Test dylint

.dockerignore

@@ -5,7 +5,6 @@
 !.git
 !docker/healthcheck.sh
 !docker/start.sh
-!macros
 !migrations
 !src
 

.env.template

@@ -15,14 +15,6 @@
 ####################
 
 ## Main data folder
-## This can be a path to local folder or a path to an external location
-## depending on features enabled at build time. Possible external locations:
-##
-## - AWS S3 Bucket (via `s3` feature): s3://bucket-name/path/to/folder
-##
-## When using an external location, make sure to set TMP_FOLDER,
-## TEMPLATES_FOLDER, and DATABASE_URL to local paths and/or a remote database
-## location.
 # DATA_FOLDER=data
 
 ## Individual folders, these override %DATA_FOLDER%
@@ -30,13 +22,10 @@
 # ICON_CACHE_FOLDER=data/icon_cache
 # ATTACHMENTS_FOLDER=data/attachments
 # SENDS_FOLDER=data/sends
-
-## Temporary folder used for storing temporary file uploads
-## Must be a local path.
 # TMP_FOLDER=data/tmp
 
-## HTML template overrides data folder
-## Must be a local path.
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
 # TEMPLATES_FOLDER=data/templates
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false
@@ -50,9 +39,7 @@
 #########################
 
 ## Database URL
-## When using SQLite, this is the path to the DB file, and it defaults to
-## %DATA_FOLDER%/db.sqlite3. If DATA_FOLDER is set to an external location, this
-## must be set to a local sqlite3 file path.
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
 # DATABASE_URL=data/db.sqlite3
 ## When using MySQL, specify an appropriate connection URI.
 ## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
@@ -80,16 +67,8 @@
 ## Timeout when acquiring database connection
 # DATABASE_TIMEOUT=30
 
-## Database idle timeout
-## Timeout in seconds before idle connections to the database are closed.
-# DATABASE_IDLE_TIMEOUT=600
-
-## Database min connections
-## Define the minimum size of the connection pool used for connecting to the database.
-# DATABASE_MIN_CONNS=2
-
 ## Database max connections
-## Define the maximum size of the connection pool used for connecting to the database.
+## Define the size of the connection pool used for connecting to the database.
 # DATABASE_MAX_CONNS=10
 
 ## Database connection initialization
@@ -138,7 +117,7 @@
 ## and are always in terms of UTC time (regardless of your local time zone settings).
 ##
 ## The schedule format is a bit different from crontab as crontab does not contains seconds.
-## You can test the format here: https://crontab.guru, but remove the first digit!
+## You can test the the format here: https://crontab.guru, but remove the first digit!
 ## SEC  MIN   HOUR   DAY OF MONTH    MONTH   DAY OF WEEK
 ## "0   30   9,12,15     1,15       May-Aug  Mon,Wed,Fri"
 ## "0   30     *          *            *          *     "
@@ -182,10 +161,6 @@
 ## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
 ## Defaults to every minute. Set blank to disable this job.
 # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
-#
-## Cron schedule of the job that cleans sso auth from incomplete flow
-## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
-# PURGE_INCOMPLETE_SSO_AUTH="0 20 0 * * *"
 
 ########################
 ### General settings ###
@@ -254,8 +229,7 @@
 # SIGNUPS_ALLOWED=true
 
 ## Controls if new users need to verify their email address upon registration
-## On new client versions, this will require the user to verify their email at signup time.
-## On older clients, it will require the user to verify their email before they can log in.
+## Note that setting this option to true prevents logins until the email address has been verified!
 ## The welcome email will include a verification link, and login attempts will periodically
 ## trigger another verification email to be sent.
 # SIGNUPS_VERIFY=false
@@ -285,7 +259,7 @@
 ## A comma-separated list means only those users can create orgs:
 # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
 
-## Allows org admins to invite users, even when signups are disabled
+## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
 ## Name shown in the invitation emails that don't come from a specific organization
 # INVITATION_ORG_NAME=Vaultwarden
@@ -306,13 +280,12 @@
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000
 
-## Controls whether users can set or show password hints. This setting applies globally to all users.
+## Controls whether users can set password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true
 
 ## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured and password hints are allowed.
-## Not recommended for publicly-accessible instances because this provides
-## unauthenticated access to potentially sensitive data.
+## SMTP service is not configured. Not recommended for publicly-accessible instances
+## as this provides unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 
 #########################
@@ -348,46 +321,35 @@
 ## Default: 2592000 (30 days)
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
-## Default: 259200 (3 days)
+## Default: 2592000 (3 days)
 # ICON_CACHE_NEGTTL=259200
 
 ## Icon download timeout
 ## Configure the timeout value when downloading the favicons.
-## The default is 10 seconds, but this could be too low on slower network connections
+## The default is 10 seconds, but this could be to low on slower network connections
 # ICON_DOWNLOAD_TIMEOUT=10
 
 ## Block HTTP domains/IPs by Regex
 ## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
 ## Useful to hide other servers in the local network. Check the WIKI for more details
-## NOTE: Always enclose this regex within single quotes!
+## NOTE: Always enclose this regex withing single quotes!
 # HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
 
-## Enabling this will cause the internal HTTP client to refuse to connect to any non-global IP address.
+## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
 ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
 # HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
 
 ## Client Settings
 ## Enable experimental feature flags for clients.
 ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
-## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
 ##
 ## The following flags are available:
-## - "pm-5594-safari-account-switching": Enable account switching in Safari. (Safari >= 2026.2.0)
-## - "ssh-agent": Enable SSH agent support on Desktop. (Desktop >= 2024.12.0)
-## - "ssh-agent-v2": Enable newer SSH agent support. (Desktop >= 2026.2.1)
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Clients >= 2024.12.0)
-## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Desktop >= 2025.11.0)
-## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
-## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
-## - "mutual-tls": Enable the use of mutual TLS on Android (Clients >= 2025.2.0)
-## - "cxp-import-mobile": Enable the import via CXP on iOS (Clients >= 2025.9.2)
-## - "cxp-export-mobile": Enable the export via CXP on iOS (Clients >= 2025.9.2)
-## - "pm-30529-webauthn-related-origins":
-## - "desktop-ui-migration-milestone-1": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-## - "desktop-ui-migration-milestone-2": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-## - "desktop-ui-migration-milestone-3": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-## - "desktop-ui-migration-milestone-4": Special feature flag for desktop UI (Desktop >= 2026.2.0)
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=
+## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
+## - "autofill-v2": Use the new autofill implementation.
+## - "browser-fileless-import": Directly import credentials from other providers without a file.
+## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
+## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 
 ## Require new device emails. When a user logs in an email is required to be sent.
 ## If sending the email fails the login attempt will fail!!
@@ -445,14 +407,6 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 
-## Allowed connect-src (Know the risks!)
-## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
-## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
-## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
-## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
-## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
-# ALLOWED_CONNECT_SRC=""
-
 ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
 # LOGIN_RATELIMIT_SECONDS=60
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
@@ -478,60 +432,6 @@
 ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
 # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
 
-## Prefer IPv6 (AAAA) resolving
-## This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
-## This could be useful in IPv6 only environments.
-# DNS_PREFER_IPV6=false
-
-#####################################
-### SSO settings (OpenID Connect) ###
-#####################################
-
-## Controls whether users can login using an OpenID Connect identity provider
-# SSO_ENABLED=false
-
-## Prevent users from logging in directly without going through SSO
-# SSO_ONLY=false
-
-## On SSO Signup if a user with a matching email already exists make the association
-# SSO_SIGNUPS_MATCH_EMAIL=true
-
-## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
-# SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
-
-## Base URL of the OIDC server (auto-discovery is used)
-##  - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
-##  - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
-# SSO_AUTHORITY=https://auth.example.com
-
-## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
-# SSO_SCOPES="email profile"
-
-## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
-# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
-
-## Activate PKCE for the Auth Code flow.
-# SSO_PKCE=true
-
-## Regex for additional trusted Id token audience (by default only the client_id is trusted).
-# SSO_AUDIENCE_TRUSTED='^$'
-
-## Set your Client ID and Client Key
-# SSO_CLIENT_ID=11111
-# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
-
-## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
-# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
-
-## Use sso only for authentication not the session lifecycle
-# SSO_AUTH_ONLY_NOT_SESSION=false
-
-## Client cache for discovery endpoint. Duration in seconds (0 to disable).
-# SSO_CLIENT_CACHE_EXPIRATION=0
-
-## Log all the tokens, LOG_LEVEL=debug is required
-# SSO_DEBUG_TOKENS=false
-
 ########################
 ### MFA/2FA settings ###
 ########################
@@ -574,7 +474,7 @@
 ## Maximum attempts before an email token is reset and a new email will need to be sent.
 # EMAIL_ATTEMPTS_LIMIT=3
 ##
-## Setup email 2FA on registration regardless of any organization policy
+## Setup email 2FA regardless of any organization policy
 # EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
 ## Automatically setup email 2FA as fallback provider when needed
 # EMAIL_2FA_AUTO_FALLBACK=false
@@ -591,7 +491,7 @@
 ##
 ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
 ## we allow by default the TOTP code which was valid one step back and one in the future.
-## This can however allow attackers to be a bit more lucky with their attempts because there are 3 valid codes.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
 ## You can disable this, so that only the current TOTP Code is allowed.
 ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
 ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
@@ -631,7 +531,7 @@
 # SMTP_AUTH_MECHANISM=
 
 ## Server name sent during the SMTP HELO
-## By default this value should be the machine's hostname,
+## By default this value should be is on the machine's hostname,
 ## but might need to be changed in case it trips some anti-spam filters
 # HELO_NAME=
 

.gitattributes

@@ -1,2 +1,3 @@
 # Ignore vendored scripts in GitHub stats
 src/static/scripts/* linguist-vendored
+

.github/CODEOWNERS

@@ -1,6 +1,3 @@
 /.github @dani-garcia @BlackDex
-/.github/** @dani-garcia @BlackDex
 /.github/CODEOWNERS @dani-garcia @BlackDex
-/.github/ISSUE_TEMPLATE/** @dani-garcia @BlackDex
 /.github/workflows/** @dani-garcia @BlackDex
-/SECURITY.md @dani-garcia @BlackDex

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -8,30 +8,15 @@ body:
       value: |
         Thanks for taking the time to fill out this bug report!
 
-        Please **do not** submit feature requests or ask for help on how to configure Vaultwarden here!
+        Please *do not* submit feature requests or ask for help on how to configure Vaultwarden here.
 
         The [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions/) has sections for Questions and Ideas.
 
-        Our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki/) has topics on how to configure Vaultwarden.
-
         Also, make sure you are running [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest) of Vaultwarden!
+        And search for existing open or closed issues or discussions regarding your topic before posting.
 
         Be sure to check and validate the Vaultwarden Admin Diagnostics (`/admin/diagnostics`) page for any errors!
         See here [how to enable the admin page](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page).
-
-        > [!IMPORTANT]
-        > ## :bangbang: Search for existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) regarding your topic before posting! :bangbang:
-  #
-  - type: checkboxes
-    id: checklist
-    attributes:
-      label: Prerequisites
-      description: Please confirm you have completed the following before submitting an issue!
-      options:
-        - label: I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=)
-          required: true
-        - label: I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/)
-          required: true
   #
   - id: support-string
     type: textarea
@@ -51,7 +36,7 @@ body:
     attributes:
       label: Vaultwarden Build Version
       description: What version of Vaultwarden are you running?
-      placeholder: ex. v1.34.0 or v1.34.1-53f58b14
+      placeholder: ex. v1.31.0 or v1.32.0-3466a804
     validations:
       required: true
   #
@@ -82,7 +67,7 @@ body:
     attributes:
       label: Reverse Proxy
       description: Are you using a reverse proxy, if so which and what version?
-      placeholder: ex. nginx 1.29.0, caddy 2.10.0, traefik 3.4.4, haproxy 3.2
+      placeholder: ex. nginx 1.26.2, caddy 2.8.4, traefik 3.1.2, haproxy 3.0
     validations:
       required: true
   #
@@ -130,7 +115,7 @@ body:
     attributes:
       label: Client Version
       description: What version(s) of the client(s) are you seeing the problem on?
-      placeholder: ex. CLI v2025.7.0, Firefox 140 - v2025.6.1
+      placeholder: ex. CLI v2024.7.2, Firefox 130 - v2024.7.0
   #
   - id: reproduce
     type: textarea

