Merge pull request #1270 from BlackDex/update-ci

Updated Github Actions, Fixed Dockerfile
2024-06-02 09:32:34 +00:00 · 2020-12-17 18:22:46 +01:00 · 2020-12-16 19:31:39 +01:00 · 2020-12-15 22:23:12 +01:00 · 2020-12-14 20:56:31 +01:00 · 2020-12-14 19:58:23 +01:00
176 changed files with 37405 additions and 7546 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -3,6 +3,7 @@ target

 # Data folder
 data
+.env

 # IDE files
 .vscode
@ -10,5 +11,15 @@ data
 *.iml

 # Documentation
+.github
 *.md
+*.txt
+*.yml
+*.yaml

+# Docker folders
+hooks
+tools
+
+# Web vault
+web-vault
--- a/.env.template
+++ b/.env.template
@ -1,14 +1,28 @@
 ## Bitwarden_RS Configuration File
 ## Uncomment any of the following lines to change the defaults
+##
+## Be aware that most of these settings will be overridden if they were changed
+## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .

 ## Main data folder
 # DATA_FOLDER=data

 ## Database URL
 ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
-## When using MySQL, this it is the URL to the DB, including username and password:
-## Format: mysql://[user[:password]@]host/database_name
 # DATABASE_URL=data/db.sqlite3
+## When using MySQL, specify an appropriate connection URI.
+## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html
+# DATABASE_URL=mysql://user:password@host[:port]/database_name
+## When using PostgreSQL, specify an appropriate connection URI (recommended)
+## or keyword/value connection string.
+## Details:
+## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
+## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+# DATABASE_URL=postgresql://user:password@host[:port]/database_name
+
+## Database max connections
+## Define the size of the connection pool used for connecting to the database.
+# DATABASE_MAX_CONNS=10

 ## Individual folders, these override %DATA_FOLDER%
 # RSA_KEY_FILENAME=data/rsa_key
@ -21,6 +35,10 @@
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false

+## Client IP Header, used to identify the IP of the client, defaults to "X-Client-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Client-IP
+
 ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
@ -37,14 +55,14 @@
 # WEBSOCKET_ADDRESS=0.0.0.0
 # WEBSOCKET_PORT=3012

-## Enable extended logging
-## This shows timestamps and allows logging to file and to syslog
-### To enable logging to file, use the LOG_FILE env variable
-### To enable syslog, use the USE_SYSLOG env variable
+## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true

+## Timestamp format used in extended logging.
+## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
+# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
+
 ## Logging to file
-## This requires extended logging
 ## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # LOG_FILE=/path/to/log

@ -56,7 +74,8 @@
 ## Log level
 ## Change the verbosity of the log output
 ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
-## This requires extended logging
+## Setting it to "trace" or "debug" would also show logs for mounted
+## routes and static file, websocket and alive requests
 # LOG_LEVEL=Info

 ## Enable WAL for the DB
@ -67,6 +86,10 @@
 ## cause performance degradation or might render  the service unable to start.
 # ENABLE_DB_WAL=true

+## Database connection retries
+## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
+# DB_CONNECTION_RETRIES=15
+
 ## Disable icon downloading
 ## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
 ## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
@ -81,10 +104,11 @@
 ## Icon blacklist Regex
 ## Any domains or IPs that match this regex won't be fetched by the icon service.
 ## Useful to hide other servers in the local network. Check the WIKI for more details
-# ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
+## NOTE: Always enclose this regex withing single quotes!
+# ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'

 ## Any IP which is not defined as a global IP will be blacklisted.
-## Usefull to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
 # ICON_BLACKLIST_NON_GLOBAL_IPS=true

 ## Disable 2FA remember
@ -92,17 +116,68 @@
 ## Note that the checkbox would still be present, but ignored.
 # DISABLE_2FA_REMEMBER=false

+## Maximum attempts before an email token is reset and a new email will need to be sent.
+# EMAIL_ATTEMPTS_LIMIT=3
+
+## Token expiration time
+## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+# EMAIL_EXPIRATION_TIME=600
+
+## Email token size
+## Number of digits in an email token (min: 6, max: 19).
+## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
+# EMAIL_TOKEN_SIZE=6
+
 ## Controls if new users can register
 # SIGNUPS_ALLOWED=true

+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
+## Controls which users can create new orgs.
+## Blank or 'all' means all users can create orgs (this is the default):
+# ORG_CREATION_USERS=
+## 'none' means no users can create orgs:
+# ORG_CREATION_USERS=none
+## A comma-separated list means only those users can create orgs:
+# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+
 ## Token for the admin interface, preferably use a long random string
 ## One option is to use 'openssl rand -base64 48'
 ## If not set, the admin panel is disabled
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
 # DISABLE_ADMIN_TOKEN=false

 ## Invitations org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
+## Name shown in the invitation emails that don't come from a specific organization
+# INVITATION_ORG_NAME=Bitwarden_RS
+
+## Per-organization attachment limit (KB)
+## Limit in kilobytes for an organization attachments, once the limit is exceeded it won't be possible to upload more
+# ORG_ATTACHMENT_LIMIT=
+## Per-user attachment limit (KB).
+## Limit in kilobytes for a users attachments, once the limit is exceeded it won't be possible to upload more
+# USER_ATTACHMENT_LIMIT=
+

 ## Controls the PBBKDF password iterations to apply on the server
 ## The change only applies when the password is changed
@ -118,6 +193,13 @@
 ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
 # DOMAIN=https://bw.domain.tld:8443

+## Allowed iframe ancestors (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
+## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
+## Multiple values must be separated with a whitespace.
+# ALLOWED_IFRAME_ANCESTORS=
+
 ## Yubico (Yubikey) Settings
 ## Set your Client ID and Secret Key for Yubikey OTP
 ## You can generate it here: https://upgrade.yubico.com/getapikey/
@ -137,6 +219,18 @@
 ## After that, you should be able to follow the rest of the guide linked above,
 ## ignoring the fields that ask for the values that you already configured beforehand.

+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
+
 ## Rocket specific settings, check Rocket documentation to learn more
 # ROCKET_ENV=staging
 # ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
@ -149,8 +243,45 @@
 # SMTP_HOST=smtp.domain.tld
 # SMTP_FROM=bitwarden-rs@domain.tld
 # SMTP_FROM_NAME=Bitwarden_RS
-# SMTP_PORT=587
-# SMTP_SSL=true
+# SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
+# SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
+# SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
 # SMTP_USERNAME=username
 # SMTP_PASSWORD=password
+# SMTP_TIMEOUT=15
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
 # SMTP_AUTH_MECHANISM="Plain"
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
+## Require new device emails. When a user logs in an email is required to be sent.
+## If sending the email fails the login attempt will fail!!
+# REQUIRE_DEVICE_EMAIL=false
+
+## HIBP Api Key
+## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+# HIBP_API_KEY=
+
+# vim: syntax=ini
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1,2 @@
+github: dani-garcia
+custom: ["https://paypal.me/DaniGG"]
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,51 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+<!--
+     # ###
+     NOTE: Please update to the latest version of bitwarden_rs before reporting an issue!
+     This saves you and us a lot of time and troubleshooting.
+     See: https://github.com/dani-garcia/bitwarden_rs/issues/1180
+     # ###
+-->
+
+
+<!--
+Please fill out the following template to make solving your problem easier and faster for us.
+This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them.
+
+Remember to hide/obfuscate personal and confidential information,
+such as names, global IP/DNS addresses and especially passwords, if necessary.
+-->
+
+### Subject of the issue
+<!-- Describe your issue here.-->
+
+### Your environment
+<!-- The version number, obtained from the logs or the admin diagnostics page -->
+<!-- Remember to check your issue on the latest version first! -->
+* Bitwarden_rs version:
+<!-- How the server was installed: Docker image / package / built from source -->
+* Install method:
+* Clients used: <!-- if applicable -->
+* Reverse proxy and version: <!-- if applicable -->
+* Version of mysql/postgresql: <!-- if applicable -->
+* Other relevant information:
+
+### Steps to reproduce
+<!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults)
+and how did you start bitwarden_rs? -->
+
+### Expected behaviour
+<!-- Tell us what should happen -->
+
+### Actual behaviour
+<!-- Tell us what happens instead -->
+
+### Relevant logs
+<!-- Share some logfiles, screenshots or output of relevant programs with us. -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,11 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your feature requests to the forum
+Link: https://bitwardenrs.discourse.group/c/feature-requests
--- a/.github/ISSUE_TEMPLATE/help-with-installation-configuration.md
+++ b/.github/ISSUE_TEMPLATE/help-with-installation-configuration.md
@ -0,0 +1,11 @@
+---
+name: Help with installation/configuration
+about: Any questions about the setup of bitwarden_rs
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your third party help requests to the forum
+Link: https://bitwardenrs.discourse.group/c/help
--- a/.github/ISSUE_TEMPLATE/help-with-proxy-database-nas-setup.md
+++ b/.github/ISSUE_TEMPLATE/help-with-proxy-database-nas-setup.md
@ -0,0 +1,11 @@
+---
+name: Help with proxy/database/NAS setup
+about: Any questions about third party software
+title: ''
+labels: better for forum
+assignees: ''
+
+---
+
+# Please submit all your third party help requests to the forum
+Link: https://bitwardenrs.discourse.group/c/third-party-help
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,125 @@
+name: Build
+
+on:
+  push:
+    # Ignore when there are only changes done too one of these paths
+    paths-ignore:
+      - "**.md"
+      - "**.txt"
+      - "azure-pipelines.yml"
+      - "docker/**"
+      - "hooks/**"
+      - "tools/**"
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        channel:
+          - nightly
+          # - stable
+        target-triple:
+          - x86_64-unknown-linux-gnu
+          # - x86_64-unknown-linux-musl
+        include:
+          - target-triple: x86_64-unknown-linux-gnu
+            host-triple: x86_64-unknown-linux-gnu
+            features: "sqlite,mysql,postgresql"
+            channel: nightly
+            os: ubuntu-18.04
+            ext:
+          # - target-triple: x86_64-unknown-linux-gnu
+          #   host-triple: x86_64-unknown-linux-gnu
+          #   features: "sqlite,mysql,postgresql"
+          #   channel: stable
+          #   os: ubuntu-18.04
+          #   ext:
+          # - target-triple: x86_64-unknown-linux-musl
+          #   host-triple: x86_64-unknown-linux-gnu
+          #   features: "sqlite,postgresql"
+          #   channel: nightly
+          #   os: ubuntu-18.04
+          #   ext:
+          # - target-triple: x86_64-unknown-linux-musl
+          #   host-triple: x86_64-unknown-linux-gnu
+          #   features: "sqlite,postgresql"
+          #   channel: stable
+          #   os: ubuntu-18.04
+          #   ext:
+
+    name: Building ${{ matrix.channel }}-${{ matrix.target-triple }}
+    runs-on: ${{ matrix.os }}
+    steps:
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@v2
+      # End Checkout the repo
+
+
+      # Install musl-tools when needed
+      - name: Install musl tools
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends musl-dev musl-tools cmake
+        if: matrix.target-triple == 'x86_64-unknown-linux-musl'
+      # End Install musl-tools when needed
+
+
+      # Install dependencies
+      - name: Install dependencies Ubuntu
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf
+        if: startsWith( matrix.os, 'ubuntu' )
+      # End Install dependencies
+
+
+      # Enable Rust Caching
+      - uses: Swatinem/rust-cache@v1
+      # End Enable Rust Caching
+
+
+      # Uses the rust-toolchain file to determine version
+      - name: 'Install ${{ matrix.channel }}-${{ matrix.host-triple }} for target: ${{ matrix.target-triple }}'
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          target: ${{ matrix.target-triple }}
+      # End Uses the rust-toolchain file to determine version
+
+
+      # Run cargo tests (In release mode to speed up cargo build afterwards)
+      - name: '`cargo test --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}`'
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}
+      # End Run cargo tests
+
+
+      # Build the binary
+      - name: '`cargo build --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}`'
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}
+      # End Build the binary
+
+
+      # Upload artifact to Github Actions
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: bitwarden_rs-${{ matrix.target-triple }}${{ matrix.ext }}
+          path: target/${{ matrix.target-triple }}/release/bitwarden_rs${{ matrix.ext }}
+      # End Upload artifact to Github Actions
+
+
+      ## This is not used at the moment
+      ## We could start using this when we can build static binaries
+      # Upload to github actions release
+      # - name: Release
+      #   uses: Shopify/upload-to-release@1
+      #   if: startsWith(github.ref, 'refs/tags/')
+      #   with:
+      #     name: bitwarden_rs-${{ matrix.target-triple }}${{ matrix.ext }}
+      #     path: target/${{ matrix.target-triple }}/release/bitwarden_rs${{ matrix.ext }}
+      #     repo-token: ${{ secrets.GITHUB_TOKEN }}
+      # End Upload to github actions release
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@ -0,0 +1,34 @@
+name: Hadolint
+
+on:
+  pull_request:
+    # Ignore when there are only changes done too one of these paths
+    paths:
+      - "docker/**"
+
+jobs:
+  hadolint:
+    name: Validate Dockerfile syntax
+    runs-on: ubuntu-20.04
+    steps:
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@v2
+      # End Checkout the repo
+
+
+      # Download hadolint
+      - name: Download hadolint
+        shell: bash
+        run: |
+          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
+          sudo chmod +x /usr/local/bin/hadolint
+        env:
+          HADOLINT_VERSION: 1.19.0
+      # End Download hadolint
+
+      # Test Dockerfiles
+      - name: Run hadolint
+        shell: bash
+        run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored | xargs hadolint
+      # End Test Dockerfiles
--- a/.travis.yml
+++ b/.travis.yml
@ -1,20 +0,0 @@
-dist: xenial
-
-env:
-  global:
-    - HADOLINT_VERSION=1.17.1
-
-language: rust
-rust: nightly
-cache: cargo
-
-before_install:
-  - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
-  - sudo chmod +rx /usr/local/bin/hadolint
-
-# Nothing to install
-install: true
-script:
- git ls-files --exclude='Dockerfile*' --ignored | xargs --max-lines=1 hadolint
- cargo build --features "sqlite"
- cargo build --features "mysql"
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -14,8 +14,14 @@ build = "build.rs"
 # Empty to keep compatibility, prefer to set USE_SYSLOG=true
 enable_syslog = []
 mysql = ["diesel/mysql", "diesel_migrations/mysql"]
-postgresql = ["diesel/postgres", "diesel_migrations/postgres", "openssl"]
+postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
 sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
+# Enable to use a vendored and statically linked openssl
+vendored_openssl = ["openssl/vendored"]
+
+# Enable unstable features, requires nightly
+# Currently only used to enable rusts official ip support
+unstable = []

 [target."cfg(not(windows))".dependencies]
 syslog = "4.0.1"
@ -26,96 +32,106 @@ rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
 rocket_contrib = "0.5.0-dev"

 # HTTP client
-reqwest = "0.9.20"
+reqwest = { version = "0.10.10", features = ["blocking", "json"] }

 # multipart/form-data support
-multipart = { version = "0.16.1", features = ["server"], default-features = false }
+multipart = { version = "0.17.0", features = ["server"], default-features = false }

 # WebSockets library
-ws = "0.9.0"
+ws = { version = "0.10.0", package = "parity-ws" }

 # MessagePack library
-rmpv = "0.4.1"
+rmpv = "0.4.6"

 # Concurrent hashmap implementation
 chashmap = "2.2.2"

 # A generic serialization/deserialization framework
-serde = "1.0.101"
-serde_derive = "1.0.101"
-serde_json = "1.0.40"
+serde = "1.0.118"
+serde_derive = "1.0.118"
+serde_json = "1.0.60"

 # Logging
-log = "0.4.8"
-fern = { version = "0.5.8", features = ["syslog-4"] }
+log = "0.4.11"
+fern = { version = "0.6.0", features = ["syslog-4"] }

 # A safe, extensible ORM and Query builder
-diesel = { version = "1.4.2", features = [ "chrono", "r2d2"] }
+diesel = { version = "1.4.5", features = [ "chrono", "r2d2"] }
 diesel_migrations = "1.4.0"

-# Bundled SQLite                                           
-libsqlite3-sys = { version = "0.12.0", features = ["bundled"], optional = true }
+# Bundled SQLite
+libsqlite3-sys = { version = "0.18.0", features = ["bundled"], optional = true }

-# Crypto library
-ring = "0.14.6"
+# Crypto-related libraries
+rand = "0.7.3"
+ring = "0.16.19"

 # UUID generation
-uuid = { version = "0.7.4", features = ["v4"] }
+uuid = { version = "0.8.1", features = ["v4"] }

-# Date and time library for Rust
-chrono = "0.4.9"
+# Date and time libraries
+chrono = "0.4.19"
+chrono-tz = "0.5.3"
+time = "0.2.23"

 # TOTP library
 oath = "0.10.2"

 # Data encoding library
-data-encoding = "2.1.2"
+data-encoding = "2.3.1"

 # JWT library
-jsonwebtoken = "6.0.1"
+jsonwebtoken = "7.2.0"

 # U2F library
-u2f = "0.1.6"
+u2f = "0.2.0"

 # Yubico Library
-yubico = { version = "0.6.1", features = ["online", "online-tokio"], default-features = false }
+yubico = { version = "0.9.1", features = ["online-tokio"], default-features = false }

 # A `dotenv` implementation for Rust
-dotenv = { version = "0.14.1", default-features = false }
+dotenv = { version = "0.15.0", default-features = false }

-# Lazy static macro
-lazy_static = "1.4.0"
-
-# More derives
-derive_more = "0.15.0"
+# Lazy initialization
+once_cell = "1.5.2"

 # Numerical libraries
-num-traits = "0.2.8"
-num-derive = "0.2.5"
+num-traits = "0.2.14"
+num-derive = "0.3.3"

 # Email libraries
-lettre = "0.9.2"
-lettre_email = "0.9.2"
-native-tls = "0.2.3"
-quoted_printable = "0.4.1"
+lettre = { version = "0.10.0-alpha.4", features = ["smtp-transport", "builder", "serde", "native-tls", "hostname", "tracing"], default-features = false }
+newline-converter = "0.1.0"

 # Template library
-handlebars = "2.0.2"
+handlebars = { version = "3.5.1", features = ["dir_source"] }

 # For favicon extraction from main website
-soup = "0.4.1"
-regex = "1.3.1"
+soup = "0.5.0"
+regex = "1.4.2"
+data-url = "0.1.0"

-# Required for SSL support for PostgreSQL
-openssl = { version = "0.10.24", optional = true }
+# Used by U2F, JWT and Postgres
+openssl = "0.10.31"

 # URL encoding library
 percent-encoding = "2.1.0"
+# Punycode conversion
+idna = "0.2.0"
+
+# CLI argument parsing
+structopt = "0.3.21"
+
+# Logging panics to logfile instead stderr only
+backtrace = "0.3.55"
+
+# Macro ident concatenation
+paste = "1.0.4"

 [patch.crates-io]
-# Add support for Timestamp type
-rmp = { git = 'https://github.com/3Hren/msgpack-rust', rev = 'd6c6c672e470341207ed9feb69b56322b5597a11' }
-
 # Use newest ring
-rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dbcb0a75b9556763ac3ab708f40c8f8ed75f1a1e' }
-rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'dbcb0a75b9556763ac3ab708f40c8f8ed75f1a1e' }
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = '263e39b5b429de1913ce7e3036575a7b4d88b6d7' }
+rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = '263e39b5b429de1913ce7e3036575a7b4d88b6d7' }
+
+# For favicon extraction from main website
+data-url = { git = 'https://github.com/servo/rust-url', package="data-url", rev = '540ede02d0771824c0c80ff9f57fe8eff38b1291' }
--- a/2
+++ b/2
@ -1 +1 @@
-docker/amd64/sqlite/Dockerfile
+docker/amd64/Dockerfile
--- a/README.md
+++ b/README.md
@ -13,7 +13,7 @@ Image is based on [Rust implementation of Bitwarden API](https://github.com/dani

 **This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**

-#### ⚠️**IMPORTANT**⚠️: When using this server, please report any Bitwarden related bug-reports or suggestions [here](https://github.com/dani-garcia/bitwarden_rs/issues/new), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.

