Fix Org Import duplicate collections (#5200 )

This fixes an issue with collections be duplicated same as was an issue with folders. Also made some optimizations by using HashSet where possible and device the Vec/Hash capacity. And instead of passing objects only use the UUID which was the only value we needed. Also found an issue with importing a personal export via the Org import where folders are used. Since Org's do not use folder we needed to clear those out, same as Bitwarden does. Fixes #5193 Signed-off-by: BlackDex <black.dex@gmail.com>
Support SSH keys on desktop 2024.12 (#5187 )
2025-09-10 18:55:57 +03:00 · 2024-11-17 21:33:23 +01:00 · 2024-11-15 18:38:16 +01:00 · 2024-11-15 11:25:51 +01:00 · 2024-11-13 19:19:19 +01:00 · 2024-11-12 21:22:25 +01:00
32 changed files with 1121 additions and 519 deletions
--- a/.env.template
+++ b/.env.template
@@ -280,12 +280,13 @@
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000
-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true
 ## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
+## SMTP service is not configured and password hints are allowed.
-## as this provides unauthenticated access to potentially sensitive data.
+## Not recommended for publicly-accessible instances because this provides
 ## unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 #########################
@@ -347,7 +348,10 @@
 ## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
 ## - "autofill-v2": Use the new autofill implementation.
 ## - "browser-fileless-import": Directly import credentials from other providers without a file.
 ## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
 ## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
 ## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
 ## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 ## Require new device emails. When a user logs in an email is required to be sent.
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -55,9 +55,9 @@ dependencies = [
 [[package]]
 name = "allocator-api2"
-version = "0.2.18"
+version = "0.2.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c6cb57a04249c6480766f7f7cef5467412af1490f8d1e243141daddada3264f"
+checksum = "611cc2ae7d2e242c457e4be7f97036b8ad9ca152b499f53faf99b1ed8fc2553f"
 [[package]]
 name = "android-tzdata"
@@ -111,9 +111,9 @@ dependencies = [
 [[package]]
 name = "async-compression"
-version = "0.4.14"
+version = "0.4.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "998282f8f49ccd6116b0ed8a4de0fbd3151697920e7c7533416d6e25e76434a7"
+checksum = "0cb8f1d480b0ea3783ab015936d2a55c87e219676f0c0b7dec61494043f21857"
 dependencies = [
 "brotli",
 "flate2",
@@ -153,9 +153,9 @@ dependencies = [
 [[package]]
 name = "async-io"
-version = "2.3.4"
+version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "444b0228950ee6501b3568d3c93bf1176a1fdbc3b758dcd9475046d30f4dc7e8"
+checksum = "43a2b323ccce0a1d90b449fd71f2a06ca7faa7c54c2751f06c9bd851fc061059"
 dependencies = [
 "async-lock",
 "cfg-if",
@@ -352,9 +352,9 @@ checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
 [[package]]
 name = "bigdecimal"
-version = "0.4.5"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51d712318a27c7150326677b321a5fa91b55f6d9034ffd67f20319e147d40cee"
+checksum = "8f850665a0385e070b64c38d2354e6c104c8479c59868d1e48a0c13ee2c7a1c1"
 dependencies = [
 "autocfg",
 "libm",
@@ -441,9 +441,9 @@ checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
 [[package]]
 name = "bytemuck"
-version = "1.18.0"
+version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94bbb0ad554ad961ddc5da507a12a29b14e4ae5bda06b19f575a3e6079d2e2ae"
+checksum = "8334215b81e418a0a7bdb8ef0849474f40bb10c8b71f1c4ed315cff49f32494d"
 [[package]]
 name = "byteorder"
@@ -453,15 +453,15 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 [[package]]
 name = "bytes"
-version = "1.7.2"
+version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3"
+checksum = "9ac0150caa2ae65ca5bd83f25c7de183dea78d4d366469f148435e2acfbad0da"
 [[package]]
 name = "cached"
-version = "0.53.1"
+version = "0.54.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4d73155ae6b28cf5de4cfc29aeb02b8a1c6dab883cb015d15cd514e42766846"
+checksum = "9718806c4a2fe9e8a56fd736f97b340dd10ed1be8ed733ed50449f351dc33cae"
 dependencies = [
 "ahash",
 "async-trait",
@@ -495,9 +495,9 @@ checksum = "ade8366b8bd5ba243f0a58f036cc0ca8a2f069cff1a2351ef1cac6b083e16fc0"
 [[package]]
 name = "cc"
-version = "1.1.29"
+version = "1.1.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "58e804ac3194a48bb129643eb1d62fcc20d18c6b8c181704489353d13120bcd1"
+checksum = "40545c26d092346d8a8dab71ee48e7685a7a9cba76e634790c215b41a4a7b4cf"
 dependencies = [
 "shlex",
 ]
@@ -552,6 +552,12 @@ dependencies = [
 "stacker",
 ]
 [[package]]
 name = "codemap"
 version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9e769b5c8c8283982a987c6e948e540254f1058d5a74b8794914d4ef5fc2a24"
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -574,12 +580,13 @@ dependencies = [
 [[package]]
 name = "cookie_store"
-version = "0.21.0"
+version = "0.21.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4934e6b7e8419148b6ef56950d277af8561060b56afd59e2aadf98b59fce6baa"
+checksum = "2eac901828f88a5241ee0600950ab981148a18f2f756900ffba1b125ca6a3ef9"
 dependencies = [
 "cookie",
- "idna 0.5.0",
+ "document-features",
 "idna 1.0.3",
 "log",
 "publicsuffix",
 "serde",
@@ -685,19 +692,6 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "dashmap"
 version = "5.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "978747c1d849a7d2ee5e8adc0159961c48fb7e5db2f06af6723b80123bb53856"
 dependencies = [
 "cfg-if",
 "hashbrown 0.14.5",
 "lock_api",
 "once_cell",
 "parking_lot_core",
 ]
 [[package]]
 name = "dashmap"
 version = "6.1.0"
@@ -855,6 +849,15 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "document-features"
 version = "0.2.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cb6969eaabd2421f8a2775cfd2471a2b634372b4a25d41e3bd647b79912850a0"
 dependencies = [
 "litrs",
 ]
 [[package]]
 name = "dotenvy"
 version = "0.15.7"
@@ -902,9 +905,9 @@ dependencies = [
 [[package]]
 name = "encoding_rs"
-version = "0.8.34"
+version = "0.8.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b45de904aa0b010bce2ab45264d0631681847fa7b6f2eaa7dab7619943bc4f59"
+checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
 dependencies = [
 "cfg-if",
 ]
@@ -975,15 +978,15 @@ dependencies = [
 [[package]]
 name = "fastrand"
-version = "2.1.1"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e8c02a5121d4ea3eb16a80748c74f5549a5665e4c21333c6098f283870fbdea6"
+checksum = "486f806e73c5707928240ddc295403b1b93c96a02038563881c4a2fd84b81ac4"
 [[package]]
 name = "fern"
-version = "0.6.2"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9f0c14694cbd524c8720dd69b0e3179344f04ebb5f90f2e4a440c6ea3b2f1ee"
+checksum = "69ff9c9d5fb3e6da8ac2f77ab76fe7e8087d512ce095200f8f29ac5b656cf6dc"
 dependencies = [
 "libc",
 "log",
@@ -1095,9 +1098,9 @@ checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
 [[package]]
 name = "futures-lite"
-version = "2.3.0"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52527eb5074e35e9339c6b4e8d12600c7128b68fb25dcb9fa9dec18f7c25f3a5"
+checksum = "cef40d21ae2c515b51041df9ed313ed21e572df340ea58a922a0aefe7e8891a1"
 dependencies = [
 "fastrand",
 "futures-core",
@@ -1215,14 +1218,15 @@ dependencies = [
 [[package]]
 name = "governor"
-version = "0.6.3"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68a7f542ee6b35af73b06abc0dad1c1bae89964e4e253bc4b587b91c9637867b"
+checksum = "0746aa765db78b521451ef74221663b57ba595bf83f75d0ce23cc09447c8139f"
 dependencies = [
 "cfg-if",
- "dashmap 5.5.3",
+ "dashmap",
- "futures",
+ "futures-sink",
 "futures-timer",
 "futures-util",
 "no-std-compat",
 "nonzero_ext",
 "parking_lot",
@@ -1233,6 +1237,19 @@ dependencies = [
 "spinning_top",
 ]
 [[package]]
 name = "grass_compiler"
 version = "0.13.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d9e3df7f0222ce5184154973d247c591d9aadc28ce7a73c6cd31100c9facff6"
 dependencies = [
 "codemap",
 "indexmap",
 "lasso",
 "once_cell",
 "phf",
 ]
 [[package]]
 name = "h2"
 version = "0.3.26"
@@ -1279,11 +1296,12 @@ checksum = "1b43ede17f21864e81be2fa654110bf1e793774238d86ef8555c37e6519c0403"
 [[package]]
 name = "handlebars"
-version = "6.1.0"
+version = "6.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25b617d1375ef96eeb920ae717e3da34a02fc979fe632c75128350f9e1f74a"
+checksum = "fd4ccde012831f9a071a637b0d4e31df31c0f6c525784b35ae76a9ac6bc1e315"
 dependencies = [
 "log",
 "num-order",
 "pest",
 "pest_derive",
 "serde",
@@ -1304,9 +1322,9 @@ dependencies = [
 [[package]]
 name = "hashbrown"
-version = "0.15.0"
+version = "0.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e087f84d4f86bf4b218b927129862374b72199ae7d8657835f1e89000eea4fb"
+checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3"
 [[package]]
 name = "heck"
@@ -1413,9 +1431,9 @@ dependencies = [
 [[package]]
 name = "html5gum"
-version = "0.5.7"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c4e556171a058ba117bbe88b059fb37b6289023e007d2903ea6dca3a3cbff14"
+checksum = "91b361633dcc40096d01de35ed535b6089be91880be47b6fd8f560497af7f716"
 dependencies = [
 "jetscii",
 ]
@@ -1490,9 +1508,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 [[package]]
 name = "hyper"
-version = "0.14.30"
+version = "0.14.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a152ddd61dfaec7273fe8419ab357f33aee0d914c5f4efbf0d96fa749eea5ec9"
+checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85"
 dependencies = [
 "bytes",
 "futures-channel",
@@ -1514,9 +1532,9 @@ dependencies = [
 [[package]]
 name = "hyper"
-version = "1.4.1"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50dfd22e0e76d0f662d429a5f80fcaf3855009297eab6a0a9f8543834744ba05"
+checksum = "bbbff0a806a4728c99295b254c8838933b5b082d75e3cb70c8dab21fdfbcfa9a"
 dependencies = [
 "bytes",
 "futures-channel",
@@ -1540,9 +1558,9 @@ checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333"
 dependencies = [
 "futures-util",
 "http 1.1.0",
- "hyper 1.4.1",
+ "hyper 1.5.0",
 "hyper-util",
- "rustls 0.23.14",
+ "rustls 0.23.16",
 "rustls-pki-types",
 "tokio",
 "tokio-rustls 0.26.0",
@@ -1556,7 +1574,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
 dependencies = [
 "bytes",
- "hyper 0.14.30",
+ "hyper 0.14.31",
 "native-tls",
 "tokio",
 "tokio-native-tls",
@@ -1570,7 +1588,7 @@ checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
 dependencies = [
 "bytes",
 "http-body-util",
- "hyper 1.4.1",
+ "hyper 1.5.0",
 "hyper-util",
 "native-tls",
 "tokio",
@@ -1580,16 +1598,16 @@ dependencies = [
 [[package]]
 name = "hyper-util"
-version = "0.1.9"
+version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41296eb09f183ac68eec06e03cdbea2e759633d4067b2f6552fc2e009bcad08b"
+checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4"
 dependencies = [
 "bytes",
 "futures-channel",
 "futures-util",
 "http 1.1.0",
 "http-body 1.0.1",
- "hyper 1.4.1",
+ "hyper 1.5.0",
 "pin-project-lite",
 "socket2",
 "tokio",
@@ -1766,24 +1784,23 @@ dependencies = [
 [[package]]
 name = "idna"
-version = "0.5.0"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6"
+checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
 dependencies = [
- "unicode-bidi",
+ "idna_adapter",
- "unicode-normalization",
+ "smallvec",
 "utf8_iter",
 ]
 [[package]]
-name = "idna"
+name = "idna_adapter"
-version = "1.0.2"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd69211b9b519e98303c015e21a007e293db403b6c85b9b124e133d25e242cdd"
+checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71"
 dependencies = [
 "icu_normalizer",
 "icu_properties",
 "smallvec",
 "utf8_iter",
 ]
 [[package]]
@@ -1793,7 +1810,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da"
 dependencies = [
 "equivalent",
- "hashbrown 0.15.0",
+ "hashbrown 0.15.1",
 "serde",
 ]
@@ -1888,6 +1905,15 @@ dependencies = [
 "log",
 ]
 [[package]]
 name = "lasso"
 version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6e14eda50a3494b3bf7b9ce51c52434a761e383d7238ce1dd5dcec2fbc13e9fb"
 dependencies = [
 "hashbrown 0.14.5",
 ]
 [[package]]
 name = "lazy_static"
 version = "1.5.0"
@@ -1896,9 +1922,9 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 [[package]]
 name = "lettre"
-version = "0.11.9"
+version = "0.11.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69f204773bab09b150320ea1c83db41dc6ee606a4bc36dc1f43005fe7b58ce06"
+checksum = "0161e452348e399deb685ba05e55ee116cae9410f4f51fe42d597361444521d9"
 dependencies = [
 "async-std",
 "async-trait",
@@ -1911,7 +1937,7 @@ dependencies = [
 "futures-util",
 "hostname 0.4.0",
 "httpdate",
- "idna 1.0.2",
+ "idna 1.0.3",
 "mime",
 "native-tls",
 "nom",
@@ -1927,15 +1953,15 @@ dependencies = [
 [[package]]
 name = "libc"
-version = "0.2.159"
+version = "0.2.162"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5"
+checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398"
 [[package]]
 name = "libm"
-version = "0.2.8"
+version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058"
+checksum = "8355be11b20d696c8f18f6cc018c4e372165b1fa8126cef092399c9951984ffa"
 [[package]]
 name = "libmimalloc-sys"
@@ -1976,6 +2002,12 @@ version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704"
 [[package]]
 name = "litrs"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4ce301924b7887e9d637144fdade93f9dfff9b60981d4ac161db09720d39aa5"
 [[package]]
 name = "lock_api"
 version = "0.4.12"
@@ -2217,6 +2249,21 @@ dependencies = [
 "num-traits",
 ]
 [[package]]
 name = "num-modular"
 version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "17bb261bf36fa7d83f4c294f834e91256769097b3cb505d44831e0a179ac647f"
 [[package]]
 name = "num-order"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "537b596b97c40fcf8056d153049eb22f481c17ebce72a513ec9286e4986d1bb6"
 dependencies = [
 "num-modular",
 ]
 [[package]]
 name = "num-traits"
 version = "0.2.19"
@@ -2262,9 +2309,9 @@ checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
 [[package]]
 name = "openssl"
-version = "0.10.66"
+version = "0.10.68"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1"
+checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5"
 dependencies = [
 "bitflags 2.6.0",
 "cfg-if",