.github/workflows/build.yml

@@ -1,9 +1,4 @@
 name: Build
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
 
 on:
   push:
@@ -18,8 +13,6 @@ on:
       - "diesel.toml"
       - "docker/Dockerfile.j2"
       - "docker/DockerSettings.yaml"
-      - "macros/**"
-
   pull_request:
     paths:
       - ".github/workflows/build.yml"
@@ -32,21 +25,16 @@ on:
       - "diesel.toml"
       - "docker/Dockerfile.j2"
       - "docker/DockerSettings.yaml"
-      - "macros/**"
-
-defaults:
-  run:
-    shell: bash
 
 jobs:
   build:
-    name: Build and Test ${{ matrix.channel }}
-    runs-on: ubuntu-24.04
+    # We use Ubuntu 22.04 here because this matches the library versions used within the Debian docker containers
+    runs-on: ubuntu-22.04
     timeout-minutes: 120
     # Make warnings errors, this is to prevent warnings slipping through.
     # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
     env:
-      RUSTFLAGS: "-Dwarnings"
+      RUSTFLAGS: "-D warnings"
     strategy:
       fail-fast: false
       matrix:
@@ -54,55 +42,62 @@ jobs:
           - "rust-toolchain" # The version defined in rust-toolchain
           - "msrv" # The supported MSRV
 
+    name: Build and Test ${{ matrix.channel }}
+
     steps:
+      # Checkout the repo
+      - name: "Checkout"
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+      # End Checkout the repo
+
+
       # Install dependencies
       - name: "Install dependencies Ubuntu"
         run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
       # End Install dependencies
 
-      # Checkout the repo
-      - name: "Checkout"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          fetch-depth: 0
-      # End Checkout the repo
 
       # Determine rust-toolchain version
       - name: Init Variables
         id: toolchain
-        env:
-          CHANNEL: ${{ matrix.channel }}
+        shell: bash
         run: |
-          if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then
-            RUST_TOOLCHAIN="$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)"
-          elif [[ "${CHANNEL}" == 'msrv' ]]; then
-            RUST_TOOLCHAIN="$(grep -m1 -oP 'rust-version\s.*"(\K.*?)(?=")' Cargo.toml)"
+          if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then
+            RUST_TOOLCHAIN="$(grep -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)"
+          elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then
+            RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)"
           else
-            RUST_TOOLCHAIN="${CHANNEL}"
+            RUST_TOOLCHAIN="${{ matrix.channel }}"
           fi
           echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}"
       # End Determine rust-toolchain version
 
 
-      - name: "Install toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
-        env:
-          CHANNEL: ${{ matrix.channel }}
-          RUST_TOOLCHAIN: ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
+      # Only install the clippy and rustfmt components on the default rust-toolchain
+      - name: "Install rust-toolchain version"
+        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        if: ${{ matrix.channel == 'rust-toolchain' }}
+        with:
+          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
+          components: clippy, rustfmt
+      # End Uses the rust-toolchain file to determine version
+
+
+      # Install the any other channel to be used for which we do not execute clippy and rustfmt
+      - name: "Install MSRV version"
+        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2
+        if: ${{ matrix.channel != 'rust-toolchain' }}
+        with:
+          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
+      # End Install the MSRV channel to be used
+
+      # Set the current matrix toolchain version as default
+      - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
         run: |
           # Remove the rust-toolchain.toml
           rm rust-toolchain.toml
-
-          # Install the correct toolchain version
-          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal --no-self-update
-
-          # If this matrix is the `rust-toolchain` flow, also install rustfmt and clippy
-          if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then
-            rustup component add --toolchain "${RUST_TOOLCHAIN}" rustfmt clippy
-          fi
-
-          # Set as the default toolchain
-          rustup default "${RUST_TOOLCHAIN}"
+          # Set the default
+          rustup default ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
 
       # Show environment
       - name: "Show environment"
@@ -112,68 +107,61 @@ jobs:
       # End Show environment
 
       # Enable Rust Caching
-      - name: Rust Caching
-        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
+      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
         with:
           # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
           # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
           # Only update when really needed! Use a <year>.<month>[.<inc>] format.
-          prefix-key: "v2025.09-rust"
+          prefix-key: "v2023.07-rust"
       # End Enable Rust Caching
 
       # Run cargo tests
       # First test all features together, afterwards test them separately.
-      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc,s3"
-        id: test_sqlite_mysql_postgresql_mimalloc_s3
-        if: ${{ !cancelled() }}
-        run: |
-          cargo test --profile ci --features sqlite,mysql,postgresql,enable_mimalloc,s3
-
       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
         id: test_sqlite_mysql_postgresql_mimalloc
-        if: ${{ !cancelled() }}
+        if: $${{ always() }}
         run: |
-          cargo test --profile ci --features sqlite,mysql,postgresql,enable_mimalloc
+          cargo test --features sqlite,mysql,postgresql,enable_mimalloc
 
       - name: "test features: sqlite,mysql,postgresql"
         id: test_sqlite_mysql_postgresql
-        if: ${{ !cancelled() }}
+        if: $${{ always() }}
         run: |
-          cargo test --profile ci --features sqlite,mysql,postgresql
+          cargo test --features sqlite,mysql,postgresql
 
       - name: "test features: sqlite"
         id: test_sqlite
-        if: ${{ !cancelled() }}
+        if: $${{ always() }}
         run: |
-          cargo test --profile ci --features sqlite
+          cargo test --features sqlite
 
       - name: "test features: mysql"
         id: test_mysql
-        if: ${{ !cancelled() }}
+        if: $${{ always() }}
         run: |
-          cargo test --profile ci --features mysql
+          cargo test --features mysql
 
       - name: "test features: postgresql"
         id: test_postgresql
-        if: ${{ !cancelled() }}
+        if: $${{ always() }}
         run: |
-          cargo test --profile ci --features postgresql
+          cargo test --features postgresql
       # End Run cargo tests
 
 
       # Run cargo clippy, and fail on warnings
-      - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc,s3"
+      - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
         id: clippy
-        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
         run: |
-          cargo clippy --profile ci --features sqlite,mysql,postgresql,enable_mimalloc,s3
+          cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
       # End Run cargo clippy
 
 
       # Run cargo fmt (Only run on rust-toolchain defined version)
       - name: "check formatting"
         id: formatting
-        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
         run: |
           cargo fmt --all -- --check
       # End Run cargo fmt
@@ -183,31 +171,21 @@ jobs:
       # This is useful so all test/clippy/fmt actions are done, and they can all be addressed
       - name: "Some checks failed"
         if: ${{ failure() }}
-        env:
-          TEST_DB_M_S3: ${{ steps.test_sqlite_mysql_postgresql_mimalloc_s3.outcome }}
-          TEST_DB_M: ${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}
-          TEST_DB: ${{ steps.test_sqlite_mysql_postgresql.outcome }}
-          TEST_SQLITE: ${{ steps.test_sqlite.outcome }}
-          TEST_MYSQL: ${{ steps.test_mysql.outcome }}
-          TEST_POSTGRESQL: ${{ steps.test_postgresql.outcome }}
-          CLIPPY: ${{ steps.clippy.outcome }}
-          FMT: ${{ steps.formatting.outcome }}
         run: |
-          echo "### :x: Checks Failed!" >> "${GITHUB_STEP_SUMMARY}"
-          echo "" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|Job|Status|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|---|------|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|test (sqlite,mysql,postgresql,enable_mimalloc,s3)|${TEST_DB_M_S3}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${TEST_DB_M}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|test (sqlite,mysql,postgresql)|${TEST_DB}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|test (sqlite)|${TEST_SQLITE}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|test (mysql)|${TEST_MYSQL}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|test (postgresql)|${TEST_POSTGRESQL}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc,s3)|${CLIPPY}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "|fmt|${FMT}|" >> "${GITHUB_STEP_SUMMARY}"
-          echo "" >> "${GITHUB_STEP_SUMMARY}"
-          echo "Please check the failed jobs and fix where needed." >> "${GITHUB_STEP_SUMMARY}"
-          echo "" >> "${GITHUB_STEP_SUMMARY}"
+          echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
+          echo "|---|------|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
           exit 1
 
 
@@ -216,5 +194,5 @@ jobs:
       - name: "All checks passed"
         if: ${{ success() }}
         run: |
-          echo "### :tada: Checks Passed!" >> "${GITHUB_STEP_SUMMARY}"
-          echo "" >> "${GITHUB_STEP_SUMMARY}"
+          echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY

.github/workflows/check-templates.yml

@@ -1,35 +0,0 @@
-name: Check templates
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-on: [ push, pull_request ]
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  docker-templates:
-    name: Validate docker templates
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30
-
-    steps:
-      # Checkout the repo
-      - name: "Checkout"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      # End Checkout the repo
-
-      - name: Run make to rebuild templates
-        working-directory: docker
-        run: make
-
-      - name: Check for unstaged changes
-        working-directory: docker
-        run: git diff --exit-code
-        continue-on-error: false

.github/workflows/hadolint.yml

@@ -1,26 +1,24 @@
 name: Hadolint
-permissions: {}
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-on: [ push, pull_request ]
-
-defaults:
-  run:
-    shell: bash
+on: [
+      push,
+      pull_request
+    ]
 
 jobs:
   hadolint:
     name: Validate Dockerfile syntax
     runs-on: ubuntu-24.04
     timeout-minutes: 30
-
     steps:
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+      # End Checkout the repo
+
       # Start Docker Buildx
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
         # https://github.com/moby/buildkit/issues/3969
         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
         with:
@@ -32,26 +30,23 @@ jobs:
 
       # Download hadolint - https://github.com/hadolint/hadolint/releases
       - name: Download hadolint
+        shell: bash
         run: |
           sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
           sudo chmod +x /usr/local/bin/hadolint
         env:
-          HADOLINT_VERSION: 2.14.0
+          HADOLINT_VERSION: 2.12.0
       # End Download hadolint
-      # Checkout the repo
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      # End Checkout the repo
 
       # Test Dockerfiles with hadolint
       - name: Run hadolint
+        shell: bash
         run: hadolint docker/Dockerfile.{debian,alpine}
       # End Test Dockerfiles with hadolint
 
       # Test Dockerfiles with docker build checks
       - name: Run docker build check
+        shell: bash
         run: |
           echo "Checking docker/Dockerfile.debian"
           docker build --check . -f docker/Dockerfile.debian

.github/workflows/release.yml

@@ -1,11 +1,4 @@
 name: Release
-permissions: {}
-
-concurrency:
-  # Apply concurrency control only on the upstream repo
-  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
-  # Don't cancel other runs when creating a tag
-  cancel-in-progress: ${{ github.ref_type == 'branch' }}
 
 on:
   push:
@@ -13,88 +6,90 @@ on:
       - main
 
     tags:
-      # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
-      - '[1-2].[0-9]+.[0-9]+'
-
-defaults:
-  run:
-    shell: bash
-
-# A "release" environment must be created in the repository settings
-# (Settings > Environments > New environment) with the following
-# variables and secrets configured as needed.
-#
-# Variables (only set the ones for registries you want to push to):
-#   DOCKERHUB_REPO: 'index.docker.io/<user>/<repo>'
-#   QUAY_REPO: 'quay.io/<user>/<repo>'
-#   GHCR_REPO: 'ghcr.io/<user>/<repo>'
-#
-# Secrets (only required when the corresponding *_REPO variable is set):
-#   DOCKERHUB_REPO => DOCKERHUB_USERNAME, DOCKERHUB_TOKEN
-#   QUAY_REPO      => QUAY_USERNAME, QUAY_TOKEN
-#   GITHUB_TOKEN is provided automatically
+      - '*'
 
 jobs:
-  docker-build:
-    name: Build Vaultwarden containers
+  # https://github.com/marketplace/actions/skip-duplicate-actions
+  # Some checks to determine if we need to continue with building a new docker.
+  # We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
+  skip_check:
+    runs-on: ubuntu-24.04
     if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
-    environment: 
-      name: release
-      deployment: false
-    permissions:
-      packages: write # Needed to upload packages and artifacts
-      contents: read
-      attestations: write # Needed to generate an artifact attestation for a build
-      id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
-    runs-on: ${{ contains(matrix.arch, 'arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    outputs:
+      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+    steps:
+      - name: Skip Duplicates Actions
+        id: skip_check
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
+        with:
+          cancel_others: 'true'
+        # Only run this when not creating a tag
+        if: ${{ github.ref_type == 'branch' }}
+
+  docker-build:
+    runs-on: ubuntu-24.04
     timeout-minutes: 120
+    needs: skip_check
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
+    # Start a local docker registry to extract the final Alpine static build binaries
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     env:
       SOURCE_COMMIT: ${{ github.sha }}
       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
+      # The *_REPO variables need to be configured as repository variables
+      # Append `/settings/variables/actions` to your repo url
+      # DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
+      # Check for Docker hub credentials in secrets
+      HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+      # GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
+      # Check for Github credentials in secrets
+      HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
+      # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
+      # Check for Quay.io credentials in secrets
+      HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
     strategy:
       matrix:
-        arch: ["amd64", "arm64", "arm/v7", "arm/v6"]
         base_image: ["debian","alpine"]
 
     steps:
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        with:
+          fetch-depth: 0
+
       - name: Initialize QEMU binfmt support
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
         with:
           platforms: "arm64,arm"
 
