1.30.1

This is a minor release to fix some issues with the Login with device feature, and restore the alpine docker tag that was missing on the latest release.

⚠️ Note: The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don't require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It's recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won't receive new features and will be removed in a future release.

What's Changed

• Fix missing alpine tag during buildx bake by @BlackDex in #4043
• Disable autofill-v2 by @BlackDex in #4056
• Add Protected Actions Check by @BlackDex in #4067
• Update crates by @BlackDex in #4074

Full Changelog: 1.30.0...1.30.1

1.30.0

⚠️ Note: The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don't require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It's recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won't receive new features and will be removed in a future release.

Major changes and New Features

• Added passkey support, allowing the browser extensions to store and use your passkeys, make sure the extension is updated to version 2023.10.0 or newer for passkey support.
• Updated web vault to 2023.10.0.
• Fixed crashes in ARMv6 devices
• Fixed crashes when trying to create/edit a cipher in the mobile applications.

What's Changed

• Update Rust and Crates by @BlackDex in #3808
• update web-vault to v2023.8.2 by @stefan0xC in #3821
• Fix Login With Device without MasterPassword by @BlackDex in #3831
• Update GitHub Workflow by @BlackDex in #3910
• Fix arm builds by @BlackDex in #3911
• Fix typos by @tuhanayim in #3959
• csp: rename anonaddy.com to addy.io by @stefan0xC in #3950
• filter handlebars logs by @stefan0xC in #3859
• Remove unnecessary variable clone by @mvalois in #3981
• README.md: Fix grammar nit by @AndreasHGK in #3965
• Fix small issues by @BlackDex in #3964
• Adds LastActive on /admin/users API route by @mvalois in #3951
• Reopen log file on SIGHUP by @tobiasmboelz in #3909
• Fix External ID not set during DC Sync by @BlackDex in #3804
• New config option disable email change by @admav in #3986
• 2FA Confirmation Code Email subject line change to fix triggering Google spam blocker by @aureateflux in #3572
• Implement cipher key encryption by @dani-garcia in #3990
• Container building changes by @BlackDex in #3958
• Fix issue with MariaDB/MySQL migrations by @BlackDex in #3994
• feat: Working passkeys storage by @GeekCornerGH in #4025
• ci: add trivy workflow by @mightyBroccoli in #3997
• Fix importing Bitwarden exports by @BlackDex in #4030

New Contributors

• @tuhanayim made their first contribution in #3959
• @mvalois made their first contribution in #3981
• @AndreasHGK made their first contribution in #3965
• @tobiasmboelz made their first contribution in #3909
• @admav made their first contribution in #3986
• @aureateflux made their first contribution in #3572
• @mightyBroccoli made their first contribution in #3997

Full Changelog: 1.29.2...1.30.0

1.29.2

Minor release to fix an issue forcing user to set amaster password when logging in even when it's already set

What's Changed

• Fix .env.template file by @BlackDex in #3734
• Fix UserOrg status during LDAP Import by @BlackDex in #3740
• Update images to Bookworm and PQ15 and Rust v1.71 by @BlackDex in #3573
• Implement "login with device" by @quexten in #3592
• chore: Bump web vault to v2023.7.1 and bump Rust by @GeekCornerGH in #3769
• Optimized Favicon downloading by @BlackDex in #3751
• add UserDecryptionOptions to login response by @stefan0xC in #3813
• add new secretsmanager plan for web-v2023.8.x by @stefan0xC in #3797
• Allow Authorization header for Web Sockets by @BlackDex in #3806
• Update admin interface by @BlackDex in #3730

Full Changelog: 1.29.1...1.29.2

1.29.1

Minor release to fix some issues with organization API key generation when using PostgreSQL

What's Changed

• Fix Org API Key generation on PosgreSQL by @BlackDex in #3678
• feat: Add support for forwardemail by @GeekCornerGH in #3686
• Fix some external_id issues by @BlackDex in #3690
• Remove debug code during attachment download by @BlackDex in #3704

