Helm

Fix: Silent integration errors

backend/package-lock.json

@@ -6459,12 +6459,12 @@
       }
     },
     "node_modules/braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
       "dev": true,
       "dependencies": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
       },
       "engines": {
         "node": ">=8"
@@ -8115,9 +8115,9 @@
       }
     },
     "node_modules/fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
       "dev": true,
       "dependencies": {
         "to-regex-range": "^5.0.1"

backend/src/lib/api-docs/constants.ts

@@ -508,12 +508,27 @@ export const SECRET_TAGS = {
   LIST: {
     projectId: "The ID of the project to list tags from."
   },
+  GET_TAG_BY_ID: {
+    projectId: "The ID of the project to get tags from.",
+    tagId: "The ID of the tag to get details"
+  },
+  GET_TAG_BY_SLUG: {
+    projectId: "The ID of the project to get tags from.",
+    tagSlug: "The slug of the tag to get details"
+  },
   CREATE: {
     projectId: "The ID of the project to create the tag in.",
     name: "The name of the tag to create.",
     slug: "The slug of the tag to create.",
     color: "The color of the tag to create."
   },
+  UPDATE: {
+    projectId: "The ID of the project to update the tag in.",
+    tagId: "The ID of the tag to get details",
+    name: "The name of the tag to update.",
+    slug: "The slug of the tag to update.",
+    color: "The color of the tag to update."
+  },
   DELETE: {
     tagId: "The ID of the tag to delete.",
     projectId: "The ID of the project to delete the tag from."

backend/src/lib/errors/index.ts

@@ -59,6 +59,18 @@ export class BadRequestError extends Error {
   }
 }
 
+export class NotFoundError extends Error {
+  name: string;
+
+  error: unknown;
+
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+    super(message ?? "The requested entity is not found");
+    this.name = name || "NotFound";
+    this.error = error;
+  }
+}
+
 export class DisableRotationErrors extends Error {
   name: string;
 

backend/src/server/plugins/error-handler.ts

@@ -6,6 +6,7 @@ import {
   BadRequestError,
   DatabaseError,
   InternalServerError,
+  NotFoundError,
   ScimRequestError,
   UnauthorizedError
 } from "@app/lib/errors";
@@ -15,6 +16,8 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
     req.log.error(error);
     if (error instanceof BadRequestError) {
       void res.status(400).send({ statusCode: 400, message: error.message, error: error.name });
+    } else if (error instanceof NotFoundError) {
+      void res.status(404).send({ statusCode: 404, message: error.message, error: error.name });
     } else if (error instanceof UnauthorizedError) {
       void res.status(403).send({ statusCode: 403, message: error.message, error: error.name });
     } else if (error instanceof DatabaseError || error instanceof InternalServerError) {

backend/src/server/routes/v1/project-membership-router.ts

@@ -309,4 +309,32 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
       return { membership };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/:workspaceId/leave",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          membership: ProjectMembershipsSchema
+        })
+      }
+    },
+
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const membership = await server.services.projectMembership.leaveProject({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        projectId: req.params.workspaceId
+      });
+      return { membership };
+    }
+  });
 };

backend/src/server/routes/v1/secret-tag-router.ts

@@ -36,6 +36,67 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:projectId/tags/:tagId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_ID.projectId),
+        tagId: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_ID.tagId)
+      }),
+      response: {
+        200: z.object({
+          workspaceTag: SecretTagsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const workspaceTag = await server.services.secretTag.getTagById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.tagId
+      });
+      return { workspaceTag };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/tags/slug/:tagSlug",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_SLUG.projectId),
+        tagSlug: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_SLUG.tagSlug)
+      }),
+      response: {
+        200: z.object({
+          workspaceTag: SecretTagsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const workspaceTag = await server.services.secretTag.getTagBySlug({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.params.tagSlug,
+        projectId: req.params.projectId
+      });
+      return { workspaceTag };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/:projectId/tags",
@@ -71,6 +132,42 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "PATCH",
+    url: "/:projectId/tags/:tagId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string().trim().describe(SECRET_TAGS.UPDATE.projectId),
+        tagId: z.string().trim().describe(SECRET_TAGS.UPDATE.tagId)
+      }),
+      body: z.object({
+        name: z.string().trim().describe(SECRET_TAGS.UPDATE.name),
+        slug: z.string().trim().describe(SECRET_TAGS.UPDATE.slug),
+        color: z.string().trim().describe(SECRET_TAGS.UPDATE.color)
+      }),
+      response: {
+        200: z.object({
+          workspaceTag: SecretTagsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const workspaceTag = await server.services.secretTag.updateTag({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        id: req.params.tagId
+      });
+      return { workspaceTag };
+    }
+  });
+
   server.route({
     method: "DELETE",
     url: "/:projectId/tags/:tagId",

