Misc organization fixes (#6867)

- Update Rust to v1.93.1
- Updated all the crates
  Adjust changes needed for the newer `rand` crate
- Updated GitHub Actions

Signed-off-by: BlackDex <black.dex@gmail.com>

.github/workflows/build.yml

@@ -87,7 +87,7 @@ jobs:
 
       # Only install the clippy and rustfmt components on the default rust-toolchain
       - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master @ Feb 13, 2026, 3:46 AM GMT+1
         if: ${{ matrix.channel == 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -97,7 +97,7 @@ jobs:
 
       # Install the any other channel to be used for which we do not execute clippy and rustfmt
       - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master @ Feb 13, 2026, 3:46 AM GMT+1
         if: ${{ matrix.channel != 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"

.github/workflows/trivy.yml

@@ -38,7 +38,7 @@ jobs:
           persist-credentials: false
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
         env:
           TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
           TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
@@ -50,6 +50,6 @@ jobs:
           severity: CRITICAL,HIGH
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/typos.yml

@@ -23,4 +23,4 @@ jobs:
 
       # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
       - name: Spell Check Repo
-        uses: crate-ci/typos@9066e9940a8a05b98fb4733c62a726f83c9e57f8 # v1.43.3
+        uses: crate-ci/typos@57b11c6b7e54c402ccd9cda953f1072ec4f78e33 # v1.43.5

.pre-commit-config.yaml

@@ -53,6 +53,6 @@ repos:
         - "cd docker && make"
 # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
 - repo: https://github.com/crate-ci/typos
-  rev: 9066e9940a8a05b98fb4733c62a726f83c9e57f8 # v1.43.3
+  rev: 57b11c6b7e54c402ccd9cda953f1072ec4f78e33 # v1.43.5
   hooks:
     - id: typos

Cargo.lock

@@ -16,7 +16,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
 dependencies = [
  "cfg-if",
  "cipher",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 ]
 
 [[package]]
@@ -93,7 +93,7 @@ checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072"
 dependencies = [
  "base64ct",
  "blake2",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "password-hash",
 ]
 
@@ -173,9 +173,9 @@ dependencies = [
 
 [[package]]
 name = "async-executor"
-version = "1.13.3"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "497c00e0fd83a72a79a39fcbd8e3e2f055d6f6c7e025f3b3d91f4f8e76527fb8"
+checksum = "c96bf972d85afc50bf5ab8fe2d54d1586b4e0b46c97c50a0c9e71e2f7bcd812a"
 dependencies = [
  "async-task",
  "concurrent-queue",
@@ -360,9 +360,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
 [[package]]
 name = "aws-config"
-version = "1.8.13"
+version = "1.8.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c456581cb3c77fafcc8c67204a70680d40b61112d6da78c77bd31d945b65f1b5"
+checksum = "8a8fc176d53d6fe85017f230405e3255cedb4a02221cb55ed6d76dccbbb099b2"
 dependencies = [
  "aws-credential-types",
  "aws-runtime",
@@ -390,9 +390,9 @@ dependencies = [
 
 [[package]]
 name = "aws-credential-types"
-version = "1.2.11"
+version = "1.2.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cd362783681b15d136480ad555a099e82ecd8e2d10a841e14dfd0078d67fee3"
+checksum = "6d203b0bf2626dcba8665f5cd0871d7c2c0930223d6b6be9097592fea21242d0"
 dependencies = [
  "aws-smithy-async",
  "aws-smithy-runtime-api",
@@ -402,9 +402,9 @@ dependencies = [
 
 [[package]]
 name = "aws-runtime"
-version = "1.6.0"
+version = "1.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c635c2dc792cb4a11ce1a4f392a925340d1bdf499289b5ec1ec6810954eb43f5"
+checksum = "ede2ddc593e6c8acc6ce3358c28d6677a6dc49b65ba4b37a2befe14a11297e75"
 dependencies = [
  "aws-credential-types",
  "aws-sigv4",
@@ -415,6 +415,7 @@ dependencies = [
  "aws-smithy-types",
  "aws-types",
  "bytes",
+ "bytes-utils",
  "fastrand",
  "http 1.4.0",
  "http-body 1.0.1",
@@ -426,9 +427,9 @@ dependencies = [
 
 [[package]]
 name = "aws-sdk-sso"
-version = "1.93.0"
+version = "1.95.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9dcb38bb33fc0a11f1ffc3e3e85669e0a11a37690b86f77e75306d8f369146a0"
+checksum = "00c5ff27c6ba2cbd95e6e26e2e736676fdf6bcf96495b187733f521cfe4ce448"
 dependencies = [
  "aws-credential-types",
  "aws-runtime",
@@ -450,9 +451,9 @@ dependencies = [
 
 [[package]]
 name = "aws-sdk-ssooidc"
-version = "1.95.0"
+version = "1.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ada8ffbea7bd1be1f53df1dadb0f8fdb04badb13185b3321b929d1ee3caad09"
+checksum = "4d186f1e5a3694a188e5a0640b3115ccc6e084d104e16fd6ba968dca072ffef8"
 dependencies = [
  "aws-credential-types",
  "aws-runtime",
@@ -474,9 +475,9 @@ dependencies = [
 
 [[package]]
 name = "aws-sdk-sts"
-version = "1.97.0"
+version = "1.99.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6443ccadc777095d5ed13e21f5c364878c9f5bad4e35187a6cdbd863b0afcad"
+checksum = "9acba7c62f3d4e2408fa998a3a8caacd8b9a5b5549cf36e2372fbdae329d5449"
 dependencies = [
  "aws-credential-types",
  "aws-runtime",
@@ -499,9 +500,9 @@ dependencies = [
 
 [[package]]
 name = "aws-sigv4"
-version = "1.3.8"
+version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "efa49f3c607b92daae0c078d48a4571f599f966dce3caee5f1ea55c4d9073f99"
+checksum = "37411f8e0f4bea0c3ca0958ce7f18f6439db24d555dbd809787262cd00926aa9"
 dependencies = [
  "aws-credential-types",
  "aws-smithy-http",
@@ -521,9 +522,9 @@ dependencies = [
 
 [[package]]
 name = "aws-smithy-async"
-version = "1.2.11"
+version = "1.2.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52eec3db979d18cb807fc1070961cc51d87d069abe9ab57917769687368a8c6c"
+checksum = "5cc50d0f63e714784b84223abd7abbc8577de8c35d699e0edd19f0a88a08ae13"
 dependencies = [
  "futures-util",
  "pin-project-lite",
@@ -532,9 +533,9 @@ dependencies = [
 