Full Changelog: 1.29.0...1.29.1

1.29.0

Major changes and New Features

• WebSocket notifications now work via the default HTTP port. No need for WEBSOCKET_ENABLED and a separate port anymore.
  The proxy examples still need to be updated for this. Support for the old websockets port 3012 will remain for the time being.
• Mobile Client push notification support, see #3304 thanks @GeekCornerGH!
• Web-Vault updated to v2023.5.0 (v2023.5.1 does not add any improvements for us)
• The latest Bitwarden Directory Connector can be used now (v2022.11.0)
• Storing passkeys is supported, though the clients are not yet released. So, it might be we need to make some changes once they are released.
  See: #3593, thanks @GeekCornerGH!

What's Changed

• check if reset password policy is enabled by @stefan0xC in #3427
• WebSockets via Rocket's Upgrade connection by @BlackDex in #3404
• Several config and admin interface fixes by @BlackDex in #3436
• Fixed missing footer_text and a few inconsistencies in email templates by @kennymc-c in #3439
• Small update to Rocket WebSockets by @BlackDex in #3440
• inline static rsa keys by @vilgotf in #3475
• Update Rust and Crates by @BlackDex in #3469
• Change String to &str for all Rocket functions and some other fixes by @BlackDex in #3491
• Use Rocket v0.5 branch to fix endpoints by @BlackDex in #3502
• Use fully qualified image names in Dockerfile by @gitouche-sur-osm in #3505
• policy data should be null not an empty object by @stefan0xC in #3513
• update web-vault to v2023.4.2 by @stefan0xC in #3522
• Sync global_domains.json (Pinterest) by @jjlin in #3532
• Prevent 401 on main admin page by @BlackDex in #3547
• Update crates and GH Workflow by @BlackDex in #3548
• Fix collection change ws notifications by @BlackDex in #3546
• Update Rust and Crates by @tessus in #3563
• feat: Implement Push Notifications sync by @GeekCornerGH in #3304
• Implement the Organization API Key support for the new Directory Connector v2022 by @BlackDex in #3568
• Add mobile push device filter to non-null push uuid by @quexten in #3578
• Update crates and workflow by @BlackDex in #3603
• Add group import on invite by @farodin91 in #3606
• Fix send access regression by @BlackDex in #3608
• feat: Support for storing passkeys in the vault by @GeekCornerGH in #3593
• add user to collection during creation by @farodin91 in #3609
• Updated docker run command by @DenuxPlays in #3620
• Added-External_id for Collections by @fashberg in #3623
• fix missing password check while manual reset password enrollment by @sirux88 in #3632
• Update crates and small clippy fix by @BlackDex in #3649
• fix version when compiled at a specific commit by @tessus in #3651
• Fix org creation regresion by @BlackDex in #3659

New Contributors

• @kennymc-c made their first contribution in #3439
• @vilgotf made their first contribution in #3475
• @gitouche-sur-osm made their first contribution in #3505
• @quexten made their first contribution in #3578
• @DenuxPlays made their first contribution in #3620
• @fashberg made their first contribution in #3623

Full Changelog: 1.28.1...1.29.0

1.28.1

What's Changed

• Decode knowndevice X-Request-Email as base64url with no padding by @jjlin in #3376
• Fix abort on password reset mail error by @BlackDex in #3390
• support /users/<uuid>/invite/resend admin api by @nikolaevn in #3397
• always return KdfMemory and KdfParallelism by @stefan0xC in #3398
• Fix sending out multiple websocket notifications by @BlackDex in #3405
• Revert setcap, update rust and crates by @BlackDex in #3403

