Skip to content

Releases: shuaiplus/nodewarden

v1.7.2 - New Backup Providers, WebAuthn PRF, and UI Polish

Choose a tag to compare

@shuaiplus shuaiplus released this 01 Jul 05:37

Added

  1. Three new S3-compatible backup providers: Backblaze B2, Cloudflare R2, and Tigris. Each new destination comes with detailed provider-specific recommendations, storage-class guidance, and localization strings across all five supported languages. You can now back up to more services without custom scripting. Commits: 1acc31e, c3dc53b, ff85698.

  2. WebAuthn PRF (pseudorandom function) extension support. Credential creation and assertion now pass browser-compatible PRF extension requests, support excluding PRF extensions where the client doesn't need them, and handle the underlying passkey operations more robustly. This improves WebAuthn compatibility with modern browsers and password managers that rely on PRF for per-credential keys. Commits: 8942e5b, 31cfd19, 6a1a835, bf6ac7b.

  3. Backup import locking and checksum verification. Restoring a full backup now acquires an exclusive lock so concurrent imports cannot collide, and the importer verifies file checksums before applying the data. This makes disaster recovery safer when multiple admins might trigger restores. Commit: e9272ec.

  4. Fullscreen layout toggle. The web vault can now switch to fullscreen mode with a dedicated toggle button, with corresponding localization updates. Useful for kiosk-mode or presentation setups. Commit: d722815.

  5. Fill-assist API handlers. NodeWarden now implements Bitwarden-compatible credential fill-assist endpoints, letting clients fetch credentials inline via the new POST /fill-assist route. Device response types are also updated to include the fields needed by the fill-assist flow. Commit: e4215b4.

  6. Device selection and removal in SecurityDevicesPage. The security devices panel now supports selecting individual trusted devices and removing them directly from the web UI, so you no longer need to use the API to revoke a specific device. Commit: a5ad16a.

  7. Delete invalid organization invitations. Admins can now detect and remove dangling or invalid invitations from the admin panel, helping keep the invitation list clean. The API also renamed revokeInvite to deleteInvite for clearer semantics. Commits: 0d1bb19, f82dcc3.

  8. validFolderIds support in cipher responses. Sync and cipher responses now include a validFolderIds field so clients can distinguish real folders from orphaned references. The folder repository also validates folder existence more strictly. Commit: 82f968e.

  9. Pending auth request loading state. The pending login-request panel shows a refreshing indicator while fetching or updating the request list, providing clearer feedback during auth request workflows. Commit: 4378e1b.

Improved

  1. Enhanced Bitwarden CSV import with custom field and multiline support. The CSV parser now recognizes custom fields and restores their metadata correctly during import. It also preserves multiline values such as SSH private keys—previously, any line without a : delimiter was silently dropped, truncating private keys to the first line. Text fields containing newlines now survive a full export-import round-trip. Commits: 5eeaf4e, 68c42a0.

  2. Consolidated security devices UI. Device management and authorized devices sections are merged into a single coherent card on SecurityDevicesPage, and the pending-auth-requests panel has been removed from the general SettingsPage to reduce clutter. The device list also includes improved selection controls. Commit: c694f1b.

  3. Refined app-shell styles and dark mode consistency. Removed redundant global styles, cleaned up shell component spacing, and improved dark-mode visual consistency across the header, sidebar, and main content areas. Commit: 1bfb9a6.

  4. Backup and restore error messages across all locales. New error strings for backup/restore edge cases—lock failures, checksum mismatches, missing files—are now localized in all five supported languages (en, es, ru, zh-CN, zh-TW), with improved UI prompts for backup browser refresh scenarios. Commit: 4cd9ad0.

  5. Updated project wiki link and removed obsolete security scripts. The issue-template wiki link now points to the correct URL, and the old local security scanning scripts and workflows have been removed in favor of GitHub-native security automation (CodeQL, security-extra workflows). Commit: e31f82c.

  6. Security automation and dependency hardening. Added GitHub-native CodeQL and security-extra workflows, overrode a ws vulnerability, and upgraded CI actions to pinned major versions (checkout v7, setup-node v6, create-pull-request v8). Dependencies refreshed include TypeScript 6.0, @types/node 26, lucide-preact 1.x, and many others across npm and GitHub Actions. Commits: 64f26e7, 32b3d2a, 5dd9dff, 8d292ca, 5bd7dab, 99f2d7f, fb9a2ae, c87e6ac.

Fixed

  1. CSV import truncating multiline field values. parseBitwardenCsvFieldLines previously discarded any line that did not contain a : delimiter, silently dropping SSH private keys and other multiline content to only the first line. The parser now accumulates continuation lines correctly, restoring full private key content through a CSV round-trip. Commit: 68c42a0.

新增

  1. 三个新的 S3 兼容备份提供商:Backblaze B2、Cloudflare R2 和 Tigris。 每个新目标都带有详细的提供商建议、存储层级指导和五种语言的本地化字符串,无需额外脚本即可将备份扩展到更多存储服务。提交:1acc31ec3dc53bff85698

  2. WebAuthn PRF(伪随机函数)扩展支持。 创建和断言凭证时会传递浏览器兼容的 PRF 扩展请求,支持在不需要时排除 PRF 扩展,并且底层密钥操作更健壮。这改善了与依赖 PRF 做每凭据密钥派生功能的现代浏览器和密码管理器的兼容性。提交:8942e5b31cfd196a1a835bf6ac7b

  3. 备份导入加锁和校验和验证。 完整恢复备份时现在会获取独占锁,防止并发导入冲突;导入前还会验证文件校验和再应用数据。多管理员可能同时触发恢复时,该机制让灾难恢复更加安全。提交:e9272ec

  4. 全屏布局切换。 Web 保险库现在可以通过专用按钮切换全屏模式,附带对应本地化更新。适合信息亭模式或展示等场景。提交:d722815

  5. Fill-assist API 处理器。 NodeWarden 现在实现了与 Bitwarden 兼容的凭据填充辅助端点,客户端可以通过新的 POST /fill-assist 路由内联获取凭据。设备响应类型也补上了 fill-assist 流程需要的字段。提交:e4215b4

