feat: removed provider password from sql database

feat: fixed tokenization strategy
feat: updated by reptile feedback
2025-08-11 05:49:05 +00:00 · 2025-08-08 12:35:33 +05:30 · 2025-08-08 12:29:19 +05:30 · 2025-08-07 20:55:41 +05:30 · 2025-08-07 20:37:05 +05:30 · 2025-08-06 21:08:21 -04:00
27 changed files with 1231 additions and 600 deletions
--- a/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
@@ -15,6 +15,7 @@ import { z } from "zod";
 import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
@@ -170,14 +171,29 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
  };
  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).verifyCredentials(providerInputs.clusterName);
-    return true;
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).verifyCredentials(providerInputs.clusterName);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.accessKeyId,
+          providerInputs.secretAccessKey,
+          providerInputs.clusterName,
+          providerInputs.region
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -206,21 +222,37 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {

    const parsedStatement = CreateElastiCacheUserSchema.parse(JSON.parse(creationStatement));

-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).createUser(parsedStatement, providerInputs.clusterName);
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).createUser(parsedStatement, providerInputs.clusterName);

-    return {
-      entityId: leaseUsername,
-      data: {
-        DB_USERNAME: leaseUsername,
-        DB_PASSWORD: leasePassword
-      }
-    };
+      return {
+        entityId: leaseUsername,
+        data: {
+          DB_USERNAME: leaseUsername,
+          DB_PASSWORD: leasePassword
+        }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          leaseUsername,
+          leasePassword,
+          providerInputs.accessKeyId,
+          providerInputs.secretAccessKey,
+          providerInputs.clusterName
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -229,15 +261,25 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username: entityId });
    const parsedStatement = DeleteElasticCacheUserSchema.parse(JSON.parse(revokeStatement));

-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).deleteUser(parsedStatement);
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).deleteUser(parsedStatement);

-    return { entityId };
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.accessKeyId, providerInputs.secretAccessKey, providerInputs.clusterName]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
@@ -23,6 +23,7 @@ import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@@ -118,22 +119,39 @@ export const AwsIamProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown, { projectId }: { projectId: string }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs, projectId);
-    const isConnected = await client
-      .send(new GetUserCommand({}))
-      .then(() => true)
-      .catch((err) => {
-        const message = (err as Error)?.message;
-        if (
-          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
-          // assume role will throw an error asking to provider username, but if so this has access in aws correctly
-          message.includes("Must specify userName when calling with non-User credentials")
-        ) {
-          return true;
-        }
-        throw err;
+    try {
+      const client = await $getClient(providerInputs, projectId);
+      const isConnected = await client
+        .send(new GetUserCommand({}))
+        .then(() => true)
+        .catch((err) => {
+          const message = (err as Error)?.message;
+          if (
+            (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
+            // assume role will throw an error asking to provider username, but if so this has access in aws correctly
+            message.includes("Must specify userName when calling with non-User credentials")
+          ) {
+            return true;
+          }
+          throw err;
+        });
+      return isConnected;
+    } catch (err) {
+      const sensitiveTokens = [];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
      });
-    return isConnected;
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -162,62 +180,81 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      awsTags.push(...additionalTags);
    }

-    const createUserRes = await client.send(
-      new CreateUserCommand({
-        Path: awsPath,
-        PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
-        Tags: awsTags,
-        UserName: username
-      })
-    );
-
-    if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
-    if (userGroups) {
-      await Promise.all(
-        userGroups
-          .split(",")
-          .filter(Boolean)
-          .map((group) =>
-            client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
-          )
-      );
-    }
-    if (policyArns) {
-      await Promise.all(
-        policyArns
-          .split(",")
-          .filter(Boolean)
-          .map((policyArn) =>
-            client.send(new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn }))
-          )
-      );
-    }
-    if (policyDocument) {
-      await client.send(
-        new PutUserPolicyCommand({
-          UserName: createUserRes.User.UserName,
-          PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
-          PolicyDocument: policyDocument
+    try {
+      const createUserRes = await client.send(
+        new CreateUserCommand({
+          Path: awsPath,
+          PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
+          Tags: awsTags,
+          UserName: username
        })
      );
-    }

-    const createAccessKeyRes = await client.send(
-      new CreateAccessKeyCommand({
-        UserName: createUserRes.User.UserName
-      })
-    );
-    if (!createAccessKeyRes.AccessKey)
-      throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
-
-    return {
-      entityId: username,
-      data: {
-        ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
-        SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
-        USERNAME: username
+      if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
+      if (userGroups) {
+        await Promise.all(
+          userGroups
+            .split(",")
+            .filter(Boolean)
+            .map((group) =>
+              client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
+            )
+        );
      }
-    };
+      if (policyArns) {
+        await Promise.all(
+          policyArns
+            .split(",")
+            .filter(Boolean)
+            .map((policyArn) =>
+              client.send(
+                new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn })
+              )
+            )
+        );
+      }
+      if (policyDocument) {
+        await client.send(
+          new PutUserPolicyCommand({
+            UserName: createUserRes.User.UserName,
+            PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
+            PolicyDocument: policyDocument
+          })
+        );
+      }
+
+      const createAccessKeyRes = await client.send(
+        new CreateAccessKeyCommand({
+          UserName: createUserRes.User.UserName
+        })
+      );
+      if (!createAccessKeyRes.AccessKey)
+        throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
+
+      return {
+        entityId: username,
+        data: {
+          ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
+          SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
+          USERNAME: username
+        }
+      };
+    } catch (err) {
+      const sensitiveTokens = [username];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string, metadata: { projectId: string }) => {
@@ -278,8 +315,25 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      )
    );

-    await client.send(new DeleteUserCommand({ UserName: username }));
-    return { entityId: username };
+    try {
+      await client.send(new DeleteUserCommand({ UserName: username }));
+      return { entityId: username };
+    } catch (err) {
+      const sensitiveTokens = [username];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
@@ -2,6 +2,7 @@ import axios from "axios";
 import { customAlphabet } from "nanoid";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";

 import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";

@@ -51,45 +52,82 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-    return data.success;
+    try {
+      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+      return data.success;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.clientSecret, providerInputs.applicationId, providerInputs.tenantId]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async ({ inputs }: { inputs: unknown }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-    if (!data.success) {
-      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
-    }

    const password = generatePassword();
-
-    const response = await axios.patch(
-      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
-      {
-        passwordProfile: {
-          forceChangePasswordNextSignIn: false,
-          password
-        }
-      },
-      {
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${data.token}`
-        }
+    try {
+      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+      if (!data.success) {
+        throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
      }
-    );
-    if (response.status !== 204) {
-      throw new BadRequestError({ message: "Failed to update password" });
-    }

