Crate and GHA updates (#7081 )

Signed-off-by: BlackDex <black.dex@gmail.com>
Fix windows build issues (#7065 )
2026-06-01 00:00:15 +03:00 · 2026-04-11 20:27:07 +02:00 · 2026-04-08 15:35:18 +02:00 · 2026-04-05 22:43:58 +02:00 · 2026-04-05 22:43:06 +02:00 · 2026-04-05 22:41:14 +02:00
88 changed files with 7277 additions and 8388 deletions
@@ -183,9 +183,9 @@
 ## Defaults to every minute. Set blank to disable this job.
 # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
 #
-## Cron schedule of the job that cleans sso nonce from incomplete flow
+## Cron schedule of the job that cleans sso auth from incomplete flow
 ## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
-# PURGE_INCOMPLETE_SSO_NONCE="0 20 0 * * *"
+# PURGE_INCOMPLETE_SSO_AUTH="0 20 0 * * *"
 ########################
 ### General settings ###
@@ -348,7 +348,7 @@
 ## Default: 2592000 (30 days)
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
-## Default: 2592000 (3 days)
+## Default: 259200 (3 days)
 # ICON_CACHE_NEGTTL=259200
 ## Icon download timeout
@@ -372,15 +372,22 @@
 ## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
 ##
 ## The following flags are available:
-## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+## - "pm-5594-safari-account-switching": Enable account switching in Safari. (Safari >= 2026.2.0)
-## - "inline-menu-totp": Enable the use of inline menu TOTP codes in the browser extension.
+## - "ssh-agent": Enable SSH agent support on Desktop. (Desktop >= 2024.12.0)
-## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+## - "ssh-agent-v2": Enable newer SSH agent support. (Desktop >= 2026.2.1)
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Clients >= 2024.12.0)
-## - "export-attachments": Enable support for exporting attachments (Clients >=2025.4.0)
+## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Desktop >= 2025.11.0)
-## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
+## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
-## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
+## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
-## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Clients >= 2025.2.0)
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
+## - "cxp-import-mobile": Enable the import via CXP on iOS (Clients >= 2025.9.2)
 ## - "cxp-export-mobile": Enable the export via CXP on iOS (Clients >= 2025.9.2)
 ## - "pm-30529-webauthn-related-origins":
 ## - "desktop-ui-migration-milestone-1": Special feature flag for desktop UI (Desktop >= 2026.2.0)
 ## - "desktop-ui-migration-milestone-2": Special feature flag for desktop UI (Desktop >= 2026.2.0)
 ## - "desktop-ui-migration-milestone-3": Special feature flag for desktop UI (Desktop >= 2026.2.0)
 ## - "desktop-ui-migration-milestone-4": Special feature flag for desktop UI (Desktop >= 2026.2.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=
 ## Require new device emails. When a user logs in an email is required to be sent.
 ## If sending the email fails the login attempt will fail!!
@@ -471,6 +478,11 @@
 ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
 # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
 ## Prefer IPv6 (AAAA) resolving
 ## This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
 ## This could be useful in IPv6 only environments.
 # DNS_PREFER_IPV6=false
 #####################################
 ### SSO settings (OpenID Connect) ###
 #####################################
@@ -1,6 +1,10 @@
 name: Build
 permissions: {}
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 on:
  push:
    paths:
@@ -30,6 +34,10 @@ on:
      - "docker/DockerSettings.yaml"
      - "macros/**"
 defaults:
  run:
    shell: bash
 jobs:
  build:
    name: Build and Test ${{ matrix.channel }}
@@ -54,7 +62,7 @@ jobs:
      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -63,7 +71,6 @@ jobs:
      # Determine rust-toolchain version
      - name: Init Variables
        id: toolchain
        shell: bash
        env:
          CHANNEL: ${{ matrix.channel }}
        run: |
@@ -78,32 +85,23 @@ jobs:
      # End Determine rust-toolchain version
-      # Only install the clippy and rustfmt components on the default rust-toolchain
+      - name: "Install toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
      - name: "Install rust-toolchain version"
        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # master @ Sep 16, 2025, 8:37 PM GMT+2
        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
          components: clippy, rustfmt
      # End Uses the rust-toolchain file to determine version
      # Install the any other channel to be used for which we do not execute clippy and rustfmt
      - name: "Install MSRV version"
        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # master @ Sep 16, 2025, 8:37 PM GMT+2
        if: ${{ matrix.channel != 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
      # End Install the MSRV channel to be used
      # Set the current matrix toolchain version as default
      - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
        env:
          CHANNEL: ${{ matrix.channel }}
          RUST_TOOLCHAIN: ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
        run: |
          # Remove the rust-toolchain.toml
          rm rust-toolchain.toml
-          # Set the default
+
          # Install the correct toolchain version
          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal --no-self-update
          # If this matrix is the `rust-toolchain` flow, also install rustfmt and clippy
          if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then
            rustup component add --toolchain "${RUST_TOOLCHAIN}" rustfmt clippy
          fi
          # Set as the default toolchain
          rustup default "${RUST_TOOLCHAIN}"
      # Show environment
@@ -115,7 +113,7 @@ jobs:
      # Enable Rust Caching
      - name: Rust Caching
-        uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
        with:
          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -1,8 +1,16 @@
 name: Check templates
 permissions: {}
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 on: [ push, pull_request ]
 defaults:
  run:
    shell: bash
 jobs:
  docker-templates:
    name: Validate docker templates
@@ -12,7 +20,7 @@ jobs:
    steps:
      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # End Checkout the repo
@@ -1,8 +1,15 @@
 name: Hadolint
 on: [ push, pull_request ]
 permissions: {}
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 on: [ push, pull_request ]
 defaults:
  run:
    shell: bash
 jobs:
  hadolint:
@@ -13,7 +20,7 @@ jobs:
    steps:
      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -25,7 +32,6 @@ jobs:
      # Download hadolint - https://github.com/hadolint/hadolint/releases
      - name: Download hadolint
        shell: bash
        run: |
          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
          sudo chmod +x /usr/local/bin/hadolint
@@ -34,20 +40,18 @@ jobs:
      # End Download hadolint
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # End Checkout the repo
      # Test Dockerfiles with hadolint
      - name: Run hadolint
        shell: bash
        run: hadolint docker/Dockerfile.{debian,alpine}
      # End Test Dockerfiles with hadolint
      # Test Dockerfiles with docker build checks
      - name: Run docker build check
        shell: bash
        run: |
          echo "Checking docker/Dockerfile.debian"
          docker build --check . -f docker/Dockerfile.debian
@@ -1,6 +1,12 @@
 name: Release
 permissions: {}
 concurrency:
  # Apply concurrency control only on the upstream repo
  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
  # Don't cancel other runs when creating a tag
  cancel-in-progress: ${{ github.ref_type == 'branch' }}
 on:
  push:
    branches:
@@ -10,56 +16,55 @@ on:
      # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
      - '[1-2].[0-9]+.[0-9]+'
-concurrency:
+defaults:
-  # Apply concurrency control only on the upstream repo
+  run:
-  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
+    shell: bash
-  # Don't cancel other runs when creating a tag
+
-  cancel-in-progress: ${{ github.ref_type == 'branch' }}
+# A "release" environment must be created in the repository settings
 # (Settings > Environments > New environment) with the following
 # variables and secrets configured as needed.
 #
 # Variables (only set the ones for registries you want to push to):
 #   DOCKERHUB_REPO: 'index.docker.io/<user>/<repo>'
 #   QUAY_REPO: 'quay.io/<user>/<repo>'
 #   GHCR_REPO: 'ghcr.io/<user>/<repo>'
 #
 # Secrets (only required when the corresponding *_REPO variable is set):
 #   DOCKERHUB_REPO => DOCKERHUB_USERNAME, DOCKERHUB_TOKEN
 #   QUAY_REPO      => QUAY_USERNAME, QUAY_TOKEN
 #   GITHUB_TOKEN is provided automatically
 jobs:
  docker-build:
    name: Build Vaultwarden containers
    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
    environment: 
      name: release
      deployment: false
    permissions:
      packages: write # Needed to upload packages and artifacts
      contents: read
      attestations: write # Needed to generate an artifact attestation for a build
      id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
-    runs-on: ubuntu-24.04
+    runs-on: ${{ contains(matrix.arch, 'arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
    timeout-minutes: 120
    # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them
    services:
      registry:
        image: registry@sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0
        ports:
          - 5000:5000
    env:
      SOURCE_COMMIT: ${{ github.sha }}
      SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
      # The *_REPO variables need to be configured as repository variables
      # Append `/settings/variables/actions` to your repo url
      # DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
      # Check for Docker hub credentials in secrets
      HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
      # GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
      # Check for Github credentials in secrets
      HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
      # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
      # Check for Quay.io credentials in secrets
      HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
    strategy:
      matrix:
        arch: ["amd64", "arm64", "arm/v7", "arm/v6"]
        base_image: ["debian","alpine"]
    steps:
      - name: Initialize QEMU binfmt support
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
        with:
          platforms: "arm64,arm"
      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -72,25 +77,24 @@ jobs:
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        # We need fetch-depth of 0 so we also get all the tag metadata
        with:
          persist-credentials: false
          fetch-depth: 0
-      # Determine Base Tags and Source Version
+      # Normalize the architecture string for use in paths and cache keys
-      - name: Determine Base Tags and Source Version
+      - name: Normalize architecture string
        shell: bash
        env:
-          REF_TYPE: ${{ github.ref_type }}
+          MATRIX_ARCH: ${{ matrix.arch }}
        run: |
-          # Check which main tag we are going to build determined by ref_type
+          # Replace slashes with nothing to create a safe string for paths/cache keys
-          if [[ "${REF_TYPE}" == "tag" ]]; then
+          NORMALIZED_ARCH="${MATRIX_ARCH//\/}"
-            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
+          echo "NORMALIZED_ARCH=${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}"
          elif [[ "${REF_TYPE}" == "branch" ]]; then
            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
          fi
      # Determine Source Version
      - name: Determine Source Version
        run: |
          # Get the Source Version for this release
          GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
          if [[ -n "${GIT_EXACT_TAG}" ]]; then
@@ -99,19 +103,17 @@ jobs:
              GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
              echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
          fi
      # End Determine Base Tags
      # Login to Docker Hub
      - name: Login to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        if: ${{ vars.DOCKERHUB_REPO != '' }}
      - name: Add registry for DockerHub
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        if: ${{ vars.DOCKERHUB_REPO != '' }}
        shell: bash
        env:
          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
        run: |
@@ -119,16 +121,15 @@ jobs:
      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        if: ${{ vars.GHCR_REPO != '' }}
      - name: Add registry for ghcr.io
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        if: ${{ vars.GHCR_REPO != '' }}
        shell: bash
        env:
          GHCR_REPO: ${{ vars.GHCR_REPO }}
        run: |
@@ -136,64 +137,74 @@ jobs:
      # Login to Quay.io
      - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        if: ${{ vars.QUAY_REPO != '' }}
      - name: Add registry for Quay.io
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        if: ${{ vars.QUAY_REPO != '' }}
        shell: bash
        env:
          QUAY_REPO: ${{ vars.QUAY_REPO }}
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}"
      - name: Configure build cache from/to
        shell: bash
        env:
          GHCR_REPO: ${{ vars.GHCR_REPO }}
          BASE_IMAGE: ${{ matrix.base_image }}
          NORMALIZED_ARCH: ${{ env.NORMALIZED_ARCH }}
        run: |
          #
          # Check if there is a GitHub Container Registry Login and use it for caching
-          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
+          if [[ -n "${GHCR_REPO}" ]]; then
-            echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}"
-            echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
          else
            echo "BAKE_CACHE_FROM="
            echo "BAKE_CACHE_TO="
          fi
          #
-      - name: Add localhost registry
+      - name: Generate tags
-        shell: bash
+        id: tags
        env:
          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
        run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
+          # Convert comma-separated list to newline-separated set commands
          TAGS=$(echo "${CONTAINER_REGISTRIES}" | tr ',' '\n' | sed "s|.*|*.tags=&|")
          # Output for use in next step
          {
            echo "TAGS<<EOF"
            echo "$TAGS"
            echo "EOF"
          } >> "$GITHUB_ENV"
      - name: Bake ${{ matrix.base_image }} containers
        id: bake_vw
-        uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6.9.0
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        env:
-          BASE_TAGS: "${{ env.BASE_TAGS }}"
+          BASE_TAGS: "${{ steps.determine-version.outputs.BASE_TAGS }}"
          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
          SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
          SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
        with:
          pull: true
          push: true
          source: .
          files: docker/docker-bake.hcl
          targets: "${{ matrix.base_image }}-multi"
          set: |
            *.cache-from=${{ env.BAKE_CACHE_FROM }}
            *.cache-to=${{ env.BAKE_CACHE_TO }}
            *.platform=linux/${{ matrix.arch }}
            ${{ env.TAGS }}
            *.output=type=local,dest=./output
            *.output=type=image,push-by-digest=true,name-canonical=true,push=true
      - name: Extract digest SHA
        shell: bash
        env:
          BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }}
          BASE_IMAGE: ${{ matrix.base_image }}
@@ -201,105 +212,177 @@ jobs:
          GET_DIGEST_SHA="$(jq -r --arg base "$BASE_IMAGE" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"
          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
      - name: Export digest
        env:
          DIGEST_SHA: ${{ env.DIGEST_SHA }}
          RUNNER_TEMP: ${{ runner.temp }}
        run: |
          mkdir -p "${RUNNER_TEMP}"/digests
          digest="${DIGEST_SHA}"
          touch "${RUNNER_TEMP}/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: digests-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1
      - name: Rename binaries to match target platform
        env:
          NORMALIZED_ARCH: ${{ env.NORMALIZED_ARCH }}
        run: |
          mv ./output/vaultwarden vaultwarden-"${NORMALIZED_ARCH}"
      # Upload artifacts to Github Actions and Attest the binaries
      - name: Attest binaries
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }}
      - name: Upload binaries as artifacts
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
          path: vaultwarden-${{ env.NORMALIZED_ARCH }}
  merge-manifests:
    name: Merge manifests
    runs-on: ubuntu-latest
    needs: docker-build
    environment: 
      name: release
      deployment: false
    permissions:
      packages: write # Needed to upload packages and artifacts
      attestations: write # Needed to generate an artifact attestation for a build
      id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
    strategy:
      matrix:
        base_image: ["debian","alpine"]
    steps:
      - name: Download digests
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*-${{ matrix.base_image }}
          merge-multiple: true
      # Login to Docker Hub
      - name: Login to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        if: ${{ vars.DOCKERHUB_REPO != '' }}
      - name: Add registry for DockerHub
        if: ${{ vars.DOCKERHUB_REPO != '' }}
        env:
          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
        run: |
          echo "CONTAINER_REGISTRIES=${DOCKERHUB_REPO}" | tee -a "${GITHUB_ENV}"
      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ vars.GHCR_REPO != '' }}
      - name: Add registry for ghcr.io
        if: ${{ vars.GHCR_REPO != '' }}
        env:
          GHCR_REPO: ${{ vars.GHCR_REPO }}
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${GHCR_REPO}" | tee -a "${GITHUB_ENV}"
      # Login to Quay.io
      - name: Login to Quay.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}
        if: ${{ vars.QUAY_REPO != '' }}
      - name: Add registry for Quay.io
        if: ${{ vars.QUAY_REPO != '' }}
        env:
          QUAY_REPO: ${{ vars.QUAY_REPO }}
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}"
      # Determine Base Tags
      - name: Determine Base Tags
        env:
          BASE_IMAGE_TAG: "${{ matrix.base_image != 'debian' && format('-{0}', matrix.base_image) || '' }}"
          REF_TYPE: ${{ github.ref_type }}
        run: |
          # Check which main tag we are going to build determined by ref_type
          if [[ "${REF_TYPE}" == "tag" ]]; then
            echo "BASE_TAGS=latest${BASE_IMAGE_TAG},${GITHUB_REF#refs/*/}${BASE_IMAGE_TAG}${BASE_IMAGE_TAG//-/,}" | tee -a "${GITHUB_ENV}"
          elif [[ "${REF_TYPE}" == "branch" ]]; then
            echo "BASE_TAGS=testing${BASE_IMAGE_TAG}" | tee -a "${GITHUB_ENV}"
          fi
      - name: Create manifest list, push it and extract digest SHA
        working-directory: ${{ runner.temp }}/digests
        env:
          BASE_TAGS: "${{ env.BASE_TAGS }}"
          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
        run: |
          IFS=',' read -ra IMAGES <<< "${CONTAINER_REGISTRIES}"
          IFS=',' read -ra TAGS <<< "${BASE_TAGS}"
          TAG_ARGS=()
          for img in "${IMAGES[@]}"; do
            for tag in "${TAGS[@]}"; do
              TAG_ARGS+=("-t" "${img}:${tag}")
            done
          done
          echo "Creating manifest"
          if ! OUTPUT=$(docker buildx imagetools create \
                          "${TAG_ARGS[@]}" \
                          $(printf "${IMAGES[0]}@sha256:%s " *) 2>&1); then
            echo "Manifest creation failed"
            echo "${OUTPUT}"
            exit 1
          fi
          echo "Manifest created successfully"
          echo "${OUTPUT}"
          # Extract digest SHA for subsequent steps
          GET_DIGEST_SHA="$(echo "${OUTPUT}" | grep -oE 'sha256:[a-f0-9]{64}' | tail -1)"
          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
      # Attest container images
      - name: Attest - docker.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        if: ${{ vars.DOCKERHUB_REPO != '' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-name: ${{ vars.DOCKERHUB_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true
      - name: Attest - ghcr.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        if: ${{ vars.GHCR_REPO != '' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-name: ${{ vars.GHCR_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true
      - name: Attest - quay.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
+        if: ${{ vars.QUAY_REPO != '' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-name: ${{ vars.QUAY_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true
      # Extract the Alpine binaries from the containers
      - name: Extract binaries
        shell: bash
        env:
          REF_TYPE: ${{ github.ref_type }}
          BASE_IMAGE: ${{ matrix.base_image }}
        run: |
          # Check which main tag we are going to build determined by ref_type
          if [[ "${REF_TYPE}" == "tag" ]]; then
            EXTRACT_TAG="latest"
          elif [[ "${REF_TYPE}" == "branch" ]]; then
            EXTRACT_TAG="testing"
          fi
          # Check which base_image was used and append -alpine if needed
          if [[ "${BASE_IMAGE}" == "alpine" ]]; then
            EXTRACT_TAG="${EXTRACT_TAG}-alpine"
          fi
          # After each extraction the image is removed.
          # This is needed because using different platforms doesn't trigger a new pull/download
          # Extract amd64 binary
          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
          docker cp amd64:/vaultwarden vaultwarden-amd64-${BASE_IMAGE}
          docker rm --force amd64
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
          # Extract arm64 binary
          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
          docker cp arm64:/vaultwarden vaultwarden-arm64-${BASE_IMAGE}
          docker rm --force arm64
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
          # Extract armv7 binary
          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
          docker cp armv7:/vaultwarden vaultwarden-armv7-${BASE_IMAGE}
          docker rm --force armv7
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
          # Extract armv6 binary
          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
          docker cp armv6:/vaultwarden vaultwarden-armv6-${BASE_IMAGE}
          docker rm --force armv6
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
      # Upload artifacts to Github Actions and Attest the binaries
      - name: "Upload amd64 artifact ${{ matrix.base_image }}"
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64-${{ matrix.base_image }}
          path: vaultwarden-amd64-${{ matrix.base_image }}
      - name: "Upload arm64 artifact ${{ matrix.base_image }}"
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64-${{ matrix.base_image }}
          path: vaultwarden-arm64-${{ matrix.base_image }}
      - name: "Upload armv7 artifact ${{ matrix.base_image }}"
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7-${{ matrix.base_image }}
          path: vaultwarden-armv7-${{ matrix.base_image }}
      - name: "Upload armv6 artifact ${{ matrix.base_image }}"
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6-${{ matrix.base_image }}
          path: vaultwarden-armv6-${{ matrix.base_image }}
      - name: "Attest artifacts ${{ matrix.base_image }}"
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
        with:
          subject-path: vaultwarden-*
      # End Upload artifacts to Github Actions
@@ -1,6 +1,10 @@
 name: Cleanup
 permissions: {}
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false
 on:
  workflow_dispatch:
    inputs:
@@ -1,6 +1,10 @@
 name: Trivy
 permissions: {}
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches:
@@ -29,12 +33,12 @@ jobs:
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        env:
          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
@@ -46,6 +50,6 @@ jobs:
          severity: CRITICAL,HIGH
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: 'trivy-results.sarif'
@@ -1,7 +1,11 @@
 name: Code Spell Checking
 permissions: {}
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 on: [ push, pull_request ]
 permissions: {}
 jobs:
  typos:
@@ -12,11 +16,11 @@ jobs:
    steps:
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # End Checkout the repo
      # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
      - name: Spell Check Repo
-        uses: crate-ci/typos@07d900b8fa1097806b8adb6391b0d3e0ac2fdea7 # v1.39.0
+        uses: crate-ci/typos@02ea592e44b3a53c302f697cddca7641cd051c3d # v1.45.0
@@ -1,4 +1,9 @@
 name: Security Analysis with zizmor
 permissions: {}
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 on:
  push:
@@ -6,8 +11,6 @@ on:
  pull_request:
    branches: ["**"]
 permissions: {}
 jobs:
  zizmor:
    name: Run zizmor
@@ -16,12 +19,12 @@ jobs:
      security-events: write # To write the security report
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
        with:
          # intentionally not scanning the entire repository,
          # since it contains integration tests.
@@ -53,6 +53,6 @@ repos:
        - "cd docker && make"
 # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
 - repo: https://github.com/crate-ci/typos
-  rev: 07d900b8fa1097806b8adb6391b0d3e0ac2fdea7 # v1.39.0
+  rev: 02ea592e44b3a53c302f697cddca7641cd051c3d # v1.45.0
  hooks:
    - id: typos
@@ -1,6 +1,6 @@
 [workspace.package]
 edition = "2021"
-rust-version = "1.89.0"
+rust-version = "1.92.0"
 license = "AGPL-3.0-only"
 repository = "https://github.com/dani-garcia/vaultwarden"
 publish = false
@@ -55,9 +55,9 @@ syslog = "7.0.0"
 macros = { path = "./macros" }
 # Logging
-log = "0.4.28"
+log = "0.4.29"
 fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
-tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+tracing = { version = "0.1.44", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
@@ -65,58 +65,59 @@ dotenvy = { version = "0.15.7", default-features = false }
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.9"
+bigdecimal = "0.4.10"
 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
 rocket_ws = { version ="0.1.1" }
 # WebSockets libraries
-rmpv = "1.3.0" # MessagePack library
+rmpv = "1.3.1" # MessagePack library
 # Concurrent HashMap used for WebSocket messaging and favicons
 dashmap = "6.1.0"
 # Async futures
-futures = "0.3.31"
+futures = "0.3.32"
-tokio = { version = "1.48.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.51.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
-tokio-util = { version = "0.7.17", features = ["compat"]}
+tokio-util = { version = "0.7.18", features = ["compat"]}
 # A generic serialization/deserialization framework
 serde = { version = "1.0.228", features = ["derive"] }
-serde_json = "1.0.145"
+serde_json = "1.0.149"
 # A safe, extensible ORM and Query builder
-diesel = { version = "2.3.3", features = ["chrono", "r2d2", "numeric"] }
+# Currently pinned diesel to v2.3.3 as newer version break MySQL/MariaDB compatibility
-diesel_migrations = "2.3.0"
+diesel = { version = "2.3.7", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.3.1"
-derive_more = { version = "2.0.1", features = ["from", "into", "as_ref", "deref", "display"] }
+derive_more = { version = "2.1.1", features = ["from", "into", "as_ref", "deref", "display"] }
 diesel-derive-newtype = "2.1.2"
 # Bundled/Static SQLite
-libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true }
+libsqlite3-sys = { version = "0.36.0", features = ["bundled"], optional = true }
 # Crypto-related libraries
-rand = "0.9.2"
+rand = "0.10.1"
 ring = "0.17.14"
 subtle = "2.6.1"
 # UUID generation
-uuid = { version = "1.18.1", features = ["v4"] }
+uuid = { version = "1.23.0", features = ["v4"] }
 # Date and time libraries
-chrono = { version = "0.4.42", features = ["clock", "serde"], default-features = false }
+chrono = { version = "0.4.44", features = ["clock", "serde"], default-features = false }
 chrono-tz = "0.10.4"
-time = "0.3.44"
+time = "0.3.47"
 # Job scheduler
 job_scheduler_ng = "2.4.0"
 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.9.0"
+data-encoding = "2.10.0"
 # JWT library
-jsonwebtoken = "9.3.1"
+jsonwebtoken = { version = "10.3.0", features = ["use_pem", "rust_crypto"], default-features = false }
 # TOTP library
 totp-lite = "2.0.1"
@@ -127,61 +128,61 @@ yubico = { package = "yubico_ng", version = "0.14.1", features = ["online-tokio"
 # WebAuthn libraries
 # danger-allow-state-serialisation is needed to save the state in the db
 # danger-credential-internals is needed to support U2F to Webauthn migration
-webauthn-rs = { version = "0.5.3", features = ["danger-allow-state-serialisation", "danger-credential-internals"] }
+webauthn-rs = { version = "0.5.4", features = ["danger-allow-state-serialisation", "danger-credential-internals"] }
-webauthn-rs-proto = "0.5.3"
+webauthn-rs-proto = "0.5.4"
-webauthn-rs-core = "0.5.3"
+webauthn-rs-core = "0.5.4"
 # Handling of URL's for WebAuthn and favicons
-url = "2.5.7"
+url = "2.5.8"
 # Email libraries
-lettre = { version = "0.11.19", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false }
+lettre = { version = "0.11.21", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false }
 percent-encoding = "2.3.2" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"
 # HTML Template library
-handlebars = { version = "6.3.2", features = ["dir_source"] }
+handlebars = { version = "6.4.0", features = ["dir_source"] }
 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.24", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
+reqwest = { version = "0.12.28", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
 hickory-resolver = "0.25.2"
 # Favicon extraction libraries
-html5gum = "0.8.0"
+html5gum = "0.8.3"
-regex = { version = "1.12.2", features = ["std", "perf", "unicode-perl"], default-features = false }
+regex = { version = "1.12.3", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.2"
-bytes = "1.10.1"
+bytes = "1.11.1"
-svg-hush = "0.9.5"
+svg-hush = "0.9.6"
 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.56.0", features = ["async"] }
+cached = { version = "0.59.0", features = ["async"] }
 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.22.0"
+cookie_store = "0.22.1"
 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.75"
+openssl = "0.10.76"
 # CLI argument parsing
 pico-args = "0.5.0"
 # Macro ident concatenation
-pastey = "0.1.1"
+pastey = "0.2.1"
-governor = "0.10.1"
+governor = "0.10.4"
 # OIDC for SSO
-openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] }
+openidconnect = { version = "4.0.1", features = ["reqwest", "rustls-tls"] }
-mini-moka = "0.10.3"