@@ -2294,18 +2341,18 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
 [[package]]
 name = "openssl-src"
-version = "300.3.2+3.3.2"
+version = "300.4.0+3.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a211a18d945ef7e648cc6e0058f4c548ee46aab922ea203e0d30e966ea23647b"
+checksum = "a709e02f2b4aca747929cca5ed248880847c650233cf8b8cdc48f40aaf4898a6"
 dependencies = [
 "cc",
 ]
 [[package]]
 name = "openssl-sys"
-version = "0.9.103"
+version = "0.9.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6"
+checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
 dependencies = [
 "cc",
 "libc",
@@ -2416,9 +2463,9 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
 [[package]]
 name = "pest"
-version = "2.7.13"
+version = "2.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fdbef9d1d47087a895abd220ed25eb4ad973a5e26f6a4367b038c25e28dfc2d9"
+checksum = "879952a81a83930934cbf1786752d6dedc3b1f29e8f8fb2ad1d0a36f377cf442"
 dependencies = [
 "memchr",
 "thiserror",
@@ -2427,9 +2474,9 @@ dependencies = [
 [[package]]
 name = "pest_derive"
-version = "2.7.13"
+version = "2.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d3a6e3394ec80feb3b6393c725571754c6188490265c61aaf260810d6b95aa0"
+checksum = "d214365f632b123a47fd913301e14c946c61d1c183ee245fa76eb752e59a02dd"
 dependencies = [
 "pest",
 "pest_generator",
@@ -2437,9 +2484,9 @@ dependencies = [
 [[package]]
 name = "pest_generator"
-version = "2.7.13"
+version = "2.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94429506bde1ca69d1b5601962c73f4172ab4726571a59ea95931218cb0e930e"
+checksum = "eb55586734301717aea2ac313f50b2eb8f60d2fc3dc01d190eefa2e625f60c4e"
 dependencies = [
 "pest",
 "pest_meta",
@@ -2450,9 +2497,9 @@ dependencies = [
 [[package]]
 name = "pest_meta"
-version = "2.7.13"
+version = "2.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac8a071862e93690b6e34e9a5fb8e33ff3734473ac0245b27232222c4906a33f"
+checksum = "b75da2a70cf4d9cb76833c990ac9cd3923c9a8905a8929789ce347c84564d03d"
 dependencies = [
 "once_cell",
 "pest",
@@ -2465,6 +2512,7 @@ version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ade2d8b8f33c7333b51bcf0428d37e217e9f32192ae4772156f65063b8ce03dc"
 dependencies = [
 "phf_macros",
 "phf_shared",
 ]
@@ -2488,6 +2536,19 @@ dependencies = [
 "rand",
 ]
 [[package]]
 name = "phf_macros"
 version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3444646e286606587e49f3bcf1679b8cef1dc2c5ecc29ddacaffc305180d464b"
 dependencies = [
 "phf_generator",
 "phf_shared",
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "phf_shared"
 version = "0.11.2"
@@ -2505,9 +2566,9 @@ checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315"
 [[package]]
 name = "pin-project-lite"
-version = "0.2.14"
+version = "0.2.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02"
+checksum = "915a1e146535de9163f3987b8944ed8cf49a18bb0056bcebcdcece385cece4ff"
 [[package]]
 name = "pin-utils"
@@ -2534,9 +2595,9 @@ checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
 [[package]]
 name = "polling"
-version = "3.7.3"
+version = "3.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc2790cd301dec6cd3b7a025e4815cf825724a51c98dccfe6a3e55f05ffb6511"
+checksum = "a604568c3202727d1507653cb121dbd627a58684eb09a820fd746bee38b4442f"
 dependencies = [
 "cfg-if",
 "concurrent-queue",
@@ -2579,9 +2640,9 @@ dependencies = [
 [[package]]
 name = "proc-macro2"
-version = "1.0.87"
+version = "1.0.89"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3e4daa0dcf6feba26f985457cdf104d4b4256fc5a09547140f3631bb076b19a"
+checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e"
 dependencies = [
 "unicode-ident",
 ]
@@ -2741,9 +2802,9 @@ dependencies = [
 [[package]]
 name = "regex"
-version = "1.11.0"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38200e5ee88914975b69f657f0801b6f6dccafd44fd9326302a4aaeecfacb1d8"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -2808,7 +2869,7 @@ dependencies = [
 "h2 0.3.26",
 "http 0.2.12",
 "http-body 0.4.6",
- "hyper 0.14.30",
+ "hyper 0.14.31",
 "hyper-tls 0.5.0",
 "ipnet",
 "js-sys",
@@ -2836,9 +2897,9 @@ dependencies = [
 [[package]]
 name = "reqwest"
-version = "0.12.8"
+version = "0.12.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f713147fbe92361e52392c73b8c9e48c04c6625bce969ef54dc901e58e042a7b"
+checksum = "a77c62af46e79de0a562e1a9849205ffcb7fc1238876e9bd743357570e04046f"
 dependencies = [
 "async-compression",
 "base64 0.22.1",
@@ -2852,7 +2913,7 @@ dependencies = [
 "http 1.1.0",
 "http-body 1.0.1",
 "http-body-util",
- "hyper 1.4.1",
+ "hyper 1.5.0",
 "hyper-rustls",
 "hyper-tls 0.6.0",
 "hyper-util",
@@ -2994,7 +3055,7 @@ dependencies = [
 "either",
 "futures",
 "http 0.2.12",
- "hyper 0.14.30",
+ "hyper 0.14.31",
 "indexmap",
 "log",
 "memchr",
@@ -3053,9 +3114,9 @@ checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
 [[package]]
 name = "rustix"
-version = "0.38.37"
+version = "0.38.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811"
+checksum = "99e4ea3e1cdc4b559b8e5650f9c8e5998e3e5c1343b4eaf034565f32318d63c0"
 dependencies = [
 "bitflags 2.6.0",
 "errno",
@@ -3078,9 +3139,9 @@ dependencies = [
 [[package]]
 name = "rustls"
-version = "0.23.14"
+version = "0.23.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "415d9944693cb90382053259f89fbb077ea730ad7273047ec63b19bc9b160ba8"
+checksum = "eee87ff5d9b36712a58574e12e9f0ea80f915a5b0ac518d322b24a465617925e"
 dependencies = [
 "once_cell",
 "rustls-pki-types",
@@ -3109,9 +3170,9 @@ dependencies = [
 [[package]]
 name = "rustls-pki-types"
-version = "1.9.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e696e35370c65c9c541198af4543ccd580cf17fc25d8e05c5a242b202488c55"
+checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b"
 [[package]]
 name = "rustls-webpki"
@@ -3136,9 +3197,9 @@ dependencies = [
 [[package]]
 name = "rustversion"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "955d28af4278de8121b7ebeb796b6a45735dc01436d898801014aced2773a3d6"
+checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248"
 [[package]]
 name = "ryu"
@@ -3210,9 +3271,9 @@ dependencies = [
 [[package]]
 name = "security-framework-sys"
-version = "2.12.0"
+version = "2.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea4a292869320c0272d7bc55a5a6aafaff59b4f63404a003887b679a2e05b4b6"
+checksum = "fa39c7303dc58b5543c94d22c1766b0d31f2ee58306363ea622b10bbc075eaa2"
 dependencies = [
 "core-foundation-sys",
 "libc",
@@ -3226,9 +3287,9 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
 [[package]]
 name = "serde"
-version = "1.0.210"
+version = "1.0.214"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
+checksum = "f55c3193aca71c12ad7890f1785d2b73e1b9f63a0bbc353c08ef26fe03fc56b5"
 dependencies = [
 "serde_derive",
 ]
@@ -3245,9 +3306,9 @@ dependencies = [
 [[package]]
 name = "serde_derive"
-version = "1.0.210"
+version = "1.0.214"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
+checksum = "de523f781f095e28fa605cdce0f8307e451cc0fd14e2eb4cd2e98a355b147766"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -3256,9 +3317,9 @@ dependencies = [
 [[package]]
 name = "serde_json"
-version = "1.0.128"
+version = "1.0.132"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8"
+checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03"
 dependencies = [
 "itoa",
 "memchr",
@@ -3452,9 +3513,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 [[package]]
 name = "syn"
-version = "2.0.79"
+version = "2.0.87"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89132cd0bf050864e1d38dc3bbc07a0eb8e7530af26344d3d2bbbef83499f590"
+checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -3544,9 +3605,9 @@ dependencies = [
 [[package]]
 name = "tempfile"
-version = "3.13.0"
+version = "3.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0f2c9fc62d0beef6951ccffd757e241266a2c833136efbe35af6cd2567dca5b"
+checksum = "28cce251fcbc87fac86a866eeb0d6c2d536fc16d06f184bb61aeae11aa4cee0c"
 dependencies = [
 "cfg-if",
 "fastrand",
@@ -3557,18 +3618,18 @@ dependencies = [
 [[package]]
 name = "thiserror"
-version = "1.0.64"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d50af8abc119fb8bb6dbabcfa89656f46f84aa0ac7688088608076ad2b459a84"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
 dependencies = [
 "thiserror-impl",
 ]
 [[package]]
 name = "thiserror-impl"
-version = "1.0.64"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08904e7672f5eb876eaaf87e0ce17857500934f4981c4a0ab2b4aa98baac7fc3"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -3654,9 +3715,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 [[package]]
 name = "tokio"
-version = "1.40.0"
+version = "1.41.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2b070231665d27ad9ec9b8df639893f46727666c6767db40317fbe920a5d998"
+checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33"
 dependencies = [
 "backtrace",
 "bytes",
@@ -3707,7 +3768,7 @@ version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
 dependencies = [
- "rustls 0.23.14",
+ "rustls 0.23.16",
 "rustls-pki-types",
 "tokio",
 ]
@@ -3965,12 +4026,12 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 [[package]]
 name = "url"
-version = "2.5.2"
+version = "2.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22784dbdf76fdde8af1aeda5622b546b422b6fc585325248a2bf9f5e41e94d6c"
+checksum = "8d157f1b96d14500ffdc1f10ba712e780825526c03d9a49b4d0324b0d9113ada"
 dependencies = [
 "form_urlencoded",
- "idna 0.5.0",
+ "idna 1.0.3",
 "percent-encoding",
 "serde",
 ]
@@ -3995,9 +4056,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 [[package]]
 name = "uuid"
-version = "1.10.0"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314"
+checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a"
 dependencies = [
 "getrandom",
 ]
@@ -4010,9 +4071,9 @@ checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
 [[package]]
 name = "value-bag"
-version = "1.9.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a84c137d37ab0142f0f2ddfe332651fdbf252e7b7dbb4e67b6c1f1b2e925101"
+checksum = "3ef4c4aa54d5d05a279399bfa921ec387b7aba77caf7a682ae8d86785b8fdad2"
 [[package]]
 name = "vaultwarden"
@@ -4026,7 +4087,7 @@ dependencies = [
 "chrono-tz",
 "cookie",
 "cookie_store",
- "dashmap 6.1.0",
+ "dashmap",
 "data-encoding",
 "data-url",
 "diesel",
@@ -4037,6 +4098,7 @@ dependencies = [
 "fern",
 "futures",
 "governor",
 "grass_compiler",
 "handlebars",
 "hickory-resolver",
 "html5gum",
@@ -4055,7 +4117,7 @@ dependencies = [
 "pico-args",
 "rand",
 "regex",
- "reqwest 0.12.8",
+ "reqwest 0.12.9",
 "ring",
 "rmpv",
 "rocket",
@@ -4182,9 +4244,9 @@ checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d"
 [[package]]
 name = "wasm-streams"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e072d4e72f700fb3443d8fe94a39315df013eef1104903cdb0a2abd322bbecd"
+checksum = "15053d8d85c7eccdbefef60f06769760a563c7f0a9d6902a13d35c7800b0ad65"
 dependencies = [
 "futures-util",
 "js-sys",
@@ -4234,9 +4296,9 @@ dependencies = [
 [[package]]
 name = "which"
-version = "6.0.3"
+version = "7.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4ee928febd44d98f2f459a4a79bd4d928591333a494a10a868418ac1b39cf1f"
+checksum = "c9cad3279ade7346b96e38731a641d7343dd6a53d55083dd54eadfa5a1b38c6b"
 dependencies = [
 "either",
 "home",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@ name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.79.0"
+rust-version = "1.80.0"
 resolver = "2"
 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -41,7 +41,7 @@ syslog = "6.1.1"
 [dependencies]
 # Logging
 log = "0.4.22"
-fern = { version = "0.6.2", features = ["syslog-6", "reopen-1"] }
+fern = { version = "0.7.0", features = ["syslog-6", "reopen-1"] }
 tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
 # A `dotenv` implementation for Rust
@@ -53,7 +53,7 @@ once_cell = "1.20.2"
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.5"
+bigdecimal = "0.4.6"
 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
@@ -67,11 +67,11 @@ dashmap = "6.1.0"
 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.40.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.41.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
 # A generic serialization/deserialization framework
-serde = { version = "1.0.210", features = ["derive"] }
+serde = { version = "1.0.214", features = ["derive"] }
-serde_json = "1.0.128"
+serde_json = "1.0.132"
 # A safe, extensible ORM and Query builder
 diesel = { version = "2.2.4", features = ["chrono", "r2d2", "numeric"] }
@@ -86,7 +86,7 @@ rand = { version = "0.8.5", features = ["small_rng"] }
 ring = "0.17.8"
 # UUID generation
-uuid = { version = "1.10.0", features = ["v4"] }
+uuid = { version = "1.11.0", features = ["v4"] }
 # Date and time libraries
 chrono = { version = "0.4.38", features = ["clock", "serde"], default-features = false }
@@ -112,42 +112,42 @@ yubico = { version = "0.11.0", features = ["online-tokio"], default-features = f
 webauthn-rs = "0.3.2"
 # Handling of URL's for WebAuthn and favicons
-url = "2.5.2"
+url = "2.5.3"
 # Email libraries
-lettre = { version = "0.11.9", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+lettre = { version = "0.11.10", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
 percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"
 # HTML Template library
-handlebars = { version = "6.1.0", features = ["dir_source"] }
+handlebars = { version = "6.2.0", features = ["dir_source"] }
 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.8", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
+reqwest = { version = "0.12.9", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
 hickory-resolver = "0.24.1"
 # Favicon extraction libraries
-html5gum = "0.5.7"
+html5gum = "0.6.1"
-regex = { version = "1.11.0", features = ["std", "perf", "unicode-perl"], default-features = false }
+regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.1"
-bytes = "1.7.2"
+bytes = "1.8.0"
 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.53.1", features = ["async"] }
+cached = { version = "0.54.0", features = ["async"] }
 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.21.0"
+cookie_store = "0.21.1"
 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.66"
+openssl = "0.10.68"
 # CLI argument parsing
 pico-args = "0.5.0"
 # Macro ident concatenation
 paste = "1.0.15"
-governor = "0.6.3"
+governor = "0.7.0"