-    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+      const response = await axios.patch(
+        `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+        {
+          passwordProfile: {
+            forceChangePasswordNextSignIn: false,
+            password
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${data.token}`
+          }
+        }
+      );
+      if (response.status !== 204) {
+        throw new BadRequestError({ message: "Failed to update password" });
+      }
+
+      return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.clientSecret,
+          providerInputs.applicationId,
+          providerInputs.userId,
+          providerInputs.email,
+          password
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
-    // Creates a new password
-    await create({ inputs });
-    return { entityId };
+    const providerInputs = await validateProviderInputs(inputs);
+    try {
+      // Creates a new password
+      await create({ inputs });
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.clientSecret, providerInputs.applicationId, entityId]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
@@ -3,6 +3,8 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -71,9 +73,24 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
-    await client.shutdown();
-    return isConnected;
+    try {
+      const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
+      await client.shutdown();
+      return isConnected;
+    } catch (err) {
+      const tokens = [providerInputs.password, providerInputs.username];
+      if (providerInputs.keyspace) {
+        tokens.push(providerInputs.keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -89,23 +106,39 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const { keyspace } = providerInputs;
-    const expiration = new Date(expireAt).toISOString();

-    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-      username,
-      password,
-      expiration,
-      keyspace
-    });
+    try {
+      const expiration = new Date(expireAt).toISOString();

-    const queries = creationStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
+      const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+        username,
+        password,
+        expiration,
+        keyspace
+      });
+
+      const queries = creationStatement.toString().split(";").filter(Boolean);
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await client.execute(query);
+      }
+      await client.shutdown();
+
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const tokens = [username, password];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -115,14 +148,29 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const username = entityId;
    const { keyspace } = providerInputs;

-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
-    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
+    try {
+      const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
+      const queries = revokeStatement.toString().split(";").filter(Boolean);
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await client.execute(query);
+      }
+      await client.shutdown();
+      return { entityId: username };
+    } catch (err) {
+      const tokens = [username];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-    return { entityId: username };
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
@@ -130,21 +178,36 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    if (!providerInputs.renewStatement) return { entityId };

    const client = await $getClient(providerInputs);
-
-    const expiration = new Date(expireAt).toISOString();
    const { keyspace } = providerInputs;

-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
-      username: entityId,
-      keyspace,
-      expiration
-    });
-    const queries = renewStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await client.execute(query);
+    try {
+      const expiration = new Date(expireAt).toISOString();
+
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+        username: entityId,
+        keyspace,
+        expiration
+      });
+      const queries = renewStatement.toString().split(";").filter(Boolean);
+      for await (const query of queries) {
+        await client.execute(query);
+      }
+      await client.shutdown();
+      return { entityId };
+    } catch (err) {
+      const tokens = [entityId];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-    return { entityId };
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
@@ -2,6 +2,8 @@ import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -63,12 +65,24 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    const infoResponse = await connection
-      .info()
-      .then(() => true)
-      .catch(() => false);
-
-    return infoResponse;
+    try {
+      const infoResponse = await connection.info().then(() => true);
+      return infoResponse;
+    } catch (err) {
+      const tokens = [];
+      if (providerInputs.auth.type === ElasticSearchAuthTypes.ApiKey) {
+        tokens.push(providerInputs.auth.apiKey, providerInputs.auth.apiKeyId);
+      } else {
+        tokens.push(providerInputs.auth.username, providerInputs.auth.password);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -79,27 +93,49 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    await connection.security.putUser({
-      username,
-      password,
-      full_name: "Managed by Infisical.com",
-      roles: providerInputs.roles
-    });
+    try {
+      await connection.security.putUser({
+        username,
+        password,
+        full_name: "Managed by Infisical.com",
+        roles: providerInputs.roles
+      });

-    await connection.close();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+      await connection.close();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password]
+      });
+      await connection.close();
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    await connection.security.deleteUser({
-      username: entityId
-    });
+    try {
+      await connection.security.deleteUser({
+        username: entityId
+      });

-    await connection.close();
-    return { entityId };
+      await connection.close();
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId]
+      });
+      await connection.close();
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
@@ -3,6 +3,7 @@ import { GetAccessTokenResponse } from "google-auth-library/build/src/auth/oauth

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretGcpIamSchema, TDynamicProviderFns } from "./models";
@@ -65,8 +66,18 @@ export const GcpIamProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await $getToken(providerInputs.serviceAccountEmail, 10);
-    return true;
+    try {
+      await $getToken(providerInputs.serviceAccountEmail, 10);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; expireAt: number }) => {
@@ -74,13 +85,23 @@ export const GcpIamProvider = (): TDynamicProviderFns => {

    const providerInputs = await validateProviderInputs(inputs);

-    const now = Math.floor(Date.now() / 1000);
-    const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);
+    try {
+      const now = Math.floor(Date.now() / 1000);
+      const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);

-    const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
-    const entityId = alphaNumericNanoId(32);
+      const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
+      const entityId = alphaNumericNanoId(32);

-    return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+      return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (_inputs: unknown, entityId: string) => {
@@ -89,10 +110,21 @@ export const GcpIamProvider = (): TDynamicProviderFns => {
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
-    // To renew a token it must be re-created
-    const data = await create({ inputs, expireAt });
+    try {
+      // To renew a token it must be re-created
+      const data = await create({ inputs, expireAt });

-    return { ...data, entityId };
+      return { ...data, entityId };
+    } catch (err) {
+      const providerInputs = await validateProviderInputs(inputs);
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/github.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/github.ts
@@ -3,6 +3,7 @@ import jwt from "jsonwebtoken";

 import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";

@@ -89,26 +90,46 @@ export const GithubProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await $generateGitHubInstallationAccessToken(providerInputs);
-    return true;
+    try {
+      await $generateGitHubInstallationAccessToken(providerInputs);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown }) => {
    const { inputs } = data;
    const providerInputs = await validateProviderInputs(inputs);

-    const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
-    const entityId = alphaNumericNanoId(32);
+    try {
+      const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
+      const entityId = alphaNumericNanoId(32);

