bitwarden · Hinton · Aug 22, 2025 · May 26, 2025 · May 26, 2025 · May 26, 2025
@@ -143,6 +143,7 @@ mod tests {
     use crate::{
         key_management::SymmetricKeyId,
         mobile::crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
+        UserId,
     };
 
     #[test]
@@ -243,7 +244,7 @@ mod tests {
         new_device
             .crypto()
             .initialize_user_crypto(InitUserCryptoRequest {
-                user_id: Some(uuid::Uuid::new_v4()),
+                user_id: Some(UserId::new_v4()),
                 kdf_params: kdf,
                 email: email.to_owned(),
                 private_key: private_key.to_owned(),

@@ -5,7 +5,6 @@ use bitwarden_crypto::{EncString, KeyDecryptable, SymmetricCryptoKey};
 use chrono::Utc;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
-use uuid::Uuid;
 
 use super::LoginError;
 use crate::{
@@ -17,7 +16,7 @@ use crate::{
     client::{LoginMethod, ServiceAccountLoginMethod},
     require,
     secrets_manager::state::{self, ClientState},
-    Client,
+    Client, OrganizationId,
 };
 
 pub(crate) async fn login_access_token(
@@ -36,7 +35,7 @@ pub(crate) async fn login_access_token(
                 .set_login_method(LoginMethod::ServiceAccount(
                     ServiceAccountLoginMethod::AccessToken {
                         access_token,
-                        organization_id,
+                        organization_id: organization_id.into(),
                         state_file: Some(state_file.to_path_buf()),
                     },
                 ));
@@ -118,7 +117,7 @@ fn load_tokens_from_state(
     client: &Client,
     state_file: &Path,
     access_token: &AccessToken,
-) -> Result<Uuid, LoginError> {
+) -> Result<OrganizationId, LoginError> {
     let client_state = state::get(state_file, access_token)?;
 
     let token: JwtToken = client_state.token.parse()?;
@@ -127,7 +126,7 @@ fn load_tokens_from_state(
         let time_till_expiration = (token.exp as i64) - Utc::now().timestamp();
 
         if time_till_expiration > 0 {
-            let organization_id: Uuid = organization_id
+            let organization_id: OrganizationId = organization_id
                 .parse()
                 .map_err(|_| LoginError::InvalidOrganizationId)?;
             let encryption_key = SymmetricCryptoKey::try_from(client_state.encryption_key)?;

@@ -3,7 +3,9 @@ use bitwarden_crypto::{AsymmetricCryptoKey, KeyStore, SymmetricCryptoKey};
 use bitwarden_crypto::{EncString, UnsignedSharedKey};
 use bitwarden_error::bitwarden_error;
 use thiserror::Error;
-use uuid::Uuid;
+
+#[cfg(any(feature = "secrets", feature = "internal"))]
+use crate::OrganizationId;
 
 use crate::{
     error::UserIdAlreadySetError,
@@ -85,21 +87,21 @@ impl EncryptionSettings {
     /// This is used only for logging in Secrets Manager with an access token
     #[cfg(feature = "secrets")]
     pub(crate) fn new_single_org_key(
-        organization_id: Uuid,
+        organization_id: OrganizationId,
         key: SymmetricCryptoKey,
         store: &KeyStore<KeyIds>,
     ) {
         // FIXME: [PM-18098] When this is part of crypto we won't need to use deprecated methods
         #[allow(deprecated)]
         store
             .context_mut()
-            .set_symmetric_key(SymmetricKeyId::Organization(organization_id), key)
+            .set_symmetric_key(SymmetricKeyId::Organization(organization_id.into()), key)
             .expect("Mutable context");
     }
 
     #[cfg(feature = "internal")]
     pub(crate) fn set_org_keys(
-        org_enc_keys: Vec<(Uuid, UnsignedSharedKey)>,
+        org_enc_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
         store: &KeyStore<KeyIds>,
     ) -> Result<(), EncryptionSettingsError> {
         let mut ctx = store.context_mut();
@@ -121,7 +123,7 @@ impl EncryptionSettings {
         for (org_id, org_enc_key) in org_enc_keys {
             ctx.decapsulate_key_unsigned(
                 AsymmetricKeyId::UserPrivateKey,
-                SymmetricKeyId::Organization(org_id),
+                SymmetricKeyId::Organization(org_id.into()),
                 &org_enc_key,
             )?;
         }

@@ -6,7 +6,6 @@ use bitwarden_crypto::SymmetricCryptoKey;
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{EncString, Kdf, MasterKey, PinKey, UnsignedSharedKey};
 use chrono::Utc;
-use uuid::Uuid;
 