       # Start Docker Buildx
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
         # https://github.com/moby/buildkit/issues/3969
         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
         with:
-          cache-binary: false
           buildkitd-config-inline: |
             [worker.oci]
               max-parallelism = 2
           driver-opts: |
             network=host
 
-      # Checkout the repo
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        # We need fetch-depth of 0 so we also get all the tag metadata
-        with:
-          persist-credentials: false
-          fetch-depth: 0
-
-      # Normalize the architecture string for use in paths and cache keys
-      - name: Normalize architecture string
-        env:
-          MATRIX_ARCH: ${{ matrix.arch }}
+      # Determine Base Tags and Source Version
+      - name: Determine Base Tags and Source Version
+        shell: bash
         run: |
-          # Replace slashes with nothing to create a safe string for paths/cache keys
-          NORMALIZED_ARCH="${MATRIX_ARCH//\/}"
-          echo "NORMALIZED_ARCH=${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}"
+          # Check which main tag we are going to build determined by github.ref_type
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
+          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
+          fi
 
-      # Determine Source Version
-      - name: Determine Source Version
-        run: |
           # Get the Source Version for this release
           GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
           if [[ -n "${GIT_EXACT_TAG}" ]]; then
@@ -103,286 +98,155 @@ jobs:
               GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
               echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
           fi
+      # End Determine Base Tags
 
       # Login to Docker Hub
       - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-        if: ${{ vars.DOCKERHUB_REPO != '' }}
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
 
       - name: Add registry for DockerHub
-        if: ${{ vars.DOCKERHUB_REPO != '' }}
-        env:
-          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        shell: bash
         run: |
-          echo "CONTAINER_REGISTRIES=${DOCKERHUB_REPO}" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}"
 
       # Login to GitHub Container Registry
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ vars.GHCR_REPO != '' }}
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
 
       - name: Add registry for ghcr.io
-        if: ${{ vars.GHCR_REPO != '' }}
-        env:
-          GHCR_REPO: ${{ vars.GHCR_REPO }}
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        shell: bash
         run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${GHCR_REPO}" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
 
       # Login to Quay.io
       - name: Login to Quay.io
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_TOKEN }}
-        if: ${{ vars.QUAY_REPO != '' }}
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
 
       - name: Add registry for Quay.io
-        if: ${{ vars.QUAY_REPO != '' }}
-        env:
-          QUAY_REPO: ${{ vars.QUAY_REPO }}
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
+        shell: bash
         run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}"
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
 
       - name: Configure build cache from/to
-        env:
-          GHCR_REPO: ${{ vars.GHCR_REPO }}
-          BASE_IMAGE: ${{ matrix.base_image }}
-          NORMALIZED_ARCH: ${{ env.NORMALIZED_ARCH }}
+        shell: bash
         run: |
           #
           # Check if there is a GitHub Container Registry Login and use it for caching
-          if [[ -n "${GHCR_REPO}" ]]; then
-            echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}"
-            echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
+          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
+            echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
           else
             echo "BAKE_CACHE_FROM="
             echo "BAKE_CACHE_TO="
           fi
           #
 
-      - name: Generate tags
-        id: tags
-        env:
-          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
+      - name: Add localhost registry
+        if: ${{ matrix.base_image == 'alpine' }}
+        shell: bash
         run: |
-          # Convert comma-separated list to newline-separated set commands
-          TAGS=$(echo "${CONTAINER_REGISTRIES}" | tr ',' '\n' | sed "s|.*|*.tags=&|")
-
-          # Output for use in next step
-          {
-            echo "TAGS<<EOF"
-            echo "$TAGS"
-            echo "EOF"
-          } >> "$GITHUB_ENV"
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
 
       - name: Bake ${{ matrix.base_image }} containers
-        id: bake_vw
-        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0
         env:
-          BASE_TAGS: "${{ steps.determine-version.outputs.BASE_TAGS }}"
+          BASE_TAGS: "${{ env.BASE_TAGS }}"
           SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
           SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
           SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
+          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
         with:
           pull: true
-          source: .
+          push: true
           files: docker/docker-bake.hcl
           targets: "${{ matrix.base_image }}-multi"
           set: |
             *.cache-from=${{ env.BAKE_CACHE_FROM }}
             *.cache-to=${{ env.BAKE_CACHE_TO }}
-            *.platform=linux/${{ matrix.arch }}
-            ${{ env.TAGS }}
-            *.output=type=local,dest=./output
-            *.output=type=image,push-by-digest=true,name-canonical=true,push=true
 
-      - name: Extract digest SHA
-        env:
-          BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }}
-          BASE_IMAGE: ${{ matrix.base_image }}
+
+      # Extract the Alpine binaries from the containers
+      - name: Extract binaries
+        if: ${{ matrix.base_image == 'alpine' }}
+        shell: bash
         run: |
-          GET_DIGEST_SHA="$(jq -r --arg base "$BASE_IMAGE" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")"
-          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
-
-      - name: Export digest
-        env:
-          DIGEST_SHA: ${{ env.DIGEST_SHA }}
-          RUNNER_TEMP: ${{ runner.temp }}
-        run: |
-          mkdir -p "${RUNNER_TEMP}"/digests
-          digest="${DIGEST_SHA}"
-          touch "${RUNNER_TEMP}/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: digests-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
-          path: ${{ runner.temp }}/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-      - name: Rename binaries to match target platform
-        env:
-          NORMALIZED_ARCH: ${{ env.NORMALIZED_ARCH }}
-        run: |
-          mv ./output/vaultwarden vaultwarden-"${NORMALIZED_ARCH}"
-
-      # Upload artifacts to Github Actions and Attest the binaries
-      - name: Attest binaries
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
-        with:
-          subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }}
-
-      - name: Upload binaries as artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }}
-          path: vaultwarden-${{ env.NORMALIZED_ARCH }}
-
-  merge-manifests:
-    name: Merge manifests
-    runs-on: ubuntu-latest
-    needs: docker-build
-    environment: 
-      name: release
-      deployment: false
-    permissions:
-      packages: write # Needed to upload packages and artifacts
-      attestations: write # Needed to generate an artifact attestation for a build
-      id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
-    strategy:
-      matrix:
-        base_image: ["debian","alpine"]
-
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          path: ${{ runner.temp }}/digests
-          pattern: digests-*-${{ matrix.base_image }}
-          merge-multiple: true
-
-      # Login to Docker Hub
-      - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        if: ${{ vars.DOCKERHUB_REPO != '' }}
-
-      - name: Add registry for DockerHub
-        if: ${{ vars.DOCKERHUB_REPO != '' }}
-        env:
-          DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
-        run: |
-          echo "CONTAINER_REGISTRIES=${DOCKERHUB_REPO}" | tee -a "${GITHUB_ENV}"
-
-      # Login to GitHub Container Registry
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ vars.GHCR_REPO != '' }}
-
-      - name: Add registry for ghcr.io
-        if: ${{ vars.GHCR_REPO != '' }}
-        env:
-          GHCR_REPO: ${{ vars.GHCR_REPO }}
-        run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${GHCR_REPO}" | tee -a "${GITHUB_ENV}"
-
-      # Login to Quay.io
-      - name: Login to Quay.io
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_TOKEN }}
-        if: ${{ vars.QUAY_REPO != '' }}
-
-      - name: Add registry for Quay.io
-        if: ${{ vars.QUAY_REPO != '' }}
-        env:
-          QUAY_REPO: ${{ vars.QUAY_REPO }}
-        run: |
-          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}"
-
-      # Determine Base Tags
-      - name: Determine Base Tags
-        env:
-          BASE_IMAGE_TAG: "${{ matrix.base_image != 'debian' && format('-{0}', matrix.base_image) || '' }}"
-          REF_TYPE: ${{ github.ref_type }}
-        run: |
-          # Check which main tag we are going to build determined by ref_type
-          if [[ "${REF_TYPE}" == "tag" ]]; then
-            echo "BASE_TAGS=latest${BASE_IMAGE_TAG},${GITHUB_REF#refs/*/}${BASE_IMAGE_TAG}${BASE_IMAGE_TAG//-/,}" | tee -a "${GITHUB_ENV}"
-          elif [[ "${REF_TYPE}" == "branch" ]]; then
-            echo "BASE_TAGS=testing${BASE_IMAGE_TAG}" | tee -a "${GITHUB_ENV}"
+          # Check which main tag we are going to build determined by github.ref_type
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            EXTRACT_TAG="latest"
+          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+            EXTRACT_TAG="testing"
           fi
 
-      - name: Create manifest list, push it and extract digest SHA
-        working-directory: ${{ runner.temp }}/digests
-        env:
-          BASE_TAGS: "${{ env.BASE_TAGS }}"
-          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
-        run: |
-          IFS=',' read -ra IMAGES <<< "${CONTAINER_REGISTRIES}"
-          IFS=',' read -ra TAGS <<< "${BASE_TAGS}"
+          # After each extraction the image is removed.
+          # This is needed because using different platforms doesn't trigger a new pull/download
 
-          TAG_ARGS=()
-          for img in "${IMAGES[@]}"; do
-            for tag in "${TAGS[@]}"; do
-              TAG_ARGS+=("-t" "${img}:${tag}")
-            done
-          done
+          # Extract amd64 binary
+          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp amd64:/vaultwarden vaultwarden-amd64
+          docker rm --force amd64
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
 
-          echo "Creating manifest"
-          if ! OUTPUT=$(docker buildx imagetools create \
-                          "${TAG_ARGS[@]}" \
-                          $(printf "${IMAGES[0]}@sha256:%s " *) 2>&1); then
-            echo "Manifest creation failed"
-            echo "${OUTPUT}"
-            exit 1
-          fi
+          # Extract arm64 binary
+          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp arm64:/vaultwarden vaultwarden-arm64
+          docker rm --force arm64
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
 
-          echo "Manifest created successfully"
-          echo "${OUTPUT}"
+          # Extract armv7 binary
+          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp armv7:/vaultwarden vaultwarden-armv7
+          docker rm --force armv7
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
 
-          # Extract digest SHA for subsequent steps
-          GET_DIGEST_SHA="$(echo "${OUTPUT}" | grep -oE 'sha256:[a-f0-9]{64}' | tail -1)"
-          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
+          # Extract armv6 binary
+          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp armv6:/vaultwarden vaultwarden-armv6
+          docker rm --force armv6
+          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
 
-      # Attest container images
-      - name: Attest - docker.io - ${{ matrix.base_image }}
-        if: ${{ vars.DOCKERHUB_REPO != '' && env.DIGEST_SHA != ''}}
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+      # Upload artifacts to Github Actions
+      - name: "Upload amd64 artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        if: ${{ matrix.base_image == 'alpine' }}
         with:
-          subject-name: ${{ vars.DOCKERHUB_REPO }}
-          subject-digest: ${{ env.DIGEST_SHA }}
-          push-to-registry: true
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
+          path: vaultwarden-amd64
 
-      - name: Attest - ghcr.io - ${{ matrix.base_image }}
-        if: ${{ vars.GHCR_REPO != '' && env.DIGEST_SHA != ''}}
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+      - name: "Upload arm64 artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        if: ${{ matrix.base_image == 'alpine' }}
         with:
-          subject-name: ${{ vars.GHCR_REPO }}
-          subject-digest: ${{ env.DIGEST_SHA }}
-          push-to-registry: true
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
+          path: vaultwarden-arm64
 
-      - name: Attest - quay.io - ${{ matrix.base_image }}
-        if: ${{ vars.QUAY_REPO != '' && env.DIGEST_SHA != ''}}
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+      - name: "Upload armv7 artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        if: ${{ matrix.base_image == 'alpine' }}
         with:
-          subject-name: ${{ vars.QUAY_REPO }}
-          subject-digest: ${{ env.DIGEST_SHA }}
-          push-to-registry: true
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
+          path: vaultwarden-armv7
+
+      - name: "Upload armv6 artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
+          path: vaultwarden-armv6
+      # End Upload artifacts to Github Actions

.github/workflows/releasecache-cleanup.yml

@@ -1,10 +1,3 @@
-name: Cleanup
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
-
 on:
   workflow_dispatch:
     inputs:
@@ -16,11 +9,10 @@ on:
   schedule:
     - cron: '0 1 * * FRI'
 
