[META] Feature Requests

[dani-garcia]

To avoid cluttering the issue tracker with feature requests, please comment any requests here and we'll keep a list.

When available, I've linked a related issue or comment to add context to the request.

Authentication

• [x] Support official LDAP directory-connector. There also is a 3rd party connector.
• [ ] OAuth / SSO (#94 and #1134) (Some work is done in #1955 and #2449 and #3154)
• [ ] Key-Connector support (Needs SSO) (#2583)
• [x] Allow organizations to require 2FA for their members #981 (Added via #1604)
• [x] Allow authentication using a per user generated API-Key (#1250) (Added via #2245)
• [x] Allow authentication using a per organization generated API-Key (Added via #3568)
• [x] Add Emergency Access (https://bitwarden.com/help/article/emergency-access/)
• [x] Add support for multiple account feature (#2295) (https://bitwarden.com/help/account-switching/) (Added via #2354)
• [ ] Send email on x amount invalid login attempts (https://vaultwarden.discourse.group/t/how-can-i-protect-my-vaultwarden-account-from-brute-force-attacks/3067) This could be abused as a DDoS, not sure if we want this.
• [ ] Allow login using PassKeys (Not as 2FA) (See #4250)

Database support

• [ ] Easy migration, from SQLite to other two options
  • [x] SQLite to MySQL - documented here: Migrating from SQLite to MySQL
  • [ ] MySQL to PostgreSQL
  • [x] SQLite to PostgreSQL - Documented here: Migrating from SQLite to PostgreSQL

Admin page

• [x] Allow disabling users so they can't log in, without deleting their data. (Added via #1247)
• [ ] 2FA support
• [x] Hashed secret
• [ ] one-time-email login (a.k.a. Bitwarden style)
• [x] Add option to remove 2FA devices from users (#431)
• [ ] Add option to set default cipher URL matching (#432)
• [ ] Show more user info? (organizations and their user status in them, last connected date...)
  • [x] Show organizations per user
  • [x] Show the amount of attachments
  • [x] Show the amount of chipers
  • [x] Last login date (Added via #1245)
  • [ ] Multiple other items
• [ ] Vaultwarden version info and update notification?
  • [x] Version information and updates can be found in the admin panel /admin/diagnostics
  • [ ] Notifications about several items.
  • [x] Compare time of the server/host/container and the browser with NTP.
• [ ] Keep changed settings in the form instead of reset them on input/submit error (See #4017)

Security

• [ ] Set a configurable limit for the 2FA remember token, upstream uses 30 days (Maybe use JWT?).
• [x] Lock accounts after X login failures, configurable. (Rate limiting is a better option, else this would give people with bad intentions the option to lock everybody out from the specific vault)
• [ ] Rate limiting of API requests Either by documentation using third party tools, firewall, reverse proxy etc.. Or maybe built in without to much hassel #723
• [x] Rate limiting logins both admin and vault (Added via #2165)
• [ ] Do not run the container as root user (See #4358)

Docker images

• [x] Debian based both ARM and AMD64
  • [x] SQLite
  • [x] MySQL
  • [x] PostgreSQL
  • [x] Multi Database
• [x] Alpine based images (static/musl)
  • [x] SQLite
  • [x] MySQL (Added via #2172)
  • [x] PostgreSQL (Added via #1252 and #2172)

Other

• [ ] Add XoAuth2 support to fetch the token from the SMTP Provider and refresh used by Google or Microsoft
• [ ] Verify database collation to prevent issues (See: #1182 and #1184)
• [ ] Batch all the bulk database operations in the same transaction (import ciphers, move selected ciphers, purge vault, etc.)
• [ ] Make email and U2F use the same domain-guessing used by attachments
• [x] Groups support #245 (NOTE (2022-12-15): This feature has some known issues! - Added via #2846)
• [x] Manager support (Added via #1136)
• [ ] Log rotation / management #305
• [x] Run Vaultwarden at suburl #241
• [x] Audit log #229 (Added via: #2868 )
• [x] Push notifications #126 (Added via #3304)
  • Workaround: WebSockets provide notifications in web vault and browser extensions (maybe desktop app too?)
• [x] Implement Recover and Delete:
  • calls this endpoint /api/accounts/delete-recover with {"email":"provided@email.address"} param
  • we need to generate email that will provide a link to delete the account with some token to verify email ownership
  • Workaround: Delete user from admin panel and let them create new account
• [ ] Add Custom Role support for granular control of user permissions (https://bitwarden.com/help/article/user-types-access-control/#custom-role)
• [x] Add Personal Ownership support (https://bitwarden.com/help/article/policies/#personal-ownership) (Added via #1326)
• [x] Add Organizational Admin Password Reset support (https://bitwarden.com/help/admin-reset/) (See: #1820)
• [ ] Add Bitwarden Public API endpoints (https://bitwarden.com/help/public-api/) (Needs: Org API Key support) (Partially added to support Bitwarden Directory Connector v2022.11.0)
• [x] Run WebSockets on the same port as HTTP (third-party depends on Rocket support) (See: #685 / #2917) (Added via #3404)

