::launch_", log::LevelFilter::Error)
        .level_for("rocket::rocket", log::LevelFilter::Warn)
        .level_for("rocket::server", log::LevelFilter::Warn)
        .level_for("rocket::fairing::fairings", log::LevelFilter::Warn)
        .level_for("rocket::shield::shield", log::LevelFilter::Warn)
-        // Never show html5ever and hyper::proto logs, too noisy
-        .level_for("html5ever", log::LevelFilter::Off)
        .level_for("hyper::proto", log::LevelFilter::Off)
        .level_for("hyper::client", log::LevelFilter::Off)
        // Prevent cookie_store logs
@@ -264,7 +291,7 @@ fn create_dir(path: &str, description: &str) {
    create_dir_all(path).expect(&err_msg);
 }

-fn check_data_folder() {
+async fn check_data_folder() {
    let data_folder = &CONFIG.data_folder();
    let path = Path::new(data_folder);
    if !path.exists() {
@@ -276,6 +303,57 @@ fn check_data_folder() {
        }
        exit(1);
    }
+    if !path.is_dir() {
+        error!("Data folder '{}' is not a directory.", data_folder);
+        exit(1);
+    }
+
+    if is_running_in_docker()
+        && std::env::var("I_REALLY_WANT_VOLATILE_STORAGE").is_err()
+        && !docker_data_folder_is_persistent(data_folder).await
+    {
+        error!(
+            "No persistent volume!\n\
+            ########################################################################################\n\
+            # It looks like you did not configure a persistent volume!                             #\n\
+            # This will result in permanent data loss when the container is removed or updated!    #\n\
+            # If you really want to use volatile storage set `I_REALLY_WANT_VOLATILE_STORAGE=true` #\n\
+            ########################################################################################\n"
+        );
+        exit(1);
+    }
+}
+
+/// Detect when using Docker or Podman the DATA_FOLDER is either a bind-mount or a volume created manually.
+/// If not created manually, then the data will not be persistent.
+/// A none persistent volume in either Docker or Podman is represented by a 64 alphanumerical string.
+/// If we detect this string, we will alert about not having a persistent self defined volume.
+/// This probably means that someone forgot to add `-v /path/to/vaultwarden_data/:/data`
+async fn docker_data_folder_is_persistent(data_folder: &str) -> bool {
+    if let Ok(mountinfo) = File::open("/proc/self/mountinfo").await {
+        // Since there can only be one mountpoint to the DATA_FOLDER
+        // We do a basic check for this mountpoint surrounded by a space.
+        let data_folder_match = if data_folder.starts_with('/') {
+            format!(" {data_folder} ")
+        } else {
+            format!(" /{data_folder} ")
+        };
+        let mut lines = BufReader::new(mountinfo).lines();
+        while let Some(line) = lines.next_line().await.unwrap_or_default() {
+            // Only execute a regex check if we find the base match
+            if line.contains(&data_folder_match) {
+                let re = regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap();
+                if re.is_match(&line) {
+                    return false;
+                }
+                // If we did found a match for the mountpoint, but not the regex, then still stop searching.
+                break;
+            }
+        }
+    }
+    // In all other cases, just assume a true.
+    // This is just an informative check to try and prevent data loss.
+    true
 }

 fn check_rsa_keys() -> Result<(), crate::error::Error> {
@@ -292,7 +370,7 @@ fn check_rsa_keys() -> Result<(), crate::error::Error> {
    }

    if !util::file_exists(&pub_path) {
-        let rsa_key = openssl::rsa::Rsa::private_key_from_pem(&util::read_file(&priv_path)?)?;
+        let rsa_key = openssl::rsa::Rsa::private_key_from_pem(&std::fs::read(&priv_path)?)?;

        let pub_key = rsa_key.public_key_to_pem()?;
        crate::util::write_file(&pub_path, &pub_key)?;
@@ -351,6 +429,8 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>
        .mount([basepath, "/identity"].concat(), api::identity_routes())
        .mount([basepath, "/icons"].concat(), api::icons_routes())
        .mount([basepath, "/notifications"].concat(), api::notifications_routes())
+        .register([basepath, "/"].concat(), api::web_catchers())
+        .register([basepath, "/api"].concat(), api::core_catchers())
        .manage(pool)
        .manage(api::start_notification_server())
        .attach(util::AppHeaders())
@@ -383,7 +463,7 @@ async fn schedule_jobs(pool: db::DbPool) {
    thread::Builder::new()
        .name("job-scheduler".to_string())
        .spawn(move || {
-            use job_scheduler::{Job, JobScheduler};
+            use job_scheduler_ng::{Job, JobScheduler};
            let _runtime_guard = runtime.enter();

            let mut sched = JobScheduler::new();
--- a/src/static/global_domains.json
+++ b/src/static/global_domains.json
@@ -328,6 +328,7 @@
    "Type": 33,
    "Domains": [
      "healthcare.gov",
+      "cuidadodesalud.gov",
      "cms.gov"
    ],
    "Excluded": false
@@ -902,6 +903,7 @@
  {
    "Type": 85,
    "Domains": [
+      "proton.me",
      "protonmail.com",
      "protonvpn.com"
    ],
--- a/src/static/scripts/bootstrap-native.js
+++ b/src/static/scripts/bootstrap-native.js
--- a/src/static/scripts/bootstrap.css
+++ b/src/static/scripts/bootstrap.css
--- a/src/static/scripts/datatables.css
+++ b/src/static/scripts/datatables.css
@@ -4,13 +4,175 @@
 *
 * To rebuild or modify this file with the latest versions of the included
 * software please visit:
- *   https://datatables.net/download/#bs5/dt-1.11.5
+ *   https://datatables.net/download/#bs5/dt-1.12.1
 *
 * Included libraries:
- *   DataTables 1.11.5
+ *   DataTables 1.12.1
 */

