Merge pull request #585 from ViViDboarder/mail-auth-over-insecure

Allow explicitly defined smtp auth mechansim
Remove unecessary clone
2025-09-10 10:45:57 +03:00 · 2019-08-27 20:21:23 +02:00 · 2019-08-27 10:40:38 -07:00 · 2019-08-23 16:22:14 -07:00 · 2019-08-21 17:13:06 +02:00 · 2019-08-20 23:53:00 +02:00
126 changed files with 8705 additions and 4319 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -9,10 +9,6 @@ data
 .idea
 *.iml

-# Git files
-.git
-.gitignore
-
 # Documentation
 *.md

--- a/.env
+++ b/.env
@@ -1,75 +0,0 @@
-## Bitwarden_RS Configuration File
-## Uncomment any of the following lines to change the defaults
-
-## Main data folder
-# DATA_FOLDER=data
-
-## Individual folders, these override %DATA_FOLDER%
-# DATABASE_URL=data/db.sqlite3
-# RSA_KEY_FILENAME=data/rsa_key
-# ICON_CACHE_FOLDER=data/icon_cache
-# ATTACHMENTS_FOLDER=data/attachments
-
-## Web vault settings
-# WEB_VAULT_FOLDER=web-vault/
-# WEB_VAULT_ENABLED=true
-
-## Controls the WebSocket server address and port
-# WEBSOCKET_ADDRESS=0.0.0.0
-# WEBSOCKET_PORT=3012
-
-## Enable extended logging
-## This shows timestamps and allows logging to file and to syslog
-### To enable logging to file, use the LOG_FILE env variable
-### To enable syslog, you need to compile with `cargo build --features=enable_syslog'
-# EXTENDED_LOGGING=true
-
-## Logging to file
-## This requires extended logging
-## It's recommended to also set 'ROCKET_CLI_COLORS=off'
-# LOG_FILE=/path/to/log
-
-## Controls if new users can register
-# SIGNUPS_ALLOWED=true
-
-## Use a local favicon extractor
-## Set to false to use bitwarden's official icon servers
-## Set to true to use the local version, which is not as smart,
-##   but it doesn't send the cipher domains to bitwarden's servers
-# LOCAL_ICON_EXTRACTOR=false
-
-## Controls the PBBKDF password iterations to apply on the server
-## The change only applies when the password is changed
-# PASSWORD_ITERATIONS=100000
-
-## Whether password hint should be sent into the error response when the client request it
-# SHOW_PASSWORD_HINT=true
-
-## Domain settings
-## The domain must match the address from where you access the server
-## Unless you are using U2F, or having problems with attachments not downloading, there is no need to change this
-## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
-# DOMAIN=https://bw.domain.tld:8443
-
-## Yubico (Yubikey) Settings
-## Set your Client ID and Secret Key for Yubikey OTP
-## You can generate it here: https://upgrade.yubico.com/getapikey/
-## You can optionally specify a custom OTP server
-# YUBICO_CLIENT_ID=11111
-# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
-# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
-
-## Rocket specific settings, check Rocket documentation to learn more
-# ROCKET_ENV=staging
-# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
-# ROCKET_PORT=8000
-# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
-
-## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
-## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
-# SMTP_HOST=smtp.domain.tld
-# SMTP_FROM=bitwarden-rs@domain.tld
-# SMTP_PORT=587
-# SMTP_SSL=true
-# SMTP_USERNAME=username
-# SMTP_PASSWORD=password
--- a/.env.template
+++ b/.env.template
@@ -0,0 +1,152 @@
+## Bitwarden_RS Configuration File
+## Uncomment any of the following lines to change the defaults
+
+## Main data folder
+# DATA_FOLDER=data
+
+## Database URL
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+## When using MySQL, this it is the URL to the DB, including username and password:
+## Format: mysql://[user[:password]@]host/database_name
+# DATABASE_URL=data/db.sqlite3
+
+## Individual folders, these override %DATA_FOLDER%
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=/path/to/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+# ICON_CACHE_NEGTTL=259200
+
+## Web vault settings
+# WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=true
+
+## Enables websocket notifications
+# WEBSOCKET_ENABLED=false
+
+## Controls the WebSocket server address and port
+# WEBSOCKET_ADDRESS=0.0.0.0
+# WEBSOCKET_PORT=3012
+
+## Enable extended logging
+## This shows timestamps and allows logging to file and to syslog
+### To enable logging to file, use the LOG_FILE env variable
+### To enable syslog, use the USE_SYSLOG env variable
+# EXTENDED_LOGGING=true
+
+## Logging to file
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# LOG_FILE=/path/to/log
+
+## Logging to Syslog
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# USE_SYSLOG=false
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## This requires extended logging
+# LOG_LEVEL=Info
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents bitwarden_rs from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render  the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Disable icon downloading
+## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
+## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+## otherwise it will delete them and they won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Icon blacklist Regex
+## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+# ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
+
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Token for the admin interface, preferably use a long random string
+## One option is to use 'openssl rand -base64 48'
+## If not set, the admin panel is disabled
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+# DISABLE_ADMIN_TOKEN=false
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+
+## Controls the PBBKDF password iterations to apply on the server
+## The change only applies when the password is changed
+# PASSWORD_ITERATIONS=100000
+
+## Whether password hint should be sent into the error response when the client request it
+# SHOW_PASSWORD_HINT=true
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+# DOMAIN=https://bw.domain.tld:8443
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=<Integration Key>
+# DUO_SKEY=<Secret Key>
+# DUO_HOST=<API Hostname>
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+
+## Rocket specific settings, check Rocket documentation to learn more
+# ROCKET_ENV=staging
+# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=bitwarden-rs@domain.tld
+# SMTP_FROM_NAME=Bitwarden_RS
+# SMTP_PORT=587
+# SMTP_SSL=true
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_AUTH_MECHANISM="Plain"
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,7 @@ data
 *.iml

 # Environment file
-# .env
+.env

 # Web vault
-web-vault
+web-vault
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -0,0 +1,7 @@
+ignored:
+  # disable explicit version for apt install
+  - DL3008
+  # disable explicit version for apk install
+  - DL3018
+trustedRegistries:
+  - docker.io
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,9 +1,20 @@
-# Copied from Rocket's .travis.yml
+dist: xenial
+
+env:
+  global:
+    - HADOLINT_VERSION=1.17.1
+
 language: rust
-sudo: required # so we get a VM with higher specs
-dist: trusty # so we get a VM with higher specs
+rust: nightly
 cache: cargo
-rust:
- nightly
+
+before_install:
+  - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
+  - sudo chmod +rx /usr/local/bin/hadolint
+
+# Nothing to install
+install: true
 script:
- cargo build --verbose --all-features
+- git ls-files --exclude='Dockerfile*' --ignored | xargs --max-lines=1 hadolint
+- cargo build --features "sqlite"
+- cargo build --features "mysql"
--- a/BUILD.md
+++ b/BUILD.md
@@ -1,77 +0,0 @@
-# Build instructions
-
-## Dependencies
- `Rust nightly` (strongly recommended to use [rustup](https://rustup.rs/))
- `OpenSSL` (should be available in path, install through your system's package manager or use the [prebuilt binaries](https://wiki.openssl.org/index.php/Binaries))
- `NodeJS` (only when compiling the web-vault, install through your system's package manager or use the [prebuilt binaries](https://nodejs.org/en/download/))
-
-
-## Run/Compile
-```sh
-# Compile and run
-cargo run --release
-# or just compile (binary located in target/release/bitwarden_rs)
-cargo build --release
-```
-
-When run, the server is accessible in [http://localhost:80](http://localhost:80).
-
-### Install the web-vault
-A compiled version of the web vault can be downloaded from [dani-garcia/bw_web_builds](https://github.com/dani-garcia/bw_web_builds/releases).
-
-If you prefer to compile it manually, follow these steps:
-
-*Note: building the Vault needs ~1.5GB of RAM. On systems like a RaspberryPI with 1GB or less, please [enable swapping](https://www.tecmint.com/create-a-linux-swap-file/) or build it on a more powerful machine and copy the directory from there. This much memory is only needed for building it, running bitwarden_rs with vault needs only about 10MB of RAM.*
-
- Clone the git repository at [bitwarden/web](https://github.com/bitwarden/web) and checkout the latest release tag (e.g. v2.1.1):
-```sh
-# clone the repository
-git clone https://github.com/bitwarden/web.git web-vault
-cd web-vault
-# switch to the latest tag
-git checkout "$(git tag | tail -n1)"
-```
-
- Apply the patch file from `docker/set-vault-baseurl.patch`:
-```sh
-# In the Vault repository directory
-git apply /path/to/bitwarden_rs/docker/set-vault-baseurl.patch
-```
-
- Then, build the Vault:
-
-```sh
-npm run sub:init
-npm install
-npm run dist
-```
-
-Finally copy the contents of the `build` folder into the `bitwarden_rs/web-vault` folder.
-
-# Configuration
-The available configuration options are documented in the default `.env` file, and they can be modified by uncommenting the desired options in that file or by setting their respective environment variables. Look at the README file for the main configuration options available.
-
-Note: the environment variables override the values set in the `.env` file.
-
-## How to recreate database schemas (for developers)
-Install diesel-cli with cargo:
-```sh
-cargo install diesel_cli --no-default-features --features sqlite-bundled
-```
-
-Make sure that the correct path to the database is in the `.env` file.
-
-If you want to modify the schemas, create a new migration with:
-```
-diesel migration generate <name>
-```
-
-Modify the *.sql files, making sure that any changes are reverted in the down.sql file.
-
-Apply the migrations and save the generated schemas as follows:
-```sh
-diesel migration redo
-
-# This step should be done automatically when using diesel-cli > 1.3.0
-# diesel print-schema > src/db/schema.rs
-```
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,98 +4,114 @@ version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2018"

+repository = "https://github.com/dani-garcia/bitwarden_rs"
+readme = "README.md"
+license = "GPL-3.0-only"
+publish = false
+build = "build.rs"
+
 [features]
-enable_syslog = ["syslog", "fern/syslog-4"]
+# Empty to keep compatibility, prefer to set USE_SYSLOG=true
+enable_syslog = []
+mysql = ["diesel/mysql", "diesel_migrations/mysql"]
+sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
+
+[target."cfg(not(windows))".dependencies]
+syslog = "4.0.1"

 [dependencies]
 # Web framework for nightly with a focus on ease-of-use, expressibility, and speed.
-rocket = { version = "0.4.0", features = ["tls"], default-features = false }
-rocket_contrib = "0.4.0"
+rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
+rocket_contrib = "0.5.0-dev"

 # HTTP client
-reqwest = "0.9.5"
+reqwest = "0.9.19"

 # multipart/form-data support
-multipart = "0.15.4"
+multipart = { version = "0.16.1", features = ["server"], default-features = false }

 # WebSockets library
-ws = "0.7.9"
+ws = "0.9.0"

 # MessagePack library
 rmpv = "0.4.0"

 # Concurrent hashmap implementation
-chashmap = "2.2.0"
+chashmap = "2.2.2"

 # A generic serialization/deserialization framework
-serde = "1.0.82"
-serde_derive = "1.0.82"
-serde_json = "1.0.33"
+serde = "1.0.99"
+serde_derive = "1.0.99"
+serde_json = "1.0.40"

 # Logging
-log = "0.4.6"
-fern = "0.5.7"
-syslog = { version = "4.0.1", optional = true }
+log = "0.4.8"
+fern = { version = "0.5.8", features = ["syslog-4"] }

 # A safe, extensible ORM and Query builder
-diesel = { version = "1.3.3", features = ["sqlite", "chrono", "r2d2"] }
-diesel_migrations = { version = "1.3.0", features = ["sqlite"] }
+diesel = { version = "1.4.2", features = [ "chrono", "r2d2"] }
+diesel_migrations = "1.4.0"

-# Bundled SQLite
-libsqlite3-sys = { version = "0.9.3", features = ["bundled"] }
+# Bundled SQLite                                           
+libsqlite3-sys = { version = "0.12.0", features = ["bundled"], optional = true }

 # Crypto library
-ring = { version = "0.13.5", features = ["rsa_signing"] }
+ring = "0.14.6"

 # UUID generation
-uuid = { version = "0.7.1", features = ["v4"] }
+uuid = { version = "0.7.4", features = ["v4"] }

 # Date and time library for Rust
-chrono = "0.4.6"
+chrono = "0.4.7"

 # TOTP library
 oath = "0.10.2"

 # Data encoding library
-data-encoding = "2.1.1"
+data-encoding = "2.1.2"

 # JWT library
-jsonwebtoken = "5.0.1"
+jsonwebtoken = "6.0.1"

 # U2F library
-u2f = "0.1.2"
+u2f = "0.1.6"

 # Yubico Library
-yubico = { version = "=0.4.0", features = ["online"], default-features = false }
+yubico = { version = "0.6.1", features = ["online", "online-tokio"], default-features = false }

 # A `dotenv` implementation for Rust
-dotenv = { version = "0.13.0", default-features = false }
+dotenv = { version = "0.14.1", default-features = false }

 # Lazy static macro
-lazy_static = { version = "1.2.0", features = ["nightly"] }
+lazy_static = "1.3.0"
+
+# More derives
+derive_more = "0.15.0"

 # Numerical libraries
-num-traits = "0.2.6"
-num-derive = "0.2.3"
+num-traits = "0.2.8"
+num-derive = "0.2.5"

 # Email libraries
-lettre = "0.9.0"
-lettre_email = "0.9.0"
-native-tls = "0.2.2"
+lettre = "0.9.2"
+lettre_email = "0.9.2"
+native-tls = "0.2.3"
+quoted_printable = "0.4.1"

-# Number encoding library
-byteorder = "1.2.7"
+# Template library
+handlebars = "2.0.1"
+
+# For favicon extraction from main website
+soup = "0.4.1"
+regex = "1.2.1"
+
+# URL encoding library
+percent-encoding = "2.1.0"

 [patch.crates-io]
 # Add support for Timestamp type
 rmp = { git = 'https://github.com/dani-garcia/msgpack-rust' }

-# Use new native_tls version 0.2
-lettre = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
-lettre_email = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81' }
-
-# Version 0.1.2 from crates.io lacks a commit that fixes a certificate error
-u2f = { git = 'https://github.com/wisespace-io/u2f-rs', rev = '75b9fa5afb4c5' }
-
-# Allows optional libusb support
-yubico = { git = 'https://github.com/dani-garcia/yubico-rs' }
+# Use newest ring
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dbcb0a75b9556763ac3ab708f40c8f8ed75f1a1e' }
+rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dbcb0a75b9556763ac3ab708f40c8f8ed75f1a1e' }
--- a/86
+++ b/86
@@ -1,86 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine as vault
-
-ENV VAULT_VERSION "v2.7.1"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --update-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust as build
-
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    sqlite3\
-#    --no-install-recommends\
-# && rm -rf /var/lib/apt/lists/*
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
-WORKDIR /app
-
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --release
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM debian:stretch-slim
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y\
-    openssl\
-    ca-certificates\
-    --no-install-recommends\
- && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (env file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY .env .
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build app/target/release/bitwarden_rs .
-
-# Configures the startup!
-CMD ./bitwarden_rs
--- a/1
+++ b/1
@@ -0,0 +1 @@
+docker/amd64/sqlite/Dockerfile
--- a/PROXY.md
+++ b/PROXY.md
@@ -1,94 +0,0 @@
-# Proxy examples
-
-In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`.
-The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended.
-
-When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.
-
-## Caddy
-
-```nginx
-localhost:443 {
-    # The negotiation endpoint is also proxied to Rocket
-    proxy /notifications/hub/negotiate <SERVER>:80 {
-        transparent
-    }
-    
-    # Notifications redirected to the websockets server
-    proxy /notifications/hub <SERVER>:3012 {
-        websocket
-    }
-    
-    # Proxy the Root directory to Rocket
-    proxy / <SERVER>:80 {
-        transparent
-    }
-
-    tls ${SSLCERTIFICATE} ${SSLKEY}
-}
-```
-
-## Nginx (by shauder)
-```nginx
-server {
-  listen 443 ssl http2;
-  server_name vault.*;
-  
-  # Specify SSL config if using a shared one.
-  #include conf.d/ssl/ssl.conf;
-  
-  location / {
-    proxy_pass http://<SERVER>:80;
-  }
-  
-  location /notifications/hub {
-    proxy_pass http://<SERVER>:3012;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-  }
-  
-  location /notifications/hub/negotiate {
-    proxy_pass http://<SERVER>:80;
-  }
-}
-```
-
-## Apache (by fbartels)
-```apache
-<VirtualHost *:443>
-    SSLEngine on
-    ServerName bitwarden.$hostname.$domainname
-
-    SSLCertificateFile ${SSLCERTIFICATE}
-    SSLCertificateKeyFile ${SSLKEY}
-    SSLCACertificateFile ${SSLCA}
-    ${SSLCHAIN}
-
-    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
-    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined
-
-    RewriteEngine On
-    RewriteCond %{HTTP:Upgrade} =websocket [NC]
-    RewriteRule /(.*)           ws://<SERVER>:3012/$1 [P,L]
-
-    ProxyPass / http://<SERVER>:80/
-
-    ProxyPreserveHost On
-    ProxyRequests Off
-</VirtualHost>
-```
-
-## Traefik (docker-compose example)
-```traefik
-    labels:
-      - 'traefik.frontend.rule=Host:vault.example.local'
-      - 'traefik.docker.network=traefik'
-      - 'traefik.port=80'
-      - 'traefik.enable=true'
-      - 'traefik.web.frontend.rule=Host:vault.example.local'
-      - 'traefik.web.port=80'
-      - 'traefik.hub.frontend.rule=Path:/notifications/hub'
-      - 'traefik.hub.port=3012'
-      - 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
-      - 'traefik.negotiate.port=80'
-```
--- a/README.md
+++ b/README.md
@@ -3,69 +3,20 @@
 ---

 [![Travis Build Status](https://travis-ci.org/dani-garcia/bitwarden_rs.svg?branch=master)](https://travis-ci.org/dani-garcia/bitwarden_rs)
+[![Docker Pulls](https://img.shields.io/docker/pulls/bitwardenrs/server.svg)](https://hub.docker.com/r/bitwardenrs/server)
 [![Dependency Status](https://deps.rs/repo/github/dani-garcia/bitwarden_rs/status.svg)](https://deps.rs/repo/github/dani-garcia/bitwarden_rs)
 [![GitHub Release](https://img.shields.io/github/release/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/releases/latest)
 [![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/blob/master/LICENSE.txt)
-[![Matrix Chat](https://matrix.to/img/matrix-badge.svg)](https://matrix.to/#/#bitwarden_rs:matrix.org)
+[![Matrix Chat](https://img.shields.io/matrix/bitwarden_rs:matrix.org.svg?logo=matrix)](https://matrix.to/#/#bitwarden_rs:matrix.org)

 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/bitwarden_rs).

-_*Note, that this project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC._
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any Bitwarden related bug-reports or suggestions [here](https://github.com/dani-garcia/bitwarden_rs/issues/new), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.

 ---

-**Table of contents**
-
- [Features](#features)
- [Missing features](#missing-features)
- [Docker image usage](#docker-image-usage)
-  - [Starting a container](#starting-a-container)
-  - [Updating the bitwarden image](#updating-the-bitwarden-image)
- [Configuring bitwarden service](#configuring-bitwarden-service)
-  - [Disable registration of new users](#disable-registration-of-new-users)
-  - [Disable invitations](#disable-invitations)
-  - [Configure server administrator](#configure-server-administrator)
-  - [Enabling HTTPS](#enabling-https)
-  - [Enabling WebSocket notifications](#enabling-websocket-notifications)
-  - [Enabling U2F authentication](#enabling-u2f-authentication)
-  - [Enabling YubiKey OTP authentication](#enabling-yubikey-otp-authentication)
-  - [Changing persistent data location](#changing-persistent-data-location)
-    - [/data prefix:](#data-prefix)
-    - [database name and location](#database-name-and-location)
-    - [attachments location](#attachments-location)
-    - [icons cache](#icons-cache)
-  - [Changing the API request size limit](#changing-the-api-request-size-limit)
-  - [Changing the number of workers](#changing-the-number-of-workers)
-  - [SMTP configuration](#smtp-configuration)
-  - [Password hint display](#password-hint-display)
-  - [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting)
-  - [Other configuration](#other-configuration)
-  - [Fail2Ban Setup](#fail2ban-setup)
-    - [Logging Failed Login Attempts to Syslog](#logging-failed-login-attempts-to-syslog)
-    - [Fail2Ban Filter](#fail2ban-filter)
-    - [Fail2Ban Jail](#fail2ban-jail)
-    - [Testing Fail2Ban](#testing-fail2ban)
-  - [Running with systemd-docker](#running-with-systemd-docker)
-    - [Setting environment variables](#setting-environment-variables)
-    - [Running the service](#running-the-service)
- [Building your own image](#building-your-own-image)
- [Building binary](#building-binary)
- [Available packages](#available-packages)
-  - [Arch Linux](#arch-linux)
- [Kubernetes deployment](#kubernetes-deployment)
- [Backing up your vault](#backing-up-your-vault)
-  - [1. the sqlite3 database](#1-the-sqlite3-database)
-  - [2. the attachments folder](#2-the-attachments-folder)
-  - [3. the key files](#3-the-key-files)
-  - [4. Icon Cache](#4-icon-cache)
- [Running the server with non-root user](#running-the-server-with-non-root-user)
- [Differences from upstream API implementation](#differences-from-upstream-api-implementation)
-  - [Changing user email](#changing-user-email)
-  - [Creating organization](#creating-organization)
-  - [Inviting users into organization](#inviting-users-into-organization)
-  - [Running on unencrypted connection](#running-on-unencrypted-connection)
- [Get in touch](#get-in-touch)
-
 ## Features

 Basically full implementation of Bitwarden API is provided including:
@@ -79,609 +30,23 @@ Basically full implementation of Bitwarden API is provided including:
 * Authenticator and U2F support
 * YubiKey OTP

-## Missing features
-* Email confirmation
-* Other two-factor systems:
-  * Duo
-  * Email codes
-
-## Docker image usage
-
-### Starting a container
-
-The persistent data is stored under /data inside the container, so the only requirement for persistent deployment using Docker is to mount persistent volume at the path:
-
-```
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 mprasil/bitwarden:latest
-```
-
-This will preserve any persistent data under `/bw-data/`, you can adapt the path to whatever suits you.
-
-The service will be exposed on port 80.
-
-### Updating the bitwarden image
-
-Updating is straightforward, you just make sure to preserve the mounted volume. If you used the bind-mounted path as in the example above, you just need to `pull` the latest image, `stop` and `rm` the current container and then start a new one the same way as before:
+## Installation
+Pull the docker image and mount a volume from the host for persistent storage:

 ```sh
-# Pull the latest version
-docker pull mprasil/bitwarden:latest
-
-# Stop and remove the old container
-docker stop bitwarden
-docker rm bitwarden
-
-# Start new container with the data mounted
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 mprasil/bitwarden:latest
+docker pull bitwardenrs/server:latest
+docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
 ```
-Then visit [http://localhost:80](http://localhost:80)
+This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.

-In case you didn't bind mount the volume for persistent data, you need an intermediate step where you preserve the data with an intermediate container:
+**IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. 

-```sh
-# Pull the latest version
-docker pull mprasil/bitwarden:latest
+This can be configured in [bitwarden_rs directly](https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples)).

-# Create intermediate container to preserve data
-docker run --volumes-from bitwarden --name bitwarden_data busybox true
+If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).

