Update Chart.yaml

Make secret type field configurable

.env.example

@@ -1,24 +1,12 @@
 # Keys
 # Required key for platform encryption/decryption ops
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
 # JWT
 # Required secrets to sign JWT tokens
-JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
-JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
-JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
-JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_SERVICE_TOKEN_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
-
-# JWT lifetime
-# Optional lifetimes for JWT tokens expressed in seconds or a string 
-# describing a time span (e.g. 60, "2 days", "10h", "7d")
-JWT_AUTH_LIFETIME=
-JWT_REFRESH_LIFETIME=
-JWT_SIGNUP_LIFETIME=
-JWT_PROVIDER_AUTH_LIFETIME=
+# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
 
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@@ -68,5 +56,12 @@ SENTRY_DSN=
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=
 
-CLIENT_ID_GOOGLE=
-CLIENT_SECRET_GOOGLE=
+# SSO-specific variables
+CLIENT_ID_GOOGLE_LOGIN=
+CLIENT_SECRET_GOOGLE_LOGIN=
+
+CLIENT_ID_GITHUB_LOGIN=
+CLIENT_SECRET_GITHUB_LOGIN=
+
+CLIENT_ID_GITLAB_LOGIN=
+CLIENT_SECRET_GITLAB_LOGIN=

backend/package.json

@@ -6,11 +6,13 @@
     "@godaddy/terminus": "^4.12.0",
     "@node-saml/passport-saml": "^4.0.4",
     "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.49.0",
+    "@sentry/node": "^7.77.0",
     "@sentry/tracing": "^7.48.0",
+    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
     "@ucast/mongo2js": "^1.3.4",
+    "ajv": "^8.12.0",
     "argon2": "^0.30.3",
     "aws-sdk": "^2.1364.0",
     "axios": "^1.3.5",
@@ -19,7 +21,7 @@
     "bigint-conversion": "^2.4.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
-    "crypto-js": "^4.1.1",
+    "crypto-js": "^4.2.0",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
     "express-async-errors": "^3.1.1",
@@ -29,20 +31,25 @@
     "helmet": "^5.1.1",
     "infisical-node": "^1.2.1",
     "ioredis": "^5.3.2",
+    "jmespath": "^0.16.0",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
-    "mongodb": "^5.7.0",
     "mongoose": "^7.4.1",
+    "mysql2": "^3.6.2",
     "nanoid": "^3.3.6",
     "node-cache": "^5.1.2",
     "nodemailer": "^6.8.0",
+    "ora": "^5.4.1",
     "passport": "^0.6.0",
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",
+    "pg": "^8.11.3",
+    "pino": "^8.16.1",
+    "pino-http": "^8.5.1",
     "posthog-node": "^2.6.0",
     "probot": "^12.3.1",
     "query-string": "^7.1.3",
@@ -53,16 +60,19 @@
     "tweetnacl-util": "^0.15.1",
     "typescript": "^4.9.3",
     "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6",
     "zod": "^3.22.3"
   },
+  "overrides": {
+    "rate-limit-mongo": {
+      "mongodb": "5.8.0"
+    }
+  },
   "name": "infisical-api",
   "version": "1.0.0",
   "main": "src/index.js",
   "scripts": {
     "start": "node build/index.js",
-    "dev": "nodemon",
+    "dev": "nodemon index.js",
     "swagger-autogen": "node ./swagger/index.ts",
     "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
     "lint": "eslint . --ext .ts",
@@ -87,6 +97,8 @@
   "devDependencies": {
     "@jest/globals": "^29.3.1",
     "@posthog/plugin-scaffold": "^1.3.4",
+    "@swc/core": "^1.3.99",
+    "@swc/helpers": "^0.5.3",
     "@types/bcrypt": "^5.0.0",
     "@types/bcryptjs": "^2.4.2",
     "@types/bull": "^4.10.0",
@@ -94,12 +106,15 @@
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
     "@types/jest": "^29.5.0",
+    "@types/jmespath": "^0.15.1",
     "@types/jsonwebtoken": "^8.5.9",
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
     "@types/passport": "^1.0.12",
+    "@types/pg": "^8.10.7",
     "@types/picomatch": "^2.3.0",
+    "@types/pino": "^7.0.5",
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
@@ -113,6 +128,8 @@
     "jest-junit": "^15.0.0",
     "nodemon": "^2.0.19",
     "npm": "^8.19.3",
+    "pino-pretty": "^10.2.3",
+    "regenerator-runtime": "^0.14.0",
     "smee-client": "^1.2.3",
     "supertest": "^6.3.3",
     "swagger-autogen": "^2.23.5",

backend/src/bootstrap.ts

@@ -0,0 +1,43 @@
+import ora from "ora";
+import nodemailer from "nodemailer";
+import { getSmtpHost, getSmtpPort } from "./config";
+import { logger } from "./utils/logging";
+import mongoose from "mongoose";
+import { redisClient } from "./services/RedisService";
+
+type BootstrapOpt = {
+  transporter: nodemailer.Transporter;
+};
+
+export const bootstrap = async ({ transporter }: BootstrapOpt) => {
+  const spinner = ora().start();
+  spinner.info("Checking configurations...");
+  spinner.info("Testing smtp connection");
+
+  await transporter
+    .verify()
+    .then(async () => {
+      spinner.succeed("SMTP successfully connected");
+    })
+    .catch(async (err) => {
+      spinner.fail(`SMTP - Failed to connect to ${await getSmtpHost()}:${await getSmtpPort()}`);
+      logger.error(err);
+    });
+
+  spinner.info("Testing mongodb connection");
+  if (mongoose.connection.readyState !== mongoose.ConnectionStates.connected) {
+    spinner.fail("Mongo DB - Failed to connect");
+  } else {
+    spinner.succeed("Mongodb successfully connected");
+  }
+
+  spinner.info("Testing redis connection");
+  const redisPing = await redisClient?.ping();
+  if (!redisPing) {
+    spinner.fail("Redis - Failed to connect");
+  } else {
+    spinner.succeed("Redis successfully connected");
+  }
+
+  spinner.stop();
+};

backend/src/config/index.ts

@@ -3,104 +3,171 @@ import { GITLAB_URL } from "../variables";
 import InfisicalClient from "infisical-node";
 
 export const client = new InfisicalClient({
-  token: process.env.INFISICAL_TOKEN!,
+  token: process.env.INFISICAL_TOKEN!
 });
 
 export const getPort = async () => (await client.getSecret("PORT")).secretValue || 4000;
 export const getEncryptionKey = async () => {
   const secretValue = (await client.getSecret("ENCRYPTION_KEY")).secretValue;
   return secretValue === "" ? undefined : secretValue;
-}
+};
 export const getRootEncryptionKey = async () => {
   const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue;
   return secretValue === "" ? undefined : secretValue;
-}
-export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
-export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
-export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
-export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue;
-export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
-export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
-export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
-export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue;
-export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue;
-export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
-export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue;
-export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
-export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue;
-export const getJwtServiceTokenSecret = async () => (await client.getSecret("JWT_SERVICE_TOKEN_SECRET")).secretValue;
+};
+export const getInviteOnlySignup = async () =>
+  (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true";
+export const getSaltRounds = async () =>
+  parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
+export const getAuthSecret = async () =>
+  (await client.getSecret("JWT_AUTH_SECRET")).secretValue ??
+  (await client.getSecret("AUTH_SECRET")).secretValue;
+export const getJwtAuthLifetime = async () =>
+  (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
+export const getJwtMfaLifetime = async () =>
+  (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtRefreshLifetime = async () =>
+  (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
+export const getJwtServiceSecret = async () =>
+  (await client.getSecret("JWT_SERVICE_SECRET")).secretValue; // TODO: deprecate (related to ST V1)
+export const getJwtSignupLifetime = async () =>
+  (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
+export const getJwtProviderAuthLifetime = async () =>
+  (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
 export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
-export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";
-export const getVerboseErrorOutput = async () => (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
+export const getNodeEnv = async () =>
+  (await client.getSecret("NODE_ENV")).secretValue || "production";
+export const getVerboseErrorOutput = async () =>
+  (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
 export const getLokiHost = async () => (await client.getSecret("LOKI_HOST")).secretValue;
 export const getClientIdAzure = async () => (await client.getSecret("CLIENT_ID_AZURE")).secretValue;
-export const getClientIdHeroku = async () => (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
-export const getClientIdVercel = async () => (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
-export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
-export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
-export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
-export const getClientIdBitBucket = async () => (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
-export const getClientIdGCPSecretManager = async () => (await client.getSecret("CLIENT_ID_GCP_SECRET_MANAGER")).secretValue;
-export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
-export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
-export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
-export const getClientSecretNetlify = async () => (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
-export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
-export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
-export const getClientSecretBitBucket = async () => (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
-export const getClientSecretGCPSecretManager = async () => (await client.getSecret("CLIENT_SECRET_GCP_SECRET_MANAGER")).secretValue;
-export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
+export const getClientIdHeroku = async () =>
+  (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
+export const getClientIdVercel = async () =>
+  (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
+export const getClientIdNetlify = async () =>
+  (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
+export const getClientIdGitHub = async () =>
+  (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
+export const getClientIdGitLab = async () =>
+  (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
+export const getClientIdBitBucket = async () =>
+  (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
+export const getClientIdGCPSecretManager = async () =>
+  (await client.getSecret("CLIENT_ID_GCP_SECRET_MANAGER")).secretValue;
+export const getClientSecretAzure = async () =>
+  (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
+export const getClientSecretHeroku = async () =>
+  (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
+export const getClientSecretVercel = async () =>
+  (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
+export const getClientSecretNetlify = async () =>
+  (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
+export const getClientSecretGitHub = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
+export const getClientSecretGitLab = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
+export const getClientSecretBitBucket = async () =>
+  (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
+export const getClientSecretGCPSecretManager = async () =>
+  (await client.getSecret("CLIENT_SECRET_GCP_SECRET_MANAGER")).secretValue;
+export const getClientSlugVercel = async () =>
+  (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
 
-export const getClientIdGoogleLogin = async () => (await client.getSecret("CLIENT_ID_GOOGLE_LOGIN")).secretValue;
-export const getClientSecretGoogleLogin = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE_LOGIN")).secretValue;
-export const getClientIdGitHubLogin = async () => (await client.getSecret("CLIENT_ID_GITHUB_LOGIN")).secretValue;
-export const getClientSecretGitHubLogin = async () => (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
-export const getClientIdGitLabLogin = async () => (await client.getSecret("CLIENT_ID_GITLAB_LOGIN")).secretValue;
-export const getClientSecretGitLabLogin = async () => (await client.getSecret("CLIENT_SECRET_GITLAB_LOGIN")).secretValue;
-export const getUrlGitLabLogin = async () => (await client.getSecret("URL_GITLAB_LOGIN")).secretValue || GITLAB_URL;
+export const getClientIdGoogleLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GOOGLE_LOGIN")).secretValue;
+export const getClientSecretGoogleLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GOOGLE_LOGIN")).secretValue;
+export const getClientIdGitHubLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GITHUB_LOGIN")).secretValue;
+export const getClientSecretGitHubLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
+export const getClientIdGitLabLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GITLAB_LOGIN")).secretValue;
+export const getClientSecretGitLabLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITLAB_LOGIN")).secretValue;
+export const getUrlGitLabLogin = async () =>
+  (await client.getSecret("URL_GITLAB_LOGIN")).secretValue || GITLAB_URL;
 
-export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
-export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
+export const getAwsCloudWatchLog = async () => {
+  const logGroupName =
+    (await client.getSecret("AWS_CLOUDWATCH_LOG_GROUP_NAME")).secretValue || "infisical-log-stream";
+  const region = (await client.getSecret("AWS_CLOUDWATCH_LOG_REGION")).secretValue;
+  const accessKeyId = (await client.getSecret("AWS_CLOUDWATCH_LOG_ACCESS_KEY_ID")).secretValue;
+  const accessKeySecret = (await client.getSecret("AWS_CLOUDWATCH_LOG_ACCESS_KEY_SECRET"))
+    .secretValue;
+  const interval = parseInt(
+    (await client.getSecret("AWS_CLOUDWATCH_LOG_INTERVAL")).secretValue || 1000,
+    10
+  );
+  if (!region || !accessKeyId || !accessKeySecret) return;
+  return { logGroupName, region, accessKeySecret, accessKeyId, interval };
+};
+
+export const getPostHogHost = async () =>
+  (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
+export const getPostHogProjectApiKey = async () =>
+  (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue ||
+  "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
 export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
 export const getSiteURL = async () => (await client.getSecret("SITE_URL")).secretValue;
 export const getSmtpHost = async () => (await client.getSecret("SMTP_HOST")).secretValue;
-export const getSmtpSecure = async () => (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
-export const getSmtpPort = async () => parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
+export const getSmtpSecure = async () =>
+  (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
+export const getSmtpPort = async () =>
+  parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
 export const getSmtpUsername = async () => (await client.getSecret("SMTP_USERNAME")).secretValue;
 export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWORD")).secretValue;
-export const getSmtpFromAddress = async () => (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
-export const getSmtpFromName = async () => (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
+export const getSmtpFromAddress = async () =>
+  (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
+export const getSmtpFromName = async () =>
+  (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
 
-export const getSecretScanningWebhookProxy = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
-export const getSecretScanningWebhookSecret = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
-export const getSecretScanningGitAppId = async () => (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
-export const getSecretScanningPrivateKey = async () => (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;
+export const getSecretScanningWebhookProxy = async () =>
+  (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
+export const getSecretScanningWebhookSecret = async () =>
+  (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
+export const getSecretScanningGitAppId = async () =>
+  (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
+export const getSecretScanningPrivateKey = async () =>
+  (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;
 
 export const getRedisUrl = async () => (await client.getSecret("REDIS_URL")).secretValue;
+export const getIsInfisicalCloud = async () =>
+  (await client.getSecret("INFISICAL_CLOUD")).secretValue === "true";
 
 export const getLicenseKey = async () => {
   const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
   return secretValue === "" ? undefined : secretValue;
-}
+};
 export const getLicenseServerKey = async () => {
   const secretValue = (await client.getSecret("LICENSE_SERVER_KEY")).secretValue;
   return secretValue === "" ? undefined : secretValue;
-}
-export const getLicenseServerUrl = async () => (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";
+};
+export const getLicenseServerUrl = async () =>
+  (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";
 
-export const getTelemetryEnabled = async () => (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
+export const getTelemetryEnabled = async () =>
+  (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
 export const getLoopsApiKey = async () => (await client.getSecret("LOOPS_API_KEY")).secretValue;
-export const getSmtpConfigured = async () => (await client.getSecret("SMTP_HOST")).secretValue == "" || (await client.getSecret("SMTP_HOST")).secretValue == undefined ? false : true
+export const getSmtpConfigured = async () =>
+  (await client.getSecret("SMTP_HOST")).secretValue == "" ||
+  (await client.getSecret("SMTP_HOST")).secretValue == undefined
+    ? false
+    : true;
 export const getHttpsEnabled = async () => {
   if ((await getNodeEnv()) != "production") {
     // no https for anything other than prod
-    return false
+    return false;
   }
 
-  if ((await client.getSecret("HTTPS_ENABLED")).secretValue == undefined || (await client.getSecret("HTTPS_ENABLED")).secretValue == "") {
+  if (
+    (await client.getSecret("HTTPS_ENABLED")).secretValue == undefined ||
+    (await client.getSecret("HTTPS_ENABLED")).secretValue == ""
+  ) {
     // default when no value present
-    return true
+    return true;
   }
 
-  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true
-}
+  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true;
+};

backend/src/config/serverConfig.ts

@@ -0,0 +1,24 @@
+import { IServerConfig, ServerConfig } from "../models/serverConfig";
+
+let serverConfig: IServerConfig;
+
+export const serverConfigInit = async () => {
+  const cfg = await ServerConfig.findOne({});
+  if (!cfg) {
+    const cfg = new ServerConfig();
+    await cfg.save();
+    serverConfig = cfg;
+  } else {
+    serverConfig = cfg;
+  }
+  return serverConfig;
+};
+
+export const getServerConfig = () => serverConfig;
+
+export const updateServerConfig = async (data: Partial<IServerConfig>) => {
+  const cfg = await ServerConfig.findByIdAndUpdate(serverConfig._id, data, { new: true });
+  if (!cfg) throw new Error("Failed to update server config");
+  serverConfig = cfg;
+  return serverConfig;
+};

backend/src/controllers/v1/adminController.ts

@@ -0,0 +1,100 @@
+import { Request, Response } from "express";
+import { getHttpsEnabled } from "../../config";
+import { getServerConfig, updateServerConfig as setServerConfig } from "../../config/serverConfig";
+import { initializeDefaultOrg, issueAuthTokens } from "../../helpers";
+import { validateRequest } from "../../helpers/validation";
+import { User } from "../../models";
+import { TelemetryService } from "../../services";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
+import * as reqValidator from "../../validation/admin";
+
+export const getServerConfigInfo = (_req: Request, res: Response) => {
+  const config = getServerConfig();
+  return res.send({ config });
+};
+
+export const updateServerConfig = async (req: Request, res: Response) => {
+  const {
+    body: { allowSignUp }
+  } = await validateRequest(reqValidator.UpdateServerConfigV1, req);
+  const config = await setServerConfig({ allowSignUp });
+  return res.send({ config });
+};
+
+export const adminSignUp = async (req: Request, res: Response) => {
+  const cfg = getServerConfig();
+  if (cfg.initialized) throw UnauthorizedRequestError({ message: "Admin has been created" });
+  const {
+    body: {
+      email,
+      publicKey,
+      salt,
+      lastName,
+      verifier,
+      firstName,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      encryptedPrivateKey,
+      encryptedPrivateKeyIV,
+      encryptedPrivateKeyTag
+    }
+  } = await validateRequest(reqValidator.SignupV1, req);
+  let user = await User.findOne({ email });
+  if (user) throw BadRequestError({ message: "User already exist" });
+  user = new User({
+    email,
+    firstName,
+    lastName,
+    encryptionVersion: 2,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    iv: encryptedPrivateKeyIV,
+    tag: encryptedPrivateKeyTag,
+    salt,
+    verifier,
+    superAdmin: true
+  });
+  await user.save();
+  await initializeDefaultOrg({ organizationName: "Admin Org", user });
+
+  await setServerConfig({ initialized: true });
+
+  // issue tokens
+  const tokens = await issueAuthTokens({
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? ""
+  });
+
+  const token = tokens.token;
+
+  const postHogClient = await TelemetryService.getPostHogClient();
+  if (postHogClient) {
+    postHogClient.capture({
+      event: "admin initialization",
+      properties: {
+        email: user.email,
+        lastName,
+        firstName
+      }
+    });
+  }
+
+  // store (refresh) token in httpOnly cookie
+  res.cookie("jid", tokens.refreshToken, {
+    httpOnly: true,
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled()
+  });
+
+  return res.status(200).send({
+    message: "Successfully set up admin account",
+    user,
+    token
+  });
+};

backend/src/controllers/v1/authController.ts

@@ -6,25 +6,30 @@ const jsrp = require("jsrp");
 import { LoginSRPDetail, TokenVersion, User } from "../../models";
 import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
-import { ACTION_LOGIN, ACTION_LOGOUT } from "../../variables";
+import { AuthTokenType } from "../../variables";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
-import { EELogService } from "../../ee/services";
-import { getUserAgentType } from "../../utils/posthog";
 import {
+  getAuthSecret,
   getHttpsEnabled,
-  getJwtAuthLifetime,
-  getJwtAuthSecret,
-  getJwtRefreshSecret
+  getJwtAuthLifetime
 } from "../../config";
 import { ActorType } from "../../ee/models";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
 
 declare module "jsonwebtoken" {
+  export interface AuthnJwtPayload extends jwt.JwtPayload {
+    authTokenType: AuthTokenType;
+  }
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
     refreshVersion?: number;
   }
+  export interface ServiceRefreshTokenJwtPayload extends jwt.JwtPayload {
+    serviceTokenDataId: string;
+    authTokenType: string;
+    tokenVersion: number;
+  }
 }
 
 /**
@@ -134,19 +139,6 @@ export const login2 = async (req: Request, res: Response) => {
           secure: await getHttpsEnabled()
         });
 
-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.realIP
-          }));
-
         // return (access) token in response
         return res.status(200).send({
           token: tokens.token,
@@ -183,19 +175,6 @@ export const logout = async (req: Request, res: Response) => {
     secure: (await getHttpsEnabled()) as boolean
   });
 
-  const logoutAction = await EELogService.createAction({
-    name: ACTION_LOGOUT,
-    userId: req.user._id
-  });
-
-  logoutAction &&
-    (await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getUserAgentType(req.headers["user-agent"]),
-      ipAddress: req.realIP
-    }));
-
   return res.status(200).send({
     message: "Successfully logged out."
   });
@@ -238,6 +217,7 @@ export const checkAuth = async (req: Request, res: Response) => {
  * @returns
  */
 export const getNewToken = async (req: Request, res: Response) => {
+
   const refreshToken = req.cookies.jid;
 
   if (!refreshToken)
@@ -245,7 +225,9 @@ export const getNewToken = async (req: Request, res: Response) => {
       message: "Failed to find refresh token in request cookies"
     });
 
-  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getJwtRefreshSecret());
+  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getAuthSecret());
+  
+  if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN) throw UnauthorizedRequestError();
 
   const user = await User.findOne({
     _id: decodedToken.userId
@@ -268,12 +250,13 @@ export const getNewToken = async (req: Request, res: Response) => {
 
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.ACCESS_TOKEN,
       userId: decodedToken.userId,
       tokenVersionId: tokenVersion._id.toString(),
       accessVersion: tokenVersion.refreshVersion
     },
     expiresIn: await getJwtAuthLifetime(),
-    secret: await getJwtAuthSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v1/botController.ts

@@ -7,7 +7,7 @@ import * as reqValidator from "../../validation/bot";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { BadRequestError } from "../../utils/errors";
@@ -28,7 +28,11 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
   const {
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetBotByWorkspaceIdV1, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -70,7 +74,11 @@ export const setBotActiveState = async (req: Request, res: Response) => {
   }
   const userId = req.user._id;
 
-  const { permission } = await getUserProjectPermissions(userId, bot.workspace.toString());
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: bot.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Integrations

backend/src/controllers/v1/index.ts

@@ -16,6 +16,8 @@ import * as workspaceController from "./workspaceController";
 import * as secretScanningController from "./secretScanningController";
 import * as webhookController from "./webhookController";
 import * as secretImpsController from "./secretImpsController";
+import * as adminController from "./adminController";
+
 export {
   authController,
   botController,
@@ -34,5 +36,6 @@ export {
   workspaceController,
   secretScanningController,
   webhookController,
-  secretImpsController
+  secretImpsController,
+  adminController
 };

backend/src/controllers/v1/integrationAuthController.ts

@@ -10,6 +10,7 @@ import {
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
   INTEGRATION_BITBUCKET_API_URL,
+  INTEGRATION_CHECKLY_API_URL,
   INTEGRATION_GCP_SECRET_MANAGER,
   INTEGRATION_NORTHFLANK_API_URL,
   INTEGRATION_QOVERY_API_URL,
@@ -24,11 +25,10 @@ import * as reqValidator from "../../validation/integrationAuth";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { getIntegrationAuthAccessHelper } from "../../helpers";
-import { ObjectId } from "mongodb";
 
 /***
  * Return integration authorization with id [integrationAuthId]
@@ -40,15 +40,15 @@ export const getIntegrationAuth = async (req: Request, res: Response) => {
 
   const integrationAuth = await IntegrationAuth.findById(integrationAuthId);
 
-  if (!integrationAuth)
-    return res.status(400).send({
-      message: "Failed to find integration authorization"
-    });
+  if (!integrationAuth) return res.status(400).send({
+    message: "Failed to find integration authorization"
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -79,7 +79,11 @@ export const oAuthExchange = async (req: Request, res: Response) => {
   } = await validateRequest(reqValidator.OauthExchangeV1, req);
   if (!INTEGRATION_SET.has(integration)) throw new Error("Failed to validate integration");
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.Integrations
@@ -131,7 +135,11 @@ export const saveIntegrationToken = async (req: Request, res: Response) => {
     body: { workspaceId, integration, url, accessId, namespace, accessToken, refreshToken }
   } = await validateRequest(reqValidator.SaveIntegrationAccessTokenV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.Integrations
@@ -222,13 +230,14 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken, accessId } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -260,13 +269,14 @@ export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -296,13 +306,14 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -345,6 +356,60 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
   });
 };
 
+/**
+ * Return list of Checkly groups for a specific user
+ * @param req
+ * @param res
+ */
+export const getIntegrationAuthChecklyGroups = async (req: Request, res: Response) => {
+  const {
+    params: { integrationAuthId },
+    query: { accountId }
+  } = await validateRequest(reqValidator.GetIntegrationAuthChecklyGroupsV1, req);
+  
+  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.Integrations
+  );
+
+  interface ChecklyGroup {
+    id: number;
+    name: string;
+  }
+  
+  if (accountId && accountId !== "") {
+    const { data }: { data: ChecklyGroup[] } = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/check-groups`, {
+          headers: {
+              Authorization: `Bearer ${accessToken}`,
+              Accept: "application/json",
+              "X-Checkly-Account": accountId
+          }
+      })
+    );
+    
+    return res.status(200).send({
+      groups: data.map((g: ChecklyGroup) => ({
+        name: g.name,
+        groupId: g.id,
+      }))
+    });
+  }
+
+  return res.status(200).send({
+    groups: []
+  });
+}
+
 /**
  * Return list of Qovery Orgs for a specific user
  * @param req
@@ -357,13 +422,14 @@ export const getIntegrationAuthQoveryOrgs = async (req: Request, res: Response)
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -409,13 +475,14 @@ export const getIntegrationAuthQoveryProjects = async (req: Request, res: Respon
   
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -470,13 +537,14 @@ export const getIntegrationAuthQoveryEnvironments = async (req: Request, res: Re
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -531,13 +599,14 @@ export const getIntegrationAuthQoveryApps = async (req: Request, res: Response)
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -592,13 +661,14 @@ export const getIntegrationAuthQoveryContainers = async (req: Request, res: Resp
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -653,13 +723,14 @@ export const getIntegrationAuthQoveryJobs = async (req: Request, res: Response)
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -715,13 +786,14 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -808,13 +880,14 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -932,13 +1005,14 @@ export const getIntegrationAuthBitBucketWorkspaces = async (req: Request, res: R
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -988,13 +1062,14 @@ export const getIntegrationAuthNorthflankSecretGroups = async (req: Request, res
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -1076,13 +1151,14 @@ export const getIntegrationAuthTeamCityBuildConfigs = async (req: Request, res:
   
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -1145,13 +1221,14 @@ export const deleteIntegrationAuth = async (req: Request, res: Response) => {
 
   // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
   const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
   });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Integrations

backend/src/controllers/v1/integrationController.ts

@@ -13,7 +13,7 @@ import * as reqValidator from "../../validation/integration";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 
@@ -51,11 +51,12 @@ export const createIntegration = async (req: Request, res: Response) => {
     );
 
   if (!integrationAuth) throw BadRequestError({ message: "Integration auth not found" });
-
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace._id.toString()
-  );
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace._id
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.Integrations
@@ -164,10 +165,11 @@ export const updateIntegration = async (req: Request, res: Response) => {
   const integration = await Integration.findById(integrationId);
   if (!integration) throw BadRequestError({ message: "Integration not found" });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integration.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integration.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Integrations
@@ -234,10 +236,11 @@ export const deleteIntegration = async (req: Request, res: Response) => {
   const integration = await Integration.findById(integrationId);
   if (!integration) throw BadRequestError({ message: "Integration not found" });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integration.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integration.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Integrations
@@ -285,7 +288,11 @@ export const manualSync = async (req: Request, res: Response) => {
     body: { workspaceId, environment }
   } = await validateRequest(reqValidator.ManualSyncV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Integrations

backend/src/controllers/v1/keyController.ts

@@ -9,7 +9,7 @@ import * as reqValidator from "../../validation/key";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 
@@ -26,7 +26,11 @@ export const uploadKey = async (req: Request, res: Response) => {
     body: { key }
   } = await validateRequest(reqValidator.UploadKeyV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Member

backend/src/controllers/v1/membershipController.ts

@@ -12,7 +12,7 @@ import * as reqValidator from "../../validation/membership";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { BadRequestError } from "../../utils/errors";
@@ -63,11 +63,12 @@ export const deleteMembership = async (req: Request, res: Response) => {
   if (!membershipToDelete) {
     throw new Error("Failed to delete workspace membership that doesn't exist");
   }
-
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    membershipToDelete.workspace.toString()
-  );
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: membershipToDelete.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Member
@@ -118,10 +119,11 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
     throw new Error("Failed to find membership to change role");
   }
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    membershipToChangeRole.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: membershipToChangeRole.workspace
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Member
@@ -191,7 +193,12 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
     params: { workspaceId },
     body: { email }
   } = await validateRequest(InviteUserToWorkspaceV1, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.Member

backend/src/controllers/v1/membershipOrgController.ts

@@ -8,11 +8,11 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
 import { EELicenseService } from "../../ee/services";
-import { ACCEPTED, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
 import * as reqValidator from "../../validation/membershipOrg";
 import {
+  getAuthSecret,
   getJwtSignupLifetime,
-  getJwtSignupSecret,
   getSiteURL,
   getSmtpConfigured
 } from "../../config";
@@ -272,10 +272,11 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
   // generate temporary signup token
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
       userId: user._id.toString()
     },
     expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v1/passwordController.ts

@@ -5,12 +5,12 @@ import * as bigintConversion from "bigint-conversion";
 import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
 import { clearTokens, createToken, sendMail } from "../../helpers";
 import { TokenService } from "../../services";
-import { TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { AuthTokenType, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
 import { BadRequestError } from "../../utils/errors";
 import {
+  getAuthSecret,
   getHttpsEnabled,
   getJwtSignupLifetime,
-  getJwtSignupSecret,
   getSiteURL
 } from "../../config";
 import { ActorType } from "../../ee/models";
@@ -88,10 +88,11 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
   // generate temporary password-reset token
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
       userId: user._id.toString()
     },
     expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v1/secretImpsController.ts

