patch check for version

patch get secret by name

.github/values.yaml

@@ -19,11 +19,11 @@ infisical:
   ## @param backend.name Backend name
   ##
   name: infisical
-  replicaCount: 2
+  replicaCount: 3
   image:
-    repository: infisical/infisical
-    tag: "latest-postgres"
-    pullPolicy: IfNotPresent
+    repository: infisical/staging_infisical
+    tag: "latest"
+    pullPolicy: Always
 
   deploymentAnnotations:
     secrets.infisical.com/auto-reload: "true"

Dockerfile.standalone-infisical

@@ -104,7 +104,6 @@ ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
 WORKDIR / 
 
 COPY --from=backend-runner /app /backend
-COPY --from=backend-runner /app/dist/services/smtp/templates /backend/dist/templates
 
 COPY --from=frontend-runner /app ./backend/frontend-build
 

README.md

@@ -33,7 +33,7 @@
     <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
   </a>
   <a href="https://cloudsmith.io/~infisical/repos/">
-    <img src="https://img.shields.io/badge/Downloads-2.58M-orange" alt="Cloudsmith downloads" />
+    <img src="https://img.shields.io/badge/Downloads-6.95M-orange" alt="Cloudsmith downloads" />
   </a>
   <a href="https://infisical.com/slack">
     <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
@@ -53,17 +53,19 @@ We're on a mission to make secret management more accessible to everyone, not ju
 
 ## Features
 
-- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.)
-- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand
-- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development
-- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like GitHub, Vercel, Netlify, and more
-- [**Automatic Kubernetes deployment secret reloads**](https://infisical.com/docs/documentation/getting-started/kubernetes)
-- **[Complete control over your data](https://infisical.com/docs/self-hosting/overview)** - host it yourself on any infrastructure
-- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery]()** to version every secret and project state
-- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project
-- **Role-based Access Controls** per environment
-- [**Simple on-premise deployments** to AWS, Digital Ocean, and more](https://infisical.com/docs/self-hosting/overview)
-- [**Secret Scanning and Leak Prevention**](https://infisical.com/docs/cli/scanning-overview)
+- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.). 
+- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand. 
+- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development and CI/CD. 
+- **[Infisical API](https://infisical.com/docs/api-reference/overview/introduction)** to perform CRUD operation on secrets, users, projects, and any other resource in Infisical. 
+- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more. 
+- **[Infisical Kubernetes operator](https://infisical.com/docs/documentation/getting-started/kubernetes)** to managed secrets in k8s, automatically reload deployments, and more.
+- **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)** to inject secrets into your applications without modifying any code logic. 
+- **[Self-hosting and on-prem](https://infisical.com/docs/self-hosting/overview)** to get complete control over your data.
+- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)** to version every secret and project state. 
+- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project. 
+- **[Role-based Access Controls](https://infisical.com/docs/documentation/platform/role-based-access-controls)** to create permission sets on any resource in Infisica and assign those to user or machine identities. 
+- **[Simple on-premise deployments](https://infisical.com/docs/self-hosting/overview)** to AWS, Digital Ocean, and more.
+- **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)** to prevent secrets from leaking to git. 
 
 And much more.
 
@@ -115,9 +117,9 @@ Lean about Infisical's code scanning feature [here](https://infisical.com/docs/c
 
 This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license.
 
-If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://cal.com/vmatsiiako/infisical-demo):
+If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://infisical.cal.com/vlad/infisical-demo):
 
-<a href="https://cal.com/vmatsiiako/infisical-demo"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>
+<a href="[https://infisical.cal.com/vlad/infisical-demo](https://infisical.cal.com/vlad/infisical-demo)"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>
 
