Improve API response formatting and structure in handlers

src/handlers/attachments.ts

@@ -1,8 +1,9 @@
-import { Env, Attachment, Cipher } from '../types';
+import { Env, Attachment } from '../types';
 import { StorageService } from '../services/storage';
 import { jsonResponse, errorResponse } from '../utils/response';
 import { generateUUID } from '../utils/uuid';
 import { createFileDownloadToken, verifyFileDownloadToken } from '../utils/jwt';
+import { cipherToResponse } from './ciphers';
 
 // Format file size to human readable
 function formatSize(bytes: number): string {
@@ -80,7 +81,7 @@ export async function handleCreateAttachment(
     attachmentId: attachmentId,
     url: `/api/ciphers/${cipherId}/attachment/${attachmentId}`,
     fileUploadType: 0, // Direct upload
-    cipherResponse: formatCipherResponse(updatedCipher!, attachments),
+    cipherResponse: cipherToResponse(updatedCipher!, attachments),
   });
 }
 
@@ -295,55 +296,10 @@ export async function handleDeleteAttachment(
   const attachments = await storage.getAttachmentsByCipher(cipherId);
 
   return jsonResponse({
-    cipher: formatCipherResponse(updatedCipher!, attachments),
+    cipher: cipherToResponse(updatedCipher!, attachments),
   });
 }
 
-// Helper: Format cipher response with attachments
-function formatCipherResponse(cipher: Cipher, attachments: Attachment[]): any {
-  return {
-    id: cipher.id,
-    organizationId: null,
-    folderId: cipher.folderId,
-    type: Number(cipher.type) || 1,
-    name: cipher.name,
-    notes: cipher.notes,
-    favorite: cipher.favorite,
-    login: cipher.login,
-    card: cipher.card,
-    identity: cipher.identity,
-    secureNote: cipher.secureNote,
-    sshKey: cipher.sshKey,
-    fields: cipher.fields,
-    passwordHistory: cipher.passwordHistory,
-    reprompt: cipher.reprompt,
-    organizationUseTotp: false,
-    creationDate: cipher.createdAt,
-    revisionDate: cipher.updatedAt,
-    deletedDate: cipher.deletedAt,
-    archivedDate: null,
-    edit: true,
-    viewPassword: true,
-    permissions: {
-      delete: true,
-      restore: true,
-    },
-    object: 'cipher',
-    collectionIds: [],
-    attachments: attachments.length > 0 ? attachments.map(a => ({
-      id: a.id,
-      fileName: a.fileName,
-      size: Number(a.size) || 0,
-      sizeName: a.sizeName,
-      key: a.key,
-      url: `/api/ciphers/${a.cipherId}/attachment/${a.id}`,
-      object: 'attachment',
-    })) : null,
-    key: cipher.key,
-    encryptedFor: null,
-  };
-}
-
 // Delete all attachments for a cipher (used when deleting cipher)
 export async function deleteAllAttachmentsForCipher(
   env: Env,

src/handlers/ciphers.ts

@@ -5,7 +5,7 @@ import { generateUUID } from '../utils/uuid';
 import { deleteAllAttachmentsForCipher } from './attachments';
 
 // Format attachments for API response
-function formatAttachments(attachments: Attachment[]): any[] | null {
+export function formatAttachments(attachments: Attachment[]): any[] | null {
   if (attachments.length === 0) return null;
   return attachments.map(a => ({
     id: a.id,
@@ -19,7 +19,7 @@ function formatAttachments(attachments: Attachment[]): any[] | null {
 }
 