 [[package]]
 name = "aws-smithy-http"
-version = "0.63.3"
+version = "0.63.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "630e67f2a31094ffa51b210ae030855cb8f3b7ee1329bdd8d085aaf61e8b97fc"
+checksum = "d619373d490ad70966994801bc126846afaa0d1ee920697a031f0cf63f2568e7"
 dependencies = [
  "aws-smithy-runtime-api",
  "aws-smithy-types",
@@ -553,27 +554,27 @@ dependencies = [
 
 [[package]]
 name = "aws-smithy-json"
-version = "0.62.3"
+version = "0.62.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cb96aa208d62ee94104645f7b2ecaf77bf27edf161590b6224bfbac2832f979"
+checksum = "27b3a779093e18cad88bbae08dc4261e1d95018c4c5b9356a52bcae7c0b6e9bb"
 dependencies = [
  "aws-smithy-types",
 ]
 
 [[package]]
 name = "aws-smithy-observability"
-version = "0.2.4"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0a46543fbc94621080b3cf553eb4cbbdc41dd9780a30c4756400f0139440a1d"
+checksum = "4d3f39d5bb871aaf461d59144557f16d5927a5248a983a40654d9cf3b9ba183b"
 dependencies = [
  "aws-smithy-runtime-api",
 ]
 
 [[package]]
 name = "aws-smithy-query"
-version = "0.60.13"
+version = "0.60.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0cebbddb6f3a5bd81553643e9c7daf3cc3dc5b0b5f398ac668630e8a84e6fff0"
+checksum = "05f76a580e3d8f8961e5d48763214025a2af65c2fa4cd1fb7f270a0e107a71b0"
 dependencies = [
  "aws-smithy-types",
  "urlencoding",
@@ -581,9 +582,9 @@ dependencies = [
 
 [[package]]
 name = "aws-smithy-runtime"
-version = "1.10.0"
+version = "1.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3df87c14f0127a0d77eb261c3bc45d5b4833e2a1f63583ebfb728e4852134ee"
+checksum = "22ccf7f6eba8b2dcf8ce9b74806c6c185659c311665c4bf8d6e71ebd454db6bf"
 dependencies = [
  "aws-smithy-async",
  "aws-smithy-http",
@@ -605,9 +606,9 @@ dependencies = [
 
 [[package]]
 name = "aws-smithy-runtime-api"
-version = "1.11.3"
+version = "1.11.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49952c52f7eebb72ce2a754d3866cc0f87b97d2a46146b79f80f3a93fb2b3716"
+checksum = "b4af6e5def28be846479bbeac55aa4603d6f7986fc5da4601ba324dd5d377516"
 dependencies = [
  "aws-smithy-async",
  "aws-smithy-types",
@@ -622,9 +623,9 @@ dependencies = [
 
 [[package]]
 name = "aws-smithy-types"
-version = "1.4.3"
+version = "1.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b3a26048eeab0ddeba4b4f9d51654c79af8c3b32357dc5f336cee85ab331c33"
+checksum = "8ca2734c16913a45343b37313605d84e7d8b34a4611598ce1d25b35860a2bed3"
 dependencies = [
  "base64-simd",
  "bytes",
@@ -645,18 +646,18 @@ dependencies = [
 
 [[package]]
 name = "aws-smithy-xml"
-version = "0.60.13"
+version = "0.60.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11b2f670422ff42bf7065031e72b45bc52a3508bd089f743ea90731ca2b6ea57"
+checksum = "b53543b4b86ed43f051644f704a98c7291b3618b67adf057ee77a366fa52fcaa"
 dependencies = [
  "xmlparser",
 ]
 
 [[package]]
 name = "aws-types"
-version = "1.3.11"
+version = "1.3.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d980627d2dd7bfc32a3c025685a033eeab8d365cc840c631ef59d1b8f428164"
+checksum = "0470cc047657c6e286346bdf10a8719d26efd6a91626992e0e64481e44323e96"
 dependencies = [
  "aws-credential-types",
  "aws-smithy-async",
@@ -743,9 +744,9 @@ checksum = "383d29d513d8764dcdc42ea295d979eb99c3c9f00607b3692cf68a431f7dca72"
 
 [[package]]
 name = "bitflags"
-version = "2.10.0"
+version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
+checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
 
 [[package]]
 name = "blake2"
@@ -926,9 +927,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.55"
+version = "1.2.56"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29"
+checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -948,6 +949,17 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
+[[package]]
+name = "chacha20"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.3.0",
+ "rand_core 0.10.0",
+]
+
 [[package]]
 name = "chrono"
 version = "0.4.43"
@@ -1075,9 +1087,9 @@ dependencies = [
 
 [[package]]
 name = "cookie_store"
-version = "0.22.0"
+version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fc4bff745c9b4c7fb1e97b25d13153da2bc7796260141df62378998d070207f"
+checksum = "15b2c103cf610ec6cae3da84a766285b42fd16aad564758459e6ecf128c75206"
 dependencies = [
  "cookie",
  "document-features",
@@ -1126,6 +1138,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "cpufeatures"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "crc32c"
 version = "0.6.8"
@@ -1220,7 +1241,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "curve25519-dalek-derive",
  "digest",
  "fiat-crypto",
@@ -1376,9 +1397,9 @@ dependencies = [
 
 [[package]]
 name = "deranged"
-version = "0.5.5"
+version = "0.5.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ececcb659e7ba858fb4f10388c250a7252eb0a27373f1a72b8748afdd248e587"
+checksum = "cc3dc5ad92c2e2d1c193bbbbdf2ea477cb81331de4f3103f267ca18368b988c4"
 dependencies = [
  "powerfmt",
  "serde_core",
@@ -1885,9 +1906,9 @@ dependencies = [
 
 [[package]]
 name = "futures"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -1900,9 +1921,9 @@ dependencies = [
 
 [[package]]
 name = "futures-channel"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
 dependencies = [
  "futures-core",
  "futures-sink",
@@ -1910,15 +1931,15 @@ dependencies = [
 
 [[package]]
 name = "futures-core"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
 
 [[package]]
 name = "futures-executor"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
+checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d"
 dependencies = [
  "futures-core",
  "futures-task",
@@ -1927,9 +1948,9 @@ dependencies = [
 
 [[package]]
 name = "futures-io"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
 
 [[package]]
 name = "futures-lite"
@@ -1946,9 +1967,9 @@ dependencies = [
 
 [[package]]
 name = "futures-macro"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1957,15 +1978,15 @@ dependencies = [
 
 [[package]]
 name = "futures-sink"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
 
