mirrored/vaultwarden
1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2025-01-30 09:58:57 +01:00
Code Issues Releases Aktivität
vaultwarden/Cargo.toml

281 Zeilen
8,3 KiB
TOML
Originalformat Normale Ansicht Verlauf

rename membership and adopt newtype pattern (#5320) * rename membership rename UserOrganization to Membership to clarify the relation and prevent confusion whether something refers to a member(ship) or user * use newtype pattern * implement custom derive macro IdFromParam * add UuidFromParam macro for UUIDs * add macros to Docker build Co-authored-by: dfunkt <dfunkt@users.noreply.github.com> --------- Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
2025-01-09 18:37:23 +01:00
workspace = { members = ["macros"] }
First working version
2018-02-10 01:00:55 +01:00
[package]
Project renaming
2021-04-27 23:18:32 +02:00
name = "vaultwarden"
Bump up version to 1.0.0
2018-08-21 21:21:54 +01:00
version = "1.0.0"
First working version
2018-02-10 01:00:55 +01:00
authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
Macro recursion decrease and other optimizations - Decreased `recursion_limit` from 512 to 87 Mainly done by optimizing the config macro's. This fixes an issue with the rust-analyzer which doesn't go beyond 128 - Removed Regex for masking sensitive values and replaced it with a map() This is much faster then using a Regex. - Refactored the get_support_json macro's - All items above also lowered the binary size and possibly compile-time - Removed `_conn: DbConn` from several functions, these caused unnecessary database connections for functions who didn't used that at all - Decreased json response for `/plans` - Updated libraries and where needed some code changes This also fixes some rare issues with SMTP https://github.com/lettre/lettre/issues/678 - Using Rust 2021 instead of 2018 - Updated rust nightly
2021-11-05 19:18:54 +01:00
edition = "2021"
build: raise msrv (1.83.0) rust toolchain (1.84.0) (#5374) * build: raise msrv (1.83.0) rust toolchain (1.84.0) * build: also update docker images
2025-01-10 20:34:48 +01:00
rust-version = "1.83.0"
Update dependencies and ser cargo resolver to version 2 ahead of 2021 edition
2021-09-22 20:26:48 +02:00
resolver = "2"
First working version
2018-02-10 01:00:55 +01:00
Project renaming
2021-04-27 23:18:32 +02:00
repository = "https://github.com/dani-garcia/vaultwarden"
Add build script to get some Git info to later show in admin panel, and add some metadata to Cargo.toml
2018-12-30 00:04:22 +01:00
readme = "README.md"
Re-License Vaultwarden to AGPLv3 This commit prepares Vaultwarden for the Re-Licensing to AGPLv3 Solves #2450
2022-06-16 15:13:10 +02:00
license = "AGPL-3.0-only"
Add build script to get some Git info to later show in admin panel, and add some metadata to Cargo.toml
2018-12-30 00:04:22 +01:00
publish = false
build = "build.rs"
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested)
2018-12-06 20:35:25 +01:00
[features]
Update to rocket 0.5 and made code async, missing updating all db calls, that are currently blocking
2021-11-07 18:53:39 +01:00
# default = ["sqlite"]
With the latest fern, syslog can be a config option instead of a build flag
2019-03-29 20:27:20 +01:00
# Empty to keep compatibility, prefer to set USE_SYSLOG=true
enable_syslog = []
re-added sqlite check_db code, cleanup
2019-05-27 22:58:52 +02:00
mysql = ["diesel/mysql", "diesel_migrations/mysql"]
Update u2f to 0.2, which requires OpenSSL but also might solve the problems we've had with certificates. The rust image doesn't need installing curl or tar, so removed. Also collapsed ENV lines.
2020-01-18 20:09:52 +01:00
postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
Update crates (GHSA-wq9x-qwcq-mmgf) (#4889) - Updated crates - Fixed MSRV to actually be N-2 - Changed some features to use the `dep:` prefix. This is needed for edition-2024 anyway although that will be a while before we can use that. Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-23 22:06:11 +02:00
sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "dep:libsqlite3-sys"]
Add `vendored_openssl` feature. This feature enables the `vendored` feature from the `openssl` crate and build a statically linked version of openssl.
2020-09-25 23:23:13 +02:00
# Enable to use a vendored and statically linked openssl
vendored_openssl = ["openssl/vendored"]
Several updates and fixes - Removed all `thread::sleep` and use `tokio::time::sleep` now. This solves an issue with updating to Bullseye ( Resolves #1998 ) - Updated all Debian images to Bullseye - Added MiMalloc feature and enabled it by default for Alpine based images This increases performance for the Alpine images because the default memory allocator for MUSL based binaries isn't that fast - Updated `dotenv` to `dotenvy` a maintained and updated fork - Fixed an issue with a newer jslib (not fully released yet) That version uses a different endpoint for `prelogin` Resolves #2378 )
2022-03-20 18:51:24 +01:00
# Enable MiMalloc memory allocator to replace the default malloc
# This can improve performance for Alpine builds
Update crates (GHSA-wq9x-qwcq-mmgf) (#4889) - Updated crates - Fixed MSRV to actually be N-2 - Changed some features to use the `dep:` prefix. This is needed for edition-2024 anyway although that will be a while before we can use that. Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-23 22:06:11 +02:00
enable_mimalloc = ["dep:mimalloc"]
Add dev-only query logging support This PR adds query logging support as an optional feature. It is only allowed during development/debug builds, and will abort when used during a `--release` build. For this feature to be fully activated you also need to se an environment variable `QUERY_LOGGER=1` to activate the debug log-level for this crate, else there will be no output. The reason for this PR is that sometimes it is useful to be able to see the generated queries, like when debugging an issue, or trying to optimize a query. Currently i always added this code when needed, but having this a part of the code could benifit other developers too who maybe need this.
