Age  Commit message  Author
2024-11-17  Fix Org Import duplicate collections (#5200)  [1.32.5]  Mathijs van Veluw
  This fixes an issue with collections being duplicated, the same as was an issue with folders. Also made some optimizations by using HashSet where possible and defining the Vec/Hash capacity. And instead of passing objects, only use the UUID, which was the only value we needed. Also found an issue with importing a personal export via the Org import where folders are used. Since orgs do not use folders, we needed to clear those out, same as Bitwarden does.
  Fixes #5193
  Signed-off-by: BlackDex <[email protected]>
2024-11-15  Support SSH keys on desktop 2024.12 (#5187)  Daniel García
  * Support SSH keys on desktop 2024.12
  * Document flags in .env.template
  * Validate key rotation contents
2024-11-15  Some more authrequest changes (#5188)  Daniel García
2024-11-13  don't infer manage permission for groups (#5190)  Stefan Melmuk
  The web-vault v2024.6.2 currently cannot deal with the manage permission, so instead of relying on the org user type this should just default to false.
2024-11-12  fix password hint check (#5189)  Stefan Melmuk
  * fix password hint check
    Don't show password hints if you have disabled the hints with PASSWORD_HINTS_ALLOWED=false, or if you have not configured mail and opted into showing password hints.
  * update descriptions for pw hints options
2024-11-12  Remove auth-request deletion (#5184)  Mathijs van Veluw
  2FA is needed to log in even when using login-with-device. If the user didn't save the 2FA token, they still need to provide it. We deleted the auth-request after validating the request, but before 2FA was triggered. Removing the deletion of this record from that point, as it will get cleaned up automatically anyway.
  Signed-off-by: BlackDex <[email protected]>
2024-11-12  fix hibp username encoding and pw hint check (#5180)  Mathijs van Veluw
  * fix hibp username encoding
    Signed-off-by: BlackDex <[email protected]>
  * Fix password-hint check
    Signed-off-by: BlackDex <[email protected]>
  ---------
  Signed-off-by: BlackDex <[email protected]>
2024-11-11  Add dynamic CSS support (#4940)  Mathijs van Veluw
  * Add dynamic CSS support
    Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes. For example, we could hide the register link if signups are not allowed. In the future, show or hide the SSO button depending on whether it is enabled or not.
    There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes. This will prevent future changes from not being applied and still have the custom user changes added.
    Also added a special redirect when someone goes directly to `/index.html`, as that might cause issues with loading other scripts and files.
    Signed-off-by: BlackDex <[email protected]>
  * Add versions and fallback to built-in
    - Add both Vaultwarden and web-vault versions to the css_options.
    - Fallback to the inner templates if rendering or compiling the scss fails. This ensures the basics are always working even if someone breaks the templates.
    Signed-off-by: BlackDex <[email protected]>
  * Fix fallback code to actually work
    The fallback now works by using an alternative `reg!` macro. This adds an extra template register which prefixes the template with `fallback_`.
    Signed-off-by: BlackDex <[email protected]>
  * Updated the wiki link in the user template
  ---------
  Signed-off-by: BlackDex <[email protected]>
2024-11-11  More authrequest fixes (#5176)  Daniel García
2024-11-11  Fix if logic error (#5171)  Mathijs van Veluw
  Fixing a logical error in an if statement where we used `&&` which should have been `||`.
  Signed-off-by: BlackDex <[email protected]>
2024-11-10  Limit HIBP to authed users  [1.32.4]  Daniel García
2024-11-10  Update crates and fix several issues  BlackDex
  Signed-off-by: BlackDex <[email protected]>
2024-11-02  Update README (#5153)  Mathijs van Veluw
  Updating the README to be more modern and clearer. Added and moved several shields/badges and changed some default colors to have a better contrast. Added a Disclaimer section.