 # Check client versions for specific features.
 semver = "1.0.23"
@@ -155,7 +155,7 @@ semver = "1.0.23"
 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
 mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true }
-which = "6.0.3"
+which = "7.0.0"
 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@@ -163,6 +163,9 @@ argon2 = "0.5.3"
 # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
 rpassword = "7.3.1"
 # Loading a dynamic CSS Stylesheet
 grass_compiler = { version = "0.13.4", default-features = false }
 # Strip debuginfo from the release builds
 # The symbols are the provide better panic traces
 # Also enable fat LTO and use 1 codegen unit for optimizations
--- a/README.md
+++ b/README.md
@@ -1,102 +1,144 @@
-### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+![Vaultwarden Logo](./resources/vaultwarden-logo-auto.svg)
-📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
+An alternative server implementation of the Bitwarden Client API, written in Rust and compatible with [official Bitwarden clients](https://bitwarden.com/download/) [[disclaimer](#disclaimer)], perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
 ---
 [![Build](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml/badge.svg)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml)
 [![ghcr.io](https://img.shields.io/badge/ghcr.io-download-blue)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
 [![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
 [![Quay.io](https://img.shields.io/badge/Quay.io-download-blue)](https://quay.io/repository/vaultwarden/server)
 [![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
 [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
 [![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
 [![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
-Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
+[![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg?style=for-the-badge&logo=vaultwarden&color=005AA4)](https://github.com/dani-garcia/vaultwarden/releases/latest)
 [![ghcr.io Pulls](https://img.shields.io/badge/dynamic/json?style=for-the-badge&logo=github&logoColor=fff&color=005AA4&url=https%3A%2F%2Fipitio.github.io%2Fbackage%2Fdani-garcia%2Fvaultwarden%2Fvaultwarden.json&query=%24.downloads&label=ghcr.io%20pulls&cacheSeconds=14400)](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden)
 [![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg?style=for-the-badge&logo=docker&logoColor=fff&color=005AA4&label=docker.io%20pulls)](https://hub.docker.com/r/vaultwarden/server)
 [![Quay.io](https://img.shields.io/badge/quay.io-download-005AA4?style=for-the-badge&logo=redhat&cacheSeconds=14400)](https://quay.io/repository/vaultwarden/server) <br>
 [![Contributors](https://img.shields.io/github/contributors-anon/dani-garcia/vaultwarden.svg?style=flat-square&logo=vaultwarden&color=005AA4)](https://github.com/dani-garcia/vaultwarden/graphs/contributors)
 [![Forks](https://img.shields.io/github/forks/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4)](https://github.com/dani-garcia/vaultwarden/network/members)
 [![Stars](https://img.shields.io/github/stars/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4)](https://github.com/dani-garcia/vaultwarden/stargazers)
 [![Issues Open](https://img.shields.io/github/issues/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4&cacheSeconds=300)](https://github.com/dani-garcia/vaultwarden/issues)
 [![Issues Closed](https://img.shields.io/github/issues-closed/dani-garcia/vaultwarden.svg?style=flat-square&logo=github&logoColor=fff&color=005AA4&cacheSeconds=300)](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue+is%3Aclosed)
 [![AGPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg?style=flat-square&logo=vaultwarden&color=944000&cacheSeconds=14400)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt) <br>
 [![Dependency Status](https://img.shields.io/badge/dynamic/xml?url=https%3A%2F%2Fdeps.rs%2Frepo%2Fgithub%2Fdani-garcia%2Fvaultwarden%2Fstatus.svg&query=%2F*%5Blocal-name()%3D'svg'%5D%2F*%5Blocal-name()%3D'g'%5D%5B2%5D%2F*%5Blocal-name()%3D'text'%5D%5B4%5D&style=flat-square&logo=rust&label=dependencies&color=005AA4)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
 [![GHA Release](https://img.shields.io/github/actions/workflow/status/dani-garcia/vaultwarden/release.yml?style=flat-square&logo=github&logoColor=fff&label=Release%20Workflow)](https://github.com/dani-garcia/vaultwarden/actions/workflows/release.yml)
 [![GHA Build](https://img.shields.io/github/actions/workflow/status/dani-garcia/vaultwarden/build.yml?style=flat-square&logo=github&logoColor=fff&label=Build%20Workflow)](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml) <br>
 [![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?style=flat-square&logo=matrix&logoColor=fff&color=953B00&cacheSeconds=14400)](https://matrix.to/#/#vaultwarden:matrix.org)
 [![GitHub Discussions](https://img.shields.io/github/discussions/dani-garcia/vaultwarden?style=flat-square&logo=github&logoColor=fff&color=953B00&cacheSeconds=300)](https://github.com/dani-garcia/vaultwarden/discussions)
 [![Discourse Discussions](https://img.shields.io/discourse/topics?server=https%3A%2F%2Fvaultwarden.discourse.group%2F&style=flat-square&logo=discourse&color=953B00)](https://vaultwarden.discourse.group/)
-**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
+> [!IMPORTANT]
 > **When using this server, please report any bugs or suggestions directly to us (see [Get in touch](#get-in-touch)), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official Bitwarden support channels.**
-#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+<br>
 ---
 ## Features
-Basically full implementation of Bitwarden API is provided including:
+A nearly complete implementation of the Bitwarden Client API is provided, including:
- * Organizations support
+ * [Personal Vault](https://bitwarden.com/help/managing-items/)
- * Attachments and Send
+ * [Send](https://bitwarden.com/help/about-send/)
- * Vault API support
+ * [Attachments](https://bitwarden.com/help/attachments/)
- * Serving the static files for Vault interface
+ * [Website icons](https://bitwarden.com/help/website-icons/)
- * Website icons API
+ * [Personal API Key](https://bitwarden.com/help/personal-api-key/)
- * Authenticator and U2F support
+ * [Organizations](https://bitwarden.com/help/getting-started-organizations/)
- * YubiKey and Duo support
+   - [Collections](https://bitwarden.com/help/about-collections/),
- * Emergency Access
+     [Password Sharing](https://bitwarden.com/help/sharing/),
     [Member Roles](https://bitwarden.com/help/user-types-access-control/),
     [Groups](https://bitwarden.com/help/about-groups/),
     [Event Logs](https://bitwarden.com/help/event-logs/),
     [Admin Password Reset](https://bitwarden.com/help/admin-reset/),
     [Directory Connector](https://bitwarden.com/help/directory-sync/),
     [Policies](https://bitwarden.com/help/policies/)
 * [Multi/Two Factor Authentication](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/)
   - [Authenticator](https://bitwarden.com/help/setup-two-step-login-authenticator/),
     [Email](https://bitwarden.com/help/setup-two-step-login-email/),
     [FIDO2 WebAuthn](https://bitwarden.com/help/setup-two-step-login-fido/),
     [YubiKey](https://bitwarden.com/help/setup-two-step-login-yubikey/),
     [Duo](https://bitwarden.com/help/setup-two-step-login-duo/)
 * [Emergency Access](https://bitwarden.com/help/emergency-access/)
 * [Vaultwarden Admin Backend](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page)
 * [Modified Web Vault client](https://github.com/dani-garcia/bw_web_builds) (Bundled within our containers)
-## Installation
+<br>
 Pull the docker image and mount a volume from the host for persistent storage:
 ```sh
 docker pull vaultwarden/server:latest
 docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest
 ```
 This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.
 **IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
 This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
 If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
 ## Usage
-See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server.
+
 > [!IMPORTANT]
 > Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
 >
 >This can be configured in [Vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
 >
 >If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy or Traefik (see examples linked above).
 > [!TIP]
 >**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).**
 The main way to use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server).
 There are also [community driven packages](https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages) which can be used, but those might be lagging behind the latest version or might deviate in the way Vaultwarden is configured, as described in our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).
 ### Docker/Podman CLI
 Pull the container image and mount a volume from the host for persistent storage.<br>
 You can replace `docker` with `podman` if you prefer to use podman.
 ```shell
 docker pull vaultwarden/server:latest
 docker run --detach --name vaultwarden \
  --env DOMAIN="https://vw.domain.tld" \
  --volume /vw-data/:/data/ \
  --restart unless-stopped \
  --publish 80:80 \
  vaultwarden/server:latest
 ```
 This will preserve any persistent data under `/vw-data/`, you can adapt the path to whatever suits you.
 ### Docker Compose
 To use Docker compose you need to create a `compose.yaml` which will hold the configuration to run the Vaultwarden container.
 ```yaml
 services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vw.domain.tld"
    volumes:
      - ./vw-data/:/data/
    ports:
      - 80:80
 ```
 <br>
 ## Get in touch
 To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/).
-If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though!
+Have a question, suggestion or need help? Join our community on [Matrix](https://matrix.to/#/#vaultwarden:matrix.org), [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [Discourse Forums](https://vaultwarden.discourse.group/).
-If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us!
+Encountered a bug or crash? Please search our issue tracker and discussions to see if it's already been reported. If not, please [start a new discussion](https://github.com/dani-garcia/vaultwarden/discussions) or [create a new issue](https://github.com/dani-garcia/vaultwarden/issues/). Ensure you're using the latest version of Vaultwarden and there aren't any similar issues open or closed!
 <br>
 ## Contributors
 ### Sponsors
 Thanks for your contribution to the project!
-<!--
+[![Contributors Count](https://img.shields.io/github/contributors-anon/dani-garcia/vaultwarden?style=for-the-badge&logo=vaultwarden&color=005AA4)](https://github.com/dani-garcia/vaultwarden/graphs/contributors)<br>
-<table>
+[![Contributors Avatars](https://contributors-img.web.app/image?repo=dani-garcia/vaultwarden)](https://github.com/dani-garcia/vaultwarden/graphs/contributors)
  <tr>
    <td align="center">
      <a href="https://github.com/username">
        <img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/>
        <br />
        <sub><b>username</b></sub>
      </a>
  </td>
  </tr>
 </table>
-<br/>
+<br>
 -->
-<table>
+## Disclaimer
-  <tr>
+
-    <td align="center">
+**This project is not associated with [Bitwarden](https://bitwarden.com/) or Bitwarden, Inc.**
-       <a href="https://github.com/themightychris" style="width: 75px">
+
-        <sub><b>Chris Alfano</b></sub>
+However, one of the active maintainers for Vaultwarden is employed by Bitwarden and is allowed to contribute to the project on their own time. These contributions are independent of Bitwarden and are reviewed by other maintainers.
-      </a>
+
-    </td>
+The maintainers work together to set the direction for the project, focusing on serving the self-hosting community, including individuals, families, and small organizations, while ensuring the project's sustainability.
-  </tr>
+
-  <tr>
+**Please note:** We cannot be held liable for any data loss that may occur while using Vaultwarden. This includes passwords, attachments, and other information handled by the application. We highly recommend performing regular backups of your files and database. However, should you experience data loss, we encourage you to contact us immediately.
-    <td align="center">
+
-      <a href="https://github.com/numberly" style="width: 75px">
+<br>
-        <sub><b>Numberly</b></sub>
+
-      </a>
+## Bitwarden_RS
-    </td>
+
-  </tr>
+This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues.<br>
-  <tr>
+Please see [#1642 - v1.21.0 release and project rename to Vaultwarden](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
    <td align="center">
      <a href="https://github.com/IQ333777" style="width: 75px">
        <sub><b>IQ333777</b></sub>
      </a>
    </td>
  </tr>
 </table>
--- a/docker/DockerSettings.yaml
+++ b/docker/DockerSettings.yaml
@@ -5,7 +5,7 @@ vault_image_digest: "sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf716
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa"
-rust_version: 1.81.0 # Rust version to be used
+rust_version: 1.82.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
 alpine_version: "3.20" # Alpine version to be used
 # For which platforms/architectures will we try to build images
--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@@ -32,10 +32,10 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.81.0 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.82.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.81.0 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.82.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.81.0 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.82.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.81.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.82.0 AS build_armv6
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:1978e7a58a1777cb0ef0d
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.81.0-slim-bookworm AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.82.0-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
--- a/resources/vaultwarden-logo-auto.svg
+++ b/resources/vaultwarden-logo-auto.svg
@@ -0,0 +1,78 @@
 <svg width="1365.8256" height="280.48944" version="1.1" viewBox="0 0 1365.8255 280.48944" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
 <style>
@media (prefers-color-scheme: dark) {
  svg { -webkit-filter:invert(0.90); filter:invert(0.90); }
 }</style>
 <title>Vaultwarden Logo</title>
 <defs>
 <mask id="d">
 <rect x="-60" y="-60" width="120" height="120" fill="#fff"/>
 <circle id="b" cy="-40" r="3"/>
 <use transform="rotate(72)" xlink:href="#b"/>
 <use transform="rotate(144)" xlink:href="#b"/>
 <use transform="rotate(216)" xlink:href="#b"/>
 <use transform="rotate(-72)" xlink:href="#b"/>
 </mask>
 </defs>
 <g transform="translate(-10.708266,-9.2965379)" aria-label="aultwarden">