 [[package]]
 name = "futures-task"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 
 [[package]]
 name = "futures-timer"
@@ -1975,9 +1996,9 @@ checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24"
 
 [[package]]
 name = "futures-util"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -1987,7 +2008,6 @@ dependencies = [
  "futures-task",
  "memchr",
  "pin-project-lite",
- "pin-utils",
  "slab",
 ]
 
@@ -2051,6 +2071,7 @@ dependencies = [
  "cfg-if",
  "libc",
  "r-efi",
+ "rand_core 0.10.0",
  "wasip2",
  "wasip3",
 ]
@@ -2446,22 +2467,6 @@ dependencies = [
  "webpki-roots",
 ]
 
-[[package]]
-name = "hyper-tls"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
-dependencies = [
- "bytes",
- "http-body-util",
- "hyper 1.8.1",
- "hyper-util",
- "native-tls",
- "tokio",
- "tokio-native-tls",
- "tower-service",
-]
-
 [[package]]
 name = "hyper-util"
 version = "0.1.20"
@@ -2726,9 +2731,9 @@ checksum = "47f142fe24a9c9944451e8349de0a56af5f3e7226dc46f3ed4d4ecc0b85af75e"
 
 [[package]]
 name = "jiff"
-version = "0.2.19"
+version = "0.2.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d89a5b5e10d5a9ad6e5d1f4bd58225f655d6fe9767575a5e8ac5a6fe64e04495"
+checksum = "c867c356cc096b33f4981825ab281ecba3db0acefe60329f044c1789d94c6543"
 dependencies = [
  "jiff-static",
  "jiff-tzdb-platform",
@@ -2741,9 +2746,9 @@ dependencies = [
 
 [[package]]
 name = "jiff-static"
-version = "0.2.19"
+version = "0.2.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff7a39c8862fc1369215ccf0a8f12dd4598c7f6484704359f0351bd617034dbf"
+checksum = "f7946b4325269738f270bb55b3c19ab5c5040525f83fd625259422a9d25d9be5"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2901,9 +2906,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.181"
+version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "459427e2af2b9c839b132acb702a1c654d95e10f8c326bfc2ad11310e458b1c5"
+checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
 
 [[package]]
 name = "libm"
@@ -3029,7 +3034,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "36c791ecdf977c99f45f23280405d7723727470f6689a5e6dbf513ac547ae10d"
 dependencies = [
  "serde",
- "toml 0.9.11+spec-1.1.0",
+ "toml 0.9.12+spec-1.1.0",
 ]
 
 [[package]]
@@ -3147,23 +3152,6 @@ dependencies = [
  "vcpkg",
 ]
 
-[[package]]
-name = "native-tls"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e"
-dependencies = [
- "libc",
- "log",
- "openssl",
- "openssl-probe 0.1.6",
- "openssl-sys",
- "schannel",
- "security-framework 2.11.1",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -3439,12 +3427,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "openssl-probe"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
-
 [[package]]
 name = "openssl-probe"
 version = "0.2.1"
@@ -4099,6 +4081,17 @@ dependencies = [
  "rand_core 0.9.5",
 ]
 
+[[package]]
+name = "rand"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8"
+dependencies = [
+ "chacha20",
+ "getrandom 0.4.1",
+ "rand_core 0.10.0",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
@@ -4137,6 +4130,12 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
+[[package]]
+name = "rand_core"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba"
+
 [[package]]
 name = "raw-cpuid"
 version = "11.6.0"
@@ -4274,12 +4273,10 @@ dependencies = [
  "http-body-util",
  "hyper 1.8.1",
  "hyper-rustls",
- "hyper-tls",
  "hyper-util",
  "js-sys",
  "log",
  "mime",
- "native-tls",
  "percent-encoding",
  "pin-project-lite",
  "quinn",
@@ -4291,7 +4288,6 @@ dependencies = [
  "serde_urlencoded",
  "sync_wrapper",
  "tokio",
- "tokio-native-tls",
  "tokio-rustls 0.26.4",
  "tokio-util",
  "tower",
@@ -4580,10 +4576,10 @@ version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
 dependencies = [
- "openssl-probe 0.2.1",
+ "openssl-probe",
  "rustls-pki-types",
  "schannel",
- "security-framework 3.5.1",
+ "security-framework",
 ]
 
 [[package]]
@@ -4747,22 +4743,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework"
-version = "2.11.1"
+version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
-dependencies = [
- "bitflags",
- "core-foundation 0.9.4",
- "core-foundation-sys",
- "libc",
- "security-framework-sys",
-]
-
-[[package]]
-name = "security-framework"
-version = "3.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
+checksum = "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38"
 dependencies = [
  "bitflags",
  "core-foundation 0.10.1",
@@ -4773,9 +4756,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework-sys"
-version = "2.15.0"
+version = "2.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0"
+checksum = "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -4942,7 +4925,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "digest",
 ]
 
@@ -4953,7 +4936,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "digest",
 ]
 
@@ -5010,9 +4993,9 @@ checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2"
 
 [[package]]
 name = "simple_asn1"
-version = "0.6.3"
+version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb"
+checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d"
 dependencies = [
  "num-bigint",
  "num-traits",
@@ -5161,23 +5144,22 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "svg-hush"
-version = "0.9.5"
+version = "0.9.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d647e9386e34dd750ba80bdb7dae2a2c50b78338515ffeb9fa7bdd3ef803bf2"
+checksum = "929223e80cdcec0482207576ea09692dd71b2b559057fc172e292ecec9a97559"
 dependencies = [
  "base64 0.22.1",
  "data-url",
- "once_cell",
  "quick-error",
  "url",
- "xml-rs",
+ "xml",
 ]
 
 [[package]]
 name = "syn"
-version = "2.0.114"
+version = "2.0.116"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a"
+checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -5409,16 +5391,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "tokio-native-tls"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
-dependencies = [
- "native-tls",
- "tokio",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.24.1"
@@ -5490,9 +5462,9 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "0.9.11+spec-1.1.0"
+version = "0.9.12+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46"
+checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863"
 dependencies = [
  "serde_core",
  "serde_spanned 1.0.4",
@@ -5535,9 +5507,9 @@ dependencies = [
 
 [[package]]
 name = "toml_parser"
-version = "1.0.6+spec-1.1.0"
+version = "1.0.9+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44"
+checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
 dependencies = [
  "winnow 0.7.14",
 ]
@@ -5742,9 +5714,9 @@ checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c76001afab07a0d35ce60142"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.23"
+version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
 
