[META] Feature Requests

[dani-garcia]

To avoid cluttering the issue tracker with feature requests, please comment any requests here and we'll keep a list.

When available, I've linked a related issue or comment to add context to the request.

Authentication

• [x] Support official LDAP directory-connector. There also is a 3rd party connector.
• [ ] OAuth / SSO (#94 and #1134) (Some work is done in #1955 and #2449 and #3154)
• [ ] Key-Connector support (Needs SSO) (#2583)
• [x] Allow organizations to require 2FA for their members #981 (Added via #1604)
• [x] Allow authentication using a per user generated API-Key (#1250) (Added via #2245)
• [x] Allow authentication using a per organization generated API-Key (Added via #3568)
• [x] Add Emergency Access (https://bitwarden.com/help/article/emergency-access/)
• [x] Add support for multiple account feature (#2295) (https://bitwarden.com/help/account-switching/) (Added via #2354)
• [ ] Send email on x amount invalid login attempts (https://vaultwarden.discourse.group/t/how-can-i-protect-my-vaultwarden-account-from-brute-force-attacks/3067) This could be abused as a DDoS, not sure if we want this.
• [ ] Allow login using PassKeys (Not as 2FA) (See #4250)

Database support

• [ ] Easy migration, from SQLite to other two options
  • [x] SQLite to MySQL - documented here: Migrating from SQLite to MySQL
  • [ ] MySQL to PostgreSQL
  • [x] SQLite to PostgreSQL - Documented here: Migrating from SQLite to PostgreSQL

Admin page

• [x] Allow disabling users so they can't log in, without deleting their data. (Added via #1247)
• [ ] 2FA support
• [x] Hashed secret
• [ ] one-time-email login (a.k.a. Bitwarden style)
• [x] Add option to remove 2FA devices from users (#431)
• [ ] Add option to set default cipher URL matching (#432)
• [ ] Show more user info? (organizations and their user status in them, last connected date...)
  • [x] Show organizations per user
  • [x] Show the amount of attachments
  • [x] Show the amount of chipers
  • [x] Last login date (Added via #1245)
  • [ ] Multiple other items
• [ ] Vaultwarden version info and update notification?
  • [x] Version information and updates can be found in the admin panel /admin/diagnostics
  • [ ] Notifications about several items.
  • [x] Compare time of the server/host/container and the browser with NTP.
• [ ] Keep changed settings in the form instead of reset them on input/submit error (See #4017)

Security

• [ ] Set a configurable limit for the 2FA remember token, upstream uses 30 days (Maybe use JWT?).
• [x] Lock accounts after X login failures, configurable. (Rate limiting is a better option, else this would give people with bad intentions the option to lock everybody out from the specific vault)
• [ ] Rate limiting of API requests Either by documentation using third party tools, firewall, reverse proxy etc.. Or maybe built in without to much hassel #723
• [x] Rate limiting logins both admin and vault (Added via #2165)
• [ ] Do not run the container as root user (See #4358)

Docker images

• [x] Debian based both ARM and AMD64
  • [x] SQLite
  • [x] MySQL
  • [x] PostgreSQL
  • [x] Multi Database
• [x] Alpine based images (static/musl)
  • [x] SQLite
  • [x] MySQL (Added via #2172)
  • [x] PostgreSQL (Added via #1252 and #2172)

Other

• [ ] Add XoAuth2 support to fetch the token from the SMTP Provider and refresh used by Google or Microsoft
• [ ] Verify database collation to prevent issues (See: #1182 and #1184)
• [ ] Batch all the bulk database operations in the same transaction (import ciphers, move selected ciphers, purge vault, etc.)
• [ ] Make email and U2F use the same domain-guessing used by attachments
• [x] Groups support #245 (NOTE (2022-12-15): This feature has some known issues! - Added via #2846)
• [x] Manager support (Added via #1136)
• [ ] Log rotation / management #305
• [x] Run Vaultwarden at suburl #241
• [x] Audit log #229 (Added via: #2868 )
• [x] Push notifications #126 (Added via #3304)
  • Workaround: WebSockets provide notifications in web vault and browser extensions (maybe desktop app too?)
• [x] Implement Recover and Delete:
  • calls this endpoint /api/accounts/delete-recover with {"email":"provided@email.address"} param
  • we need to generate email that will provide a link to delete the account with some token to verify email ownership
  • Workaround: Delete user from admin panel and let them create new account
• [ ] Add Custom Role support for granular control of user permissions (https://bitwarden.com/help/article/user-types-access-control/#custom-role)
• [x] Add Personal Ownership support (https://bitwarden.com/help/article/policies/#personal-ownership) (Added via #1326)
• [x] Add Organizational Admin Password Reset support (https://bitwarden.com/help/admin-reset/) (See: #1820)
• [ ] Add Bitwarden Public API endpoints (https://bitwarden.com/help/public-api/) (Needs: Org API Key support) (Partially added to support Bitwarden Directory Connector v2022.11.0)
• [x] Run WebSockets on the same port as HTTP (third-party depends on Rocket support) (See: #685 / #2917) (Added via #3404)