-# Stop and remove the old container
-docker stop bitwarden
-docker rm bitwarden
-
-# Start new container with the data mounted
-docker run -d --volumes-from bitwarden_data --name bitwarden -p 80:80 mprasil/bitwarden:latest
-
-# Optionally remove the intermediate container
-docker rm bitwarden_data
-
-# Alternatively you can keep data container around for future updates in which case you can skip last step.
-```
-
-## Configuring bitwarden service
-
-### Disable registration of new users
-
-By default new users can register, if you want to disable that, set the `SIGNUPS_ALLOWED` env variable to `false`:
-
-```sh
-docker run -d --name bitwarden \
-  -e SIGNUPS_ALLOWED=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-Note: While users can't register on their own, they can still be invited by already registered users. Read below if you also want to disable that.
-
-### Disable invitations
-
-Even when registration is disabled, organization administrators or owners can invite users to join organization. This won't send email invitation to the users, but after they are invited, they can register with the invited email even if `SIGNUPS_ALLOWED` is actually set to `false`. You can disable this functionality completely by setting `INVITATIONS_ALLOWED` env variable to `false`:
-
-```sh
-docker run -d --name bitwarden \
-  -e SIGNUPS_ALLOWED=false \
-  -e INVITATIONS_ALLOWED=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-### Configure server administrator
-
-**Warning:** *Never* use your regular account for the admin functionality. This is a bit of a hack using the Vault interface for something it's not intended to do and it breaks any other functionality for the account. Please set up and use separate account just for this functionality.
-
-You can configure one email account to be server administrator via the `SERVER_ADMIN_EMAIL` environment variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e SERVER_ADMIN_EMAIL=admin@example.com \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-This will give the user extra functionality and privileges to manage users on the server. In the Vault, the user will see a special (virtual) organization called `bitwarden_rs`. This organization doesn't actually exist and can't be used for most things. (can't have collections or ciphers) Instead it just contains all the users registered on the server. Deleting users from this organization will actually completely delete the user from the server. Inviting users into this organization will just invite the user so they are able to register, but will not grant any organization membership. (unlike inviting user to regular organization)
-
-You can think of the `bitwarden_rs` organization as sort of Admin interface to manage users on the server. Keep in mind that deleting user this way removes the user permanently without any way to restore the deleted data just as if user deleted their own account.
-
-### Enabling HTTPS
-To enable HTTPS, you need to configure the `ROCKET_TLS`.
-
-The values to the option must follow the format:
-```
-ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
-```
-Where:
- certs: a path to a certificate chain in PEM format
- key: a path to a private key file in PEM format for the certificate in certs
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_TLS='{certs="/ssl/certs.pem",key="/ssl/key.pem"}' \
-  -v /ssl/keys/:/ssl/ \
-  -v /bw-data/:/data/ \
-  -p 443:80 \
-  mprasil/bitwarden:latest
-```
-Note that you need to mount ssl files and you need to forward appropriate port.
-
-Due to what is likely a certificate validation bug in Android, you need to make sure that your certificate includes the full chain of trust. In the case of certbot, this means using `fullchain.pem` instead of `cert.pem`.
-
-Softwares used for getting certs are often using symlinks. If that is the case, both locations need to be accessible to the docker container.
-
-Example: [certbot](https://certbot.eff.org/) will create a folder that contains the needed `fullchain.pem` and `privkey.pem` files in `/etc/letsencrypt/live/mydomain/`
-
-These files are symlinked to `../../archive/mydomain/privkey.pem`
-
-So to use from bitwarden container:
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_TLS='{certs="/ssl/live/mydomain/fullchain.pem",key="/ssl/live/mydomain/privkey.pem"}' \
-  -v /etc/letsencrypt/:/ssl/ \
-  -v /bw-data/:/data/ \
-  -p 443:80 \
-  mprasil/bitwarden:latest
-```
-### Enabling WebSocket notifications
-*Important: This does not apply to the mobile clients, which use push notifications.*
-
-To enable WebSockets notifications, an external reverse proxy is necessary, and it must be configured to do the following:
- Route the `/notifications/hub` endpoint to the WebSocket server, by default at port `3012`, making sure to pass the `Connection` and `Upgrade` headers. (Note the port can be changed with `WEBSOCKET_PORT` variable)
- Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`.
- If using Docker, you may need to map both ports with the `-p` flag
-
-Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file.
-
-Then you need to enable WebSockets negotiation on the bitwarden_rs side by setting the `WEBSOCKET_ENABLED` variable to `true`:
-
-```sh
-docker run -d --name bitwarden \
-  -e WEBSOCKET_ENABLED=true \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  -p 3012:3012 \
-  mprasil/bitwarden:latest
-```
-
-Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port.
-
-### Enabling U2F authentication
-To enable U2F authentication, you must be serving bitwarden_rs from an HTTPS domain with a valid certificate (Either using the included
-HTTPS options or with a reverse proxy). We recommend using a free certificate from Let's Encrypt.
-
-After that, you need to set the `DOMAIN` environment variable to the same address from where bitwarden_rs is being served:
-
-```sh
-docker run -d --name bitwarden \
-  -e DOMAIN=https://bw.domain.tld \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note that the value has to include the `https://` and it may include a port at the end (in the format of `https://bw.domain.tld:port`) when not using `443`.
-
-### Enabling YubiKey OTP authentication
-To enable YubiKey authentication, you must set the `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` env variables.
-
-If `YUBICO_SERVER` is not specified, it will use the default YubiCloud servers. You can generate `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` for the default YubiCloud [here](https://upgrade.yubico.com/getapikey/).
-
-Note: In order to generate API keys or use a YubiKey with an OTP server, it must be registered. After configuring your key in the [YubiKey Personalization Tool](https://www.yubico.com/products/services-software/personalization-tools/use/), you can register it with the default servers [here](https://upload.yubico.com/).
-
-```sh
-docker run -d --name bitwarden \
-  -e YUBICO_CLIENT_ID=12345 \
-  -e YUBICO_SECRET_KEY=ABCDEABCDEABCDEABCDE= \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-### Changing persistent data location
-
-#### /data prefix:
-
-By default all persistent data is saved under `/data`, you can override this path by setting the `DATA_FOLDER` env variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e DATA_FOLDER=/persistent \
-  -v /bw-data/:/persistent/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Notice, that you need to adapt your volume mount accordingly.
-
-#### database name and location
-
-Default is `$DATA_FOLDER/db.sqlite3`, you can change the path specifically for database using `DATABASE_URL` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e DATABASE_URL=/database/bitwarden.sqlite3 \
-  -v /bw-data/:/data/ \
-  -v /bw-database/:/database/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that you need to remember to mount the volume for both database and other persistent data if they are different.
-
-#### attachments location
-
-Default is `$DATA_FOLDER/attachments`, you can change the path using `ATTACHMENTS_FOLDER` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e ATTACHMENTS_FOLDER=/attachments \
-  -v /bw-data/:/data/ \
-  -v /bw-attachments/:/attachments/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that you need to remember to mount the volume for both attachments and other persistent data if they are different.
-
-#### icons cache
-
-Default is `$DATA_FOLDER/icon_cache`, you can change the path using `ICON_CACHE_FOLDER` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e ICON_CACHE_FOLDER=/icon_cache \
-  -v /bw-data/:/data/ \
-  -v /icon_cache/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note, that in the above example we don't mount the volume locally, which means it won't be persisted during the upgrade unless you use intermediate data container using `--volumes-from`. This will impact performance as bitwarden will have to re-download the icons on restart, but might save you from having stale icons in cache as they are not automatically cleaned.
-
-### Changing the API request size limit
-
-By default the API calls are limited to 10MB. This should be sufficient for most cases, however if you want to support large imports, this might be limiting you. On the other hand you might want to limit the request size to something smaller than that to prevent API abuse and possible DOS attack, especially if running with limited resources.
-
-To set the limit, you can use the `ROCKET_LIMITS` variable. Example here shows 10MB limit for posted json in the body (this is the default):
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_LIMITS={json=10485760} \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-### Changing the number of workers
-
-When you run bitwarden_rs, it spawns `2 * <number of cpu cores>` workers to handle requests. On some systems this might lead to low number of workers and hence slow performance, so the default in the docker image is changed to spawn 10 threads. You can override this setting to increase or decrease the number of workers by setting the `ROCKET_WORKERS` variable.
-
-In the example below, we're starting with 20 workers:
-
-```sh
-docker run -d --name bitwarden \
-  -e ROCKET_WORKERS=20 \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-### SMTP configuration
-
-You can configure bitwarden_rs to send emails via a SMTP agent:
-
-```sh
-docker run -d --name bitwarden \
-  -e SMTP_HOST=<smtp.domain.tld> \
-  -e SMTP_FROM=<bitwarden@domain.tld> \
-  -e SMTP_PORT=587 \
-  -e SMTP_SSL=true \
-  -e SMTP_USERNAME=<username> \
-  -e SMTP_PASSWORD=<password> \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-When `SMTP_SSL` is set to `true`(this is the default), only TLSv1.1 and TLSv1.2 protocols will be accepted and `SMTP_PORT` will default to `587`. If set to `false`, `SMTP_PORT` will default to `25` and the connection won't be encrypted. This can be very insecure, use this setting only if you know what you're doing.
-
-### Password hint display
-
-Usually, password hints are sent by email. But as bitwarden_rs is made with small or personal deployment in mind, hints are also available from the password hint page, so you don't have to configure an email service. If you want to disable this feature, you can use the `SHOW_PASSWORD_HINT` variable:
-
-```sh
-docker run -d --name bitwarden \
-  -e SHOW_PASSWORD_HINT=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-### Disabling or overriding the Vault interface hosting
-
-As a convenience bitwarden_rs image will also host static files for Vault web interface. You can disable this static file hosting completely by setting the WEB_VAULT_ENABLED variable.
-
-```sh
-docker run -d --name bitwarden \
-  -e WEB_VAULT_ENABLED=false \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-Alternatively you can override the Vault files and provide your own static files to host. You can do that by mounting a path with your files over the `/web-vault` directory in the container. Just make sure the directory contains at least `index.html` file.
-
-```sh
-docker run -d --name bitwarden \
-  -v /path/to/static/files_directory:/web-vault \
-  -v /bw-data/:/data/ \
-  -p 80:80 \
-  mprasil/bitwarden:latest
-```
-
-Note that you can also change the path where bitwarden_rs looks for static files by providing the `WEB_VAULT_FOLDER` environment variable with the path.
-
-### Other configuration
-
-Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
-
-### Fail2Ban Setup
-
-Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban.
-
-#### Logging Failed Login Attempts to Syslog
-
-We need to set the logging driver to syslog so the host OS and Fail2Ban can see them.
-
-If you are using docker commands, you will need to add: `--log-driver syslog --log-opt tag=$TAG` to your command.
-
-If you are using docker-compose, add this to you yaml file:
-```
-  bitwarden:
-    logging:
-      driver: "syslog"
-      options:
-        tag: "$TAG"
-```
-With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file:
-```
-MMM DD hh:mm:ss server-hostname $TAG[773]: [YYYY-MM-DD][hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com.
-```
-You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter.
-
-#### Fail2Ban Filter
-
-Create the filter file
-```
-sudo nano /etc/fail2ban/filter.d/bitwarden.conf
-```
-And add the following
-```
-[INCLUDES]
-before = common.conf
-
-[Definition]
-_daemon = $TAG
-failregex = ^%(__prefix_line)s.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
-ignoreregex =
-```
-Dont forget to change the '$TAG' to what you set it as from above.
-
-#### Fail2Ban Jail
-
-Now we need the jail, create the jail file
-```
-sudo nano /etc/fail2ban/jail.d/bitwarden.local
-```
-and add:
-```
-[bitwarden]
-enabled = true
-port = 80,443,8081
-filter = bitwarden
-action = iptables-allports[name=bitwarden]
-logpath = /var/log/syslog
-maxretry = 3
-bantime = 14400
-findtime = 14400
-```
-Feel free to change the options as you see fit.
-
-#### Testing Fail2Ban
-
-Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format)
-If it works correctly and your IP is banned, you can unban the ip by running:
-```
-sudo fail2ban-client unban XX.XX.XX.XX bitwarden
-```
-
-### Running with systemd-docker
-
-These instructions allow you to have systemd manage the lifecycle of the docker container, if you prefer.
-
-First, install the `systemd-docker` package using your system package manager.
-This is a wrapper which improves docker integration with systemd.
-
-For full instructions and configuration options, see the [GitHub repository](https://github.com/ibuildthecloud/systemd-docker).
-
-As root, create `/etc/systemd/system/bitwarden.service` using your preferred editor with the following contents:
-
-```ini
-[Unit]
-Description=Bitwarden
-After=docker.service
-Requires=docker.service
-
-[Service]
-TimeoutStartSec=0
-ExecStartPre=/usr/bin/docker pull mprasil/bitwarden:latest
-ExecStart=/usr/bin/systemd-docker --cgroups name=systemd --env run \
-  -p 8080:80 \
-  -p 8081:3012 \
-  -v /opt/bw-data:/data/ \
-  --rm --name %n mprasil/bitwarden:latest
-Restart=always
-RestartSec=10s
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
-```
-
-Adjust the above example as necessary. In particular, pay attention to the `-p` and `-v` options,
-as these control the port and volume bindings between the container and the host.
-
-Explanation of options which may not be self-explanatory:
-
- A `TimeoutStartSec` value of 0 stops systemd from considering the service failed
-  after waiting for the default startup time. This is required as it may take a while for the `docker pull` in `ExecStartPre` to finish.
- `ExecStartPre`: Pull the docker tag before running.
- A `Type` value of `notify` tells systemd to expect a notification from the service that it is ready.
- A `NotifyAccess` value of `all` is required by `systemd-docker`.
-
-#### Setting environment variables
-
-It's possible to directly specify environment variables in the unit file in two ways:
-
- Using an `Environment` directive in the `[Service]` block.
- Using the `-e` option of `docker`. In this case, you can omit the `--env` option shown in the example above.
-
-To verify that your environment variables are set correctly, check the output of `systemctl show bitwarden.service`
-for an `Environment` line.
-
-It's also possible to store environment variables in a separate file using the `EnvironmentFile` directive in the unit file.
-
-Systemd can source a file of the form:
-
-```shell
-Key="Value"
-```
-
-However, the systemd project does not mandate where this file should be stored. Consult your distribution's documentation for the
-best location for this file. For example, RedHat based distributions typically place these files in `/etc/sysconfig/`
-
-If you're unsure, just create a file as root in `/etc/` e.g. `/etc/bitwarden.service.conf`.
-
-In your unit file, add an `EnvironmentFile` directive in the `[Service]` block, the value being the full path to the
-file created above. Example:
-
-```ini
-[Unit]
-Description=Bitwarden
-After=docker.service
-Requires=docker.service
-
-[Service]
-EnvironmentFile=/etc/bitwarden.service.conf
-TimeoutStartSec=0
-snip-
-```
-
-#### Running the service
-
-After the above installation and configuration is complete, reload systemd using `sudo systemctl daemon-reload`.
-Then, start the Bitwarden service using `sudo systemctl start bitwarden`.
-
-To have the service start with the system, use `sudo systemctl enable bitwarden`.
-
-Verify that the container has started using `systemctl status bitwarden`.
-
-## Building your own image
-
-Clone the repository, then from the root of the repository run:
-
-```sh
-# Build the docker image:
-docker build -t bitwarden_rs .
-```
-
-## Building binary
-
-For building binary outside the Docker environment and running it locally without docker, please see [build instructions](https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md).
-
-## Available packages
-
-### Arch Linux
-
-Bitwarden_rs is already packaged for Archlinux thanks to @mqus. There is an [AUR package](https://aur.archlinux.org/packages/bitwarden_rs) (optionally with the [vault web interface](https://aur.archlinux.org/packages/bitwarden_rs-vault/) ) available.
-
-## Kubernetes deployment
-
-Please check the [kubernetes-bitwarden_rs](https://github.com/icicimov/kubernetes-bitwarden_rs) repository for example deployment in Kubernetes.
-It will setup a fully functional and secure `bitwarden_rs` application in Kubernetes behind [nginx-ingress-controller](https://github.com/kubernetes/ingress-nginx) and AWS [ELBv1](https://aws.amazon.com/elasticloadbalancing/features/#Details_for_Elastic_Load_Balancing_Products). It provides little bit more than just simple deployment but you can use all or just part of the manifests depending on your needs and setup.
-
-## Backing up your vault
-
-### 1. the sqlite3 database
-
-The sqlite3 database should be backed up using the proper sqlite3 backup command. This will ensure the database does not become corrupted if the backup happens during a database write.
-
-```
-mkdir $DATA_FOLDER/db-backup
-sqlite3 /$DATA_FOLDER/db.sqlite3 ".backup '/$DATA_FOLDER/db-backup/backup.sqlite3'"
-```
-
-This command can be run via a CRON job everyday, however note that it will overwrite the same `backup.sqlite3` file each time. This backup file should therefore be saved via incremental backup either using a CRON job command that appends a timestamp or from another backup app such as Duplicati. To restore simply overwrite `db.sqlite3` with `backup.sqlite3` (while bitwarden_rs is stopped).
-
-Running the above command requires sqlite3 to be installed on the docker host system. You can achieve the same result with a sqlite3 docker container using the following command.
-```
-docker run --rm --volumes-from=bitwarden bruceforce/bw_backup /backup.sh
-```
-
-You can also run a container with integrated cron daemon to automatically backup your database. See https://gitlab.com/1O/bitwarden_rs-backup for examples.
-
-### 2. the attachments folder
-
-By default, this is located in `$DATA_FOLDER/attachments`
-
-### 3. the key files
-
-This is optional, these are only used to store tokens of users currently logged in, deleting them would simply log each user out forcing them to log in again. By default, these are located in the `$DATA_FOLDER` (by default /data in the docker). There are 3 files: rsa_key.der, rsa_key.pem, rsa_key.pub.der.
-
-### 4. Icon Cache
-
-This is optional, the icon cache can re-download itself however if you have a large cache, it may take a long time. By default it is located in `$DATA_FOLDER/icon_cache`
-
-## Running the server with non-root user
-
-The root user inside the container is already pretty limited in what it can do, so the default setup should be secure enough. However if you wish to go the extra mile to avoid using root even in container, here's how you can do that:
-
-  1. Create a data folder that's owned by non-root user, so you can use that user to write persistent data. Get the user `id`. In linux you can run `stat <folder_name>` to get/verify the owner ID.
-  2. When you run the container, you need to provide the user ID as one of the parameters. Note that this needs to be in the numeric form and not the username, because docker would try to find such user-defined inside the image, which would likely not be there or it would have different ID than your local user and hence wouldn't be able to write the persistent data. This can be done with the `--user` parameter.
-  3. bitwarden_rs listens on port `80` inside the container by default, this [won't work with non-root user](https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html), because regular users aren't allowed to open port below `1024`. To overcome this, you need to configure server to listen on a different port, you can use `ROCKET_PORT` to do that.
-
-Here's sample docker run, that uses user with id `1000` and with the port redirection configured, so that inside container the service is listening on port `8080` and docker translates that to external (host) port `80`:
-
-```sh
-docker run -d --name bitwarden \
-  --user 1000 \
-  -e ROCKET_PORT=8080 \
-  -v /bw-data/:/data/ \
-  -p 80:8080 \
-  mprasil/bitwarden:latest
-```
-
-## Differences from upstream API implementation
-
-### Changing user email
-
-Because we don't have any SMTP functionality at the moment, there's no way to deliver the verification token when you try to change the email. User just needs to enter any random token to continue and the change will be applied.
-
-### Creating organization
-
-We use upstream Vault interface directly without any (significant) changes, this is why user is presented with paid options when creating organization. To create an organization, just use the free option, none of the limits apply when using bitwarden_rs as back-end API and after the organization is created it should behave like Enterprise organization.
-
-### Inviting users into organization
-
-The invited users won't get the invitation email, instead all already registered users will appear in the interface as if they already accepted the invitation. Organization admin then just needs to confirm them to be proper Organization members and to give them access to the shared secrets.
-
-Invited users, that aren't registered yet will show up in the Organization admin interface as "Invited". At the same time an invitation record is created that allows the users to register even if [user registration is disabled](#disable-registration-of-new-users). (unless you [disable this functionality](#disable-invitations)) They will automatically become "Accepted" once they register. From there Organization admin can confirm them to give them access to Organization.
-
-### Running on unencrypted connection
-
-It is strongly recommended to run bitwarden_rs service over HTTPS. However the server itself while [supporting it](#enabling-https) does not strictly require such setup. This makes it a bit easier to spin up the service in cases where you can generally trust the connection (internal and secure network, access over VPN,..) or when you want to put the service behind HTTP proxy, that will do the encryption on the proxy end.
-
-Running over HTTP is still reasonably secure provided you use really strong master password and that you avoid using web Vault over connection that is vulnerable to MITM attacks where attacker could inject javascript into your interface. However some forms of 2FA might not work in this setup and [Vault doesn't work in this configuration in Chrome](https://github.com/bitwarden/web/issues/254).
+## Usage
+See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) for more information on how to configure and run the bitwarden_rs server.

 ## Get in touch

--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -0,0 +1,25 @@
+pool:
+  vmImage: 'Ubuntu-16.04'
+
+steps:
+- script: |
+    ls -la
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain)
+    echo "##vso[task.prependpath]$HOME/.cargo/bin"
+  displayName: 'Install Rust'
+
+- script: |
+    sudo apt-get update
+    sudo apt-get install -y libmysql++-dev
+  displayName: Install libmysql
+
+- script: |
+    rustc -Vv
+    cargo -V
+  displayName: Query rust and cargo versions
+
+- script : cargo build --features "sqlite"
+  displayName: 'Build project with sqlite backend'
+
+- script : cargo build --features "mysql"
+  displayName: 'Build project with mysql backend'
--- a/build.rs
+++ b/build.rs
@@ -0,0 +1,63 @@
+use std::process::Command;
+
+fn main() {
+    #[cfg(all(feature = "sqlite", feature = "mysql"))]
+    compile_error!("Can't enable both backends");
+
+    #[cfg(not(any(feature = "sqlite", feature = "mysql")))]
+    compile_error!("You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite");
+
+    read_git_info().ok();
+}
+
+fn run(args: &[&str]) -> Result<String, std::io::Error> {
+    let out = Command::new(args[0]).args(&args[1..]).output()?;
+    if !out.status.success() {
+        use std::io::{Error, ErrorKind};
+        return Err(Error::new(ErrorKind::Other, "Command not successful"));
+    }
+    Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
+}
+
+/// This method reads info from Git, namely tags, branch, and revision
+fn read_git_info() -> Result<(), std::io::Error> {
+    // The exact tag for the current commit, can be empty when
+    // the current commit doesn't have an associated tag
+    let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok();
+    if let Some(ref exact) = exact_tag {
+        println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact);
+    }
+
+    // The last available tag, equal to exact_tag when
+    // the current commit is tagged
+    let last_tag = run(&["git", "describe", "--abbrev=0", "--tags"])?;
+    println!("cargo:rustc-env=GIT_LAST_TAG={}", last_tag);
+
+    // The current branch name
+    let branch = run(&["git", "rev-parse", "--abbrev-ref", "HEAD"])?;
+    println!("cargo:rustc-env=GIT_BRANCH={}", branch);
+
+    // The current git commit hash
+    let rev = run(&["git", "rev-parse", "HEAD"])?;
+    let rev_short = rev.get(..8).unwrap_or_default();
+    println!("cargo:rustc-env=GIT_REV={}", rev_short);
+
+    // Combined version
+    let version = if let Some(exact) = exact_tag {
+        exact
+    } else if &branch != "master" {
+        format!("{}-{} ({})", last_tag, rev_short, branch)
+    } else {
+        format!("{}-{}", last_tag, rev_short)
+    };
+    println!("cargo:rustc-env=GIT_VERSION={}", version);
+
+    // To access these values, use:
+    //    env!("GIT_EXACT_TAG")
+    //    env!("GIT_LAST_TAG")
+    //    env!("GIT_BRANCH")
+    //    env!("GIT_REV")
+    //    env!("GIT_VERSION")
+
+    Ok(())
+}
--- a/docker/aarch64/mysql/Dockerfile
+++ b/docker/aarch64/mysql/Dockerfile
@@ -2,29 +2,35 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine as vault
+FROM alpine:3.10 as vault

-ENV VAULT_VERSION "v2.7.1"
+ENV VAULT_VERSION "v2.11.0"

 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

-RUN apk add --update-cache --upgrade \
+RUN apk add --no-cache --upgrade \
    curl \
    tar

 RUN mkdir /web-vault
 WORKDIR /web-vault

+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
 RUN curl -L $URL | tar xz
 RUN ls

 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust as build
+FROM rust:1.36 as build
+
+# set mysql backend
+ARG DB=mysql

 RUN apt-get update \
    && apt-get install -y \
+        --no-install-recommends \
        gcc-aarch64-linux-gnu \
    && mkdir -p ~/.cargo \
    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
@@ -41,8 +47,10 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
    && dpkg --add-architecture arm64 \
    && apt-get update \
    && apt-get install -y \
+        --no-install-recommends \
        libssl-dev:arm64 \
-        libc6-dev:arm64
+        libc6-dev:arm64 \
+        libmariadb-dev:arm64

 ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
 ENV CROSS_COMPILE="1"
@@ -55,7 +63,7 @@ COPY . .

 # Build
 RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v

 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -69,10 +77,11 @@ ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]

 # Install needed libraries
-RUN apt-get update && apt-get install -y\
-    openssl\
-    ca-certificates\
-    --no-install-recommends\
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
 && rm -rf /var/lib/apt/lists/*

 RUN mkdir /data
@@ -82,12 +91,11 @@ RUN [ "cross-build-end" ]
 VOLUME /data
 EXPOSE 80

-# Copies the files from the context (env file and web-vault)
+# Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
-COPY .env .
 COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .

 # Configures the startup!
-CMD ./bitwarden_rs
+CMD ["./bitwarden_rs"]
--- a/docker/aarch64/sqlite/Dockerfile
+++ b/docker/aarch64/sqlite/Dockerfile
@@ -0,0 +1,101 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.11.0"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.36 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl arm64 libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64 \
+        libmariadb-dev:arm64
+
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ["./bitwarden_rs"]
--- a/docker/amd64/mysql/Dockerfile
+++ b/docker/amd64/mysql/Dockerfile
@@ -0,0 +1,98 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.11.0"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.36 as build
+
+# set mysql backend
+ARG DB=mysql
+
+# Using bundled SQLite, no need to install it
+# RUN apt-get update && apt-get install -y\
+#    --no-install-recommends \
+#    sqlite3\
+# && rm -rf /var/lib/apt/lists/*
+
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:stretch-slim
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build app/target/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ["./bitwarden_rs"]
--- a/docker/amd64/mysql/Dockerfile.alpine
+++ b/docker/amd64/mysql/Dockerfile.alpine
@@ -2,28 +2,39 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine as vault
+FROM alpine:3.10 as vault

-ENV VAULT_VERSION "v2.7.1"
+ENV VAULT_VERSION "v2.11.0"

 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

-RUN apk add --update-cache --upgrade \
+RUN apk add --no-cache --upgrade \
    curl \
    tar

 RUN mkdir /web-vault
 WORKDIR /web-vault

+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
 RUN curl -L $URL | tar xz
 RUN ls

 ########################## BUILD IMAGE  ##########################
 # Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2018-12-01 as build
+FROM clux/muslrust:nightly-2019-07-08 as build
+
+# set mysql backend
+ARG DB=mysql

 ENV USER "root"

+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmysqlclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app

 # Copies the complete project
@@ -32,13 +43,16 @@ COPY . .

 RUN rustup target add x86_64-unknown-linux-musl

+# Make sure that we actually build the project
+RUN touch src/main.rs
+
 # Build
-RUN cargo build --release
+RUN cargo build --features ${DB} --release

 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.8
+FROM alpine:3.10

 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@@ -46,22 +60,21 @@ ENV ROCKET_WORKERS=10
 ENV SSL_CERT_DIR=/etc/ssl/certs

 # Install needed libraries
-RUN apk add \
-        openssl\
-        ca-certificates \
-    && rm /var/cache/apk/*
+RUN apk add --no-cache \
+        openssl \
+        mariadb-connector-c \
+        ca-certificates

 RUN mkdir /data
 VOLUME /data
 EXPOSE 80
 EXPOSE 3012

-# Copies the files from the context (env file and web-vault)
+# Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
-COPY .env .
 COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .

 # Configures the startup!
-CMD ./bitwarden_rs
+CMD ["./bitwarden_rs"]
--- a/docker/amd64/sqlite/Dockerfile
+++ b/docker/amd64/sqlite/Dockerfile
@@ -0,0 +1,98 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.11.0"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.36 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+# Using bundled SQLite, no need to install it
+# RUN apt-get update && apt-get install -y\
+#    --no-install-recommends \
+#    sqlite3 \
+# && rm -rf /var/lib/apt/lists/*
+
+# Install MySQL package
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:stretch-slim
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build app/target/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ["./bitwarden_rs"]
--- a/docker/amd64/sqlite/Dockerfile.alpine
+++ b/docker/amd64/sqlite/Dockerfile.alpine
@@ -0,0 +1,80 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.11.0"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# Musl build image for statically compiled binary
+FROM clux/muslrust:nightly-2019-07-08 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+ENV USER "root"
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmysqlclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Build
+RUN cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.10
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        mariadb-connector-c \
+        ca-certificates
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ["./bitwarden_rs"]
--- a/docker/armv6/mysql/Dockerfile
+++ b/docker/armv6/mysql/Dockerfile
@@ -0,0 +1,101 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.11.0"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.36 as build
+
+# set mysql backend
+ARG DB=mysql
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armel libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel \
+        libmariadb-dev:armel
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add arm-unknown-linux-gnueabi
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ["./bitwarden_rs"]
--- a/docker/armv6/sqlite/Dockerfile
+++ b/docker/armv6/sqlite/Dockerfile
@@ -0,0 +1,101 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.11.0"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.36 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armel libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel \
+        libmariadb-dev:armel
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add arm-unknown-linux-gnueabi
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ["./bitwarden_rs"]
--- a/docker/armv7/mysql/Dockerfile
+++ b/docker/armv7/mysql/Dockerfile
@@ -2,29 +2,35 @@
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine as vault
+FROM alpine:3.10 as vault

-ENV VAULT_VERSION "v2.7.1"
+ENV VAULT_VERSION "v2.11.0"

 ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"

-RUN apk add --update-cache --upgrade \
+RUN apk add --no-cache --upgrade \
    curl \
    tar

 RUN mkdir /web-vault
 WORKDIR /web-vault

+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
 RUN curl -L $URL | tar xz
 RUN ls

 ########################## BUILD IMAGE  ##########################
 # We need to use the Rust build image, because
 # we need the Rust compiler and Cargo tooling
-FROM rust as build
+FROM rust:1.36 as build
+
+# set mysql backend
+ARG DB=mysql

 RUN apt-get update \
    && apt-get install -y \
+        --no-install-recommends \
        gcc-arm-linux-gnueabihf \
    && mkdir -p ~/.cargo \
    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
@@ -41,8 +47,11 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
    && dpkg --add-architecture armhf \
    && apt-get update \
    && apt-get install -y \
+        --no-install-recommends \
        libssl-dev:armhf \
-        libc6-dev:armhf
+        libc6-dev:armhf \
+        libmariadb-dev:armhf
+

 ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
 ENV CROSS_COMPILE="1"
@@ -55,7 +64,7 @@ COPY . .

 # Build
 RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v

 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
@@ -69,11 +78,12 @@ ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]

 # Install needed libraries
-RUN apt-get update && apt-get install -y\
-    openssl\
-    ca-certificates\
-    --no-install-recommends\
- && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*

 RUN mkdir /data

@@ -82,12 +92,11 @@ RUN [ "cross-build-end" ]
 VOLUME /data
 EXPOSE 80

-# Copies the files from the context (env file and web-vault)
+# Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
-COPY .env .
 COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .

 # Configures the startup!
-CMD ./bitwarden_rs
+CMD ["./bitwarden_rs"]
--- a/docker/armv7/sqlite/Dockerfile
+++ b/docker/armv7/sqlite/Dockerfile
@@ -0,0 +1,101 @@
+# Using multistage build: 
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+FROM alpine:3.10 as vault
+
+ENV VAULT_VERSION "v2.11.0"
+
+ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
+
+RUN apk add --no-cache --upgrade \
+    curl \
+    tar
+
+RUN mkdir /web-vault
+WORKDIR /web-vault
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN curl -L $URL | tar xz
+RUN ls
+
+########################## BUILD IMAGE  ##########################
+# We need to use the Rust build image, because
+# we need the Rust compiler and Cargo tooling
+FROM rust:1.36 as build
+
+# set sqlite as default for DB ARG for backward comaptibility
+ARG DB=sqlite
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+WORKDIR /app
+
+# Prepare openssl armhf libs
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf \
+        libmariadb-dev:armhf
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Build
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:stretch
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    libmariadbclient-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]  
+
+VOLUME /data
+EXPOSE 80
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+
+# Configures the startup!
+CMD ["./bitwarden_rs"]
--- a/docker/set-vault-baseurl.patch
+++ b/docker/set-vault-baseurl.patch
@@ -1,27 +0,0 @@
--- a/src/app/services/services.module.ts
-+++ b/src/app/services/services.module.ts
-@@ -120,20 +120,16 @@ const notificationsService = new NotificationsService(userService, syncService,
- const environmentService = new EnvironmentService(apiService, storageService, notificationsService);
- const auditService = new AuditService(cryptoFunctionService, apiService);
- 
-const analytics = new Analytics(window, () => platformUtilsService.isDev() || platformUtilsService.isSelfHost(),
-+const analytics = new Analytics(window, () => platformUtilsService.isDev() || platformUtilsService.isSelfHost() || true,
-     platformUtilsService, storageService, appIdService);
- containerService.attachToWindow(window);
- 
- export function initFactory(): Function {
-     return async () => {
-         await (storageService as HtmlStorageService).init();
-        const isDev = platformUtilsService.isDev();
-        if (!isDev && platformUtilsService.isSelfHost()) {
-            environmentService.baseUrl = window.location.origin;
-        } else {
-            environmentService.notificationsUrl = isDev ? 'http://localhost:61840' :
-                'https://notifications.bitwarden.com'; // window.location.origin + '/notifications';
-        }
-+        const isDev = false;
-+        environmentService.baseUrl = window.location.origin;
-+        environmentService.notificationsUrl = window.location.origin + '/notifications';
-         apiService.setUrls({
-             base: isDev ? null : window.location.origin,
-             api: isDev ? 'http://localhost:4000' : null,
--- a/migrations/mysql/2018-01-14-171611_create_tables/down.sql
+++ b/migrations/mysql/2018-01-14-171611_create_tables/down.sql
--- a/migrations/mysql/2018-01-14-171611_create_tables/up.sql
+++ b/migrations/mysql/2018-01-14-171611_create_tables/up.sql
@@ -0,0 +1,62 @@
+CREATE TABLE users (
+  uuid                CHAR(36) NOT NULL PRIMARY KEY,
+  created_at          DATETIME NOT NULL,
+  updated_at          DATETIME NOT NULL,
+  email               VARCHAR(255) NOT NULL UNIQUE,
+  name                TEXT     NOT NULL,
+  password_hash       BLOB     NOT NULL,
+  salt                BLOB     NOT NULL,
+  password_iterations INTEGER  NOT NULL,
+  password_hint       TEXT,
+  `key`               TEXT     NOT NULL,
+  private_key         TEXT,
+  public_key          TEXT,
+  totp_secret         TEXT,
+  totp_recover        TEXT,
+  security_stamp      TEXT     NOT NULL,
+  equivalent_domains  TEXT     NOT NULL,
+  excluded_globals    TEXT     NOT NULL
+);
+
+CREATE TABLE devices (
+  uuid          CHAR(36) NOT NULL PRIMARY KEY,
+  created_at    DATETIME NOT NULL,
+  updated_at    DATETIME NOT NULL,
+  user_uuid     CHAR(36) NOT NULL REFERENCES users (uuid),
+  name          TEXT     NOT NULL,
+  type          INTEGER  NOT NULL,
+  push_token    TEXT,
+  refresh_token TEXT     NOT NULL
+);
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        DATETIME NOT NULL,
+  updated_at        DATETIME NOT NULL,
+  user_uuid         CHAR(36) NOT NULL REFERENCES users (uuid),
+  folder_uuid       CHAR(36) REFERENCES folders (uuid),
+  organization_uuid CHAR(36),
+  type              INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL
+);
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL
+
+);
+
+CREATE TABLE folders (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  created_at DATETIME NOT NULL,
+  updated_at DATETIME NOT NULL,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  name       TEXT     NOT NULL
+);
+  
--- a/migrations/mysql/2018-02-17-205753_create_collections_and_orgs/down.sql
+++ b/migrations/mysql/2018-02-17-205753_create_collections_and_orgs/down.sql
--- a/migrations/mysql/2018-02-17-205753_create_collections_and_orgs/up.sql
+++ b/migrations/mysql/2018-02-17-205753_create_collections_and_orgs/up.sql
@@ -0,0 +1,30 @@
+CREATE TABLE collections (
+  uuid     VARCHAR(40) NOT NULL PRIMARY KEY,
+  org_uuid VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name     TEXT NOT NULL
+);
+
+CREATE TABLE organizations (
+  uuid          VARCHAR(40) NOT NULL PRIMARY KEY,
+  name          TEXT NOT NULL,
+  billing_email TEXT NOT NULL
+);
+
+CREATE TABLE users_collections (
+  user_uuid       CHAR(36) NOT NULL REFERENCES users (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (user_uuid, collection_uuid)
+);
+
+CREATE TABLE users_organizations (
+  uuid       CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid  CHAR(36) NOT NULL REFERENCES users (uuid),
+  org_uuid   CHAR(36) NOT NULL REFERENCES organizations (uuid),
+
+  access_all BOOLEAN NOT NULL,
+  `key`      TEXT    NOT NULL,
+  status     INTEGER NOT NULL,
+  type       INTEGER NOT NULL,
+
+  UNIQUE (user_uuid, org_uuid)
+);
--- a/migrations/mysql/2018-04-27-155151_create_users_ciphers/down.sql
+++ b/migrations/mysql/2018-04-27-155151_create_users_ciphers/down.sql
--- a/migrations/mysql/2018-04-27-155151_create_users_ciphers/up.sql
+++ b/migrations/mysql/2018-04-27-155151_create_users_ciphers/up.sql
@@ -0,0 +1,34 @@
+ALTER TABLE ciphers RENAME TO oldCiphers;
+
+CREATE TABLE ciphers (
+  uuid              CHAR(36) NOT NULL PRIMARY KEY,
+  created_at        DATETIME NOT NULL,
+  updated_at        DATETIME NOT NULL,
+  user_uuid         CHAR(36) REFERENCES users (uuid), -- Make this optional
+  organization_uuid CHAR(36) REFERENCES organizations (uuid), -- Add reference to orgs table
+  -- Remove folder_uuid
+  type              INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  favorite          BOOLEAN  NOT NULL
+);
+
+CREATE TABLE folders_ciphers (
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  folder_uuid CHAR(36) NOT NULL REFERENCES folders (uuid),
+
+  PRIMARY KEY (cipher_uuid, folder_uuid)
+);
+
+INSERT INTO ciphers (uuid, created_at, updated_at, user_uuid, organization_uuid, type, name, notes, fields, data, favorite) 
+SELECT uuid, created_at, updated_at, user_uuid, organization_uuid, type, name, notes, fields, data, favorite FROM oldCiphers;
+
+INSERT INTO folders_ciphers (cipher_uuid, folder_uuid)
+SELECT uuid, folder_uuid FROM oldCiphers WHERE folder_uuid IS NOT NULL;
+
+
+DROP TABLE oldCiphers;
+
+ALTER TABLE users_collections ADD COLUMN read_only BOOLEAN NOT NULL DEFAULT 0; -- False
--- a/migrations/mysql/2018-05-08-161616_create_collection_cipher_map/down.sql
+++ b/migrations/mysql/2018-05-08-161616_create_collection_cipher_map/down.sql
--- a/migrations/mysql/2018-05-08-161616_create_collection_cipher_map/up.sql
+++ b/migrations/mysql/2018-05-08-161616_create_collection_cipher_map/up.sql
@@ -0,0 +1,5 @@
+CREATE TABLE ciphers_collections (
+  cipher_uuid       CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  collection_uuid CHAR(36) NOT NULL REFERENCES collections (uuid),
+  PRIMARY KEY (cipher_uuid, collection_uuid)
+);
--- a/migrations/mysql/2018-05-25-232323_update_attachments_reference/down.sql
+++ b/migrations/mysql/2018-05-25-232323_update_attachments_reference/down.sql
--- a/migrations/mysql/2018-05-25-232323_update_attachments_reference/up.sql
+++ b/migrations/mysql/2018-05-25-232323_update_attachments_reference/up.sql
@@ -0,0 +1,14 @@
+ALTER TABLE attachments RENAME TO oldAttachments;
+
+CREATE TABLE attachments (
+  id          CHAR(36) NOT NULL PRIMARY KEY,
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid),
+  file_name   TEXT    NOT NULL,
+  file_size   INTEGER NOT NULL
+
+);
+
+INSERT INTO attachments (id, cipher_uuid, file_name, file_size) 
+SELECT id, cipher_uuid, file_name, file_size FROM oldAttachments;
+
+DROP TABLE oldAttachments;
--- a/migrations/mysql/2018-06-01-112529_update_devices_twofactor_remember/down.sql
+++ b/migrations/mysql/2018-06-01-112529_update_devices_twofactor_remember/down.sql
--- a/migrations/mysql/2018-06-01-112529_update_devices_twofactor_remember/up.sql
+++ b/migrations/mysql/2018-06-01-112529_update_devices_twofactor_remember/up.sql
--- a/migrations/mysql/2018-07-11-181453_create_u2f_twofactor/down.sql
+++ b/migrations/mysql/2018-07-11-181453_create_u2f_twofactor/down.sql
--- a/migrations/mysql/2018-07-11-181453_create_u2f_twofactor/up.sql
+++ b/migrations/mysql/2018-07-11-181453_create_u2f_twofactor/up.sql
@@ -0,0 +1,15 @@
+CREATE TABLE twofactor (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  user_uuid CHAR(36) NOT NULL REFERENCES users (uuid),
+  type      INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (user_uuid, type)
+);
+
+
+INSERT INTO twofactor (uuid, user_uuid, type, enabled, data) 
+SELECT UUID(), uuid, 0, 1, u.totp_secret FROM users u where u.totp_secret IS NOT NULL;
+
+UPDATE users SET totp_secret = NULL; -- Instead of recreating the table, just leave the columns empty
--- a/migrations/mysql/2018-08-27-172114_update_ciphers/down.sql
+++ b/migrations/mysql/2018-08-27-172114_update_ciphers/down.sql
--- a/migrations/mysql/2018-08-27-172114_update_ciphers/up.sql
+++ b/migrations/mysql/2018-08-27-172114_update_ciphers/up.sql
--- a/migrations/mysql/2018-09-10-111213_add_invites/down.sql
+++ b/migrations/mysql/2018-09-10-111213_add_invites/down.sql
--- a/migrations/mysql/2018-09-10-111213_add_invites/up.sql
+++ b/migrations/mysql/2018-09-10-111213_add_invites/up.sql
@@ -0,0 +1,3 @@
+CREATE TABLE invitations (
+    email   VARCHAR(255) NOT NULL PRIMARY KEY
+);
--- a/migrations/mysql/2018-09-19-144557_add_kdf_columns/down.sql
+++ b/migrations/mysql/2018-09-19-144557_add_kdf_columns/down.sql
--- a/migrations/mysql/2018-09-19-144557_add_kdf_columns/up.sql
+++ b/migrations/mysql/2018-09-19-144557_add_kdf_columns/up.sql
--- a/migrations/mysql/2018-11-27-152651_add_att_key_columns/down.sql
+++ b/migrations/mysql/2018-11-27-152651_add_att_key_columns/down.sql
--- a/migrations/mysql/2018-11-27-152651_add_att_key_columns/up.sql
+++ b/migrations/mysql/2018-11-27-152651_add_att_key_columns/up.sql
@@ -0,0 +1,3 @@
+ALTER TABLE attachments
+    ADD COLUMN
+    `key` TEXT;
--- a/migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/down.sql
+++ b/migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/down.sql
@@ -0,0 +1,7 @@
+ALTER TABLE attachments CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE ciphers CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE devices CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE twofactor CHANGE COLUMN atype type INTEGER NOT NULL;
+ALTER TABLE users CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN akey `key` TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN atype type INTEGER NOT NULL;
--- a/migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/up.sql
+++ b/migrations/mysql/2019-05-26-216651_rename_key_and_type_columns/up.sql
@@ -0,0 +1,7 @@
+ALTER TABLE attachments CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE ciphers CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE devices CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE twofactor CHANGE COLUMN type atype INTEGER NOT NULL;
+ALTER TABLE users CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN `key` akey TEXT;
+ALTER TABLE users_organizations CHANGE COLUMN type atype INTEGER NOT NULL;
--- a/migrations/sqlite/2018-01-14-171611_create_tables/down.sql
+++ b/migrations/sqlite/2018-01-14-171611_create_tables/down.sql
@@ -0,0 +1,9 @@
+DROP TABLE users;
+
+DROP TABLE devices;
+
+DROP TABLE ciphers;
+
+DROP TABLE attachments;
+
+DROP TABLE folders;
--- a/migrations/sqlite/2018-01-14-171611_create_tables/up.sql
+++ b/migrations/sqlite/2018-01-14-171611_create_tables/up.sql
--- a/migrations/sqlite/2018-02-17-205753_create_collections_and_orgs/down.sql
+++ b/migrations/sqlite/2018-02-17-205753_create_collections_and_orgs/down.sql
@@ -0,0 +1,8 @@
+DROP TABLE collections;
+
+DROP TABLE organizations;
+
+
+DROP TABLE users_collections;
+
+DROP TABLE users_organizations;
--- a/migrations/sqlite/2018-02-17-205753_create_collections_and_orgs/up.sql
+++ b/migrations/sqlite/2018-02-17-205753_create_collections_and_orgs/up.sql
--- a/migrations/sqlite/2018-04-27-155151_create_users_ciphers/down.sql
+++ b/migrations/sqlite/2018-04-27-155151_create_users_ciphers/down.sql
--- a/migrations/sqlite/2018-04-27-155151_create_users_ciphers/up.sql
+++ b/migrations/sqlite/2018-04-27-155151_create_users_ciphers/up.sql
--- a/migrations/sqlite/2018-05-08-161616_create_collection_cipher_map/down.sql
+++ b/migrations/sqlite/2018-05-08-161616_create_collection_cipher_map/down.sql
@@ -0,0 +1 @@
+DROP TABLE ciphers_collections;
--- a/migrations/sqlite/2018-05-08-161616_create_collection_cipher_map/up.sql
+++ b/migrations/sqlite/2018-05-08-161616_create_collection_cipher_map/up.sql
--- a/migrations/sqlite/2018-05-25-232323_update_attachments_reference/down.sql
+++ b/migrations/sqlite/2018-05-25-232323_update_attachments_reference/down.sql
--- a/migrations/sqlite/2018-05-25-232323_update_attachments_reference/up.sql
+++ b/migrations/sqlite/2018-05-25-232323_update_attachments_reference/up.sql
--- a/migrations/sqlite/2018-06-01-112529_update_devices_twofactor_remember/down.sql
+++ b/migrations/sqlite/2018-06-01-112529_update_devices_twofactor_remember/down.sql
@@ -0,0 +1 @@
+-- This file should undo anything in `up.sql`
--- a/migrations/sqlite/2018-06-01-112529_update_devices_twofactor_remember/up.sql
+++ b/migrations/sqlite/2018-06-01-112529_update_devices_twofactor_remember/up.sql
@@ -0,0 +1,3 @@
+ALTER TABLE devices
+    ADD COLUMN
+    twofactor_remember TEXT;
--- a/migrations/sqlite/2018-07-11-181453_create_u2f_twofactor/down.sql
+++ b/migrations/sqlite/2018-07-11-181453_create_u2f_twofactor/down.sql
@@ -0,0 +1,8 @@
+UPDATE users
+SET totp_secret = (
+    SELECT twofactor.data FROM twofactor
+    WHERE twofactor.type = 0 
+    AND twofactor.user_uuid = users.uuid
+);
+
+DROP TABLE twofactor;
--- a/migrations/sqlite/2018-07-11-181453_create_u2f_twofactor/up.sql
+++ b/migrations/sqlite/2018-07-11-181453_create_u2f_twofactor/up.sql
--- a/migrations/sqlite/2018-08-27-172114_update_ciphers/down.sql
+++ b/migrations/sqlite/2018-08-27-172114_update_ciphers/down.sql
--- a/migrations/sqlite/2018-08-27-172114_update_ciphers/up.sql
+++ b/migrations/sqlite/2018-08-27-172114_update_ciphers/up.sql
@@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    password_history TEXT;
--- a/migrations/sqlite/2018-09-10-111213_add_invites/down.sql
+++ b/migrations/sqlite/2018-09-10-111213_add_invites/down.sql
@@ -0,0 +1 @@
+DROP TABLE invitations;
--- a/migrations/sqlite/2018-09-10-111213_add_invites/up.sql
+++ b/migrations/sqlite/2018-09-10-111213_add_invites/up.sql
--- a/migrations/sqlite/2018-09-19-144557_add_kdf_columns/down.sql
+++ b/migrations/sqlite/2018-09-19-144557_add_kdf_columns/down.sql
--- a/migrations/sqlite/2018-09-19-144557_add_kdf_columns/up.sql
+++ b/migrations/sqlite/2018-09-19-144557_add_kdf_columns/up.sql
@@ -0,0 +1,7 @@
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_type INTEGER NOT NULL DEFAULT 0; -- PBKDF2
+
+ALTER TABLE users
+    ADD COLUMN
+    client_kdf_iter INTEGER NOT NULL DEFAULT 5000;
--- a/migrations/sqlite/2018-11-27-152651_add_att_key_columns/down.sql
+++ b/migrations/sqlite/2018-11-27-152651_add_att_key_columns/down.sql
--- a/migrations/sqlite/2018-11-27-152651_add_att_key_columns/up.sql
+++ b/migrations/sqlite/2018-11-27-152651_add_att_key_columns/up.sql
--- a/migrations/sqlite/2019-05-26-216651_rename_key_and_type_columns/down.sql
+++ b/migrations/sqlite/2019-05-26-216651_rename_key_and_type_columns/down.sql
@@ -0,0 +1,7 @@
+ALTER TABLE attachments RENAME COLUMN akey TO key;
+ALTER TABLE ciphers RENAME COLUMN atype TO type;
+ALTER TABLE devices RENAME COLUMN atype TO type;
+ALTER TABLE twofactor RENAME COLUMN atype TO type;
+ALTER TABLE users RENAME COLUMN akey TO key;
+ALTER TABLE users_organizations RENAME COLUMN akey TO key;
+ALTER TABLE users_organizations RENAME COLUMN atype TO type;
--- a/migrations/sqlite/2019-05-26-216651_rename_key_and_type_columns/up.sql
+++ b/migrations/sqlite/2019-05-26-216651_rename_key_and_type_columns/up.sql
@@ -0,0 +1,7 @@
+ALTER TABLE attachments RENAME COLUMN key TO akey;
+ALTER TABLE ciphers RENAME COLUMN type TO atype;
+ALTER TABLE devices RENAME COLUMN type TO atype;
+ALTER TABLE twofactor RENAME COLUMN type TO atype;
+ALTER TABLE users RENAME COLUMN key TO akey;
+ALTER TABLE users_organizations RENAME COLUMN key TO akey;
+ALTER TABLE users_organizations RENAME COLUMN type TO atype;
--- a/2
+++ b/2
@@ -1 +1 @@
-nightly-2018-12-01
+nightly-2019-08-18
--- a/rustfmt.toml
+++ b/rustfmt.toml
@@ -0,0 +1 @@
+max_width = 120
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -0,0 +1,268 @@
+use serde_json::Value;
+use std::process::Command;
+
+use rocket::http::{Cookie, Cookies, SameSite};
+use rocket::request::{self, FlashMessage, Form, FromRequest, Request};
+use rocket::response::{content::Html, Flash, Redirect};
+use rocket::{Outcome, Route};
+use rocket_contrib::json::Json;
+
+use crate::api::{ApiResult, EmptyResult, JsonResult};
+use crate::auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp};
+use crate::config::ConfigBuilder;
+use crate::db::{backup_database, models::*, DbConn};
+use crate::error::Error;
+use crate::mail;
+use crate::CONFIG;
+
+pub fn routes() -> Vec<Route> {
+    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
+        return routes![admin_disabled];
+    }
+
+    routes![
+        admin_login,
+        get_users,
+        post_admin_login,
+        admin_page,
+        invite_user,
+        delete_user,
+        deauth_user,
+        remove_2fa,
+        update_revision_users,
+        post_config,
+        delete_config,
+        backup_db,
+    ]
+}
+
+lazy_static! {
+    static ref CAN_BACKUP: bool = cfg!(feature = "sqlite") && Command::new("sqlite").arg("-version").status().is_ok();
+}
+
+#[get("/")]
+fn admin_disabled() -> &'static str {
+    "The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it"
+}
+
+const COOKIE_NAME: &str = "BWRS_ADMIN";
+const ADMIN_PATH: &str = "/admin";
+
+const BASE_TEMPLATE: &str = "admin/base";
+const VERSION: Option<&str> = option_env!("GIT_VERSION");
+
+#[get("/", rank = 2)]
+fn admin_login(flash: Option<FlashMessage>) -> ApiResult<Html<String>> {
+    // If there is an error, show it
+    let msg = flash.map(|msg| format!("{}: {}", msg.name(), msg.msg()));
+    let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg});
+
+    // Return the page
+    let text = CONFIG.render_template(BASE_TEMPLATE, &json)?;
+    Ok(Html(text))
+}
+
+#[derive(FromForm)]
+struct LoginForm {
+    token: String,
+}
+
+#[post("/", data = "<data>")]
+fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -> Result<Redirect, Flash<Redirect>> {
+    let data = data.into_inner();
+
+    // If the token is invalid, redirect to login page
+    if !_validate_token(&data.token) {
+        error!("Invalid admin token. IP: {}", ip.ip);
+        Err(Flash::error(
+            Redirect::to(ADMIN_PATH),
+            "Invalid admin token, please try again.",
+        ))
+    } else {
+        // If the token received is valid, generate JWT and save it as a cookie
+        let claims = generate_admin_claims();
+        let jwt = encode_jwt(&claims);
+
+        let cookie = Cookie::build(COOKIE_NAME, jwt)
+            .path(ADMIN_PATH)
+            .max_age(chrono::Duration::minutes(20))
+            .same_site(SameSite::Strict)
+            .http_only(true)
+            .finish();
+
+        cookies.add(cookie);
+        Ok(Redirect::to(ADMIN_PATH))
+    }
+}
+
+fn _validate_token(token: &str) -> bool {
+    match CONFIG.admin_token().as_ref() {
+        None => false,
+        Some(t) => crate::crypto::ct_eq(t.trim(), token.trim()),
+    }
+}
+
+#[derive(Serialize)]
+struct AdminTemplateData {
+    page_content: String,
+    version: Option<&'static str>,
+    users: Vec<Value>,
+    config: Value,
+    can_backup: bool,
+}
+
+impl AdminTemplateData {
+    fn new(users: Vec<Value>) -> Self {
+        Self {
+            page_content: String::from("admin/page"),
+            version: VERSION,
+            users,
+            config: CONFIG.prepare_json(),
+            can_backup: *CAN_BACKUP,
+        }
+    }
+
+    fn render(self) -> Result<String, Error> {
+        CONFIG.render_template(BASE_TEMPLATE, &self)
+    }
+}
+
+#[get("/", rank = 1)]
+fn admin_page(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
+    let users = User::get_all(&conn);
+    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
+
+    let text = AdminTemplateData::new(users_json).render()?;
+    Ok(Html(text))
+}
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct InviteData {
+    email: String,
+}
+
+#[post("/invite", data = "<data>")]
+fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let data: InviteData = data.into_inner();
+    let email = data.email.clone();
+    if User::find_by_mail(&data.email, &conn).is_some() {
+        err!("User already exists")
+    }
+
+    if !CONFIG.invitations_allowed() {
+        err!("Invitations are not allowed")
+    }
+
+    let mut user = User::new(email);
+    user.save(&conn)?;
+
+    if CONFIG.mail_enabled() {
+        let org_name = "bitwarden_rs";
+        mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None)
+    } else {
+        let invitation = Invitation::new(data.email);
+        invitation.save(&conn)
+    }
+}
+
+#[get("/users")]
+fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
+    let users = User::get_all(&conn);
+    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
+
+    Ok(Json(Value::Array(users_json)))
+}
+
+#[post("/users/<uuid>/delete")]
+fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    user.delete(&conn)
+}
+
+#[post("/users/<uuid>/deauth")]
+fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    Device::delete_all_by_user(&user.uuid, &conn)?;
+    user.reset_security_stamp();
+
+    user.save(&conn)
+}
+
+#[post("/users/<uuid>/remove-2fa")]
+fn remove_2fa(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;
+    user.totp_recover = None;
+    user.save(&conn)
+}
+
+#[post("/users/update_revision")]
+fn update_revision_users(_token: AdminToken, conn: DbConn) -> EmptyResult {
+    User::update_all_revisions(&conn)
+}
+
+#[post("/config", data = "<data>")]
+fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
+    let data: ConfigBuilder = data.into_inner();
+    CONFIG.update_config(data)
+}
+
+#[post("/config/delete")]
+fn delete_config(_token: AdminToken) -> EmptyResult {
+    CONFIG.delete_user_config()
+}
+
+#[post("/config/backup_db")]
+fn backup_db(_token: AdminToken) -> EmptyResult {
+    if *CAN_BACKUP {
+        backup_database()
+    } else {
+        err!("Can't back up current DB (either it's not SQLite or the 'sqlite' binary is not present)");
+    }
+}
+
+pub struct AdminToken {}
+
+impl<'a, 'r> FromRequest<'a, 'r> for AdminToken {
+    type Error = &'static str;
+
+    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
+        if CONFIG.disable_admin_token() {
+            Outcome::Success(AdminToken {})
+        } else {
+            let mut cookies = request.cookies();
+
+            let access_token = match cookies.get(COOKIE_NAME) {
+                Some(cookie) => cookie.value(),
+                None => return Outcome::Forward(()), // If there is no cookie, redirect to login
+            };
+
+            let ip = match request.guard::<ClientIp>() {
+                Outcome::Success(ip) => ip.ip,
+                _ => err_handler!("Error getting Client IP"),
+            };
+
+            if decode_admin(access_token).is_err() {
+                // Remove admin cookie
+                cookies.remove(Cookie::named(COOKIE_NAME));
+                error!("Invalid or expired admin JWT. IP: {}.", ip);
+                return Outcome::Forward(());
+            }
+
+            Outcome::Success(AdminToken {})
+        }
+    }
+}
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -3,13 +3,13 @@ use rocket_contrib::json::Json;
 use crate::db::models::*;
 use crate::db::DbConn;

-use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData, UpdateType, WebSocketUsers};
-use crate::auth::Headers;
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
+use crate::auth::{decode_invite, Headers};
 use crate::mail;

 use crate::CONFIG;

-use rocket::{Route, State};
+use rocket::Route;

 pub fn routes() -> Vec<Route> {
    routes![
@@ -44,6 +44,8 @@ struct RegisterData {
    MasterPasswordHash: String,
    MasterPasswordHint: Option<String>,
    Name: Option<String>,
+    Token: Option<String>,
+    OrganizationUserId: Option<String>,
 }

 #[derive(Deserialize, Debug)]
@@ -59,29 +61,42 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {

    let mut user = match User::find_by_mail(&data.Email, &conn) {
        Some(user) => {
-            if Invitation::take(&data.Email, &conn) {
+            if !user.password_hash.is_empty() {
+                err!("User already exists")
+            }
+
+            if let Some(token) = data.Token {
+                let claims = decode_invite(&token)?;
+                if claims.email == data.Email {
+                    user
+                } else {
+                    err!("Registration email does not match invite email")
+                }
+            } else if Invitation::take(&data.Email, &conn) {
                for mut user_org in UserOrganization::find_invited_by_user(&user.uuid, &conn).iter_mut() {
                    user_org.status = UserOrgStatus::Accepted as i32;
-                    if user_org.save(&conn).is_err() {
-                        err!("Failed to accept user to organization")
-                    }
+                    user_org.save(&conn)?;
                }
+
                user
-            } else if CONFIG.signups_allowed {
+            } else if CONFIG.signups_allowed() {
                err!("Account with this email already exists")
            } else {
                err!("Registration not allowed")
            }
        }
        None => {
-            if CONFIG.signups_allowed || Invitation::take(&data.Email, &conn) {
-                User::new(data.Email)
+            if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
+                User::new(data.Email.clone())
            } else {
                err!("Registration not allowed")
            }
        }
    };

+    // Make sure we don't leave a lingering invitation.
+    Invitation::take(&data.Email, &conn);
+
    if let Some(client_kdf_iter) = data.KdfIterations {
        user.client_kdf_iter = client_kdf_iter;
    }
@@ -91,7 +106,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
    }

    user.set_password(&data.MasterPasswordHash);
-    user.key = data.Key;
+    user.akey = data.Key;

