doc: documentation updates for gcp app connection

Improvements: Integration Docs Nav Bar Reorder & Azure Integration Logo fix

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -39,11 +39,13 @@ export const auditLogDALFactory = (db: TDbClient) => {
       offset = 0,
       actorId,
       actorType,
+      secretPath,
       eventType,
       eventMetadata
     }: Omit<TFindQuery, "actor" | "eventType"> & {
       actorId?: string;
       actorType?: ActorType;
+      secretPath?: string;
       eventType?: EventType[];
       eventMetadata?: Record<string, string>;
     },
@@ -88,6 +90,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
         });
       }
 
+      if (projectId && secretPath) {
+        void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object('secretPath', ?::text)`, [secretPath]);
+      }
+
       // Filter by actor type
       if (actorType) {
         void sqlQuery.where("actor", actorType);

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -46,10 +46,6 @@ export const auditLogServiceFactory = ({
         actorOrgId
       );
 
-      /**
-       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
-       * to the organization level ✅
-       */
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
     }
 
@@ -64,6 +60,7 @@ export const auditLogServiceFactory = ({
       actorId: filter.auditLogActorId,
       actorType: filter.actorType,
       eventMetadata: filter.eventMetadata,
+      secretPath: filter.secretPath,
       ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
     });
 

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -32,6 +32,7 @@ export type TListProjectAuditLogDTO = {
     projectId?: string;
     auditLogActorId?: string;
     actorType?: ActorType;
+    secretPath?: string;
     eventMetadata?: Record<string, string>;
   };
 } & Omit<TProjectPermission, "projectId">;

backend/src/lib/api-docs/constants.ts

@@ -828,6 +828,8 @@ export const AUDIT_LOGS = {
     projectId:
       "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
     eventType: "The type of the event to export.",
+    secretPath:
+      "The path of the secret to query audit logs for. Note that the projectId parameter must also be provided.",
     userAgentType: "Choose which consuming application to export audit logs for.",
     eventMetadata:
       "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",

backend/src/server/routes/v1/integration-auth-router.ts

@@ -1151,6 +1151,50 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:integrationAuthId/vercel/custom-environments",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      querystring: z.object({
+        teamId: z.string().trim()
+      }),
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          environments: z
+            .object({
+              appId: z.string(),
+              customEnvironments: z
+                .object({
+                  id: z.string(),
+                  slug: z.string()
+                })
+                .array()
+            })
+            .array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const environments = await server.services.integrationAuth.getVercelCustomEnvironments({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationAuthId,
+        teamId: req.query.teamId
+      });
+
+      return { environments };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/:integrationAuthId/octopus-deploy/spaces",

backend/src/server/routes/v1/organization-router.ts

@@ -11,7 +11,7 @@ import {
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
-import { getLastMidnightDateISO } from "@app/lib/fn";
+import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -113,6 +113,12 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       querystring: z.object({
         projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
         actorType: z.nativeEnum(ActorType).optional(),
+        secretPath: z
+          .string()
+          .optional()
+          .transform((val) => (!val ? val : removeTrailingSlash(val)))
+          .describe(AUDIT_LOGS.EXPORT.secretPath),
+
         // eventType is split with , for multiple values, we need to transform it to array
         eventType: z
           .string()

backend/src/server/routes/v1/password-router.ts

@@ -203,7 +203,8 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
         encryptedPrivateKeyIV: z.string().trim(),
         encryptedPrivateKeyTag: z.string().trim(),
         salt: z.string().trim(),
-        verifier: z.string().trim()
+        verifier: z.string().trim(),
+        password: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -218,7 +219,69 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
         userId: token.userId
       });
 
-      return { message: "Successfully updated backup private key" };
+      return { message: "Successfully reset password" };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/email/password-setup",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      await server.services.password.sendPasswordSetupEmail(req.permission);
+
+      return {
+        message: "A password setup link has been sent"
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/password-setup",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        protectedKey: z.string().trim(),
+        protectedKeyIV: z.string().trim(),
+        protectedKeyTag: z.string().trim(),
+        encryptedPrivateKey: z.string().trim(),
+        encryptedPrivateKeyIV: z.string().trim(),
+        encryptedPrivateKeyTag: z.string().trim(),
+        salt: z.string().trim(),
+        verifier: z.string().trim(),
+        password: z.string().trim(),
+        token: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    handler: async (req, res) => {
+      await server.services.password.setupPassword(req.body, req.permission);
+
+      const appCfg = getConfig();
+      void res.cookie("jid", "", {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: appCfg.HTTPS_ENABLED
+      });
+
+      return { message: "Successfully setup password" };
     }
   });
 };

backend/src/services/app-connection/gcp/gcp-connection-fns.ts

@@ -153,7 +153,7 @@ export const validateGcpConnectionCredentials = async (appConnection: TGcpConnec
     const serviceAccountId = appConnection.credentials.serviceAccountEmail.split("@")[0];
     if (!serviceAccountId.endsWith(expectedAccountIdSuffix)) {
       throw new BadRequestError({
-        message: `GCP service account ID (the part of the email before '@') must have a suffix of "${expectedAccountIdSuffix}"`
+        message: `GCP service account ID must have a suffix of "${expectedAccountIdSuffix}" e.g. service-account-${expectedAccountIdSuffix}@my-project.iam.gserviceaccount.com"`
       });
     }
   }

backend/src/services/auth-token/auth-token-service.ts

@@ -57,6 +57,12 @@ export const getTokenConfig = (tokenType: TokenType) => {
       const expiresAt = new Date(new Date().getTime() + 86400000);
       return { token, expiresAt };
     }
+    case TokenType.TOKEN_EMAIL_PASSWORD_SETUP: {
+      // generate random hex
+      const token = crypto.randomBytes(16).toString("hex");
+      const expiresAt = new Date(new Date().getTime() + 86400000);
+      return { token, expiresAt };
+    }
     case TokenType.TOKEN_USER_UNLOCK: {
       const token = crypto.randomBytes(16).toString("hex");
       const expiresAt = new Date(new Date().getTime() + 259200000);

backend/src/services/auth-token/auth-token-types.ts

@@ -6,6 +6,7 @@ export enum TokenType {
   TOKEN_EMAIL_MFA = "emailMfa",
   TOKEN_EMAIL_ORG_INVITATION = "organizationInvitation",
   TOKEN_EMAIL_PASSWORD_RESET = "passwordReset",
+  TOKEN_EMAIL_PASSWORD_SETUP = "passwordSetup",
   TOKEN_USER_UNLOCK = "userUnlock"
 }
 

backend/src/services/auth/auth-password-service.ts

@@ -4,6 +4,8 @@ import jwt from "jsonwebtoken";
 import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
+import { BadRequestError } from "@app/lib/errors";
+import { OrgServiceActor } from "@app/lib/types";
 
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
@@ -11,8 +13,13 @@ import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TTotpConfigDALFactory } from "../totp/totp-config-dal";
 import { TUserDALFactory } from "../user/user-dal";
 import { TAuthDALFactory } from "./auth-dal";
-import { TChangePasswordDTO, TCreateBackupPrivateKeyDTO, TResetPasswordViaBackupKeyDTO } from "./auth-password-type";
-import { AuthTokenType } from "./auth-type";
+import {
+  TChangePasswordDTO,
+  TCreateBackupPrivateKeyDTO,
+  TResetPasswordViaBackupKeyDTO,
+  TSetupPasswordViaBackupKeyDTO
+} from "./auth-password-type";
+import { ActorType, AuthMethod, AuthTokenType } from "./auth-type";
 
 type TAuthPasswordServiceFactoryDep = {
   authDAL: TAuthDALFactory;
@@ -169,8 +176,13 @@ export const authPaswordServiceFactory = ({
     verifier,
     encryptedPrivateKeyIV,
     encryptedPrivateKeyTag,
-    userId
+    userId,
+    password
   }: TResetPasswordViaBackupKeyDTO) => {
+    const cfg = getConfig();
+
+    const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+
     await userDAL.updateUserEncryptionByUserId(userId, {
       encryptionVersion: 2,
       protectedKey,
@@ -180,7 +192,8 @@ export const authPaswordServiceFactory = ({
       iv: encryptedPrivateKeyIV,
       tag: encryptedPrivateKeyTag,
       salt,
-      verifier
+      verifier,
+      hashedPassword
     });
 
     await userDAL.updateById(userId, {
@@ -267,6 +280,108 @@ export const authPaswordServiceFactory = ({
     return backupKey;
   };
 
