bring back tags to secret version

feat(folders): resolved auth issues and added the env dropdown change…

.dockerignore

@@ -0,0 +1,2 @@
+backend/node_modules
+frontend/node_modules

.env.example

@@ -9,6 +9,7 @@ JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
 JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
 JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
 JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
+JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
 
 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
@@ -16,6 +17,7 @@ JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=
+JWT_PROVIDER_AUTH_LIFETIME=
 
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@@ -66,3 +68,6 @@ STRIPE_PRODUCT_STARTER=
 STRIPE_PRODUCT_TEAM=
 STRIPE_PRODUCT_PRO=
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+
+CLIENT_ID_GOOGLE=
+CLIENT_SECRET_GOOGLE=

.github/resources/docker-compose.be-test.yml

@@ -13,6 +13,7 @@ services:
       - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
       - MONGO_USERNAME=test
       - MONGO_PASSWORD=example
+      - ENCRYPTION_KEY=a984ecdf82ec779e55dbcc21303a900f
     networks:
       - infisical-test
 

.github/workflows/check-be-pull-request.yml

@@ -13,6 +13,7 @@ jobs:
   check-be-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: ☁️ Checkout source
@@ -26,17 +27,17 @@ jobs:
       - name: 📦 Install dependencies
         run: npm ci --only-production
         working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: 📁 Upload test results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: be-test-results
-          path: |
-            ./backend/reports
-            ./backend/coverage
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      # - name: 📁 Upload test results
+      #   uses: actions/upload-artifact@v3
+      #   if: always()
+      #   with:
+      #     name: be-test-results
+      #     path: |
+      #       ./backend/reports
+      #       ./backend/coverage
       - name: 🏗️ Run build
         run: npm run build
         working-directory: backend

.github/workflows/check-fe-pull-request.yml

@@ -2,40 +2,35 @@ name: Check Frontend Pull Request
 
 on:
   pull_request:
-    types: [ opened, synchronize ]
+    types: [opened, synchronize]
     paths:
-      - 'frontend/**'
-      - '!frontend/README.md'
-      - '!frontend/.*'
-      - 'frontend/.eslintrc.js'
-
+      - "frontend/**"
+      - "!frontend/README.md"
+      - "!frontend/.*"
+      - "frontend/.eslintrc.js"
 
 jobs:
-
   check-fe-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
-      -
-        name: ☁️ Checkout source
+      - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      -
-        name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 16
         uses: actions/setup-node@v3
         with:
-          node-version: '16'
-          cache: 'npm'
+          node-version: "16"
+          cache: "npm"
           cache-dependency-path: frontend/package-lock.json
-      -
-        name: 📦 Install dependencies
+      - name: 📦 Install dependencies
         run: npm ci --only-production --ignore-scripts
         working-directory: frontend
       # -
       #   name: 🧪 Run tests
       #   run: npm run test:ci
       #   working-directory: frontend
-      -
-        name: 🏗️ Run build
+      - name: 🏗️ Run build
         run: npm run build
         working-directory: frontend

.goreleaser.yaml

@@ -15,13 +15,12 @@ monorepo:
   tag_prefix: infisical-cli/
   dir: cli
 
-env:
-  - POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
-
 builds:
   - id: darwin-build
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     env:
@@ -39,7 +38,9 @@ builds:
     env:
       - CGO_ENABLED=0
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     goos:

.husky/pre-commit

@@ -3,3 +3,5 @@
 . "$(dirname -- "$0")/_/husky.sh"
 
 npx lint-staged
+
+infisical scan git-changes --staged -v

.infisicalignore

@@ -0,0 +1 @@
+.github/resources/docker-compose.be-test.yml:generic-api-key:16

Dockerfile.standalone-infisical

@@ -77,7 +77,7 @@ RUN npm ci --only-production
 COPY --from=backend-build /app .
 
 # Production stage
-FROM node:14-alpine AS production
+FROM node:16-alpine AS production
 
 WORKDIR / 
 

README.md

@@ -7,7 +7,7 @@
 </p>
 
 <h4 align="center">
-  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">Slack</a> |
+  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a> |
   <a href="https://infisical.com/">Infisical Cloud</a> |
   <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
   <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
@@ -25,9 +25,9 @@
     <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
   </a>
   <a href="https://cloudsmith.io/~infisical/repos/">
-    <img src="https://img.shields.io/badge/Downloads-150.8k-orange" alt="Cloudsmith downloads" />
+    <img src="https://img.shields.io/badge/Downloads-240.2k-orange" alt="Cloudsmith downloads" />
   </a>
-  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">
+  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">
     <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
   </a>
   <a href="https://twitter.com/infisical">
@@ -55,7 +55,7 @@ We're on a mission to make secret management more accessible to everyone, not ju
 -   **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project
 -   **Role-based Access Controls** per environment
 -   [**Simple on-premise deployments** to AWS and Digital Ocean](https://infisical.com/docs/self-hosting/overview)
-- [**2FA**](https://infisical.com/docs/documentation/platform/mfa) with more options coming soon
+-   [**Secret Scanning**](https://infisical.com/docs/cli/scanning-overview)
 
 And much more.
 
@@ -69,7 +69,9 @@ The fastest and most reliable way to get started with Infisical is signing up fo
 
 ### Deploy Infisical on premise
 
-Deployment options: [AWS EC2](https://infisical.com/docs/self-hosting/overview), [Kubernetes](https://infisical.com/docs/self-hosting/overview), and [more](https://infisical.com/docs/self-hosting/overview).
+<a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace"><img src=".github/images/do-k8-install-btn.png" width="200"/></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-aws-button.png" width="150" width="300" /></a>
+
+View all [deployment options](https://infisical.com/docs/self-hosting/overview)
 
 ### Run Infisical locally
 
@@ -89,6 +91,24 @@ git clone https://github.com/Infisical/infisical && cd infisical && copy .env.ex
 
 Create an account at `http://localhost:80`
 
+### Scan and prevent secret leaks 
+On top managing secrets with Infisical, you can also scan for over 140+ secret types in your files, directories and git repositories. 
+
+To scan your full git history, run:
+
+```
+infisical scan --verbose
+```
+
+Install pre commit hook to scan each commit before you push to your repository 
+
+```
+infisical scan install --pre-commit-hook
+```
+
+Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview) 
+
+
 ## Open-source vs. paid
 
 This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license in the future. 
@@ -108,12 +128,12 @@ Whether it's big or small, we love contributions. Check out our guide to see how
 Not sure where to get started? You can:
 
 -   [Book a free, non-pressure pairing sessions with one of our teammates](mailto:tony@infisical.com?subject=Pairing%20session&body=I'd%20like%20to%20do%20a%20pairing%20session!)!
--   Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">Slack</a>, and ask us any questions there.
+-   Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a>, and ask us any questions there.
 
 ## Resources
 
 - [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
-- [Slack](https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g) for discussion with the community and Infisical team.
+- [Slack](https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg) for discussion with the community and Infisical team.
 - [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
 - [Twitter](https://twitter.com/infisical) for fast news
 - [YouTube](https://www.youtube.com/@infisical5306) for videos on secret management

backend/package.json

@@ -24,16 +24,21 @@
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
-    "infisical-node": "^1.1.3",
+    "infisical-node": "^1.2.1",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
     "mongoose": "^6.10.5",
+    "node-cache": "^5.1.2",
+    "nanoid": "^3.3.6",
     "nodemailer": "^6.8.0",
+    "passport": "^0.6.0",
+    "passport-google-oauth20": "^2.0.0",
     "posthog-node": "^2.6.0",
     "query-string": "^7.1.3",
+    "rate-limit-mongo": "^2.3.2",
     "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
@@ -86,6 +91,7 @@
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
+    "@types/passport": "^1.0.12",
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",

backend/src/config/index.ts

@@ -1,12 +1,19 @@
 import InfisicalClient from 'infisical-node';
 
-const client = new InfisicalClient({
+export const client = new InfisicalClient({
   token: process.env.INFISICAL_TOKEN!
 });
 
 export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
-export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue == undefined ? false : (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue;
-export const getEncryptionKey = async () => (await client.getSecret('ENCRYPTION_KEY')).secretValue;
+export const getEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ENCRYPTION_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getRootEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ROOT_ENCRYPTION_KEY')).secretValue; 
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue === 'true'
 export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
 export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
 export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
@@ -16,6 +23,8 @@ export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_RE
 export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
 export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
 export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
+export const getJwtProviderAuthSecret = async () => (await client.getSecret('JWT_PROVIDER_AUTH_SECRET')).secretValue;
+export const getJwtProviderAuthLifetime = async () => (await client.getSecret('JWT_PROVIDER_AUTH_LIFETIME')).secretValue || '15m';
 export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
 export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
 export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
@@ -27,12 +36,14 @@ export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_
 export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
 export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
 export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
+export const getClientIdGoogle = async () => (await client.getSecret('CLIENT_ID_GOOGLE')).secretValue;
 export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
 export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
 export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
 export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
 export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
 export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
+export const getClientSecretGoogle = async () => (await client.getSecret('CLIENT_SECRET_GOOGLE')).secretValue;
 export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
 export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
 export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
@@ -45,12 +56,25 @@ export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAM
 export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
 export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
 export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+
+export const getLicenseKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_SERVER_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerUrl = async () => (await client.getSecret('LICENSE_SERVER_URL')).secretValue || 'https://portal.infisical.com';
+
+// TODO: deprecate from here
 export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
 export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
 export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
 export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
 export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
 export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
+
 export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
 export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
 export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true

backend/src/config/request.ts

@@ -1,10 +1,24 @@
 import axios from 'axios';
 import axiosRetry from 'axios-retry';
+import {
+  getLicenseServerKeyAuthToken,
+  setLicenseServerKeyAuthToken,
+  getLicenseKeyAuthToken,
+  setLicenseKeyAuthToken
+} from './storage';
+import {
+  getLicenseKey,
+  getLicenseServerKey, 
+  getLicenseServerUrl
+} from './index';
 
-const axiosInstance = axios.create();
+// should have JWT to interact with the license server
+export const licenseServerKeyRequest = axios.create();
+export const licenseKeyRequest = axios.create();
+export const standardRequest = axios.create();
 
 // add retry functionality to the axios instance
-axiosRetry(axiosInstance, {
+axiosRetry(standardRequest, {
   retries: 3,
   retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
   retryCondition: (error) => {
@@ -13,4 +27,98 @@ axiosRetry(axiosInstance, {
   },
 });
 
-export default axiosInstance;
+export const refreshLicenseServerKeyToken = async () => {
+  const licenseServerKey = await getLicenseServerKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseServerKey
+      }
+    }
+  );
+
+  setLicenseServerKeyAuthToken(token);
+
+  return token;
+}
+
+export const refreshLicenseKeyToken = async () => {
+  const licenseKey = await getLicenseKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseKey
+      }
+    }
+  );
+
+  setLicenseKeyAuthToken(token);
+
+  return token;
+}
+
+licenseServerKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseServerKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseServerKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseServerKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseServerKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});

backend/src/config/storage.ts

@@ -0,0 +1,30 @@
+const MemoryLicenseServerKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const MemoryLicenseKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const licenseServerTokenStorage = MemoryLicenseServerKeyTokenStorage();
+const licenseTokenStorage = MemoryLicenseKeyTokenStorage();
+
+export const getLicenseServerKeyAuthToken = licenseServerTokenStorage.getToken;
+export const setLicenseServerKeyAuthToken = licenseServerTokenStorage.setToken;
+
+export const getLicenseKeyAuthToken = licenseTokenStorage.getToken;
+export const setLicenseKeyAuthToken = licenseTokenStorage.setToken;

backend/src/controllers/v1/authController.ts

@@ -267,3 +267,7 @@ export const getNewToken = async (req: Request, res: Response) => {
     });
   }
 };
+
+export const handleAuthProviderCallback = (req: Request, res: Response) => {
+  res.redirect(`/login/provider/success?token=${encodeURIComponent(req.providerAuthToken)}`);
+}

backend/src/controllers/v1/integrationAuthController.ts

@@ -5,7 +5,7 @@ import {
 	IntegrationAuth,
 	Bot 
 } from '../../models';
-import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
 import { IntegrationService } from '../../services';
 import {
 	getApps, 
@@ -16,7 +16,7 @@ import {
 	INTEGRATION_VERCEL_API_URL,
 	INTEGRATION_RAILWAY_API_URL
 } from '../../variables';
-import request from '../../config/request';
+import { standardRequest } from '../../config/request';
 
 /***
  * Return integration authorization with id [integrationAuthId]
@@ -129,7 +129,9 @@ export const saveIntegrationAccessToken = async (
             integration
         }, {
             workspace: new Types.ObjectId(workspaceId),
-            integration
+            integration,
+			algorithm: ALGORITHM_AES_256_GCM,
+			keyEncoding: ENCODING_SCHEME_UTF8
 		}, {
             new: true,
             upsert: true
@@ -229,7 +231,7 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
 	let branches: string[] = [];
 	
 	if (appId && appId !== '') {
-		const { data }: { data: VercelBranch[] } = await request.get(
+		const { data }: { data: VercelBranch[] } = await standardRequest.get(
 			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
 			{
 				params,
@@ -292,7 +294,7 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 			projectId: appId
 		}
 		
-		const { data: { data: { environments: { edges } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+		const { data: { data: { environments: { edges } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
 			query,
 			variables,
 		}, {
@@ -372,7 +374,7 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
 			id: appId
 		}
 		
-		const { data: { data: { project: { services: { edges } } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+		const { data: { data: { project: { services: { edges } } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
 			query,
 			variables
 		}, {

backend/src/controllers/v1/membershipOrgController.ts

@@ -135,6 +135,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 			}
 
 			if (!inviteeMembershipOrg) {
+				
 				await new MembershipOrg({
 					user: invitee,
 					inviteEmail: inviteeEmail,
@@ -246,6 +247,10 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			// membership can be approved and redirected to login/dashboard
 			membershipOrg.status = ACCEPTED;
 			await membershipOrg.save();
+			
+			await updateSubscriptionOrgQuantity({
+				organizationId
+			});
 
 			return res.status(200).send({
 				message: 'Successfully verified email',

backend/src/controllers/v1/secretsFolderController.ts

@@ -1,107 +1,218 @@
-import { Request, Response } from 'express';
-import { Secret } from '../../models';
-import Folder from '../../models/folder';
-import { BadRequestError } from '../../utils/errors';
-import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
-import { ADMIN, MEMBER } from '../../variables';
-import { validateMembership } from '../../helpers/membership';
+import { Request, Response } from "express";
+import { Secret } from "../../models";
+import Folder from "../../models/folder";
+import { BadRequestError } from "../../utils/errors";
+import {
+  appendFolder,
+  deleteFolderById,
+  getAllFolderIds,
+  searchByFolderIdWithDir,
+  searchByFolderId,
+  validateFolderName,
+  generateFolderId,
+  getParentFromFolderId,
+} from "../../services/FolderService";
+import { ADMIN, MEMBER } from "../../variables";
+import { validateMembership } from "../../helpers/membership";
+import { FolderVersion } from "../../ee/models";
+import { EESecretService } from "../../ee/services";
 
 // TODO
 // verify workspace id/environment
 export const createFolder = async (req: Request, res: Response) => {
-  const { workspaceId, environment, folderName, parentFolderId } = req.body
+  const { workspaceId, environment, folderName, parentFolderId } = req.body;
   if (!validateFolderName(folderName)) {
-    throw BadRequestError({ message: "Folder name cannot contain spaces. Only underscore and dashes" })
+    throw BadRequestError({
+      message: "Folder name cannot contain spaces. Only underscore and dashes",
+    });
   }
 
-  if (parentFolderId) {
-    const parentFolder = await Folder.find({ environment: environment, workspace: workspaceId, id: parentFolderId });
-    if (!parentFolder) {
-      throw BadRequestError({ message: "The parent folder doesn't exist" })
-    }
-  }
-
-  let completePath = await getFolderPath(parentFolderId)
-  if (completePath == ROOT_FOLDER_PATH) {
-    completePath = ""
-  }
-
-  const currentFolderPath = completePath + "/" + folderName // construct new path with current folder to be created
-  const normalizedCurrentPath = normalizePath(currentFolderPath)
-  const normalizedParentPath = getParentPath(normalizedCurrentPath)
-
-  const existingFolder = await Folder.findOne({
-    name: folderName,
+  const folders = await Folder.findOne({
     workspace: workspaceId,
-    environment: environment,
-    parent: parentFolderId,
-    path: normalizedCurrentPath
+    environment,
+  }).lean();
+  // space has no folders initialized
+  if (!folders) {
+    const id = generateFolderId();
+    const folder = new Folder({
+      workspace: workspaceId,
+      environment,
+      nodes: {
+        id: "root",
+        name: "root",
+        version: 1,
+        children: [{ id, name: folderName, children: [], version: 1 }],
+      },
+    });
+    await folder.save();
+    const folderVersion = new FolderVersion({
+      workspace: workspaceId,
+      environment,
+      nodes: folder.nodes,
+    });
+    await folderVersion.save();
+    await EESecretService.takeSecretSnapshot({
+      workspaceId,
+      environment,
+    });
+    return res.json({ folder: { id, name: folderName } });
+  }
+
+  const folder = appendFolder(folders.nodes, { folderName, parentFolderId });
+  await Folder.findByIdAndUpdate(folders._id, folders);
+
+  const parentFolder = searchByFolderId(folders.nodes, parentFolderId);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolderId,
   });
 
-  if (existingFolder) {
-    return res.json(existingFolder)
+  return res.json({ folder });
+};
+
+export const updateFolderById = async (req: Request, res: Response) => {
+  const { folderId } = req.params;
+  const { name, workspaceId, environment } = req.body;
+
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
   }
 
-  const newFolder = new Folder({
-    name: folderName,
-    workspace: workspaceId,
-    environment: environment,
-    parent: parentFolderId,
-    path: normalizedCurrentPath,
-    parentPath: normalizedParentPath
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
   });
 
-  await newFolder.save();
+  const parentFolder = getParentFromFolderId(folders.nodes, folderId);
+  if (!parentFolder) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const folder = parentFolder.children.find(({ id }) => id === folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
 
-  return res.json(newFolder)
-}
+  parentFolder.version += 1;
+  folder.name = name;
+
+  await Folder.findByIdAndUpdate(folders._id, folders);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolder.id,
+  });
+
+  return res.json({
+    message: "Successfully updated folder",
+    folder: { name: folder.name, id: folder.id },
+  });
+};
 
 export const deleteFolder = async (req: Request, res: Response) => {
-  const { folderId } = req.params
-  const queue: any[] = [folderId];
+  const { folderId } = req.params;
+  const { workspaceId, environment } = req.body;
 
-  const folder = await Folder.findById(folderId);
-  if (!folder) {
-    throw BadRequestError({ message: "The folder doesn't exist" })
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
   }
 
   // check that user is a member of the workspace
   await validateMembership({
     userId: req.user._id.toString(),
-    workspaceId: folder.workspace as any,
-    acceptedRoles: [ADMIN, MEMBER]
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
   });
 
-  while (queue.length > 0) {
-    const currentFolderId = queue.shift();
+  const delOp = deleteFolderById(folders.nodes, folderId);
+  if (!delOp) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const { deletedNode: delFolder, parent: parentFolder } = delOp;
 
-    const childFolders = await Folder.find({ parent: currentFolderId });
-    for (const childFolder of childFolders) {
-      queue.push(childFolder._id);
-    }
+  parentFolder.version += 1;
+  const delFolderIds = getAllFolderIds(delFolder);
 
-    await Secret.deleteMany({ folder: currentFolderId });
-
-    await Folder.deleteOne({ _id: currentFolderId });
+  await Folder.findByIdAndUpdate(folders._id, folders);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+  if (delFolderIds.length) {
+    await Secret.deleteMany({
+      folder: { $in: delFolderIds.map(({ id }) => id) },
+      workspace: workspaceId,
+      environment,
+    });
   }
 
-  res.send()
-}
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolder.id,
+  });
+
+  res.send({ message: "successfully deleted folders", folders: delFolderIds });
+};
 
 // TODO: validate workspace
-export const getFolderById = async (req: Request, res: Response) => {
-  const { folderId } = req.params
+export const getFolders = async (req: Request, res: Response) => {
+  const { workspaceId, environment, parentFolderId } = req.query as {
+    workspaceId: string;
+    environment: string;
+    parentFolderId?: string;
+  };
 
-  const folder = await Folder.findById(folderId);
-  if (!folder) {
-    throw BadRequestError({ message: "The folder doesn't exist" })
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    res.send({ folders: [], dir: [] });
+    return;
   }
+
   // check that user is a member of the workspace
   await validateMembership({
     userId: req.user._id.toString(),
-    workspaceId: folder.workspace as any,
-    acceptedRoles: [ADMIN, MEMBER]
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
   });
 
-  res.send({ folder })
-}
+  if (!parentFolderId) {
+    const rootFolders = folders.nodes.children.map(({ id, name }) => ({
+      id,
+      name,
+    }));
+    res.send({ folders: rootFolders });
+    return;
+  }
+
+  const folderBySearch = searchByFolderIdWithDir(folders.nodes, parentFolderId);
+  if (!folderBySearch) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const { folder, dir } = folderBySearch;
+
+  res.send({
+    folders: folder.children.map(({ id, name }) => ({ id, name })),
+    dir,
+  });
+};

backend/src/controllers/v1/signupController.ts

@@ -21,14 +21,6 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;
 
-		if (await getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@@ -47,7 +39,7 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 			error: 'Failed to send email verification code'
 		});
 	}
-
+	
 	return res.status(200).send({
 		message: `Sent an email verification code to ${email}`
 	});
@@ -74,6 +66,14 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			});
 		}
 
+		if (await getInviteOnlySignup()) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
+
 		// verify email
 		if (await getSmtpConfigured()) {
 			await checkEmailVerification({

backend/src/controllers/v2/authController.ts

@@ -288,6 +288,8 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   if (!user) throw new Error('Failed to find user');
 
+  await LoginSRPDetail.deleteOne({ userId: user.id })
+
   await checkUserDevice({
     user,
     ip: req.ip,

backend/src/controllers/v2/secretController.ts

@@ -6,7 +6,7 @@ import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCre
 const { ValidationError } = mongoose.Error;
 import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
 import { AnyBulkWriteOperation } from 'mongodb';
-import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
 import { TelemetryService } from '../../services';
 import { User } from "../../models";
 import { AccountNotFoundError } from '../../utils/errors';
@@ -36,7 +36,9 @@ export const createSecret = async (req: Request, res: Response) => {
     workspace: new Types.ObjectId(workspaceId),
     environment,
     type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id)
+    user: new Types.ObjectId(req.user._id),
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_UTF8
   }
 
 
@@ -92,7 +94,9 @@ export const createSecrets = async (req: Request, res: Response) => {
       workspace: new Types.ObjectId(workspaceId),
       environment,
       type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id)
+      user: new Types.ObjectId(req.user._id),
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
     }
 
     sanitizedSecretesToCreate.push(safeUpdateFields)

backend/src/controllers/v2/signupController.ts

@@ -7,8 +7,9 @@ import {
 } from '../../helpers/signup';
 import { issueAuthTokens } from '../../helpers/auth';
 import { INVITED, ACCEPTED } from '../../variables';
-import request from '../../config/request';
+import { standardRequest } from '../../config/request';
 import { getLoopsApiKey, getHttpsEnabled } from '../../config';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -87,6 +88,19 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			user
 		});
 
