During the refactoring done in #5320 there has a buggy slipped through which changed a uuid.
This commit fixes this, and also made some vars pass by reference.
Fixes #5377
Signed-off-by: BlackDex <black.dex@gmail.com>
* rename membership
rename UserOrganization to Membership to clarify the relation
and prevent confusion whether something refers to a member(ship) or user
* use newtype pattern
* implement custom derive macro IdFromParam
* add UuidFromParam macro for UUIDs
* add macros to Docker build
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
---------
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
* Prevent new users/members when invite fails
Currently when a (new) user gets invited as a member to an org, and SMTP is enabled, but sending the invite fails, the user is still created.
They will only not have received a mail, and admins/owners need to re-invite the member again.
Since the dialog window still keeps on-top when this fails, it kinda invites to click try again, but that will fail in mentioning the user is already a member.
To prevent this weird flow, this commit will delete the user, invite and member if sending the mail failed.
This allows the inviter to try again if there was a temporary hiccup for example, or contact the server admin and does not leave stray users/members around.
Fixes #5349
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjust deleting records
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
The new web-vault seems to call an extra endpoint, which looks like it is only used when passkeys can be used for login.
Since we do not support this (yet), we can just return an empty data object.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add partial role support for manager only
- Add the custom role which replaces the manager role
- Added mini-details endpoint used by v2024.11.1
These changes try to add the custom role in such a way that it stays compatible with the older manager role.
It will convert a manager role into a custom role, and if a manager has `access-all` rights, it will enable the correct custom roles.
Upon saving it will convert these back to the old format.
What this does is making sure you are able to revert back to an older version of Vaultwarden without issues.
This way we can support newer web-vault's and still be compatible with a previous Vaultwarden version if needed.
In the future this needs to be changed to full role support though.
Fixed the 2FA hide CSS since the order of options has changed
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide passkey login
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide create account
Signed-off-by: BlackDex <black.dex@gmail.com>
* Small changes for v2024.12.0
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide create account link
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add pre-release web-vault
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rename function to mention swapping uuid's
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
- Refactored several code to use more modern syntax
- Made some checks a bit more strict
- Updated crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some Backend Admin fixes and updates
- Updated datatables
- Added a `X-Robots-Tags` header to prevent indexing
- Modified some layout settings
- Added Websocket check to diagnostics
- Added Security Header checks to diagnostics
- Added Error page response checks to diagnostics
- Modifed support string layout a bit
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some small fixes
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
The `reprompt` value somehow sometimes has a value of `4`.
This isn't a valid value, and doesn't cause issues with other clients, but the native clients are more strict.
This commit fixes this by validating the value before storing and returning.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update Rust and crates
- Updated Rust to v1.83.0
- Updated MSRV to v1.82.0 (Needed for html5gum crate)
- Updated icon fetching code to match new html5gum version
- Updated workflows
- Enabled edition 2024 clippy lints
Nightly reports some clippy hints, but that would be too much to change in this PR i think.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some additional updates
- Patch fern to allow syslog-7 feature
- Fixed diesel logger which was broken because of the sqlite backup feature
Refactored the sqlite backup because of this
- Added a build workflow test to include the query_logger feature
Signed-off-by: BlackDex <black.dex@gmail.com>
* Also patch yubico-rs and latest updates
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
The new native mobile clients seem to use PascalCase for the push payload.
Also the date/time could cause issues.
This PR fixes this by formatting the date/time correctly and use PascalCase for the payload key's
I now receive cipher updates and login-with-device requests again.
Fixes #5182
Signed-off-by: BlackDex <black.dex@gmail.com>
This fixes an issue with collections be duplicated same as was an issue with folders.
Also made some optimizations by using HashSet where possible and device the Vec/Hash capacity.
And instead of passing objects only use the UUID which was the only value we needed.
Also found an issue with importing a personal export via the Org import where folders are used.
Since Org's do not use folder we needed to clear those out, same as Bitwarden does.
Fixes #5193
Signed-off-by: BlackDex <black.dex@gmail.com>
* fix password hint check
don't show password hints if you have disabled the hints with
PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and
opted into showing password hints
* update descriptions for pw hints options
2FA is needed to login even when using login-with-device.
If the user didn't saved the 2FA token they still need to provide this.
We deleted the auth-request after validation the request, but before 2FA was triggered.
Removing the deletion of this record from that point as it will get cleaned-up automatically anyways.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add dynamic CSS support
Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes.
For example, we could hide the register link if signups are not allowed.
In the future show or hide the SSO button depending on if it is enabled or not.
There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes.
This will prevent future changes from not being applied and still have the custom user changes to be added.
Also added a special redirect when someone goes directly to `/index.html` as that might cause issues with loading other scripts and files.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add versions and fallback to built-in
- Add both Vaultwarden and web-vault versions to the css_options.
- Fallback to the inner templates if rendering or compiling the scss fails.
This ensures the basics are always working even if someone breaks the templates.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix fallback code to actually work
The fallback now works by using an alternative `reg!` macro.