 <path d="m371.55338 223.43649-5.76172-14.84375h-0.78125q-7.51953 9.47266-15.52735 13.1836-7.91015 3.61328-20.70312 3.61328-15.72266 0-24.80469-8.98438-8.98437-8.98437-8.98437-25.58593 0-17.38282 12.10937-25.58594 12.20703-8.30078 36.71875-9.17969l18.94531-0.58594v-4.78515q0-16.60157-16.99218-16.60157-13.08594 0-30.76172 7.91016l-9.86328-20.11719q18.84765-9.86328 41.79687-9.86328 21.97266 0 33.69141 9.57031 11.71875 9.57032 11.71875 29.10157v72.7539zm-8.78907-50.58593-11.52343 0.39062q-12.98829 0.39063-19.33594 4.6875-6.34766 4.29688-6.34766 13.08594 0 12.59765 14.45313 12.59765 10.35156 0 16.5039-5.95703 6.25-5.95703 6.25-15.82031zm137.59766 50.58593-4.00391-13.96484h-1.5625q-4.78515 7.61719-13.57422 11.81641-8.78906 4.10156-20.01953 4.10156-19.23828 0-29.0039-10.25391-9.76563-10.35156-9.76563-29.6875v-71.1914h29.78516v63.76953q0 11.8164 4.19922 17.77343 4.19922 5.85938 13.3789 5.85938 12.5 0 18.06641-8.30078 5.56641-8.39844 5.56641-27.73438v-51.36718h29.78515v109.17968zm83.88672 0h-29.78516v-151.953122h29.78516zm77.24609-21.77734q7.8125 0 18.75-3.41797v22.16797q-11.13281 4.98047-27.34375 4.98047-17.87109 0-26.07422-8.98438-8.10547-9.08203-8.10547-27.14843v-52.63672h-14.25781v-12.59766l16.40625-9.96094 8.59375-23.046872h19.04297v23.242192h30.56641v22.36328h-30.56641v52.63672q0 6.34765 3.51563 9.375 3.61328 3.02734 9.47265 3.02734z"/>
 <path d="m791.27994 223.43649-19.62891-62.79297q-1.85547-5.76171-6.93359-26.17187h-0.78125q-3.90625 17.08984-6.83594 26.36719l-20.21484 62.59765h-18.75l-29.19922-107.03125h16.99219q10.35156 40.33203 15.72265 61.42578 5.46875 21.09375 6.25 28.41797h0.78125q1.07422-5.5664 3.41797-14.35547 2.44141-8.88671 4.19922-14.0625l19.62891-61.42578h17.57812l19.14063 61.42578q5.46875 16.79688 7.42187 28.22266h0.78125q0.39063-3.51562 2.05078-10.83984 1.75781-7.32422 20.41016-78.8086h16.79687l-29.58984 107.03125zm133.98437 0-3.22265-15.23437h-0.78125q-8.00782 10.05859-16.01563 13.67187-7.91015 3.51563-19.82422 3.51563-15.91797 0-25-8.20313-8.98437-8.20312-8.98437-23.33984 0-32.42188 51.85547-33.98438l18.16406-0.58593v-6.64063q0-12.59765-5.46875-18.55469-5.37109-6.05468-17.28516-6.05468-13.3789 0-30.27343 8.20312l-4.98047-12.40234q7.91015-4.29688 17.28515-6.73828 9.47266-2.44141 18.94532-2.44141 19.14062 0 28.32031 8.49609 9.27734 8.4961 9.27734 27.2461v73.04687zm-36.62109-11.42578q15.13672 0 23.73047-8.30078 8.6914-8.30078 8.6914-23.24219v-9.66797l-16.21093 0.6836q-19.33594 0.68359-27.92969 6.05469-8.49609 5.27343-8.49609 16.5039 0 8.78906 5.27343 13.37891 5.3711 4.58984 14.94141 4.58984zm130.85938-97.55859q7.1289 0 12.793 1.17187l-2.2461 15.03907q-6.6407-1.46485-11.7188-1.46485-12.9883 0-22.26561 10.54688-9.17968 10.54687-9.17968 26.26953v57.42187h-16.21094v-107.03125h13.37891l1.85546 19.82422h0.78125q5.95704-10.44922 14.35551-16.11328 8.3984-5.66406 18.457-5.66406zm101.6602 94.6289h-0.879q-11.2304 16.3086-33.5937 16.3086-20.9961 0-32.7148-14.35547-11.6211-14.35547-11.6211-40.82031 0-26.46485 11.7187-41.11328 11.7188-14.64844 32.6172-14.64844 21.7773 0 33.3984 15.82031h1.2696l-0.6836-7.71484-0.3907-7.51953v-43.554692h16.211v151.953122h-13.1836zm-32.4219 2.73438q16.6015 0 24.0234-8.98438 7.5195-9.08203 7.5195-29.19921v-3.41797q0-22.75391-7.6171-32.42188-7.5196-9.76562-24.1211-9.76562-14.2578 0-21.875 11.13281-7.5196 11.03516-7.5196 31.25 0 20.50781 7.5196 30.95703 7.5195 10.44922 22.0703 10.44922zm127.3437 13.57422q-23.7304 0-37.5-14.45313-13.6718-14.45312-13.6718-40.13672 0-25.8789 12.6953-41.11328 12.7929-15.23437 34.2773-15.23437 20.1172 0 31.8359 13.28125 11.7188 13.18359 11.7188 34.86328v10.25391h-73.7305q0.4883 18.84765 9.4727 28.61328 9.082 9.76562 25.4883 9.76562 17.2851 0 34.1797-7.22656v14.45312q-8.5938 3.71094-16.3086 5.27344-7.6172 1.66016-18.4571 1.66016zm-4.3945-97.36328q-12.8906 0-20.6055 8.39843-7.6172 8.39844-8.9843 23.24219h55.957q0-15.33203-6.836-23.4375-6.8359-8.20312-19.5312-8.20312zm144.6289 95.41015v-69.23828q0-13.08594-5.957-19.53125-5.9571-6.44531-18.6524-6.44531-16.7968 0-24.6093 9.08203t-7.8125 29.98047v56.15234h-16.211v-107.03125h13.1836l2.6367 14.64844h0.7813q4.9804-7.91016 13.9648-12.20703 8.9844-4.39453 20.0196-4.39453 19.3359 0 29.1015 9.375 9.7656 9.27734 9.7656 29.78515v69.82422z"/>
 </g>
 <g transform="translate(-10.708266,-9.2965379)">
 <g id="e" transform="matrix(2.6712834,0,0,2.6712834,150.95027,149.53854)">
 <g id="f" mask="url(#d)">
 <path d="m-31.1718-33.813208 26.496029 74.188883h9.3515399l26.49603-74.188883h-9.767164l-16.728866 47.588948q-1.662496 4.571864-2.805462 8.624198-1.142966 3.948427-1.870308 7.585137-.72734199-3.63671-1.8703079-7.689043-1.142966-4.052334-2.805462-8.728104l-16.624959-47.381136z" stroke="#000" stroke-width="4.51171"/>
 <circle transform="scale(-1,1)" r="43" fill="none" stroke="#000" stroke-width="9"/>
 <g id="g" transform="scale(-1,1)">
 <polygon id="a" points="46 -3 46 3 51 0" stroke="#000" stroke-linejoin="round" stroke-width="3"/>
 <use transform="rotate(11.25)" xlink:href="#a"/>
 <use transform="rotate(22.5)" xlink:href="#a"/>
 <use transform="rotate(33.75)" xlink:href="#a"/>
 <use transform="rotate(45)" xlink:href="#a"/>
 <use transform="rotate(56.25)" xlink:href="#a"/>
 <use transform="rotate(67.5)" xlink:href="#a"/>
 <use transform="rotate(78.75)" xlink:href="#a"/>
 <use transform="rotate(90)" xlink:href="#a"/>
 <use transform="rotate(101.25)" xlink:href="#a"/>
 <use transform="rotate(112.5)" xlink:href="#a"/>
 <use transform="rotate(123.75)" xlink:href="#a"/>
 <use transform="rotate(135)" xlink:href="#a"/>
 <use transform="rotate(146.25)" xlink:href="#a"/>
 <use transform="rotate(157.5)" xlink:href="#a"/>
 <use transform="rotate(168.75)" xlink:href="#a"/>
 <use transform="scale(-1)" xlink:href="#a"/>
 <use transform="rotate(191.25)" xlink:href="#a"/>
 <use transform="rotate(202.5)" xlink:href="#a"/>
 <use transform="rotate(213.75)" xlink:href="#a"/>
 <use transform="rotate(225)" xlink:href="#a"/>
 <use transform="rotate(236.25)" xlink:href="#a"/>
 <use transform="rotate(247.5)" xlink:href="#a"/>
 <use transform="rotate(258.75)" xlink:href="#a"/>
 <use transform="rotate(-90)" xlink:href="#a"/>
 <use transform="rotate(-78.75)" xlink:href="#a"/>
 <use transform="rotate(-67.5)" xlink:href="#a"/>
 <use transform="rotate(-56.25)" xlink:href="#a"/>
 <use transform="rotate(-45)" xlink:href="#a"/>
 <use transform="rotate(-33.75)" xlink:href="#a"/>
 <use transform="rotate(-22.5)" xlink:href="#a"/>
 <use transform="rotate(-11.25)" xlink:href="#a"/>
 </g>
 <g id="h" transform="scale(-1,1)">
 <polygon id="c" points="7 -42 -7 -42 0 -35" stroke="#000" stroke-linejoin="round" stroke-width="6"/>
 <use transform="rotate(72)" xlink:href="#c"/>
 <use transform="rotate(144)" xlink:href="#c"/>
 <use transform="rotate(216)" xlink:href="#c"/>
 <use transform="rotate(-72)" xlink:href="#c"/>
 </g>
 </g>
 <mask>
 <rect x="-60" y="-60" width="120" height="120" fill="#fff"/>
 <circle cy="-40" r="3"/>
 <use transform="rotate(72)" xlink:href="#b"/>
 <use transform="rotate(144)" xlink:href="#b"/>
 <use transform="rotate(216)" xlink:href="#b"/>
 <use transform="rotate(-72)" xlink:href="#b"/>
 </mask>
 </g>
 </g>
 </svg>
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.81.0"
+channel = "1.82.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -1,5 +1,7 @@
 use std::collections::HashSet;
 use crate::db::DbPool;
-use chrono::{SecondsFormat, Utc};
+use chrono::Utc;
 use rocket::serde::json::Json;
 use serde_json::Value;
@@ -13,7 +15,7 @@ use crate::{
    crypto,
    db::{models::*, DbConn},
    mail,
-    util::NumberOrString,
+    util::{format_date, NumberOrString},
    CONFIG,
 };
@@ -477,6 +479,60 @@ struct KeyData {
    private_key: String,
 }
 fn validate_keydata(
    data: &KeyData,
    existing_ciphers: &[Cipher],
    existing_folders: &[Folder],
    existing_emergency_access: &[EmergencyAccess],
    existing_user_orgs: &[UserOrganization],
    existing_sends: &[Send],
 ) -> EmptyResult {
    // Check that we're correctly rotating all the user's ciphers
    let existing_cipher_ids = existing_ciphers.iter().map(|c| c.uuid.as_str()).collect::<HashSet<_>>();
    let provided_cipher_ids = data
        .ciphers
        .iter()
        .filter(|c| c.organization_id.is_none())
        .filter_map(|c| c.id.as_deref())
        .collect::<HashSet<_>>();
    if !provided_cipher_ids.is_superset(&existing_cipher_ids) {
        err!("All existing ciphers must be included in the rotation")
    }
    // Check that we're correctly rotating all the user's folders
    let existing_folder_ids = existing_folders.iter().map(|f| f.uuid.as_str()).collect::<HashSet<_>>();
    let provided_folder_ids = data.folders.iter().filter_map(|f| f.id.as_deref()).collect::<HashSet<_>>();
    if !provided_folder_ids.is_superset(&existing_folder_ids) {
        err!("All existing folders must be included in the rotation")
    }
    // Check that we're correctly rotating all the user's emergency access keys
    let existing_emergency_access_ids =
        existing_emergency_access.iter().map(|ea| ea.uuid.as_str()).collect::<HashSet<_>>();
    let provided_emergency_access_ids =
        data.emergency_access_keys.iter().map(|ea| ea.id.as_str()).collect::<HashSet<_>>();
    if !provided_emergency_access_ids.is_superset(&existing_emergency_access_ids) {
        err!("All existing emergency access keys must be included in the rotation")
    }
    // Check that we're correctly rotating all the user's reset password keys
    let existing_reset_password_ids = existing_user_orgs.iter().map(|uo| uo.org_uuid.as_str()).collect::<HashSet<_>>();
    let provided_reset_password_ids =
        data.reset_password_keys.iter().map(|rp| rp.organization_id.as_str()).collect::<HashSet<_>>();
    if !provided_reset_password_ids.is_superset(&existing_reset_password_ids) {
        err!("All existing reset password keys must be included in the rotation")
    }
    // Check that we're correctly rotating all the user's sends
    let existing_send_ids = existing_sends.iter().map(|s| s.uuid.as_str()).collect::<HashSet<_>>();
    let provided_send_ids = data.sends.iter().filter_map(|s| s.id.as_deref()).collect::<HashSet<_>>();
    if !provided_send_ids.is_superset(&existing_send_ids) {
        err!("All existing sends must be included in the rotation")
    }
    Ok(())
 }
 #[post("/accounts/key", data = "<data>")]
 async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    // TODO: See if we can wrap everything within a SQL Transaction. If something fails it should revert everything.
@@ -494,20 +550,35 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    let user_uuid = &headers.user.uuid;
    // TODO: Ideally we'd do everything after this point in a single transaction.
    let mut existing_ciphers = Cipher::find_owned_by_user(user_uuid, &mut conn).await;
    let mut existing_folders = Folder::find_by_user(user_uuid, &mut conn).await;
    let mut existing_emergency_access = EmergencyAccess::find_all_by_grantor_uuid(user_uuid, &mut conn).await;
    let mut existing_user_orgs = UserOrganization::find_by_user(user_uuid, &mut conn).await;
    // We only rotate the reset password key if it is set.
    existing_user_orgs.retain(|uo| uo.reset_password_key.is_some());
    let mut existing_sends = Send::find_by_user(user_uuid, &mut conn).await;
    validate_keydata(
        &data,
        &existing_ciphers,
        &existing_folders,
        &existing_emergency_access,
        &existing_user_orgs,
        &existing_sends,
    )?;
    // Update folder data
    for folder_data in data.folders {
        // Skip `null` folder id entries.
        // See: https://github.com/bitwarden/clients/issues/8453
        if let Some(folder_id) = folder_data.id {
-            let mut saved_folder = match Folder::find_by_uuid(&folder_id, &mut conn).await {
+            let saved_folder = match existing_folders.iter_mut().find(|f| f.uuid == folder_id) {
                Some(folder) => folder,
                None => err!("Folder doesn't exist"),
            };
            if &saved_folder.user_uuid != user_uuid {
                err!("The folder is not owned by the user")
            }
            saved_folder.name = folder_data.name;
            saved_folder.save(&mut conn).await?
        }
@@ -515,9 +586,8 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    // Update emergency access data
    for emergency_access_data in data.emergency_access_keys {
-        let mut saved_emergency_access =
+        let saved_emergency_access =
-            match EmergencyAccess::find_by_uuid_and_grantor_uuid(&emergency_access_data.id, user_uuid, &mut conn).await
+            match existing_emergency_access.iter_mut().find(|ea| ea.uuid == emergency_access_data.id) {
            {
                Some(emergency_access) => emergency_access,
                None => err!("Emergency access doesn't exist or is not owned by the user"),
            };
@@ -528,13 +598,11 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    // Update reset password data
    for reset_password_data in data.reset_password_keys {
-        let mut user_org =
+        let user_org = match existing_user_orgs.iter_mut().find(|uo| uo.org_uuid == reset_password_data.organization_id)
-            match UserOrganization::find_by_user_and_org(user_uuid, &reset_password_data.organization_id, &mut conn)
+        {
-                .await
+            Some(reset_password) => reset_password,
-            {
+            None => err!("Reset password doesn't exist"),
-                Some(reset_password) => reset_password,
+        };
                None => err!("Reset password doesn't exist"),
            };
        user_org.reset_password_key = Some(reset_password_data.reset_password_key);
        user_org.save(&mut conn).await?
@@ -542,12 +610,12 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    // Update send data
    for send_data in data.sends {
-        let mut send = match Send::find_by_uuid(send_data.id.as_ref().unwrap(), &mut conn).await {
+        let send = match existing_sends.iter_mut().find(|s| &s.uuid == send_data.id.as_ref().unwrap()) {
            Some(send) => send,
            None => err!("Send doesn't exist"),
        };
-        update_send_from_data(&mut send, send_data, &headers, &mut conn, &nt, UpdateType::None).await?;
+        update_send_from_data(send, send_data, &headers, &mut conn, &nt, UpdateType::None).await?;
    }
    // Update cipher data
@@ -555,20 +623,15 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, mut conn: DbConn,
    for cipher_data in data.ciphers {
        if cipher_data.organization_id.is_none() {
-            let mut saved_cipher = match Cipher::find_by_uuid(cipher_data.id.as_ref().unwrap(), &mut conn).await {
+            let saved_cipher = match existing_ciphers.iter_mut().find(|c| &c.uuid == cipher_data.id.as_ref().unwrap()) {
                Some(cipher) => cipher,
                None => err!("Cipher doesn't exist"),
            };
            if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid {
                err!("The cipher is not owned by the user")
            }
            // Prevent triggering cipher updates via WebSockets by settings UpdateType::None
            // The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues.
            // We force the users to logout after the user has been saved to try and prevent these issues.
-            update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, None, &mut conn, &nt, UpdateType::None)
+            update_cipher_from_data(saved_cipher, cipher_data, &headers, None, &mut conn, &nt, UpdateType::None).await?
                .await?