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		// update organization membership statuses that are
 		// invited to completed with user attached
 		await MembershipOrg.updateMany(
@@ -109,7 +123,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 
 		// sending a welcome email to new users
 		if (await getLoopsApiKey()) {
-			await request.post("https://app.loops.so/api/v1/events/send", {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
 				"email": email,
 				"eventName": "Sign Up",
 				"firstName": firstName,
@@ -206,9 +220,20 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 
 		if (!user)
 			throw new Error('Failed to complete account for non-existent user');
-
+		
 		// update organization membership statuses that are
 		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		await MembershipOrg.updateMany(
 			{
 				inviteEmail: email,

backend/src/controllers/v3/authController.ts

@@ -0,0 +1,260 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { issueAuthTokens, createToken, validateProviderAuthToken } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { EELogService } from '../../ee/services';
+import { BadRequestError, InternalServerError } from '../../utils/errors';
+import {
+    TOKEN_EMAIL_MFA,
+    ACTION_LOGIN
+} from '../../variables';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+    getJwtMfaLifetime,
+    getJwtMfaSecret,
+    getHttpsEnabled,
+} from '../../config';
+import { AuthProvider } from '../../models/user';
+
+declare module 'jsonwebtoken' {
+    export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
+        userId: string;
+        email: string;
+        authProvider: AuthProvider;
+        isUserCompleted: boolean,
+    }
+}
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+    try {
+        const {
+            email,
+            providerAuthToken,
+            clientPublicKey
+        }: {
+            email: string;
+            clientPublicKey: string,
+            providerAuthToken?: string;
+        } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select('+salt +verifier');
+
+        if (!user) throw new Error('Failed to find user');
+
+        if (user.authProvider) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier
+            },
+            async () => {
+                // generate server-side public key
+                const serverPublicKey = server.getPublicKey();
+                await LoginSRPDetail.findOneAndReplace({
+                    email: email
+                }, {
+                    email,
+                    userId: user.id,
+                    clientPublicKey: clientPublicKey,
+                    serverBInt: bigintConversion.bigintToBuf(server.bInt),
+                }, { upsert: true, returnNewDocument: false });
+
+                return res.status(200).send({
+                    serverPublicKey,
+                    salt: user.salt
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to start authentication process'
+        });
+    }
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+    try {
+
+        if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+
+        const { email, clientProof, providerAuthToken } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+
+        if (!user) throw new Error('Failed to find user');
+
+        if (user.authProvider) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+        if (!loginSRPDetail) {
+            return BadRequestError(Error("Failed to find login details for SRP"))
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier,
+                b: loginSRPDetail.serverBInt
+            },
+            async () => {
+                server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+
+                // compare server and client shared keys
+                if (server.checkClientProof(clientProof)) {
+
+                    if (user.isMfaEnabled) {
+                        // case: user has MFA enabled
+
+                        // generate temporary MFA token
+                        const token = createToken({
+                            payload: {
+                                userId: user._id.toString()
+                            },
+                            expiresIn: await getJwtMfaLifetime(),
+                            secret: await getJwtMfaSecret()
+                        });
+
+                        const code = await TokenService.createToken({
+                            type: TOKEN_EMAIL_MFA,
+                            email
+                        });
+
+                        // send MFA code [code] to [email]
+                        await sendMail({
+                            template: 'emailMfa.handlebars',
+                            subjectLine: 'Infisical MFA code',
+                            recipients: [user.email],
+                            substitutions: {
+                                code
+                            }
+                        });
+
+                        return res.status(200).send({
+                            mfaEnabled: true,
+                            token
+                        });
+                    }
+
+                    await checkUserDevice({
+                        user,
+                        ip: req.ip,
+                        userAgent: req.headers['user-agent'] ?? ''
+                    });
+
+                    // issue tokens
+                    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+                    // store (refresh) token in httpOnly cookie
+                    res.cookie('jid', tokens.refreshToken, {
+                        httpOnly: true,
+                        path: '/',
+                        sameSite: 'strict',
+                        secure: await getHttpsEnabled()
+                    });
+
+                    // case: user does not have MFA enablgged
+                    // return (access) token in response
+
+                    interface ResponseData {
+                        mfaEnabled: boolean;
+                        encryptionVersion: any;
+                        protectedKey?: string;
+                        protectedKeyIV?: string;
+                        protectedKeyTag?: string;
+                        token: string;
+                        publicKey?: string;
+                        encryptedPrivateKey?: string;
+                        iv?: string;
+                        tag?: string;
+                    }
+
+                    const response: ResponseData = {
+                        mfaEnabled: false,
+                        encryptionVersion: user.encryptionVersion,
+                        token: tokens.token,
+                        publicKey: user.publicKey,
+                        encryptedPrivateKey: user.encryptedPrivateKey,
+                        iv: user.iv,
+                        tag: user.tag
+                    }
+
+                    if (
+                        user?.protectedKey &&
+                        user?.protectedKeyIV &&
+                        user?.protectedKeyTag
+                    ) {
+                        response.protectedKey = user.protectedKey;
+                        response.protectedKeyIV = user.protectedKeyIV
+                        response.protectedKeyTag = user.protectedKeyTag;
+                    }
+
+                    const loginAction = await EELogService.createAction({
+                        name: ACTION_LOGIN,
+                        userId: user._id
+                    });
+
+                    loginAction && await EELogService.createLog({
+                        userId: user._id,
+                        actions: [loginAction],
+                        channel: getChannelFromUserAgent(req.headers['user-agent']),
+                        ipAddress: req.ip
+                    });
+
+                    return res.status(200).send(response);
+                }
+
+                return res.status(400).send({
+                    message: 'Failed to authenticate. Try again?'
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to authenticate. Try again?'
+        });
+    }
+};

backend/src/controllers/v3/index.ts

@@ -1,7 +1,11 @@
 import * as secretsController from './secretsController';
 import * as workspacesController from './workspacesController';
+import * as authController from './authController';
+import * as signupController from './signupController';
 
 export {
+    authController,
     secretsController,
-    workspacesController
-}
+    signupController,
+    workspacesController,
+}

backend/src/controllers/v3/signupController.ts

@@ -0,0 +1,192 @@
+import jwt from 'jsonwebtoken';
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
+import {
+	initializeDefaultOrg
+} from '../../helpers/signup';
+import { issueAuthTokens, validateProviderAuthToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import { standardRequest } from '../../config/request';
+import { getLoopsApiKey, getHttpsEnabled, getJwtSignupSecret } from '../../config';
+import { BadRequestError } from '../../utils/errors';
+import { TelemetryService } from '../../services';
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+			organizationName,
+			providerAuthToken,
+			attributionSource,
+		}: {
+			email: string;
+			firstName: string;
+			lastName: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
+			publicKey: string;
+			encryptedPrivateKey: string;
+			encryptedPrivateKeyIV: string;
+			encryptedPrivateKeyTag: string;
+			salt: string;
+			verifier: string;
+			organizationName: string;
+			providerAuthToken?: string;
+			attributionSource?: string;
+		} = req.body;
+
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		if (providerAuthToken) {
+			await validateProviderAuthToken({
+				email,
+				providerAuthToken,
+				user,
+			});
+		} else {
+			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+			if (AUTH_TOKEN_TYPE === null) {
+				throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
+			}
+			if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') {
+				throw BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` })
+			}
+			if (AUTH_TOKEN_VALUE === null) {
+				throw BadRequestError({
+					message: 'Missing Authorization Body in the request header',
+				})
+			}
+
+			const decodedToken = <jwt.UserIDJwtPayload>(
+				jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+			);
+
+			if (decodedToken.userId !== user.id) {
+				throw BadRequestError();
+			}
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+
+		// sending a welcome email to new users
+		if (await getLoopsApiKey()) {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + (await getLoopsApiKey())
+				},
+			});
+		}
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: await getHttpsEnabled()
+		});
+
+		const postHogClient = await TelemetryService.getPostHogClient();
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'User Signed Up',
+				distinctId: email,
+				properties: {
+					email,
+					attributionSource
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token
+	});
+};

backend/src/ee/controllers/v1/cloudProductsController.ts

@@ -0,0 +1,34 @@
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import { EELicenseService } from '../../services';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+
+/**
+ * Return available cloud product information.
+ * Note: Nicely formatted to easily construct a table from
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getCloudProducts = async (req: Request, res: Response) => {
+    try {
+        const billingCycle = req.query['billing-cycle'] as string;
+
+        if (EELicenseService.instanceType === 'cloud') {
+            const { data } = await licenseServerKeyRequest.get(
+                `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+            ); 
+
+            return res.status(200).send(data);
+        }
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+    }
+    
+    return res.status(200).send({
+        head: [],
+        rows: []
+    });
+}

backend/src/ee/controllers/v1/index.ts

@@ -1,15 +1,19 @@
 import * as stripeController from './stripeController';
 import * as secretController from './secretController';
 import * as secretSnapshotController from './secretSnapshotController';
+import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
 import * as actionController from './actionController';
 import * as membershipController from './membershipController';
+import * as cloudProductsController from './cloudProductsController';
 
 export {
     stripeController,
     secretController,
     secretSnapshotController,
+    organizationsController,
     workspaceController,
     actionController,
-    membershipController
+    membershipController,
+    cloudProductsController
 }

backend/src/ee/controllers/v1/organizationsController.ts

@@ -0,0 +1,83 @@
+import { Request, Response } from 'express';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+import { EELicenseService } from '../../services';
+
+/**
+ * Return the organization's current plan and allowed feature set
+ */
+export const getOrganizationPlan = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+
+    const plan = await EELicenseService.getOrganizationPlan(organizationId);
+
+    return res.status(200).send({
+        plan,
+    });
+}
+
+/**
+ * Update the organization plan to product with id [productId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateOrganizationPlan = async (req: Request, res: Response) => {
+    const {
+        productId
+    } = req.body;
+
+    const { data  } = await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan`,
+        {
+            productId
+        }
+    ); 
+    
+    return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's payment methods on file
+ */
+export const getOrganizationPmtMethods = async (req: Request, res: Response) => {
+    const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
+    );
+
+    return res.status(200).send({
+        pmtMethods
+    }); 
+}
+
+/**
+ * Return a Stripe session URL to add payment method for organization
+ */
+export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const {
+        success_url,
+        cancel_url
+    } = req.body;
+    
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+        {
+            success_url,
+            cancel_url
+        }
+    );
+    
+    return res.status(200).send({
+        url
+    }); 
+}
+
+export const deleteOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const { pmtMethodId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods/${pmtMethodId}`,
+    );
+        
+    return res.status(200).send(data);
+}

backend/src/ee/controllers/v1/secretController.ts

@@ -1,16 +1,16 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Secret } from '../../../models';
-import { SecretVersion } from '../../models';
-import { EESecretService } from '../../services';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import { Secret } from "../../../models";
+import { SecretVersion } from "../../models";
+import { EESecretService } from "../../services";
 
 /**
  * Return secret versions for secret with id [secretId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
- export const getSecretVersions = async (req: Request, res: Response) => {
-	/* 
+export const getSecretVersions = async (req: Request, res: Response) => {
+  /* 
     #swagger.summary = 'Return secret versions'
     #swagger.description = 'Return secret versions'
     
@@ -55,41 +55,43 @@ import { EESecretService } from '../../services';
         }
     }   
     */
-	let secretVersions;
-	try {
-		const { secretId } = req.params;
+  let secretVersions;
+  try {
+    const { secretId, workspaceId, environment, folderId } = req.params;
 
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretVersions = await SecretVersion.find({
-			secret: secretId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
+    const offset: number = parseInt(req.query.offset as string);
+    const limit: number = parseInt(req.query.limit as string);
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret versions'
-		});
-	}
-	
-	return res.status(200).send({
-		secretVersions
-	});
-}
+    secretVersions = await SecretVersion.find({
+      secret: secretId,
+      workspace: workspaceId,
+      environment,
+      folder: folderId,
+    })
+      .sort({ createdAt: -1 })
+      .skip(offset)
+      .limit(limit);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get secret versions",
+    });
+  }
+
+  return res.status(200).send({
+    secretVersions,
+  });
+};
 
 /**
  * Roll back secret with id [secretId] to version [version]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const rollbackSecretVersion = async (req: Request, res: Response) => {
-	/* 
+  /* 
     #swagger.summary = 'Roll back secret to a version.'
     #swagger.description = 'Roll back secret to a version.'
     
@@ -137,91 +139,101 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
         }
     }   
     */
-	let secret;
-	try {
-		const { secretId } = req.params;
-		const { version } = req.body;
-		
-		// validate secret version
-		const oldSecretVersion = await SecretVersion.findOne({
-			secret: secretId,
-			version
-		}).select('+secretBlindIndex')
-		
-		if (!oldSecretVersion) throw new Error('Failed to find secret version');
-		
-		const {
-			workspace,
-			type,
-			user,
-			environment,
-			secretBlindIndex,
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag,
-		} = oldSecretVersion;
-		
-		// update secret
-		secret = await Secret.findByIdAndUpdate(
-			secretId,
-			{
-				$inc: {
-					version: 1
-				},
-				workspace,
-				type,
-				user,
-				environment,
-				...(secretBlindIndex ? { secretBlindIndex } : {}),
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-			},
-			{
-				new: true
-			}
-		);
-		
-		if (!secret) throw new Error('Failed to find and update secret');
+  let secret;
+  try {
+    const { secretId } = req.params;
+    const { version } = req.body;
 
-		// add new secret version
-		await new SecretVersion({
-			secret: secretId,
-			version: secret.version,
-			workspace,
-			type,
-			user,
-			environment,
-			isDeleted: false,
-			...(secretBlindIndex ? { secretBlindIndex } : {}),
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag
-		}).save();
-		
-		// take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace
-		});
-		
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret version'
-		});
-	}
-	
-	return res.status(200).send({
-		secret
-	});
-}
+    // validate secret version
+    const oldSecretVersion = await SecretVersion.findOne({
+      secret: secretId,
+      version,
+    }).select("+secretBlindIndex");
+
+    if (!oldSecretVersion) throw new Error("Failed to find secret version");
+
+    const {
+      workspace,
+      type,
+      user,
+      environment,
+      secretBlindIndex,
+      secretKeyCiphertext,
+      secretKeyIV,
+      secretKeyTag,
+      secretValueCiphertext,
+      secretValueIV,
+      secretValueTag,
+      folder,
+      algorithm,
+      keyEncoding,
+    } = oldSecretVersion;
+
+    // update secret
+    secret = await Secret.findByIdAndUpdate(
+      secretId,
+      {
+        $inc: {
+          version: 1,
+        },
+        workspace,
+        type,
+        user,
+        environment,
+        ...(secretBlindIndex ? { secretBlindIndex } : {}),
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        folderId: folder,
+        algorithm,
+        keyEncoding,
+      },
+      {
+        new: true,
+      }
+    );
+
+    if (!secret) throw new Error("Failed to find and update secret");
+
+    // add new secret version
+    await new SecretVersion({
+      secret: secretId,
+      version: secret.version,
+      workspace,
+      type,
+      user,
+      environment,
+      isDeleted: false,
+      ...(secretBlindIndex ? { secretBlindIndex } : {}),
+      secretKeyCiphertext,
+      secretKeyIV,
+      secretKeyTag,
+      secretValueCiphertext,
+      secretValueIV,
+      secretValueTag,
+      folder,
+      algorithm,
+      keyEncoding,
+    }).save();
+
+    // take secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId: secret.workspace,
+      environment,
+      folderId: folder,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to roll back secret version",
+    });
+  }
+
+  return res.status(200).send({
+    secret,
+  });
+};

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -1,33 +1,54 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { SecretSnapshot } from '../../models';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import {
+  ISecretVersion,
+  SecretSnapshot,
+  TFolderRootVersionSchema,
+} from "../../models";
 
 /**
  * Return secret snapshot with id [secretSnapshotId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getSecretSnapshot = async (req: Request, res: Response) => {
-    let secretSnapshot;
-    try {
-        const { secretSnapshotId } = req.params;
+  let secretSnapshot;
+  try {
+    const { secretSnapshotId } = req.params;
 
-        secretSnapshot = await SecretSnapshot
-            .findById(secretSnapshotId)
-            .populate('secretVersions');
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
+    secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
+      .lean()
+      .populate<{ secretVersions: ISecretVersion[] }>({
+        path: 'secretVersions',
+        populate: {
+          path: 'tags',
+          model: 'Tag'
+        }
+      })
+      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
 
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshot'
-		});
-    }
-    
-    return res.status(200).send({
-        secretSnapshot
+    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get secret snapshot",
     });
-}
+  }
+  const folderId = secretSnapshot.folderId;
+  // to show only the folder required secrets
+  secretSnapshot.secretVersions = secretSnapshot.secretVersions.filter(
+    ({ folder }) => folder === folderId
+  );
+
+  secretSnapshot.folderVersion =
+    secretSnapshot?.folderVersion?.nodes?.children?.map(({ id, name }) => ({
+      id,
+      name,
+    })) as any;
+
+  return res.status(200).send({
+    secretSnapshot,
+  });
+};

backend/src/ee/controllers/v1/workspaceController.ts

@@ -1,25 +1,30 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import { PipelineStage, Types } from "mongoose";
+import { Secret } from "../../../models";
 import {
-	Secret
-} from '../../../models';
-import { 
-	SecretSnapshot,
-	Log,
-	SecretVersion,
-	ISecretVersion
-} from '../../models';
-import { EESecretService } from '../../services';
-import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
+  SecretSnapshot,
+  Log,
+  SecretVersion,
+  ISecretVersion,
+  FolderVersion,
+  TFolderRootVersionSchema,
+} from "../../models";
+import { EESecretService } from "../../services";
+import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
+import Folder, { TFolderSchema } from "../../../models/folder";
+import { searchByFolderId } from "../../../services/FolderService";
 
 /**
  * Return secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
- export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
-	/* 
+export const getWorkspaceSecretSnapshots = async (
+  req: Request,
+  res: Response
+) => {
+  /* 
     #swagger.summary = 'Return project secret snapshot ids'
     #swagger.description = 'Return project secret snapshots ids'
     
@@ -64,66 +69,78 @@ import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
         }
     }
     */
-	let secretSnapshots;
-	try {
-		const { workspaceId } = req.params;
+  let secretSnapshots;
+  try {
+    const { workspaceId } = req.params;
+    const { environment, folderId } = req.query;
 
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretSnapshots = await SecretSnapshot.find({
-			workspace: workspaceId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
+    const offset: number = parseInt(req.query.offset as string);
+    const limit: number = parseInt(req.query.limit as string);
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		secretSnapshots
-	});
-}
+    secretSnapshots = await SecretSnapshot.find({
+      workspace: workspaceId,
+      environment,
+      folderId: folderId || "root",
+    })
+      .sort({ createdAt: -1 })
+      .skip(offset)
+      .limit(limit);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get secret snapshots",
+    });
+  }
+
+  return res.status(200).send({
+    secretSnapshots,
+  });
+};
 
 /**
  * Return count of secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
-export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
-	let count;
-	try {
-		const { workspaceId } = req.params;
-		count = await SecretSnapshot.countDocuments({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to count number of secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		count
-	});
-}
+export const getWorkspaceSecretSnapshotsCount = async (
+  req: Request,
+  res: Response
+) => {
+  let count;
+  try {
+    const { workspaceId } = req.params;
+    const { environment, folderId } = req.query;
+
+    count = await SecretSnapshot.countDocuments({
+      workspace: workspaceId,
+      environment,
+      folderId: folderId || "root",
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to count number of secret snapshots",
+    });
+  }
+
+  return res.status(200).send({
+    count,
+  });
+};
 
 /**
  * Rollback secret snapshot with id [secretSnapshotId] to version [version]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
-export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
-	/* 
+export const rollbackWorkspaceSecretSnapshot = async (
+  req: Request,
+  res: Response
+) => {
+  /* 
     #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
     #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
     
@@ -173,168 +190,338 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
         }
     }   
     */
-	
-	let secrets;
-    try {	
-        const { workspaceId } = req.params;
-        const { version } = req.body;
-        
-		// validate secret snapshot
-		const secretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId,
-			version
-		}).populate<{ secretVersions: ISecretVersion[]}>({
-			path: 'secretVersions',
-			select: '+secretBlindIndex'
-		});
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
 
-		// TODO: fix any
-		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
-			.reduce((accumulator, s) => ({ 
-				...accumulator, 
-				[`${s.secret.toString()}`]: s 
-			}), {});	
-		
-		const latestSecretVersionIds = await getLatestSecretVersionIds({
-			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
-		});
-		
-		// TODO: fix any
-		const latestSecretVersions: any = (await SecretVersion.find({
-			_id: {
-				$in: latestSecretVersionIds.map((s) => s.versionId)
-			}
-		}, 'secret version'))
-		.reduce((accumulator, s) => ({ 
-			...accumulator, 
-			[`${s.secret.toString()}`]: s 
-		}), {});
-		
-		// delete existing secrets
-		await Secret.deleteMany({
-			workspace: workspaceId
-		});
+  let secrets;
+  try {
+    const { workspaceId } = req.params;
+    const { version, environment, folderId = "root" } = req.body;
 
-		// add secrets
-        secrets = await Secret.insertMany(
-			secretSnapshot.secretVersions.map((sv) => {
-				const secretId = sv.secret;
-				const {
-					workspace,
-					type,
-					user,
-					environment,
-					secretBlindIndex,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					createdAt
-				} = oldSecretVersionsObj[secretId.toString()];
-				
-				return ({
-					_id: secretId,
-					version: latestSecretVersions[secretId.toString()].version + 1,
-					workspace,
-					type,
-					user,
-					environment,
-					secretBlindIndex: secretBlindIndex ?? undefined,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					secretCommentCiphertext: '',
-					secretCommentIV: '',
-					secretCommentTag: '',
-					createdAt
-				});
-			})
-		);
-		
-		// add secret versions
-		const secretV = await SecretVersion.insertMany(
-			secrets.map(({
-				_id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				secretBlindIndex,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}) => ({
-				_id: new Types.ObjectId(),
-				secret: _id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				isDeleted: false,
-				secretBlindIndex: secretBlindIndex ?? undefined,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}))
-		);
-		
-		// update secret versions of restored secrets as not deleted
-		await SecretVersion.updateMany({
-			secret: {
-				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
-			}
-		}, {
-			isDeleted: false
-		});
-		
-        // take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId: new Types.ObjectId(workspaceId)
-		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret snapshot'
-		}); 
+    // validate secret snapshot
+    const secretSnapshot = await SecretSnapshot.findOne({
+      workspace: workspaceId,
+      version,
+      environment,
+      folderId: folderId,
+    })
+      .populate<{ secretVersions: ISecretVersion[] }>({
+        path: "secretVersions",
+        select: "+secretBlindIndex",
+      })
+      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
+
+    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+
+    const snapshotFolderTree = secretSnapshot.folderVersion;
+    const latestFolderTree = await Folder.findOne({
+      workspace: workspaceId,
+      environment,
+    });
+
+    const latestFolderVersion = await FolderVersion.findOne({
+      environment,
+      workspace: workspaceId,
+      "nodes.id": folderId,
+    }).sort({ "nodes.version": -1 });
+
+    const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
+    const secretIds: Types.ObjectId[] = [];
+    const folderIds: string[] = [folderId];
+
+    secretSnapshot.secretVersions.forEach((snapSecVer) => {
+      oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+      secretIds.push(snapSecVer.secret);
+    });
+
+    // the parent node from current latest one
+    // this will be modified according to the snapshot and latest snapshots
+    const newFolderTree =
+      latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
+
+    if (newFolderTree) {
+      newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
+      const queue = [newFolderTree];
+      // a bfs algorithm in which we take the latest snapshots of all the folders in a level
+      while (queue.length) {
+        const groupByFolderId: Record<string, TFolderSchema> = {};
+        // the original queue is popped out completely to get what ever in a level
+        // subqueue is filled with all the children thus next level folders
+        // subQueue will then be transfered to the oriinal queue
+        const subQueue: TFolderSchema[] = [];
+        // get everything inside a level
+        while (queue.length) {
+          const folder = queue.pop() as TFolderSchema;
+          folder.children.forEach((el) => {
+            folderIds.push(el.id); // push ids and data into queu
+            subQueue.push(el);
+            // to modify the original tree very fast we keep a reference object
+            // key with folder id and pointing to the various nodes
+            groupByFolderId[el.id] = el;
+          });
+        }
+        // get latest snapshots of all the folder
+        const matchWsFoldersPipeline = {
+          $match: {
+            workspace: new Types.ObjectId(workspaceId),
+            environment,
+            folderId: {
+              $in: Object.keys(groupByFolderId),
+            },
+          },
+        };
+        const sortByFolderIdAndVersion: PipelineStage = {
+          $sort: { folderId: 1, version: -1 },
+        };
+        const pickLatestVersionOfEachFolder = {
+          $group: {
+            _id: "$folderId",
+            latestVersion: { $first: "$version" },
+            doc: {
+              $first: "$$ROOT",
+            },
+          },
+        };
+        const populateSecVersion = {
+          $lookup: {
+            from: SecretVersion.collection.name,
+            localField: "doc.secretVersions",
+            foreignField: "_id",
+            as: "doc.secretVersions",
+          },
+        };
+        const populateFolderVersion = {
+          $lookup: {
+            from: FolderVersion.collection.name,
+            localField: "doc.folderVersion",
+            foreignField: "_id",
+            as: "doc.folderVersion",
+          },
+        };
+        const unwindFolderVerField = {
+          $unwind: {
+            path: "$doc.folderVersion",
+            preserveNullAndEmptyArrays: true,
+          },
+        };
+        const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
+          await SecretSnapshot.aggregate([
+            matchWsFoldersPipeline,
+            sortByFolderIdAndVersion,
+            pickLatestVersionOfEachFolder,
+            populateSecVersion,
+            populateFolderVersion,
+            unwindFolderVerField,
+          ]);
+
+        // recursive snapshotting each level
+        latestSnapshotsByFolders.forEach((snap) => {
+          // mutate the folder tree to update the nodes to the latest version tree
+          // we are reconstructing the folder tree by latest snapshots here
+          if (groupByFolderId[snap.doc.folderId]) {
+            groupByFolderId[snap.doc.folderId].children =
+              snap.doc?.folderVersion?.nodes?.children || [];
+          }
+
+          // push all children of next level snapshots
+          if (snap.doc.folderVersion?.nodes?.children) {
+            queue.push(...snap.doc.folderVersion.nodes.children);
+          }
+
+          snap.doc.secretVersions.forEach((snapSecVer) => {
+            // record all the secrets
+            oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+            secretIds.push(snapSecVer.secret);
+          });
+        });
+
+        queue.push(...subQueue);
+      }
     }
-    
-	return res.status(200).send({
-		secrets
-	});
-}
+
+    // TODO: fix any
+    const latestSecretVersionIds = await getLatestSecretVersionIds({
+      secretIds,
+    });
+
+    // TODO: fix any
+    const latestSecretVersions: any = (
+      await SecretVersion.find(
+        {
+          _id: {
+            $in: latestSecretVersionIds.map((s) => s.versionId),
+          },
+        },
+        "secret version"
+      )
+    ).reduce(
+      (accumulator, s) => ({
+        ...accumulator,
+        [`${s.secret.toString()}`]: s,
+      }),
+      {}
+    );
+
+    const secDelQuery: Record<string, unknown> = {
+      workspace: workspaceId,
+      environment,
+      // undefined means root thus collect all secrets
+    };
+    if (folderId !== "root" && folderIds.length)
+      secDelQuery.folder = { $in: folderIds };
+
+    // delete existing secrets
+    await Secret.deleteMany(secDelQuery);
+    await Folder.deleteOne({
+      workspace: workspaceId,
+      environment,
+    });
+
+    // add secrets
+    secrets = await Secret.insertMany(
+      Object.keys(oldSecretVersionsObj).map((sv) => {
+        const {
+          secret: secretId,
+          workspace,
+          type,
+          user,
+          environment,
+          secretBlindIndex,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          createdAt,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        } = oldSecretVersionsObj[sv];
+
+        return {
+          _id: secretId,
+          version: latestSecretVersions[secretId.toString()].version + 1,
+          workspace,
+          type,
+          user,
+          environment,
+          secretBlindIndex: secretBlindIndex ?? undefined,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          secretCommentCiphertext: "",
+          secretCommentIV: "",
+          secretCommentTag: "",
+          createdAt,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        };
+      })
+    );
+
+    // add secret versions
+    const secretV = await SecretVersion.insertMany(
+      secrets.map(
+        ({
+          _id,
+          version,
+          workspace,
+          type,
+          user,
+          environment,
+          secretBlindIndex,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        }) => ({
+          _id: new Types.ObjectId(),
+          secret: _id,
+          version,
+          workspace,
+          type,
+          user,
+          environment,
+          isDeleted: false,
+          secretBlindIndex: secretBlindIndex ?? undefined,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        })
+      )
+    );
+
+    if (newFolderTree && latestFolderTree) {
+      // save the updated folder tree to the present one
+      newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
+      latestFolderTree._id = new Types.ObjectId();
+      latestFolderTree.isNew = true;
+      await latestFolderTree.save();
+
+      // create new folder version
+      const newFolderVersion = new FolderVersion({
+        workspace: workspaceId,
+        environment,
+        nodes: newFolderTree,
+      });
+      await newFolderVersion.save();
+    }
+
+    // update secret versions of restored secrets as not deleted
+    await SecretVersion.updateMany(
+      {
+        secret: {
+          $in: Object.keys(oldSecretVersionsObj).map(
+            (sv) => oldSecretVersionsObj[sv].secret
+          ),
+        },
+      },
+      {
+        isDeleted: false,
+      }
+    );
+
+    // take secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      folderId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to roll back secret snapshot",
+    });
+  }
+
+  return res.status(200).send({
+    secrets,
+  });
+};
 