 ---

@ -21,14 +21,13 @@ Image is based on [Rust implementation of Bitwarden API](https://github.com/dani

 Basically full implementation of Bitwarden API is provided including:

- * Basic single user functionality
 * Organizations support
 * Attachments
 * Vault API support
 * Serving the static files for Vault interface
 * Website icons API
 * Authenticator and U2F support
- * YubiKey OTP
+ * YubiKey and Duo support

 ## Installation
 Pull the docker image and mount a volume from the host for persistent storage:
@ -49,7 +48,14 @@ If you have an available domain name, you can get HTTPS certificates with [Let's
 See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) for more information on how to configure and run the bitwarden_rs server.

 ## Get in touch
+To ask a question, offer suggestions or new features or to get help configuring or installing the software, please [use the forum](https://bitwardenrs.discourse.group/).

-To ask an question, [raising an issue](https://github.com/dani-garcia/bitwarden_rs/issues/new) is fine, also please report any bugs spotted here.
+If you spot any bugs or crashes with bitwarden_rs itself, please [create an issue](https://github.com/dani-garcia/bitwarden_rs/issues/). Make sure there aren't any similar issues open, though!

 If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!
+
+### Sponsors
+Thanks for your contribution to the project!
+
+- [@ChonoN](https://github.com/ChonoN)
+- [@themightychris](https://github.com/themightychris)
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -1,25 +1,22 @@
 pool:
-  vmImage: 'Ubuntu-16.04'
+  vmImage: 'Ubuntu-18.04'

 steps:
 - script: |
    ls -la
-    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain)
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain) --profile=minimal
    echo "##vso[task.prependpath]$HOME/.cargo/bin"
  displayName: 'Install Rust'

 - script: |
    sudo apt-get update
-    sudo apt-get install -y libmysql++-dev
-  displayName: Install libmysql
+    sudo apt-get install -y --no-install-recommends build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf
+  displayName: 'Install build libraries.'

 - script: |
    rustc -Vv
    cargo -V
  displayName: Query rust and cargo versions

- script : cargo build --features "sqlite"
-  displayName: 'Build project with sqlite backend'
-
- script : cargo build --features "mysql"
-  displayName: 'Build project with mysql backend'
+- script : cargo test --features "sqlite,mysql,postgresql"
+  displayName: 'Test project with sqlite, mysql and postgresql backends'
--- a/build.rs
+++ b/build.rs
@ -1,17 +1,24 @@
 use std::process::Command;
+use std::env;

-fn main() {
-    #[cfg(all(feature = "sqlite", feature = "mysql"))]
-    compile_error!("Can't enable both sqlite and mysql at the same time");
-    #[cfg(all(feature = "sqlite", feature = "postgresql"))]
-    compile_error!("Can't enable both sqlite and postgresql at the same time");
-    #[cfg(all(feature = "mysql", feature = "postgresql"))]
-    compile_error!("Can't enable both mysql and postgresql at the same time");
+fn main() { 
+    // This allow using #[cfg(sqlite)] instead of #[cfg(feature = "sqlite")], which helps when trying to add them through macros
+    #[cfg(feature = "sqlite")]
+    println!("cargo:rustc-cfg=sqlite");
+    #[cfg(feature = "mysql")]
+    println!("cargo:rustc-cfg=mysql");
+    #[cfg(feature = "postgresql")]
+    println!("cargo:rustc-cfg=postgresql");

    #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
    compile_error!("You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite");
-
-    read_git_info().ok();
+    
+    if let Ok(version) = env::var("BWRS_VERSION") {
+        println!("cargo:rustc-env=BWRS_VERSION={}", version);
+        println!("cargo:rustc-env=CARGO_PKG_VERSION={}", version);
+    } else {
+        read_git_info().ok();
+    }
 }

 fn run(args: &[&str]) -> Result<String, std::io::Error> {
@ -54,14 +61,16 @@ fn read_git_info() -> Result<(), std::io::Error> {
    } else {
        format!("{}-{}", last_tag, rev_short)
    };
-    println!("cargo:rustc-env=GIT_VERSION={}", version);
+    
+    println!("cargo:rustc-env=BWRS_VERSION={}", version);
+    println!("cargo:rustc-env=CARGO_PKG_VERSION={}", version);

    // To access these values, use:
    //    env!("GIT_EXACT_TAG")
    //    env!("GIT_LAST_TAG")
    //    env!("GIT_BRANCH")
    //    env!("GIT_REV")
-    //    env!("GIT_VERSION")
+    //    env!("BWRS_VERSION")

    Ok(())
 }
--- a/docker/Dockerfile.j2
+++ b/docker/Dockerfile.j2
@ -0,0 +1,263 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+{% set build_stage_base_image = "rust:1.48" %}
+{% if "alpine" in target_file %}
+{%   if "amd64" in target_file %}
+{%     set build_stage_base_image = "clux/muslrust:nightly-2020-11-22" %}
+{%     set runtime_stage_base_image = "alpine:3.12" %}
+{%     set package_arch_target = "x86_64-unknown-linux-musl" %}
+{%   elif "arm32v7" in target_file %}
+{%     set build_stage_base_image = "messense/rust-musl-cross:armv7-musleabihf" %}
+{%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.12" %}
+{%     set package_arch_target = "armv7-unknown-linux-musleabihf" %}
+{%   endif %}
+{% elif "amd64" in target_file %}
+{%   set runtime_stage_base_image = "debian:buster-slim" %}
+{% elif "arm64v8" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/aarch64-debian:buster" %}
+{%   set package_arch_name = "arm64" %}
+{%   set package_arch_target = "aarch64-unknown-linux-gnu" %}
+{%   set package_cross_compiler = "aarch64-linux-gnu" %}
+{% elif "arm32v6" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/rpi-debian:buster" %}
+{%   set package_arch_name = "armel" %}
+{%   set package_arch_target = "arm-unknown-linux-gnueabi" %}
+{%   set package_cross_compiler = "arm-linux-gnueabi" %}
+{% elif "arm32v7" in target_file %}
+{%   set runtime_stage_base_image = "balenalib/armv7hf-debian:buster" %}
+{%   set package_arch_name = "armhf" %}
+{%   set package_arch_target = "armv7-unknown-linux-gnueabihf" %}
+{%   set package_cross_compiler = "arm-linux-gnueabihf" %}
+{% endif %}
+{% if package_arch_name is defined %}
+{%   set package_arch_prefix = ":" + package_arch_name %}
+{% else %}
+{%   set package_arch_prefix = "" %}
+{% endif %}
+{% if package_arch_target is defined %}
+{%   set package_arch_target_param = " --target=" + package_arch_target %}
+{% else %}
+{%   set package_arch_target_param = "" %}
+{% endif %}
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+{% set vault_image_hash = "sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0" %}
+{% raw %}
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+{% endraw %}
+FROM bitwardenrs/web-vault@{{ vault_image_hash }} as vault
+
+########################## BUILD IMAGE  ##########################
+FROM {{ build_stage_base_image }} as build
+
+{% if "alpine" in target_file %}
+{%   if "amd64" in target_file %}
+# Alpine-based AMD64 (musl) does not support mysql/mariadb during compile time.
+ARG DB=sqlite,postgresql
+{%     set features = "sqlite,postgresql" %}
+{%   else %}
+# Alpine-based ARM (musl) only supports sqlite during compile time.
+ARG DB=sqlite
+{%     set features = "sqlite" %}
+{%   endif %}
+{% else %}
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+{%   set features = "sqlite,mysql,postgresql" %}
+{% endif %}
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+{% if "alpine" in target_file %}
+ENV USER "root"
+ENV RUSTFLAGS='-C link-arg=-s'
+{% elif "arm" in target_file %}
+# Install required build libs for {{ package_arch_name }} architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture {{ package_arch_name }} \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev{{ package_arch_prefix }} \
+        libc6-dev{{ package_arch_prefix }} \
+        libpq5{{ package_arch_prefix }} \
+        libpq-dev \
+        libmariadb-dev{{ package_arch_prefix }} \
+        libmariadb-dev-compat{{ package_arch_prefix }}
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-{{ package_cross_compiler }} \
+    && mkdir -p ~/.cargo \
+    && echo '[target.{{ package_arch_target }}]' >> ~/.cargo/config \
+    && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+{% endif -%}
+
+{% if "amd64" in target_file and "alpine" not in target_file %}
+# Install DB packages
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    libmariadb-dev{{ package_arch_prefix }} \
+    libpq-dev{{ package_arch_prefix }} \
+    && rm -rf /var/lib/apt/lists/*
+{% endif %}
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+{% if "alpine" not in target_file %}
+{%   if "arm" in target_file %}
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the {{ package_arch_prefix }} version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5{{ package_arch_prefix }} package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/{{ package_cross_compiler }}/libpq.so.5 /usr/lib/{{ package_cross_compiler }}/libpq.so
+
+ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}"
+ENV OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
+{%   endif -%}
+{% endif %}
+{% if package_arch_target is defined %}
+RUN rustup target add {{ package_arch_target }}
+{% endif %}
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release{{ package_arch_target_param }}
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release{{ package_arch_target_param }}
+{% if "alpine" in target_file %}
+{%   if "arm32v7" in target_file %}
+RUN musl-strip target/{{ package_arch_target }}/release/bitwarden_rs
+{%   endif %}
+{% endif %}
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM {{ runtime_stage_base_image }}
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+{% if "alpine" in runtime_stage_base_image %}
+ENV SSL_CERT_DIR=/etc/ssl/certs
+{% endif %}
+
+{% if "amd64" not in target_file %}
+RUN [ "cross-build-start" ]
+
+{% endif %}
+# Install needed libraries
+{% if "alpine" in runtime_stage_base_image %}
+RUN apk add --no-cache \
+        openssl \
+        curl \
+{%   if "sqlite" in features %}
+        sqlite \
+{%   endif %}
+{%   if "mysql" in features %}
+        mariadb-connector-c \
+{%   endif %}
+{%   if "postgresql" in features %}
+        postgresql-libs \
+{%   endif %}
+        ca-certificates
+{% else %}
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+{% endif %}
+{% if "alpine" in target_file and "arm32v7" in target_file %}
+RUN apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community catatonit
+{% endif %}
+
+RUN mkdir /data
+{% if "amd64" not in target_file %}
+
+RUN [ "cross-build-end" ]
+
+{% endif %}
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+{% if package_arch_target is defined %}
+COPY --from=build /app/target/{{ package_arch_target }}/release/bitwarden_rs .
+{% else %}
+COPY --from=build /app/target/release/bitwarden_rs .
+{% endif %}
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+{% if "alpine" in target_file and "arm32v7" in target_file %}
+CMD ["catatonit", "/start.sh"]
+{% else %}
+CMD ["/start.sh"]
+{% endif %}
--- a/docker/Makefile
+++ b/docker/Makefile
@ -0,0 +1,9 @@
+OBJECTS := $(shell find -mindepth 2 -name 'Dockerfile*')
+
+all: $(OBJECTS)
+
+%/Dockerfile: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
+
+%/Dockerfile.alpine: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
--- a/docker/README.md
+++ b/docker/README.md
@ -0,0 +1,3 @@
+The arch-specific directory names follow the arch identifiers used by the Docker official images:
+
+https://github.com/docker-library/official-images/blob/master/README.md#architectures-other-than-amd64
--- a/docker/aarch64/mysql/Dockerfile
+++ b/docker/aarch64/mysql/Dockerfile
@ -1,106 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set mysql backend
-ARG DB=mysql
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-aarch64-linux-gnu \
-    && mkdir -p ~/.cargo \
-    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
-    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-WORKDIR /app
-
-# Prepare openssl arm64 libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture arm64 \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:arm64 \
-        libc6-dev:arm64 \
-        libmariadb-dev:arm64
-
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
-ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Build
-RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/aarch64-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    libmariadbclient-dev \
- && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/aarch64/sqlite/Dockerfile
+++ b/docker/aarch64/sqlite/Dockerfile
@ -1,106 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set sqlite as default for DB ARG for backward comaptibility
-ARG DB=sqlite
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-aarch64-linux-gnu \
-    && mkdir -p ~/.cargo \
-    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
-    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-WORKDIR /app
-
-# Prepare openssl arm64 libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture arm64 \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:arm64 \
-        libc6-dev:arm64 \
-        libmariadb-dev:arm64
-
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
-ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Build
-RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/aarch64-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    sqlite3 \
- && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/amd64/postgresql/Dockerfile
+++ b/docker/amd64/postgresql/Dockerfile
@ -1,47 +1,43 @@
-# Using multistage build: 
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault

-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault

 ########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
+FROM rust:1.48 as build

-# set mysql backend
-ARG DB=postgresql
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql

-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3\
-# && rm -rf /var/lib/apt/lists/*
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color

-# Install MySQL package
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install DB packages
 RUN apt-get update && apt-get install -y \
    --no-install-recommends \
+    libmariadb-dev \
    libpq-dev \
    && rm -rf /var/lib/apt/lists/*

 # Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
+RUN USER=root cargo new --bin /app
 WORKDIR /app

 # Copies over *only* your manifests and build files
@ -49,6 +45,7 @@ COPY ./Cargo.* ./
 COPY ./rust-toolchain ./rust-toolchain
 COPY ./build.rs ./build.rs

+
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
@ -69,7 +66,7 @@ RUN cargo build --features ${DB} --release
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM debian:stretch-slim
+FROM debian:buster-slim

 ENV ROCKET_ENV "staging"
 ENV ROCKET_PORT=80
@ -82,6 +79,7 @@ RUN apt-get update && apt-get install -y \
    ca-certificates \
    curl \
    sqlite3 \
+    libmariadb-dev-compat \
    libpq5 \
    && rm -rf /var/lib/apt/lists/*

@ -94,11 +92,14 @@ EXPOSE 3012
 # and the binary from the "build" stage to the current stage
 COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
-COPY --from=build app/target/release/bitwarden_rs .
+COPY --from=build /app/target/release/bitwarden_rs .

-COPY docker/healthcheck.sh ./healthcheck.sh
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh

-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]

