* update webauthn to 0.5
* add basic migration impl
* fix clippy warnings
* clear up `COSEKeyType::EC_OKP` case
* fix TODOs
* use same timeout as in webauthn 0.3 impl
* fix: clippy warnings and formatting
* Update Cargo.toml
Co-authored-by: Daniel <daniel.barabasa@gmail.com>
* Update src/api/core/two_factor/webauthn.rs
Co-authored-by: Daniel <daniel.barabasa@gmail.com>
* Update src/api/core/two_factor/webauthn.rs
Co-authored-by: Daniel <daniel.barabasa@gmail.com>
* Update src/api/core/two_factor/webauthn.rs
Co-authored-by: Daniel <daniel.barabasa@gmail.com>
* regenerate Cargo.lock
* Use securitykey methods
* use CredentialsV3 from webauthn-rs instead of own webauthn_0_3 module
* fix cargo fmt issue
---------
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
Co-authored-by: Daniel <daniel.barabasa@gmail.com>
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* Add SSO functionality using OpenID Connect
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
* Improvements and error handling
* Stop rolling device token
* Add playwright tests
* Activate PKCE by default
* Ensure result order when searching for sso_user
* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
* Toggle SSO button in scss
* Base64 encode state before sending it to providers
* Prevent disabled User from SSO login
* Review fixes
* Remove unused UserOrganization.invited_by_email
* Split SsoUser::find_by_identifier_or_email
* api::Accounts::verify_password add the policy even if it's ignored
* Disable signups if SSO_ONLY is activated
* Add verifiedDate to organizations::get_org_domain_sso_details
* Review fixes
* Remove OrganizationId guard from get_master_password_policy
* Add wrapper type OIDCCode OIDCState OIDCIdentifier
* Membership::confirm_user_invitations fix and tests
* Allow set-password only if account is unitialized
* Review fixes
* Prevent accepting another user invitation
* Log password change event on SSO account creation
* Unify master password policy resolution
* Upgrade openidconnect to 4.0.0
* Revert "Remove unused UserOrganization.invited_by_email"
This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.
* Process org enrollment in accounts::post_set_password
* Improve tests
* Pass the claim invited_by_email in case it was not in db
* Add Slack configuration hints
* Fix playwright tests
* Skip broken tests
* Add sso identifier in admin user panel
* Remove duplicate expiration check, add a log
* Augment mobile refresh_token validity
* Rauthy configuration hints
* Fix playwright tests
* Playwright upgrade and conf improvement
* Playwright tests improvements
* 2FA email and device creation change
* Fix and improve Playwright tests
* Minor improvements
* Fix enforceOnLogin org policies
* Run playwright sso tests against correct db
* PKCE should now work with Zitadel
* Playwright upgrade maildev to use MailBuffer.expect
* Upgrades playwright tests deps
* Check email_verified in id_token and user_info
* Add sso verified endpoint for v2025.6.0
* Fix playwright tests
* Create a separate sso_client
* Upgrade openidconnect to 4.0.1
* Server settings for login fields toggle
* Use only css for login fields
* Fix playwright test
* Review fix
* More review fix
* Perform same checks when setting kdf
---------
Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>
This issue mostly arises when push is enabled, but it also overloaded websocket connections.
We would send a notification on every deleted cipher, which could be up-to 500 items.
If push is enabled, it could overload the Push servers, and it would return a 429 error.
This PR fixes this by not sending out a message on every single cipher during a multi delete actions.
It will send a single push message to sync the vault once finished.
The only caveat here is that there seems to be a bug with the mobile clients which ignores these global sync notifications.
But, preventing a 429, which could cause a long term block of the sending server by the push servers, this is probably the best way, and, it is the same as Bitwarden it self does.
Fixes#4693
Signed-off-by: BlackDex <black.dex@gmail.com>
Updated crates and made adjustments where needed.
Also removed a struct which wasn't used and the nightly compiler complained about it.
Used pinact to update GitHub Actions.
Validated GitHub Actions with zizmor.
Signed-off-by: BlackDex <black.dex@gmail.com>
* fix: resolve group permission conflicts with multiple groups
When a user belonged to multiple groups with different permissions for the
same collection, only the permissions from one group were applied instead
of combining them properly. This caused users to see incorrect access levels
when initially viewing collection items.
The fix combines permissions from all user groups by taking the most
permissive settings:
- read_only: false if ANY group allows write access
- hide_passwords: false if ANY group allows password viewing
- manage: true if ANY group allows management
This ensures users immediately see the correct permissions when opening
collection entries, matching the behavior after editing and saving.