 /**
  * Return (audit) logs for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getWorkspaceLogs = async (req: Request, res: Response) => {
-	/* 
+  /* 
     #swagger.summary = 'Return project (audit) logs'
     #swagger.description = 'Return project (audit) logs'
     
@@ -400,43 +587,41 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
         }
     }   
     */
-	let logs
-	try {
-		const { workspaceId } = req.params;
+  let logs;
+  try {
+    const { workspaceId } = req.params;
 
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		const sortBy: string = req.query.sortBy as string;
-		const userId: string = req.query.userId as string;
-		const actionNames: string = req.query.actionNames as string;
-		
-		logs = await Log.find({
-			workspace: workspaceId,
-			...( userId ? { user: userId } : {}),
-			...( 
-				actionNames 
-				? { 
-					actionNames: {
-						$in: actionNames.split(',')
-					}
-				} : {}
-			)
-		})
-		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
-		.skip(offset)
-		.limit(limit)
-		.populate('actions')
-		.populate('user serviceAccount serviceTokenData');
+    const offset: number = parseInt(req.query.offset as string);
+    const limit: number = parseInt(req.query.limit as string);
+    const sortBy: string = req.query.sortBy as string;
+    const userId: string = req.query.userId as string;
+    const actionNames: string = req.query.actionNames as string;
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace logs'
-		});
-	}
-	
-	return res.status(200).send({
-		logs
-	});
-}
+    logs = await Log.find({
+      workspace: workspaceId,
+      ...(userId ? { user: userId } : {}),
+      ...(actionNames
+        ? {
+            actionNames: {
+              $in: actionNames.split(","),
+            },
+          }
+        : {}),
+    })
+      .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
+      .skip(offset)
+      .limit(limit)
+      .populate("actions")
+      .populate("user serviceAccount serviceTokenData");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace logs",
+    });
+  }
+
+  return res.status(200).send({
+    logs,
+  });
+};

backend/src/ee/helpers/secret.ts

@@ -1,6 +1,11 @@
 import { Types } from "mongoose";
 import { Secret, ISecret } from "../../models";
-import { SecretSnapshot, SecretVersion, ISecretVersion } from "../models";
+import {
+  SecretSnapshot,
+  SecretVersion,
+  ISecretVersion,
+  FolderVersion,
+} from "../models";
 
 /**
  * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
@@ -12,22 +17,31 @@ import { SecretSnapshot, SecretVersion, ISecretVersion } from "../models";
  */
 const takeSecretSnapshotHelper = async ({
   workspaceId,
+  environment,
+  folderId = "root",
 }: {
   workspaceId: Types.ObjectId;
+  environment: string;
+  folderId?: string;
 }) => {
+  // get all folder ids
   const secretIds = (
     await Secret.find(
       {
         workspace: workspaceId,
+        environment,
+        folder: folderId,
       },
       "_id"
-    )
+    ).lean()
   ).map((s) => s._id);
 
   const latestSecretVersions = (
     await SecretVersion.aggregate([
       {
         $match: {
+          environment,
+          workspace: new Types.ObjectId(workspaceId),
           secret: {
             $in: secretIds,
           },
@@ -45,6 +59,11 @@ const takeSecretSnapshotHelper = async ({
       },
     ]).exec()
   ).map((s) => s.versionId);
+  const latestFolderVersion = await FolderVersion.findOne({
+    environment,
+    workspace: workspaceId,
+    "nodes.id": folderId,
+  }).sort({ "nodes.version": -1 });
 
   const latestSecretSnapshot = await SecretSnapshot.findOne({
     workspace: workspaceId,
@@ -52,8 +71,11 @@ const takeSecretSnapshotHelper = async ({
 
   const secretSnapshot = await new SecretSnapshot({
     workspace: workspaceId,
+    environment,
     version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
     secretVersions: latestSecretVersions,
+    folderId,
+    folderVersion: latestFolderVersion,
   }).save();
 
   return secretSnapshot;
@@ -93,52 +115,8 @@ const markDeletedSecretVersionsHelper = async ({
   );
 };
 
-/**
- * Initialize secret versioning by setting previously unversioned
- * secrets to version 1 and begin populating secret versions.
- */
-const initSecretVersioningHelper = async () => {
-  await Secret.updateMany(
-    { version: { $exists: false } },
-    { $set: { version: 1 } }
-  );
-
-  const unversionedSecrets: ISecret[] = await Secret.aggregate([
-    {
-      $lookup: {
-        from: "secretversions",
-        localField: "_id",
-        foreignField: "secret",
-        as: "versions",
-      },
-    },
-    {
-      $match: {
-        versions: { $size: 0 },
-      },
-    },
-  ]);
-
-  if (unversionedSecrets.length > 0) {
-    await addSecretVersionsHelper({
-      secretVersions: unversionedSecrets.map(
-        (s, idx) =>
-          new SecretVersion({
-            ...s,
-            secret: s._id,
-            version: s.version ? s.version : 1,
-            isDeleted: false,
-            workspace: s.workspace,
-            environment: s.environment,
-          })
-      ),
-    });
-  }
-};
-
 export {
   takeSecretSnapshotHelper,
   addSecretVersionsHelper,
   markDeletedSecretVersionsHelper,
-  initSecretVersioningHelper,
 };

backend/src/ee/helpers/secretVersion.ts

@@ -1,92 +1,82 @@
-import { Types } from 'mongoose';
-import { SecretVersion } from '../models';
+import { Types } from "mongoose";
+import { SecretVersion } from "../models";
 
 /**
  * Return latest secret versions for secrets with ids [secretIds]
  * @param {Object} obj
  * @param {Object} obj.secretIds = ids of secrets to get latest versions for
- * @returns 
+ * @returns
  */
 const getLatestSecretVersionIds = async ({
-    secretIds
+  secretIds,
 }: {
-    secretIds: Types.ObjectId[];
+  secretIds: Types.ObjectId[];
 }) => {
-    interface LatestSecretVersionId {
-        _id: Types.ObjectId;
-        version: number;
-        versionId: Types.ObjectId;
-    }
-    
-    const latestSecretVersionIds = (await SecretVersion.aggregate([
-        {
-            $match: { 
-                secret: { 
-                    $in: secretIds 
-                } 
-            }
+  const latestSecretVersionIds = await SecretVersion.aggregate([
+    {
+      $match: {
+        secret: {
+          $in: secretIds,
         },
-        {
-            $group: {
-                _id: '$secret',
-                version: { $max: '$version' },
-                versionId: { $max: '$_id' } // id of latest secret version
-            }
-        },
-        {
-            $sort: { version: -1 }
-        }
-        ])
-        .exec());
-    
-    return latestSecretVersionIds;
-}
+      },
+    },
+    {
+      $group: {
+        _id: "$secret",
+        version: { $max: "$version" },
+        versionId: { $max: "$_id" }, // id of latest secret version
+      },
+    },
+    {
+      $sort: { version: -1 },
+    },
+  ]).exec();
+
+  return latestSecretVersionIds;
+};
 
 /**
  * Return latest [n] secret versions for secrets with ids [secretIds]
  * @param {Object} obj
  * @param {Object} obj.secretIds = ids of secrets to get latest versions for
  * @param {Number} obj.n - number of latest secret versions to return for each secret
- * @returns 
+ * @returns
  */
 const getLatestNSecretSecretVersionIds = async ({
-    secretIds,
-    n
+  secretIds,
+  n,
 }: {
-    secretIds: Types.ObjectId[];
-    n: number;
+  secretIds: Types.ObjectId[];
+  n: number;
 }) => {
-    // TODO: optimize query
-    const latestNSecretVersions = (await SecretVersion.aggregate([
-        {
-            $match: {
-            secret: {
-                $in: secretIds,
-            },
-            },
+  // TODO: optimize query
+  const latestNSecretVersions = await SecretVersion.aggregate([
+    {
+      $match: {
+        secret: {
+          $in: secretIds,
         },
-        {
-            $sort: { version: -1 },
-        },
-        {
-            $group: {
-            _id: "$secret",
-            versions: { $push: "$$ROOT" },
-            },
-        },
-        {
-            $project: {
-            _id: 0,
-            secret: "$_id",
-            versions: { $slice: ["$versions", n] },
-            },
-        }
-    ]));
-    
-    return latestNSecretVersions;
-}
+      },
+    },
+    {
+      $sort: { version: -1 },
+    },
+    {
+      $group: {
+        _id: "$secret",
+        versions: { $push: "$$ROOT" },
+      },
+    },
+    {
+      $project: {
+        _id: 0,
+        secret: "$_id",
+        versions: { $slice: ["$versions", n] },
+      },
+    },
+  ]);
 
-export {
-    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-}
+  return latestNSecretVersions;
+};
+
+export { getLatestSecretVersionIds, getLatestNSecretSecretVersionIds };

backend/src/ee/models/folderVersion.ts

@@ -0,0 +1,60 @@
+import { model, Schema, Types } from "mongoose";
+
+export type TFolderRootVersionSchema = {
+  _id: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  nodes: TFolderVersionSchema;
+};
+
+export type TFolderVersionSchema = {
+  id: string;
+  name: string;
+  version: number;
+  children: TFolderVersionSchema[];
+};
+
+const folderVersionSchema = new Schema<TFolderVersionSchema>({
+  id: {
+    required: true,
+    type: String,
+    default: "root",
+  },
+  name: {
+    required: true,
+    type: String,
+    default: "root",
+  },
+  version: {
+    required: true,
+    type: Number,
+    default: 1,
+  },
+});
+
+folderVersionSchema.add({ children: [folderVersionSchema] });
+
+const folderRootVersionSchema = new Schema<TFolderRootVersionSchema>(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    nodes: folderVersionSchema,
+  },
+  {
+    timestamps: true,
+  }
+);
+
+const FolderVersion = model<TFolderRootVersionSchema>(
+  "FolderVersion",
+  folderRootVersionSchema
+);
+
+export default FolderVersion;

backend/src/ee/models/index.ts

@@ -1,15 +1,18 @@
-import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
-import SecretVersion, { ISecretVersion } from './secretVersion';
-import Log, { ILog } from './log';
-import Action, { IAction } from './action';
+import SecretSnapshot, { ISecretSnapshot } from "./secretSnapshot";
+import SecretVersion, { ISecretVersion } from "./secretVersion";
+import FolderVersion, { TFolderRootVersionSchema } from "./folderVersion";
+import Log, { ILog } from "./log";
+import Action, { IAction } from "./action";
 
 export {
-    SecretSnapshot,
-    ISecretSnapshot,
-    SecretVersion,
-    ISecretVersion,
-    Log,
-    ILog,
-    Action,
-    IAction
-}
+  SecretSnapshot,
+  ISecretSnapshot,
+  SecretVersion,
+  ISecretVersion,
+  FolderVersion,
+  TFolderRootVersionSchema,
+  Log,
+  ILog,
+  Action,
+  IAction,
+};

backend/src/ee/models/secretSnapshot.ts

@@ -1,33 +1,54 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 
 export interface ISecretSnapshot {
-    workspace: Types.ObjectId;
-    version: number;
-    secretVersions: Types.ObjectId[];
+  workspace: Types.ObjectId;
+  environment: string;
+  folderId: string | "root";
+  version: number;
+  secretVersions: Types.ObjectId[];
+  folderVersion: Types.ObjectId;
 }
 
 const secretSnapshotSchema = new Schema<ISecretSnapshot>(
-    {
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace',
-            required: true
-        },
-        version: {
-            type: Number,
-            required: true
-        },
-        secretVersions: [{
-            type: Schema.Types.ObjectId,
-            ref: 'SecretVersion',
-            required: true
-        }]
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
     },
-    {
-        timestamps: true
-    }
+    environment: {
+      type: String,
+      required: true,
+    },
+    folderId: {
+      type: String,
+      default: "root",
+    },
+    version: {
+      type: Number,
+      default: 1,
+      required: true,
+    },
+    secretVersions: [
+      {
+        type: Schema.Types.ObjectId,
+        ref: "SecretVersion",
+        required: true,
+      },
+    ],
+    folderVersion: {
+      type: Schema.Types.ObjectId,
+      ref: "FolderVersion",
+    },
+  },
+  {
+    timestamps: true,
+  }
 );
 
-const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
+const SecretSnapshot = model<ISecretSnapshot>(
+  "SecretSnapshot",
+  secretSnapshotSchema
+);
 
-export default SecretSnapshot;
+export default SecretSnapshot;

backend/src/ee/models/secretVersion.ts

@@ -1,97 +1,132 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 import {
-	SECRET_SHARED,
-	SECRET_PERSONAL,
-} from '../../variables';
+  SECRET_SHARED,
+  SECRET_PERSONAL,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64,
+} from "../../variables";
 
 export interface ISecretVersion {
-	_id: Types.ObjectId;
-	secret: Types.ObjectId;
-	version: number;
-	workspace: Types.ObjectId; // new
-	type: string; // new
-	user?: Types.ObjectId; // new
-	environment: string; // new
-	isDeleted: boolean;
-	secretBlindIndex?: string;
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
+  _id: Types.ObjectId;
+  secret: Types.ObjectId;
+  version: number;
+  workspace: Types.ObjectId; // new
+  type: string; // new
+  user?: Types.ObjectId; // new
+  environment: string; // new
+  isDeleted: boolean;
+  secretBlindIndex?: string;
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  algorithm: "aes-256-gcm";
+  keyEncoding: "utf8" | "base64";
+  createdAt: string;
+  folder?: string;
+  tags?: string[];
 }
 
 const secretVersionSchema = new Schema<ISecretVersion>(
-	{
-		secret: { // could be deleted
-			type: Schema.Types.ObjectId,
-			ref: 'Secret',
-			required: true
-		},
-		version: {
-			type: Number,
-			default: 1,
-			required: true
-		},
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: 'Workspace',
-			required: true
-		},
-		type: {
-			type: String,
-			enum: [SECRET_SHARED, SECRET_PERSONAL],
-			required: true
-		},
-		user: {
-			// user associated with the personal secret
-			type: Schema.Types.ObjectId,
-			ref: 'User'
-		},
-		environment: {
-			type: String,
-			required: true
-		},
-		isDeleted: { // consider removing field
-			type: Boolean,
-			default: false,
-			required: true
-		},
-		secretBlindIndex: {
-			type: String,
-			select: false
-		},
-		secretKeyCiphertext: {
-			type: String,
-			required: true
-		},
-		secretKeyIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretKeyTag: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueCiphertext: {
-			type: String,
-			required: true
-		},
-		secretValueIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueTag: {
-			type: String, // symmetric
-			required: true
-		}
-	},
-	{
-		timestamps: true
-	}
+  {
+    secret: {
+      // could be deleted
+      type: Schema.Types.ObjectId,
+      ref: "Secret",
+      required: true,
+    },
+    version: {
+      type: Number,
+      default: 1,
+      required: true,
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    type: {
+      type: String,
+      enum: [SECRET_SHARED, SECRET_PERSONAL],
+      required: true,
+    },
+    user: {
+      // user associated with the personal secret
+      type: Schema.Types.ObjectId,
+      ref: "User",
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    isDeleted: {
+      // consider removing field
+      type: Boolean,
+      default: false,
+      required: true,
+    },
+    secretBlindIndex: {
+      type: String,
+      select: false,
+    },
+    secretKeyCiphertext: {
+      type: String,
+      required: true,
+    },
+    secretKeyIV: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretKeyTag: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretValueCiphertext: {
+      type: String,
+      required: true,
+    },
+    secretValueIV: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretValueTag: {
+      type: String, // symmetric
+      required: true,
+    },
+    algorithm: {
+      // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true,
+      default: ALGORITHM_AES_256_GCM,
+    },
+    keyEncoding: {
+      type: String,
+      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+      required: true,
+      default: ENCODING_SCHEME_UTF8,
+    },
+    folder: {
+      type: String,
+      required: true,
+    },
+    tags: {
+      ref: 'Tag',
+      type: [Schema.Types.ObjectId],
+      default: []
+    },
+  },
+  {
+    timestamps: true,
+  }
 );
 
-const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
+const SecretVersion = model<ISecretVersion>(
+  "SecretVersion",
+  secretVersionSchema
+);
 
-export default SecretVersion;
+export default SecretVersion;

backend/src/ee/routes/v1/cloudProducts.ts

@@ -0,0 +1,20 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    validateRequest
+} from '../../../middleware';
+import { query } from 'express-validator';
+import { cloudProductsController } from '../../controllers/v1';
+
+router.get(
+    '/',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    query('billing-cycle').exists().isIn(['monthly', 'yearly']),
+    validateRequest,
+    cloudProductsController.getCloudProducts 
+);
+
+export default router;

backend/src/ee/routes/v1/index.ts

@@ -1,11 +1,15 @@
 import secret from './secret';
 import secretSnapshot from './secretSnapshot';
+import organizations from './organizations';
 import workspace from './workspace';
 import action from './action';
+import cloudProducts from './cloudProducts';
 
 export {
     secret,
     secretSnapshot,
+    organizations,
     workspace,
-    action
+    action,
+    cloudProducts
 }

backend/src/ee/routes/v1/organizations.ts

@@ -0,0 +1,87 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    validateRequest
+} from '../../../middleware';
+import { param, body } from 'express-validator';
+import { organizationsController } from '../../controllers/v1';
+import {
+    OWNER, ADMIN, MEMBER, ACCEPTED
+} from '../../../variables';
+
+router.get(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPlan
+);
+
+router.patch(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('productId').exists().isString(),
+    validateRequest,
+    organizationsController.updateOrganizationPlan
+);
+
+router.get(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPmtMethods
+);
+
+router.post(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('success_url').exists().isString(),
+    body('cancel_url').exists().isString(),
+    validateRequest,
+    organizationsController.addOrganizationPmtMethod
+);
+
+router.delete(
+    '/:organizationId/billing-details/payment-methods/:pmtMethodId',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.deleteOrganizationPmtMethod
+);
+
+export default router;

backend/src/ee/routes/v1/secretSnapshot.ts

@@ -7,7 +7,7 @@ import {
     requireAuth,
     validateRequest
 } from '../../../middleware';
-import { param, body } from 'express-validator';
+import { param } from 'express-validator';
 import { ADMIN, MEMBER } from '../../../variables';
 import { secretSnapshotController } from '../../controllers/v1';
 

backend/src/ee/routes/v1/workspace.ts

@@ -1,76 +1,82 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-	requireAuth,
-	requireWorkspaceAuth,
-	validateRequest
-} from '../../../middleware';
-import { param, query, body } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { workspaceController } from '../../controllers/v1';
+  requireAuth,
+  requireWorkspaceAuth,
+  validateRequest,
+} from "../../../middleware";
+import { param, query, body } from "express-validator";
+import { ADMIN, MEMBER } from "../../../variables";
+import { workspaceController } from "../../controllers/v1";
 
 router.get(
-	'/:workspaceId/secret-snapshots',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshots
+  "/:workspaceId/secret-snapshots",
+  requireAuth({
+    acceptedAuthModes: ["jwt", "apiKey"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  query("environment").isString().exists().trim(),
+  query("folderId").default("root").isString().trim(),
+  query("offset").exists().isInt(),
+  query("limit").exists().isInt(),
+  validateRequest,
+  workspaceController.getWorkspaceSecretSnapshots
 );
 
 router.get(
-	'/:workspaceId/secret-snapshots/count',
-	requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshotsCount
+  "/:workspaceId/secret-snapshots/count",
+  requireAuth({
+    acceptedAuthModes: ["jwt"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  query("environment").isString().exists().trim(),
+  query("folderId").default("root").isString().trim(),
+  validateRequest,
+  workspaceController.getWorkspaceSecretSnapshotsCount
 );
 
 router.post(
-	'/:workspaceId/secret-snapshots/rollback',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	body('version').exists().isInt(),
-	validateRequest,
-	workspaceController.rollbackWorkspaceSecretSnapshot
+  "/:workspaceId/secret-snapshots/rollback",
+  requireAuth({
+    acceptedAuthModes: ["jwt", "apiKey"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  body("environment").isString().exists().trim(),
+  query("folderId").default("root").isString().exists().trim(),
+  body("version").exists().isInt(),
+  validateRequest,
+  workspaceController.rollbackWorkspaceSecretSnapshot
 );
 
 router.get(
-	'/:workspaceId/logs',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	query('sortBy'),
-	query('userId'),
-	query('actionNames'),
-	validateRequest,
-	workspaceController.getWorkspaceLogs
+  "/:workspaceId/logs",
+  requireAuth({
+    acceptedAuthModes: ["jwt", "apiKey"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  query("offset").exists().isInt(),
+  query("limit").exists().isInt(),
+  query("sortBy"),
+  query("userId"),
+  query("actionNames"),
+  validateRequest,
+  workspaceController.getWorkspaceLogs
 );
 
-export default router;
+export default router;

backend/src/ee/services/EELicenseService.ts

@@ -1,12 +1,133 @@
+import NodeCache from 'node-cache';
+import * as Sentry from '@sentry/node';
+import { 
+    getLicenseKey,
+    getLicenseServerKey,
+    getLicenseServerUrl
+} from '../../config';
+import { 
+    licenseKeyRequest,
+    licenseServerKeyRequest,
+    refreshLicenseServerKeyToken,
+    refreshLicenseKeyToken
+} from '../../config/request';
+import { Organization } from '../../models';
+import { OrganizationNotFoundError } from '../../utils/errors';
+
+interface FeatureSet {
+    _id: string | null;
+    slug: 'starter' | 'team' | 'pro' | 'enterprise' | null;
+    tier: number;
+    workspaceLimit: number | null;
+    workspacesUsed: number;
+    memberLimit: number | null;
+    membersUsed: number;
+    secretVersioning: boolean;
+    pitRecovery: boolean;
+    rbac: boolean;
+    customRateLimits: boolean;
+    customAlerts: boolean;
+    auditLogs: boolean;
+}
+
 /**
- * Class to handle Enterprise Edition license actions
+ * Class to handle license/plan configurations:
+ * - Infisical Cloud: Fetch and cache customer plans in [localFeatureSet]
+ * - Self-hosted regular: Use default global feature set
+ * - Self-hosted enterprise: Fetch and update global feature set
  */
 class EELicenseService {
     
-    private readonly _isLicenseValid: boolean;
+    private readonly _isLicenseValid: boolean; // TODO: deprecate
+
+    public instanceType: 'self-hosted' | 'enterprise-self-hosted' | 'cloud' = 'self-hosted';
+
+    public globalFeatureSet: FeatureSet = {
+        _id: null,
+        slug: null,
+        tier: -1,
+        workspaceLimit: null,
+        workspacesUsed: 0,
+        memberLimit: null,
+        membersUsed: 0,
+        secretVersioning: true,
+        pitRecovery: true,
+        rbac: true,
+        customRateLimits: true,
+        customAlerts: true,
+        auditLogs: false
+    }
+
+    public localFeatureSet: NodeCache;
     