backend/src/server/routes/v3/secret-router.ts

@@ -8,7 +8,7 @@ import {
   SecretType,
   ServiceTokenScopes
 } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
@@ -259,18 +259,20 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.SecretPulled,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          numberOfSecrets: secrets.length,
-          workspaceId,
-          environment,
-          secretPath: req.query.secretPath,
-          channel: getUserAgentType(req.headers["user-agent"]),
-          ...req.auditLogInfo
-        }
-      });
+      if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+        await server.services.telemetry.sendPostHogEvents({
+          event: PostHogEventTypes.SecretPulled,
+          distinctId: getTelemetryDistinctId(req),
+          properties: {
+            numberOfSecrets: secrets.length,
+            workspaceId,
+            environment,
+            secretPath: req.query.secretPath,
+            channel: getUserAgentType(req.headers["user-agent"]),
+            ...req.auditLogInfo
+          }
+        });
+      }
       return { secrets, imports };
     }
   });
@@ -367,18 +369,20 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.SecretPulled,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          numberOfSecrets: 1,
-          workspaceId: secret.workspace,
-          environment,
-          secretPath: req.query.secretPath,
-          channel: getUserAgentType(req.headers["user-agent"]),
-          ...req.auditLogInfo
-        }
-      });
+      if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+        await server.services.telemetry.sendPostHogEvents({
+          event: PostHogEventTypes.SecretPulled,
+          distinctId: getTelemetryDistinctId(req),
+          properties: {
+            numberOfSecrets: 1,
+            workspaceId: secret.workspace,
+            environment,
+            secretPath: req.query.secretPath,
+            channel: getUserAgentType(req.headers["user-agent"]),
+            ...req.auditLogInfo
+          }
+        });
+      }
       return { secret };
     }
   });
@@ -723,24 +727,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       });
 
       // TODO: Move to telemetry plugin
-      let shouldRecordK8Event = false;
-      if (req.headers["user-agent"] === "k8-operatoer") {
-        const randomNumber = Math.random();
-        if (randomNumber > 0.95) {
-          shouldRecordK8Event = true;
-        }
-      }
+      // let shouldRecordK8Event = false;
+      // if (req.headers["user-agent"] === "k8-operatoer") {
+      //   const randomNumber = Math.random();
+      //   if (randomNumber > 0.95) {
+      //     shouldRecordK8Event = true;
+      //   }
+      // }
 
       const shouldCapture =
-        req.query.workspaceId !== "650e71fbae3e6c8572f436d4" &&
-        (req.headers["user-agent"] !== "k8-operator" || shouldRecordK8Event);
-      const approximateNumberTotalSecrets = secrets.length * 20;
+        req.query.workspaceId !== "650e71fbae3e6c8572f436d4" && req.headers["user-agent"] !== "k8-operator";
       if (shouldCapture) {
         await server.services.telemetry.sendPostHogEvents({
           event: PostHogEventTypes.SecretPulled,
           distinctId: getTelemetryDistinctId(req),
           properties: {
-            numberOfSecrets: shouldRecordK8Event ? approximateNumberTotalSecrets : secrets.length,
+            numberOfSecrets: secrets.length,
             workspaceId: req.query.workspaceId,
             environment: req.query.environment,
             secretPath: req.query.secretPath,
@@ -817,18 +819,20 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.SecretPulled,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          numberOfSecrets: 1,
-          workspaceId: req.query.workspaceId,
-          environment: req.query.environment,
-          secretPath: req.query.secretPath,
-          channel: getUserAgentType(req.headers["user-agent"]),
-          ...req.auditLogInfo
-        }
-      });
+      if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+        await server.services.telemetry.sendPostHogEvents({
+          event: PostHogEventTypes.SecretPulled,
+          distinctId: getTelemetryDistinctId(req),
+          properties: {
+            numberOfSecrets: 1,
+            workspaceId: req.query.workspaceId,
+            environment: req.query.environment,
+            secretPath: req.query.secretPath,
+            channel: getUserAgentType(req.headers["user-agent"]),
+            ...req.auditLogInfo
+          }
+        });
+      }
       return { secret };
     }
   });