* Update src/api/core/ciphers.rs
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* fix: format
* fix: restrict collection manage permissions to managers only
Prevent users from getting logged out when they have manage permissions by only allowing manage permissions for MembershipType::Manager and higher roles.
* refactor: cipher permission logic to prioritize user access
Updated permission checks to return user collection permissions if available, otherwise fallback to group permissions. Clarified comments to indicate user permissions overrule group permissions and corrected the logic for the 'manage' flag to use boolean OR instead of AND.
---------
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
- Updated all the crates, which probably fixes#5959
- Updated all the workflows and tested it with zizmor
Also added zizmor as a workflow it self.
- Updated the issue template to better mention to search first.
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated crates
- Switched to rustls instead of native-tls
Some dependency were already using rustls by default or without option.
By removing native-tls we also have just one way of working here.
Updated favicon fetching which now is able to fetch more icons.
- Use rustls instead of native-tls
This seems to work better, probably because of tls sniffing
- Use different user-agent and added several other headers
- Added SVG support. SVG Images will be sanitized first before stored or presented.
Also, a special CSP for images will be sent to prevent scripts etc.. from SVG images.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix an issue with yubico keys not validating
When adding or updating yubico otp keys there were some issues with the validation.
Looks like the web-vault sends all keys, not only filled-in keys, which triggered a check on empty keys.
Also, we should only return filled-in keys, not the empty ones too.
Fixes#5986
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use more idomatic code
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use more idomatic code - take 2
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* make css for login-page position independent
starting with v2025.5.1 the login page will have custom classes so the
fields to be disabled can be targeted specifically without risking
side-effects
* hide buttons after cancelling login
- Some tweaks on the diagnostics layout
- Always show the latest web-vault version also when running in a container
Users can override the web-vault folder and forget
- Also updated to the latest crates.
Kinda fixes#5908
Signed-off-by: BlackDex <black.dex@gmail.com>
* Abstract file access through Apache OpenDAL
* Add AWS S3 support via OpenDAL for data files
* PR improvements
* Additional PR improvements
* Config setting comments for local/remote data locations
* WIP Sync with Upstream
WIP on syncing API Responses with upstream.
This to prevent issues with new clients, and find possible current issues like members, collections, groups etc..
Signed-off-by: BlackDex <black.dex@gmail.com>
* More API Response fixes
- Some 2fa checks
- Some org checks
- Reconfigured the experimental flags and noted which are deprecated
Also removed some hard-coded defaults.
- Updated crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add avatar color to emergency access api
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix spelling and some crate updates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use PushId and always generate the PushId
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix several Push issues and API's
Signed-off-by: BlackDex <black.dex@gmail.com>
* Check if push_uuid is empty and generate when needed
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated some comments and removed old export format
Signed-off-by: BlackDex <black.dex@gmail.com>
* cargo update
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix bulk edit Fixes#5737
Signed-off-by: BlackDex <black.dex@gmail.com>
* Send an email when an account exists already
When you want to change your email address into an account which already exists, upstream sends an email to the existing account.
Lets do the same.
Kinda fixes#5630
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update 2fa removal/revoke email
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow col managers to import
This commit adds functionality to allow users with manage access to a collection, or managers with all access to import into an organization.
Fixes#5592
Signed-off-by: BlackDex <black.dex@gmail.com>
* Filter deprected flags and only return active flags
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix grammer
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rename Small to Compact
Signed-off-by: BlackDex <black.dex@gmail.com>
* Rebase with upstream and fix conflicts
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated Backend Admin dependencies
- Fixed NTP time by using CloudFlare trace - Fixes#5797
- Fixed web-vault version check = Fixes#5761
- Fixed an issue with the css not hiding the 'Create Account' link.
There were no braces around the function call.
Also added a hide for newer web-vault versions as it still causes confusion with the cached /api/config.
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated web-vault to v2025.5.0
- Updated Rust to v1.87.0
- Updated all the crates
- Replaced yubico with yubico_ng
- Fixed several new (nightly) clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update email.rs
Add ip_src on logs when email 2fa token is invalid or not available
Changes for fail2ban purposes
* Update email.rs
removed current_time
* fix: compile error
---------
Co-authored-by: setsecurity <set.ghost@gmail.com>
zUnixorn
Daniel García
Timshel
Mathijs van Veluw
Stefan Melmuk
Richy
Daniel
mountdisk
Chase Douglas
Nick Grimshaw
moodejb123
Helmut K. C. Tessarek
Josh