  6. 安全设备页的设备选择与删除。 设备面板现在支持在 Web UI 中直接选择单个可信设备并移除,无需通过 API 手动撤销指定设备。提交:a5ad16a

  7. 删除无效邀请码。 管理员现在可以在管理面板中检测并删除悬空或无效的邀请,保持邀请列表整洁。API 也将 revokeInvite 改名为 deleteInvite,语义更清晰。提交:0d1bb19f82dcc3

  8. 密码条目响应增加 validFolderIds。 同步和密码条目响应现在包含 validFolderIds 字段,方便客户端区分真实文件夹和孤立引用;文件夹存储也加强了对文件夹存在性的校验。提交:82f968e

  9. 待处理认证请求的加载状态。 待处理的登录请求面板现在会在获取或更新请求列表时显示刷新指示器,为认证请求操作提供更清晰的反馈。提交:4378e1b

改进

  1. 增强的 Bitwarden CSV 导入——自定义字段和多行支持。 CSV 解析器现在可以识别自定义字段并在导入时正确恢复其元数据。同时保留了 SSH 私钥等多行值——之前任何不带 : 分隔符的行都会被丢弃,导致私钥只保留第一行。包含换行符的文本字段现在可以完整通过导出-导入周期。提交:5eeaf4e68c42a0

  2. 整合安全设备界面。 设备管理和已授权设备两个部分合并为 SecurityDevicesPage 上的一个统一卡片;待处理认证请求面板从 SettingsPage 中移除以减少杂乱。设备列表也改进了选择操作。提交:c694f1b

  3. 精简应用外壳样式与暗色模式一致性。 移除了冗余全局样式,清理了外壳组件间距,改善了头部、侧边栏和主内容区在暗色模式下的视觉一致性。提交:1bfb9a6

  4. 备份/恢复错误消息全语言本地化。 备份/恢复边界场景(加锁失败、校验和不匹配、文件缺失)的新错误字符串已在五种支持语言(en、es、ru、zh-CN、zh-TW)中完成本地化,同时改进了备份浏览器刷新场景下的界面提示。提交:4cd9ad0

  5. 更新项目 Wiki 链接并移除过时安全脚本。 议题模板中的 Wiki 链接已指向正确 URL;老旧的本地安全扫描脚本和工作流已移除,改用 GitHub 原生安全自动化(CodeQL、security-extra 工作流)。提交:e31f82c

  6. 安全自动化和依赖加固。 新增 GitHub 原生 CodeQL 和 security-extra 工作流;覆盖了 ws ...

Read more

v1.7.1 Security Hardening Update

Choose a tag to compare

@shuaiplus shuaiplus released this 23 Jun 17:59

Thanks to GN998 for responsibly reporting security issues addressed in this release.

Improved

  1. Stronger security defaults. NodeWarden now applies more conservative handling around sensitive authentication, backup, and file-delivery flows while keeping existing clients compatible. Upgrade is recommended for all deployments. Commits: 7279668, 850fe0f, a2a8f1c, 23b23f3.

Fixed

  1. High-priority security fixes. This release closes multiple reported security issues across sensitive server-side flows. Commits: 7279668, 850fe0f, a2a8f1c, 23b23f3.

  2. Security dependency overrides. Package overrides were added for selected transitive dependencies so installs resolve to patched versions where applicable. Commit: 0daad46.


感谢 GN998 发现并提交了本次发布中修复的安全问题。

改进

  1. 更稳妥的安全默认行为。 NodeWarden 对敏感认证、备份和文件响应流程采用了更保守的处理方式,同时保持现有客户端兼容。建议所有部署尽快升级。提交:7279668850fe0fa2a8f1c23b23f3

修复

  1. 高优先级安全修复。 本次发布修复了多项已报告的安全问题,覆盖敏感服务端流程和响应加固。提交:7279668850fe0fa2a8f1c23b23f3

  2. 安全依赖覆盖。 为部分传递依赖添加了版本覆盖,让安装时尽可能解析到已修复版本。提交:0daad46

v1.7.0 - Faster Multi-Device Sync, Mobile Push, and a Smoother Vault

Choose a tag to compare

@shuaiplus shuaiplus released this 22 Jun 17:41

v1.7.0 - Faster Multi-Device Sync, Mobile Push, and a Smoother Vault

Added

  1. Resource-level realtime sync. NodeWarden now sends Bitwarden-style notifications for cipher, folder, and Send create, update, and delete events. The web app can refresh only the affected resource instead of reloading the full vault every time, and state-changing operations such as attachment uploads, attachment deletes, public Send access counts, and Send file downloads also emit the right updates. Commits: fe0c66c, 42b765b, 045b23f, 46ba8b9, f096681.

  2. Bitwarden mobile push relay support. Devices can now store push_uuid and push_token, register or unregister through the Bitwarden push relay, and receive mobile push notifications when vault resources change. The database schema includes the new push fields and indexes needed to detect push-capable devices. Commit: 79ed7c9.

  3. Bitwarden CSV export. The web app can now export a Bitwarden-compatible CSV file alongside the existing JSON, encrypted JSON, and attachment ZIP formats. Multiple login URIs are serialized safely, and non-login item types such as cards, identities, and SSH keys are preserved as clearly as possible in field text. Commits: b024226, a06cb0e.

  4. More duplicate detection modes. Duplicate search can now compare exact item content, login site plus credentials, username plus password, or password alone. Duplicate groups are color-coded, and the mobile vault UI includes the new duplicate mode selector and improved filter controls. Commits: 7b3be2c, b444c0f.

  5. S3 addressing style selection. Backup destinations can now choose between path-style and virtual-hosted-style S3 URLs, improving compatibility with more S3-compatible providers and self-hosted object storage. Commit: a818316.

Improved

  1. Web vault updates feel immediate. Creating, editing, deleting, archiving, restoring, and moving items; creating or deleting folders; and creating, updating, or deleting Sends now update the local encrypted snapshot, decrypted lists, and revision timestamp directly. This reduces visible lag after successful actions and makes cached vault validation work better with resource-level sync. Commits: 42b765b, 045b23f.