-    return {
-      entityId,
-      data: {
-        TOKEN: ghTokenData.token,
-        EXPIRES_AT: ghTokenData.expires_at,
-        PERMISSIONS: ghTokenData.permissions,
-        REPOSITORY_SELECTION: ghTokenData.repository_selection
-      }
-    };
+      return {
+        entityId,
+        data: {
+          TOKEN: ghTokenData.token,
+          EXPIRES_AT: ghTokenData.expires_at,
+          PERMISSIONS: ghTokenData.permissions,
+          REPOSITORY_SELECTION: ghTokenData.repository_selection
+        }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async () => {
--- a/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
@@ -2,7 +2,8 @@ import axios, { AxiosError } from "axios";
 import handlebars from "handlebars";
 import https from "https";

-import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayHttpProxyActions, GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
@@ -356,8 +357,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        errorMessage = (error.response?.data as { message: string }).message;
      }

-      throw new InternalServerError({
-        message: `Failed to validate connection: ${errorMessage}`
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.clusterToken || ""]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
      });
    }
  };
@@ -602,8 +607,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        errorMessage = (error.response?.data as { message: string }).message;
      }

-      throw new InternalServerError({
-        message: `Failed to create dynamic secret: ${errorMessage}`
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.clusterToken || ""]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
      });
    }
  };
@@ -683,50 +692,65 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
    };

    if (providerInputs.credentialType === KubernetesCredentialType.Dynamic) {
-      const rawUrl =
-        providerInputs.authMethod === KubernetesAuthMethod.Gateway
-          ? GATEWAY_AUTH_DEFAULT_URL
-          : providerInputs.url || "";
+      try {
+        const rawUrl =
+          providerInputs.authMethod === KubernetesAuthMethod.Gateway
+            ? GATEWAY_AUTH_DEFAULT_URL
+            : providerInputs.url || "";

-      const url = new URL(rawUrl);
-      const k8sGatewayHost = url.hostname;
-      const k8sPort = url.port ? Number(url.port) : 443;
-      const k8sHost = `${url.protocol}//${url.hostname}`;
+        const url = new URL(rawUrl);
+        const k8sGatewayHost = url.hostname;
+        const k8sPort = url.port ? Number(url.port) : 443;
+        const k8sHost = `${url.protocol}//${url.hostname}`;

-      const httpsAgent =
-        providerInputs.ca && providerInputs.sslEnabled
-          ? new https.Agent({
-              ca: providerInputs.ca,
-              rejectUnauthorized: true
-            })
-          : undefined;
+        const httpsAgent =
+          providerInputs.ca && providerInputs.sslEnabled
+            ? new https.Agent({
+                ca: providerInputs.ca,
+                rejectUnauthorized: true
+              })
+            : undefined;

-      if (providerInputs.gatewayId) {
-        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
-          await $gatewayProxyWrapper(
-            {
-              gatewayId: providerInputs.gatewayId,
-              targetHost: k8sHost,
-              targetPort: k8sPort,
-              httpsAgent,
-              reviewTokenThroughGateway: true
-            },
-            serviceAccountDynamicCallback
-          );
+        if (providerInputs.gatewayId) {
+          if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
+            await $gatewayProxyWrapper(
+              {
+                gatewayId: providerInputs.gatewayId,
+                targetHost: k8sHost,
+                targetPort: k8sPort,
+                httpsAgent,
+                reviewTokenThroughGateway: true
+              },
+              serviceAccountDynamicCallback
+            );
+          } else {
+            await $gatewayProxyWrapper(
+              {
+                gatewayId: providerInputs.gatewayId,
+                targetHost: k8sGatewayHost,
+                targetPort: k8sPort,
+                httpsAgent,
+                reviewTokenThroughGateway: false
+              },
+              serviceAccountDynamicCallback
+            );
+          }
        } else {
-          await $gatewayProxyWrapper(
-            {
-              gatewayId: providerInputs.gatewayId,
-              targetHost: k8sGatewayHost,
-              targetPort: k8sPort,
-              httpsAgent,
-              reviewTokenThroughGateway: false
-            },
-            serviceAccountDynamicCallback
-          );
+          await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
        }
-      } else {
-        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
+      } catch (error) {
+        let errorMessage = error instanceof Error ? error.message : "Unknown error";
+        if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+          errorMessage = (error.response?.data as { message: string }).message;
+        }
+
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: errorMessage,
+          tokens: [entityId, providerInputs.clusterToken || ""]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      }
    }

--- a/backend/src/ee/services/dynamic-secret/providers/ldap.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/ldap.ts
@@ -6,6 +6,7 @@ import RE2 from "re2";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
@@ -91,8 +92,18 @@ export const LdapProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-    return client.connected;
+    try {
+      const client = await $getClient(providerInputs);
+      return client.connected;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.bindpass, providerInputs.binddn]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
@@ -205,11 +216,11 @@ export const LdapProvider = (): TDynamicProviderFns => {
    if (providerInputs.credentialType === LdapCredentialType.Static) {
      const dnRegex = new RE2("^dn:\\s*(.+)", "m");
      const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
+      const username = dnMatch?.[1];
+      if (!username) throw new BadRequestError({ message: "Username not found from Ldif" });
+      const password = generatePassword();

      if (dnMatch) {
-        const username = dnMatch[1];
-        const password = generatePassword();
-
        const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });

        try {
@@ -217,7 +228,11 @@ export const LdapProvider = (): TDynamicProviderFns => {

          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
+          const sanitizedErrorMessage = sanitizeString({
+            unsanitizedString: (err as Error)?.message,
+            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+          });
+          throw new BadRequestError({ message: sanitizedErrorMessage });
        }
      } else {
        throw new BadRequestError({
@@ -238,7 +253,11 @@ export const LdapProvider = (): TDynamicProviderFns => {
          const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
          await executeLdif(client, rollbackLdif);
        }
-        throw new BadRequestError({ message: (err as Error).message });
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+        });
+        throw new BadRequestError({ message: sanitizedErrorMessage });
      }
    }
  };
@@ -262,7 +281,11 @@ export const LdapProvider = (): TDynamicProviderFns => {

          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
+          const sanitizedErrorMessage = sanitizeString({
+            unsanitizedString: (err as Error)?.message,
+            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+          });
+          throw new BadRequestError({ message: sanitizedErrorMessage });
        }
      } else {
        throw new BadRequestError({
@@ -278,7 +301,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
    return { entityId };
  };