+moka = { version = "0.12.15", features = ["future"] }
 # Check client versions for specific features.
-semver = "1.0.27"
+semver = "1.0.28"
 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
 mimalloc = { version = "0.1.48", features = ["secure"], default-features = false, optional = true }
-which = "8.0.0"
+which = "8.0.2"
 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@@ -193,14 +194,14 @@ rpassword = "7.4.0"
 grass_compiler = { version = "0.13.4", default-features = false }
 # File are accessed through Apache OpenDAL
-opendal = { version = "0.54.1", features = ["services-fs"], default-features = false }
+opendal = { version = "0.55.0", features = ["services-fs"], default-features = false }
 # For retrieving AWS credentials, including temporary SSO credentials
-anyhow = { version = "1.0.100", optional = true }
+anyhow = { version = "1.0.102", optional = true }
-aws-config = { version = "1.8.10", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+aws-config = { version = "1.8.15", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.9", optional = true }
+aws-credential-types = { version = "1.2.14", optional = true }
-aws-smithy-runtime-api = { version = "1.9.2", optional = true }
+aws-smithy-runtime-api = { version = "1.11.6", optional = true }
-http = { version = "1.3.1", optional = true }
+http = { version = "1.4.0", optional = true }
 reqsign = { version = "0.16.5", optional = true }
 # Strip debuginfo from the release builds
@@ -1,13 +1,13 @@
 ---
-vault_version: "v2025.10.1"
+vault_version: "v2026.2.0"
-vault_image_digest: "sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa"
+vault_image_digest: "sha256:37c8661fa59dcdfbd3baa8366b6e950ef292b15adfeff1f57812b075c1fd3447"
-# Cross Compile Docker Helper Scripts v1.8.0
+# Cross Compile Docker Helper Scripts v1.9.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
-xx_image_digest: "sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6"
+xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
-rust_version: 1.91.0 # Rust version to be used
+rust_version: 1.94.1 # Rust version to be used
 debian_version: trixie # Debian release name to be used
-alpine_version: "3.22" # Alpine version to be used
+alpine_version: "3.23" # Alpine version to be used
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch
@@ -17,7 +17,6 @@ build_stage_image:
    platform: "$BUILDPLATFORM"
  alpine:
    image: "build_${TARGETARCH}${TARGETVARIANT}"
    platform: "linux/amd64" # The Alpine build images only have linux/amd64 images
    arch_image:
      amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}"
      arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}"
@@ -19,27 +19,27 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.10.1
+#     $ docker pull docker.io/vaultwarden/web-vault:v2026.2.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.10.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.2.0
-#     [docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa]
+#     [docker.io/vaultwarden/web-vault@sha256:37c8661fa59dcdfbd3baa8366b6e950ef292b15adfeff1f57812b075c1fd3447]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:37c8661fa59dcdfbd3baa8366b6e950ef292b15adfeff1f57812b075c1fd3447
-#     [docker.io/vaultwarden/web-vault:v2025.10.1]
+#     [docker.io/vaultwarden/web-vault:v2026.2.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:37c8661fa59dcdfbd3baa8366b6e950ef292b15adfeff1f57812b075c1fd3447 AS vault
 ########################## ALPINE BUILD IMAGES ##########################
-## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.91.0 AS build_amd64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.94.1 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.91.0 AS build_arm64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.94.1 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.91.0 AS build_armv7
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.94.1 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.91.0 AS build_armv6
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.94.1 AS build_armv6
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} AS build
+FROM --platform=$BUILDPLATFORM build_${TARGETARCH}${TARGETVARIANT} AS build
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG TARGETPLATFORM
@@ -127,7 +127,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.22
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.23
 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -19,24 +19,24 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.10.1
+#     $ docker pull docker.io/vaultwarden/web-vault:v2026.2.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.10.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.2.0
-#     [docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa]
+#     [docker.io/vaultwarden/web-vault@sha256:37c8661fa59dcdfbd3baa8366b6e950ef292b15adfeff1f57812b075c1fd3447]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:37c8661fa59dcdfbd3baa8366b6e950ef292b15adfeff1f57812b075c1fd3447
-#     [docker.io/vaultwarden/web-vault:v2025.10.1]
+#     [docker.io/vaultwarden/web-vault:v2026.2.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:37c8661fa59dcdfbd3baa8366b6e950ef292b15adfeff1f57812b075c1fd3447 AS vault
 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
 ## And these bash scripts do not have any significant difference if at all
-FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 AS xx
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707 AS xx
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.91.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.94.1-slim-trixie AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -51,15 +51,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
    TERM=xterm-256color \
    CARGO_HOME="/root/.cargo" \
    USER="root"
 # Force the install of an older MariaDB library to prevent a Diesel panic
 # See https://github.com/dani-garcia/vaultwarden/issues/6416
 RUN echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@@ -179,14 +170,6 @@ ENV ROCKET_PROFILE="release" \
 # Create data folder and Install needed libraries
 RUN mkdir /data && \
    # Force the install of an older MariaDB library to prevent a Diesel panic
    # See https://github.com/dani-garcia/vaultwarden/issues/6416
    echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot && \
    # Continue with normal install
    apt-get update && apt-get install -y \
        --no-install-recommends \
        ca-certificates \
@@ -19,13 +19,13 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }}
+#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }}
+#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
 #     [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}]
 #
 # - Conversely, to get the tag name from the digest:
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
-#     [docker.io/vaultwarden/web-vault:{{ vault_version }}]
+#     [docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}]
 #
 FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault
@@ -36,16 +36,16 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_diges
 FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx
 {% elif base == "alpine" %}
 ########################## ALPINE BUILD IMAGES ##########################
-## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
 {% for arch in build_stage_image[base].arch_image %}
-FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }}
+FROM --platform=$BUILDPLATFORM {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }}
 {% endfor %}
 {% endif %}
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} AS build
+FROM --platform=$BUILDPLATFORM {{ build_stage_image[base].image }} AS build
 {% if base == "debian" %}
 COPY --from=xx / /
 {% endif %}
@@ -69,15 +69,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
 {% endif %}
 {% if base == "debian" %}
 # Force the install of an older MariaDB library to prevent a Diesel panic
 # See https://github.com/dani-garcia/vaultwarden/issues/6416
 RUN echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@@ -216,14 +207,6 @@ ENV ROCKET_PROFILE="release" \
 # Create data folder and Install needed libraries
 RUN mkdir /data && \
 {% if base == "debian" %}
    # Force the install of an older MariaDB library to prevent a Diesel panic
    # See https://github.com/dani-garcia/vaultwarden/issues/6416
    echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot && \
    # Continue with normal install
    apt-get update && apt-get install -y \
        --no-install-recommends \
        ca-certificates \
@@ -13,8 +13,8 @@ path = "src/lib.rs"
 proc-macro = true
 [dependencies]
-quote = "1.0.41"
+quote = "1.0.45"
-syn = "2.0.108"
+syn = "2.0.117"
 [lints]
 workspace = true
@@ -1,2 +1,15 @@
-ALTER TABLE sso_users DROP FOREIGN KEY `sso_users_ibfk_1`;
+-- Dynamically create DROP FOREIGN KEY
 -- Some versions of MySQL or MariaDB might fail if the key doesn't exists
 -- This checks if the key exists, and if so, will drop it.
 SET @drop_sso_fk = IF((SELECT true FROM information_schema.TABLE_CONSTRAINTS WHERE
    CONSTRAINT_SCHEMA = DATABASE() AND
    TABLE_NAME = 'sso_users' AND
    CONSTRAINT_NAME = 'sso_users_ibfk_1' AND
    CONSTRAINT_TYPE = 'FOREIGN KEY') = true,
    'ALTER TABLE sso_users DROP FOREIGN KEY sso_users_ibfk_1',
    'SELECT 1');
 PREPARE stmt FROM @drop_sso_fk;
 EXECUTE stmt;
 DEALLOCATE PREPARE stmt;
 ALTER TABLE sso_users ADD FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE;
@@ -0,0 +1,9 @@
 DROP TABLE IF EXISTS sso_auth;
 CREATE TABLE sso_nonce (
    state               VARCHAR(512) NOT NULL PRIMARY KEY,
    nonce               TEXT NOT NULL,
    verifier            TEXT,
    redirect_uri        TEXT NOT NULL,
    created_at          TIMESTAMP NOT NULL DEFAULT now()
 );
@@ -0,0 +1,12 @@
 DROP TABLE IF EXISTS sso_nonce;
 CREATE TABLE sso_auth (
    state               VARCHAR(512) NOT NULL PRIMARY KEY,
    client_challenge    TEXT NOT NULL,
    nonce               TEXT NOT NULL,
    redirect_uri        TEXT NOT NULL,
    code_response       TEXT,
    auth_response       TEXT,
    created_at          TIMESTAMP NOT NULL DEFAULT now(),
    updated_at          TIMESTAMP NOT NULL DEFAULT now()
 );
@@ -0,0 +1,9 @@
 DROP TABLE IF EXISTS sso_auth;
 CREATE TABLE sso_nonce (
    state               TEXT NOT NULL PRIMARY KEY,
    nonce               TEXT NOT NULL,
    verifier            TEXT,
    redirect_uri        TEXT NOT NULL,
    created_at          TIMESTAMP NOT NULL DEFAULT now()
 );
@@ -0,0 +1,12 @@
 DROP TABLE IF EXISTS sso_nonce;
 CREATE TABLE sso_auth (
    state               TEXT NOT NULL PRIMARY KEY,
    client_challenge    TEXT NOT NULL,
    nonce               TEXT NOT NULL,
    redirect_uri        TEXT NOT NULL,
    code_response       TEXT,
    auth_response       TEXT,
    created_at          TIMESTAMP NOT NULL DEFAULT now(),
    updated_at          TIMESTAMP NOT NULL DEFAULT now()
 );
@@ -0,0 +1,9 @@
 DROP TABLE IF EXISTS sso_auth;
 CREATE TABLE sso_nonce (
  state               TEXT NOT NULL PRIMARY KEY,
  nonce               TEXT NOT NULL,
  verifier            TEXT,
  redirect_uri        TEXT NOT NULL,
  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
 );
@@ -0,0 +1,12 @@
 DROP TABLE IF EXISTS sso_nonce;
 CREATE TABLE sso_auth (
    state               TEXT NOT NULL PRIMARY KEY,
    client_challenge    TEXT NOT NULL,
    nonce               TEXT NOT NULL,
    redirect_uri        TEXT NOT NULL,
    code_response       TEXT,
    auth_response       TEXT,
    created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    updated_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
 );
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.91.0"
+channel = "1.94.1"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
@@ -23,7 +23,7 @@ use crate::{
        backup_sqlite, get_sql_server_version,
        models::{
            Attachment, Cipher, Collection, Device, Event, EventType, Group, Invitation, Membership, MembershipId,
-            MembershipType, OrgPolicy, OrgPolicyErr, Organization, OrganizationId, SsoUser, TwoFactor, User, UserId,
+            MembershipType, OrgPolicy, Organization, OrganizationId, SsoUser, TwoFactor, User, UserId,
        },
        DbConn, DbConnType, ACTIVE_DB_TYPE,
    },
@@ -31,8 +31,8 @@ use crate::{
    http_client::make_http_request,
    mail,
    util::{
-        container_base_image, format_naive_datetime_local, get_display_size, get_web_vault_version,
+        container_base_image, format_naive_datetime_local, get_active_web_release, get_display_size,
-        is_running_in_container, NumberOrString,
+        is_running_in_container, parse_experimental_client_feature_flags, FeatureFlagFilter, NumberOrString,
    },
    CONFIG, VERSION,
 };
@@ -472,7 +472,7 @@ async fn deauth_user(user_id: UserId, _token: AdminToken, conn: DbConn, nt: Noti
    }
    Device::delete_all_by_user(&user.uuid, &conn).await?;
-    user.reset_security_stamp();
+    user.reset_security_stamp(&conn).await?;
    user.save(&conn).await
 }
@@ -480,14 +480,15 @@ async fn deauth_user(user_id: UserId, _token: AdminToken, conn: DbConn, nt: Noti
 #[post("/users/<user_id>/disable", format = "application/json")]
 async fn disable_user(user_id: UserId, _token: AdminToken, conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &conn).await?;
-    Device::delete_all_by_user(&user.uuid, &conn).await?;
+    user.reset_security_stamp(&conn).await?;
    user.reset_security_stamp();
    user.enabled = false;
    let save_result = user.save(&conn).await;
    nt.send_logout(&user, None, &conn).await;
    Device::delete_all_by_user(&user.uuid, &conn).await?;
    save_result
 }
@@ -556,23 +557,9 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
        }
    }
    member_to_edit.atype = new_type;
    // This check is also done at api::organizations::{accept_invite, _confirm_invite, _activate_member, edit_member}, update_membership_type
-    // It returns different error messages per function.
+    OrgPolicy::check_user_allowed(&member_to_edit, "modify", &conn).await?;
    if new_type < MembershipType::Admin {
        match OrgPolicy::is_user_allowed(&member_to_edit.user_uuid, &member_to_edit.org_uuid, true, &conn).await {
            Ok(_) => {}
            Err(OrgPolicyErr::TwoFactorMissing) => {
                if CONFIG.email_2fa_auto_fallback() {
                    two_factor::email::find_and_activate_email_2fa(&member_to_edit.user_uuid, &conn).await?;
                } else {
                    err!("You cannot modify this user to this type because they have not setup 2FA");
                }
            }
            Err(OrgPolicyErr::SingleOrgEnforced) => {
                err!("You cannot modify this user to this type because it is a member of an organization which forbids it");
            }
        }
    }
    log_event(
        EventType::OrganizationUserUpdated as i32,
@@ -585,7 +572,6 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
    )
    .await;
    member_to_edit.atype = new_type;
    member_to_edit.save(&conn).await
 }
@@ -652,7 +638,6 @@ use cached::proc_macro::cached;
 /// Cache this function to prevent API call rate limit. Github only allows 60 requests per hour, and we use 3 here already
 /// It will cache this function for 600 seconds (10 minutes) which should prevent the exhaustion of the rate limit
 /// Any cache will be lost if Vaultwarden is restarted
 use std::time::Duration; // Needed for cached
 #[cached(time = 600, sync_writes = "default")]
 async fn get_release_info(has_http_access: bool) -> (String, String, String) {
    // If the HTTP Check failed, do not even attempt to check for new versions since we were not able to connect with github.com anyway.
@@ -704,6 +689,26 @@ async fn get_ntp_time(has_http_access: bool) -> String {
    String::from("Unable to fetch NTP time.")
 }
 fn web_vault_compare(active: &str, latest: &str) -> i8 {
    use semver::Version;
    use std::cmp::Ordering;
    let active_semver = Version::parse(active).unwrap_or_else(|e| {
        warn!("Unable to parse active web-vault version '{active}': {e}");
        Version::parse("2025.1.1").unwrap()
    });
    let latest_semver = Version::parse(latest).unwrap_or_else(|e| {
        warn!("Unable to parse latest web-vault version '{latest}': {e}");
        Version::parse("2025.1.1").unwrap()
    });
    match active_semver.cmp(&latest_semver) {
        Ordering::Less => -1,
        Ordering::Equal => 0,
        Ordering::Greater => 1,
    }
 }
 #[get("/diagnostics")]
 async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> ApiResult<Html<String>> {
    use chrono::prelude::*;
@@ -723,32 +728,28 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A
        _ => "Unable to resolve domain name.".to_string(),
    };
-    let (latest_release, latest_commit, latest_web_build) = get_release_info(has_http_access).await;
+    let (latest_vw_release, latest_vw_commit, latest_web_release) = get_release_info(has_http_access).await;
    let active_web_release = get_active_web_release();
    let web_vault_compare = web_vault_compare(&active_web_release, &latest_web_release);
    let ip_header_name = &ip_header.0.unwrap_or_default();
-    // Get current running versions
+    let invalid_feature_flags: Vec<String> = parse_experimental_client_feature_flags(
-    let web_vault_version = get_web_vault_version();
+        &CONFIG.experimental_client_feature_flags(),
-
+        FeatureFlagFilter::InvalidOnly,
-    // Check if the running version is newer than the latest stable released version
+    )
-    let web_vault_pre_release = if let Ok(web_ver_match) = semver::VersionReq::parse(&format!(">{latest_web_build}")) {
+    .into_keys()
-        web_ver_match.matches(
+    .collect();
            &semver::Version::parse(&web_vault_version).unwrap_or_else(|_| semver::Version::parse("2025.1.1").unwrap()),
        )
    } else {
        error!("Unable to parse latest_web_build: '{latest_web_build}'");
        false
    };
    let diagnostics_json = json!({
        "dns_resolved": dns_resolved,
        "current_release": VERSION,
-        "latest_release": latest_release,
+        "latest_release": latest_vw_release,
-        "latest_commit": latest_commit,
+        "latest_commit": latest_vw_commit,
        "web_vault_enabled": &CONFIG.web_vault_enabled(),
-        "web_vault_version": web_vault_version,
+        "active_web_release": active_web_release,
-        "latest_web_build": latest_web_build,
+        "latest_web_release": latest_web_release,
-        "web_vault_pre_release": web_vault_pre_release,
+        "web_vault_compare": web_vault_compare,
        "running_within_container": running_within_container,
        "container_base_image": if running_within_container { container_base_image() } else { "Not applicable" },
        "has_http_access": has_http_access,
@@ -762,6 +763,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A
        "db_version": get_sql_server_version(&conn).await,
        "admin_url": format!("{}/diagnostics", admin_url()),
        "overrides": &CONFIG.get_overrides().join(", "),
        "invalid_feature_flags": invalid_feature_flags,
        "host_arch": env::consts::ARCH,
        "host_os":  env::consts::OS,
        "tz_env": env::var("TZ").unwrap_or_default(),
@@ -859,3 +861,32 @@ impl<'r> FromRequest<'r> for AdminToken {
        })
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn validate_web_vault_compare() {
        // web_vault_compare(active, latest)
        // Test normal versions
        assert!(web_vault_compare("2025.12.0", "2025.12.1") == -1);
        assert!(web_vault_compare("2025.12.1", "2025.12.1") == 0);
        assert!(web_vault_compare("2025.12.2", "2025.12.1") == 1);
        // Test patched/+build.n versions
        // Newer latest version
        assert!(web_vault_compare("2025.12.0+build.1", "2025.12.1") == -1);
        assert!(web_vault_compare("2025.12.1", "2025.12.1+build.1") == -1);
        assert!(web_vault_compare("2025.12.0+build.1", "2025.12.1+build.1") == -1);
        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1+build.2") == -1);
        // Equal versions
        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1+build.1") == 0);
        assert!(web_vault_compare("2025.12.2+build.2", "2025.12.2+build.2") == 0);
        // Newer active version
        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1") == 1);
        assert!(web_vault_compare("2025.12.2", "2025.12.1+build.1") == 1);
        assert!(web_vault_compare("2025.12.2+build.1", "2025.12.1+build.1") == 1);
        assert!(web_vault_compare("2025.12.1+build.3", "2025.12.1+build.2") == 1);
    }
 }
@@ -22,7 +22,7 @@ use crate::{
        DbConn,
    },
    mail,
-    util::{format_date, NumberOrString},
+    util::{deser_opt_nonempty_str, format_date, NumberOrString},
    CONFIG,
 };
@@ -33,7 +33,6 @@ use rocket::{
 pub fn routes() -> Vec<rocket::Route> {
    routes![
        register,
        profile,
        put_profile,
        post_profile,
@@ -66,6 +65,7 @@ pub fn routes() -> Vec<rocket::Route> {
        put_device_token,
        put_clear_device_token,
        post_clear_device_token,
        get_tasks,
        post_auth_request,
        get_auth_request,
        put_auth_request,
@@ -106,7 +106,6 @@ pub struct RegisterData {
    name: Option<String>,
    #[allow(dead_code)]
    organization_user_id: Option<MembershipId>,
    // Used only from the register/finish endpoint
@@ -167,11 +166,6 @@ async fn is_email_2fa_required(member_id: Option<MembershipId>, conn: &DbConn) -
    false
 }
 #[post("/accounts/register", data = "<data>")]
 async fn register(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
    _register(data, false, conn).await
 }
 pub async fn _register(data: Json<RegisterData>, email_verification: bool, conn: DbConn) -> JsonResult {
    let mut data: RegisterData = data.into_inner();
    let email = data.email.to_lowercase();
@@ -301,7 +295,7 @@ pub async fn _register(data: Json<RegisterData>, email_verification: bool, conn:
    set_kdf_data(&mut user, &data.kdf)?;
-    user.set_password(&data.master_password_hash, Some(data.key), true, None);
+    user.set_password(&data.master_password_hash, Some(data.key), true, None, &conn).await?;
    user.password_hint = password_hint;
    // Add extra fields if present
@@ -369,7 +363,9 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
        Some(data.key),
        false,
        Some(vec![String::from("revision_date")]), // We need to allow revision-date to use the old security_timestamp
-    );
+        &conn,
    )
    .await?;
    user.password_hint = password_hint;
    if let Some(keys) = data.keys {
@@ -378,15 +374,13 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
    }
    if let Some(identifier) = data.org_identifier {
-        if identifier != crate::sso::FAKE_IDENTIFIER {
+        if identifier != crate::sso::FAKE_IDENTIFIER && identifier != crate::api::admin::FAKE_ADMIN_UUID {
-            let org = match Organization::find_by_uuid(&identifier.into(), &conn).await {
+            let Some(org) = Organization::find_by_uuid(&identifier.into(), &conn).await else {
-                None => err!("Failed to retrieve the associated organization"),
+                err!("Failed to retrieve the associated organization")
                Some(org) => org,
            };
-            let membership = match Membership::find_by_user_and_org(&user.uuid, &org.uuid, &conn).await {
+            let Some(membership) = Membership::find_by_user_and_org(&user.uuid, &org.uuid, &conn).await else {
-                None => err!("Failed to retrieve the invitation"),
+                err!("Failed to retrieve the invitation")
                Some(org) => org,
            };
            accept_org_invite(&user, membership, None, &conn).await?;
@@ -405,8 +399,8 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
    user.save(&conn).await?;
    Ok(Json(json!({
-      "Object": "set-password",
+      "object": "set-password",
-      "CaptchaBypassToken": "",
+      "captchaBypassToken": "",
    })))
 }
@@ -537,14 +531,16 @@ async fn post_password(data: Json<ChangePassData>, headers: Headers, conn: DbCon
            String::from("get_public_keys"),
            String::from("get_api_webauthn"),
        ]),
-    );
+        &conn,
    )
    .await?;
    let save_result = user.save(&conn).await;
    // Prevent logging out the client where the user requested this endpoint from.
    // If you do logout the user it will causes issues at the client side.
    // Adding the device uuid will prevent this.
-    nt.send_logout(&user, Some(headers.device.uuid.clone()), &conn).await;
+    nt.send_logout(&user, Some(&headers.device), &conn).await;
    save_result
 }
@@ -584,7 +580,6 @@ fn set_kdf_data(user: &mut User, data: &KDFData) -> EmptyResult {
    Ok(())
 }
 #[allow(dead_code)]
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AuthenticationData {
@@ -593,7 +588,6 @@ struct AuthenticationData {
    master_password_authentication_hash: String,
 }
 #[allow(dead_code)]
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct UnlockData {
@@ -602,11 +596,12 @@ struct UnlockData {
    master_key_wrapped_user_key: String,
 }
 #[allow(dead_code)]
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ChangeKdfData {
    #[allow(dead_code)]
    new_master_password_hash: String,
    #[allow(dead_code)]
    key: String,
    authentication_data: AuthenticationData,
    unlock_data: UnlockData,
@@ -638,10 +633,12 @@ async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, conn: DbConn, nt:
        Some(data.unlock_data.master_key_wrapped_user_key),
        true,
        None,
-    );
+        &conn,
    )
    .await?;
    let save_result = user.save(&conn).await;
-    nt.send_logout(&user, Some(headers.device.uuid.clone()), &conn).await;
+    nt.send_logout(&user, Some(&headers.device), &conn).await;
    save_result
 }
@@ -652,6 +649,7 @@ struct UpdateFolderData {
    // There is a bug in 2024.3.x which adds a `null` item.
    // To bypass this we allow a Option here, but skip it during the updates
    // See: https://github.com/bitwarden/clients/issues/8453
    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    id: Option<FolderId>,
    name: String,
 }
@@ -905,14 +903,16 @@ async fn post_rotatekey(data: Json<KeyData>, headers: Headers, conn: DbConn, nt:
        Some(data.account_unlock_data.master_password_unlock_data.master_key_encrypted_user_key),
        true,
        None,
-    );
+        &conn,
    )
    .await?;
    let save_result = user.save(&conn).await;
    // Prevent logging out the client where the user requested this endpoint from.
    // If you do logout the user it will causes issues at the client side.
    // Adding the device uuid will prevent this.
-    nt.send_logout(&user, Some(headers.device.uuid.clone()), &conn).await;
+    nt.send_logout(&user, Some(&headers.device), &conn).await;
    save_result
 }
@@ -924,12 +924,13 @@ async fn post_sstamp(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbCo
    data.validate(&user, true, &conn).await?;
-    Device::delete_all_by_user(&user.uuid, &conn).await?;
+    user.reset_security_stamp(&conn).await?;
    user.reset_security_stamp();
    let save_result = user.save(&conn).await;
    nt.send_logout(&user, None, &conn).await;
    Device::delete_all_by_user(&user.uuid, &conn).await?;
    save_result
 }
@@ -1047,7 +1048,7 @@ async fn post_email(data: Json<ChangeEmailData>, headers: Headers, conn: DbConn,
    user.email_new = None;
    user.email_new_token = None;
-    user.set_password(&data.new_master_password_hash, Some(data.key), true, None);
+    user.set_password(&data.new_master_password_hash, Some(data.key), true, None, &conn).await?;
    let save_result = user.save(&conn).await;
@@ -1198,10 +1199,9 @@ async fn password_hint(data: Json<PasswordHintData>, conn: DbConn) -> EmptyResul
                // There is still a timing side channel here in that the code
                // paths that send mail take noticeably longer than ones that
                // don't. Add a randomized sleep to mitigate this somewhat.
-                use rand::{rngs::SmallRng, Rng, SeedableRng};
+                use rand::{rngs::SmallRng, RngExt};
-                let mut rng = SmallRng::from_os_rng();
+                let mut rng: SmallRng = rand::make_rng();
-                let delta: i32 = 100;
+                let sleep_ms = rng.random_range(900..=1100) as u64;
                let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
                tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
                Ok(())
            } else {
@@ -1260,7 +1260,7 @@ struct SecretVerificationRequest {
 pub async fn kdf_upgrade(user: &mut User, pwd_hash: &str, conn: &DbConn) -> ApiResult<()> {
    if user.password_iterations < CONFIG.password_iterations() {
        user.password_iterations = CONFIG.password_iterations();
-        user.set_password(pwd_hash, None, false, None);
+        user.set_password(pwd_hash, None, false, None, conn).await?;
        if let Err(e) = user.save(conn).await {
            error!("Error updating user: {e:#?}");
@@ -1334,6 +1334,11 @@ impl<'r> FromRequest<'r> for KnownDevice {
    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let email = if let Some(email_b64) = req.headers().get_one("X-Request-Email") {
            // Bitwarden seems to send padded Base64 strings since 2026.2.1
            // Since these values are not streamed and Headers are always split by newlines
            // we can safely ignore padding here and remove any '=' appended.
            let email_b64 = email_b64.trim_end_matches('=');
            let Ok(email_bytes) = data_encoding::BASE64URL_NOPAD.decode(email_b64.as_bytes()) else {
                return Outcome::Error((Status::BadRequest, "X-Request-Email value failed to decode as base64url"));
            };
@@ -1409,7 +1414,7 @@ async fn put_device_token(device_id: DeviceId, data: Json<PushToken>, headers: H
    }
    device.push_token = Some(token);
-    if let Err(e) = device.save(&conn).await {
+    if let Err(e) = device.save(true, &conn).await {
        err!(format!("An error occurred while trying to save the device push token: {e}"));
    }
@@ -1445,6 +1450,14 @@ async fn post_clear_device_token(device_id: DeviceId, conn: DbConn) -> EmptyResu
    put_clear_device_token(device_id, conn).await
 }
 #[get("/tasks")]
 fn get_tasks(_client_headers: ClientHeaders) -> JsonResult {
    Ok(Json(json!({
        "data": [],
        "object": "list"
    })))
 }
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AuthRequestRequest {
@@ -1695,6 +1708,6 @@ pub async fn purge_auth_requests(pool: DbPool) {
    if let Ok(conn) = pool.get().await {
        AuthRequest::purge_expired_auth_requests(&conn).await;
    } else {
-        error!("Failed to get DB connection while purging trashed ciphers")
+        error!("Failed to get DB connection while purging auth requests")
    }
 }
@@ -11,10 +11,10 @@ use rocket::{
 use serde_json::Value;
 use crate::auth::ClientVersion;
-use crate::util::{save_temp_file, NumberOrString};
+use crate::util::{deser_opt_nonempty_str, save_temp_file, NumberOrString};
 use crate::{
    api::{self, core::log_event, EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType},
-    auth::Headers,
+    auth::{Headers, OrgIdGuard, OwnerHeaders},
    config::PathType,
    crypto,
    db::{
@@ -86,7 +86,8 @@ pub fn routes() -> Vec<Route> {
        restore_cipher_put_admin,
        restore_cipher_selected,
        restore_cipher_selected_admin,
-        delete_all,
+        purge_org_vault,
        purge_personal_vault,
        move_cipher_selected,
        move_cipher_selected_put,
        put_collections2_update,
@@ -159,7 +160,28 @@ async fn sync(data: SyncData, headers: Headers, client_version: Option<ClientVer
    let domains_json = if data.exclude_domains {
        Value::Null
    } else {
-        api::core::_get_eq_domains(headers, true).into_inner()
+        api::core::_get_eq_domains(&headers, true).into_inner()
    };
    // This is very similar to the the userDecryptionOptions sent in connect/token,
    // but as of 2025-12-19 they're both using different casing conventions.
    let has_master_password = !headers.user.password_hash.is_empty();
    let master_password_unlock = if has_master_password {
        json!({
            "kdf": {
                "kdfType": headers.user.client_kdf_type,
                "iterations": headers.user.client_kdf_iter,
                "memory": headers.user.client_kdf_memory,
                "parallelism": headers.user.client_kdf_parallelism
            },
            // This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
            // https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
            "masterKeyEncryptedUserKey": headers.user.akey,
            "masterKeyWrappedUserKey": headers.user.akey,
            "salt": headers.user.email
        })
    } else {
        Value::Null
    };
    Ok(Json(json!({
@@ -170,6 +192,9 @@ async fn sync(data: SyncData, headers: Headers, client_version: Option<ClientVer
        "ciphers": ciphers_json,
        "domains": domains_json,
        "sends": sends_json,
        "userDecryption": {
            "masterPasswordUnlock": master_password_unlock,
        },
        "object": "sync"
    })))
 }
@@ -223,6 +248,7 @@ pub struct CipherData {
    // Id is optional as it is included only in bulk share
    pub id: Option<CipherId>,
    // Folder id is not included in import
    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    pub folder_id: Option<FolderId>,
    // TODO: Some of these might appear all the time, no need for Option
    #[serde(alias = "organizationID")]
@@ -272,6 +298,7 @@ pub struct CipherData {
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct PartialCipherData {
    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    folder_id: Option<FolderId>,
    favorite: bool,
 }
@@ -301,12 +328,6 @@ async fn post_ciphers_create(
 ) -> JsonResult {
    let mut data: ShareCipherData = data.into_inner();
    // Check if there are one more more collections selected when this cipher is part of an organization.