    // Add extra fields if present
    if let Some(name) = data.Name {
@@ -107,10 +122,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
        user.public_key = Some(keys.PublicKey);
    }

-    match user.save(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Failed to save user"),
-    }
+    user.save(&conn)
 }

 #[get("/accounts/profile")]
@@ -143,10 +155,8 @@ fn post_profile(data: JsonUpcase<ProfileData>, headers: Headers, conn: DbConn) -
        Some(ref h) if h.is_empty() => None,
        _ => data.MasterPasswordHint,
    };
-    match user.save(&conn) {
-        Ok(()) => Ok(Json(user.to_json(&conn))),
-        Err(_) => err!("Failed to save user profile"),
-    }
+    user.save(&conn)?;
+    Ok(Json(user.to_json(&conn)))
 }

 #[get("/users/<uuid>/public-key")]
@@ -172,10 +182,8 @@ fn post_keys(data: JsonUpcase<KeysData>, headers: Headers, conn: DbConn) -> Json
    user.private_key = Some(data.EncryptedPrivateKey);
    user.public_key = Some(data.PublicKey);

-    match user.save(&conn) {
-        Ok(()) => Ok(Json(user.to_json(&conn))),
-        Err(_) => err!("Failed to save the user's keys"),
-    }
+    user.save(&conn)?;
+    Ok(Json(user.to_json(&conn)))
 }

 #[derive(Deserialize)]
@@ -196,11 +204,8 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
    }

    user.set_password(&data.NewMasterPasswordHash);
-    user.key = data.Key;
-    match user.save(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Failed to save password"),
-    }
+    user.akey = data.Key;
+    user.save(&conn)
 }

 #[derive(Deserialize)]
@@ -226,11 +231,8 @@ fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) ->
    user.client_kdf_iter = data.KdfIterations;
    user.client_kdf_type = data.Kdf;
    user.set_password(&data.NewMasterPasswordHash);
-    user.key = data.Key;
-    match user.save(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Failed to save password settings"),
-    }
+    user.akey = data.Key;
+    user.save(&conn)
 }

 #[derive(Deserialize)]
@@ -253,7 +255,7 @@ struct KeyData {
 }

 #[post("/accounts/key", data = "<data>")]
-fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
    let data: KeyData = data.into_inner().data;

    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
@@ -274,9 +276,7 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, ws:
        }

        saved_folder.name = folder_data.Name;
-        if saved_folder.save(&conn).is_err() {
-            err!("Failed to save folder")
-        }
+        saved_folder.save(&conn)?
    }

    // Update cipher data
@@ -292,21 +292,25 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, ws:
            err!("The cipher is not owned by the user")
        }

-        update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &conn, &ws, UpdateType::SyncCipherUpdate)?
+        update_cipher_from_data(
+            &mut saved_cipher,
+            cipher_data,
+            &headers,
+            false,
+            &conn,
+            &nt,
+            UpdateType::CipherUpdate,
+        )?
    }

    // Update user data
    let mut user = headers.user;

-    user.key = data.Key;
+    user.akey = data.Key;
    user.private_key = Some(data.PrivateKey);
    user.reset_security_stamp();

-    if user.save(&conn).is_err() {
-        err!("Failed modify user key");
-    }
-
-    Ok(())
+    user.save(&conn)
 }

 #[post("/accounts/security-stamp", data = "<data>")]
@@ -318,11 +322,9 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
        err!("Invalid password")
    }

+    Device::delete_all_by_user(&user.uuid, &conn)?;
    user.reset_security_stamp();
-    match user.save(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Failed to reset security stamp"),
-    }
+    user.save(&conn)
 }

 #[derive(Deserialize)]
@@ -375,12 +377,9 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
    user.email = data.NewEmail;

    user.set_password(&data.NewMasterPasswordHash);
-    user.key = data.Key;
+    user.akey = data.Key;

-    match user.save(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Failed to save email address"),
-    }
+    user.save(&conn)
 }

 #[post("/accounts/delete", data = "<data>")]
@@ -397,10 +396,7 @@ fn delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn
        err!("Invalid password")
    }

-    match user.delete(&conn) {
-        Ok(()) => Ok(()),
-        Err(_) => err!("Failed deleting user account, are you the only owner of some organization?"),
-    }
+    user.delete(&conn)
 }

 #[get("/accounts/revision-date")]
@@ -424,11 +420,9 @@ fn password_hint(data: JsonUpcase<PasswordHintData>, conn: DbConn) -> EmptyResul
        None => return Ok(()),
    };

-    if let Some(ref mail_config) = CONFIG.mail {
-        if let Err(e) = mail::send_password_hint(&data.Email, hint, mail_config) {
-            err!(format!("There have been a problem sending the email: {}", e));
-        }
-    } else if CONFIG.show_password_hint {
+    if CONFIG.mail_enabled() {
+        mail::send_password_hint(&data.Email, hint)?;
+    } else if CONFIG.show_password_hint() {
        if let Some(hint) = hint {
            err!(format!("Your password hint is: {}", &hint));
        } else {
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
--- a/src/api/core/folders.rs
+++ b/src/api/core/folders.rs
@@ -1,11 +1,10 @@
-use rocket::State;
 use rocket_contrib::json::Json;
 use serde_json::Value;

-use crate::db::DbConn;
 use crate::db::models::*;
+use crate::db::DbConn;

-use crate::api::{JsonResult, EmptyResult, JsonUpcase, WebSocketUsers, UpdateType};
+use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType};
 use crate::auth::Headers;

 use rocket::Route;
@@ -26,7 +25,7 @@ pub fn routes() -> Vec<Route> {
 fn get_folders(headers: Headers, conn: DbConn) -> JsonResult {
    let folders = Folder::find_by_user(&headers.user.uuid, &conn);

-    let folders_json: Vec<Value> = folders.iter().map(|c| c.to_json()).collect();
+    let folders_json: Vec<Value> = folders.iter().map(Folder::to_json).collect();

    Ok(Json(json!({
      "Data": folders_json,
@@ -39,7 +38,7 @@ fn get_folders(headers: Headers, conn: DbConn) -> JsonResult {
 fn get_folder(uuid: String, headers: Headers, conn: DbConn) -> JsonResult {
    let folder = match Folder::find_by_uuid(&uuid, &conn) {
        Some(folder) => folder,
-        _ => err!("Invalid folder")
+        _ => err!("Invalid folder"),
    };

    if folder.user_uuid != headers.user.uuid {
@@ -53,35 +52,33 @@ fn get_folder(uuid: String, headers: Headers, conn: DbConn) -> JsonResult {
 #[allow(non_snake_case)]

 pub struct FolderData {
-    pub Name: String
+    pub Name: String,
 }

 #[post("/folders", data = "<data>")]
-fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
    let data: FolderData = data.into_inner().data;

    let mut folder = Folder::new(headers.user.uuid.clone(), data.Name);

-    if folder.save(&conn).is_err() {
-        err!("Failed to save folder")
-    }
-    ws.send_folder_update(UpdateType::SyncFolderCreate, &folder);
+    folder.save(&conn)?;
+    nt.send_folder_update(UpdateType::FolderCreate, &folder);

    Ok(Json(folder.to_json()))
 }

 #[post("/folders/<uuid>", data = "<data>")]
-fn post_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
-    put_folder(uuid, data, headers, conn, ws)
+fn post_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
+    put_folder(uuid, data, headers, conn, nt)
 }

 #[put("/folders/<uuid>", data = "<data>")]
-fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> JsonResult {
+fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
    let data: FolderData = data.into_inner().data;

    let mut folder = match Folder::find_by_uuid(&uuid, &conn) {
        Some(folder) => folder,
-        _ => err!("Invalid folder")
+        _ => err!("Invalid folder"),
    };

    if folder.user_uuid != headers.user.uuid {
@@ -90,24 +87,22 @@ fn put_folder(uuid: String, data: JsonUpcase<FolderData>, headers: Headers, conn

    folder.name = data.Name;

-    if folder.save(&conn).is_err() {
-        err!("Failed to save folder")
-    }
-    ws.send_folder_update(UpdateType::SyncFolderUpdate, &folder);
+    folder.save(&conn)?;
+    nt.send_folder_update(UpdateType::FolderUpdate, &folder);

    Ok(Json(folder.to_json()))
 }

 #[post("/folders/<uuid>/delete")]
-fn delete_folder_post(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
-    delete_folder(uuid, headers, conn, ws)
+fn delete_folder_post(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    delete_folder(uuid, headers, conn, nt)
 }

 #[delete("/folders/<uuid>")]
-fn delete_folder(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSocketUsers>) -> EmptyResult {
+fn delete_folder(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
    let folder = match Folder::find_by_uuid(&uuid, &conn) {
        Some(folder) => folder,
-        _ => err!("Invalid folder")
+        _ => err!("Invalid folder"),
    };

    if folder.user_uuid != headers.user.uuid {
@@ -115,11 +110,8 @@ fn delete_folder(uuid: String, headers: Headers, conn: DbConn, ws: State<WebSock
    }

    // Delete the actual folder entry
-    match folder.delete(&conn) {
-        Ok(()) => {
-            ws.send_folder_update(UpdateType::SyncFolderDelete, &folder);
-            Ok(())
-        }
-        Err(_) => err!("Failed deleting folder")
-    }
+    folder.delete(&conn)?;
+
+    nt.send_folder_update(UpdateType::FolderDelete, &folder);
+    Ok(())
 }
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -8,10 +8,10 @@ pub fn routes() -> Vec<Route> {
    let mut mod_routes = routes![
        clear_device_token,
        put_device_token,
-
        get_eq_domains,
        post_eq_domains,
        put_eq_domains,
+        hibp_breach,
    ];

    let mut routes = Vec::new();
@@ -25,18 +25,18 @@ pub fn routes() -> Vec<Route> {
    routes
 }

-///
-/// Move this somewhere else
-///
+//
+// Move this somewhere else
+//
 use rocket::Route;

 use rocket_contrib::json::Json;
 use serde_json::Value;

-use crate::db::DbConn;
-
 use crate::api::{EmptyResult, JsonResult, JsonUpcase};
 use crate::auth::Headers;
+use crate::db::DbConn;
+use crate::error::Error;

 #[put("/devices/identifier/<uuid>/clear-token")]
 fn clear_device_token(uuid: String) -> EmptyResult {
@@ -63,7 +63,7 @@ fn put_device_token(uuid: String, data: JsonUpcase<Value>, headers: Headers) ->
    Ok(Json(json!({
        "Id": headers.device.uuid,
        "Name": headers.device.name,
-        "Type": headers.device.type_,
+        "Type": headers.device.atype,
        "Identifier": headers.device.uuid,
        "CreationDate": crate::util::format_date(&headers.device.created_at),
    })))
@@ -77,7 +77,7 @@ struct GlobalDomain {
    Excluded: bool,
 }

-const GLOBAL_DOMAINS: &str = include_str!("global_domains.json");
+const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");

 #[get("/settings/domains")]
 fn get_eq_domains(headers: Headers) -> JsonResult {
@@ -117,16 +117,48 @@ fn post_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: Db
    let mut user = headers.user;
    use serde_json::to_string;

-    user.excluded_globals = to_string(&excluded_globals).unwrap_or("[]".to_string());
-    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or("[]".to_string());
+    user.excluded_globals = to_string(&excluded_globals).unwrap_or_else(|_| "[]".to_string());
+    user.equivalent_domains = to_string(&equivalent_domains).unwrap_or_else(|_| "[]".to_string());

-    match user.save(&conn) {
-        Ok(()) => Ok(Json(json!({}))),
-        Err(_) => err!("Failed to save user"),
-    }
+    user.save(&conn)?;
+
+    Ok(Json(json!({})))
 }

 #[put("/settings/domains", data = "<data>")]
 fn put_eq_domains(data: JsonUpcase<EquivDomainData>, headers: Headers, conn: DbConn) -> JsonResult {
    post_eq_domains(data, headers, conn)
 }
+
+#[get("/hibp/breach?<username>")]
+fn hibp_breach(username: String) -> JsonResult {
+    let user_agent = "Bitwarden_RS";
+    let url = format!(
+        "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false&includeUnverified=false",
+        username
+    );
+
+    use reqwest::{header::USER_AGENT, Client};
+
+    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+        let res = Client::new()
+            .get(&url)
+            .header(USER_AGENT, user_agent)
+            .header("hibp-api-key", api_key)
+            .send()?;
+
+        // If we get a 404, return a 404, it means no breached accounts
+        if res.status() == 404 {
+            return Err(Error::empty().with_code(404));
+        }
+
+        let value: Value = res.error_for_status()?.json()?;
+        Ok(Json(value))
+    } else {
+        Ok(Json(json!([{
+            "title": "--- Error! ---",
+            "description": "HaveIBeenPwned API key not set! Go to https://haveibeenpwned.com/API/Key",
+            "logopath": "/bwrs_images/error-x.svg"
+        }])))
+    }
+}
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
--- a/src/api/core/two_factor.rs
+++ b/src/api/core/two_factor.rs
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -1,25 +1,74 @@
+use std::fs::{create_dir_all, remove_file, symlink_metadata, File};
 use std::io::prelude::*;
-use std::fs::{create_dir_all, File};
+use std::time::{Duration, SystemTime};

-use rocket::Route;
-use rocket::response::Content;
 use rocket::http::ContentType;
+use rocket::response::Content;
+use rocket::Route;

-use reqwest;
+use reqwest::{header::HeaderMap, Client, Response};

+use rocket::http::Cookie;
+
+use regex::Regex;
+use soup::prelude::*;
+
+use crate::error::Error;
 use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
    routes![icon]
 }

+const FALLBACK_ICON: &[u8; 344] = include_bytes!("../static/fallback-icon.png");
+
+const ALLOWED_CHARS: &str = "_-.";
+
+lazy_static! {
+    // Reuse the client between requests
+    static ref CLIENT: Client = Client::builder()
+        .use_sys_proxy()
+        .gzip(true)
+        .timeout(Duration::from_secs(CONFIG.icon_download_timeout()))
+        .default_headers(_header_map())
+        .build()
+        .unwrap();
+}
+
+fn is_valid_domain(domain: &str) -> bool {
+    // Don't allow empty or too big domains or path traversal
+    if domain.is_empty() || domain.len() > 255 || domain.contains("..") {
+        return false;
+    }
+
+    // Only alphanumeric or specific characters
+    for c in domain.chars() {
+        if !c.is_alphanumeric() && !ALLOWED_CHARS.contains(c) {
+            return false;
+        }
+    }
+
+    true
+}
+
 #[get("/<domain>/icon.png")]
 fn icon(domain: String) -> Content<Vec<u8>> {
    let icon_type = ContentType::new("image", "x-icon");

-    // Validate the domain to avoid directory traversal attacks
-    if domain.contains('/') || domain.contains("..") {
-        return Content(icon_type, get_fallback_icon());
+    if !is_valid_domain(&domain) {
+        warn!("Invalid domain: {:#?}", domain);
+        return Content(icon_type, FALLBACK_ICON.to_vec());
+    }
+
+    if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
+        info!("Icon blacklist enabled: {:#?}", blacklist);
+
+        let regex = Regex::new(&blacklist).expect("Valid Regex");
+
+        if regex.is_match(&domain) {
+            warn!("Blacklisted domain: {:#?}", domain);
+            return Content(icon_type, FALLBACK_ICON.to_vec());
+        }
    }

    let icon = get_icon(&domain);
@@ -27,29 +76,42 @@ fn icon(domain: String) -> Content<Vec<u8>> {
    Content(icon_type, icon)
 }

-fn get_icon (domain: &str) -> Vec<u8> {
-    let path = format!("{}/{}.png", CONFIG.icon_cache_folder, domain);
+fn get_icon(domain: &str) -> Vec<u8> {
+    let path = format!("{}/{}.png", CONFIG.icon_cache_folder(), domain);

    if let Some(icon) = get_cached_icon(&path) {
        return icon;
    }

-    let url = get_icon_url(&domain);
+    if CONFIG.disable_icon_download() {
+        return FALLBACK_ICON.to_vec();
+    }

    // Get the icon, or fallback in case of error
-    match download_icon(&url) {
+    match download_icon(&domain) {
        Ok(icon) => {
            save_icon(&path, &icon);
            icon
-        },
+        }
        Err(e) => {
            error!("Error downloading icon: {:?}", e);
-            get_fallback_icon()
+            mark_negcache(&path);
+            FALLBACK_ICON.to_vec()
        }
    }
 }

 fn get_cached_icon(path: &str) -> Option<Vec<u8>> {
+    // Check for expiration of negatively cached copy
+    if icon_is_negcached(path) {
+        return Some(FALLBACK_ICON.to_vec());
+    }
+
+    // Check for expiration of successfully cached copy
+    if icon_is_expired(path) {
+        return None;
+    }
+
    // Try to read the cached icon, and return it if it exists
    if let Ok(mut f) = File::open(path) {
        let mut buffer = Vec::new();
@@ -62,51 +124,271 @@ fn get_cached_icon(path: &str) -> Option<Vec<u8>> {
    None
 }

-fn get_icon_url(domain: &str) -> String {
-    if CONFIG.local_icon_extractor {
-        format!("http://{}/favicon.ico", domain)
-    } else {
-        format!("https://icons.bitwarden.com/{}/icon.png", domain)
+fn file_is_expired(path: &str, ttl: u64) -> Result<bool, Error> {
+    let meta = symlink_metadata(path)?;
+    let modified = meta.modified()?;
+    let age = SystemTime::now().duration_since(modified)?;
+
+    Ok(ttl > 0 && ttl <= age.as_secs())
+}
+
+fn icon_is_negcached(path: &str) -> bool {
+    let miss_indicator = path.to_owned() + ".miss";
+    let expired = file_is_expired(&miss_indicator, CONFIG.icon_cache_negttl());
+
+    match expired {
+        // No longer negatively cached, drop the marker
+        Ok(true) => {
+            if let Err(e) = remove_file(&miss_indicator) {
+                error!("Could not remove negative cache indicator for icon {:?}: {:?}", path, e);
+            }
+            false
+        }
+        // The marker hasn't expired yet.
+        Ok(false) => true,
+        // The marker is missing or inaccessible in some way.
+        Err(_) => false,
    }
 }

-fn download_icon(url: &str) -> Result<Vec<u8>, reqwest::Error> {
-    info!("Downloading icon for {}...", url);
-    let mut res = reqwest::get(url)?;
+fn mark_negcache(path: &str) {
+    let miss_indicator = path.to_owned() + ".miss";
+    File::create(&miss_indicator).expect("Error creating negative cache marker");
+}

-    res = res.error_for_status()?;
+fn icon_is_expired(path: &str) -> bool {
+    let expired = file_is_expired(path, CONFIG.icon_cache_ttl());
+    expired.unwrap_or(true)
+}

-    let mut buffer: Vec<u8> = vec![];
-    res.copy_to(&mut buffer)?;
+#[derive(Debug)]
+struct Icon {
+    priority: u8,
+    href: String,
+}
+
+impl Icon {
+    fn new(priority: u8, href: String) -> Self {
+        Self { href, priority }
+    }
+}
+
+/// Returns a Result/Tuple which holds a Vector IconList and a string which holds the cookies from the last response.
+/// There will always be a result with a string which will contain https://example.com/favicon.ico and an empty string for the cookies.
+/// This does not mean that that location does exists, but it is the default location browser use.
+///
+/// # Argument
+/// * `domain` - A string which holds the domain with extension.
+///
+/// # Example
+/// ```
+/// let (mut iconlist, cookie_str) = get_icon_url("github.com")?;
+/// let (mut iconlist, cookie_str) = get_icon_url("gitlab.com")?;
+/// ```
+fn get_icon_url(domain: &str) -> Result<(Vec<Icon>, String), Error> {
+    // Default URL with secure and insecure schemes
+    let ssldomain = format!("https://{}", domain);
+    let httpdomain = format!("http://{}", domain);
+
+    // Create the iconlist
+    let mut iconlist: Vec<Icon> = Vec::new();
+
+    // Create the cookie_str to fill it all the cookies from the response
+    // These cookies can be used to request/download the favicon image.
+    // Some sites have extra security in place with for example XSRF Tokens.
+    let mut cookie_str = String::new();
+
+    let resp = get_page(&ssldomain).or_else(|_| get_page(&httpdomain));
+    if let Ok(content) = resp {
+        // Extract the URL from the respose in case redirects occured (like @ gitlab.com)
+        let url = content.url().clone();
+        let raw_cookies = content.headers().get_all("set-cookie");
+        cookie_str = raw_cookies
+            .iter()
+            .filter_map(|raw_cookie| raw_cookie.to_str().ok())
+            .map(|cookie_str| {
+                if let Ok(cookie) = Cookie::parse(cookie_str) {
+                    format!("{}={}; ", cookie.name(), cookie.value())
+                } else {
+                    String::new()
+                }
+            })
+            .collect::<String>();
+
+        // Add the default favicon.ico to the list with the domain the content responded from.
+        iconlist.push(Icon::new(35, url.join("/favicon.ico").unwrap().into_string()));
+
+        let soup = Soup::from_reader(content)?;
+        // Search for and filter
+        let favicons = soup
+            .tag("link")
+            .attr("rel", Regex::new(r"icon$|apple.*icon")?) // Only use icon rels
+            .attr("href", Regex::new(r"(?i)\w+\.(jpg|jpeg|png|ico)(\?.*)?$")?) // Only allow specific extensions
+            .find_all();
+
+        // Loop through all the found icons and determine it's priority
+        for favicon in favicons {
+            let sizes = favicon.get("sizes");
+            let href = favicon.get("href").expect("Missing href");
+            let full_href = url.join(&href).unwrap().into_string();
+
+            let priority = get_icon_priority(&full_href, sizes);
+
+            iconlist.push(Icon::new(priority, full_href))
+        }
+    } else {
+        // Add the default favicon.ico to the list with just the given domain
+        iconlist.push(Icon::new(35, format!("{}/favicon.ico", ssldomain)));
+    }
+
+    // Sort the iconlist by priority
+    iconlist.sort_by_key(|x| x.priority);
+
+    // There always is an icon in the list, so no need to check if it exists, and just return the first one
+    Ok((iconlist, cookie_str))
+}
+
+fn get_page(url: &str) -> Result<Response, Error> {
+    get_page_with_cookies(url, "")
+}
+
+fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error> {
+    CLIENT
+        .get(url)
+        .header("cookie", cookie_str)
+        .send()?
+        .error_for_status()
+        .map_err(Into::into)
+}
+
+/// Returns a Integer with the priority of the type of the icon which to prefer.
+/// The lower the number the better.
+///
+/// # Arguments
+/// * `href`  - A string which holds the href value or relative path.
+/// * `sizes` - The size of the icon if available as a <width>x<height> value like 32x32.
+///
+/// # Example
+/// ```
+/// priority1 = get_icon_priority("http://example.com/path/to/a/favicon.png", "32x32");
+/// priority2 = get_icon_priority("https://example.com/path/to/a/favicon.ico", "");
+/// ```
+fn get_icon_priority(href: &str, sizes: Option<String>) -> u8 {
+    // Check if there is a dimension set
+    let (width, height) = parse_sizes(sizes);
+
+    // Check if there is a size given
+    if width != 0 && height != 0 {
+        // Only allow square dimensions
+        if width == height {
+            // Change priority by given size
+            if width == 32 {
+                1
+            } else if width == 64 {
+                2
+            } else if width >= 24 && width <= 128 {
+                3
+            } else if width == 16 {
+                4
+            } else {
+                5
+            }
+        // There are dimensions available, but the image is not a square
+        } else {
+            200
+        }
+    } else {
+        // Change priority by file extension
+        if href.ends_with(".png") {
+            10
+        } else if href.ends_with(".jpg") || href.ends_with(".jpeg") {
+            20
+        } else {
+            30
+        }
+    }
+}
+
+/// Returns a Tuple with the width and hight as a seperate value extracted from the sizes attribute
+/// It will return 0 for both values if no match has been found.
+///
+/// # Arguments
+/// * `sizes` - The size of the icon if available as a <width>x<height> value like 32x32.
+///
+/// # Example
+/// ```
+/// let (width, height) = parse_sizes("64x64"); // (64, 64)
+/// let (width, height) = parse_sizes("x128x128"); // (128, 128)
+/// let (width, height) = parse_sizes("32"); // (0, 0)
+/// ```
+fn parse_sizes(sizes: Option<String>) -> (u16, u16) {
+    let mut width: u16 = 0;
+    let mut height: u16 = 0;
+
+    if let Some(sizes) = sizes {
+        match Regex::new(r"(?x)(\d+)\D*(\d+)").unwrap().captures(sizes.trim()) {
+            None => {}
+            Some(dimensions) => {
+                if dimensions.len() >= 3 {
+                    width = dimensions[1].parse::<u16>().unwrap_or_default();
+                    height = dimensions[2].parse::<u16>().unwrap_or_default();
+                }
+            }
+        }
+    }
+
+    (width, height)
+}
+
+fn download_icon(domain: &str) -> Result<Vec<u8>, Error> {
+    let (iconlist, cookie_str) = get_icon_url(&domain)?;
+
+    let mut buffer = Vec::new();
+
+    for icon in iconlist.iter().take(5) {
+        match get_page_with_cookies(&icon.href, &cookie_str) {
+            Ok(mut res) => {
+                info!("Downloaded icon from {}", icon.href);
+                res.copy_to(&mut buffer)?;
+                break;
+            }
+            Err(_) => info!("Download failed for {}", icon.href),
+        };
+    }
+
+    if buffer.is_empty() {
+        err!("Empty response")
+    }

    Ok(buffer)
 }

 fn save_icon(path: &str, icon: &[u8]) {
-    create_dir_all(&CONFIG.icon_cache_folder).expect("Error creating icon cache");
+    create_dir_all(&CONFIG.icon_cache_folder()).expect("Error creating icon cache");

    if let Ok(mut f) = File::create(path) {
        f.write_all(icon).expect("Error writing icon file");
    };
 }

-const FALLBACK_ICON_URL: &str = "https://raw.githubusercontent.com/bitwarden/web/master/src/images/fa-globe.png";
+fn _header_map() -> HeaderMap {
+    // Set some default headers for the request.
+    // Use a browser like user-agent to make sure most websites will return there correct website.
+    use reqwest::header::*;

-fn get_fallback_icon() -> Vec<u8> {
-    let path = format!("{}/default.png", CONFIG.icon_cache_folder);
-    
-    if let Some(icon) = get_cached_icon(&path) {
-        return icon;
+    macro_rules! headers {
+        ($( $name:ident : $value:literal),+ $(,)? ) => {
+            let mut headers = HeaderMap::new();
+            $( headers.insert($name, HeaderValue::from_static($value)); )+
+            headers
+        };
    }

-    match download_icon(FALLBACK_ICON_URL) {
-        Ok(icon) => {
-            save_icon(&path, &icon);
-            icon
-        },
-        Err(e) => {
-            error!("Error downloading fallback icon: {:?}", e);
-            vec![]
-        }
+    headers! {
+        USER_AGENT: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
+        ACCEPT_LANGUAGE: "en-US,en;q=0.8",
+        CACHE_CONTROL: "no-cache",
+        PRAGMA: "no-cache",
+        ACCEPT: "text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8",
    }
 }
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -9,12 +9,14 @@ use num_traits::FromPrimitive;
 use crate::db::models::*;
 use crate::db::DbConn;

-use crate::util::{self, JsonMap};
+use crate::util;

 use crate::api::{ApiResult, EmptyResult, JsonResult};

 use crate::auth::ClientIp;

+use crate::mail;
+
 use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
@@ -61,17 +63,16 @@ fn _refresh_login(data: ConnectData, conn: DbConn) -> JsonResult {
    let orgs = UserOrganization::find_by_user(&user.uuid, &conn);

    let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
-    match device.save(&conn) {
-        Ok(()) => Ok(Json(json!({
-            "access_token": access_token,
-            "expires_in": expires_in,
-            "token_type": "Bearer",
-            "refresh_token": device.refresh_token,
-            "Key": user.key,
-            "PrivateKey": user.private_key,
-        }))),
-        Err(e) => err!("Failed to add device to user", e),
-    }
+
+    device.save(&conn)?;
+    Ok(Json(json!({
+        "access_token": access_token,
+        "expires_in": expires_in,
+        "token_type": "Bearer",
+        "refresh_token": device.refresh_token,
+        "Key": user.akey,
+        "PrivateKey": user.private_key,
+    })))
 }

 fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult {
@@ -85,59 +86,49 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult
    let username = data.username.as_ref().unwrap();
    let user = match User::find_by_mail(username, &conn) {
        Some(user) => user,
-        None => err!(format!(
-            "Username or password is incorrect. Try again. IP: {}. Username: {}.",
-            ip.ip, username
-        )),
+        None => err!(
+            "Username or password is incorrect. Try again",
+            format!("IP: {}. Username: {}.", ip.ip, username)
+        ),
    };