-  const renew = async (inputs: unknown, entityId: string) => {
+  const renew = async (_inputs: unknown, entityId: string) => {
    // No renewal necessary
    return { entityId };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
@@ -3,6 +3,8 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { createDigestAuthRequestInterceptor } from "@app/lib/axios/digest-auth";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";
@@ -49,19 +51,25 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client({
-      method: "GET",
-      url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
-      params: { itemsPerPage: 1 }
-    })
-      .then(() => true)
-      .catch((error) => {
-        if ((error as AxiosError).response) {
-          throw new Error(JSON.stringify((error as AxiosError).response?.data));
-        }
-        throw error;
+    try {
+      const isConnected = await client({
+        method: "GET",
+        url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
+        params: { itemsPerPage: 1 }
+      }).then(() => true);
+      return isConnected;
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
      });
-    return isConnected;
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -77,25 +85,39 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const expiration = new Date(expireAt).toISOString();
-    await client({
-      method: "POST",
-      url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
-      data: {
-        roles: providerInputs.roles,
-        scopes: providerInputs.scopes,
-        deleteAfterDate: expiration,
-        username,
-        password,
-        databaseName: "admin",
-        groupId: providerInputs.groupId
-      }
-    }).catch((error) => {
-      if ((error as AxiosError).response) {
-        throw new Error(JSON.stringify((error as AxiosError).response?.data));
-      }
-      throw error;
-    });
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await client({
+        method: "POST",
+        url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
+        data: {
+          roles: providerInputs.roles,
+          scopes: providerInputs.scopes,
+          deleteAfterDate: expiration,
+          username,
+          password,
+          databaseName: "admin",
+          groupId: providerInputs.groupId
+        }
+      });
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [
+          username,
+          password,
+          providerInputs.adminPublicKey,
+          providerInputs.adminPrivateKey,
+          providerInputs.groupId
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -111,15 +133,23 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
      throw err;
    });
    if (isExisting) {
-      await client({
-        method: "DELETE",
-        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
-      }).catch((error) => {
-        if ((error as AxiosError).response) {
-          throw new Error(JSON.stringify((error as AxiosError).response?.data));
-        }
-        throw error;
-      });
+      try {
+        await client({
+          method: "DELETE",
+          url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
+        });
+      } catch (error) {
+        const errorMessage = (error as AxiosError).response
+          ? JSON.stringify((error as AxiosError).response?.data)
+          : (error as Error)?.message;
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: errorMessage,
+          tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
+      }
    }

    return { entityId: username };
@@ -132,21 +162,29 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const username = entityId;
    const expiration = new Date(expireAt).toISOString();

-    await client({
-      method: "PATCH",
-      url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
-      data: {
-        deleteAfterDate: expiration,
-        databaseName: "admin",
-        groupId: providerInputs.groupId
-      }
-    }).catch((error) => {
-      if ((error as AxiosError).response) {
-        throw new Error(JSON.stringify((error as AxiosError).response?.data));
-      }
-      throw error;
-    });
-    return { entityId: username };
+    try {
+      await client({
+        method: "PATCH",
+        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
+        data: {
+          deleteAfterDate: expiration,
+          databaseName: "admin",
+          groupId: providerInputs.groupId
+        }
+      });
+      return { entityId: username };
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
@@ -2,6 +2,8 @@ import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -51,13 +53,24 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client
-      .db(providerInputs.database)
-      .command({ ping: 1 })
-      .then(() => true);
+    try {
+      const isConnected = await client
+        .db(providerInputs.database)
+        .command({ ping: 1 })
+        .then(() => true);

-    await client.close();
-    return isConnected;
+      await client.close();
+      return isConnected;
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.database, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -68,16 +81,27 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    const db = client.db(providerInputs.database);
+    try {
+      const db = client.db(providerInputs.database);

-    await db.command({
-      createUser: username,
-      pwd: password,
-      roles: providerInputs.roles
-    });
-    await client.close();
+      await db.command({
+        createUser: username,
+        pwd: password,
+        roles: providerInputs.roles
+      });
+      await client.close();

-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -86,13 +110,24 @@ export const MongoDBProvider = (): TDynamicProviderFns => {

    const username = entityId;

-    const db = client.db(providerInputs.database);
-    await db.command({
-      dropUser: username
-    });
-    await client.close();
+    try {
+      const db = client.db(providerInputs.database);
+      await db.command({
+        dropUser: username
+      });
+      await client.close();

-    return { entityId: username };
+      return { entityId: username };
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
@@ -3,6 +3,8 @@ import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

@@ -110,11 +112,19 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const connection = await $getClient(providerInputs);
-
-    const infoResponse = await connection.get("/whoami").then(() => true);
-
-    return infoResponse;
+    try {
+      const connection = await $getClient(providerInputs);
+      const infoResponse = await connection.get("/whoami").then(() => true);
+      return infoResponse;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -125,26 +135,44 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    await createRabbitMqUser({
-      axiosInstance: connection,
-      virtualHost: providerInputs.virtualHost,
-      createUser: {
-        password,
-        username,
-        tags: [...(providerInputs.tags ?? []), "infisical-user"]
-      }
-    });
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await createRabbitMqUser({
+        axiosInstance: connection,
+        virtualHost: providerInputs.virtualHost,
+        createUser: {
+          password,
+          username,
+          tags: [...(providerInputs.tags ?? []), "infisical-user"]
+        }
+      });
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
-
-    return { entityId };
+    try {
+      await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/redis.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/redis.ts
@@ -4,6 +4,7 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -112,14 +113,27 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const connection = await $getClient(providerInputs);
-
-    const pingResponse = await connection
-      .ping()
-      .then(() => true)
-      .catch(() => false);
-
-    return pingResponse;
+    let connection;
+    try {
+      connection = await $getClient(providerInputs);
+      const pingResponse = await connection.ping().then(() => true);
+      await connection.quit();
+      return pingResponse;
+    } catch (err) {
+      if (connection) await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.password || "",
+          providerInputs.username,
+          providerInputs.host,
+          String(providerInputs.port)
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -144,10 +158,20 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

    const queries = creationStatement.toString().split(";").filter(Boolean);

-    await executeTransactions(connection, queries);
-
-    await connection.quit();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await executeTransactions(connection, queries);
+      await connection.quit();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -159,10 +183,20 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
    const queries = revokeStatement.toString().split(";").filter(Boolean);