backend/src/services/project-membership/project-membership-service.ts

@@ -36,6 +36,7 @@ import {
   TDeleteProjectMembershipsDTO,
   TGetProjectMembershipByUsernameDTO,
   TGetProjectMembershipDTO,
+  TLeaveProjectDTO,
   TUpdateProjectMembershipDTO
 } from "./project-membership-types";
 import { TProjectUserMembershipRoleDALFactory } from "./project-user-membership-role-dal";
@@ -531,6 +532,53 @@ export const projectMembershipServiceFactory = ({
     return memberships;
   };
 
+  const leaveProject = async ({ projectId, actorId, actor }: TLeaveProjectDTO) => {
+    if (actor !== ActorType.USER) {
+      throw new BadRequestError({ message: "Only users can leave projects" });
+    }
+
+    const project = await projectDAL.findById(projectId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    if (project.version !== ProjectVersion.V2) {
+      throw new BadRequestError({
+        message: "Please ask your project administrator to upgrade the project before leaving."
+      });
+    }
+
+    const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
+
+    if (!projectMembers?.length) {
+      throw new BadRequestError({ message: "Failed to find project members" });
+    }
+
+    if (projectMembers.length < 2) {
+      throw new BadRequestError({ message: "You cannot leave the project as you are the only member" });
+    }
+
+    const adminMembers = projectMembers.filter(
+      (member) => member.roles.map((r) => r.role).includes("admin") && member.userId !== actorId
+    );
+    if (!adminMembers.length) {
+      throw new BadRequestError({
+        message: "You cannot leave the project as you are the only admin. Promote another user to admin before leaving."
+      });
+    }
+
+    const deletedMembership = (
+      await projectMembershipDAL.delete({
+        projectId: project.id,
+        userId: actorId
+      })
+    )?.[0];
+
+    if (!deletedMembership) {
+      throw new BadRequestError({ message: "Failed to leave project" });
+    }
+
+    return deletedMembership;
+  };
+
   return {
     getProjectMemberships,
     getProjectMembershipByUsername,
@@ -538,6 +586,7 @@ export const projectMembershipServiceFactory = ({
     addUsersToProjectNonE2EE,
     deleteProjectMemberships,
     deleteProjectMembership, // TODO: Remove this
-    addUsersToProject
+    addUsersToProject,
+    leaveProject
   };
 };

backend/src/services/project-membership/project-membership-types.ts

@@ -1,6 +1,7 @@
 import { TProjectPermission } from "@app/lib/types";
 
 export type TGetProjectMembershipDTO = TProjectPermission;
+export type TLeaveProjectDTO = Omit<TProjectPermission, "actorOrgId" | "actorAuthMethod">;
 export enum ProjectUserMembershipTemporaryMode {
   Relative = "relative"
 }

backend/src/services/secret-tag/secret-tag-service.ts

@@ -2,10 +2,17 @@ import { ForbiddenError } from "@casl/ability";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 
 import { TSecretTagDALFactory } from "./secret-tag-dal";
-import { TCreateTagDTO, TDeleteTagDTO, TListProjectTagsDTO } from "./secret-tag-types";
+import {
+  TCreateTagDTO,
+  TDeleteTagDTO,
+  TGetTagByIdDTO,
+  TGetTagBySlugDTO,
+  TListProjectTagsDTO,
+  TUpdateTagDTO
+} from "./secret-tag-types";
 
 type TSecretTagServiceFactoryDep = {
   secretTagDAL: TSecretTagDALFactory;
@@ -48,6 +55,28 @@ export const secretTagServiceFactory = ({ secretTagDAL, permissionService }: TSe
     return newTag;
   };
 