 ## Security
 

backend/package.json

@@ -2,12 +2,12 @@
   "name": "backend",
   "version": "1.0.0",
   "description": "",
-  "main": "index.js",
+  "main": "./dist/main.mjs",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "dev": "tsx watch --clear-screen=false ./src/main.ts  | pino-pretty --colorize --colorizeObjects --singleLine",
     "dev:docker": "nodemon",
-    "build": "rimraf dist && tsup && cp -R ./src/lib/validator/disposable_emails.txt ./dist && cp -R ./src/services/smtp/templates ./dist",
+    "build": "tsup",
     "start": "node dist/main.mjs",
     "type:check": "tsc --noEmit",
     "lint:fix": "eslint --fix --ext js,ts ./src",
@@ -44,7 +44,13 @@
     "@types/pg": "^8.10.9",
     "@types/picomatch": "^2.3.3",
     "@types/prompt-sync": "^4.2.3",
+    "@types/resolve": "^1.20.6",
     "@types/uuid": "^9.0.7",
+    "@typescript-eslint/eslint-plugin": "^6.20.0",
+    "@typescript-eslint/parser": "^6.20.0",
+    "eslint": "^8.56.0",
+    "eslint-config-airbnb-base": "^15.0.0",
+    "eslint-config-airbnb-typescript": "^17.1.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-import-resolver-typescript": "^3.6.1",
     "eslint-plugin-import": "^2.29.1",
@@ -55,6 +61,7 @@
     "prompt-sync": "^4.2.0",
     "rimraf": "^5.0.5",
     "ts-node": "^10.9.1",
+    "tsc-alias": "^1.8.8",
     "tsconfig-paths": "^4.2.0",
     "tsup": "^8.0.1",
     "tsx": "^4.4.0",
@@ -67,6 +74,7 @@
     "@casl/ability": "^6.5.0",
     "@fastify/cookie": "^9.2.0",
     "@fastify/cors": "^8.4.1",
+    "@fastify/etag": "^5.1.0",
     "@fastify/formbody": "^7.4.0",
     "@fastify/helmet": "^11.1.1",
     "@fastify/passport": "^2.4.0",
@@ -79,8 +87,6 @@
     "@octokit/webhooks-types": "^7.3.1",
     "@serdnam/pino-cloudwatch-transport": "^1.0.4",
     "@sindresorhus/slugify": "^2.2.1",
-    "@typescript-eslint/eslint-plugin": "^6.20.0",
-    "@typescript-eslint/parser": "^6.20.0",
     "@ucast/mongo2js": "^1.3.4",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
@@ -90,9 +96,6 @@
     "bcrypt": "^5.1.1",
     "bullmq": "^5.1.1",
     "dotenv": "^16.3.1",
-    "eslint": "^8.56.0",
-    "eslint-config-airbnb-base": "^15.0.0",
-    "eslint-config-airbnb-typescript": "^17.1.0",
     "fastify": "^4.24.3",
     "fastify-plugin": "^4.5.1",
     "handlebars": "^4.7.8",
@@ -107,7 +110,6 @@
     "nanoid": "^5.0.4",
     "node-cache": "^5.1.2",
     "nodemailer": "^6.9.7",
-    "ora": "^7.0.1",
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",

backend/src/db/instance.ts

@@ -1,10 +1,18 @@
 import knex from "knex";
 
 export type TDbClient = ReturnType<typeof initDbConnection>;
-export const initDbConnection = (dbConnectionUri: string) => {
+export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnectionUri: string; dbRootCert?: string }) => {
   const db = knex({
     client: "pg",
-    connection: dbConnectionUri
+    connection: {
+      connectionString: dbConnectionUri,
+      ssl: dbRootCert
+        ? {
+            rejectUnauthorized: true,
+            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
+          }
+        : false
+    }
   });
 
   return db;

backend/src/ee/routes/v1/saml-router.ts

@@ -79,7 +79,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       // eslint-disable-next-line
       async (req, profile, cb) => {
         try {
-          const serverCfg = getServerCfg();
+          const serverCfg = await getServerCfg();
           if (!profile) throw new BadRequestError({ message: "Missing profile" });
           const { firstName } = profile;
           const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -38,7 +38,8 @@ export const auditLogDALFactory = (db: TDbClient) => {
           })
         )
         .limit(limit)
-        .offset(offset);
+        .offset(offset)
+        .orderBy("createdAt", "desc");
       if (startDate) {
         void sqlQuery.where("createdAt", ">=", startDate);
       }