    // err if this is not the case before creating an empty cipher.
    if data.cipher.organization_id.is_some() && data.collection_ids.is_empty() {
        err!("You must select at least one collection.");
    }
    // This check is usually only needed in update_cipher_from_data(), but we
    // need it here as well to avoid creating an empty cipher in the call to
    // cipher.save() below.
@@ -324,7 +345,11 @@ async fn post_ciphers_create(
    // or otherwise), we can just ignore this field entirely.
    data.cipher.last_known_revision_date = None;
-    share_cipher_by_uuid(&cipher.uuid, data, &headers, &conn, &nt, None).await
+    let res = share_cipher_by_uuid(&cipher.uuid, data, &headers, &conn, &nt, None).await;
    if res.is_err() {
        cipher.delete(&conn).await?;
    }
    res
 }
 /// Called when creating a new user-owned cipher.
@@ -403,7 +428,7 @@ pub async fn update_cipher_from_data(
    let transfer_cipher = cipher.organization_uuid.is_none() && data.organization_id.is_some();
    if let Some(org_id) = data.organization_id {
-        match Membership::find_by_user_and_org(&headers.user.uuid, &org_id, conn).await {
+        match Membership::find_confirmed_by_user_and_org(&headers.user.uuid, &org_id, conn).await {
            None => err!("You don't have permission to add item to organization"),
            Some(member) => {
                if shared_to_collections.is_some()
@@ -693,9 +718,13 @@ async fn put_cipher_partial(
    let data: PartialCipherData = data.into_inner();
    let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).await else {
-        err!("Cipher doesn't exist")
+        err!("Cipher does not exist")
    };
    if !cipher.is_accessible_to_user(&headers.user.uuid, &conn).await {
        err!("Cipher does not exist", "Cipher is not accessible for the current user")
    }
    if let Some(ref folder_id) = data.folder_id {
        if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none() {
            err!("Invalid folder", "Folder does not exist or belongs to another user");
@@ -1542,6 +1571,7 @@ async fn restore_cipher_selected(
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct MoveCipherData {
    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    folder_id: Option<FolderId>,
    ids: Vec<CipherId>,
 }
@@ -1616,9 +1646,51 @@ struct OrganizationIdData {
    org_id: OrganizationId,
 }
 // Use the OrgIdGuard here, to ensure there an organization id present.
 // If there is no organization id present, it should be forwarded to purge_personal_vault.
 // This guard needs to be the first argument, else OwnerHeaders will be triggered which will logout the user.
 #[post("/ciphers/purge?<organization..>", data = "<data>")]
-async fn delete_all(
+async fn purge_org_vault(
-    organization: Option<OrganizationIdData>,
+    _org_id_guard: OrgIdGuard,
    organization: OrganizationIdData,
    data: Json<PasswordOrOtpData>,
    headers: OwnerHeaders,
    conn: DbConn,
    nt: Notify<'_>,
 ) -> EmptyResult {
    if organization.org_id != headers.org_id {
        err!("Organization not found", "Organization id's do not match");
    }
    let data: PasswordOrOtpData = data.into_inner();
    let user = headers.user;
    data.validate(&user, true, &conn).await?;
    match Membership::find_confirmed_by_user_and_org(&user.uuid, &organization.org_id, &conn).await {
        Some(member) if member.atype == MembershipType::Owner => {
            Cipher::delete_all_by_organization(&organization.org_id, &conn).await?;
            nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
            log_event(
                EventType::OrganizationPurgedVault as i32,
                &organization.org_id,
                &organization.org_id,
                &user.uuid,
                headers.device.atype,
                &headers.ip.ip,
                &conn,
            )
            .await;
            Ok(())
        }
        _ => err!("You don't have permission to purge the organization vault"),
    }
 }
 #[post("/ciphers/purge", data = "<data>")]
 async fn purge_personal_vault(
    data: Json<PasswordOrOtpData>,
    headers: Headers,
    conn: DbConn,
@@ -1629,52 +1701,18 @@ async fn delete_all(
    data.validate(&user, true, &conn).await?;
-    match organization {
+    for cipher in Cipher::find_owned_by_user(&user.uuid, &conn).await {
-        Some(org_data) => {
+        cipher.delete(&conn).await?;
            // Organization ID in query params, purging organization vault
            match Membership::find_by_user_and_org(&user.uuid, &org_data.org_id, &conn).await {
                None => err!("You don't have permission to purge the organization vault"),
                Some(member) => {
                    if member.atype == MembershipType::Owner {
                        Cipher::delete_all_by_organization(&org_data.org_id, &conn).await?;
                        nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
                        log_event(
                            EventType::OrganizationPurgedVault as i32,
                            &org_data.org_id,
                            &org_data.org_id,
                            &user.uuid,
                            headers.device.atype,
                            &headers.ip.ip,
                            &conn,
                        )
                        .await;
                        Ok(())
                    } else {
                        err!("You don't have permission to purge the organization vault");
                    }
                }
            }
        }
        None => {
            // No organization ID in query params, purging user vault
            // Delete ciphers and their attachments
            for cipher in Cipher::find_owned_by_user(&user.uuid, &conn).await {
                cipher.delete(&conn).await?;
            }
            // Delete folders
            for f in Folder::find_by_user(&user.uuid, &conn).await {
                f.delete(&conn).await?;
            }
            user.update_revision(&conn).await?;
            nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
            Ok(())
        }
    }
    for f in Folder::find_by_user(&user.uuid, &conn).await {
        f.delete(&conn).await?;
    }
    user.update_revision(&conn).await?;
    nt.send_user_update(UpdateType::SyncVault, &user, &headers.device.push_uuid, &conn).await;
    Ok(())
 }
 #[derive(PartialEq)]
@@ -1954,8 +1992,11 @@ impl CipherSyncData {
        }
        // Generate a HashMap with the Organization UUID as key and the Membership record
-        let members: HashMap<OrganizationId, Membership> =
+        let members: HashMap<OrganizationId, Membership> = Membership::find_confirmed_by_user(user_id, conn)
-            Membership::find_by_user(user_id, conn).await.into_iter().map(|m| (m.org_uuid.clone(), m)).collect();
+            .await
            .into_iter()
            .map(|m| (m.org_uuid.clone(), m))
            .collect();
        // Generate a HashMap with the User_Collections UUID as key and the CollectionUser record
        let user_collections: HashMap<CollectionId, CollectionUser> = CollectionUser::find_by_user(user_id, conn)
@@ -47,24 +47,11 @@ pub fn routes() -> Vec<Route> {
 #[get("/emergency-access/trusted")]
 async fn get_contacts(headers: Headers, conn: DbConn) -> Json<Value> {
-    if !CONFIG.emergency_access_allowed() {
+    let emergency_access_list = if CONFIG.emergency_access_allowed() {
-        return Json(json!({
+        EmergencyAccess::find_all_by_grantor_uuid(&headers.user.uuid, &conn).await
-            "data": [{
+    } else {
-                "id": "",
+        Vec::new()
-                "status": 2,
+    };
                "type": 0,
                "waitTimeDays": 0,
                "granteeId": "",
                "email": "",
                "name": "NOTE: Emergency Access is disabled!",
                "object": "emergencyAccessGranteeDetails",
            }],
            "object": "list",
            "continuationToken": null
        }));
    }
    let emergency_access_list = EmergencyAccess::find_all_by_grantor_uuid(&headers.user.uuid, &conn).await;
    let mut emergency_access_list_json = Vec::with_capacity(emergency_access_list.len());
    for ea in emergency_access_list {
        if let Some(grantee) = ea.to_json_grantee_details(&conn).await {
@@ -666,7 +653,7 @@ async fn password_emergency_access(
    };
    // change grantor_user password
-    grantor_user.set_password(new_master_password_hash, Some(data.key), true, None);
+    grantor_user.set_password(new_master_password_hash, Some(data.key), true, None, &conn).await?;
    grantor_user.save(&conn).await?;
    // Disable TwoFactor providers since they will otherwise block logins
@@ -240,7 +240,7 @@ async fn _log_user_event(
    ip: &IpAddr,
    conn: &DbConn,
 ) {
-    let memberships = Membership::find_by_user(user_id, conn).await;
+    let memberships = Membership::find_confirmed_by_user(user_id, conn).await;
    let mut events: Vec<Event> = Vec::with_capacity(memberships.len() + 1); // We need an event per org and one without an org
    // Upstream saves the event also without any org_id.
@@ -8,6 +8,7 @@ use crate::{
        models::{Folder, FolderId},
        DbConn,
    },
    util::deser_opt_nonempty_str,
 };
 pub fn routes() -> Vec<rocket::Route> {
@@ -38,6 +39,7 @@ async fn get_folder(folder_id: FolderId, headers: Headers, conn: DbConn) -> Json
 #[serde(rename_all = "camelCase")]
 pub struct FolderData {
    pub name: String,
    #[serde(default, deserialize_with = "deser_opt_nonempty_str")]
    pub id: Option<FolderId>,
 }
@@ -53,13 +53,14 @@ use crate::{
    api::{EmptyResult, JsonResult, Notify, UpdateType},
    auth::Headers,
    db::{
-        models::{Membership, MembershipStatus, MembershipType, OrgPolicy, OrgPolicyErr, Organization, User},
+        models::{Membership, MembershipStatus, OrgPolicy, Organization, User},
        DbConn,
    },
    error::Error,
    http_client::make_http_request,
    mail,
-    util::parse_experimental_client_feature_flags,
+    util::{parse_experimental_client_feature_flags, FeatureFlagFilter},
    CONFIG,
 };
 #[derive(Debug, Serialize, Deserialize)]
@@ -74,11 +75,11 @@ const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");
 #[get("/settings/domains")]
 fn get_eq_domains(headers: Headers) -> Json<Value> {
-    _get_eq_domains(headers, false)
+    _get_eq_domains(&headers, false)
 }
-fn _get_eq_domains(headers: Headers, no_excluded: bool) -> Json<Value> {
+fn _get_eq_domains(headers: &Headers, no_excluded: bool) -> Json<Value> {
-    let user = headers.user;
+    let user = &headers.user;
    use serde_json::from_str;
    let equivalent_domains: Vec<Vec<String>> = from_str(&user.equivalent_domains).unwrap();
@@ -136,7 +137,7 @@ async fn put_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbC
 #[get("/hibp/breach?<username>")]
 async fn hibp_breach(username: &str, _headers: Headers) -> JsonResult {
    let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
-    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+    if let Some(api_key) = CONFIG.hibp_api_key() {
        let url = format!(
            "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
        );
@@ -197,19 +198,17 @@ fn get_api_webauthn(_headers: Headers) -> Json<Value> {
 #[get("/config")]
 fn config() -> Json<Value> {
-    let domain = crate::CONFIG.domain();
+    let domain = CONFIG.domain();
    // Official available feature flags can be found here:
-    // Server (v2025.6.2): https://github.com/bitwarden/server/blob/d094be3267f2030bd0dc62106bc6871cf82682f5/src/Core/Constants.cs#L103
+    // Server (v2026.2.1): https://github.com/bitwarden/server/blob/0e42725d0837bd1c0dabd864ff621a579959744b/src/Core/Constants.cs#L135
-    // Client (web-v2025.6.1): https://github.com/bitwarden/clients/blob/747c2fd6a1c348a57a76e4a7de8128466ffd3c01/libs/common/src/enums/feature-flag.enum.ts#L12
+    // Client (v2026.2.1): https://github.com/bitwarden/clients/blob/f96380c3138291a028bdd2c7a5fee540d5c98ba5/libs/common/src/enums/feature-flag.enum.ts#L12
-    // Android (v2025.6.0): https://github.com/bitwarden/android/blob/b5b022caaad33390c31b3021b2c1205925b0e1a2/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L22
+    // Android (v2026.2.1): https://github.com/bitwarden/android/blob/6902c19c0093fa476bbf74ccaa70c9f14afbb82f/core/src/main/kotlin/com/bitwarden/core/data/manager/model/FlagKey.kt#L31
-    // iOS (v2025.6.0): https://github.com/bitwarden/ios/blob/ff06d9c6cc8da89f78f37f376495800201d7261a/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
+    // iOS (v2026.2.1): https://github.com/bitwarden/ios/blob/cdd9ba1770ca2ffc098d02d12cc3208e3a830454/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
-    let mut feature_states =
+    let feature_states = parse_experimental_client_feature_flags(
-        parse_experimental_client_feature_flags(&crate::CONFIG.experimental_client_feature_flags());
+        &CONFIG.experimental_client_feature_flags(),
-    feature_states.insert("duo-redirect".to_string(), true);
+        FeatureFlagFilter::ValidOnly,
-    feature_states.insert("email-verification".to_string(), true);
+    );
-    feature_states.insert("unauth-ui-refresh".to_string(), true);
+    // Add default feature_states here if needed, currently no features are needed by default.
    feature_states.insert("enable-pm-flight-recorder".to_string(), true);
    feature_states.insert("mobile-error-reporting".to_string(), true);
    Json(json!({
        // Note: The clients use this version to handle backwards compatibility concerns
@@ -217,14 +216,15 @@ fn config() -> Json<Value> {
        // We should make sure that we keep this updated when we support the new server features
        // Version history:
        // - Individual cipher key encryption: 2024.2.0
-        "version": "2025.6.0",
+        // - Mobile app support for MasterPasswordUnlockData: 2025.8.0
        "version": "2025.12.0",
        "gitHash": option_env!("GIT_REV"),
        "server": {
          "name": "Vaultwarden",
          "url": "https://github.com/dani-garcia/vaultwarden"
        },
        "settings": {
-            "disableUserRegistration": crate::CONFIG.is_signup_disabled()
+            "disableUserRegistration": CONFIG.is_signup_disabled()
        },
        "environment": {
          "vault": domain,
@@ -269,30 +269,15 @@ async fn accept_org_invite(
        err!("User already accepted the invitation");
    }
    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
    // It returns different error messages per function.
    if member.atype < MembershipType::Admin {
        match OrgPolicy::is_user_allowed(&member.user_uuid, &member.org_uuid, false, conn).await {
            Ok(_) => {}
            Err(OrgPolicyErr::TwoFactorMissing) => {
                if crate::CONFIG.email_2fa_auto_fallback() {
                    two_factor::email::activate_email_2fa(user, conn).await?;
                } else {
                    err!("You cannot join this organization until you enable two-step login on your user account");
                }
            }
            Err(OrgPolicyErr::SingleOrgEnforced) => {
                err!("You cannot join this organization because you are a member of an organization which forbids it");
            }
        }
    }
    member.status = MembershipStatus::Accepted as i32;
    member.reset_password_key = reset_password_key;
    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
    OrgPolicy::check_user_allowed(&member, "join", conn).await?;
    member.save(conn).await?;
-    if crate::CONFIG.mail_enabled() {
+    if CONFIG.mail_enabled() {
        let org = match Organization::find_by_uuid(&member.org_uuid, conn).await {
            Some(org) => org,
            None => err!("Organization not found."),
@@ -156,7 +156,7 @@ async fn ldap_import(data: Json<OrgImportData>, token: PublicToken, conn: DbConn
                }
            };
-            GroupUser::delete_all_by_group(&group_uuid, &conn).await?;
+            GroupUser::delete_all_by_group(&group_uuid, &org_id, &conn).await?;
            for ext_id in &group_data.member_external_ids {
                if let Some(member) = Membership::find_by_external_id_and_org(ext_id, &org_id, &conn).await {
@@ -568,7 +568,7 @@ async fn post_access_file(
 async fn download_url(host: &Host, send_id: &SendId, file_id: &SendFileId) -> Result<String, crate::Error> {
    let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;
-    if operator.info().scheme() == opendal::Scheme::Fs {
+    if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
        let token_claims = crate::auth::generate_send_claims(send_id, file_id);
        let token = crate::auth::encode_jwt(&token_claims);
@@ -7,10 +7,10 @@ use crate::{
        core::{log_user_event, two_factor::_generate_recover_code},
        EmptyResult, JsonResult, PasswordOrOtpData,
    },
-    auth::Headers,
+    auth::{ClientHeaders, Headers},
    crypto,
    db::{
-        models::{DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
+        models::{AuthRequest, AuthRequestId, DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
        DbConn,
    },
    error::{Error, MapResult},
@@ -26,36 +26,80 @@ pub fn routes() -> Vec<Route> {
 struct SendEmailLoginData {
    #[serde(alias = "DeviceIdentifier")]
    device_identifier: DeviceId,
    #[allow(unused)]
    #[serde(alias = "Email")]
    email: Option<String>,
    #[allow(unused)]
    #[serde(alias = "MasterPasswordHash")]
    master_password_hash: Option<String>,
    auth_request_id: Option<AuthRequestId>,
    auth_request_access_code: Option<String>,
 }
 /// User is trying to login and wants to use email 2FA.
 /// Does not require Bearer token
 #[post("/two-factor/send-email-login", data = "<data>")] // JsonResult
-async fn send_email_login(data: Json<SendEmailLoginData>, conn: DbConn) -> EmptyResult {
+async fn send_email_login(data: Json<SendEmailLoginData>, client_headers: ClientHeaders, conn: DbConn) -> EmptyResult {
    let data: SendEmailLoginData = data.into_inner();
    use crate::db::models::User;
    // Get the user
    let Some(user) = User::find_by_device_id(&data.device_identifier, &conn).await else {
        err!("Cannot find user. Try again.")
    };
    if !CONFIG._enable_email_2fa() {
        err!("Email 2FA is disabled")
    }
-    send_token(&user.uuid, &conn).await?;
+    // Ratelimit the login
    crate::ratelimit::check_limit_login(&client_headers.ip.ip)?;
-    Ok(())
+    // Get the user
    let email = match &data.email {
        Some(email) if !email.is_empty() => Some(email),
        _ => None,
    };
    let master_password_hash = match &data.master_password_hash {
        Some(password_hash) if !password_hash.is_empty() => Some(password_hash),
        _ => None,
    };
    let auth_request_id = match &data.auth_request_id {
        Some(auth_request_id) if !auth_request_id.is_empty() => Some(auth_request_id),
        _ => None,
    };
    let user = if let Some(email) = email {
        let Some(user) = User::find_by_mail(email, &conn).await else {
            err!("Username or password is incorrect. Try again.")
        };
        if let Some(master_password_hash) = master_password_hash {
            // Check password
            if !user.check_valid_password(master_password_hash) {
                err!("Username or password is incorrect. Try again.")
            }
        } else if let Some(auth_request_id) = auth_request_id {
            let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_id, &conn).await else {
                err!("AuthRequest doesn't exist", "User not found")
            };
            let Some(code) = &data.auth_request_access_code else {
                err!("no auth request access code")
            };
            if auth_request.device_type != client_headers.device_type
                || auth_request.request_ip != client_headers.ip.ip.to_string()
                || !auth_request.check_access_code(code)
            {
                err!("AuthRequest doesn't exist", "Invalid device, IP or code")
            }
        } else {
            err!("No password hash has been submitted.")
        }
        user
    } else {
        // SSO login only sends device id, so we get the user by the most recently used device
        let Some(user) = User::find_by_device_for_email2fa(&data.device_identifier, &conn).await else {
            err!("Username or password is incorrect. Try again.")
        };
        user
    };
    send_token(&user.uuid, &conn).await
 }
 /// Generate the token, save the data for later verification and send email to user
@@ -1,7 +1,9 @@
 use chrono::{TimeDelta, Utc};
 use data_encoding::BASE32;
 use num_traits::FromPrimitive;
 use rocket::serde::json::Json;
 use rocket::Route;
 use serde::Deserialize;
 use serde_json::Value;
 use crate::{
@@ -9,12 +11,12 @@ use crate::{
        core::{log_event, log_user_event},
        EmptyResult, JsonResult, PasswordOrOtpData,
    },
-    auth::{ClientHeaders, Headers},
+    auth::Headers,
    crypto,
    db::{
        models::{
            DeviceType, EventType, Membership, MembershipType, OrgPolicyType, Organization, OrganizationId, TwoFactor,
-            TwoFactorIncomplete, User, UserId,
+            TwoFactorIncomplete, TwoFactorType, User, UserId,
        },
        DbConn, DbPool,
    },
@@ -31,11 +33,47 @@ pub mod protected_actions;
 pub mod webauthn;
 pub mod yubikey;
 fn has_global_duo_credentials() -> bool {
    CONFIG._enable_duo() && CONFIG.duo_host().is_some() && CONFIG.duo_ikey().is_some() && CONFIG.duo_skey().is_some()
 }
 pub fn is_twofactor_provider_usable(provider_type: TwoFactorType, provider_data: Option<&str>) -> bool {
    #[derive(Deserialize)]
    struct DuoProviderData {
        host: String,
        ik: String,
        sk: String,
    }
    match provider_type {
        TwoFactorType::Authenticator => true,
        TwoFactorType::Email => CONFIG._enable_email_2fa(),
        TwoFactorType::Duo | TwoFactorType::OrganizationDuo => {
            provider_data
                .and_then(|raw| serde_json::from_str::<DuoProviderData>(raw).ok())
                .is_some_and(|duo| !duo.host.is_empty() && !duo.ik.is_empty() && !duo.sk.is_empty())
                || has_global_duo_credentials()
        }
        TwoFactorType::YubiKey => {
            CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some()
        }
        TwoFactorType::Webauthn => CONFIG.is_webauthn_2fa_supported(),
        TwoFactorType::Remember => !CONFIG.disable_2fa_remember(),
        TwoFactorType::RecoveryCode => true,
        TwoFactorType::U2f
        | TwoFactorType::U2fRegisterChallenge
        | TwoFactorType::U2fLoginChallenge
        | TwoFactorType::EmailVerificationChallenge
        | TwoFactorType::WebauthnRegisterChallenge
        | TwoFactorType::WebauthnLoginChallenge
        | TwoFactorType::ProtectedActions => false,
    }
 }
 pub fn routes() -> Vec<Route> {
    let mut routes = routes![
        get_twofactor,
        get_recover,
        recover,
        disable_twofactor,
        disable_twofactor_put,
        get_device_verification_settings,
@@ -54,7 +92,13 @@ pub fn routes() -> Vec<Route> {
 #[get("/two-factor")]
 async fn get_twofactor(headers: Headers, conn: DbConn) -> Json<Value> {
    let twofactors = TwoFactor::find_by_user(&headers.user.uuid, &conn).await;
-    let twofactors_json: Vec<Value> = twofactors.iter().map(TwoFactor::to_json_provider).collect();
+    let twofactors_json: Vec<Value> = twofactors
        .iter()
        .filter_map(|tf| {
            let provider_type = TwoFactorType::from_i32(tf.atype)?;
            is_twofactor_provider_usable(provider_type, Some(&tf.data)).then(|| TwoFactor::to_json_provider(tf))
        })
        .collect();
    Json(json!({
        "data": twofactors_json,
@@ -76,54 +120,6 @@ async fn get_recover(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbCo
    })))
 }
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct RecoverTwoFactor {
    master_password_hash: String,
    email: String,
    recovery_code: String,
 }
 #[post("/two-factor/recover", data = "<data>")]
 async fn recover(data: Json<RecoverTwoFactor>, client_headers: ClientHeaders, conn: DbConn) -> JsonResult {
    let data: RecoverTwoFactor = data.into_inner();
    use crate::db::models::User;
    // Get the user
    let Some(mut user) = User::find_by_mail(&data.email, &conn).await else {
        err!("Username or password is incorrect. Try again.")
    };
    // Check password
    if !user.check_valid_password(&data.master_password_hash) {
        err!("Username or password is incorrect. Try again.")
    }
    // Check if recovery code is correct
    if !user.check_valid_recovery_code(&data.recovery_code) {
        err!("Recovery code is incorrect. Try again.")
    }
    // Remove all twofactors from the user
    TwoFactor::delete_all_by_user(&user.uuid, &conn).await?;
    enforce_2fa_policy(&user, &user.uuid, client_headers.device_type, &client_headers.ip.ip, &conn).await?;
    log_user_event(
        EventType::UserRecovered2fa as i32,
        &user.uuid,
        client_headers.device_type,
        &client_headers.ip.ip,
        &conn,
    )
    .await;
    // Remove the recovery code, not needed without twofactors
    user.totp_recover = None;
    user.save(&conn).await?;
    Ok(Json(Value::Object(serde_json::Map::new())))
 }
 async fn _generate_recover_code(user: &mut User, conn: &DbConn) {
    if user.totp_recover.is_none() {
        let totp_recover = crypto::encode_random_bytes::<20>(&BASE32);
@@ -108,8 +108,8 @@ impl WebauthnRegistration {
 #[post("/two-factor/get-webauthn", data = "<data>")]
 async fn get_webauthn(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbConn) -> JsonResult {
-    if !CONFIG.domain_set() {
+    if !CONFIG.is_webauthn_2fa_supported() {
-        err!("`DOMAIN` environment variable is not set. Webauthn disabled")
+        err!("Configured `DOMAIN` is not compatible with Webauthn")
    }
    let data: PasswordOrOtpData = data.into_inner();
@@ -144,7 +144,7 @@ async fn generate_webauthn_challenge(data: Json<PasswordOrOtpData>, headers: Hea
    let (mut challenge, state) = WEBAUTHN.start_passkey_registration(
        Uuid::from_str(&user.uuid).expect("Failed to parse UUID"), // Should never fail
        &user.email,
-        &user.name,
+        user.display_name(),
        Some(registrations),
    )?;
@@ -438,7 +438,7 @@ pub async fn validate_webauthn_login(user_id: &UserId, response: &str, conn: &Db
    // We need to check for and update the backup_eligible flag when needed.
    // Vaultwarden did not have knowledge of this flag prior to migrating to webauthn-rs v0.5.x
    // Because of this we check the flag at runtime and update the registrations and state when needed
-    check_and_update_backup_eligible(user_id, &rsp, &mut registrations, &mut state, conn).await?;
+    let backup_flags_updated = check_and_update_backup_eligible(&rsp, &mut registrations, &mut state)?;
    let authentication_result = WEBAUTHN.finish_passkey_authentication(&rsp, &state)?;
@@ -446,7 +446,8 @@ pub async fn validate_webauthn_login(user_id: &UserId, response: &str, conn: &Db
        if ct_eq(reg.credential.cred_id(), authentication_result.cred_id()) {
            // If the cred id matches and the credential is updated, Some(true) is returned
            // In those cases, update the record, else leave it alone
-            if reg.credential.update_credential(&authentication_result) == Some(true) {
+            let credential_updated = reg.credential.update_credential(&authentication_result) == Some(true);
            if credential_updated || backup_flags_updated {
                TwoFactor::new(user_id.clone(), TwoFactorType::Webauthn, serde_json::to_string(&registrations)?)