  2. Better Bitwarden client compatibility. Profile and sync responses now include fields such as organizationsNew, policiesNew, and V2UpgradeToken; /api/accounts/keys supports GET; password change and password verification accept newer authenticationData and unlockData request shapes; and device routes work with both /api/devices and /devices. Cipher responses also preserve stored edit, viewPassword, and permissions flags instead of resetting them. Commits: add921b, f9fe532.

  3. Cleaner mobile and narrow-screen UI. Topbar controls, network status, theme switching, and lock buttons now share more consistent sizing and styling. The vault list search, sorting, filtering, create button, and bulk selection toolbar are more compact on mobile, and mobile filter menus can switch between all items, favorites, archive, trash, duplicates, types, and folders. Commits: 7e0406f, 16bde22, cd2ec82, c1f5795.

  4. More tolerant TOTP handling. TOTP codes are grouped more naturally for 5-digit, 6-digit, 8-digit, and other lengths, and the TOTP list no longer overflows narrow screens because of fixed column widths. otpauth:// parsing is also more tolerant of unusual parameter encoding, with more stable Steam-code detection. Commits: 9e0908f, d5c2ab2.

  5. Less jumpy network status. The web app no longer switches offline after one short failed probe. It uses a longer timeout, waits for repeated failures, and lets normal API successes or failures update the network state, reducing false offline unlock fallbacks when the service is reachable but slow. Commit: b4dfb04.

  6. More complete backups. Full instance backups now include trusted two-factor device tokens and restore them during import. The importer validates token ownership, device identifiers, expiration times, and duplicates, so remembered two-factor devices can survive a full migration. Commit: f6169b7.

Fixed

  1. Realtime notification correctness. Resource notification type numbers now match Bitwarden semantics, while NodeWarden-specific device status and backup progress notifications use internal values to avoid conflicts with official Send update types. SignalR MessagePack invocations now include streamIds, pending auth request notifications refresh the login request list, and the web app ignores notifications sent by the current device to avoid redundant refreshes. Commits: fe0c66c, 9a21504, 4900de0.

  2. Attachment and Send download details. Public attachment and Send file downloads now include Content-Disposition filenames and X-Content-Type-Options: nosniff, making browser downloads keep better filenames and reducing content sniffing issues. Attachment delete responses now include both uppercase and lowercase field forms for broader client compatibility. Commit: add921b.

  3. Deleted item and bulk action edge cases. Vault paging now detects deleted items from both database columns and older JSON payload fields, preventing old deleted items from appearing in the normal vault list. Bulk archive skips deleted items, and duplicate detection now uses decrypted password history instead of encrypted stored text. Commits: add921b, b444c0f.

  4. Export, dialog, and toast polish. CSV export now escapes login URIs correctly inside a single CSV cell; some dialog dismissal behavior is more stable; login and unlock success toasts are less noisy; and the toast close button now uses a styled SVG icon. Commits: b024226, a06cb0e, 8f2704f, 907126d.

  5. S3 backup URL construction. Virtual-hosted-style backup operations now use the bucket.endpoint form for upload, download, delete, and existence checks, while avoiding duplicate bucket names when the endpoint already includes the bucket. Path-style mode keeps the existing endpoint/bucket behavior. Commit: a818316.


新增

  1. 资源级实时同步。 NodeWarden 现在会按 Bitwarden 风格发送密码条目、文件夹、Send 的新增、更新和删除通知。Web 端收到通知后可以只刷新受影响的资源,而不是每次都重新同步整个保险库;附件上传、附件删除、公开 Send 访问计数、Send 文件下载等会改变状态的操作,也会触发对应更新。提交:fe0c66c42b765b045b23f46ba8b9f096681

  2. Bitwarden 移动端推送中继支持。 设备现在可以保存 push_uuidpush_token,通过 Bitwarden push relay 注册或注销,并在保险库资源变化时尝试接收移动端推送。数据库结构也补上了推送字段和索引,用于识别哪些设备可以被推送。提交:79ed7c9

  3. Bitwarden CSV 导出。 除了原有 JSON、加密 JSON 和带附件 ZIP 导出,现在 Web 端可以直接导出 Bitwarden 兼容 CSV。多个登录 URI 会按 CSV 规则安全序列化,卡片、身份、SSH Key 等非登录类型也会尽量保留到字段文本中,方便迁移或人工整理。提交:b024226a06cb0e

  4. 更多重复项检测模式。 重复项现在可以按完全一致、登录站点加凭据、用户名加密码、单独密码等方式判断。重复组会用颜色辅助区分,移动端保险库也补上了重复项模式选择和更完整的筛选入口。提交:7b3be2cb444c0f

  5. S3 地址样式选择。 远程备份目标现在可以选择 path-style 或 virtual-hosted-style,兼容更多 S3 服务和自建对象存储。提交:a818316

改进

  1. Web 保险库操作反馈更及时。 创建、编辑、删除、归档、恢复、移动条目,创建或删除文件夹,以及创建、更新、删除 Send 时,前端会直接更新本地加密快照、解密列表和修订时间。这样操作成功后列表更快跟上,也让资源级同步下的本地缓存校验更稳定。提交:42b765b045b23f

  2. Bitwarden 客户端兼容性更好。 账户资料和同步响应补齐了 organizationsNewpoliciesNewV2UpgradeToken 等字段;/api/accounts/keys 支持 GET;改密和校验密码接口兼容较新的 authenticationDataunlockData 请求结构;设备路由同时兼容 /api/devices/devices。密码条目响应也会保留已存储的 edit、`vi...

Read more

v1.6.1 Approve Trusted Device & 2FA Enhancements

Choose a tag to compare

@shuaiplus shuaiplus released this 12 Jun 08:50

NodeWarden Release Notes

1.6.1

Released on 2026-06-12.

Added

  • Added device login approval system allowing users to approve login requests from new devices through existing authenticated sessions, enhancing security for cross-device authentication workflows.
  • Added device fingerprint phrase generation using a comprehensive wordlist for human-readable device verification.
  • Added pending authentication requests panel in the web interface for managing incoming device login approval requests.
  • Added authentication request approval dialog with device details and fingerprint verification.
  • Added loading skeleton components for improved perceived performance during data loading states.
  • Added two-factor authentication endpoints (/two-factor/get-authenticator, /two-factor/authenticator) for enhanced 2FA management.
  • Added compatibility validation for cipher fields during import operations to ensure data integrity across different Bitwarden client versions.

