Misc organization fixes (#6867)

- Update Rust to v1.93.1
- Updated all the crates
  Adjust changes needed for the newer `rand` crate
- Updated GitHub Actions

Signed-off-by: BlackDex <black.dex@gmail.com>

.github/workflows/build.yml

@@ -1,6 +1,10 @@
 name: Build
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     paths:
@@ -30,6 +34,10 @@ on:
       - "docker/DockerSettings.yaml"
       - "macros/**"
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   build:
     name: Build and Test ${{ matrix.channel }}
@@ -63,7 +71,6 @@ jobs:
       # Determine rust-toolchain version
       - name: Init Variables
         id: toolchain
-        shell: bash
         env:
           CHANNEL: ${{ matrix.channel }}
         run: |
@@ -80,7 +87,7 @@ jobs:
 
       # Only install the clippy and rustfmt components on the default rust-toolchain
       - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master @ Feb 13, 2026, 3:46 AM GMT+1
         if: ${{ matrix.channel == 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -90,7 +97,7 @@ jobs:
 
       # Install the any other channel to be used for which we do not execute clippy and rustfmt
       - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master @ Dec 16, 2025, 6:11 PM GMT+1
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master @ Feb 13, 2026, 3:46 AM GMT+1
         if: ${{ matrix.channel != 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"

.github/workflows/check-templates.yml

@@ -1,8 +1,16 @@
 name: Check templates
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on: [ push, pull_request ]
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   docker-templates:
     name: Validate docker templates

.github/workflows/hadolint.yml

@@ -1,8 +1,15 @@
 name: Hadolint
-
-on: [ push, pull_request ]
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+on: [ push, pull_request ]
+
+defaults:
+  run:
+    shell: bash
 
 jobs:
   hadolint:
@@ -25,7 +32,6 @@ jobs:
 
       # Download hadolint - https://github.com/hadolint/hadolint/releases
       - name: Download hadolint
-        shell: bash
         run: |
           sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
           sudo chmod +x /usr/local/bin/hadolint
@@ -41,13 +47,11 @@ jobs:
 
       # Test Dockerfiles with hadolint
       - name: Run hadolint
-        shell: bash
         run: hadolint docker/Dockerfile.{debian,alpine}
       # End Test Dockerfiles with hadolint
 
       # Test Dockerfiles with docker build checks
       - name: Run docker build check
-        shell: bash
         run: |
           echo "Checking docker/Dockerfile.debian"
           docker build --check . -f docker/Dockerfile.debian

.github/workflows/release.yml

@@ -1,6 +1,12 @@
 name: Release
 permissions: {}
 
+concurrency:
+  # Apply concurrency control only on the upstream repo
+  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
+  # Don't cancel other runs when creating a tag
+  cancel-in-progress: ${{ github.ref_type == 'branch' }}
+
 on:
   push:
     branches:
@@ -10,12 +16,6 @@ on:
       # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
       - '[1-2].[0-9]+.[0-9]+'
 
-concurrency:
-  # Apply concurrency control only on the upstream repo
-  group: ${{ github.repository == 'dani-garcia/vaultwarden' && format('{0}-{1}', github.workflow, github.ref) || github.run_id }}
-  # Don't cancel other runs when creating a tag
-  cancel-in-progress: ${{ github.ref_type == 'branch' }}
-
 defaults:
   run:
     shell: bash
@@ -102,7 +102,7 @@ jobs:
 
       # Login to Docker Hub
       - name: Login to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -117,7 +117,7 @@ jobs:
 
       # Login to GitHub Container Registry
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -133,7 +133,7 @@ jobs:
 
       # Login to Quay.io
       - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
@@ -233,7 +233,7 @@ jobs:
 
       # Upload artifacts to Github Actions and Attest the binaries
       - name: Attest binaries
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
         with:
           subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }}
 
@@ -265,7 +265,7 @@ jobs:
 
       # Login to Docker Hub
       - name: Login to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -280,7 +280,7 @@ jobs:
 
       # Login to GitHub Container Registry
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -296,7 +296,7 @@ jobs:
 
       # Login to Quay.io
       - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
@@ -313,45 +313,43 @@ jobs:
       # Determine Base Tags
       - name: Determine Base Tags
         env:
+          BASE_IMAGE_TAG: "${{ matrix.base_image != 'debian' && format('-{0}', matrix.base_image) || '' }}"
           REF_TYPE: ${{ github.ref_type }}
         run: |
           # Check which main tag we are going to build determined by ref_type
           if [[ "${REF_TYPE}" == "tag" ]]; then
-            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
+            echo "BASE_TAGS=latest${BASE_IMAGE_TAG},${GITHUB_REF#refs/*/}${BASE_IMAGE_TAG}${BASE_IMAGE_TAG//-/,}" | tee -a "${GITHUB_ENV}"
           elif [[ "${REF_TYPE}" == "branch" ]]; then
-            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
+            echo "BASE_TAGS=testing${BASE_IMAGE_TAG}" | tee -a "${GITHUB_ENV}"
           fi
 
       - name: Create manifest list, push it and extract digest SHA
         working-directory: ${{ runner.temp }}/digests
         env:
-          BASE_IMAGE_TAG: "${{ matrix.base_image != 'debian' && format('-{0}', matrix.base_image) || '' }}"
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
         run: |
-          set +e
           IFS=',' read -ra IMAGES <<< "${CONTAINER_REGISTRIES}"
           IFS=',' read -ra TAGS <<< "${BASE_TAGS}"
+
+          TAG_ARGS=()
           for img in "${IMAGES[@]}"; do
             for tag in "${TAGS[@]}"; do
-              echo "Creating manifest for ${img}:${tag}${BASE_IMAGE_TAG}"
-
-              OUTPUT=$(docker buildx imagetools create \
-                -t "${img}:${tag}${BASE_IMAGE_TAG}" \
-                $(printf "${img}@sha256:%s " *) 2>&1)
-              STATUS=$?
-
-              if [ ${STATUS} -ne 0 ]; then
-                echo "Manifest creation failed for ${img}:${tag}${BASE_IMAGE_TAG}"
-                echo "${OUTPUT}"
-              exit ${STATUS}
-              fi
-
-              echo "Manifest created for ${img}:${tag}${BASE_IMAGE_TAG}"
-              echo "${OUTPUT}"
+              TAG_ARGS+=("-t" "${img}:${tag}")
             done
           done
-          set -e
+
+          echo "Creating manifest"
+          if ! OUTPUT=$(docker buildx imagetools create \
+                          "${TAG_ARGS[@]}" \
+                          $(printf "${IMAGES[0]}@sha256:%s " *) 2>&1); then
+            echo "Manifest creation failed"
+            echo "${OUTPUT}"
+            exit 1
+          fi
+
+          echo "Manifest created successfully"
+          echo "${OUTPUT}"
 
           # Extract digest SHA for subsequent steps
           GET_DIGEST_SHA="$(echo "${OUTPUT}" | grep -oE 'sha256:[a-f0-9]{64}' | tail -1)"
@@ -360,7 +358,7 @@ jobs:
       # Attest container images
       - name: Attest - docker.io - ${{ matrix.base_image }}
         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
         with:
           subject-name: ${{ vars.DOCKERHUB_REPO }}
           subject-digest: ${{ env.DIGEST_SHA }}
@@ -368,7 +366,7 @@ jobs:
 
       - name: Attest - ghcr.io - ${{ matrix.base_image }}
         if: ${{ env.HAVE_GHCR_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
         with:
           subject-name: ${{ vars.GHCR_REPO }}
           subject-digest: ${{ env.DIGEST_SHA }}
@@ -376,7 +374,7 @@ jobs:
 
       - name: Attest - quay.io - ${{ matrix.base_image }}
         if: ${{ env.HAVE_QUAY_LOGIN == 'true' && env.DIGEST_SHA != ''}}
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
         with:
           subject-name: ${{ vars.QUAY_REPO }}
           subject-digest: ${{ env.DIGEST_SHA }}

.github/workflows/releasecache-cleanup.yml

@@ -1,6 +1,10 @@
 name: Cleanup
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
 on:
   workflow_dispatch:
     inputs:

.github/workflows/trivy.yml

@@ -1,6 +1,10 @@
 name: Trivy
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches:
@@ -34,7 +38,7 @@ jobs:
           persist-credentials: false
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
         env:
           TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
           TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
@@ -46,6 +50,6 @@ jobs:
           severity: CRITICAL,HIGH
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/typos.yml

@@ -1,7 +1,11 @@
 name: Code Spell Checking
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 on: [ push, pull_request ]
-permissions: {}
 
 jobs:
   typos:
@@ -19,4 +23,4 @@ jobs:
 
       # When this version is updated, do not forget to update this in `.pre-commit-config.yaml` too
       - name: Spell Check Repo
-        uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
+        uses: crate-ci/typos@57b11c6b7e54c402ccd9cda953f1072ec4f78e33 # v1.43.5

.github/workflows/zizmor.yml

@@ -1,4 +1,9 @@
 name: Security Analysis with zizmor
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 on:
   push:
@@ -6,8 +11,6 @@ on:
   pull_request:
     branches: ["**"]
 
-permissions: {}
-
 jobs:
   zizmor:
     name: Run zizmor
@@ -21,7 +24,7 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
         with:
           # intentionally not scanning the entire repository,
           # since it contains integration tests.

.pre-commit-config.yaml

@@ -53,6 +53,6 @@ repos:
         - "cd docker && make"
 # When this version is updated, do not forget to update this in `.github/workflows/typos.yaml` too
 - repo: https://github.com/crate-ci/typos
-  rev: 2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
+  rev: 57b11c6b7e54c402ccd9cda953f1072ec4f78e33 # v1.43.5
   hooks:
     - id: typos

Cargo.toml

@@ -1,6 +1,6 @@
 [workspace.package]
 edition = "2021"
-rust-version = "1.90.0"
+rust-version = "1.91.0"
 license = "AGPL-3.0-only"
 repository = "https://github.com/dani-garcia/vaultwarden"
 publish = false
@@ -65,30 +65,30 @@ dotenvy = { version = "0.15.7", default-features = false }
 # Numerical libraries
 num-traits = "0.2.19"
 num-derive = "0.4.2"
-bigdecimal = "0.4.9"
+bigdecimal = "0.4.10"
 
 # Web framework
 rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false }
 rocket_ws = { version ="0.1.1" }
 
 # WebSockets libraries
-rmpv = "1.3.0" # MessagePack library
+rmpv = "1.3.1" # MessagePack library
 
 # Concurrent HashMap used for WebSocket messaging and favicons
 dashmap = "6.1.0"
 
 # Async futures
-futures = "0.3.31"
-tokio = { version = "1.48.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
-tokio-util = { version = "0.7.17", features = ["compat"]}
+futures = "0.3.32"
+tokio = { version = "1.49.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio-util = { version = "0.7.18", features = ["compat"]}
 
 # A generic serialization/deserialization framework
 serde = { version = "1.0.228", features = ["derive"] }
-serde_json = "1.0.145"
+serde_json = "1.0.149"
 