 # Configures the startup!
-CMD ["./bitwarden_rs"]
+WORKDIR /
+CMD ["/start.sh"]
+
--- a/docker/amd64/Dockerfile.alpine
+++ b/docker/amd64/Dockerfile.alpine
@ -0,0 +1,100 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM clux/muslrust:nightly-2020-11-22 as build
+
+# Alpine-based AMD64 (musl) does not support mysql/mariadb during compile time.
+ARG DB=sqlite,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+ENV USER "root"
+ENV RUSTFLAGS='-C link-arg=-s'
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.12
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        curl \
+        sqlite \
+        postgresql-libs \
+        ca-certificates
+
+RUN mkdir /data
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+
--- a/docker/amd64/mysql/Dockerfile
+++ b/docker/amd64/mysql/Dockerfile
@ -1,103 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set mysql backend
-ARG DB=mysql
-
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3\
-# && rm -rf /var/lib/apt/lists/*
-
-# Install MySQL package
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libmariadb-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM debian:stretch-slim
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    libmariadbclient-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build app/target/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/amd64/mysql/Dockerfile.alpine
+++ b/docker/amd64/mysql/Dockerfile.alpine
@ -1,85 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-07-08 as build
-
-# set mysql backend
-ARG DB=mysql
-
-ENV USER "root"
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libmysqlclient-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /app
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-RUN rustup target add x86_64-unknown-linux-musl
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Build
-RUN cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM alpine:3.10
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-ENV SSL_CERT_DIR=/etc/ssl/certs
-
-# Install needed libraries
-RUN apk add --no-cache \
-        openssl \
-        mariadb-connector-c \
-        curl \
-        ca-certificates
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/amd64/postgresql/Dockerfile.alpine
+++ b/docker/amd64/postgresql/Dockerfile.alpine
@ -1,86 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-07-08 as build
-
-# set mysql backend
-ARG DB=postgresql
-
-ENV USER "root"
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libpq-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /app
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-RUN rustup target add x86_64-unknown-linux-musl
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Build
-RUN cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM alpine:3.10
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-ENV SSL_CERT_DIR=/etc/ssl/certs
-
-# Install needed libraries
-RUN apk add --no-cache \
-        openssl \
-        postgresql-libs \
-        curl \
-        sqlite \
-        ca-certificates
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/amd64/sqlite/Dockerfile
+++ b/docker/amd64/sqlite/Dockerfile
@ -1,103 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set sqlite as default for DB ARG for backward comaptibility
-ARG DB=sqlite
-
-# Using bundled SQLite, no need to install it
-# RUN apt-get update && apt-get install -y\
-#    --no-install-recommends \
-#    sqlite3 \
-# && rm -rf /var/lib/apt/lists/*
-
-# Install MySQL package
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libmariadb-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release
-RUN find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM debian:stretch-slim
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    sqlite3 \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build app/target/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/amd64/sqlite/Dockerfile.alpine
+++ b/docker/amd64/sqlite/Dockerfile.alpine
@ -1,86 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2019-07-08 as build
-
-# set sqlite as default for DB ARG for backward comaptibility
-ARG DB=sqlite
-
-ENV USER "root"
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libmysqlclient-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /app
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-RUN rustup target add x86_64-unknown-linux-musl
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Build
-RUN cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM alpine:3.10
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-ENV SSL_CERT_DIR=/etc/ssl/certs
-
-# Install needed libraries
-RUN apk add --no-cache \
-        openssl \
-        curl \
-        sqlite \
-        ca-certificates
-
-RUN mkdir /data
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/arm32v6/Dockerfile
+++ b/docker/arm32v6/Dockerfile
@ -0,0 +1,151 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.48 as build
+
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armel architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel \
+        libpq5:armel \
+        libpq-dev \
+        libmariadb-dev:armel \
+        libmariadb-dev-compat:armel
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabi \
+    && mkdir -p ~/.cargo \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armel version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5:armel package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/arm-linux-gnueabi/libpq.so.5 /usr/lib/arm-linux-gnueabi/libpq.so
+
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+RUN rustup target add arm-unknown-linux-gnueabi
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+
--- a/docker/arm32v7/Dockerfile
+++ b/docker/arm32v7/Dockerfile
@ -0,0 +1,151 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.48 as build
+
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for armhf architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf \
+        libpq5:armhf \
+        libpq-dev \
+        libmariadb-dev:armhf \
+        libmariadb-dev-compat:armhf
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-arm-linux-gnueabihf \
+    && mkdir -p ~/.cargo \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armhf version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5:armhf package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/arm-linux-gnueabihf/libpq.so.5 /usr/lib/arm-linux-gnueabihf/libpq.so
+
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
+ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+RUN rustup target add armv7-unknown-linux-gnueabihf
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+
--- a/docker/arm32v7/Dockerfile.alpine
+++ b/docker/arm32v7/Dockerfile.alpine
@ -0,0 +1,106 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM messense/rust-musl-cross:armv7-musleabihf as build
+
+# Alpine-based ARM (musl) only supports sqlite during compile time.
+ARG DB=sqlite
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+ENV USER "root"
+ENV RUSTFLAGS='-C link-arg=-s'
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add armv7-unknown-linux-musleabihf
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+RUN musl-strip target/armv7-unknown-linux-musleabihf/release/bitwarden_rs
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-alpine:3.12
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apk add --no-cache \
+        openssl \
+        curl \
+        sqlite \
+        ca-certificates
+RUN apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community catatonit
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["catatonit", "/start.sh"]
+
--- a/docker/arm64v8/Dockerfile
+++ b/docker/arm64v8/Dockerfile
@ -0,0 +1,151 @@
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+
+#  This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
+#  It can be viewed in multiple ways:
+#  - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
+#  - From the console, with the following commands:
+#      docker pull bitwardenrs/web-vault:v2.17.1
+#      docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+#
+#  - To do the opposite, and get the tag from the hash, you can do:
+#      docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.48 as build
+
+# Debian-based builds support multidb
+ARG DB=sqlite,mysql,postgresql
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+
+# Don't download rust docs
+RUN rustup set profile minimal
+
+# Install required build libs for arm64 architecture.
+# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+        /etc/apt/sources.list.d/deb-src.list \
+    && dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64 \
+        libpq5:arm64 \
+        libpq-dev \
+        libmariadb-dev:arm64 \
+        libmariadb-dev-compat:arm64
+
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        gcc-aarch64-linux-gnu \
+    && mkdir -p ~/.cargo \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config \
+    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/config
+
+ENV CARGO_HOME "/root/.cargo"
+ENV USER "root"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
+# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
+# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
+# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :arm64 version.
+# What we can do is a force install, because nothing important is overlapping each other.
+RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
+    apt-get download libmariadb-dev-compat:amd64 && \
+    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
+    rm -rvf ./libmariadb-dev-compat*.deb
+
+# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
+# The libpq5:arm64 package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
+# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
+# Without this specific file the ld command will fail and compilation fails with it.
+RUN ln -sfnr /usr/lib/aarch64-linux-gnu/libpq.so.5 /usr/lib/aarch64-linux-gnu/libpq.so
+
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
+ENV CROSS_COMPILE="1"
+ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
+ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+RUN rustup target add aarch64-unknown-linux-gnu
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+RUN find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-debian:buster
+
+ENV ROCKET_ENV "staging"
+ENV ROCKET_PORT=80
+ENV ROCKET_WORKERS=10
+
+RUN [ "cross-build-start" ]
+
+# Install needed libraries
+RUN apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    sqlite3 \
+    libmariadb-dev-compat \
+    libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /data
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+COPY Rocket.toml .
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+# Configures the startup!
+WORKDIR /
+CMD ["/start.sh"]
+
--- a/docker/armv6/mysql/Dockerfile
+++ b/docker/armv6/mysql/Dockerfile
@ -1,106 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set mysql backend
-ARG DB=mysql
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabi \
-    && mkdir -p ~/.cargo \
-    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
-    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-WORKDIR /app
-
-# Prepare openssl armel libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armel \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armel \
-        libc6-dev:armel \
-        libmariadb-dev:armel
-
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Build
-RUN rustup target add arm-unknown-linux-gnueabi
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/rpi-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    libmariadbclient-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/armv6/sqlite/Dockerfile
+++ b/docker/armv6/sqlite/Dockerfile
@ -1,106 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set sqlite as default for DB ARG for backward comaptibility
-ARG DB=sqlite
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabi \
-    && mkdir -p ~/.cargo \
-    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
-    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-WORKDIR /app
-
-# Prepare openssl armel libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armel \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armel \
-        libc6-dev:armel \
-        libmariadb-dev:armel
-
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Build
-RUN rustup target add arm-unknown-linux-gnueabi
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/rpi-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    sqlite3 \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/armv7/mysql/Dockerfile
+++ b/docker/armv7/mysql/Dockerfile
@ -1,107 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set mysql backend
-ARG DB=mysql
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabihf \
-    && mkdir -p ~/.cargo \
-    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
-    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-WORKDIR /app
-
-# Prepare openssl armhf libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armhf \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armhf \
-        libc6-dev:armhf \
-        libmariadb-dev:armhf
-
-
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Build
-RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/armv7hf-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    libmariadbclient-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/armv7/sqlite/Dockerfile
+++ b/docker/armv7/sqlite/Dockerfile
@ -1,106 +0,0 @@
-# Using multistage build: 
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-FROM alpine:3.10 as vault
-
-ENV VAULT_VERSION "v2.12.0"
-
-ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
-
-RUN apk add --no-cache --upgrade \
-    curl \
-    tar
-
-RUN mkdir /web-vault
-WORKDIR /web-vault
-
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-
-RUN curl -L $URL | tar xz
-RUN ls
-
-########################## BUILD IMAGE  ##########################
-# We need to use the Rust build image, because
-# we need the Rust compiler and Cargo tooling
-FROM rust:1.36 as build
-
-# set sqlite as default for DB ARG for backward comaptibility
-ARG DB=sqlite
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabihf \
-    && mkdir -p ~/.cargo \
-    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
-    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-
-WORKDIR /app
-
-# Prepare openssl armhf libs
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armhf \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libssl-dev:armhf \
-        libc6-dev:armhf \
-        libmariadb-dev:armhf
-
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Build
-RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -v
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/armv7hf-debian:stretch
-
-ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
-ENV ROCKET_WORKERS=10
-
-RUN [ "cross-build-start" ]
-
-# Install needed libraries
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    openssl \
-    ca-certificates \
-    curl \
-    sqlite3 \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /data
-
-RUN [ "cross-build-end" ]  
-
-VOLUME /data
-EXPOSE 80
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-COPY Rocket.toml .
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/bitwarden_rs .
-
-COPY docker/healthcheck.sh ./healthcheck.sh
-
-HEALTHCHECK --interval=30s --timeout=3s CMD sh healthcheck.sh || exit 1
-
-# Configures the startup!
-CMD ["./bitwarden_rs"]
--- a/docker/healthcheck.sh
+++ b/docker/healthcheck.sh
@ -1,8 +1,53 @@
-#!/usr/bin/env sh
+#!/bin/sh