 [[package]]
 name = "unicode-segmentation"
@@ -5797,11 +5769,11 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
 [[package]]
 name = "uuid"
-version = "1.20.0"
+version = "1.21.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f"
+checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb"
 dependencies = [
- "getrandom 0.3.4",
+ "getrandom 0.4.1",
  "js-sys",
  "serde_core",
  "wasm-bindgen",
@@ -5868,7 +5840,7 @@ dependencies = [
  "pastey 0.2.1",
  "percent-encoding",
  "pico-args",
- "rand 0.9.2",
+ "rand 0.10.0",
  "regex",
  "reqsign",
  "reqwest",
@@ -6665,10 +6637,10 @@ dependencies = [
 ]
 
 [[package]]
-name = "xml-rs"
-version = "0.8.28"
+name = "xml"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ae8337f8a065cfc972643663ea4279e04e7256de865aa66fe25cec5fb912d3f"
+checksum = "b8aa498d22c9bbaf482329839bc5620c46be275a19a812e9a22a2b07529a642a"
 
 [[package]]
 name = "xmlparser"
@@ -6806,9 +6778,9 @@ dependencies = [
 
 [[package]]
 name = "zmij"
-version = "1.0.20"
+version = "1.0.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4de98dfa5d5b7fef4ee834d0073d560c9ca7b6c46a71d058c48db7960f8cfaf7"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
 
 [[package]]
 name = "zstd"

Cargo.toml

@@ -78,7 +78,7 @@ rmpv = "1.3.1" # MessagePack library
 dashmap = "6.1.0"
 
 # Async futures
-futures = "0.3.31"
+futures = "0.3.32"
 tokio = { version = "1.49.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
 tokio-util = { version = "0.7.18", features = ["compat"]}
 
@@ -98,12 +98,12 @@ diesel-derive-newtype = "2.1.2"
 libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
-rand = "0.9.2"
+rand = "0.10.0"
 ring = "0.17.14"
 subtle = "2.6.1"
 
 # UUID generation
-uuid = { version = "1.20.0", features = ["v4"] }
+uuid = { version = "1.21.0", features = ["v4"] }
 
 # Date and time libraries
 chrono = { version = "0.4.43", features = ["clock", "serde"], default-features = false }
@@ -152,14 +152,14 @@ html5gum = "0.8.3"
 regex = { version = "1.12.3", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.2"
 bytes = "1.11.1"
-svg-hush = "0.9.5"
+svg-hush = "0.9.6"
 
 # Cache function results (Used for version check and favicon fetching)
 cached = { version = "0.56.0", features = ["async"] }
 
 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.22.0"
+cookie_store = "0.22.1"
 
 # Used by U2F, JWT and PostgreSQL
 openssl = "0.10.75"
@@ -172,7 +172,7 @@ pastey = "0.2.1"
 governor = "0.10.4"
 
 # OIDC for SSO
-openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] }
+openidconnect = { version = "4.0.1", features = ["reqwest", "rustls-tls"] }
 mini-moka = "0.10.3"
 
 # Check client versions for specific features.
@@ -198,9 +198,9 @@ opendal = { version = "0.55.0", features = ["services-fs"], default-features = f
 
 # For retrieving AWS credentials, including temporary SSO credentials
 anyhow = { version = "1.0.101", optional = true }
-aws-config = { version = "1.8.13", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.11", optional = true }
-aws-smithy-runtime-api = { version = "1.11.3", optional = true }
+aws-config = { version = "1.8.14", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+aws-credential-types = { version = "1.2.13", optional = true }
+aws-smithy-runtime-api = { version = "1.11.5", optional = true }
 http = { version = "1.4.0", optional = true }
 reqsign = { version = "0.16.5", optional = true }
 

docker/DockerSettings.yaml

@@ -5,7 +5,7 @@ vault_image_digest: "sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114e
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
-rust_version: 1.93.0 # Rust version to be used
+rust_version: 1.93.1 # Rust version to be used
 debian_version: trixie # Debian release name to be used
 alpine_version: "3.23" # Alpine version to be used
 # For which platforms/architectures will we try to build images

docker/Dockerfile.alpine

@@ -32,10 +32,10 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.93.0 AS build_amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.93.0 AS build_arm64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.93.0 AS build_armv7
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.93.0 AS build_armv6
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.93.1 AS build_amd64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.93.1 AS build_arm64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.93.1 AS build_armv7
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.93.1 AS build_armv6
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006

docker/Dockerfile.debian

@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.93.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.93.1-slim-trixie AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.93.0"
+channel = "1.93.1"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"

src/api/core/accounts.rs

@@ -33,7 +33,6 @@ use rocket::{
 
 pub fn routes() -> Vec<rocket::Route> {
     routes![
-        register,
         profile,
         put_profile,
         post_profile,
@@ -168,11 +167,6 @@ async fn is_email_2fa_required(member_id: Option<MembershipId>, conn: &DbConn) -
     false
 }
 
-#[post("/accounts/register", data = "<data>")]
-async fn register(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
-    _register(data, false, conn).await
-}
-
 pub async fn _register(data: Json<RegisterData>, email_verification: bool, conn: DbConn) -> JsonResult {
     let mut data: RegisterData = data.into_inner();
     let email = data.email.to_lowercase();
@@ -1199,10 +1193,9 @@ async fn password_hint(data: Json<PasswordHintData>, conn: DbConn) -> EmptyResul
                 // There is still a timing side channel here in that the code
                 // paths that send mail take noticeably longer than ones that
                 // don't. Add a randomized sleep to mitigate this somewhat.
-                use rand::{rngs::SmallRng, Rng, SeedableRng};
-                let mut rng = SmallRng::from_os_rng();
-                let delta: i32 = 100;
-                let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
+                use rand::{rngs::SmallRng, RngExt};
+                let mut rng: SmallRng = rand::make_rng();
+                let sleep_ms = rng.random_range(900..=1100) as u64;
                 tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
                 Ok(())
             } else {

src/api/core/ciphers.rs

@@ -715,9 +715,13 @@ async fn put_cipher_partial(
     let data: PartialCipherData = data.into_inner();
 
     let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).await else {
-        err!("Cipher doesn't exist")
+        err!("Cipher does not exist")
     };
 