2022-12-03 18:25:59 +01:00
# This is a development dependency, and should only be used during development!
# It enables the usage of the diesel_logger crate, which is able to output the generated queries.
# You also need to set an env variable `QUERY_LOGGER=1` to fully activate this so you do not have to re-compile
# if you want to turn off the logging for a specific run.
Update crates (GHSA-wq9x-qwcq-mmgf) (#4889) - Updated crates - Fixed MSRV to actually be N-2 - Changed some features to use the `dep:` prefix. This is needed for edition-2024 anyway although that will be a while before we can use that. Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-23 22:06:11 +02:00
query_logger = ["dep:diesel_logger"]
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested)
2018-12-06 20:35:25 +01:00
Replace IP support in preparation for compiling on stable, included some tests to check that the code matches the unstable implementation
2020-07-14 23:44:01 +02:00
# Enable unstable features, requires nightly
Updated lettre (and other crates) and workflow. General: - Updated several dependancies Lettre: - Updateded lettere and the workflow - Changed encoding to base64 - Convert unix newlines to dos newlines for e-mails. - Created custom e-mail boundary (auto generated could cause errors) Tested the e-mails sent using several clients (Linux, Windows, MacOS, Web). Run msglint (https://tools.ietf.org/tools/msglint/) on the generated e-mails until all errors were gone. Lettre has changed quite some stuff compared between alpha.1 and alpha.2, i haven't noticed any issues sending e-mails during my tests.
2020-09-11 23:52:20 +02:00
# Currently only used to enable rusts official ip support
Replace IP support in preparation for compiling on stable, included some tests to check that the code matches the unstable implementation
2020-07-14 23:44:01 +02:00
unstable = []
Fix compiling for Windows targets (#5053) The `unix::signal` was also included during Windows compilations. This of course will not work. Fix this by only including it for `unix` targets. Also changed all other conditional compilation options to use `cfg(unix)` instead of `cfg(not(windows))`. The latter may also include `wasm` for example, or any other future target family. This way we will only match `unix` Fixes #5052
2024-10-06 13:49:00 +02:00
[target."cfg(unix)".dependencies]
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Logging
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
syslog = "7.0.0"
Make the syslog crate non-optional when available
2019-04-02 22:35:22 +02:00
First working version
2018-02-10 01:00:55 +01:00
[dependencies]
rename membership and adopt newtype pattern (#5320) * rename membership rename UserOrganization to Membership to clarify the relation and prevent confusion whether something refers to a member(ship) or user * use newtype pattern * implement custom derive macro IdFromParam * add UuidFromParam macro for UUIDs * add macros to Docker build Co-authored-by: dfunkt <dfunkt@users.noreply.github.com> --------- Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
2025-01-09 18:37:23 +01:00
macros = { path = "./macros" }
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Logging
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
log = "0.4.25"
Use updated fern instead of patch (#5298) Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-15 23:13:29 +01:00
fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
Improve sync speed and updated dep. versions Improved sync speed by resolving the N+1 query issues. Solves #1402 and Solves #1453 With this change there is just one query done to retreive all the important data, and matching is done in-code/memory. With a very large database the sync time went down about 3 times. Also updated misc crates and Github Actions versions.
2022-05-04 21:13:05 +02:00
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# A `dotenv` implementation for Rust
Update web vault to v2023.3.0 and dependencies
2023-03-22 21:30:07 +01:00
dotenvy = { version = "0.15.7", default-features = false }
Updated icon fetching and crates. - Updated some crates - Updated icon fetching code: + Use a cookie jar and set Max-Age to 2 minutes for all cookies + Locate the base href tag to fix some locations + Changed User-Agent (Helps on some sites to get HTML instead of JS) + Reduced HTML code limit from 512KB to 384KB + Allow some large icons higer-up in the sort + Allow GIF images + Ignore cookie_store and hyper::client debug messages
2021-05-16 15:29:13 +02:00
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Lazy initialization
Updates and collection management fixes (#5072) * Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
2024-10-11 18:42:40 +02:00
once_cell = "1.20.2"
First working version
2018-02-10 01:00:55 +01:00
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Numerical libraries
Update Rust, crates and web-vault (#4558) * Update Rust and crates - Updated Rust to v1.78.0 - Updated crates * Update web-vault to v2024.5.0
2024-05-19 20:30:34 +02:00
num-traits = "0.2.19"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
num-derive = "0.4.2"
Update crates (#5268) - fixes CVE-2024-12224
2024-12-10 18:59:28 +02:00
bigdecimal = "0.4.7"
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Web framework
Update crates (#4587) - Update crates including rocket and rocket_ws
2024-05-25 15:14:19 +02:00
rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
rocket_ws = { version ="0.1.1" }
Initial version of websockets notification support. For now only folder notifications are sent (create, rename, delete). The notifications are only tested between two web-vault sessions in different browsers, mobile apps and browser extensions are untested. The websocket server is exposed in port 3012, while the rocket server is exposed in another port (8000 by default). To make notifications work, both should be accessible in the same port, which requires a reverse proxy. My testing is done with Caddy server, and the following config: ``` localhost { # The negotiation endpoint is also proxied to Rocket proxy /notifications/hub/negotiate 0.0.0.0:8000 { transparent } # Notifications redirected to the websockets server proxy /notifications/hub 0.0.0.0:3012 { websocket } # Proxy the Root directory to Rocket proxy / 0.0.0.0:8000 { transparent } } ``` This exposes the service in port 2015.