Improved

  • Improved two-factor authentication response handling to better align with Bitwarden Identity server specifications, ensuring seamless compatibility with official Bitwarden clients.
  • Improved date and time formatting in settings page with dedicated formatDateTime utility function for consistent timestamp display.
  • Improved cipher update logic to preserve additional fields and maintain compatibility during cross-client synchronization.
  • Improved notification hub with better WebSocket message handling and authentication request notifications.
  • Improved authenticated routes with dedicated authentication request management endpoints.

Fixed

  • Fixed two-factor authentication response format inconsistencies that could affect client compatibility.
  • Fixed cipher field validation during import to prevent data loss when migrating from other password managers.
  • Fixed date display formatting issues in device management and settings pages.

Full Changelog: v1.6.0...v1.6.1


NodeWarden 更新日志

1.6.1

发布日期:2026-06-12

新增

  • 新增设备登录批准系统,允许用户通过已认证的会话批准来自新设备的登录请求,增强跨设备身份验证工作流的安全性。
  • 新增设备指纹短语生成功能,使用完整的词汇表生成易于人类识别的设备验证码。
  • 新增 Web 界面中的待处理身份验证请求面板,用于管理传入的设备登录批准请求。
  • 新增身份验证请求批准对话框,显示设备详情和指纹验证信息。
  • 新增加载骨架屏组件,改善数据加载期间的用户体验。
  • 新增两步验证端点 (/two-factor/get-authenticator/two-factor/authenticator),增强 2FA 管理功能。
  • 新增导入操作期间的密码条目字段兼容性验证,确保在不同 Bitwarden 客户端版本之间的数据完整性。

改进

  • 改进两步验证响应处理,更好地符合 Bitwarden Identity 服务器规范,确保与官方 Bitwarden 客户端的无缝兼容。
  • 改进设置页面的日期和时间格式化,使用专用的 formatDateTime 工具函数实现一致的时间戳显示。
  • 改进密码条目更新逻辑,在跨客户端同步期间保留额外字段并保持兼容性。
  • 改进通知中心,优化 WebSocket 消息处理和身份验证请求通知。
  • 改进已认证路由,新增专用的身份验证请求管理端点。

修复

  • 修复两步验证响应格式不一致问题,该问题可能影响客户端兼容性。
  • 修复导入期间的密码条目字段验证,防止从其他密码管理器迁移时的数据丢失。
  • 修复设备管理和设置页面中的日期显示格式问题。

完整更新记录: v1.6.0...v1.6.1

v1.6.0 PWA Offline Access & Passkey Unlock

Choose a tag to compare

@shuaiplus shuaiplus released this 10 Jun 09:11

NodeWarden Release Notes

1.6.0

Released on 2026-06-10.

Added

  • Added PWA (Progressive Web App) support with offline vault access, installable web client, and offline unlock capabilities for previously unlocked vaults.
  • Added Passkey-based offline unlock using PRF (Pseudo-Random Function) extension for secure offline authentication without requiring master password entry.
  • Added Passkey account-level functionality with improved registration, management, and unlock workflows, including persistent offline unlock records.
  • Added BackupTransferRunner Durable Object for managing large backup restore operations with progress tracking and attachment download coordination.
  • Added remote backup restore functionality with attachment download support and progress indication.
  • Added KeePass CSV import format support for broader password manager migration compatibility.
  • Added device permanent trust functionality allowing users to skip two-factor authentication on trusted devices.
  • Added user and device cache invalidation in AuthService for improved security and session management.
  • Added comprehensive logging system for better debugging and monitoring.
  • Added restore functionality for deleted vault items with corresponding UI updates.
  • Added cipher ID inclusion in search text for enhanced vault search capabilities.
  • Added change password URI support and improved attachment metadata handling.

Improved

  • Improved offline PWA resilience with better caching strategies, Service Worker lifecycle management, and offline state detection.
  • Improved cipher handling with URI checksum repair, repairable URI support, and automatic cipher edit time preservation during repairs.
  • Improved cipher key encryption compatibility for 2026.4.x clients with streamlined key handling and secure note support.
  • Improved cipher login data structure with normalized URI handling and enhanced import format support.
  • Improved password verification to support legacy client hash formats for backward compatibility.
  • Improved SSH key handling with Ed25519 support and proper PEM formatting.
  • Improved TOTP settings UI with better layout, status indication, and visual clarity.
  • Improved mobile responsiveness across management routes, table layouts, and form interactions.
  • Improved deployment workflow with idempotent KV deployment and streamlined configuration commands.
  • Improved lock timeout retrieval by handling null and empty values more gracefully.
  • Improved scrollbar styles and dark mode compatibility across the web interface.
  • Improved authorized devices table layout and styling for better readability.
  • Improved search functionality UI with better positioning and hover effects.

Fixed

  • Fixed offline unlock record persistence during Passkey PRF login to ensure proper offline authentication state.
  • Fixed cipher edit time preservation during automatic URI repair operations.
  • Fixed initial i18n render crash on authentication pages.
  • Fixed cipher login URI normalization and handling for better cross-client compatibility.
  • Fixed cipher key encryption handling for mixed encryption scenarios and legacy data.
  • Fixed password hashing server hash prefix handling for proper verification.
  • Fixed login identifier construction in two-factor recovery and token handling flows.
  • Fixed IP-scoped password login lockout to prevent brute force attacks.
  • Fixed device validation logic in refresh token handling for improved security.
  • Fixed content length validation and timeout handling for icon fetching operations.
  • Fixed lock timeout retrieval edge cases with null and empty value handling.
  • Fixed input padding across forms and responsive styles for consistent layout.
  • Fixed deployment commands to ensure proper build sequence and KV namespace setup.

Other

  • Removed unused TOTP_SECRET from environment bindings.
  • Removed unused change password handling functions from public routes.
  • Removed optional portable admin checks in backup settings for simplified logic.
  • Removed unused saveRefreshTokenRecord parameter from token handling.
  • Added .tmp-bitwarden-clients/ to .gitignore for cleaner repository state.
  • Updated README with enhanced PWA and Passkey feature descriptions.

