feat: add archiving functionality for ciphers

- Introduced `archive` and `unarchive` endpoints in the API for ciphers. - Implemented bulk archiving and unarchiving of ciphers in the vault. - Updated the storage schema to include `archived_at` timestamps for ciphers. - Enhanced user interface to support archiving actions in the vault. - Added necessary translations for archive-related actions. - Updated user and device models to accommodate new fields related to archiving.
2026-06-20 21:00:41 +00:00 · 2026-03-23 01:10:48 +08:00
parent b50673f7d9
commit f7b5534cd0
28 changed files with 1179 additions and 106 deletions
@@ -75,6 +75,16 @@ function jwtSecretUnsafeReason(env: Env): 'missing' | 'default' | 'too_short' |
  return null;
 }

+async function verifyUserSecret(
+  auth: AuthService,
+  user: User,
+  secret: string | null | undefined
+): Promise<boolean> {
+  const normalized = String(secret || '').trim();
+  if (!normalized) return false;
+  return auth.verifyPassword(normalized, user.masterPasswordHash, user.email);
+}
+
 function toProfile(user: User, env: Env): ProfileResponse {
  void env;
  return {
@@ -98,6 +108,7 @@ function toProfile(user: User, env: Env): ProfileResponse {
    forcePasswordReset: false,
    avatarColor: null,
    creationDate: user.createdAt,
+    verifyDevices: user.verifyDevices,
    role: user.role,
    status: user.status,
    object: 'profile',
@@ -194,6 +205,7 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
    securityStamp: generateUUID(),
    role: 'user',
    status: 'active',
+    verifyDevices: true,
    totpSecret: null,
    totpRecoveryCode: null,
    createdAt: now,
@@ -363,6 +375,40 @@ export async function handleUpdateProfile(request: Request, env: Env, userId: st
  return jsonResponse(toProfile(user, env));
 }

+// PUT/POST /api/accounts/verify-devices
+export async function handleSetVerifyDevices(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: {
+    secret?: string;
+    masterPasswordHash?: string;
+    verifyDevices?: boolean;
+  };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (typeof body.verifyDevices !== 'boolean') {
+    return errorResponse('verifyDevices must be true or false', 400);
+  }
+
+  const verified = await verifyUserSecret(auth, user, body.secret || body.masterPasswordHash);
+  if (!verified) {
+    return errorResponse('User verification failed.', 400);
+  }
+
+  user.verifyDevices = body.verifyDevices;
+  user.updatedAt = new Date().toISOString();
+  await storage.saveUser(user);
+
+  return new Response(null, { status: 200 });
+}
+
 // POST /api/accounts/keys
 export async function handleSetKeys(request: Request, env: Env, userId: string): Promise<Response> {
  const storage = new StorageService(env.DB);
@@ -26,6 +26,31 @@ function getAliasedProp(source: any, aliases: string[]): { present: boolean; val
  return { present: false, value: undefined };
 }