If anyone wants to help implementing these features, we are available here or on the matrix channel to help guide you as much as we can.

[quthla]

What is needed for #241? Seems somebody already posted the needed changes in the corresponding issue so that could maybe be integrated?

[dani-garcia]

Yes, someone would have to check those changes, see what can be integrated into the project directly (possibly a config option for the mount point) and create the documentation on how to configure the vault, proxy, etc.

[mprasil]

@dpffxhad added it to the list

[Peneheals]

It would be great to see an (admin) feature which can help sysops to test mailing functionality. Maybe somewhere a button which can send a test e-mail to the actual user's address and which gives back a fail/success message after the action.

[mprasil]

Good idea @Peneheals, @njfox what do you think?

[p-rintz]

Would it be possible to introduce 2FA auth to the /admin panel as well?

[njfox]

Good idea @Peneheals, @njfox what do you think?

I also think that's a good idea, and it shouldn't be too difficult to implement. I can look at adding the necessary API endpoints once I find some time, or knowing @dani-garcia he'll probably get to it first

[dani-garcia]

About 2fa: To do this, we'll need to implement it separately from the already existing 2fa code. I'm not sure if for this case it's worth it to implement multiple 2fa systems, so I would think just totp and maybe email would be good enough.

That said, this would require some changes to the admin page to input the 2fa code: we can't just ask for it at the start because it changes every 30 seconds .

Edit: About the email, as a workaround, you can invite yourself to test if it works for now, but it would be great to add

[chinenual]

I am having trouble getting an Apache reverse-proxy to work in my organization. For various reasons, I can't create a new subdomain for bitwarden - i need to run it as https://my.proxy.domain/bitwarden forwarding to localhost running http on a non-standard port. However I cannot find a way to get Apache's mod_proxy to proxy from /bitwarden context to root context. For other applications I'm able to create proxies to as long as the target application uses a non-root context.

I.e. I want to do this:

https://my.proxy/bitwarden <-> http:/localhost:1234

I can get other apps to work if the internal app uses non-root context -- e.g.

https://my.proxy/acontext <-> http:/localhost:1234/anothercontext

Can bitwarden_rs be configured to listen to /bitwarden_rs or /bitwarden instead of / ? If not, can someone help in constructing apache mod_proxy / mod_rewrite rules to proxy the bitwarden_rs root context from a non-root proxy context?

[mprasil]

@chinenual see #71. The TL/DR is that while bitwarden_rs doesn't mind serving from a sub path, client apps don't support that. There was some effort modifying the Vault code to allow this, but I haven't seen anyone reporting that they got it working.

[chinenual]

Thanks @mprasil - I'll keep my eye on upstream client support and check back here if/when it's supportable.

[quthla]

@mprasil I think only the web vault needs some patching (which has already been done?)

https://github.com/dani-garcia/bitwarden_rs/issues/241#issuecomment-436373392

I changed the path in the android app and it'll correctly call api at that path.

"POST /bw/api/accounts/prelogin HTTP/1.1"

[mprasil]

Good to know @quthla, are you sure all functionality is present in the mobile client apps - like attachments. (also this probably still rules out using the official desktop app?)

[pdarcos]

Awesome project guys! +1 for Postgresql and/or MariaDB support.

[pdarcos]

Also +1 for groups support. I know you can use organiztions as a workaround but it is an unwieldy solution. Native support for groups would be fantastic.

[tcjew]

support for rqlite! Bassicly a sqlite database with synchronization support across multiple servers. As i am looking for a redundant solution

[pdarcos]

Push notifications would be cool too. I know you'd have to compile your own mobile clients for them to work but that's not such a big deal and having all your devices synced is very useful IMO.

I also like the focus on security. The option to force 2FA for all logins would make it super secure. It can be problematic letting users water down the security and effectively negating 2FA. Most people - surprisingly even informed ones - tend to choose convenience over security.

