Updated crates and made adjustments where needed.
Also removed a struct which wasn't used and the nightly compiler complained about it.
Used pinact to update GitHub Actions.
Validated GitHub Actions with zizmor.
Signed-off-by: BlackDex <black.dex@gmail.com>
* fix: resolve group permission conflicts with multiple groups
When a user belonged to multiple groups with different permissions for the
same collection, only the permissions from one group were applied instead
of combining them properly. This caused users to see incorrect access levels
when initially viewing collection items.
The fix combines permissions from all user groups by taking the most
permissive settings:
- read_only: false if ANY group allows write access
- hide_passwords: false if ANY group allows password viewing
- manage: true if ANY group allows management
This ensures users immediately see the correct permissions when opening
collection entries, matching the behavior after editing and saving.
* Update src/api/core/ciphers.rs
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* fix: format
* fix: restrict collection manage permissions to managers only
Prevent users from getting logged out when they have manage permissions by only allowing manage permissions for MembershipType::Manager and higher roles.
* refactor: cipher permission logic to prioritize user access
Updated permission checks to return user collection permissions if available, otherwise fallback to group permissions. Clarified comments to indicate user permissions overrule group permissions and corrected the logic for the 'manage' flag to use boolean OR instead of AND.
---------
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
- Updated crates
- Switched to rustls instead of native-tls
Some dependency were already using rustls by default or without option.
By removing native-tls we also have just one way of working here.
Updated favicon fetching which now is able to fetch more icons.
- Use rustls instead of native-tls
This seems to work better, probably because of tls sniffing
- Use different user-agent and added several other headers
- Added SVG support. SVG Images will be sanitized first before stored or presented.
Also, a special CSP for images will be sent to prevent scripts etc.. from SVG images.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix an issue with yubico keys not validating
When adding or updating yubico otp keys there were some issues with the validation.
Looks like the web-vault sends all keys, not only filled-in keys, which triggered a check on empty keys.
Also, we should only return filled-in keys, not the empty ones too.
Fixes#5986
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use more idomatic code
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use more idomatic code - take 2
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* make css for login-page position independent
starting with v2025.5.1 the login page will have custom classes so the
fields to be disabled can be targeted specifically without risking
side-effects
* hide buttons after cancelling login
- Some tweaks on the diagnostics layout
- Always show the latest web-vault version also when running in a container
Users can override the web-vault folder and forget
- Also updated to the latest crates.
Kinda fixes#5908
Signed-off-by: BlackDex <black.dex@gmail.com>
* Abstract file access through Apache OpenDAL
* Add AWS S3 support via OpenDAL for data files
* PR improvements
* Additional PR improvements
* Config setting comments for local/remote data locations
* WIP Sync with Upstream
WIP on syncing API Responses with upstream.
This to prevent issues with new clients, and find possible current issues like members, collections, groups etc..
Signed-off-by: BlackDex <black.dex@gmail.com>
* More API Response fixes
- Some 2fa checks
- Some org checks
- Reconfigured the experimental flags and noted which are deprecated
Also removed some hard-coded defaults.
- Updated crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add avatar color to emergency access api
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix spelling and some crate updates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use PushId and always generate the PushId
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix several Push issues and API's
Signed-off-by: BlackDex <black.dex@gmail.com>
* Check if push_uuid is empty and generate when needed
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated some comments and removed old export format
Signed-off-by: BlackDex <black.dex@gmail.com>
* cargo update
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix bulk edit Fixes#5737
Signed-off-by: BlackDex <black.dex@gmail.com>
* Send an email when an account exists already
When you want to change your email address into an account which already exists, upstream sends an email to the existing account.
Lets do the same.
Kinda fixes#5630
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update 2fa removal/revoke email
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow col managers to import
This commit adds functionality to allow users with manage access to a collection, or managers with all access to import into an organization.