+function normalizeCipherTimestamp(value: unknown): string | null {
+  if (value == null || value === '') return null;
+  const parsed = new Date(String(value));
+  if (Number.isNaN(parsed.getTime())) return null;
+  return parsed.toISOString();
+}
+
+function readCipherArchivedAt(source: any, fallback: string | null = null): string | null {
+  const archived = getAliasedProp(source, ['archivedAt', 'ArchivedAt', 'archivedDate', 'ArchivedDate']);
+  return archived.present ? normalizeCipherTimestamp(archived.value) : fallback;
+}
+
+function syncCipherComputedAliases(cipher: Cipher): Cipher {
+  cipher.archivedDate = cipher.archivedAt ?? null;
+  cipher.deletedDate = cipher.deletedAt ?? null;
+  return cipher;
+}
+
+function normalizeCipherForStorage(cipher: Cipher): Cipher {
+  cipher.login = normalizeCipherLoginForStorage(cipher.login);
+  cipher.sshKey = normalizeCipherSshKeyForCompatibility(cipher.sshKey);
+  cipher.archivedAt = normalizeCipherTimestamp(cipher.archivedAt ?? cipher.archivedDate) ?? null;
+  return syncCipherComputedAliases(cipher);
+}
+
 function looksLikeCipherString(value: unknown): boolean {
  return /^\d+\.[A-Za-z0-9+/=]+\|[A-Za-z0-9+/=]+(?:\|[A-Za-z0-9+/=]+)?$/.test(String(value || '').trim());
 }
@@ -149,7 +174,7 @@ export function cipherToResponse(
  options?: { omitFido2Credentials?: boolean }
 ): CipherResponse {
  // Strip internal-only fields that must not appear in the API response
-  const { userId, createdAt, updatedAt, deletedAt, ...passthrough } = cipher;
+  const { userId, createdAt, updatedAt, archivedAt, deletedAt, ...passthrough } = cipher;
  const normalizedLogin = normalizeCipherLoginForCompatibility((passthrough as any).login ?? null, options);
  const normalizedSshKey = normalizeCipherSshKeyForCompatibility((passthrough as any).sshKey ?? null);

@@ -163,7 +188,7 @@ export function cipherToResponse(
    creationDate: createdAt,
    revisionDate: updatedAt,
    deletedDate: deletedAt,
-    archivedDate: null,
+    archivedDate: archivedAt ?? null,
    edit: true,
    viewPassword: true,
    permissions: {
@@ -273,12 +298,12 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
    reprompt: cipherData.reprompt || 0,
    createdAt: now,
    updatedAt: now,
+    archivedAt: readCipherArchivedAt(cipherData, null),
    deletedAt: null,
  };
-  cipher.login = normalizeCipherLoginForStorage(cipher.login);
-  cipher.sshKey = normalizeCipherSshKeyForCompatibility(cipher.sshKey);
  const createFields = getAliasedProp(cipherData, ['fields', 'Fields']);
  cipher.fields = createFields.present ? (createFields.value ?? null) : (cipher.fields ?? null);
+  normalizeCipherForStorage(cipher);

  // Prevent referencing a folder owned by another user.
  if (cipher.folderId) {
@@ -331,10 +356,9 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
    reprompt: cipherData.reprompt ?? existingCipher.reprompt,
    createdAt: existingCipher.createdAt,
    updatedAt: new Date().toISOString(),
+    archivedAt: readCipherArchivedAt(cipherData, existingCipher.archivedAt ?? null),
    deletedAt: existingCipher.deletedAt,
  };
-  cipher.login = normalizeCipherLoginForStorage(cipher.login);
-  cipher.sshKey = normalizeCipherSshKeyForCompatibility(cipher.sshKey);

  // Custom fields deletion compatibility:
  // - Accept both camelCase "fields" and PascalCase "Fields".
@@ -346,6 +370,7 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
  } else if (request.method === 'PUT' || request.method === 'POST') {
    cipher.fields = null;
  }
+  normalizeCipherForStorage(cipher);

  // Prevent referencing a folder owned by another user.
  if (cipher.folderId) {
@@ -376,6 +401,7 @@ export async function handleDeleteCipher(request: Request, env: Env, userId: str
  // Soft delete
  cipher.deletedAt = new Date().toISOString();
  cipher.updatedAt = cipher.deletedAt;
+  syncCipherComputedAliases(cipher);
  await storage.saveCipher(cipher);
  const revisionDate = await storage.updateRevisionDate(userId);
  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
@@ -441,6 +467,7 @@ export async function handleRestoreCipher(request: Request, env: Env, userId: st

  cipher.deletedAt = null;
  cipher.updatedAt = new Date().toISOString();
+  syncCipherComputedAliases(cipher);
  await storage.saveCipher(cipher);
  const revisionDate = await storage.updateRevisionDate(userId);
  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
@@ -479,6 +506,7 @@ export async function handlePartialUpdateCipher(request: Request, env: Env, user
    cipher.favorite = body.favorite;
  }
  cipher.updatedAt = new Date().toISOString();
+  syncCipherComputedAliases(cipher);

  await storage.saveCipher(cipher);
  const revisionDate = await storage.updateRevisionDate(userId);
@@ -519,6 +547,131 @@ export async function handleBulkMoveCiphers(request: Request, env: Env, userId:
  return new Response(null, { status: 204 });
 }