-    constructor(licenseKey: string) {
+    constructor() {
         this._isLicenseValid = true;
+        this.localFeatureSet = new NodeCache({
+            stdTTL: 300
+        });
+    }
+    
+    public async getOrganizationPlan(organizationId: string): Promise<FeatureSet> {
+        try {
+            if (this.instanceType === 'cloud') {
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(organizationId);
+                if (cachedPlan) {
+                    return cachedPlan;
+                }
+
+                const organization = await Organization.findById(organizationId);
+                if (!organization) throw OrganizationNotFoundError();
+
+                const { data: { currentPlan } } = await licenseServerKeyRequest.get(
+                    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`
+                );
+
+                // cache fetched plan for organization
+                this.localFeatureSet.set(organizationId, currentPlan);
+
+                return currentPlan;
+            }
+        } catch (err) {
+            return this.globalFeatureSet;
+        }
+
+        return this.globalFeatureSet;
+    }
+
+    public async initGlobalFeatureSet() {
+        const licenseServerKey = await getLicenseServerKey();
+        const licenseKey = await getLicenseKey();
+
+        try {
+            if (licenseServerKey) {
+                // license server key is present -> validate it
+                const token = await refreshLicenseServerKeyToken()
+                    
+                if (token) {
+                    this.instanceType = 'cloud';
+                }
+                
+                return;
+            }
+            
+            if (licenseKey) {
+                // license key is present -> validate it
+                const token = await refreshLicenseKeyToken();
+                    
+                if (token) {
+                    const { data: { currentPlan } } = await licenseKeyRequest.get(
+                        `${await getLicenseServerUrl()}/api/license/v1/plan`
+                    );
+                    
+                    this.globalFeatureSet = currentPlan;
+                    this.instanceType = 'enterprise-self-hosted';
+                }
+            }
+        } catch (err) {
+            // case: self-hosted free
+            Sentry.setUser(null);
+            Sentry.captureException(err);
+        }
     }
 
     public get isLicenseValid(): boolean {
@@ -14,4 +135,4 @@ class EELicenseService {
     }
 }
 
-export default new EELicenseService('N/A');
+export default new EELicenseService();

backend/src/ee/services/EESecretService.ts

@@ -1,10 +1,9 @@
 import { Types } from 'mongoose';
 import { ISecretVersion } from '../models';
-import { 
-    takeSecretSnapshotHelper,
-    addSecretVersionsHelper,
-    markDeletedSecretVersionsHelper,
-    initSecretVersioningHelper
+import {
+  takeSecretSnapshotHelper,
+  addSecretVersionsHelper,
+  markDeletedSecretVersionsHelper,
 } from '../helpers/secret';
 import EELicenseService from './EELicenseService';
 
@@ -12,67 +11,65 @@ import EELicenseService from './EELicenseService';
  * Class to handle Enterprise Edition secret actions
  */
 class EESecretService {
-    
-    /**
-     * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
-     * [workspaceId] under a new snapshot with incremented version under the
-     * SecretSnapshot collection.
-     * Requires a valid license key [licenseKey]
-     * @param {Object} obj
-     * @param {String} obj.workspaceId
-     * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
-     */
-    static async takeSecretSnapshot({
-        workspaceId
-    }: {
-        workspaceId: Types.ObjectId;
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await takeSecretSnapshotHelper({ workspaceId });
-    }
-    
-    /**
-     * Add secret versions [secretVersions] to the SecretVersion collection.
-     * @param {Object} obj
-     * @param {Object[]} obj.secretVersions
-     * @returns {SecretVersion[]} newSecretVersions - new secret versions
-     */
-    static async addSecretVersions({
-        secretVersions
-    }: {
-        secretVersions: ISecretVersion[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await addSecretVersionsHelper({
-            secretVersions
-        });
-    }
+  /**
+   * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
+   * [workspaceId] under a new snapshot with incremented version under the
+   * SecretSnapshot collection.
+   * Requires a valid license key [licenseKey]
+   * @param {Object} obj
+   * @param {String} obj.workspaceId
+   * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
+   */
+  static async takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId,
+  }: {
+    workspaceId: Types.ObjectId;
+    environment: string;
+    folderId?: string;
+  }) {
+    if (!EELicenseService.isLicenseValid) return;
+    return await takeSecretSnapshotHelper({
+      workspaceId,
+      environment,
+      folderId,
+    });
+  }
 
-    /**
-     * Mark secret versions associated with secrets with ids [secretIds]
-     * as deleted.
-     * @param {Object} obj
-     * @param {ObjectId[]} obj.secretIds - secret ids
-     */
-    static async markDeletedSecretVersions({
-        secretIds
-    }: {
-        secretIds: Types.ObjectId[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        await markDeletedSecretVersionsHelper({
-            secretIds
-        });
-    }
-    
-    /**
-     * Initialize secret versioning by setting previously unversioned
-     * secrets to version 1 and begin populating secret versions.
-     */
-    static async initSecretVersioning() {
-        if (!EELicenseService.isLicenseValid) return; 
-        await initSecretVersioningHelper();
-    }
+  /**
+   * Add secret versions [secretVersions] to the SecretVersion collection.
+   * @param {Object} obj
+   * @param {Object[]} obj.secretVersions
+   * @returns {SecretVersion[]} newSecretVersions - new secret versions
+   */
+  static async addSecretVersions({
+    secretVersions,
+  }: {
+    secretVersions: ISecretVersion[];
+  }) {
+    if (!EELicenseService.isLicenseValid) return;
+    return await addSecretVersionsHelper({
+      secretVersions,
+    });
+  }
+
+  /**
+   * Mark secret versions associated with secrets with ids [secretIds]
+   * as deleted.
+   * @param {Object} obj
+   * @param {ObjectId[]} obj.secretIds - secret ids
+   */
+  static async markDeletedSecretVersions({
+    secretIds,
+  }: {
+    secretIds: Types.ObjectId[];
+  }) {
+    if (!EELicenseService.isLicenseValid) return;
+    await markDeletedSecretVersionsHelper({
+      secretIds,
+    });
+  }
 }
 
-export default EESecretService;
+export default EESecretService;

backend/src/helpers/auth.ts

@@ -19,6 +19,7 @@ import {
 import {
 	getJwtAuthLifetime,
 	getJwtAuthSecret,
+	getJwtProviderAuthSecret,
 	getJwtRefreshLifetime,
 	getJwtRefreshSecret
 } from '../config';
@@ -41,7 +42,6 @@ const validateAuthMode = ({
 	headers: { [key: string]: string | string[] | undefined },
 	acceptedAuthModes: string[]
 }) => {
-	// TODO: refactor middleware
 	const apiKey = headers['x-api-key'];
 	const authHeader = headers['authorization'];
 
@@ -318,8 +318,34 @@ const createToken = ({
 	});
 };
 
+const validateProviderAuthToken = async ({
+	email,
+	user,
+	providerAuthToken,
+}: {
+	email: string;
+	user: IUser,
+	providerAuthToken?: string;
+}) => {
+	if (!providerAuthToken) {
+		throw new Error('Invalid authentication request.');
+	}
+
+	const decodedToken = <jwt.ProviderAuthJwtPayload>(
+		jwt.verify(providerAuthToken, await getJwtProviderAuthSecret())
+	);
+	
+	if (
+		decodedToken.authProvider !== user.authProvider ||
+		decodedToken.email !== email
+	) {
+		throw new Error('Invalid authentication credentials.')
+	}
+}
+
 export {
 	validateAuthMode,
+	validateProviderAuthToken,
 	getAuthUserPayload,
 	getAuthSTDPayload,
 	getAuthSAAKPayload,

backend/src/helpers/bot.ts

@@ -4,107 +4,26 @@ import {
   BotKey,
   Secret,
   ISecret,
-  IUser,
-  User,
-  IServiceAccount,
-  ServiceAccount,
-  IServiceTokenData,
-  ServiceTokenData,
+  IUser
 } from "../models";
 import {
   generateKeyPair,
-  encryptSymmetric,
-  decryptSymmetric,
-  decryptAsymmetric,
-} from "../utils/crypto";
+  encryptSymmetric128BitHexKeyUTF8,
+  decryptSymmetric128BitHexKeyUTF8,
+  decryptAsymmetric
+} from '../utils/crypto';
 import {
   SECRET_SHARED,
-  AUTH_MODE_JWT,
-  AUTH_MODE_SERVICE_ACCOUNT,
-  AUTH_MODE_SERVICE_TOKEN,
-  AUTH_MODE_API_KEY,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64
 } from "../variables";
-import { getEncryptionKey } from "../config";
-import { BotNotFoundError, UnauthorizedRequestError } from "../utils/errors";
-import { validateMembership } from "../helpers/membership";
-import { validateUserClientForWorkspace } from "../helpers/user";
-import { validateServiceAccountClientForWorkspace } from "../helpers/serviceAccount";
-
-/**
- * Validate authenticated clients for bot with id [botId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.botId - id of bot to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- */
-const validateClientForBot = async ({
-  authData,
-  botId,
-  acceptedRoles,
-}: {
-  authData: {
-    authMode: string;
-    authPayload: IUser | IServiceAccount | IServiceTokenData;
-  };
-  botId: Types.ObjectId;
-  acceptedRoles: Array<"admin" | "member">;
-}) => {
-  const bot = await Bot.findById(botId);
-
-  if (!bot) throw BotNotFoundError();
-
-  if (
-    authData.authMode === AUTH_MODE_JWT &&
-    authData.authPayload instanceof User
-  ) {
-    await validateUserClientForWorkspace({
-      user: authData.authPayload,
-      workspaceId: bot.workspace,
-      acceptedRoles,
-    });
-
-    return bot;
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
-    authData.authPayload instanceof ServiceAccount
-  ) {
-    await validateServiceAccountClientForWorkspace({
-      serviceAccount: authData.authPayload,
-      workspaceId: bot.workspace,
-    });
-
-    return bot;
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_SERVICE_TOKEN &&
-    authData.authPayload instanceof ServiceTokenData
-  ) {
-    throw UnauthorizedRequestError({
-      message: "Failed service token authorization for bot",
-    });
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_API_KEY &&
-    authData.authPayload instanceof User
-  ) {
-    await validateUserClientForWorkspace({
-      user: authData.authPayload,
-      workspaceId: bot.workspace,
-      acceptedRoles,
-    });
-
-    return bot;
-  }
-
-  throw BotNotFoundError({
-    message: "Failed client authorization for bot",
-  });
-};
+import { 
+  getEncryptionKey, 
+  getRootEncryptionKey,
+  client
+} from "../config";
+import { InternalServerError } from "../utils/errors";
 
 /**
  * Create an inactive bot with name [name] for workspace with id [workspaceId]
@@ -119,23 +38,52 @@ const createBot = async ({
   name: string;
   workspaceId: Types.ObjectId;
 }) => {
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+  
   const { publicKey, privateKey } = generateKeyPair();
-  const { ciphertext, iv, tag } = encryptSymmetric({
-    plaintext: privateKey,
-    key: await getEncryptionKey(),
+  
+  if (rootEncryptionKey) {
+    const { 
+      ciphertext, 
+      iv, 
+      tag 
+    } = client.encryptSymmetric(privateKey, rootEncryptionKey);
+
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_BASE64
+    }).save();
+  
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: privateKey,
+      key: await getEncryptionKey(),
+    });
+
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    }).save();
+  }
+
+  throw InternalServerError({
+    message: 'Failed to create new bot due to missing encryption key'
   });
-
-  const bot = await new Bot({
-    name,
-    workspace: workspaceId,
-    isActive: false,
-    publicKey,
-    encryptedPrivateKey: ciphertext,
-    iv,
-    tag,
-  }).save();
-
-  return bot;
 };
 
 /**
@@ -161,14 +109,14 @@ const getSecretsHelper = async ({
   });
 
   secrets.forEach((secret: ISecret) => {
-    const secretKey = decryptSymmetric({
+    const secretKey = decryptSymmetric128BitHexKeyUTF8({
       ciphertext: secret.secretKeyCiphertext,
       iv: secret.secretKeyIV,
       tag: secret.secretKeyTag,
       key,
     });
 
-    const secretValue = decryptSymmetric({
+    const secretValue = decryptSymmetric128BitHexKeyUTF8({
       ciphertext: secret.secretValueCiphertext,
       iv: secret.secretValueIV,
       tag: secret.secretValueTag,
@@ -189,34 +137,54 @@ const getSecretsHelper = async ({
  * @returns {String} key - decrypted workspace key
  */
 const getKey = async ({ workspaceId }: { workspaceId: string }) => {
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
   const botKey = await BotKey.findOne({
     workspace: workspaceId,
-  }).populate<{ sender: IUser }>("sender", "publicKey");
+  })
+  .populate<{ sender: IUser }>("sender", "publicKey");
 
   if (!botKey) throw new Error("Failed to find bot key");
 
   const bot = await Bot.findOne({
     workspace: workspaceId,
-  }).select("+encryptedPrivateKey +iv +tag");
+  }).select("+encryptedPrivateKey +iv +tag +algorithm +keyEncoding");
 
   if (!bot) throw new Error("Failed to find bot");
   if (!bot.isActive) throw new Error("Bot is not active");
 
-  const privateKeyBot = decryptSymmetric({
-    ciphertext: bot.encryptedPrivateKey,
-    iv: bot.iv,
-    tag: bot.tag,
-    key: await getEncryptionKey(),
-  });
+  if (rootEncryptionKey && bot.keyEncoding === ENCODING_SCHEME_BASE64) {
+    // case: encoding scheme is base64
+    const privateKeyBot = client.decryptSymmetric(bot.encryptedPrivateKey, rootEncryptionKey, bot.iv, bot.tag);
 
-  const key = decryptAsymmetric({
-    ciphertext: botKey.encryptedKey,
-    nonce: botKey.nonce,
-    publicKey: botKey.sender.publicKey as string,
-    privateKey: privateKeyBot,
-  });
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  } else if (encryptionKey && bot.keyEncoding === ENCODING_SCHEME_UTF8) {
+    
+    // case: encoding scheme is utf8
+    const privateKeyBot = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: bot.encryptedPrivateKey,
+      iv: bot.iv,
+      tag: bot.tag,
+      key: encryptionKey
+    });
+    
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  }
 
-  return key;
+  throw InternalServerError({
+    message: "Failed to obtain bot's copy of workspace key needed for bot operations"
+  });
 };
 
 /**
@@ -234,7 +202,7 @@ const encryptSymmetricHelper = async ({
   plaintext: string;
 }) => {
   const key = await getKey({ workspaceId: workspaceId.toString() });
-  const { ciphertext, iv, tag } = encryptSymmetric({
+  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
     plaintext,
     key,
   });
@@ -266,7 +234,7 @@ const decryptSymmetricHelper = async ({
   tag: string;
 }) => {
   const key = await getKey({ workspaceId: workspaceId.toString() });
-  const plaintext = decryptSymmetric({
+  const plaintext = decryptSymmetric128BitHexKeyUTF8({
     ciphertext,
     iv,
     tag,
@@ -277,9 +245,8 @@ const decryptSymmetricHelper = async ({
 };
 
 export {
-  validateClientForBot,
   createBot,
   getSecretsHelper,
   encryptSymmetricHelper,
-  decryptSymmetricHelper,
+  decryptSymmetricHelper
 };

backend/src/helpers/database.ts

@@ -1,6 +1,4 @@
 import mongoose from 'mongoose';
-import { EESecretService } from '../ee/services';
-import { SecretService } from '../services';
 import { getLogger } from '../utils/logger';
 
 /**
@@ -21,9 +19,7 @@ const initDatabaseHelper = async ({
         mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
 
         (await getLogger("database")).info("Database connection established");
-        
-        await EESecretService.initSecretVersioning();
-        await SecretService.initSecretBlindIndexDataHelper();
+
     } catch (err) {
         (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
     }

backend/src/helpers/integration.ts

@@ -3,40 +3,20 @@ import { Types } from 'mongoose';
 import {
     Bot,
     Integration,
-    IntegrationAuth,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData
+    IntegrationAuth
 } from '../models';
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
 import { BotService } from '../services';
 import {
-    AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY,
     INTEGRATION_VERCEL,
-    INTEGRATION_NETLIFY
+    INTEGRATION_NETLIFY,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8
 } from '../variables';
 import { 
     UnauthorizedRequestError,
-    IntegrationAuthNotFoundError,
-    IntegrationNotFoundError
 } from '../utils/errors';
 import RequestError from '../utils/requestError';
-import {
-    validateClientForIntegrationAuth 
-} from '../helpers/integrationAuth';
-import {
-    validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import { IntegrationService } from '../services';
 
 interface Update {
     workspace: string;
@@ -45,84 +25,6 @@ interface Update {
     accountId?: string;
 }
 
-/**
- * Validate authenticated clients for integration with id [integrationId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.integrationId - id of integration to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
- const validateClientForIntegration = async ({
-    authData,
-    integrationId,
-    acceptedRoles
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    integrationId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    
-    const integration = await Integration.findById(integrationId);
-    if (!integration) throw IntegrationNotFoundError();
-
-    const integrationAuth = await IntegrationAuth
-        .findById(integration.integrationAuth)
-        .select(
-			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-        );
-    
-    if (!integrationAuth) throw IntegrationAuthNotFoundError();
-
-    const accessToken = (await IntegrationService.getIntegrationAuthAccess({
-        integrationAuthId: integrationAuth._id
-    })).accessToken;
-
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: integration.workspace
-        });
-        
-        return ({ integration, accessToken });
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for integration'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for integration'
-    });
-}
-
 /**
  * Perform OAuth2 code-token exchange for workspace with id [workspaceId] and integration
  * named [integration]
@@ -400,7 +302,9 @@ const setIntegrationAuthRefreshHelper = async ({
         }, {
             refreshCiphertext: obj.ciphertext,
             refreshIV: obj.iv,
-            refreshTag: obj.tag
+            refreshTag: obj.tag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
         }, {
             new: true
         });
@@ -461,7 +365,9 @@ const setIntegrationAuthAccessHelper = async ({
             accessCiphertext: encryptedAccessTokenObj.ciphertext,
             accessIV: encryptedAccessTokenObj.iv,
             accessTag: encryptedAccessTokenObj.tag,
-            accessExpiresAt
+            accessExpiresAt,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
         }, {
             new: true
         });
@@ -475,7 +381,6 @@ const setIntegrationAuthAccessHelper = async ({
 }
 
 export {
-    validateClientForIntegration,
     handleOAuthExchangeHelper,
     syncIntegrationsHelper,
     getIntegrationAuthRefreshHelper,

backend/src/helpers/membership.ts

@@ -1,106 +1,7 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { 
-	Membership, 
-	Key,
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
-} from '../models';
-import {
-	MembershipNotFoundError,
-	BadRequestError,
-	UnauthorizedRequestError
-} from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-import {
-	validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-	validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import {
-	validateServiceTokenDataClientForWorkspace
-} from '../helpers/serviceTokenData';
-
-/**
- * Validate authenticated clients for membership with id [membershipId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.membershipId - id of membership to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspaceRoles
- * @returns {Membership} - validated membership
- */
-const validateClientForMembership = async ({
-	authData,
-	membershipId,
-	acceptedRoles
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	membershipId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-	
-	const membership = await Membership.findById(membershipId);
-	
-	if (!membership) throw MembershipNotFoundError({
-		message: 'Failed to find membership'
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId: membership.workspace,
-			acceptedRoles
-		});
-		
-		return membership;
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForWorkspace({
-			serviceAccount: authData.authPayload,
-			workspaceId: membership.workspace
-		});
-
-		return membership;
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		await validateServiceTokenDataClientForWorkspace({
-			serviceTokenData: authData.authPayload,
-			workspaceId: new Types.ObjectId(membership.workspace)
-		});
-		
-		return membership;
-	}
-
-	if (authData.authMode == AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId: membership.workspace,
-			acceptedRoles 
-		});
-		
-		return membership;
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for membership'
-	});
-}
+import { Membership, Key } from '../models';
+import { MembershipNotFoundError, BadRequestError } from '../utils/errors';
 
 /**
  * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@@ -111,32 +12,35 @@ const validateClientForMembership = async ({
  * @returns {Membership} membership - membership of user with id [userId] for workspace with id [workspaceId]
  */
 const validateMembership = async ({
-	userId,
-	workspaceId,
-	acceptedRoles,
+  userId,
+  workspaceId,
+  acceptedRoles,
 }: {
-	userId: Types.ObjectId;
-	workspaceId: Types.ObjectId;
-	acceptedRoles?: Array<'admin' | 'member'>;
+  userId: Types.ObjectId | string;
+  workspaceId: Types.ObjectId | string;
+  acceptedRoles?: Array<'admin' | 'member'>;
 }) => {
-	
-	const membership = await Membership.findOne({
-		user: userId,
-		workspace: workspaceId
-	}).populate("workspace");
-	
-	if (!membership) {
-		throw MembershipNotFoundError({ message: 'Failed to find workspace membership' });
-	}
-	
-	if (acceptedRoles) {
-		if (!acceptedRoles.includes(membership.role)) {
-			throw BadRequestError({ message: 'Failed authorization for membership role' });
-		}
-	}
-	
-	return membership;
-}
+  const membership = await Membership.findOne({
+    user: userId,
+    workspace: workspaceId,
+  }).populate('workspace');
+
+  if (!membership) {
+    throw MembershipNotFoundError({
+      message: 'Failed to find workspace membership',
+    });
+  }
+
+  if (acceptedRoles) {
+    if (!acceptedRoles.includes(membership.role)) {
+      throw BadRequestError({
+        message: 'Failed authorization for membership role',
+      });
+    }
+  }
+
+  return membership;
+};
 
 /**
  * Return membership matching criteria specified in query [queryObj]
@@ -144,16 +48,16 @@ const validateMembership = async ({
  * @return {Object} membership - membership
  */
 const findMembership = async (queryObj: any) => {
-	let membership;
-	try {
-		membership = await Membership.findOne(queryObj);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to find membership');
-	}
+  let membership;
+  try {
+    membership = await Membership.findOne(queryObj);
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to find membership');
+  }
 
-	return membership;
+  return membership;
 };
 
 /**
@@ -165,39 +69,39 @@ const findMembership = async (queryObj: any) => {
  * @param {String[]} obj.roles - roles of users.
  */
 const addMemberships = async ({
-	userIds,
-	workspaceId,
-	roles
+  userIds,
+  workspaceId,
+  roles,
 }: {
-	userIds: string[];
-	workspaceId: string;
-	roles: string[];
+  userIds: string[];
+  workspaceId: string;
+  roles: string[];
 }): Promise<void> => {
-	try {
-		const operations = userIds.map((userId, idx) => {
-			return {
-				updateOne: {
-					filter: {
-						user: userId,
-						workspace: workspaceId,
-						role: roles[idx]
-					},
-					update: {
-						user: userId,
-						workspace: workspaceId,
-						role: roles[idx]
-					},
-					upsert: true
-				}
-			};
-		});
+  try {
+    const operations = userIds.map((userId, idx) => {
+      return {
+        updateOne: {
+          filter: {
+            user: userId,
+            workspace: workspaceId,
+            role: roles[idx],
+          },
+          update: {
+            user: userId,
+            workspace: workspaceId,
+            role: roles[idx],
+          },
+          upsert: true,
+        },
+      };
+    });
 
-		await Membership.bulkWrite(operations as any);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to add users to workspace');
-	}
+    await Membership.bulkWrite(operations as any);
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to add users to workspace');
+  }
 };
 
 /**
@@ -206,33 +110,27 @@ const addMemberships = async ({
  * @param {String} obj.membershipId - id of membership to delete
  */
 const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
-	let deletedMembership;
-	try {
-		deletedMembership = await Membership.findOneAndDelete({
-			_id: membershipId
-		});
+  let deletedMembership;
+  try {
+    deletedMembership = await Membership.findOneAndDelete({
+      _id: membershipId,
+    });
 
-		// delete keys associated with the membership
-		if (deletedMembership?.user) {
-			// case: membership had a registered user
-			await Key.deleteMany({
-				receiver: deletedMembership.user,
-				workspace: deletedMembership.workspace
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to delete membership');
-	}
+    // delete keys associated with the membership
+    if (deletedMembership?.user) {
+      // case: membership had a registered user
+      await Key.deleteMany({
+        receiver: deletedMembership.user,
+        workspace: deletedMembership.workspace,
+      });
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to delete membership');
+  }
 
-	return deletedMembership;
+  return deletedMembership;
 };
 