                    .save(conn)
                    .await?;
@@ -463,13 +464,11 @@ pub async fn validate_webauthn_login(user_id: &UserId, response: &str, conn: &Db
    )
 }
-async fn check_and_update_backup_eligible(
+fn check_and_update_backup_eligible(
    user_id: &UserId,
    rsp: &PublicKeyCredential,
    registrations: &mut Vec<WebauthnRegistration>,
    state: &mut PasskeyAuthentication,
-    conn: &DbConn,
+) -> Result<bool, Error> {
 ) -> EmptyResult {
    // The feature flags from the response
    // For details see: https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data
    const FLAG_BACKUP_ELIGIBLE: u8 = 0b0000_1000;
@@ -486,16 +485,7 @@ async fn check_and_update_backup_eligible(
            let rsp_id = rsp.raw_id.as_slice();
            for reg in &mut *registrations {
                if ct_eq(reg.credential.cred_id().as_slice(), rsp_id) {
                    // Try to update the key, and if needed also update the database, before the actual state check is done
                    if reg.set_backup_eligible(backup_eligible, backup_state) {
                        TwoFactor::new(
                            user_id.clone(),
                            TwoFactorType::Webauthn,
                            serde_json::to_string(&registrations)?,
                        )
                        .save(conn)
                        .await?;
                        // We also need to adjust the current state which holds the challenge used to start the authentication verification
                        // Because Vaultwarden supports multiple keys, we need to loop through the deserialized state and check which key to update
                        let mut raw_state = serde_json::to_value(&state)?;
@@ -517,11 +507,12 @@ async fn check_and_update_backup_eligible(
                        }
                        *state = serde_json::from_value(raw_state)?;
                        return Ok(true);
                    }
                    break;
                }
            }
        }
    }
-    Ok(())
+    Ok(false)
 }
@@ -82,19 +82,19 @@ static ICON_SIZE_REGEX: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"(?x)(\d+
 // It is used to prevent sending a specific header which breaks icon downloads.
 // If this function needs to be renamed, also adjust the code in `util.rs`
 #[get("/<domain>/icon.png")]
-fn icon_external(domain: &str) -> Option<Redirect> {
+fn icon_external(domain: &str) -> Cached<Option<Redirect>> {
    if !is_valid_domain(domain) {
        warn!("Invalid domain: {domain}");
-        return None;
+        return Cached::ttl(None, CONFIG.icon_cache_negttl(), true);
    }
    if should_block_address(domain) {
        warn!("Blocked address: {domain}");
-        return None;
+        return Cached::ttl(None, CONFIG.icon_cache_negttl(), true);
    }
    let url = CONFIG._icon_service_url().replace("{}", domain);
-    match CONFIG.icon_redirect_code() {
+    let redir = match CONFIG.icon_redirect_code() {
        301 => Some(Redirect::moved(url)), // legacy permanent redirect
        302 => Some(Redirect::found(url)), // legacy temporary redirect
        307 => Some(Redirect::temporary(url)),
@@ -103,7 +103,8 @@ fn icon_external(domain: &str) -> Option<Redirect> {
            error!("Unexpected redirect code {}", CONFIG.icon_redirect_code());
            None
        }
-    }
+    };
    Cached::ttl(redir, CONFIG.icon_cache_ttl(), true)
 }
 #[get("/<domain>/icon.png")]
@@ -141,7 +142,7 @@ async fn icon_internal(domain: &str) -> Cached<(ContentType, Vec<u8>)> {
 /// This does some manual checks and makes use of Url to do some basic checking.
 /// domains can't be larger then 63 characters (not counting multiple subdomains) according to the RFC's, but we limit the total size to 255.
 fn is_valid_domain(domain: &str) -> bool {
-    const ALLOWED_CHARS: &str = "_-.";
+    const ALLOWED_CHARS: &str = "-.";
    // If parsing the domain fails using Url, it will not work with reqwest.
    if let Err(parse_error) = url::Url::parse(format!("https://{domain}").as_str()) {
@@ -512,13 +513,11 @@ fn parse_sizes(sizes: &str) -> (u16, u16) {
    if !sizes.is_empty() {
        match ICON_SIZE_REGEX.captures(sizes.trim()) {
-            None => {}
+            Some(dimensions) if dimensions.len() >= 3 => {
-            Some(dimensions) => {
+                width = dimensions[1].parse::<u16>().unwrap_or_default();
-                if dimensions.len() >= 3 {
+                height = dimensions[2].parse::<u16>().unwrap_or_default();
                    width = dimensions[1].parse::<u16>().unwrap_or_default();
                    height = dimensions[2].parse::<u16>().unwrap_or_default();
                }
            }
            _ => {}
        }
    }
@@ -796,8 +795,11 @@ impl Emitter for FaviconEmitter {
    fn emit_current_tag(&mut self) -> Option<html5gum::State> {
        self.flush_current_attribute(true);
        self.last_start_tag.clear();
-        if self.current_token.is_some() && !self.current_token.as_ref().unwrap().closing {
+        match &self.current_token {
-            self.last_start_tag.extend(&*self.current_token.as_ref().unwrap().tag.name);
+            Some(token) if !token.closing => {
                self.last_start_tag.extend(&*token.tag.name);
            }
            _ => {}
        }
        html5gum::naive_next_state(&self.last_start_tag)
    }
@@ -1,4 +1,4 @@
-use chrono::{NaiveDateTime, Utc};
+use chrono::Utc;
 use num_traits::FromPrimitive;
 use rocket::{
    form::{Form, FromForm},
@@ -14,7 +14,10 @@ use crate::{
        core::{
            accounts::{PreloginData, RegisterData, _prelogin, _register, kdf_upgrade},
            log_user_event,
-            two_factor::{authenticator, duo, duo_oidc, email, enforce_2fa_policy, webauthn, yubikey},
+            two_factor::{
                authenticator, duo, duo_oidc, email, enforce_2fa_policy, is_twofactor_provider_usable, webauthn,
                yubikey,
            },
        },
        master_password_policy,
        push::register_push_device,
@@ -24,14 +27,14 @@ use crate::{
    auth::{generate_organization_api_key_login_claims, AuthMethod, ClientHeaders, ClientIp, ClientVersion},
    db::{
        models::{
-            AuthRequest, AuthRequestId, Device, DeviceId, EventType, Invitation, OrganizationApiKey, OrganizationId,
+            AuthRequest, AuthRequestId, Device, DeviceId, EventType, Invitation, OIDCCodeWrapper, OrganizationApiKey,
-            SsoNonce, SsoUser, TwoFactor, TwoFactorIncomplete, TwoFactorType, User, UserId,
+            OrganizationId, SsoAuth, SsoUser, TwoFactor, TwoFactorIncomplete, TwoFactorType, User, UserId,
        },
        DbConn,
    },
    error::MapResult,
    mail, sso,
-    sso::{OIDCCode, OIDCState},
+    sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
    util, CONFIG,
 };
@@ -92,6 +95,7 @@ async fn login(
        "authorization_code" if CONFIG.sso_enabled() => {
            _check_is_some(&data.client_id, "client_id cannot be blank")?;
            _check_is_some(&data.code, "code cannot be blank")?;
            _check_is_some(&data.code_verifier, "code verifier cannot be blank")?;
            _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?;
            _check_is_some(&data.device_name, "device_name cannot be blank")?;
@@ -147,7 +151,7 @@ async fn _refresh_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> Json
        }
        Ok((mut device, auth_tokens)) => {
            // Save to update `device.updated_at` to track usage and toggle new status
-            device.save(conn).await?;
+            device.save(true, conn).await?;
            let result = json!({
                "refresh_token": auth_tokens.refresh_token(),
@@ -175,17 +179,23 @@ async fn _sso_login(
    // Ratelimit the login
    crate::ratelimit::check_limit_login(&ip.ip)?;
-    let code = match data.code.as_ref() {
+    let (state, code_verifier) = match (data.code.as_ref(), data.code_verifier.as_ref()) {
-        None => err!(
+        (None, _) => err!(
            "Got no code in OIDC data",
            ErrorEvent {
                event: EventType::UserFailedLogIn
            }
        ),
-        Some(code) => code,
+        (_, None) => err!(
            "Got no code verifier in OIDC data",
            ErrorEvent {
                event: EventType::UserFailedLogIn
            }
        ),
        (Some(code), Some(code_verifier)) => (code, code_verifier.clone()),
    };
-    let user_infos = sso::exchange_code(code, conn).await?;
+    let (sso_auth, user_infos) = sso::exchange_code(state, code_verifier, conn).await?;
    let user_with_sso = match SsoUser::find_by_identifier(&user_infos.identifier, conn).await {
        None => match SsoUser::find_by_mail(&user_infos.email, conn).await {
            None => None,
@@ -248,7 +258,7 @@ async fn _sso_login(
                _ => (),
            }
-            let mut user = User::new(&user_infos.email, user_infos.user_name);
+            let mut user = User::new(&user_infos.email, user_infos.user_name.clone());
            user.verified_at = Some(now);
            user.save(conn).await?;
@@ -259,7 +269,7 @@ async fn _sso_login(
        Some((user, _)) if !user.enabled => {
            err!(
                "This user has been disabled",
-                format!("IP: {}. Username: {}.", ip.ip, user.name),
+                format!("IP: {}. Username: {}.", ip.ip, user.display_name()),
                ErrorEvent {
                    event: EventType::UserFailedLogIn
                }
@@ -267,13 +277,14 @@ async fn _sso_login(
        }
        Some((mut user, sso_user)) => {
            let mut device = get_device(&data, conn, &user).await?;
            let twofactor_token = twofactor_auth(&mut user, &data, &mut device, ip, client_version, conn).await?;
            if user.private_key.is_none() {
                // User was invited a stub was created
                user.verified_at = Some(now);
-                if let Some(user_name) = user_infos.user_name {
+                if let Some(ref user_name) = user_infos.user_name {
-                    user.name = user_name;
+                    user.name = user_name.clone();
                }
                user.save(conn).await?;
@@ -290,30 +301,13 @@ async fn _sso_login(
        }
    };
    // We passed 2FA get full user information
    let auth_user = sso::redeem(&user_infos.state, conn).await?;
    if sso_user.is_none() {
        let user_sso = SsoUser {
            user_uuid: user.uuid.clone(),
            identifier: user_infos.identifier,
        };
        user_sso.save(conn).await?;
    }
    // Set the user_uuid here to be passed back used for event logging.
    *user_id = Some(user.uuid.clone());
-    let auth_tokens = sso::create_auth_tokens(
+    // We passed 2FA get auth tokens
-        &device,
+    let auth_tokens = sso::redeem(&device, &user, data.client_id, sso_user, sso_auth, user_infos, conn).await?;
        &user,
        data.client_id,
        auth_user.refresh_token,
        auth_user.access_token,
        auth_user.expires_in,
    )?;
-    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, &now, conn, ip).await
+    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, conn, ip).await
 }
 async fn _password_login(
@@ -435,7 +429,7 @@ async fn _password_login(
    let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id);
-    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, &now, conn, ip).await
+    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, conn, ip).await
 }
 async fn authenticated_response(
@@ -443,12 +437,12 @@ async fn authenticated_response(
    device: &mut Device,
    auth_tokens: auth::AuthTokens,
    twofactor_token: Option<String>,
    now: &NaiveDateTime,
    conn: &DbConn,
    ip: &ClientIp,
 ) -> JsonResult {
    if CONFIG.mail_enabled() && device.is_new() {
-        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), now, device).await {
+        let now = Utc::now().naive_utc();
        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, device).await {
            error!("Error sending new device email: {e:#?}");
            if CONFIG.require_device_email() {
@@ -468,10 +462,42 @@ async fn authenticated_response(
    }
    // Save to update `device.updated_at` to track usage and toggle new status
-    device.save(conn).await?;
+    device.save(true, conn).await?;
    let master_password_policy = master_password_policy(user, conn).await;
    let has_master_password = !user.password_hash.is_empty();
    let master_password_unlock = if has_master_password {
        json!({
            "Kdf": {
                "KdfType": user.client_kdf_type,
                "Iterations": user.client_kdf_iter,
                "Memory": user.client_kdf_memory,
                "Parallelism": user.client_kdf_parallelism
            },
            // This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
            // https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
            "MasterKeyEncryptedUserKey": user.akey,
            "MasterKeyWrappedUserKey": user.akey,
            "Salt": user.email
        })
    } else {
        Value::Null
    };
    let account_keys = if user.private_key.is_some() {
        json!({
            "publicKeyEncryptionKeyPair": {
                "wrappedPrivateKey": user.private_key,
                "publicKey": user.public_key,
                "Object": "publicKeyEncryptionKeyPair"
            },
            "Object": "privateKeys"
        })
    } else {
        Value::Null
    };
    let mut result = json!({
        "access_token": auth_tokens.access_token(),
        "expires_in": auth_tokens.expires_in(),
@@ -486,8 +512,10 @@ async fn authenticated_response(
        "ForcePasswordReset": false,
        "MasterPasswordPolicy": master_password_policy,
        "scope": auth_tokens.scope(),
        "AccountKeys": account_keys,
        "UserDecryptionOptions": {
-            "HasMasterPassword": !user.password_hash.is_empty(),
+            "HasMasterPassword": has_master_password,
            "MasterPasswordUnlock": master_password_unlock,
            "Object": "userDecryptionOptions"
        },
    });
@@ -500,7 +528,7 @@ async fn authenticated_response(
        result["TwoFactorToken"] = Value::String(token);
    }
-    info!("User {} logged in successfully. IP: {}", &user.name, ip.ip);
+    info!("User {} logged in successfully. IP: {}", user.display_name(), ip.ip);
    Ok(Json(result))
 }
@@ -585,10 +613,42 @@ async fn _user_api_key_login(
    let access_claims = auth::LoginJwtClaims::default(&device, &user, &AuthMethod::UserApiKey, data.client_id);
    // Save to update `device.updated_at` to track usage and toggle new status
-    device.save(conn).await?;
+    device.save(true, conn).await?;
    info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);
    let has_master_password = !user.password_hash.is_empty();
    let master_password_unlock = if has_master_password {
        json!({
            "Kdf": {
                "KdfType": user.client_kdf_type,
                "Iterations": user.client_kdf_iter,
                "Memory": user.client_kdf_memory,
                "Parallelism": user.client_kdf_parallelism
            },
            // This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
            // https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
            "MasterKeyEncryptedUserKey": user.akey,
            "MasterKeyWrappedUserKey": user.akey,
            "Salt": user.email
        })
    } else {
        Value::Null
    };
    let account_keys = if user.private_key.is_some() {
        json!({
            "publicKeyEncryptionKeyPair": {
                "wrappedPrivateKey": user.private_key,
                "publicKey": user.public_key,
                "Object": "publicKeyEncryptionKeyPair"
            },
            "Object": "privateKeys"
        })
    } else {
        Value::Null
    };
    // Note: No refresh_token is returned. The CLI just repeats the
    // client_credentials login flow when the existing token expires.
    let result = json!({
@@ -603,7 +663,14 @@ async fn _user_api_key_login(
        "KdfMemory": user.client_kdf_memory,
        "KdfParallelism": user.client_kdf_parallelism,
        "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
        "ForcePasswordReset": false,
        "scope": AuthMethod::UserApiKey.scope(),
        "AccountKeys": account_keys,
        "UserDecryptionOptions": {
            "HasMasterPassword": has_master_password,
            "MasterPasswordUnlock": master_password_unlock,
            "Object": "userDecryptionOptions"
        },
    });
    Ok(Json(result))
@@ -648,7 +715,12 @@ async fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> ApiResult
    // Find device or create new
    match Device::find_by_uuid_and_user(&device_id, &user.uuid, conn).await {
        Some(device) => Ok(device),
-        None => Device::new(device_id, user.uuid.clone(), device_name, device_type, conn).await,
+        None => {
            let mut device = Device::new(device_id, user.uuid.clone(), device_name, device_type);
            // save device without updating `device.updated_at`
            device.save(false, conn).await?;
            Ok(device)
        }
    }
 }
@@ -670,8 +742,24 @@ async fn twofactor_auth(
    TwoFactorIncomplete::mark_incomplete(&user.uuid, &device.uuid, &device.name, device.atype, ip, conn).await?;
-    let twofactor_ids: Vec<_> = twofactors.iter().map(|tf| tf.atype).collect();
+    let twofactor_ids: Vec<_> = twofactors
        .iter()
        .filter_map(|tf| {
            let provider_type = TwoFactorType::from_i32(tf.atype)?;
            (tf.enabled && is_twofactor_provider_usable(provider_type, Some(&tf.data))).then_some(tf.atype)
        })
        .collect();
    if twofactor_ids.is_empty() {
        err!("No enabled and usable two factor providers are available for this account")
    }
    let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, assume the first one
    if !twofactor_ids.contains(&selected_id) {
        err_json!(
            _json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
            "Invalid two factor provider"
        )
    }
    let twofactor_code = match data.two_factor_token {
        Some(ref code) => code,
@@ -688,7 +776,6 @@ async fn twofactor_auth(
    use crate::crypto::ct_eq;
    let selected_data = _selected_data(selected_twofactor);
    let mut remember = data.two_factor_remember.unwrap_or(0);
    match TwoFactorType::from_i32(selected_id) {
        Some(TwoFactorType::Authenticator) => {
@@ -720,13 +807,23 @@ async fn twofactor_auth(
        }
        Some(TwoFactorType::Remember) => {
            match device.twofactor_remember {
-                Some(ref code) if !CONFIG.disable_2fa_remember() && ct_eq(code, twofactor_code) => {
+                // When a 2FA Remember token is used, check and validate this JWT token, if it is valid, just continue
-                    remember = 1; // Make sure we also return the token here, otherwise it will only remember the first time
+                // If it is invalid we need to trigger the 2FA Login prompt
-                }
+                Some(ref token)
                    if !CONFIG.disable_2fa_remember()
                        && (ct_eq(token, twofactor_code)
                            && auth::decode_2fa_remember(twofactor_code)
                                .is_ok_and(|t| t.sub == device.uuid && t.user_uuid == user.uuid)) => {}
                _ => {
                    // Always delete the current twofactor remember token here if it exists
                    if device.twofactor_remember.is_some() {
                        device.delete_twofactor_remember();
                        // We need to save here, since we send a err_json!() which prevents saving `device` at a later stage
                        device.save(true, conn).await?;
                    }
                    err_json!(
                        _json_err_twofactor(&twofactor_ids, &user.uuid, data, client_version, conn).await?,
-                        "2FA Remember token not provided"
+                        "2FA Remember token not provided or expired"
                    )
                }
            }
@@ -757,10 +854,10 @@ async fn twofactor_auth(
    TwoFactorIncomplete::mark_complete(&user.uuid, &device.uuid, conn).await?;
    let remember = data.two_factor_remember.unwrap_or(0);
    let two_factor = if !CONFIG.disable_2fa_remember() && remember == 1 {
        Some(device.refresh_twofactor_remember())
    } else {
        device.delete_twofactor_remember();
        None
    };
    Ok(two_factor)
@@ -793,7 +890,7 @@ async fn _json_err_twofactor(
        match TwoFactorType::from_i32(*provider) {
            Some(TwoFactorType::Authenticator) => { /* Nothing to do for TOTP */ }
-            Some(TwoFactorType::Webauthn) if CONFIG.domain_set() => {
+            Some(TwoFactorType::Webauthn) if CONFIG.is_webauthn_2fa_supported() => {
                let request = webauthn::generate_webauthn_login(user_id, conn).await?;
                result["TwoFactorProviders2"][provider.to_string()] = request.0;
            }
@@ -893,6 +990,7 @@ struct RegisterVerificationData {
 #[derive(rocket::Responder)]
 enum RegisterVerificationResponse {
    #[response(status = 204)]
    NoContent(()),
    Token(Json<String>),
 }
@@ -920,12 +1018,11 @@ async fn register_verification_email(
        let user = User::find_by_mail(&data.email, &conn).await;
        if user.filter(|u| u.private_key.is_some()).is_some() {
            // There is still a timing side channel here in that the code
-            // paths that send mail take noticeably longer than ones that
+            // paths that send mail take noticeably longer than ones that don't.
-            // don't. Add a randomized sleep to mitigate this somewhat.
+            // Add a randomized sleep to mitigate this somewhat.
-            use rand::{rngs::SmallRng, Rng, SeedableRng};
+            use rand::{rngs::SmallRng, RngExt};
-            let mut rng = SmallRng::from_os_rng();
+            let mut rng: SmallRng = rand::make_rng();
-            let delta: i32 = 100;
+            let sleep_ms = rng.random_range(900..=1100) as u64;
            let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
            tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
        } else {
            mail::send_register_verify_email(&data.email, &token).await?;
@@ -997,9 +1094,12 @@ struct ConnectData {
    two_factor_remember: Option<i32>,
    #[field(name = uncased("authrequest"))]
    auth_request: Option<AuthRequestId>,
    // Needed for authorization code
    #[field(name = uncased("code"))]
-    code: Option<String>,
+    code: Option<OIDCState>,
    #[field(name = uncased("code_verifier"))]
    code_verifier: Option<OIDCCodeVerifier>,
 }
 fn _check_is_some<T>(value: &Option<T>, msg: &str) -> EmptyResult {
    if value.is_none() {
@@ -1021,14 +1121,13 @@ fn prevalidate() -> JsonResult {
 }
 #[get("/connect/oidc-signin?<code>&<state>", rank = 1)]
-async fn oidcsignin(code: OIDCCode, state: String, conn: DbConn) -> ApiResult<Redirect> {
+async fn oidcsignin(code: OIDCCode, state: String, mut conn: DbConn) -> ApiResult<Redirect> {
-    oidcsignin_redirect(
+    _oidcsignin_redirect(
        state,
-        |decoded_state| sso::OIDCCodeWrapper::Ok {
+        OIDCCodeWrapper::Ok {
            state: decoded_state,
            code,
        },
-        &conn,
+        &mut conn,
    )
    .await
 }
@@ -1040,42 +1139,44 @@ async fn oidcsignin_error(
    state: String,
    error: String,
    error_description: Option<String>,
-    conn: DbConn,
+    mut conn: DbConn,
 ) -> ApiResult<Redirect> {
-    oidcsignin_redirect(
+    _oidcsignin_redirect(
        state,
-        |decoded_state| sso::OIDCCodeWrapper::Error {
+        OIDCCodeWrapper::Error {
            state: decoded_state,
            error,
            error_description,
        },
-        &conn,
+        &mut conn,
    )
    .await
 }
 // The state was encoded using Base64 to ensure no issue with providers.
 // iss and scope parameters are needed for redirection to work on IOS.
-async fn oidcsignin_redirect(
+// We pass the state as the code to get it back later on.
 async fn _oidcsignin_redirect(
    base64_state: String,
-    wrapper: impl FnOnce(OIDCState) -> sso::OIDCCodeWrapper,
+    code_response: OIDCCodeWrapper,
-    conn: &DbConn,
+    conn: &mut DbConn,
 ) -> ApiResult<Redirect> {
    let state = sso::decode_state(&base64_state)?;
    let code = sso::encode_code_claims(wrapper(state.clone()));
-    let nonce = match SsoNonce::find(&state, conn).await {
+    let mut sso_auth = match SsoAuth::find(&state, conn).await {
-        Some(n) => n,
+        None => err!(format!("Cannot retrieve sso_auth for {state}")),
-        None => err!(format!("Failed to retrieve redirect_uri with {state}")),
+        Some(sso_auth) => sso_auth,
    };
    sso_auth.code_response = Some(code_response);
    sso_auth.updated_at = Utc::now().naive_utc();
    sso_auth.save(conn).await?;
-    let mut url = match url::Url::parse(&nonce.redirect_uri) {
+    let mut url = match url::Url::parse(&sso_auth.redirect_uri) {
        Ok(url) => url,
-        Err(err) => err!(format!("Failed to parse redirect uri ({}): {err}", nonce.redirect_uri)),
+        Err(err) => err!(format!("Failed to parse redirect uri ({}): {err}", sso_auth.redirect_uri)),
    };
    url.query_pairs_mut()
-        .append_pair("code", &code)
+        .append_pair("code", &state)
        .append_pair("state", &state)
        .append_pair("scope", &AuthMethod::Sso.scope())
        .append_pair("iss", &CONFIG.domain());
@@ -1098,10 +1199,8 @@ struct AuthorizeData {
    #[allow(unused)]
    scope: Option<String>,
    state: OIDCState,
-    #[allow(unused)]
+    code_challenge: OIDCCodeChallenge,
-    code_challenge: Option<String>,
+    code_challenge_method: String,
    #[allow(unused)]
    code_challenge_method: Option<String>,
    #[allow(unused)]
    response_mode: Option<String>,
    #[allow(unused)]
@@ -1118,10 +1217,16 @@ async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult<Redirect> {
        client_id,
        redirect_uri,
        state,
        code_challenge,
        code_challenge_method,
        ..