2018-08-30 17:43:46 +02:00
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# WebSockets libraries
Update Rust, crates and web-vault (#4558) * Update Rust and crates - Updated Rust to v1.78.0 - Updated crates * Update web-vault to v2024.5.0
2024-05-19 20:30:34 +02:00
rmpv = "1.3.0" # MessagePack library
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# Concurrent HashMap used for WebSocket messaging and favicons
Update Rust version & crates (#4928)
2024-09-07 11:39:29 +03:00
dashmap = "6.1.0"
Initial version of websockets notification support. For now only folder notifications are sent (create, rename, delete). The notifications are only tested between two web-vault sessions in different browsers, mobile apps and browser extensions are untested. The websocket server is exposed in port 3012, while the rocket server is exposed in another port (8000 by default). To make notifications work, both should be accessible in the same port, which requires a reverse proxy. My testing is done with Caddy server, and the following config: ``` localhost { # The negotiation endpoint is also proxied to Rocket proxy /notifications/hub/negotiate 0.0.0.0:8000 { transparent } # Notifications redirected to the websockets server proxy /notifications/hub 0.0.0.0:3012 { websocket } # Proxy the Root directory to Rocket proxy / 0.0.0.0:8000 { transparent } } ``` This exposes the service in port 2015.
2018-08-30 17:43:46 +02:00
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Async futures
Updates and collection management fixes (#5072) * Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
2024-10-11 18:42:40 +02:00
futures = "0.3.31"
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
tokio = { version = "1.43.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
Initial version of websockets notification support. For now only folder notifications are sent (create, rename, delete). The notifications are only tested between two web-vault sessions in different browsers, mobile apps and browser extensions are untested. The websocket server is exposed in port 3012, while the rocket server is exposed in another port (8000 by default). To make notifications work, both should be accessible in the same port, which requires a reverse proxy. My testing is done with Caddy server, and the following config: ``` localhost { # The negotiation endpoint is also proxied to Rocket proxy /notifications/hub/negotiate 0.0.0.0:8000 { transparent } # Notifications redirected to the websockets server proxy /notifications/hub 0.0.0.0:3012 { websocket } # Proxy the Root directory to Rocket proxy / 0.0.0.0:8000 { transparent } } ``` This exposes the service in port 2015.
2018-08-30 17:43:46 +02:00
First working version
2018-02-10 01:00:55 +01:00
# A generic serialization/deserialization framework
Update crates and GHA (#5346) - Updated crates to the latest version - Updated GitHub Actions to the latest version Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-04 19:02:15 +01:00
serde = { version = "1.0.217", features = ["derive"] }
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
serde_json = "1.0.137"
Implemented proper logging, with support for file logging, timestamp and syslog (this last one is untested)
2018-12-06 20:35:25 +01:00
First working version
2018-02-10 01:00:55 +01:00
# A safe, extensible ORM and Query builder
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
diesel = { version = "2.2.6", features = ["chrono", "r2d2", "numeric"] }
Update crates, web-vault and GHA (#4648) - Updated all crates including Diesel and the new mysqlclient-sys - Updated the MSRV to v1.78 as that is what Diesel mandates - Added the mimalloc crate as a patch for now to fix armv6 static builds This probably makes #4606 possible - Updated web-vault to v2024.5.1 - Updated GitHub Actions Fixed an issue with the localhost images for extracting the musl binaries.
2024-06-19 13:06:58 +02:00
diesel_migrations = "2.2.0"
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
diesel_logger = { version = "0.4.0", optional = true }
initial mysql support
2019-05-26 23:02:41 +02:00
rename membership and adopt newtype pattern (#5320) * rename membership rename UserOrganization to Membership to clarify the relation and prevent confusion whether something refers to a member(ship) or user * use newtype pattern * implement custom derive macro IdFromParam * add UuidFromParam macro for UUIDs * add macros to Docker build Co-authored-by: dfunkt <dfunkt@users.noreply.github.com> --------- Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
2025-01-09 18:37:23 +01:00
derive_more = { version = "1.0.0", features = ["from", "into", "as_ref", "deref", "display"] }
diesel-derive-newtype = "2.1.2"
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# Bundled/Static SQLite
Update crates (GHSA-wq9x-qwcq-mmgf) (#4889) - Updated crates - Fixed MSRV to actually be N-2 - Changed some features to use the `dep:` prefix. This is needed for edition-2024 anyway although that will be a while before we can use that. Signed-off-by: BlackDex <black.dex@gmail.com>
2024-08-23 22:06:11 +02:00
libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true }
Update dependencies and bundle SQLite with the program, so we have one less dependency to install separately
2018-05-07 21:33:54 +02:00
Generate tokens more simply and uniformly
2020-08-22 16:07:53 -07:00
# Crypto-related libraries
Re-Base, Update crates and small change.