New Contributors

• @nikolaevn made their first contribution in #3397

Full Changelog: 1.28.0...1.28.1

1.28.0

Major changes

• The project has changed license to the AGPLv3. If you're hosting a Vaultwarden instance, you now have a requirement to distribute the Vaultwarden source code to your users if they request it. The source code, and any changes you have made, need to be under the same AGPLv3 license. If you simply use our code without modifications, just pointing them to this repository is enough.
• Added support for Argon2 key derivation on the clients. To enable it for your account, make sure all your clients are using version v2023.2.0 or greater, then go to account settings > security > keys, and change the algorithm from PBKDF2 to Argon2id.
• Added support for Argon2 key derivation for the admin page token. To update your admin token to use it, check the wiki
• New alternative registries for the docker images are available (In BETA for now):
  • Github Container Registry: https://ghcr.io/dani-garcia/vaultwarden
  • Quay: https://quay.io/vaultwarden/server

What's Changed

• Remove patched multer-rs by @manofthepeace in #2968
• Removed unsafe-inline JS from CSP and other fixes by @BlackDex in #3058
• Validate YUBICO_SERVER string (#3003) by @BlackDex in #3059
• Log message to stderr if LOG_FILE is not writable by @pjsier in #3061
• Update WebSocket Notifications by @BlackDex in #3076
• Optimize config loading messages by @BlackDex in #3092
• Percent-encode org_name in links by @am97 in #3093
• Fix failing large note imports by @BlackDex in #3087
• Change text/plain API responses to application/json by @jjlin in #3124
• Remove shrink-to-fit=no from viewport-meta-tag by @redwerkz in #3126
• Update dependencies and MSRV by @BlackDex in #3128
• Resolve uninlined_format_args clippy warnings by @BlackDex in #3065
• Update Rust to v1.66.1 to patch CVE by @BlackDex in #3136
• Fix remaining inline format by @BlackDex in #3130
• Use more modern meta tag for charset encoding by @redwerkz in #3131
• fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory by @GeekCornerGH in #3132
• Optimize CipherSyncData for very large vaults by @BlackDex in #3133
• Add avatar color support by @BlackDex in #3134
• Add MFA icon to org member overview by @BlackDex in #3135
• Minor refactoring concering user.setpassword by @sirux88 in #3139
• Validate note sizes on key-rotation. by @BlackDex in #3157
• Update KDF Configuration and processing by @BlackDex in #3163
• Remove arm32v6-specific tag by @jjlin in #3164
• Re-License Vaultwarden to AGPLv3 by @BlackDex in #2561
• Admin password reset by @sirux88 in #3116
• "Spell-Jacking" mitigation ~ prevent sensitive data leak … by @dlehammer in #3145
• Allow listening on privileged ports (below 1024) as non-root by @jjlin in #3170
• don't nullify key when editing emergency access by @stefan0xC in #3215
• Fix trailing slash not getting removed from domain by @BlockListed in #3228
• Generate distinct log messages for regex vs. IP blacklisting. by @kpfleming in #3231
• allow editing/unhiding by group by @farodin91 in #3108
• Fix Javascript issue on non sqlite databases by @BlackDex in #3167
• add argon2 kdf fields by @tessus in #3210
• add support for system mta though sendmail by @soruh in #3147
• Updated Rust and crates by @BlackDex in #3234
• docs: add build status badge in readme by @R3DRUN3 in #3245
• Validate all needed fields for client API login by @BlackDex in #3251
• Fix Organization delete when groups are configured by @BlackDex in #3252
• Fix Collection Read Only access for groups by @Misterbabou in #3254
• Make the admin session lifetime adjustable by @mittler-works in #3262
• Add function to fetch user by email address by @mittler-works in #3263
• Fix vault item display in org vault view by @jjlin in #3277
• Add confirmation for removing 2FA and deauthing sessions in admin panel by @JCBird1012 in #3282
• Some Admin Interface updates by @BlackDex in #3288
• Fix the web-vault v2023.2.0 API calls by @BlackDex in #3281
• Fix confirmation for removing 2FA and deauthing sessions in admin panel by @dpinse in #3290
• Admin token Argon2 hashing support by @BlackDex in #3289
• Add HEAD routes to avoid spurious error messages by @jjlin in #3307
• Fix web-vault Member UI show/edit/save by @BlackDex in #3315
• Upd Crates, Rust, MSRV, GHA and remove Backtrace by @BlackDex in #3310
• Add support for /api/devices/knowndevice with HTTP header params by @jjlin in #3329
• Update Rust, MSRV and Crates by @BlackDex in #3348
• Merge ClientIp with Headers. by @BlackDex in #3332
• add endpoints to bulk delete collections/groups by @stefan0xC in #3354
• Add support for Quay.io and GHCR.io as registries by @BlackDex in #3363
• Some small fixes and updates by @BlackDex in #3366
• Update web vault to v2023.3.0 by @dani-garcia