Fixes#5592
Signed-off-by: BlackDex <black.dex@gmail.com>
* Filter deprected flags and only return active flags
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix grammer
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rename Small to Compact
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rebase with upstream and fix conflicts
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated Backend Admin dependencies
- Fixed NTP time by using CloudFlare trace - Fixes#5797
- Fixed web-vault version check = Fixes#5761
- Fixed an issue with the css not hiding the 'Create Account' link.
There were no braces around the function call.
Also added a hide for newer web-vault versions as it still causes confusion with the cached /api/config.
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated web-vault to v2025.5.0
- Updated Rust to v1.87.0
- Updated all the crates
- Replaced yubico with yubico_ng
- Fixed several new (nightly) clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update email.rs
Add ip_src on logs when email 2fa token is invalid or not available
Changes for fail2ban purposes
* Update email.rs
removed current_time
* fix: compile error
---------
Co-authored-by: setsecurity <set.ghost@gmail.com>
Updated all the crates to the latest version.
We can unpin mimalloc, since the musl issues have been fixed
Also fix a RUSTSEC https://osv.dev/vulnerability/RUSTSEC-2025-0023 for tokio
Fixed some clippy lints reported by nightly.
Ensure lints and are also run on the macro crate.
This resulted in some lints being triggered, which I fixed.
Updated some GHA uses.
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated crates
Pinned mimalloc, since it has issues with musl
- Updated web-vault to v2025.3.1
- Updated bootstrap
Signed-off-by: BlackDex <black.dex@gmail.com>
- Added a new org policy
- Some new lint fixes
- Crate updates
Switched to `pastey`, since `paste` is unmaintained.
Signed-off-by: BlackDex <black.dex@gmail.com>
Because we were using the `has_full_access()` function we did not returned assigned collections for an owner/admin even if the did not have the `access_all` flag set.
This commit will change that to use the `access_all` flag instead, and return assigned collections too.
While saving a member and having it assigned collections would still save those rights, and it was also visible in the collection management, it wasn't at the member it self.
So, it did work, but was not visible.
Fixes#5554Fixes#5555
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix icon redirect not working on desktop
We also need to exclude the header in case we do an external_icon call.
Fixes#5535
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add informational comments to the icon_external function
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix spelling/grammar
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow all manager to create collections again
This commit checks if the member is a manager or better, and if so allows it to createCollections.
We actually check if it is less then a Manager, since the `limitCollectionCreation` should be set to false to allow it and true to prevent.
This should fix an issue discussed in #5484
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix some small issues
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* add additional event_types
* use correct event_type when leaving an org
* use correct event type when deleting a user
* also correctly log auth requests
* add correct membership info to event log
* Security fixes for admin and sendmail
Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions.
This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers.
By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used.
This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`.
Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies.
Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix security issue with organizationId validation
Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks.
This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead.
This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions.
Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update server version in config endpoint
Updated the server version reported to the clients to `2025.1.0`.
This should make Vaultwarden future proof for the newer clients released by Bitwarden.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix and adjust build workflow
The build workflow had an issue with some `if` checks.
For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls.
Using `!cancelled()` is the preferred way.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow sendmail to be configurable
This reverts a previous change which removed the sendmail to be configurable.
We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add more org_id checks
Added more org_id checks at all functions which use the org_id in there path.
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add manage role for collections and groups
This commit will add the manage role/column to collections and groups.
We need this to allow users part of a collection either directly or via groups to be able to delete ciphers.
Without this, they are only able to either edit or view them when using new clients, since these check the manage role.
Still trying to keep it compatible with previous versions and able to revert to an older Vaultwarden version and the `access_all` feature of the older installations.
In a future version we should really check and fix these rights and create some kind of migration step to also remove the `access_all` feature and convert that to a `manage` option.
But this commit at least creates the base for this already.
This should resolve#5367
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix an issue with access_all
If owners or admins do not have the `access_all` flag set, in case they do not want to see all collection on the password manager view, they didn't see any collections at all anymore.
This should fix that they are still able to view all the collections and have access to it.
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
During the refactoring done in #5320 there has a buggy slipped through which changed a uuid.
