Cached config operations

Update lockfile (#6600 )
Add wrapped named variants to UserDecryptionOptions (#6598 )
2026-05-31 16:00:14 +03:00 · 2025-12-28 23:44:50 +01:00 · 2025-12-28 01:07:17 +01:00 · 2025-12-27 23:35:04 +01:00 · 2025-12-23 16:27:53 +01:00 · 2025-12-23 16:26:28 +01:00
61 changed files with 1865 additions and 1453 deletions
@@ -183,9 +183,9 @@
 ## Defaults to every minute. Set blank to disable this job.
 # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
 #
-## Cron schedule of the job that cleans sso nonce from incomplete flow
+## Cron schedule of the job that cleans sso auth from incomplete flow
 ## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
-# PURGE_INCOMPLETE_SSO_NONCE="0 20 0 * * *"
+# PURGE_INCOMPLETE_SSO_AUTH="0 20 0 * * *"

 ########################
 ### General settings ###
@@ -348,7 +348,7 @@
 ## Default: 2592000 (30 days)
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
-## Default: 2592000 (3 days)
+## Default: 259200 (3 days)
 # ICON_CACHE_NEGTTL=259200

 ## Icon download timeout
@@ -472,6 +472,11 @@
 ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
 # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false

+## Prefer IPv6 (AAAA) resolving
+## This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
+## This could be useful in IPv6 only environments.
+# DNS_PREFER_IPV6=false
+
 #####################################
 ### SSO settings (OpenID Connect) ###
 #####################################
@@ -54,7 +54,7 @@ jobs:

      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -80,7 +80,7 @@ jobs:

      # Only install the clippy and rustfmt components on the default rust-toolchain
      - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # master @ Sep 16, 2025, 8:37 PM GMT+2
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
        if: ${{ matrix.channel == 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -90,7 +90,7 @@ jobs:

      # Install the any other channel to be used for which we do not execute clippy and rustfmt
      - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # master @ Sep 16, 2025, 8:37 PM GMT+2
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
        if: ${{ matrix.channel != 'rust-toolchain' }}
        with:
          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -115,7 +115,7 @@ jobs:

      # Enable Rust Caching
      - name: Rust Caching
-        uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
        with:
          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
@@ -12,7 +12,7 @@ jobs:
    steps:
      # Checkout the repo
      - name: "Checkout"
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
      # End Checkout the repo
@@ -13,7 +13,7 @@ jobs:
    steps:
      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -34,7 +34,7 @@ jobs:
      # End Download hadolint
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
      # End Checkout the repo
@@ -16,6 +16,23 @@ concurrency:
  # Don't cancel other runs when creating a tag
  cancel-in-progress: ${{ github.ref_type == 'branch' }}

+defaults:
+  run:
+    shell: bash
+
+env:
+  # The *_REPO variables need to be configured as repository variables
+  # Append `/settings/variables/actions` to your repo url
+  # DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
+  # Check for Docker hub credentials in secrets
+  HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+  # GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
+  # Check for Github credentials in secrets
+  HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
+  # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
+  # Check for Quay.io credentials in secrets
+  HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
+
 jobs:
  docker-build:
    name: Build Vaultwarden containers
@@ -25,30 +42,14 @@ jobs:
      contents: read
      attestations: write # Needed to generate an artifact attestation for a build
      id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
-    runs-on: ubuntu-24.04
+    runs-on: ${{ contains(matrix.arch, 'arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
    timeout-minutes: 120
-    # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them
-    services:
-      registry:
-        image: registry@sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0
-        ports:
-          - 5000:5000
    env:
      SOURCE_COMMIT: ${{ github.sha }}
      SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
-      # The *_REPO variables need to be configured as repository variables
-      # Append `/settings/variables/actions` to your repo url
-      # DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
-      # Check for Docker hub credentials in secrets
-      HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
-      # GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
-      # Check for Github credentials in secrets
-      HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
-      # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
-      # Check for Quay.io credentials in secrets
-      HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
    strategy:
      matrix:
+        arch: ["amd64", "arm64", "arm/v7", "arm/v6"]
        base_image: ["debian","alpine"]

    steps:
@@ -59,7 +60,7 @@ jobs:

      # Start Docker Buildx
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
@@ -72,25 +73,24 @@ jobs:

      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        # We need fetch-depth of 0 so we also get all the tag metadata
        with:
          persist-credentials: false
          fetch-depth: 0

-      # Determine Base Tags and Source Version
-      - name: Determine Base Tags and Source Version
-        shell: bash
+      # Normalize the architecture string for use in paths and cache keys
+      - name: Normalize architecture string
        env:
-          REF_TYPE: ${{ github.ref_type }}
+          MATRIX_ARCH: ${{ matrix.arch }}
        run: |
-          # Check which main tag we are going to build determined by ref_type
-          if [[ "${REF_TYPE}" == "tag" ]]; then
-            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
-          elif [[ "${REF_TYPE}" == "branch" ]]; then
-            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
-          fi
+          # Replace slashes with nothing to create a safe string for paths/cache keys
+          NORMALIZED_ARCH="${MATRIX_ARCH//\/}"
+          echo "NORMALIZED_ARCH=${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}"

+      # Determine Source Version
+      - name: Determine Source Version
+        run: |
          # Get the Source Version for this release
          GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
          if [[ -n "${GIT_EXACT_TAG}" ]]; then
@@ -99,7 +99,6 @@ jobs:
              GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
              echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
          fi
-      # End Determine Base Tags

      # Login to Docker Hub
      - name: Login to Docker Hub
@@ -111,7 +110,6 @@ jobs:

      - name: Add registry for DockerHub
        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-        shell: bash
        env:
          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
        run: |
@@ -128,7 +126,6 @@ jobs:

      - name: Add registry for ghcr.io
        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
-        shell: bash
        env:
          GHCR_REPO: ${{ vars.GHCR_REPO }}
        run: |
@@ -145,55 +142,65 @@ jobs:

      - name: Add registry for Quay.io
        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
-        shell: bash
        env:
          QUAY_REPO: ${{ vars.QUAY_REPO }}
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}"

      - name: Configure build cache from/to
-        shell: bash
        env:
          GHCR_REPO: ${{ vars.GHCR_REPO }}
          BASE_IMAGE: ${{ matrix.base_image }}
+          NORMALIZED_ARCH: ${{ env.NORMALIZED_ARCH }}
        run: |
          #
          # Check if there is a GitHub Container Registry Login and use it for caching
          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
-            echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}" | tee -a "${GITHUB_ENV}"
-            echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
          else
            echo "BAKE_CACHE_FROM="
            echo "BAKE_CACHE_TO="
          fi
          #

-      - name: Add localhost registry
-        shell: bash
+      - name: Generate tags
+        id: tags
+        env:
+          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
        run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
+          # Convert comma-separated list to newline-separated set commands
+          TAGS=$(echo "${CONTAINER_REGISTRIES}" | tr ',' '\n' | sed "s|.*|*.tags=&|")
+
+          # Output for use in next step
+          {
+            echo "TAGS<<EOF"
+            echo "$TAGS"
+            echo "EOF"
+          } >> "$GITHUB_ENV"

      - name: Bake ${{ matrix.base_image }} containers
        id: bake_vw
-        uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6.9.0
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
        env:
-          BASE_TAGS: "${{ env.BASE_TAGS }}"
+          BASE_TAGS: "${{ steps.determine-version.outputs.BASE_TAGS }}"
          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
          SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
          SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
-          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
        with:
          pull: true
-          push: true
          source: .
          files: docker/docker-bake.hcl
          targets: "${{ matrix.base_image }}-multi"
          set: |
            *.cache-from=${{ env.BAKE_CACHE_FROM }}
            *.cache-to=${{ env.BAKE_CACHE_TO }}
+            *.platform=linux/${{ matrix.arch }}
+            ${{ env.TAGS }}
+            *.output=type=local,dest=./output
+            *.output=type=image,push-by-digest=true,name-canonical=true,push=true

      - name: Extract digest SHA
-        shell: bash
        env:
          BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }}
          BASE_IMAGE: ${{ matrix.base_image }}
@@ -201,105 +208,176 @@ jobs:
          GET_DIGEST_SHA="$(jq -r --arg base "$BASE_IMAGE" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"
          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"

+      - name: Export digest
+        env:
+          DIGEST_SHA: ${{ env.DIGEST_SHA }}
+          RUNNER_TEMP: ${{ runner.temp }}
+        run: |
+          mkdir -p "${RUNNER_TEMP}"/digests
+          digest="${DIGEST_SHA}"
+          touch "${RUNNER_TEMP}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: digests-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Rename binaries to match target platform
+        env:
+          NORMALIZED_ARCH: ${{ env.NORMALIZED_ARCH }}
+        run: |
+          mv ./output/vaultwarden vaultwarden-"${NORMALIZED_ARCH}"
+
+      # Upload artifacts to Github Actions and Attest the binaries
+      - name: Attest binaries
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        with:
+          subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }}
+
+      - name: Upload binaries as artifacts
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
+          path: vaultwarden-${{ env.NORMALIZED_ARCH }}
+
+  merge-manifests:
+    name: Merge manifests
+    runs-on: ubuntu-latest
+    needs: docker-build
+    permissions:
+      packages: write # Needed to upload packages and artifacts
+      attestations: write # Needed to generate an artifact attestation for a build
+      id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
+    strategy:
+      matrix:
+        base_image: ["debian","alpine"]
+
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*-${{ matrix.base_image }}
+          merge-multiple: true
+
+      # Login to Docker Hub
+      - name: Login to Docker Hub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+
+      - name: Add registry for DockerHub
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        env:
+          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
+        run: |
+          echo "CONTAINER_REGISTRIES=${DOCKERHUB_REPO}" | tee -a "${GITHUB_ENV}"
+
+      # Login to GitHub Container Registry
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+
+      - name: Add registry for ghcr.io
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        env:
+          GHCR_REPO: ${{ vars.GHCR_REPO }}
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${GHCR_REPO}" | tee -a "${GITHUB_ENV}"
+
+      # Login to Quay.io
+      - name: Login to Quay.io
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+
+      - name: Add registry for Quay.io
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        env:
+          QUAY_REPO: ${{ vars.QUAY_REPO }}
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}"
+
+      # Determine Base Tags
+      - name: Determine Base Tags
+        env:
+          REF_TYPE: ${{ github.ref_type }}
+        run: |
+          # Check which main tag we are going to build determined by ref_type
+          if [[ "${REF_TYPE}" == "tag" ]]; then
+            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
+          elif [[ "${REF_TYPE}" == "branch" ]]; then
+            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
+          fi
+
+      - name: Create manifest list, push it and extract digest SHA
+        working-directory: ${{ runner.temp }}/digests
+        env:
+          BASE_IMAGE_TAG: "${{ matrix.base_image != 'debian' && format('-{0}', matrix.base_image) || '' }}"
+          BASE_TAGS: "${{ env.BASE_TAGS }}"
+          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
+        run: |
+          set +e
+          IFS=',' read -ra IMAGES <<< "${CONTAINER_REGISTRIES}"
+          IFS=',' read -ra TAGS <<< "${BASE_TAGS}"
+          for img in "${IMAGES[@]}"; do
+            for tag in "${TAGS[@]}"; do
+              echo "Creating manifest for ${img}:${tag}${BASE_IMAGE_TAG}"
+
+              OUTPUT=$(docker buildx imagetools create \
+                -t "${img}:${tag}${BASE_IMAGE_TAG}" \
+                $(printf "${img}@sha256:%s " *) 2>&1)
+              STATUS=$?
+
+              if [ ${STATUS} -ne 0 ]; then
+                echo "Manifest creation failed for ${img}:${tag}${BASE_IMAGE_TAG}"
+                echo "${OUTPUT}"
+              exit ${STATUS}
+              fi
+
+              echo "Manifest created for ${img}:${tag}${BASE_IMAGE_TAG}"
+              echo "${OUTPUT}"
+            done
+          done
+          set -e
+
+          # Extract digest SHA for subsequent steps
+          GET_DIGEST_SHA="$(echo "${OUTPUT}" | grep -oE 'sha256:[a-f0-9]{64}' | tail -1)"
+          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
+
      # Attest container images
      - name: Attest - docker.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && env.DIGEST_SHA != ''}}
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-name: ${{ vars.DOCKERHUB_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true

      - name: Attest - ghcr.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' && env.DIGEST_SHA != ''}}
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-name: ${{ vars.GHCR_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true

      - name: Attest - quay.io - ${{ matrix.base_image }}
-        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}}
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' && env.DIGEST_SHA != ''}}
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-name: ${{ vars.QUAY_REPO }}
          subject-digest: ${{ env.DIGEST_SHA }}
          push-to-registry: true
-
-
-      # Extract the Alpine binaries from the containers
-      - name: Extract binaries
-        shell: bash
-        env:
-          REF_TYPE: ${{ github.ref_type }}
-          BASE_IMAGE: ${{ matrix.base_image }}
-        run: |
-          # Check which main tag we are going to build determined by ref_type
-          if [[ "${REF_TYPE}" == "tag" ]]; then
-            EXTRACT_TAG="latest"
-          elif [[ "${REF_TYPE}" == "branch" ]]; then
-            EXTRACT_TAG="testing"
-          fi
-
-          # Check which base_image was used and append -alpine if needed
-          if [[ "${BASE_IMAGE}" == "alpine" ]]; then
-            EXTRACT_TAG="${EXTRACT_TAG}-alpine"
-          fi
-
-          # After each extraction the image is removed.
-          # This is needed because using different platforms doesn't trigger a new pull/download
-
-          # Extract amd64 binary
-          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp amd64:/vaultwarden vaultwarden-amd64-${BASE_IMAGE}
-          docker rm --force amd64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-
-          # Extract arm64 binary
-          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp arm64:/vaultwarden vaultwarden-arm64-${BASE_IMAGE}
-          docker rm --force arm64
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-
-          # Extract armv7 binary
-          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp armv7:/vaultwarden vaultwarden-armv7-${BASE_IMAGE}
-          docker rm --force armv7
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-
-          # Extract armv6 binary
-          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-          docker cp armv6:/vaultwarden vaultwarden-armv6-${BASE_IMAGE}
-          docker rm --force armv6
-          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}"
-
-      # Upload artifacts to Github Actions and Attest the binaries
-      - name: "Upload amd64 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64-${{ matrix.base_image }}
-          path: vaultwarden-amd64-${{ matrix.base_image }}
-
-      - name: "Upload arm64 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64-${{ matrix.base_image }}
-          path: vaultwarden-arm64-${{ matrix.base_image }}
-
-      - name: "Upload armv7 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7-${{ matrix.base_image }}
-          path: vaultwarden-armv7-${{ matrix.base_image }}
-
-      - name: "Upload armv6 artifact ${{ matrix.base_image }}"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6-${{ matrix.base_image }}
-          path: vaultwarden-armv6-${{ matrix.base_image }}
-
-      - name: "Attest artifacts ${{ matrix.base_image }}"
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
-        with:
-          subject-path: vaultwarden-*
-      # End Upload artifacts to Github Actions
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false

@@ -46,6 +46,6 @@ jobs:
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          sarif_file: 'trivy-results.sarif'
@@ -12,11 +12,11 @@ jobs:
    steps:
      # Checkout the repo
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false
      # End Checkout the repo

      # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
      - name: Spell Check Repo
-        uses: crate-ci/typos@07d900b8fa1097806b8adb6391b0d3e0ac2fdea7 # v1.39.0
+        uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
@@ -16,12 +16,12 @@ jobs:
      security-events: write # To write the security report
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
        with:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
        with:
          # intentionally not scanning the entire repository,
          # since it contains integration tests.
@@ -53,6 +53,6 @@ repos:
        - "cd docker && make"
 # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
 - repo: https://github.com/crate-ci/typos
-  rev: 07d900b8fa1097806b8adb6391b0d3e0ac2fdea7 # v1.39.0
+  rev: 2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
  hooks:
    - id: typos
@@ -1,6 +1,6 @@
 [workspace.package]
 edition = "2021"
-rust-version = "1.89.0"
+rust-version = "1.90.0"
 license = "AGPL-3.0-only"
 repository = "https://github.com/dani-garcia/vaultwarden"
 publish = false
@@ -55,9 +55,9 @@ syslog = "7.0.0"
 macros = { path = "./macros" }