 # A safe, extensible ORM and Query builder
 # Currently pinned diesel to v2.3.3 as newer version break MySQL/MariaDB compatibility
-diesel = { version = "2.3.5", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.3.6", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.3.1"
 
 derive_more = { version = "2.1.1", features = ["from", "into", "as_ref", "deref", "display"] }
@@ -98,26 +98,26 @@ diesel-derive-newtype = "2.1.2"
 libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
-rand = "0.9.2"
+rand = "0.10.0"
 ring = "0.17.14"
 subtle = "2.6.1"
 
 # UUID generation
-uuid = { version = "1.19.0", features = ["v4"] }
+uuid = { version = "1.21.0", features = ["v4"] }
 
 # Date and time libraries
-chrono = { version = "0.4.42", features = ["clock", "serde"], default-features = false }
+chrono = { version = "0.4.43", features = ["clock", "serde"], default-features = false }
 chrono-tz = "0.10.4"
-time = "0.3.44"
+time = "0.3.47"
 
 # Job scheduler
 job_scheduler_ng = "2.4.0"
 
 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.9.0"
+data-encoding = "2.10.0"
 
 # JWT library
-jsonwebtoken = { version = "10.2.0", features = ["use_pem", "rust_crypto"], default-features = false }
+jsonwebtoken = { version = "10.3.0", features = ["use_pem", "rust_crypto"], default-features = false }
 
 # TOTP library
 totp-lite = "2.0.1"
@@ -133,7 +133,7 @@ webauthn-rs-proto = "0.5.4"
 webauthn-rs-core = "0.5.4"
 
 # Handling of URL's for WebAuthn and favicons
-url = "2.5.7"
+url = "2.5.8"
 
 # Email libraries
 lettre = { version = "0.11.19", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false }
@@ -141,7 +141,7 @@ percent-encoding = "2.3.2" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"
 
 # HTML Template library
-handlebars = { version = "6.3.2", features = ["dir_source"] }
+handlebars = { version = "6.4.0", features = ["dir_source"] }
 
 # HTTP client (Used for favicons, version check, DUO and HIBP API)
 reqwest = { version = "0.12.28", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
@@ -149,17 +149,17 @@ hickory-resolver = "0.25.2"
 
 # Favicon extraction libraries
 html5gum = "0.8.3"
-regex = { version = "1.12.2", features = ["std", "perf", "unicode-perl"], default-features = false }
+regex = { version = "1.12.3", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.2"
-bytes = "1.11.0"
-svg-hush = "0.9.5"
+bytes = "1.11.1"
+svg-hush = "0.9.6"
 
 # Cache function results (Used for version check and favicon fetching)
 cached = { version = "0.56.0", features = ["async"] }
 
 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.18.1"
-cookie_store = "0.22.0"
+cookie_store = "0.22.1"
 
 # Used by U2F, JWT and PostgreSQL
 openssl = "0.10.75"
@@ -172,7 +172,7 @@ pastey = "0.2.1"
 governor = "0.10.4"
 
 # OIDC for SSO
-openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] }
+openidconnect = { version = "4.0.1", features = ["reqwest", "rustls-tls"] }
 mini-moka = "0.10.3"
 
 # Check client versions for specific features.
@@ -197,10 +197,10 @@ grass_compiler = { version = "0.13.4", default-features = false }
 opendal = { version = "0.55.0", features = ["services-fs"], default-features = false }
 
 # For retrieving AWS credentials, including temporary SSO credentials
-anyhow = { version = "1.0.100", optional = true }
-aws-config = { version = "1.8.12", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.11", optional = true }
-aws-smithy-runtime-api = { version = "1.9.3", optional = true }
+anyhow = { version = "1.0.101", optional = true }
+aws-config = { version = "1.8.14", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+aws-credential-types = { version = "1.2.13", optional = true }
+aws-smithy-runtime-api = { version = "1.11.5", optional = true }
 http = { version = "1.4.0", optional = true }
 reqsign = { version = "0.16.5", optional = true }
 

docker/DockerSettings.yaml

@@ -1,11 +1,11 @@
 ---
-vault_version: "v2025.12.0"
-vault_image_digest: "sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613"
+vault_version: "v2026.1.1"
+vault_image_digest: "sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7"
 # Cross Compile Docker Helper Scripts v1.9.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707"
-rust_version: 1.92.0 # Rust version to be used
+rust_version: 1.93.1 # Rust version to be used
 debian_version: trixie # Debian release name to be used
 alpine_version: "3.23" # Alpine version to be used
 # For which platforms/architectures will we try to build images

docker/Dockerfile.alpine

@@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
-#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2026.1.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.1.1
+#     [docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
-#     [docker.io/vaultwarden/web-vault:v2025.12.0]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7
+#     [docker.io/vaultwarden/web-vault:v2026.1.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7 AS vault
 
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 and linux/arm64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.92.0 AS build_amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.92.0 AS build_arm64
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.92.0 AS build_armv7
-FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.92.0 AS build_armv6
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.93.1 AS build_amd64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.93.1 AS build_arm64
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.93.1 AS build_armv7
+FROM --platform=$BUILDPLATFORM ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.93.1 AS build_armv6
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006

docker/Dockerfile.debian

@@ -19,15 +19,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.12.0
-#     [docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2026.1.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2026.1.1
+#     [docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613
-#     [docker.io/vaultwarden/web-vault:v2025.12.0]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7
+#     [docker.io/vaultwarden/web-vault:v2026.1.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:bb7303efafdb7e2b41bee2c772e14f67676ae2c9047bd7bba80d3544d4162613 AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114ea5888f5738a7 AS vault
 
 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.92.0-slim-trixie AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.93.1-slim-trixie AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT

docker/Dockerfile.j2

@@ -19,13 +19,13 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }}
+#     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
+#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}
 #     [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}]
 #
 # - Conversely, to get the tag name from the digest:
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
-#     [docker.io/vaultwarden/web-vault:{{ vault_version }}]
+#     [docker.io/vaultwarden/web-vault:{{ vault_version | replace('+', '_') }}]
 #
 FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault
 

macros/Cargo.toml

@@ -13,8 +13,8 @@ path = "src/lib.rs"
 proc-macro = true
 
 [dependencies]
-quote = "1.0.42"
-syn = "2.0.111"
+quote = "1.0.44"
+syn = "2.0.114"
 
 [lints]
 workspace = true

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.92.0"
+channel = "1.93.1"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"

src/api/admin.rs

@@ -31,7 +31,7 @@ use crate::{
     http_client::make_http_request,
     mail,
     util::{
-        container_base_image, format_naive_datetime_local, get_display_size, get_web_vault_version,
+        container_base_image, format_naive_datetime_local, get_active_web_release, get_display_size,
         is_running_in_container, NumberOrString,
     },
     CONFIG, VERSION,
@@ -689,6 +689,26 @@ async fn get_ntp_time(has_http_access: bool) -> String {
     String::from("Unable to fetch NTP time.")
 }
 
+fn web_vault_compare(active: &str, latest: &str) -> i8 {
+    use semver::Version;
+    use std::cmp::Ordering;
+
+    let active_semver = Version::parse(active).unwrap_or_else(|e| {
+        warn!("Unable to parse active web-vault version '{active}': {e}");
+        Version::parse("2025.1.1").unwrap()
+    });
+    let latest_semver = Version::parse(latest).unwrap_or_else(|e| {
+        warn!("Unable to parse latest web-vault version '{latest}': {e}");
+        Version::parse("2025.1.1").unwrap()
+    });
+
+    match active_semver.cmp(&latest_semver) {
+        Ordering::Less => -1,
+        Ordering::Equal => 0,
+        Ordering::Greater => 1,
+    }
+}
+
 #[get("/diagnostics")]
 async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> ApiResult<Html<String>> {
     use chrono::prelude::*;
@@ -708,32 +728,21 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, conn: DbConn) -> A
         _ => "Unable to resolve domain name.".to_string(),
     };
 
-    let (latest_release, latest_commit, latest_web_build) = get_release_info(has_http_access).await;
+    let (latest_vw_release, latest_vw_commit, latest_web_release) = get_release_info(has_http_access).await;
+    let active_web_release = get_active_web_release();
+    let web_vault_compare = web_vault_compare(&active_web_release, &latest_web_release);
 
     let ip_header_name = &ip_header.0.unwrap_or_default();
 
-    // Get current running versions
-    let web_vault_version = get_web_vault_version();
-
-    // Check if the running version is newer than the latest stable released version
-    let web_vault_pre_release = if let Ok(web_ver_match) = semver::VersionReq::parse(&format!(">{latest_web_build}")) {
-        web_ver_match.matches(
-            &semver::Version::parse(&web_vault_version).unwrap_or_else(|_| semver::Version::parse("2025.1.1").unwrap()),
-        )
-    } else {
-        error!("Unable to parse latest_web_build: '{latest_web_build}'");
-        false
-    };
-
     let diagnostics_json = json!({
         "dns_resolved": dns_resolved,
         "current_release": VERSION,
-        "latest_release": latest_release,
-        "latest_commit": latest_commit,
+        "latest_release": latest_vw_release,
+        "latest_commit": latest_vw_commit,
         "web_vault_enabled": &CONFIG.web_vault_enabled(),
-        "web_vault_version": web_vault_version,
-        "latest_web_build": latest_web_build,
-        "web_vault_pre_release": web_vault_pre_release,
+        "active_web_release": active_web_release,
+        "latest_web_release": latest_web_release,
+        "web_vault_compare": web_vault_compare,
         "running_within_container": running_within_container,
         "container_base_image": if running_within_container { container_base_image() } else { "Not applicable" },
         "has_http_access": has_http_access,
@@ -844,3 +853,32 @@ impl<'r> FromRequest<'r> for AdminToken {
         })
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn validate_web_vault_compare() {
+        // web_vault_compare(active, latest)
+        // Test normal versions
+        assert!(web_vault_compare("2025.12.0", "2025.12.1") == -1);
+        assert!(web_vault_compare("2025.12.1", "2025.12.1") == 0);
+        assert!(web_vault_compare("2025.12.2", "2025.12.1") == 1);
+
+        // Test patched/+build.n versions
+        // Newer latest version
+        assert!(web_vault_compare("2025.12.0+build.1", "2025.12.1") == -1);
+        assert!(web_vault_compare("2025.12.1", "2025.12.1+build.1") == -1);
+        assert!(web_vault_compare("2025.12.0+build.1", "2025.12.1+build.1") == -1);
+        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1+build.2") == -1);
+        // Equal versions
+        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1+build.1") == 0);
+        assert!(web_vault_compare("2025.12.2+build.2", "2025.12.2+build.2") == 0);
+        // Newer active version
+        assert!(web_vault_compare("2025.12.1+build.1", "2025.12.1") == 1);
+        assert!(web_vault_compare("2025.12.2", "2025.12.1+build.1") == 1);
+        assert!(web_vault_compare("2025.12.2+build.1", "2025.12.1+build.1") == 1);
+        assert!(web_vault_compare("2025.12.1+build.3", "2025.12.1+build.2") == 1);
+    }
+}

src/api/core/accounts.rs

@@ -33,7 +33,6 @@ use rocket::{
 
 pub fn routes() -> Vec<rocket::Route> {
     routes![
-        register,
         profile,
         put_profile,
         post_profile,
@@ -168,11 +167,6 @@ async fn is_email_2fa_required(member_id: Option<MembershipId>, conn: &DbConn) -
     false
 }
 