-export { 
-	validateClientForMembership,
-	validateMembership,
-	addMemberships, 
-	findMembership, 
-	deleteMembership 
-};
+export { validateMembership, addMemberships, findMembership, deleteMembership };

backend/src/helpers/membershipOrg.ts

@@ -3,95 +3,12 @@ import {
 	MembershipOrg, 
 	Workspace, 
 	Membership, 
-	Key,
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
+	Key
 } from '../models';
 import {
 	MembershipOrgNotFoundError,
-	BadRequestError,
 	UnauthorizedRequestError
 } from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-
-/**
- * Validate authenticated clients for organization membership with id [membershipOrgId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.membershipOrgId - id of organization membership to validate against
- * @param {Array<'owner' | 'admin' | 'member'>} obj.acceptedRoles - accepted organization roles
- * @param {MembershipOrg} - validated organization membership
- */
-const validateClientForMembershipOrg = async ({
-	authData,
-	membershipOrgId,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	membershipOrgId: Types.ObjectId;
-    acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-    acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	const membershipOrg = await MembershipOrg.findById(membershipOrgId);
-
-	if (!membershipOrg) throw MembershipOrgNotFoundError({
-		message: 'Failed to find organization membership '
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		await validateMembershipOrg({
-			userId: authData.authPayload._id,
-			organizationId: membershipOrg.organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return membershipOrg;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		if (!authData.authPayload.organization.equals(membershipOrg.organization)) throw UnauthorizedRequestError({
-			message: 'Failed service account client authorization for organization membership'
-		});
-		
-		return membershipOrg;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service account client authorization for organization membership'
-		});
-	}
-	
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		await validateMembershipOrg({
-			userId: authData.authPayload._id,
-			organizationId: membershipOrg.organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return membershipOrg;
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for organization membership'
-	});
-}
 
 /**
  * Validate that user with id [userId] is a member of organization with id [organizationId]
@@ -234,7 +151,6 @@ const deleteMembershipOrg = async ({
 };
 
 export {
-	validateClientForMembershipOrg,
 	validateMembershipOrg,
 	findMembershipOrg,
 	addMembershipsOrg, 

backend/src/helpers/organization.ts

@@ -1,21 +1,8 @@
 import Stripe from "stripe";
 import { Types } from "mongoose";
-import {
-  IUser,
-  User,
-  IServiceAccount,
-  ServiceAccount,
-  IServiceTokenData,
-  ServiceTokenData,
-} from "../models";
 import { Organization, MembershipOrg } from "../models";
 import {
-  ACCEPTED,
-  AUTH_MODE_JWT,
-  AUTH_MODE_SERVICE_ACCOUNT,
-  AUTH_MODE_SERVICE_TOKEN,
-  AUTH_MODE_API_KEY,
-  OWNER,
+  ACCEPTED
 } from "../variables";
 import {
   getStripeSecretKey,
@@ -24,93 +11,15 @@ import {
   getStripeProductStarter,
 } from "../config";
 import {
-  UnauthorizedRequestError,
-  OrganizationNotFoundError,
-} from "../utils/errors";
-import { validateUserClientForOrganization } from "../helpers/user";
-import { validateServiceAccountClientForOrganization } from "../helpers/serviceAccount";
-
-/**
- * Validate accepted clients for organization with id [organizationId]
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.organizationId - id of organization to validate against
- */
-const validateClientForOrganization = async ({
-  authData,
-  organizationId,
-  acceptedRoles,
-  acceptedStatuses,
-}: {
-  authData: {
-    authMode: string;
-    authPayload: IUser | IServiceAccount | IServiceTokenData;
-  };
-  organizationId: Types.ObjectId;
-  acceptedRoles: Array<"owner" | "admin" | "member">;
-  acceptedStatuses: Array<"invited" | "accepted">;
-}) => {
-  const organization = await Organization.findById(organizationId);
-
-  if (!organization) {
-    throw OrganizationNotFoundError({
-      message: "Failed to find organization",
-    });
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_JWT &&
-    authData.authPayload instanceof User
-  ) {
-    const membershipOrg = await validateUserClientForOrganization({
-      user: authData.authPayload,
-      organization,
-      acceptedRoles,
-      acceptedStatuses,
-    });
-
-    return { organization, membershipOrg };
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
-    authData.authPayload instanceof ServiceAccount
-  ) {
-    await validateServiceAccountClientForOrganization({
-      serviceAccount: authData.authPayload,
-      organization,
-    });
-
-    return { organization };
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_SERVICE_TOKEN &&
-    authData.authPayload instanceof ServiceTokenData
-  ) {
-    throw UnauthorizedRequestError({
-      message: "Failed service token authorization for organization",
-    });
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_API_KEY &&
-    authData.authPayload instanceof User
-  ) {
-    const membershipOrg = await validateUserClientForOrganization({
-      user: authData.authPayload,
-      organization,
-      acceptedRoles,
-      acceptedStatuses,
-    });
-
-    return { organization, membershipOrg };
-  }
-
-  throw UnauthorizedRequestError({
-    message: "Failed client authorization for organization",
-  });
-};
+  EELicenseService
+} from '../ee/services';
+import {
+  getLicenseServerUrl
+} from '../config';
+import {
+  licenseServerKeyRequest,
+  licenseKeyRequest
+} from '../config/request';
 
 /**
  * Create an organization with name [name]
@@ -228,38 +137,44 @@ const updateSubscriptionOrgQuantity = async ({
   });
 
   if (organization && organization.customerId) {
-    const quantity = await MembershipOrg.countDocuments({
-      organization: organizationId,
-      status: ACCEPTED,
-    });
-
-    const stripe = new Stripe(await getStripeSecretKey(), {
-      apiVersion: "2022-08-01",
-    });
-
-    const subscription = (
-      await stripe.subscriptions.list({
-        customer: organization.customerId,
-      })
-    ).data[0];
-
-    stripeSubscription = await stripe.subscriptions.update(subscription.id, {
-      items: [
+    if (EELicenseService.instanceType === 'cloud') {
+      // instance of Infisical is a cloud instance
+      const quantity = await MembershipOrg.countDocuments({
+        organization: new Types.ObjectId(organizationId),
+        status: ACCEPTED,
+      });
+      
+      await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`,
         {
-          id: subscription.items.data[0].id,
-          price: subscription.items.data[0].price.id,
-          quantity,
-        },
-      ],
-    });
+          quantity
+        }
+      );
+
+      EELicenseService.localFeatureSet.del(organizationId);
+    }
+    
+    if (EELicenseService.instanceType === 'enterprise-self-hosted') {
+      // instance of Infisical is an enterprise self-hosted instance
+      
+      const usedSeats = await MembershipOrg.countDocuments({
+        status: ACCEPTED
+      });
+
+      await licenseKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license/v1/license`,
+        {
+          usedSeats
+        }
+      );
+    }
   }
 
   return stripeSubscription;
 };
 
 export {
-  validateClientForOrganization,
   createOrganization,
   initSubscriptionOrg,
-  updateSubscriptionOrgQuantity,
+  updateSubscriptionOrgQuantity
 };

backend/src/helpers/rateLimiter.ts

@@ -1,9 +1,16 @@
 import rateLimit from 'express-rate-limit';
+const MongoStore = require('rate-limit-mongo');
 
-// 120 requests per minute
+// 200 per minute
 const apiLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 240,
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60,
+    collectionName: "expressRateRecords-apiLimiter",
+    errorHandler: console.error.bind(null, 'rate-limit-mongo')
+  }),
+  windowMs: 1000 * 60,
+  max: 200,
   standardHeaders: true,
   legacyHeaders: false,
   skip: (request) => {
@@ -14,10 +21,16 @@ const apiLimiter = rateLimit({
   }
 });
 
-// 10 requests per minute
+// 50 requests per 1 hours
 const authLimit = rateLimit({
-  windowMs: 60 * 1000,
-  max: 10,
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60 * 60,
+    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+    collectionName: "expressRateRecords-authLimit",
+  }),
+  windowMs: 1000 * 60 * 60,
+  max: 50,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
@@ -25,10 +38,16 @@ const authLimit = rateLimit({
   }
 });
 
-// 10 requests per hour
+// 50 requests per 1 hour
 const passwordLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
-  max: 10,
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60 * 60,
+    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+    collectionName: "expressRateRecords-passwordLimiter",
+  }),
+  windowMs: 1000 * 60 * 60,
+  max: 50,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {

backend/src/helpers/secret.ts

@@ -1,5 +1,5 @@
 import { Types } from "mongoose";
-import { Secret, ISecret, Membership } from "../models";
+import { Secret, ISecret } from "../models";
 import { EESecretService, EELogService } from "../ee/services";
 import { IAction, SecretVersion } from "../ee/models";
 import {
@@ -9,9 +9,9 @@ import {
   ACTION_UPDATE_SECRETS,
   ACTION_DELETE_SECRETS,
   ACTION_READ_SECRETS,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
 } from "../variables";
-import _ from "lodash";
-import { BadRequestError, UnauthorizedRequestError } from "../utils/errors";
 
 interface V1PushSecret {
   ciphertextKey: string;
@@ -194,6 +194,8 @@ const v1PushSecrets = async ({
         secretValueIV: newSecret.ivValue,
         secretValueTag: newSecret.tagValue,
         secretValueHash: newSecret.hashValue,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8,
       });
     }),
   });
@@ -225,6 +227,8 @@ const v1PushSecrets = async ({
             secretCommentIV: s.ivComment,
             secretCommentTag: s.tagComment,
             secretCommentHash: s.hashComment,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8,
           };
 
           if (toAdd[idx].type === "personal") {
@@ -254,6 +258,8 @@ const v1PushSecrets = async ({
           secretValueIV,
           secretValueTag,
           secretValueHash,
+          algorithm,
+          keyEncoding,
         }) =>
           new SecretVersion({
             secret: _id,
@@ -271,6 +277,8 @@ const v1PushSecrets = async ({
             secretValueIV,
             secretValueTag,
             secretValueHash,
+            algorithm,
+            keyEncoding,
           })
       ),
     });
@@ -279,6 +287,7 @@ const v1PushSecrets = async ({
   // (EE) take a secret snapshot
   await EESecretService.takeSecretSnapshot({
     workspaceId: new Types.ObjectId(workspaceId),
+    environment,
   });
 };
 
@@ -467,6 +476,8 @@ const v2PushSecrets = async ({
         workspace: workspaceId,
         type: toAdd[idx].type,
         environment,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8,
         ...(toAdd[idx].type === "personal" ? { user: userId } : {}),
       }))
     );
@@ -478,6 +489,8 @@ const v2PushSecrets = async ({
           ...secretDocument,
           secret: secretDocument._id,
           isDeleted: false,
+          algorithm: ALGORITHM_AES_256_GCM,
+          keyEncoding: ENCODING_SCHEME_UTF8,
         });
       }),
     });
@@ -494,6 +507,7 @@ const v2PushSecrets = async ({
   // (EE) take a secret snapshot
   await EESecretService.takeSecretSnapshot({
     workspaceId: new Types.ObjectId(workspaceId),
+    environment,
   });
 
   // (EE) create (audit) log

backend/src/helpers/user.ts

@@ -1,24 +1,8 @@
-import { Types } from 'mongoose';
 import {
 	IUser, 
-	ISecret,
-	IServiceAccount,
 	User,
-	Membership,
-	IOrganization,
-	Organization,
 } from '../models';
 import { sendMail } from './nodemailer';
-import { validateMembership } from './membership';
-import _ from 'lodash';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
-import {
-	validateMembershipOrg
-} from '../helpers/membershipOrg';
-import {
-	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS
-} from '../variables';
 
 /**
  * Initialize a user under email [email]
@@ -26,7 +10,7 @@ import {
  * @param {String} obj.email - email of user to initialize
  * @returns {Object} user - the initialized user
  */
-const setupAccount = async ({ email }: { email: string }) => {
+export const setupAccount = async ({ email }: { email: string }) => {
   const user = await new User({
     email
   }).save();
@@ -52,7 +36,7 @@ const setupAccount = async ({ email }: { email: string }) => {
  * @param {String} obj.verifier - verifier for auth SRP
  * @returns {Object} user - the completed user
  */
-const completeAccount = async ({
+export const completeAccount = async ({
 	userId,
 	firstName,
 	lastName,
@@ -113,7 +97,7 @@ const completeAccount = async ({
  * @param {String} obj.ip - login ip address
  * @param {String} obj.userAgent - login user-agent
  */
-const checkUserDevice = async ({
+export const checkUserDevice = async ({
 	user,
 	ip,
 	userAgent
@@ -148,206 +132,4 @@ const checkUserDevice = async ({
 			}
 		}); 
 	}
-}
-
-/**
- * Validate that user (client) can access workspace
- * with id [workspaceId] and its environment [environment] with required permissions
- * [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} environment - (optional) environment in workspace to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForWorkspace = async ({
-	user,
-	workspaceId,
-	environment,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	user: IUser;
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	acceptedRoles: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	
-	// validate user membership in workspace
-	const membership = await validateMembership({
-        userId: user._id,
-        workspaceId,
-		acceptedRoles
-    });
-	
-	let runningIsDisallowed = false;
-	requiredPermissions?.forEach((requiredPermission: string) => {
-		switch (requiredPermission) {
-			case PERMISSION_READ_SECRETS:
-				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
-				break;
-			case PERMISSION_WRITE_SECRETS:
-				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
-				break;
-			default:
-				break;
-		}
-		
-		if (runningIsDisallowed) {
-			throw UnauthorizedRequestError({
-				message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
-			});	
-		}
-	});
-	
-	return membership;
-}
-
-/**
- * Validate that user (client) can access secret [secret]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Secret[]} obj.secrets - secrets to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForSecret = async ({
-	user,
-	secret,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	user: IUser;
-	secret: ISecret;
-	acceptedRoles?: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	const membership = await validateMembership({
-		userId: user._id,
-		workspaceId: secret.workspace,
-		acceptedRoles
-	});
-	
-	if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
-		const isDisallowed = _.some(membership.deniedPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
-
-		if (isDisallowed) {
-			throw UnauthorizedRequestError({
-				message: 'You do not have the required permissions to perform this action' 
-			});
-		}
-	}
-}
-
-/**
- * Validate that user (client) can access secrets [secrets]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Secret[]} obj.secrets - secrets to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
- const validateUserClientForSecrets = async ({
-	user,
-	secrets,
-	requiredPermissions
-}: {
-	user: IUser;
-	secrets: ISecret[];
-	requiredPermissions?: string[];
-}) => {
-	
-	// TODO: add acceptedRoles?
-
-	const userMemberships = await Membership.find({ user: user._id })
-	const userMembershipById = _.keyBy(userMemberships, 'workspace');
-	const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
-
-	// for each secret check if the secret belongs to a workspace the user is a member of
-	secrets.forEach((secret: ISecret) => {
-		if (!workspaceIdsSet.has(secret.workspace.toString())) {
-			throw BadRequestError({
-				message: 'Failed authorization for the secret'
-			});
-		}
-
-		if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
-			const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
-			const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
-
-			if (isDisallowed) {
-				throw UnauthorizedRequestError({
-					message: 'You do not have the required permissions to perform this action' 
-				});
-			}
-		}
-	});
-}
-
-/**
- * Validate that user (client) can access service account [serviceAccount]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {ServiceAccount} obj.serviceAccount - service account to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForServiceAccount = async ({
-	user,
-	serviceAccount,
-	requiredPermissions
-}: {
-	user: IUser;
-	serviceAccount: IServiceAccount;
-	requiredPermissions?: string[];
-}) => {
-	if (!serviceAccount.user.equals(user._id)) {
-		// case: user who created service account is not the
-		// same user that is on the request
-		await validateMembershipOrg({
-			userId: user._id,
-			organizationId: serviceAccount.organization,
-			acceptedRoles: [],
-			acceptedStatuses: []
-		});
-	}
-}
-
-/**
- * Validate that user (client) can access organization [organization]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Organization} obj.organization - organization to validate against
- */
- const validateUserClientForOrganization = async ({
-	user,
-	organization,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	user: IUser;
-	organization: IOrganization;
-	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	const membershipOrg = await validateMembershipOrg({
-		userId: user._id,
-		organizationId: organization._id,
-		acceptedRoles,
-		acceptedStatuses
-	});
-	
-	return membershipOrg;
-}
-
-export { 
-	setupAccount, 
-	completeAccount, 
-	checkUserDevice,
-	validateUserClientForWorkspace,
-	validateUserClientForSecrets,
-	validateUserClientForServiceAccount,
-	validateUserClientForOrganization,
-	validateUserClientForSecret
-};
+}

backend/src/helpers/workspace.ts

@@ -1,136 +1,14 @@
 import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
-import { Types } from 'mongoose';
 import {
 	Workspace,
 	Bot,
 	Membership,
 	Key,
-	Secret,
-	User,
-	IUser,
-	ServiceAccountWorkspacePermission,
-	ServiceAccount,
-	IServiceAccount,
-	ServiceTokenData,
-	IServiceTokenData,
-	SecretBlindIndexData
+	Secret
 } from '../models';
 import { createBot } from '../helpers/bot';
-import { validateUserClientForWorkspace } from '../helpers/user';
-import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
-import { validateServiceTokenDataClientForWorkspace } from '../helpers/serviceTokenData';
-import { validateMembership } from '../helpers/membership';
-import { UnauthorizedRequestError, WorkspaceNotFoundError } from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-import { encryptSymmetric } from '../utils/crypto';
 import { SecretService } from '../services';
 
-/**
- * Validate authenticated clients for workspace with id [workspaceId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
-const validateClientForWorkspace = async ({
-	authData,
-	workspaceId,
-	environment,
-	acceptedRoles,
-	requiredPermissions,
-	requireBlindIndicesEnabled
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	acceptedRoles: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-	requireBlindIndicesEnabled: boolean;
-}) => {
-	
-	const workspace = await Workspace.findById(workspaceId);
-
-	if (!workspace) throw WorkspaceNotFoundError({
-		message: 'Failed to find workspace'
-	});
-
-	if (requireBlindIndicesEnabled) {
-		// case: blind indices are not enabled for secrets in this workspace
-		// (i.e. workspace was created before blind indices were introduced
-		// and no admin has enabled it)
-		
-		const secretBlindIndexData = await SecretBlindIndexData.exists({
-			workspace: new Types.ObjectId(workspaceId)
-		});
-		
-		if (!secretBlindIndexData) throw UnauthorizedRequestError({
-			message: 'Failed workspace authorization due to blind indices not being enabled'
-		});
-	}
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		const membership = await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId,
-			environment,
-			acceptedRoles,
-			requiredPermissions
-		});
-		
-		return ({ membership });
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForWorkspace({
-			serviceAccount: authData.authPayload,
-			workspaceId,
-			environment,
-			requiredPermissions
-		});
-		
-		return {};
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		await validateServiceTokenDataClientForWorkspace({
-			serviceTokenData: authData.authPayload,
-			workspaceId,
-			environment,
-			requiredPermissions
-		});
-
-		return {};
-	}
-
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		const membership = await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId,
-			environment,
-			acceptedRoles,
-			requiredPermissions
-		});
-		
-		return ({ membership });
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for workspace'
-	});
-}
-
 /**
  * Create a workspace with name [name] in organization with id [organizationId]
  * and a bot for it.
@@ -203,7 +81,6 @@ const deleteWorkspace = async ({ id }: { id: string }) => {
 };
 
 export {
-	validateClientForWorkspace,
 	createWorkspace, 
 	deleteWorkspace 
 };

backend/src/index.ts

@@ -1,189 +1,179 @@
-import mongoose from 'mongoose';
-import dotenv from 'dotenv';
+import dotenv from "dotenv";
 dotenv.config();
-import express from 'express';
-import helmet from 'helmet';
-import cors from 'cors';
-import * as Sentry from '@sentry/node';
-import { DatabaseService } from './services';
-import { setUpHealthEndpoint } from './services/health';
-import { initSmtp } from './services/smtp';
-import { TelemetryService } from './services';
-import { setTransporter } from './helpers/nodemailer';
-import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
+import express from "express";
+import helmet from "helmet";
+import cors from "cors";
+import { DatabaseService } from "./services";
+import { EELicenseService } from "./ee/services";
+import { setUpHealthEndpoint } from "./services/health";
+import cookieParser from "cookie-parser";
+import swaggerUi = require("swagger-ui-express");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');
-
-import cookieParser from 'cookie-parser';
-import swaggerUi = require('swagger-ui-express');
+const swaggerFile = require("../spec.json");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const swaggerFile = require('../spec.json');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const requestIp = require('request-ip');
-import { apiLimiter } from './helpers/rateLimiter';
+const requestIp = require("request-ip");
+import { apiLimiter } from "./helpers/rateLimiter";
 import {
-    workspace as eeWorkspaceRouter,
-    secret as eeSecretRouter,
-    secretSnapshot as eeSecretSnapshotRouter,
-    action as eeActionRouter
-} from './ee/routes/v1';
+  workspace as eeWorkspaceRouter,
+  secret as eeSecretRouter,
+  secretSnapshot as eeSecretSnapshotRouter,
+  action as eeActionRouter,
+  organizations as eeOrganizationsRouter,
+  cloudProducts as eeCloudProductsRouter,
+} from "./ee/routes/v1";
 import {
-    signup as v1SignupRouter,
-    auth as v1AuthRouter,
-    bot as v1BotRouter,
-    organization as v1OrganizationRouter,
-    workspace as v1WorkspaceRouter,
-    membershipOrg as v1MembershipOrgRouter,
-    membership as v1MembershipRouter,
-    key as v1KeyRouter,
-    inviteOrg as v1InviteOrgRouter,
-    user as v1UserRouter,
-    userAction as v1UserActionRouter,
-    secret as v1SecretRouter,
-    serviceToken as v1ServiceTokenRouter,
-    password as v1PasswordRouter,
-    stripe as v1StripeRouter,
-    integration as v1IntegrationRouter,
-    integrationAuth as v1IntegrationAuthRouter,
-    secretsFolder as v1SecretsFolder
-} from './routes/v1';
+  signup as v1SignupRouter,
+  auth as v1AuthRouter,
+  bot as v1BotRouter,
+  organization as v1OrganizationRouter,
+  workspace as v1WorkspaceRouter,
+  membershipOrg as v1MembershipOrgRouter,
+  membership as v1MembershipRouter,
+  key as v1KeyRouter,
+  inviteOrg as v1InviteOrgRouter,
+  user as v1UserRouter,
+  userAction as v1UserActionRouter,
+  secret as v1SecretRouter,
+  serviceToken as v1ServiceTokenRouter,
+  password as v1PasswordRouter,
+  stripe as v1StripeRouter,
+  integration as v1IntegrationRouter,
+  integrationAuth as v1IntegrationAuthRouter,
+  secretsFolder as v1SecretsFolder,
+} from "./routes/v1";
 import {
-    signup as v2SignupRouter,
-    auth as v2AuthRouter,
-    users as v2UsersRouter,
-    organizations as v2OrganizationsRouter,
-    workspace as v2WorkspaceRouter,
-    secret as v2SecretRouter, // begin to phase out
-    secrets as v2SecretsRouter,
-    serviceTokenData as v2ServiceTokenDataRouter,
-    serviceAccounts as v2ServiceAccountsRouter,
-    apiKeyData as v2APIKeyDataRouter,
-    environment as v2EnvironmentRouter,
-    tags as v2TagsRouter,
-} from './routes/v2';
+  signup as v2SignupRouter,
+  auth as v2AuthRouter,
+  users as v2UsersRouter,
+  organizations as v2OrganizationsRouter,
+  workspace as v2WorkspaceRouter,
+  secret as v2SecretRouter, // begin to phase out
+  secrets as v2SecretsRouter,
+  serviceTokenData as v2ServiceTokenDataRouter,
+  serviceAccounts as v2ServiceAccountsRouter,
+  apiKeyData as v2APIKeyDataRouter,
+  environment as v2EnvironmentRouter,
+  tags as v2TagsRouter,
+} from "./routes/v2";
 import {
-    secrets as v3SecretsRouter,
-    workspaces as v3WorkspacesRouter
-} from './routes/v3';
-import { healthCheck } from './routes/status';
-import { getLogger } from './utils/logger';
-import { RouteNotFoundError } from './utils/errors';
-import { requestErrorHandler } from './middleware/requestErrorHandler';
-import {
-    getMongoURL,
-    getNodeEnv,
-    getPort,
-    getSentryDSN,
-    getSiteURL,
-    getSmtpHost
-} from './config';
+  auth as v3AuthRouter,
+  secrets as v3SecretsRouter,
+  signup as v3SignupRouter,
+  workspaces as v3WorkspacesRouter,
+} from "./routes/v3";
+import { healthCheck } from "./routes/status";
+import { getLogger } from "./utils/logger";
+import { RouteNotFoundError } from "./utils/errors";
+import { requestErrorHandler } from "./middleware/requestErrorHandler";
+import { getNodeEnv, getPort, getSiteURL } from "./config";
+import { setup } from "./utils/setup";
 
 const main = async () => {
-    TelemetryService.logTelemetryMessage();
-    setTransporter(await initSmtp());
+  await setup();
 
-    await DatabaseService.initDatabase(await getMongoURL());
-    if ((await getNodeEnv()) !== 'test') {
-        Sentry.init({
-            dsn: await getSentryDSN(),
-            tracesSampleRate: 1.0,
-            debug: await getNodeEnv() === 'production' ? false : true,
-            environment: await getNodeEnv()
-        });
-    }
+  await EELicenseService.initGlobalFeatureSet();
 