 // Convert internal cipher to API response format
-function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): CipherResponse {
+export function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): CipherResponse {
   return {
     id: cipher.id,
     organizationId: null,

src/handlers/folders.ts

@@ -62,6 +62,7 @@ export async function handleCreateFolder(request: Request, env: Env, userId: str
   };
 
   await storage.saveFolder(folder);
+  await storage.updateRevisionDate(userId);
 
   return jsonResponse(folderToResponse(folder), 200);
 }
@@ -88,6 +89,7 @@ export async function handleUpdateFolder(request: Request, env: Env, userId: str
   folder.updatedAt = new Date().toISOString();
 
   await storage.saveFolder(folder);
+  await storage.updateRevisionDate(userId);
 
   return jsonResponse(folderToResponse(folder));
 }
@@ -102,6 +104,7 @@ export async function handleDeleteFolder(request: Request, env: Env, userId: str
   }
 
   await storage.deleteFolder(id, userId);
+  await storage.updateRevisionDate(userId);
 
   return new Response(null, { status: 204 });
 }

src/handlers/identity.ts

@@ -28,8 +28,8 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
     const passwordHash = body.password;
 
     if (!email || !passwordHash) {
-  // Bitwarden clients expect OAuth-style error fields.
-  return identityErrorResponse('Email and password are required', 'invalid_request', 400);
+      // Bitwarden clients expect OAuth-style error fields.
+      return identityErrorResponse('Email and password are required', 'invalid_request', 400);
     }
 
     const user = await storage.getUser(email);
@@ -93,7 +93,9 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
             Parallelism: user.kdfParallelism || null,
           },
           MasterKeyEncryptedUserKey: user.key,
+          MasterKeyWrappedUserKey: user.key,
           Salt: email, // email is already lowercased above
+          Object: 'masterPasswordUnlock',
         },
       },
     };
@@ -144,7 +146,9 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
             Parallelism: user.kdfParallelism || null,
           },
           MasterKeyEncryptedUserKey: user.key,
+          MasterKeyWrappedUserKey: user.key,
           Salt: user.email.toLowerCase(),
+          Object: 'masterPasswordUnlock',
         },
       },
     };

src/handlers/setupRegisterPage.ts

@@ -192,16 +192,16 @@ const registerPageHTML = `<!DOCTYPE html>
         <div class="mark" aria-label="NodeWarden">NW</div>
         <div class="title">
           <h1 id="t_app">NodeWarden</h1>
-          <p id="t_tag">部署在 Cloudflare Workers 上的 Bitwarden 兼容服务端。</p>
+          <p id="t_tag">Minimal Bitwarden-compatible server on Cloudflare Workers.</p>
         </div>
       </div>
 
       <div class="muted" id="t_intro" style="font-size: 13px; line-height: 1.7;">
-        创建第一个账号完成初始化，然后用任意 Bitwarden 官方客户端登录。
+        Create your first account to finish setup. Then use any official Bitwarden client to sign in.
       </div>
 
       <div style="height: 14px"></div>
-      <h2 id="t_setup">初始化</h2>
+      <h2 id="t_setup">Setup</h2>
 
       <div id="message" class="message"></div>
 

src/handlers/sync.ts

@@ -1,20 +1,7 @@
-import { Env, SyncResponse, CipherResponse, FolderResponse, ProfileResponse, Attachment } from '../types';
+import { Env, SyncResponse, CipherResponse, FolderResponse, ProfileResponse } from '../types';
 import { StorageService } from '../services/storage';
 import { jsonResponse, errorResponse } from '../utils/response';
-
-// Format attachments for API response
-function formatAttachments(attachments: Attachment[]): any[] | null {
-  if (attachments.length === 0) return null;
-  return attachments.map(a => ({
-    id: a.id,
-    fileName: a.fileName,
-    size: Number(a.size) || 0,  // Android expects Int, not String
-    sizeName: a.sizeName,
-    key: a.key,
-    url: `/api/ciphers/${a.cipherId}/attachment/${a.id}`,  // Android requires non-null url!
-    object: 'attachment',
-  }));
-}
+import { cipherToResponse } from './ciphers';
 