-    await executeTransactions(connection, queries);
-
-    await connection.quit();
-    return { entityId: username };
+    try {
+      await executeTransactions(connection, queries);
+      await connection.quit();
+      return { entityId: username };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
@@ -176,13 +210,23 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });

-    if (renewStatement) {
-      const queries = renewStatement.toString().split(";").filter(Boolean);
-      await executeTransactions(connection, queries);
+    try {
+      if (renewStatement) {
+        const queries = renewStatement.toString().split(";").filter(Boolean);
+        await executeTransactions(connection, queries);
+      }
+      await connection.quit();
+      return { entityId: username };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await connection.quit();
-    return { entityId: username };
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/sap-ase.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sap-ase.ts
@@ -4,6 +4,7 @@ import odbc from "odbc";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -67,25 +68,41 @@ export const SapAseProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const masterClient = await $getClient(providerInputs, true);
-    const client = await $getClient(providerInputs);
+    let masterClient;
+    let client;
+    try {
+      masterClient = await $getClient(providerInputs, true);
+      client = await $getClient(providerInputs);

-    const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
-    const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");
+      const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
+      const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");

-    if (!resultFromSelectedDatabase.version) {
+      if (!resultFromSelectedDatabase.version) {
+        throw new BadRequestError({
+          message: "Failed to validate SAP ASE connection, version query failed"
+        });
+      }
+
+      if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
+        throw new BadRequestError({
+          message: "Failed to validate SAP ASE connection (master), version mismatch"
+        });
+      }
+
+      await masterClient.close();
+      await client.close();
+      return true;
+    } catch (err) {
+      if (masterClient) await masterClient.close();
+      if (client) await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host, providerInputs.database]
+      });
      throw new BadRequestError({
-        message: "Failed to validate SAP ASE connection, version query failed"
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
      });
    }
-
-    if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
-      throw new BadRequestError({
-        message: "Failed to validate SAP ASE connection (master), version mismatch"
-      });
-    }
-
-    return true;
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -105,16 +122,26 @@ export const SapAseProvider = (): TDynamicProviderFns => {

    const queries = creationStatement.trim().replaceAll("\n", "").split(";").filter(Boolean);

-    for await (const query of queries) {
-      // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
-      // If not done, then the newly created user won't be able to authenticate.
-      await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+    try {
+      for await (const query of queries) {
+        // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
+        // If not done, then the newly created user won't be able to authenticate.
+        await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+      }
+      await masterClient.close();
+      await client.close();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await masterClient.close();
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await masterClient.close();
-    await client.close();
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
  };

  const revoke = async (inputs: unknown, username: string) => {
@@ -140,14 +167,24 @@ export const SapAseProvider = (): TDynamicProviderFns => {
      }
    }

-    for await (const query of queries) {
-      await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+    try {
+      for await (const query of queries) {
+        await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+      }
+      await masterClient.close();
+      await client.close();
+      return { entityId: username };
+    } catch (err) {
+      await masterClient.close();
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await masterClient.close();
-    await client.close();
-
-    return { entityId: username };
  };

  const renew = async (_: unknown, username: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/sap-hana.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sap-hana.ts
@@ -10,6 +10,7 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -83,19 +84,26 @@ export const SapHanaProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    const testResult = await new Promise<boolean>((resolve, reject) => {
-      client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
-        if (err) {
-          reject();
-        }
-
-        resolve(true);
+    try {
+      const client = await $getClient(providerInputs);
+      const testResult = await new Promise<boolean>((resolve, reject) => {
+        client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
+          if (err) {
+            return reject(err);
+          }
+          resolve(true);
+        });
      });
-    });
-
-    return testResult;
+      return testResult;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -119,18 +127,22 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
    });

    const queries = creationStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await new Promise((resolve, reject) => {
-        client.exec(query, (err: any) => {
-          if (err) {
-            reject(
-              new BadRequestError({
-                message: err.message
-              })
-            );
-          }
-          resolve(true);
+    try {
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) return reject(err);
+            resolve(true);
+          });
        });
+      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
      });
    }

@@ -142,18 +154,24 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
    const client = await $getClient(providerInputs);
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await new Promise((resolve, reject) => {
-        client.exec(query, (err: any) => {
-          if (err) {
-            reject(
-              new BadRequestError({
-                message: err.message
-              })
-            );
-          }
-          resolve(true);
+    try {
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) {
+              reject(err);
+            }
+            resolve(true);
+          });
        });
+      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
      });
    }

@@ -174,16 +192,20 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
        await new Promise((resolve, reject) => {
          client.exec(query, (err: any) => {
            if (err) {
-              reject(
-                new BadRequestError({
-                  message: err.message
-                })
-              );
+              reject(err);
            }
            resolve(true);
          });
        });
      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    } finally {
      client.disconnect();
    }
--- a/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
@@ -4,6 +4,7 @@ import snowflake from "snowflake-sdk";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -69,12 +70,10 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    let isValidConnection: boolean;
-
+    let client;
    try {
-      isValidConnection = await Promise.race([
+      client = await $getClient(providerInputs);
+      const isValidConnection = await Promise.race([
        client.isValidAsync(),
        new Promise((resolve) => {
          setTimeout(resolve, 10000);
@@ -82,11 +81,18 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          throw new BadRequestError({ message: "Unable to establish connection - verify credentials" });
        })
      ]);
+      return isValidConnection;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.accountId, providerInputs.orgId]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
    } finally {
-      client.destroy(noop);
+      if (client) client.destroy(noop);
    }
-
-    return isValidConnection;
  };

  const create = async (data: {
@@ -116,13 +122,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: creationStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "CreateLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to create lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
@@ -143,13 +155,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: revokeStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "RevokeLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [username, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
@@ -175,13 +193,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: renewStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "RenewLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to renew lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@@ -3,6 +3,8 @@ import knex from "knex";
 import { z } from "zod";

 import { crypto } from "@app/lib/crypto/cryptography";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -212,8 +214,19 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
      // oracle needs from keyword
      const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";