-if [ -z "$ROCKET_TLS"]
-then
-  curl --fail http://localhost:${ROCKET_PORT:-"80"}/alive || exit 1
-else
-  curl --insecure --fail https://localhost:${ROCKET_PORT:-"80"}/alive || exit 1
-fi
+# Use the value of the corresponding env var (if present),
+# or a default value otherwise.
+: ${DATA_FOLDER:="data"}
+: ${ROCKET_PORT:="80"}
+
+CONFIG_FILE="${DATA_FOLDER}"/config.json
+
+# Given a config key, return the corresponding config value from the
+# config file. If the key doesn't exist, return an empty string.
+get_config_val() {
+    local key="$1"
+    # Extract a line of the form:
+    #   "domain": "https://bw.example.com/path",
+    grep "\"${key}\":" "${CONFIG_FILE}" |
+    # To extract just the value (https://bw.example.com/path), delete:
+    # (1) everything up to and including the first ':',
+    # (2) whitespace and '"' from the front,
+    # (3) ',' and '"' from the back.
+    sed -e 's/[^:]\+://' -e 's/^[ "]\+//' -e 's/[,"]\+$//'
+}
+
+# Extract the base path from a domain URL. For example:
+# - `` -> ``
+# - `https://bw.example.com` -> ``
+# - `https://bw.example.com/` -> ``
+# - `https://bw.example.com/path` -> `/path`
+# - `https://bw.example.com/multi/path` -> `/multi/path`
+get_base_path() {
+    echo "$1" |
+    # Delete:
+    # (1) everything up to and including '://',
+    # (2) everything up to '/',
+    # (3) trailing '/' from the back.
+    sed -e 's|.*://||' -e 's|[^/]\+||' -e 's|/*$||'
+}
+
+# Read domain URL from config.json, if present.
+if [ -r "${CONFIG_FILE}" ]; then
+    domain="$(get_config_val 'domain')"
+    if [ -n "${domain}" ]; then
+        # config.json 'domain' overrides the DOMAIN env var.
+        DOMAIN="${domain}"
+    fi
+fi
+
+base_path="$(get_base_path "${DOMAIN}")"
+if [ -n "${ROCKET_TLS}" ]; then
+    s='s'
+fi
+curl --insecure --fail --silent --show-error \
+     "http${s}://localhost:${ROCKET_PORT}${base_path}/alive" || exit 1
--- a/docker/render_template
+++ b/docker/render_template
@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+
+import os, argparse, json
+
+import jinja2
+
+args_parser = argparse.ArgumentParser()
+args_parser.add_argument('template_file', help='Jinja2 template file to render.')
+args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.')
+cli_args = args_parser.parse_args()
+
+render_vars = json.loads(cli_args.render_vars)
+environment = jinja2.Environment(
+	loader=jinja2.FileSystemLoader(os.getcwd()),
+	trim_blocks=True,
+)
+print(environment.get_template(cli_args.template_file).render(render_vars))
--- a/docker/start.sh
+++ b/docker/start.sh
@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ -r /etc/bitwarden_rs.sh ]; then
+    . /etc/bitwarden_rs.sh
+fi
+
+if [ -d /etc/bitwarden_rs.d ]; then
+    for f in /etc/bitwarden_rs.d/*.sh; do
+        if [ -r $f ]; then
+            . $f
+        fi
+    done
+fi
+
+exec /bitwarden_rs "${@}"
--- a/hooks/README.md
+++ b/hooks/README.md
@ -0,0 +1,20 @@
+The hooks in this directory are used to create multi-arch images using Docker Hub automated builds.
+
+Docker Hub hooks provide these predefined [environment variables](https://docs.docker.com/docker-hub/builds/advanced/#environment-variables-for-building-and-testing):
+
+* `SOURCE_BRANCH`: the name of the branch or the tag that is currently being tested.
+* `SOURCE_COMMIT`: the SHA1 hash of the commit being tested.
+* `COMMIT_MSG`: the message from the commit being tested and built.
+* `DOCKER_REPO`: the name of the Docker repository being built.
+* `DOCKERFILE_PATH`: the dockerfile currently being built.
+* `DOCKER_TAG`: the Docker repository tag being built.
+* `IMAGE_NAME`: the name and tag of the Docker repository being built. (This variable is a combination of `DOCKER_REPO:DOCKER_TAG`.)
+
+The current multi-arch image build relies on the original bitwarden_rs Dockerfiles, which use cross-compilation for architectures other than `amd64`, and don't yet support all arch/database/OS combinations. However, cross-compilation is much faster than QEMU-based builds (e.g., using `docker buildx`). This situation may need to be revisited at some point.
+
+## References
+
+* https://docs.docker.com/docker-hub/builds/advanced/
+* https://docs.docker.com/engine/reference/commandline/manifest/
+* https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/
+* https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api
--- a/hooks/arches.sh
+++ b/hooks/arches.sh
@ -0,0 +1,19 @@
+# The default Debian-based images support these arches for all database connections
+#
+# Other images (Alpine-based) currently
+# support only a subset of these.
+arches=(
+    amd64
+    arm32v6
+    arm32v7
+    arm64v8
+)
+
+if [[ "${DOCKER_TAG}" == *alpine ]]; then
+    # The Alpine build currently only works for amd64.
+    os_suffix=.alpine
+    arches=(
+        amd64
+        arm32v7
+    )
+fi
--- a/hooks/build
+++ b/hooks/build
@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo ">>> Building images..."
+
+source ./hooks/arches.sh
+
+set -ex
+
+for arch in "${arches[@]}"; do
+    docker build \
+           -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \
+           -f docker/${arch}/Dockerfile${os_suffix} \
+           .
+done
--- a/hooks/push
+++ b/hooks/push
@ -0,0 +1,117 @@
+#!/bin/bash
+
+echo ">>> Pushing images..."
+
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+declare -A annotations=(
+    [amd64]="--os linux --arch amd64"
+    [arm32v6]="--os linux --arch arm --variant v6"
+    [arm32v7]="--os linux --arch arm --variant v7"
+    [arm64v8]="--os linux --arch arm64 --variant v8"
+)
+
+source ./hooks/arches.sh
+
+set -ex
+
+declare -A images
+for arch in ${arches[@]}; do
+    images[$arch]="${DOCKER_REPO}:${DOCKER_TAG}-${arch}"
+done
+
+# Push the images that were just built; manifest list creation fails if the
+# images (manifests) referenced don't already exist in the Docker registry.
+for image in "${images[@]}"; do
+    docker push "${image}"
+done
+
+manifest_lists=("${DOCKER_REPO}:${DOCKER_TAG}")
+
+# If the Docker tag starts with a version number, assume the latest release is
+# being pushed. Add an extra manifest (`latest` or `alpine`, as appropriate)
+# to make it easier for users to track the latest release.
+if [[ "${DOCKER_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then
+    if [[ "${DOCKER_TAG}" == *alpine ]]; then
+        manifest_lists+=(${DOCKER_REPO}:alpine)
+    else
+        manifest_lists+=(${DOCKER_REPO}:latest)
+
+        # Add an extra `latest-arm32v6` tag; Docker can't seem to properly
+        # auto-select that image on Armv6 platforms like Raspberry Pi 1 and Zero
+        # (https://github.com/moby/moby/issues/41017).
+        #
+        # Add this tag only for the SQLite image, as the MySQL and PostgreSQL
+        # builds don't currently work on non-amd64 arches.
+        #
+        # TODO: Also add an `alpine-arm32v6` tag if multi-arch support for
+        # Alpine-based bitwarden_rs images is implemented before this Docker
+        # issue is fixed.
+        if [[ ${DOCKER_REPO} == *server ]]; then
+            docker tag "${DOCKER_REPO}:${DOCKER_TAG}-arm32v6" "${DOCKER_REPO}:latest-arm32v6"
+            docker push "${DOCKER_REPO}:latest-arm32v6"
+        fi
+    fi
+fi
+
+for manifest_list in "${manifest_lists[@]}"; do
+    # Create the (multi-arch) manifest list of arch-specific images.
+    docker manifest create ${manifest_list} ${images[@]}
+
+    # Make sure each image manifest is annotated with the correct arch info.
+    # Docker does not auto-detect the arch of each cross-compiled image, so
+    # everything would appear as `linux/amd64` otherwise.
+    for arch in "${arches[@]}"; do
+        docker manifest annotate ${annotations[$arch]} ${manifest_list} ${images[$arch]}
+    done
+
+    # Push the manifest list.
+    docker manifest push --purge ${manifest_list}
+done
+
+# Avoid logging credentials and tokens.
+set +ex
+
+# Delete the arch-specific tags, if credentials for doing so are available.
+# Note that `DOCKER_PASSWORD` must be the actual user password. Passing a JWT
+# obtained using a personal access token results in a 403 error with
+# {"detail": "access to the resource is forbidden with personal access token"}
+if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then
+    exit 0
+fi
+
+# Given a JSON input on stdin, extract the string value associated with the
+# specified key. This avoids an extra dependency on a tool like `jq`.
+extract() {
+    local key="$1"
+    # Extract "<key>":"<val>" (assumes key/val won't contain double quotes).
+    # The colon may have whitespace on either side.
+    grep -o "\"${key}\"[[:space:]]*:[[:space:]]*\"[^\"]\+\"" |
+    # Extract just <val> by deleting the last '"', and then greedily deleting
+    # everything up to '"'.
+    sed -e 's/"$//' -e 's/.*"//'
+}
+
+echo ">>> Getting API token..."
+jwt=$(curl -sS -X POST \
+           -H "Content-Type: application/json" \
+           -d "{\"username\":\"${DOCKER_USERNAME}\",\"password\": \"${DOCKER_PASSWORD}\"}" \
+           "https://hub.docker.com/v2/users/login" |
+      extract 'token')
+
+# Strip the registry portion from `index.docker.io/user/repo`.
+repo="${DOCKER_REPO#*/}"
+
+for arch in ${arches[@]}; do
+    # Don't delete the `arm32v6` tag; Docker can't seem to properly
+    # auto-select that image on Armv6 platforms like Raspberry Pi 1 and Zero
+    # (https://github.com/moby/moby/issues/41017).
+    if [[ ${arch} == 'arm32v6' ]]; then
+        continue
+    fi
+    tag="${DOCKER_TAG}-${arch}"
+    echo ">>> Deleting '${repo}:${tag}'..."
+    curl -sS -X DELETE \
+         -H "Authorization: Bearer ${jwt}" \
+         "https://hub.docker.com/v2/repositories/${repo}/tags/${tag}/"
+done
--- a/migrations/mysql/2019-10-10-083032_add_column_to_twofactor/down.sql
+++ b/migrations/mysql/2019-10-10-083032_add_column_to_twofactor/down.sql
--- a/migrations/mysql/2019-10-10-083032_add_column_to_twofactor/up.sql
+++ b/migrations/mysql/2019-10-10-083032_add_column_to_twofactor/up.sql
@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;
--- a/migrations/mysql/2019-11-17-011009_add_email_verification/down.sql
+++ b/migrations/mysql/2019-11-17-011009_add_email_verification/down.sql
@ -0,0 +1 @@
+
--- a/migrations/mysql/2019-11-17-011009_add_email_verification/up.sql
+++ b/migrations/mysql/2019-11-17-011009_add_email_verification/up.sql
@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;
--- a/migrations/mysql/2020-03-13-205045_add_policy_table/down.sql
+++ b/migrations/mysql/2020-03-13-205045_add_policy_table/down.sql
@ -0,0 +1 @@
+DROP TABLE org_policies;
--- a/migrations/mysql/2020-03-13-205045_add_policy_table/up.sql
+++ b/migrations/mysql/2020-03-13-205045_add_policy_table/up.sql
@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid  CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (org_uuid, atype)
+);
--- a/migrations/mysql/2020-04-09-235005_add_cipher_delete_date/down.sql
+++ b/migrations/mysql/2020-04-09-235005_add_cipher_delete_date/down.sql
@ -0,0 +1 @@
+
--- a/migrations/mysql/2020-04-09-235005_add_cipher_delete_date/up.sql
+++ b/migrations/mysql/2020-04-09-235005_add_cipher_delete_date/up.sql
@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    deleted_at DATETIME;
--- a/migrations/mysql/2020-07-01-214531_add_hide_passwords/down.sql
+++ b/migrations/mysql/2020-07-01-214531_add_hide_passwords/down.sql
--- a/migrations/mysql/2020-07-01-214531_add_hide_passwords/up.sql
+++ b/migrations/mysql/2020-07-01-214531_add_hide_passwords/up.sql
@ -0,0 +1,2 @@
+ALTER TABLE users_collections
+ADD COLUMN hide_passwords BOOLEAN NOT NULL DEFAULT FALSE;
--- a/migrations/mysql/2020-08-02-025025_add_favorites_table/down.sql
+++ b/migrations/mysql/2020-08-02-025025_add_favorites_table/down.sql
@ -0,0 +1,13 @@
+ALTER TABLE ciphers
+ADD COLUMN favorite BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- Transfer favorite status for user-owned ciphers.
+UPDATE ciphers
+SET favorite = TRUE
+WHERE EXISTS (
+  SELECT * FROM favorites
+  WHERE favorites.user_uuid = ciphers.user_uuid
+    AND favorites.cipher_uuid = ciphers.uuid
+);
+
+DROP TABLE favorites;
--- a/migrations/mysql/2020-08-02-025025_add_favorites_table/up.sql
+++ b/migrations/mysql/2020-08-02-025025_add_favorites_table/up.sql
@ -0,0 +1,16 @@
+CREATE TABLE favorites (
+  user_uuid   CHAR(36) NOT NULL REFERENCES users(uuid),
+  cipher_uuid CHAR(36) NOT NULL REFERENCES ciphers(uuid),
+
+  PRIMARY KEY (user_uuid, cipher_uuid)
+);
+
+-- Transfer favorite status for user-owned ciphers.
+INSERT INTO favorites(user_uuid, cipher_uuid)
+SELECT user_uuid, uuid
+FROM ciphers
+WHERE favorite = TRUE
+  AND user_uuid IS NOT NULL;
+
+ALTER TABLE ciphers
+DROP COLUMN favorite;
--- a/migrations/mysql/2020-11-30-224000_add_user_enabled/down.sql
+++ b/migrations/mysql/2020-11-30-224000_add_user_enabled/down.sql
--- a/migrations/mysql/2020-11-30-224000_add_user_enabled/up.sql
+++ b/migrations/mysql/2020-11-30-224000_add_user_enabled/up.sql
@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN enabled BOOLEAN NOT NULL DEFAULT 1;
--- a/migrations/mysql/2020-12-09-173101_add_stamp_exception/down.sql
+++ b/migrations/mysql/2020-12-09-173101_add_stamp_exception/down.sql
--- a/migrations/mysql/2020-12-09-173101_add_stamp_exception/up.sql
+++ b/migrations/mysql/2020-12-09-173101_add_stamp_exception/up.sql
@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN stamp_exception TEXT DEFAULT NULL;
--- a/migrations/postgresql/2019-10-10-083032_add_column_to_twofactor/down.sql
+++ b/migrations/postgresql/2019-10-10-083032_add_column_to_twofactor/down.sql
--- a/migrations/postgresql/2019-10-10-083032_add_column_to_twofactor/up.sql
+++ b/migrations/postgresql/2019-10-10-083032_add_column_to_twofactor/up.sql
@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;
--- a/migrations/postgresql/2019-11-17-011009_add_email_verification/down.sql
+++ b/migrations/postgresql/2019-11-17-011009_add_email_verification/down.sql
@ -0,0 +1 @@
+
--- a/migrations/postgresql/2019-11-17-011009_add_email_verification/up.sql
+++ b/migrations/postgresql/2019-11-17-011009_add_email_verification/up.sql
@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at TIMESTAMP DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new VARCHAR(255) DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token VARCHAR(16) DEFAULT NULL;
--- a/migrations/postgresql/2020-03-13-205045_add_policy_table/down.sql
+++ b/migrations/postgresql/2020-03-13-205045_add_policy_table/down.sql
@ -0,0 +1 @@
+DROP TABLE org_policies;
--- a/migrations/postgresql/2020-03-13-205045_add_policy_table/up.sql
+++ b/migrations/postgresql/2020-03-13-205045_add_policy_table/up.sql
@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      CHAR(36) NOT NULL PRIMARY KEY,
+  org_uuid  CHAR(36) NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+  
+  UNIQUE (org_uuid, atype)
+);
--- a/migrations/postgresql/2020-04-09-235005_add_cipher_delete_date/down.sql
+++ b/migrations/postgresql/2020-04-09-235005_add_cipher_delete_date/down.sql
@ -0,0 +1 @@
+
--- a/migrations/postgresql/2020-04-09-235005_add_cipher_delete_date/up.sql
+++ b/migrations/postgresql/2020-04-09-235005_add_cipher_delete_date/up.sql
@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    deleted_at TIMESTAMP;
--- a/migrations/postgresql/2020-07-01-214531_add_hide_passwords/down.sql
+++ b/migrations/postgresql/2020-07-01-214531_add_hide_passwords/down.sql
--- a/migrations/postgresql/2020-07-01-214531_add_hide_passwords/up.sql
+++ b/migrations/postgresql/2020-07-01-214531_add_hide_passwords/up.sql
@ -0,0 +1,2 @@
+ALTER TABLE users_collections
+ADD COLUMN hide_passwords BOOLEAN NOT NULL DEFAULT FALSE;
--- a/migrations/postgresql/2020-08-02-025025_add_favorites_table/down.sql
+++ b/migrations/postgresql/2020-08-02-025025_add_favorites_table/down.sql
@ -0,0 +1,13 @@
+ALTER TABLE ciphers
+ADD COLUMN favorite BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- Transfer favorite status for user-owned ciphers.
+UPDATE ciphers
+SET favorite = TRUE
+WHERE EXISTS (
+  SELECT * FROM favorites
+  WHERE favorites.user_uuid = ciphers.user_uuid
+    AND favorites.cipher_uuid = ciphers.uuid
+);
+
+DROP TABLE favorites;
--- a/migrations/postgresql/2020-08-02-025025_add_favorites_table/up.sql
+++ b/migrations/postgresql/2020-08-02-025025_add_favorites_table/up.sql
@ -0,0 +1,16 @@
+CREATE TABLE favorites (
+  user_uuid   VARCHAR(40) NOT NULL REFERENCES users(uuid),
+  cipher_uuid VARCHAR(40) NOT NULL REFERENCES ciphers(uuid),
+
+  PRIMARY KEY (user_uuid, cipher_uuid)
+);
+
+-- Transfer favorite status for user-owned ciphers.
+INSERT INTO favorites(user_uuid, cipher_uuid)
+SELECT user_uuid, uuid
+FROM ciphers
+WHERE favorite = TRUE
+  AND user_uuid IS NOT NULL;
+
+ALTER TABLE ciphers
+DROP COLUMN favorite;
--- a/migrations/postgresql/2020-11-30-224000_add_user_enabled/down.sql
+++ b/migrations/postgresql/2020-11-30-224000_add_user_enabled/down.sql
--- a/migrations/postgresql/2020-11-30-224000_add_user_enabled/up.sql
+++ b/migrations/postgresql/2020-11-30-224000_add_user_enabled/up.sql
@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN enabled BOOLEAN NOT NULL DEFAULT true;
--- a/migrations/postgresql/2020-12-09-173101_add_stamp_exception/down.sql
+++ b/migrations/postgresql/2020-12-09-173101_add_stamp_exception/down.sql
--- a/migrations/postgresql/2020-12-09-173101_add_stamp_exception/up.sql
+++ b/migrations/postgresql/2020-12-09-173101_add_stamp_exception/up.sql
@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN stamp_exception TEXT DEFAULT NULL;
--- a/migrations/sqlite/2019-10-10-083032_add_column_to_twofactor/down.sql
+++ b/migrations/sqlite/2019-10-10-083032_add_column_to_twofactor/down.sql
--- a/migrations/sqlite/2019-10-10-083032_add_column_to_twofactor/up.sql
+++ b/migrations/sqlite/2019-10-10-083032_add_column_to_twofactor/up.sql
@ -0,0 +1 @@
+ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;
--- a/migrations/sqlite/2019-11-17-011009_add_email_verification/down.sql
+++ b/migrations/sqlite/2019-11-17-011009_add_email_verification/down.sql
@ -0,0 +1 @@
+
--- a/migrations/sqlite/2019-11-17-011009_add_email_verification/up.sql
+++ b/migrations/sqlite/2019-11-17-011009_add_email_verification/up.sql
@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN verified_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN last_verifying_at DATETIME DEFAULT NULL;
+ALTER TABLE users ADD COLUMN login_verify_count INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_new TEXT DEFAULT NULL;
+ALTER TABLE users ADD COLUMN email_new_token TEXT DEFAULT NULL;
--- a/migrations/sqlite/2020-03-13-205045_add_policy_table/down.sql
+++ b/migrations/sqlite/2020-03-13-205045_add_policy_table/down.sql
@ -0,0 +1 @@
+DROP TABLE org_policies;
--- a/migrations/sqlite/2020-03-13-205045_add_policy_table/up.sql
+++ b/migrations/sqlite/2020-03-13-205045_add_policy_table/up.sql
@ -0,0 +1,9 @@
+CREATE TABLE org_policies (
+  uuid      TEXT     NOT NULL PRIMARY KEY,
+  org_uuid  TEXT     NOT NULL REFERENCES organizations (uuid),
+  atype     INTEGER  NOT NULL,
+  enabled   BOOLEAN  NOT NULL,
+  data      TEXT     NOT NULL,
+
+  UNIQUE (org_uuid, atype)
+);
--- a/migrations/sqlite/2020-04-09-235005_add_cipher_delete_date/down.sql
+++ b/migrations/sqlite/2020-04-09-235005_add_cipher_delete_date/down.sql
@ -0,0 +1 @@
+
--- a/migrations/sqlite/2020-04-09-235005_add_cipher_delete_date/up.sql
+++ b/migrations/sqlite/2020-04-09-235005_add_cipher_delete_date/up.sql
@ -0,0 +1,3 @@
+ALTER TABLE ciphers
+    ADD COLUMN
+    deleted_at DATETIME;
--- a/migrations/sqlite/2020-07-01-214531_add_hide_passwords/down.sql
+++ b/migrations/sqlite/2020-07-01-214531_add_hide_passwords/down.sql
--- a/migrations/sqlite/2020-07-01-214531_add_hide_passwords/up.sql
+++ b/migrations/sqlite/2020-07-01-214531_add_hide_passwords/up.sql
@ -0,0 +1,2 @@
+ALTER TABLE users_collections
+ADD COLUMN hide_passwords BOOLEAN NOT NULL DEFAULT 0; -- FALSE
--- a/migrations/sqlite/2020-08-02-025025_add_favorites_table/down.sql
+++ b/migrations/sqlite/2020-08-02-025025_add_favorites_table/down.sql
@ -0,0 +1,13 @@
+ALTER TABLE ciphers
+ADD COLUMN favorite BOOLEAN NOT NULL DEFAULT 0; -- FALSE
+
+-- Transfer favorite status for user-owned ciphers.
+UPDATE ciphers
+SET favorite = 1
+WHERE EXISTS (
+  SELECT * FROM favorites
+  WHERE favorites.user_uuid = ciphers.user_uuid
+    AND favorites.cipher_uuid = ciphers.uuid
+);
+
+DROP TABLE favorites;
--- a/migrations/sqlite/2020-08-02-025025_add_favorites_table/up.sql
+++ b/migrations/sqlite/2020-08-02-025025_add_favorites_table/up.sql
@ -0,0 +1,71 @@
+CREATE TABLE favorites (
+  user_uuid   TEXT NOT NULL REFERENCES users(uuid),
+  cipher_uuid TEXT NOT NULL REFERENCES ciphers(uuid),
+
+  PRIMARY KEY (user_uuid, cipher_uuid)
+);
+
+-- Transfer favorite status for user-owned ciphers.
+INSERT INTO favorites(user_uuid, cipher_uuid)
+SELECT user_uuid, uuid
+FROM ciphers
+WHERE favorite = 1
+  AND user_uuid IS NOT NULL;
+
+-- Drop the `favorite` column from the `ciphers` table, using the 12-step
+-- procedure from <https://www.sqlite.org/lang_altertable.html#altertabrename>.
+-- Note that some steps aren't applicable and are omitted.
+
+-- 1. If foreign key constraints are enabled, disable them using PRAGMA foreign_keys=OFF.
+--
+-- Diesel runs each migration in its own transaction. `PRAGMA foreign_keys`
+-- is a no-op within a transaction, so this step must be done outside of this
+-- file, before starting the Diesel migrations.
+
+-- 2. Start a transaction.
+--
+-- Diesel already runs each migration in its own transaction.
+
+-- 4. Use CREATE TABLE to construct a new table "new_X" that is in the
+--    desired revised format of table X. Make sure that the name "new_X" does
+--    not collide with any existing table name, of course.
+
+CREATE TABLE new_ciphers(
+  uuid              TEXT     NOT NULL PRIMARY KEY,
+  created_at        DATETIME NOT NULL,
+  updated_at        DATETIME NOT NULL,
+  user_uuid         TEXT     REFERENCES users(uuid),
+  organization_uuid TEXT     REFERENCES organizations(uuid),
+  atype             INTEGER  NOT NULL,
+  name              TEXT     NOT NULL,
+  notes             TEXT,
+  fields            TEXT,
+  data              TEXT     NOT NULL,
+  password_history  TEXT,
+  deleted_at        DATETIME
+);
+
+-- 5. Transfer content from X into new_X using a statement like:
+--    INSERT INTO new_X SELECT ... FROM X.
+
+INSERT INTO new_ciphers(uuid, created_at, updated_at, user_uuid, organization_uuid, atype,
+                        name, notes, fields, data, password_history, deleted_at)
+SELECT uuid, created_at, updated_at, user_uuid, organization_uuid, atype,
+       name, notes, fields, data, password_history, deleted_at
+FROM ciphers;
+
+-- 6. Drop the old table X: DROP TABLE X.
+
+DROP TABLE ciphers;
+
+-- 7. Change the name of new_X to X using: ALTER TABLE new_X RENAME TO X.
+
+ALTER TABLE new_ciphers RENAME TO ciphers;
+
+-- 11. Commit the transaction started in step 2.
+
+-- 12. If foreign keys constraints were originally enabled, reenable them now.
+--
+-- `PRAGMA foreign_keys` is scoped to a database connection, and Diesel
+-- migrations are run in a separate database connection that is closed once
+-- the migrations finish.
--- a/migrations/sqlite/2020-11-30-224000_add_user_enabled/down.sql
+++ b/migrations/sqlite/2020-11-30-224000_add_user_enabled/down.sql
--- a/migrations/sqlite/2020-11-30-224000_add_user_enabled/up.sql
+++ b/migrations/sqlite/2020-11-30-224000_add_user_enabled/up.sql
@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN enabled BOOLEAN NOT NULL DEFAULT 1;
--- a/migrations/sqlite/2020-12-09-173101_add_stamp_exception/down.sql
+++ b/migrations/sqlite/2020-12-09-173101_add_stamp_exception/down.sql
--- a/migrations/sqlite/2020-12-09-173101_add_stamp_exception/up.sql
+++ b/migrations/sqlite/2020-12-09-173101_add_stamp_exception/up.sql
@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN stamp_exception TEXT DEFAULT NULL;
--- a/2
+++ b/2
@ -1 +1 @@
-nightly-2019-08-27
+nightly-2020-11-22
--- a/rustfmt.toml
+++ b/rustfmt.toml
@ -1 +1,2 @@
+version = "Two"
 max_width = 120
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@ -1,44 +1,61 @@
+use once_cell::sync::Lazy;
+use serde::de::DeserializeOwned;
 use serde_json::Value;
 use std::process::Command;

-use rocket::http::{Cookie, Cookies, SameSite};
-use rocket::request::{self, FlashMessage, Form, FromRequest, Request};
-use rocket::response::{content::Html, Flash, Redirect};
-use rocket::{Outcome, Route};
+use rocket::{
+    http::{Cookie, Cookies, SameSite},
+    request::{self, FlashMessage, Form, FromRequest, Outcome, Request},
+    response::{content::Html, Flash, Redirect},
+    Route,
+};
 use rocket_contrib::json::Json;