@@ -1,4 +1,6 @@
+
 import { Request, Response } from "express";
+import { Types } from "mongoose";
 import { isValidScope } from "../../helpers";
 import { Folder, IServiceTokenData, SecretImport, ServiceTokenData } from "../../models";
 import { getAllImportedSecrets } from "../../services/SecretImportService";
@@ -15,14 +17,14 @@ import * as reqValidator from "../../validation/secretImports";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError, subject } from "@casl/ability";
 
 export const createSecretImp = async (req: Request, res: Response) => {
   /* 
     #swagger.summary = 'Create secret import'
-    #swagger.description = 'Create a new secret import for a specified workspace and environment'
+    #swagger.description = 'Create secret import'
 
     #swagger.requestBody = {
         content: {
@@ -32,36 +34,36 @@ export const createSecretImp = async (req: Request, res: Response) => {
                     "properties": {
                         "workspaceId": {
                             "type": "string",
-                            "description": "ID of the workspace where the secret import will be created",
+                            "description": "ID of workspace where to create secret import",
                             "example": "someWorkspaceId"
                         },
                         "environment": {
                             "type": "string",
-                            "description": "Environment to import to",
-                            "example": "production"
+                            "description": "Slug of environment where to create secret import",
+                            "example": "dev"
                         },
-                        "folderId": {
+                        "directory": {
                             "type": "string",
-                            "description": "Folder ID. Use root for the root folder.",
-                            "example": "my_folder"
+                            "description": "Path where to create secret import like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                         },
                         "secretImport": {
                             "type": "object",
                             "properties": {
                               "environment": {
                                 "type": "string",
-                                "description": "Import from environment",
+                                "description": "Slug of environment to import from",
                                 "example": "development"
                               },
                               "secretPath": {
                                 "type": "string",
-                                "description": "Import from secret path",
+                                "description": "Path where to import from like / or /foo/bar.",
                                 "example": "/user/oauth"
                               }
                             }
                         }
                     },
-                    "required": ["workspaceId", "environment", "folderName"]
+                    "required": ["workspaceId", "environment", "directory", "secretImport"]
                 }
             }
         }
@@ -105,7 +107,11 @@ export const createSecretImp = async (req: Request, res: Response) => {
       throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+    
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
@@ -206,12 +212,12 @@ export const createSecretImp = async (req: Request, res: Response) => {
  */
 export const updateSecretImport = async (req: Request, res: Response) => {
   /*
-    #swagger.summary = 'Update a secret import'
-    #swagger.description = 'Updates an existing secret import based on the provided ID and new import details'
+    #swagger.summary = 'Update secret import'
+    #swagger.description = 'Update secret import'
 
     #swagger.parameters['id'] = {
         in: 'path',
-        description: 'ID of the secret import to be updated',
+        description: 'ID of secret import to update',
         required: true,
         type: 'string',
         example: 'import12345'
@@ -225,19 +231,19 @@ export const updateSecretImport = async (req: Request, res: Response) => {
                     "properties": {
                         "secretImports": {
                             "type": "array",
-                            "description": "List of new secret imports",
+                            "description": "List of secret imports to update to",
                             "items": {
                                 "type": "object",
                                 "properties": {
                                     "environment": {
                                         "type": "string",
-                                        "description": "Environment of the secret import",
-                                        "example": "production"
+                                        "description": "Slug of environment to import from",
+                                        "example": "dev"
                                     },
                                     "secretPath": {
                                         "type": "string",
-                                        "description": "Path of the secret import",
-                                        "example": "/path/to/secret"
+                                        "description": "Path where to import secrets from like / or /foo/bar",
+                                        "example": "/foo/bar"
                                     }
                                 },
                                 "required": ["environment", "secretPath"]
@@ -313,10 +319,11 @@ export const updateSecretImport = async (req: Request, res: Response) => {
     }
   } else {
     // non token entry check
-    const { permission } = await getUserProjectPermissions(
-      req.user._id,
-      importSecDoc.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: importSecDoc.workspace
+    });
+    
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Secrets, {
@@ -364,7 +371,7 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
 
     #swagger.parameters['id'] = {
         in: 'path',
-        description: 'ID of the secret import',
+        description: 'ID of parent secret import document from which to delete secret import',
         required: true,
         type: 'string',
         example: '12345abcde'
@@ -378,12 +385,12 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
                     "properties": {
                         "secretImportEnv": {
                             "type": "string",
-                            "description": "Import from environment",
+                            "description": "Slug of environment of import to delete",
                             "example": "someWorkspaceId"
                         },
                         "secretImportPath": {
                             "type": "string",
-                            "description": "Import from secret path",
+                            "description": "Path like / or /foo/bar of import to delete",
                             "example": "production"
                         }
                     },
@@ -442,10 +449,11 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
       throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(
-      req.user._id,
-      importSecDoc.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: importSecDoc.workspace
+    });
+    
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       subject(ProjectPermissionSub.Secrets, {
@@ -489,12 +497,12 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
  */
 export const getSecretImports = async (req: Request, res: Response) => {
   /*
-    #swagger.summary = 'Retrieve secret imports'
-    #swagger.description = 'Fetches the secret imports based on the workspaceId, environment, and folderId'
+    #swagger.summary = 'Get secret imports'
+    #swagger.description = 'Get secret imports'
 
     #swagger.parameters['workspaceId'] = {
         in: 'query',
-        description: 'ID of the workspace of secret imports to get',
+        description: 'ID of workspace where to get secret imports from',
         required: true,
         type: 'string',
         example: 'workspace12345'
@@ -502,15 +510,15 @@ export const getSecretImports = async (req: Request, res: Response) => {
 
     #swagger.parameters['environment'] = {
         in: 'query',
-        description: 'Environment of secret imports to get',
+        description: 'Slug of environment where to get secret imports from',
         required: true,
         type: 'string',
         example: 'production'
     }
 
-    #swagger.parameters['folderId'] = {
+    #swagger.parameters['directory'] = {
         in: 'query',
-        description: 'ID of the folder containing the secret imports. Default: root',
+        description: 'Path where to get secret imports from like / or /foo/bar. Default is /',
         required: false,
         type: 'string',
         example: 'folder12345'
@@ -524,8 +532,7 @@ export const getSecretImports = async (req: Request, res: Response) => {
                     "type": "object",
                     "properties": {
                         "secretImport": {
-                            "type": "object",
-                            "description": "Details of a secret import"
+                          $ref: '#/definitions/SecretImport'
                         }
                     }
                 }
@@ -551,7 +558,11 @@ export const getSecretImports = async (req: Request, res: Response) => {
       throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Secrets, {
@@ -605,7 +616,11 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
       throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+    
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Secrets, {
@@ -658,10 +673,11 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
     permissionCheckFn = (env: string, secPath: string) =>
       isValidScope(req.authData.authPayload as IServiceTokenData, env, secPath);
   } else {
-    const { permission } = await getUserProjectPermissions(
-      req.user._id,
-      importSecDoc.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: importSecDoc.workspace
+    });
+    
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Secrets, {

backend/src/controllers/v1/secretsFolderController.ts

@@ -17,7 +17,7 @@ import {
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import * as reqValidator from "../../validation/folders";
@@ -27,11 +27,12 @@ const ERR_FOLDER_NOT_FOUND = BadRequestError({ message: "The folder doesn't exis
 // verify workspace id/environment
 export const createFolder = async (req: Request, res: Response) => {
   /* 
-    #swagger.summary = 'Create a folder'
-    #swagger.description = 'Create a new folder in a specified workspace and environment'
+    #swagger.summary = 'Create folder'
+    #swagger.description = 'Create folder'
     
     #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
     }]
 
     #swagger.requestBody = {
@@ -42,23 +43,23 @@ export const createFolder = async (req: Request, res: Response) => {
                     "properties": {
                         "workspaceId": {
                             "type": "string",
-                            "description": "ID of the workspace where the folder will be created",
+                            "description": "ID of the workspace where to create folder",
                             "example": "someWorkspaceId"
                         },
                         "environment": {
                             "type": "string",
-                            "description": "Environment where the folder will reside",
+                            "description": "Slug of environment where to create folder",
                             "example": "production"
                         },
                         "folderName": {
                             "type": "string",
-                            "description": "Name of the folder to be created",
+                            "description": "Name of folder to create",
                             "example": "my_folder"
                         },
-                        "parentFolderId": {
+                        "directory": {
                             "type": "string",
-                            "description": "ID of the parent folder under which this folder will be created. If not specified, it will be created at the root level.",
-                            "example": "someParentFolderId"
+                            "description": "Path where to create folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                         }
                     },
                     "required": ["workspaceId", "environment", "folderName"]
@@ -78,14 +79,21 @@ export const createFolder = async (req: Request, res: Response) => {
                             "properties": {
                                 "id": {
                                     "type": "string",
+                                    "description": "ID of folder",
                                     "example": "someFolderId"
                                 },
                                 "name": {
                                     "type": "string",
+                                    "description": "Name of folder",
                                     "example": "my_folder"
+                                },
+                                "version": {
+                                    "type": "number",
+                                    "description": "Version of folder",
+                                    "example": 1
                                 }
                             },
-                            "description": "Details of the created folder"
+                            "description": "Details of created folder"
                         }
                     }
                 }
@@ -117,7 +125,11 @@ export const createFolder = async (req: Request, res: Response) => {
     }
   } else {
     // user check
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
@@ -219,18 +231,18 @@ export const createFolder = async (req: Request, res: Response) => {
  */
 export const updateFolderById = async (req: Request, res: Response) => {
   /* 
-    #swagger.summary = 'Update a folder by ID'
-    #swagger.description = 'Update the name of a folder in a specified workspace and environment by its ID'
+    #swagger.summary = 'Update folder'
+    #swagger.description = 'Update folder'
     
     #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
     }]
 
-    #swagger.parameters['folderId'] = {
-        "description": "ID of the folder to be updated",
+    #swagger.parameters['folderName'] = {
+        "description": "Name of folder to update",
         "required": true,
-        "type": "string",
-        "in": "path"
+        "type": "string"
     }
 
     #swagger.requestBody = {
@@ -241,18 +253,23 @@ export const updateFolderById = async (req: Request, res: Response) => {
                     "properties": {
                         "workspaceId": {
                             "type": "string",
-                            "description": "ID of the workspace where the folder is located",
+                            "description": "ID of workspace where to update folder",
                             "example": "someWorkspaceId"
                         },
                         "environment": {
                             "type": "string",
-                            "description": "Environment where the folder is located",
+                            "description": "Slug of environment where to update folder",
                             "example": "production"
                         },
                         "name": {
                             "type": "string",
-                            "description": "New name for the folder",
+                            "description": "Name of folder to update to",
                             "example": "updated_folder_name"
+                        },
+                        "directory": {
+                            "type": "string",
+                            "description": "Path where to update folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                         }
                     },
                     "required": ["workspaceId", "environment", "name"]
@@ -269,6 +286,7 @@ export const updateFolderById = async (req: Request, res: Response) => {
                     "properties": {
                         "message": {
                             "type": "string",
+                            "description": "Success message",
                             "example": "Successfully updated folder"
                         },
                         "folder": {
@@ -276,11 +294,13 @@ export const updateFolderById = async (req: Request, res: Response) => {
                             "properties": {
                                 "name": {
                                     "type": "string",
+                                    "description": "Name of updated folder",
                                     "example": "updated_folder_name"
                                 },
                                 "id": {
                                     "type": "string",
-                                    "example": "someFolderId"
+                                    "description": "ID of created folder",
+                                    "example": "abc123"
                                 }
                             },
                             "description": "Details of the updated folder"
@@ -316,7 +336,11 @@ export const updateFolderById = async (req: Request, res: Response) => {
       throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+  
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
@@ -387,15 +411,16 @@ export const updateFolderById = async (req: Request, res: Response) => {
  */
 export const deleteFolder = async (req: Request, res: Response) => {
   /* 
-    #swagger.summary = 'Delete a folder by ID'
-    #swagger.description = 'Delete the specified folder from a specified workspace and environment using its ID'
+    #swagger.summary = 'Delete folder'
+    #swagger.description = 'Delete folder'
     
     #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
     }]
 
-    #swagger.parameters['folderId'] = {
-        "description": "ID of the folder to be deleted",
+    #swagger.parameters['folderName'] = {
+        "description": "Name of folder to delete",
         "required": true,
         "type": "string",
         "in": "path"
@@ -409,13 +434,18 @@ export const deleteFolder = async (req: Request, res: Response) => {
                     "properties": {
                         "workspaceId": {
                             "type": "string",
-                            "description": "ID of the workspace where the folder is located",
+                            "description": "ID of the workspace where to delete folder",
                             "example": "someWorkspaceId"
                         },
                         "environment": {
                             "type": "string",
-                            "description": "Environment where the folder is located",
+                            "description": "Slug of environment where to delete folder",
                             "example": "production"
+                        },
+                        "directory": {
+                            "type": "string",
+                            "description": "Path where to delete folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                         }
                     },
                     "required": ["workspaceId", "environment"]
@@ -432,6 +462,7 @@ export const deleteFolder = async (req: Request, res: Response) => {
                     "properties": {
                         "message": {
                             "type": "string",
+                            "description": "Success message",
                             "example": "successfully deleted folders"
                         },
                         "folders": {
@@ -441,15 +472,17 @@ export const deleteFolder = async (req: Request, res: Response) => {
                                 "properties": {
                                     "id": {
                                         "type": "string",
-                                        "example": "someFolderId"
+                                        "description": "ID of deleted folder",
+                                        "example": "abc123"
                                     },
                                     "name": {
                                         "type": "string",
+                                        "description": "Name of deleted folder",
                                         "example": "someFolderName"
                                     }
                                 }
                             },
-                            "description": "List of IDs and names of the deleted folders"
+                            "description": "List of IDs and names of deleted folders"
                         }
                     }
                 }
@@ -477,7 +510,11 @@ export const deleteFolder = async (req: Request, res: Response) => {
     }
   } else {
     // check that user is a member of the workspace
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
@@ -540,43 +577,37 @@ export const deleteFolder = async (req: Request, res: Response) => {
 
 /**
  * Get folders for workspace with id [workspaceId] and environment [environment]
- * considering [parentFolderId] and [parentFolderPath]
+ * considering directory/path [directory]
  * @param req
  * @param res
  * @returns
  */
 export const getFolders = async (req: Request, res: Response) => {
   /*
-    #swagger.summary = 'Retrieve folders based on specific conditions'
-    #swagger.description = 'Fetches folders from the specified workspace and environment, optionally providing either a parentFolderId or a parentFolderPath to narrow down results'
+    #swagger.summary = 'Get folders'
+    #swagger.description = 'Get folders'
     
     #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
     }]
 
     #swagger.parameters['workspaceId'] = {
-        "description": "ID of the workspace from which the folders are to be fetched",
+        "description": "ID of the workspace where to get folders from",
         "required": true,
         "type": "string",
         "in": "query"
     }
 
     #swagger.parameters['environment'] = {
-        "description": "Environment where the folder is located",
+        "description": "Slug of environment where to get folders from",
         "required": true,
         "type": "string",
         "in": "query"
     }
 
-    #swagger.parameters['parentFolderId'] = {
-        "description": "ID of the parent folder",
-        "required": false,
-        "type": "string",
-        "in": "query"
-    }
-
-    #swagger.parameters['parentFolderPath'] = {
-        "description": "Path of the parent folder, like /folder1/folder2",
+    #swagger.parameters['directory'] = {
+        "description": "Path where to get fodlers from like / or /foo/bar. Default is /",
         "required": false,
         "type": "string",
         "in": "query"
@@ -604,23 +635,6 @@ export const getFolders = async (req: Request, res: Response) => {
                                 }
                             },
                             "description": "List of folders"
-                        },
-                        "dir": {
-                            "type": "array",
-                            "items": {
-                                "type": "object",
-                                "properties": {
-                                    "name": {
-                                        "type": "string",
-                                        "example": "parentFolderName"
-                                    },
-                                    "id": {
-                                        "type": "string",
-                                        "example": "parentFolderId"
-                                    }
-                                }
-                            },
-                            "description": "List of directories"
                         }
                     }
                 }
@@ -647,7 +661,10 @@ export const getFolders = async (req: Request, res: Response) => {
     }
   } else {
     // check that user is a member of the workspace
-    await getUserProjectPermissions(req.user._id, workspaceId);
+    await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
   }
 
   const folders = await Folder.findOne({ workspace: workspaceId, environment });

backend/src/controllers/v1/signupController.ts

@@ -2,16 +2,15 @@ import { Request, Response } from "express";
 import { AuthMethod, User } from "../../models";
 import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
 import { createToken } from "../../helpers/auth";
-import { BadRequestError } from "../../utils/errors";
 import {
-  getInviteOnlySignup,
+  getAuthSecret,
   getJwtSignupLifetime,
-  getJwtSignupSecret,
   getSmtpConfigured
 } from "../../config";
 import { validateUserEmail } from "../../validation";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
+import { AuthTokenType } from "../../variables";
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -67,16 +66,6 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
     });
   }
 
-  if (await getInviteOnlySignup()) {
-    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
-    const userCount = await User.countDocuments({});
-    if (userCount != 0) {
-      throw BadRequestError({
-        message: "New user sign ups are not allowed at this time. You must be invited to sign up."
-      });
-    }
-  }
-
   // verify email
   if (await getSmtpConfigured()) {
     await checkEmailVerification({
@@ -95,10 +84,11 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
   // generate temporary signup token
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
       userId: user._id.toString()
     },
     expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v1/webhookController.ts

@@ -1,27 +1,36 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { client, getRootEncryptionKey } from "../../config";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
 import { Webhook } from "../../models";
 import { getWebhookPayload, triggerWebhookRequest } from "../../services/WebhookService";
 import { BadRequestError, ResourceNotFoundError } from "../../utils/errors";
 import { EEAuditLogService } from "../../ee/services";
 import { EventType } from "../../ee/models";
-import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_BASE64 } from "../../variables";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/webhooks";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
 
 export const createWebhook = async (req: Request, res: Response) => {
   const {
     body: { webhookUrl, webhookSecretKey, environment, workspaceId, secretPath }
   } = await validateRequest(reqValidator.CreateWebhookV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.Webhooks
@@ -31,17 +40,31 @@ export const createWebhook = async (req: Request, res: Response) => {
     workspace: workspaceId,
     environment,
     secretPath,
-    url: webhookUrl,
-    algorithm: ALGORITHM_AES_256_GCM,
-    keyEncoding: ENCODING_SCHEME_BASE64
+    url: webhookUrl
   });
 
   if (webhookSecretKey) {
+    const encryptionKey = await getEncryptionKey();
     const rootEncryptionKey = await getRootEncryptionKey();
-    const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
-    webhook.iv = iv;
-    webhook.tag = tag;
-    webhook.encryptedSecretKey = ciphertext;
+
+    if (rootEncryptionKey) {
+      const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
+      webhook.iv = iv;
+      webhook.tag = tag;
+      webhook.encryptedSecretKey = ciphertext;
+      webhook.algorithm = ALGORITHM_AES_256_GCM;
+      webhook.keyEncoding = ENCODING_SCHEME_BASE64;
+    } else if (encryptionKey) {
+      const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+        plaintext: webhookSecretKey,
+        key: encryptionKey
+      });
+      webhook.iv = iv;
+      webhook.tag = tag;
+      webhook.encryptedSecretKey = ciphertext;
+      webhook.algorithm = ALGORITHM_AES_256_GCM;
+      webhook.keyEncoding = ENCODING_SCHEME_UTF8;
+    }
   }
 
   await webhook.save();
@@ -79,11 +102,11 @@ export const updateWebhook = async (req: Request, res: Response) => {
   if (!webhook) {
     throw BadRequestError({ message: "Webhook not found!!" });
   }
-
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    webhook.workspace.toString()
-  );
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: webhook.workspace
+  });
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Webhooks
@@ -127,10 +150,11 @@ export const deleteWebhook = async (req: Request, res: Response) => {
     throw ResourceNotFoundError({ message: "Webhook not found!!" });
   }
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    webhook.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: webhook.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Webhooks
@@ -174,10 +198,11 @@ export const testWebhook = async (req: Request, res: Response) => {
     throw BadRequestError({ message: "Webhook not found!!" });
   }
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    webhook.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: webhook.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Webhooks
@@ -217,8 +242,12 @@ export const listWebhooks = async (req: Request, res: Response) => {
   const {
     query: { environment, workspaceId, secretPath }
   } = await validateRequest(reqValidator.ListWebhooksV1, req);
-
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Webhooks

backend/src/controllers/v1/workspaceController.ts

@@ -25,7 +25,7 @@ import * as reqValidator from "../../validation";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 
 /**
@@ -39,7 +39,11 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspacePublicKeysV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Member
@@ -72,7 +76,11 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceMembershipsV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Member
@@ -195,7 +203,11 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
     params: { workspaceId }
   } = await validateRequest(reqValidator.DeleteWorkspaceV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Workspace
@@ -223,7 +235,11 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
     body: { name }
   } = await validateRequest(reqValidator.ChangeWorkspaceNameV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Workspace
@@ -257,7 +273,12 @@ export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
   const {
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceIntegrationsV1, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -283,7 +304,11 @@ export const getWorkspaceIntegrationAuthorizations = async (req: Request, res: R
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceIntegrationAuthorizationsV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Integrations
@@ -309,7 +334,11 @@ export const getWorkspaceServiceTokens = async (req: Request, res: Response) =>
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceServiceTokensV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.ServiceTokens

backend/src/controllers/v2/authController.ts

@@ -8,11 +8,9 @@ import { createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
-import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
 
@@ -109,10 +107,11 @@ export const login2 = async (req: Request, res: Response) => {
           // generate temporary MFA token
           const token = createToken({
             payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
               userId: user._id.toString()
             },
             expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
           });
 
           const code = await TokenService.createToken({
@@ -189,19 +188,6 @@ export const login2 = async (req: Request, res: Response) => {
           response.protectedKeyTag = user.protectedKeyTag;
         }
 
-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.ip
-          }));
-
         return res.status(200).send(response);
       }
 
@@ -218,20 +204,16 @@ export const login2 = async (req: Request, res: Response) => {
  * @param res
  */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  const {
-    body: { email }
-  } = await validateRequest(reqValidator.SendMfaTokenV2, req);
-
   const code = await TokenService.createToken({
     type: TOKEN_EMAIL_MFA,
-    email
+    email: req.user.email
   });
 
   // send MFA code [code] to [email]
   await sendMail({
     template: "emailMfa.handlebars",
     subjectLine: "Infisical MFA code",
-    recipients: [email],
+    recipients: [req.user.email],
     substitutions: {
       code
     }
@@ -250,17 +232,17 @@ export const sendMfaToken = async (req: Request, res: Response) => {
  */
 export const verifyMfaToken = async (req: Request, res: Response) => {
   const {
-    body: { email, mfaToken }
+    body: { mfaToken }
   } = await validateRequest(reqValidator.VerifyMfaTokenV2, req);
 
   await TokenService.validateToken({
     type: TOKEN_EMAIL_MFA,
-    email,
+    email: req.user.email,
     token: mfaToken
   });
 
   const user = await User.findOne({
-    email
+    email: req.user.email
   }).select(
     "+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices"
   );
@@ -329,18 +311,5 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
     resObj.protectedKeyTag = user.protectedKeyTag;
   }
 
-  const loginAction = await EELogService.createAction({
-    name: ACTION_LOGIN,
-    userId: user._id
-  });
-
-  loginAction &&
-    (await EELogService.createLog({
-      userId: user._id,
-      actions: [loginAction],
-      channel: getUserAgentType(req.headers["user-agent"]),
-      ipAddress: req.realIP
-    }));
-
   return res.status(200).send(resObj);
 };

backend/src/controllers/v2/environmentController.ts

@@ -12,18 +12,15 @@ import {
 import { EventType, SecretVersion } from "../../ee/models";
 import { EEAuditLogService, EELicenseService } from "../../ee/services";
 import { BadRequestError, WorkspaceNotFoundError } from "../../utils/errors";
-import _ from "lodash";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/environments";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { SecretImport } from "../../models";
-import { ServiceAccountWorkspacePermission } from "../../models";
 import { Webhook } from "../../models";
 
 /**
@@ -39,29 +36,16 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
     #swagger.description = 'Create environment'
 
     #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
     }]
 
 	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
+		"description": "ID of workspace where to create environment",
 		"required": true,
-		"type": "string"
+		"type": "string",
+    "in": "path"
 	}
-
-  /*
-    #swagger.summary = 'Create environment'
-    #swagger.description = 'Create environment'
-
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	}
-
+  
   #swagger.requestBody = {
       content: {
           "application/json": {
@@ -70,12 +54,12 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
                   "properties": {
                       "environmentName": {
                           "type": "string",
-                          "description": "Name of the environment",
+                          "description": "Name of the environment to create",
                           "example": "development"
                       },
                       "environmentSlug": {
                           "type": "string",
-                          "description": "Slug of the environment",
+                          "description": "Slug of environment to create",
                           "example": "dev-environment"
                       }
                   },
@@ -86,45 +70,53 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
   }
 
   #swagger.responses[200] = {
-      content: {
-          "application/json": {
-              "schema": {
-                  "type": "object",
-                  "properties": {
-                      "message": {
-                          "type": "string",
-                          "example": "Successfully created new environment"
-                      },
-                      "workspace": {
-                          "type": "string",
-                          "example": "someWorkspaceId"
-                      },
-                      "environment": {
-                          "type": "object",
-                          "properties": {
-                              "name": {
-                                  "type": "string",
-                                  "example": "someEnvironmentName"
-                              },
-                              "slug": {
-                                  "type": "string",
-                                  "example": "someEnvironmentSlug"
-                              }
-                          }
-                      }
-                  },
-                  "description": "Response after creating a new environment"
-              }
-          }
-      }
-  }
+        content: {
+            "application/json": {
+                "schema": {
+                    "type": "object",
+                    "properties": {
+                        "message": {
+                            "type": "string",
+                            "description": "Sucess message",
+                            "example": "Successfully created environment"
+                        },
+                        "workspace": {
+                            "type": "string",
+                            "description": "ID of workspace where environment was created",
+                            "example": "abc123"
+                        },
+                        "environment": {
+                            "type": "object",
+                            "properties": {
+                                "name": {
+                                    "type": "string",
+                                    "description": "Name of created environment",
+                                    "example": "Staging"
+                                },
+                                "slug": {
+                                    "type": "string",
+                                    "description": "Slug of created environment",
+                                    "example": "staging"
+                                }
+                            }
+                        }
+                    },
+                    "description": "Details of the created environment"
+                }
+            }
+        }
+    }
   */
   const {
     params: { workspaceId },
     body: { environmentName, environmentSlug }
   } = await validateRequest(reqValidator.CreateWorkspaceEnvironmentV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.Environments
@@ -201,7 +193,11 @@ export const reorderWorkspaceEnvironments = async (req: Request, res: Response)
     body: { environmentName, environmentSlug, otherEnvironmentSlug, otherEnvironmentName }
   } = await validateRequest(reqValidator.ReorderWorkspaceEnvironmentsV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Environments
@@ -247,15 +243,19 @@ export const reorderWorkspaceEnvironments = async (req: Request, res: Response)
  */
 export const renameWorkspaceEnvironment = async (req: Request, res: Response) => {
   /*
-    #swagger.summary = 'Rename workspace environment'
-    #swagger.description = 'Rename a specific environment within a workspace'
+    #swagger.summary = 'Update environment'
+    #swagger.description = 'Update environment'
+
+    #swagger.security = [{
+        "apiKeyAuth": [],
+    }]
 
     #swagger.parameters['workspaceId'] = {
-    "description": "ID of the workspace",
-    "required": true,
-    "type": "string",
-        "in": "path"
-  }
+      "description": "ID of workspace where to update environment",
+      "required": true,
+      "type": "string",
+      "in": "path"
+    }
 
     #swagger.requestBody = {
         content: {
@@ -265,17 +265,17 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
                     "properties": {
                         "environmentName": {
                             "type": "string",
-                            "description": "New name for the environment",
+                            "description": "Name of environment to update to",
                             "example": "Staging-Renamed"
                         },
                         "environmentSlug": {
                             "type": "string",
-                            "description": "New slug for the environment",
+                            "description": "Slug of environment to update to",
                             "example": "staging-renamed"
                         },
                         "oldEnvironmentSlug": {
                             "type": "string",
-                            "description": "Current slug of the environment to rename",
+                            "description": "Current slug of environment",
                             "example": "staging-old"
                         }
                     },
@@ -293,21 +293,25 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
                     "properties": {
                         "message": {
                             "type": "string",
+                            "description": "Success message",
                             "example": "Successfully update environment"
                         },
                         "workspace": {
                             "type": "string",
-                            "example": "someWorkspaceId"
+                            "description": "ID of workspace where environment was updated",
+                            "example": "abc123"
                         },
                         "environment": {
                             "type": "object",
                             "properties": {
                                 "name": {
                                     "type": "string",
+                                    "description": "Name of updated environment",
                                     "example": "Staging-Renamed"
                                 },
                                 "slug": {
                                     "type": "string",
+                                    "description": "Slug of updated environment",
                                     "example": "staging-renamed"
                                 }
                             }
@@ -324,7 +328,11 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
     body: { environmentName, environmentSlug, oldEnvironmentSlug }
   } = await validateRequest(reqValidator.UpdateWorkspaceEnvironmentV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Environments
@@ -400,11 +408,6 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
     { arrayFilters: [{ "element.environment": oldEnvironmentSlug }] },
   );
 
-  await ServiceAccountWorkspacePermission.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
-  );
-
   await Webhook.updateMany(
     { workspace: workspaceId, environment: oldEnvironmentSlug },
     { environment: environmentSlug }
@@ -453,19 +456,19 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
  */
 export const deleteWorkspaceEnvironment = async (req: Request, res: Response) => {
   /*
-    #swagger.summary = 'Delete workspace environment'
-    #swagger.description = 'Delete a specific environment from a workspace'
+    #swagger.summary = 'Delete environment'
+    #swagger.description = 'Delete environment'
 