2022-06-04 15:13:10 +02:00
rand = { version = "0.8.5", features = ["small_rng"] }
Update crates, GHA and a Python/JS scripts (#4357) - Update all crates - Update GHA - Update Global Domains script to use main instead of master Also fixed some Python linting warnings - Updated Admin JS and CSS libraries
2024-02-25 23:26:46 +01:00
ring = "0.17.8"
First working version
2018-02-10 01:00:55 +01:00
# UUID generation
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
uuid = { version = "1.12.1", features = ["v4"] }
First working version
2018-02-10 01:00:55 +01:00
Use local time in email notifications for new device logins In this implementation, the `TZ` environment variable must be set in order for the formatted output to use a more user-friendly time zone abbreviation (e.g., `UTC`). Otherwise, the output uses the time zone's UTC offset (e.g., `+00:00`).
2020-07-07 21:30:18 -07:00
# Date and time libraries
Update crates (#5268) - fixes CVE-2024-12224
2024-12-10 18:59:28 +02:00
chrono = { version = "0.4.39", features = ["clock", "serde"], default-features = false }
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
chrono-tz = "0.10.1"
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
time = "0.3.37"
First working version
2018-02-10 01:00:55 +01:00
Add a generic job scheduler Also rewrite deletion of old sends using the job scheduler.
2021-04-02 20:16:49 -07:00
# Job scheduler
Update Crate and Rust (#4522) * Update Crate and Rust - Updated all crates - Updated Rust to the latest patch version * Updated GitHub Actions
2024-04-27 00:53:42 +02:00
job_scheduler_ng = "2.0.5"
Add a generic job scheduler Also rewrite deletion of old sends using the job scheduler.
2021-04-02 20:16:49 -07:00
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Data encoding library Hex/Base32/Base64
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
data-encoding = "2.7.0"
First working version
2018-02-10 01:00:55 +01:00
# JWT library
Update Rust and crates (#4445) - Updated Rust to v1.77.0 - Updated several crates The `reqwest` update included `trust-dns` > `hickory-dns` changes. Also, `reqwest` v0.12 is not working correctly for us, that is something to investigate. - Fixed a new clippy warning
2024-03-23 15:40:34 +01:00
jsonwebtoken = "9.3.0"
First working version
2018-02-10 01:00:55 +01:00
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# TOTP library
Update crates (#4074) * Remove another header for websocket connections * Fix small bake issue * Update crates Updated crates and adjusted code where needed. One major update is Rocket rc4, no need anymore (again) for crates.io patching. The only item still pending is openssl/openssl-sys for which we need to wait if https://github.com/sfackler/rust-openssl/pull/2094 will be merged. If, then we can remove the pinned versions for the openssl crate.
2023-11-15 10:41:14 +01:00
totp-lite = "2.0.1"
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
Adds yubico-rs library dep
2018-11-15 18:34:17 -07:00
# Yubico Library
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
yubico = { version = "0.12.0", features = ["online-tokio"], default-features = false }
Adds yubico-rs library dep
2018-11-15 18:34:17 -07:00
Remove u2f implementation For a while now WebAuthn has replaced u2f. And since web-vault v2.27.0 the connector files for u2f have been removed. Also, on the official bitwarden server the endpoint to `/two-factor/get-u2f` results in a 404. - Removed all u2f code except the migration code from u2f to WebAuthn
2022-03-27 17:25:04 +02:00
# WebAuthn libraries
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
webauthn-rs = "0.3.2"
First working version
2018-02-10 01:00:55 +01:00
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# Handling of URL's for WebAuthn and favicons
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
url = "2.5.4"
Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.
2018-07-12 21:46:50 +02:00
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# Email libraries
Update crates (#5268) - fixes CVE-2024-12224
2024-12-10 18:59:28 +02:00
lettre = { version = "0.11.11", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
Update Rust, Crates, Profile and Actions (#4126) - Updated Rust to v1.74.0 - Updated all crates (where possible) - Changed release profile to use * fat lto * 1 codegen-unit This should optimize a bit for speed and a lot for size ~15MB smaller - Updated Github actions to use caching for the bake process - Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images - During the release action, the Alpine/static binaries are added as artifects. Later we could also automatically add them to the releases maybe. - Added CODEWONERS to prevent unchecked changes to github actions workflows
2023-12-04 20:26:11 +01:00
percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
Update crates, web-vault and fixes (#4823) * Update crates, web-vault and fixes - Updated crates - Updated web-vault to v2024.6.2 This version is currently the latest version compatible with our API implementation. For newer versions we need more code updates to make it compatible. Thanks to @stefan0xC this version fixes #4628 - Added a small fix to prevent errors in the Vaultwarden and Client logs. The v2024.6.2 web-vault calls an endpoint with invalid arguments. If this happens we ignore the call and just return an Ok. - Added the bulk-collection endpoint (Though not yet available in v2024.6.2) Fixes #4628 * Prevent bulk remove collections to work
2024-08-07 22:46:03 +02:00
email_address = "0.2.9"
SMTP integration, send password hint by email.
