Merge pull request #1108 from rfwatson/add-db-connections-setting

Add DATABASE_MAX_CONNS config setting

.dockerignore

@@ -3,16 +3,23 @@ target
 
 # Data folder
 data
+.env
 
 # IDE files
 .vscode
 .idea
 *.iml
 
-# Git files
-.git
-.gitignore
-
 # Documentation
+.github
 *.md
+*.txt
+*.yml
+*.yaml
 
+# Docker folders
+hooks
+tools
+
+# Web vault
+web-vault

.env

@@ -1,56 +0,0 @@
-## Bitwarden_RS Configuration File
-## Uncomment any of the following lines to change the defaults
-
-## Main data folder
-# DATA_FOLDER=data
-
-## Individual folders, these override %DATA_FOLDER%
-# DATABASE_URL=data/db.sqlite3
-# RSA_KEY_FILENAME=data/rsa_key
-# ICON_CACHE_FOLDER=data/icon_cache
-# ATTACHMENTS_FOLDER=data/attachments
-
-## Web vault settings
-# WEB_VAULT_FOLDER=web-vault/
-# WEB_VAULT_ENABLED=true
-
-## Controls the WebSocket server address and port
-# WEBSOCKET_ADDRESS=0.0.0.0
-# WEBSOCKET_PORT=3012
-
-## Controls if new users can register
-# SIGNUPS_ALLOWED=true
-
-## Use a local favicon extractor
-## Set to false to use bitwarden's official icon servers
-## Set to true to use the local version, which is not as smart,
-##   but it doesn't send the cipher domains to bitwarden's servers
-# LOCAL_ICON_EXTRACTOR=false
-
-## Controls the PBBKDF password iterations to apply on the server
-## The change only applies when the password is changed
-# PASSWORD_ITERATIONS=100000
-
-## Whether password hint should be sent into the error response when the client request it
-# SHOW_PASSWORD_HINT=true
-
-## Domain settings
-## The domain must match the address from where you access the server
-## Unless you are using U2F, or having problems with attachments not downloading, there is no need to change this
-## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
-# DOMAIN=https://bw.domain.tld:8443
-
-## Rocket specific settings, check Rocket documentation to learn more
-# ROCKET_ENV=staging
-# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
-# ROCKET_PORT=8000
-# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
-
-## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
-## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
-# SMTP_HOST=smtp.domain.tld
-# SMTP_FROM=bitwarden-rs@domain.tld
-# SMTP_PORT=587
-# SMTP_SSL=true
-# SMTP_USERNAME=username
-# SMTP_PASSWORD=password

.env.template

@@ -0,0 +1,270 @@
+## Bitwarden_RS Configuration File
+## Uncomment any of the following lines to change the defaults
+##
+## Be aware that most of these settings will be overridden if they were changed
+## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+
+## Main data folder
+# DATA_FOLDER=data
+
+## Database URL
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+# DATABASE_URL=data/db.sqlite3
+## When using MySQL, specify an appropriate connection URI.
+## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html
+# DATABASE_URL=mysql://user:password@host[:port]/database_name
+## When using PostgreSQL, specify an appropriate connection URI (recommended)
+## or keyword/value connection string.
+## Details:
+## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
+## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+# DATABASE_URL=postgresql://user:password@host[:port]/database_name
+
+## Database max connections
+## Define the size of the connection pool used for connecting to the database.
+# DATABASE_MAX_CONNS=10
+
+## Individual folders, these override %DATA_FOLDER%
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=/path/to/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
+## Client IP Header, used to identify the IP of the client, defaults to "X-Client-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Client-IP
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+# ICON_CACHE_NEGTTL=259200
+
+## Web vault settings
+# WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=true
+
+## Enables websocket notifications
+# WEBSOCKET_ENABLED=false
+
+## Controls the WebSocket server address and port
+# WEBSOCKET_ADDRESS=0.0.0.0
+# WEBSOCKET_PORT=3012
+
+## Enable extended logging, which shows timestamps and targets in the logs
+# EXTENDED_LOGGING=true
+
+## Timestamp format used in extended logging.
+## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
+# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
+
+## Logging to file
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# LOG_FILE=/path/to/log
+
+## Logging to Syslog
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# USE_SYSLOG=false
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## Setting it to "trace" or "debug" would also show logs for mounted
+## routes and static file, websocket and alive requests
+# LOG_LEVEL=Info
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents bitwarden_rs from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render  the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Database connection retries
+## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
+# DB_CONNECTION_RETRIES=15
+
+## Disable icon downloading
+## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
+## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+## otherwise it will delete them and they won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Icon blacklist Regex
+## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+# ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
+
+## Any IP which is not defined as a global IP will be blacklisted.
+## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+# ICON_BLACKLIST_NON_GLOBAL_IPS=true
+
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+
+## Maximum attempts before an email token is reset and a new email will need to be sent.
+# EMAIL_ATTEMPTS_LIMIT=3
+
+## Token expiration time
+## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+# EMAIL_EXPIRATION_TIME=600
+
+## Email token size
+## Number of digits in an email token (min: 6, max: 19).
+## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
+# EMAIL_TOKEN_SIZE=6
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
+## Controls which users can create new orgs.
+## Blank or 'all' means all users can create orgs (this is the default):
+# ORG_CREATION_USERS=
+## 'none' means no users can create orgs:
+# ORG_CREATION_USERS=none
+## A comma-separated list means only those users can create orgs:
+# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+
+## Token for the admin interface, preferably use a long random string
+## One option is to use 'openssl rand -base64 48'
+## If not set, the admin panel is disabled
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
+# DISABLE_ADMIN_TOKEN=false
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+## Name shown in the invitation emails that don't come from a specific organization
+# INVITATION_ORG_NAME=Bitwarden_RS
+
+## Per-organization attachment limit (KB)
+## Limit in kilobytes for an organization attachments, once the limit is exceeded it won't be possible to upload more
+# ORG_ATTACHMENT_LIMIT=
+## Per-user attachment limit (KB).
+## Limit in kilobytes for a users attachments, once the limit is exceeded it won't be possible to upload more
+# USER_ATTACHMENT_LIMIT=
+
+
+## Controls the PBBKDF password iterations to apply on the server
+## The change only applies when the password is changed
+# PASSWORD_ITERATIONS=100000
+
+## Whether password hint should be sent into the error response when the client request it
+# SHOW_PASSWORD_HINT=true
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+# DOMAIN=https://bw.domain.tld:8443
+
+## Allowed iframe ancestors (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
+## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
+## Multiple values must be separated with a whitespace.
+# ALLOWED_IFRAME_ANCESTORS=
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=<Integration Key>
+# DUO_SKEY=<Secret Key>
+# DUO_HOST=<API Hostname>
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
+
+## Rocket specific settings, check Rocket documentation to learn more
+# ROCKET_ENV=staging
+# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=bitwarden-rs@domain.tld
+# SMTP_FROM_NAME=Bitwarden_RS
+# SMTP_PORT=587
+# SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true.
+# SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work.
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_TIMEOUT=15
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
+# SMTP_AUTH_MECHANISM="Plain"
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## Require new device emails. When a user logs in an email is required to be sent.
+## If sending the email fails the login attempt will fail!!
+# REQUIRE_DEVICE_EMAIL=false
+
+## HIBP Api Key
+## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+# HIBP_API_KEY=
+
+# vim: syntax=ini

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: dani-garcia
+custom: ["https://paypal.me/DaniGG"]

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,42 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!--
+Please fill out the following template to make solving your problem easier and faster for us.
+This is only a guideline. If you think that parts are unneccessary for your issue, feel free to remove them.
+
+Remember to hide/obfuscate personal and confidential information, 
+such as names, global IP/DNS adresses and especially passwords, if neccessary.
+-->
+
+### Subject of the issue
+<!-- Describe your issue here.-->
+
+### Your environment
+<!-- The version number, obtained from the logs or the admin page -->
+* Bitwarden_rs version: 
+<!-- How the server was installed: Docker image / package / built from source -->
+* Install method: 
+* Clients used: <!-- if applicable -->
+* Reverse proxy and version: <!-- if applicable -->
+* Version of mysql/postgresql: <!-- if applicable -->
+* Other relevant information: 
+
+### Steps to reproduce
+<!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults)
+and how did you start bitwarden_rs? -->
+
+### Expected behaviour
+<!-- Tell us what should happen -->
+
+### Actual behaviour
+<!-- Tell us what happens instead -->
+
+### Relevant logs
+<!-- Share some logfiles, screenshots or output of relevant programs with us. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,11 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your feature requests to the forum
+Link: https://bitwardenrs.discourse.group/c/feature-requests

.github/ISSUE_TEMPLATE/help-with-installation-configuration.md

@@ -0,0 +1,11 @@
+---
+name: Help with installation/configuration
+about: Any questions about the setup of bitwarden_rs
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your third party help requests to the forum
+Link: https://bitwardenrs.discourse.group/c/help

.github/ISSUE_TEMPLATE/help-with-proxy-database-nas-setup.md

@@ -0,0 +1,11 @@
+---
+name: Help with proxy/database/NAS setup
+about: Any questions about third party software
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your third party help requests to the forum
+Link: https://bitwardenrs.discourse.group/c/third-party-help

.github/workflows/workspace.yml

@@ -0,0 +1,148 @@
+name: Workflow
+
+on:
+  push:
+    paths-ignore:
+      - "**.md"
+  #pull_request:
+  #  paths-ignore:
+  #    - "**.md"
+
+jobs:
+  build:
+    name: Build
+    strategy:
+      fail-fast: false
+      matrix:
+        db-backend: [sqlite, mysql, postgresql]
+        target:
+          - x86_64-unknown-linux-gnu
+          # - x86_64-unknown-linux-musl
+          # - x86_64-apple-darwin
+          # - x86_64-pc-windows-msvc
+        include:
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+            ext:
+          # - target: x86_64-unknown-linux-musl
+          #   os: ubuntu-latest
+          #   ext:
+          # - target: x86_64-apple-darwin
+          #   os: macOS-latest
+          #   ext:
+          # - target: x86_64-pc-windows-msvc
+          #   os: windows-latest
+          #   ext: .exe
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v1
+
+    # - name: Cache choco cache
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'windows-latest'
+    #   with:
+    #     path: ~\AppData\Local\Temp\chocolatey
+    #     key: ${{ runner.os }}-choco-cache-${{ matrix.db-backend }}
+
+    - name: Cache vcpkg installed
+      uses: actions/cache@v1.0.3
+      if: matrix.os == 'windows-latest'
+      with:
+        path: $VCPKG_ROOT/installed
+        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    - name: Cache vcpkg downloads
+      uses: actions/cache@v1.0.3
+      if: matrix.os == 'windows-latest'
+      with:
+        path: $VCPKG_ROOT/downloads
+        key: ${{ runner.os }}-vcpkg-cache-${{ matrix.db-backend }}
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    # - name: Cache homebrew
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'macOS-latest'
+    #   with:
+    #     path: ~/Library/Caches/Homebrew
+    #     key: ${{ runner.os }}-brew-cache
+
+    # - name: Cache apt
+    #   uses: actions/cache@v1.0.3
+    #   if: matrix.os == 'ubuntu-latest'
+    #   with:
+    #     path: /var/cache/apt/archives
+    #     key: ${{ runner.os }}-apt-cache
+
+    # Install dependencies
+    - name: Install dependencies macOS
+      run: brew update; brew install openssl sqlite libpq mysql
+      if: matrix.os == 'macOS-latest'
+
+    - name: Install dependencies Ubuntu
+      run: sudo apt-get update && sudo apt-get install --no-install-recommends openssl sqlite libpq-dev libmysql++-dev
+      if: matrix.os == 'ubuntu-latest'
+
+    - name: Install dependencies Windows
+      run: vcpkg integrate install; vcpkg install sqlite3:x64-windows openssl:x64-windows libpq:x64-windows libmysql:x64-windows
+      if: matrix.os == 'windows-latest'
+      env:
+        VCPKG_ROOT: 'C:\vcpkg'
+    # End Install dependencies
+
+    # Install rust nightly toolchain
+    - name: Cache cargo registry
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/registry
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo index
+      uses: actions/cache@v1.0.3
+      with:
+        path: ~/.cargo/git
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+    - name: Cache cargo build
+      uses: actions/cache@v1.0.3
+      with:
+        path: target
+        key: ${{ runner.os }}-${{matrix.db-backend}}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+
+    - name: Install latest nightly
+      uses: actions-rs/toolchain@v1.0.5
+      with:
+        # Uses rust-toolchain to determine version
+        profile: minimal
+        target: ${{ matrix.target }}
+
+    # Build
+    - name: Build Win
+      if: matrix.os == 'windows-latest'
+      run: cargo.exe build --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
+      env:
+        RUSTFLAGS: -Ctarget-feature=+crt-static
+        VCPKG_ROOT: 'C:\vcpkg'
+
+    - name: Build macOS / Ubuntu
+      if: matrix.os == 'macOS-latest' || matrix.os == 'ubuntu-latest'
+      run: cargo build --verbose --features ${{ matrix.db-backend }} --release --target ${{ matrix.target }}
+
+    # Test
+    - name: Run tests
+      run: cargo test --features ${{ matrix.db-backend }}
+
+    # Upload & Release
+    - name: Upload artifact
+      uses: actions/upload-artifact@v1.0.0
+      with:
+        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
+        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
+
+    - name: Release
+      uses: Shopify/upload-to-release@1.0.0
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        name: bitwarden_rs-${{ matrix.db-backend }}-${{ matrix.target }}${{ matrix.ext }}
+        path: target/${{ matrix.target }}/release/bitwarden_rs${{ matrix.ext }}
+        repo-token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -10,7 +10,7 @@ data
 *.iml
 
 # Environment file
-# .env
+.env
 
 # Web vault
-web-vault
+web-vault

.hadolint.yaml

@@ -0,0 +1,7 @@
+ignored:
+  # disable explicit version for apt install
+  - DL3008
+  # disable explicit version for apk install
+  - DL3018
+trustedRegistries:
+  - docker.io

.travis.yml

@@ -1,7 +1,21 @@
-# Copied from Rocket's .travis.yml
+dist: xenial
+
+env:
+  global:
+    - HADOLINT_VERSION=1.17.1
+
 language: rust
-sudo: required # so we get a VM with higher specs
-dist: trusty # so we get a VM with higher specs
+rust: nightly
 cache: cargo
-rust:
-- nightly
+
+before_install:
+  - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
+  - sudo chmod +rx /usr/local/bin/hadolint
+  - rustup set profile minimal
+
+# Nothing to install
+install: true
+script:
+- git ls-files --exclude='Dockerfile*' --ignored | xargs --max-lines=1 hadolint
+- cargo test --features "sqlite"
+- cargo test --features "mysql"