+    if !cipher.is_accessible_to_user(&headers.user.uuid, &conn).await {
+        err!("Cipher does not exist", "Cipher is not accessible for the current user")
+    }
+
     if let Some(ref folder_id) = data.folder_id {
         if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none() {
             err!("Invalid folder", "Folder does not exist or belongs to another user");

src/api/core/organizations.rs

@@ -36,12 +36,9 @@ pub fn routes() -> Vec<Route> {
         get_org_collections_details,
         get_org_collection_detail,
         get_collection_users,
-        put_collection_users,
         put_organization,
         post_organization,
         post_organization_collections,
-        delete_organization_collection_member,
-        post_organization_collection_delete_member,
         post_bulk_access_collections,
         post_organization_collection_update,
         put_organization_collection_update,
@@ -64,28 +61,20 @@ pub fn routes() -> Vec<Route> {
         put_member,
         delete_member,
         bulk_delete_member,
-        post_delete_member,
         post_org_import,
         list_policies,
         list_policies_token,
         get_master_password_policy,
         get_policy,
         put_policy,
-        get_organization_tax,
+        put_policy_vnext,
         get_plans,
-        get_plans_all,
-        get_plans_tax_rates,
-        import,
         post_org_keys,
         get_organization_keys,
         get_organization_public_key,
         bulk_public_keys,
-        deactivate_member,
-        bulk_deactivate_members,
         revoke_member,
         bulk_revoke_members,
-        activate_member,
-        bulk_activate_members,
         restore_member,
         bulk_restore_members,
         get_groups,
@@ -100,10 +89,6 @@ pub fn routes() -> Vec<Route> {
         bulk_delete_groups,
         get_group_members,
         put_group_members,
-        get_user_groups,
-        post_user_groups,
-        put_user_groups,
-        delete_group_member,
         post_delete_group_member,
         put_reset_password_enrollment,
         get_reset_password_details,
@@ -380,6 +365,11 @@ async fn get_org_collections(org_id: OrganizationId, headers: ManagerHeadersLoos
     if org_id != headers.membership.org_uuid {
         err!("Organization not found", "Organization id's do not match");
     }
+
+    if !headers.membership.has_full_access() {
+        err_code!("Resource not found.", "User does not have full access", rocket::http::Status::NotFound.code);
+    }
+
     Ok(Json(json!({
         "data": _get_org_collections(&org_id, &conn).await,
         "object": "list",
@@ -392,7 +382,6 @@ async fn get_org_collections_details(org_id: OrganizationId, headers: ManagerHea
     if org_id != headers.membership.org_uuid {
         err!("Organization not found", "Organization id's do not match");
     }
-    let mut data = Vec::new();
 
     let Some(member) = Membership::find_by_user_and_org(&headers.user.uuid, &org_id, &conn).await else {
         err!("User is not part of organization")
@@ -424,6 +413,7 @@ async fn get_org_collections_details(org_id: OrganizationId, headers: ManagerHea
         })
         .collect();
 
+    let mut data = Vec::new();
     for col in Collection::find_by_organization(&org_id, &conn).await {
         // check whether the current user has access to the given collection
         let assigned = has_full_access_to_org
@@ -566,6 +556,10 @@ async fn post_bulk_access_collections(
             err!("Collection not found")
         };
 
+        if !collection.is_manageable_by_user(&headers.membership.user_uuid, &conn).await {
+            err!("Collection not found", "The current user isn't a manager for this collection")
+        }
+
         // update collection modification date
         collection.save(&conn).await?;
 
@@ -682,43 +676,6 @@ async fn post_organization_collection_update(
     Ok(Json(collection.to_json_details(&headers.user.uuid, None, &conn).await))
 }
 
-#[delete("/organizations/<org_id>/collections/<col_id>/user/<member_id>")]
-async fn delete_organization_collection_member(
-    org_id: OrganizationId,
-    col_id: CollectionId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    let Some(collection) = Collection::find_by_uuid_and_org(&col_id, &org_id, &conn).await else {
-        err!("Collection not found", "Collection does not exist or does not belong to this organization")
-    };
-
-    match Membership::find_by_uuid_and_org(&member_id, &org_id, &conn).await {
-        None => err!("User not found in organization"),
-        Some(member) => {
-            match CollectionUser::find_by_collection_and_user(&collection.uuid, &member.user_uuid, &conn).await {
-                None => err!("User not assigned to collection"),
-                Some(col_user) => col_user.delete(&conn).await,
-            }
-        }
-    }
-}
-
-#[post("/organizations/<org_id>/collections/<col_id>/delete-user/<member_id>")]
-async fn post_organization_collection_delete_member(
-    org_id: OrganizationId,
-    col_id: CollectionId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    delete_organization_collection_member(org_id, col_id, member_id, headers, conn).await
-}
-
 async fn _delete_organization_collection(
     org_id: &OrganizationId,
     col_id: &CollectionId,
@@ -887,41 +844,6 @@ async fn get_collection_users(
     Ok(Json(json!(member_list)))
 }
 
-#[put("/organizations/<org_id>/collections/<col_id>/users", data = "<data>")]
-async fn put_collection_users(
-    org_id: OrganizationId,
-    col_id: CollectionId,
-    data: Json<Vec<CollectionMembershipData>>,
-    headers: ManagerHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    // Get org and collection, check that collection is from org
-    if Collection::find_by_uuid_and_org(&col_id, &org_id, &conn).await.is_none() {
-        err!("Collection not found in Organization")
-    }
-
-    // Delete all the user-collections
-    CollectionUser::delete_all_by_collection(&col_id, &conn).await?;
-
-    // And then add all the received ones (except if the user has access_all)
-    for d in data.iter() {
-        let Some(user) = Membership::find_by_uuid_and_org(&d.id, &org_id, &conn).await else {
-            err!("User is not part of organization")
-        };
-
-        if user.access_all {
-            continue;
-        }
-
-        CollectionUser::save(&user.user_uuid, &col_id, d.read_only, d.hide_passwords, d.manage, &conn).await?;
-    }
-
-    Ok(())
-}
-
 #[derive(FromForm)]
 struct OrgIdData {
     #[field(name = "organizationId")]
@@ -1719,17 +1641,6 @@ async fn delete_member(
     _delete_member(&org_id, &member_id, &headers, &conn, &nt).await
 }
 
-#[post("/organizations/<org_id>/users/<member_id>/delete")]
-async fn post_delete_member(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-    nt: Notify<'_>,
-) -> EmptyResult {
-    _delete_member(&org_id, &member_id, &headers, &conn, &nt).await
-}
-
 async fn _delete_member(
     org_id: &OrganizationId,
     member_id: &MembershipId,
@@ -2182,14 +2093,26 @@ async fn put_policy(
     Ok(Json(policy.to_json()))
 }
 