        }
    }
@@ -842,7 +905,7 @@ struct PasswordHintData {
 #[post("/accounts/password-hint", data = "<data>")]
 async fn password_hint(data: Json<PasswordHintData>, mut conn: DbConn) -> EmptyResult {
-    if !CONFIG.mail_enabled() && !CONFIG.show_password_hint() {
+    if !CONFIG.password_hints_allowed() || (!CONFIG.mail_enabled() && !CONFIG.show_password_hint()) {
        err!("This server is not configured to provide password hints.");
    }
@@ -901,14 +964,12 @@ pub async fn _prelogin(data: Json<PreloginData>, mut conn: DbConn) -> Json<Value
        None => (User::CLIENT_KDF_TYPE_DEFAULT, User::CLIENT_KDF_ITER_DEFAULT, None, None),
    };
-    let result = json!({
+    Json(json!({
        "kdf": kdf_type,
        "kdfIterations": kdf_iter,
        "kdfMemory": kdf_mem,
        "kdfParallelism": kdf_para,
-    });
+    }))
    Json(result)
 }
 // https://github.com/bitwarden/server/blob/master/src/Api/Models/Request/Accounts/SecretVerificationRequestModel.cs
@@ -1084,14 +1145,15 @@ struct AuthRequestRequest {
    device_identifier: String,
    email: String,
    public_key: String,
-    #[serde(alias = "type")]
+    // Not used for now
-    _type: i32,
+    // #[serde(alias = "type")]
    // _type: i32,
 }
 #[post("/auth-requests", data = "<data>")]
 async fn post_auth_request(
    data: Json<AuthRequestRequest>,
-    headers: ClientHeaders,
+    client_headers: ClientHeaders,
    mut conn: DbConn,
    nt: Notify<'_>,
 ) -> JsonResult {
@@ -1099,16 +1161,20 @@ async fn post_auth_request(
    let user = match User::find_by_mail(&data.email, &mut conn).await {
        Some(user) => user,
-        None => {
+        None => err!("AuthRequest doesn't exist", "User not found"),
            err!("AuthRequest doesn't exist")
        }
    };
    // Validate device uuid and type
    match Device::find_by_uuid_and_user(&data.device_identifier, &user.uuid, &mut conn).await {
        Some(device) if device.atype == client_headers.device_type => {}
        _ => err!("AuthRequest doesn't exist", "Device verification failed"),
    }
    let mut auth_request = AuthRequest::new(
        user.uuid.clone(),
        data.device_identifier.clone(),
-        headers.device_type,
+        client_headers.device_type,
-        headers.ip.ip.to_string(),
+        client_headers.ip.ip.to_string(),
        data.access_code,
        data.public_key,
    );
@@ -1123,7 +1189,7 @@ async fn post_auth_request(
        "requestIpAddress": auth_request.request_ip,
        "key": null,
        "masterPasswordHash": null,
-        "creationDate": auth_request.creation_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true),
+        "creationDate": format_date(&auth_request.creation_date),
        "responseDate": null,
        "requestApproved": false,
        "origin": CONFIG.domain_origin(),
@@ -1132,33 +1198,31 @@ async fn post_auth_request(
 }
 #[get("/auth-requests/<uuid>")]
-async fn get_auth_request(uuid: &str, mut conn: DbConn) -> JsonResult {
+async fn get_auth_request(uuid: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
    let auth_request = match AuthRequest::find_by_uuid(uuid, &mut conn).await {
        Some(auth_request) => auth_request,
-        None => {
+        None => err!("AuthRequest doesn't exist", "Record not found"),
            err!("AuthRequest doesn't exist")
        }
    };
-    let response_date_utc = auth_request
+    if headers.user.uuid != auth_request.user_uuid {
-        .response_date
+        err!("AuthRequest doesn't exist", "User uuid's do not match")
-        .map(|response_date| response_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true));
+    }
-    Ok(Json(json!(
+    let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
-        {
+
-            "id": uuid,
+    Ok(Json(json!({
-            "publicKey": auth_request.public_key,
+        "id": uuid,
-            "requestDeviceType": DeviceType::from_i32(auth_request.device_type).to_string(),
+        "publicKey": auth_request.public_key,
-            "requestIpAddress": auth_request.request_ip,
+        "requestDeviceType": DeviceType::from_i32(auth_request.device_type).to_string(),
-            "key": auth_request.enc_key,
+        "requestIpAddress": auth_request.request_ip,
-            "masterPasswordHash": auth_request.master_password_hash,
+        "key": auth_request.enc_key,
-            "creationDate": auth_request.creation_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true),
+        "masterPasswordHash": auth_request.master_password_hash,
-            "responseDate": response_date_utc,
+        "creationDate": format_date(&auth_request.creation_date),
-            "requestApproved": auth_request.approved,
+        "responseDate": response_date_utc,
-            "origin": CONFIG.domain_origin(),
+        "requestApproved": auth_request.approved,
-            "object":"auth-request"
+        "origin": CONFIG.domain_origin(),
-        }
+        "object":"auth-request"
-    )))
+    })))
 }
 #[derive(Debug, Deserialize)]
@@ -1174,6 +1238,7 @@ struct AuthResponseRequest {
 async fn put_auth_request(
    uuid: &str,
    data: Json<AuthResponseRequest>,
    headers: Headers,
    mut conn: DbConn,
    ant: AnonymousNotify<'_>,
    nt: Notify<'_>,
@@ -1181,75 +1246,84 @@ async fn put_auth_request(
    let data = data.into_inner();
    let mut auth_request: AuthRequest = match AuthRequest::find_by_uuid(uuid, &mut conn).await {
        Some(auth_request) => auth_request,
-        None => {
+        None => err!("AuthRequest doesn't exist", "Record not found"),
            err!("AuthRequest doesn't exist")
        }
    };
-    auth_request.approved = Some(data.request_approved);
+    if headers.user.uuid != auth_request.user_uuid {
-    auth_request.enc_key = Some(data.key);
+        err!("AuthRequest doesn't exist", "User uuid's do not match")
    auth_request.master_password_hash = data.master_password_hash;
    auth_request.response_device_id = Some(data.device_identifier.clone());
    auth_request.save(&mut conn).await?;
    if auth_request.approved.unwrap_or(false) {
        ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
        nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, data.device_identifier, &mut conn).await;
    }
-    let response_date_utc = auth_request
+    if auth_request.approved.is_some() {
-        .response_date
+        err!("An authentication request with the same device already exists")
-        .map(|response_date| response_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true));
+    }
-    Ok(Json(json!(
+    let response_date = Utc::now().naive_utc();
-        {
+    let response_date_utc = format_date(&response_date);
-            "id": uuid,
+
-            "publicKey": auth_request.public_key,
+    if data.request_approved {
-            "requestDeviceType": DeviceType::from_i32(auth_request.device_type).to_string(),
+        auth_request.approved = Some(data.request_approved);
-            "requestIpAddress": auth_request.request_ip,
+        auth_request.enc_key = Some(data.key);
-            "key": auth_request.enc_key,
+        auth_request.master_password_hash = data.master_password_hash;
-            "masterPasswordHash": auth_request.master_password_hash,
+        auth_request.response_device_id = Some(data.device_identifier.clone());
-            "creationDate": auth_request.creation_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true),
+        auth_request.response_date = Some(response_date);
-            "responseDate": response_date_utc,
+        auth_request.save(&mut conn).await?;
-            "requestApproved": auth_request.approved,
+
-            "origin": CONFIG.domain_origin(),
+        ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
-            "object":"auth-request"
+        nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, data.device_identifier, &mut conn).await;
-        }
+    } else {
-    )))
+        // If denied, there's no reason to keep the request
        auth_request.delete(&mut conn).await?;
    }
    Ok(Json(json!({
        "id": uuid,
        "publicKey": auth_request.public_key,
        "requestDeviceType": DeviceType::from_i32(auth_request.device_type).to_string(),
        "requestIpAddress": auth_request.request_ip,
        "key": auth_request.enc_key,
        "masterPasswordHash": auth_request.master_password_hash,
        "creationDate": format_date(&auth_request.creation_date),
        "responseDate": response_date_utc,
        "requestApproved": auth_request.approved,
        "origin": CONFIG.domain_origin(),
        "object":"auth-request"
    })))
 }
 #[get("/auth-requests/<uuid>/response?<code>")]
-async fn get_auth_request_response(uuid: &str, code: &str, mut conn: DbConn) -> JsonResult {
+async fn get_auth_request_response(
    uuid: &str,
    code: &str,
    client_headers: ClientHeaders,
    mut conn: DbConn,
 ) -> JsonResult {
    let auth_request = match AuthRequest::find_by_uuid(uuid, &mut conn).await {
        Some(auth_request) => auth_request,
-        None => {
+        None => err!("AuthRequest doesn't exist", "User not found"),
            err!("AuthRequest doesn't exist")
        }
    };
-    if !auth_request.check_access_code(code) {
+    if auth_request.device_type != client_headers.device_type
-        err!("Access code invalid doesn't exist")
+        || auth_request.request_ip != client_headers.ip.ip.to_string()
        || !auth_request.check_access_code(code)
    {
        err!("AuthRequest doesn't exist", "Invalid device, IP or code")
    }
-    let response_date_utc = auth_request
+    let response_date_utc = auth_request.response_date.map(|response_date| format_date(&response_date));
        .response_date
        .map(|response_date| response_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true));
-    Ok(Json(json!(
+    Ok(Json(json!({
-        {
+        "id": uuid,
-            "id": uuid,
+        "publicKey": auth_request.public_key,
-            "publicKey": auth_request.public_key,
+        "requestDeviceType": DeviceType::from_i32(auth_request.device_type).to_string(),
-            "requestDeviceType": DeviceType::from_i32(auth_request.device_type).to_string(),
+        "requestIpAddress": auth_request.request_ip,
-            "requestIpAddress": auth_request.request_ip,
+        "key": auth_request.enc_key,
-            "key": auth_request.enc_key,
+        "masterPasswordHash": auth_request.master_password_hash,
-            "masterPasswordHash": auth_request.master_password_hash,
+        "creationDate": format_date(&auth_request.creation_date),
-            "creationDate": auth_request.creation_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true),
+        "responseDate": response_date_utc,
-            "responseDate": response_date_utc,
+        "requestApproved": auth_request.approved,
-            "requestApproved": auth_request.approved,
+        "origin": CONFIG.domain_origin(),
-            "origin": CONFIG.domain_origin(),
+        "object":"auth-request"
-            "object":"auth-request"
+    })))
        }
    )))
 }
 #[get("/auth-requests")]
@@ -1261,7 +1335,7 @@ async fn get_auth_requests(headers: Headers, mut conn: DbConn) -> JsonResult {
            .iter()
            .filter(|request| request.approved.is_none())
            .map(|request| {
-            let response_date_utc = request.response_date.map(|response_date| response_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true));
+            let response_date_utc = request.response_date.map(|response_date| format_date(&response_date));
            json!({
                "id": request.uuid,
@@ -1270,7 +1344,7 @@ async fn get_auth_requests(headers: Headers, mut conn: DbConn) -> JsonResult {
                "requestIpAddress": request.request_ip,
                "key": request.enc_key,
                "masterPasswordHash": request.master_password_hash,
-                "creationDate": request.creation_date.and_utc().to_rfc3339_opts(SecondsFormat::Micros, true),
+                "creationDate": format_date(&request.creation_date),
                "responseDate": response_date_utc,
                "requestApproved": request.approved,
                "origin": CONFIG.domain_origin(),
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -10,6 +10,7 @@ use rocket::{
 };
 use serde_json::Value;
 use crate::auth::ClientVersion;
 use crate::util::NumberOrString;
 use crate::{
    api::{self, core::log_event, EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType},
@@ -104,11 +105,27 @@ struct SyncData {
 }
 #[get("/sync?<data..>")]
-async fn sync(data: SyncData, headers: Headers, mut conn: DbConn) -> Json<Value> {
+async fn sync(
    data: SyncData,
    headers: Headers,
    client_version: Option<ClientVersion>,
    mut conn: DbConn,
 ) -> Json<Value> {
    let user_json = headers.user.to_json(&mut conn).await;
    // Get all ciphers which are visible by the user
-    let ciphers = Cipher::find_by_user_visible(&headers.user.uuid, &mut conn).await;
+    let mut ciphers = Cipher::find_by_user_visible(&headers.user.uuid, &mut conn).await;
    // Filter out SSH keys if the client version is less than 2024.12.0
    let show_ssh_keys = if let Some(client_version) = client_version {
        let ver_match = semver::VersionReq::parse(">=2024.12.0").unwrap();
        ver_match.matches(&client_version.0)
    } else {
        false
    };
    if !show_ssh_keys {
        ciphers.retain(|c| c.atype != 5);
    }
    let cipher_sync_data = CipherSyncData::new(&headers.user.uuid, CipherSyncType::User, &mut conn).await;
@@ -150,7 +167,6 @@ async fn sync(data: SyncData, headers: Headers, mut conn: DbConn) -> Json<Value>
        "ciphers": ciphers_json,
        "domains": domains_json,
        "sends": sends_json,
        "unofficialServer": true,
        "object": "sync"
    }))
 }
@@ -206,7 +222,7 @@ pub struct CipherData {
    // Id is optional as it is included only in bulk share
    pub id: Option<String>,
    // Folder id is not included in import
-    folder_id: Option<String>,
+    pub folder_id: Option<String>,
    // TODO: Some of these might appear all the time, no need for Option
    #[serde(alias = "organizationID")]
    pub organization_id: Option<String>,
@@ -217,7 +233,8 @@ pub struct CipherData {
    Login = 1,
    SecureNote = 2,
    Card = 3,
-    Identity = 4
+    Identity = 4,
    SshKey = 5
    */
    pub r#type: i32,
    pub name: String,
@@ -229,6 +246,7 @@ pub struct CipherData {
    secure_note: Option<Value>,
    card: Option<Value>,
    identity: Option<Value>,
    ssh_key: Option<Value>,
    favorite: Option<bool>,
    reprompt: Option<i32>,
@@ -470,6 +488,7 @@ pub async fn update_cipher_from_data(
        2 => data.secure_note,
        3 => data.card,
        4 => data.identity,
        5 => data.ssh_key,
        _ => err!("Invalid type"),
    };
@@ -566,11 +585,11 @@ async fn post_ciphers_import(
    Cipher::validate_cipher_data(&data.ciphers)?;
    // Read and create the folders
-    let existing_folders: Vec<String> =
+    let existing_folders: HashSet<Option<String>> =
-        Folder::find_by_user(&headers.user.uuid, &mut conn).await.into_iter().map(|f| f.uuid).collect();
+        Folder::find_by_user(&headers.user.uuid, &mut conn).await.into_iter().map(|f| Some(f.uuid)).collect();
    let mut folders: Vec<String> = Vec::with_capacity(data.folders.len());
    for folder in data.folders.into_iter() {
-        let folder_uuid = if folder.id.is_some() && existing_folders.contains(folder.id.as_ref().unwrap()) {
+        let folder_uuid = if existing_folders.contains(&folder.id) {
            folder.id.unwrap()
        } else {
            let mut new_folder = Folder::new(headers.user.uuid.clone(), folder.name);
@@ -582,8 +601,8 @@ async fn post_ciphers_import(
    }
    // Read the relations between folders and ciphers
    // Ciphers can only be in one folder at the same time
    let mut relations_map = HashMap::with_capacity(data.folder_relationships.len());
    for relation in data.folder_relationships {
        relations_map.insert(relation.key, relation.value);
    }
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -135,12 +135,13 @@ async fn put_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbC
 }
 #[get("/hibp/breach?<username>")]
-async fn hibp_breach(username: &str) -> JsonResult {
+async fn hibp_breach(username: &str, _headers: Headers) -> JsonResult {
-    let url = format!(
+    let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
        "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
    );
    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
        let url = format!(
            "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
        );
        let res = make_http_request(Method::GET, &url)?.header("hibp-api-key", api_key).send().await?;
        // If we get a 404, return a 404, it means no breached accounts
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -9,9 +9,8 @@ use crate::{
        core::{log_event, two_factor, CipherSyncData, CipherSyncType},
        EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType,
    },
-    auth::{decode_invite, AdminHeaders, Headers, ManagerHeaders, ManagerHeadersLoose, OwnerHeaders},
+    auth::{decode_invite, AdminHeaders, ClientVersion, Headers, ManagerHeaders, ManagerHeadersLoose, OwnerHeaders},
    db::{models::*, DbConn},
    error::Error,
    mail,
    util::{convert_json_key_lcase_first, NumberOrString},
    CONFIG,
@@ -127,6 +126,7 @@ struct NewCollectionData {
    name: String,
    groups: Vec<NewCollectionObjectData>,
    users: Vec<NewCollectionObjectData>,
    id: Option<String>,
    external_id: Option<String>,
 }
@@ -363,6 +363,7 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
        json_object["users"] = json!(users);
        json_object["groups"] = json!(groups);
        json_object["object"] = json!("collectionAccessDetails");
        json_object["unmanaged"] = json!(false);
        data.push(json_object)
    }
@@ -872,20 +873,19 @@ async fn send_invite(org_id: &str, data: Json<InviteData>, headers: AdminHeaders
    }
    for email in data.emails.iter() {
        let email = email.to_lowercase();
        let mut user_org_status = UserOrgStatus::Invited as i32;
-        let user = match User::find_by_mail(&email, &mut conn).await {
+        let user = match User::find_by_mail(email, &mut conn).await {
            None => {
                if !CONFIG.invitations_allowed() {
                    err!(format!("User does not exist: {email}"))
                }
-                if !CONFIG.is_email_domain_allowed(&email) {
+                if !CONFIG.is_email_domain_allowed(email) {
                    err!("Email domain not eligible for invitations")
                }
                if !CONFIG.mail_enabled() {
-                    let invitation = Invitation::new(&email);
+                    let invitation = Invitation::new(email);
                    invitation.save(&mut conn).await?;
                }
@@ -1598,40 +1598,43 @@ async fn post_org_import(
    // TODO: See if we can optimize the whole cipher adding/importing and prevent duplicate code and checks.