+  const updateTag = async ({ actorId, actor, actorOrgId, actorAuthMethod, id, name, color, slug }: TUpdateTagDTO) => {
+    const tag = await secretTagDAL.findById(id);
+    if (!tag) throw new BadRequestError({ message: "Tag doesn't exist" });
+
+    if (slug) {
+      const existingTag = await secretTagDAL.findOne({ slug, projectId: tag.projectId });
+      if (existingTag && existingTag.id !== tag.id) throw new BadRequestError({ message: "Tag already exist" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      tag.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Tags);
+
+    const updatedTag = await secretTagDAL.updateById(tag.id, { name, color, slug });
+    return updatedTag;
+  };
+
   const deleteTag = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TDeleteTagDTO) => {
     const tag = await secretTagDAL.findById(id);
     if (!tag) throw new BadRequestError({ message: "Tag doesn't exist" });
@@ -65,6 +94,38 @@ export const secretTagServiceFactory = ({ secretTagDAL, permissionService }: TSe
     return deletedTag;
   };
 
+  const getTagById = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetTagByIdDTO) => {
+    const tag = await secretTagDAL.findById(id);
+    if (!tag) throw new NotFoundError({ message: "Tag doesn't exist" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      tag.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
+
+    return tag;
+  };
+
+  const getTagBySlug = async ({ actorId, actor, actorOrgId, actorAuthMethod, slug, projectId }: TGetTagBySlugDTO) => {
+    const tag = await secretTagDAL.findOne({ projectId, slug });
+    if (!tag) throw new NotFoundError({ message: "Tag doesn't exist" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      tag.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
+
+    return tag;
+  };
+
   const getProjectTags = async ({ actor, actorId, actorOrgId, actorAuthMethod, projectId }: TListProjectTagsDTO) => {
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -79,5 +140,5 @@ export const secretTagServiceFactory = ({ secretTagDAL, permissionService }: TSe
     return tags;
   };
 
-  return { createTag, deleteTag, getProjectTags };
+  return { createTag, deleteTag, getProjectTags, getTagById, getTagBySlug, updateTag };
 };

backend/src/services/secret-tag/secret-tag-types.ts

@@ -6,6 +6,21 @@ export type TCreateTagDTO = {
   slug: string;
 } & TProjectPermission;
 
+export type TUpdateTagDTO = {
+  id: string;
+  name?: string;
+  slug?: string;
+  color?: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetTagByIdDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetTagBySlugDTO = {
+  slug: string;
+} & TProjectPermission;
+
 export type TDeleteTagDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;

docs/api-reference/endpoints/secret-tags/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get By ID"
+openapi: "GET /api/v1/workspace/{projectId}/tags/{tagId}"
+---

docs/api-reference/endpoints/secret-tags/get-by-slug.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get By Slug"
+openapi: "GET /api/v1/workspace/{projectId}/tags/slug/{tagSlug}"
+---

docs/api-reference/endpoints/secret-tags/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/workspace/{projectId}/tags/{tagId}"
+---

docs/mint.json

@@ -505,7 +505,10 @@
           "group": "Secret Tags",
           "pages": [
             "api-reference/endpoints/secret-tags/list",
+            "api-reference/endpoints/secret-tags/get-by-id",
+            "api-reference/endpoints/secret-tags/get-by-slug",
             "api-reference/endpoints/secret-tags/create",
+            "api-reference/endpoints/secret-tags/update",
             "api-reference/endpoints/secret-tags/delete"
           ]
         },