New Contributors

• @manofthepeace made their first contribution in #2968
• @pjsier made their first contribution in #3061
• @am97 made their first contribution in #3093
• @redwerkz made their first contribution in #3126
• @sirux88 made their first contribution in #3139
• @dlehammer made their first contribution in #3145
• @BlockListed made their first contribution in #3228
• @kpfleming made their first contribution in #3231
• @farodin91 made their first contribution in #3108
• @soruh made their first contribution in #3147
• @R3DRUN3 made their first contribution in #3245
• @Misterbabou made their first contribution in #3254
• @mittler-works made their first contribution in #3262
• @JCBird1012 made their first contribution in #3282
• @dpinse made their first contribution in #3290

Full Changelog: 1.27.0...1.28.0

1.27.0

New features

Event logs for organizations

With this feature enabled, actions occurring inside an organization will be recorded in a log, viewable by organization admins and owners. Check the official documentation to learn more: https://bitwarden.com/help/event-logs/ (Note that the Public API is not yet implemented, so the events are only viewable in the Web Vault)

To enable this feature, set ORG_EVENTS_ENABLED=true. By default all events will be stored indefinitely, if you want to limit that, you can use the EVENTS_DAYS_RETAIN option. You can also tune the cleanup schedule with EVENT_CLEANUP_SCHEDULE.

Group support (beta)

Enables the creation and use of groups inside an organization. At the moment this is in beta because there are some known issues (#2989). Still, the more this feature is tested, the faster we will be able to stabilize it.

To enable this feature, set ORG_GROUPS_ENABLED=true, make sure to make proper backups of your instance before hand.

What's Changed

• Group support | applied .diff by @MFijak in #2846
• Add Organizational event logging feature by @BlackDex in #2868
• Updated web vault to 2022.12.0 by @dani-garcia
• Update diesel to 2.0.2 by @dani-garcia in #2724
• Limit Cipher Note encrypted string size by @BlackDex in #2945
• fix invitations of new users when mail is disabled by @stefan0xC in #2773
• attach images in email by @stefan0xC in #2784
• allow registration without invite link by @stefan0xC in #2799
• Fix master password hint update not working. by @BlackDex in #2834
• Sync global_domains.json by @jjlin in #2840
• verify email on registration by invite by @stefan0xC in #2804
• Take ROCKET_ADDRESS into account in the Docker healthcheck by @jjlin in #2844
• Update github workflows by @BlackDex in #2852
• feat: Bump web-vault to v2022.10.1 by @GeekCornerGH in #2859
• Update Rust version, deps and workflow by @BlackDex in #2888
• Add /devices/knowndevice endpoint by @BlackDex in #2893
• fix: removed a double space by @GeekCornerGH in #2894
• Support Org Export for v2022.11 clients by @BlackDex in #2899
• Use constant size generic parameter for random bytes generation by @samueltardieu in #2910
• Update config comment to reflect rfc8314. by @skid9000 in #2911
• Set "Bypass admin page security" as read-only by @BlackDex in #2918
• Fully remove DuckDuckGo email service. by @BlackDex in #2919
• Added missing register endpoint to identity by @BlackDex in #2920
• Prevent DNS leak when icon regex is configured by @BlackDex in #2921
• Update settings description by @karbobc in #2928
• allow managers to set groups of a collection by @stefan0xC in #2933
• Update Vaultwarden Logo's by @BlackDex in #2940
• check if sqlite folder exists by @stefan0xC in #2873
• redirect to admin login page when forward fails by @stefan0xC in #2886
• Cleanups and Fixes for Emergency Access by @BlackDex in #2936
• Update dependencies for Rust and Admin interface. by @BlackDex in #2941
• Fix admin repost warning. by @BlackDex in #2953
• Add dev-only query logging support by @BlackDex in #2954
• Fix managers and groups link by @BlackDex in #2947
• use a custom 404 page by @stefan0xC in #2948
• Increase privacy of masked config by @BlackDex in #2963
• Improve comments by @tessus in #2969
• use black favicon for /admin by @tessus in #2970
• Remove ctrlc crate and some updates by @BlackDex in #2971
• Fix org export (again) by @BlackDex in #2973
• Revert collection queries back to left_join by @BlackDex in #2976
• Fix recover-2fa not working. by @BlackDex in #2994
• Disable groups by default and Some optimizations by @BlackDex in #2995
• Fix a panic during Yubikey register/login by @BlackDex in #3006