-use crate::api::{ApiResult, EmptyResult, JsonResult};
-use crate::auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp};
-use crate::config::ConfigBuilder;
-use crate::db::{backup_database, models::*, DbConn};
-use crate::error::Error;
-use crate::mail;
-use crate::CONFIG;
+use crate::{
+    api::{ApiResult, EmptyResult, JsonResult},
+    auth::{decode_admin, encode_jwt, generate_admin_claims, ClientIp},
+    config::ConfigBuilder,
+    db::{backup_database, models::*, DbConn, DbConnType},
+    error::{Error, MapResult},
+    mail,
+    util::{get_display_size, format_naive_datetime_local},
+    CONFIG,
+};

 pub fn routes() -> Vec<Route> {
-    if CONFIG.admin_token().is_none() && !CONFIG.disable_admin_token() {
+    if !CONFIG.disable_admin_token() && !CONFIG.is_admin_token_set() {
        return routes![admin_disabled];
    }

    routes![
        admin_login,
-        get_users,
+        get_users_json,
        post_admin_login,
        admin_page,
        invite_user,
+        logout,
        delete_user,
        deauth_user,
+        disable_user,
+        enable_user,
        remove_2fa,
        update_revision_users,
        post_config,
        delete_config,
        backup_db,
+        test_smtp,
+        users_overview,
+        organizations_overview,
+        diagnostics,
    ]
 }

-lazy_static! {
-    static ref CAN_BACKUP: bool = cfg!(feature = "sqlite") && Command::new("sqlite3").arg("-version").status().is_ok();
-}
+static CAN_BACKUP: Lazy<bool> = Lazy::new(|| {
+    DbConnType::from_url(&CONFIG.database_url())
+        .map(|t| t == DbConnType::sqlite)
+        .unwrap_or(false)
+        && Command::new("sqlite3").arg("-version").status().is_ok()
+});

 #[get("/")]
 fn admin_disabled() -> &'static str {
@ -49,13 +66,48 @@ const COOKIE_NAME: &str = "BWRS_ADMIN";
 const ADMIN_PATH: &str = "/admin";

 const BASE_TEMPLATE: &str = "admin/base";
-const VERSION: Option<&str> = option_env!("GIT_VERSION");
+const VERSION: Option<&str> = option_env!("BWRS_VERSION");
+
+fn admin_path() -> String {
+    format!("{}{}", CONFIG.domain_path(), ADMIN_PATH)
+}
+
+struct Referer(Option<String>);
+
+impl<'a, 'r> FromRequest<'a, 'r> for Referer {
+    type Error = ();
+
+    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
+        Outcome::Success(Referer(request.headers().get_one("Referer").map(str::to_string)))
+    }
+}
+
+/// Used for `Location` response headers, which must specify an absolute URI
+/// (see https://tools.ietf.org/html/rfc2616#section-14.30).
+fn admin_url(referer: Referer) -> String {
+    // If we get a referer use that to make it work when, DOMAIN is not set
+    if let Some(mut referer) = referer.0 {
+        if let Some(start_index) = referer.find(ADMIN_PATH) {
+            referer.truncate(start_index + ADMIN_PATH.len());
+            return referer;
+        }
+    }
+
+    if CONFIG.domain_set() {
+        // Don't use CONFIG.domain() directly, since the user may want to keep a
+        // trailing slash there, particularly when running under a subpath.
+        format!("{}{}{}", CONFIG.domain_origin(), CONFIG.domain_path(), ADMIN_PATH)
+    } else {
+        // Last case, when no referer or domain set, technically invalid but better than nothing
+        ADMIN_PATH.to_string()
+    }
+}

 #[get("/", rank = 2)]
 fn admin_login(flash: Option<FlashMessage>) -> ApiResult<Html<String>> {
    // If there is an error, show it
    let msg = flash.map(|msg| format!("{}: {}", msg.name(), msg.msg()));
-    let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg});
+    let json = json!({"page_content": "admin/login", "version": VERSION, "error": msg, "urlpath": CONFIG.domain_path()});

    // Return the page
    let text = CONFIG.render_template(BASE_TEMPLATE, &json)?;
@ -68,14 +120,19 @@ struct LoginForm {
 }

 #[post("/", data = "<data>")]
-fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -> Result<Redirect, Flash<Redirect>> {
+fn post_admin_login(
+    data: Form<LoginForm>,
+    mut cookies: Cookies,
+    ip: ClientIp,
+    referer: Referer,
+) -> Result<Redirect, Flash<Redirect>> {
    let data = data.into_inner();

    // If the token is invalid, redirect to login page
    if !_validate_token(&data.token) {
        error!("Invalid admin token. IP: {}", ip.ip);
        Err(Flash::error(
-            Redirect::to(ADMIN_PATH),
+            Redirect::to(admin_url(referer)),
            "Invalid admin token, please try again.",
        ))
    } else {
@ -84,14 +141,14 @@ fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -
        let jwt = encode_jwt(&claims);

        let cookie = Cookie::build(COOKIE_NAME, jwt)
-            .path(ADMIN_PATH)
-            .max_age(chrono::Duration::minutes(20))
+            .path(admin_path())
+            .max_age(time::Duration::minutes(20))
            .same_site(SameSite::Strict)
            .http_only(true)
            .finish();

        cookies.add(cookie);
-        Ok(Redirect::to(ADMIN_PATH))
+        Ok(Redirect::to(admin_url(referer)))
    }
 }

@ -106,19 +163,69 @@ fn _validate_token(token: &str) -> bool {
 struct AdminTemplateData {
    page_content: String,
    version: Option<&'static str>,
-    users: Vec<Value>,
+    users: Option<Vec<Value>>,
+    organizations: Option<Vec<Value>>,
+    diagnostics: Option<Value>,
    config: Value,
    can_backup: bool,
+    logged_in: bool,
+    urlpath: String,
 }

 impl AdminTemplateData {
-    fn new(users: Vec<Value>) -> Self {
+    fn new() -> Self {
        Self {
-            page_content: String::from("admin/page"),
+            page_content: String::from("admin/settings"),
            version: VERSION,
-            users,
            config: CONFIG.prepare_json(),
            can_backup: *CAN_BACKUP,
+            logged_in: true,
+            urlpath: CONFIG.domain_path(),
+            users: None,
+            organizations: None,
+            diagnostics: None,
+        }
+    }
+
+    fn users(users: Vec<Value>) -> Self {
+        Self {
+            page_content: String::from("admin/users"),
+            version: VERSION,
+            users: Some(users),
+            config: CONFIG.prepare_json(),
+            can_backup: *CAN_BACKUP,
+            logged_in: true,
+            urlpath: CONFIG.domain_path(),
+            organizations: None,
+            diagnostics: None,
+        }
+    }
+
+    fn organizations(organizations: Vec<Value>) -> Self {
+        Self {
+            page_content: String::from("admin/organizations"),
+            version: VERSION,
+            organizations: Some(organizations),
+            config: CONFIG.prepare_json(),
+            can_backup: *CAN_BACKUP,
+            logged_in: true,
+            urlpath: CONFIG.domain_path(),
+            users: None,
+            diagnostics: None,
+        }
+    }
+
+    fn diagnostics(diagnostics: Value) -> Self {
+        Self {
+            page_content: String::from("admin/diagnostics"),
+            version: VERSION,
+            organizations: None,
+            config: CONFIG.prepare_json(),
+            can_backup: *CAN_BACKUP,
+            logged_in: true,
+            urlpath: CONFIG.domain_path(),
+            users: None,
+            diagnostics: Some(diagnostics),
        }
    }

@ -128,11 +235,8 @@ impl AdminTemplateData {
 }

 #[get("/", rank = 1)]
-fn admin_page(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
-    let users = User::get_all(&conn);
-    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();
-
-    let text = AdminTemplateData::new(users_json).render()?;
+fn admin_page(_token: AdminToken, _conn: DbConn) -> ApiResult<Html<String>> {
+    let text = AdminTemplateData::new().render()?;
    Ok(Html(text))
 }

@ -150,60 +254,101 @@ fn invite_user(data: Json<InviteData>, _token: AdminToken, conn: DbConn) -> Empt
        err!("User already exists")
    }

-    if !CONFIG.invitations_allowed() {
-        err!("Invitations are not allowed")
-    }
-
    let mut user = User::new(email);
    user.save(&conn)?;

    if CONFIG.mail_enabled() {
-        let org_name = "bitwarden_rs";
-        mail::send_invite(&user.email, &user.uuid, None, None, &org_name, None)
+        mail::send_invite(&user.email, &user.uuid, None, None, &CONFIG.invitation_org_name(), None)
    } else {
        let invitation = Invitation::new(data.email);
        invitation.save(&conn)
    }
 }

+#[post("/test/smtp", data = "<data>")]
+fn test_smtp(data: Json<InviteData>, _token: AdminToken) -> EmptyResult {
+    let data: InviteData = data.into_inner();
+
+    if CONFIG.mail_enabled() {
+        mail::send_test(&data.email)
+    } else {
+        err!("Mail is not enabled")
+    }
+}
+
+#[get("/logout")]
+fn logout(mut cookies: Cookies, referer: Referer) -> Result<Redirect, ()> {
+    cookies.remove(Cookie::named(COOKIE_NAME));
+    Ok(Redirect::to(admin_url(referer)))
+}
+
 #[get("/users")]
-fn get_users(_token: AdminToken, conn: DbConn) -> JsonResult {
+fn get_users_json(_token: AdminToken, conn: DbConn) -> JsonResult {
    let users = User::get_all(&conn);
    let users_json: Vec<Value> = users.iter().map(|u| u.to_json(&conn)).collect();

    Ok(Json(Value::Array(users_json)))
 }

+#[get("/users/overview")]
+fn users_overview(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
+    let users = User::get_all(&conn);
+    let dt_fmt = "%Y-%m-%d %H:%M:%S %Z";
+    let users_json: Vec<Value> = users.iter()
+        .map(|u| {
+            let mut usr = u.to_json(&conn);
+            usr["cipher_count"] = json!(Cipher::count_owned_by_user(&u.uuid, &conn));
+            usr["attachment_count"] = json!(Attachment::count_by_user(&u.uuid, &conn));
+            usr["attachment_size"] = json!(get_display_size(Attachment::size_by_user(&u.uuid, &conn) as i32));
+            usr["user_enabled"] = json!(u.enabled);
+            usr["created_at"] = json!(format_naive_datetime_local(&u.created_at, dt_fmt));
+            usr["last_active"] = match u.last_active(&conn) {
+                Some(dt) => json!(format_naive_datetime_local(&dt, dt_fmt)),
+                None => json!("Never")
+            };
+            usr
+    }).collect();
+
+    let text = AdminTemplateData::users(users_json).render()?;
+    Ok(Html(text))
+}
+
 #[post("/users/<uuid>/delete")]
 fn delete_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
-    let user = match User::find_by_uuid(&uuid, &conn) {
-        Some(user) => user,
-        None => err!("User doesn't exist"),
-    };
-
+    let user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
    user.delete(&conn)
 }

 #[post("/users/<uuid>/deauth")]
 fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
-    let mut user = match User::find_by_uuid(&uuid, &conn) {
-        Some(user) => user,
-        None => err!("User doesn't exist"),
-    };
-
+    let mut user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
    Device::delete_all_by_user(&user.uuid, &conn)?;
    user.reset_security_stamp();

    user.save(&conn)
 }

+#[post("/users/<uuid>/disable")]
+fn disable_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
+    Device::delete_all_by_user(&user.uuid, &conn)?;
+    user.reset_security_stamp();
+    user.enabled = false;
+
+    user.save(&conn)
+}
+
+#[post("/users/<uuid>/enable")]
+fn enable_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
+    user.enabled = true;
+
+    user.save(&conn)
+}
+
 #[post("/users/<uuid>/remove-2fa")]
 fn remove_2fa(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
-    let mut user = match User::find_by_uuid(&uuid, &conn) {
-        Some(user) => user,
-        None => err!("User doesn't exist"),
-    };
-
+    let mut user = User::find_by_uuid(&uuid, &conn).map_res("User doesn't exist")?;
    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;
    user.totp_recover = None;
    user.save(&conn)
@ -214,6 +359,109 @@ fn update_revision_users(_token: AdminToken, conn: DbConn) -> EmptyResult {
    User::update_all_revisions(&conn)
 }

+#[get("/organizations/overview")]
+fn organizations_overview(_token: AdminToken, conn: DbConn) -> ApiResult<Html<String>> {
+    let organizations = Organization::get_all(&conn);
+    let organizations_json: Vec<Value> = organizations.iter().map(|o| {
+            let mut org = o.to_json();
+            org["user_count"] = json!(UserOrganization::count_by_org(&o.uuid, &conn));
+            org["cipher_count"] = json!(Cipher::count_by_org(&o.uuid, &conn));
+            org["attachment_count"] = json!(Attachment::count_by_org(&o.uuid, &conn));
+            org["attachment_size"] = json!(get_display_size(Attachment::size_by_org(&o.uuid, &conn) as i32));
+            org
+    }).collect();
+
+    let text = AdminTemplateData::organizations(organizations_json).render()?;
+    Ok(Html(text))
+}
+
+#[derive(Deserialize)]
+struct WebVaultVersion {
+    version: String,
+}
+
+#[derive(Deserialize)]
+struct GitRelease {
+    tag_name: String,
+}
+
+#[derive(Deserialize)]
+struct GitCommit {
+    sha: String,
+}
+
+fn get_github_api<T: DeserializeOwned>(url: &str) -> Result<T, Error> {
+    use reqwest::{blocking::Client, header::USER_AGENT};
+    use std::time::Duration;
+    let github_api = Client::builder().build()?;
+
+    Ok(
+        github_api.get(url)
+        .timeout(Duration::from_secs(10))
+        .header(USER_AGENT, "Bitwarden_RS")
+        .send()?
+        .error_for_status()?
+        .json::<T>()?
+    )
+}
+
+#[get("/diagnostics")]
+fn diagnostics(_token: AdminToken, _conn: DbConn) -> ApiResult<Html<String>> {
+    use std::net::ToSocketAddrs;
+    use chrono::prelude::*;
+    use crate::util::read_file_string;
+
+    let vault_version_path = format!("{}/{}", CONFIG.web_vault_folder(), "version.json");
+    let vault_version_str = read_file_string(&vault_version_path)?;
+    let web_vault_version: WebVaultVersion = serde_json::from_str(&vault_version_str)?;
+
+    let github_ips = ("github.com", 0).to_socket_addrs().map(|mut i| i.next());
+    let (dns_resolved, dns_ok) = match github_ips {
+        Ok(Some(a)) => (a.ip().to_string(), true),
+        _ => ("Could not resolve domain name.".to_string(), false),
+    };
+
+    // If the DNS Check failed, do not even attempt to check for new versions since we were not able to resolve github.com
+    let (latest_release, latest_commit, latest_web_build) = if dns_ok {
+        (
+            match get_github_api::<GitRelease>("https://api.github.com/repos/dani-garcia/bitwarden_rs/releases/latest") {
+                Ok(r) => r.tag_name,
+                _ => "-".to_string()
+            },
+            match get_github_api::<GitCommit>("https://api.github.com/repos/dani-garcia/bitwarden_rs/commits/master") {
+                Ok(mut c) => {
+                    c.sha.truncate(8);
+                    c.sha
+            },
+                _ => "-".to_string()
+            },
+            match get_github_api::<GitRelease>("https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest") {
+                Ok(r) => r.tag_name.trim_start_matches('v').to_string(),
+                _ => "-".to_string()
+            },
+        )
+    } else {
+        ("-".to_string(), "-".to_string(), "-".to_string())
+    };
+
+    // Run the date check as the last item right before filling the json.
+    // This should ensure that the time difference between the browser and the server is as minimal as possible.
+    let dt = Utc::now();
+    let server_time = dt.format("%Y-%m-%d %H:%M:%S UTC").to_string();
+
+    let diagnostics_json = json!({
+        "dns_resolved": dns_resolved,
+        "server_time": server_time,
+        "web_vault_version": web_vault_version.version,
+        "latest_release": latest_release,
+        "latest_commit": latest_commit,
+        "latest_web_build": latest_web_build,
+    });
+
+    let text = AdminTemplateData::diagnostics(diagnostics_json).render()?;
+    Ok(Html(text))
+}
+
 #[post("/config", data = "<data>")]
 fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
    let data: ConfigBuilder = data.into_inner();
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -1,17 +1,15 @@
+use chrono::Utc;
 use rocket_contrib::json::Json;

-use crate::db::models::*;
-use crate::db::DbConn;
+use crate::{
+    api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType},
+    auth::{decode_delete, decode_invite, decode_verify_email, Headers},
+    crypto,
+    db::{models::*, DbConn},
+    mail, CONFIG,
+};

-use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType};
-use crate::auth::{decode_invite, Headers};
-use crate::mail;
-
-use crate::CONFIG;
-
-use rocket::Route;
-
-pub fn routes() -> Vec<Route> {
+pub fn routes() -> Vec<rocket::Route> {
    routes![
        register,
        profile,
@ -25,11 +23,16 @@ pub fn routes() -> Vec<Route> {
        post_sstamp,
        post_email_token,
        post_email,
+        post_verify_email,
+        post_verify_email_token,
+        post_delete_recover,
+        post_delete_recover_token,
        delete_account,
        post_delete_account,
        revision_date,
        password_hint,
        prelogin,
+        verify_password,
    ]
 }

@ -62,7 +65,11 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
    let mut user = match User::find_by_mail(&data.Email, &conn) {
        Some(user) => {
            if !user.password_hash.is_empty() {
-                err!("User already exists")
+                if CONFIG.is_signup_allowed(&data.Email) {
+                    err!("User already exists")
+                } else {
+                    err!("Registration not allowed or user already exists")
+                }
            }

            if let Some(token) = data.Token {
@ -79,17 +86,20 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
                }

                user
-            } else if CONFIG.signups_allowed() {
+            } else if CONFIG.is_signup_allowed(&data.Email) {
                err!("Account with this email already exists")
            } else {
-                err!("Registration not allowed")
+                err!("Registration not allowed or user already exists")
            }
        }
        None => {
-            if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
+            // Order is important here; the invitation check must come first
+            // because the bitwarden_rs admin can invite anyone, regardless
+            // of other signup restrictions.
+            if Invitation::take(&data.Email, &conn) || CONFIG.is_signup_allowed(&data.Email) {
                User::new(data.Email.clone())
            } else {
-                err!("Registration not allowed")
+                err!("Registration not allowed or user already exists")
            }
        }
    };
@ -105,7 +115,7 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
        user.client_kdf_type = client_kdf_type;
    }

-    user.set_password(&data.MasterPasswordHash);
+    user.set_password(&data.MasterPasswordHash, None);
    user.akey = data.Key;

    // Add extra fields if present
@ -122,6 +132,20 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
        user.public_key = Some(keys.PublicKey);
    }

+    if CONFIG.mail_enabled() {
+        if CONFIG.signups_verify() {
+            if let Err(e) = mail::send_welcome_must_verify(&user.email, &user.uuid) {
+                error!("Error sending welcome email: {:#?}", e);
+            }
+
+            user.last_verifying_at = Some(user.created_at);
+        } else {
+            if let Err(e) = mail::send_welcome(&user.email) {
+                error!("Error sending welcome email: {:#?}", e);
+            }
+        }
+    }
+
    user.save(&conn)
 }