+async function buildCipherListResponse(
+  request: Request,
+  storage: StorageService,
+  userId: string,
+  ids: string[]
+): Promise<Response> {
+  const ciphers = await storage.getCiphersByIds(ids, userId);
+  const attachmentsByCipher = await storage.getAttachmentsByCipherIds(ciphers.map((cipher) => cipher.id));
+  const omitFido2Credentials = shouldOmitPasskeysForResponse(request);
+
+  return jsonResponse({
+    data: ciphers.map((cipher) =>
+      cipherToResponse(cipher, attachmentsByCipher.get(cipher.id) || [], {
+        omitFido2Credentials,
+      })
+    ),
+    object: 'list',
+    continuationToken: null,
+  });
+}
+
+function parseCipherIdList(body: { ids?: unknown }): string[] | null {
+  if (!Array.isArray(body.ids)) return null;
+  return Array.from(new Set(body.ids.map((id) => String(id || '').trim()).filter(Boolean)));
+}
+
+// PUT/POST /api/ciphers/:id/archive
+export async function handleArchiveCipher(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const cipher = await storage.getCipher(id);
+
+  if (!cipher || cipher.userId !== userId) {
+    return errorResponse('Cipher not found', 404);
+  }
+  if (cipher.deletedAt) {
+    return errorResponse('Cannot archive a deleted cipher', 400);
+  }
+
+  cipher.archivedAt = new Date().toISOString();
+  cipher.updatedAt = cipher.archivedAt;
+  normalizeCipherForStorage(cipher);
+  await storage.saveCipher(cipher);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  const attachments = await storage.getAttachmentsByCipher(cipher.id);
+  return jsonResponse(
+    cipherToResponse(cipher, attachments, {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
+}
+
+// PUT/POST /api/ciphers/:id/unarchive
+export async function handleUnarchiveCipher(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const cipher = await storage.getCipher(id);
+
+  if (!cipher || cipher.userId !== userId) {
+    return errorResponse('Cipher not found', 404);
+  }
+
+  cipher.archivedAt = null;
+  cipher.updatedAt = new Date().toISOString();
+  normalizeCipherForStorage(cipher);
+  await storage.saveCipher(cipher);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  const attachments = await storage.getAttachmentsByCipher(cipher.id);
+  return jsonResponse(
+    cipherToResponse(cipher, attachments, {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
+}
+
+// PUT/POST /api/ciphers/archive
+export async function handleBulkArchiveCiphers(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: unknown };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const ids = parseCipherIdList(body);
+  if (!ids) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const revisionDate = await storage.bulkArchiveCiphers(ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return buildCipherListResponse(request, storage, userId, ids);
+}
+
+// PUT/POST /api/ciphers/unarchive
+export async function handleBulkUnarchiveCiphers(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: unknown };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const ids = parseCipherIdList(body);
+  if (!ids) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const revisionDate = await storage.bulkUnarchiveCiphers(ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return buildCipherListResponse(request, storage, userId, ids);
+}
+
 // POST /api/ciphers/delete - Bulk soft delete
 export async function handleBulkDeleteCiphers(request: Request, env: Env, userId: string): Promise<Response> {
  const storage = new StorageService(env.DB);
@@ -1,3 +1,4 @@
+import type { Device, DevicePendingAuthRequest, DeviceResponse, ProtectedDeviceResponse as ProtectedDeviceWireResponse } from '../types';
 import { Env } from '../types';
 import { getOnlineUserDevices, notifyUserLogout } from '../durable/notifications-hub';
 import { StorageService } from '../services/storage';
@@ -5,6 +6,101 @@ import { errorResponse, jsonResponse } from '../utils/response';
 import { readKnownDeviceProbe } from '../utils/device';
 import { generateUUID } from '../utils/uuid';