2018-08-15 08:32:19 +02:00
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# HTML Template library
Update crates and web-vault to v2025.1.0 (#5368) - Updated the web-vault to use v2025.1.0 (pre-release) - Updated crates Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-08 18:14:08 +01:00
handlebars = { version = "6.3.0", features = ["dir_source"] }
Initial stab at templates
2019-01-13 01:39:29 +01:00
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# HTTP client (Used for favicons, version check, DUO and HIBP API)
Update crates and GHA (#5346) - Updated crates to the latest version - Updated GitHub Actions to the latest version Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-04 19:02:15 +01:00
reqwest = { version = "0.12.12", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
Update crates (#5268) - fixes CVE-2024-12224
2024-12-10 18:59:28 +02:00
hickory-resolver = "0.24.2"
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# Favicon extraction libraries
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
html5gum = "0.7.0"
Update crates and fix several issues Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-09 19:58:10 +01:00
regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false }
Update Rust, Crates, Profile and Actions (#4126) - Updated Rust to v1.74.0 - Updated all crates (where possible) - Changed release profile to use * fat lto * 1 codegen-unit This should optimize a bit for speed and a lot for size ~15MB smaller - Updated Github actions to use caching for the bake process - Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images - During the release action, the Alpine/static binaries are added as artifects. Later we could also automatically add them to the releases maybe. - Added CODEWONERS to prevent unchecked changes to github actions workflows
2023-12-04 20:26:11 +01:00
data-url = "0.3.1"
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
bytes = "1.9.0"
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# Cache function results (Used for version check and favicon fetching)
Update crates and fix several issues Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-09 19:58:10 +01:00
cached = { version = "0.54.0", features = ["async"] }
Update async to prepare for main merge - Changed nightly to stable in Dockerfile and Workflow - Updated Dockerfile to use stable and updated ENV's - Removed 0.0.0.0 as default addr it now uses ROCKET_ADDRESS or the default - Updated Github Workflow actions to the latest versions - Updated Hadolint version - Re-orderd the Cargo.toml file a bit and put libs together which are linked - Updated some libs - Updated .dockerignore file
2022-02-07 22:26:22 +01:00
# Used for custom short lived cookie jar during favicon extraction
Update crates and some Clippy fixes (#4475) - Updated all crates including reqwest - Fixed some clippy lints reported by nightly Rust
2024-04-06 13:55:10 +02:00
cookie = "0.18.1"
Update crates and fix several issues Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-09 19:58:10 +01:00
cookie_store = "0.21.1"
Added better favicon downloader.
2019-01-27 15:39:19 +01:00
Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn`
2023-02-08 17:13:14 +01:00
# Used by U2F, JWT and PostgreSQL
Update Rust to 1.82.0 (#5099) - raise MSRV to 1.80.0 - also update the crates
2024-10-18 21:34:31 +03:00
openssl = "0.10.68"
Adds support for PostgreSQL which resolves #87 and is mentioned in #246. This includes migrations as well as Dockerfile's for amd64. The biggest change is that replace_into isn't supported by Diesel for the PostgreSQL backend, instead requiring the use of on_conflict. This unfortunately requires a branch for save() on all of the models currently using replace_into.
2019-09-12 16:12:22 -04:00
Added command line flags for help and version Signed-off-by: zethra <benaagoldberg@gmail.com>
2020-03-02 14:57:06 -05:00
# CLI argument parsing
Update pico-args
2022-06-04 19:16:36 +02:00
pico-args = "0.5.0"
Added command line flags for help and version Signed-off-by: zethra <benaagoldberg@gmail.com>
2020-03-02 14:57:06 -05:00
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
# Macro ident concatenation
Update Rust, crates and web-vault (#4558) * Update Rust and crates - Updated Rust to v1.78.0 - Updated crates * Update web-vault to v2024.5.0
2024-05-19 20:30:34 +02:00
paste = "1.0.15"
Use updated fern instead of patch (#5298) Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-15 23:13:29 +01:00
governor = "0.8.0"
Add support for multiple simultaneous database features by using macros. Diesel requires the following changes: - Separate connection and pool types per connection, the generate_connections! macro generates an enum with a variant per db type - Separate migrations and schemas, these were always imported as one type depending on db feature, now they are all imported under different module names - Separate model objects per connection, the db_object! macro generates one object for each connection with the diesel macros, a generic object, and methods to convert between the connection-specific and the generic ones - Separate connection queries, the db_run! macro allows writing only one that gets compiled for all databases or multiple ones
2020-08-18 17:15:44 +02:00
Support Org Export for v2022.11 clients Since v2022.9.x the org export uses a different endpoint. But, since v2022.11.x this endpoint will return a different format. See: https://github.com/bitwarden/clients/pull/3641 and https://github.com/bitwarden/server/pull/2316 To support both version in the case of users having an older client either web-vault or cli this PR checks the version and responds using the correct format. If no version can be determined it will use the new format as a default.
2022-11-07 17:13:34 +01:00
# Check client versions for specific features.
Org fixes (#5438) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-25 01:32:09 +01:00
semver = "1.0.25"
Support Org Export for v2022.11 clients Since v2022.9.x the org export uses a different endpoint. But, since v2022.11.x this endpoint will return a different format. See: https://github.com/bitwarden/clients/pull/3641 and https://github.com/bitwarden/server/pull/2316 To support both version in the case of users having an older client either web-vault or cli this PR checks the version and responds using the correct format. If no version can be determined it will use the new format as a default.
2022-11-07 17:13:34 +01:00
Several updates and fixes - Removed all `thread::sleep` and use `tokio::time::sleep` now. This solves an issue with updating to Bullseye ( Resolves #1998 ) - Updated all Debian images to Bullseye - Added MiMalloc feature and enabled it by default for Alpine based images This increases performance for the Alpine images because the default memory allocator for MUSL based binaries isn't that fast - Updated `dotenv` to `dotenvy` a maintained and updated fork - Fixed an issue with a newer jslib (not fully released yet) That version uses a different endpoint for `prelogin` Resolves #2378 )
2022-03-20 18:51:24 +01:00
# Allow overriding the default memory allocator
# Mainly used for the musl builds, since the default musl malloc is very slow
Update crates and web-vault (#4714) - Updated the crates Removed the patch for mimalloc - Updated the web-vault to v2024.5.1b The reason for not updating to v2024.6.x is that there are several items not working correctly or need some more research.