    Cipher::validate_cipher_data(&data.ciphers)?;
-    let mut collections = Vec::new();
+    let existing_collections: HashSet<Option<String>> =
        Collection::find_by_organization(&org_id, &mut conn).await.into_iter().map(|c| (Some(c.uuid))).collect();
    let mut collections: Vec<String> = Vec::with_capacity(data.collections.len());
    for coll in data.collections {
-        let collection = Collection::new(org_id.clone(), coll.name, coll.external_id);
+        let collection_uuid = if existing_collections.contains(&coll.id) {
-        if collection.save(&mut conn).await.is_err() {
+            coll.id.unwrap()
            collections.push(Err(Error::new("Failed to create Collection", "Failed to create Collection")));
        } else {
-            collections.push(Ok(collection));
+            let new_collection = Collection::new(org_id.clone(), coll.name, coll.external_id);
-        }
+            new_collection.save(&mut conn).await?;
            new_collection.uuid
        };
        collections.push(collection_uuid);
    }
    // Read the relations between collections and ciphers
-    let mut relations = Vec::new();
+    // Ciphers can be in multiple collections at the same time
    let mut relations = Vec::with_capacity(data.collection_relationships.len());
    for relation in data.collection_relationships {
        relations.push((relation.key, relation.value));
    }
    let headers: Headers = headers.into();
-    let mut ciphers = Vec::new();
+    let mut ciphers: Vec<String> = Vec::with_capacity(data.ciphers.len());
-    for cipher_data in data.ciphers {
+    for mut cipher_data in data.ciphers {
        // Always clear folder_id's via an organization import
        cipher_data.folder_id = None;
        let mut cipher = Cipher::new(cipher_data.r#type, cipher_data.name.clone());
        update_cipher_from_data(&mut cipher, cipher_data, &headers, None, &mut conn, &nt, UpdateType::None).await.ok();
-        ciphers.push(cipher);
+        ciphers.push(cipher.uuid);
    }
    // Assign the collections
    for (cipher_index, coll_index) in relations {
-        let cipher_id = &ciphers[cipher_index].uuid;
+        let cipher_id = &ciphers[cipher_index];
-        let coll = &collections[coll_index];
+        let coll_id = &collections[coll_index];
        let coll_id = match coll {
            Ok(coll) => coll.uuid.as_str(),
            Err(_) => err!("Failed to assign to collection"),
        };
        CollectionCipher::save(cipher_id, coll_id, &mut conn).await?;
    }
@@ -2305,14 +2308,14 @@ async fn _restore_organization_user(
 }
 #[get("/organizations/<org_id>/groups")]
-async fn get_groups(org_id: &str, headers: ManagerHeadersLoose, mut conn: DbConn) -> JsonResult {
+async fn get_groups(org_id: &str, _headers: ManagerHeadersLoose, mut conn: DbConn) -> JsonResult {
    let groups: Vec<Value> = if CONFIG.org_groups_enabled() {
        // Group::find_by_organization(&org_id, &mut conn).await.iter().map(Group::to_json).collect::<Value>()
        let groups = Group::find_by_organization(org_id, &mut conn).await;
        let mut groups_json = Vec::with_capacity(groups.len());
        for g in groups {
-            groups_json.push(g.to_json_details(&headers.org_user.atype, &mut conn).await)
+            groups_json.push(g.to_json_details(&mut conn).await)
        }
        groups_json
    } else {
@@ -2500,7 +2503,7 @@ async fn add_update_group(
 }
 #[get("/organizations/<_org_id>/groups/<group_id>/details")]
-async fn get_group_details(_org_id: &str, group_id: &str, headers: AdminHeaders, mut conn: DbConn) -> JsonResult {
+async fn get_group_details(_org_id: &str, group_id: &str, _headers: AdminHeaders, mut conn: DbConn) -> JsonResult {
    if !CONFIG.org_groups_enabled() {
        err!("Group support is disabled");
    }
@@ -2510,7 +2513,7 @@ async fn get_group_details(_org_id: &str, group_id: &str, headers: AdminHeaders,
        _ => err!("Group could not be found!"),
    };
-    Ok(Json(group.to_json_details(&(headers.org_user_type as i32), &mut conn).await))
+    Ok(Json(group.to_json_details(&mut conn).await))
 }
 #[post("/organizations/<org_id>/groups/<group_id>/delete")]
@@ -2999,18 +3002,20 @@ async fn put_reset_password_enrollment(
 //       We need to convert all keys so they have the first character to be a lowercase.
 //       Else the export will be just an empty JSON file.
 #[get("/organizations/<org_id>/export")]
-async fn get_org_export(org_id: &str, headers: AdminHeaders, mut conn: DbConn) -> Json<Value> {
+async fn get_org_export(
-    use semver::{Version, VersionReq};
+    org_id: &str,
-
+    headers: AdminHeaders,
    client_version: Option<ClientVersion>,
    mut conn: DbConn,
 ) -> Json<Value> {
    // Since version v2023.1.0 the format of the export is different.
    // Also, this endpoint was created since v2022.9.0.
    // Therefore, we will check for any version smaller then v2023.1.0 and return a different response.
    // If we can't determine the version, we will use the latest default v2023.1.0 and higher.
    // https://github.com/bitwarden/server/blob/9ca93381ce416454734418c3a9f99ab49747f1b6/src/Api/Controllers/OrganizationExportController.cs#L44
-    let use_list_response_model = if let Some(client_version) = headers.client_version {
+    let use_list_response_model = if let Some(client_version) = client_version {
-        let ver_match = VersionReq::parse("<2023.1.0").unwrap();
+        let ver_match = semver::VersionReq::parse("<2023.1.0").unwrap();
-        let client_version = Version::parse(&client_version).unwrap();
+        ver_match.matches(&client_version.0)
        ver_match.matches(&client_version)
    } else {
        false
    };
--- a/src/api/core/two_factor/duo_oidc.rs
+++ b/src/api/core/two_factor/duo_oidc.rs
@@ -211,10 +211,7 @@ impl DuoClient {
            nonce,
        };
-        let token = match self.encode_duo_jwt(jwt_payload) {
+        let token = self.encode_duo_jwt(jwt_payload)?;
            Ok(token) => token,
            Err(e) => return Err(e),
        };
        let authz_endpoint = format!("https://{}/oauth/v1/authorize", self.api_host);
        let mut auth_url = match Url::parse(authz_endpoint.as_str()) {
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -120,16 +120,8 @@ async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
        "expires_in": expires_in,
        "token_type": "Bearer",
        "refresh_token": device.refresh_token,
        "Key": user.akey,
        "PrivateKey": user.private_key,
        "Kdf": user.client_kdf_type,
        "KdfIterations": user.client_kdf_iter,
        "KdfMemory": user.client_kdf_memory,
        "KdfParallelism": user.client_kdf_parallelism,
        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
        "scope": scope,
        "unofficialServer": true,
    });
    Ok(Json(result))
@@ -173,20 +165,22 @@ async fn _password_login(
    // Set the user_uuid here to be passed back used for event logging.
    *user_uuid = Some(user.uuid.clone());
-    // Check password
+    // Check if the user is disabled
-    let password = data.password.as_ref().unwrap();
+    if !user.enabled {
-    if let Some(auth_request_uuid) = data.auth_request.clone() {
+        err!(
-        if let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await {
+            "This user has been disabled",
-            if !auth_request.check_access_code(password) {
+            format!("IP: {}. Username: {}.", ip.ip, username),
-                err!(
+            ErrorEvent {
-                    "Username or access code is incorrect. Try again",
+                event: EventType::UserFailedLogIn
                    format!("IP: {}. Username: {}.", ip.ip, username),
                    ErrorEvent {
                        event: EventType::UserFailedLogIn,
                    }
                )
            }
-        } else {
+        )
    }
    let password = data.password.as_ref().unwrap();
    // If we get an auth request, we don't check the user's password, but the access code of the auth request
    if let Some(ref auth_request_uuid) = data.auth_request {
        let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await else {
            err!(
                "Auth request not found. Try again.",
                format!("IP: {}. Username: {}.", ip.ip, username),
@@ -194,6 +188,24 @@ async fn _password_login(
                    event: EventType::UserFailedLogIn,
                }
            )
        };
        let expiration_time = auth_request.creation_date + chrono::Duration::minutes(5);
        let request_expired = Utc::now().naive_utc() >= expiration_time;
        if auth_request.user_uuid != user.uuid
            || !auth_request.approved.unwrap_or(false)
            || request_expired
            || ip.ip.to_string() != auth_request.request_ip
            || !auth_request.check_access_code(password)
        {
            err!(
                "Username or access code is incorrect. Try again",
                format!("IP: {}. Username: {}.", ip.ip, username),
                ErrorEvent {
                    event: EventType::UserFailedLogIn,
                }
            )
        }
    } else if !user.check_valid_password(password) {
        err!(
@@ -205,8 +217,8 @@ async fn _password_login(
        )
    }
-    // Change the KDF Iterations
+    // Change the KDF Iterations (only when not logging in with an auth request)
-    if user.password_iterations != CONFIG.password_iterations() {
+    if data.auth_request.is_none() && user.password_iterations != CONFIG.password_iterations() {
        user.password_iterations = CONFIG.password_iterations();
        user.set_password(password, None, false, None);
@@ -215,17 +227,6 @@ async fn _password_login(
        }
    }
    // Check if the user is disabled
    if !user.enabled {
        err!(
            "This user has been disabled",
            format!("IP: {}. Username: {}.", ip.ip, username),
            ErrorEvent {
                event: EventType::UserFailedLogIn
            }
        )
    }
    let now = Utc::now().naive_utc();
    if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() {
@@ -342,7 +343,6 @@ async fn _password_login(
        "MasterPasswordPolicy": master_password_policy,
        "scope": scope,
        "unofficialServer": true,
        "UserDecryptionOptions": {
            "HasMasterPassword": !user.password_hash.is_empty(),
            "Object": "userDecryptionOptions"
@@ -461,9 +461,8 @@ async fn _user_api_key_login(
        "KdfIterations": user.client_kdf_iter,
        "KdfMemory": user.client_kdf_memory,
        "KdfParallelism": user.client_kdf_parallelism,
-        "ResetMasterPassword": false, // TODO: Same as above
+        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
        "scope": "api",
        "unofficialServer": true,
    });
    Ok(Json(result))
@@ -495,7 +494,6 @@ async fn _organization_api_key_login(data: ConnectData, conn: &mut DbConn, ip: &
        "expires_in": 3600,
        "token_type": "Bearer",
        "scope": "api.organization",
        "unofficialServer": true,
    })))
 }
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -1,13 +1,20 @@
 use once_cell::sync::Lazy;
 use std::path::{Path, PathBuf};
-use rocket::{fs::NamedFile, http::ContentType, response::content::RawHtml as Html, serde::json::Json, Catcher, Route};
+use rocket::{
    fs::NamedFile,
    http::ContentType,
    response::{content::RawCss as Css, content::RawHtml as Html, Redirect},
    serde::json::Json,
    Catcher, Route,
 };
 use serde_json::Value;
 use crate::{
    api::{core::now, ApiResult, EmptyResult},
    auth::decode_file_download,
    error::Error,
-    util::{Cached, SafeString},
+    util::{get_web_vault_version, Cached, SafeString},
    CONFIG,
 };
@@ -16,7 +23,7 @@ pub fn routes() -> Vec<Route> {
    // crate::utils::LOGGED_ROUTES to make sure they appear in the log
    let mut routes = routes![attachments, alive, alive_head, static_files];
    if CONFIG.web_vault_enabled() {
-        routes.append(&mut routes![web_index, web_index_head, app_id, web_files]);
+        routes.append(&mut routes![web_index, web_index_direct, web_index_head, app_id, web_files, vaultwarden_css]);
    }
    #[cfg(debug_assertions)]
@@ -45,11 +52,101 @@ fn not_found() -> ApiResult<Html<String>> {
    Ok(Html(text))
 }
 #[get("/css/vaultwarden.css")]
 fn vaultwarden_css() -> Cached<Css<String>> {
    // Configure the web-vault version as an integer so it can be used as a comparison smaller or greater then.
    // The default is based upon the version since this feature is added.
    static WEB_VAULT_VERSION: Lazy<u32> = Lazy::new(|| {
        let re = regex::Regex::new(r"(\d{4})\.(\d{1,2})\.(\d{1,2})").unwrap();
        let vault_version = get_web_vault_version();
        let (major, minor, patch) = match re.captures(&vault_version) {
            Some(c) if c.len() == 4 => (
                c.get(1).unwrap().as_str().parse().unwrap(),
                c.get(2).unwrap().as_str().parse().unwrap(),
                c.get(3).unwrap().as_str().parse().unwrap(),
            ),
            _ => (2024, 6, 2),
        };
        format!("{major}{minor:02}{patch:02}").parse::<u32>().unwrap()
    });
    // Configure the Vaultwarden version as an integer so it can be used as a comparison smaller or greater then.
    // The default is based upon the version since this feature is added.
    static VW_VERSION: Lazy<u32> = Lazy::new(|| {
        let re = regex::Regex::new(r"(\d{1})\.(\d{1,2})\.(\d{1,2})").unwrap();
        let vw_version = crate::VERSION.unwrap_or("1.32.1");
        let (major, minor, patch) = match re.captures(vw_version) {
            Some(c) if c.len() == 4 => (
                c.get(1).unwrap().as_str().parse().unwrap(),
                c.get(2).unwrap().as_str().parse().unwrap(),
                c.get(3).unwrap().as_str().parse().unwrap(),
            ),
            _ => (1, 32, 1),
        };
        format!("{major}{minor:02}{patch:02}").parse::<u32>().unwrap()
    });
    let css_options = json!({
        "web_vault_version": *WEB_VAULT_VERSION,
        "vw_version": *VW_VERSION,
        "signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
        "mail_enabled": CONFIG.mail_enabled(),
        "yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
        "emergency_access_allowed": CONFIG.emergency_access_allowed(),
        "sends_allowed": CONFIG.sends_allowed(),
        "load_user_scss": true,
    });
    let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {
        Ok(t) => t,
        Err(e) => {
            // Something went wrong loading the template. Use the fallback
            warn!("Loading scss/vaultwarden.scss.hbs or scss/user.vaultwarden.scss.hbs failed. {e}");
            CONFIG
                .render_fallback_template("scss/vaultwarden.scss", &css_options)
                .expect("Fallback scss/vaultwarden.scss.hbs to render")
        }
    };
    let css = match grass_compiler::from_string(
        scss,
        &grass_compiler::Options::default().style(grass_compiler::OutputStyle::Compressed),
    ) {
        Ok(css) => css,
        Err(e) => {
            // Something went wrong compiling the scss. Use the fallback
            warn!("Compiling the Vaultwarden SCSS styles failed. {e}");
            let mut css_options = css_options;
            css_options["load_user_scss"] = json!(false);
            let scss = CONFIG
                .render_fallback_template("scss/vaultwarden.scss", &css_options)
                .expect("Fallback scss/vaultwarden.scss.hbs to render");
            grass_compiler::from_string(
                scss,
                &grass_compiler::Options::default().style(grass_compiler::OutputStyle::Compressed),
            )
            .expect("SCSS to compile")
        }
    };
    // Cache for one day should be enough and not too much
    Cached::ttl(Css(css), 86_400, false)
 }
 #[get("/")]
 async fn web_index() -> Cached<Option<NamedFile>> {
    Cached::short(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join("index.html")).await.ok(), false)
 }
 // Make sure that `/index.html` redirect to actual domain path.
 // If not, this might cause issues with the web-vault
 #[get("/index.html")]
 fn web_index_direct() -> Redirect {
    Redirect::to(format!("{}/", CONFIG.domain_path()))
 }
 #[head("/")]
 fn web_index_head() -> EmptyResult {
    // Add an explicit HEAD route to prevent uptime monitoring services from
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -615,7 +615,6 @@ pub struct AdminHeaders {
    pub device: Device,
    pub user: User,
    pub org_user_type: UserOrgType,
    pub client_version: Option<String>,
    pub ip: ClientIp,
 }
@@ -625,14 +624,12 @@ impl<'r> FromRequest<'r> for AdminHeaders {
    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(OrgHeaders::from_request(request).await);
        let client_version = request.headers().get_one("Bitwarden-Client-Version").map(String::from);
        if headers.org_user_type >= UserOrgType::Admin {
            Outcome::Success(Self {
                host: headers.host,
                device: headers.device,
                user: headers.user,
                org_user_type: headers.org_user_type,
                client_version,
                ip: headers.ip,
            })
        } else {
@@ -900,3 +897,24 @@ impl<'r> FromRequest<'r> for WsAccessTokenHeader {
        })
    }
 }
 pub struct ClientVersion(pub semver::Version);
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for ClientVersion {
    type Error = &'static str;
    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = request.headers();
        let Some(version) = headers.get_one("Bitwarden-Client-Version") else {
            err_handler!("No Bitwarden-Client-Version header provided")
        };
        let Ok(version) = semver::Version::parse(version) else {
            err_handler!("Invalid Bitwarden-Client-Version header provided")
        };
        Outcome::Success(ClientVersion(version))
    }
 }
--- a/src/config.rs
+++ b/src/config.rs
@@ -497,11 +497,11 @@ make_config! {
        /// Password iterations |> Number of server-side passwords hashing iterations for the password hash.