+name: Cleanup
 jobs:
   releasecache-cleanup:
     name: Releasecache Cleanup
-    permissions:
-      packages: write # To be able to cleanup old caches
     runs-on: ubuntu-24.04
     continue-on-error: true
     timeout-minutes: 30

.github/workflows/trivy.yml

@@ -1,47 +1,37 @@
-name: Trivy
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+name: trivy
 
 on:
   push:
     branches:
       - main
-
     tags:
       - '*'
-
   pull_request:
-    branches:
-      - main
-
+    branches: [ "main" ]
   schedule:
     - cron: '08 11 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   trivy-scan:
-    # Only run this in the upstream repo and not on forks
+    # Only run this in the master repo and not on forks
     # When all forks run this at the same time, it is causing `Too Many Requests` issues
     if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
-    name: Trivy Scan
-    permissions:
-      security-events: write # To write the security report
+    name: Check
     runs-on: ubuntu-24.04
     timeout-minutes: 30
-
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
-        env:
-          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
-          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
+        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0
         with:
           scan-type: repo
           ignore-unfixed: true
@@ -50,6 +40,6 @@ jobs:
           severity: CRITICAL,HIGH
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # v3.26.6
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/typos.yml

@@ -1,26 +0,0 @@
-name: Code Spell Checking
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-on: [ push, pull_request ]
-
-jobs:
-  typos:
-    name: Run typos spell checking
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30
-
-    steps:
-      # Checkout the repo
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      # End Checkout the repo
-
-      # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
-      - name: Spell Check Repo
-        uses: crate-ci/typos@7c572958218557a3272c2d6719629443b5cc26fd # v1.45.2

.github/workflows/zizmor.yml

@@ -1,31 +0,0 @@
-name: Security Analysis with zizmor
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["**"]
-
-jobs:
-  zizmor:
-    name: Run zizmor
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write # To write the security report
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
-        with:
-          # intentionally not scanning the entire repository,
-          # since it contains integration tests.
-          inputs: ./.github/

.pre-commit-config.yaml

@@ -1,60 +1,44 @@
 ---
 repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
     hooks:
-      - id: check-yaml
-      - id: check-json
-      - id: check-toml
-      - id: mixed-line-ending
-        args: [ "--fix=no" ]
-      - id: end-of-file-fixer
-        exclude: "(.*js$|.*css$)"
-      - id: check-case-conflict
-      - id: check-merge-conflict
-      - id: detect-private-key
-      - id: check-symlinks
-      - id: forbid-submodules
-
-  # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
-  - repo: https://github.com/crate-ci/typos
-    rev: 7c572958218557a3272c2d6719629443b5cc26fd # v1.45.2
+    - id: check-yaml
+    - id: check-json
+    - id: check-toml
+    - id: mixed-line-ending
+      args: ["--fix=no"]
+    - id: end-of-file-fixer
+      exclude: "(.*js$|.*css$)"
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: detect-private-key
+    - id: check-symlinks
+    - id: forbid-submodules
+-   repo: local
     hooks:
-      - id: typos
-
-  - repo: local
-    hooks:
-      - id: fmt
-        name: fmt
-        description: Format files with cargo fmt.
-        entry: cargo fmt
-        language: system
-        always_run: true
-        pass_filenames: false
-        args: [ "--", "--check" ]
-      - id: cargo-test
-        name: cargo test
-        description: Test the package for errors.
-        entry: cargo test
-        language: system
-        args: [ "--features", "sqlite,mysql,postgresql", "--" ]
-        types_or: [ rust, file ]
-        files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
-        pass_filenames: false
-      - id: cargo-clippy
-        name: cargo clippy
-        description: Lint Rust sources
-        entry: cargo clippy
-        language: system
-        args: [ "--features", "sqlite,mysql,postgresql", "--", "-D", "warnings" ]
-        types_or: [ rust, file ]
-        files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$)
-        pass_filenames: false
-      - id: check-docker-templates
-        name: check docker templates
-        description: Check if the Docker templates are updated
-        language: system
-        entry: sh
-        args:
-          - "-c"
-          - "cd docker && make"
+    - id: fmt
+      name: fmt
+      description: Format files with cargo fmt.
+      entry: cargo fmt
+      language: system
+      types: [rust]
+      args: ["--", "--check"]
+    - id: cargo-test
+      name: cargo test
+      description: Test the package for errors.
+      entry: cargo test
+      language: system
+      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|rust-toolchain|.*\.rs$)
+      pass_filenames: false
+    - id: cargo-clippy
+      name: cargo clippy
+      description: Lint Rust sources
+      entry: cargo clippy
+      language: system
+      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|rust-toolchain|clippy.toml|.*\.rs$)
+      pass_filenames: false

.typos.toml

@@ -1,28 +0,0 @@
-[files]
-extend-exclude = [
-    ".git/",
-    "playwright/",
-    "*.js", # Ignore all JavaScript files
-    "!admin*.js", # Except our own JavaScript files
-]
-ignore-hidden = false
-
-[default]
-extend-ignore-re = [
-    # We use this in place of the reserved type identifier at some places
-    "typ",
-    # In SMTP it's called HELO, so ignore it
-    "(?i)helo_name",
-    "Server name sent during.+HELO",
-    # COSE Is short for CBOR Object Signing and Encryption, ignore these specific items
-    "COSEKey",
-    "COSEAlgorithm",
-    # Ignore this specific string as it's valid
-    "Ensure they are valid OTPs",
-    # This word is misspelled upstream
-    # https://github.com/bitwarden/server/blob/dff9f1cf538198819911cf2c20f8cda3307701c5/src/Notifications/HubHelpers.cs#L86
-    # https://github.com/bitwarden/clients/blob/9612a4ac45063e372a6fbe87eb253c7cb3c588fb/libs/common/src/auth/services/anonymous-hub.service.ts#L45
-    "AuthRequestResponseRecieved",
-    # Ignore Punycode/IDN tests
-    "xn--.+"
-]

Cargo.toml

@@ -1,49 +1,34 @@
-[workspace.package]
-edition = "2021"
-rust-version = "1.93.0"
-license = "AGPL-3.0-only"
-repository = "https://github.com/dani-garcia/vaultwarden"
-publish = false
-
-[workspace]
-members = ["macros"]
-
 [package]
 name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
-readme = "README.md"
-build = "build.rs"
+edition = "2021"
+rust-version = "1.80.0"
 resolver = "2"
-repository.workspace = true
-edition.workspace = true
-rust-version.workspace = true
-license.workspace = true
-publish.workspace = true
+
+repository = "https://github.com/dani-garcia/vaultwarden"
+readme = "README.md"
+license = "AGPL-3.0-only"
+publish = false
+build = "build.rs"
 
 [features]
-default = [
-    # "sqlite" or "sqlite_system",
-    # "mysql",
-    # "postgresql",
-]
+# default = ["sqlite"]
 # Empty to keep compatibility, prefer to set USE_SYSLOG=true
 enable_syslog = []
-# Please enable at least one of these DB backends.
 mysql = ["diesel/mysql", "diesel_migrations/mysql"]
 postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
-sqlite_system = ["diesel/sqlite", "diesel_migrations/sqlite"]
-sqlite = ["sqlite_system", "libsqlite3-sys/bundled"] # Alternative to the above, statically linked SQLite into the binary instead of dynamically.
+sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "dep:libsqlite3-sys"]
 # Enable to use a vendored and statically linked openssl
 vendored_openssl = ["openssl/vendored"]
 # Enable MiMalloc memory allocator to replace the default malloc
 # This can improve performance for Alpine builds
 enable_mimalloc = ["dep:mimalloc"]
-s3 = ["opendal/services-s3", "dep:aws-config", "dep:aws-credential-types", "dep:aws-smithy-runtime-api", "dep:anyhow", "dep:http", "dep:reqsign"]
-
-# OIDC specific features
-oidc-accept-rfc3339-timestamps = ["openidconnect/accept-rfc3339-timestamps"]
-oidc-accept-string-booleans = ["openidconnect/accept-string-booleans"]
+# This is a development dependency, and should only be used during development!
+# It enables the usage of the diesel_logger crate, which is able to output the generated queries.
+# You also need to set an env variable `QUERY_LOGGER=1` to fully activate this so you do not have to re-compile
+# if you want to turn off the logging for a specific run.
+query_logger = ["dep:diesel_logger"]
 
 # Enable unstable features, requires nightly
 # Currently only used to enable rusts official ip support
@@ -51,175 +36,157 @@ unstable = []
 
 [target."cfg(unix)".dependencies]
 # Logging
-syslog = "7.0.0"
+syslog = "6.1.1"
 
 [dependencies]
-macros = { path = "./macros" }
-
 # Logging
-log = "0.4.29"
-fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
-tracing = { version = "0.1.44", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+log = "0.4.22"
+fern = { version = "0.7.0", features = ["syslog-6", "reopen-1"] }
+tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
 
 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
 
+# Lazy initialization
+once_cell = "1.20.2"
+
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.10"
+bigdecimal = "0.4.5"
 
 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
 rocket_ws = { version ="0.1.1" }
 
 # WebSockets libraries
-rmpv = "1.3.1" # MessagePack library
+rmpv = "1.3.0" # MessagePack library
 
 # Concurrent HashMap used for WebSocket messaging and favicons
 dashmap = "6.1.0"
 
 # Async futures
-futures = "0.3.32"
-tokio = { version = "1.52.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
-tokio-util = { version = "0.7.18", features = ["compat"]}
+futures = "0.3.31"
+tokio = { version = "1.41.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
 
 # A generic serialization/deserialization framework
-serde = { version = "1.0.228", features = ["derive"] }
-serde_json = "1.0.149"
+serde = { version = "1.0.213", features = ["derive"] }
+serde_json = "1.0.132"
 
 # A safe, extensible ORM and Query builder
-# Currently pinned diesel to v2.3.3 as newer version break MySQL/MariaDB compatibility
-diesel = { version = "2.3.9", features = ["chrono", "r2d2", "numeric"] }
-diesel_migrations = "2.3.2"
+diesel = { version = "2.2.4", features = ["chrono", "r2d2", "numeric"] }
+diesel_migrations = "2.2.0"
+diesel_logger = { version = "0.3.0", optional = true }
 
-derive_more = { version = "2.1.1", features = ["from", "into", "as_ref", "deref", "display"] }
-diesel-derive-newtype = "2.1.2"
-
-# SQLite, statically bundled unless the `sqlite_system` feature is enabled
-libsqlite3-sys = { version = "0.37.0", optional = true }
+# Bundled/Static SQLite
+libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
-rand = "0.10.1"
-ring = "0.17.14"
-subtle = "2.6.1"
+rand = { version = "0.8.5", features = ["small_rng"] }
+ring = "0.17.8"
 
 # UUID generation
-uuid = { version = "1.23.1", features = ["v4"] }
+uuid = { version = "1.11.0", features = ["v4"] }
 
 # Date and time libraries
-chrono = { version = "0.4.44", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.10.4"
-time = "0.3.47"
+chrono = { version = "0.4.38", features = ["clock", "serde"], default-features = false }
+chrono-tz = "0.10.0"
+time = "0.3.36"
 
 # Job scheduler
-job_scheduler_ng = "2.4.0"
+job_scheduler_ng = "2.0.5"
 
 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.11.0"
+data-encoding = "2.6.0"
 
 # JWT library
-jsonwebtoken = { version = "10.3.0", features = ["use_pem", "rust_crypto"], default-features = false }
+jsonwebtoken = "9.3.0"
 
 # TOTP library
 totp-lite = "2.0.1"
 
 # Yubico Library
-yubico = { package = "yubico_ng", version = "0.14.1", features = ["online-tokio"], default-features = false }
+yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false }
 
 # WebAuthn libraries
-# danger-allow-state-serialisation is needed to save the state in the db
-# danger-credential-internals is needed to support U2F to Webauthn migration
-webauthn-rs = { version = "0.5.5", features = ["danger-allow-state-serialisation", "danger-credential-internals"] }
-webauthn-rs-proto = "0.5.5"
-webauthn-rs-core = "0.5.5"
+webauthn-rs = "0.3.2"
 
 # Handling of URL's for WebAuthn and favicons
-url = "2.5.8"
+url = "2.5.2"
 
 # Email libraries
-lettre = { version = "0.11.21", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false }
-percent-encoding = "2.3.2" # URL encoding library used for URL's in the emails
+lettre = { version = "0.11.10", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"
 
 # HTML Template library
-handlebars = { version = "6.4.0", features = ["dir_source"] }
+handlebars = { version = "6.1.0", features = ["dir_source"] }
 
 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.28", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
-hickory-resolver = "0.26.1"
+reqwest = { version = "0.12.8", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
+hickory-resolver = "0.24.1"
 
