[META] Feature Requests

[dani-garcia]

To avoid cluttering the issue tracker with feature requests, please comment any requests here and we'll keep a list.

When available, I've linked a related issue or comment to add context to the request.

Authentication

• Support official LDAP directory-connector. There also is a 3rd party connector.
• OAuth / SSO (Enable user SSO access using OAuth #94 and Push new docker image to support SSO #1134) (Some work is done in OIDC SSO Re: Issue #246 #1955 and OIDC SSO #2449 and Sso Support based off existing PR's #3154)
• Key-Connector support (Needs SSO) (Feature Request: key-connector for master-passwordless SSO #2583)
• Allow organizations to require 2FA for their members Organization Two-step Login #981 (Added via Two-step login organization policy enforcement - Resolves dani-garcia/bitwarden_rs#981 #1604)
• Allow authentication using a per user generated API-Key (Cannot create API Key - An unexpected error has occurred - 404 Not Found #1250) (Added via Add support for API keys #2245)
• Allow authentication using a per organization generated API-Key (Added via Implement the Organization API Key support for the new Directory Connector v2022 #3568)
• Add Emergency Access (https://bitwarden.com/help/article/emergency-access/)
• Add support for multiple account feature (Login session expired with account switching #2295) (https://bitwarden.com/help/account-switching/) (Added via Update login API code and update crates to fix CVE #2354)
• Send email on x amount invalid login attempts (https://vaultwarden.discourse.group/t/how-can-i-protect-my-vaultwarden-account-from-brute-force-attacks/3067) This could be abused as a DDoS, not sure if we want this.
• Allow login using PassKeys (Not as 2FA) (See Support log in and decrypt with passkeys #4250)

Database support

• Easy migration, from SQLite to other two options
  • SQLite to MySQL - documented here: Migrating from SQLite to MySQL
  • MySQL to PostgreSQL
  • SQLite to PostgreSQL - Documented here: Migrating from SQLite to PostgreSQL

Admin page

• Allow disabling users so they can't log in, without deleting their data. (Added via Implement admin ability to enable/disable users #1247)
• 2FA support
• Hashed secret
• one-time-email login (a.k.a. Bitwarden style)
• Add option to remove 2FA devices from users (What happens if I lose my Yubikey? #431)
• Add option to set default cipher URL matching ([Feature Request] Allow pre-defining user settings and disabling some #432)
• Show more user info? (organizations and their user status in them, last connected date...)
  • Show organizations per user
  • Show the amount of attachments
  • Show the amount of chipers
  • Last login date (Added via Show last active it on admin users page #1245)
  • Multiple other items
• Vaultwarden version info and update notification?
  • Version information and updates can be found in the admin panel /admin/diagnostics
  • Notifications about several items.
  • Compare time of the server/host/container and the browser with NTP.
• Keep changed settings in the form instead of reset them on input/submit error (See Unsaved Settings get discarded #4017)

Security

• Set a configurable limit for the 2FA remember token, upstream uses 30 days (Maybe use JWT?).
• Lock accounts after X login failures, configurable. (Rate limiting is a better option, else this would give people with bad intentions the option to lock everybody out from the specific vault)
• Rate limiting of API requests
  Either by documentation using third party tools, firewall, reverse proxy etc.. Or maybe built in without to much hassel Add rate limiting to the API #723
• Rate limiting logins both admin and vault (Added via Basic ratelimit for user login (including 2FA) and admin login #2165)
• Do not run the container as root user (See Deployment vaultwarden (in cluster main) violates 'Process with UID 0' Policy #4358)

Docker images

• Debian based both ARM and AMD64
  • SQLite
  • MySQL
  • PostgreSQL
  • Multi Database
• Alpine based images (static/musl)
  • SQLite
  • MySQL (Added via Support all DB's for Alpine and Debian #2172)
  • PostgreSQL (Added via Updated dependencies and Dockerfiles #1252 and Support all DB's for Alpine and Debian #2172)

Other

• Add XoAuth2 support to fetch the token from the SMTP Provider and refresh used by Google or Microsoft
• Verify database collation to prevent issues (See: Database migration to 1.17.0 fails on mariadb #1182 and Update to 1.17.0 fails - Bitwarden RS Mysql-Backend #1184)
• Batch all the bulk database operations in the same transaction (import ciphers, move selected ciphers, purge vault, etc.)
• Make email and U2F use the same domain-guessing used by attachments
• Groups support Support for groups #245 (NOTE (2022-12-15): This feature has some known issues! - Added via Group support | applied .diff #2846)
• Manager support (Added via Org managers can't create or manage collections #1136)
• Log rotation / management Question: Is the log file periodically deleted? #305
• Run Vaultwarden at suburl Run locally at suburl #241
• Audit log Audit Log #229 (Added via: Add Organizational event logging feature #2868 )
• Push notifications add support for push notifications on changes #126 (Added via feat: Implement Push Notifications sync #3304)
  • Workaround: WebSockets provide notifications in web vault and browser extensions (maybe desktop app too?)
• Implement Recover and Delete:
  • calls this endpoint /api/accounts/delete-recover with {"email":"provided@email.address"} param
  • we need to generate email that will provide a link to delete the account with some token to verify email ownership
  • Workaround: Delete user from admin panel and let them create new account
• Add Custom Role support for granular control of user permissions (https://bitwarden.com/help/article/user-types-access-control/#custom-role)
• Add Personal Ownership support (https://bitwarden.com/help/article/policies/#personal-ownership) (Added via Add support for the Personal Ownership policy #1326)
• Add Organizational Admin Password Reset support (https://bitwarden.com/help/admin-reset/) (See: Enterprise Admin password reset #1820)
• Add Bitwarden Public API endpoints (https://bitwarden.com/help/public-api/) (Needs: Org API Key support)
  (Partially added to support Bitwarden Directory Connector v2022.11.0)
• Run WebSockets on the same port as HTTP (third-party depends on Rocket support) (See: Run websocket server on same port as other HTTP serving #685 / Run websocket server on same port as other HTTP serving #2917) (Added via WebSockets via Rocket's Upgrade connection #3404)

If anyone wants to help implementing these features, we are available here or on the matrix channel to help guide you as much as we can.