 # Logging
-log = "0.4.28"
+log = "0.4.29"
 fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
-tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+tracing = { version = "0.1.44", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work

 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
@@ -87,10 +87,11 @@ serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.145"

 # A safe, extensible ORM and Query builder
-diesel = { version = "2.3.3", features = ["chrono", "r2d2", "numeric"] }
-diesel_migrations = "2.3.0"
+# Currently pinned diesel to v2.3.3 as newer version break MySQL/MariaDB compatibility
+diesel = { version = "2.3.5", features = ["chrono", "r2d2", "numeric"] }
+diesel_migrations = "2.3.1"

-derive_more = { version = "2.0.1", features = ["from", "into", "as_ref", "deref", "display"] }
+derive_more = { version = "2.1.1", features = ["from", "into", "as_ref", "deref", "display"] }
 diesel-derive-newtype = "2.1.2"

 # Bundled/Static SQLite
@@ -102,7 +103,7 @@ ring = "0.17.14"
 subtle = "2.6.1"

 # UUID generation
-uuid = { version = "1.18.1", features = ["v4"] }
+uuid = { version = "1.19.0", features = ["v4"] }

 # Date and time libraries
 chrono = { version = "0.4.42", features = ["clock", "serde"], default-features = false }
@@ -116,7 +117,7 @@ job_scheduler_ng = "2.4.0"
 data-encoding = "2.9.0"

 # JWT library
-jsonwebtoken = "9.3.1"
+jsonwebtoken = { version = "10.2.0", features = ["use_pem", "rust_crypto"], default-features = false }

 # TOTP library
 totp-lite = "2.0.1"
@@ -127,9 +128,9 @@ yubico = { package = "yubico_ng", version = "0.14.1", features = ["online-tokio"
 # WebAuthn libraries
 # danger-allow-state-serialisation is needed to save the state in the db
 # danger-credential-internals is needed to support U2F to Webauthn migration
-webauthn-rs = { version = "0.5.3", features = ["danger-allow-state-serialisation", "danger-credential-internals"] }
-webauthn-rs-proto = "0.5.3"
-webauthn-rs-core = "0.5.3"
+webauthn-rs = { version = "0.5.4", features = ["danger-allow-state-serialisation", "danger-credential-internals"] }
+webauthn-rs-proto = "0.5.4"
+webauthn-rs-core = "0.5.4"

 # Handling of URL's for WebAuthn and favicons
 url = "2.5.7"
@@ -143,14 +144,14 @@ email_address = "0.2.9"
 handlebars = { version = "6.3.2", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.24", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
+reqwest = { version = "0.12.28", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
 hickory-resolver = "0.25.2"

 # Favicon extraction libraries
-html5gum = "0.8.0"
+html5gum = "0.8.3"
 regex = { version = "1.12.2", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.2"
-bytes = "1.10.1"
+bytes = "1.11.0"
 svg-hush = "0.9.5"

 # Cache function results (Used for version check and favicon fetching)
@@ -167,8 +168,8 @@ openssl = "0.10.75"
 pico-args = "0.5.0"

 # Macro ident concatenation
-pastey = "0.1.1"
-governor = "0.10.1"
+pastey = "0.2.1"
+governor = "0.10.4"

 # OIDC for SSO
 openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] }
@@ -193,14 +194,14 @@ rpassword = "7.4.0"
 grass_compiler = { version = "0.13.4", default-features = false }

 # File are accessed through Apache OpenDAL
-opendal = { version = "0.54.1", features = ["services-fs"], default-features = false }
+opendal = { version = "0.55.0", features = ["services-fs"], default-features = false }

 # For retrieving AWS credentials, including temporary SSO credentials
 anyhow = { version = "1.0.100", optional = true }
-aws-config = { version = "1.8.10", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.9", optional = true }
-aws-smithy-runtime-api = { version = "1.9.2", optional = true }
-http = { version = "1.3.1", optional = true }
+aws-config = { version = "1.8.12", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+aws-credential-types = { version = "1.2.11", optional = true }
+aws-smithy-runtime-api = { version = "1.9.3", optional = true }
+http = { version = "1.4.0", optional = true }
 reqsign = { version = "0.16.5", optional = true }

 # Strip debuginfo from the release builds
@@ -1,13 +1,13 @@
 ---
-vault_version: "v2025.10.1"
-vault_image_digest: "sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa"
-# Cross Compile Docker Helper Scripts v1.8.0
+vault_version: "v2025.12.0"
+vault_image_digest: "sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613"
+# Cross Compile Docker Helper Scripts v1.9.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
-xx_image_digest: "sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6"
-rust_version: 1.91.0 # Rust version to be used
+xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
+rust_version: 1.92.0 # Rust version to be used
 debian_version: trixie # Debian release name to be used
-alpine_version: "3.22" # Alpine version to be used
+alpine_version: "3.23" # Alpine version to be used
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch
@@ -17,7 +17,6 @@ build_stage_image:
    platform: "$BUILDPLATFORM"
  alpine:
    image: "build_${TARGETARCH}${TARGETVARIANT}"
-    platform: "linux/amd64" # The Alpine build images only have linux/amd64 images
    arch_image:
      amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}"
      arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}"
@@ -19,27 +19,27 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.10.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.10.1
-#     [docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
+#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa
-#     [docker.io/vaultwarden/web-vault:v2025.10.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
+#     [docker.io/vaultwarden/web-vault:v2025.12.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault

 ########################## ALPINE BUILD IMAGES ##########################
-## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.91.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.91.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.91.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.91.0 AS build_armv6
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.92.0 AS build_amd64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.92.0 AS build_arm64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.92.0 AS build_armv7
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.92.0 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} AS build
+FROM --platform=$BUILDPLATFORM build_${TARGETARCH}${TARGETVARIANT} AS build
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG TARGETPLATFORM
@@ -127,7 +127,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.22
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.23

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
@@ -19,24 +19,24 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.10.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.10.1
-#     [docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
+#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa
-#     [docker.io/vaultwarden/web-vault:v2025.10.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
+#     [docker.io/vaultwarden/web-vault:v2025.12.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
 ## And these bash scripts do not have any significant difference if at all
-FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 AS xx
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707 AS xx

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.91.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.92.0-slim-trixie AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -51,15 +51,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
    TERM=xterm-256color \
    CARGO_HOME="/root/.cargo" \
    USER="root"
-
-# Force the install of an older MariaDB library to prevent a Diesel panic
-# See https://github.com/dani-garcia/vaultwarden/issues/6416
-RUN echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
-    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
-    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot
-
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@@ -179,14 +170,6 @@ ENV ROCKET_PROFILE="release" \

 # Create data folder and Install needed libraries
 RUN mkdir /data && \
-    # Force the install of an older MariaDB library to prevent a Diesel panic
-    # See https://github.com/dani-garcia/vaultwarden/issues/6416
-    echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
-    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
-    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot && \
-    # Continue with normal install
    apt-get update && apt-get install -y \
        --no-install-recommends \
        ca-certificates \
@@ -36,16 +36,16 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_diges
 FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx
 {% elif base == "alpine" %}
 ########################## ALPINE BUILD IMAGES ##########################
-## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
 {% for arch in build_stage_image[base].arch_image %}
-FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }}
+FROM --platform=$BUILDPLATFORM {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }}
 {% endfor %}
 {% endif %}

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} AS build
+FROM --platform=$BUILDPLATFORM {{ build_stage_image[base].image }} AS build
 {% if base == "debian" %}
 COPY --from=xx / /
 {% endif %}
@@ -69,15 +69,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
 {% endif %}

 {% if base == "debian" %}
-
-# Force the install of an older MariaDB library to prevent a Diesel panic
-# See https://github.com/dani-garcia/vaultwarden/issues/6416
-RUN echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
-    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
-    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot
-
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@@ -216,14 +207,6 @@ ENV ROCKET_PROFILE="release" \
 # Create data folder and Install needed libraries
 RUN mkdir /data && \
 {% if base == "debian" %}
-    # Force the install of an older MariaDB library to prevent a Diesel panic
-    # See https://github.com/dani-garcia/vaultwarden/issues/6416
-    echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
-    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
-    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
-    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot && \
-    # Continue with normal install
    apt-get update && apt-get install -y \
        --no-install-recommends \
        ca-certificates \
@@ -13,8 +13,8 @@ path = "src/lib.rs"
 proc-macro = true

 [dependencies]
-quote = "1.0.41"
-syn = "2.0.108"
+quote = "1.0.42"
+syn = "2.0.111"

 [lints]
 workspace = true
@@ -1,2 +1,15 @@
-ALTER TABLE sso_users DROP FOREIGN KEY `sso_users_ibfk_1`;
+-- Dynamically create DROP FOREIGN KEY
+-- Some versions of MySQL or MariaDB might fail if the key doesn't exists
+-- This checks if the key exists, and if so, will drop it.
+SET @drop_sso_fk = IF((SELECT true FROM information_schema.TABLE_CONSTRAINTS WHERE
+    CONSTRAINT_SCHEMA = DATABASE() AND
+    TABLE_NAME = 'sso_users' AND
+    CONSTRAINT_NAME = 'sso_users_ibfk_1' AND
+    CONSTRAINT_TYPE = 'FOREIGN KEY') = true,
+    'ALTER TABLE sso_users DROP FOREIGN KEY sso_users_ibfk_1',
+    'SELECT 1');
+PREPARE stmt FROM @drop_sso_fk;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;
+
 ALTER TABLE sso_users ADD FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE;
@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS sso_auth;
+
+CREATE TABLE sso_nonce (
+    state               VARCHAR(512) NOT NULL PRIMARY KEY,
+    nonce               TEXT NOT NULL,
+    verifier            TEXT,
+    redirect_uri        TEXT NOT NULL,
+    created_at          TIMESTAMP NOT NULL DEFAULT now()
+);
@@ -0,0 +1,12 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_auth (
+    state               VARCHAR(512) NOT NULL PRIMARY KEY,
+    client_challenge    TEXT NOT NULL,
+    nonce               TEXT NOT NULL,
+    redirect_uri        TEXT NOT NULL,
+    code_response       TEXT,
+    auth_response       TEXT,
+    created_at          TIMESTAMP NOT NULL DEFAULT now(),
+    updated_at          TIMESTAMP NOT NULL DEFAULT now()
+);
@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS sso_auth;
+
+CREATE TABLE sso_nonce (
+    state               TEXT NOT NULL PRIMARY KEY,
+    nonce               TEXT NOT NULL,
+    verifier            TEXT,
+    redirect_uri        TEXT NOT NULL,
+    created_at          TIMESTAMP NOT NULL DEFAULT now()
+);
@@ -0,0 +1,12 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_auth (
+    state               TEXT NOT NULL PRIMARY KEY,
+    client_challenge    TEXT NOT NULL,
+    nonce               TEXT NOT NULL,
+    redirect_uri        TEXT NOT NULL,
+    code_response       TEXT,
+    auth_response       TEXT,
+    created_at          TIMESTAMP NOT NULL DEFAULT now(),
+    updated_at          TIMESTAMP NOT NULL DEFAULT now()
+);
@@ -0,0 +1,9 @@
+DROP TABLE IF EXISTS sso_auth;
+
+CREATE TABLE sso_nonce (
+  state               TEXT NOT NULL PRIMARY KEY,
+  nonce               TEXT NOT NULL,
+  verifier            TEXT,
+  redirect_uri        TEXT NOT NULL,
+  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
@@ -0,0 +1,12 @@
+DROP TABLE IF EXISTS sso_nonce;
+
+CREATE TABLE sso_auth (
+    state               TEXT NOT NULL PRIMARY KEY,
+    client_challenge    TEXT NOT NULL,
+    nonce               TEXT NOT NULL,
+    redirect_uri        TEXT NOT NULL,
+    code_response       TEXT,
+    auth_response       TEXT,
+    created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.91.0"
+channel = "1.92.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
@@ -23,7 +23,7 @@ use crate::{
        backup_sqlite, get_sql_server_version,
        models::{
            Attachment, Cipher, Collection, Device, Event, EventType, Group, Invitation, Membership, MembershipId,
-            MembershipType, OrgPolicy, OrgPolicyErr, Organization, OrganizationId, SsoUser, TwoFactor, User, UserId,
+            MembershipType, OrgPolicy, Organization, OrganizationId, SsoUser, TwoFactor, User, UserId,
        },
        DbConn, DbConnType, ACTIVE_DB_TYPE,
    },
@@ -556,23 +556,9 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
        }
    }

+    member_to_edit.atype = new_type;
    // This check is also done at api::organizations::{accept_invite, _confirm_invite, _activate_member, edit_member}, update_membership_type
-    // It returns different error messages per function.
-    if new_type < MembershipType::Admin {
-        match OrgPolicy::is_user_allowed(&member_to_edit.user_uuid, &member_to_edit.org_uuid, true, &conn).await {
-            Ok(_) => {}
-            Err(OrgPolicyErr::TwoFactorMissing) => {
-                if CONFIG.email_2fa_auto_fallback() {
-                    two_factor::email::find_and_activate_email_2fa(&member_to_edit.user_uuid, &conn).await?;
-                } else {
-                    err!("You cannot modify this user to this type because they have not setup 2FA");
-                }
-            }
-            Err(OrgPolicyErr::SingleOrgEnforced) => {
-                err!("You cannot modify this user to this type because it is a member of an organization which forbids it");
-            }
-        }
-    }
+    OrgPolicy::check_user_allowed(&member_to_edit, "modify", &conn).await?;

    log_event(
        EventType::OrganizationUserUpdated as i32,
@@ -585,7 +571,6 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
    )
    .await;

-    member_to_edit.atype = new_type;
    member_to_edit.save(&conn).await
 }

@@ -66,6 +66,7 @@ pub fn routes() -> Vec<rocket::Route> {
        put_device_token,
        put_clear_device_token,
        post_clear_device_token,
+        get_tasks,
        post_auth_request,
        get_auth_request,
        put_auth_request,
@@ -378,7 +379,7 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
    }

    if let Some(identifier) = data.org_identifier {
-        if identifier != crate::sso::FAKE_IDENTIFIER {
+        if identifier != crate::sso::FAKE_IDENTIFIER && identifier != crate::api::admin::FAKE_ADMIN_UUID {
            let org = match Organization::find_by_uuid(&identifier.into(), &conn).await {
                None => err!("Failed to retrieve the associated organization"),
                Some(org) => org,
@@ -405,8 +406,8 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, conn:
    user.save(&conn).await?;

    Ok(Json(json!({
-      "Object": "set-password",
-      "CaptchaBypassToken": "",
+      "object": "set-password",
+      "captchaBypassToken": "",
    })))
 }

@@ -1409,7 +1410,7 @@ async fn put_device_token(device_id: DeviceId, data: Json<PushToken>, headers: H
    }

    device.push_token = Some(token);
-    if let Err(e) = device.save(&conn).await {
+    if let Err(e) = device.save(true, &conn).await {
        err!(format!("An error occurred while trying to save the device push token: {e}"));
    }

@@ -1445,6 +1446,14 @@ async fn post_clear_device_token(device_id: DeviceId, conn: DbConn) -> EmptyResu
    put_clear_device_token(device_id, conn).await
 }

+#[get("/tasks")]
+fn get_tasks(_client_headers: ClientHeaders) -> JsonResult {
+    Ok(Json(json!({
+        "data": [],
+        "object": "list"
+    })))
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct AuthRequestRequest {
@@ -159,7 +159,28 @@ async fn sync(data: SyncData, headers: Headers, client_version: Option<ClientVer
    let domains_json = if data.exclude_domains {
        Value::Null
    } else {
-        api::core::_get_eq_domains(headers, true).into_inner()
+        api::core::_get_eq_domains(&headers, true).into_inner()
+    };
+
+    // This is very similar to the the userDecryptionOptions sent in connect/token,
+    // but as of 2025-12-19 they're both using different casing conventions.
+    let has_master_password = !headers.user.password_hash.is_empty();
+    let master_password_unlock = if has_master_password {
+        json!({
+            "kdf": {
+                "kdfType": headers.user.client_kdf_type,
+                "iterations": headers.user.client_kdf_iter,
+                "memory": headers.user.client_kdf_memory,
+                "parallelism": headers.user.client_kdf_parallelism
+            },
+            // This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
+            // https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
+            "masterKeyEncryptedUserKey": headers.user.akey,
+            "masterKeyWrappedUserKey": headers.user.akey,
+            "salt": headers.user.email
+        })
+    } else {
+        Value::Null
    };