+function normalizeIdentifier(value: string | null | undefined): string {
+  return String(value || '').trim();
+}
+
+function buildDevicePendingAuthRequest(value?: { id?: string | null; creationDate?: string | null } | null): DevicePendingAuthRequest | null {
+  if (!value?.id || !value.creationDate) return null;
+  return {
+    id: String(value.id),
+    creationDate: String(value.creationDate),
+  };
+}
+
+function isTrustedDevice(device: Pick<Device, 'encryptedUserKey' | 'encryptedPublicKey'>): boolean {
+  return !!(device.encryptedUserKey && device.encryptedPublicKey);
+}
+
+function buildDeviceResponse(device: Device): DeviceResponse {
+  const response = {
+    Id: device.deviceIdentifier,
+    id: device.deviceIdentifier,
+    UserId: device.userId,
+    userId: device.userId,
+    Name: device.name,
+    name: device.name,
+    Identifier: device.deviceIdentifier,
+    identifier: device.deviceIdentifier,
+    Type: device.type,
+    type: device.type,
+    CreationDate: device.createdAt,
+    creationDate: device.createdAt,
+    RevisionDate: device.updatedAt,
+    revisionDate: device.updatedAt,
+    IsTrusted: isTrustedDevice(device),
+    isTrusted: isTrustedDevice(device),
+    EncryptedUserKey: device.encryptedUserKey,
+    encryptedUserKey: device.encryptedUserKey,
+    EncryptedPublicKey: device.encryptedPublicKey,
+    encryptedPublicKey: device.encryptedPublicKey,
+    DevicePendingAuthRequest: buildDevicePendingAuthRequest(device.devicePendingAuthRequest),
+    devicePendingAuthRequest: buildDevicePendingAuthRequest(device.devicePendingAuthRequest),
+    object: 'device',
+  };
+  return response as DeviceResponse;
+}
+
+function buildProtectedDeviceResponse(device: Device): ProtectedDeviceWireResponse {
+  const response = {
+    Id: device.deviceIdentifier,
+    id: device.deviceIdentifier,
+    Name: device.name,
+    name: device.name,
+    Identifier: device.deviceIdentifier,
+    identifier: device.deviceIdentifier,
+    Type: device.type,
+    type: device.type,
+    CreationDate: device.createdAt,
+    creationDate: device.createdAt,
+    EncryptedUserKey: device.encryptedUserKey,
+    encryptedUserKey: device.encryptedUserKey,
+    EncryptedPublicKey: device.encryptedPublicKey,
+    encryptedPublicKey: device.encryptedPublicKey,
+    object: 'protectedDevice',
+  };
+  return response as ProtectedDeviceWireResponse;
+}
+
+function parseKeysBody(body: any, fallback?: Device): {
+  encryptedUserKey?: string | null;
+  encryptedPublicKey?: string | null;
+  encryptedPrivateKey?: string | null;
+} {
+  return {
+    encryptedUserKey:
+      Object.prototype.hasOwnProperty.call(body || {}, 'encryptedUserKey')
+        ? body?.encryptedUserKey ?? null
+        : fallback?.encryptedUserKey ?? null,
+    encryptedPublicKey:
+      Object.prototype.hasOwnProperty.call(body || {}, 'encryptedPublicKey')
+        ? body?.encryptedPublicKey ?? null
+        : fallback?.encryptedPublicKey ?? null,
+    encryptedPrivateKey:
+      Object.prototype.hasOwnProperty.call(body || {}, 'encryptedPrivateKey')
+        ? body?.encryptedPrivateKey ?? null
+        : fallback?.encryptedPrivateKey ?? null,
+  };
+}
+
+async function readJsonBody(request: Request): Promise<any> {
+  try {
+    return await request.json();
+  } catch {
+    return null;
+  }
+}
+
 // GET /api/devices/knowndevice
 // Compatible with Bitwarden/Vaultwarden behavior:
 // - X-Request-Email: base64url(email) without padding
@@ -28,20 +124,42 @@ export async function handleGetDevices(request: Request, env: Env, userId: strin
  const devices = await storage.getDevicesByUserId(userId);