-#[post("/accounts/register", data = "<data>")]
-async fn register(data: Json<RegisterData>, conn: DbConn) -> JsonResult {
-    _register(data, false, conn).await
-}
-
 pub async fn _register(data: Json<RegisterData>, email_verification: bool, conn: DbConn) -> JsonResult {
     let mut data: RegisterData = data.into_inner();
     let email = data.email.to_lowercase();
@@ -1199,10 +1193,9 @@ async fn password_hint(data: Json<PasswordHintData>, conn: DbConn) -> EmptyResul
                 // There is still a timing side channel here in that the code
                 // paths that send mail take noticeably longer than ones that
                 // don't. Add a randomized sleep to mitigate this somewhat.
-                use rand::{rngs::SmallRng, Rng, SeedableRng};
-                let mut rng = SmallRng::from_os_rng();
-                let delta: i32 = 100;
-                let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
+                use rand::{rngs::SmallRng, RngExt};
+                let mut rng: SmallRng = rand::make_rng();
+                let sleep_ms = rng.random_range(900..=1100) as u64;
                 tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
                 Ok(())
             } else {
@@ -1704,6 +1697,6 @@ pub async fn purge_auth_requests(pool: DbPool) {
     if let Ok(conn) = pool.get().await {
         AuthRequest::purge_expired_auth_requests(&conn).await;
     } else {
-        error!("Failed to get DB connection while purging trashed ciphers")
+        error!("Failed to get DB connection while purging auth requests")
     }
 }

src/api/core/ciphers.rs

@@ -715,9 +715,13 @@ async fn put_cipher_partial(
     let data: PartialCipherData = data.into_inner();
 
     let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).await else {
-        err!("Cipher doesn't exist")
+        err!("Cipher does not exist")
     };
 
+    if !cipher.is_accessible_to_user(&headers.user.uuid, &conn).await {
+        err!("Cipher does not exist", "Cipher is not accessible for the current user")
+    }
+
     if let Some(ref folder_id) = data.folder_id {
         if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none() {
             err!("Invalid folder", "Folder does not exist or belongs to another user");

src/api/core/organizations.rs

@@ -36,12 +36,9 @@ pub fn routes() -> Vec<Route> {
         get_org_collections_details,
         get_org_collection_detail,
         get_collection_users,
-        put_collection_users,
         put_organization,
         post_organization,
         post_organization_collections,
-        delete_organization_collection_member,
-        post_organization_collection_delete_member,
         post_bulk_access_collections,
         post_organization_collection_update,
         put_organization_collection_update,
@@ -64,28 +61,20 @@ pub fn routes() -> Vec<Route> {
         put_member,
         delete_member,
         bulk_delete_member,
-        post_delete_member,
         post_org_import,
         list_policies,
         list_policies_token,
         get_master_password_policy,
         get_policy,
         put_policy,
-        get_organization_tax,
+        put_policy_vnext,
         get_plans,
-        get_plans_all,
-        get_plans_tax_rates,
-        import,
         post_org_keys,
         get_organization_keys,
         get_organization_public_key,
         bulk_public_keys,
-        deactivate_member,
-        bulk_deactivate_members,
         revoke_member,
         bulk_revoke_members,
-        activate_member,
-        bulk_activate_members,
         restore_member,
         bulk_restore_members,
         get_groups,
@@ -100,10 +89,6 @@ pub fn routes() -> Vec<Route> {
         bulk_delete_groups,
         get_group_members,
         put_group_members,
-        get_user_groups,
-        post_user_groups,
-        put_user_groups,
-        delete_group_member,
         post_delete_group_member,
         put_reset_password_enrollment,
         get_reset_password_details,
@@ -380,6 +365,11 @@ async fn get_org_collections(org_id: OrganizationId, headers: ManagerHeadersLoos
     if org_id != headers.membership.org_uuid {
         err!("Organization not found", "Organization id's do not match");
     }
+
+    if !headers.membership.has_full_access() {
+        err_code!("Resource not found.", "User does not have full access", rocket::http::Status::NotFound.code);
+    }
+
     Ok(Json(json!({
         "data": _get_org_collections(&org_id, &conn).await,
         "object": "list",
@@ -392,7 +382,6 @@ async fn get_org_collections_details(org_id: OrganizationId, headers: ManagerHea
     if org_id != headers.membership.org_uuid {
         err!("Organization not found", "Organization id's do not match");
     }
-    let mut data = Vec::new();
 
     let Some(member) = Membership::find_by_user_and_org(&headers.user.uuid, &org_id, &conn).await else {
         err!("User is not part of organization")
@@ -424,6 +413,7 @@ async fn get_org_collections_details(org_id: OrganizationId, headers: ManagerHea
         })
         .collect();
 
+    let mut data = Vec::new();
     for col in Collection::find_by_organization(&org_id, &conn).await {
         // check whether the current user has access to the given collection
         let assigned = has_full_access_to_org
@@ -566,6 +556,10 @@ async fn post_bulk_access_collections(
             err!("Collection not found")
         };
 
+        if !collection.is_manageable_by_user(&headers.membership.user_uuid, &conn).await {
+            err!("Collection not found", "The current user isn't a manager for this collection")
+        }
+
         // update collection modification date
         collection.save(&conn).await?;
 
@@ -682,43 +676,6 @@ async fn post_organization_collection_update(
     Ok(Json(collection.to_json_details(&headers.user.uuid, None, &conn).await))
 }
 
-#[delete("/organizations/<org_id>/collections/<col_id>/user/<member_id>")]
-async fn delete_organization_collection_member(
-    org_id: OrganizationId,
-    col_id: CollectionId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    let Some(collection) = Collection::find_by_uuid_and_org(&col_id, &org_id, &conn).await else {
-        err!("Collection not found", "Collection does not exist or does not belong to this organization")
-    };
-
-    match Membership::find_by_uuid_and_org(&member_id, &org_id, &conn).await {
-        None => err!("User not found in organization"),
-        Some(member) => {
-            match CollectionUser::find_by_collection_and_user(&collection.uuid, &member.user_uuid, &conn).await {
-                None => err!("User not assigned to collection"),
-                Some(col_user) => col_user.delete(&conn).await,
-            }
-        }
-    }
-}
-
-#[post("/organizations/<org_id>/collections/<col_id>/delete-user/<member_id>")]
-async fn post_organization_collection_delete_member(
-    org_id: OrganizationId,
-    col_id: CollectionId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    delete_organization_collection_member(org_id, col_id, member_id, headers, conn).await
-}
-
 async fn _delete_organization_collection(
     org_id: &OrganizationId,
     col_id: &CollectionId,
@@ -887,41 +844,6 @@ async fn get_collection_users(
     Ok(Json(json!(member_list)))
 }
 
-#[put("/organizations/<org_id>/collections/<col_id>/users", data = "<data>")]
-async fn put_collection_users(
-    org_id: OrganizationId,
-    col_id: CollectionId,
-    data: Json<Vec<CollectionMembershipData>>,
-    headers: ManagerHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    // Get org and collection, check that collection is from org
-    if Collection::find_by_uuid_and_org(&col_id, &org_id, &conn).await.is_none() {
-        err!("Collection not found in Organization")
-    }
-
-    // Delete all the user-collections
-    CollectionUser::delete_all_by_collection(&col_id, &conn).await?;
-
-    // And then add all the received ones (except if the user has access_all)
-    for d in data.iter() {
-        let Some(user) = Membership::find_by_uuid_and_org(&d.id, &org_id, &conn).await else {
-            err!("User is not part of organization")
-        };
-
-        if user.access_all {
-            continue;
-        }
-
-        CollectionUser::save(&user.user_uuid, &col_id, d.read_only, d.hide_passwords, d.manage, &conn).await?;
-    }
-
-    Ok(())
-}
-
 #[derive(FromForm)]
 struct OrgIdData {
     #[field(name = "organizationId")]
@@ -929,11 +851,15 @@ struct OrgIdData {
 }
 
 #[get("/ciphers/organization-details?<data..>")]
-async fn get_org_details(data: OrgIdData, headers: OrgMemberHeaders, conn: DbConn) -> JsonResult {
+async fn get_org_details(data: OrgIdData, headers: ManagerHeadersLoose, conn: DbConn) -> JsonResult {
     if data.organization_id != headers.membership.org_uuid {
         err_code!("Resource not found.", "Organization id's do not match", rocket::http::Status::NotFound.code);
     }
 
+    if !headers.membership.has_full_access() {
+        err_code!("Resource not found.", "User does not have full access", rocket::http::Status::NotFound.code);
+    }
+
     Ok(Json(json!({
         "data": _get_org_details(&data.organization_id, &headers.host, &headers.user.uuid, &conn).await?,
         "object": "list",
@@ -1715,17 +1641,6 @@ async fn delete_member(
     _delete_member(&org_id, &member_id, &headers, &conn, &nt).await
 }
 
-#[post("/organizations/<org_id>/users/<member_id>/delete")]
-async fn post_delete_member(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-    nt: Notify<'_>,
-) -> EmptyResult {
-    _delete_member(&org_id, &member_id, &headers, &conn, &nt).await
-}
-
 async fn _delete_member(
     org_id: &OrganizationId,
     member_id: &MembershipId,
@@ -2178,14 +2093,26 @@ async fn put_policy(
     Ok(Json(policy.to_json()))
 }
 
-#[allow(unused_variables)]
-#[get("/organizations/<org_id>/tax")]
-fn get_organization_tax(org_id: OrganizationId, _headers: Headers) -> Json<Value> {
-    // Prevent a 404 error, which also causes Javascript errors.
-    // Upstream sends "Only allowed when not self hosted." As an error message.
-    // If we do the same it will also output this to the log, which is overkill.
-    // An empty list/data also works fine.
-    Json(_empty_data_json())
+#[derive(Deserialize)]
+struct PolicyDataVnext {
+    policy: PolicyData,
+    // Ignore metadata for now as we do not yet support this
+    // "metadata": {
+    //     "defaultUserCollectionName": "2.xx|xx==|xx="
+    // }
+}
+
+#[put("/organizations/<org_id>/policies/<pol_type>/vnext", data = "<data>")]
+async fn put_policy_vnext(
+    org_id: OrganizationId,
+    pol_type: i32,
+    data: Json<PolicyDataVnext>,
+    headers: AdminHeaders,
+    conn: DbConn,
+) -> JsonResult {
+    let data: PolicyDataVnext = data.into_inner();
+    let policy: PolicyData = data.policy;
+    put_policy(org_id, pol_type, Json(policy), headers, conn).await
 }
 