@charset "UTF-8";
+table.dataTable td.dt-control {
+  text-align: center;
+  cursor: pointer;
+}
+table.dataTable td.dt-control:before {
+  height: 1em;
+  width: 1em;
+  margin-top: -9px;
+  display: inline-block;
+  color: white;
+  border: 0.15em solid white;
+  border-radius: 1em;
+  box-shadow: 0 0 0.2em #444;
+  box-sizing: content-box;
+  text-align: center;
+  text-indent: 0 !important;
+  font-family: "Courier New", Courier, monospace;
+  line-height: 1em;
+  content: "+";
+  background-color: #31b131;
+}
+table.dataTable tr.dt-hasChild td.dt-control:before {
+  content: "-";
+  background-color: #d33333;
+}
+
+table.dataTable thead > tr > th.sorting, table.dataTable thead > tr > th.sorting_asc, table.dataTable thead > tr > th.sorting_desc, table.dataTable thead > tr > th.sorting_asc_disabled, table.dataTable thead > tr > th.sorting_desc_disabled,
+table.dataTable thead > tr > td.sorting,
+table.dataTable thead > tr > td.sorting_asc,
+table.dataTable thead > tr > td.sorting_desc,
+table.dataTable thead > tr > td.sorting_asc_disabled,
+table.dataTable thead > tr > td.sorting_desc_disabled {
+  cursor: pointer;
+  position: relative;
+  padding-right: 26px;
+}
+table.dataTable thead > tr > th.sorting:before, table.dataTable thead > tr > th.sorting:after, table.dataTable thead > tr > th.sorting_asc:before, table.dataTable thead > tr > th.sorting_asc:after, table.dataTable thead > tr > th.sorting_desc:before, table.dataTable thead > tr > th.sorting_desc:after, table.dataTable thead > tr > th.sorting_asc_disabled:before, table.dataTable thead > tr > th.sorting_asc_disabled:after, table.dataTable thead > tr > th.sorting_desc_disabled:before, table.dataTable thead > tr > th.sorting_desc_disabled:after,
+table.dataTable thead > tr > td.sorting:before,
+table.dataTable thead > tr > td.sorting:after,
+table.dataTable thead > tr > td.sorting_asc:before,
+table.dataTable thead > tr > td.sorting_asc:after,
+table.dataTable thead > tr > td.sorting_desc:before,
+table.dataTable thead > tr > td.sorting_desc:after,
+table.dataTable thead > tr > td.sorting_asc_disabled:before,
+table.dataTable thead > tr > td.sorting_asc_disabled:after,
+table.dataTable thead > tr > td.sorting_desc_disabled:before,
+table.dataTable thead > tr > td.sorting_desc_disabled:after {
+  position: absolute;
+  display: block;
+  opacity: 0.125;
+  right: 10px;
+  line-height: 9px;
+  font-size: 0.9em;
+}
+table.dataTable thead > tr > th.sorting:before, table.dataTable thead > tr > th.sorting_asc:before, table.dataTable thead > tr > th.sorting_desc:before, table.dataTable thead > tr > th.sorting_asc_disabled:before, table.dataTable thead > tr > th.sorting_desc_disabled:before,
+table.dataTable thead > tr > td.sorting:before,
+table.dataTable thead > tr > td.sorting_asc:before,
+table.dataTable thead > tr > td.sorting_desc:before,
+table.dataTable thead > tr > td.sorting_asc_disabled:before,
+table.dataTable thead > tr > td.sorting_desc_disabled:before {
+  bottom: 50%;
+  content: "▴";
+}
+table.dataTable thead > tr > th.sorting:after, table.dataTable thead > tr > th.sorting_asc:after, table.dataTable thead > tr > th.sorting_desc:after, table.dataTable thead > tr > th.sorting_asc_disabled:after, table.dataTable thead > tr > th.sorting_desc_disabled:after,
+table.dataTable thead > tr > td.sorting:after,
+table.dataTable thead > tr > td.sorting_asc:after,
+table.dataTable thead > tr > td.sorting_desc:after,
+table.dataTable thead > tr > td.sorting_asc_disabled:after,
+table.dataTable thead > tr > td.sorting_desc_disabled:after {
+  top: 50%;
+  content: "▾";
+}
+table.dataTable thead > tr > th.sorting_asc:before, table.dataTable thead > tr > th.sorting_desc:after,
+table.dataTable thead > tr > td.sorting_asc:before,
+table.dataTable thead > tr > td.sorting_desc:after {
+  opacity: 0.6;
+}
+table.dataTable thead > tr > th.sorting_desc_disabled:after, table.dataTable thead > tr > th.sorting_asc_disabled:before,
+table.dataTable thead > tr > td.sorting_desc_disabled:after,
+table.dataTable thead > tr > td.sorting_asc_disabled:before {
+  display: none;
+}
+table.dataTable thead > tr > th:active,
+table.dataTable thead > tr > td:active {
+  outline: none;
+}
+
+div.dataTables_scrollBody table.dataTable thead > tr > th:before, div.dataTables_scrollBody table.dataTable thead > tr > th:after,
+div.dataTables_scrollBody table.dataTable thead > tr > td:before,
+div.dataTables_scrollBody table.dataTable thead > tr > td:after {
+  display: none;
+}
+
+div.dataTables_processing {
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  width: 200px;
+  margin-left: -100px;
+  margin-top: -26px;
+  text-align: center;
+  padding: 2px;
+}
+div.dataTables_processing > div:last-child {
+  position: relative;
+  width: 80px;
+  height: 15px;
+  margin: 1em auto;
+}
+div.dataTables_processing > div:last-child > div {
+  position: absolute;
+  top: 0;
+  width: 13px;
+  height: 13px;
+  border-radius: 50%;
+  background: rgba(13, 110, 253, 0.9);
+  animation-timing-function: cubic-bezier(0, 1, 1, 0);
+}
+div.dataTables_processing > div:last-child > div:nth-child(1) {
+  left: 8px;
+  animation: datatables-loader-1 0.6s infinite;
+}
+div.dataTables_processing > div:last-child > div:nth-child(2) {
+  left: 8px;
+  animation: datatables-loader-2 0.6s infinite;
+}
+div.dataTables_processing > div:last-child > div:nth-child(3) {
+  left: 32px;
+  animation: datatables-loader-2 0.6s infinite;
+}
+div.dataTables_processing > div:last-child > div:nth-child(4) {
+  left: 56px;
+  animation: datatables-loader-3 0.6s infinite;
+}
+
+@keyframes datatables-loader-1 {
+  0% {
+    transform: scale(0);
+  }
+  100% {
+    transform: scale(1);
+  }
+}
+@keyframes datatables-loader-3 {
+  0% {
+    transform: scale(1);
+  }
+  100% {
+    transform: scale(0);
+  }
+}
+@keyframes datatables-loader-2 {
+  0% {
+    transform: translate(0, 0);
+  }
+  100% {
+    transform: translate(24px, 0);
+  }
+}
+table.dataTable.nowrap th, table.dataTable.nowrap td {
+  white-space: nowrap;
+}
 table.dataTable th.dt-left,
 table.dataTable td.dt-left {
  text-align: left;
@@ -32,6 +194,12 @@ table.dataTable th.dt-nowrap,
 table.dataTable td.dt-nowrap {
  white-space: nowrap;
 }
+table.dataTable thead th,
+table.dataTable thead td,
+table.dataTable tfoot th,
+table.dataTable tfoot td {
+  text-align: left;
+}
 table.dataTable thead th.dt-head-left,
 table.dataTable thead td.dt-head-left,
 table.dataTable tfoot th.dt-head-left,
@@ -82,31 +250,6 @@ table.dataTable tbody th.dt-body-nowrap,
 table.dataTable tbody td.dt-body-nowrap {
  white-space: nowrap;
 }
-table.dataTable td.dt-control {
-  text-align: center;
-  cursor: pointer;
-}
-table.dataTable td.dt-control:before {
-  height: 1em;
-  width: 1em;
-  margin-top: -9px;
-  display: inline-block;
-  color: white;
-  border: 0.15em solid white;
-  border-radius: 1em;
-  box-shadow: 0 0 0.2em #444;
-  box-sizing: content-box;
-  text-align: center;
-  text-indent: 0 !important;
-  font-family: "Courier New", Courier, monospace;
-  line-height: 1em;
-  content: "+";
-  background-color: #31b131;
-}
-table.dataTable tr.dt-hasChild td.dt-control:before {
-  content: "-";
-  background-color: #d33333;
-}