-      isConnected = await db.raw(testStatement).then(() => true);
-      await db.destroy();
+      try {
+        isConnected = await db.raw(testStatement).then(() => true);
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [providerInputs.username]
+        });
+        throw new BadRequestError({
+          message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+        });
+      } finally {
+        await db.destroy();
+      }
    };

    if (providerInputs.gatewayId) {
@@ -233,13 +246,13 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
    const { inputs, expireAt, usernameTemplate, identity } = data;

    const providerInputs = await validateProviderInputs(inputs);
+    const { database } = providerInputs;
    const username = generateUsername(providerInputs.client, usernameTemplate, identity);

    const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
      const db = await $getClient({ ...providerInputs, port, host });
      try {
-        const { database } = providerInputs;
        const expiration = new Date(expireAt).toISOString();

        const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
@@ -256,6 +269,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            await tx.raw(query);
          }
        });
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, database]
+        });
+        throw new BadRequestError({
+          message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
@@ -283,6 +304,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            await tx.raw(query);
          }
        });
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, database]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
@@ -319,6 +348,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            }
          });
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [database]
+        });
+        throw new BadRequestError({
+          message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
--- a/backend/src/ee/services/dynamic-secret/providers/totp.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/totp.ts
@@ -1,6 +1,8 @@
 import { authenticator } from "otplib";
 import { HashAlgorithms } from "otplib/core";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretTotpSchema, TDynamicProviderFns, TotpConfigType } from "./models";
@@ -12,62 +14,84 @@ export const TotpProvider = (): TDynamicProviderFns => {
    return providerInputs;
  };

-  const validateConnection = async () => {
-    return true;
+  const validateConnection = async (inputs: unknown) => {
+    try {
+      await validateProviderInputs(inputs);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: []
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

-  const create = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
+  const create = async (data: { inputs: unknown }) => {
+    const { inputs } = data;
+    try {
+      const providerInputs = await validateProviderInputs(inputs);

-    const entityId = alphaNumericNanoId(32);
-    const authenticatorInstance = authenticator.clone();
+      const entityId = alphaNumericNanoId(32);
+      const authenticatorInstance = authenticator.clone();

-    let secret: string;
-    let period: number | null | undefined;
-    let digits: number | null | undefined;
-    let algorithm: HashAlgorithms | null | undefined;
+      let secret: string;
+      let period: number | null | undefined;
+      let digits: number | null | undefined;
+      let algorithm: HashAlgorithms | null | undefined;

-    if (providerInputs.configType === TotpConfigType.URL) {
-      const urlObj = new URL(providerInputs.url);
-      secret = urlObj.searchParams.get("secret") as string;
-      const periodFromUrl = urlObj.searchParams.get("period");
-      const digitsFromUrl = urlObj.searchParams.get("digits");
-      const algorithmFromUrl = urlObj.searchParams.get("algorithm");
+      if (providerInputs.configType === TotpConfigType.URL) {
+        const urlObj = new URL(providerInputs.url);
+        secret = urlObj.searchParams.get("secret") as string;
+        const periodFromUrl = urlObj.searchParams.get("period");
+        const digitsFromUrl = urlObj.searchParams.get("digits");
+        const algorithmFromUrl = urlObj.searchParams.get("algorithm");

-      if (periodFromUrl) {
-        period = +periodFromUrl;
+        if (periodFromUrl) {
+          period = +periodFromUrl;
+        }
+
+        if (digitsFromUrl) {
+          digits = +digitsFromUrl;
+        }
+
+        if (algorithmFromUrl) {
+          algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+        }
+      } else {
+        secret = providerInputs.secret;
+        period = providerInputs.period;
+        digits = providerInputs.digits;
+        algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
      }

-      if (digitsFromUrl) {
-        digits = +digitsFromUrl;
+      if (digits) {
+        authenticatorInstance.options = { digits };
      }

-      if (algorithmFromUrl) {
-        algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+      if (algorithm) {
+        authenticatorInstance.options = { algorithm };
      }
-    } else {
-      secret = providerInputs.secret;
-      period = providerInputs.period;
-      digits = providerInputs.digits;
-      algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
-    }

-    if (digits) {
-      authenticatorInstance.options = { digits };
-    }
+      if (period) {
+        authenticatorInstance.options = { step: period };
+      }

-    if (algorithm) {
-      authenticatorInstance.options = { algorithm };
+      return {
+        entityId,
+        data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: []
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    if (period) {
-      authenticatorInstance.options = { step: period };
-    }
-
-    return {
-      entityId,
-      data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
-    };
  };

  const revoke = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/vertica.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/vertica.ts
@@ -4,6 +4,7 @@ import { z } from "zod";

 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -275,6 +276,14 @@ export const VerticaProvider = ({ gatewayService }: TVerticaProviderDTO): TDynam
            await client.raw(trimmedQuery);
          }
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, providerInputs.username, providerInputs.password]
+        });
+        throw new BadRequestError({
+          message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        if (client) await client.destroy();
      }
@@ -339,6 +348,14 @@ export const VerticaProvider = ({ gatewayService }: TVerticaProviderDTO): TDynam
            await client.raw(trimmedQuery);
          }
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, providerInputs.username, providerInputs.password]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        if (client) await client.destroy();
      }
--- a/backend/src/lib/fn/string.ts
+++ b/backend/src/lib/fn/string.ts
@@ -19,3 +19,17 @@ export const prefixWithSlash = (str: string) => {
 const vowelRegex = new RE2(/^[aeiou]/i);

 export const startsWithVowel = (str: string) => vowelRegex.test(str);
+
+const pickWordsRegex = new RE2(/(\W+)/);
+export const sanitizeString = (dto: { unsanitizedString: string; tokens: string[] }) => {
+  const words = dto.unsanitizedString.split(pickWordsRegex);
+
+  const redactionSet = new Set(dto.tokens.filter(Boolean));
+  const sanitizedWords = words.map((el) => {
+    if (redactionSet.has(el)) {
+      return "[REDACTED]";
+    }
+    return el;
+  });
+  return sanitizedWords.join("");
+};
--- a/backend/src/services/app-connection/shared/sql/sql-connection-fns.ts
+++ b/backend/src/services/app-connection/shared/sql/sql-connection-fns.ts
@@ -44,7 +44,8 @@ const getConnectionConfig = ({
          ? {
              trustServerCertificate: !sslRejectUnauthorized,
              encrypt: true,
-              cryptoCredentialsDetails: sslCertificate ? { ca: sslCertificate } : {}
+              cryptoCredentialsDetails: sslCertificate ? { ca: sslCertificate } : {},
+              servername: host
            }
          : { encrypt: false }
      };
--- a/backend/src/services/certificate-authority/certificate-authority-validators.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-validators.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { isValidIp } from "@app/lib/ip";
 import { isFQDN } from "@app/lib/validator/validate-url";
+import { TAltNameMapping, TAltNameType } from "@app/services/certificate/certificate-types";