BUILD.md

@@ -1,70 +0,0 @@
-# Build instructions
-
-## Dependencies
-- `Rust nightly` (strongly recommended to use [rustup](https://rustup.rs/))
-- `OpenSSL` (should be available in path, install through your system's package manager or use the [prebuilt binaries](https://wiki.openssl.org/index.php/Binaries))
-- `NodeJS` (required to build the web-vault, (install through your system's package manager or use the [prebuilt binaries](https://nodejs.org/en/download/))
-
-
-## Run/Compile
-```sh
-# Compile and run
-cargo run
-# or just compile (binary located in target/release/bitwarden_rs)
-cargo build --release
-```
-
-When run, the server is accessible in [http://localhost:80](http://localhost:80).
-
-### Install the web-vault
-Clone the git repository at [bitwarden/web](https://github.com/bitwarden/web) and checkout the latest release tag (e.g. v2.1.1):
-```sh
-# clone the repository
-git clone https://github.com/bitwarden/web.git web-vault
-cd web-vault
-# switch to the latest tag
-git checkout "$(git tag | tail -n1)"
-```
-
-Apply the patch file from `docker/set-vault-baseurl.patch`:
-```sh
-# In the Vault repository directory
-git apply /path/to/bitwarden_rs/docker/set-vault-baseurl.patch
-```
-
-Then, build the Vault:
-```sh
-npm run sub:init
-npm install
-npm run dist
-```
-
-Finally copy the contents of the `build` folder into the `bitwarden_rs/web-vault` folder.
-
-# Configuration
-The available configuration options are documented in the default `.env` file, and they can be modified by uncommenting the desired options in that file or by setting their respective environment variables. Look at the README file for the main configuration options available.
-
-Note: the environment variables override the values set in the `.env` file.
-
-## How to recreate database schemas (for developers)
-Install diesel-cli with cargo:
-```sh
-cargo install diesel_cli --no-default-features --features sqlite-bundled
-```
-
-Make sure that the correct path to the database is in the `.env` file.
-
-If you want to modify the schemas, create a new migration with:
-```
-diesel migration generate <name>
-```
-
-Modify the *.sql files, making sure that any changes are reverted in the down.sql file.
-
-Apply the migrations and save the generated schemas as follows:
-```sh
-diesel migration redo
-
-# This step should be done automatically when using diesel-cli > 1.3.0
-# diesel print-schema > src/db/schema.rs
-```

Cargo.toml

@@ -2,85 +2,136 @@
 name = "bitwarden_rs"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
+edition = "2018"
+
+repository = "https://github.com/dani-garcia/bitwarden_rs"
+readme = "README.md"
+license = "GPL-3.0-only"
+publish = false
+build = "build.rs"
+
+[features]
+# Empty to keep compatibility, prefer to set USE_SYSLOG=true
+enable_syslog = []
+mysql = ["diesel/mysql", "diesel_migrations/mysql"]
+postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
+sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
+# Enable to use a vendored and statically linked openssl
+vendored_openssl = ["openssl/vendored"]
+
+# Enable unstable features, requires nightly
+# Currently only used to enable rusts official ip support
+unstable = []
+
+[target."cfg(not(windows))".dependencies]
+syslog = "4.0.1"
 
 [dependencies]
 # Web framework for nightly with a focus on ease-of-use, expressibility, and speed.
-rocket = { version = "0.3.17", features = ["tls"] }
-rocket_codegen = "0.3.17"
-rocket_contrib = "0.3.17"
+rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
+rocket_contrib = "0.5.0-dev"
 
 # HTTP client
-reqwest = "0.9.2"
+reqwest = { version = "0.10.8", features = ["blocking", "json"] }
 
 # multipart/form-data support
-multipart = "0.15.3"
+multipart = { version = "0.17.0", features = ["server"], default-features = false }
 
 # WebSockets library
-ws = "0.7.8"
+ws = "0.9.1"
 
 # MessagePack library
-rmpv = "0.4.0"
+rmpv = "0.4.5"
 
 # Concurrent hashmap implementation
-chashmap = "2.2.0"
+chashmap = "2.2.2"
 
 # A generic serialization/deserialization framework
-serde = "1.0.79"
-serde_derive = "1.0.79"
-serde_json = "1.0.31"
+serde = "1.0.115"
+serde_derive = "1.0.115"
+serde_json = "1.0.57"
+
+# Logging
+log = "0.4.11"
+fern = { version = "0.6.0", features = ["syslog-4"] }
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "1.3.3", features = ["sqlite", "chrono", "r2d2"] }
-diesel_migrations = { version = "1.3.0", features = ["sqlite"] }
+diesel = { version = "1.4.5", features = [ "chrono", "r2d2"] }
+diesel_migrations = "1.4.0"
 
 # Bundled SQLite
-libsqlite3-sys = { version = "0.9.3", features = ["bundled"] }
+libsqlite3-sys = { version = "0.18.0", features = ["bundled"], optional = true }
 
-# Crypto library
-ring = { version = "= 0.11.0", features = ["rsa_signing"] }
+# Crypto-related libraries
+rand = "0.7.3"
+ring = "0.16.15"
 
 # UUID generation
-uuid = { version = "0.7.1", features = ["v4"] }
+uuid = { version = "0.8.1", features = ["v4"] }
 
-# Date and time library for Rust
-chrono = "0.4.6"
+# Date and time libraries
+chrono = "0.4.15"
+chrono-tz = "0.5.3"
+time = "0.2.18"
 
 # TOTP library
 oath = "0.10.2"
 
 # Data encoding library
-data-encoding = "2.1.1"
+data-encoding = "2.3.0"
 
 # JWT library
-jsonwebtoken = "= 4.0.1"
+jsonwebtoken = "7.2.0"
 
 # U2F library
-u2f = "0.1.2"
+u2f = "0.2.0"
+
+# Yubico Library
+yubico = { version = "0.9.1", features = ["online-tokio"], default-features = false }
 
 # A `dotenv` implementation for Rust
-dotenv = { version = "0.13.0", default-features = false }
+dotenv = { version = "0.15.0", default-features = false }
 
-# Lazy static macro
-lazy_static = "1.1.0"
+# Lazy initialization
+once_cell = "1.4.1"
 
 # Numerical libraries
-num-traits = "0.2.6"
-num-derive = "0.2.3"
+num-traits = "0.2.12"
+num-derive = "0.3.2"
 
 # Email libraries
-lettre = "0.9.0"
-lettre_email = "0.9.0"
-native-tls = "0.2.1"
+lettre = { version = "0.10.0-alpha.2", features = ["smtp-transport", "builder", "serde", "native-tls", "hostname"], default-features = false }
+newline-converter = "0.1.0"
 
-# Number encoding library
-byteorder = "1.2.6"
+# Template library
+handlebars = { version = "3.4.0", features = ["dir_source"] }
+
+# For favicon extraction from main website
+soup = "0.5.0"
+regex = "1.3.9"
+data-url = "0.1.0"
+
+# Used by U2F, JWT and Postgres
+openssl = "0.10.30"
+
+# URL encoding library
+percent-encoding = "2.1.0"
+# Punycode conversion
+idna = "0.2.0"
+
+# CLI argument parsing
+structopt = "0.3.17"
+
+# Logging panics to logfile instead stderr only
+backtrace = "0.3.50"
+
+# Macro ident concatenation
+paste = "1.0.0"
 
 [patch.crates-io]
- # Make jwt use ring 0.11, to match rocket
-jsonwebtoken = { path = "libs/jsonwebtoken" }
-rmp = { git = 'https://github.com/dani-garcia/msgpack-rust' }
-lettre = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
-lettre_email = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
+# Use newest ring
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = '1010f6a2a88fac899dec0cd2f642156908038a53' }
+rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = '1010f6a2a88fac899dec0cd2f642156908038a53' }
 
-# Version 0.1.2 from crates.io lacks a commit that fixes a certificate error
-u2f = { git = 'https://github.com/wisespace-io/u2f-rs', rev = '193de35093a44' }
+# For favicon extraction from main website
+data-url = { git = 'https://github.com/servo/rust-url', package="data-url", rev = '7f1bd6ce1c2fde599a757302a843a60e714c5f72' }

Dockerfile

@@ -1,89 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM node:8-alpine as vault
-
-ENV VAULT_VERSION "v2.4.0"
-
-ENV URL "https://github.com/bitwarden/web.git"
-
-RUN apk add --update-cache --upgrade \
-    curl \
-    git \
-    tar
-
-RUN git clone -b $VAULT_VERSION --depth 1 $URL web-build
-WORKDIR /web-build
-
-COPY /docker/set-vault-baseurl.patch /web-build/    
-RUN git apply set-vault-baseurl.patch
-
-RUN npm run sub:init && npm install
-
-RUN npm run dist \
-    && mv build /web-vault
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust as build
-
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    sqlite3\
-#    --no-install-recommends\
-# && rm -rf /var/lib/apt/lists/*
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
-WORKDIR /app
-
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./libs ./libs
-COPY ./rust-toolchain ./rust-toolchain
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --release
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM debian:stretch-slim
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_WORKERS=10
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y\
-    openssl\
-    ca-certificates\
-    --no-install-recommends\
- && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (env file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY .env .
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build app/target/release/bitwarden_rs .
-
-# Configures the startup!
-CMD ./bitwarden_rs

Dockerfile

@@ -0,0 +1 @@
+docker/amd64/Dockerfile

Dockerfile.aarch64

@@ -1,112 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM node:8-alpine as vault
-
-ENV VAULT_VERSION "v2.4.0"
-
-ENV URL "https://github.com/bitwarden/web.git"
-
-RUN apk add --update-cache --upgrade \
-    curl \
-    git \
-    tar
-
-RUN git clone -b $VAULT_VERSION --depth 1 $URL web-build
-WORKDIR /web-build
-
-COPY /docker/set-vault-baseurl.patch /web-build/    
-RUN git apply set-vault-baseurl.patch
-
-RUN npm run sub:init && npm install
-
-RUN npm run dist \
-    && mv build /web-vault
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust as build
-
-RUN apt-get update \
-    && apt-get install -y \
-        gcc-aarch64-linux-gnu \
-    && mkdir -p ~/.cargo \
-    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
-    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
-WORKDIR /app
-
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./libs ./libs
-COPY ./rust-toolchain ./rust-toolchain
-
-# Prepare openssl arm64 libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture arm64 \
-    && apt-get update \
-    && apt-get install -y \
-        libssl-dev:arm64 \
-        libc6-dev:arm64
-
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
-ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/aarch64-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y\
-    openssl\
-    ca-certificates\
-    --no-install-recommends\
- && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (env file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY .env .
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
-
-# Configures the startup!
-CMD ./bitwarden_rs

Dockerfile.alpine

@@ -1,81 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM node:8-alpine as vault
-
-ENV VAULT_VERSION "v2.4.0"
-
-ENV URL "https://github.com/bitwarden/web.git"
-
-RUN apk add --update-cache --upgrade \
-    curl \
-    git \
-    tar
-
-RUN git clone -b $VAULT_VERSION --depth 1 $URL web-build
-WORKDIR /web-build
-
-COPY /docker/set-vault-baseurl.patch /web-build/    
-RUN git apply set-vault-baseurl.patch
-
-RUN npm run sub:init && npm install
-
-RUN npm run dist \
-    && mv build /web-vault
-
-########################## BUILD IMAGE  ##########################
-# Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2018-08-24 as build
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo init --bin
-
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./libs ./libs
-COPY ./rust-toolchain ./rust-toolchain
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --release
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM alpine:3.8
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_WORKERS=10
-ENV SSL_CERT_DIR=/etc/ssl/certs
-
-# Install needed libraries
-RUN apk add \
-        openssl\
-        ca-certificates \
-    && rm /var/cache/apk/*
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (env file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY .env .
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /volume/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
-
-# Configures the startup!
-CMD ./bitwarden_rs

Dockerfile.armv7

@@ -1,112 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM node:8-alpine as vault
-
-ENV VAULT_VERSION "v2.4.0"
-
-ENV URL "https://github.com/bitwarden/web.git"
-
-RUN apk add --update-cache --upgrade \
-    curl \
-    git \
-    tar
-
-RUN git clone -b $VAULT_VERSION --depth 1 $URL web-build
-WORKDIR /web-build
-
-COPY /docker/set-vault-baseurl.patch /web-build/    
-RUN git apply set-vault-baseurl.patch
-
-RUN npm run sub:init && npm install
-
-RUN npm run dist \
-    && mv build /web-vault
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust as build
-
-RUN apt-get update \
-    && apt-get install -y \
-        gcc-arm-linux-gnueabihf \
-    && mkdir -p ~/.cargo \
-    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
-    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
-WORKDIR /app
-
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./libs ./libs
-COPY ./rust-toolchain ./rust-toolchain
-
-# Prepare openssl armhf libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armhf \
-    && apt-get update \
-    && apt-get install -y \
-        libssl-dev:armhf \
-        libc6-dev:armhf
-
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/armv7hf-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y\
-    openssl\
-    ca-certificates\
-    --no-install-recommends\
- && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (env file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY .env .
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
-
-# Configures the startup!
-CMD ./bitwarden_rs

PROXY.md

@@ -1,94 +0,0 @@
-# Proxy examples
-
-In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`.
-The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended.
-
-When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.
-
-## Caddy
-
-```nginx
-localhost:443 {
-    # The negotiation endpoint is also proxied to Rocket
-    proxy /notifications/hub/negotiate <SERVER>:80 {
-        transparent
-    }
-    
-    # Notifications redirected to the websockets server
-    proxy /notifications/hub <SERVER>:3012 {
-        websocket
-    }
-    
-    # Proxy the Root directory to Rocket
-    proxy / <SERVER>:80 {
-        transparent
-    }
-
-    tls ${SSLCERTIFICATE} ${SSLKEY}
-}
-```
-
-## Nginx (by shauder)
-```nginx
-server {
-  listen 443 ssl http2;
-  server_name vault.*;
-  
-  # Specify SSL config if using a shared one.
-  #include conf.d/ssl/ssl.conf;
-  
-  location / {
-    proxy_pass http://<SERVER>:80;
-  }
-  
-  location /notifications/hub {
-    proxy_pass http://<SERVER>:3012;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-  }
-  
-  location /notifications/hub/negotiate {
-    proxy_pass http://<SERVER>:80;
-  }
-}
-```
-
-## Apache (by fbartels)
-```apache
-<VirtualHost *:443>
-    SSLEngine on
-    ServerName bitwarden.$hostname.$domainname
-
-    SSLCertificateFile ${SSLCERTIFICATE}
-    SSLCertificateKeyFile ${SSLKEY}
-    SSLCACertificateFile ${SSLCA}
-    ${SSLCHAIN}
-
-    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
-    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined
-
-    RewriteEngine On
-    RewriteCond %{HTTP:Upgrade} =websocket [NC]
-    RewriteRule /(.*)           ws://<SERVER>:3012/$1 [P,L]
-
-    ProxyPass / http://<SERVER>:80/
-
-    ProxyPreserveHost On
-    ProxyRequests Off
-</VirtualHost>
-```
-
-## Traefik (docker-compose example)
-```traefik
-    labels:
-      - 'traefik.frontend.rule=Host:vault.example.local'
-      - 'traefik.docker.network=traefik'
-      - 'traefik.port=80'
-      - 'traefik.enable=true'
-      - 'traefik.web.frontend.rule=Host:vault.example.local'
-      - 'traefik.web.port=80'
-      - 'traefik.hub.frontend.rule=Path:/notifications/hub'
-      - 'traefik.hub.port=3012'
-      - 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
-      - 'traefik.negotiate.port=80'
-```

README.md

@@ -3,493 +3,59 @@
 ---
 
 [![Travis Build Status](https://travis-ci.org/dani-garcia/bitwarden_rs.svg?branch=master)](https://travis-ci.org/dani-garcia/bitwarden_rs)
+[![Docker Pulls](https://img.shields.io/docker/pulls/bitwardenrs/server.svg)](https://hub.docker.com/r/bitwardenrs/server)
 [![Dependency Status](https://deps.rs/repo/github/dani-garcia/bitwarden_rs/status.svg)](https://deps.rs/repo/github/dani-garcia/bitwarden_rs)
 [![GitHub Release](https://img.shields.io/github/release/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/releases/latest)
 [![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/blob/master/LICENSE.txt)
-[![Matrix Chat](https://matrix.to/img/matrix-badge.svg)](https://matrix.to/#/#bitwarden_rs:matrix.org)
+[![Matrix Chat](https://img.shields.io/matrix/bitwarden_rs:matrix.org.svg?logo=matrix)](https://matrix.to/#/#bitwarden_rs:matrix.org)
 
 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/bitwarden_rs).
 
