Key rotation was changed since 2024.1.x.
Multiple other items were added to be rotated like password-reset and emergency-access data to be part of just one POST instead of having multiple.
See: https://github.com/dani-garcia/bw_web_builds/pull/157
- Updated Rust to v1.77.0
- Updated several crates
The `reqwest` update included `trust-dns` > `hickory-dns` changes.
Also, `reqwest` v0.12 is not working correctly for us, that is something to investigate.
- Fixed a new clippy warning
- Updated sqlite crate
- Updated chrono crate
The latter needed a lot of changes done, mostly `Duration` to `TimeDelta`.
And some changes on how to use Naive.
* Fix#3624: fix manager permission within groups
* Query returns UUID only
* Fix issue when user is manager and in a group having access to all collections
* optimize condition check
* fix(groups): renaming and optimizations
* fix: wrong organization group membership detection
* Simplify group membership check
Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
* Remove unused statement
* improve check if the user has access via groups
instead of returning the two lists of member ids and later checking if
they contain the uuid of the current user, we really only care if
the current user has full access via a group or if they have
access to a given collection via a group
* improve comments for get_org_collections_details
* small refactor to make it easier to review
* fix(groups): query full access via group only when necessary
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* chore(fmt): apply rustfmt
---------
Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Co-authored-by: Stefan Melmuk <stefan.melmuk@gmail.com>
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* Remove custom WebSocket code
Remove our custom WebSocket code and only use the Rocket code.
Removed all options in regards to WebSockets
Added a new option `WEBSOCKET_DISABLED` which defaults too `false`.
This can be used to disable WebSockets if you really do not want to use it.
* Addressed remarks given and some updates
- Addressed comments given during review
- Updated crates, including Rocket to the latest merged v0.5 changes
- Removed an extra header which should not be sent for websocket connections
* Updated suggestions and crates
- Addressed the suggestions
- Updated Rocket to latest rc4
Also made the needed code changes
- Updated all other crates
Pinned `openssl` and `openssl-sys`
---------
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
- Update all crates
- Update GHA
- Update Global Domains script to use main instead of master
Also fixed some Python linting warnings
- Updated Admin JS and CSS libraries
* fix: update env template for systemd compatibility
Adjust env template to ensure compatibility with systemd's EnvironmentFile parsing, which only recognizes line-starting comment symbols.
* Refactor SMTP and Rocket settings in .env.template
- Simplify the SMTP_SECURITY and SMTP_PORT options by providing a list of choices and default values
- Clarify the ROCKET_PORT default value depending on the environment (Docker or not)
- Updated Rust to v1.76.0
- Updated crates
- Updated web-vault to v2024.1.2b
- Fixed some Clippy lints
- Moved lint check configuration Cargo.toml
- Fixed issue with Reset Password Enrollment when logged-in via device
Also check if we are running within a Kubernetes environment.
These do not always run using Docker or Podman of course.
Also renamed all the functions and variables to use `container` instead
of `docker`.
It seems Debian based images see the `.env` file in the `pwd` path, but
sourcing it via `. .env` breaks. It does work if you provide the full
path `/.env`. Changed the default to `/.env`.
Alpine does not have an issue with both ways.
* update env template to fit the config.rs
* Categorize env template settings
* Fix a wrong setting
* Fix wrong icon redirect code
* Fix ICON_DOWNLOAD_TIMEOUT default value
Co-authored-by: Daniel <daniel.barabasa@gmail.com>
* Move related settings together.
Merge Yubikey, Duo, Email 2FA sections into one.
Other minor fixes.
* Minor fix of some settings position
* Add some comment
* Minor fix.
---------
Co-authored-by: Daniel <daniel.barabasa@gmail.com>
save the push token of new device even if push notifications are not
enabled and provide a way to register the push device at login
unregister device if there already is a push token saved unless the
new token has already been registered.
also the `unregister_push_device` function used the wrong argument
cf. 08d380900b/src/Core/Services/Implementations/RelayPushRegistrationService.cs (L43)
* enforce 2fa policy on removal of second factor
users should be revoked when their second factors are removed.
we want to revoke users so they don't have to be invited again and
organization admins and owners are aware that they no longer have
access.
we make an exception for non-confirmed users to speed up the invitation
process as they would have to be restored before they can accept their
invitation or be confirmed.
if email is enabled, invited users have to add a second factor before
they can accept the invitation to an organization with 2fa policy.
and if it is not enabled that check is done when confirming the user.
* use &str instead of String in log_event()
* enforce the 2fa policy on login
if a user doesn't have a second factor check if they are in an
organization that has the 2fa policy enabled to revoke their access
* Allow customizing the featureStates
Use a comma separated list of features to enable using the FEATURE_FLAGS env variable
* Move feature flag parsing to util
* Fix formatting
* Update supported feature flags
* Rename feature_flags to experimental_client_feature_flags
Additionally, use a caret (^) instead of an exclamation mark (!) to disable features
* Fix formatting issue.
* Add documentation to env template
* Remove functionality to disable feature flags
* Fix JSON key for feature states
* Convert error to warning when feature flag is unrecognized
* Simplify parsing of feature flags
* Fix default value of feature flags in env template
* Fix formatting
There was an error in the single org policy check to determine how many
users there are in an org. The `or` check was at the wrong location in
the DSL.
This is now fixed.
Fixes#4205
OpenWRT is a project which builds and distributes firmware for
embedded devies like routers, access points, and so on. These
devices are usually very limited in terms of storage. Therefore,
optimizing binaries for size at the cost of execution speed is
usually desired.
This PR adds an additional build-target, namely "release-micro",
which implements several parameters which optimize in favor of
binary size.
The following parameters were chosen:
- opt-level "z": Optimize for size with disabled loop vectorization
- strip "symbols": Strip debuginfo and symbols from binary
- lto "fat": Enable link-time optimizations across all crates
- codegen-units 1: Disable parallelization of code generation to
allow for additional optimizations
- panic "abort": Abort on Panic() instead of unwinding
All these build parameters significantly reduce the binary size
from >40MB to <15MB - the actual amount depends on the target
architecture.
We would like to upstream this new build target to keep our build
environment simple. Other projects which deploy vaultwarden on
size-constrained environments may benefit from this change too.
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Mathijs van Veluw
Stefan Melmuk
Daniel García
guangwu
Matlink
gzfrozen
Jacques B
Helmut K. C. Tessarek
Krapp
one230six
Calvin Li
seiuneko
dependabot[bot]
THONY
Matlink
Philipp Kolberg
Chris