  return jsonResponse({
-    data: devices.map(device => ({
-      id: device.deviceIdentifier,
-      name: device.name,
-      identifier: device.deviceIdentifier,
-      type: device.type,
-      creationDate: device.createdAt,
-      revisionDate: device.updatedAt,
-      object: 'device',
-    })),
+    data: devices.map((device) => buildDeviceResponse(device)),
    object: 'list',
    continuationToken: null,
  });
 }

+// GET /api/devices/identifier/:deviceIdentifier
+export async function handleGetDeviceByIdentifier(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  const device = await storage.getDevice(userId, normalized);
+  if (!device) {
+    return errorResponse('Device not found', 404);
+  }
+
+  return jsonResponse(buildDeviceResponse(device));
+}
+
+// GET /api/devices/:deviceIdentifier
+export async function handleGetDevice(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  return handleGetDeviceByIdentifier(request, env, userId, deviceIdentifier);
+}
+
 // GET /api/devices/authorized
 // Returns known devices together with active 2FA remember-token expiry.
 export async function handleGetAuthorizedDevices(request: Request, env: Env, userId: string): Promise<Response> {
@@ -64,12 +182,7 @@ export async function handleGetAuthorizedDevices(request: Request, env: Env, use
    knownIdentifiers.add(device.deviceIdentifier);
    const trustedInfo = trustedByIdentifier.get(device.deviceIdentifier);
    return {
-      id: device.deviceIdentifier,
-      name: device.name,
-      identifier: device.deviceIdentifier,
-      type: device.type,
-      creationDate: device.createdAt,
-      revisionDate: device.updatedAt,
+      ...buildDeviceResponse(device),
      online: onlineSet.has(device.deviceIdentifier),
      trusted: !!trustedInfo,
      trustedTokenCount: trustedInfo?.tokenCount || 0,
@@ -80,13 +193,22 @@ export async function handleGetAuthorizedDevices(request: Request, env: Env, use

  for (const row of trusted) {
    if (knownIdentifiers.has(row.deviceIdentifier)) continue;
-    data.push({
-      id: row.deviceIdentifier,
+    const placeholderDevice: Device = {
+      userId,
+      deviceIdentifier: row.deviceIdentifier,
      name: 'Unknown device',
-      identifier: row.deviceIdentifier,
      type: 14,
-      creationDate: '',
-      revisionDate: '',
+      sessionStamp: '',
+      encryptedUserKey: null,
+      encryptedPublicKey: null,
+      encryptedPrivateKey: null,
+      devicePendingAuthRequest: null,
+      createdAt: '',
+      updatedAt: '',
+    };
+    data.push({
+      ...buildDeviceResponse(placeholderDevice),
+      isTrusted: true,
      online: onlineSet.has(row.deviceIdentifier),
      trusted: true,
      trustedTokenCount: row.tokenCount,
@@ -166,6 +288,138 @@ export async function handleDeleteAllDevices(request: Request, env: Env, userId:
  return jsonResponse({ success: true, removedTrusted, removedSessions: removedSessions ?? 0, removedDevices });
 }