backend/src/lib/config/env.ts

@@ -15,9 +15,11 @@ const envSchema = z
     PORT: z.coerce.number().default(4000),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
-    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database conntection string")),
+    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")),
+    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
     NODE_ENV: z.enum(["development", "test", "production"]).default("production"),
     SALT_ROUNDS: z.coerce.number().default(10),
+    INITIAL_ORGANIZATION_NAME: zpStr(z.string().optional()),
     // TODO(akhilmhdh): will be changed to one
     ENCRYPTION_KEY: zpStr(z.string().optional()),
     ROOT_ENCRYPTION_KEY: zpStr(z.string().optional()),

backend/src/main.ts

@@ -12,7 +12,11 @@ dotenv.config();
 const run = async () => {
   const logger = await initLogger();
   const appCfg = initEnvConfig(logger);
-  const db = initDbConnection(appCfg.DB_CONNECTION_URI);
+  const db = initDbConnection({
+    dbConnectionUri: appCfg.DB_CONNECTION_URI,
+    dbRootCert: appCfg.DB_ROOT_CERT
+  });
+
   const smtp = smtpServiceFactory(formatSmtpConfig());
   const queue = queueServiceFactory(appCfg.REDIS_URL);
 
@@ -36,7 +40,7 @@ const run = async () => {
     port: appCfg.PORT,
     host: appCfg.HOST,
     listenTextResolver: (address) => {
-      bootstrap();
+      void bootstrap();
       return address;
     }
   });

backend/src/server/app.ts

@@ -5,6 +5,7 @@ import type { FastifyCookieOptions } from "@fastify/cookie";
 import cookie from "@fastify/cookie";
 import type { FastifyCorsOptions } from "@fastify/cors";
 import cors from "@fastify/cors";
+import fastifyEtag from "@fastify/etag";
 import fastifyFormBody from "@fastify/formbody";
 import helmet from "@fastify/helmet";
 import type { FastifyRateLimitOptions } from "@fastify/rate-limit";
@@ -13,11 +14,10 @@ import fasitfy from "fastify";
 import { Knex } from "knex";
 import { Logger } from "pino";
 
+import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 
-import { getConfig } from "@lib/config/env";
-
 import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
@@ -39,6 +39,7 @@ export const main = async ({ db, smtp, logger, queue }: TMain) => {
   const server = fasitfy({
     logger,
     trustProxy: true,
+    connectionTimeout: 30 * 1000,
     ignoreTrailingSlash: true
   }).withTypeProvider<ZodTypeProvider>();
 
@@ -50,6 +51,8 @@ export const main = async ({ db, smtp, logger, queue }: TMain) => {
       secret: appCfg.COOKIE_SECRET_SIGN_KEY
     });
 
+    await server.register(fastifyEtag);
+
     await server.register<FastifyCorsOptions>(cors, {
       credentials: true,
       origin: appCfg.SITE_URL || true
@@ -72,7 +75,7 @@ export const main = async ({ db, smtp, logger, queue }: TMain) => {
     if (appCfg.isProductionMode) {
       await server.register(registerExternalNextjs, {
         standaloneMode: appCfg.STANDALONE_MODE,
-        dir: path.join(__dirname, "../"),
+        dir: path.join(__dirname, "../../"),
         port: appCfg.PORT
       });
     }

backend/src/server/boot-strap-check.ts

@@ -12,9 +12,9 @@ type BootstrapOpt = {
   db: Knex;
 };
 
-const bootstrapCb = () => {
+const bootstrapCb = async () => {
   const appCfg = getConfig();
-  const serverCfg = getServerCfg();
+  const serverCfg = await getServerCfg();
   if (!serverCfg.initialized) {
     console.info(`Welcome to Infisical
 

backend/src/server/plugins/external-nextjs.ts

@@ -45,6 +45,9 @@ export const registerExternalNextjs = async (
     server.route({
       method: ["GET", "PUT", "PATCH", "POST", "DELETE"],
       url: "/*",
+      schema: {
+        hide: true
+      },
       handler: (req, res) =>
         nextApp
           .getRequestHandler()(req.raw, res.raw)