    } = data;
-    let auth_url = sso::authorize_url(state, &client_id, &redirect_uri, conn).await?;
+    if code_challenge_method != "S256" {
        err!("Unsupported code challenge method");
    }
    let auth_url = sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, conn).await?;
    Ok(Redirect::temporary(String::from(auth_url)))
 }
@@ -47,6 +47,7 @@ pub type EmptyResult = ApiResult<()>;
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct PasswordOrOtpData {
    #[serde(alias = "MasterPasswordHash")]
    master_password_hash: Option<String>,
    otp: Option<String>,
 }
@@ -358,15 +358,16 @@ impl WebSocketUsers {
        }
    }
-    pub async fn send_logout(&self, user: &User, acting_device_id: Option<DeviceId>, conn: &DbConn) {
+    pub async fn send_logout(&self, user: &User, acting_device: Option<&Device>, conn: &DbConn) {
        // Skip any processing if both WebSockets and Push are not active
        if *NOTIFICATIONS_DISABLED {
            return;
        }
        let acting_device_id = acting_device.map(|d| d.uuid.clone());
        let data = create_update(
            vec![("UserId".into(), user.uuid.to_string().into()), ("Date".into(), serialize_date(user.updated_at))],
            UpdateType::LogOut,
-            acting_device_id.clone(),
+            acting_device_id,
        );
        if CONFIG.enable_websocket() {
@@ -374,7 +375,7 @@ impl WebSocketUsers {
        }
        if CONFIG.push_enabled() {
-            push_logout(user, acting_device_id.clone(), conn).await;
+            push_logout(user, acting_device, conn).await;
        }
    }
@@ -13,7 +13,7 @@ use tokio::sync::RwLock;
 use crate::{
    api::{ApiResult, EmptyResult, UpdateType},
    db::{
-        models::{AuthRequestId, Cipher, Device, DeviceId, Folder, PushId, Send, User, UserId},
+        models::{AuthRequestId, Cipher, Device, Folder, PushId, Send, User, UserId},
        DbConn,
    },
    http_client::make_http_request,
@@ -128,7 +128,7 @@ pub async fn register_push_device(device: &mut Device, conn: &DbConn) -> EmptyRe
        err!(format!("An error occurred while proceeding registration of a device: {e}"));
    }
-    if let Err(e) = device.save(conn).await {
+    if let Err(e) = device.save(true, conn).await {
        err!(format!("An error occurred while trying to save the (registered) device push uuid: {e}"));
    }
@@ -188,15 +188,13 @@ pub async fn push_cipher_update(ut: UpdateType, cipher: &Cipher, device: &Device
    }
 }
-pub async fn push_logout(user: &User, acting_device_id: Option<DeviceId>, conn: &DbConn) {
+pub async fn push_logout(user: &User, acting_device: Option<&Device>, conn: &DbConn) {
    let acting_device_id: Value = acting_device_id.map(|v| v.to_string().into()).unwrap_or_else(|| Value::Null);
    if Device::check_user_has_push_device(&user.uuid, conn).await {
        tokio::task::spawn(send_to_push_relay(json!({
            "userId": user.uuid,
            "organizationId": (),
-            "deviceId": acting_device_id,
+            "deviceId": acting_device.and_then(|d| d.push_uuid.as_ref()),
-            "identifier": acting_device_id,
+            "identifier": acting_device.map(|d| &d.uuid),
            "type": UpdateType::LogOut as i32,
            "payload": {
                "userId": user.uuid,
@@ -60,11 +60,13 @@ fn vaultwarden_css() -> Cached<Css<String>> {
        "mail_2fa_enabled": CONFIG._enable_email_2fa(),
        "mail_enabled": CONFIG.mail_enabled(),
        "sends_allowed": CONFIG.sends_allowed(),
        "remember_2fa_disabled": CONFIG.disable_2fa_remember(),
        "password_hints_allowed": CONFIG.password_hints_allowed(),
        "signup_disabled": CONFIG.is_signup_disabled(),
        "sso_enabled": CONFIG.sso_enabled(),
        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
        "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(),
        "webauthn_2fa_supported": CONFIG.is_webauthn_2fa_supported(),
        "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(),
    });
    let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {
@@ -238,8 +240,8 @@ pub fn static_files(filename: &str) -> Result<(ContentType, &'static [u8]), Erro
        "jdenticon-3.3.0.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jdenticon-3.3.0.js"))),
        "datatables.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/datatables.js"))),
        "datatables.css" => Ok((ContentType::CSS, include_bytes!("../static/scripts/datatables.css"))),
-        "jquery-3.7.1.slim.js" => {
+        "jquery-4.0.0.slim.js" => {
-            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-3.7.1.slim.js")))
+            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-4.0.0.slim.js")))
        }
        _ => err!(format!("Static file not found: {filename}")),
    }
@@ -46,6 +46,7 @@ static JWT_FILE_DOWNLOAD_ISSUER: LazyLock<String> =
    LazyLock::new(|| format!("{}|file_download", CONFIG.domain_origin()));
 static JWT_REGISTER_VERIFY_ISSUER: LazyLock<String> =
    LazyLock::new(|| format!("{}|register_verify", CONFIG.domain_origin()));
 static JWT_2FA_REMEMBER_ISSUER: LazyLock<String> = LazyLock::new(|| format!("{}|2faremember", CONFIG.domain_origin()));
 static PRIVATE_RSA_KEY: OnceLock<EncodingKey> = OnceLock::new();
 static PUBLIC_RSA_KEY: OnceLock<DecodingKey> = OnceLock::new();
@@ -160,6 +161,10 @@ pub fn decode_register_verify(token: &str) -> Result<RegisterVerifyClaims, Error
    decode_jwt(token, JWT_REGISTER_VERIFY_ISSUER.to_string())
 }
 pub fn decode_2fa_remember(token: &str) -> Result<TwoFactorRememberClaims, Error> {
    decode_jwt(token, JWT_2FA_REMEMBER_ISSUER.to_string())
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct LoginJwtClaims {
    // Not before
@@ -440,6 +445,31 @@ pub fn generate_register_verify_claims(email: String, name: Option<String>, veri
    }
 }
 #[derive(Serialize, Deserialize)]
 pub struct TwoFactorRememberClaims {
    // Not before
    pub nbf: i64,
    // Expiration time
    pub exp: i64,
    // Issuer
    pub iss: String,
    // Subject
    pub sub: DeviceId,
    // UserId
    pub user_uuid: UserId,
 }
 pub fn generate_2fa_remember_claims(device_uuid: DeviceId, user_uuid: UserId) -> TwoFactorRememberClaims {
    let time_now = Utc::now();
    TwoFactorRememberClaims {
        nbf: time_now.timestamp(),
        exp: (time_now + TimeDelta::try_days(30).unwrap()).timestamp(),
        iss: JWT_2FA_REMEMBER_ISSUER.to_string(),
        sub: device_uuid,
        user_uuid,
    }
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct BasicJwtClaims {
    // Not before
@@ -674,10 +704,9 @@ pub struct OrgHeaders {
 impl OrgHeaders {
    fn is_member(&self) -> bool {
-        // NOTE: we don't care about MembershipStatus at the moment because this is only used
+        // Only allow not revoked members, we can not use the Confirmed status here
-        // where an invited, accepted or confirmed user is expected if this ever changes or
+        // as some endpoints can be triggered by invited users during joining
-        // if from_i32 is changed to return Some(Revoked) this check needs to be changed accordingly
+        self.membership_status != MembershipStatus::Revoked && self.membership_type >= MembershipType::User
        self.membership_type >= MembershipType::User
    }
    fn is_confirmed_and_admin(&self) -> bool {
        self.membership_status == MembershipStatus::Confirmed && self.membership_type >= MembershipType::Admin
@@ -690,6 +719,36 @@ impl OrgHeaders {
    }
 }
 // org_id is usually the second path param ("/organizations/<org_id>"),
 // but there are cases where it is a query value.
 // First check the path, if this is not a valid uuid, try the query values.
 fn get_org_id(request: &Request<'_>) -> Option<OrganizationId> {
    if let Some(Ok(org_id)) = request.param::<OrganizationId>(1) {
        Some(org_id)
    } else if let Some(Ok(org_id)) = request.query_value::<OrganizationId>("organizationId") {
        Some(org_id)
    } else {
        None
    }
 }
 // Special Guard to ensure that there is an organization id present
 // If there is no org id trigger the Outcome::Forward.
 // This is useful for endpoints which work for both organization and personal vaults, like purge.
 pub struct OrgIdGuard;
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for OrgIdGuard {
    type Error = &'static str;
    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        match get_org_id(request) {
            Some(_) => Outcome::Success(OrgIdGuard),
            None => Outcome::Forward(rocket::http::Status::NotFound),
        }
    }
 }
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for OrgHeaders {
    type Error = &'static str;
@@ -697,18 +756,8 @@ impl<'r> FromRequest<'r> for OrgHeaders {
    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(Headers::from_request(request).await);
-        // org_id is usually the second path param ("/organizations/<org_id>"),
+        // Extract the org_id from the request
-        // but there are cases where it is a query value.
+        let url_org_id = get_org_id(request);
        // First check the path, if this is not a valid uuid, try the query values.
        let url_org_id: Option<OrganizationId> = {
            if let Some(Ok(org_id)) = request.param::<OrganizationId>(1) {
                Some(org_id)
            } else if let Some(Ok(org_id)) = request.query_value::<OrganizationId>("organizationId") {
                Some(org_id)
            } else {
                None
            }
        };
        match url_org_id {
            Some(org_id) if uuid::Uuid::parse_str(&org_id).is_ok() => {
@@ -826,7 +875,7 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
                        _ => err_handler!("Error getting DB"),
                    };
-                    if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await {
+                    if !Collection::is_coll_manageable_by_user(&col_id, &headers.membership.user_uuid, &conn).await {
                        err_handler!("The current user isn't a manager for this collection")
                    }
                }
@@ -908,8 +957,8 @@ impl ManagerHeaders {
            if uuid::Uuid::parse_str(col_id.as_ref()).is_err() {
                err!("Collection Id is malformed!");
            }
-            if !Collection::can_access_collection(&h.membership, col_id, conn).await {
+            if !Collection::is_coll_manageable_by_user(col_id, &h.membership.user_uuid, conn).await {
-                err!("You don't have access to all collections!");
+                err!("Collection not found", "The current user isn't a manager for this collection")
            }
        }
@@ -1210,8 +1259,20 @@ pub async fn refresh_tokens(
 ) -> ApiResult<(Device, AuthTokens)> {
    let refresh_claims = match decode_refresh(refresh_token) {
        Err(err) => {
-            debug!("Failed to decode {} refresh_token: {refresh_token}", ip.ip);
+            error!("Failed to decode {} refresh_token: {refresh_token}: {err:?}", ip.ip);
-            err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
+            //err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
            // If the token failed to decode, it was probably one of the old style tokens that was just a Base64 string.
            // We can generate a claim for them for backwards compatibility. Note that the password refresh claims don't
            // check expiration or issuer, so they're not included here.
            RefreshJwtClaims {
                nbf: 0,
                exp: 0,
                iss: String::new(),
                sub: AuthMethod::Password,
                device_token: refresh_token.into(),
                token: None,
            }
        }
        Ok(claims) => claims,
    };
@@ -1223,7 +1284,7 @@ pub async fn refresh_tokens(
    };
    // Save to update `updated_at`.
-    device.save(conn).await?;
+    device.save(true, conn).await?;
    let user = match User::find_by_uuid(&device.user_uuid, conn).await {
        None => err!("Impossible to find user"),
@@ -14,7 +14,10 @@ use serde::de::{self, Deserialize, Deserializer, MapAccess, Visitor};
 use crate::{
    error::Error,
-    util::{get_env, get_env_bool, get_web_vault_version, is_valid_email, parse_experimental_client_feature_flags},
+    util::{
        get_active_web_release, get_env, get_env_bool, is_valid_email, parse_experimental_client_feature_flags,
        FeatureFlagFilter,
    },
 };
 static CONFIG_FILE: LazyLock<String> = LazyLock::new(|| {
@@ -564,9 +567,9 @@ make_config! {
        /// Duo Auth context cleanup schedule |> Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
        /// Defaults to once every minute. Set blank to disable this job.
        duo_context_purge_schedule:   String, false,  def,    "30 * * * * *".to_string();
-        /// Purge incomplete SSO nonce. |> Cron schedule of the job that cleans leftover nonce in db due to incomplete SSO login.
+        /// Purge incomplete SSO auth. |> Cron schedule of the job that cleans leftover auth in db due to incomplete SSO login.
        /// Defaults to daily. Set blank to disable this job.
-        purge_incomplete_sso_nonce: String, false,  def,   "0 20 0 * * *".to_string();
+        purge_incomplete_sso_auth: String, false,  def,   "0 20 0 * * *".to_string();
    },
    /// General settings
@@ -789,6 +792,10 @@ make_config! {
        /// Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
        /// Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
        enforce_single_org_with_reset_pw_policy: bool, false, def, false;
        /// Prefer IPv6 (AAAA) resolving |> This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
        /// This could be useful in IPv6 only environments.
        dns_prefer_ipv6: bool, true, def, false;
    },
    /// OpenID Connect SSO settings
@@ -916,7 +923,7 @@ make_config! {
    },
 }
-fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
+fn validate_config(cfg: &ConfigItems, on_update: bool) -> Result<(), Error> {
    // Validate connection URL is valid and DB feature is enabled
    #[cfg(sqlite)]
    {
@@ -1022,32 +1029,17 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        }
    }
-    // Server (v2025.6.2): https://github.com/bitwarden/server/blob/d094be3267f2030bd0dc62106bc6871cf82682f5/src/Core/Constants.cs#L103
+    let invalid_flags =
-    // Client (web-v2025.6.1): https://github.com/bitwarden/clients/blob/747c2fd6a1c348a57a76e4a7de8128466ffd3c01/libs/common/src/enums/feature-flag.enum.ts#L12
+        parse_experimental_client_feature_flags(&cfg.experimental_client_feature_flags, FeatureFlagFilter::InvalidOnly);
    // Android (v2025.6.0): https://github.com/bitwarden/android/blob/b5b022caaad33390c31b3021b2c1205925b0e1a2/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L22
    // iOS (v2025.6.0): https://github.com/bitwarden/ios/blob/ff06d9c6cc8da89f78f37f376495800201d7261a/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
    //
    // NOTE: Move deprecated flags to the utils::parse_experimental_client_feature_flags() DEPRECATED_FLAGS const!
    const KNOWN_FLAGS: &[&str] = &[
        // Autofill Team
        "inline-menu-positioning-improvements",
        "inline-menu-totp",
        "ssh-agent",
        // Key Management Team
        "ssh-key-vault-item",
        // Tools
        "export-attachments",
        // Mobile Team
        "anon-addy-self-host-alias",
        "simple-login-self-host-alias",
        "mutual-tls",
    ];
    let configured_flags = parse_experimental_client_feature_flags(&cfg.experimental_client_feature_flags);
    let invalid_flags: Vec<_> = configured_flags.keys().filter(|flag| !KNOWN_FLAGS.contains(&flag.as_str())).collect();
    if !invalid_flags.is_empty() {
-        err!(format!("Unrecognized experimental client feature flags: {invalid_flags:?}.\n\n\
+        let feature_flags_error = format!("Unrecognized experimental client feature flags: {:?}.\n\
                     Please ensure all feature flags are spelled correctly and that they are supported in this version.\n\
-                     Supported flags: {KNOWN_FLAGS:?}"));
+                     Supported flags: {:?}\n", invalid_flags, SUPPORTED_FEATURE_FLAGS);
        if on_update {
            err!(feature_flags_error);
        } else {
            println!("[WARNING] {feature_flags_error}");
        }
    }
    const MAX_FILESIZE_KB: i64 = i64::MAX >> 10;
@@ -1320,12 +1312,16 @@ fn generate_smtp_img_src(embed_images: bool, domain: &str) -> String {
    if embed_images {
        "cid:".to_string()
    } else {
-        format!("{domain}/vw_static/")
+        // normalize base_url
        let base_url = domain.trim_end_matches('/');
        format!("{base_url}/vw_static/")
    }
 }
 fn generate_sso_callback_path(domain: &str) -> String {
-    format!("{domain}/identity/connect/oidc-signin")
+    // normalize base_url
    let base_url = domain.trim_end_matches('/');
    format!("{base_url}/identity/connect/oidc-signin")
 }
 /// Generate the correct URL for the icon service.
@@ -1462,6 +1458,35 @@ pub enum PathType {
    RsaKey,
 }
 // Official available feature flags can be found here:
 // Server (v2026.2.1): https://github.com/bitwarden/server/blob/0e42725d0837bd1c0dabd864ff621a579959744b/src/Core/Constants.cs#L135
 // Client (v2026.2.1): https://github.com/bitwarden/clients/blob/f96380c3138291a028bdd2c7a5fee540d5c98ba5/libs/common/src/enums/feature-flag.enum.ts#L12
 // Android (v2026.2.1): https://github.com/bitwarden/android/blob/6902c19c0093fa476bbf74ccaa70c9f14afbb82f/core/src/main/kotlin/com/bitwarden/core/data/manager/model/FlagKey.kt#L31
 // iOS (v2026.2.1): https://github.com/bitwarden/ios/blob/cdd9ba1770ca2ffc098d02d12cc3208e3a830454/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
 pub const SUPPORTED_FEATURE_FLAGS: &[&str] = &[
    // Architecture
    "desktop-ui-migration-milestone-1",
    "desktop-ui-migration-milestone-2",
    "desktop-ui-migration-milestone-3",
    "desktop-ui-migration-milestone-4",
    // Auth Team
    "pm-5594-safari-account-switching",
    // Autofill Team
    "ssh-agent",
    "ssh-agent-v2",
    // Key Management Team
    "ssh-key-vault-item",
    "pm-25373-windows-biometrics-v2",
    // Mobile Team
    "anon-addy-self-host-alias",
    "simple-login-self-host-alias",
    "mutual-tls",
    "cxp-import-mobile",
    "cxp-export-mobile",
    // Platform Team
    "pm-30529-webauthn-related-origins",
 ];
 impl Config {
    pub async fn load() -> Result<Self, Error> {
        // Loading from env and file
@@ -1475,7 +1500,7 @@ impl Config {
        // Fill any missing with defaults
        let config = builder.build();
        if !SKIP_CONFIG_VALIDATION.load(Ordering::Relaxed) {
-            validate_config(&config)?;
+            validate_config(&config, false)?;
        }
        Ok(Config {
@@ -1511,7 +1536,7 @@ impl Config {
            let env = &self.inner.read().unwrap()._env;
            env.merge(&builder, false, &mut overrides).build()
        };
-        validate_config(&config)?;
+        validate_config(&config, true)?;
        // Save both the user and the combined config
        {
@@ -1840,7 +1865,7 @@ fn to_json<'reg, 'rc>(
 // Configure the web-vault version as an integer so it can be used as a comparison smaller or greater then.
 // The default is based upon the version since this feature is added.
 static WEB_VAULT_VERSION: LazyLock<semver::Version> = LazyLock::new(|| {
-    let vault_version = get_web_vault_version();
+    let vault_version = get_active_web_release();
    // Use a single regex capture to extract version components
    let re = regex::Regex::new(r"(\d{4})\.(\d{1,2})\.(\d{1,2})").unwrap();
    re.captures(&vault_version)
@@ -55,13 +55,13 @@ pub fn encode_random_bytes<const N: usize>(e: &Encoding) -> String {
 /// Generates a random string over a specified alphabet.
 pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
    // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
-    use rand::Rng;
+    use rand::RngExt;
    let mut rng = rand::rng();
    (0..num_chars)
        .map(|_| {
            let i = rng.random_range(0..alphabet.len());
-            alphabet[i] as char
+            char::from(alphabet[i])
        })
        .collect()
 }
@@ -337,6 +337,46 @@ macro_rules! db_run {
    };
 }
 // Write all ToSql<Text, DB> and FromSql<Text, DB> given a serializable/deserializable type.
 #[macro_export]
 macro_rules! impl_FromToSqlText {
    ($name:ty) => {
        #[cfg(mysql)]
        impl ToSql<Text, diesel::mysql::Mysql> for $name {
            fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, diesel::mysql::Mysql>) -> diesel::serialize::Result {
                serde_json::to_writer(out, self).map(|_| diesel::serialize::IsNull::No).map_err(Into::into)
            }
        }
        #[cfg(postgresql)]
        impl ToSql<Text, diesel::pg::Pg> for $name {
            fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, diesel::pg::Pg>) -> diesel::serialize::Result {
                serde_json::to_writer(out, self).map(|_| diesel::serialize::IsNull::No).map_err(Into::into)
            }
        }
        #[cfg(sqlite)]
        impl ToSql<Text, diesel::sqlite::Sqlite> for $name {
            fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, diesel::sqlite::Sqlite>) -> diesel::serialize::Result {
                serde_json::to_string(self).map_err(Into::into).map(|str| {
                    out.set_value(str);
                    diesel::serialize::IsNull::No
                })
            }
        }
        impl<DB: diesel::backend::Backend> FromSql<Text, DB> for $name
        where
            String: FromSql<Text, DB>,
        {
            fn from_sql(bytes: DB::RawValue<'_>) -> diesel::deserialize::Result<Self> {
                <String as FromSql<Text, DB>>::from_sql(bytes)
                    .and_then(|str| serde_json::from_str(&str).map_err(Into::into))
            }
        }
    };
 }
 pub mod schema;
 // Reexport the models, needs to be after the macros are defined so it can access them
@@ -347,7 +387,6 @@ pub mod models;
 #[cfg(sqlite)]
 pub fn backup_sqlite() -> Result<String, Error> {
    use diesel::Connection;
    use std::{fs::File, io::Write};
    let db_url = CONFIG.database_url();
    if DbConnType::from_url(&CONFIG.database_url()).map(|t| t == DbConnType::Sqlite).unwrap_or(false) {
@@ -361,16 +400,13 @@ pub fn backup_sqlite() -> Result<String, Error> {
            .to_string_lossy()
            .into_owned();
-        match File::create(backup_file.clone()) {
+        diesel::sql_query("VACUUM INTO ?")
-            Ok(mut f) => {
+            .bind::<diesel::sql_types::Text, _>(&backup_file)
-                let serialized_db = conn.serialize_database_to_buffer();
+            .execute(&mut conn)
-                f.write_all(serialized_db.as_slice()).expect("Error writing SQLite backup");
+            .map(|_| ())
-                Ok(backup_file)
+            .map_res("VACUUM INTO failed")?;
-            }
+
-            Err(e) => {
+        Ok(backup_file)
                err_silent!(format!("Unable to save SQLite backup: {e:?}"))
            }
        }
    } else {
        err_silent!("The database type is not SQLite. Backups only works for SQLite databases")
    }
@@ -46,7 +46,7 @@ impl Attachment {
    pub async fn get_url(&self, host: &str) -> Result<String, crate::Error> {
        let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;
-        if operator.info().scheme() == opendal::Scheme::Fs {
+        if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
            let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
            Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
        } else {
@@ -177,7 +177,9 @@ impl AuthRequest {
    }
    pub async fn purge_expired_auth_requests(conn: &DbConn) {
-        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(5).unwrap(); //after 5 minutes, clients reject the request
+        // delete auth requests older than 15 minutes which is functionally equivalent to upstream:
        // https://github.com/bitwarden/server/blob/f8ee2270409f7a13125cd414c450740af605a175/src/Sql/dbo/Auth/Stored%20Procedures/AuthRequest_DeleteIfExpired.sql
        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(15).unwrap();
        for auth_request in Self::find_created_before(&expiry_time, conn).await {
            auth_request.delete(conn).await.ok();
        }
@@ -559,7 +559,7 @@ impl Cipher {
                if let Some(cached_member) = cipher_sync_data.members.get(org_uuid) {
                    return cached_member.has_full_access();
                }
-            } else if let Some(member) = Membership::find_by_user_and_org(user_uuid, org_uuid, conn).await {
+            } else if let Some(member) = Membership::find_confirmed_by_user_and_org(user_uuid, org_uuid, conn).await {
                return member.has_full_access();
            }
        }
@@ -668,10 +668,12 @@ impl Cipher {
            ciphers::table
                .filter(ciphers::uuid.eq(&self.uuid))
                .inner_join(ciphers_collections::table.on(
-                    ciphers::uuid.eq(ciphers_collections::cipher_uuid)))
+                    ciphers::uuid.eq(ciphers_collections::cipher_uuid)
                ))
                .inner_join(users_collections::table.on(
                    ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
-                        .and(users_collections::user_uuid.eq(user_uuid))))
+                        .and(users_collections::user_uuid.eq(user_uuid))
                ))
                .select((users_collections::read_only, users_collections::hide_passwords, users_collections::manage))
                .load::<(bool, bool, bool)>(conn)
                .expect("Error getting user access restrictions")
@@ -697,6 +699,9 @@ impl Cipher {
                .inner_join(users_organizations::table.on(
                    users_organizations::uuid.eq(groups_users::users_organizations_uuid)
                ))
                .inner_join(groups::table.on(groups::uuid.eq(collections_groups::groups_uuid)
                    .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                ))
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .select((collections_groups::read_only, collections_groups::hide_passwords, collections_groups::manage))
                .load::<(bool, bool, bool)>(conn)
@@ -795,28 +800,28 @@ impl Cipher {
                let mut query = ciphers::table
                    .left_join(ciphers_collections::table.on(
                            ciphers::uuid.eq(ciphers_collections::cipher_uuid)
-                            ))
+                    ))
                    .left_join(users_organizations::table.on(
-                            ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable())
+                        ciphers::organization_uuid.eq(users_organizations::org_uuid.nullable())
                            .and(users_organizations::user_uuid.eq(user_uuid))
                            .and(users_organizations::status.eq(MembershipStatus::Confirmed as i32))
-                            ))
+                    ))
                    .left_join(users_collections::table.on(
-                            ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
+                        ciphers_collections::collection_uuid.eq(users_collections::collection_uuid)
                            // Ensure that users_collections::user_uuid is NULL for unconfirmed users.
                            .and(users_organizations::user_uuid.eq(users_collections::user_uuid))
-                            ))
+                    ))
                    .left_join(groups_users::table.on(
-                            groups_users::users_organizations_uuid.eq(users_organizations::uuid)
+                        groups_users::users_organizations_uuid.eq(users_organizations::uuid)
-                            ))
+                    ))
-                    .left_join(groups::table.on(
+                    .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                            groups::uuid.eq(groups_users::groups_uuid)
+                        // Ensure that group and membership belong to the same org
-                            ))
+                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                    ))
                    .left_join(collections_groups::table.on(
-                            collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid).and(
+                        collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid)
-                                collections_groups::groups_uuid.eq(groups::uuid)
+                            .and(collections_groups::groups_uuid.eq(groups::uuid))
-                                )
+                    ))
                            ))
                    .filter(ciphers::user_uuid.eq(user_uuid)) // Cipher owner
                    .or_filter(users_organizations::access_all.eq(true)) // access_all in org
                    .or_filter(users_collections::user_uuid.eq(user_uuid)) // Access to collection
@@ -986,7 +991,9 @@ impl Cipher {
                    .left_join(groups_users::table.on(
                        groups_users::users_organizations_uuid.eq(users_organizations::uuid)
                    ))
-                    .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
+                    .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                    ))
                    .left_join(collections_groups::table.on(
                        collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid)
                        .and(collections_groups::groups_uuid.eq(groups::uuid))
@@ -1047,7 +1054,9 @@ impl Cipher {
                    .left_join(groups_users::table.on(
                        groups_users::users_organizations_uuid.eq(users_organizations::uuid)
                    ))
-                    .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
+                    .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                    ))
                    .left_join(collections_groups::table.on(
                        collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid)
                        .and(collections_groups::groups_uuid.eq(groups::uuid))
@@ -1115,8 +1124,8 @@ impl Cipher {
            .left_join(groups_users::table.on(
                groups_users::users_organizations_uuid.eq(users_organizations::uuid)
            ))
-            .left_join(groups::table.on(
+            .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                groups::uuid.eq(groups_users::groups_uuid)
+                .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
            ))
            .left_join(collections_groups::table.on(
                collections_groups::collections_uuid.eq(ciphers_collections::collection_uuid).and(
@@ -191,7 +191,7 @@ impl Collection {
        self.update_users_revision(conn).await;
        CollectionCipher::delete_all_by_collection(&self.uuid, conn).await?;
        CollectionUser::delete_all_by_collection(&self.uuid, conn).await?;
-        CollectionGroup::delete_all_by_collection(&self.uuid, conn).await?;
+        CollectionGroup::delete_all_by_collection(&self.uuid, &self.org_uuid, conn).await?;
        db_run! { conn: {
            diesel::delete(collections::table.filter(collections::uuid.eq(self.uuid)))
@@ -239,8 +239,8 @@ impl Collection {
                .left_join(groups_users::table.on(
                    groups_users::users_organizations_uuid.eq(users_organizations::uuid)
                ))
-                .left_join(groups::table.on(
+                .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                    groups::uuid.eq(groups_users::groups_uuid)
+                    .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                ))
                .left_join(collections_groups::table.on(
                    collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
@@ -355,8 +355,8 @@ impl Collection {
                .left_join(groups_users::table.on(
                    groups_users::users_organizations_uuid.eq(users_organizations::uuid)
                ))
-                .left_join(groups::table.on(
+                .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                    groups::uuid.eq(groups_users::groups_uuid)
+                    .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                ))
                .left_join(collections_groups::table.on(
                    collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
@@ -422,8 +422,8 @@ impl Collection {
                    .left_join(groups_users::table.on(
                        groups_users::users_organizations_uuid.eq(users_organizations::uuid)
                    ))
-                    .left_join(groups::table.on(
+                    .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                        groups::uuid.eq(groups_users::groups_uuid)
+                        .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                    ))
                    .left_join(collections_groups::table.on(
                        collections_groups::groups_uuid.eq(groups_users::groups_uuid)
@@ -484,8 +484,8 @@ impl Collection {
            .left_join(groups_users::table.on(
                groups_users::users_organizations_uuid.eq(users_organizations::uuid)
            ))
-            .left_join(groups::table.on(
+            .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                groups::uuid.eq(groups_users::groups_uuid)
+                .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
            ))
            .left_join(collections_groups::table.on(
                collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
@@ -513,7 +513,8 @@ impl Collection {
        }}
    }
-    pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
+    pub async fn is_coll_manageable_by_user(uuid: &CollectionId, user_uuid: &UserId, conn: &DbConn) -> bool {
        let uuid = uuid.to_string();
        let user_uuid = user_uuid.to_string();
        db_run! { conn: {
            collections::table
@@ -530,17 +531,17 @@ impl Collection {
            .left_join(groups_users::table.on(
                groups_users::users_organizations_uuid.eq(users_organizations::uuid)
            ))
-            .left_join(groups::table.on(
+            .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                groups::uuid.eq(groups_users::groups_uuid)
+                .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
            ))
            .left_join(collections_groups::table.on(
                collections_groups::groups_uuid.eq(groups_users::groups_uuid).and(
                    collections_groups::collections_uuid.eq(collections::uuid)
                )
            ))
-            .filter(collections::uuid.eq(&self.uuid))
+            .filter(collections::uuid.eq(&uuid))
            .filter(
-                users_collections::collection_uuid.eq(&self.uuid).and(users_collections::manage.eq(true)).or(// Directly accessed collection
+                users_collections::collection_uuid.eq(&uuid).and(users_collections::manage.eq(true)).or(// Directly accessed collection
                    users_organizations::access_all.eq(true).or( // access_all in Organization
                        users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
                )).or(
@@ -558,6 +559,10 @@ impl Collection {
            .unwrap_or(0) != 0
        }}
    }
    pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
        Self::is_coll_manageable_by_user(&self.uuid, user_uuid, conn).await
    }
 }
 /// Database methods
@@ -1,6 +1,6 @@
 use chrono::{NaiveDateTime, Utc};
-use data_encoding::{BASE64, BASE64URL};
+use data_encoding::BASE64URL;
 use derive_more::{Display, From};
 use serde_json::Value;
@@ -35,6 +35,30 @@ pub struct Device {
 /// Local methods
 impl Device {
    pub fn new(uuid: DeviceId, user_uuid: UserId, name: String, atype: i32) -> Self {
        let now = Utc::now().naive_utc();
        Self {
            uuid,
            created_at: now,
            updated_at: now,
            user_uuid,
            name,
            atype,
            push_uuid: Some(PushId(get_uuid())),
            push_token: None,
            refresh_token: Device::generate_refresh_token(),
            twofactor_remember: None,
        }
    }
    #[inline(always)]
    pub fn generate_refresh_token() -> String {
        crypto::encode_random_bytes::<64>(&BASE64URL)
    }
    pub fn to_json(&self) -> Value {
        json!({
            "id": self.uuid,
@@ -48,10 +72,13 @@ impl Device {
    }
    pub fn refresh_twofactor_remember(&mut self) -> String {
-        let twofactor_remember = crypto::encode_random_bytes::<180>(&BASE64);
+        use crate::auth::{encode_jwt, generate_2fa_remember_claims};
        self.twofactor_remember = Some(twofactor_remember.clone());
-        twofactor_remember
+        let two_factor_remember_claim = generate_2fa_remember_claims(self.uuid.clone(), self.user_uuid.clone());
        let two_factor_remember_string = encode_jwt(&two_factor_remember_claim);
        self.twofactor_remember = Some(two_factor_remember_string.clone());
        two_factor_remember_string
    }
    pub fn delete_twofactor_remember(&mut self) {
@@ -110,38 +137,21 @@ impl DeviceWithAuthRequest {
 }
 use crate::db::DbConn;
-use crate::api::{ApiResult, EmptyResult};
+use crate::api::EmptyResult;
 use crate::error::MapResult;
 /// Database methods
 impl Device {
-    pub async fn new(uuid: DeviceId, user_uuid: UserId, name: String, atype: i32, conn: &DbConn) -> ApiResult<Device> {
+    pub async fn save(&mut self, update_time: bool, conn: &DbConn) -> EmptyResult {
-        let now = Utc::now().naive_utc();
+        if update_time {
            self.updated_at = Utc::now().naive_utc();
        }
        let device = Self {
            uuid,
            created_at: now,
            updated_at: now,
            user_uuid,
            name,
            atype,
            push_uuid: Some(PushId(get_uuid())),
            push_token: None,
            refresh_token: crypto::encode_random_bytes::<64>(&BASE64URL),
            twofactor_remember: None,
        };
        device.inner_save(conn).await.map(|()| device)
    }
    async fn inner_save(&self, conn: &DbConn) -> EmptyResult {
        db_run! { conn:
            sqlite, mysql {
                crate::util::retry(||
                    diesel::replace_into(devices::table)
-                        .values(self)
+                        .values(&*self)
                        .execute(conn),
                    10,
                ).map_res("Error saving device")
@@ -149,10 +159,10 @@ impl Device {
            postgresql {
                crate::util::retry(||
                    diesel::insert_into(devices::table)
-                        .values(self)
+                        .values(&*self)
                        .on_conflict((devices::uuid, devices::user_uuid))
                        .do_update()
-                        .set(self)
+                        .set(&*self)
                        .execute(conn),
                    10,
                ).map_res("Error saving device")
@@ -160,12 +170,6 @@ impl Device {
        }
    }
    // Should only be called after user has passed authentication
    pub async fn save(&mut self, conn: &DbConn) -> EmptyResult {
        self.updated_at = Utc::now().naive_utc();
        self.inner_save(conn).await
    }
    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
        db_run! { conn: {
            diesel::delete(devices::table.filter(devices::user_uuid.eq(user_uuid)))
@@ -261,6 +265,17 @@ impl Device {
            .unwrap_or(0) != 0
        }}
    }
    pub async fn rotate_refresh_tokens_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
        // Generate a new token per device.
