Releases: dani-garcia/vaultwarden

1.14.1

21 Mar 17:59
94341f9
  • Added support for organization policies
  • Added support for cloning ciphers
  • Update web vault to version 2.13
  • Allow the SMTP login mechanism to be provided without quotes or initial uppercase
  • Updated dependencies
  • Make panics loggable
  • Fix errors when importing into an org or accepting invites

1.14

13 Mar 16:11
70f3ab8
  • Added support for running on a subpath; simply add the subpath to the DOMAIN variable: DOMAIN=https://example.com/custom-path
  • Attachment size limits, per-user and per-organization: set USER_ATTACHMENT_LIMIT or ORG_ATTACHMENT_LIMIT to a value in kilobytes to apply it.
  • Updated U2F library which might solve some U2F certificate errors.
  • Added SMTP test button in the admin page.
  • Use web vault built by docker autobuild, using the hash to reference the image for extra security

  • Now accepting y/n, True/False, 1/0 as config options that are booleans.
  • Fixed the "Unique constraint violation" error when using Two Factor and Postgres.
  • Fixed an error with can_signup_user that prevented changing the email address.
  • Don't error if admin token is empty but disabled
  • Now email domains are converted to punycode before sending
  • Enable icons to be cached in the clients
  • Added option to change invitation org name
  • Enabled the sending of invitations from the admin panel, even when disabled
  • Dependency updates

1.13.1

05 Jan 17:06
59e50b0
  • New collapsed log messaging, filtering the useless stuff like static file accesses and removing duplicate error messages. To get a more complete logging, use a LOG_LEVEL value of debug or trace.
  • Fix crash when cipher page points to huge file
  • Added config option to change the client IP header, IP_HEADER; by default it's X-Client-IP for backwards compat reasons.
  • Printed current server time when failing TOTP, for easy debugging
  • Protected websockets server against panics
  • Add a logout button on the admin page
  • Add endpoint to delete specific U2F key
  • Updated dependencies

1.13.0

30 Nov 14:28
1e22422
  • Implemented email verification. To disable users until the email is verified you can use SIGNUPS_VERIFY=true; the default is false. There are also options to control verification mail resending, check the .env.template file.
  • Also implemented welcome email, change email confirmation and account deletion confirmation.
  • Modified icon parsing to accept favicons using DataURLs
  • Updated dependencies

1.12.0

20 Nov 18:11
cbadf00
  • Improved error message when HIBP key is not set, include a link to the page.
  • Added check for both the previous and next timeslots in TOTP, which is more forgiving of time mismatches (1.5 minutes now vs 30 seconds before). It can be disabled by setting AUTHENTICATOR_DISABLE_TIME_DRIFT=true.
  • Made the domain icon blacklist be cached, improving performance.
  • Recovery codes are now generated when adding email and Duo 2FA.
  • Removed MySQL libraries from SQLite images.
  • Added configurable SMTP timeout, and reduced the default to 15 seconds.
  • Updated images to be able to be built with Podman.
  • Added option to allow signups from specific domains only (SIGNUPS_DOMAINS_WHITELIST=domain.com,example.org).
  • Updated web vault to fix twofactorauth.org integration.
  • Updated dependencies

1.11.0

08 Oct 17:31
b4b62c2

Important note: If you are using the old mprasil/bitwarden image, you need to migrate to the newer bitwardenrs/server to access the new releases, the images are compatible so you can follow the instructions on updating the image from the wiki.

  • Initial support for PostgreSQL! 🎉 Currently still a bit untested and without docker images
    • To compile enable the postgresql feature (cargo build --features="postgresql")
    • Currently there are no migration guides available, but check the previous release for some tips about migrating to MySQL
  • Added new icon blacklisting option, to block all non global IPs (ICON_BLACKLIST_NON_GLOBAL_IPS)
  • Added SQLite binary in the SQLite images, to enable backup option
  • Admin page scripts are loaded locally instead of using a CDN
  • Added CORS support
  • Added docker healthcheck
  • Added email 2FA
  • Updated web vault to 2.12.0

1.10.0

27 Aug 19:07
2c2276c

This is a big one!

Important note: If you are using the old mprasil/bitwarden image, you need to migrate to the newer bitwardenrs/server to access the new releases, the images are compatible so you can follow the instructions on updating the image from the wiki.

MySQL Support! 🎉

  • To enable you need to use the bitwardenrs/server-mysql image, instead of the current one.
  • If you are self compiling, enable the mysql feature (cargo build --features="mysql")
  • A SQLite -> MySQL migration requires manual steps, the short version is:

Other stuff

  • Added backup option in the admin panel for the SQLite backend, remember to transfer those copies to separate drives!
  • Updated HaveIBeenPwned API to V3, which requires a paid API key: https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/
  • Added option in admin panel to remove a user's two factor authentication, in case of loss or bug
  • Allowed explicitly defining the SMTP authentication mechanism
  • Added notification email when a user logs in on a new device
  • Updated web vault to 2.11.0
  • Added proxy support for the icon fetching service
  • Other bug fixes

1.9.1

01 Jun 21:28
08a445e
  • Fixed broken U2F in Chrome 74+
  • Added images to email
  • Updated dependencies

1.9.0

27 Apr 18:21
21325b7
  • Duo is now available as a 2FA option, both configurable globally and per-user
    • To enable it globally, check the .env template, and then leave the fields empty when enabling it per-user.
  • Updated web vault to 2.10.0
  • Added option to control the log level: LOG_LEVEL
    • Valid values from more to less noisy are "trace", "debug", "info", "warn", "error" and "off"
  • Now there is no need to compile the application a different way to enable syslog support, simply set USE_SYSLOG to true.
  • Now DATA_FOLDER affects CONFIG_FILE when set through the environment
  • Improved endpoints for Admin API
  • Other fixes

1.8.0

23 Mar 18:57
349cb33
  • Secrets are now hidden by default in the admin panel.
  • Now the version is shown in the top right corner of the admin page.
  • Read only settings are also shown in the admin panel, but not editable.
  • Added option to admin panel to force resync users, useful after restoring an old backup.
  • Implemented multiple U2F support, with custom names and compromised checks.
  • Emails now also include an HTML version next to the plaintext version. It's up to the email clients which one to show now.
  • Updated vault to 2.9.0
  • Implemented constant time comparison for admin password and two factor remember and recover tokens.
  • Added more config options:
    • Icon download timeout
    • Hide routes mount points, enabled by default
    • Disable WAL (not recommended, only for network filesystems that have problems with WAL enabled)
    • Disable Admin token (unsafe, only use when behind another authentication scheme).
    • Use wrapped TLS for email, when STARTTLS doesn't work.
    • Icon downloader domain blacklist, to block anything that might be sensitive, like other servers in the local network.
  • Updated dependencies and fixed minor bugs