If anyone wants to help implementing these features, we are available here or on the matrix channel to help guide you as much as we can.

[dani-garcia]

We have the /alive endpoint that could be used to handle that check:

HEALTHCHECK CMD curl -sf http://localhost/alive || exit 1

We’d also have to handle the case where HTTPS is enabled though.

[tckb]

I would love to see a native backup and restore solution. currently, I am running this on k8s and it would be pretty cool to have a native backup cron of sorts running in bg

[ViViDboarder]

@tckb there are other containers you could attach to Bitwarden_rs for backups. I'm using images that I built for Duplicity and Restic for doing exactly what you're talking about.

• ViViDboarder/docker-restic-cron
• ViViDboarder/docker-duplicity-cron

Both allow you to set up cron schedule for both backups and verification. They also allow automatically restoring when the data directory is empty. Backing up a database requires a pre-backup and a post restore script.

Here's the gist of it in a gist of it... https://gist.github.com/ViViDboarder/aa480ac3411f359df80376023bc4e987

To make things simpler, I should probably have tagged images for backing up sqlite and mysql with scripts bundled.

[tckb]

thanks for the cue! @ViViDboarder I am thinking of setting up a k8s cron job. and container which does the backup. the k8s cron is especially makes easy to change the schedule in demand w/o needing to the build image.

[ViViDboarder]

@tckb wow. I really ought to switch to k8s, hah. That's super handy.

I've been using Dockron to get something similar (cron schedules to update my ddns and renew certs), but I had already built the self contained backup images. The one advantage to the all-in-one images that I shared is that it contains restoration as well. If just running backups on cron, you won't be able to automate restoration should you re-deploy on a different host. You may not care so much about this though.

With the embedded cron images linked, you don't actually have to rebuild the image to change schedule, just update the env variable and restart the container. The Dockerfile and image are only built to add the sqlite executable.

[tckb]

@ViViDboarder that looks interesting, are you running it in swarm? btw, http://duplicity.nongnu.org looks pretty good fit for something I am searching. Which provider are you using for storage?

[ViViDboarder]

@tckb for now just Docker Compose directly on each host and I use Ansible to orchestrate.

I'm using Backblaze B2 for storage. It's convenient and affordable. Both Duplicity and Restic support many backends though.

[ntimo]

I would like to suggest to add a configurable rate limit to the API https://github.com/dani-garcia/bitwarden_rs/issues/723.

[tckb]

@ntimo you an have rate limiting on the proxy. I have it configured via Nginx proxy

[ntimo]

@tckb Yes you could do it with a reverse proxy, but I personally think it would be better if the API would handle this by itself.

[ajwstevens]

Hello, I was wondering if it's possible to search through the securenotes? I think this is possible in upstream: https://help.bitwarden.com/article/searching-vault/ In bitwarden_rs I made a secure note with the string "imanager' in it. When i search through the vault I would like that note to pop up.

[dani-garcia]

@ajwstevens That works for me but you need to use the special syntax:

>notes:imanager

You might need to add asterisks as wildcards:

>notes:*imanager*

It's all documented in the section Advanced searches of the link you posted.

[cedricroijakkers]

Hi all, I would like to request a new feature: audit trail logging. Allow the possibility (with an environment variable) to log which user is accessing a password in an organisation. For auditability, we would like to see when somebody is creating, modifying, or reading a password in an organisation. No need to log access to a private password, but for shared passwords in an organisation, we would like to keep an audit trail of access, in case of abuse.