    Ok(Json(json!({
@@ -170,6 +191,9 @@ async fn sync(data: SyncData, headers: Headers, client_version: Option<ClientVer
        "ciphers": ciphers_json,
        "domains": domains_json,
        "sends": sends_json,
+        "userDecryption": {
+            "masterPasswordUnlock": master_password_unlock,
+        },
        "object": "sync"
    })))
 }
@@ -301,12 +325,6 @@ async fn post_ciphers_create(
 ) -> JsonResult {
    let mut data: ShareCipherData = data.into_inner();

-    // Check if there are one more more collections selected when this cipher is part of an organization.
-    // err if this is not the case before creating an empty cipher.
-    if data.cipher.organization_id.is_some() && data.collection_ids.is_empty() {
-        err!("You must select at least one collection.");
-    }
-
    // This check is usually only needed in update_cipher_from_data(), but we
    // need it here as well to avoid creating an empty cipher in the call to
    // cipher.save() below.
@@ -324,7 +342,11 @@ async fn post_ciphers_create(
    // or otherwise), we can just ignore this field entirely.
    data.cipher.last_known_revision_date = None;

-    share_cipher_by_uuid(&cipher.uuid, data, &headers, &conn, &nt, None).await
+    let res = share_cipher_by_uuid(&cipher.uuid, data, &headers, &conn, &nt, None).await;
+    if res.is_err() {
+        cipher.delete(&conn).await?;
+    }
+    res
 }

 /// Called when creating a new user-owned cipher.
@@ -53,7 +53,7 @@ use crate::{
    api::{EmptyResult, JsonResult, Notify, UpdateType},
    auth::Headers,
    db::{
-        models::{Membership, MembershipStatus, MembershipType, OrgPolicy, OrgPolicyErr, Organization, User},
+        models::{Membership, MembershipStatus, OrgPolicy, Organization, User},
        DbConn,
    },
    error::Error,
@@ -74,11 +74,11 @@ const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");

 #[get("/settings/domains")]
 fn get_eq_domains(headers: Headers) -> Json<Value> {
-    _get_eq_domains(headers, false)
+    _get_eq_domains(&headers, false)
 }

-fn _get_eq_domains(headers: Headers, no_excluded: bool) -> Json<Value> {
-    let user = headers.user;
+fn _get_eq_domains(headers: &Headers, no_excluded: bool) -> Json<Value> {
+    let user = &headers.user;
    use serde_json::from_str;

    let equivalent_domains: Vec<Vec<String>> = from_str(&user.equivalent_domains).unwrap();
@@ -217,7 +217,8 @@ fn config() -> Json<Value> {
        // We should make sure that we keep this updated when we support the new server features
        // Version history:
        // - Individual cipher key encryption: 2024.2.0
-        "version": "2025.6.0",
+        // - Mobile app support for MasterPasswordUnlockData: 2025.8.0
+        "version": "2025.12.0",
        "gitHash": option_env!("GIT_REV"),
        "server": {
          "name": "Vaultwarden",
@@ -269,27 +270,12 @@ async fn accept_org_invite(
        err!("User already accepted the invitation");
    }

-    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
-    // It returns different error messages per function.
-    if member.atype < MembershipType::Admin {
-        match OrgPolicy::is_user_allowed(&member.user_uuid, &member.org_uuid, false, conn).await {
-            Ok(_) => {}
-            Err(OrgPolicyErr::TwoFactorMissing) => {
-                if crate::CONFIG.email_2fa_auto_fallback() {
-                    two_factor::email::activate_email_2fa(user, conn).await?;
-                } else {
-                    err!("You cannot join this organization until you enable two-step login on your user account");
-                }
-            }
-            Err(OrgPolicyErr::SingleOrgEnforced) => {
-                err!("You cannot join this organization because you are a member of an organization which forbids it");
-            }
-        }
-    }
-
    member.status = MembershipStatus::Accepted as i32;
    member.reset_password_key = reset_password_key;

+    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
+    OrgPolicy::check_user_allowed(&member, "join", conn).await?;
+
    member.save(conn).await?;

    if crate::CONFIG.mail_enabled() {
@@ -15,7 +15,7 @@ use crate::{
        models::{
            Cipher, CipherId, Collection, CollectionCipher, CollectionGroup, CollectionId, CollectionUser, EventType,
            Group, GroupId, GroupUser, Invitation, Membership, MembershipId, MembershipStatus, MembershipType,
-            OrgPolicy, OrgPolicyErr, OrgPolicyType, Organization, OrganizationApiKey, OrganizationId, User, UserId,
+            OrgPolicy, OrgPolicyType, Organization, OrganizationApiKey, OrganizationId, User, UserId,
        },
        DbConn,
    },
@@ -195,8 +195,7 @@ async fn create_organization(headers: Headers, data: Json<OrgData>, conn: DbConn
    }

    let data: OrgData = data.into_inner();
-    let (private_key, public_key) = if data.keys.is_some() {
-        let keys: OrgKeyData = data.keys.unwrap();
+    let (private_key, public_key) = if let Some(keys) = data.keys {
        (Some(keys.encrypted_private_key), Some(keys.public_key))
    } else {
        (None, None)
@@ -370,9 +369,9 @@ async fn get_auto_enroll_status(identifier: &str, headers: Headers, conn: DbConn
    };

    Ok(Json(json!({
-        "Id": id,
-        "Identifier": identifier,
-        "ResetPasswordEnabled": rp_auto_enroll,
+        "id": id,
+        "identifier": identifier,
+        "resetPasswordEnabled": rp_auto_enroll,
    })))
 }

@@ -1463,27 +1462,12 @@ async fn _confirm_invite(
        err!("User in invalid state")
    }

-    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
-    // It returns different error messages per function.
-    if member_to_confirm.atype < MembershipType::Admin {
-        match OrgPolicy::is_user_allowed(&member_to_confirm.user_uuid, org_id, true, conn).await {
-            Ok(_) => {}
-            Err(OrgPolicyErr::TwoFactorMissing) => {
-                if CONFIG.email_2fa_auto_fallback() {
-                    two_factor::email::find_and_activate_email_2fa(&member_to_confirm.user_uuid, conn).await?;
-                } else {
-                    err!("You cannot confirm this user because they have not setup 2FA");
-                }
-            }
-            Err(OrgPolicyErr::SingleOrgEnforced) => {
-                err!("You cannot confirm this user because they are a member of an organization which forbids it");
-            }
-        }
-    }
-
    member_to_confirm.status = MembershipStatus::Confirmed as i32;
    member_to_confirm.akey = key.to_string();

+    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
+    OrgPolicy::check_user_allowed(&member_to_confirm, "confirm", conn).await?;
+
    log_event(
        EventType::OrganizationUserConfirmed as i32,
        &member_to_confirm.uuid,
@@ -1631,27 +1615,13 @@ async fn edit_member(
        }
    }

-    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
-    // It returns different error messages per function.
-    if new_type < MembershipType::Admin {
-        match OrgPolicy::is_user_allowed(&member_to_edit.user_uuid, &org_id, true, &conn).await {
-            Ok(_) => {}
-            Err(OrgPolicyErr::TwoFactorMissing) => {
-                if CONFIG.email_2fa_auto_fallback() {
-                    two_factor::email::find_and_activate_email_2fa(&member_to_edit.user_uuid, &conn).await?;
-                } else {
-                    err!("You cannot modify this user to this type because they have not setup 2FA");
-                }
-            }
-            Err(OrgPolicyErr::SingleOrgEnforced) => {
-                err!("You cannot modify this user to this type because they are a member of an organization which forbids it");
-            }
-        }
-    }
-
    member_to_edit.access_all = access_all;
    member_to_edit.atype = new_type as i32;

+    // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
+    // We need to perform the check after changing the type since `admin` is exempt.
+    OrgPolicy::check_user_allowed(&member_to_edit, "modify", &conn).await?;
+
    // Delete all the odd collections
    for c in CollectionUser::find_by_organization_and_user_uuid(&org_id, &member_to_edit.user_uuid, &conn).await {
        c.delete(&conn).await?;
@@ -2086,8 +2056,6 @@ async fn get_policy(org_id: OrganizationId, pol_type: i32, headers: AdminHeaders
 #[derive(Deserialize)]
 struct PolicyData {
    enabled: bool,
-    #[serde(rename = "type")]
-    _type: i32,
    data: Option<Value>,
 }

@@ -2154,14 +2122,14 @@ async fn put_policy(

    // When enabling the SingleOrg policy, remove this org's members that are members of other orgs
    if pol_type_enum == OrgPolicyType::SingleOrg && data.enabled {
-        for member in Membership::find_by_org(&org_id, &conn).await.into_iter() {
+        for mut member in Membership::find_by_org(&org_id, &conn).await.into_iter() {
            // Policy only applies to non-Owner/non-Admin members who have accepted joining the org
            // Exclude invited and revoked users when checking for this policy.
            // Those users will not be allowed to accept or be activated because of the policy checks done there.
-            // We check if the count is larger then 1, because it includes this organization also.
            if member.atype < MembershipType::Admin
                && member.status != MembershipStatus::Invited as i32
-                && Membership::count_accepted_and_confirmed_by_user(&member.user_uuid, &conn).await > 1
+                && Membership::count_accepted_and_confirmed_by_user(&member.user_uuid, &member.org_uuid, &conn).await
+                    > 0
            {
                if CONFIG.mail_enabled() {
                    let org = Organization::find_by_uuid(&member.org_uuid, &conn).await.unwrap();
@@ -2181,7 +2149,8 @@ async fn put_policy(
                )
                .await;

-                member.delete(&conn).await?;
+                member.revoke();
+                member.save(&conn).await?;
            }
        }
    }
@@ -2628,25 +2597,10 @@ async fn _restore_member(
                err!("Only owners can restore other owners")
            }

-            // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
-            // It returns different error messages per function.
-            if member.atype < MembershipType::Admin {
-                match OrgPolicy::is_user_allowed(&member.user_uuid, org_id, false, conn).await {
-                    Ok(_) => {}
-                    Err(OrgPolicyErr::TwoFactorMissing) => {
-                        if CONFIG.email_2fa_auto_fallback() {
-                            two_factor::email::find_and_activate_email_2fa(&member.user_uuid, conn).await?;
-                        } else {
-                            err!("You cannot restore this user because they have not setup 2FA");
-                        }
-                    }
-                    Err(OrgPolicyErr::SingleOrgEnforced) => {
-                        err!("You cannot restore this user because they are a member of an organization which forbids it");
-                    }
-                }
-            }
-
            member.restore();
+            // This check is also done at accept_invite, _confirm_invite, _activate_member, edit_member, admin::update_membership_type
+            // This check need to be done after restoring to work with the correct status
+            OrgPolicy::check_user_allowed(&member, "restore", conn).await?;
            member.save(conn).await?;

            log_event(
@@ -568,7 +568,7 @@ async fn post_access_file(
 async fn download_url(host: &Host, send_id: &SendId, file_id: &SendFileId) -> Result<String, crate::Error> {
    let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?;

-    if operator.info().scheme() == opendal::Scheme::Fs {
+    if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
        let token_claims = crate::auth::generate_send_claims(send_id, file_id);
        let token = crate::auth::encode_jwt(&token_claims);

@@ -26,12 +26,8 @@ pub fn routes() -> Vec<Route> {
 struct SendEmailLoginData {
    #[serde(alias = "DeviceIdentifier")]
    device_identifier: DeviceId,
-
-    #[allow(unused)]
    #[serde(alias = "Email")]
    email: Option<String>,
-
-    #[allow(unused)]
    #[serde(alias = "MasterPasswordHash")]
    master_password_hash: Option<String>,
 }
@@ -42,20 +38,40 @@ struct SendEmailLoginData {
 async fn send_email_login(data: Json<SendEmailLoginData>, conn: DbConn) -> EmptyResult {
    let data: SendEmailLoginData = data.into_inner();

-    use crate::db::models::User;
-
-    // Get the user
-    let Some(user) = User::find_by_device_id(&data.device_identifier, &conn).await else {
-        err!("Cannot find user. Try again.")
-    };
-
    if !CONFIG._enable_email_2fa() {
        err!("Email 2FA is disabled")
    }

-    send_token(&user.uuid, &conn).await?;
+    // Get the user
+    let email = match &data.email {
+        Some(email) if !email.is_empty() => Some(email),
+        _ => None,
+    };
+    let user = if let Some(email) = email {
+        let Some(master_password_hash) = &data.master_password_hash else {
+            err!("No password hash has been submitted.")
+        };

-    Ok(())
+        let Some(user) = User::find_by_mail(email, &conn).await else {
+            err!("Username or password is incorrect. Try again.")
+        };
+
+        // Check password
+        if !user.check_valid_password(master_password_hash) {
+            err!("Username or password is incorrect. Try again.")
+        }
+
+        user
+    } else {
+        // SSO login only sends device id, so we get the user by the most recently used device
+        let Some(user) = User::find_by_device_for_email2fa(&data.device_identifier, &conn).await else {
+            err!("Username or password is incorrect. Try again.")
+        };
+
+        user
+    };
+
+    send_token(&user.uuid, &conn).await
 }

 /// Generate the token, save the data for later verification and send email to user
@@ -82,19 +82,19 @@ static ICON_SIZE_REGEX: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"(?x)(\d+
 // It is used to prevent sending a specific header which breaks icon downloads.
 // If this function needs to be renamed, also adjust the code in `util.rs`
 #[get("/<domain>/icon.png")]
-fn icon_external(domain: &str) -> Option<Redirect> {
+fn icon_external(domain: &str) -> Cached<Option<Redirect>> {
    if !is_valid_domain(domain) {
        warn!("Invalid domain: {domain}");
-        return None;
+        return Cached::ttl(None, CONFIG.icon_cache_negttl(), true);
    }

    if should_block_address(domain) {
        warn!("Blocked address: {domain}");
-        return None;
+        return Cached::ttl(None, CONFIG.icon_cache_negttl(), true);
    }

    let url = CONFIG._icon_service_url().replace("{}", domain);
-    match CONFIG.icon_redirect_code() {
+    let redir = match CONFIG.icon_redirect_code() {
        301 => Some(Redirect::moved(url)), // legacy permanent redirect
        302 => Some(Redirect::found(url)), // legacy temporary redirect
        307 => Some(Redirect::temporary(url)),
@@ -103,7 +103,8 @@ fn icon_external(domain: &str) -> Option<Redirect> {
            error!("Unexpected redirect code {}", CONFIG.icon_redirect_code());
            None
        }
-    }
+    };
+    Cached::ttl(redir, CONFIG.icon_cache_ttl(), true)
 }

 #[get("/<domain>/icon.png")]
@@ -141,7 +142,7 @@ async fn icon_internal(domain: &str) -> Cached<(ContentType, Vec<u8>)> {
 /// This does some manual checks and makes use of Url to do some basic checking.
 /// domains can't be larger then 63 characters (not counting multiple subdomains) according to the RFC's, but we limit the total size to 255.
 fn is_valid_domain(domain: &str) -> bool {
-    const ALLOWED_CHARS: &str = "_-.";
+    const ALLOWED_CHARS: &str = "-.";

