Filter deprected flags and only return active flags

Signed-off-by: BlackDex <black.dex@gmail.com>

.env.template

@@ -344,21 +344,17 @@
 ## Client Settings
 ## Enable experimental feature flags for clients.
 ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
+## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
 ##
 ## The following flags are available:
-## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
-## - "autofill-v2": Use the new autofill implementation.
-## - "browser-fileless-import": Directly import credentials from other providers without a file.
-## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
-## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
 ## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "inline-menu-totp": Enable the use of inline menu TOTP codes in the browser extension.
 ## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "export-attachments": Enable support for exporting attachments (Clients >=2025.4.0)
 ## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
 ## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0)
 ## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0)
-## - "export-attachments": Enable support for exporting attachments (Clients >=2025.4.0)
-## - "inline-menu-totp": Enable the use of inline menu TOTP codes in the browser extension.
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 
 ## Require new device emails. When a user logs in an email is required to be sent.

src/api/core/mod.rs

@@ -206,9 +206,7 @@ fn config() -> Json<Value> {
     // iOS (v2025.4.0): https://github.com/bitwarden/ios/blob/956e05db67344c912e3a1b8cb2609165d67da1c9/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
     let mut feature_states =
         parse_experimental_client_feature_flags(&crate::CONFIG.experimental_client_feature_flags());
-    // Force the new key rotation feature
     feature_states.insert("duo-redirect".to_string(), true);
-
     feature_states.insert("email-verification".to_string(), true);
     feature_states.insert("unauth-ui-refresh".to_string(), true);
 
@@ -218,7 +216,7 @@ fn config() -> Json<Value> {
         // We should make sure that we keep this updated when we support the new server features
         // Version history:
         // - Individual cipher key encryption: 2024.2.0
-        "version": "2025.1.0",
+        "version": "2025.4.0",
         "gitHash": option_env!("GIT_REV"),
         "server": {
           "name": "Vaultwarden",

src/config.rs

@@ -833,19 +833,13 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         }
     }
 
-    // TODO: deal with deprecated flags so they can be removed from this list, cf. #4263
     // Server (v2025.5.0): https://github.com/bitwarden/server/blob/4a7db112a0952c6df8bacf36c317e9c4e58c3651/src/Core/Constants.cs#L102
     // Client (v2025.5.0): https://github.com/bitwarden/clients/blob/9df8a3cc50ed45f52513e62c23fcc8a4b745f078/libs/common/src/enums/feature-flag.enum.ts#L10
     // Android (v2025.4.0): https://github.com/bitwarden/android/blob/bee09de972c3870de0d54a0067996be473ec55c7/app/src/main/java/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L27
     // iOS (v2025.4.0): https://github.com/bitwarden/ios/blob/956e05db67344c912e3a1b8cb2609165d67da1c9/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
+    //
+    // NOTE: Move deprecated flags to the utils::parse_experimental_client_feature_flags() DEPRECATED_FLAGS const!
     const KNOWN_FLAGS: &[&str] = &[
-        // Start Deprecated
-        "autofill-overlay",
-        "autofill-v2",
-        "browser-fileless-import",
-        "extension-refresh",
-        "fido2-vault-credentials",
-        // End Deprecated
         // Autofill Team
         "inline-menu-positioning-improvements",
         "inline-menu-totp",
@@ -858,7 +852,6 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
         "anon-addy-self-host-alias",
         "simple-login-self-host-alias",
         "mutual-tls",
-        "export-attachments",
     ];
     let configured_flags = parse_experimental_client_feature_flags(&cfg.experimental_client_feature_flags);
     let invalid_flags: Vec<_> = configured_flags.keys().filter(|flag| !KNOWN_FLAGS.contains(&flag.as_str())).collect();

src/util.rs

@@ -752,11 +752,15 @@ pub fn convert_json_key_lcase_first(src_json: Value) -> Value {
 
 /// Parses the experimental client feature flags string into a HashMap.
 pub fn parse_experimental_client_feature_flags(experimental_client_feature_flags: &str) -> HashMap<String, bool> {
+    // These flags could still be configured, but are deprecated and not used anymore
+    // To prevent old installations from starting filter these out and not error out
+    const DEPRECATED_FLAGS: &[&str] =
+        &["autofill-overlay", "autofill-v2", "browser-fileless-import", "extension-refresh", "fido2-vault-credentials"];
     experimental_client_feature_flags
         .split(',')
         .filter_map(|f| {
             let flag = f.trim();
-            if !flag.is_empty() {
+            if !flag.is_empty() && !DEPRECATED_FLAGS.contains(&flag) {
                 return Some((flag.to_owned(), true));
             }
             None