 /*! Bootstrap 5 integration for DataTables
 *
@@ -134,6 +277,28 @@ table.dataTable.nowrap th,
 table.dataTable.nowrap td {
  white-space: nowrap;
 }
+table.dataTable.table-striped > tbody > tr:nth-of-type(2n+1) > * {
+  box-shadow: none;
+}
+table.dataTable > tbody > tr {
+  background-color: transparent;
+}
+table.dataTable > tbody > tr.selected > * {
+  box-shadow: inset 0 0 0 9999px rgba(13, 110, 253, 0.9);
+  color: white;
+}
+table.dataTable.table-striped > tbody > tr.odd > * {
+  box-shadow: inset 0 0 0 9999px rgba(0, 0, 0, 0.05);
+}
+table.dataTable.table-striped > tbody > tr.odd.selected > * {
+  box-shadow: inset 0 0 0 9999px rgba(13, 110, 253, 0.95);
+}
+table.dataTable.table-hover > tbody > tr:hover > * {
+  box-shadow: inset 0 0 0 9999px rgba(0, 0, 0, 0.075);
+}
+table.dataTable.table-hover > tbody > tr.selected:hover > * {
+  box-shadow: inset 0 0 0 9999px rgba(13, 110, 253, 0.975);
+}

 div.dataTables_wrapper div.dataTables_length label {
  font-weight: normal;
@@ -170,71 +335,6 @@ div.dataTables_wrapper div.dataTables_paginate ul.pagination {
  white-space: nowrap;
  justify-content: flex-end;
 }
-div.dataTables_wrapper div.dataTables_processing {
-  position: absolute;
-  top: 50%;
-  left: 50%;
-  width: 200px;
-  margin-left: -100px;
-  margin-top: -26px;
-  text-align: center;
-  padding: 1em 0;
-}
-
-table.dataTable > thead > tr > th:active,
-table.dataTable > thead > tr > td:active {
-  outline: none;
-}
-table.dataTable > thead > tr > th:not(.sorting_disabled),
-table.dataTable > thead > tr > td:not(.sorting_disabled) {
-  padding-right: 30px;
-}
-table.dataTable > thead .sorting,
-table.dataTable > thead .sorting_asc,
-table.dataTable > thead .sorting_desc,
-table.dataTable > thead .sorting_asc_disabled,
-table.dataTable > thead .sorting_desc_disabled {
-  cursor: pointer;
-  position: relative;
-}
-table.dataTable > thead .sorting:before, table.dataTable > thead .sorting:after,
-table.dataTable > thead .sorting_asc:before,
-table.dataTable > thead .sorting_asc:after,
-table.dataTable > thead .sorting_desc:before,
-table.dataTable > thead .sorting_desc:after,
-table.dataTable > thead .sorting_asc_disabled:before,
-table.dataTable > thead .sorting_asc_disabled:after,
-table.dataTable > thead .sorting_desc_disabled:before,
-table.dataTable > thead .sorting_desc_disabled:after {
-  position: absolute;
-  bottom: 0.5em;
-  display: block;
-  opacity: 0.3;
-}
-table.dataTable > thead .sorting:before,
-table.dataTable > thead .sorting_asc:before,
-table.dataTable > thead .sorting_desc:before,
-table.dataTable > thead .sorting_asc_disabled:before,
-table.dataTable > thead .sorting_desc_disabled:before {
-  right: 1em;
-  content: "↑";
-}
-table.dataTable > thead .sorting:after,
-table.dataTable > thead .sorting_asc:after,
-table.dataTable > thead .sorting_desc:after,
-table.dataTable > thead .sorting_asc_disabled:after,
-table.dataTable > thead .sorting_desc_disabled:after {
-  right: 0.5em;
-  content: "↓";
-}
-table.dataTable > thead .sorting_asc:before,
-table.dataTable > thead .sorting_desc:after {
-  opacity: 1;
-}
-table.dataTable > thead .sorting_asc_disabled:before,
-table.dataTable > thead .sorting_desc_disabled:after {
-  opacity: 0;
-}

 div.dataTables_scrollHead table.dataTable {
  margin-bottom: 0 !important;
@@ -280,17 +380,6 @@ div.dataTables_wrapper div.dataTables_paginate {
 table.dataTable.table-sm > thead > tr > th:not(.sorting_disabled) {
  padding-right: 20px;
 }
-table.dataTable.table-sm .sorting:before,
-table.dataTable.table-sm .sorting_asc:before,
-table.dataTable.table-sm .sorting_desc:before {
-  top: 5px;
-  right: 0.85em;
-}
-table.dataTable.table-sm .sorting:after,
-table.dataTable.table-sm .sorting_asc:after,
-table.dataTable.table-sm .sorting_desc:after {
-  top: 5px;
-}

 table.table-bordered.dataTable {
  border-right-width: 0;
@@ -332,11 +421,4 @@ div.table-responsive > div.dataTables_wrapper > div.row > div[class^=col-]:last-
  padding-right: 0;
 }

-table.dataTable.table-striped > tbody > tr:nth-of-type(2n+1) {
-  --bs-table-accent-bg: transparent;
-}
-table.dataTable.table-striped > tbody > tr.odd {
-  --bs-table-accent-bg: var(--bs-table-striped-bg);
-}
-

--- a/src/static/scripts/datatables.js
+++ b/src/static/scripts/datatables.js
--- a/src/static/scripts/jquery-3.6.1.slim.js
+++ b/src/static/scripts/jquery-3.6.1.slim.js
@@ -1,5 +1,5 @@
 /*!
- * jQuery JavaScript Library v3.6.0 -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-effects,-effects/Tween,-effects/animatedSelector
+ * jQuery JavaScript Library v3.6.1 -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-effects,-effects/Tween,-effects/animatedSelector
 * https://jquery.com/
 *
 * Includes Sizzle.js
@@ -9,7 +9,7 @@
 * Released under the MIT license
 * https://jquery.org/license
 *
- * Date: 2021-03-02T17:08Z
+ * Date: 2022-08-26T17:52Z
 */
 ( function( global, factory ) {

@@ -23,7 +23,7 @@
 		// (such as Node.js), expose a factory as module.exports.
 		// This accentuates the need for the creation of a real `window`.
 		// e.g. var jQuery = require("jquery")(window);
-		// See ticket #14549 for more info.
+		// See ticket trac-14549 for more info.
 		module.exports = global.document ?
 			factory( global, true ) :
 			function( w ) {
@@ -151,7 +151,7 @@ function toType( obj ) {


 var
-	version = "3.6.0 -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-effects,-effects/Tween,-effects/animatedSelector",
+	version = "3.6.1 -ajax,-ajax/jsonp,-ajax/load,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-deprecated/ajax-event-alias,-effects,-effects/Tween,-effects/animatedSelector",

 	// Define a local copy of jQuery
 	jQuery = function( selector, context ) {
@@ -3129,8 +3129,8 @@ jQuery.fn.extend( {
 var rootjQuery,

 	// A simple way to check for HTML strings
-	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
-	// Strict HTML recognition (#11290: must start with <)
+	// Prioritize #id over <tag> to avoid XSS via location.hash (trac-9521)
+	// Strict HTML recognition (trac-11290: must start with <)
 	// Shortcut simple #id case for speed
 	rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/,