    // If parsing the domain fails using Url, it will not work with reqwest.
    if let Err(parse_error) = url::Url::parse(format!("https://{domain}").as_str()) {
@@ -796,8 +797,11 @@ impl Emitter for FaviconEmitter {
    fn emit_current_tag(&mut self) -> Option<html5gum::State> {
        self.flush_current_attribute(true);
        self.last_start_tag.clear();
-        if self.current_token.is_some() && !self.current_token.as_ref().unwrap().closing {
-            self.last_start_tag.extend(&*self.current_token.as_ref().unwrap().tag.name);
+        match &self.current_token {
+            Some(token) if !token.closing => {
+                self.last_start_tag.extend(&*token.tag.name);
+            }
+            _ => {}
        }
        html5gum::naive_next_state(&self.last_start_tag)
    }
@@ -1,4 +1,4 @@
-use chrono::{NaiveDateTime, Utc};
+use chrono::Utc;
 use num_traits::FromPrimitive;
 use rocket::{
    form::{Form, FromForm},
@@ -24,14 +24,14 @@ use crate::{
    auth::{generate_organization_api_key_login_claims, AuthMethod, ClientHeaders, ClientIp, ClientVersion},
    db::{
        models::{
-            AuthRequest, AuthRequestId, Device, DeviceId, EventType, Invitation, OrganizationApiKey, OrganizationId,
-            SsoNonce, SsoUser, TwoFactor, TwoFactorIncomplete, TwoFactorType, User, UserId,
+            AuthRequest, AuthRequestId, Device, DeviceId, EventType, Invitation, OIDCCodeWrapper, OrganizationApiKey,
+            OrganizationId, SsoAuth, SsoUser, TwoFactor, TwoFactorIncomplete, TwoFactorType, User, UserId,
        },
        DbConn,
    },
    error::MapResult,
    mail, sso,
-    sso::{OIDCCode, OIDCState},
+    sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
    util, CONFIG,
 };

@@ -92,6 +92,7 @@ async fn login(
        "authorization_code" if CONFIG.sso_enabled() => {
            _check_is_some(&data.client_id, "client_id cannot be blank")?;
            _check_is_some(&data.code, "code cannot be blank")?;
+            _check_is_some(&data.code_verifier, "code verifier cannot be blank")?;

            _check_is_some(&data.device_identifier, "device_identifier cannot be blank")?;
            _check_is_some(&data.device_name, "device_name cannot be blank")?;
@@ -147,7 +148,7 @@ async fn _refresh_login(data: ConnectData, conn: &DbConn, ip: &ClientIp) -> Json
        }
        Ok((mut device, auth_tokens)) => {
            // Save to update `device.updated_at` to track usage and toggle new status
-            device.save(conn).await?;
+            device.save(true, conn).await?;

            let result = json!({
                "refresh_token": auth_tokens.refresh_token(),
@@ -175,17 +176,23 @@ async fn _sso_login(
    // Ratelimit the login
    crate::ratelimit::check_limit_login(&ip.ip)?;

-    let code = match data.code.as_ref() {
-        None => err!(
+    let (state, code_verifier) = match (data.code.as_ref(), data.code_verifier.as_ref()) {
+        (None, _) => err!(
            "Got no code in OIDC data",
            ErrorEvent {
                event: EventType::UserFailedLogIn
            }
        ),
-        Some(code) => code,
+        (_, None) => err!(
+            "Got no code verifier in OIDC data",
+            ErrorEvent {
+                event: EventType::UserFailedLogIn
+            }
+        ),
+        (Some(code), Some(code_verifier)) => (code, code_verifier.clone()),
    };

-    let user_infos = sso::exchange_code(code, conn).await?;
+    let (sso_auth, user_infos) = sso::exchange_code(state, code_verifier, conn).await?;
    let user_with_sso = match SsoUser::find_by_identifier(&user_infos.identifier, conn).await {
        None => match SsoUser::find_by_mail(&user_infos.email, conn).await {
            None => None,
@@ -248,7 +255,7 @@ async fn _sso_login(
                _ => (),
            }

-            let mut user = User::new(&user_infos.email, user_infos.user_name);
+            let mut user = User::new(&user_infos.email, user_infos.user_name.clone());
            user.verified_at = Some(now);
            user.save(conn).await?;

@@ -267,13 +274,14 @@ async fn _sso_login(
        }
        Some((mut user, sso_user)) => {
            let mut device = get_device(&data, conn, &user).await?;
+
            let twofactor_token = twofactor_auth(&mut user, &data, &mut device, ip, client_version, conn).await?;

            if user.private_key.is_none() {
                // User was invited a stub was created
                user.verified_at = Some(now);
-                if let Some(user_name) = user_infos.user_name {
-                    user.name = user_name;
+                if let Some(ref user_name) = user_infos.user_name {
+                    user.name = user_name.clone();
                }

                user.save(conn).await?;
@@ -290,30 +298,13 @@ async fn _sso_login(
        }
    };

-    // We passed 2FA get full user information
-    let auth_user = sso::redeem(&user_infos.state, conn).await?;
-
-    if sso_user.is_none() {
-        let user_sso = SsoUser {
-            user_uuid: user.uuid.clone(),
-            identifier: user_infos.identifier,
-        };
-        user_sso.save(conn).await?;
-    }
-
    // Set the user_uuid here to be passed back used for event logging.
    *user_id = Some(user.uuid.clone());

-    let auth_tokens = sso::create_auth_tokens(
-        &device,
-        &user,
-        data.client_id,
-        auth_user.refresh_token,
-        auth_user.access_token,
-        auth_user.expires_in,
-    )?;
+    // We passed 2FA get auth tokens
+    let auth_tokens = sso::redeem(&device, &user, data.client_id, sso_user, sso_auth, user_infos, conn).await?;

-    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, &now, conn, ip).await
+    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, conn, ip).await
 }

 async fn _password_login(
@@ -435,7 +426,7 @@ async fn _password_login(

    let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::Password, data.client_id);

-    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, &now, conn, ip).await
+    authenticated_response(&user, &mut device, auth_tokens, twofactor_token, conn, ip).await
 }

 async fn authenticated_response(
@@ -443,12 +434,12 @@ async fn authenticated_response(
    device: &mut Device,
    auth_tokens: auth::AuthTokens,
    twofactor_token: Option<String>,
-    now: &NaiveDateTime,
    conn: &DbConn,
    ip: &ClientIp,
 ) -> JsonResult {
    if CONFIG.mail_enabled() && device.is_new() {
-        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), now, device).await {
+        let now = Utc::now().naive_utc();
+        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, device).await {
            error!("Error sending new device email: {e:#?}");

            if CONFIG.require_device_email() {
@@ -468,10 +459,38 @@ async fn authenticated_response(
    }

    // Save to update `device.updated_at` to track usage and toggle new status
-    device.save(conn).await?;
+    device.save(true, conn).await?;

    let master_password_policy = master_password_policy(user, conn).await;

+    let has_master_password = !user.password_hash.is_empty();
+    let master_password_unlock = if has_master_password {
+        json!({
+            "Kdf": {
+                "KdfType": user.client_kdf_type,
+                "Iterations": user.client_kdf_iter,
+                "Memory": user.client_kdf_memory,
+                "Parallelism": user.client_kdf_parallelism
+            },
+            // This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
+            // https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
+            "MasterKeyEncryptedUserKey": user.akey,
+            "MasterKeyWrappedUserKey": user.akey,
+            "Salt": user.email
+        })
+    } else {
+        Value::Null
+    };
+
+    let account_keys = json!({
+        "publicKeyEncryptionKeyPair": {
+            "wrappedPrivateKey": user.private_key,
+            "publicKey": user.public_key,
+            "Object": "publicKeyEncryptionKeyPair"
+        },
+        "Object": "privateKeys"
+    });
+
    let mut result = json!({
        "access_token": auth_tokens.access_token(),
        "expires_in": auth_tokens.expires_in(),
@@ -486,8 +505,10 @@ async fn authenticated_response(
        "ForcePasswordReset": false,
        "MasterPasswordPolicy": master_password_policy,
        "scope": auth_tokens.scope(),
+        "AccountKeys": account_keys,
        "UserDecryptionOptions": {
-            "HasMasterPassword": !user.password_hash.is_empty(),
+            "HasMasterPassword": has_master_password,
+            "MasterPasswordUnlock": master_password_unlock,
            "Object": "userDecryptionOptions"
        },
    });
@@ -585,7 +606,7 @@ async fn _user_api_key_login(
    let access_claims = auth::LoginJwtClaims::default(&device, &user, &AuthMethod::UserApiKey, data.client_id);

    // Save to update `device.updated_at` to track usage and toggle new status
-    device.save(conn).await?;
+    device.save(true, conn).await?;

    info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);

@@ -648,7 +669,12 @@ async fn get_device(data: &ConnectData, conn: &DbConn, user: &User) -> ApiResult
    // Find device or create new
    match Device::find_by_uuid_and_user(&device_id, &user.uuid, conn).await {
        Some(device) => Ok(device),
-        None => Device::new(device_id, user.uuid.clone(), device_name, device_type, conn).await,
+        None => {
+            let mut device = Device::new(device_id, user.uuid.clone(), device_name, device_type);
+            // save device without updating `device.updated_at`
+            device.save(false, conn).await?;
+            Ok(device)
+        }
    }
 }

@@ -997,9 +1023,12 @@ struct ConnectData {
    two_factor_remember: Option<i32>,
    #[field(name = uncased("authrequest"))]
    auth_request: Option<AuthRequestId>,
+
    // Needed for authorization code
    #[field(name = uncased("code"))]
-    code: Option<String>,
+    code: Option<OIDCState>,
+    #[field(name = uncased("code_verifier"))]
+    code_verifier: Option<OIDCCodeVerifier>,
 }
 fn _check_is_some<T>(value: &Option<T>, msg: &str) -> EmptyResult {
    if value.is_none() {
@@ -1021,14 +1050,13 @@ fn prevalidate() -> JsonResult {
 }

 #[get("/connect/oidc-signin?<code>&<state>", rank = 1)]
-async fn oidcsignin(code: OIDCCode, state: String, conn: DbConn) -> ApiResult<Redirect> {
-    oidcsignin_redirect(
+async fn oidcsignin(code: OIDCCode, state: String, mut conn: DbConn) -> ApiResult<Redirect> {
+    _oidcsignin_redirect(
        state,
-        |decoded_state| sso::OIDCCodeWrapper::Ok {
-            state: decoded_state,
+        OIDCCodeWrapper::Ok {
            code,
        },
-        &conn,
+        &mut conn,
    )
    .await
 }
@@ -1040,42 +1068,44 @@ async fn oidcsignin_error(
    state: String,
    error: String,
    error_description: Option<String>,
-    conn: DbConn,
+    mut conn: DbConn,
 ) -> ApiResult<Redirect> {
-    oidcsignin_redirect(
+    _oidcsignin_redirect(
        state,
-        |decoded_state| sso::OIDCCodeWrapper::Error {
-            state: decoded_state,
+        OIDCCodeWrapper::Error {
            error,
            error_description,
        },
-        &conn,
+        &mut conn,
    )
    .await
 }

 // The state was encoded using Base64 to ensure no issue with providers.
 // iss and scope parameters are needed for redirection to work on IOS.
-async fn oidcsignin_redirect(
+// We pass the state as the code to get it back later on.
+async fn _oidcsignin_redirect(
    base64_state: String,
-    wrapper: impl FnOnce(OIDCState) -> sso::OIDCCodeWrapper,
-    conn: &DbConn,
+    code_response: OIDCCodeWrapper,
+    conn: &mut DbConn,
 ) -> ApiResult<Redirect> {
    let state = sso::decode_state(&base64_state)?;
-    let code = sso::encode_code_claims(wrapper(state.clone()));

-    let nonce = match SsoNonce::find(&state, conn).await {
-        Some(n) => n,
-        None => err!(format!("Failed to retrieve redirect_uri with {state}")),
+    let mut sso_auth = match SsoAuth::find(&state, conn).await {
+        None => err!(format!("Cannot retrieve sso_auth for {state}")),
+        Some(sso_auth) => sso_auth,
    };
+    sso_auth.code_response = Some(code_response);
+    sso_auth.updated_at = Utc::now().naive_utc();
+    sso_auth.save(conn).await?;

-    let mut url = match url::Url::parse(&nonce.redirect_uri) {
+    let mut url = match url::Url::parse(&sso_auth.redirect_uri) {
        Ok(url) => url,
-        Err(err) => err!(format!("Failed to parse redirect uri ({}): {err}", nonce.redirect_uri)),
+        Err(err) => err!(format!("Failed to parse redirect uri ({}): {err}", sso_auth.redirect_uri)),
    };

    url.query_pairs_mut()
-        .append_pair("code", &code)
+        .append_pair("code", &state)
        .append_pair("state", &state)
        .append_pair("scope", &AuthMethod::Sso.scope())
        .append_pair("iss", &CONFIG.domain());
@@ -1098,10 +1128,8 @@ struct AuthorizeData {
    #[allow(unused)]
    scope: Option<String>,
    state: OIDCState,
-    #[allow(unused)]
-    code_challenge: Option<String>,
-    #[allow(unused)]
-    code_challenge_method: Option<String>,
+    code_challenge: OIDCCodeChallenge,
+    code_challenge_method: String,
    #[allow(unused)]
    response_mode: Option<String>,
    #[allow(unused)]
@@ -1118,10 +1146,16 @@ async fn authorize(data: AuthorizeData, conn: DbConn) -> ApiResult<Redirect> {
        client_id,
        redirect_uri,
        state,
+        code_challenge,
+        code_challenge_method,
        ..
    } = data;

-    let auth_url = sso::authorize_url(state, &client_id, &redirect_uri, conn).await?;
+    if code_challenge_method != "S256" {
+        err!("Unsupported code challenge method");
+    }
+
+    let auth_url = sso::authorize_url(state, code_challenge, &client_id, &redirect_uri, conn).await?;

    Ok(Redirect::temporary(String::from(auth_url)))
 }
@@ -128,7 +128,7 @@ pub async fn register_push_device(device: &mut Device, conn: &DbConn) -> EmptyRe
        err!(format!("An error occurred while proceeding registration of a device: {e}"));
    }

-    if let Err(e) = device.save(conn).await {
+    if let Err(e) = device.save(true, conn).await {
        err!(format!("An error occurred while trying to save the (registered) device push uuid: {e}"));
    }

@@ -12,6 +12,7 @@ use serde_json::Value;
 use crate::{
    api::{core::now, ApiResult, EmptyResult},
    auth::decode_file_download,
+    config::CachedConfigOperation,
    db::models::{AttachmentId, CipherId},
    error::Error,
    util::Cached,
@@ -52,19 +53,18 @@ fn not_found() -> ApiResult<Html<String>> {
    Ok(Html(text))
 }

-#[get("/css/vaultwarden.css")]
-fn vaultwarden_css() -> Cached<Css<String>> {
+static VAULTWARDEN_CSS_CACHE: CachedConfigOperation<String> = CachedConfigOperation::new(|config| {
    let css_options = json!({
-        "emergency_access_allowed": CONFIG.emergency_access_allowed(),
+        "emergency_access_allowed": config.emergency_access_allowed(),
        "load_user_scss": true,
-        "mail_2fa_enabled": CONFIG._enable_email_2fa(),
-        "mail_enabled": CONFIG.mail_enabled(),
-        "sends_allowed": CONFIG.sends_allowed(),
-        "signup_disabled": CONFIG.is_signup_disabled(),
-        "sso_enabled": CONFIG.sso_enabled(),
-        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
-        "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(),
-        "webauthn_2fa_supported": CONFIG.is_webauthn_2fa_supported(),
+        "mail_2fa_enabled": config._enable_email_2fa(),
+        "mail_enabled": config.mail_enabled(),
+        "sends_allowed": config.sends_allowed(),
+        "signup_disabled": config.is_signup_disabled(),
+        "sso_enabled": config.sso_enabled(),
+        "sso_only": config.sso_enabled() && config.sso_only(),
+        "yubico_enabled": config._enable_yubico() && config.yubico_client_id().is_some() && config.yubico_secret_key().is_some(),
+        "webauthn_2fa_supported": config.is_webauthn_2fa_supported(),
    });

    let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {
@@ -78,7 +78,7 @@ fn vaultwarden_css() -> Cached<Css<String>> {
        }
    };

-    let css = match grass_compiler::from_string(
+    match grass_compiler::from_string(
        scss,
        &grass_compiler::Options::default().style(grass_compiler::OutputStyle::Compressed),
    ) {
@@ -97,10 +97,12 @@ fn vaultwarden_css() -> Cached<Css<String>> {
            )
            .expect("SCSS to compile")
        }
-    };
+    }
+});