 const isValidDate = (dateString: string) => {
  const date = new Date(dateString);
@@ -56,3 +57,19 @@ export const validateAltNamesField = z
      message: "Each alt name must be a valid hostname, email address, IP address or URL"
    }
  );
+
+export const validateAndMapAltNameType = (name: string): TAltNameMapping | null => {
+  if (isFQDN(name, { allow_wildcard: true, require_tld: false })) {
+    return { type: TAltNameType.DNS, value: name };
+  }
+  if (z.string().url().safeParse(name).success) {
+    return { type: TAltNameType.URL, value: name };
+  }
+  if (z.string().email().safeParse(name).success) {
+    return { type: TAltNameType.EMAIL, value: name };
+  }
+  if (isValidIp(name)) {
+    return { type: TAltNameType.IP, value: name };
+  }
+  return null;
+};
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
@@ -1,7 +1,6 @@
 /* eslint-disable no-bitwise */
 import * as x509 from "@peculiar/x509";
 import RE2 from "re2";
-import { z } from "zod";

 import { TCertificateTemplates, TPkiSubscribers } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
@@ -9,7 +8,6 @@ import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TCertificateSecretDALFactory } from "@app/services/certificate/certificate-secret-dal";
@@ -17,7 +15,8 @@ import {
  CertExtendedKeyUsage,
  CertKeyAlgorithm,
  CertKeyUsage,
-  CertStatus
+  CertStatus,
+  TAltNameMapping
 } from "@app/services/certificate/certificate-types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -34,6 +33,7 @@ import {
 } from "../certificate-authority-fns";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
 import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";
+import { validateAndMapAltNameType } from "../certificate-authority-validators";

 type TInternalCertificateAuthorityFnsDeps = {
  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa" | "findById">;
@@ -152,27 +152,15 @@ export const InternalCertificateAuthorityFns = ({
      extensions.push(extendedKeyUsagesExtension);
    }

-    let altNamesArray: { type: "email" | "dns" | "ip" | "url"; value: string }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];

    if (subscriber.subjectAlternativeNames?.length) {
      altNamesArray = subscriber.subjectAlternativeNames.map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
+        const altNameType = validateAndMapAltNameType(altName);
+        if (!altNameType) {
+          throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
        }
-
-        if (isFQDN(altName, { allow_wildcard: true, require_tld: false })) {
-          return { type: "dns", value: altName };
-        }
-
-        if (z.string().url().safeParse(altName).success) {
-          return { type: "url", value: altName };
-        }
-
-        if (z.string().ip().safeParse(altName).success) {
-          return { type: "ip", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
+        return altNameType;
      });

      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
@@ -426,27 +414,15 @@ export const InternalCertificateAuthorityFns = ({
      );
    }

-    let altNamesArray: { type: "email" | "dns" | "ip" | "url"; value: string }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];

    if (altNames) {
      altNamesArray = altNames.split(",").map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
+        const altNameType = validateAndMapAltNameType(altName);
+        if (!altNameType) {
+          throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
        }
-
-        if (isFQDN(altName, { allow_wildcard: true, require_tld: false })) {
-          return { type: "dns", value: altName };
-        }
-
-        if (z.string().url().safeParse(altName).success) {
-          return { type: "url", value: altName };
-        }
-
-        if (z.string().ip().safeParse(altName).success) {
-          return { type: "ip", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
+        return altNameType;
      });

      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
@@ -2,7 +2,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import slugify from "@sindresorhus/slugify";
-import { z } from "zod";

 import { ActionProjectType, TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -18,7 +17,6 @@ import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -34,7 +32,8 @@ import {
  CertExtendedKeyUsageOIDToName,
  CertKeyAlgorithm,
  CertKeyUsage,
-  CertStatus
+  CertStatus,
+  TAltNameMapping
 } from "../../certificate/certificate-types";
 import { TCertificateTemplateDALFactory } from "../../certificate-template/certificate-template-dal";
 import { validateCertificateDetailsAgainstTemplate } from "../../certificate-template/certificate-template-fns";
@@ -69,6 +68,7 @@ import {
  TSignIntermediateDTO,
  TUpdateCaDTO
 } from "./internal-certificate-authority-types";
+import { validateAndMapAltNameType } from "../certificate-authority-validators";

 type TInternalCertificateAuthorityServiceFactoryDep = {
  certificateAuthorityDAL: Pick<
@@ -1364,34 +1364,18 @@ export const internalCertificateAuthorityServiceFactory = ({
      );
    }

-    let altNamesArray: {
-      type: "email" | "dns";
-      value: string;
-    }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];

    if (altNames) {
      altNamesArray = altNames
        .split(",")
        .map((name) => name.trim())
-        .map((altName) => {
-          // check if the altName is a valid email
-          if (z.string().email().safeParse(altName).success) {
-            return {
-              type: "email",
-              value: altName
-            };
+        .map((altName): TAltNameMapping => {
+          const altNameType = validateAndMapAltNameType(altName);
+          if (!altNameType) {
+            throw new Error(`Invalid altName: ${altName}`);
          }
-
-          // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
-            return {
-              type: "dns",
-              value: altName
-            };
-          }
-
-          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
-          throw new Error(`Invalid altName: ${altName}`);
+          return altNameType;
        });