  Closes #4901
  Closes #4930
  Closes #4931
  Closes #5024
  Co-authored-by: ipitio <[email protected]>
  Co-authored-by: Robert Schütz <[email protected]>
  Co-authored-by: Yonas Yanfa <[email protected]>
  Co-authored-by: KUSUMA RUSHIKESH <[email protected]>
2024-10-24  Update crates and fix Mail issue (#5125)  [1.32.3]  Mathijs van Veluw
  - Updated all the crates
  Included in this update is an update of lettre, which solves an issue with some specific SMTP mail providers.
2024-10-21  Add documentation for the `extension-refresh` feature flag (#5112)  Daniel
2024-10-19  Hide user name on invite status (#5110)  Mathijs van Veluw
  A possible user disclosure existed when you invite a user into an organization who already has an account on the same instance. This was because we always returned the user's name. To prevent this, this PR only returns the user's name if the status is accepted or higher, else we will return null. This is the same as Bitwarden does. Resolves a reported issue.
  Also resolved a new `nightly` reported clippy warning regarding a regex within a loop.
2024-10-19  Add `extension-refresh` feature flag (#5106)  Daniel
  - in case people want to try out the new extension design
2024-10-18  Fix collection management and match some json output (#5095)  Mathijs van Veluw
  - Fixed collection management to be usable from the Password Manager UI
  - Checked and brought in sync with upstream several json responses
  - Fixed a small issue with the `fields` response when it was empty
  Signed-off-by: BlackDex <[email protected]>
2024-10-18  Update Rust to 1.82.0 (#5099)  Daniel
  - raise MSRV to 1.80.0
  - also update the crates
2024-10-18  Fix org invite url being html encoded (#5100)  Mathijs van Veluw
  Ever since we changed to pass the full url as a template value, handlebars now html-encodes this. This causes issues with the plain/text mails, but it also could potentially cause issues with the text/html templates. This PR encloses the template values inside triple braces `{{{ }}}`, which prevents html-encoding. Since the URL is generated via the `url` crate, the values are percent-encoded anyway.
  Fixes #5097
  Signed-off-by: BlackDex <[email protected]>
2024-10-13  Fix field type to actually be hidden (#5082)  Mathijs van Veluw
  In an oversight I forgot to set the type to a hidden type if converting the int was not possible. This fixes that.
  Signed-off-by: BlackDex <[email protected]>
2024-10-13  Fix iOS sync by converting field types to int (#5081)  Mathijs van Veluw
  It seems the iOS clients are not able to handle the `type` key within the `fields` array when it is of the type string. All other clients seem to handle this just fine though. This PR fixes this by validating it is a number; if this is not the case, try to convert the string to a number, or return the default of `1`. `1` is used as this is the type `hidden` and should prevent accidental data disclosure.
  Fixes #5069
  Possibly Fixes #5016
  Possibly Fixes #5002
  Signed-off-by: BlackDex <[email protected]>
2024-10-11  Fix `--version` from failing without config (#5055)  [1.32.2]  Mathijs van Veluw
  * Fix `--version` from failing without config
    Since we added the option to also show the web-vault version when running `--version`, this causes the config to always be validated. While this is not very bad in general, it could cause the command to quit during the config validation and not show the version, but errors instead. This is probably not very useful for this specific command, unlike `--backup` for example. To fix this, and prevent the config from being validated, I added an AtomicBool to check if we need to validate the config on first load. This prevents errors and will just show the Vaultwarden version, and if possible the web-vault version too.
    Fixes #5046
    Signed-off-by: BlackDex <[email protected]>
  * Adjusted the code based upon review
    Signed-off-by: BlackDex <[email protected]>
  ---------
  Signed-off-by: BlackDex <[email protected]>
2024-10-11  Updates and collection management fixes (#5072)  Mathijs van Veluw
  * Fix collections not editable by managers
    Since a newer version of the web-vault, managers were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using `to_json_details` instead of `to_json`.