 // GET /api/sync
 export async function handleSync(request: Request, env: Env, userId: string): Promise<Response> {
@@ -57,40 +44,8 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
   const cipherResponses: CipherResponse[] = [];
   for (const cipher of ciphers) {
     const attachments = await storage.getAttachmentsByCipher(cipher.id);
-    cipherResponses.push({
-      id: cipher.id,
-      organizationId: null,
-      folderId: cipher.folderId,
-      type: Number(cipher.type) || 1,
-      name: cipher.name,
-      notes: cipher.notes,
-      favorite: cipher.favorite,
-      login: cipher.login,
-      card: cipher.card,
-      identity: cipher.identity,
-      secureNote: cipher.secureNote,
-      sshKey: cipher.sshKey,
-      fields: cipher.fields,
-      passwordHistory: cipher.passwordHistory,
-      reprompt: cipher.reprompt,
-      organizationUseTotp: false,
-      creationDate: cipher.createdAt,
-      revisionDate: cipher.updatedAt,
-      deletedDate: cipher.deletedAt,
-      archivedDate: null,
-      edit: true,
-      viewPassword: true,
-      permissions: {
-        delete: true,
-        restore: true,
-      },
-      object: 'cipher',
-      collectionIds: [],
-      attachments: formatAttachments(attachments),
-      key: cipher.key,
-      encryptedFor: null,
-    });
-  };
+    cipherResponses.push(cipherToResponse(cipher, attachments));
+  }
 
   // Build folder responses
   const folderResponses: FolderResponse[] = folders.map(folder => ({
@@ -112,6 +67,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
     },
     policies: [],
     sends: [],
+    // PascalCase for desktop/browser clients
     UserDecryptionOptions: {
       HasMasterPassword: true,
       Object: 'userDecryptionOptions',
@@ -123,7 +79,23 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
           Parallelism: user.kdfParallelism || null,
         },
         MasterKeyEncryptedUserKey: user.key,
+        MasterKeyWrappedUserKey: user.key,
         Salt: user.email,
+        Object: 'masterPasswordUnlock',
+      },
+    },
+    // camelCase for Android client (SyncResponseJson uses @SerialName("userDecryption"))
+    userDecryption: {
+      masterPasswordUnlock: {
+        kdf: {
+          kdfType: user.kdfType,
+          iterations: user.kdfIterations,
+          memory: user.kdfMemory || null,
+          parallelism: user.kdfParallelism || null,
+        },
+        masterKeyWrappedUserKey: user.key,
+        masterKeyEncryptedUserKey: user.key,
+        salt: user.email,
       },
     },
     object: 'sync',

src/index.ts

@@ -2,7 +2,9 @@ import { Env } from './types';
 import { handleRequest } from './router';
 import { StorageService } from './services/storage';
 
-// Global flag to track if database has been initialized in this worker instance
+// Per-isolate flag. Each Worker isolate may have its own copy of this flag,
+// but initializeDatabase() is idempotent (uses CREATE TABLE IF NOT EXISTS),
+// so redundant calls are harmless and fast (single SELECT check).
 let dbInitialized = false;
 
 export default {

src/router.ts

@@ -200,7 +200,7 @@ export async function handleRequest(request: Request, env: Env): Promise<Respons
     const userId = payload.sub;
 
     // API rate limiting for authenticated requests
-  const rateLimit = new RateLimitService(env.DB);
+    const rateLimit = new RateLimitService(env.DB);
     const clientId = getClientIdentifier(request);
     const rateLimitCheck = await rateLimit.checkApiRateLimit(userId + ':' + clientId);
     

src/services/auth.ts

@@ -6,7 +6,7 @@ export class AuthService {
   private storage: StorageService;
 
   constructor(private env: Env) {
-  this.storage = new StorageService(env.DB);
+    this.storage = new StorageService(env.DB);
   }
 
   // Verify password hash (compare with stored hash)

src/services/storage.ts

@@ -10,6 +10,9 @@ export class StorageService {
   constructor(private db: D1Database) {}
 
   // --- Database initialization ---
+  // Idempotent auto-init for environments where D1 migrations have not been applied
+  // (e.g. one-click deploy). Mirrors the schema in migrations/0001_init.sql —
+  // keep both in sync when changing the schema.
   