-#[allow(unused_variables)]
-#[get("/organizations/<org_id>/tax")]
-fn get_organization_tax(org_id: OrganizationId, _headers: Headers) -> Json<Value> {
-    // Prevent a 404 error, which also causes Javascript errors.
-    // Upstream sends "Only allowed when not self hosted." As an error message.
-    // If we do the same it will also output this to the log, which is overkill.
-    // An empty list/data also works fine.
-    Json(_empty_data_json())
+#[derive(Deserialize)]
+struct PolicyDataVnext {
+    policy: PolicyData,
+    // Ignore metadata for now as we do not yet support this
+    // "metadata": {
+    //     "defaultUserCollectionName": "2.xx|xx==|xx="
+    // }
+}
+
+#[put("/organizations/<org_id>/policies/<pol_type>/vnext", data = "<data>")]
+async fn put_policy_vnext(
+    org_id: OrganizationId,
+    pol_type: i32,
+    data: Json<PolicyDataVnext>,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> JsonResult {
+    let data: PolicyDataVnext = data.into_inner();
+    let policy: PolicyData = data.policy;
+    put_policy(org_id, pol_type, Json(policy), headers, conn).await
 }
 
 #[get("/plans")]
@@ -2220,17 +2143,6 @@ fn get_plans() -> Json<Value> {
     }))
 }
 
-#[get("/plans/all")]
-fn get_plans_all() -> Json<Value> {
-    get_plans()
-}
-
-#[get("/plans/sales-tax-rates")]
-fn get_plans_tax_rates(_headers: Headers) -> Json<Value> {
-    // Prevent a 404 error, which also causes Javascript errors.
-    Json(_empty_data_json())
-}
-
 #[get("/organizations/<_org_id>/billing/metadata")]
 fn get_billing_metadata(_org_id: OrganizationId, _headers: Headers) -> Json<Value> {
     // Prevent a 404 error, which also causes Javascript errors.
@@ -2255,174 +2167,12 @@ fn _empty_data_json() -> Value {
     })
 }
 
-#[derive(Deserialize, Debug)]
-#[serde(rename_all = "camelCase")]
-struct OrgImportGroupData {
-    #[allow(dead_code)]
-    name: String, // "GroupName"
-    #[allow(dead_code)]
-    external_id: String, // "cn=GroupName,ou=Groups,dc=example,dc=com"
-    #[allow(dead_code)]
-    users: Vec<String>, // ["uid=user,ou=People,dc=example,dc=com"]
-}
-
-#[derive(Deserialize, Debug)]
-#[serde(rename_all = "camelCase")]
-struct OrgImportUserData {
-    email: String, // "user@maildomain.net"
-    #[allow(dead_code)]
-    external_id: String, // "uid=user,ou=People,dc=example,dc=com"
-    deleted: bool,
-}
-
-#[derive(Deserialize, Debug)]
-#[serde(rename_all = "camelCase")]
-struct OrgImportData {
-    #[allow(dead_code)]
-    groups: Vec<OrgImportGroupData>,
-    overwrite_existing: bool,
-    users: Vec<OrgImportUserData>,
-}
-
-/// This function seems to be deprecated
-/// It is only used with older directory connectors
-/// TODO: Cleanup Tech debt
-#[post("/organizations/<org_id>/import", data = "<data>")]
-async fn import(org_id: OrganizationId, data: Json<OrgImportData>, headers: Headers, conn: DbConn) -> EmptyResult {
-    let data = data.into_inner();
-
-    // TODO: Currently we aren't storing the externalId's anywhere, so we also don't have a way
-    // to differentiate between auto-imported users and manually added ones.
-    // This means that this endpoint can end up removing users that were added manually by an admin,
-    // as opposed to upstream which only removes auto-imported users.
-
-    // User needs to be admin or owner to use the Directory Connector
-    match Membership::find_by_user_and_org(&headers.user.uuid, &org_id, &conn).await {
-        Some(member) if member.atype >= MembershipType::Admin => { /* Okay, nothing to do */ }
-        Some(_) => err!("User has insufficient permissions to use Directory Connector"),
-        None => err!("User not part of organization"),
-    };
-
-    for user_data in &data.users {
-        if user_data.deleted {
-            // If user is marked for deletion and it exists, delete it
-            if let Some(member) = Membership::find_by_email_and_org(&user_data.email, &org_id, &conn).await {
-                log_event(
-                    EventType::OrganizationUserRemoved as i32,
-                    &member.uuid,
-                    &org_id,
-                    &headers.user.uuid,
-                    headers.device.atype,
-                    &headers.ip.ip,
-                    &conn,
-                )
-                .await;
-
-                member.delete(&conn).await?;
-            }
-
-        // If user is not part of the organization, but it exists
-        } else if Membership::find_by_email_and_org(&user_data.email, &org_id, &conn).await.is_none() {
-            if let Some(user) = User::find_by_mail(&user_data.email, &conn).await {
-                let member_status = if CONFIG.mail_enabled() {
-                    MembershipStatus::Invited as i32
-                } else {
-                    MembershipStatus::Accepted as i32 // Automatically mark user as accepted if no email invites
-                };
-
-                let mut new_member =
-                    Membership::new(user.uuid.clone(), org_id.clone(), Some(headers.user.email.clone()));
-                new_member.access_all = false;
-                new_member.atype = MembershipType::User as i32;
-                new_member.status = member_status;
-
-                if CONFIG.mail_enabled() {
-                    let org_name = match Organization::find_by_uuid(&org_id, &conn).await {
-                        Some(org) => org.name,
-                        None => err!("Error looking up organization"),
-                    };
-
-                    mail::send_invite(
-                        &user,
-                        org_id.clone(),
-                        new_member.uuid.clone(),
-                        &org_name,
-                        Some(headers.user.email.clone()),
-                    )
-                    .await?;
-                }
-
-                // Save the member after sending an email
-                // If sending fails the member will not be saved to the database, and will not result in the admin needing to reinvite the users manually
-                new_member.save(&conn).await?;
-
-                log_event(
-                    EventType::OrganizationUserInvited as i32,
-                    &new_member.uuid,
-                    &org_id,
-                    &headers.user.uuid,
-                    headers.device.atype,
-                    &headers.ip.ip,
-                    &conn,
-                )
-                .await;
-            }
-        }
-    }
-
-    // If this flag is enabled, any user that isn't provided in the Users list will be removed (by default they will be kept unless they have Deleted == true)
-    if data.overwrite_existing {
-        for member in Membership::find_by_org_and_type(&org_id, MembershipType::User, &conn).await {
-            if let Some(user_email) = User::find_by_uuid(&member.user_uuid, &conn).await.map(|u| u.email) {
-                if !data.users.iter().any(|u| u.email == user_email) {
-                    log_event(
-                        EventType::OrganizationUserRemoved as i32,
-                        &member.uuid,
-                        &org_id,
-                        &headers.user.uuid,
-                        headers.device.atype,
-                        &headers.ip.ip,
-                        &conn,
-                    )
-                    .await;
-
-                    member.delete(&conn).await?;
-                }
-            }
-        }
-    }
-
-    Ok(())
-}
-
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/<member_id>/deactivate")]
-async fn deactivate_member(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    _revoke_member(&org_id, &member_id, &headers, &conn).await
-}
-
 #[derive(Deserialize, Debug)]
 #[serde(rename_all = "camelCase")]
 struct BulkRevokeMembershipIds {
     ids: Option<Vec<MembershipId>>,
 }
 