        // We cannot do a single UPDATE with one value because each device needs a unique token.
        let devices = Self::find_by_user(user_uuid, conn).await;
        for mut device in devices {
            device.refresh_token = Device::generate_refresh_token();
            device.save(false, conn).await?;
        }
        Ok(())
    }
 }
 #[derive(Display)]
@@ -1,6 +1,6 @@
 use super::{CollectionId, Membership, MembershipId, OrganizationId, User, UserId};
 use crate::api::EmptyResult;
-use crate::db::schema::{collections_groups, groups, groups_users, users_organizations};
+use crate::db::schema::{collections, collections_groups, groups, groups_users, users_organizations};
 use crate::db::DbConn;
 use crate::error::MapResult;
 use chrono::{NaiveDateTime, Utc};
@@ -81,7 +81,7 @@ impl Group {
        // If both read_only and hide_passwords are false, then manage should be true
        // You can't have an entry with read_only and manage, or hide_passwords and manage
        // Or an entry with everything to false
-        let collections_groups: Vec<Value> = CollectionGroup::find_by_group(&self.uuid, conn)
+        let collections_groups: Vec<Value> = CollectionGroup::find_by_group(&self.uuid, &self.organizations_uuid, conn)
            .await
            .iter()
            .map(|entry| {
@@ -191,7 +191,7 @@ impl Group {
    pub async fn delete_all_by_organization(org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
        for group in Self::find_by_organization(org_uuid, conn).await {
-            group.delete(conn).await?;
+            group.delete(org_uuid, conn).await?;
        }
        Ok(())
    }
@@ -246,8 +246,8 @@ impl Group {
                .inner_join(users_organizations::table.on(
                    users_organizations::uuid.eq(groups_users::users_organizations_uuid)
                ))
-                .inner_join(groups::table.on(
+                .inner_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
-                    groups::uuid.eq(groups_users::groups_uuid)
+                    .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                ))
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(groups::access_all.eq(true))
@@ -276,9 +276,9 @@ impl Group {
        }}
    }
-    pub async fn delete(&self, conn: &DbConn) -> EmptyResult {
+    pub async fn delete(&self, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
-        CollectionGroup::delete_all_by_group(&self.uuid, conn).await?;
+        CollectionGroup::delete_all_by_group(&self.uuid, org_uuid, conn).await?;
-        GroupUser::delete_all_by_group(&self.uuid, conn).await?;
+        GroupUser::delete_all_by_group(&self.uuid, org_uuid, conn).await?;
        db_run! { conn: {
            diesel::delete(groups::table.filter(groups::uuid.eq(&self.uuid)))
@@ -306,8 +306,8 @@ impl Group {
 }
 impl CollectionGroup {
-    pub async fn save(&mut self, conn: &DbConn) -> EmptyResult {
+    pub async fn save(&mut self, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(&self.groups_uuid, conn).await;
+        let group_users = GroupUser::find_by_group(&self.groups_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }
@@ -365,10 +365,19 @@ impl CollectionGroup {
        }
    }
-    pub async fn find_by_group(group_uuid: &GroupId, conn: &DbConn) -> Vec<Self> {
+    pub async fn find_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
        db_run! { conn: {
            collections_groups::table
                .inner_join(groups::table.on(
                    groups::uuid.eq(collections_groups::groups_uuid)
                ))
                .inner_join(collections::table.on(
                    collections::uuid.eq(collections_groups::collections_uuid)
                        .and(collections::org_uuid.eq(groups::organizations_uuid))
                ))
                .filter(collections_groups::groups_uuid.eq(group_uuid))
                .filter(collections::org_uuid.eq(org_uuid))
                .select(collections_groups::all_columns)
                .load::<Self>(conn)
                .expect("Error loading collection groups")
        }}
@@ -383,6 +392,13 @@ impl CollectionGroup {
                .inner_join(users_organizations::table.on(
                    users_organizations::uuid.eq(groups_users::users_organizations_uuid)
                ))
                .inner_join(groups::table.on(groups::uuid.eq(collections_groups::groups_uuid)
                    .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
                ))
                .inner_join(collections::table.on(
                    collections::uuid.eq(collections_groups::collections_uuid)
                        .and(collections::org_uuid.eq(groups::organizations_uuid))
                ))
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .select(collections_groups::all_columns)
                .load::<Self>(conn)
@@ -394,14 +410,20 @@ impl CollectionGroup {
        db_run! { conn: {
            collections_groups::table
                .filter(collections_groups::collections_uuid.eq(collection_uuid))
                .inner_join(collections::table.on(
                    collections::uuid.eq(collections_groups::collections_uuid)
                ))
                .inner_join(groups::table.on(groups::uuid.eq(collections_groups::groups_uuid)
                    .and(groups::organizations_uuid.eq(collections::org_uuid))
                ))
                .select(collections_groups::all_columns)
                .load::<Self>(conn)
                .expect("Error loading collection groups")
        }}
    }
-    pub async fn delete(&self, conn: &DbConn) -> EmptyResult {
+    pub async fn delete(&self, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(&self.groups_uuid, conn).await;
+        let group_users = GroupUser::find_by_group(&self.groups_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }
@@ -415,8 +437,8 @@ impl CollectionGroup {
        }}
    }
-    pub async fn delete_all_by_group(group_uuid: &GroupId, conn: &DbConn) -> EmptyResult {
+    pub async fn delete_all_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(group_uuid, conn).await;
+        let group_users = GroupUser::find_by_group(group_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }
@@ -429,10 +451,14 @@ impl CollectionGroup {
        }}
    }
-    pub async fn delete_all_by_collection(collection_uuid: &CollectionId, conn: &DbConn) -> EmptyResult {
+    pub async fn delete_all_by_collection(
        collection_uuid: &CollectionId,
        org_uuid: &OrganizationId,
        conn: &DbConn,
    ) -> EmptyResult {
        let collection_assigned_to_groups = CollectionGroup::find_by_collection(collection_uuid, conn).await;
        for collection_assigned_to_group in collection_assigned_to_groups {
-            let group_users = GroupUser::find_by_group(&collection_assigned_to_group.groups_uuid, conn).await;
+            let group_users = GroupUser::find_by_group(&collection_assigned_to_group.groups_uuid, org_uuid, conn).await;
            for group_user in group_users {
                group_user.update_user_revision(conn).await;
            }
@@ -494,10 +520,19 @@ impl GroupUser {
        }
    }
-    pub async fn find_by_group(group_uuid: &GroupId, conn: &DbConn) -> Vec<Self> {
+    pub async fn find_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> Vec<Self> {
        db_run! { conn: {
            groups_users::table
                .inner_join(groups::table.on(
                    groups::uuid.eq(groups_users::groups_uuid)
                ))
                .inner_join(users_organizations::table.on(
                    users_organizations::uuid.eq(groups_users::users_organizations_uuid)
                        .and(users_organizations::org_uuid.eq(groups::organizations_uuid))
                ))
                .filter(groups_users::groups_uuid.eq(group_uuid))
                .filter(groups::organizations_uuid.eq(org_uuid))
                .select(groups_users::all_columns)
                .load::<Self>(conn)
                .expect("Error loading group users")
        }}
@@ -522,6 +557,13 @@ impl GroupUser {
                .inner_join(collections_groups::table.on(
                    collections_groups::groups_uuid.eq(groups_users::groups_uuid)
                ))
                .inner_join(groups::table.on(
                    groups::uuid.eq(groups_users::groups_uuid)
                ))
                .inner_join(collections::table.on(
                    collections::uuid.eq(collections_groups::collections_uuid)
                        .and(collections::org_uuid.eq(groups::organizations_uuid))
                ))
                .filter(collections_groups::collections_uuid.eq(collection_uuid))
                .filter(groups_users::users_organizations_uuid.eq(member_uuid))
                .count()
@@ -575,8 +617,8 @@ impl GroupUser {
        }}
    }
-    pub async fn delete_all_by_group(group_uuid: &GroupId, conn: &DbConn) -> EmptyResult {
+    pub async fn delete_all_by_group(group_uuid: &GroupId, org_uuid: &OrganizationId, conn: &DbConn) -> EmptyResult {
-        let group_users = GroupUser::find_by_group(group_uuid, conn).await;
+        let group_users = GroupUser::find_by_group(group_uuid, org_uuid, conn).await;
        for group_user in group_users {
            group_user.update_user_revision(conn).await;
        }
@@ -11,7 +11,7 @@ mod group;
 mod org_policy;
 mod organization;
 mod send;
-mod sso_nonce;
+mod sso_auth;
 mod two_factor;
 mod two_factor_duo_context;
 mod two_factor_incomplete;
@@ -27,7 +27,7 @@ pub use self::event::{Event, EventType};
 pub use self::favorite::Favorite;
 pub use self::folder::{Folder, FolderCipher, FolderId};
 pub use self::group::{CollectionGroup, Group, GroupId, GroupUser};
-pub use self::org_policy::{OrgPolicy, OrgPolicyErr, OrgPolicyId, OrgPolicyType};
+pub use self::org_policy::{OrgPolicy, OrgPolicyId, OrgPolicyType};
 pub use self::organization::{
    Membership, MembershipId, MembershipStatus, MembershipType, OrgApiKeyId, Organization, OrganizationApiKey,
    OrganizationId,
@@ -36,7 +36,7 @@ pub use self::send::{
    id::{SendFileId, SendId},
    Send, SendType,
 };
-pub use self::sso_nonce::SsoNonce;
+pub use self::sso_auth::{OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth};
 pub use self::two_factor::{TwoFactor, TwoFactorType};
 pub use self::two_factor_duo_context::TwoFactorDuoContext;
 pub use self::two_factor_incomplete::TwoFactorIncomplete;
@@ -2,10 +2,12 @@ use derive_more::{AsRef, From};
 use serde::Deserialize;
 use serde_json::Value;
 use crate::api::core::two_factor;
 use crate::api::EmptyResult;
 use crate::db::schema::{org_policies, users_organizations};
 use crate::db::DbConn;
 use crate::error::MapResult;
 use crate::CONFIG;
 use diesel::prelude::*;
 use super::{Membership, MembershipId, MembershipStatus, MembershipType, OrganizationId, TwoFactor, UserId};
@@ -40,6 +42,10 @@ pub enum OrgPolicyType {
    // FreeFamiliesSponsorshipPolicy = 13,
    RemoveUnlockWithPin = 14,
    RestrictedItemTypes = 15,
    UriMatchDefaults = 16,
    // AutotypeDefaultSetting = 17, // Not supported yet
    // AutoConfirm = 18, // Not supported (not implemented yet)
    // BlockClaimedDomainAccountCreation = 19, // Not supported (Not AGPLv3 Licensed)
 }
 // https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/AdminConsole/Models/Data/Organizations/Policies/SendOptionsPolicyData.cs#L5
@@ -58,14 +64,6 @@ pub struct ResetPasswordDataModel {
    pub auto_enroll_enabled: bool,
 }
 pub type OrgPolicyResult = Result<(), OrgPolicyErr>;
 #[derive(Debug)]
 pub enum OrgPolicyErr {
    TwoFactorMissing,
    SingleOrgEnforced,
 }
 /// Local methods
 impl OrgPolicy {
    pub fn new(org_uuid: OrganizationId, atype: OrgPolicyType, enabled: bool, data: String) -> Self {
@@ -271,7 +269,7 @@ impl OrgPolicy {
                continue;
            }
-            if let Some(user) = Membership::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
+            if let Some(user) = Membership::find_confirmed_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
                if user.atype < MembershipType::Admin {
                    return true;
                }
@@ -280,31 +278,35 @@ impl OrgPolicy {
        false
    }
-    pub async fn is_user_allowed(
+    pub async fn check_user_allowed(m: &Membership, action: &str, conn: &DbConn) -> EmptyResult {
-        user_uuid: &UserId,
+        if m.atype < MembershipType::Admin && m.status > (MembershipStatus::Invited as i32) {
-        org_uuid: &OrganizationId,
+            // Enforce TwoFactor/TwoStep login
-        exclude_current_org: bool,
+            if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await
-        conn: &DbConn,
+            {
-    ) -> OrgPolicyResult {
+                if p.enabled && TwoFactor::find_by_user(&m.user_uuid, conn).await.is_empty() {
-        // Enforce TwoFactor/TwoStep login
+                    if CONFIG.email_2fa_auto_fallback() {
-        if TwoFactor::find_by_user(user_uuid, conn).await.is_empty() {
+                        two_factor::email::find_and_activate_email_2fa(&m.user_uuid, conn).await?;
-            match Self::find_by_org_and_type(org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await {
+                    } else {
-                Some(p) if p.enabled => {
+                        err!(format!("Cannot {} because 2FA is required (membership {})", action, m.uuid));
-                    return Err(OrgPolicyErr::TwoFactorMissing);
+                    }
                }
-                _ => {}
+            }
            };
        }
-        // Enforce Single Organization Policy of other organizations user is a member of
+            // Check if the user is part of another Organization with SingleOrg activated
-        // This check here needs to exclude this current org-id, else an accepted user can not be confirmed.
+            if Self::is_applicable_to_user(&m.user_uuid, OrgPolicyType::SingleOrg, Some(&m.org_uuid), conn).await {
-        let exclude_org = if exclude_current_org {
+                err!(format!(
-            Some(org_uuid)
+                    "Cannot {} because another organization policy forbids it (membership {})",
-        } else {
+                    action, m.uuid
-            None
+                ));
-        };
+            }
-        if Self::is_applicable_to_user(user_uuid, OrgPolicyType::SingleOrg, exclude_org, conn).await {
+
-            return Err(OrgPolicyErr::SingleOrgEnforced);
+            if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::SingleOrg, conn).await {
                if p.enabled
                    && Membership::count_accepted_and_confirmed_by_user(&m.user_uuid, &m.org_uuid, conn).await > 0
                {
                    err!(format!("Cannot {} because the organization policy forbids being part of other organization (membership {})", action, m.uuid));
                }
            }
        }
        Ok(())
@@ -330,7 +332,7 @@ impl OrgPolicy {
        for policy in
            OrgPolicy::find_confirmed_by_user_and_active_policy(user_uuid, OrgPolicyType::SendOptions, conn).await
        {
-            if let Some(user) = Membership::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
+            if let Some(user) = Membership::find_confirmed_by_user_and_org(user_uuid, &policy.org_uuid, conn).await {
                if user.atype < MembershipType::Admin {
                    match serde_json::from_str::<SendOptionsPolicyData>(&policy.data) {
                        Ok(opts) => {
@@ -514,7 +514,8 @@ impl Membership {
            "familySponsorshipValidUntil": null,
            "familySponsorshipToDelete": null,
            "accessSecretsManager": false,
-            "limitCollectionCreation": self.atype < MembershipType::Manager, // If less then a manager return true, to limit collection creations
+            // limit collection creation to managers with access_all permission to prevent issues
            "limitCollectionCreation": self.atype < MembershipType::Manager || !self.access_all,
            "limitCollectionDeletion": true,
            "limitItemDeletion": false,
            "allowAdminAccessToAllCollectionItems": true,
@@ -883,10 +884,15 @@ impl Membership {
        }}
    }
-    pub async fn count_accepted_and_confirmed_by_user(user_uuid: &UserId, conn: &DbConn) -> i64 {
+    pub async fn count_accepted_and_confirmed_by_user(
        user_uuid: &UserId,
        excluded_org: &OrganizationId,
        conn: &DbConn,
    ) -> i64 {
        db_run! { conn: {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
                .filter(users_organizations::org_uuid.ne(excluded_org))
                .filter(users_organizations::status.eq(MembershipStatus::Accepted as i32).or(users_organizations::status.eq(MembershipStatus::Confirmed as i32)))
                .count()
                .first::<i64>(conn)
@@ -1068,7 +1074,9 @@ impl Membership {
            .left_join(collections_groups::table.on(
                collections_groups::groups_uuid.eq(groups_users::groups_uuid)
            ))
-            .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)))
+            .left_join(groups::table.on(groups::uuid.eq(groups_users::groups_uuid)
                .and(groups::organizations_uuid.eq(users_organizations::org_uuid))
            ))
            .left_join(ciphers_collections::table.on(
                    ciphers_collections::collection_uuid.eq(collections_groups::collections_uuid).and(ciphers_collections::cipher_uuid.eq(&cipher_uuid))
@@ -46,6 +46,16 @@ pub enum SendType {
    File = 1,
 }
 enum SendAuthType {
    #[allow(dead_code)]
    // Send requires email OTP verification
    Email = 0, // Not yet supported by Vaultwarden
    // Send requires a password
    Password = 1,
    // Send requires no auth
    None = 2,
 }
 impl Send {
    pub fn new(atype: i32, name: String, data: String, akey: String, deletion_date: NaiveDateTime) -> Self {
        let now = Utc::now().naive_utc();
@@ -145,6 +155,7 @@ impl Send {
            "maxAccessCount": self.max_access_count,
            "accessCount": self.access_count,
            "password": self.password_hash.as_deref().map(|h| BASE64URL_NOPAD.encode(h)),
            "authType": if self.password_hash.is_some() { SendAuthType::Password as i32 } else { SendAuthType::None as i32 },
            "disabled": self.disabled,
            "hideEmail": self.hide_email,
@@ -0,0 +1,134 @@
 use chrono::{NaiveDateTime, Utc};
 use std::time::Duration;
 use crate::api::EmptyResult;
 use crate::db::schema::sso_auth;
 use crate::db::{DbConn, DbPool};
 use crate::error::MapResult;
 use crate::sso::{OIDCCode, OIDCCodeChallenge, OIDCIdentifier, OIDCState, SSO_AUTH_EXPIRATION};
 use diesel::deserialize::FromSql;
 use diesel::expression::AsExpression;
 use diesel::prelude::*;
 use diesel::serialize::{Output, ToSql};
 use diesel::sql_types::Text;
 #[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
 #[diesel(sql_type = Text)]
 pub enum OIDCCodeWrapper {
    Ok {
        code: OIDCCode,
    },
    Error {
        error: String,
        error_description: Option<String>,
    },
 }
 impl_FromToSqlText!(OIDCCodeWrapper);
 #[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
 #[diesel(sql_type = Text)]
 pub struct OIDCAuthenticatedUser {
    pub refresh_token: Option<String>,
    pub access_token: String,
    pub expires_in: Option<Duration>,
    pub identifier: OIDCIdentifier,
    pub email: String,
    pub email_verified: Option<bool>,
    pub user_name: Option<String>,
 }
 impl_FromToSqlText!(OIDCAuthenticatedUser);
 #[derive(Identifiable, Queryable, Insertable, AsChangeset, Selectable)]
 #[diesel(table_name = sso_auth)]
 #[diesel(treat_none_as_null = true)]
 #[diesel(primary_key(state))]
 pub struct SsoAuth {
    pub state: OIDCState,
    pub client_challenge: OIDCCodeChallenge,
    pub nonce: String,
    pub redirect_uri: String,
    pub code_response: Option<OIDCCodeWrapper>,
    pub auth_response: Option<OIDCAuthenticatedUser>,
    pub created_at: NaiveDateTime,
    pub updated_at: NaiveDateTime,
 }
 /// Local methods
 impl SsoAuth {
    pub fn new(state: OIDCState, client_challenge: OIDCCodeChallenge, nonce: String, redirect_uri: String) -> Self {
        let now = Utc::now().naive_utc();
        SsoAuth {
            state,
            client_challenge,
            nonce,
            redirect_uri,
            created_at: now,
            updated_at: now,
            code_response: None,
            auth_response: None,
        }
    }
 }
 /// Database methods
 impl SsoAuth {
    pub async fn save(&self, conn: &DbConn) -> EmptyResult {
        db_run! { conn:
            mysql {
                diesel::insert_into(sso_auth::table)
                    .values(self)
                    .on_conflict(diesel::dsl::DuplicatedKeys)
                    .do_update()
                    .set(self)
                    .execute(conn)
                    .map_res("Error saving SSO auth")
            }
            postgresql, sqlite {
                diesel::insert_into(sso_auth::table)
                    .values(self)
                    .on_conflict(sso_auth::state)
                    .do_update()
                    .set(self)
                    .execute(conn)
                    .map_res("Error saving SSO auth")
            }
        }
    }
    pub async fn find(state: &OIDCState, conn: &DbConn) -> Option<Self> {
        let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
        db_run! { conn: {
            sso_auth::table
                .filter(sso_auth::state.eq(state))
                .filter(sso_auth::created_at.ge(oldest))
                .first::<Self>(conn)
                .ok()
        }}
    }
    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
        db_run! {conn: {
            diesel::delete(sso_auth::table.filter(sso_auth::state.eq(self.state)))
                .execute(conn)
                .map_res("Error deleting sso_auth")
        }}
    }
    pub async fn delete_expired(pool: DbPool) -> EmptyResult {
        debug!("Purging expired sso_auth");
        if let Ok(conn) = pool.get().await {
            let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
            db_run! { conn: {
                diesel::delete(sso_auth::table.filter(sso_auth::created_at.lt(oldest)))
                    .execute(conn)
                    .map_res("Error deleting expired SSO nonce")
            }}
        } else {
            err!("Failed to get DB connection while purging expired sso_auth")
        }
    }
 }
@@ -1,87 +0,0 @@
 use chrono::{NaiveDateTime, Utc};
 use crate::api::EmptyResult;
 use crate::db::schema::sso_nonce;
 use crate::db::{DbConn, DbPool};
 use crate::error::MapResult;
 use crate::sso::{OIDCState, NONCE_EXPIRATION};
 use diesel::prelude::*;
 #[derive(Identifiable, Queryable, Insertable)]
 #[diesel(table_name = sso_nonce)]
 #[diesel(primary_key(state))]
 pub struct SsoNonce {
    pub state: OIDCState,
    pub nonce: String,
    pub verifier: Option<String>,
    pub redirect_uri: String,
    pub created_at: NaiveDateTime,
 }
 /// Local methods
 impl SsoNonce {
    pub fn new(state: OIDCState, nonce: String, verifier: Option<String>, redirect_uri: String) -> Self {
        let now = Utc::now().naive_utc();
        SsoNonce {
            state,
            nonce,
            verifier,
            redirect_uri,
            created_at: now,
        }
    }
 }
 /// Database methods
 impl SsoNonce {
    pub async fn save(&self, conn: &DbConn) -> EmptyResult {
        db_run! { conn:
            sqlite, mysql {
                diesel::replace_into(sso_nonce::table)
                    .values(self)
                    .execute(conn)
                    .map_res("Error saving SSO nonce")
            }
            postgresql {
                diesel::insert_into(sso_nonce::table)
                    .values(self)
                    .execute(conn)
                    .map_res("Error saving SSO nonce")
            }
        }
    }
    pub async fn delete(state: &OIDCState, conn: &DbConn) -> EmptyResult {
        db_run! { conn: {
            diesel::delete(sso_nonce::table.filter(sso_nonce::state.eq(state)))
                .execute(conn)
                .map_res("Error deleting SSO nonce")
        }}
    }
    pub async fn find(state: &OIDCState, conn: &DbConn) -> Option<Self> {
        let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
        db_run! { conn: {
            sso_nonce::table
                .filter(sso_nonce::state.eq(state))
                .filter(sso_nonce::created_at.ge(oldest))
                .first::<Self>(conn)
                .ok()
        }}
    }
    pub async fn delete_expired(pool: DbPool) -> EmptyResult {
        debug!("Purging expired sso_nonce");
        if let Ok(conn) = pool.get().await {
            let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
            db_run! { conn: {
                diesel::delete(sso_nonce::table.filter(sso_nonce::created_at.lt(oldest)))
                    .execute(conn)
                    .map_res("Error deleting expired SSO nonce")
            }}
        } else {
            err!("Failed to get DB connection while purging expired sso_nonce")
        }
    }
 }
@@ -20,7 +20,6 @@ pub struct TwoFactor {
    pub last_used: i64,
 }
 #[allow(dead_code)]
 #[derive(num_derive::FromPrimitive)]
 pub enum TwoFactorType {
    Authenticator = 0,
@@ -1,4 +1,4 @@
-use crate::db::schema::{devices, invitations, sso_users, users};
+use crate::db::schema::{invitations, sso_users, twofactor_incomplete, users};
 use chrono::{NaiveDateTime, TimeDelta, Utc};
 use derive_more::{AsRef, Deref, Display, From};
 use diesel::prelude::*;
@@ -10,8 +10,7 @@ use super::{
 use crate::{
    api::EmptyResult,
    crypto,
-    db::models::DeviceId,
+    db::{models::DeviceId, DbConn},
    db::DbConn,
    error::MapResult,
    sso::OIDCIdentifier,
    util::{format_date, get_uuid, retry},
@@ -186,13 +185,14 @@ impl User {
    ///   These routes are able to use the previous stamp id for the next 2 minutes.