+  const sendPasswordSetupEmail = async (actor: OrgServiceActor) => {
+    if (actor.type !== ActorType.USER)
+      throw new BadRequestError({ message: `Actor of type ${actor.type} cannot set password` });
+
+    const user = await userDAL.findById(actor.id);
+
+    if (!user) throw new BadRequestError({ message: `Could not find user with ID ${actor.id}` });
+
+    if (!user.isAccepted || !user.authMethods)
+      throw new BadRequestError({ message: `You must complete signup to set a password` });
+
+    const cfg = getConfig();
+
+    const token = await tokenService.createTokenForUser({
+      type: TokenType.TOKEN_EMAIL_PASSWORD_SETUP,
+      userId: user.id
+    });
+
+    const email = user.email ?? user.username;
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.SetupPassword,
+      recipients: [email],
+      subjectLine: "Infisical Password Setup",
+      substitutions: {
+        email,
+        token,
+        callback_url: cfg.SITE_URL ? `${cfg.SITE_URL}/password-setup` : ""
+      }
+    });
+  };
+
+  const setupPassword = async (
+    {
+      encryptedPrivateKey,
+      protectedKeyTag,
+      protectedKey,
+      protectedKeyIV,
+      salt,
+      verifier,
+      encryptedPrivateKeyIV,
+      encryptedPrivateKeyTag,
+      password,
+      token
+    }: TSetupPasswordViaBackupKeyDTO,
+    actor: OrgServiceActor
+  ) => {
+    try {
+      await tokenService.validateTokenForUser({
+        type: TokenType.TOKEN_EMAIL_PASSWORD_SETUP,
+        userId: actor.id,
+        code: token
+      });
+    } catch (e) {
+      throw new BadRequestError({ message: "Expired or invalid token. Please try again." });
+    }
+
+    await userDAL.transaction(async (tx) => {
+      const user = await userDAL.findById(actor.id, tx);
+
+      if (!user) throw new BadRequestError({ message: `Could not find user with ID ${actor.id}` });
+
+      if (!user.isAccepted || !user.authMethods)
+        throw new BadRequestError({ message: `You must complete signup to set a password` });
+
+      if (!user.authMethods.includes(AuthMethod.EMAIL)) {
+        await userDAL.updateById(
+          actor.id,
+          {
+            authMethods: [...user.authMethods, AuthMethod.EMAIL]
+          },
+          tx
+        );
+      }
+
+      const cfg = getConfig();
+
+      const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+
+      await userDAL.updateUserEncryptionByUserId(
+        actor.id,
+        {
+          encryptionVersion: 2,
+          protectedKey,
+          protectedKeyIV,
+          protectedKeyTag,
+          encryptedPrivateKey,
+          iv: encryptedPrivateKeyIV,
+          tag: encryptedPrivateKeyTag,
+          salt,
+          verifier,
+          hashedPassword,
+          serverPrivateKey: null,
+          clientPublicKey: null
+        },
+        tx
+      );
+    });
+
+    await tokenService.revokeAllMySessions(actor.id);
+  };
+
   return {
     generateServerPubKey,
     changePassword,
@@ -274,6 +389,8 @@ export const authPaswordServiceFactory = ({
     sendPasswordResetEmail,
     verifyPasswordResetEmail,
     createBackupPrivateKey,
-    getBackupPrivateKeyOfUser
+    getBackupPrivateKeyOfUser,
+    sendPasswordSetupEmail,
+    setupPassword
   };
 };

backend/src/services/auth/auth-password-type.ts

@@ -23,6 +23,20 @@ export type TResetPasswordViaBackupKeyDTO = {
   encryptedPrivateKeyTag: string;
   salt: string;
   verifier: string;
+  password: string;
+};
+
+export type TSetupPasswordViaBackupKeyDTO = {
+  protectedKey: string;
+  protectedKeyIV: string;
+  protectedKeyTag: string;
+  encryptedPrivateKey: string;
+  encryptedPrivateKeyIV: string;
+  encryptedPrivateKeyTag: string;
+  salt: string;
+  verifier: string;
+  password: string;
+  token: string;
 };
 
 export type TCreateBackupPrivateKeyDTO = {

backend/src/services/integration-auth/integration-app-list.ts

@@ -132,16 +132,26 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
 
 /**
  * Return list of names of apps for Vercel integration
+ * This is re-used for getting custom environments for Vercel
  */
-const getAppsVercel = async ({ accessToken, teamId }: { teamId?: string | null; accessToken: string }) => {
-  const apps: Array<{ name: string; appId: string }> = [];
+export const getAppsVercel = async ({ accessToken, teamId }: { teamId?: string | null; accessToken: string }) => {
+  const apps: Array<{ name: string; appId: string; customEnvironments: Array<{ slug: string; id: string }> }> = [];
 
   const limit = "20";
   let hasMorePages = true;
   let next: number | null = null;
 
   interface Response {
-    projects: { name: string; id: string }[];
+    projects: {
+      name: string;
+      id: string;
+      customEnvironments?: {
+        id: string;
+        type: string;
+        description: string;
+        slug: string;
+      }[];
+    }[];
     pagination: {
       count: number;
       next: number | null;
@@ -173,7 +183,12 @@ const getAppsVercel = async ({ accessToken, teamId }: { teamId?: string | null;
     data.projects.forEach((a) => {
       apps.push({
         name: a.name,
-        appId: a.id
+        appId: a.id,
+        customEnvironments:
+          a.customEnvironments?.map((env) => ({
+            slug: env.slug,
+            id: env.id
+          })) ?? []
       });
     });
 

backend/src/services/integration-auth/integration-auth-service.ts

@@ -25,11 +25,12 @@ import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
 import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
-import { getApps } from "./integration-app-list";
+import { getApps, getAppsVercel } from "./integration-app-list";
 import { TCircleCIContext } from "./integration-app-types";
 import { TIntegrationAuthDALFactory } from "./integration-auth-dal";
 import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import {
+  GetVercelCustomEnvironmentsDTO,
   OctopusDeployScope,
   TBitbucketEnvironment,
   TBitbucketWorkspace,
@@ -1825,6 +1826,41 @@ export const integrationAuthServiceFactory = ({
     return integrationAuthDAL.create(newIntegrationAuth);
   };
 
+  const getVercelCustomEnvironments = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    teamId,
+    id
+  }: GetVercelCustomEnvironmentsDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(id);
+    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+
+    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(integrationAuth.projectId);
+    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
+
+    const vercelApps = await getAppsVercel({
+      accessToken,
+      teamId
+    });
+
+    return vercelApps.map((app) => ({
+      customEnvironments: app.customEnvironments,
+      appId: app.appId
+    }));
+  };
+
   const getOctopusDeploySpaces = async ({
     actorId,
     actor,
@@ -1944,6 +1980,7 @@ export const integrationAuthServiceFactory = ({
     getIntegrationAccessToken,
     duplicateIntegrationAuth,
     getOctopusDeploySpaces,
-    getOctopusDeployScopeValues
+    getOctopusDeployScopeValues,
+    getVercelCustomEnvironments
   };
 };

backend/src/services/integration-auth/integration-auth-types.ts

@@ -284,3 +284,8 @@ export type TOctopusDeployVariableSet = {
     Self: string;
   };
 };
+
+export type GetVercelCustomEnvironmentsDTO = {
+  teamId: string;
+  id: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -1450,9 +1450,13 @@ const syncSecretsVercel = async ({
   secrets: Record<string, { value: string; comment?: string } | null>;
   accessToken: string;
 }) => {
+  const isCustomEnvironment = !["development", "preview", "production"].includes(
+    integration.targetEnvironment as string
+  );
   interface VercelSecret {
     id?: string;
     type: string;
+    customEnvironmentIds?: string[];
     key: string;
     value: string;
     target: string[];
@@ -1486,6 +1490,16 @@ const syncSecretsVercel = async ({
       }
     )
   ).data.envs.filter((secret) => {
+    if (isCustomEnvironment) {
+      if (!secret.customEnvironmentIds?.includes(integration.targetEnvironment as string)) {
+        // case: secret does not have the same custom environment
+        return false;
+      }
+
+      // no need to check for preview environment, as custom environments are not available in preview
+      return true;
+    }
+
     if (!secret.target.includes(integration.targetEnvironment as string)) {
       // case: secret does not have the same target environment
       return false;
@@ -1583,7 +1597,13 @@ const syncSecretsVercel = async ({
             key,
             value: infisicalSecrets[key]?.value,
             type: "encrypted",
-            target: [integration.targetEnvironment as string],
+            ...(isCustomEnvironment
+              ? {
+                  customEnvironmentIds: [integration.targetEnvironment as string]
+                }
+              : {
+                  target: [integration.targetEnvironment as string]
+                }),
             ...(integration.path
               ? {
                   gitBranch: integration.path
@@ -1607,9 +1627,19 @@ const syncSecretsVercel = async ({
             key,
             value: infisicalSecrets[key]?.value,
             type: res[key].type,
-            target: res[key].target.includes(integration.targetEnvironment as string)
-              ? [...res[key].target]
-              : [...res[key].target, integration.targetEnvironment as string],
+
+            ...(!isCustomEnvironment
+              ? {
+                  target: res[key].target.includes(integration.targetEnvironment as string)
+                    ? [...res[key].target]
+                    : [...res[key].target, integration.targetEnvironment as string]
+                }
+              : {
+                  customEnvironmentIds: res[key].customEnvironmentIds?.includes(integration.targetEnvironment as string)
+                    ? [...(res[key].customEnvironmentIds || [])]
+                    : [...(res[key]?.customEnvironmentIds || []), integration.targetEnvironment as string]
+                }),
+
             ...(integration.path
               ? {
                   gitBranch: integration.path