-_*Note, that this project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC._
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
 
 ---
 
-**Table of contents**
-
-- [Features](#features)
-- [Missing features](#missing-features)
-- [Docker image usage](#docker-image-usage)
-  - [Starting a container](#starting-a-container)
-  - [Updating the bitwarden image](#updating-the-bitwarden-image)
-- [Configuring bitwarden service](#configuring-bitwarden-service)
-  - [Disable registration of new users](#disable-registration-of-new-users)
-  - [Disable invitations](#disable-invitations)
-  - [Configure server administrator](#configure-server-administrator)
-  - [Enabling HTTPS](#enabling-https)
-  - [Enabling WebSocket notifications](#enabling-websocket-notifications)
-  - [Enabling U2F authentication](#enabling-u2f-authentication)
-  - [Changing persistent data location](#changing-persistent-data-location)
-    - [/data prefix:](#data-prefix)
-    - [database name and location](#database-name-and-location)
-    - [attachments location](#attachments-location)
-    - [icons cache](#icons-cache)
-  - [Changing the API request size limit](#changing-the-api-request-size-limit)
-  - [Changing the number of workers](#changing-the-number-of-workers)
-  - [SMTP configuration](#smtp-configuration)
-  - [Password hint display](#password-hint-display)
-  - [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting)
-  - [Other configuration](#other-configuration)
-- [Building your own image](#building-your-own-image)
-- [Building binary](#building-binary)
-- [Available packages](#available-packages)
-  - [Arch Linux](#arch-linux)
-- [Kubernetes deployment](#kubernetes-deployment)
-- [Backing up your vault](#backing-up-your-vault)
-  - [1. the sqlite3 database](#1-the-sqlite3-database)
-  - [2. the attachments folder](#2-the-attachments-folder)
-  - [3. the key files](#3-the-key-files)
-  - [4. Icon Cache](#4-icon-cache)
-- [Running the server with non-root user](#running-the-server-with-non-root-user)
-- [Differences from upstream API implementation](#differences-from-upstream-api-implementation)
-  - [Changing user email](#changing-user-email)
-  - [Creating organization](#creating-organization)
-  - [Inviting users into organization](#inviting-users-into-organization)
-  - [Running on unencrypted connection](#running-on-unencrypted-connection)
-- [Get in touch](#get-in-touch)
-
 ## Features
 
 Basically full implementation of Bitwarden API is provided including:
 
- * Basic single user functionality
  * Organizations support
  * Attachments
- * Vault API support 
+ * Vault API support
  * Serving the static files for Vault interface
  * Website icons API
  * Authenticator and U2F support
- 
-## Missing features
-* Email confirmation
-* Other two-factor systems:
-  * YubiKey OTP (if your key supports U2F, you can use that)
-  * Duo
-  * Email codes
+ * YubiKey and Duo support
 
-## Docker image usage
-
-### Starting a container
-
-The persistent data is stored under /data inside the container, so the only requirement for persistent deployment using Docker is to mount persistent volume at the path:
-
-```
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 mprasil/bitwarden:latest
-```
-
-This will preserve any persistent data under `/bw-data/`, you can adapt the path to whatever suits you.
-
-The service will be exposed on port 80.
-
-### Updating the bitwarden image
-
-Updating is straightforward, you just make sure to preserve the mounted volume. If you used the bind-mounted path as in the example above, you just need to `pull` the latest image, `stop` and `rm` the current container and then start a new one the same way as before:
+## Installation
+Pull the docker image and mount a volume from the host for persistent storage:
 
 ```sh
-# Pull the latest version
-docker pull mprasil/bitwarden:latest
-
-# Stop and remove the old container
-docker stop bitwarden
-docker rm bitwarden
-
-# Start new container with the data mounted
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 mprasil/bitwarden:latest
+docker pull bitwardenrs/server:latest
+docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
 ```
-Then visit [http://localhost:80](http://localhost:80)
+This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.
 
-In case you didn't bind mount the volume for persistent data, you need an intermediate step where you preserve the data with an intermediate container:
+**IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. 
 
-```sh
-# Pull the latest version
-docker pull mprasil/bitwarden:latest
+This can be configured in [bitwarden_rs directly](https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples)).
 
-# Create intermediate container to preserve data
-docker run --volumes-from bitwarden --name bitwarden_data busybox true
+If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
 
-# Stop and remove the old container
-docker stop bitwarden
-docker rm bitwarden
-
-# Start new container with the data mounted
-docker run -d --volumes-from bitwarden_data --name bitwarden -p 80:80 mprasil/bitwarden:latest
-
-# Optionally remove the intermediate container
-docker rm bitwarden_data
-
-# Alternatively you can keep data container around for future updates in which case you can skip last step.
-```
-
-## Configuring bitwarden service
-
-### Disable registration of new users
-
-By default new users can register, if you want to disable that, set the `SIGNUPS_ALLOWED` env variable to `false`:
-
-```sh
-docker run -d --name bitwarden \
-  -e SIGNUPS_ALLOWED=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-Note: While users can't register on their own, they can still be invited by already registered users. Read below if you also want to disable that.
-
-### Disable invitations
-
-Even when registration is disabled, organization administrators or owners can invite users to join organization. This won't send email invitation to the users, but after they are invited, they can register with the invited email even if `SIGNUPS_ALLOWED` is actually set to `false`. You can disable this functionality completely by setting `INVITATIONS_ALLOWED` env variable to `false`:
-
-```sh
-docker run -d --name bitwarden \
-  -e SIGNUPS_ALLOWED=false \
-  -e INVITATIONS_ALLOWED=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-### Configure server administrator
-
-**Warning:** *Never* use your regular account for the admin functionality. This is a bit of a hack using the Vault interface for something it's not intended to do and it breaks any other functionality for the account. Please set up and use separate account just for this functionality.
-
-You can configure one email account to be server administrator via the `SERVER_ADMIN_EMAIL` environment variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e SERVER_ADMIN_EMAIL=admin@example.com \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-This will give the user extra functionality and privileges to manage users on the server. In the Vault, the user will see a special (virtual) organization called `bitwarden_rs`. This organization doesn't actually exist and can't be used for most things. (can't have collections or ciphers) Instead it just contains all the users registered on the server. Deleting users from this organization will actually completely delete the user from the server. Inviting users into this organization will just invite the user so they are able to register, but will not grant any organization membership. (unlike inviting user to regular organization)
-
-You can think of the `bitwarden_rs` organization as sort of Admin interface to manage users on the server. Keep in mind that deleting user this way removes the user permanently without any way to restore the deleted data just as if user deleted their own account.
-
-### Enabling HTTPS
-To enable HTTPS, you need to configure the `ROCKET_TLS`.
-
-The values to the option must follow the format:
-```
-ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
-```
-Where:
-- certs: a path to a certificate chain in PEM format
-- key: a path to a private key file in PEM format for the certificate in certs
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_TLS='{certs="/ssl/certs.pem",key="/ssl/key.pem"}' \
-  -v /ssl/keys/:/ssl/ \
-  -v /bw-data/:/data/ \
-  -p 443:80 \
-  mprasil/bitwarden:latest
-```
-Note that you need to mount ssl files and you need to forward appropriate port.
-
-Due to what is likely a certificate validation bug in Android, you need to make sure that your certificate includes the full chain of trust. In the case of certbot, this means using `fullchain.pem` instead of `cert.pem`.
-
-Softwares used for getting certs are often using symlinks. If that is the case, both locations need to be accessible to the docker container.
-
-Example: [certbot](https://certbot.eff.org/) will create a folder that contains the needed `fullchain.pem` and `privkey.pem` files in `/etc/letsencrypt/live/mydomain/`
-
-These files are symlinked to `../../archive/mydomain/privkey.pem`
-
-So to use from bitwarden container:
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_TLS='{certs="/ssl/live/mydomain/fullchain.pem",key="/ssl/live/mydomain/privkey.pem"}' \
-  -v /etc/letsencrypt/:/ssl/ \
-  -v /bw-data/:/data/ \
-  -p 443:80 \
-  mprasil/bitwarden:latest
-```
-### Enabling WebSocket notifications
-*Important: This does not apply to the mobile clients, which use push notifications.*
-
-To enable WebSockets notifications, an external reverse proxy is necessary, and it must be configured to do the following:
-- Route the `/notifications/hub` endpoint to the WebSocket server, by default at port `3012`, making sure to pass the `Connection` and `Upgrade` headers. (Note the port can be changed with `WEBSOCKET_PORT` variable)
-- Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`.
-- If using Docker, you may need to map both ports with the `-p` flag
-
-Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file.
-
-Then you need to enable WebSockets negotiation on the bitwarden_rs side by setting the `WEBSOCKET_ENABLED` variable to `true`:
-
-```sh
-docker run -d --name bitwarden \
-  -e WEBSOCKET_ENABLED=true \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  -p 3012:3012 \
-  mprasil/bitwarden:latest
-```
-
-Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port.
-
-### Enabling U2F authentication
-To enable U2F authentication, you must be serving bitwarden_rs from an HTTPS domain with a valid certificate (Either using the included
-HTTPS options or with a reverse proxy). We recommend using a free certificate from Let's Encrypt.
-
-After that, you need to set the `DOMAIN` environment variable to the same address from where bitwarden_rs is being served:
-
-```sh
-docker run -d --name bitwarden \
-  -e DOMAIN=https://bw.domain.tld \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note that the value has to include the `https://` and it may include a port at the end (in the format of `https://bw.domain.tld:port`) when not using `443`.
-
-### Changing persistent data location
-
-#### /data prefix:
-
-By default all persistent data is saved under `/data`, you can override this path by setting the `DATA_FOLDER` env variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e DATA_FOLDER=/persistent \
-  -v /bw-data/:/persistent/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Notice, that you need to adapt your volume mount accordingly.
-
-#### database name and location
-
-Default is `$DATA_FOLDER/db.sqlite3`, you can change the path specifically for database using `DATABASE_URL` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e DATABASE_URL=/database/bitwarden.sqlite3 \
-  -v /bw-data/:/data/ \
-  -v /bw-database/:/database/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that you need to remember to mount the volume for both database and other persistent data if they are different.
-
-#### attachments location
-
-Default is `$DATA_FOLDER/attachments`, you can change the path using `ATTACHMENTS_FOLDER` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e ATTACHMENTS_FOLDER=/attachments \
-  -v /bw-data/:/data/ \
-  -v /bw-attachments/:/attachments/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that you need to remember to mount the volume for both attachments and other persistent data if they are different.
-
-#### icons cache
-
-Default is `$DATA_FOLDER/icon_cache`, you can change the path using `ICON_CACHE_FOLDER` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e ICON_CACHE_FOLDER=/icon_cache \
-  -v /bw-data/:/data/ \
-  -v /icon_cache/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that in the above example we don't mount the volume locally, which means it won't be persisted during the upgrade unless you use intermediate data container using `--volumes-from`. This will impact performance as bitwarden will have to re-download the icons on restart, but might save you from having stale icons in cache as they are not automatically cleaned.
-
-### Changing the API request size limit
-
-By default the API calls are limited to 10MB. This should be sufficient for most cases, however if you want to support large imports, this might be limiting you. On the other hand you might want to limit the request size to something smaller than that to prevent API abuse and possible DOS attack, especially if running with limited resources.
-
-To set the limit, you can use the `ROCKET_LIMITS` variable. Example here shows 10MB limit for posted json in the body (this is the default):
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_LIMITS={json=10485760} \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-### Changing the number of workers
-
-When you run bitwarden_rs, it spawns `2 * <number of cpu cores>` workers to handle requests. On some systems this might lead to low number of workers and hence slow performance, so the default in the docker image is changed to spawn 10 threads. You can override this setting to increase or decrease the number of workers by setting the `ROCKET_WORKERS` variable.
-
-In the example below, we're starting with 20 workers:
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_WORKERS=20 \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-### SMTP configuration
-
-You can configure bitwarden_rs to send emails via a SMTP agent:
-
-```sh
-docker run -d --name bitwarden \
-  -e SMTP_HOST=<smtp.domain.tld> \
-  -e SMTP_FROM=<bitwarden@domain.tld> \
-  -e SMTP_PORT=587 \
-  -e SMTP_SSL=true \
-  -e SMTP_USERNAME=<username> \
-  -e SMTP_PASSWORD=<password> \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-  
-When `SMTP_SSL` is set to `true`(this is the default), only TLSv1.1 and TLSv1.2 protocols will be accepted and `SMTP_PORT` will default to `587`. If set to `false`, `SMTP_PORT` will default to `25` and the connection won't be encrypted. This can be very insecure, use this setting only if you know what you're doing.
-
-### Password hint display
-
-Usually, password hints are sent by email. But as bitwarden_rs is made with small or personal deployment in mind, hints are also available from the password hint page, so you don't have to configure an email service. If you want to disable this feature, you can use the `SHOW_PASSWORD_HINT` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e SHOW_PASSWORD_HINT=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-### Disabling or overriding the Vault interface hosting
-
-As a convenience bitwarden_rs image will also host static files for Vault web interface. You can disable this static file hosting completely by setting the WEB_VAULT_ENABLED variable.
-
-```sh
-docker run -d --name bitwarden \
-  -e WEB_VAULT_ENABLED=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-Alternatively you can override the Vault files and provide your own static files to host. You can do that by mounting a path with your files over the `/web-vault` directory in the container. Just make sure the directory contains at least `index.html` file.
-
-```sh
-docker run -d --name bitwarden \
-  -v /path/to/static/files_directory:/web-vault \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-``` 
-
-Note that you can also change the path where bitwarden_rs looks for static files by providing the `WEB_VAULT_FOLDER` environment variable with the path.
-
-### Other configuration
-
-Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
-
-## Building your own image
-
-Clone the repository, then from the root of the repository run:
-
-```sh
-# Build the docker image:
-docker build -t bitwarden_rs .
-```
-
-## Building binary
-
-For building binary outside the Docker environment and running it locally without docker, please see [build instructions](https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md).
-
-## Available packages
-
-### Arch Linux
-
-Bitwarden_rs is already packaged for Archlinux thanks to @mqus. There is an [AUR package](https://aur.archlinux.org/packages/bitwarden_rs) (optionally with the [vault web interface](https://aur.archlinux.org/packages/bitwarden_rs-vault/) ) available.
-
-## Kubernetes deployment
-
-Please check the [kubernetes-bitwarden_rs](https://github.com/icicimov/kubernetes-bitwarden_rs) repository for example deployment in Kubernetes.
-It will setup a fully functional and secure `bitwarden_rs` application in Kubernetes behind [nginx-ingress-controller](https://github.com/kubernetes/ingress-nginx) and AWS [ELBv1](https://aws.amazon.com/elasticloadbalancing/features/#Details_for_Elastic_Load_Balancing_Products). It provides little bit more than just simple deployment but you can use all or just part of the manifests depending on your needs and setup.
-
-## Backing up your vault
-
-### 1. the sqlite3 database
-
-The sqlite3 database should be backed up using the proper sqlite3 backup command. This will ensure the database does not become corrupted if the backup happens during a database write.
-
-```
-sqlite3 /$DATA_FOLDER/db.sqlite3 ".backup '/$DATA_FOLDER/db-backup/backup.sqlite3'"
-```
-
-This command can be run via a CRON job everyday, however note that it will overwrite the same `backup.sqlite3` file each time. This backup file should therefore be saved via incremental backup either using a CRON job command that appends a timestamp or from another backup app such as Duplicati. To restore simply overwrite `db.sqlite3` with `backup.sqlite3` (while bitwarden_rs is stopped).
- 
-### 2. the attachments folder
-
-By default, this is located in `$DATA_FOLDER/attachments`
-
-### 3. the key files
-
-This is optional, these are only used to store tokens of users currently logged in, deleting them would simply log each user out forcing them to log in again. By default, these are located in the `$DATA_FOLDER` (by default /data in the docker). There are 3 files: rsa_key.der, rsa_key.pem, rsa_key.pub.der.
-
-### 4. Icon Cache
-
-This is optional, the icon cache can re-download itself however if you have a large cache, it may take a long time. By default it is located in `$DATA_FOLDER/icon_cache`
-
-## Running the server with non-root user
-
-The root user inside the container is already pretty limited in what it can do, so the default setup should be secure enough. However if you wish to go the extra mile to avoid using root even in container, here's how you can do that:
-
-  1. Create a data folder that's owned by non-root user, so you can use that user to write persistent data. Get the user `id`. In linux you can run `stat <folder_name>` to get/verify the owner ID.
-  2. When you run the container, you need to provide the user ID as one of the parameters. Note that this needs to be in the numeric form and not the username, because docker would try to find such user-defined inside the image, which would likely not be there or it would have different ID than your local user and hence wouldn't be able to write the persistent data. This can be done with the `--user` parameter.
-  3. bitwarden_rs listens on port `80` inside the container by default, this [won't work with non-root user](https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html), because regular users aren't allowed to open port below `1024`. To overcome this, you need to configure server to listen on a different port, you can use `ROCKET_PORT` to do that.
-
-Here's sample docker run, that uses user with id `1000` and with the port redirection configured, so that inside container the service is listening on port `8080` and docker translates that to external (host) port `80`:
-
-```sh
-docker run -d --name bitwarden \
-  --user 1000 \
-  -e ROCKET_PORT=8080 \
-  -v /bw-data/:/data/ \
-  -p 80:8080 \
-  mprasil/bitwarden:latest
-```
-
-## Differences from upstream API implementation
-
-### Changing user email
-
-Because we don't have any SMTP functionality at the moment, there's no way to deliver the verification token when you try to change the email. User just needs to enter any random token to continue and the change will be applied.
-
-### Creating organization
-
-We use upstream Vault interface directly without any (significant) changes, this is why user is presented with paid options when creating organization. To create an organization, just use the free option, none of the limits apply when using bitwarden_rs as back-end API and after the organization is created it should behave like Enterprise organization.
-
-### Inviting users into organization
-
-The invited users won't get the invitation email, instead all already registered users will appear in the interface as if they already accepted the invitation. Organization admin then just needs to confirm them to be proper Organization members and to give them access to the shared secrets.
-
-Invited users, that aren't registered yet will show up in the Organization admin interface as "Invited". At the same time an invitation record is created that allows the users to register even if [user registration is disabled](#disable-registration-of-new-users). (unless you [disable this functionality](#disable-invitations)) They will automatically become "Accepted" once they register. From there Organization admin can confirm them to give them access to Organization.
-
-### Running on unencrypted connection
-
-It is strongly recommended to run bitwarden_rs service over HTTPS. However the server itself while [supporting it](#enabling-https) does not strictly require such setup. This makes it a bit easier to spin up the service in cases where you can generally trust the connection (internal and secure network, access over VPN,..) or when you want to put the service behind HTTP proxy, that will do the encryption on the proxy end.
-
-Running over HTTP is still reasonably secure provided you use really strong master password and that you avoid using web Vault over connection that is vulnerable to MITM attacks where attacker could inject javascript into your interface. However some forms of 2FA might not work in this setup and [Vault doesn't work in this configuration in Chrome](https://github.com/bitwarden/web/issues/254).
+## Usage
+See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) for more information on how to configure and run the bitwarden_rs server.
 