backend/src/server/plugins/swagger.ts

@@ -43,6 +43,7 @@ export const fastifySwagger = fp(async (fastify) => {
   });
 
   await fastify.register(swaggerUI, {
-    routePrefix: "/docs"
+    routePrefix: "/api/docs",
+    prefix: "/api/docs"
   });
 });

backend/src/server/routes/index.ts

@@ -513,9 +513,9 @@ export const registerRoutes = async (
         })
       }
     },
-    handler: () => {
+    handler: async () => {
       const cfg = getConfig();
-      const serverCfg = getServerCfg();
+      const serverCfg = await getServerCfg();
       return {
         date: new Date(),
         message: "Ok" as const,

backend/src/server/routes/v1/admin-router.ts

@@ -20,8 +20,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    handler: () => {
-      const config = getServerCfg();
+    handler: async () => {
+      const config = await getServerCfg();
       return { config };
     }
   });
@@ -78,7 +78,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req, res) => {
       const appCfg = getConfig();
-      const serverCfg = getServerCfg();
+      const serverCfg = await getServerCfg();
       if (serverCfg.initialized)
         throw new UnauthorizedError({ name: "Admin sign up", message: "Admin has been created" });
       const { user, token } = await server.services.superAdmin.adminSignUp({

backend/src/server/routes/v1/sso-router.ts

@@ -42,7 +42,7 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
         async (req, _accessToken, _refreshToken, profile, cb) => {
           try {
             const email = profile?.emails?.[0]?.value;
-            const serverCfg = getServerCfg();
+            const serverCfg = await getServerCfg();
             if (!email)
               throw new BadRequestError({
                 message: "Email not found",
@@ -84,7 +84,7 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
           try {
             const ghEmails = await fetchGithubEmails(accessToken);
             const { email } = ghEmails.filter((gitHubEmail) => gitHubEmail.primary)[0];
-            const serverCfg = getServerCfg();
+            const serverCfg = await getServerCfg();
             const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({
               email,
               firstName: profile.displayName,
@@ -120,7 +120,7 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
         async (req: any, _accessToken: string, _refreshToken: string, profile: any, cb: any) => {
           try {
             const email = profile.emails[0].value;
-            const serverCfg = getServerCfg();
+            const serverCfg = await getServerCfg();
             const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({
               email,
               firstName: profile.displayName,

backend/src/server/routes/v3/secret-router.ts

@@ -13,6 +13,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -107,6 +108,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId,
           environment,
           secretPath: req.query.secretPath,
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -188,6 +190,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId,
           environment,
           secretPath: req.query.secretPath,
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -255,7 +258,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -322,7 +325,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -384,7 +387,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -467,18 +470,33 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.SecretPulled,
-        distinctId: getDistinctId(req),
-        properties: {
-          numberOfSecrets: secrets.length,
-          workspaceId: req.query.workspaceId,
-          environment: req.query.environment,
-          secretPath: req.query.secretPath,
-
-          ...req.auditLogInfo
+      // TODO: Move to telemetry plugin
+      let shouldRecordK8Event = false;
+      if (req.headers["user-agent"] === "k8-operatoer") {
+        const randomNumber = Math.random();
+        if (randomNumber > 0.95) {
+          shouldRecordK8Event = true;
         }
-      });
+      }
+
+      const shouldCapture =
+        req.query.workspaceId !== "650e71fbae3e6c8572f436d4" &&
+        (req.headers["user-agent"] !== "k8-operator" || shouldRecordK8Event);
+      const approximateNumberTotalSecrets = secrets.length * 20;
+      if (shouldCapture) {
+        server.services.telemetry.sendPostHogEvents({
+          event: PostHogEventTypes.SecretPulled,
+          distinctId: getDistinctId(req),
+          properties: {
+            numberOfSecrets: shouldRecordK8Event ? approximateNumberTotalSecrets : secrets.length,
+            workspaceId: req.query.workspaceId,
+            environment: req.query.environment,
+            secretPath: req.query.secretPath,
+            channel: getUserAgentType(req.headers["user-agent"]),
+            ...req.auditLogInfo
+          }
+        });
+      }
 