backend/src/services/smtp/smtp-service.ts

@@ -30,6 +30,7 @@ export enum SmtpTemplates {
   NewDeviceJoin = "newDevice.handlebars",
   OrgInvite = "organizationInvitation.handlebars",
   ResetPassword = "passwordReset.handlebars",
+  SetupPassword = "passwordSetup.handlebars",
   SecretLeakIncident = "secretLeakIncident.handlebars",
   WorkspaceInvite = "workspaceInvitation.handlebars",
   ScimUserProvisioned = "scimUserProvisioned.handlebars",

backend/src/services/smtp/templates/passwordSetup.handlebars

@@ -0,0 +1,17 @@
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Password Setup</title>
+  </head>
+  <body>
+    <h2>Setup your password</h2>
+    <p>Someone requested to set up a password for your account.</p>
+    <p><strong>Make sure you are already logged in to Infisical in the current browser before clicking the link below.</strong></p>
+    <a href="{{callback_url}}?token={{token}}&to={{email}}">Setup password</a>
+    <p>If you didn't initiate this request, please contact
+      {{#if isCloud}}us immediately at team@infisical.com.{{else}}your administrator immediately.{{/if}}</p>
+
+    {{emailFooter}}
+  </body>
+</html>

company/documentation/engineering/how-to-write-design-doc.mdx

@@ -0,0 +1,67 @@
+---
+title: "How to write a design document"
+sidebarTitle: "Writing Design Docs"
+description: "Learn how to write a design document at Infisical"
+---
+
+## **Why write a design document?**
+
+Writing a design document helps you efficiently solve broad, complex engineering problems at Infisical. While planning is important, we are a startup, so speed and urgency should be your top of mind. Keep the process lightweight and time boxed so that we can get the most out of it.
+
+**Writing a design will help you:**
+
+- **Understand the problem space:** Deeply understand the problem you’re solving to make sure it is well scoped.
+- **Stay on the right path:** Without proper planning, you risk cycling between partial implementation and replanning, encountering roadblocks that force you back to square one. A solid plan minimizes wasted engineering hours.
+- **An opportunity to collaborate:** Bring relevant engineers into the discussion to develop well-thought-out solutions and catch potential issues you might have overlooked.
+- **Faster implementation:** A well-thought-out plan will help you catch roadblocks early and ship quickly because you know exactly what needs to get implemented.
+
+**When to write a design document:** 
+
+- **Write a design doc**: If the feature is not well defined, high-security, or will take more than **1 full engineering week** to build.
+- **Skip the design doc**: For small, straightforward features that can be built quickly with informal discussions.
+
+If you are unsure when to create a design doc, chat with @maidul.
+
+## **What to Include in your Design Document**
+
+Every feature/problem is unique, but your design docs should generally include the following sections. If you need to include additional sections, feel free to do so.
+
+1. **Title**
+    - A descriptive title.
+    - Name of document owner and name of reviewer(s).
+2. **Overview**
+    - A high-level summary of the problem and proposed solution. Keep it brief (max 3 paragraphs).
+3. **Context**
+    - Explain the problem’s background, why it’s important to solve now, and any constraints (e.g., technical, sales, or timeline-related). What do we get out of solving this problem? (needed to close a deal, scale, performance, etc.). 
+4. **Solution**
+    - Provide a big-picture explanation of the solution, followed by detailed technical architecture.
+    - Use diagrams/charts where needed.
+    - Write clearly so that another engineer could implement the solution in your absence.
+5. **Milestones**
+    - Break the project into phases with clear start and end dates estimates. Use a table or bullet points.
+6. **FAQ**
+    - Common questions or concerns someone might have while reading your document that can be quickly addressed.
+
+
+## **How to Write a Design Doc**
+
+- **Keep it Simple**: Use clear, simple language. Opt for short sentences, bullet points, and concrete examples over fluff writing.
+- **Use Visuals**: Add diagrams and charts for clarity to convey your ideas.
+- **Make it Self-Explanatory**: Ensure that anyone reading the document can understand and implement the plan without needing additional context.
+
+Before sharing your design docs with others, review your design doc as if you were a teammate seeing it for the first time. Anticipate questions and address them.
+
+
+## **Process from start to finish**
+
+1. **Research/Discuss**
+    - Before you start writing, take some time to research and get a solid understanding of the problem space. Look into how other well-established companies are tackling similar challenges, if they are. 
+      Talk through the problem and your initial solution with other engineers on the team—bounce ideas around and get their feedback. If you have ideas on how the system could if implemented in Infisical, would it effect any downstream features/systems, etc?
+      
+      Once you’ve got a general direction, you might need to test a some theories. This is where quick proof of concepts (POCs) come in handy, but don’t get too caught up in the details. The goal of a POC is simply to validate a core idea or concept so you can get to the rest of your planning.
+2. **Write the Doc**
+    - Based on your research/discussions, write the design doc and include all relevant sections. Your goal is to come up with a convincing plan on why this is the correct why to solve the problem at hand.
+3. **Assign Reviewers**
+    - Ask a relevant engineer(s) to review your document. Their role is to identify blind spots, challenge assumptions, and ensure everything is clear. Once you and the reviewer are on the same page on the approach, update the document with any missing details they brought up.
+4. **Team Review and Feedback**
+    - Invite the relevant engineers to a design doc review meeting and give them 10-15 minutes to read through the document. After everyone has had a chance to review it, open the floor up for discussion. Address any feedback or concerns raised during this meeting. If significant points were overlooked during your initial planning, you may need to revisit the drawing board. Your goal is to think about the feature holistically and minimize the need for drastic changes to your design doc later on.

company/mint.json

@@ -66,7 +66,8 @@
         {
           "group": "Engineering",
           "pages": [
-            "documentation/engineering/oncall"
+            "documentation/engineering/oncall",
+            "documentation/engineering/how-to-write-design-doc"
           ]
         }
       ]

docs/integrations/app-connections/gcp.mdx

@@ -10,16 +10,21 @@ Infisical supports [service account impersonation](https://cloud.google.com/iam/
     configuring your instance to use it.
 
     <Steps>
+        <Step title="Enable the IAM Service Account Credentials API">
+            ![Service Account API](/images/app-connections/gcp/service-account-credentials-api.png)
+        </Step>
         <Step title="Navigate to IAM & Admin > Service Accounts in Google Cloud Console">
-            ![Service Account Page](/images/app-connections/gcp/service-account-overview.png)
+            ![Service Account IAM Page](/images/app-connections/gcp/service-account-overview.png)
         </Step>
         <Step title="Create a Service Account">
             Create a new service account that will be used to impersonate other GCP service accounts for your app connections.
-            ![Service Account Page](/images/app-connections/gcp/create-instance-service-account.png)
+            ![Create Service Account Page](/images/app-connections/gcp/create-instance-service-account.png)
+
+            Press "DONE" after creating the service account.
         </Step>
         <Step title="Generate Service Account Key">
             Download the JSON key file for your service account. This will be used to authenticate your instance with GCP.
-            ![Service Account Page](/images/app-connections/gcp/create-service-account-credential.png)
+            ![Service Account Credential Page](/images/app-connections/gcp/create-service-account-credential.png)
         </Step>
         <Step title="Configure Your Instance">
             1. Copy the entire contents of the downloaded JSON key file.
@@ -55,9 +60,19 @@ Infisical supports [service account impersonation](https://cloud.google.com/iam/
                 ![Assign Service Account Permission](/images/app-connections/gcp/service-account-secret-sync-permission.png)
             </Tab>
         </Tabs>
+        After configuring the appropriate roles, press "DONE".
     </Step>
     <Step title="Enable Service Account Impersonation">
-        On the new service account, assign the `Service Account Token Creator` role to the Infisical instance's service account. This allows Infisical to impersonate the new service account.
+        To enable service account impersonation, you'll need to grant the **Service Account Token Creator** role to the Infisical instance's service account. This configuration allows Infisical to securely impersonate the new service account.
+        - Navigate to the IAM & Admin > Service Accounts section in your Google Cloud Console
+        - Select the newly created service account
+        - Click on the "PERMISSIONS" tab
+        - Click "Grant Access" to add a new principal
+
+        If you're using Infisical Cloud US, use the following service account: infisical-us@infisical-us.iam.gserviceaccount.com
+
+        If you're using Infisical Cloud EU, use the following service account: infisical-eu@infisical-eu.iam.gserviceaccount.com
+
         ![Service Account Page](/images/app-connections/gcp/service-account-grant-access.png)
     </Step>
 

