-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[META] Feature Requests #246
Comments
What is needed for #241? Seems somebody already posted the needed changes in the corresponding issue so that could maybe be integrated? |
Yes, someone would have to check those changes, see what can be integrated into the project directly (possibly a config option for the mount point) and create the documentation on how to configure the vault, proxy, etc. |
@dpffxhad added it to the list |
It would be great to see an (admin) feature which can help sysops to test mailing functionality. Maybe somewhere a button which can send a test e-mail to the actual user's address and which gives back a fail/success message after the action. |
Good idea @Peneheals, @njfox what do you think? |
Would it be possible to introduce 2FA auth to the /admin panel as well? |
I also think that's a good idea, and it shouldn't be too difficult to implement. I can look at adding the necessary API endpoints once I find some time, or knowing @dani-garcia he'll probably get to it first |
About 2fa: That said, this would require some changes to the admin page to input the 2fa code: we can't just ask for it at the start because it changes every 30 seconds . Edit: About the email, as a workaround, you can invite yourself to test if it works for now, but it would be great to add |
I am having trouble getting an Apache reverse-proxy to work in my organization. For various reasons, I can't create a new subdomain for bitwarden - i need to run it as https://my.proxy.domain/bitwarden forwarding to localhost running http on a non-standard port. However I cannot find a way to get Apache's mod_proxy to proxy from /bitwarden context to root context. For other applications I'm able to create proxies to as long as the target application uses a non-root context. I.e. I want to do this: https://my.proxy/bitwarden <-> http:/localhost:1234 I can get other apps to work if the internal app uses non-root context -- e.g. https://my.proxy/acontext <-> http:/localhost:1234/anothercontext Can bitwarden_rs be configured to listen to /bitwarden_rs or /bitwarden instead of / ? If not, can someone help in constructing apache mod_proxy / mod_rewrite rules to proxy the bitwarden_rs root context from a non-root proxy context? |
@chinenual see #71. The TL/DR is that while bitwarden_rs doesn't mind serving from a sub path, client apps don't support that. There was some effort modifying the Vault code to allow this, but I haven't seen anyone reporting that they got it working. |
Thanks @mprasil - I'll keep my eye on upstream client support and check back here if/when it's supportable. |
@mprasil I think only the web vault needs some patching (which has already been done?) I changed the path in the android app and it'll correctly call api at that path. "POST /bw/api/accounts/prelogin HTTP/1.1" |
Good to know @quthla, are you sure all functionality is present in the mobile client apps - like attachments. (also this probably still rules out using the official desktop app?) |
Any one down to help with pointers? :) @ibotty to start theres an oauth module for rust here: https://docs.rs/crate/oauth2/4.1.0 |
It would be nice to have a container config that bundled a proxy so that we could have an all-in-one container that provides static content hosting + the web application + websockets. |
Hi, I first have to say in my two days investigating opensource passwordmanagers for my company vaultwarden is clearly in the lead right now, I have compared it to Passbolt and PSONO, we are a small company but secure passwords and password management is getting more and more important. Considering company Passwords and sharing them with users added to the company there are currently two options for normal Users: "hide passwords" and "read only". The other option is similar, but eventually easier to implement, keep everything as is but prevent normal users from accessing organizations recycle bin, this way it is not possible for a user to completely remove an entry. Managers/Admins would have 30days to recover deleted entries. Maybe I have missed something and what I am requesting is already possible in some way, if so I´d be happy for some pointers :). MfG/Best regards |
Likely not to be implemented @Miarka24. Use database backups. |
Well backups are the bread and butter of course, but having this option wouldn´t hurt. |
Seeing as you mentioned backups... I assume it is almost by definition impossible to carefully restore individual passwords from a backup, because they are all so nicely encrypted you wouldn't even know which is which, never mind which to restore? How about restoring individual users and/or organizations one at a time? ... but even then, presumably "restore entire user to a point in time" with obvious risk of losing ones that were added after the backup as well? |
@Miarka24 @NoseyNick. Point 2, depending on what rights you give people to the org. You can give them read only access, while they can still share passwords and use them they can't delete them for an org. Building both options into Vaultwarden would require significant work and new special options on the server side which we try to minimize as much as possible to keep as close as possible to Bitwarden. Regarding restoring separate entries, that is in theorie possible, as long as the security keys aren't changed of the org, or for users, if they didn't rotated there key or changed there password. Having backups is probably the best thing to do. You can just start a separate Vaultwarden container using the backup and try to find it. |
Aha! Hadn't occurred to me but really good point, and certainly sounds easier than meddling with individual database records and stuff. Thanks! |
@BlackDex But regardless, if this project is set up to follow bitwarden closely, I will respect that and hope bitwarden will introduce something similar in the future. |
Live sync for iOS devices please. |
I am a bit against that. Because that could be used as a DoS feature. If i know your username and your host, i will just try random passwords and bam your account is locked. I would suggest to use something like Fail2Ban, or some kind of WAF provided by the reverse proxy. |