[ta-vroom]

Support for custom icons? I was able to add missing icons for locally hosted sites and I'm pretty sure you could override domain icons, but what about separate icons for multiple accounts?

For customizing icons, in /data/icon_cache you can change the icons. Icons for missing domains have a .miss extension. Copy a png file to that directory without the .miss extension and it should render normally in the vault.

[dani-garcia]

To support custom icons per cipher instead of as it is (per domain) we would probably need the clients to support them. As a possible workaround, you could create a fake invalid URL for the first URL field, like -mycustomicon1.com and use the other URL fields for the actual URL. With that you could move your custom icon to /data/icon_cache/-mycustomicon1.com.png and it should work.

Note that if you are going to keep custom icons, you should set ICON_CACHE_TTL to 0 to disable the server from renewing them in 30 days.

[mprasil]

To expand on what @dani-garcia said above, the icons API isn't authenticated. The client just asks icon for a domain and that's all information we'll get. This is why we don't know which user is requesting the icons.

[ThiefMaster]

It would be nice to have the "new device logged in" emails like in the original service:

Your Bitwarden account was just logged into from a new device.

Date: Thursday, March 21, 2019 at 3:28 PM UTC IP Address: 1.2.3.4 Device Type: Windows

You can deauthorize all devices that have access to your account from the web vault under Settings > My Account > Deauthorize Sessions.

[ThiefMaster]

Push notifications would be cool too. I know you'd have to compile your own mobile clients for them to work but that's not such a big deal and having all your devices synced is very useful IMO.

Why can't they use the push.bitwarden.com push proxy instead of requiring people to compile their own apps? If you consider it unethical, just add a statement that people should buy premium before enabling it.

[mprasil]

@ThiefMaster is there some information about how this endpoint can be used? I've got the impression that there are some credentials needed.

[ThiefMaster]

It looks like all you need is a key from https://bitwarden.com/host/

https://github.com/bitwarden/server/blob/255855887b2463478ec93133bee301c61a18b517/src/Core/Services/Implementations/RelayPushRegistrationService.cs#L23

[Kovah]

Hello there. First of all many thanks for this implementation of Bitwarden! 💯 Everything is working fine but I would like to ask for two smaller things:

• ability to change the application name (currently Bitwarden_rs) to my own name
• ability to set the default language for new users.

Both would be quite helpful to get (non-english speaking) family members to use Bitwarden. (If it's possible already I would like to know how, couldn't find any options for this.)

[mprasil]

ability to change the application name (currently Bitwarden_rs) to my own name

Not sure if I follow you there @Kovah. Where would you like to change this? The only place I can think of are the emails - you can provide your own translated templates there.

ability to set the default language for new users

I don't think this saved or provided by the server anywhere. The setting is saved client side and as far as I know the default follows your system settings.

[dani-garcia]

The users return a hardcoded Culture value of en-US at the moment, but I'm not sure if that affects the clients.

[Kovah]

you can provide your own translated templates there.

Where would I do that? Also, it's on the login pages. Would be nice to have the own name there.

About the language thing: this would be only needed for the login page / registration form. Just tested this by changing my system language and it's set automatically. So nothing to do here. :)

[mprasil]

Ah so you're talking about Bitwarden, not bitwarden_rs? I think you might need to recompile the vault code with your changes patched in to do that. We just use more-less direct code from upstream for that part. If you decide to do that, you can point to your version of vault via WEB_VAULT_FOLDER.

As for the templates, you can see the built-in ones here. You can modify them and mount them somewhere inside the container and then point TEMPLATES_FOLDER there.

[ViViDboarder]

LDAP syncing has been added to the wiki: https://github.com/dani-garcia/bitwarden_rs/wiki/Syncing-users-from-LDAP

[mprasil]

Can we mark the LDAP thing done or is there something else that needs to be done?

[ImNtReal]

Does the LDAP Synching feature simply lookup users in a LDAP directory, and send them invitation e-mails? What I was hoping for was using LDAP as an authentication backend, so that users have the same credentials to login to bitwarden_rs as they do everything else on my network that uses LDAP for authentication.

[dani-garcia]

@mprasil I think we can at mark it as done, but indicate that the official ldap connector app is not supported, maybe we can add that as a separate feature.

@ImNtReal Yes, that's exactly the same thing the upstream connector app does, it just adds and removes users, but the users need to exist beforehand. I'm not sure how LDAP works internally but I imagine the passwords are hashed, so we don't have a way to get their current password to create them an account.