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/deactivate", data = "<data>")]
-async fn bulk_deactivate_members(
-    org_id: OrganizationId,
-    data: Json<BulkRevokeMembershipIds>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> JsonResult {
-    bulk_revoke_members(org_id, data, headers, conn).await
-}
-
 #[put("/organizations/<org_id>/users/<member_id>/revoke")]
 async fn revoke_member(
     org_id: OrganizationId,
@@ -2516,28 +2266,6 @@ async fn _revoke_member(
     Ok(())
 }
 
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/<member_id>/activate")]
-async fn activate_member(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    _restore_member(&org_id, &member_id, &headers, &conn).await
-}
-
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/activate", data = "<data>")]
-async fn bulk_activate_members(
-    org_id: OrganizationId,
-    data: Json<BulkMembershipIds>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> JsonResult {
-    bulk_restore_members(org_id, data, headers, conn).await
-}
-
 #[put("/organizations/<org_id>/users/<member_id>/restore")]
 async fn restore_member(
     org_id: OrganizationId,
@@ -3006,88 +2734,6 @@ async fn put_group_members(
     Ok(())
 }
 
-#[get("/organizations/<org_id>/users/<member_id>/groups")]
-async fn get_user_groups(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> JsonResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    if !CONFIG.org_groups_enabled() {
-        err!("Group support is disabled");
-    }
-
-    if Membership::find_by_uuid_and_org(&member_id, &org_id, &conn).await.is_none() {
-        err!("User could not be found!")
-    };
-
-    let user_groups: Vec<GroupId> =
-        GroupUser::find_by_member(&member_id, &conn).await.iter().map(|entry| entry.groups_uuid.clone()).collect();
-
-    Ok(Json(json!(user_groups)))
-}
-
-#[derive(Deserialize)]
-#[serde(rename_all = "camelCase")]
-struct OrganizationUserUpdateGroupsRequest {
-    group_ids: Vec<GroupId>,
-}
-
-#[post("/organizations/<org_id>/users/<member_id>/groups", data = "<data>")]
-async fn post_user_groups(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    data: Json<OrganizationUserUpdateGroupsRequest>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    put_user_groups(org_id, member_id, data, headers, conn).await
-}
-
-#[put("/organizations/<org_id>/users/<member_id>/groups", data = "<data>")]
-async fn put_user_groups(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    data: Json<OrganizationUserUpdateGroupsRequest>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    if !CONFIG.org_groups_enabled() {
-        err!("Group support is disabled");
-    }
-
-    if Membership::find_by_uuid_and_org(&member_id, &org_id, &conn).await.is_none() {
-        err!("User could not be found or does not belong to the organization.");
-    }
-
-    GroupUser::delete_all_by_member(&member_id, &conn).await?;
-
-    let assigned_group_ids = data.into_inner();
-    for assigned_group_id in assigned_group_ids.group_ids {
-        let mut group_user = GroupUser::new(assigned_group_id.clone(), member_id.clone());
-        group_user.save(&conn).await?;
-    }
-
-    log_event(
-        EventType::OrganizationUserUpdatedGroups as i32,
-        &member_id,
-        &org_id,
-        &headers.user.uuid,
-        headers.device.atype,
-        &headers.ip.ip,
-        &conn,
-    )
-    .await;
-
-    Ok(())
-}
-
 #[post("/organizations/<org_id>/groups/<group_id>/delete-user/<member_id>")]
 async fn post_delete_group_member(
     org_id: OrganizationId,
@@ -3095,17 +2741,6 @@ async fn post_delete_group_member(
     member_id: MembershipId,
     headers: AdminHeaders,
     conn: DbConn,
-) -> EmptyResult {
-    delete_group_member(org_id, group_id, member_id, headers, conn).await
-}
-
-#[delete("/organizations/<org_id>/groups/<group_id>/users/<member_id>")]
-async fn delete_group_member(
-    org_id: OrganizationId,
-    group_id: GroupId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
 ) -> EmptyResult {
     if org_id != headers.org_id {
         err!("Organization not found", "Organization id's do not match");

src/api/core/two_factor/email.rs

@@ -44,6 +44,9 @@ async fn send_email_login(data: Json<SendEmailLoginData>, client_headers: Client
         err!("Email 2FA is disabled")
     }
 
+    // Ratelimit the login
+    crate::ratelimit::check_limit_login(&client_headers.ip.ip)?;
+
     // Get the user
     let email = match &data.email {
         Some(email) if !email.is_empty() => Some(email),

src/api/core/two_factor/mod.rs

@@ -9,7 +9,7 @@ use crate::{
         core::{log_event, log_user_event},
         EmptyResult, JsonResult, PasswordOrOtpData,
     },
-    auth::{ClientHeaders, Headers},
+    auth::Headers,
     crypto,
     db::{
         models::{
@@ -35,7 +35,6 @@ pub fn routes() -> Vec<Route> {
     let mut routes = routes![
         get_twofactor,
         get_recover,
-        recover,
         disable_twofactor,
         disable_twofactor_put,
         get_device_verification_settings,
@@ -76,54 +75,6 @@ async fn get_recover(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbCo
     })))
 }
 