 #[get("/plans")]
@@ -2216,17 +2143,6 @@ fn get_plans() -> Json<Value> {
     }))
 }
 
-#[get("/plans/all")]
-fn get_plans_all() -> Json<Value> {
-    get_plans()
-}
-
-#[get("/plans/sales-tax-rates")]
-fn get_plans_tax_rates(_headers: Headers) -> Json<Value> {
-    // Prevent a 404 error, which also causes Javascript errors.
-    Json(_empty_data_json())
-}
-
 #[get("/organizations/<_org_id>/billing/metadata")]
 fn get_billing_metadata(_org_id: OrganizationId, _headers: Headers) -> Json<Value> {
     // Prevent a 404 error, which also causes Javascript errors.
@@ -2251,174 +2167,12 @@ fn _empty_data_json() -> Value {
     })
 }
 
-#[derive(Deserialize, Debug)]
-#[serde(rename_all = "camelCase")]
-struct OrgImportGroupData {
-    #[allow(dead_code)]
-    name: String, // "GroupName"
-    #[allow(dead_code)]
-    external_id: String, // "cn=GroupName,ou=Groups,dc=example,dc=com"
-    #[allow(dead_code)]
-    users: Vec<String>, // ["uid=user,ou=People,dc=example,dc=com"]
-}
-
-#[derive(Deserialize, Debug)]
-#[serde(rename_all = "camelCase")]
-struct OrgImportUserData {
-    email: String, // "user@maildomain.net"
-    #[allow(dead_code)]
-    external_id: String, // "uid=user,ou=People,dc=example,dc=com"
-    deleted: bool,
-}
-
-#[derive(Deserialize, Debug)]
-#[serde(rename_all = "camelCase")]
-struct OrgImportData {
-    #[allow(dead_code)]
-    groups: Vec<OrgImportGroupData>,
-    overwrite_existing: bool,
-    users: Vec<OrgImportUserData>,
-}
-
-/// This function seems to be deprecated
-/// It is only used with older directory connectors
-/// TODO: Cleanup Tech debt
-#[post("/organizations/<org_id>/import", data = "<data>")]
-async fn import(org_id: OrganizationId, data: Json<OrgImportData>, headers: Headers, conn: DbConn) -> EmptyResult {
-    let data = data.into_inner();
-
-    // TODO: Currently we aren't storing the externalId's anywhere, so we also don't have a way
-    // to differentiate between auto-imported users and manually added ones.
-    // This means that this endpoint can end up removing users that were added manually by an admin,
-    // as opposed to upstream which only removes auto-imported users.
-
-    // User needs to be admin or owner to use the Directory Connector
-    match Membership::find_by_user_and_org(&headers.user.uuid, &org_id, &conn).await {
-        Some(member) if member.atype >= MembershipType::Admin => { /* Okay, nothing to do */ }
-        Some(_) => err!("User has insufficient permissions to use Directory Connector"),
-        None => err!("User not part of organization"),
-    };
-
-    for user_data in &data.users {
-        if user_data.deleted {
-            // If user is marked for deletion and it exists, delete it
-            if let Some(member) = Membership::find_by_email_and_org(&user_data.email, &org_id, &conn).await {
-                log_event(
-                    EventType::OrganizationUserRemoved as i32,
-                    &member.uuid,
-                    &org_id,
-                    &headers.user.uuid,
-                    headers.device.atype,
-                    &headers.ip.ip,
-                    &conn,
-                )
-                .await;
-
-                member.delete(&conn).await?;
-            }
-
-        // If user is not part of the organization, but it exists
-        } else if Membership::find_by_email_and_org(&user_data.email, &org_id, &conn).await.is_none() {
-            if let Some(user) = User::find_by_mail(&user_data.email, &conn).await {
-                let member_status = if CONFIG.mail_enabled() {
-                    MembershipStatus::Invited as i32
-                } else {
-                    MembershipStatus::Accepted as i32 // Automatically mark user as accepted if no email invites
-                };
-
-                let mut new_member =
-                    Membership::new(user.uuid.clone(), org_id.clone(), Some(headers.user.email.clone()));
-                new_member.access_all = false;
-                new_member.atype = MembershipType::User as i32;
-                new_member.status = member_status;
-
-                if CONFIG.mail_enabled() {
-                    let org_name = match Organization::find_by_uuid(&org_id, &conn).await {
-                        Some(org) => org.name,
-                        None => err!("Error looking up organization"),
-                    };
-
-                    mail::send_invite(
-                        &user,
-                        org_id.clone(),
-                        new_member.uuid.clone(),
-                        &org_name,
-                        Some(headers.user.email.clone()),
-                    )
-                    .await?;
-                }
-
-                // Save the member after sending an email
-                // If sending fails the member will not be saved to the database, and will not result in the admin needing to reinvite the users manually
-                new_member.save(&conn).await?;
-
-                log_event(
-                    EventType::OrganizationUserInvited as i32,
-                    &new_member.uuid,
-                    &org_id,
-                    &headers.user.uuid,
-                    headers.device.atype,
-                    &headers.ip.ip,
-                    &conn,
-                )
-                .await;
-            }
-        }
-    }
-
-    // If this flag is enabled, any user that isn't provided in the Users list will be removed (by default they will be kept unless they have Deleted == true)
-    if data.overwrite_existing {
-        for member in Membership::find_by_org_and_type(&org_id, MembershipType::User, &conn).await {
-            if let Some(user_email) = User::find_by_uuid(&member.user_uuid, &conn).await.map(|u| u.email) {
-                if !data.users.iter().any(|u| u.email == user_email) {
-                    log_event(
-                        EventType::OrganizationUserRemoved as i32,
-                        &member.uuid,
-                        &org_id,
-                        &headers.user.uuid,
-                        headers.device.atype,
-                        &headers.ip.ip,
-                        &conn,
-                    )
-                    .await;
-
-                    member.delete(&conn).await?;
-                }
-            }
-        }
-    }
-
-    Ok(())
-}
-
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/<member_id>/deactivate")]
-async fn deactivate_member(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    _revoke_member(&org_id, &member_id, &headers, &conn).await
-}
-
 #[derive(Deserialize, Debug)]
 #[serde(rename_all = "camelCase")]
 struct BulkRevokeMembershipIds {
     ids: Option<Vec<MembershipId>>,
 }
 
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/deactivate", data = "<data>")]
-async fn bulk_deactivate_members(
-    org_id: OrganizationId,
-    data: Json<BulkRevokeMembershipIds>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> JsonResult {
-    bulk_revoke_members(org_id, data, headers, conn).await
-}
-
 #[put("/organizations/<org_id>/users/<member_id>/revoke")]
 async fn revoke_member(
     org_id: OrganizationId,
@@ -2512,28 +2266,6 @@ async fn _revoke_member(
     Ok(())
 }
 
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/<member_id>/activate")]
-async fn activate_member(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    _restore_member(&org_id, &member_id, &headers, &conn).await
-}
-
-// Pre web-vault v2022.9.x endpoint
-#[put("/organizations/<org_id>/users/activate", data = "<data>")]
-async fn bulk_activate_members(
-    org_id: OrganizationId,
-    data: Json<BulkMembershipIds>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> JsonResult {
-    bulk_restore_members(org_id, data, headers, conn).await
-}
-
 #[put("/organizations/<org_id>/users/<member_id>/restore")]
 async fn restore_member(
     org_id: OrganizationId,
@@ -3002,88 +2734,6 @@ async fn put_group_members(
     Ok(())
 }
 
-#[get("/organizations/<org_id>/users/<member_id>/groups")]
-async fn get_user_groups(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> JsonResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    if !CONFIG.org_groups_enabled() {
-        err!("Group support is disabled");
-    }
-
-    if Membership::find_by_uuid_and_org(&member_id, &org_id, &conn).await.is_none() {
-        err!("User could not be found!")
-    };
-
-    let user_groups: Vec<GroupId> =
-        GroupUser::find_by_member(&member_id, &conn).await.iter().map(|entry| entry.groups_uuid.clone()).collect();
-
-    Ok(Json(json!(user_groups)))
-}
-
-#[derive(Deserialize)]
-#[serde(rename_all = "camelCase")]
-struct OrganizationUserUpdateGroupsRequest {
-    group_ids: Vec<GroupId>,
-}
-
-#[post("/organizations/<org_id>/users/<member_id>/groups", data = "<data>")]
-async fn post_user_groups(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    data: Json<OrganizationUserUpdateGroupsRequest>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    put_user_groups(org_id, member_id, data, headers, conn).await
-}
-
-#[put("/organizations/<org_id>/users/<member_id>/groups", data = "<data>")]
-async fn put_user_groups(
-    org_id: OrganizationId,
-    member_id: MembershipId,
-    data: Json<OrganizationUserUpdateGroupsRequest>,
-    headers: AdminHeaders,
-    conn: DbConn,
-) -> EmptyResult {
-    if org_id != headers.org_id {
-        err!("Organization not found", "Organization id's do not match");
-    }
-    if !CONFIG.org_groups_enabled() {
-        err!("Group support is disabled");
-    }
-
-    if Membership::find_by_uuid_and_org(&member_id, &org_id, &conn).await.is_none() {
-        err!("User could not be found or does not belong to the organization.");
-    }
-
-    GroupUser::delete_all_by_member(&member_id, &conn).await?;
-
-    let assigned_group_ids = data.into_inner();
-    for assigned_group_id in assigned_group_ids.group_ids {
-        let mut group_user = GroupUser::new(assigned_group_id.clone(), member_id.clone());
-        group_user.save(&conn).await?;
-    }
-
-    log_event(
-        EventType::OrganizationUserUpdatedGroups as i32,
-        &member_id,
-        &org_id,
-        &headers.user.uuid,
-        headers.device.atype,
-        &headers.ip.ip,
-        &conn,
-    )
-    .await;
-
-    Ok(())
-}
-
 #[post("/organizations/<org_id>/groups/<group_id>/delete-user/<member_id>")]
 async fn post_delete_group_member(
     org_id: OrganizationId,
@@ -3091,17 +2741,6 @@ async fn post_delete_group_member(
     member_id: MembershipId,
     headers: AdminHeaders,
     conn: DbConn,
-) -> EmptyResult {
-    delete_group_member(org_id, group_id, member_id, headers, conn).await
-}
-
-#[delete("/organizations/<org_id>/groups/<group_id>/users/<member_id>")]
-async fn delete_group_member(
-    org_id: OrganizationId,
-    group_id: GroupId,
-    member_id: MembershipId,
-    headers: AdminHeaders,
-    conn: DbConn,
 ) -> EmptyResult {
     if org_id != headers.org_id {
         err!("Organization not found", "Organization id's do not match");
@@ -3207,7 +2846,7 @@ async fn put_reset_password(
 