     #swagger.security = [{
         "apiKeyAuth": []
     }]
 
     #swagger.parameters['workspaceId'] = {
-		"description": "ID of the workspace",
-		"required": true,
-		"type": "string",
-        "in": "path"
-	}
+      "description": "ID of workspace where to delete environment",
+      "required": true,
+      "type": "string",
+      "in": "path"
+	  }
 
     #swagger.requestBody = {
         content: {
@@ -475,8 +478,8 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
                     "properties": {
                         "environmentSlug": {
                             "type": "string",
-                            "description": "Slug of the environment to delete",
-                            "example": "dev-environment"
+                            "description": "Slug of environment to delete",
+                            "example": "dev"
                         }
                     },
                     "required": ["environmentSlug"]
@@ -493,15 +496,18 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
                     "properties": {
                         "message": {
                             "type": "string",
+                            "description": "Success message",
                             "example": "Successfully deleted environment"
                         },
                         "workspace": {
                             "type": "string",
-                            "example": "someWorkspaceId"
+                            "description": "ID of workspace where environment was deleted",
+                            "example": "abc123"
                         },
                         "environment": {
                             "type": "string",
-                            "example": "dev-environment"
+                            "description": "Slug of deleted environment",
+                            "example": "dev"
                         }
                     },
                     "description": "Response after deleting an environment from a workspace"
@@ -515,7 +521,11 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
     body: { environmentSlug }
   } = await validateRequest(reqValidator.DeleteWorkspaceEnvironmentV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Environments
@@ -591,98 +601,4 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
     workspace: workspaceId,
     environment: environmentSlug
   });
-};
-
-// TODO(akhilmhdh) after rbac this can be completely removed
-export const getAllAccessibleEnvironmentsOfWorkspace = async (req: Request, res: Response) => {
-  /*
-    #swagger.summary = 'Get all accessible environments of a workspace'
-    #swagger.description = 'Fetch all environments that the user has access to in a specified workspace'
-
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.parameters['workspaceId'] = {
-		"description": "ID of the workspace",
-		"required": true,
-		"type": "string",
-        "in": "path"
-	}
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": {
-                    "type": "object",
-                    "properties": {
-                        "accessibleEnvironments": {
-                            "type": "array",
-                            "items": {
-                                "type": "object",
-                                "properties": {
-                                    "name": {
-                                        "type": "string",
-                                        "example": "Development"
-                                    },
-                                    "slug": {
-                                        "type": "string",
-                                        "example": "development"
-                                    },
-                                    "isWriteDenied": {
-                                        "type": "boolean",
-                                        "example": false
-                                    },
-                                    "isReadDenied": {
-                                        "type": "boolean",
-                                        "example": false
-                                    }
-                                }
-                            }
-                        }
-                    },
-                    "description": "List of environments the user has access to in the specified workspace"
-                }
-            }
-        }
-    }
-  */
-  const {
-    params: { workspaceId }
-  } = await validateRequest(reqValidator.GetAllAccessibileEnvironmentsOfWorkspaceV2, req);
-
-  const { membership: workspacesUserIsMemberOf } = await getUserProjectPermissions(
-    req.user._id,
-    workspaceId
-  );
-
-  const accessibleEnvironments: any = [];
-  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions;
-
-  const relatedWorkspace = await Workspace.findById(workspaceId);
-  if (!relatedWorkspace) {
-    throw BadRequestError();
-  }
-  relatedWorkspace.environments.forEach((environment) => {
-    const isReadBlocked = _.some(deniedPermission, {
-      environmentSlug: environment.slug,
-      ability: PERMISSION_READ_SECRETS
-    });
-    const isWriteBlocked = _.some(deniedPermission, {
-      environmentSlug: environment.slug,
-      ability: PERMISSION_WRITE_SECRETS
-    });
-    if (isReadBlocked && isWriteBlocked) {
-      return;
-    } else {
-      accessibleEnvironments.push({
-        name: environment.name,
-        slug: environment.slug,
-        isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
-      });
-    }
-  });
-
-  res.json({ accessibleEnvironments });
-};
+};

backend/src/controllers/v2/index.ts

@@ -6,20 +6,20 @@ import * as workspaceController from "./workspaceController";
 import * as serviceTokenDataController from "./serviceTokenDataController";
 import * as secretController from "./secretController";
 import * as secretsController from "./secretsController";
-import * as serviceAccountsController from "./serviceAccountsController";
 import * as environmentController from "./environmentController";
 import * as tagController from "./tagController";
+import * as membershipController from "./membershipController";
 
 export {
-    authController,
-    signupController,
-    usersController,
-    organizationsController,
-    workspaceController,
-    serviceTokenDataController,
-    secretController,
-    secretsController,
-    serviceAccountsController,
-    environmentController,
-    tagController,
-}
+  authController,
+  signupController,
+  usersController,
+  organizationsController,
+  workspaceController,
+  serviceTokenDataController,
+  secretController,
+  secretsController,
+  environmentController,
+  tagController,
+  membershipController
+};

backend/src/controllers/v2/membershipController.ts

@@ -0,0 +1,107 @@
+import { ForbiddenError } from "@casl/ability";
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+
+import { getSiteURL } from "../../config";
+import { EventType } from "../../ee/models";
+import { EEAuditLogService } from "../../ee/services";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getAuthDataProjectPermissions
+} from "../../ee/services/ProjectRoleService";
+import { sendMail } from "../../helpers";
+import { validateRequest } from "../../helpers/validation";
+import { IUser, Key, Membership, MembershipOrg, Workspace } from "../../models";
+import { BadRequestError } from "../../utils/errors";
+import * as reqValidator from "../../validation/membership";
+import { ACCEPTED, MEMBER } from "../../variables";
+
+export const addUserToWorkspace = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId },
+    body: { members }
+  } = await validateRequest(reqValidator.AddUserToWorkspaceV2, req);
+  // check workspace
+  const workspace = await Workspace.findById(workspaceId);
+  if (!workspace) throw new Error("Failed to find workspace");
+
+  // check permission
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.Member
+  );
+
+  // validate members are part of the organization
+  const orgMembers = await MembershipOrg.find({
+    status: ACCEPTED,
+    _id: { $in: members.map(({ orgMembershipId }) => orgMembershipId) },
+    organization: workspace.organization
+  })
+    .populate<{ user: IUser }>("user")
+    .select({ _id: 1, user: 1 })
+    .lean();
+  if (orgMembers.length !== members.length)
+    throw BadRequestError({ message: "Org member not found" });
+
+  const existingMember = await Membership.find({
+    workspace: workspaceId,
+    user: { $in: orgMembers.map(({ user }) => user) }
+  });
+  if (existingMember?.length)
+    throw BadRequestError({ message: "Some users are already part of workspace" });
+
+  await Membership.insertMany(
+    orgMembers.map(({ user }) => ({ user: user._id, workspace: workspaceId, role: MEMBER }))
+  );
+
+  const encKeyGroupedByOrgMemberId = members.reduce<Record<string, (typeof members)[number]>>(
+    (prev, curr) => ({ ...prev, [curr.orgMembershipId]: curr }),
+    {}
+  );
+  await Key.insertMany(
+    orgMembers.map(({ user, _id: id }) => ({
+      encryptedKey: encKeyGroupedByOrgMemberId[id.toString()].workspaceEncryptedKey,
+      nonce: encKeyGroupedByOrgMemberId[id.toString()].workspaceEncryptedNonce,
+      sender: req.user._id,
+      receiver: user._id,
+      workspace: workspaceId
+    }))
+  );
+
+  await sendMail({
+    template: "workspaceInvitation.handlebars",
+    subjectLine: "Infisical workspace invitation",
+    recipients: orgMembers.map(({ user }) => user.email),
+    substitutions: {
+      inviterFirstName: req.user.firstName,
+      inviterEmail: req.user.email,
+      workspaceName: workspace.name,
+      callback_url: (await getSiteURL()) + "/login"
+    }
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.ADD_BATCH_WORKSPACE_MEMBER,
+      metadata: orgMembers.map(({ user }) => ({
+        userId: user._id.toString(),
+        email: user.email
+      }))
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
+  return res.status(200).send({
+    success: true,
+    data: orgMembers
+  });
+};

backend/src/controllers/v2/organizationsController.ts

@@ -1,25 +1,16 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { 
-  Membership, 
-  MembershipOrg, 
-  ServiceAccount, 
-  Workspace 
-} from "../../models";
+import { Membership, MembershipOrg, Workspace } from "../../models";
 import { Role } from "../../ee/models";
 import { deleteMembershipOrg } from "../../helpers/membershipOrg";
-import { 
+import {
   createOrganization as create,
   deleteOrganization,
   updateSubscriptionOrgQuantity
 } from "../../helpers/organization";
 import { addMembershipsOrg } from "../../helpers/membershipOrg";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
-import {
-  ACCEPTED,
-  ADMIN,
-  CUSTOM 
-} from "../../variables";
+import { ACCEPTED, ADMIN, CUSTOM } from "../../variables";
 import * as reqValidator from "../../validation/organization";
 import { validateRequest } from "../../helpers/validation";
 import {
@@ -156,7 +147,7 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
     OrgPermissionSubjects.Member
   );
 
-  const isCustomRole = !["admin", "member", "owner"].includes(role);
+  const isCustomRole = !["admin", "member"].includes(role);
   if (isCustomRole) {
     const orgRole = await Role.findOne({ slug: role, isOrgRole: true });
     if (!orgRole) throw BadRequestError({ message: "Role not found" });
@@ -330,23 +321,6 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
   });
 };
 
-/**
- * Return service accounts for organization with id [organizationId]
- * @param req
- * @param res
- */
-export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
-  const { organizationId } = req.params;
-
-  const serviceAccounts = await ServiceAccount.find({
-    organization: new Types.ObjectId(organizationId)
-  });
-
-  return res.status(200).send({
-    serviceAccounts
-  });
-};
-
 /**
  * Create new organization named [organizationName]
  * and add user as owner
@@ -354,7 +328,7 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
  * @param res
  * @returns
  */
- export const createOrganization = async (req: Request, res: Response) => {
+export const createOrganization = async (req: Request, res: Response) => {
   const {
     body: { name }
   } = await validateRequest(reqValidator.CreateOrgv2, req);
@@ -379,27 +353,27 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
 
 /**
  * Delete organization with id [organizationId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
 export const deleteOrganizationById = async (req: Request, res: Response) => {
   const {
     params: { organizationId }
   } = await validateRequest(reqValidator.DeleteOrgv2, req);
-  
+
   const membershipOrg = await MembershipOrg.findOne({
     user: req.user._id,
     organization: new Types.ObjectId(organizationId),
     role: ADMIN
   });
-  
+
   if (!membershipOrg) throw UnauthorizedRequestError();
-  
+
   const organization = await deleteOrganization({
     organizationId: new Types.ObjectId(organizationId)
   });
-  
+
   return res.status(200).send({
     organization
   });
-}
+};

backend/src/controllers/v2/secretController.ts

@@ -11,7 +11,6 @@ import {
   ValidationError as RouteValidationError,
   UnauthorizedRequestError
 } from "../../utils/errors";
-import { AnyBulkWriteOperation } from "mongodb";
 import {
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
@@ -19,7 +18,7 @@ import {
   SECRET_SHARED
 } from "../../variables";
 import { TelemetryService } from "../../services";
-import { ISecret, Secret, User } from "../../models";
+import { Secret, User } from "../../models";
 import { AccountNotFoundError } from "../../utils/errors";
 
 /**
@@ -145,22 +144,22 @@ export const deleteSecrets = async (req: Request, res: Response) => {
   const secretsUserCanDeleteSet: Set<string> = new Set(
     secretIdsUserCanDelete.map((objectId) => objectId._id.toString())
   );
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = [];
 
-  let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach((secretIdToDelete) => {
-    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = {
-        deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
-      };
-      deleteOperationsToPerform.push(deleteOperation);
-      numSecretsDeleted++;
-    } else {
-      throw RouteValidationError({
-        message: "You cannot delete secrets that you do not have access to"
-      });
-    }
-  });
+  // Filter out IDs that user can delete and then map them to delete operations
+  const deleteOperationsToPerform = secretIdsToDelete
+    .filter(secretIdToDelete => {
+      if (!secretsUserCanDeleteSet.has(secretIdToDelete)) {
+        throw RouteValidationError({
+          message: "You cannot delete secrets that you do not have access to"
+        });
+      }
+      return true;
+    })
+    .map(secretIdToDelete => ({
+      deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
+    }));
+
+  const numSecretsDeleted = deleteOperationsToPerform.length;
 
   await Secret.bulkWrite(deleteOperationsToPerform);
 

backend/src/controllers/v2/secretsController.ts

@@ -1,12 +1,8 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { Folder, ISecret, Secret, ServiceTokenData, Tag } from "../../models";
-import { AuditLog, EventType, IAction, SecretVersion } from "../../ee/models";
+import { AuditLog, EventType, SecretVersion } from "../../ee/models";
 import {
-  ACTION_ADD_SECRETS,
-  ACTION_DELETE_SECRETS,
-  ACTION_READ_SECRETS,
-  ACTION_UPDATE_SECRETS,
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
   K8_USER_AGENT_NAME,
@@ -15,7 +11,7 @@ import {
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { EventService } from "../../services";
 import { eventPushSecrets } from "../../events";
-import { EEAuditLogService, EELogService, EESecretService } from "../../ee/services";
+import { EEAuditLogService, EESecretService } from "../../ee/services";
 import { SecretService, TelemetryService } from "../../services";
 import { getUserAgentType } from "../../utils/posthog";
 import { PERMISSION_WRITE_SECRETS } from "../../variables";
@@ -43,7 +39,7 @@ import {
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError, subject } from "@casl/ability";
 
@@ -82,7 +78,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
   const createSecrets: any[] = [];
   const updateSecrets: any[] = [];
   const deleteSecrets: { _id: Types.ObjectId; secretName: string }[] = [];
-  const actions: IAction[] = [];
 
   // get secret blind index salt
   const salt = await SecretService.getSecretBlindIndexSalt({
@@ -164,7 +159,11 @@ export const batchSecrets = async (req: Request, res: Response) => {
   }
   // not using service token  using auth
   if (!(req.authData.authPayload instanceof ServiceTokenData)) {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     if (createSecrets.length)
       ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Create,
@@ -224,16 +223,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
     await AuditLog.insertMany(auditLogs);
 
-    const addAction = (await EELogService.createAction({
-      name: ACTION_ADD_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: createdSecrets.map((n) => n._id)
-    })) as IAction;
-    actions.push(addAction);
-
     if (postHogClient) {
       postHogClient.capture({
         event: "secrets added",
@@ -350,14 +339,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
     await AuditLog.insertMany(auditLogs);
 
-    const updateAction = (await EELogService.createAction({
-      name: ACTION_UPDATE_SECRETS,
-      userId: req.user._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: updatedSecrets.map((u) => u._id)
-    })) as IAction;
-    actions.push(updateAction);
-
     if (postHogClient) {
       postHogClient.capture({
         event: "secrets modified",
@@ -428,14 +409,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
     await AuditLog.insertMany(auditLogs);
 
-    const deleteAction = (await EELogService.createAction({
-      name: ACTION_DELETE_SECRETS,
-      userId: req.user._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: deleteSecretIds
-    })) as IAction;
-    actions.push(deleteAction);
-
     if (postHogClient) {
       postHogClient.capture({
         event: "secrets deleted",
@@ -451,17 +424,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
     }
   }
 
-  if (actions.length > 0) {
-    // (EE) create (audit) log
-    await EELogService.createLog({
-      userId: req.user._id.toString(),
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions,
-      channel,
-      ipAddress: req.realIP
-    });
-  }
-
   // // trigger event - push secrets
   await EventService.handleEvent({
     event: eventPushSecrets({
@@ -731,27 +693,6 @@ export const createSecrets = async (req: Request, res: Response) => {
     )
   });
 
-  const addAction = await EELogService.createAction({
-    name: ACTION_ADD_SECRETS,
-    userId: req.user?._id,
-    serviceAccountId: req.serviceAccount?._id,
-    serviceTokenDataId: req.serviceTokenData?._id,
-    workspaceId: new Types.ObjectId(workspaceId),
-    secretIds: newlyCreatedSecrets.map((n) => n._id)
-  });
-
-  // (EE) create (audit) log
-  addAction &&
-    (await EELogService.createLog({
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions: [addAction],
-      channel,
-      ipAddress: req.realIP
-    }));
-
   // (EE) take a secret snapshot
   await EESecretService.takeSecretSnapshot({
     workspaceId: new Types.ObjectId(workspaceId),
@@ -960,22 +901,6 @@ export const getSecrets = async (req: Request, res: Response) => {
     secrets = await Secret.find(secretQuery).populate("tags");
   }
 
-  // case: client authorization is via service account
-  if (req.serviceAccount) {
-    const secretQuery: any = {
-      workspace: workspaceId,
-      environment,
-      folder: folderId,
-      user: { $exists: false } // shared secrets only from workspace
-    };
-
-    if (tagIds.length > 0) {
-      secretQuery.tags = { $in: tagIds };
-    }
-
-    secrets = await Secret.find(secretQuery).populate("tags");
-  }
-
   // TODO(akhilmhdh) - secret-imp change this to org type
   let importedSecrets: any[] = [];
   if (include_imports) {
@@ -988,28 +913,6 @@ export const getSecrets = async (req: Request, res: Response) => {
     );
   }
 
-  const channel = getUserAgentType(req.headers["user-agent"]);
-
-  const readAction = await EELogService.createAction({
-    name: ACTION_READ_SECRETS,
-    userId: req.user?._id,
-    serviceAccountId: req.serviceAccount?._id,
-    serviceTokenDataId: req.serviceTokenData?._id,
-    workspaceId: new Types.ObjectId(workspaceId as string),
-    secretIds: secrets.map((n: any) => n._id)
-  });
-
-  readAction &&
-    (await EELogService.createLog({
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId as string),
-      actions: [readAction],
-      channel,
-      ipAddress: req.realIP
-    }));
-
   await EEAuditLogService.createAuditLog(
     req.authData,
     {
@@ -1247,27 +1150,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
     //   });
     // }, 10000);
 
-    const updateAction = await EELogService.createAction({
-      name: ACTION_UPDATE_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-    });
-
-    // (EE) create (audit) log
-    updateAction &&
-      (await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(key),
-        actions: [updateAction],
-        channel,
-        ipAddress: req.realIP
-      }));
-
     // (EE) take a secret snapshot
     // IMP(akhilmhdh): commented out due to unknown where the environment is
     // await EESecretService.takeSecretSnapshot({
@@ -1387,26 +1269,6 @@ export const deleteSecrets = async (req: Request, res: Response) => {
     //     workspaceId: new Types.ObjectId(key)
     //   })
     // });
-    const deleteAction = await EELogService.createAction({
-      name: ACTION_DELETE_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-    });
-
-    // (EE) create (audit) log
-    deleteAction &&
-      (await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(key),
-        actions: [deleteAction],
-        channel,
-        ipAddress: req.realIP
-      }));
 
     // (EE) take a secret snapshot
     // IMP(akhilmhdh): Not sure how to take secretSnapshot

backend/src/controllers/v2/serviceAccountsController.ts

@@ -1,306 +0,0 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import crypto from "crypto";
-import bcrypt from "bcrypt";
-import {
-    ServiceAccount,
-    ServiceAccountKey,
-    ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission,
-} from "../../models";
-import {
-    CreateServiceAccountDto,
-} from "../../interfaces/serviceAccounts/dto";
-import { BadRequestError, ServiceAccountNotFoundError } from "../../utils/errors";
-import { getSaltRounds } from "../../config";
-
-/**
- * Return service account tied to the request (service account) client
- * @param req
- * @param res
- */
-export const getCurrentServiceAccount = async (req: Request, res: Response) => {
-    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
-
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
-    }
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Return service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountById = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-
-    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
-
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
-    }
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Create a new service account under organization with id [organizationId]
- * that has access to workspaces [workspaces]
- * @param req 
- * @param res 
- * @returns
- */
-export const createServiceAccount = async (req: Request, res: Response) => {
-    const {
-        name,
-        organizationId,
-        publicKey,
-        expiresIn,
-    }: CreateServiceAccountDto = req.body;
-
-    let expiresAt;
-    if (expiresIn) {
-        expiresAt = new Date();
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
-
-    const secret = crypto.randomBytes(16).toString("base64");
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-
-    // create service account
-    const serviceAccount = await new ServiceAccount({
-        name,
-        organization: new Types.ObjectId(organizationId),
-        user: req.user,
-        publicKey,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash,
-    }).save()
-
-    const serviceAccountObj = serviceAccount.toObject();
-
-    delete (serviceAccountObj as any).secretHash;
-
-    // provision default org-level permission for service account
-    await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id,
-    }).save();
-
-    const secretId = Buffer.from(serviceAccount._id.toString(), "hex").toString("base64");
-
-    return res.status(200).send({
-        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj,
-    });
-}
-
-/**
- * Change name of service account with id [serviceAccountId] to [name]
- * @param req 
- * @param res 
- * @returns 
- */
-export const changeServiceAccountName = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const { name } = req.body;
-
-    const serviceAccount = await ServiceAccount.findOneAndUpdate(
-        {
-            _id: new Types.ObjectId(serviceAccountId),
-        },
-        {
-            name,
-        },
-        {
-            new: true,
-        }
-    );
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Add a service account key to service account with id [serviceAccountId]
- * for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const addServiceAccountKey = async (req: Request, res: Response) => {
-    const {
-        workspaceId,
-        encryptedKey,
-        nonce,
-    } = req.body;
-
-    const serviceAccountKey = await new ServiceAccountKey({
-        encryptedKey,
-        nonce,
-        sender: req.user._id,
-        serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId),
-    }).save();
-
-    return serviceAccountKey;
-}
-
-/**
- * Return workspace-level permission for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
-    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id,
-    }).populate("workspace");
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermissions,
-    });
-}
-
-/**
- * Add a workspace permission to service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const addServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const {
-        environment,
-        workspaceId,
-        read = false,
-        write = false,
-        encryptedKey,
-        nonce,
-    } = req.body;
-
-    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
-        return res.status(400).send({
-            message: "Failed to validate workspace environment",
-        });
-    }
-
-    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment,
-    });
-
-    if (existingPermission) throw BadRequestError({ message: "Failed to add workspace permission to service account due to already-existing " });
-
-    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment,
-        read,
-        write,
-    }).save();
-
-    const existingServiceAccountKey = await ServiceAccountKey.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-    });
-
-    if (!existingServiceAccountKey) {
-        await new ServiceAccountKey({
-            encryptedKey,
-            nonce,
-            sender: req.user._id,
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId),
-        }).save();
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission,
-    });
-}
-
-/**
- * Delete workspace permission from service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const deleteServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountWorkspacePermissionId } = req.params;
-    const serviceAccountWorkspacePermission = await ServiceAccountWorkspacePermission.findByIdAndDelete(serviceAccountWorkspacePermissionId);
-
-    if (serviceAccountWorkspacePermission) {
-        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
-        const count = await ServiceAccountWorkspacePermission.countDocuments({
-            serviceAccount,
-            workspace,
-        });
-
-        if (count === 0) {
-            await ServiceAccountKey.findOneAndDelete({
-                serviceAccount,
-                workspace,
-            });
-        }
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission,
-    });
-}
-
-/**
- * Delete service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteServiceAccount = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-
-    const serviceAccount = await ServiceAccount.findByIdAndDelete(serviceAccountId);
-
-    if (serviceAccount) {
-        await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id,
-        });
-
-        await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-        });
-
-        await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-        });
-    }
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Return service account keys for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getServiceAccountKeys = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-
-    const serviceAccountKeys = await ServiceAccountKey.find({
-        serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {}),
-    });
-
-    return res.status(200).send({
-        serviceAccountKeys,
-    });
-}

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -11,7 +11,7 @@ import * as reqValidator from "../../validation/serviceTokenData";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { Types } from "mongoose";
@@ -75,7 +75,12 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
   const {
     body: { workspaceId, permissions, tag, encryptedKey, scopes, name, expiresIn, iv }
   } = await validateRequest(reqValidator.CreateServiceTokenV2, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.ServiceTokens
@@ -151,10 +156,11 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
   let serviceTokenData = await ServiceTokenData.findById(serviceTokenDataId);
   if (!serviceTokenData) throw BadRequestError({ message: "Service token not found" });
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    serviceTokenData.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: serviceTokenData.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.ServiceTokens

backend/src/controllers/v2/tagController.ts

@@ -7,7 +7,7 @@ import { validateRequest } from "../../helpers/validation";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import * as reqValidator from "../../validation/tags";
 
@@ -17,7 +17,11 @@ export const createWorkspaceTag = async (req: Request, res: Response) => {
     params: { workspaceId }
   } = await validateRequest(reqValidator.CreateWorkspaceTagsV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.Tags
@@ -45,10 +49,11 @@ export const deleteWorkspaceTag = async (req: Request, res: Response) => {
     throw BadRequestError();
   }
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    tagFromDB.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: tagFromDB.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Tags
@@ -66,7 +71,12 @@ export const getWorkspaceTags = async (req: Request, res: Response) => {
   const {
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceTagsV2, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Tags

backend/src/controllers/v2/workspaceController.ts

@@ -16,7 +16,7 @@ import * as reqValidator from "../../validation";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 
@@ -272,7 +272,11 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceMembershipsV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.Member
@@ -352,7 +356,11 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
     body: { role }
   } = await validateRequest(reqValidator.UpdateWorkspaceMembershipsV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Member
@@ -420,7 +428,11 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
     params: { workspaceId, membershipId }
   } = await validateRequest(reqValidator.DeleteWorkspaceMembershipsV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.Member
@@ -452,7 +464,11 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
     body: { autoCapitalization }
   } = await validateRequest(reqValidator.ToggleAutoCapitalizationV2, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.Settings

backend/src/controllers/v3/authController.ts

@@ -8,11 +8,9 @@ import { createToken, issueAuthTokens, validateProviderAuthToken } from "../../h
 import { checkUserDevice } from "../../helpers/user";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
-import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { AuthMethod } from "../../models/user";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
@@ -134,10 +132,11 @@ export const login2 = async (req: Request, res: Response) => {
           // generate temporary MFA token
           const token = createToken({
             payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
               userId: user._id.toString()
             },
             expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
           });
 
           const code = await TokenService.createToken({
@@ -214,19 +213,6 @@ export const login2 = async (req: Request, res: Response) => {
           response.protectedKeyTag = user.protectedKeyTag;
         }
 
-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.realIP
-          }));
-
         return res.status(200).send(response);
       }
 

backend/src/controllers/v3/index.ts

@@ -1,9 +1,11 @@
+import * as usersController from "./usersController";
 import * as secretsController from "./secretsController";
 import * as workspacesController from "./workspacesController";
 import * as authController from "./authController";
 import * as signupController from "./signupController";
 
 export {
+    usersController,
     authController,
     secretsController,
     signupController,

backend/src/controllers/v3/signupController.ts

@@ -5,10 +5,10 @@ import { MembershipOrg, User } from "../../models";
 import { completeAccount } from "../../helpers/user";
 import { initializeDefaultOrg } from "../../helpers/signup";
 import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
-import { ACCEPTED, INVITED } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED } from "../../variables";
 import { standardRequest } from "../../config/request";
-import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
-import { BadRequestError } from "../../utils/errors";
+import { getAuthSecret, getHttpsEnabled, getLoopsApiKey } from "../../config";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { TelemetryService } from "../../services";
 import { AuthMethod } from "../../models";
 import { validateRequest } from "../../helpers/validation";
@@ -78,12 +78,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
       }
 
       const decodedToken = <jwt.UserIDJwtPayload>(
-        jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+        jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret())
       );
-
-      if (decodedToken.userId !== user.id) {
-        throw BadRequestError();
-      }
+      
+      if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw UnauthorizedRequestError();
+      if (decodedToken.userId !== user.id) throw UnauthorizedRequestError();
     }
 
     // complete setting up user's account

backend/src/controllers/v3/usersController.ts

@@ -0,0 +1,18 @@
+import { Request, Response } from "express";
+import { APIKeyDataV2 } from "../../models";
+
+/**
+ * Return API keys belonging to current user.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getMyAPIKeys = async (req: Request, res: Response) => {
+    const apiKeyData = await APIKeyDataV2.find({
+        user: req.user._id
+    });
+
+    return res.status(200).send({
+        apiKeyData
+    });
+}

backend/src/controllers/v3/workspacesController.ts

@@ -1,9 +1,9 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { validateRequest } from "../../helpers/validation";
-import { Secret, ServiceTokenDataV3 } from "../../models";
+import { Membership, Secret, ServiceTokenDataV3, User } from "../../models";
 import { SecretService } from "../../services";
-import { getUserProjectPermissions } from "../../ee/services/ProjectRoleService";
+import { getAuthDataProjectPermissions } from "../../ee/services/ProjectRoleService";
 import { UnauthorizedRequestError } from "../../utils/errors";
 import * as reqValidator from "../../validation/workspace";
 
@@ -19,9 +19,22 @@ export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response)
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceBlinkIndexStatusV3, req);
 
-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
-  if (membership.role !== "admin")
-    throw UnauthorizedRequestError({ message: "User must be an admin" });
+  await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (req.authData.authPayload instanceof User) {
+    const membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    });
+    
+    if (!membership) throw UnauthorizedRequestError();
+
+    if (membership.role !== "admin")
+      throw UnauthorizedRequestError({ message: "User must be an admin" });
+  }
 
   const secretsWithoutBlindIndex = await Secret.countDocuments({
     workspace: new Types.ObjectId(workspaceId),
@@ -41,9 +54,22 @@ export const getWorkspaceSecrets = async (req: Request, res: Response) => {
     params: { workspaceId }
   } = await validateRequest(reqValidator.GetWorkspaceSecretsV3, req);
 