-#[derive(Deserialize)]
-#[serde(rename_all = "camelCase")]
-struct RecoverTwoFactor {
-    master_password_hash: String,
-    email: String,
-    recovery_code: String,
-}
-
-#[post("/two-factor/recover", data = "<data>")]
-async fn recover(data: Json<RecoverTwoFactor>, client_headers: ClientHeaders, conn: DbConn) -> JsonResult {
-    let data: RecoverTwoFactor = data.into_inner();
-
-    use crate::db::models::User;
-
-    // Get the user
-    let Some(mut user) = User::find_by_mail(&data.email, &conn).await else {
-        err!("Username or password is incorrect. Try again.")
-    };
-
-    // Check password
-    if !user.check_valid_password(&data.master_password_hash) {
-        err!("Username or password is incorrect. Try again.")
-    }
-
-    // Check if recovery code is correct
-    if !user.check_valid_recovery_code(&data.recovery_code) {
-        err!("Recovery code is incorrect. Try again.")
-    }
-
-    // Remove all twofactors from the user
-    TwoFactor::delete_all_by_user(&user.uuid, &conn).await?;
-    enforce_2fa_policy(&user, &user.uuid, client_headers.device_type, &client_headers.ip.ip, &conn).await?;
-
-    log_user_event(
-        EventType::UserRecovered2fa as i32,
-        &user.uuid,
-        client_headers.device_type,
-        &client_headers.ip.ip,
-        &conn,
-    )
-    .await;
-
-    // Remove the recovery code, not needed without twofactors
-    user.totp_recover = None;
-    user.save(&conn).await?;
-    Ok(Json(Value::Object(serde_json::Map::new())))
-}
-
 async fn _generate_recover_code(user: &mut User, conn: &DbConn) {
     if user.totp_recover.is_none() {
         let totp_recover = crypto::encode_random_bytes::<20>(&BASE32);

src/api/identity.rs

@@ -975,12 +975,11 @@ async fn register_verification_email(
         let user = User::find_by_mail(&data.email, &conn).await;
         if user.filter(|u| u.private_key.is_some()).is_some() {
             // There is still a timing side channel here in that the code
-            // paths that send mail take noticeably longer than ones that
-            // don't. Add a randomized sleep to mitigate this somewhat.
-            use rand::{rngs::SmallRng, Rng, SeedableRng};
-            let mut rng = SmallRng::from_os_rng();
-            let delta: i32 = 100;
-            let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
+            // paths that send mail take noticeably longer than ones that don't.
+            // Add a randomized sleep to mitigate this somewhat.
+            use rand::{rngs::SmallRng, RngExt};
+            let mut rng: SmallRng = rand::make_rng();
+            let sleep_ms = rng.random_range(900..=1100) as u64;
             tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
         } else {
             mail::send_register_verify_email(&data.email, &token).await?;

src/api/web.rs

@@ -60,6 +60,7 @@ fn vaultwarden_css() -> Cached<Css<String>> {
         "mail_2fa_enabled": CONFIG._enable_email_2fa(),
         "mail_enabled": CONFIG.mail_enabled(),
         "sends_allowed": CONFIG.sends_allowed(),
+        "remember_2fa_disabled": CONFIG.disable_2fa_remember(),
         "password_hints_allowed": CONFIG.password_hints_allowed(),
         "signup_disabled": CONFIG.is_signup_disabled(),
         "sso_enabled": CONFIG.sso_enabled(),

src/auth.rs

@@ -826,7 +826,7 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
                         _ => err_handler!("Error getting DB"),
                     };
 
-                    if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await {
+                    if !Collection::is_coll_manageable_by_user(&col_id, &headers.membership.user_uuid, &conn).await {
                         err_handler!("The current user isn't a manager for this collection")
                     }
                 }
@@ -908,8 +908,8 @@ impl ManagerHeaders {
             if uuid::Uuid::parse_str(col_id.as_ref()).is_err() {
                 err!("Collection Id is malformed!");
             }
-            if !Collection::can_access_collection(&h.membership, col_id, conn).await {
-                err!("You don't have access to all collections!");
+            if !Collection::is_coll_manageable_by_user(col_id, &h.membership.user_uuid, conn).await {
+                err!("Collection not found", "The current user isn't a manager for this collection")
             }
         }
 

src/crypto.rs

@@ -55,13 +55,13 @@ pub fn encode_random_bytes<const N: usize>(e: &Encoding) -> String {
 /// Generates a random string over a specified alphabet.
 pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
     // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
-    use rand::Rng;
+    use rand::RngExt;
     let mut rng = rand::rng();
 
     (0..num_chars)
         .map(|_| {
             let i = rng.random_range(0..alphabet.len());
-            alphabet[i] as char
+            char::from(alphabet[i])
         })
         .collect()
 }

src/db/models/collection.rs

@@ -513,7 +513,8 @@ impl Collection {
         }}
     }
 
-    pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
+    pub async fn is_coll_manageable_by_user(uuid: &CollectionId, user_uuid: &UserId, conn: &DbConn) -> bool {
+        let uuid = uuid.to_string();
         let user_uuid = user_uuid.to_string();
         db_run! { conn: {
             collections::table
@@ -538,9 +539,9 @@ impl Collection {
                     collections_groups::collections_uuid.eq(collections::uuid)
                 )
             ))
-            .filter(collections::uuid.eq(&self.uuid))
+            .filter(collections::uuid.eq(&uuid))
             .filter(
-                users_collections::collection_uuid.eq(&self.uuid).and(users_collections::manage.eq(true)).or(// Directly accessed collection
+                users_collections::collection_uuid.eq(&uuid).and(users_collections::manage.eq(true)).or(// Directly accessed collection
                     users_organizations::access_all.eq(true).or( // access_all in Organization
                         users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
                 )).or(
@@ -558,6 +559,10 @@ impl Collection {
             .unwrap_or(0) != 0
         }}
     }
+
+    pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
+        Self::is_coll_manageable_by_user(&self.uuid, user_uuid, conn).await
+    }
 }
 
 /// Database methods

src/mail.rs

@@ -302,10 +302,10 @@ pub async fn send_invite(
             .append_pair("organizationUserId", &member_id)
             .append_pair("token", &invite_token);
 
-        if CONFIG.sso_enabled() {
-            query_params.append_pair("orgUserHasExistingUser", "false");
+        if CONFIG.sso_enabled() && CONFIG.sso_only() {
             query_params.append_pair("orgSsoIdentifier", &org_id);
-        } else if user.private_key.is_some() {
+        }
+        if user.private_key.is_some() {
             query_params.append_pair("orgUserHasExistingUser", "true");
         }
     }

src/static/templates/scss/vaultwarden.scss.hbs

@@ -158,6 +158,13 @@ app-root a[routerlink="/signup"] {
 {{/if}}
 {{/if}}
 
+{{#if remember_2fa_disabled}}
+/* Hide checkbox to remember 2FA token for 30 days */
+app-two-factor-auth > form > bit-form-control {
+  @extend %vw-hide;
+}
+{{/if}}
+
 {{#unless mail_2fa_enabled}}
 /* Hide `Email` 2FA if mail is not enabled */
 .providers-2fa-1 {