v1.7.2 - New Backup Providers, WebAuthn PRF, and UI Polish

@shuaiplus shuaiplus released this 01 Jul 05:37

Added

  1. Three new S3-compatible backup providers: Backblaze B2, Cloudflare R2, and Tigris. Each new destination comes with detailed provider-specific recommendations, storage-class guidance, and localization strings across all five supported languages. You can now back up to more services without custom scripting. Commits: 1acc31e, c3dc53b, ff85698.

  2. WebAuthn PRF (pseudorandom function) extension support. Credential creation and assertion now pass browser-compatible PRF extension requests, support excluding PRF extensions where the client doesn't need them, and handle the underlying passkey operations more robustly. This improves WebAuthn compatibility with modern browsers and password managers that rely on PRF for per-credential keys. Commits: 8942e5b, 31cfd19, 6a1a835, bf6ac7b.

  3. Backup import locking and checksum verification. Restoring a full backup now acquires an exclusive lock so concurrent imports cannot collide, and the importer verifies file checksums before applying the data. This makes disaster recovery safer when multiple admins might trigger restores. Commit: e9272ec.

  4. Fullscreen layout toggle. The web vault can now switch to fullscreen mode with a dedicated toggle button, with corresponding localization updates. Useful for kiosk-mode or presentation setups. Commit: d722815.

  5. Fill-assist API handlers. NodeWarden now implements Bitwarden-compatible credential fill-assist endpoints, letting clients fetch credentials inline via the new POST /fill-assist route. Device response types are also updated to include the fields needed by the fill-assist flow. Commit: e4215b4.

  6. Device selection and removal in SecurityDevicesPage. The security devices panel now supports selecting individual trusted devices and removing them directly from the web UI, so you no longer need to use the API to revoke a specific device. Commit: a5ad16a.

  7. Delete invalid organization invitations. Admins can now detect and remove dangling or invalid invitations from the admin panel, helping keep the invitation list clean. The API also renamed revokeInvite to deleteInvite for clearer semantics. Commits: 0d1bb19, f82dcc3.

  8. validFolderIds support in cipher responses. Sync and cipher responses now include a validFolderIds field so clients can distinguish real folders from orphaned references. The folder repository also validates folder existence more strictly. Commit: 82f968e.

  9. Pending auth request loading state. The pending login-request panel shows a refreshing indicator while fetching or updating the request list, providing clearer feedback during auth request workflows. Commit: 4378e1b.

Improved

  1. Enhanced Bitwarden CSV import with custom field and multiline support. The CSV parser now recognizes custom fields and restores their metadata correctly during import. It also preserves multiline values such as SSH private keys—previously, any line without a : delimiter was silently dropped, truncating private keys to the first line. Text fields containing newlines now survive a full export-import round-trip. Commits: 5eeaf4e, 68c42a0.

  2. Consolidated security devices UI. Device management and authorized devices sections are merged into a single coherent card on SecurityDevicesPage, and the pending-auth-requests panel has been removed from the general SettingsPage to reduce clutter. The device list also includes improved selection controls. Commit: c694f1b.

  3. Refined app-shell styles and dark mode consistency. Removed redundant global styles, cleaned up shell component spacing, and improved dark-mode visual consistency across the header, sidebar, and main content areas. Commit: 1bfb9a6.

  4. Backup and restore error messages across all locales. New error strings for backup/restore edge cases—lock failures, checksum mismatches, missing files—are now localized in all five supported languages (en, es, ru, zh-CN, zh-TW), with improved UI prompts for backup browser refresh scenarios. Commit: 4cd9ad0.

  5. Updated project wiki link and removed obsolete security scripts. The issue-template wiki link now points to the correct URL, and the old local security scanning scripts and workflows have been removed in favor of GitHub-native security automation (CodeQL, security-extra workflows). Commit: e31f82c.

  6. Security automation and dependency hardening. Added GitHub-native CodeQL and security-extra workflows, overrode the ws dependency to address a vulnerability, and upgraded CI actions to pinned major versions (checkout v7, setup-node v6, create-pull-request v8). Dependencies refreshed include TypeScript 6.0, @types/node 26, lucide-preact 1.x, and many others across npm and GitHub Actions. Commits: 64f26e7, 32b3d2a, 5dd9dff, 8d292ca, 5bd7dab, 99f2d7f, fb9a2ae, c87e6ac.

Fixed

  1. CSV import truncating multiline field values. parseBitwardenCsvFieldLines previously discarded any line that did not contain a : delimiter, silently truncating SSH private keys and other multiline content to the first line. The parser now accumulates continuation lines correctly, so full private key content survives a CSV round-trip. Commit: 68c42a0.
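The multiline CSV behaviour described under Improved item 1 and in the fix above, as an added example that is not NodeWarden's code: it contrasts a parser that drops lines without a : delimiter with one that accumulates them, and adds a check for key values that were cut short by an earlier import. All function names, the field layout and the sample cell are assumptions made for illustration.

```typescript
// Added illustration: names and sample data are hypothetical, not NodeWarden's code.
interface CustomField { name: string; value: string; }

// Behaviour the release notes describe for the old parser: no ":" means the line is dropped.
function parseFieldLinesLossy(cell: string): CustomField[] {
  const fields: CustomField[] = [];
  for (const line of cell.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue; // continuation lines vanish without an error
    fields.push({ name: line.slice(0, idx).trim(), value: line.slice(idx + 1).trim() });
  }
  return fields;
}

// Fixed behaviour: a line without a "name:" prefix continues the previous field's value.
function parseFieldLinesAccumulating(cell: string): CustomField[] {
  const fields: CustomField[] = [];
  let current: CustomField | null = null;
  for (const line of cell.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (current !== null && idx <= 0) { current.value += "\n" + line; continue; }
    if (idx <= 0 && line.trim() === "") continue; // skip leading blank lines
    current = idx > 0
      ? { name: line.slice(0, idx).trim(), value: line.slice(idx + 1).replace(/^ /, "") }
      : { name: "", value: line }; // orphan text before any field
    fields.push(current);
  }
  return fields;
}

// Audit check: a PEM BEGIN marker with no matching END marker means the value was cut short.
function isTruncatedPem(value: string): boolean {
  const begin = /-----BEGIN ([A-Z0-9 ]+)-----/.exec(value);
  return begin !== null && !value.includes("-----END " + begin[1] + "-----");
}
function findTruncatedKeys(fields: CustomField[]): string[] {
  return fields.filter((f) => isTruncatedPem(f.value)).map((f) => f.name);
}

// Constructed sample of one CSV "fields" cell; the key body is filler, not a real key.
const SAMPLE_CELL: string = [
  "environment: staging",
  "deploy key: -----BEGIN OPENSSH PRIVATE KEY-----",
  "Y29uc3RydWN0ZWQtc2FtcGxlLWxpbmUtMQ",
  "Y29uc3RydWN0ZWQtc2FtcGxlLWxpbmUtMg",
  "-----END OPENSSH PRIVATE KEY-----",
  "owner: ops",
].join("\n");
```

Under this rule a continuation line that itself contains a colon is still read as the start of a new field, so running findTruncatedKeys over imported items is a useful check both for that case and for vaults imported before the fix.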