 # Favicon extraction libraries
-html5gum = "0.8.3"
-regex = { version = "1.12.3", features = ["std", "perf", "unicode-perl"], default-features = false }
-data-url = "0.3.2"
-bytes = "1.11.1"
-svg-hush = "0.9.6"
+html5gum = "0.5.7"
+regex = { version = "1.11.0", features = ["std", "perf", "unicode-perl"], default-features = false }
+data-url = "0.3.1"
+bytes = "1.8.0"
 
 # Cache function results (Used for version check and favicon fetching)
-cached = { version = "0.59.0", features = ["async"] }
+cached = { version = "0.53.1", features = ["async"] }
 
 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.22.1"
+cookie_store = "0.21.0"
 
 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.78"
+openssl = "0.10.68"
 
 # CLI argument parsing
 pico-args = "0.5.0"
 
 # Macro ident concatenation
-pastey = "0.2.2"
-governor = "0.10.4"
-
-# OIDC for SSO
-openidconnect = { version = "4.0.1", features = ["reqwest", "rustls-tls"] }
-moka = { version = "0.12.15", features = ["future"] }
+paste = "1.0.15"
+governor = "0.7.0"
 
 # Check client versions for specific features.
-semver = "1.0.28"
+semver = "1.0.23"
 
 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
-mimalloc = { version = "0.1.50", features = ["secure"], default-features = false, optional = true }
-
-which = "8.0.2"
+mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true }
+which = "6.0.3"
 
 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
 
 # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
-rpassword = "7.5.1"
-
-# Loading a dynamic CSS Stylesheet
-grass_compiler = { version = "0.13.4", default-features = false }
-
-# File are accessed through Apache OpenDAL
-opendal = { version = "0.55.0", features = ["services-fs"], default-features = false }
-
-# For retrieving AWS credentials, including temporary SSO credentials
-anyhow = { version = "1.0.102", optional = true }
-aws-config = { version = "1.8.16", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.14", optional = true }
-aws-smithy-runtime-api = { version = "1.12.0", optional = true }
-http = { version = "1.4.0", optional = true }
-reqsign = { version = "0.16.5", optional = true }
+rpassword = "7.3.1"
 
 # Strip debuginfo from the release builds
-# The debug symbols are to provide better panic traces
+# The symbols are the provide better panic traces
 # Also enable fat LTO and use 1 codegen unit for optimizations
 [profile.release]
 strip = "debuginfo"
 lto = "fat"
 codegen-units = 1
-debug = false
+
+# A little bit of a speedup
+[profile.dev]
+split-debuginfo = "unpacked"
+
+# Always build argon2 using opt-level 3
+# This is a huge speed improvement during testing
+[profile.dev.package.argon2]
+opt-level = 3
 
 # Optimize for size
 [profile.release-micro]
 inherits = "release"
-strip = "symbols"
 opt-level = "z"
+strip = "symbols"
+lto = "fat"
+codegen-units = 1
 panic = "abort"
 
 # Profile for systems with low resources
@@ -230,51 +197,23 @@ strip = "symbols"
 lto = "thin"
 codegen-units = 16
 
-# Used for profiling and debugging like valgrind or heaptrack
-# Inherits release to be sure all optimizations have been done
-[profile.dbg]
-inherits = "release"
-strip = "none"
-split-debuginfo = "off"
-debug = "full"
-
-# A little bit of a speedup for generic building
-[profile.dev]
-split-debuginfo = "unpacked"
-debug = "line-tables-only"
-
-# Used for CI builds to improve compile time
-[profile.ci]
-inherits = "dev"
-debug = false
-debug-assertions = false
-strip = "symbols"
-panic = "abort"
-
-# Always build argon2 using opt-level 3
-# This is a huge speed improvement during testing
-[profile.dev.package.argon2]
-opt-level = 3
-
 # Linting config
 # https://doc.rust-lang.org/rustc/lints/groups.html
-[workspace.lints.rust]
+[lints.rust]
 # Forbid
 unsafe_code = "forbid"
 non_ascii_idents = "forbid"
 
 # Deny
 deprecated_in_future = "deny"
-deprecated_safe = { level = "deny", priority = -1 }
 future_incompatible = { level = "deny", priority = -1 }
 keyword_idents = { level = "deny", priority = -1 }
 let_underscore = { level = "deny", priority = -1 }
-nonstandard_style = { level = "deny", priority = -1 }
 noop_method_call = "deny"
 refining_impl_trait = { level = "deny", priority = -1 }
 rust_2018_idioms = { level = "deny", priority = -1 }
 rust_2021_compatibility = { level = "deny", priority = -1 }
-rust_2024_compatibility = { level = "deny", priority = -1 }
+# rust_2024_compatibility = { level = "deny", priority = -1 } # Enable once we are at MSRV 1.81.0
 single_use_lifetimes = "deny"
 trivial_casts = "deny"
 trivial_numeric_casts = "deny"
@@ -283,32 +222,23 @@ unused_import_braces = "deny"
 unused_lifetimes = "deny"
 unused_qualifications = "deny"
 variant_size_differences = "deny"
-# Allow the following lints since these cause issues with Rust v1.84.0 or newer
-# Building Vaultwarden with Rust v1.85.0 with edition 2024 also works without issues
-edition_2024_expr_fragment_specifier = "allow" # Once changed to Rust 2024 this should be removed and macro's should be validated again
-if_let_rescope = "allow"
-tail_expr_drop_order = "allow"
+# The lints below are part of the rust_2024_compatibility group
+static-mut-refs = "deny"
+unsafe-op-in-unsafe-fn = "deny"
 
 # https://rust-lang.github.io/rust-clippy/stable/index.html
-[workspace.lints.clippy]
+[lints.clippy]
 # Warn
 dbg_macro = "warn"
 todo = "warn"
 
-# Ignore/Allow
-result_large_err = "allow"
-
 # Deny
-branches_sharing_code = "deny"
 case_sensitive_file_extension_comparisons = "deny"
 cast_lossless = "deny"
 clone_on_ref_ptr = "deny"
-duration_suboptimal_units = "deny"
 equatable_if_let = "deny"
-excessive_precision = "deny"
 filter_map_next = "deny"
 float_cmp_const = "deny"
-implicit_clone = "deny"
 inefficient_to_string = "deny"
 iter_on_empty_collections = "deny"
 iter_on_single_items = "deny"
@@ -317,24 +247,18 @@ macro_use_imports = "deny"
 manual_assert = "deny"
 manual_instant_elapsed = "deny"
 manual_string_new = "deny"
+match_on_vec_items = "deny"
 match_wildcard_for_single_variants = "deny"
 mem_forget = "deny"
-needless_borrow = "deny"
-needless_collect = "deny"
 needless_continue = "deny"
 needless_lifetimes = "deny"
 option_option = "deny"
-redundant_clone = "deny"
-ref_option = "deny"
 string_add_assign = "deny"
+string_to_string = "deny"
 unnecessary_join = "deny"
 unnecessary_self_imports = "deny"
 unnested_or_patterns = "deny"
 unused_async = "deny"
 unused_self = "deny"
-useless_let_if_seq = "deny"
 verbose_file_reads = "deny"
 zero_sized_map_values = "deny"
-
-[lints]
-workspace = true

README.md

@@ -59,22 +59,19 @@ A nearly complete implementation of the Bitwarden Client API is provided, includ
 ## Usage
 
 > [!IMPORTANT]
-> The web-vault requires the use of HTTPS and a secure context for the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API). <br>
-> That means it will only work if you [enable HTTPS](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS). <br>
-> We also suggest to use a [reverse proxy](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples).
-
-The recommended way to install and use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server).
-See [which container image to use](https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use) for an explanation of the provided tags.
-
-There are also [community driven packages](https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages) which can be used, but those might be lagging behind the latest version or might deviate in the way Vaultwarden is configured, as described in our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).
-
-Alternatively, you can also [build Vaultwarden](https://github.com/dani-garcia/vaultwarden/wiki/Building-binary) yourself.
-
-While Vaultwarden is based upon the [Rocket web framework](https://rocket.rs) which has built-in support for TLS our recommendation would be that you setup a reverse proxy (see [proxy examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
+> Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
+>
+>This can be configured in [Vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
+>
+>If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy or Traefik (see examples linked above).
 
 > [!TIP]
 >**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).**
 
+The main way to use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server).
+
+There are also [community driven packages](https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages) which can be used, but those might be lagging behind the latest version or might deviate in the way Vaultwarden is configured, as described in our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).
+
 ### Docker/Podman CLI
 
 Pull the container image and mount a volume from the host for persistent storage.<br>
@@ -86,7 +83,7 @@ docker run --detach --name vaultwarden \
   --env DOMAIN="https://vw.domain.tld" \
   --volume /vw-data/:/data/ \
   --restart unless-stopped \
-  --publish 127.0.0.1:8000:80 \
+  --publish 80:80 \
   vaultwarden/server:latest
 ```
 
@@ -107,7 +104,7 @@ services:
     volumes:
       - ./vw-data/:/data/
     ports:
-      - 127.0.0.1:8000:80
+      - 80:80
 ```
 
 <br>

SECURITY.md

@@ -21,7 +21,7 @@ notify us. We welcome working with you to resolve the issue promptly. Thanks in
 The following bug classes are out-of scope:
 
 - Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues)
-- Bugs that are not part of Vaultwarden, like on the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
+- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
 - Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer
 - Attacks requiring physical access to a user's device
 - Issues related to software or protocols not under Vaultwarden's control

build.rs

@@ -2,27 +2,27 @@ use std::env;
 use std::process::Command;
 
 fn main() {
-    // These allow using e.g. #[cfg(mysql)] instead of #[cfg(feature = "mysql")], which helps when trying to add them through macros
-    #[cfg(feature = "sqlite_system")] // The `sqlite` feature implies this one.
+    // This allow using #[cfg(sqlite)] instead of #[cfg(feature = "sqlite")], which helps when trying to add them through macros
+    #[cfg(feature = "sqlite")]
     println!("cargo:rustc-cfg=sqlite");
     #[cfg(feature = "mysql")]
     println!("cargo:rustc-cfg=mysql");
     #[cfg(feature = "postgresql")]
     println!("cargo:rustc-cfg=postgresql");
-    #[cfg(not(any(feature = "sqlite_system", feature = "mysql", feature = "postgresql")))]
+    #[cfg(feature = "query_logger")]
+    println!("cargo:rustc-cfg=query_logger");
+
+    #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
     compile_error!(
         "You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite"
     );
 
-    #[cfg(feature = "s3")]
-    println!("cargo:rustc-cfg=s3");
-
     // Use check-cfg to let cargo know which cfg's we define,
     // and avoid warnings when they are used in the code.
     println!("cargo::rustc-check-cfg=cfg(sqlite)");
     println!("cargo::rustc-check-cfg=cfg(mysql)");
     println!("cargo::rustc-check-cfg=cfg(postgresql)");
-    println!("cargo::rustc-check-cfg=cfg(s3)");
+    println!("cargo::rustc-check-cfg=cfg(query_logger)");
 
     // Rerun when these paths are changed.
     // Someone could have checked-out a tag or specific commit, but no other files changed.
@@ -31,6 +31,9 @@ fn main() {
     println!("cargo:rerun-if-changed=.git/index");
     println!("cargo:rerun-if-changed=.git/refs/tags");
 
+    #[cfg(all(not(debug_assertions), feature = "query_logger"))]
+    compile_error!("Query Logging is only allowed during development, it is not intended for production usage!");
+
     // Support $BWRS_VERSION for legacy compatibility, but default to $VW_VERSION.
     // If neither exist, read from git.
     let maybe_vaultwarden_version =
@@ -45,8 +48,8 @@ fn main() {
 fn run(args: &[&str]) -> Result<String, std::io::Error> {
     let out = Command::new(args[0]).args(&args[1..]).output()?;
     if !out.status.success() {
-        use std::io::Error;
-        return Err(Error::other("Command not successful"));
+        use std::io::{Error, ErrorKind};
+        return Err(Error::new(ErrorKind::Other, "Command not successful"));
     }
     Ok(String::from_utf8(out.stdout).unwrap().trim().to_string())
 }

diesel.toml

@@ -2,4 +2,4 @@
 # see diesel.rs/guides/configuring-diesel-cli
 
 [print_schema]
-file = "src/db/schema.rs"
+file = "src/db/schema.rs"

docker/DockerSettings.yaml

@@ -1,13 +1,13 @@
 ---
-vault_version: "v2026.4.1"
-vault_image_digest: "sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe"
-# Cross Compile Docker Helper Scripts v1.9.0
+vault_version: "v2024.6.2c"
+vault_image_digest: "sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b"
+# Cross Compile Docker Helper Scripts v1.5.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
-xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
-rust_version: 1.95.0 # Rust version to be used
-debian_version: trixie # Debian release name to be used
-alpine_version: "3.23" # Alpine version to be used
+xx_image_digest: "sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa"
+rust_version: 1.82.0 # Rust version to be used
+debian_version: bookworm # Debian release name to be used
+alpine_version: "3.20" # Alpine version to be used
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch
@@ -17,6 +17,7 @@ build_stage_image:
     platform: "$BUILDPLATFORM"
   alpine:
     image: "build_${TARGETARCH}${TARGETVARIANT}"
+    platform: "linux/amd64" # The Alpine build images only have linux/amd64 images
     arch_image:
       amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}"
       arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}"

docker/Dockerfile.alpine

@@ -19,27 +19,27 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2026.4.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.4.1
-#     [docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c
+#     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe
-#     [docker.io/vaultwarden/web-vault:v2026.4.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b
+#     [docker.io/vaultwarden/web-vault:v2024.6.2c]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault
 