+// PUT/POST /api/devices/identifier/:deviceIdentifier/keys
+export async function handleUpdateDeviceKeys(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const body = await readJsonBody(request);
+  const storage = new StorageService(env.DB);
+  const device = await storage.getDevice(userId, normalized);
+  if (!device) {
+    return errorResponse('Device not found', 404);
+  }
+
+  const updated = await storage.updateDeviceKeys(userId, normalized, parseKeysBody(body, device));
+  if (!updated) {
+    return errorResponse('Device not found', 404);
+  }
+
+  const nextDevice = await storage.getDevice(userId, normalized);
+  return jsonResponse(buildDeviceResponse(nextDevice || device));
+}
+
+// POST /api/devices/update-trust
+export async function handleUpdateDeviceTrust(
+  request: Request,
+  env: Env,
+  userId: string
+): Promise<Response> {
+  const body = await readJsonBody(request);
+  const storage = new StorageService(env.DB);
+  const currentDeviceIdentifier =
+    normalizeIdentifier(request.headers.get('Device-Identifier')) ||
+    normalizeIdentifier(request.headers.get('X-Device-Identifier'));
+
+  const updates: Array<{
+    deviceIdentifier: string;
+    keys: {
+      encryptedUserKey?: string | null;
+      encryptedPublicKey?: string | null;
+      encryptedPrivateKey?: string | null;
+    };
+  }> = [];
+
+  if (currentDeviceIdentifier && body?.currentDevice) {
+    updates.push({
+      deviceIdentifier: currentDeviceIdentifier,
+      keys: parseKeysBody(body.currentDevice, await storage.getDevice(userId, currentDeviceIdentifier) || undefined),
+    });
+  }
+
+  if (Array.isArray(body?.otherDevices)) {
+    for (const item of body.otherDevices) {
+      const deviceIdentifier = normalizeIdentifier(item?.deviceId);
+      if (!deviceIdentifier) continue;
+      updates.push({
+        deviceIdentifier,
+        keys: parseKeysBody(item, await storage.getDevice(userId, deviceIdentifier) || undefined),
+      });
+    }
+  }
+
+  let updatedCount = 0;
+  for (const update of updates) {
+    const ok = await storage.updateDeviceKeys(userId, update.deviceIdentifier, update.keys);
+    if (ok) updatedCount++;
+  }
+
+  return jsonResponse({ success: true, updated: updatedCount });
+}
+
+// POST /api/devices/untrust
+export async function handleUntrustDevices(
+  request: Request,
+  env: Env,
+  userId: string
+): Promise<Response> {
+  const body = await readJsonBody(request);
+  const storage = new StorageService(env.DB);
+  const devices = Array.isArray(body?.devices) ? body.devices.map((id: unknown) => normalizeIdentifier(String(id))) : [];
+  const removed = await storage.clearDeviceKeys(userId, devices);
+  for (const deviceIdentifier of devices) {
+    if (!deviceIdentifier) continue;
+    await storage.deleteTrustedTwoFactorTokensByDevice(userId, deviceIdentifier);
+  }
+  return jsonResponse({ success: true, removed });
+}
+
+// POST /api/devices/:deviceIdentifier/retrieve-keys
+export async function handleRetrieveDeviceKeys(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  const device = await storage.getDevice(userId, normalized);
+  if (!device) {
+    return errorResponse('Device not found', 404);
+  }
+
+  return jsonResponse(buildProtectedDeviceResponse(device));
+}
+
+// POST /api/devices/:id/deactivate
+export async function handleDeactivateDevice(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  await storage.deleteTrustedTwoFactorTokensByDevice(userId, normalized);
+  await storage.deleteRefreshTokensByDevice(userId, normalized);
+  const deleted = await storage.deleteDevice(userId, normalized);
+  if (deleted) {
+    await notifyUserLogout(env, userId, normalized);
+  }
+  return jsonResponse({ success: deleted });
+}
+
 // PUT /api/devices/identifier/{deviceIdentifier}/token
 // Bitwarden mobile reports push token updates to this endpoint.
 // NodeWarden does not implement push notifications, so accept and no-op.
@@ -182,3 +436,31 @@ export async function handleUpdateDeviceToken(
  return new Response(null, { status: 200 });
 }

+// PUT/POST /api/devices/:deviceIdentifier/web-push-auth
+export async function handleUpdateDeviceWebPushAuth(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  void env;
+  void userId;
+  void deviceIdentifier;
+  return new Response(null, { status: 200 });
+}
+
+// PUT/POST /api/devices/:deviceIdentifier/clear-token
+export async function handleClearDeviceToken(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  void env;
+  void userId;
+  void deviceIdentifier;
+  return new Response(null, { status: 200 });
+}
+
@@ -31,6 +31,28 @@ function resolveTotpSecret(userSecret: string | null): string | null {
  return null;
 }