@ -183,7 +207,12 @@ fn post_keys(data: JsonUpcase<KeysData>, headers: Headers, conn: DbConn) -> Json
    user.public_key = Some(data.PublicKey);

    user.save(&conn)?;
-    Ok(Json(user.to_json(&conn)))
+
+    Ok(Json(json!({
+        "PrivateKey": user.private_key,
+        "PublicKey": user.public_key,
+        "Object":"keys"
+    })))
 }

 #[derive(Deserialize)]
@ -203,7 +232,7 @@ fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, conn: DbCon
        err!("Invalid password")
    }

-    user.set_password(&data.NewMasterPasswordHash);
+    user.set_password(&data.NewMasterPasswordHash, Some("post_rotatekey"));
    user.akey = data.Key;
    user.save(&conn)
 }
@ -230,7 +259,7 @@ fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, conn: DbConn) ->

    user.client_kdf_iter = data.KdfIterations;
    user.client_kdf_type = data.Kdf;
-    user.set_password(&data.NewMasterPasswordHash);
+    user.set_password(&data.NewMasterPasswordHash, None);
    user.akey = data.Key;
    user.save(&conn)
 }
@ -309,6 +338,7 @@ fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, conn: DbConn, nt:
    user.akey = data.Key;
    user.private_key = Some(data.PrivateKey);
    user.reset_security_stamp();
+    user.reset_stamp_exception();

    user.save(&conn)
 }
@ -337,8 +367,9 @@ struct EmailTokenData {
 #[post("/accounts/email-token", data = "<data>")]
 fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: DbConn) -> EmptyResult {
    let data: EmailTokenData = data.into_inner().data;
+    let mut user = headers.user;

-    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+    if !user.check_valid_password(&data.MasterPasswordHash) {
        err!("Invalid password")
    }

@ -346,7 +377,21 @@ fn post_email_token(data: JsonUpcase<EmailTokenData>, headers: Headers, conn: Db
        err!("Email already in use");
    }

-    Ok(())
+    if !CONFIG.is_email_domain_allowed(&data.NewEmail) {
+        err!("Email domain not allowed");
+    }
+
+    let token = crypto::generate_token(6)?;
+
+    if CONFIG.mail_enabled() {
+        if let Err(e) = mail::send_change_email(&data.NewEmail, &token) {
+            error!("Error sending change-email email: {:#?}", e);
+        }
+    }
+
+    user.email_new = Some(data.NewEmail);
+    user.email_new_token = Some(token);
+    user.save(&conn)
 }

 #[derive(Deserialize)]
@ -357,8 +402,7 @@ struct ChangeEmailData {

    Key: String,
    NewMasterPasswordHash: String,
-    #[serde(rename = "Token")]
-    _Token: NumberOrString,
+    Token: NumberOrString,
 }

 #[post("/accounts/email", data = "<data>")]
@ -374,14 +418,142 @@ fn post_email(data: JsonUpcase<ChangeEmailData>, headers: Headers, conn: DbConn)
        err!("Email already in use");
    }

-    user.email = data.NewEmail;
+    match user.email_new {
+        Some(ref val) => {
+            if val != &data.NewEmail {
+                err!("Email change mismatch");
+            }
+        }
+        None => err!("No email change pending"),
+    }

-    user.set_password(&data.NewMasterPasswordHash);
+    if CONFIG.mail_enabled() {
+        // Only check the token if we sent out an email...
+        match user.email_new_token {
+            Some(ref val) => {
+                if *val != data.Token.into_string() {
+                    err!("Token mismatch");
+                }
+            }
+            None => err!("No email change pending"),
+        }
+        user.verified_at = Some(Utc::now().naive_utc());
+    } else {
+        user.verified_at = None;
+    }
+
+    user.email = data.NewEmail;
+    user.email_new = None;
+    user.email_new_token = None;
+
+    user.set_password(&data.NewMasterPasswordHash, None);
    user.akey = data.Key;

    user.save(&conn)
 }

+#[post("/accounts/verify-email")]
+fn post_verify_email(headers: Headers, _conn: DbConn) -> EmptyResult {
+    let user = headers.user;
+
+    if !CONFIG.mail_enabled() {
+        err!("Cannot verify email address");
+    }
+
+    if let Err(e) = mail::send_verify_email(&user.email, &user.uuid) {
+        error!("Error sending verify_email email: {:#?}", e);
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct VerifyEmailTokenData {
+    UserId: String,
+    Token: String,
+}
+
+#[post("/accounts/verify-email-token", data = "<data>")]
+fn post_verify_email_token(data: JsonUpcase<VerifyEmailTokenData>, conn: DbConn) -> EmptyResult {
+    let data: VerifyEmailTokenData = data.into_inner().data;
+
+    let mut user = match User::find_by_uuid(&data.UserId, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    let claims = match decode_verify_email(&data.Token) {
+        Ok(claims) => claims,
+        Err(_) => err!("Invalid claim"),
+    };
+    if claims.sub != user.uuid {
+        err!("Invalid claim");
+    }
+    user.verified_at = Some(Utc::now().naive_utc());
+    user.last_verifying_at = None;
+    user.login_verify_count = 0;
+    if let Err(e) = user.save(&conn) {
+        error!("Error saving email verification: {:#?}", e);
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DeleteRecoverData {
+    Email: String,
+}
+
+#[post("/accounts/delete-recover", data = "<data>")]
+fn post_delete_recover(data: JsonUpcase<DeleteRecoverData>, conn: DbConn) -> EmptyResult {
+    let data: DeleteRecoverData = data.into_inner().data;
+
+    let user = User::find_by_mail(&data.Email, &conn);
+
+    if CONFIG.mail_enabled() {
+        if let Some(user) = user {
+            if let Err(e) = mail::send_delete_account(&user.email, &user.uuid) {
+                error!("Error sending delete account email: {:#?}", e);
+            }
+        }
+        Ok(())
+    } else {
+        // We don't support sending emails, but we shouldn't allow anybody
+        // to delete accounts without at least logging in... And if the user
+        // cannot remember their password then they will need to contact
+        // the administrator to delete it...
+        err!("Please contact the administrator to delete your account");
+    }
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DeleteRecoverTokenData {
+    UserId: String,
+    Token: String,
+}
+
+#[post("/accounts/delete-recover-token", data = "<data>")]
+fn post_delete_recover_token(data: JsonUpcase<DeleteRecoverTokenData>, conn: DbConn) -> EmptyResult {
+    let data: DeleteRecoverTokenData = data.into_inner().data;
+
+    let user = match User::find_by_uuid(&data.UserId, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    let claims = match decode_delete(&data.Token) {
+        Ok(claims) => claims,
+        Err(_) => err!("Invalid claim"),
+    };
+    if claims.sub != user.uuid {
+        err!("Invalid claim");
+    }
+    user.delete(&conn)
+}
+
 #[post("/accounts/delete", data = "<data>")]
 fn post_delete_account(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> EmptyResult {
    delete_account(data, headers, conn)
@ -453,3 +625,20 @@ fn prelogin(data: JsonUpcase<PreloginData>, conn: DbConn) -> JsonResult {
        "KdfIterations": kdf_iter
    })))
 }
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct VerifyPasswordData {
+    MasterPasswordHash: String,
+}
+
+#[post("/accounts/verify-password", data = "<data>")]
+fn verify_password(data: JsonUpcase<VerifyPasswordData>, headers: Headers, _conn: DbConn) -> EmptyResult {
+    let data: VerifyPasswordData = data.into_inner().data;
+    let user = headers.user;
+
+    if !user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password")
+    }
+
+    Ok(())
+}
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@ -1,28 +1,33 @@
 use std::collections::{HashMap, HashSet};
 use std::path::Path;

-use rocket::http::ContentType;
-use rocket::{request::Form, Data, Route};
-
+use chrono::{NaiveDateTime, Utc};
+use rocket::{http::ContentType, request::Form, Data, Route};
 use rocket_contrib::json::Json;
 use serde_json::Value;

-use multipart::server::save::SavedData;
-use multipart::server::{Multipart, SaveResult};
-
 use data_encoding::HEXLOWER;
+use multipart::server::{save::SavedData, Multipart, SaveResult};

-use crate::db::models::*;
-use crate::db::DbConn;
-
-use crate::crypto;
-
-use crate::api::{self, EmptyResult, JsonResult, JsonUpcase, Notify, PasswordData, UpdateType};
-use crate::auth::Headers;
-
-use crate::CONFIG;
+use crate::{
+    api::{self, EmptyResult, JsonResult, JsonUpcase, Notify, PasswordData, UpdateType},
+    auth::Headers,
+    crypto,
+    db::{models::*, DbConn},
+    CONFIG,
+};

 pub fn routes() -> Vec<Route> {
+    // Note that many routes have an `admin` variant; this seems to be
+    // because the stored procedure that upstream Bitwarden uses to determine
+    // whether the user can edit a cipher doesn't take into account whether
+    // the user is an org owner/admin. The `admin` variant first checks
+    // whether the user is an owner/admin of the relevant org, and if so,
+    // allows the operation unconditionally.
+    //
+    // bitwarden_rs factors in the org owner/admin status as part of
+    // determining the write accessibility of a cipher, so most
+    // admin/non-admin implementations can be shared.
    routes![
        sync,
        get_ciphers,
@ -44,15 +49,24 @@ pub fn routes() -> Vec<Route> {
        post_cipher_admin,
        post_cipher_share,
        put_cipher_share,
-        put_cipher_share_seleted,
+        put_cipher_share_selected,
        post_cipher,
        put_cipher,
        delete_cipher_post,
        delete_cipher_post_admin,
+        delete_cipher_put,
+        delete_cipher_put_admin,
        delete_cipher,
        delete_cipher_admin,
        delete_cipher_selected,
        delete_cipher_selected_post,
+        delete_cipher_selected_put,
+        delete_cipher_selected_admin,
+        delete_cipher_selected_post_admin,
+        delete_cipher_selected_put_admin,
+        restore_cipher_put,
+        restore_cipher_put_admin,
+        restore_cipher_selected,
        delete_all,
        move_cipher_selected,
        move_cipher_selected_put,
@ -79,7 +93,10 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult {
    let collections = Collection::find_by_user_uuid(&headers.user.uuid, &conn);
    let collections_json: Vec<Value> = collections.iter().map(Collection::to_json).collect();

-    let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn);
+    let policies = OrgPolicy::find_by_user(&headers.user.uuid, &conn);
+    let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect();
+
+    let ciphers = Cipher::find_by_user_visible(&headers.user.uuid, &conn);
    let ciphers_json: Vec<Value> = ciphers
        .iter()
        .map(|c| c.to_json(&headers.host, &headers.user.uuid, &conn))
@ -88,13 +105,14 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult {
    let domains_json = if data.exclude_domains {
        Value::Null
    } else {
-        api::core::get_eq_domains(headers).unwrap().into_inner()
+        api::core::_get_eq_domains(headers, true).unwrap().into_inner()
    };

    Ok(Json(json!({
        "Profile": user_json,
        "Folders": folders_json,
        "Collections": collections_json,
+        "Policies": policies_json,
        "Ciphers": ciphers_json,
        "Domains": domains_json,
        "Object": "sync"
@ -103,7 +121,7 @@ fn sync(data: Form<SyncData>, headers: Headers, conn: DbConn) -> JsonResult {

 #[get("/ciphers")]
 fn get_ciphers(headers: Headers, conn: DbConn) -> JsonResult {
-    let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn);
+    let ciphers = Cipher::find_by_user_visible(&headers.user.uuid, &conn);

    let ciphers_json: Vec<Value> = ciphers
        .iter()
@ -177,6 +195,14 @@ pub struct CipherData {
    #[serde(rename = "Attachments")]
    _Attachments: Option<Value>, // Unused, contains map of {id: filename}
    Attachments2: Option<HashMap<String, Attachments2Data>>,
+
+    // The revision datetime (in ISO 8601 format) of the client's local copy
+    // of the cipher. This is used to prevent a client from updating a cipher
+    // when it doesn't have the latest version, as that can result in data
+    // loss. It's not an error when no value is provided; this can happen
+    // when using older client versions, or if the operation doesn't involve
+    // updating an existing cipher.
+    LastKnownRevisionDate: Option<String>,
 }

 #[derive(Deserialize, Debug)]
@ -186,22 +212,35 @@ pub struct Attachments2Data {
    Key: String,
 }

+/// Called when an org admin clones an org cipher.
 #[post("/ciphers/admin", data = "<data>")]
 fn post_ciphers_admin(data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
-    let data: ShareCipherData = data.into_inner().data;
+    post_ciphers_create(data, headers, conn, nt)
+}
+
+/// Called when creating a new org-owned cipher, or cloning a cipher (whether
+/// user- or org-owned). When cloning a cipher to a user-owned cipher,
+/// `organizationId` is null.
+#[post("/ciphers/create", data = "<data>")]
+fn post_ciphers_create(data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
+    let mut data: ShareCipherData = data.into_inner().data;

    let mut cipher = Cipher::new(data.Cipher.Type, data.Cipher.Name.clone());
    cipher.user_uuid = Some(headers.user.uuid.clone());
    cipher.save(&conn)?;

+    // When cloning a cipher, the Bitwarden clients seem to set this field
+    // based on the cipher being cloned (when creating a new cipher, it's set
+    // to null as expected). However, `cipher.created_at` is initialized to
+    // the current time, so the stale data check will end up failing down the
+    // line. Since this function only creates new ciphers (whether by cloning
+    // or otherwise), we can just ignore this field entirely.
+    data.Cipher.LastKnownRevisionDate = None;
+
    share_cipher_by_uuid(&cipher.uuid, data, &headers, &conn, &nt)
 }

-#[post("/ciphers/create", data = "<data>")]
-fn post_ciphers_create(data: JsonUpcase<ShareCipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
-    post_ciphers_admin(data, headers, conn, nt)
-}
-
+/// Called when creating a new user-owned cipher.
 #[post("/ciphers", data = "<data>")]
 fn post_ciphers(data: JsonUpcase<CipherData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
    let data: CipherData = data.into_inner().data;
@ -221,6 +260,17 @@ pub fn update_cipher_from_data(
    nt: &Notify,
    ut: UpdateType,
 ) -> EmptyResult {
+    // Check that the client isn't updating an existing cipher with stale data.
+    if let Some(dt) = data.LastKnownRevisionDate {
+        match NaiveDateTime::parse_from_str(&dt, "%+") { // ISO 8601 format
+            Err(err) =>
+                warn!("Error parsing LastKnownRevisionDate '{}': {}", dt, err),
+            Ok(dt) if cipher.updated_at.signed_duration_since(dt).num_seconds() > 1 =>
+                err!("The client copy of this cipher is out of date. Resync the client and try again."),
+            Ok(_) => (),
+        }
+    }
+
    if cipher.organization_uuid.is_some() && cipher.organization_uuid != data.OrganizationId {
        err!("Organization mismatch. Please resync the client before updating the cipher")
    }
@ -264,7 +314,10 @@ pub fn update_cipher_from_data(
            };

            if saved_att.cipher_uuid != cipher.uuid {
-                err!("Attachment is not owned by the cipher")
+                // Warn and break here since cloning ciphers provides attachment data but will not be cloned.
+                // If we error out here it will break the whole cloning and causes empty ciphers to appear.
+                warn!("Attachment is not owned by the cipher");
+                break;
            }

            saved_att.akey = Some(attachment.Key);
@ -296,7 +349,6 @@ pub fn update_cipher_from_data(
    type_data["PasswordHistory"] = data.PasswordHistory.clone().unwrap_or(Value::Null);
    // TODO: ******* Backwards compat end **********

-    cipher.favorite = data.Favorite.unwrap_or(false);
    cipher.name = data.Name;
    cipher.notes = data.Notes;
    cipher.fields = data.Fields.map(|f| f.to_string());
@ -305,6 +357,7 @@ pub fn update_cipher_from_data(

    cipher.save(&conn)?;
    cipher.move_to_folder(data.FolderId, &headers.user.uuid, &conn)?;
+    cipher.set_favorite(data.Favorite, &headers.user.uuid, &conn)?;

    if ut != UpdateType::None {
        nt.send_cipher_update(ut, &cipher, &cipher.update_users_revision(&conn));
@ -367,6 +420,7 @@ fn post_ciphers_import(data: JsonUpcase<ImportData>, headers: Headers, conn: DbC
    Ok(())
 }

+/// Called when an org admin modifies an existing org cipher.
 #[put("/ciphers/<uuid>/admin", data = "<data>")]
 fn put_cipher_admin(
    uuid: String,
@ -403,6 +457,11 @@ fn put_cipher(uuid: String, data: JsonUpcase<CipherData>, headers: Headers, conn
        None => err!("Cipher doesn't exist"),
    };

+    // TODO: Check if only the folder ID or favorite status is being changed.
+    // These are per-user properties that technically aren't part of the
+    // cipher itself, so the user shouldn't need write access to change these.
+    // Interestingly, upstream Bitwarden doesn't properly handle this either.
+
    if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
        err!("Cipher is not write accessible")
    }
@ -536,7 +595,7 @@ struct ShareSelectedCipherData {
 }

 #[put("/ciphers/share", data = "<data>")]
-fn put_cipher_share_seleted(
+fn put_cipher_share_selected(
    data: JsonUpcase<ShareSelectedCipherData>,
    headers: Headers,
    conn: DbConn,
@ -599,10 +658,13 @@ fn share_cipher_by_uuid(
        None => err!("Cipher doesn't exist"),
    };

+    let mut shared_to_collection = false;
+
    match data.Cipher.OrganizationId.clone() {
-        None => err!("Organization id not provided"),
+        // If we don't get an organization ID, we don't do anything
+        // No error because this is used when using the Clone functionality
+        None => {}
        Some(organization_uuid) => {
-            let mut shared_to_collection = false;
            for uuid in &data.CollectionIds {
                match Collection::find_by_uuid_and_org(uuid, &organization_uuid, &conn) {
                    None => err!("Invalid collection ID provided"),
@ -616,19 +678,20 @@ fn share_cipher_by_uuid(
                    }
                }
            }
-            update_cipher_from_data(
-                &mut cipher,
-                data.Cipher,
-                &headers,
-                shared_to_collection,
-                &conn,
-                &nt,
-                UpdateType::CipherUpdate,
-            )?;
-
-            Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
        }
-    }
+    };
+
+    update_cipher_from_data(
+        &mut cipher,
+        data.Cipher,
+        &headers,
+        shared_to_collection,
+        &conn,
+        &nt,
+        UpdateType::CipherUpdate,
+    )?;
+
+    Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
 }