-    patchRouterParam();
-    const app = express();
-    app.enable('trust proxy');
-    app.use(express.json());
-    app.use(cookieParser());
-    app.use(
-        cors({
-            credentials: true,
-            origin: await getSiteURL()
-        })
+  const app = express();
+  app.enable("trust proxy");
+  app.use(express.json());
+  app.use(cookieParser());
+  app.use(
+    cors({
+      credentials: true,
+      origin: await getSiteURL(),
+    })
+  );
+
+  app.use(requestIp.mw());
+
+  if ((await getNodeEnv()) === "production") {
+    // enable app-wide rate-limiting + helmet security
+    // in production
+    app.disable("x-powered-by");
+    app.use(apiLimiter);
+    app.use(helmet());
+  }
+
+  // (EE) routes
+  app.use("/api/v1/secret", eeSecretRouter);
+  app.use("/api/v1/secret-snapshot", eeSecretSnapshotRouter);
+  app.use("/api/v1/workspace", eeWorkspaceRouter);
+  app.use("/api/v1/action", eeActionRouter);
+  app.use("/api/v1/organizations", eeOrganizationsRouter);
+  app.use("/api/v1/cloud-products", eeCloudProductsRouter);
+
+  // v1 routes (default)
+  app.use("/api/v1/signup", v1SignupRouter);
+  app.use("/api/v1/auth", v1AuthRouter);
+  app.use("/api/v1/bot", v1BotRouter);
+  app.use("/api/v1/user", v1UserRouter);
+  app.use("/api/v1/user-action", v1UserActionRouter);
+  app.use("/api/v1/organization", v1OrganizationRouter);
+  app.use("/api/v1/workspace", v1WorkspaceRouter);
+  app.use("/api/v1/membership-org", v1MembershipOrgRouter);
+  app.use("/api/v1/membership", v1MembershipRouter);
+  app.use("/api/v1/key", v1KeyRouter);
+  app.use("/api/v1/invite-org", v1InviteOrgRouter);
+  app.use("/api/v1/secret", v1SecretRouter); // deprecate
+  app.use("/api/v1/service-token", v1ServiceTokenRouter); // deprecate
+  app.use("/api/v1/password", v1PasswordRouter);
+  app.use("/api/v1/stripe", v1StripeRouter);
+  app.use("/api/v1/integration", v1IntegrationRouter);
+  app.use("/api/v1/integration-auth", v1IntegrationAuthRouter);
+  app.use("/api/v1/folders", v1SecretsFolder);
+
+  // v2 routes (improvements)
+  app.use("/api/v2/signup", v2SignupRouter);
+  app.use("/api/v2/auth", v2AuthRouter);
+  app.use("/api/v2/users", v2UsersRouter);
+  app.use("/api/v2/organizations", v2OrganizationsRouter);
+  app.use("/api/v2/workspace", v2EnvironmentRouter);
+  app.use("/api/v2/workspace", v2TagsRouter);
+  app.use("/api/v2/workspace", v2WorkspaceRouter);
+  app.use("/api/v2/secret", v2SecretRouter); // deprecate
+  app.use("/api/v2/secrets", v2SecretsRouter); // note: in the process of moving to v3/secrets
+  app.use("/api/v2/service-token", v2ServiceTokenDataRouter);
+  app.use("/api/v2/service-accounts", v2ServiceAccountsRouter); // new
+  app.use("/api/v2/api-key", v2APIKeyDataRouter);
+
+  // v3 routes (experimental)
+  app.use("/api/v3/auth", v3AuthRouter);
+  app.use("/api/v3/secrets", v3SecretsRouter);
+  app.use("/api/v3/workspaces", v3WorkspacesRouter);
+  app.use("/api/v3/signup", v3SignupRouter);
+
+  // api docs
+  app.use("/api-docs", swaggerUi.serve, swaggerUi.setup(swaggerFile));
+
+  // server status
+  app.use("/api", healthCheck);
+
+  //* Handle unrouted requests and respond with proper error message as well as status code
+  app.use((req, res, next) => {
+    if (res.headersSent) return next();
+    next(
+      RouteNotFoundError({
+        message: `The requested source '(${req.method})${req.url}' was not found`,
+      })
     );
+  });
 
-    app.use(requestIp.mw());
+  app.use(requestErrorHandler);
 
-    if ((await getNodeEnv()) === 'production') {
-        // enable app-wide rate-limiting + helmet security
-        // in production
-        app.disable('x-powered-by');
-        app.use(apiLimiter);
-        app.use(helmet());
-    }
+  const server = app.listen(await getPort(), async () => {
+    (await getLogger("backend-main")).info(
+      `Server started listening at port ${await getPort()}`
+    );
+  });
 
-    // (EE) routes
-    app.use('/api/v1/secret', eeSecretRouter);
-    app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
-    app.use('/api/v1/workspace', eeWorkspaceRouter);
-    app.use('/api/v1/action', eeActionRouter);
+  // await createTestUserForDevelopment();
+  setUpHealthEndpoint(server);
 
-    // v1 routes (default)
-    app.use('/api/v1/signup', v1SignupRouter);
-    app.use('/api/v1/auth', v1AuthRouter);
-    app.use('/api/v1/bot', v1BotRouter);
-    app.use('/api/v1/user', v1UserRouter);
-    app.use('/api/v1/user-action', v1UserActionRouter);
-    app.use('/api/v1/organization', v1OrganizationRouter);
-    app.use('/api/v1/workspace', v1WorkspaceRouter);
-    app.use('/api/v1/membership-org', v1MembershipOrgRouter);
-    app.use('/api/v1/membership', v1MembershipRouter);
-    app.use('/api/v1/key', v1KeyRouter);
-    app.use('/api/v1/invite-org', v1InviteOrgRouter);
-    app.use('/api/v1/secret', v1SecretRouter);
-    app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
-    app.use('/api/v1/password', v1PasswordRouter);
-    app.use('/api/v1/stripe', v1StripeRouter);
-    app.use('/api/v1/integration', v1IntegrationRouter);
-    app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
-    app.use('/api/v1/folder', v1SecretsFolder)
+  server.on("close", async () => {
+    await DatabaseService.closeDatabase();
+  });
 
-    // v2 routes (improvements)
-    app.use('/api/v2/signup', v2SignupRouter);
-    app.use('/api/v2/auth', v2AuthRouter);
-    app.use('/api/v2/users', v2UsersRouter);
-    app.use('/api/v2/organizations', v2OrganizationsRouter);
-    app.use('/api/v2/workspace', v2EnvironmentRouter);
-    app.use('/api/v2/workspace', v2TagsRouter);
-    app.use('/api/v2/workspace', v2WorkspaceRouter);
-    app.use('/api/v2/secret', v2SecretRouter); // deprecated
-    app.use('/api/v2/secrets', v2SecretsRouter);
-    app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-    app.use('/api/v2/service-accounts', v2ServiceAccountsRouter); // new
-    app.use('/api/v2/api-key', v2APIKeyDataRouter);
+  return server;
+};
 
-    // v3 routes (experimental)
-    app.use('/api/v3/secrets', v3SecretsRouter);
-    app.use('/api/v3/workspaces', v3WorkspacesRouter);
-
-    // api docs 
-    app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
-
-    // Server status
-    app.use('/api', healthCheck)
-
-    //* Handle unrouted requests and respond with proper error message as well as status code
-    app.use((req, res, next) => {
-        if (res.headersSent) return next();
-        next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
-    })
-
-    app.use(requestErrorHandler)
-
-    const server = app.listen(await getPort(), async () => {
-        (await getLogger("backend-main")).info(`Server started listening at port ${await getPort()}`)
-    });
-
-    await createTestUserForDevelopment();
-    setUpHealthEndpoint(server);
-
-    server.on('close', async () => {
-        await DatabaseService.closeDatabase();
-    })
-
-    return server;
-}
-
-export default main();
+export default main();

backend/src/integrations/apps.ts

@@ -1,6 +1,6 @@
 import { Octokit } from "@octokit/rest";
 import { IIntegrationAuth } from "../models";
-import request from "../config/request";
+import { standardRequest } from "../config/request";
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_AWS_PARAMETER_STORE,
@@ -134,7 +134,7 @@ const getApps = async ({
  */
 const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
   const res = (
-    await request.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
+    await standardRequest.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
       headers: {
         Accept: "application/vnd.heroku+json; version=3",
         Authorization: `Bearer ${accessToken}`,
@@ -164,7 +164,7 @@ const getAppsVercel = async ({
   accessToken: string;
 }) => {
   const res = (
-    await request.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
+    await standardRequest.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
       headers: {
         Authorization: `Bearer ${accessToken}`,
         "Accept-Encoding": "application/json",
@@ -208,7 +208,7 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
       filter: 'all'
     });
 
-    const { data } = await request.get(
+    const { data } = await standardRequest.get(
       `${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`,
       {
         params,
@@ -310,7 +310,7 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
  */
 const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
   const res = (
-    await request.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+    await standardRequest.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
       headers: {
         Authorization: `Bearer ${accessToken}`,
         Accept: "application/json",
@@ -358,7 +358,7 @@ const getAppsRailway = async ({ accessToken }: { accessToken: string }) => {
         projects: { edges },
       },
     },
-  } = await request.post(
+  } = await standardRequest.post(
     INTEGRATION_RAILWAY_API_URL,
     {
       query,
@@ -402,7 +402,7 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
   `;
 
   const res = (
-    await request.post(
+    await standardRequest.post(
       INTEGRATION_FLYIO_API_URL,
       {
         query,
@@ -436,7 +436,7 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
  */
 const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
   const res = (
-    await request.get(`${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`, {
+    await standardRequest.get(`${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`, {
       headers: {
         "Circle-Token": accessToken,
         "Accept-Encoding": "application/json",
@@ -455,7 +455,7 @@ const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
 
 const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
   const res = (
-    await request.get(`${INTEGRATION_TRAVISCI_API_URL}/repos`, {
+    await standardRequest.get(`${INTEGRATION_TRAVISCI_API_URL}/repos`, {
       headers: {
         Authorization: `token ${accessToken}`,
         "Accept-Encoding": "application/json",
@@ -502,7 +502,7 @@ const getAppsGitlab = async ({
         per_page: String(perPage),
       });
 
-      const { data } = await request.get(
+      const { data } = await standardRequest.get(
         `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
         {
           params,
@@ -530,7 +530,7 @@ const getAppsGitlab = async ({
     // case: fetch projects for individual in GitLab
 
     const { id } = (
-      await request.get(`${INTEGRATION_GITLAB_API_URL}/v4/user`, {
+      await standardRequest.get(`${INTEGRATION_GITLAB_API_URL}/v4/user`, {
         headers: {
           Authorization: `Bearer ${accessToken}`,
           "Accept-Encoding": "application/json",
@@ -544,7 +544,7 @@ const getAppsGitlab = async ({
         per_page: String(perPage),
       });
 
-      const { data } = await request.get(
+      const { data } = await standardRequest.get(
         `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
         {
           params,
@@ -581,7 +581,7 @@ const getAppsGitlab = async ({
  * @returns {String} apps.name - name of Supabase app
  */
 const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
-  const { data } = await request.get(
+  const { data } = await standardRequest.get(
     `${INTEGRATION_SUPABASE_API_URL}/v1/projects`,
     {
       headers: {

backend/src/integrations/exchange.ts

@@ -1,4 +1,4 @@
-import request from "../config/request";
+import { standardRequest } from "../config/request";
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
@@ -142,7 +142,7 @@ const exchangeCodeAzure = async ({ code }: { code: string }) => {
   const accessExpiresAt = new Date();
 
   const res: ExchangeCodeAzureResponse = (
-    await request.post(
+    await standardRequest.post(
       INTEGRATION_AZURE_TOKEN_URL,
       new URLSearchParams({
         grant_type: "authorization_code",
@@ -178,7 +178,7 @@ const exchangeCodeHeroku = async ({ code }: { code: string }) => {
   const accessExpiresAt = new Date();
 
   const res: ExchangeCodeHerokuResponse = (
-    await request.post(
+    await standardRequest.post(
       INTEGRATION_HEROKU_TOKEN_URL,
       new URLSearchParams({
         grant_type: "authorization_code",
@@ -209,7 +209,7 @@ const exchangeCodeHeroku = async ({ code }: { code: string }) => {
  */
 const exchangeCodeVercel = async ({ code }: { code: string }) => {
   const res: ExchangeCodeVercelResponse = (
-    await request.post(
+    await standardRequest.post(
       INTEGRATION_VERCEL_TOKEN_URL,
       new URLSearchParams({
         code: code,
@@ -240,7 +240,7 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
  */
 const exchangeCodeNetlify = async ({ code }: { code: string }) => {
   const res: ExchangeCodeNetlifyResponse = (
-    await request.post(
+    await standardRequest.post(
       INTEGRATION_NETLIFY_TOKEN_URL,
       new URLSearchParams({
         grant_type: "authorization_code",
@@ -252,14 +252,14 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
     )
   ).data;
 
-  const res2 = await request.get("https://api.netlify.com/api/v1/sites", {
+  const res2 = await standardRequest.get("https://api.netlify.com/api/v1/sites", {
     headers: {
       Authorization: `Bearer ${res.access_token}`,
     },
   });
 
   const res3 = (
-    await request.get("https://api.netlify.com/api/v1/accounts", {
+    await standardRequest.get("https://api.netlify.com/api/v1/accounts", {
       headers: {
         Authorization: `Bearer ${res.access_token}`,
       },
@@ -287,7 +287,7 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
  */
 const exchangeCodeGithub = async ({ code }: { code: string }) => {
   const res: ExchangeCodeGithubResponse = (
-    await request.get(INTEGRATION_GITHUB_TOKEN_URL, {
+    await standardRequest.get(INTEGRATION_GITHUB_TOKEN_URL, {
       params: {
         client_id: await getClientIdGitHub(),
         client_secret: await getClientSecretGitHub(),
@@ -321,7 +321,7 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
 const exchangeCodeGitlab = async ({ code }: { code: string }) => {
   const accessExpiresAt = new Date();
   const res: ExchangeCodeGitlabResponse = (
-    await request.post(
+    await standardRequest.post(
       INTEGRATION_GITLAB_TOKEN_URL,
       new URLSearchParams({
         grant_type: "authorization_code",

backend/src/integrations/refresh.ts

@@ -1,4 +1,4 @@
-import request from "../config/request";
+import { standardRequest } from "../config/request";
 import { IIntegrationAuth } from "../models";
 import {
   INTEGRATION_AZURE_KEY_VAULT,
@@ -121,7 +121,7 @@ const exchangeRefreshAzure = async ({
   refreshToken: string;
 }) => {
   const accessExpiresAt = new Date();
-  const { data }: { data: RefreshTokenAzureResponse } = await request.post(
+  const { data }: { data: RefreshTokenAzureResponse } = await standardRequest.post(
     INTEGRATION_AZURE_TOKEN_URL,
     new URLSearchParams({
       client_id: await getClientIdAzure(),
@@ -158,7 +158,7 @@ const exchangeRefreshHeroku = async ({
     data,
   }: {
     data: RefreshTokenHerokuResponse;
-  } = await request.post(
+  } = await standardRequest.post(
     INTEGRATION_HEROKU_TOKEN_URL,
     new URLSearchParams({
       grant_type: "refresh_token",
@@ -193,7 +193,7 @@ const exchangeRefreshGitLab = async ({
     data,
   }: {
     data: RefreshTokenGitLabResponse;
-  } = await request.post(
+  } = await standardRequest.post(
     INTEGRATION_GITLAB_TOKEN_URL,
     new URLSearchParams({
       grant_type: "refresh_token",

backend/src/integrations/sync.ts

@@ -37,8 +37,7 @@ import {
   INTEGRATION_TRAVISCI_API_URL,
   INTEGRATION_SUPABASE_API_URL
 } from "../variables";
-import request from '../config/request';
-import axios from "axios";
+import { standardRequest} from '../config/request';
 
 /**
  * Sync/push [secrets] to [app] in integration named [integration]
@@ -215,7 +214,7 @@ const syncSecretsAzureKeyVault = async ({
       let result: GetAzureKeyVaultSecret[] = [];
       try {
         while (url) {
-          const res = await request.get(url, {
+          const res = await standardRequest.get(url, {
             headers: {
               Authorization: `Bearer ${accessToken}`
             }
@@ -242,7 +241,7 @@ const syncSecretsAzureKeyVault = async ({
         lastSlashIndex = getAzureKeyVaultSecret.id.lastIndexOf('/');
       }
       
-      const azureKeyVaultSecret = await request.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
+      const azureKeyVaultSecret = await standardRequest.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
         headers: {
           'Authorization': `Bearer ${accessToken}`
         }
@@ -308,7 +307,7 @@ const syncSecretsAzureKeyVault = async ({
       while (!isSecretSet && maxTries > 0) {
         // try to set secret
         try {
-          await request.put(
+          await standardRequest.put(
             `${integration.app}/secrets/${key}?api-version=7.3`,
             {
               value
@@ -325,7 +324,7 @@ const syncSecretsAzureKeyVault = async ({
         } catch (err) {
           const error: any = err;
           if (error?.response?.data?.error?.innererror?.code === 'ObjectIsDeletedButRecoverable') {
-            await request.post(
+            await standardRequest.post(
               `${integration.app}/deletedsecrets/${key}/recover?api-version=7.3`, {},
               {
                 headers: {
@@ -355,7 +354,7 @@ const syncSecretsAzureKeyVault = async ({
     
     for await (const deleteSecret of deleteSecrets) {
       const { key } = deleteSecret;
-      await request.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
+      await standardRequest.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
         headers: {
           'Authorization': `Bearer ${accessToken}`
         }
@@ -568,7 +567,7 @@ const syncSecretsHeroku = async ({
 }) => {
   try {
     const herokuSecrets = (
-      await request.get(
+      await standardRequest.get(
         `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
         {
           headers: {
@@ -586,7 +585,7 @@ const syncSecretsHeroku = async ({
       }
     });
 
-    await request.patch(
+    await standardRequest.patch(
       `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
       secrets,
       {
@@ -642,7 +641,7 @@ const syncSecretsVercel = async ({
         : {}),
     };
       
-    const vercelSecrets: VercelSecret[] = (await request.get(
+    const vercelSecrets: VercelSecret[] = (await standardRequest.get(
       `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
       {
         params,
@@ -675,7 +674,7 @@ const syncSecretsVercel = async ({
     for await (const vercelSecret of vercelSecrets) {
       if (vercelSecret.type === 'encrypted') {
         // case: secret is encrypted -> need to decrypt
-        const decryptedSecret = (await request.get(
+        const decryptedSecret = (await standardRequest.get(
             `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${vercelSecret.id}`,
             {
               params,
@@ -747,7 +746,7 @@ const syncSecretsVercel = async ({
 
     // Sync/push new secrets
     if (newSecrets.length > 0) {
-      await request.post(
+      await standardRequest.post(
         `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
         newSecrets,
         {
@@ -763,7 +762,7 @@ const syncSecretsVercel = async ({
     for await (const secret of updateSecrets) {
       if (secret.type !== 'sensitive') {
         const { id, ...updatedSecret } = secret;
-        await request.patch(
+        await standardRequest.patch(
           `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
           updatedSecret,
           {
@@ -778,7 +777,7 @@ const syncSecretsVercel = async ({
     }
 
     for await (const secret of deleteSecrets) {
-      await request.delete(
+      await standardRequest.delete(
         `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
         {
           params,
@@ -837,7 +836,7 @@ const syncSecretsNetlify = async ({
     });
 
     const res = (
-      await request.get(
+      await standardRequest.get(
         `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
         {
           params: getParams,
@@ -951,7 +950,7 @@ const syncSecretsNetlify = async ({
     });
 
     if (newSecrets.length > 0) {
-      await request.post(
+      await standardRequest.post(
         `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
         newSecrets,
         {
@@ -966,7 +965,7 @@ const syncSecretsNetlify = async ({
 
     if (updateSecrets.length > 0) {
       updateSecrets.forEach(async (secret: NetlifySecret) => {
-        await request.patch(
+        await standardRequest.patch(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}`,
           {
             context: secret.values[0].context,
@@ -985,7 +984,7 @@ const syncSecretsNetlify = async ({
 
     if (deleteSecrets.length > 0) {
       deleteSecrets.forEach(async (key: string) => {
-        await request.delete(
+        await standardRequest.delete(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${key}`,
           {
             params: syncParams,
@@ -1000,7 +999,7 @@ const syncSecretsNetlify = async ({
 
     if (deleteSecretValues.length > 0) {
       deleteSecretValues.forEach(async (secret: NetlifySecret) => {
-        await request.delete(
+        await standardRequest.delete(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}/value/${secret.values[0].id}`,
           {
             params: syncParams,
@@ -1151,7 +1150,7 @@ const syncSecretsRender = async ({
   accessToken: string;
 }) => {
   try {
-    await request.put(
+    await standardRequest.put(
       `${INTEGRATION_RENDER_API_URL}/v1/services/${integration.appId}/env-vars`,
       Object.keys(secrets).map((key) => ({
         key,
@@ -1203,7 +1202,7 @@ const syncSecretsRailway = async ({
       variables: secrets
     };
 
-    await request.post(INTEGRATION_RAILWAY_API_URL, {
+    await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
       query,
       variables: {
         input,
@@ -1261,7 +1260,7 @@ const syncSecretsFlyio = async ({
       }
     `;
 
-    await request.post(INTEGRATION_FLYIO_API_URL, {
+    await standardRequest.post(INTEGRATION_FLYIO_API_URL, {
       query: SetSecrets,
       variables: {
         input: {
@@ -1296,7 +1295,7 @@ const syncSecretsFlyio = async ({
         }
     }`;
 
-    const getSecretsRes = (await request.post(INTEGRATION_FLYIO_API_URL, {
+    const getSecretsRes = (await standardRequest.post(INTEGRATION_FLYIO_API_URL, {
       query: GetSecrets,
       variables: {
         appName: integration.app,
@@ -1332,7 +1331,7 @@ const syncSecretsFlyio = async ({
         }
     }`;
 
-    await request.post(INTEGRATION_FLYIO_API_URL, {
+    await standardRequest.post(INTEGRATION_FLYIO_API_URL, {
       query: DeleteSecrets,
       variables: {
         input: {
@@ -1373,7 +1372,7 @@ const syncSecretsCircleCI = async ({
 }) => {  
   try {
     const circleciOrganizationDetail = (
-      await request.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
+      await standardRequest.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
         headers: {
           "Circle-Token": accessToken,
           "Accept-Encoding": "application/json",
@@ -1386,7 +1385,7 @@ const syncSecretsCircleCI = async ({
     // sync secrets to CircleCI
     Object.keys(secrets).forEach(
       async (key) =>
-        await request.post(
+        await standardRequest.post(
           `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
           {
             name: key,
@@ -1403,7 +1402,7 @@ const syncSecretsCircleCI = async ({
 
     // get secrets from CircleCI
     const getSecretsRes = (
-      await request.get(
+      await standardRequest.get(
         `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
         {
           headers: {
@@ -1417,7 +1416,7 @@ const syncSecretsCircleCI = async ({
     // delete secrets from CircleCI
     getSecretsRes.forEach(async (sec: any) => {
       if (!(sec.name in secrets)) {
-        await request.delete(
+        await standardRequest.delete(
           `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar/${sec.name}`,
           {
             headers: {
@@ -1454,7 +1453,7 @@ const syncSecretsTravisCI = async ({
   try {
     // get secrets from travis-ci  
     const getSecretsRes = (
-      await request.get(
+      await standardRequest.get(
         `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
         {
           headers: {
@@ -1476,7 +1475,7 @@ const syncSecretsTravisCI = async ({
       if (!(key in getSecretsRes)) {
         // case: secret does not exist in travis ci
         // -> add secret
-        await request.post(
+        await standardRequest.post(
           `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
           {
             env_var: {
@@ -1495,7 +1494,7 @@ const syncSecretsTravisCI = async ({
       } else {
         // case: secret exists in travis ci
         // -> update/set secret
-        await request.patch(
+        await standardRequest.patch(
           `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
           {
             env_var: {
@@ -1517,7 +1516,7 @@ const syncSecretsTravisCI = async ({
     for await (const key of Object.keys(getSecretsRes)) {
       if (!(key in secrets)){
         // delete secret
-        await request.delete(
+        await standardRequest.delete(
           `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
           {
             headers: {
@@ -1560,27 +1559,42 @@ const syncSecretsGitLab = async ({
       environment_scope: string;
     }
 