       return { secrets, imports };
     }
@@ -550,7 +568,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.query.workspaceId,
           environment: req.query.environment,
           secretPath: req.query.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -711,7 +729,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -890,7 +908,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -1005,7 +1023,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -1123,7 +1141,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -1240,7 +1258,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });
@@ -1345,7 +1363,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           workspaceId: req.body.workspaceId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
-
+          channel: getUserAgentType(req.headers["user-agent"]),
           ...req.auditLogInfo
         }
       });

backend/src/server/routes/v3/signup-router.ts

@@ -108,7 +108,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      await res.setCookie("jid", refreshToken, {
+      void res.setCookie("jid", refreshToken, {
         httpOnly: true,
         path: "/",
         sameSite: "strict",
@@ -159,7 +159,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
         userAgent
       });
 
-      await res.setCookie("jid", refreshToken, {
+      void res.setCookie("jid", refreshToken, {
         httpOnly: true,
         path: "/",
         sameSite: "strict",

backend/src/services/project/project-dal.ts

@@ -21,7 +21,11 @@ export const projectDALFactory = (db: TDbClient) => {
           db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
           db.ref("name").withSchema(TableName.Environment).as("envName")
         )
-        .orderBy("createdAt", "asc", "last");
+        .orderBy([
+          { column: `${TableName.Project}.name`, order: "asc" },
+          { column: `${TableName.Environment}.position`, order: "asc" }
+        ]);
+
       const nestedWorkspaces = sqlNestRelationships({
         data: workspaces,
         key: "id",
@@ -102,7 +106,11 @@ export const projectDALFactory = (db: TDbClient) => {
           db.ref("id").withSchema(TableName.Environment).as("envId"),
           db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
           db.ref("name").withSchema(TableName.Environment).as("envName")
-        );
+        )
+        .orderBy([
+          { column: `${TableName.Project}.name`, order: "asc" },
+          { column: `${TableName.Environment}.position`, order: "asc" }
+        ]);
       return sqlNestRelationships({
         data: workspaces,
         key: "id",

backend/src/services/secret-import/secret-import-fns.ts

@@ -25,10 +25,15 @@ export const fnSecretsFromImports = async ({
   if (!folderIds.length) {
     return [];
   }
-  const importedSecrets = await secretDAL.find({
-    $in: { folderId: folderIds },
-    type: SecretType.Shared
-  });
+  const importedSecrets = await secretDAL.find(
+    {
+      $in: { folderId: folderIds },
+      type: SecretType.Shared
+    },
+    {
+      sort: [["id", "asc"]]
+    }
+  );
 
   const importedSecsGroupByFolderId = groupBy(importedSecrets, (i) => i.folderId);
   return allowedImports.map(({ importPath, importEnv }, i) => ({

backend/src/services/secret-tag/secret-tag-service.ts

@@ -47,7 +47,7 @@ export const secretTagServiceFactory = ({ secretTagDAL, permissionService }: TSe
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
 
-    const tags = await secretTagDAL.find({ projectId });
+    const tags = await secretTagDAL.find({ projectId }, { sort: [["createdAt", "asc"]] });
     return tags;
   };
 

backend/src/services/secret/secret-dal.ts

@@ -86,7 +86,8 @@ export const secretDALFactory = (db: TDbClient) => {
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
         .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
-        .select(db.ref("name").withSchema(TableName.SecretTag).as("tagName"));
+        .select(db.ref("name").withSchema(TableName.SecretTag).as("tagName"))
+        .orderBy("id", "asc");
       const data = sqlNestRelationships({
         data: secs,
         key: "id",

backend/src/services/secret/secret-service.ts

@@ -537,18 +537,30 @@ export const secretServiceFactory = ({
 
     const secretBlindIndex = await interalGenSecBlindIndexByName(projectId, secretName);
 