 ## Get in touch
+To ask a question, offer suggestions or new features or to get help configuring or installing the software, please [use the forum](https://bitwardenrs.discourse.group/).
 
-To ask an question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine, also please report any bugs spotted here.
+If you spot any bugs or crashes with bitwarden_rs itself, please [create an issue](https://github.com/dani-garcia/bitwarden_rs/issues/). Make sure there aren't any similar issues open, though!
 
 If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!
+
+### Sponsors
+Thanks for your contribution to the project!
+
+- [@ChonoN](https://github.com/ChonoN)
+- [@themightychris](https://github.com/themightychris)

azure-pipelines.yml

@@ -0,0 +1,25 @@
+pool:
+  vmImage: 'Ubuntu-16.04'
+
+steps:
+- script: |
+    ls -la
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain) --profile=minimal
+    echo "##vso[task.prependpath]$HOME/.cargo/bin"
+  displayName: 'Install Rust'
+
+- script: |
+    sudo apt-get update
+    sudo apt-get install -y libmysql++-dev
+  displayName: Install libmysql
+
+- script: |
+    rustc -Vv
+    cargo -V
+  displayName: Query rust and cargo versions
+
+- script : cargo test --features "sqlite"
+  displayName: 'Test project with sqlite backend'
+
+- script : cargo test --features "mysql"
+  displayName: 'Test project with mysql backend'

build.rs

@@ -0,0 +1,76 @@
+use std::process::Command;
+use std::env;
+
+fn main() { 
+    // This allow using #[cfg(sqlite)] instead of #[cfg(feature = "sqlite")], which helps when trying to add them through macros
+    #[cfg(feature = "sqlite")]
+    println!("cargo:rustc-cfg=sqlite");
+    #[cfg(feature = "mysql")]
+    println!("cargo:rustc-cfg=mysql");
+    #[cfg(feature = "postgresql")]
+    println!("cargo:rustc-cfg=postgresql");
+
+    #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
+    compile_error!("You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite");
+    
+    if let Ok(version) = env::var("BWRS_VERSION") {
+        println!("cargo:rustc-env=BWRS_VERSION={}", version);
+        println!("cargo:rustc-env=CARGO_PKG_VERSION={}", version);
+    } else {
+        read_git_info().ok();
+    }
+}
+
+fn run(args: &[&str]) -> Result<String, std::io::Error> {
+    let out = Command::new(args[0]).args(&args[1..]).output()?;
+    if !out.status.success() {
+        use std::io::{Error, ErrorKind};
+        return Err(Error::new(ErrorKind::Other, "Command not successful"));
+    }
+    Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
+}
+
+/// This method reads info from Git, namely tags, branch, and revision
+fn read_git_info() -> Result<(), std::io::Error> {
+    // The exact tag for the current commit, can be empty when
+    // the current commit doesn't have an associated tag
+    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok();
+    if let Some(ref exact) = exact_tag {
+        println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact);
+    }
+
+    // The last available tag, equal to exact_tag when
+    // the current commit is tagged
+    let last_tag = run(&["git", "describe", "--abbrev=0", "--tags"])?;
+    println!("cargo:rustc-env=GIT_LAST_TAG={}", last_tag);
+
+    // The current branch name
+    let branch = run(&["git", "rev-parse", "--abbrev-ref", "HEAD"])?;
+    println!("cargo:rustc-env=GIT_BRANCH={}", branch);
+
+    // The current git commit hash
+    let rev = run(&["git", "rev-parse", "HEAD"])?;
+    let rev_short = rev.get(..8).unwrap_or_default();
+    println!("cargo:rustc-env=GIT_REV={}", rev_short);
+
+    // Combined version
+    let version = if let Some(exact) = exact_tag {
+        exact
+    } else if &branch != "master" {
+        format!("{}-{} ({})", last_tag, rev_short, branch)
+    } else {
+        format!("{}-{}", last_tag, rev_short)
+    };
+    
+    println!("cargo:rustc-env=BWRS_VERSION={}", version);
+    println!("cargo:rustc-env=CARGO_PKG_VERSION={}", version);
+
+    // To access these values, use:
+    //    env!("GIT_EXACT_TAG")
+    //    env!("GIT_LAST_TAG")
+    //    env!("GIT_BRANCH")
+    //    env!("GIT_REV")
+    //    env!("BWRS_VERSION")
+
+    Ok(())
+}

docker/Dockerfile.j2

@@ -0,0 +1,333 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+{% set build_stage_base_image = "rust:1.46" %}
+{% if "alpine" in target_file %}
+{%   if "amd64" in target_file %}
+{%     set build_stage_base_image = "clux/muslrust:nightly-2020-10-02" %}
+{%     set runtime_stage_base_image = "alpine:3.12" %}
+{%     set package_arch_name = "" %}
+{%   elif "arm32v7" in target_file %}
+{%     set build_stage_base_image = "messense/rust-musl-cross:armv7-musleabihf" %}
+{%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.12" %}
+{%     set package_arch_name = "" %}
+{%   endif %}
+{% elif "amd64" in target_file %}
+{%   set runtime_stage_base_image = "debian:buster-slim" %}
+{%   set package_arch_name = "" %}
+{% elif "arm64v8" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/aarch64-debian:buster" %}
+{%   set package_arch_name = "arm64" %}
+{% elif "arm32v6" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/rpi-debian:buster" %}
+{%   set package_arch_name = "armel" %}
+{% elif "arm32v7" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/armv7hf-debian:buster" %}
+{%   set package_arch_name = "armhf" %}
+{% endif %}
+{% set package_arch_prefix = ":" + package_arch_name %}
+{% if package_arch_name == "" %}
+{%   set package_arch_prefix = "" %}
+{% endif %}
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+{% set vault_image_hash = "sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303" %}
+{% raw %}
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.16.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+{% endraw %}
+FROM bitwardenrs/web-vault@{{ vault_image_hash }} as vault
+
+########################## BUILD IMAGE  ##########################
+FROM {{ build_stage_base_image }} as build
+
+{% if "alpine" in target_file %}
+# Alpine only works on SQlite
+ARG DB=sqlite
+
+{% else %}
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+{% endif %}
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+{% if "alpine" in target_file %}
+ENV USER "root"
+ENV RUSTFLAGS='-C link-arg=-s'
+
+{% elif "arm" in target_file %}
+# Install required build libs for {{ package_arch_name }} architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture {{ package_arch_name }} \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev{{ package_arch_prefix }} \
+        libc6-dev{{ package_arch_prefix }} \
+        libpq5{{ package_arch_prefix }} \
+        libpq-dev \
+        libmariadb-dev{{ package_arch_prefix }} \
+        libmariadb-dev-compat{{ package_arch_prefix }}
+
+{% endif -%}
+{% if "arm64v8" in target_file %}
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+{% elif "arm32v6" in target_file %}
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+{% elif "arm32v7" in target_file and "alpine" not in target_file %}
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+{% endif %}
+{% if "amd64" in target_file and "alpine" not in target_file %}
+# Install DB packages
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev{{ package_arch_prefix }} \
+    libpq-dev{{ package_arch_prefix }} \
+    && rm -rf /var/lib/apt/lists/*
+{% endif %}
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+{% if "alpine" not in target_file %}
+{%   if "arm" in target_file %}
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the {{ package_arch_prefix }} version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y libmariadb3:amd64 && \
+    mkdir -pv /tmp/dpkg && \
+    cd /tmp/dpkg && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i *.deb && \
+    rm -rf /tmp/dpkg
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5{{ package_arch_prefix }} package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+{%   endif -%}
+{%   if "arm64v8" in target_file %}
+RUN ln -sfnr /usr/lib/aarch64-linux-gnu/libpq.so.5 /usr/lib/aarch64-linux-gnu/libpq.so
+
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+RUN rustup target add aarch64-unknown-linux-gnu
+{%   elif "arm32v6" in target_file %}
+RUN ln -sfnr /usr/lib/arm-linux-gnueabi/libpq.so.5 /usr/lib/arm-linux-gnueabi/libpq.so
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+RUN rustup target add arm-unknown-linux-gnueabi
+{%   elif "arm32v7" in target_file %}
+RUN ln -sfnr /usr/lib/arm-linux-gnueabihf/libpq.so.5 /usr/lib/arm-linux-gnueabihf/libpq.so
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+RUN rustup target add armv7-unknown-linux-gnueabihf
+{%   endif -%}
+{% else -%}
+{%   if "amd64" in target_file %}
+RUN rustup target add x86_64-unknown-linux-musl
+{%   elif "arm32v7" in target_file %}
+RUN rustup target add armv7-unknown-linux-musleabihf
+{%   endif %}
+{% endif %}
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+{% if "alpine" in target_file %}
+{%   if "amd64" in target_file %}
+RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+{%   elif "arm32v7" in target_file %}
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+{%   endif %}
+{% elif "alpine" not in target_file %}
+{%   if "amd64" in target_file %}
+RUN cargo build --features ${DB} --release
+{%   elif "arm64v8" in target_file %}
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+{%   elif "arm32v6" in target_file %}
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+{%   elif "arm32v7" in target_file %}
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+{%   endif %}
+{% endif %}
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+{% if "alpine" in target_file %}
+{%   if "amd64" in target_file %}
+RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+{%   elif "arm32v7" in target_file %}
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+RUN musl-strip target/armv7-unknown-linux-musleabihf/release/bitwarden_rs
+{%   endif %}
+{% elif "alpine" not in target_file %}
+{%   if "amd64" in target_file %}
+RUN cargo build --features ${DB} --release
+{%   elif "arm64v8" in target_file %}
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+{%   elif "arm32v6" in target_file %}
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+{%   elif "arm32v7" in target_file %}
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+{%   endif %}
+{% endif %}
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM {{ runtime_stage_base_image }}
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+{% if "alpine" in runtime_stage_base_image %}
+ENV SSL_CERT_DIR=/etc/ssl/certs
+{% endif %}
+
+{% if "amd64" not in target_file %}
+RUN [ "cross-build-start" ]
+
+{% endif %}
+# Install needed libraries
+{% if "alpine" in runtime_stage_base_image %}
+RUN apk add --no-cache \
+        openssl \
+        curl \
+{%   if "sqlite" in target_file %}
+        sqlite \
+{%   elif "mysql" in target_file %}
+        mariadb-connector-c \
+{%   elif "postgresql" in target_file %}
+        postgresql-libs \
+{%   endif %}
+        ca-certificates
+{% else %}
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+{% endif %}
+{% if "alpine" in target_file and "arm32v7" in target_file %}
+RUN apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community catatonit
+{% endif %}
+
+RUN mkdir /data
+{% if "amd64" not in target_file %}
+
+RUN [ "cross-build-end" ]
+
+{% endif %}
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+{% if "alpine" in target_file %}
+{%   if "amd64" in target_file %}
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+{%   elif "arm32v7" in target_file %}
+COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/bitwarden_rs .
+{%   endif %}
+{% elif "alpine" not in target_file %}
+{%   if "arm64v8" in target_file %}
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+{%   elif "arm32v6" in target_file %}
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+{%   elif "arm32v7" in target_file %}
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+{%   else %}
+COPY --from=build app/target/release/bitwarden_rs .
+{%   endif %}
+{% endif %}
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+{% if "alpine" in target_file and "arm32v7" in target_file %}
+CMD ["catatonit", "/start.sh"]
+{% else %}
+CMD ["/start.sh"]
+{% endif %}