     // Sending email before resetting password to ensure working email configuration and the resulting
     // user notification. Also this might add some protection against security flaws and misuse
-    if let Err(e) = mail::send_admin_reset_password(&user.email, &user.name, &org.name).await {
+    if let Err(e) = mail::send_admin_reset_password(&user.email, user.display_name(), &org.name).await {
         err!(format!("Error sending user reset password email: {e:#?}"));
     }
 

src/api/core/two_factor/email.rs

@@ -7,10 +7,10 @@ use crate::{
         core::{log_user_event, two_factor::_generate_recover_code},
         EmptyResult, JsonResult, PasswordOrOtpData,
     },
-    auth::Headers,
+    auth::{ClientHeaders, Headers},
     crypto,
     db::{
-        models::{DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
+        models::{AuthRequest, AuthRequestId, DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
         DbConn,
     },
     error::{Error, MapResult},
@@ -30,35 +30,63 @@ struct SendEmailLoginData {
     email: Option<String>,
     #[serde(alias = "MasterPasswordHash")]
     master_password_hash: Option<String>,
+    auth_request_id: Option<AuthRequestId>,
+    auth_request_access_code: Option<String>,
 }
 
 /// User is trying to login and wants to use email 2FA.
 /// Does not require Bearer token
 #[post("/two-factor/send-email-login", data = "<data>")] // JsonResult
-async fn send_email_login(data: Json<SendEmailLoginData>, conn: DbConn) -> EmptyResult {
+async fn send_email_login(data: Json<SendEmailLoginData>, client_headers: ClientHeaders, conn: DbConn) -> EmptyResult {
     let data: SendEmailLoginData = data.into_inner();
 
     if !CONFIG._enable_email_2fa() {
         err!("Email 2FA is disabled")
     }
 
+    // Ratelimit the login
+    crate::ratelimit::check_limit_login(&client_headers.ip.ip)?;
+
     // Get the user
     let email = match &data.email {
         Some(email) if !email.is_empty() => Some(email),
         _ => None,
     };
-    let user = if let Some(email) = email {
-        let Some(master_password_hash) = &data.master_password_hash else {
-            err!("No password hash has been submitted.")
-        };
+    let master_password_hash = match &data.master_password_hash {
+        Some(password_hash) if !password_hash.is_empty() => Some(password_hash),
+        _ => None,
+    };
+    let auth_request_id = match &data.auth_request_id {
+        Some(auth_request_id) if !auth_request_id.is_empty() => Some(auth_request_id),
+        _ => None,
+    };
 
+    let user = if let Some(email) = email {
         let Some(user) = User::find_by_mail(email, &conn).await else {
             err!("Username or password is incorrect. Try again.")
         };
 
-        // Check password
-        if !user.check_valid_password(master_password_hash) {
-            err!("Username or password is incorrect. Try again.")
+        if let Some(master_password_hash) = master_password_hash {
+            // Check password
+            if !user.check_valid_password(master_password_hash) {
+                err!("Username or password is incorrect. Try again.")
+            }
+        } else if let Some(auth_request_id) = auth_request_id {
+            let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_id, &conn).await else {
+                err!("AuthRequest doesn't exist", "User not found")
+            };
+            let Some(code) = &data.auth_request_access_code else {
+                err!("no auth request access code")
+            };
+
+            if auth_request.device_type != client_headers.device_type
+                || auth_request.request_ip != client_headers.ip.ip.to_string()
+                || !auth_request.check_access_code(code)
+            {
+                err!("AuthRequest doesn't exist", "Invalid device, IP or code")
+            }
+        } else {
+            err!("No password hash has been submitted.")
         }
 
         user

src/api/core/two_factor/mod.rs

@@ -9,7 +9,7 @@ use crate::{
         core::{log_event, log_user_event},
         EmptyResult, JsonResult, PasswordOrOtpData,
     },
-    auth::{ClientHeaders, Headers},
+    auth::Headers,
     crypto,
     db::{
         models::{
@@ -35,7 +35,6 @@ pub fn routes() -> Vec<Route> {
     let mut routes = routes![
         get_twofactor,
         get_recover,
-        recover,
         disable_twofactor,
         disable_twofactor_put,
         get_device_verification_settings,
@@ -76,54 +75,6 @@ async fn get_recover(data: Json<PasswordOrOtpData>, headers: Headers, conn: DbCo
     })))
 }
 
-#[derive(Deserialize)]
-#[serde(rename_all = "camelCase")]
-struct RecoverTwoFactor {
-    master_password_hash: String,
-    email: String,
-    recovery_code: String,
-}
-
-#[post("/two-factor/recover", data = "<data>")]
-async fn recover(data: Json<RecoverTwoFactor>, client_headers: ClientHeaders, conn: DbConn) -> JsonResult {
-    let data: RecoverTwoFactor = data.into_inner();
-
-    use crate::db::models::User;
-
-    // Get the user
-    let Some(mut user) = User::find_by_mail(&data.email, &conn).await else {
-        err!("Username or password is incorrect. Try again.")
-    };
-
-    // Check password
-    if !user.check_valid_password(&data.master_password_hash) {
-        err!("Username or password is incorrect. Try again.")
-    }
-
-    // Check if recovery code is correct
-    if !user.check_valid_recovery_code(&data.recovery_code) {
-        err!("Recovery code is incorrect. Try again.")
-    }
-
-    // Remove all twofactors from the user
-    TwoFactor::delete_all_by_user(&user.uuid, &conn).await?;
-    enforce_2fa_policy(&user, &user.uuid, client_headers.device_type, &client_headers.ip.ip, &conn).await?;
-
-    log_user_event(
-        EventType::UserRecovered2fa as i32,
-        &user.uuid,
-        client_headers.device_type,
-        &client_headers.ip.ip,
-        &conn,
-    )
-    .await;
-
-    // Remove the recovery code, not needed without twofactors
-    user.totp_recover = None;
-    user.save(&conn).await?;
-    Ok(Json(Value::Object(serde_json::Map::new())))
-}
-
 async fn _generate_recover_code(user: &mut User, conn: &DbConn) {
     if user.totp_recover.is_none() {
         let totp_recover = crypto::encode_random_bytes::<20>(&BASE32);

src/api/core/two_factor/webauthn.rs

@@ -144,7 +144,7 @@ async fn generate_webauthn_challenge(data: Json<PasswordOrOtpData>, headers: Hea
     let (mut challenge, state) = WEBAUTHN.start_passkey_registration(
         Uuid::from_str(&user.uuid).expect("Failed to parse UUID"), // Should never fail
         &user.email,
-        &user.name,
+        user.display_name(),
         Some(registrations),
     )?;
 

src/api/identity.rs

@@ -266,7 +266,7 @@ async fn _sso_login(
         Some((user, _)) if !user.enabled => {
             err!(
                 "This user has been disabled",
-                format!("IP: {}. Username: {}.", ip.ip, user.name),
+                format!("IP: {}. Username: {}.", ip.ip, user.display_name()),
                 ErrorEvent {
                     event: EventType::UserFailedLogIn
                 }
@@ -482,14 +482,18 @@ async fn authenticated_response(
         Value::Null
     };
 
-    let account_keys = json!({
-        "publicKeyEncryptionKeyPair": {
-            "wrappedPrivateKey": user.private_key,
-            "publicKey": user.public_key,
-            "Object": "publicKeyEncryptionKeyPair"
-        },
-        "Object": "privateKeys"
-    });
+    let account_keys = if user.private_key.is_some() {
+        json!({
+            "publicKeyEncryptionKeyPair": {
+                "wrappedPrivateKey": user.private_key,
+                "publicKey": user.public_key,
+                "Object": "publicKeyEncryptionKeyPair"
+            },
+            "Object": "privateKeys"
+        })
+    } else {
+        Value::Null
+    };
 
     let mut result = json!({
         "access_token": auth_tokens.access_token(),
@@ -521,7 +525,7 @@ async fn authenticated_response(
         result["TwoFactorToken"] = Value::String(token);
     }
 
-    info!("User {} logged in successfully. IP: {}", &user.name, ip.ip);
+    info!("User {} logged in successfully. IP: {}", user.display_name(), ip.ip);
     Ok(Json(result))
 }
 
@@ -610,6 +614,25 @@ async fn _user_api_key_login(
 
     info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);
 
+    let has_master_password = !user.password_hash.is_empty();
+    let master_password_unlock = if has_master_password {
+        json!({
+            "Kdf": {
+                "KdfType": user.client_kdf_type,
+                "Iterations": user.client_kdf_iter,
+                "Memory": user.client_kdf_memory,
+                "Parallelism": user.client_kdf_parallelism
+            },
+            // This field is named inconsistently and will be removed and replaced by the "wrapped" variant in the apps.
+            // https://github.com/bitwarden/android/blob/release/2025.12-rc41/network/src/main/kotlin/com/bitwarden/network/model/MasterPasswordUnlockDataJson.kt#L22-L26
+            "MasterKeyEncryptedUserKey": user.akey,
+            "MasterKeyWrappedUserKey": user.akey,
+            "Salt": user.email
+        })
+    } else {
+        Value::Null
+    };
+
     // Note: No refresh_token is returned. The CLI just repeats the
     // client_credentials login flow when the existing token expires.
     let result = json!({
@@ -625,6 +648,11 @@ async fn _user_api_key_login(
         "KdfParallelism": user.client_kdf_parallelism,
         "ResetMasterPassword": false, // TODO: according to official server seems something like: user.password_hash.is_empty(), but would need testing
         "scope": AuthMethod::UserApiKey.scope(),
+        "UserDecryptionOptions": {
+            "HasMasterPassword": has_master_password,
+            "MasterPasswordUnlock": master_password_unlock,
+            "Object": "userDecryptionOptions"
+        },
     });
 