    // Check password
    let password = data.password.as_ref().unwrap();
    if !user.check_valid_password(password) {
-        err!(format!(
-            "Username or password is incorrect. Try again. IP: {}. Username: {}.",
-            ip.ip, username
-        ))
+        err!(
+            "Username or password is incorrect. Try again",
+            format!("IP: {}. Username: {}.", ip.ip, username)
+        )
    }

-    // On iOS, device_type sends "iOS", on others it sends a number
-    let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(0);
-    let device_id = data.device_identifier.clone().expect("No device id provided");
-    let device_name = data.device_name.clone().expect("No device name provided");
+    let (mut device, new_device) = get_device(&data, &conn, &user);

-    // Find device or create new
-    let mut device = match Device::find_by_uuid(&device_id, &conn) {
-        Some(device) => {
-            // Check if owned device, and recreate if not
-            if device.user_uuid != user.uuid {
-                info!("Device exists but is owned by another user. The old device will be discarded");
-                Device::new(device_id, user.uuid.clone(), device_name, device_type)
-            } else {
-                device
+    let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, &conn)?;
+
+    if CONFIG.mail_enabled() && new_device {
+        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &device.updated_at, &device.name) {
+            error!("Error sending new device email: {:#?}", e);
+
+            if CONFIG.require_device_email() {
+                err!("Could not send login notification email. Please contact your administrator.")
            }
        }
-        None => Device::new(device_id, user.uuid.clone(), device_name, device_type),
-    };
-
-    let twofactor_token = twofactor_auth(&user.uuid, &data.clone(), &mut device, &conn)?;
+    }

    // Common
    let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap();
    let orgs = UserOrganization::find_by_user(&user.uuid, &conn);

    let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
-    if let Err(e) = device.save(&conn) {
-        err!("Failed to add device to user", e)
-    }
+    device.save(&conn)?;

    let mut result = json!({
        "access_token": access_token,
        "expires_in": expires_in,
        "token_type": "Bearer",
        "refresh_token": device.refresh_token,
-        "Key": user.key,
+        "Key": user.akey,
        "PrivateKey": user.private_key,
-        //"TwoFactorToken": "11122233333444555666777888999"
    });

    if let Some(token) = twofactor_token {
@@ -148,67 +139,82 @@ fn _password_login(data: ConnectData, conn: DbConn, ip: ClientIp) -> JsonResult
    Ok(Json(result))
 }

-fn twofactor_auth(user_uuid: &str, data: &ConnectData, device: &mut Device, conn: &DbConn) -> ApiResult<Option<String>> {
-    let twofactors_raw = TwoFactor::find_by_user(user_uuid, conn);
-    // Remove u2f challenge twofactors (impl detail)
-    let twofactors: Vec<_> = twofactors_raw.iter().filter(|tf| tf.type_ < 1000).collect();
+/// Retrieves an existing device or creates a new device from ConnectData and the User
+fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> (Device, bool) {
+    // On iOS, device_type sends "iOS", on others it sends a number
+    let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(0);
+    let device_id = data.device_identifier.clone().expect("No device id provided");
+    let device_name = data.device_name.clone().expect("No device name provided");

-    let providers: Vec<_> = twofactors.iter().map(|tf| tf.type_).collect();
+    let mut new_device = false;
+    // Find device or create new
+    let device = match Device::find_by_uuid(&device_id, &conn) {
+        Some(device) => {
+            // Check if owned device, and recreate if not
+            if device.user_uuid != user.uuid {
+                info!("Device exists but is owned by another user. The old device will be discarded");
+                new_device = true;
+                Device::new(device_id, user.uuid.clone(), device_name, device_type)
+            } else {
+                device
+            }
+        }
+        None => {
+            new_device = true;
+            Device::new(device_id, user.uuid.clone(), device_name, device_type)
+        }
+    };
+
+    (device, new_device)
+}
+
+fn twofactor_auth(
+    user_uuid: &str,
+    data: &ConnectData,
+    device: &mut Device,
+    conn: &DbConn,
+) -> ApiResult<Option<String>> {
+    let twofactors = TwoFactor::find_by_user(user_uuid, conn);

    // No twofactor token if twofactor is disabled
    if twofactors.is_empty() {
        return Ok(None);
    }

-    let provider = data.two_factor_provider.unwrap_or(providers[0]); // If we aren't given a two factor provider, asume the first one
+    let twofactor_ids: Vec<_> = twofactors.iter().map(|tf| tf.atype).collect();
+    let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, asume the first one

    let twofactor_code = match data.two_factor_token {
        Some(ref code) => code,
-        None => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+        None => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
    };

-    let twofactor = twofactors.iter().filter(|tf| tf.type_ == provider).nth(0);
+    let selected_twofactor = twofactors.into_iter().filter(|tf| tf.atype == selected_id).nth(0);
+
+    use crate::api::core::two_factor as _tf;
+    use crate::crypto::ct_eq;
+
+    let selected_data = _selected_data(selected_twofactor);
+    let mut remember = data.two_factor_remember.unwrap_or(0);
+
+    match TwoFactorType::from_i32(selected_id) {
+        Some(TwoFactorType::Authenticator) => _tf::validate_totp_code_str(twofactor_code, &selected_data?)?,
+        Some(TwoFactorType::U2f) => _tf::validate_u2f_login(user_uuid, twofactor_code, conn)?,
+        Some(TwoFactorType::YubiKey) => _tf::validate_yubikey_login(twofactor_code, &selected_data?)?,
+        Some(TwoFactorType::Duo) => _tf::validate_duo_login(data.username.as_ref().unwrap(), twofactor_code, conn)?,

-    match TwoFactorType::from_i32(provider) {
        Some(TwoFactorType::Remember) => {
            match device.twofactor_remember {
-                Some(ref remember) if remember == twofactor_code => return Ok(None), // No twofactor token needed here
-                _ => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+                Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => {
+                    remember = 1; // Make sure we also return the token here, otherwise it will only remember the first time
+                }
+                _ => err_json!(_json_err_twofactor(&twofactor_ids, user_uuid, conn)?),
            }
        }
-
-        Some(TwoFactorType::Authenticator) => {
-            let twofactor = match twofactor {
-                Some(tf) => tf,
-                None => err!("TOTP not enabled"),
-            };
-
-            let totp_code: u64 = match twofactor_code.parse() {
-                Ok(code) => code,
-                _ => err!("Invalid TOTP code"),
-            };
-
-            if !twofactor.check_totp_code(totp_code) {
-                err_json!(_json_err_twofactor(&providers, user_uuid, conn)?)
-            }
-        }
-
-        Some(TwoFactorType::U2f) => {
-            use crate::api::core::two_factor;
-
-            two_factor::validate_u2f_login(user_uuid, &twofactor_code, conn)?;
-        }
-
-        Some(TwoFactorType::YubiKey) => {
-            use crate::api::core::two_factor;
-
-            two_factor::validate_yubikey_login(user_uuid, twofactor_code, conn)?;
-        }
-
        _ => err!("Invalid two factor provider"),
    }

-    if data.two_factor_remember.unwrap_or(0) == 1 {
+    if !CONFIG.disable_2fa_remember() && remember == 1 {
        Ok(Some(device.refresh_twofactor_remember()))
    } else {
        device.delete_twofactor_remember();
@@ -216,6 +222,13 @@ fn twofactor_auth(user_uuid: &str, data: &ConnectData, device: &mut Device, conn
    }
 }

+fn _selected_data(tf: Option<TwoFactor>) -> ApiResult<String> {
+    match tf {
+        Some(tf) => Ok(tf.data),
+        None => err!("Two factor doesn't exist"),
+    }
+}
+
 fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> ApiResult<Value> {
    use crate::api::core::two_factor;

@@ -232,40 +245,51 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
        match TwoFactorType::from_i32(*provider) {
            Some(TwoFactorType::Authenticator) => { /* Nothing to do for TOTP */ }

-            Some(TwoFactorType::U2f) if CONFIG.domain_set => {
+            Some(TwoFactorType::U2f) if CONFIG.domain_set() => {
                let request = two_factor::generate_u2f_login(user_uuid, conn)?;
                let mut challenge_list = Vec::new();

                for key in request.registered_keys {
-                    let mut challenge_map = JsonMap::new();
-
-                    challenge_map.insert("appId".into(), Value::String(request.app_id.clone()));
-                    challenge_map.insert("challenge".into(), Value::String(request.challenge.clone()));
-                    challenge_map.insert("version".into(), Value::String(key.version));
-                    challenge_map.insert("keyHandle".into(), Value::String(key.key_handle.unwrap_or_default()));
-
-                    challenge_list.push(Value::Object(challenge_map));
+                    challenge_list.push(json!({
+                        "appId": request.app_id,
+                        "challenge": request.challenge,
+                        "version": key.version,
+                        "keyHandle": key.key_handle,
+                    }));
                }

-                let mut map = JsonMap::new();
-                use serde_json;
                let challenge_list_str = serde_json::to_string(&challenge_list).unwrap();

-                map.insert("Challenges".into(), Value::String(challenge_list_str));
-                result["TwoFactorProviders2"][provider.to_string()] = Value::Object(map);
+                result["TwoFactorProviders2"][provider.to_string()] = json!({
+                    "Challenges": challenge_list_str,
+                });
            }

-            Some(TwoFactorType::YubiKey) => {
-                let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, TwoFactorType::YubiKey as i32, &conn) {
+            Some(TwoFactorType::Duo) => {
+                let email = match User::find_by_uuid(user_uuid, &conn) {
+                    Some(u) => u.email,
+                    None => err!("User does not exist"),
+                };
+
+                let (signature, host) = two_factor::generate_duo_signature(&email, conn)?;
+
+                result["TwoFactorProviders2"][provider.to_string()] = json!({
+                    "Host": host,
+                    "Signature": signature,
+                });
+            }
+
+            Some(tf_type @ TwoFactorType::YubiKey) => {
+                let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, tf_type as i32, &conn) {
                    Some(tf) => tf,
                    None => err!("No YubiKey devices registered"),
                };

-                let yubikey_metadata: two_factor::YubikeyMetadata = serde_json::from_str(&twofactor.data).expect("Can't parse Yubikey Metadata");
+                let yubikey_metadata: two_factor::YubikeyMetadata = serde_json::from_str(&twofactor.data)?;

-                let mut map = JsonMap::new();
-                map.insert("Nfc".into(), Value::Bool(yubikey_metadata.Nfc));
-                result["TwoFactorProviders2"][provider.to_string()] = Value::Object(map);
+                result["TwoFactorProviders2"][provider.to_string()] = json!({
+                    "Nfc": yubikey_metadata.Nfc,
+                })
            }

            _ => {}
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -1,33 +1,35 @@
+mod admin;
 pub(crate) mod core;
 mod icons;
 mod identity;
-mod web;
 mod notifications;
+mod web;

+pub use self::admin::routes as admin_routes;
 pub use self::core::routes as core_routes;
 pub use self::icons::routes as icons_routes;
 pub use self::identity::routes as identity_routes;
-pub use self::web::routes as web_routes;
 pub use self::notifications::routes as notifications_routes;
-pub use self::notifications::{start_notification_server, WebSocketUsers, UpdateType};
+pub use self::notifications::{start_notification_server, Notify, UpdateType};
+pub use self::web::routes as web_routes;

-use rocket::response::status::BadRequest;
 use rocket_contrib::json::Json;
 use serde_json::Value;

 // Type aliases for API methods results
-type ApiResult<T> = Result<T, BadRequest<Json<Value>>>;
-type JsonResult = ApiResult<Json<Value>>;
-type EmptyResult = ApiResult<()>;
+type ApiResult<T> = Result<T, crate::error::Error>;
+pub type JsonResult = ApiResult<Json<Value>>;
+pub type EmptyResult = ApiResult<()>;

 use crate::util;
 type JsonUpcase<T> = Json<util::UpCase<T>>;
+type JsonUpcaseVec<T> = Json<Vec<util::UpCase<T>>>;

 // Common structs representing JSON data received
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct PasswordData {
-    MasterPasswordHash: String
+    MasterPasswordHash: String,
 }

 #[derive(Deserialize, Debug, Clone)]
@@ -41,14 +43,17 @@ impl NumberOrString {
    fn into_string(self) -> String {
        match self {
            NumberOrString::Number(n) => n.to_string(),
-            NumberOrString::String(s) => s
+            NumberOrString::String(s) => s,
        }
    }

-    fn into_i32(self) -> Option<i32> {
+    fn into_i32(self) -> ApiResult<i32> {
+        use std::num::ParseIntError as PIE;
        match self {
-            NumberOrString::Number(n) => Some(n),
-            NumberOrString::String(s) => s.parse().ok()
-        }  
+            NumberOrString::Number(n) => Ok(n),
+            NumberOrString::String(s) => s
+                .parse()
+                .map_err(|e: PIE| crate::Error::new("Can't convert to number", e.to_string())),
+        }
    }
 }
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@@ -14,7 +14,7 @@ pub fn routes() -> Vec<Route> {

 #[get("/hub")]
 fn websockets_err() -> JsonResult {
-    err!("'/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.")
+    err!("'/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.")
 }

 #[post("/hub/negotiate")]
@@ -25,7 +25,7 @@ fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult {
    let conn_id = BASE64URL.encode(&crypto::get_random(vec![0u8; 16]));
    let mut available_transports: Vec<JsonValue> = Vec::new();

-    if CONFIG.websocket_enabled {
+    if CONFIG.websocket_enabled() {
        available_transports.push(json!({"transport":"WebSockets", "transferFormats":["Text","Binary"]}));
    }

@@ -40,9 +40,9 @@ fn negotiate(_headers: Headers, _conn: DbConn) -> JsonResult {
    })))
 }

-///
-/// Websockets server
-///
+//
+// Websockets server
+//
 use std::sync::Arc;
 use std::thread;

@@ -88,15 +88,10 @@ fn serialize(val: Value) -> Vec<u8> {

 fn serialize_date(date: NaiveDateTime) -> Value {
    let seconds: i64 = date.timestamp();
-    let nanos: i64 = date.timestamp_subsec_nanos() as i64;
+    let nanos: i64 = date.timestamp_subsec_nanos().into();
    let timestamp = nanos << 34 | seconds;

-    use byteorder::{BigEndian, WriteBytesExt};
-
-    let mut bs = [0u8; 8];
-    bs.as_mut()
-        .write_i64::<BigEndian>(timestamp)
-        .expect("Unable to write");
+    let bs = timestamp.to_be_bytes();

    // -1 is Timestamp
    // https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type
@@ -140,14 +135,9 @@ impl Handler for WSHandler {

        // Validate the user
        use crate::auth;
-        let claims = match auth::decode_jwt(access_token) {
+        let claims = match auth::decode_login(access_token) {
            Ok(claims) => claims,
-            Err(_) => {
-                return Err(ws::Error::new(
-                    ws::ErrorKind::Internal,
-                    "Invalid access token provided",
-                ))
-            }
+            Err(_) => return Err(ws::Error::new(ws::ErrorKind::Internal, "Invalid access token provided")),
        };

        // Assign the user to the handler
@@ -158,11 +148,9 @@ impl Handler for WSHandler {
        let handler_insert = self.out.clone();
        let handler_update = self.out.clone();

-        self.users.map.upsert(
-            user_uuid,
-            || vec![handler_insert],
-            |ref mut v| v.push(handler_update),
-        );
+        self.users
+            .map
+            .upsert(user_uuid, || vec![handler_insert], |ref mut v| v.push(handler_update));

        // Schedule a ping to keep the connection alive
        self.out.timeout(PING_MS, PING)
@@ -238,11 +226,11 @@ impl Factory for WSFactory {

 #[derive(Clone)]
 pub struct WebSocketUsers {
-    pub map: Arc<CHashMap<String, Vec<Sender>>>,
+    map: Arc<CHashMap<String, Vec<Sender>>>,
 }

 impl WebSocketUsers {
-    fn send_update(&self, user_uuid: &String, data: &[u8]) -> ws::Result<()> {
+    fn send_update(&self, user_uuid: &str, data: &[u8]) -> ws::Result<()> {
        if let Some(user) = self.map.get(user_uuid) {
            for sender in user.iter() {
                sender.send(data)?;
@@ -252,7 +240,6 @@ impl WebSocketUsers {
    }

    // NOTE: The last modified date needs to be updated before calling these methods
-    #[allow(dead_code)]
    pub fn send_user_update(&self, ut: UpdateType, user: &User) {
        let data = create_update(
            vec![
@@ -262,7 +249,7 @@ impl WebSocketUsers {
            ut,
        );

-        self.send_update(&user.uuid.clone(), &data).ok();
+        self.send_update(&user.uuid, &data).ok();
    }

    pub fn send_folder_update(&self, ut: UpdateType, folder: &Folder) {
@@ -337,32 +324,38 @@ fn create_ping() -> Vec<u8> {
 }

 #[allow(dead_code)]
+#[derive(PartialEq)]
 pub enum UpdateType {
-    SyncCipherUpdate = 0,
-    SyncCipherCreate = 1,
-    SyncLoginDelete = 2,
-    SyncFolderDelete = 3,
-    SyncCiphers = 4,
+    CipherUpdate = 0,
+    CipherCreate = 1,
+    LoginDelete = 2,
+    FolderDelete = 3,
+    Ciphers = 4,

-    SyncVault = 5,
-    SyncOrgKeys = 6,
-    SyncFolderCreate = 7,
-    SyncFolderUpdate = 8,
-    SyncCipherDelete = 9,
+    Vault = 5,
+    OrgKeys = 6,
+    FolderCreate = 7,
+    FolderUpdate = 8,
+    CipherDelete = 9,
    SyncSettings = 10,

    LogOut = 11,
+
+    None = 100,
 }

+use rocket::State;
+pub type Notify<'a> = State<'a, WebSocketUsers>;
+
 pub fn start_notification_server() -> WebSocketUsers {
    let factory = WSFactory::init();
    let users = factory.users.clone();

-    if CONFIG.websocket_enabled {
+    if CONFIG.websocket_enabled() {
        thread::spawn(move || {
            WebSocket::new(factory)
                .unwrap()
-                .listen(&CONFIG.websocket_url)
+                .listen((CONFIG.websocket_address().as_str(), CONFIG.websocket_port()))
                .unwrap();
        });
    }
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -1,77 +1,61 @@
 use std::io;
 use std::path::{Path, PathBuf};

-use rocket::request::Request;
-use rocket::response::{self, NamedFile, Responder};
+use rocket::http::ContentType;
 use rocket::response::content::Content;
-use rocket::http::{ContentType, Status};
+use rocket::response::NamedFile;
 use rocket::Route;
 use rocket_contrib::json::Json;
 use serde_json::Value;

+use crate::util::Cached;
+use crate::error::Error;
 use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
-    if CONFIG.web_vault_enabled {
-        routes![web_index, app_id, web_files, attachments, alive]
+    if CONFIG.web_vault_enabled() {
+        routes![web_index, app_id, web_files, attachments, alive, images]
    } else {
        routes![attachments, alive]
    }
 }

-// TODO: Might want to use in memory cache: https://github.com/hgzimmerman/rocket-file-cache
 #[get("/")]
-fn web_index() -> WebHeaders<io::Result<NamedFile>> {
-    web_files("index.html".into())
+fn web_index() -> Cached<io::Result<NamedFile>> {
+    Cached::short(NamedFile::open(
+        Path::new(&CONFIG.web_vault_folder()).join("index.html"),
+    ))
 }

 #[get("/app-id.json")]
-fn app_id() -> WebHeaders<Content<Json<Value>>> {
+fn app_id() -> Cached<Content<Json<Value>>> {
    let content_type = ContentType::new("application", "fido.trusted-apps+json");

-    WebHeaders(Content(content_type, Json(json!({
-    "trustedFacets": [
-        {
-        "version": { "major": 1, "minor": 0 },
-        "ids": [
-            &CONFIG.domain,
-            "ios:bundle-id:com.8bit.bitwarden",
-            "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
-        }]
-    }))))
+    Cached::long(Content(
+        content_type,
+        Json(json!({
+        "trustedFacets": [
+            {
+            "version": { "major": 1, "minor": 0 },
+            "ids": [
+                &CONFIG.domain(),
+                "ios:bundle-id:com.8bit.bitwarden",
+                "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
+            }]
+        })),
+    ))
 }

-#[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
-fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> {
-    WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))
-}
-
-struct WebHeaders<R>(R);
-
-impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders<R> {
-    fn respond_to(self, req: &Request) -> response::Result<'r> {
-        match self.0.respond_to(req) {
-            Ok(mut res) => {
-                res.set_raw_header("Referrer-Policy", "same-origin");
-                res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
-                res.set_raw_header("X-Content-Type-Options", "nosniff");
-                res.set_raw_header("X-XSS-Protection", "1; mode=block");
-
-                Ok(res)
-            },
-            Err(_) => {
-                Err(Status::NotFound)
-            }
-        } 
-    }
+#[get("/<p..>", rank = 10)] // Only match this if the other routes don't match
+fn web_files(p: PathBuf) -> Cached<io::Result<NamedFile>> {
+    Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join(p)))
 }

 #[get("/attachments/<uuid>/<file..>")]
 fn attachments(uuid: String, file: PathBuf) -> io::Result<NamedFile> {
-    NamedFile::open(Path::new(&CONFIG.attachments_folder).join(uuid).join(file))
+    NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file))
 }

-
 #[get("/alive")]
 fn alive() -> Json<String> {
    use crate::util::format_date;
@@ -79,3 +63,13 @@ fn alive() -> Json<String> {

    Json(format_date(&Utc::now().naive_utc()))
 }
+
+#[get("/bwrs_images/<filename>")]
+fn images(filename: String) -> Result<Content<&'static [u8]>, Error> {
+    match filename.as_ref() {
+        "mail-github.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/mail-github.png"))),
+        "logo-gray.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/logo-gray.png"))),
+        "error-x.svg" => Ok(Content(ContentType::SVG, include_bytes!("../static/images/error-x.svg"))),
+        _ => err!("Image not found"),
+    }
+}
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -1,63 +1,73 @@
-///
-/// JWT Handling
-///
+//
+// JWT Handling
+//
 use crate::util::read_file;
-use chrono::Duration;
+use chrono::{Duration, Utc};

 use jsonwebtoken::{self, Algorithm, Header};
+use serde::de::DeserializeOwned;
 use serde::ser::Serialize;

+use crate::error::{Error, MapResult};
 use crate::CONFIG;

 const JWT_ALGORITHM: Algorithm = Algorithm::RS256;

 lazy_static! {
    pub static ref DEFAULT_VALIDITY: Duration = Duration::hours(2);
-    pub static ref JWT_ISSUER: String = CONFIG.domain.clone();
-
    static ref JWT_HEADER: Header = Header::new(JWT_ALGORITHM);
-
-    static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key) {
+    pub static ref JWT_LOGIN_ISSUER: String = format!("{}|login", CONFIG.domain());
+    pub static ref JWT_INVITE_ISSUER: String = format!("{}|invite", CONFIG.domain());
+    pub static ref JWT_ADMIN_ISSUER: String = format!("{}|admin", CONFIG.domain());
+    static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key()) {
        Ok(key) => key,
-        Err(e) => panic!("Error loading private RSA Key from {}\n Error: {}", CONFIG.private_rsa_key, e)
+        Err(e) => panic!("Error loading private RSA Key.\n Error: {}", e),
    };
-
-    static ref PUBLIC_RSA_KEY: Vec<u8> = match read_file(&CONFIG.public_rsa_key) {
+    static ref PUBLIC_RSA_KEY: Vec<u8> = match read_file(&CONFIG.public_rsa_key()) {
        Ok(key) => key,
-        Err(e) => panic!("Error loading public RSA Key from {}\n Error: {}", CONFIG.public_rsa_key, e)
+        Err(e) => panic!("Error loading public RSA Key.\n Error: {}", e),
    };
 }

 pub fn encode_jwt<T: Serialize>(claims: &T) -> String {
    match jsonwebtoken::encode(&JWT_HEADER, claims, &PRIVATE_RSA_KEY) {
        Ok(token) => token,
-        Err(e) => panic!("Error encoding jwt {}", e)
+        Err(e) => panic!("Error encoding jwt {}", e),
    }
 }

-pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
+fn decode_jwt<T: DeserializeOwned>(token: &str, issuer: String) -> Result<T, Error> {
    let validation = jsonwebtoken::Validation {
        leeway: 30, // 30 seconds
        validate_exp: true,
-        validate_iat: false, // IssuedAt is the same as NotBefore
        validate_nbf: true,
        aud: None,
-        iss: Some(JWT_ISSUER.clone()),
+        iss: Some(issuer),
        sub: None,
        algorithms: vec![JWT_ALGORITHM],
    };

-    match jsonwebtoken::decode(token, &PUBLIC_RSA_KEY, &validation) {
-        Ok(decoded) => Ok(decoded.claims),
-        Err(msg) => {
-            error!("Error validating jwt - {:#?}", msg);
-            Err(msg.to_string())
-        }
-    }
+    let token = token.replace(char::is_whitespace, "");
+
+    jsonwebtoken::decode(&token, &PUBLIC_RSA_KEY, &validation)
+        .map(|d| d.claims)
+        .map_res("Error decoding JWT")
+}
+
+pub fn decode_login(token: &str) -> Result<LoginJWTClaims, Error> {
+    decode_jwt(token, JWT_LOGIN_ISSUER.to_string())
+}
+
+pub fn decode_invite(token: &str) -> Result<InviteJWTClaims, Error> {
+    decode_jwt(token, JWT_INVITE_ISSUER.to_string())
+}
+
+pub fn decode_admin(token: &str) -> Result<AdminJWTClaims, Error> {
+    decode_jwt(token, JWT_ADMIN_ISSUER.to_string())
 }

 #[derive(Debug, Serialize, Deserialize)]
-pub struct JWTClaims {
+pub struct LoginJWTClaims {
    // Not before
    pub nbf: i64,
    // Expiration time
@@ -87,14 +97,73 @@ pub struct JWTClaims {
    pub amr: Vec<String>,
 }

-///
-/// Bearer token authentication
-///
-use rocket::Outcome;
-use rocket::request::{self, Request, FromRequest};
+#[derive(Debug, Serialize, Deserialize)]
+pub struct InviteJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,

+    pub email: String,
+    pub org_id: Option<String>,
+    pub user_org_id: Option<String>,
+    pub invited_by_email: Option<String>,
+}
+
+pub fn generate_invite_claims(
+    uuid: String,
+    email: String,
+    org_id: Option<String>,
+    org_user_id: Option<String>,
+    invited_by_email: Option<String>,
+) -> InviteJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    InviteJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::days(5)).timestamp(),
+        iss: JWT_INVITE_ISSUER.to_string(),
+        sub: uuid.clone(),
+        email: email.clone(),
+        org_id: org_id.clone(),
+        user_org_id: org_user_id.clone(),
+        invited_by_email: invited_by_email.clone(),
+    }
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct AdminJWTClaims {
+    // Not before
+    pub nbf: i64,
+    // Expiration time
+    pub exp: i64,
+    // Issuer
+    pub iss: String,
+    // Subject
+    pub sub: String,
+}
+
+pub fn generate_admin_claims() -> AdminJWTClaims {
+    let time_now = Utc::now().naive_utc();
+    AdminJWTClaims {
+        nbf: time_now.timestamp(),
+        exp: (time_now + Duration::minutes(20)).timestamp(),
+        iss: JWT_ADMIN_ISSUER.to_string(),
+        sub: "admin_panel".to_string(),
+    }
+}
+
+//
+// Bearer token authentication
+//
+use rocket::request::{self, FromRequest, Request};
+use rocket::Outcome;
+
+use crate::db::models::{Device, User, UserOrgStatus, UserOrgType, UserOrganization};
 use crate::db::DbConn;
-use crate::db::models::{User, Organization, UserOrganization, UserOrgType, UserOrgStatus, Device};

 pub struct Headers {
    pub host: String,
@@ -109,11 +178,11 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
        let headers = request.headers();

