Mathijs van Veluw
235cf88231
Fix 2FA Remember to actually be 30 days ( #6929 )
...
Currently we always regenerate the 2FA Remember token, and always send that back to the client.
This is not the correct way, and in turn causes the remember token to never expire.
While this might be convenient, it is not really safe.
This commit changes the 2FA Remember Tokens from random string to a JWT.
This JWT has a lifetime of 30 days and is validated per device & user combination.
This does mean that once this commit is merged, and users are using this version, all their remember tokens will be invalidated.
From my point of view this isn't a bad thing, since those tokens should have expired already.
Only users who recently checked the remember checkbox within 30 days have to login again, but that is a minor inconvenience I think.
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-03-23 23:12:07 +01:00
Daniel García
c0a78dd55a
Use protected CI environment ( #7004 )
2026-03-23 22:25:03 +01:00
Mathijs van Veluw
711bb53d3d
Update crates and GHA ( #6980 )
...
Updated all crates which are possible.
Updated all GitHub Actions to their latest version.
There was a supply-chain attack on the trivy action to which we were not exposed since we were using pinned sha hashes.
The latest version v0.35.0 is not vulnerable and that version will be used with this commit.
Also removed `dtolnay/rust-toolchain` as suggested by zizmor and adjusted the way to install the correct toolchain.
Since this GitHub Action did not use any version tagging, it was also cumbersome to update.
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-03-23 21:26:11 +01:00
Mathijs van Veluw
650defac75
Update Feature Flags ( #6981 )
...
* Update Feature Flags
Added new feature flags which could be supported without issues.
Removed all deprecated feature flags and only match supported flags.
Do not error on invalid flags during load, but do on config save via admin interface.
During load it will print a `WARNING`, this is to prevent breaking setups when flags are removed, but are still configured.
There are no feature flags anymore currently needed to be set by default, so those are removed now.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjust code a bit and add Diagnostics check
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update .env template
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-03-23 21:21:21 +01:00
Mathijs van Veluw
2b3736802d
Fix email header base64 padding ( #6961 )
...
Newer versions of the Bitwarden client use Base64 with padding.
Since this is not a streaming string, but a defined length, we can just strip the `=` chars.
Fixes #6960
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-03-17 17:01:32 +01:00
Mathijs van Veluw
9c7df6412c
Fix apikey login ( #6922 )
...
The API Key login needs some extra JSON return keys, same as password login.
Fixes #6912
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-03-09 21:13:27 +01:00
Daniel
065c1f2cd5
Fix checkout action version ( #6921 )
...
- wasn't getting picked up when updating action due to being formatted as `#v6.0.0` instead of `# v6.0.0`
2026-03-09 19:35:14 +01:00
Daniel García
1a1d7f578a
Support new desktop origin on CORS ( #6920 )
2026-03-09 19:14:28 +01:00
Mathijs van Veluw
2b16a05e54
Misc updates and fixes ( #6910 )
...
* Fix collection details response
Signed-off-by: BlackDex <black.dex@gmail.com>
* Misc updates and fixes
- Some clippy fixes
- Crate updates
- Updated Rust to v1.94.0
- Updated all GitHub Actions
- Updated web-vault v2026.2.0
Signed-off-by: BlackDex <black.dex@gmail.com>
* Remove commented out code
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
2026-03-09 18:38:22 +01:00
phoeagon
c6e9948984
Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile ( #6853 )
...
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
2026-03-09 18:21:23 +01:00
Timshel
ecdb18fcde
Add 30s cache to SSO exchange_refresh_token ( #6866 )
...
Co-authored-by: Timshel <timshel@users.noreply.github.com>
2026-03-09 18:10:06 +01:00
pasarenicu
df25d316d6
Add Webauthn related origins flag to known flags. ( #6900 )
...
support pm-30529-webauthn-related-origins flag
2026-03-09 18:06:41 +01:00
Chris Kruger
747286dccd
fix: add ForcePasswordReset to api key login ( #6904 )
2026-03-09 18:04:17 +01:00
DerPlayer2001
e60105411b
Feat(config): add feature flag for Safari account switching ( #6891 )
...