     Ok(Json(result))
@@ -919,6 +947,7 @@ struct RegisterVerificationData {
 
 #[derive(rocket::Responder)]
 enum RegisterVerificationResponse {
+    #[response(status = 204)]
     NoContent(()),
     Token(Json<String>),
 }
@@ -946,12 +975,11 @@ async fn register_verification_email(
         let user = User::find_by_mail(&data.email, &conn).await;
         if user.filter(|u| u.private_key.is_some()).is_some() {
             // There is still a timing side channel here in that the code
-            // paths that send mail take noticeably longer than ones that
-            // don't. Add a randomized sleep to mitigate this somewhat.
-            use rand::{rngs::SmallRng, Rng, SeedableRng};
-            let mut rng = SmallRng::from_os_rng();
-            let delta: i32 = 100;
-            let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
+            // paths that send mail take noticeably longer than ones that don't.
+            // Add a randomized sleep to mitigate this somewhat.
+            use rand::{rngs::SmallRng, RngExt};
+            let mut rng: SmallRng = rand::make_rng();
+            let sleep_ms = rng.random_range(900..=1100) as u64;
             tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
         } else {
             mail::send_register_verify_email(&data.email, &token).await?;

src/api/mod.rs

@@ -47,6 +47,7 @@ pub type EmptyResult = ApiResult<()>;
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct PasswordOrOtpData {
+    #[serde(alias = "MasterPasswordHash")]
     master_password_hash: Option<String>,
     otp: Option<String>,
 }

src/api/web.rs

@@ -60,11 +60,13 @@ fn vaultwarden_css() -> Cached<Css<String>> {
         "mail_2fa_enabled": CONFIG._enable_email_2fa(),
         "mail_enabled": CONFIG.mail_enabled(),
         "sends_allowed": CONFIG.sends_allowed(),
+        "remember_2fa_disabled": CONFIG.disable_2fa_remember(),
+        "password_hints_allowed": CONFIG.password_hints_allowed(),
         "signup_disabled": CONFIG.is_signup_disabled(),
         "sso_enabled": CONFIG.sso_enabled(),
         "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
-        "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(),
         "webauthn_2fa_supported": CONFIG.is_webauthn_2fa_supported(),
+        "yubico_enabled": CONFIG._enable_yubico() && CONFIG.yubico_client_id().is_some() && CONFIG.yubico_secret_key().is_some(),
     });
 
     let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {
@@ -238,8 +240,8 @@ pub fn static_files(filename: &str) -> Result<(ContentType, &'static [u8]), Erro
         "jdenticon-3.3.0.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jdenticon-3.3.0.js"))),
         "datatables.js" => Ok((ContentType::JavaScript, include_bytes!("../static/scripts/datatables.js"))),
         "datatables.css" => Ok((ContentType::CSS, include_bytes!("../static/scripts/datatables.css"))),
-        "jquery-3.7.1.slim.js" => {
-            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-3.7.1.slim.js")))
+        "jquery-4.0.0.slim.js" => {
+            Ok((ContentType::JavaScript, include_bytes!("../static/scripts/jquery-4.0.0.slim.js")))
         }
         _ => err!(format!("Static file not found: {filename}")),
     }

src/auth.rs

@@ -826,7 +826,7 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
                         _ => err_handler!("Error getting DB"),
                     };
 
-                    if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await {
+                    if !Collection::is_coll_manageable_by_user(&col_id, &headers.membership.user_uuid, &conn).await {
                         err_handler!("The current user isn't a manager for this collection")
                     }
                 }
@@ -908,8 +908,8 @@ impl ManagerHeaders {
             if uuid::Uuid::parse_str(col_id.as_ref()).is_err() {
                 err!("Collection Id is malformed!");
             }
-            if !Collection::can_access_collection(&h.membership, col_id, conn).await {
-                err!("You don't have access to all collections!");
+            if !Collection::is_coll_manageable_by_user(col_id, &h.membership.user_uuid, conn).await {
+                err!("Collection not found", "The current user isn't a manager for this collection")
             }
         }
 
@@ -1210,8 +1210,20 @@ pub async fn refresh_tokens(
 ) -> ApiResult<(Device, AuthTokens)> {
     let refresh_claims = match decode_refresh(refresh_token) {
         Err(err) => {
-            debug!("Failed to decode {} refresh_token: {refresh_token}", ip.ip);
-            err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
+            error!("Failed to decode {} refresh_token: {refresh_token}: {err:?}", ip.ip);
+            //err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
+
+            // If the token failed to decode, it was probably one of the old style tokens that was just a Base64 string.
+            // We can generate a claim for them for backwards compatibility. Note that the password refresh claims don't
+            // check expiration or issuer, so they're not included here.
+            RefreshJwtClaims {
+                nbf: 0,
+                exp: 0,
+                iss: String::new(),
+                sub: AuthMethod::Password,
+                device_token: refresh_token.into(),
+                token: None,
+            }
         }
         Ok(claims) => claims,
     };

src/config.rs

@@ -14,7 +14,7 @@ use serde::de::{self, Deserialize, Deserializer, MapAccess, Visitor};
 
 use crate::{
     error::Error,
-    util::{get_env, get_env_bool, get_web_vault_version, is_valid_email, parse_experimental_client_feature_flags},
+    util::{get_active_web_release, get_env, get_env_bool, is_valid_email, parse_experimental_client_feature_flags},
 };
 
 static CONFIG_FILE: LazyLock<String> = LazyLock::new(|| {
@@ -1325,12 +1325,16 @@ fn generate_smtp_img_src(embed_images: bool, domain: &str) -> String {
     if embed_images {
         "cid:".to_string()
     } else {
-        format!("{domain}/vw_static/")
+        // normalize base_url
+        let base_url = domain.trim_end_matches('/');
+        format!("{base_url}/vw_static/")
     }
 }
 
 fn generate_sso_callback_path(domain: &str) -> String {
-    format!("{domain}/identity/connect/oidc-signin")
+    // normalize base_url
+    let base_url = domain.trim_end_matches('/');
+    format!("{base_url}/identity/connect/oidc-signin")
 }
 
 /// Generate the correct URL for the icon service.
@@ -1845,7 +1849,7 @@ fn to_json<'reg, 'rc>(
 // Configure the web-vault version as an integer so it can be used as a comparison smaller or greater then.
 // The default is based upon the version since this feature is added.
 static WEB_VAULT_VERSION: LazyLock<semver::Version> = LazyLock::new(|| {
-    let vault_version = get_web_vault_version();
+    let vault_version = get_active_web_release();
     // Use a single regex capture to extract version components
     let re = regex::Regex::new(r"(\d{4})\.(\d{1,2})\.(\d{1,2})").unwrap();
     re.captures(&vault_version)

src/crypto.rs

@@ -55,13 +55,13 @@ pub fn encode_random_bytes<const N: usize>(e: &Encoding) -> String {
 /// Generates a random string over a specified alphabet.
 pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
     // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
-    use rand::Rng;
+    use rand::RngExt;
     let mut rng = rand::rng();
 
     (0..num_chars)
         .map(|_| {
             let i = rng.random_range(0..alphabet.len());
-            alphabet[i] as char
+            char::from(alphabet[i])
         })
         .collect()
 }

src/db/models/auth_request.rs

@@ -177,7 +177,9 @@ impl AuthRequest {
     }
 
     pub async fn purge_expired_auth_requests(conn: &DbConn) {
-        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(5).unwrap(); //after 5 minutes, clients reject the request
+        // delete auth requests older than 15 minutes which is functionally equivalent to upstream:
+        // https://github.com/bitwarden/server/blob/f8ee2270409f7a13125cd414c450740af605a175/src/Sql/dbo/Auth/Stored%20Procedures/AuthRequest_DeleteIfExpired.sql
+        let expiry_time = Utc::now().naive_utc() - chrono::TimeDelta::try_minutes(15).unwrap();
         for auth_request in Self::find_created_before(&expiry_time, conn).await {
             auth_request.delete(conn).await.ok();
         }

src/db/models/collection.rs

@@ -513,7 +513,8 @@ impl Collection {
         }}
     }
 
-    pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
+    pub async fn is_coll_manageable_by_user(uuid: &CollectionId, user_uuid: &UserId, conn: &DbConn) -> bool {
+        let uuid = uuid.to_string();
         let user_uuid = user_uuid.to_string();
         db_run! { conn: {
             collections::table
@@ -538,9 +539,9 @@ impl Collection {
                     collections_groups::collections_uuid.eq(collections::uuid)
                 )
             ))
-            .filter(collections::uuid.eq(&self.uuid))
+            .filter(collections::uuid.eq(&uuid))
             .filter(
-                users_collections::collection_uuid.eq(&self.uuid).and(users_collections::manage.eq(true)).or(// Directly accessed collection
+                users_collections::collection_uuid.eq(&uuid).and(users_collections::manage.eq(true)).or(// Directly accessed collection
                     users_organizations::access_all.eq(true).or( // access_all in Organization
                         users_organizations::atype.le(MembershipType::Admin as i32) // Org admin or owner
                 )).or(
@@ -558,6 +559,10 @@ impl Collection {
             .unwrap_or(0) != 0
         }}
     }
+
+    pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
+        Self::is_coll_manageable_by_user(&self.uuid, user_uuid, conn).await
+    }
 }
 
 /// Database methods

src/db/models/user.rs

@@ -231,6 +231,15 @@ impl User {
     pub fn reset_stamp_exception(&mut self) {
         self.stamp_exception = None;
     }
+
+    pub fn display_name(&self) -> &str {
+        // default to email if name is empty
+        if !&self.name.is_empty() {
+            &self.name
+        } else {
+            &self.email
+        }
+    }
 }
 
 /// Database methods

src/mail.rs

@@ -302,10 +302,10 @@ pub async fn send_invite(
             .append_pair("organizationUserId", &member_id)
             .append_pair("token", &invite_token);
 
-        if CONFIG.sso_enabled() {
-            query_params.append_pair("orgUserHasExistingUser", "false");
+        if CONFIG.sso_enabled() && CONFIG.sso_only() {
             query_params.append_pair("orgSsoIdentifier", &org_id);
-        } else if user.private_key.is_some() {
+        }
+        if user.private_key.is_some() {
             query_params.append_pair("orgUserHasExistingUser", "true");
         }
     }

src/main.rs

@@ -126,7 +126,7 @@ fn parse_args() {
         exit(0);
     } else if pargs.contains(["-v", "--version"]) {
         config::SKIP_CONFIG_VALIDATION.store(true, Ordering::Relaxed);
-        let web_vault_version = util::get_web_vault_version();
+        let web_vault_version = util::get_active_web_release();
         println!("Vaultwarden {version}");
         println!("Web-Vault {web_vault_version}");
         exit(0);

src/static/scripts/admin_diagnostics.js

@@ -29,7 +29,7 @@ function isValidIp(ip) {
     return ipv4Regex.test(ip) || ipv6Regex.test(ip);
 }
 
-function checkVersions(platform, installed, latest, commit=null, pre_release=false) {
+function checkVersions(platform, installed, latest, commit=null, compare_order=0) {
     if (installed === "-" || latest === "-") {
         document.getElementById(`${platform}-failed`).classList.remove("d-none");
         return;
@@ -37,7 +37,7 @@ function checkVersions(platform, installed, latest, commit=null, pre_release=fal
 
     // Only check basic versions, no commit revisions
     if (commit === null || installed.indexOf("-") === -1) {
-        if (platform === "web" && pre_release === true) {
+        if (platform === "web" && compare_order === 1) {
             document.getElementById(`${platform}-prerelease`).classList.remove("d-none");
         } else if (installed == latest) {
             document.getElementById(`${platform}-success`).classList.remove("d-none");
@@ -83,7 +83,7 @@ async function generateSupportString(event, dj) {
     let supportString = "### Your environment (Generated via diagnostics page)\n\n";
 
     supportString += `* Vaultwarden version: v${dj.current_release}\n`;
-    supportString += `* Web-vault version: v${dj.web_vault_version}\n`;
+    supportString += `* Web-vault version: v${dj.active_web_release}\n`;
     supportString += `* OS/Arch: ${dj.host_os}/${dj.host_arch}\n`;
     supportString += `* Running within a container: ${dj.running_within_container} (Base: ${dj.container_base_image})\n`;
     supportString += `* Database type: ${dj.db_type}\n`;
@@ -208,9 +208,9 @@ function initVersionCheck(dj) {
     }
     checkVersions("server", serverInstalled, serverLatest, serverLatestCommit);
 