@@ -4087,7 +4087,7 @@ jQuery.extend( {
 	isReady: false,

 	// A counter to track how many items to wait for before
-	// the ready event fires. See #6781
+	// the ready event fires. See trac-6781
 	readyWait: 1,

 	// Handle when the DOM is ready
@@ -4215,7 +4215,7 @@ function fcamelCase( _all, letter ) {

 // Convert dashed to camelCase; used by the css and data modules
 // Support: IE <=9 - 11, Edge 12 - 15
-// Microsoft forgot to hump their vendor prefix (#9572)
+// Microsoft forgot to hump their vendor prefix (trac-9572)
 function camelCase( string ) {
 	return string.replace( rmsPrefix, "ms-" ).replace( rdashAlpha, fcamelCase );
 }
@@ -4251,7 +4251,7 @@ Data.prototype = {
 			value = {};

 			// We can accept data for non-element nodes in modern browsers,
-			// but we should not, see #8335.
+			// but we should not, see trac-8335.
 			// Always return an empty object.
 			if ( acceptData( owner ) ) {

@@ -4490,7 +4490,7 @@ jQuery.fn.extend( {
 					while ( i-- ) {

 						// Support: IE 11 only
-						// The attrs elements can be null (#14894)
+						// The attrs elements can be null (trac-14894)
 						if ( attrs[ i ] ) {
 							name = attrs[ i ].name;
 							if ( name.indexOf( "data-" ) === 0 ) {
@@ -4913,9 +4913,9 @@ var rscriptType = ( /^$|^module$|\/(?:java|ecma)script/i );
 		input = document.createElement( "input" );

 	// Support: Android 4.0 - 4.3 only
-	// Check state lost if the name is set (#11217)
+	// Check state lost if the name is set (trac-11217)
 	// Support: Windows Web Apps (WWA)
-	// `name` and `type` must use .setAttribute for WWA (#14901)
+	// `name` and `type` must use .setAttribute for WWA (trac-14901)
 	input.setAttribute( "type", "radio" );
 	input.setAttribute( "checked", "checked" );
 	input.setAttribute( "name", "t" );
@@ -4939,7 +4939,7 @@ var rscriptType = ( /^$|^module$|\/(?:java|ecma)script/i );
 } )();


-// We have to close these tags to support XHTML (#13200)
+// We have to close these tags to support XHTML (trac-13200)
 var wrapMap = {

 	// XHTML parsers do not magically insert elements in the
@@ -4965,7 +4965,7 @@ if ( !support.option ) {
 function getAll( context, tag ) {

 	// Support: IE <=9 - 11 only
-	// Use typeof to avoid zero-argument method invocation on host objects (#15151)
+	// Use typeof to avoid zero-argument method invocation on host objects (trac-15151)
 	var ret;

 	if ( typeof context.getElementsByTagName !== "undefined" ) {
@@ -5048,7 +5048,7 @@ function buildFragment( elems, context, scripts, selection, ignored ) {
 				// Remember the top-level container
 				tmp = fragment.firstChild;

-				// Ensure the created nodes are orphaned (#12392)
+				// Ensure the created nodes are orphaned (trac-12392)
 				tmp.textContent = "";
 			}
 		}
@@ -5469,15 +5469,15 @@ jQuery.event = {

 			for ( ; cur !== this; cur = cur.parentNode || this ) {

-				// Don't check non-elements (#13208)
-				// Don't process clicks on disabled elements (#6911, #8165, #11382, #11764)
+				// Don't check non-elements (trac-13208)
+				// Don't process clicks on disabled elements (trac-6911, trac-8165, trac-11382, trac-11764)
 				if ( cur.nodeType === 1 && !( event.type === "click" && cur.disabled === true ) ) {
 					matchedHandlers = [];
 					matchedSelectors = {};
 					for ( i = 0; i < delegateCount; i++ ) {
 						handleObj = handlers[ i ];

-						// Don't conflict with Object.prototype properties (#13203)
+						// Don't conflict with Object.prototype properties (trac-13203)
 						sel = handleObj.selector + " ";

 						if ( matchedSelectors[ sel ] === undefined ) {
@@ -5731,7 +5731,7 @@ jQuery.Event = function( src, props ) {

 		// Create target properties
 		// Support: Safari <=6 - 7 only
-		// Target should not be a text node (#504, #13143)
+		// Target should not be a text node (trac-504, trac-13143)
 		this.target = ( src.target && src.target.nodeType === 3 ) ?
 			src.target.parentNode :
 			src.target;
@@ -5854,10 +5854,10 @@ jQuery.each( { focus: "focusin", blur: "focusout" }, function( type, delegateTyp
 			return true;
 		},

-		// Suppress native focus or blur as it's already being fired
-		// in leverageNative.
-		_default: function() {
-			return true;
+		// Suppress native focus or blur if we're currently inside
+		// a leveraged native-event stack
+		_default: function( event ) {
+			return dataPriv.get( event.target, type );
 		},

 		delegateType: delegateType
@@ -5956,7 +5956,8 @@ var

 	// checked="checked" or checked
 	rchecked = /checked\s*(?:[^=]|=\s*.checked.)/i,
-	rcleanScript = /^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g;
+
+	rcleanScript = /^\s*<!\[CDATA\[|\]\]>\s*$/g;

 // Prefer a tbody over its parent table for containing new rows
 function manipulationTarget( elem, content ) {
@@ -6070,7 +6071,7 @@ function domManip( collection, args, callback, ignored ) {

 			// Use the original fragment for the last item
 			// instead of the first because it can end up
-			// being emptied incorrectly in certain situations (#8070).
+			// being emptied incorrectly in certain situations (trac-8070).
 			for ( ; i < l; i++ ) {
 				node = fragment;

@@ -6111,6 +6112,12 @@ function domManip( collection, args, callback, ignored ) {
 								}, doc );
 							}
 						} else {
+
+							// Unwrap a CDATA section containing script contents. This shouldn't be
+							// needed as in XML documents they're already not visible when
+							// inspecting element contents and in HTML documents they have no
+							// meaning but we're preserving that logic for backwards compatibility.
+							// This will be removed completely in 4.0. See gh-4904.
 							DOMEval( node.textContent.replace( rcleanScript, "" ), node, doc );
 						}
 					}
@@ -6393,9 +6400,12 @@ jQuery.each( {
 } );
 var rnumnonpx = new RegExp( "^(" + pnum + ")(?!px)[a-z%]+$", "i" );

+var rcustomProp = /^--/;
+
+
 var getStyles = function( elem ) {

-		// Support: IE <=11 only, Firefox <=30 (#15098, #14150)
+		// Support: IE <=11 only, Firefox <=30 (trac-15098, trac-14150)
 		// IE throws on elements created in popups
 		// FF meanwhile throws on frame elements through "defaultView.getComputedStyle"
 		var view = elem.ownerDocument.defaultView;
@@ -6430,6 +6440,15 @@ var swap = function( elem, options, callback ) {

 var rboxStyle = new RegExp( cssExpand.join( "|" ), "i" );

+var whitespace = "[\\x20\\t\\r\\n\\f]";
+
+
+var rtrimCSS = new RegExp(
+	"^" + whitespace + "+|((?:^|[^\\\\])(?:\\\\.)*)" + whitespace + "+$",
+	"g"
+);
+
+