Full Changelog: v1.5.2...v1.6.0

NodeWarden 更新日志

1.6.0

发布日期:2026-06-10

新增

  • 新增 PWA(渐进式 Web 应用)支持,实现离线访问保险库、可安装的 Web 客户端,以及已解锁保险库的离线解锁能力。
  • 新增基于 Passkey 的离线解锁功能,使用 PRF(伪随机函数)扩展实现安全的离线身份验证,无需输入主密码。
  • 新增 Passkey 账户级功能,改进注册、管理和解锁工作流,包括持久化离线解锁记录。
  • 新增 BackupTransferRunner Durable Object,用于管理大型备份还原操作,支持进度跟踪和附件下载协调。
  • 新增远程备份还原功能,支持附件下载和进度指示。
  • 新增 KeePass CSV 导入格式支持,提升密码管理器迁移兼容性。
  • 新增设备永久信任功能,允许用户在受信任设备上跳过两步验证。
  • 新增 AuthService 中的用户和设备缓存失效机制,改进安全性和会话管理。
  • 新增完整的日志系统,便于调试和监控。
  • 新增已删除保险库项目的恢复功能,并更新相应的 UI。
  • 新增保险库项目 ID 在搜索文本中的包含,增强搜索能力。
  • 新增更改密码 URI 支持,改进附件元数据处理。

改进

  • 改进离线 PWA 韧性,优化缓存策略、Service Worker 生命周期管理和离线状态检测。
  • 改进密码条目处理,支持 URI 校验和修复、可修复 URI 支持,以及修复期间自动保留编辑时间。
  • 改进密码条目密钥加密兼容性,支持 2026.4.x 客户端,优化密钥处理和安全笔记支持。
  • 改进密码条目登录数据结构,规范化 URI 处理,增强导入格式支持。
  • 改进密码验证,支持旧版客户端哈希格式,提升向后兼容性。
  • 改进 SSH 密钥处理,支持 Ed25519 和正确的 PEM 格式化。
  • 改进 TOTP 设置 UI,优化布局、状态指示和视觉清晰度。
  • 改进移动端响应式设计,覆盖管理路由、表格布局和表单交互。
  • 改进部署工作流,实现幂等的 KV 部署和简化的配置命令。
  • 改进锁定超时获取逻辑,更优雅地处理空值和空字符串。
  • 改进滚动条样式和暗色模式兼容性。
  • 改进已授权设备表格布局和样式,提升可读性。
  • 改进搜索功能 UI,优化定位和悬停效果。

修复

  • 修复 Passkey PRF 登录期间的离线解锁记录持久化问题,确保正确的离线身份验证状态。
  • 修复自动 URI 修复操作期间的密码条目编辑时间保留问题。
  • 修复认证页面上的初始 i18n 渲染崩溃。
  • 修复密码条目登录 URI 规范化和处理,提升跨客户端兼容性。
  • 修复混合加密场景和旧数据的密码条目密钥加密处理。
  • 修复密码哈希服务器哈希前缀处理,确保正确验证。
  • 修复两步验证恢复和令牌处理流程中的登录标识符构造。
  • 修复基于 IP 的密码登录锁定,防止暴力破解攻击。
  • 修复刷新令牌处理中的设备验证逻辑,提升安全性。
  • 修复图标获取操作的内容长度验证和超时处理。
  • 修复锁定超时获取边界情况,处理空值和空字符串。
  • 修复表单和响应式样式中的输入填充,实现一致的布局。
  • 修复部署命令,确保正确的构建顺序和 KV 命名空间设置。

其他

  • 从环境绑定中移除未使用的 TOTP_SECRET。
  • 从公共路由中移除未使用的更改密码处理函数。
  • 移除备份设置中的可选便携管理员检查,简化逻辑。
  • 从令牌处理中移除未使用的 saveRefreshTokenRecord 参数。
  • 添加 .tmp-bitwarden-clients/.gitignore,保持仓库整洁。
  • 更新 README,增强 PWA 和 Passkey 功能描述。

完整更新记录: v1.5.2...v1.6.0

v1.5.2 Domain Rules, Safer Backups, Navigation & UI Polish

Choose a tag to compare

@shuaiplus shuaiplus released this 11 May 16:11

NodeWarden Release Notes

1.5.2

Released on 2026-05-11.

Added

  • Added equivalent-domain management with Bitwarden-compatible global rules, custom rule editing, per-user exclusions, domain normalization, and a dedicated domain rules page in the web app.
  • Added bundled Bitwarden global equivalent-domain data, a custom global-domain extension file, and a sync script/workflow for refreshing domain rules.
  • Added domain settings to full backup export and restore, including validation for domain settings ownership and duplicate user rows.
  • Added portable backup-settings export support so backup destination settings can be included safely without exporting runtime-only lock state.
  • Added navigation layout options with collapsible groups and localized labels for switching between sidebar layouts.
  • Added payment card brand assets and card-brand selection/detection in the vault editor.
  • Added registration invite-code awareness to the web bootstrap flow, requiring invite codes after the first account exists.

Improved

  • Improved website icon loading with better upstream fallback order, default-icon rejection, client-side load state tracking, timeouts, and temporary error caching.
  • Improved vault editing by replacing drag-and-drop website ordering with explicit move up/down controls and by using larger text areas for custom-field values.
  • Improved TOTP code ordering by removing manual drag reorder behavior and relying on stable alphabetical sorting.
  • Improved authenticated workspace loading by preloading domain-rule pages in the background and tuning resource priority/chunk behavior.
  • Improved backup recommendation, sensitive-action, admin invite, mobile detail sheet, vault overflow, and management-page styling for a cleaner cross-device UI.
  • Improved development and deployment scripts so dev, dev:kv, deploy, and deploy:kv build the web app before starting or publishing the Worker.
  • Improved documentation and contributor workflow with updated README links, contribution guidelines, and a pull request template.

Fixed

  • Fixed stale password visibility and browser history state by resetting them when switching selected vault items.
  • Fixed website icon failures that could stay stuck or show generic upstream placeholders as real site icons.
  • Fixed backup export contents so user API keys are not included in exported instance archives.
  • Fixed backup restore/import counts and validation to include domain settings consistently.
  • Fixed mobile and compact-layout spacing issues in settings, backup, vault detail, and sensitive-action panels.