-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
-  if (membership.role !== "admin")
-    throw UnauthorizedRequestError({ message: "User must be an admin" });
+  await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (req.authData.authPayload instanceof User) {
+    const membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    });
+    
+    if (!membership) throw UnauthorizedRequestError();
+
+    if (membership.role !== "admin")
+      throw UnauthorizedRequestError({ message: "User must be an admin" });
+  }
 
   const secrets = await Secret.find({
     workspace: new Types.ObjectId(workspaceId)
@@ -65,9 +91,22 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
     body: { secretsToUpdate }
   } = await validateRequest(reqValidator.NameWorkspaceSecretsV3, req);
 
-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
-  if (membership.role !== "admin")
-    throw UnauthorizedRequestError({ message: "User must be an admin" });
+  await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (req.authData.authPayload instanceof User) {
+    const membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    });
+    
+    if (!membership) throw UnauthorizedRequestError();
+
+    if (membership.role !== "admin")
+      throw UnauthorizedRequestError({ message: "User must be an admin" });
+  }
 
   // get secret blind index salt
   const salt = await SecretService.getSecretBlindIndexSalt({
@@ -109,7 +148,7 @@ export const getWorkspaceServiceTokenData = async (req: Request, res: Response)
   
   const serviceTokenData = await ServiceTokenDataV3.find({
     workspace: new Types.ObjectId(workspaceId)
-  });
+  }).populate("customRole");
   
   return res.status(200).send({
     serviceTokenData

backend/src/ee/controllers/v1/actionController.ts

@@ -1,32 +0,0 @@
-import { Request, Response } from "express";
-import { Action } from "../../models";
-import { ActionNotFoundError } from "../../../utils/errors";
-import { validateRequest } from "../../../helpers/validation";
-import * as reqValidator from "../../../validation/action";
-
-export const getAction = async (req: Request, res: Response) => {
-  let action;
-  try {
-    const {
-      params: { actionId }
-    } = await validateRequest(reqValidator.GetActionV1, req);
-
-    action = await Action.findById(actionId).populate([
-      "payload.secretVersions.oldSecretVersion",
-      "payload.secretVersions.newSecretVersion"
-    ]);
-
-    if (!action)
-      throw ActionNotFoundError({
-        message: "Failed to find action"
-      });
-  } catch (err) {
-    throw ActionNotFoundError({
-      message: "Failed to find action"
-    });
-  }
-
-  return res.status(200).send({
-    action
-  });
-};

backend/src/ee/controllers/v1/index.ts

@@ -4,12 +4,13 @@ import * as organizationsController from "./organizationsController";
 import * as ssoController from "./ssoController";
 import * as usersController from "./usersController";
 import * as workspaceController from "./workspaceController";
-import * as actionController from "./actionController";
 import * as membershipController from "./membershipController";
 import * as cloudProductsController from "./cloudProductsController";
 import * as roleController from "./roleController";
 import * as secretApprovalPolicyController from "./secretApprovalPolicyController";
 import * as secretApprovalRequestController from "./secretApprovalRequestsController";
+import * as secretRotationProviderController from "./secretRotationProviderController";
+import * as secretRotationController from "./secretRotationController";
 
 export {
   secretController,
@@ -18,10 +19,11 @@ export {
   ssoController,
   usersController,
   workspaceController,
-  actionController,
   membershipController,
   cloudProductsController,
   roleController,
   secretApprovalPolicyController,
-  secretApprovalRequestController
+  secretApprovalRequestController,
+  secretRotationProviderController,
+  secretRotationController
 };

backend/src/ee/controllers/v1/roleController.ts

@@ -1,4 +1,6 @@
 import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Membership, User } from "../../../models";
 import {
   CreateRoleSchema,
   DeleteRoleSchema,
@@ -11,7 +13,7 @@ import {
   ProjectPermissionActions,
   ProjectPermissionSub,
   adminProjectPermissions,
-  getUserProjectPermissions,
+  getAuthDataProjectPermissions,
   memberProjectPermissions,
   viewerProjectPermission
 } from "../../services/ProjectRoleService";
@@ -39,7 +41,10 @@ export const createRole = async (req: Request, res: Response) => {
       throw BadRequestError({ message: "user doesn't have the permission." });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
     if (permission.cannot(ProjectPermissionActions.Create, ProjectPermissionSub.Role)) {
       throw BadRequestError({ message: "User doesn't have the permission." });
     }
@@ -82,7 +87,11 @@ export const updateRole = async (req: Request, res: Response) => {
       throw BadRequestError({ message: "User doesn't have the org permission." });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     if (permission.cannot(ProjectPermissionActions.Edit, ProjectPermissionSub.Role)) {
       throw BadRequestError({ message: "User doesn't have the workspace permission." });
     }
@@ -134,7 +143,11 @@ export const deleteRole = async (req: Request, res: Response) => {
       throw BadRequestError({ message: "User doesn't have the org permission." });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, role.workspace.toString());
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: role.workspace
+    });
+
     if (permission.cannot(ProjectPermissionActions.Delete, ProjectPermissionSub.Role)) {
       throw BadRequestError({ message: "User doesn't have the workspace permission." });
     }
@@ -162,7 +175,11 @@ export const getRoles = async (req: Request, res: Response) => {
       throw BadRequestError({ message: "User doesn't have the org permission." });
     }
   } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     if (permission.cannot(ProjectPermissionActions.Read, ProjectPermissionSub.Role)) {
       throw BadRequestError({ message: "User doesn't have the workspace permission." });
     }
@@ -212,12 +229,13 @@ export const getUserPermissions = async (req: Request, res: Response) => {
   const {
     params: { orgId }
   } = await validateRequest(GetUserPermission, req);
-  
-  const { permission } = await getUserOrgPermissions(req.user._id, orgId);
+
+  const { permission, membership } = await getUserOrgPermissions(req.user._id, orgId);
 
   res.status(200).json({
     data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
     }
   });
 };
@@ -226,11 +244,24 @@ export const getUserWorkspacePermissions = async (req: Request, res: Response) =
   const {
     params: { workspaceId }
   } = await validateRequest(GetUserProjectPermission, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
+  let membership;
+  if (req.authData.authPayload instanceof User) {
+    membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    })
+  }
 
   res.status(200).json({
     data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
     }
   });
 };

backend/src/ee/controllers/v1/secretApprovalPolicyController.ts

@@ -1,10 +1,11 @@
+import { Types } from "mongoose";
 import { ForbiddenError, subject } from "@casl/ability";
 import { Request, Response } from "express";
 import { nanoid } from "nanoid";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import { validateRequest } from "../../../helpers/validation";
 import { SecretApprovalPolicy } from "../../models/secretApprovalPolicy";
@@ -19,7 +20,11 @@ export const createSecretApprovalPolicy = async (req: Request, res: Response) =>
     body: { approvals, secretPath, approvers, environment, workspaceId, name }
   } = await validateRequest(reqValidator.CreateSecretApprovalRule, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.SecretApproval
@@ -49,10 +54,11 @@ export const updateSecretApprovalPolicy = async (req: Request, res: Response) =>
   const secretApproval = await SecretApprovalPolicy.findById(id);
   if (!secretApproval) throw ERR_SECRET_APPROVAL_NOT_FOUND;
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    secretApproval.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secretApproval.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.SecretApproval
@@ -78,10 +84,11 @@ export const deleteSecretApprovalPolicy = async (req: Request, res: Response) =>
   const secretApproval = await SecretApprovalPolicy.findById(id);
   if (!secretApproval) throw ERR_SECRET_APPROVAL_NOT_FOUND;
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    secretApproval.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secretApproval.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.SecretApproval
@@ -99,7 +106,11 @@ export const getSecretApprovalPolicy = async (req: Request, res: Response) => {
     query: { workspaceId }
   } = await validateRequest(reqValidator.GetSecretApprovalRuleList, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.SecretApproval
@@ -117,7 +128,11 @@ export const getSecretApprovalPolicyOfBoard = async (req: Request, res: Response
     query: { workspaceId, environment, secretPath }
   } = await validateRequest(reqValidator.GetSecretApprovalPolicyOfABoard, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     subject(ProjectPermissionSub.Secrets, { secretPath, environment })

backend/src/ee/controllers/v1/secretApprovalRequestsController.ts

@@ -1,7 +1,6 @@
 import { Request, Response } from "express";
-import { getUserProjectPermissions } from "../../services/ProjectRoleService";
 import { validateRequest } from "../../../helpers/validation";
-import { Folder } from "../../../models";
+import { Folder, Membership, User } from "../../../models";
 import { ApprovalStatus, SecretApprovalRequest } from "../../models/secretApprovalRequest";
 import * as reqValidator from "../../validation/secretApprovalRequest";
 import { getFolderWithPathFromId } from "../../../services/FolderService";
@@ -17,7 +16,15 @@ export const getSecretApprovalRequestCount = async (req: Request, res: Response)
     query: { workspaceId }
   } = await validateRequest(reqValidator.getSecretApprovalRequestCount, req);
 
-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
+  if (!(req.authData.authPayload instanceof User)) return;
+  
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+  
+  if (!membership) throw UnauthorizedRequestError();
+
   const approvalRequestCount = await SecretApprovalRequest.aggregate([
     {
       $match: {
@@ -65,7 +72,14 @@ export const getSecretApprovalRequests = async (req: Request, res: Response) =>
     query: { status, committer, workspaceId, environment, limit, offset }
   } = await validateRequest(reqValidator.getSecretApprovalRequests, req);
 
-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
+  if (!(req.authData.authPayload instanceof User)) return;
+  
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+  
+  if (!membership) throw UnauthorizedRequestError();
 
   const query = {
     workspace: new Types.ObjectId(workspaceId),
@@ -148,10 +162,15 @@ export const getSecretApprovalRequestDetails = async (req: Request, res: Respons
   if (!secretApprovalRequest)
     throw BadRequestError({ message: "Secret approval request not found" });
 
-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+  
+  if (!membership) throw UnauthorizedRequestError();
+
   // allow to fetch only if its admin or is the committer or approver
   if (
     membership.role !== "admin" &&
@@ -190,10 +209,15 @@ export const updateSecretApprovalReviewStatus = async (req: Request, res: Respon
   if (!secretApprovalRequest)
     throw BadRequestError({ message: "Secret approval request not found" });
 
-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+  
+  if (!membership) throw UnauthorizedRequestError();
+
   if (
     membership.role !== "admin" &&
     secretApprovalRequest.committer !== membership.id &&
@@ -227,10 +251,15 @@ export const mergeSecretApprovalRequest = async (req: Request, res: Response) =>
   if (!secretApprovalRequest)
     throw BadRequestError({ message: "Secret approval request not found" });
 
-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+  
+  if (!membership) throw UnauthorizedRequestError();
+
   if (
     membership.role !== "admin" &&
     secretApprovalRequest.committer !== membership.id &&
@@ -272,10 +301,14 @@ export const updateSecretApprovalRequestStatus = async (req: Request, res: Respo
   if (!secretApprovalRequest)
     throw BadRequestError({ message: "Secret approval request not found" });
 
-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+  
+  if (!membership) throw UnauthorizedRequestError();
 
   if (
     membership.role !== "admin" &&

backend/src/ee/controllers/v1/secretController.ts

@@ -5,7 +5,7 @@ import { Folder, Secret } from "../../../models";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import { BadRequestError } from "../../../utils/errors";
 import * as reqValidator from "../../../validation";
@@ -74,7 +74,11 @@ export const getSecretVersions = async (req: Request, res: Response) => {
     throw BadRequestError({ message: "Failed to find secret" });
   }
 
-  const { permission } = await getUserProjectPermissions(req.user._id, secret.workspace.toString());
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secret.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.SecretRollback
@@ -157,10 +161,12 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
   if (!toBeUpdatedSec) {
     throw BadRequestError({ message: "Failed to find secret" });
   }
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    toBeUpdatedSec.workspace.toString()
-  );
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: toBeUpdatedSec.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.SecretRollback

backend/src/ee/controllers/v1/secretRotationController.ts

@@ -0,0 +1,110 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotation";
+import * as secretRotationService from "../../secretRotation/service";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getAuthDataProjectPermissions
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const createSecretRotation = async (req: Request, res: Response) => {
+  const {
+    body: {
+      provider,
+      customProvider,
+      interval,
+      outputs,
+      secretPath,
+      environment,
+      workspaceId,
+      inputs
+    }
+  } = await validateRequest(reqValidator.createSecretRotationV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.createSecretRotation({
+    workspaceId,
+    inputs,
+    environment,
+    secretPath,
+    outputs,
+    interval,
+    customProvider,
+    provider
+  });
+
+  return res.send({ secretRotation });
+};
+
+export const restartSecretRotations = async (req: Request, res: Response) => {
+  const {
+    body: { id }
+  } = await validateRequest(reqValidator.restartSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: doc.workspace
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.restartSecretRotation({ id });
+  return res.send({ secretRotation });
+};
+
+export const deleteSecretRotations = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.removeSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: doc.workspace
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.deleteSecretRotation({ id });
+  return res.send({ secretRotations });
+};
+
+export const getSecretRotations = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.getSecretRotationOfWorkspace(workspaceId);
+  return res.send({ secretRotations });
+};

backend/src/ee/controllers/v1/secretRotationProviderController.ts

@@ -0,0 +1,33 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotationProvider";
+import * as secretRotationProviderService from "../../secretRotation/service";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getAuthDataProjectPermissions
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const getProviderTemplates = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationProvidersV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const rotationProviderList = await secretRotationProviderService.getProviderTemplate({
+    workspaceId
+  });
+
+  return res.send(rotationProviderList);
+};

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -4,7 +4,7 @@ import { validateRequest } from "../../../helpers/validation";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import * as reqValidator from "../../../validation/secretSnapshot";
 import { ISecretVersion, SecretSnapshot, TFolderRootVersionSchema } from "../../models";
@@ -33,10 +33,11 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {
 
   if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
 
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    secretSnapshot.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secretSnapshot.workspace
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.SecretRollback

backend/src/ee/controllers/v1/workspaceController.ts

@@ -17,7 +17,6 @@ import {
   FolderVersion,
   IPType,
   ISecretVersion,
-  Log,
   SecretSnapshot,
   SecretVersion,
   ServiceActor,
@@ -28,7 +27,6 @@ import {
 } from "../../models";
 import { EESecretService } from "../../services";
 import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
-// import Folder, { TFolderSchema } from "../../../models/folder";
 import { getFolderByPath, searchByFolderId } from "../../../services/FolderService";
 import { EEAuditLogService, EELicenseService } from "../../services";
 import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
@@ -38,7 +36,6 @@ import {
   DeleteWorkspaceTrustedIpV1,
   GetWorkspaceAuditLogActorFilterOptsV1,
   GetWorkspaceAuditLogsV1,
-  GetWorkspaceLogsV1,
   GetWorkspaceSecretSnapshotsCountV1,
   GetWorkspaceSecretSnapshotsV1,
   GetWorkspaceTrustedIpsV1,
@@ -48,7 +45,7 @@ import {
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { BadRequestError } from "../../../utils/errors";
@@ -109,7 +106,11 @@ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) =
     query: { environment, directory, offset, limit }
   } = await validateRequest(GetWorkspaceSecretSnapshotsV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.SecretRollback
@@ -150,7 +151,11 @@ export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Respon
     query: { environment, directory }
   } = await validateRequest(GetWorkspaceSecretSnapshotsCountV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.SecretRollback
@@ -240,7 +245,11 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
     body: { directory, environment, version }
   } = await validateRequest(RollbackWorkspaceSecretSnapshotV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.SecretRollback
@@ -564,128 +573,102 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 };
 
 /**
- * Return (audit) logs for workspace with id [workspaceId]
+ * Return audit logs for workspace with id [workspaceId]
  * @param req
  * @param res
- * @returns
  */
-export const getWorkspaceLogs = async (req: Request, res: Response) => {
+export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
   /* 
-    #swagger.summary = 'Return project (audit) logs'
-    #swagger.description = 'Return project (audit) logs'
+    #swagger.summary = 'Return audit logs'
+    #swagger.description = 'Return audit logs'
     
     #swagger.security = [{
-        "apiKeyAuth": []
+      "apiKeyAuth": []
     }]
 
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
+    #swagger.parameters['workspaceId'] = {
+      "description": "ID of the workspace where to get folders from",
+      "required": true,
+      "type": "string",
+      "in": "path"
+    }
 
-	#swagger.parameters['userId'] = {
-		"description": "ID of project member",
-		"required": false,
-		"type": "string"
-	} 
+    #swagger.parameters['offset'] = {
+      "description": "Number of logs to skip before starting to return logs for pagination",
+      "required": false,
+      "type": "string"
+    }
 
-	#swagger.parameters['offset'] = {
-		"description": "Number of logs to skip",
-		"required": false,
-		"type": "string"
-	}
+    #swagger.parameters['limit'] = {
+      "description": "Maximum number of logs to return for pagination",
+      "required": false,
+      "type": "string"
+    }
 
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of logs to return",
-		"required": false,
-		"type": "string"
-	}
+   #swagger.parameters['startDate'] = {
+      "description": "Filter logs from this date in ISO-8601 format",
+      "required": false,
+      "type": "string"
+    }
 
-	#swagger.parameters['sortBy'] = {
-		"description": "Order to sort the logs by",
-		"schema": {
-			"type": "string",
-			"@enum": ["oldest", "recent"]
-		},
-		"required": false
-	}
+   #swagger.parameters['endDate'] = {
+      "description": "Filter logs till this date in ISO-8601 format",
+      "required": false,
+      "type": "string"
+    }
 
-	#swagger.parameters['actionNames'] = {
-		"description": "Names of log actions (comma-separated)",
-		"required": false,
-		"type": "string"
-	}
+    #swagger.parameters['eventType'] = {
+      "description": "Filter by type of event such as get-secrets, get-secret, create-secret, update-secret, delete-secret, etc.",
+      "required": false,
+      "type": "string",
+    }
+
+    #swagger.parameters['userAgentType'] = {
+      "description": "Filter by type of user agent such as web, cli, k8-operator, or other",
+      "required": false,
+      "type": "string",
+    }
+
+    #swagger.parameters['actor'] = {
+      "description": "Filter by actor such as user or service",
+      "required": false,
+      "type": "string"
+    }
 
     #swagger.responses[200] = {
         content: {
             "application/json": {
                 schema: { 
-					"type": "object",
-					"properties": {
-						"logs": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Log" 
-							},
-							"description": "Project logs"
-						}
-					}
+                  "type": "object",
+                  "properties": {
+                        "auditLogs": {
+                            "type": "array",
+                            "items": {
+			      $ref: "#/components/schemas/AuditLog",
+                            },
+                            "description": "List of audit log"                        
+                          },
+                  }
                 }
             }           
         }
     }   
     */
-  const {
-    query: { limit, offset, userId, sortBy, actionNames },
-    params: { workspaceId }
-  } = await validateRequest(GetWorkspaceLogsV1, req);
-
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
-  ForbiddenError.from(permission).throwUnlessCan(
-    ProjectPermissionActions.Read,
-    ProjectPermissionSub.AuditLogs
-  );
-
-  const logs = await Log.find({
-    workspace: workspaceId,
-    ...(userId ? { user: userId } : {}),
-    ...(actionNames
-      ? {
-          actionNames: {
-            $in: actionNames.split(",")
-          }
-        }
-      : {})
-  })
-    .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
-    .skip(offset)
-    .limit(limit)
-    .populate("actions")
-    .populate("user serviceAccount serviceTokenData");
-
-  return res.status(200).send({
-    logs
-  });
-};
-
-/**
- * Return audit logs for workspace with id [workspaceId]
- * @param req
- * @param res
- */
-export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
   const {
     query: { limit, offset, endDate, eventType, startDate, userAgentType, actor },
     params: { workspaceId }
   } = await validateRequest(GetWorkspaceAuditLogsV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.AuditLogs
   );
-  
+
   const query = {
     workspace: new Types.ObjectId(workspaceId),
     ...(eventType
@@ -719,14 +702,9 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
         }
       : {})
   };
-
   const auditLogs = await AuditLog.find(query).sort({ createdAt: -1 }).skip(offset).limit(limit);
-
-  const totalCount = await AuditLog.countDocuments(query);
-
   return res.status(200).send({
-    auditLogs,
-    totalCount
+    auditLogs
   });
 };
 
@@ -740,7 +718,11 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
     params: { workspaceId }
   } = await validateRequest(GetWorkspaceAuditLogActorFilterOptsV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.AuditLogs
@@ -774,7 +756,7 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
       name: serviceTokenData.name
     }
   }));
-  
+
   const serviceV3Actors: ServiceActorV3[] = (
     await ServiceTokenDataV3.find({
       workspace: new Types.ObjectId(workspaceId)
@@ -786,12 +768,8 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
       name: serviceTokenData.name
     }
   }));
-  
-  const actors = [
-    ...userActors, 
-    ...serviceActors,
-    ...serviceV3Actors
-  ];
+
+  const actors = [...userActors, ...serviceActors, ...serviceV3Actors];
 
   return res.status(200).send({
     actors
@@ -808,7 +786,11 @@ export const getWorkspaceTrustedIps = async (req: Request, res: Response) => {
     params: { workspaceId }
   } = await validateRequest(GetWorkspaceTrustedIpsV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Read,
     ProjectPermissionSub.IpAllowList
@@ -834,7 +816,11 @@ export const addWorkspaceTrustedIp = async (req: Request, res: Response) => {
     body: { comment, isActive, ipAddress: ip }
   } = await validateRequest(AddWorkspaceTrustedIpV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Create,
     ProjectPermissionSub.IpAllowList
@@ -900,7 +886,11 @@ export const updateWorkspaceTrustedIp = async (req: Request, res: Response) => {
     body: { ipAddress: ip, comment }
   } = await validateRequest(UpdateWorkspaceTrustedIpV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Edit,
     ProjectPermissionSub.IpAllowList
@@ -992,7 +982,11 @@ export const deleteWorkspaceTrustedIp = async (req: Request, res: Response) => {
     params: { workspaceId, trustedIpId }
   } = await validateRequest(DeleteWorkspaceTrustedIpV1, req);
 
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
   ForbiddenError.from(permission).throwUnlessCan(
     ProjectPermissionActions.Delete,
     ProjectPermissionSub.IpAllowList

backend/src/ee/controllers/v3/apiKeyDataController.ts

@@ -0,0 +1,101 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { APIKeyDataV2 } from "../../../models/apiKeyDataV2";
+import { validateRequest } from "../../../helpers/validation";
+import { BadRequestError } from "../../../utils/errors";
+import * as reqValidator from "../../../validation";
+import { createToken } from "../../../helpers";
+import { AuthTokenType } from "../../../variables";
+import { getAuthSecret } from "../../../config";
+
+/**
+ * Create API key data v2
+ * @param req 
+ * @param res 
+ */
+export const createAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        body: {
+            name
+        }
+    } = await validateRequest(reqValidator.CreateAPIKeyV3, req);
+
+    const apiKeyData = await new APIKeyDataV2({
+        name,
+        user: req.user._id,
+        usageCount: 0,
+    }).save();
+    
+    const apiKey = createToken({
+        payload: {
+            authTokenType: AuthTokenType.API_KEY,
+            apiKeyDataId: apiKeyData._id.toString(),
+            userId: req.user._id.toString()
+        },
+        secret: await getAuthSecret()
+    });
+
+    return res.status(200).send({
+        apiKeyData,
+        apiKey
+    });
+}
+
+/**
+ * Update API key data v2 with id [apiKeyDataId]
+ * @param req 
+ * @param res 
+ */
+ export const updateAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        params: { apiKeyDataId },
+        body: { 
+            name, 
+        }
+    } = await validateRequest(reqValidator.UpdateAPIKeyV3, req);
+
+    const apiKeyData = await APIKeyDataV2.findOneAndUpdate(
+        {
+            _id: new Types.ObjectId(apiKeyDataId),
+            user: req.user._id
+        },
+        {
+            name
+        },
+        {
+            new: true
+        }
+    );
+    
+    if (!apiKeyData) throw BadRequestError({
+        message: "Failed to update API key"
+    });
+
+    return res.status(200).send({
+        apiKeyData
+    });
+}
+
+/**
+ * Delete API key data v2 with id [apiKeyDataId]
+ * @param req 
+ * @param res 
+ */
+ export const deleteAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        params: { apiKeyDataId }
+    } = await validateRequest(reqValidator.DeleteAPIKeyV3, req);
+
+    const apiKeyData = await APIKeyDataV2.findOneAndDelete({
+        _id: new Types.ObjectId(apiKeyDataId),
+        user: req.user._id
+    });
+
+    if (!apiKeyData) throw BadRequestError({
+        message: "Failed to delete API key"
+    });
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}

backend/src/ee/controllers/v3/index.ts

@@ -1,5 +1,7 @@
 import * as serviceTokenDataController from "./serviceTokenDataController";
+import * as apiKeyDataController from "./apiKeyDataController";
 
 export {
-    serviceTokenDataController 
+    serviceTokenDataController,
+    apiKeyDataController
 }

backend/src/ee/controllers/v3/serviceTokenDataController.ts

@@ -1,3 +1,4 @@
+import jwt from "jsonwebtoken";
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { 
@@ -7,13 +8,11 @@ import {
     ServiceTokenDataV3Key,
     Workspace
 } from "../../../models";
-import {
-    IServiceTokenV3Scope, 
-    IServiceTokenV3TrustedIp 
-} from "../../../models/serviceTokenDataV3";
+import { IServiceTokenV3TrustedIp } from "../../../models/serviceTokenDataV3";
 import {
     ActorType,
-    EventType
+    EventType,
+    Role
 } from "../../models";
 import { validateRequest } from "../../../helpers/validation";
 import * as reqValidator from "../../../validation/serviceTokenDataV3";
@@ -21,16 +20,17 @@ import { createToken } from "../../../helpers/auth";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability"; 
-import { BadRequestError, ResourceNotFoundError } from "../../../utils/errors";
+import { BadRequestError, ResourceNotFoundError, UnauthorizedRequestError } from "../../../utils/errors";
 import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
 import { EEAuditLogService, EELicenseService } from "../../services";
-import { getJwtServiceTokenSecret } from "../../../config";
+import { getAuthSecret } from "../../../config";
+import { ADMIN, AuthTokenType, CUSTOM, MEMBER, VIEWER } from "../../../variables";
 
 /**
- * Return project key for service token
+ * Return project key for service token V3
  * @param req 
  * @param res 
  */
@@ -57,7 +57,100 @@ export const getServiceTokenDataKey = async (req: Request, res: Response) => {
 }
 
 /**
- * Create service token data
+ * Return access and refresh token as per refresh operation
+ * @param req 
+ * @param res 
+ */
+ export const refreshToken = async (req: Request, res: Response) => {
+    const {
+        body: {
+            refresh_token
+        }
+    } = await validateRequest(reqValidator.RefreshTokenV3, req);
+
+    const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
+		jwt.verify(refresh_token, await getAuthSecret())
+	);
+    
+    if (decodedToken.authTokenType !== AuthTokenType.SERVICE_REFRESH_TOKEN) throw UnauthorizedRequestError();
+    
+    let serviceTokenData = await ServiceTokenDataV3.findOne({
+        _id: new Types.ObjectId(decodedToken.serviceTokenDataId),
+        isActive: true
+    });
+    
+    if (!serviceTokenData) throw UnauthorizedRequestError();
+
+    if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
+        // raise alarm
+        throw UnauthorizedRequestError();
+    }
+    
+    const response: {
+        refresh_token?: string;
+        access_token: string;
+        expires_in: number;
+        token_type: string;
+    } = {
+        refresh_token,
+        access_token: "",
+        expires_in: 0,
+        token_type: "Bearer"
+    };
+
+    if (serviceTokenData.isRefreshTokenRotationEnabled) {
+        serviceTokenData = await ServiceTokenDataV3.findByIdAndUpdate(
+            serviceTokenData._id,
+            {
+                $inc: {
+                    tokenVersion: 1
+                }
+            },
+            {
+                new: true
+            }
+        );
+        
+        if (!serviceTokenData) throw BadRequestError();
+        
+        response.refresh_token = createToken({
+            payload: {
+                serviceTokenDataId: serviceTokenData._id.toString(),
+                authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
+                tokenVersion: serviceTokenData.tokenVersion
+            },
+            secret: await getAuthSecret()
+        });
+    }
+
+    response.access_token = createToken({
+        payload: {
+            serviceTokenDataId: serviceTokenData._id.toString(),
+            authTokenType: AuthTokenType.SERVICE_ACCESS_TOKEN,
+            tokenVersion: serviceTokenData.tokenVersion
+        },
+        expiresIn: serviceTokenData.accessTokenTTL,
+        secret: await getAuthSecret()
+    });
+
+    response.expires_in = serviceTokenData.accessTokenTTL;
+
+    await ServiceTokenDataV3.findByIdAndUpdate(
+        serviceTokenData._id,
+        {
+            refreshTokenLastUsed: new Date(),
+            $inc: { refreshTokenUsageCount: 1 }
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send(response);
+}
+
+/**
+ * Create service token data V3
  * @param req 
  * @param res 
  * @returns 
@@ -68,14 +161,20 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
             name, 
             workspaceId, 
             publicKey, 
-            scopes,
+            role,
             trustedIps,
             expiresIn, 
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled,
             encryptedKey, // for ServiceTokenDataV3Key
-            nonce // for ServiceTokenDataV3Key
+            nonce, // for ServiceTokenDataV3Key
         }
     } = await validateRequest(reqValidator.CreateServiceTokenV3, req);
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+        authData: req.authData,
+        workspaceId: new Types.ObjectId(workspaceId)
+      });
+
     ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Create,
         ProjectPermissionSub.ServiceTokens
@@ -84,6 +183,19 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
     const workspace = await Workspace.findById(workspaceId);
     if (!workspace) throw BadRequestError({ message: "Workspace not found" });
 