        // Get host
-        let host = if CONFIG.domain_set {
-            CONFIG.domain.clone()
+        let host = if CONFIG.domain_set() {
+            CONFIG.domain()
        } else if let Some(referer) = headers.get_one("Referer") {
            referer.to_string()
-        } else {   
+        } else {
            // Try to guess from the headers
            use std::env;

@@ -137,7 +206,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
        };

        // Get access_token
-        let access_token: &str = match request.headers().get_one("Authorization") {
+        let access_token: &str = match headers.get_one("Authorization") {
            Some(a) => match a.rsplit("Bearer ").next() {
                Some(split) => split,
                None => err_handler!("No access token provided"),
@@ -146,9 +215,9 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {
        };

        // Check JWT token is valid and get device and user from it
-        let claims: JWTClaims = match decode_jwt(access_token) {
+        let claims = match decode_login(access_token) {
            Ok(claims) => claims,
-            Err(_) => err_handler!("Invalid claim")
+            Err(_) => err_handler!("Invalid claim"),
        };

        let device_uuid = claims.device;
@@ -156,17 +225,17 @@ impl<'a, 'r> FromRequest<'a, 'r> for Headers {

        let conn = match request.guard::<DbConn>() {
            Outcome::Success(conn) => conn,
-            _ => err_handler!("Error getting DB")
+            _ => err_handler!("Error getting DB"),
        };

        let device = match Device::find_by_uuid(&device_uuid, &conn) {
            Some(device) => device,
-            None => err_handler!("Invalid device id")
+            None => err_handler!("Invalid device id"),
        };

        let user = match User::find_by_uuid(&user_uuid, &conn) {
            Some(user) => user,
-            None => err_handler!("Device has no user associated")
+            None => err_handler!("Device has no user associated"),
        };

        if user.security_stamp != claims.sstamp {
@@ -197,10 +266,11 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
                    Some(Ok(org_id)) => {
                        let conn = match request.guard::<DbConn>() {
                            Outcome::Success(conn) => conn,
-                            _ => err_handler!("Error getting DB")
+                            _ => err_handler!("Error getting DB"),
                        };

-                        let org_user = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
+                        let user = headers.user;
+                        let org_user = match UserOrganization::find_by_user_and_org(&user.uuid, &org_id, &conn) {
                            Some(user) => {
                                if user.status == UserOrgStatus::Confirmed as i32 {
                                    user
@@ -208,28 +278,23 @@ impl<'a, 'r> FromRequest<'a, 'r> for OrgHeaders {
                                    err_handler!("The current user isn't confirmed member of the organization")
                                }
                            }
-                            None => {
-                                if headers.user.is_server_admin() && org_id == Organization::VIRTUAL_ID {
-                                    UserOrganization::new_virtual(headers.user.uuid.clone(), UserOrgType::Owner, UserOrgStatus::Confirmed)
-                                } else {
-                                    err_handler!("The current user isn't member of the organization")
-                                }
-                            }
+                            None => err_handler!("The current user isn't member of the organization"),
                        };

-                        Outcome::Success(Self{
+                        Outcome::Success(Self {
                            host: headers.host,
                            device: headers.device,
-                            user: headers.user,
-                            org_user_type: { 
-                                if let Some(org_usr_type) = UserOrgType::from_i32(org_user.type_) {
+                            user,
+                            org_user_type: {
+                                if let Some(org_usr_type) = UserOrgType::from_i32(org_user.atype) {
                                    org_usr_type
-                                } else { // This should only happen if the DB is corrupted
+                                } else {
+                                    // This should only happen if the DB is corrupted
                                    err_handler!("Unknown user type in the database")
                                }
                            },
                        })
-                    },
+                    }
                    _ => err_handler!("Error getting the organization id"),
                }
            }
@@ -295,9 +360,9 @@ impl<'a, 'r> FromRequest<'a, 'r> for OwnerHeaders {
    }
 }

-///
-/// Client IP address detection
-///
+//
+// Client IP address detection
+//
 use std::net::IpAddr;

 pub struct ClientIp {
--- a/src/config.rs
+++ b/src/config.rs
@@ -0,0 +1,605 @@
+use std::process::exit;
+use std::sync::RwLock;
+
+use crate::error::Error;
+use crate::util::get_env;
+
+lazy_static! {
+    pub static ref CONFIG: Config = Config::load().unwrap_or_else(|e| {
+        println!("Error loading config:\n\t{:?}\n", e);
+        exit(12)
+    });
+    pub static ref CONFIG_FILE: String = {
+        let data_folder = get_env("DATA_FOLDER").unwrap_or_else(|| String::from("data"));
+        get_env("CONFIG_FILE").unwrap_or_else(|| format!("{}/config.json", data_folder))
+    };
+}
+
+pub type Pass = String;
+
+macro_rules! make_config {
+    ($(
+        $(#[doc = $groupdoc:literal])?
+        $group:ident $(: $group_enabled:ident)? {
+        $(
+            $(#[doc = $doc:literal])+
+            $name:ident : $ty:ty, $editable:literal, $none_action:ident $(, $default:expr)?;
+        )+},
+    )+) => {
+        pub struct Config { inner: RwLock<Inner> }
+
+        struct Inner {
+            templates: Handlebars,
+            config: ConfigItems,
+
+            _env: ConfigBuilder,
+            _usr: ConfigBuilder,
+        }
+
+        #[derive(Debug, Clone, Default, Deserialize, Serialize)]
+        pub struct ConfigBuilder {
+            $($(
+                #[serde(skip_serializing_if = "Option::is_none")]
+                $name: Option<$ty>,
+            )+)+
+        }
+
+        impl ConfigBuilder {
+            fn from_env() -> Self {
+                dotenv::from_path(".env").ok();
+
+                let mut builder = ConfigBuilder::default();
+                $($(
+                    builder.$name = get_env(&stringify!($name).to_uppercase());
+                )+)+
+
+                builder
+            }
+
+            fn from_file(path: &str) -> Result<Self, Error> {
+                use crate::util::read_file_string;
+                let config_str = read_file_string(path)?;
+                serde_json::from_str(&config_str).map_err(Into::into)
+            }
+
+            /// Merges the values of both builders into a new builder.
+            /// If both have the same element, `other` wins.
+            fn merge(&self, other: &Self, show_overrides: bool) -> Self {
+                let mut overrides = Vec::new();
+                let mut builder = self.clone();
+                $($(
+                    if let v @Some(_) = &other.$name {
+                        builder.$name = v.clone();
+
+                        if self.$name.is_some() {
+                            overrides.push(stringify!($name).to_uppercase());
+                        }
+                    }
+                )+)+
+
+                if show_overrides && !overrides.is_empty() {
+                    // We can't use warn! here because logging isn't setup yet.
+                    println!("[WARNING] The following environment variables are being overriden by the config file,");
+                    println!("[WARNING] please use the admin panel to make changes to them:");
+                    println!("[WARNING] {}\n", overrides.join(", "));
+                }
+
+                builder
+            }
+
+            /// Returns a new builder with all the elements from self,
+            /// except those that are equal in both sides
+            fn _remove(&self, other: &Self) -> Self {
+                let mut builder = ConfigBuilder::default();
+                $($(
+                    if &self.$name != &other.$name {
+                        builder.$name = self.$name.clone();
+                    }
+
+                )+)+
+                builder
+            }
+
+            fn build(&self) -> ConfigItems {
+                let mut config = ConfigItems::default();
+                let _domain_set = self.domain.is_some();
+                $($(
+                    config.$name = make_config!{ @build self.$name.clone(), &config, $none_action, $($default)? };
+                )+)+
+                config.domain_set = _domain_set;
+
+                config
+            }
+        }
+
+        #[derive(Debug, Clone, Default)]
+        pub struct ConfigItems { $($(pub $name: make_config!{@type $ty, $none_action}, )+)+ }
+
+        #[allow(unused)]
+        impl Config {
+            $($(
+                pub fn $name(&self) -> make_config!{@type $ty, $none_action} {
+                    self.inner.read().unwrap().config.$name.clone()
+                }
+            )+)+
+
+            pub fn prepare_json(&self) -> serde_json::Value {
+                let (def, cfg) = {
+                    let inner = &self.inner.read().unwrap();
+                    (inner._env.build(), inner.config.clone())
+                };
+
+
+                fn _get_form_type(rust_type: &str) -> &'static str {
+                    match rust_type {
+                        "Pass" => "password",
+                        "String" => "text",
+                        "bool" => "checkbox",
+                        _ => "number"
+                    }
+                }
+
+                fn _get_doc(doc: &str) -> serde_json::Value {
+                    let mut split = doc.split("|>").map(str::trim);
+                    json!({
+                        "name": split.next(),
+                        "description": split.next()
+                    })
+                }
+
+                json!([ $({
+                    "group": stringify!($group),
+                    "grouptoggle": stringify!($($group_enabled)?),
+                    "groupdoc": make_config!{ @show $($groupdoc)? },
+                    "elements": [
+                    $( {
+                        "editable": $editable,
+                        "name": stringify!($name),
+                        "value": cfg.$name,
+                        "default": def.$name,
+                        "type":  _get_form_type(stringify!($ty)),
+                        "doc": _get_doc(concat!($($doc),+)),
+                    }, )+
+                    ]}, )+ ])
+            }
+        }
+    };
+
+    // Group or empty string
+    ( @show ) => { "" };
+    ( @show $lit:literal ) => { $lit };
+
+    // Wrap the optionals in an Option type
+    ( @type $ty:ty, option) => { Option<$ty> };
+    ( @type $ty:ty, $id:ident) => { $ty };
+
+    // Generate the values depending on none_action
+    ( @build $value:expr, $config:expr, option, ) => { $value };
+    ( @build $value:expr, $config:expr, def, $default:expr ) => { $value.unwrap_or($default) };
+    ( @build $value:expr, $config:expr, auto, $default_fn:expr ) => {{
+        match $value {
+            Some(v) => v,
+            None => {
+                let f: &dyn Fn(&ConfigItems) -> _ = &$default_fn;
+                f($config)
+            }
+        }
+    }};
+}
+
+//STRUCTURE:
+// /// Short description (without this they won't appear on the list)
+// group {
+//   /// Friendly Name |> Description (Optional)
+//   name: type, is_editable, none_action, <default_value (Optional)>
+// }
+//
+// Where none_action applied when the value wasn't provided and can be:
+//  def:    Use a default value
+//  auto:   Value is auto generated based on other values
+//  option: Value is optional
+make_config! {
+    folders {
+        ///  Data folder |> Main data folder
+        data_folder:            String, false,  def,    "data".to_string();
+        /// Database URL
+        database_url:           String, false,  auto,   |c| format!("{}/{}", c.data_folder, "db.sqlite3");
+        /// Icon cache folder
+        icon_cache_folder:      String, false,  auto,   |c| format!("{}/{}", c.data_folder, "icon_cache");
+        /// Attachments folder
+        attachments_folder:     String, false,  auto,   |c| format!("{}/{}", c.data_folder, "attachments");
+        /// Templates folder
+        templates_folder:       String, false,  auto,   |c| format!("{}/{}", c.data_folder, "templates");
+        /// Session JWT key
+        rsa_key_filename:       String, false,  auto,   |c| format!("{}/{}", c.data_folder, "rsa_key");
+        /// Web vault folder
+        web_vault_folder:       String, false,  def,    "web-vault/".to_string();
+    },
+    ws {
+        /// Enable websocket notifications
+        websocket_enabled:      bool,   false,  def,    false;
+        /// Websocket address
+        websocket_address:      String, false,  def,    "0.0.0.0".to_string();
+        /// Websocket port
+        websocket_port:         u16,    false,  def,    3012;
+    },
+
+    /// General settings
+    settings {
+        /// Domain URL |> This needs to be set to the URL used to access the server, including 'http[s]://'
+        /// and port, if it's different than the default. Some server functions don't work correctly without this value
+        domain:                 String, true,   def,    "http://localhost".to_string();
+        /// Domain Set |> Indicates if the domain is set by the admin. Otherwise the default will be used.
+        domain_set:             bool,   false,  def,    false;
+        /// Enable web vault
+        web_vault_enabled:      bool,   false,  def,    true;
+
+        /// HIBP Api Key |> HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+        hibp_api_key:           Pass,   true,   option;
+
+        /// Disable icon downloads |> Set to true to disable icon downloading, this would still serve icons from
+        /// $ICON_CACHE_FOLDER, but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+        /// otherwise it will delete them and they won't be downloaded again.
+        disable_icon_download:  bool,   true,   def,    false;
+        /// Allow new signups |> Controls if new users can register. Note that while this is disabled, users could still be invited
+        signups_allowed:        bool,   true,   def,    true;
+        /// Allow invitations |> Controls whether users can be invited by organization admins, even when signups are disabled
+        invitations_allowed:    bool,   true,   def,    true;
+        /// Password iterations |> Number of server-side passwords hashing iterations.
+        /// The changes only apply when a user changes their password. Not recommended to lower the value
+        password_iterations:    i32,    true,   def,    100_000;
+        /// Show password hints |> Controls if the password hint should be shown directly in the web page.
+        /// Otherwise, if email is disabled, there is no way to see the password hint
+        show_password_hint:     bool,   true,   def,    true;
+
+        /// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session
+        admin_token:            Pass,   true,   option;
+    },
+
+    /// Advanced settings
+    advanced {
+        /// Positive icon cache expiry |> Number of seconds to consider that an already cached icon is fresh. After this period, the icon will be redownloaded
+        icon_cache_ttl:         u64,    true,   def,    2_592_000;
+        /// Negative icon cache expiry |> Number of seconds before trying to download an icon that failed again.
+        icon_cache_negttl:      u64,    true,   def,    259_200;
+        /// Icon download timeout |> Number of seconds when to stop attempting to download an icon.
+        icon_download_timeout:  u64,    true,   def,    10;
+        /// Icon blacklist Regex |> Any domains or IPs that match this regex won't be fetched by the icon service.
+        /// Useful to hide other servers in the local network. Check the WIKI for more details
+        icon_blacklist_regex:   String, true,   option;
+
+        /// Disable Two-Factor remember |> Enabling this would force the users to use a second factor to login every time.
+        /// Note that the checkbox would still be present, but ignored.
+        disable_2fa_remember:   bool,   true,   def,    false;
+
+        /// Require new device emails |> When a user logs in an email is required to be sent.
+        /// If sending the email fails the login attempt will fail.
+        require_device_email:   bool,   true,   def,     false;
+
+        /// Reload templates (Dev) |> When this is set to true, the templates get reloaded with every request.
+        /// ONLY use this during development, as it can slow down the server
+        reload_templates:       bool,   true,   def,    false;
+
+        /// Log routes at launch (Dev)
+        log_mounts:             bool,   true,   def,    false;
+        /// Enable extended logging
+        extended_logging:       bool,   false,  def,    true;
+        /// Enable the log to output to Syslog
+        use_syslog:             bool,   false,  def,    false;
+        /// Log file path
+        log_file:               String, false,  option;
+        /// Log level
+        log_level:              String, false,  def,    "Info".to_string();
+
+        /// Enable DB WAL |> Turning this off might lead to worse performance, but might help if using bitwarden_rs on some exotic filesystems,
+        /// that do not support WAL. Please make sure you read project wiki on the topic before changing this setting.
+        enable_db_wal:          bool,   false,  def,    true;
+
+        /// Disable Admin Token (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
+        disable_admin_token:    bool,   true,   def,    false;
+    },
+
+    /// Yubikey settings
+    yubico: _enable_yubico {
+        /// Enabled
+        _enable_yubico:         bool,   true,   def,     true;
+        /// Client ID
+        yubico_client_id:       String, true,   option;
+        /// Secret Key
+        yubico_secret_key:      Pass,   true,   option;
+        /// Server
+        yubico_server:          String, true,   option;
+    },
+
+    /// Global Duo settings (Note that users can override them)
+    duo: _enable_duo {
+        /// Enabled
+        _enable_duo:            bool,   true,   def,     false;
+        /// Integration Key
+        duo_ikey:               String, true,   option;
+        /// Secret Key
+        duo_skey:               Pass,   true,   option;
+        /// Host
+        duo_host:               String, true,   option;
+        /// Application Key (generated automatically)
+        _duo_akey:              Pass,   false,  option;
+    },
+
+    /// SMTP Email Settings
+    smtp: _enable_smtp {
+        /// Enabled
+        _enable_smtp:           bool,   true,   def,     true;
+        /// Host
+        smtp_host:              String, true,   option;
+        /// Enable SSL
+        smtp_ssl:               bool,   true,   def,     true;
+        /// Use explicit TLS |> Enabling this would force the use of an explicit TLS connection, instead of upgrading an insecure one with STARTTLS
+        smtp_explicit_tls:      bool,   true,   def,     false;
+        /// Port
+        smtp_port:              u16,    true,   auto,    |c| if c.smtp_explicit_tls {465} else if c.smtp_ssl {587} else {25};
+        /// From Address
+        smtp_from:              String, true,   def,     String::new();
+        /// From Name
+        smtp_from_name:         String, true,   def,     "Bitwarden_RS".to_string();
+        /// Username
+        smtp_username:          String, true,   option;
+        /// Password
+        smtp_password:          Pass,   true,   option;
+        /// Json form auth mechanism |> Defaults for ssl is "Plain" and "Login" and nothing for non-ssl connections. Possible values: ["Plain", "Login", "Xoauth2"]
+        smtp_auth_mechanism:    String, true,   option;
+    },
+}
+
+fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
+    if let Some(ref token) = cfg.admin_token {
+        if token.trim().is_empty() {
+            err!("`ADMIN_TOKEN` is enabled but has an empty value. To enable the admin page without token, use `DISABLE_ADMIN_TOKEN`")
+        }
+    }
+
+    if (cfg.duo_host.is_some() || cfg.duo_ikey.is_some() || cfg.duo_skey.is_some())
+        && !(cfg.duo_host.is_some() && cfg.duo_ikey.is_some() && cfg.duo_skey.is_some())
+    {
+        err!("All Duo options need to be set for global Duo support")
+    }
+
+    if cfg.yubico_client_id.is_some() != cfg.yubico_secret_key.is_some() {
+        err!("Both `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` need to be set for Yubikey OTP support")
+    }
+
+    if cfg.smtp_host.is_some() == cfg.smtp_from.is_empty() {
+        err!("Both `SMTP_HOST` and `SMTP_FROM` need to be set for email support")
+    }
+
+    if cfg.smtp_username.is_some() != cfg.smtp_password.is_some() {
+        err!("Both `SMTP_USERNAME` and `SMTP_PASSWORD` need to be set to enable email authentication")
+    }
+
+    Ok(())
+}
+
+impl Config {
+    pub fn load() -> Result<Self, Error> {
+        // Loading from env and file
+        let _env = ConfigBuilder::from_env();
+        let _usr = ConfigBuilder::from_file(&CONFIG_FILE).unwrap_or_default();
+
+        // Create merged config, config file overwrites env
+        let builder = _env.merge(&_usr, true);
+
+        // Fill any missing with defaults
+        let config = builder.build();
+        validate_config(&config)?;
+
+        Ok(Config {
+            inner: RwLock::new(Inner {
+                templates: load_templates(&config.templates_folder),
+                config,
+                _env,
+                _usr,
+            }),
+        })
+    }
+
+    pub fn update_config(&self, other: ConfigBuilder) -> Result<(), Error> {
+        // Remove default values
+        //let builder = other.remove(&self.inner.read().unwrap()._env);
+
+        // TODO: Remove values that are defaults, above only checks those set by env and not the defaults
+        let builder = other;
+
+        // Serialize now before we consume the builder
+        let config_str = serde_json::to_string_pretty(&builder)?;
+
+        // Prepare the combined config
+        let config = {
+            let env = &self.inner.read().unwrap()._env;
+            env.merge(&builder, false).build()
+        };
+        validate_config(&config)?;
+
+        // Save both the user and the combined config
+        {
+            let mut writer = self.inner.write().unwrap();
+            writer.config = config;
+            writer._usr = builder;
+        }
+
+        //Save to file
+        use std::{fs::File, io::Write};
+        let mut file = File::create(&*CONFIG_FILE)?;
+        file.write_all(config_str.as_bytes())?;
+
+        Ok(())
+    }
+
+    pub fn update_config_partial(&self, other: ConfigBuilder) -> Result<(), Error> {
+        let builder = {
+            let usr = &self.inner.read().unwrap()._usr;
+            usr.merge(&other, false)
+        };
+        self.update_config(builder)
+    }
+
+    pub fn delete_user_config(&self) -> Result<(), Error> {
+        crate::util::delete_file(&CONFIG_FILE)?;
+
+        // Empty user config
+        let usr = ConfigBuilder::default();
+
+        // Config now is env + defaults
+        let config = {
+            let env = &self.inner.read().unwrap()._env;
+            env.build()
+        };
+
+        // Save configs
+        {
+            let mut writer = self.inner.write().unwrap();
+            writer.config = config;
+            writer._usr = usr;
+        }
+
+        Ok(())
+    }
+
+    pub fn private_rsa_key(&self) -> String {
+        format!("{}.der", CONFIG.rsa_key_filename())
+    }
+    pub fn private_rsa_key_pem(&self) -> String {
+        format!("{}.pem", CONFIG.rsa_key_filename())
+    }
+    pub fn public_rsa_key(&self) -> String {
+        format!("{}.pub.der", CONFIG.rsa_key_filename())
+    }
+    pub fn mail_enabled(&self) -> bool {
+        let inner = &self.inner.read().unwrap().config;
+        inner._enable_smtp && inner.smtp_host.is_some()
+    }
+
+    pub fn get_duo_akey(&self) -> String {
+        if let Some(akey) = self._duo_akey() {
+            akey
+        } else {
+            let akey = crate::crypto::get_random_64();
+            let akey_s = data_encoding::BASE64.encode(&akey);
+
+            // Save the new value
+            let mut builder = ConfigBuilder::default();
+            builder._duo_akey = Some(akey_s.clone());
+            self.update_config_partial(builder).ok();
+
+            akey_s
+        }
+    }
+
+    pub fn render_template<T: serde::ser::Serialize>(
+        &self,
+        name: &str,
+        data: &T,
+    ) -> Result<String, crate::error::Error> {
+        if CONFIG.reload_templates() {
+            warn!("RELOADING TEMPLATES");
+            let hb = load_templates(CONFIG.templates_folder().as_ref());
+            hb.render(name, data).map_err(Into::into)
+        } else {
+            let hb = &CONFIG.inner.read().unwrap().templates;
+            hb.render(name, data).map_err(Into::into)
+        }
+    }
+}
+
+use handlebars::{
+    Context, Handlebars, Helper, HelperDef, HelperResult, Output, RenderContext, RenderError, Renderable,
+};
+
+fn load_templates(path: &str) -> Handlebars {
+    let mut hb = Handlebars::new();
+    // Error on missing params
+    hb.set_strict_mode(true);
+    // Register helpers
+    hb.register_helper("case", Box::new(CaseHelper));
+    hb.register_helper("jsesc", Box::new(JsEscapeHelper));
+
+    macro_rules! reg {
+        ($name:expr) => {{
+            let template = include_str!(concat!("static/templates/", $name, ".hbs"));
+            hb.register_template_string($name, template).unwrap();
+        }};
+        ($name:expr, $ext:expr) => {{
+            reg!($name);
+            reg!(concat!($name, $ext));
+        }};
+    }
+
+    // First register default templates here
+    reg!("email/invite_accepted", ".html");
+    reg!("email/invite_confirmed", ".html");
+    reg!("email/new_device_logged_in", ".html");
+    reg!("email/pw_hint_none", ".html");
+    reg!("email/pw_hint_some", ".html");
+    reg!("email/send_org_invite", ".html");
+
+    reg!("admin/base");
+    reg!("admin/login");
+    reg!("admin/page");
+
+    // And then load user templates to overwrite the defaults
+    // Use .hbs extension for the files
+    // Templates get registered with their relative name
+    hb.register_templates_directory(".hbs", path).unwrap();
+
+    hb
+}
+
+pub struct CaseHelper;
+
+impl HelperDef for CaseHelper {
+    fn call<'reg: 'rc, 'rc>(
+        &self,
+        h: &Helper<'reg, 'rc>,
+        r: &'reg Handlebars,
+        ctx: &Context,
+        rc: &mut RenderContext<'reg>,
+        out: &mut dyn Output,
+    ) -> HelperResult {
+        let param = h
+            .param(0)
+            .ok_or_else(|| RenderError::new("Param not found for helper \"case\""))?;
+        let value = param.value().clone();
+
+        if h.params().iter().skip(1).any(|x| x.value() == &value) {
+            h.template().map(|t| t.render(r, ctx, rc, out)).unwrap_or(Ok(()))
+        } else {
+            Ok(())
+        }
+    }
+}
+
+pub struct JsEscapeHelper;
+
+impl HelperDef for JsEscapeHelper {
+    fn call<'reg: 'rc, 'rc>(
+        &self,
+        h: &Helper<'reg, 'rc>,
+        _: &'reg Handlebars,
+        _: &Context,
+        _: &mut RenderContext<'reg>,
+        out: &mut dyn Output,
+    ) -> HelperResult {
+        let param = h
+            .param(0)
+            .ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
+
+        let value = param
+            .value()
+            .as_str()
+            .ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
+
+        let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
+        let quoted_value = format!("&quot;{}&quot;", escaped_value);
+
+        out.write(&quoted_value)?;
+        Ok(())
+    }
+}
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -1,8 +1,9 @@
-///
-/// PBKDF2 derivation
-///
+//
+// PBKDF2 derivation
+//

-use ring::{digest, pbkdf2};
+use ring::{digest, hmac, pbkdf2};
+use std::num::NonZeroU32;

 static DIGEST_ALG: &digest::Algorithm = &digest::SHA256;
 const OUTPUT_LEN: usize = digest::SHA256_OUTPUT_LEN;
@@ -10,18 +11,32 @@ const OUTPUT_LEN: usize = digest::SHA256_OUTPUT_LEN;
 pub fn hash_password(secret: &[u8], salt: &[u8], iterations: u32) -> Vec<u8> {
    let mut out = vec![0u8; OUTPUT_LEN]; // Initialize array with zeros

+    let iterations = NonZeroU32::new(iterations).expect("Iterations can't be zero");
    pbkdf2::derive(DIGEST_ALG, iterations, salt, secret, &mut out);

    out
 }

 pub fn verify_password_hash(secret: &[u8], salt: &[u8], previous: &[u8], iterations: u32) -> bool {
+    let iterations = NonZeroU32::new(iterations).expect("Iterations can't be zero");
    pbkdf2::verify(DIGEST_ALG, iterations, salt, secret, previous).is_ok()
 }

-///
-/// Random values
-///
+//
+// HMAC
+//
+pub fn hmac_sign(key: &str, data: &str) -> String {
+    use data_encoding::HEXLOWER;
+
+    let key = hmac::SigningKey::new(&digest::SHA1, key.as_bytes());
+    let signature = hmac::sign(&key, data.as_bytes());
+
+    HEXLOWER.encode(signature.as_ref())
+}
+
+//
+// Random values
+//

 pub fn get_random_64() -> Vec<u8> {
    get_random(vec![0u8; 64])
@@ -30,7 +45,18 @@ pub fn get_random_64() -> Vec<u8> {
 pub fn get_random(mut array: Vec<u8>) -> Vec<u8> {
    use ring::rand::{SecureRandom, SystemRandom};

-    SystemRandom::new().fill(&mut array).expect("Error generating random values");
+    SystemRandom::new()
+        .fill(&mut array)
+        .expect("Error generating random values");

    array
 }
+
+//
+// Constant time compare
+//
+pub fn ct_eq<T: AsRef<[u8]>, U: AsRef<[u8]>>(a: T, b: U) -> bool {
+    use ring::constant_time::verify_slices_are_equal;
+
+    verify_slices_are_equal(a.as_ref(), b.as_ref()).is_ok()
+}
--- a/src/db/mod.rs
+++ b/src/db/mod.rs
@@ -1,39 +1,63 @@
 use std::ops::Deref;

-use diesel::{Connection as DieselConnection, ConnectionError};
-use diesel::sqlite::SqliteConnection;
 use diesel::r2d2;
 use diesel::r2d2::ConnectionManager;
+use diesel::{Connection as DieselConnection, ConnectionError};

 use rocket::http::Status;
 use rocket::request::{self, FromRequest};
 use rocket::{Outcome, Request, State};

+use crate::error::Error;
+use chrono::prelude::*;
+use std::process::Command;
+
 use crate::CONFIG;