    Fixes #5066
    Fixes #5044
  * Update crates and GitHub Actions
    - Updated all the crates
    - Updated all the GHA dependencies
    - Configured the trivy workflow to only run on the main repo and not on forks. Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
2024-10-06  Fix compiling for Windows targets (#5053)  Mathijs van Veluw
  The `unix::signal` was also included during Windows compilations. This of course will not work. Fix this by only including it for `unix` targets. Also changed all other conditional compilation options to use `cfg(unix)` instead of `cfg(not(windows))`. The latter may also include `wasm` for example, or any other future target family. This way we will only match `unix`.
  Fixes #5052
2024-09-23  Add extra linting (#4977)  [1.32.1]  Mathijs van Veluw
  * Add extra linting
    Added extra linting for some code styles. Also added the Rust Edition 2024 lints.
    Closes #4974
    Signed-off-by: BlackDex <[email protected]>
  * Adjusted according to comments
    Signed-off-by: BlackDex <[email protected]>
  ---------
  Signed-off-by: BlackDex <[email protected]>
2024-09-20  Fix keyword collision in Rust 2024 and add new api/config value (#4975)  Daniel García
  * Avoid keyword collision with gen in Rust 2024
  * Include new api/config setting to disable user registration, not yet used by clients
  * Actually qualify CONFIG
2024-09-20  Fix encrypted lastUsedDate (#4972)  Mathijs van Veluw
  It appears that some password histories have an encrypted value on the `lastUsedDate`. Instead of only checking if it is a string, also check if it is a valid RFC Date/Time String. If not, set it also to epoch 0.
  Signed-off-by: BlackDex <[email protected]>
2024-09-20  Fix Device Type column for 2FA migration (#4971)  Mathijs van Veluw
2024-09-19  remove backticks from postgresql migrations (#4968)  Stefan Melmuk
2024-09-18  Actually use Device Type for mails (#4916)  Daniel
  - match Bitwarden behaviour
  - add a different segment in mails for Device Name
2024-09-18  fix 2fa policy check on registration (#4956)  Stefan Melmuk
2024-09-18  Fix Pw History null dates (#4966)  Mathijs van Veluw
  It seems to have been possible to have `null` date values. This PR fixes this by setting the epoch start date if either the date does not exist or is not a string. This should solve sync issues with the new native mobile clients.
  Fixes https://github.com/dani-garcia/vaultwarden/pull/4932#issuecomment-2357581292
  Signed-off-by: BlackDex <[email protected]>
2024-09-13  fix invitation link via /admin (#4950)  Stefan Melmuk
2024-09-10  Fix collection update from native client (#4937)  Mathijs van Veluw
2024-09-09  Fix sync with new native clients (#4932)  Mathijs van Veluw
2024-09-07  Update Rust version & crates (#4928)  Daniel
2024-09-01  Add orgUserHasExistingUser parameters to org invite (#4827)  Timshel
2024-09-01  Update web-vault, crates and gha (#4909)  Mathijs van Veluw
  - Updated the web-vault to fix an issue with personal export. Thanks to @stefan0xC for patching this. Fixes #4875
  - Updated crates to their latest version
  - Updated the GitHub Actions
  - Updated the xx image to the latest version
  Signed-off-by: BlackDex <[email protected]>
2024-09-01  Add a CLI feature to backup the SQLite DB (#4906)  Mathijs van Veluw
  * Add a CLI feature to backup the SQLite DB
    Many users request to add the sqlite3 binary to the container image. This isn't really ideal, as that might bring in other dependencies and will only bloat the image. Their main reason is to create a backup of the database. While there already was a feature within the admin interface to do so (or by using the admin API call), this might not be easy.
    This PR adds several ways to generate a backup.
    1. By calling the Vaultwarden binary with the `backup` command like:
       - `/vaultwarden backup`
       - `docker exec -it vaultwarden /vaultwarden backup`
    2. By sending the USR1 signal to the running process like:
       - `kill -s USR1 $(pidof vaultwarden)`
       - `killall -s USR1 vaultwarden`
    This should help users to more easily create backups of their SQLite database.