+    const isCustomRole = ![ADMIN, MEMBER, VIEWER].includes(role);
+    
+    let customRole;
+    if (isCustomRole) {
+        customRole = await Role.findOne({
+            slug: role,
+            isOrgRole: false,
+            workspace: workspace._id
+        });
+        
+        if (!customRole) throw BadRequestError({ message: "Role not found" });
+    }
+
     const plan = await EELicenseService.getPlan(workspace.organization);
     
     // validate trusted ips
@@ -118,11 +230,16 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
         user,
         workspace: new Types.ObjectId(workspaceId),
         publicKey,
-        usageCount: 0,
+        refreshTokenUsageCount: 0,
+        accessTokenUsageCount: 0,
+        tokenVersion: 1,
         trustedIps: reformattedTrustedIps,
-        scopes,
+        role: isCustomRole ? CUSTOM : role,
+        customRole,
         isActive,
-        expiresAt
+        expiresAt,
+        accessTokenTTL,
+        isRefreshTokenRotationEnabled
     }).save();
     
     await new ServiceTokenDataV3Key({
@@ -133,22 +250,23 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
         workspace: new Types.ObjectId(workspaceId)
     }).save();
     
-    const token = createToken({
+    const refreshToken = createToken({
         payload: {
-            _id: serviceTokenData._id.toString()
+            serviceTokenDataId: serviceTokenData._id.toString(),
+            authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
+            tokenVersion: serviceTokenData.tokenVersion
         },
-        expiresIn,
-        secret: await getJwtServiceTokenSecret()
+        secret: await getAuthSecret()
     });
     
     await EEAuditLogService.createAuditLog(
         req.authData,
         {
-            type: EventType.CREATE_SERVICE_TOKEN_V3,
+            type: EventType.CREATE_SERVICE_TOKEN_V3, // TODO: update
             metadata: {
                 name,
                 isActive,
-                scopes: scopes as Array<IServiceTokenV3Scope>,
+                role,
                 trustedIps: reformattedTrustedIps as Array<IServiceTokenV3TrustedIp>,
                 expiresAt
             }
@@ -160,12 +278,12 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
     
     return res.status(200).send({
         serviceTokenData,
-        serviceToken: `stv3.${token}`
+        refreshToken
     });
 }
 
 /**
- * Update service token data with id [serviceTokenDataId]
+ * Update service token V3 data with id [serviceTokenDataId]
  * @param req 
  * @param res 
  * @returns 
@@ -176,9 +294,11 @@ export const updateServiceTokenData = async (req: Request, res: Response) => {
         body: { 
             name, 
             isActive,
-            scopes,
+            role,
             trustedIps,
-            expiresIn
+            expiresIn,
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled
         }
     } = await validateRequest(reqValidator.UpdateServiceTokenV3, req);
 
@@ -187,10 +307,10 @@ export const updateServiceTokenData = async (req: Request, res: Response) => {
         message: "Service token not found" 
     });
     
-    const { permission } = await getUserProjectPermissions(
-        req.user._id,
-        serviceTokenData.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+        authData: req.authData,
+        workspaceId: serviceTokenData.workspace
+    });
     
     ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Edit,
@@ -200,6 +320,20 @@ export const updateServiceTokenData = async (req: Request, res: Response) => {
     const workspace = await Workspace.findById(serviceTokenData.workspace);
     if (!workspace) throw BadRequestError({ message: "Workspace not found" });
 
+    let customRole;
+    if (role) {
+        const isCustomRole = ![ADMIN, MEMBER, VIEWER].includes(role);
+        if (isCustomRole) {
+            customRole = await Role.findOne({
+                slug: role,
+                isOrgRole: false,
+                workspace: workspace._id
+            });
+            
+            if (!customRole) throw BadRequestError({ message: "Role not found" });
+        }
+    }
+
     const plan = await EELicenseService.getPlan(workspace.organization);
 
     // validate trusted ips
@@ -231,15 +365,25 @@ export const updateServiceTokenData = async (req: Request, res: Response) => {
         {
             name,
             isActive,
-            scopes,
+            role: customRole ? CUSTOM : role,
+            ...(customRole ? {
+                customRole 
+            } : {}),
+            ...(role && !customRole ? { // non-custom role
+                $unset: {
+                    customRole: 1
+                }
+            } : {}),
             trustedIps: reformattedTrustedIps,
-            expiresAt
+            expiresAt,
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled
         },
         {
             new: true
         }
     );
-    
+
     if (!serviceTokenData) throw BadRequestError({
         message: "Failed to update service token"
     });
@@ -251,7 +395,7 @@ export const updateServiceTokenData = async (req: Request, res: Response) => {
             metadata: {
                 name: serviceTokenData.name,
                 isActive,
-                scopes: scopes as Array<IServiceTokenV3Scope>,
+                role,
                 trustedIps: reformattedTrustedIps as Array<IServiceTokenV3TrustedIp>,
                 expiresAt
             }
@@ -282,10 +426,10 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
         message: "Service token not found" 
     });
     
-    const { permission } = await getUserProjectPermissions(
-        req.user._id,
-        serviceTokenData.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+        authData: req.authData,
+        workspaceId: serviceTokenData.workspace
+    });
     
     ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Delete,
@@ -309,7 +453,7 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
             metadata: {
                 name: serviceTokenData.name,
                 isActive: serviceTokenData.isActive,
-                scopes: serviceTokenData.scopes as Array<IServiceTokenV3Scope>,
+                role: serviceTokenData.role,
                 trustedIps: serviceTokenData.trustedIps as Array<IServiceTokenV3TrustedIp>,
                 expiresAt: serviceTokenData.expiresAt
             }

backend/src/ee/helpers/action.ts

@@ -1,195 +0,0 @@
-import { Types } from "mongoose";
-import { Action } from "../models";
-import { 
-    getLatestNSecretSecretVersionIds,
-    getLatestSecretVersionIds,
-} from "../helpers/secretVersion";
-import { 
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from "../../variables";
-
-/**
- * Create an (audit) action for updating secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionUpdateSecret = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
-            secretIds,
-            n: 2,
-        }))
-        .map((s) => ({
-            oldSecretVersion: s.versions[0]._id,
-            newSecretVersion: s.versions[1]._id,
-        }));
-    
-    const action = await new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId,
-        payload: {
-            secretVersions: latestSecretVersions,
-        },
-    }).save();
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for creating, reading, and deleting
- * secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionSecret = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    // case: action is adding, deleting, or reading secrets
-    // -> add new secret versions
-    const latestSecretVersions = (await getLatestSecretVersionIds({
-        secretIds,
-    }))
-    .map((s) => ({
-        newSecretVersion: s.versionId,
-    }));
-    
-   const action = await new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId,
-        payload: {
-            secretVersions: latestSecretVersions,
-        },
-    }).save(); 
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for client with id [userId],
- * [serviceAccountId], or [serviceTokenDataId]
- * @param {Object} obj 
- * @param {String} obj.name - name of action
- * @param {String} obj.userId - id of user associated with action
- * @returns 
- */
-const createActionClient = ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-}) => {
-    const action = new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-    }).save();
-
-    return action; 
-}
-
-/**
- * Create an (audit) action. 
- * @param {Object} obj
- * @param {Object} obj.name - name of action
- * @param {Types.ObjectId} obj.userId - id of user associated with action
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
- * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
-*/
-const createActionHelper = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    secretIds?: Types.ObjectId[];
-}) => {
-    let action;
-    switch (name) {
-        case ACTION_LOGIN:
-        case ACTION_LOGOUT:
-            action = await createActionClient({
-                name,
-                userId,
-            });
-            break;
-        case ACTION_ADD_SECRETS:
-        case ACTION_READ_SECRETS:
-        case ACTION_DELETE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
-            action = await createActionSecret({
-                name,
-                userId,
-                workspaceId,
-                secretIds,
-            });
-            break;
-        case ACTION_UPDATE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
-            action = await createActionUpdateSecret({
-                name,
-                userId,
-                workspaceId,
-                secretIds,
-            });
-            break;
-    }
-    
-    return action;
-}
-
-export { 
-    createActionHelper,
-};

backend/src/ee/helpers/log.ts

@@ -1,50 +0,0 @@
-import { Types } from "mongoose";
-import { 
-    IAction,
-    Log,
-} from "../models";
-
-/**
- * Create an (audit) log
- * @param {Object} obj
- * @param {Types.ObjectId} obj.userId - id of user associated with the log
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
- * @param {IAction[]} obj.actions - actions to include in log
- * @param {String} obj.channel - channel (web/cli/auto) associated with the log
- * @param {String} obj.ipAddress - ip address associated with the log
- * @returns {Log} log - new audit log
- */
-const createLogHelper = async ({
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    actions,
-    channel,
-    ipAddress,
-}: {
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    actions: IAction[];
-    channel: string;
-    ipAddress: string;
-}) => {
-    const log = await new Log({
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId ?? undefined,
-        actionNames: actions.map((a) => a.name),
-        actions,
-        channel,
-        ipAddress,
-    }).save();
-
-    return log;
-}
-
-export {
-    createLogHelper,
-}

backend/src/ee/middleware/index.ts

@@ -1,5 +0,0 @@
-import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";
-
-export {
-    requireSecretSnapshotAuth,
-}

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -1,43 +0,0 @@
-import { NextFunction, Request, Response } from "express";
-import { SecretSnapshotNotFoundError } from "../../utils/errors";
-import { SecretSnapshot } from "../models";
-import {
-    validateMembership,
-} from "../../helpers/membership";
-
-/**
- * Validate if user on request has proper membership for secret snapshot
- * @param {Object} obj
- * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
- * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
- */
-const requireSecretSnapshotAuth = ({
-    acceptedRoles,
-}: {
-    acceptedRoles: Array<"admin" | "member">;
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        const { secretSnapshotId } = req.params;
-        
-        const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-        
-        if (!secretSnapshot) {
-            return next(SecretSnapshotNotFoundError({
-                message: "Failed to find secret snapshot",
-            }));
-        }
-        
-        await validateMembership({
-            userId: req.user._id,
-            workspaceId: secretSnapshot.workspace,
-            acceptedRoles,
-        });
-        
-        req.secretSnapshot = secretSnapshot as any;
-
-        next();
-    }
-}
-
-export default requireSecretSnapshotAuth;

backend/src/ee/models/action.ts

@@ -1,69 +0,0 @@
-import { Schema, Types, model } from "mongoose";
-import {
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from "../../variables";
-
-export interface IAction {
-    name: string;
-    user?: Types.ObjectId,
-    serviceAccount?: Types.ObjectId,
-    serviceTokenData?: Types.ObjectId,
-    workspace?: Types.ObjectId,
-    payload?: {
-        secretVersions?: Types.ObjectId[]
-    }
-}
-
-const actionSchema = new Schema<IAction>(
-    {
-        name: {
-            type: String,
-            required: true,
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS,
-            ],
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: "User",
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceAccount",
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceTokenData",
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: "Workspace",
-        },
-        payload: {
-            secretVersions: [{
-                oldSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: "SecretVersion",
-                },
-                newSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: "SecretVersion",
-                },
-            }],
-        },
-    }, {
-        timestamps: true,
-    }
-);
-
-export const Action = model<IAction>("Action", actionSchema);

backend/src/ee/models/auditLog/auditLog.ts

@@ -1,76 +1,70 @@
 import { Schema, Types, model } from "mongoose";
-import {
-    ActorType,
-    EventType,
-    UserAgentType
-} from "./enums";
-import {
-    Actor,
-    Event
-} from "./types";
+import { ActorType, EventType, UserAgentType } from "./enums";
+import { Actor, Event } from "./types";
 
 export interface IAuditLog {
-    actor: Actor;
-    organization: Types.ObjectId;
-    workspace: Types.ObjectId;
-    ipAddress: string;
-    event: Event;
-    userAgent: string;
-    userAgentType: UserAgentType;
-    expiresAt: Date;
+  actor: Actor;
+  organization: Types.ObjectId;
+  workspace: Types.ObjectId;
+  ipAddress: string;
+  event: Event;
+  userAgent: string;
+  userAgentType: UserAgentType;
+  expiresAt: Date;
 }
 
 const auditLogSchema = new Schema<IAuditLog>(
-    {
-        actor: {
-            type: {
-                type: String,
-                enum: ActorType,
-                required: true
-            },
-            metadata: {
-                type: Schema.Types.Mixed
-            }
-        },
-        organization: {
-            type: Schema.Types.ObjectId,
-            required: false
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            required: false
-        },
-        ipAddress: {
-            type: String,
-            required: true
-        },
-        event: {
-            type: {
-                type: String,
-                enum: EventType,
-                required: true
-            },
-            metadata: {
-                type: Schema.Types.Mixed
-            }
-        },
-        userAgent: {
-            type: String,
-            required: true
-        },
-        userAgentType: {
-            type: String,
-            enum: UserAgentType,
-            required: true
-        },
-        expiresAt: {
-            type: Date,
-            expires: 0
-        }
+  {
+    actor: {
+      type: {
+        type: String,
+        enum: ActorType,
+        required: true
+      },
+      metadata: {
+        type: Schema.Types.Mixed
+      }
     },
-    {
-        timestamps: true
+    organization: {
+      type: Schema.Types.ObjectId,
+      required: false
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      required: false,
+      index: true
+    },
+    ipAddress: {
+      type: String,
+      required: true
+    },
+    event: {
+      type: {
+        type: String,
+        enum: EventType,
+        required: true
+      },
+      metadata: {
+        type: Schema.Types.Mixed
+      }
+    },
+    userAgent: {
+      type: String,
+      required: true
+    },
+    userAgentType: {
+      type: String,
+      enum: UserAgentType,
+      required: true
+    },
+    expiresAt: {
+      type: Date,
+      expires: 0
     }
+  },
+  {
+    timestamps: true
+  }
 );
 
-export const AuditLog = model<IAuditLog>("AuditLog", auditLogSchema); 
+export const AuditLog = model<IAuditLog>("AuditLog", auditLogSchema);

backend/src/ee/models/auditLog/enums.ts

@@ -1,7 +1,8 @@
 export enum ActorType {
-    USER = "user",
-    SERVICE = "service",
-    SERVICE_V3 = "service-v3"
+  USER = "user",
+  SERVICE = "service",
+  SERVICE_V3 = "service-v3",
+  // Machine = "machine"
 }
 
 export enum UserAgentType {
@@ -38,6 +39,7 @@ export enum EventType {
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
   ADD_WORKSPACE_MEMBER = "add-workspace-member",
+  ADD_BATCH_WORKSPACE_MEMBER = "add-workspace-members",
   REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
   CREATE_FOLDER = "create-folder",
   UPDATE_FOLDER = "update-folder",

backend/src/ee/models/auditLog/types.ts

@@ -1,11 +1,5 @@
-import {
-    ActorType,
-    EventType
-} from "./enums";
-import {
-  IServiceTokenV3Scope,
-  IServiceTokenV3TrustedIp
-} from "../../../models/serviceTokenDataV3";
+import { ActorType, EventType } from "./enums";
+import { IServiceTokenV3TrustedIp } from "../../../models/serviceTokenDataV3";
 
 interface UserActorMetadata {
   userId: string;
@@ -28,14 +22,15 @@ export interface ServiceActor {
 }
 
 export interface ServiceActorV3 {
-    type: ActorType.SERVICE_V3;
-    metadata: ServiceActorMetadata;
+  type: ActorType.SERVICE_V3;
+  metadata: ServiceActorMetadata;
 }
 
-export type Actor = 
-    | UserActor
-    | ServiceActor
-    | ServiceActorV3;
+// export interface MachineActor {
+//   type: ActorType.Machine;
+// }
+
+export type Actor = UserActor | ServiceActor | ServiceActorV3;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;
@@ -226,36 +221,36 @@ interface DeleteServiceTokenEvent {
 }
 
 interface CreateServiceTokenV3Event {
-    type: EventType.CREATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+  type: EventType.CREATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    role: string;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
 }
 
 interface UpdateServiceTokenV3Event {
-    type: EventType.UPDATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name?: string;
-        isActive?: boolean;
-        scopes?: Array<IServiceTokenV3Scope>;
-        trustedIps?: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+  type: EventType.UPDATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name?: string;
+    isActive?: boolean;
+    role?: string;
+    trustedIps?: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
 }
 
 interface DeleteServiceTokenV3Event {
-    type: EventType.DELETE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        expiresAt?: Date;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-    }
+  type: EventType.DELETE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    role: string;
+    expiresAt?: Date;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+  };
 }
 
 interface CreateEnvironmentEvent {
@@ -292,6 +287,14 @@ interface AddWorkspaceMemberEvent {
   };
 }
 
+interface AddBatchWorkspaceMemberEvent {
+  type: EventType.ADD_BATCH_WORKSPACE_MEMBER;
+  metadata: Array<{
+    userId: string;
+    email: string;
+  }>;
+}
+
 interface RemoveWorkspaceMemberEvent {
   type: EventType.REMOVE_WORKSPACE_MEMBER;
   metadata: {
@@ -427,15 +430,15 @@ interface UpdateUserRole {
 }
 
 interface UpdateUserDeniedPermissions {
-    type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS,
-    metadata: {
-        userId: string;
-        email: string;
-        deniedPermissions: {
-            environmentSlug: string;
-            ability: string;
-        }[]
-    }
+  type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS;
+  metadata: {
+    userId: string;
+    email: string;
+    deniedPermissions: {
+      environmentSlug: string;
+      ability: string;
+    }[];
+  };
 }
 interface SecretApprovalMerge {
   type: EventType.SECRET_APPROVAL_MERGED;
@@ -499,6 +502,7 @@ export type Event =
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent
   | AddWorkspaceMemberEvent
+  | AddBatchWorkspaceMemberEvent
   | RemoveWorkspaceMemberEvent
   | CreateFolderEvent
   | UpdateFolderEvent

backend/src/ee/models/index.ts

@@ -1,9 +1,7 @@
 export * from "./secretSnapshot";
 export * from "./secretVersion";
 export * from "./folderVersion";
-export * from "./log";
 export * from "./role";
-export * from "./action";
 export * from "./ssoConfig";
 export * from "./trustedIp";
 export * from "./auditLog";

backend/src/ee/models/log.ts

@@ -1,72 +0,0 @@
-import { Schema, Types, model } from "mongoose";
-import {
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from "../../variables";
-
-export interface ILog {
-    _id: Types.ObjectId;
-    user?: Types.ObjectId;
-    serviceAccount?: Types.ObjectId;
-    serviceTokenData?: Types.ObjectId;
-    workspace?: Types.ObjectId;
-    actionNames: string[];
-    actions: Types.ObjectId[];
-    channel: string;
-    ipAddress?: string;
-}
-
-const logSchema = new Schema<ILog>(
-    {
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: "User",
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceAccount",
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceTokenData",
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: "Workspace",
-        },
-        actionNames: {
-            type: [String],
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS,
-            ],
-            required: true,
-        },
-        actions: [{
-            type: Schema.Types.ObjectId,
-            ref: "Action",
-            required: true,
-        }],
-        channel: {
-            type: String,
-            enum: ["web", "cli", "auto", "k8-operator", "other"],
-            required: true,
-        },
-        ipAddress: {
-            type: String,
-        },
-    }, 
-    {
-        timestamps: true,
-    }
-);
-
-export const Log = model<ILog>("Log", logSchema);

backend/src/ee/routes/v1/action.ts

@@ -1,8 +0,0 @@
-import express from "express";
-const router = express.Router();
-import { actionController } from "../../controllers/v1";
-
-// TODO: put into action controller
-router.get("/:actionId", actionController.getAction);
-
-export default router;

backend/src/ee/routes/v1/index.ts

@@ -4,12 +4,13 @@ import organizations from "./organizations";
 import sso from "./sso";
 import users from "./users";
 import workspace from "./workspace";
-import action from "./action";
 import cloudProducts from "./cloudProducts";
 import secretScanning from "./secretScanning";
 import roles from "./role";
 import secretApprovalPolicy from "./secretApprovalPolicy";
 import secretApprovalRequest from "./secretApprovalRequest";
+import secretRotationProvider from "./secretRotationProvider";
+import secretRotation from "./secretRotation";
 
 export {
   secret,
@@ -18,10 +19,11 @@ export {
   sso,
   users,
   workspace,
-  action,
   cloudProducts,
   secretScanning,
   roles,
   secretApprovalPolicy,
-  secretApprovalRequest
+  secretApprovalRequest,
+  secretRotationProvider,
+  secretRotation
 };

backend/src/ee/routes/v1/secretRotation.ts

@@ -0,0 +1,41 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.post(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.createSecretRotation
+);
+
+router.post(
+  "/restart",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.restartSecretRotations
+);
+
+router.get(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.getSecretRotations
+);
+
+router.delete(
+  "/:id",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.deleteSecretRotations
+);
+
+export default router;

backend/src/ee/routes/v1/secretRotationProvider.ts

@@ -0,0 +1,17 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationProviderController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.get(
+  "/:workspaceId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationProviderController.getProviderTemplates
+);
+
+export default router;

backend/src/ee/routes/v1/workspace.ts

@@ -28,14 +28,6 @@ router.post(
   workspaceController.rollbackWorkspaceSecretSnapshot
 );
 
-router.get(
-  "/:workspaceId/logs",
-  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
-  }),
-  workspaceController.getWorkspaceLogs
-);
-
 router.get(
   "/:workspaceId/audit-logs",
   requireAuth({

backend/src/ee/routes/v3/apiKeyData.ts

@@ -0,0 +1,31 @@
+import express from "express";
+const router = express.Router();
+import { requireAuth } from "../../../middleware";
+import { AuthMode } from "../../../variables";
+import { apiKeyDataController } from "../../controllers/v3";
+
+router.post(
+    "/",
+    requireAuth({
+        acceptedAuthModes: [AuthMode.JWT]
+    }),
+    apiKeyDataController.createAPIKeyData
+);
+
+router.patch(
+    "/:apiKeyDataId",
+    requireAuth({
+        acceptedAuthModes: [AuthMode.JWT]
+    }),
+    apiKeyDataController.updateAPIKeyData
+);
+
+router.delete(
+    "/:apiKeyDataId",
+    requireAuth({
+        acceptedAuthModes: [AuthMode.JWT]
+    }),
+    apiKeyDataController.deleteAPIKeyData
+);
+
+export default router;

backend/src/ee/routes/v3/index.ts

@@ -1,5 +1,7 @@
 import serviceTokenData from "./serviceTokenData";
+import apiKeyData from "./apiKeyData";
 
 export {
-    serviceTokenData
+    serviceTokenData,
+    apiKeyData
 }

backend/src/ee/routes/v3/serviceTokenData.ts

@@ -7,11 +7,16 @@ import { serviceTokenDataController } from "../../controllers/v3";
 router.get(
   "/me/key",
   requireAuth({
-    acceptedAuthModes: [AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.SERVICE_ACCESS_TOKEN]
   }),
   serviceTokenDataController.getServiceTokenDataKey
 );
 
+router.post(
+  "/me/token",
+  serviceTokenDataController.refreshToken
+);
+
 router.post(
     "/",
     requireAuth({

backend/src/ee/secretRotation/models.ts

@@ -0,0 +1,91 @@
+import { Schema, model } from "mongoose";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { ISecretRotation } from "./types";
+
+const secretRotationSchema = new Schema(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace"
+    },
+    provider: {
+      type: String,
+      required: true
+    },
+    customProvider: {
+      type: Schema.Types.ObjectId,
+      ref: "SecretRotationProvider"
+    },
+    environment: {
+      type: String,
+      required: true
+    },
+    secretPath: {
+      type: String,
+      required: true
+    },
+    interval: {
+      type: Number,
+      required: true
+    },
+    lastRotatedAt: {
+      type: String
+    },
+    status: {
+      type: String,
+      enum: ["success", "failed"]
+    },
+    statusMessage: {
+      type: String
+    },
+    // encrypted data on input keys and secrets got
+    encryptedData: {
+      type: String,
+      select: false
+    },
+    encryptedDataIV: {
+      type: String,
+      select: false
+    },
+    encryptedDataTag: {
+      type: String,
+      select: false
+    },
+    algorithm: {
+      // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true,
+      select: false,
+      default: ALGORITHM_AES_256_GCM
+    },
+    keyEncoding: {
+      type: String,
+      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+      required: true,
+      select: false,
+      default: ENCODING_SCHEME_UTF8
+    },
+    outputs: [
+      {
+        key: {
+          type: String,
+          required: true
+        },
+        secret: {
+          type: Schema.Types.ObjectId,
+          ref: "Secret"
+        }
+      }
+    ]
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const SecretRotation = model<ISecretRotation>("SecretRotation", secretRotationSchema);

backend/src/ee/secretRotation/queue/queue.ts

@@ -0,0 +1,288 @@
+import Queue, { Job } from "bull";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../../config";
+import { BotService, EventService, TelemetryService } from "../../../services";
+import { SecretRotation } from "../models";
+import { rotationTemplates } from "../templates";
+import {
+  ISecretRotationData,
+  ISecretRotationEncData,
+  ISecretRotationProviderTemplate,
+  TProviderFunctionTypes
+} from "../types";
+import {
+  decryptSymmetric128BitHexKeyUTF8,
+  encryptSymmetric128BitHexKeyUTF8
+} from "../../../utils/crypto";
+import { ISecret, Secret } from "../../../models";
+import { ENCODING_SCHEME_BASE64, ENCODING_SCHEME_UTF8, SECRET_SHARED } from "../../../variables";
+import { EESecretService } from "../../services";
+import { SecretVersion } from "../../models";
+import { eventPushSecrets } from "../../../events";
+import { logger } from "../../../utils/logging";
+
+import {
+  secretRotationPreSetFn,
+  secretRotationRemoveFn,
+  secretRotationSetFn,
+  secretRotationTestFn
+} from "./queue.utils";
+
+const secretRotationQueue = new Queue("secret-rotation-service", process.env.REDIS_URL as string);
+
+secretRotationQueue.process(async (job: Job) => {
+  logger.info(`secretRotationQueue.process: [rotationDocument=${job.data.rotationDocId}]`);
+  const rotationStratDocId = job.data.rotationDocId;
+  const secretRotation = await SecretRotation.findById(rotationStratDocId)
+    .select("+encryptedData +encryptedDataTag +encryptedDataIV +keyEncoding")
+    .populate<{
+      outputs: [
+        {
+          key: string;
+          secret: ISecret;
+        }
+      ];
+    }>("outputs.secret");
+
+  const infisicalRotationProvider = rotationTemplates.find(
+    ({ name }) => name === secretRotation?.provider
+  );
+
+  try {
+    if (!infisicalRotationProvider || !secretRotation)
+      throw new Error("Failed to find rotation strategy");
+
+    if (secretRotation.outputs.some(({ secret }) => !secret))
+      throw new Error("Secrets not found in dashboard");
+
+    const workspaceId = secretRotation.workspace;
+
+    // deep copy
+    const provider = JSON.parse(
+      JSON.stringify(infisicalRotationProvider)
+    ) as ISecretRotationProviderTemplate;
+
+    // decrypt user  provided inputs for secret rotation
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+    let decryptedData = "";
+    if (rootEncryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_BASE64) {
+      // case: encoding scheme is base64
+      decryptedData = client.decryptSymmetric(
+        secretRotation.encryptedData,
+        rootEncryptionKey,
+        secretRotation.encryptedDataIV,
+        secretRotation.encryptedDataTag
+      );
+    } else if (encryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_UTF8) {
+      // case: encoding scheme is utf8
+      decryptedData = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secretRotation.encryptedData,
+        iv: secretRotation.encryptedDataIV,
+        tag: secretRotation.encryptedDataTag,
+        key: encryptionKey
+      });
+    }
+
+    const variables = JSON.parse(decryptedData) as ISecretRotationEncData;
+
+    // rotation set cycle
+    const newCredential: ISecretRotationData = {
+      inputs: variables.inputs,
+      outputs: {},
+      internal: {}
+    };
+    // special glue code for database
+    if (provider.template.functions.set.type === TProviderFunctionTypes.DB) {
+      const lastCred = variables.creds.at(-1);
+      if (lastCred && variables.creds.length === 1) {
+        newCredential.internal.username =
+          lastCred.internal.username === variables.inputs.username1
+            ? variables.inputs.username2
+            : variables.inputs.username1;
+      } else {
+        newCredential.internal.username = lastCred
+          ? lastCred.internal.username
+          : variables.inputs.username1;
+      }
+    }
+    if (provider.template.functions.set?.pre) {
+      secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
+    }
+    await secretRotationSetFn(provider.template.functions.set, newCredential);
+    await secretRotationTestFn(provider.template.functions.test, newCredential);
+
+    if (variables.creds.length === 2) {
+      const deleteCycleCred = variables.creds.pop();
+      if (deleteCycleCred && provider.template.functions.remove) {
+        const deleteCycleVar = { inputs: variables.inputs, ...deleteCycleCred };
+        await secretRotationRemoveFn(provider.template.functions.remove, deleteCycleVar);
+      }
+    }
+    variables.creds.unshift({ outputs: newCredential.outputs, internal: newCredential.internal });
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(variables),
+      rootEncryptionKey
+    );
+
+    // save the rotation state
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      encryptedData: ciphertext,
+      encryptedDataIV: iv,
+      encryptedDataTag: tag,
+      status: "success",
+      statusMessage: "Rotated successfully",
+      lastRotatedAt: new Date().toUTCString()
+    });
+
+    const key = await BotService.getWorkspaceKeyWithBot({
+      workspaceId: secretRotation.workspace
+    });
+
+    const encryptedSecrets = secretRotation.outputs.map(({ key: outputKey, secret }) => ({
+      secret,
+      value: encryptSymmetric128BitHexKeyUTF8({
+        plaintext:
+          typeof newCredential.outputs[outputKey] === "object"
+            ? JSON.stringify(newCredential.outputs[outputKey])
+            : String(newCredential.outputs[outputKey]),
+        key
+      })
+    }));
+
+    // now save the secret do a bulk update
+    // can't use the updateSecret function due to various parameter required issue
+    // REFACTOR(akhilmhdh): secret module should be lot more flexible. Ability to update bulk or individually by blindIndex, by id etc
+    await Secret.bulkWrite(
+      encryptedSecrets.map(({ secret, value }) => ({
+        updateOne: {
+          filter: {
+            workspace: workspaceId,
+            environment: secretRotation.environment,
+            _id: secret._id,
+            type: SECRET_SHARED
+          },
+          update: {
+            $inc: {
+              version: 1
+            },
+            secretValueCiphertext: value.ciphertext,
+            secretValueIV: value.iv,
+            secretValueTag: value.tag
+          }
+        }
+      }))
+    );
+
+    await EESecretService.addSecretVersions({
+      secretVersions: encryptedSecrets.map(({ secret, value }) => {
+        const {
+          _id,
+          version,
+          workspace,
+          type,
+          folder,
+          secretBlindIndex,
+          secretKeyIV,
+          secretKeyTag,
+          secretKeyCiphertext,
+          skipMultilineEncoding,
+          environment,
+          algorithm,
+          keyEncoding
+        } = secret;
+
+        return new SecretVersion({
+          secret: _id,
+          version: version + 1,
+          workspace: workspace,
+          type,
+          folder,
+          environment,
+          isDeleted: false,
+          secretBlindIndex: secretBlindIndex,
+          secretKeyCiphertext: secretKeyCiphertext,
+          secretKeyIV: secretKeyIV,
+          secretKeyTag: secretKeyTag,
+          secretValueCiphertext: value.ciphertext,
+          secretValueIV: value.iv,
+          secretValueTag: value.tag,
+          algorithm,
+          keyEncoding,
+          skipMultilineEncoding
+        });
+      })
+    });
+
+    // akhilmhdh: @tony need to do something about this as its depend on authData which is not possibile in here
+    // await EEAuditLogService.createAuditLog(
+    //   {actor:ActorType.Machine},
+    //   {
+    //     type: EventType.UPDATE_SECRETS,
+    //     metadata: {
+    //       environment,
+    //       secretPath,
+    //       secrets: secretsToBeUpdated.map(({ _id, version, secretBlindIndex }) => ({
+    //         secretId: _id.toString(),
+    //         secretKey: secretBlindIndexToKey[secretBlindIndex || ""],
+    //         secretVersion: version + 1
+    //       }))
+    //     }
+    //   },
+    //   {
+    //     workspaceId
+    //   }
+    // );
+
+    const folderId = encryptedSecrets?.[0]?.secret?.folder;
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId,
+      environment: secretRotation.environment,
+      folderId
+    });
+
+    await EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: secretRotation.workspace,
+        environment: secretRotation.environment,
+        secretPath: secretRotation.secretPath
+      })
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+    if (postHogClient) {
+      postHogClient.capture({
+        event: "secrets rotated",
+        properties: {
+          numberOfSecrets: encryptedSecrets.length,
+          environment: secretRotation.environment,
+          workspaceId,
+          folderId
+        }
+      });
+    }
+  } catch (err) {
+    logger.error(err);
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      status: "failed",
+      statusMessage: (err as Error).message,
+      lastRotatedAt: new Date().toUTCString()
+    });
+  }
+
+  return Promise.resolve();
+});
+
+const daysToMillisecond = (days: number) => days * 24 * 60 * 60 * 1000;
+export const startSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  // when migration to bull mq just use the option immedite to trigger repeatable immediately
+  secretRotationQueue.add({ rotationDocId }, { jobId: rotationDocId, removeOnComplete: true });
+  return secretRotationQueue.add(
+    { rotationDocId },
+    { repeat: { every: daysToMillisecond(interval) }, jobId: rotationDocId }
+  );
+};
+
+export const removeSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  return secretRotationQueue.removeRepeatable({ every: interval * 1000, jobId: rotationDocId });
+};