-    const secret = await (typeof version !== undefined
+    // Case: The old python SDK uses incorrect logic https://github.com/Infisical/infisical-python/blob/main/infisical/client/infisicalclient.py#L89.
+    // Fetch secrets using service tokens cannot fetch personal secrets, only shared.
+    // The mongo backend used to correct this mistake, this line also adds it to current backend
+    // Mongo backend check: https://github.com/Infisical/infisical-mongo/blob/main/backend/src/helpers/secrets.ts#L658
+    let secretType = type;
+    if (actor === ActorType.SERVICE) {
+      logger.info(
+        `secretServiceFactory: overriding secret type for service token [projectId=${projectId}] [factoryFunctionName=getSecretByName]`
+      );
+      secretType = SecretType.Shared;
+    }
+
+    const secret = await (version === undefined
       ? secretDAL.findOne({
           folderId,
-          type,
-          userId: type === SecretType.Personal ? actorId : null,
+          type: secretType,
+          userId: secretType === SecretType.Personal ? actorId : null,
           secretBlindIndex
         })
       : secretVersionDAL
           .findOne({
             folderId,
-            type,
-            userId: type === SecretType.Personal ? actorId : null,
+            type: secretType,
+            userId: secretType === SecretType.Personal ? actorId : null,
             secretBlindIndex
           })
           .then((el) => SecretsSchema.parse({ ...el, id: el.secretId })));

backend/src/services/service-token/service-token-service.ts

@@ -117,7 +117,7 @@ export const serviceTokenServiceFactory = ({
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
 
-    const tokens = await serviceTokenDAL.find({ projectId });
+    const tokens = await serviceTokenDAL.find({ projectId }, { sort: [["createdAt", "desc"]] });
     return tokens;
   };
 

backend/src/services/super-admin/super-admin-service.ts

@@ -1,4 +1,5 @@
 import { TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 
 import { TAuthLoginFactory } from "../auth/auth-login-service";
@@ -17,11 +18,8 @@ type TSuperAdminServiceFactoryDep = {
 
 export type TSuperAdminServiceFactory = ReturnType<typeof superAdminServiceFactory>;
 
-let serverCfg: Readonly<TSuperAdmin>;
-export const getServerCfg = () => {
-  if (!serverCfg) throw new BadRequestError({ name: "Get server cfg", message: "Server cfg not initialized" });
-  return serverCfg;
-};
+// eslint-disable-next-line
+export let getServerCfg: () => Promise<TSuperAdmin>;
 
 export const superAdminServiceFactory = ({
   serverCfgDAL,
@@ -30,19 +28,18 @@ export const superAdminServiceFactory = ({
   orgService
 }: TSuperAdminServiceFactoryDep) => {
   const initServerCfg = async () => {
-    serverCfg = await serverCfgDAL.findOne({});
-    if (!serverCfg) {
-      const newCfg = await serverCfgDAL.create({ initialized: false, allowSignUp: true });
-      serverCfg = newCfg;
-      return newCfg;
-    }
-    return serverCfg;
+    // TODO(akhilmhdh): bad  pattern time less change this later to me itself
+    getServerCfg = () => serverCfgDAL.findOne({});
+
+    const serverCfg = await serverCfgDAL.findOne({});
+    if (serverCfg) return;
+    const newCfg = await serverCfgDAL.create({ initialized: false, allowSignUp: true });
+    return newCfg;
   };
 
   const updateServerCfg = async (data: TSuperAdminUpdate) => {
+    const serverCfg = await getServerCfg();
     const cfg = await serverCfgDAL.updateById(serverCfg.id, data);
-    serverCfg = cfg;
-    Object.freeze(serverCfg);
     return cfg;
   };
 
@@ -62,6 +59,7 @@ export const superAdminServiceFactory = ({
     ip,
     userAgent
   }: TAdminSignUpDTO) => {
+    const appCfg = getConfig();
     const existingUser = await userDAL.findOne({ email });
     if (existingUser) throw new BadRequestError({ name: "Admin sign up", message: "User already exist" });
 