    Also added the Web-Vault version number to the output when using `-v/--version`.
    Signed-off-by: BlackDex <[email protected]>
  * Spelling and small adjustments
    Signed-off-by: BlackDex <[email protected]>
  ---------
  Signed-off-by: BlackDex <[email protected]>
2024-08-30  Allow enforcing Single Org with pw reset policy (#4903)  Mathijs van Veluw
  * Allow enforcing Single Org with pw reset policy
    Bitwarden only allows the Reset Password policy to be set when the Single Org policy is already enabled. This PR adds a check so that this can be enforced when a config option is enabled. Since Vaultwarden encouraged using multiple orgs when groups were not available yet, we should not enable this by default now. This might be something to do in the future.
    When enabled, it will prevent the Reset Password policy from being enabled if the Single Org policy is not enabled. It will also prevent the Single Org policy from being disabled if the Reset Password policy is enabled.
    Fixes #4855
    Signed-off-by: BlackDex <[email protected]>
  * Removed some extra if checks
    Signed-off-by: BlackDex <[email protected]>
  ---------
  Signed-off-by: BlackDex <[email protected]>
2024-08-27  Allow Org Master-Pw policy enforcement (#4899)  Mathijs van Veluw
  * Allow Org Master-Pw policy enforcement
    We didn't return the master password policy for the user. If the `Require existing members to change their passwords` check was enabled, this should trigger the login to show a change password dialog. All the master password policies are merged into one during the login response, and it will contain the max values and all `true` values which are set by all the different orgs of which a user is an accepted member.
    Fixes #4507
    Signed-off-by: BlackDex <[email protected]>
  * Use .reduce instead of .fold
    Signed-off-by: BlackDex <[email protected]>
  ---------
  Signed-off-by: BlackDex <[email protected]>
2024-08-27  Allow custom umask setting (#4896)  Mathijs van Veluw
  To provide a way to add more security regarding file/folder permissions, this PR adds a way to allow setting a custom `UMASK` variable. This allows people to set a more secure default, like only allowing the owner of the process/container to read/write files and folders.
  Examples:
  - `UMASK=022` File: 644 | Folder: 755 (Default of the containers)
    This means owner read/write and group/world read-only
  - `UMASK=027` File: 640 | Folder: 750
    This means owner read/write, group read-only, world no access
  - `UMASK=077` File: 600 | Folder: 700
    This means owner read/write and group/world no access
  Resolves #4571
  Signed-off-by: BlackDex <[email protected]>
2024-08-24  Updated security readme (#4892)  Mathijs van Veluw
  Update the security readme with a new GPG security key and some other small changes.
  Signed-off-by: BlackDex <[email protected]>
2024-08-23  Update crates (GHSA-wq9x-qwcq-mmgf) (#4889)  Mathijs van Veluw
  - Updated crates
  - Fixed MSRV to actually be N-2
  - Changed some features to use the `dep:` prefix. This is needed for edition-2024 anyway, although it will be a while before we can use that.
  Signed-off-by: BlackDex <[email protected]>
2024-08-23  Update issue template (#4882)  Mathijs van Veluw
  Updated the issue template a bit regarding some remarks in the previous PR. Also made it so that collapsing all items will show all the specific item IDs instead of their types. Easy for editing :).
  Signed-off-by: BlackDex <[email protected]>
2024-08-22  Remove `version` from server config info (#4885)  philomathic_life
2024-08-21  Switch to Whitelisting in .dockerignore (#4856)  Timshel
2024-08-21  Fix Login with device (#4878)  Mathijs van Veluw
  Fixed an issue with login with device for the new Bitwarden Beta clients. They seem to not support ISO8601 milli date/time, only micro. Also updated the device display names to match upstream and added the CLI devices which were missing.
  Signed-off-by: BlackDex <[email protected]>
2024-08-21  remove overzealous sanity check (#4879)  Stefan Melmuk
  When cloning an item from an organization to the personal vault, the client sends the collection id of the cloned item.