 ( function() {
@@ -6495,7 +6514,7 @@ var rboxStyle = new RegExp( cssExpand.join( "|" ), "i" );
 	}

 	// Support: IE <=9 - 11 only
-	// Style of cloned element affects source element cloned (#8908)
+	// Style of cloned element affects source element cloned (trac-8908)
 	div.style.backgroundClip = "content-box";
 	div.cloneNode( true ).style.backgroundClip = "";
 	support.clearCloneStyle = div.style.backgroundClip === "content-box";
@@ -6575,6 +6594,7 @@ var rboxStyle = new RegExp( cssExpand.join( "|" ), "i" );

 function curCSS( elem, name, computed ) {
 	var width, minWidth, maxWidth, ret,
+		isCustomProp = rcustomProp.test( name ),

 		// Support: Firefox 51+
 		// Retrieving style before computed somehow
@@ -6585,11 +6605,22 @@ function curCSS( elem, name, computed ) {
 	computed = computed || getStyles( elem );

 	// getPropertyValue is needed for:
-	//   .css('filter') (IE 9 only, #12537)
-	//   .css('--customProperty) (#3144)
+	//   .css('filter') (IE 9 only, trac-12537)
+	//   .css('--customProperty) (gh-3144)
 	if ( computed ) {
 		ret = computed.getPropertyValue( name ) || computed[ name ];

+		// trim whitespace for custom property (issue gh-4926)
+		if ( isCustomProp ) {
+
+			// rtrim treats U+000D CARRIAGE RETURN and U+000C FORM FEED
+			// as whitespace while CSS does not, but this is not a problem
+			// because CSS preprocessing replaces them with U+000A LINE FEED
+			// (which *is* CSS whitespace)
+			// https://www.w3.org/TR/css-syntax-3/#input-preprocessing
+			ret = ret.replace( rtrimCSS, "$1" );
+		}
+
 		if ( ret === "" && !isAttached( elem ) ) {
 			ret = jQuery.style( elem, name );
 		}
@@ -6685,7 +6716,6 @@ var
 	// except "table", "table-cell", or "table-caption"
 	// See here for display values: https://developer.mozilla.org/en-US/docs/CSS/display
 	rdisplayswap = /^(none|table(?!-c[ea]).+)/,
-	rcustomProp = /^--/,
 	cssShow = { position: "absolute", visibility: "hidden", display: "block" },
 	cssNormalTransform = {
 		letterSpacing: "0",
@@ -6921,15 +6951,15 @@ jQuery.extend( {
 		if ( value !== undefined ) {
 			type = typeof value;

-			// Convert "+=" or "-=" to relative numbers (#7345)
+			// Convert "+=" or "-=" to relative numbers (trac-7345)
 			if ( type === "string" && ( ret = rcssNum.exec( value ) ) && ret[ 1 ] ) {
 				value = adjustCSS( elem, name, ret );

-				// Fixes bug #9237
+				// Fixes bug trac-9237
 				type = "number";
 			}

-			// Make sure that null and NaN values aren't set (#7116)
+			// Make sure that null and NaN values aren't set (trac-7116)
 			if ( value == null || value !== value ) {
 				return;
 			}
@@ -7149,7 +7179,6 @@ jQuery.fn.extend( {


 // Based off of the plugin by Clint Helfers, with permission.
-// https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
 jQuery.fn.delay = function( time, type ) {
 	time = jQuery.fx ? jQuery.fx.speeds[ time ] || time : time;
 	type = type || "fx";
@@ -7374,8 +7403,7 @@ jQuery.extend( {
 				// Support: IE <=9 - 11 only
 				// elem.tabIndex doesn't always return the
 				// correct value when it hasn't been explicitly set
-				// https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/
-				// Use proper attribute retrieval(#12072)
+				// Use proper attribute retrieval (trac-12072)
 				var tabindex = jQuery.find.attr( elem, "tabindex" );

 				if ( tabindex ) {
@@ -7479,8 +7507,7 @@ function classesToArray( value ) {

 jQuery.fn.extend( {
 	addClass: function( value ) {
-		var classes, elem, cur, curValue, clazz, j, finalValue,
-			i = 0;
+		var classNames, cur, curValue, className, i, finalValue;

 		if ( isFunction( value ) ) {
 			return this.each( function( j ) {
@@ -7488,36 +7515,35 @@ jQuery.fn.extend( {
 			} );
 		}

-		classes = classesToArray( value );
+		classNames = classesToArray( value );

-		if ( classes.length ) {
-			while ( ( elem = this[ i++ ] ) ) {
-				curValue = getClass( elem );
-				cur = elem.nodeType === 1 && ( " " + stripAndCollapse( curValue ) + " " );
+		if ( classNames.length ) {
+			return this.each( function() {
+				curValue = getClass( this );
+				cur = this.nodeType === 1 && ( " " + stripAndCollapse( curValue ) + " " );

 				if ( cur ) {
-					j = 0;
-					while ( ( clazz = classes[ j++ ] ) ) {
-						if ( cur.indexOf( " " + clazz + " " ) < 0 ) {
-							cur += clazz + " ";
+					for ( i = 0; i < classNames.length; i++ ) {
+						className = classNames[ i ];
+						if ( cur.indexOf( " " + className + " " ) < 0 ) {
+							cur += className + " ";
 						}
 					}

 					// Only assign if different to avoid unneeded rendering.
 					finalValue = stripAndCollapse( cur );
 					if ( curValue !== finalValue ) {
-						elem.setAttribute( "class", finalValue );
+						this.setAttribute( "class", finalValue );
 					}
 				}
-			}
+			} );
 		}

 		return this;
 	},

 	removeClass: function( value ) {
-		var classes, elem, cur, curValue, clazz, j, finalValue,
-			i = 0;
+		var classNames, cur, curValue, className, i, finalValue;

 		if ( isFunction( value ) ) {
 			return this.each( function( j ) {
@@ -7529,45 +7555,42 @@ jQuery.fn.extend( {
 			return this.attr( "class", "" );
 		}

-		classes = classesToArray( value );
+		classNames = classesToArray( value );

-		if ( classes.length ) {
-			while ( ( elem = this[ i++ ] ) ) {
-				curValue = getClass( elem );
+		if ( classNames.length ) {
+			return this.each( function() {
+				curValue = getClass( this );

 				// This expression is here for better compressibility (see addClass)
-				cur = elem.nodeType === 1 && ( " " + stripAndCollapse( curValue ) + " " );
+				cur = this.nodeType === 1 && ( " " + stripAndCollapse( curValue ) + " " );

 				if ( cur ) {
-					j = 0;
-					while ( ( clazz = classes[ j++ ] ) ) {
+					for ( i = 0; i < classNames.length; i++ ) {
+						className = classNames[ i ];

 						// Remove *all* instances
-						while ( cur.indexOf( " " + clazz + " " ) > -1 ) {
-							cur = cur.replace( " " + clazz + " ", " " );
+						while ( cur.indexOf( " " + className + " " ) > -1 ) {
+							cur = cur.replace( " " + className + " ", " " );
 						}
 					}