 #[post("/ciphers/<uuid>/attachment", format = "multipart/form-data", data = "<data>")]
@ -642,20 +705,49 @@ fn post_attachment(
 ) -> JsonResult {
    let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
        Some(cipher) => cipher,
-        None => err!("Cipher doesn't exist"),
+        None => err_discard!("Cipher doesn't exist", data),
    };

    if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
-        err!("Cipher is not write accessible")
+        err_discard!("Cipher is not write accessible", data)
    }

    let mut params = content_type.params();
    let boundary_pair = params.next().expect("No boundary provided");
    let boundary = boundary_pair.1;

+    let size_limit = if let Some(ref user_uuid) = cipher.user_uuid {
+        match CONFIG.user_attachment_limit() {
+            Some(0) => err_discard!("Attachments are disabled", data),
+            Some(limit_kb) => {
+                let left = (limit_kb * 1024) - Attachment::size_by_user(user_uuid, &conn);
+                if left <= 0 {
+                    err_discard!("Attachment size limit reached! Delete some files to open space", data)
+                }
+                Some(left as u64)
+            }
+            None => None,
+        }
+    } else if let Some(ref org_uuid) = cipher.organization_uuid {
+        match CONFIG.org_attachment_limit() {
+            Some(0) => err_discard!("Attachments are disabled", data),
+            Some(limit_kb) => {
+                let left = (limit_kb * 1024) - Attachment::size_by_org(org_uuid, &conn);
+                if left <= 0 {
+                    err_discard!("Attachment size limit reached! Delete some files to open space", data)
+                }
+                Some(left as u64)
+            }
+            None => None,
+        }
+    } else {
+        err_discard!("Cipher is neither owned by a user nor an organization", data);
+    };
+
    let base_path = Path::new(&CONFIG.attachments_folder()).join(&cipher.uuid);

    let mut attachment_key = None;
+    let mut error = None;

    Multipart::with_body(data.open(), boundary)
        .foreach_entry(|mut field| {
@ -674,18 +766,21 @@ fn post_attachment(
                    let file_name = HEXLOWER.encode(&crypto::get_random(vec![0; 10]));
                    let path = base_path.join(&file_name);

-                    let size = match field.data.save().memory_threshold(0).size_limit(None).with_path(path) {
+                    let size = match field.data.save().memory_threshold(0).size_limit(size_limit).with_path(path.clone()) {
                        SaveResult::Full(SavedData::File(_, size)) => size as i32,
                        SaveResult::Full(other) => {
-                            error!("Attachment is not a file: {:?}", other);
+                            std::fs::remove_file(path).ok();
+                            error = Some(format!("Attachment is not a file: {:?}", other));
                            return;
                        }
                        SaveResult::Partial(_, reason) => {
-                            error!("Partial result: {:?}", reason);
+                            std::fs::remove_file(path).ok();
+                            error = Some(format!("Attachment size limit exceeded with this file: {:?}", reason));
                            return;
                        }
                        SaveResult::Error(e) => {
-                            error!("Error: {:?}", e);
+                            std::fs::remove_file(path).ok();
+                            error = Some(format!("Error: {:?}", e));
                            return;
                        }
                    };
@ -699,6 +794,10 @@ fn post_attachment(
        })
        .expect("Error processing multipart data");

+    if let Some(ref e) = error {
+        err!(e);
+    }
+
    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));

    Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
@ -716,11 +815,7 @@ fn post_attachment_admin(
    post_attachment(uuid, data, content_type, headers, conn, nt)
 }

-#[post(
-    "/ciphers/<uuid>/attachment/<attachment_id>/share",
-    format = "multipart/form-data",
-    data = "<data>"
-)]
+#[post("/ciphers/<uuid>/attachment/<attachment_id>/share", format = "multipart/form-data", data = "<data>")]
 fn post_attachment_share(
    uuid: String,
    attachment_id: String,
@ -774,50 +869,79 @@ fn delete_attachment_admin(

 #[post("/ciphers/<uuid>/delete")]
 fn delete_cipher_post(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
-    _delete_cipher_by_uuid(&uuid, &headers, &conn, &nt)
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, false, &nt)
 }

 #[post("/ciphers/<uuid>/delete-admin")]
 fn delete_cipher_post_admin(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
-    _delete_cipher_by_uuid(&uuid, &headers, &conn, &nt)
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, false, &nt)
+}
+
+#[put("/ciphers/<uuid>/delete")]
+fn delete_cipher_put(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, true, &nt)
+}
+
+#[put("/ciphers/<uuid>/delete-admin")]
+fn delete_cipher_put_admin(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, true, &nt)
 }

 #[delete("/ciphers/<uuid>")]
 fn delete_cipher(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
-    _delete_cipher_by_uuid(&uuid, &headers, &conn, &nt)
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, false, &nt)
 }

 #[delete("/ciphers/<uuid>/admin")]
 fn delete_cipher_admin(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
-    _delete_cipher_by_uuid(&uuid, &headers, &conn, &nt)
+    _delete_cipher_by_uuid(&uuid, &headers, &conn, false, &nt)
 }

 #[delete("/ciphers", data = "<data>")]
 fn delete_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
-    let data: Value = data.into_inner().data;
-
-    let uuids = match data.get("Ids") {
-        Some(ids) => match ids.as_array() {
-            Some(ids) => ids.iter().filter_map(Value::as_str),
-            None => err!("Posted ids field is not an array"),
-        },
-        None => err!("Request missing ids field"),
-    };
-
-    for uuid in uuids {
-        if let error @ Err(_) = _delete_cipher_by_uuid(uuid, &headers, &conn, &nt) {
-            return error;
-        };
-    }
-
-    Ok(())
+    _delete_multiple_ciphers(data, headers, conn, false, nt)
 }

 #[post("/ciphers/delete", data = "<data>")]
 fn delete_cipher_selected_post(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    _delete_multiple_ciphers(data, headers, conn, false, nt)
+}
+
+#[put("/ciphers/delete", data = "<data>")]
+fn delete_cipher_selected_put(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    _delete_multiple_ciphers(data, headers, conn, true, nt) // soft delete
+}
+
+#[delete("/ciphers/admin", data = "<data>")]
+fn delete_cipher_selected_admin(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
    delete_cipher_selected(data, headers, conn, nt)
 }

+#[post("/ciphers/delete-admin", data = "<data>")]
+fn delete_cipher_selected_post_admin(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    delete_cipher_selected_post(data, headers, conn, nt)
+}
+
+#[put("/ciphers/delete-admin", data = "<data>")]
+fn delete_cipher_selected_put_admin(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    delete_cipher_selected_put(data, headers, conn, nt)
+}
+
+#[put("/ciphers/<uuid>/restore")]
+fn restore_cipher_put(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    _restore_cipher_by_uuid(&uuid, &headers, &conn, &nt)
+}
+
+#[put("/ciphers/<uuid>/restore-admin")]
+fn restore_cipher_put_admin(uuid: String, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    _restore_cipher_by_uuid(&uuid, &headers, &conn, &nt)
+}
+
+#[put("/ciphers/restore", data = "<data>")]
+fn restore_cipher_selected(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    _restore_multiple_ciphers(data, headers, conn, nt)
+}
+
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct MoveCipherData {
@ -929,8 +1053,8 @@ fn delete_all(
    }
 }

-fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, nt: &Notify) -> EmptyResult {
-    let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
+fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, soft_delete: bool, nt: &Notify) -> EmptyResult {
+    let mut cipher = match Cipher::find_by_uuid(&uuid, &conn) {
        Some(cipher) => cipher,
        None => err!("Cipher doesn't exist"),
    };
@ -939,8 +1063,72 @@ fn _delete_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, nt: &Not
        err!("Cipher can't be deleted by user")
    }

-    cipher.delete(&conn)?;
-    nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(&conn));
+    if soft_delete {
+        cipher.deleted_at = Some(Utc::now().naive_utc());
+        cipher.save(&conn)?;
+        nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
+    } else {
+        cipher.delete(&conn)?;
+        nt.send_cipher_update(UpdateType::CipherDelete, &cipher, &cipher.update_users_revision(&conn));
+    }
+
+    Ok(())
+}
+
+fn _delete_multiple_ciphers(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, soft_delete: bool, nt: Notify) -> EmptyResult {
+    let data: Value = data.into_inner().data;
+
+    let uuids = match data.get("Ids") {
+        Some(ids) => match ids.as_array() {
+            Some(ids) => ids.iter().filter_map(Value::as_str),
+            None => err!("Posted ids field is not an array"),
+        },
+        None => err!("Request missing ids field"),
+    };
+
+    for uuid in uuids {
+        if let error @ Err(_) = _delete_cipher_by_uuid(uuid, &headers, &conn, soft_delete, &nt) {
+            return error;
+        };
+    }
+
+    Ok(())
+}
+
+fn _restore_cipher_by_uuid(uuid: &str, headers: &Headers, conn: &DbConn, nt: &Notify) -> EmptyResult {
+    let mut cipher = match Cipher::find_by_uuid(&uuid, &conn) {
+        Some(cipher) => cipher,
+        None => err!("Cipher doesn't exist"),
+    };
+
+    if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn) {
+        err!("Cipher can't be restored by user")
+    }
+
+    cipher.deleted_at = None;
+    cipher.save(&conn)?;
+
+    nt.send_cipher_update(UpdateType::CipherUpdate, &cipher, &cipher.update_users_revision(&conn));
+    Ok(())
+}
+
+fn _restore_multiple_ciphers(data: JsonUpcase<Value>, headers: Headers, conn: DbConn, nt: Notify) -> EmptyResult {
+    let data: Value = data.into_inner().data;
+
+    let uuids = match data.get("Ids") {
+        Some(ids) => match ids.as_array() {
+            Some(ids) => ids.iter().filter_map(Value::as_str),
+            None => err!("Posted ids field is not an array"),
+        },
+        None => err!("Request missing ids field"),
+    };
+
+    for uuid in uuids {
+        if let error @ Err(_) = _restore_cipher_by_uuid(uuid, &headers, &conn, &nt) {
+            return error;
+        };
+    }
+
    Ok(())
 }

--- a/src/api/core/folders.rs
+++ b/src/api/core/folders.rs
@ -1,15 +1,13 @@
 use rocket_contrib::json::Json;
 use serde_json::Value;

-use crate::db::models::*;
-use crate::db::DbConn;
+use crate::{
+    api::{EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType},
+    auth::Headers,
+    db::{models::*, DbConn},
+};

-use crate::api::{EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType};
-use crate::auth::Headers;
-
-use rocket::Route;
-
-pub fn routes() -> Vec<Route> {
+pub fn routes() -> Vec<rocket::Route> {
    routes![
        get_folders,
        get_folder,
@ -50,7 +48,6 @@ fn get_folder(uuid: String, headers: Headers, conn: DbConn) -> JsonResult {

 #[derive(Deserialize)]
 #[allow(non_snake_case)]
-
 pub struct FolderData {
    pub Name: String,
 }
@ -59,7 +56,7 @@ pub struct FolderData {
 fn post_folders(data: JsonUpcase<FolderData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
    let data: FolderData = data.into_inner().data;

-    let mut folder = Folder::new(headers.user.uuid.clone(), data.Name);
+    let mut folder = Folder::new(headers.user.uuid, data.Name);

    folder.save(&conn)?;
    nt.send_folder_update(UpdateType::FolderCreate, &folder);
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -2,7 +2,7 @@ mod accounts;
 mod ciphers;
 mod folders;
 mod organizations;
-pub(crate) mod two_factor;
+pub mod two_factor;

 pub fn routes() -> Vec<Route> {
    let mut mod_routes = routes![
@ -29,14 +29,15 @@ pub fn routes() -> Vec<Route> {
 // Move this somewhere else
 //
 use rocket::Route;
-
 use rocket_contrib::json::Json;
 use serde_json::Value;

-use crate::api::{EmptyResult, JsonResult, JsonUpcase};
-use crate::auth::Headers;
-use crate::db::DbConn;
-use crate::error::Error;
+use crate::{
+    api::{EmptyResult, JsonResult, JsonUpcase},
+    auth::Headers,
+    db::DbConn,
+    error::Error,
+};

 #[put("/devices/identifier/<uuid>/clear-token")]
 fn clear_device_token(uuid: String) -> EmptyResult {
@ -81,6 +82,10 @@ const GLOBAL_DOMAINS: &str = include_str!("../../static/global_domains.json");

 #[get("/settings/domains")]
 fn get_eq_domains(headers: Headers) -> JsonResult {
+    _get_eq_domains(headers, false)
+}
+
+fn _get_eq_domains(headers: Headers, no_excluded: bool) -> JsonResult {
    let user = headers.user;
    use serde_json::from_str;

@ -93,6 +98,10 @@ fn get_eq_domains(headers: Headers) -> JsonResult {
        global.Excluded = excluded_globals.contains(&global.Type);
    }

+    if no_excluded {
+        globals.retain(|g| !g.Excluded);
+    }
+
    Ok(Json(json!({
        "EquivalentDomains": equivalent_domains,
        "GlobalEquivalentDomains": globals,
@ -138,10 +147,12 @@ fn hibp_breach(username: String) -> JsonResult {
        username
    );

-    use reqwest::{header::USER_AGENT, Client};
+    use reqwest::{blocking::Client, header::USER_AGENT};

    if let Some(api_key) = crate::CONFIG.hibp_api_key() {
-        let res = Client::new()
+        let hibp_client = Client::builder().build()?;
+
+        let res = hibp_client
            .get(&url)
            .header(USER_AGENT, user_agent)
            .header("hibp-api-key", api_key)
@ -156,9 +167,17 @@ fn hibp_breach(username: String) -> JsonResult {
        Ok(Json(value))
    } else {
        Ok(Json(json!([{
-            "title": "--- Error! ---",
-            "description": "HaveIBeenPwned API key not set! Go to https://haveibeenpwned.com/API/Key",
-            "logopath": "/bwrs_static/error-x.svg"
+            "Name": "HaveIBeenPwned",
+            "Title": "Manual HIBP Check",
+            "Domain": "haveibeenpwned.com",
+            "BreachDate": "2019-08-18T00:00:00Z",
+            "AddedDate": "2019-08-18T00:00:00Z",
+            "Description": format!("Go to: <a href=\"https://haveibeenpwned.com/account/{account}\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/account/{account}</a> for a manual check.<br/><br/>HaveIBeenPwned API key not set!<br/>Go to <a href=\"https://haveibeenpwned.com/API/Key\" target=\"_blank\" rel=\"noopener\">https://haveibeenpwned.com/API/Key</a> to purchase an API key from HaveIBeenPwned.<br/><br/>", account=username),
+            "LogoPath": "bwrs_static/hibp.png",
+            "PwnCount": 0,
+            "DataClasses": [
+                "Error - No API key set!"
+            ]
        }])))
    }
 }
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -1,16 +1,14 @@
-use rocket::request::Form;
-use rocket::Route;
+use num_traits::FromPrimitive;
+use rocket::{request::Form, Route};
 use rocket_contrib::json::Json;
 use serde_json::Value;

-use crate::api::{
-    EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData, UpdateType,
+use crate::{
+    api::{EmptyResult, JsonResult, JsonUpcase, JsonUpcaseVec, Notify, NumberOrString, PasswordData, UpdateType},
+    auth::{decode_invite, AdminHeaders, Headers, OwnerHeaders, ManagerHeaders, ManagerHeadersLoose},
+    db::{models::*, DbConn},
+    mail, CONFIG,
 };
-use crate::auth::{decode_invite, AdminHeaders, Headers, OwnerHeaders};
-use crate::db::models::*;
-use crate::db::DbConn;
-use crate::mail;
-use crate::CONFIG;

 pub fn routes() -> Vec<Route> {
    routes![
@ -45,6 +43,11 @@ pub fn routes() -> Vec<Route> {
        delete_user,
        post_delete_user,
        post_org_import,
+        list_policies,
+        list_policies_token,
+        get_policy,
+        put_policy,
+        get_plans,
    ]
 }

@ -74,10 +77,14 @@ struct NewCollectionData {

 #[post("/organizations", data = "<data>")]
 fn create_organization(headers: Headers, data: JsonUpcase<OrgData>, conn: DbConn) -> JsonResult {
+    if !CONFIG.is_org_creation_allowed(&headers.user.email) {
+        err!("User not allowed to create organizations")
+    }
+
    let data: OrgData = data.into_inner().data;

    let org = Organization::new(data.Name, data.BillingEmail);
-    let mut user_org = UserOrganization::new(headers.user.uuid.clone(), org.uuid.clone());
+    let mut user_org = UserOrganization::new(headers.user.uuid, org.uuid.clone());
    let collection = Collection::new(org.uuid.clone(), data.CollectionName);

    user_org.akey = data.Key;
@ -210,7 +217,7 @@ fn get_org_collections(org_id: String, _headers: AdminHeaders, conn: DbConn) ->
 #[post("/organizations/<org_id>/collections", data = "<data>")]
 fn post_organization_collections(
    org_id: String,
-    _headers: AdminHeaders,
+    headers: ManagerHeadersLoose,
    data: JsonUpcase<NewCollectionData>,
    conn: DbConn,
 ) -> JsonResult {
@ -221,9 +228,22 @@ fn post_organization_collections(
        None => err!("Can't find organization details"),
    };

-    let collection = Collection::new(org.uuid.clone(), data.Name);
+    // Get the user_organization record so that we can check if the user has access to all collections.
+    let user_org = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
+        Some(u) => u,
+        None => err!("User is not part of organization"),
+    };
+
+    let collection = Collection::new(org.uuid, data.Name);
    collection.save(&conn)?;

+    // If the user doesn't have access to all collections, only in case of a Manger,
+    // then we need to save the creating user uuid (Manager) to the users_collection table.
+    // Else the user will not have access to his own created collection.
+    if !user_org.access_all {
+        CollectionUser::save(&headers.user.uuid, &collection.uuid, false, false, &conn)?;
+    }
+
    Ok(Json(collection.to_json()))
 }

@ -231,7 +251,7 @@ fn post_organization_collections(
 fn put_organization_collection_update(
    org_id: String,
    col_id: String,
-    headers: AdminHeaders,
+    headers: ManagerHeaders,
    data: JsonUpcase<NewCollectionData>,
    conn: DbConn,
 ) -> JsonResult {
@ -242,7 +262,7 @@ fn put_organization_collection_update(
 fn post_organization_collection_update(
    org_id: String,
    col_id: String,
-    _headers: AdminHeaders,
+    _headers: ManagerHeaders,
    data: JsonUpcase<NewCollectionData>,
    conn: DbConn,
 ) -> JsonResult {
@ -262,7 +282,7 @@ fn post_organization_collection_update(
        err!("Collection is not owned by organization");
    }