[ptman]

@cedricroijakkers I would like that too, but think about how bitwarden works and how this would be possible. Since the passwords are synced to different devices, what forces a client to report to the server what local operations have occured?

[cedricroijakkers]

@ptman Forgive the ignorant bliss, I'm only just starting to learn the architecture of Bitwarden, but I noticed that when opening a password in an organsation, the decription key is being downloaded from the server. Would that be a possibility?

[ptman]

@cedricroijakkers you probably know more than me already. I just drew conclusions from there being a sync instead of each access going to the server

[nakermann1973]

Hi - I would like to suggest a new feature

Allow attachments to be stored in the database, instead of on the filesystem. This would make backups of the data easier, by only backup up the database, and would also allow clustering/redundancy of the server, by not having to rely on local storage.

[Nonobis]

Hi, Could you add an automatic export of Key/Data as encrypted/compressed file to a targeted folder ? For example, export to a folder backuped in cloud, if data is crypted it's not a problem.

Better if server crash :)

[yelch]

First of all: Thank you very much! I am using the docker image on a synology with reverse proxy, letencrypt and everything (incl. push-updates) is working very well!

I have a few questions/feature requests:

Backup Could you let us specify a backup location and add automated backups (daily/weekly) in the admin interface. Fantastic would be a backup plan option like 'keep daily for 30 days / weekly for 6 months / monthly for a year.

Folders What folders are needed/possible to specify. Are there only the ones specified in the Read-only section?

Customisation Is there a dark theme planned? If I change the web-vault folder, how can I customize the interface? Is it possbile to create child-themes?

[mprasil]

@yelch I think the Backup is somewhat inappropriate name for what should really be called DB dump. To have scheduled backups and to have some form of rotation is a functionality that your backup software should do, not a password management server.

There are couple interesting projects doing some automation around bitwarden_rs backups that are linked from our wiki, but generally speaking most backup software offers some form of such functionality.

[SuNNjek]

Hi, I'm wondering if it would be possible to build an ARM Docker image with Postgres enabled? I tried generating the Dockerfile for it, but the build fails with the linker saying it can't find libpq even though it should be installed according to the Dockerfile 😕

[PrivatePuffin]

@SuNNjek Try checking in the docker itself if the image is actually there. Somethings you need a different reference for different platforms for certain libraries.

Something like this top open a console inside the docker image: Docker exec $image /bin/bash

[T-bond]

Hi, Would it be possible to get an Alpine version from the bitwardenrs/server-postgresql docker image (as the main bitwardenrs/server variant has it already)?

[alfonsrv]

Please add the ability to export and manage organizations more in-depth. A user forgot his password and I cannot delete him because he's the owner of an organization. Also when exporting user stores, organizations cannot be optionally exported.

Also, is it possible to actually sync LDAP user passwords / authenticate users via LDAP or is this not viable due to security concerns, e.g. the way stores are en-/decrypted?

[stanelie]

I too would like a way to authenticate against LDAP. As I understant it, the bitwarden_rs_ldap is only there to invite people from your ldap tree to your bitwarden_rs instance.

[ViViDboarder]

It is not possible to use LDAP as the sole form of authentication without sacrificing client side decryption. At least not without completely rewriting the client applications.

I don't know if there are examples of password managers doing LDAP auth out in the wild. Even enterprise solutions like LastPass use LDAP only for provisioning/deprovisioning. https://www.lastpass.com/enterprise/directory-integration

[PrivatePuffin]

@stanelie be aware you don't even actually "authenticate" against the bitwarden server afaik. You authenticate your password in the client against a local datablob (recieved from the server), the result of which is used to authorise you access to your data on the server.

In contrast with LDAP the Bitwarden server never actually does the authentication itself. So yes, what @ViViDboarder says: it would require a whole redesign, which would make it loose it's unique features compared to something like Nextcloud Passwords.

[stanelie]

Thanks for kindly taking the time to explain that.

[jhf2442]

Hi,

hope this is the right place to issue my wishes regarding the password checking tools (weak, exposed, reused etc) :-) or is this something that should be reported to upstream "official" BW codebase ?