backend/src/ee/secretRotation/queue/queue.utils.ts

@@ -0,0 +1,179 @@
+import axios from "axios";
+import jmespath from "jmespath";
+import { customAlphabet } from "nanoid";
+import { Client as PgClient } from "pg";
+import mysql from "mysql2";
+import {
+  ISecretRotationData,
+  TAssignOp,
+  TDbProviderClients,
+  TDbProviderFunction,
+  TDirectAssignOp,
+  THttpProviderFunction,
+  TProviderFunction,
+  TProviderFunctionTypes
+} from "../types";
+const REGEX = /\${([^}]+)}/g;
+const SLUG_ALPHABETS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+const nanoId = customAlphabet(SLUG_ALPHABETS, 10);
+
+export const interpolate = (data: any, getValue: (key: string) => unknown) => {
+  if (!data) return;
+
+  if (typeof data === "number") return data;
+
+  if (typeof data === "string") {
+    return data.replace(REGEX, (_a, b) => getValue(b) as string);
+  }
+
+  if (typeof data === "object" && Array.isArray(data)) {
+    data.forEach((el, index) => {
+      data[index] = interpolate(el, getValue);
+    });
+  }
+
+  if (typeof data === "object") {
+    if ((data as { ref: string })?.ref) return getValue((data as { ref: string }).ref);
+    const temp = data as Record<string, unknown>; // for converting ts object to record type
+    Object.keys(temp).forEach((key) => {
+      temp[key as keyof typeof temp] = interpolate(data[key as keyof typeof temp], getValue);
+    });
+  }
+  return data;
+};
+
+const getInterpolationValue = (variables: ISecretRotationData) => (key: string) => {
+  if (key.includes("|")) {
+    const [keyword, ...arg] = key.split("|").map((el) => el.trim());
+    switch (keyword) {
+      case "random": {
+        return nanoId(parseInt(arg[0], 10));
+      }
+      default: {
+        throw Error(`Interpolation key not found - ${key}`);
+      }
+    }
+  }
+  const [type, keyName] = key.split(".").map((el) => el.trim());
+  return variables[type as keyof ISecretRotationData][keyName];
+};
+
+export const secretRotationHttpFn = async (
+  func: THttpProviderFunction,
+  variables: ISecretRotationData
+) => {
+  // string interpolation
+  const headers = interpolate(func.header, getInterpolationValue(variables));
+  const url = interpolate(func.url, getInterpolationValue(variables));
+  const body = interpolate(func.body, getInterpolationValue(variables));
+  // axios will automatically throw error if req status is not between 2xx range
+  return axios({ method: func.method, url, headers, data: body });
+};
+
+export const secretRotationDbFn = async (
+  func: TDbProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const { type, client, pre, ...dbConnection } = func;
+  const { username, password, host, database, port, query, ca } = interpolate(
+    dbConnection,
+    getInterpolationValue(variables)
+  );
+  const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
+  if (host === "localhost" || host === "127.0.0.1") throw new Error("Invalid db host");
+  if (client === TDbProviderClients.Pg) {
+    const pgClient = new PgClient({ user: username, password, host, database, port, ssl });
+    await pgClient.connect();
+    const res = await pgClient.query(query);
+    await pgClient.end();
+    return res.rows[0];
+  } else if (client === TDbProviderClients.Sql) {
+    const sqlClient = mysql.createPool({
+      user: username,
+      password,
+      host,
+      database,
+      port,
+      connectionLimit: 1,
+      ssl
+    });
+    const res = await new Promise((resolve, reject) => {
+      sqlClient.query(query, (err, data) => {
+        if (err) return reject(err);
+        resolve(data);
+      });
+    });
+    await new Promise((resolve, reject) => {
+      sqlClient.end(function (err) {
+        if (err) return reject(err);
+        return resolve({});
+      });
+    });
+    return (res as any)?.[0];
+  }
+};
+
+export const secretRotationPreSetFn = (
+  op: Record<string, TDirectAssignOp>,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  Object.entries(op || {}).forEach(([key, assignFn]) => {
+    const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+    variables[type][keyName] = interpolate(assignFn.value, getValFn);
+  });
+};
+
+export const secretRotationSetFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  // http setter
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    const res = await secretRotationHttpFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        variables[type][keyName] = jmespath.search(res.data, assignFn.path);
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+    // db setter
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    const data = await secretRotationDbFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        if (typeof data === "object") {
+          variables[type][keyName] = jmespath.search(data, assignFn.path);
+        }
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+  }
+};
+
+export const secretRotationTestFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    await secretRotationHttpFn(func, variables);
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    await secretRotationDbFn(func, variables);
+  }
+};
+
+export const secretRotationRemoveFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (!func) return;
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    // string interpolation
+    return await secretRotationHttpFn(func, variables);
+  }
+};

backend/src/ee/secretRotation/service.ts

@@ -0,0 +1,130 @@
+import { ISecretRotationEncData, TCreateSecretRotation, TGetProviderTemplates } from "./types";
+import { rotationTemplates } from "./templates";
+import { SecretRotation } from "./models";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import Ajv from "ajv";
+import { removeSecretRotationQueue, startSecretRotationQueue } from "./queue/queue";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+
+const ajv = new Ajv({ strict: false });
+
+export const getProviderTemplate = async ({ workspaceId }: TGetProviderTemplates) => {
+  return {
+    custom: [],
+    providers: rotationTemplates
+  };
+};
+
+export const createSecretRotation = async ({
+  workspaceId,
+  secretPath,
+  environment,
+  provider,
+  interval,
+  inputs,
+  outputs
+}: TCreateSecretRotation) => {
+  const rotationTemplate = rotationTemplates.find(({ name }) => name === provider);
+  if (!rotationTemplate) throw BadRequestError({ message: "Provider not found" });
+
+  const formattedInputs: Record<string, unknown> = {};
+  Object.entries(inputs).forEach(([key, value]) => {
+    const type = rotationTemplate.template.inputs.properties[key].type;
+    if (type === "string") {
+      formattedInputs[key] = value;
+      return;
+    }
+    if (type === "integer") {
+      formattedInputs[key] = parseInt(value as string, 10);
+      return;
+    }
+    formattedInputs[key] = JSON.parse(value as string);
+  });
+  // ensure input one follows the correct schema
+  const valid = ajv.validate(rotationTemplate.template.inputs, formattedInputs);
+  if (!valid) {
+    throw BadRequestError({ message: ajv.errors?.[0].message });
+  }
+
+  const encData: Partial<ISecretRotationEncData> = {
+    inputs: formattedInputs,
+    creds: []
+  };
+
+  const secretRotation = new SecretRotation({
+    workspace: workspaceId,
+    provider,
+    environment,
+    secretPath,
+    interval,
+    outputs: Object.entries(outputs).map(([key, secret]) => ({ key, secret }))
+  });
+
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  if (rootEncryptionKey) {
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(encData),
+      rootEncryptionKey
+    );
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_BASE64;
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: JSON.stringify(encData),
+      key: encryptionKey
+    });
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_UTF8;
+  }
+
+  await secretRotation.save();
+  await startSecretRotationQueue(secretRotation._id.toString(), interval);
+
+  return secretRotation;
+};
+
+export const deleteSecretRotation = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findByIdAndRemove(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(doc._id.toString(), doc.interval);
+  return doc;
+};
+
+export const restartSecretRotation = async ({ id }: { id: string }) => {
+  const secretRotation = await SecretRotation.findById(id);
+  if (!secretRotation) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+  await startSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+
+  return secretRotation;
+};
+
+export const getSecretRotationById = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findById(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+  return doc;
+};
+
+export const getSecretRotationOfWorkspace = async (workspaceId: string) => {
+  const secretRotations = await SecretRotation.find({
+    workspace: workspaceId
+  }).populate("outputs.secret");
+
+  return secretRotations;
+};

backend/src/ee/secretRotation/templates/index.ts

@@ -0,0 +1,28 @@
+import { ISecretRotationProviderTemplate } from "../types";
+import { MYSQL_TEMPLATE } from "./mysql";
+import { POSTGRES_TEMPLATE } from "./postgres";
+import { SENDGRID_TEMPLATE } from "./sendgrid";
+
+export const rotationTemplates: ISecretRotationProviderTemplate[] = [
+  {
+    name: "sendgrid",
+    title: "Twilio Sendgrid",
+    image: "sendgrid.png",
+    description: "Rotate Twilio Sendgrid API keys",
+    template: SENDGRID_TEMPLATE
+  },
+  {
+    name: "postgres",
+    title: "PostgreSQL",
+    image: "postgres.png",
+    description: "Rotate PostgreSQL/CockroachDB user credentials",
+    template: POSTGRES_TEMPLATE
+  },
+  {
+    name: "mysql",
+    title: "MySQL",
+    image: "mysql.png",
+    description: "Rotate MySQL@7/MariaDB user credentials",
+    template: MYSQL_TEMPLATE
+  }
+];

backend/src/ee/secretRotation/templates/mysql.ts

@@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const MYSQL_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "3306" },
+      username1: {
+        type: "string",
+        default: "infisical-sql-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-sql-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} IDENTIFIED BY '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};

backend/src/ee/secretRotation/templates/postgres.ts

@@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const POSTGRES_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "5432" },
+      username1: {
+        type: "string",
+        default: "infisical-pg-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-pg-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} WITH PASSWORD '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};

backend/src/ee/secretRotation/templates/sendgrid.ts

@@ -0,0 +1,63 @@
+import { TAssignOp, TProviderFunctionTypes } from "../types";
+
+export const SENDGRID_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_api_key: { type: "string" as const, desc: "Sendgrid admin api key to create new keys" },
+      api_key_scopes: {
+        type: "array",
+        items: { type: "string" as const },
+        desc: "Scopes for created tokens by rotation(Array)"
+      }
+    },
+    required: ["admin_api_key", "api_key_scopes"],
+    additionalProperties: false
+  },
+  outputs: {
+    api_key: { type: "string" }
+  },
+  internal: {
+    api_key_id: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys",
+      method: "POST",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      body: {
+        name: "infisical-${random | 16}",
+        scopes: { ref: "inputs.api_key_scopes" }
+      },
+      setter: {
+        "outputs.api_key": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key"
+        },
+        "internal.api_key_id": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key_id"
+        }
+      }
+    },
+    remove: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "DELETE"
+    },
+    test: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "GET"
+    }
+  }
+};

backend/src/ee/secretRotation/types.ts

@@ -0,0 +1,131 @@
+import { Document, Types } from "mongoose";
+
+export interface ISecretRotation extends Document {
+  _id: Types.ObjectId;
+  name: string;
+  interval: number;
+  provider: string;
+  customProvider: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  secretPath: string;
+  outputs: Array<{
+    key: string;
+    secret: Types.ObjectId;
+  }>;
+  status?: "success" | "failed";
+  lastRotatedAt?: string;
+  statusMessage?: string;
+  encryptedData: string;
+  encryptedDataIV: string;
+  encryptedDataTag: string;
+  algorithm: string;
+  keyEncoding: string;
+}
+
+export type ISecretRotationEncData = {
+  inputs: Record<string, unknown>;
+  creds: Array<{
+    outputs: Record<string, unknown>;
+    internal: Record<string, unknown>;
+  }>;
+};
+
+export type ISecretRotationData = {
+  inputs: Record<string, unknown>;
+  outputs: Record<string, unknown>;
+  internal: Record<string, unknown>;
+};
+
+export type ISecretRotationProviderTemplate = {
+  name: string;
+  title: string;
+  image?: string;
+  description?: string;
+  template: TProviderTemplate;
+};
+
+export enum TProviderFunctionTypes {
+  HTTP = "http",
+  DB = "database"
+}
+
+export enum TDbProviderClients {
+  // postgres, cockroack db, amazon red shift
+  Pg = "pg",
+  // mysql and maria db
+  Sql = "sql"
+}
+
+export enum TAssignOp {
+  Direct = "direct",
+  JmesPath = "jmesopath"
+}
+
+export type TJmesPathAssignOp = {
+  assign: TAssignOp.JmesPath;
+  path: string;
+};
+
+export type TDirectAssignOp = {
+  assign: TAssignOp.Direct;
+  value: string;
+};
+
+export type TAssignFunction = TJmesPathAssignOp | TDirectAssignOp;
+
+export type THttpProviderFunction = {
+  type: TProviderFunctionTypes.HTTP;
+  url: string;
+  method: string;
+  header?: Record<string, string>;
+  query?: Record<string, string>;
+  body?: Record<string, unknown>;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TDbProviderFunction = {
+  type: TProviderFunctionTypes.DB;
+  client: TDbProviderClients;
+  username: string;
+  password: string;
+  host: string;
+  database: string;
+  port: string;
+  query: string;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TProviderFunction = THttpProviderFunction | TDbProviderFunction;
+
+export type TProviderTemplate = {
+  inputs: {
+    type: "object";
+    properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
+    required?: string[];
+  };
+  outputs: Record<string, unknown>;
+  functions: {
+    set: TProviderFunction;
+    remove?: TProviderFunction;
+    test: TProviderFunction;
+  };
+};
+
+// function type args
+export type TGetProviderTemplates = {
+  workspaceId: string;
+};
+
+export type TCreateSecretRotation = {
+  provider: string;
+  customProvider?: string;
+  workspaceId: string;
+  secretPath: string;
+  environment: string;
+  interval: number;
+  inputs: Record<string, unknown>;
+  outputs: Record<string, string>;
+};

backend/src/ee/services/EELicenseService.ts

@@ -38,6 +38,7 @@ interface FeatureSet {
     trial_end: number | null;
     has_used_trial: boolean;
     secretApproval: boolean;
+    secretRotation: boolean;
 }
 
 /**
@@ -74,7 +75,8 @@ class EELicenseService {
         status: null,
         trial_end: null,
         has_used_trial: true,
-        secretApproval: false
+        secretApproval: false,
+        secretRotation: true,
     }
 
     public localFeatureSet: NodeCache;

backend/src/ee/services/EELogService.ts

@@ -1,91 +0,0 @@
-import { Types } from "mongoose";
-import { 
-    IAction,
-} from "../models";
-import {
-    createLogHelper,
-} from "../helpers/log";
-import {
-    createActionHelper,
-} from "../helpers/action";
-import EELicenseService from "./EELicenseService";
-
-/**
- * Class to handle Enterprise Edition log actions
- */
-class EELogService {
-    /**
-     * Create an (audit) log
-     * @param {Object} obj
-     * @param {String} obj.userId - id of user associated with the log
-     * @param {String} obj.workspaceId - id of workspace associated with the log
-     * @param {Action} obj.actions - actions to include in log
-     * @param {String} obj.channel - channel (web/cli/auto) associated with the log
-     * @param {String} obj.ipAddress - ip address associated with the log
-     * @returns {Log} log - new audit log
-     */
-    static async createLog({
-        userId,
-        serviceAccountId,
-        serviceTokenDataId,
-        workspaceId,
-        actions,
-        channel,
-        ipAddress,
-    }: {
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        actions: IAction[];
-        channel: string;
-        ipAddress: string;
-    }) {
-        if (!EELicenseService.isLicenseValid) return null;
-        return await createLogHelper({
-            userId,
-            serviceAccountId,
-            serviceTokenDataId,
-            workspaceId,
-            actions,
-            channel,
-            ipAddress,
-        })
-    }
-    
-    /**
-     * Create an (audit) action
-     * @param {Object} obj
-     * @param {String} obj.name - name of action
-     * @param {Types.ObjectId} obj.userId - id of user associated with the action
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
-     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
-     * @returns {Action} action - new action
-     */
-    static async createAction({
-        name,
-        userId,
-        serviceAccountId,
-        serviceTokenDataId,
-        workspaceId,
-        secretIds,
-    }: {
-        name: string;
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        secretIds?: Types.ObjectId[];
-    }) {
-        return await createActionHelper({
-            name,
-            userId,
-            serviceAccountId,
-            serviceTokenDataId,
-            workspaceId,
-            secretIds,
-        });
-    }
-}
-
-export default EELogService;

backend/src/ee/services/ProjectRoleService.ts

@@ -1,3 +1,4 @@
+import { Types } from "mongoose";
 import {
   AbilityBuilder,
   ForcedSubject,
@@ -6,11 +7,14 @@ import {
   buildMongoQueryMatcher,
   createMongoAbility
 } from "@casl/ability";
-import { Membership } from "../../models";
-import { IRole } from "../models/role";
-import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
+import { UnauthorizedRequestError } from "../../utils/errors";
 import { FieldCondition, FieldInstruction, JsInterpreter } from "@ucast/mongo2js";
 import picomatch from "picomatch";
+import { AuthData } from "../../interfaces/middleware";
+import { ActorType, IRole } from "../models";
+import { Membership, ServiceTokenData, ServiceTokenDataV3 } from "../../models";
+import { ADMIN, CUSTOM, MEMBER, VIEWER } from "../../variables";
+import { checkIPAgainstBlocklist } from "../../utils/ip";
 
 const $glob: FieldInstruction<string> = {
   type: "field",
@@ -50,7 +54,8 @@ export enum ProjectPermissionSub {
   Workspace = "workspace",
   Secrets = "secrets",
   SecretRollback = "secret-rollback",
-  SecretApproval = "secret-approval"
+  SecretApproval = "secret-approval",
+  SecretRotation = "secret-rotation"
 }
 
 type SubjectFields = {
@@ -74,6 +79,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
   | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
@@ -92,6 +98,11 @@ const buildAdminPermission = () => {
   can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretApproval);
 
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretRotation);
+
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);
 
@@ -162,6 +173,7 @@ const buildMemberPermission = () => {
   can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);
@@ -214,6 +226,7 @@ const buildViewerPermission = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@@ -230,31 +243,89 @@ const buildViewerPermission = () => {
 
 export const viewerProjectPermission = buildViewerPermission();
 
-export const getUserProjectPermissions = async (userId: string, workspaceId: string) => {
-  // TODO(akhilmhdh): speed this up by pulling from cache later
-  const membership = await Membership.findOne({
-    user: userId,
-    workspace: workspaceId
-  })
-    .populate<{
-      customRole: IRole & { permissions: RawRuleOf<MongoAbility<ProjectPermissionSet>>[] };
-    }>("customRole")
-    .exec();
+/**
+ * Return permissions for user/service pertaining to workspace with id [workspaceId]
+ * 
+ * Note: should not rely on this function for ST V2 authorization logic
+ * b/c ST V2 does not support role-based access control
+ */
+export const getAuthDataProjectPermissions = async ({
+  authData,
+  workspaceId
+}: {
+  authData: AuthData;
+  workspaceId: Types.ObjectId;
+}) => {
+  let role: "admin" | "member" | "viewer" | "custom";
+  let customRole;
+  
+  switch (authData.actor.type) {
+    case ActorType.USER: {
+      const membership = await Membership.findOne({
+        user: authData.authPayload._id,
+        workspace: workspaceId
+      })
+        .populate<{
+          customRole: IRole & { permissions: RawRuleOf<MongoAbility<ProjectPermissionSet>>[] };
+        }>("customRole")
+        .exec();
+    
+      if (!membership || (membership.role === "custom" && !membership.customRole)) {
+        throw UnauthorizedRequestError();
+      }
+      
+      role = membership.role;
+      customRole = membership.customRole;
+      break;
+    }
+    case ActorType.SERVICE: {
+      const serviceTokenData = await ServiceTokenData.findById(authData.authPayload._id);
+      if (!serviceTokenData || !serviceTokenData.workspace.equals(workspaceId)) throw UnauthorizedRequestError();
+      role = "viewer";
+      break;
+    }
+    case ActorType.SERVICE_V3: {
+      const serviceTokenData = await ServiceTokenDataV3
+        .findById(authData.authPayload._id)
+        .populate<{
+          customRole: IRole & { permissions: RawRuleOf<MongoAbility<ProjectPermissionSet>>[] };
+        }>("customRole")
+        .exec();
+        
+      if (!serviceTokenData || (serviceTokenData.role === "custom" && !serviceTokenData.customRole)) {
+        throw UnauthorizedRequestError();
+      }
 
-  if (!membership || (membership.role === "custom" && !membership.customRole)) {
-    throw UnauthorizedRequestError({ message: "User doesn't belong to organization" });
+      checkIPAgainstBlocklist({
+        ipAddress: authData.ipAddress,
+        trustedIps: serviceTokenData.trustedIps
+      });
+    
+      role = serviceTokenData.role;
+      customRole = serviceTokenData.customRole;
+      break;
+    }
+    default:
+      throw UnauthorizedRequestError();
   }
 
-  if (membership.role === "admin") return { permission: adminProjectPermissions, membership };
-  if (membership.role === "member") return { permission: memberProjectPermissions, membership };
-  if (membership.role === "viewer") return { permission: viewerProjectPermission, membership };
-
-  if (membership.role === "custom") {
-    const permission = createMongoAbility<ProjectPermissionSet>(membership.customRole.permissions, {
-      conditionsMatcher
-    });
-    return { permission, membership };
+  switch (role) {
+    case ADMIN:
+      return { permission: adminProjectPermissions };
+    case MEMBER:
+      return { permission: memberProjectPermissions };
+    case VIEWER:
+      return { permission: viewerProjectPermission };
+    case CUSTOM: {
+      if (!customRole) throw UnauthorizedRequestError();
+      return { 
+        permission: createMongoAbility<ProjectPermissionSet>(
+          customRole.permissions, 
+          { conditionsMatcher }
+        )
+      };
+    }
+    default:
+      throw UnauthorizedRequestError();
   }
-
-  throw BadRequestError({ message: "User role not found" });
-};
+}

backend/src/ee/services/index.ts

@@ -1,13 +1,11 @@
 import EELicenseService from "./EELicenseService";
 import EESecretService from "./EESecretService";
-import EELogService from "./EELogService";
 import EEAuditLogService from "./EEAuditLogService";
 import GithubSecretScanningService from "./GithubSecretScanning/GithubSecretScanningService"
 
 export {
     EELicenseService,
     EESecretService,
-    EELogService,
     EEAuditLogService,
     GithubSecretScanningService
 }

backend/src/ee/validation/secretRotation.ts

@@ -0,0 +1,32 @@
+import { z } from "zod";
+
+export const createSecretRotationV1 = z.object({
+  body: z.object({
+    workspaceId: z.string().trim(),
+    secretPath: z.string().trim(),
+    environment: z.string().trim(),
+    interval: z.number().min(1),
+    provider: z.string().trim(),
+    customProvider: z.string().trim().optional(),
+    inputs: z.record(z.unknown()),
+    outputs: z.record(z.string())
+  })
+});
+
+export const restartSecretRotationV1 = z.object({
+  body: z.object({
+    id: z.string().trim()
+  })
+});
+
+export const getSecretRotationV1 = z.object({
+  query: z.object({
+    workspaceId: z.string().trim()
+  })
+});
+
+export const removeSecretRotationV1 = z.object({
+  params: z.object({
+    id: z.string().trim()
+  })
+});

backend/src/ee/validation/secretRotationProvider.ts

@@ -0,0 +1,7 @@
+import { z } from "zod";
+
+export const getSecretRotationProvidersV1 = z.object({
+  params: z.object({
+    workspaceId: z.string()
+  })
+});