-    collection.name = data.Name.clone();
+    collection.name = data.Name;
    collection.save(&conn)?;

    Ok(Json(collection.to_json()))
@ -310,7 +330,7 @@ fn post_organization_collection_delete_user(
 }

 #[delete("/organizations/<org_id>/collections/<col_id>")]
-fn delete_organization_collection(org_id: String, col_id: String, _headers: AdminHeaders, conn: DbConn) -> EmptyResult {
+fn delete_organization_collection(org_id: String, col_id: String, _headers: ManagerHeaders, conn: DbConn) -> EmptyResult {
    match Collection::find_by_uuid(&col_id, &conn) {
        None => err!("Collection not found"),
        Some(collection) => {
@ -334,7 +354,7 @@ struct DeleteCollectionData {
 fn post_organization_collection_delete(
    org_id: String,
    col_id: String,
-    headers: AdminHeaders,
+    headers: ManagerHeaders,
    _data: JsonUpcase<DeleteCollectionData>,
    conn: DbConn,
 ) -> EmptyResult {
@ -342,7 +362,7 @@ fn post_organization_collection_delete(
 }

 #[get("/organizations/<org_id>/collections/<coll_id>/details")]
-fn get_org_collection_detail(org_id: String, coll_id: String, headers: AdminHeaders, conn: DbConn) -> JsonResult {
+fn get_org_collection_detail(org_id: String, coll_id: String, headers: ManagerHeaders, conn: DbConn) -> JsonResult {
    match Collection::find_by_uuid_and_user(&coll_id, &headers.user.uuid, &conn) {
        None => err!("Collection not found"),
        Some(collection) => {
@ -356,7 +376,7 @@ fn get_org_collection_detail(org_id: String, coll_id: String, headers: AdminHead
 }

 #[get("/organizations/<org_id>/collections/<coll_id>/users")]
-fn get_collection_users(org_id: String, coll_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+fn get_collection_users(org_id: String, coll_id: String, _headers: ManagerHeaders, conn: DbConn) -> JsonResult {
    // Get org and collection, check that collection is from org
    let collection = match Collection::find_by_uuid_and_org(&coll_id, &org_id, &conn) {
        None => err!("Collection not found in Organization"),
@ -369,7 +389,7 @@ fn get_collection_users(org_id: String, coll_id: String, _headers: AdminHeaders,
        .map(|col_user| {
            UserOrganization::find_by_user_and_org(&col_user.user_uuid, &org_id, &conn)
                .unwrap()
-                .to_json_collection_user_details(col_user.read_only)
+                .to_json_user_access_restrictions(&col_user)
        })
        .collect();

@ -381,7 +401,7 @@ fn put_collection_users(
    org_id: String,
    coll_id: String,
    data: JsonUpcaseVec<CollectionData>,
-    _headers: AdminHeaders,
+    _headers: ManagerHeaders,
    conn: DbConn,
 ) -> EmptyResult {
    // Get org and collection, check that collection is from org
@ -403,7 +423,9 @@ fn put_collection_users(
            continue;
        }

-        CollectionUser::save(&user.user_uuid, &coll_id, d.ReadOnly, &conn)?;
+        CollectionUser::save(&user.user_uuid, &coll_id,
+                             d.ReadOnly, d.HidePasswords,
+                             &conn)?;
    }

    Ok(())
@ -431,7 +453,7 @@ fn get_org_details(data: Form<OrgIdData>, headers: Headers, conn: DbConn) -> Jso
 }

 #[get("/organizations/<org_id>/users")]
-fn get_org_users(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+fn get_org_users(org_id: String, _headers: ManagerHeadersLoose, conn: DbConn) -> JsonResult {
    let users = UserOrganization::find_by_org(&org_id, &conn);
    let users_json: Vec<Value> = users.iter().map(|c| c.to_json_user_details(&conn)).collect();

@ -447,6 +469,7 @@ fn get_org_users(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonRe
 struct CollectionData {
    Id: String,
    ReadOnly: bool,
+    HidePasswords: bool,
 }

 #[derive(Deserialize)]
@ -480,7 +503,11 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
        let user = match User::find_by_mail(&email, &conn) {
            None => {
                if !CONFIG.invitations_allowed() {
-                    err!(format!("User email does not exist: {}", email))
+                    err!(format!("User does not exist: {}", email))
+                }
+
+                if !CONFIG.is_email_domain_allowed(&email) {
+                    err!("Email domain not eligible for invitations")
                }

                if !CONFIG.mail_enabled() {
@ -514,7 +541,9 @@ fn send_invite(org_id: String, data: JsonUpcase<InviteData>, headers: AdminHeade
                match Collection::find_by_uuid_and_org(&col.Id, &org_id, &conn) {
                    None => err!("Collection not found in Organization"),
                    Some(collection) => {
-                        CollectionUser::save(&user.uuid, &collection.uuid, col.ReadOnly, &conn)?;
+                        CollectionUser::save(&user.uuid, &collection.uuid,
+                                             col.ReadOnly, col.HidePasswords,
+                                             &conn)?;
                    }
                }
            }
@ -581,7 +610,7 @@ fn reinvite_user(org_id: String, user_org: String, headers: AdminHeaders, conn:
            Some(headers.user.email),
        )?;
    } else {
-        let invitation = Invitation::new(user.email.clone());
+        let invitation = Invitation::new(user.email);
        invitation.save(&conn)?;
    }

@ -769,7 +798,9 @@ fn edit_user(
            match Collection::find_by_uuid_and_org(&col.Id, &org_id, &conn) {
                None => err!("Collection not found in Organization"),
                Some(collection) => {
-                    CollectionUser::save(&user_to_edit.user_uuid, &collection.uuid, col.ReadOnly, &conn)?;
+                    CollectionUser::save(&user_to_edit.user_uuid, &collection.uuid,
+                                         col.ReadOnly, col.HidePasswords,
+                                         &conn)?;
                }
            }
        }
@ -830,22 +861,13 @@ struct RelationsData {
 fn post_org_import(
    query: Form<OrgIdData>,
    data: JsonUpcase<ImportData>,
-    headers: Headers,
+    headers: AdminHeaders,
    conn: DbConn,
    nt: Notify,
 ) -> EmptyResult {
    let data: ImportData = data.into_inner().data;
    let org_id = query.into_inner().organization_id;

-    let org_user = match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) {
-        Some(user) => user,
-        None => err!("User is not part of the organization"),
-    };
-
-    if org_user.atype < UserOrgType::Admin {
-        err!("Only admins or owners can import into an organization")
-    }
-
    // Read and create the collections
    let collections: Vec<_> = data
        .Collections
@ -866,6 +888,8 @@ fn post_org_import(
        relations.push((relation.Key, relation.Value));
    }

+    let headers: Headers = headers.into();
+
    // Read and create the ciphers
    let ciphers: Vec<_> = data
        .Ciphers
@ -901,3 +925,135 @@ fn post_org_import(
    let mut user = headers.user;
    user.update_revision(&conn)
 }
+
+#[get("/organizations/<org_id>/policies")]
+fn list_policies(org_id: String, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let policies = OrgPolicy::find_by_org(&org_id, &conn);
+    let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect();
+
+    Ok(Json(json!({
+        "Data": policies_json,
+        "Object": "list",
+        "ContinuationToken": null
+    })))
+}
+
+#[get("/organizations/<org_id>/policies/token?<token>")]
+fn list_policies_token(org_id: String, token: String, conn: DbConn) -> JsonResult {
+    let invite = crate::auth::decode_invite(&token)?;
+
+    let invite_org_id = match invite.org_id {
+        Some(invite_org_id) => invite_org_id,
+        None => err!("Invalid token"),
+    };
+
+    if invite_org_id != org_id {
+        err!("Token doesn't match request organization");
+    }
+
+    // TODO: We receive the invite token as ?token=<>, validate it contains the org id
+    let policies = OrgPolicy::find_by_org(&org_id, &conn);
+    let policies_json: Vec<Value> = policies.iter().map(OrgPolicy::to_json).collect();
+
+    Ok(Json(json!({
+        "Data": policies_json,
+        "Object": "list",
+        "ContinuationToken": null
+    })))
+}
+
+#[get("/organizations/<org_id>/policies/<pol_type>")]
+fn get_policy(org_id: String, pol_type: i32, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let pol_type_enum = match OrgPolicyType::from_i32(pol_type) {
+        Some(pt) => pt,
+        None => err!("Invalid policy type"),
+    };
+
+    let policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) {
+        Some(p) => p,
+        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),
+    };
+
+    Ok(Json(policy.to_json()))
+}
+
+#[derive(Deserialize)]
+struct PolicyData {
+    enabled: bool,
+    #[serde(rename = "type")]
+    _type: i32,
+    data: Value,
+}
+
+#[put("/organizations/<org_id>/policies/<pol_type>", data = "<data>")]
+fn put_policy(org_id: String, pol_type: i32, data: Json<PolicyData>, _headers: AdminHeaders, conn: DbConn) -> JsonResult {
+    let data: PolicyData = data.into_inner();
+
+    let pol_type_enum = match OrgPolicyType::from_i32(pol_type) {
+        Some(pt) => pt,
+        None => err!("Invalid policy type"),
+    };
+
+    let mut policy = match OrgPolicy::find_by_org_and_type(&org_id, pol_type, &conn) {
+        Some(p) => p,
+        None => OrgPolicy::new(org_id, pol_type_enum, "{}".to_string()),
+    };
+
+    policy.enabled = data.enabled;
+    policy.data = serde_json::to_string(&data.data)?;
+    policy.save(&conn)?;
+
+    Ok(Json(policy.to_json()))
+}
+
+#[get("/plans")]
+fn get_plans(_headers: Headers, _conn: DbConn) -> JsonResult {
+    Ok(Json(json!({
+        "Object": "list",
+        "Data": [
+        {
+            "Object": "plan",
+            "Type": 0,
+            "Product": 0,
+            "Name": "Free",
+            "IsAnnual": false,
+            "NameLocalizationKey": "planNameFree",
+            "DescriptionLocalizationKey": "planDescFree",
+            "CanBeUsedByBusiness": false,
+            "BaseSeats": 2,
+            "BaseStorageGb": null,
+            "MaxCollections": 2,
+            "MaxUsers": 2,
+            "HasAdditionalSeatsOption": false,
+            "MaxAdditionalSeats": null,
+            "HasAdditionalStorageOption": false,
+            "MaxAdditionalStorage": null,
+            "HasPremiumAccessOption": false,
+            "TrialPeriodDays": null,
+            "HasSelfHost": false,
+            "HasPolicies": false,
+            "HasGroups": false,
+            "HasDirectory": false,
+            "HasEvents": false,
+            "HasTotp": false,
+            "Has2fa": false,
+            "HasApi": false,
+            "HasSso": false,
+            "UsersGetPremium": false,
+            "UpgradeSortOrder": -1,
+            "DisplaySortOrder": -1,
+            "LegacyYear": null,
+            "Disabled": false,
+            "StripePlanId": null,
+            "StripeSeatPlanId": null,
+            "StripeStoragePlanId": null,
+            "StripePremiumAccessPlanId": null,
+            "BasePrice": 0.0,
+            "SeatPrice": 0.0,
+            "AdditionalStoragePricePerGb": 0.0,
+            "PremiumAccessOptionPrice": 0.0
+            }
+        ],
+        "ContinuationToken": null
+    })))
+}
--- a/src/api/core/two_factor/authenticator.rs
+++ b/src/api/core/two_factor/authenticator.rs
@ -2,15 +2,20 @@ use data_encoding::BASE32;
 use rocket::Route;
 use rocket_contrib::json::Json;

-use crate::api::core::two_factor::_generate_recover_code;
-use crate::api::{EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData};
-use crate::auth::Headers;
-use crate::crypto;
-use crate::db::{
-    models::{TwoFactor, TwoFactorType},
-    DbConn,
+use crate::{
+    api::{
+        core::two_factor::_generate_recover_code, EmptyResult, JsonResult, JsonUpcase, NumberOrString, PasswordData,
+    },
+    auth::{ClientIp, Headers},
+    crypto,
+    db::{
+        models::{TwoFactor, TwoFactorType},
+        DbConn,
+    },
 };

+pub use crate::config::CONFIG;
+
 pub fn routes() -> Vec<Route> {
    routes![
        generate_authenticator,
@ -18,6 +23,7 @@ pub fn routes() -> Vec<Route> {
        activate_authenticator_put,
    ]
 }
+
 #[post("/two-factor/get-authenticator", data = "<data>")]
 fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
    let data: PasswordData = data.into_inner().data;
@ -51,7 +57,12 @@ struct EnableAuthenticatorData {
 }

 #[post("/two-factor/authenticator", data = "<data>")]
-fn activate_authenticator(data: JsonUpcase<EnableAuthenticatorData>, headers: Headers, conn: DbConn) -> JsonResult {
+fn activate_authenticator(
+    data: JsonUpcase<EnableAuthenticatorData>,
+    headers: Headers,
+    ip: ClientIp,
+    conn: DbConn,
+) -> JsonResult {
    let data: EnableAuthenticatorData = data.into_inner().data;
    let password_hash = data.MasterPasswordHash;
    let key = data.Key;
@ -73,14 +84,10 @@ fn activate_authenticator(data: JsonUpcase<EnableAuthenticatorData>, headers: He
        err!("Invalid key length")
    }

-    let type_ = TwoFactorType::Authenticator;
-    let twofactor = TwoFactor::new(user.uuid.clone(), type_, key.to_uppercase());
-
-    // Validate the token provided with the key
-    validate_totp_code(token, &twofactor.data)?;
+    // Validate the token provided with the key, and save new twofactor
+    validate_totp_code(&user.uuid, token, &key.to_uppercase(), &ip, &conn)?;

    _generate_recover_code(&mut user, &conn);
-    twofactor.save(&conn)?;

    Ok(Json(json!({
        "Enabled": true,
@ -90,31 +97,88 @@ fn activate_authenticator(data: JsonUpcase<EnableAuthenticatorData>, headers: He
 }

 #[put("/two-factor/authenticator", data = "<data>")]
-fn activate_authenticator_put(data: JsonUpcase<EnableAuthenticatorData>, headers: Headers, conn: DbConn) -> JsonResult {
-    activate_authenticator(data, headers, conn)
+fn activate_authenticator_put(
+    data: JsonUpcase<EnableAuthenticatorData>,
+    headers: Headers,
+    ip: ClientIp,
+    conn: DbConn,
+) -> JsonResult {
+    activate_authenticator(data, headers, ip, conn)
 }

-pub fn validate_totp_code_str(totp_code: &str, secret: &str) -> EmptyResult {
+pub fn validate_totp_code_str(
+    user_uuid: &str,
+    totp_code: &str,
+    secret: &str,
+    ip: &ClientIp,
+    conn: &DbConn,
+) -> EmptyResult {
    let totp_code: u64 = match totp_code.parse() {
        Ok(code) => code,
        _ => err!("TOTP code is not a number"),
    };

-    validate_totp_code(totp_code, secret)
+    validate_totp_code(user_uuid, totp_code, secret, ip, &conn)
 }

-pub fn validate_totp_code(totp_code: u64, secret: &str) -> EmptyResult {
-    use oath::{totp_raw_now, HashType};
+pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, ip: &ClientIp, conn: &DbConn) -> EmptyResult {
+    use oath::{totp_raw_custom_time, HashType};

    let decoded_secret = match BASE32.decode(secret.as_bytes()) {
        Ok(s) => s,
        Err(_) => err!("Invalid TOTP secret"),
    };

-    let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
-    if generated != totp_code {
-        err!("Invalid TOTP code");
+    let mut twofactor = match TwoFactor::find_by_user_and_type(&user_uuid, TwoFactorType::Authenticator as i32, &conn) {
+        Some(tf) => tf,
+        _ => TwoFactor::new(user_uuid.to_string(), TwoFactorType::Authenticator, secret.to_string()),
+    };
+
+    // Get the current system time in UNIX Epoch (UTC)
+    let current_time = chrono::Utc::now();
+    let current_timestamp = current_time.timestamp();
+
+    // The amount of steps back and forward in time
+    // Also check if we need to disable time drifted TOTP codes.
+    // If that is the case, we set the steps to 0 so only the current TOTP is valid.
+    let steps: i64 = if CONFIG.authenticator_disable_time_drift() { 0 } else { 1 };
+
+    for step in -steps..=steps {
+        let time_step = current_timestamp / 30i64 + step;
+        // We need to calculate the time offsite and cast it as an i128.
+        // Else we can't do math with it on a default u64 variable.
+        let time = (current_timestamp + step * 30i64) as u64;
+        let generated = totp_raw_custom_time(&decoded_secret, 6, 0, 30, time, &HashType::SHA1);
+
+        // Check the the given code equals the generated and if the time_step is larger then the one last used.
+        if generated == totp_code && time_step > twofactor.last_used as i64 {
+            // If the step does not equals 0 the time is drifted either server or client side.
+            if step != 0 {
+                info!("TOTP Time drift detected. The step offset is {}", step);
+            }
+
+            // Save the last used time step so only totp time steps higher then this one are allowed.
+            // This will also save a newly created twofactor if the code is correct.
+            twofactor.last_used = time_step as i32;
+            twofactor.save(&conn)?;
+            return Ok(());
+        } else if generated == totp_code && time_step <= twofactor.last_used as i64 {
+            warn!(
+                "This or a TOTP code within {} steps back and forward has already been used!",
+                steps
+            );
+            err!(format!(
+                "Invalid TOTP code! Server time: {} IP: {}",
+                current_time.format("%F %T UTC"),
+                ip.ip
+            ));
+        }
    }

-    Ok(())
+    // Else no valide code received, deny access
+    err!(format!(
+        "Invalid TOTP code! Server time: {} IP: {}",
+        current_time.format("%F %T UTC"),
+        ip.ip
+    ));
 }
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`ALTER TABLE twofactor ADD COLUMN last_used INTEGER NOT NULL DEFAULT 0;`
				`@ -0,0 +1 @@`
				`ALTER TABLE users ADD COLUMN enabled BOOLEAN NOT NULL DEFAULT 1;`
				`@ -0,0 +1 @@`
				`ALTER TABLE users ADD COLUMN stamp_exception TEXT DEFAULT NULL;`