• I have some passwords which are weak and will remain like this forever. Example : the PIN of my credit card. Same applies for some reused passwords. Would be good to have the possibility to tag them as "waived", eg by adding a custom field. This would make the whole list cleaner as it would only display the passwords I really need to take care of
• on the list of weak passwords, it would be good to be able to sort on the weakness column, to get really weak passwords listed first - they would potentially require the most attention
• on the list of reused passwords... how to get the list of passwords sharing the same entry ? I mean if there's written "reused 2 times", how to find the other entry ? Possibly adding a popup when hovering over the "reused 2 times" label ?

Many thanks

[PrivatePuffin]

@jhf2442

• This is formost a client side (UI) issue from Bitwarden, only after Bitwarden themselves adds this feature should/could it be added to bitwarden_rs. Bitwarden_rs doesn't maintain the clientside codebase.

• This is client side only, if bitwarden adds this to the client side code, it would auto-magically also be fixed when using bitwarden_rs

• Again client side only, not something related to bitwarden_rs.

Please be aware bitwarden_rs is ONLY the server side of the application. Simply put it only does the lookups in the database for the client. Everything you see and touch is mostly not a API query (Simply put: database related).

Simply put: If it grabs new data (passwords, username etc) it does a api query to the server, so in those cases its both client side (it does something you can view and interact with) and server side (it gets data). In cases where it just sorts data differently its either just client side or a combination. (depending on coding preferences) In cases where it's just showing weither a password is bad or not (You already have the data, just checking if its good), it's just client side.

If something has a client-side part, it can't be fixed by bitwarden_rs. As soon as bitwarden implements it it will/can be ported to bitwarden_rs.

(Yes I know this is a simplification of the API, but it's the most easy form to explain it in such a way a non-coder should be able to justify weither something is Client or Server side)

[jhf2442]

@Ornias1993 thanks for the extensive reply - Server-side API would have been enough :-)

I've submitted my feature requests on the pertaining forum at the bitwarden website ... looks like the 2nd one (sorting the weak passwords per status) was already filed last month !

In case people want to upvote these topics :

• https://community.bitwarden.com/t/waiving-weak-exposed-reused-passwords/10625
• https://community.bitwarden.com/t/weak-passwords-sorting/10005
• https://community.bitwarden.com/t/find-out-which-passwords-are-the-same/10626

[alfonsrv]

Regarding LDAP – but why wouldn't this work? We can still hold the password as is in the client application. A workflow could look like this:

1. Get username + password from login form; password is sent to server
2. Bitwarden server authenticates password against LDAP (which basically simply returns True/False for a given Username/Password combination)
3. If password is authenticated against LDAP successfully, authenticate password against internal database. If they don't match, initiate password change process (this would require the ability to change a password without having to decrypt the keys using the previous one, which could lead to the only security issue in this chain)
4. Proceed business as usual

Where am I going wrong? The added LDAP auth step doesn't require rewriting the client as far as I can tell(?)

[ViViDboarder]

@alfonsrv biggest reason is password change.

You have to maintain two passwords, which will require a client change.

[alfonsrv]

@ViViDboarder right. So an option could be a fallback interface. It could trigger as soon as authentication succeeds and bitwarden_rs realizes it cannot decrypt the keys properly, redirecting to a rudimentary interface – much like the /admin – requiring a user to input both the old and new password, in order to also facilitate the password change on the bitwarden_rs side.

[mprasil]

Where am I going wrong?

@alfonsrv I think you're ignoring the core feature of Bitwarden - client side encryption. Client does not send password as entered to the server, it sends just derived key. (which is non-reversible) So the actual password never touches server.

Which also means the server can't re-encrypt anything as it does not know the password.

[ViViDboarder]

@alfonsrv yes. That’s then two passwords anyway. Today, nothing stops you from changing your Bitwarden password to your LDAP password.

This was discussed earlier (in this thread or another), but Bitwarden_rs is only a server. We use the upstream clients. If Bitwarden proper adds this kind of functionality into their clients, we could do the same.

But again, I find it unlikely for the reasons mentioned earlier.

[PrivatePuffin]

@mprasil Indeed, the whole idea is based on a flawed interprentation of how Bitwarden works:

1. "password is sent to server" Which it isn't.

2. "Bitwarden server authenticates" Which it doesn't, authentication is client side, authorisation is (partly) server side.

3. "If password is authenticated against LDAP successfully" Nice and all, but the server has no authority weither you are or aren't authencitated, so neither would LDAP.