2024-07-08 23:27:48 +02:00
mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true }
Update crates and GHA (#5346) - Updated crates to the latest version - Updated GitHub Actions to the latest version Signed-off-by: BlackDex <black.dex@gmail.com>
2025-01-04 19:02:15 +01:00
which = "7.0.1"
Several updates and fixes - Removed all `thread::sleep` and use `tokio::time::sleep` now. This solves an issue with updating to Bullseye ( Resolves #1998 ) - Updated all Debian images to Bullseye - Added MiMalloc feature and enabled it by default for Alpine based images This increases performance for the Alpine images because the default memory allocator for MUSL based binaries isn't that fast - Updated `dotenv` to `dotenvy` a maintained and updated fork - Fixed an issue with a newer jslib (not fully released yet) That version uses a different endpoint for `prelogin` Resolves #2378 )
2022-03-20 18:51:24 +01:00
Admin token Argon2 hashing support Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead of only supporting a plain text string. The hash must be a PHC string which can be generated via the `argon2` CLI **or** via the also built-in hash command in Vaultwarden. You can simply run `vaultwarden hash` to generate a hash based upon a password the user provides them self. Added a warning during startup and within the admin settings panel is the `ADMIN_TOKEN` is not an Argon2 hash. Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash. I have also tested this on my RaspberryPi 2b and there the `Bitwarden` preset takes almost 4.5 seconds to generate/verify the Argon2 hash. Using the `OWASP` preset it is below 1 second, which I think should be fine for low-graded hardware. If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden it self would run. They can always use the `argon2` CLI and generate a faster hash.
2023-02-28 23:09:51 +01:00
# Argon2 library with support for the PHC format
Update crates, web-vault and GHA (#4275) - Update GitHub Actions - Updated crates - Updated web-vault to v2024.1.2
2024-01-26 20:19:53 +01:00
argon2 = "0.5.3"
Admin token Argon2 hashing support Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead of only supporting a plain text string. The hash must be a PHC string which can be generated via the `argon2` CLI **or** via the also built-in hash command in Vaultwarden. You can simply run `vaultwarden hash` to generate a hash based upon a password the user provides them self. Added a warning during startup and within the admin settings panel is the `ADMIN_TOKEN` is not an Argon2 hash. Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash. I have also tested this on my RaspberryPi 2b and there the `Bitwarden` preset takes almost 4.5 seconds to generate/verify the Argon2 hash. Using the `OWASP` preset it is below 1 second, which I think should be fine for low-graded hardware. If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden it self would run. They can always use the `argon2` CLI and generate a faster hash.
2023-02-28 23:09:51 +01:00
# Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
Update crates (#4074) * Remove another header for websocket connections * Fix small bake issue * Update crates Updated crates and adjusted code where needed. One major update is Rocket rc4, no need anymore (again) for crates.io patching. The only item still pending is openssl/openssl-sys for which we need to wait if https://github.com/sfackler/rust-openssl/pull/2094 will be merged. If, then we can remove the pinned versions for the openssl crate.
2023-11-15 10:41:14 +01:00
rpassword = "7.3.1"
WebSockets via Rocket's Upgrade connection This PR implements a (not yet fully released) new feature of Rocket which allows WebSockets/Upgrade connections. No more need for multiple ports to be opened for Vaultwarden. No explicit need for a reverse proxy to get WebSockets to work (Although I still suggest to use a reverse proxy). - Using a git revision for Rocket, since `rocket_ws` is not yet released. - Updated other crates as well. - Added a connection guard to clear the WS connection from the Users list. Fixes #685 Fixes #2917 Fixes #1424
2023-03-30 17:18:59 +02:00
Add dynamic CSS support (#4940) * Add dynamic CSS support Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes. For example, we could hide the register link if signups are not allowed. In the future show or hide the SSO button depending on if it is enabled or not. There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes. This will prevent future changes from not being applied and still have the custom user changes to be added. Also added a special redirect when someone goes directly to `/index.html` as that might cause issues with loading other scripts and files. Signed-off-by: BlackDex <black.dex@gmail.com> * Add versions and fallback to built-in - Add both Vaultwarden and web-vault versions to the css_options. - Fallback to the inner templates if rendering or compiling the scss fails. This ensures the basics are always working even if someone breaks the templates. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix fallback code to actually work The fallback now works by using an alternative `reg!` macro. This adds an extra template register which prefixes the template with `fallback_`. Signed-off-by: BlackDex <black.dex@gmail.com> * Updated the wiki link in the user template --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-11-11 20:14:04 +01:00
# Loading a dynamic CSS Stylesheet
grass_compiler = { version = "0.13.4", default-features = false }
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
[patch.crates-io]
# Patch yubico to remove duplicate crates of older versions
yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
Favicon, SMTP and misc updates Favicon: - Replaced HTML tokenizer, much faster now. - Caching the domain blacklist function. - Almost all functions are async now. - Fixed bug on minimizing data to parse - Changed maximum icon download size to 5MB to match Bitwarden - Added `apple-touch-icon.png` as a second fallback besides `favicon.ico` SMTP: - Deprecated SMTP_SSL and SMTP_EXPLICIT_TLS, replaced with SMTP_SECURITY Misc: - Fixed issue when `resolv.conf` contains errors and trust-dns panics (Fixes #2283) - Updated Javscript and CSS files for admin interface - Fixed an issue with the /admin interface which did not cleared the login cookie correctly - Prevent websocket notifications during org import, this caused a lot of traffic, and slowed down the import. This is also the same as Bitwarden which does not trigger this refresh via websockets. Rust: - Updated to use v1.59 - Use the new `strip` option and enabled to strip `debuginfo` - Enabled `lto` with `thin` - Removed the strip RUN from the alpine armv7, this is now done automatically