docs/mint.json

@@ -344,34 +344,6 @@
         "cli/faq"
       ]
     },
-    {
-      "group": "App Connections",
-      "pages": [
-        "integrations/app-connections/overview",
-        {
-          "group": "Connections",
-          "pages": [
-            "integrations/app-connections/aws",
-            "integrations/app-connections/github",
-            "integrations/app-connections/gcp"
-          ]
-        }
-      ]
-    },
-    {
-      "group": "Secret Syncs",
-      "pages": [
-        "integrations/secret-syncs/overview",
-        {
-          "group": "Syncs",
-          "pages": [
-            "integrations/secret-syncs/aws-parameter-store",
-            "integrations/secret-syncs/github",
-            "integrations/secret-syncs/gcp-secret-manager"
-          ]
-        }
-      ]
-    },
     {
       "group": "Infrastructure Integrations",
       "pages": [
@@ -406,6 +378,34 @@
         "integrations/platforms/ansible"
       ]
     },
+    {
+      "group": "App Connections",
+      "pages": [
+        "integrations/app-connections/overview",
+        {
+          "group": "Connections",
+          "pages": [
+            "integrations/app-connections/aws",
+            "integrations/app-connections/github",
+            "integrations/app-connections/gcp"
+          ]
+        }
+      ]
+    },
+    {
+      "group": "Secret Syncs",
+      "pages": [
+        "integrations/secret-syncs/overview",
+        {
+          "group": "Syncs",
+          "pages": [
+            "integrations/secret-syncs/aws-parameter-store",
+            "integrations/secret-syncs/github",
+            "integrations/secret-syncs/gcp-secret-manager"
+          ]
+        }
+      ]
+    },
     {
       "group": "Native Integrations",
       "pages": [

frontend/src/const/routes.ts

@@ -13,7 +13,8 @@ export const ROUTE_PATHS = Object.freeze({
       "/_restrict-login-signup/login/provider/success"
     ),
     SignUpSsoPage: setRoute("/signup/sso", "/_restrict-login-signup/signup/sso"),
-    PasswordResetPage: setRoute("/password-reset", "/_restrict-login-signup/password-reset")
+    PasswordResetPage: setRoute("/password-reset", "/_restrict-login-signup/password-reset"),
+    PasswordSetupPage: setRoute("/password-setup", "/_authenticate/password-setup")
   },
   Organization: {
     SecretScanning: setRoute(

frontend/src/hooks/api/auditLogs/types.tsx

@@ -10,6 +10,7 @@ export type TGetAuditLogsFilter = {
   actorType?: ActorType;
   projectId?: string;
   actor?: string; // user ID format
+  secretPath?: string;
   startDate?: Date;
   endDate?: Date;
   limit: number;

frontend/src/hooks/api/auth/queries.tsx

@@ -23,6 +23,7 @@ import {
   MfaMethod,
   ResetPasswordDTO,
   SendMfaTokenDTO,
+  SetupPasswordDTO,
   SRP1DTO,
   SRPR1Res,
   TOauthTokenExchangeDTO,
@@ -286,7 +287,8 @@ export const useResetPassword = () => {
           encryptedPrivateKeyIV: details.encryptedPrivateKeyIV,
           encryptedPrivateKeyTag: details.encryptedPrivateKeyTag,
           salt: details.salt,
-          verifier: details.verifier
+          verifier: details.verifier,
+          password: details.password
         },
         {
           headers: {
@@ -336,3 +338,23 @@ export const checkUserTotpMfa = async () => {
 
   return data.isVerified;
 };
+
+export const useSendPasswordSetupEmail = () => {
+  return useMutation({
+    mutationFn: async () => {
+      const { data } = await apiRequest.post("/api/v1/password/email/password-setup");
+
+      return data;
+    }
+  });
+};
+
+export const useSetupPassword = () => {
+  return useMutation({
+    mutationFn: async (payload: SetupPasswordDTO) => {
+      const { data } = await apiRequest.post("/api/v1/password/password-setup", payload);
+
+      return data;
+    }
+  });
+};

frontend/src/hooks/api/auth/types.ts

@@ -133,6 +133,20 @@ export type ResetPasswordDTO = {
   salt: string;
   verifier: string;
   verificationToken: string;
+  password: string;
+};
+
+export type SetupPasswordDTO = {
+  protectedKey: string;
+  protectedKeyIV: string;
+  protectedKeyTag: string;
+  encryptedPrivateKey: string;
+  encryptedPrivateKeyIV: string;
+  encryptedPrivateKeyTag: string;
+  salt: string;
+  verifier: string;
+  token: string;
+  password: string;
 };
 
 export type IssueBackupPrivateKeyDTO = {

frontend/src/hooks/api/integrationAuth/index.tsx

@@ -16,5 +16,6 @@ export {
   useGetIntegrationAuthTeamCityBuildConfigs,
   useGetIntegrationAuthTeams,
   useGetIntegrationAuthVercelBranches,
+  useGetIntegrationAuthVercelCustomEnvironments,
   useSaveIntegrationAccessToken
 } from "./queries";

frontend/src/hooks/api/integrationAuth/queries.tsx

@@ -21,7 +21,8 @@ import {
   Team,
   TeamCityBuildConfig,
   TGetIntegrationAuthOctopusDeployScopeValuesDTO,
-  TOctopusDeployVariableSetScopeValues
+  TOctopusDeployVariableSetScopeValues,
+  VercelEnvironment
 } from "./types";
 
 const integrationAuthKeys = {
@@ -132,7 +133,9 @@ const integrationAuthKeys = {
   }: TGetIntegrationAuthOctopusDeployScopeValuesDTO) =>
     [{ integrationAuthId }, "getIntegrationAuthOctopusDeployScopeValues", params] as const,
   getIntegrationAuthCircleCIOrganizations: (integrationAuthId: string) =>
-    [{ integrationAuthId }, "getIntegrationAuthCircleCIOrganizations"] as const
+    [{ integrationAuthId }, "getIntegrationAuthCircleCIOrganizations"] as const,
+  getIntegrationAuthVercelCustomEnv: (integrationAuthId: string, teamId: string) =>
+    [{ integrationAuthId, teamId }, "integrationAuthVercelCustomEnv"] as const
 };
 
 const fetchIntegrationAuthById = async (integrationAuthId: string) => {
@@ -362,6 +365,29 @@ const fetchIntegrationAuthQoveryScopes = async ({
   return undefined;
 };
 
+const fetchIntegrationAuthVercelCustomEnvironments = async ({
+  integrationAuthId,
+  teamId
+}: {
+  integrationAuthId: string;
+  teamId: string;
+}) => {
+  const {
+    data: { environments }
+  } = await apiRequest.get<{
+    environments: {
+      appId: string;
+      customEnvironments: VercelEnvironment[];
+    }[];
+  }>(`/api/v1/integration-auth/${integrationAuthId}/vercel/custom-environments`, {
+    params: {
+      teamId
+    }
+  });
+
+  return environments;
+};
+
 const fetchIntegrationAuthHerokuPipelines = async ({
   integrationAuthId
 }: {
@@ -730,6 +756,24 @@ export const useGetIntegrationAuthQoveryScopes = ({
   });
 };
 
+export const useGetIntegrationAuthVercelCustomEnvironments = ({
+  integrationAuthId,
+  teamId
+}: {
+  integrationAuthId: string;
+  teamId: string;
+}) => {
+  return useQuery({
+    queryKey: integrationAuthKeys.getIntegrationAuthVercelCustomEnv(integrationAuthId, teamId),
+    queryFn: () =>
+      fetchIntegrationAuthVercelCustomEnvironments({
+        integrationAuthId,
+        teamId
+      }),
+    enabled: Boolean(teamId && integrationAuthId)
+  });
+};
+
 export const useGetIntegrationAuthHerokuPipelines = ({
   integrationAuthId
 }: {

frontend/src/hooks/api/integrationAuth/types.ts

@@ -43,6 +43,11 @@ export type Environment = {
   environmentId: string;
 };
 