-    // Cache for one day should be enough and not too much
-    Cached::ttl(Css(css), 86_400, false)
+#[get("/css/vaultwarden.css")]
+fn vaultwarden_css() -> Css<String> {
+    Css(CONFIG.cached_operation(&VAULTWARDEN_CSS_CACHE))
 }

 #[get("/")]
@@ -1223,7 +1223,7 @@ pub async fn refresh_tokens(
    };

    // Save to update `updated_at`.
-    device.save(conn).await?;
+    device.save(true, conn).await?;

    let user = match User::find_by_uuid(&device.user_uuid, conn).await {
        None => err!("Impossible to find user"),
@@ -3,7 +3,7 @@ use std::{
    fmt,
    process::exit,
    sync::{
-        atomic::{AtomicBool, Ordering},
+        atomic::{AtomicBool, AtomicUsize, Ordering},
        LazyLock, RwLock,
    },
 };
@@ -103,6 +103,7 @@ macro_rules! make_config {

        struct Inner {
            rocket_shutdown_handle: Option<rocket::Shutdown>,
+            revision: usize,

            templates: Handlebars<'static>,
            config: ConfigItems,
@@ -322,7 +323,7 @@ macro_rules! make_config {
        }

        #[derive(Clone, Default)]
-        struct ConfigItems { $($( $name: make_config! {@type $ty, $none_action}, )+)+ }
+        struct ConfigItems { $($( pub $name: make_config! {@type $ty, $none_action}, )+)+ }

        #[derive(Serialize)]
        struct ElementDoc {
@@ -564,9 +565,9 @@ make_config! {
        /// Duo Auth context cleanup schedule |> Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
        /// Defaults to once every minute. Set blank to disable this job.
        duo_context_purge_schedule:   String, false,  def,    "30 * * * * *".to_string();
-        /// Purge incomplete SSO nonce. |> Cron schedule of the job that cleans leftover nonce in db due to incomplete SSO login.
+        /// Purge incomplete SSO auth. |> Cron schedule of the job that cleans leftover auth in db due to incomplete SSO login.
        /// Defaults to daily. Set blank to disable this job.
-        purge_incomplete_sso_nonce: String, false,  def,   "0 20 0 * * *".to_string();
+        purge_incomplete_sso_auth: String, false,  def,   "0 20 0 * * *".to_string();
    },

    /// General settings
@@ -789,6 +790,10 @@ make_config! {
        /// Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
        /// Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
        enforce_single_org_with_reset_pw_policy: bool, false, def, false;
+
+        /// Prefer IPv6 (AAAA) resolving |> This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
+        /// This could be useful in IPv6 only environments.
+        dns_prefer_ipv6: bool, true, def, false;
    },

    /// OpenID Connect SSO settings
@@ -1463,6 +1468,23 @@ pub enum PathType {
    RsaKey,
 }

+pub struct CachedConfigOperation<T: Clone> {
+    generator: fn(&Config) -> T,
+    value_cache: RwLock<Option<T>>,
+    revision: AtomicUsize,
+}
+
+impl<T: Clone> CachedConfigOperation<T> {
+    #[allow(private_interfaces)]
+    pub const fn new(generator: fn(&Config) -> T) -> Self {
+        CachedConfigOperation {
+            generator,
+            value_cache: RwLock::new(None),
+            revision: AtomicUsize::new(0),
+        }
+    }
+}
+
 impl Config {
    pub async fn load() -> Result<Self, Error> {
        // Loading from env and file
@@ -1482,6 +1504,7 @@ impl Config {
        Ok(Config {
            inner: RwLock::new(Inner {
                rocket_shutdown_handle: None,
+                revision: 1,
                templates: load_templates(&config.templates_folder),
                config,
                _env,
@@ -1520,6 +1543,7 @@ impl Config {
            writer.config = config;
            writer._usr = builder;
            writer._overrides = overrides;
+            writer.revision += 1;
        }

        //Save to file
@@ -1538,6 +1562,51 @@ impl Config {
        self.update_config(builder, false).await
    }

+    pub async fn delete_user_config(&self) -> Result<(), Error> {
+        let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
+        operator.delete(&CONFIG_FILENAME).await?;
+
+        // Empty user config
+        let usr = ConfigBuilder::default();
+
+        // Config now is env + defaults
+        let config = {
+            let env = &self.inner.read().unwrap()._env;
+            env.build()
+        };
+
+        // Save configs
+        {
+            let mut writer = self.inner.write().unwrap();
+            writer.config = config;
+            writer._usr = usr;
+            writer._overrides = Vec::new();
+            writer.revision += 1;
+        }
+
+        Ok(())
+    }
+
+    pub fn cached_operation<T: Clone>(&self, operation: &CachedConfigOperation<T>) -> T {
+        let config_revision = self.inner.read().unwrap().revision;
+        let cache_revision = operation.revision.load(Ordering::Relaxed);
+
+        // If the current revision matches the cached revision, return the cached value
+        if cache_revision == config_revision {
+            let reader = operation.value_cache.read().unwrap();
+            return reader.as_ref().unwrap().clone();
+        }
+
+        // Otherwise, compute the value, update the cache and revision, and return the new value
+        let value = (operation.generator)(&CONFIG);
+        {
+            let mut writer = operation.value_cache.write().unwrap();
+            *writer = Some(value.clone());
+            operation.revision.store(config_revision, Ordering::Relaxed);
+        }
+        value
+    }
+
    /// Tests whether an email's domain is allowed. A domain is allowed if it
    /// is in signups_domains_whitelist, or if no whitelist is set (so there
    /// are no domain restrictions in effect).
@@ -1587,33 +1656,10 @@ impl Config {
        }
    }

-    pub async fn delete_user_config(&self) -> Result<(), Error> {
-        let operator = opendal_operator_for_path(&CONFIG_FILE_PARENT_DIR)?;
-        operator.delete(&CONFIG_FILENAME).await?;
-
-        // Empty user config
-        let usr = ConfigBuilder::default();
-
-        // Config now is env + defaults
-        let config = {
-            let env = &self.inner.read().unwrap()._env;
-            env.build()
-        };
-
-        // Save configs
-        {
-            let mut writer = self.inner.write().unwrap();
-            writer.config = config;
-            writer._usr = usr;
-            writer._overrides = Vec::new();
-        }
-
-        Ok(())
-    }
-
    pub fn private_rsa_key(&self) -> String {
        format!("{}.pem", self.rsa_key_filename())
    }
+
    pub fn mail_enabled(&self) -> bool {
        let inner = &self.inner.read().unwrap().config;
        inner._enable_smtp && (inner.smtp_host.is_some() || inner.use_sendmail)
@@ -337,6 +337,46 @@ macro_rules! db_run {
    };
 }

+// Write all ToSql<Text, DB> and FromSql<Text, DB> given a serializable/deserializable type.
+#[macro_export]
+macro_rules! impl_FromToSqlText {
+    ($name:ty) => {
+        #[cfg(mysql)]
+        impl ToSql<Text, diesel::mysql::Mysql> for $name {
+            fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, diesel::mysql::Mysql>) -> diesel::serialize::Result {
+                serde_json::to_writer(out, self).map(|_| diesel::serialize::IsNull::No).map_err(Into::into)
+            }
+        }
+
+        #[cfg(postgresql)]
+        impl ToSql<Text, diesel::pg::Pg> for $name {
+            fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, diesel::pg::Pg>) -> diesel::serialize::Result {
+                serde_json::to_writer(out, self).map(|_| diesel::serialize::IsNull::No).map_err(Into::into)
+            }
+        }
+
+        #[cfg(sqlite)]
+        impl ToSql<Text, diesel::sqlite::Sqlite> for $name {
+            fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, diesel::sqlite::Sqlite>) -> diesel::serialize::Result {
+                serde_json::to_string(self).map_err(Into::into).map(|str| {
+                    out.set_value(str);
+                    diesel::serialize::IsNull::No
+                })
+            }
+        }
+
+        impl<DB: diesel::backend::Backend> FromSql<Text, DB> for $name
+        where
+            String: FromSql<Text, DB>,
+        {
+            fn from_sql(bytes: DB::RawValue<'_>) -> diesel::deserialize::Result<Self> {
+                <String as FromSql<Text, DB>>::from_sql(bytes)
+                    .and_then(|str| serde_json::from_str(&str).map_err(Into::into))
+            }
+        }
+    };
+}
+
 pub mod schema;

 // Reexport the models, needs to be after the macros are defined so it can access them
@@ -46,7 +46,7 @@ impl Attachment {
    pub async fn get_url(&self, host: &str) -> Result<String, crate::Error> {
        let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?;

-        if operator.info().scheme() == opendal::Scheme::Fs {
+        if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) {
            let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone()));
            Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id))
        } else {
@@ -35,6 +35,25 @@ pub struct Device {

 /// Local methods
 impl Device {
+    pub fn new(uuid: DeviceId, user_uuid: UserId, name: String, atype: i32) -> Self {
+        let now = Utc::now().naive_utc();
+
+        Self {
+            uuid,
+            created_at: now,
+            updated_at: now,
+
+            user_uuid,
+            name,
+            atype,
+
+            push_uuid: Some(PushId(get_uuid())),
+            push_token: None,
+            refresh_token: crypto::encode_random_bytes::<64>(&BASE64URL),
+            twofactor_remember: None,
+        }
+    }
+
    pub fn to_json(&self) -> Value {
        json!({
            "id": self.uuid,
@@ -110,38 +129,21 @@ impl DeviceWithAuthRequest {
 }
 use crate::db::DbConn;

-use crate::api::{ApiResult, EmptyResult};
+use crate::api::EmptyResult;
 use crate::error::MapResult;

 /// Database methods
 impl Device {
-    pub async fn new(uuid: DeviceId, user_uuid: UserId, name: String, atype: i32, conn: &DbConn) -> ApiResult<Device> {
-        let now = Utc::now().naive_utc();
+    pub async fn save(&mut self, update_time: bool, conn: &DbConn) -> EmptyResult {
+        if update_time {
+            self.updated_at = Utc::now().naive_utc();
+        }

-        let device = Self {
-            uuid,
-            created_at: now,
-            updated_at: now,
-
-            user_uuid,
-            name,
-            atype,
-
-            push_uuid: Some(PushId(get_uuid())),
-            push_token: None,
-            refresh_token: crypto::encode_random_bytes::<64>(&BASE64URL),
-            twofactor_remember: None,
-        };
-
-        device.inner_save(conn).await.map(|()| device)
-    }
-
-    async fn inner_save(&self, conn: &DbConn) -> EmptyResult {
        db_run! { conn:
            sqlite, mysql {
                crate::util::retry(||
                    diesel::replace_into(devices::table)
-                        .values(self)
+                        .values(&*self)
                        .execute(conn),
                    10,
                ).map_res("Error saving device")
@@ -149,10 +151,10 @@ impl Device {
            postgresql {
                crate::util::retry(||
                    diesel::insert_into(devices::table)
-                        .values(self)
+                        .values(&*self)
                        .on_conflict((devices::uuid, devices::user_uuid))
                        .do_update()
-                        .set(self)
+                        .set(&*self)
                        .execute(conn),
                    10,
                ).map_res("Error saving device")
@@ -160,12 +162,6 @@ impl Device {
        }
    }

-    // Should only be called after user has passed authentication
-    pub async fn save(&mut self, conn: &DbConn) -> EmptyResult {
-        self.updated_at = Utc::now().naive_utc();
-        self.inner_save(conn).await
-    }
-
    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
        db_run! { conn: {
            diesel::delete(devices::table.filter(devices::user_uuid.eq(user_uuid)))
@@ -11,7 +11,7 @@ mod group;
 mod org_policy;
 mod organization;
 mod send;
-mod sso_nonce;
+mod sso_auth;
 mod two_factor;
 mod two_factor_duo_context;
 mod two_factor_incomplete;
@@ -27,7 +27,7 @@ pub use self::event::{Event, EventType};
 pub use self::favorite::Favorite;
 pub use self::folder::{Folder, FolderCipher, FolderId};
 pub use self::group::{CollectionGroup, Group, GroupId, GroupUser};
-pub use self::org_policy::{OrgPolicy, OrgPolicyErr, OrgPolicyId, OrgPolicyType};
+pub use self::org_policy::{OrgPolicy, OrgPolicyId, OrgPolicyType};
 pub use self::organization::{
    Membership, MembershipId, MembershipStatus, MembershipType, OrgApiKeyId, Organization, OrganizationApiKey,
    OrganizationId,
@@ -36,7 +36,7 @@ pub use self::send::{
    id::{SendFileId, SendId},
    Send, SendType,
 };
-pub use self::sso_nonce::SsoNonce;
+pub use self::sso_auth::{OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth};
 pub use self::two_factor::{TwoFactor, TwoFactorType};
 pub use self::two_factor_duo_context::TwoFactorDuoContext;
 pub use self::two_factor_incomplete::TwoFactorIncomplete;
@@ -2,10 +2,12 @@ use derive_more::{AsRef, From};
 use serde::Deserialize;
 use serde_json::Value;

+use crate::api::core::two_factor;
 use crate::api::EmptyResult;
 use crate::db::schema::{org_policies, users_organizations};
 use crate::db::DbConn;
 use crate::error::MapResult;
+use crate::CONFIG;
 use diesel::prelude::*;

 use super::{Membership, MembershipId, MembershipStatus, MembershipType, OrganizationId, TwoFactor, UserId};
@@ -40,6 +42,10 @@ pub enum OrgPolicyType {
    // FreeFamiliesSponsorshipPolicy = 13,
    RemoveUnlockWithPin = 14,
    RestrictedItemTypes = 15,
+    UriMatchDefaults = 16,
+    // AutotypeDefaultSetting = 17, // Not supported yet
+    // AutoConfirm = 18, // Not supported (not implemented yet)
+    // BlockClaimedDomainAccountCreation = 19, // Not supported (Not AGPLv3 Licensed)
 }

 // https://github.com/bitwarden/server/blob/9ebe16587175b1c0e9208f84397bb75d0d595510/src/Core/AdminConsole/Models/Data/Organizations/Policies/SendOptionsPolicyData.cs#L5
@@ -58,14 +64,6 @@ pub struct ResetPasswordDataModel {
    pub auto_enroll_enabled: bool,
 }

-pub type OrgPolicyResult = Result<(), OrgPolicyErr>;
-
-#[derive(Debug)]
-pub enum OrgPolicyErr {
-    TwoFactorMissing,
-    SingleOrgEnforced,
-}
-
 /// Local methods
 impl OrgPolicy {
    pub fn new(org_uuid: OrganizationId, atype: OrgPolicyType, enabled: bool, data: String) -> Self {
@@ -280,31 +278,35 @@ impl OrgPolicy {
        false
    }

-    pub async fn is_user_allowed(
-        user_uuid: &UserId,
-        org_uuid: &OrganizationId,
-        exclude_current_org: bool,
-        conn: &DbConn,
-    ) -> OrgPolicyResult {
-        // Enforce TwoFactor/TwoStep login
-        if TwoFactor::find_by_user(user_uuid, conn).await.is_empty() {
-            match Self::find_by_org_and_type(org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await {
-                Some(p) if p.enabled => {
-                    return Err(OrgPolicyErr::TwoFactorMissing);
+    pub async fn check_user_allowed(m: &Membership, action: &str, conn: &DbConn) -> EmptyResult {
+        if m.atype < MembershipType::Admin && m.status > (MembershipStatus::Invited as i32) {
+            // Enforce TwoFactor/TwoStep login
+            if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::TwoFactorAuthentication, conn).await
+            {
+                if p.enabled && TwoFactor::find_by_user(&m.user_uuid, conn).await.is_empty() {
+                    if CONFIG.email_2fa_auto_fallback() {
+                        two_factor::email::find_and_activate_email_2fa(&m.user_uuid, conn).await?;
+                    } else {
+                        err!(format!("Cannot {} because 2FA is required (membership {})", action, m.uuid));
+                    }
                }
-                _ => {}
-            };
-        }
+            }

