vaultwarden/Cargo.toml
BlackDex de157b2654
Admin token Argon2 hashing support
Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead
of only supporting a plain text string.

The hash must be a PHC string which can be generated via the `argon2`
CLI **or** via the also built-in hash command in Vaultwarden.

You can simply run `vaultwarden hash` to generate a hash based upon a
password the user provides them self.

Added a warning during startup and within the admin settings panel is
the `ADMIN_TOKEN` is not an Argon2 hash.

Within the admin environment a user can ignore that warning and it will
not be shown for at least 30 days. After that the warning will appear
again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash.

I have also tested this on my RaspberryPi 2b and there the `Bitwarden`
preset takes almost 4.5 seconds to generate/verify the Argon2 hash.

Using the `OWASP` preset it is below 1 second, which I think should be
fine for low-graded hardware. If it is needed people could use lower
memory settings, but in those cases I even doubt Vaultwarden it self
would run. They can always use the `argon2` CLI and generate a faster hash.
2023-03-04 16:15:30 +01:00

176 lines
5.3 KiB
TOML

[package]
name = "vaultwarden"
version = "1.0.0"
authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
edition = "2021"
rust-version = "1.61.0"
resolver = "2"
repository = "https://github.com/dani-garcia/vaultwarden"
readme = "README.md"
license = "AGPL-3.0-only"
publish = false
build = "build.rs"
[features]
# default = ["sqlite"]
# Empty to keep compatibility, prefer to set USE_SYSLOG=true
enable_syslog = []
mysql = ["diesel/mysql", "diesel_migrations/mysql"]
postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
# Enable to use a vendored and statically linked openssl
vendored_openssl = ["openssl/vendored"]
# Enable MiMalloc memory allocator to replace the default malloc
# This can improve performance for Alpine builds
enable_mimalloc = ["mimalloc"]
# This is a development dependency, and should only be used during development!
# It enables the usage of the diesel_logger crate, which is able to output the generated queries.
# You also need to set an env variable `QUERY_LOGGER=1` to fully activate this so you do not have to re-compile
# if you want to turn off the logging for a specific run.
query_logger = ["diesel_logger"]
# Enable unstable features, requires nightly
# Currently only used to enable rusts official ip support
unstable = []
[target."cfg(not(windows))".dependencies]
# Logging
syslog = "6.0.1" # Needs to be v4 until fern is updated
[dependencies]
# Logging
log = "0.4.17"
fern = { version = "0.6.1", features = ["syslog-6"] }
tracing = { version = "0.1.37", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
backtrace = "0.3.67" # Logging panics to logfile instead stderr only
# A `dotenv` implementation for Rust
dotenvy = { version = "0.15.6", default-features = false }
# Lazy initialization
once_cell = "1.17.1"
# Numerical libraries
num-traits = "0.2.15"
num-derive = "0.3.3"
# Web framework
rocket = { version = "0.5.0-rc.2", features = ["tls", "json"], default-features = false }
# WebSockets libraries
tokio-tungstenite = "0.18.0"
rmpv = "1.0.0" # MessagePack library
# Concurrent HashMap used for WebSocket messaging and favicons
dashmap = "5.4.0"
# Async futures
futures = "0.3.26"
tokio = { version = "1.25.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] }
# A generic serialization/deserialization framework
serde = { version = "1.0.152", features = ["derive"] }
serde_json = "1.0.93"
# A safe, extensible ORM and Query builder
diesel = { version = "2.0.3", features = ["chrono", "r2d2"] }
diesel_migrations = "2.0.0"
diesel_logger = { version = "0.2.0", optional = true }
# Bundled/Static SQLite
libsqlite3-sys = { version = "0.25.2", features = ["bundled"], optional = true }
# Crypto-related libraries
rand = { version = "0.8.5", features = ["small_rng"] }
ring = "0.16.20"
# UUID generation
uuid = { version = "1.3.0", features = ["v4"] }
# Date and time libraries
chrono = { version = "0.4.23", features = ["clock", "serde"], default-features = false }
chrono-tz = "0.8.1"
time = "0.3.19"
# Job scheduler
job_scheduler_ng = "2.0.4"
# Data encoding library Hex/Base32/Base64
data-encoding = "2.3.3"
# JWT library
jsonwebtoken = "8.2.0"
# TOTP library
totp-lite = "2.0.0"
# Yubico Library
yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false }
# WebAuthn libraries
webauthn-rs = "0.3.2"
# Handling of URL's for WebAuthn and favicons
url = "2.3.1"
# Email libraries
lettre = { version = "0.10.3", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
percent-encoding = "2.2.0" # URL encoding library used for URL's in the emails
email_address = "0.2.4"
# HTML Template library
handlebars = { version = "4.3.6", features = ["dir_source"] }
# HTTP client (Used for favicons, version check, DUO and HIBP API)
reqwest = { version = "0.11.14", features = ["stream", "json", "gzip", "brotli", "socks", "cookies", "trust-dns"] }
# Favicon extraction libraries
html5gum = "0.5.2"
regex = { version = "1.7.1", features = ["std", "perf", "unicode-perl"], default-features = false }
data-url = "0.2.0"
bytes = "1.4.0"
# Cache function results (Used for version check and favicon fetching)
cached = "0.42.0"
# Used for custom short lived cookie jar during favicon extraction
cookie = "0.16.2"
cookie_store = "0.19.0"
# Used by U2F, JWT and PostgreSQL
openssl = "0.10.45"
# CLI argument parsing
pico-args = "0.5.0"
# Macro ident concatenation
paste = "1.0.11"
governor = "0.5.1"
# Check client versions for specific features.
semver = "1.0.16"
# Allow overriding the default memory allocator
# Mainly used for the musl builds, since the default musl malloc is very slow
mimalloc = { version = "0.1.34", features = ["secure"], default-features = false, optional = true }
which = "4.4.0"
# Argon2 library with support for the PHC format
argon2 = "0.5.0-pre.0"
# Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
rpassword = "7.2"
# Strip debuginfo from the release builds
# Also enable thin LTO for some optimizations
[profile.release]
strip = "debuginfo"
lto = "thin"
# Always build argon2 using opt-level 3
# This is a huge speed improvement during testing
[profile.dev.package.argon2]
opt-level = 3