+export type VercelEnvironment = {
+  id: string;
+  slug: string;
+};
+
 export type ChecklyGroup = {
   name: string;
   groupId: number;

frontend/src/pages/auth/PasswordResetPage/PasswordResetPage.tsx

@@ -136,7 +136,8 @@ export const PasswordResetPage = () => {
               encryptedPrivateKeyTag,
               salt: result.salt,
               verifier: result.verifier,
-              verificationToken
+              verificationToken,
+              password: newPassword
             });
 
             navigate({ to: "/login" });

frontend/src/pages/auth/PasswordSetupPage/PasswordSetupPage.tsx

@@ -0,0 +1,349 @@
+import crypto from "crypto";
+
+import { FormEvent, useState } from "react";
+import { faCheck, faEye, faEyeSlash, faKey, faX } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { useNavigate, useSearch } from "@tanstack/react-router";
+import jsrp from "jsrp";
+
+import { createNotification } from "@app/components/notifications";
+import passwordCheck from "@app/components/utilities/checks/password/PasswordCheck";
+import Aes256Gcm from "@app/components/utilities/cryptography/aes-256-gcm";
+import { deriveArgonKey } from "@app/components/utilities/cryptography/crypto";
+import { Button, Card, CardTitle, FormControl, Input } from "@app/components/v2";
+import { ROUTE_PATHS } from "@app/const/routes";
+import { useSetupPassword } from "@app/hooks/api/auth/queries";
+
+// eslint-disable-next-line new-cap
+const client = new jsrp.client();
+
+export const PasswordSetupPage = () => {
+  const [password, setPassword] = useState("");
+  const [confirmPassword, setConfirmPassword] = useState("");
+  const [showPassword, setShowPassword] = useState(false);
+  const [showConfirmPassword, setShowConfirmPassword] = useState(false);
+  const [passwordsMatch, setPasswordsMatch] = useState(true);
+  const [passwordErrorTooShort, setPasswordErrorTooShort] = useState(true);
+  const [passwordErrorTooLong, setPasswordErrorTooLong] = useState(false);
+  const [passwordErrorNoLetterChar, setPasswordErrorNoLetterChar] = useState(true);
+  const [passwordErrorNoNumOrSpecialChar, setPasswordErrorNoNumOrSpecialChar] = useState(true);
+  const [passwordErrorRepeatedChar, setPasswordErrorRepeatedChar] = useState(false);
+  const [passwordErrorEscapeChar, setPasswordErrorEscapeChar] = useState(false);
+  const [passwordErrorLowEntropy, setPasswordErrorLowEntropy] = useState(false);
+  const [passwordErrorBreached, setPasswordErrorBreached] = useState(false);
+  const [isRedirecting, setIsRedirecting] = useState(false);
+
+  const search = useSearch({ from: ROUTE_PATHS.Auth.PasswordSetupPage.id });
+
+  const navigate = useNavigate();
+
+  const setupPassword = useSetupPassword();
+
+  const parsedUrl = search;
+  const token = parsedUrl.token as string;
+  const email = (parsedUrl.to as string)?.replace(" ", "+").trim();
+
+  const handleSetPassword = async (e: FormEvent<HTMLFormElement>) => {
+    e.preventDefault();
+    const errorCheck = await passwordCheck({
+      password,
+      setPasswordErrorTooShort,
+      setPasswordErrorTooLong,
+      setPasswordErrorNoLetterChar,
+      setPasswordErrorNoNumOrSpecialChar,
+      setPasswordErrorRepeatedChar,
+      setPasswordErrorEscapeChar,
+      setPasswordErrorLowEntropy,
+      setPasswordErrorBreached
+    });
+
+    if (password !== confirmPassword) {
+      setPasswordsMatch(false);
+      return;
+    }
+
+    setPasswordsMatch(true);
+
+    if (!errorCheck) {
+      client.init(
+        {
+          username: email,
+          password
+        },
+        async () => {
+          client.createVerifier(async (_err: any, result: { salt: string; verifier: string }) => {
+            const derivedKey = await deriveArgonKey({
+              password,
+              salt: result.salt,
+              mem: 65536,
+              time: 3,
+              parallelism: 1,
+              hashLen: 32
+            });
+
+            if (!derivedKey) throw new Error("Failed to derive key from password");
+
+            const key = crypto.randomBytes(32);
+
+            // create encrypted private key by encrypting the private
+            // key with the symmetric key [key]
+            const {
+              ciphertext: encryptedPrivateKey,
+              iv: encryptedPrivateKeyIV,
+              tag: encryptedPrivateKeyTag
+            } = Aes256Gcm.encrypt({
+              text: localStorage.getItem("PRIVATE_KEY") as string,
+              secret: key
+            });
+
+            // create the protected key by encrypting the symmetric key
+            // [key] with the derived key
+            const {
+              ciphertext: protectedKey,
+              iv: protectedKeyIV,
+              tag: protectedKeyTag
+            } = Aes256Gcm.encrypt({
+              text: key.toString("hex"),
+              secret: Buffer.from(derivedKey.hash)
+            });
+
+            try {
+              await setupPassword.mutateAsync({
+                protectedKey,
+                protectedKeyIV,
+                protectedKeyTag,
+                encryptedPrivateKey,
+                encryptedPrivateKeyIV,
+                encryptedPrivateKeyTag,
+                salt: result.salt,
+                verifier: result.verifier,
+                token,
+                password
+              });
+
+              setIsRedirecting(true);
+
+              createNotification({
+                type: "success",
+                title: "Password successfully set",
+                text: "Redirecting to login..."
+              });
+
+              setTimeout(() => {
+                window.location.href = "/login";
+              }, 3000);
+            } catch (error) {
+              createNotification({
+                type: "error",
+                text: (error as Error).message ?? "Error setting password"
+              });
+              navigate({ to: "/personal-settings" });
+            }
+          });
+        }
+      );
+    }
+  };
+
+  const isInvalidPassword =
+    passwordErrorTooShort ||
+    passwordErrorTooLong ||
+    passwordErrorNoLetterChar ||
+    passwordErrorNoNumOrSpecialChar ||
+    passwordErrorRepeatedChar ||
+    passwordErrorEscapeChar ||
+    passwordErrorLowEntropy ||
+    passwordErrorBreached;
+
+  return (
+    <div className="flex h-screen w-full flex-col items-center justify-center bg-bunker-800">
+      <form onSubmit={handleSetPassword}>
+        <Card className="flex w-full max-w-lg flex-col rounded-md border border-mineshaft-600 px-8 py-4">
+          <CardTitle
+            className="p-0 pb-4 pt-2 text-left text-xl"
+            subTitle="Make sure to store your password somewhere safe."
+          >
+            <div className="flex flex-row items-center">
+              <div className="flex items-center pb-0.5">
+                <FontAwesomeIcon icon={faKey} />
+              </div>
+              <span className="ml-2.5">Set Password</span>
+            </div>
+          </CardTitle>
+          <FormControl label="Password">
+            <Input
+              value={password}
+              type={showPassword ? "text" : "password"}
+              autoComplete="new-password"
+              onChange={(e) => {
+                setPassword(e.target.value);
+                passwordCheck({
+                  password: e.target.value,
+                  setPasswordErrorTooShort,
+                  setPasswordErrorTooLong,
+                  setPasswordErrorNoLetterChar,
+                  setPasswordErrorNoNumOrSpecialChar,
+                  setPasswordErrorRepeatedChar,
+                  setPasswordErrorEscapeChar,
+                  setPasswordErrorLowEntropy,
+                  setPasswordErrorBreached
+                });
+              }}
+              rightIcon={
+                <button
+                  type="button"
+                  onClick={() => {
+                    setShowPassword((prev) => !prev);
+                  }}
+                  className="cursor-pointer self-end text-gray-400"
+                >
+                  {showPassword ? (
+                    <FontAwesomeIcon size="sm" icon={faEyeSlash} />
+                  ) : (
+                    <FontAwesomeIcon size="sm" icon={faEye} />
+                  )}
+                </button>
+              }
+            />
+          </FormControl>
+          <FormControl
+            label="Confirm Password"
+            errorText="Passwords must match"
+            isError={!passwordsMatch}
+          >
+            <Input
+              value={confirmPassword}
+              type={showConfirmPassword ? "text" : "password"}
+              autoComplete="new-password"
+              onChange={(e) => setConfirmPassword(e.target.value)}
+              rightIcon={
+                <button
+                  type="button"
+                  onClick={() => {
+                    setShowConfirmPassword((prev) => !prev);
+                  }}
+                  className="cursor-pointer self-end text-gray-400"
+                >
+                  {showConfirmPassword ? (
+                    <FontAwesomeIcon size="sm" icon={faEyeSlash} />
+                  ) : (
+                    <FontAwesomeIcon size="sm" icon={faEye} />
+                  )}
+                </button>
+              }
+            />
+          </FormControl>
+          <div className="mb-4 flex w-full max-w-md flex-col items-start rounded-md bg-mineshaft-700 px-2 py-2 transition-opacity duration-100">
+            <div className="mb-1 text-sm text-gray-400">Password must contain:</div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorTooShort ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${passwordErrorTooShort ? "text-gray-400" : "text-gray-600"} text-sm`}
+              >
+                at least 14 characters
+              </div>
+            </div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorTooLong ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${passwordErrorTooLong ? "text-gray-400" : "text-gray-600"} text-sm`}
+              >
+                at most 100 characters
+              </div>
+            </div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorNoLetterChar ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${passwordErrorNoLetterChar ? "text-gray-400" : "text-gray-600"} text-sm`}
+              >
+                at least 1 letter character
+              </div>
+            </div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorNoNumOrSpecialChar ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${
+                  passwordErrorNoNumOrSpecialChar ? "text-gray-400" : "text-gray-600"
+                } text-sm`}
+              >
+                at least 1 number or special character
+              </div>
+            </div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorRepeatedChar ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${passwordErrorRepeatedChar ? "text-gray-400" : "text-gray-600"} text-sm`}
+              >
+                at most 3 repeated, consecutive characters
+              </div>
+            </div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorEscapeChar ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${passwordErrorEscapeChar ? "text-gray-400" : "text-gray-600"} text-sm`}
+              >
+                no escape characters
+              </div>
+            </div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorLowEntropy ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${passwordErrorLowEntropy ? "text-gray-400" : "text-gray-600"} text-sm`}
+              >
+                no personal information
+              </div>
+            </div>
+            <div className="ml-1 flex flex-row items-center justify-start">
+              {passwordErrorBreached ? (
+                <FontAwesomeIcon icon={faX} className="text-md mr-2.5 text-red" />
+              ) : (
+                <FontAwesomeIcon icon={faCheck} className="text-md mr-2 text-primary" />
+              )}
+              <div
+                className={`${passwordErrorBreached ? "text-gray-400" : "text-gray-600"} text-sm`}
+              >
+                password not found in a data breach.
+              </div>
+            </div>
+          </div>
+          <Button
+            isDisabled={isInvalidPassword || setupPassword.isPending || isRedirecting}
+            colorSchema="secondary"
+            type="submit"
+            isLoading={setupPassword.isPending}
+          >
+            Submit
+          </Button>
+        </Card>
+      </form>
+    </div>
+  );
+};