-    // get secrets from gitlab
-    const getSecretsRes: GitLabSecret[] = (
-      await request.get(
-        `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
-        { 
-          headers: {
-            "Authorization": `Bearer ${accessToken}`,
-            "Accept-Encoding": "application/json",
-          },
+    const getAllEnvVariables = async (integrationAppId: string, accessToken: string) => {
+      const gitLabApiUrl = `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integrationAppId}/variables`;
+      const headers = {
+        "Authorization": `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      };
+    
+      let allEnvVariables: GitLabSecret[] = [];
+      let url: string | null = `${gitLabApiUrl}?per_page=100`;
+    
+      while (url) {
+        const response: any = await standardRequest.get(url, { headers });
+        allEnvVariables = [...allEnvVariables, ...response.data];
+    
+        const linkHeader = response.headers.link;
+        const nextLink = linkHeader?.split(',').find((part: string) => part.includes('rel="next"'));
+    
+        if (nextLink) {
+          url = nextLink.trim().split(';')[0].slice(1, -1);
+        } else {
+          url = null;
         }
-      )
-    )
-    .data
-    .filter((secret: GitLabSecret) => 
+      }
+    
+      return allEnvVariables;
+    };
+
+    const allEnvVariables = await getAllEnvVariables(integration?.appId, accessToken);
+    const getSecretsRes: GitLabSecret[] = allEnvVariables.filter((secret: GitLabSecret) => 
       secret.environment_scope === integration.targetEnvironment
     );
 
     for await (const key of Object.keys(secrets)) {
       const existingSecret = getSecretsRes.find((s: any) => s.key == key);
       if (!existingSecret) {
-        await request.post(
+        await standardRequest.post(
           `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
           {
             key: key,
@@ -1601,7 +1615,7 @@ const syncSecretsGitLab = async ({
       } else {
         // update secret 
         if (secrets[key] !== existingSecret.value) {
-          await request.put(
+          await standardRequest.put(
             `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${existingSecret.key}?filter[environment_scope]=${integration.targetEnvironment}`,
             {
               ...existingSecret,
@@ -1622,7 +1636,7 @@ const syncSecretsGitLab = async ({
     // delete secrets 
     for await (const sec of getSecretsRes) {
       if (!(sec.key in secrets)) {
-        await request.delete(
+        await standardRequest.delete(
           `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${sec.key}?filter[environment_scope]=${integration.targetEnvironment}`,
           {
             headers: {
@@ -1632,6 +1646,7 @@ const syncSecretsGitLab = async ({
         );
       }
     }
+
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -1657,7 +1672,7 @@ const syncSecretsSupabase = async ({
   accessToken: string;
 }) => {
   try {
-    const { data: getSecretsRes } = await request.get(
+    const { data: getSecretsRes } = await standardRequest.get(
       `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
       {
         headers: {
@@ -1677,7 +1692,7 @@ const syncSecretsSupabase = async ({
       }
     );
 
-    await request.post(
+    await standardRequest.post(
       `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
       modifiedFormatForSecretInjection,
       {
@@ -1695,7 +1710,7 @@ const syncSecretsSupabase = async ({
       }
     });
 
-    await request.delete(
+    await standardRequest.delete(
       `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
       {
         headers: {

backend/src/integrations/teams.ts

@@ -5,7 +5,7 @@ import {
     INTEGRATION_GITLAB,
     INTEGRATION_GITLAB_API_URL
 } from '../variables';
-import request from '../config/request';
+import { standardRequest } from '../config/request';
 
 interface Team {
     name: string;
@@ -56,7 +56,7 @@ const getTeamsGitLab = async ({
     accessToken: string;
 }) => {
     let teams: Team[] = [];
-    const res = (await request.get(
+    const res = (await standardRequest.get(
         `${INTEGRATION_GITLAB_API_URL}/v4/groups`,
         {
             headers: {

backend/src/interfaces/services/SecretService/index.ts

@@ -1,52 +1,54 @@
-import { Types } from 'mongoose';
-import { AuthData } from '../../middleware';
+import { Types } from "mongoose";
+import { AuthData } from "../../middleware";
 
 export interface CreateSecretParams {
-    secretName: string;
-    workspaceId: Types.ObjectId;
-    environment: string;
-    type: 'shared' | 'personal';
-    authData: AuthData;
-    secretKeyCiphertext: string;
-    secretKeyIV: string;
-    secretKeyTag: string;
-    secretValueCiphertext: string;
-    secretValueIV: string;
-    secretValueTag: string;
-    secretCommentCiphertext?: string;
-    secretCommentIV?: string;
-    secretCommentTag?: string;
+  secretName: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
+  folderId?: string;
+  type: "shared" | "personal";
+  authData: AuthData;
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  secretCommentCiphertext?: string;
+  secretCommentIV?: string;
+  secretCommentTag?: string;
 }
 
 export interface GetSecretsParams {
-    workspaceId: Types.ObjectId;
-    environment: string;
-    authData: AuthData;
+  workspaceId: Types.ObjectId;
+  environment: string;
+  authData: AuthData;
 }
 
 export interface GetSecretParams {
-    secretName: string;
-    workspaceId: Types.ObjectId;
-    environment: string;
-    type?: 'shared' | 'personal';
-    authData: AuthData;
+  secretName: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
+  type?: "shared" | "personal";
+  authData: AuthData;
 }
 
 export interface UpdateSecretParams {
-    secretName: string;
-    workspaceId: Types.ObjectId;
-    environment: string;
-    type: 'shared' | 'personal',
-    authData: AuthData
-    secretValueCiphertext: string;
-    secretValueIV: string;
-    secretValueTag: string;
+  secretName: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
+  type: "shared" | "personal";
+  authData: AuthData;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  folderId?: string;
 }
 
 export interface DeleteSecretParams {
-    secretName: string;
-    workspaceId: Types.ObjectId;
-    environment: string;
-    type: 'shared' | 'personal';
-    authData: AuthData;
-}
+  secretName: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
+  type: "shared" | "personal";
+  authData: AuthData;
+}

backend/src/interfaces/utils/crypto.ts

@@ -0,0 +1,41 @@
+export interface IGenerateKeyPairOutput {
+    publicKey: string;
+    privateKey: string
+}
+
+export interface IEncryptAsymmetricInput {
+    plaintext: string;
+    publicKey: string;
+    privateKey: string;
+}
+
+export interface IEncryptAsymmetricOutput {
+    ciphertext: string;
+    nonce: string;
+}
+
+export interface IDecryptAsymmetricInput {
+    ciphertext: string;
+    nonce: string;
+    publicKey: string;
+    privateKey: string;
+}
+
+export interface IEncryptSymmetricInput {
+    plaintext: string;
+    key: string;
+}
+
+export interface IEncryptSymmetricOutput {
+    ciphertext: string;
+    iv: string;
+    tag: string;
+}
+
+export interface IDecryptSymmetricInput {
+    ciphertext: string;
+    iv: string;
+    tag: string;
+    key: string;
+}
+

backend/src/interfaces/utils/index.ts

@@ -0,0 +1 @@
+export * from './crypto';

backend/src/middleware/requestErrorHandler.ts

@@ -1,34 +1,45 @@
 import * as Sentry from '@sentry/node';
-import { ErrorRequestHandler } from "express";
-import { InternalServerError } from "../utils/errors";
-import { getLogger } from "../utils/logger";
-import RequestError, { LogLevel } from "../utils/requestError";
-import { getNodeEnv } from '../config';
+import { ErrorRequestHandler } from 'express';
+import { InternalServerError } from '../utils/errors';
+import { getLogger } from '../utils/logger';
+import RequestError, { LogLevel } from '../utils/requestError';
 
-export const requestErrorHandler: ErrorRequestHandler = async (error: RequestError | Error, req, res, next) => {
-    if (res.headersSent) return next();
-    if ((await getNodeEnv()) !== "production") {
-        /* eslint-disable no-console */
-        console.log(error)
-        /* eslint-enable no-console */
-    }
+export const requestErrorHandler: ErrorRequestHandler = async (
+  error: RequestError | Error,
+  req,
+  res,
+  next
+) => {
+  if (res.headersSent) return next();
 
-    //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
-    if (!(error instanceof RequestError)) {
-        error = InternalServerError({ context: { exception: error.message }, stack: error.stack });
-        (await getLogger('backend-main')).log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
-    }
+  //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
+  if (!(error instanceof RequestError)) {
+    error = InternalServerError({
+      context: { exception: error.message },
+      stack: error.stack,
+    });
+    (await getLogger('backend-main')).log(
+      (<RequestError>error).levelName.toLowerCase(),
+      (<RequestError>error).message
+    );
+  }
 
-    //* Set Sentry user identification if req.user is populated
-    if (req.user !== undefined && req.user !== null) {
-        Sentry.setUser({ email: req.user.email })
-    }
-    //* Only sent error to Sentry if LogLevel is one of the following level 'ERROR', 'EMERGENCY' or 'CRITICAL'
-    //* with this we will eliminate false-positive errors like 'BadRequestError', 'UnauthorizedRequestError' and so on
-    if ([LogLevel.ERROR, LogLevel.EMERGENCY, LogLevel.CRITICAL].includes((<RequestError>error).level)) {
-        Sentry.captureException(error)
-    }
+  //* Set Sentry user identification if req.user is populated
+  if (req.user !== undefined && req.user !== null) {
+    Sentry.setUser({ email: (req.user as any).email });
+  }
+  //* Only sent error to Sentry if LogLevel is one of the following level 'ERROR', 'EMERGENCY' or 'CRITICAL'
+  //* with this we will eliminate false-positive errors like 'BadRequestError', 'UnauthorizedRequestError' and so on
+  if (
+    [LogLevel.ERROR, LogLevel.EMERGENCY, LogLevel.CRITICAL].includes(
+      (<RequestError>error).level
+    )
+  ) {
+    Sentry.captureException(error);
+  }
 
-    res.status((<RequestError>error).statusCode).json((<RequestError>error).format(req))
-    next()
-}
+  res
+    .status((<RequestError>error).statusCode)
+    .json((<RequestError>error).format(req));
+  next();
+};

backend/src/middleware/requireAuth.ts

@@ -7,9 +7,6 @@ import {
 	getAuthAPIKeyPayload,
 	getAuthSAAKPayload
 } from '../helpers/auth';
-import { 
-	UnauthorizedRequestError
-} from '../utils/errors';
 import {
 	IUser,
 	IServiceAccount,
@@ -45,7 +42,7 @@ const requireAuth = ({
 	acceptedAuthModes: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		
+
 		// validate auth token against accepted auth modes [acceptedAuthModes]
 		// and return token type [authTokenType] and value [authTokenValue]
 		const { authMode, authTokenValue } = validateAuthMode({
@@ -80,13 +77,13 @@ const requireAuth = ({
 				req.user = authPayload;
 				break;
 		}
-		
+
 		req.requestData = {
 			...req.params,
 			...req.query,
 			...req.body,
 		}
-		
+
 		req.authData = {
 			authMode,
 			authPayload, // User, ServiceAccount, ServiceTokenData
@@ -94,7 +91,7 @@ const requireAuth = ({
 			authIP: req.ip,
 			authUserAgent: req.headers['user-agent'] ?? 'other'
 		}
-		
+
 		return next();
 	}
 }

backend/src/middleware/requireBotAuth.ts

@@ -1,9 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { Bot } from '../models';
-import { validateMembership } from '../helpers/membership';
-import { validateClientForBot } from '../helpers/bot';
-import { AccountNotFoundError } from '../utils/errors';
+import { validateClientForBot } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 

backend/src/middleware/requireIntegrationAuth.ts

@@ -1,10 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { Integration, IntegrationAuth } from '../models';
-import { IntegrationService } from '../services';
-import { validateMembership } from '../helpers/membership';
-import { validateClientForIntegration } from '../helpers/integration';
-import { IntegrationNotFoundError, UnauthorizedRequestError } from '../utils/errors';
+import { validateClientForIntegration } from '../validation';
 
 /**
  * Validate if user on request is a member of workspace with proper roles associated

backend/src/middleware/requireIntegrationAuthorizationAuth.ts

@@ -1,10 +1,6 @@
 import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
-import { IntegrationAuth, IWorkspace } from '../models';
-import { IntegrationService } from '../services';
-import { validateClientForIntegrationAuth } from '../helpers/integrationAuth';
-import { validateMembership } from '../helpers/membership';
-import { UnauthorizedRequestError } from '../utils/errors';
+import { validateClientForIntegrationAuth } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 

backend/src/middleware/requireMembershipAuth.ts

@@ -1,13 +1,6 @@
 import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError } from '../utils/errors';
-import {
-    Membership,
-} from '../models';
-import {
-    validateClientForMembership,
-    validateMembership
-} from '../helpers/membership';
+import { validateClientForMembership } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 

backend/src/middleware/requireMembershipOrgAuth.ts

@@ -1,16 +1,6 @@
 import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError } from '../utils/errors';
-import {
-    MembershipOrg
-} from '../models';
-import { 
-    validateClientForMembershipOrg,
-    validateMembershipOrg
-} from '../helpers/membershipOrg';
-
-
-// TODO: transform
+import { validateClientForMembershipOrg } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 

backend/src/middleware/requireOrganizationAuth.ts

@@ -1,9 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { IOrganization, MembershipOrg } from '../models';
-import { UnauthorizedRequestError, ValidationError } from '../utils/errors';
-import { validateMembershipOrg } from '../helpers/membershipOrg';
-import { validateClientForOrganization } from '../helpers/organization';
+import { validateClientForOrganization } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 

backend/src/middleware/requireSecretAuth.ts

@@ -1,13 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { UnauthorizedRequestError, SecretNotFoundError } from '../utils/errors';
-import { Secret } from '../models';
-import {
-    validateMembership
-} from '../helpers/membership';
-import {
-    validateClientForSecret
-} from '../helpers/secrets';
+import { validateClientForSecret } from '../validation';
 
 // note: used for old /v1/secret and /v2/secret routes.
 // newer /v2/secrets routes use [requireSecretsAuth] middleware with the exception

backend/src/middleware/requireSecretsAuth.ts

@@ -1,8 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { UnauthorizedRequestError } from '../utils/errors';
-import { Secret, Membership } from '../models';
-import { validateClientForSecrets } from '../helpers/secrets';
+import { validateClientForSecrets } from '../validation';
 
 const requireSecretsAuth = ({
     acceptedRoles,

backend/src/middleware/requireServiceAccountAuth.ts

@@ -1,15 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { ServiceAccount } from '../models';
-import {
-    ServiceAccountNotFoundError
-} from '../utils/errors';
-import {
-    validateMembershipOrg
-} from '../helpers/membershipOrg';
-import {
-    validateClientForServiceAccount
-} from '../helpers/serviceAccount';
+import { validateClientForServiceAccount } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 

backend/src/middleware/requireServiceTokenDataAuth.ts

@@ -1,9 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { ServiceToken, ServiceTokenData } from '../models';
-import { validateClientForServiceTokenData } from '../helpers/serviceTokenData';
-import { validateMembership } from '../helpers/membership';
-import { AccountNotFoundError, UnauthorizedRequestError } from '../utils/errors';
+import { validateClientForServiceTokenData } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 

backend/src/middleware/requireWorkspaceAuth.ts

@@ -1,8 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { validateMembership } from '../helpers/membership';
-import { validateClientForWorkspace } from '../helpers/workspace';
-import { UnauthorizedRequestError } from '../utils/errors';
+import { validateClientForWorkspace } from '../validation';
 
 type req = 'params' | 'body' | 'query';
 
@@ -31,7 +29,7 @@ const requireWorkspaceAuth = ({
 		const environment = locationEnvironment ? req[locationEnvironment]?.environment : undefined;
 		
 		// validate clients
-		const { membership } = await validateClientForWorkspace({
+		const { membership, workspace } = await validateClientForWorkspace({
 			authData: req.authData,
 			workspaceId: new Types.ObjectId(workspaceId),
 			environment,
@@ -43,6 +41,10 @@ const requireWorkspaceAuth = ({
 		if (membership) {
 			req.membership = membership;
 		}
+		
+		if (workspace) {
+			req.workspace = workspace;
+		}
 
 		return next();
 	};

backend/src/models/backupPrivateKey.ts

@@ -1,4 +1,9 @@
 import { Schema, model, Types } from 'mongoose';
+import { 
+	ALGORITHM_AES_256_GCM,
+	ENCODING_SCHEME_UTF8,
+	ENCODING_SCHEME_BASE64
+} from '../variables';
 
 export interface IBackupPrivateKey {
 	_id: Types.ObjectId;
@@ -7,6 +12,8 @@ export interface IBackupPrivateKey {
 	iv: string;
 	tag: string;
 	salt: string;
+	algorithm: string;
+	keyEncoding: 'base64' | 'utf8';
 	verifier: string;
 }
 
@@ -32,6 +39,19 @@ const backupPrivateKeySchema = new Schema<IBackupPrivateKey>(
 			select: false,
 			required: true
 		},
+        algorithm: { // the encryption algorithm used
+            type: String,
+            enum: [ALGORITHM_AES_256_GCM],
+            required: true
+        },
+        keyEncoding: {
+            type: String,
+            enum: [
+                ENCODING_SCHEME_UTF8,
+                ENCODING_SCHEME_BASE64
+            ],
+			required: true
+        },
 		salt: {
 			type: String,
 			select: false,

backend/src/models/bot.ts

@@ -1,4 +1,10 @@
 import { Schema, model, Types } from 'mongoose';
+import { 
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8,
+    ENCODING_SCHEME_HEX,
+    ENCODING_SCHEME_BASE64
+} from '../variables';
 
 export interface IBot {
 	_id: Types.ObjectId;
@@ -9,6 +15,8 @@ export interface IBot {
     encryptedPrivateKey: string;
     iv: string;
     tag: string;
+    algorithm: 'aes-256-gcm';
+    keyEncoding: 'base64' | 'utf8';
 }
 
 const botSchema = new Schema<IBot>(
@@ -45,6 +53,21 @@ const botSchema = new Schema<IBot>(
             type: String,
             required: true,
             select: false
+        },
+        algorithm: { // the encryption algorithm used
+            type: String,
+            enum: [ALGORITHM_AES_256_GCM],
+            required: true,
+            select: false
+        },
+        keyEncoding: {
+            type: String,
+            enum: [
+                ENCODING_SCHEME_UTF8,
+                ENCODING_SCHEME_BASE64
+            ],
+            required: true,
+            select: false
         }
 	},
 	{

backend/src/models/folder.ts

@@ -1,36 +1,56 @@
-import { Schema, Types, model } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 
-const folderSchema = new Schema({
+export type TFolderRootSchema = {
+  _id: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  nodes: TFolderSchema;
+};
+
+export type TFolderSchema = {
+  id: string;
+  name: string;
+  version: number;
+  children: TFolderSchema[];
+};
+
+const folderSchema = new Schema<TFolderSchema>({
+  id: {
+    required: true,
+    type: String,
+  },
+  version: {
+    required: true,
+    type: Number,
+    default: 1,
+  },
   name: {
-    type: String,
     required: true,
-  },
-  workspace: {
-    type: Schema.Types.ObjectId,
-    ref: 'Workspace',
-    required: true,
-  },
-  environment: {
     type: String,
-    required: true,
+    default: "root",
   },
-  parent: {
-    type: Schema.Types.ObjectId,
-    ref: 'Folder',
-    required: false, // optional for root folders
-  },
-  path: {
-    type: String,
-    required: true
-  },
-  parentPath: {
-    type: String,
-    required: true,
-  },
-}, {
-  timestamps: true
 });
 
-const Folder = model('Folder', folderSchema);
+folderSchema.add({ children: [folderSchema] });
 
-export default Folder;
+const folderRootSchema = new Schema<TFolderRootSchema>(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    nodes: folderSchema,
+  },
+  {
+    timestamps: true,
+  }
+);
+
+const Folder = model<TFolderRootSchema>("Folder", folderRootSchema);
+
+export default Folder;

backend/src/models/index.ts

@@ -16,7 +16,7 @@ import ServiceAccountKey, { IServiceAccountKey } from './serviceAccountKey'; //
 import ServiceAccountOrganizationPermission, { IServiceAccountOrganizationPermission } from './serviceAccountOrganizationPermission'; // new
 import ServiceAccountWorkspacePermission, { IServiceAccountWorkspacePermission } from './serviceAccountWorkspacePermission'; // new
 import TokenData, { ITokenData } from './tokenData';
-import User, { IUser } from './user';
+import User,{ AuthProvider, IUser } from './user';
 import UserAction, { IUserAction } from './userAction';
 import Workspace, { IWorkspace } from './workspace';
 import ServiceTokenData, { IServiceTokenData } from './serviceTokenData';
@@ -24,6 +24,7 @@ import APIKeyData, { IAPIKeyData } from './apiKeyData';
 import LoginSRPDetail, { ILoginSRPDetail } from './loginSRPDetail';
 
 export {
+	AuthProvider,
 	BackupPrivateKey,
 	IBackupPrivateKey,
 	Bot,

backend/src/models/integration.ts

@@ -21,6 +21,7 @@ export interface IIntegration {
   workspace: Types.ObjectId;
   environment: string;
   isActive: boolean;
+  url: string;
   app: string;
   appId: string;
   owner: string;
@@ -63,6 +64,11 @@ const integrationSchema = new Schema<IIntegration>(
       type: Boolean,
       required: true,
     },
+    url: {
+      // for custom self-hosted integrations (e.g. self-hosted GitHub enterprise)
+      type: String,
+      default: null
+    },
     app: {
       // name of app in provider
       type: String,

backend/src/models/integrationAuth.ts

@@ -14,6 +14,9 @@ import {
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
   INTEGRATION_SUPABASE,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64
 } from "../variables";
 
 export interface IIntegrationAuth extends Document {
@@ -31,6 +34,8 @@ export interface IIntegrationAuth extends Document {
   accessCiphertext?: string;
   accessIV?: string;
   accessTag?: string;
+  algorithm?: 'aes-256-gcm';
+  keyEncoding?: 'utf8' | 'base64';
   accessExpiresAt?: Date;
 }
 
@@ -109,6 +114,19 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
       type: Date,
       select: false,
     },
+    algorithm: { // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true
+    },
+    keyEncoding: {
+        type: String,
+        enum: [
+            ENCODING_SCHEME_UTF8,
+            ENCODING_SCHEME_BASE64
+        ],
+        required: true
+    }
   },
   {
     timestamps: true,

backend/src/models/loginSRPDetail.ts

@@ -5,6 +5,7 @@ export interface ILoginSRPDetail {
 	clientPublicKey: string;
 	email: string;
 	serverBInt: mongoose.Schema.Types.Buffer;
+	userId: string;
 	expireAt: Date;
 }
 
@@ -16,7 +17,6 @@ const loginSRPDetailSchema = new Schema<ILoginSRPDetail>(
 		},
 		email: {
 			type: String,
-			required: true,
 			unique: true
 		},
 		serverBInt: { type: mongoose.Schema.Types.Buffer },

backend/src/models/secret.ts

@@ -1,136 +1,144 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 import {
-	SECRET_SHARED,
-	SECRET_PERSONAL,
-} from '../variables';
-import { ROOT_FOLDER_PATH } from '../utils/folder';
+  SECRET_SHARED,
+  SECRET_PERSONAL,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64,
+} from "../variables";
 
 export interface ISecret {
-	_id: Types.ObjectId;
-	version: number;
-	workspace: Types.ObjectId;
-	type: string;
-	user: Types.ObjectId;
-	environment: string;
-	secretBlindIndex?: string;
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretKeyHash: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-	secretValueHash: string;
-	secretCommentCiphertext?: string;
-	secretCommentIV?: string;
-	secretCommentTag?: string;
-	secretCommentHash?: string;
-	tags?: string[];
-	path?: string;
-	folder?: Types.ObjectId;
+  _id: Types.ObjectId;
+  version: number;
+  workspace: Types.ObjectId;
+  type: string;
+  user: Types.ObjectId;
+  environment: string;
+  secretBlindIndex?: string;
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretKeyHash: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  secretValueHash: string;
+  secretCommentCiphertext?: string;
+  secretCommentIV?: string;
+  secretCommentTag?: string;
+  secretCommentHash?: string;
+  algorithm: "aes-256-gcm";
+  keyEncoding: "utf8" | "base64";
+  tags?: string[];
+  folder?: string;
 }
 
 const secretSchema = new Schema<ISecret>(
-	{
-		version: {
-			type: Number,
-			required: true,
-			default: 1
-		},
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: 'Workspace',
-			required: true
-		},
-		type: {
-			type: String,
-			enum: [SECRET_SHARED, SECRET_PERSONAL],
-			required: true
-		},
-		user: {
-			// user associated with the personal secret
-			type: Schema.Types.ObjectId,
-			ref: 'User'
-		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
-		},
-		environment: {
-			type: String,
-			required: true
-		},
-		secretBlindIndex: {
-			type: String,
-			select: false
-		},
-		secretKeyCiphertext: {
-			type: String,
-			required: true
-		},
-		secretKeyIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretKeyTag: {
-			type: String, // symmetric
-			required: true
-		},
-		secretKeyHash: {
-			type: String
-		},
-		secretValueCiphertext: {
-			type: String,
-			required: true
-		},
-		secretValueIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueTag: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueHash: {
-			type: String
-		},
-		secretCommentCiphertext: {
-			type: String,
-			required: false
-		},
-		secretCommentIV: {
-			type: String, // symmetric
-			required: false
-		},
-		secretCommentTag: {
-			type: String, // symmetric
-			required: false
-		},
-		secretCommentHash: {
-			type: String,
-			required: false
-		},
-		// the full path to the secret in relation to folders
-		path: {
-			type: String,
-			required: false,
-			default: ROOT_FOLDER_PATH
-		},
-		folder: {
-			type: Schema.Types.ObjectId,
-			ref: 'Folder',
-			required: false,
-		},
-	},
-	{
-		timestamps: true
-	}
+  {
+    version: {
+      type: Number,
+      required: true,
+      default: 1,
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    type: {
+      type: String,
+      enum: [SECRET_SHARED, SECRET_PERSONAL],
+      required: true,
+    },
+    user: {
+      // user associated with the personal secret
+      type: Schema.Types.ObjectId,
+      ref: "User",
+    },
+    tags: {
+      ref: "Tag",
+      type: [Schema.Types.ObjectId],
+      default: [],
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    secretBlindIndex: {
+      type: String,
+      select: false,
+    },
+    secretKeyCiphertext: {
+      type: String,
+      required: true,
+    },
+    secretKeyIV: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretKeyTag: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretKeyHash: {
+      type: String,
+    },
+    secretValueCiphertext: {
+      type: String,
+      required: true,
+    },
+    secretValueIV: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretValueTag: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretValueHash: {
+      type: String,
+    },
+    secretCommentCiphertext: {
+      type: String,
+      required: false,
+    },
+    secretCommentIV: {
+      type: String, // symmetric
+      required: false,
+    },
+    secretCommentTag: {
+      type: String, // symmetric
+      required: false,
+    },
+    secretCommentHash: {
+      type: String,
+      required: false,
+    },
+    algorithm: {
+      // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true,
+      default: ALGORITHM_AES_256_GCM,
+    },
+    keyEncoding: {
+      type: String,
+      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+      required: true,
+      default: ENCODING_SCHEME_UTF8,
+    },
+    folder: {
+      type: String,
+      default: "root",
+    },
+  },
+  {
+    timestamps: true,
+  }
 );
 