-    const webInstalled = dj.web_vault_version;
-    const webLatest = dj.latest_web_build;
-    checkVersions("web", webInstalled, webLatest, null, dj.web_vault_pre_release);
+    const webInstalled = dj.active_web_release;
+    const webLatest = dj.latest_web_release;
+    checkVersions("web", webInstalled, webLatest, null, dj.web_vault_compare);
 }
 
 function checkDns(dns_resolved) {

src/static/scripts/datatables.css

@@ -4,10 +4,10 @@
  *
  * To rebuild or modify this file with the latest versions of the included
  * software please visit:
- *   https://datatables.net/download/#bs5/dt-2.3.5
+ *   https://datatables.net/download/#bs5/dt-2.3.7
  *
  * Included libraries:
- *   DataTables 2.3.5
+ *   DataTables 2.3.7
  */
 
 :root {
@@ -88,42 +88,42 @@ table.dataTable thead > tr > th:active,
 table.dataTable thead > tr > td:active {
   outline: none;
 }
-table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before {
+table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before {
   position: absolute;
   display: block;
   bottom: 50%;
   content: "\25B2";
   content: "\25B2"/"";
 }
-table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
+table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
   position: absolute;
   display: block;
   top: 50%;
   content: "\25BC";
   content: "\25BC"/"";
 }
-table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order {
+table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order,
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order {
   position: relative;
   width: 12px;
-  height: 24px;
+  height: 20px;
 }
-table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-desc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-asc span.dt-column-order:after,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-desc span.dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
+table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-asc .dt-column-order:after, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:before, table.dataTable thead > tr > th.dt-orderable-desc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:after, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-asc .dt-column-order:after,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-desc .dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
   left: 0;
   opacity: 0.125;
   line-height: 9px;
@@ -140,15 +140,15 @@ table.dataTable thead > tr > td.dt-orderable-desc:hover {
   outline: 2px solid rgba(0, 0, 0, 0.05);
   outline-offset: -2px;
 }
-table.dataTable thead > tr > th.dt-ordering-asc span.dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc span.dt-column-order:after,
-table.dataTable thead > tr > td.dt-ordering-asc span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-ordering-desc span.dt-column-order:after {
+table.dataTable thead > tr > th.dt-ordering-asc .dt-column-order:before, table.dataTable thead > tr > th.dt-ordering-desc .dt-column-order:after,
+table.dataTable thead > tr > td.dt-ordering-asc .dt-column-order:before,
+table.dataTable thead > tr > td.dt-ordering-desc .dt-column-order:after {
   opacity: 0.6;
 }
-table.dataTable thead > tr > th.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) span.dt-column-order:empty, table.dataTable thead > tr > th.sorting_desc_disabled span.dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled span.dt-column-order:before,
-table.dataTable thead > tr > td.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) span.dt-column-order:empty,
-table.dataTable thead > tr > td.sorting_desc_disabled span.dt-column-order:after,
-table.dataTable thead > tr > td.sorting_asc_disabled span.dt-column-order:before {
+table.dataTable thead > tr > th.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) .dt-column-order:empty, table.dataTable thead > tr > th.sorting_desc_disabled .dt-column-order:after, table.dataTable thead > tr > th.sorting_asc_disabled .dt-column-order:before,
+table.dataTable thead > tr > td.dt-orderable-none:not(.dt-ordering-asc, .dt-ordering-desc) .dt-column-order:empty,
+table.dataTable thead > tr > td.sorting_desc_disabled .dt-column-order:after,
+table.dataTable thead > tr > td.sorting_asc_disabled .dt-column-order:before {
   display: none;
 }
 table.dataTable thead > tr > th:active,
@@ -169,24 +169,24 @@ table.dataTable tfoot > tr > td div.dt-column-footer {
   align-items: var(--dt-header-align-items);
   gap: 4px;
 }
-table.dataTable thead > tr > th div.dt-column-header span.dt-column-title,
-table.dataTable thead > tr > th div.dt-column-footer span.dt-column-title,
-table.dataTable thead > tr > td div.dt-column-header span.dt-column-title,
-table.dataTable thead > tr > td div.dt-column-footer span.dt-column-title,
-table.dataTable tfoot > tr > th div.dt-column-header span.dt-column-title,
-table.dataTable tfoot > tr > th div.dt-column-footer span.dt-column-title,
-table.dataTable tfoot > tr > td div.dt-column-header span.dt-column-title,
-table.dataTable tfoot > tr > td div.dt-column-footer span.dt-column-title {
+table.dataTable thead > tr > th div.dt-column-header .dt-column-title,
+table.dataTable thead > tr > th div.dt-column-footer .dt-column-title,
+table.dataTable thead > tr > td div.dt-column-header .dt-column-title,
+table.dataTable thead > tr > td div.dt-column-footer .dt-column-title,
+table.dataTable tfoot > tr > th div.dt-column-header .dt-column-title,
+table.dataTable tfoot > tr > th div.dt-column-footer .dt-column-title,
+table.dataTable tfoot > tr > td div.dt-column-header .dt-column-title,
+table.dataTable tfoot > tr > td div.dt-column-footer .dt-column-title {
   flex-grow: 1;
 }
-table.dataTable thead > tr > th div.dt-column-header span.dt-column-title:empty,
-table.dataTable thead > tr > th div.dt-column-footer span.dt-column-title:empty,
-table.dataTable thead > tr > td div.dt-column-header span.dt-column-title:empty,
-table.dataTable thead > tr > td div.dt-column-footer span.dt-column-title:empty,
-table.dataTable tfoot > tr > th div.dt-column-header span.dt-column-title:empty,
-table.dataTable tfoot > tr > th div.dt-column-footer span.dt-column-title:empty,
-table.dataTable tfoot > tr > td div.dt-column-header span.dt-column-title:empty,
-table.dataTable tfoot > tr > td div.dt-column-footer span.dt-column-title:empty {
+table.dataTable thead > tr > th div.dt-column-header .dt-column-title:empty,
+table.dataTable thead > tr > th div.dt-column-footer .dt-column-title:empty,
+table.dataTable thead > tr > td div.dt-column-header .dt-column-title:empty,
+table.dataTable thead > tr > td div.dt-column-footer .dt-column-title:empty,
+table.dataTable tfoot > tr > th div.dt-column-header .dt-column-title:empty,
+table.dataTable tfoot > tr > th div.dt-column-footer .dt-column-title:empty,
+table.dataTable tfoot > tr > td div.dt-column-header .dt-column-title:empty,
+table.dataTable tfoot > tr > td div.dt-column-footer .dt-column-title:empty {
   display: none;
 }
 
@@ -588,16 +588,16 @@ table.dataTable.table-sm > thead > tr td.dt-ordering-asc,
 table.dataTable.table-sm > thead > tr td.dt-ordering-desc {
   padding-right: 0.25rem;
 }
-table.dataTable.table-sm > thead > tr th.dt-orderable-asc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-orderable-desc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-asc span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-desc span.dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-orderable-asc span.dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-orderable-desc span.dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-ordering-asc span.dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-ordering-desc span.dt-column-order {
+table.dataTable.table-sm > thead > tr th.dt-orderable-asc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-orderable-desc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-asc .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-ordering-desc .dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-orderable-asc .dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-orderable-desc .dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-ordering-asc .dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-ordering-desc .dt-column-order {
   right: 0.25rem;
 }
-table.dataTable.table-sm > thead > tr th.dt-type-date span.dt-column-order, table.dataTable.table-sm > thead > tr th.dt-type-numeric span.dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-type-date span.dt-column-order,
-table.dataTable.table-sm > thead > tr td.dt-type-numeric span.dt-column-order {
+table.dataTable.table-sm > thead > tr th.dt-type-date .dt-column-order, table.dataTable.table-sm > thead > tr th.dt-type-numeric .dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-type-date .dt-column-order,
+table.dataTable.table-sm > thead > tr td.dt-type-numeric .dt-column-order {
   left: 0.25rem;
 }
 
@@ -606,7 +606,8 @@ div.dt-scroll-head table.table-bordered {
 }
 
 div.table-responsive > div.dt-container > div.row {
-  margin: 0;
+  margin-left: 0;
+  margin-right: 0;
 }
 div.table-responsive > div.dt-container > div.row > div[class^=col-]:first-child {
   padding-left: 0;

src/static/scripts/datatables.js

@@ -4,13 +4,13 @@
  *
  * To rebuild or modify this file with the latest versions of the included
  * software please visit:
- *   https://datatables.net/download/#bs5/dt-2.3.5
+ *   https://datatables.net/download/#bs5/dt-2.3.7
  *
  * Included libraries:
- *   DataTables 2.3.5
+ *   DataTables 2.3.7
  */
 
-/*! DataTables 2.3.5
+/*! DataTables 2.3.7
  * © SpryMedia Ltd - datatables.net/license
  */
 
@@ -186,7 +186,7 @@
 				"sDestroyWidth": $this[0].style.width,
 				"sInstance":     sId,
 				"sTableId":      sId,
-				colgroup: $('<colgroup>').prependTo(this),
+				colgroup: $('<colgroup>'),
 				fastData: function (row, column, type) {
 					return _fnGetCellData(oSettings, row, column, type);
 				}
@@ -259,6 +259,7 @@
 				"orderHandler",
 				"titleRow",
 				"typeDetect",
+				"columnTitleTag",
 				[ "iCookieDuration", "iStateDuration" ], // backwards compat
 				[ "oSearch", "oPreviousSearch" ],
 				[ "aoSearchCols", "aoPreSearchCols" ],
@@ -423,7 +424,7 @@
 			
 			if ( oSettings.caption ) {
 				if ( caption.length === 0 ) {
-					caption = $('<caption/>').appendTo( $this );
+					caption = $('<caption/>').prependTo( $this );
 				}
 			
 				caption.html( oSettings.caption );
@@ -436,6 +437,14 @@
 				oSettings.captionNode = caption[0];
 			}
 			
+			// Place the colgroup element in the correct location for the HTML structure
+			if (caption.length) {
+				oSettings.colgroup.insertAfter(caption);
+			}
+			else {
+				oSettings.colgroup.prependTo(oSettings.nTable);
+			}
+			
 			if ( thead.length === 0 ) {
 				thead = $('<thead/>').appendTo($this);
 			}
@@ -516,7 +525,7 @@
 		 *
 		 *  @type string
 		 */
-		builder: "bs5/dt-2.3.5",
+		builder: "bs5/dt-2.3.7",
 	
 		/**
 		 * Buttons. For use with the Buttons extension for DataTables. This is
@@ -1292,7 +1301,7 @@
 	};
 	
 	// Replaceable function in api.util
-	var _stripHtml = function (input) {
+	var _stripHtml = function (input, replacement) {
 		if (! input || typeof input !== 'string') {
 			return input;
 		}
@@ -1304,7 +1313,7 @@
 	
 		var previous;
 	