frontend/src/pages/auth/PasswordSetupPage/route.tsx

@@ -0,0 +1,15 @@
+import { createFileRoute } from "@tanstack/react-router";
+import { zodValidator } from "@tanstack/zod-adapter";
+import { z } from "zod";
+
+import { PasswordSetupPage } from "./PasswordSetupPage";
+
+const PasswordSetupPageQueryParamsSchema = z.object({
+  token: z.string(),
+  to: z.string()
+});
+
+export const Route = createFileRoute("/_authenticate/password-setup")({
+  component: PasswordSetupPage,
+  validateSearch: zodValidator(PasswordSetupPageQueryParamsSchema)
+});

frontend/src/pages/middlewares/authenticate.tsx

@@ -1,12 +1,13 @@
 import { createFileRoute, redirect } from "@tanstack/react-router";
 
 import { createNotification } from "@app/components/notifications";
+import { ROUTE_PATHS } from "@app/const/routes";
 import { userKeys } from "@app/hooks/api";
 import { authKeys, fetchAuthToken } from "@app/hooks/api/auth/queries";
 import { fetchUserDetails } from "@app/hooks/api/users/queries";
 
 export const Route = createFileRoute("/_authenticate")({
-  beforeLoad: async ({ context }) => {
+  beforeLoad: async ({ context, location }) => {
     if (!context.serverConfig.initialized) {
       throw redirect({ to: "/admin/signup" });
     }
@@ -26,7 +27,7 @@ export const Route = createFileRoute("/_authenticate")({
         });
       });
 
-    if (!data.organizationId) {
+    if (!data.organizationId && location.pathname !== ROUTE_PATHS.Auth.PasswordSetupPage.path) {
       throw redirect({ to: "/login/select-organization" });
     }
 

frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx

@@ -14,6 +14,7 @@ import {
   DropdownMenuTrigger,
   FilterableSelect,
   FormControl,
+  Input,
   Select,
   SelectItem
 } from "@app/components/v2";
@@ -22,6 +23,7 @@ import { useGetAuditLogActorFilterOpts, useGetUserWorkspaces } from "@app/hooks/
 import { eventToNameMap, userAgentTTypeoNameMap } from "@app/hooks/api/auditLogs/constants";
 import { ActorType, EventType } from "@app/hooks/api/auditLogs/enums";
 import { Actor } from "@app/hooks/api/auditLogs/types";
+import { ProjectType } from "@app/hooks/api/workspace/types";
 
 import { AuditLogFilterFormData } from "./types";
 
@@ -50,6 +52,7 @@ export const LogsFilter = ({
   className,
   control,
   reset,
+  setValue,
   watch
 }: Props) => {
   const [isStartDatePickerOpen, setIsStartDatePickerOpen] = useState(false);
@@ -101,6 +104,7 @@ export const LogsFilter = ({
   };
 
   const selectedEventTypes = watch("eventType") as EventType[] | undefined;
+  const selectedProject = watch("project");
 
   return (
     <div
@@ -109,30 +113,48 @@ export const LogsFilter = ({
         className
       )}
     >
-      {isOrgAuditLogs && workspacesInOrg.length > 0 && (
-        <Controller
-          control={control}
-          name="project"
-          render={({ field: { onChange, value }, fieldState: { error } }) => (
-            <FormControl
-              label="Project"
-              errorText={error?.message}
-              isError={Boolean(error)}
-              className="mr-12 w-64"
-            >
-              <FilterableSelect
-                value={value}
-                isClearable
-                onChange={onChange}
-                placeholder="Select a project..."
-                options={workspacesInOrg.map(({ name, id }) => ({ name, id }))}
-                getOptionValue={(option) => option.id}
-                getOptionLabel={(option) => option.name}
-              />
-            </FormControl>
-          )}
-        />
-      )}
+      <div className="flex items-center gap-4">
+        {isOrgAuditLogs && workspacesInOrg.length > 0 && (
+          <Controller
+            control={control}
+            name="project"
+            render={({ field: { onChange, value }, fieldState: { error } }) => (
+              <FormControl
+                label="Project"
+                errorText={error?.message}
+                isError={Boolean(error)}
+                className="w-64"
+              >
+                <FilterableSelect
+                  value={value}
+                  isClearable
+                  onChange={(e) => {
+                    if (e === null) {
+                      setValue("secretPath", "");
+                    }
+                    onChange(e);
+                  }}
+                  placeholder="Select a project..."
+                  options={workspacesInOrg.map(({ name, id, type }) => ({ name, id, type }))}
+                  getOptionValue={(option) => option.id}
+                  getOptionLabel={(option) => option.name}
+                />
+              </FormControl>
+            )}
+          />
+        )}
+        {selectedProject?.type === ProjectType.SecretManager && (
+          <Controller
+            control={control}
+            name="secretPath"
+            render={({ field: { onChange, value, ...field } }) => (
+              <FormControl label="Secret path" className="w-40">
+                <Input {...field} value={value} onChange={(e) => onChange(e.target.value)} />
+              </FormControl>
+            )}
+          />
+        )}
+      </div>
       <div className="mt-1 flex items-center space-x-2">
         <Controller
           control={control}

frontend/src/pages/organization/AuditLogsPage/components/LogsSection.tsx

@@ -5,6 +5,7 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
 import { OrgPermissionActions, OrgPermissionSubjects, useSubscription } from "@app/context";
 import { withPermission } from "@app/hoc";
+import { useDebounce } from "@app/hooks";
 import { ActorType, EventType, UserAgentType } from "@app/hooks/api/auditLogs/enums";
 import { usePopUp } from "@app/hooks/usePopUp";
 
@@ -67,10 +68,13 @@ export const LogsSection = withPermission(
     const userAgentType = watch("userAgentType") as UserAgentType | undefined;
     const actor = watch("actor");
     const projectId = watch("project")?.id;
+    const secretPath = watch("secretPath");
 
     const startDate = watch("startDate");
     const endDate = watch("endDate");
 
+    const [debouncedSecretPath] = useDebounce<string>(secretPath!, 500);
+
     return (
       <div>
         {showFilters && (
@@ -90,6 +94,7 @@ export const LogsSection = withPermission(
           isOrgAuditLogs={isOrgAuditLogs}
           showActorColumn={!!showActorColumn}
           filter={{
+            secretPath: debouncedSecretPath || undefined,
             eventMetadata: presets?.eventMetadata,
             projectId,
             actorType: presets?.actorType,

frontend/src/pages/organization/AuditLogsPage/components/types.tsx

@@ -1,14 +1,19 @@
 import { z } from "zod";
 
 import { EventType, UserAgentType } from "@app/hooks/api/auditLogs/enums";
+import { ProjectType } from "@app/hooks/api/workspace/types";
 
 export const auditLogFilterFormSchema = z
   .object({
     eventMetadata: z.object({}).optional(),
-    project: z.object({ id: z.string(), name: z.string() }).optional().nullable(),
+    project: z
+      .object({ id: z.string(), name: z.string(), type: z.nativeEnum(ProjectType) })
+      .optional()
+      .nullable(),
     eventType: z.nativeEnum(EventType).array(),
     actor: z.string().optional(),
     userAgentType: z.nativeEnum(UserAgentType),
+    secretPath: z.string().optional(),
     startDate: z.date().optional(),
     endDate: z.date().optional(),
     page: z.coerce.number().optional(),

frontend/src/pages/organization/SettingsPage/components/AppConnectionsTab/components/AppConnectionForm/GcpConnectionForm.tsx