 					// Only assign if different to avoid unneeded rendering.
 					finalValue = stripAndCollapse( cur );
 					if ( curValue !== finalValue ) {
-						elem.setAttribute( "class", finalValue );
+						this.setAttribute( "class", finalValue );
 					}
 				}
-			}
+			} );
 		}

 		return this;
 	},

 	toggleClass: function( value, stateVal ) {
-		var type = typeof value,
+		var classNames, className, i, self,
+			type = typeof value,
 			isValidValue = type === "string" || Array.isArray( value );

-		if ( typeof stateVal === "boolean" && isValidValue ) {
-			return stateVal ? this.addClass( value ) : this.removeClass( value );
-		}
-
 		if ( isFunction( value ) ) {
 			return this.each( function( i ) {
 				jQuery( this ).toggleClass(
@@ -7577,17 +7600,20 @@ jQuery.fn.extend( {
 			} );
 		}

-		return this.each( function() {
-			var className, i, self, classNames;
+		if ( typeof stateVal === "boolean" && isValidValue ) {
+			return stateVal ? this.addClass( value ) : this.removeClass( value );
+		}

+		classNames = classesToArray( value );
+
+		return this.each( function() {
 			if ( isValidValue ) {

 				// Toggle individual class names
-				i = 0;
 				self = jQuery( this );
-				classNames = classesToArray( value );

-				while ( ( className = classNames[ i++ ] ) ) {
+				for ( i = 0; i < classNames.length; i++ ) {
+					className = classNames[ i ];

 					// Check each className given, space separated list
 					if ( self.hasClass( className ) ) {
@@ -7721,7 +7747,7 @@ jQuery.extend( {
 					val :

 					// Support: IE <=10 - 11 only
-					// option.text throws exceptions (#14686, #14858)
+					// option.text throws exceptions (trac-14686, trac-14858)
 					// Strip and collapse whitespace
 					// https://html.spec.whatwg.org/#strip-and-collapse-whitespace
 					stripAndCollapse( jQuery.text( elem ) );
@@ -7748,7 +7774,7 @@ jQuery.extend( {
 					option = options[ i ];

 					// Support: IE <=9 only
-					// IE8-9 doesn't update selected after form reset (#2551)
+					// IE8-9 doesn't update selected after form reset (trac-2551)
 					if ( ( option.selected || i === index ) &&

 							// Don't return options that are disabled or in a disabled optgroup
@@ -7891,8 +7917,8 @@ jQuery.extend( jQuery.event, {
 			return;
 		}

-		// Determine event propagation path in advance, per W3C events spec (#9951)
-		// Bubble up to document, then to window; watch for a global ownerDocument var (#9724)
+		// Determine event propagation path in advance, per W3C events spec (trac-9951)
+		// Bubble up to document, then to window; watch for a global ownerDocument var (trac-9724)
 		if ( !onlyHandlers && !special.noBubble && !isWindow( elem ) ) {

 			bubbleType = special.delegateType || type;
@@ -7944,7 +7970,7 @@ jQuery.extend( jQuery.event, {
 				acceptData( elem ) ) {

 				// Call a native DOM method on the target with the same name as the event.
-				// Don't do default actions on window, that's where global variables be (#6170)
+				// Don't do default actions on window, that's where global variables be (trac-6170)
 				if ( ontype && isFunction( elem[ type ] ) && !isWindow( elem ) ) {

 					// Don't re-trigger an onFOO event when we call its FOO() method
@@ -8654,7 +8680,9 @@ jQuery.each(

 // Support: Android <=4.0 only
 // Make sure we trim BOM and NBSP
-var rtrim = /^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g;
+// Require that the "whitespace run" starts from a non-whitespace
+// to avoid O(N^2) behavior when the engine would try matching "\s+$" at each space position.
+var rtrim = /^[\s\uFEFF\xA0]+|([^\s\uFEFF\xA0])[\s\uFEFF\xA0]+$/g;

 // Bind a function to a context, optionally partially applying any
 // arguments.
@@ -8721,7 +8749,7 @@ jQuery.isNumeric = function( obj ) {
 jQuery.trim = function( text ) {
 	return text == null ?
 		"" :
-		( text + "" ).replace( rtrim, "" );
+		( text + "" ).replace( rtrim, "$1" );
 };


@@ -8769,8 +8797,8 @@ jQuery.noConflict = function( deep ) {
 };

 // Expose jQuery and $ identifiers, even in AMD
-// (#7102#comment:10, https://github.com/jquery/jquery/pull/557)
-// and CommonJS for browser emulators (#13566)
+// (trac-7102#comment:10, https://github.com/jquery/jquery/pull/557)
+// and CommonJS for browser emulators (trac-13566)
 if ( typeof noGlobal === "undefined" ) {
 	window.jQuery = window.$ = jQuery;
 }
--- a/src/static/templates/admin/base.hbs
+++ b/src/static/templates/admin/base.hbs
@@ -20,6 +20,13 @@
            width: auto;
            margin: -5px 0 0 0;
        }
+        /* Special alert-row class to use Bootstrap v5.2+ variable colors */
+        .alert-row {
+            --bs-alert-border: 1px solid var(--bs-alert-border-color);
+            color: var(--bs-alert-color);
+            background-color: var(--bs-alert-bg);
+            border: var(--bs-alert-border);
+        }
    </style>
    <script src="{{urlpath}}/vw_static/identicon.js"></script>
    <script>
--- a/src/static/templates/admin/diagnostics.hbs
+++ b/src/static/templates/admin/diagnostics.hbs
@@ -140,8 +140,8 @@
                        <span><b>Server:</b> {{page_data.server_time_local}}</span>
                    </dd>
                    <dt class="col-sm-5">Date & Time (UTC)
-                        <span class="badge bg-success d-none" id="time-success" title="Time offsets seem to be correct.">Ok</span>
-                        <span class="badge bg-danger d-none" id="time-warning" title="Time offsets are too mouch at drift.">Error</span>
+                        <span class="badge bg-success d-none" id="time-success" title="Server and browser times are within 30 seconds of each other.">Ok</span>
+                        <span class="badge bg-danger d-none" id="time-warning" title="Server and browser times are more than 30 seconds apart.">Error</span>
                    </dt>
                    <dd class="col-sm-7">
                        <span id="time-server" class="d-block"><b>Server:</b> <span id="time-server-string">{{page_data.server_time}}</span></span>
@@ -151,7 +151,7 @@
                    <dt class="col-sm-5">Domain configuration
                        <span class="badge bg-success d-none" id="domain-success" title="The domain variable matches the browser location and seems to be configured correctly.">Match</span>
                        <span class="badge bg-danger d-none" id="domain-warning" title="The domain variable does not match the browser location.&#013;&#010;The domain variable does not seem to be configured correctly.&#013;&#010;Some features may not work as expected!">No Match</span>
-                        <span class="badge bg-success d-none" id="https-success" title="Configurued to use HTTPS">HTTPS</span>
+                        <span class="badge bg-success d-none" id="https-success" title="Configured to use HTTPS">HTTPS</span>
                        <span class="badge bg-danger d-none" id="https-warning" title="Not configured to use HTTPS.&#013;&#010;Some features may not work as expected!">No HTTPS</span>
                    </dt>
                    <dd class="col-sm-7">
@@ -168,8 +168,8 @@
                <dl class="row">
                    <dd class="col-sm-12">
                        If you need support please check the following links first before you create a new issue:
-                         <a href="https://vaultwarden.discourse.group/" target="_blank" rel="noreferrer">Vaultwarden Forum</a>
-                         | <a href="https://github.com/dani-garcia/vaultwarden/discussions" target="_blank" rel="noreferrer">Github Discussions</a>
+                         <a href="https://vaultwarden.discourse.group/" target="_blank" rel="noreferrer noopener">Vaultwarden Forum</a>
+                         | <a href="https://github.com/dani-garcia/vaultwarden/discussions" target="_blank" rel="noreferrer noopener">Github Discussions</a>
                    </dd>
                </dl>
                <dl class="row">
--- a/src/static/templates/admin/organizations.hbs
+++ b/src/static/templates/admin/organizations.hbs
@@ -49,7 +49,7 @@
 </main>