 ########################## ALPINE BUILD IMAGES ##########################
-## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.95.0 AS build_amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.95.0 AS build_arm64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.95.0 AS build_armv7
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.95.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.82.0 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.82.0 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.82.0 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.82.0 AS build_armv6
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM build_${TARGETARCH}${TARGETVARIANT} AS build
+FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} AS build
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG TARGETPLATFORM
@@ -53,9 +53,9 @@ ENV DEBIAN_FRONTEND=noninteractive \
     TERM=xterm-256color \
     CARGO_HOME="/root/.cargo" \
     USER="root" \
-    # Use PostgreSQL v17 during Alpine/MUSL builds instead of the default v16
-    # Debian Trixie uses libpq v17
-    PQ_LIB_DIR="/usr/local/musl/pq17/lib"
+    # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
+    # Debian Bookworm already contains libpq v15
+    PQ_LIB_DIR="/usr/local/musl/pq15/lib"
 
 
 # Create CARGO_HOME folder and don't download rust docs
@@ -76,7 +76,6 @@ RUN source /env-cargo && \
 
 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
-COPY ./macros ./macros
 
 ARG CARGO_PROFILE=release
 
@@ -127,7 +126,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.23
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.20
 
 ENV ROCKET_PROFILE="release" \
     ROCKET_ADDRESS=0.0.0.0 \

docker/Dockerfile.debian

@@ -19,24 +19,24 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2026.4.1
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.4.1
-#     [docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c
+#     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe
-#     [docker.io/vaultwarden/web-vault:v2026.4.1]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b
+#     [docker.io/vaultwarden/web-vault:v2024.6.2c]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ca2a4251c4e63c9ad428262b4dd452789a1b9f6fce71da351e93dceed0d2edbe AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault
 
 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
 ## And these bash scripts do not have any significant difference if at all
-FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707 AS xx
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa AS xx
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.95.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.82.0-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -51,6 +51,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
     TERM=xterm-256color \
     CARGO_HOME="/root/.cargo" \
     USER="root"
+
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@@ -67,11 +68,15 @@ RUN apt-get update && \
     xx-apt-get install -y \
         --no-install-recommends \
         gcc \
+        libmariadb3 \
         libpq-dev \
         libpq5 \
         libssl-dev \
-        libmariadb-dev \
         zlib1g-dev && \
+    # Force install arch dependend mariadb dev packages
+    # Installing them the normal way breaks several other packages (again)
+    apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \
+    dpkg --force-all -i ./libmariadb-dev*.deb && \
     # Run xx-cargo early, since it sometimes seems to break when run at a later stage
     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
 
@@ -84,24 +89,24 @@ RUN USER=root cargo new --bin /app
 WORKDIR /app
 
 # Environment variables for Cargo on Debian based builds
-ARG TARGET_PKG_CONFIG_PATH
+ARG ARCH_OPENSSL_LIB_DIR \
+    ARCH_OPENSSL_INCLUDE_DIR
 
 RUN source /env-cargo && \
     if xx-info is-cross ; then \
+        # Some special variables if needed to override some build paths
+        if [[ -n "${ARCH_OPENSSL_LIB_DIR}" && -n "${ARCH_OPENSSL_INCLUDE_DIR}" ]]; then \
+            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_LIB_DIR=${ARCH_OPENSSL_LIB_DIR}" >> /env-cargo && \
+            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_INCLUDE_DIR=${ARCH_OPENSSL_INCLUDE_DIR}" >> /env-cargo ; \
+        fi && \
         # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
         # Because of this we generate the needed environment variables here which we can load in the needed steps.
         echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
         echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
         echo "export CROSS_COMPILE=1" >> /env-cargo && \
-        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
-        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
-        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
-        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
-            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
-        else \
-            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
-        fi && \
-        echo "# End of env-cargo" >> /env-cargo ; \
+        echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
+        echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
     fi && \
     # Output the current contents of the file
     cat /env-cargo
@@ -111,7 +116,6 @@ RUN source /env-cargo && \
 
 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
-COPY ./macros ./macros
 
 ARG CARGO_PROFILE=release
 
@@ -161,7 +165,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/debian:trixie-slim
+FROM --platform=$TARGETPLATFORM docker.io/library/debian:bookworm-slim
 
 ENV ROCKET_PROFILE="release" \
     ROCKET_ADDRESS=0.0.0.0 \
@@ -174,7 +178,7 @@ RUN mkdir /data && \
         --no-install-recommends \
         ca-certificates \
         curl \
-        libmariadb3 \
+        libmariadb-dev-compat \
         libpq5 \
         openssl && \
     apt-get clean && \

docker/Dockerfile.j2

@@ -19,13 +19,13 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
+#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }}
+#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }}
 #     [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}]
 #
 # - Conversely, to get the tag name from the digest:
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
-#     [docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}]
+#     [docker.io/vaultwarden/web-vault:{{ vault_version }}]
 #
 FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault
 
@@ -36,16 +36,16 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_diges
 FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx
 {% elif base == "alpine" %}
 ########################## ALPINE BUILD IMAGES ##########################
-## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
 {% for arch in build_stage_image[base].arch_image %}
-FROM --platform=$BUILDPLATFORM {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }}
+FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }}
 {% endfor %}
 {% endif %}
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM {{ build_stage_image[base].image }} AS build
+FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} AS build
 {% if base == "debian" %}
 COPY --from=xx / /
 {% endif %}
@@ -63,12 +63,13 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 {%- if base == "alpine" %} \
-    # Use PostgreSQL v17 during Alpine/MUSL builds instead of the default v16
-    # Debian Trixie uses libpq v17
-    PQ_LIB_DIR="/usr/local/musl/pq17/lib"
+    # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
+    # Debian Bookworm already contains libpq v15
+    PQ_LIB_DIR="/usr/local/musl/pq15/lib"
 {% endif %}
 
 {% if base == "debian" %}
+
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@@ -85,11 +86,15 @@ RUN apt-get update && \
     xx-apt-get install -y \
         --no-install-recommends \
         gcc \
+        libmariadb3 \
         libpq-dev \
         libpq5 \
         libssl-dev \
-        libmariadb-dev \
         zlib1g-dev && \
+    # Force install arch dependend mariadb dev packages
+    # Installing them the normal way breaks several other packages (again)
+    apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \
+    dpkg --force-all -i ./libmariadb-dev*.deb && \
     # Run xx-cargo early, since it sometimes seems to break when run at a later stage
     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
 {% endif %}
@@ -104,24 +109,24 @@ WORKDIR /app
 
 {% if base == "debian" %}
 # Environment variables for Cargo on Debian based builds
-ARG TARGET_PKG_CONFIG_PATH
+ARG ARCH_OPENSSL_LIB_DIR \
+    ARCH_OPENSSL_INCLUDE_DIR
 
 RUN source /env-cargo && \
     if xx-info is-cross ; then \
+        # Some special variables if needed to override some build paths
+        if [[ -n "${ARCH_OPENSSL_LIB_DIR}" && -n "${ARCH_OPENSSL_INCLUDE_DIR}" ]]; then \
+            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_LIB_DIR=${ARCH_OPENSSL_LIB_DIR}" >> /env-cargo && \
+            echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_INCLUDE_DIR=${ARCH_OPENSSL_INCLUDE_DIR}" >> /env-cargo ; \
+        fi && \
         # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
         # Because of this we generate the needed environment variables here which we can load in the needed steps.
         echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
         echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
         echo "export CROSS_COMPILE=1" >> /env-cargo && \
-        echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \
-        # For some architectures `xx-info` returns a triple which doesn't matches the path on disk
-        # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg
-        if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \
-            echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \
-        else \
-            echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \
-        fi && \
-        echo "# End of env-cargo" >> /env-cargo ; \
+        echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
+        echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
     fi && \
     # Output the current contents of the file
     cat /env-cargo
@@ -138,7 +143,6 @@ RUN source /env-cargo && \
 
 # Copies over *only* your manifests and build files
 COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
-COPY ./macros ./macros
 
 ARG CARGO_PROFILE=release
 
@@ -211,7 +215,7 @@ RUN mkdir /data && \
         --no-install-recommends \
         ca-certificates \
         curl \
-        libmariadb3 \
+        libmariadb-dev-compat \
         libpq5 \
         openssl && \
     apt-get clean && \

docker/README.md

@@ -46,7 +46,7 @@ There also is an option to use an other docker container to provide support for
 ```bash
 # To install and activate
 docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
-# To uninstall
+# To unistall
 docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 ```
 
@@ -116,7 +116,7 @@ docker/bake.sh
 ```
 
 You can append both `alpine` and `debian` with `-amd64`, `-arm64`, `-armv7` or `-armv6`, which will trigger a build for that specific platform.<br>
-This will also append those values to the tag so you can see the built container when running `docker images`.
+This will also append those values to the tag so you can see the builded container when running `docker images`.
 