        /// The default for new users. If changed, it will be updated during login for existing users.
        password_iterations:    i32,    true,   def,    600_000;
-        /// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users.
+        /// Allow password hints |> Controls whether users can set or show password hints. This setting applies globally to all users.
        password_hints_allowed: bool,   true,   def,    true;
-        /// Show password hint |> Controls whether a password hint should be shown directly in the web page
+        /// Show password hint (Know the risks!) |> Controls whether a password hint should be shown directly in the web page
-        /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this
+        /// if SMTP service is not configured and password hints are allowed. Not recommended for publicly-accessible instances
-        /// provides unauthenticated access to potentially sensitive data.
+        /// because this provides unauthenticated access to potentially sensitive data.
        show_password_hint:     bool,   true,   def,    false;
        /// Admin token/Argon2 PHC |> The plain text token or Argon2 PHC string used to authenticate in this very same page. Changing it here will not deauthorize the current session!
@@ -811,8 +811,15 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
    }
    // TODO: deal with deprecated flags so they can be removed from this list, cf. #4263
-    const KNOWN_FLAGS: &[&str] =
+    const KNOWN_FLAGS: &[&str] = &[
-        &["autofill-overlay", "autofill-v2", "browser-fileless-import", "fido2-vault-credentials"];
+        "autofill-overlay",
        "autofill-v2",
        "browser-fileless-import",
        "extension-refresh",
        "fido2-vault-credentials",
        "ssh-key-vault-item",
        "ssh-agent",
    ];
    let configured_flags = parse_experimental_client_feature_flags(&cfg.experimental_client_feature_flags);
    let invalid_flags: Vec<_> = configured_flags.keys().filter(|flag| !KNOWN_FLAGS.contains(&flag.as_str())).collect();
    if !invalid_flags.is_empty() {
@@ -1269,11 +1276,16 @@ impl Config {
            let hb = load_templates(CONFIG.templates_folder());
            hb.render(name, data).map_err(Into::into)
        } else {
-            let hb = &CONFIG.inner.read().unwrap().templates;
+            let hb = &self.inner.read().unwrap().templates;
            hb.render(name, data).map_err(Into::into)
        }
    }
    pub fn render_fallback_template<T: serde::ser::Serialize>(&self, name: &str, data: &T) -> Result<String, Error> {
        let hb = &self.inner.read().unwrap().templates;
        hb.render(&format!("fallback_{name}"), data).map_err(Into::into)
    }
    pub fn set_rocket_shutdown_handle(&self, handle: rocket::Shutdown) {
        self.inner.write().unwrap().rocket_shutdown_handle = Some(handle);
    }
@@ -1312,6 +1324,11 @@ where
            reg!($name);
            reg!(concat!($name, $ext));
        }};
        (@withfallback $name:expr) => {{
            let template = include_str!(concat!("static/templates/", $name, ".hbs"));
            hb.register_template_string($name, template).unwrap();
            hb.register_template_string(concat!("fallback_", $name), template).unwrap();
        }};
    }
    // First register default templates here
@@ -1355,6 +1372,9 @@ where
    reg!("404");
    reg!(@withfallback "scss/vaultwarden.scss");
    reg!("scss/user.vaultwarden.scss");
    // And then load user templates to overwrite the defaults
    // Use .hbs extension for the files
    // Templates get registered with their relative name
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -1,6 +1,6 @@
 use crate::util::LowerCase;
 use crate::CONFIG;
-use chrono::{DateTime, NaiveDateTime, TimeDelta, Utc};
+use chrono::{NaiveDateTime, TimeDelta, Utc};
 use serde_json::Value;
 use super::{
@@ -30,7 +30,8 @@ db_object! {
        Login = 1,
        SecureNote = 2,
        Card = 3,
-        Identity = 4
+        Identity = 4,
        SshKey = 5
        */
        pub atype: i32,
        pub name: String,
@@ -176,7 +177,27 @@ impl Cipher {
                    .inspect_err(|e| warn!("Error parsing fields {e:?} for {}", self.uuid))
                    .ok()
            })
-            .map(|d| d.into_iter().map(|d| d.data).collect())
+            .map(|d| {
                d.into_iter()
                    .map(|mut f| {
                        // Check if the `type` key is a number, strings break some clients
                        // The fallback type is the hidden type `1`. this should prevent accidental data disclosure
                        // If not try to convert the string value to a number and fallback to `1`
                        // If it is both not a number and not a string, fallback to `1`
                        match f.data.get("type") {
                            Some(t) if t.is_number() => {}
                            Some(t) if t.is_string() => {
                                let type_num = &t.as_str().unwrap_or("1").parse::<u8>().unwrap_or(1);
                                f.data["type"] = json!(type_num);
                            }
                            _ => {
                                f.data["type"] = json!(1);
                            }
                        }
                        f.data
                    })
                    .collect()
            })
            .unwrap_or_default();
        let password_history_json: Vec<_> = self
@@ -196,11 +217,13 @@ impl Cipher {
                        Some(p) if p.is_string() => Some(d.data),
                        _ => None,
                    })
-                    .map(|d| match d.get("lastUsedDate").and_then(|l| l.as_str()) {
+                    .map(|mut d| match d.get("lastUsedDate").and_then(|l| l.as_str()) {
-                        Some(l) if DateTime::parse_from_rfc3339(l).is_ok() => d,
+                        Some(l) => {
                            d["lastUsedDate"] = json!(crate::util::validate_and_format_date(l));
                            d
                        }
                        _ => {
-                            let mut d = d;
+                            d["lastUsedDate"] = json!("1970-01-01T00:00:00.000000Z");
                            d["lastUsedDate"] = json!("1970-01-01T00:00:00.000Z");
                            d
                        }
                    })
@@ -244,7 +267,7 @@ impl Cipher {
        // NOTE: This was marked as *Backwards Compatibility Code*, but as of January 2021 this is still being used by upstream
        // data_json should always contain the following keys with every atype
-        data_json["fields"] = Value::Array(fields_json.clone());
+        data_json["fields"] = json!(fields_json);
        data_json["name"] = json!(self.name);
        data_json["notes"] = json!(self.notes);
        data_json["passwordHistory"] = Value::Array(password_history_json.clone());
@@ -297,6 +320,7 @@ impl Cipher {
            "secureNote": null,
            "card": null,
            "identity": null,
            "sshKey": null,
        });
        // These values are only needed for user/default syncs
@@ -325,6 +349,7 @@ impl Cipher {
            2 => "secureNote",
            3 => "card",
            4 => "identity",
            5 => "sshKey",
            _ => panic!("Wrong type"),
        };
--- a/src/db/models/collection.rs
+++ b/src/db/models/collection.rs
@@ -81,8 +81,8 @@ impl Collection {
        let (read_only, hide_passwords, can_manage) = if let Some(cipher_sync_data) = cipher_sync_data {
            match cipher_sync_data.user_organizations.get(&self.org_uuid) {
                // Only for Manager types Bitwarden returns true for the can_manage option
-                // Owners and Admins always have false, but they can manage all collections anyway
+                // Owners and Admins always have true
-                Some(uo) if uo.has_full_access() => (false, false, uo.atype == UserOrgType::Manager),
+                Some(uo) if uo.has_full_access() => (false, false, uo.atype >= UserOrgType::Manager),
                Some(uo) => {
                    // Only let a manager manage collections when the have full read/write access
                    let is_manager = uo.atype == UserOrgType::Manager;
@@ -98,7 +98,7 @@ impl Collection {
            }
        } else {
            match UserOrganization::find_confirmed_by_user_and_org(user_uuid, &self.org_uuid, conn).await {
-                Some(ou) if ou.has_full_access() => (false, false, ou.atype == UserOrgType::Manager),
+                Some(ou) if ou.has_full_access() => (false, false, ou.atype >= UserOrgType::Manager),
                Some(ou) => {
                    let is_manager = ou.atype == UserOrgType::Manager;
                    let read_only = !self.is_writable_by_user(user_uuid, conn).await;
--- a/src/db/models/group.rs
+++ b/src/db/models/group.rs
@@ -1,4 +1,4 @@
-use super::{User, UserOrgType, UserOrganization};
+use super::{User, UserOrganization};
 use crate::api::EmptyResult;
 use crate::db::DbConn;
 use crate::error::MapResult;
@@ -73,7 +73,7 @@ impl Group {
        })
    }
-    pub async fn to_json_details(&self, user_org_type: &i32, conn: &mut DbConn) -> Value {
+    pub async fn to_json_details(&self, conn: &mut DbConn) -> Value {
        let collections_groups: Vec<Value> = CollectionGroup::find_by_group(&self.uuid, conn)
            .await
            .iter()
@@ -82,7 +82,7 @@ impl Group {
                    "id": entry.collections_uuid,
                    "readOnly": entry.read_only,
                    "hidePasswords": entry.hide_passwords,
-                    "manage": *user_org_type == UserOrgType::Manager && !entry.read_only && !entry.hide_passwords
+                    "manage": false
                })
            })
            .collect();
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -161,7 +161,6 @@ impl Organization {
            "identifier": null, // not supported by us
            "name": self.name,
            "seats": null,
            "maxAutoscaleSeats": null,
            "maxCollections": null,
            "maxStorageGb": i16::MAX, // The value doesn't matter, we don't check server-side
            "use2fa": true,
@@ -233,6 +232,14 @@ impl UserOrganization {
        false
    }
    /// Return the status of the user in an unrevoked state
    pub fn get_unrevoked_status(&self) -> i32 {
        if self.status <= UserOrgStatus::Revoked as i32 {
            return self.status + ACTIVATE_REVOKE_DIFF;
        }
        self.status
    }
    pub fn set_external_id(&mut self, external_id: Option<String>) -> bool {
        //Check if external id is empty. We don't want to have
        //empty strings in the database
@@ -374,7 +381,6 @@ impl UserOrganization {
            "identifier": null, // Not supported
            "name": org.name,
            "seats": null,
            "maxAutoscaleSeats": null,
            "maxCollections": null,
            "usersGetPremium": true,
            "use2fa": true,
@@ -411,7 +417,7 @@ impl UserOrganization {
            "familySponsorshipValidUntil": null,
            "familySponsorshipToDelete": null,
            "accessSecretsManager": false,
-            "limitCollectionCreationDeletion": true,
+            "limitCollectionCreationDeletion": false, // This should be set to true only when we can handle roles like createNewCollections
            "allowAdminAccessToAllCollectionItems": true,
            "flexibleCollections": false,
@@ -477,7 +483,7 @@ impl UserOrganization {
                .into_iter()
                .filter_map(|c| {
                    let (read_only, hide_passwords, can_manage) = if self.has_full_access() {
-                        (false, false, self.atype == UserOrgType::Manager)
+                        (false, false, self.atype >= UserOrgType::Manager)
                    } else if let Some(cu) = cu.get(&c.uuid) {
                        (
                            cu.read_only,
@@ -526,7 +532,7 @@ impl UserOrganization {
        json!({
            "id": self.uuid,
            "userId": self.user_uuid,
-            "name": user.name,
+            "name": if self.get_unrevoked_status() >= UserOrgStatus::Accepted as i32 { Some(user.name) } else { None },
            "email": user.email,
            "externalId": self.external_id,
            "avatarColor": user.avatar_color,
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -1,3 +1,4 @@
 use crate::util::{format_date, get_uuid, retry};
 use chrono::{NaiveDateTime, TimeDelta, Utc};
 use serde_json::Value;
@@ -90,7 +91,7 @@ impl User {
        let email = email.to_lowercase();
        Self {
-            uuid: crate::util::get_uuid(),
+            uuid: get_uuid(),
            enabled: true,
            created_at: now,
            updated_at: now,
@@ -107,7 +108,7 @@ impl User {
            salt: crypto::get_random_bytes::<64>().to_vec(),
            password_iterations: CONFIG.password_iterations(),
-            security_stamp: crate::util::get_uuid(),
+            security_stamp: get_uuid(),
            stamp_exception: None,
            password_hint: None,
@@ -188,7 +189,7 @@ impl User {
    }
    pub fn reset_security_stamp(&mut self) {
-        self.security_stamp = crate::util::get_uuid();
+        self.security_stamp = get_uuid();
    }
    /// Set the stamp_exception to only allow a subsequent request matching a specific route using the current security-stamp.
@@ -259,6 +260,7 @@ impl User {
            "forcePasswordReset": false,
            "avatarColor": self.avatar_color,
            "usesKeyConnector": false,
            "creationDate": format_date(&self.created_at),
            "object": "profile",
        })
    }
@@ -340,7 +342,7 @@ impl User {
        let updated_at = Utc::now().naive_utc();
        db_run! {conn: {
-            crate::util::retry(|| {
+            retry(|| {
                diesel::update(users::table)
                    .set(users::updated_at.eq(updated_at))
                    .execute(conn)
@@ -357,7 +359,7 @@ impl User {
    async fn _update_revision(uuid: &str, date: &NaiveDateTime, conn: &mut DbConn) -> EmptyResult {
        db_run! {conn: {
-            crate::util::retry(|| {
+            retry(|| {
                diesel::update(users::table.filter(users::uuid.eq(uuid)))
                    .set(users::updated_at.eq(date))
                    .execute(conn)
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -96,7 +96,31 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
    smtp_client.build()
 }
 // This will sanitize the string values by stripping all the html tags to prevent XSS and HTML Injections
 fn sanitize_data(data: &mut serde_json::Value) {
    use regex::Regex;
    use std::sync::LazyLock;
    static RE: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"<[^>]+>").unwrap());
    match data {
        serde_json::Value::String(s) => *s = RE.replace_all(s, "").to_string(),
        serde_json::Value::Object(obj) => {
            for d in obj.values_mut() {
                sanitize_data(d);
            }
        }
        serde_json::Value::Array(arr) => {
            for d in arr.iter_mut() {
                sanitize_data(d);
            }
        }
        _ => {}
    }
 }
 fn get_text(template_name: &'static str, data: serde_json::Value) -> Result<(String, String, String), Error> {
    let mut data = data;
    sanitize_data(&mut data);
    let (subject_html, body_html) = get_template(&format!("{template_name}.html"), &data)?;
    let (_subject_text, body_text) = get_template(template_name, &data)?;
    Ok((subject_html, body_html, body_text))
@@ -116,6 +140,10 @@ fn get_template(template_name: &str, data: &serde_json::Value) -> Result<(String
        None => err!("Template doesn't contain body"),
    };
    if text_split.next().is_some() {
        err!("Template contains more than one body");
    }
    Ok((subject, body))
 }
@@ -259,16 +287,15 @@ pub async fn send_invite(
    }
    let query_string = match query.query() {
-        None => err!(format!("Failed to build invite URL query parameters")),
+        None => err!("Failed to build invite URL query parameters"),
        Some(query) => query,
    };
    // `url.Url` would place the anchor `#` after the query parameters
    let url = format!("{}/#/accept-organization/?{}", CONFIG.domain(), query_string);
    let (subject, body_html, body_text) = get_text(
        "email/send_org_invite",
        json!({
-            "url": url,
+            // `url.Url` would place the anchor `#` after the query parameters
            "url": format!("{}/#/accept-organization/?{}", CONFIG.domain(), query_string),
            "img_src": CONFIG._smtp_img_src(),
            "org_name": org_name,
        }),
@@ -292,17 +319,29 @@ pub async fn send_emergency_access_invite(
        String::from(grantor_email),
    );
-    let invite_token = encode_jwt(&claims);
+    // Build the query here to ensure proper escaping
    let mut query = url::Url::parse("https://query.builder").unwrap();
    {
        let mut query_params = query.query_pairs_mut();
        query_params
            .append_pair("id", emer_id)
            .append_pair("name", grantor_name)
            .append_pair("email", address)
            .append_pair("token", &encode_jwt(&claims));
    }
    let query_string = match query.query() {
        None => err!("Failed to build emergency invite URL query parameters"),
        Some(query) => query,
    };
    let (subject, body_html, body_text) = get_text(
        "email/send_emergency_access_invite",
        json!({
-            "url": CONFIG.domain(),
+            // `url.Url` would place the anchor `#` after the query parameters
            "url": format!("{}/#/accept-emergency/?{query_string}", CONFIG.domain()),
            "img_src": CONFIG._smtp_img_src(),
            "emer_id": emer_id,
            "email": percent_encode(address.as_bytes(), NON_ALPHANUMERIC).to_string(),
            "grantor_name": grantor_name,
            "token": invite_token,
        }),
    )?;
--- a/src/main.rs
+++ b/src/main.rs
@@ -516,10 +516,10 @@ async fn container_data_folder_is_persistent(data_folder: &str) -> bool {
            format!(" /{data_folder} ")
        };
        let mut lines = BufReader::new(mountinfo).lines();
        let re = regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap();
        while let Some(line) = lines.next_line().await.unwrap_or_default() {
            // Only execute a regex check if we find the base match
            if line.contains(&data_folder_match) {
                let re = regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap();
                if re.is_match(&line) {
                    return false;
                }
--- a/src/static/templates/email/send_emergency_access_invite.hbs
+++ b/src/static/templates/email/send_emergency_access_invite.hbs
@@ -2,7 +2,7 @@ Emergency access for {{{grantor_name}}}
 <!---------------->
 You have been invited to become an emergency contact for {{grantor_name}}. To accept this invite, click the following link:
-Click here to join: {{url}}/#/accept-emergency/?id={{emer_id}}&name={{grantor_name}}&email={{email}}&token={{token}}
+Click here to join: {{{url}}}
 If you do not wish to become an emergency contact for {{grantor_name}}, you can safely ignore this email.