 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-3.6.0.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-3.6.1.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script>
    'use strict';
--- a/src/static/templates/admin/settings.hbs
+++ b/src/static/templates/admin/settings.hbs
@@ -5,7 +5,7 @@
            <div class="small text-white mb-3">
                <span class="font-weight-bolder">NOTE:</span> The settings here override the environment variables. Once saved, it's recommended to stop setting them to avoid confusion.<br>
                This does not apply to the read-only section, which can only be set via environment variables.<br>
-                Settings which are overridden are shown with <span class="is-overridden-true">double underscores</span>.
+                Settings which are overridden are shown with <span class="is-overridden-true alert-row px-1">a yellow colored background</span>.
            </div>

            <form class="form needs-validation" id="config-form" onsubmit="saveConfig(); return false;" novalidate>
@@ -16,7 +16,7 @@
                    <div id="g_{{group}}" class="card-body collapse">
                        {{#each elements}}
                        {{#if editable}}
-                        <div class="row my-2 align-items-center is-overridden-{{overridden}}" title="[{{name}}] {{doc.description}}">
+                        <div class="row my-2 align-items-center is-overridden-{{overridden}} alert-row" title="[{{name}}] {{doc.description}}">
                            {{#case type "text" "number" "password"}}
                            <label for="input_{{name}}" class="col-sm-3 col-form-label">{{doc.name}}</label>
                            <div class="col-sm-8">
@@ -71,16 +71,25 @@
                        {{#each config}}
                        {{#each elements}}
                        {{#unless editable}}
-                        <div class="row my-2 align-items-center" title="[{{name}}] {{doc.description}}">
+                        <div class="row my-2 align-items-center alert-row" title="[{{name}}] {{doc.description}}">
                            {{#case type "text" "number" "password"}}
                            <label for="input_{{name}}" class="col-sm-3 col-form-label">{{doc.name}}</label>
                            <div class="col-sm-8">
                                <div class="input-group">
-                                <input readonly class="form-control" id="input_{{name}}" type="{{type}}"
-                                    value="{{value}}" {{#if default}} placeholder="Default: {{default}}" {{/if}}>
-                                {{#case type "password"}}
+                                {{!--
+                                      Also set the database_url input as password here.
+                                      If we would set it to password in config.rs it will not be character masked for the support string.
+                                      And sometimes this is more useful for providing support than just 3 asterisk.
+                                --}}
+                                {{#if (eq name "database_url")}}
+                                    <input readonly class="form-control" id="input_{{name}}" type="password" value="{{value}}" {{#if default}} placeholder="Default: {{default}}" {{/if}}>
                                    <button class="btn btn-outline-secondary" type="button" onclick="toggleVis('input_{{name}}');">Show/hide</button>
-                                {{/case}}
+                                {{else}}
+                                    <input readonly class="form-control" id="input_{{name}}" type="{{type}}" value="{{value}}" {{#if default}} placeholder="Default: {{default}}" {{/if}}>
+                                    {{#case type "password"}}
+                                    <button class="btn btn-outline-secondary" type="button" onclick="toggleVis('input_{{name}}');">Show/hide</button>
+                                    {{/case}}
+                                {{/if}}
                                </div>
                            </div>
                            {{/case}}
@@ -113,7 +122,7 @@
                            This does not include any configuration or file attachment data that may
                            also be needed to fully restore a vaultwarden instance. For details on
                            how to perform complete backups, refer to the wiki page on
-                            <a href="https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault">backups</a>.
+                            <a href="https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault" target="_blank" rel="noopener noreferrer">backups</a>.
                        </div>
                        <button type="button" class="btn btn-primary" onclick="backupDatabase();">Backup Database</button>
                    </div>
@@ -134,7 +143,9 @@
    }

    .is-overridden-true {
-        text-decoration: underline double;
+        --bs-alert-color: #664d03;
+        --bs-alert-bg: #fff3cd;
+        --bs-alert-border-color: #ffecb5;
    }
 </style>

@@ -238,19 +249,45 @@
        return Array.from(form).some(el => 'origValue' in el.dataset && ( el.dataset.origValue !== el.value));
    }

-    // Trigger Form Change Detection
+    // This function will prevent submitting a from when someone presses enter.
+    function preventFormSubmitOnEnter(form) {
+        form.onkeypress = function(e) {
+            let key = e.charCode || e.keyCode || 0;
+            if (key == 13) {
+                e.preventDefault();
+            }
+        }
+    }
+
+    // Initialize Form Change Detection
    const config_form = document.getElementById('config-form');
    initChangeDetection(config_form);
+    // Prevent enter to submitting the form and save the config.
+    // Users need to really click on save, this also to prevent accidental submits.
+    preventFormSubmitOnEnter(config_form);
+
+    // This function will hook into the smtp-test-email input field and will call the smtpTest() function when enter is pressed.
+    function submitTestEmailOnEnter() {
+        const smtp_test_email_input = document.getElementById('smtp-test-email');
+        smtp_test_email_input.onkeypress = function(e) {
+            let key = e.charCode || e.keyCode || 0;
+            if (key == 13) {
+                e.preventDefault();
+                smtpTest();
+            }
+        }
+    }
+    submitTestEmailOnEnter();

    // Colorize some settings which are high risk
-    const risk_items = document.getElementsByClassName('col-form-label');
-    function colorRiskSettings(risk_el) {
-        Array.from(risk_el).forEach((el) => {
+    function colorRiskSettings() {
+        const risk_items = document.getElementsByClassName('col-form-label');
+        Array.from(risk_items).forEach((el) => {
            if (el.innerText.toLowerCase().includes('risks') ) {
                el.parentElement.className += ' alert-danger'
            }
        });
    }
-    colorRiskSettings(risk_items);
+    colorRiskSettings();

 </script>
--- a/src/static/templates/admin/users.hbs
+++ b/src/static/templates/admin/users.hbs
@@ -136,7 +136,7 @@
 </main>

 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-3.6.0.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-3.6.1.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script>
    'use strict';
--- a/src/util.rs
+++ b/src/util.rs
@@ -1,7 +1,7 @@
 //
 // Web Headers and caching
 //
-use std::io::Cursor;
+use std::io::{Cursor, ErrorKind};

 use rocket::{
    fairing::{Fairing, Info, Kind},
@@ -29,21 +29,72 @@ impl Fairing for AppHeaders {
        }
    }