 You can also append extra arguments after the target if you want. This can be useful for example to print what bake will use.
 ```bash
@@ -162,7 +162,7 @@ You can append extra arguments after the target if you want. This can be useful
 
 For the podman builds you can, just like the `bake.sh` script, also append the architecture to build for that specific platform.<br>
 
-### Testing podman built images
+### Testing podman builded images
 
 The command to start a podman built container is almost the same as for the docker/bake built containers. The images start with `localhost/`, so you need to prepend that.
 

docker/docker-bake.hcl

@@ -17,7 +17,7 @@ variable "SOURCE_REPOSITORY_URL" {
   default = null
 }
 
-// The commit hash of the current commit this build was triggered on
+// The commit hash of of the current commit this build was triggered on
 variable "SOURCE_COMMIT" {
   default = null
 }
@@ -133,7 +133,8 @@ target "debian-386" {
   platforms = ["linux/386"]
   tags = generate_tags("", "-386")
   args = {
-    TARGET_PKG_CONFIG_PATH = "/usr/lib/i386-linux-gnu/pkgconfig"
+    ARCH_OPENSSL_LIB_DIR = "/usr/lib/i386-linux-gnu"
+    ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/i386-linux-gnu"
   }
 }
 
@@ -141,12 +142,20 @@ target "debian-ppc64le" {
   inherits = ["debian"]
   platforms = ["linux/ppc64le"]
   tags = generate_tags("", "-ppc64le")
+  args = {
+    ARCH_OPENSSL_LIB_DIR = "/usr/lib/powerpc64le-linux-gnu"
+    ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/powerpc64le-linux-gnu"
+  }
 }
 
 target "debian-s390x" {
   inherits = ["debian"]
   platforms = ["linux/s390x"]
   tags = generate_tags("", "-s390x")
+  args = {
+    ARCH_OPENSSL_LIB_DIR = "/usr/lib/s390x-linux-gnu"
+    ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/s390x-linux-gnu"
+  }
 }
 // ==== End of unsupported Debian architecture targets ===
 

dylint.toml

@@ -0,0 +1,2 @@
+[workspace.metadata.dylint]
+libraries = [{ path = "dylints/*" }]

dylints/README.md

@@ -0,0 +1,7 @@
+# How to run Lints
+
+```sh
+cargo install cargo-dylint dylint-link
+
+RUSTFLAGS="-Aunreachable_patterns" cargo dylint --all -- --features sqlite
+```

dylints/non_authenticated_routes/.cargo/config.toml

@@ -0,0 +1,2 @@
+[target.'cfg(all())']
+linker = "dylint-link"

dylints/non_authenticated_routes/.gitignore

@@ -0,0 +1 @@
+/target

dylints/non_authenticated_routes/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "non_authenticated_routes"
+version = "0.1.0"
+authors = ["authors go here"]
+description = "description goes here"
+edition = "2021"
+publish = false
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+clippy_utils = { git = "https://github.com/rust-lang/rust-clippy", rev = "4f0e46b74dbc8441daf084b6f141a7fe414672a2" }
+dylint_linting = "3.2.1"
+
+[dev-dependencies]
+dylint_testing = "3.2.1"
+
+[package.metadata.rust-analyzer]
+rustc_private = true

dylints/non_authenticated_routes/rust-toolchain

@@ -0,0 +1,3 @@
+[toolchain]
+channel = "nightly-2024-11-09"
+components = ["llvm-tools-preview", "rustc-dev"]

dylints/non_authenticated_routes/src/lib.rs

@@ -0,0 +1,167 @@
+#![feature(rustc_private)]
+#![feature(let_chains)]
+
+extern crate rustc_arena;
+extern crate rustc_ast;
+extern crate rustc_ast_pretty;
+extern crate rustc_attr;
+extern crate rustc_data_structures;
+extern crate rustc_errors;
+extern crate rustc_hir;
+extern crate rustc_hir_pretty;
+extern crate rustc_index;
+extern crate rustc_infer;
+extern crate rustc_lexer;
+extern crate rustc_middle;
+extern crate rustc_mir_dataflow;
+extern crate rustc_parse;
+extern crate rustc_span;
+extern crate rustc_target;
+extern crate rustc_trait_selection;
+
+use clippy_utils::diagnostics::span_lint;
+use rustc_hir::{def_id::DefId, Item, ItemKind, QPath, TyKind};
+use rustc_lint::{LateContext, LateLintPass};
+use rustc_span::{symbol::Ident, Span, Symbol};
+
+dylint_linting::impl_late_lint! {
+    /// ### What it does
+    ///
+    /// ### Why is this bad?
+    ///
+    /// ### Known problems
+    /// Remove if none.
+    ///
+    /// ### Example
+    /// ```rust
+    /// // example code where a warning is issued
+    /// ```
+    /// Use instead:
+    /// ```rust
+    /// // example code that does not raise a warning
+    /// ```
+    pub NON_AUTHENTICATED_ROUTES,
+    Warn,
+    "description goes here",
+    NonAuthenticatedRoutes::default()
+}
+
+#[derive(Default)]
+pub struct NonAuthenticatedRoutes {
+    last_function_item: Option<(Ident, Span, bool)>,
+}
+
+// Collect all the attribute macros that are applied to the given span
+fn attr_def_ids(mut span: rustc_span::Span) -> Vec<(DefId, Symbol, Option<DefId>)> {
+    use rustc_span::hygiene::{walk_chain, ExpnKind, MacroKind};
+    use rustc_span::{ExpnData, SyntaxContext};
+
+    let mut def_ids = Vec::new();
+    while span.ctxt() != SyntaxContext::root() {
+        if let ExpnData {
+            kind: ExpnKind::Macro(MacroKind::Attr, macro_symbol),
+            macro_def_id: Some(def_id),
+            parent_module,
+            ..
+        } = span.ctxt().outer_expn_data()
+        {
+            def_ids.push((def_id, macro_symbol, parent_module));
+        }
+        span = walk_chain(span, SyntaxContext::root());
+    }
+    def_ids
+}
+
+const ROCKET_MACRO_EXCEPTIONS: [(&str, &str); 1] = [("rocket::catch", "catch")];
+
+const VALID_AUTH_HEADERS: [&str; 6] = [
+    "auth::Headers",
+    "auth::OrgHeaders",
+    "auth::AdminHeaders",
+    "auth::ManagerHeaders",
+    "auth::ManagerHeadersLoose",
+    "auth::OwnerHeaders",
+];
+
+impl<'tcx> LateLintPass<'tcx> for NonAuthenticatedRoutes {
+    fn check_item(&mut self, cx: &LateContext<'tcx>, item: &'tcx Item) {
+        if let ItemKind::Fn(sig, ..) = item.kind {
+            let mut has_auth_headers = false;
+
+            for input in sig.decl.inputs {
+                let TyKind::Path(QPath::Resolved(_, path)) = input.kind else {
+                    continue;
+                };
+
+                for seg in path.segments {
+                    if let Some(def_id) = seg.res.opt_def_id() {
+                        let def = cx.tcx.def_path_str(def_id);
+                        if VALID_AUTH_HEADERS.contains(&def.as_str()) {
+                            has_auth_headers = true;
+                        }
+                    }
+                }
+            }
+
+            self.last_function_item = Some((item.ident, sig.span, has_auth_headers));
+            return;
+        }
+
+        let ItemKind::Struct(_data, _generics) = item.kind else {
+            return;
+        };
+
+        let def_ids = attr_def_ids(item.span);
+
+        let mut is_rocket_route = false;
+
+        for (def_id, sym, parent) in &def_ids {
+            let def_id = cx.tcx.def_path_str(*def_id);
+            let sym = sym.as_str();
+            let parent = parent.map(|parent| cx.tcx.def_path_str(parent));
+
+            if ROCKET_MACRO_EXCEPTIONS.contains(&(&def_id, sym)) {
+                is_rocket_route = false;
+                break;
+            }
+
+            if def_id.starts_with("rocket::") || parent.as_deref() == Some("rocket_codegen") {
+                is_rocket_route = true;
+                break;
+            }
+        }
+
+        if !is_rocket_route {
+            return;
+        }
+
+        let Some((func_ident, func_span, has_auth_headers)) = self.last_function_item.take() else {
+            span_lint(cx, NON_AUTHENTICATED_ROUTES, item.span, "No function found before the expanded route");
+            return;
+        };
+
+        if func_ident != item.ident {
+            span_lint(
+                cx,
+                NON_AUTHENTICATED_ROUTES,
+                item.span,
+                "The function before the expanded route does not match the route",
+            );
+            return;
+        }
+
+        if !has_auth_headers {
+            span_lint(
+                cx,
+                NON_AUTHENTICATED_ROUTES,
+                func_span,
+                "This Rocket route does not have any authentication headers",
+            );
+        }
+    }
+}
+
+#[test]
+fn ui() {
+    dylint_testing::ui_test(env!("CARGO_PKG_NAME"), "ui");
+}

dylints/non_authenticated_routes/ui/main.rs

@@ -0,0 +1 @@
+fn main() {}

macros/Cargo.toml

@@ -1,20 +0,0 @@
-[package]
-name = "macros"
-version = "0.1.0"
-repository.workspace = true
-edition.workspace = true
-rust-version.workspace = true
-license.workspace = true
-publish.workspace = true
-
-[lib]
-name = "macros"
-path = "src/lib.rs"
-proc-macro = true
-
-[dependencies]
-quote = "1.0.45"
-syn = "2.0.117"
-
-[lints]
-workspace = true

macros/src/lib.rs

@@ -1,56 +0,0 @@
-use proc_macro::TokenStream;
-use quote::quote;
-
-#[proc_macro_derive(UuidFromParam)]
-pub fn derive_uuid_from_param(input: TokenStream) -> TokenStream {
-    let ast = syn::parse(input).unwrap();
-
-    impl_derive_uuid_macro(&ast)
-}
-
-fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream {
-    let name = &ast.ident;
-    let gen_derive = quote! {
-        #[automatically_derived]
-        impl<'r> rocket::request::FromParam<'r> for #name {
-            type Error = ();
-
-            #[inline(always)]
-            fn from_param(param: &'r str) -> Result<Self, Self::Error> {
-                if uuid::Uuid::parse_str(param).is_ok() {
-                    Ok(Self(param.to_string()))
-                } else {
-                    Err(())
-                }
-            }
-        }
-    };
-    gen_derive.into()
-}
-
-#[proc_macro_derive(IdFromParam)]
-pub fn derive_id_from_param(input: TokenStream) -> TokenStream {
-    let ast = syn::parse(input).unwrap();
-
-    impl_derive_safestring_macro(&ast)
-}
-
-fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream {
-    let name = &ast.ident;
-    let gen_derive = quote! {
-        #[automatically_derived]
-        impl<'r> rocket::request::FromParam<'r> for #name {
-            type Error = ();
-
-            #[inline(always)]
-            fn from_param(param: &'r str) -> Result<Self, Self::Error> {
-                if param.chars().all(|c| matches!(c, 'a'..='z' | 'A'..='Z' |'0'..='9' | '-')) {
-                    Ok(Self(param.to_string()))
-                } else {
-                    Err(())
-                }
-            }
-        }
-    };
-    gen_derive.into()
-}

migrations/mysql/2023-09-10-133000_add_sso/down.sql

@@ -1 +0,0 @@
-DROP TABLE sso_nonce;

migrations/mysql/2023-09-10-133000_add_sso/up.sql

@@ -1,4 +0,0 @@
-CREATE TABLE sso_nonce (
-  nonce               CHAR(36) NOT NULL PRIMARY KEY,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/mysql/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql

@@ -1 +0,0 @@
-ALTER TABLE users_organizations DROP COLUMN invited_by_email;

migrations/mysql/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql

@@ -1 +0,0 @@
-ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL;

migrations/mysql/2024-02-14-170000_add_state_to_sso_nonce/down.sql

@@ -1,6 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-  nonce               CHAR(36) NOT NULL PRIMARY KEY,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/mysql/2024-02-14-170000_add_state_to_sso_nonce/up.sql

@@ -1,8 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-	state               VARCHAR(512) NOT NULL PRIMARY KEY,
-  	nonce               TEXT NOT NULL,
-  	redirect_uri 		TEXT NOT NULL,
-  	created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/mysql/2024-02-26-170000_add_pkce_to_sso_nonce/down.sql

@@ -1,8 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-    state               VARCHAR(512) NOT NULL PRIMARY KEY,
-    nonce               TEXT NOT NULL,
-    redirect_uri        TEXT NOT NULL,
-    created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/mysql/2024-02-26-170000_add_pkce_to_sso_nonce/up.sql

@@ -1,9 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-    state               VARCHAR(512) NOT NULL PRIMARY KEY,
-  	nonce               TEXT NOT NULL,
-    verifier            TEXT,
-  	redirect_uri 		TEXT NOT NULL,
-  	created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/mysql/2024-03-06-170000_add_sso_users/down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS sso_users;

migrations/mysql/2024-03-06-170000_add_sso_users/up.sql

@@ -1,7 +0,0 @@
-CREATE TABLE sso_users (
-  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
-  identifier          VARCHAR(768) NOT NULL UNIQUE,
-  created_at          TIMESTAMP NOT NULL DEFAULT now(),
-
-  FOREIGN KEY(user_uuid) REFERENCES users(uuid)
-);

migrations/mysql/2024-03-13-170000_sso_users_cascade/up.sql

@@ -1,15 +0,0 @@
--- Dynamically create DROP FOREIGN KEY
--- Some versions of MySQL or MariaDB might fail if the key doesn't exists
--- This checks if the key exists, and if so, will drop it.
-SET @drop_sso_fk = IF((SELECT true FROM information_schema.TABLE_CONSTRAINTS WHERE
-    CONSTRAINT_SCHEMA = DATABASE() AND
-    TABLE_NAME = 'sso_users' AND