Other

  • Removed unused drag-and-drop dependencies after replacing the related UI flows.
  • Added search-index and robots controls for safer crawler behavior.

Full Changelog: v1.5.1...v1.5.2

NodeWarden 更新日志

1.5.2

发布日期:2026-05-11

新增

  • 新增等效域名管理,支持兼容 Bitwarden 的全局规则、自定义规则编辑、按用户排除、域名归一化,以及独立的域名规则页面。
  • 新增内置 Bitwarden 全局等效域名数据、自定义全局域名扩展文件,以及用于刷新域名规则的同步脚本和工作流。
  • 新增完整备份中的域名设置导出与还原,并校验域名设置所属用户和重复用户行。
  • 新增可移植备份设置导出能力,备份目标设置可以安全进入备份,同时不会导出运行时锁状态。
  • 新增导航布局选项,支持折叠分组,并补充多语言文案。
  • 新增支付卡品牌图标资源,以及保险库编辑器中的卡品牌检测与选择。
  • 新增注册邀请码感知逻辑,首个账户之后注册会要求邀请码。

改进

  • 改进网站图标加载,优化上游 fallback 顺序、默认图标识别、前端加载状态、超时处理和临时错误缓存。
  • 改进保险库编辑体验,用上移/下移按钮替代网址拖拽排序,并将自定义字段值改为更适合长内容的文本框。
  • 改进 TOTP 页面排序,移除手动拖拽排序,改为稳定的字母排序。
  • 改进已登录工作区加载,后台预加载域名规则页面,并调整资源优先级和分包策略。
  • 改进备份推荐、敏感操作、管理员邀请、移动端详情页、保险库溢出显示和管理页面样式,使跨设备界面更简洁统一。
  • 改进开发和部署脚本,devdev:kvdeploydeploy:kv 会先构建前端再启动或发布 Worker。
  • 改进文档和协作流程,更新 README 链接、贡献指南和 PR 模板。

修复

  • 修复切换保险库条目后密码可见状态和浏览器历史状态残留的问题。
  • 修复网站图标加载失败后可能卡住,或把上游通用占位图当成真实站点图标的问题。
  • 修复完整备份导出内容,确保用户 API key 不会被导出到实例备份中。
  • 修复备份还原/导入统计与校验,使域名设置能够被一致处理。
  • 修复设置、备份、保险库详情和敏感操作面板在移动端与紧凑布局下的间距问题。

其他

  • 移除拖拽排序相关流程替换后不再使用的 drag-and-drop 依赖。
  • 新增搜索索引和 robots 控制,减少不需要的爬虫索引。

完整更新记录: v1.5.1...v1.5.2

v1.5.1 Adds Demo mode, TOTP QR scanning, and Send improvements

Choose a tag to compare

@shuaiplus shuaiplus released this 04 May 14:08

NodeWarden Release Notes

1.5.1

Released on 2026-05-04.

Added

  • Added an isolated Cloudflare Pages Demo build with sample vault data, Demo login/unlock, sample Sends, demo admin users, authorized devices, backup settings, and remote-restore simulation.
  • Added TOTP QR code scanning in the vault editor, supporting camera and image-file scanning.
  • Added a more complete 404 page for unknown routes and unavailable public Sends.

Improved

  • Improved app startup, route normalization, hash-route handling, public route fallback, and Send link behavior.
  • Improved public Send pages, including key validation, 404 handling, text copy, Demo rendering, and Demo file downloads.
  • Improved vault caching, authenticated request refresh handling, icon loading, and client-side icon caching.
  • Improved admin, device management, vault list/detail pages, mobile layout, loading states, empty states, error states, and retry experience.
  • Expanded localization coverage for Demo, Send, 404, loading, and management-page text.

Fixed

  • Fixed stale user/device validation when cached auth records no longer match token security stamps.
  • Fixed several form and vault-detail visual issues, including identity-field completeness, item icon display, and mobile spacing.

Full Changelog: v1.5.0...v1.5.1


NodeWarden 更新日志

1.5.1

发布日期:2026-05-04

新增

  • 新增独立的 Cloudflare Pages Demo 构建,内置示例密码库、Demo 登录/解锁、示例 Send、管理员用户、授权设备、备份设置与远端还原模拟。
  • 新增保险库编辑器 TOTP 二维码扫描,支持摄像头和图片文件扫描。
  • 新增更完整的 404 页面,用于未知路由和不可用的公开 Send。

改进

  • 优化应用启动、路由归一化、hash 路由、公开路由 fallback 和 Send 链接行为。
  • 优化公开 Send 页面,包括密钥校验、404 处理、文本复制、Demo 展示和 Demo 文件下载。
  • 优化保险库缓存、认证请求刷新、图标加载和前端图标缓存。
  • 优化管理员、设备管理、保险库列表/详情、移动端布局、加载态、空状态、错误和重试体验。
  • 补充 Demo、Send、404、加载态和管理页面相关多语言文案。

修复

  • 修复用户或设备缓存过期时的认证校验问题。
  • 修复若干表单和保险库详情视觉问题,包括身份字段完整性、条目图标展示和移动端间距。

完整更新记录: v1.5.0...v1.5.1

v1.5.0 improves Bitwarden compatibility, vault performance, backup reliability, and multilingual support.

Choose a tag to compare

@shuaiplus shuaiplus released this 30 Apr 21:31

Release Notes

v1.5.0 - 2026-05-01

v1.5.0 improves Bitwarden compatibility, vault performance, backup reliability, and multilingual support.

Compatibility

  • Added Bitwarden-style personal API Key support in Settings. Users can view/copy/rotate the key after master-password verification, and POST /identity/connect/token now accepts client_credentials with client_id=user.<id>. Resolves #121.
  • Fixed Bitwarden Android 2026.4.0 sync/decrypt failures caused by invalid legacy EncString values, especially type 0 with 1 parts payloads from old or malformed encrypted fields. Resolves #209.
  • Hardened sync response normalization for encrypted names, notes, login URIs, cards, identities, custom fields, password history, SSH keys, FIDO2 credentials, and attachments so official clients receive fewer malformed cipher sub-objects.
  • Added excludeSends sync support and improved revision-date loading for lighter client refreshes.