    ///   After these 2 minutes this stamp will expire.
    ///
-    pub fn set_password(
+    pub async fn set_password(
        &mut self,
        password: &str,
        new_key: Option<String>,
        reset_security_stamp: bool,
        allow_next_route: Option<Vec<String>>,
-    ) {
+        conn: &DbConn,
    ) -> EmptyResult {
        self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32);
        if let Some(route) = allow_next_route {
@@ -204,12 +204,15 @@ impl User {
        }
        if reset_security_stamp {
-            self.reset_security_stamp()
+            self.reset_security_stamp(conn).await?;
        }
        Ok(())
    }
-    pub fn reset_security_stamp(&mut self) {
+    pub async fn reset_security_stamp(&mut self, conn: &DbConn) -> EmptyResult {
        self.security_stamp = get_uuid();
        Device::rotate_refresh_tokens_by_user(&self.uuid, conn).await?;
        Ok(())
    }
    /// Set the stamp_exception to only allow a subsequent request matching a specific route using the current security-stamp.
@@ -232,6 +235,15 @@ impl User {
    pub fn reset_stamp_exception(&mut self) {
        self.stamp_exception = None;
    }
    pub fn display_name(&self) -> &str {
        // default to email if name is empty
        if !&self.name.is_empty() {
            &self.name
        } else {
            &self.email
        }
    }
 }
 /// Database methods
@@ -387,15 +399,18 @@ impl User {
        }}
    }
-    pub async fn find_by_device_id(device_uuid: &DeviceId, conn: &DbConn) -> Option<Self> {
+    pub async fn find_by_device_for_email2fa(device_uuid: &DeviceId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
+        if let Some(user_uuid) = db_run! ( conn: {
-            users::table
+            twofactor_incomplete::table
-                .inner_join(devices::table.on(devices::user_uuid.eq(users::uuid)))
+                .filter(twofactor_incomplete::device_uuid.eq(device_uuid))
-                .filter(devices::uuid.eq(device_uuid))
+                .order_by(twofactor_incomplete::login_time.desc())
-                .select(users::all_columns)
+                .select(twofactor_incomplete::user_uuid)
-                .first::<Self>(conn)
+                .first::<UserId>(conn)
                .ok()
-        }}
+        }) {
            return Self::find_by_uuid(&user_uuid, conn).await;
        }
        None
    }
    pub async fn get_all(conn: &DbConn) -> Vec<(Self, Option<SsoUser>)> {
@@ -256,12 +256,15 @@ table! {
 }
 table! {
-    sso_nonce (state) {
+    sso_auth (state) {
        state -> Text,
        client_challenge -> Text,
        nonce -> Text,
        verifier -> Nullable<Text>,
        redirect_uri -> Text,
        code_response -> Nullable<Text>,
        auth_response -> Nullable<Text>,
        created_at -> Timestamp,
        updated_at -> Timestamp,
    }
 }
@@ -185,7 +185,10 @@ impl CustomDnsResolver {
    fn new() -> Arc<Self> {
        match TokioResolver::builder(TokioConnectionProvider::default()) {
-            Ok(builder) => {
+            Ok(mut builder) => {
                if CONFIG.dns_prefer_ipv6() {
                    builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv6thenIpv4;
                }
                let resolver = builder.build();
                Arc::new(Self::Hickory(Arc::new(resolver)))
            }
@@ -302,10 +302,10 @@ pub async fn send_invite(
            .append_pair("organizationUserId", &member_id)
            .append_pair("token", &invite_token);
-        if CONFIG.sso_enabled() {
+        if CONFIG.sso_enabled() && CONFIG.sso_only() {
            query_params.append_pair("orgUserHasExistingUser", "false");
            query_params.append_pair("orgSsoIdentifier", &org_id);
-        } else if user.private_key.is_some() {
+        }
        if user.private_key.is_some() {
            query_params.append_pair("orgUserHasExistingUser", "true");
        }
    }
@@ -705,7 +705,7 @@ async fn send_with_selected_transport(email: Message) -> EmptyResult {
 }
 async fn send_email(address: &str, subject: &str, body_html: String, body_text: String) -> EmptyResult {
-    let smtp_from = &CONFIG.smtp_from();
+    let smtp_from = Address::from_str(&CONFIG.smtp_from())?;
    let body = if CONFIG.smtp_embed_images() {
        let logo_gray_body = Body::new(crate::api::static_files("logo-gray.png").unwrap().1.to_vec());
@@ -727,9 +727,9 @@ async fn send_email(address: &str, subject: &str, body_html: String, body_text:
    };
    let email = Message::builder()
-        .message_id(Some(format!("<{}@{}>", crate::util::get_uuid(), smtp_from.split('@').collect::<Vec<&str>>()[1])))
+        .message_id(Some(format!("<{}@{}>", crate::util::get_uuid(), smtp_from.domain())))
        .to(Mailbox::new(None, Address::from_str(address)?))
-        .from(Mailbox::new(Some(CONFIG.smtp_from_name()), Address::from_str(smtp_from)?))
+        .from(Mailbox::new(Some(CONFIG.smtp_from_name()), smtp_from))
        .subject(subject)
        .multipart(body)?;
@@ -126,7 +126,7 @@ fn parse_args() {
        exit(0);
    } else if pargs.contains(["-v", "--version"]) {
        config::SKIP_CONFIG_VALIDATION.store(true, Ordering::Relaxed);
-        let web_vault_version = util::get_web_vault_version();
+        let web_vault_version = util::get_active_web_release();
        println!("Vaultwarden {version}");
        println!("Web-Vault {web_vault_version}");
        exit(0);
@@ -246,8 +246,8 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
                    .split(',')
                    .collect::<Vec<&str>>()
                    .into_iter()
-                    .flat_map(|s| match s.split('=').collect::<Vec<&str>>()[..] {
+                    .flat_map(|s| match s.split_once('=') {
-                        [log, lvl_str] => log::LevelFilter::from_str(lvl_str).ok().map(|lvl| (log, lvl)),
+                        Some((log, lvl_str)) => log::LevelFilter::from_str(lvl_str).ok().map(|lvl| (log, lvl)),
                        _ => None,
                    })
                    .collect()
@@ -558,6 +558,12 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>
    let basepath = &CONFIG.domain_path();
    let mut config = rocket::Config::from(rocket::Config::figment());
    // We install our own signal handlers below; disable Rocket's built-in handlers
    config.shutdown.ctrlc = false;
    #[cfg(unix)]
    config.shutdown.signals.clear();
    config.temp_dir = canonicalize(CONFIG.tmp_folder()).unwrap().into();
    config.cli_colors = false; // Make sure Rocket does not color any values for logging.
    config.limits = Limits::new()
@@ -589,11 +595,7 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>
    CONFIG.set_rocket_shutdown_handle(instance.shutdown());
-    tokio::spawn(async move {
+    spawn_shutdown_signal_handler();
        tokio::signal::ctrl_c().await.expect("Error setting Ctrl-C handler");
        info!("Exiting Vaultwarden!");
        CONFIG.shutdown();
    });
    #[cfg(all(unix, sqlite))]
    {
@@ -621,6 +623,35 @@ async fn launch_rocket(pool: db::DbPool, extra_debug: bool) -> Result<(), Error>
    Ok(())
 }
 #[cfg(unix)]
 fn spawn_shutdown_signal_handler() {
    tokio::spawn(async move {
        use tokio::signal::unix::signal;
        let mut sigint = signal(SignalKind::interrupt()).expect("Error setting SIGINT handler");
        let mut sigterm = signal(SignalKind::terminate()).expect("Error setting SIGTERM handler");
        let mut sigquit = signal(SignalKind::quit()).expect("Error setting SIGQUIT handler");
        let signal_name = tokio::select! {
            _ = sigint.recv() => "SIGINT",
            _ = sigterm.recv() => "SIGTERM",
            _ = sigquit.recv() => "SIGQUIT",
        };
        info!("Received {signal_name}, initiating graceful shutdown");
        CONFIG.shutdown();
    });
 }
 #[cfg(not(unix))]
 fn spawn_shutdown_signal_handler() {
    tokio::spawn(async move {
        tokio::signal::ctrl_c().await.expect("Error setting Ctrl-C handler");
        info!("Received Ctrl-C, initiating graceful shutdown");
        CONFIG.shutdown();
    });
 }
 fn schedule_jobs(pool: db::DbPool) {
    if CONFIG.job_poll_interval_ms() == 0 {
        info!("Job scheduler disabled.");
@@ -699,10 +730,10 @@ fn schedule_jobs(pool: db::DbPool) {
                }));
            }
-            // Purge sso nonce from incomplete flow (default to daily at 00h20).
+            // Purge sso auth from incomplete flow (default to daily at 00h20).
-            if !CONFIG.purge_incomplete_sso_nonce().is_empty() {
+            if !CONFIG.purge_incomplete_sso_auth().is_empty() {
-                sched.add(Job::new(CONFIG.purge_incomplete_sso_nonce().parse().unwrap(), || {
+                sched.add(Job::new(CONFIG.purge_incomplete_sso_auth().parse().unwrap(), || {
-                    runtime.spawn(db::models::SsoNonce::delete_expired(pool.clone()));
+                    runtime.spawn(db::models::SsoAuth::delete_expired(pool.clone()));
                }));
            }
@@ -1,8 +1,7 @@
 use std::{sync::LazyLock, time::Duration};
 use chrono::Utc;
-use derive_more::{AsRef, Deref, Display, From};
+use derive_more::{AsRef, Deref, Display, From, Into};
 use mini_moka::sync::Cache;
 use regex::Regex;
 use url::Url;
@@ -11,7 +10,7 @@ use crate::{
    auth,
    auth::{AuthMethod, AuthTokens, TokenWrapper, BW_EXPIRATION, DEFAULT_REFRESH_VALIDITY},
    db::{
-        models::{Device, SsoNonce, User},
+        models::{Device, OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth, SsoUser, User},
        DbConn,
    },
    sso_client::Client,
@@ -20,12 +19,10 @@ use crate::{
 pub static FAKE_IDENTIFIER: &str = "VW_DUMMY_IDENTIFIER_FOR_OIDC";
 static AC_CACHE: LazyLock<Cache<OIDCState, AuthenticatedUser>> =
    LazyLock::new(|| Cache::builder().max_capacity(1000).time_to_live(Duration::from_secs(10 * 60)).build());
 static SSO_JWT_ISSUER: LazyLock<String> = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));
-pub static NONCE_EXPIRATION: LazyLock<chrono::Duration> = LazyLock::new(|| chrono::TimeDelta::try_minutes(10).unwrap());
+pub static SSO_AUTH_EXPIRATION: LazyLock<chrono::Duration> =
    LazyLock::new(|| chrono::TimeDelta::try_minutes(10).unwrap());
 #[derive(
    Clone,
@@ -47,6 +44,47 @@ pub static NONCE_EXPIRATION: LazyLock<chrono::Duration> = LazyLock::new(|| chron
 #[from(forward)]
 pub struct OIDCCode(String);
 #[derive(
    Clone,
    Debug,
    Default,
    DieselNewType,
    FromForm,
    PartialEq,
    Eq,
    Hash,
    Serialize,
    Deserialize,
    AsRef,
    Deref,
    Display,
    From,
    Into,
 )]
 #[deref(forward)]
 #[into(owned)]
 pub struct OIDCCodeChallenge(String);
 #[derive(
    Clone,
    Debug,
    Default,
    DieselNewType,
    FromForm,
    PartialEq,
    Eq,
    Hash,
    Serialize,
    Deserialize,
    AsRef,
    Deref,
    Display,
    Into,
 )]
 #[deref(forward)]
 #[into(owned)]
 pub struct OIDCCodeVerifier(String);
 #[derive(
    Clone,
    Debug,
@@ -91,40 +129,6 @@ pub fn encode_ssotoken_claims() -> String {
    auth::encode_jwt(&claims)
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub enum OIDCCodeWrapper {
    Ok {
        state: OIDCState,
        code: OIDCCode,
    },
    Error {
        state: OIDCState,
        error: String,
        error_description: Option<String>,
    },
 }
 #[derive(Debug, Serialize, Deserialize)]
 struct OIDCCodeClaims {
    // Expiration time
    pub exp: i64,
    // Issuer
    pub iss: String,
    pub code: OIDCCodeWrapper,
 }
 pub fn encode_code_claims(code: OIDCCodeWrapper) -> String {
    let time_now = Utc::now();
    let claims = OIDCCodeClaims {
        exp: (time_now + chrono::TimeDelta::try_minutes(5).unwrap()).timestamp(),
        iss: SSO_JWT_ISSUER.to_string(),
        code,
    };
    auth::encode_jwt(&claims)
 }
 #[derive(Clone, Debug, Serialize, Deserialize)]
 struct BasicTokenClaims {
    iat: Option<i64>,
@@ -132,6 +136,12 @@ struct BasicTokenClaims {
    exp: i64,
 }
 #[derive(Deserialize)]
 struct BasicTokenClaimsValidation {
    exp: u64,
    iss: String,
 }
 impl BasicTokenClaims {
    fn nbf(&self) -> i64 {
        self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp())
@@ -139,13 +149,23 @@ impl BasicTokenClaims {
 }
 fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenClaims> {
-    let mut validation = jsonwebtoken::Validation::default();
+    // We need to manually validate this token, since `insecure_decode` does not do this
-    validation.set_issuer(&[CONFIG.sso_authority()]);
+    match jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaimsValidation>(token) {
-    validation.insecure_disable_signature_validation();
+        Ok(btcv) => {
-    validation.validate_aud = false;
+            let now = jsonwebtoken::get_current_timestamp();
            let validate_claim = btcv.claims;
            // Validate the exp in the claim with a leeway of 60 seconds, same as jsonwebtoken does
            if validate_claim.exp < now - 60 {
                err_silent!(format!("Expired Signature for base token claim from {token_name}"))
            }
            if validate_claim.iss.ne(&CONFIG.sso_authority()) {
                err_silent!(format!("Invalid Issuer for base token claim from {token_name}"))
            }
-    match jsonwebtoken::decode(token, &jsonwebtoken::DecodingKey::from_secret(&[]), &validation) {
+            // All is validated and ok, lets decode again using the wanted struct
-        Ok(btc) => Ok(btc.claims),
+            let btc = jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaims>(token).unwrap();
            Ok(btc.claims)
        }
        Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")),
    }
 }
@@ -162,9 +182,14 @@ pub fn decode_state(base64_state: &str) -> ApiResult<OIDCState> {
    Ok(state)
 }
 // The `nonce` allow to protect against replay attacks
 // redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs
-pub async fn authorize_url(state: OIDCState, client_id: &str, raw_redirect_uri: &str, conn: DbConn) -> ApiResult<Url> {
+pub async fn authorize_url(
    state: OIDCState,
    client_challenge: OIDCCodeChallenge,
    client_id: &str,
    raw_redirect_uri: &str,
    conn: DbConn,
 ) -> ApiResult<Url> {
    let redirect_uri = match client_id {
        "web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
        "desktop" | "mobile" => "bitwarden://sso-callback".to_string(),
@@ -178,8 +203,8 @@ pub async fn authorize_url(state: OIDCState, client_id: &str, raw_redirect_uri:
        _ => err!(format!("Unsupported client {client_id}")),
    };
-    let (auth_url, nonce) = Client::authorize_url(state, redirect_uri).await?;
+    let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri).await?;
-    nonce.save(&conn).await?;
+    sso_auth.save(&conn).await?;
    Ok(auth_url)
 }
@@ -209,78 +234,45 @@ impl OIDCIdentifier {
    }
 }
 #[derive(Clone, Debug)]
 pub struct AuthenticatedUser {
    pub refresh_token: Option<String>,
    pub access_token: String,
    pub expires_in: Option<Duration>,
    pub identifier: OIDCIdentifier,
    pub email: String,
    pub email_verified: Option<bool>,
    pub user_name: Option<String>,
 }
 #[derive(Clone, Debug)]
 pub struct UserInformation {
    pub state: OIDCState,
    pub identifier: OIDCIdentifier,
    pub email: String,
    pub email_verified: Option<bool>,
    pub user_name: Option<String>,
 }
 async fn decode_code_claims(code: &str, conn: &DbConn) -> ApiResult<(OIDCCode, OIDCState)> {
    match auth::decode_jwt::<OIDCCodeClaims>(code, SSO_JWT_ISSUER.to_string()) {
        Ok(code_claims) => match code_claims.code {
            OIDCCodeWrapper::Ok {
                state,
                code,
            } => Ok((code, state)),
            OIDCCodeWrapper::Error {
                state,
                error,
                error_description,
            } => {
                if let Err(err) = SsoNonce::delete(&state, conn).await {
                    error!("Failed to delete database sso_nonce using {state}: {err}")
                }
                err!(format!(
                    "SSO authorization failed: {error}, {}",
                    error_description.as_ref().unwrap_or(&String::new())
                ))
            }
        },
        Err(err) => err!(format!("Failed to decode code wrapper: {err}")),
    }
 }
 // During the 2FA flow we will
 //  - retrieve the user information and then only discover he needs 2FA.
-//  - second time we will rely on the `AC_CACHE` since the `code` has already been exchanged.
+//  - second time we will rely on `SsoAuth.auth_response` since the `code` has already been exchanged.
-// The `nonce` will ensure that the user is authorized only once.
+// The `SsoAuth` will ensure that the user is authorized only once.
-// We return only the `UserInformation` to force calling `redeem` to obtain the `refresh_token`.
+pub async fn exchange_code(
-pub async fn exchange_code(wrapped_code: &str, conn: &DbConn) -> ApiResult<UserInformation> {
+    state: &OIDCState,
    client_verifier: OIDCCodeVerifier,
    conn: &DbConn,
 ) -> ApiResult<(SsoAuth, OIDCAuthenticatedUser)> {
    use openidconnect::OAuth2TokenResponse;
-    let (code, state) = decode_code_claims(wrapped_code, conn).await?;
+    let mut sso_auth = match SsoAuth::find(state, conn).await {
        None => err!(format!("Invalid state cannot retrieve sso auth")),
        Some(sso_auth) => sso_auth,
    };
-    if let Some(authenticated_user) = AC_CACHE.get(&state) {
+    if let Some(authenticated_user) = sso_auth.auth_response.clone() {
-        return Ok(UserInformation {
+        return Ok((sso_auth, authenticated_user));
            state,
            identifier: authenticated_user.identifier,
            email: authenticated_user.email,
            email_verified: authenticated_user.email_verified,
            user_name: authenticated_user.user_name,
        });
    }
-    let nonce = match SsoNonce::find(&state, conn).await {
+    let code = match sso_auth.code_response.clone() {
-        None => err!(format!("Invalid state cannot retrieve nonce")),
+        Some(OIDCCodeWrapper::Ok {
-        Some(nonce) => nonce,
+            code,
        }) => code.clone(),
        Some(OIDCCodeWrapper::Error {
            error,
            error_description,
        }) => {
            sso_auth.delete(conn).await?;
            err!(format!("SSO authorization failed: {error}, {}", error_description.as_ref().unwrap_or(&String::new())))
        }
        None => {
            sso_auth.delete(conn).await?;
            err!("Missing authorization provider return");
        }
    };
    let client = Client::cached().await?;
-    let (token_response, id_claims) = client.exchange_code(code, nonce).await?;
+    let (token_response, id_claims) = client.exchange_code(code, client_verifier, &sso_auth).await?;
    let user_info = client.user_info(token_response.access_token().to_owned()).await?;
@@ -300,7 +292,7 @@ pub async fn exchange_code(wrapped_code: &str, conn: &DbConn) -> ApiResult<UserI
    let identifier = OIDCIdentifier::new(id_claims.issuer(), id_claims.subject());
-    let authenticated_user = AuthenticatedUser {
+    let authenticated_user = OIDCAuthenticatedUser {
        refresh_token: refresh_token.cloned(),
        access_token: token_response.access_token().secret().clone(),
        expires_in: token_response.expires_in(),
@@ -311,29 +303,49 @@ pub async fn exchange_code(wrapped_code: &str, conn: &DbConn) -> ApiResult<UserI
    };
    debug!("Authenticated user {authenticated_user:?}");
    sso_auth.auth_response = Some(authenticated_user.clone());
    sso_auth.updated_at = Utc::now().naive_utc();
    sso_auth.save(conn).await?;
-    AC_CACHE.insert(state.clone(), authenticated_user);
+    Ok((sso_auth, authenticated_user))
    Ok(UserInformation {
        state,
        identifier,
        email,
        email_verified,
        user_name,
    })
 }
-// User has passed 2FA flow we can delete `nonce` and clear the cache.
+// User has passed 2FA flow we can delete auth info from database
-pub async fn redeem(state: &OIDCState, conn: &DbConn) -> ApiResult<AuthenticatedUser> {
+pub async fn redeem(
-    if let Err(err) = SsoNonce::delete(state, conn).await {
+    device: &Device,
-        error!("Failed to delete database sso_nonce using {state}: {err}")
+    user: &User,
    client_id: Option<String>,
    sso_user: Option<SsoUser>,
    sso_auth: SsoAuth,
    auth_user: OIDCAuthenticatedUser,
    conn: &DbConn,
 ) -> ApiResult<AuthTokens> {
    sso_auth.delete(conn).await?;
    if sso_user.is_none() {
        let user_sso = SsoUser {
            user_uuid: user.uuid.clone(),
            identifier: auth_user.identifier.clone(),
        };
        user_sso.save(conn).await?;
    }
-    if let Some(au) = AC_CACHE.get(state) {
+    if !CONFIG.sso_auth_only_not_session() {
-        AC_CACHE.invalidate(state);
+        let now = Utc::now();
-        Ok(au)
+
        let (ap_nbf, ap_exp) =
            match (decode_token_claims("access_token", &auth_user.access_token), auth_user.expires_in) {
                (Ok(ap), _) => (ap.nbf(), ap.exp),
                (Err(_), Some(exp)) => (now.timestamp(), (now + exp).timestamp()),
                _ => err!("Non jwt access_token and empty expires_in"),
            };
        let access_claims =
            auth::LoginJwtClaims::new(device, user, ap_nbf, ap_exp, AuthMethod::Sso.scope_vec(), client_id, now);
        _create_auth_tokens(device, auth_user.refresh_token, access_claims, auth_user.access_token)
    } else {
-        err!("Failed to retrieve user info from sso cache")
+        Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id))
    }
 }
@@ -1,21 +1,25 @@
 use std::{borrow::Cow, sync::LazyLock, time::Duration};
 use mini_moka::sync::Cache;
 use openidconnect::{core::*, reqwest, *};
 use regex::Regex;
 use url::Url;
 use crate::{
    api::{ApiResult, EmptyResult},
-    db::models::SsoNonce,
+    db::models::SsoAuth,
-    sso::{OIDCCode, OIDCState},
+    sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
    CONFIG,
 };
 static CLIENT_CACHE_KEY: LazyLock<String> = LazyLock::new(|| "sso-client".to_string());
-static CLIENT_CACHE: LazyLock<Cache<String, Client>> = LazyLock::new(|| {
+static CLIENT_CACHE: LazyLock<moka::sync::Cache<String, Client>> = LazyLock::new(|| {
-    Cache::builder().max_capacity(1).time_to_live(Duration::from_secs(CONFIG.sso_client_cache_expiration())).build()
+    moka::sync::Cache::builder()
        .max_capacity(1)
        .time_to_live(Duration::from_secs(CONFIG.sso_client_cache_expiration()))
        .build()
 });
 static REFRESH_CACHE: LazyLock<moka::future::Cache<String, Result<RefreshTokenResponse, String>>> =
    LazyLock::new(|| moka::future::Cache::builder().max_capacity(1000).time_to_live(Duration::from_secs(30)).build());
 /// OpenID Connect Core client.
 pub type CustomClient = openidconnect::Client<
@@ -38,6 +42,8 @@ pub type CustomClient = openidconnect::Client<
    EndpointSet,
 >;
 pub type RefreshTokenResponse = (Option<String>, String, Option<Duration>);
 #[derive(Clone)]
 pub struct Client {
    pub http_client: reqwest::Client,
@@ -107,7 +113,11 @@ impl Client {
    }
    // The `state` is encoded using base64 to ensure no issue with providers (It contains the Organization identifier).
-    pub async fn authorize_url(state: OIDCState, redirect_uri: String) -> ApiResult<(Url, SsoNonce)> {
+    pub async fn authorize_url(
        state: OIDCState,
        client_challenge: OIDCCodeChallenge,
        redirect_uri: String,
    ) -> ApiResult<(Url, SsoAuth)> {
        let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
        let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());
@@ -122,22 +132,21 @@ impl Client {
            .add_scopes(scopes)
            .add_extra_params(CONFIG.sso_authorize_extra_params_vec());
-        let verifier = if CONFIG.sso_pkce() {
+        if CONFIG.sso_pkce() {
-            let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+            auth_req = auth_req
-            auth_req = auth_req.set_pkce_challenge(pkce_challenge);
+                .add_extra_param::<&str, String>("code_challenge", client_challenge.clone().into())
-            Some(pkce_verifier.into_secret())
+                .add_extra_param("code_challenge_method", "S256");
-        } else {
+        }
            None
        };
        let (auth_url, _, nonce) = auth_req.url();
-        Ok((auth_url, SsoNonce::new(state, nonce.secret().clone(), verifier, redirect_uri)))
+        Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri)))
    }
    pub async fn exchange_code(
        &self,
        code: OIDCCode,
-        nonce: SsoNonce,
+        client_verifier: OIDCCodeVerifier,
        sso_auth: &SsoAuth,
    ) -> ApiResult<(
        StandardTokenResponse<
            IdTokenFields<
@@ -155,17 +164,21 @@ impl Client {
        let mut exchange = self.core_client.exchange_code(oidc_code);
        let verifier = PkceCodeVerifier::new(client_verifier.into());
        if CONFIG.sso_pkce() {
-            match nonce.verifier {
+            exchange = exchange.set_pkce_verifier(verifier);
-                None => err!(format!("Missing verifier in the DB nonce table")),
+        } else {
-                Some(secret) => exchange = exchange.set_pkce_verifier(PkceCodeVerifier::new(secret)),
+            let challenge = PkceCodeChallenge::from_code_verifier_sha256(&verifier);
            if challenge.as_str() != String::from(sso_auth.client_challenge.clone()) {
                err!(format!("PKCE client challenge failed"))
                // Might need to notify admin ? how ?