This enables the use of the Feature from this PR https://github.com/bitwarden/clients/pull/18339
2026-03-09 17:57:10 +01:00
Ken Watanabe
937857a0bc
Merge commit from fork
...
* Fix WebAuthn backup flag update before signature verification
* fix format rust file
* Add test for migration update
* Remove webauthn test
2026-03-09 17:50:21 +01:00
Stefan Melmuk
ba55191676
apply policies only to confirmed members ( #6892 )
2026-03-04 06:58:39 +01:00
Mathijs van Veluw
c555f7d198
Misc organization fixes ( #6867 )
2026-02-23 21:52:44 +01:00
proofofcopilot
74819b95bd
fix(send_invite): add orgSsoIdentifier if sso_only is enabled ( #6824 )
2026-02-23 20:28:12 +01:00
Stefan Melmuk
da2af3d362
hide remember 2fa token ( #6852 )
2026-02-23 20:27:40 +01:00
Mathijs van Veluw
1583fe4af3
Update Rust and Crates and GHA ( #6843 )
...
- Update Rust to v1.93.1
- Updated all the crates
Adjust changes needed for the newer `rand` crate
- Updated GitHub Actions
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-02-18 00:17:20 +01:00
Mathijs van Veluw
36f0620fd1
Fix org-details issue ( #6811 )
...
Fix an issue where it was possible for users who were not eligible to access all org ciphers to be able to download and extract the encrypted contents.
Only Managers with full access and Admins and Owners should be able to access this endpoint.
This change will block and prevent access for other users.
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-02-10 20:34:30 +01:00
Mathijs van Veluw
3cd2d4afe7
Update crates and web-vault ( #6810 )
...
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-02-10 20:24:35 +01:00
Mathijs van Veluw
d09c45bb63
Misc updates, crates, rust, js, gha, vault ( #6799 )
2026-02-08 19:24:20 +01:00
Stefan Melmuk
feecfb20da
fix error message for purging auth requests ( #6776 )
2026-02-01 22:35:55 +01:00
Timshel
347279a12c
Empty AccountKeys when no private key ( #6761 )
...
Co-authored-by: Timshel <timshel@users.noreply.github.com>
2026-02-01 22:35:22 +01:00
Helmut K. C. Tessarek
7f65a254b3
refactor: improve tooltips in diagnostics page ( #6765 )
...
The term "seems to" is used too loosely in many of the tooltips, but in
these 2 instances it is wrong wording.
An update is either available or not. If there is no update, one could
argue that "seems to" is valid, since the Internet could be down to
check for a new version. But in this situation the update is available.
It is impossible that an update seems to be available.
2026-02-01 22:35:03 +01:00
Mathijs van Veluw
cc80f689ed
Update crates, web-vault, js, workflows ( #6749 )
...
- Updated all crates
- Updated web-vault to v2025.12.2
- Updated all JavaScript files
- Updated all GitHub Action Workflows
Also added the `concurrency` option to all workflows.
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-01-22 23:40:39 +01:00
Stefan Melmuk
4737192853
fix email as 2fa with auth requests ( #6736 )
...
* fix email as 2fa with auth requests
* increase expiry time of auth_requests to 15 minutes
2026-01-22 23:25:11 +01:00
Stefan Melmuk
0c6817cb4e
hide password hints via CSS ( #6726 )
2026-01-18 15:25:20 +01:00
Stefan Melmuk
25a71d913f
use email instead of empty name for webauthn ( #6733 )
...
* if empty use email instead of name for webauthn
* use email as display name if name is empty
2026-01-18 15:23:21 +01:00
Mathijs van Veluw
b2cd556f3e
Fix User API Key login ( #6712 )
...
When using the latest Bitwarden CLI and logging in using the API Key, it expects some extra fields, same as for normal login.