 #[cfg(feature = "secrets")]
 use super::login_method::ServiceAccountLoginMethod;
@@ -15,13 +14,14 @@ use crate::{
     client::{encryption_settings::EncryptionSettings, login_method::LoginMethod},
     error::UserIdAlreadySetError,
     key_management::KeyIds,
-    DeviceType,
+    DeviceType, UserId,
 };
 #[cfg(feature = "internal")]
 use crate::{
     client::encryption_settings::EncryptionSettingsError,
     client::{flags::Flags, login_method::UserLoginMethod},
     error::NotAuthenticatedError,
+    OrganizationId,
 };
 
 #[derive(Debug, Clone)]
@@ -45,7 +45,7 @@ pub(crate) struct Tokens {
 
 #[derive(Debug)]
 pub struct InternalClient {
-    pub(crate) user_id: OnceLock<Uuid>,
+    pub(crate) user_id: OnceLock<UserId>,
     pub(crate) tokens: RwLock<Tokens>,
     pub(crate) login_method: RwLock<Option<Arc<LoginMethod>>>,
 
@@ -83,7 +83,7 @@ impl InternalClient {
             .clone()
     }
 
-    pub fn get_access_token_organization(&self) -> Option<Uuid> {
+    pub fn get_access_token_organization(&self) -> Option<OrganizationId> {
         match self
             .login_method
             .read()
@@ -174,11 +174,11 @@ impl InternalClient {
         &self.key_store
     }
 
-    pub fn init_user_id(&self, user_id: Uuid) -> Result<(), UserIdAlreadySetError> {
+    pub fn init_user_id(&self, user_id: UserId) -> Result<(), UserIdAlreadySetError> {
         self.user_id.set(user_id).map_err(|_| UserIdAlreadySetError)
     }
 
-    pub fn get_user_id(&self) -> Option<Uuid> {
+    pub fn get_user_id(&self) -> Option<UserId> {
         self.user_id.get().copied()
     }
 
@@ -220,17 +220,23 @@ impl InternalClient {
     #[cfg(feature = "secrets")]
     pub(crate) fn initialize_crypto_single_org_key(
         &self,
-        organization_id: Uuid,
+        organization_id: OrganizationId,
         key: SymmetricCryptoKey,
     ) {
-        EncryptionSettings::new_single_org_key(organization_id, key, &self.key_store);
+        EncryptionSettings::new_single_org_key(organization_id.into(), key, &self.key_store);
     }
 
     #[cfg(feature = "internal")]
     pub fn initialize_org_crypto(
         &self,
-        org_keys: Vec<(Uuid, UnsignedSharedKey)>,
+        org_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
     ) -> Result<(), EncryptionSettingsError> {
-        EncryptionSettings::set_org_keys(org_keys, &self.key_store)
+        EncryptionSettings::set_org_keys(
+            org_keys
+                .into_iter()
+                .map(|(id, key)| (id.into(), key))
+                .collect(),
+            &self.key_store,
+        )
     }
 }
@@ -1,12 +1,10 @@
 #[cfg(feature = "secrets")]
 use std::path::PathBuf;
 
-use bitwarden_crypto::Kdf;
-#[cfg(feature = "secrets")]
-use uuid::Uuid;
-
 #[cfg(feature = "secrets")]
 use crate::auth::AccessToken;
+use crate::OrganizationId;
+use bitwarden_crypto::Kdf;
 
 #[derive(Debug)]
 pub(crate) enum LoginMethod {
@@ -40,7 +38,7 @@ pub(crate) enum UserLoginMethod {
 pub(crate) enum ServiceAccountLoginMethod {
     AccessToken {
         access_token: AccessToken,
-        organization_id: Uuid,
+        organization_id: OrganizationId,
         state_file: Option<PathBuf>,
     },
 }
@@ -8,7 +8,7 @@ use crate::{
         initialize_org_crypto, initialize_user_crypto, InitOrgCryptoRequest, InitUserCryptoMethod,
         InitUserCryptoRequest,
     },
-    Client,
+    Client, UserId,
 };
 
 impl Client {
@@ -117,7 +117,7 @@ pub struct TestAccount {
 pub fn test_bitwarden_com_account() -> TestAccount {
     TestAccount {
         user: InitUserCryptoRequest {
-            user_id: Some(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8")),
+            user_id: Some(UserId::new(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8"))),
             kdf_params: Kdf::PBKDF2 {
                 iterations: 600_000.try_into().unwrap(),
             },
@@ -175,7 +175,7 @@ pub fn test_bitwarden_com_account() -> TestAccount {
 pub fn test_legacy_user_key_account() -> TestAccount {
     TestAccount {
         user: InitUserCryptoRequest {
-            user_id: Some(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8")),
+            user_id: Some(UserId::new(uuid::uuid!("060000fb-0922-4dd3-b170-6e15cb5df8c8"))),
             kdf_params: Kdf::PBKDF2 {
                 iterations: 600_000.try_into().unwrap(),
             },