2022-02-22 20:48:00 +01:00
# Strip debuginfo from the release builds
Update Rust, Crates, Profile and Actions (#4126) - Updated Rust to v1.74.0 - Updated all crates (where possible) - Changed release profile to use * fat lto * 1 codegen-unit This should optimize a bit for speed and a lot for size ~15MB smaller - Updated Github actions to use caching for the bake process - Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images - During the release action, the Alpine/static binaries are added as artifects. Later we could also automatically add them to the releases maybe. - Added CODEWONERS to prevent unchecked changes to github actions workflows
2023-12-04 20:26:11 +01:00
# The symbols are the provide better panic traces
# Also enable fat LTO and use 1 codegen unit for optimizations
Favicon, SMTP and misc updates Favicon: - Replaced HTML tokenizer, much faster now. - Caching the domain blacklist function. - Almost all functions are async now. - Fixed bug on minimizing data to parse - Changed maximum icon download size to 5MB to match Bitwarden - Added `apple-touch-icon.png` as a second fallback besides `favicon.ico` SMTP: - Deprecated SMTP_SSL and SMTP_EXPLICIT_TLS, replaced with SMTP_SECURITY Misc: - Fixed issue when `resolv.conf` contains errors and trust-dns panics (Fixes #2283) - Updated Javscript and CSS files for admin interface - Fixed an issue with the /admin interface which did not cleared the login cookie correctly - Prevent websocket notifications during org import, this caused a lot of traffic, and slowed down the import. This is also the same as Bitwarden which does not trigger this refresh via websockets. Rust: - Updated to use v1.59 - Use the new `strip` option and enabled to strip `debuginfo` - Enabled `lto` with `thin` - Removed the strip RUN from the alpine armv7, this is now done automatically
2022-02-22 20:48:00 +01:00
[profile.release]
strip = "debuginfo"
Update Rust, Crates, Profile and Actions (#4126) - Updated Rust to v1.74.0 - Updated all crates (where possible) - Changed release profile to use * fat lto * 1 codegen-unit This should optimize a bit for speed and a lot for size ~15MB smaller - Updated Github actions to use caching for the bake process - Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images - During the release action, the Alpine/static binaries are added as artifects. Later we could also automatically add them to the releases maybe. - Added CODEWONERS to prevent unchecked changes to github actions workflows
2023-12-04 20:26:11 +01:00
lto = "fat"
codegen-units = 1
Admin token Argon2 hashing support Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead of only supporting a plain text string. The hash must be a PHC string which can be generated via the `argon2` CLI **or** via the also built-in hash command in Vaultwarden. You can simply run `vaultwarden hash` to generate a hash based upon a password the user provides them self. Added a warning during startup and within the admin settings panel is the `ADMIN_TOKEN` is not an Argon2 hash. Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash. I have also tested this on my RaspberryPi 2b and there the `Bitwarden` preset takes almost 4.5 seconds to generate/verify the Argon2 hash. Using the `OWASP` preset it is below 1 second, which I think should be fine for low-graded hardware. If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden it self would run. They can always use the `argon2` CLI and generate a faster hash.
2023-02-28 23:09:51 +01:00
Upd Crates, Rust, MSRV, GHA and remove Backtrace - Changed MSRV to v1.65. Discussed this with @dani-garcia, and we will support **N-2**. This is/will be the same as for the `time` crate we use. Also updated the wiki regarding this https://github.com/dani-garcia/vaultwarden/wiki/Building-binary - Removed backtrace crate in favor of `std::backtrace` stable since v1.65 - Updated Rust to v1.67.1 - Updated all the crates - Updated the GHA action versions - Adjusted the GHA MSRV build to extract the MSRV from `Cargo.toml`
2023-03-04 19:18:38 +01:00
# A little bit of a speedup
[profile.dev]
split-debuginfo = "unpacked"
Container building changes (#3958) * WIP: Container building changes * Small updates - Updated to rust 1.73.0 - Updated crates - Updated documentation - Added a bake.sh script to make baking easier * Update GitHub Actions Workflow - Updated workflow to use qemu and buildx bake In the future i would like to extract the alpine based binaries and add them as artifacts to the release. * Address review remarks and small updates - Addressed review remarks - Added `podman-bake.sh` script to build Vaultwarden with podman - Updated README - Updated crates - Added `VW_VERSION` support - Added annotations - Updated web-vault to v2023.9.1
2023-10-23 00:18:38 +02:00
# Always build argon2 using opt-level 3
# This is a huge speed improvement during testing
[profile.dev.package.argon2]
opt-level = 3
Add additional build target which optimizes for size (#4096) OpenWRT is a project which builds and distributes firmware for embedded devies like routers, access points, and so on. These devices are usually very limited in terms of storage. Therefore, optimizing binaries for size at the cost of execution speed is usually desired. This PR adds an additional build-target, namely "release-micro", which implements several parameters which optimize in favor of binary size. The following parameters were chosen: - opt-level "z": Optimize for size with disabled loop vectorization - strip "symbols": Strip debuginfo and symbols from binary - lto "fat": Enable link-time optimizations across all crates - codegen-units 1: Disable parallelization of code generation to allow for additional optimizations - panic "abort": Abort on Panic() instead of unwinding All these build parameters significantly reduce the binary size from >40MB to <15MB - the actual amount depends on the target architecture. We would like to upstream this new build target to keep our build environment simple. Other projects which deploy vaultwarden on size-constrained environments may benefit from this change too. Signed-off-by: Christian Lachner <gladiac@gmail.com>
2023-12-18 21:46:53 +01:00
# Optimize for size
[profile.release-micro]
inherits = "release"
opt-level = "z"
strip = "symbols"
lto = "fat"
codegen-units = 1
panic = "abort"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
# Profile for systems with low resources
# It will use less resources during build
[profile.release-low]
inherits = "release"
strip = "symbols"
lto = "thin"
Change the codegen-units for low resources (#4336) It seems (as disscusses here #4320) a single codegen unit makes it still crash. This sets it to the default 16 Rust uses for the release profile.