What could work: In theory it would be possible to let some form of middleware propagate any LDAP password changes to Bitwarden (but not visa versa). But that middleware wouldn't be part of Bitwarden_rs as it goes out-of-scope aka it goes against the core design philosophy of bitwarden. Simply put: The bitwarden is designed around: The server never recieves or handles your password.

It would also require client side changes (for example hiding the password change options within bitwarden), which would also be out of scope for bitwarden_rs

Using the bitwarden API, you could however very well make a form of middleware thats server agnostic. It would however be a seperate github project.

[mprasil]

@Ornias1993 yeah you could implement something outside bitwarden, but at that stage you might be better to just use something else that doesn't do client side encryption.

[jjlin]

FWIW, LastPass has a somewhat complex solution for this, though AFAICT, it's not for AD/LDAP per se. I doubt anything like this would get implemented in upstream Bitwarden anytime soon, though.

See the "LastPass Federated Login Services" section:

https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf

[alfonsrv]

@mprasil Indeed, the whole idea is based on a flawed interprentation of how Bitwarden works:

Whoa, easy there. Indeed it was probably naive to assume it would work in a traditional web-app way; should've checked the REST calls earlier – pardon me. Would have been awesome to see it integrated – especially in order to provide a uniform logon experience across an AD infrastructure where convenient management and storage of logins against 3rd party platforms is very relevant, but I agree an LDAP implementation it is likely out of scope given what I know now.

edit: However, not sure how the derived key verification works, but why not let the AD server reply with a similar challenge for verification? If worst comes to worst, there's a "feature" in AD where you can store passwords reversible. Obviously not ideal, but could get the job done, no?

[PrivatePuffin]

In order to provide a uniform logon experience across an AD infrastructure where convenient management and storage of logins against 3rd party platforms is very relevant

Ofcoarse those things are awesome, but lets be realistic: Bitwarden is not meant nor designed to work with centralised user management.

If you want LDAP user control, maybe look at Nextcloud Passwords (although the mobile os support sucks for it), however: as it supports nextcloud user mangement it would support the feature you want :)

[PrivatePuffin]

but why not let the AD server reply with a similar challenge for verification

In that case you need quite complex middleware and my previously proposed middleware solution would be simpler/cleaner.

What you are saying is basically "Why can't I rewrite Bitwarden for LDAP?"... If you have the time and energy you could ofcorase write something that accepts the bitwarden API using LDAP. But it would require MASSIVE redesign if you would take bitwarden_rs as basis.

[ViViDboarder]

@alfonsrv something similar to what is in the whitepaper that @jjlin posted could do the trick, but that's a complete architecture change for auth. Client and server.

The whitepaper essentially describes what @Ornias1993 is suggesting. A middleware that they use to interface with AD.

[PrivatePuffin]

@ViViDboarder Addition: It would also come with a WHOLE host of potential additional security issues that need to be taken care of, so it for sure not anywhere close to "easy".

I would dare to say it might even be harder than writhing bitwarden_rs from scratch.

[repomaa]

API Docs! Since not even the official bitwarden server implementation maintains any type of api documentation, it'd be very cool if bitwarden_rs did. It would help alot when developing 3rd party applications. While the routes and payloads aren't that complicated the response data is. It'd be great to have detailed type information about the returned data.

[ndanyluk]

Would it be possible to make use of Docker Manifest Lists for a multi-arch image? I do this for all of my images, but I use Travis to automate the builds. For example, I push images to separate repos for each arch (i.e. ndanyluk/prometheus-armv6, ndanyluk/prometheus-amd64) then tag them and push a manifest list to the main repo (in the prometheus example, ndanyluk/prometheus)

[Skeen]

This PR https://github.com/diesel-rs/diesel/pull/1884 has been merged, which could enable PostgreSQL support, by changing replace_into calls into upsert calls.

[goetzk]

Support for SAML would be really good, but I appreciate the extra code to carry might be too much. If there is another supported auth method we could use as an adaptor to SAML I'm interested in hearing about that too.

[ptman]

@goetzk SAML has many of the same problems as LDAP

[goetzk]

Being able to disable users rather than delete them would be really handy. In my case I'm considering writing a (Python) Requests script to create users but if deleting them is the only option that sounds a bit dangerous to script for the exit part of the journey.