@@ -95,7 +93,10 @@ export const superAdminServiceFactory = ({
       );
       return { user: newUser, enc: userEnc };
     });
-    await orgService.createOrganization(userInfo.user.id, userInfo.user.email, "Admin Org");
+
+    const initialOrganizationName = appCfg.INITIAL_ORGANIZATION_NAME ?? "Admin Org";
+
+    await orgService.createOrganization(userInfo.user.id, userInfo.user.email, initialOrganizationName);
 
     await updateServerCfg({ initialized: true });
     const token = await authService.generateUserTokens(userInfo.user, ip, userAgent);

backend/src/services/webhook/webhook-dal.ts

@@ -80,7 +80,8 @@ export const webhookDALFactory = (db: TDbClient) => {
         .select(db.ref("slug").withSchema(TableName.Environment).as("envSlug"))
         .select(db.ref("id").withSchema(TableName.Environment).as("envId"))
         .select(db.ref("projectId").withSchema(TableName.Environment))
-        .select(selectAllTableCols(TableName.Webhook));
+        .select(selectAllTableCols(TableName.Webhook))
+        .orderBy(`${TableName.Webhook}.createdAt`, "asc");
 
       return webhooks.map(({ envId, envSlug, envName, ...el }) => ({
         ...el,

backend/tsconfig.json

@@ -22,11 +22,9 @@
     "skipLibCheck": true,
     "baseUrl": ".",
     "paths": {
-      "@app/*": ["./src/*"],
-      "@lib/*": ["./src/lib/*"],
-      "@server/*": ["./src/server/*"]
+      "@app/*": ["./src/*"]
     }
   },
-  "include": ["src/**/*", "scripts/**/*", "e2e-test/**/*","./.eslintrc.js"],
+  "include": ["src/**/*", "scripts/**/*", "e2e-test/**/*", "./.eslintrc.js", "./tsup.config.js"],
   "exclude": ["node_modules"]
 }

backend/tsup.config.js

@@ -1,14 +1,73 @@
+/* eslint-disable */
+import path from "node:path";
+
+import fs from "fs/promises";
+import { replaceTscAliasPaths } from "tsc-alias";
 import { defineConfig } from "tsup";
 
+// Instead of using tsx or tsc for building, consider using tsup.
+// TSX serves as an alternative to Node.js, allowing you to build directly on the Node.js runtime.
+// Its functionality mirrors Node.js, with the only difference being the absence of a final build step. Production should ideally be launched with TSX.
+// TSC is effective for creating a final build, but it requires manual copying of all static files such as handlebars, emails, etc.
+// A significant challenge is the shift towards ESM, as more packages are adopting ESM. If the output is in CommonJS, it may lead to errors.
+// The suggested configuration offers a balance, accommodating both ESM and CommonJS requirements.
+
 export default defineConfig({
   shims: true,
+  clean: true,
+  minify: false,
+  keepNames: true,
+  splitting: false,
   format: "esm",
+  // copy the files to output
   loader: {
     ".handlebars": "copy",
-    ".md": "copy"
+    ".md": "copy",
+    ".txt": "copy"
   },
   external: ["../../../frontend/node_modules/next/dist/server/next-server.js"],
   outDir: "dist",
+  tsconfig: "./tsconfig.json",
   entry: ["./src"],
-  sourceMap: "inline"
+  sourceMap: true,
+  skipNodeModulesBundle: true,
+  esbuildPlugins: [
+    {
+      // esm directory import are not allowed
+      // /folder1 should be explicitly imported as /folder1/index.ts
+      // this plugin will append it automatically on build time to all imports
+      name: "commonjs-esm-directory-import",
+      setup(build) {
+        build.onResolve({ filter: /.*/ }, async (args) => {
+          if (args.importer) {
+            if (args.kind === "import-statement") {
+              const isRelativePath = args.path.startsWith(".");
+              const absPath = isRelativePath
+                ? path.join(args.resolveDir, args.path)
+                : path.join(args.path.replace("@app", "./src"));
+
+              const isFile = await fs
+                .stat(`${absPath}.ts`)
+                .then((el) => el.isFile)
+                .catch((err) => err.code === "ENOTDIR");
+
+              return {
+                path: isFile ? `${args.path}.mjs` : `${args.path}/index.mjs`,
+                external: true
+              };
+            }
+          }
+          return undefined;
+        });
+      }
+    }
+  ],
+  async onSuccess() {
+    // this will replace all tsconfig paths
+    await replaceTscAliasPaths({
+      configFile: "tsconfig.json",
+      watch: false,
+      outDir: "dist"
+    });
+  }
 });