 /// An alias to the database connection used
-type Connection = SqliteConnection;
+#[cfg(feature = "sqlite")]
+type Connection = diesel::sqlite::SqliteConnection;
+#[cfg(feature = "mysql")]
+type Connection = diesel::mysql::MysqlConnection;

-/// An alias to the type for a pool of Diesel SQLite connections.
+/// An alias to the type for a pool of Diesel connections.
 type Pool = r2d2::Pool<ConnectionManager<Connection>>;

 /// Connection request guard type: a wrapper around an r2d2 pooled connection.
 pub struct DbConn(pub r2d2::PooledConnection<ConnectionManager<Connection>>);

-pub mod schema;
 pub mod models;
+#[cfg(feature = "sqlite")]
+#[path = "schemas/sqlite/schema.rs"]
+pub mod schema;
+#[cfg(feature = "mysql")]
+#[path = "schemas/mysql/schema.rs"]
+pub mod schema;

 /// Initializes a database pool.
 pub fn init_pool() -> Pool {
-    let manager = ConnectionManager::new(&*CONFIG.database_url);
+    let manager = ConnectionManager::new(CONFIG.database_url());

-    r2d2::Pool::builder()
-        .build(manager)
-        .expect("Failed to create pool")
+    r2d2::Pool::builder().build(manager).expect("Failed to create pool")
 }

 pub fn get_connection() -> Result<Connection, ConnectionError> {
-    Connection::establish(&CONFIG.database_url)
+    Connection::establish(&CONFIG.database_url())
+}
+
+/// Creates a back-up of the database using sqlite3
+pub fn backup_database() -> Result<(), Error> {
+    let now: DateTime<Utc> = Utc::now();
+    let file_date = now.format("%Y%m%d").to_string();
+    let backup_command: String = format!("{}{}{}", ".backup 'db_", file_date, ".sqlite3'");
+
+    Command::new("sqlite3")
+        .current_dir("./data")
+        .args(&["db.sqlite3", &backup_command])
+        .output()
+        .expect("Can't open database, sqlite3 is not available, make sure it's installed and available on the PATH");
+
+    Ok(())
 }

 /// Attempts to retrieve a single connection from the managed database pool. If
@@ -46,7 +70,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for DbConn {
        let pool = request.guard::<State<Pool>>()?;
        match pool.get() {
            Ok(conn) => Outcome::Success(DbConn(conn)),
-            Err(_) => Outcome::Failure((Status::ServiceUnavailable, ()))
+            Err(_) => Outcome::Failure((Status::ServiceUnavailable, ())),
        }
    }
 }
--- a/src/db/models/attachment.rs
+++ b/src/db/models/attachment.rs
@@ -12,7 +12,7 @@ pub struct Attachment {
    pub cipher_uuid: String,
    pub file_name: String,
    pub file_size: i32,
-    pub key: Option<String>
+    pub akey: Option<String>,
 }

 /// Local methods
@@ -23,12 +23,12 @@ impl Attachment {
            cipher_uuid,
            file_name,
            file_size,
-            key: None
+            akey: None,
        }
    }

    pub fn get_file_path(&self) -> String {
-        format!("{}/{}/{}", CONFIG.attachments_folder, self.cipher_uuid, self.id)
+        format!("{}/{}/{}", CONFIG.attachments_folder(), self.cipher_uuid, self.id)
    }

    pub fn to_json(&self, host: &str) -> Value {
@@ -43,40 +43,41 @@ impl Attachment {
            "FileName": self.file_name,
            "Size": self.file_size.to_string(),
            "SizeName": display_size,
-            "Key": self.key,
+            "Key": self.akey,
            "Object": "attachment"
        })
    }
 }

+use crate::db::schema::attachments;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use crate::db::DbConn;
-use crate::db::schema::attachments;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Attachment {
-    pub fn save(&self, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
        diesel::replace_into(attachments::table)
            .values(self)
            .execute(&**conn)
-            .and(Ok(()))
+            .map_res("Error saving attachment")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
        crate::util::retry(
-            || {
-                diesel::delete(attachments::table.filter(attachments::id.eq(&self.id)))
-                    .execute(&**conn)
-            },
+            || diesel::delete(attachments::table.filter(attachments::id.eq(&self.id))).execute(&**conn),
            10,
-        )?;
+        )
+        .map_res("Error deleting attachment")?;

-        crate::util::delete_file(&self.get_file_path());
+        crate::util::delete_file(&self.get_file_path())?;
        Ok(())
    }

-    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> EmptyResult {
        for attachment in Attachment::find_by_cipher(&cipher_uuid, &conn) {
            attachment.delete(&conn)?;
        }
@@ -84,20 +85,25 @@ impl Attachment {
    }

    pub fn find_by_id(id: &str, conn: &DbConn) -> Option<Self> {
+        let id = id.to_lowercase();
+
        attachments::table
            .filter(attachments::id.eq(id))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_cipher(cipher_uuid: &str, conn: &DbConn) -> Vec<Self> {
        attachments::table
            .filter(attachments::cipher_uuid.eq(cipher_uuid))
-            .load::<Self>(&**conn).expect("Error loading attachments")
+            .load::<Self>(&**conn)
+            .expect("Error loading attachments")
    }

    pub fn find_by_ciphers(cipher_uuids: Vec<String>, conn: &DbConn) -> Vec<Self> {
        attachments::table
            .filter(attachments::cipher_uuid.eq_any(cipher_uuids))
-            .load::<Self>(&**conn).expect("Error loading attachments")
+            .load::<Self>(&**conn)
+            .expect("Error loading attachments")
    }
 }
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -1,7 +1,9 @@
 use chrono::{NaiveDateTime, Utc};
 use serde_json::Value;

-use super::{User, Organization, Attachment, FolderCipher, CollectionCipher, UserOrganization, UserOrgType, UserOrgStatus};
+use super::{
+    Attachment, CollectionCipher, FolderCipher, Organization, User, UserOrgStatus, UserOrgType, UserOrganization,
+};

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "ciphers"]
@@ -22,7 +24,7 @@ pub struct Cipher {
    Card = 3,
    Identity = 4
    */
-    pub type_: i32,
+    pub atype: i32,
    pub name: String,
    pub notes: Option<String>,
    pub fields: Option<String>,
@@ -35,7 +37,7 @@ pub struct Cipher {

 /// Local methods
 impl Cipher {
-    pub fn new(type_: i32, name: String) -> Self {
+    pub fn new(atype: i32, name: String) -> Self {
        let now = Utc::now().naive_utc();

        Self {
@@ -46,7 +48,7 @@ impl Cipher {
            user_uuid: None,
            organization_uuid: None,

-            type_,
+            atype,
            favorite: false,
            name,

@@ -59,35 +61,31 @@ impl Cipher {
    }
 }

+use crate::db::schema::*;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use crate::db::DbConn;
-use crate::db::schema::*;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Cipher {
    pub fn to_json(&self, host: &str, user_uuid: &str, conn: &DbConn) -> Value {
-        use serde_json;
        use crate::util::format_date;
-        use super::Attachment;

        let attachments = Attachment::find_by_cipher(&self.uuid, conn);
        let attachments_json: Vec<Value> = attachments.iter().map(|c| c.to_json(host)).collect();

-        let fields_json: Value = if let Some(ref fields) = self.fields {
-            serde_json::from_str(fields).unwrap()
-        } else { Value::Null };
-        
-        let password_history_json: Value = if let Some(ref password_history) = self.password_history {
-            serde_json::from_str(password_history).unwrap()
-        } else { Value::Null };
+        let fields_json = self.fields.as_ref().and_then(|s| serde_json::from_str(s).ok()).unwrap_or(Value::Null);
+        let password_history_json = self.password_history.as_ref().and_then(|s| serde_json::from_str(s).ok()).unwrap_or(Value::Null);

-        let mut data_json: Value = serde_json::from_str(&self.data).unwrap();
+        let mut data_json: Value = serde_json::from_str(&self.data).unwrap_or(Value::Null);

        // TODO: ******* Backwards compat start **********
        // To remove backwards compatibility, just remove this entire section
        // and remove the compat code from ciphers::update_cipher_from_data
-        if self.type_ == 1 && data_json["Uris"].is_array() {
+        if self.atype == 1 && data_json["Uris"].is_array() {
            let uri = data_json["Uris"][0]["Uri"].clone();
            data_json["Uri"] = uri;
        }
@@ -95,7 +93,7 @@ impl Cipher {

        let mut json_object = json!({
            "Id": self.uuid,
-            "Type": self.type_,
+            "Type": self.atype,
            "RevisionDate": format_date(&self.updated_at),
            "FolderId": self.get_folder_uuid(&user_uuid, &conn),
            "Favorite": self.favorite,
@@ -116,7 +114,7 @@ impl Cipher {
            "PasswordHistory": password_history_json,
        });

-        let key = match self.type_ {
+        let key = match self.atype {
            1 => "Login",
            2 => "SecureNote",
            3 => "Card",
@@ -134,166 +132,163 @@ impl Cipher {
            Some(ref user_uuid) => {
                User::update_uuid_revision(&user_uuid, conn);
                user_uuids.push(user_uuid.clone())
-            },
-            None => { // Belongs to Organization, need to update affected users
+            }
+            None => {
+                // Belongs to Organization, need to update affected users
                if let Some(ref org_uuid) = self.organization_uuid {
                    UserOrganization::find_by_cipher_and_org(&self.uuid, &org_uuid, conn)
-                    .iter()
-                    .for_each(|user_org| {
-                        User::update_uuid_revision(&user_org.user_uuid, conn);
-                        user_uuids.push(user_org.user_uuid.clone())
-                    });
+                        .iter()
+                        .for_each(|user_org| {
+                            User::update_uuid_revision(&user_org.user_uuid, conn);
+                            user_uuids.push(user_org.user_uuid.clone())
+                        });
                }
            }
        };
        user_uuids
    }

-    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
        self.update_users_revision(conn);
        self.updated_at = Utc::now().naive_utc();

        diesel::replace_into(ciphers::table)
            .values(&*self)
            .execute(&**conn)
-            .and(Ok(()))
+            .map_res("Error saving cipher")
    }

-    pub fn delete(&self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(&self, conn: &DbConn) -> EmptyResult {
        self.update_users_revision(conn);

        FolderCipher::delete_all_by_cipher(&self.uuid, &conn)?;
        CollectionCipher::delete_all_by_cipher(&self.uuid, &conn)?;
        Attachment::delete_all_by_cipher(&self.uuid, &conn)?;

-        diesel::delete(
-            ciphers::table.filter(
-                ciphers::uuid.eq(&self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(ciphers::table.filter(ciphers::uuid.eq(&self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting cipher")
    }

-    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult {
        for cipher in Self::find_by_org(org_uuid, &conn) {
            cipher.delete(&conn)?;
        }
        Ok(())
    }

-    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
        for cipher in Self::find_owned_by_user(user_uuid, &conn) {
            cipher.delete(&conn)?;
        }
        Ok(())
    }

-    pub fn move_to_folder(&self, folder_uuid: Option<String>, user_uuid: &str, conn: &DbConn) -> Result<(), &str> {
-        match self.get_folder_uuid(&user_uuid, &conn)  {
-            None => {
-                match folder_uuid {
-                    Some(new_folder) => {
-                        self.update_users_revision(conn);
-                        let folder_cipher = FolderCipher::new(&new_folder, &self.uuid);
-                        folder_cipher.save(&conn).or(Err("Couldn't save folder setting"))
-                    },
-                    None => Ok(()) //nothing to do
-                }
+    pub fn move_to_folder(&self, folder_uuid: Option<String>, user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        User::update_uuid_revision(user_uuid, &conn);
+
+        match (self.get_folder_uuid(&user_uuid, &conn), folder_uuid) {
+            // No changes
+            (None, None) => Ok(()),
+            (Some(ref old), Some(ref new)) if old == new => Ok(()),
+
+            // Add to folder
+            (None, Some(new)) => FolderCipher::new(&new, &self.uuid).save(&conn),
+
+            // Remove from folder
+            (Some(old), None) => match FolderCipher::find_by_folder_and_cipher(&old, &self.uuid, &conn) {
+                Some(old) => old.delete(&conn),
+                None => err!("Couldn't move from previous folder"),
            },
-            Some(current_folder) => {
-                match folder_uuid {
-                    Some(new_folder) => {
-                        if current_folder == new_folder {
-                            Ok(()) //nothing to do
-                        } else {
-                            self.update_users_revision(conn);
-                            match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) {
-                                Some(current_folder) => {
-                                    current_folder.delete(&conn).or(Err("Failed removing old folder mapping"))
-                                },
-                                None => Ok(()) // Weird, but nothing to do
-                            }.and_then(
-                                |()| FolderCipher::new(&new_folder, &self.uuid)
-                                .save(&conn).or(Err("Couldn't save folder setting"))
-                            )
-                        }
-                    },
-                    None => {
-                        self.update_users_revision(conn);
-                        match FolderCipher::find_by_folder_and_cipher(&current_folder, &self.uuid, &conn) {
-                            Some(current_folder) => {
-                                current_folder.delete(&conn).or(Err("Failed removing old folder mapping"))
-                            },
-                            None => Err("Couldn't move from previous folder")
-                        }
-                    }
+
+            // Move to another folder
+            (Some(old), Some(new)) => {
+                if let Some(old) = FolderCipher::find_by_folder_and_cipher(&old, &self.uuid, &conn) {
+                    old.delete(&conn)?;
                }
+                FolderCipher::new(&new, &self.uuid).save(&conn)
            }
        }
    }

    pub fn is_write_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
        ciphers::table
-        .filter(ciphers::uuid.eq(&self.uuid))
-        .left_join(users_organizations::table.on(
-            ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()).and(
-                users_organizations::user_uuid.eq(user_uuid)
+            .filter(ciphers::uuid.eq(&self.uuid))
+            .left_join(
+                users_organizations::table.on(ciphers::organization_uuid
+                    .eq(users_organizations::org_uuid.nullable())
+                    .and(users_organizations::user_uuid.eq(user_uuid))),
            )
-        ))
-        .left_join(ciphers_collections::table)
-        .left_join(users_collections::table.on(
-            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
-        ))
-        .filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
-            users_organizations::access_all.eq(true).or( // access_all in Organization
-                users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
-                    users_collections::user_uuid.eq(user_uuid).and(
-                        users_collections::read_only.eq(false) //R/W access to collection
-                    )
-                )
+            .left_join(ciphers_collections::table)
+            .left_join(
+                users_collections::table
+                    .on(ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)),
            )
-        ))
-        .select(ciphers::all_columns)
-        .first::<Self>(&**conn).ok().is_some()
+            .filter(ciphers::user_uuid.eq(user_uuid).or(
+                // Cipher owner
+                users_organizations::access_all.eq(true).or(
+                    // access_all in Organization
+                    users_organizations::atype.le(UserOrgType::Admin as i32).or(
+                        // Org admin or owner
+                        users_collections::user_uuid.eq(user_uuid).and(
+                            users_collections::read_only.eq(false), //R/W access to collection
+                        ),
+                    ),
+                ),
+            ))
+            .select(ciphers::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
+            .is_some()
    }

    pub fn is_accessible_to_user(&self, user_uuid: &str, conn: &DbConn) -> bool {
        ciphers::table
-        .filter(ciphers::uuid.eq(&self.uuid))
-        .left_join(users_organizations::table.on(
-            ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable()).and(
-                users_organizations::user_uuid.eq(user_uuid)
+            .filter(ciphers::uuid.eq(&self.uuid))
+            .left_join(
+                users_organizations::table.on(ciphers::organization_uuid
+                    .eq(users_organizations::org_uuid.nullable())
+                    .and(users_organizations::user_uuid.eq(user_uuid))),
            )
-        ))
-        .left_join(ciphers_collections::table)
-        .left_join(users_collections::table.on(
-            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
-        ))
-        .filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
-            users_organizations::access_all.eq(true).or( // access_all in Organization
-                users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
-                    users_collections::user_uuid.eq(user_uuid) // Access to Collection
-                )
+            .left_join(ciphers_collections::table)
+            .left_join(
+                users_collections::table
+                    .on(ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)),
            )
-        ))
-        .select(ciphers::all_columns)
-        .first::<Self>(&**conn).ok().is_some()
+            .filter(ciphers::user_uuid.eq(user_uuid).or(
+                // Cipher owner
+                users_organizations::access_all.eq(true).or(
+                    // access_all in Organization
+                    users_organizations::atype.le(UserOrgType::Admin as i32).or(
+                        // Org admin or owner
+                        users_collections::user_uuid.eq(user_uuid), // Access to Collection
+                    ),
+                ),
+            ))
+            .select(ciphers::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
+            .is_some()
    }

    pub fn get_folder_uuid(&self, user_uuid: &str, conn: &DbConn) -> Option<String> {
-        folders_ciphers::table.inner_join(folders::table)
+        folders_ciphers::table
+            .inner_join(folders::table)
            .filter(folders::user_uuid.eq(&user_uuid))
            .filter(folders_ciphers::cipher_uuid.eq(&self.uuid))
            .select(folders_ciphers::folder_uuid)
-            .first::<String>(&**conn).ok()
+            .first::<String>(&**conn)
+            .ok()
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        ciphers::table
            .filter(ciphers::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

-    // Find all ciphers accesible to user
+    // Find all ciphers accessible to user
    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        ciphers::table
        .left_join(users_organizations::table.on(
@@ -303,13 +298,15 @@ impl Cipher {
                )
            )
        ))
-        .left_join(ciphers_collections::table)
+        .left_join(ciphers_collections::table.on(
+            ciphers::uuid.eq(ciphers_collections::cipher_uuid)
+        ))
        .left_join(users_collections::table.on(
            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
        ))
        .filter(ciphers::user_uuid.eq(user_uuid).or( // Cipher owner
            users_organizations::access_all.eq(true).or( // access_all in Organization
-                users_organizations::type_.le(UserOrgType::Admin as i32).or( // Org admin or owner
+                users_organizations::atype.le(UserOrgType::Admin as i32).or( // Org admin or owner
                    users_collections::user_uuid.eq(user_uuid).and( // Access to Collection
                        users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
                    )
@@ -352,12 +349,14 @@ impl Cipher {
            )
        ))
        .left_join(users_collections::table.on(
-            users_collections::collection_uuid.eq(ciphers_collections::collection_uuid)
+            users_collections::collection_uuid.eq(ciphers_collections::collection_uuid).and(
+                users_collections::user_uuid.eq(user_id)
+            )
        ))
        .filter(ciphers_collections::cipher_uuid.eq(&self.uuid))
        .filter(users_collections::user_uuid.eq(user_id).or( // User has access to collection
            users_organizations::access_all.eq(true).or( // User has access all
-                users_organizations::type_.le(UserOrgType::Admin as i32) // User is admin or owner
+                users_organizations::atype.le(UserOrgType::Admin as i32) // User is admin or owner
            )
        ))
        .select(ciphers_collections::collection_uuid)
--- a/src/db/models/collection.rs
+++ b/src/db/models/collection.rs
@@ -1,6 +1,6 @@
 use serde_json::Value;

-use super::{Organization, UserOrganization, UserOrgType, UserOrgStatus};
+use super::{Organization, UserOrgStatus, UserOrgType, UserOrganization};

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "collections"]
@@ -33,89 +33,101 @@ impl Collection {
    }
 }

+use crate::db::schema::*;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use crate::db::DbConn;
-use crate::db::schema::*;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Collection {
-    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
-        // Update affected users revision
-        UserOrganization::find_by_collection_and_org(&self.uuid, &self.org_uuid, conn)
-        .iter()
-        .for_each(|user_org| {
-            User::update_uuid_revision(&user_org.user_uuid, conn);
-        });
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
+        self.update_users_revision(conn);

        diesel::replace_into(collections::table)
-        .values(&*self)
-        .execute(&**conn)
-        .and(Ok(()))
+            .values(self)
+            .execute(&**conn)
+            .map_res("Error saving collection")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        self.update_users_revision(conn);
        CollectionCipher::delete_all_by_collection(&self.uuid, &conn)?;
        CollectionUser::delete_all_by_collection(&self.uuid, &conn)?;

-        diesel::delete(
-            collections::table.filter(
-                collections::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(collections::table.filter(collections::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting collection")
    }

-    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult {
        for collection in Self::find_by_organization(org_uuid, &conn) {
            collection.delete(&conn)?;
        }
        Ok(())
    }

+    pub fn update_users_revision(&self, conn: &DbConn) {
+        UserOrganization::find_by_collection_and_org(&self.uuid, &self.org_uuid, conn)
+            .iter()
+            .for_each(|user_org| {
+                User::update_uuid_revision(&user_org.user_uuid, conn);
+            });
+    }
+
    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        collections::table
            .filter(collections::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user_uuid(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
-        let mut all_access_collections = users_organizations::table
-            .filter(users_organizations::user_uuid.eq(user_uuid))
-            .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
-            .filter(users_organizations::access_all.eq(true))
-            .inner_join(collections::table.on(collections::org_uuid.eq(users_organizations::org_uuid)))
-            .select(collections::all_columns)
-            .load::<Self>(&**conn).expect("Error loading collections");
-
-        let mut assigned_collections = users_collections::table.inner_join(collections::table)
-            .left_join(users_organizations::table.on(
-                users_collections::user_uuid.eq(users_organizations::user_uuid)
-            ))
-            .filter(users_collections::user_uuid.eq(user_uuid))
-            .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
-            .select(collections::all_columns)
-            .load::<Self>(&**conn).expect("Error loading collections");
-
-        all_access_collections.append(&mut assigned_collections);
-        all_access_collections
+        collections::table
+        .left_join(users_collections::table.on(
+            users_collections::collection_uuid.eq(collections::uuid).and(
+                users_collections::user_uuid.eq(user_uuid)
+            )
+        ))
+        .left_join(users_organizations::table.on(
+            collections::org_uuid.eq(users_organizations::org_uuid).and(
+                users_organizations::user_uuid.eq(user_uuid)
+            )
+        ))
+        .filter(
+            users_organizations::status.eq(UserOrgStatus::Confirmed as i32)
+        )
+        .filter(
+            users_collections::user_uuid.eq(user_uuid).or( // Directly accessed collection
+                users_organizations::access_all.eq(true) // access_all in Organization
+            )
+        ).select(collections::all_columns)
+        .load::<Self>(&**conn).expect("Error loading collections")
    }

    pub fn find_by_organization_and_user_uuid(org_uuid: &str, user_uuid: &str, conn: &DbConn) -> Vec<Self> {
-        Self::find_by_user_uuid(user_uuid, conn).into_iter().filter(|c| c.org_uuid == org_uuid).collect()
+        Self::find_by_user_uuid(user_uuid, conn)
+            .into_iter()
+            .filter(|c| c.org_uuid == org_uuid)
+            .collect()
    }

    pub fn find_by_organization(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
        collections::table
            .filter(collections::org_uuid.eq(org_uuid))
-            .load::<Self>(&**conn).expect("Error loading collections")
+            .load::<Self>(&**conn)
+            .expect("Error loading collections")
    }

    pub fn find_by_uuid_and_org(uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
        collections::table
-        .filter(collections::uuid.eq(uuid))
-        .filter(collections::org_uuid.eq(org_uuid))
-        .select(collections::all_columns)
-        .first::<Self>(&**conn).ok()
+            .filter(collections::uuid.eq(uuid))
+            .filter(collections::org_uuid.eq(org_uuid))
+            .select(collections::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_uuid_and_user(uuid: &str, user_uuid: &str, conn: &DbConn) -> Option<Self> {
@@ -134,7 +146,7 @@ impl Collection {
        .filter(
            users_collections::collection_uuid.eq(uuid).or( // Directly accessed collection
                users_organizations::access_all.eq(true).or( // access_all in Organization
-                    users_organizations::type_.le(UserOrgType::Admin as i32) // Org admin or owner
+                    users_organizations::atype.le(UserOrgType::Admin as i32) // Org admin or owner
                )
            )
        ).select(collections::all_columns)
@@ -145,22 +157,25 @@ impl Collection {
        match UserOrganization::find_by_user_and_org(&user_uuid, &self.org_uuid, &conn) {
            None => false, // Not in Org
            Some(user_org) => {
-               if user_org.access_all {
-                   true
-               } else {
-                   users_collections::table.inner_join(collections::table)
-                   .filter(users_collections::collection_uuid.eq(&self.uuid))
-                   .filter(users_collections::user_uuid.eq(&user_uuid))
-                   .filter(users_collections::read_only.eq(false))
-                   .select(collections::all_columns)
-                   .first::<Self>(&**conn).ok().is_some() // Read only or no access to collection
-               }
+                if user_org.access_all {
+                    true
+                } else {
+                    users_collections::table
+                        .inner_join(collections::table)
+                        .filter(users_collections::collection_uuid.eq(&self.uuid))
+                        .filter(users_collections::user_uuid.eq(&user_uuid))
+                        .filter(users_collections::read_only.eq(false))
+                        .select(collections::all_columns)
+                        .first::<Self>(&**conn)
+                        .ok()
+                        .is_some() // Read only or no access to collection
+                }
            }
        }
    }
 }

-use super::User; 
+use super::User;

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "users_collections"]
@@ -181,66 +196,74 @@ impl CollectionUser {
            .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid)))
            .filter(collections::org_uuid.eq(org_uuid))
            .select(users_collections::all_columns)
-            .load::<Self>(&**conn).expect("Error loading users_collections")
+            .load::<Self>(&**conn)
+            .expect("Error loading users_collections")
    }

-    pub fn save(user_uuid: &str, collection_uuid: &str, read_only:bool, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(user_uuid: &str, collection_uuid: &str, read_only: bool, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&user_uuid, conn);

        diesel::replace_into(users_collections::table)
-        .values((
-            users_collections::user_uuid.eq(user_uuid),
-            users_collections::collection_uuid.eq(collection_uuid),
-            users_collections::read_only.eq(read_only),
-        )).execute(&**conn).and(Ok(()))
+            .values((
+                users_collections::user_uuid.eq(user_uuid),
+                users_collections::collection_uuid.eq(collection_uuid),
+                users_collections::read_only.eq(read_only),
+            ))
+            .execute(&**conn)
+            .map_res("Error adding user to collection")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&self.user_uuid, conn);

-        diesel::delete(users_collections::table
-        .filter(users_collections::user_uuid.eq(&self.user_uuid))
-        .filter(users_collections::collection_uuid.eq(&self.collection_uuid)))
-        .execute(&**conn).and(Ok(()))
+        diesel::delete(
+            users_collections::table
+                .filter(users_collections::user_uuid.eq(&self.user_uuid))
+                .filter(users_collections::collection_uuid.eq(&self.collection_uuid)),
+        )
+        .execute(&**conn)
+        .map_res("Error removing user from collection")
    }

    pub fn find_by_collection(collection_uuid: &str, conn: &DbConn) -> Vec<Self> {
        users_collections::table
-        .filter(users_collections::collection_uuid.eq(collection_uuid))
-        .select(users_collections::all_columns)
-        .load::<Self>(&**conn).expect("Error loading users_collections")
+            .filter(users_collections::collection_uuid.eq(collection_uuid))
+            .select(users_collections::all_columns)
+            .load::<Self>(&**conn)
+            .expect("Error loading users_collections")
    }

    pub fn find_by_collection_and_user(collection_uuid: &str, user_uuid: &str, conn: &DbConn) -> Option<Self> {
        users_collections::table
-        .filter(users_collections::collection_uuid.eq(collection_uuid))
-        .filter(users_collections::user_uuid.eq(user_uuid))
-        .select(users_collections::all_columns)
-        .first::<Self>(&**conn).ok()
-    }
-
-    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        CollectionUser::find_by_collection(&collection_uuid, conn)
-        .iter()
-        .for_each(|collection| {
-            User::update_uuid_revision(&collection.user_uuid, conn)
-        });
-
-        diesel::delete(users_collections::table
            .filter(users_collections::collection_uuid.eq(collection_uuid))
-        ).execute(&**conn).and(Ok(()))
+            .filter(users_collections::user_uuid.eq(user_uuid))
+            .select(users_collections::all_columns)
+            .first::<Self>(&**conn)
+            .ok()
    }

-    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        CollectionUser::find_by_collection(&collection_uuid, conn)
+            .iter()
+            .for_each(|collection| {
+                User::update_uuid_revision(&collection.user_uuid, conn);
+            });
+
+        diesel::delete(users_collections::table.filter(users_collections::collection_uuid.eq(collection_uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting users from collection")
+    }
+
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&user_uuid, conn);