-        // Enforce Single Organization Policy of other organizations user is a member of
-        // This check here needs to exclude this current org-id, else an accepted user can not be confirmed.
-        let exclude_org = if exclude_current_org {
-            Some(org_uuid)
-        } else {
-            None
-        };
-        if Self::is_applicable_to_user(user_uuid, OrgPolicyType::SingleOrg, exclude_org, conn).await {
-            return Err(OrgPolicyErr::SingleOrgEnforced);
+            // Check if the user is part of another Organization with SingleOrg activated
+            if Self::is_applicable_to_user(&m.user_uuid, OrgPolicyType::SingleOrg, Some(&m.org_uuid), conn).await {
+                err!(format!(
+                    "Cannot {} because another organization policy forbids it (membership {})",
+                    action, m.uuid
+                ));
+            }
+
+            if let Some(p) = Self::find_by_org_and_type(&m.org_uuid, OrgPolicyType::SingleOrg, conn).await {
+                if p.enabled
+                    && Membership::count_accepted_and_confirmed_by_user(&m.user_uuid, &m.org_uuid, conn).await > 0
+                {
+                    err!(format!("Cannot {} because the organization policy forbids being part of other organization (membership {})", action, m.uuid));
+                }
+            }
        }

        Ok(())
@@ -883,10 +883,15 @@ impl Membership {
        }}
    }

-    pub async fn count_accepted_and_confirmed_by_user(user_uuid: &UserId, conn: &DbConn) -> i64 {
+    pub async fn count_accepted_and_confirmed_by_user(
+        user_uuid: &UserId,
+        excluded_org: &OrganizationId,
+        conn: &DbConn,
+    ) -> i64 {
        db_run! { conn: {
            users_organizations::table
                .filter(users_organizations::user_uuid.eq(user_uuid))
+                .filter(users_organizations::org_uuid.ne(excluded_org))
                .filter(users_organizations::status.eq(MembershipStatus::Accepted as i32).or(users_organizations::status.eq(MembershipStatus::Confirmed as i32)))
                .count()
                .first::<i64>(conn)
@@ -0,0 +1,134 @@
+use chrono::{NaiveDateTime, Utc};
+use std::time::Duration;
+
+use crate::api::EmptyResult;
+use crate::db::schema::sso_auth;
+use crate::db::{DbConn, DbPool};
+use crate::error::MapResult;
+use crate::sso::{OIDCCode, OIDCCodeChallenge, OIDCIdentifier, OIDCState, SSO_AUTH_EXPIRATION};
+
+use diesel::deserialize::FromSql;
+use diesel::expression::AsExpression;
+use diesel::prelude::*;
+use diesel::serialize::{Output, ToSql};
+use diesel::sql_types::Text;
+
+#[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
+#[diesel(sql_type = Text)]
+pub enum OIDCCodeWrapper {
+    Ok {
+        code: OIDCCode,
+    },
+    Error {
+        error: String,
+        error_description: Option<String>,
+    },
+}
+
+impl_FromToSqlText!(OIDCCodeWrapper);
+
+#[derive(AsExpression, Clone, Debug, Serialize, Deserialize, FromSqlRow)]
+#[diesel(sql_type = Text)]
+pub struct OIDCAuthenticatedUser {
+    pub refresh_token: Option<String>,
+    pub access_token: String,
+    pub expires_in: Option<Duration>,
+    pub identifier: OIDCIdentifier,
+    pub email: String,
+    pub email_verified: Option<bool>,
+    pub user_name: Option<String>,
+}
+
+impl_FromToSqlText!(OIDCAuthenticatedUser);
+
+#[derive(Identifiable, Queryable, Insertable, AsChangeset, Selectable)]
+#[diesel(table_name = sso_auth)]
+#[diesel(treat_none_as_null = true)]
+#[diesel(primary_key(state))]
+pub struct SsoAuth {
+    pub state: OIDCState,
+    pub client_challenge: OIDCCodeChallenge,
+    pub nonce: String,
+    pub redirect_uri: String,
+    pub code_response: Option<OIDCCodeWrapper>,
+    pub auth_response: Option<OIDCAuthenticatedUser>,
+    pub created_at: NaiveDateTime,
+    pub updated_at: NaiveDateTime,
+}
+
+/// Local methods
+impl SsoAuth {
+    pub fn new(state: OIDCState, client_challenge: OIDCCodeChallenge, nonce: String, redirect_uri: String) -> Self {
+        let now = Utc::now().naive_utc();
+
+        SsoAuth {
+            state,
+            client_challenge,
+            nonce,
+            redirect_uri,
+            created_at: now,
+            updated_at: now,
+            code_response: None,
+            auth_response: None,
+        }
+    }
+}
+
+/// Database methods
+impl SsoAuth {
+    pub async fn save(&self, conn: &DbConn) -> EmptyResult {
+        db_run! { conn:
+            mysql {
+                diesel::insert_into(sso_auth::table)
+                    .values(self)
+                    .on_conflict(diesel::dsl::DuplicatedKeys)
+                    .do_update()
+                    .set(self)
+                    .execute(conn)
+                    .map_res("Error saving SSO auth")
+            }
+            postgresql, sqlite {
+                diesel::insert_into(sso_auth::table)
+                    .values(self)
+                    .on_conflict(sso_auth::state)
+                    .do_update()
+                    .set(self)
+                    .execute(conn)
+                    .map_res("Error saving SSO auth")
+            }
+        }
+    }
+
+    pub async fn find(state: &OIDCState, conn: &DbConn) -> Option<Self> {
+        let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
+        db_run! { conn: {
+            sso_auth::table
+                .filter(sso_auth::state.eq(state))
+                .filter(sso_auth::created_at.ge(oldest))
+                .first::<Self>(conn)
+                .ok()
+        }}
+    }
+
+    pub async fn delete(self, conn: &DbConn) -> EmptyResult {
+        db_run! {conn: {
+            diesel::delete(sso_auth::table.filter(sso_auth::state.eq(self.state)))
+                .execute(conn)
+                .map_res("Error deleting sso_auth")
+        }}
+    }
+
+    pub async fn delete_expired(pool: DbPool) -> EmptyResult {
+        debug!("Purging expired sso_auth");
+        if let Ok(conn) = pool.get().await {
+            let oldest = Utc::now().naive_utc() - *SSO_AUTH_EXPIRATION;
+            db_run! { conn: {
+                diesel::delete(sso_auth::table.filter(sso_auth::created_at.lt(oldest)))
+                    .execute(conn)
+                    .map_res("Error deleting expired SSO nonce")
+            }}
+        } else {
+            err!("Failed to get DB connection while purging expired sso_auth")
+        }
+    }
+}
@@ -1,87 +0,0 @@
-use chrono::{NaiveDateTime, Utc};
-
-use crate::api::EmptyResult;
-use crate::db::schema::sso_nonce;
-use crate::db::{DbConn, DbPool};
-use crate::error::MapResult;
-use crate::sso::{OIDCState, NONCE_EXPIRATION};
-use diesel::prelude::*;
-
-#[derive(Identifiable, Queryable, Insertable)]
-#[diesel(table_name = sso_nonce)]
-#[diesel(primary_key(state))]
-pub struct SsoNonce {
-    pub state: OIDCState,
-    pub nonce: String,
-    pub verifier: Option<String>,
-    pub redirect_uri: String,
-    pub created_at: NaiveDateTime,
-}
-
-/// Local methods
-impl SsoNonce {
-    pub fn new(state: OIDCState, nonce: String, verifier: Option<String>, redirect_uri: String) -> Self {
-        let now = Utc::now().naive_utc();
-
-        SsoNonce {
-            state,
-            nonce,
-            verifier,
-            redirect_uri,
-            created_at: now,
-        }
-    }
-}
-
-/// Database methods
-impl SsoNonce {
-    pub async fn save(&self, conn: &DbConn) -> EmptyResult {
-        db_run! { conn:
-            sqlite, mysql {
-                diesel::replace_into(sso_nonce::table)
-                    .values(self)
-                    .execute(conn)
-                    .map_res("Error saving SSO nonce")
-            }
-            postgresql {
-                diesel::insert_into(sso_nonce::table)
-                    .values(self)
-                    .execute(conn)
-                    .map_res("Error saving SSO nonce")
-            }
-        }
-    }
-
-    pub async fn delete(state: &OIDCState, conn: &DbConn) -> EmptyResult {
-        db_run! { conn: {
-            diesel::delete(sso_nonce::table.filter(sso_nonce::state.eq(state)))
-                .execute(conn)
-                .map_res("Error deleting SSO nonce")
-        }}
-    }
-
-    pub async fn find(state: &OIDCState, conn: &DbConn) -> Option<Self> {
-        let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
-        db_run! { conn: {
-            sso_nonce::table
-                .filter(sso_nonce::state.eq(state))
-                .filter(sso_nonce::created_at.ge(oldest))
-                .first::<Self>(conn)
-                .ok()
-        }}
-    }
-
-    pub async fn delete_expired(pool: DbPool) -> EmptyResult {
-        debug!("Purging expired sso_nonce");
-        if let Ok(conn) = pool.get().await {
-            let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
-            db_run! { conn: {
-                diesel::delete(sso_nonce::table.filter(sso_nonce::created_at.lt(oldest)))
-                    .execute(conn)
-                    .map_res("Error deleting expired SSO nonce")
-            }}
-        } else {
-            err!("Failed to get DB connection while purging expired sso_nonce")
-        }
-    }
-}
@@ -1,4 +1,4 @@
-use crate::db::schema::{devices, invitations, sso_users, users};
+use crate::db::schema::{invitations, sso_users, twofactor_incomplete, users};
 use chrono::{NaiveDateTime, TimeDelta, Utc};
 use derive_more::{AsRef, Deref, Display, From};
 use diesel::prelude::*;
@@ -10,8 +10,7 @@ use super::{
 use crate::{
    api::EmptyResult,
    crypto,
-    db::models::DeviceId,
-    db::DbConn,
+    db::{models::DeviceId, DbConn},
    error::MapResult,
    sso::OIDCIdentifier,
    util::{format_date, get_uuid, retry},
@@ -387,15 +386,18 @@ impl User {
        }}
    }

-    pub async fn find_by_device_id(device_uuid: &DeviceId, conn: &DbConn) -> Option<Self> {
-        db_run! { conn: {
-            users::table
-                .inner_join(devices::table.on(devices::user_uuid.eq(users::uuid)))
-                .filter(devices::uuid.eq(device_uuid))
-                .select(users::all_columns)
-                .first::<Self>(conn)
+    pub async fn find_by_device_for_email2fa(device_uuid: &DeviceId, conn: &DbConn) -> Option<Self> {
+        if let Some(user_uuid) = db_run! ( conn: {
+            twofactor_incomplete::table
+                .filter(twofactor_incomplete::device_uuid.eq(device_uuid))
+                .order_by(twofactor_incomplete::login_time.desc())
+                .select(twofactor_incomplete::user_uuid)
+                .first::<UserId>(conn)
                .ok()
-        }}
+        }) {
+            return Self::find_by_uuid(&user_uuid, conn).await;
+        }
+        None
    }

    pub async fn get_all(conn: &DbConn) -> Vec<(Self, Option<SsoUser>)> {
@@ -256,12 +256,15 @@ table! {
 }

 table! {
-    sso_nonce (state) {
+    sso_auth (state) {
        state -> Text,
+        client_challenge -> Text,
        nonce -> Text,
-        verifier -> Nullable<Text>,
        redirect_uri -> Text,
+        code_response -> Nullable<Text>,
+        auth_response -> Nullable<Text>,
        created_at -> Timestamp,
+        updated_at -> Timestamp,
    }
 }

@@ -185,7 +185,10 @@ impl CustomDnsResolver {

    fn new() -> Arc<Self> {
        match TokioResolver::builder(TokioConnectionProvider::default()) {
-            Ok(builder) => {
+            Ok(mut builder) => {
+                if CONFIG.dns_prefer_ipv6() {
+                    builder.options_mut().ip_strategy = hickory_resolver::config::LookupIpStrategy::Ipv6thenIpv4;
+                }
                let resolver = builder.build();
                Arc::new(Self::Hickory(Arc::new(resolver)))
            }
@@ -705,7 +705,7 @@ async fn send_with_selected_transport(email: Message) -> EmptyResult {
 }

 async fn send_email(address: &str, subject: &str, body_html: String, body_text: String) -> EmptyResult {
-    let smtp_from = &CONFIG.smtp_from();
+    let smtp_from = Address::from_str(&CONFIG.smtp_from())?;

    let body = if CONFIG.smtp_embed_images() {
        let logo_gray_body = Body::new(crate::api::static_files("logo-gray.png").unwrap().1.to_vec());
@@ -727,9 +727,9 @@ async fn send_email(address: &str, subject: &str, body_html: String, body_text:
    };

    let email = Message::builder()
-        .message_id(Some(format!("<{}@{}>", crate::util::get_uuid(), smtp_from.split('@').collect::<Vec<&str>>()[1])))
+        .message_id(Some(format!("<{}@{}>", crate::util::get_uuid(), smtp_from.domain())))
        .to(Mailbox::new(None, Address::from_str(address)?))
-        .from(Mailbox::new(Some(CONFIG.smtp_from_name()), Address::from_str(smtp_from)?))
+        .from(Mailbox::new(Some(CONFIG.smtp_from_name()), smtp_from))
        .subject(subject)
        .multipart(body)?;

@@ -246,8 +246,8 @@ fn init_logging() -> Result<log::LevelFilter, Error> {
                    .split(',')
                    .collect::<Vec<&str>>()
                    .into_iter()
-                    .flat_map(|s| match s.split('=').collect::<Vec<&str>>()[..] {
-                        [log, lvl_str] => log::LevelFilter::from_str(lvl_str).ok().map(|lvl| (log, lvl)),
+                    .flat_map(|s| match s.split_once('=') {
+                        Some((log, lvl_str)) => log::LevelFilter::from_str(lvl_str).ok().map(|lvl| (log, lvl)),
                        _ => None,
                    })
                    .collect()
@@ -699,10 +699,10 @@ fn schedule_jobs(pool: db::DbPool) {
                }));
            }

-            // Purge sso nonce from incomplete flow (default to daily at 00h20).
-            if !CONFIG.purge_incomplete_sso_nonce().is_empty() {
-                sched.add(Job::new(CONFIG.purge_incomplete_sso_nonce().parse().unwrap(), || {
-                    runtime.spawn(db::models::SsoNonce::delete_expired(pool.clone()));
+            // Purge sso auth from incomplete flow (default to daily at 00h20).
+            if !CONFIG.purge_incomplete_sso_auth().is_empty() {
+                sched.add(Job::new(CONFIG.purge_incomplete_sso_auth().parse().unwrap(), || {
+                    runtime.spawn(db::models::SsoAuth::delete_expired(pool.clone()));
                }));
            }

@@ -1,8 +1,7 @@
 use std::{sync::LazyLock, time::Duration};

 use chrono::Utc;
-use derive_more::{AsRef, Deref, Display, From};
-use mini_moka::sync::Cache;
+use derive_more::{AsRef, Deref, Display, From, Into};
 use regex::Regex;
 use url::Url;

@@ -11,7 +10,7 @@ use crate::{
    auth,
    auth::{AuthMethod, AuthTokens, TokenWrapper, BW_EXPIRATION, DEFAULT_REFRESH_VALIDITY},
    db::{
-        models::{Device, SsoNonce, User},
+        models::{Device, OIDCAuthenticatedUser, OIDCCodeWrapper, SsoAuth, SsoUser, User},
        DbConn,
    },
    sso_client::Client,
@@ -20,12 +19,10 @@ use crate::{

 pub static FAKE_IDENTIFIER: &str = "VW_DUMMY_IDENTIFIER_FOR_OIDC";

-static AC_CACHE: LazyLock<Cache<OIDCState, AuthenticatedUser>> =
-    LazyLock::new(|| Cache::builder().max_capacity(1000).time_to_live(Duration::from_secs(10 * 60)).build());
-
 static SSO_JWT_ISSUER: LazyLock<String> = LazyLock::new(|| format!("{}|sso", CONFIG.domain_origin()));