This adds an extra template register which prefixes the template with `fallback_`.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated the wiki link in the user template
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
- Fixed collection management to be usable from the Password Manager UI
- Checked and brought in-to-sync with upstream several json responses
- Fixed a small issue with the `fields` response when it was empty
Signed-off-by: BlackDex <black.dex@gmail.com>
Ever since we changed to pass the full url as a template value handlebars now html-encodes this.
This causes issues with the plain/text mails, but it also could potentially cause issues with the text/html templates.
This PR encloses the template values inside triple braces `{{{ }}}` which prevents html-encoding.
Since the URL is generated via the `url` crate the values are percent-encoded anyway.
Fixes #5097
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix collections not editable by managers
Since a newer version of the web-vault we use manager were not able to create sub collections anymore.
This was because of some missing details in the response of some json objects.
This commit fixes this by using the `to_json_details` instead of the `to_json`
Fixes #5066
Fixes #5044
* Update crates and GitHub Actions
- Updated all the crates
- Updated all the GHA dependencies
- Configured the trivy workflow to only run on the main repo and not on forks
Also selected a random new scheduled date so it will not run at the same time as all other forks.
The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
* Add extra linting
Added extra linting for some code styles.
Also added the Rust Edition 2024 lints.
Closes #4974
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted according to comments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Avoid keyword collision with gen in Rust 2024
* Include new api/config setting to disable user registration, not yet used by clients
* Actually qualify CONFIG
* Add a CLI feature to backup the SQLite DB
Many users request to add the sqlite3 binary to the container image.
This isn't really ideal as that might bring in other dependencies and will only bloat the image.
There main reason is to create a backup of the database.
While there already was a feature within the admin interface to do so (or by using the admin API call), this might not be easy.
This PR adds several ways to generate a backup.
1. By calling the Vaultwarden binary with the `backup` command like:
- `/vaultwarden backup`
- `docker exec -it vaultwarden /vaultwarden backup`
2. By sending the USR1 signal to the running process like:
- `kill -s USR1 $(pidof vaultwarden)
- `killall -s USR1 vaultwarden)
This should help users to more easily create backups of there SQLite database.
Also added the Web-Vault version number when using `-v/--version` to the output.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Spelling and small adjustments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow enforcing Single Org with pw reset policy
Bitwarden only allows the Reset Password policy to be set when the Single Org policy is enabled already.
This PR adds a check so that this can be enforced when a config option is enabled.
Since Vaultwarden encouraged to use multiple orgs when groups were not available yet we should not enable this by default now.
This might be something to do in the future.
When enabled, it will prevent the Reset Password policy to be enabled if the Single Org policy is not enabled.
It will also prevent the Single Org policy to be disabled if the Reset Password policy is enabled.
Fixes #4855
Signed-off-by: BlackDex <black.dex@gmail.com>
* Removed some extra if checks
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow Org Master-Pw policy enforcement
We didn't returned the master password policy for the user.
If the `Require existing members to change their passwords` check was enabled this should trigger the login to show a change password dialog.
All the master password policies are merged into one during the login response and it will contain the max values and all `true` values which are set by all the different orgs if a user is an accepted member.
Fixes #4507
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use .reduce instead of .fold
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
Fixed an issue with login with device for the new Bitwrden Beta clients.
They seem to not support ISO8601 milli date/time, only micro.
Also updated the device display names to match Upstream and added the
CLI devices which were missing.
Signed-off-by: BlackDex <black.dex@gmail.com>
Since the change to camelCase variables the error messages in the
Vaultwarden Admin were not shown correctly anymore.
This PR fixes this by changing the case of the json key's.
Also updated the save and delete of the config to provide a more
descriptive error instead of only `Io` or which ever other error might
occure.
Fixes #4834
The web-vault v2024.6.2 we use needs some extra information to allow
managers to actually be able to manage collections.
The v2024.6.2 web-vault has somewhat of a mixture of the newer roles and
older manager roles. To at least fix this for the web-vault we bundle
these changes will make the manager able to manage.
For future web-vaults we would need a lot more changes to be done to fix
this in a better way though.
Fixes #4844
The URL crate treats `https://domain.tld/path` differently then
`https://domain.tld/path/` the latter will make sure a `.join()` will
append the given path instead of using the base as a relative path.
Fixes #4858
- All users were able to request organizational details from any org,
even if they were not a member (anymore).
Now it will check if that user is a member of the org or not.
- The `/organization/<uuid>/keys` endpoint returned also the private keys.
This should not be the case. Also, according to the upstream server
code the endpoint changed, but the clients do not seem to use it.
I added it anyway just in case they will in the future.
- Also require a valid login before being able to retreve those org
keys. Upstream does not do this, but i see no reason why not.
Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39925
* Update crates, web-vault and fixes
- Updated crates
- Updated web-vault to v2024.6.2
This version is currently the latest version compatible with our API implementation.
For newer versions we need more code updates to make it compatible.
Thanks to @stefan0xC this version fixes #4628
- Added a small fix to prevent errors in the Vaultwarden and Client logs.
The v2024.6.2 web-vault calls an endpoint with invalid arguments.
If this happens we ignore the call and just return an Ok.
- Added the bulk-collection endpoint (Though not yet available in v2024.6.2)
Fixes #4628
* Prevent bulk remove collections to work