   async initializeDatabase(): Promise<void> {
     // Check if database is already initialized by looking for the config table
@@ -245,8 +248,8 @@ CREATE INDEX IF NOT EXISTS idx_api_rate_window ON api_rate_limits(window_start);
   // --- Ciphers ---
 
   async getCipher(id: string): Promise<Cipher | null> {
-  const row = await this.db.prepare('SELECT data FROM ciphers WHERE id = ?').bind(id).first<{ data: string }>();
-  return row?.data ? (JSON.parse(row.data) as Cipher) : null;
+    const row = await this.db.prepare('SELECT data FROM ciphers WHERE id = ?').bind(id).first<{ data: string }>();
+    return row?.data ? (JSON.parse(row.data) as Cipher) : null;
   }
 
   async saveCipher(cipher: Cipher): Promise<void> {
@@ -282,7 +285,7 @@ CREATE INDEX IF NOT EXISTS idx_api_rate_window ON api_rate_limits(window_start);
   }
 
   async getAllCiphers(userId: string): Promise<Cipher[]> {
-  const res = await this.db.prepare('SELECT data FROM ciphers WHERE user_id = ? ORDER BY updated_at DESC').bind(userId).all<{ data: string }>();
+    const res = await this.db.prepare('SELECT data FROM ciphers WHERE user_id = ? ORDER BY updated_at DESC').bind(userId).all<{ data: string }>();
     return (res.results || []).map(r => JSON.parse(r.data) as Cipher);
   }
 
@@ -416,10 +419,10 @@ CREATE INDEX IF NOT EXISTS idx_api_rate_window ON api_rate_limits(window_start);
   }
 
   async removeAttachmentFromCipher(cipherId: string, attachmentId: string): Promise<void> {
-  // No-op: schema uses NOT NULL cipher_id.
-  // Callers always delete attachment row afterwards, so this method is kept for compatibility only.
-  void cipherId;
-  void attachmentId;
+    // No-op: schema uses NOT NULL cipher_id.
+    // Callers always delete attachment row afterwards, so this method is kept for compatibility only.
+    void cipherId;
+    void attachmentId;
   }
 
   async deleteAllAttachmentsByCipher(cipherId: string): Promise<void> {

src/types/index.ts

@@ -149,7 +149,7 @@ export interface Folder {
 export interface JWTPayload {
   sub: string;      // user id
   email: string;
-  name: string;
+  name: string | null;
   email_verified: boolean; // required by mobile client
   amr: string[];    // authentication methods reference - required by mobile client
   sstamp: string;   // security stamp - invalidates token when user changes password
@@ -170,13 +170,16 @@ export interface MasterPasswordUnlockKdf {
 export interface MasterPasswordUnlock {
   Kdf: MasterPasswordUnlockKdf;
   MasterKeyEncryptedUserKey: string;
+  MasterKeyWrappedUserKey: string;
   Salt: string;
+  Object: string;
 }
 
 export interface UserDecryptionOptions {
   HasMasterPassword: boolean;
   Object: string;
-  MasterPasswordUnlock?: MasterPasswordUnlock;
+  // Bitwarden Android 2026.1.x expects this to exist; missing it breaks unlock when the vault is empty.
+  MasterPasswordUnlock: MasterPasswordUnlock;
 }
 
 // API Response types
@@ -273,6 +276,21 @@ export interface SyncResponse {
   domains: any;
   policies: any[];
   sends: any[];
+  // PascalCase for desktop/browser clients
   UserDecryptionOptions: UserDecryptionOptions | null;
+  // camelCase for Android client (SyncResponseJson uses @SerialName("userDecryption"))
+  userDecryption: {
+    masterPasswordUnlock: {
+      kdf: {
+        kdfType: number;
+        iterations: number;
+        memory: number | null;
+        parallelism: number | null;
+      };
+      masterKeyWrappedUserKey: string;
+      masterKeyEncryptedUserKey: string;
+      salt: string;
+    } | null;
+  } | null;
   object: string;
 }

src/utils/jwtSecretConfig.ts

@@ -1,7 +0,0 @@
-// Shared config related to JWT secret bootstrapping / safety checks.
-// Keep this in one place so handlers don't duplicate the sample value.
-
-// IMPORTANT:
-// This is a *sample* secret value used in `.dev.vars.example`.
-// If the runtime JWT_SECRET equals this value, we treat it as unsafe.
-export const DEFAULT_DEV_SECRET = 'Enter-your-JWT-key-here-at-least-32-characters';