docker/Makefile

@@ -0,0 +1,9 @@
+OBJECTS := $(shell find -mindepth 2 -name 'Dockerfile*')
+
+all: $(OBJECTS)
+
+%/Dockerfile: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
+
+%/Dockerfile.alpine: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"

docker/README.md

@@ -0,0 +1,3 @@
+The arch-specific directory names follow the arch identifiers used by the Docker official images:
+
+https://github.com/docker-library/official-images/blob/master/README.md#architectures-other-than-amd64

docker/amd64/Dockerfile

@@ -0,0 +1,105 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.16.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.46 as build
+
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install DB packages
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:buster-slim
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build app/target/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+

docker/amd64/Dockerfile.alpine

@@ -0,0 +1,99 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.16.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM clux/muslrust:nightly-2020-10-02 as build
+
+# Alpine only works on SQlite
+ARG DB=sqlite
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+ENV USER "root"
+ENV RUSTFLAGS='-C link-arg=-s'
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.12
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        curl \
+        ca-certificates
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+

docker/arm32v6/Dockerfile

@@ -0,0 +1,153 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.16.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.46 as build
+
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armel architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel \
+        libpq5:armel \
+        libpq-dev \
+        libmariadb-dev:armel \
+        libmariadb-dev-compat:armel
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armel version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y libmariadb3:amd64 && \
+    mkdir -pv /tmp/dpkg && \
+    cd /tmp/dpkg && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i *.deb && \
+    rm -rf /tmp/dpkg
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5:armel package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/arm-linux-gnueabi/libpq.so.5 /usr/lib/arm-linux-gnueabi/libpq.so
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+RUN rustup target add arm-unknown-linux-gnueabi
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+

docker/arm32v7/Dockerfile

@@ -0,0 +1,153 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.16.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.46 as build
+
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armhf architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf \
+        libpq5:armhf \
+        libpq-dev \
+        libmariadb-dev:armhf \
+        libmariadb-dev-compat:armhf
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armhf version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y libmariadb3:amd64 && \
+    mkdir -pv /tmp/dpkg && \
+    cd /tmp/dpkg && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i *.deb && \
+    rm -rf /tmp/dpkg
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5:armhf package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/arm-linux-gnueabihf/libpq.so.5 /usr/lib/arm-linux-gnueabihf/libpq.so
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+RUN rustup target add armv7-unknown-linux-gnueabihf
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+

docker/arm32v7/Dockerfile.alpine

@@ -0,0 +1,106 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.16.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM messense/rust-musl-cross:armv7-musleabihf as build
+
+# Alpine only works on SQlite
+ARG DB=sqlite
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+ENV USER "root"
+ENV RUSTFLAGS='-C link-arg=-s'
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add armv7-unknown-linux-musleabihf
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+RUN musl-strip target/armv7-unknown-linux-musleabihf/release/bitwarden_rs
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-alpine:3.12
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        curl \
+        ca-certificates
+RUN apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community catatonit
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["catatonit", "/start.sh"]
+

docker/arm64v8/Dockerfile

@@ -0,0 +1,153 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.16.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303
+FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.46 as build
+
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for arm64 architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64 \
+        libpq5:arm64 \
+        libpq-dev \
+        libmariadb-dev:arm64 \
+        libmariadb-dev-compat:arm64
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :arm64 version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y libmariadb3:amd64 && \
+    mkdir -pv /tmp/dpkg && \
+    cd /tmp/dpkg && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i *.deb && \
+    rm -rf /tmp/dpkg
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5:arm64 package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/aarch64-linux-gnu/libpq.so.5 /usr/lib/aarch64-linux-gnu/libpq.so
+
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+RUN rustup target add aarch64-unknown-linux-gnu
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+

docker/healthcheck.sh

@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Use the value of the corresponding env var (if present),
+# or a default value otherwise.
+: ${DATA_FOLDER:="data"}
+: ${ROCKET_PORT:="80"}
+
+CONFIG_FILE="${DATA_FOLDER}"/config.json
+
+# Given a config key, return the corresponding config value from the
+# config file. If the key doesn't exist, return an empty string.
+get_config_val() {
+    local key="$1"
+    # Extract a line of the form:
+    #   "domain": "https://bw.example.com/path",
+    grep "\"${key}\":" "${CONFIG_FILE}" |
+    # To extract just the value (https://bw.example.com/path), delete:
+    # (1) everything up to and including the first ':',
+    # (2) whitespace and '"' from the front,
+    # (3) ',' and '"' from the back.
+    sed -e 's/[^:]\+://' -e 's/^[ "]\+//' -e 's/[,"]\+$//'
+}
+
+# Extract the base path from a domain URL. For example:
+# - `` -> ``
+# - `https://bw.example.com` -> ``
+# - `https://bw.example.com/` -> ``
+# - `https://bw.example.com/path` -> `/path`
+# - `https://bw.example.com/multi/path` -> `/multi/path`
+get_base_path() {
+    echo "$1" |
+    # Delete:
+    # (1) everything up to and including '://',
+    # (2) everything up to '/',
+    # (3) trailing '/' from the back.
+    sed -e 's|.*://||' -e 's|[^/]\+||' -e 's|/*$||'
+}
+
+# Read domain URL from config.json, if present.
+if [ -r "${CONFIG_FILE}" ]; then
+    domain="$(get_config_val 'domain')"
+    if [ -n "${domain}" ]; then
+        # config.json 'domain' overrides the DOMAIN env var.
+        DOMAIN="${domain}"
+    fi
+fi
+
+base_path="$(get_base_path "${DOMAIN}")"
+if [ -n "${ROCKET_TLS}" ]; then
+    s='s'
+fi
+curl --insecure --fail --silent --show-error \
+     "http${s}://localhost:${ROCKET_PORT}${base_path}/alive" || exit 1

docker/render_template

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+
+import os, argparse, json
+
+import jinja2
+
+args_parser = argparse.ArgumentParser()
+args_parser.add_argument('template_file', help='Jinja2 template file to render.')
+args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.')
+cli_args = args_parser.parse_args()
+
+render_vars = json.loads(cli_args.render_vars)
+environment = jinja2.Environment(
+	loader=jinja2.FileSystemLoader(os.getcwd()),
+	trim_blocks=True,
+)
+print(environment.get_template(cli_args.template_file).render(render_vars))

docker/set-vault-baseurl.patch

@@ -1,27 +0,0 @@
---- a/src/app/services/services.module.ts
-+++ b/src/app/services/services.module.ts
-@@ -120,20 +120,16 @@ const notificationsService = new NotificationsService(userService, syncService,
- const environmentService = new EnvironmentService(apiService, storageService, notificationsService);
- const auditService = new AuditService(cryptoFunctionService, apiService);
- 
--const analytics = new Analytics(window, () => platformUtilsService.isDev() || platformUtilsService.isSelfHost(),
-+const analytics = new Analytics(window, () => platformUtilsService.isDev() || platformUtilsService.isSelfHost() || true,
-     platformUtilsService, storageService, appIdService);
- containerService.attachToWindow(window);
- 
- export function initFactory(): Function {
-     return async () => {
-         await (storageService as HtmlStorageService).init();
--        const isDev = platformUtilsService.isDev();
--        if (!isDev && platformUtilsService.isSelfHost()) {
--            environmentService.baseUrl = window.location.origin;
--        } else {
--            environmentService.notificationsUrl = isDev ? 'http://localhost:61840' :
--                'https://notifications.bitwarden.com'; // window.location.origin + '/notifications';
--        }
-+        const isDev = false;
-+        environmentService.baseUrl = window.location.origin;
-+        environmentService.notificationsUrl = window.location.origin + '/notifications';
-         apiService.setUrls({
-             base: isDev ? null : window.location.origin,
-             api: isDev ? 'http://localhost:4000' : null,

docker/start.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ -r /etc/bitwarden_rs.sh ]; then
+    . /etc/bitwarden_rs.sh
+fi
+
+if [ -d /etc/bitwarden_rs.d ]; then
+    for f in /etc/bitwarden_rs.d/*.sh; do
+        if [ -r $f ]; then
+            . $f
+        fi
+    done
+fi
+
+exec /bitwarden_rs "${@}"

hooks/README.md

@@ -0,0 +1,20 @@
+The hooks in this directory are used to create multi-arch images using Docker Hub automated builds.
+
+Docker Hub hooks provide these predefined [environment variables](https://docs.docker.com/docker-hub/builds/advanced/#environment-variables-for-building-and-testing):
+
+* `SOURCE_BRANCH`: the name of the branch or the tag that is currently being tested.
+* `SOURCE_COMMIT`: the SHA1 hash of the commit being tested.
+* `COMMIT_MSG`: the message from the commit being tested and built.
+* `DOCKER_REPO`: the name of the Docker repository being built.
+* `DOCKERFILE_PATH`: the dockerfile currently being built.
+* `DOCKER_TAG`: the Docker repository tag being built.
+* `IMAGE_NAME`: the name and tag of the Docker repository being built. (This variable is a combination of `DOCKER_REPO:DOCKER_TAG`.)
+
+The current multi-arch image build relies on the original bitwarden_rs Dockerfiles, which use cross-compilation for architectures other than `amd64`, and don't yet support all arch/database/OS combinations. However, cross-compilation is much faster than QEMU-based builds (e.g., using `docker buildx`). This situation may need to be revisited at some point.
+
+## References
+
+* https://docs.docker.com/docker-hub/builds/advanced/
+* https://docs.docker.com/engine/reference/commandline/manifest/
+* https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/
+* https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api

hooks/arches.sh

@@ -0,0 +1,19 @@
+# The default Debian-based images support these arches for all database connections
+#
+# Other images (Alpine-based) currently
+# support only a subset of these.
+arches=(
+    amd64
+    arm32v6
+    arm32v7
+    arm64v8
+)
+
+if [[ "${DOCKER_TAG}" == *alpine ]]; then
+    # The Alpine build currently only works for amd64.
+    os_suffix=.alpine
+    arches=(
+        amd64
+        arm32v7
+    )
+fi

hooks/build

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo ">>> Building images..."
+
+source ./hooks/arches.sh
+
+set -ex
+
+for arch in "${arches[@]}"; do
+    docker build \
+           -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \
+           -f docker/${arch}/Dockerfile${os_suffix} \
+           .
+done

hooks/push

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+echo ">>> Pushing images..."
+
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+declare -A annotations=(
+    [amd64]="--os linux --arch amd64"
+    [arm32v6]="--os linux --arch arm --variant v6"
+    [arm32v7]="--os linux --arch arm --variant v7"
+    [arm64v8]="--os linux --arch arm64 --variant v8"
+)
+
+source ./hooks/arches.sh
+
+set -ex
+
+declare -A images
+for arch in ${arches[@]}; do
+    images[$arch]="${DOCKER_REPO}:${DOCKER_TAG}-${arch}"
+done
+
+# Push the images that were just built; manifest list creation fails if the
+# images (manifests) referenced don't already exist in the Docker registry.
+for image in "${images[@]}"; do
+    docker push "${image}"
+done
+
+manifest_lists=("${DOCKER_REPO}:${DOCKER_TAG}")
+
+# If the Docker tag starts with a version number, assume the latest release is
+# being pushed. Add an extra manifest (`latest` or `alpine`, as appropriate)
+# to make it easier for users to track the latest release.
+if [[ "${DOCKER_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then
+    if [[ "${DOCKER_TAG}" == *alpine ]]; then
+        manifest_lists+=(${DOCKER_REPO}:alpine)
+    else
+        manifest_lists+=(${DOCKER_REPO}:latest)
+
+        # Add an extra `latest-arm32v6` tag; Docker can't seem to properly
+        # auto-select that image on Armv6 platforms like Raspberry Pi 1 and Zero
+        # (https://github.com/moby/moby/issues/41017).
+        #
+        # Add this tag only for the SQLite image, as the MySQL and PostgreSQL
+        # builds don't currently work on non-amd64 arches.
+        #
+        # TODO: Also add an `alpine-arm32v6` tag if multi-arch support for
+        # Alpine-based bitwarden_rs images is implemented before this Docker
+        # issue is fixed.
+        if [[ ${DOCKER_REPO} == *server ]]; then
+            docker tag "${DOCKER_REPO}:${DOCKER_TAG}-arm32v6" "${DOCKER_REPO}:latest-arm32v6"
+            docker push "${DOCKER_REPO}:latest-arm32v6"
+        fi
+    fi
+fi
+
+for manifest_list in "${manifest_lists[@]}"; do
+    # Create the (multi-arch) manifest list of arch-specific images.
+    docker manifest create ${manifest_list} ${images[@]}
+
+    # Make sure each image manifest is annotated with the correct arch info.
+    # Docker does not auto-detect the arch of each cross-compiled image, so
+    # everything would appear as `linux/amd64` otherwise.
+    for arch in "${arches[@]}"; do
+        docker manifest annotate ${annotations[$arch]} ${manifest_list} ${images[$arch]}
+    done
+
+    # Push the manifest list.
+    docker manifest push --purge ${manifest_list}
+done
+
+# Avoid logging credentials and tokens.
+set +ex
+
+# Delete the arch-specific tags, if credentials for doing so are available.
+# Note that `DOCKER_PASSWORD` must be the actual user password. Passing a JWT
+# obtained using a personal access token results in a 403 error with
+# {"detail": "access to the resource is forbidden with personal access token"}
+if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then
+    exit 0
+fi
+
+# Given a JSON input on stdin, extract the string value associated with the
+# specified key. This avoids an extra dependency on a tool like `jq`.
+extract() {
+    local key="$1"
+    # Extract "<key>":"<val>" (assumes key/val won't contain double quotes).
+    # The colon may have whitespace on either side.
+    grep -o "\"${key}\"[[:space:]]*:[[:space:]]*\"[^\"]\+\"" |
+    # Extract just <val> by deleting the last '"', and then greedily deleting
+    # everything up to '"'.
+    sed -e 's/"$//' -e 's/.*"//'
+}
+
+echo ">>> Getting API token..."
+jwt=$(curl -sS -X POST \
+           -H "Content-Type: application/json" \
+           -d "{\"username\":\"${DOCKER_USERNAME}\",\"password\": \"${DOCKER_PASSWORD}\"}" \
+           "https://hub.docker.com/v2/users/login" |
+      extract 'token')
+
+# Strip the registry portion from `index.docker.io/user/repo`.
+repo="${DOCKER_REPO#*/}"
+
+for arch in ${arches[@]}; do
+    # Don't delete the `arm32v6` tag; Docker can't seem to properly
+    # auto-select that image on Armv6 platforms like Raspberry Pi 1 and Zero
+    # (https://github.com/moby/moby/issues/41017).
+    if [[ ${arch} == 'arm32v6' ]]; then
+        continue
+    fi
+    tag="${DOCKER_TAG}-${arch}"
+    echo ">>> Deleting '${repo}:${tag}'..."
+    curl -sS -X DELETE \
+         -H "Authorization: Bearer ${jwt}" \
+         "https://hub.docker.com/v2/repositories/${repo}/tags/${tag}/"
+done