@@ -114,36 +114,42 @@ export const GcpConnectionForm = ({ appConnection, onSubmit }: Props) => {
               className="group"
               helperText={
                 <>
-                  <span>
-                    {`Service account ID (the part of the email before '@') must be suffixed with "${expectedAccountIdSuffix}"`}
-                  </span>
-                  <Tooltip className="relative right-2" position="bottom" content="Copy">
-                    <IconButton
-                      variant="plain"
-                      ariaLabel="copy"
-                      onClick={() => {
-                        if (isCopied) {
-                          return;
-                        }
+                  <div>
+                    {`Service account ID must be suffixed with "${expectedAccountIdSuffix}"`}
+                    <Tooltip className="relative right-2" position="bottom" content="Copy">
+                      <IconButton
+                        variant="plain"
+                        ariaLabel="copy"
+                        onClick={() => {
+                          if (isCopied) {
+                            return;
+                          }
 
-                        navigator.clipboard.writeText(expectedAccountIdSuffix);
+                          navigator.clipboard.writeText(expectedAccountIdSuffix);
 
-                        createNotification({
-                          text: "Copied to clipboard",
-                          type: "info"
-                        });
+                          createNotification({
+                            text: "Copied to clipboard",
+                            type: "info"
+                          });
 
-                        toggleIsCopied(2000);
-                      }}
-                      className="hover:bg-bunker-100/10"
-                    >
-                      <FontAwesomeIcon
-                        icon={!isCopied ? faCopy : faCheck}
-                        size="sm"
-                        className="cursor-pointer"
-                      />
-                    </IconButton>
-                  </Tooltip>
+                          toggleIsCopied(2000);
+                        }}
+                        className="hover:bg-bunker-100/10"
+                      >
+                        <FontAwesomeIcon
+                          icon={!isCopied ? faCopy : faCheck}
+                          size="sm"
+                          className="cursor-pointer"
+                        />
+                      </IconButton>
+                    </Tooltip>
+                  </div>
+                  <div>
+                    Example:
+                    <span className="ml-1">service-account-</span>
+                    <span className="font-semibold">{expectedAccountIdSuffix}</span>
+                    <span>@my-project.iam.gserviceaccount.com</span>
+                  </div>
                 </>
               }
             >

frontend/src/pages/secret-manager/IntegrationsListPage/IntegrationsListPage.tsx

@@ -5,7 +5,7 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { useNavigate, useSearch } from "@tanstack/react-router";
 
 import { ProjectPermissionCan } from "@app/components/permissions";
-import { Badge, Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
+import { Badge, PageHeader, Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
 import { ROUTE_PATHS } from "@app/const/routes";
 import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
 import { IntegrationsListPageTabs } from "@app/types/integrations";
@@ -45,14 +45,12 @@ export const IntegrationsListPage = () => {
         <meta name="og:description" content={t("integrations.description") as string} />
       </Helmet>
       <div className="container relative mx-auto max-w-7xl pb-12 text-white">
-        <div className="mx-6 mb-8">
-          <div className="mb-4 mt-6 flex flex-col items-start justify-between px-2 text-xl">
-            <h1 className="text-3xl font-semibold">Integrations</h1>
-            <p className="text-base text-bunker-300">
-              Manage integrations with third-party services.
-            </p>
-          </div>
-          <div className="mx-2 mb-4 flex flex-col rounded-r border-l-2 border-l-primary bg-mineshaft-300/5 px-4 py-2.5">
+        <div className="mb-8">
+          <PageHeader
+            title="Integrations"
+            description="Manage integrations with third-party services."
+          />
+          <div className="mb-4 mt-4 flex flex-col rounded-r border-l-2 border-l-primary bg-mineshaft-300/5 px-4 py-2.5">
             <div className="mb-1 flex items-center text-sm">
               <FontAwesomeIcon icon={faInfoCircle} size="sm" className="mr-1 text-primary" />
               Integrations Update

frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/SecretSyncDetailsByIDPage.tsx

@@ -73,7 +73,7 @@ const PageContent = () => {
   return (
     <>
       <div className="container mx-auto flex flex-col justify-between bg-bunker-800 font-inter text-white">
-        <div className="mx-auto mb-6 w-full max-w-7xl px-6 py-6">
+        <div className="mx-auto mb-6 w-full max-w-7xl">
           <Button
             variant="link"
             type="submit"
@@ -89,7 +89,6 @@ const PageContent = () => {
                 }
               });
             }}
-            className="mb-4"
           >
             Secret Syncs
           </Button>

frontend/src/pages/secret-manager/integrations/AzureDevopsAuthorizePage/AzureDevopsAuthorizePage.tsx

@@ -65,7 +65,7 @@ export const AzureDevopsAuthorizePage = () => {
           <div className="flex flex-row items-center">
             <div className="flex items-center">
               <img
-                src="/images/integrations/Amazon Web Services.png"
+                src="/images/integrations/Microsoft Azure.png"
                 height={35}
                 width={35}
                 alt="Azure DevOps logo"

frontend/src/pages/secret-manager/integrations/AzureDevopsConfigurePage/AzureDevopsConfigurePage.tsx

@@ -106,7 +106,7 @@ export const AzureDevopsConfigurePage = () => {
           <div className="flex flex-row items-center">
             <div className="flex items-center">
               <img
-                src="/images/integrations/Amazon Web Services.png"
+                src="/images/integrations/Microsoft Azure.png"
                 height={35}
                 width={35}
                 alt="Azure DevOps logo"

frontend/src/pages/secret-manager/integrations/AzureKeyVaultAuthorizePage/AzureKeyVaultAuthorizePage.tsx

@@ -47,7 +47,12 @@ export function AzureKeyVaultAuthorizePage() {
         >
           <div className="flex flex-row items-center">
             <div className="flex items-center pb-0.5">
-              <img src="/images/integrations/GitHub.png" height={30} width={30} alt="Github logo" />
+              <img
+                src="/images/integrations/Microsoft Azure.png"
+                height={30}
+                width={30}
+                alt="Azure Key Vault logo"
+              />
             </div>
             <span className="ml-2.5">Azure Key Vault Integration </span>
             <a

frontend/src/pages/secret-manager/integrations/VercelConfigurePage/VercelConfigurePage.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState } from "react";
+import { useEffect, useMemo, useState } from "react";
 import { Helmet } from "react-helmet";
 import {
   faArrowUpRightFromSquare,
@@ -25,7 +25,8 @@ import { useCreateIntegration } from "@app/hooks/api";
 import {
   useGetIntegrationAuthApps,
   useGetIntegrationAuthById,
-  useGetIntegrationAuthVercelBranches
+  useGetIntegrationAuthVercelBranches,
+  useGetIntegrationAuthVercelCustomEnvironments
 } from "@app/hooks/api/integrationAuth";
 import { IntegrationSyncBehavior } from "@app/hooks/api/integrations/types";
 
@@ -75,6 +76,11 @@ export const VercelConfigurePage = () => {
       teamId: integrationAuth?.teamId as string
     });
 
+  const { data: customEnvironments } = useGetIntegrationAuthVercelCustomEnvironments({
+    teamId: integrationAuth?.teamId as string,
+    integrationAuthId: integrationAuthId as string
+  });
+
   const { data: branches } = useGetIntegrationAuthVercelBranches({
     integrationAuthId: integrationAuthId as string,
     appId: targetAppId
@@ -135,6 +141,26 @@ export const VercelConfigurePage = () => {
     }
   };
 
+  const selectedVercelEnvironments = useMemo(() => {
+    let selectedEnvironments = vercelEnvironments;
+
+    const environments = customEnvironments?.find(
+      (e) => e.appId === targetAppId
+    )?.customEnvironments;
+
+    if (environments && environments.length > 0) {
+      selectedEnvironments = [
+        ...selectedEnvironments,
+        ...environments.map((env) => ({
+          name: env.slug,
+          slug: env.id
+        }))
+      ];
+    }
+
+    return selectedEnvironments;
+  }, [targetAppId, customEnvironments]);
+
   return integrationAuth &&
     selectedSourceEnvironment &&
     integrationAuthApps &&
@@ -210,7 +236,13 @@ export const VercelConfigurePage = () => {
         >
           <Select
             value={targetAppId}
-            onValueChange={(val) => setTargetAppId(val)}
+            onValueChange={(val) => {
+              if (vercelEnvironments.every((env) => env.slug !== targetEnvironment)) {
+                setTargetEnvironment(vercelEnvironments[0].slug);
+              }
+
+              setTargetAppId(val);
+            }}
             className="w-full border border-mineshaft-500"
             isDisabled={integrationAuthApps.length === 0}
           >
@@ -236,7 +268,7 @@ export const VercelConfigurePage = () => {
             onValueChange={(val) => setTargetEnvironment(val)}
             className="w-full border border-mineshaft-500"
           >
-            {vercelEnvironments.map((vercelEnvironment) => (
+            {selectedVercelEnvironments.map((vercelEnvironment) => (
               <SelectItem
                 value={vercelEnvironment.slug}
                 key={`target-environment-${vercelEnvironment.slug}`}

frontend/src/pages/user/PersonalSettingsPage/components/ChangePasswordSection/ChangePasswordSection.tsx