-		input = input.replace(_re_html, ''); // Complete tags
+		input = input.replace(_re_html, replacement || ''); // Complete tags
 	
 		// Safety for incomplete script tag - use do / while to ensure that
 		// we get all instances
@@ -1769,7 +1778,7 @@
 			}
 		},
 	
-		stripHtml: function (mixed) {
+		stripHtml: function (mixed, replacement) {
 			var type = typeof mixed;
 	
 			if (type === 'function') {
@@ -1777,7 +1786,7 @@
 				return;
 			}
 			else if (type === 'string') {
-				return _stripHtml(mixed);
+				return _stripHtml(mixed, replacement);
 			}
 			return mixed;
 		},
@@ -3379,7 +3388,7 @@
 						colspan++;
 					}
 	
-					var titleSpan = $('span.dt-column-title', cell);
+					var titleSpan = $('.dt-column-title', cell);
 	
 					structure[row][column] = {
 						cell: cell,
@@ -4093,8 +4102,8 @@
 						}
 	
 						// Wrap the column title so we can write to it in future
-						if ( $('span.dt-column-title', cell).length === 0) {
-							$('<span>')
+						if ( $('.dt-column-title', cell).length === 0) {
+							$(document.createElement(settings.columnTitleTag))
 								.addClass('dt-column-title')
 								.append(cell.childNodes)
 								.appendTo(cell);
@@ -4105,9 +4114,9 @@
 							isHeader &&
 							jqCell.filter(':not([data-dt-order=disable])').length !== 0 &&
 							jqCell.parent(':not([data-dt-order=disable])').length !== 0 &&
-							$('span.dt-column-order', cell).length === 0
+							$('.dt-column-order', cell).length === 0
 						) {
-							$('<span>')
+							$(document.createElement(settings.columnTitleTag))
 								.addClass('dt-column-order')
 								.appendTo(cell);
 						}
@@ -4116,7 +4125,7 @@
 						// layout for those elements
 						var headerFooter = isHeader ? 'header' : 'footer';
 	
-						if ( $('span.dt-column-' + headerFooter, cell).length === 0) {
+						if ( $('div.dt-column-' + headerFooter, cell).length === 0) {
 							$('<div>')
 								.addClass('dt-column-' + headerFooter)
 								.append(cell.childNodes)
@@ -4273,6 +4282,10 @@
 		// Custom Ajax option to submit the parameters as a JSON string
 		if (baseAjax.submitAs === 'json' && typeof data === 'object') {
 			baseAjax.data = JSON.stringify(data);
+	
+			if (!baseAjax.contentType) {
+				baseAjax.contentType = 'application/json; charset=utf-8';
+			}
 		}
 	
 		if (typeof ajax === 'function') {
@@ -5531,7 +5544,7 @@
 					var autoClass = _ext.type.className[column.sType];
 					var padding = column.sContentPadding || (scrollX ? '-' : '');
 					var text = longest + padding;
-					var insert = longest.indexOf('<') === -1
+					var insert = longest.indexOf('<') === -1 && longest.indexOf('&') === -1
 						? document.createTextNode(text)
 						: text
 	
@@ -5719,15 +5732,20 @@
 					.replace(/id=".*?"/g, '')
 					.replace(/name=".*?"/g, '');
 	
-				var s = _stripHtml(cellString)
+				// Don't want Javascript at all in these calculation cells.
+				cellString = cellString.replace(/<script.*?<\/script>/gi, ' ');
+	
+				var noHtml = _stripHtml(cellString, ' ')
 					.replace( /&nbsp;/g, ' ' );
 		
+				// The length is calculated on the text only, but we keep the HTML
+				// in the string so it can be used in the calculation table
 				collection.push({
-					str: s,
-					len: s.length
+					str: cellString,
+					len: noHtml.length
 				});
 	
-				allStrings.push(s);
+				allStrings.push(noHtml);
 			}
 	
 			// Order and then cut down to the size we need
@@ -8782,7 +8800,7 @@
 			// Automatic - find the _last_ unique cell from the top that is not empty (last for
 			// backwards compatibility)
 			for (var i=0 ; i<header.length ; i++) {
-				if (header[i][column].unique && $('span.dt-column-title', header[i][column].cell).text()) {
+				if (header[i][column].unique && $('.dt-column-title', header[i][column].cell).text()) {
 					target = i;
 				}
 			}
@@ -8878,6 +8896,10 @@
 								return null;
 							}
 	
+							if (col.responsiveVisible === false) {
+								return null;
+							}
+	
 							// Selector
 							if (match[1]) {
 								return $(nodes[idx]).filter(match[1]).length > 0 ? idx : null;
@@ -9089,7 +9111,7 @@
 				title = undefined;
 			}
 	
-			var span = $('span.dt-column-title', this.column(column).header(row));
+			var span = $('.dt-column-title', this.column(column).header(row));
 	
 			if (title !== undefined) {
 				span.html(title);
@@ -10263,8 +10285,8 @@
 	
 	// Needed for header and footer, so pulled into its own function
 	function cleanHeader(node, className) {
-		$(node).find('span.dt-column-order').remove();
-		$(node).find('span.dt-column-title').each(function () {
+		$(node).find('.dt-column-order').remove();
+		$(node).find('.dt-column-title').each(function () {
 			var title = $(this).html();
 			$(this).parent().parent().append(title);
 			$(this).remove();
@@ -10282,7 +10304,7 @@
 	 *  @type string
 	 *  @default Version number
 	 */
-	DataTable.version = "2.3.5";
+	DataTable.version = "2.3.7";
 	
 	/**
 	 * Private data store, containing all of the settings objects that are
@@ -11450,7 +11472,10 @@
 		iDeferLoading: null,
 	
 		/** Event listeners */
-		on: null
+		on: null,
+	
+		/** Title wrapper element type */
+		columnTitleTag: 'span'
 	};
 	
 	_fnHungarianMap( DataTable.defaults );
@@ -12414,7 +12439,10 @@
 		orderHandler: true,
 	
 		/** Title row indicator */
-		titleRow: null
+		titleRow: null,
+	
+		/** Title wrapper element type */
+		columnTitleTag: 'span'
 	};
 	
 	/**

src/static/templates/admin/diagnostics.hbs

@@ -8,7 +8,7 @@
                 <dl class="row">
                     <dt class="col-sm-5">Server Installed
                         <span class="badge bg-success d-none abbr-badge" id="server-success" title="Latest version is installed.">Ok</span>
-                        <span class="badge bg-warning text-dark d-none abbr-badge" id="server-warning" title="There seems to be an update available.">Update</span>
+                        <span class="badge bg-warning text-dark d-none abbr-badge" id="server-warning" title="An update is available.">Update</span>
                         <span class="badge bg-info text-dark d-none abbr-badge" id="server-branch" title="This is a branched version.">Branched</span>
                     </dt>
                     <dd class="col-sm-7">
@@ -23,17 +23,17 @@
                     {{#if page_data.web_vault_enabled}}
                     <dt class="col-sm-5">Web Installed
                         <span class="badge bg-success d-none abbr-badge" id="web-success" title="Latest version is installed.">Ok</span>
-                        <span class="badge bg-warning text-dark d-none abbr-badge" id="web-warning" title="There seems to be an update available.">Update</span>
-                        <span class="badge bg-info text-dark d-none abbr-badge" id="web-prerelease" title="You seem to be using a pre-release version.">Pre-Release</span>
+                        <span class="badge bg-warning text-dark d-none abbr-badge" id="web-warning" title="An update is available.">Update</span>
+                        <span class="badge bg-info text-dark d-none abbr-badge" id="web-prerelease" title="You are using a pre-release version.">Pre-Release</span>
                     </dt>
                     <dd class="col-sm-7">
-                        <span id="web-installed">{{page_data.web_vault_version}}</span>
+                        <span id="web-installed">{{page_data.active_web_release}}</span>
                     </dd>
                     <dt class="col-sm-5">Web Latest
                         <span class="badge bg-secondary d-none abbr-badge" id="web-failed" title="Unable to determine latest version.">Unknown</span>
                     </dt>
                     <dd class="col-sm-7">
-                        <span id="web-latest">{{page_data.latest_web_build}}</span>
+                        <span id="web-latest">{{page_data.latest_web_release}}</span>
                     </dd>
                     {{/if}}
                     {{#unless page_data.web_vault_enabled}}

src/static/templates/admin/organizations.hbs

@@ -59,7 +59,7 @@
 </main>
 
 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-3.7.1.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-4.0.0.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script src="{{urlpath}}/vw_static/admin_organizations.js"></script>
 <script src="{{urlpath}}/vw_static/jdenticon-3.3.0.js"></script>

src/static/templates/admin/users.hbs

@@ -153,7 +153,7 @@
 </main>
 
 <link rel="stylesheet" href="{{urlpath}}/vw_static/datatables.css" />
-<script src="{{urlpath}}/vw_static/jquery-3.7.1.slim.js"></script>
+<script src="{{urlpath}}/vw_static/jquery-4.0.0.slim.js"></script>
 <script src="{{urlpath}}/vw_static/datatables.js"></script>
 <script src="{{urlpath}}/vw_static/admin_users.js"></script>
 <script src="{{urlpath}}/vw_static/jdenticon-3.3.0.js"></script>

src/static/templates/scss/vaultwarden.scss.hbs

@@ -158,6 +158,13 @@ app-root a[routerlink="/signup"] {
 {{/if}}
 {{/if}}
 
+{{#if remember_2fa_disabled}}
+/* Hide checkbox to remember 2FA token for 30 days */
+app-two-factor-auth > form > bit-form-control {
+  @extend %vw-hide;
+}
+{{/if}}
+
 {{#unless mail_2fa_enabled}}
 /* Hide `Email` 2FA if mail is not enabled */
 .providers-2fa-1 {
@@ -192,6 +199,19 @@ bit-nav-item[route="sends"] {
   @extend %vw-hide;
 }
 {{/unless}}
+
+{{#unless password_hints_allowed}}
+/* Hide password hints if not allowed */
+a[routerlink="/hint"],
+{{#if (webver "<2025.12.2")}}
+app-change-password > form > .form-group:nth-child(5),
+auth-input-password > form > bit-form-field:nth-child(4) {
+{{else}}
+.vw-password-hint {
+{{/if}}
+  @extend %vw-hide;
+}
+{{/unless}}
 /**** End Dynamic Vaultwarden Changes ****/
 /**** Include a special user stylesheet for custom changes ****/
 {{#if load_user_scss}}

src/util.rs

@@ -531,7 +531,7 @@ struct WebVaultVersion {
     version: String,
 }
 
-pub fn get_web_vault_version() -> String {
+pub fn get_active_web_release() -> String {
     let version_files = [
         format!("{}/vw-version.json", CONFIG.web_vault_folder()),
         format!("{}/version.json", CONFIG.web_vault_folder()),