libs/jsonwebtoken/Cargo.toml

@@ -1,20 +0,0 @@
-[package]
-name = "jsonwebtoken"
-version = "4.0.1"
-authors = ["Vincent Prouillet <prouillet.vincent@gmail.com>"]
-license = "MIT"
-readme = "README.md"
-description = "Create and parse JWT in a strongly typed way."
-homepage = "https://github.com/Keats/rust-jwt"
-repository = "https://github.com/Keats/rust-jwt"
-keywords = ["jwt", "web", "api", "token", "json"]
-
-[dependencies]
-error-chain = { version = "0.11", default-features = false }
-serde_json = "1.0"
-serde_derive = "1.0"
-serde = "1.0"
-ring = { version = "0.11.0", features = ["rsa_signing", "dev_urandom_fallback"] }
-base64 = "0.9"
-untrusted = "0.5"
-chrono = "0.4"

libs/jsonwebtoken/LICENSE

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2015 Vincent Prouillet
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

libs/jsonwebtoken/src/crypto.rs

@@ -1,120 +0,0 @@
-use std::sync::Arc;
-
-use base64;
-use ring::{rand, digest, hmac, signature};
-use ring::constant_time::verify_slices_are_equal;
-use untrusted;
-
-use errors::{Result, ErrorKind};
-
-
-/// The algorithms supported for signing/verifying
-#[derive(Debug, PartialEq, Copy, Clone, Serialize, Deserialize)]
-pub enum Algorithm {
-    /// HMAC using SHA-256
-    HS256,
-    /// HMAC using SHA-384
-    HS384,
-    /// HMAC using SHA-512
-    HS512,
-
-    /// RSASSA-PKCS1-v1_5 using SHA-256
-    RS256,
-    /// RSASSA-PKCS1-v1_5 using SHA-384
-    RS384,
-    /// RSASSA-PKCS1-v1_5 using SHA-512
-    RS512,
-}
-
-/// The actual HS signing + encoding
-fn sign_hmac(alg: &'static digest::Algorithm, key: &[u8], signing_input: &str) -> Result<String> {
-    let signing_key = hmac::SigningKey::new(alg, key);
-    let digest = hmac::sign(&signing_key, signing_input.as_bytes());
-
-    Ok(
-        base64::encode_config::<hmac::Signature>(&digest, base64::URL_SAFE_NO_PAD)
-    )
-}
-
-/// The actual RSA signing + encoding
-/// Taken from Ring doc https://briansmith.org/rustdoc/ring/signature/index.html
-fn sign_rsa(alg: Algorithm, key: &[u8], signing_input: &str) -> Result<String> {
-    let ring_alg = match alg {
-        Algorithm::RS256 => &signature::RSA_PKCS1_SHA256,
-        Algorithm::RS384 => &signature::RSA_PKCS1_SHA384,
-        Algorithm::RS512 => &signature::RSA_PKCS1_SHA512,
-        _ => unreachable!(),
-    };
-
-    let key_pair = Arc::new(
-        signature::RSAKeyPair::from_der(untrusted::Input::from(key))
-            .map_err(|_| ErrorKind::InvalidKey)?
-    );
-    let mut signing_state = signature::RSASigningState::new(key_pair)
-        .map_err(|_| ErrorKind::InvalidKey)?;
-    let mut signature = vec![0; signing_state.key_pair().public_modulus_len()];
-    let rng = rand::SystemRandom::new();
-    signing_state.sign(ring_alg, &rng, signing_input.as_bytes(), &mut signature)
-        .map_err(|_| ErrorKind::InvalidKey)?;
-
-    Ok(
-        base64::encode_config::<[u8]>(&signature, base64::URL_SAFE_NO_PAD)
-    )
-}
-
-/// Take the payload of a JWT, sign it using the algorithm given and return
-/// the base64 url safe encoded of the result.
-///
-/// Only use this function if you want to do something other than JWT.
-pub fn sign(signing_input: &str, key: &[u8], algorithm: Algorithm) -> Result<String> {
-    match algorithm {
-        Algorithm::HS256 => sign_hmac(&digest::SHA256, key, signing_input),
-        Algorithm::HS384 => sign_hmac(&digest::SHA384, key, signing_input),
-        Algorithm::HS512 => sign_hmac(&digest::SHA512, key, signing_input),
-
-        Algorithm::RS256 | Algorithm::RS384 | Algorithm::RS512 => sign_rsa(algorithm, key, signing_input),
-//        TODO: if PKCS1 is made prublic, remove the line above and uncomment below
-//        Algorithm::RS256 => sign_rsa(&signature::RSA_PKCS1_SHA256, key, signing_input),
-//        Algorithm::RS384 => sign_rsa(&signature::RSA_PKCS1_SHA384, key, signing_input),
-//        Algorithm::RS512 => sign_rsa(&signature::RSA_PKCS1_SHA512, key, signing_input),
-    }
-}
-
-/// See Ring RSA docs for more details
-fn verify_rsa(alg: &signature::RSAParameters, signature: &str, signing_input: &str, key: &[u8]) -> Result<bool> {
-    let signature_bytes = base64::decode_config(signature, base64::URL_SAFE_NO_PAD)?;
-    let public_key_der = untrusted::Input::from(key);
-    let message = untrusted::Input::from(signing_input.as_bytes());
-    let expected_signature = untrusted::Input::from(signature_bytes.as_slice());
-
-    let res = signature::verify(alg, public_key_der, message, expected_signature);
-
-    Ok(res.is_ok())
-}
-
-/// Compares the signature given with a re-computed signature for HMAC or using the public key
-/// for RSA.
-///
-/// Only use this function if you want to do something other than JWT.
-///
-/// `signature` is the signature part of a jwt (text after the second '.')
-///
-/// `signing_input` is base64(header) + "." + base64(claims)
-pub fn verify(signature: &str, signing_input: &str, key: &[u8], algorithm: Algorithm) -> Result<bool> {
-    match algorithm {
-        Algorithm::HS256 | Algorithm::HS384 | Algorithm::HS512 => {
-            // we just re-sign the data with the key and compare if they are equal
-            let signed = sign(signing_input, key, algorithm)?;
-            Ok(verify_slices_are_equal(signature.as_ref(), signed.as_ref()).is_ok())
-        },
-        Algorithm::RS256 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA256, signature, signing_input, key),
-        Algorithm::RS384 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA384, signature, signing_input, key),
-        Algorithm::RS512 => verify_rsa(&signature::RSA_PKCS1_2048_8192_SHA512, signature, signing_input, key),
-    }
-}
-
-impl Default for Algorithm {
-    fn default() -> Self {
-        Algorithm::HS256
-    }
-}

libs/jsonwebtoken/src/errors.rs

@@ -1,68 +0,0 @@
-use base64;
-use serde_json;
-use ring;
-
-error_chain! {
-    errors {
-        /// When a token doesn't have a valid JWT shape
-        InvalidToken {
-            description("invalid token")
-            display("Invalid token")
-        }
-        /// When the signature doesn't match
-        InvalidSignature {
-            description("invalid signature")
-            display("Invalid signature")
-        }
-        /// When the secret given is not a valid RSA key
-        InvalidKey {
-            description("invalid key")
-            display("Invalid Key")
-        }
-
-        // Validation error
-
-        /// When a token’s `exp` claim indicates that it has expired
-        ExpiredSignature {
-            description("expired signature")
-            display("Expired Signature")
-        }
-        /// When a token’s `iss` claim does not match the expected issuer
-        InvalidIssuer {
-            description("invalid issuer")
-            display("Invalid Issuer")
-        }
-        /// When a token’s `aud` claim does not match one of the expected audience values
-        InvalidAudience {
-            description("invalid audience")
-            display("Invalid Audience")
-        }
-        /// When a token’s `aud` claim does not match one of the expected audience values
-        InvalidSubject {
-            description("invalid subject")
-            display("Invalid Subject")
-        }
-        /// When a token’s `iat` claim is in the future
-        InvalidIssuedAt {
-            description("invalid issued at")
-            display("Invalid Issued At")
-        }
-        /// When a token’s nbf claim represents a time in the future
-        ImmatureSignature {
-            description("immature signature")
-            display("Immature Signature")
-        }
-        /// When the algorithm in the header doesn't match the one passed to `decode`
-        InvalidAlgorithm {
-            description("Invalid algorithm")
-            display("Invalid Algorithm")
-        }
-    }
-
-    foreign_links {
-        Unspecified(ring::error::Unspecified) #[doc = "An error happened while signing/verifying a token with RSA"];
-        Base64(base64::DecodeError) #[doc = "An error happened while decoding some base64 text"];
-        Json(serde_json::Error) #[doc = "An error happened while serializing/deserializing JSON"];
-        Utf8(::std::string::FromUtf8Error) #[doc = "An error happened while trying to convert the result of base64 decoding to a String"];
-    }
-}

libs/jsonwebtoken/src/header.rs

@@ -1,64 +0,0 @@
-use crypto::Algorithm;
-
-
-/// A basic JWT header, the alg defaults to HS256 and typ is automatically
-/// set to `JWT`. All the other fields are optional.
-#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
-pub struct Header {
-    /// The type of JWS: it can only be "JWT" here
-    ///
-    /// Defined in [RFC7515#4.1.9](https://tools.ietf.org/html/rfc7515#section-4.1.9).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub typ: Option<String>,
-    /// The algorithm used
-    ///
-    /// Defined in [RFC7515#4.1.1](https://tools.ietf.org/html/rfc7515#section-4.1.1).
-    pub alg: Algorithm,
-    /// Content type
-    ///
-    /// Defined in [RFC7519#5.2](https://tools.ietf.org/html/rfc7519#section-5.2).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub cty: Option<String>,
-    /// JSON Key URL
-    ///
-    /// Defined in [RFC7515#4.1.2](https://tools.ietf.org/html/rfc7515#section-4.1.2).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub jku: Option<String>,
-    /// Key ID
-    ///
-    /// Defined in [RFC7515#4.1.4](https://tools.ietf.org/html/rfc7515#section-4.1.4).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub kid: Option<String>,
-    /// X.509 URL
-    ///
-    /// Defined in [RFC7515#4.1.5](https://tools.ietf.org/html/rfc7515#section-4.1.5).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub x5u: Option<String>,
-    /// X.509 certificate thumbprint
-    ///
-    /// Defined in [RFC7515#4.1.7](https://tools.ietf.org/html/rfc7515#section-4.1.7).
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub x5t: Option<String>,
-}
-
-impl Header {
-    /// Returns a JWT header with the algorithm given
-    pub fn new(algorithm: Algorithm) -> Header {
-        Header {
-            typ: Some("JWT".to_string()),
-            alg: algorithm,
-            cty: None,
-            jku: None,
-            kid: None,
-            x5u: None,
-            x5t: None,
-        }
-    }
-}
-
-impl Default for Header {
-    /// Returns a JWT header using the default Algorithm, HS256
-    fn default() -> Self {
-        Header::new(Algorithm::default())
-    }
-}