[mprasil]

@dani-garcia I've updated the issue and added a sub-task to support the official thing. Although right now @ViViDboarder's solution is probably covering most of the functionality..

[RomanHargrave]

I'm not sure how LDAP works internally but I imagine the passwords are hashed, so we don't have a way to get their current password to create them an account.

Correct, and in most directory configurations I do not believe you will be able to retrieve the hashes.

One way to deal with the want to authenticate users via directory works much like Bitwarden works today, requiring a user-held secret to decrypt the vault -

• Upon a new user signing in successfully, the password they entered is used to generate the vault key.

• To handle password changes, if a user signs in successfully but the derived key does not match that which was used to encrypt their vault, they would be asked to enter their old password and the vault would be re-encrypted in the same manner that a password change works now.

Unfortunately, implementing this would break compatibility with Bitwarden.

[kennylevinsen]

Unfortunately, implementing this would break compatibility with Bitwarden.

We could contribute equivalent functionality upstream, in order to keep us in sync. It would also aid upstream in obtaining proper directory support.

[bremensaki]

Is there a way to override the default organisation name from "bitwarden_rs" in the invitation emails that I'm missing, or is this something that'd be covered under the "better email templates" list item?

[mprasil]

@bremensaki You can provide your own template for emails, would that work for you?

[KreativeKrise]

It would be nice to implement the possibility to use docker secrets, e.g. for the ADMIN_TOKEN environment variable. Here you will find a nice article how you could implement it: https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab

[mprasil]

@KreativeKrise, makes me wonder if we can just create symlink from /.env that is read at startup to /run/secrets/bitwarden_rs_secrets. We'd add something like this into the Dockerfile:

RUN ln -s /run/secrets/bitwarden_rs_secrets /.env

If there's no secret the service starts as usual, if you mount your own .env file, it will override the symlink, so that is still going to work as expected. Now to create the docker secrets, you'd do something like:

docker secret create bitwarden_rs_secrets - <<EOF
ADMIN_TOKEN=somelongrandomtoken
SMTP_PASSWORD=smtpserverpass
EOF

basically adding all passwords into one docker secret. That way there's no need for startup wrapper script, that we might want to then drop somehow if we want to go for distroless based image.

[ViViDboarder]

@KreativeKrise can't you already store your configuration in a file and mount that using Docker Secrets?

Also you can do what that blog suggests already without an upstream patch. This is one of the cool things about how Docker layers work.

The CMD in the Dockerfile is set to just run the bitwarden executable. So you could build your own Dockerfile that looks something like this:

Disclaimer: I haven't tested this, there may be small errors, but the gist is the same

FROM bitwardenrs/server:latest
COPY entrypoint.sh /
ENTRYPOINT /entrypoint.sh

Where entrypoint.sh is something like:

#! /bin/bash
source /run/secrets/bitwarden_rs_secrets
exec $@

And your secrets file is something like:

export ADMIN_TOKEN=myadmintoken

[Pschittt]

Here a few features requests :

• implement password history
• create a script/tool for backing up or export directly from sqlite database to an encrypted archive. (To prepare if someday our own instance of bitwarden_rs is no more available, can't be reinstalled, and have only sqlite db backup).

[mprasil]

@Pschittt

1) this is already present unless I misunderstand you here: 2) There was some discusion about it in #504 - the outcome essentially is to export your passwords with something like bitwarden-cli. I can't really imagine a scenario where you have sqlite backup, but don't have bitwarden_rs. I mean something had to create that sqlite DB right? As absolute worst case paranoid scenario, you can always backup bitwarden_rs docker image (docker save) as an fallback? It's quite small.

[Pschittt]

@mprasil

1. Indeed ! I didn't see it. You can forget the feature request ;)
2. The idea was to be able to retrieve it without running a bitwarden_rs platform.

[mprasil]

@Pschittt as for 2) see #504, there isn't much we can do server side as most of the data is client-side encrypted. There are some ideas how to achieve this, but it would most likely be external project rather than being part of bitwarden_rs.

[stripe4]

An option not to show organization credentials in "My Vault". Currently it's difficult to separate my private credentials from organization ones. Ability to add picture logos to organizations.

[mprasil]

@stripe4 I think both of these will need to be implemented on the client side, so you need to make the request upstream. (In their forums)

[onggie]

Hi, are we likely to see the support of the official director connector any time soon?

[dani-garcia]

It would depend on a third party helping with a PR, as I don't have neither the knowlege nor a server to work with LDAP.

[H3npi]

it would be awesome to implement a simple Healthcheck to the Dockerfile.