-pub static NONCE_EXPIRATION: LazyLock<chrono::Duration> = LazyLock::new(|| chrono::TimeDelta::try_minutes(10).unwrap());
+pub static SSO_AUTH_EXPIRATION: LazyLock<chrono::Duration> =
+    LazyLock::new(|| chrono::TimeDelta::try_minutes(10).unwrap());

 #[derive(
    Clone,
@@ -47,6 +44,47 @@ pub static NONCE_EXPIRATION: LazyLock<chrono::Duration> = LazyLock::new(|| chron
 #[from(forward)]
 pub struct OIDCCode(String);

+#[derive(
+    Clone,
+    Debug,
+    Default,
+    DieselNewType,
+    FromForm,
+    PartialEq,
+    Eq,
+    Hash,
+    Serialize,
+    Deserialize,
+    AsRef,
+    Deref,
+    Display,
+    From,
+    Into,
+)]
+#[deref(forward)]
+#[into(owned)]
+pub struct OIDCCodeChallenge(String);
+
+#[derive(
+    Clone,
+    Debug,
+    Default,
+    DieselNewType,
+    FromForm,
+    PartialEq,
+    Eq,
+    Hash,
+    Serialize,
+    Deserialize,
+    AsRef,
+    Deref,
+    Display,
+    Into,
+)]
+#[deref(forward)]
+#[into(owned)]
+pub struct OIDCCodeVerifier(String);
+
 #[derive(
    Clone,
    Debug,
@@ -91,40 +129,6 @@ pub fn encode_ssotoken_claims() -> String {
    auth::encode_jwt(&claims)
 }

-#[derive(Debug, Serialize, Deserialize)]
-pub enum OIDCCodeWrapper {
-    Ok {
-        state: OIDCState,
-        code: OIDCCode,
-    },
-    Error {
-        state: OIDCState,
-        error: String,
-        error_description: Option<String>,
-    },
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-struct OIDCCodeClaims {
-    // Expiration time
-    pub exp: i64,
-    // Issuer
-    pub iss: String,
-
-    pub code: OIDCCodeWrapper,
-}
-
-pub fn encode_code_claims(code: OIDCCodeWrapper) -> String {
-    let time_now = Utc::now();
-    let claims = OIDCCodeClaims {
-        exp: (time_now + chrono::TimeDelta::try_minutes(5).unwrap()).timestamp(),
-        iss: SSO_JWT_ISSUER.to_string(),
-        code,
-    };
-
-    auth::encode_jwt(&claims)
-}
-
 #[derive(Clone, Debug, Serialize, Deserialize)]
 struct BasicTokenClaims {
    iat: Option<i64>,
@@ -132,6 +136,12 @@ struct BasicTokenClaims {
    exp: i64,
 }

+#[derive(Deserialize)]
+struct BasicTokenClaimsValidation {
+    exp: u64,
+    iss: String,
+}
+
 impl BasicTokenClaims {
    fn nbf(&self) -> i64 {
        self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp())
@@ -139,13 +149,23 @@ impl BasicTokenClaims {
 }

 fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenClaims> {
-    let mut validation = jsonwebtoken::Validation::default();
-    validation.set_issuer(&[CONFIG.sso_authority()]);
-    validation.insecure_disable_signature_validation();
-    validation.validate_aud = false;
+    // We need to manually validate this token, since `insecure_decode` does not do this
+    match jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaimsValidation>(token) {
+        Ok(btcv) => {
+            let now = jsonwebtoken::get_current_timestamp();
+            let validate_claim = btcv.claims;
+            // Validate the exp in the claim with a leeway of 60 seconds, same as jsonwebtoken does
+            if validate_claim.exp < now - 60 {
+                err_silent!(format!("Expired Signature for base token claim from {token_name}"))
+            }
+            if validate_claim.iss.ne(&CONFIG.sso_authority()) {
+                err_silent!(format!("Invalid Issuer for base token claim from {token_name}"))
+            }

-    match jsonwebtoken::decode(token, &jsonwebtoken::DecodingKey::from_secret(&[]), &validation) {
-        Ok(btc) => Ok(btc.claims),
+            // All is validated and ok, lets decode again using the wanted struct
+            let btc = jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaims>(token).unwrap();
+            Ok(btc.claims)
+        }
        Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")),
    }
 }
@@ -162,9 +182,14 @@ pub fn decode_state(base64_state: &str) -> ApiResult<OIDCState> {
    Ok(state)
 }

-// The `nonce` allow to protect against replay attacks
 // redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs
-pub async fn authorize_url(state: OIDCState, client_id: &str, raw_redirect_uri: &str, conn: DbConn) -> ApiResult<Url> {
+pub async fn authorize_url(
+    state: OIDCState,
+    client_challenge: OIDCCodeChallenge,
+    client_id: &str,
+    raw_redirect_uri: &str,
+    conn: DbConn,
+) -> ApiResult<Url> {
    let redirect_uri = match client_id {
        "web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
        "desktop" | "mobile" => "bitwarden://sso-callback".to_string(),
@@ -178,8 +203,8 @@ pub async fn authorize_url(state: OIDCState, client_id: &str, raw_redirect_uri:
        _ => err!(format!("Unsupported client {client_id}")),
    };

-    let (auth_url, nonce) = Client::authorize_url(state, redirect_uri).await?;
-    nonce.save(&conn).await?;
+    let (auth_url, sso_auth) = Client::authorize_url(state, client_challenge, redirect_uri).await?;
+    sso_auth.save(&conn).await?;
    Ok(auth_url)
 }

@@ -209,78 +234,45 @@ impl OIDCIdentifier {
    }
 }

-#[derive(Clone, Debug)]
-pub struct AuthenticatedUser {
-    pub refresh_token: Option<String>,
-    pub access_token: String,
-    pub expires_in: Option<Duration>,
-    pub identifier: OIDCIdentifier,
-    pub email: String,
-    pub email_verified: Option<bool>,
-    pub user_name: Option<String>,
-}
-
-#[derive(Clone, Debug)]
-pub struct UserInformation {
-    pub state: OIDCState,
-    pub identifier: OIDCIdentifier,
-    pub email: String,
-    pub email_verified: Option<bool>,
-    pub user_name: Option<String>,
-}
-
-async fn decode_code_claims(code: &str, conn: &DbConn) -> ApiResult<(OIDCCode, OIDCState)> {
-    match auth::decode_jwt::<OIDCCodeClaims>(code, SSO_JWT_ISSUER.to_string()) {
-        Ok(code_claims) => match code_claims.code {
-            OIDCCodeWrapper::Ok {
-                state,
-                code,
-            } => Ok((code, state)),
-            OIDCCodeWrapper::Error {
-                state,
-                error,
-                error_description,
-            } => {
-                if let Err(err) = SsoNonce::delete(&state, conn).await {
-                    error!("Failed to delete database sso_nonce using {state}: {err}")
-                }
-                err!(format!(
-                    "SSO authorization failed: {error}, {}",
-                    error_description.as_ref().unwrap_or(&String::new())
-                ))
-            }
-        },
-        Err(err) => err!(format!("Failed to decode code wrapper: {err}")),
-    }
-}
-
 // During the 2FA flow we will
 //  - retrieve the user information and then only discover he needs 2FA.
-//  - second time we will rely on the `AC_CACHE` since the `code` has already been exchanged.
-// The `nonce` will ensure that the user is authorized only once.
-// We return only the `UserInformation` to force calling `redeem` to obtain the `refresh_token`.
-pub async fn exchange_code(wrapped_code: &str, conn: &DbConn) -> ApiResult<UserInformation> {
+//  - second time we will rely on `SsoAuth.auth_response` since the `code` has already been exchanged.
+// The `SsoAuth` will ensure that the user is authorized only once.
+pub async fn exchange_code(
+    state: &OIDCState,
+    client_verifier: OIDCCodeVerifier,
+    conn: &DbConn,
+) -> ApiResult<(SsoAuth, OIDCAuthenticatedUser)> {
    use openidconnect::OAuth2TokenResponse;

-    let (code, state) = decode_code_claims(wrapped_code, conn).await?;
+    let mut sso_auth = match SsoAuth::find(state, conn).await {
+        None => err!(format!("Invalid state cannot retrieve sso auth")),
+        Some(sso_auth) => sso_auth,
+    };

-    if let Some(authenticated_user) = AC_CACHE.get(&state) {
-        return Ok(UserInformation {
-            state,
-            identifier: authenticated_user.identifier,
-            email: authenticated_user.email,
-            email_verified: authenticated_user.email_verified,
-            user_name: authenticated_user.user_name,
-        });
+    if let Some(authenticated_user) = sso_auth.auth_response.clone() {
+        return Ok((sso_auth, authenticated_user));
    }

-    let nonce = match SsoNonce::find(&state, conn).await {
-        None => err!(format!("Invalid state cannot retrieve nonce")),
-        Some(nonce) => nonce,
+    let code = match sso_auth.code_response.clone() {
+        Some(OIDCCodeWrapper::Ok {
+            code,
+        }) => code.clone(),
+        Some(OIDCCodeWrapper::Error {
+            error,
+            error_description,
+        }) => {
+            sso_auth.delete(conn).await?;
+            err!(format!("SSO authorization failed: {error}, {}", error_description.as_ref().unwrap_or(&String::new())))
+        }
+        None => {
+            sso_auth.delete(conn).await?;
+            err!("Missing authorization provider return");
+        }
    };

    let client = Client::cached().await?;
-    let (token_response, id_claims) = client.exchange_code(code, nonce).await?;
+    let (token_response, id_claims) = client.exchange_code(code, client_verifier, &sso_auth).await?;

    let user_info = client.user_info(token_response.access_token().to_owned()).await?;

@@ -300,7 +292,7 @@ pub async fn exchange_code(wrapped_code: &str, conn: &DbConn) -> ApiResult<UserI

    let identifier = OIDCIdentifier::new(id_claims.issuer(), id_claims.subject());

-    let authenticated_user = AuthenticatedUser {
+    let authenticated_user = OIDCAuthenticatedUser {
        refresh_token: refresh_token.cloned(),
        access_token: token_response.access_token().secret().clone(),
        expires_in: token_response.expires_in(),
@@ -311,29 +303,49 @@ pub async fn exchange_code(wrapped_code: &str, conn: &DbConn) -> ApiResult<UserI
    };

    debug!("Authenticated user {authenticated_user:?}");
+    sso_auth.auth_response = Some(authenticated_user.clone());
+    sso_auth.updated_at = Utc::now().naive_utc();
+    sso_auth.save(conn).await?;

-    AC_CACHE.insert(state.clone(), authenticated_user);
-
-    Ok(UserInformation {
-        state,
-        identifier,
-        email,
-        email_verified,
-        user_name,
-    })
+    Ok((sso_auth, authenticated_user))
 }

-// User has passed 2FA flow we can delete `nonce` and clear the cache.
-pub async fn redeem(state: &OIDCState, conn: &DbConn) -> ApiResult<AuthenticatedUser> {
-    if let Err(err) = SsoNonce::delete(state, conn).await {
-        error!("Failed to delete database sso_nonce using {state}: {err}")
+// User has passed 2FA flow we can delete auth info from database
+pub async fn redeem(
+    device: &Device,
+    user: &User,
+    client_id: Option<String>,
+    sso_user: Option<SsoUser>,
+    sso_auth: SsoAuth,
+    auth_user: OIDCAuthenticatedUser,
+    conn: &DbConn,
+) -> ApiResult<AuthTokens> {
+    sso_auth.delete(conn).await?;
+
+    if sso_user.is_none() {
+        let user_sso = SsoUser {
+            user_uuid: user.uuid.clone(),
+            identifier: auth_user.identifier.clone(),
+        };
+        user_sso.save(conn).await?;
    }

-    if let Some(au) = AC_CACHE.get(state) {
-        AC_CACHE.invalidate(state);
-        Ok(au)
+    if !CONFIG.sso_auth_only_not_session() {
+        let now = Utc::now();
+
+        let (ap_nbf, ap_exp) =
+            match (decode_token_claims("access_token", &auth_user.access_token), auth_user.expires_in) {
+                (Ok(ap), _) => (ap.nbf(), ap.exp),
+                (Err(_), Some(exp)) => (now.timestamp(), (now + exp).timestamp()),
+                _ => err!("Non jwt access_token and empty expires_in"),
+            };
+
+        let access_claims =
+            auth::LoginJwtClaims::new(device, user, ap_nbf, ap_exp, AuthMethod::Sso.scope_vec(), client_id, now);
+
+        _create_auth_tokens(device, auth_user.refresh_token, access_claims, auth_user.access_token)
    } else {
-        err!("Failed to retrieve user info from sso cache")
+        Ok(AuthTokens::new(device, user, AuthMethod::Sso, client_id))
    }
 }

@@ -7,8 +7,8 @@ use url::Url;

 use crate::{
    api::{ApiResult, EmptyResult},
-    db::models::SsoNonce,
-    sso::{OIDCCode, OIDCState},
+    db::models::SsoAuth,
+    sso::{OIDCCode, OIDCCodeChallenge, OIDCCodeVerifier, OIDCState},
    CONFIG,
 };

@@ -107,7 +107,11 @@ impl Client {
    }

    // The `state` is encoded using base64 to ensure no issue with providers (It contains the Organization identifier).
-    pub async fn authorize_url(state: OIDCState, redirect_uri: String) -> ApiResult<(Url, SsoNonce)> {
+    pub async fn authorize_url(
+        state: OIDCState,
+        client_challenge: OIDCCodeChallenge,
+        redirect_uri: String,
+    ) -> ApiResult<(Url, SsoAuth)> {
        let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
        let base64_state = data_encoding::BASE64.encode(state.to_string().as_bytes());

@@ -122,22 +126,21 @@ impl Client {
            .add_scopes(scopes)
            .add_extra_params(CONFIG.sso_authorize_extra_params_vec());

-        let verifier = if CONFIG.sso_pkce() {
-            let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
-            auth_req = auth_req.set_pkce_challenge(pkce_challenge);
-            Some(pkce_verifier.into_secret())
-        } else {
-            None
-        };
+        if CONFIG.sso_pkce() {
+            auth_req = auth_req
+                .add_extra_param::<&str, String>("code_challenge", client_challenge.clone().into())
+                .add_extra_param("code_challenge_method", "S256");
+        }

        let (auth_url, _, nonce) = auth_req.url();
-        Ok((auth_url, SsoNonce::new(state, nonce.secret().clone(), verifier, redirect_uri)))
+        Ok((auth_url, SsoAuth::new(state, client_challenge, nonce.secret().clone(), redirect_uri)))
    }

    pub async fn exchange_code(
        &self,
        code: OIDCCode,
-        nonce: SsoNonce,
+        client_verifier: OIDCCodeVerifier,
+        sso_auth: &SsoAuth,
    ) -> ApiResult<(
        StandardTokenResponse<
            IdTokenFields<
@@ -155,17 +158,21 @@ impl Client {

        let mut exchange = self.core_client.exchange_code(oidc_code);

+        let verifier = PkceCodeVerifier::new(client_verifier.into());
        if CONFIG.sso_pkce() {
-            match nonce.verifier {
-                None => err!(format!("Missing verifier in the DB nonce table")),
-                Some(secret) => exchange = exchange.set_pkce_verifier(PkceCodeVerifier::new(secret)),
+            exchange = exchange.set_pkce_verifier(verifier);
+        } else {
+            let challenge = PkceCodeChallenge::from_code_verifier_sha256(&verifier);
+            if challenge.as_str() != String::from(sso_auth.client_challenge.clone()) {
+                err!(format!("PKCE client challenge failed"))
+                // Might need to notify admin ? how ?
            }
        }

        match exchange.request_async(&self.http_client).await {
            Err(err) => err!(format!("Failed to contact token endpoint: {:?}", err)),
            Ok(token_response) => {
-                let oidc_nonce = Nonce::new(nonce.nonce);
+                let oidc_nonce = Nonce::new(sso_auth.nonce.clone());

                let id_token = match token_response.extra_fields().id_token() {
                    None => err!("Token response did not contain an id_token"),
@@ -1,6 +1,6 @@
 "use strict";
 /* eslint-env es2017, browser */
-/* exported BASE_URL, _post */
+/* exported BASE_URL, _post _delete */

 function getBaseUrl() {
    // If the base URL is `https://vaultwarden.example.com/base/path/admin/`,
@@ -1,6 +1,6 @@
 "use strict";
 /* eslint-env es2017, browser, jquery */
-/* global _post:readable, BASE_URL:readable, reload:readable, jdenticon:readable */
+/* global _post:readable, _delete:readable BASE_URL:readable, reload:readable, jdenticon:readable */

 function deleteUser(event) {
    event.preventDefault();
@@ -1,5 +1,5 @@
 /*!
-  * Bootstrap v5.3.7 (https://getbootstrap.com/)
+  * Bootstrap v5.3.8 (https://getbootstrap.com/)
  * Copyright 2011-2025 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors)
  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
  */
@@ -647,7 +647,7 @@
   * Constants
   */