Web Vault

  • Fixed the vault list mouse-wheel jumping/flickering issue by stabilizing virtual-list scroll state. Resolves #199.
  • Added a Duplicates view and improved duplicate detection around login username, password, and URI combinations instead of relying on full item equality. Addresses #130 and partially addresses #157.
  • Added folder sorting by name, created time, or updated time, with the choice saved locally. Partially addresses #203.
  • Added drag-and-drop ordering for vault URI rows and TOTP entries.
  • Added local vault/key caching and worker-based decryption helpers to reduce repeated decryption work and improve large-vault loading.

Import, Export, and Backup

  • Improved 1Password CSV/1PIF/1PUX import for categories, URLs, usernames, passwords, custom fields, notes, and password history.
  • Improved browser/CSV import handling for URI and TOTP extraction, and preserved source item IDs so attachments and NodeWarden JSON exports can map back to newly created ciphers. Related to #120.
  • Remote backup runs are now serialized with a runner lease and heartbeat: manual and scheduled backups no longer overlap, an in-progress run blocks another run from starting, and missed scheduled windows are picked up after the current run. Also cleaned up S3 naming and runtime-state updates. Fixes the backup reliability issue tracked in #182.

UI, i18n, and Project

  • Added selectable web UI languages and split locale files for English, Simplified Chinese, Traditional Chinese, Spanish, and Russian. Resolves #208.
  • Made vault sync/logout notifications non-blocking with waitUntil, reducing write API latency. Resolves #204 via PR #205.
  • Updated favicon, app icons, SVG logo assets, wordmark styling, mobile layout, loading states, and dark-mode polish.
  • Updated version metadata to 1.5.0 in package.json, package-lock.json, and shared/app-version.ts.

中文

v1.5.0 主要提升 Bitwarden 兼容性、密码库性能、备份可靠性和多语言支持。

兼容性

  • 新增 Bitwarden 风格个人 API Key。设置页支持主密码验证后查看、复制、轮换,POST /identity/connect/token 支持 client_credentialsclient_id=user.<id>。解决 #121
  • 修复 Bitwarden Android 2026.4.0 因无效旧 EncString 导致同步/解密失败的问题,尤其是 type 0 with 1 parts 这类旧字段或异常加密字段。解决 #209
  • 加固 sync 响应规范化,覆盖加密名称、备注、登录 URI、银行卡、身份信息、自定义字段、密码历史、SSH Key、FIDO2 凭据和附件,减少官方客户端解析到异常子对象的概率。
  • 新增 excludeSends 同步参数,并优化 revision-date 加载,降低客户端刷新成本。

网页版密码库

  • 修复密码库列表鼠标滚动闪跳问题,通过稳定虚拟列表滚动状态避免反复跳动。解决 #199
  • 新增“重复项”视图,并改进用户名、密码、URI 组合的重复项判断,不再只依赖整个条目完全相同。覆盖 #130,部分覆盖 #157
  • 新增文件夹按名称、创建时间、修改时间排序,并在本地保存选择。部分覆盖 #203
  • 支持密码库网址行和 TOTP 条目拖拽排序。
  • 新增本地 vault/key 缓存和 worker 解密辅助,减少重复解密,改善大密码库加载体验。

导入、导出和备份

  • 改进 1Password CSV/1PIF/1PUX 导入,覆盖分类、网址、用户名、密码、自定义字段、备注和密码历史。
  • 改进浏览器/CSV 导入中的 URI、TOTP 提取,并保留来源条目 ID,便于附件和 NodeWarden JSON 导出映射到新创建的 cipher。关联 #120
  • 远程备份现在会串行执行:通过运行租约和心跳避免手动备份、定时备份并发重叠;已有备份运行中时不会再启动另一轮,定时任务错过的窗口会在当前备份结束后补扫。同时统一 S3 命名并改进运行状态记录,修复 #182 跟踪的备份可靠性问题。

UI、多语言和项目

  • 新增网页版语言选择,并拆分英文、简体中文、繁体中文、西班牙语、俄语语言包。解决 #208
  • vault 同步/登出通知改为 waitUntil 后台发送,降低写入接口延迟。通过 PR #205 解决 #204
  • 更新 favicon、应用图标、SVG Logo、wordmark、移动端布局、加载状态和暗色模式细节。
  • 已将 package.jsonpackage-lock.jsonshared/app-version.ts 版本号更新为 1.5.0

v1.4.6 Fix new mobile attachment compatibility

Choose a tag to compare

@shuaiplus shuaiplus released this 25 Apr 08:05

Release Notes

v1.4.6 - 2026-04-25

v1.4.6 focuses on Bitwarden mobile attachment compatibility, session security controls, and a broad web UI/style system cleanup.

New Features

Session Security

  • Added configurable automatic vault locking with timeout options.
  • Added session timeout behavior controls so users can choose whether an idle timeout locks the vault or logs out.
  • Added unlock handling improvements so a locked local session can return to the vault without a full login when the session is still valid.

Web UI & Design System

  • Added Tailwind CSS, PostCSS, and a Tailwind configuration as the base for the next stage of frontend styling.
  • Refactored large parts of the web UI toward shared utility classes and a more unified design system.
  • Improved mobile layout behavior by expanding the mobile breakpoint to 1180px.

Compatibility & Fixes

Attachments

  • Fixed old attachment compatibility with newer Bitwarden Android clients, including Android 2026.4.0.
  • Added a protected attachment metadata repair API so old encrypted attachment metadata can be corrected without deleting the attachment record.
  • Improved web attachment download recovery for legacy attachment formats:
    • Attachment keys wrapped with the current item key.
    • Attachment keys wrapped with the older user key.
    • Legacy files encrypted directly with item or user keys.
  • When the web vault successfully decrypts an old attachment, it now repairs the metadata for future official-client syncs; for legacy user-key encrypted blobs, it re-encrypts the blob into the compatible format.
  • Fixed cases where old encrypted attachment filenames appeared as raw 2.iv|cipher|mac strings in the web UI.