New Contributors

• @MFijak made their first contribution in #2846
• @GeekCornerGH made their first contribution in #2859
• @samueltardieu made their first contribution in #2910
• @skid9000 made their first contribution in #2911
• @karbobc made their first contribution in #2928
• @tessus made their first contribution in #2969

Full Changelog: 1.26.0...1.27.0

1.26.0

What's Changed

• Updated web vault to v2022.10.0
• Fix uploads from mobile clients (and dep updates) by @BlackDex in #2675
• Update deps and Alpine image by @BlackDex in #2665
• Add support for send v2 API endpoints by @BlackDex in #2756
• External Links | Optimize behavior by @Fvbor in #2693
• Add Org user revoke feature by @BlackDex in #2698
• Change the handling of login errors. by @BlackDex in #2729
• Added support for web-vault v2022.9 by @BlackDex in #2732
• add not_found catcher for 404 errors by @stefan0xC in #2768
• Fix issue 2737, unable to create org by @BlackDex in #2738
• Rename/Fix revoke/restore endpoints by @BlackDex in #2739
• Update CSP for DuckDuckGo email forwarding by @jjlin in #2812
• check if data folder is a writable directory by @stefan0xC in #2811
• Update build workflow by @BlackDex in #2744
• fix: tooltip typo by @djbrownbear in #2746
• Update libraries and Rust version by @BlackDex in #2758
• Fix organization vault export by @BlackDex in #2765
• allow the removal of non-confirmed owners by @stefan0xC in #2772
• v2022.9.2 expects a json response while registering by @stefan0xC in #2803
• make invitation expiration time configurable by @stefan0xC in #2805
• return more descriptive JWT validation messages by @stefan0xC in #2806
• Add CreationDate to cipher response JSON by @jjlin in #2813
• fix link of license badge by @stefan0xC in #2816

New Contributors

• @Fvbor made their first contribution in #2693
• @djbrownbear made their first contribution in #2746
• @stefan0xC made their first contribution in #2768

Full Changelog: 1.25.2...1.26.0

1.25.2

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images will not receive any new updates any longer.

Important

An incompatibility between the format in which some Bitwarden clients upload attachments and sends could lead to those uploads being silently corrupted. We believe this is occurring only when using the mobile clients and only on the latest vaultwarden 1.25.1.
To mitigate this issue, we're releasing this quick patch to make any upload that could lead to a corrupted file explicitly return an error, notifying the user of the problem.
We recommend updating as soon as possible, and checking that any recently uploaded attachments can be downloaded and opened correctly (The corrupted uploads will return an error when downloading or download a very small file).

We've also fixed the docker volume check added in 1.25.1, if you previously needed to set I_REALLY_WANT_VOLATILE_STORAGE=true to start the container, please try again without it, and open an issue if it still won't start.

What's Changed

• Fix persistent folder check within containers by @BlackDex in #2631
• Mitigate attachment/send upload issues by @BlackDex in #2650
• Fix issue with CSP and icon redirects by @BlackDex in #2624
• Update build workflow for CI by @BlackDex in #2632

Full Changelog: 1.25.1...1.25.2