-  const VERSION = '5.3.7';
+  const VERSION = '5.3.8';

  /**
   * Class definition
@@ -3690,9 +3690,6 @@
      this._element.setAttribute('aria-expanded', 'false');
      Manipulator.removeDataAttribute(this._menu, 'popper');
      EventHandler.trigger(this._element, EVENT_HIDDEN$5, relatedTarget);
-
-      // Explicitly return focus to the trigger element
-      this._element.focus();
    }
    _getConfig(config) {
      config = super._getConfig(config);
@@ -1,6 +1,6 @@
@charset "UTF-8";
 /*!
- * Bootstrap  v5.3.7 (https://getbootstrap.com/)
+ * Bootstrap  v5.3.8 (https://getbootstrap.com/)
 * Copyright 2011-2025 The Bootstrap Authors
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
 */
@@ -547,6 +547,10 @@ legend + * {
  -webkit-appearance: textfield;
  outline-offset: -2px;
 }
+[type=search]::-webkit-search-cancel-button {
+  cursor: pointer;
+  filter: grayscale(1);
+}

 /* rtl:raw:
 [type="tel"],
@@ -6208,6 +6212,7 @@ textarea.form-control-lg {
 .spinner-grow,
 .spinner-border {
  display: inline-block;
+  flex-shrink: 0;
  width: var(--bs-spinner-width);
  height: var(--bs-spinner-height);
  vertical-align: var(--bs-spinner-vertical-align);
@@ -4,20 +4,21 @@
 *
 * To rebuild or modify this file with the latest versions of the included
 * software please visit:
- *   https://datatables.net/download/#bs5/dt-2.3.2
+ *   https://datatables.net/download/#bs5/dt-2.3.5
 *
 * Included libraries:
- *   DataTables 2.3.2
+ *   DataTables 2.3.5
 */

 :root {
  --dt-row-selected: 13, 110, 253;
  --dt-row-selected-text: 255, 255, 255;
-  --dt-row-selected-link: 9, 10, 11;
+  --dt-row-selected-link: 228, 228, 228;
  --dt-row-stripe: 0, 0, 0;
  --dt-row-hover: 0, 0, 0;
  --dt-column-ordering: 0, 0, 0;
  --dt-header-align-items: center;
+  --dt-header-vertical-align: middle;
  --dt-html-background: white;
 }
 :root.dark {
@@ -112,7 +113,7 @@ table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order,
 table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order {
  position: relative;
  width: 12px;
-  height: 20px;
+  height: 24px;
 }
 table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
 table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:before,
@@ -144,7 +145,8 @@ table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before,
 table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
  opacity: 0.6;
 }
-table.dataTable thead > tr > th.sorting_desc_disabled span.dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled span.dt-column-order:before,
+table.dataTable thead > tr > th.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) span.dt-column-order:empty, table.dataTable thead > tr > th.sorting_desc_disabled span.dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled span.dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) span.dt-column-order:empty,
 table.dataTable thead > tr > td.sorting_desc_disabled span.dt-column-order:after,
 table.dataTable thead > tr > td.sorting_asc_disabled span.dt-column-order:before {
  display: none;
@@ -340,6 +342,7 @@ table.dataTable thead td,
 table.dataTable tfoot th,
 table.dataTable tfoot td {
  text-align: left;
+  vertical-align: var(--dt-header-vertical-align);
 }
 table.dataTable thead th.dt-head-left,
 table.dataTable thead td.dt-head-left,
@@ -422,10 +425,6 @@ table.dataTable tbody td.dt-body-nowrap {
  white-space: nowrap;
 }

-:root {
-  --dt-header-align-items: flex-end;
-}
-
 /*! Bootstrap 5 integration for DataTables
 *
 * ©2020 SpryMedia Ltd, all rights reserved.
@@ -453,7 +452,7 @@ table.table.dataTable > tbody > tr.selected > * {
  color: rgb(var(--dt-row-selected-text));
 }
 table.table.dataTable > tbody > tr.selected a {
-  color: rgb(9, 10, 11);
+  color: rgb(228, 228, 228);
  color: rgb(var(--dt-row-selected-link));
 }
 table.table.dataTable.table-striped > tbody > tr:nth-of-type(2n+1) > * {
@@ -11,26 +11,19 @@
    <script src="{{urlpath}}/vw_static/admin.js"></script>
 </head>
 <body>
-    <svg class="d-none">
+    <svg xmlns="http://www.w3.org/2000/svg" class="d-none">
        <symbol id="vw-icon-sun" viewBox="0 0 24 24">
-            <circle cx="12" cy="12" r="5" fill="currentColor"></circle>
-            <g stroke="currentColor" stroke-width="1.5" stroke-linecap="round">
-                <line x1="12" y1="2" x2="12" y2="5"></line>
-                <line x1="12" y1="19" x2="12" y2="22"></line>
-                <line x1="4.22" y1="4.22" x2="6.34" y2="6.34"></line>
-                <line x1="17.66" y1="17.66" x2="19.78" y2="19.78"></line>
-                <line x1="2" y1="12" x2="5" y2="12"></line>
-                <line x1="19" y1="12" x2="22" y2="12"></line>
-                <line x1="4.22" y1="19.78" x2="6.34" y2="17.66"></line>
-                <line x1="17.66" y1="6.34" x2="19.78" y2="4.22"></line>
+            <circle cx="12" cy="12" r="5" fill="currentColor"/>
+            <g stroke="currentColor" stroke-linecap="round" stroke-width="1.5">
+                <path d="M12 2v3M12 19v3M4.22 4.22l2.12 2.12M17.66 17.66l2.12 2.12M2 12h3M19 12h3M4.22 19.78l2.12-2.12M17.66 6.34l2.12-2.12"/>
            </g>
        </symbol>
-        <symbol id="vw-icon-moon" viewBox="0 0 32 32">
-            <path fill="currentColor" transform="translate(0,-1.2)" d="M25.2 27.3a11.2 11.2 0 0 1-6.6-20.5A13 13 0 1 0 29.6 25.5 11.6 11.6 0 0 1 25.2 27.3z"></path>
+        <symbol id="vw-icon-moon" viewBox="0 0 24 24">
+            <path fill="currentColor" stroke-width=".8" d="M18.4 17.8A9 8.6 0 0 1 13 2a10.5 10 0 1 0 9 14.4 9.4 9 0 0 1-3.6 1.4"/>
        </symbol>
        <symbol id="vw-icon-auto" viewBox="0 0 24 24">
-            <circle cx="12" cy="12" r="9" fill="none" stroke="currentColor" stroke-width="1.5"></circle>
-            <path fill="currentColor" d="M12 3a9 9 0 1 1 0 18V3z"></path>
+            <circle cx="12" cy="12" r="9" fill="none" stroke="currentColor" stroke-width="1.5"/>
+            <path fill="currentColor" d="M12 3a9 9 0 1 1 0 18Z"/>
        </symbol>
    </svg>
    <nav class="navbar navbar-expand-md navbar-dark bg-dark mb-4 shadow fixed-top">
@@ -61,7 +54,7 @@
                    </li>
                </ul>

-                <ul class="navbar-nav">
+                <ul class="navbar-nav mx-3">
                    <li class="nav-item dropdown">
                        <button
                            class="btn btn-link nav-link py-0 px-0 px-md-2 dropdown-toggle d-flex align-items-center"
@@ -1,4 +1,4 @@
-You have been removed from {{{org_name}}}
+Your access to {{{org_name}}} has been revoked
 <!---------------->
-Your user account has been removed from the *{{org_name}}* organization because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations or join with a different account.
+Your access to the *{{org_name}}* organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
 {{> email/email_footer_text }}
@@ -1,10 +1,10 @@
-You have been removed from {{{org_name}}}
+Your access to {{{org_name}}} has been revoked
 <!---------------->
 {{> email/email_header }}
 <table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
   <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
      <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
-         Your user account has been removed from the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{org_name}}</b> organization because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before you can re-join this organization you need to leave all other organizations or join with a different account.
+         Your access to the <b style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">{{org_name}}</b> organization has been revoked because you are a part of another organization. The {{org_name}} organization has enabled a policy that prevents users from being a part of multiple organizations. Before your access can be restored you need to leave all other organizations or join with a different account.
      </td>
   </tr>
 </table>
Author	SHA1	Message	Date
Daniel García	c28eab74dd	Cached config operations	2025-12-28 23:44:50 +01:00
Daniel García	eb2a56aea1	Update lockfile (#6600 )	2025-12-28 01:07:17 +01:00
Daniel García	a4907f3539	Add wrapped named variants to UserDecryptionOptions (#6598 )	2025-12-27 23:35:04 +01:00
Daniel	8801b47d80	Remove unnecessary output sharing between jobs (#6555 ) Split step into 2 parts, since only 1 part is needed in the build job	2025-12-23 16:27:53 +01:00
Daniel	1ae9dc4119	Simplify binary extraction (#6554 )	2025-12-23 16:26:28 +01:00
Mathijs van Veluw	02377eeac8	Update crates (#6585 ) Signed-off-by: BlackDex <black.dex@gmail.com>	2025-12-23 16:25:56 +01:00
Mathijs van Veluw	d9c75508c2	Fix posting cipher with readonly collections (#6578 ) * Fix posting cipher with readonly collections This fix will check if a collection is writeable for the user, and if not error out early instead of creating the cipher first and leaving it. It will also save some database transactions. Fixes #6562 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjust code to delete on error Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-12-21 18:51:58 +01:00
Mathijs van Veluw	0ab7784b06	Update web-vault to v2025.12.0 (#6577 ) Updated web-vault Updated one crate Signed-off-by: BlackDex <black.dex@gmail.com>	2025-12-21 00:01:30 +01:00
Daniel García	5c91058ba0	Add UserDecryptionOptions on /sync too (#6574 )	2025-12-20 00:37:46 +01:00
Mathijs van Veluw	229b58fe4e	Update crates and Rust (#6551 ) * Update crates and Rust - Updated all the crates - Updated Rust to v1.92.0 - Updated to Alpine v3.23 - Adjusted some nightly clippy lints Signed-off-by: BlackDex <black.dex@gmail.com> * Add new updates Signed-off-by: BlackDex <black.dex@gmail.com> * Updated more crates and fix mariadb Updated more crates Also removed older MariaDB library since Diesel has fixed this in the v2.3.5 version. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix icon-fetch error Signed-off-by: BlackDex <black.dex@gmail.com> * Update GHA workflows Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-12-19 17:38:13 +01:00
Daniel García	061d320c7f	Add new accountKeys and masterPasswordUnlock fields (#6572 ) * Add new accountKeys and masterPasswordUnlock fields * Fmt	2025-12-19 13:34:43 +01:00
Stefan Melmuk	2c73c6c2f2	support UriMatchDefaults policy (#6570 )	2025-12-19 12:07:58 +01:00
Daniel	b920caf285	Revert to gzip compression (#6566 ) - zstd support has been added in Docker v23 - Debian Bookworm/Bullseye ships with Docker v20.10 - Revert for now to maintain compatibility with older releases	2025-12-19 12:07:05 +01:00
Stefan Melmuk	57bdab1550	add empty /api/tasks endpoint (#6557 )	2025-12-14 15:32:21 +01:00
Daniel	b77c01b8bb	Further fixes for the release workflow (#6533 )	2025-12-07 16:07:07 +01:00
Mathijs van Veluw	9cca120fb3	Fix release workflow (#6532 )	2025-12-07 13:12:05 +01:00
Stefan Melmuk	4ad8baf7be	fix email as 2fa for sso (#6495 ) * fix email as 2fa for sso * allow saving device without updating `updated_at` * check if email is some * allow device to be saved in postgresql * use twofactor_incomplete table * no need to update device.updated_at	2025-12-06 22:22:33 +01:00
Timshel	8f689d8795	Improve sso auth flow (#6205 ) Co-authored-by: Timshel <timshel@users.noreply.github.com>	2025-12-06 22:20:04 +01:00
Timshel	2d91a9460b	Fix admin invite with SSO (#6498 ) Co-authored-by: Timshel <timshel@users.noreply.github.com>	2025-12-06 22:14:20 +01:00
Timshel	e81e6a5060	Android want response property in camelCase (#6513 ) Co-authored-by: Timshel <timshel@480s>	2025-12-06 22:13:51 +01:00
Timshel	76d0856bbe	Org.put_policy type not in body anymore (#6514 ) Co-authored-by: Timshel <timshel@480s>	2025-12-06 22:12:46 +01:00
Timshel	f0e79fd391	Iterate over tags on release (#6518 ) Co-authored-by: Timshel <timshel@480s>	2025-12-06 22:12:25 +01:00
k725	5981705375	fix: typo (#6528 )	2025-12-06 22:11:58 +01:00
Mathijs van Veluw	07569a06da	Update crates and workflows and some fixes (#6508 ) - Updated all the crates except for Diesel. Diesel is pinned at v2.3.3 since newer versions break MySQL/MariaDB. - Updated all the GHA workflows - Fixed an issue with a migration breaking on an empty MySQL/MariaDB database. Signed-off-by: BlackDex <black.dex@gmail.com>	2025-11-30 15:16:23 +01:00
Mathijs van Veluw	cb2f5741ac	Some small admin js/css updates (#6501 ) * Some small admin js/css updates - Updated JS libraries - Fixed some eslint errors - Small update on the theme icon's to be a bit smaller and better sized. Used OXVG via OXVGUI to shrink and optimze them. Probably Fixes #6493 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjust the size of the moon to be more inline with the other icons Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-11-29 22:57:57 +01:00
Mathijs van Veluw	c9d527d84f	Add option to prefer IPv6 resolving (#6494 ) This PR adds an option to prefer IPv6 resolving before IPv4. On IPv6 only systems this could be very useful, but will not solve IPv4 only domains of course. For that you need a DNS64 + NAT64 solution Fixes #6301 Signed-off-by: BlackDex <black.dex@gmail.com>	2025-11-26 01:26:10 +01:00
Mathijs van Veluw	7c7f4f5d4f	Update crates and Rust version (#6485 ) * Update crates and Rust version - Update all crates (where possible) Adjusted code where needed - Fixed some nightly clippy lints Signed-off-by: BlackDex <black.dex@gmail.com> * Fix some issues/comments Signed-off-by: BlackDex <black.dex@gmail.com> * Update some crates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com> Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>	2025-11-23 22:03:30 +01:00
Stefan Melmuk	aad1f19b45	fix email as 2fa provider (#6473 )	2025-11-23 21:55:20 +01:00
Timshel	35e1a306f3	Fix around singleorg policy (#6247 ) Co-authored-by: Timshel <timshel@users.noreply.github.com>	2025-11-23 21:54:37 +01:00
Mathijs van Veluw	7f7b412220	Fix icon redirect caching (#6487 ) As reported in #6477, redirection of favicon's didn't allowed caching. This commit fixes this by adding the `Cached` wrapper around the response. It will use the same TTL's used for downloading icon's locally. Also removed `_` as valid domain character, these should not be used in FQDN's at all. Those only serve as special chars used in domain labels, mostly used in SRV or TXT records. Fixes #6477 Signed-off-by: BlackDex <black.dex@gmail.com>	2025-11-23 21:50:31 +01:00
Daniel	bb41f64c0a	Switch to multiple runners per arch (#6472 ) - now uses arm64 native runners for faster compilation	2025-11-23 21:48:23 +01:00