+function buildPreloginResponse(
+  email: string,
+  kdfType: number,
+  kdfIterations: number,
+  kdfMemory: number | null,
+  kdfParallelism: number | null
+): Record<string, unknown> {
+  return {
+    kdf: kdfType,
+    kdfIterations,
+    kdfMemory,
+    kdfParallelism,
+    KdfSettings: {
+      KdfType: kdfType,
+      Iterations: kdfIterations,
+      Memory: kdfMemory,
+      Parallelism: kdfParallelism,
+    },
+    Salt: email.toLowerCase(),
+  };
+}
+
 function twoFactorRequiredResponse(message: string = 'Two factor required.', includeRecoveryCode: boolean = false): Response {
  const providers = includeRecoveryCode
    ? [String(TWO_FACTOR_PROVIDER_AUTHENTICATOR), TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE]
@@ -426,12 +448,7 @@ export async function handlePrelogin(request: Request, env: Env): Promise<Respon
  const kdfMemory = user?.kdfMemory ?? null;
  const kdfParallelism = user?.kdfParallelism ?? null;

-  return jsonResponse({
-    kdf: kdfType,
-    kdfIterations: kdfIterations,
-    kdfMemory: kdfMemory,
-    kdfParallelism: kdfParallelism,
-  });
+  return jsonResponse(buildPreloginResponse(email, kdfType, kdfIterations, kdfMemory, kdfParallelism));
 }

 // POST /identity/connect/revocation
@@ -232,6 +232,7 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
      key: (c as any).key ?? null,
      createdAt: now,
      updatedAt: now,
+      archivedAt: null,
      deletedAt: null,
    };
    cipher.login = normalizeCipherLoginForStorage(cipher.login);
@@ -245,10 +246,10 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
      const data = JSON.stringify(cipher);
      return env.DB
        .prepare(
-          'INSERT INTO ciphers(id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, deleted_at) ' +
-          'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+          'INSERT INTO ciphers(id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, archived_at, deleted_at) ' +
+          'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
          'ON CONFLICT(id) DO UPDATE SET ' +
-          'user_id=excluded.user_id, type=excluded.type, folder_id=excluded.folder_id, name=excluded.name, notes=excluded.notes, favorite=excluded.favorite, data=excluded.data, reprompt=excluded.reprompt, key=excluded.key, updated_at=excluded.updated_at, deleted_at=excluded.deleted_at'
+          'user_id=excluded.user_id, type=excluded.type, folder_id=excluded.folder_id, name=excluded.name, notes=excluded.notes, favorite=excluded.favorite, data=excluded.data, reprompt=excluded.reprompt, key=excluded.key, updated_at=excluded.updated_at, archived_at=excluded.archived_at, deleted_at=excluded.deleted_at'
        )
        .bind(
          cipher.id,
@@ -263,6 +264,7 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
          bindNull(cipher.key),
          cipher.createdAt,
          cipher.updatedAt,
+          bindNull(cipher.archivedAt),
          bindNull(cipher.deletedAt)
        );
    });
@@ -148,6 +148,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    forcePasswordReset: false,
    avatarColor: null,
    creationDate: user.createdAt,
+    verifyDevices: user.verifyDevices,
    object: 'profile',
  };

@@ -180,6 +181,12 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
        },
    policies: [],
    sends: sends.map(sendToResponse),
+    UserDecryption: {
+      MasterPasswordUnlock: buildUserDecryptionOptions(user).MasterPasswordUnlock,
+      TrustedDeviceOption: null,
+      KeyConnectorOption: null,
+      Object: 'userDecryption',
+    },
    // PascalCase for desktop/browser clients
    UserDecryptionOptions: buildUserDecryptionOptions(user),
    // camelCase for Android client (SyncResponseJson uses @SerialName("userDecryption"))