frontend/src/components/v2/LeaveProjectModal/LeaveProjectModal.tsx

@@ -0,0 +1,104 @@
+import { useEffect, useState } from "react";
+
+import { useToggle } from "@app/hooks";
+
+import { Button } from "../Button";
+import { FormControl } from "../FormControl";
+import { Input } from "../Input";
+import { Modal, ModalClose, ModalContent } from "../Modal";
+
+type Props = {
+  deleteKey: string;
+  title: string;
+  onLeaveApproved: () => Promise<void>;
+  onClose?: () => void;
+  onChange?: (isOpen: boolean) => void;
+  isOpen?: boolean;
+  subTitle?: string;
+  buttonText?: string;
+};
+
+export const LeaveProjectModal = ({
+  isOpen,
+  onClose,
+  onChange,
+  deleteKey,
+  onLeaveApproved,
+  title,
+  subTitle,
+  buttonText = "Leave Project"
+}: Props): JSX.Element => {
+  const [inputData, setInputData] = useState("");
+  const [isLoading, setIsLoading] = useToggle();
+
+  useEffect(() => {
+    setInputData("");
+  }, [isOpen]);
+
+  const onDelete = async () => {
+    setIsLoading.on();
+    try {
+      await onLeaveApproved();
+    } catch {
+      setIsLoading.off();
+    } finally {
+      setIsLoading.off();
+    }
+  };
+
+  return (
+    <Modal
+      isOpen={isOpen}
+      onOpenChange={(isOpenState) => {
+        setInputData("");
+        if (onChange) onChange(isOpenState);
+      }}
+    >
+      <ModalContent
+        title={title}
+        subTitle={subTitle}
+        footerContent={
+          <div className="mx-2 flex items-center">
+            <Button
+              className="mr-4"
+              colorSchema="danger"
+              isDisabled={!(deleteKey === inputData) || isLoading}
+              onClick={onDelete}
+              isLoading={isLoading}
+            >
+              {buttonText}
+            </Button>
+            <ModalClose asChild>
+              <Button variant="plain" colorSchema="secondary" onClick={onClose}>
+                Cancel
+              </Button>
+            </ModalClose>{" "}
+          </div>
+        }
+        onClose={onClose}
+      >
+        <form
+          onSubmit={(evt) => {
+            evt.preventDefault();
+            if (deleteKey === inputData) onDelete();
+          }}
+        >
+          <FormControl
+            label={
+              <div className="break-words pb-2 text-sm">
+                Type <span className="font-bold">{deleteKey}</span> to leave the project
+              </div>
+            }
+            className="mb-0"
+          >
+            <Input
+              value={inputData}
+              onChange={(e) => setInputData(e.target.value)}
+              placeholder="Type to confirm..."
+            />
+          </FormControl>
+        </form>
+      </ModalContent>
+    </Modal>
+  );
+};

frontend/src/components/v2/LeaveProjectModal/index.tsx

@@ -0,0 +1 @@
+export { LeaveProjectModal } from "./LeaveProjectModal";

frontend/src/hooks/api/workspace/index.tsx

@@ -1,6 +1,7 @@
 export {
   useAddGroupToWorkspace,
   useDeleteGroupFromWorkspace,
+  useLeaveProject,
   useUpdateGroupWorkspaceRole
 } from "./mutations";
 export {
@@ -30,4 +31,5 @@ export {
   useUpdateIdentityWorkspaceRole,
   useUpdateUserWorkspaceRole,
   useUpdateWsEnvironment,
-  useUpgradeProject} from "./queries";
+  useUpgradeProject
+} from "./queries";

frontend/src/hooks/api/workspace/mutations.tsx

@@ -62,3 +62,15 @@ export const useDeleteGroupFromWorkspace = () => {
     }
   });
 };
+
+export const useLeaveProject = () => {
+  const queryClient = useQueryClient();
+  return useMutation<{}, {}, { workspaceId: string }>({
+    mutationFn: ({ workspaceId }) => {
+      return apiRequest.delete(`/api/v1/workspace/${workspaceId}/leave`);
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries(workspaceKeys.getAllUserWorkspace);
+    }
+  });
+};

frontend/src/pages/signupinvite.tsx

@@ -75,7 +75,12 @@ export default function SignupInvite() {
   // Verifies if the information that the users entered (name, workspace) is there, and if the password matched the criteria.
   const signupErrorCheck = async () => {
     setIsLoading(true);
-    let errorCheck = false;
+
+    let errorCheck = await checkPassword({
+      password,
+      setErrors
+    });
+
     if (!firstName) {
       setFirstNameError(true);
       errorCheck = true;
@@ -89,11 +94,6 @@ export default function SignupInvite() {
       setLastNameError(false);
     }
 
-    errorCheck = await checkPassword({
-      password,
-      setErrors
-    });
-
     if (!errorCheck) {
       // Generate a random pair of a public and a private key
       const pair = nacl.box.keyPair();

frontend/src/views/Settings/ProjectSettingsPage/components/DeleteProjectSection/DeleteProjectSection.tsx

@@ -1,29 +1,52 @@
+import { useMemo } from "react";
 import { useRouter } from "next/router";
 
 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import { Button, DeleteActionModal } from "@app/components/v2";
+import { LeaveProjectModal } from "@app/components/v2/LeaveProjectModal";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
   useOrganization,
+  useProjectPermission,
   useWorkspace
 } from "@app/context";
 import { useToggle } from "@app/hooks";
-import { useDeleteWorkspace } from "@app/hooks/api";
+import { useDeleteWorkspace, useGetWorkspaceUsers, useLeaveProject } from "@app/hooks/api";
 import { usePopUp } from "@app/hooks/usePopUp";
 
 export const DeleteProjectSection = () => {
   const router = useRouter();
-  
+
   const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
-    "deleteWorkspace"
+    "deleteWorkspace",
+    "leaveWorkspace"
   ] as const);
 
   const { currentOrg } = useOrganization();
+  const { hasProjectRole, membership } = useProjectPermission();
   const { currentWorkspace } = useWorkspace();
   const [isDeleting, setIsDeleting] = useToggle();
+  const [isLeaving, setIsLeaving] = useToggle();
   const deleteWorkspace = useDeleteWorkspace();
+  const leaveProject = useLeaveProject();
+  const { data: members, isLoading: isMembersLoading } = useGetWorkspaceUsers(
+    currentWorkspace?.id || ""
+  );
+
+  // If isNoAccessMember is true, then the user can't read the workspace members. So we need to handle this case separately.
+  const isNoAccessMember = hasProjectRole("no-access");
+
+  const isOnlyAdminMember = useMemo(() => {
+    if (!members || !membership || !hasProjectRole("admin")) return false;
+
+    const adminMembers = members.filter(
+      (member) => member.roles.map((r) => r.role).includes("admin") && member.id !== membership.id // exclude the current user
+    );
+
+    return !adminMembers.length;
+  }, [members, membership]);
 
   const handleDeleteWorkspaceSubmit = async () => {
     setIsDeleting.on();
@@ -53,23 +76,97 @@ export const DeleteProjectSection = () => {
     }
   };
 
+  const handleLeaveWorkspaceSubmit = async () => {
+    console.log({
+      currentWorkspace,
+      currentOrg,
+      members,
+      isNoAccessMember,
+      membership
+    });
+
+    try {
+      setIsLeaving.on();
+
+      if (!currentWorkspace?.id || !currentOrg?.id) return;
+
+      // If there's no members, and the user has access to read members, something went wrong.
+      if (!members && !isNoAccessMember) return;
+
+      // If the user has elevated permissions and can read members:
+      if (!isNoAccessMember) {
+        if (!members) return;
+
+        if (members.length < 2) {
+          createNotification({
+            text: "You can't leave the project as you are the only member",
+            type: "error"
+          });
+          return;
+        }
+        // If the user has access to read members, and there's less than 1 admin member excluding the current user, they can't leave the project.
+        if (isOnlyAdminMember) {
+          createNotification({
+            text: "You can't leave a project with no admin members left. Promote another member to admin first.",
+            type: "error"
+          });
+          return;
+        }
+      }
+
+      // If it's actually a no-access member, then we don't really care about the members.
+
+      await leaveProject.mutateAsync({
+        workspaceId: currentWorkspace.id
+      });
+
+      router.push(`/org/${currentOrg.id}/overview`);
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to leave project",
+        type: "error"
+      });
+    } finally {
+      setIsLeaving.off();
+    }
+  };
+
   return (
     <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
       <p className="mb-4 text-xl font-semibold text-mineshaft-100">Danger Zone</p>
-      <ProjectPermissionCan I={ProjectPermissionActions.Delete} a={ProjectPermissionSub.Workspace}>
-        {(isAllowed) => (
+      <div className="space-x-4">
+        <ProjectPermissionCan
+          I={ProjectPermissionActions.Delete}
+          a={ProjectPermissionSub.Workspace}
+        >
+          {(isAllowed) => (
+            <Button
+              isLoading={isDeleting}
+              isDisabled={!isAllowed || isDeleting}
+              colorSchema="danger"
+              variant="outline_bg"
+              type="submit"
+              onClick={() => handlePopUpOpen("deleteWorkspace")}
+            >
+              {`Delete ${currentWorkspace?.name}`}
+            </Button>
+          )}
+        </ProjectPermissionCan>
+        {!isOnlyAdminMember && (
           <Button
-            isLoading={isDeleting}
-            isDisabled={!isAllowed || isDeleting}
+            disabled={isMembersLoading || (members && members?.length < 2)}
+            isLoading={isLeaving}
             colorSchema="danger"
             variant="outline_bg"
             type="submit"
-            onClick={() => handlePopUpOpen("deleteWorkspace")}
+            onClick={() => handlePopUpOpen("leaveWorkspace")}
           >
-            {`Delete ${currentWorkspace?.name}`}
+            {`Leave ${currentWorkspace?.name}`}
           </Button>
         )}
-      </ProjectPermissionCan>
+      </div>
+
       <DeleteActionModal
         isOpen={popUp.deleteWorkspace.isOpen}
         title="Are you sure want to delete this project?"
@@ -79,6 +176,16 @@ export const DeleteProjectSection = () => {
         buttonText="Delete Project"
         onDeleteApproved={handleDeleteWorkspaceSubmit}
       />
+
+      <LeaveProjectModal
+        isOpen={popUp.leaveWorkspace.isOpen}
+        title="Are you sure want to leave this project?"
+        subTitle={`If you leave ${currentWorkspace?.name} you will lose access to the project and it's contents.`}
+        onChange={(isOpen) => handlePopUpToggle("leaveWorkspace", isOpen)}
+        deleteKey="confirm"
+        buttonText="Leave Project"
+        onLeaveApproved={handleLeaveWorkspaceSubmit}
+      />
     </div>
   );
 };