docker-compose.pg.yml

@@ -34,6 +34,17 @@ services:
     volumes:
       - redis_data:/data
 
+  redis-commander:
+    container_name: infisical-dev-redis-commander
+    image: rediscommander/redis-commander
+    restart: always
+    depends_on:
+      - redis
+    environment:
+      - REDIS_HOSTS=local:redis:6379
+    ports:
+      - "8085:8081"
+
   db-test:
     profiles: ["test"]
     image: postgres:14-alpine

docs/documentation/platform/role-based-access-controls.mdx

@@ -1,6 +1,6 @@
 ---
 title: "Role-based Access Controls"
-description: "Infisical's Role-based Acccess Controls enable creating permissions for user and machine identities to restrict access to resources and the range of actions that can performed."
+description: "Infisical's Role-based Access Controls enable creating permissions for user and machine identities to restrict access to resources and the range of actions that can be performed."
 ---
 
 ### General access controls

frontend/src/views/admin/DashboardPage/DashboardPage.tsx

@@ -30,35 +30,35 @@ export const AdminDashboardPage = () => {
 
   return (
     <div className="container mx-auto max-w-7xl pb-12 text-white dark:[color-scheme:dark]">
-      <div className="mb-8">
-        <div className="mb-4 mt-6 flex flex-col items-start justify-between text-xl">
+      <div className="mx-auto mb-6 w-full max-w-7xl py-6 px-6">
+        <div className="mb-8 flex flex-col items-start justify-between text-xl">
           <h1 className="text-3xl font-semibold">Admin Dashboard</h1>
-          <p className="text-base text-bunker-300">Manage your Infisical</p>
+          <p className="text-base text-bunker-300">Manage your Infisical instance.</p>
         </div>
+        {isUserLoading || isNotAllowed ? (
+          <ContentLoader text={isNotAllowed ? "Redirecting to org page..." : undefined} />
+        ) : (
+          <div>
+            <Tabs defaultValue={TabSections.Settings}>
+              <TabList>
+                <div className="flex w-full flex-row border-b border-mineshaft-600">
+                  <Tab value={TabSections.Settings}>General</Tab>
+                </div>
+              </TabList>
+              <TabPanel value={TabSections.Settings}>
+                <div className="flex items-center space-x-4">
+                  <Switch
+                    id="disable-invite"
+                    isChecked={Boolean(config?.allowSignUp)}
+                    onCheckedChange={(isChecked) => updateServerConfig({ allowSignUp: isChecked })}
+                  />
+                  <div className="flex-grow">Enable signup or invite</div>
+                </div>
+              </TabPanel>
+            </Tabs>
+          </div>
+        )}
       </div>
-      {isUserLoading || isNotAllowed ? (
-        <ContentLoader text={isNotAllowed ? "Redirecting to org page..." : undefined} />
-      ) : (
-        <div>
-          <Tabs defaultValue={TabSections.Settings}>
-            <TabList>
-              <div className="flex w-full flex-row border-b border-mineshaft-600">
-                <Tab value={TabSections.Settings}>General</Tab>
-              </div>
-            </TabList>
-            <TabPanel value={TabSections.Settings}>
-              <div className="flex items-center space-x-4">
-                <Switch
-                  id="disable-invite"
-                  isChecked={Boolean(config?.allowSignUp)}
-                  onCheckedChange={(isChecked) => updateServerConfig({ allowSignUp: isChecked })}
-                />
-                <div className="flex-grow">Enable signup or invite</div>
-              </div>
-            </TabPanel>
-          </Tabs>
-        </div>
-      )}
     </div>
   );
 };

frontend/src/views/admin/SignUpPage/SignUpPage.tsx

@@ -61,7 +61,7 @@ export const SignUpPage = () => {
         router.push("/login");
       }
     }
-  }, [config?.initialized]);
+  }, []);
 
   const { mutateAsync: createAdminUser } = useCreateAdminUser();