backend/src/helpers/auth.ts

@@ -1,366 +1,13 @@
-import { Request } from "express";
 import { Types } from "mongoose";
 import jwt from "jsonwebtoken";
-import bcrypt from "bcrypt";
-import {
-	APIKeyData,
-	ITokenVersion,
-	IUser,
-	ServiceTokenData,
-	ServiceTokenDataV3,
-	TokenVersion,
-	User,
-} from "../models";
-import {
-	APIKeyDataNotFoundError,
-	AccountNotFoundError,
-	BadRequestError,
-	ServiceTokenDataNotFoundError,
-	UnauthorizedRequestError,
-} from "../utils/errors";
+import { ITokenVersion, TokenVersion } from "../models";
+import { UnauthorizedRequestError } from "../utils/errors";
 import {
+	getAuthSecret,
 	getJwtAuthLifetime,
-	getJwtAuthSecret,
-	getJwtProviderAuthSecret,
-	getJwtRefreshLifetime,
-	getJwtRefreshSecret,
-	getJwtServiceTokenSecret
+	getJwtRefreshLifetime
 } from "../config";
-import {
-	AuthMode
-} from "../variables";
-import {
-	ServiceTokenAuthData,
-	ServiceTokenV3AuthData,
-	UserAuthData
-} from "../interfaces/middleware";
-
-import { ActorType } from "../ee/models";
-import { getUserAgentType } from "../utils/posthog";
-
-/**
- * 
- * @param {Object} obj
- * @param {Object} obj.headers - HTTP request headers object
- */
-export const validateAuthMode = ({
-	headers,
-	acceptedAuthModes,
-}: {
-	headers: { [key: string]: string | string[] | undefined },
-	acceptedAuthModes: AuthMode[]
-}) => {
-	
-	// TODO: update this to accept service token v3
-	
-	const apiKey = headers["x-api-key"];
-	const authHeader = headers["authorization"];
-
-	let authMode, authTokenValue;
-	if (apiKey === undefined && authHeader === undefined) {
-		// case: no auth or X-API-KEY header present
-		throw BadRequestError({ message: "Missing Authorization or X-API-KEY in request header." });
-	}
-
-	if (typeof apiKey === "string") {
-		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authMode = AuthMode.API_KEY;
-		authTokenValue = apiKey;
-	}
-
-	if (typeof authHeader === "string") {
-		// case: treat request authentication type as via Authorization header (i.e. either JWT or service token)
-		const [tokenType, tokenValue] = <[string, string]>authHeader.split(" ", 2) ?? [null, null]
-
-		if (tokenType === null)
-			throw BadRequestError({ message: "Missing Authorization Header in the request header." });
-		if (tokenType.toLowerCase() !== "bearer")
-			throw BadRequestError({ message: `The provided authentication type '${tokenType}' is not supported.` });
-		if (tokenValue === null)
-			throw BadRequestError({ message: "Missing Authorization Body in the request header." });
-
-		const parts = tokenValue.split(".");
-		
-		switch (parts[0]) {
-			case "st":
-				authMode = AuthMode.SERVICE_TOKEN;
-				authTokenValue = tokenValue;
-				break;
-			case "stv3":
-				authMode = AuthMode.SERVICE_TOKEN_V3;
-				authTokenValue = parts.slice(1).join(".");
-				break;
-			default:
-				authMode = AuthMode.JWT;
-				authTokenValue = tokenValue;
-		}
-	}
-
-	if (!authMode || !authTokenValue) throw BadRequestError({ message: "Missing valid Authorization or X-API-KEY in request header." });
-
-	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: "The provided authentication type is not supported." });
-
-	return ({
-		authMode,
-		authTokenValue,
-	});
-}
-
-/**
- * Return user payload corresponding to JWT token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - JWT token value
- * @returns {User} user - user corresponding to JWT token
- */
-export const getAuthUserPayload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<UserAuthData> => {
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, await getJwtAuthSecret())
-	);
-
-	const user = await User.findOne({
-		_id: new Types.ObjectId(decodedToken.userId),
-	}).select("+publicKey +accessVersion");
-
-	if (!user) throw AccountNotFoundError({ message: "Failed to find user" });
-
-	if (!user?.publicKey) throw UnauthorizedRequestError({ message: "Failed to authenticate user with partially set up account" });
-
-	const tokenVersion = await TokenVersion.findOneAndUpdate({
-		_id: new Types.ObjectId(decodedToken.tokenVersionId),
-		user: user._id,
-	}, {
-		lastUsed: new Date(),
-	});
-
-	if (!tokenVersion) throw UnauthorizedRequestError({
-		message: "Failed to validate access token",
-	});
-
-	if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError({
-		message: "Failed to validate access token",
-	});
-	
-	return {
-		actor: {
-			type: ActorType.USER,
-			metadata: {
-				userId: user._id.toString(),
-				email: user.email
-			}
-		},
-		authPayload: user,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-	
-	// return ({
-	// 	user,
-	// 	tokenVersionId: tokenVersion._id, // what to do with this? // move this out
-	// });
-}
-
-/**
- * Return service token data payload corresponding to service token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service token value
- * @returns {ServiceTokenData} serviceTokenData - service token data
- */
-export const getAuthSTDPayload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<ServiceTokenAuthData> => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
-
-	const serviceTokenData = await ServiceTokenData
-		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
-
-	if (!serviceTokenData) {
-		throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
-	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-		// case: service token expired
-		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate expired service token",
-		});
-	}
-
-	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: "Failed to authenticate service token",
-	});
-
-	const serviceTokenDataToReturn = await ServiceTokenData
-		.findOneAndUpdate({
-			_id: new Types.ObjectId(TOKEN_IDENTIFIER),
-		}, {
-			lastUsed: new Date(),
-		}, {
-			new: true,
-		})
-		.select("+encryptedKey +iv +tag")
-
-	if (!serviceTokenDataToReturn) throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
-
-	return {
-		actor: {
-			type: ActorType.SERVICE,
-			metadata: {
-				serviceId: serviceTokenDataToReturn._id.toString(),
-				name: serviceTokenDataToReturn.name
-			}
-		},
-		authPayload: serviceTokenDataToReturn,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-}
-
-/**
- * Return service token data V3 payload corresponding to service token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service token value
- * @returns {ServiceTokenData} serviceTokenData - service token data
- */
- export const getAuthSTDV3Payload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<ServiceTokenV3AuthData> => {
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, await getJwtServiceTokenSecret())
-	);
-	
-	const serviceTokenData = await ServiceTokenDataV3.findOneAndUpdate(
-		{
-			_id: new Types.ObjectId(decodedToken._id),
-			isActive: true
-		},
-		{
-			lastUsed: new Date(),
-			$inc: { usageCount: 1 }
-		},
-		{
-			new: true
-		}
-	);
-	
-	if (!serviceTokenData) {
-		throw UnauthorizedRequestError({ 
-			message: "Failed to authenticate"
-		});
-	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-		// case: service token expired
-		await ServiceTokenDataV3.findByIdAndUpdate(
-			serviceTokenData._id,
-			{
-				isActive: false
-			},
-			{
-				new: true
-			}
-		);
-		
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate",
-		});
-	}
-
-	return {
-		actor: {
-			type: ActorType.SERVICE_V3,
-			metadata: {
-				serviceId: serviceTokenData._id.toString(),
-				name: serviceTokenData.name
-			}
-		},
-		authPayload: serviceTokenData,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-}
-
-/**
- * Return API key data payload corresponding to API key [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - API key value
- * @returns {APIKeyData} apiKeyData - API key data
- */
-export const getAuthAPIKeyPayload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<UserAuthData> => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
-
-	let apiKeyData = await APIKeyData
-		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
-		.populate<{ user: IUser }>("user", "+publicKey");
-
-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: "Failed to find API key data" });
-	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-		// case: API key expired
-		await APIKeyData.findByIdAndDelete(apiKeyData._id);
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate expired API key",
-		});
-	}
-
-	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: "Failed to authenticate API key",
-	});
-
-	apiKeyData = await APIKeyData.findOneAndUpdate({
-		_id: new Types.ObjectId(TOKEN_IDENTIFIER),
-	}, {
-		lastUsed: new Date(),
-	}, {
-		new: true,
-	});
-
-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: "Failed to find API key data" });
-	}
-
-	const user = await User.findById(apiKeyData.user).select("+publicKey");
-
-	if (!user) {
-		throw AccountNotFoundError({
-			message: "Failed to find user",
-		});
-	}
-
-	return {
-		actor: {
-			type: ActorType.USER,
-			metadata: {
-				userId: user._id.toString(),
-				email: user.email
-			}
-		},
-		authPayload: user,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-}
+import { AuthTokenType } from "../variables";
 
 /**
  * Return newly issued (JWT) auth and refresh tokens to user with id [userId]
@@ -404,22 +51,24 @@ export const issueAuthTokens = async ({
 	// issue tokens
 	const token = createToken({
 		payload: {
+			authTokenType: AuthTokenType.ACCESS_TOKEN,
 			userId,
 			tokenVersionId: tokenVersion._id.toString(),
 			accessVersion: tokenVersion.accessVersion,
 		},
 		expiresIn: await getJwtAuthLifetime(),
-		secret: await getJwtAuthSecret(),
+		secret: await getAuthSecret(),
 	});
 
 	const refreshToken = createToken({
 		payload: {
+			authTokenType: AuthTokenType.REFRESH_TOKEN,
 			userId,
 			tokenVersionId: tokenVersion._id.toString(),
 			refreshVersion: tokenVersion.refreshVersion,
 		},
 		expiresIn: await getJwtRefreshLifetime(),
-		secret: await getJwtRefreshSecret(),
+		secret: await getAuthSecret(),
 	});
 
 	return {
@@ -451,7 +100,7 @@ export const clearTokens = async (tokenVersionId: Types.ObjectId): Promise<void>
  * bearer/auth, refresh, and temporary signup tokens
  * @param {Object} obj
  * @param {Object} obj.payload - payload of (JWT) token
- * @param {String} obj.secret - (JWT) secret such as [JWT_AUTH_SECRET]
+ * @param {String} obj.secret - (JWT) secret such as [AUTH_SECRET]
  * @param {String} obj.expiresIn - string describing time span such as '10h' or '7d'
  */
 export const createToken = ({
@@ -479,13 +128,16 @@ export const validateProviderAuthToken = async ({
 	email: string;
 	providerAuthToken?: string;
 }) => {
+
 	if (!providerAuthToken) {
 		throw new Error("Invalid authentication request.");
 	}
 
 	const decodedToken = <jwt.ProviderAuthJwtPayload>(
-		jwt.verify(providerAuthToken, await getJwtProviderAuthSecret())
+		jwt.verify(providerAuthToken, await getAuthSecret())
 	);
+	
+	if (decodedToken.authTokenType !== AuthTokenType.PROVIDER_TOKEN) throw UnauthorizedRequestError();
 
 	if (decodedToken.email !== email) {
 		throw new Error("Invalid authentication credentials.")

backend/src/helpers/database.ts

@@ -1,5 +1,5 @@
 import mongoose from "mongoose";
-import { getLogger } from "../utils/logger";
+import { logger } from "../utils/logging";
 
 /**
  * Initialize database connection
@@ -18,10 +18,10 @@ export const initDatabaseHelper = async ({
         // allow empty strings to pass the required validator
         mongoose.Schema.Types.String.checkRequired(v => typeof v === "string");
 
-        (await getLogger("database")).info("Database connection established");
+        logger.info("Database connection established");
 
     } catch (err) {
-        (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
+        logger.error(err, "Unable to establish database connection");
     }
 
     return mongoose.connection;

backend/src/helpers/organization.ts

@@ -1,4 +1,4 @@
-import mongoose, { Types, mongo } from "mongoose";
+import { Types } from "mongoose";
 import { 
   Bot, 
   BotKey,
@@ -23,13 +23,11 @@ import {
   Workspace
 } from "../models";
 import {
-  Action,
   AuditLog,
   FolderVersion,
   GitAppInstallationSession,
   GitAppOrganizationInstallation,
   GitRisks,
-  Log,
   Role,
   SSOConfig,
   SecretApprovalPolicy,
@@ -55,7 +53,7 @@ import {
 import {
   createBotOrg
 } from "./botOrg";
-import { InternalServerError, ResourceNotFoundError } from "../utils/errors";
+import { ResourceNotFoundError } from "../utils/errors";
 
 /**
  * Create an organization with name [name]
@@ -111,311 +109,203 @@ export const createOrganization = async ({
  * @returns 
  */
 export const deleteOrganization = async ({
-  organizationId,
-  existingSession
+  organizationId
 }: {
   organizationId: Types.ObjectId;
-  existingSession?: mongo.ClientSession;
 }) => {
 
-  let session;
-  
-  if (existingSession) {
-    session = existingSession;
-  } else {
-    session = await mongoose.startSession(); 
-    session.startTransaction();
-  }
+  const organization = await Organization.findByIdAndDelete(
+    organizationId
+  );
 
-  try {
-    const organization = await Organization.findByIdAndDelete(
-      organizationId,
-      {
-        session
-      }
+  if (!organization) throw ResourceNotFoundError();
+  
+  await MembershipOrg.deleteMany({
+    organization: organization._id
+  });
+  
+  await BotOrg.deleteMany({
+    organization: organization._id
+  });
+  
+  await SSOConfig.deleteMany({
+    organization: organization._id
+  });
+  
+  await Role.deleteMany({
+    organization: organization._id
+  });
+
+  await IncidentContactOrg.deleteMany({
+    organization: organization._id
+  });
+  
+  await GitRisks.deleteMany({
+    organization: organization._id
+  });
+  
+  await GitAppInstallationSession.deleteMany({
+    organization: organization._id
+  });
+  
+  await GitAppOrganizationInstallation.deleteMany({
+    organization: organization._id
+  });
+
+  const workspaceIds = await Workspace.distinct("_id", {
+    organization: organization._id
+  });
+  
+  await Workspace.deleteMany({
+    organization: organization._id
+  });
+  
+  await Membership.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await Key.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await Bot.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await BotKey.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await SecretBlindIndexData.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await Secret.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await SecretVersion.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await SecretSnapshot.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await SecretImport.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await Folder.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await FolderVersion.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await Webhook.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await TrustedIP.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await Tag.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await IntegrationAuth.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await Integration.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await ServiceToken.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await ServiceTokenData.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await ServiceTokenDataV3.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await ServiceTokenDataV3Key.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await AuditLog.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await SecretApprovalPolicy.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+
+  await SecretApprovalRequest.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  if (organization.customerId) {
+    // delete from stripe here
+    await licenseServerKeyRequest.delete(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}`
     );
-  
-    if (!organization) throw ResourceNotFoundError();
-    
-    await MembershipOrg.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await BotOrg.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await SSOConfig.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await Role.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-
-    await IncidentContactOrg.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await GitRisks.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await GitAppInstallationSession.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await GitAppOrganizationInstallation.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-
-    const workspaceIds = await Workspace.distinct("_id", {
-      organization: organization._id
-    });
-    
-    await Workspace.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await Membership.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await Key.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await Bot.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await BotKey.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await SecretBlindIndexData.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await Secret.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await SecretVersion.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await SecretSnapshot.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await SecretImport.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await Folder.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await FolderVersion.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await Webhook.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await TrustedIP.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await Tag.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await IntegrationAuth.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await Integration.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await ServiceToken.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await ServiceTokenData.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await ServiceTokenDataV3.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await ServiceTokenDataV3Key.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await AuditLog.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await Log.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await Action.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await SecretApprovalPolicy.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-
-    await SecretApprovalRequest.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    if (organization.customerId) {
-      // delete from stripe here
-      await licenseServerKeyRequest.delete(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}`
-      );
-    }
-    
-    return organization;
-  } catch (err) {
-    if (!existingSession) {
-      await session.abortTransaction();
-    }
-    throw InternalServerError({
-      message: "Failed to delete organization"
-    });
-  } finally {
-    if (!existingSession) {
-      await session.commitTransaction();
-      session.endSession();
-    }
   }
+    
+  return organization;
 }
 
 /**

backend/src/helpers/reminder.ts

@@ -0,0 +1,58 @@
+import { ISecret } from "../models";
+import {
+  createRecurringSecretReminder,
+  deleteRecurringSecretReminder,
+  updateRecurringSecretReminder
+} from "../queues/reminders/sendSecretReminders";
+
+type TPartialSecret = Pick<
+  ISecret,
+  "_id" | "secretReminderRepeatDays" | "secretReminderNote" | "workspace"
+>;
+type TPartialSecretDeleteReminder = Pick<ISecret, "_id" | "secretReminderRepeatDays">;
+
+export const createReminder = async (oldSecret: TPartialSecret, newSecret: TPartialSecret) => {
+  if (oldSecret._id !== newSecret._id) {
+    throw new Error("Secret id's don't match");
+  }
+
+  if (!newSecret.secretReminderRepeatDays) {
+    throw new Error("No repeat days provided");
+  }
+
+  const secretId = oldSecret._id.toString();
+  const workspaceId = oldSecret.workspace.toString();
+
+  if (oldSecret.secretReminderRepeatDays) {
+    // This will first delete the existing recurring job, and then create a new one.
+    await updateRecurringSecretReminder({
+      workspaceId,
+      secretId,
+      repeatDays: newSecret.secretReminderRepeatDays,
+      note: newSecret.secretReminderNote
+    });
+  } else {
+    // This will create a new recurring job.
+    await createRecurringSecretReminder({
+      workspaceId,
+      secretId,
+      repeatDays: newSecret.secretReminderRepeatDays,
+      note: newSecret.secretReminderNote
+    });
+  }
+};
+
+export const deleteReminder = async (secret: TPartialSecretDeleteReminder) => {
+  if (!secret._id) {
+    throw new Error("No secret id provided");
+  }
+
+  if (!secret.secretReminderRepeatDays) {
+    throw new Error("No repeat days provided");
+  }
+
+  await deleteRecurringSecretReminder({
+    secretId: secret._id.toString(),
+    repeatDays: secret.secretReminderRepeatDays
+  });
+};

backend/src/helpers/secret.ts

@@ -1,12 +1,8 @@
 import { Types } from "mongoose";
 import { ISecret, Secret } from "../models";
-import { EELogService, EESecretService } from "../ee/services";
-import { IAction, SecretVersion } from "../ee/models";
+import { EESecretService } from "../ee/services";
+import { SecretVersion } from "../ee/models";
 import {
-  ACTION_ADD_SECRETS,
-  ACTION_DELETE_SECRETS,
-  ACTION_READ_SECRETS,
-  ACTION_UPDATE_SECRETS,
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
   SECRET_PERSONAL,
@@ -320,7 +316,6 @@ export const v2PushSecrets = async ({
   ipAddress: string;
 }): Promise<void> => {
   // TODO: clean up function and fix up types
-  const actions: IAction[] = [];
 
   // construct useful data structures
   const oldSecrets = await getSecrets({
@@ -356,15 +351,6 @@ export const v2PushSecrets = async ({
     await EESecretService.markDeletedSecretVersions({
       secretIds: toDelete,
     });
-
-    const deleteAction = await EELogService.createAction({
-      name: ACTION_DELETE_SECRETS,
-      userId: new Types.ObjectId(userId),
-      workspaceId: new Types.ObjectId(userId),
-      secretIds: toDelete,
-    });
-
-    deleteAction && actions.push(deleteAction);
   }
 
   const toUpdate = oldSecrets.filter((s) => {
@@ -451,15 +437,6 @@ export const v2PushSecrets = async ({
         };
       }),
     });
-
-    const updateAction = await EELogService.createAction({
-      name: ACTION_UPDATE_SECRETS,
-      userId: new Types.ObjectId(userId),
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: toUpdate.map((u) => u._id),
-    });
-
-    updateAction && actions.push(updateAction);
   }
 
   // handle adding new secrets
@@ -494,14 +471,6 @@ export const v2PushSecrets = async ({
         });
       }),
     });
-
-    const addAction = await EELogService.createAction({
-      name: ACTION_ADD_SECRETS,
-      userId: new Types.ObjectId(userId),
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: newSecrets.map((n) => n._id),
-    });
-    addAction && actions.push(addAction);
   }
 
   // (EE) take a secret snapshot
@@ -509,17 +478,6 @@ export const v2PushSecrets = async ({
     workspaceId: new Types.ObjectId(workspaceId),
     environment,
   });
-
-  // (EE) create (audit) log
-  if (actions.length > 0) {
-    await EELogService.createLog({
-      userId: new Types.ObjectId(userId),
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions,
-      channel,
-      ipAddress,
-    });
-  }
 };
 
 /**
@@ -589,22 +547,6 @@ export const pullSecrets = async ({
     environment,
   });
 
-  const readAction = await EELogService.createAction({
-    name: ACTION_READ_SECRETS,
-    userId: new Types.ObjectId(userId),
-    workspaceId: new Types.ObjectId(workspaceId),
-    secretIds: secrets.map((n: any) => n._id),
-  });
-
-  readAction &&
-    (await EELogService.createLog({
-      userId: new Types.ObjectId(userId),
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions: [readAction],
-      channel,
-      ipAddress,
-    }));
-
   return secrets;
 };
 

backend/src/helpers/secrets.ts

@@ -13,13 +13,11 @@ import {
   Folder,
   ISecret,
   IServiceTokenData,
-  IServiceTokenDataV3,
   Secret,
   SecretBlindIndexData,
   ServiceTokenData,
   TFolderRootSchema
 } from "../models";
-import { Permission } from "../models/serviceTokenDataV3";
 import { EventType, SecretVersion } from "../ee/models";
 import {
   BadRequestError,
@@ -29,10 +27,6 @@ import {
   UnauthorizedRequestError
 } from "../utils/errors";
 import {
-  ACTION_ADD_SECRETS,
-  ACTION_DELETE_SECRETS,
-  ACTION_READ_SECRETS,
-  ACTION_UPDATE_SECRETS,
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_BASE64,
   ENCODING_SCHEME_UTF8,
@@ -48,49 +42,13 @@ import {
 } from "../utils/crypto";
 import { TelemetryService } from "../services";
 import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
-import { EEAuditLogService, EELogService, EESecretService } from "../ee/services";
-import { getAuthDataPayloadIdObj, getAuthDataPayloadUserObj } from "../utils/auth";
+import { EEAuditLogService, EESecretService } from "../ee/services";
+import { getAuthDataPayloadUserObj } from "../utils/authn/helpers";
 import { getFolderByPath, getFolderIdFromServiceToken } from "../services/FolderService";
 import picomatch from "picomatch";
 import path from "path";
 import { getAnImportedSecret } from "../services/SecretImportService";
 
-/**
- * Validate scope for service token v3
- * @param authPayload
- * @param environment
- * @param secretPath
- * @returns
- */
-export const isValidScopeV3 = ({
-  authPayload,
-  environment,
-  secretPath,
-  requiredPermissions
-}: {
-  authPayload: IServiceTokenDataV3;
-  environment: string;
-  secretPath: string;
-  requiredPermissions: Permission[];
-}) => {
-  const { scopes } = authPayload;
-
-  const validScope = scopes.find(
-    (scope) =>
-      picomatch.isMatch(secretPath, scope.secretPath, { strictSlashes: false }) &&
-      scope.environment === environment
-  );
-
-  if (
-    validScope &&
-    !requiredPermissions.every((permission) => validScope.permissions.includes(permission))
-  ) {
-    return false;
-  }
-
-  return Boolean(validScope);
-};
-
 /**
  * Validate scope for service token v2
  * @param authPayload
@@ -478,23 +436,6 @@ export const createSecretHelper = async ({
     secretVersions: [secretVersion]
   });
 
-  // (EE) create (audit) log
-  const action = await EELogService.createAction({
-    name: ACTION_ADD_SECRETS,
-    ...getAuthDataPayloadIdObj(authData),
-    workspaceId,
-    secretIds: [secret._id]
-  });
-
-  action &&
-    (await EELogService.createLog({
-      ...getAuthDataPayloadIdObj(authData),
-      workspaceId,
-      actions: [action],
-      channel: authData.userAgentType,
-      ipAddress: authData.ipAddress
-    }));
-
   await EEAuditLogService.createAuditLog(
     authData,
     {
@@ -553,14 +494,22 @@ export const getSecretsHelper = async ({
   workspaceId,
   environment,
   authData,
-  folderId,
   secretPath = "/"
 }: GetSecretsParams) => {
   let secrets: ISecret[] = [];
   // if using service token filter towards the folderId by secretpath
 
-  if (!folderId) {
-    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  });
+  let folderId = "root";
+  if (!folders && folderId !== "root") return [];
+  // get folder from folder tree
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) return [];
+    folderId = folder?.id;
   }
 
   // get personal secrets first
@@ -589,23 +538,6 @@ export const getSecretsHelper = async ({
       .lean()
   );
 
-  // (EE) create (audit) log
-  const action = await EELogService.createAction({
-    name: ACTION_READ_SECRETS,
-    ...getAuthDataPayloadIdObj(authData),
-    workspaceId,
-    secretIds: secrets.map((secret) => secret._id)
-  });
-
-  action &&
-    (await EELogService.createLog({
-      ...getAuthDataPayloadIdObj(authData),
-      workspaceId,
-      actions: [action],
-      channel: authData.userAgentType,
-      ipAddress: authData.ipAddress
-    }));
-
   await EEAuditLogService.createAuditLog(
     authData,
     {
@@ -642,18 +574,20 @@ export const getSecretsHelper = async ({
     const approximateForNoneCapturedEvents = secrets.length * 10;
 
     if (shouldCapture) {
-      postHogClient.capture({
-        event: "secrets pulled",
-        distinctId: await TelemetryService.getDistinctId({ authData }),
-        properties: {
-          numberOfSecrets: shouldRecordK8Event ? approximateForNoneCapturedEvents : secrets.length,
-          environment,
-          workspaceId,
-          folderId,
-          channel: authData.userAgentType,
-          userAgent: authData.userAgent
-        }
-      });
+      if (workspaceId.toString() != "650e71fbae3e6c8572f436d4") {
+        postHogClient.capture({
+          event: "secrets pulled",
+          distinctId: await TelemetryService.getDistinctId({ authData }),
+          properties: {
+            numberOfSecrets: shouldRecordK8Event ? approximateForNoneCapturedEvents : secrets.length,
+            environment,
+            workspaceId,
+            folderId,
+            channel: authData.userAgentType,
+            userAgent: authData.userAgent
+          }
+        });
+      }
     }
   }
 
@@ -717,23 +651,6 @@ export const getSecretHelper = async ({
 
   if (!secret) throw SecretNotFoundError();
 
-  // (EE) create (audit) log
-  const action = await EELogService.createAction({
-    name: ACTION_READ_SECRETS,
-    ...getAuthDataPayloadIdObj(authData),
-    workspaceId,
-    secretIds: [secret._id]
-  });
-
-  action &&
-    (await EELogService.createLog({
-      ...getAuthDataPayloadIdObj(authData),
-      workspaceId,
-      actions: [action],
-      channel: authData.userAgentType,
-      ipAddress: authData.ipAddress
-    }));
-
   await EEAuditLogService.createAuditLog(
     authData,
     {
@@ -802,6 +719,8 @@ export const updateSecretHelper = async ({
   secretValueIV,
   secretValueTag,
   secretPath,
+  secretReminderRepeatDays,
+  secretReminderNote,
   tags,
   secretCommentCiphertext,
   secretCommentIV,
@@ -866,6 +785,10 @@ export const updateSecretHelper = async ({
         secretCommentIV,
         secretCommentTag,
         secretCommentCiphertext,
+
+        secretReminderRepeatDays,
+        secretReminderNote,
+
         skipMultilineEncoding,
         secretBlindIndex: newSecretNameBlindIndex,
         secretKeyIV,
@@ -937,23 +860,6 @@ export const updateSecretHelper = async ({
     secretVersions: [secretVersion]
   });
 
-  // (EE) create (audit) log
-  const action = await EELogService.createAction({
-    name: ACTION_UPDATE_SECRETS,
-    ...getAuthDataPayloadIdObj(authData),
-    workspaceId,
-    secretIds: [secret._id]
-  });
-
-  action &&
-    (await EELogService.createLog({
-      ...getAuthDataPayloadIdObj(authData),
-      workspaceId,
-      actions: [action],
-      channel: authData.userAgentType,
-      ipAddress: authData.ipAddress
-    }));
-
   await EEAuditLogService.createAuditLog(
     authData,
     {
@@ -1081,23 +987,6 @@ export const deleteSecretHelper = async ({
     secretIds: secrets.map((secret) => secret._id)
   });
 
-  // (EE) create (audit) log
-  const action = await EELogService.createAction({
-    name: ACTION_DELETE_SECRETS,
-    ...getAuthDataPayloadIdObj(authData),
-    workspaceId,
-    secretIds: secrets.map((secret) => secret._id)
-  });
-
-  action &&
-    (await EELogService.createLog({
-      ...getAuthDataPayloadIdObj(authData),
-      workspaceId,
-      actions: [action],
-      channel: authData.userAgentType,
-      ipAddress: authData.ipAddress
-    }));
-
   await EEAuditLogService.createAuditLog(
     authData,
     {

backend/src/helpers/user.ts

@@ -1,4 +1,4 @@
-import mongoose, { Types, mongo } from "mongoose";
+import { Types } from "mongoose";
 import {
   APIKeyData, 
   BackupPrivateKey,
@@ -10,10 +10,6 @@ import {
   User,
   UserAction
 } from "../models";
-import {
-  Action,
-  Log
-} from "../ee/models";
 import { sendMail } from "./nodemailer";
 import {
   InternalServerError,
@@ -222,141 +218,84 @@ const checkDeleteUserConditions = async ({
  * @returns {User} user - deleted user
  */
 export const deleteUser = async ({
-  userId,
-  existingSession
+  userId
 }: {
   userId: Types.ObjectId;
-	existingSession?: mongo.ClientSession;
 }) => {
+
+  const user = await User.findByIdAndDelete(userId);
   
-  let session;
+  if (!user) throw ResourceNotFoundError();
+
+  await checkDeleteUserConditions({
+    userId: user._id
+  });
   
-  if (existingSession) {
-    session = existingSession;
-  } else {
-    session = await mongoose.startSession();
-    session.startTransaction();
+  await UserAction.deleteMany({
+    user: user._id
+  });
+
+  await BackupPrivateKey.deleteMany({
+    user: user._id
+  });
+
+  await APIKeyData.deleteMany({
+    user: user._id
+  });
+
+  await TokenVersion.deleteMany({
+    user: user._id
+  });
+
+  await Key.deleteMany({
+    receiver: user._id
+  });
+
+  const membershipOrgs = await MembershipOrg.find({
+    user: userId
+  });
+
+  // delete organizations where user is only member
+  for await (const membershipOrg of membershipOrgs) {
+    const memberCount = await MembershipOrg.countDocuments({
+      organization: membershipOrg.organization
+    });
+    
+    if (memberCount === 1) {
+      // organization only has 1 member (the current user)
+
+      await deleteOrganization({
+        organizationId: membershipOrg.organization
+      });
+    }
   }
 
-  try {
-    const user = await User.findByIdAndDelete(userId, {
-      session
+  const memberships = await Membership.find({
+    user: userId
+  });
+
+  // delete workspaces where user is only member
+  for await (const membership of memberships) {
+    const memberCount = await Membership.countDocuments({
+      workspace: membership.workspace
     });
     
-    if (!user) throw ResourceNotFoundError();
+    if (memberCount === 1) {
+      // workspace only has 1 member (the current user) -> delete workspace
 
-    await checkDeleteUserConditions({
-      userId: user._id
-    });
-    
-    await UserAction.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
-
-    await BackupPrivateKey.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
-
-    await APIKeyData.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
-
-    await Action.deleteMany({
-      user: user._id
-    }, {
-      session
-    }); 
-    
-    await Log.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
-
-    await TokenVersion.deleteMany({
-      user: user._id
-    });
-
-    await Key.deleteMany({
-      receiver: user._id
-    }, {
-      session
-    });
-
-    const membershipOrgs = await MembershipOrg.find({
-      user: userId
-    }, null, {
-      session
-    });
-  
-    // delete organizations where user is only member
-    for await (const membershipOrg of membershipOrgs) {
-      const memberCount = await MembershipOrg.countDocuments({
-        organization: membershipOrg.organization
+      await deleteWorkspace({
+        workspaceId: membership.workspace
       });
-      
-      if (memberCount === 1) {
-        // organization only has 1 member (the current user)
-
-        await deleteOrganization({
-          organizationId: membershipOrg.organization,
-          existingSession: session
-        });
-      }
-    }
-
-    const memberships = await Membership.find({
-      user: userId
-    }, null, {
-      session
-    });
-  
-    // delete workspaces where user is only member
-    for await (const membership of memberships) {
-      const memberCount = await Membership.countDocuments({
-        workspace: membership.workspace
-      });
-      
-      if (memberCount === 1) {
-        // workspace only has 1 member (the current user) -> delete workspace
-  
-        await deleteWorkspace({
-          workspaceId: membership.workspace,
-          existingSession: session
-        });
-      }
-    }
-    
-    await MembershipOrg.deleteMany({
-      user: userId
-    }, {
-      session
-    });
-    
-    await Membership.deleteMany({
-      user: userId
-    }, {
-      session
-    });
-
-    return user;
-  } catch (err) {
-    if (!existingSession) {
-      await session.abortTransaction();
-    }
-    throw InternalServerError({
-      message: "Failed to delete account"
-    })
-  } finally {
-    if (!existingSession) {
-      await session.commitTransaction();
-      session.endSession();
     }
   }
+  
+  await MembershipOrg.deleteMany({
+    user: userId
+  });
+  
+  await Membership.deleteMany({
+    user: userId
+  });
+
+  return user;
 }

backend/src/helpers/workspace.ts

@@ -1,4 +1,4 @@
-import mongoose, { Types, mongo } from "mongoose";
+import { Types } from "mongoose";
 import {
 	Bot,
 	BotKey,
@@ -19,11 +19,9 @@ import {
 	Workspace
 } from "../models";
 import {
-	Action,
 	AuditLog,
 	FolderVersion,
 	IPType,
-	Log,
 	SecretApprovalPolicy,
 	SecretApprovalRequest,
 	SecretSnapshot,
@@ -33,8 +31,7 @@ import {
 import { createBot } from "../helpers/bot";
 import { EELicenseService } from "../ee/services";
 import { SecretService } from "../services";
-import { 
-	InternalServerError,
+import {
 	ResourceNotFoundError
 } from "../utils/errors";
 