 {{> email/email_footer_text }}
--- a/src/static/templates/email/send_emergency_access_invite.html.hbs
+++ b/src/static/templates/email/send_emergency_access_invite.html.hbs
@@ -9,7 +9,7 @@ Emergency access for {{{grantor_name}}}
    </tr>
    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
       <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-          <a href="{{url}}/#/accept-emergency/?id={{emer_id}}&name={{grantor_name}}&email={{email}}&token={{token}}"
+          <a href="{{{url}}}"
             clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
          Become emergency contact
          </a>
@@ -21,4 +21,4 @@ Emergency access for {{{grantor_name}}}
       </td>
    </tr>
 </table>
-{{> email/email_footer }}
+{{> email/email_footer }}
--- a/src/static/templates/email/send_org_invite.hbs
+++ b/src/static/templates/email/send_org_invite.hbs
@@ -3,7 +3,7 @@ Join {{{org_name}}}
 You have been invited to join the *{{org_name}}* organization.
-Click here to join: {{url}}
+Click here to join: {{{url}}}
 If you do not wish to join this organization, you can safely ignore this email.
--- a/src/static/templates/email/send_org_invite.html.hbs
+++ b/src/static/templates/email/send_org_invite.html.hbs
@@ -9,7 +9,7 @@ Join {{{org_name}}}
   </tr>
   <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
      <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-         <a href="{{url}}"
+         <a href="{{{url}}}"
            clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #3c8dbc; border-color: #3c8dbc; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
         Join Organization Now
         </a>
--- a/src/static/templates/scss/user.vaultwarden.scss.hbs
+++ b/src/static/templates/scss/user.vaultwarden.scss.hbs
@@ -0,0 +1 @@
 /* See the wiki for examples and details: https://github.com/dani-garcia/vaultwarden/wiki/Customize-Vaultwarden-CSS */
--- a/src/static/templates/scss/vaultwarden.scss.hbs
+++ b/src/static/templates/scss/vaultwarden.scss.hbs
@@ -0,0 +1,105 @@
 /**** START Static Vaultwarden changes ****/
 /* This combines all selectors extending it into one */
 %vw-hide {
  display: none !important;
 }
 /* This allows searching for the combined style in the browsers dev-tools (look into the head tag) */
 .vw-hide,
 head {
  @extend %vw-hide;
 }
 /* Hide the Subscription Page tab */
 bit-nav-item[route="settings/subscription"] {
  @extend %vw-hide;
 }
 /* Hide any link pointing to Free Bitwarden Families */
 a[href$="/settings/sponsored-families"] {
  @extend %vw-hide;
 }
 /* Hide the `Enterprise Single Sign-On` button on the login page */
 a[routerlink="/sso"] {
  @extend %vw-hide;
 }
 /* Hide Two-Factor menu in Organization settings */
 bit-nav-item[route="settings/two-factor"],
 a[href$="/settings/two-factor"] {
  @extend %vw-hide;
 }
 /* Hide Business Owned checkbox */
 app-org-info > form:nth-child(1) > div:nth-child(3) {
  @extend %vw-hide;
 }
 /* Hide the `This account is owned by a business` checkbox and label */
 #ownedBusiness,
 label[for^="ownedBusiness"] {
  @extend %vw-hide;
 }
 /* Hide the radio button and label for the `Custom` org user type */
 #userTypeCustom,
 label[for^="userTypeCustom"] {
  @extend %vw-hide;
 }
 /* Hide Business Name */
 app-org-account form div bit-form-field.tw-block:nth-child(3) {
  @extend %vw-hide;
 }
 /* Hide organization plans */
 app-organization-plans > form > bit-section:nth-child(2) {
  @extend %vw-hide;
 }
 /* Hide Device Verification form at the Two Step Login screen */
 app-security > app-two-factor-setup > form {
  @extend %vw-hide;
 }
 /**** END Static Vaultwarden Changes ****/
 /**** START Dynamic Vaultwarden Changes ****/
 {{#if signup_disabled}}
 /* Hide the register link on the login screen */
 app-frontend-layout > app-login > form > div > div > div > p {
  @extend %vw-hide;
 }
 {{/if}}
 /* Hide `Email` 2FA if mail is not enabled */
 {{#unless mail_enabled}}
 app-two-factor-setup ul.list-group.list-group-2fa li.list-group-item:nth-child(5) {
  @extend %vw-hide;
 }
 {{/unless}}
 /* Hide `YubiKey OTP security key` 2FA if it is not enabled */
 {{#unless yubico_enabled}}
 app-two-factor-setup ul.list-group.list-group-2fa li.list-group-item:nth-child(2) {
  @extend %vw-hide;
 }
 {{/unless}}
 /* Hide Emergency Access if not allowed */
 {{#unless emergency_access_allowed}}
 bit-nav-item[route="settings/emergency-access"] {
  @extend %vw-hide;
 }
 {{/unless}}
 /* Hide Sends if not allowed */
 {{#unless sends_allowed}}
 bit-nav-item[route="sends"] {
  @extend %vw-hide;
 }
 {{/unless}}
 /**** End Dynamic Vaultwarden Changes ****/
 /**** Include a special user stylesheet for custom changes ****/
 {{#if load_user_scss}}
 {{> scss/user.vaultwarden.scss }}
 {{/if}}
--- a/src/util.rs
+++ b/src/util.rs
@@ -438,13 +438,19 @@ pub fn get_env_bool(key: &str) -> Option<bool> {
 use chrono::{DateTime, Local, NaiveDateTime, TimeZone};
 // Format used by Bitwarden API
 const DATETIME_FORMAT: &str = "%Y-%m-%dT%H:%M:%S%.6fZ";
 /// Formats a UTC-offset `NaiveDateTime` in the format used by Bitwarden API
 /// responses with "date" fields (`CreationDate`, `RevisionDate`, etc.).
 pub fn format_date(dt: &NaiveDateTime) -> String {
-    dt.format(DATETIME_FORMAT).to_string()
+    dt.and_utc().to_rfc3339_opts(chrono::SecondsFormat::Micros, true)
 }
 /// Validates and formats a RFC3339 timestamp
 /// If parsing fails it will return the start of the unix datetime
 pub fn validate_and_format_date(dt: &str) -> String {
    match DateTime::parse_from_rfc3339(dt) {
        Ok(dt) => dt.to_rfc3339_opts(chrono::SecondsFormat::Micros, true),
        _ => String::from("1970-01-01T00:00:00.000000Z"),
    }
 }
 /// Formats a `DateTime<Local>` using the specified format string.
@@ -486,7 +492,7 @@ pub fn format_datetime_http(dt: &DateTime<Local>) -> String {
 }
 pub fn parse_date(date: &str) -> NaiveDateTime {
-    NaiveDateTime::parse_from_str(date, DATETIME_FORMAT).unwrap()
+    DateTime::parse_from_rfc3339(date).unwrap().naive_utc()
 }
 //
Author	SHA1	Message	Date
Mathijs van Veluw	cdfdc6ff4f	Fix Org Import duplicate collections (#5200 ) This fixes an issue with collections be duplicated same as was an issue with folders. Also made some optimizations by using HashSet where possible and device the Vec/Hash capacity. And instead of passing objects only use the UUID which was the only value we needed. Also found an issue with importing a personal export via the Org import where folders are used. Since Org's do not use folder we needed to clear those out, same as Bitwarden does. Fixes #5193 Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-17 21:33:23 +01:00
Daniel García	2393c3f3c0	Support SSH keys on desktop 2024.12 (#5187 ) * Support SSH keys on desktop 2024.12 * Document flags in .env.template * Validate key rotation contents	2024-11-15 18:38:16 +01:00
Daniel García	0d16b38a68	Some more authrequest changes (#5188 )	2024-11-15 11:25:51 +01:00
Stefan Melmuk	ff33534c07	don't infer manage permission for groups (#5190 ) the web-vault v2024.6.2 currently cannot deal with manage permission so instead of relying on the org user type this should just default to false	2024-11-13 19:19:19 +01:00
Stefan Melmuk	adb21d5c1a	fix password hint check (#5189 ) * fix password hint check don't show password hints if you have disabled the hints with PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and opted into showing password hints * update descriptions for pw hints options	2024-11-12 21:22:25 +01:00
Mathijs van Veluw	e927b8aa5e	Remove auth-request deletion (#5184 ) 2FA is needed to login even when using login-with-device. If the user didn't saved the 2FA token they still need to provide this. We deleted the auth-request after validation the request, but before 2FA was triggered. Removing the deletion of this record from that point as it will get cleaned-up automatically anyways. Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-12 15:48:39 +01:00
Mathijs van Veluw	ba48ca68fc	fix hibp username encoding and pw hint check (#5180 ) * fix hibp username encoding Signed-off-by: BlackDex <black.dex@gmail.com> * Fix password-hint check Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-12 11:09:28 +01:00
Mathijs van Veluw	294b429436	Add dynamic CSS support (#4940 ) * Add dynamic CSS support Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes. For example, we could hide the register link if signups are not allowed. In the future show or hide the SSO button depending on if it is enabled or not. There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes. This will prevent future changes from not being applied and still have the custom user changes to be added. Also added a special redirect when someone goes directly to `/index.html` as that might cause issues with loading other scripts and files. Signed-off-by: BlackDex <black.dex@gmail.com> * Add versions and fallback to built-in - Add both Vaultwarden and web-vault versions to the css_options. - Fallback to the inner templates if rendering or compiling the scss fails. This ensures the basics are always working even if someone breaks the templates. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix fallback code to actually work The fallback now works by using an alternative `reg!` macro. This adds an extra template register which prefixes the template with `fallback_`. Signed-off-by: BlackDex <black.dex@gmail.com> * Updated the wiki link in the user template --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-11 20:14:04 +01:00
Daniel García	37c14c3c69	More authrequest fixes (#5176 )	2024-11-11 20:13:02 +01:00
Mathijs van Veluw	d0581da638	Fix if logic error (#5171 ) Fixing a logical error in an if statement where we used `&&` which should have been `\|\|`. Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-11 11:50:33 +01:00
Daniel García	38aad4f7be	Limit HIBP to authed users	2024-11-10 23:59:06 +01:00
BlackDex	20d9e885bf	Update crates and fix several issues Signed-off-by: BlackDex <black.dex@gmail.com>	2024-11-10 23:56:19 +01:00
Mathijs van Veluw	2f20ad86f9	Update README (#5153 ) Updating the Readme to be more modern and more clear. Added and moved several shields/badges and changed some default colors to have a better contrast. Added a Disclaimer section. Closes #4901 Closes #4930 Closes #4931 Closes #5024 Co-authored-by: ipitio <21136719+ipitio@users.noreply.github.com> Co-authored-by: Robert Schütz <github@dotlambda.de> Co-authored-by: Yonas Yanfa <yonas.y@gmail.com> Co-authored-by: KUSUMA RUSHIKESH <141169227+rushi-k12@users.noreply.github.com>	2024-11-02 22:20:10 +01:00
Mathijs van Veluw	33bae5fbe9	Update crates and fix Mail issue (#5125 ) - Updated all the crates Including in this update is an update from lettre, which solves an issue with some specific SMTP mail providers.	2024-10-24 19:13:20 +02:00
Daniel	f60502a17e	Add documentation for the `extension-refresh` feature flag (#5112 )	2024-10-21 00:05:11 +02:00
Mathijs van Veluw	13f4b66e62	Hide user name on invite status (#5110 ) A possible user disclosure when you invite an user into an organization which already has an account on the same instance. This was because we always returned the user's name. To prevent this, this PR only returns the user's name if the status is accepted or higher, else we will return null. This is the same as Bitwarden does. Resolves a reported issue. Also resolved a new `nightly` reported clippy regarding a regex within a loop.	2024-10-19 18:22:21 +02:00
Daniel	c967d0ddc1	Add `extension-refresh` feature flag (#5106 ) - in case people want to try out the new extension design	2024-10-19 18:21:00 +02:00
Mathijs van Veluw	ae6ed0ece8	Fix collection management and match some json output (#5095 ) - Fixed collection management to be usable from the Password Manager UI - Checked and brought in-to-sync with upstream several json responses - Fixed a small issue with the `fields` response when it was empty Signed-off-by: BlackDex <black.dex@gmail.com>	2024-10-18 20:37:32 +02:00
Daniel	b7c254eb30	Update Rust to 1.82.0 (#5099 ) - raise MSRV to 1.80.0 - also update the crates	2024-10-18 20:34:31 +02:00
Mathijs van Veluw	a47b484172	Fix org invite url being html encoded (#5100 ) Ever since we changed to pass the full url as a template value handlebars now html-encodes this. This causes issues with the plain/text mails, but it also could potentially cause issues with the text/html templates. This PR encloses the template values inside triple braces `{{{ }}}` which prevents html-encoding. Since the URL is generated via the `url` crate the values are percent-encoded anyway. Fixes #5097 Signed-off-by: BlackDex <black.dex@gmail.com>	2024-10-18 20:34:11 +02:00
Mathijs van Veluw	65629a99f0	Fix field type to actually be hidden (#5082 ) In an oversight i forgot to set the type to a hidden type if converting the int was not possible. This fixes that. Signed-off-by: BlackDex <black.dex@gmail.com>	2024-10-13 20:32:15 +02:00
Mathijs van Veluw	49c5dec9b6	Fix iOS sync by converting field types to int (#5081 ) It seems the iOS clients are not able to handle the `type` key within the `fields` array when they are of the type string. All other clients seem to handle this just fine though. This PR fixes this by validating it is a number, if this is not the case, try to convert the string to a number, or return the default of `1`. `1` is used as this is the type `hidden` and should prevent accidental data disclosure. Fixes #5069 Possibly Fixes #5016 Possibly Fixes #5002 Signed-off-by: BlackDex <black.dex@gmail.com>	2024-10-13 20:25:09 +02:00
		`@@ -0,0 +1 @@`
							`/* See the wiki for examples and details: https://github.com/dani-garcia/vaultwarden/wiki/Customize-Vaultwarden-CSS */`