libs/jsonwebtoken/src/lib.rs

@@ -1,142 +0,0 @@
-//! Create and parses JWT (JSON Web Tokens)
-//!
-//! Documentation:  [stable](https://docs.rs/jsonwebtoken/)
-#![recursion_limit = "300"]
-#![deny(missing_docs)]
-#![allow(unused_doc_comments)]
-#![allow(renamed_and_removed_lints)]
-
-#[macro_use]
-extern crate error_chain;
-#[macro_use]
-extern crate serde_derive;
-extern crate serde_json;
-extern crate serde;
-extern crate base64;
-extern crate ring;
-extern crate untrusted;
-extern crate chrono;
-
-/// All the errors, generated using error-chain
-pub mod errors;
-mod header;
-mod crypto;
-mod serialization;
-mod validation;
-
-pub use header::Header;
-pub use crypto::{
-    Algorithm,
-    sign,
-    verify,
-};
-pub use validation::Validation;
-pub use serialization::TokenData;
-
-
-use serde::de::DeserializeOwned;
-use serde::ser::Serialize;
-
-use errors::{Result, ErrorKind};
-use serialization::{from_jwt_part, from_jwt_part_claims, to_jwt_part};
-use validation::{validate};
-
-
-/// Encode the header and claims given and sign the payload using the algorithm from the header and the key
-///
-/// ```rust,ignore
-/// #[macro_use]
-/// extern crate serde_derive;
-/// use jsonwebtoken::{encode, Algorithm, Header};
-///
-/// /// #[derive(Debug, Serialize, Deserialize)]
-/// struct Claims {
-///    sub: String,
-///    company: String
-/// }
-///
-/// let my_claims = Claims {
-///     sub: "b@b.com".to_owned(),
-///     company: "ACME".to_owned()
-/// };
-///
-/// // my_claims is a struct that implements Serialize
-/// // This will create a JWT using HS256 as algorithm
-/// let token = encode(&Header::default(), &my_claims, "secret".as_ref()).unwrap();
-/// ```
-pub fn encode<T: Serialize>(header: &Header, claims: &T, key: &[u8]) -> Result<String> {
-    let encoded_header = to_jwt_part(&header)?;
-    let encoded_claims = to_jwt_part(&claims)?;
-    let signing_input = [encoded_header.as_ref(), encoded_claims.as_ref()].join(".");
-    let signature = sign(&*signing_input, key.as_ref(), header.alg)?;
-
-    Ok([signing_input, signature].join("."))
-}
-
-/// Used in decode: takes the result of a rsplit and ensure we only get 2 parts
-/// Errors if we don't
-macro_rules! expect_two {
-    ($iter:expr) => {{
-        let mut i = $iter;
-        match (i.next(), i.next(), i.next()) {
-            (Some(first), Some(second), None) => (first, second),
-            _ => return Err(ErrorKind::InvalidToken.into())
-        }
-    }}
-}
-
-/// Decode a token into a struct containing 2 fields: `claims` and `header`.
-///
-/// If the token or its signature is invalid or the claims fail validation, it will return an error.
-///
-/// ```rust,ignore
-/// #[macro_use]
-/// extern crate serde_derive;
-/// use jsonwebtoken::{decode, Validation, Algorithm};
-///
-/// #[derive(Debug, Serialize, Deserialize)]
-/// struct Claims {
-///    sub: String,
-///    company: String
-/// }
-///
-/// let token = "a.jwt.token".to_string();
-/// // Claims is a struct that implements Deserialize
-/// let token_data = decode::<Claims>(&token, "secret", &Validation::new(Algorithm::HS256));
-/// ```
-pub fn decode<T: DeserializeOwned>(token: &str, key: &[u8], validation: &Validation) -> Result<TokenData<T>> {
-    let (signature, signing_input) = expect_two!(token.rsplitn(2, '.'));
-    let (claims, header) = expect_two!(signing_input.rsplitn(2, '.'));
-    let header: Header = from_jwt_part(header)?;
-
-    if !verify(signature, signing_input, key, header.alg)? {
-        return Err(ErrorKind::InvalidSignature.into());
-    }
-
-    if !validation.algorithms.contains(&header.alg) {
-        return Err(ErrorKind::InvalidAlgorithm.into());
-    }
-
-    let (decoded_claims, claims_map): (T, _)  = from_jwt_part_claims(claims)?;
-
-    validate(&claims_map, validation)?;
-
-    Ok(TokenData { header: header, claims: decoded_claims })
-}
-
-/// Decode a token and return the Header. This is not doing any kind of validation: it is meant to be
-/// used when you don't know which `alg` the token is using and want to find out.
-///
-/// If the token has an invalid format, it will return an error.
-///
-/// ```rust,ignore
-/// use jsonwebtoken::decode_header;
-///
-/// let token = "a.jwt.token".to_string();
-/// let header = decode_header(&token);
-/// ```
-pub fn decode_header(token: &str) -> Result<Header> {
-    let (_, signing_input) = expect_two!(token.rsplitn(2, '.'));
-    let (_, header) = expect_two!(signing_input.rsplitn(2, '.'));
-    from_jwt_part(header)
-}

libs/jsonwebtoken/src/serialization.rs

@@ -1,42 +0,0 @@
-use base64;
-use serde::de::DeserializeOwned;
-use serde::ser::Serialize;
-use serde_json::{from_str, to_string, Value};
-use serde_json::map::Map;
-
-use errors::{Result};
-use header::Header;
-
-
-/// The return type of a successful call to decode
-#[derive(Debug)]
-pub struct TokenData<T> {
-    /// The decoded JWT header
-    pub header: Header,
-    /// The decoded JWT claims
-    pub claims: T
-}
-
-/// Serializes to JSON and encodes to base64
-pub fn to_jwt_part<T: Serialize>(input: &T) -> Result<String> {
-    let encoded = to_string(input)?;
-    Ok(base64::encode_config(encoded.as_bytes(), base64::URL_SAFE_NO_PAD))
-}
-
-/// Decodes from base64 and deserializes from JSON to a struct
-pub fn from_jwt_part<B: AsRef<str>, T: DeserializeOwned>(encoded: B) -> Result<T> {
-    let decoded = base64::decode_config(encoded.as_ref(), base64::URL_SAFE_NO_PAD)?;
-    let s = String::from_utf8(decoded)?;
-
-    Ok(from_str(&s)?)
-}
-
-/// Decodes from base64 and deserializes from JSON to a struct AND a hashmap
-pub fn from_jwt_part_claims<B: AsRef<str>, T: DeserializeOwned>(encoded: B) -> Result<(T, Map<String, Value>)> {
-    let decoded = base64::decode_config(encoded.as_ref(), base64::URL_SAFE_NO_PAD)?;
-    let s = String::from_utf8(decoded)?;
-
-    let claims: T = from_str(&s)?;
-    let map: Map<_,_> = from_str(&s)?;
-    Ok((claims, map))
-}

libs/jsonwebtoken/src/validation.rs

@@ -1,377 +0,0 @@
-use chrono::Utc;
-use serde::ser::Serialize;
-use serde_json::{Value, from_value, to_value};
-use serde_json::map::Map;
-
-use errors::{Result, ErrorKind};
-use crypto::Algorithm;
-
-
-/// Contains the various validations that are applied after decoding a token.
-///
-/// All time validation happen on UTC timestamps.
-///
-/// ```rust
-/// use jsonwebtoken::Validation;
-///
-/// // Default value
-/// let validation = Validation::default();
-///
-/// // Changing one parameter
-/// let mut validation = Validation {leeway: 60, ..Default::default()};
-///
-/// // Setting audience
-/// let mut validation = Validation::default();
-/// validation.set_audience(&"Me"); // string
-/// validation.set_audience(&["Me", "You"]); // array of strings
-/// ```
-#[derive(Debug, Clone, PartialEq)]
-pub struct Validation {
-    /// Add some leeway (in seconds) to the `exp`, `iat` and `nbf` validation to
-    /// account for clock skew.
-    ///
-    /// Defaults to `0`.
-    pub leeway: i64,
-    /// Whether to validate the `exp` field.
-    ///
-    /// It will return an error if the time in the `exp` field is past.
-    ///
-    /// Defaults to `true`.
-    pub validate_exp: bool,
-    /// Whether to validate the `iat` field.
-    ///
-    /// It will return an error if the time in the `iat` field is in the future.
-    ///
-    /// Defaults to `true`.
-    pub validate_iat: bool,
-    /// Whether to validate the `nbf` field.
-    ///
-    /// It will return an error if the current timestamp is before the time in the `nbf` field.
-    ///
-    /// Defaults to `true`.
-    pub validate_nbf: bool,
-    /// If it contains a value, the validation will check that the `aud` field is the same as the
-    /// one provided and will error otherwise.
-    /// Since `aud` can be either a String or a Vec<String> in the JWT spec, you will need to use
-    /// the [set_audience](struct.Validation.html#method.set_audience) method to set it.
-    ///
-    /// Defaults to `None`.
-    pub aud: Option<Value>,
-    /// If it contains a value, the validation will check that the `iss` field is the same as the
-    /// one provided and will error otherwise.
-    ///
-    /// Defaults to `None`.
-    pub iss: Option<String>,
-    /// If it contains a value, the validation will check that the `sub` field is the same as the
-    /// one provided and will error otherwise.
-    ///
-    /// Defaults to `None`.
-    pub sub: Option<String>,
-    /// If it contains a value, the validation will check that the `alg` of the header is contained
-    /// in the ones provided and will error otherwise.
-    ///
-    /// Defaults to `vec![Algorithm::HS256]`.
-    pub algorithms: Vec<Algorithm>,
-}
-
-impl Validation {
-    /// Create a default validation setup allowing the given alg
-    pub fn new(alg: Algorithm) -> Validation {
-        let mut validation = Validation::default();
-        validation.algorithms = vec![alg];
-        validation
-    }
-
-    /// Since `aud` can be either a String or an array of String in the JWT spec, this method will take
-    /// care of serializing the value.
-    pub fn set_audience<T: Serialize>(&mut self, audience: &T) {
-        self.aud = Some(to_value(audience).unwrap());
-    }
-}
-
-impl Default for Validation {
-    fn default() -> Validation {
-        Validation {
-            leeway: 0,
-
-            validate_exp: true,
-            validate_iat: true,
-            validate_nbf: true,
-
-            iss: None,
-            sub: None,
-            aud: None,
-
-            algorithms: vec![Algorithm::HS256],
-        }
-    }
-}
-
-
-
-pub fn validate(claims: &Map<String, Value>, options: &Validation) -> Result<()> {
-    let now = Utc::now().timestamp();
-
-    if let Some(iat) = claims.get("iat") {
-        if options.validate_iat && from_value::<i64>(iat.clone())? > now + options.leeway {
-            return Err(ErrorKind::InvalidIssuedAt.into());
-        }
-    }
-
-    if let Some(exp) = claims.get("exp") {
-        if options.validate_exp && from_value::<i64>(exp.clone())? < now - options.leeway {
-            return Err(ErrorKind::ExpiredSignature.into());
-        }
-    }
-
-    if let Some(nbf) = claims.get("nbf") {
-        if options.validate_nbf && from_value::<i64>(nbf.clone())? > now + options.leeway {
-            return Err(ErrorKind::ImmatureSignature.into());
-        }
-    }
-
-    if let Some(iss) = claims.get("iss") {
-        if let Some(ref correct_iss) = options.iss {
-            if from_value::<String>(iss.clone())? != *correct_iss {
-                return Err(ErrorKind::InvalidIssuer.into());
-            }
-        }
-    }
-
-    if let Some(sub) = claims.get("sub") {
-        if let Some(ref correct_sub) = options.sub {
-            if from_value::<String>(sub.clone())? != *correct_sub {
-                return Err(ErrorKind::InvalidSubject.into());
-            }
-        }
-    }
-
-    if let Some(aud) = claims.get("aud") {
-        if let Some(ref correct_aud) = options.aud {
-            if aud != correct_aud {
-                return Err(ErrorKind::InvalidAudience.into());
-            }
-        }
-    }
-
-    Ok(())
-}
-
-
-#[cfg(test)]
-mod tests {
-    use serde_json::{to_value};
-    use serde_json::map::Map;
-    use chrono::Utc;
-
-    use super::{validate, Validation};
-
-    use errors::ErrorKind;
-
-    #[test]
-    fn iat_in_past_ok() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() - 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iat_in_future_fails() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() + 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidIssuedAt => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn iat_in_future_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("iat".to_string(), to_value(Utc::now().timestamp() + 50).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn exp_in_future_ok() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() + 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn exp_in_past_fails() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() - 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::ExpiredSignature => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn exp_in_past_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("exp".to_string(), to_value(Utc::now().timestamp() - 500).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn nbf_in_past_ok() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() - 10000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn nbf_in_future_fails() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() + 100000).unwrap());
-        let res = validate(&claims, &Validation::default());
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::ImmatureSignature => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn nbf_in_future_but_in_leeway_ok() {
-        let mut claims = Map::new();
-        claims.insert("nbf".to_string(), to_value(Utc::now().timestamp() + 500).unwrap());
-        let validation = Validation {
-            leeway: 1000 * 60,
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iss_ok() {
-        let mut claims = Map::new();
-        claims.insert("iss".to_string(), to_value("Keats").unwrap());
-        let validation = Validation {
-            iss: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn iss_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("iss".to_string(), to_value("Hacked").unwrap());
-        let validation = Validation {
-            iss: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidIssuer => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn sub_ok() {
-        let mut claims = Map::new();
-        claims.insert("sub".to_string(), to_value("Keats").unwrap());
-        let validation = Validation {
-            sub: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn sub_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("sub".to_string(), to_value("Hacked").unwrap());
-        let validation = Validation {
-            sub: Some("Keats".to_string()),
-            ..Default::default()
-        };
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidSubject => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn aud_string_ok() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&"Everyone");
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn aud_array_of_string_ok() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value(["UserA", "UserB"]).unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&["UserA", "UserB"]);
-        let res = validate(&claims, &validation);
-        assert!(res.is_ok());
-    }
-
-    #[test]
-    fn aud_type_mismatch_fails() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&["UserA", "UserB"]);
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidAudience => (),
-            _ => assert!(false),
-        };
-    }
-
-    #[test]
-    fn aud_correct_type_not_matching_fails() {
-        let mut claims = Map::new();
-        claims.insert("aud".to_string(), to_value("Everyone").unwrap());
-        let mut validation = Validation::default();
-        validation.set_audience(&"None");
-        let res = validate(&claims, &validation);
-        assert!(res.is_err());
-
-        match res.unwrap_err().kind() {
-            &ErrorKind::InvalidAudience => (),
-            _ => assert!(false),
-        };
-    }
-}

migrations/mysql/2018-01-14-171611_create_tables/up.sql

@@ -0,0 +1,62 @@
+CREATE TABLE users (
+  uuid                CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          DATETIME NOT NULL,
+  updated_at          DATETIME NOT NULL,
+  email               VARCHAR(255) NOT NULL UNIQUE,
+  name                TEXT     NOT NULL,
+  password_hash       BLOB     NOT NULL,
+  salt                BLOB     NOT NULL,
+  password_iterations INTEGER  NOT NULL,
+  password_hint       TEXT,
+  `key`               TEXT     NOT NULL,
+  private_key         TEXT,
+  public_key          TEXT,
+  totp_secret         TEXT,
+  totp_recover        TEXT,
+  security_stamp      TEXT     NOT NULL,
+  equivalent_domains  TEXT     NOT NULL,
+  excluded_globals    TEXT     NOT NULL
+);
+
+CREATE TABLE devices (
+  uuid          CHAR(36) NOT NULL PRIMARY KEY,
+  created_at    DATETIME NOT NULL,
+  updated_at    DATETIME NOT NULL,
+  user_uuid     CHAR(36) NOT NULL REFERENCES users (uuid),
+  name          TEXT     NOT NULL,
+  type          INTEGER  NOT NULL,
+  push_token    TEXT,
+  refresh_token TEXT     NOT NULL
+);
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        DATETIME NOT NULL,
+  updated_at        DATETIME NOT NULL,
+  user_uuid         CHAR(36) NOT NULL REFERENCES users (uuid),
+  folder_uuid       CHAR(36) REFERENCES folders (uuid),
+  organization_uuid CHAR(36),
+  type              INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL
+);
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL
+
+);
+
+CREATE TABLE folders (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  created_at DATETIME NOT NULL,
+  updated_at DATETIME NOT NULL,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  name       TEXT     NOT NULL
+);
+  