@@ -11,6 +11,7 @@ import attemptChangePassword from "@app/components/utilities/attemptChangePasswo
 import checkPassword from "@app/components/utilities/checks/password/checkPassword";
 import { Button, FormControl, Input } from "@app/components/v2";
 import { useUser } from "@app/context";
+import { useSendPasswordSetupEmail } from "@app/hooks/api/auth/queries";
 
 type Errors = {
   tooShort?: string;
@@ -45,6 +46,7 @@ export const ChangePasswordSection = () => {
   });
   const [errors, setErrors] = useState<Errors>({});
   const [isLoading, setIsLoading] = useState(false);
+  const sendSetupPasswordEmail = useSendPasswordSetupEmail();
 
   const onFormSubmit = async ({ oldPassword, newPassword }: FormData) => {
     try {
@@ -80,6 +82,24 @@ export const ChangePasswordSection = () => {
     }
   };
 
+  const onSetupPassword = async () => {
+    try {
+      await sendSetupPasswordEmail.mutateAsync();
+
+      createNotification({
+        title: "Password setup verification email sent",
+        text: "Check your email to confirm password setup",
+        type: "info"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to send password setup email",
+        type: "error"
+      });
+    }
+  };
+
   return (
     <form
       onSubmit={handleSubmit(onFormSubmit)}
@@ -142,6 +162,16 @@ export const ChangePasswordSection = () => {
       <Button type="submit" colorSchema="secondary" isLoading={isLoading} isDisabled={isLoading}>
         Save
       </Button>
+      <p className="mt-2 font-inter text-sm text-mineshaft-400">
+        Need to setup a password?{" "}
+        <button
+          onClick={onSetupPassword}
+          type="button"
+          className="underline underline-offset-2 hover:text-mineshaft-200"
+        >
+          Click here
+        </button>
+      </p>
     </form>
   );
 };

frontend/src/routeTree.gen.ts

@@ -24,6 +24,7 @@ import { Route as authSignUpInvitePageRouteImport } from './pages/auth/SignUpInv
 import { Route as authRequestNewInvitePageRouteImport } from './pages/auth/RequestNewInvitePage/route'
 import { Route as authPasswordResetPageRouteImport } from './pages/auth/PasswordResetPage/route'
 import { Route as authEmailNotVerifiedPageRouteImport } from './pages/auth/EmailNotVerifiedPage/route'
+import { Route as authPasswordSetupPageRouteImport } from './pages/auth/PasswordSetupPage/route'
 import { Route as userLayoutImport } from './pages/user/layout'
 import { Route as organizationLayoutImport } from './pages/organization/layout'
 import { Route as publicViewSharedSecretByIDPageRouteImport } from './pages/public/ViewSharedSecretByIDPage/route'
@@ -310,6 +311,14 @@ const authEmailNotVerifiedPageRouteRoute =
     getParentRoute: () => middlewaresRestrictLoginSignupRoute,
   } as any)
 
+const authPasswordSetupPageRouteRoute = authPasswordSetupPageRouteImport.update(
+  {
+    id: '/password-setup',
+    path: '/password-setup',
+    getParentRoute: () => middlewaresAuthenticateRoute,
+  } as any,
+)
+
 const userLayoutRoute = userLayoutImport.update({
   id: '/_layout',
   getParentRoute: () => AuthenticatePersonalSettingsRoute,
@@ -1577,6 +1586,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof middlewaresRestrictLoginSignupImport
       parentRoute: typeof rootRoute
     }
+    '/_authenticate/password-setup': {
+      id: '/_authenticate/password-setup'
+      path: '/password-setup'
+      fullPath: '/password-setup'
+      preLoaderRoute: typeof authPasswordSetupPageRouteImport
+      parentRoute: typeof middlewaresAuthenticateImport
+    }
     '/_restrict-login-signup/email-not-verified': {
       id: '/_restrict-login-signup/email-not-verified'
       path: '/email-not-verified'
@@ -3397,12 +3413,14 @@ const AuthenticatePersonalSettingsRouteWithChildren =
   )
 
 interface middlewaresAuthenticateRouteChildren {
+  authPasswordSetupPageRouteRoute: typeof authPasswordSetupPageRouteRoute
   middlewaresInjectOrgDetailsRoute: typeof middlewaresInjectOrgDetailsRouteWithChildren
   AuthenticatePersonalSettingsRoute: typeof AuthenticatePersonalSettingsRouteWithChildren
 }
 
 const middlewaresAuthenticateRouteChildren: middlewaresAuthenticateRouteChildren =
   {
+    authPasswordSetupPageRouteRoute: authPasswordSetupPageRouteRoute,
     middlewaresInjectOrgDetailsRoute:
       middlewaresInjectOrgDetailsRouteWithChildren,
     AuthenticatePersonalSettingsRoute:
@@ -3487,6 +3505,7 @@ export interface FileRoutesByFullPath {
   '/cli-redirect': typeof authCliRedirectPageRouteRoute
   '/share-secret': typeof publicShareSecretPageRouteRoute
   '': typeof organizationLayoutRouteWithChildren
+  '/password-setup': typeof authPasswordSetupPageRouteRoute
   '/email-not-verified': typeof authEmailNotVerifiedPageRouteRoute
   '/password-reset': typeof authPasswordResetPageRouteRoute
   '/requestnewinvite': typeof authRequestNewInvitePageRouteRoute
@@ -3657,6 +3676,7 @@ export interface FileRoutesByTo {
   '/cli-redirect': typeof authCliRedirectPageRouteRoute
   '/share-secret': typeof publicShareSecretPageRouteRoute
   '': typeof organizationLayoutRouteWithChildren
+  '/password-setup': typeof authPasswordSetupPageRouteRoute
   '/email-not-verified': typeof authEmailNotVerifiedPageRouteRoute
   '/password-reset': typeof authPasswordResetPageRouteRoute
   '/requestnewinvite': typeof authRequestNewInvitePageRouteRoute
@@ -3824,6 +3844,7 @@ export interface FileRoutesById {
   '/share-secret': typeof publicShareSecretPageRouteRoute
   '/_authenticate': typeof middlewaresAuthenticateRouteWithChildren
   '/_restrict-login-signup': typeof middlewaresRestrictLoginSignupRouteWithChildren
+  '/_authenticate/password-setup': typeof authPasswordSetupPageRouteRoute
   '/_restrict-login-signup/email-not-verified': typeof authEmailNotVerifiedPageRouteRoute
   '/_restrict-login-signup/password-reset': typeof authPasswordResetPageRouteRoute
   '/_restrict-login-signup/requestnewinvite': typeof authRequestNewInvitePageRouteRoute
@@ -4004,6 +4025,7 @@ export interface FileRouteTypes {
     | '/cli-redirect'
     | '/share-secret'
     | ''
+    | '/password-setup'
     | '/email-not-verified'
     | '/password-reset'
     | '/requestnewinvite'
@@ -4173,6 +4195,7 @@ export interface FileRouteTypes {
     | '/cli-redirect'
     | '/share-secret'
     | ''
+    | '/password-setup'
     | '/email-not-verified'
     | '/password-reset'
     | '/requestnewinvite'
@@ -4338,6 +4361,7 @@ export interface FileRouteTypes {
     | '/share-secret'
     | '/_authenticate'
     | '/_restrict-login-signup'
+    | '/_authenticate/password-setup'
     | '/_restrict-login-signup/email-not-verified'
     | '/_restrict-login-signup/password-reset'
     | '/_restrict-login-signup/requestnewinvite'
@@ -4562,6 +4586,7 @@ export const routeTree = rootRoute
     "/_authenticate": {
       "filePath": "middlewares/authenticate.tsx",
       "children": [
+        "/_authenticate/password-setup",
         "/_authenticate/_inject-org-details",
         "/_authenticate/personal-settings"
       ]
@@ -4579,6 +4604,10 @@ export const routeTree = rootRoute
         "/_restrict-login-signup/admin/signup"
       ]
     },
+    "/_authenticate/password-setup": {
+      "filePath": "auth/PasswordSetupPage/route.tsx",
+      "parent": "/_authenticate"
+    },
     "/_restrict-login-signup/email-not-verified": {
       "filePath": "auth/EmailNotVerifiedPage/route.tsx",
       "parent": "/_restrict-login-signup"

frontend/src/routes.ts

@@ -335,6 +335,7 @@ export const routes = rootRoute("root.tsx", [
     route("/verify-email", "auth/VerifyEmailPage/route.tsx")
   ]),
   middleware("authenticate.tsx", [
+    route("/password-setup", "auth/PasswordSetupPage/route.tsx"),
     route("/personal-settings", [
       layout("user/layout.tsx", [index("user/PersonalSettingsPage/route.tsx")])
     ]),