This PR adds those fields and login is possible again via API Key.
Fixes #6709
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-01-14 13:11:43 +01:00
Mathijs van Veluw
4352fffeec
Fix web-vault version check and update web-vault ( #6686 )
2026-01-09 13:21:10 +01:00
Stefan Melmuk
8d08697cf8
improve sso callback path ( #6676 )
...
* normalize base_url for sso_callback_path
* clean url when embedding images
2026-01-06 17:10:00 +00:00
Stefan Melmuk
9f1df42259
allow MasterPasswordHash for Android ( #6673 )
2026-01-06 14:24:05 +00:00
Stefan Melmuk
1e1f9957cd
return no content with status code 204 ( #6665 )
2026-01-05 18:52:24 +00:00
Stefan Melmuk
bf37657c08
update web-vault to fix org creation ( #6646 )
2026-01-01 16:52:11 +00:00
Daniel García
3e2cef7e8b
Try old refresh token if we fail to decode jwt ( #6629 )
2025-12-29 22:54:51 +01:00
Mathijs van Veluw
2af9d21158
Misc updates ( #6627 )
...
- Update crates and toml
- Update web-vault to v2025.12.1
- Update workflows
Signed-off-by: BlackDex <black.dex@gmail.com>
2025-12-29 22:27:12 +01:00
Daniel
c4f6c4e63b
Re-add alpine tag ( #6626 )
...
- fixes https://github.com/dani-garcia/vaultwarden/issues/6619
- also optimize the process while at it
2025-12-29 22:25:15 +01:00
Daniel García
eb2a56aea1
Update lockfile ( #6600 )
2025-12-28 01:07:17 +01:00
Daniel García
a4907f3539
Add wrapped named variants to UserDecryptionOptions ( #6598 )
2025-12-27 23:35:04 +01:00
Daniel
8801b47d80
Remove unnecessary output sharing between jobs ( #6555 )
...
Split step into 2 parts, since only 1 part is needed in the build job
2025-12-23 16:27:53 +01:00
Daniel
1ae9dc4119
Simplify binary extraction ( #6554 )
2025-12-23 16:26:28 +01:00
Mathijs van Veluw
02377eeac8
Update crates ( #6585 )
...
Signed-off-by: BlackDex <black.dex@gmail.com>
2025-12-23 16:25:56 +01:00
Mathijs van Veluw
d9c75508c2
Fix posting cipher with readonly collections ( #6578 )
...
* Fix posting cipher with readonly collections
This fix will check if a collection is writeable for the user, and if not error out early instead of creating the cipher first and leaving it.
It will also save some database transactions.
Fixes #6562
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjust code to delete on error
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
2025-12-21 18:51:58 +01:00
Mathijs van Veluw
0ab7784b06
Update web-vault to v2025.12.0 ( #6577 )
...
Updated web-vault
Updated one crate
Signed-off-by: BlackDex <black.dex@gmail.com>
2025-12-21 00:01:30 +01:00
Daniel García
5c91058ba0
Add UserDecryptionOptions on /sync too ( #6574 )
2025-12-20 00:37:46 +01:00
Mathijs van Veluw
229b58fe4e
Update crates and Rust ( #6551 )
...
* Update crates and Rust
- Updated all the crates
- Updated Rust to v1.92.0
- Updated to Alpine v3.23
- Adjusted some nightly clippy lints
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add new updates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated more crates and fix mariadb
Updated more crates
Also removed older MariaDB library since Diesel has fixed this in the v2.3.5 version.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix icon-fetch error
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update GHA workflows
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
2025-12-19 17:38:13 +01:00
Daniel García
061d320c7f
Add new accountKeys and masterPasswordUnlock fields ( #6572 )
...
* Add new accountKeys and masterPasswordUnlock fields
* Fmt
2025-12-19 13:34:43 +01:00
Stefan Melmuk
2c73c6c2f2
support UriMatchDefaults policy ( #6570 )
2025-12-19 12:07:58 +01:00