Probably not going to happen in the near future. |
I am amazed at how few people recognise this. I remember a previous employer proudly announcing that your account will be locked out after 3 login failures, and you'd need to ask IT Helldesk to unlock you. "For security reasons". My immediate question was "So how long until someone writes something that fails to log in as [CEO]@[COMPANY].com every minute? This is a SECURITY feature?" Well so is the "locked safe dropped to the bottom of the mariannas trench" thing but come on! However some (extremely stoopid) regulatory frameworks require this functionality, which is presumably why upstream has implemented it. Best compromise is usually "lock for N minutes and then unlock" And in the case of [CEO]@[COMPANY].com, or anyone else @[COMPANY].com, it turns out that it doesn't need a skript kiddie to do this maliciously, just someone, almost everyone, including [CEO], to change their password but forget to update it on some email client somewhere that checks for new mail every N minutes. (Or in our case presumably the BitWarden client on their phone / laptop / other desktop) ... and THEN they learn that IP-specific fail2ban / similar is a better idea after all, so it doesn't block the devices you have updated, and almost certainly meets the same regulatory requirement. 🙈 |
I deleted my previous request, as I worded it I correctly. The ability to create nested folders and move passwords between them inside organizations would be a wonderful addition. It would also be wonderful to be able to share entire folders, not just individual entries with organizations, though that would rely on the folder capabilities. Edit: After reading other posts and comments I realize this is likely an upstream thing. They essentially have to functionally have organizations as shared vaults rather than a separate function. |
Please considering supporting the Admin Password Reset feature, including the organization policies for automatic (forceful) enrollment. |
This comment has been minimized.
This comment has been minimized.
Hi, I would like to request a feature to support deduplication of password entries. This is the major pain point for me with vaultwarden. I've imported passwords from many different browsers and sources and this has created a mess, in which I have every password duplicated about 5 times. Other pw managers like lastpass do this automatically. So far there are only workarounds to this problem e.g. https://hwrrobotics.com/2020/11/02/duplicate-password-remover-for-bitwarden/ or https://gist.github.com/giabao/f4c3de705f1d7f2c1fd0cde02e7b841d And I am not even talking about deleteting/tyding up similar entries (which would be nice), but simply removing obvious 1:1 dupes. |
That is something for the clients. See https://community.bitwarden.com/t/duplicate-removal-tool-report/648 |
This comment has been minimized.
This comment has been minimized.
Could you please add the wait-for-it script in the Dockerfile, to poll the availability of the DB? The current container stops when the DB is not available. It would be great if it could simply wait. |
@romu70 If you are using docker-compose you can configure it to have vaultwarden depend on the database container. |
@lzinga the web interface is not made by vaultwarden, it's the official one, vaultwarden simply includes it. See https://github.com/bitwarden/web and https://github.com/dani-garcia/bw_web_builds If you yourself want to hide it, use an extension like stylus. |
First of all, could this issue be converted to a discussion so that the feature request discussions can be viewed as threads. This format is so unwieldy IMO. Otherwise I have a feature request and design I would like to post for consideration: One/Two-way sync with keepass using asymmetric encryptionProblem being solvedSecurely synchronizing a user's selected passwords with a hosted keepass database. Primarily this helps with sharing passwords with users across these different infrastructures and offer the user a trusted backup plan. Design
Why the extra encryption?
Other issues it can help withDepending on which part is being tackled, partial integration of this would help with:
|
@LecrisUT there is a nice https://github.com/dani-garcia/vaultwarden/discussions/categories/ideas discussion categorie where you could have posted this of course. Maybe locking this thread and pointing people to there is a good option. It was mostly intended to serve as a single location with an overview of all requests. |
This issue is getting a bit large, and since there are discussions available for a while I'm going to lock this topic. If there are any feature's you currently miss, and are not mentioned in the first post already, please create a new post with your idea/request here: https://github.com/dani-garcia/vaultwarden/discussions/categories/ideas . Thanks for all your ideas and support! |
To avoid cluttering the issue tracker with feature requests, please comment any requests here and we'll keep a list.
When available, I've linked a related issue or comment to add context to the request.
Authentication
Database support
Admin page
/admin/diagnostics
Security
Lock accounts after X login failures, configurable.(Rate limiting is a better option, else this would give people with bad intentions the option to lock everybody out from the specific vault)Either by documentation using third party tools, firewall, reverse proxy etc.. Or maybe built in without to much hassel Add rate limiting to the API #723
Docker images
Other
/api/accounts/delete-recover
with{"email":"[email protected]"}
param(Partially added to support Bitwarden Directory Connector v2022.11.0)
third-party
depends on Rocket support) (See: Run websocket server on same port as other HTTP serving #685 / Run websocket server on same port as other HTTP serving #2917) (Added via WebSockets via Rocket's Upgrade connection #3404)If anyone wants to help implementing these features, we are available here or on the matrix channel to help guide you as much as we can.
The text was updated successfully, but these errors were encountered: