Add scaffolding for email confirmation / account merging

.github/workflows/check-api-for-breaking-changes.yml

@@ -5,7 +5,6 @@ on:
     types: [opened, synchronize]
     paths:
       - "backend/src/server/routes/**"
-      - "backend/src/ee/routes/**"
 
 jobs:
   check-be-api-changes:

.github/workflows/release_build_infisical_cli.yml

@@ -1,64 +1,60 @@
 name: Build and release CLI
 
 on:
-    push:
-        # run only against tags
-        tags:
-            - "infisical-cli/v*.*.*"
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
 
 permissions:
-    contents: write
-    # packages: write
-    # issues: write
-jobs:
-    cli-integration-tests:
-        name: Run tests before deployment
-        uses: ./.github/workflows/run-cli-tests.yml
+  contents: write
+  # packages: write
+  # issues: write
 
-    goreleaser:
-        runs-on: ubuntu-20.04
-        needs: [cli-integration-tests]
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-            - name: 🐋 Login to Docker Hub
-              uses: docker/login-action@v2
-              with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-            - name: 🔧 Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-            - run: git fetch --force --tags
-            - run: echo "Ref name ${{github.ref_name}}"
-            - uses: actions/setup-go@v3
-              with:
-                  go-version: ">=1.19.3"
-                  cache: true
-                  cache-dependency-path: cli/go.sum
-            - name: libssl1.1 => libssl1.0-dev for OSXCross
-              run: |
-                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-                  sudo apt update && apt-cache policy libssl1.0-dev
-                  sudo apt-get install libssl1.0-dev
-            - name: OSXCross for CGO Support
-              run: |
-                  mkdir ../../osxcross
-                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-            - uses: goreleaser/goreleaser-action@v4
-              with:
-                  distribution: goreleaser-pro
-                  version: latest
-                  args: release --clean
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-                  AUR_KEY: ${{ secrets.AUR_KEY }}
-                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-            - uses: actions/setup-python@v4
-            - run: pip install --upgrade cloudsmith-cli
-            - name: Publish to CloudSmith
-              run: sh cli/upload_to_cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+jobs:
+  goreleaser:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: libssl1.1 => libssl1.0-dev for OSXCross
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt update && apt-cache policy libssl1.0-dev
+          sudo apt-get install libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/run-cli-tests.yml

@@ -1,34 +0,0 @@
-name: Go CLI Tests
-
-on:
-    pull_request:
-        types: [opened, synchronize]
-        paths:
-            - "cli/**"
-
-    workflow_call:
-
-jobs:
-    test:
-        defaults:
-            run:
-                working-directory: ./cli
-        runs-on: ubuntu-latest
-
-        steps:
-            - uses: actions/checkout@v4
-            - name: Setup Go
-              uses: actions/setup-go@v4
-              with:
-                  go-version: "1.21.x"
-            - name: Install dependencies
-              run: go get .
-            - name: Test with the Go CLI
-              env:
-                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-
-              run: go test -v -count=1 ./test

.gitignore

@@ -67,5 +67,3 @@ yarn-error.log*
 frontend-build
 
 *.tgz
-cli/infisical-merge
-cli/test/infisical-merge

backend/.eslintrc.js

@@ -23,17 +23,16 @@ module.exports = {
   root: true,
   overrides: [
     {
-      files: ["./e2e-test/**/*", "./src/db/migrations/**/*"],
+      files: ["./e2e-test/**/*"],
       rules: {
         "@typescript-eslint/no-unsafe-member-access": "off",
         "@typescript-eslint/no-unsafe-assignment": "off",
         "@typescript-eslint/no-unsafe-argument": "off",
         "@typescript-eslint/no-unsafe-return": "off",
-        "@typescript-eslint/no-unsafe-call": "off"
+        "@typescript-eslint/no-unsafe-call": "off",
       }
     }
   ],
-
   rules: {
     "@typescript-eslint/no-empty-function": "off",
     "@typescript-eslint/no-unsafe-enum-comparison": "off",

backend/e2e-test/routes/v3/secrets.spec.ts

@@ -942,113 +942,6 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       const secrets = await getSecrets(seedData1.environment.slug, path);
       expect(secrets).toEqual([]);
     });
-
-    test.each(testRawSecrets)("Bulk create secret raw in path $path", async ({ path, secret }) => {
-      const createSecretReqBody = {
-        projectSlug: seedData1.project.slug,
-        environment: seedData1.environment.slug,
-        secretPath: path,
-        secrets: [
-          {
-            secretKey: secret.key,
-            secretValue: secret.value,
-            secretComment: secret.comment
-          }
-        ]
-      };
-      const createSecRes = await testServer.inject({
-        method: "POST",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: createSecretReqBody
-      });
-      expect(createSecRes.statusCode).toBe(200);
-      const createdSecretPayload = JSON.parse(createSecRes.payload);
-      expect(createdSecretPayload).toHaveProperty("secrets");
-
-      // fetch secrets
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            key: secret.key,
-            value: secret.value,
-            type: SecretType.Shared
-          })
-        ])
-      );
-
-      await deleteRawSecret({ path, key: secret.key });
-    });
-
-    test.each(testRawSecrets)("Bulk update secret raw in path $path", async ({ secret, path }) => {
-      await createRawSecret({ path, ...secret });
-      const updateSecretReqBody = {
-        projectSlug: seedData1.project.slug,
-        environment: seedData1.environment.slug,
-        secretPath: path,
-        secrets: [
-          {
-            secretValue: "new-value",
-            secretKey: secret.key
-          }
-        ]
-      };
-      const updateSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: updateSecretReqBody
-      });
-      expect(updateSecRes.statusCode).toBe(200);
-      const updatedSecretPayload = JSON.parse(updateSecRes.payload);
-      expect(updatedSecretPayload).toHaveProperty("secrets");
-
-      // fetch secrets
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            key: secret.key,
-            value: "new-value",
-            version: 2,
-            type: SecretType.Shared
-          })
-        ])
-      );
-
-      await deleteRawSecret({ path, key: secret.key });
-    });
-
-    test.each(testRawSecrets)("Bulk delete secret raw in path $path", async ({ path, secret }) => {
-      await createRawSecret({ path, ...secret });
-
-      const deletedSecretReqBody = {
-        projectSlug: seedData1.project.slug,
-        environment: seedData1.environment.slug,
-        secretPath: path,
-        secrets: [{ secretKey: secret.key }]
-      };
-      const deletedSecRes = await testServer.inject({
-        method: "DELETE",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: deletedSecretReqBody
-      });
-      expect(deletedSecRes.statusCode).toBe(200);
-      const deletedSecretPayload = JSON.parse(deletedSecRes.payload);
-      expect(deletedSecretPayload).toHaveProperty("secrets");
-
-      // fetch secrets
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual([]);
-    });
   }
 );
 

backend/package-lock.json

@@ -35,7 +35,6 @@
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
         "bullmq": "^5.3.3",
-        "cassandra-driver": "^4.7.2",
         "dotenv": "^16.4.1",
         "fastify": "^4.26.0",
         "fastify-plugin": "^4.5.1",
@@ -48,11 +47,10 @@
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
-        "mysql2": "^3.9.4",
+        "mysql2": "^3.9.1",
         "nanoid": "^5.0.4",
         "nodemailer": "^6.9.9",
         "ora": "^7.0.1",
-        "oracledb": "^6.4.0",
         "passport-github": "^1.1.0",
         "passport-gitlab2": "^5.0.0",
         "passport-google-oauth20": "^2.0.0",
@@ -1710,22 +1708,6 @@
         "node": ">=12"
       }
     },
-    "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.20.2.tgz",
-      "integrity": "sha512-D+EBOJHXdNZcLJRBkhENNG8Wji2kgc9AZ9KiPr1JuZjsNtyHzrsfLRrY0tk2H2aoFu6RANO1y1iPPUCDYWkb5g==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "aix"
-      ],
-      "engines": {
-        "node": ">=12"
-      }
-    },
     "node_modules/@esbuild/android-arm": {
       "version": "0.18.20",
       "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.18.20.tgz",
@@ -3180,9 +3162,9 @@
       }
     },
     "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.14.3.tgz",
-      "integrity": "sha512-X9alQ3XM6I9IlSlmC8ddAvMSyG1WuHk5oUnXGw+yUBs3BFoTizmG1La/Gr8fVJvDWAq+zlYTZ9DBgrlKRVY06g==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.8.0.tgz",
+      "integrity": "sha512-zdTObFRoNENrdPpnTNnhOljYIcOX7aI7+7wyrSpPFFIOf/nRdedE6IYsjaBE7tjukphh1tMTojgJ7p3lKY8x6Q==",
       "cpu": [
         "arm"
       ],
@@ -3193,9 +3175,9 @@
       ]
     },
     "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.14.3.tgz",
-      "integrity": "sha512-eQK5JIi+POhFpzk+LnjKIy4Ks+pwJ+NXmPxOCSvOKSNRPONzKuUvWE+P9JxGZVxrtzm6BAYMaL50FFuPe0oWMQ==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.8.0.tgz",
+      "integrity": "sha512-aiItwP48BiGpMFS9Znjo/xCNQVwTQVcRKkFKsO81m8exrGjHkCBDvm9PHay2kpa8RPnZzzKcD1iQ9KaLY4fPQQ==",
       "cpu": [
         "arm64"
       ],
@@ -3206,9 +3188,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.14.3.tgz",
-      "integrity": "sha512-Od4vE6f6CTT53yM1jgcLqNfItTsLt5zE46fdPaEmeFHvPs5SjZYlLpHrSiHEKR1+HdRfxuzXHjDOIxQyC3ptBA==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.8.0.tgz",
+      "integrity": "sha512-zhNIS+L4ZYkYQUjIQUR6Zl0RXhbbA0huvNIWjmPc2SL0cB1h5Djkcy+RZ3/Bwszfb6vgwUvcVJYD6e6Zkpsi8g==",
       "cpu": [
         "arm64"
       ],
@@ -3219,9 +3201,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.14.3.tgz",
-      "integrity": "sha512-0IMAO21axJeNIrvS9lSe/PGthc8ZUS+zC53O0VhF5gMxfmcKAP4ESkKOCwEi6u2asUrt4mQv2rjY8QseIEb1aw==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.8.0.tgz",
+      "integrity": "sha512-A/FAHFRNQYrELrb/JHncRWzTTXB2ticiRFztP4ggIUAfa9Up1qfW8aG2w/mN9jNiZ+HB0t0u0jpJgFXG6BfRTA==",
       "cpu": [
         "x64"
       ],
@@ -3232,22 +3214,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.14.3.tgz",
-      "integrity": "sha512-ge2DC7tHRHa3caVEoSbPRJpq7azhG+xYsd6u2MEnJ6XzPSzQsTKyXvh6iWjXRf7Rt9ykIUWHtl0Uz3T6yXPpKw==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.14.3.tgz",
-      "integrity": "sha512-ljcuiDI4V3ySuc7eSk4lQ9wU8J8r8KrOUvB2U+TtK0TiW6OFDmJ+DdIjjwZHIw9CNxzbmXY39wwpzYuFDwNXuw==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.8.0.tgz",
+      "integrity": "sha512-JsidBnh3p2IJJA4/2xOF2puAYqbaczB3elZDT0qHxn362EIoIkq7hrR43Xa8RisgI6/WPfvb2umbGsuvf7E37A==",
       "cpu": [
         "arm"
       ],
@@ -3258,9 +3227,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.14.3.tgz",
-      "integrity": "sha512-Eci2us9VTHm1eSyn5/eEpaC7eP/mp5n46gTRB3Aar3BgSvDQGJZuicyq6TsH4HngNBgVqC5sDYxOzTExSU+NjA==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.8.0.tgz",
+      "integrity": "sha512-hBNCnqw3EVCkaPB0Oqd24bv8SklETptQWcJz06kb9OtiShn9jK1VuTgi7o4zPSt6rNGWQOTDEAccbk0OqJmS+g==",
       "cpu": [
         "arm64"
       ],
@@ -3271,9 +3240,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.14.3.tgz",
-      "integrity": "sha512-UrBoMLCq4E92/LCqlh+blpqMz5h1tJttPIniwUgOFJyjWI1qrtrDhhpHPuFxULlUmjFHfloWdixtDhSxJt5iKw==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.8.0.tgz",
+      "integrity": "sha512-Fw9ChYfJPdltvi9ALJ9wzdCdxGw4wtq4t1qY028b2O7GwB5qLNSGtqMsAel1lfWTZvf4b6/+4HKp0GlSYg0ahA==",
       "cpu": [
         "arm64"
       ],
@@ -3283,23 +3252,10 @@
         "linux"
       ]
     },
-    "node_modules/@rollup/rollup-linux-powerpc64le-gnu": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-powerpc64le-gnu/-/rollup-linux-powerpc64le-gnu-4.14.3.tgz",
-      "integrity": "sha512-5aRjvsS8q1nWN8AoRfrq5+9IflC3P1leMoy4r2WjXyFqf3qcqsxRCfxtZIV58tCxd+Yv7WELPcO9mY9aeQyAmw==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
     "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.14.3.tgz",
-      "integrity": "sha512-sk/Qh1j2/RJSX7FhEpJn8n0ndxy/uf0kI/9Zc4b1ELhqULVdTfN6HL31CDaTChiBAOgLcsJ1sgVZjWv8XNEsAQ==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.8.0.tgz",
+      "integrity": "sha512-BH5xIh7tOzS9yBi8dFrCTG8Z6iNIGWGltd3IpTSKp6+pNWWO6qy8eKoRxOtwFbMrid5NZaidLYN6rHh9aB8bEw==",
       "cpu": [
         "riscv64"
       ],
@@ -3309,23 +3265,10 @@
         "linux"
       ]
     },
-    "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.14.3.tgz",
-      "integrity": "sha512-jOO/PEaDitOmY9TgkxF/TQIjXySQe5KVYB57H/8LRP/ux0ZoO8cSHCX17asMSv3ruwslXW/TLBcxyaUzGRHcqg==",
-      "cpu": [
-        "s390x"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
     "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.14.3.tgz",
-      "integrity": "sha512-8ybV4Xjy59xLMyWo3GCfEGqtKV5M5gCSrZlxkPGvEPCGDLNla7v48S662HSGwRd6/2cSneMQWiv+QzcttLrrOA==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.8.0.tgz",
+      "integrity": "sha512-PmvAj8k6EuWiyLbkNpd6BLv5XeYFpqWuRvRNRl80xVfpGXK/z6KYXmAgbI4ogz7uFiJxCnYcqyvZVD0dgFog7Q==",
       "cpu": [
         "x64"
       ],
@@ -3336,9 +3279,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.14.3.tgz",
-      "integrity": "sha512-s+xf1I46trOY10OqAtZ5Rm6lzHre/UiLA1J2uOhCFXWkbZrJRkYBPO6FhvGfHmdtQ3Bx793MNa7LvoWFAm93bg==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.8.0.tgz",
+      "integrity": "sha512-mdxnlW2QUzXwY+95TuxZ+CurrhgrPAMveDWI97EQlA9bfhR8tw3Pt7SUlc/eSlCNxlWktpmT//EAA8UfCHOyXg==",
       "cpu": [
         "x64"
       ],
@@ -3349,9 +3292,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.14.3.tgz",
-      "integrity": "sha512-+4h2WrGOYsOumDQ5S2sYNyhVfrue+9tc9XcLWLh+Kw3UOxAvrfOrSMFon60KspcDdytkNDh7K2Vs6eMaYImAZg==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.8.0.tgz",
+      "integrity": "sha512-ge7saUz38aesM4MA7Cad8CHo0Fyd1+qTaqoIo+Jtk+ipBi4ATSrHWov9/S4u5pbEQmLjgUjB7BJt+MiKG2kzmA==",
       "cpu": [
         "arm64"
       ],
@@ -3362,9 +3305,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.14.3.tgz",
-      "integrity": "sha512-T1l7y/bCeL/kUwh9OD4PQT4aM7Bq43vX05htPJJ46RTI4r5KNt6qJRzAfNfM+OYMNEVBWQzR2Gyk+FXLZfogGw==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.8.0.tgz",
+      "integrity": "sha512-p9E3PZlzurhlsN5h9g7zIP1DnqKXJe8ZUkFwAazqSvHuWfihlIISPxG9hCHCoA+dOOspL/c7ty1eeEVFTE0UTw==",
       "cpu": [
         "ia32"
       ],
@@ -3375,9 +3318,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.14.3.tgz",
-      "integrity": "sha512-/BypzV0H1y1HzgYpxqRaXGBRqfodgoBBCcsrujT6QRcakDQdfU+Lq9PENPh5jB4I44YWq+0C2eHsHya+nZY1sA==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.8.0.tgz",
+      "integrity": "sha512-kb4/auKXkYKqlUYTE8s40FcJIj5soOyRLHKd4ugR0dCq0G2EfcF54eYcfQiGkHzjidZ40daB4ulsFdtqNKZtBg==",
       "cpu": [
         "x64"
       ],
@@ -4566,15 +4509,6 @@
         "@types/lodash": "*"
       }
     },
-    "node_modules/@types/long": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/@types/long/-/long-5.0.0.tgz",
-      "integrity": "sha512-eQs9RsucA/LNjnMoJvWG/nXa7Pot/RbBzilF/QRIU/xRl+0ApxrSUFsV5lmf01SvSlqMzJ7Zwxe440wmz2SJGA==",
-      "deprecated": "This is a stub types definition. long provides its own type definitions, so you do not need this installed.",
-      "dependencies": {
-        "long": "*"
-      }
-    },
     "node_modules/@types/mime": {
       "version": "1.3.5",
       "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz",
@@ -5323,14 +5257,6 @@
         "node": ">=0.4.0"
       }
     },
-    "node_modules/adm-zip": {
-      "version": "0.5.12",
-      "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.5.12.tgz",
-      "integrity": "sha512-6TVU49mK6KZb4qG6xWaaM4C7sA/sgUMLy/JYMOzkcp3BvVLpW0fXDFQiIzAuxFCt/2+xD7fNIiPFAoLZPhVNLQ==",
-      "engines": {
-        "node": ">=6.0"
-      }
-    },
     "node_modules/agent-base": {
       "version": "6.0.2",
       "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
@@ -5990,12 +5916,12 @@
       }
     },
     "node_modules/body-parser": {
-      "version": "1.20.2",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
-      "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==",
+      "version": "1.20.1",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz",
+      "integrity": "sha512-jWi7abTbYwajOytWCQc37VulmWiRae5RyTpaCyDcS5/lMdtwSz5lOpDE67srw/HYe35f1z3fDQw+3txg7gNtWw==",
       "dependencies": {
         "bytes": "3.1.2",
-        "content-type": "~1.0.5",
+        "content-type": "~1.0.4",
         "debug": "2.6.9",
         "depd": "2.0.0",
         "destroy": "1.2.0",
@@ -6003,7 +5929,7 @@
         "iconv-lite": "0.4.24",
         "on-finished": "2.4.1",
         "qs": "6.11.0",
-        "raw-body": "2.5.2",
+        "raw-body": "2.5.1",
         "type-is": "~1.6.18",
         "unpipe": "1.0.0"
       },
@@ -6208,20 +6134,6 @@
         "node": ">=6"
       }
     },
-    "node_modules/cassandra-driver": {
-      "version": "4.7.2",
-      "resolved": "https://registry.npmjs.org/cassandra-driver/-/cassandra-driver-4.7.2.tgz",
-      "integrity": "sha512-gwl1DeYvL8Wy3i1GDMzFtpUg5G473fU7EnHFZj7BUtdLB7loAfgZgB3zBhROc9fbaDSUDs6YwOPPojS5E1kbSA==",
-      "dependencies": {
-        "@types/long": "~5.0.0",
-        "@types/node": ">=8",
-        "adm-zip": "~0.5.10",
-        "long": "~5.2.3"
-      },
-      "engines": {
-        "node": ">=16"
-      }
-    },
     "node_modules/chai": {
       "version": "4.4.1",
       "resolved": "https://registry.npmjs.org/chai/-/chai-4.4.1.tgz",
@@ -7467,16 +7379,16 @@
       }
     },
     "node_modules/express": {
-      "version": "4.19.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
-      "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==",
+      "version": "4.18.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
+      "integrity": "sha512-5/PsL6iGPdfQ/lKM1UuielYgv3BUoJfz1aUwU9vHZ+J7gyvwdQXFEBIEIaxeGf0GIcreATNyBExtalisDbuMqQ==",
       "dependencies": {
         "accepts": "~1.3.8",
         "array-flatten": "1.1.1",
-        "body-parser": "1.20.2",
+        "body-parser": "1.20.1",
         "content-disposition": "0.5.4",
         "content-type": "~1.0.4",
-        "cookie": "0.6.0",
+        "cookie": "0.5.0",
         "cookie-signature": "1.0.6",
         "debug": "2.6.9",
         "depd": "2.0.0",
@@ -7507,14 +7419,6 @@
         "node": ">= 0.10.0"
       }
     },
-    "node_modules/express/node_modules/cookie": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
-      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/express/node_modules/cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -7845,9 +7749,9 @@
       "dev": true
     },
     "node_modules/follow-redirects": {
-      "version": "1.15.6",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
-      "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==",
+      "version": "1.15.4",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.4.tgz",
+      "integrity": "sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw==",
       "funding": [
         {
           "type": "individual",
@@ -9855,9 +9759,9 @@
       }
     },
     "node_modules/mysql2": {
-      "version": "3.9.4",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz",
-      "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==",
+      "version": "3.9.1",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.1.tgz",
+      "integrity": "sha512-3njoWAAhGBYy0tWBabqUQcLtczZUxrmmtc2vszQUekg3kTJyZ5/IeLC3Fo04u6y6Iy5Sba7pIIa2P/gs8D3ZeQ==",
       "dependencies": {
         "denque": "^2.1.0",
         "generate-function": "^2.3.1",
@@ -10327,15 +10231,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/oracledb": {
-      "version": "6.4.0",
-      "resolved": "https://registry.npmjs.org/oracledb/-/oracledb-6.4.0.tgz",
-      "integrity": "sha512-TJI08qzQlf/l7T49VojP9BoQpjEr14NXZmpSzzcLrbNs7qSl0QA/Mc9gGiEdkg5WmwH0wqUjtMC7jlf1WamlYA==",
-      "hasInstallScript": true,
-      "engines": {
-        "node": ">=14.6"
-      }
-    },
     "node_modules/p-limit": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz",
@@ -10923,9 +10818,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.4.38",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.38.tgz",
-      "integrity": "sha512-Wglpdk03BSfXkHoQa3b/oulrotAkwrlLDRSOb9D0bN86FdRyE9lppSp33aHNPgBa0JKCoB+drFLZkQoRRYae5A==",
+      "version": "8.4.32",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.32.tgz",
+      "integrity": "sha512-D/kj5JNu6oo2EIy+XL/26JEDTlIbB8hw85G8StOE6L74RQAVVP5rej6wxCNqyMbR4RkPfqvezVbPw81Ngd6Kcw==",
       "dev": true,
       "funding": [
         {
@@ -10944,7 +10839,7 @@
       "dependencies": {
         "nanoid": "^3.3.7",
         "picocolors": "^1.0.0",
-        "source-map-js": "^1.2.0"
+        "source-map-js": "^1.0.2"
       },
       "engines": {
         "node": "^10 || ^12 || >=14"
@@ -11339,9 +11234,9 @@
       }
     },
     "node_modules/raw-body": {
-      "version": "2.5.2",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
-      "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz",
+      "integrity": "sha512-qqJBtEyVgS0ZmPGdCFPWJ3FreoqvG4MVQln/kCgF7Olq95IbOp0/BWyMwbdtn4VTvkM8Y7khCQ2Xgk/tcrCXig==",
       "dependencies": {
         "bytes": "3.1.2",
         "http-errors": "2.0.0",
@@ -11616,13 +11511,10 @@
       }
     },
     "node_modules/rollup": {
-      "version": "4.14.3",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.14.3.tgz",
-      "integrity": "sha512-ag5tTQKYsj1bhrFC9+OEWqb5O6VYgtQDO9hPDBMmIbePwhfSr+ExlcU741t8Dhw5DkPCQf6noz0jb36D6W9/hw==",
+      "version": "4.8.0",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.8.0.tgz",
+      "integrity": "sha512-NpsklK2fach5CdI+PScmlE5R4Ao/FSWtF7LkoIrHDxPACY/xshNasPsbpG0VVHxUTbf74tJbVT4PrP8JsJ6ZDA==",
       "dev": true,
-      "dependencies": {
-        "@types/estree": "1.0.5"
-      },
       "bin": {
         "rollup": "dist/bin/rollup"
       },
@@ -11631,22 +11523,19 @@
         "npm": ">=8.0.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.14.3",
-        "@rollup/rollup-android-arm64": "4.14.3",
-        "@rollup/rollup-darwin-arm64": "4.14.3",
-        "@rollup/rollup-darwin-x64": "4.14.3",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.14.3",
-        "@rollup/rollup-linux-arm-musleabihf": "4.14.3",
-        "@rollup/rollup-linux-arm64-gnu": "4.14.3",
-        "@rollup/rollup-linux-arm64-musl": "4.14.3",
-        "@rollup/rollup-linux-powerpc64le-gnu": "4.14.3",
-        "@rollup/rollup-linux-riscv64-gnu": "4.14.3",
-        "@rollup/rollup-linux-s390x-gnu": "4.14.3",
-        "@rollup/rollup-linux-x64-gnu": "4.14.3",
-        "@rollup/rollup-linux-x64-musl": "4.14.3",
-        "@rollup/rollup-win32-arm64-msvc": "4.14.3",
-        "@rollup/rollup-win32-ia32-msvc": "4.14.3",
-        "@rollup/rollup-win32-x64-msvc": "4.14.3",
+        "@rollup/rollup-android-arm-eabi": "4.8.0",
+        "@rollup/rollup-android-arm64": "4.8.0",
+        "@rollup/rollup-darwin-arm64": "4.8.0",
+        "@rollup/rollup-darwin-x64": "4.8.0",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.8.0",
+        "@rollup/rollup-linux-arm64-gnu": "4.8.0",
+        "@rollup/rollup-linux-arm64-musl": "4.8.0",
+        "@rollup/rollup-linux-riscv64-gnu": "4.8.0",
+        "@rollup/rollup-linux-x64-gnu": "4.8.0",
+        "@rollup/rollup-linux-x64-musl": "4.8.0",
+        "@rollup/rollup-win32-arm64-msvc": "4.8.0",
+        "@rollup/rollup-win32-ia32-msvc": "4.8.0",
+        "@rollup/rollup-win32-x64-msvc": "4.8.0",
         "fsevents": "~2.3.2"
       }
     },
@@ -11998,9 +11887,9 @@
       }
     },
     "node_modules/source-map-js": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.0.tgz",
-      "integrity": "sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz",
+      "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==",
       "dev": true,
       "engines": {
         "node": ">=0.10.0"
@@ -12360,9 +12249,9 @@
       }
     },
     "node_modules/tar": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
-      "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.0.tgz",
+      "integrity": "sha512-/Wo7DcT0u5HUV486xg675HtjNd3BXZ6xDbzsCUZPt5iw8bTQ63bP0Raut3mvro9u+CUyq7YQd8Cx55fsZXxqLQ==",
       "dependencies": {
         "chownr": "^2.0.0",
         "fs-minipass": "^2.0.0",
@@ -13558,14 +13447,14 @@
       }
     },
     "node_modules/vite": {
-      "version": "5.2.9",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-5.2.9.tgz",
-      "integrity": "sha512-uOQWfuZBlc6Y3W/DTuQ1Sr+oIXWvqljLvS881SVmAj00d5RdgShLcuXWxseWPd4HXwiYBFW/vXHfKFeqj9uQnw==",
+      "version": "5.0.12",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-5.0.12.tgz",
+      "integrity": "sha512-4hsnEkG3q0N4Tzf1+t6NdN9dg/L3BM+q8SWgbSPnJvrgH2kgdyzfVJwbR1ic69/4uMJJ/3dqDZZE5/WwqW8U1w==",
       "dev": true,
       "dependencies": {
-        "esbuild": "^0.20.1",
-        "postcss": "^8.4.38",
-        "rollup": "^4.13.0"
+        "esbuild": "^0.19.3",
+        "postcss": "^8.4.32",
+        "rollup": "^4.2.0"
       },
       "bin": {
         "vite": "bin/vite.js"
@@ -13700,9 +13589,9 @@
       "dev": true
     },
     "node_modules/vite/node_modules/@esbuild/android-arm": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.20.2.tgz",
-      "integrity": "sha512-t98Ra6pw2VaDhqNWO2Oph2LXbz/EJcnLmKLGBJwEwXX/JAN83Fym1rU8l0JUWK6HkIbWONCSSatf4sf2NBRx/w==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.19.9.tgz",
+      "integrity": "sha512-jkYjjq7SdsWuNI6b5quymW0oC83NN5FdRPuCbs9HZ02mfVdAP8B8eeqLSYU3gb6OJEaY5CQabtTFbqBf26H3GA==",
       "cpu": [
         "arm"
       ],
@@ -13716,9 +13605,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/android-arm64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.20.2.tgz",
-      "integrity": "sha512-mRzjLacRtl/tWU0SvD8lUEwb61yP9cqQo6noDZP/O8VkwafSYwZ4yWy24kan8jE/IMERpYncRt2dw438LP3Xmg==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.19.9.tgz",
+      "integrity": "sha512-q4cR+6ZD0938R19MyEW3jEsMzbb/1rulLXiNAJQADD/XYp7pT+rOS5JGxvpRW8dFDEfjW4wLgC/3FXIw4zYglQ==",
       "cpu": [
         "arm64"
       ],
@@ -13732,9 +13621,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/android-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.20.2.tgz",
-      "integrity": "sha512-btzExgV+/lMGDDa194CcUQm53ncxzeBrWJcncOBxuC6ndBkKxnHdFJn86mCIgTELsooUmwUm9FkhSp5HYu00Rg==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.19.9.tgz",
+      "integrity": "sha512-KOqoPntWAH6ZxDwx1D6mRntIgZh9KodzgNOy5Ebt9ghzffOk9X2c1sPwtM9P+0eXbefnDhqYfkh5PLP5ULtWFA==",
       "cpu": [
         "x64"
       ],
@@ -13748,9 +13637,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/darwin-arm64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.20.2.tgz",
-      "integrity": "sha512-4J6IRT+10J3aJH3l1yzEg9y3wkTDgDk7TSDFX+wKFiWjqWp/iCfLIYzGyasx9l0SAFPT1HwSCR+0w/h1ES/MjA==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.19.9.tgz",
+      "integrity": "sha512-KBJ9S0AFyLVx2E5D8W0vExqRW01WqRtczUZ8NRu+Pi+87opZn5tL4Y0xT0mA4FtHctd0ZgwNoN639fUUGlNIWw==",
       "cpu": [
         "arm64"
       ],
@@ -13764,9 +13653,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/darwin-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.20.2.tgz",
-      "integrity": "sha512-tBcXp9KNphnNH0dfhv8KYkZhjc+H3XBkF5DKtswJblV7KlT9EI2+jeA8DgBjp908WEuYll6pF+UStUCfEpdysA==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.19.9.tgz",
+      "integrity": "sha512-vE0VotmNTQaTdX0Q9dOHmMTao6ObjyPm58CHZr1UK7qpNleQyxlFlNCaHsHx6Uqv86VgPmR4o2wdNq3dP1qyDQ==",
       "cpu": [
         "x64"
       ],
@@ -13780,9 +13669,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.20.2.tgz",
-      "integrity": "sha512-d3qI41G4SuLiCGCFGUrKsSeTXyWG6yem1KcGZVS+3FYlYhtNoNgYrWcvkOoaqMhwXSMrZRl69ArHsGJ9mYdbbw==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.19.9.tgz",
+      "integrity": "sha512-uFQyd/o1IjiEk3rUHSwUKkqZwqdvuD8GevWF065eqgYfexcVkxh+IJgwTaGZVu59XczZGcN/YMh9uF1fWD8j1g==",
       "cpu": [
         "arm64"
       ],
@@ -13796,9 +13685,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/freebsd-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.20.2.tgz",
-      "integrity": "sha512-d+DipyvHRuqEeM5zDivKV1KuXn9WeRX6vqSqIDgwIfPQtwMP4jaDsQsDncjTDDsExT4lR/91OLjRo8bmC1e+Cw==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.19.9.tgz",
+      "integrity": "sha512-WMLgWAtkdTbTu1AWacY7uoj/YtHthgqrqhf1OaEWnZb7PQgpt8eaA/F3LkV0E6K/Lc0cUr/uaVP/49iE4M4asA==",
       "cpu": [
         "x64"
       ],
@@ -13812,9 +13701,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-arm": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.20.2.tgz",
-      "integrity": "sha512-VhLPeR8HTMPccbuWWcEUD1Az68TqaTYyj6nfE4QByZIQEQVWBB8vup8PpR7y1QHL3CpcF6xd5WVBU/+SBEvGTg==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.19.9.tgz",
+      "integrity": "sha512-C/ChPohUYoyUaqn1h17m/6yt6OB14hbXvT8EgM1ZWaiiTYz7nWZR0SYmMnB5BzQA4GXl3BgBO1l8MYqL/He3qw==",
       "cpu": [
         "arm"
       ],
@@ -13828,9 +13717,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-arm64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.20.2.tgz",
-      "integrity": "sha512-9pb6rBjGvTFNira2FLIWqDk/uaf42sSyLE8j1rnUpuzsODBq7FvpwHYZxQ/It/8b+QOS1RYfqgGFNLRI+qlq2A==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.19.9.tgz",
+      "integrity": "sha512-PiPblfe1BjK7WDAKR1Cr9O7VVPqVNpwFcPWgfn4xu0eMemzRp442hXyzF/fSwgrufI66FpHOEJk0yYdPInsmyQ==",
       "cpu": [
         "arm64"
       ],
@@ -13844,9 +13733,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-ia32": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.20.2.tgz",
-      "integrity": "sha512-o10utieEkNPFDZFQm9CoP7Tvb33UutoJqg3qKf1PWVeeJhJw0Q347PxMvBgVVFgouYLGIhFYG0UGdBumROyiig==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.19.9.tgz",
+      "integrity": "sha512-f37i/0zE0MjDxijkPSQw1CO/7C27Eojqb+r3BbHVxMLkj8GCa78TrBZzvPyA/FNLUMzP3eyHCVkAopkKVja+6Q==",
       "cpu": [
         "ia32"
       ],
@@ -13860,9 +13749,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-loong64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.20.2.tgz",
-      "integrity": "sha512-PR7sp6R/UC4CFVomVINKJ80pMFlfDfMQMYynX7t1tNTeivQ6XdX5r2XovMmha/VjR1YN/HgHWsVcTRIMkymrgQ==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.19.9.tgz",
+      "integrity": "sha512-t6mN147pUIf3t6wUt3FeumoOTPfmv9Cc6DQlsVBpB7eCpLOqQDyWBP1ymXn1lDw4fNUSb/gBcKAmvTP49oIkaA==",
       "cpu": [
         "loong64"
       ],
@@ -13876,9 +13765,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-mips64el": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.20.2.tgz",
-      "integrity": "sha512-4BlTqeutE/KnOiTG5Y6Sb/Hw6hsBOZapOVF6njAESHInhlQAghVVZL1ZpIctBOoTFbQyGW+LsVYZ8lSSB3wkjA==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.19.9.tgz",
+      "integrity": "sha512-jg9fujJTNTQBuDXdmAg1eeJUL4Jds7BklOTkkH80ZgQIoCTdQrDaHYgbFZyeTq8zbY+axgptncko3v9p5hLZtw==",
       "cpu": [
         "mips64el"
       ],
@@ -13892,9 +13781,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-ppc64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.20.2.tgz",
-      "integrity": "sha512-rD3KsaDprDcfajSKdn25ooz5J5/fWBylaaXkuotBDGnMnDP1Uv5DLAN/45qfnf3JDYyJv/ytGHQaziHUdyzaAg==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.19.9.tgz",
+      "integrity": "sha512-tkV0xUX0pUUgY4ha7z5BbDS85uI7ABw3V1d0RNTii7E9lbmV8Z37Pup2tsLV46SQWzjOeyDi1Q7Wx2+QM8WaCQ==",
       "cpu": [
         "ppc64"
       ],
@@ -13908,9 +13797,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-riscv64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.20.2.tgz",
-      "integrity": "sha512-snwmBKacKmwTMmhLlz/3aH1Q9T8v45bKYGE3j26TsaOVtjIag4wLfWSiZykXzXuE1kbCE+zJRmwp+ZbIHinnVg==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.19.9.tgz",
+      "integrity": "sha512-DfLp8dj91cufgPZDXr9p3FoR++m3ZJ6uIXsXrIvJdOjXVREtXuQCjfMfvmc3LScAVmLjcfloyVtpn43D56JFHg==",
       "cpu": [
         "riscv64"
       ],
@@ -13924,9 +13813,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-s390x": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.20.2.tgz",
-      "integrity": "sha512-wcWISOobRWNm3cezm5HOZcYz1sKoHLd8VL1dl309DiixxVFoFe/o8HnwuIwn6sXre88Nwj+VwZUvJf4AFxkyrQ==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.19.9.tgz",
+      "integrity": "sha512-zHbglfEdC88KMgCWpOl/zc6dDYJvWGLiUtmPRsr1OgCViu3z5GncvNVdf+6/56O2Ca8jUU+t1BW261V6kp8qdw==",
       "cpu": [
         "s390x"
       ],
@@ -13940,9 +13829,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/linux-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.20.2.tgz",
-      "integrity": "sha512-1MdwI6OOTsfQfek8sLwgyjOXAu+wKhLEoaOLTjbijk6E2WONYpH9ZU2mNtR+lZ2B4uwr+usqGuVfFT9tMtGvGw==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.19.9.tgz",
+      "integrity": "sha512-JUjpystGFFmNrEHQnIVG8hKwvA2DN5o7RqiO1CVX8EN/F/gkCjkUMgVn6hzScpwnJtl2mPR6I9XV1oW8k9O+0A==",
       "cpu": [
         "x64"
       ],
@@ -13956,9 +13845,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/netbsd-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.20.2.tgz",
-      "integrity": "sha512-K8/DhBxcVQkzYc43yJXDSyjlFeHQJBiowJ0uVL6Tor3jGQfSGHNNJcWxNbOI8v5k82prYqzPuwkzHt3J1T1iZQ==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.19.9.tgz",
+      "integrity": "sha512-GThgZPAwOBOsheA2RUlW5UeroRfESwMq/guy8uEe3wJlAOjpOXuSevLRd70NZ37ZrpO6RHGHgEHvPg1h3S1Jug==",
       "cpu": [
         "x64"
       ],
@@ -13972,9 +13861,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/openbsd-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.20.2.tgz",
-      "integrity": "sha512-eMpKlV0SThJmmJgiVyN9jTPJ2VBPquf6Kt/nAoo6DgHAoN57K15ZghiHaMvqjCye/uU4X5u3YSMgVBI1h3vKrQ==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.19.9.tgz",
+      "integrity": "sha512-Ki6PlzppaFVbLnD8PtlVQfsYw4S9n3eQl87cqgeIw+O3sRr9IghpfSKY62mggdt1yCSZ8QWvTZ9jo9fjDSg9uw==",
       "cpu": [
         "x64"
       ],
@@ -13988,9 +13877,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/sunos-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.20.2.tgz",
-      "integrity": "sha512-2UyFtRC6cXLyejf/YEld4Hajo7UHILetzE1vsRcGL3earZEW77JxrFjH4Ez2qaTiEfMgAXxfAZCm1fvM/G/o8w==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.19.9.tgz",
+      "integrity": "sha512-MLHj7k9hWh4y1ddkBpvRj2b9NCBhfgBt3VpWbHQnXRedVun/hC7sIyTGDGTfsGuXo4ebik2+3ShjcPbhtFwWDw==",
       "cpu": [
         "x64"
       ],
@@ -14004,9 +13893,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/win32-arm64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.20.2.tgz",
-      "integrity": "sha512-GRibxoawM9ZCnDxnP3usoUDO9vUkpAxIIZ6GQI+IlVmr5kP3zUq+l17xELTHMWTWzjxa2guPNyrpq1GWmPvcGQ==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.19.9.tgz",
+      "integrity": "sha512-GQoa6OrQ8G08guMFgeXPH7yE/8Dt0IfOGWJSfSH4uafwdC7rWwrfE6P9N8AtPGIjUzdo2+7bN8Xo3qC578olhg==",
       "cpu": [
         "arm64"
       ],
@@ -14020,9 +13909,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/win32-ia32": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.20.2.tgz",
-      "integrity": "sha512-HfLOfn9YWmkSKRQqovpnITazdtquEW8/SoHW7pWpuEeguaZI4QnCRW6b+oZTztdBnZOS2hqJ6im/D5cPzBTTlQ==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.19.9.tgz",
+      "integrity": "sha512-UOozV7Ntykvr5tSOlGCrqU3NBr3d8JqPes0QWN2WOXfvkWVGRajC+Ym0/Wj88fUgecUCLDdJPDF0Nna2UK3Qtg==",
       "cpu": [
         "ia32"
       ],
@@ -14036,9 +13925,9 @@
       }
     },
     "node_modules/vite/node_modules/@esbuild/win32-x64": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.20.2.tgz",
-      "integrity": "sha512-N49X4lJX27+l9jbLKSqZ6bKNjzQvHaT8IIFUy+YIqmXQdjYCToGWwOItDrfby14c78aDd5NHQl29xingXfCdLQ==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.19.9.tgz",
+      "integrity": "sha512-oxoQgglOP7RH6iasDrhY+R/3cHrfwIDvRlT4CGChflq6twk8iENeVvMJjmvBb94Ik1Z+93iGO27err7w6l54GQ==",
       "cpu": [
         "x64"
       ],
@@ -14052,9 +13941,9 @@
       }
     },
     "node_modules/vite/node_modules/esbuild": {
-      "version": "0.20.2",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.20.2.tgz",
-      "integrity": "sha512-WdOOppmUNU+IbZ0PaDiTst80zjnrOkyJNHoKupIcVyU8Lvla3Ugx94VzkQ32Ijqd7UhHJy75gNWDMUekcrSJ6g==",
+      "version": "0.19.9",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.19.9.tgz",
+      "integrity": "sha512-U9CHtKSy+EpPsEBa+/A2gMs/h3ylBC0H0KSqIg7tpztHerLi6nrrcoUJAkNCEPumx8yJ+Byic4BVwHgRbN0TBg==",
       "dev": true,
       "hasInstallScript": true,
       "bin": {
@@ -14064,29 +13953,28 @@
         "node": ">=12"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.20.2",
-        "@esbuild/android-arm": "0.20.2",
-        "@esbuild/android-arm64": "0.20.2",
-        "@esbuild/android-x64": "0.20.2",
-        "@esbuild/darwin-arm64": "0.20.2",
-        "@esbuild/darwin-x64": "0.20.2",
-        "@esbuild/freebsd-arm64": "0.20.2",
-        "@esbuild/freebsd-x64": "0.20.2",
-        "@esbuild/linux-arm": "0.20.2",
-        "@esbuild/linux-arm64": "0.20.2",
-        "@esbuild/linux-ia32": "0.20.2",
-        "@esbuild/linux-loong64": "0.20.2",
-        "@esbuild/linux-mips64el": "0.20.2",
-        "@esbuild/linux-ppc64": "0.20.2",
-        "@esbuild/linux-riscv64": "0.20.2",
-        "@esbuild/linux-s390x": "0.20.2",
-        "@esbuild/linux-x64": "0.20.2",
-        "@esbuild/netbsd-x64": "0.20.2",
-        "@esbuild/openbsd-x64": "0.20.2",
-        "@esbuild/sunos-x64": "0.20.2",
-        "@esbuild/win32-arm64": "0.20.2",
-        "@esbuild/win32-ia32": "0.20.2",
-        "@esbuild/win32-x64": "0.20.2"
+        "@esbuild/android-arm": "0.19.9",
+        "@esbuild/android-arm64": "0.19.9",
+        "@esbuild/android-x64": "0.19.9",
+        "@esbuild/darwin-arm64": "0.19.9",
+        "@esbuild/darwin-x64": "0.19.9",
+        "@esbuild/freebsd-arm64": "0.19.9",
+        "@esbuild/freebsd-x64": "0.19.9",
+        "@esbuild/linux-arm": "0.19.9",
+        "@esbuild/linux-arm64": "0.19.9",
+        "@esbuild/linux-ia32": "0.19.9",
+        "@esbuild/linux-loong64": "0.19.9",
+        "@esbuild/linux-mips64el": "0.19.9",
+        "@esbuild/linux-ppc64": "0.19.9",
+        "@esbuild/linux-riscv64": "0.19.9",
+        "@esbuild/linux-s390x": "0.19.9",
+        "@esbuild/linux-x64": "0.19.9",
+        "@esbuild/netbsd-x64": "0.19.9",
+        "@esbuild/openbsd-x64": "0.19.9",
+        "@esbuild/sunos-x64": "0.19.9",
+        "@esbuild/win32-arm64": "0.19.9",
+        "@esbuild/win32-ia32": "0.19.9",
+        "@esbuild/win32-x64": "0.19.9"
       }
     },
     "node_modules/vitest": {

backend/package.json

@@ -96,7 +96,6 @@
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
     "bullmq": "^5.3.3",
-    "cassandra-driver": "^4.7.2",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
@@ -109,11 +108,10 @@
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "ms": "^2.1.3",
-    "mysql2": "^3.9.4",
+    "mysql2": "^3.9.1",
     "nanoid": "^5.0.4",
     "nodemailer": "^6.9.9",
     "ora": "^7.0.1",
-    "oracledb": "^6.4.0",
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",

backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts

@@ -42,7 +42,6 @@ export async function up(knex: Knex): Promise<void> {
   await knex.transaction(async (tx) => {
     const duplicateRows = await tx(TableName.OrgMembership)
       .select("userId", "orgId") // Select the userId and orgId so we can group by them
-      .whereNotNull("userId") // Ensure that the userId is not null
       .count("* as cnt") // Count the number of rows for each userId and orgId, so we can make sure there are more than 1 row (a duplicate)
       .groupBy("userId", "orgId")
       .havingRaw("count(*) > ?", [1]); // Using havingRaw for direct SQL expressions

backend/src/db/migrations/20240414192520_drop-role-roleid-project-membership.ts

@@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectMembershipRole, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
-  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
-  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
-    if (doesProjectRoleFieldExist) t.dropColumn("roleId");
-    if (doesProjectRoleIdFieldExist) t.dropColumn("role");
-  });
-
-  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
-  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
-    TableName.IdentityProjectMembership,
-    "roleId"
-  );
-  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
-    if (doesIdentityProjectRoleFieldExist) t.dropColumn("roleId");
-    if (doesIdentityProjectRoleIdFieldExist) t.dropColumn("role");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
-  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
-  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
-    if (!doesProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
-    if (!doesProjectRoleIdFieldExist) {
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
-    }
-  });
-
-  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
-  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
-    TableName.IdentityProjectMembership,
-    "roleId"
-  );
-  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
-    if (!doesIdentityProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
-    if (!doesIdentityProjectRoleIdFieldExist) {
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
-    }
-  });
-}

backend/src/db/migrations/20240417032913_pending-group-addition.ts

@@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.UserGroupMembership, (t) => {
-    t.boolean("isPending").notNullable().defaultTo(false);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.UserGroupMembership, (t) => {
-    t.dropColumn("isPending");
-  });
-}

backend/src/db/schemas/identity-project-memberships.ts

@@ -9,6 +9,8 @@ import { TImmutableDBKeys } from "./models";
 
 export const IdentityProjectMembershipsSchema = z.object({
   id: z.string().uuid(),
+  role: z.string(),
+  roleId: z.string().uuid().nullable().optional(),
   projectId: z.string(),
   identityId: z.string().uuid(),
   createdAt: z.date(),

backend/src/db/schemas/project-memberships.ts

@@ -9,10 +9,12 @@ import { TImmutableDBKeys } from "./models";
 
 export const ProjectMembershipsSchema = z.object({
   id: z.string().uuid(),
+  role: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
   userId: z.string().uuid(),
-  projectId: z.string()
+  projectId: z.string(),
+  roleId: z.string().uuid().nullable().optional()
 });
 
 export type TProjectMemberships = z.infer<typeof ProjectMembershipsSchema>;

backend/src/db/schemas/user-group-membership.ts

@@ -12,8 +12,7 @@ export const UserGroupMembershipSchema = z.object({
   userId: z.string().uuid(),
   groupId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  isPending: z.boolean().default(false)
+  updatedAt: z.date()
 });
 
 export type TUserGroupMembership = z.infer<typeof UserGroupMembershipSchema>;

backend/src/db/schemas/users.ts

@@ -21,7 +21,8 @@ export const UsersSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isGhost: z.boolean().default(false),
-  username: z.string()
+  username: z.string(),
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/db/seeds/1-user.ts

@@ -29,6 +29,7 @@ export async function seed(knex: Knex): Promise<void> {
         lastName: "",
         authMethods: [AuthMethod.EMAIL],
         isAccepted: true,
+        isEmailVerified: true,
         isMfaEnabled: false,
         mfaMethods: null,
         devices: null

backend/src/db/seeds/3-project.ts

@@ -33,7 +33,8 @@ export async function seed(knex: Knex): Promise<void> {
   const projectMembership = await knex(TableName.ProjectMembership)
     .insert({
       projectId: project.id,
-      userId: seedData1.id
+      userId: seedData1.id,
+      role: ProjectMembershipRole.Admin
     })
     .returning("*");
   await knex(TableName.ProjectUserMembershipRole).insert({

backend/src/db/seeds/4-machine-identity.ts

@@ -78,7 +78,8 @@ export async function seed(knex: Knex): Promise<void> {
   const identityProjectMembership = await knex(TableName.IdentityProjectMembership)
     .insert({
       identityId: seedData1.machineIdentity.id,
-      projectId: seedData1.project.id
+      projectId: seedData1.project.id,
+      role: ProjectMembershipRole.Admin
     })
     .returning("*");
 

backend/src/ee/routes/v1/project-role-router.ts

@@ -157,13 +157,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           data: z.object({
-            membership: ProjectMembershipsSchema.extend({
-              roles: z
-                .object({
-                  role: z.string()
-                })
-                .array()
-            }),
+            membership: ProjectMembershipsSchema,
             permissions: z.any().array()
           })
         })

backend/src/ee/routes/v1/project-router.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
-import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
+import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -19,6 +19,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       description: "Return project secret snapshots ids",
       security: [
         {
+          apiKeyAuth: [],
           bearerAuth: []
         }
       ],
@@ -96,7 +97,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       description: "Return audit logs",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -143,7 +145,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorAuthMethod: req.permission.authMethod,
         projectId: req.params.workspaceId,
         ...req.query,
-        startDate: req.query.endDate || getLastMidnightDateISO(),
         auditLogActor: req.query.actor,
         actor: req.permission.type
       });

backend/src/ee/routes/v1/scim-router.ts

@@ -220,7 +220,8 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
             })
           )
           .optional(),
-        // displayName: z.string().trim(),
+        externalId: z.string().trim(),
+        displayName: z.string().trim(),
         active: z.boolean()
       }),
       response: {
@@ -249,11 +250,12 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
       const primaryEmail = req.body.emails?.find((email) => email.primary)?.value;
 
       const user = await req.server.services.scim.createScimUser({
+        orgId: req.permission.orgId,
         username: req.body.userName,
         email: primaryEmail,
         firstName: req.body.name.givenName,
         lastName: req.body.name.familyName,
-        orgId: req.permission.orgId
+        externalId: req.body.externalId
       });
 
       return user;
@@ -289,28 +291,14 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         schemas: z.array(z.string()),
         displayName: z.string().trim(),
-        members: z
-          .array(
-            z.object({
-              value: z.string(),
-              display: z.string()
-            })
-          )
-          .optional() // okta-specific
+        members: z.array(z.any()).length(0).optional() // okta-specific
       }),
       response: {
         200: z.object({
           schemas: z.array(z.string()),
           id: z.string().trim(),
           displayName: z.string().trim(),
-          members: z
-            .array(
-              z.object({
-                value: z.string(),
-                display: z.string()
-              })
-            )
-            .optional(),
+          members: z.array(z.any()).length(0),
           meta: z.object({
             resourceType: z.string().trim()
           })
@@ -320,8 +308,8 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const group = await req.server.services.scim.createScimGroup({
-        orgId: req.permission.orgId,
-        ...req.body
+        displayName: req.body.displayName,
+        orgId: req.permission.orgId
       });
 
       return group;
@@ -416,10 +404,10 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         displayName: z.string().trim(),
         members: z.array(
           z.object({
-            value: z.string(), // infisical userId
+            value: z.string(),
             display: z.string()
           })
-        ) // note: is this where members are added to group?
+        )
       }),
       response: {
         200: z.object({
@@ -443,7 +431,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
       const group = await req.server.services.scim.updateScimGroupNamePut({
         groupId: req.params.groupId,
         orgId: req.permission.orgId,
-        ...req.body
+        displayName: req.body.displayName
       });
 
       return group;

backend/src/ee/routes/v1/snapshot-router.ts

@@ -69,6 +69,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
       description: "Roll back project secrets to those captured in a secret snapshot version.",
       security: [
         {
+          apiKeyAuth: [],
           bearerAuth: []
         }
       ],

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -249,7 +249,7 @@ export const dynamicSecretLeaseServiceFactory = ({
 
     if ((revokeResponse as { error?: Error })?.error) {
       const { error } = revokeResponse as { error?: Error };
-      logger.error(error?.message, "Failed to revoke lease");
+      logger.error("Failed to revoke lease", { error: error?.message });
       const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
         status: DynamicSecretLeaseStatus.FailedDeletion,
         statusDetails: error?.message?.slice(0, 255)

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -1,125 +0,0 @@
-import cassandra from "cassandra-driver";
-import handlebars from "handlebars";
-import { customAlphabet } from "nanoid";
-import { z } from "zod";
-
-import { BadRequestError } from "@app/lib/errors";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { DynamicSecretCassandraSchema, TDynamicProviderFns } from "./models";
-
-const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
-  return customAlphabet(charset, 48)(size);
-};
-
-const generateUsername = () => {
-  return alphaNumericNanoId(32);
-};
-
-export const CassandraProvider = (): TDynamicProviderFns => {
-  const validateProviderInputs = async (inputs: unknown) => {
-    const providerInputs = await DynamicSecretCassandraSchema.parseAsync(inputs);
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-
-    return providerInputs;
-  };
-
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {
-    const sslOptions = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const client = new cassandra.Client({
-      sslOptions,
-      protocolOptions: {
-        port: providerInputs.port
-      },
-      credentials: {
-        username: providerInputs.username,
-        password: providerInputs.password
-      },
-      keyspace: providerInputs.keyspace,
-      localDataCenter: providerInputs?.localDataCenter,
-      contactPoints: providerInputs.host.split(",").filter(Boolean)
-    });
-    return client;
-  };
-
-  const validateConnection = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
-    await client.shutdown();
-    return isConnected;
-  };
-
-  const create = async (inputs: unknown, expireAt: number) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    const username = generateUsername();
-    const password = generatePassword();
-    const { keyspace } = providerInputs;
-    const expiration = new Date(expireAt).toISOString();
-
-    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-      username,
-      password,
-      expiration,
-      keyspace
-    });
-
-    const queries = creationStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
-    }
-    await client.shutdown();
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
-  };
-
-  const revoke = async (inputs: unknown, entityId: string) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    const username = entityId;
-    const { keyspace } = providerInputs;
-
-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
-    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
-    }
-    await client.shutdown();
-    return { entityId: username };
-  };
-
-  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    const username = entityId;
-    const expiration = new Date(expireAt).toISOString();
-    const { keyspace } = providerInputs;
-
-    const renewStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace, expiration });
-    const queries = renewStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
-    }
-    await client.shutdown();
-    return { entityId: username };
-  };
-
-  return {
-    validateProviderInputs,
-    validateConnection,
-    create,
-    revoke,
-    renew
-  };
-};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,8 +1,6 @@
-import { CassandraProvider } from "./cassandra";
 import { DynamicSecretProviders } from "./models";
 import { SqlDatabaseProvider } from "./sql-database";
 
 export const buildDynamicSecretProviders = () => ({
-  [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider(),
-  [DynamicSecretProviders.Cassandra]: CassandraProvider()
+  [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider()
 });

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -1,9 +1,7 @@
 import { z } from "zod";
 
 export enum SqlProviders {
-  Postgres = "postgres",
-  MySQL = "mysql2",
-  Oracle = "oracledb"
+  Postgres = "postgres"
 }
 
 export const DynamicSecretSqlDBSchema = z.object({
@@ -15,31 +13,16 @@ export const DynamicSecretSqlDBSchema = z.object({
   password: z.string(),
   creationStatement: z.string(),
   revocationStatement: z.string(),
-  renewStatement: z.string().optional(),
-  ca: z.string().optional()
-});
-
-export const DynamicSecretCassandraSchema = z.object({
-  host: z.string().toLowerCase(),
-  port: z.number(),
-  localDataCenter: z.string().min(1),
-  keyspace: z.string().optional(),
-  username: z.string(),
-  password: z.string(),
-  creationStatement: z.string(),
-  revocationStatement: z.string(),
-  renewStatement: z.string().optional(),
+  renewStatement: z.string(),
   ca: z.string().optional()
 });
 
 export enum DynamicSecretProviders {
-  SqlDatabase = "sql-database",
-  Cassandra = "cassandra"
+  SqlDatabase = "sql-database"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
-  z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -8,46 +8,31 @@ import { BadRequestError } from "@app/lib/errors";
 import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { DynamicSecretSqlDBSchema, SqlProviders, TDynamicProviderFns } from "./models";
+import { DynamicSecretSqlDBSchema, TDynamicProviderFns } from "./models";
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
-const generatePassword = (provider: SqlProviders) => {
-  // oracle has limit of 48 password length
-  const size = provider === SqlProviders.Oracle ? 30 : 48;
-
+const generatePassword = (size?: number) => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (provider: SqlProviders) => {
-  // For oracle, the client assumes everything is upper case when not using quotes around the password
-  if (provider === SqlProviders.Oracle) return alphaNumericNanoId(32).toUpperCase();
-
-  return alphaNumericNanoId(32);
-};
-
 export const SqlDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
     const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
 
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
     if (
-      isCloud &&
       // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-    if (
       providerInputs.host === "localhost" ||
       providerInputs.host === "127.0.0.1" ||
       // database infisical uses
-      dbHost === providerInputs.host
+      dbHost === providerInputs.host ||
+      // internal ips
+      providerInputs.host === "host.docker.internal" ||
+      providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
+      providerInputs.host.match(/^192\.168\.\d+\.\d+/)
     )
       throw new BadRequestError({ message: "Invalid db host" });
     return providerInputs;
@@ -63,10 +48,10 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
         host: providerInputs.host,
         user: providerInputs.username,
         password: providerInputs.password,
+        connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,
         ssl,
         pool: { min: 0, max: 1 }
-      },
-      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
+      }
     });
     return db;
   };
@@ -74,10 +59,10 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     const db = await getClient(providerInputs);
-    // oracle needs from keyword
-    const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";
-
-    const isConnected = await db.raw(testStatement).then(() => true);
+    const isConnected = await db
+      .raw("SELECT NOW()")
+      .then(() => true)
+      .catch(() => false);
     await db.destroy();
     return isConnected;
   };
@@ -86,25 +71,17 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
     const providerInputs = await validateProviderInputs(inputs);
     const db = await getClient(providerInputs);
 
-    const username = generateUsername(providerInputs.client);
-    const password = generatePassword(providerInputs.client);
-    const { database } = providerInputs;
+    const username = alphaNumericNanoId(32);
+    const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
 
     const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
       username,
       password,
-      expiration,
-      database
+      expiration
     });
 
-    const queries = creationStatement.toString().split(";").filter(Boolean);
-    await db.transaction(async (tx) => {
-      for (const query of queries) {
-        // eslint-disable-next-line
-        await tx.raw(query);
-      }
-    });
+    await db.raw(creationStatement.toString());
     await db.destroy();
     return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
   };
@@ -114,16 +91,9 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
     const db = await getClient(providerInputs);
 
     const username = entityId;
-    const { database } = providerInputs;
 
-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, database });
-    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    await db.transaction(async (tx) => {
-      for (const query of queries) {
-        // eslint-disable-next-line
-        await tx.raw(query);
-      }
-    });
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
+    await db.raw(revokeStatement);
 
     await db.destroy();
     return { entityId: username };
@@ -135,18 +105,9 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
     const username = entityId;
     const expiration = new Date(expireAt).toISOString();
-    const { database } = providerInputs;
 
-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration, database });
-    if (renewStatement) {
-      const queries = renewStatement.toString().split(";").filter(Boolean);
-      await db.transaction(async (tx) => {
-        for (const query of queries) {
-          // eslint-disable-next-line
-          await tx.raw(query);
-        }
-      });
-    }
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });
+    await db.raw(renewStatement);
 
     await db.destroy();
     return { entityId: username };

backend/src/ee/services/group/group-dal.ts

@@ -59,6 +59,32 @@ export const groupDALFactory = (db: TDbClient) => {
     }
   };
 
+  const countAllGroupMembers = async ({ orgId, groupId }: { orgId: string; groupId: string }) => {
+    try {
+      interface CountResult {
+        count: string;
+      }
+
+      const doc = await db<CountResult>(TableName.OrgMembership)
+        .where(`${TableName.OrgMembership}.orgId`, orgId)
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.UserGroupMembership, function () {
+          this.on(`${TableName.UserGroupMembership}.userId`, "=", `${TableName.Users}.id`).andOn(
+            `${TableName.UserGroupMembership}.groupId`,
+            "=",
+            db.raw("?", [groupId])
+          );
+        })
+        .where({ isGhost: false })
+        .count(`${TableName.Users}.id`)
+        .first();
+
+      return parseInt((doc?.count as string) || "0", 10);
+    } catch (err) {
+      throw new DatabaseError({ error: err, name: "Count all group members" });
+    }
+  };
+
   // special query
   const findAllGroupMembers = async ({
     orgId,
@@ -124,6 +150,7 @@ export const groupDALFactory = (db: TDbClient) => {
   return {
     findGroups,
     findByOrgId,
+    countAllGroupMembers,
     findAllGroupMembers,
     ...groupOrm
   };

backend/src/ee/services/group/group-fns.ts

@@ -1,454 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretKeyEncoding, TUsers } from "@app/db/schemas";
-import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ScimRequestError } from "@app/lib/errors";
-
-import {
-  TAddUsersToGroup,
-  TAddUsersToGroupByUserIds,
-  TConvertPendingGroupAdditionsToGroupMemberships,
-  TRemoveUsersFromGroupByUserIds
-} from "./group-types";
-
-const addAcceptedUsersToGroup = async ({
-  userIds,
-  group,
-  userGroupMembershipDAL,
-  userDAL,
-  groupProjectDAL,
-  projectKeyDAL,
-  projectDAL,
-  projectBotDAL,
-  tx
-}: TAddUsersToGroup) => {
-  console.log("addAcceptedUsersToGroup args: ", {
-    userIds,
-    group
-  });
-  const users = await userDAL.findUserEncKeyByUserIdsBatch(
-    {
-      userIds
-    },
-    tx
-  );
-
-  await userGroupMembershipDAL.insertMany(
-    users.map((user) => ({
-      userId: user.userId,
-      groupId: group.id,
-      isPending: false
-    })),
-    tx
-  );
-
-  // check which projects the group is part of
-  const projectIds = Array.from(
-    new Set(
-      (
-        await groupProjectDAL.find(
-          {
-            groupId: group.id
-          },
-          { tx }
-        )
-      ).map((gp) => gp.projectId)
-    )
-  );
-
-  const keys = await projectKeyDAL.find(
-    {
-      $in: {
-        projectId: projectIds,
-        receiverId: users.map((u) => u.id)
-      }
-    },
-    { tx }
-  );
-
-  const userKeysSet = new Set(keys.map((k) => `${k.projectId}-${k.receiverId}`));
-
-  for await (const projectId of projectIds) {
-    const usersToAddProjectKeyFor = users.filter((u) => !userKeysSet.has(`${projectId}-${u.userId}`));
-
-    if (usersToAddProjectKeyFor.length) {
-      // there are users who need to be shared keys
-      // process adding bulk users to projects for each project individually
-      const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx);
-
-      if (!ghostUser) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user"
-        });
-      }
-
-      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx);
-
-      if (!ghostUserLatestKey) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user latest key"
-        });
-      }
-
-      const bot = await projectBotDAL.findOne({ projectId }, tx);
-
-      if (!bot) {
-        throw new BadRequestError({
-          message: "Failed to find bot"
-        });
-      }
-
-      const botPrivateKey = infisicalSymmetricDecrypt({
-        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
-        iv: bot.iv,
-        tag: bot.tag,
-        ciphertext: bot.encryptedPrivateKey
-      });
-
-      const plaintextProjectKey = decryptAsymmetric({
-        ciphertext: ghostUserLatestKey.encryptedKey,
-        nonce: ghostUserLatestKey.nonce,
-        publicKey: ghostUserLatestKey.sender.publicKey,
-        privateKey: botPrivateKey
-      });
-
-      const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => {
-        const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(
-          plaintextProjectKey,
-          user.publicKey,
-          botPrivateKey
-        );
-        return {
-          encryptedKey,
-          nonce,
-          senderId: ghostUser.id,
-          receiverId: user.userId,
-          projectId
-        };
-      });
-
-      await projectKeyDAL.insertMany(projectKeysToAdd, tx);
-    }
-  }
-};
-
-/**
- * Add users with user ids [userIds] to group [group].
- * - Users may or may not have finished completing their accounts; this function will
- * handle both adding users to groups directly and via pending group additions.
- * @param {group} group - group to add user(s) to
- * @param {string[]} userIds - id(s) of user(s) to add to group
- */
-export const addUsersToGroupByUserIds = async ({
-  group,
-  userIds,
-  userDAL,
-  userGroupMembershipDAL,
-  orgDAL,
-  groupProjectDAL,
-  projectKeyDAL,
-  projectDAL,
-  projectBotDAL,
-  tx: outerTx
-}: TAddUsersToGroupByUserIds) => {
-  const processAddition = async (tx: Knex) => {
-    const foundMembers = await userDAL.find(
-      {
-        $in: {
-          id: userIds
-        }
-      },
-      { tx }
-    );
-
-    const foundMembersIdsSet = new Set(foundMembers.map((member) => member.id));
-
-    const isCompleteMatch = userIds.every((userId) => foundMembersIdsSet.has(userId));
-
-    if (!isCompleteMatch) {
-      throw new ScimRequestError({
-        detail: "Members not found",
-        status: 404
-      });
-    }
-
-    // check if user(s) group membership(s) already exists
-    const existingUserGroupMemberships = await userGroupMembershipDAL.find(
-      {
-        groupId: group.id,
-        $in: {
-          userId: userIds
-        }
-      },
-      { tx }
-    );
-
-    if (existingUserGroupMemberships.length) {
-      throw new BadRequestError({
-        message: `User(s) are already part of the group ${group.slug}`
-      });
-    }
-
-    // check if all user(s) are part of the organization
-    const existingUserOrgMemberships = await orgDAL.findMembership(
-      {
-        orgId: group.orgId,
-        $in: {
-          userId: userIds
-        }
-      },
-      { tx }
-    );
-
-    const existingUserOrgMembershipsUserIdsSet = new Set(existingUserOrgMemberships.map((u) => u.userId));
-
-    userIds.forEach((userId) => {
-      if (!existingUserOrgMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
-          message: `User with id ${userId} is not part of the organization`
-        });
-    });
-
-    const membersToAddToGroupNonPending: TUsers[] = [];
-    const membersToAddToGroupPending: TUsers[] = [];
-
-    foundMembers.forEach((member) => {
-      if (member.isAccepted) {
-        // add accepted member to group
-        membersToAddToGroupNonPending.push(member);
-      } else {
-        // add incomplete member to pending group addition
-        membersToAddToGroupPending.push(member);
-      }
-    });
-
-    if (membersToAddToGroupNonPending.length) {
-      await addAcceptedUsersToGroup({
-        userIds: membersToAddToGroupNonPending.map((member) => member.id),
-        group,
-        userDAL,
-        userGroupMembershipDAL,
-        groupProjectDAL,
-        projectKeyDAL,
-        projectDAL,
-        projectBotDAL,
-        tx
-      });
-    }
-
-    if (membersToAddToGroupPending.length) {
-      await userGroupMembershipDAL.insertMany(
-        membersToAddToGroupPending.map((member) => ({
-          userId: member.id,
-          groupId: group.id,
-          isPending: true
-        })),
-        tx
-      );
-    }
-
-    return membersToAddToGroupNonPending.concat(membersToAddToGroupPending);
-  };
-
-  if (outerTx) {
-    return processAddition(outerTx);
-  }
-  return userDAL.transaction(async (tx) => {
-    return processAddition(tx);
-  });
-};
-
-/**
- * Remove users with user ids [userIds] from group [group].
- * - Users may be part of the group (non-pending + pending);
- * this function will handle both cases.
- * @param {group} group - group to remove user(s) from
- * @param {string[]} userIds - id(s) of user(s) to remove from group
- */
-export const removeUsersFromGroupByUserIds = async ({
-  group,
-  userIds,
-  userDAL,
-  userGroupMembershipDAL,
-  groupProjectDAL,
-  projectKeyDAL,
-  tx: outerTx
-}: TRemoveUsersFromGroupByUserIds) => {
-  const processRemoval = async (tx: Knex) => {
-    const foundMembers = await userDAL.find({
-      $in: {
-        id: userIds
-      }
-    });
-
-    const foundMembersIdsSet = new Set(foundMembers.map((member) => member.id));
-
-    const isCompleteMatch = userIds.every((userId) => foundMembersIdsSet.has(userId));
-
-    if (!isCompleteMatch) {
-      throw new ScimRequestError({
-        detail: "Members not found",
-        status: 404
-      });
-    }
-
-    // check if user group membership already exists
-    const existingUserGroupMemberships = await userGroupMembershipDAL.find(
-      {
-        groupId: group.id,
-        $in: {
-          userId: userIds
-        }
-      },
-      { tx }
-    );
-
-    const existingUserGroupMembershipsUserIdsSet = new Set(existingUserGroupMemberships.map((u) => u.userId));
-
-    userIds.forEach((userId) => {
-      if (!existingUserGroupMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
-          message: `User(s) are not part of the group ${group.slug}`
-        });
-    });
-
-    const membersToRemoveFromGroupNonPending: TUsers[] = [];
-    const membersToRemoveFromGroupPending: TUsers[] = [];
-
-    foundMembers.forEach((member) => {
-      if (member.isAccepted) {
-        // remove accepted member from group
-        membersToRemoveFromGroupNonPending.push(member);
-      } else {
-        // remove incomplete member from pending group addition
-        membersToRemoveFromGroupPending.push(member);
-      }
-    });
-
-    if (membersToRemoveFromGroupNonPending.length) {
-      // check which projects the group is part of
-      const projectIds = Array.from(
-        new Set(
-          (
-            await groupProjectDAL.find(
-              {
-                groupId: group.id
-              },
-              { tx }
-            )
-          ).map((gp) => gp.projectId)
-        )
-      );
-
-      // TODO: this part can be optimized
-      for await (const userId of userIds) {
-        const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx);
-        const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p));
-
-        if (projectsToDeleteKeyFor.length) {
-          await projectKeyDAL.delete(
-            {
-              receiverId: userId,
-              $in: {
-                projectId: projectsToDeleteKeyFor
-              }
-            },
-            tx
-          );
-        }
-
-        await userGroupMembershipDAL.delete(
-          {
-            groupId: group.id,
-            userId
-          },
-          tx
-        );
-      }
-    }
-
-    if (membersToRemoveFromGroupPending.length) {
-      await userGroupMembershipDAL.delete({
-        groupId: group.id,
-        $in: {
-          userId: membersToRemoveFromGroupPending.map((member) => member.id)
-        }
-      });
-    }
-
-    return membersToRemoveFromGroupNonPending.concat(membersToRemoveFromGroupPending);
-  };
-
-  if (outerTx) {
-    return processRemoval(outerTx);
-  }
-  return userDAL.transaction(async (tx) => {
-    return processRemoval(tx);
-  });
-};
-
-/**
- * Convert pending group additions for users with ids [userIds] to group memberships.
- * @param {string[]} userIds - id(s) of user(s) to try to convert pending group additions to group memberships
- */
-export const convertPendingGroupAdditionsToGroupMemberships = async ({
-  userIds,
-  userDAL,
-  userGroupMembershipDAL,
-  groupProjectDAL,
-  projectKeyDAL,
-  projectDAL,
-  projectBotDAL,
-  tx: outerTx
-}: TConvertPendingGroupAdditionsToGroupMemberships) => {
-  const processConversion = async (tx: Knex) => {
-    const users = await userDAL.find(
-      {
-        $in: {
-          id: userIds
-        }
-      },
-      { tx }
-    );
-
-    const usersUserIdsSet = new Set(users.map((u) => u.id));
-    userIds.forEach((userId) => {
-      if (!usersUserIdsSet.has(userId)) {
-        throw new BadRequestError({
-          message: `Failed to find user with id ${userId}`
-        });
-      }
-    });
-
-    users.forEach((user) => {
-      if (!user.isAccepted) {
-        throw new BadRequestError({
-          message: `Failed to convert pending group additions to group memberships for user ${user.username} because they have not confirmed their account`
-        });
-      }
-    });
-
-    const pendingGroupAdditions = await userGroupMembershipDAL.deletePendingUserGroupMembershipsByUserIds(userIds, tx);
-
-    for await (const pendingGroupAddition of pendingGroupAdditions) {
-      await addAcceptedUsersToGroup({
-        userIds: [pendingGroupAddition.user.id],
-        group: pendingGroupAddition.group,
-        userDAL,
-        userGroupMembershipDAL,
-        groupProjectDAL,
-        projectKeyDAL,
-        projectDAL,
-        projectBotDAL,
-        tx
-      });
-    }
-  };
-
-  if (outerTx) {
-    return processConversion(outerTx);
-  }
-  return userDAL.transaction(async (tx) => {
-    await processConversion(tx);
-  });
-};

backend/src/ee/services/group/group-service.ts

@@ -1,22 +1,22 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
+import { OrgMembershipRole, SecretKeyEncoding, TOrgRoles } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
-import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
-import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
-import { TUserDALFactory } from "@app/services/user/user-dal";
 
+import { TGroupProjectDALFactory } from "../../../services/group-project/group-project-dal";
+import { TOrgDALFactory } from "../../../services/org/org-dal";
+import { TProjectDALFactory } from "../../../services/project/project-dal";
+import { TProjectBotDALFactory } from "../../../services/project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "../../../services/project-key/project-key-dal";
+import { TUserDALFactory } from "../../../services/user/user-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TGroupDALFactory } from "./group-dal";
-import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "./group-fns";
 import {
   TAddUserToGroupDTO,
   TCreateGroupDTO,
@@ -28,17 +28,20 @@ import {
 import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
 
 type TGroupServiceFactoryDep = {
-  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
-  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "update" | "delete" | "findAllGroupMembers">;
+  userDAL: Pick<TUserDALFactory, "findOne" | "findUserEncKeyByUsername">;
+  groupDAL: Pick<
+    TGroupDALFactory,
+    "create" | "findOne" | "update" | "delete" | "findAllGroupMembers" | "countAllGroupMembers"
+  >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
+  orgDAL: Pick<TOrgDALFactory, "findMembership">;
   userGroupMembershipDAL: Pick<
     TUserGroupMembershipDALFactory,
-    "findOne" | "delete" | "filterProjectsByUserMembership" | "transaction" | "insertMany" | "find"
+    "findOne" | "create" | "delete" | "filterProjectsByUserMembership"
   >;
   projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "create" | "delete" | "findLatestProjectKey">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -224,9 +227,12 @@ export const groupServiceFactory = ({
       username
     });
 
-    const count = await orgDAL.countAllOrgMembers(group.orgId);
+    const totalCount = await groupDAL.countAllGroupMembers({
+      orgId: group.orgId,
+      groupId: group.id
+    });
 
-    return { users, totalCount: count };
+    return { users, totalCount };
   };
 
   const addUserToGroup = async ({
@@ -266,22 +272,111 @@ export const groupServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });
 
-    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
-
-    const users = await addUsersToGroupByUserIds({
-      group,
-      userIds: [user.id],
-      userDAL,
-      userGroupMembershipDAL,
-      orgDAL,
-      groupProjectDAL,
-      projectKeyDAL,
-      projectDAL,
-      projectBotDAL
+    // get user with username
+    const user = await userDAL.findUserEncKeyByUsername({
+      username
     });
 
-    return users[0];
+    if (!user)
+      throw new BadRequestError({
+        message: `Failed to find user with username ${username}`
+      });
+
+    // check if user group membership already exists
+    const existingUserGroupMembership = await userGroupMembershipDAL.findOne({
+      groupId: group.id,
+      userId: user.userId
+    });
+
+    if (existingUserGroupMembership)
+      throw new BadRequestError({
+        message: `User ${username} is already part of the group ${groupSlug}`
+      });
+
+    // check if user is even part of the organization
+    const existingUserOrgMembership = await orgDAL.findMembership({
+      userId: user.userId,
+      orgId: actorOrgId
+    });
+
+    if (!existingUserOrgMembership)
+      throw new BadRequestError({
+        message: `User ${username} is not part of the organization`
+      });
+
+    await userGroupMembershipDAL.create({
+      userId: user.userId,
+      groupId: group.id
+    });
+
+    // check which projects the group is part of
+    const projectIds = (
+      await groupProjectDAL.find({
+        groupId: group.id
+      })
+    ).map((gp) => gp.projectId);
+
+    const keys = await projectKeyDAL.find({
+      receiverId: user.userId,
+      $in: {
+        projectId: projectIds
+      }
+    });
+
+    const keysSet = new Set(keys.map((k) => k.projectId));
+    const projectsToAddKeyFor = projectIds.filter((p) => !keysSet.has(p));
+
+    for await (const projectId of projectsToAddKeyFor) {
+      const ghostUser = await projectDAL.findProjectGhostUser(projectId);
+
+      if (!ghostUser) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user"
+        });
+      }
+
+      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId);
+
+      if (!ghostUserLatestKey) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user latest key"
+        });
+      }
+
+      const bot = await projectBotDAL.findOne({ projectId });
+
+      if (!bot) {
+        throw new BadRequestError({
+          message: "Failed to find bot"
+        });
+      }
+
+      const botPrivateKey = infisicalSymmetricDecrypt({
+        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+        iv: bot.iv,
+        tag: bot.tag,
+        ciphertext: bot.encryptedPrivateKey
+      });
+
+      const plaintextProjectKey = decryptAsymmetric({
+        ciphertext: ghostUserLatestKey.encryptedKey,
+        nonce: ghostUserLatestKey.nonce,
+        publicKey: ghostUserLatestKey.sender.publicKey,
+        privateKey: botPrivateKey
+      });
+
+      const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, user.publicKey, botPrivateKey);
+
+      await projectKeyDAL.create({
+        encryptedKey,
+        nonce,
+        senderId: ghostUser.id,
+        receiverId: user.userId,
+        projectId
+      });
+    }
+
+    return user;
   };
 
   const removeUserFromGroup = async ({
@@ -321,19 +416,51 @@ export const groupServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });
 
-    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
-
-    const users = await removeUsersFromGroupByUserIds({
-      group,
-      userIds: [user.id],
-      userDAL,
-      userGroupMembershipDAL,
-      groupProjectDAL,
-      projectKeyDAL
+    const user = await userDAL.findOne({
+      username
     });
 
-    return users[0];
+    if (!user)
+      throw new BadRequestError({
+        message: `Failed to find user with username ${username}`
+      });
+
+    // check if user group membership already exists
+    const existingUserGroupMembership = await userGroupMembershipDAL.findOne({
+      groupId: group.id,
+      userId: user.id
+    });
+
+    if (!existingUserGroupMembership)
+      throw new BadRequestError({
+        message: `User ${username} is not part of the group ${groupSlug}`
+      });
+
+    const projectIds = (
+      await groupProjectDAL.find({
+        groupId: group.id
+      })
+    ).map((gp) => gp.projectId);
+
+    const t = await userGroupMembershipDAL.filterProjectsByUserMembership(user.id, group.id, projectIds);
+
+    const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p));
+
+    if (projectsToDeleteKeyFor.length) {
+      await projectKeyDAL.delete({
+        receiverId: user.id,
+        $in: {
+          projectId: projectsToDeleteKeyFor
+        }
+      });
+    }
+
+    await userGroupMembershipDAL.delete({
+      groupId: group.id,
+      userId: user.id
+    });
+
+    return user;
   };
 
   return {

backend/src/ee/services/group/group-types.ts

@@ -1,14 +1,4 @@
-import { Knex } from "knex";
-
-import { TGroups } from "@app/db/schemas";
-import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TGenericPermission } from "@app/lib/types";
-import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
-import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
-import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
-import { TUserDALFactory } from "@app/services/user/user-dal";
 
 export type TCreateGroupDTO = {
   name: string;
@@ -45,54 +35,3 @@ export type TRemoveUserFromGroupDTO = {
   groupSlug: string;
   username: string;
 } & TGenericPermission;
-
-// group fns types
-
-export type TAddUsersToGroup = {
-  userIds: string[];
-  group: TGroups;
-  userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserIdsBatch">;
-  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "find" | "transaction" | "insertMany">;
-  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
-  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  tx: Knex;
-};
-
-export type TAddUsersToGroupByUserIds = {
-  group: TGroups;
-  userIds: string[];
-  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction">;
-  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "find" | "transaction" | "insertMany">;
-  orgDAL: Pick<TOrgDALFactory, "findMembership">;
-  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
-  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  tx?: Knex;
-};
-
-export type TRemoveUsersFromGroupByUserIds = {
-  group: TGroups;
-  userIds: string[];
-  userDAL: Pick<TUserDALFactory, "find" | "transaction">;
-  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "find" | "filterProjectsByUserMembership" | "delete">;
-  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "delete">;
-  tx?: Knex;
-};
-
-export type TConvertPendingGroupAdditionsToGroupMemberships = {
-  userIds: string[];
-  userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserIdsBatch" | "transaction" | "find" | "findById">;
-  userGroupMembershipDAL: Pick<
-    TUserGroupMembershipDALFactory,
-    "find" | "transaction" | "insertMany" | "deletePendingUserGroupMembershipsByUserIds"
-  >;
-  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
-  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  tx?: Knex;
-};

backend/src/ee/services/group/user-group-membership-dal.ts

@@ -1,5 +1,3 @@
-import { Knex } from "knex";
-
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -16,28 +14,24 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
    * - The user is a member of a group that is a member of the project, excluding projects that they are part of
    * through the group with id [groupId].
    */
-  const filterProjectsByUserMembership = async (userId: string, groupId: string, projectIds: string[], tx?: Knex) => {
-    try {
-      const userProjectMemberships: string[] = await (tx || db)(TableName.ProjectMembership)
-        .where(`${TableName.ProjectMembership}.userId`, userId)
-        .whereIn(`${TableName.ProjectMembership}.projectId`, projectIds)
-        .pluck(`${TableName.ProjectMembership}.projectId`);
+  const filterProjectsByUserMembership = async (userId: string, groupId: string, projectIds: string[]) => {
+    const userProjectMemberships: string[] = await db(TableName.ProjectMembership)
+      .where(`${TableName.ProjectMembership}.userId`, userId)
+      .whereIn(`${TableName.ProjectMembership}.projectId`, projectIds)
+      .pluck(`${TableName.ProjectMembership}.projectId`);
 
-      const userGroupMemberships: string[] = await (tx || db)(TableName.UserGroupMembership)
-        .where(`${TableName.UserGroupMembership}.userId`, userId)
-        .whereNot(`${TableName.UserGroupMembership}.groupId`, groupId)
-        .join(
-          TableName.GroupProjectMembership,
-          `${TableName.UserGroupMembership}.groupId`,
-          `${TableName.GroupProjectMembership}.groupId`
-        )
-        .whereIn(`${TableName.GroupProjectMembership}.projectId`, projectIds)
-        .pluck(`${TableName.GroupProjectMembership}.projectId`);
+    const userGroupMemberships: string[] = await db(TableName.UserGroupMembership)
+      .where(`${TableName.UserGroupMembership}.userId`, userId)
+      .whereNot(`${TableName.UserGroupMembership}.groupId`, groupId)
+      .join(
+        TableName.GroupProjectMembership,
+        `${TableName.UserGroupMembership}.groupId`,
+        `${TableName.GroupProjectMembership}.groupId`
+      )
+      .whereIn(`${TableName.GroupProjectMembership}.projectId`, projectIds)
+      .pluck(`${TableName.GroupProjectMembership}.projectId`);
 
-      return new Set(userProjectMemberships.concat(userGroupMemberships));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Filter projects by user membership" });
-    }
+    return new Set(userProjectMemberships.concat(userGroupMemberships));
   };
 
   // special query
@@ -51,7 +45,7 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
         )
         .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-        .whereIn(`${TableName.Users}.username`, usernames)
+        .whereIn(`${TableName.Users}.username`, usernames) // TODO: pluck usernames
         .pluck(`${TableName.Users}.id`);
 
       return usernameDocs;
@@ -61,7 +55,7 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
   };
 
   /**
-   * Return list of completed/accepted users that are part of the group with id [groupId]
+   * Return list of users that are part of the group with id [groupId]
    * that have not yet been added individually to project with id [projectId].
    *
    * Note: Filters out users that are part of other groups in the project.
@@ -69,19 +63,18 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
    * @param projectId
    * @returns
    */
-  const findGroupMembersNotInProject = async (groupId: string, projectId: string, tx?: Knex) => {
+  const findGroupMembersNotInProject = async (groupId: string, projectId: string) => {
     try {
       // get list of groups in the project with id [projectId]
       // that that are not the group with id [groupId]
-      const groups: string[] = await (tx || db)(TableName.GroupProjectMembership)
+      const groups: string[] = await db(TableName.GroupProjectMembership)
         .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
         .whereNot(`${TableName.GroupProjectMembership}.groupId`, groupId)
         .pluck(`${TableName.GroupProjectMembership}.groupId`);
 
       // main query
-      const members = await (tx || db)(TableName.UserGroupMembership)
+      const members = await db(TableName.UserGroupMembership)
         .where(`${TableName.UserGroupMembership}.groupId`, groupId)
-        .where(`${TableName.UserGroupMembership}.isPending`, false)
         .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
         .leftJoin(TableName.ProjectMembership, function () {
           this.on(`${TableName.Users}.id`, "=", `${TableName.ProjectMembership}.userId`).andOn(
@@ -123,49 +116,10 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const deletePendingUserGroupMembershipsByUserIds = async (userIds: string[], tx?: Knex) => {
-    try {
-      const members = await (tx || db)(TableName.UserGroupMembership)
-        .whereIn(`${TableName.UserGroupMembership}.userId`, userIds)
-        .where(`${TableName.UserGroupMembership}.isPending`, true)
-        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
-        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`);
-
-      await userGroupMembershipOrm.delete(
-        {
-          $in: {
-            userId: userIds
-          }
-        },
-        tx
-      );
-
-      return members.map(({ userId, username, groupId, orgId, name, slug, role, roleId }) => ({
-        user: {
-          id: userId,
-          username
-        },
-        group: {
-          id: groupId,
-          orgId,
-          name,
-          slug,
-          role,
-          roleId,
-          createdAt: new Date(),
-          updatedAt: new Date()
-        }
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Delete pending user group memberships by user ids" });
-    }
-  };
-
   return {
     ...userGroupMembershipOrm,
     filterProjectsByUserMembership,
     findUserGroupMembershipsInProject,
-    findGroupMembersNotInProject,
-    deletePendingUserGroupMembershipsByUserIds
+    findGroupMembersNotInProject
   };
 };

backend/src/ee/services/license/licence-fns.ts

@@ -24,10 +24,10 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   customAlerts: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
-  samlSSO: false,
-  scim: false,
+  samlSSO: true,
+  scim: true,
   ldap: false,
-  groups: false,
+  groups: true,
   status: null,
   trial_end: null,
   has_used_trial: true,

backend/src/ee/services/license/license-types.ts

@@ -40,10 +40,10 @@ export type TFeatureSet = {
   customAlerts: false;
   auditLogs: false;
   auditLogsRetentionDays: 0;
-  samlSSO: false;
-  scim: false;
+  samlSSO: true;
+  scim: true;
   ldap: false;
-  groups: false;
+  groups: true;
   status: null;
   trial_end: null;
   has_used_trial: true;

backend/src/ee/services/permission/permission-dal.ts

@@ -72,6 +72,7 @@ export const permissionDALFactory = (db: TDbClient) => {
         .select(selectAllTableCols(TableName.GroupProjectMembershipRole))
         .select(
           db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
+          // TODO(roll-forward-migration): remove this field when we drop this in next migration after a week
           db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("membershipCreatedAt"),
           db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("membershipUpdatedAt"),
           db.ref("projectId").withSchema(TableName.GroupProjectMembership),
@@ -104,6 +105,7 @@ export const permissionDALFactory = (db: TDbClient) => {
         .select(selectAllTableCols(TableName.ProjectUserMembershipRole))
         .select(
           db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
+          // TODO(roll-forward-migration): remove this field when we drop this in next migration after a week
           db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
           db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
           db.ref("projectId").withSchema(TableName.ProjectMembership),
@@ -129,10 +131,11 @@ export const permissionDALFactory = (db: TDbClient) => {
       const permission = sqlNestRelationships({
         data: docs,
         key: "projectId",
-        parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
+        parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt, role }) => ({
           orgId,
           orgAuthEnforced,
           userId,
+          role,
           id: membershipId,
           projectId,
           createdAt: membershipCreatedAt,
@@ -176,10 +179,18 @@ export const permissionDALFactory = (db: TDbClient) => {
         ? sqlNestRelationships({
             data: groupDocs,
             key: "projectId",
-            parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
+            parentMapper: ({
+              orgId,
+              orgAuthEnforced,
+              membershipId,
+              membershipCreatedAt,
+              membershipUpdatedAt,
+              role
+            }) => ({
               orgId,
               orgAuthEnforced,
               userId,
+              role,
               id: membershipId,
               projectId,
               createdAt: membershipCreatedAt,
@@ -259,6 +270,7 @@ export const permissionDALFactory = (db: TDbClient) => {
         .select(
           db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
           db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
+          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
           db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
           db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
           db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
@@ -287,10 +299,11 @@ export const permissionDALFactory = (db: TDbClient) => {
       const permission = sqlNestRelationships({
         data: docs,
         key: "membershipId",
-        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, orgId }) => ({
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField, orgId }) => ({
           id: membershipId,
           identityId,
           projectId,
+          role: oldRoleField,
           createdAt: membershipCreatedAt,
           updatedAt: membershipUpdatedAt,
           orgId,

backend/src/ee/services/scim/scim-service.ts

@@ -4,23 +4,19 @@ import jwt from "jsonwebtoken";
 
 import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
-import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
-import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
-import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { deleteOrgMembership } from "@app/services/org/org-fns";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
-import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -47,21 +43,15 @@ import {
 
 type TScimServiceFactoryDep = {
   scimDAL: Pick<TScimDALFactory, "create" | "find" | "findById" | "deleteById">;
-  userDAL: Pick<TUserDALFactory, "find" | "findOne" | "create" | "transaction" | "findUserEncKeyByUserIdsBatch">;
+  userDAL: Pick<TUserDALFactory, "findOne" | "create" | "transaction">;
+  userAliasDAL: Pick<TUserAliasDALFactory, "create">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction"
   >;
-  projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "find">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete">;
-  groupDAL: Pick<
-    TGroupDALFactory,
-    "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups" | "transaction"
-  >;
-  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  userGroupMembershipDAL: TUserGroupMembershipDALFactory; // TODO: Pick
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
-  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
+  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   smtpService: TSmtpService;
@@ -77,10 +67,6 @@ export const scimServiceFactory = ({
   projectDAL,
   projectMembershipDAL,
   groupDAL,
-  groupProjectDAL,
-  userGroupMembershipDAL,
-  projectKeyDAL,
-  projectBotDAL,
   permissionService,
   smtpService
 }: TScimServiceFactoryDep) => {
@@ -247,7 +233,7 @@ export const scimServiceFactory = ({
     });
   };
 
-  const createScimUser = async ({ username, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
+  const createScimUser = async ({ orgId, username, email, firstName, lastName }: TCreateScimUserDTO) => {
     const org = await orgDAL.findById(orgId);
 
     if (!org)
@@ -528,7 +514,7 @@ export const scimServiceFactory = ({
     });
   };
 
-  const createScimGroup = async ({ displayName, orgId, members }: TCreateScimGroupDTO) => {
+  const createScimGroup = async ({ displayName, orgId }: TCreateScimGroupDTO) => {
     const plan = await licenseService.getPlan(orgId);
     if (!plan.groups)
       throw new BadRequestError({
@@ -536,7 +522,6 @@ export const scimServiceFactory = ({
       });
 
     const org = await orgDAL.findById(orgId);
-
     if (!org) {
       throw new ScimRequestError({
         detail: "Organization Not Found",
@@ -550,44 +535,17 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const newGroup = await groupDAL.transaction(async (tx) => {
-      const group = await groupDAL.create(
-        {
-          name: displayName,
-          slug: slugify(`${displayName}-${alphaNumericNanoId(4)}`),
-          orgId,
-          role: OrgMembershipRole.NoAccess
-        },
-        tx
-      );
-
-      if (members && members.length) {
-        const newMembers = await addUsersToGroupByUserIds({
-          group,
-          userIds: members.map((member) => member.value),
-          userDAL,
-          userGroupMembershipDAL,
-          orgDAL,
-          groupProjectDAL,
-          projectKeyDAL,
-          projectDAL,
-          projectBotDAL,
-          tx
-        });
-
-        return { group, newMembers };
-      }
-
-      return { group, newMembers: [] };
+    const group = await groupDAL.create({
+      name: displayName,
+      slug: slugify(`${displayName}-${alphaNumericNanoId(4)}`),
+      orgId,
+      role: OrgMembershipRole.NoAccess
     });
 
     return buildScimGroup({
-      groupId: newGroup.group.id,
-      name: newGroup.group.name,
-      members: newGroup.newMembers.map((member) => ({
-        value: member.id,
-        display: `${member.firstName} ${member.lastName}`
-      }))
+      groupId: group.id,
+      name: group.name,
+      members: []
     });
   };
 
@@ -627,7 +585,7 @@ export const scimServiceFactory = ({
     });
   };
 
-  const updateScimGroupNamePut = async ({ groupId, orgId, displayName, members }: TUpdateScimGroupNamePutDTO) => {
+  const updateScimGroupNamePut = async ({ groupId, orgId, displayName }: TUpdateScimGroupNamePutDTO) => {
     const plan = await licenseService.getPlan(orgId);
     if (!plan.groups)
       throw new BadRequestError({
@@ -648,82 +606,27 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      const [group] = await groupDAL.update(
-        {
-          id: groupId,
-          orgId
-        },
-        {
-          name: displayName
-        }
-      );
-
-      if (!group) {
-        throw new ScimRequestError({
-          detail: "Group Not Found",
-          status: 404
-        });
+    const [group] = await groupDAL.update(
+      {
+        id: groupId,
+        orgId
+      },
+      {
+        name: displayName
       }
+    );
 
-      if (members) {
-        const membersIdsSet = new Set(members.map((member) => member.value));
-
-        const directMemberUserIds = (
-          await userGroupMembershipDAL.find({
-            groupId: group.id,
-            isPending: false
-          })
-        ).map((membership) => membership.userId);
-
-        const pendingGroupAdditionsUserIds = (
-          await userGroupMembershipDAL.find({
-            groupId: group.id,
-            isPending: true
-          })
-        ).map((pendingGroupAddition) => pendingGroupAddition.userId);
-
-        const allMembersUserIds = directMemberUserIds.concat(pendingGroupAdditionsUserIds);
-        const allMembersUserIdsSet = new Set(allMembersUserIds);
-
-        const toAddUserIds = members.filter((member) => !allMembersUserIdsSet.has(member.value));
-        const toRemoveUserIds = allMembersUserIds.filter((userId) => !membersIdsSet.has(userId));
-
-        if (toAddUserIds.length) {
-          await addUsersToGroupByUserIds({
-            group,
-            userIds: toAddUserIds.map((member) => member.value),
-            userDAL,
-            userGroupMembershipDAL,
-            orgDAL,
-            groupProjectDAL,
-            projectKeyDAL,
-            projectDAL,
-            projectBotDAL,
-            tx
-          });
-        }
-
-        if (toRemoveUserIds.length) {
-          await removeUsersFromGroupByUserIds({
-            group,
-            userIds: toRemoveUserIds,
-            userDAL,
-            userGroupMembershipDAL,
-            groupProjectDAL,
-            projectKeyDAL,
-            tx
-          });
-        }
-      }
-
-      return group;
-    });
+    if (!group) {
+      throw new ScimRequestError({
+        detail: "Group Not Found",
+        status: 404
+      });
+    }
 
     return buildScimGroup({
-      groupId: updatedGroup.id,
-      name: updatedGroup.name,
-      members
+      groupId: group.id,
+      name: group.name,
+      members: []
     });
   };
 
@@ -736,7 +639,6 @@ export const scimServiceFactory = ({
       });
 
     const org = await orgDAL.findById(orgId);
-
     if (!org) {
       throw new ScimRequestError({
         detail: "Organization Not Found",

backend/src/ee/services/scim/scim-types.ts

@@ -37,6 +37,7 @@ export type TCreateScimUserDTO = {
   firstName: string;
   lastName: string;
   orgId: string;
+  externalId: string;
 };
 
 export type TUpdateScimUserDTO = {
@@ -81,11 +82,6 @@ export type TListScimGroups = {
 export type TCreateScimGroupDTO = {
   displayName: string;
   orgId: string;
-  members?: {
-    // TODO: account for members with value and display (is this optional?)
-    value: string;
-    display: string;
-  }[];
 };
 
 export type TGetScimGroupDTO = {
@@ -97,10 +93,6 @@ export type TUpdateScimGroupNamePutDTO = {
   groupId: string;
   orgId: string;
   displayName: string;
-  members: {
-    value: string;
-    display: string;
-  }[];
 };
 
 export type TUpdateScimGroupNamePatchDTO = {

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -90,20 +90,16 @@ export const secretRotationDbFn = async ({
   const appCfg = getConfig();
 
   const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
   const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
-  if (
-    isCloud &&
-    // internal ips
-    (host === "host.docker.internal" || host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
-  )
-    throw new Error("Invalid db host");
   if (
     host === "localhost" ||
     host === "127.0.0.1" ||
     // database infisical uses
-    dbHost === host
+    dbHost === host ||
+    // internal ips
+    host === "host.docker.internal" ||
+    host.match(/^10\.\d+\.\d+\.\d+/) ||
+    host.match(/^192\.168\.\d+\.\d+/)
   )
     throw new Error("Invalid db host");
 

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -1,4 +1,4 @@
-import { ForbiddenError, subject } from "@casl/ability";
+import { ForbiddenError } from "@casl/ability";
 
 import { TableName, TSecretTagJunctionInsert } from "@app/db/schemas";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
@@ -23,7 +23,6 @@ import {
 import { TSnapshotDALFactory } from "./snapshot-dal";
 import { TSnapshotFolderDALFactory } from "./snapshot-folder-dal";
 import { TSnapshotSecretDALFactory } from "./snapshot-secret-dal";
-import { getFullFolderPath } from "./snapshot-service-fns";
 
 type TSecretSnapshotServiceFactoryDep = {
   snapshotDAL: TSnapshotDALFactory;
@@ -34,7 +33,7 @@ type TSecretSnapshotServiceFactoryDep = {
   secretDAL: Pick<TSecretDALFactory, "delete" | "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findById" | "findBySecretPath" | "delete" | "insertMany" | "find">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findById" | "findBySecretPath" | "delete" | "insertMany">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   licenseService: Pick<TLicenseServiceFactory, "isValidLicense">;
 };
@@ -72,12 +71,6 @@ export const secretSnapshotServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
-    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
-    );
-
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
 
@@ -105,12 +98,6 @@ export const secretSnapshotServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
-    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
-    );
-
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
 
@@ -129,19 +116,6 @@ export const secretSnapshotServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
-
-    const fullFolderPath = await getFullFolderPath({
-      folderDAL,
-      folderId: snapshot.folderId,
-      envId: snapshot.environment.id
-    });
-
-    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: snapshot.environment.slug, secretPath: fullFolderPath })
-    );
-
     return snapshot;
   };
 

backend/src/ee/services/secret-snapshot/snapshot-dal.ts

@@ -101,7 +101,6 @@ export const snapshotDALFactory = (db: TDbClient) => {
         key: "snapshotId",
         parentMapper: ({
           snapshotId: id,
-          folderId,
           projectId,
           envId,
           envSlug,
@@ -110,7 +109,6 @@ export const snapshotDALFactory = (db: TDbClient) => {
           snapshotUpdatedAt: updatedAt
         }) => ({
           id,
-          folderId,
           projectId,
           createdAt,
           updatedAt,

backend/src/ee/services/secret-snapshot/snapshot-service-fns.ts

@@ -1,28 +0,0 @@
-import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-
-type GetFullFolderPath = {
-  folderDAL: Pick<TSecretFolderDALFactory, "findById" | "find">; // Added findAllInEnv
-  folderId: string;
-  envId: string;
-};
-
-export const getFullFolderPath = async ({ folderDAL, folderId, envId }: GetFullFolderPath): Promise<string> => {
-  // Helper function to remove duplicate slashes
-  const removeDuplicateSlashes = (path: string) => path.replace(/\/{2,}/g, "/");
-
-  // Fetch all folders at once based on environment ID to avoid multiple queries
-  const folders = await folderDAL.find({ envId });
-  const folderMap = new Map(folders.map((folder) => [folder.id, folder]));
-
-  const buildPath = (currFolderId: string): string => {
-    const folder = folderMap.get(currFolderId);
-    if (!folder) return "";
-    const folderPathSegment = !folder.parentId && folder.name === "root" ? "/" : `/${folder.name}`;
-    if (folder.parentId) {
-      return removeDuplicateSlashes(`${buildPath(folder.parentId)}${folderPathSegment}`);
-    }
-    return removeDuplicateSlashes(folderPathSegment);
-  };
-
-  return buildPath(folderId);
-};

backend/src/lib/api-docs/constants.ts

@@ -282,7 +282,6 @@ export const RAW_SECRETS = {
   },
   CREATE: {
     secretName: "The name of the secret to create.",
-    projectSlug: "The slug of the project to create the secret in.",
     environment: "The slug of the environment to create the secret in.",
     secretComment: "Attach a comment to the secret.",
     secretPath: "The path to create the secret in.",
@@ -302,13 +301,11 @@ export const RAW_SECRETS = {
   },
   UPDATE: {
     secretName: "The name of the secret to update.",
-    secretComment: "Update comment to the secret.",
     environment: "The slug of the environment where the secret is located.",
     secretPath: "The path of the secret to update",
     secretValue: "The new value of the secret.",
     skipMultilineEncoding: "Skip multiline encoding for the secret value.",
     type: "The type of the secret to update.",
-    projectSlug: "The slug of the project to update the secret in.",
     workspaceId: "The ID of the project to update the secret in."
   },
   DELETE: {
@@ -316,7 +313,6 @@ export const RAW_SECRETS = {
     environment: "The slug of the environment where the secret is located.",
     secretPath: "The path of the secret.",
     type: "The type of the secret to delete.",
-    projectSlug: "The slug of the project to delete the secret in.",
     workspaceId: "The ID of the project where the secret is located."
   }
 } as const;
@@ -589,13 +585,11 @@ export const INTEGRATION = {
     region: "AWS region to sync secrets to.",
     scope: "Scope of the provider. Used by Github, Qovery",
     metadata: {
-      secretPrefix: "The prefix for the saved secret. Used by GCP.",
-      secretSuffix: "The suffix for the saved secret. Used by GCP.",
-      initialSyncBehavoir: "Type of syncing behavoir with the integration.",
-      shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
-      secretGCPLabel: "The label for GCP secrets.",
-      secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS."
+      secretPrefix: "The prefix for the saved secret. Used by GCP",
+      secretSuffix: "The suffix for the saved secret. Used by GCP",
+      initialSyncBehavoir: "Type of syncing behavoir with the integration",
+      shouldAutoRedeploy: "Used by Render to trigger auto deploy",
+      secretGCPLabel: "The label for the GCP secrets"
     }
   },
   UPDATE: {

backend/src/lib/fn/dates.ts

@@ -1,2 +0,0 @@
-export const getLastMidnightDateISO = (last = 1) =>
-  `${new Date(new Date().setDate(new Date().getDate() - last)).toISOString().slice(0, 10)}T00:00:00Z`;

backend/src/lib/fn/index.ts

@@ -2,6 +2,5 @@
 // Full credits goes to https://github.com/rayapps to those functions
 // Code taken to keep in in house and to adjust somethings for our needs
 export * from "./array";
-export * from "./dates";
 export * from "./object";
 export * from "./string";

backend/src/server/config/rateLimiter.ts

@@ -41,8 +41,8 @@ export const secretsLimit: RateLimitOptions = {
 };
 
 export const authRateLimit: RateLimitOptions = {
-  timeWindow: 60 * 1000,
-  max: 60,
+  timeWindow: 5 * 60 * 1000,
+  max: 30,
   keyGenerator: (req) => req.realIp
 };
 

backend/src/server/plugins/swagger.ts

@@ -30,6 +30,12 @@ export const fastifySwagger = fp(async (fastify) => {
             scheme: "bearer",
             bearerFormat: "JWT",
             description: "An access token in Infisical"
+          },
+          apiKeyAuth: {
+            type: "apiKey",
+            in: "header",
+            name: "X-API-Key",
+            description: "An API Key in Infisical"
           }
         }
       }

backend/src/server/routes/index.ts

@@ -286,14 +286,11 @@ export const registerRoutes = async (
     licenseService,
     scimDAL,
     userDAL,
+    userAliasDAL,
     orgDAL,
     projectDAL,
     projectMembershipDAL,
     groupDAL,
-    groupProjectDAL,
-    userGroupMembershipDAL,
-    projectKeyDAL,
-    projectBotDAL,
     permissionService,
     smtpService
   });
@@ -319,7 +316,14 @@ export const registerRoutes = async (
   });
 
   const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
-  const userService = userServiceFactory({ userDAL });
+  const userService = userServiceFactory({
+    userDAL,
+    orgDAL,
+    projectMembershipDAL,
+    projectUserMembershipRoleDAL,
+    tokenService,
+    smtpService
+  });
   const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, tokenDAL: authTokenDAL });
   const passwordService = authPaswordServiceFactory({
     tokenService,
@@ -348,11 +352,6 @@ export const registerRoutes = async (
     smtpService,
     authDAL,
     userDAL,
-    userGroupMembershipDAL,
-    projectKeyDAL,
-    projectDAL,
-    projectBotDAL,
-    groupProjectDAL,
     orgDAL,
     orgService,
     licenseService

backend/src/server/routes/v1/integration-auth-router.ts

@@ -511,39 +511,6 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/:integrationAuthId/aws-secrets-manager/kms-keys",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      params: z.object({
-        integrationAuthId: z.string().trim()
-      }),
-      querystring: z.object({
-        region: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          kmsKeys: z.object({ id: z.string(), alias: z.string() }).array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const kmsKeys = await server.services.integrationAuth.getAwsKmsKeys({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.params.integrationAuthId,
-        region: req.query.region
-      });
-      return { kmsKeys };
-    }
-  });
-
   server.route({
     method: "GET",
     url: "/:integrationAuthId/qovery/projects",

backend/src/server/routes/v1/integration-router.ts

@@ -56,19 +56,9 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
                 labelValue: z.string()
               })
               .optional()
-              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel),
-            secretAWSTag: z
-              .array(
-                z.object({
-                  key: z.string(),
-                  value: z.string()
-                })
-              )
-              .optional()
-              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
+              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel)
           })
-          .default({})
+          .optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-env-router.ts

@@ -18,7 +18,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
       description: "Create environment",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -76,7 +77,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
       description: "Update environment",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -142,7 +144,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
       description: "Delete environment",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({

backend/src/server/routes/v1/project-membership-router.ts

@@ -26,7 +26,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
       description: "Return project user memberships",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -34,28 +35,31 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
       }),
       response: {
         200: z.object({
-          memberships: ProjectMembershipsSchema.extend({
-            user: UsersSchema.pick({
-              email: true,
-              firstName: true,
-              lastName: true,
-              id: true
-            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-            roles: z.array(
+          memberships: ProjectMembershipsSchema.omit({ role: true })
+            .merge(
               z.object({
-                id: z.string(),
-                role: z.string(),
-                customRoleId: z.string().optional().nullable(),
-                customRoleName: z.string().optional().nullable(),
-                customRoleSlug: z.string().optional().nullable(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().optional().nullable(),
-                temporaryRange: z.string().nullable().optional(),
-                temporaryAccessStartTime: z.date().nullable().optional(),
-                temporaryAccessEndTime: z.date().nullable().optional()
+                user: UsersSchema.pick({
+                  email: true,
+                  firstName: true,
+                  lastName: true,
+                  id: true
+                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+                roles: z.array(
+                  z.object({
+                    id: z.string(),
+                    role: z.string(),
+                    customRoleId: z.string().optional().nullable(),
+                    customRoleName: z.string().optional().nullable(),
+                    customRoleSlug: z.string().optional().nullable(),
+                    isTemporary: z.boolean(),
+                    temporaryMode: z.string().optional().nullable(),
+                    temporaryRange: z.string().nullable().optional(),
+                    temporaryAccessStartTime: z.date().nullable().optional(),
+                    temporaryAccessEndTime: z.date().nullable().optional()
+                  })
+                )
               })
             )
-          })
             .omit({ createdAt: true, updatedAt: true })
             .array()
         })
@@ -138,7 +142,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
       description: "Update project user membership",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -211,7 +216,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
       description: "Delete project user membership",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({

backend/src/server/routes/v1/project-router.ts

@@ -70,29 +70,32 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          users: ProjectMembershipsSchema.extend({
-            user: UsersSchema.pick({
-              email: true,
-              username: true,
-              firstName: true,
-              lastName: true,
-              id: true
-            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-            roles: z.array(
+          users: ProjectMembershipsSchema.omit({ role: true })
+            .merge(
               z.object({
-                id: z.string(),
-                role: z.string(),
-                customRoleId: z.string().optional().nullable(),
-                customRoleName: z.string().optional().nullable(),
-                customRoleSlug: z.string().optional().nullable(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().optional().nullable(),
-                temporaryRange: z.string().nullable().optional(),
-                temporaryAccessStartTime: z.date().nullable().optional(),
-                temporaryAccessEndTime: z.date().nullable().optional()
+                user: UsersSchema.pick({
+                  username: true,
+                  email: true,
+                  firstName: true,
+                  lastName: true,
+                  id: true
+                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+                roles: z.array(
+                  z.object({
+                    id: z.string(),
+                    role: z.string(),
+                    customRoleId: z.string().optional().nullable(),
+                    customRoleName: z.string().optional().nullable(),
+                    customRoleSlug: z.string().optional().nullable(),
+                    isTemporary: z.boolean(),
+                    temporaryMode: z.string().optional().nullable(),
+                    temporaryRange: z.string().nullable().optional(),
+                    temporaryAccessStartTime: z.date().nullable().optional(),
+                    temporaryAccessEndTime: z.date().nullable().optional()
+                  })
+                )
               })
             )
-          })
             .omit({ createdAt: true, updatedAt: true })
             .array()
         })
@@ -138,12 +141,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
-      description: "Get project",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       params: z.object({
         workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
       }),
@@ -176,12 +173,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      description: "Delete project",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       params: z.object({
         workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
       }),
@@ -251,12 +242,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      description: "Update project",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       params: z.object({
         workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
       }),

backend/src/server/routes/v1/secret-folder-router.ts

@@ -19,7 +19,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       description: "Create folders",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       body: z.object({
@@ -75,7 +76,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       description: "Update folder",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -138,7 +140,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       description: "Delete a folder",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -197,7 +200,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       description: "Get folders",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       querystring: z.object({

backend/src/server/routes/v1/secret-import-router.ts

@@ -19,7 +19,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
       description: "Create secret imports",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       body: z.object({
@@ -83,7 +84,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
       description: "Update secret imports",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -157,7 +159,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
       description: "Delete secret imports",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -220,7 +223,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
       description: "Get secret imports",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       querystring: z.object({

backend/src/server/routes/v2/identity-org-router.ts

@@ -18,7 +18,8 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
       description: "Return organization identity memberships",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({

backend/src/server/routes/v2/organization-router.ts

@@ -17,7 +17,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       description: "Return organization user memberships",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -44,6 +45,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       if (req.auth.actor !== ActorType.USER) return;
+
       const users = await server.services.org.findAllOrgMembers(
         req.permission.id,
         req.params.organizationId,
@@ -64,7 +66,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       description: "Return projects in organization that user is part of",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -112,7 +115,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       description: "Update organization user memberships",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -154,7 +158,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       description: "Delete organization user memberships",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({

backend/src/server/routes/v2/project-membership-router.ts

@@ -15,12 +15,6 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
       rateLimit: writeLimit
     },
     schema: {
-      description: "Invite members to project",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       params: z.object({
         projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
       }),
@@ -70,15 +64,10 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
       rateLimit: writeLimit
     },
     schema: {
-      description: "Remove members from project",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       params: z.object({
         projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
       }),
+
       body: z.object({
         emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
         usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)

backend/src/server/routes/v2/project-router.ts

@@ -36,6 +36,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       description: "Return encrypted project key",
+      security: [
+        {
+          apiKeyAuth: []
+        }
+      ],
       params: z.object({
         workspaceId: z.string().trim().describe(PROJECTS.GET_KEY.workspaceId)
       }),
@@ -144,12 +149,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: creationLimit
     },
     schema: {
-      description: "Create a new project",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       body: z.object({
         projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
         slug: z
@@ -201,12 +200,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      description: "Delete project",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       params: z.object({
         slug: slugSchema.describe("The slug of the project to delete.")
       }),

backend/src/server/routes/v2/user-router.ts

@@ -2,11 +2,93 @@ import { z } from "zod";
 
 import { AuthTokenSessionsSchema, OrganizationsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMethod, AuthMode } from "@app/services/auth/auth-type";
 
 export const registerUserRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/me/emails/code",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      response: {
+        200: z.object({})
+      }
+    },
+    preHandler: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.user.sendEmailVerificationCode(req.permission.id);
+      return {};
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/me/emails/verify",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        code: z.string().trim()
+      }),
+      response: {
+        200: z.object({})
+      }
+    },
+    preHandler: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.user.verifyEmailVerificationCode(req.permission.id, req.body.code);
+      return {};
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/me/users/same-email",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          users: UsersSchema.array()
+        })
+      }
+    },
+    preHandler: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const users = await server.services.user.listUsersWithSameEmail(req.permission.id);
+      return {
+        users
+      };
+    }
+  });
+
+  // server.route({ // TODO(dangtony98)
+  //   method: "POST",
+  //   url: "/me/users/merge",
+  //   config: {
+  //     rateLimit: authRateLimit
+  //   },
+  //   schema: {
+  //     body: z.object({
+  //       username: z.string().trim()
+  //     }),
+  //     response: {
+  //       200: z.object({})
+  //     }
+  //   },
+  //   preHandler: verifyAuth([AuthMode.JWT]),
+  //   handler: async (req) => {
+  //     console.log("POST /me/users/merge req.body: ", req.body);
+  //     return {};
+  //   }
+  // });
+
   server.route({
     method: "PATCH",
     url: "/me/mfa",
@@ -85,6 +167,11 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       description: "Return organizations that current user is part of",
+      security: [
+        {
+          apiKeyAuth: []
+        }
+      ],
       response: {
         200: z.object({
           organizations: OrganizationsSchema.array()
@@ -212,6 +299,11 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       description: "Retrieve the current user on the request",
+      security: [
+        {
+          apiKeyAuth: []
+        }
+      ],
       response: {
         200: z.object({
           user: UsersSchema.merge(UserEncryptionKeysSchema.omit({ verifier: true }))

backend/src/server/routes/v3/secret-router.ts

@@ -158,7 +158,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       description: "List secrets",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       querystring: z.object({
@@ -279,7 +280,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       description: "Get a secret by name",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -373,7 +375,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       description: "Create secret",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -461,7 +464,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       description: "Update secret",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -546,7 +550,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       description: "Delete secret",
       security: [
         {
-          bearerAuth: []
+          bearerAuth: [],
+          apiKeyAuth: []
         }
       ],
       params: z.object({
@@ -1656,263 +1661,4 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       return { secrets };
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/batch/raw",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      description: "Create many secrets",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectSlug: z.string().trim().describe(RAW_SECRETS.CREATE.projectSlug),
-        environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.CREATE.secretPath),
-        secrets: z
-          .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.CREATE.secretName),
-            secretValue: z
-              .string()
-              .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-              .describe(RAW_SECRETS.CREATE.secretValue),
-            secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
-            skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding)
-          })
-          .array()
-          .min(1)
-      }),
-      response: {
-        200: z.object({
-          secrets: secretRawSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { environment, projectSlug, secretPath, secrets: inputSecrets } = req.body;
-
-      const secrets = await server.services.secret.createManySecretsRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretPath,
-        environment,
-        projectSlug,
-        secrets: inputSecrets
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: secrets[0].workspace,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.CREATE_SECRETS,
-          metadata: {
-            environment: req.body.environment,
-            secretPath: req.body.secretPath,
-            secrets: secrets.map((secret, i) => ({
-              secretId: secret.id,
-              secretKey: inputSecrets[i].secretKey,
-              secretVersion: secret.version
-            }))
-          }
-        }
-      });
-
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.SecretCreated,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          numberOfSecrets: secrets.length,
-          workspaceId: secrets[0].workspace,
-          environment: req.body.environment,
-          secretPath: req.body.secretPath,
-          channel: getUserAgentType(req.headers["user-agent"]),
-          ...req.auditLogInfo
-        }
-      });
-      return { secrets };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/batch/raw",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      description: "Update many secrets",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectSlug: z.string().trim().describe(RAW_SECRETS.UPDATE.projectSlug),
-        environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.UPDATE.secretPath),
-        secrets: z
-          .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName),
-            secretValue: z
-              .string()
-              .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-              .describe(RAW_SECRETS.UPDATE.secretValue),
-            secretComment: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.secretComment),
-            skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding)
-          })
-          .array()
-          .min(1)
-      }),
-      response: {
-        200: z.object({
-          secrets: secretRawSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { environment, projectSlug, secretPath, secrets: inputSecrets } = req.body;
-      const secrets = await server.services.secret.updateManySecretsRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretPath,
-        environment,
-        projectSlug,
-        secrets: inputSecrets
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: secrets[0].workspace,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.UPDATE_SECRETS,
-          metadata: {
-            environment: req.body.environment,
-            secretPath: req.body.secretPath,
-            secrets: secrets.map((secret, i) => ({
-              secretId: secret.id,
-              secretKey: inputSecrets[i].secretKey,
-              secretVersion: secret.version
-            }))
-          }
-        }
-      });
-
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.SecretUpdated,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          numberOfSecrets: secrets.length,
-          workspaceId: secrets[0].workspace,
-          environment: req.body.environment,
-          secretPath: req.body.secretPath,
-          channel: getUserAgentType(req.headers["user-agent"]),
-          ...req.auditLogInfo
-        }
-      });
-      return { secrets };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/batch/raw",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      description: "Delete many secrets",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectSlug: z.string().trim().describe(RAW_SECRETS.DELETE.projectSlug),
-        environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.DELETE.secretPath),
-        secrets: z
-          .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
-          })
-          .array()
-          .min(1)
-      }),
-      response: {
-        200: z.object({
-          secrets: secretRawSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { environment, projectSlug, secretPath, secrets: inputSecrets } = req.body;
-      const secrets = await server.services.secret.deleteManySecretsRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        environment,
-        projectSlug,
-        secretPath,
-        secrets: inputSecrets
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: secrets[0].workspace,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.DELETE_SECRETS,
-          metadata: {
-            environment: req.body.environment,
-            secretPath: req.body.secretPath,
-            secrets: secrets.map((secret, i) => ({
-              secretId: secret.id,
-              secretKey: inputSecrets[i].secretKey,
-              secretVersion: secret.version
-            }))
-          }
-        }
-      });
-
-      await server.services.telemetry.sendPostHogEvents({
-        event: PostHogEventTypes.SecretDeleted,
-        distinctId: getTelemetryDistinctId(req),
-        properties: {
-          numberOfSecrets: secrets.length,
-          workspaceId: secrets[0].workspace,
-          environment: req.body.environment,
-          secretPath: req.body.secretPath,
-          channel: getUserAgentType(req.headers["user-agent"]),
-          ...req.auditLogInfo
-        }
-      });
-      return { secrets };
-    }
-  });
 };

backend/src/services/auth-token/auth-token-service.ts

@@ -27,6 +27,11 @@ export const getTokenConfig = (tokenType: TokenType) => {
       const expiresAt = new Date(new Date().getTime() + 86400000);
       return { token, expiresAt };
     }
+    case TokenType.TOKEN_EMAIL_VERIFICATION: {
+      const token = crypto.randomBytes(16).toString("hex");
+      const expiresAt = new Date(new Date().getTime() + 300000);
+      return { token, expiresAt };
+    }
     case TokenType.TOKEN_EMAIL_MFA: {
       // generate random 6-digit code
       const token = String(crypto.randomInt(10 ** 5, 10 ** 6 - 1));

backend/src/services/auth-token/auth-token-types.ts

@@ -1,5 +1,6 @@
 export enum TokenType {
   TOKEN_EMAIL_CONFIRMATION = "emailConfirmation",
+  TOKEN_EMAIL_VERIFICATION = "emailVerification", // unverified -> verified email
   TOKEN_EMAIL_MFA = "emailMfa",
   TOKEN_EMAIL_ORG_INVITATION = "organizationInvitation",
   TOKEN_EMAIL_PASSWORD_RESET = "passwordReset"

backend/src/services/auth/auth-signup-service.ts

@@ -1,16 +1,10 @@
 import jwt from "jsonwebtoken";
 
 import { OrgMembershipStatus } from "@app/db/schemas";
-import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns";
-import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { isDisposableEmail } from "@app/lib/validator";
-import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
-import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
@@ -26,14 +20,6 @@ import { AuthMethod, AuthTokenType } from "./auth-type";
 type TAuthSignupDep = {
   authDAL: TAuthDALFactory;
   userDAL: TUserDALFactory;
-  userGroupMembershipDAL: Pick<
-    TUserGroupMembershipDALFactory,
-    "find" | "transaction" | "insertMany" | "deletePendingUserGroupMembershipsByUserIds"
-  >;
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
-  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   orgService: Pick<TOrgServiceFactory, "createOrganization">;
   orgDAL: TOrgDALFactory;
   tokenService: TAuthTokenServiceFactory;
@@ -45,11 +31,6 @@ export type TAuthSignupFactory = ReturnType<typeof authSignupServiceFactory>;
 export const authSignupServiceFactory = ({
   authDAL,
   userDAL,
-  userGroupMembershipDAL,
-  projectKeyDAL,
-  projectDAL,
-  projectBotDAL,
-  groupProjectDAL,
   tokenService,
   smtpService,
   orgService,
@@ -79,7 +60,7 @@ export const authSignupServiceFactory = ({
     });
 
     await smtpService.sendMail({
-      template: SmtpTemplates.EmailVerification,
+      template: SmtpTemplates.SignupEmailVerification,
       subjectLine: "Infisical confirmation code",
       recipients: [email],
       substitutions: {
@@ -148,7 +129,16 @@ export const authSignupServiceFactory = ({
     }
 
     const updateduser = await authDAL.transaction(async (tx) => {
-      const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
+      const us = await userDAL.updateById(
+        user.id,
+        {
+          firstName,
+          lastName,
+          isAccepted: true,
+          isEmailVerified: true
+        },
+        tx
+      );
       if (!us) throw new Error("User not found");
       const userEncKey = await userDAL.upsertUserEncryptionKey(
         us.id,
@@ -187,16 +177,6 @@ export const authSignupServiceFactory = ({
     const uniqueOrgId = [...new Set(updatedMembersips.map(({ orgId }) => orgId))];
     await Promise.allSettled(uniqueOrgId.map((orgId) => licenseService.updateSubscriptionOrgMemberCount(orgId)));
 
-    await convertPendingGroupAdditionsToGroupMemberships({
-      userIds: [user.id],
-      userDAL,
-      userGroupMembershipDAL,
-      groupProjectDAL,
-      projectKeyDAL,
-      projectDAL,
-      projectBotDAL
-    });
-
     const tokenSession = await tokenService.getUserTokenSession({
       userAgent,
       ip,
@@ -272,7 +252,16 @@ export const authSignupServiceFactory = ({
       });
 
     const updateduser = await authDAL.transaction(async (tx) => {
-      const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
+      const us = await userDAL.updateById(
+        user.id,
+        {
+          firstName,
+          lastName,
+          isAccepted: true,
+          isEmailVerified: true
+        },
+        tx
+      );
       if (!us) throw new Error("User not found");
       const userEncKey = await userDAL.upsertUserEncryptionKey(
         us.id,
@@ -299,17 +288,6 @@ export const authSignupServiceFactory = ({
       const uniqueOrgId = [...new Set(updatedMembersips.map(({ orgId }) => orgId))];
       await Promise.allSettled(uniqueOrgId.map((orgId) => licenseService.updateSubscriptionOrgMemberCount(orgId)));
 
-      await convertPendingGroupAdditionsToGroupMemberships({
-        userIds: [user.id],
-        userDAL,
-        userGroupMembershipDAL,
-        groupProjectDAL,
-        projectKeyDAL,
-        projectDAL,
-        projectBotDAL,
-        tx
-      });
-
       return { info: us, key: userEncKey };
     });
 

backend/src/services/group-project/group-project-service.ts

@@ -32,7 +32,7 @@ type TGroupProjectServiceFactoryDep = {
     TGroupProjectMembershipRoleDALFactory,
     "create" | "transaction" | "insertMany" | "delete"
   >;
-  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "findGroupMembersNotInProject">;
+  userGroupMembershipDAL: TUserGroupMembershipDALFactory;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "findProjectGhostUser">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany" | "transaction">;
   projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
@@ -116,69 +116,68 @@ export const groupProjectServiceFactory = ({
         },
         tx
       );
-
-      // share project key with users in group that have not
-      // individually been added to the project and that are not part of
-      // other groups that are in the project
-      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx);
-
-      if (groupMembers.length) {
-        const ghostUser = await projectDAL.findProjectGhostUser(project.id, tx);
-
-        if (!ghostUser) {
-          throw new BadRequestError({
-            message: "Failed to find sudo user"
-          });
-        }
-
-        const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, project.id, tx);
-
-        if (!ghostUserLatestKey) {
-          throw new BadRequestError({
-            message: "Failed to find sudo user latest key"
-          });
-        }
-
-        const bot = await projectBotDAL.findOne({ projectId: project.id }, tx);
-
-        if (!bot) {
-          throw new BadRequestError({
-            message: "Failed to find bot"
-          });
-        }
-
-        const botPrivateKey = infisicalSymmetricDecrypt({
-          keyEncoding: bot.keyEncoding as SecretKeyEncoding,
-          iv: bot.iv,
-          tag: bot.tag,
-          ciphertext: bot.encryptedPrivateKey
-        });
-
-        const plaintextProjectKey = decryptAsymmetric({
-          ciphertext: ghostUserLatestKey.encryptedKey,
-          nonce: ghostUserLatestKey.nonce,
-          publicKey: ghostUserLatestKey.sender.publicKey,
-          privateKey: botPrivateKey
-        });
-
-        const projectKeyData = groupMembers.map(({ user: { publicKey, id } }) => {
-          const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, publicKey, botPrivateKey);
-
-          return {
-            encryptedKey,
-            nonce,
-            senderId: ghostUser.id,
-            receiverId: id,
-            projectId: project.id
-          };
-        });
-
-        await projectKeyDAL.insertMany(projectKeyData, tx);
-      }
-
       return groupProjectMembership;
     });
 
+    // share project key with users in group that have not
+    // individually been added to the project and that are not part of
+    // other groups that are in the project
+    const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id);
+
+    if (groupMembers.length) {
+      const ghostUser = await projectDAL.findProjectGhostUser(project.id);
+
+      if (!ghostUser) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user"
+        });
+      }
+
+      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, project.id);
+
+      if (!ghostUserLatestKey) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user latest key"
+        });
+      }
+
+      const bot = await projectBotDAL.findOne({ projectId: project.id });
+
+      if (!bot) {
+        throw new BadRequestError({
+          message: "Failed to find bot"
+        });
+      }
+
+      const botPrivateKey = infisicalSymmetricDecrypt({
+        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+        iv: bot.iv,
+        tag: bot.tag,
+        ciphertext: bot.encryptedPrivateKey
+      });
+
+      const plaintextProjectKey = decryptAsymmetric({
+        ciphertext: ghostUserLatestKey.encryptedKey,
+        nonce: ghostUserLatestKey.nonce,
+        publicKey: ghostUserLatestKey.sender.publicKey,
+        privateKey: botPrivateKey
+      });
+
+      const projectKeyData = groupMembers.map(({ user: { publicKey, id } }) => {
+        const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, publicKey, botPrivateKey);
+
+        return {
+          encryptedKey,
+          nonce,
+          senderId: ghostUser.id,
+          receiverId: id,
+          projectId: project.id
+        };
+      });
+
+      await projectKeyDAL.insertMany(projectKeyData);
+    }
+
     return projectGroup;
   };
 
@@ -288,26 +287,20 @@ export const groupProjectServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);
 
-    const deletedProjectGroup = await groupProjectDAL.transaction(async (tx) => {
-      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx);
+    const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id);
 
-      if (groupMembers.length) {
-        await projectKeyDAL.delete(
-          {
-            projectId: project.id,
-            $in: {
-              receiverId: groupMembers.map(({ user: { id } }) => id)
-            }
-          },
-          tx
-        );
-      }
+    if (groupMembers.length) {
+      await projectKeyDAL.delete({
+        projectId: project.id,
+        $in: {
+          receiverId: groupMembers.map(({ user: { id } }) => id)
+        }
+      });
+    }
 
-      const [projectGroup] = await groupProjectDAL.delete({ groupId: group.id, projectId: project.id }, tx);
-      return projectGroup;
-    });
+    const [deletedGroup] = await groupProjectDAL.delete({ groupId: group.id, projectId: project.id });
 
-    return deletedProjectGroup;
+    return deletedGroup;
   };
 
   const listGroupsInProject = async ({

backend/src/services/identity-project/identity-project-service.ts

@@ -93,7 +93,9 @@ export const identityProjectServiceFactory = ({
       const identityProjectMembership = await identityProjectDAL.create(
         {
           identityId,
-          projectId: project.id
+          projectId: project.id,
+          role: isCustomRole ? ProjectMembershipRole.Custom : role,
+          roleId: customRole?.id
         },
         tx
       );

backend/src/services/integration-auth/integration-app-list.ts

@@ -129,55 +129,26 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
  * Return list of names of apps for Vercel integration
  */
 const getAppsVercel = async ({ accessToken, teamId }: { teamId?: string | null; accessToken: string }) => {
-  const apps: Array<{ name: string; appId: string }> = [];
-
-  const limit = "20";
-  let hasMorePages = true;
-  let next: number | null = null;
-
-  interface Response {
-    projects: { name: string; id: string }[];
-    pagination: {
-      count: number;
-      next: number | null;
-      prev: number;
-    };
-  }
-
-  while (hasMorePages) {
-    const params: { [key: string]: string } = {
-      limit
-    };
-
-    if (teamId) {
-      params.teamId = teamId;
-    }
-
-    if (next) {
-      params.until = String(next);
-    }
-
-    const { data } = await request.get<Response>(`${IntegrationUrls.VERCEL_API_URL}/v9/projects`, {
-      params: new URLSearchParams(params),
+  const res = (
+    await request.get<{ projects: { name: string; id: string }[] }>(`${IntegrationUrls.VERCEL_API_URL}/v9/projects`, {
       headers: {
         Authorization: `Bearer ${accessToken}`,
         "Accept-Encoding": "application/json"
-      }
-    });
+      },
+      ...(teamId
+        ? {
+            params: {
+              teamId
+            }
+          }
+        : {})
+    })
+  ).data;
 
-    data.projects.forEach((a) => {
-      apps.push({
-        name: a.name,
-        appId: a.id
-      });
-    });
-
-    next = data.pagination.next;
-
-    if (data.pagination.next === null) {
-      hasMorePages = false;
-    }
-  }
+  const apps = res.projects.map((a) => ({
+    name: a.name,
+    appId: a.id
+  }));
 
   return apps;
 };

backend/src/services/integration-auth/integration-auth-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 import { Octokit } from "@octokit/rest";
-import AWS from "aws-sdk";
 
 import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -24,7 +23,6 @@ import {
   TGetIntegrationAuthTeamCityBuildConfigDTO,
   THerokuPipelineCoupling,
   TIntegrationAuthAppsDTO,
-  TIntegrationAuthAwsKmsKeyDTO,
   TIntegrationAuthBitbucketWorkspaceDTO,
   TIntegrationAuthChecklyGroupsDTO,
   TIntegrationAuthGithubEnvsDTO,
@@ -536,52 +534,6 @@ export const integrationAuthServiceFactory = ({
     return data.results.map(({ name, id: orgId }) => ({ name, orgId }));
   };
 
-  const getAwsKmsKeys = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    id,
-    region
-  }: TIntegrationAuthAwsKmsKeyDTO) => {
-    const integrationAuth = await integrationAuthDAL.findById(id);
-    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integrationAuth.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessId, accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
-
-    AWS.config.update({
-      region,
-      credentials: {
-        accessKeyId: String(accessId),
-        secretAccessKey: accessToken
-      }
-    });
-    const kms = new AWS.KMS();
-
-    const aliases = await kms.listAliases({}).promise();
-    const keys = await kms.listKeys({}).promise();
-    const response = keys
-      .Keys!.map((key) => {
-        const keyAlias = aliases.Aliases!.find((alias) => key.KeyId === alias.TargetKeyId);
-        if (!keyAlias?.AliasName?.includes("alias/aws/") || keyAlias?.AliasName?.includes("alias/aws/secretsmanager")) {
-          return { id: String(key.KeyId), alias: String(keyAlias?.AliasName || key.KeyId) };
-        }
-        return { id: "null", alias: "null" };
-      })
-      .filter((elem) => elem.id !== "null");
-
-    return response;
-  };
-
   const getQoveryProjects = async ({
     actorId,
     actor,
@@ -1181,7 +1133,6 @@ export const integrationAuthServiceFactory = ({
     getIntegrationApps,
     getVercelBranches,
     getApps,
-    getAwsKmsKeys,
     getGithubOrgs,
     getGithubEnvs,
     getChecklyGroups,

backend/src/services/integration-auth/integration-auth-types.ts

@@ -63,11 +63,6 @@ export type TIntegrationAuthQoveryProjectDTO = {
   orgId: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TIntegrationAuthAwsKmsKeyDTO = {
-  id: string;
-  region: string;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TIntegrationAuthQoveryEnvironmentsDTO = {
   id: string;
 } & TProjectPermission;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -1,4 +1,3 @@
-/* eslint-disable @typescript-eslint/no-unsafe-call */
 /* eslint-disable @typescript-eslint/no-unsafe-return */
 /* eslint-disable @typescript-eslint/no-unsafe-assignment */
 /* eslint-disable @typescript-eslint/no-unsafe-argument */
@@ -458,8 +457,6 @@ const syncSecretsAWSParameterStore = async ({
   });
   ssm.config.update(config);
 
-  const metadata = z.record(z.any()).parse(integration.metadata);
-
   const params = {
     Path: integration.path as string,
     Recursive: false,
@@ -489,10 +486,7 @@ const syncSecretsAWSParameterStore = async ({
             Name: `${integration.path}${key}`,
             Type: "SecureString",
             Value: secrets[key].value,
-            // Overwrite: true,
-            Tags: metadata.secretAWSTag
-              ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
-              : []
+            Overwrite: true
           })
           .promise();
         // case: secret exists in AWS parameter store
@@ -505,7 +499,6 @@ const syncSecretsAWSParameterStore = async ({
             Type: "SecureString",
             Value: secrets[key].value,
             Overwrite: true
-            // Tags: metadata.secretAWSTag ? [{ Key: metadata.secretAWSTag.key, Value: metadata.secretAWSTag.value }] : []
           })
           .promise();
       }
@@ -544,7 +537,6 @@ const syncSecretsAWSSecretManager = async ({
 }) => {
   let secretsManager;
   const secKeyVal = getSecretKeyValuePair(secrets);
-  const metadata = z.record(z.any()).parse(integration.metadata);
   try {
     if (!accessId) return;
 
@@ -581,11 +573,7 @@ const syncSecretsAWSSecretManager = async ({
       await secretsManager.send(
         new CreateSecretCommand({
           Name: integration.app as string,
-          SecretString: JSON.stringify(secKeyVal),
-          KmsKeyId: metadata.kmsKeyId ? metadata.kmsKeyId : null,
-          Tags: metadata.secretAWSTag
-            ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
-            : []
+          SecretString: JSON.stringify(secKeyVal)
         })
       );
     }
@@ -2157,29 +2145,16 @@ const syncSecretsQovery = async ({
  * @param {String} obj.accessToken - access token for Terraform Cloud API
  */
 const syncSecretsTerraformCloud = async ({
-  createManySecretsRawFn,
-  updateManySecretsRawFn,
   integration,
   secrets,
-  accessToken,
-  integrationDAL
+  accessToken
 }: {
-  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<TSecrets & { _id: string }>>;
-  updateManySecretsRawFn: (params: TUpdateManySecretsRawFn) => Promise<Array<TSecrets & { _id: string }>>;
-  integration: TIntegrations & {
-    projectId: string;
-    environment: {
-      id: string;
-      name: string;
-      slug: string;
-    };
-  };
-  secrets: Record<string, { value: string; comment?: string } | null>;
+  integration: TIntegrations;
+  secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
-  integrationDAL: Pick<TIntegrationDALFactory, "updateById">;
 }) => {
   // get secrets from Terraform Cloud
-  const terraformSecrets = (
+  const getSecretsRes = (
     await request.get<{ data: { attributes: { key: string; value: string }; id: string }[] }>(
       `${IntegrationUrls.TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${integration.appId}/vars`,
       {
@@ -2197,74 +2172,9 @@ const syncSecretsTerraformCloud = async ({
     {} as Record<string, { attributes: { key: string; value: string }; id: string }>
   );
 
-  const secretsToAdd: { [key: string]: string } = {};
-  const secretsToUpdate: { [key: string]: string } = {};
-
-  const metadata = z.record(z.any()).parse(integration.metadata);
-
-  Object.keys(terraformSecrets).forEach((key) => {
-    if (!integration.lastUsed) {
-      // first time using integration
-      // -> apply initial sync behavior
-      switch (metadata.initialSyncBehavior) {
-        case IntegrationInitialSyncBehavior.PREFER_TARGET: {
-          if (!(key in secrets)) {
-            secretsToAdd[key] = terraformSecrets[key].attributes.value;
-          } else if (secrets[key]?.value !== terraformSecrets[key].attributes.value) {
-            secretsToUpdate[key] = terraformSecrets[key].attributes.value;
-          }
-          secrets[key] = {
-            value: terraformSecrets[key].attributes.value
-          };
-          break;
-        }
-        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
-          if (!(key in secrets)) {
-            secrets[key] = {
-              value: terraformSecrets[key].attributes.value
-            };
-            secretsToAdd[key] = terraformSecrets[key].attributes.value;
-          }
-          break;
-        }
-        default: {
-          break;
-        }
-      }
-    } else if (!(key in secrets)) secrets[key] = null;
-  });
-
-  if (Object.keys(secretsToAdd).length) {
-    await createManySecretsRawFn({
-      projectId: integration.projectId,
-      environment: integration.environment.slug,
-      path: integration.secretPath,
-      secrets: Object.keys(secretsToAdd).map((key) => ({
-        secretName: key,
-        secretValue: secretsToAdd[key],
-        type: SecretType.Shared,
-        secretComment: ""
-      }))
-    });
-  }
-
-  if (Object.keys(secretsToUpdate).length) {
-    await updateManySecretsRawFn({
-      projectId: integration.projectId,
-      environment: integration.environment.slug,
-      path: integration.secretPath,
-      secrets: Object.keys(secretsToUpdate).map((key) => ({
-        secretName: key,
-        secretValue: secretsToUpdate[key],
-        type: SecretType.Shared,
-        secretComment: ""
-      }))
-    });
-  }
-
   // create or update secrets on Terraform Cloud
   for await (const key of Object.keys(secrets)) {
-    if (!(key in terraformSecrets)) {
+    if (!(key in getSecretsRes)) {
       // case: secret does not exist in Terraform Cloud
       // -> add secret
       await request.post(
@@ -2274,7 +2184,7 @@ const syncSecretsTerraformCloud = async ({
             type: "vars",
             attributes: {
               key,
-              value: secrets[key]?.value,
+              value: secrets[key].value,
               category: integration.targetService
             }
           }
@@ -2288,17 +2198,17 @@ const syncSecretsTerraformCloud = async ({
         }
       );
       // case: secret exists in Terraform Cloud
-    } else if (secrets[key]?.value !== terraformSecrets[key].attributes.value) {
+    } else if (secrets[key].value !== getSecretsRes[key].attributes.value) {
       // -> update secret
       await request.patch(
-        `${IntegrationUrls.TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${integration.appId}/vars/${terraformSecrets[key].id}`,
+        `${IntegrationUrls.TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${integration.appId}/vars/${getSecretsRes[key].id}`,
         {
           data: {
             type: "vars",
-            id: terraformSecrets[key].id,
+            id: getSecretsRes[key].id,
             attributes: {
-              ...terraformSecrets[key],
-              value: secrets[key]?.value
+              ...getSecretsRes[key],
+              value: secrets[key].value
             }
           }
         },
@@ -2313,11 +2223,11 @@ const syncSecretsTerraformCloud = async ({
     }
   }
 
-  for await (const key of Object.keys(terraformSecrets)) {
+  for await (const key of Object.keys(getSecretsRes)) {
     if (!(key in secrets)) {
       // case: delete secret
       await request.delete(
-        `${IntegrationUrls.TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${integration.appId}/vars/${terraformSecrets[key].id}`,
+        `${IntegrationUrls.TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${integration.appId}/vars/${getSecretsRes[key].id}`,
         {
           headers: {
             Authorization: `Bearer ${accessToken}`,
@@ -2328,10 +2238,6 @@ const syncSecretsTerraformCloud = async ({
       );
     }
   }
-
-  await integrationDAL.updateById(integration.id, {
-    lastUsed: new Date()
-  });
 };
 
 /**
@@ -3373,12 +3279,9 @@ export const syncIntegrationSecrets = async ({
       break;
     case Integrations.TERRAFORM_CLOUD:
       await syncSecretsTerraformCloud({
-        createManySecretsRawFn,
-        updateManySecretsRawFn,
         integration,
         secrets,
-        accessToken,
-        integrationDAL
+        accessToken
       });
       break;
     case Integrations.HASHICORP_VAULT:

backend/src/services/integration/integration-types.ts

@@ -22,11 +22,6 @@ export type TCreateIntegrationDTO = {
       labelName: string;
       labelValue: string;
     };
-    secretAWSTag?: {
-      key: string;
-      value: string;
-    }[];
-    kmsKeyId?: string;
   };
 } & Omit<TProjectPermission, "projectId">;
 

backend/src/services/org/org-dal.ts

@@ -89,25 +89,6 @@ export const orgDALFactory = (db: TDbClient) => {
     }
   };
 
-  const countAllOrgMembers = async (orgId: string) => {
-    try {
-      interface CountResult {
-        count: string;
-      }
-
-      const count = await db(TableName.OrgMembership)
-        .where(`${TableName.OrgMembership}.orgId`, orgId)
-        .count("*")
-        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
-        .where({ isGhost: false })
-        .first();
-
-      return parseInt((count as unknown as CountResult).count || "0", 10);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Count all org members" });
-    }
-  };
-
   const findOrgMembersByUsername = async (orgId: string, usernames: string[]) => {
     try {
       const members = await db(TableName.OrgMembership)
@@ -288,7 +269,6 @@ export const orgDALFactory = (db: TDbClient) => {
     ...orgOrm,
     findOrgByProjectId,
     findAllOrgMembers,
-    countAllOrgMembers,
     findOrgById,
     findAllOrgsByUserId,
     ghostUserExists,

backend/src/services/org/org-service.ts

@@ -175,7 +175,8 @@ export const orgServiceFactory = ({
         authMethods: [AuthMethod.EMAIL],
         username: email,
         email,
-        isAccepted: true
+        isAccepted: true,
+        isEmailVerified: false
       },
       tx
     );
@@ -248,7 +249,7 @@ export const orgServiceFactory = ({
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Scim);
     }
 
-    if (authEnforced) {
+    if (authEnforced || scimEnabled) {
       const samlCfg = await samlConfigDAL.findEnforceableSamlCfg(orgId);
       if (!samlCfg)
         throw new BadRequestError({

backend/src/services/project-membership/project-membership-service.ts

@@ -134,7 +134,8 @@ export const projectMembershipServiceFactory = ({
       const projectMemberships = await projectMembershipDAL.insertMany(
         orgMembers.map(({ userId }) => ({
           projectId,
-          userId: userId as string
+          userId: userId as string,
+          role: ProjectMembershipRole.Member
         })),
         tx
       );
@@ -266,7 +267,8 @@ export const projectMembershipServiceFactory = ({
       const projectMemberships = await projectMembershipDAL.insertMany(
         orgMembers.map(({ user }) => ({
           projectId,
-          userId: user.id
+          userId: user.id,
+          role: ProjectMembershipRole.Member
         })),
         tx
       );

backend/src/services/project/project-dal.ts

@@ -81,9 +81,9 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findProjectGhostUser = async (projectId: string, tx?: Knex) => {
+  const findProjectGhostUser = async (projectId: string) => {
     try {
-      const ghostUser = await (tx || db)(TableName.ProjectMembership)
+      const ghostUser = await db(TableName.ProjectMembership)
         .where({ projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .select(selectAllTableCols(TableName.Users))

backend/src/services/project/project-queue.ts

@@ -232,7 +232,8 @@ export const projectQueueFactory = ({
         const projectMembership = await projectMembershipDAL.create(
           {
             projectId: project.id,
-            userId: ghostUser.user.id
+            userId: ghostUser.user.id,
+            role: ProjectMembershipRole.Admin
           },
           tx
         );

backend/src/services/project/project-service.ts

@@ -141,7 +141,8 @@ export const projectServiceFactory = ({
       const projectMembership = await projectMembershipDAL.create(
         {
           userId: ghostUser.user.id,
-          projectId: project.id
+          projectId: project.id,
+          role: ProjectMembershipRole.Admin
         },
         tx
       );
@@ -243,7 +244,8 @@ export const projectServiceFactory = ({
         const userProjectMembership = await projectMembershipDAL.create(
           {
             projectId: project.id,
-            userId: user.id
+            userId: user.id,
+            role: projectAdmin.projectRole
           },
           tx
         );
@@ -300,7 +302,9 @@ export const projectServiceFactory = ({
         const identityProjectMembership = await identityProjectDAL.create(
           {
             identityId: actorId,
-            projectId: project.id
+            projectId: project.id,
+            role: isCustomRole ? ProjectMembershipRole.Custom : ProjectMembershipRole.Admin,
+            roleId: customRole?.id
           },
           tx
         );

backend/src/services/secret/secret-service.ts

@@ -33,11 +33,9 @@ import { TSecretQueueFactory } from "./secret-queue";
 import {
   TAttachSecretTagsDTO,
   TCreateBulkSecretDTO,
-  TCreateManySecretRawDTO,
   TCreateSecretDTO,
   TCreateSecretRawDTO,
   TDeleteBulkSecretDTO,
-  TDeleteManySecretRawDTO,
   TDeleteSecretDTO,
   TDeleteSecretRawDTO,
   TFnSecretBlindIndexCheckV2,
@@ -48,7 +46,6 @@ import {
   TGetSecretsRawDTO,
   TGetSecretVersionsDTO,
   TUpdateBulkSecretDTO,
-  TUpdateManySecretRawDTO,
   TUpdateSecretDTO,
   TUpdateSecretRawDTO
 } from "./secret-types";
@@ -1039,143 +1036,6 @@ export const secretServiceFactory = ({
     return decryptSecretRaw(secret, botKey);
   };
 
-  const createManySecretsRaw = async ({
-    actorId,
-    projectSlug,
-    environment,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    secretPath,
-    secrets: inputSecrets = []
-  }: TCreateManySecretRawDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-    const projectId = project.id;
-
-    const botKey = await projectBotService.getBotKey(projectId);
-    if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
-
-    const secrets = await createManySecret({
-      projectId,
-      environment,
-      path: secretPath,
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      secrets: inputSecrets.map(({ secretComment, secretKey, secretValue, skipMultilineEncoding }) => {
-        const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secretKey, botKey);
-        const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secretValue || "", botKey);
-        const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secretComment || "", botKey);
-        return {
-          secretName: secretKey,
-          skipMultilineEncoding,
-          secretKeyCiphertext: secretKeyEncrypted.ciphertext,
-          secretKeyIV: secretKeyEncrypted.iv,
-          secretKeyTag: secretKeyEncrypted.tag,
-          secretValueCiphertext: secretValueEncrypted.ciphertext,
-          secretValueIV: secretValueEncrypted.iv,
-          secretValueTag: secretValueEncrypted.tag,
-          secretCommentCiphertext: secretCommentEncrypted.ciphertext,
-          secretCommentIV: secretCommentEncrypted.iv,
-          secretCommentTag: secretCommentEncrypted.tag
-        };
-      })
-    });
-
-    await snapshotService.performSnapshot(secrets[0].folderId);
-    await secretQueueService.syncSecrets({ secretPath, projectId, environment });
-
-    return secrets.map((secret) => decryptSecretRaw({ ...secret, workspace: projectId, environment }, botKey));
-  };
-
-  const updateManySecretsRaw = async ({
-    actorId,
-    projectSlug,
-    environment,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    secretPath,
-    secrets: inputSecrets = []
-  }: TUpdateManySecretRawDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-    const projectId = project.id;
-
-    const botKey = await projectBotService.getBotKey(projectId);
-    if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
-
-    const secrets = await updateManySecret({
-      projectId,
-      environment,
-      path: secretPath,
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      secrets: inputSecrets.map(({ secretComment, secretKey, secretValue, skipMultilineEncoding }) => {
-        const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secretKey, botKey);
-        const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secretValue || "", botKey);
-        const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secretComment || "", botKey);
-        return {
-          secretName: secretKey,
-          type: SecretType.Shared,
-          skipMultilineEncoding,
-          secretKeyCiphertext: secretKeyEncrypted.ciphertext,
-          secretKeyIV: secretKeyEncrypted.iv,
-          secretKeyTag: secretKeyEncrypted.tag,
-          secretValueCiphertext: secretValueEncrypted.ciphertext,
-          secretValueIV: secretValueEncrypted.iv,
-          secretValueTag: secretValueEncrypted.tag,
-          secretCommentCiphertext: secretCommentEncrypted.ciphertext,
-          secretCommentIV: secretCommentEncrypted.iv,
-          secretCommentTag: secretCommentEncrypted.tag
-        };
-      })
-    });
-
-    await snapshotService.performSnapshot(secrets[0].folderId);
-    await secretQueueService.syncSecrets({ secretPath, projectId, environment });
-
-    return secrets.map((secret) => decryptSecretRaw({ ...secret, workspace: projectId, environment }, botKey));
-  };
-
-  const deleteManySecretsRaw = async ({
-    actorId,
-    projectSlug,
-    environment,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    secretPath,
-    secrets: inputSecrets = []
-  }: TDeleteManySecretRawDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-    const projectId = project.id;
-
-    const botKey = await projectBotService.getBotKey(projectId);
-    if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
-
-    const secrets = await deleteManySecret({
-      projectId,
-      environment,
-      path: secretPath,
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      secrets: inputSecrets.map(({ secretKey }) => ({ secretName: secretKey, type: SecretType.Shared }))
-    });
-
-    await snapshotService.performSnapshot(secrets[0].folderId);
-    await secretQueueService.syncSecrets({ secretPath, projectId, environment });
-
-    return secrets.map((secret) => decryptSecretRaw({ ...secret, workspace: projectId, environment }, botKey));
-  };
-
   const getSecretVersions = async ({
     actorId,
     actor,
@@ -1420,9 +1280,6 @@ export const secretServiceFactory = ({
     createSecretRaw,
     updateSecretRaw,
     deleteSecretRaw,
-    createManySecretsRaw,
-    updateManySecretsRaw,
-    deleteManySecretsRaw,
     getSecretVersions,
     // external services function
     fnSecretBulkDelete,

backend/src/services/secret/secret-types.ts

@@ -181,39 +181,6 @@ export type TDeleteSecretRawDTO = TProjectPermission & {
   type: SecretType;
 };
 
-export type TCreateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
-  secretPath: string;
-  projectSlug: string;
-  environment: string;
-  secrets: {
-    secretKey: string;
-    secretValue: string;
-    secretComment?: string;
-    skipMultilineEncoding?: boolean;
-  }[];
-};
-
-export type TUpdateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
-  secretPath: string;
-  projectSlug: string;
-  environment: string;
-  secrets: {
-    secretKey: string;
-    secretValue: string;
-    secretComment?: string;
-    skipMultilineEncoding?: boolean;
-  }[];
-};
-
-export type TDeleteManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
-  secretPath: string;
-  projectSlug: string;
-  environment: string;
-  secrets: {
-    secretKey: string;
-  }[];
-};
-
 export type TGetSecretVersionsDTO = Omit<TProjectPermission, "projectId"> & {
   limit?: number;
   offset?: number;

backend/src/services/smtp/smtp-service.ts

@@ -17,6 +17,7 @@ export type TSmtpSendMail = {
 export type TSmtpService = ReturnType<typeof smtpServiceFactory>;
 
 export enum SmtpTemplates {
+  SignupEmailVerification = "signupEmailVerification.handlebars",
   EmailVerification = "emailVerification.handlebars",
   SecretReminder = "secretReminder.handlebars",
   EmailMfa = "emailMfa.handlebars",

backend/src/services/smtp/templates/emailVerification.handlebars

@@ -9,9 +9,8 @@
 
 <body>
     <h2>Confirm your email address</h2>
-    <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
+    <p>Your confirmation code is below — enter it in the browser window where you've started confirming your email.</p>
     <h1>{{code}}</h1>
-    <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
 </body>
 
 </html>

backend/src/services/smtp/templates/signupEmailVerification.handlebars

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Code</title>
+</head>
+
+<body>
+    <h2>Confirm your email address</h2>
+    <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
+    <h1>{{code}}</h1>
+    <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
+</body>
+
+</html>

backend/src/services/super-admin/super-admin-service.ts

@@ -102,7 +102,8 @@ export const superAdminServiceFactory = ({
           superAdmin: true,
           isGhost: false,
           isAccepted: true,
-          authMethods: [AuthMethod.EMAIL]
+          authMethods: [AuthMethod.EMAIL],
+          isEmailVerified: false
         },
         tx
       );

backend/src/services/user/user-dal.ts

@@ -34,19 +34,6 @@ export const userDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findUserEncKeyByUserIdsBatch = async ({ userIds }: { userIds: string[] }, tx?: Knex) => {
-    try {
-      return await (tx || db)(TableName.Users)
-        .where({
-          isGhost: false
-        })
-        .whereIn(`${TableName.Users}.id`, userIds)
-        .join(TableName.UserEncryptionKey, `${TableName.Users}.id`, `${TableName.UserEncryptionKey}.userId`);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find user enc by user ids batch" });
-    }
-  };
-
   const findUserEncKeyByUserId = async (userId: string) => {
     try {
       const user = await db(TableName.Users)
@@ -136,7 +123,6 @@ export const userDALFactory = (db: TDbClient) => {
     ...userOrm,
     findUserByUsername,
     findUserEncKeyByUsername,
-    findUserEncKeyByUserIdsBatch,
     findUserEncKeyByUserId,
     updateUserEncryptionByUserId,
     findUserByProjectMembershipId,

backend/src/services/user/user-fns.ts

@@ -4,13 +4,17 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
 export const normalizeUsername = async (username: string, userDAL: Pick<TUserDALFactory, "findOne">) => {
-  let attempt = slugify(username);
+  let attempt = slugify(username, {
+    preserveCharacters: ["@", "."]
+  });
 
   let user = await userDAL.findOne({ username: attempt });
   if (!user) return attempt;
 
   while (true) {
-    attempt = slugify(`${username}-${alphaNumericNanoId(4)}`);
+    attempt = slugify(`${username}-${alphaNumericNanoId(4)}`, {
+      preserveCharacters: ["@", "."]
+    });
     // eslint-disable-next-line no-await-in-loop
     user = await userDAL.findOne({ username: attempt });
 

backend/src/services/user/user-service.ts

@@ -1,15 +1,79 @@
 import { BadRequestError } from "@app/lib/errors";
+import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TokenType } from "@app/services/auth-token/auth-token-types";
+import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TProjectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 
 import { AuthMethod } from "../auth/auth-type";
 import { TUserDALFactory } from "./user-dal";
 
 type TUserServiceFactoryDep = {
   userDAL: TUserDALFactory;
+  orgDAL: TOrgDALFactory;
+  projectMembershipDAL: TProjectMembershipDALFactory;
+  projectUserMembershipRoleDAL: TProjectUserMembershipRoleDALFactory;
+  tokenService: TAuthTokenServiceFactory;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };
 
 export type TUserServiceFactory = ReturnType<typeof userServiceFactory>;
 
-export const userServiceFactory = ({ userDAL }: TUserServiceFactoryDep) => {
+export const userServiceFactory = ({ userDAL, tokenService, smtpService }: TUserServiceFactoryDep) => {
+  const sendEmailVerificationCode = async (userId: string) => {
+    const user = await userDAL.findById(userId);
+    if (!user) throw new BadRequestError({ name: "Failed to find user" });
+    if (!user.email)
+      throw new BadRequestError({ name: "Failed to send email verification code due to no email on user" });
+    if (user.isEmailVerified)
+      throw new BadRequestError({ name: "Failed to send email verification code due to email already verified" });
+
+    const token = await tokenService.createTokenForUser({
+      type: TokenType.TOKEN_EMAIL_VERIFICATION,
+      userId: user.id
+    });
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.EmailVerification,
+      subjectLine: "Infisical confirmation code",
+      recipients: [user.email],
+      substitutions: {
+        code: token
+      }
+    });
+  };
+
+  const verifyEmailVerificationCode = async (userId: string, code: string) => {
+    const user = await userDAL.findById(userId);
+    if (!user) throw new BadRequestError({ name: "Failed to find user" });
+    if (user.isEmailVerified)
+      throw new BadRequestError({ name: "Failed to verify email verification code due to email already verified" });
+
+    await tokenService.validateTokenForUser({
+      type: TokenType.TOKEN_EMAIL_VERIFICATION,
+      userId: user.id,
+      code
+    });
+
+    await userDAL.updateById(userId, { isEmailVerified: true });
+  };
+
+  // lists users with same verified email only
+  const listUsersWithSameEmail = async (userId: string) => {
+    const user = await userDAL.findById(userId);
+    if (!user) throw new BadRequestError({ name: "Failed to find user" });
+    if (!user.email)
+      throw new BadRequestError({ name: "Failed to list users with same email due to no email on user" });
+
+    const users = await userDAL.find({
+      email: user.email,
+      isEmailVerified: true
+    });
+
+    return users;
+  };
+
   const toggleUserMfa = async (userId: string, isMfaEnabled: boolean) => {
     const user = await userDAL.findById(userId);
 
@@ -72,6 +136,9 @@ export const userServiceFactory = ({ userDAL }: TUserServiceFactoryDep) => {
   };
 
   return {
+    sendEmailVerificationCode,
+    verifyEmailVerificationCode,
+    listUsersWithSameEmail,
     toggleUserMfa,
     updateUserName,
     updateAuthMethods,

cli/go.mod

@@ -29,7 +29,6 @@ require (
 require (
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
-	github.com/bradleyjkemp/cupaloy/v2 v2.8.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

cli/go.sum

@@ -51,8 +51,6 @@ github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGL
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
-github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
-github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/charmbracelet/lipgloss v0.5.0 h1:lulQHuVeodSgDez+3rGiuxlPVXSnhth442DATR2/8t8=
 github.com/charmbracelet/lipgloss v0.5.0/go.mod h1:EZLha/HbzEt7cYqdFPovlqy5FZPj0xFhg5SaqxScmgs=
@@ -326,7 +324,6 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

cli/packages/api/api.go

@@ -512,23 +512,16 @@ func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request Unive
 
 func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Request) (GetRawSecretsV3Response, error) {
 	var getRawSecretsV3Response GetRawSecretsV3Response
-	req := httpClient.
+	response, err := httpClient.
 		R().
 		SetResult(&getRawSecretsV3Response).
 		SetHeader("User-Agent", USER_AGENT).
 		SetBody(request).
 		SetQueryParam("workspaceId", request.WorkspaceId).
 		SetQueryParam("environment", request.Environment).
-		SetQueryParam("secretPath", request.SecretPath)
-
-	if request.IncludeImport {
-		req.SetQueryParam("include_imports", "true")
-	}
-	if request.Recursive {
-		req.SetQueryParam("recursive", "true")
-	}
-
-	response, err := req.Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))
+		SetQueryParam("secretPath", request.SecretPath).
+		SetQueryParam("include_imports", "false").
+		Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))
 
 	if err != nil {
 		return GetRawSecretsV3Response{}, fmt.Errorf("CallGetRawSecretsV3: Unable to complete api request [err=%w]", err)

cli/packages/api/model.go

@@ -371,22 +371,6 @@ type ImportedSecretV3 struct {
 	Secrets     []EncryptedSecretV3 `json:"secrets"`
 }
 
-type ImportedRawSecretV3 struct {
-	SecretPath  string `json:"secretPath"`
-	Environment string `json:"environment"`
-	FolderId    string `json:"folderId"`
-	Secrets     []struct {
-		ID            string `json:"id"`
-		Workspace     string `json:"workspace"`
-		Environment   string `json:"environment"`
-		Version       int    `json:"version"`
-		Type          string `json:"type"`
-		SecretKey     string `json:"secretKey"`
-		SecretValue   string `json:"secretValue"`
-		SecretComment string `json:"secretComment"`
-	} `json:"secrets"`
-}
-
 type GetEncryptedSecretsV3Response struct {
 	Secrets         []EncryptedSecretV3 `json:"secrets"`
 	ImportedSecrets []ImportedSecretV3  `json:"imports,omitempty"`
@@ -544,7 +528,6 @@ type GetRawSecretsV3Request struct {
 	WorkspaceId   string `json:"workspaceId"`
 	SecretPath    string `json:"secretPath"`
 	IncludeImport bool   `json:"include_imports"`
-	Recursive     bool   `json:"recursive"`
 }
 
 type GetRawSecretsV3Response struct {
@@ -558,6 +541,6 @@ type GetRawSecretsV3Response struct {
 		SecretValue   string `json:"secretValue"`
 		SecretComment string `json:"secretComment"`
 	} `json:"secrets"`
-	Imports []ImportedRawSecretV3 `json:"imports"`
+	Imports []any `json:"imports"`
 	ETag    string
 }

cli/packages/cmd/agent.go

@@ -381,12 +381,6 @@ func ProcessTemplate(templateId int, templatePath string, data interface{}, acce
 	funcs := template.FuncMap{
 		"secret":         secretFunction,
 		"dynamic_secret": dynamicSecretFunction,
-		"minus": func(a, b int) int {
-			return a - b
-		},
-		"add": func(a, b int) int {
-			return a + b
-		},
 	}
 
 	templateName := path.Base(templatePath)
@@ -485,7 +479,7 @@ func (tm *AgentManager) GetToken() string {
 
 // Fetches a new access token using client credentials
 func (tm *AgentManager) FetchNewAccessToken() error {
-	clientID := os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
+	clientID := os.Getenv("INFISICAL_UNIVERSAL_AUTH_CLIENT_ID")
 	if clientID == "" {
 		clientIDAsByte, err := ReadFile(tm.clientIdPath)
 		if err != nil {
@@ -515,7 +509,7 @@ func (tm *AgentManager) FetchNewAccessToken() error {
 	// save as cache in memory
 	tm.cachedClientSecret = clientSecret
 
-	loginResponse, err := util.UniversalAuthLogin(clientID, clientSecret)
+	err, loginResponse := universalAuthLogin(clientID, clientSecret)
 	if err != nil {
 		return err
 	}
@@ -731,6 +725,20 @@ func (tm *AgentManager) MonitorSecretChanges(secretTemplate Template, templateId
 	}
 }
 
+func universalAuthLogin(clientId string, clientSecret string) (error, api.UniversalAuthLoginResponse) {
+	httpClient := resty.New()
+	httpClient.SetRetryCount(10000).
+		SetRetryMaxWaitTime(20 * time.Second).
+		SetRetryWaitTime(5 * time.Second)
+
+	tokenResponse, err := api.CallUniversalAuthLogin(httpClient, api.UniversalAuthLoginRequest{ClientId: clientId, ClientSecret: clientSecret})
+	if err != nil {
+		return err, api.UniversalAuthLoginResponse{}
+	}
+
+	return nil, tokenResponse
+}
+
 // runCmd represents the run command
 var agentCmd = &cobra.Command{
 	Example: `

cli/packages/cmd/export.go

@@ -7,7 +7,6 @@ import (
 	"encoding/csv"
 	"encoding/json"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/Infisical/infisical-merge/packages/models"
@@ -45,11 +44,6 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err)
 		}
 
-		includeImports, err := cmd.Flags().GetBool("include-imports")
-		if err != nil {
-			util.HandleError(err)
-		}
-
 		projectId, err := cmd.Flags().GetString("projectId")
 		if err != nil {
 			util.HandleError(err)
@@ -60,17 +54,13 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err)
 		}
 
-		templatePath, err := cmd.Flags().GetString("template")
-		if err != nil {
-			util.HandleError(err)
-		}
-
 		secretOverriding, err := cmd.Flags().GetBool("secret-overriding")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		token, err := util.GetInfisicalToken(cmd)
+		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
+
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
@@ -85,46 +75,7 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		request := models.GetAllSecretsParameters{
-			Environment:   environmentName,
-			TagSlugs:      tagSlugs,
-			WorkspaceId:   projectId,
-			SecretsPath:   secretsPath,
-			IncludeImport: includeImports,
-		}
-
-		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-			request.InfisicalToken = token.Token
-		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-			request.UniversalAuthAccessToken = token.Token
-		}
-
-		if templatePath != "" {
-			sigChan := make(chan os.Signal, 1)
-			dynamicSecretLeases := NewDynamicSecretLeaseManager(sigChan)
-			newEtag := ""
-
-			accessToken := ""
-			if token != nil {
-				accessToken = token.Token
-			} else {
-				log.Debug().Msg("GetAllEnvironmentVariables: Trying to fetch secrets using logged in details")
-				loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
-				if err != nil {
-					util.HandleError(err)
-				}
-				accessToken = loggedInUserDetails.UserCredentials.JTWToken
-			}
-
-			processedTemplate, err := ProcessTemplate(1, templatePath, nil, accessToken, "", &newEtag, dynamicSecretLeases)
-			if err != nil {
-				util.HandleError(err)
-			}
-			fmt.Print(processedTemplate.String())
-			return
-		}
-
-		secrets, err := util.GetAllEnvironmentVariables(request, "")
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, WorkspaceId: projectId, SecretsPath: secretsPath}, "")
 		if err != nil {
 			util.HandleError(err, "Unable to fetch secrets")
 		}
@@ -137,20 +88,11 @@ var exportCmd = &cobra.Command{
 
 		var output string
 		if shouldExpandSecrets {
-
-			authParams := models.ExpandSecretsAuthentication{}
-
-			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-				authParams.InfisicalToken = token.Token
-			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-				authParams.UniversalAuthAccessToken = token.Token
-			}
-
-			secrets = util.ExpandSecrets(secrets, authParams, "")
+			secrets = util.ExpandSecrets(secrets, models.ExpandSecretsAuthentication{
+				InfisicalToken: infisicalToken,
+			}, "")
 		}
 		secrets = util.FilterSecretsByTag(secrets, tagSlugs)
-		secrets = util.SortSecretsByKeys(secrets)
-
 		output, err = formatEnvs(secrets, format)
 		if err != nil {
 			util.HandleError(err)
@@ -168,12 +110,10 @@ func init() {
 	exportCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	exportCmd.Flags().StringP("format", "f", "dotenv", "Set the format of the output file (dotenv, json, csv)")
 	exportCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
-	exportCmd.Flags().Bool("include-imports", true, "Imported linked secrets")
 	exportCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
 	exportCmd.Flags().StringP("tags", "t", "", "filter secrets by tag slugs")
 	exportCmd.Flags().String("projectId", "", "manually set the projectId to fetch secrets from")
 	exportCmd.Flags().String("path", "/", "get secrets within a folder path")
-	exportCmd.Flags().String("template", "", "The path to the template file used to render secrets")
 }
 
 // Format according to the format flag

cli/packages/cmd/folder.go

@@ -36,33 +36,18 @@ var getCmd = &cobra.Command{
 			}
 		}
 
-		projectId, err := cmd.Flags().GetString("projectId")
+		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
+
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		token, err := util.GetInfisicalToken(cmd)
-		if err != nil {
-			util.HandleError(err, "Unable to parse flag")
-		}
 		foldersPath, err := cmd.Flags().GetString("path")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		request := models.GetAllFoldersParameters{
-			Environment: environmentName,
-			WorkspaceId: projectId,
-			FoldersPath: foldersPath,
-		}
-
-		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-			request.InfisicalToken = token.Token
-		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-			request.UniversalAuthAccessToken = token.Token
-		}
-
-		folders, err := util.GetAllFolders(request)
+		folders, err := util.GetAllFolders(models.GetAllFoldersParameters{Environment: environmentName, InfisicalToken: infisicalToken, FoldersPath: foldersPath})
 		if err != nil {
 			util.HandleError(err, "Unable to get folders")
 		}

cli/packages/cmd/login.go

@@ -55,157 +55,95 @@ var loginCmd = &cobra.Command{
 	Short:                 "Login into your Infisical account",
 	DisableFlagsInUseLine: true,
 	Run: func(cmd *cobra.Command, args []string) {
-
-		loginMethod, err := cmd.Flags().GetString("method")
-		if err != nil {
-			util.HandleError(err)
-		}
-		plainOutput, err := cmd.Flags().GetBool("plain")
-		if err != nil {
+		currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
+		// if the key can't be found or there is an error getting current credentials from key ring, allow them to override
+		if err != nil && (strings.Contains(err.Error(), "we couldn't find your logged in details")) {
+			log.Debug().Err(err)
+		} else if err != nil {
 			util.HandleError(err)
 		}
 
-		if loginMethod != "user" && loginMethod != "universal-auth" {
-			util.PrintErrorMessageAndExit("Invalid login method. Please use either 'user' or 'universal-auth'")
-		}
-
-		if loginMethod == "user" {
-
-			currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
-			// if the key can't be found or there is an error getting current credentials from key ring, allow them to override
-			if err != nil && (strings.Contains(err.Error(), "we couldn't find your logged in details")) {
-				log.Debug().Err(err)
-			} else if err != nil {
-				util.HandleError(err)
-			}
-
-			if currentLoggedInUserDetails.IsUserLoggedIn && !currentLoggedInUserDetails.LoginExpired && len(currentLoggedInUserDetails.UserCredentials.PrivateKey) != 0 {
-				shouldOverride, err := userLoginMenu(currentLoggedInUserDetails.UserCredentials.Email)
-				if err != nil {
-					util.HandleError(err)
-				}
-
-				if !shouldOverride {
-					return
-				}
-			}
-			//override domain
-			domainQuery := true
-			if config.INFISICAL_URL_MANUAL_OVERRIDE != "" && config.INFISICAL_URL_MANUAL_OVERRIDE != util.INFISICAL_DEFAULT_API_URL {
-				overrideDomain, err := DomainOverridePrompt()
-				if err != nil {
-					util.HandleError(err)
-				}
-
-				//if not override set INFISICAL_URL to exported var
-				//set domainQuery to false
-				if !overrideDomain {
-					domainQuery = false
-					config.INFISICAL_URL = config.INFISICAL_URL_MANUAL_OVERRIDE
-				}
-
-			}
-
-			//prompt user to select domain between Infisical cloud and self hosting
-			if domainQuery {
-				err = askForDomain()
-				if err != nil {
-					util.HandleError(err, "Unable to parse domain url")
-				}
-			}
-			var userCredentialsToBeStored models.UserCredentials
-
-			interactiveLogin := false
-			if cmd.Flags().Changed("interactive") {
-				interactiveLogin = true
-				cliDefaultLogin(&userCredentialsToBeStored)
-			}
-
-			//call browser login function
-			if !interactiveLogin {
-				fmt.Println("Logging in via browser... To login via interactive mode run [infisical login -i]")
-				userCredentialsToBeStored, err = browserCliLogin()
-				if err != nil {
-					//default to cli login on error
-					cliDefaultLogin(&userCredentialsToBeStored)
-				}
-			}
-
-			err = util.StoreUserCredsInKeyRing(&userCredentialsToBeStored)
-			if err != nil {
-				log.Error().Msgf("Unable to store your credentials in system vault [%s]")
-				log.Error().Msgf("\nTo trouble shoot further, read https://infisical.com/docs/cli/faq")
-				log.Debug().Err(err)
-				//return here
-				util.HandleError(err)
-			}
-
-			err = util.WriteInitalConfig(&userCredentialsToBeStored)
-			if err != nil {
-				util.HandleError(err, "Unable to write write to Infisical Config file. Please try again")
-			}
-
-			// clear backed up secrets from prev account
-			util.DeleteBackupSecrets()
-
-			whilte := color.New(color.FgGreen)
-			boldWhite := whilte.Add(color.Bold)
-			time.Sleep(time.Second * 1)
-			boldWhite.Printf(">>>> Welcome to Infisical!")
-			boldWhite.Printf(" You are now logged in as %v <<<< \n", userCredentialsToBeStored.Email)
-
-			plainBold := color.New(color.Bold)
-
-			plainBold.Println("\nQuick links")
-			fmt.Println("- Learn to inject secrets into your application at https://infisical.com/docs/cli/usage")
-			fmt.Println("- Stuck? Join our slack for quick support https://infisical.com/slack")
-			Telemetry.CaptureEvent("cli-command:login", posthog.NewProperties().Set("infisical-backend", config.INFISICAL_URL).Set("version", util.CLI_VERSION))
-		} else if loginMethod == "universal-auth" {
-
-			clientId, err := cmd.Flags().GetString("client-id")
+		if currentLoggedInUserDetails.IsUserLoggedIn && !currentLoggedInUserDetails.LoginExpired && len(currentLoggedInUserDetails.UserCredentials.PrivateKey) != 0 {
+			shouldOverride, err := userLoginMenu(currentLoggedInUserDetails.UserCredentials.Email)
 			if err != nil {
 				util.HandleError(err)
 			}
 
-			clientSecret, err := cmd.Flags().GetString("client-secret")
-			if err != nil {
-				util.HandleError(err)
-			}
-
-			if clientId == "" {
-				clientId = os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
-				if clientId == "" {
-					util.PrintErrorMessageAndExit("Please provide client-id")
-				}
-			}
-			if clientSecret == "" {
-				clientSecret = os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME)
-				if clientSecret == "" {
-					util.PrintErrorMessageAndExit("Please provide client-secret")
-				}
-			}
-
-			res, err := util.UniversalAuthLogin(clientId, clientSecret)
-
-			if err != nil {
-				util.HandleError(err)
-			}
-
-			if plainOutput {
-				fmt.Println(res.AccessToken)
+			if !shouldOverride {
 				return
 			}
+		}
+		//override domain
+		domainQuery := true
+		if config.INFISICAL_URL_MANUAL_OVERRIDE != "" && config.INFISICAL_URL_MANUAL_OVERRIDE != util.INFISICAL_DEFAULT_API_URL {
+			overrideDomain, err := DomainOverridePrompt()
+			if err != nil {
+				util.HandleError(err)
+			}
 
-			boldGreen := color.New(color.FgGreen).Add(color.Bold)
-			boldPlain := color.New(color.Bold)
-			time.Sleep(time.Second * 1)
-			boldGreen.Printf(">>>> Successfully authenticated with Universal Auth!\n\n")
-			boldPlain.Printf("Universal Auth Access Token:\n%v", res.AccessToken)
-
-			plainBold := color.New(color.Bold)
-			plainBold.Println("\n\nYou can use this access token to authenticate through other commands in the CLI.")
+			//if not override set INFISICAL_URL to exported var
+			//set domainQuery to false
+			if !overrideDomain {
+				domainQuery = false
+				config.INFISICAL_URL = config.INFISICAL_URL_MANUAL_OVERRIDE
+			}
 
 		}
+
+		//prompt user to select domain between Infisical cloud and self hosting
+		if domainQuery {
+			err = askForDomain()
+			if err != nil {
+				util.HandleError(err, "Unable to parse domain url")
+			}
+		}
+		var userCredentialsToBeStored models.UserCredentials
+
+		interactiveLogin := false
+		if cmd.Flags().Changed("interactive") {
+			interactiveLogin = true
+			cliDefaultLogin(&userCredentialsToBeStored)
+		}
+
+		//call browser login function
+		if !interactiveLogin {
+			fmt.Println("Logging in via browser... To login via interactive mode run [infisical login -i]")
+			userCredentialsToBeStored, err = browserCliLogin()
+			if err != nil {
+				//default to cli login on error
+				cliDefaultLogin(&userCredentialsToBeStored)
+			}
+		}
+
+		err = util.StoreUserCredsInKeyRing(&userCredentialsToBeStored)
+		if err != nil {
+			log.Error().Msgf("Unable to store your credentials in system vault [%s]")
+			log.Error().Msgf("\nTo trouble shoot further, read https://infisical.com/docs/cli/faq")
+			log.Debug().Err(err)
+			//return here
+			util.HandleError(err)
+		}
+
+		err = util.WriteInitalConfig(&userCredentialsToBeStored)
+		if err != nil {
+			util.HandleError(err, "Unable to write write to Infisical Config file. Please try again")
+		}
+
+		// clear backed up secrets from prev account
+		util.DeleteBackupSecrets()
+
+		whilte := color.New(color.FgGreen)
+		boldWhite := whilte.Add(color.Bold)
+		time.Sleep(time.Second * 1)
+		boldWhite.Printf(">>>> Welcome to Infisical!")
+		boldWhite.Printf(" You are now logged in as %v <<<< \n", userCredentialsToBeStored.Email)
+
+		plainBold := color.New(color.Bold)
+
+		plainBold.Println("\nQuick links")
+		fmt.Println("- Learn to inject secrets into your application at https://infisical.com/docs/cli/usage")
+		fmt.Println("- Stuck? Join our slack for quick support https://infisical.com/slack")
+		Telemetry.CaptureEvent("cli-command:login", posthog.NewProperties().Set("infisical-backend", config.INFISICAL_URL).Set("version", util.CLI_VERSION))
 	},
 }
 
@@ -375,10 +313,6 @@ func cliDefaultLogin(userCredentialsToBeStored *models.UserCredentials) {
 func init() {
 	rootCmd.AddCommand(loginCmd)
 	loginCmd.Flags().BoolP("interactive", "i", false, "login via the command line")
-	loginCmd.Flags().String("method", "user", "login method [user, universal-auth]")
-	loginCmd.Flags().String("client-id", "", "client id for universal auth")
-	loginCmd.Flags().Bool("plain", false, "only output the token without any formatting")
-	loginCmd.Flags().String("client-secret", "", "client secret for universal auth")
 }
 
 func DomainOverridePrompt() (bool, error) {

cli/packages/cmd/root.go

@@ -40,14 +40,8 @@ func init() {
 	rootCmd.PersistentFlags().StringP("log-level", "l", "info", "log level (trace, debug, info, warn, error, fatal)")
 	rootCmd.PersistentFlags().Bool("telemetry", true, "Infisical collects non-sensitive telemetry data to enhance features and improve user experience. Participation is voluntary")
 	rootCmd.PersistentFlags().StringVar(&config.INFISICAL_URL, "domain", util.INFISICAL_DEFAULT_API_URL, "Point the CLI to your own backend [can also set via environment variable name: INFISICAL_API_URL]")
-	rootCmd.PersistentFlags().Bool("silent", false, "Disable output of tip/info messages. Useful when running in scripts or CI/CD pipelines.")
 	rootCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
-		silent, err := cmd.Flags().GetBool("silent")
-		if err != nil {
-			util.HandleError(err)
-		}
-
-		if !util.IsRunningInDocker() && !silent {
+		if !util.IsRunningInDocker() {
 			util.CheckForUpdate()
 		}
 	}

cli/packages/cmd/run.go

@@ -62,7 +62,8 @@ var runCmd = &cobra.Command{
 			}
 		}
 
-		token, err := util.GetInfisicalToken(cmd)
+		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
+
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
@@ -72,11 +73,6 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		projectId, err := cmd.Flags().GetString("projectId")
-		if err != nil {
-			util.HandleError(err, "Unable to parse flag")
-		}
-
 		secretOverriding, err := cmd.Flags().GetBool("secret-overriding")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@@ -107,22 +103,7 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		request := models.GetAllSecretsParameters{
-			Environment:   environmentName,
-			WorkspaceId:   projectId,
-			TagSlugs:      tagSlugs,
-			SecretsPath:   secretsPath,
-			IncludeImport: includeImports,
-			Recursive:     recursive,
-		}
-
-		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-			request.InfisicalToken = token.Token
-		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-			request.UniversalAuthAccessToken = token.Token
-		}
-
-		secrets, err := util.GetAllEnvironmentVariables(request, projectConfigDir)
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports, Recursive: recursive}, projectConfigDir)
 
 		if err != nil {
 			util.HandleError(err, "Could not fetch secrets", "If you are using a service token to fetch secrets, please ensure it is valid")
@@ -135,16 +116,9 @@ var runCmd = &cobra.Command{
 		}
 
 		if shouldExpandSecrets {
-
-			authParams := models.ExpandSecretsAuthentication{}
-
-			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-				authParams.InfisicalToken = token.Token
-			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-				authParams.UniversalAuthAccessToken = token.Token
-			}
-
-			secrets = util.ExpandSecrets(secrets, authParams, projectConfigDir)
+			secrets = util.ExpandSecrets(secrets, models.ExpandSecretsAuthentication{
+				InfisicalToken: infisicalToken,
+			}, projectConfigDir)
 		}
 
 		secretsByKey := getSecretsByKeys(secrets)
@@ -175,15 +149,7 @@ var runCmd = &cobra.Command{
 
 		log.Debug().Msgf("injecting the following environment variables into shell: %v", env)
 
-		Telemetry.CaptureEvent("cli-command:run",
-			posthog.NewProperties().
-				Set("secretsCount", len(secrets)).
-				Set("environment", environmentName).
-				Set("isUsingServiceToken", token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER).
-				Set("isUsingUniversalAuthToken", token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER).
-				Set("single-command", strings.Join(args, " ")).
-				Set("multi-command", cmd.Flag("command").Value.String()).
-				Set("version", util.CLI_VERSION))
+		Telemetry.CaptureEvent("cli-command:run", posthog.NewProperties().Set("secretsCount", len(secrets)).Set("environment", environmentName).Set("isUsingServiceToken", infisicalToken != "").Set("single-command", strings.Join(args, " ")).Set("multi-command", cmd.Flag("command").Value.String()).Set("version", util.CLI_VERSION))
 
 		if cmd.Flags().Changed("command") {
 			command := cmd.Flag("command").Value.String()
@@ -238,7 +204,6 @@ func filterReservedEnvVars(env map[string]models.SingleEnvironmentVariable) {
 func init() {
 	rootCmd.AddCommand(runCmd)
 	runCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
-	runCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	runCmd.Flags().StringP("env", "e", "dev", "Set the environment (dev, prod, etc.) from which your secrets should be pulled from")
 	runCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	runCmd.Flags().Bool("include-imports", true, "Import linked secrets ")

cli/packages/cmd/secrets.go

@@ -38,12 +38,12 @@ var secretsCmd = &cobra.Command{
 			}
 		}
 
-		token, err := util.GetInfisicalToken(cmd)
+		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
+
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		projectId, err := cmd.Flags().GetString("projectId")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
@@ -78,22 +78,7 @@ var secretsCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		request := models.GetAllSecretsParameters{
-			Environment:   environmentName,
-			WorkspaceId:   projectId,
-			TagSlugs:      tagSlugs,
-			SecretsPath:   secretsPath,
-			IncludeImport: includeImports,
-			Recursive:     recursive,
-		}
-
-		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-			request.InfisicalToken = token.Token
-		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-			request.UniversalAuthAccessToken = token.Token
-		}
-
-		secrets, err := util.GetAllEnvironmentVariables(request, "")
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports, Recursive: recursive}, "")
 		if err != nil {
 			util.HandleError(err)
 		}
@@ -105,20 +90,11 @@ var secretsCmd = &cobra.Command{
 		}
 
 		if shouldExpandSecrets {
-
-			authParams := models.ExpandSecretsAuthentication{}
-			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-				authParams.InfisicalToken = token.Token
-			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-				authParams.UniversalAuthAccessToken = token.Token
-			}
-
-			secrets = util.ExpandSecrets(secrets, authParams, "")
+			secrets = util.ExpandSecrets(secrets, models.ExpandSecretsAuthentication{
+				InfisicalToken: infisicalToken,
+			}, "")
 		}
 
-		// Sort the secrets by key so we can create a consistent output
-		secrets = util.SortSecretsByKeys(secrets)
-
 		visualize.PrintAllSecretDetails(secrets)
 		Telemetry.CaptureEvent("cli-command:secrets", posthog.NewProperties().Set("secretCount", len(secrets)).Set("version", util.CLI_VERSION))
 	},
@@ -426,12 +402,8 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		}
 	}
 
-	token, err := util.GetInfisicalToken(cmd)
-	if err != nil {
-		util.HandleError(err, "Unable to parse flag")
-	}
+	infisicalToken, err := util.GetInfisicalServiceToken(cmd)
 
-	shouldExpand, err := cmd.Flags().GetBool("expand")
 	if err != nil {
 		util.HandleError(err, "Unable to parse flag")
 	}
@@ -441,11 +413,6 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
-	projectId, err := cmd.Flags().GetString("projectId")
-	if err != nil {
-		util.HandleError(err, "Unable to parse flag")
-	}
-
 	secretsPath, err := cmd.Flags().GetString("path")
 	if err != nil {
 		util.HandleError(err, "Unable to parse path flag")
@@ -461,37 +428,11 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse path flag")
 	}
 
-	request := models.GetAllSecretsParameters{
-		Environment:   environmentName,
-		WorkspaceId:   projectId,
-		TagSlugs:      tagSlugs,
-		SecretsPath:   secretsPath,
-		IncludeImport: true,
-		Recursive:     recursive,
-	}
-
-	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-		request.InfisicalToken = token.Token
-	} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-		request.UniversalAuthAccessToken = token.Token
-	}
-
-	secrets, err := util.GetAllEnvironmentVariables(request, "")
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true, Recursive: recursive}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
 
-	if shouldExpand {
-		authParams := models.ExpandSecretsAuthentication{}
-		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-			authParams.InfisicalToken = token.Token
-		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-			authParams.UniversalAuthAccessToken = token.Token
-		}
-
-		secrets = util.ExpandSecrets(secrets, authParams, "")
-	}
-
 	requestedSecrets := []models.SingleEnvironmentVariable{}
 
 	secretsMap := getSecretsByKeys(secrets)
@@ -534,12 +475,8 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
-	token, err := util.GetInfisicalToken(cmd)
-	if err != nil {
-		util.HandleError(err, "Unable to parse flag")
-	}
+	infisicalToken, err := util.GetInfisicalServiceToken(cmd)
 
-	projectId, err := cmd.Flags().GetString("projectId")
 	if err != nil {
 		util.HandleError(err, "Unable to parse flag")
 	}
@@ -549,21 +486,7 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
-	request := models.GetAllSecretsParameters{
-		Environment:   environmentName,
-		WorkspaceId:   projectId,
-		TagSlugs:      tagSlugs,
-		SecretsPath:   secretsPath,
-		IncludeImport: true,
-	}
-
-	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-		request.InfisicalToken = token.Token
-	} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-		request.UniversalAuthAccessToken = token.Token
-	}
-
-	secrets, err := util.GetAllEnvironmentVariables(request, "")
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
@@ -763,23 +686,19 @@ func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]mod
 
 func init() {
 	secretsGenerateExampleEnvCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
-	secretsGenerateExampleEnvCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	secretsGenerateExampleEnvCmd.Flags().String("path", "/", "Fetch secrets from within a folder path")
 	secretsCmd.AddCommand(secretsGenerateExampleEnvCmd)
 
 	secretsGetCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
-	secretsGetCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
+	secretsCmd.AddCommand(secretsGetCmd)
 	secretsGetCmd.Flags().String("path", "/", "get secrets within a folder path")
-	secretsGetCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	secretsGetCmd.Flags().Bool("raw-value", false, "Returns only the value of secret, only works with one secret")
 	secretsGetCmd.Flags().Bool("recursive", false, "Fetch secrets from all sub-folders")
-	secretsCmd.AddCommand(secretsGetCmd)
 
 	secretsCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
 	secretsCmd.AddCommand(secretsSetCmd)
 	secretsSetCmd.Flags().String("path", "/", "set secrets within a folder path")
 
-	// Only supports logged in users (JWT auth)
 	secretsSetCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
 		util.RequireLogin()
 		util.RequireLocalWorkspaceFile()
@@ -788,8 +707,6 @@ func init() {
 	secretsDeleteCmd.Flags().String("type", "personal", "the type of secret to delete: personal or shared  (default: personal)")
 	secretsDeleteCmd.Flags().String("path", "/", "get secrets within a folder path")
 	secretsCmd.AddCommand(secretsDeleteCmd)
-
-	// Only supports logged in users (JWT auth)
 	secretsDeleteCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
 		util.RequireLogin()
 		util.RequireLocalWorkspaceFile()
@@ -801,7 +718,6 @@ func init() {
 	// Add getCmd, createCmd and deleteCmd flags here
 	getCmd.Flags().StringP("path", "p", "/", "The path from where folders should be fetched from")
 	getCmd.Flags().String("token", "", "Fetch folders using the infisical token")
-	getCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	folderCmd.AddCommand(getCmd)
 
 	// Add createCmd flags here
@@ -819,7 +735,6 @@ func init() {
 	// ** End of folders sub command
 
 	secretsCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
-	secretsCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	secretsCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
 	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	secretsCmd.Flags().Bool("include-imports", true, "Imported linked secrets ")

cli/packages/cmd/token.go

@@ -1,63 +0,0 @@
-/*
-Copyright (c) 2023 Infisical Inc.
-*/
-package cmd
-
-import (
-	"strings"
-	"time"
-
-	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/fatih/color"
-	"github.com/spf13/cobra"
-)
-
-var tokenCmd = &cobra.Command{
-	Use:                   "token",
-	Short:                 "Manage your access tokens",
-	DisableFlagsInUseLine: true,
-	Example:               "infisical token",
-	Args:                  cobra.ExactArgs(0),
-	PreRun: func(cmd *cobra.Command, args []string) {
-		util.RequireLogin()
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-var tokenRenewCmd = &cobra.Command{
-	Use:                   "renew [token]",
-	Short:                 "Used to renew your universal auth access token",
-	DisableFlagsInUseLine: true,
-	Example:               "infisical token renew <access-token>",
-	Args:                  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		// args[0] will be the <INSERT_TOKEN> from your command call
-		token := args[0]
-
-		if strings.HasPrefix(token, "st.") {
-			util.PrintErrorMessageAndExit("You are trying to renew a service token. You can only renew universal auth access tokens.")
-		}
-
-		renewedAccessToken, err := util.RenewUniversalAuthAccessToken(token)
-
-		if err != nil {
-			util.HandleError(err, "Unable to renew token")
-		}
-
-		boldGreen := color.New(color.FgGreen).Add(color.Bold)
-		time.Sleep(time.Second * 1)
-		boldGreen.Printf(">>>> Successfully renewed token!\n\n")
-		boldGreen.Printf("Renewed Access Token:\n%v", renewedAccessToken)
-
-		plainBold := color.New(color.Bold)
-		plainBold.Println("\n\nYou can use the new access token to authenticate through other commands in the CLI.")
-
-	},
-}
-
-func init() {
-	tokenCmd.AddCommand(tokenRenewCmd)
-
-	rootCmd.AddCommand(tokenCmd)
-}

cli/packages/models/cli.go

@@ -59,11 +59,6 @@ type DynamicSecretLease struct {
 	Data map[string]interface{} `json:"data"`
 }
 
-type TokenDetails struct {
-	Type  string
-	Token string
-}
-
 type SingleFolder struct {
 	ID   string `json:"_id"`
 	Name string `json:"name"`
@@ -102,11 +97,10 @@ type GetAllSecretsParameters struct {
 }
 
 type GetAllFoldersParameters struct {
-	WorkspaceId              string
-	Environment              string
-	FoldersPath              string
-	InfisicalToken           string
-	UniversalAuthAccessToken string
+	WorkspaceId    string
+	Environment    string
+	FoldersPath    string
+	InfisicalToken string
 }
 
 type CreateFolderParameters struct {
@@ -129,8 +123,3 @@ type ExpandSecretsAuthentication struct {
 	InfisicalToken           string
 	UniversalAuthAccessToken string
 }
-
-type MachineIdentityCredentials struct {
-	ClientId     string
-	ClientSecret string
-}

cli/packages/util/constants.go

@@ -1,23 +1,17 @@
 package util
 
 const (
-	CONFIG_FILE_NAME                            = "infisical-config.json"
-	CONFIG_FOLDER_NAME                          = ".infisical"
-	INFISICAL_DEFAULT_API_URL                   = "https://app.infisical.com/api"
-	INFISICAL_DEFAULT_URL                       = "https://app.infisical.com"
-	INFISICAL_WORKSPACE_CONFIG_FILE_NAME        = ".infisical.json"
-	INFISICAL_TOKEN_NAME                        = "INFISICAL_TOKEN"
-	INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME     = "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"
-	INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME = "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"
-	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME  = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"
-	SECRET_TYPE_PERSONAL                        = "personal"
-	SECRET_TYPE_SHARED                          = "shared"
-	KEYRING_SERVICE_NAME                        = "infisical"
-	PERSONAL_SECRET_TYPE_NAME                   = "personal"
-	SHARED_SECRET_TYPE_NAME                     = "shared"
-
-	SERVICE_TOKEN_IDENTIFIER        = "service-token"
-	UNIVERSAL_AUTH_TOKEN_IDENTIFIER = "universal-auth-token"
+	CONFIG_FILE_NAME                     = "infisical-config.json"
+	CONFIG_FOLDER_NAME                   = ".infisical"
+	INFISICAL_DEFAULT_API_URL            = "https://app.infisical.com/api"
+	INFISICAL_DEFAULT_URL                = "https://app.infisical.com"
+	INFISICAL_WORKSPACE_CONFIG_FILE_NAME = ".infisical.json"
+	INFISICAL_TOKEN_NAME                 = "INFISICAL_TOKEN"
+	SECRET_TYPE_PERSONAL                 = "personal"
+	SECRET_TYPE_SHARED                   = "shared"
+	KEYRING_SERVICE_NAME                 = "infisical"
+	PERSONAL_SECRET_TYPE_NAME            = "personal"
+	SHARED_SECRET_TYPE_NAME              = "shared"
 )
 
 var (

cli/packages/util/folders.go

@@ -19,7 +19,7 @@ func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder
 
 	var foldersToReturn []models.SingleFolder
 	var folderErr error
-	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {
+	if params.InfisicalToken == "" {
 
 		log.Debug().Msg("GetAllFolders: Trying to fetch folders using logged in details")
 
@@ -44,24 +44,11 @@ func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder
 		folders, err := GetFoldersViaJTW(loggedInUserDetails.UserCredentials.JTWToken, workspaceFile.WorkspaceId, params.Environment, params.FoldersPath)
 		folderErr = err
 		foldersToReturn = folders
-	} else if params.InfisicalToken != "" {
-		log.Debug().Msg("GetAllFolders: Trying to fetch folders using service token")
-
+	} else {
 		// get folders via service token
 		folders, err := GetFoldersViaServiceToken(params.InfisicalToken, params.WorkspaceId, params.Environment, params.FoldersPath)
 		folderErr = err
 		foldersToReturn = folders
-	} else if params.UniversalAuthAccessToken != "" {
-		log.Debug().Msg("GetAllFolders: Trying to fetch folders using universal auth")
-
-		if params.WorkspaceId == "" {
-			PrintErrorMessageAndExit("Project ID is required when using machine identity")
-		}
-
-		// get folders via machine identity
-		folders, err := GetFoldersViaMachineIdentity(params.UniversalAuthAccessToken, params.WorkspaceId, params.Environment, params.FoldersPath)
-		folderErr = err
-		foldersToReturn = folders
 	}
 	return foldersToReturn, folderErr
 }
@@ -145,34 +132,6 @@ func GetFoldersViaServiceToken(fullServiceToken string, workspaceId string, envi
 	return folders, nil
 }
 
-func GetFoldersViaMachineIdentity(accessToken string, workspaceId string, envSlug string, foldersPath string) ([]models.SingleFolder, error) {
-	httpClient := resty.New()
-	httpClient.SetAuthToken(accessToken).
-		SetHeader("Accept", "application/json")
-
-	getFoldersRequest := api.GetFoldersV1Request{
-		WorkspaceId: workspaceId,
-		Environment: envSlug,
-		FoldersPath: foldersPath,
-	}
-
-	apiResponse, err := api.CallGetFoldersV1(httpClient, getFoldersRequest)
-	if err != nil {
-		return nil, err
-	}
-
-	var folders []models.SingleFolder
-
-	for _, folder := range apiResponse.Folders {
-		folders = append(folders, models.SingleFolder{
-			Name: folder.Name,
-			ID:   folder.ID,
-		})
-	}
-
-	return folders, nil
-}
-
 // CreateFolder creates a folder in Infisical
 func CreateFolder(params models.CreateFolderParameters) (models.SingleFolder, error) {
 	loggedInUserDetails, err := GetCurrentLoggedInUserDetails()