TOTP & Icons

  • Refactored TOTP code state management and refresh behavior.
  • Improved TOTP and vault list icon loading states.
  • Hardened icon host decoding so malformed icon host values no longer throw during public routing.
  • Improved icon error handling and visual loading behavior.

Dialogs & Layout

  • Improved confirmation dialog focus management and accessibility behavior.
  • Fixed an incorrect dialog card width value that could break overlay layout.
  • Improved list icon layering and opacity during loading.

UI / UX Improvements

  • Consolidated motion, form, shell, management, vault, and overlay styles.
  • Removed deprecated reduced-motion stylesheet handling and folded motion behavior into the main style system.
  • Updated color tokens for better contrast and more consistent light/dark presentation.
  • Cleaned up Send, public Send, Settings, Vault, device management, and TOTP page styling for more consistent spacing and responsive behavior.

中文

v1.4.6 主要修复新版 Bitwarden 移动端附件兼容问题,并补齐会话安全控制,同时对网页端样式系统做了一轮较大的整理。

新增

会话安全

  • 新增自动锁定密码库能力,可配置闲置超时时间。
  • 新增会话超时动作设置,可选择超时后锁定密码库或直接退出登录。
  • 优化锁定后的解锁流程:在会话仍有效时,可以通过主密码解锁回到密码库,无需完整重新登录。

网页端与设计系统

  • 新增 Tailwind CSS、PostCSS 与 Tailwind 配置,为后续前端样式统一打基础。
  • 将大量网页端样式迁移到更统一的工具类与设计系统结构。
  • 将移动端布局断点调整为 1180px,改善中等宽度屏幕下的导航和列表体验。

兼容性与修复

附件

  • 修复旧附件在新版 Bitwarden Android 客户端中的下载解密兼容问题,包括 Android 2026.4.0
  • 新增受保护的附件元数据修复 API,可在不删除附件记录的前提下修正旧附件的加密元数据。
  • 网页端附件下载现在会兼容多种历史格式:
    • attachment key 由当前 item key 包裹。
    • attachment key 由旧 user key 包裹。
    • 文件本体直接由 item key 或 user key 加密的旧格式。
  • 网页端一旦成功解密旧附件,会自动修复元数据,方便后续官方客户端同步和下载;对旧 user-key 加密的 blob,会重新加密为兼容格式后覆盖原 blob。
  • 修复旧附件文件名在网页端显示为 2.iv|cipher|mac 原始密文的问题。

TOTP 与图标

  • 重构 TOTP 动态码状态管理和刷新逻辑。
  • 改进 TOTP 页面和密码库列表图标的加载状态。
  • 加固图标主机名解码逻辑,避免异常 URL 编码导致公开路由报错。
  • 改进图标加载失败时的视觉状态和兜底行为。

弹窗与布局

  • 改进确认弹窗的焦点管理和无障碍体验。
  • 修复弹窗卡片宽度误写为 5000px 导致布局异常的问题。
  • 优化列表图标加载时的透明度与层级表现。

UI / UX 改进

  • 统一整理 motion、form、shell、management、vault、overlay 等样式模块。
  • 移除旧的独立 reduced-motion 样式表,将动效策略合并到主样式系统。
  • 更新颜色 token,提高对比度并统一明暗主题表现。
  • 优化 Send、公开 Send、设置、密码库、设备管理和 TOTP 页面在间距、响应式和整体视觉上的一致性。

v1.4.5 API key support

Choose a tag to compare

@shuaiplus shuaiplus released this 23 Apr 15:34

NodeWarden Release Notes

1.4.5

Released on 2026-04-23.

Added

  • Added personal API key support for Bitwarden-compatible CLI authentication, including backend storage, account settings management, and Bitwarden-style client_credentials login flow.
  • Added API key view and rotate actions in account settings, with an official-style credential dialog that includes client_id, client_secret, scope, and grant_type, plus per-field copy actions.
  • Updated branding assets with refreshed icons and the new NodeWarden wordmark.

Improved

  • Improved API key dialog guidance to better match the official Bitwarden presentation and explain CLI usage more clearly.
  • Improved app shell, vault list, standalone layout, and responsive styling across the web interface.
  • Improved compatibility for Bitwarden-style API key routes by supporting official /api/accounts/api-key and /api/accounts/rotate-api-key paths.

Fixed

  • Fixed API key authentication security by validating client_secret against the stored user API key before issuing tokens.
  • Fixed API key rotation so that existing refresh-token sessions are invalidated immediately after rotation.
  • Fixed first-user creation SQL after the API key schema update.
  • Fixed backup import and export compatibility for the new api_key user field.
  • Removed unused dark-theme select styles.

Other

  • Merged #200 for API key support and follow-up hardening.

Full Changelog: v1.4.4...v1.4.5

NodeWarden 更新日志

1.4.5

发布日期:2026-04-23

新增

  • 新增个人 API 密钥支持,可用于兼容 Bitwarden CLI 的身份验证流程,包含后端存储、账户设置管理与 Bitwarden 风格的 client_credentials 登录能力。
  • 在账户设置中新增 API 密钥查看与轮换操作,并提供更接近官方 Bitwarden 风格的凭据弹窗,展示 client_idclient_secretscopegrant_type,且支持逐项复制。
  • 更新品牌资源,包含新的图标与 NodeWarden 字标。

改进

  • 改进 API 密钥弹窗说明文案,使其更贴近官方 Bitwarden 展示方式,并更清楚地说明 CLI 使用场景。
  • 改进应用外壳、保险库列表、独立页面布局与整体响应式样式表现。
  • 改进 Bitwarden API 密钥路由兼容性,支持官方 /api/accounts/api-key/api/accounts/rotate-api-key 路径。

修复

  • 修复 API 密钥认证安全问题,确保签发令牌前会校验 client_secret 与已保存的用户 API 密钥是否匹配。
  • 修复 API 密钥轮换后旧 refresh token 会话仍可继续使用的问题,轮换后立即失效。
  • 修复 API 密钥 schema 更新后首个用户创建 SQL 的问题。
  • 修复备份导入导出对新增 api_key 用户字段的兼容性。
  • 移除未使用的暗色主题 select 样式。

其他

  • 合并 #200,引入 API 密钥支持及后续加固修复。

完整更新记录: v1.4.4...v1.4.5