This commit fixes this, and also made some vars pass by reference.
Fixes#5377
Signed-off-by: BlackDex <black.dex@gmail.com>
* rename membership
rename UserOrganization to Membership to clarify the relation
and prevent confusion whether something refers to a member(ship) or user
* use newtype pattern
* implement custom derive macro IdFromParam
* add UuidFromParam macro for UUIDs
* add macros to Docker build
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
---------
Co-authored-by: dfunkt <dfunkt@users.noreply.github.com>
* Prevent new users/members when invite fails
Currently when a (new) user gets invited as a member to an org, and SMTP is enabled, but sending the invite fails, the user is still created.
They will only not have received a mail, and admins/owners need to re-invite the member again.
Since the dialog window still keeps on-top when this fails, it kinda invites to click try again, but that will fail in mentioning the user is already a member.
To prevent this weird flow, this commit will delete the user, invite and member if sending the mail failed.
This allows the inviter to try again if there was a temporary hiccup for example, or contact the server admin and does not leave stray users/members around.
Fixes#5349
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjust deleting records
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
The new web-vault seems to call an extra endpoint, which looks like it is only used when passkeys can be used for login.
Since we do not support this (yet), we can just return an empty data object.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add partial role support for manager only
- Add the custom role which replaces the manager role
- Added mini-details endpoint used by v2024.11.1
These changes try to add the custom role in such a way that it stays compatible with the older manager role.
It will convert a manager role into a custom role, and if a manager has `access-all` rights, it will enable the correct custom roles.
Upon saving it will convert these back to the old format.
What this does is making sure you are able to revert back to an older version of Vaultwarden without issues.
This way we can support newer web-vault's and still be compatible with a previous Vaultwarden version if needed.
In the future this needs to be changed to full role support though.
Fixed the 2FA hide CSS since the order of options has changed
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide passkey login
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide create account
Signed-off-by: BlackDex <black.dex@gmail.com>
* Small changes for v2024.12.0
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix hide create account link
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add pre-release web-vault
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rename function to mention swapping uuid's
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Refactor the uri match change
Refactored the uri match fix to also convert numbers within a string to an int.
If it fails it will be null.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix ssh-key sync issues
If any of the mandatory ssh-key json data values are not a string or are an empty string, this will break the mobile clients.
This commit fixes this by checking if any of the values are missing or invalid and converts the json data to `null`.
It will ensure the clients can sync and show the vault.
Fixes#5343Fixes#5322
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
Bitwarden allows to use self-hosted forwarded email services.
But for this to work you need to add custom URL's to the `connect-src` CSP entry.
This commit allows setting this and checks if the URL starts with `https://` else it will abort loading.
Fixes#5290
Signed-off-by: BlackDex <black.dex@gmail.com>
- Refactored several code to use more modern syntax
- Made some checks a bit more strict
- Updated crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some Backend Admin fixes and updates
- Updated datatables
- Added a `X-Robots-Tags` header to prevent indexing
- Modified some layout settings
- Added Websocket check to diagnostics
- Added Security Header checks to diagnostics
- Added Error page response checks to diagnostics
- Modifed support string layout a bit
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some small fixes
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
The `reprompt` value somehow sometimes has a value of `4`.
This isn't a valid value, and doesn't cause issues with other clients, but the native clients are more strict.
This commit fixes this by validating the value before storing and returning.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update Rust and crates
- Updated Rust to v1.83.0
- Updated MSRV to v1.82.0 (Needed for html5gum crate)
- Updated icon fetching code to match new html5gum version
- Updated workflows
- Enabled edition 2024 clippy lints
Nightly reports some clippy hints, but that would be too much to change in this PR i think.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Some additional updates
- Patch fern to allow syslog-7 feature
- Fixed diesel logger which was broken because of the sqlite backup feature
Refactored the sqlite backup because of this
- Added a build workflow test to include the query_logger feature
Signed-off-by: BlackDex <black.dex@gmail.com>
* Also patch yubico-rs and latest updates
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
With web-vault v2024.6.2 and lower, if a user has access-all rights either as an org-member or via a group it shouldn't return individual collections.