2024-02-10 13:04:08 +01:00
codegen-units = 16
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
# Linting config
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
# https://doc.rust-lang.org/rustc/lints/groups.html
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
[lints.rust]
# Forbid
unsafe_code = "forbid"
non_ascii_idents = "forbid"
# Deny
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
deprecated_in_future = "deny"
Update crates and some Clippy fixes (#4475) - Updated all crates including reqwest - Fixed some clippy lints reported by nightly Rust
2024-04-06 13:55:10 +02:00
future_incompatible = { level = "deny", priority = -1 }
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
keyword_idents = { level = "deny", priority = -1 }
let_underscore = { level = "deny", priority = -1 }
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
noop_method_call = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
refining_impl_trait = { level = "deny", priority = -1 }
Update crates and some Clippy fixes (#4475) - Updated all crates including reqwest - Fixed some clippy lints reported by nightly Rust
2024-04-06 13:55:10 +02:00
rust_2018_idioms = { level = "deny", priority = -1 }
rust_2021_compatibility = { level = "deny", priority = -1 }
Update Rust and crates (#5248) * Update Rust and crates - Updated Rust to v1.83.0 - Updated MSRV to v1.82.0 (Needed for html5gum crate) - Updated icon fetching code to match new html5gum version - Updated workflows - Enabled edition 2024 clippy lints Nightly reports some clippy hints, but that would be too much to change in this PR i think. Signed-off-by: BlackDex <black.dex@gmail.com> * Some additional updates - Patch fern to allow syslog-7 feature - Fixed diesel logger which was broken because of the sqlite backup feature Refactored the sqlite backup because of this - Added a build workflow test to include the query_logger feature Signed-off-by: BlackDex <black.dex@gmail.com> * Also patch yubico-rs and latest updates Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-12-05 22:10:59 +01:00
rust_2024_compatibility = { level = "deny", priority = -1 }
edition_2024_expr_fragment_specifier = "allow" # Once changed to Rust 2024 this should be removed and macro's should be validated again
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
single_use_lifetimes = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
trivial_casts = "deny"
trivial_numeric_casts = "deny"
Update crates and some Clippy fixes (#4475) - Updated all crates including reqwest - Fixed some clippy lints reported by nightly Rust
2024-04-06 13:55:10 +02:00
unused = { level = "deny", priority = -1 }
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
unused_import_braces = "deny"
unused_lifetimes = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
unused_qualifications = "deny"
variant_size_differences = "deny"
Allow building with Rust v1.84.0 or newer (#5371)
2025-01-09 12:33:02 +01:00
# Allow the following lints since these cause issues with Rust v1.84.0 or newer
# Building Vaultwarden with Rust v1.85.0 and edition 2024 also works without issues
if_let_rescope = "allow"
tail_expr_drop_order = "allow"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
# https://rust-lang.github.io/rust-clippy/stable/index.html
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
[lints.clippy]
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
# Warn
dbg_macro = "warn"
todo = "warn"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
# Deny
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
case_sensitive_file_extension_comparisons = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
cast_lossless = "deny"
clone_on_ref_ptr = "deny"
equatable_if_let = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
filter_map_next = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
float_cmp_const = "deny"
inefficient_to_string = "deny"
iter_on_empty_collections = "deny"
iter_on_single_items = "deny"
linkedlist = "deny"
macro_use_imports = "deny"
manual_assert = "deny"
manual_instant_elapsed = "deny"
manual_string_new = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
match_on_vec_items = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
match_wildcard_for_single_variants = "deny"
mem_forget = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
needless_continue = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
needless_lifetimes = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
option_option = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
string_add_assign = "deny"
string_to_string = "deny"
unnecessary_join = "deny"
unnecessary_self_imports = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
unnested_or_patterns = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
unused_async = "deny"
Add extra linting (#4977) * Add extra linting Added extra linting for some code styles. Also added the Rust Edition 2024 lints. Closes #4974 Signed-off-by: BlackDex <black.dex@gmail.com> * Adjusted according to comments Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2024-09-23 20:25:32 +02:00
unused_self = "deny"
Update Rust, crates and web-vault (#4328) - Updated Rust to v1.76.0 - Updated crates - Updated web-vault to v2024.1.2b - Fixed some Clippy lints - Moved lint check configuration Cargo.toml - Fixed issue with Reset Password Enrollment when logged-in via device
2024-02-08 22:16:29 +01:00
verbose_file_reads = "deny"
zero_sized_map_values = "deny"
Permalink kopieren