-    CONSTRAINT_NAME = 'sso_users_ibfk_1' AND
-    CONSTRAINT_TYPE = 'FOREIGN KEY') = true,
-    'ALTER TABLE sso_users DROP FOREIGN KEY sso_users_ibfk_1',
-    'SELECT 1');
-PREPARE stmt FROM @drop_sso_fk;
-EXECUTE stmt;
-DEALLOCATE PREPARE stmt;
-
-ALTER TABLE sso_users ADD FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE;

migrations/mysql/2025-01-09-172300_add_manage/up.sql

@@ -1,5 +0,0 @@
-ALTER TABLE users_collections
-ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
-
-ALTER TABLE collections_groups
-ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;

migrations/mysql/2025-08-20-120000_sso_nonce_to_auth/down.sql

@@ -1,9 +0,0 @@
-DROP TABLE IF EXISTS sso_auth;
-
-CREATE TABLE sso_nonce (
-    state               VARCHAR(512) NOT NULL PRIMARY KEY,
-    nonce               TEXT NOT NULL,
-    verifier            TEXT,
-    redirect_uri        TEXT NOT NULL,
-    created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/mysql/2025-08-20-120000_sso_nonce_to_auth/up.sql

@@ -1,12 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_auth (
-    state               VARCHAR(512) NOT NULL PRIMARY KEY,
-    client_challenge    TEXT NOT NULL,
-    nonce               TEXT NOT NULL,
-    redirect_uri        TEXT NOT NULL,
-    code_response       TEXT,
-    auth_response       TEXT,
-    created_at          TIMESTAMP NOT NULL DEFAULT now(),
-    updated_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/mysql/2026-03-09-005927_add_archives/down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS archives;

migrations/mysql/2026-03-09-005927_add_archives/up.sql

@@ -1,10 +0,0 @@
-DROP TABLE IF EXISTS archives;
-
-CREATE TABLE archives (
-    user_uuid   CHAR(36) NOT NULL,
-    cipher_uuid CHAR(36) NOT NULL,
-    archived_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    PRIMARY KEY (user_uuid, cipher_uuid),
-    FOREIGN KEY (user_uuid) REFERENCES users (uuid) ON DELETE CASCADE,
-    FOREIGN KEY (cipher_uuid) REFERENCES ciphers (uuid) ON DELETE CASCADE
-);

migrations/mysql/2026-04-25-120000_sso_auth_binding/down.sql

@@ -1 +0,0 @@
-ALTER TABLE sso_auth DROP COLUMN binding_hash;

migrations/mysql/2026-04-25-120000_sso_auth_binding/up.sql

@@ -1 +0,0 @@
-ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;

migrations/postgresql/2023-09-10-133000_add_sso/down.sql

@@ -1 +0,0 @@
-DROP TABLE sso_nonce;

migrations/postgresql/2023-09-10-133000_add_sso/up.sql

@@ -1,4 +0,0 @@
-CREATE TABLE sso_nonce (
-  nonce               CHAR(36) NOT NULL PRIMARY KEY,
-  created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/postgresql/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql

@@ -1 +0,0 @@
-ALTER TABLE users_organizations DROP COLUMN invited_by_email;

migrations/postgresql/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql

@@ -1 +0,0 @@
-ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL;

migrations/postgresql/2024-02-14-170000_add_state_to_sso_nonce/down.sql

@@ -1,6 +0,0 @@
-DROP TABLE sso_nonce;
-
-CREATE TABLE sso_nonce (
-  nonce               CHAR(36) NOT NULL PRIMARY KEY,
-  created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/postgresql/2024-02-14-170000_add_state_to_sso_nonce/up.sql

@@ -1,8 +0,0 @@
-DROP TABLE sso_nonce;
-
-CREATE TABLE sso_nonce (
-	state               TEXT NOT NULL PRIMARY KEY,
-  	nonce               TEXT NOT NULL,
-  	redirect_uri 		TEXT NOT NULL,
-  	created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/postgresql/2024-02-26-170000_add_pkce_to_sso_nonce/down.sql

@@ -1,8 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-    state               TEXT NOT NULL PRIMARY KEY,
-    nonce               TEXT NOT NULL,
-    redirect_uri        TEXT NOT NULL,
-    created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/postgresql/2024-02-26-170000_add_pkce_to_sso_nonce/up.sql

@@ -1,9 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-    state               TEXT NOT NULL PRIMARY KEY,
-    nonce               TEXT NOT NULL,
-    verifier            TEXT,
-    redirect_uri        TEXT NOT NULL,
-    created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/postgresql/2024-03-06-170000_add_sso_users/down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS sso_users;

migrations/postgresql/2024-03-06-170000_add_sso_users/up.sql

@@ -1,7 +0,0 @@
-CREATE TABLE sso_users (
-  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
-  identifier          TEXT NOT NULL UNIQUE,
-  created_at          TIMESTAMP NOT NULL DEFAULT now(),
-
-  FOREIGN KEY(user_uuid) REFERENCES users(uuid)
-);

migrations/postgresql/2024-03-13-170000_sso_users_cascade/up.sql

@@ -1,3 +0,0 @@
-ALTER TABLE sso_users
-  DROP CONSTRAINT "sso_users_user_uuid_fkey",
-  ADD CONSTRAINT "sso_users_user_uuid_fkey" FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE;

migrations/postgresql/2025-01-09-172300_add_manage/up.sql

@@ -1,5 +0,0 @@
-ALTER TABLE users_collections
-ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;
-
-ALTER TABLE collections_groups
-ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE;

migrations/postgresql/2025-08-20-120000_sso_nonce_to_auth/down.sql

@@ -1,9 +0,0 @@
-DROP TABLE IF EXISTS sso_auth;
-
-CREATE TABLE sso_nonce (
-    state               TEXT NOT NULL PRIMARY KEY,
-    nonce               TEXT NOT NULL,
-    verifier            TEXT,
-    redirect_uri        TEXT NOT NULL,
-    created_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/postgresql/2025-08-20-120000_sso_nonce_to_auth/up.sql

@@ -1,12 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_auth (
-    state               TEXT NOT NULL PRIMARY KEY,
-    client_challenge    TEXT NOT NULL,
-    nonce               TEXT NOT NULL,
-    redirect_uri        TEXT NOT NULL,
-    code_response       TEXT,
-    auth_response       TEXT,
-    created_at          TIMESTAMP NOT NULL DEFAULT now(),
-    updated_at          TIMESTAMP NOT NULL DEFAULT now()
-);

migrations/postgresql/2026-03-09-005927_add_archives/down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS archives;

migrations/postgresql/2026-03-09-005927_add_archives/up.sql

@@ -1,8 +0,0 @@
-DROP TABLE IF EXISTS archives;
-
-CREATE TABLE archives (
-    user_uuid   CHAR(36) NOT NULL REFERENCES users (uuid) ON DELETE CASCADE,
-    cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid) ON DELETE CASCADE,
-    archived_at TIMESTAMP NOT NULL DEFAULT now(),
-    PRIMARY KEY (user_uuid, cipher_uuid)
-);

migrations/postgresql/2026-04-25-120000_sso_auth_binding/down.sql

@@ -1 +0,0 @@
-ALTER TABLE sso_auth DROP COLUMN binding_hash;

migrations/postgresql/2026-04-25-120000_sso_auth_binding/up.sql

@@ -1 +0,0 @@
-ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;

migrations/sqlite/2023-09-10-133000_add_sso/down.sql

@@ -1 +0,0 @@
-DROP TABLE sso_nonce;

migrations/sqlite/2023-09-10-133000_add_sso/up.sql

@@ -1,4 +0,0 @@
-CREATE TABLE sso_nonce (
-  nonce               CHAR(36) NOT NULL PRIMARY KEY,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/sqlite/2023-09-14-133000_add_users_organizations_invited_by_email/down.sql

@@ -1 +0,0 @@
-ALTER TABLE users_organizations DROP COLUMN invited_by_email;

migrations/sqlite/2023-09-14-133000_add_users_organizations_invited_by_email/up.sql

@@ -1 +0,0 @@
-ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL;

migrations/sqlite/2024-02-14-170000_add_state_to_sso_nonce/down.sql

@@ -1,6 +0,0 @@
-DROP TABLE sso_nonce;
-
-CREATE TABLE sso_nonce (
-  nonce               CHAR(36) NOT NULL PRIMARY KEY,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/sqlite/2024-02-14-170000_add_state_to_sso_nonce/up.sql

@@ -1,8 +0,0 @@
-DROP TABLE sso_nonce;
-
-CREATE TABLE sso_nonce (
-  state               TEXT NOT NULL PRIMARY KEY,
-  nonce               TEXT NOT NULL,
-  redirect_uri        TEXT NOT NULL,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/sqlite/2024-02-26-170000_add_pkce_to_sso_nonce/down.sql

@@ -1,8 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-  state               TEXT NOT NULL PRIMARY KEY,
-  nonce               TEXT NOT NULL,
-  redirect_uri        TEXT NOT NULL,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/sqlite/2024-02-26-170000_add_pkce_to_sso_nonce/up.sql

@@ -1,9 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_nonce (
-  state               TEXT NOT NULL PRIMARY KEY,
-  nonce               TEXT NOT NULL,
-  verifier            TEXT,
-  redirect_uri        TEXT NOT NULL,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/sqlite/2024-03-06-170000_add_sso_users/down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS sso_users;

migrations/sqlite/2024-03-06-170000_add_sso_users/up.sql

@@ -1,7 +0,0 @@
-CREATE TABLE sso_users (
-  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
-  identifier          TEXT NOT NULL UNIQUE,
-  created_at          TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-
-  FOREIGN KEY(user_uuid) REFERENCES users(uuid)
-);

migrations/sqlite/2024-03-13_170000_sso_userscascade/up.sql

@@ -1,9 +0,0 @@
-DROP TABLE IF EXISTS sso_users;
-
-CREATE TABLE sso_users (
-  user_uuid           CHAR(36) NOT NULL PRIMARY KEY,
-  identifier          TEXT NOT NULL UNIQUE,
-  created_at          TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-
-  FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE
-);

migrations/sqlite/2025-01-09-172300_add_manage/up.sql

@@ -1,5 +0,0 @@
-ALTER TABLE users_collections
-ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE
-
-ALTER TABLE collections_groups
-ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE

migrations/sqlite/2025-08-20-120000_sso_nonce_to_auth/down.sql

@@ -1,9 +0,0 @@
-DROP TABLE IF EXISTS sso_auth;
-
-CREATE TABLE sso_nonce (
-  state               TEXT NOT NULL PRIMARY KEY,
-  nonce               TEXT NOT NULL,
-  verifier            TEXT,
-  redirect_uri        TEXT NOT NULL,
-  created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/sqlite/2025-08-20-120000_sso_nonce_to_auth/up.sql

@@ -1,12 +0,0 @@
-DROP TABLE IF EXISTS sso_nonce;
-
-CREATE TABLE sso_auth (
-    state               TEXT NOT NULL PRIMARY KEY,
-    client_challenge    TEXT NOT NULL,
-    nonce               TEXT NOT NULL,
-    redirect_uri        TEXT NOT NULL,
-    code_response       TEXT,
-    auth_response       TEXT,
-    created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    updated_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

migrations/sqlite/2026-03-09-005927_add_archives/down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS archives;

migrations/sqlite/2026-03-09-005927_add_archives/up.sql

@@ -1,8 +0,0 @@
-DROP TABLE IF EXISTS archives;
-
-CREATE TABLE archives (
-    user_uuid   CHAR(36) NOT NULL REFERENCES users (uuid) ON DELETE CASCADE,
-    cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers (uuid) ON DELETE CASCADE,
-    archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    PRIMARY KEY (user_uuid, cipher_uuid)
-);

migrations/sqlite/2026-04-25-120000_sso_auth_binding/down.sql

@@ -1 +0,0 @@
-ALTER TABLE sso_auth DROP COLUMN binding_hash;

migrations/sqlite/2026-04-25-120000_sso_auth_binding/up.sql

@@ -1 +0,0 @@
-ALTER TABLE sso_auth ADD COLUMN binding_hash TEXT;

playwright/.env.template

@@ -1,64 +0,0 @@
-#################################
-### Conf to run dev instances ###
-#################################
-ENV=dev
-DC_ENV_FILE=.env
-COMPOSE_IGNORE_ORPHANS=True
-DOCKER_BUILDKIT=1
-
-################
-# Users Config #
-################
-TEST_USER=test
-TEST_USER_PASSWORD=${TEST_USER}
-TEST_USER_MAIL=${TEST_USER}@yopmail.com
-
-TEST_USER2=test2
-TEST_USER2_PASSWORD=${TEST_USER2}
-TEST_USER2_MAIL=${TEST_USER2}@yopmail.com
-
-TEST_USER3=test3
-TEST_USER3_PASSWORD=${TEST_USER3}
-TEST_USER3_MAIL=${TEST_USER3}@yopmail.com
-
-###################
-# Keycloak Config #
-###################
-KEYCLOAK_ADMIN=admin
-KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN}
-KC_HTTP_HOST=127.0.0.1
-KC_HTTP_PORT=8080
-
-# Script parameters (use Keycloak and Vaultwarden config too)
-TEST_REALM=test
-DUMMY_REALM=dummy
-DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
-
-######################
-# Vaultwarden Config #
-######################
-ROCKET_ADDRESS=0.0.0.0
-ROCKET_PORT=8000
-DOMAIN=http://localhost:${ROCKET_PORT}
-LOG_LEVEL=info,oidcwarden::sso=debug
-I_REALLY_WANT_VOLATILE_STORAGE=true
-
-SSO_ENABLED=true
-SSO_ONLY=false
-SSO_CLIENT_ID=warden
-SSO_CLIENT_SECRET=warden
-SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
-
-SMTP_HOST=127.0.0.1
-SMTP_PORT=1025
-SMTP_SECURITY=off
-SMTP_TIMEOUT=5
-SMTP_FROM=vaultwarden@test
-SMTP_FROM_NAME=Vaultwarden
-
-########################################################
-# DUMMY values for docker-compose to stop bothering us #
-########################################################
-MARIADB_PORT=3305
-MYSQL_PORT=3307
-POSTGRES_PORT=5432

playwright/.gitignore

@@ -1,6 +0,0 @@
-logs
-node_modules/
-/test-results/
-/playwright-report/
-/playwright/.cache/
-temp