            }
        }
        match exchange.request_async(&self.http_client).await {
            Err(err) => err!(format!("Failed to contact token endpoint: {:?}", err)),
            Ok(token_response) => {
-                let oidc_nonce = Nonce::new(nonce.nonce);
+                let oidc_nonce = Nonce::new(sso_auth.nonce.clone());
                let id_token = match token_response.extra_fields().id_token() {
                    None => err!("Token response did not contain an id_token"),
@@ -224,23 +237,29 @@ impl Client {
        verifier
    }
-    pub async fn exchange_refresh_token(
+    pub async fn exchange_refresh_token(refresh_token: String) -> ApiResult<RefreshTokenResponse> {
-        refresh_token: String,
+        let client = Client::cached().await?;
-    ) -> ApiResult<(Option<String>, String, Option<Duration>)> {
+
        REFRESH_CACHE
            .get_with(refresh_token.clone(), async move { client._exchange_refresh_token(refresh_token).await })
            .await
            .map_err(Into::into)
    }
    async fn _exchange_refresh_token(&self, refresh_token: String) -> Result<RefreshTokenResponse, String> {
        let rt = RefreshToken::new(refresh_token);
-        let client = Client::cached().await?;
+        match self.core_client.exchange_refresh_token(&rt).request_async(&self.http_client).await {
-        let token_response =
+            Err(err) => {
-            match client.core_client.exchange_refresh_token(&rt).request_async(&client.http_client).await {
+                error!("Request to exchange_refresh_token endpoint failed: {err}");
-                Err(err) => err!(format!("Request to exchange_refresh_token endpoint failed: {:?}", err)),
+                Err(format!("Request to exchange_refresh_token endpoint failed: {err}"))
-                Ok(token_response) => token_response,
+            }
-            };
+            Ok(token_response) => Ok((
-
+                token_response.refresh_token().map(|token| token.secret().clone()),
-        Ok((
+                token_response.access_token().secret().clone(),
-            token_response.refresh_token().map(|token| token.secret().clone()),
+                token_response.expires_in(),
-            token_response.access_token().secret().clone(),
+            )),
-            token_response.expires_in(),
+        }
        ))
    }
 }
@@ -111,7 +111,8 @@
      "microsoftstore.com",
      "xbox.com",
      "azure.com",
-      "windowsazure.com"
+      "windowsazure.com",
      "cloud.microsoft"
    ],
    "excluded": false
  },
@@ -971,5 +972,13 @@
      "pinterest.se"
    ],
    "excluded": false
  },
  {
    "type": 91,
    "domains": [
      "twitter.com",
      "x.com"
    ],
    "excluded": false
  }
 ]
@@ -58,3 +58,20 @@ img {
 .abbr-badge {
    cursor: help;
 }
 .theme-icon,
 .theme-icon-active {
    display: inline-flex;
    flex: 0 0 1.75em;
    justify-content: center;
 }
 .theme-icon svg,
 .theme-icon-active svg {
    width: 1.25em;
    height: 1.25em;
    min-width: 1.25em;
    min-height: 1.25em;
    display: block;
    overflow: visible;
 }
@@ -1,6 +1,6 @@
 "use strict";
 /* eslint-env es2017, browser */
-/* exported BASE_URL, _post */
+/* exported BASE_URL, _post _delete */
 function getBaseUrl() {
    // If the base URL is `https://vaultwarden.example.com/base/path/admin/`,
@@ -106,7 +106,11 @@ const showActiveTheme = (theme, focus = false) => {
    const themeSwitcherText = document.querySelector("#bd-theme-text");
    const activeThemeIcon = document.querySelector(".theme-icon-active use");
    const btnToActive = document.querySelector(`[data-bs-theme-value="${theme}"]`);
-    const svgOfActiveBtn = btnToActive.querySelector("span use").textContent;
+    if (!btnToActive) {
        return;
    }
    const btnIconUse = btnToActive ? btnToActive.querySelector("[data-theme-icon-use]") : null;
    const iconHref = btnIconUse ? btnIconUse.getAttribute("href") || btnIconUse.getAttribute("xlink:href") : null;
    document.querySelectorAll("[data-bs-theme-value]").forEach(element => {
        element.classList.remove("active");
@@ -115,7 +119,12 @@ const showActiveTheme = (theme, focus = false) => {
    btnToActive.classList.add("active");
    btnToActive.setAttribute("aria-pressed", "true");
-    activeThemeIcon.textContent = svgOfActiveBtn;
+
    if (iconHref && activeThemeIcon) {
        activeThemeIcon.setAttribute("href", iconHref);
        activeThemeIcon.setAttribute("xlink:href", iconHref);
    }
    const themeSwitcherLabel = `${themeSwitcherText.textContent} (${btnToActive.dataset.bsThemeValue})`;
    themeSwitcher.setAttribute("aria-label", themeSwitcherLabel);
@@ -29,7 +29,7 @@ function isValidIp(ip) {
    return ipv4Regex.test(ip) || ipv6Regex.test(ip);
 }
-function checkVersions(platform, installed, latest, commit=null, pre_release=false) {
+function checkVersions(platform, installed, latest, commit=null, compare_order=0) {
    if (installed === "-" || latest === "-") {
        document.getElementById(`${platform}-failed`).classList.remove("d-none");
        return;
@@ -37,7 +37,7 @@ function checkVersions(platform, installed, latest, commit=null, pre_release=fal
    // Only check basic versions, no commit revisions
    if (commit === null || installed.indexOf("-") === -1) {
-        if (platform === "web" && pre_release === true) {
+        if (platform === "web" && compare_order === 1) {
            document.getElementById(`${platform}-prerelease`).classList.remove("d-none");
        } else if (installed == latest) {
            document.getElementById(`${platform}-success`).classList.remove("d-none");
@@ -83,7 +83,7 @@ async function generateSupportString(event, dj) {
    let supportString = "### Your environment (Generated via diagnostics page)\n\n";
    supportString += `* Vaultwarden version: v${dj.current_release}\n`;
-    supportString += `* Web-vault version: v${dj.web_vault_version}\n`;
+    supportString += `* Web-vault version: v${dj.active_web_release}\n`;
    supportString += `* OS/Arch: ${dj.host_os}/${dj.host_arch}\n`;
    supportString += `* Running within a container: ${dj.running_within_container} (Base: ${dj.container_base_image})\n`;
    supportString += `* Database type: ${dj.db_type}\n`;
@@ -109,6 +109,9 @@ async function generateSupportString(event, dj) {
        supportString += "* Websocket Check: disabled\n";
    }
    supportString += `* HTTP Response Checks: ${httpResponseCheck}\n`;
    if (dj.invalid_feature_flags != "") {
        supportString += `* Invalid feature flags: true\n`;
    }
    const jsonResponse = await fetch(`${BASE_URL}/admin/diagnostics/config`, {
        "headers": { "Accept": "application/json" }
@@ -128,6 +131,10 @@ async function generateSupportString(event, dj) {
        supportString += `\n**Environment settings which are overridden:** ${dj.overrides}\n`;
    }
    if (dj.invalid_feature_flags != "") {
        supportString += `\n**Invalid feature flags:** ${dj.invalid_feature_flags}\n`;
    }
    // Add http response check messages if they exists
    if (httpResponseCheck === false) {
        supportString += "\n**Failed HTTP Checks:**\n";
@@ -208,9 +215,9 @@ function initVersionCheck(dj) {
    }
    checkVersions("server", serverInstalled, serverLatest, serverLatestCommit);
-    const webInstalled = dj.web_vault_version;
+    const webInstalled = dj.active_web_release;
-    const webLatest = dj.latest_web_build;
+    const webLatest = dj.latest_web_release;
-    checkVersions("web", webInstalled, webLatest, null, dj.web_vault_pre_release);
+    checkVersions("web", webInstalled, webLatest, null, dj.web_vault_compare);
 }
 function checkDns(dns_resolved) {
@@ -1,6 +1,6 @@
 "use strict";
 /* eslint-env es2017, browser, jquery */
-/* global _post:readable, BASE_URL:readable, reload:readable, jdenticon:readable */
+/* global _post:readable, _delete:readable BASE_URL:readable, reload:readable, jdenticon:readable */
 function deleteUser(event) {
    event.preventDefault();
@@ -1,5 +1,5 @@
 /*!
-  * Bootstrap v5.3.7 (https://getbootstrap.com/)
+  * Bootstrap v5.3.8 (https://getbootstrap.com/)
  * Copyright 2011-2025 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors)
  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
  */
@@ -647,7 +647,7 @@
   * Constants
   */
-  const VERSION = '5.3.7';
+  const VERSION = '5.3.8';
  /**
   * Class definition
@@ -3690,9 +3690,6 @@
      this._element.setAttribute('aria-expanded', 'false');
      Manipulator.removeDataAttribute(this._menu, 'popper');
      EventHandler.trigger(this._element, EVENT_HIDDEN$5, relatedTarget);
      // Explicitly return focus to the trigger element
      this._element.focus();
    }
    _getConfig(config) {
      config = super._getConfig(config);
@@ -1,6 +1,6 @@
@charset "UTF-8";
 /*!
- * Bootstrap  v5.3.7 (https://getbootstrap.com/)
+ * Bootstrap  v5.3.8 (https://getbootstrap.com/)
 * Copyright 2011-2025 The Bootstrap Authors
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
 */
@@ -547,6 +547,10 @@ legend + * {
  -webkit-appearance: textfield;
  outline-offset: -2px;
 }
 [type=search]::-webkit-search-cancel-button {
  cursor: pointer;
  filter: grayscale(1);
 }
 /* rtl:raw:
 [type="tel"],
@@ -6208,6 +6212,7 @@ textarea.form-control-lg {
 .spinner-grow,
 .spinner-border {
  display: inline-block;
  flex-shrink: 0;
  width: var(--bs-spinner-width);
  height: var(--bs-spinner-height);
  vertical-align: var(--bs-spinner-vertical-align);
@@ -4,20 +4,21 @@
 *
 * To rebuild or modify this file with the latest versions of the included
 * software please visit:
- *   https://datatables.net/download/#bs5/dt-2.3.2
+ *   https://datatables.net/download/#bs5/dt-2.3.7
 *
 * Included libraries:
- *   DataTables 2.3.2
+ *   DataTables 2.3.7
 */
 :root {
  --dt-row-selected: 13, 110, 253;
  --dt-row-selected-text: 255, 255, 255;
-  --dt-row-selected-link: 9, 10, 11;
+  --dt-row-selected-link: 228, 228, 228;
  --dt-row-stripe: 0, 0, 0;
  --dt-row-hover: 0, 0, 0;
  --dt-column-ordering: 0, 0, 0;
  --dt-header-align-items: center;
  --dt-header-vertical-align: middle;
  --dt-html-background: white;
 }
 :root.dark {
@@ -87,42 +88,42 @@ table.dataTable thead > tr > th:active,
 table.dataTable thead > tr > td:active {
  outline: none;
 }
-table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before,
+table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before {
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before {
  position: absolute;
  display: block;
  bottom: 50%;
  content: "\25B2";
  content: "\25B2"/"";
 }
-table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
+table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
  position: absolute;
  display: block;
  top: 50%;
  content: "\25BC";
  content: "\25BC"/"";
 }
-table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order,
+table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order {
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order {
  position: relative;
  width: 12px;
  height: 20px;
 }
-table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
+table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:after, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
  left: 0;
  opacity: 0.125;
  line-height: 9px;
@@ -139,14 +140,15 @@ table.dataTable thead > tr > td.dt-orderable-desc:hover {
  outline: 2px solid rgba(0, 0, 0, 0.05);
  outline-offset: -2px;
 }
-table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
+table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
  opacity: 0.6;
 }
-table.dataTable thead > tr > th.sorting_desc_disabled span.dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled span.dt-column-order:before,
+table.dataTable thead > tr > th.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) .dt-column-order:empty, table.dataTable thead > tr > th.sorting_desc_disabled .dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled .dt-column-order:before,
-table.dataTable thead > tr > td.sorting_desc_disabled span.dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) .dt-column-order:empty,
-table.dataTable thead > tr > td.sorting_asc_disabled span.dt-column-order:before {
+table.dataTable thead > tr > td.sorting_desc_disabled .dt-column-order:after,
 table.dataTable thead > tr > td.sorting_asc_disabled .dt-column-order:before {
  display: none;
 }
 table.dataTable thead > tr > th:active,
@@ -167,24 +169,24 @@ table.dataTable tfoot > tr > td div.dt-column-footer {
  align-items: var(--dt-header-align-items);
  gap: 4px;
 }
-table.dataTable thead > tr > th div.dt-column-header span.dt-column-title,
+table.dataTable thead > tr > th div.dt-column-header .dt-column-title,
-table.dataTable thead > tr > th div.dt-column-footer span.dt-column-title,
+table.dataTable thead > tr > th div.dt-column-footer .dt-column-title,
-table.dataTable thead > tr > td div.dt-column-header span.dt-column-title,
+table.dataTable thead > tr > td div.dt-column-header .dt-column-title,
-table.dataTable thead > tr > td div.dt-column-footer span.dt-column-title,
+table.dataTable thead > tr > td div.dt-column-footer .dt-column-title,
-table.dataTable tfoot > tr > th div.dt-column-header span.dt-column-title,
+table.dataTable tfoot > tr > th div.dt-column-header .dt-column-title,
-table.dataTable tfoot > tr > th div.dt-column-footer span.dt-column-title,
+table.dataTable tfoot > tr > th div.dt-column-footer .dt-column-title,
-table.dataTable tfoot > tr > td div.dt-column-header span.dt-column-title,
+table.dataTable tfoot > tr > td div.dt-column-header .dt-column-title,
-table.dataTable tfoot > tr > td div.dt-column-footer span.dt-column-title {
+table.dataTable tfoot > tr > td div.dt-column-footer .dt-column-title {
  flex-grow: 1;
 }
-table.dataTable thead > tr > th div.dt-column-header span.dt-column-title:empty,
+table.dataTable thead > tr > th div.dt-column-header .dt-column-title:empty,
-table.dataTable thead > tr > th div.dt-column-footer span.dt-column-title:empty,
+table.dataTable thead > tr > th div.dt-column-footer .dt-column-title:empty,
-table.dataTable thead > tr > td div.dt-column-header span.dt-column-title:empty,
+table.dataTable thead > tr > td div.dt-column-header .dt-column-title:empty,
-table.dataTable thead > tr > td div.dt-column-footer span.dt-column-title:empty,
+table.dataTable thead > tr > td div.dt-column-footer .dt-column-title:empty,
-table.dataTable tfoot > tr > th div.dt-column-header span.dt-column-title:empty,
+table.dataTable tfoot > tr > th div.dt-column-header .dt-column-title:empty,
-table.dataTable tfoot > tr > th div.dt-column-footer span.dt-column-title:empty,
+table.dataTable tfoot > tr > th div.dt-column-footer .dt-column-title:empty,
-table.dataTable tfoot > tr > td div.dt-column-header span.dt-column-title:empty,
+table.dataTable tfoot > tr > td div.dt-column-header .dt-column-title:empty,
-table.dataTable tfoot > tr > td div.dt-column-footer span.dt-column-title:empty {
+table.dataTable tfoot > tr > td div.dt-column-footer .dt-column-title:empty {
  display: none;
 }
@@ -340,6 +342,7 @@ table.dataTable thead td,
 table.dataTable tfoot th,
 table.dataTable tfoot td {
  text-align: left;
  vertical-align: var(--dt-header-vertical-align);
 }
 table.dataTable thead th.dt-head-left,
 table.dataTable thead td.dt-head-left,
@@ -422,10 +425,6 @@ table.dataTable tbody td.dt-body-nowrap {
  white-space: nowrap;
 }
 :root {
  --dt-header-align-items: flex-end;
 }
 /*! Bootstrap 5 integration for DataTables
 *
 * ©2020 SpryMedia Ltd, all rights reserved.
@@ -453,7 +452,7 @@ table.table.dataTable > tbody > tr.selected > * {
  color: rgb(var(--dt-row-selected-text));
 }
 table.table.dataTable > tbody > tr.selected a {
-  color: rgb(9, 10, 11);
+  color: rgb(228, 228, 228);
  color: rgb(var(--dt-row-selected-link));
 }
 table.table.dataTable.table-striped > tbody > tr:nth-of-type(2n+1) > * {
@@ -589,16 +588,16 @@ table.dataTable.table-sm > thead > tr td.dt-ordering-asc,
 table.dataTable.table-sm > thead > tr td.dt-ordering-desc {
  padding-right: 0.25rem;
 }
-table.dataTable.table-sm > thead > tr th.dt-orderable-asc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-orderable-desc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-asc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-desc span.dt-column-order,
+table.dataTable.table-sm > thead > tr th.dt-orderable-asc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-orderable-desc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-asc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-desc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-orderable-asc span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-orderable-asc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-orderable-desc span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-orderable-desc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-ordering-asc span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-ordering-asc .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-ordering-desc span.dt-column-order {
+table.dataTable.table-sm > thead > tr td.dt-ordering-desc .dt-column-order {
  right: 0.25rem;
 }
-table.dataTable.table-sm > thead > tr th.dt-type-date span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-type-numeric span.dt-column-order,
+table.dataTable.table-sm > thead > tr th.dt-type-date .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-type-numeric .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-type-date span.dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-type-date .dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-type-numeric span.dt-column-order {
+table.dataTable.table-sm > thead > tr td.dt-type-numeric .dt-column-order {
  left: 0.25rem;
 }
@@ -607,7 +606,8 @@ div.dt-scroll-head table.table-bordered {
 }
 div.table-responsive > div.dt-container > div.row {
-  margin: 0;
+  margin-left: 0;
  margin-right: 0;
 }
 div.table-responsive > div.dt-container > div.row > div[class^=col-]:first-child {
  padding-left: 0;
@@ -11,6 +11,21 @@
    <script src="{{urlpath}}/vw_static/admin.js"></script>
 </head>
 <body>
    <svg xmlns="http://www.w3.org/2000/svg" class="d-none">
        <symbol id="vw-icon-sun" viewBox="0 0 24 24">
            <circle cx="12" cy="12" r="5" fill="currentColor"/>
            <g stroke="currentColor" stroke-linecap="round" stroke-width="1.5">
                <path d="M12 2v3M12 19v3M4.22 4.22l2.12 2.12M17.66 17.66l2.12 2.12M2 12h3M19 12h3M4.22 19.78l2.12-2.12M17.66 6.34l2.12-2.12"/>
            </g>
        </symbol>
        <symbol id="vw-icon-moon" viewBox="0 0 24 24">
            <path fill="currentColor" stroke-width=".8" d="M18.4 17.8A9 8.6 0 0 1 13 2a10.5 10 0 1 0 9 14.4 9.4 9 0 0 1-3.6 1.4"/>
        </symbol>
        <symbol id="vw-icon-auto" viewBox="0 0 24 24">
            <circle cx="12" cy="12" r="9" fill="none" stroke="currentColor" stroke-width="1.5"/>
            <path fill="currentColor" d="M12 3a9 9 0 1 1 0 18Z"/>
        </symbol>
    </svg>
    <nav class="navbar navbar-expand-md navbar-dark bg-dark mb-4 shadow fixed-top">
        <div class="container-xl">
            <a class="navbar-brand" href="{{urlpath}}/admin"><img class="vaultwarden-icon" src="{{urlpath}}/vw_static/vaultwarden-icon.png" alt="V">aultwarden Admin</a>
@@ -39,14 +54,16 @@
                    </li>
                </ul>
-                <ul class="navbar-nav">
+                <ul class="navbar-nav mx-3">
                    <li class="nav-item dropdown">
                        <button
                            class="btn btn-link nav-link py-0 px-0 px-md-2 dropdown-toggle d-flex align-items-center"
                            id="bd-theme" type="button" aria-expanded="false" data-bs-toggle="dropdown"
                            data-bs-display="static" aria-label="Toggle theme (auto)">
                            <span class="my-1 fs-4 theme-icon-active">
-                                <use>&#9775;</use>
+                                <svg class="vw-theme-icon" focusable="false" aria-hidden="true">
                                    <use data-theme-icon-use href="#vw-icon-auto"></use>
                                </svg>
                            </span>
                            <span class="d-md-none ms-2" id="bd-theme-text">Toggle theme</span>
                        </button>
@@ -55,7 +72,9 @@
                                <button type="button" class="dropdown-item d-flex align-items-center"
                                    data-bs-theme-value="light" aria-pressed="false">
                                    <span class="me-2 fs-4 theme-icon">
-                                        <use>&#9728;</use>
+                                        <svg class="vw-theme-icon" focusable="false" aria-hidden="true">
                                            <use data-theme-icon-use href="#vw-icon-sun"></use>
                                        </svg>
                                    </span>
                                    Light
                                </button>
@@ -64,7 +83,9 @@
                                <button type="button" class="dropdown-item d-flex align-items-center"
                                    data-bs-theme-value="dark" aria-pressed="false">
                                    <span class="me-2 fs-4 theme-icon">
-                                        <use>&starf;</use>
+                                        <svg class="vw-theme-icon" focusable="false" aria-hidden="true">
                                            <use data-theme-icon-use href="#vw-icon-moon"></use>
                                        </svg>
                                    </span>
                                    Dark
                                </button>
@@ -73,7 +94,9 @@
                                <button type="button" class="dropdown-item d-flex align-items-center active"
                                    data-bs-theme-value="auto" aria-pressed="true">
                                    <span class="me-2 fs-4 theme-icon">
-                                        <use>&#9775;</use>
+                                        <svg class="vw-theme-icon" focusable="false" aria-hidden="true">
                                            <use data-theme-icon-use href="#vw-icon-auto"></use>
                                        </svg>
                                    </span>
                                    Auto
                                </button>
@@ -8,7 +8,7 @@
                <dl class="row">
                    <dt class="col-sm-5">Server Installed
                        <span class="badge bg-success d-none abbr-badge" id="server-success" title="Latest version is installed.">Ok</span>
-                        <span class="badge bg-warning text-dark d-none abbr-badge" id="server-warning" title="There seems to be an update available.">Update</span>
+                        <span class="badge bg-warning text-dark d-none abbr-badge" id="server-warning" title="An update is available.">Update</span>
                        <span class="badge bg-info text-dark d-none abbr-badge" id="server-branch" title="This is a branched version.">Branched</span>
                    </dt>
                    <dd class="col-sm-7">
@@ -23,17 +23,17 @@
                    {{#if page_data.web_vault_enabled}}
                    <dt class="col-sm-5">Web Installed
                        <span class="badge bg-success d-none abbr-badge" id="web-success" title="Latest version is installed.">Ok</span>
-                        <span class="badge bg-warning text-dark d-none abbr-badge" id="web-warning" title="There seems to be an update available.">Update</span>
+                        <span class="badge bg-warning text-dark d-none abbr-badge" id="web-warning" title="An update is available.">Update</span>
-                        <span class="badge bg-info text-dark d-none abbr-badge" id="web-prerelease" title="You seem to be using a pre-release version.">Pre-Release</span>
+                        <span class="badge bg-info text-dark d-none abbr-badge" id="web-prerelease" title="You are using a pre-release version.">Pre-Release</span>
                    </dt>
                    <dd class="col-sm-7">
-                        <span id="web-installed">{{page_data.web_vault_version}}</span>
+                        <span id="web-installed">{{page_data.active_web_release}}</span>
                    </dd>
                    <dt class="col-sm-5">Web Latest
                        <span class="badge bg-secondary d-none abbr-badge" id="web-failed" title="Unable to determine latest version.">Unknown</span>
                    </dt>
                    <dd class="col-sm-7">
-                        <span id="web-latest">{{page_data.latest_web_build}}</span>
+                        <span id="web-latest">{{page_data.latest_web_release}}</span>
                    </dd>
                    {{/if}}
                    {{#unless page_data.web_vault_enabled}}
@@ -194,6 +194,14 @@
                    <dd class="col-sm-7">
                        <span id="http-response-errors" class="d-block"></span>
                    </dd>
                    {{#if page_data.invalid_feature_flags}}
                    <dt class="col-sm-5">Invalid Feature Flags
                        <span class="badge bg-warning text-dark abbr-badge" id="feature-flag-warning" title="Some feature flags are invalid or outdated!">Warning</span>
                    </dt>
                    <dd class="col-sm-7">
                        <span id="feature-flags" class="d-block"><b>Flags:</b> <span id="feature-flags-string">{{page_data.invalid_feature_flags}}</span></span>
                    </dd>
                    {{/if}}
                </dl>
            </div>
        </div>
@@ -59,7 +59,7 @@
 </main>
 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-3.7.1.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-4.0.0.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script src="{{urlpath}}/vw_static/admin_organizations.js"></script>
 <script src="{{urlpath}}/vw_static/jdenticon-3.3.0.js"></script>
@@ -153,7 +153,7 @@
 </main>
 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-3.7.1.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-4.0.0.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script src="{{urlpath}}/vw_static/admin_users.js"></script>
 <script src="{{urlpath}}/vw_static/jdenticon-3.3.0.js"></script>
@@ -1,4 +1,4 @@
-You have been removed from {{{org_name}}}
+Your access to {{{org_name}}} has been revoked
 <!---------------->
-Your user account has been removed from the *{{org_name}}* organization because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations or join with a different account.
+Your access to the *{{org_name}}* organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
 {{> email/email_footer_text }}
@@ -1,10 +1,10 @@
-You have been removed from {{{org_name}}}
+Your access to {{{org_name}}} has been revoked
 <!---------------->
 {{> email/email_header }}
 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
   <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
      <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-         Your user account has been removed from the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{org_name}}</b> organization because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations or join with a different account.
+         Your access to the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{org_name}}</b> organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
      </td>
   </tr>
 </table>
@@ -158,6 +158,13 @@ app-root a[routerlink="/signup"] {
 {{/if}}
 {{/if}}
 {{#if remember_2fa_disabled}}
 /* Hide checkbox to remember 2FA token for 30 days */
 app-two-factor-auth > form > bit-form-control {
  @extend %vw-hide;
 }
 {{/if}}
 {{#unless mail_2fa_enabled}}
 /* Hide `Email` 2FA if mail is not enabled */
 .providers-2fa-1 {
@@ -192,6 +199,19 @@ bit-nav-item[route="sends"] {
  @extend %vw-hide;
 }
 {{/unless}}
 {{#unless password_hints_allowed}}
 /* Hide password hints if not allowed */
 a[routerlink="/hint"],
 {{#if (webver "<2025.12.2")}}
 app-change-password > form > .form-group:nth-child(5),
 auth-input-password > form > bit-form-field:nth-child(4) {
 {{else}}
 .vw-password-hint {
 {{/if}}
  @extend %vw-hide;
 }
 {{/unless}}
 /**** End Dynamic Vaultwarden Changes ****/
 /**** Include a special user stylesheet for custom changes ****/
 {{#if load_user_scss}}
@@ -16,7 +16,10 @@ use tokio::{
    time::{sleep, Duration},
 };
-use crate::{config::PathType, CONFIG};
+use crate::{
    config::{PathType, SUPPORTED_FEATURE_FLAGS},
    CONFIG,
 };
 pub struct AppHeaders();
@@ -153,9 +156,11 @@ impl Cors {
    fn get_allowed_origin(headers: &HeaderMap<'_>) -> Option<String> {
        let origin = Cors::get_header(headers, "Origin");
        let safari_extension_origin = "file://";
        let desktop_custom_file_origin = "bw-desktop-file://bundle";
        if origin == CONFIG.domain_origin()
            || origin == safari_extension_origin
            || origin == desktop_custom_file_origin
            || (CONFIG.sso_enabled() && origin == CONFIG.sso_authority())
        {
            Some(origin)
@@ -531,7 +536,7 @@ struct WebVaultVersion {
    version: String,
 }
-pub fn get_web_vault_version() -> String {
+pub fn get_active_web_release() -> String {
    let version_files = [
        format!("{}/vw-version.json", CONFIG.web_vault_folder()),
        format!("{}/version.json", CONFIG.web_vault_folder()),
@@ -629,6 +634,21 @@ fn _process_key(key: &str) -> String {
    }
 }
 pub fn deser_opt_nonempty_str<'de, D, T>(deserializer: D) -> Result<Option<T>, D::Error>
 where
    D: Deserializer<'de>,
    T: From<String>,
 {
    use serde::Deserialize;
    Ok(Option::<String>::deserialize(deserializer)?.and_then(|s| {
        if s.is_empty() {
            None
        } else {
            Some(T::from(s))
        }
    }))
 }
 #[derive(Clone, Debug, Deserialize)]
 #[serde(untagged)]
 pub enum NumberOrString {
@@ -763,21 +783,28 @@ pub fn convert_json_key_lcase_first(src_json: Value) -> Value {
    }
 }
 pub enum FeatureFlagFilter {
    #[allow(dead_code)]
    Unfiltered,
    ValidOnly,
    InvalidOnly,
 }
 /// Parses the experimental client feature flags string into a HashMap.
-pub fn parse_experimental_client_feature_flags(experimental_client_feature_flags: &str) -> HashMap<String, bool> {
+pub fn parse_experimental_client_feature_flags(
-    // These flags could still be configured, but are deprecated and not used anymore
+    experimental_client_feature_flags: &str,
-    // To prevent old installations from starting filter these out and not error out
+    filter_mode: FeatureFlagFilter,
-    const DEPRECATED_FLAGS: &[&str] =
+) -> HashMap<String, bool> {
        &["autofill-overlay", "autofill-v2", "browser-fileless-import", "extension-refresh", "fido2-vault-credentials"];
    experimental_client_feature_flags
        .split(',')
-        .filter_map(|f| {
+        .map(str::trim)
-            let flag = f.trim();
+        .filter(|flag| !flag.is_empty())
-            if !flag.is_empty() && !DEPRECATED_FLAGS.contains(&flag) {
+        .filter(|flag| match filter_mode {
-                return Some((flag.to_owned(), true));
+            FeatureFlagFilter::Unfiltered => true,
-            }
+            FeatureFlagFilter::ValidOnly => SUPPORTED_FEATURE_FLAGS.contains(flag),
-            None
+            FeatureFlagFilter::InvalidOnly => !SUPPORTED_FEATURE_FLAGS.contains(flag),
        })
        .map(|flag| (flag.to_owned(), true))
        .collect()
 }
@@ -79,3 +79,4 @@ for name, domain_list in domain_lists.items():
 # Write out the global domains JSON file.
 with open(file=OUTPUT_FILE, mode='w', encoding='utf-8') as f:
    json.dump(global_domains, f, indent=2)
    f.write("\n")