      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
@@ -1766,34 +1750,22 @@ export const internalCertificateAuthorityServiceFactory = ({
    }

    let altNamesFromCsr: string = "";
-    let altNamesArray: {
-      type: "email" | "dns";
-      value: string;
-    }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];
+
    if (altNames) {
      altNamesArray = altNames
        .split(",")
        .map((name) => name.trim())
-        .map((altName) => {
-          // check if the altName is a valid email
-          if (z.string().email().safeParse(altName).success) {
-            return {
-              type: "email",
-              value: altName
-            };
+        .map((altName): TAltNameMapping => {
+          const altNameType = validateAndMapAltNameType(altName);
+          if (!altNameType) {
+            throw new Error(`Invalid altName: ${altName}`);
          }
-
-          // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
-            return {
-              type: "dns",
-              value: altName
-            };
-          }
-
-          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
-          throw new Error(`Invalid altName: ${altName}`);
+          return altNameType;
        });
+
+      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+      extensions.push(altNamesExtension);
    } else {
      // attempt to read from CSR if altNames is not explicitly provided
      const sanExtension = csrObj.extensions.find((ext) => ext.type === "2.5.29.17");
@@ -1801,11 +1773,16 @@ export const internalCertificateAuthorityServiceFactory = ({
        const sanNames = new x509.GeneralNames(sanExtension.value);

        altNamesArray = sanNames.items
-          .filter((value) => value.type === "email" || value.type === "dns")
-          .map((name) => ({
-            type: name.type as "email" | "dns",
-            value: name.value
-          }));
+          .filter(
+            (value) => value.type === "email" || value.type === "dns" || value.type === "url" || value.type === "ip"
+          )
+          .map((name): TAltNameMapping => {
+            const altNameType = validateAndMapAltNameType(name.value);
+            if (!altNameType) {
+              throw new Error(`Invalid altName from CSR: ${name.value}`);
+            }
+            return altNameType;
+          });

        altNamesFromCsr = sanNames.items.map((item) => item.value).join(",");
      }
--- a/backend/src/services/certificate/certificate-types.ts
+++ b/backend/src/services/certificate/certificate-types.ts
@@ -104,3 +104,14 @@ export type TGetCertificateCredentialsDTO = {
  projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
+
+export enum TAltNameType {
+  EMAIL = "email",
+  DNS = "dns",
+  IP = "ip",
+  URL = "url"
+}
+export type TAltNameMapping = {
+  type: TAltNameType;
+  value: string;
+};
--- a/frontend/src/hooks/api/auditLogs/queries.tsx
+++ b/frontend/src/hooks/api/auditLogs/queries.tsx
@@ -1,8 +1,7 @@
 import { useInfiniteQuery, useQuery } from "@tanstack/react-query";
-import { AxiosError } from "axios";

-import { createNotification } from "@app/components/notifications";
 import { apiRequest } from "@app/config/request";
+import { onRequestError } from "@app/hooks/api/reactQuery";
 import { TReactQueryOptions } from "@app/types/reactQuery";

 import { Actor, AuditLog, TGetAuditLogsFilter } from "./types";
@@ -46,12 +45,7 @@ export const useGetAuditLogs = (
        );
        return data.auditLogs;
      } catch (error) {
-        if (error instanceof AxiosError) {
-          createNotification({
-            type: "error",
-            text: error.response?.data.message
-          });
-        }
+        onRequestError(error);
        return [];
      }
    },
--- a/frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx
+++ b/frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx
@@ -119,7 +119,7 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
          )}
        </Button>
      </DropdownMenuTrigger>
-      <DropdownMenuContent align="end" className="mt-4 py-4">
+      <DropdownMenuContent align="end" className="mt-4 overflow-visible py-4">
        <form onSubmit={handleSubmit(setFilter)}>
          <div className="flex min-w-64 flex-col font-inter">
            <div className="mb-3 flex items-center border-b border-b-mineshaft-500 px-3 pb-2">
@@ -176,7 +176,8 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
                          </div>
                        </DropdownMenuTrigger>
                        <DropdownMenuContent
-                          align="start"
+                          align="end"
+                          sideOffset={2}
                          className="thin-scrollbar z-[100] max-h-80 overflow-hidden"
                        >
                          <div className="max-h-80 overflow-y-auto">
@@ -258,6 +259,7 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
                          else setValue("userAgentType", e as UserAgentType, { shouldDirty: true });
                        }}
                        className={twMerge("w-full border border-mineshaft-500 bg-mineshaft-700")}
+                        position="popper"
                      >
                        <SelectItem value="all" key="all">
                          All sources
@@ -319,7 +321,6 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
              <AnimatePresence initial={false}>
                {showSecretsSection && (
                  <motion.div
-                    className="overflow-hidden"
                    initial={{ opacity: 0, height: 0 }}
                    animate={{ opacity: 1, height: "auto" }}
                    exit={{ opacity: 0, height: 0 }}
@@ -352,6 +353,7 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
                          >
                            <FilterableSelect
                              value={value}
+                              menuPlacement="top"
                              key={value?.name || "filter-environment"}
                              isClearable
                              isDisabled={!selectedProject}
Author	SHA1	Message	Date
=	4f52400887	feat: removed provider password from sql database	2025-08-08 12:35:33 +05:30
=	34eb9f475a	feat: fixed tokenization strategy	2025-08-08 12:29:19 +05:30
=	676ebaf3c2	feat: updated by reptile feedback	2025-08-07 20:55:41 +05:30
=	adb3185042	feat: better error notification for dynamic secret	2025-08-07 20:37:05 +05:30
x032205	1ad02e2da6	Merge pull request #4324 from Infisical/mssql-ssl-issue-fix servername host for mssql	2025-08-06 21:08:21 -04:00
x032205	e105a5f7da	servername host for mssql	2025-08-06 19:53:13 -04:00
Scott Wilson	72b80e1fd7	Merge pull request #4323 from Infisical/audit-log-error-message-parsing-fix fix(frontend): correctly parse fetch audit log error message	2025-08-06 15:47:25 -07:00
Scott Wilson	6429adfaf6	Merge pull request #4322 from Infisical/audit-log-dropdown-overflow improvement(frontend): update styling and overflow for audit log filter	2025-08-06 15:43:49 -07:00
Scott Wilson	fd89b3c702	fix: correctly parse audit log error message	2025-08-06 15:42:27 -07:00
Scott Wilson	50e40e8bcf	improvement: update styling and overflow for audit log filter	2025-08-06 15:17:55 -07:00
x032205	59cffe8cfb	Merge pull request #4313 from JuliusMieliauskas/fix-san-extension-contents FIX: SAN extension field in certificate issuance	2025-08-05 21:26:43 -04:00
Maidul Islam	fa61867a72	Merge pull request #4316 from Infisical/docs/update-self-hostable-ips Update prerequisites sections for secret syncs/rotations to include being able to accept requests…	2025-08-05 17:45:17 -07:00
Julius Mieliauskas	e7a6f46f56	refactored SAN validation logic	2025-08-06 00:26:27 +03:00
Julius Mieliauskas	e9f5055481	fixed SAN extension field in certificate issuance	2025-08-05 20:19:17 +03:00