helm-charts/secrets-operator/Chart.yaml

@@ -18,4 +18,4 @@ version: v0.6.1
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.6.0"
+appVersion: "v0.6.1"

helm-charts/secrets-operator/values.yaml

@@ -32,7 +32,7 @@ controllerManager:
         - ALL
     image:
       repository: infisical/kubernetes-operator
-      tag: v0.6.0
+      tag: v0.6.1
     resources:
       limits:
         cpu: 500m

k8-operator/controllers/infisicalsecret_controller.go

@@ -5,11 +5,17 @@ import (
 	"fmt"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	controllerUtil "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
 	"github.com/Infisical/infisical/k8-operator/packages/api"
@@ -69,6 +75,31 @@ func (r *InfisicalSecretReconciler) handleFinalizer(ctx context.Context, infisic
 	return nil
 }
 
+func (r *InfisicalSecretReconciler) handleManagedSecretDeletion(secret client.Object) []ctrl.Request {
+	var requests []ctrl.Request
+	infisicalSecrets := &secretsv1alpha1.InfisicalSecretList{}
+	err := r.List(context.Background(), infisicalSecrets)
+	if err != nil {
+		fmt.Printf("unable to list Infisical Secrets from cluster because [err=%v]", err)
+		return requests
+	}
+
+	for _, infisicalSecret := range infisicalSecrets.Items {
+		if secret.GetName() == infisicalSecret.Spec.ManagedSecretReference.SecretName &&
+			secret.GetNamespace() == infisicalSecret.Spec.ManagedSecretReference.SecretNamespace {
+			requests = append(requests, ctrl.Request{
+				NamespacedName: client.ObjectKey{
+					Namespace: infisicalSecret.Namespace,
+					Name:      infisicalSecret.Name,
+				},
+			})
+			fmt.Printf("\nManaged secret deleted in resource %s: [name=%v] [namespace=%v]\n", infisicalSecret.Name, secret.GetName(), secret.GetNamespace())
+		}
+	}
+
+	return requests
+}
+
 func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	var infisicalSecretCR secretsv1alpha1.InfisicalSecret
 	requeueTime := time.Minute // seconds
@@ -154,9 +185,18 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}, nil
 }
 
-// SetupWithManager sets up the controller with the Manager.
 func (r *InfisicalSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&secretsv1alpha1.InfisicalSecret{}).
+		Watches(
+			&source.Kind{Type: &corev1.Secret{}},
+			handler.EnqueueRequestsFromMapFunc(r.handleManagedSecretDeletion),
+			builder.WithPredicates(predicate.Funcs{
+				// Always return true to ensure we process all delete events
+				DeleteFunc: func(e event.DeleteEvent) bool {
+					return true
+				},
+			}),
+		).
 		Complete(r)
 }