@@ -102,189 +99,105 @@ export const createWorkspace = async ({
  * @param {String} obj.id - id of workspace to delete
  */
 export const deleteWorkspace = async ({ 
-	workspaceId,
-	existingSession
+	workspaceId
 }: { 
 	workspaceId: Types.ObjectId;
-	existingSession?: mongo.ClientSession;
 }) => {
-
-	let session;
-
-	if (existingSession) {
-		session = existingSession;
-	} else {
-		session = await mongoose.startSession();
-		session.startTransaction();
-	}
+	const workspace = await Workspace.findByIdAndDelete(workspaceId);
 	
-	try {
-		const workspace = await Workspace.findByIdAndDelete(workspaceId, { session });
-		
-		if (!workspace) throw ResourceNotFoundError();
-		
-		await Membership.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		await Key.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		await Bot.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	if (!workspace) throw ResourceNotFoundError();
+	
+	await Membership.deleteMany({
+		workspace: workspace._id
+	});
+	
+	await Key.deleteMany({
+		workspace: workspace._id
+	});
+	
+	await Bot.deleteMany({
+		workspace: workspace._id
+	});
 
-		await BotKey.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await BotKey.deleteMany({
+		workspace: workspace._id
+	});
 
-		await SecretBlindIndexData.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretBlindIndexData.deleteMany({
+		workspace: workspace._id
+	});
 
-		await Secret.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		await SecretVersion.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Secret.deleteMany({
+		workspace: workspace._id
+	});
+	
+	await SecretVersion.deleteMany({
+		workspace: workspace._id
+	});
 
-		await SecretSnapshot.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretSnapshot.deleteMany({
+		workspace: workspace._id
+	});
 
-		await SecretImport.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretImport.deleteMany({
+		workspace: workspace._id
+	});
 
-		await Folder.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Folder.deleteMany({
+		workspace: workspace._id
+	});
 
-		await FolderVersion.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await FolderVersion.deleteMany({
+		workspace: workspace._id
+	});
 
-		await Webhook.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Webhook.deleteMany({
+		workspace: workspace._id
+	});
 
-		await TrustedIP.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await TrustedIP.deleteMany({
+		workspace: workspace._id
+	});
 
-		await Tag.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Tag.deleteMany({
+		workspace: workspace._id
+	});
 
-		await IntegrationAuth.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await IntegrationAuth.deleteMany({
+		workspace: workspace._id
+	});
 
-		await Integration.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Integration.deleteMany({
+		workspace: workspace._id
+	});
 
-		await ServiceToken.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceToken.deleteMany({
+		workspace: workspace._id
+	});
 
-		await ServiceTokenData.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceTokenData.deleteMany({
+		workspace: workspace._id
+	});
 
-		await ServiceTokenDataV3.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceTokenDataV3.deleteMany({
+		workspace: workspace._id
+	});
 
-		await ServiceTokenDataV3Key.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceTokenDataV3Key.deleteMany({
+		workspace: workspace._id
+	});
 
-		await AuditLog.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await AuditLog.deleteMany({
+		workspace: workspace._id
+	});
 
-		await Log.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretApprovalPolicy.deleteMany({
+		workspace: workspace._id
+	});
 
-		await Action.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-
-		await SecretApprovalPolicy.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-
-		await SecretApprovalRequest.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		return workspace;
-	} catch (err) {
-		if (!existingSession) {
-			await session.abortTransaction();
-		}
-		throw InternalServerError({
-			message: "Failed to delete organization"
-		});
-	} finally {
-		if (!existingSession) {
-			await session.commitTransaction();
-			session.endSession();
-		}
-	}
+	await SecretApprovalRequest.deleteMany({
+		workspace: workspace._id
+	});
+	
+	return workspace;
 };

backend/src/index.ts

@@ -2,9 +2,11 @@ import dotenv from "dotenv";
 dotenv.config();
 import express from "express";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-require("express-async-errors");
+import "express-async-errors";
 import helmet from "helmet";
 import cors from "cors";
+import { initLogger, logger } from "./utils/logging";
+import httpLogger from "pino-http";
 import { DatabaseService } from "./services";
 import { EELicenseService, GithubSecretScanningService } from "./ee/services";
 import { setUpHealthEndpoint } from "./services/health";
@@ -16,7 +18,6 @@ const swaggerFile = require("../spec.json");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 import { apiLimiter } from "./helpers/rateLimiter";
 import {
-  action as eeActionRouter,
   cloudProducts as eeCloudProductsRouter,
   organizations as eeOrganizationsRouter,
   sso as eeSSORouter,
@@ -25,12 +26,16 @@ import {
   users as eeUsersRouter,
   workspace as eeWorkspaceRouter,
   roles as v1RoleRouter,
-  secretApprovalPolicy as v1SecretApprovalPolicy,
-  secretApprovalRequest as v1SecretApprovalRequest,
+  secretApprovalPolicy as v1SecretApprovalPolicyRouter,
+  secretApprovalRequest as v1SecretApprovalRequestRouter,
+  secretRotation as v1SecretRotation,
+  secretRotationProvider as v1SecretRotationProviderRouter,
   secretScanning as v1SecretScanningRouter
 } from "./ee/routes/v1";
+import { apiKeyData as v3apiKeyDataRouter } from "./ee/routes/v3";
 import { serviceTokenData as v3ServiceTokenDataRouter } from "./ee/routes/v3";
 import {
+  admin as v1AdminRouter,
   auth as v1AuthRouter,
   bot as v1BotRouter,
   integrationAuth as v1IntegrationAuthRouter,
@@ -62,19 +67,22 @@ import {
   signup as v2SignupRouter,
   tags as v2TagsRouter,
   users as v2UsersRouter,
-  workspace as v2WorkspaceRouter
+  workspace as v2WorkspaceRouter,
+  membership as v2MembershipController
 } from "./routes/v2";
 import {
   auth as v3AuthRouter,
   secrets as v3SecretsRouter,
   signup as v3SignupRouter,
+  users as v3UsersRouter,
   workspaces as v3WorkspacesRouter
 } from "./routes/v3";
 import { healthCheck } from "./routes/status";
-import { getLogger } from "./utils/logger";
+// import { getLogger } from "./utils/logger";
 import { RouteNotFoundError } from "./utils/errors";
 import { requestErrorHandler } from "./middleware/requestErrorHandler";
 import {
+  getMongoURL,
   getNodeEnv,
   getPort,
   getSecretScanningGitAppId,
@@ -88,16 +96,34 @@ import { syncSecretsToThirdPartyServices } from "./queues/integrations/syncSecre
 import { githubPushEventSecretScan } from "./queues/secret-scanning/githubScanPushEvent";
 const SmeeClient = require("smee-client"); // eslint-disable-line
 import path from "path";
+import { serverConfigInit } from "./config/serverConfig";
+import { initRedis } from "./services/RedisService";
 
 let handler: null | any = null;
 
 const main = async () => {
+  await initLogger();
+
+  const port = await getPort();
+
+  // initializing the database connection + redis 
+  await initRedis()
+  await DatabaseService.initDatabase(await getMongoURL());
+  const serverCfg = await serverConfigInit();
   await setup();
 
   await EELicenseService.initGlobalFeatureSet();
 
   const app = express();
   app.enable("trust proxy");
+
+  app.use(
+    httpLogger({
+      logger,
+      autoLogging: false
+    })
+  );
+
   app.use(express.json());
   app.use(express.urlencoded({ extended: false }));
   app.use(cookieParser());
@@ -162,7 +188,7 @@ const main = async () => {
     const nextApp = new NextServer({
       dev: false,
       dir: nextJsBuildPath,
-      port: await getPort(),
+      port,
       conf,
       hostname: "local",
       customServer: false
@@ -176,15 +202,18 @@ const main = async () => {
   app.use("/api/v1/secret-snapshot", eeSecretSnapshotRouter);
   app.use("/api/v1/users", eeUsersRouter);
   app.use("/api/v1/workspace", eeWorkspaceRouter);
-  app.use("/api/v1/action", eeActionRouter);
   app.use("/api/v1/organizations", eeOrganizationsRouter);
   app.use("/api/v1/sso", eeSSORouter);
   app.use("/api/v1/cloud-products", eeCloudProductsRouter);
-  app.use("/api/v3/service-token", v3ServiceTokenDataRouter);
+  app.use("/api/v3/api-key", v3apiKeyDataRouter); // new
+  app.use("/api/v3/service-token", v3ServiceTokenDataRouter); // new
+  app.use("/api/v1/secret-rotation-providers", v1SecretRotationProviderRouter);
+  app.use("/api/v1/secret-rotations", v1SecretRotation);
 
   // v1 routes
   app.use("/api/v1/signup", v1SignupRouter);
   app.use("/api/v1/auth", v1AuthRouter);
+  app.use("/api/v1/admin", v1AdminRouter);
   app.use("/api/v1/bot", v1BotRouter);
   app.use("/api/v1/user", v1UserRouter);
   app.use("/api/v1/user-action", v1UserActionRouter);
@@ -204,28 +233,29 @@ const main = async () => {
   app.use("/api/v1/webhooks", v1WebhooksRouter);
   app.use("/api/v1/secret-imports", v1SecretImpsRouter);
   app.use("/api/v1/roles", v1RoleRouter);
-  app.use("/api/v1/secret-approvals", v1SecretApprovalPolicy);
+  app.use("/api/v1/secret-approvals", v1SecretApprovalPolicyRouter);
   app.use("/api/v1/sso", v1SSORouter);
-  app.use("/api/v1/secret-approval-requests", v1SecretApprovalRequest);
+  app.use("/api/v1/secret-approval-requests", v1SecretApprovalRequestRouter);
 
   // v2 routes (improvements)
   app.use("/api/v2/signup", v2SignupRouter);
   app.use("/api/v2/auth", v2AuthRouter);
   app.use("/api/v2/users", v2UsersRouter);
   app.use("/api/v2/organizations", v2OrganizationsRouter);
+  app.use("/api/v2/workspace", v2MembershipController);
   app.use("/api/v2/workspace", v2EnvironmentRouter);
   app.use("/api/v2/workspace", v2TagsRouter);
   app.use("/api/v2/workspace", v2WorkspaceRouter);
   app.use("/api/v2/secret", v2SecretRouter); // deprecate
   app.use("/api/v2/secrets", v2SecretsRouter); // note: in the process of moving to v3/secrets
   app.use("/api/v2/service-token", v2ServiceTokenDataRouter);
-  // app.use("/api/v2/service-accounts", v2ServiceAccountsRouter); // new
 
   // v3 routes (experimental)
   app.use("/api/v3/auth", v3AuthRouter);
   app.use("/api/v3/secrets", v3SecretsRouter);
   app.use("/api/v3/workspaces", v3WorkspacesRouter);
   app.use("/api/v3/signup", v3SignupRouter);
+  app.use("/api/v3/us", v3UsersRouter);
 
   // api docs
   app.use("/api-docs", swaggerUi.serve, swaggerUi.setup(swaggerFile));
@@ -251,8 +281,23 @@ const main = async () => {
 
   app.use(requestErrorHandler);
 
-  const server = app.listen(await getPort(), async () => {
-    (await getLogger("backend-main")).info(`Server started listening at port ${await getPort()}`);
+  const server = app.listen(port, async () => {
+    if (!serverCfg.initialized) {
+      logger.info(`Welcome to Infisical
+
+Create your Infisical administrator account at:
+http://localhost:${port}/admin/signup
+`);
+    } else {
+      logger.info(`Welcome back!
+
+To access Infisical Administrator Panel open
+http://localhost:${port}/admin
+
+To access Infisical server
+http://localhost:${port}
+`);
+    }
   });
 
   // await createTestUserForDevelopment();

backend/src/integrations/sync.ts

@@ -18,6 +18,8 @@ import {
   INTEGRATION_CIRCLECI_API_URL,
   INTEGRATION_CLOUDFLARE_PAGES,
   INTEGRATION_CLOUDFLARE_PAGES_API_URL,
+  INTEGRATION_CLOUDFLARE_WORKERS,
+  INTEGRATION_CLOUDFLARE_WORKERS_API_URL,
   INTEGRATION_CLOUD_66,
   INTEGRATION_CLOUD_66_API_URL,
   INTEGRATION_CODEFRESH,
@@ -32,6 +34,8 @@ import {
   INTEGRATION_GITLAB,
   INTEGRATION_GITLAB_API_URL,
   INTEGRATION_HASHICORP_VAULT,
+  INTEGRATION_HASURA_CLOUD,
+  INTEGRATION_HASURA_CLOUD_API_URL,
   INTEGRATION_HEROKU,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_LARAVELFORGE,
@@ -63,6 +67,10 @@ import { Octokit } from "@octokit/rest";
 import _ from "lodash";
 import sodium from "libsodium-wrappers";
 import { standardRequest } from "../config/request";
+import {
+  ZGetTenantEnv,
+  ZUpdateTenantEnv
+} from "../validation/hasuraCloudIntegration";
 
 const getSecretKeyValuePair = (
   secrets: Record<string, { value: string | null; comment?: string } | null>
@@ -95,7 +103,7 @@ const syncSecrets = async ({
   secrets: Record<string, { value: string; comment?: string }>;
   accessId: string | null;
   accessToken: string;
-  appendices?: { prefix: string, suffix: string };
+  appendices?: { prefix: string; suffix: string };
 }) => {
   switch (integration.integration) {
     case INTEGRATION_GCP_SECRET_MANAGER:
@@ -256,6 +264,14 @@ const syncSecrets = async ({
         accessToken
       });
       break;
+    case INTEGRATION_CLOUDFLARE_WORKERS:
+      await syncSecretsCloudflareWorkers({
+        integration,
+        secrets,
+        accessId,
+        accessToken
+      });
+      break;
     case INTEGRATION_CODEFRESH:
       await syncSecretsCodefresh({
         integration,
@@ -306,6 +322,14 @@ const syncSecrets = async ({
         accessToken
       });
       break;
+
+    case INTEGRATION_HASURA_CLOUD:
+      await syncSecretsHasuraCloud({
+        integration,
+        secrets,
+        accessToken
+      });
+      break;
   }
 };
 
@@ -963,8 +987,9 @@ const syncSecretsVercel = async ({
       : {}),
     ...(integration?.path
       ? {
-        gitBranch: integration?.path
-      } : {})
+          gitBranch: integration?.path
+        }
+      : {})
   };
 
   const vercelSecrets: VercelSecret[] = (
@@ -992,7 +1017,7 @@ const syncSecretsVercel = async ({
 
     return true;
   });
-  
+
   const res: { [key: string]: VercelSecret } = {};
 
   for await (const vercelSecret of vercelSecrets) {
@@ -1352,7 +1377,7 @@ const syncSecretsGitHub = async ({
   integration: IIntegration;
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
-  appendices?: { prefix: string, suffix: string };
+  appendices?: { prefix: string; suffix: string };
 }) => {
   interface GitHubRepoKey {
     key_id: string;
@@ -1395,14 +1420,23 @@ const syncSecretsGitHub = async ({
     {}
   );
 
-  encryptedSecrets = Object.keys(encryptedSecrets).reduce((result: {
-    [key: string]: GitHubSecret;
-  }, key) => {
-    if ((appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) && (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)) {
-      result[key] = encryptedSecrets[key];
-    }
-    return result;
-  }, {});
+  encryptedSecrets = Object.keys(encryptedSecrets).reduce(
+    (
+      result: {
+        [key: string]: GitHubSecret;
+      },
+      key
+    ) => {
+      if (
+        (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
+        (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
+      ) {
+        result[key] = encryptedSecrets[key];
+      }
+      return result;
+    },
+    {}
+  );
 
   Object.keys(encryptedSecrets).map(async (key) => {
     if (!(key in secrets)) {
@@ -2080,7 +2114,7 @@ const syncSecretsSupabase = async ({
 };
 
 /**
- * Sync/push [secrets] to Checkly app
+ * Sync/push [secrets] to Checkly app/group
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
@@ -2095,87 +2129,156 @@ const syncSecretsCheckly = async ({
   integration: IIntegration;
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
-  appendices?: { prefix: string, suffix: string };
+  appendices?: { prefix: string; suffix: string };
 }) => {
-  let getSecretsRes = (
-    await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/variables`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Accept-Encoding": "application/json",
-        "X-Checkly-Account": integration.appId
-      }
-    })
-  ).data.reduce(
-    (obj: any, secret: any) => ({
-      ...obj,
-      [secret.key]: secret.value
-    }),
-    {}
-  );
 
-  getSecretsRes = Object.keys(getSecretsRes).reduce((result: {
-    [key: string]: string;
-  }, key) => {
-    if ((appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) && (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)) {
-      result[key] = getSecretsRes[key];
-    }
-    return result;
-  }, {});
+  if (integration.targetServiceId) {
+    // sync secrets to checkly group envars
 
-  // add secrets
-  for await (const key of Object.keys(secrets)) {
-    if (!(key in getSecretsRes)) {
-      // case: secret does not exist in checkly
-      // -> add secret
-      await standardRequest.post(
-        `${INTEGRATION_CHECKLY_API_URL}/v1/variables`,
-        {
-          key,
-          value: secrets[key].value
-        },
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            Accept: "application/json",
-            "Content-Type": "application/json",
-            "X-Checkly-Account": integration.appId
-          }
-        }
-      );
-    } else {
-      // case: secret exists in checkly
-      // -> update/set secret
-
-      if (secrets[key] !== getSecretsRes[key]) {
-        await standardRequest.put(
-          `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
-          {
-            value: secrets[key].value
-          },
-          {
-            headers: {
-              Authorization: `Bearer ${accessToken}`,
-              "Content-Type": "application/json",
-              Accept: "application/json",
-              "X-Checkly-Account": integration.appId
-            }
-          }
-        );
-      }
-    }
-  }
-
-  for await (const key of Object.keys(getSecretsRes)) {
-    if (!(key in secrets)) {
-      // delete secret
-      await standardRequest.delete(`${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`, {
+    let getGroupSecretsRes = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/check-groups/${integration.targetServiceId}`, {
         headers: {
           Authorization: `Bearer ${accessToken}`,
           Accept: "application/json",
           "X-Checkly-Account": integration.appId
         }
-      });
+      })
+    ).data.environmentVariables.reduce(
+      (obj: any, secret: any) => ({
+        ...obj,
+        [secret.key]: secret.value
+      }),
+      {}
+    );
+
+    getGroupSecretsRes = Object.keys(getGroupSecretsRes).reduce(
+      (
+        result: {
+          [key: string]: string;
+        },
+        key
+      ) => {
+        if (
+          (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
+          (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
+        ) {
+          result[key] = getGroupSecretsRes[key];
+        }
+        return result;
+      },
+      {}
+    );
+
+    const groupEnvironmentVariables = Object.keys(secrets).map(key => ({
+      key,
+      value: secrets[key].value
+    }));
+
+    await standardRequest.put(
+      `${INTEGRATION_CHECKLY_API_URL}/v1/check-groups/${integration.targetServiceId}`,
+      {
+        environmentVariables: groupEnvironmentVariables
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json",
+          "X-Checkly-Account": integration.appId
+        }
+      }
+    );
+  } else {
+    // sync secrets to checkly global envars
+    
+    let getSecretsRes = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/variables`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json",
+          "X-Checkly-Account": integration.appId
+        }
+      })
+    ).data.reduce(
+      (obj: any, secret: any) => ({
+        ...obj,
+        [secret.key]: secret.value
+      }),
+      {}
+    );
+  
+    getSecretsRes = Object.keys(getSecretsRes).reduce(
+      (
+        result: {
+          [key: string]: string;
+        },
+        key
+      ) => {
+        if (
+          (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
+          (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
+        ) {
+          result[key] = getSecretsRes[key];
+        }
+        return result;
+      },
+      {}
+    );
+  
+    // add secrets
+    for await (const key of Object.keys(secrets)) {
+      if (!(key in getSecretsRes)) {
+        // case: secret does not exist in checkly
+        // -> add secret
+        await standardRequest.post(
+          `${INTEGRATION_CHECKLY_API_URL}/v1/variables`,
+          {
+            key,
+            value: secrets[key].value
+          },
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              Accept: "application/json",
+              "Content-Type": "application/json",
+              "X-Checkly-Account": integration.appId
+            }
+          }
+        );
+      } else {
+        // case: secret exists in checkly
+        // -> update/set secret
+  
+        if (secrets[key] !== getSecretsRes[key]) {
+          await standardRequest.put(
+            `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
+            {
+              value: secrets[key].value
+            },
+            {
+              headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Content-Type": "application/json",
+                Accept: "application/json",
+                "X-Checkly-Account": integration.appId
+              }
+            }
+          );
+        }
+      }
     }
+  
+    for await (const key of Object.keys(getSecretsRes)) {
+      if (!(key in secrets)) {
+        // delete secret
+        await standardRequest.delete(`${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: "application/json",
+            "X-Checkly-Account": integration.appId
+          }
+        });
+      }
+    }  
   }
 };
 
@@ -2195,18 +2298,20 @@ const syncSecretsQovery = async ({
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
 }) => {
-  
   const getSecretsRes = (
-    await standardRequest.get(`${INTEGRATION_QOVERY_API_URL}/${integration.scope}/${integration.appId}/environmentVariable`, {
-      headers: {
-        Authorization: `Token ${accessToken}`,
-        "Accept-Encoding": "application/json"
+    await standardRequest.get(
+      `${INTEGRATION_QOVERY_API_URL}/${integration.scope}/${integration.appId}/environmentVariable`,
+      {
+        headers: {
+          Authorization: `Token ${accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
       }
-    })
+    )
   ).data.results.reduce(
     (obj: any, secret: any) => ({
       ...obj,
-      [secret.key]: {"id": secret.id, "value": secret.value}
+      [secret.key]: { id: secret.id, value: secret.value }
     }),
     {}
   );
@@ -2651,6 +2756,98 @@ const syncSecretsCloudflarePages = async ({
   );
 };
 
+/**
+ * Sync/push [secrets] to Cloudflare Workers project with name [integration.app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - API token for Cloudflare workers
+ */
+const syncSecretsCloudflareWorkers = async ({
+  integration,
+  secrets,
+  accessId,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: Record<string, { value: string; comment?: string }>;
+  accessId: string | null;
+  accessToken: string;
+}) => {
+  // get secrets from cloudflare workers
+  const getSecretsRes = (
+    await standardRequest.get(
+      `${INTEGRATION_CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accessId}/workers/scripts/${integration.app}/secrets`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json"
+        }
+      }
+    )
+  ).data.result;
+
+  const secretsObj: any = getSecretKeyValuePair(secrets);
+
+  for (const [key, val] of Object.entries(secretsObj)) {
+    secretsObj[key] = { type: "secret_text", value: val };
+  }
+
+  // get deleted secrets list
+  const deletedSecretKeys: string[] = [];
+  if (getSecretsRes) {
+    getSecretsRes.forEach((secretRes: any) => {
+      if (!(Object.keys(secrets).includes(secretRes.name))) {
+        deletedSecretKeys.push(secretRes.name);
+      }
+    })
+  }
+
+  deletedSecretKeys.forEach(async (secretKey) => {
+    await standardRequest.delete(
+      `${INTEGRATION_CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accessId}/workers/scripts/${integration.app}/secrets/${secretKey}`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json"
+        }
+      }
+    );
+  });
+
+  interface ConvertedSecret {
+    name: string;
+    text: string;
+    type: string;
+  }
+
+  interface SecretsObj {
+    [key: string]: {
+      type: string;
+      value: string;
+    };
+  }
+
+  const data: ConvertedSecret[] = Object.entries(secretsObj as SecretsObj).map(([name, secret]) => ({
+    name,
+    text: secret.value,
+    type: "secret_text"
+  }));
+
+  data.forEach(async (secret) => {
+    await standardRequest.put(
+      `${INTEGRATION_CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accessId}/workers/scripts/${integration.app}/secrets`,
+      secret,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json"
+        }
+      }
+    );
+  })
+};
+
 /**
  * Sync/push [secrets] to BitBucket repo with name [integration.app]
  * @param {Object} obj
@@ -3076,4 +3273,111 @@ const syncSecretsNorthflank = async ({
   );
 };
 
+/** Sync/push [secrets] to Hasura Cloud
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Hasura Cloud integration
+ */
+const syncSecretsHasuraCloud = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: Record<string, { value: string; comment?: string }>;
+  accessToken: string;
+}) => {
+  const res = await standardRequest.post(
+    INTEGRATION_HASURA_CLOUD_API_URL,
+    {
+      query:
+        "query MyQuery($tenantId: uuid!) { getTenantEnv(tenantId: $tenantId) { hash envVars } }",
+      variables: {
+        tenantId: integration.appId
+      }
+    },
+    {
+      headers: {
+        Authorization: `pat ${accessToken}`,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+
+  const {
+    data: {
+      getTenantEnv: { hash, envVars }
+    }
+  } = ZGetTenantEnv.parse(res.data);
+
+  let currentHash = hash;
+
+  const secretsToUpdate = Object.keys(secrets).map((key) => {
+    return ({
+      key,
+      value: secrets[key].value
+    });
+  });
+
+  if (secretsToUpdate.length) {
+    // update secrets
+    
+    const addRequest = await standardRequest.post(
+      INTEGRATION_HASURA_CLOUD_API_URL,
+      {
+        query:
+          "mutation MyQuery($currentHash: String!, $envs: [UpdateEnvObject!]!, $tenantId: uuid!) { updateTenantEnv(currentHash: $currentHash, envs: $envs, tenantId: $tenantId) { hash envVars} }",
+        variables: {
+          currentHash,
+          envs: secretsToUpdate,
+          tenantId: integration.appId
+        }
+      },
+      {
+        headers: {
+          Authorization: `pat ${accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+
+    const addRequestResponse = ZUpdateTenantEnv.safeParse(addRequest.data);
+    if (addRequestResponse.success) {
+      currentHash = addRequestResponse.data.data.updateTenantEnv.hash;
+    }
+  }
+  
+  const secretsToDelete = envVars.environment 
+    ? Object.keys(envVars.environment).filter((key) => !(key in secrets))
+    : [];
+    
+  if (secretsToDelete.length) {
+    await standardRequest.post(
+      INTEGRATION_HASURA_CLOUD_API_URL,
+      {
+        query: `
+        mutation deleteTenantEnv($id: uuid!, $currentHash: String!, $env: [String!]!) {
+          deleteTenantEnv(tenantId: $id, currentHash: $currentHash, deleteEnvs: $env) {
+            hash
+            envVars
+          }
+        }
+        `,
+        variables: {
+          id: integration.appId,
+          currentHash,
+          env: secretsToDelete
+        }
+      },
+      {
+        headers: {
+          Authorization: `pat ${accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+  }
+};
+
 export { syncSecrets };

backend/src/interfaces/middleware/index.ts

@@ -1,39 +1,27 @@
 import { Types } from "mongoose";
-import {
-    IServiceTokenData,
-    IServiceTokenDataV3,
-    IUser,
-} from "../../models";
-import { 
-    ServiceActor,
-    ServiceActorV3,
-    UserActor,
-    UserAgentType
-} from "../../ee/models";
+import { IServiceTokenData, IServiceTokenDataV3, IUser } from "../../models";
+import { ServiceActor, ServiceActorV3, UserActor, UserAgentType } from "../../ee/models";
 
 interface BaseAuthData {
-    ipAddress: string;
-    userAgent: string;
-    userAgentType: UserAgentType;
-    tokenVersionId?: Types.ObjectId;
+  ipAddress: string;
+  userAgent: string;
+  userAgentType: UserAgentType;
+  tokenVersionId?: Types.ObjectId;
 }
 
 export interface UserAuthData extends BaseAuthData {
-    actor: UserActor;
-    authPayload: IUser;
+  actor: UserActor;
+  authPayload: IUser;
 }
 
 export interface ServiceTokenV3AuthData extends BaseAuthData {
-    actor: ServiceActorV3;
-    authPayload: IServiceTokenDataV3;
+  actor: ServiceActorV3;
+  authPayload: IServiceTokenDataV3;
 }
 
 export interface ServiceTokenAuthData extends BaseAuthData {
-    actor: ServiceActor;
-    authPayload: IServiceTokenData;
+  actor: ServiceActor;
+  authPayload: IServiceTokenData;
 }
 
-export type AuthData =
-    | UserAuthData
-    | ServiceTokenV3AuthData
-    | ServiceTokenAuthData;
+export type AuthData = UserAuthData | ServiceTokenV3AuthData | ServiceTokenAuthData;

backend/src/interfaces/serviceAccounts/dto/AddServiceAccountPermissionDto.ts

@@ -1,7 +0,0 @@
-interface AddServiceAccountPermissionDto {
-    name: string;
-    workspaceId?: string;
-    environment?: string;
-}
-
-export default AddServiceAccountPermissionDto;

backend/src/interfaces/serviceAccounts/dto/CreateServiceAccountDto.ts

@@ -1,8 +0,0 @@
-interface CreateServiceAccountDto {
-    organizationId: string;
-    name: string;
-    publicKey: string; 
-    expiresIn: number;
-}
-
-export default CreateServiceAccountDto;