-        diesel::delete(users_collections::table
-            .filter(users_collections::user_uuid.eq(user_uuid))
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(users_collections::table.filter(users_collections::user_uuid.eq(user_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing user from collections")
    }
 }

-use super::Cipher; 
+use super::Cipher;

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "ciphers_collections"]
@@ -254,30 +277,43 @@ pub struct CollectionCipher {

 /// Database methods
 impl CollectionCipher {
-    pub fn save(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        Self::update_users_revision(&collection_uuid, conn);
        diesel::replace_into(ciphers_collections::table)
            .values((
                ciphers_collections::cipher_uuid.eq(cipher_uuid),
                ciphers_collections::collection_uuid.eq(collection_uuid),
-            )).execute(&**conn).and(Ok(()))
+            ))
+            .execute(&**conn)
+            .map_res("Error adding cipher to collection")
    }

-    pub fn delete(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(ciphers_collections::table
-            .filter(ciphers_collections::cipher_uuid.eq(cipher_uuid))
-            .filter(ciphers_collections::collection_uuid.eq(collection_uuid)))
-            .execute(&**conn).and(Ok(()))
+    pub fn delete(cipher_uuid: &str, collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        Self::update_users_revision(&collection_uuid, conn);
+        diesel::delete(
+            ciphers_collections::table
+                .filter(ciphers_collections::cipher_uuid.eq(cipher_uuid))
+                .filter(ciphers_collections::collection_uuid.eq(collection_uuid)),
+        )
+        .execute(&**conn)
+        .map_res("Error deleting cipher from collection")
    }

-    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(ciphers_collections::table
-            .filter(ciphers_collections::cipher_uuid.eq(cipher_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(ciphers_collections::table.filter(ciphers_collections::cipher_uuid.eq(cipher_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing cipher from collections")
    }

-    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(ciphers_collections::table
-            .filter(ciphers_collections::collection_uuid.eq(collection_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_collection(collection_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(ciphers_collections::table.filter(ciphers_collections::collection_uuid.eq(collection_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing ciphers from collection")
    }
-}
+
+    pub fn update_users_revision(collection_uuid: &str, conn: &DbConn) {
+        if let Some(collection) = Collection::find_by_uuid(collection_uuid, conn) {
+            collection.update_users_revision(conn);
+        }
+    }
+}
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -15,7 +15,7 @@ pub struct Device {

    pub name: String,
    /// https://github.com/bitwarden/core/tree/master/src/Core/Enums
-    pub type_: i32,
+    pub atype: i32,
    pub push_token: Option<String>,

    pub refresh_token: String,
@@ -25,7 +25,7 @@ pub struct Device {

 /// Local methods
 impl Device {
-    pub fn new(uuid: String, user_uuid: String, name: String, type_: i32) -> Self {
+    pub fn new(uuid: String, user_uuid: String, name: String, atype: i32) -> Self {
        let now = Utc::now().naive_utc();

        Self {
@@ -35,7 +35,7 @@ impl Device {

            user_uuid,
            name,
-            type_,
+            atype,

            push_token: None,
            refresh_token: String::new(),
@@ -44,8 +44,8 @@ impl Device {
    }

    pub fn refresh_twofactor_remember(&mut self) -> String {
-        use data_encoding::BASE64;
        use crate::crypto;
+        use data_encoding::BASE64;

        let twofactor_remember = BASE64.encode(&crypto::get_random(vec![0u8; 180]));
        self.twofactor_remember = Some(twofactor_remember.clone());
@@ -57,12 +57,11 @@ impl Device {
        self.twofactor_remember = None;
    }

-
    pub fn refresh_tokens(&mut self, user: &super::User, orgs: Vec<super::UserOrganization>) -> (String, i64) {
        // If there is no refresh token, we create one
        if self.refresh_token.is_empty() {
-            use data_encoding::BASE64URL;
            use crate::crypto;
+            use data_encoding::BASE64URL;

            self.refresh_token = BASE64URL.encode(&crypto::get_random_64());
        }
@@ -71,18 +70,18 @@ impl Device {
        let time_now = Utc::now().naive_utc();
        self.updated_at = time_now;

-        let orgowner: Vec<_> = orgs.iter().filter(|o| o.type_ == 0).map(|o| o.org_uuid.clone()).collect();
-        let orgadmin: Vec<_> = orgs.iter().filter(|o| o.type_ == 1).map(|o| o.org_uuid.clone()).collect();
-        let orguser: Vec<_> = orgs.iter().filter(|o| o.type_ == 2).map(|o| o.org_uuid.clone()).collect();
-        let orgmanager: Vec<_> = orgs.iter().filter(|o| o.type_ == 3).map(|o| o.org_uuid.clone()).collect();
+        let orgowner: Vec<_> = orgs.iter().filter(|o| o.atype == 0).map(|o| o.org_uuid.clone()).collect();
+        let orgadmin: Vec<_> = orgs.iter().filter(|o| o.atype == 1).map(|o| o.org_uuid.clone()).collect();
+        let orguser: Vec<_> = orgs.iter().filter(|o| o.atype == 2).map(|o| o.org_uuid.clone()).collect();
+        let orgmanager: Vec<_> = orgs.iter().filter(|o| o.atype == 3).map(|o| o.org_uuid.clone()).collect();


        // Create the JWT claims struct, to send to the client
-        use crate::auth::{encode_jwt, JWTClaims, DEFAULT_VALIDITY, JWT_ISSUER};
-        let claims = JWTClaims {
+        use crate::auth::{encode_jwt, LoginJWTClaims, DEFAULT_VALIDITY, JWT_LOGIN_ISSUER};
+        let claims = LoginJWTClaims {
            nbf: time_now.timestamp(),
            exp: (time_now + *DEFAULT_VALIDITY).timestamp(),
-            iss: JWT_ISSUER.to_string(),
+            iss: JWT_LOGIN_ISSUER.to_string(),
            sub: user.uuid.to_string(),

            premium: true,
@@ -105,34 +104,33 @@ impl Device {
    }
 }

+use crate::db::schema::devices;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use crate::db::DbConn;
-use crate::db::schema::devices;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Device {
-    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
        self.updated_at = Utc::now().naive_utc();

        crate::util::retry(
-            || {
-                diesel::replace_into(devices::table)
-                    .values(&*self)
-                    .execute(&**conn)
-            },
+            || diesel::replace_into(devices::table).values(&*self).execute(&**conn),
            10,
        )
-        .and(Ok(()))
+        .map_res("Error saving device")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(devices::table.filter(
-            devices::uuid.eq(self.uuid)
-        )).execute(&**conn).and(Ok(()))
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(devices::table.filter(devices::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error removing device")
    }

-    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
        for device in Self::find_by_user(user_uuid, &conn) {
            device.delete(&conn)?;
        }
@@ -142,18 +140,21 @@ impl Device {
    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        devices::table
            .filter(devices::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_refresh_token(refresh_token: &str, conn: &DbConn) -> Option<Self> {
        devices::table
            .filter(devices::refresh_token.eq(refresh_token))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        devices::table
            .filter(devices::user_uuid.eq(user_uuid))
-            .load::<Self>(&**conn).expect("Error loading devices")
+            .load::<Self>(&**conn)
+            .expect("Error loading devices")
    }
 }
--- a/src/db/models/folder.rs
+++ b/src/db/models/folder.rs
@@ -1,7 +1,7 @@
 use chrono::{NaiveDateTime, Utc};
 use serde_json::Value;

-use super::{User, Cipher};
+use super::{Cipher, User};

 #[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
 #[table_name = "folders"]
@@ -61,33 +61,36 @@ impl FolderCipher {
    }
 }

+use crate::db::schema::{folders, folders_ciphers};
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use crate::db::DbConn;
-use crate::db::schema::{folders, folders_ciphers};
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Folder {
-    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(&mut self, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&self.user_uuid, conn);
        self.updated_at = Utc::now().naive_utc();

        diesel::replace_into(folders::table)
-            .values(&*self).execute(&**conn).and(Ok(()))
+            .values(&*self)
+            .execute(&**conn)
+            .map_res("Error saving folder")
    }

-    pub fn delete(&self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(&self, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&self.user_uuid, conn);
        FolderCipher::delete_all_by_folder(&self.uuid, &conn)?;

-        diesel::delete(
-            folders::table.filter(
-                folders::uuid.eq(&self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(folders::table.filter(folders::uuid.eq(&self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting folder")
    }

-    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
        for folder in Self::find_by_user(user_uuid, &conn) {
            folder.delete(&conn)?;
        }
@@ -97,52 +100,60 @@ impl Folder {
    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        folders::table
            .filter(folders::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        folders::table
            .filter(folders::user_uuid.eq(user_uuid))
-            .load::<Self>(&**conn).expect("Error loading folders")
+            .load::<Self>(&**conn)
+            .expect("Error loading folders")
    }
 }

 impl FolderCipher {
-    pub fn save(&self, conn: &DbConn) -> QueryResult<()> {
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
        diesel::replace_into(folders_ciphers::table)
-        .values(&*self)
-        .execute(&**conn).and(Ok(()))
+            .values(&*self)
+            .execute(&**conn)
+            .map_res("Error adding cipher to folder")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(folders_ciphers::table
-            .filter(folders_ciphers::cipher_uuid.eq(self.cipher_uuid))
-            .filter(folders_ciphers::folder_uuid.eq(self.folder_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(
+            folders_ciphers::table
+                .filter(folders_ciphers::cipher_uuid.eq(self.cipher_uuid))
+                .filter(folders_ciphers::folder_uuid.eq(self.folder_uuid)),
+        )
+        .execute(&**conn)
+        .map_res("Error removing cipher from folder")
    }

-    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(folders_ciphers::table
-            .filter(folders_ciphers::cipher_uuid.eq(cipher_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_cipher(cipher_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(folders_ciphers::table.filter(folders_ciphers::cipher_uuid.eq(cipher_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing cipher from folders")
    }

-    pub fn delete_all_by_folder(folder_uuid: &str, conn: &DbConn) -> QueryResult<()> {
-        diesel::delete(folders_ciphers::table
-            .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
-        ).execute(&**conn).and(Ok(()))
+    pub fn delete_all_by_folder(folder_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(folders_ciphers::table.filter(folders_ciphers::folder_uuid.eq(folder_uuid)))
+            .execute(&**conn)
+            .map_res("Error removing ciphers from folder")
    }

    pub fn find_by_folder_and_cipher(folder_uuid: &str, cipher_uuid: &str, conn: &DbConn) -> Option<Self> {
        folders_ciphers::table
            .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
            .filter(folders_ciphers::cipher_uuid.eq(cipher_uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_folder(folder_uuid: &str, conn: &DbConn) -> Vec<Self> {
        folders_ciphers::table
            .filter(folders_ciphers::folder_uuid.eq(folder_uuid))
-            .load::<Self>(&**conn).expect("Error loading folders")
+            .load::<Self>(&**conn)
+            .expect("Error loading folders")
    }
 }
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -10,10 +10,10 @@ mod two_factor;

 pub use self::attachment::Attachment;
 pub use self::cipher::Cipher;
+pub use self::collection::{Collection, CollectionCipher, CollectionUser};
 pub use self::device::Device;
 pub use self::folder::{Folder, FolderCipher};
-pub use self::user::{User, Invitation};
 pub use self::organization::Organization;
-pub use self::organization::{UserOrganization, UserOrgStatus, UserOrgType};
-pub use self::collection::{Collection, CollectionUser, CollectionCipher};
-pub use self::two_factor::{TwoFactor, TwoFactorType};
+pub use self::organization::{UserOrgStatus, UserOrgType, UserOrganization};
+pub use self::two_factor::{TwoFactor, TwoFactorType};
+pub use self::user::{Invitation, User};
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -1,7 +1,7 @@
-use std::cmp::Ordering;
 use serde_json::Value;
+use std::cmp::Ordering;

-use super::{User, CollectionUser, Invitation};
+use super::{CollectionUser, User};

 #[derive(Debug, Identifiable, Queryable, Insertable)]
 #[table_name = "organizations"]
@@ -21,9 +21,9 @@ pub struct UserOrganization {
    pub org_uuid: String,

    pub access_all: bool,
-    pub key: String,
+    pub akey: String,
    pub status: i32,
-    pub type_: i32,
+    pub atype: i32,
 }

 pub enum UserOrgStatus {
@@ -32,9 +32,7 @@ pub enum UserOrgStatus {
    Confirmed = 2,
 }

-#[derive(Copy, Clone)]
-#[derive(PartialEq)]
-#[derive(Eq)]
+#[derive(Copy, Clone, PartialEq, Eq)]
 pub enum UserOrgType {
    Owner = 0,
    Admin = 1,
@@ -51,13 +49,13 @@ impl Ord for UserOrgType {
                UserOrgType::Owner => Ordering::Greater,
                UserOrgType::Admin => match other {
                    UserOrgType::Owner => Ordering::Less,
-                    _ => Ordering::Greater
+                    _ => Ordering::Greater,
                },
                UserOrgType::Manager => match other {
                    UserOrgType::Owner | UserOrgType::Admin => Ordering::Less,
-                    _ => Ordering::Greater
+                    _ => Ordering::Greater,
                },
-                UserOrgType::User => Ordering::Less
+                UserOrgType::User => Ordering::Less,
            }
        }
    }
@@ -78,7 +76,7 @@ impl PartialEq<i32> for UserOrgType {
 impl PartialOrd<i32> for UserOrgType {
    fn partial_cmp(&self, other: &i32) -> Option<Ordering> {
        if let Some(other) = Self::from_i32(*other) {
-            return Some(self.cmp(&other))
+            return Some(self.cmp(&other));
        }
        None
    }
@@ -96,7 +94,6 @@ impl PartialOrd<i32> for UserOrgType {
            _ => true,
        }
    }
-
 }

 impl PartialEq<UserOrgType> for i32 {
@@ -108,7 +105,7 @@ impl PartialEq<UserOrgType> for i32 {
 impl PartialOrd<UserOrgType> for i32 {
    fn partial_cmp(&self, other: &UserOrgType) -> Option<Ordering> {
        if let Some(self_type) = UserOrgType::from_i32(*self) {
-            return Some(self_type.cmp(other))
+            return Some(self_type.cmp(other));
        }
        None
    }
@@ -126,7 +123,6 @@ impl PartialOrd<UserOrgType> for i32 {
            _ => false,
        }
    }
-
 }

 impl UserOrgType {
@@ -149,13 +145,10 @@ impl UserOrgType {
            _ => None,
        }
    }
-
 }

 /// Local methods
 impl Organization {
-    pub const VIRTUAL_ID: &'static str = "00000000-0000-0000-0000-000000000000";
-
    pub fn new(name: String, billing_email: String) -> Self {
        Self {
            uuid: crate::util::get_uuid(),
@@ -165,14 +158,6 @@ impl Organization {
        }
    }

-    pub fn new_virtual() -> Self {
-        Self {
-            uuid: String::from(Organization::VIRTUAL_ID),
-            name: String::from("bitwarden_rs"),
-            billing_email: String::from("none@none.none")
-        }
-    }
-
    pub fn to_json(&self) -> Value {
        json!({
            "Id": self.uuid,
@@ -211,75 +196,53 @@ impl UserOrganization {
            org_uuid,

            access_all: false,
-            key: String::new(),
+            akey: String::new(),
            status: UserOrgStatus::Accepted as i32,
-            type_: UserOrgType::User as i32,
-        }
-    }
-
-    pub fn new_virtual(user_uuid: String, type_: UserOrgType, status: UserOrgStatus) -> Self {
-        Self {
-            uuid: user_uuid.clone(),
-
-            user_uuid,
-            org_uuid: String::from(Organization::VIRTUAL_ID),
-
-            access_all: true,
-            key: String::new(),
-            status: status as i32,
-            type_: type_ as i32,
+            atype: UserOrgType::User as i32,
        }
    }
 }

-
+use crate::db::schema::{ciphers_collections, organizations, users_collections, users_organizations};
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use crate::db::DbConn;
-use crate::db::schema::{organizations, users_organizations, users_collections, ciphers_collections};
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl Organization {
-    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
-        if self.uuid == Organization::VIRTUAL_ID {
-            return Err(diesel::result::Error::NotFound)
-        }
-
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
        UserOrganization::find_by_org(&self.uuid, conn)
-        .iter()
-        .for_each(|user_org| {
-            User::update_uuid_revision(&user_org.user_uuid, conn);
-        });
+            .iter()
+            .for_each(|user_org| {
+                User::update_uuid_revision(&user_org.user_uuid, conn);
+            });

        diesel::replace_into(organizations::table)
-            .values(&*self).execute(&**conn).and(Ok(()))
+            .values(self)
+            .execute(&**conn)
+            .map_res("Error saving organization")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
        use super::{Cipher, Collection};

-        if self.uuid == Organization::VIRTUAL_ID {
-            return Err(diesel::result::Error::NotFound)
-        }
-
        Cipher::delete_all_by_organization(&self.uuid, &conn)?;
        Collection::delete_all_by_organization(&self.uuid, &conn)?;
        UserOrganization::delete_all_by_organization(&self.uuid, &conn)?;

-        diesel::delete(
-            organizations::table.filter(
-                organizations::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(organizations::table.filter(organizations::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error saving organization")
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
-        if uuid == Organization::VIRTUAL_ID { 
-            return Some(Self::new_virtual()) 
-        };
        organizations::table
            .filter(organizations::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }
 }

@@ -303,9 +266,9 @@ impl UserOrganization {
            "MaxStorageGb": 10, // The value doesn't matter, we don't check server-side

            // These are per user
-            "Key": self.key,
+            "Key": self.akey,
            "Status": self.status,
-            "Type": self.type_,
+            "Type": self.atype,
            "Enabled": true,

            "Object": "profileOrganization",
@@ -322,34 +285,29 @@ impl UserOrganization {
            "Email": user.email,

            "Status": self.status,
-            "Type": self.type_,
+            "Type": self.atype,
            "AccessAll": self.access_all,

            "Object": "organizationUserUserDetails",
        })
    }

-    pub fn to_json_collection_user_details(&self, read_only: bool, conn: &DbConn) -> Value {
-        let user = User::find_by_uuid(&self.user_uuid, conn).unwrap();
-
+    pub fn to_json_collection_user_details(&self, read_only: bool) -> Value {
        json!({
-            "OrganizationUserId": self.uuid,
-            "AccessAll": self.access_all,
-            "Name": user.name,
-            "Email": user.email,
-            "Type": self.type_,
-            "Status": self.status,
-            "ReadOnly": read_only,
-            "Object": "collectionUser",
+            "Id": self.uuid,
+            "ReadOnly": read_only
        })
    }

-    pub fn to_json_details(&self, conn: &DbConn) -> Value {        
-        let coll_uuids = if self.access_all { 
+    pub fn to_json_details(&self, conn: &DbConn) -> Value {
+        let coll_uuids = if self.access_all {
            vec![] // If we have complete access, no need to fill the array
        } else {
            let collections = CollectionUser::find_by_organization_and_user_uuid(&self.org_uuid, &self.user_uuid, conn);
-            collections.iter().map(|c| json!({"Id": c.collection_uuid, "ReadOnly": c.read_only})).collect()
+            collections
+                .iter()
+                .map(|c| json!({"Id": c.collection_uuid, "ReadOnly": c.read_only}))
+                .collect()
        };

        json!({
@@ -357,7 +315,7 @@ impl UserOrganization {
            "UserId": self.user_uuid,

            "Status": self.status,
-            "Type": self.type_,
+            "Type": self.atype,
            "AccessAll": self.access_all,
            "Collections": coll_uuids,

@@ -365,39 +323,33 @@ impl UserOrganization {
        })
    }

-    pub fn save(&mut self, conn: &DbConn) -> QueryResult<()> {
-        if self.org_uuid == Organization::VIRTUAL_ID {
-            return Err(diesel::result::Error::NotFound)
-        }
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&self.user_uuid, conn);

        diesel::replace_into(users_organizations::table)
-            .values(&*self).execute(&**conn).and(Ok(()))
+            .values(self)
+            .execute(&**conn)
+            .map_res("Error adding user to organization")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<()> {
-        if self.org_uuid == Organization::VIRTUAL_ID {
-            return Err(diesel::result::Error::NotFound)
-        }
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
        User::update_uuid_revision(&self.user_uuid, conn);

        CollectionUser::delete_all_by_user(&self.user_uuid, &conn)?;

-        diesel::delete(
-            users_organizations::table.filter(
-                users_organizations::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn).and(Ok(()))
+        diesel::delete(users_organizations::table.filter(users_organizations::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error removing user from organization")
    }

-    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_organization(org_uuid: &str, conn: &DbConn) -> EmptyResult {
        for user_org in Self::find_by_org(&org_uuid, &conn) {
            user_org.delete(&conn)?;
        }
        Ok(())
    }

-    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> QueryResult<()> {
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
        for user_org in Self::find_any_state_by_user(&user_uuid, &conn) {
            user_org.delete(&conn)?;
        }
@@ -405,73 +357,68 @@ impl UserOrganization {
    }

    pub fn has_full_access(self) -> bool {
-        self.access_all || self.type_ >= UserOrgType::Admin
+        self.access_all || self.atype >= UserOrgType::Admin
    }

    pub fn find_by_uuid(uuid: &str, conn: &DbConn) -> Option<Self> {
        users_organizations::table
            .filter(users_organizations::uuid.eq(uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_uuid_and_org(uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
        users_organizations::table
            .filter(users_organizations::uuid.eq(uuid))
            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        users_organizations::table
            .filter(users_organizations::user_uuid.eq(user_uuid))
            .filter(users_organizations::status.eq(UserOrgStatus::Confirmed as i32))
-            .load::<Self>(&**conn).unwrap_or_default()
+            .load::<Self>(&**conn)
+            .unwrap_or_default()
    }

    pub fn find_invited_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        users_organizations::table
            .filter(users_organizations::user_uuid.eq(user_uuid))
            .filter(users_organizations::status.eq(UserOrgStatus::Invited as i32))
-            .load::<Self>(&**conn).unwrap_or_default()
+            .load::<Self>(&**conn)
+            .unwrap_or_default()
    }

    pub fn find_any_state_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        users_organizations::table
            .filter(users_organizations::user_uuid.eq(user_uuid))
-            .load::<Self>(&**conn).unwrap_or_default()
+            .load::<Self>(&**conn)
+            .unwrap_or_default()
    }

    pub fn find_by_org(org_uuid: &str, conn: &DbConn) -> Vec<Self> {
-        if org_uuid == Organization::VIRTUAL_ID {
-            User::get_all(&*conn).iter().map(|user| {
-                Self::new_virtual(
-                    user.uuid.clone(),
-                    UserOrgType::User,
-                    if Invitation::find_by_mail(&user.email, &conn).is_some() {
-                        UserOrgStatus::Invited
-                    } else {
-                        UserOrgStatus::Confirmed
-                    })
-            }).collect()
-        } else {
-            users_organizations::table
-                .filter(users_organizations::org_uuid.eq(org_uuid))
-                .load::<Self>(&**conn).expect("Error loading user organizations")
-        }
-    }
-
-    pub fn find_by_org_and_type(org_uuid: &str, type_: i32, conn: &DbConn) -> Vec<Self> {
        users_organizations::table
            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .filter(users_organizations::type_.eq(type_))
-            .load::<Self>(&**conn).expect("Error loading user organizations")
+            .load::<Self>(&**conn)
+            .expect("Error loading user organizations")
+    }
+
+    pub fn find_by_org_and_type(org_uuid: &str, atype: i32, conn: &DbConn) -> Vec<Self> {
+        users_organizations::table
+            .filter(users_organizations::org_uuid.eq(org_uuid))
+            .filter(users_organizations::atype.eq(atype))
+            .load::<Self>(&**conn)
+            .expect("Error loading user organizations")
    }

    pub fn find_by_user_and_org(user_uuid: &str, org_uuid: &str, conn: &DbConn) -> Option<Self> {
        users_organizations::table
            .filter(users_organizations::user_uuid.eq(user_uuid))
            .filter(users_organizations::org_uuid.eq(org_uuid))
-            .first::<Self>(&**conn).ok()
+            .first::<Self>(&**conn)
+            .ok()
    }

    pub fn find_by_cipher_and_org(cipher_uuid: &str, org_uuid: &str, conn: &DbConn) -> Vec<Self> {
@@ -508,7 +455,4 @@ impl UserOrganization {
        .select(users_organizations::all_columns)
        .load::<Self>(&**conn).expect("Error loading user organizations")
    }
-
 }
-
-
--- a/src/db/models/two_factor.rs
+++ b/src/db/models/two_factor.rs
@@ -9,13 +9,13 @@ use super::User;
 pub struct TwoFactor {
    pub uuid: String,
    pub user_uuid: String,
-    pub type_: i32,
+    pub atype: i32,
    pub enabled: bool,
    pub data: String,
 }

 #[allow(dead_code)]
-#[derive(FromPrimitive, ToPrimitive)]
+#[derive(FromPrimitive)]
 pub enum TwoFactorType {
    Authenticator = 0,
    Email = 1,
@@ -32,31 +32,16 @@ pub enum TwoFactorType {

 /// Local methods
 impl TwoFactor {
-    pub fn new(user_uuid: String, type_: TwoFactorType, data: String) -> Self {
+    pub fn new(user_uuid: String, atype: TwoFactorType, data: String) -> Self {
        Self {
            uuid: crate::util::get_uuid(),
            user_uuid,
-            type_: type_ as i32,
+            atype: atype as i32,
            enabled: true,
            data,
        }
    }

-    pub fn check_totp_code(&self, totp_code: u64) -> bool {
-        let totp_secret = self.data.as_bytes();
-
-        use data_encoding::BASE32;
-        use oath::{totp_raw_now, HashType};
-
-        let decoded_secret = match BASE32.decode(totp_secret) {
-            Ok(s) => s,
-            Err(_) => return false
-        };
-
-        let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
-        generated == totp_code
-    }
-
    pub fn to_json(&self) -> Value {
        json!({
            "Enabled": self.enabled,
@@ -68,43 +53,54 @@ impl TwoFactor {
    pub fn to_json_list(&self) -> Value {
        json!({
            "Enabled": self.enabled,
-            "Type": self.type_,
+            "Type": self.atype,
            "Object": "twoFactorProvider"
        })
    }
 }

+use crate::db::schema::twofactor;
+use crate::db::DbConn;
 use diesel;
 use diesel::prelude::*;
-use crate::db::DbConn;
-use crate::db::schema::twofactor;
+
+use crate::api::EmptyResult;
+use crate::error::MapResult;

 /// Database methods
 impl TwoFactor {
-    pub fn save(&self, conn: &DbConn) -> QueryResult<usize> {
+    pub fn save(&self, conn: &DbConn) -> EmptyResult {
        diesel::replace_into(twofactor::table)
            .values(self)
            .execute(&**conn)
+            .map_res("Error saving twofactor")
    }

-    pub fn delete(self, conn: &DbConn) -> QueryResult<usize> {
-        diesel::delete(
-            twofactor::table.filter(
-                twofactor::uuid.eq(self.uuid)
-            )
-        ).execute(&**conn)
+    pub fn delete(self, conn: &DbConn) -> EmptyResult {
+        diesel::delete(twofactor::table.filter(twofactor::uuid.eq(self.uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting twofactor")
    }

    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
        twofactor::table
            .filter(twofactor::user_uuid.eq(user_uuid))
-            .load::<Self>(&**conn).expect("Error loading twofactor")
+            .filter(twofactor::atype.lt(1000)) // Filter implementation types
+            .load::<Self>(&**conn)
+            .expect("Error loading twofactor")
    }

-    pub fn find_by_user_and_type(user_uuid: &str, type_: i32, conn: &DbConn) -> Option<Self> {
+    pub fn find_by_user_and_type(user_uuid: &str, atype: i32, conn: &DbConn) -> Option<Self> {
        twofactor::table
            .filter(twofactor::user_uuid.eq(user_uuid))
-            .filter(twofactor::type_.eq(type_))
-            .first::<Self>(&**conn).ok()
+            .filter(twofactor::atype.eq(atype))
+            .first::<Self>(&**conn)
+            .ok()
    }
-}
+
+    pub fn delete_all_by_user(user_uuid: &str, conn: &DbConn) -> EmptyResult {
+        diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(user_uuid)))
+            .execute(&**conn)
+            .map_res("Error deleting twofactors")
+    }
+}
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				-- This file should undo anything in `up.sql`