@@ -1,3 +1,4 @@
-use bitwarden_uuid::uuid;
+use bitwarden_uuid::uuid_newtype;
 
-uuid!(pub OrganizationId);
+uuid_newtype!(pub OrganizationId);
+uuid_newtype!(pub UserId);
diff --git a/crates/bitwarden-core/src/mobile/crypto.rs b/crates/bitwarden-core/src/mobile/crypto.rs
@@ -18,7 +18,7 @@ use {tsify_next::Tsify, wasm_bindgen::prelude::*};
 use crate::{
     client::{encryption_settings::EncryptionSettingsError, LoginMethod, UserLoginMethod},
     key_management::SymmetricKeyId,
-    Client, NotAuthenticatedError, VaultLockedError, WrongPasswordError,
+    Client, NotAuthenticatedError, OrganizationId, UserId, VaultLockedError, WrongPasswordError,
 };
 
 /// Catch all error for mobile crypto operations.
@@ -39,7 +39,7 @@ pub enum MobileCryptoError {
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
 #[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
 pub struct InitUserCryptoRequest {
-    pub user_id: Option<uuid::Uuid>,
+    pub user_id: Option<UserId>,
     /// The user's KDF parameters, as received from the prelogin request
     pub kdf_params: Kdf,
     /// The user's email address
@@ -232,7 +232,7 @@ pub async fn initialize_user_crypto(
 #[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
 pub struct InitOrgCryptoRequest {
     /// The encryption keys for all the organizations the user is a part of
-    pub organization_keys: HashMap<uuid::Uuid, UnsignedSharedKey>,
+    pub organization_keys: HashMap<OrganizationId, UnsignedSharedKey>,
 }
 
 /// Initialize the user's organizational cryptographic state.
@@ -569,7 +569,7 @@ mod tests {
         initialize_user_crypto(
             & client,
             InitUserCryptoRequest {
-                user_id: Some(uuid::Uuid::new_v4()),
+                user_id: Some(UserId::new_v4()),
                 kdf_params: kdf.clone(),
                 email: "[email protected]".into(),
                 private_key: priv_key.to_owned(),
@@ -589,7 +589,7 @@ mod tests {
         initialize_user_crypto(
             &client2,
             InitUserCryptoRequest {
-                user_id: Some(uuid::Uuid::new_v4()),
+                user_id: Some(UserId::new_v4()),
                 kdf_params: kdf.clone(),
                 email: "[email protected]".into(),
                 private_key: priv_key.to_owned(),
@@ -645,7 +645,7 @@ mod tests {
         initialize_user_crypto(
             & client,
             InitUserCryptoRequest {
-                user_id: Some(uuid::Uuid::new_v4()),
+                user_id: Some(UserId::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },
@@ -667,7 +667,7 @@ mod tests {
         initialize_user_crypto(
             &client2,
             InitUserCryptoRequest {
-                user_id: Some(uuid::Uuid::new_v4()),
+                user_id: Some(UserId::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },
@@ -710,7 +710,7 @@ mod tests {
         initialize_user_crypto(
             &client3,
             InitUserCryptoRequest {
-                user_id: Some(uuid::Uuid::new_v4()),
+                user_id: Some(UserId::new_v4()),
                 kdf_params: Kdf::PBKDF2 {
                     iterations: 100_000.try_into().unwrap(),
                 },

@@ -8,7 +8,7 @@ async fn test_register_initialize_crypto() {
 
     use bitwarden_core::{
         mobile::crypto::{InitUserCryptoMethod, InitUserCryptoRequest},
-        Client,
+        Client, UserId,
     };
     use bitwarden_crypto::Kdf;
 
@@ -29,7 +29,7 @@ async fn test_register_initialize_crypto() {
     client
         .crypto()
         .initialize_user_crypto(InitUserCryptoRequest {
-            user_id: Some(uuid::Uuid::new_v4()),
+            user_id: Some(UserId::new_v4()),
             kdf_params: kdf,
             email: email.to_owned(),
             private_key: register_response.keys.private.to_string(),

@@ -1,7 +1,7 @@
 use std::fmt;
 
 use bitwarden_vault::{
-    CipherRepromptType, CipherView, Fido2CredentialFullView, LoginUriView, UriMatchType,
+    CipherRepromptType, CipherView, Fido2CredentialFullView, FolderId, LoginUriView, UriMatchType,
 };
 use chrono::{DateTime, Utc};
 use uuid::Uuid;
@@ -117,7 +117,7 @@ impl From<ImportingCipher> for CipherView {
         Self {
             id: None,
             organization_id: None,
-            folder_id: value.folder_id,
+            folder_id: value.folder_id.map(FolderId::new),
             collection_ids: vec![],
             key: None,
             name: value.name,