migrations/mysql/2018-02-17-205753_create_collections_and_orgs/up.sql

@@ -0,0 +1,30 @@
+CREATE TABLE collections (
+  uuid     VARCHAR(40) NOT NULL PRIMARY KEY,
+  org_uuid VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name     TEXT NOT NULL
+);
+
+CREATE TABLE organizations (
+  uuid          VARCHAR(40) NOT NULL PRIMARY KEY,
+  name          TEXT NOT NULL,
+  billing_email TEXT NOT NULL
+);
+
+CREATE TABLE users_collections (
+  user_uuid       CHAR(36) NOT NULL REFERENCES users (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (user_uuid, collection_uuid)
+);
+
+CREATE TABLE users_organizations (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  org_uuid   CHAR(36) NOT NULL REFERENCES organizations (uuid),
+
+  access_all BOOLEAN NOT NULL,
+  `key`      TEXT    NOT NULL,
+  status     INTEGER NOT NULL,
+  type       INTEGER NOT NULL,
+
+  UNIQUE (user_uuid, org_uuid)
+);

migrations/mysql/2018-04-27-155151_create_users_ciphers/up.sql

@@ -0,0 +1,34 @@
+ALTER TABLE ciphers RENAME TO oldCiphers;
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        DATETIME NOT NULL,
+  updated_at        DATETIME NOT NULL,
+  user_uuid         CHAR(36) REFERENCES users (uuid), -- Make this optional
+  organization_uuid CHAR(36) REFERENCES organizations (uuid), -- Add reference to orgs table
+  -- Remove folder_uuid
+  type              INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL
+);
+
+CREATE TABLE folders_ciphers (
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  folder_uuid CHAR(36) NOT NULL REFERENCES folders (uuid),
+
+  PRIMARY KEY (cipher_uuid, folder_uuid)
+);
+
+INSERT INTO ciphers (uuid, created_at, updated_at, user_uuid, organization_uuid, type, name, notes, fields, data, favorite) 
+SELECT uuid, created_at, updated_at, user_uuid, organization_uuid, type, name, notes, fields, data, favorite FROM oldCiphers;
+
+INSERT INTO folders_ciphers (cipher_uuid, folder_uuid)
+SELECT uuid, folder_uuid FROM oldCiphers WHERE folder_uuid IS NOT NULL;
+
+
+DROP TABLE oldCiphers;
+
+ALTER TABLE users_collections ADD COLUMN read_only BOOLEAN NOT NULL DEFAULT 0; -- False

migrations/mysql/2018-05-08-161616_create_collection_cipher_map/up.sql

@@ -0,0 +1,5 @@
+CREATE TABLE ciphers_collections (
+  cipher_uuid       CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (cipher_uuid, collection_uuid)
+);

migrations/mysql/2018-05-25-232323_update_attachments_reference/up.sql

@@ -0,0 +1,14 @@
+ALTER TABLE attachments RENAME TO oldAttachments;
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL
+
+);
+
+INSERT INTO attachments (id, cipher_uuid, file_name, file_size) 
+SELECT id, cipher_uuid, file_name, file_size FROM oldAttachments;
+
+DROP TABLE oldAttachments;

migrations/mysql/2018-07-11-181453_create_u2f_twofactor/up.sql

@@ -0,0 +1,15 @@
+CREATE TABLE twofactor (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid CHAR(36) NOT NULL REFERENCES users (uuid),
+  type      INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (user_uuid, type)
+);
+
+
+INSERT INTO twofactor (uuid, user_uuid, type, enabled, data) 
+SELECT UUID(), uuid, 0, 1, u.totp_secret FROM users u where u.totp_secret IS NOT NULL;
+
+UPDATE users SET totp_secret = NULL; -- Instead of recreating the table, just leave the columns empty

migrations/mysql/2018-09-10-111213_add_invites/up.sql

@@ -0,0 +1,3 @@
+CREATE TABLE invitations (
+    email   VARCHAR(255) NOT NULL PRIMARY KEY
+);

migrations/mysql/2018-09-19-144557_add_kdf_columns/up.sql

@@ -4,4 +4,4 @@ ALTER TABLE users
 
 ALTER TABLE users
     ADD COLUMN
-    client_kdf_iter INTEGER NOT NULL DEFAULT 5000;
+    client_kdf_iter INTEGER NOT NULL DEFAULT 100000;

migrations/mysql/2018-11-27-152651_add_att_key_columns/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE attachments
+    ADD COLUMN
+    `key` TEXT;

migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/down.sql

@@ -0,0 +1,7 @@
+ALTER TABLE attachments CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE ciphers CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE devices CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE twofactor CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE users CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN atype type INTEGER NOT NULL;

migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/up.sql

@@ -0,0 +1,7 @@
+ALTER TABLE attachments CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE ciphers CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE devices CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE twofactor CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE users CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN type atype INTEGER NOT NULL;

migrations/mysql/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

migrations/mysql/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/mysql/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;

migrations/mysql/2020-03-13-205045_add_policy_table/down.sql

@@ -0,0 +1 @@
+DROP TABLE org_policies;

migrations/mysql/2020-03-13-205045_add_policy_table/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid  CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (org_uuid, atype)
+);

migrations/mysql/2020-04-09-235005_add_cipher_delete_date/down.sql

@@ -0,0 +1 @@
+

migrations/mysql/2020-04-09-235005_add_cipher_delete_date/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    deleted_at DATETIME;

migrations/mysql/2020-07-01-214531_add_hide_passwords/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE users_collections
+ADD COLUMN hide_passwords BOOLEAN NOT NULL DEFAULT FALSE;

migrations/mysql/2020-08-02-025025_add_favorites_table/down.sql

@@ -0,0 +1,13 @@
+ALTER TABLE ciphers
+ADD COLUMN favorite BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- Transfer favorite status for user-owned ciphers.
+UPDATE ciphers
+SET favorite = TRUE
+WHERE EXISTS (
+  SELECT * FROM favorites
+  WHERE favorites.user_uuid = ciphers.user_uuid
+    AND favorites.cipher_uuid = ciphers.uuid
+);
+
+DROP TABLE favorites;

migrations/mysql/2020-08-02-025025_add_favorites_table/up.sql

@@ -0,0 +1,16 @@
+CREATE TABLE favorites (
+  user_uuid   CHAR(36) NOT NULL REFERENCES users(uuid),
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers(uuid),
+
+  PRIMARY KEY (user_uuid, cipher_uuid)
+);
+
+-- Transfer favorite status for user-owned ciphers.
+INSERT INTO favorites(user_uuid, cipher_uuid)
+SELECT user_uuid, uuid
+FROM ciphers
+WHERE favorite = TRUE
+  AND user_uuid IS NOT NULL;
+
+ALTER TABLE ciphers
+DROP COLUMN favorite;

migrations/postgresql/2019-09-12-100000_create_tables/down.sql

@@ -0,0 +1,13 @@
+DROP TABLE devices;
+DROP TABLE attachments;
+DROP TABLE users_collections;
+DROP TABLE users_organizations;
+DROP TABLE folders_ciphers;
+DROP TABLE ciphers_collections;
+DROP TABLE twofactor;
+DROP TABLE invitations;
+DROP TABLE collections;
+DROP TABLE folders;
+DROP TABLE ciphers;
+DROP TABLE users;
+DROP TABLE organizations;

migrations/postgresql/2019-09-12-100000_create_tables/up.sql

@@ -0,0 +1,121 @@
+CREATE TABLE users (
+  uuid                CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          TIMESTAMP NOT NULL,
+  updated_at          TIMESTAMP NOT NULL,
+  email               VARCHAR(255) NOT NULL UNIQUE,
+  name                TEXT     NOT NULL,
+  password_hash       BYTEA     NOT NULL,
+  salt                BYTEA     NOT NULL,
+  password_iterations INTEGER  NOT NULL,
+  password_hint       TEXT,
+  akey                TEXT     NOT NULL,
+  private_key         TEXT,
+  public_key          TEXT,
+  totp_secret         TEXT,
+  totp_recover        TEXT,
+  security_stamp      TEXT     NOT NULL,
+  equivalent_domains  TEXT     NOT NULL,
+  excluded_globals    TEXT     NOT NULL,
+  client_kdf_type     INTEGER NOT NULL DEFAULT 0,
+  client_kdf_iter INTEGER NOT NULL DEFAULT 100000
+);
+
+CREATE TABLE devices (
+  uuid          CHAR(36) NOT NULL PRIMARY KEY,
+  created_at    TIMESTAMP NOT NULL,
+  updated_at    TIMESTAMP NOT NULL,
+  user_uuid     CHAR(36) NOT NULL REFERENCES users (uuid),
+  name          TEXT     NOT NULL,
+  atype         INTEGER  NOT NULL,
+  push_token    TEXT,
+  refresh_token TEXT     NOT NULL,
+  twofactor_remember TEXT
+);
+
+CREATE TABLE organizations (
+  uuid          VARCHAR(40) NOT NULL PRIMARY KEY,
+  name          TEXT NOT NULL,
+  billing_email TEXT NOT NULL
+);
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        TIMESTAMP NOT NULL,
+  updated_at        TIMESTAMP NOT NULL,
+  user_uuid         CHAR(36) REFERENCES users (uuid),
+  organization_uuid CHAR(36) REFERENCES organizations (uuid),
+  atype             INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL,
+  password_history  TEXT
+);
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL,
+  akey        TEXT
+);
+
+CREATE TABLE folders (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  created_at TIMESTAMP NOT NULL,
+  updated_at TIMESTAMP NOT NULL,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  name       TEXT     NOT NULL
+);
+
+CREATE TABLE collections (
+  uuid     VARCHAR(40) NOT NULL PRIMARY KEY,
+  org_uuid VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name     TEXT NOT NULL
+);
+
+CREATE TABLE users_collections (
+  user_uuid       CHAR(36) NOT NULL REFERENCES users (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  read_only       BOOLEAN NOT NULL DEFAULT false,
+  PRIMARY KEY (user_uuid, collection_uuid)
+);
+
+CREATE TABLE users_organizations (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  org_uuid   CHAR(36) NOT NULL REFERENCES organizations (uuid),
+
+  access_all BOOLEAN NOT NULL,
+  akey       TEXT    NOT NULL,
+  status     INTEGER NOT NULL,
+  atype      INTEGER NOT NULL,
+
+  UNIQUE (user_uuid, org_uuid)
+);
+
+CREATE TABLE folders_ciphers (
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  folder_uuid CHAR(36) NOT NULL REFERENCES folders (uuid),
+  PRIMARY KEY (cipher_uuid, folder_uuid)
+);
+
+CREATE TABLE ciphers_collections (
+  cipher_uuid       CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (cipher_uuid, collection_uuid)
+);
+
+CREATE TABLE twofactor (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid CHAR(36) NOT NULL REFERENCES users (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+  UNIQUE (user_uuid, atype)
+);
+
+CREATE TABLE invitations (
+    email   VARCHAR(255) NOT NULL PRIMARY KEY
+);

migrations/postgresql/2019-09-16-150000_fix_attachments/down.sql

@@ -0,0 +1,26 @@
+ALTER TABLE attachments ALTER COLUMN id TYPE CHAR(36);
+ALTER TABLE attachments ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE users ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE users ALTER COLUMN email TYPE VARCHAR(255);
+ALTER TABLE devices ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE devices ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE organizations ALTER COLUMN uuid TYPE CHAR(40);
+ALTER TABLE ciphers ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE ciphers ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE ciphers ALTER COLUMN organization_uuid TYPE CHAR(36);
+ALTER TABLE folders ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE folders ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE collections ALTER COLUMN uuid TYPE CHAR(40);
+ALTER TABLE collections ALTER COLUMN org_uuid TYPE CHAR(40);
+ALTER TABLE users_collections ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE users_collections ALTER COLUMN collection_uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE users_organizations ALTER COLUMN org_uuid TYPE CHAR(36);
+ALTER TABLE folders_ciphers ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE folders_ciphers ALTER COLUMN folder_uuid TYPE CHAR(36);
+ALTER TABLE ciphers_collections ALTER COLUMN cipher_uuid TYPE CHAR(36);
+ALTER TABLE ciphers_collections ALTER COLUMN collection_uuid TYPE CHAR(36);
+ALTER TABLE twofactor ALTER COLUMN uuid TYPE CHAR(36);
+ALTER TABLE twofactor ALTER COLUMN user_uuid TYPE CHAR(36);
+ALTER TABLE invitations ALTER COLUMN email TYPE VARCHAR(255);

migrations/postgresql/2019-09-16-150000_fix_attachments/up.sql

@@ -0,0 +1,27 @@
+-- Switch from CHAR() types to VARCHAR() types to avoid padding issues.
+ALTER TABLE attachments ALTER COLUMN id TYPE TEXT;
+ALTER TABLE attachments ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE users ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE users ALTER COLUMN email TYPE TEXT;
+ALTER TABLE devices ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE devices ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE organizations ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers ALTER COLUMN organization_uuid TYPE VARCHAR(40);
+ALTER TABLE folders ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE folders ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE collections ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE collections ALTER COLUMN org_uuid TYPE VARCHAR(40);
+ALTER TABLE users_collections ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE users_collections ALTER COLUMN collection_uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE users_organizations ALTER COLUMN org_uuid TYPE VARCHAR(40);
+ALTER TABLE folders_ciphers ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE folders_ciphers ALTER COLUMN folder_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers_collections ALTER COLUMN cipher_uuid TYPE VARCHAR(40);
+ALTER TABLE ciphers_collections ALTER COLUMN collection_uuid TYPE VARCHAR(40);
+ALTER TABLE twofactor ALTER COLUMN uuid TYPE VARCHAR(40);
+ALTER TABLE twofactor ALTER COLUMN user_uuid TYPE VARCHAR(40);
+ALTER TABLE invitations ALTER COLUMN email TYPE TEXT;

migrations/postgresql/2019-10-10-083032_add_column_to_twofactor/up.sql

@@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;

migrations/postgresql/2019-11-17-011009_add_email_verification/down.sql

@@ -0,0 +1 @@
+

migrations/postgresql/2019-11-17-011009_add_email_verification/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;

migrations/postgresql/2020-03-13-205045_add_policy_table/down.sql

@@ -0,0 +1 @@
+DROP TABLE org_policies;

migrations/postgresql/2020-03-13-205045_add_policy_table/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid  CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+  
+  UNIQUE (org_uuid, atype)
+);

migrations/postgresql/2020-04-09-235005_add_cipher_delete_date/down.sql

@@ -0,0 +1 @@
+

migrations/postgresql/2020-04-09-235005_add_cipher_delete_date/up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    deleted_at TIMESTAMP;

migrations/postgresql/2020-07-01-214531_add_hide_passwords/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE users_collections
+ADD COLUMN hide_passwords BOOLEAN NOT NULL DEFAULT FALSE;

migrations/postgresql/2020-08-02-025025_add_favorites_table/down.sql

@@ -0,0 +1,13 @@
+ALTER TABLE ciphers
+ADD COLUMN favorite BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- Transfer favorite status for user-owned ciphers.
+UPDATE ciphers
+SET favorite = TRUE
+WHERE EXISTS (
+  SELECT * FROM favorites
+  WHERE favorites.user_uuid = ciphers.user_uuid
+    AND favorites.cipher_uuid = ciphers.uuid
+);
+
+DROP TABLE favorites;