Fix trailing slash not getting removed from domain #3228

Merged
merged 8 commits into from
Feb 12, 2023

BlockListed
Contributor

Bitwarden send won't work if the domain includes a trailing slash. This should be documented, as it may lead to confusion among users.

Vaultwarden send won't work if the domain includes a trailing slash.
This should be documented, as it may lead to confusion among users.
@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

Could you explain what is the issue? Because it works just fine for me, with or without a / at the end. Same goes for using port numbers or sub-path, or a combination, and all with or without a trailing /.

@BlockListed
Contributor Author

BlockListed commented Feb 7, 2023

> Could you explain what is the issue? Because it works just fine for me, with or without a / at the end. Same goes for using port numbers or sub-path, or a combination, and all with or without a trailing /.

If you have a trailing slash, the download link for the send has two slashes after the URL https://your.domain.with.trailing//api/sends/..., which caused issues with CSP for me yesterday. So I thought it may be useful to document.

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

But, as just mentioned, I tested it, and it doesn't happen for me at all.
How do you change the DOMAIN, just via env? Or another way?

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

What version of Vaultwarden are you using?

@BlockListed
Contributor Author

BlockListed commented Feb 7, 2023

In the admin panel, if you set a domain with a trailing slash (general settings -> domain url), the /sends/<send_id>/access/file/<file_id> handler will return a URL with two slashes after the domain, https://your.domain.with.trailing//api/sends/.... This issue seems to stem from the fact that the Host parameter doesn't remove the trailing slash.
https://github.com/dani-garcia/vaultwarden/blob/main/src/auth.rs#L278

#[rocket::async_trait]
impl<'r> FromRequest<'r> for Host {
    type Error = &'static str;

    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = request.headers();

        // Get host
        let host = if CONFIG.domain_set() {
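            // Current logic (returns the configured domain unchanged):
            // CONFIG.domain()

            // Possible fix: strip any trailing slash; to_string() yields the owned String that Host requires
            CONFIG.domain().trim_end_matches('/').to_string()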
        } else {
            ...
    }
}

@BlockListed
Contributor Author

BlockListed commented Feb 7, 2023

> What version of Vaultwarden are you using?

My web interface is Version 2022.12.0, but reading the code suggests that the issue may still exist.
I have to do something else now, so can't check my server version.

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

In the later versions of the web-vault they have changed the endpoint if I'm correct.
So this issue shouldn't be there anymore.

What happens with attachments then?

@BlockListed
Contributor Author

> In the later versions of the web-vault they have changed the endpoint if I'm correct. So this issue shouldn't be there anymore.
>
> What happens with attachments then?

I checked and I am running the newest version, but that's beside the point. In my other comment (#3228 (comment)) I'm pretty sure I showed how this issue is present in the current master branch.

@BlockListed BlockListed changed the title from "Change description of domain configuration" to "Fix trailing slash not getting removed from domain" Feb 7, 2023
@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

But I can't reproduce it at all! I can use

  • https://vaultwarden.domain.tld/
  • https://vaultwarden.domain.tld
  • https://vaultwarden.domain.tld:8080/
  • https://vaultwarden.domain.tld:8080
  • https://vaultwarden.domain.tld/sub-path
  • https://vaultwarden.domain.tld/sub-path/
  • https://vaultwarden.domain.tld:8080/sub-path/
  • https://vaultwarden.domain.tld:8080/sub-path

And they all work just fine!

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

See if you can reproduce it with the testing tagged image and if that solves your issue. Because if so, then it is already fixed in a not yet released latest image.

@BlockListed
Contributor Author

BlockListed commented Feb 7, 2023

> See if you can reproduce it with the testing tagged image and if that solves your issue. Because if so, then it is already fixed in a not yet released latest image.

I managed to show it returning a URL with two slashes in this video. I know the download didn't fail, but I have experienced the double-slashing causing some issues with CSP and I hope we can agree that it's not intended behavior. The commits I added would fix this issue.

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

> > See if you can reproduce it with the testing tagged image and if that solves your issue. Because if so, then it is already fixed in a not yet released latest image.
>
> I managed to show it returning a URL with two slashes in this video. I know the download didn't fail, but I have experienced the double-slashing causing some issues with CSP and I hope we can agree that it's not intended behavior. The commits I added would fix this issue.

Ok, I see the double slashes there indeed. But then comes my next question. How does that cause a CSP issue?
Do you provide your own CSP? Because the CSP provided by Vaultwarden is working just fine out of the box.
If you provide your own CSP that could cause issues with some features of Bitwarden or maybe in the future.
The same goes for origin headers etc...

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

And, besides it having a slash there, I think we should rather solve this in a better way than adjusting the comments. Always trimming a slash is maybe not the best solution.

And there is still an item open to better handle the HOST for items like send, attachments and 2fa where possible. Which I myself didn't have any time to look at.

@BlockListed
Contributor Author

BlockListed commented Feb 7, 2023

> And, besides it having a slash there, I think we should rather solve this in a better way than adjusting the comments. Always trimming a slash is maybe not the best solution.
>
> And there is still an item open to better handle the HOST for items like send, attachments and 2fa where possible. Which I myself didn't have any time to look at.

Where is the item you mentioned?
Also I would say that a host header / value should never have a trailing slash, maybe it should log a warning if there is a trailing slash, but still fix it. I know it's a little hacky having it in the host function, but I don't know if there's a way to have it directly in the configuration system.

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

The issue is this one: #2690
It currently doesn't support multiple domains, also for some security reasons of course, just always blindly using the HOST could be a security issue in my eyes.

Further, maybe we should add a different function to get a parsed domain, which uses domain_origin and domain_path.
Also, parsing or modifying could be done during the config load, which then prevents a trim or whatever being done on every request which causes a new memory allocation and more processing time.

There are maybe some more optimizations to be done there, but as mentioned, I haven't had time myself yet to really dive into it.

@BlockListed
Contributor Author

BlockListed commented Feb 7, 2023

We could use a domain "allow list" instead of a domain URL, which would alleviate some security concerns and be identical for a user, using a correct configuration, to the current system.

I think parsing could be done at request time, since the trim itself doesn't need another allocation (the current implementation always allocates/clones the domain). I only created a new string, because the Host struct requires a string and I didn't want to deal with changing so much.

But that should maybe be done in a different PR.

@BlockListed
Contributor Author

After thinking about it, why shouldn't we remove the trailing slash? For the domain URL, it's perfectly normal to have a trailing slash, but for a host it's not really intended. The backup method grabs the domain part from the Host header, which according to MDN shouldn't have a trailing slash. Removing a trailing slash should therefore be acceptable, since we're translating from a format which allows trailing slashes, to one which does not. Removing the trailing slash in the Host struct makes the most sense, since the domain is used to derive other values, which will result in a much greater surface for bugs.

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

Again, if removing, then I would suggest to do something like that during the config parse run, and not with every request.
Why do extra work in one location if it probably is best if it is removed from all places where this variable is being used?

Then it would be much better to have this done within the config code, and all locations using CONFIG.domain() are fixed instantly.

@BlockListed
Contributor Author

> Again, if removing, then I would suggest to do something like that during the config parse run, and not with every request. Why do extra work in one location if it probably is best if it is removed from all places where this variable is being used?
>
> Then it would be much better to have this done within the config code, and all locations using CONFIG.domain() are fixed instantly.

I'm just wondering, fix the trailing slash with a warning or deny domains with trailing slashes in validate_config()?

@BlackDex
Collaborator

BlackDex commented Feb 7, 2023

> > Again, if removing, then I would suggest to do something like that during the config parse run, and not with every request. Why do extra work in one location if it probably is best if it is removed from all places where this variable is being used?
> > Then it would be much better to have this done within the config code, and all locations using CONFIG.domain() are fixed instantly.
>
> I'm just wondering, fix the trailing slash with a warning or deny domains with trailing slashes in validate_config()?

Fix it automatically for them. Just sanitize it I think

@BlockListed
Contributor Author

Other similar things are being fixed in the build() method of ConfigBuilder, so I am gonna decide to implement these fixes there.

config.signups_domains_whitelist = config.signups_domains_whitelist.trim().to_lowercase();
config.org_creation_users = config.org_creation_users.trim().to_lowercase();

@BlockListed BlockListed force-pushed the fix-domain-description branch from 2a2ed98 to 5d1c11c Compare February 7, 2023 17:42
@BlockListed
Contributor Author

BlockListed commented Feb 7, 2023

It should be fine now. The domain simply gets sanitized and the trailing slash gets removed. I decided to not pop the slash off in-place, because the readability of the trim feels better and a single allocation at startup won't kill us.

@dani-garcia dani-garcia merged commit e301fe1 into dani-garcia:main Feb 12, 2023
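
An added example, not code from this pull request or from Vaultwarden: it sketches the approach the thread settles on, sanitizing the domain once when the configuration is built rather than on every request, and runs it over the DOMAIN variants listed earlier in the conversation. `ConfigBuilder`, `Config`, `sanitize_domain`, `send_download_url` and the `SEND_ID/FILE_ID` path are hypothetical stand-ins; `domain_origin` and `domain_path` borrow their names from the discussion, with bodies written for this example.

```rust
// Added example. The types and helpers here are hypothetical stand-ins
// written for this page; they are not Vaultwarden's real implementation.

/// Raw settings exactly as an admin typed them.
pub struct ConfigBuilder {
    domain: String,
}

/// Settings after the one-time sanitize pass in build().
pub struct Config {
    domain: String,
}

/// Byte offset just past "scheme://", or 0 when no scheme is present.
fn authority_start(url: &str) -> usize {
    url.find("://").map(|i| i + 3).unwrap_or(0)
}

/// Strip surrounding whitespace and every trailing '/', but never eat the
/// slashes that belong to "scheme://".
pub fn sanitize_domain(raw: &str) -> String {
    let raw = raw.trim();
    let (scheme, rest) = raw.split_at(authority_start(raw));
    format!("{}{}", scheme, rest.trim_end_matches('/'))
}

impl ConfigBuilder {
    pub fn new(domain: &str) -> Self {
        ConfigBuilder { domain: domain.to_string() }
    }

    /// Sanitize once at load time: a single allocation at startup, and every
    /// consumer of Config::domain() sees the same cleaned value.
    pub fn build(self) -> Config {
        Config { domain: sanitize_domain(&self.domain) }
    }
}

impl Config {
    pub fn domain(&self) -> &str {
        self.domain.as_str()
    }

    /// Scheme, host and optional port, e.g. "https://host:8080".
    pub fn domain_origin(&self) -> &str {
        let start = authority_start(&self.domain);
        match self.domain[start..].find('/') {
            Some(i) => &self.domain[..start + i],
            None => self.domain.as_str(),
        }
    }

    /// Sub-path below the origin ("" when the instance lives at the root).
    pub fn domain_path(&self) -> &str {
        &self.domain[self.domain_origin().len()..]
    }
}

/// Join the domain with "/api/sends/..." as in the URL quoted in the thread.
/// `rest` stands for the part of the path that the page elides.
pub fn send_download_url(domain: &str, rest: &str) -> String {
    format!("{}/api/sends/{}", domain, rest)
}

/// True when "//" appears anywhere after the scheme separator.
pub fn has_double_slash(url: &str) -> bool {
    url[authority_start(url)..].contains("//")
}

fn main() {
    // The DOMAIN variants listed in the thread (example host names).
    let variants = [
        "https://vaultwarden.domain.tld/",
        "https://vaultwarden.domain.tld",
        "https://vaultwarden.domain.tld:8080/",
        "https://vaultwarden.domain.tld:8080",
        "https://vaultwarden.domain.tld/sub-path",
        "https://vaultwarden.domain.tld/sub-path/",
        "https://vaultwarden.domain.tld:8080/sub-path/",
        "https://vaultwarden.domain.tld:8080/sub-path",
    ];
    for raw in variants.iter() {
        let before = send_download_url(raw, "SEND_ID/FILE_ID");
        let cfg = ConfigBuilder::new(raw).build();
        let after = send_download_url(cfg.domain(), "SEND_ID/FILE_ID");
        println!("{}", raw);
        println!("  raw:       {} (double slash: {})", before, has_double_slash(&before));
        println!("  sanitized: {} (double slash: {})", after, has_double_slash(&after));
    }
}
```
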
Stackclash referenced this pull request in Stackclash/home-cluster May 25, 2023

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [vaultwarden/server](https://togithub.com/dani-garcia/vaultwarden) |
minor | `1.27.0` -> `1.28.1` |

---

### Release Notes

<details>
<summary>dani-garcia/vaultwarden</summary>

###
[`v1.28.1`](https://togithub.com/dani-garcia/vaultwarden/releases/tag/1.28.1)

[Compare
Source](https://togithub.com/dani-garcia/vaultwarden/compare/1.28.0...1.28.1)

#### What's Changed

- Decode knowndevice `X-Request-Email` as base64url with no padding by
[@&#8203;jjlin](https://togithub.com/jjlin) in
[https://github.com/dani-garcia/vaultwarden/pull/3376](https://togithub.com/dani-garcia/vaultwarden/pull/3376)
- Fix abort on password reset mail error by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3390](https://togithub.com/dani-garcia/vaultwarden/pull/3390)
- support `/users/<uuid>/invite/resend` admin api by
[@&#8203;nikolaevn](https://togithub.com/nikolaevn) in
[https://github.com/dani-garcia/vaultwarden/pull/3397](https://togithub.com/dani-garcia/vaultwarden/pull/3397)
- always return KdfMemory and KdfParallelism by
[@&#8203;stefan0xC](https://togithub.com/stefan0xC) in
[https://github.com/dani-garcia/vaultwarden/pull/3398](https://togithub.com/dani-garcia/vaultwarden/pull/3398)
- Fix sending out multiple websocket notifications by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3405](https://togithub.com/dani-garcia/vaultwarden/pull/3405)
- Revert setcap, update rust and crates by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3403](https://togithub.com/dani-garcia/vaultwarden/pull/3403)

#### New Contributors

- [@&#8203;nikolaevn](https://togithub.com/nikolaevn) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3397](https://togithub.com/dani-garcia/vaultwarden/pull/3397)

**Full Changelog**:
dani-garcia/vaultwarden@1.28.0...1.28.1

###
[`v1.28.0`](https://togithub.com/dani-garcia/vaultwarden/releases/tag/1.28.0)

[Compare
Source](https://togithub.com/dani-garcia/vaultwarden/compare/1.27.0...1.28.0)

#### Major changes

- The project has changed license to the
[**AGPLv3**](https://togithub.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt).
If you're hosting a Vaultwarden instance, you now have a requirement to
distribute the Vaultwarden source code to your users if they request it.
The source code, and any changes you have made, need to be under the
same AGPLv3 license. If you simply use our code without modifications,
just pointing them to this repository is enough.
- Added support for **Argon2** key derivation on the clients. To enable
it for your account, make sure all your clients are using version
v2023.2.0 or greater, then go to account settings > security > keys, and
change the algorithm from PBKDF2 to Argon2id.
- Added support for **Argon2** key derivation for the admin page token.
To update your admin token to use it, [check the
wiki](https://togithub.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token)
- New **alternative registries** for the docker images are available (In
**BETA** for now):
- **Github Container Registry**: https://ghcr.io/dani-garcia/vaultwarden
    -   **Quay**: https://quay.io/vaultwarden/server

#### What's Changed

- Remove patched multer-rs by
[@&#8203;manofthepeace](https://togithub.com/manofthepeace) in
[https://github.com/dani-garcia/vaultwarden/pull/2968](https://togithub.com/dani-garcia/vaultwarden/pull/2968)
- Removed unsafe-inline JS from CSP and other fixes by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3058](https://togithub.com/dani-garcia/vaultwarden/pull/3058)
- Validate YUBICO_SERVER string
([#&#8203;3003](https://togithub.com/dani-garcia/vaultwarden/issues/3003))
by [@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3059](https://togithub.com/dani-garcia/vaultwarden/pull/3059)
- Log message to stderr if LOG_FILE is not writable by
[@&#8203;pjsier](https://togithub.com/pjsier) in
[https://github.com/dani-garcia/vaultwarden/pull/3061](https://togithub.com/dani-garcia/vaultwarden/pull/3061)
- Update WebSocket Notifications by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3076](https://togithub.com/dani-garcia/vaultwarden/pull/3076)
- Optimize config loading messages by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3092](https://togithub.com/dani-garcia/vaultwarden/pull/3092)
- Percent-encode org_name in links by
[@&#8203;am97](https://togithub.com/am97) in
[https://github.com/dani-garcia/vaultwarden/pull/3093](https://togithub.com/dani-garcia/vaultwarden/pull/3093)
- Fix failing large note imports by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3087](https://togithub.com/dani-garcia/vaultwarden/pull/3087)
- Change `text/plain` API responses to `application/json` by
[@&#8203;jjlin](https://togithub.com/jjlin) in
[https://github.com/dani-garcia/vaultwarden/pull/3124](https://togithub.com/dani-garcia/vaultwarden/pull/3124)
- Remove `shrink-to-fit=no` from viewport-meta-tag by
[@&#8203;redwerkz](https://togithub.com/redwerkz) in
[https://github.com/dani-garcia/vaultwarden/pull/3126](https://togithub.com/dani-garcia/vaultwarden/pull/3126)
- Update dependencies and MSRV by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3128](https://togithub.com/dani-garcia/vaultwarden/pull/3128)
- Resolve uninlined_format_args clippy warnings by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3065](https://togithub.com/dani-garcia/vaultwarden/pull/3065)
- Update Rust to v1.66.1 to patch CVE by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3136](https://togithub.com/dani-garcia/vaultwarden/pull/3136)
- Fix remaining inline format by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3130](https://togithub.com/dani-garcia/vaultwarden/pull/3130)
- Use more modern meta tag for charset encoding by
[@&#8203;redwerkz](https://togithub.com/redwerkz) in
[https://github.com/dani-garcia/vaultwarden/pull/3131](https://togithub.com/dani-garcia/vaultwarden/pull/3131)
- fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory
by [@&#8203;GeekCornerGH](https://togithub.com/GeekCornerGH) in
[https://github.com/dani-garcia/vaultwarden/pull/3132](https://togithub.com/dani-garcia/vaultwarden/pull/3132)
- Optimize CipherSyncData for very large vaults by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3133](https://togithub.com/dani-garcia/vaultwarden/pull/3133)
- Add avatar color support by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3134](https://togithub.com/dani-garcia/vaultwarden/pull/3134)
- Add MFA icon to org member overview by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3135](https://togithub.com/dani-garcia/vaultwarden/pull/3135)
- Minor refactoring concering user.setpassword by
[@&#8203;sirux88](https://togithub.com/sirux88) in
[https://github.com/dani-garcia/vaultwarden/pull/3139](https://togithub.com/dani-garcia/vaultwarden/pull/3139)
- Validate note sizes on key-rotation. by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3157](https://togithub.com/dani-garcia/vaultwarden/pull/3157)
- Update KDF Configuration and processing by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3163](https://togithub.com/dani-garcia/vaultwarden/pull/3163)
- Remove `arm32v6`-specific tag by
[@&#8203;jjlin](https://togithub.com/jjlin) in
[https://github.com/dani-garcia/vaultwarden/pull/3164](https://togithub.com/dani-garcia/vaultwarden/pull/3164)
- Re-License Vaultwarden to AGPLv3 by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/2561](https://togithub.com/dani-garcia/vaultwarden/pull/2561)
- Admin password reset by
[@&#8203;sirux88](https://togithub.com/sirux88) in
[https://github.com/dani-garcia/vaultwarden/pull/3116](https://togithub.com/dani-garcia/vaultwarden/pull/3116)
- "Spell-Jacking" mitigation ~ prevent sensitive data leak … by
[@&#8203;dlehammer](https://togithub.com/dlehammer) in
[https://github.com/dani-garcia/vaultwarden/pull/3145](https://togithub.com/dani-garcia/vaultwarden/pull/3145)
- Allow listening on privileged ports (below 1024) as non-root by
[@&#8203;jjlin](https://togithub.com/jjlin) in
[https://github.com/dani-garcia/vaultwarden/pull/3170](https://togithub.com/dani-garcia/vaultwarden/pull/3170)
- don't nullify key when editing emergency access by
[@&#8203;stefan0xC](https://togithub.com/stefan0xC) in
[https://github.com/dani-garcia/vaultwarden/pull/3215](https://togithub.com/dani-garcia/vaultwarden/pull/3215)
- Fix trailing slash not getting removed from domain by
[@&#8203;BlockListed](https://togithub.com/BlockListed) in
[https://github.com/dani-garcia/vaultwarden/pull/3228](https://togithub.com/dani-garcia/vaultwarden/pull/3228)
- Generate distinct log messages for regex vs. IP blacklisting. by
[@&#8203;kpfleming](https://togithub.com/kpfleming) in
[https://github.com/dani-garcia/vaultwarden/pull/3231](https://togithub.com/dani-garcia/vaultwarden/pull/3231)
- allow editing/unhiding by group by
[@&#8203;farodin91](https://togithub.com/farodin91) in
[https://github.com/dani-garcia/vaultwarden/pull/3108](https://togithub.com/dani-garcia/vaultwarden/pull/3108)
- Fix Javascript issue on non sqlite databases by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3167](https://togithub.com/dani-garcia/vaultwarden/pull/3167)
- add argon2 kdf fields by [@&#8203;tessus](https://togithub.com/tessus)
in
[https://github.com/dani-garcia/vaultwarden/pull/3210](https://togithub.com/dani-garcia/vaultwarden/pull/3210)
- add support for system mta though sendmail by
[@&#8203;soruh](https://togithub.com/soruh) in
[https://github.com/dani-garcia/vaultwarden/pull/3147](https://togithub.com/dani-garcia/vaultwarden/pull/3147)
- Updated Rust and crates by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3234](https://togithub.com/dani-garcia/vaultwarden/pull/3234)
- docs: add build status badge in readme by
[@&#8203;R3DRUN3](https://togithub.com/R3DRUN3) in
[https://github.com/dani-garcia/vaultwarden/pull/3245](https://togithub.com/dani-garcia/vaultwarden/pull/3245)
- Validate all needed fields for client API login by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3251](https://togithub.com/dani-garcia/vaultwarden/pull/3251)
- Fix Organization delete when groups are configured by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3252](https://togithub.com/dani-garcia/vaultwarden/pull/3252)
- Fix Collection Read Only access for groups by
[@&#8203;Misterbabou](https://togithub.com/Misterbabou) in
[https://github.com/dani-garcia/vaultwarden/pull/3254](https://togithub.com/dani-garcia/vaultwarden/pull/3254)
- Make the admin session lifetime adjustable by
[@&#8203;mittler-works](https://togithub.com/mittler-works) in
[https://github.com/dani-garcia/vaultwarden/pull/3262](https://togithub.com/dani-garcia/vaultwarden/pull/3262)
- Add function to fetch user by email address by
[@&#8203;mittler-works](https://togithub.com/mittler-works) in
[https://github.com/dani-garcia/vaultwarden/pull/3263](https://togithub.com/dani-garcia/vaultwarden/pull/3263)
- Fix vault item display in org vault view by
[@&#8203;jjlin](https://togithub.com/jjlin) in
[https://github.com/dani-garcia/vaultwarden/pull/3277](https://togithub.com/dani-garcia/vaultwarden/pull/3277)
- Add confirmation for removing 2FA and deauthing sessions in admin
panel by [@&#8203;JCBird1012](https://togithub.com/JCBird1012) in
[https://github.com/dani-garcia/vaultwarden/pull/3282](https://togithub.com/dani-garcia/vaultwarden/pull/3282)
- Some Admin Interface updates by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3288](https://togithub.com/dani-garcia/vaultwarden/pull/3288)
- Fix the web-vault v2023.2.0 API calls by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3281](https://togithub.com/dani-garcia/vaultwarden/pull/3281)
- Fix confirmation for removing 2FA and deauthing sessions in admin
panel by [@&#8203;dpinse](https://togithub.com/dpinse) in
[https://github.com/dani-garcia/vaultwarden/pull/3290](https://togithub.com/dani-garcia/vaultwarden/pull/3290)
- Admin token Argon2 hashing support by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3289](https://togithub.com/dani-garcia/vaultwarden/pull/3289)
- Add HEAD routes to avoid spurious error messages by
[@&#8203;jjlin](https://togithub.com/jjlin) in
[https://github.com/dani-garcia/vaultwarden/pull/3307](https://togithub.com/dani-garcia/vaultwarden/pull/3307)
- Fix web-vault Member UI show/edit/save by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3315](https://togithub.com/dani-garcia/vaultwarden/pull/3315)
- Upd Crates, Rust, MSRV, GHA and remove Backtrace by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3310](https://togithub.com/dani-garcia/vaultwarden/pull/3310)
- Add support for `/api/devices/knowndevice` with HTTP header params by
[@&#8203;jjlin](https://togithub.com/jjlin) in
[https://github.com/dani-garcia/vaultwarden/pull/3329](https://togithub.com/dani-garcia/vaultwarden/pull/3329)
- Update Rust, MSRV and Crates by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3348](https://togithub.com/dani-garcia/vaultwarden/pull/3348)
- Merge ClientIp with Headers. by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3332](https://togithub.com/dani-garcia/vaultwarden/pull/3332)
- add endpoints to bulk delete collections/groups by
[@&#8203;stefan0xC](https://togithub.com/stefan0xC) in
[https://github.com/dani-garcia/vaultwarden/pull/3354](https://togithub.com/dani-garcia/vaultwarden/pull/3354)
- Add support for Quay.io and GHCR.io as registries by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3363](https://togithub.com/dani-garcia/vaultwarden/pull/3363)
- Some small fixes and updates by
[@&#8203;BlackDex](https://togithub.com/BlackDex) in
[https://github.com/dani-garcia/vaultwarden/pull/3366](https://togithub.com/dani-garcia/vaultwarden/pull/3366)
- Update web vault to v2023.3.0 by
[@&#8203;dani-garcia](https://togithub.com/dani-garcia)

#### New Contributors

- [@&#8203;manofthepeace](https://togithub.com/manofthepeace) made their
first contribution in
[https://github.com/dani-garcia/vaultwarden/pull/2968](https://togithub.com/dani-garcia/vaultwarden/pull/2968)
- [@&#8203;pjsier](https://togithub.com/pjsier) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3061](https://togithub.com/dani-garcia/vaultwarden/pull/3061)
- [@&#8203;am97](https://togithub.com/am97) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3093](https://togithub.com/dani-garcia/vaultwarden/pull/3093)
- [@&#8203;redwerkz](https://togithub.com/redwerkz) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3126](https://togithub.com/dani-garcia/vaultwarden/pull/3126)
- [@&#8203;sirux88](https://togithub.com/sirux88) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3139](https://togithub.com/dani-garcia/vaultwarden/pull/3139)
- [@&#8203;dlehammer](https://togithub.com/dlehammer) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3145](https://togithub.com/dani-garcia/vaultwarden/pull/3145)
- [@&#8203;BlockListed](https://togithub.com/BlockListed) made their
first contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3228](https://togithub.com/dani-garcia/vaultwarden/pull/3228)
- [@&#8203;kpfleming](https://togithub.com/kpfleming) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3231](https://togithub.com/dani-garcia/vaultwarden/pull/3231)
- [@&#8203;farodin91](https://togithub.com/farodin91) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3108](https://togithub.com/dani-garcia/vaultwarden/pull/3108)
- [@&#8203;soruh](https://togithub.com/soruh) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3147](https://togithub.com/dani-garcia/vaultwarden/pull/3147)
- [@&#8203;R3DRUN3](https://togithub.com/R3DRUN3) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3245](https://togithub.com/dani-garcia/vaultwarden/pull/3245)
- [@&#8203;Misterbabou](https://togithub.com/Misterbabou) made their
first contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3254](https://togithub.com/dani-garcia/vaultwarden/pull/3254)
- [@&#8203;mittler-works](https://togithub.com/mittler-works) made their
first contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3262](https://togithub.com/dani-garcia/vaultwarden/pull/3262)
- [@&#8203;JCBird1012](https://togithub.com/JCBird1012) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3282](https://togithub.com/dani-garcia/vaultwarden/pull/3282)
- [@&#8203;dpinse](https://togithub.com/dpinse) made their first
contribution in
[https://github.com/dani-garcia/vaultwarden/pull/3290](https://togithub.com/dani-garcia/vaultwarden/pull/3290)

**Full Changelog**:
dani-garcia/vaultwarden@1.27.0...1.28.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on saturday" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/RickCoxDev/home-cluster).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>