+secretSchema.index({ tags: 1 }, { background: true });
 
-secretSchema.index({ tags: 1 }, { background: true })
-
-const Secret = model<ISecret>('Secret', secretSchema);
+const Secret = model<ISecret>("Secret", secretSchema);
 
 export default Secret;

backend/src/models/secretBlindIndexData.ts

@@ -1,4 +1,9 @@
 import { Schema, model, Types, Document } from 'mongoose';
+import { 
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8,
+    ENCODING_SCHEME_BASE64
+} from '../variables';
 
 export interface ISecretBlindIndexData extends Document {
     _id: Types.ObjectId;
@@ -6,6 +11,8 @@ export interface ISecretBlindIndexData extends Document {
     encryptedSaltCiphertext: string;
     saltIV: string;
     saltTag: string;
+    algorithm: 'aes-256-gcm';
+    keyEncoding: 'base64' | 'utf8'
 }
 
 const secretBlindIndexDataSchema = new Schema<ISecretBlindIndexData>(
@@ -15,7 +22,7 @@ const secretBlindIndexDataSchema = new Schema<ISecretBlindIndexData>(
             ref: 'Workspace',
             required: true
         },
-        encryptedSaltCiphertext: {
+        encryptedSaltCiphertext: { // TODO: make these select: false
             type: String,
             required: true
         },
@@ -26,7 +33,23 @@ const secretBlindIndexDataSchema = new Schema<ISecretBlindIndexData>(
         saltTag: {
             type: String,
             required: true
+        },
+        algorithm: {
+            type: String,
+            enum: [ALGORITHM_AES_256_GCM],
+            required: true,
+            select: false
+        },
+        keyEncoding: {
+            type: String,
+            enum: [
+                ENCODING_SCHEME_UTF8,
+                ENCODING_SCHEME_BASE64
+            ],
+            required: true,
+            select: false
         }
+
     }
 );
 

backend/src/models/user.ts

@@ -1,7 +1,13 @@
 import { Schema, model, Types, Document } from 'mongoose';
 
+export enum AuthProvider {
+	GOOGLE = 'google',
+}
+
 export interface IUser extends Document {
 	_id: Types.ObjectId;
+	authId?: string;
+	authProvider?: AuthProvider;
 	email: string;
 	firstName?: string;
 	lastName?: string;
@@ -26,9 +32,17 @@ export interface IUser extends Document {
 
 const userSchema = new Schema<IUser>(
 	{
+		authId: {
+			type: String,
+		},
+		authProvider: {
+			type: String,
+			enum: AuthProvider,
+		},
 		email: {
 			type: String,
-			required: true
+			required: true,
+			unique: true,
 		},
 		firstName: {
 			type: String

backend/src/routes/v1/auth.ts

@@ -1,6 +1,7 @@
 import express from 'express';
 const router = express.Router();
 import { body } from 'express-validator';
+import passport from 'passport';
 import { requireAuth, validateRequest } from '../../middleware';
 import { authController } from '../../controllers/v1';
 import { authLimiter } from '../../helpers/rateLimiter';
@@ -27,20 +28,37 @@ router.post( // deprecated (moved to api/v2/auth/login2)
 );
 
 router.post(
-  '/logout', 
+  '/logout',
   authLimiter,
   requireAuth({
     acceptedAuthModes: [AUTH_MODE_JWT]
-  }), 
+  }),
   authController.logout
 );
 
 router.post(
-  '/checkAuth', 
+  '/checkAuth',
   requireAuth({
     acceptedAuthModes: [AUTH_MODE_JWT]
-  }), 
+  }),
   authController.checkAuth
 );
 
+
+
+router.get(
+  '/redirect/google',
+  authLimiter,
+  passport.authenticate('google', {
+    scope: ['profile', 'email'],
+    session: false,
+  }),
+)
+
+router.get(
+  '/callback/google',
+  passport.authenticate('google', { failureRedirect: '/login/provider/error', session: false }),
+  authController.handleAuthProviderCallback,
+)
+
 export default router;

backend/src/routes/v1/index.ts

@@ -15,7 +15,7 @@ import password from './password';
 import stripe from './stripe';
 import integration from './integration';
 import integrationAuth from './integrationAuth';
-import secretsFolder from './secretsFolder'
+import secretsFolder from './secretsFolder';
 
 export {
 	signup,

backend/src/routes/v1/secretsFolder.ts

@@ -1,50 +1,70 @@
-import express, { Request, Response } from 'express';
+import express from "express";
 const router = express.Router();
 import {
   requireAuth,
   requireWorkspaceAuth,
-  validateRequest
-} from '../../middleware';
-import { body, param } from 'express-validator';
-import { createFolder, deleteFolder, getFolderById } from '../../controllers/v1/secretsFolderController';
-import { ADMIN, MEMBER } from '../../variables';
+  validateRequest,
+} from "../../middleware";
+import { body, param, query } from "express-validator";
+import {
+  createFolder,
+  deleteFolder,
+  getFolders,
+  updateFolderById,
+} from "../../controllers/v1/secretsFolderController";
+import { ADMIN, MEMBER } from "../../variables";
 
 router.post(
-  '/',
+  "/",
   requireAuth({
-    acceptedAuthModes: ['jwt']
+    acceptedAuthModes: ["jwt"],
   }),
   requireWorkspaceAuth({
     acceptedRoles: [ADMIN, MEMBER],
-    locationWorkspaceId: 'body'
+    locationWorkspaceId: "body",
   }),
-  body('workspaceId').exists(),
-  body('environment').exists(),
-  body('folderName').exists(),
-  body('parentFolderId'),
+  body("workspaceId").exists(),
+  body("environment").exists(),
+  body("folderName").exists(),
+  body("parentFolderId"),
   validateRequest,
   createFolder
 );
 
-router.delete(
-  '/:folderId',
+router.patch(
+  "/:folderId",
   requireAuth({
-    acceptedAuthModes: ['jwt']
+    acceptedAuthModes: ["jwt"],
   }),
-  param('folderId').exists(),
+  body("workspaceId").exists(),
+  body("environment").exists(),
+  param("folderId").not().isIn(["root"]).exists(),
+  validateRequest,
+  updateFolderById
+);
+
+router.delete(
+  "/:folderId",
+  requireAuth({
+    acceptedAuthModes: ["jwt"],
+  }),
+  body("workspaceId").exists(),
+  body("environment").exists(),
+  param("folderId").not().isIn(["root"]).exists(),
   validateRequest,
   deleteFolder
 );
 
 router.get(
-  '/:folderId',
+  "/",
   requireAuth({
-    acceptedAuthModes: ['jwt']
+    acceptedAuthModes: ["jwt"],
   }),
-  param('folderId').exists(),
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("parentFolderId").optional().isString().trim(),
   validateRequest,
-  getFolderById
+  getFolders
 );
 
-
-export default router;
+export default router;

backend/src/routes/v2/secrets.ts

@@ -2,204 +2,233 @@ import express from 'express';
 const router = express.Router();
 import { Types } from 'mongoose';
 import {
-    requireAuth,
-    requireWorkspaceAuth,
-    requireSecretsAuth,
-    validateRequest
+  requireAuth,
+  requireWorkspaceAuth,
+  requireSecretsAuth,
+  validateRequest,
 } from '../../middleware';
+import { validateClientForSecrets } from '../../validation';
 import { query, body } from 'express-validator';
 import { secretsController } from '../../controllers/v2';
-import { validateClientForSecrets } from '../../helpers/secrets';
 import {
-    ADMIN,
-    MEMBER,
-    SECRET_PERSONAL,
-    SECRET_SHARED,
-    PERMISSION_READ_SECRETS,
-    PERMISSION_WRITE_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_API_KEY
+  ADMIN,
+  MEMBER,
+  SECRET_PERSONAL,
+  SECRET_SHARED,
+  PERMISSION_READ_SECRETS,
+  PERMISSION_WRITE_SECRETS,
+  AUTH_MODE_JWT,
+  AUTH_MODE_SERVICE_ACCOUNT,
+  AUTH_MODE_SERVICE_TOKEN,
+  AUTH_MODE_API_KEY,
 } from '../../variables';
-import {
-    BatchSecretRequest
-} from '../../types/secret';
+import { BatchSecretRequest } from '../../types/secret';
 
 router.post(
-    '/batch',
-    requireAuth({
-        acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_API_KEY, AUTH_MODE_SERVICE_TOKEN]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body'
-    }),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('requests')
-        .exists()
-        .custom(async (requests: BatchSecretRequest[], { req }) => {
-            if (Array.isArray(requests)) {
-                const secretIds = requests
-                    .map((request) => request.secret._id)
-                    .filter((secretId) => secretId !== undefined)
+  '/batch',
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: 'body',
+  }),
+  body('workspaceId').exists().isString().trim(),
+  body('folderId').default('root').isString().trim(),
+  body('environment').exists().isString().trim(),
+  body('requests')
+    .exists()
+    .custom(async (requests: BatchSecretRequest[], { req }) => {
+      if (Array.isArray(requests)) {
+        const secretIds = requests
+          .map((request) => request.secret._id)
+          .filter((secretId) => secretId !== undefined);
 
-                if (secretIds.length > 0) {
-                    req.secrets = await validateClientForSecrets({
-                        authData: req.authData,
-                        secretIds: secretIds.map((secretId: string) => new Types.ObjectId(secretId)),
-                        requiredPermissions: []
-                    });
-                }
-            }
-            return true;
-        }),
-    validateRequest,
-    secretsController.batchSecrets
+        if (secretIds.length > 0) {
+          req.secrets = await validateClientForSecrets({
+            authData: req.authData,
+            secretIds: secretIds.map(
+              (secretId: string) => new Types.ObjectId(secretId)
+            ),
+            requiredPermissions: [],
+          });
+        }
+      }
+      return true;
+    }),
+  validateRequest,
+  secretsController.batchSecrets
 );
 
 router.post(
-    '/',
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('secrets')
-        .exists()
-        .custom((value) => {
-            if (Array.isArray(value)) {
-                // case: create multiple secrets
-                if (value.length === 0) throw new Error('secrets cannot be an empty array')
-                for (const secret of value) {
-                    if (
-                        !secret.type ||
-                        !(secret.type === SECRET_PERSONAL || secret.type === SECRET_SHARED) ||
-                        !secret.secretKeyCiphertext ||
-                        !secret.secretKeyIV ||
-                        !secret.secretKeyTag ||
-                        (typeof secret.secretValueCiphertext !== 'string') ||
-                        !secret.secretValueIV ||
-                        !secret.secretValueTag
-                    ) {
-                        throw new Error('secrets array must contain objects that have required secret properties');
-                    }
-                }
-            } else if (typeof value === 'object') {
-                // case: update 1 secret
-                if (
-                    !value.type ||
-                    !(value.type === SECRET_PERSONAL || value.type === SECRET_SHARED) ||
-                    !value.secretKeyCiphertext ||
-                    !value.secretKeyIV ||
-                    !value.secretKeyTag ||
-                    !value.secretValueCiphertext ||
-                    !value.secretValueIV ||
-                    !value.secretValueTag
-                ) {
-                    throw new Error('secrets object is missing required secret properties');
-                }
-            } else {
-                throw new Error('secrets must be an object or an array of objects')
-            }
+  '/',
+  body('workspaceId').exists().isString().trim(),
+  body('environment').exists().isString().trim(),
+  body('folderId').default('root').isString().trim(),
+  body('secrets')
+    .exists()
+    .custom((value) => {
+      if (Array.isArray(value)) {
+        // case: create multiple secrets
+        if (value.length === 0)
+          throw new Error('secrets cannot be an empty array');
+        for (const secret of value) {
+          if (
+            !secret.type ||
+            !(
+              secret.type === SECRET_PERSONAL || secret.type === SECRET_SHARED
+            ) ||
+            !secret.secretKeyCiphertext ||
+            !secret.secretKeyIV ||
+            !secret.secretKeyTag ||
+            typeof secret.secretValueCiphertext !== 'string' ||
+            !secret.secretValueIV ||
+            !secret.secretValueTag
+          ) {
+            throw new Error(
+              'secrets array must contain objects that have required secret properties'
+            );
+          }
+        }
+      } else if (typeof value === 'object') {
+        // case: update 1 secret
+        if (
+          !value.type ||
+          !(value.type === SECRET_PERSONAL || value.type === SECRET_SHARED) ||
+          !value.secretKeyCiphertext ||
+          !value.secretKeyIV ||
+          !value.secretKeyTag ||
+          !value.secretValueCiphertext ||
+          !value.secretValueIV ||
+          !value.secretValueTag
+        ) {
+          throw new Error(
+            'secrets object is missing required secret properties'
+          );
+        }
+      } else {
+        throw new Error('secrets must be an object or an array of objects');
+      }
 
-            return true;
-        }),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_API_KEY, AUTH_MODE_SERVICE_TOKEN]
+      return true;
     }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS]
-    }),
-    secretsController.createSecrets
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: 'body',
+    locationEnvironment: 'body',
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+  }),
+  secretsController.createSecrets
 );
 
 router.get(
-    '/',
-    query('workspaceId').exists().trim(),
-    query('environment').exists().trim(),
-    query('tagSlugs'),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_API_KEY, AUTH_MODE_SERVICE_TOKEN, AUTH_MODE_SERVICE_ACCOUNT]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'query',
-        locationEnvironment: 'query',
-        requiredPermissions: [PERMISSION_READ_SECRETS]
-    }),
-    secretsController.getSecrets
+  '/',
+  query('workspaceId').exists().trim(),
+  query('environment').exists().trim(),
+  query('tagSlugs'),
+  query('folderId').default('root').isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: 'query',
+    locationEnvironment: 'query',
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+  }),
+  secretsController.getSecrets
 );
 
 router.patch(
-    '/',
-    body('secrets')
-        .exists()
-        .custom((value) => {
-            if (Array.isArray(value)) {
-                // case: update multiple secrets
-                if (value.length === 0) throw new Error('secrets cannot be an empty array')
-                for (const secret of value) {
-                    if (
-                        !secret.id
-                    ) {
-                        throw new Error('Each secret must contain a ID property');
-                    }
-                }
-            } else if (typeof value === 'object') {
-                // case: update 1 secret
-                if (
-                    !value.id
-                ) {
-                    throw new Error('secret must contain a ID property');
-                }
-            } else {
-                throw new Error('secrets must be an object or an array of objects')
-            }
+  '/',
+  body('secrets')
+    .exists()
+    .custom((value) => {
+      if (Array.isArray(value)) {
+        // case: update multiple secrets
+        if (value.length === 0)
+          throw new Error('secrets cannot be an empty array');
+        for (const secret of value) {
+          if (!secret.id) {
+            throw new Error('Each secret must contain a ID property');
+          }
+        }
+      } else if (typeof value === 'object') {
+        // case: update 1 secret
+        if (!value.id) {
+          throw new Error('secret must contain a ID property');
+        }
+      } else {
+        throw new Error('secrets must be an object or an array of objects');
+      }
 
-            return true;
-        }),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_API_KEY, AUTH_MODE_SERVICE_TOKEN]
+      return true;
     }),
-    requireSecretsAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        requiredPermissions: [PERMISSION_WRITE_SECRETS]
-    }),
-    secretsController.updateSecrets
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+    ],
+  }),
+  requireSecretsAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+  }),
+  secretsController.updateSecrets
 );
 
 router.delete(
-    '/',
-    body('secretIds')
-        .exists()
-        .custom((value) => {
-            // case: delete 1 secret
-            if (typeof value === 'string') return true;
+  '/',
+  body('secretIds')
+    .exists()
+    .custom((value) => {
+      // case: delete 1 secret
+      if (typeof value === 'string') return true;
 
-            if (Array.isArray(value)) {
-                // case: delete multiple secrets
-                if (value.length === 0) throw new Error('secrets cannot be an empty array');
-                return value.every((id: string) => typeof id === 'string')
-            }
+      if (Array.isArray(value)) {
+        // case: delete multiple secrets
+        if (value.length === 0)
+          throw new Error('secrets cannot be an empty array');
+        return value.every((id: string) => typeof id === 'string');
+      }
 
-            throw new Error('secretIds must be a string or an array of strings');
-        })
-        .not()
-        .isEmpty(),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_API_KEY, AUTH_MODE_SERVICE_TOKEN]
-    }),
-    requireSecretsAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        requiredPermissions: [PERMISSION_WRITE_SECRETS]
-    }),
-    secretsController.deleteSecrets
+      throw new Error('secretIds must be a string or an array of strings');
+    })
+    .not()
+    .isEmpty(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+    ],
+  }),
+  requireSecretsAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+  }),
+  secretsController.deleteSecrets
 );
 
-export default router;
+export default router;

backend/src/routes/v3/auth.ts

@@ -0,0 +1,29 @@
+import express from 'express';
+import { body } from 'express-validator';
+import { validateRequest } from '../../middleware';
+import { authController } from '../../controllers/v3';
+import { authLimiter } from '../../helpers/rateLimiter';
+
+const router = express.Router();
+
+router.post(
+    '/login1',
+    authLimiter,
+    body('email').isString().trim(),
+    body('providerAuthToken').isString().trim().optional({nullable: true}),
+    body('clientPublicKey').isString().trim().notEmpty(),
+    validateRequest,
+    authController.login1
+);
+
+router.post(
+    '/login2',
+    authLimiter,
+    body('email').isString().trim(),
+    body('providerAuthToken').isString().trim().optional({nullable: true}),
+    body('clientProof').isString().trim().notEmpty(),
+    validateRequest,
+    authController.login2
+);
+
+export default router;

backend/src/routes/v3/index.ts

@@ -1,7 +1,11 @@
+import auth from './auth';
 import secrets from './secrets';
 import workspaces from './workspaces';
+import signup from './signup';
 
 export {
+    auth,
     secrets,
-    workspaces
-}
+    signup,
+    workspaces,
+}

backend/src/routes/v3/signup.ts

@@ -0,0 +1,29 @@
+import express from 'express';
+const router = express.Router();
+import { body } from 'express-validator';
+import { signupController } from '../../controllers/v3';
+import { authLimiter } from '../../helpers/rateLimiter';
+import { validateRequest } from '../../middleware';
+
+router.post(
+    '/complete-account/signup',
+    authLimiter,
+    body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('firstName').exists().isString().trim().notEmpty(),
+	body('lastName').exists().isString().trim().optional({nullable: true}),
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('publicKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(),
+	body('salt').exists().isString().trim().notEmpty(),
+	body('verifier').exists().isString().trim().notEmpty(),
+	body('organizationName').exists().isString().trim().notEmpty(),
+	body('providerAuthToken').isString().trim().optional({nullable: true}),
+    validateRequest,
+    signupController.completeAccountSignup,
+);
+
+export default router;

backend/src/services/FolderService.ts

@@ -0,0 +1,189 @@
+import { nanoid } from "nanoid";
+import { TFolderSchema } from "../models/folder";
+
+type TAppendFolderDTO = {
+  folderName: string;
+  parentFolderId?: string;
+};
+
+type TRenameFolderDTO = {
+  folderName: string;
+  folderId: string;
+};
+
+export const validateFolderName = (folderName: string) => {
+  const validNameRegex = /^[a-zA-Z0-9-_]+$/;
+  return validNameRegex.test(folderName);
+};
+
+export const generateFolderId = (): string => nanoid(12);
+
+// simple bfs search
+export const searchByFolderId = (
+  root: TFolderSchema,
+  folderId: string
+): TFolderSchema | undefined => {
+  const queue = [root];
+  while (queue.length) {
+    const folder = queue.pop() as TFolderSchema;
+    if (folder.id === folderId) {
+      return folder;
+    }
+    queue.push(...folder.children);
+  }
+};
+
+export const folderBfsTraversal = async (
+  root: TFolderSchema,
+  callback: (data: TFolderSchema) => void | Promise<void>
+) => {
+  const queue = [root];
+  while (queue.length) {
+    const folder = queue.pop() as TFolderSchema;
+    await callback(folder);
+    queue.push(...folder.children);
+  }
+};
+
+// bfs and then append to the folder
+const appendChild = (folders: TFolderSchema, folderName: string) => {
+  const folder = folders.children.find(({ name }) => name === folderName);
+  if (folder) {
+    throw new Error("Folder already exists");
+  }
+  const id = generateFolderId();
+  folders.version += 1;
+  folders.children.push({
+    id,
+    name: folderName,
+    children: [],
+    version: 1,
+  });
+  return { id, name: folderName };
+};
+
+// root of append child wrapper
+export const appendFolder = (
+  folders: TFolderSchema,
+  { folderName, parentFolderId }: TAppendFolderDTO
+) => {
+  const isRoot = !parentFolderId;
+
+  if (isRoot) {
+    return appendChild(folders, folderName);
+  }
+  const folder = searchByFolderId(folders, parentFolderId);
+  if (!folder) {
+    throw new Error("Parent Folder not found");
+  }
+  return appendChild(folder, folderName);
+};
+
+export const renameFolder = (
+  folders: TFolderSchema,
+  { folderName, folderId }: TRenameFolderDTO
+) => {
+  const folder = searchByFolderId(folders, folderId);
+  if (!folder) {
+    throw new Error("Folder doesn't exist");
+  }
+
+  folder.name = folderName;
+};
+
+// bfs but stops on parent folder
+// Then unmount the required child and then return both
+export const deleteFolderById = (folders: TFolderSchema, folderId: string) => {
+  const queue = [folders];
+  while (queue.length) {
+    const folder = queue.pop() as TFolderSchema;
+    const index = folder.children.findIndex(({ id }) => folderId === id);
+    if (index !== -1) {
+      const deletedFolder = folder.children.splice(index, 1);
+      return { deletedNode: deletedFolder[0], parent: folder };
+    }
+    queue.push(...folder.children);
+  }
+};
+
+// bfs but return parent of the folderID
+export const getParentFromFolderId = (
+  folders: TFolderSchema,
+  folderId: string
+) => {
+  const queue = [folders];
+  while (queue.length) {
+    const folder = queue.pop() as TFolderSchema;
+    const index = folder.children.findIndex(({ id }) => folderId === id);
+    if (index !== -1) return folder;
+
+    queue.push(...folder.children);
+  }
+};
+
+// to get all folders ids from everything from below nodes
+export const getAllFolderIds = (folders: TFolderSchema) => {
+  const folderIds: Array<{ id: string; name: string }> = [];
+  const queue = [folders];
+  while (queue.length) {
+    const folder = queue.pop() as TFolderSchema;
+    folderIds.push({ id: folder.id, name: folder.name });
+    queue.push(...folder.children);
+  }
+  return folderIds;
+};
+
+// To get the path of a folder from the root. Used for breadcrumbs
+// LOGIC: We do dfs instead if bfs
+// Each time we go down we record the current node
+// We then record the number of childs of each root node
+// When we reach leaf node or when all childs of a root node are visited
+// We remove it from path recorded by using the total child record
+export const searchByFolderIdWithDir = (
+  folders: TFolderSchema,
+  folderId: string
+) => {
+  const stack = [folders];
+  const dir: Array<{ id: string; name: string }> = [];
+  const hits: Record<string, number> = {};
+
+  while (stack.length) {
+    const folder = stack.shift() as TFolderSchema;
+    // score the hit
+    hits[folder.id] = folder.children.length;
+    const parent = dir[dir.length - 1];
+    if (parent) hits[parent.id] -= 1;
+
+    if (folder.id === folderId) {
+      dir.push({ name: folder.name, id: folder.id });
+      return { folder, dir };
+    }
+
+    if (folder.children.length) {
+      dir.push({ name: folder.name, id: folder.id });
+      stack.unshift(...folder.children);
+    } else {
+      if (!hits[parent.id]) {
+        dir.pop();
+      }
+    }
+  }
+  return;
+};
+
+// to get folder of a path given
+// Like /frontend/folder#1
+export const getFolderByPath = (folders: TFolderSchema, searchPath: string) => {
+  const path = searchPath.split("/").filter(Boolean);
+  const queue = [folders];
+  let segment: TFolderSchema | undefined;
+  while (queue.length && path.length) {
+    const folder = queue.pop();
+    const segmentPath = path.shift();
+    segment = folder?.children.find(({ name }) => name === segmentPath);
+    if (!segment) return;
+
+    queue.push(segment);
+  }
+  return segment;
+};