-    async fn on_response<'r>(&self, _req: &'r Request<'_>, res: &mut Response<'r>) {
-        res.set_raw_header("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self \"https://haveibeenpwned.com\" \"https://2fa.directory\"), usb=(), vr=()");
+    async fn on_response<'r>(&self, req: &'r Request<'_>, res: &mut Response<'r>) {
+        res.set_raw_header("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()");
        res.set_raw_header("Referrer-Policy", "same-origin");
-        res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
        res.set_raw_header("X-Content-Type-Options", "nosniff");
        // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP
        res.set_raw_header("X-XSS-Protection", "0");
-        let csp = format!(
+
+        let req_uri_path = req.uri().path();
+
+        // Do not send the Content-Security-Policy (CSP) Header and X-Frame-Options for the *-connector.html files.
+        // This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
+        // This is the same behaviour as upstream Bitwarden.
+        if !req_uri_path.ends_with("connector.html") {
+            // Check if we are requesting an admin page, if so, allow unsafe-inline for scripts.
+            // TODO: In the future maybe we need to see if we can generate a sha256 hash or have no scripts inline at all.
+            let admin_path = format!("{}/admin", CONFIG.domain_path());
+            let mut script_src = "";
+            if req_uri_path.starts_with(admin_path.as_str()) {
+                script_src = " 'unsafe-inline'";
+            }
+
+            // # Frame Ancestors:
            // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
            // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
            // Firefox Browser Add-ons: https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
-            "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {};",
-            CONFIG.allowed_iframe_ancestors()
-        );
-        res.set_raw_header("Content-Security-Policy", csp);
+            // # img/child/frame src:
+            // Have I Been Pwned and Gravator to allow those calls to work.
+            // # Connect src:
+            // Leaked Passwords check: api.pwnedpasswords.com
+            // 2FA/MFA Site check: 2fa.directory
+            // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
+            // app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com
+            let csp = format!(
+                "default-src 'self'; \
+                object-src 'self' blob:; \
+                script-src 'self'{script_src}; \
+                style-src 'self' 'unsafe-inline'; \
+                child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
+                frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
+                frame-ancestors 'self' \
+                  chrome-extension://nngceckbapebfimnlniiiahkandclblb \
+                  chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
+                  moz-extension://* \
+                  {allowed_iframe_ancestors}; \
+                img-src 'self' data: \
+                  https://haveibeenpwned.com/ \
+                  https://www.gravatar.com \
+                  {icon_service_csp}; \
+                connect-src 'self' \
+                  https://api.pwnedpasswords.com/range/ \
+                  https://2fa.directory/api/ \
+                  https://app.simplelogin.io/api/ \
+                  https://app.anonaddy.com/api/ \
+                  https://api.fastmail.com/ \
+                  https://quack.duckduckgo.com/api/email/ \
+                  ;\
+                ",
+                icon_service_csp = CONFIG._icon_service_csp(),
+                allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
+            );
+            res.set_raw_header("Content-Security-Policy", csp);
+            res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
+        } else {
+            // It looks like this header get's set somewhere else also, make sure this is not sent for these files, it will cause MFA issues.
+            res.remove_header("X-Frame-Options");
+        }

        // Disable cache unless otherwise specified
        if !res.headers().contains("cache-control") {
@@ -265,7 +316,7 @@ impl Fairing for BetterLogging {
 //
 use std::{
    fs::{self, File},
-    io::{Read, Result as IOResult},
+    io::Result as IOResult,
    path::Path,
 };

@@ -273,32 +324,23 @@ pub fn file_exists(path: &str) -> bool {
    Path::new(path).exists()
 }

-pub fn read_file(path: &str) -> IOResult<Vec<u8>> {
-    let mut contents: Vec<u8> = Vec::new();
-
-    let mut file = File::open(Path::new(path))?;
-    file.read_to_end(&mut contents)?;
-
-    Ok(contents)
-}
-
 pub fn write_file(path: &str, content: &[u8]) -> Result<(), crate::error::Error> {
    use std::io::Write;
-    let mut f = File::create(path)?;
+    let mut f = match File::create(path) {
+        Ok(file) => file,
+        Err(e) => {
+            if e.kind() == ErrorKind::PermissionDenied {
+                error!("Can't create '{}': Permission denied", path);
+            }
+            return Err(From::from(e));
+        }
+    };
+
    f.write_all(content)?;
    f.flush()?;
    Ok(())
 }

-pub fn read_file_string(path: &str) -> IOResult<String> {
-    let mut contents = String::new();
-
-    let mut file = File::open(Path::new(path))?;
-    file.read_to_string(&mut contents)?;
-
-    Ok(contents)
-}
-
 pub fn delete_file(path: &str) -> IOResult<()> {
    let res = fs::remove_file(path);

@@ -339,6 +381,7 @@ pub fn get_uuid() -> String {

 use std::str::FromStr;

+#[inline]
 pub fn upcase_first(s: &str) -> String {
    let mut c = s.chars();
    match c.next() {
@@ -347,6 +390,15 @@ pub fn upcase_first(s: &str) -> String {
    }
 }

+#[inline]
+pub fn lcase_first(s: &str) -> String {
+    let mut c = s.chars();
+    match c.next() {
+        None => String::new(),
+        Some(f) => f.to_lowercase().collect::<String>() + c.as_str(),
+    }
+}
+
 pub fn try_parse_string<S, T>(string: Option<S>) -> Option<T>
 where
    S: AsRef<str>,
@@ -632,3 +684,46 @@ pub fn get_reqwest_client_builder() -> ClientBuilder {
    headers.insert(header::USER_AGENT, header::HeaderValue::from_static("Vaultwarden"));
    Client::builder().default_headers(headers).timeout(Duration::from_secs(10))
 }
+
+pub fn convert_json_key_lcase_first(src_json: Value) -> Value {
+    match src_json {
+        Value::Array(elm) => {
+            let mut new_array: Vec<Value> = Vec::with_capacity(elm.len());
+
+            for obj in elm {
+                new_array.push(convert_json_key_lcase_first(obj));
+            }
+            Value::Array(new_array)
+        }
+
+        Value::Object(obj) => {
+            let mut json_map = JsonMap::new();
+            for (key, value) in obj.iter() {
+                match (key, value) {
+                    (key, Value::Object(elm)) => {
+                        let inner_value = convert_json_key_lcase_first(Value::Object(elm.clone()));
+                        json_map.insert(lcase_first(key), inner_value);
+                    }
+
+                    (key, Value::Array(elm)) => {
+                        let mut inner_array: Vec<Value> = Vec::with_capacity(elm.len());
+
+                        for inner_obj in elm {
+                            inner_array.push(convert_json_key_lcase_first(inner_obj.clone()));
+                        }
+
+                        json_map.insert(lcase_first(key), Value::Array(inner_array));
+                    }
+
+                    (key, value) => {
+                        json_map.insert(lcase_first(key), value.clone());
+                    }
+                }
+            }
+
+            Value::Object(json_map)
+        }
+
+        value => value,
+    }
+}
@@ -1 +1 @@
 stable
 .64.0