This probably needs to be changed with newer versions which do not support the `access-all` feature anymore and work with manage.
But with the current version this should solve access right issues.
Fixes#5212
Signed-off-by: BlackDex <black.dex@gmail.com>
The new native mobile clients seem to use PascalCase for the push payload.
Also the date/time could cause issues.
This PR fixes this by formatting the date/time correctly and use PascalCase for the payload key's
I now receive cipher updates and login-with-device requests again.
Fixes#5182
Signed-off-by: BlackDex <black.dex@gmail.com>
This fixes an issue with collections be duplicated same as was an issue with folders.
Also made some optimizations by using HashSet where possible and device the Vec/Hash capacity.
And instead of passing objects only use the UUID which was the only value we needed.
Also found an issue with importing a personal export via the Org import where folders are used.
Since Org's do not use folder we needed to clear those out, same as Bitwarden does.
Fixes#5193
Signed-off-by: BlackDex <black.dex@gmail.com>
* fix password hint check
don't show password hints if you have disabled the hints with
PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and
opted into showing password hints
* update descriptions for pw hints options
2FA is needed to login even when using login-with-device.
If the user didn't saved the 2FA token they still need to provide this.
We deleted the auth-request after validation the request, but before 2FA was triggered.
Removing the deletion of this record from that point as it will get cleaned-up automatically anyways.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add dynamic CSS support
Together with https://github.com/dani-garcia/bw_web_builds/pull/180 this PR will add support for dynamic CSS changes.
For example, we could hide the register link if signups are not allowed.
In the future show or hide the SSO button depending on if it is enabled or not.
There also is a special `user.vaultwarden.scss` file so that users can add custom CSS without the need to modify the default (static) changes.
This will prevent future changes from not being applied and still have the custom user changes to be added.
Also added a special redirect when someone goes directly to `/index.html` as that might cause issues with loading other scripts and files.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add versions and fallback to built-in
- Add both Vaultwarden and web-vault versions to the css_options.
- Fallback to the inner templates if rendering or compiling the scss fails.
This ensures the basics are always working even if someone breaks the templates.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix fallback code to actually work
The fallback now works by using an alternative `reg!` macro.
This adds an extra template register which prefixes the template with `fallback_`.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated the wiki link in the user template
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
A possible user disclosure when you invite an user into an organization which already has an account on the same instance.
This was because we always returned the user's name.
To prevent this, this PR only returns the user's name if the status is accepted or higher, else we will return null.
This is the same as Bitwarden does.
Resolves a reported issue.
Also resolved a new `nightly` reported clippy regarding a regex within a loop.
- Fixed collection management to be usable from the Password Manager UI
- Checked and brought in-to-sync with upstream several json responses
- Fixed a small issue with the `fields` response when it was empty
Signed-off-by: BlackDex <black.dex@gmail.com>
Ever since we changed to pass the full url as a template value handlebars now html-encodes this.
This causes issues with the plain/text mails, but it also could potentially cause issues with the text/html templates.
This PR encloses the template values inside triple braces `{{{ }}}` which prevents html-encoding.
Since the URL is generated via the `url` crate the values are percent-encoded anyway.
Fixes#5097
Signed-off-by: BlackDex <black.dex@gmail.com>
In an oversight i forgot to set the type to a hidden type if converting the int was not possible.
This fixes that.
Signed-off-by: BlackDex <black.dex@gmail.com>
It seems the iOS clients are not able to handle the `type` key within the `fields` array when they are of the type string.
All other clients seem to handle this just fine though.
This PR fixes this by validating it is a number, if this is not the case, try to convert the string to a number, or return the default of `1`.
`1` is used as this is the type `hidden` and should prevent accidental data disclosure.
Fixes#5069
Possibly Fixes#5016
Possibly Fixes#5002
Signed-off-by: BlackDex <black.dex@gmail.com>
